Re: (RADIATOR) Bad authenticator in request read the FAQ'sstill not working
Hello Andrew - It looks to me like the shared secrets are different between the NAS and the Client clause. You only show an accounting request and if this is only happening with accounting requests (ie. authentication requests are working) then it is likely a software bug in the NAS that the IgnoreAcctSignature tag in the Client clause will deal with. hth Hugh I'm trying to setup another 3COM Total Control Chassis. The first config works and is the first chassis. The second one fails with WARNING: Bad authenticator in request from 209.113.232.252 (209. 113.232.252) Please see bottom. Both NAS appear to be setup identically. Any suggestions would be greatly appreciated. The second chassis has a different Secret and community string. # THIS ON WORKS Client 63.112.157.254 Secret XX NasType TotalControlSNMP IgnoreAcctSignature SNMPCommunity /Client #THIS ONE FAILS WITH BAD AUTHENTICATOR Client 209.113.232.252 Secret X IgnoreAcctSignature NasType TotalControlSNMP SNMPCommunity XX /Client Code: Accounting-Request Identifier: 14 Authentic: 188H-l/b168P225245210136194187190D Attributes: User-Name = unauthenticated NAS-Identifier = 209.113.232.252 Acct-Status-Type = Stop Acct-Session-Id = 524292 Acct-Delay-Time = 9660 Service-Type = 0 NAS-Port-Type = Async NAS-Port = 9 Caller-Id = 2033183057 Client-Port-DNIS = 2035230015 Acct-Session-Time = 30 Acct-Terminate-Cause = 2 Acct-Input-Octets = 0 Acct-Output-Octets = 92 Thu Nov 1 12:29:59 2001: DEBUG: Rewrote user name to unauthenticated Thu Nov 1 12:29:59 2001: DEBUG: Rewrote user name to unauthenticated Thu Nov 1 12:29:59 2001: WARNING: Bad authenticator in request from 209.113.232.252 (209. 113.232.252) Andrew P. Kaplan Network Administrator CyberShore, Inc. http://www.cshore.com I couldn't give him advice in business and he couldn't give me advice in technology. --Linus Torvalds, about why he wouldn't be interested in meeting Bill Gates. --- Outgoing mail is certified Virus Free. Checked by AVG anti-virus system (http://www.grisoft.com). Version: 6.0.286 / Virus Database: 152 - Release Date: 10/9/01 === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- NB: I am travelling this week, so there may be delays in our correspondence. Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in request from DEFAULT ?
On 5/31/01 19:40, Hugh Irvine [EMAIL PROTECTED] wrote: Now, I have two other problems. The log file reports that Attributes 197 and 255 (Ascend-Xmit-Rate and Ascend-Data-Rate) are missing, even if they do are in the dictionnary (and accounting logs those attributes, strange). Can you please send me the trace 4 debug from Radiator showing what is happening? I'm getting: Sat Jun 2 23:59:26 2001: ERR: Attribute number 38947 (vendor 429) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 197 (vendor 529) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 255 (vendor 529) is not defined in your dictionary -- +--+ | Pascal Robert Inter.net Canada | | | | Gestionnaire technique de projets /Technical Project Manager | | | | http://www.ca.inter.net/[EMAIL PROTECTED] | +--+ === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in request from DEFAULT ?
On Mon, Jun 11, 2001 at 02:21:07PM -0400, Pascal Robert wrote: On 5/31/01 19:40, Hugh Irvine [EMAIL PROTECTED] wrote: Now, I have two other problems. The log file reports that Attributes 197 and 255 (Ascend-Xmit-Rate and Ascend-Data-Rate) are missing, even if they do are in the dictionnary (and accounting logs those attributes, strange). Can you please send me the trace 4 debug from Radiator showing what is happening? I'm getting: Sat Jun 2 23:59:26 2001: ERR: Attribute number 38947 (vendor 429) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 197 (vendor 529) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 255 (vendor 529) is not defined in your dictionary You should include the dictionary.ascend2 and dictionary.usr into your dictionary file. vendor 429 is 'USR' and 529 is 'Ascend'. The new dictionary files available with 2.18.2 also include a more thorough USR definition than previous dictionary releases. Another work around, for the Ascend equipment is to check under Ethernet-Mod Config-Auth-Auth Compat Mode, if this is set to 'OLD' it will work with the default dictionary, if it is set to VSA (which I'd recommend) you will need to have the ascend2 dictionary included. Be careful though, each of these dictionary files also include ATTRIBUTE listings, so some attributes may get renamed when the server encounters a second ATTRIBUTE listing, unless you edit these entries out of the combined dictionary file. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in request from DEFAULT ?
Hello Robert, Salut Pascal - As Robert says, there are two sets of attributes for Ascend, the old ones that were stolen from the RFC standard set, and the new ones that implement the Ascend Vendor Specific Attributes (vendor 529). The standard Radiator dictionary (dictionary) includes the old Ascend attributes, and there is an add-on called dictionary.ascend2 which defines the new VSA's. The dictionary files are just simple text files, and in general you should start with the dictionary file and delete from it what you don't need and add to it what you do need. BTW - vendor 429 is USR. hth Hugh On Tuesday 12 June 2001 05:43, Robert G. Fisher wrote: On Mon, Jun 11, 2001 at 02:21:07PM -0400, Pascal Robert wrote: On 5/31/01 19:40, Hugh Irvine [EMAIL PROTECTED] wrote: Now, I have two other problems. The log file reports that Attributes 197 and 255 (Ascend-Xmit-Rate and Ascend-Data-Rate) are missing, even if they do are in the dictionnary (and accounting logs those attributes, strange). Can you please send me the trace 4 debug from Radiator showing what is happening? I'm getting: Sat Jun 2 23:59:26 2001: ERR: Attribute number 38947 (vendor 429) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 197 (vendor 529) is not defined in your dictionary Sat Jun 2 23:59:44 2001: ERR: Attribute number 255 (vendor 529) is not defined in your dictionary You should include the dictionary.ascend2 and dictionary.usr into your dictionary file. vendor 429 is 'USR' and 529 is 'Ascend'. The new dictionary files available with 2.18.2 also include a more thorough USR definition than previous dictionary releases. Another work around, for the Ascend equipment is to check under Ethernet-Mod Config-Auth-Auth Compat Mode, if this is set to 'OLD' it will work with the default dictionary, if it is set to VSA (which I'd recommend) you will need to have the ascend2 dictionary included. Be careful though, each of these dictionary files also include ATTRIBUTE listings, so some attributes may get renamed when the server encounters a second ATTRIBUTE listing, unless you edit these entries out of the combined dictionary file. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in request from DEFAULT ?
On 5/28/01 20:06, Hugh Irvine [EMAIL PROTECTED] wrote:
Hello Pascal -
This is usually due to the shared secrets not being set correctly.
Ok, I resolved this issue. For some reasons, I have some IdenticalClients
lines that were more than 80 chars and it didn't like it.
Now, I have two other problems. The log file reports that Attributes 197
and 255 (Ascend-Xmit-Rate and Ascend-Data-Rate) are missing, even if they do
are in the dictionnary (and accounting logs those attributes, strange).
The other is that all outgoing proxy requests timeout:
*** Received from 212.87.192.40 port 4901
Code: Access-Request
Identifier: 69
Authentic: 1791691792403025143165_240253206kQ
Attributes:
User-Name = [EMAIL PROTECTED]
User-Password = 225Qh16623i243228146:221c252\l/
Wed May 30 13:34:46 2001: DEBUG: Handling request with Handler
'Realm=pa.inter.net'
Wed May 30 13:34:46 2001: DEBUG: Deleting session for
[EMAIL PROTECTED], 212.87.192.40,
Wed May 30 13:34:46 2001: DEBUG: Handling with Radius::AuthRADIUS
Wed May 30 13:34:46 2001: DEBUG: Packet dump:
*** Sending to 38.210.35.139 port 1645
Code: Access-Request
Identifier: 2
Authentic: 1791691792403025143165_240253206kQ
Attributes:
User-Name = [EMAIL PROTECTED]
User-Password =
3\~Uo167187127132182169165136623723=31{?243207
160164179254yruC
Wed May 30 13:34:47 2001: DEBUG: Timed out, retransmitting
Wed May 30 13:34:47 2001: DEBUG: Packet dump:
*** Sending to 38.210.35.139 port 1645
Code: Access-Request
Identifier: 2
Authentic: 1791691792403025143165_240253206kQ
Attributes:
User-Name = [EMAIL PROTECTED]
User-Password =
3\~Uo167187127132182169165136623723=31{?243207
160164179254yruC
Wed May 30 13:34:48 2001: DEBUG: Packet dump:
--
+--+
| Pascal Robert Inter.net Canada |
| |
| Gestionnaire technique de projets /Technical Project Manager |
| |
| http://www.ca.inter.net/[EMAIL PROTECTED] |
+--+
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in request from DEFAULT ?
Hello Pascal - This is usually due to the shared secrets not being set correctly. If you would like to send me a copy of your configuration file (no secrets) together with a trace 4 debug I will take a look. regards Hugh On Tuesday 29 May 2001 03:16, Pascal Robert wrote: Hi, I installed Radiator demo and started doing heavy usage testing. Every logging is working fine but each request returns: Mon May 28 12:47:24 2001: WARNING: Bad authenticator in request from DEFAULT (154.11.30.136) And at the same time, all local requests are working but proxing don't work, this is related ? -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator
Hello Viraj - At 17:18 -0500 1/12/00, Viraj Alankar wrote: Hugh, Actually this client is in our clients file with the correct secret, and we indeed get proper accounting and authentication from it. However, I am also seeing those entries in the log so I'm wondering what it means. In that case I would suspect a NAS bug. regards Hugh -- NB: I am travelling this week, so there may be delays in our correspondence. -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator
Hugh, Actually this client is in our clients file with the correct secret, and we indeed get proper accounting and authentication from it. However, I am also seeing those entries in the log so I'm wondering what it means. Thanks, Viraj. On Wed, 29 Nov 2000, Hugh Irvine wrote: Hello Viraj - On Wed, 29 Nov 2000, Viraj Alankar wrote: Hello, I am noticing in my logs warnings similar to: WARNING: Bad authenticator in request from 1.2.3.4 The manual suggests that if I am gettings these, my accounting requests are not being store, and authentications are OK, to try IgnoreAcctSignature. However, I am getting accounting and authentications just fine, and have verified the secrets are correct. These messages usually occur because the host 1.2.3.4 is not listed in the Clients definitions in Radiator. It is usually some radius device that is firing radius packets indiscriminately. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator
Hello Viraj - On Wed, 29 Nov 2000, Viraj Alankar wrote: Hello, I am noticing in my logs warnings similar to: WARNING: Bad authenticator in request from 1.2.3.4 The manual suggests that if I am gettings these, my accounting requests are not being store, and authentications are OK, to try IgnoreAcctSignature. However, I am getting accounting and authentications just fine, and have verified the secrets are correct. These messages usually occur because the host 1.2.3.4 is not listed in the Clients definitions in Radiator. It is usually some radius device that is firing radius packets indiscriminately. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad Authenticator in request from DEFAULT
Hello Asif - On Wed, 17 May 2000, Asif Rumani wrote: Hello, I have 2 USR NetServers with 16 modem ports each. One out of the two works fine, authentication and accounting are done flawlessly. But the other produces the following error message during accounting-requests. Bad authenticator in request from DEFAULT Any help on the above would be more than welcome.. This is usually due to the shared secret being set incorrectly. Check characters like 1 (one) and l (ell), and 0 (zero) and O (oh). If it is only accouning, you can set the IgnoreAcctSignature in the Client clause (you should check the version of the USR software and upgrade if required). regards Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, Interbiller, TACACS+, PAM, external, etc, etc. Available on Unix, Linux, FreeBSD, Windows 95/98/2000, NT, MacOS X. === Archive at http://www.starport.net/~radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator in reply
Hello Steve - On Sun, 30 Jan 2000, Steve Suehring wrote: Hello- I'm seeing tons of these messages: Sat Jan 29 13:43:29 2000: WARNING: Bad authenticator received in reply to ID 58 Ok, normally you'd say that I would need to add IgnoreAcctSignature. But these are coming from another Radius server from an AuthBy RADIUS portion of a Realm. If I add IgnoreAcctSignature to the AuthBy RADIUS portion for this particular host: 1) Will it even work?* 2) Will it break anything? * = The Manual indicates that IgnoreAcctSignature is a Client level option. I'd normally just try it, but I don't wanna break accounting on this system. The first thing to check is the shared secret for the two ends of the proxy connection. Take particular care with "0/O" (zero, oh) and "1/l" (one, el). You could also try configuring a Client clause for that host (same secret) and adding IgnoreAcctSignature there to see what happens. If neither of these works, could you send us the configuration file and a trace 4 debug showing what is happening. thanks Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad Authenticator
Hello David - On Tue, 05 Oct 1999, David Lloyd wrote: What does it mean to have a bad authenticator in a request? My secrets match up okay, but I"m getting spammed with these. It could be problems with non-conforming Accounting packets. You can set IgnoreAcctSignature in the offending Clients to see if that helps: Client Secret IgnoreAcctSignature /Client See Section 6.4.3 in the Radiator 2.14.1 reference manual. hth Hugh -- Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === Archive at http://www.thesite.com.au/~radiator/ To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad authenticator ?
Hi Tom, On May 11, 5:43pm, tom wrote: Subject: (RADIATOR) Bad authenticator ? Hi all, What does the following error/warning means? I have been getting these every minute. And only from the server 208.245.148.31 Tue May 11 18:28:11 1999: WARNING: Bad authenticator in request from DEFAULT (208.245.148.31) Radiator is complaining that the signature in an accounting request is not valid. It means that either: 1. Your shared secret is incorrect for that NAS 2. The NAS does not implement signatures properly. Fix this by setting IgnoreAcctSignature in your Client clause. Hope that helps. Cheers. Thanks, Tom === To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. -- End of excerpt from tom -- Mike McCauley [EMAIL PROTECTED] Open System Consultants Pty. LtdUnix, Perl, Motif, C++, WWW 24 Bateman St Hampton, VIC 3188 Australia http://www.open.com.au Phone +61 3 9598-0985 Fax +61 3 9598-0955 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, etc etc on Unix, Win95/8, NT, Rhapsody === To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Bad Authenticator
Hi Richard, this error means that Radiator received an accounting packet, and found that the signature in the packet did not agreee with the Radiuas protocol requirements. This can be from one of 2 things: 1. The shared secret in your Nas and Radiator are not the same. This is not likely as it would probably mean all your authentications would fail too. 2. The NAS you are using is one of the handful that do not correctly implement the Radius standard. You can work around this by specifying IgnoreActtSignature in the Client cluase for that NAS. Hope that helps. BTW John at Internet2Exterme has a similar problem, so I have CCd the mailing list. Cheers. --- Mike McCauley [EMAIL PROTECTED] Open System Consultants +61 3 9598 0985 Mike is travelling right now, and there may be delays in our correspondence. -Original Message- From: Richard Hawley [EMAIL PROTECTED] To: [EMAIL PROTECTED] [EMAIL PROTECTED] Date: Tuesday, March 02, 1999 7:10 AM Subject: (RADIATOR) Bad Authenticator Mon Mar 1 13:38:47 1999: WARNING: Bad authenticator in request from DEFAULT (xxx.xxx.xxx.xxx) Im not sure what this means. I assume it means the NAS is passing something to radiator that it does not recognize? The authentication is working. I have users dialing in, but my log is getting filled with this line. Any help would be great. ..Rich -- --- Richard W. Hawley, Network Engineer CyberZone Internet Services http://www.cyberzone.net [EMAIL PROTECTED] --- === To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message. === To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
