(RADIATOR) Problems with radius authentication

Francisco Rodrigo Cortinas Maseda francisco.cortinas at jazztel.com
Wed Mar 5 03:54:21 CST 2008


Hi Hugh,

The problem was not the shared secret, because the packet was processed, always giving "No such user" to the radius downstream.

The question is: if the downstream radius server sends an attribute to the upstream radius that the upstream radius doesn't have in the dictionary, is the packet correctly processed or not (supposing that the unknown attributes are not relevant to the authentication process)?

Francisco Rodrigo Cortiñas
Jazz Telecom SAU
Telephone: +34 91 183 9046
Email: francisco.cortinas at jazztel.com


-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Tuesday, 4 March 2008 23:43
To: Francisco Rodrigo Cortinas Maseda
CC: radiator at open.com.au
Subject: Re: (RADIATOR) Problems with radius authentication



Hello Francisco -

From your description it sounds like one or more incorrect shared
secrets.

However to say any more will require a copy of your Radiator  
configuration file (no secrets) together with a trace 4 debug showing  
what is happening.

The undefined attributes shown below are all in the latest Radiator  
4.1 dictionary.

regards

Hugh


On 5 Mar 2008, at 04:27, Francisco Rodrigo Cortinas Maseda wrote:

> Hello everybody,
>
> my name is Francisco, and I had a problem with the authentication
> of part of my network. We inserted a new radius server on the net,
> and this radius began serving requests to clients.
>
> Some hours later, some clients called the callcenter saying the
> service was unavailable. The NOC people undid the changes, passing
> the traffic through the old server, and everything started functioning again.
>
> Doing some investigation, we saw that some people could
> authenticate, and some could not (nothing in common between them). We don't
> know what the problem was, but looking at the radius servers upstream,
> we saw the following error:
>
> Mon Mar  3 18:48:58 2008 369177: ERR: Attribute number 59 (vendor 2011) is not defined in your dictionary
> Mon Mar  3 18:48:58 2008 369528: ERR: Attribute number 60 (vendor 2011) is not defined in your dictionary
> Mon Mar  3 18:48:58 2008 369711: ERR: Attribute number 26 (vendor 2011) is not defined in your dictionary
> Mon Mar  3 18:48:58 2008 369881: ERR: Attribute number 254 (vendor 2011) is not defined in your dictionary
>
> I suppose that what the error is saying is that an attribute coming
> from the NAS is not being correctly interpreted by the upstream
> radius (where the traces were found). The question is:
>
> Is it a must that the attributes that the radius is marking as unknown
> be defined in the dictionary in order to process the request?
>
> Thanks everybody.



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
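
An added illustration, not part of the thread and not Radiator's code: RADIUS attributes are length-prefixed TLVs (RFC 2865), so a parser can step over a vendor-specific sub-attribute that has no dictionary entry and still decode the rest of the packet. The packet bytes, the mini-dictionary and the function names are constructed for this example, which shows the wire format only and not how any particular server treats such attributes.

```python
import struct

# Constructed mini-dictionary: only these attributes count as "defined".
STANDARD = {1: "User-Name", 4: "NAS-IP-Address"}
VENDOR = {}   # (vendor_id, vendor_type) -> name; nothing defined for vendor 2011
VSA = 26      # Vendor-Specific attribute type (RFC 2865, section 5.26)

def tlv(t, value):
    """Encode one attribute: 1-byte type, 1-byte length (header included), value."""
    return bytes([t, len(value) + 2]) + value

def vsa(vendor_id, vendor_type, value):
    """Wrap one vendor sub-attribute in a Vendor-Specific attribute."""
    return tlv(VSA, struct.pack("!I", vendor_id) + tlv(vendor_type, value))

def build_request():
    """Constructed Access-Request: two standard attributes, four vendor 2011 ones."""
    attrs = tlv(1, b"alice") + tlv(4, bytes([192, 0, 2, 1]))
    for vendor_type in (59, 60, 26, 254):   # the numbers from the quoted log
        attrs += vsa(2011, vendor_type, struct.pack("!I", 1))
    return struct.pack("!BBH16s", 1, 7, 20 + len(attrs), bytes(16)) + attrs

def walk(buf):
    """Yield (type, value) per TLV; reject lengths that would run off the buffer."""
    pos = 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        t, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        yield t, buf[pos + 2:pos + length]
        pos += length

def decode(packet):
    """Return (known attributes, [(vendor, number), ...] lacking a dictionary entry)."""
    _code, _ident, total, _auth = struct.unpack("!BBH16s", packet[:20])
    if not 20 <= total <= len(packet):
        raise ValueError("packet shorter than its length field")
    known, undefined = {}, []
    for t, value in walk(packet[20:total]):
        if t == VSA and len(value) >= 4:
            vendor_id = struct.unpack("!I", value[:4])[0]
            for vt, vv in walk(value[4:]):
                if (vendor_id, vt) in VENDOR:
                    known[VENDOR[(vendor_id, vt)]] = vv
                else:
                    undefined.append((vendor_id, vt))   # skipped by its length
        elif t in STANDARD:
            known[STANDARD[t]] = value
        else:
            undefined.append((0, t))
    return known, undefined
```
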


More information about the radiator mailing list