(RADIATOR) Problems with radius authentication

Hugh Irvine hugh at open.com.au
Wed Mar 5 15:37:42 CST 2008


Hello Francisco -

Yes the request will be processed normally (albeit without the  
unknown VSA's).

Whether or not this has a bearing on the overall result on the  
session will depend on the NAS.

I.e. if the NAS expects those particular VSA's to do something like  
set up a tunnel, apply session limits, or bandwidth limits, then  
clearly if they are not returned the session will not be set up  
correctly.

regards

Hugh


On 5 Mar 2008, at 20:54, Francisco Rodrigo Cortinas Maseda wrote:

> Hi Hugh,
>
> The problem was not the shared secret, because the packet was  
> processed, giving always "No such user" to the radius downstream.
>
> The question is: if the downstream radius server sends an attribute
> to the upstream radius that the upstream radius doesn't have in the
> dictionary, is the packet correctly processed or not (saying that
> the unknown attributes are not relevant to the authentication process)?
>
> Francisco Rodrigo Cortiñas
> Jazz Telecom SAU
> Telefono: +34 91 183 9046
> Email: francisco.cortinas at jazztel.com
>
>
> -----Original message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, 4 March 2008 23:43
> To: Francisco Rodrigo Cortinas Maseda
> CC: radiator at open.com.au
> Subject: Re: (RADIATOR) Problems with radius authentication
>
>
>
> Hello Francisco -
>
>  From your description it sounds like one or more incorrect shared
> secrets.
>
> However to say any more will require a copy of your Radiator
> configuration file (no secrets) together with a trace 4 debug showing
> what is happening.
>
> The undefined attributes shown below are all in the latest Radiator
> 4.1 dictionary.
>
> regards
>
> Hugh
>
>
> On 5 Mar 2008, at 04:27, Francisco Rodrigo Cortinas Maseda wrote:
>
>> Hello everybody,
>>
>> my name is Francisco, and I had a problem with the authentication
>> of part of my network. We inserted a new radius server on the net,
>> and this radius began serving requests to clients.
>>
>> Some hours later, some clients called the call center saying the
>> service was unavailable. The NOC people undid the changes, passing
>> the traffic through the old server, and everything started functioning again.
>>
>> Doing some investigation, we saw that some people could
>> authenticate, and some not (nothing common between them). We don't
>> know what the problem was, but looking at the radius servers upstream,
>> we saw the following error:
>>
>> Mon Mar  3 18:48:58 2008 369177: ERR: Attribute number 59 (vendor
>> 2011) is not defined in your dictionary
>> Mon Mar  3 18:48:58 2008 369528: ERR: Attribute number 60 (vendor
>> 2011) is not defined in your dictionary
>> Mon Mar  3 18:48:58 2008 369711: ERR: Attribute number 26 (vendor
>> 2011) is not defined in your dictionary
>> Mon Mar  3 18:48:58 2008 369881: ERR: Attribute number 254 (vendor
>> 2011) is not defined in your dictionary
>>
>> I suppose that what the error is saying is that an attribute coming
>> from the NAS is not being correctly interpreted by the upstream
>> radius (where the traces were found). The question is:
>>
>> Is it a must that the attributes that the radius is marking as unknown
>> be defined in the dictionary in order to process the request?
>>
>> Thanks everybody.
>
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> Have you checked the RadiusExpert wiki:
> http://www.open.com.au/wiki/index.php/Main_Page
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> Includes support for reliable RADIUS transport (RadSec),
> and DIAMETER translation agent.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>




--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
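
An added illustration of the behaviour discussed in this thread (not part of the original messages and not Radiator's code): a minimal RFC 2865 decoder that skips vendor-specific attributes missing from its dictionary and keeps decoding the rest. The dictionary entry, its name and the packet bytes are constructed; vendor 2011 and attribute numbers 59, 60, 26 and 254 are taken from the log lines quoted above.

```python
import struct

VENDOR_SPECIFIC = 26  # RFC 2865 attribute type that carries VSAs
# Constructed dictionary; the attribute name is hypothetical.
DICTIONARY = {(2011, 1): "Example-Input-Rate"}

def vsa(vendor_id, vendor_type, value):
    """Encode one VSA in the RFC 2865 recommended layout."""
    sub = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return struct.pack("!BBI", VENDOR_SPECIFIC, len(sub) + 6, vendor_id) + sub

def build_packet(code, ident, attrs):
    """Header (code, id, length, zeroed 16-byte authenticator) plus attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

def decode_vsas(packet, dictionary):
    """Return (known, unknown): known maps name -> raw value; unknown lists
    the (vendor_id, vendor_type) pairs that were skipped."""
    if len(packet) < 20:
        raise ValueError("short packet")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad RADIUS length field")
    known, unknown, pos = {}, [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        atype, alen = packet[pos], packet[pos + 1]
        value, pos = packet[pos + 2:pos + alen], pos + alen
        if atype != VENDOR_SPECIFIC or len(value) < 6:
            continue  # not a VSA, or too short to hold vendor id + sub-attribute
        vendor_id, sub = struct.unpack("!I", value[:4])[0], value[4:]
        while len(sub) >= 2 and 2 <= sub[1] <= len(sub):
            name = dictionary.get((vendor_id, sub[0]))
            if name is None:
                unknown.append((vendor_id, sub[0]))  # skipped, rest still decoded
            else:
                known[name] = sub[2:sub[1]]
            sub = sub[sub[1]:]
    return known, unknown

# Constructed Access-Accept (code 2): one VSA in the dictionary plus the four
# vendor 2011 attribute numbers from the log lines in the thread.
SAMPLE = build_packet(2, 7, [vsa(2011, 1, struct.pack("!I", 512000))] +
                      [vsa(2011, n, b"\x00\x00\x00\x01") for n in (59, 60, 26, 254)])

if __name__ == "__main__":
    known, unknown = decode_vsas(SAMPLE, DICTIONARY)
    print(known)
    for vendor, number in unknown:
        print(f"unknown attribute {number} (vendor {vendor}) skipped")
```

The packet decodes without error, but only the attribute present in the dictionary survives; anything a NAS relied on among the skipped ones would be missing from what is passed on.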

