Re: (RADIATOR) need help on BSDI 4.0
> Hi, try turning on PasswordLogFileName for the handler in radius.cfg and
> look in the log you specify - if you get junk with 8-bit characters
> rather than the actual passwords, the secret is set wrongly. Took us a
> lot of head-scratching to work that one out :)

OK. I turned on the PasswordLogFileName and looked at the results of it. The line says:

Thu Mar 4 10:34:24 1999:920561664:username:correctpasswd:ENCRYPTED:FAIL

Again, I am testing this with radpwtst. I have hard coded the shared secret into radpwtst. I have added an entry in the radius.cfg for the local radpwtst testing.

It's probably something simple, but I just can't see it at this point.

Thanks for any other help on this.

Craig Thompson
--
WingNET Internet Services,
P.O. Box 3000 // Cleveland, TN 37320-3000
423-559-LINK (v) 423-559-5444 (f)
http://www.wingnet.net
--

There is always one more imbecile than you counted on.

===
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) need help on BSDI 4.0
Hi Chris,

My best guess is that the shared secret configured into Radiator does not agree with the one configured into your NAS. In the radius protocol, in an access-request, the only thing that's encrypted is the password, so if the secrets don't agree, the only symptom you get is a report of a bad password, even though the password you enter is correct.

The only other possibility is that the password you are using is not correct (but I assume you have checked that).

Hope that helps.

Cheers.

---
Mike McCauley [EMAIL PROTECTED]
Open System Consultants +61 3 9598 0985

Mike is travelling right now, and there may be delays in our correspondence.

-Original Message-
From: C Thompson <[EMAIL PROTECTED]>
To: Mike McCauley <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Thursday, March 04, 1999 4:10 AM
Subject: Re: (RADIATOR) need help on BSDI 4.0

>OK, after the quoted text, I got the trace info...
>
>> at first glance, it looks like you are doing the right thing. I think you
>> must have transcribed some of this to your email, so I presume the lack of
>> white space before the reply items in the users file and the "AutyBy" are
>> artifacts.
>
>I have tabs in the 'users' file but simply transcribed as you supposed.
>
>> It would be best if you could send the Radiator log file while it runs at
>> trace level 4, so we can see all the gory details about what Radiator is
>> doing while it tries to authenticate your users.
>
>Again, here's the users file info for reference.
>
>> >DEFAULT Auth-Type = System
>> > Framed-Protocol = PPP,
>> > Framed-IP-Netmask = 255.255.255.255
>> >
>> >username Auth-Type = System
>> >
>
>This most recent time, I commented out the username so it would default
>to the DEFAULT settings...
>
>Here's the trace info:
>
>Wed Mar 3 11:50:19 1999: DEBUG: Reading users file
>/usr/local/Radiator/raddb/users
>Wed Mar 3 11:50:19 1999: DEBUG: Reading password
>file /etc/passwd
>Wed Mar 3 11:50:21 1999: DEBUG: Reading group file
>/etc/group
>Wed Mar 3 11:50:22 1999: INFO: Server started
>Wed Mar 3 11:50:43 1999: DEBUG: Packet dump:
>*** Received from 127.0.0.1 port 51352
>Code: Access-Request
>Identifier: 0
>Authentic: 1234567890123456
>Attributes:
> User-Name = "craig"
> Service-Type = Framed-User
> Client-Id = 203.63.154.1
> NAS-Port = 1234
> NAS-Port-Type = Async
> User-Password = " stuff deleted for the record "
>
>Wed Mar 3 11:50:43 1999: DEBUG: Handling request
>with Handler 'Realm=DEFAULT'
>Wed Mar 3 11:50:43 1999: DEBUG: Handling with
>Radius::AuthFILE
>Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthFILE
>looks for match with craig
>Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthFILE
>looks for match with DEFAULT
>Wed Mar 3 11:50:43 1999: DEBUG: Handling with
>Radius::AuthUNIX
>Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthUNIX
>looks for match with craig
>Wed Mar 3 11:50:43 1999: DEBUG: Bad Encrypted-
>Password
>Wed Mar 3 11:50:43 1999: INFO: Radius::AuthUNIX:
>Authentication failed for craig
>Wed Mar 3 11:50:43 1999: INFO: Radius::AuthFILE:
>Authentication failed for craig
>Wed Mar 3 11:50:43 1999: DEBUG: Packet dump:
>*** Sending to 127.0.0.1 port 51352
>Code: Access-Reject
>Identifier: 0
>Authentic: 1234567890123456
>Attributes:
> Port-Message = "Request Denied"
>
>
>
>Craig Thompson
>--
>WingNET Internet Services,
>P.O. Box 3000 // Cleveland, TN 37320-3000
>423-559-LINK (v) 423-559-5444 (f)
>http://www.wingnet.net
>--
>
>Freedom is doing what you like, happiness is liking what you do.
Re: (RADIATOR) need help on BSDI 4.0
OK, after the quoted text, I got the trace info...

> at first glance, it looks like you are doing the right thing. I think you
> must have transcribed some of this to your email, so I presume the lack of
> white space before the reply items in the users file and the "AutyBy" are
> artifacts.

I have tabs in the 'users' file but simply transcribed as you supposed.

> It would be best if you could send the Radiator log file while it runs at
> trace level 4, so we can see all the gory details about what Radiator is
> doing while it tries to authenticate your users.

Again, here's the users file info for reference.

> >DEFAULT Auth-Type = System
> > Framed-Protocol = PPP,
> > Framed-IP-Netmask = 255.255.255.255
> >
> >username Auth-Type = System
> >

This most recent time, I commented out the username so it would default to the DEFAULT settings...

Here's the trace info:

Wed Mar 3 11:50:19 1999: DEBUG: Reading users file /usr/local/Radiator/raddb/users
Wed Mar 3 11:50:19 1999: DEBUG: Reading password file /etc/passwd
Wed Mar 3 11:50:21 1999: DEBUG: Reading group file /etc/group
Wed Mar 3 11:50:22 1999: INFO: Server started
Wed Mar 3 11:50:43 1999: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 51352
Code: Access-Request
Identifier: 0
Authentic: 1234567890123456
Attributes:
 User-Name = "craig"
 Service-Type = Framed-User
 Client-Id = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 User-Password = " stuff deleted for the record "

Wed Mar 3 11:50:43 1999: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Mar 3 11:50:43 1999: DEBUG: Handling with Radius::AuthFILE
Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthFILE looks for match with craig
Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Wed Mar 3 11:50:43 1999: DEBUG: Handling with Radius::AuthUNIX
Wed Mar 3 11:50:43 1999: DEBUG: Radius::AuthUNIX looks for match with craig
Wed Mar 3 11:50:43 1999: DEBUG: Bad Encrypted- Password
Wed Mar 3 11:50:43 1999: INFO: Radius::AuthUNIX: Authentication failed for craig
Wed Mar 3 11:50:43 1999: INFO: Radius::AuthFILE: Authentication failed for craig
Wed Mar 3 11:50:43 1999: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 51352
Code: Access-Reject
Identifier: 0
Authentic: 1234567890123456
Attributes:
 Port-Message = "Request Denied"

Craig Thompson
--
WingNET Internet Services,
P.O. Box 3000 // Cleveland, TN 37320-3000
423-559-LINK (v) 423-559-5444 (f)
http://www.wingnet.net
--

Freedom is doing what you like, happiness is liking what you do.
Re: (RADIATOR) need help on BSDI 4.0
Hi Craig,

at first glance, it looks like you are doing the right thing. I think you must have transcribed some of this to your email, so I presume the lack of white space before the reply items in the users file and the "AutyBy" are artifacts.

It would be best if you could send the Radiator log file while it runs at trace level 4, so we can see all the gory details about what Radiator is doing while it tries to authenticate your users.

Cheers.

---
Mike McCauley [EMAIL PROTECTED]
Open System Consultants +61 3 9598 0985

Mike is travelling right now, and there may be delays in our correspondence.

-Original Message-
From: C Thompson <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, March 03, 1999 4:40 AM
Subject: (RADIATOR) need help on BSDI 4.0

>I'm running BSDI 4 and Radiator 2.12.1.
>
>All I want for Christmas is not my two front teeth but the following to work:
>
>1) we will eventually be using a realm (wingnet.net) to authenticate some
>users
>2) most of our users will not be logging in with a realm and will need to be
>authenticated against a realm
>3) we authenticate off the BSDI passwd file
>4) but we use the Radius 'users' file to keep expiration, simultaneous-use,
>and other information on our customers
>
>I have tried multiple statements in the radius.cfg file according
>to the docs but I cannot get radpwtst to authenticate a user off the
>passwd file.
>
>I've even pared down the 'users' file so that it only contains an entry like
>so:
>
>DEFAULT Auth-Type = System
> Framed-Protocol = PPP,
> Framed-IP-Netmask = 255.255.255.255
>
>username Auth-Type = System
>
>But I cannot get the username to authenticate at all. The only way I can
>get it to authenticate is to put the password in the 'users' file.
>
>Here's a look at the radius.cfg file:
>
>LogDir /var/log/radius
>DbDir /usr/local/Radiator/raddb
>LogFile %L/detail
>DictionaryFile %D/dictionary
>
>
> Secret secret #which I have changed in radpwtst to match what
> #I have here
> DupInterval 0
>
>
>
>
>
>
>
>
>
> Identifier System
>
>
>
>Pretty simple, and should work as best as I understand the docs, but it
>isn't working.
>
>I have been running radiusd on a separate port so my users don't run
>into trouble getting authenticated while I'm testing this. So here's what I
>send on radpwtst:
>
>./radpwtst -status -trace -acct_port 1701 auth_port 1700 -user username -
>password password
>
>The results of the trace simply say
>sending Access-Request
>Rejected
>Code: Access-Reject
>...
>
>However, if I enable one of the default entries in the 'users' file (like the
>'mikem' entry that has the password IN the 'users' file) then that gets
>authenticated. Or if I put username's password in the 'users' file, then
>'username' will be authenticated. It's simply not authenticating against the
>BSDI passwd file for some reason.
>
>Help? Ideas? Sample configs working for someone else?
>
>Thanks
>
>
>Craig Thompson
>--
>WingNET Internet Services,
>P.O. Box 3000 // Cleveland, TN 37320-3000
>423-559-LINK (v) 423-559-5444 (f)
>http://www.wingnet.net
>--
>
>I'm not old, I'm chronologically gifted.
(RADIATOR) need help on BSDI 4.0
I'm running BSDI 4 and Radiator 2.12.1.

All I want for Christmas is not my two front teeth but the following to work:

1) we will eventually be using a realm (wingnet.net) to authenticate some users
2) most of our users will not be logging in with a realm and will need to be authenticated against a realm
3) we authenticate off the BSDI passwd file
4) but we use the Radius 'users' file to keep expiration, simultaneous-use, and other information on our customers

I have tried multiple statements in the radius.cfg file according to the docs but I cannot get radpwtst to authenticate a user off the passwd file.

I've even pared down the 'users' file so that it only contains an entry like so:

DEFAULT Auth-Type = System
 Framed-Protocol = PPP,
 Framed-IP-Netmask = 255.255.255.255

username Auth-Type = System

But I cannot get the username to authenticate at all. The only way I can get it to authenticate is to put the password in the 'users' file.

Here's a look at the radius.cfg file:

LogDir /var/log/radius
DbDir /usr/local/Radiator/raddb
LogFile %L/detail
DictionaryFile %D/dictionary

 Secret secret #which I have changed in radpwtst to match what
 #I have here
 DupInterval 0

 Identifier System

Pretty simple, and should work as best as I understand the docs, but it isn't working.

I have been running radiusd on a separate port so my users don't run into trouble getting authenticated while I'm testing this. So here's what I send on radpwtst:

./radpwtst -status -trace -acct_port 1701 auth_port 1700 -user username - password password

The results of the trace simply say
sending Access-Request
Rejected
Code: Access-Reject
...

However, if I enable one of the default entries in the 'users' file (like the 'mikem' entry that has the password IN the 'users' file) then that gets authenticated. Or if I put username's password in the 'users' file, then 'username' will be authenticated. It's simply not authenticating against the BSDI passwd file for some reason.

Help? Ideas? Sample configs working for someone else?

Thanks

Craig Thompson
--
WingNET Internet Services,
P.O. Box 3000 // Cleveland, TN 37320-3000
423-559-LINK (v) 423-559-5444 (f)
http://www.wingnet.net
--

I'm not old, I'm chronologically gifted.