still not working (newbie for radius)

gahn ipfreak at yahoo.com
Mon Sep 20 19:07:08 CEST 2010 

Thanks.

the clients, in my case, are those juniper devices. the configuration is fairly straightforward:

radius-server {
    192.168.255.128 secret testing123
}

class operator-local {
    permissions view-configuration;
}

user remote {
    uid 3000;
    class operator-local;
}

for "users", i have only this:

bob     Cleartext-Password := "bob" 

by default, the user "bob" in radius server will be mapped to juniper user local user "remote".

yes the server is working but not configurations of the server. i checked with the file "dirctory" and I have the required line for juniper-specific in it:

$INCLUDE   /usr/local/share/freeradius/dictionary.juniper

also i bought the book of "radius" and read some of it. as those docs online, the book doesn't seem to be very accurate. guess it has been ther since 2002 and it hasn't changed over the years. obviously the book/online docs don't get updated that much...


i removed this line "nastype = juniper" in clients.conf and now no more duplicate messages any more. 

as to the "NAS-Identifier" and "NAS-IP-Address", i don't know why they show up together



--- On Sun, 9/19/10, Michael Lecuyer <mjl at iterpacis.org> wrote:

> From: Michael Lecuyer <mjl at iterpacis.org>
> Subject: Re: still not working (newbie for radius)
> To: "FreeRadius users mailing list" <freeradius-users at lists.freeradius.org>
> Date: Sunday, September 19, 2010, 9:53 PM
> I'm merely speculating that your SSH
> client is rejecting the response 
> where the User-Name & Juniper-Local-User-Name for 'bob'
> but accepts the 
> name 'labrat' and response name 'labrat'.
> 
>  > well, i don't have user "labrat" configured in file
> "users" on the
>  > radius server.
> 
> KISS:
> Set up the server to test the Juniper-Local-User-Name
> responses. You 
> might consider testing just that side of things 'til you
> figure out the 
> pattern. This part is not a RADIUS problem.
> 
> BTW the Access-Request packet should use either the
> NAS-Identifier OR 
> the NAS-IP-Address but not both. Something is likely to
> mysteriously 
> break later. Choose one.
> 
>  > also you are right, for some reasons, every login
> attempt will have
>  > two more duplicated messages besides the first one.
> why is that?
> 
> The RADIUS server is working properly. Your client is not.
> 
> Your RADIUS client sends an identical packet for each
> different attempt 
> to log in. This is just plain wrong and the server is
> replying with a 
> copy of the original response.
> 
> Either the client is broken or SSH is misusing the client.
> 
> On 2010-09-19 11:19 PM, gahn wrote:
> > thanks.
> >
> > well, i don't have user "labrat" configured in file
> "users" on the
> > radius server. the "labrat" is in local user password
> database on the
> > juniper box. for the raqdius support on juniper
> routers, it must map
> > a remote user (in the database of radius server) to a
> specific local
> > user. in my case, i map the radius username "bob" to
> the juniper
> > local username "labrat".
> >
> > if i understand correctly what you were saying, this
> attribute of
> > "Juniper-Local-User-Name" is not working?
> >
> > also you are right, for some reasons, every login
> attempt will have
> > two more duplicated messages besides the first one.
> why is that?
> >
> > I am really new on this. thanks for the help...
> >
> >
> > --- On Sun, 9/19/10, Michael Lecuyer<mjl at iterpacis.org> wrote:
> >
> >> From: Michael Lecuyer<mjl at iterpacis.org>
> Subject: Re: still not
> >> working (newbie for radius) To: "FreeRadius users
> mailing
> >> list"<freeradius-users at lists.freeradius.org>
> Date: Sunday,
> >> September 19, 2010, 7:26 PM By the looks of it you
> have two
> >> problems. The User-Password name 'bob' isn't
> matched by the
> >> response Juniper-Local-User-Name 'labrat'. Perhaps
> ssh cares.
> >>
> >> Your broken client sends the identical packet for
> the new
> >> authentication attempt when it must send a brand
> new packet
> >> (different id, socket or port). That's why the
> server drops
> >> subsequent login attempts from ssh - they're
> duplicate requests
> >> which the server has already answered.
> >>
> >> In your second attempt you're User-Name is
> 'labrat' and the
> >>
> >> Juniper-Local-User-Name 'labrat' is being returned
> in the response
> >> probably convincing SSH you are who you claim to
> be.
> >>
> >> On 2010-09-19 9:35 PM, gahn wrote:
> >>> thanks tim:
> >>>
> >>> yes, it is better but yet working correctly:
> >>>
> >>> gahn at giraffe:~:$ ssh bob at 192.168.255.138
> bob at 192.168.255.138's
> >>> password: Permission denied, please try
> again.
> >>> bob at 192.168.255.138's password: Permission
> denied, please try
> >>> again. bob at 192.168.255.138's password:
> Permission denied
> >> (publickey,password,keyboard-interactive).
> >>>
> >>> but trying local username "labrat" is working
> fine:
> >>>
> >>> gahn at giraffe:~:$ ssh labrat at 192.168.255.138
> >>> labrat at 192.168.255.138's password: --- JUNOS
> 8.5R4.3 built
> >>> 2008-08-12 23:16:55 UTC labrat at lab-r8>
> >>>
> >>> what is interesting here is that now i can
> see
> >> "Access-Accept" in the debugging messages of
> "radiusd -X":
> >>>
> >>> rad_recv: Access-Request packet from host
> >> 192.168.255.138 port 65003, id=3, length=57
> >>> User-Name = "bob" User-Password =
> >> "bob"
> >>> NAS-Identifier =
> >> "lab-r8"
> >>> NAS-IP-Address =
> >> 150.150.0.1
> >>> +- entering group authorize {...}
> ++[preprocess] returns ok
> >>> ++[chap] returns noop ++[mschap] returns noop
> [suffix] No '@' in
> >>> User-Name = "bob", looking up realm
> >> NULL
> >>> [suffix] No such realm "NULL" ++[suffix]
> returns noop [eap] No
> >>> EAP-Message, not doing EAP ++[eap] returns
> noop ++[unix] returns
> >>> notfound [files] users: Matched entry bob at
> line 1 ++[files]
> >>> returns ok ++[expiration] returns noop
> ++[logintime] returns
> >>> noop ++[pap] returns updated Found Auth-Type =
> PAP +- entering
> >>> group PAP {...} [pap] login attempt with
> password "bob" [pap]
> >>> Using clear text password "bob" [pap] User
> authenticated
> >>> successfully ++[pap] returns ok +- entering
> group post-auth
> >>> {...} ++[exec] returns noop Sending
> Access-Accept of id 3 to
> >>> 192.168.255.138 port
> >> 65003
> >>>
> >> Juniper-Local-User-Name = "labrat"
> >>> Finished request 4. Going to the next request
> Waking up in 4.9
> >>> seconds. rad_recv: Access-Request packet from
> host
> >> 192.168.255.138 port 65003, id=3, length=57
> >>> Sending duplicate reply to client r8 port
> 65003 - ID:
> >> 3
> >>> Sending Access-Accept of id 3 to
> 192.168.255.138 port
> >> 65003
> >>> Waking up in 1.9 seconds. Cleaning up request
> 4 ID 3 with
> >>> timestamp +91 Ready to process requests.
> rad_recv: Access-Request
> >>> packet from host
> >> 192.168.255.138 port 65003, id=3, length=57
> >>> User-Name = "bob" User-Password =
> >> "bob"
> >>> NAS-Identifier =
> >> "lab-r8"
> >>> NAS-IP-Address =
> >> 150.150.0.1
> >>> +- entering group authorize {...}
> ++[preprocess] returns ok
> >>> ++[chap] returns noop ++[mschap] returns noop
> [suffix] No '@' in
> >>> User-Name = "bob", looking up realm
> >> NULL
> >>> [suffix] No such realm "NULL" ++[suffix]
> returns noop [eap] No
> >>> EAP-Message, not doing EAP ++[eap] returns
> noop ++[unix] returns
> >>> notfound [files] users: Matched entry bob at
> line 1 ++[files]
> >>> returns ok ++[expiration] returns noop
> ++[logintime] returns
> >>> noop ++[pap] returns updated Found Auth-Type =
> PAP +- entering
> >>> group PAP {...} [pap] login attempt with
> password "bob" [pap]
> >>> Using clear text password "bob" [pap] User
> authenticated
> >>> successfully ++[pap] returns ok +- entering
> group post-auth
> >>> {...} ++[exec] returns noop Sending
> Access-Accept of id 3 to
> >>> 192.168.255.138 port
> >> 65003
> >>>
> >> Juniper-Local-User-Name = "labrat"
> >>> Finished request 5. Going to the next request
> Waking up in 4.9
> >>> seconds. Cleaning up request 5 ID 3 with
> timestamp +97 Ready to
> >>> process requests.
> >>>
> >>>
> >>>
> >>> --- On Sun, 9/19/10, Tim
> >>> Sylvester<tim.sylvester at networkradius.com>
> >> wrote:
> >>>
> >>>> From: Tim Sylvester<tim.sylvester at networkradius.com>
> Subject:
> >>>> RE: still not working (newbie for
> >> radius)
> >>>> To: "'FreeRadius users mailing
> >>>> list'"<freeradius-users at lists.freeradius.org>
> Date: Sunday,
> >>>> September 19, 2010, 5:52 PM
> >>>>
> >>>> well, i had tried other configuration for
> >> "users":
> >>>>
> >>>> bob 
>    Cleartext-Password =
> >> "bob"
> >>>>
> >> Juniper-Local-User-Name = "labrat"
> >>>>
> >>>> labrat is local login user id so that all
> of
> >> radius users
> >>>> will be mapped to that user.
> unfortunately, it is also failed
> >>>> though
> >> with no
> >>>> warning messages:
> >>>>
> >>>>
> >>>> <tim>   You are
> missing a : - try the
> >> following:
> >>>>
> >>>> bob 
>    Cleartext-Password :=
> >> "bob"
> >>>>
> >> Juniper-Local-User-Name =
> >>>> "labrat"
> >>
> >>
> >> - List info/subscribe/unsubscribe? See
> >> http://www.freeradius.org/list/users.html
> >>
> >
> >
> >
> >
> > - List info/subscribe/unsubscribe? See
> > http://www.freeradius.org/list/users.html
> >
> >
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>

More information about the Freeradius-Users mailing list