(usr-tc) ARC not denying logins
Hello all,

I have a rather strange problem. My RADIUS server is rejecting the authentication requests... but the ARC's (two of them) are letting users online. The user in question is NOT in the users table.

The same RADIUS server is working 'correctly' with PATTON 2800's and 2996's (you cannot connect with the 'disabled' accounts).

For a starter here is sho radius

    RADIUS SETTINGS
    Fill Null Attributes : DISABLED
    Attribute Style: STANDARD
    Authentication Algorithm: ROUND_ROBIN
    Interim Accounting Interval Status: DISABLED
    Interim Accounting Interval: 240 seconds
    IEA Radius Source Port Authentication ENABLED
    IEA User Radius supplied username DISABLED
    Send Unauthenticated STOP record ENABLED
    Send Accounting records for default user: ENABLED
    Report Acct IP Addr only for Primary Link: DISABLED
    Send only STOP Acct for failed services: DISABLED

Test the authentication locally via radtest:

    radtest jericho xxxxx localhost s1 xxxxx
    Sending request to server localhost, port 1812.
    radrecv: Reply from host 127.0.0.1 code=3, id=84, length=20
    Access denied.

yet TC gives me:

    HiPer>> _auth jericho xxxxx
    CLI - User: jericho is Authenticated

But the radius server records the denial:

    Wed Sep 26 18:27:16 2001: Auth: unix_pass: [jericho]: invalid shell
    Wed Sep 26 18:27:16 2001: Auth: Login incorrect: [jericho/xxxxx]

--
Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

- To unsubscribe to usr-tc, send an email to "majordomo@xmission.com" with "unsubscribe usr-tc" in the body of the message. For information on digests or retrieving files and old messages send "help" to the same address. Do not use quotes in your message.

Paul,

First off - we need more info.

What radius server? Version? Which ARC code? How many ARCs on the network? How many radius servers do you have (why is ROUND_ROBIN enabled?) What does sh authentication contain? What does your radius DEFAULT entry (or entries) look like? Was it working before? What changed?

Marshall Morgan
Internet Doorway, Inc (aka NETDOOR) http://www.netdoor.com
601.969.1434 x28 | 800.952.1570 x28 | 601.969.3629 x28 | Fax 601.969.3838

----- Original Message -----
From: "Paul Farber" <farber@admin.f-tech.net>
To: <usr-tc@lists.xmission.com>
Sent: Wednesday, September 26, 2001 6:01 PM
Subject: (usr-tc) ARC not denying logins

> Hello all,
>
> I have a rather strange problem. My RADIUS server is rejecting the authentication requests... but the ARC's (two of them) are letting users online. The user in question is NOT in the users table.
>
> The same RADIUS server is working 'correctly' with PATTON 2800's and 2996's (you cannot connect with the 'disabled' accounts).
>
> For a starter here is sho radius
>
>     RADIUS SETTINGS
>     Fill Null Attributes : DISABLED
>     Attribute Style: STANDARD
>     Authentication Algorithm: ROUND_ROBIN
>     Interim Accounting Interval Status: DISABLED
>     Interim Accounting Interval: 240 seconds
>     IEA Radius Source Port Authentication ENABLED
>     IEA User Radius supplied username DISABLED
>     Send Unauthenticated STOP record ENABLED
>     Send Accounting records for default user: ENABLED
>     Report Acct IP Addr only for Primary Link: DISABLED
>     Send only STOP Acct for failed services: DISABLED
>
> Test the authentication locally via radtest:
>
>     radtest jericho xxxxx localhost s1 xxxxx
>     Sending request to server localhost, port 1812.
>     radrecv: Reply from host 127.0.0.1 code=3, id=84, length=20
>     Access denied.
>
> yet TC gives me:
>
>     HiPer>> _auth jericho xxxxx
>     CLI - User: jericho is Authenticated
>
> But the radius server records the denial:
>
>     Wed Sep 26 18:27:16 2001: Auth: unix_pass: [jericho]: invalid shell
>     Wed Sep 26 18:27:16 2001: Auth: Login incorrect: [jericho/xxxxx]
>
> --
> Paul Farber
> Farber Technology
> farber@admin.f-tech.net
> Ph 570-628-5303
> Fax 570-628-5545

I don't know how long it's not been working correctly.... I just discovered it this week. No major changes to the radius server, or any other part of the radius system.

The Pattons work fine (4 of them off this 1 radius server) only the TC's are not honoring the REJECT from the server.

Even if I point the TC's at the secondary RADIUS server it still has the same results.... Pattons deny correctly, TC's allow it.

As I stated before, the user list on the TC's are empty, save admin and DEFAULT. And from my understanding there is no way to set the authentication to 'allow all' from the default entry.

I looked at the radius info going to and coming from the server (CISTRON 1.6.4) and they are correct (same REJECT response sent to Patton and TC auth requests).

So it's either a bug in the TC ARC code or a config item. But my search has not uncovered any type of 'allow all' scheme for dial in users.

And since I have no support contract from 3COM, even if it is a software bug (I can't see how, it worked fine before) I do not have access to any code.

The ARC's are running different ARC software as one is a 486 and one is a Pentium. I do not have access to the version now.. at a remote site on a laptop with no access to the NMC's for TCM to tell me what they are running.

--
Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Thu, 27 Sep 2001, Marshall Morgan wrote:

> Paul,
>
> First off - we need more info.
>
> What radius server? Version? Which ARC code? How many ARCs on the network? How many radius servers do you have (why is ROUND_ROBIN enabled?) What does sh authentication contain? What does your radius DEFAULT entry (or entries) look like? Was it working before? What changed?
>
> Marshall Morgan
> Internet Doorway, Inc (aka NETDOOR) http://www.netdoor.com
> 601.969.1434 x28 | 800.952.1570 x28 | 601.969.3629 x28 | Fax 601.969.3838

Have you run the radius diagnostics on the HiperArc themselves and looked at what the received packets are? If you do and want something to compare it to I could do the same on mine. Ours are authenticating against Vircom VopRadius and I know the disable function works because we use it to get payment from a small percentage of clients. It is amazing how fast they call after they are disabled.

Mark Thornton
San Marcos Internet, Inc
512-393-5300

----- Original Message -----
From: "Paul Farber" <farber@admin.f-tech.net>
To: <usr-tc@lists.xmission.com>
Sent: Thursday, September 27, 2001 11:50 AM
Subject: Re: (usr-tc) ARC not denying logins

> I don't know how long it's not been working correctly.... I just discovered it this week. No major changes to the radius server, or any other part of the radius system.
>
> The Pattons work fine (4 of them off this 1 radius server) only the TC's are not honoring the REJECT from the server.
>
> Even if I point the TC's at the secondary RADIUS server it still has the same results.... Pattons deny correctly, TC's allow it.
>
> As I stated before, the user list on the TC's are empty, save admin and DEFAULT. And from my understanding there is no way to set the authentication to 'allow all' from the default entry.
>
> I looked at the radius info going to and coming from the server (CISTRON 1.6.4) and they are correct (same REJECT response sent to Patton and TC auth requests).
>
> So it's either a bug in the TC ARC code or a config item. But my search has not uncovered any type of 'allow all' scheme for dial in users.
>
> And since I have no support contract from 3COM, even if it is a software bug (I can't see how, it worked fine before) I do not have access to any code.
>
> The ARC's are running different ARC software as one is a 486 and one is a Pentium. I do not have access to the version now.. at a remote site on a laptop with no access to the NMC's for TCM to tell me what they are running.
>
> --
> Paul Farber
> Farber Technology
> farber@admin.f-tech.net
> Ph 570-628-5303
> Fax 570-628-5545
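
The reply radtest printed earlier in the thread (code=3, id=84, length=20) is an Access-Reject with no attributes. As an added example, not code from any poster, from Cistron or from the HiPer ARC firmware, this Python sketch shows how RFC 2865 expects a RADIUS client to treat a reply it is comparing or debugging: verify the Response Authenticator first, then let the caller on only for an Access-Accept. The shared secret and request authenticator are constructed values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 2, 3, 11
HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: assemble a reply datagram (used here to make sample packets)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(attrs)) + auth + attrs


def parse_reply(packet):
    """Decode the header fields that radtest prints: code, id, length."""
    if len(packet) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < HEADER_LEN or length > len(packet):
        raise ValueError("length field inconsistent with datagram size")
    return {"code": code, "id": ident, "length": length,
            "authenticator": packet[4:HEADER_LEN],
            "attrs": packet[HEADER_LEN:length]}


def nas_decision(packet, request_id, request_auth, secret):
    """Client (NAS) side: only a verified Access-Accept lets the caller on."""
    try:
        reply = parse_reply(packet)
    except ValueError:
        return "discard"
    if reply["id"] != request_id:
        return "discard"  # answer to some other request
    expected = response_authenticator(reply["code"], reply["id"], reply["attrs"],
                                      request_auth, secret)
    if not hmac.compare_digest(expected, reply["authenticator"]):
        return "discard"  # wrong secret or altered packet
    if reply["code"] == ACCESS_ACCEPT:
        return "permit"
    if reply["code"] == ACCESS_REJECT:
        return "deny"
    if reply["code"] == ACCESS_CHALLENGE:
        return "challenge"
    return "discard"


# Constructed sample values; only code=3, id=84 and length=20 come from the thread.
SECRET = b"constructed-secret"
REQUEST_AUTH = bytes(range(16))
REJECT = build_reply(ACCESS_REJECT, 84, b"", REQUEST_AUTH, SECRET)
# Same datagram with the code byte changed to Access-Accept, authenticator untouched.
ALTERED = bytes([ACCESS_ACCEPT]) + REJECT[1:]

if __name__ == "__main__":
    print(parse_reply(REJECT)["code"], parse_reply(REJECT)["length"])
    print(nas_decision(REJECT, 84, REQUEST_AUTH, SECRET))
    print(nas_decision(ALTERED, 84, REQUEST_AUTH, SECRET))
```

A "discard" result leaves the request unanswered, so the caller stays unauthenticated until a valid reply arrives or the request times out.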

It's working now... there must be some sort of cache in the CISTRON server.... tried the _auth cmd this morning and all of a sudden they fail.

--
Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Thu, 27 Sep 2001, Mark Thornton wrote:

> Have you run the radius diagnostics on the HiperArc themselves and looked at what the received packets are? If you do and want something to compare it to I could do the same on mine. Ours are authenticating against Vircom VopRadius and I know the disable function works because we use it to get payment from a small percentage of clients. It is amazing how fast they call after they are disabled.
>
> Mark Thornton
> San Marcos Internet, Inc
> 512-393-5300

Cistron requires a reload to read flat users files (/etc/raddb/users). We start ours every day at 7:00 AM just in case we didn't the day before when making changes.

PS: How were the Patton boxes working with it?

Marshall Morgan
Internet Doorway, Inc (aka NETDOOR) http://www.netdoor.com
601.969.1434 x28 | 800.952.1570 x28 | 601.969.3629 x28 | Fax 601.969.3838

----- Original Message -----
From: "Paul Farber" <farber@admin.f-tech.net>
To: <usr-tc@lists.xmission.com>
Sent: Thursday, September 27, 2001 6:50 PM
Subject: Re: (usr-tc) ARC not denying logins

> It's working now... there must be some sort of cache in the CISTRON server.... tried the _auth cmd this morning and all of a sudden they fail.
>
> --
> Paul Farber
> Farber Technology
> farber@admin.f-tech.net
> Ph 570-628-5303
> Fax 570-628-5545

I don't know... and the RADIUS server WAS restarted (verified in the logs). I wonder if a cache is on the TC's? I'm baffled... the radius server had ALWAYS rejected the auth request... only the ARC's didn't. Go figure.

--
Paul Farber
Farber Technology
farber@admin.f-tech.net
Ph 570-628-5303
Fax 570-628-5545

On Fri, 28 Sep 2001, Marshall Morgan wrote:

> Cistron requires a reload to read flat users files (/etc/raddb/users). We start ours every day at 7:00 AM just in case we didn't the day before when making changes.
>
> PS: How were the Patton boxes working with it?
>
> Marshall Morgan
> Internet Doorway, Inc (aka NETDOOR) http://www.netdoor.com
> 601.969.1434 x28 | 800.952.1570 x28 | 601.969.3629 x28 | Fax 601.969.3838

participants (3)
- Mark Thornton
- Marshall Morgan
- Paul Farber