Subject: Q: RADIUS
To: None <netbsd-help@netbsd.org>
From: Markus A. Boeing <markus@boeing-online.de>
List: netbsd-help
Date: 06/30/2001 17:02:57
Ladies and Gents,
may I ask for your advice regarding RADIUS on a DEC Alpha running NetBSD 1.5?
I do have a couple of Cisco routers and I want to use RADIUS to
authenticate access to the boxes. The AAA thing works nicely against
Cistron RADIUS on a Linux box but now I want to provide RADIUS from my lab
Alpha. So I installed the Merit AAA server using pgk_add, modified the
files "clients" and "users", and fired up radiusd. Unfortunately I can not
successfully authenticate against RADIUS on the NetBSD machine. I verified
(a couple of times:) that I am using the correct password and RADIUS key.
The router configuration is ok (=> at least it works against another RADIUS
server). I think the configuration of Merit AAA is ok as well (I added the
routers to "clients". I added 'DEFAULT Authentication-Type = Unix-PW,
Filter-Id = "unlim"' to "users").
Am I missing something obvious? Anybody out there using RADIUS on an Alpha?
I've attached output from "debug radius" on the router, and the "-x" output
from radiusd.
Any hint is very welcome.
TIA
/Markus.
1) This is a login attempt to the router using an account/password tuple in
/etc/passwd.
Beta#deb radius
Radius protocol debugging is on
Beta#term moni
Beta#! This is using account markus, should be using /etc/passwd
Jun 24 14:12:37.007: RADIUS: ustruct sharecount=1
Jun 24 14:12:37.011: Radius: radius_port_info() success=1 radius_nas_port=1
Jun 24 14:12:37.019: RADIUS: Initial Transmit tty3 id 3
192.168.16.201:1812, Access-Request, len 80
Jun 24 14:12:37.019: Attribute 4 6 C0A82002
Jun 24 14:12:37.023: Attribute 5 6 00000003
Jun 24 14:12:37.023: Attribute 61 6 00000005
Jun 24 14:12:37.027: Attribute 1 8 6D61726B
Jun 24 14:12:37.027: Attribute 31 16 3139322E
Jun 24 14:12:37.031: Attribute 2 18 7932B486
Jun 24 14:12:37.071: RADIUS: Received from id 3 192.168.16.201:1812,
Access-Reject, len 135
Jun 24 14:12:37.075: Attribute 4 6 C0A82002
Jun 24 14:12:37.075: Attribute 5 6 00000003
Jun 24 14:12:37.079: Attribute 61 6 00000005
Jun 24 14:12:37.079: Attribute 1 8 6D61726B
Jun 24 14:12:37.083: Attribute 31 16 3139322E
Jun 24 14:12:37.083: Attribute 2 18 7932B486
Jun 24 14:12:37.087: Attribute 222 8 6D61726B
Jun 24 14:12:37.087: Attribute 32 16 62657461
Jun 24 14:12:37.091: Attribute 11 7 756E6C69
Jun 24 14:12:37.091: Attribute 18 24 41757468
Jun 24 14:12:37.095: RADIUS: Response (3) failed decrypt
Jun 24 14:12:37.099: RADIUS: Reply for 3 fails decrypt
And this is what radius.debug thinks about it:
Program = radiusd
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "markus" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd"
[flags = 0x00004500]
get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id =
3, len = 80
unix_pass: ID = 'markus'
unix_pass: encrypted passwords do not match
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "markus" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password = "y2\0xb4\0x86\n~xS\0xc5h\0x1f;\0xd3\0x8f\0xdd\0xdd"
[flags = 0x00004500]
User-Id = "markus" [flags = 0x00000400]
NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]
Filter-Id = "unlim" [flags = 0x00004400]
Reply-Message = "Authentication failure" [flags = 0x00004000]
send_reply: Authentication: 3/0 'markus' from beta.brest.lab port 3
2) This is a login attempt to the router using an account/password tuple in
"users".
Beta#
Beta#! This is using account labdog - should be using password from the
file users
Beta#
Jun 24 14:19:30.744: RADIUS: ustruct sharecount=1
Jun 24 14:19:30.744: Radius: radius_port_info() success=1 radius_nas_port=1
Jun 24 14:19:30.752: RADIUS: Initial Transmit tty3 id 4
192.168.16.201:1812, Access-Request, len 80
Jun 24 14:19:30.756: Attribute 4 6 C0A82002
Jun 24 14:19:30.756: Attribute 5 6 00000003
Jun 24 14:19:30.760: Attribute 61 6 00000005
Jun 24 14:19:30.760: Attribute 1 8 6C616264
Jun 24 14:19:30.764: Attribute 31 16 3139322E
Jun 24 14:19:30.764: Attribute 2 18 520EB2B4
Jun 24 14:19:30.777: RADIUS: Received from id 4 192.168.16.201:1812,
Access-Reject, len 135
Jun 24 14:19:30.781: Attribute 4 6 C0A82002
Jun 24 14:19:30.781: Attribute 5 6 00000003
Jun 24 14:19:30.785: Attribute 61 6 00000005
Jun 24 14:19:30.785: Attribute 1 8 6C616264
Jun 24 14:19:30.789: Attribute 31 16 3139322E
Jun 24 14:19:30.789: Attribute 2 18 520EB2B4
Jun 24 14:19:30.793: Attribute 222 8 6C616264
Jun 24 14:19:30.793: Attribute 32 16 62657461
Jun 24 14:19:30.797: Attribute 11 7 756E6C69
Jun 24 14:19:30.797: Attribute 18 24 41757468
Jun 24 14:19:30.801: RADIUS: Response (4) failed decrypt
Jun 24 14:19:30.805: RADIUS: Reply for 4 fails decrypt
And here is radius.debug again:
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password =
"R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags =
0x00004500]
get_radrequest: Request from c0a82002 (beta.brest.lab[1645]) access, id =
4, len = 80
NAS-IP-Address = 192.168.32.2 [flags = 0x00004500]
NAS-Port = 3 [flags = 0x00004500]
NAS-Port-Type = Virtual [flags = 0x00004500]
User-Name = "labdog" [flags = 0x00004500]
Calling-Station-Id = "192.168.16.200" [flags = 0x00004500]
User-Password =
"R\0x0e\0xb2\0xb4\0x82\0xd42&\0x0b-\0x1a\0x9c\0xb6\0x01R\0xc7" [flags =
0x00004500]
User-Id = "labdog" [flags = 0x00000400]
NAS-Identifier = "beta.brest.lab" [flags = 0x00004500]
Filter-Id = "unlim" [flags = 0x00004400]
Reply-Message = "Authentication failure" [flags = 0x00004000]
send_reply: Authentication: 4/1 'labdog' from beta.brest.lab port 3
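The two symptoms in the attached logs ("encrypted passwords do not match" on radiusd, "Reply for N fails decrypt" on the router) are exactly what a shared-secret mismatch between the "clients" entry and the router's radius-server key looks like, because RFC 2865 uses the secret both to hide User-Password and to compute the Response Authenticator. This is an added illustration, not code from the post or from Merit AAA; the secrets, password and Request Authenticator are constructed.

```python
# Added example: RFC 2865 User-Password hiding and Response Authenticator
# checking, to show how one wrong shared secret produces both log messages.
import hashlib
import os

ACCESS_REJECT = 3


def hide_password(password: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-octet blocks, XOR each block with
    MD5(secret + previous block), seeded by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def unhide_password(hidden: bytes, secret: bytes, req_auth: bytes) -> bytes:
    """Server side: regenerate the same key stream and XOR back.
    With the wrong secret the result is garbage, so unix_pass() fails."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def response_authenticator(code: int, ident: int, attrs: bytes,
                           req_auth: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = bytes([code, ident]) + (20 + len(attrs)).to_bytes(2, "big")
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def simulate(nas_secret: bytes, server_secret: bytes,
             password: bytes = b"constructed-pw") -> dict:
    """One Access-Request / Access-Reject round trip; reports what each side sees."""
    req_auth, ident = os.urandom(16), 3          # constructed request
    hidden = hide_password(password, nas_secret, req_auth)
    seen = unhide_password(hidden, server_secret, req_auth)   # server's view
    # Reply-Message "Authentication failure" (attribute 18, length 24 as in the log)
    reply_attrs = bytes([18, 24]) + b"Authentication failure"
    sent = response_authenticator(ACCESS_REJECT, ident, reply_attrs,
                                  req_auth, server_secret)
    # The NAS recomputes with *its* secret; a mismatch is Cisco's "fails decrypt".
    expected = response_authenticator(ACCESS_REJECT, ident, reply_attrs,
                                      req_auth, nas_secret)
    return {"password_matches": seen == password, "reply_verifies": sent == expected}
```

With matching secrets both checks pass; with differing secrets the server sees a garbled password and the router rejects the reply, which is the combination shown in both traces above.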