I guess I would check to make sure the router isn't dropping packets. I'm sure after the most recent worms/viruses they might have a few access lists on it ;) Strange that you have a NAS and no router....I'm surprised att or whoever allows you to do that.

Todd

----- Original Message -----
From: "Kirti S. Bajwa" <kbajwa@tib.com>
To: "'Discussion relating to the 3Com/US Robotics Total Control modemsystems.'" <usr-tc@mailman.xmission.com>
Sent: Tuesday, January 13, 2004 10:06 AM
Subject: RE: [USR-TC] Authentication... I am at dead end!!!!
Todd:
Yours is the most kind and helpful response. Please help me with my theory (you can play devil's advocate):
(a) From ARC terminal screen, I can ping the RADIUS server 12.21.237.15. The response is alive, then (b) I authenticate a user:
_auth <UID> <PW>
It fails. But here is my concern. On the RADIUS server, I have started the RADIUS server in debug mode (radiusd -x). In every case whenever I tried to test anything on the RADIUS server (RADIUS related), there is a bunch of lines displayed on the RADIUS debug screen.
OK now. When I run authentication and it fails, there is no display on the debug screen on the RADIUS server. Therefore, my feeling is that the authentication never reaches the RADIUS server else there will be some display on the debug screen. What do you think?
If I go along with this theory, then that means, something is blocking the AUTHENTICATION. There are two places where AUTHENTICATION can be stopped & quietly dropped:
(1) Firewall (2) Gateway Router
(Tell me if there are more places).
I do have firewall (shorewall). I stopped it completely and then tried to AUTHENTICATE. No change.
Now I think the problem may be the Gateway Router, which is a CISCO 26XX & managed by AT&T. After doing some research, it seems that 3Com TC does not talk to any server directly but always sends its inquiries to a Gateway Router, which in turn determines that the command is for a local server and sends it back to the local network. Now I am not an expert on CISCO equipment but I think that AT&T has programmed their router in such a way that it drops the traffic directed from the (internal) network to (internal) network and only traffic from the Internet to the (internal) network and from (internal) network to Internet passes through.
I have not talked to AT&T yet but you (or others on this list) can give your thoughts.
Thanks.
Kirti
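The reasoning in the message above (a silent RADIUS debug screen means the Access-Request never reached the server, and the 1645 vs 1812 port question raised earlier in the thread) can be checked from the server's own LAN segment with a small RFC 2865 probe. The script below is an added example for this thread; it is not code from the list, from 3Com, or from FreeRADIUS. It builds a PAP Access-Request by hand (User-Password hiding per RFC 2865 section 5.2), sends it over UDP, and classifies what comes back: a timeout is what a dropped packet or a listener on the other port looks like from the client side, and a reply whose Response Authenticator does not verify is the usual sign of a shared-secret mismatch. The server address, port, secret and credentials in the `__main__` block are placeholders to replace; 1645 is the legacy RADIUS authentication port and 1812 the IANA-assigned one.

```python
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block); the Request Authenticator seeds block 1."""
    if not password:
        password = b"\x00"
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, i.e. what the server does before checking PAP."""
    clear, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        clear += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, username, password, secret, nas_ip, authenticator=None):
    """PAP Access-Request; returns (packet, request_authenticator)."""
    authenticator = authenticator or os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, username.encode())
             + attribute(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attribute(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + authenticator + attrs, authenticator


def parse_packet(data: bytes):
    """Return (code, identifier, authenticator, {attr_type: value}); a repeated
    attribute type keeps its last value, which is enough for this probe."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, HEADER_LEN
    while pos + 2 <= length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("malformed attribute")
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:HEADER_LEN], attrs


def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 s3."""
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return hashlib.md5(header + request_authenticator + attrs + secret).digest()


def build_response(code, request, secret, attrs=b""):
    """The server side of the exchange, included so the check below is self-testable."""
    _, identifier, req_auth, _ = parse_packet(request)
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + response_authenticator(code, identifier, req_auth, attrs, secret) + attrs


def classify_response(data, identifier, request_authenticator, secret):
    """'accept'/'reject' when the reply verifies under our secret; 'bad-authenticator'
    when the Response Authenticator fails, the usual sign of a shared-secret mismatch."""
    code, rid, _, _ = parse_packet(data)
    if rid != identifier:
        return "unexpected"
    length = struct.unpack("!H", data[2:4])[0]
    expected = response_authenticator(code, rid, request_authenticator, data[HEADER_LEN:length], secret)
    if not hmac.compare_digest(expected, data[4:HEADER_LEN]):
        return "bad-authenticator"
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject"}.get(code, "unexpected")


def probe(server, port, secret, username, password, nas_ip, timeout=3.0):
    """Send one Access-Request. 'timeout' means nothing came back at all, which is
    what a filtered path or a 1645/1812 port mismatch looks like from the client."""
    identifier = os.urandom(1)[0]
    request, req_auth = build_access_request(identifier, username, password, secret, nas_ip)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    return classify_response(data, identifier, req_auth, secret)


if __name__ == "__main__":
    # Placeholder values (constructed): replace with the server, port and secret under test.
    print(probe("192.0.2.10", 1812, b"placeholder-secret", "testuser", "testpass", "192.0.2.20"))
```

Run it once against port 1812 and once against 1645 from a host on the same hub as the RADIUS server while `radiusd -X` is up: a reply on either port, together with lines on the debug screen, shows the server is reachable and which port it listens on; a timeout on both with a silent debug screen narrows the problem to the path between the sender and the server rather than to the RADIUS configuration.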
-----Original Message-----
From: Todd Bertolozzi [mailto:todd.bertolozzi@voyager.net]
Sent: Monday, January 12, 2004 8:54 PM
To: 'Discussion relating to the 3Com/US Robotics Total Control modemsystems.'
Subject: RE: [USR-TC] Authentication... I am at dead end!!!!
It would be helpful to have more than 1 radius packet...can you copy and paste a "show ppp settings" please.
It does seem a bit weird that you see the following in your radius packet:
Initial-Connect-Rate : 1(NONE)
That could be that it doesn't show a connect b/c of the failed auth...I'm not positive. Hard to tell with just the 1 packet. I'm wondering what your " DIAL_IN Users Authenticate:" is set to....it should be set to PAP. You should see that under a 'show ppp settings'.
You're positive the radius secret is the same on the arc and your radius box? You can double check on the arc using:
_reveal commands
_show autheNTICATION radIUS secRETS
If all else fails...if you would like to setup a temp account to the arc I can jump in and take a look in my spare time. Email me off the list for that though ;)
Todd
berto@voyager.net
-----Original Message-----
From: usr-tc-bounces+todd.bertolozzi=voyager.net@mailman.xmission.com [mailto:usr-tc-bounces+todd.bertolozzi=voyager.net@mailman.xmission.com] On Behalf Of Kirti S. Bajwa
Sent: Monday, January 12, 2004 3:43 PM
To: 'Discussion relating to the 3Com/US Robotics Total Control modemsystems.'
Subject: RE: [USR-TC] Authentication... I am at dead end!!!!
Todd:
I changed the Primary Destination Port to 1812 & tested. No change.
Any ideas?
Kirti
--------------------------
Todd:
Thanks for your reply. Here is output from "monitor radius":
---------------------------------------------------------------------
NAS-Identi Source-IP Src-Port Destination-IP Dest-Port Id Packet-Type
NAS-Port : 516
---------------------------------------------------------------------
---------------------------------------------------------------------
User-Name : kbajwa
User-Password : xxxxxxxxxx
NAS-IP-Address : 12.21.237.241
NAS-Identifier : 12.21.237.241
NAS-Port : 522
Acct-Session-Id : 34144257
Interface-Index : 1778
Nas-Supports-Tags : 0
Service-Type : 2
Framed-Protocol : PPP
Multilink-PPP-Endpoint-Id : 25 64 ca ee 8e 61 41 95 95 ca 1e 7 44 38 a7 e1 0 0 0 0
MP-EDO : 25 64 ca ee 8e 61 41 95 95 ca 1e 7 44 38 a7 e1 0 0 0 0
Chasis-Call-Slot : 3
Chasis-Call-Span : 1
Chasis-Call-Channel : 10
Initial-Connect-Rate : 1(NONE)
Calling-Station-Id : 4237273002
Called-Station-Id : 6248
NAS-Port-Type : 0
--------------------------------------------------------------

Here is output from "show authentication settings":

RADIUS AUTHENTICATION SETTINGS
Local Authentication is: ENABLED
Remote Authentication is: ENABLED
Hint Assigned is: DISABLED
Primary Server is: 12.21.237.15
Primary Destination Port is: 1645
Secondary Server is: 0.0.0.0
Secondary Destination Port is: 1645
Tertiary Server is: 0.0.0.0
Tertiary Destination Port is: 1645
Source Port is: 1645
Retransmission Timeout: 3 seconds
Max Retransmissions: 10
Per Server Retry Count 3
Vendor Specific Attribute: ENABLED
Prioritize Auth Server: DISABLED
Active Authentication Server: 12.21.237.15
Send service type indication: ENABLED
Authentication Counters Syslogs: DISABLED
Authentication Counters Syslog Frequency: TWELVE HOURS
Authentication Counters Syslog Reset: DISABLED
Primary Auth Server Preference: 1
Secondary Auth Server Preference: 2
Tertiary Auth Server Preference: 3
--------------------------------------------------------------
The only thing I can see unusual is the port number of 1645. I have no idea where it is being set in 3Com. I have looked and looked but I am new & probably missing it.
Thanks again for your help. I await your response and/or suggestion!!
Kirti
-----Original Message-----
From: Todd Bertolozzi [mailto:todd.bertolozzi@voyager.net]
Sent: Monday, January 12, 2004 9:10 AM
To: Discussion relating to the 3Com/US Robotics Total Control modemsystems.
Subject: Re: [USR-TC] Authentication... I am at dead end!!!!
You can always try a 'monitor radius' from cli.
Can you copy and paste an output from 'show authentication settings'
Todd

----- Original Message -----
From: "Kirti S. Bajwa" <kbajwa@tib.com>
To: <usr-tc@mailman.xmission.com>
Sent: Sunday, January 11, 2004 6:52 PM
Subject: [USR-TC] Authentication... I am at dead end!!!!
Hello List:
I have set up a 3Com TC box and am having authentication problems. After an entire weekend of going around in circles and squares, now I ask for help. Here are the facts:
RADIUS Server:
-----------------------
RH9 freeRADIUS 0.9.3

3Com TC
-------------
1-HiPer NMC (8.6.3)
2-HiPer ARC (5.3.3)
10-HiPer DSP (3.5.12)
===============================
I set up a RADIUS server & did a "radtest". I can authenticate a user. I have added this ONE user only for testing. Next I set up the NTRadPing utility on a Windows machine and authenticated the same <UID> & <PW>, no problem. In both cases I have the DEBUG utility (radiusd -X) running on the RADIUS server and I can see the entries being authenticated.
Next I have setup the 3Com TC. I believe, I have all the necessary entries. Port is setup to 1812, SecretKey is verified, IP address of the RADIUS server is correctly entered, etc.
However, when I try to authenticate a user from 3Com:
_auth <UID> <PW>
No activity takes place on the RADIUS server's debug screen and authentication fails. There is nothing in the log file "/usr/local/var/log/radius/radius.log" other than "Ready to process requests".
I have checked the cabling. Both ARC cards' Ethernet ports are connected to a HUB which also connects to the RADIUS server. When I am in the CLI for the ARC card, I can ping the RADIUS server's IP address and "HiPer>>" responds by saying that the server is ACTIVE.
Having no activity on RADIUS server's DEBUG screen, I am assuming that 3Com is not connecting to the RADIUS server. By the way, I did dial into 3Com TC box and tried to connect as a Dial-In user, the authentication failed.
If there is any place where I can see a log of the cause of the rejection of the authentication, I might be able to work my way. I do appreciate any suggestion or help from this list.
Thanks in advance.
Kirti
_______________________________________________ USR-TC mailing list USR-TC@mailman.xmission.com http://mailman.xmission.com/cgi-bin/mailman/listinfo/usr-tc