Tim Basher took an interest and asked

> What does radiusd report in the logfile? You might try running radiusd
> in debug mode (add "-x -x" to the command line) and checking the messages
> in the radius.debug.

I tried this and was not illuminated. Maybe you can read more from
the debug output than I can. This is my first bash at radius.

Mon Oct 20 13:37:03 1997: Debugging turned ON, Level 2
Version r1_0Ai7 sun sys5 M_KERB A_KERB TACACS TACACS+ ODBC ACE DEFENDER S/Key ASCEND ASCEND_SECRET BINARY_FILTERS
directory = /etc/raddb
Program = /usr/sbin/radiusd
stat_files: entered
hook_setup(): entered
child_end: entered
child_end: leaving routine
null_void_hook_function(): entered
rad_recv: entered
get_radrequest: entered
gen_valpairs: entered
    User-Name = "crawdad@FNAL.GOV"
    User-Password = "<censored>"
    Service-Type = Outbound
    NAS-IP-Address = 131.225.83.208
    NAS-Port = 1
get_radrequest: Request from 83e153d0 (i-radius-2.fnal.gov[33133]) access, id = 87, len = 74
is_dup_request: entered
list_copy: entered
list_copy: copied 5 items
    User-Id = "crawdad@FNAL.GOV"
    NAS-Identifier = "i-radius-2.fnal.gov"
state_machine: entered: current state = STD::START (0) event = [254 AUTH_ONLY 0 ]
state_machine: decision: action = AUTHENTICATE next_state = STD::COMMONWAIT (1)
call_action: AATV 'AUTHENTICATE', type 0, value 0 and ''
rad_authenticate: entered
null_hook_function(): entered
real_user_find: entered
real_user_find: entered
list_copy: entered
list_copy: copied 1 items
list_copy: entered
list_copy: copied 0 items
Check items:
    Authentication-Type = Realm
Reply items:
call_action: AATV 'REALM', type 0, value 0 and ''
chk_pass: entered
parse_realm: entered
find_auth_type: entered
find_auth_type: type 2, agent 'FNAL.GOV', realm 'FNAL.GOV' and filter ''
    User-Realm = "FNAL.GOV"
parse_realm: name = 'crawdad', realm = 'FNAL.GOV'
find_auth_type: entered
find_auth_type: type 2, agent 'FNAL.GOV', realm 'FNAL.GOV' and filter ''
call_action: AATV 'AKERB', type 2, value 0 and 'FNAL.GOV'
krb_pass: entered
krb_pass: ID = crawdad Realm = FNAL.GOV
record_event: entered
record_event: event [0 'AUTHENTICATE' 'AKERB' PID = 1259 0 'FNAL.GOV']
state_machine: after action: event = [0 AUTHENTICATE 2 ]
state_machine: decision: action = NULL next_state = STD::COMMONWAIT (1)
call_action: AATV 'NULL', type 0, value 0 and ''
state_machine: after action: event = [1 NULL 2 ]
state_machine: return from FSM -- nothing to do
krb_pass: principle (crawdad) in realm (FNAL.GOV) has bad pw
child_end: entered
child_end: exit status: FFFFFFFF
state_machine: entered: current state = STD::COMMONWAIT (1) event = [0 AUTHENTICATE -1]
state_machine: decision: action = REPLY next_state = STD::HOLD (3)
call_action: AATV 'REPLY', type 1, value 0 and 'FNAL.GOV'
rad_reply: entered
protocol_check: entered
list_copy: entered
list_copy: copied 8 items
send_reply: entered: result = -1
    Reply-Message = "Authentication failure"
    Reply-Message = "Authentication failure"
send_reply: Authentication: 87/0 'crawdad@FNAL.GOV' from i-radius-2.fnal.gov port 1 Authenticate-Only
list_free: entered
list_free: freeing 1 pairs
record_event: entered
record_event: event [1 'REPLY' 'REPLY' PID = 0 0 'FNAL.GOV']
state_machine: after action: event = [1 REPLY 2 FNAL.GOV]
state_machine: decision: action = NULL next_state = STD::HOLD (3)
call_action: AATV 'NULL', type 0, value 0 and 'FNAL.GOV'
state_machine: after action: event = [3 NULL 2 FNAL.GOV]
state_machine: return from FSM -- nothing to do
child_end: leaving routine
null_void_hook_function(): entered
null_void_hook_function(): entered
state_machine: entered: current state = STD::HOLD (3) event = [254 * 6]
state_machine: decision: action = NULL next_state = END (255)
call_action: AATV 'NULL', type 0, value 0 and ''
state_machine: after action: event = [3 NULL 2 ]
list_free: entered
list_free: freeing 5 pairs
list_free: entered
list_free: freeing 8 pairs
list_free: entered
list_free: freeing 1 pairs
state_machine: return from FSM -- finished with FSM table
null_void_hook_function(): entered
sig_term: entered
defender_kill_child()
odbc_kill_child()
odbc_kill_child()
limit_cleanup(): entered
limit_cleanup(): entered
pool_cleanup: entered

It looks to me like there is no debugging inside the ticket decoding
code. Even with three "-x" options I didn't get any more details
there.

> > Trying MIT-KRB in place of AFS-KRB changes nothing.
>
> MIT-KRB will definitely fail for a real AFS Kerberos server. The format of
> the info in a ticket is different and you need a different passwd_to_key()
> function.

I know that; I was just frobbing every available knob.

        Matt Crawford

++ Ascend Users Mailing List ++
To unsubscribe: send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd: <<A HREF="http://www.nealis.net/ascend/faq">http://www.nealis.net/ascend/faq</A>>
</PRE>
</BODY>
</HTML>