02.02.2012 23:14:27
 sableuser Posts: 5
I recently installed TekRadius and am running into the following authentication problem. All I need is to send an Access-Request with a User-Name and User-Password, have TekRadius validate the password against the user and return 1 or more Success-Reply items. I have only one Check against the user, the User-Password. My client runs on Linux. Any hints/suggestions would be greatly appreciated!

RadAuth req. from : x.x.x.x:y- 2/2/2012 11:41:48 AM
Size : 104 / 104
Identifier : 110
Attributes :
  NAS-Port-Type = 5
  Service-Type = 7
  Calling-Station-Id = mycallingstationid
  NAS-IP-Address = 10.1.0.17
  NAS-Port = 6113
  NAS-Identifier = login
  User-Name = raduser

2/2/2012 11:41:48 AM - PAP Authentication commencing for user 'raduser'
2/2/2012 11:41:48 AM - Check items control - Start (Group : Sable).
2/2/2012 11:41:48 AM - Check items control - Stop (Group : Sable).
2/2/2012 11:41:48 AM - Authentication failed for user 'raduser'
03.02.2012 08:57:05
 Admin Administrator Posts: 1833
Hi,
Please check if the configured RADIUS secret matches the one in the TekRADIUS clients tab.
Best regards,
Yasin KAPLAN
03.02.2012 16:07:45
 sableuser Posts: 5
Yasin, Thank you for your prompt reply. I checked the radius secret -- it matches. I neglected to mention in my original post that I am using TekRadius LT -- not sure this makes any difference. I have only one Check item against the user, the User-Password. Is there a way to print out the User-Password received by TekRadius, to check that it actually matches?
03.02.2012 21:19:04
 sableuser Posts: 5
Hi Yasin, There is only one "Check" item (the "User-Password") for 'raduser'. Is there a way to determine why exactly that check fails? I have verified the passwords between TekRadius and the Linux client and they appear the same. If I set "Authorization-Only" under "Setting/ServiceParameters" then the "Success-Reply" items are sent to the Linux client successfully, so I assume that this means that the "Clients" secret is fine. There just seems to be a problem with the "User-Password" check and I'm at a loss as to why ...
04.02.2012 11:21:56
 Admin Administrator Posts: 1833
TekRADIUS does not display the content of User-Password for security reasons. Can there be a check attribute in user group "Sable"?
06.02.2012 17:07:46
 sableuser Posts: 5
Hi Yasin, Thank you for your continued response. I opted to start over to minimize the variables involved. Here's what I have right now ... This works using freeradius and a Service-Type of 8 (Authenticate-Only). The freeradius implementation will return Success-Reply items with this service-type even though that does not follow RFC 2865. TekRadius does follow RFC 2865 and based on the posting titled "Success-Reply Attribute - Class -not sent in reply" in interoperability, TekRadius will authenticate but will not send back Success-Reply items as it shouldn't. Before I change my client to use a different Service-Type (not 8 in order to get back items from TekRadius) I want to at least see it authenticate the user using Service-Type 8, even though it will not send back Success-Reply items. At this time my client is unchanged -- I am using the same client as with freeradius with the same MD5 password algorithm and service-type of 8. This is not working for me. I have attached screen shots of all I have configured and the log in the attached PDF file. Can you please take a look? Thanks so much!
07.02.2012 11:42:58
 Admin Administrator Posts: 1833
Can you test TekRADIUS LT against http://www.coova.org/JRadius/Simulator with the same set of attributes?
10.02.2012 16:16:48
 sableuser Posts: 5
Yasin, Thanks for the help. I upgraded the pam_radius client module from 1.3.13 to 1.3.17 and it's working now. The older version seemed to have some bugs with the way the password was sent to the radius server.
10.02.2012 16:32:06
 Admin Administrator Posts: 1833
You're welcome
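On the question raised in the thread of seeing which password the server actually received: with the shared secret and a capture of the Access-Request, the PAP User-Password can be recovered offline using the hiding scheme of RFC 2865 section 5.2 and compared with the expected value. This is an added example, not part of the thread and not TekRADIUS or pam_radius code; the secret, the password and the fixed Request Authenticator are constructed sample values.

```python
import hashlib
import struct

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """Client side of RFC 2865 section 5.2 (PAP User-Password hiding)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        # Block key is MD5(secret + previous ciphertext block); the first
        # block uses the 16-byte Request Authenticator instead.
        prev = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += prev
    return out

def reveal_password(hidden, secret, authenticator):
    """Server side: undo the hiding and strip the null padding."""
    if not hidden or len(hidden) % 16 or len(hidden) > 128:
        raise ValueError("User-Password must be 16..128 bytes, in 16-byte blocks")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")

def user_password_from_request(packet, secret):
    """Find attribute 2 (User-Password) in a raw Access-Request and reveal it."""
    if len(packet) < 20 or packet[0] != 1:
        raise ValueError("not an Access-Request")
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute")
        if atype == 2:
            return reveal_password(packet[pos + 2:pos + alen], secret, packet[4:20])
        pos += alen
    raise ValueError("no User-Password attribute (not a PAP request)")

def build_sample_request(user, password, secret):
    """Constructed Access-Request for the demo; real clients use a random authenticator."""
    auth = bytes(range(16))
    hidden = hide_password(password, secret, auth)
    attrs = bytes([1, 2 + len(user)]) + user + bytes([2, 2 + len(hidden)]) + hidden
    return struct.pack("!BBH", 1, 110, 20 + len(attrs)) + auth + attrs
```

If the revealed value differs from the password stored for the user, either the shared secret differs or the client encoded the attribute incorrectly; with a wrong secret the result is unrelated bytes rather than an error.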