Hi,

        I'm trying to configure a Freeradius server so that it can host the authentication of several network elements (Nokia firewalls and Alteon WebSwitches by the way). I'm not having any problem with Nokias, but I'm not able to make it work with Alteon.
        The freeradius version I'm using is 0.9.2-4 and it runs in a Debian machine (kernel 2.4.19). The problem is that, when I try to validate from the Alteon against the Radius server, I get the following message:

Enter radius username: <user>
Enter radius password:
<user>: Sorry.

        There's no time wait between the password and the 'Sorry' message. Activating the debug in the radius server, this is what I see:

rad_recv: Access-Request packet from host 172.16.138.64:3010, id=236, length=52
        User-Name = "user"
        User-Password = "password"
        NAS-IP-Address = 212.170.233.83
modcall: entering group authorize for request 0
Invalid operator for item User-Name: reverting to '=='
Invalid operator for item User-Name: reverting to '=='
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
rlm_eap: EAP-Message not found
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "user", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
  huntgroups: Matched networking at 29
  huntgroups: Matched clients at 35
    users: Matched user at 65
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 236 to 172.16.138.64:3010
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 236 with timestamp 3fccc59a
Nothing to do.  Sleeping until we see a request.

        Apparently, the radius server correctly authenticates the request, but the Alteon does not understand it. I've checked that the dictionary config file has included the Alteon dictionary. I also tried to add the following line to the user definition: "Alteon-Service-Type := Alteon-L4admin" as it is described in dictionary.alteon (I really don't know if this is correct). In this case, sniffing with Ethereal, I get the following (at the end of the UDP response packet):
        Attribute value pair, and below:
                t: Vendor Specific (26) l:12, Vendor: Undefined(1872), and below,
                        t:Unknown type (26) l:6, Value: Unknown Value Type

        Don't really know if this helps. Anyway, I don't even get these messages if I don't add the Alteon-Service-Type line.
        I've also included nastype=alteon in the client definition (also tried with 'other') with the same results.

Please, I'm beginning to be a bit desperate about this. Has anybody else tried to make it work with an Alteon WebSwitch? If needed, I can also provide the configuration files, but they're pretty standard (I have only added a pair of huntgroups, a pair of clients and a local user).

The issue is that, as far as I know, the RADIUS seems to be sending the Alteon any kind of information that it does not understand. It is supposed to send what kind of user is trying to log on (standard telnet authentication in alteon is only checked by password, without username. Kind of a Catalyst Switch).

I forgot to tell that I also sniffed in the firewall between the Alteon and the RADIUS. Everything seems to be fine over there. If not, it would not work with the Nokia firewalls.

Thanks in advance, and sorry if the explanation is a bit long :-)
Victor.
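
The Ethereal decode quoted in the message (type 26, l:12, vendor 1872, inner type 26, l:6) can be checked byte by byte. The Python below is an added example, not part of the original message or of FreeRADIUS; it parses a RADIUS attribute block and the sub-attributes inside a Vendor-Specific attribute. It assumes the sub-attribute layout recommended by RFC 2865 (1-byte type, 1-byte length), and the sample bytes, including the 4-byte value, are constructed.

```python
import struct

RADIUS_VENDOR_SPECIFIC = 26  # RFC 2865 attribute type carrying vendor data

def parse_attributes(data):
    """Split a type/length/value block into (type, value) pairs."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = data[pos], data[pos + 1]
        # The length byte counts the type and length bytes themselves.
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return attrs

def parse_vsa(value):
    """Decode a type-26 value: 4-byte vendor id, then vendor sub-attributes."""
    if len(value) < 4:
        raise ValueError("Vendor-Specific value shorter than the vendor id")
    (vendor_id,) = struct.unpack("!I", value[:4])
    return vendor_id, parse_attributes(value[4:])

def describe(data):
    """Return (vendor id, sub-type, sub-length, value) for every sub-attribute."""
    out = []
    for atype, value in parse_attributes(data):
        if atype != RADIUS_VENDOR_SPECIFIC:
            continue
        vendor_id, subs = parse_vsa(value)
        for stype, sval in subs:
            # A 4-byte payload is shown as a big-endian integer, else raw bytes.
            decoded = struct.unpack("!I", sval)[0] if len(sval) == 4 else sval
            out.append((vendor_id, stype, len(sval) + 2, decoded))
    return out

# Constructed sample with the sizes from the capture: outer type 26 length 12,
# vendor 1872, inner type 26 length 6. SAMPLE_VALUE is a made-up integer.
SAMPLE_VALUE = 1
SAMPLE = (bytes([26, 12]) + struct.pack("!I", 1872)
          + bytes([26, 6]) + struct.pack("!I", SAMPLE_VALUE))

if __name__ == "__main__":
    for vendor, stype, slen, val in describe(SAMPLE):
        print("vendor=%d sub-type=%d sub-length=%d value=%r"
              % (vendor, stype, slen, val))
```

The lengths in the capture are self-consistent under this layout: 12 = 2 header bytes + 4 vendor-id bytes + a 6-byte sub-attribute, and 6 = 2 header bytes + a 4-byte value.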
