Hello Alex -

On Sat, 16 Dec 2000, Alex S. Burba wrote:
> Hello.
> 
> When GW is trying to start an L2F tunnel it asks Radiator for 2 usernames with password.
> These usernames are names of NAS and GW, so GW asks them from Radiator in
> order to authenticate itself to NAS and in order to authenticate NAS to itself.
> After this authentication tunnel will be opened. Here is a GW log when this
> authentication does not complete: (interesting that there are no log records in
> Radiator's log about asking names "acc" and "acc2").
> ...
> 11d04h: L2F: Creating new tunnel for acc2                                        
> 1d04h:  L2F: Tunnel state closed                                                
> 1d04h: L2F: Got a tunnel named acc2, responding                                 
> 1d04h: AAA/AUTHEN: create_user (0x27BDC8) user='acc' ruser='' port='' rem_addr='
> ' authen_type=CHAP service=PPP priv=1                                           
> 1d04h: AAA/AUTHEN/START (483411013): port='' list='default' action=SENDAUTH serv
> ice=PPP                                                                         
> 1d04h: AAA/AUTHEN/START (483411013): found list default                         
> 1d04h: AAA/AUTHEN (483411013): status = UNKNOWN                                 
> 1d04h: AAA/AUTHEN/START (483411013): Method=RADIUS                              
> 1d04h: RADIUS: SENDPASS not supported (action=4)                                
> 1d04h: AAA/AUTHEN (483411013): status = ERROR                                   
> 1d04h: AAA/AUTHEN/START (483411013): failed to authenticate                     
> ...
> After this NAS and GW stop trying to establish a tunnel. What could it be?
> My opinion is that Radiator somehow can not process this request at all. But
> if I test these names "acc" and "acc2" via radpwtst or via logging in to the Cisco from
> telnet, Radiator works fine (processes my requests).
> 

From memory the Cisco (this is a Cisco isn't it?) first sends a request with
the suffix of the fully qualified username to the Radius server with a password
of "cisco" requesting the tunnel creation parameters. Once that happens, and
the tunnel is created, there is a second radius request from the tunnel
termination end with the fully qualified username together with the password as
entered by the user.

What does a Radiator trace 4 show? If you don't see a request at all, it is
because you don't have the Cisco configured to request the tunnel creation
parameters from radius. If on the other hand, you are seeing a request for just
the suffix of the username and it is being rejected, it is because you have not
got a username created as I have described above.

There is an example user entry for doing tunnel creation in the sample "users"
file in the Radiator distribution.

If you need any further help, please send me a copy of your configuration file
(no secrets) together with a trace 4 debug showing what is happening.

hth

Hugh


-- 
Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence. 
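
Added example, not part of the original message and not Radiator or Cisco code: a small Python parser that rejoins the 80-column wraps seen in the quoted debug output and groups the AAA/AUTHEN records by session id, so the requested action, the method and the error line can be read off per session. The function names, and the rule that a line without an uptime stamp continues the previous record, are assumptions of this example.

```python
import re

# Constructed sample modelled on the debug lines in the message above, with
# records wrapped at 80 columns as a terminal capture leaves them.
SAMPLE = """\
1d04h: AAA/AUTHEN: create_user (0x27BDC8) user='acc' ruser='' port='' rem_addr='
' authen_type=CHAP service=PPP priv=1
1d04h: AAA/AUTHEN/START (483411013): port='' list='default' action=SENDAUTH serv
ice=PPP
1d04h: AAA/AUTHEN/START (483411013): found list default
1d04h: AAA/AUTHEN (483411013): status = UNKNOWN
1d04h: AAA/AUTHEN/START (483411013): Method=RADIUS
1d04h: RADIUS: SENDPASS not supported (action=4)
1d04h: AAA/AUTHEN (483411013): status = ERROR
1d04h: AAA/AUTHEN/START (483411013): failed to authenticate
"""
STAMP = re.compile(r"^\d+d\d+h:\s+")  # uptime stamp such as "1d04h: "
SESSION = re.compile(r"AAA/AUTHEN(?:/START)? \((\d+)\): (.*)")
FIELDS = {"action": r"action=(\w+)", "method": r"Method=(\w+)", "status": r"status = (\w+)"}

def unwrap(text):
    """Rejoin wrapped records: a line with no uptime stamp continues the previous one."""
    records = []
    for line in text.splitlines():
        if STAMP.match(line) or not records:
            records.append(line.rstrip())
        else:
            records[-1] += line.rstrip()
    return [STAMP.sub("", r) for r in records]

def summarize(text):
    """Map each AAA session id to its user, action, method, last status and error reason."""
    sessions, user, cur = {}, None, None
    for rec in unwrap(text):
        created = re.search(r"create_user \(\w+\) user='([^']*)'", rec)
        m = SESSION.search(rec)
        if created:
            user = created.group(1)  # applies to the session that starts next
        elif m:
            cur = sessions.setdefault(m.group(1), {"user": user, "reason": None, **dict.fromkeys(FIELDS)})
            for key, pattern in FIELDS.items():
                hit = re.search(pattern, m.group(2))
                if hit:
                    cur[key] = hit.group(1)
        elif cur and cur["method"] and rec.startswith(cur["method"] + ":"):
            # Method lines ("RADIUS: ...") carry no session id; attach them to
            # the session that most recently selected that method.
            cur["reason"] = rec.split(": ", 1)[1]
    return sessions
```

Calling `summarize()` on a saved capture gives one entry per AAA session, which makes it easy to line up a failed session on the gateway with what a Radiator trace 4 shows for the same moment.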

