(RADIATOR) Problem with LDAP2 authentication on Radiator-3.17.1-1

Francisco Rodrigo Cortinas Maseda francisco.cortinas at jazztel.com
Tue Jul 17 01:27:39 CDT 2007


Well done!! What a shameful thing... Many thanks.


For informational purposes, in case someone encounters the same problem, I attach the traces:

[root at RAD0MA11 radiator]# /usr/bin/perl /usr/bin/radiusd -foreground -log_stdout -trace 4 -config_file /opt/etc/radiator/SSII_Huawei.cfg
Tue Jul 17 08:08:41 2007: DEBUG: include /opt/etc/radiator/BaseHuawei
Tue Jul 17 08:08:41 2007: DEBUG: Reading dictionary file '/opt/etc/radiator/dictionary'
Tue Jul 17 08:08:41 2007: DEBUG: Creating authentication port 10.0.23.126:1812
Tue Jul 17 08:08:41 2007: NOTICE: Server started: Radiator 3.17.1 on RAD0MA11

Tue Jul 17 08:08:44 2007: DEBUG: Packet dump:
*** Received from 10.0.23.126 port 32807 ....
Code:       Access-Request
Identifier: 44
Authentic:  1234567890123456
Attributes:
        User-Name = "teldat2 at adsl2g.cli1vpn01@i2p"
        Service-Type = Framed-User
        NAS-IP-Address = 10.252.32.42
        NAS-Identifier = "203.63.154.1"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        User-Password = <140>_<8><130><162><174><20>HU<24>C. <137><169><132>

Tue Jul 17 08:08:44 2007: DEBUG: Handling request with Handler 'Realm=/^adsl2g\.[a-z][a-z][a-z]\wvpn\d\d/i, User-Realm=/i2p$/i'
Tue Jul 17 08:08:44 2007: DEBUG: Rewrote user name to teldat2 at adsl2g.cli1vpn01
Tue Jul 17 08:08:44 2007: DEBUG:  Deleting session for teldat2 at adsl2g.cli1vpn01@i2p, 10.252.32.42, 1234
Tue Jul 17 08:08:44 2007: DEBUG: Handling with Radius::AuthGROUP: ldap_i2p
Tue Jul 17 08:08:44 2007: DEBUG: Handling with Radius::AuthLDAP2: 
Tue Jul 17 08:08:44 2007: INFO: Connecting to 10.0.27.60:389
Tue Jul 17 08:08:44 2007: INFO: Attempting to bind to LDAP server 10.0.27.60:389
Net::LDAP=HASH(0xa194ce0) sending:

30 48 02 01 01 60 43 02 01 03 04 2A 63 6E 3D 69 0H...`C....*cn=i
32 70 5F 6C 64 61 70 5F 77 72 69 74 65 5F 72 6F 2p_ldap_write_ro
6F 74 2C 20 64 63 3D 6A 61 7A 7A 6C 61 62 2C 20 ot, dc=jazzlab, 
64 63 3D 63 6F 6D 80 12 69 32 70 5F 6C 64 61 70 dc=com..i2p_ldap
5F 77 72 69 74 65 5F 70 77 64 __ __ __ __ __ __ _write_pwd

0000   72: SEQUENCE {
0002    1:   INTEGER = 1
0005   67:   [APPLICATION 0] {
0007    1:     INTEGER = 3
000A   42:     STRING = 'cn=i2p_ldap_write_root, dc=jazzlab, dc=com'
0036   18:     [CONTEXT 0]
0038     :       69 32 70 5F 6C 64 61 70 5F 77 72 69 74 65 5F 70 i2p_ldap_write_p
0048     :       77 64 __ __ __ __ __ __ __ __ __ __ __ __ __ __ wd
004A     :   }
004A     : }
Net::LDAP=HASH(0xa194ce0) received:

30 0C 02 01 01 61 07 0A 01 00 04 00 04 00 __ __ 0....a........

0000   12: SEQUENCE {
0002    1:   INTEGER = 1
0005    7:   [APPLICATION 1] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
Net::LDAP=HASH(0xa194ce0) sending:

30 67 02 01 02 63 62 04 12 64 63 3D 6A 61 7A 7A 0g...cb..dc=jazz
6C 61 62 2C 20 64 63 3D 63 6F 6D 0A 01 02 0A 01 lab, dc=com.....
02 02 01 00 02 01 00 01 01 00 A3 21 04 05 6C 6F ...........!..lo
67 69 6E 04 18 74 65 6C 64 61 74 32 40 61 64 73 gin..teldat2 at ads
6C 32 67 2E 63 6C 69 31 76 70 6E 30 31 30 1A 04 l2g.cli1vpn010..
08 70 61 73 73 77 6F 72 64 04 0E 73 68 2D 73 72 .password..sh-sr
76 2D 70 72 6F 66 69 6C 65 __ __ __ __ __ __ __ v-profile

0000  103: SEQUENCE {
0002    1:   INTEGER = 2
0005   98:   [APPLICATION 3] {
0007   18:     STRING = 'dc=jazzlab, dc=com'
001B    1:     ENUM = 2
001E    1:     ENUM = 2
0021    1:     INTEGER = 0
0024    1:     INTEGER = 0
0027    1:     BOOLEAN = FALSE
002A   33:     [CONTEXT 3] {
002C    5:       STRING = 'login'
0033   24:       STRING = 'teldat2 at adsl2g.cli1vpn01'
004D     :     }
004D   26:     SEQUENCE {
004F    8:       STRING = 'password'
0059   14:       STRING = 'sh-srv-profile'
0069     :     }
0069     :   }
0069     : }
Net::LDAP=HASH(0xa194ce0) received:

30 81 95 02 01 02 64 81 8F 04 4B 6C 6F 67 69 6E 0.....d...Klogin
3D 74 65 6C 64 61 74 32 40 61 64 73 6C 32 67 2E =teldat2 at adsl2g.
63 6C 69 31 76 70 6E 30 31 2C 72 65 61 6C 6D 49 cli1vpn01,realmI
64 3D 61 64 73 6C 32 67 2C 6F 3D 63 6C 69 31 76 d=adsl2g,o=cli1v
70 6E 30 31 2C 64 63 3D 6A 61 7A 7A 6C 61 62 2C pn01,dc=jazzlab,
64 63 3D 63 6F 6D 30 40 30 15 04 08 70 61 73 73 dc=com0 at 0...pass
77 6F 72 64 31 09 04 07 74 65 6C 64 61 74 32 30 word1...teldat20
27 04 0E 73 68 2D 73 72 76 2D 70 72 6F 66 69 6C '..sh-srv-profil
65 31 15 04 13 4D 6F 64 61 6C 69 64 61 64 2D 32 e1...Modalidad-2
47 2D 32 4D 2F 36 34 30 __ __ __ __ __ __ __ __ G-2M/640

0000  149: SEQUENCE {
0003    1:   INTEGER = 2
0006  143:   [APPLICATION 4] {
0009   75:     STRING = 'login=teldat2 at adsl2g.cli1vpn01,realmId=adsl2g,o=cli1vpn01,dc=jazzlab,dc=com'
0056   64:     SEQUENCE {
0058   21:       SEQUENCE {
005A    8:         STRING = 'password'
0064    9:         SET {
0066    7:           STRING = 'teldat2'
006F     :         }
006F     :       }
006F   39:       SEQUENCE {
0071   14:         STRING = 'sh-srv-profile'
0081   21:         SET {
0083   19:           STRING = 'Modalidad-2G-2M/640'
0098     :         }
0098     :       }
0098     :     }
0098     :   }
0098     : }
Net::LDAP=HASH(0xa194ce0) received:

30 0C 02 01 02 65 07 0A 01 00 04 00 04 00 __ __ 0....e........

0000   12: SEQUENCE {
0002    1:   INTEGER = 2
0005    7:   [APPLICATION 5] {
0007    1:     ENUM = 0
000A    0:     STRING = ''
000C    0:     STRING = ''
000E     :   }
000E     : }
Tue Jul 17 08:08:44 2007: DEBUG: LDAP got result for login=teldat2 at adsl2g.cli1vpn01,realmId=adsl2g,o=cli1vpn01,dc=jazzlab,dc=com
Tue Jul 17 08:08:44 2007: DEBUG: LDAP got password: teldat2
Tue Jul 17 08:08:44 2007: DEBUG: LDAP got sh-srv-profile: Modalidad-2G-2M/640
Tue Jul 17 08:08:44 2007: DEBUG: Radius::AuthLDAP2 looks for match with teldat2 at adsl2g.cli1vpn01 [teldat2 at adsl2g.cli1vpn01@i2p]
Tue Jul 17 08:08:44 2007: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: teldat2 at adsl2g.cli1vpn01 [teldat2 at adsl2g.cli1vpn01@i2p]
Tue Jul 17 08:08:44 2007: DEBUG: AuthBy GROUP result: REJECT, Bad Password
Tue Jul 17 08:08:44 2007: INFO: Access rejected for teldat2 at adsl2g.cli1vpn01: Bad Password
Tue Jul 17 08:08:44 2007: DEBUG: Packet dump:
*** Sending to 10.0.23.126 port 32807 ....
Code:       Access-Reject
Identifier: 44
Authentic:  1234567890123456
Attributes:
        Tunnel-Server-Endpoint = 1:62.15.191.129
        Reply-Message = "Request Denied"
        Tunnel-Type = 1:L2TP
        Tunnel-Client-Auth-ID = 1:I2PADSL2G
        Tunnel-Server-Auth-ID = 1:LNS-I2PADSL2G
        Tunnel-Password = "<1><177>pC{<243>\<11><140>rE<179>D3z<193><207><%"
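The trace above is worth reading closely: the LDAP search returns the cleartext password `teldat2` for the user, the request was sent with `-password teldat2`, and Radiator still answers `REJECT: Bad Password`. As Hugh's reply below explains, that is the signature of a shared-secret mismatch. RFC 2865 hides `User-Password` by XORing it with an MD5 keystream derived from the shared secret and the Request Authenticator; if `radpwtst -secret radius-2G-local` does not match the `Secret` in the server's `<Client>` clause, the server unhides with a different keystream, gets MD5 noise, and compares that noise with the LDAP value. Nothing in the protocol tells the server the secret was wrong, so the failure is reported as a bad password. The following Python is an added example, not Radiator or Net::LDAP code: it implements the RFC 2865 hiding on both sides and a small defender-side check that flags non-printable "passwords" as a probable secret mismatch. The authenticator `1234567890123456`, the client secret `radius-2G-local` and the LDAP value `teldat2` come from the thread; the server-side secret is a constructed placeholder, so the example cannot reproduce the exact `<140>_<8>...` bytes in the trace (the real server `Secret` is not on the page). A side note the trace also makes plain: a `Debug 255` LDAP trace prints the bind password and the user's cleartext password on stderr, and both cross the network unencrypted on port 389, so scrub such traces before sharing them.

```python
# Added example (not from the Radiator thread or Open System Consultants):
# RFC 2865 section 5.2 User-Password hiding, used to show why a shared-secret
# mismatch between radpwtst and the server's <Client> clause surfaces as
# "Bad Password" rather than as a secret error.
import hashlib

BLOCK = 16


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Client side: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous block), seeding with the Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % BLOCK)
    prev, out = authenticator, bytearray()
    for i in range(0, len(padded), BLOCK):
        block = _xor(padded[i:i + BLOCK], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: same keystream construction, so the wrong secret yields MD5 noise."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    prev, out = authenticator, bytearray()
    for i in range(0, len(hidden), BLOCK):
        block = hidden[i:i + BLOCK]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return bytes(out).rstrip(b"\x00")


def radiator_repr(data: bytes) -> str:
    """Render bytes the way the trace prints User-Password:
    printable ASCII as-is, everything else as <decimal>."""
    return "".join(chr(b) if 32 <= b < 127 else f"<{b}>" for b in data)


def diagnose(unhidden: bytes) -> str:
    """Defender heuristic: a real PAP password is printable; an MD5 keystream
    applied with the wrong secret almost never is."""
    if unhidden and all(32 <= b < 127 for b in unhidden):
        return "plausible password, check the backend"
    return "non-printable bytes: likely shared-secret mismatch"


def simulate(password: bytes, client_secret: bytes, server_secret: bytes,
             authenticator: bytes, stored: bytes) -> dict:
    """Run one Access-Request through client hiding and server unhiding and
    compare the result with the password the backend (LDAP here) returned."""
    hidden = hide_user_password(password, client_secret, authenticator)
    seen = unhide_user_password(hidden, server_secret, authenticator)
    return {
        "wire": radiator_repr(hidden),
        "server_sees": seen,
        "match": seen == stored,
        "hint": diagnose(seen),
    }


if __name__ == "__main__":
    # Values from the thread: radpwtst's fixed authenticator and secret, and the
    # cleartext "teldat2" that LDAP returned. The server-side secret in the
    # second run is a constructed placeholder; the real one is not on the page.
    auth = b"1234567890123456"
    good = simulate(b"teldat2", b"radius-2G-local", b"radius-2G-local", auth, b"teldat2")
    bad = simulate(b"teldat2", b"radius-2G-local", b"SERVER-SECRET-PLACEHOLDER", auth, b"teldat2")
    for name, r in (("matching secret", good), ("mismatched secret", bad)):
        print(f"{name}: wire={r['wire']} server_sees={r['server_sees']!r} "
              f"match={r['match']} ({r['hint']})")
```

Run it as-is and the first line shows the server recovering `teldat2`, the second shows the same wire bytes unhidden into noise and rejected. The `diagnose` heuristic is the check to apply when a trace shows a backend returning the expected cleartext yet the compare fails: if the unhidden value is not printable, fix the `Secret` in the `<Client>` clause (or the `-secret` given to radpwtst) before touching the LDAP configuration.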


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Tuesday, 17 July 2007 1:31
To: Francisco Rodrigo Cortinas Maseda
CC: Radiator list
Subject: Re: (RADIATOR) Problem with LDAP2 authentication on Radiator-3.17.1-1



Hello Francisco -

As has been mentioned already, the shared secrets are probably not  
correct.

You should specify the shared secret to match your Client clause in  
the configuration file when you run radpwtst.

What format is the password stored in the LDAP server?

What is shown on stderr from the LDAP debug when you run radiusd like  
this?

	cd /your/Radiator/distribution

	perl radiusd -foreground -log_stdout -trace 4 -config_file /your/configuration/file

regards

Hugh


On 16 Jul 2007, at 23:01, Francisco Rodrigo Cortinas Maseda wrote:

> Hello,
>
> We are having problems with the auth by the LDAP module; we are
> seeing "Bad Password" all the time, we have checked that the LDAP  
> server is working fine.
>
> We have installed the RPM version of Radiator, we have used the
> packet Radiator-3.17.1-1.noarch.rpm.
>
> From here we are having this problem:
>
> 1º We have configured the authby clause to connect to the LDAP
> repository; the clause:
>
> <AuthBy GROUP>
>         Identifier      ldap_i2p
>         AuthByPolicy    ContinueWhileIgnore
>         <AuthBy LDAP2>
>                 Host            10.0.27.60
>                 Port            389
>                 AuthDN          cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>                 AuthPassword    i2p_ldap_write_pwd
>                 BaseDN          dc=jazzlab, dc=com
>                 UsernameAttr    login
>                 PasswordAttr    password
>                 AuthAttrDef     sh-srv-profile,Shasta-Service-Profile,reply
>                 NoDefault
>                 NoDefaultIfFound
>                 HoldServerConnection
>                 FailureBackoffTime      30
>                 Version         3
>                 Debug 255
>         </AuthBy>
>         <AuthBy LDAP2>
>                 Host            10.0.27.61
>                 Port            389
>                 AuthDN          cn=i2p_ldap_write_root, dc=jazzlab, dc=com
>                 AuthPassword    i2p_ldap_write_pwd
>                 BaseDN          dc=jazzlab, dc=com
>                 UsernameAttr    login
>                 PasswordAttr    password
>                 AuthAttrDef     sh-srv-profile,Shasta-Service-Profile,reply
>                 NoDefault
>                 NoDefaultIfFound
>                 HoldServerConnection
>                 FailureBackoffTime      30
>                 Version         3
>         </AuthBy>
> </AuthBy>
>
> 2º We launch a test with this command:
>
> radpwtst -trace 4 -s 10.0.23.126 -secret radius-2G-local -user teldat2 at adsl2g.cli1vpn01@i2p -password teldat2 -auth_port 1812 -noacct -nas_ip_address 10.252.32.42
>
> 3º We see this on the Trace 4 log archive:
>
> *** Received from 10.0.23.126 port 32807 ....
> Code:       Access-Request
> Identifier: 253
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "teldat2 at adsl2g.cli1vpn01@i2p"
>         Service-Type = Framed-User
>         NAS-IP-Address = 10.252.32.42
>         NAS-Identifier = "203.63.154.1"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password = <140>_<8><130><162><174><20>HU<24>C. <137><169><132>
>
> Mon Jul 16 14:38:13 2007 705184: DEBUG: Handling request with Handler 'Realm=/^adsl2g\.[a-z][a-z][a-z]\wvpn\d\d/i, User-Realm=/i2p$/i'
> Mon Jul 16 14:38:13 2007 705624: DEBUG: Rewrote user name to teldat2 at adsl2g.cli1vpn01
> Mon Jul 16 14:38:13 2007 705993: DEBUG:  Deleting session for teldat2 at adsl2g.cli1vpn01@i2p, 10.252.32.42, 1234
> Mon Jul 16 14:38:13 2007 706239: DEBUG: Handling with Radius::AuthGROUP: ldap_i2p
> Mon Jul 16 14:38:13 2007 706498: DEBUG: Handling with Radius::AuthLDAP2:
> Mon Jul 16 14:38:13 2007 706834: INFO: Connecting to 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 711031: INFO: Attempting to bind to LDAP server 10.0.27.60:389
> Mon Jul 16 14:38:13 2007 892214: DEBUG: LDAP got result for login=teldat2 at adsl2g.cli1vpn01,realmId=adsl2g,o=cli1vpn01,dc=jazzlab,dc=com
> Mon Jul 16 14:38:13 2007 892538: DEBUG: LDAP got password: teldat2
> Mon Jul 16 14:38:13 2007 892765: DEBUG: LDAP got sh-srv-profile: Modalidad-2G-2M/640
> Mon Jul 16 14:38:13 2007 893058: DEBUG: Radius::AuthLDAP2 looks for match with teldat2 at adsl2g.cli1vpn01 [teldat2 at adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 893814: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: teldat2 at adsl2g.cli1vpn01 [teldat2 at adsl2g.cli1vpn01@i2p]
> Mon Jul 16 14:38:13 2007 894065: DEBUG: AuthBy GROUP result: REJECT, Bad Password
> Mon Jul 16 14:38:13 2007 894414: INFO: Access rejected for teldat2 at adsl2g.cli1vpn01: Bad Password
> Mon Jul 16 14:38:13 2007 895562: DEBUG: Packet dump:
> *** Sending to 10.0.23.126 port 32807 ....
> Code:       Access-Reject
> Identifier: 253
> Authentic:  1234567890123456
> Attributes:
>         Tunnel-Server-Endpoint = 1:XXX.XXX.XXX.XXX
>         Reply-Message = "Request Denied"
>         Tunnel-Type = 1:L2TP
>         Tunnel-Client-Auth-ID = 1:I2PADSL2G
>         Tunnel-Server-Auth-ID = 1:LNS-I2PADSL2G
>         Tunnel-Password = "<1><184>0<19><198>"pE<168><19><230><154><165><247>Ek<255><177><11>"
>
> [root at RAD0MA11 radiator]#
>
> 4º In the password file we are seeing this:
>
> Mon Jul 16 14:18:49 2007:1184588329:fprc1868:`ÒX{Y¶ˆé
> JŽøôÑ:acc05006:FAIL
>
>
> Can anybody imagine what is happening?
>
> Thanks to all.
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.