Ascend Archive

Re: (ASCEND) Ascend Access Control RADIUS <--> Kerberos



> > I have the Access Control version of the RADIUS server [...] and I'm
> > trying to get it to authenticate against an AFS-style Kerberos v4 server.
> > [...]

Tim Basher took an interest and asked
> What does radiusd report in the logfile?  You might try running radiusd
> in debug mode (add "-x -x" to the command line) and checking the messages
> in the radius.debug.

I tried this and was not illuminated.  Maybe you can read more from
the debug output than I can.  This is my first bash at radius.

Mon Oct 20 13:37:03 1997: Debugging turned ON, Level 2
Version r1_0Ai7 sun sys5 M_KERB A_KERB TACACS TACACS+ ODBC ACE DEFENDER S/Key ASCEND ASCEND_SECRET BINARY_FILTERS
directory = /etc/raddb
Program = /usr/sbin/radiusd
stat_files: entered
hook_setup(): entered
child_end: entered
child_end: leaving routine
null_void_hook_function(): entered
rad_recv: entered
get_radrequest: entered
gen_valpairs: entered
    User-Name = "crawdad@FNAL.GOV"
    User-Password = "<censored>"
    Service-Type = Outbound
    NAS-IP-Address = 131.225.83.208
    NAS-Port = 1
get_radrequest: Request from 83e153d0 (i-radius-2.fnal.gov[33133]) access, id = 87, len = 74
is_dup_request: entered
list_copy: entered
list_copy: copied 5 items
    User-Id = "crawdad@FNAL.GOV"
    NAS-Identifier = "i-radius-2.fnal.gov"
state_machine: entered: current state = STD::START (0)  event = [254 AUTH_ONLY 0]
state_machine: decision: action = AUTHENTICATE  next_state = STD::COMMONWAIT (1)
call_action: AATV 'AUTHENTICATE', type 0, value 0 and ''
rad_authenticate: entered
null_hook_function(): entered
real_user_find: entered
real_user_find: entered
list_copy: entered
list_copy: copied 1 items
list_copy: entered
list_copy: copied 0 items
Check items:
    Authentication-Type = Realm
Reply items:
call_action: AATV 'REALM', type 0, value 0 and ''
chk_pass: entered
parse_realm: entered
find_auth_type: entered
find_auth_type: type 2, agent 'FNAL.GOV', realm 'FNAL.GOV' and filter ''
    User-Realm = "FNAL.GOV"
parse_realm: name = 'crawdad', realm = 'FNAL.GOV'
find_auth_type: entered
find_auth_type: type 2, agent 'FNAL.GOV', realm 'FNAL.GOV' and filter ''
call_action: AATV 'AKERB', type 2, value 0 and 'FNAL.GOV'
krb_pass: entered
krb_pass: ID = crawdad  Realm = FNAL.GOV
 
record_event: entered
record_event: event [0 'AUTHENTICATE' 'AKERB'  PID = 1259  0 'FNAL.GOV']
state_machine: after action: event = [0 AUTHENTICATE 2 ]
state_machine: decision: action = NULL  next_state = STD::COMMONWAIT (1)
call_action: AATV 'NULL', type 0, value 0 and ''
state_machine: after action: event = [1 NULL 2 ]
state_machine: return from FSM -- nothing to do
krb_pass: principle (crawdad) in realm (FNAL.GOV) has bad pw
child_end: entered
child_end: exit status: FFFFFFFF
state_machine: entered: current state = STD::COMMONWAIT (1)  event = [0 AUTHENTICATE -1]
state_machine: decision: action = REPLY  next_state = STD::HOLD (3)
call_action: AATV 'REPLY', type 1, value 0 and 'FNAL.GOV'
rad_reply: entered
protocol_check: entered
list_copy: entered
list_copy: copied 8 items
send_reply: entered: result = -1
    Reply-Message = "Authentication failure"
    Reply-Message = "Authentication failure"
send_reply: Authentication: 87/0 'crawdad@FNAL.GOV' from i-radius-2.fnal.gov port 1 Authenticate-Only
list_free: entered
list_free: freeing 1 pairs
record_event: entered
record_event: event [1 'REPLY' 'REPLY'  PID = 0  0 'FNAL.GOV']
state_machine: after action: event = [1 REPLY 2 FNAL.GOV]
state_machine: decision: action = NULL  next_state = STD::HOLD (3)
call_action: AATV 'NULL', type 0, value 0 and 'FNAL.GOV'
state_machine: after action: event = [3 NULL 2 FNAL.GOV]
state_machine: return from FSM -- nothing to do
child_end: leaving routine
null_void_hook_function(): entered
null_void_hook_function(): entered
state_machine: entered: current state = STD::HOLD (3)  event = [254 * 6]
state_machine: decision: action = NULL  next_state = END (255)
call_action: AATV 'NULL', type 0, value 0 and ''
state_machine: after action: event = [3 NULL 2 ]
list_free: entered
list_free: freeing 5 pairs
list_free: entered
list_free: freeing 8 pairs
list_free: entered
list_free: freeing 1 pairs
state_machine: return from FSM -- finished with FSM table
null_void_hook_function(): entered
sig_term: entered
defender_kill_child()
odbc_kill_child()
odbc_kill_child()
limit_cleanup(): entered
limit_cleanup(): entered
pool_cleanup: entered


It looks to me like there is no debugging inside the ticket decoding
code.  Even with three "-x" options I didn't get any more details there.

> > Trying MIT-KRB in place of AFS-KRB changes nothing.
> 
> MIT-KRB will definitely fail for a real AFS Kerberos server.  The format of
> the info in a ticket is different and you need a different passwd_to_key()
> function.

I know that; I was just frobbing every available knob.

				Matt Crawford
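
A triage script for a trace like the one in this message, added here as an example; it is not part of the original post or of radiusd. The helper names `unwrap` and `summarize`, the field names, and the reading that the last module called before REPLY produced the verdict are assumptions; the sample lines are constructed from the trace, with one line hard-wrapped at 80 columns the way mail archives often deliver such output.

```python
import re

# Constructed sample: lines taken from the trace, one of them wrapped at 80 columns.
SAMPLE = """\
    User-Name = "crawdad@FNAL.GOV"
call_action: AATV 'AUTHENTICATE', type 0, value 0 and ''
call_action: AATV 'REALM', type 0, value 0 and ''
call_action: AATV 'AKERB', type 2, value 0 and 'FNAL.GOV'
krb_pass: principle (crawdad) in realm (FNAL.GOV) has bad pw
child_end: exit status: FFFFFFFF
state_machine: entered: current state = STD::COMMONWAIT (1)  event = [0 AUTHENTI
CATE -1]
call_action: AATV 'NULL', type 0, value 0 and ''
call_action: AATV 'REPLY', type 1, value 0 and 'FNAL.GOV'
send_reply: entered: result = -1
    Reply-Message = "Authentication failure"
"""

PATTERNS = {  # field name -> regex with one capture group
    "user": r'User-Name = "(.*)"',
    "failure": r"krb_pass: (principle .* has .*)",
    "exit_status": r"child_end: exit status: ([0-9A-Fa-f]+)",
    "result": r"send_reply: entered: result = (-?\d+)",
    "reply": r'Reply-Message = "(.*)"',
}

def unwrap(text, width=80):
    """Heuristic: a line of exactly `width` columns was cut; rejoin it with the next."""
    return re.sub(r"(?m)^(.{%d})\n" % width, r"\1", text).splitlines()

def summarize(text):
    """Reduce a radiusd debug trace to the fields needed to locate a failure."""
    s = {**dict.fromkeys(PATTERNS), "actions": []}
    for line in map(str.strip, unwrap(text)):
        m = re.match(r"call_action: AATV '(\w+)'", line)
        if m and m.group(1) != "NULL":   # skip the NULL actions
            s["actions"].append(m.group(1))
        for name, pattern in PATTERNS.items():
            m = re.match(pattern, line)
            if m:
                s[name] = m.group(1)
    # Assumption: the last module called before REPLY produced the verdict.
    before = s["actions"][:s["actions"].index("REPLY")] if "REPLY" in s["actions"] else []
    s["last_module"] = before[-1] if before else None
    return s
```

On the sample, `summarize(SAMPLE)` names AKERB as the last module before REPLY and carries the `krb_pass` message, which is the only detail the trace gives about why the Kerberos step failed.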