help-gnu-radius

Re: [Help-gnu-radius] Proxy authentication failure - More info


From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Proxy authentication failure - More info
Date: Thu, 26 Sep 2002 10:25:29 +0300

Hi Gary,

I've been away for a while, so I'll try to answer all your letters
at once:

> I keep getting a login failure trying to do a proxy login. i.e. connect 
> to our NAS (Cisco 5300) and do a proxy login to another NT server 
> maintained by a customer. Can anyone decipher the text below and let me 
> know anything useful.

OK, here it goes:

> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host 
> d40f4002 code=1, id=86, length=100

Your server has received an authentication request (code=1) from
the NAS 212.15.64.2. The contents of the request are:

> NAS-IP-Address = 212.15.64.2
> NAS-Port-Id = 20
> NAS-Port-Type = Async
> User-Name = address@hidden <mailto:address@hidden>
> Called-Station-Id =1771
> CHAP-Password = \264\346\163\046\305>=F3=E6Q\016
> Service-Type = Framed-User
> Framed-Protocol = PPP

Note the user name. I can't say exactly how it would be processed by
your peer radius, but most configurations will reject it (due to the
<mailto: part). 

Anyway, so far everything seems OK. Now, next line from your logs:

> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from
> host c2a46b06 code=3, id=0, length=38

Your radiusd has received *authentication reject* (code=3) message
from the peer 194.164.107.6. The only attribute the reject packet
contained was:

> radius.c:443:radrecv: recv: Proxy-State =
> \000\000\000\000\000\000\000\126\000\000\000\000\302\244\153\006

Next:

> Sep 25 15:23:38: Auth.notice: Rejected: address@hidden:
> CLID unknown (from nas access.isp.net.uk)
> Sep 25 15:23:38: Auth.debug: radius.c:113:rad_send_reply: Sending Reject
> of id 86 to d40f4002 (nas access.isp.net.uk)

Your server has normally passed the reject packet to the NAS.

In sum, the transcript shows a normal interaction between the two
radiuses. You should contact the administrator of 194.164.107.6 to
see exactly why his server rejected the user
address@hidden.

> Can I somehow see why the password is being rejected, or what is being 
> returned by the customer NT proxy server ?

Well, you can see what the peer server returned; as I said, it was
an authentication reject without any special attributes. But the
exact reason why it rejected the authentication can be known only
from the remote server's log files.

> Managed to get some more debug

Great. Basically, it shows the same thing, but with an interesting
technical detail. These are the attributes *actually sent* by your
radius server to the peer:

> NAS-IP-Address = x.x.x.x
> NAS-Port-Id = 5
> NAS-Port-Type = Async
> User-Name = address@hidden <mailto:address@hidden>
[..the rest omitted..]

Notice that the username is sent unstripped, i.e. with the domain
part. Did you actually intend this? Does your remote peer understand
domain parts in the usernames?

Regards,
Sergey



