Radius / NMAS / BM / Ichain

Hello,
I have the following setup:
1x single-tree server with NW 6.5 SP1a / BM3.8 SP2
This is a simple authentication server placed in our DMZ. Some users are synchronized with DirXML from the productive main tree to the authentication tree.
Primarily this box is used for client-to-site VPN with Vasco Digipass tokens. This setup is working.
Now I wish to use the same box for iChain RADIUS authentication.
I have set up a second box in the DMZ for iChain 2.3. I have made the necessary schema extension on the authentication server and installed the snapins for iChain.
I tested authentication with LDAP to the authentication server... no problem.
Now the problems:
I set up an authentication profile on the iChain server for RADIUS.
I configured the authentication server's LPO and RADIUS objects. All this is described in the iChain admin book, page 89 (chapter 7, Using RADIUS Authentication).
When I check the RADIUS console I get the following message:
[DATE TIME] Access Request Dropped
IchainIP, cn, Unknown Radius client
What I did so far: I found several TIDs where the problem is described. I changed rights to the LPO, installed nmas234.tar, changed user props... but so far nothing works.
More system info:
Radius.nlm V 4.14 / 6.March 2003
nmas.nlm 2.68 / 17.June 2004
nmasldap.nlm V 1.20 / 31.March 2004
Here is the RADIUS debug log during authentication:
[2004-08-09 02:42:40 PM] Deleting file "sys:etc\radius\log\20040802.log", failed
[2004-08-09 02:42:40 PM] Parameter count = 1
[2004-08-09 02:42:40 PM] argv[0] = SYS:\SYSTEM\RADIUS.NLM
[2004-08-09 02:42:40 PM] Tree Name = "<null>"
[2004-08-09 02:42:40 PM] Login Name = "<null>"
[2004-08-09 02:42:40 PM] Name = "<null>"
[2004-08-09 02:42:40 PM] Workers = 0
[2004-08-09 02:42:40 PM] Port = 0
[2004-08-09 02:42:40 PM] Error encountered = 0
[2004-08-09 02:42:40 PM] Checking if parameters are to be retrieved from Registry
[2004-08-09 02:42:40 PM] Got Tree Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Login Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Service Name from registry, "<null>"
[2004-08-09 02:42:40 PM] Got Number Threads from registry, 5
[2004-08-09 02:42:40 PM] Got Service Port from registry, 1645
[2004-08-09 02:42:40 PM] Got Accounting Port from registry, 1646
[2004-08-09 02:42:40 PM] Got Accounting Path from registry, "sys:\etc\radius\acct"
[2004-08-09 02:42:40 PM] Got Accounting File Format from registry, "comma"
[2004-08-09 02:42:40 PM] Got RollOver from registry, "daily"
[2004-08-09 02:42:40 PM] Services supported, [2004-08-09 02:42:40 PM] "authentication" [2004-08-09 02:42:40 PM] "accounting" [2004-08-09 02:42:40 PM]
[2004-08-09 02:42:40 PM] Got Accounting Attribute File from registry, sys:\etc\radius\radacct.atr
[2004-08-09 02:42:40 PM] Got Authentication Path from registry, sys:etc\radius
[2004-08-09 02:43:03 PM] Debug logging enabled to file sys:etc\radius\debug\raddbg.log
[2004-08-09 02:43:17 PM] 1) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-09 02:43:17 PM] [(total=1) (p=0) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:17 PM] <2> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:208207
[2004-08-09 02:43:17 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971301---
[2004-08-09 02:43:17 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:17 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:17 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:17 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:17 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35971299---
[2004-08-09 02:43:23 PM] 2) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-09 02:43:23 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-09 02:43:23 PM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:266774
[2004-08-09 02:43:23 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912704---
[2004-08-09 02:43:23 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:23 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-09 02:43:23 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
[2004-08-09 02:43:23 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-09 02:43:23 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:-35912701---
[2004-08-09 02:48:42 PM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
Thanks
Stefan

It's working now.
The problem was the LPO. In the Login Sequences tab I had modified the standard Digipass entry and added an NDS entry. This was necessary for BM3.8 VPN logins in our environment.
So I created a new one with only Digipass inside and associated this login sequence with the RADIUS DAS.
Have a nice time
Stefan
>>> Scott Kiester<[email protected]> 11.08.04 22:21 >>>
You can't execute two login sequences with RADIUS, because there is no way
for RADIUS to prompt for a second set of credentials over the PAP or CHAP
protocols. The ConsoleOne snapin should not be allowing you to mark more
than one sequence as mandatory, as this configuration is invalid.
The recommended way of supporting multiple methods through RADIUS is by
creating a single NMAS "OR" login sequence, rather than using multiple
rules. You could create a sequence that specified "NDS" OR "Digipass." In
this case RADIUS would first execute the NDS method, and only execute the
Digipass method if NDS fails.
I realize that you want to require NDS AND Digipass, not NDS OR Digipass. A
login sequence that specifies NDS AND Digipass would always fail, because
the password supplied by the user would never be valid for both methods.
Unfortunately, there is not a way to require both NDS and Digipass through
RADIUS.
>>> Stefan Winterberg<[email protected]> 08/11/04 2:43 AM >>>
Hello Scott,
thank you very much. It seems that your eyes are better than ours.
The unknown client is now gone, but we still have some problems.
I have the new raddbg and nmasmon log files below.
We have set the sequences in the LPO for this DAS object to:
NDS Mandatory
Digipass Mandatory
On the user object the DefaultLoginClearance is set to password & token.
When we attempt to log in we can see that the Vasco Digipass successful login
counter is incremented by 1.
--Raddbg.log------------------------------
[2004-08-11 10:38:36 AM] Debug logging enabled to file sys:etc\radius\debug\raddbg.log
[2004-08-11 10:38:42 AM] Cacher: Console initiated rebuild of cache
[2004-08-11 10:38:42 AM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:3
[2004-08-11 10:38:42 AM] Cacher: Rebuilding cache, mod time different,
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:DAS Version) succeeded, time:2
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Password Policy) failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Common Name Resolution) succeeded, time:2
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:1
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Aged Interval) failed, no such attribute (-603), time:2
[2004-08-11 10:38:42 AM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Maximum History Record) failed, no such attribute (-603), time:1
[2004-08-11 10:38:42 AM] CACHE: Use Netware Password for "ichaindas.ichain.netstal": Enabled
[2004-08-11 10:38:42 AM] CACHE: CN Login for "ichaindas.ichain.netstal": Enabled
[2004-08-11 10:38:42 AM] CACHE: Concurrent Limit for "ichaindas.ichain.netstal": 0x80000000
[2004-08-11 10:38:42 AM] CACHE: Interim Timeout for "ichaindas.ichain.netstal": 10 minutes
[2004-08-11 10:38:42 AM] CACHE: Interval For Aging for "ichaindas.ichain.netstal": 7 days
[2004-08-11 10:38:42 AM] CACHE: Max History Record for "ichaindas.ichain.netstal": 30
[2004-08-11 10:38:42 AM] Context Lookup List set to:
[2004-08-11 10:38:42 AM] 1) USERS.NETSTAL
[2004-08-11 10:38:42 AM] Number of contexts = 1
[2004-08-11 10:38:42 AM] tag extracted: 62.200.168.121, size: 15, tagLength: 30
[2004-08-11 10:38:42 AM] Cache: Successfully set up client table
[2004-08-11 10:38:42 AM] (->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
[2004-08-11 10:38:42 AM] Cache: Successfully set up context list
[2004-08-11 10:38:42 AM] (->)NDSSetUpDomainList(ichaindas.ichain.netstal), Domain list is empty.
[2004-08-11 10:38:42 AM] Cache: Successfully set up domain list
[2004-08-11 10:38:42 AM] Cache: Successfully set up search domain list
[2004-08-11 10:38:42 AM] Cache: Successfully build context list
[2004-08-11 10:38:42 AM] CACHE: Cache reloaded at [2004-08-11 10:38:42 AM], current reload count is 5
[2004-08-11 10:38:42 AM] Cacher: RefreshCache(), succeeded
[2004-08-11 10:38:42 AM] CACHE: Cache loaded at [2004-08-11 10:38:11 AM] has been discarded , current reload count is 5
[2004-08-11 10:38:57 AM] 7) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-11 10:38:57 AM] [(total=7) (p=6) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-11 10:38:57 AM] <3> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:7776133
[2004-08-11 10:38:57 AM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:1545446252---
[2004-08-11 10:38:57 AM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-11 10:38:57 AM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-11 10:38:57 AM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
[2004-08-11 10:38:57 AM] CACHE: CacheGetEnableCNLogin(ichaindas.ichain.netstal), using cache
[2004-08-11 10:38:57 AM] CacheGetDNForName(wst), Using cache
[2004-08-11 10:38:57 AM] (->)CacheGetDNForName:NWDSReadObjectInfo(wst), succeeded, time:9
[2004-08-11 10:38:57 AM] userName: wst
[2004-08-11 10:38:57 AM] userDN: WST.USERS.NETSTAL
[2004-08-11 10:38:57 AM] (->)NDSVerifyAttr:NWDSRead(WST.USERS.NETSTAL,RADIUS:Dial Access Group) succeeded, time:3
[2004-08-11 10:38:57 AM] (->)NWDSCompare:(WST.USERS.NETSTAL) succeeded, time:2
[2004-08-11 10:38:57 AM] (->)NWDSRead(WST.USERS.NETSTAL,RADIUS Enable Attr) failed, no such attribute (-603), time:2
[2004-08-11 10:38:57 AM] (->)User "WST.USERS.NETSTAL", Looking in (USERS.NETSTAL) for (RADIUS:Enable Dial Access)
[2004-08-11 10:38:57 AM] (->)NWDSRead(USERS.NETSTAL,RADIUS Enable Attr) succeeded, time:2
[2004-08-11 10:38:57 AM] User Name: wst, User DN: WST.USERS.NETSTAL, Domain: , Service Tag:
[2004-08-11 10:38:57 AM] (->)NADMAuthRequest()
[2004-08-11 10:38:57 AM] (->)NADMAuthRequest(WST.USERS.NETSTAL) failed, -1642 (0xfffff996), time:1776
[2004-08-11 10:38:57 AM] (->)Authenticate (0 policy, NDS pswd) (for WST.USERS.NETSTAL), failed, -1642 (0xfffff996)
[2004-08-11 10:38:57 AM] (->)Authentication FAILED
[2004-08-11 10:38:57 AM] ->Sending Access-Reject (3) [(ip) 62.200.168.121(1812)] count=20
[2004-08-11 10:38:57 AM] ->Inserting into RespQ , code(3) id(6).
[2004-08-11 10:38:57 AM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:1545448063---
----nmasmon.log-------------------------------------------------------------
NMAS Enterprise Edition
0: Screen and file output started at Wed Aug 11 10:37:47 2004
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
GetLoginConfig: 0
NMAS_GetLoginConfig: 0
4: Destroy NMAS Session for reuse
4: Create NMAS Session
4: RemoteCheckIfLocalUser checking WST.USERS.NETSTAL.
4: RemoteCheckIfLocalUser is a local user.
4: Server thread started
4: NMAS_CanDo StartClientSession 0
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=35 queue Size 8
4: NMAS_CanDo sendMessage 0
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=8 queue size 0
4: >>ServerGet: message size=35 queue size 35
4: CanDo
4: Sequence Selected == "Digipass"
4: Login Method 0x00000050
4: MAF_Begin LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=5 queue size 8
4: MAF_GetAttribute LSM 0x00000050 AID: 1 Value: WST.USERS.NETSTAL
4: <<ClientGet: message size=5 queue Size 0
4: NMAS_CanDo sendMessage 0
4: NMAS_CanDo disassembleDoPacket 0
4: MAF_Begin LCM 0x00000050
4: MAF_XRead LCM 0x00000050
4: <<ClientGet: message size=8 queue Size 0
4: MAF_GetAttribute LSM 0x00000050 AID: 22 Tag: digipass
4: MAF_XWrite LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=60 queue size 8
4: MAF_XRead LSM 0x00000050
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=60 queue Size 0
4: MAF_GetAttribute LCM 0x00000050 AID: 6
4: MAF_XWrite LCM 0x00000050
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=29 queue Size 8
4: MAF_XRead LCM 0x00000050
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=29 queue size 0
4: MAF_PutAttribute LSM 0x00000050 AID: 22 Tag: digipass
4: MAF_XWrite LSM 0x00000050
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=16 queue size 8
4: MAF_End LSM 0x00000050 successful
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=16 queue Size 0
4: MAF_End LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: <<ClientGet: message size=8 queue Size 0
4: WhatNext
4: Login Method 0x00000007
4: MAF_GetAttribute LSM 0x00000007 AID: 2
4: MAF_GetAttribute LSM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
4: MAF_Begin LSM 0x00000007
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=5 queue size 8
4: MAF_AllowPasswordSet LSM 0x00000007
4: MAF_GetPassword LSM 0x00000007
4: MAF_Write LSM 0x00000007
4: <<ServerPut: message size=8 queue size 5
4: <<ServerPut: message size=40 queue size 13
4: MAF_GetNDSPasswordHash LSM 0x00000007
4: MAF_XWrite LSM 0x00000007
4: <<ServerPut: message size=8 queue size 53
4: <<ServerPut: message size=36 queue size 61
4: MAF_XRead LSM 0x00000007
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=5 queue Size 0
4: MAF_Begin LCM 0x00000007
4: MAF_GetAttribute LCM 0x00000007 AID: 6
4: MAF_GetAttribute LCM 0x00000007 AID: 1 Value: WST.USERS.NETSTAL
4: MAF_Read LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 92
4: <<ClientGet: message size=40 queue Size 84
4: MAF_XRead LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 44
4: <<ClientGet: message size=36 queue Size 36
4: MAF_XWrite LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=56 queue Size 8
4: MAF_XRead LCM 0x00000007
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=56 queue size 0
4: MAF_GetNDSPasswordHash LSM 0x00000007
4: MAF_XWrite LSM 0x00000007
4: <<ServerPut: message size=8 queue size 0
4: <<ServerPut: message size=32 queue size 8
4: MAF_End LSM 0x00000007 failed
4: ERROR: -1642 Login Method
4: ERROR: -1642 WhatNext
4: ERROR: -1642 NMAS Manager
4: <<ServerPut: message size=8 queue size 32
4: <<ServerPut: message size=4 queue size 40
4: >>ServerGet: message size=8 queue size 0
4: <<ClientGet: message size=32 queue Size 0
4: MAF_Write LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 0
4: >>ClientPut: message size=12 queue Size 8
4: MAF_End LCM 0x00000007
4: >>ClientPut: message size=8 queue Size 12
4: <<ClientGet: message size=8 queue Size 12
4: <<ClientGet: message size=4 queue Size 4
4: >>ClientPut: message size=8 queue Size 20
4: <<ClientGet: message size=8 queue Size 0
4: >>ServerGet: message size=12 queue size 0
4: >>ServerGet: message size=8 queue size 16
4: >>ServerGet: message size=8 queue size 8
4: <<ServerPut: message size=8 queue size 0
4: Server thread exited
4: Client Session Destroy Request
4: Local Session Cleared (Not Destroyed)
Thanks
>>> Scott Kiester<[email protected]> 10.08.04 19:14 >>>
It looks like you transposed the middle two octets in the client IP address.
Here's what RADIUS.NLM is reading out of the client table:
[2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15, tagLength: 30
And here's the access-request:
[2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901386806---
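A checker for the comparison Scott made by eye, added here as an example (it is not code from this thread or from Novell): it reads the "tag extracted" lines RADIUS.NLM writes while rebuilding the client table and the Access-Request lines, reports any NAS address missing from the table, and points out table entries that look like typos of it (same octets in a different order, or one octet off). The sample log is constructed from the excerpts in this thread with wrapped lines re-joined.

```python
"""Cross-check raddbg.log: RADIUS client table vs. NAS addresses actually seen."""
import re
from collections import Counter

# Constructed sample, modelled on the raddbg.log excerpts quoted in this thread
# (wrapped lines re-joined); it is not a real capture.
SAMPLE_LOG = """\
[2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15, tagLength: 30
[2004-08-10 04:44:21 PM] Cache: Successfully set up client table
[2004-08-10 04:45:32 PM] 15) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901386806---
[2004-08-10 04:45:32 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-10 04:45:38 PM] 16) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-10 04:45:38 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
"""

IPV4 = r"(\d{1,3}(?:\.\d{1,3}){3})"
# "tag extracted: <ip>, ..." is logged once per client-table entry during a cache rebuild.
TAG_RE = re.compile(r"tag extracted: " + IPV4 + r",")
# "<n>) [(ip) <ip>:<port>], Received <n> Bytes (Access-Request (1))" marks each request received.
# The "START" line for the same request has no "Received", so it is not counted twice.
REQ_RE = re.compile(r"\[\(ip\) " + IPV4 + r":\d+\], Received \d+ Bytes \(Access-Request")
DROP_RE = re.compile(r"no such RADIUS client \(-822\)")


def parse_raddbg(text):
    """Return (client-table IPs, Counter of requesting NAS IPs, number of -822 drops)."""
    clients, requests, dropped = set(), Counter(), 0
    for line in text.splitlines():
        m = TAG_RE.search(line)
        if m:
            clients.add(m.group(1))
            continue
        m = REQ_RE.search(line)
        if m:
            requests[m.group(1)] += 1
            continue
        if DROP_RE.search(line):
            dropped += 1
    return clients, requests, dropped


def near_miss(seen, configured):
    """Explain how a configured client IP could be a typo for the one actually seen.

    Covers the two mistakes that produce exactly this thread's symptom: the same
    four octets in a different order, or a single octet mistyped. Returns None
    when the addresses are equal or not obviously related.
    """
    if seen == configured:
        return None
    a, b = seen.split("."), configured.split(".")
    if sorted(a) == sorted(b):
        return "same octets in a different order"
    if sum(x != y for x, y in zip(a, b)) == 1:
        return "differs in one octet"
    return None


def diagnose(text):
    """Match every requesting NAS against the client table and explain the drops."""
    clients, requests, dropped = parse_raddbg(text)
    findings = []
    for nas, count in sorted(requests.items()):
        if nas in clients:
            continue
        hints = []
        for configured in sorted(clients):
            why = near_miss(nas, configured)
            if why:
                hints.append(f"{configured} ({why})")
        msg = f"{count} Access-Request(s) from {nas}, which is not in the client table"
        if hints:
            msg += "; suspiciously close table entries: " + ", ".join(hints)
        findings.append(msg)
    return {
        "clients": sorted(clients),
        "unknown_nas": sorted(set(requests) - clients),
        "dropped": dropped,
        "findings": findings,
    }


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG)["findings"]:
        print(finding)
```

Run it against a real raddbg.log captured after "radius refreshcache" so that the "tag extracted" lines for the whole client table precede the requests.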
>>> Stefan Winterberg<[email protected]> 08/10/04 8:52 AM >>>
Hello Scott,
there is no problem with the tree key. ConsoleOne can add, remove and modify these properties.
Here is the actual raddbg.log:
[2004-08-10 04:44:21 PM] Cacher: Console initiated rebuild of cache
[2004-08-10 04:44:21 PM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:2
[2004-08-10 04:44:21 PM] Cacher: Rebuilding cache, mod time different,
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:DAS Version) succeeded, time:3
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Password Policy) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Common Name Resolution) succeeded, time:2
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Concurrent Limit) failed, no such attribute (-603), time:1
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Interim Accting Timeout) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Aged Interval) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM] (->)NDSReadData:NWDSRead(ichaindas.ichain.netstal,RADIUS:Maximum History Record) failed, no such attribute (-603), time:2
[2004-08-10 04:44:21 PM] CACHE: Use Netware Password for "ichaindas.ichain.netstal": Enabled
[2004-08-10 04:44:21 PM] CACHE: CN Login for "ichaindas.ichain.netstal": Enabled
[2004-08-10 04:44:21 PM] CACHE: Concurrent Limit for "ichaindas.ichain.netstal": 0x80000000
[2004-08-10 04:44:21 PM] CACHE: Interim Timeout for "ichaindas.ichain.netstal": 10 minutes
[2004-08-10 04:44:21 PM] CACHE: Interval For Aging for "ichaindas.ichain.netstal": 7 days
[2004-08-10 04:44:21 PM] CACHE: Max History Record for "ichaindas.ichain.netstal": 30
[2004-08-10 04:44:21 PM] Context Lookup List set to:
[2004-08-10 04:44:21 PM] 1) USERS.NETSTAL
[2004-08-10 04:44:21 PM] Number of contexts = 1
[2004-08-10 04:44:21 PM] tag extracted: 62.168.200.121, size: 15, tagLength: 30
[2004-08-10 04:44:21 PM] Cache: Successfully set up client table
[2004-08-10 04:44:21 PM] (->)NDSSetUpContextList(ichaindas.ichain.netstal), ProxyContext is empty
[2004-08-10 04:44:21 PM] Cache: Successfully set up context list
[2004-08-10 04:44:21 PM] (->)NDSSetUpDomainList(ichaindas.ichain.netstal), Domain list is empty.
[2004-08-10 04:44:21 PM] Cache: Successfully set up domain list
[2004-08-10 04:44:21 PM] Cache: Successfully set up search domain list
[2004-08-10 04:44:21 PM] Cache: Successfully build context list
[2004-08-10 04:44:21 PM] CACHE: Cache reloaded at [2004-08-10 04:44:21 PM], current reload count is 5
[2004-08-10 04:44:21 PM] Cacher: RefreshCache(), succeeded
[2004-08-10 04:44:21 PM] CACHE: Cache loaded at [2004-08-10 04:43:05 PM] has been discarded , current reload count is 5
[2004-08-10 04:45:21 PM] (->)Cacher: NWDSReadObjectInfo(ichaindas.ichain.netstal), succeeded, time:1
[2004-08-10 04:45:32 PM] 15) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-10 04:45:32 PM] [(total=15) (p=14) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-10 04:45:32 PM] <6> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:124205589
[2004-08-10 04:45:32 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901386806---
[2004-08-10 04:45:32 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:32 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-10 04:45:32 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:32 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-10 04:45:32 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901386809---
[2004-08-10 04:45:38 PM] 16) [(ip) 62.200.168.121:1812], Received 43 Bytes (Access-Request (1))
[2004-08-10 04:45:38 PM] [(total=16) (p=15) (d=0) (r=0) (acc=0) (rej=0)]
[2004-08-10 04:45:38 PM] <2> Done GetNextMessage [(ip) 62.200.168.121:1812]: time:124022378
[2004-08-10 04:45:38 PM] -------- START : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901444855---
[2004-08-10 04:45:38 PM] CACHE: CacheDomainListExist(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:38 PM] AuthRequestHandler(), Calling RequestHandler.
[2004-08-10 04:45:38 PM] CACHE: CacheReadSecretForNASAddress(ichaindas.ichain.netstal), using cache
[2004-08-10 04:45:38 PM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped
[2004-08-10 04:45:38 PM] -------- END : (Access-Request (1)) [(ip) 62.200.168.121:1812]: time:901444857---
Thanks
Stefan
>>> Scott Kiester<[email protected]> 10.08.04 01:07 >>>
You might have a problem with the tree key in your environment. First of all, make sure that ConsoleOne is storing the client data. After you add a new entry to the client table on your DAS, close the DAS properties dialog and re-open it. If the new client is not there when you re-open the dialog, then ConsoleOne may have been unable to save the data due to a problem with the tree key. You can confirm this by executing ConsoleOne with the following command line: "consoleone -debug -windowout". This will make ConsoleOne display a debug window in the top-left portion of your screen. If there is a problem saving the client data, then ConsoleOne will display an exception and an error code in this window. If the error is in the -14xx range (-1460 and -1418 are most common), then you most likely have a problem with your tree key.
If ConsoleOne is saving the data correctly, then you'll need to see what is happening when RADIUS.NLM reads this data. To do this, issue a "radius refreshcache" command at the server console after you enable debug logging. Please post this file here and I'll take a look at it.
Tree key problems can be corrected with SDIDIAG, which IIRC is available as a free download from the support site.
>>> Stefan Winterberg<[email protected]> 08/09/04 8:16 AM >>>

Similar Messages

  • Radius / NMAS / MD5

    When trying to authenticate to Novell RADIUS using the MD5 login method
    the Novell server abends - page fault processor exception on the
    LSMMD5.nlm, which was passed by NMAS. This is NW 6.5 SP1 running
    the radius.nlm from BorderManager 3.8. The LSMMD5.nlm is version 1.10,
    12/3/03. Note other login methods are working fine (NDS password and tokens).
    Has anyone had a similar problem, or is anyone using MD5 authentication with the
    Novell RADIUS server?

    It sounds like there is a problem in the NMAS Digest MD5 Method. The NMAS
    team will need to investigate this.
    You should use the Simple Password method with RADIUS instead of the Digest
    MD5 Method. The Digest MD5 Method uses the NMAS Simple Password, but my
    understanding is that this method is intended to be used only with the LDAP
    Digest MD5 SASL mechanism. You should not use this method with RADIUS.
    If you're trying to set up CHAP, you should use the Simple Password Method.
    The Simple Password Method supports both PAP and CHAP.
    >>> Heidi<[email protected]> 6/23/2004 2:19:24 PM >>>

  • Radius NMAS 2 Calling station Id

    Hello,
    can the Novell RADIUS server be set up to provide authentication based on
    MAC address and/or Calling-Station-ID?
    Currently running 6.5 SP2 servers and NMAS with RADIUS.
    Thanks
    Michael

    The called-station-id and calling-station-id attributes are generally
    referred to as "request attributes" because the NAS provides them in the
    access-request packet. Unfortunately, the current version of RADIUS does not
    support request attributes. When you configure attributes for Novell RADIUS,
    you may only configure attributes for the access-accept packet.
    >>> <[email protected]> 10/07/04 7:08 AM >>>

  • Radius problems/ichain

    We have NW 6.5 SP2 with the RADIUS files from the iChain 2.3 CD (overwrite all)
    with the NMAS patch
    nmas V2.6.8
    radius v4.15
    Problems:
    1. We're getting "radius client unknown" (the RADIUS NLM does load but won't
    unload, it just hangs).
    2. I can only get NWAdmin to save the client details in the DAS object;
    C1 just won't save it. I've tried V136c, 136, 135 and the server version,
    which errors with
    "waiting for reading vendor list from attribute file"; however, the
    radius.atr file does exist.
    3. Not sure if this is relevant here, but a Vasco token won't assign to a user;
    it errors with "unable to write configuration data".
    Thanks for the help.

    Well, for no reason at all it started working with C1 locally 2 days later!
    Weird.
    Also, if I assign a DAS object to a container and all users underneath are
    told to inherit the DAS from the container settings,
    then I won't have to configure each user object? This doesn't seem to inherit
    for some reason.
    Is the Radius.nlm from the iChain 2.3 auth CD good enough for an NW 6.5 SP2
    server, or is
    there an update?
    Thanks
    "Scott Kiester" <[email protected]> wrote in message
    news:bYq%[email protected]...
    > Your first and third items could be due to an inconsistent or missing tree
    > key. You can use SDIDIAG to troubleshoot and correct tree key issues.
    > SDIDIAG is available as a free download from the support site.
    >
    > Your second issue is due to a bug in the RADIUS ConsoleOne snapin. The
    > problem should go away if you run ConsoleOne from your local workstation,
    > instead of running it from a drive mapped to the server. The snapin uses a
    > very inefficient method of parsing the radius.atr file, which requires it to
    > do several seeks for each record that is processed. When ConsoleOne has to
    > go over the network to access the file, it can take a very long time to
    > parse (10-15 minutes in my experience).
    >
    > Also, don't administer NMAS RADIUS with NWAdmin. NWAdmin is for BMAS 3.7 and
    > older BMAS servers only. (BMAS 3.8 is NMAS RADIUS, and therefore uses
    > ConsoleOne.)
    >
    > >>> <[email protected]> 09/07/04 7:12 AM >>>

  • Radius-Authentication / Cisco 2600 fails MiscError -1642

    Hi,
    I'm trying to configure BM 3.8 SP3 IR3 RADIUS (NMAS 2.3) to
    authenticate a Cisco 2600 against my BM. Under BM 3.7 this
    setup is working fine, but now with 3.8 I get the following
    error:
    Access rejected, Miscellaneous error (-1642)
    I've configured the LPO with the following sequences:
    NDS acceptable, simple acceptable
    A test with NTRADPING:
    with CHAP disabled, it works fine (LPO sequence is NDS)
    with CHAP enabled, I get the error above
    I tried the simple login sequence also (like a posting
    in this newsgroup), but no change.
    Hope you can help me, I need CHAP authentication...
    From Radius-Debug:
    This one works (without CHAP):
    [2005-07-28 05:52:43 PM] (->)Cacher:
    NWDSReadObjectInfo(das01.radius.bmanager.informatik.kli_pa),
    succeeded, time:7
    [2005-07-28 05:52:43 PM] 31) [(ip) 172.24.4.2:2642], Received 46 Bytes
    (Access-Request (1))
    [2005-07-28 05:52:43 PM] [(total=31) (p=30) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-07-28 05:52:43 PM] <2> Done GetNextMessage [(ip)
    172.24.4.2:2642]: time:2611012
    [2005-07-28 05:52:43 PM] -------- START : (Access-Request (1)) [(ip)
    172.24.4.2:2642]: time:640356694---
    [2005-07-28 05:52:43 PM] CACHE:
    CacheDomainListExist(das01.radius.bmanager.informatik.kli_pa), using cache
    [2005-07-28 05:52:43 PM] AuthRequestHandler(), Calling
    NewRequestHandler.
    [2005-07-28 05:52:43 PM] CACHE:
    CacheGetEnableCNLogin(das01.radius.bmanager.informatik.kli_pa), using
    cache
    [2005-07-28 05:52:43 PM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
    [2005-07-28 05:52:43 PM] CacheFindContext - GetParentDN(userDN)
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:43 PM] CacheFindContext - tmpContext
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
    contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:43 PM] Handling local authentication request.
    [2005-07-28 05:52:43 PM] CACHE:
    CacheReadSecretForNASAddress(das01.radius.bmanager.informatik.kli_pa),
    using cache
    [2005-07-28 05:52:43 PM]
    (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
    Access Group) succeeded, time:47
    [2005-07-28 05:52:43 PM]
    (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
    time:42
    [2005-07-28 05:52:43 PM]
    (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
    Attr) succeeded, time:45
    [2005-07-28 05:52:43 PM] User Name: NAS2-1, User DN:
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
    [2005-07-28 05:52:43 PM] (->)NADMAuthRequest()
    [2005-07-28 05:52:43 PM]
    (->)NADMAuthRequest(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    succeeded, time:961
    [2005-07-28 05:52:43 PM] (->)Authenticate (0 policy, NDS pswd) (for
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA), succeeded
    [2005-07-28 05:52:43 PM]
    (->)NDSReadData:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Concurrent
    Limit) failed, no such attribute (-603), time:50
    [2005-07-28 05:52:43 PM] CACHE:
    CacheGetConcurrentLimit(das01.radius.bmanager.informatik.kli_pa),
    using cache
    [2005-07-28 05:52:43 PM]
    User:NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Current Login:0, Login
    Limit:-1, succeeded
    [2005-07-28 05:52:43 PM] (->)Authentication SUCCEEDED
    [2005-07-28 05:52:43 PM] Tag "DIALIN" uses profile
    "DIALIN.RADIUS.BMANAGER.INFORMATIK.KLI_PA"
    [2005-07-28 05:52:43 PM] FDN:
    CN=NAS2-1.OU=RADIUS.OU=BMANAGER.OU=INFORMATIK.O=KLI_PA
    [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
    [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 6
    [2005-07-28 05:52:43 PM] PutAttributesInBuffer, calling FilterAttribute
    [2005-07-28 05:52:43 PM] Filter attribute, vendorID: 0, attribute: 7
    [2005-07-28 05:52:43 PM] ->Sending Access-Accept (2) [(ip)
    172.24.4.2(2642)] count=32
    [2005-07-28 05:52:43 PM] ->Inserting into RespQ , code(2) id(7).
    [2005-07-28 05:52:43 PM] -------- END : (Access-Request (1)) [(ip)
    172.24.4.2:2642]: time:640358122---
    This one doesn't work (CHAP enabled):
    [2005-07-28 05:52:55 PM] 32) [(ip) 172.24.4.2:2647], Received 47 Bytes
    (Access-Request (1))
    [2005-07-28 05:52:55 PM] [(total=32) (p=31) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-07-28 05:52:55 PM] <4> Done GetNextMessage [(ip)
    172.24.4.2:2647]: time:2426593
    [2005-07-28 05:52:55 PM] -------- START : (Access-Request (1)) [(ip)
    172.24.4.2:2647]: time:640481075---
    [2005-07-28 05:52:55 PM] CACHE:
    CacheDomainListExist(das01.radius.bmanager.informatik.kli_pa), using cache
    [2005-07-28 05:52:55 PM] AuthRequestHandler(), Calling
    NewRequestHandler.
    [2005-07-28 05:52:55 PM] CACHE:
    CacheGetEnableCNLogin(das01.radius.bmanager.informatik.kli_pa), using
    cache
    [2005-07-28 05:52:55 PM]
    (->)CacheGetDNForName:NWDSReadObjectInfo(NAS2-1), succeeded, time:72
    [2005-07-28 05:52:55 PM] CacheFindContext - GetParentDN(userDN)
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:55 PM] CacheFindContext - tmpContext
    (RADIUS.BMANAGER.INFORMATIK.KLI_PA),
    contextName(RADIUS.BMANAGER.INFORMATIK.KLI_PA)
    [2005-07-28 05:52:55 PM] Handling local authentication request.
    [2005-07-28 05:52:55 PM] HandleCHAPRequest(NAS2-1)
    [2005-07-28 05:52:55 PM] CACHE:
    CacheReadSecretForNASAddress(das01.radius.bmanager.informatik.kli_pa),
    using cache
    [2005-07-28 05:52:55 PM] CHAP chapCSize: 16
    [2005-07-28 05:52:55 PM] [CHAP]User Name: NAS2-1, User DN:
    NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA, Domain: , Service Tag:
    [2005-07-28 05:52:55 PM]
    (->)NDSVerifyAttr:NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS:Dial
    Access Group) succeeded, time:53
    [2005-07-28 05:52:55 PM]
    (->)NWDSCompare:(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA) succeeded,
    time:42
    [2005-07-28 05:52:55 PM]
    (->)NWDSRead(NAS2-1.RADIUS.BMANAGER.INFORMATIK.KLI_PA,RADIUS Enable
    Attr) succeeded, time:44
    [2005-07-28 05:52:55 PM] (->)NADMAuthRequest()
    [2005-07-28 05:52:59 PM] ->Sending Access-Reject (3) [(ip)
    172.24.4.2(2647)] count=20
    [2005-07-28 05:52:59 PM] ->Inserting into RespQ , code(3) id(8).
    [2005-07-28 05:52:59 PM] -------- END : (Access-Request (1)) [(ip)
    172.24.4.2:2647]: time:640512029---
    I can't see an error with CHAP enabled...
    Regards
    Guenther

    I'm having the same problem. radping works with CHAP and simple passwords,
    but gives the -1642 error when I'm authenticating from my Cisco VPN router.
    BTW, I had everything working for YEARS with NDS passwords and earlier
    versions of BorderManager. BM 3.8 broke it.
    Thanks
    David
    > Hi Jake,
    >
    > yes, it's a Cisco issue. For downloading dynamic routes with
    > RADIUS you need the Cisco default password called "cisco". Strange,
    > and a big security leak....
    >
    > The authentication with PPP user and CHAP / simple password
    > works fine now.
    >
    > Regards
    > Guenther
    >
    > Jake Speed wrote:
    > > Hi,
    > > yes, it's working fine!
    > > Working with a 3640, and 8 BRI/40 async interfaces. With CHAP enabled,
    > > and simple password used.
    > > Seems to be a problem on the Cisco side, so if radping works, NW RADIUS
    > > and the objects are OK.
    > >
    > > Bye
    > > Jake
    > >
    > > Guenther Rasch wrote:
    > >
    > >> Hi Craig,
    > >>
    > >> I don't know why, but now CHAP works with ntradping.exe
    > >> - the Cisco router still doesn't work. I've configured
    > >> "simple password" in the LP object...
    > >>
    > >> Does anyone have a working configuration NMAS RADIUS /
    > >> Cisco NAS router?
    > >>
    > >> Regards
    > >> Guenther
    > >>
    > >> Craig Johnson wrote:
    > >>
    > >>> In article <Yg0He.13962$[email protected]>,
    > >>> Guenther Rasch wrote:
    > >>>
    > >>>> is it possible in BM 3.8? Which password / login sequence do I need
    > >>>> to get CHAP working?
    > >>>>
    > >>>
    > >>> As far as I know, you cannot make CHAP work against an NDS password,
    > >>> in any version of Novell RADIUS.
    > >>> I don't really know about getting the dial access system password
    > >>> working in 3.8 (NMAS) RADIUS. I would assume there would be a login
    > >>> policy object rule for it.
    > >>>
    > >>> Craig Johnson
    > >>> Novell Support Connection SysOp
    > >>> *** For a current patch list, tips, handy files and books on
    > >>> BorderManager, go to http://www.craigjconsulting.com ***
    > >>>
    > >>>
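    Craig's point above, that CHAP cannot be checked against a one-way NDS password, is the crux of this thread. The following is an added worked example, not code from the newsgroup or from Novell's RADIUS.NLM: it runs PAP and CHAP verification against a constructed credential store with one reversible entry (what the NMAS "simple password" method gives the server) and one one-way entry (a salted SHA-1 standing in for the NDS password). The user names, passwords and hash format are assumptions of the example; the CHAP arithmetic is the RFC 1994 s.2 computation as carried in the RADIUS CHAP-Password and CHAP-Challenge attributes (RFC 2865 s.5.3).

```python
"""CHAP versus PAP when the server holds only a one-way password hash.

Added example for the CHAP thread above; not code from the newsgroup or
from Novell's RADIUS.NLM. The users, passwords and the salted SHA-1 that
stands in for a one-way directory password are constructed for this example.
"""
import hashlib
import hmac
import os


def make_store():
    """Constructed credential store: one reversible entry (what an NMAS
    "simple password" gives the server) and one one-way entry (stand-in for
    an NDS password the server can only compare against, never read back)."""
    salt = b"\x5a\xa5\x0f\xf0"
    return {
        "ppp-user": {"cleartext": b"S3cret!"},
        "nds-user": {"salt": salt,
                     "hash": hashlib.sha1(salt + b"S3cret!").digest()},
    }


def chap_response(chap_id, password, challenge):
    """RFC 1994 s.2: Response = MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([chap_id]) + password + challenge).digest()


def client_chap_attrs(chap_id, password, challenge):
    """What the NAS puts on the wire: CHAP-Password = Identifier || Response,
    plus CHAP-Challenge (if omitted, the Request Authenticator is the challenge)."""
    return bytes([chap_id]) + chap_response(chap_id, password, challenge), challenge


def verify_pap(store, user, password):
    """PAP works against either entry: the server receives the password itself."""
    entry = store.get(user)
    if entry is None:
        return False, "unknown user"
    if "cleartext" in entry:
        return hmac.compare_digest(entry["cleartext"], password), "cleartext compare"
    digest = hashlib.sha1(entry["salt"] + password).digest()
    return hmac.compare_digest(entry["hash"], digest), "one-way hash compare"


def verify_chap(store, user, chap_password, challenge):
    """CHAP needs the cleartext to recompute the MD5; a hash of it is useless."""
    entry = store.get(user)
    if entry is None:
        return False, "unknown user"
    if len(chap_password) != 17:
        return False, "malformed CHAP-Password"
    if "cleartext" not in entry:
        # Nothing the server holds lets it derive MD5(id || password || challenge)
        # from H(salt || password), so the only honest answer is a reject.
        return False, "no reversible password available for CHAP"
    chap_id = chap_password[0]
    expected = chap_response(chap_id, entry["cleartext"], challenge)
    return hmac.compare_digest(expected, chap_password[1:]), "chap compare"


def demo(password=b"S3cret!"):
    """Run PAP and CHAP for both users; returns {(user, method): accepted}."""
    store = make_store()
    challenge = os.urandom(16)
    results = {}
    for user in ("ppp-user", "nds-user"):
        results[(user, "pap")] = verify_pap(store, user, password)[0]
        chap_pw, chal = client_chap_attrs(7, password, challenge)
        results[(user, "chap")] = verify_chap(store, user, chap_pw, chal)[0]
    return results


if __name__ == "__main__":
    for (user, method), ok in demo().items():
        print(f"{user:9s} {method}: {'Access-Accept' if ok else 'Access-Reject'}")
```

    PAP succeeds for both users because the server gets the password itself and can hash it; CHAP succeeds only for the user whose password the server can read back, because the response is an MD5 over the cleartext. That is why a CHAP reject with a known-good password is a credential-storage question (which login method the LPO allows and how the password is stored), not a packet or NAS question, which is also what the radping-versus-router results in this thread separate out.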

  • NMAS based token for radius authentication towards checkpoint firewall

    Hi,
    I'm looking for token-based access to a Checkpoint firewall. I found
    out about RADIUS, and think that's the way to go.
    Our user administration is NW65 SP2 & eDir 8.7.3 based.
    Has anyone a success story about a token-based RADIUS server based on this
    configuration?
    Which token?
    Additional software?
    Anyone?

    Hi Peter,
    have a look at the RADIUS implementation CookBook (www.vasco.com/novell)
    chris
    > We use Vasco tokens for two things: Checkpoint Firewall-1 VPN
    > authentication, and iChain 2.2 RADIUS authentication. The current
    > RADIUS.NLM that we use is from the iChain authentication CD.
    >
    > The only problem I can think of to mention is the "Unknown RADIUS client"
    > error that we got after NW6 SP5. That was solved by the latest NMAS patches
    > and an upgrade from eDir 8.6.2 to 8.7.3.
    >
    >
    > "Peter van de Meerendonk" <[email protected]> wrote in
    > message news:JNiQd.595$[email protected]..
    > > > Well, just let me cover my hiney a little. We did have extremely bad
    > > > results with Activcard ACO000 tokens, but that is an old product from
    > > > about 3-4 years ago. I have no knowledge of the current Activcard tokens.
    > > >
    > > OK, but the licensing policy makes Activcard a costly alternative. We've
    > > got a good deal on RSA, and are negotiating a deal on Vasco. Eventually we
    > > might need 250+ tokens.
    > >
    > > I am very interested in configuration details of your setup. Do you use
    > > the tokens only for Checkpoint authentication, or for Novell
    > > authentication as well?
    > >
    >

  • Unknown RADIUS Client error again with NMAS RADIUS

    I had this problem before and it seemed to be related to the FDN being
    assigned at the container level. Now (for some reason) it's come back
    and the previous fix doesn't work.
    Running NW 6.5SP5
    NMAS.NLM ver 2.65
    RADIUS.NLM ver 4.15
    GAMS.NLM ver 1.30
    NMASGPXY.NLM ver 1.04
    When I use NTRADPING to query the RADIUS server, it times out. The
    following is the debug output from RADIUS:
    [2006-05-08 05:27:21 PM] 2) [(ip) 172.22.105.81:1944], Received 46
    Bytes (Access-Request (1))
    [2006-05-08 05:27:21 PM] [(total=2) (p=1) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2006-05-08 05:27:21 PM] <4> Done GetNextMessage [(ip)
    172.22.105.81:1944]: time:1608203
    [2006-05-08 05:27:21 PM] -------- START : (Access-Request (1)) [(ip)
    172.22.105.81:1944]: time:891983657---
    [2006-05-08 05:27:21 PM] CACHE:
    CacheDomainListExist(testdas1.radius.mc), using cache
    [2006-05-08 05:27:21 PM] AuthRequestHandler(), Calling
    RequestHandler.
    [2006-05-08 05:27:21 PM] CACHE:
    CacheReadSecretForNASAddress(testdas1.radius.mc), using cache
    [2006-05-08 05:27:21 PM] HandleLocalRequest(),
    CacheReadSecretForNASAddress failed, no such RADIUS client (-822),
    Packet Dropped
    [2006-05-08 05:27:21 PM] -------- END : (Access-Request (1)) [(ip)
    172.22.105.81:1944]: time:891983668---
    However, the client is configured in the DAS as a generic radius
    client.
    This is a newly created DAS and Profile for test purposes. The user has
    been configured for this DAS and profile but the properties have NOT
    been added to avoid conflict.
    On a RADIUS REFRESHCACHE, the debug output is as follows:
    [2006-05-08 05:27:03 PM] Cacher: Console initiated rebuild of cache
    [2006-05-08 05:27:03 PM] (->)Cacher:
    NWDSReadObjectInfo(testdas1.radius.mc), succeeded, time:3
    [2006-05-08 05:27:03 PM] Cacher: Rebuilding cache, mod time different,
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:DAS Version)
    succeeded, time:5
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Password Policy)
    failed, no such attribute (-603), time:4
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Common Name
    Resolution) succeeded, time:4
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Concurrent Limit)
    failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Interim Accting
    Timeout) failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Aged Interval)
    failed, no such attribute (-603), time:3
    [2006-05-08 05:27:03 PM]
    (->)NDSReadData:NWDSRead(testdas1.radius.mc,RADIUS:Maximum History
    Record) failed, no such attribute (-603), time:4
    [2006-05-08 05:27:03 PM] CACHE: Use Netware Password for
    "testdas1.radius.mc": Enabled
    [2006-05-08 05:27:03 PM] CACHE: CN Login for "testdas1.radius.mc":
    Enabled
    [2006-05-08 05:27:03 PM] CACHE: Concurrent Limit for
    "testdas1.radius.mc": 0x80000000
    [2006-05-08 05:27:03 PM] CACHE: Interim Timeout for
    "testdas1.radius.mc": 10 minutes
    [2006-05-08 05:27:03 PM] CACHE: Interval For Aging for
    "testdas1.radius.mc": 7 days
    [2006-05-08 05:27:03 PM] CACHE: Max History Record for
    "testdas1.radius.mc": 30
    [2006-05-08 05:27:03 PM] tag extracted: 172.22.105.81, size: 14,
    tagLength: 28
    [2006-05-08 05:27:03 PM] (->)NDSSetUpClientTable(testdas1.radius.mc)
    failed, no such entry (-601)
    [2006-05-08 05:27:03 PM] Cache: Error from NDSSetUpClientTable: failed,
    no such entry (-601)
    [2006-05-08 05:27:03 PM] Cache: Successfully set up client table
    [2006-05-08 05:27:03 PM] Cache: Successfully set up context list
    [2006-05-08 05:27:04 PM] NDSSetUpDomainList(testdas1.radius.mc),
    Invalid Proxy Authentication Secret entry found, type = 00000000,
    Skipped, failed, no such entry (-601)
    [2006-05-08 05:27:04 PM] (->)NDSSetUpDomainList(), failed, -826
    (0xfffffcc6)
    [2006-05-08 05:27:04 PM] NDSSetUpDomainList failed. Error: failed,
    -826 (0xfffffcc6)
    [2006-05-08 05:27:04 PM] Cache: Successfully set up search domain list
    [2006-05-08 05:27:04 PM] Cache: Successfully build context list
    [2006-05-08 05:27:04 PM] CACHE: Cache reloaded at [2006-05-08
    05:27:04 PM], current reload count is 4
    [2006-05-08 05:27:04 PM] Cacher: RefreshCache(), succeeded
    [2006-05-08 05:27:04 PM] CACHE: Cache loaded at [2006-05-08 05:26:17
    PM] has been discarded , current reload count is 4
    Suggestions?
    Wayne

    Fixed by updating eDir to 8.7.3.8 and applying ssp201
    Regards,
    Wayne

  • RADIUS SecurID .. works from one iChain, not from the other

    I have two iChain appliances, one running iChain 2.2, the other running
    2.3. Both are configured with a SecurID authentication profile which
    uses a Novell RADIUS server (NetWare 6.5 SP1) to forward tokens to our
    ACE server. This works perfectly from the iChain 2.2 server but not
    from the 2.3 server. Both are configured identically.
    Any idea what could be wrong?

    Are both of your iChain servers using the same RADIUS server? If they are,
    do you see an "access-reject" message on the RADIUS server console when
    users try to authenticate through your iChain 2.3 server? If you do see an
    access-reject message, what is the error code or error message associated
    with the access-reject?
    If you're not getting access-rejects from the RADIUS server, then your
    problem is most likely in your iChain configuration. You'll probably have
    better luck asking in the iChain forum in this case.
    >>> Doug Black<[email protected]> 08/24/04 8:57 AM >>>

  • Authenticating Windows Servers to NMAS RADIUS Server

    I am trying to figure out how to authenticate logins to a Windows Server (W2K & W2003) via NMAS RADIUS Server 3.8. Has anyone done this?
    John

    John,
    It appears that in the past few days you have not received a response to your
    posting. That concerns us, and has triggered this automated reply.
    Has your problem been resolved? If not, you might try one of the following options:
    - Do a search of our knowledgebase at http://support.novell.com/search/kb_index.jsp
    - Check all of the other support tools and options available at
    http://support.novell.com.
    - You could also try posting your message again. Make sure it is posted in the
    correct newsgroup. (http://support.novell.com/forums)
    Be sure to read the forum FAQ about what to expect in the way of responses:
    http://support.novell.com/forums/faq_general.html
    If this is a reply to a duplicate posting, please ignore and accept our apologies
    and rest assured we will issue a stern reprimand to our posting bot.
    Good luck!
    Your Novell Product Support Forums Team
    http://support.novell.com/forums/

  • NMAS and ConsoleOne Objects

    I'm having a bit of a problem with ConsoleOne snapins and RADIUS objects.
    The Radius DAS object appears as unknown on all my systems running
    ConsoleOne 1.3.6d. I have one system running v1.3.6 and the radius objects
    appear fine. All consoleone installations have the same NMAS snapins
    loaded (from the iChain CD). I recall having to copy radius.atr to the
    consoleone/bin directory to get it working the first time but this doesn't
    seem to do the trick on these other workstations.
    Also, almost out of the blue, I don't see my new (RSA) login process
    listed under the login methods of the user object properties anymore. I'm
    not sure what has changed as it's only been about two weeks since I've been
    out to this site. It still works for the users that I previously setup but
    I can't configure new users.
    Does anyone have any thoughts?

    I got the RSA login method to appear again. I had to reinstall the RSA
    NMAS snapin that I downloaded from RSA. Something must have gotten corrupt.
    However, I still can't see the properties of the Radius objects in
    ConsoleOne. The only thing I can find is a potentially bad radius.atr
    file. I've copied this file from a working system to the other systems but
    its still missing something. Snap-ins are sooo much fun.

  • Shell access required for RADIUS authentication?

    Hello all,
    A customer of mine has a fleet of modern Mac laptops, all accessing 3 AFP file servers. Access to those file servers is governed by a Snow Leopard Open Directory Master. Pretty simple.
    I’ve been tasked with introducing RADIUS authentication to the WLAN there. The WAPs are all Airport Extremes, so again the setup is pretty simple.
    But in testing, I see that users can authenticate to the RADIUS WLAN only if I give those user accounts shell access in Open Directory. If a user’s account has a login shell set to None (our previous default), then any RADIUS authentication attempt produces the following log error:
    Auth: [unix] [USERNAME]: invalid shell [/dev/null]
    If I switch that user’s login shell to (for example) /bin/bash, then restart RADIUS, that user authenticates successfully thereafter.
    Is this expected behavior? Is there an alternative to giving everyone shell access?
    Thanks for any info,
    Brandon White
    System Administrator
    www.technico.us

  • Unknown RADIUS client errors

    We are running Novell Netware 6.0 SP4 and eDirectory 8.6.2. We have set up
    iChain 2.3 with the included NMAS and RADIUS services. iChain with NDS
    password authentication works properly. Now we are trying to add token
    authentication, and it is not working. The RADIUS screen keeps showing
    "Access Request Dropped", "<ip address>, <user>, Unknown RADIUS client".
    I have turned on debug mode, refreshed the cache, tried logging in again,
    and checked the debug file. The error I am getting I have not seen
    referenced in previous newsgroup posts. The important section shows this:
    Context Lookup List set to:
    [2004-08-05 09:42:21 AM] 1) DEN.RJL
    [2004-08-05 09:42:21 AM] 2) RJL
    [2004-08-05 09:42:21 AM] Number of contexts = 2
    [2004-08-05 09:42:21 AM] tag extracted: 10.1.1.242, size: 11, tagLength: 22
    [2004-08-05 09:42:21 AM] (->)NDSSetUpClientTable(DAS_RJL.RJL) failed, no
    such entry (-601)
    [2004-08-05 09:42:21 AM] Cache: Error from NDSSetUpClientTable: failed, no
    such entry (-601)
    [2004-08-05 09:42:21 AM] Cache: Successfully set up client table
    It looks like it is not reading the client table properly, but I don't know
    how to fix it. We have recreated the DAS object, removed and re-added the
    client address in the DAS object, etc.
    If anyone has any ideas on what else we can try, I would really appreciate
    it. Thanks.

    You should always administer NMAS from a Windows workstation. Unfortunately
    you can't administer NMAS, and therefore NMAS RADIUS, on any other platform
    right now. The NMAS ConsoleOne snapins make native calls to nmaswrap.dll,
    and this module is only available on Windows.
    You can map a drive to your server from a Windows box and run ConsoleOne
    from the mapped drive to see if this works. However, for best results with
    RADIUS, you will want to install ConsoleOne locally on a Windows box. When
    run over a mapped drive, the RADIUS snapin can take a very long time (5-15
    minutes in my experience) to load the RADIUS attribute file.
    You mentioned that you've been running ConsoleOne from a workstation, so I
    assume that you've tried setting the DAS client information from a Windows
    box already. If you have not tried this yet, then please do so.
    The -601 you're getting from NMAS_GetLoginConfig is interesting.
    Unfortunately this method is implemented in NMAS.NLM, which is maintained by
    a different team, so I'm not sure how much more help I can provide with
    this. However, I do have a few ideas:
    1) When RADIUS calls NMAS_GetLoginConfig, it's asking NMAS to read encrypted
    data that is stored in attributes on the DAS object. If I remember
    correctly, NMAS.NLM cannot go off the box when it does this. Does your
    RADIUS server have a local replica that contains the DAS object? If it does
    not, then this might be your problem.
    2) If putting the DAS in a local replica does not work, then a DS Trace with
    the NMAS and Resolve Name options turned on may provide some insight. (I
    can't remember if NMAS is a DS Trace option in eDir 8.6 - if you don't see
    the NMAS option, then don't worry about it.) Start DSTrace while RADIUS is
    running and issue a "radius refreshcache" command like you did before.
    If neither of the above suggestions is helpful, then tell the support
    engineer you're working with that the -601 error is coming from
    NMAS_GetLoginConfig and which version of NMAS.NLM you have. Please also tell
    the support engineer that you've been working with me (Scott Kiester) on
    this, and that he/she may call me if they have any questions.
    >>> Stephen Taylor<[email protected]> 08/06/04 12:38 PM >>>
    Hi Scott,
    Thank you for the follow-up. Based on suggestions from some of your other
    posts, I had already run ConsoleOne with the debug window, and I did not see
    any errors when I added a DAS client. I ran the SDIDiag utility and went
    through the three recommended steps. There were no errors, and the tree key
    looked the same on all our servers. I did not know about the NMAS log file.
    I followed your directions, and this is all that the log file shows:
    0: Screen and file output started at Fri Aug 6 10:49:53 2004
    GetLoginConfig: -601
    NMAS_GetLoginConfig: -601
    Based on a couple of other posts, I decided to try deleting the DAS object
    and recreating it using ConsoleOne from the NMAS server instead of from a
    workstation. It asks me for the password when creating the object, then
    immediately abends the server and locks up ConsoleOne. This has happened
    three times now, even after reloading the snap-ins. I don't know what to try
    next. We have run dsrepair and it runs cleanly.
    "Scott Kiester" <[email protected]> wrote in message
    news:_uOQc.4698$8%[email protected]...
    > Hi Stephen,
    >
    > Based on the log snippet that you posted, it appears that an NMAS call is
    > failing and returning the -601 error. NMAS RADIUS makes a call to NMAS to
    > obtain the client shared secrets because NMAS will encrypt them before
    > storing them in eDirectory. It looks like your server is able to read the
    > client IP address off of the DAS object, but is unable to obtain the
    > corresponding shared secret from NMAS.
    >
    > I can think of a couple of things that might cause this:
    >
    > 1) Perhaps ConsoleOne is not storing the shared secret. Unfortunately, the
    > ConsoleOne snapin will not report errors it encounters while storing entries
    > in the client table. ConsoleOne must make an NMAS call to store the shared
    > secret, and if this call fails it will not report the error. You can usually
    > tell if this call failed by closing the DAS "Properties" dialog and
    > re-opening it after adding a new entry. If your new entry is not there when
    > the dialog is re-opened, then the call failed.
    >
    > To find out if this call is failing, please start ConsoleOne with the
    > following command line: "consoleone -debug -windowout". This will make
    > ConsoleOne display a debug window in the top-left portion of your screen. If
    > an error occurs when you add a DAS client, you will see an error code and
    > stack dump in this window. If this happens, please post the error code and
    > stack dump.
    >
    > Problems with the tree key are the most common reason for this call to fail.
    > You can resolve tree key issues using the SDIDIAG utility, which is
    > available from the support site.
    >
    > 2) It is unusual to get a -601 ("object not found" - this is _not_ the same
    > as "attribute not found") error when RADIUS attempts to make this NMAS call.
    > RADIUS must set up and log in a new DS context before it calls NMAS here.
    > It's possible that this is where the failure is, but I think it's unlikely.
    > The -601 error is probably coming from the NMAS call. If you determine that
    > ConsoleOne is storing this data properly using the instructions in step 1,
    > then it would be helpful to see a log file from NMAS when this call is made.
    > To get this log file, please do the following:
    >
    > A) Load RADIUS and provide the DAS name and password
    > B) At the server console, type "nmasmon * sys:\etc\nmasmon.log"
    > C) At the server console, type "radius refreshcache"
    > D) At the server console, type "unload nmasmon"
    >
    > This will cause NMAS log information to be written to sys:\etc\nmasmon.log.
    > Please post this file here, or send it to me at [email protected].
    >
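    The "Unknown RADIUS client ... Packet Dropped" lines in the debug logs on this page, and the CacheReadSecretForNASAddress step that precedes them, all come from one lookup: the server finds the shared secret by the NAS's source address. The following is an added example, not code from the newsgroups or from Novell's RADIUS.NLM, that models that lookup and what the secret is then used for. The client table, shared secret, user, password and addresses are constructed for the example; the packet layout, User-Password hiding and Response Authenticator follow RFC 2865.

```python
"""Why an unknown NAS address yields "Packet Dropped" rather than Access-Reject.

Added example for the "Unknown RADIUS client" threads on this page; not code
from the newsgroups or from Novell's RADIUS.NLM. The client table, secret,
user and addresses below are constructed. A request from a source address with
no client entry is silently discarded (RFC 2865 s.3); with an entry, the secret
unhides User-Password (s.5.2) and signs the reply (s.3).
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2

# Constructed client table: plays the role of the DAS object's client list.
CLIENT_TABLE = {"172.22.105.81": b"nas-shared-secret"}
# Constructed user store; PAP only, so a direct compare is all that is needed.
USERS = {b"ppp-user": b"S3cret!"}


def _pad16(data):
    """RFC 2865 s.5.2: pad with NULs to a multiple of 16 octets, at least 16."""
    return data.ljust(max(16, -(-len(data) // 16) * 16), b"\x00")


def encrypt_user_password(password, secret, request_auth):
    """c_i = p_i XOR MD5(secret || c_(i-1)), with c_0 = Request Authenticator."""
    padded, out, prev = _pad16(password), b"", request_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out += prev
    return out


def decrypt_user_password(hidden, secret, request_auth):
    """Inverse of the above; trailing NUL padding is stripped."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(block, key))
        prev = block
    return out.rstrip(b"\x00")


def build_packet(code, ident, authenticator, attrs):
    """Code(1) Identifier(1) Length(2) Authenticator(16), then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Returns (code, ident, authenticator, [(type, value), ...]); strict on lengths."""
    if len(data) < 20:
        raise ValueError("short packet")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length != len(data):
        raise ValueError("length field does not match datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = data[pos], data[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("bad attribute length")
        attrs.append((t, data[pos + 2:pos + l]))
        pos += l
    return code, ident, data[4:20], attrs


def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s.3: MD5(Code || ID || Length || RequestAuth || Attributes || Secret)."""
    return hashlib.md5(build_packet(code, ident, request_auth, attrs) + secret).digest()


def handle_access_request(src_ip, data, clients=CLIENT_TABLE, users=USERS):
    """Returns (status, reply): status is 'dropped', 'accept' or 'reject'."""
    secret = clients.get(src_ip)
    if secret is None:
        # No entry means no secret: the password cannot be unhidden and no reply
        # can be signed, so the datagram is discarded with no response at all.
        return "dropped", None
    code, ident, req_auth, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return "dropped", None
    a = dict(attrs)
    user, hidden = a.get(USER_NAME), a.get(USER_PASSWORD)
    ok = (user in users and hidden is not None and len(hidden) % 16 == 0
          and hmac.compare_digest(decrypt_user_password(hidden, secret, req_auth), users[user]))
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    resp_auth = response_authenticator(code, ident, req_auth, [], secret)
    return ("accept" if ok else "reject"), build_packet(code, ident, resp_auth, [])


def make_access_request(user, password, secret, ident=7):
    """NAS side: hide the password under the NAS's own copy of the shared secret."""
    req_auth = os.urandom(16)
    hidden = encrypt_user_password(password, secret, req_auth)
    return build_packet(ACCESS_REQUEST, ident, req_auth,
                        [(USER_NAME, user), (USER_PASSWORD, hidden)])


if __name__ == "__main__":
    secret = CLIENT_TABLE["172.22.105.81"]
    req = make_access_request(b"ppp-user", b"S3cret!", secret)
    print("known NAS, right secret:", handle_access_request("172.22.105.81", req)[0])
    print("NAS not in client table:", handle_access_request("10.1.1.242", req)[0])
    other = make_access_request(b"ppp-user", b"S3cret!", b"other-secret")
    print("known NAS, wrong secret:", handle_access_request("172.22.105.81", other)[0])
```

    Three outcomes to keep apart when reading the NLM's log: an address with no client entry is dropped with no reply at all (the NTRADPING timeout Wayne describes), a known address whose NAS uses a different secret unhides to garbage and gets an Access-Reject, and a known address with the right secret is judged on the password. Fixing the DAS client list, or the NMAS call that stores its secrets, only addresses the first.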

  • RADIUS and Vendor-Specific attributes

    Hi,
    I'm trying to add a vendor specific attribute (Cisco AV Pair) to BMAS
    (NMAS 3.1.2 on NetWare 6.5 SP6). I can add any generic attribute I
    want, but any of the vendor-specific attributes are not sent back in the
    radius access-accept packet. Is there some configuration change I need
    to make to support vendor specific attributes? They all show up in
    ConsoleOne, I can add them, and they are saved when I hit OK.
    Thanks for any suggestions!
    Greg

    In article <UG2Jm.1195$[email protected]>, Greg Palumbo
    wrote:
    > I read the other two recent threads on this, it does sort of sound like
    > a snapin issue, but those are usually under the 1.2\snapins directory I
    > thought. what about installing a fresh copy of C1 on the C:\ drive from
    > the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
    > files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
    > WinMerge could flag all the changed files easily...
    >
    My latest thinking is that this is related to security. The failing
    attribute contains an encryption of the DAS client password. I'm assuming
    that ConsoleOne relies on some background process to do the encryption, and
    that between SP7 and SP8, it changed. The new attributes are longer than
    the old ones, so the snapin-related issue may simply be that it cannot read
    what was stored.
    I don't know if there is a particular security-related component that can
    be reversed to allow changes to the DAS object, then updated again to put
    things back to SP8.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Radius Install

    Hello,
    I am trying to load BM Authentication Services 3.7 on NetWare 6.5, but whenever it launches the install it gives me the error:
    Fatal error occured check the sys:\nl\data\ni.log file. I looked this up on the KB and it says that you need to downgrade your NICI to 2.6.4 and change the version by running product menu on the cmd line. I can't find NICI 2.6.4, and will it be bad to downgrade from 2.6.7?
    I have one RADIUS server that is working but am trying to make a secondary RADIUS server. I have a BM server that has Authentication Services already installed, and I tried to load the access file and it seemed to connect fine, but on the RADIUS log screen it says
    [2008-06-19 04:34:32 PM] Accounting Request Dropped
    10.1.0.7, user.csb(Edfund-Windows)[List_122], Unknown RADIUS client
    Is there something I need to do for it to know the RADIUS client? In my DAS I have the IP addresses of the VPN and dial-up access servers. How does it know which NetWare server is the RADIUS server? We are using Cisco and Juniper SSL VPN, and in the interface we changed the RADIUS server to this one and it still didn't work.
    I also wonder if I can use LDAP to authenticate my users instead of using a RADIUS server.
    Thank you

    The 3.7 version of radius is BMAS. The 3.8 version of radius is NMAS,
    and the NMAS version needs the later NMAS/NICI patches, I'm pretty
    sure. Backrevving sounds problematical to me.
    Any chance you can get your hands on a copy of BM 3.8? Either an eval
    you had lying around, or the last Small Business Suite that contained
    it? (That would have the free NMAS radius version in it).
    The radius config tells the radius server what devices are allowed to
    query it.
    Craig Johnson
    Novell Support Connection SysOp
    *** For a current patch list, tips, handy files and books on
    BorderManager, go to http://www.craigjconsulting.com ***

  • Unknown Radius client (frustrated!!to say the least)

    I am having unknown RADIUS client issues. I have a NW65 SP2 server and
    installed the NMAS RADIUS from BM3.8; I followed TID 10078616 (how to
    install and configure RADIUS on NMAS). When I use NTRADping it times out;
    the errors on the RADIUS screen are Access Request Dropped and Unknown
    RADIUS client.
    I know there are a number of threads on this, and the only thing I haven't
    done is patch my NMAS? I didn't really see anything pertaining to this issue
    on the download site, and the TID that mentioned patching NMAS from an
    earlier post had been removed from the knowledgebase.
    Here is the debug log with the errors....
    Cacher: Console initiated rebuild of cache
    [2005-01-21 00:13:23 AM] (->)Cacher: NWDSReadObjectInfo
    (DenDAS.RADIUS.Security.TMG), succeeded, time:69
    [2005-01-21 00:13:23 AM] Cacher: Rebuilding cache, mod time different,
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:DAS Version) succeeded, time:96
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Password Policy) failed, no such
    attribute (-603), time:8
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Common Name Resolution) succeeded,
    time:5
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Concurrent Limit) failed, no such
    attribute (-603), time:4
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Interim Accting Timeout) failed, no
    such attribute (-603), time:4
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Aged Interval) failed, no such
    attribute (-603), time:4
    [2005-01-21 00:13:23 AM] (->)NDSReadData:NWDSRead
    (DenDAS.RADIUS.Security.TMG,RADIUS:Maximum History Record) failed, no
    such attribute (-603), time:4
    [2005-01-21 00:13:23 AM] CACHE: Use Netware Password
    for "DenDAS.RADIUS.Security.TMG": Enabled
    [2005-01-21 00:13:23 AM] CACHE: CN Login
    for "DenDAS.RADIUS.Security.TMG": Enabled
    [2005-01-21 00:13:23 AM] CACHE: Concurrent Limit
    for "DenDAS.RADIUS.Security.TMG": 0x80000000
    [2005-01-21 00:13:23 AM] CACHE: Interim Timeout
    for "DenDAS.RADIUS.Security.TMG": 10 minutes
    [2005-01-21 00:13:23 AM] CACHE: Interval For Aging
    for "DenDAS.RADIUS.Security.TMG": 7 days
    [2005-01-21 00:13:23 AM] CACHE: Max History Record
    for "DenDAS.RADIUS.Security.TMG": 30
    [2005-01-21 00:13:23 AM]
    Context Lookup List set to:
    [2005-01-21 00:13:23 AM] 1) Denver.TMG
    [2005-01-21 00:13:23 AM] 2) IT.Denver.TMG
    [2005-01-21 00:13:23 AM] 3) TMG
    [2005-01-21 00:13:23 AM] Number of contexts = 3
    [2005-01-21 00:13:23 AM] tag extracted: 10.1.32.10, size: 11, tagLength:
    22
    [2005-01-21 00:13:23 AM] (->)NDSSetUpClientTable
    (DenDAS.RADIUS.Security.TMG) failed, -1460 (0xfffffa4c)
    [2005-01-21 00:13:23 AM] Cache: Error from NDSSetUpClientTable: failed, -
    1460 (0xfffffa4c)
    [2005-01-21 00:13:23 AM] Cache: Successfully set up client table
    [2005-01-21 00:13:23 AM] (->)NDSSetUpContextList
    (DenDAS.RADIUS.Security.TMG), ProxyContext is empty
    [2005-01-21 00:13:23 AM] Cache: Successfully set up context list
    [2005-01-21 00:13:23 AM] (->)NDSSetUpDomainList
    (DenDAS.RADIUS.Security.TMG), Domain list is empty.
    [2005-01-21 00:13:23 AM] Cache: Successfully set up domain list
    [2005-01-21 00:13:23 AM] Cache: Successfully set up search domain list
    [2005-01-21 00:13:23 AM] Cache: Successfully build context list
    [2005-01-21 00:13:23 AM] CACHE: Cache reloaded at [2005-01-21 00:13:23
    AM], current reload count is 3
    [2005-01-21 00:13:23 AM] Cacher: RefreshCache(), succeeded
    [2005-01-21 00:13:23 AM] CACHE: Cache loaded at [2005-01-21 00:12:47
    AM] has been discarded , current reload count is 3
    [2005-01-21 00:13:37 AM] 13) [(ip) 10.1.32.10:1679], Received 46 Bytes
    (Access-Request (1))
    [2005-01-21 00:13:37 AM] [(total=13) (p=12) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-01-21 00:13:37 AM] <3> Done GetNextMessage [(ip) 10.1.32.10:1679]:
    time:7890707
    [2005-01-21 00:13:37 AM] -------- START : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365263663---
    [2005-01-21 00:13:37 AM] CACHE: CacheDomainListExist
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:37 AM] AuthRequestHandler(), Calling RequestHandler.
    [2005-01-21 00:13:37 AM] CACHE: CacheReadSecretForNASAddress
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:37 AM] HandleLocalRequest(),
    CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet
    Dropped
    [2005-01-21 00:13:37 AM] Deleting
    file "sys:etc\radius\log\20050114.log", failed
    [2005-01-21 00:13:37 AM] -------- END : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365263976---
    [2005-01-21 00:13:41 AM] 14) [(ip) 10.1.32.10:1679], Received 46 Bytes
    (Access-Request (1))
    [2005-01-21 00:13:41 AM] [(total=14) (p=13) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-01-21 00:13:41 AM] <5> Done GetNextMessage [(ip) 10.1.32.10:1679]:
    time:7890449
    [2005-01-21 00:13:41 AM] -------- START : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365298757---
    [2005-01-21 00:13:41 AM] CACHE: CacheDomainListExist
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:41 AM] AuthRequestHandler(), Calling RequestHandler.
    [2005-01-21 00:13:41 AM] CACHE: CacheReadSecretForNASAddress
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:41 AM] HandleLocalRequest(),
    CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet
    Dropped
    [2005-01-21 00:13:41 AM] -------- END : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365298770---
    [2005-01-21 00:13:45 AM] 15) [(ip) 10.1.32.10:1679], Received 46 Bytes
    (Access-Request (1))
    [2005-01-21 00:13:45 AM] [(total=15) (p=14) (d=0) (r=0) (acc=0)
    (rej=0)]
    [2005-01-21 00:13:45 AM] <6> Done GetNextMessage [(ip) 10.1.32.10:1679]:
    time:7261379
    [2005-01-21 00:13:45 AM] -------- START : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365335091---
    [2005-01-21 00:13:45 AM] CACHE: CacheDomainListExist
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:45 AM] AuthRequestHandler(), Calling RequestHandler.
    [2005-01-21 00:13:45 AM] CACHE: CacheReadSecretForNASAddress
    (DenDAS.RADIUS.Security.TMG), using cache
    [2005-01-21 00:13:45 AM] HandleLocalRequest(),
    CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet
    Dropped
    [2005-01-21 00:13:45 AM] -------- END : (Access-Request (1)) [(ip)
    10.1.32.10:1679]: time:365335260---
    [2005-01-21 00:14:35 AM] (->)Cacher: NWDSReadObjectInfo
    (DenDAS.RADIUS.Security.TMG), succeeded, time:110
    [2005-01-21 00:15:46 AM] (->)Cacher: NWDSReadObjectInfo
    (DenDAS.RADIUS.Security.TMG), succeeded, time:40
    [2005-01-21 00:16:58 AM] (->)Cacher: NWDSReadObjectInfo
    (DenDAS.RADIUS.Security.TMG), succeeded, time:401
    any direction would be greatly appreciated.
    Thanks

    Just thought I would give an update on this: it appeared that on my
    NW6.0 server (which holds the Certificate of Authority), when I service
    packed it a while back it didn't install all the files, and so my NICI
    version was 2.0.2. I reran the support pack update and everything
    appears to work in conjunction with RADIUS running on my 6.5 server.
    Thanks for the suggestions though.
    > Patching NMAS will not help. Here's the problem:
    >
    > [2005-01-21 00:13:23 AM] (->)NDSSetUpClientTable
    > (DenDAS.RADIUS.Security.TMG) failed, -1460 (0xfffffa4c)
    > [2005-01-21 00:13:23 AM] Cache: Error from NDSSetUpClientTable: failed, -
    > 1460 (0xfffffa4c)
    >
    > The -1460 error indicates that NICI could not find a copy of your tree key.
    > RADIUS needs the tree key to decrypt the shared secrets for your clients.
    > You can use SDIDIAG (available from the support site) to diagnose and
    > correct tree key problems.
    >
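    The reply above pins the drops on the -1460 tree-key failure rather than on the NAS list, while the "Radius Install" thread earlier shows the same "Unknown RADIUS client" symptom with a NAS that really is unregistered. As an added example, not code from the thread or from Novell, this Python triage script reads a RADIUS debug log in the layout posted above and reports which of the two causes the log supports; the entry layout, the SAMPLE_LOG lines and the field names are assumptions modelled on the posted log.

```python
"""Triage an NMAS/BMAS RADIUS debug log for "Unknown RADIUS client" drops.

Added example: entry layouts are assumed from the log posted in the thread
(one entry per line), not taken from Novell documentation; SAMPLE_LOG is
constructed in that layout.
"""
import re
from collections import Counter

# "13) [(ip) 10.1.32.10:1679], Received 46 Bytes (Access-Request (1))"
RECV_RE = re.compile(r"\[\(ip\) (\d+\.\d+\.\d+\.\d+):\d+\], Received \d+ Bytes")
# "(->)NDSSetUpClientTable (DenDAS.RADIUS.Security.TMG) failed, -1460 (0xfffffa4c)"
CLIENT_TABLE_RE = re.compile(r"NDSSetUpClientTable \(([^)]+)\) failed, -(\d+)")
# "CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped"
DROP_RE = re.compile(r"no such RADIUS client \(-(\d+)\), Packet Dropped")

TREE_KEY_ERROR = 1460   # NICI could not find the tree key (per the thread)
UNKNOWN_CLIENT = 822    # NAS address not in the DAS client table (per the thread)

def triage_log(lines):
    """Collect the client-table error, the DAS object and -822 drops per NAS."""
    result = {"client_table_error": None, "das": None, "drops_by_nas": Counter()}
    last_nas = None
    for line in lines:
        m = CLIENT_TABLE_RE.search(line)
        if m:
            result["das"], result["client_table_error"] = m.group(1), int(m.group(2))
            continue
        m = RECV_RE.search(line)
        if m:
            last_nas = m.group(1)   # the request the following handler lines refer to
            continue
        m = DROP_RE.search(line)
        if m and int(m.group(1)) == UNKNOWN_CLIENT and last_nas:
            result["drops_by_nas"][last_nas] += 1
    return result

def verdict(result):
    # A failed client table makes every later -822 a symptom, not the cause.
    if result["client_table_error"] == TREE_KEY_ERROR:
        return "tree-key"
    return "unregistered-nas" if result["drops_by_nas"] else "ok"

def explain(result):
    v = verdict(result)
    if v == "tree-key":
        return (f"NDSSetUpClientTable on {result['das']} failed with -{TREE_KEY_ERROR}: "
                "NICI has no tree key, so no client secret can be decrypted. "
                "Repair the tree key (SDIDIAG) before editing NAS entries.")
    if v == "unregistered-nas":
        nas = ", ".join(sorted(result["drops_by_nas"]))
        return (f"Client table loaded, but requests from {nas} matched no DAS client: "
                "add the NAS address to the DAS, then 'radius refreshcache'.")
    return "No dropped requests found."

# Constructed sample: a tree-key failure at cache rebuild, then two
# Access-Requests from the same NAS dropped as "no such RADIUS client".
SAMPLE_LOG = [
    "[2005-01-21 00:13:23 AM] (->)NDSSetUpClientTable (DenDAS.RADIUS.Security.TMG) failed, -1460 (0xfffffa4c)",
    "[2005-01-21 00:13:23 AM] Cache: Successfully set up client table",
    "[2005-01-21 00:13:37 AM] 13) [(ip) 10.1.32.10:1679], Received 46 Bytes (Access-Request (1))",
    "[2005-01-21 00:13:37 AM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped",
    "[2005-01-21 00:13:41 AM] 14) [(ip) 10.1.32.10:1679], Received 46 Bytes (Access-Request (1))",
    "[2005-01-21 00:13:41 AM] HandleLocalRequest(), CacheReadSecretForNASAddress failed, no such RADIUS client (-822), Packet Dropped",
]
```

Running `explain(triage_log(open(path).read().splitlines()))` on a log pulled from the server reports the tree-key case whenever the cache rebuild logged -1460, and only otherwise blames the NAS addresses that were dropped.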
