bug-gnu-radius

[Bug-gnu-radius] Failure to relay Access-Challenge


From: Gayatri Prabhu
Subject: [Bug-gnu-radius] Failure to relay Access-Challenge
Date: Thu, 22 Aug 2002 10:54:47 -0700 (PDT)

Hi,

I've been using CHAP with gnu-radius to run some tests
and so far I haven't had any major problems with users
getting authenticated/rejected depending on the
configuration. However, when I tried to use Livingston
Menus, I came across a problem where the Proxy failed
to relay an Access-Challenge from the Server back to
the NAS. 

I've attached three files with all the necessary
details (test setup, problem, raddb file contents,
output of radiusd -v, log files). If you need any more
information to understand the problem, or if this is a
setup/configuration error instead of a bug, please let
me know.

Thanks a lot for your help.

Sincerely,
Gayatri

----------------------------------------------------------------------------
----------------------------------------------------------------------------
Setup:

NAS Client <-> RADIUS Proxy <-> RADIUS Server

The NAS Client and the RADIUS Proxy run on server "rigel" 
The RADIUS server runs on server "regulus" 
Ports 1812 & 1813 are used for RADIUS on both servers
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Problem:

# The NAS Client sends an Access Request to the RADIUS Proxy with the following
attributes:

User-Name, CHAP-Password, NAS-IP-Address, NAS-Identifier, NAS-Port-Id

# The RADIUS Proxy forwards this request to the RADIUS Server.

# The RADIUS Server authenticates the user and responds with an 
Access-Challenge (code 11).

# The RADIUS Proxy prints the following in the log file for this message:
Aug 22 12:41:31: Main.notice: unknown request 11

# If the users file on the Server is such that it responds with an Accept
or Reject, then the Proxy relays the message to the NAS, but it doesn't
relay an Access-Challenge.

# The debug statement which prints the log message is in radiusd/radiusd.c 
in the function radrespond(). The RT_ACCESS_CHALLENGE case does not seem 
to be handled in the first switch statement in this function. 

# All the messages with their contents were verified by using ethereal on
the network interfaces.
----------------------------------------------------------------------------
----------------------------------------------------------------------------
Output of radiusd -v on rigel & regulus:

radiusd: GNU Radius version 0.96.3 (i686-pc-linux-gnu)
Compilation platform: linux 
Debugging flags: MAINTAINER_MODE 
Compilation flags: PWD_SHADOW USE_SERVER_GUILE USE_SNMP USE_LIVINGSTON_MENUS 
Ports in use:
 AUTH: 1812
 ACCT: 1813
Paths:
 configuration directory: /usr/local/etc/raddb
 logging directory:       /var/log
 accounting directory:    /var/log/radacct
 pidfile:                 /var/run/radiusd.pid

Report bugs to <address@hidden>
----------------------------------------------------------------------------
----------------------------------------------------------------------------
These are the contents of the files on rigel that were changed from the 
defaults. The rest of the files in raddb are unchanged.

###########################################
Contents of client.conf file on RADIUS Proxy:
###########################################
source_ip 127.0.0.1
server rigel 192.168.1.100 secret 1812 1813
timeout 5
retry 1

###########################################
Contents of config file on RADIUS Proxy:
###########################################
# A minimum config file. See config.syntax for explanation of 
# the syntax.
#
option {
        usr2delay 30;
        max-requests 127;
        # Uncomment and edit these if you need to:
        log-dir "/var/log";
        acct-dir "/var/acct";
        source-ip 192.168.1.100;
};

logging {
        channel default {
                file "radiusproxy.log";
                print-category yes;
                print-level yes;
        };
        channel info {
                file "radiusproxy.info";
                print-pid yes;
                print-level yes;
        };      
        channel debug {
                file "radiusproxy.debug";
                print-level yes;
        };
        channel notice {
                file "radiusproxy.notice";
                print-level yes;
        };
        category auth {
                print-auth yes;
                print-failed-pass yes;
                print-pass no;
        };
        category info {
                channel info;
                print-pass no;
        };
        category notice {
                channel notice;
                print-pass no;
        };
        category debug {
                channel debug;
                level radiusd, proxy, files, auth;
                print-pass no;
        };
        category * {
                channel default;
                print-pass no;
        };
};

auth {
        max-requests 127;
        detail yes;
        strip-names yes;
        checkrad-assume-logged yes;
        request-cleanup-delay 5;
        listen 192.168.1.100:1812;
        port 1812;
        time-to-live 10;
        spawn yes;
};

acct {
        max-requests 127;
        request-cleanup-delay 5;
        listen 192.168.1.100:1813;
        port 1813;
        time-to-live 10;
        spawn yes;
        detail yes;
};

proxy {
        max-requests 127;
        request-cleanup-delay 5;
};

# Guile interface configuration
guile {
        debug yes;
        load-path "/usr/share/guile/1.4/ice-9";
        load "debug.scm";
};

# Reply Messages
message {
        account-closed "\r\nSorry, your account is currently closed\r\n";
        password-expired "\r\nPassword Has Expired\r\n";
        password-expire-warning
              "\r\nPassword Will Expire in %R{Password-Expire-Days} Days\r\n";
        access-denied "\r\nAccess denied\r\n";
        realm-quota "\r\nRealm quota exceeded - access denied\r\n";
        multiple-login
"\r\nYou are already logged in %R{Simultaneous-Use} times - access denied\r\n";
        second-login "\r\nYou are already logged in - access denied\r\n";
        timespan-violation "\r\nYou are calling outside your allowed timespan\r\n";
};

###########################################
Contents of clients file on RADIUS Proxy:
###########################################

# This is a list of clients which are allowed to make authentication
# requests.
# Each record consists of two fields:
#       i.  Valid hostname.
#       ii. The shared encryption key for this hostname.
#
#Client Name            Key
#----------------       -------------------
localhost               secret
regulus                 12345

###########################################
Contents of naslist file on RADIUS Proxy:
###########################################
#
# This file contains a list of Network Access Servers (NAS) known
# to radiusd.
#
# Each record consists of following fields:
#
# i.    A valid hostname or IP address for the client.
# ii.   The short name to use in the logfiles for this NAS.
# iii.  Type of device. Valid values are those listed in
#       /etc/raddb/nastypes file. Two types are predefined:
#       true            Means no check will be made and 1 code
#                       will be returned,
#       false           Means no check will be made and 0 code
#                       will be returned.
# ** The following is optional:
# iv.   Additional arguments to query NAS with. Multiple arguments
# should be separated by commas (,) with no intervening whitespace.
# Currently radiusd recognizes following arguments (S means string,
# N - number):
#   a. Common arguments:
#     port=N            Use port number N instead of the default
#     password=S        Use password (community for snmp)
#   b. Method snmp arguments
#     retries=N         Retry N times before giving up
#     timeout=N         Timeout N seconds on each retry
#     community=S       Use community S 
#   c. Method finger arguments
#     arg=S             Argument to query for. By default it is %u
#                       (username).       
#     tcp=0             Disable the use of T/TCP for hosts with
#                       a broken TCP implementation.
#       
        
# NAS Name              Short Name      Type            Checkrad flags
#----------------       ----------      ----            ---------------
localhost               localhost       true

###########################################
Contents of realms file on RADIUS Proxy:
###########################################
#
# This file contains a list of realms. When a user logs in with @realm
# as the last part of the loginname, the realm part is looked up in this
# file. If found, the request is sent to the listed remote radius server.
#
# Each record consists of following fields:
#
#       i.   Realm name.
#       ii.  Hostname. Optional is :port to use a non-standard port. 
#            In that case, port is the authentication port and the
#            accounting port is taken as port + 1.
#            A reserved word LOCAL means the logins for this realm must
#            be processed locally.
#       iii. (optional) flag. This can be either strip, meaning to strip
#            the realm name off the full user name (the default), or
#            nostrip, meaning the realm should not be stripped.


# Realm                 Remote server[:port[:port]]     flags
#----------------       ---------------------           --------
altigy.com              regulus.altigy.com:1812         strip

###########################################
Contents of users file on RADIUS Proxy:
###########################################
# This is the users database

anyuser         Auth-Type = Reject
                NULL

----------------------------------------------------------------------------
----------------------------------------------------------------------------
These are the contents of the files on regulus that were changed from the 
defaults. The rest of the files in raddb are unchanged.

###########################################
Contents of config file on RADIUS Server:
###########################################
# A minimum config file. See config.syntax for explanation of 
# the syntax.
#
option {
        usr2delay 30;
        max-requests 127;
        # Uncomment and edit these if you need to:
        log-dir "/var/log";
        acct-dir "/var/acct";
        source-ip 192.168.1.20;
};

logging {
        channel default {
                file "radiusserver.log";
                print-category yes;
                print-level yes;
        };
        channel info {
                file "radiusserver.info";
                print-pid yes;
                print-level yes;
        };      
        channel debug {
                file "radiusserver.debug";
                print-level yes;
        };
        channel notice {
                file "radiusserver.notice";
                print-level yes;
        };
        category auth {
                print-auth yes;
                print-failed-pass yes;
                print-pass no;
        };
        category info {
                channel info;
                print-pass no;
        };
        category notice {
                channel notice;
                print-pass no;
        };
        category debug {
                channel debug;
                level radiusd, proxy, files, auth;
                print-pass no;
        };
        category * {
                channel default;
                print-pass no;
        };
};

auth {
        max-requests 127;
        detail yes;
        strip-names yes;
        checkrad-assume-logged yes;
        request-cleanup-delay 5;
        listen 192.168.1.20:1812;
        port 1812;
        time-to-live 10;
        spawn yes;
};

acct {
        max-requests 127;
        request-cleanup-delay 5;
        listen 192.168.1.20:1813;
        port 1813;
        time-to-live 10;
        spawn yes;
        detail yes;
};

proxy {
        max-requests 127;
        request-cleanup-delay 5;
};

# Guile interface configuration
guile {
        debug yes;
        load-path "/usr/share/guile/1.4/ice-9";
        load "debug.scm";
};

# Reply Messages
message {
        account-closed "\r\nSorry, your account is currently closed\r\n";
        password-expired "\r\nPassword Has Expired\r\n";
        password-expire-warning
              "\r\nPassword Will Expire in %R{Password-Expire-Days} Days\r\n";
        access-denied "\r\nAccess denied\r\n";
        realm-quota "\r\nRealm quota exceeded - access denied\r\n";
        multiple-login
"\r\nYou are already logged in %R{Simultaneous-Use} times - access denied\r\n";
        second-login "\r\nYou are already logged in - access denied\r\n";
        timespan-violation "\r\nYou are calling outside your allowed timespan\r\n";
};

###########################################
Contents of clients file on RADIUS Server:
###########################################

# This is a list of clients which are allowed to make authentication
# requests.
# Each record consists of two fields:
#       i.  Valid hostname.
#       ii. The shared encryption key for this hostname.
#
#Client Name            Key
#----------------       -------------------
rigel                   12345

###########################################
Contents of naslist file on RADIUS Server:
###########################################
#
# This file contains a list of Network Access Servers (NAS) known
# to radiusd.
#
# Each record consists of following fields:
#
# i.    A valid hostname or IP address for the client.
# ii.   The short name to use in the logfiles for this NAS.
# iii.  Type of device. Valid values are those listed in
#       /etc/raddb/nastypes file. Two types are predefined:
#       true            Means no check will be made and 1 code
#                       will be returned,
#       false           Means no check will be made and 0 code
#                       will be returned.
# ** The following is optional:
# iv.   Additional arguments to query NAS with. Multiple arguments
# should be separated by commas (,) with no intervening whitespace.
# Currently radiusd recognizes following arguments (S means string,
# N - number):
#   a. Common arguments:
#     port=N            Use port number N instead of the default
#     password=S        Use password (community for snmp)
#   b. Method snmp arguments
#     retries=N         Retry N times before giving up
#     timeout=N         Timeout N seconds on each retry
#     community=S       Use community S 
#   c. Method finger arguments
#     arg=S             Argument to query for. By default it is %u
#                       (username).       
#     tcp=0             Disable the use of T/TCP for hosts with
#                       a broken TCP implementation.
#       
        
# NAS Name              Short Name      Type            Checkrad flags
#----------------       ----------      ----            ---------------
rigel                   rigel           true

###########################################
Contents of realms file on RADIUS Server:
###########################################
#
# This file contains a list of realms. When a user logs in with @realm
# as the last part of the loginname, the realm part is looked up in this
# file. If found, the request is sent to the listed remote radius server.
#
# Each record consists of following fields:
#
#       i.   Realm name.
#       ii.  Hostname. Optional is :port to use a non-standard port. 
#            In that case, port is the authentication port and the
#            accounting port is taken as port + 1.
#            A reserved word LOCAL means the logins for this realm must
#            be processed locally.
#       iii. (optional) flag. This can be either strip, meaning to strip
#            the realm name off the full user name (the default), or
#            nostrip, meaning the realm should not be stripped.


# Realm                 Remote server[:port[:port]]     flags
#----------------       ---------------------           --------

###########################################
Contents of users file on RADIUS Server:
###########################################
user1name
Auth-Type = Local,
Password = "user1pass"
Menu = "ispmenu"
#
user2name
Auth-Type = Local,
Password = "user2pass"
Menu = "ispmenu"
#
user3name
Auth-Type = Local,
Password = "user3pass"
Menu = "ispmenu"
#
user4name
Auth-Type = Local,
Password = "user4pass"
Menu = "ispmenu"
#
user5name
Auth-Type = Local,
Password = "user5pass"
Menu = "ispmenu"

###########################################
Contents of menus/ispmenu file on RADIUS Server:
###########################################
menu

       Please enter an option:

       1 Start PPP session
       2 Exit

       Option:
end

1
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Framed-IP-Address = 255.255.255.254,
        Framed-Routing = None,
        Framed-Compression = Van-Jacobson-TCP-IP,
        Framed-MTU = 1500
#
2
        Menu = "EXIT"
DEFAULT
        Menu = "ispmenu"
----------------------------------------------------------------------------
----------------------------------------------------------------------------

Attachment: radiusproxy.log
Description: radiusproxy.log

Attachment: radiusserver.log
Description: radiusserver.log
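
As an added illustration (not GNU Radius code and not part of the original report), a minimal RADIUS reply dispatcher in Python showing what a proxy has to do with a server reply: check the Response Authenticator against the shared secret, then relay Access-Accept, Access-Reject and Access-Challenge alike, the challenge carrying the Reply-Message and State attributes that a menu dialogue depends on. The `relay_challenge` flag reproduces the fall-through described above (code 11 only logged, never relayed); the secret `12345` is taken from the clients files in the report, while the Request Authenticator and attribute contents are constructed sample values.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes, plus the two attributes a Livingston-style menu challenge
# carries: Reply-Message (menu text) and State (echoed back by the NAS).
ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
REPLY_MESSAGE, STATE = 18, 24
REPLY_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
               ACCESS_CHALLENGE: "Access-Challenge"}

def attr(atype, value):
    """Encode one attribute as Type(1) Length(1) Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def parse_attrs(data):
    """Decode an attribute list; raise ValueError on a malformed length."""
    out, pos = [], 0
    while pos < len(data):
        alen = data[pos + 1] if pos + 1 < len(data) else 0
        if alen < 2 or pos + alen > len(data):
            raise ValueError("malformed attribute at offset %d" % pos)
        out.append((data[pos], data[pos + 2:pos + alen]))
        pos += alen
    return out

def build_reply(code, ident, request_auth, attrs, secret):
    """Server side. Response Authenticator (RFC 2865 section 3) is
    MD5(Code + ID + Length + RequestAuthenticator + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs

def proxy_dispatch(packet, request_auth, secret, relay_challenge=True):
    """Proxy side: validate the server reply, then decide what to do with it.
    Returns (action, attributes). relay_challenge=False reproduces the bug
    reported here: code 11 falls through the switch and is only logged."""
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length != len(packet):
        return ("drop: bad length", [])
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return ("drop: bad Response Authenticator", [])
    attrs = parse_attrs(packet[20:])
    if code in REPLY_NAMES and (relay_challenge or code != ACCESS_CHALLENGE):
        return ("relay %s to NAS" % REPLY_NAMES[code], attrs)
    return ("log: unknown request %d" % code, attrs)

if __name__ == "__main__":
    # Constructed sample: shared secret from the report, fixed Request Authenticator,
    # and a challenge carrying the menu prompt plus an opaque State value.
    secret, req_auth = b"12345", bytes(range(16))
    menu = attr(REPLY_MESSAGE, b"Please enter an option:") + attr(STATE, b"ispmenu")
    pkt = build_reply(ACCESS_CHALLENGE, 7, req_auth, menu, secret)
    print(proxy_dispatch(pkt, req_auth, secret)[0])                        # relay Access-Challenge to NAS
    print(proxy_dispatch(pkt, req_auth, secret, relay_challenge=False)[0])  # log: unknown request 11
```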

