User Problem with Cisco Nexus 4.x
Hi, I have a little problem. I have two devices within the same huntgroup, but i get in trouble with one of them. Both are Cisco Nexus, but there is one difference: The working one has NXOS 5.x, the one that is not working as expected NXOS 4.x Why is the right line in the users file found for the working device (line 67), but not found for the other device (line 136)? While both devices are in the same huntgroup and both requests look identically? Any ideas? Am i just blind? The interesting part is, that both requests look identical (even in tcpdump!). But the answer paket always shows a "bad udp checksum" when i´m not able to log in. 17:33:57.201238 IP (tos 0x0, ttl 64, id 1280, offset 0, flags [none], proto: UDP (17), length: 48) radius-server.datametrics > 10.48.137.62 .40077: [bad udp cksum 2dde!] RADIUS, length: 20 Access Reject (3), id: 0x17, Authenticator: 436530c99d29615e3a35aa878275a97d Is it possible that this causes my problem? Jan Huntgroups: ================================ nexus NAS-IP-Address == 10.48.141.157 nexus NAS-IP-Address == 10.48.137.62 Users: ================================ Line 67 ff: test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6 " Login-Service = Telnet, Vendor-Specific = 9, Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\"" Line 136: DEFAULT Auth-Type := Reject Not Working: ================================ rad_recv: Access-Request packet from host 10.48.137.62 port 7032, id=63, length=62 User-Name = "test" User-Password = "test" NAS-Port-Type = Virtual NAS-Port = 3002 NAS-IP-Address = 10.48.137.62 +- entering group authorize {...} ++[preprocess] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry DEFAULT at line 136 ++[files] returns ok [ldap] performing user authorization for test [ldap] expand: (uid=%u) -> (uid=test) [ldap] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = Reject Auth-Type = Reject, rejecting user Failed to authenticate the user. Login incorrect (rlm_ldap: User not found): [test] (from client RZ-XXX port 3002) Using Post-Auth-Type Reject +- entering group REJECT {...} [attr_filter.access_reject] expand: %{User-Name} -> test attr_filter: Matched entry DEFAULT at line 11 ++[attr_filter.access_reject] returns updated Sending Access-Reject of id 63 to 10.48.137.62 port 7032 Finished request 20. Going to the next request Waking up in 4.9 seconds. Working: ================================ rad_recv: Access-Request packet from host 10.48.141.157 port 48132, id=229, length=62 User-Name = "test" User-Password = "test" NAS-Port-Type = Virtual NAS-Port = 3019 NAS-IP-Address = 10.48.141.157 +- entering group authorize {...} ++[preprocess] returns ok rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 rlm_ldap: Entering ldap_groupcmp() [files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW [files] expand: (uid=%u) -> (uid=test) rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed rlm_ldap: ldap_release_conn: Release Id: 0 [files] users: Matched entry test at line 67 ++[files] returns ok [ldap] performing user authorization for test [ldap] expand: (uid=%u) -> (uid=test) [ldap] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW rlm_ldap: ldap_get_conn: Checking Id: 0 rlm_ldap: ldap_get_conn: Got Id: 0 rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test) rlm_ldap: object not found [ldap] search failed rlm_ldap: ldap_release_conn: Release Id: 0 ++[ldap] returns notfound [pap] Normalizing MD5-Password from hex encoding [pap] Found existing Auth-Type, not changing it. ++[pap] returns noop Found Auth-Type = PAP +- entering group PAP {...} [pap] login attempt with password "test" [pap] Using MD5 encryption. [pap] User authenticated successfully ++[pap] returns ok Login OK: [test] (from client RZ-XXX port 3019) WARNING: Empty section. Using default return values. Sending Access-Accept of id 229 to 10.48.141.157 port 48132 Login-Service = Telnet Vendor-Specific = 0x39 Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\"" Finished request 17. Going to the next request Waking up in 4.9 seconds.
On 07/13/2011 05:40 PM, Jan.Gnepper@t-systems.com wrote:
Access Reject (3), id: 0x17, Authenticator: 436530c99d29615e3a35aa878275a97d Is it possible that this causes my problem?
No, this is just due to checksum offload. Ignore it.
Jan Huntgroups: ================================ nexus NAS-IP-Address == 10.48.141.157 nexus NAS-IP-Address == 10.48.137.62 Users: ================================ Line 67 ff:
Are you absolutely sure that: 1. This file really says exactly this, and 2. FreeRADIUS is reading this file - have you check you aren't editing the wrong file? Have you restarted FreeRADIUS after editing it? The requests look identical. However, your "users" file is obviously complex; you must have a lot of "LDAP-Group" comparisons earlier in it. I suggest emptying the file and starting simple, with just two entries - the "test" user and the default reject.
test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password :=
Don't set Auth-Type to PAP. Let the "pap" module handle this.
participants (2)
-
Jan.Gnepper@t-systems.com -
Phil Mayers