Hello Sergei -
See my other mail, but what is shown below is a NAS configured for CHAP, hence the "CHAP-Password" in the request.
You should use something like this:
qqq Password = kkk
or
qqq User-Password = kkk
which will work for both forms (note that the spelling is important).
See section 13.1.1 in the Radiator 3.7.1 reference manual ("doc/ref.html").
regards
Hugh
On 12/11/2003, at 8:45 PM, Sergei Keler wrote:
Hi!
I have a Cisco 2621 (IOS 12.2). When I use the following Radiator config:
users file:
qqq     user-password="kkk", Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500
conf file:
<Realm DEFAULT>
        <AuthBy FILE>
                Filename %D/users
                AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
        </AuthBy>
        AcctLogFileName %L/detail
        PasswordLogFileName %L/passwd
</Realm>
I found the following in the log file:
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump: *** Received from 192.168.0.254 port 1645 ....
Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code:       Access-Request
Identifier: 34
Authentic:  <193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
Attributes:
        Framed-Protocol = PPP
        User-Name = "qqq"
        CHAP-Password = <10><152><185>r-<135>D<196>}<224><232><216><230><174><30>D]
        NAS-Port = 33
        NAS-Port-Type = Async
        Calling-Station-Id = "async"
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.0.254
Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG:  Deleting session for qqq, 192.168.0.254, 33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item user-password expression'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645 ....
Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 34
Authentic:  <193><11><183><164><127>/<214>m<241><129><132><252><0><202><149>F
Attributes:
        Reply-Message = "Request Denied"
====
Cisco's debug:
Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from "gdc-gw"
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from "qqq"
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (0000DB31): Pick method list 'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS:  AAA Unsupported     [134] 7
Nov 12 09:33:01.209: RADIUS:   41 73 79 6E 63                                  [Async]
Nov 12 09:33:01.209: RADIUS(0000DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(0000DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(0000DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, Access-Request, len 81
Nov 12 09:33:01.213: RADIUS:  authenticator C1 0B B7 A4 7F 2F D6 6D - F1 81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Nov 12 09:33:01.213: RADIUS:  User-Name           [1]   5   "qqq"
Nov 12 09:33:01.213: RADIUS:  CHAP-Password       [3]   19  *
Nov 12 09:33:01.213: RADIUS:  NAS-Port            [5]   6   33
Nov 12 09:33:01.213: RADIUS:  NAS-Port-Type       [61]  6   Async                     [0]
Nov 12 09:33:01.213: RADIUS:  Calling-Station-Id  [31]  7   "async"
Nov 12 09:33:01.217: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Nov 12 09:33:01.217: RADIUS:  NAS-IP-Address      [4]   6   192.168.0.254
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS:  authenticator 08 FD AC E8 B2 2D 66 6E - C5 97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS:  Reply-Message       [18]  16
Nov 12 09:33:01.229: RADIUS:   52 65 71 75 65 73 74 20 44 65 6E 69 65 64         [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP: O FAILURE id 10 len 18 msg is "Request Denied"
Nov 12 12:33:03 MSK: %LINK-5-CHANGED: Interface Async33, changed state to reset
Nov 12 12:33:08 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to down
====
So, as I understand, Cisco didn't send the user password to RADIUS??? What to do? :-(
Sergei N Keler
IT-Manager
General DataComm
[EMAIL PROTECTED] [www.gdc.ru] [tel. +7(812)325-1085 (ext. 0723)] [fax +7(812)325-1086]
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
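Added example (not part of the original thread, and not Radiator's code): the Access-Request from the packet dump above, parsed to show that it carries CHAP-Password (type 3) and no User-Password (type 2), followed by the RFC 2865 CHAP comparison a server can only perform when it holds the cleartext password. The function names are illustrative; the attribute numbers are from RFC 2865.

```python
import hashlib
import hmac

# Access-Request bytes copied from the Radiator packet dump in this thread.
PACKET = bytes.fromhex(
    "01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc"
    "00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03"
    "13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e"
    "44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07"
    "61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00"
    "fe")

# Attribute type numbers from RFC 2865.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60

def parse_radius(raw):
    """Return (code, identifier, authenticator, {attr_type: value})."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = int.from_bytes(raw[2:4], "big")
    if not 20 <= length <= len(raw):
        raise ValueError("bad Length field")
    attrs, pos = {}, 20
    while pos < length:
        if length - pos < 2 or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.setdefault(raw[pos], raw[pos + 2:pos + raw[pos + 1]])
        pos += raw[pos + 1]
    return raw[0], raw[1], raw[4:20], attrs

def chap_response(chap_id, password, challenge):
    """CHAP value per RFC 1994: MD5(id || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()

def check_password(raw, cleartext):
    """Compare a stored cleartext password with whichever form the NAS sent."""
    _, _, authenticator, attrs = parse_radius(raw)
    if CHAP_PASSWORD in attrs:
        value = attrs[CHAP_PASSWORD]
        if len(value) != 17:  # 1-byte CHAP id + 16-byte MD5 response
            raise ValueError("bad CHAP-Password length")
        # No CHAP-Challenge attribute: the Request Authenticator is the challenge.
        challenge = attrs.get(CHAP_CHALLENGE, authenticator)
        expected = chap_response(value[0], cleartext, challenge)
        return "chap-ok" if hmac.compare_digest(value[1:], expected) else "chap-mismatch"
    # PAP: User-Password is obfuscated with the shared secret (not handled here).
    return "pap" if USER_PASSWORD in attrs else "no-password"

if __name__ == "__main__":
    code, ident, _, attrs = parse_radius(PACKET)
    print(code, ident, sorted(attrs), check_password(PACKET, b"kkk"))
```

The CHAP id byte parsed from the attribute (10) is the same id shown in the Cisco "CHAP: O CHALLENGE id 10" line, and because the response is a one-way MD5 the server never sees a User-Password value to compare against.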
