Re: (RADIATOR) Why is radiator rejecting auth request ?

1999-07-15 Thread postmaster


Hi,

Radiator still rejects login request from the NAS (Ascend MAX 4000).
I have attached my radius.cfg file (towards the bottom), my users file for
 is like:

fred    User-Password = "fred"
        Service-Type = Framed-User,
        Ascend-Metric = 2,
        Ascend-Assign-IP-Pool = 0,
        Framed-Routing = None,
        Ascend-Idle-Limit = 900


With all the user records in the above format, when a request comes in
from NAS, radiator logs:

*** Received from xxx.xx.xxx.xx port  
Code:   Access-Request
Identifier: 237
Authentic:  <191><184><137><226>]sVK<193>Ht<243>#V<239><231>
Attributes:
User-Name = "fred"
User-Password = "<255>Y{<199><207><204><30><208><153>"
NAS-Identifier = xxx.xxx.xxx.xxx
NAS-Port = 20103
NAS-Port-Type = Async
Service-Type = Login-User
State = ""
Ascend-Third-Prompt = ""
Client-Port-DNIS = "xxx"
Acct-Session-Id = "292382139"

Thu Jul 15 23:12:18 1999: INFO: Duplicate request id 237 received from
xxx.xx.xxx.xx: ignored
Thu Jul 15 23:12:20 1999: DEBUG: Packet dump:


Has any of you seen or experienced any problem like this?

thanks,
[EMAIL PROTECTED]



On Fri, 16 Jul 1999, Mike McCauley wrote:

>Date: Fri, 16 Jul 1999 12:17:08 -0500
>From: Mike McCauley <[EMAIL PROTECTED]>
>To: postmaster <[EMAIL PROTECTED]>
>Subject: Re: (RADIATOR) Why is radiator rejecting auth request ?
>
>On Jul 15,  8:51pm, postmaster wrote:
>> Subject: Re: (RADIATOR) Why is radiator rejecting auth request ?
>>
>> Mike,
>>
>> Even for users who are in my users file, it rejects the login request. No
>> one can log in. Can you please tell me why it's rejecting valid users.
>Hello.
>
>It's very hard to tell what the problem is without more information. The
>information that we need to look at problems is your configuration file (no
>secrets) and your radiator log file at a trace level 4, showing what happens
>inside Radiator.
>
>But, the usual cause of problems like that might be:
>
>1. Users file does not exist, is unreadable etc.
>2. The shared secret configured into Radiator is not correct for your NAS.
>
>It's very hard to tell which (or maybe something else) without the log file.
>
>BTW, it might be better if you address any future questions you
>might have to the Radiator mailing list. That way others can learn
>from the question and answer, and possibly contribute in areas
>where I am not expert. Also, we have other staff on the mailing list
>who can respond when I am not available.
>
>You can join the Radiator mailing list by sending email with the
>single word subscribe in the body (not in the subject line) to
>[EMAIL PROTECTED]
>There is an archive at http://www.thesite.com.au/~radiator/
>
>
>Cheers.
>
>>
>> thanks.
>> [EMAIL PROTECTED]
>>
>> On Wed, 14 Jul 1999, Mike McCauley wrote:
>>
>> >Date: Wed, 14 Jul 1999 16:52:09 -0500
>> >From: Mike McCauley <[EMAIL PROTECTED]>
>> >To: postmaster <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
>> >Subject: Re: (RADIATOR) Why is radiator rejecting auth request ?
>> >
>> >Hello,
>> >
>> >Your config looks fine.
>> >However, Ascends can be configured to query radius for some components of their
>> >internal configuration, and that is what you are seeing.
>> >If you do not wish to use these, you will have to change your MAX
>> >configuration.
>> >
>> >Radiator is correctly rejecting those "pseudo-users" because they are not in
>> >your user database.
>> >
>> >Hope that helps.
>> >
>> >Cheers.
>> >
>> >On Jul 14, 12:11am, postmaster wrote:
>> >> Subject: (RADIATOR) Why is radiator rejecting auth request ?
>> >>
>> >> Hello,
>> >>
>> >> I am using Radiator-2.13.1 on Solaris 2.5.1. I have radiator setup to
>> >> do mSQL Accounting and Auth by File. My radius.cfg is shown below:
>> >>
>> >> Note: NAS is Ascend MAX
>> >>
>-
>> >> Foreground
>> >> LogStdout
>> >> AuthPort        1645
>> >> AcctPort        1646
>> >> LogDir  .
>> >> # LogFile   %L/%Y-logfile
>> >> DbDir   .
>> >> DictionaryFile  %D/dictionary.ascend
>> >> FingerProg  /bin/finger
>> >> Trace 4
>> >>
>
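
Added example (not part of the thread, and not Radiator's code): the second cause in the quoted reply, a shared secret that does not match the NAS, reproduced with the RFC 2865 User-Password hiding scheme used for PAP requests. Decoding with the wrong secret yields non-printable bytes, rendered here in a `<nnn>` notation modelled on the packet dump; the secrets, the authenticator and all function names are constructed for the example.

```python
import hashlib

def _keystream_xor(block: bytes, secret: bytes, prev: bytes) -> bytes:
    """XOR one 16-byte block with MD5(secret + prev) (RFC 2865, section 5.2)."""
    pad = hashlib.md5(secret + prev).digest()
    return bytes(a ^ b for a, b in zip(block, pad))

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS does: pad to a multiple of 16 and chain-XOR each block."""
    size = max(16, -(-len(password) // 16) * 16)
    padded = password.ljust(size, b"\x00")
    out, prev = b"", authenticator
    for i in range(0, size, 16):
        prev = _keystream_xor(padded[i:i + 16], secret, prev)
        out += prev
    return out

def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the server does with the secret configured for that client."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _keystream_xor(block, secret, prev)
        prev = block
    return out.rstrip(b"\x00")

def render(value: bytes) -> str:
    """Show non-printable bytes as <decimal>, modelled on the dump in the thread."""
    return "".join(chr(b) if 0x20 <= b <= 0x7E else f"<{b}>" for b in value)

def secret_mismatch_suspected(decoded: bytes) -> bool:
    """A decoded password with non-printable bytes points at a wrong secret."""
    return any(b < 0x20 or b > 0x7E for b in decoded)

# Constructed values, not taken from the thread.
AUTHENTICATOR = bytes(range(16))
NAS_SECRET = b"secret-on-the-nas"
SERVER_SECRET = b"secret-in-radius-cfg"

if __name__ == "__main__":
    hidden = hide_password(b"fred", NAS_SECRET, AUTHENTICATOR)
    for label, secret in (("matching", NAS_SECRET), ("mismatched", SERVER_SECRET)):
        decoded = unhide_password(hidden, secret, AUTHENTICATOR)
        print(label, render(decoded), secret_mismatch_suspected(decoded))
```

The check is a heuristic: a password that legitimately contains non-ASCII characters also trips it, and CHAP requests do not use this hiding scheme at all.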

Re: (RADIATOR) Why is radiator rejecting auth request ?

1999-07-13 Thread Mike McCauley

Hello,

Your config looks fine.
However, Ascends can be configured to query radius for some components of their
internal configuration, and that is what you are seeing.
If you do not wish to use these, you will have to change your MAX
configuration.

Radiator is correctly rejecting those "pseudo-users" because they are not in
your user database.

Hope that helps.

Cheers.

On Jul 14, 12:11am, postmaster wrote:
> Subject: (RADIATOR) Why is radiator rejecting auth request ?
>
> Hello,
>
> I am using Radiator-2.13.1 on Solaris 2.5.1. I have radiator setup to
> do mSQL Accounting and Auth by File. My radius.cfg is shown below:
>
> Note: NAS is Ascend MAX
> -
> Foreground
> LogStdout
> AuthPort        1645
> AcctPort        1646
> LogDir  .
> # LogFile   %L/%Y-logfile
> DbDir   .
> DictionaryFile  %D/dictionary.ascend
> FingerProg  /bin/finger
> Trace 4
>
> 
> Secret  xxx
> NasType Ascend
> 
>
> 
> AuthByPolicy ContinueUntilAccept
> RewriteUsername tr/[A-Z]/[a-z]/
> MaxSessions 1
> RejectHasReason
> 
> AuthSelect
> DBSource        dbi:mSQL:radius
> AccountingTable ACCOUNTING
> AcctColumnDef   Username,User-Name
> AcctColumnDef  the_date,Timestamp,formatted-date,'%e-%m-%Y'
> AcctColumnDef the_time,Timestamp,formatted-date,'%H:%M:%S'
> AcctColumnDef   NAS_Identifier,NAS-Identifier
> AcctColumnDef   NAS_Port,NAS-Port,integer
> AcctColumnDef   Acct_Status_Type,Acct-Status-Type
> AcctColumnDef   Acct_Delay_Time,Acct-Delay-Time,integer
> AcctColumnDef   Acct_Session_Id,Acct-Session-Id
> AcctColumnDef Acct_Session_Time,Acct-Session-Time,integer
> AcctColumnDef Acct_Input_Octets,Acct-Input-Octets,integer
> AcctColumnDef Acct_Output_Octets,Acct-Output-Octets,integer
> AcctColumnDef   Acct_Term_Cause,Acct-Terminate-Cause
> AcctColumnDef   Framed_Address,Framed-IP-Address
> AcctColumnDef   Framed_Protocol,Framed-Protocol
> AcctColumnDef   Connect_Rate,Ascend-Data-Rate
> AcctColumnDef   Disconnect_Cause,Ascend-Disconnect-Cause
> AcctColumnDef   First_Destination,Ascend-First-Dest
> AcctColumnDef   Client_Port_DNIS,Client-Port-DNIS
> 
> #   If SQL fails then authenticate from flat file
> 
> DefaultSimultaneousUse 1
> Filename ./users
> 
> 
>
> 
> DBSource        dbi:mSQL:radius
>
> AddQuery insert into RADONLINE (Username, Time_Stamp, \
> NAS_Identifier, NAS_Port, Acct_Session_Id, Framed_Address, \
> Nas_Port_Type, Service_Type) values ('%n', %{Timestamp},'%N', \
> %{NAS-Port}, '%{Acct-Session-Id}', '%{Framed-IP-Address}', \
> '%{Port-Type}', '%{Service-Type}')
>
> DeleteQuery delete from RADONLINE where Username='%n' and \
> NAS_Identifier='%N' and NAS_Port=%{NAS-Port}
>
> ClearNasQuery delete from RADONLINE where NAS_Identifier='%N'
>
> CountQuery select NAS_Identifier, NAS_Port, Acct_Session_Id from \
> RADONLINE where Username='%n'
> 
>
>
> ---
>
> This works fine in 'radpwtst'. But when the users connect, I get the following
> errors. Has anyone seen these errors? If so, please let me know:
>
> Note: Note that instead of the actual Username it's sending incorrect data
>   like 'route-max4-1', "pools-max4", "permconn-max4-1" as the
>   username.
>
> PS: the xxx.xxx.xxx.xxx are the actual IP Addresses.
>
> *** Received from xxx.xxx.xxx.xxx port 1025 
> Code:   Access-Request
> Identifier: 1
> Authentic:  ...
> Attributes:
> User-Name = "route-max4-1"
> User-Password = "."
> NAS-Identifier = xxx.xxx.xxx.xxx
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Dialout-Framed-User
>
> Tue Jul 13 23:54:16 1999: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jul 13 23:54:16 1999: DEBUG: Rewrote user name to route-max4-1
> Tue Jul 13 23:54:16 1999: DEBUG: Query is: select NAS_Identifier,
> NAS_Port, Acct_Session_Id from RADONLINE where Username='route-max4-1'
>
> Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthSQL
> Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthFILE
> Tue Jul 13 23:54:16 1999: DEBUG: Radius::AuthFILE looks for match with
> route-max4-1
> Tue Jul 13 23:54:16 1999: INFO: Access rejected for route-max4-1: No such
> user
> Tue Jul 13 23:54:16 1999: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1025 
> Code:   Access-Reject
> Identifier: 1
> Aut

Re: (RADIATOR) Why is radiator rejecting auth request ?

1999-07-13 Thread tom minchin

Just ignore them. Those are special users (see Ascend Max manual or website
for details) which can define stuff like static routes and ip pools via
RADIUS.

[EMAIL PROTECTED]

On Wed, Jul 14, 1999 at 12:11:13AM -0500, postmaster wrote:
> 
> Hello,
> 
> I am using Radiator-2.13.1 on Solaris 2.5.1. I have radiator setup to
> do mSQL Accounting and Auth by File. My radius.cfg is shown below:
> 
> Note: NAS is Ascend MAX
> -
> Foreground
> LogStdout
> AuthPort        1645
> AcctPort        1646
> LogDir  .
> # LogFile   %L/%Y-logfile
> DbDir   .
> DictionaryFile  %D/dictionary.ascend
> FingerProg  /bin/finger
> Trace 4
> 
> 
> Secret  xxx
> NasType Ascend
> 
> 
> 
> AuthByPolicy ContinueUntilAccept
> RewriteUsername tr/[A-Z]/[a-z]/
> MaxSessions 1
> RejectHasReason
> 
> AuthSelect
> DBSource        dbi:mSQL:radius
> AccountingTable ACCOUNTING
> AcctColumnDef   Username,User-Name
> AcctColumnDef  the_date,Timestamp,formatted-date,'%e-%m-%Y'
> AcctColumnDef the_time,Timestamp,formatted-date,'%H:%M:%S'
> AcctColumnDef   NAS_Identifier,NAS-Identifier
> AcctColumnDef   NAS_Port,NAS-Port,integer
> AcctColumnDef   Acct_Status_Type,Acct-Status-Type
> AcctColumnDef   Acct_Delay_Time,Acct-Delay-Time,integer
> AcctColumnDef   Acct_Session_Id,Acct-Session-Id
> AcctColumnDef Acct_Session_Time,Acct-Session-Time,integer
> AcctColumnDef Acct_Input_Octets,Acct-Input-Octets,integer
> AcctColumnDef Acct_Output_Octets,Acct-Output-Octets,integer
> AcctColumnDef   Acct_Term_Cause,Acct-Terminate-Cause
> AcctColumnDef   Framed_Address,Framed-IP-Address
> AcctColumnDef   Framed_Protocol,Framed-Protocol
> AcctColumnDef   Connect_Rate,Ascend-Data-Rate
> AcctColumnDef   Disconnect_Cause,Ascend-Disconnect-Cause
> AcctColumnDef   First_Destination,Ascend-First-Dest
> AcctColumnDef   Client_Port_DNIS,Client-Port-DNIS
> 
> #   If SQL fails then authenticate from flat file
> 
> DefaultSimultaneousUse 1
> Filename ./users
> 
> 
> 
> 
> DBSource        dbi:mSQL:radius
> 
> AddQuery insert into RADONLINE (Username, Time_Stamp, \
> NAS_Identifier, NAS_Port, Acct_Session_Id, Framed_Address, \
> Nas_Port_Type, Service_Type) values ('%n', %{Timestamp},'%N', \
> %{NAS-Port}, '%{Acct-Session-Id}', '%{Framed-IP-Address}', \
> '%{Port-Type}', '%{Service-Type}')
> 
> DeleteQuery delete from RADONLINE where Username='%n' and \
> NAS_Identifier='%N' and NAS_Port=%{NAS-Port}
> 
> ClearNasQuery delete from RADONLINE where NAS_Identifier='%N'
> 
> CountQuery select NAS_Identifier, NAS_Port, Acct_Session_Id from \
> RADONLINE where Username='%n'
> 
> 
> 
> ---
> 
> This works fine in 'radpwtst'. But when the users connect, I get the following
> errors. Has anyone seen these errors? If so, please let me know:
> 
> Note: Note that instead of the actual Username it's sending incorrect data
>   like 'route-max4-1', "pools-max4", "permconn-max4-1" as the
>   username. 
> 
> PS: the xxx.xxx.xxx.xxx are the actual IP Addresses.
> 
> *** Received from xxx.xxx.xxx.xxx port 1025 
> Code:   Access-Request
> Identifier: 1
> Authentic:  ...
> Attributes:
> User-Name = "route-max4-1"
> User-Password = "."
> NAS-Identifier = xxx.xxx.xxx.xxx
> NAS-Port = 0
> NAS-Port-Type = Virtual
> Service-Type = Dialout-Framed-User
> 
> Tue Jul 13 23:54:16 1999: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jul 13 23:54:16 1999: DEBUG: Rewrote user name to route-max4-1
> Tue Jul 13 23:54:16 1999: DEBUG: Query is: select NAS_Identifier,
> NAS_Port, Acct_Session_Id from RADONLINE where Username='route-max4-1'
> 
> Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthSQL
> Tue Jul 13 23:54:16 1999: DEBUG: Handling with Radius::AuthFILE
> Tue Jul 13 23:54:16 1999: DEBUG: Radius::AuthFILE looks for match with
> route-max4-1
> Tue Jul 13 23:54:16 1999: INFO: Access rejected for route-max4-1: No such
> user
> Tue Jul 13 23:54:16 1999: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1025 
> Code:   Access-Reject
> Identifier: 1
> Authentic:  ..
> Attributes:
> Reply-Message = "Request Denied"
> Reply-Message = "No such user"
> 
> Tue Jul 13 23:54:16 1999: DEBUG: Packet dump:
> 
> 
> 
> ==