Hello Richard -

Thanks for sending the files.

The usual reason for this type of problem is incorrect shared secrets.

You should check the shared secrets again and if you still have a problem, please send us (not to the list) the configuration files with secrets together with the contents of the users file with the real passwords. And could you also include a trace 5 hex dump of the packets so we can see exactly what is going on.

regards

Hugh


I am currently having a problem with authentication of VPDN PPP sessions
from a Cisco 7206 router.

When I send this directly to the authentication radius server the
authentication works fine. But when I try and proxy this via another server
the authentication gets rejected with bad password.

The proxy servers are working fine when proxying Lucent TNT ppp calls.

It appears as though the proxy servers are changing the User-Password
somehow. Below are the relevant configuration of both the authentication
and proxy radius servers, as well as trace 4 logs. At the bottom is also a
password log (with the passwords changed) but as you can see the second line
(which is the proxied one) has garbled decode of the password.

Do you know what may be causing this?

The proxy radius server is running Radiator 3.4 and the authentication
radius server is running Radiator 3.4

Thanks

Richard


Relevant bits of Authentication RADIUS Server
<Client 203.76.13.132>
Identifier ConnectADSL
NasType CiscoVPDN
Secret secret
IdenticalClients 203.76.0.129
</Client>

<Client 203.32.160.9>
Identifier ConnectADSL
IdenticalClients 203.32.166.111
Secret secret
NasType Ascend
</Client>
<Handler Realm=zircon.com.au, Client-Identifier=ConnectADSL>
<AuthBy FILE>
Filename /usr/local/etc/radius/data/users
Nocache
</AuthBy>
AcctLogFileName /var/log/radius/adsltesting.acct
PasswordLogFileName /var/log/radius/adslpassword
</Handler>


Relevant config bits of Proxy RADIUS Server

Trace 1

Foreground

AuthPort 1812
AcctPort 1813

DbDir /usr/local/etc/radius/raddb
LogDir /var/log/radius
DictionaryFile %D/dictionary
<Client 203.76.0.129>
Identifier ADSL
NasType CiscoVPDN
Secret secret
</Client>
<Handler Realm=zircon.com.au, Client-Identifier=ADSL>
# RewriteUsername s/^([^@]+).*/$1/
AuthBy STAFF
AcctLogFileName /var/log/radius/adsltesting.acct
</Handler>
<AuthBy RADIUS>
Identifier STAFF
Host staff.syd.ip.net.au
AuthPort 1812
AcctPort 1813
RetryTimeout 15
Retries 0
Secret secret
</AuthBy>


Direct Authentication Logfile

Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
*** Received from 203.76.0.129 port 1645 ....
Code: Access-Request
Identifier: 174
Authentic: <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
Attributes:
NAS-IP-Address = 203.76.0.129
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1"
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "nkt112100600855"
User-Password =
"<247><16>)HZ=<222><214><162><182>7V<236>f<252><217>"
Service-Type = Framed-User
Framed-Protocol = PPP

Tue Jan 21 09:25:52 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
Tue Jan 21 09:25:52 2003: DEBUG: Deleting session for
[EMAIL PROTECTED], 203.76.0.129, 1
Tue Jan 21 09:25:52 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 21 09:25:52 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE looks for match with
[EMAIL PROTECTED]
Tue Jan 21 09:25:52 2003: DEBUG: Radius::AuthFILE ACCEPT:
Tue Jan 21 09:25:52 2003: DEBUG: Access accepted for [EMAIL PROTECTED]
Tue Jan 21 09:25:52 2003: DEBUG: Packet dump:
*** Sending to 203.76.0.129 port 1645 ....
Code: Access-Accept
Identifier: 174
Authentic: <213><240><23>h<<192><172>I<217><11><152><245><222>M<167><159>
Attributes:
Framed-IP-Address = 203.76.9.174
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Netmask = 255.255.255.255
Framed-Route = "203.76.9.128/29 203.76.9.174 1"
Port-Limit = 2
Idle-Timeout = 60
Session-Timeout = 1200




Via Proxy Server

PROXY Server LOGFILE

Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Received from 203.76.0.129 port 1645 ....
Code: Access-Request
Identifier: 195
Authentic: <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
NAS-IP-Address = 203.76.0.129
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1"
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "nkt112100600855"
User-Password =
"Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145>"
Service-Type = Framed-User
Framed-Protocol = PPP

Tue Jan 21 09:35:29 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ADSL'
Tue Jan 21 09:35:29 2003: DEBUG: SDB1 Deleting session for
[EMAIL PROTECTED], 203.76.0.129, 1
Tue Jan 21 09:35:29 2003: DEBUG: do query is: delete from RADONLINE where
NASIDENTIFIER='203.76.0.129' and NASPORT=1

Tue Jan 21 09:35:29 2003: DEBUG: Handling with Radius::AuthRADIUS
Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Sending to 203.32.166.18 port 1812 ....
Code: Access-Request
Identifier: 1
Authentic: <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
NAS-IP-Address = 203.76.0.129
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1"
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "nkt112100600855"
User-Password =
"Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
Service-Type = Framed-User
Framed-Protocol = PPP

Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Received from 203.32.166.18 port 1812 ....
Code: Access-Reject
Identifier: 1
Authentic: n|<202><227><168>v<246>e<183><219><174><222><241><178><190>6
Attributes:
Reply-Message = "Request Denied"

Tue Jan 21 09:35:30 2003: DEBUG: Received reply in AuthRADIUS for req 1 from
203.32.166.18:1812
Tue Jan 21 09:35:30 2003: INFO: Access rejected for [EMAIL PROTECTED]:
Proxied
Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Sending to 203.76.0.129 port 1645 ....
Code: Access-Reject
Identifier: 195
Authentic: <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
Reply-Message = "Request Denied"
Reply-Message = "Request Denied"


Logfile from Authenticating RADIUS Server

Tue Jan 21 09:35:29 2003: DEBUG: Packet dump:
*** Received from 203.32.160.9 port 1124 ....
Code: Access-Request
Identifier: 1
Authentic: <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
NAS-IP-Address = 203.76.0.129
NAS-Port = 1
Cisco-NAS-Port = "Virtual-Access1"
NAS-Port-Type = Virtual
User-Name = "[EMAIL PROTECTED]"
Calling-Station-Id = "nkt112100600855"
User-Password =
"Ekp<229><187>O<142><170>a<169><25><189><170><185><20><145><251><135><241><131>DBM<184>W6<197><244><165><206><204><243>"
Service-Type = Framed-User
Framed-Protocol = PPP

Tue Jan 21 09:35:30 2003: DEBUG: Handling request with Handler
'Realm=zircon.com.au, Client-Identifier=ConnectADSL'
Tue Jan 21 09:35:30 2003: DEBUG: Deleting session for
[EMAIL PROTECTED], 203.76.0.129, 1
Tue Jan 21 09:35:30 2003: DEBUG: Handling with Radius::AuthFILE:
Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE looks for match with
[EMAIL PROTECTED]
Tue Jan 21 09:35:30 2003: DEBUG: Radius::AuthFILE REJECT: Bad Password
Tue Jan 21 09:35:30 2003: DEBUG: Reading users file
/usr/local/etc/radius/data/users
Tue Jan 21 09:35:30 2003: INFO: Access rejected for [EMAIL PROTECTED]:
Bad Password
Tue Jan 21 09:35:30 2003: DEBUG: Packet dump:
*** Sending to 203.32.160.9 port 1124 ....
Code: Access-Reject
Identifier: 1
Authentic: <19><153><164>>:<211><129>e<159><191><249><208>/<135><227><15>
Attributes:
Reply-Message = "Request Denied"


PASSWORD LOGFILE
Tue Jan 21 09:25:52 2003:1043101552:[EMAIL PROTECTED]:correctpassword:correctpassword: PASS
Tue Jan 21 09:35:30 2003:1043102130:[EMAIL PROTECTED]:(¯þbbǽX"æu3:correctpassword:FAIL


Richard Vander Reyden E: [EMAIL PROTECTED]
Network & Product Engineer P: +61 2 8304 9300
Zircon Systems Pty Ltd F: +61 2 9669 2912

-------------------------------------------------------

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
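
Added example, not part of the original messages and not Radiator's code: a sketch of the RFC 2865 section 5.2 User-Password hiding that each hop performs, showing why a secret mismatch on either side of a proxy produces a garbled decode like the one in the password log. All names and sample values are constructed for illustration.

```python
import hashlib

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: c1 = p1 ^ MD5(S + RA), c(i) = p(i) ^ MD5(S + c(i-1))."""
    if len(password) > 128 or len(authenticator) != 16:
        raise ValueError("password max 128 bytes, authenticator must be 16 bytes")
    size = max(16, -(-len(password) // 16) * 16)   # pad with NULs to 16-byte blocks
    padded = password.ljust(size, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        hidden += prev
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password; a wrong secret or authenticator yields garbage."""
    if not hidden or len(hidden) % 16 or len(authenticator) != 16:
        raise ValueError("malformed User-Password or authenticator")
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        clear += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return clear.rstrip(b"\x00")

def proxy_rehide(hidden, in_secret, in_auth, out_secret, out_auth):
    """What a proxy must do: decode with the NAS-side secret, re-hide for the next hop."""
    return hide_password(reveal_password(hidden, in_secret, in_auth), out_secret, out_auth)

# Constructed sample values, not taken from the trace above.
NAS_SECRET, UPSTREAM_SECRET = b"nas-side-secret", b"upstream-secret"
RA = bytes(range(16))
PASSWORD = b"correctpassword"

def demo():
    from_nas = hide_password(PASSWORD, NAS_SECRET, RA)
    forwarded = proxy_rehide(from_nas, NAS_SECRET, RA, UPSTREAM_SECRET, RA)
    good = reveal_password(forwarded, UPSTREAM_SECRET, RA)
    # Target server configured with a different secret for the proxy's <Client>:
    bad = reveal_password(forwarded, b"mistyped-secret", RA)
    return good, bad

if __name__ == "__main__":
    print(demo())
```

The same garbage results if the proxy itself decodes the NAS request with the wrong secret, because it then re-hides an already corrupted cleartext for the next hop.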

