
User Errors with Steel-Belted RADIUS (Most Read threads copied from the old J-Net)

[ Edited ] 11-08-2007 02:15 PM

Posts: 3
Registered on:
Nov 8, 2006
User Errors with Steel-Belted RADIUS
Posted: Nov 9, 2006  12:50 PM 109 views  
Hello, I am a new Steel-Belted RADIUS administrator. Right now we are noticing that a good amount of our users are continuing to have password issues. Without changing or resetting any passwords, a user cannot access our network and receives a username and/or password error. After reviewing our daily logs, these are the 2 error messages I see most frequently.

ERROR #1

"proxy error: no username in request - request not proxy forwarded"

ERROR #2

"unable to find user X with matching password"

I'm still making my way around SBR but I need to get to the bottom of this issue before anything else. Not sure what information anyone would need from me. Any ideas into this issue are most welcome. Thanks in advance!

Derek

Posts: 108
Registered on:
Jan 11, 2006

RE: User Errors with Steel-Belted RADIUS
Posted: Nov 10, 2006  5:58 AM 110 views
In reply to: User Errors with Steel-Belted RADIUS — Hello, I am a new Steel-Belted RADIUS administrator. Right now we are...
posted by dmanson on Nov 9, 2006  12:50 PM
Hi Derek,

I'm also new to SBR (although pretty familiar with RADIUS) and I've been building and testing the server using MySQL database as the datastore for authentication and accounting over the past few days.  I have seen your second message when the RADIUS server was unable to talk to the backend SQL server and when I had quotes around the Password in the DSN in Sqlauth.aut.  The quotes are copied verbatim into the password that is compared to the one sent by the user so, of course, it doesn't match.

I've not seen the first error but then I'm not using any proxies.  It appears that there is no user-name attribute in the request from which the server can decide to which proxy server the request should be sent.

You can test very effectively using a radius client like NTRadPing or a basic radius client under unix.  Actually create some RADIUS Access-Requests with 100% known content and send them to your server.  NTRadPing shows you the content of the reply.  Also, if you go to radius.ini, at the top of the file, there are two attributes (LogLevel and TraceLevel).  Record their current settings.  Then set both to 2, run some tests that demonstrate both issues, and then set them both back to their original settings.  This will generate some verbose logging in 20061110.log.  If you're still having issues, you can try sending that to the list.

Rgds,

Guy
Posts: 14
Registered on:
Apr 15, 2006

RE: User Errors with Steel-Belted RADIUS
Posted: Nov 30, 2006  10:06 AM 104 views
In reply to: User Errors with Steel-Belted RADIUS — Hello, I am a new Steel-Belted RADIUS administrator. Right now we are...
posted by dmanson on Nov 9, 2006  12:50 PM

Hi Derek, for the #1 issue you're having, first off the User-Name attribute must be present in the Access-Request packet. If it is not, SBR will not process the request. The RFC does state, though, that a User-Name attribute SHOULD be present, and this may be an enhancement going forward so as not to make it a MUST.

The other issue, which I think you are having is having NULL within the User-Name attribute. There is a switch in radius.ini that you can turn on to allow NULL User-Name attributes within radius. If this switch is not turned on, then that is why you are probably getting that error. Read the following technote on how to implement this.


The RFC does not require that the User-Name attribute be present in the authentication request. So SBR should process the request if it's not there. The problem is if the User-Name IS present but with a None-zero length field. For this issue SBR requires that the username attribute have a non-zero length value, e.g. not null. This was modified post 3.0, as allowing Null caused a great deal of problems when interoperating with back-ends; for example, if we actually searched for a NULL username in LDAP and got a match we will core.
That said, enabling the following will work with the 4.0 through 4.71 servers (and possibly any later releases too, though these HAVE NOT been tested either) and have it act the same way it did with 3.0.

NOTE: This feature is undocumented right now and unsupported. If it causes any issues we are not responsible.
Though your user can report the problem as a bug. LET YOUR END USERS KNOW THAT THIS MAY CAUSE CORES OR OTHER UNEXPECTED BAD RESULTS.
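To make the two conditions anorton describes concrete (User-Name absent versus present with zero length), here is an added Python example; it is not from this thread and not SBR code. It builds an RFC 2865 Access-Request with User-Password hiding and then runs the same User-Name check over the packet, so the two log conditions can be reproduced against a known packet. The shared secret, username and Request Authenticator are constructed test values.

```python
import hashlib
import os
import struct

ACCESS_REQUEST = 1       # RADIUS Code for Access-Request (RFC 2865)
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def build_access_request(attrs, secret: bytes, ident: int = 1, authenticator: bytes = None) -> bytes:
    """Serialize an Access-Request; attrs is a list of (type, raw value) pairs."""
    authenticator = authenticator or os.urandom(16)   # random Request Authenticator
    body = b""
    for atype, value in attrs:
        if atype == ATTR_USER_PASSWORD:
            value = hide_password(value, secret, authenticator)
        body += struct.pack("!BB", atype, 2 + len(value)) + value   # Type, Length (incl. header), Value
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + authenticator + body


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header; returns {type: [values]}."""
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs


def check_user_name(packet: bytes) -> str:
    """Mirror the two conditions from the thread: User-Name missing vs. present with zero length."""
    names = parse_attributes(packet).get(ATTR_USER_NAME)
    if not names:
        return "no username in request"
    if len(names[0]) == 0:
        return "null username"
    return "ok"
```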

Posts: 3
Registered on:
Nov 8, 2006

RE: RE: User Errors with Steel-Belted RADIUS
Posted: Nov 30, 2006  2:06 PM 104 views
In reply to: RE: User Errors with Steel-Belted RADIUS — Hi Derek,I'm also new to SBR (although pretty familiar with RADIUS) and...
posted by gdavies on Nov 10, 2006  5:58 AM
Thanks Guy and sorry for such a late reply. Your comment about using MySQL as the backend for authentication interests me. I am working on rebuilding our dial-up network to run on a Linux box. Is there much to running MySQL as the backend?

Thanks again,
Derek
Posts: 3
Registered on:
Nov 8, 2006

RE: RE: RE: User Errors with Steel-Belted RADIUS
Posted: Nov 30, 2006  2:19 PM 101 views  
In reply to: RE: User Errors with Steel-Belted RADIUS — Hi Derek,I'm also new to SBR (although pretty familiar with RADIUS) and...
posted by gdavies on Nov 10, 2006  5:58 AM
Thanks anorton! This sounds very promising. Before I commit any changes I want to run this by another admin but this is much more than I have discovered. Thanks again for your insight.

Derek

Posts: 108
Registered on:
Jan 11, 2006

RE: RE: RE: User Errors with Steel-Belted RADIUS
Posted: Dec 12, 2006  1:33 PM 83 views
In reply to: RE: RE: User Errors with Steel-Belted RADIUS — Thanks Guy and sorry for such a late reply. Your comment about using...
posted by dmanson on Nov 30, 2006  2:06 PM
Hi Derek,

Sorry for the terribly long time to reply.  Been out of the country.

Running MySQL is remarkably easy.  I managed to set up a trivial authentication, authorization and accounting setup against a basic MySQL database in less than one hour.  It takes the longest time to actually install MySQL and get that running :-)

There are some examples of SQL (not specifically MySQL) setup in the documentation (admin and reference guides), but if you're really struggling, give me a ping and I'll drop some example config files to you.  Check out sqlauth.aut and sqlacct.acc in the radius/service directory.

Make sure to download the GA versions of MySQL, the MySQL admin front end and the MySQL ODBC driver.

Rgds,

Guy

Message Edited by ac on 11-08-2007 02:16 PM