User Problem with Cisco Nexus 4.x

Jan.Gnepper at t-systems.com Jan.Gnepper at t-systems.com
Wed Jul 13 18:40:37 CEST 2011


Hi,

I have a little problem.
I have two devices within the same huntgroup, but I get into trouble with one of them.
Both are Cisco Nexus, but there is one difference:
the working one has NXOS 5.x, the one that is not working as expected has NXOS 4.x.

Why is the right line in the users file found for the working device (line 67), but not found for the other device (line 136),
while both devices are in the same huntgroup and both requests look identical?

Any ideas?
Am I just blind?

The interesting part is that both requests look identical (even in tcpdump!).
But the answer packet always shows a "bad udp checksum" when I'm not able to log in.

17:33:57.201238 IP (tos 0x0, ttl  64, id 1280, offset 0, flags [none], proto: UDP (17), length: 48) radius-server.datametrics > 10.48.137.62 .40077: [bad udp cksum 2dde!] RADIUS, length: 20
        Access Reject (3), id: 0x17, Authenticator: 436530c99d29615e3a35aa878275a97d

Is it possible that this causes my problem?

Jan


Huntgroups:
================================
nexus   NAS-IP-Address == 10.48.141.157
nexus   NAS-IP-Address == 10.48.137.62


Users:
================================
Line 67 ff:
test Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6 "
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""

Line 136:
DEFAULT Auth-Type := Reject


Not Working:
================================

rad_recv: Access-Request packet from host 10.48.137.62 port 7032, id=63, length=62
        User-Name = "test"
        User-Password = "test"
        NAS-Port-Type = Virtual
        NAS-Port = 3002
        NAS-IP-Address = 10.48.137.62
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry DEFAULT at line 136
++[files] returns ok
[ldap] performing user authorization for test
[ldap]  expand: (uid=%u) -> (uid=test)
[ldap]  expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = Reject
Auth-Type = Reject, rejecting user
Failed to authenticate the user.
Login incorrect (rlm_ldap: User not found): [test] (from client RZ-XXX port 3002)
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject]     expand: %{User-Name} -> test
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 63 to 10.48.137.62 port 7032
Finished request 20.
Going to the next request
Waking up in 4.9 seconds.


Working:
================================

rad_recv: Access-Request packet from host 10.48.141.157 port 48132, id=229, length=62
        User-Name = "test"
        User-Password = "test"
        NAS-Port-Type = Virtual
        NAS-Port = 3019
        NAS-IP-Address = 10.48.141.157
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]         expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files]         expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
[files] users: Matched entry test at line 67
++[files] returns ok
[ldap] performing user authorization for test
[ldap]  expand: (uid=%u) -> (uid=test)
[ldap]  expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
[ldap] search failed
rlm_ldap: ldap_release_conn: Release Id: 0
++[ldap] returns notfound
[pap] Normalizing MD5-Password from hex encoding
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "test"
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [test] (from client RZ-XXX port 3019)
  WARNING: Empty section.  Using default return values.
Sending Access-Accept of id 229 to 10.48.141.157 port 48132
        Login-Service = Telnet
        Vendor-Specific = 0x39
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""
Finished request 17.
Going to the next request
Waking up in 4.9 seconds.
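An added diagnostic (not part of the original post) that summarises each request in the radiusd -X output above by NAS-IP-Address, the users-file entry that matched, how many entries ran an Ldap-Group check before that match, and the reply sent; the embedded sample is a constructed, abridged version of the two traces, and the higher check count for 10.48.137.62 shows that more users entries were passed over before a match.

```python
"""Summarise FreeRADIUS 2.x debug output per request (added example, not the
post's own code).  SAMPLE is a constructed, abridged copy of the two traces."""
import re

RE_RECV  = re.compile(r"^rad_recv: Access-Request packet from host (\S+) port \d+, id=(\d+)")
RE_NASIP = re.compile(r"^\s*NAS-IP-Address = (\S+)")
RE_GROUP = re.compile(r"^rlm_ldap: Entering ldap_groupcmp\(\)")
RE_MATCH = re.compile(r"^\[files\] users: Matched entry (\S+) at line (\d+)")
RE_REPLY = re.compile(r"^Sending (Access-\w+) of id (\d+) to")

GROUPCMP = "rlm_ldap: Entering ldap_groupcmp()\nrlm_ldap::ldap_groupcmp: search failed\n"
SAMPLE = (
    "rad_recv: Access-Request packet from host 10.48.137.62 port 7032, id=63, length=62\n"
    "        User-Name = \"test\"\n"
    "        NAS-IP-Address = 10.48.137.62\n"
    + GROUPCMP * 10 +                      # ten entries with an Ldap-Group check were tried
    "[files] users: Matched entry DEFAULT at line 136\n"
    "Found Auth-Type = Reject\n"
    "Sending Access-Reject of id 63 to 10.48.137.62 port 7032\n"
    "rad_recv: Access-Request packet from host 10.48.141.157 port 48132, id=229, length=62\n"
    "        User-Name = \"test\"\n"
    "        NAS-IP-Address = 10.48.141.157\n"
    + GROUPCMP * 6 +                       # only six before the entry at line 67 matched
    "[files] users: Matched entry test at line 67\n"
    "Sending Access-Accept of id 229 to 10.48.141.157 port 48132\n"
)

def summarise(debug_text):
    """Return one dict per Access-Request seen in the debug output."""
    requests, cur = [], None
    for line in debug_text.splitlines():
        if (m := RE_RECV.match(line)):
            cur = {"client": m.group(1), "id": int(m.group(2)), "nas_ip": None,
                   "group_checks": 0, "entry": None, "entry_line": None, "reply": None}
            requests.append(cur)
        elif cur is None:
            continue
        elif (m := RE_NASIP.match(line)):
            cur["nas_ip"] = m.group(1)
        elif RE_GROUP.match(line):
            cur["group_checks"] += 1          # one users entry evaluated its Ldap-Group item
        elif (m := RE_MATCH.match(line)):
            cur["entry"], cur["entry_line"] = m.group(1), int(m.group(2))
        elif (m := RE_REPLY.match(line)):
            cur["reply"] = m.group(1)
    return requests

def compare_by_nas(requests):
    """Map each NAS-IP-Address to (matched users line, group checks, reply)."""
    return {r["nas_ip"]: (r["entry_line"], r["group_checks"], r["reply"]) for r in requests}

if __name__ == "__main__":
    for nas, info in compare_by_nas(summarise(SAMPLE)).items():
        print(nas, "-> users line %s after %d group checks, reply %s" % info)
```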
