Re: [Help-gnu-radius] Proxy authentication failure - More info
From: Sergey Poznyakoff
Subject: Re: [Help-gnu-radius] Proxy authentication failure - More info
Date: Thu, 26 Sep 2002 10:25:29 +0300
Hi Gary,
I've been away for a while, so I'll try to answer all your letters
at once:
> I keep getting a login failure trying to do a proxy login. i.e. connect
> to our NAS (Cisco 5300) and do a proxy login to another NT server
> maintained by a customer. Can anyone decipher the text below and let me
> know anything useful.
OK, here it goes:
> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host
> d40f4002 code=1, id=86, length=100
Your server has received an authentication request (code=1) from
the NAS 212.15.64.2. The contents of the request are:
> NAS-IP-Address = 212.15.64.2
> NAS-Port-Id = 20
> NAS-Port-Type = Async
> User-Name = address@hidden <mailto:address@hidden>
> Called-Station-Id =1771
> CHAP-Password = \264\346\163\046\305>=F3=E6Q\016
> Service-Type = Framed-User
> Framed-Protocol = PPP
Note the user name. I can't say exactly how it would be processed by
your peer radius, but most configurations will reject it (due to the
<mailto: part).
Anyway, so far everything seems OK. Now, next line from your logs:
> Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host c2a46b06 code=3, id=0, length=38
Your radiusd has received *authentication reject* (code=3) message
from the peer 194.164.107.6. The only attribute the reject packet
contained was:
> radius.c:443:radrecv: recv: Proxy-State = \000\000\000\000\000\000\000\126\000\000\000\000\302\244\153\006
Next:
> Sep 25 15:23:38: Auth.notice: Rejected: address@hidden: CLID unknown (from nas access.isp.net.uk)
> Sep 25 15:23:38: Auth.debug: radius.c:113:rad_send_reply: Sending Reject of id 86 to d40f4002 (nas access.isp.net.uk)
Your server has normally passed the reject packet to the NAS.
In sum, the transcript shows a normal interaction between the two
radiuses. You should contact the administrator of 194.164.107.6 to
see why exactly his server rejected the user
address@hidden.
> Can I somehow see why the password is being rejected, or what is being
> returned by the customer NT proxy server ?
Well, you can see what the peer server returned; as I said, it was
an authentication reject without any special attributes. But the
exact reason why it rejected the authentication can be known only
from the remote server's log files.
> Managed to get some more debug
Great. Basically, it shows the same thing, but with an interesting
technical detail. These are the attributes *actually sent* by your
radius server to the peer:
> NAS-IP-Address = x.x.x.x
> NAS-Port-Id = 5
> NAS-Port-Type = Async
> User-Name = address@hidden <mailto:address@hidden>
[..the rest omitted..]
Notice that the username is sent unstripped, i.e. with the domain
part. Did you actually intend this? Does your remote peer understand
domain parts in the usernames?
Regards,
Sergey
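
The hand decoding done in the reply above (hex host field to dotted quad, packet code to packet type, octal-escaped attribute value to bytes), as an added example that is not part of the original message or of GNU Radius. The function names are hypothetical, the code table comes from RFC 2865 and RFC 2866, and the log lines are the ones quoted in the message with the mail wrapping removed.

```python
import ipaddress
import re

# RADIUS packet type codes (RFC 2865 and RFC 2866).
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response",
         11: "Access-Challenge"}

RADRECV = re.compile(r"radrecv: Request from host\s+([0-9a-fA-F]{8})\s+"
                     r"code=(\d+), id=(\d+), length=(\d+)")
OCTAL = re.compile(r"\\([0-3][0-7]{2})")

def decode_host(hex_host):
    """Turn the 8-hex-digit host field (e.g. d40f4002) into a dotted quad."""
    return str(ipaddress.IPv4Address(int(hex_host, 16)))

def parse_radrecv(line):
    """Return the fields of a radrecv debug line, or None if it does not match."""
    m = RADRECV.search(line)
    if m is None:
        return None
    code = int(m.group(2))
    return {"host": decode_host(m.group(1)), "code": code,
            "type": CODES.get(code, "unknown"),
            "id": int(m.group(3)), "length": int(m.group(4))}

def unescape_octal(value):
    """Decode \\ooo escapes in a logged attribute value into raw bytes."""
    out, pos = bytearray(), 0
    for m in OCTAL.finditer(value):
        out += value[pos:m.start()].encode("latin-1", "replace")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += value[pos:].encode("latin-1", "replace")
    return bytes(out)

# Log lines and Proxy-State value copied from the transcript in this message.
LOG = [
    "Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host d40f4002 code=1, id=86, length=100",
    "Sep 25 15:23:38: Main.debug: radius.c:367:radrecv: Request from host c2a46b06 code=3, id=0, length=38",
]
PROXY_STATE = r"\000\000\000\000\000\000\000\126\000\000\000\000\302\244\153\006"

if __name__ == "__main__":
    for line in LOG:
        print(parse_radrecv(line))
    print(unescape_octal(PROXY_STATE).hex())
```

In the decoded Proxy-State, the eighth byte equals the original request id (86) and the last four bytes equal the peer address c2a46b06. That is an observation on the values quoted here, not a statement of how GNU Radius lays out Proxy-State.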