
List:       gnu-radius-help
Subject:    Re: [Help-gnu-radius] Proxy authentication failure - More info
From:       Sergey Poznyakoff <gray () Mirddin ! farlep ! net>
Date:       2002-09-26 7:25:29

Hi Gary,

I've been away for a while, so I'll try to answer all your letters
at once:

> I keep getting a login failure trying to do a proxy login. i.e. connect 
> to our NAS (Cisco 5300) and do a proxy login to another NT server 
> maintained by a customer. Can anyone decipher the text below and let me 
> know wnything useful.

OK, here it goes:

> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host 
> d40f4002 code=1, id=86, length=100

Your server has received an authentication request (code=1) from
the NAS 212.15.64.2. The contents of the request are: 

> NAS-IP-Address = 212.15.64.2
> NAS-Port-Id = 20
> NAS-Port-Type = Async
> User-Name = username05@daniel.domain.net <mailto:username05@daniel.domain.net>
> Called-Station-Id =1771
> CHAP-Password = \264\346\163\046\305>=F3=E6Q\016
> Service-Type = Framed-User
> Framed-Protocol = PPP

Note the user name. I can't say exactly how it would be processed by
your peer radius, but most configurations will reject it (due to the
<mailto: part). 

Anyway, so far everything seems OK. Now, next line from your logs:

> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from 
> host c2a46b06 code=3, id=0, length=38

Your radiusd has received *authentication reject* (code=3) message
from the peer 194.164.107.6. The only attribute the reject packet
contained was:

> radius.c:443:radrecv: recv: Proxy-State =
> \000\000\000\000\000\000\000\126\000\000\000\000\302\244\153\006

Next:

> Sep 25 15:23:38: Auth.notice: Rejected: [username05@daniel.domain.net]: 
> CLID unknown (from nas access.isp.net.uk)
> Sep 25 15:23:38: Auth.debug: radius.c:113:rad_send_reply: Sending Reject 
> of id 86 to d40f4002 (nas access.isp.net.uk)

Your server has normally passed the reject packet to the NAS.

In sum, the transcript shows a normal interaction between the two
radiuses. You should contact the administrator of 194.164.107.6 to
see exactly why his server rejected the user
username05@daniel.domain.net.

> Can I somehow see why the password is being rejected, or what is being 
> returned by the customer NT proxy server ?

Well, you can see what the peer server returned; as I said, it was
an authentication reject without any special attributes. But the
exact reason why it rejected the authentication can be known only
from the remote server's log files.

> Managed to get some more debug

Great. Basically, it shows the same thing, but with an interesting
technical detail. These are the attributes *actually sent* by your
radius server to the peer:

> NAS-IP-Address = x.x.x.x
> NAS-Port-Id = 5
> NAS-Port-Type = Async
> User-Name = username05@domain.net <mailto:username05@domain.net>
[..the rest omitted..]

Notice that the username is sent unstripped, i.e. with the domain
part. Did you actually intend this? Does your remote peer understand
domain parts in the usernames?

Regards,
Sergey
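The decoding Sergey does by hand above (hex host id to dotted address, numeric
packet code to its RFC 2865 name, octal-escaped Proxy-State octets, and the
realm part of the user name) can be scripted so that a radiusd debug log is
readable at a glance. The following is an added example and not part of the
original thread or of GNU radius itself; the log lines and the Proxy-State
value are copied from the messages above, re-joined onto single lines, and
the mailto residue removal assumes the "<mailto:...>" suffix was appended by
a mail client rather than sent on the wire.

```python
import ipaddress
import re

# Packet codes from RFC 2865; radiusd's radrecv line prints only the number.
RADIUS_CODES = {
    1: "Access-Request",
    2: "Access-Accept",
    3: "Access-Reject",
    11: "Access-Challenge",
}

# Constructed sample: the two radrecv lines quoted in the thread, unwrapped.
SAMPLE_LOG = (
    "Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host "
    "d40f4002 code=1, id=86, length=100\n"
    "Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host "
    "c2a46b06 code=3, id=0, length=38\n"
)

# The Proxy-State attribute of the reject packet, as radiusd printed it
# (non-printable octets are shown as three-digit octal escapes).
SAMPLE_PROXY_STATE = (
    r"\000\000\000\000\000\000\000\126\000\000\000\000\302\244\153\006"
)

RADRECV_RE = re.compile(
    r"radrecv: Request from host (?P<host>[0-9a-fA-F]{8}) "
    r"code=(?P<code>\d+), id=(?P<id>\d+), length=(?P<length>\d+)"
)


def hex_host_to_ip(hex_host):
    """Turn radiusd's 8-hex-digit host id (e.g. d40f4002) into dotted quad."""
    return str(ipaddress.IPv4Address(int(hex_host, 16)))


def parse_radrecv(log_text):
    """Extract every received packet from radrecv debug lines."""
    packets = []
    for m in RADRECV_RE.finditer(log_text):
        code = int(m["code"])
        packets.append({
            "host": hex_host_to_ip(m["host"]),
            "code": code,
            "name": RADIUS_CODES.get(code, "unknown(%d)" % code),
            "id": int(m["id"]),
            "length": int(m["length"]),
        })
    return packets


def decode_octal_escapes(text):
    """Convert a \\ooo-escaped attribute value back into raw bytes."""
    return bytes(int(octet, 8) for octet in re.findall(r"\\([0-7]{3})", text))


def split_username(user_name):
    """Return (user, realm); drops a trailing '<mailto:...>' mail-client artefact.

    Assumption: the mailto suffix came from the sender's mail client, so it is
    removed before splitting on the realm separator.
    """
    cleaned = re.sub(r"\s*<mailto:[^>]*>", "", user_name).strip()
    user, sep, realm = cleaned.partition("@")
    return user, realm if sep else None


def summarize(log_text):
    """One human-readable line per packet, in the order radiusd logged them."""
    return [
        "%s from %s (id=%d, %d bytes)" % (p["name"], p["host"], p["id"], p["length"])
        for p in parse_radrecv(log_text)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
    state = decode_octal_escapes(SAMPLE_PROXY_STATE)
    print("Proxy-State:", state.hex(), "-> trailing octets",
          hex_host_to_ip(state[-4:].hex()))
    print("User-Name split:", split_username(
        "username05@daniel.domain.net <mailto:username05@daniel.domain.net>"))
```

Run against the thread's own lines this prints the Access-Request from
212.15.64.2 followed by the Access-Reject from 194.164.107.6. Decoding the
Proxy-State octets also shows why that attribute is harmless in the reject:
in this transcript octet 7 is 0x56 (86, the id of the NAS request) and the
last four octets are c2a46b06 (the peer's own address), i.e. bookkeeping the
proxy uses to match the reply to the forwarded request, not a reason for the
rejection.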


