Cisco NAS Password problem
Hello: I am new to using Freeradius, and I am using Freeradius 1.1.6 that comes with Ubuntu Server 7.10 I have set up Freeradius with MySQL as the backend database. I set up one of my Cisco 3550 switches to use Radius as the login method. This worked fine, authentication was running through freeradius. All of my Cisco switches are running the same IOS version, and all configured similarly (only port information is different). I then added a second switch to the freeradius client configuration (nas table), and encountered a problem. The password was being rejected. So I ran Freeradius -X so I could see what was going on. On the good password attempt (first switch added) I see something like this: rad_recv: Access-Request packet from host 192.168.x.x:1645, id=9, length=80 NAS-IP-Address = 192.168.x.x NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "username" Calling-Station-Id = "192.168.x.y" User-Password = "decodedpassword" On the failed password attempt (second and now third switch in the list) I see something like this: rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80 NAS-IP-Address = 192.168.x.z NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "username" Calling-Station-Id = "192.168.x.y" User-Password = "r\306\324\333M\014\247\022\363\216K\257`\315#]" The password doesnt appear to get decoded before processing of the auth packet occurs. All of the entries in the nas table include the same NAS type. I've gone thru my configs several times, and I'm not sure what I am missing. Does anyone out there have any ideas? Regards John
On Thursday 25 October 2007 17:26:10 John Morris wrote:
I then added a second switch to the freeradius client configuration (nas table), and encountered a problem. The password was being rejected. So I ran Freeradius -X so I could see what was going on.
On the failed password attempt (second and now third switch in the list) I see something like this:
rad_recv: Access-Request packet from host 192.168.x.z:1645, id=1, length=80 NAS-IP-Address = 192.168.x.z NAS-Port = 1 NAS-Port-Type = Virtual User-Name = "username" Calling-Station-Id = "192.168.x.y" User-Password = "r\306\324\333M\014\247\022\363\216K\257`\315#]"
Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those changes to take effect. Kevin Bonner
Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those changes to take effect. Kevin Bonner Kevin, Thanks for the prompt reply. I went ahead and went to failing switches, cleared the radius-server entries and started from scratch. I had done this before, and it didn't fix the problem. But this time everything is working. It surprises me that the debug output doesn't appear to mention the failure of the NAS secret. I would have thought I would have gotten then that message and that the auth would have stopped there. Regards, John
Is there a way to define NAS info / secrets in a SQL database and have it as part of the standard queries? Am guessing the perl / python options would let you do it from that (pls correct me tho if not right!) but can it just be done without writing code? Tia Andy On 25/10/2007, John Morris <jmorris@rscva.com> wrote:
Debug output like this usually points to non-matching RADIUS secrets. Check the radius secret in your switch config as well as the secret configured in your nas SQL table. Freeradius only reads the nas table on startup, so if you make changes to that table, you must restart the daemon for those changes to take effect.
Kevin Bonner
Kevin,
Thanks for the prompt reply. I went ahead and went to failing switches, cleared the radius-server entries and started from scratch. I had done this before, and it didn't fix the problem. But this time everything is working.
It surprises me that the debug output doesn't appear to mention the failure of the NAS secret. I would have thought I would have gotten then that message and that the auth would have stopped there.
Regards,
John
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
sorry, had read docs in older version (only got round to looking into 2.0.0-pre last night as attempt to answer my own ?) Thanks for quick response! Andy On 26/10/2007, Alan DeKok <aland@deployingradius.com> wrote:
Andy Billington wrote:
Is there a way to define NAS info / secrets in a SQL database
Yes. See the sql.conf file.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
John Morris wrote:
It surprises me that the debug output doesn't appear to mention the failure of the NAS secret.
It does. There's a big WARNING during the authentication portion.
I would have thought I would have gotten then that message and that the auth would have stopped there.
It can't. A binary password *is* technically valid. Alan DeKok.
participants (4)
-
Alan DeKok -
Andy Billington -
John Morris -
Kevin Bonner