Strange IAS Radius Issue



  • I’ve got a 5GT that I’ve configured to allow NSR clients to use XAuth to authenticate.  I’ve configured it to talk to a Microsoft 2003 (really SBS) IAS Radius server per the doco on the Netscreen site.  The Radius server is at 192.168.1.11 (same subnet), and the 5GT can ping it.

    I get the XAuth popup from NSR, but on the Netscreen I get:

    2006-11-16 11:43:23 info IKE<x.x.x.x>: XAuth login expired and was terminated for username <kjs3>at <0.0.0.0>.
    2006-11-16 11:43:15 info IKE<x.x.x.x>: XAuth login was aborted for gateway <mc-vpn>, username <kjs3>, retry: 1.
    2006-11-16 11:43:03 warn Primary 192.168.1.11, backup1 , and backup2  servers failed
    2006-11-16 11:42:51 warn Trying primary server 192.168.1.11
    2006-11-16 11:42:39 info IKE<x.x.x.x>: Received initial contact notification and removed Phase 1 SAs.
    2006-11-16 11:42:39 info IKE <x.x.x.x>Phase 1: Completed Aggressive mode negotiations with a <28800>-second lifetime.
    2006-11-16 11:42:39 info IKE <x.x.x.x>Phase 1: Completed for user vpn@foo.com.
    2006-11-16 11:42:39 info IKE<x.x.x.x>: Received initial contact notification and removed Phase 2 SAs.
    2006-11-16 11:42:39 info IKE<x.x.x.x>: Received a notification message for DOI <1> <24578> <notify_initial_contact>.
    2006-11-16 11:42:39 info IKE<x.x.x.x>: Received a notification message for DOI <1> <24577> <notify_replay_status>.
    2006-11-16 11:42:39 info IKE <x.x.x.x>Phase 1: IKE responder has detected NAT in front of the remote device.
    2006-11-16 11:42:39 info IKE <x.x.x.x>Phase 1: Responder starts AGGRESSIVE mode negotiations.

    However, on the IAS server, I get:

    User kjs3 was granted access.
    Fully-Qualified-User-Name = foo.local/MyBusiness/Users/SBSUsers/kjs3
    NAS-IP-Address = 192.168.1.1
    NAS-Identifier = <not present>
    Client-Friendly-Name = mc-fw
    Client-IP-Address = 192.168.1.1
    Calling-Station-Identifier = <not present>
    NAS-Port-Type = Virtual
    NAS-Port = 27
    Proxy-Policy-Name = Use Windows authentication for all users
    Authentication-Provider = Windows
    Authentication-Server = <undetermined>
    Policy-Name = mc-vpn
    Authentication-Type = PAP
    EAP-Type = <undetermined>

    So IAS thinks I’ve authenticated just fine.

    If I do a debug auth radius, I get:

    ns5gt-> get dbuf stream

    12:07:58 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=2, rad_state=1})

    12:07:58 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=2, as_id=2(192.168.1.11:1645), rt=0, rt1=0, rt2=0})

    12:07:58 : get_auth_radius_clnt_session_id: entered

    12:07:58 : >>> rad_send_auth_l2tp(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=30)

    12:07:58 : >>> rad_send(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:07:58 : <<< rad_send() = 1

    12:07:58 : <<< rad_send_auth_l2tp() = 1

    12:07:58 : <<< radius_initiate_authentication() = 1

    12:07:58 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=2}) = 1

    12:08:02 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=1})

    12:08:02 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=3, as_id=2(192.168.1.11:1645), rt=1, rt1=0, rt2=0})

    12:08:02 : get_auth_radius_clnt_session_id: entered

    12:08:02 : >>> rad_send_auth_l2tp(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=31)

    12:08:02 : >>> rad_send(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:08:02 : <<< rad_send() = 1

    12:08:02 : <<< rad_send_auth_l2tp() = 1

    12:08:02 : <<< radius_initiate_authentication() = 1

    12:08:02 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=2}) = 1

    12:08:06 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=1})

    12:08:06 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=3, as_id=2(192.168.1.11:1645), rt=2, rt1=0, rt2=0})

    12:08:06 : get_auth_radius_clnt_session_id: entered

    12:08:06 : >>> rad_send_auth_l2tp(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=32)

    –- more —

    12:08:06 : >>> rad_send(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:08:06 : <<< rad_send() = 1

    12:08:06 : <<< rad_send_auth_l2tp() = 1

    12:08:06 : <<< radius_initiate_authentication() = 1

    12:08:06 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=2}) = 1

    12:08:10 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=1})

    12:08:10 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=3, as_id=2(192.168.1.11:1645), rt=3, rt1=0, rt2=0})

    12:08:10 : get_auth_radius_clnt_session_id: entered

    12:08:10 : >>> rad_send_auth_l2tp(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=33)

    12:08:10 : >>> rad_send(soc=69, ip=192.168.1.11, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:08:10 : <<< rad_send() = 1

    12:08:10 : <<< rad_send_auth_l2tp() = 1

    12:08:10 : <<< radius_initiate_authentication() = 1

    12:08:10 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=2}) = 1

    12:08:14 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=1})

    12:08:14 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=3, as_id=2(0.0.0.0:1645), rt=3, rt1=1, rt2=0})

    12:08:14 : get_auth_radius_clnt_session_id: entered

    12:08:14 : >>> rad_send_auth_l2tp(soc=69, ip=0.0.0.0, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=34)

    12:08:14 : >>> rad_send(soc=69, ip=0.0.0.0, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:08:14 : <<< rad_send() = 0

    12:08:14 : <<< rad_send_auth_l2tp() = 0

    12:08:14 : <<< radius_initiate_authentication() = 0

    — more —

    12:08:14 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=9}) = 0

    12:08:14 : >>> radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=1})

    12:08:14 : >>> radius_initiate_authentication(aq_ent={un=‘kjs3’, fl=3, as_id=2(0.0.0.0:1645), rt=3, rt1=3, rt2=1})

    12:08:14 : get_auth_radius_clnt_session_id: entered

    12:08:14 : >>> rad_send_auth_l2tp(soc=69, ip=0.0.0.0, port=1645, vsys=0x033f52d0, id=5, un=‘kjs3’, ss=‘X’, sid=‘NS-00000005’, phy_port=35)

    12:08:14 : >>> rad_send(soc=69, ip=0.0.0.0, port=1645, vsys=0x033f52d0, pac=0x07567d60, len=83)

    12:08:14 : <<< rad_send() = 0

    12:08:14 : <<< rad_send_auth_l2tp() = 0

    12:08:14 : <<< radius_initiate_authentication() = 0

    12:08:14 : <<< radius_send(aq_ent=0x010ce0e0{soc=69, flag=3, rad_state=9}) = 0

    ns5gt->

    Anyone seen this?



  • Still no solution to this one? Guess I’ll keep the old, slow, limited PIX in place, since it actually can use RADIUS to auth.



  • I also have the same problem;

    User … belongs to a different group in the RADIUS server than that allowed in the device.

    I’ve upgraded the SSG140 to 6.2.0r3.0.
    Done all the checks mentioned in earlier postings.
    It’s very frustrating  :-D.

    Any help would be appreciated.

    Thanks, Ray



  • Hi

    Has anyone got a fix for this?  I have an SSG-350 with ver 6.0 and am getting the following error only when the primary RADIUS (MS 2003 IAS) server is unavailable.  There is a backup IP entered in the Auth Servers settings that points to an identical IAS server.

    “User username belongs to a different group in the RADIUS server than that allowed in the device.”

    Both IAS servers show as Access granted in the logs, yet the backup server displays the above message in the Juniper logs and does not allow the user access, just pops up another login box to enter credentials.

    Thanks


  • Engineer

    Have you tried 5.3.0r8, or whatever is the latest on 5.3.0?  I seem to recall this as a known issue on 5.3.0r4.



  • I am experiencing the same exact problem with IAS and 5.3.0r4.0  on a netscreen ISG1000.

    Where can I get the 5.4.0r2.0?



  • A ScreenOS upgrade solved the problem. Apparently this is a bug, not a configuration error.



  • I’ve had Juniper on the case for sometime now, and they thought they had found the solution, but it didn’t work for me.  I’m also running 6 now…still no change, they’re trying though.



  • We had the same issue using xauth and IAS.

    Upgraded from 5.4.0r3 to 5.4.0r2.0 and this fixed it.

    Evan



  • Elfinity,
      I thought that the server would give the ip too.
    However I did a “debug ike detail” and “debug auth radius”, and from what I could see in the dbuf stream (“get dbuf stream”), if the server does not provide an ip address, the netscreen picked one from the ip pool configured in the “xauth default config”

    I am not sure though



  • elfinity,



  • But I thought as soon as you use xauth, all the client settings should come from the external server?



  • I provide ip address from IP Pool that is defined on NetScreen device.



  • Thanks.
    Quick question.
    Do you provide a static ip address or an address from an ip pool?
    And who provides it? The IAS server or the netscreen?
    It seems that the problem is that for some reason after the netscreen receives the AUTH VALID from the IAS, it does not communicate back to the netscreen-remote client.

    Thanks for any suggestions.

    Also the client is behind a NAT, and I have NAT traversal on. And if I xauth against the netscreen with a local user everything works fine.
    I have opened a case with Juniper but no response back yet 😞

    Thanks for any help



  • This is output from debug auth radius from my ssg-5:

    get dbuf stream

    2007-05-08 15:28:54 : >>> radius_send(aq_ent=0x049ce564{soc=78, socipv6=-1, flag=2, rad_state=1})

    2007-05-08 15:28:54 : >>> radius_initiate_authentication(aq_ent={un=‘vladimirh’, fl=2, as_id=1(192.168.0.200) or (::):1645, rt=0, rt1=0, rt2=0, phy_port=15})

    2007-05-08 15:28:54 : get_auth_radius_clnt_session_id: entered

    2007-05-08 15:28:54 : >>> rad_send_auth_xauth_or_l2tp(soc=78, ip=192.168.0.200, ipv6=::, port=1645, vsys=0x029cd960, id=46, un=‘vladimirh’, ss=‘password’, sid=‘NS-0000000f’, phy_port=15, acs_srv_typ 3)

    2007-05-08 15:28:54 : >>> rad_send(soc=78, soc_ipv6=4294967295, ip=192.168.0.200, ipv6=::, port=1645, vsys=0x029cd960, pac=0x026f4a54, len=124)

    2007-05-08 15:28:54 :    rad_send(soc=78, sending to ip=192.168.0.200, port=1645)

    2007-05-08 15:28:54 : <<< rad_send() = 1

    2007-05-08 15:28:54 : <<< rad_send_auth_xauth_or_l2tp() = 1

    2007-05-08 15:28:54 : <<< radius_initiate_authentication() = 1

    2007-05-08 15:28:54 : <<< radius_send(aq_ent=0x049ce564{soc=78, socipv6=-1, flag=3, rad_state=2}) = 1

    2007-05-08 15:28:54 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:54 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:54 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:54 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:54 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:55 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:55 : auth_proto_process: recvd some data on socket 78

    2007-05-08 15:28:55 : >>> rad_parse(packet=0x04d8f010, len=78)

    2007-05-08 15:28:55 : >>> rad_attr_create_raw(sa=0x04d8f024, *bu=3474276)

    <<< rad_attr_create_raw(*bu=14) = rad_attr=0x04963cb4{26, 12, 1a e 0 0 c ffffff98 3 8 5f 4e 53 56 50 4e }

    2007-05-08 15:28:55 : >>> rad_attr_create_raw(sa=0x04d8f032, *bu=14)

    <<< rad_attr_create_raw(*bu=6) = rad_attr=0x04963b94{7, 4, 7 6 0 0 0 1 }

    2007-05-08 15:28:55 : >>> rad_attr_create_raw(sa=0x04d8f038, *bu=6)

    <<< rad_attr_create_raw(*bu=6) = rad_attr=0x04d90054{6, 4, 6 6 0 0 0 2 }

    2007-05-08 15:28:55 : >>> rad_attr_create_raw(sa=0x04d8f03e, *bu=6)

    <<< rad_attr_create_raw(*bu=32) = rad_attr=0x04d90174{25, 30, 19 20 5f 4a 6 ffffff8f 0 0 1 37 0 1 ffffffc0 ffffffa8 0 ffffffc8 1 ffffffc7 ffffff89 ffffffd4 1d 50 ffffffb8 ffffffd0 0 0 0 0 0 0 0 b }

    2007-05-08 15:28:55 : rad_parse() = rad_msg=0x0482676c{code=2, id=46, …}

    2007-05-08 15:28:55 : RadiusRecv: checking j:socket 78, socipv6 -1, sock 78, j:rad_id 46, rad_msg->id 46

    2007-05-08 15:28:55 : RadiusRecv: Breaking for sock 78

    2007-05-08 15:28:55 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-08 15:28:55 : RadiusRecv: data on socket 78 for aq_ent 0x49ce564, state 0x2, curr_active 1

    2007-05-08 15:28:55 : >>> rad_recv_auth(soc=3460480)

    2007-05-08 15:28:55 : rad_attr_store_groups:adding first _NSVPN

    2007-05-08 15:28:55 : <<< rad_recv_auth() = rad_auth_resp=0x053bed90{authed=1 priv=0 id=46}

    2007-05-08 15:28:55 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-08 15:28:55 : radius_recv_auth_resp: RESPONSE AUTH VALID (was a Accept)

    2007-05-08 15:28:55 : group_check_ok: ugx_name _NSVPN, group_item_ptr 0x53af024, username vladimirh

    2007-05-08 15:28:55 : is_rad_group_in: compare _NSVPN with _NSVPN

    2007-05-08 15:28:55 :  MATCHED

    2007-05-08 15:28:55 : group_check_ok: ext group _NSVPN present

    2007-05-08 15:28:55 : radius_recv_auth_resp: auth 0x49ce564, id 46,  GROUP MATCHED have _NSVPN

    2007-05-08 15:28:55 : radius_recv_auth_resp: auth 0x49ce564, id 46,  AUTHENTICATED

    2007-05-08 15:28:55 : rad_groups_free: freeing: next_item_ptr->group_name _NSVPN

    2007-05-08 15:28:55 : >>> RadiusRecv(aq_ent={un=‘vladimirh’, fl=3, as_id=1, rt=0, rt1=0, rt2=0})

    2007-05-08 15:28:55 : <<< RadiusRecv(aq_ent={rad_state=7}) = 1

    2007-05-08 15:28:55 : RadiusRecv: result 1

    2007-05-08 15:28:55 : get_auth_radius_clnt_session_id: entered

    2007-05-08 15:28:55 : >>> radius_send(aq_ent=0x049ce564{soc=78, socipv6=-1, flag=2, rad_state=3})

    2007-05-08 15:28:55 : >>> radius_initiate_accounting_start(aq_ent={un=‘vladimirh’, fl=2, as_id=1, phy_port=15})

    2007-05-08 15:28:55 : get_auth_radius_clnt_session_id: entered

    2007-05-08 15:28:55 : >>> rad_send_acct_msg(soc=78, ip=192.168.0.200, ipv6=::, port=1645, vsys=0x029cd960, id=47, ss=‘password’, sid=‘NS-0000000f’, phy_port=15, status_type 1)

    2007-05-08 15:28:55 : >>> rad_send(soc=78, soc_ipv6=4294967295, ip=192.168.0.200, ipv6=::, port=1646, vsys=0x029cd960, pac=0x026f4a54, len=118)

    2007-05-08 15:28:55 :    rad_send(soc=78, sending to ip=192.168.0.200, port=1646)

    2007-05-08 15:28:55 : <<< rad_send() = 1

    2007-05-08 15:28:55 : <<< rad_send_acct_msg() = 1

    2007-05-08 15:28:55 : <<< radius_initiate_accounting_start() = 1

    2007-05-08 15:28:55 : <<< radius_send(aq_ent=0x049ce564{soc=78, socipv6=-1, flag=3, rad_state=4}) = 1

    2007-05-08 15:28:55 : auth_proto_process: recvd some data on socket 0

    2007-05-08 15:28:55 : auth_proto_process: recvd some data on socket 78

    2007-05-08 15:28:55 : >>> rad_parse(packet=0x04d8f010, len=20)

    2007-05-08 15:28:55 : rad_parse() = rad_msg=0x0482676c{code=5, id=47, …}

    2007-05-08 15:28:55 : RadiusRecv: checking j:socket 78, socipv6 -1, sock 78, j:rad_id 47, rad_msg->id 47

    2007-05-08 15:28:55 : RadiusRecv: Breaking for sock 78

    2007-05-08 15:28:55 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-08 15:28:55 : RadiusRecv: data on socket 78 for aq_ent 0x49ce564, state 0x4, curr_active 1

    2007-05-08 15:28:55 : >>> rad_recv_acct_status(soc=3460480)

    2007-05-08 15:28:55 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-08 15:28:55 : rad_recv_acct_status: RESPONSE AUTH VALID

    2007-05-08 15:28:55 : <<< rad_recv_acct_status() = 1

    2007-05-08 15:28:55 : RadiusRecv: result 2

    gw->

    Authentication is OK, VPN is OK…



  • I am experiencing the same exact problem with SBS IAS and 5.3.0r4.0  on a netscreen 25. Exactly same symptoms.

    I have posted the output from debug auth radius from the netscreen. It seems that everything stops after "RadiusRecv: result 2"
    Does anyone know what result 2 means?

    here is the output from the get dbuf stream

    2007-05-06 19:53:25 : >>> radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=2, rad_state=1})

    2007-05-06 19:53:25 : >>> radius_initiate_authentication(aq_ent={un=‘adolfo’, fl=2, as_id=1(192.168.1.5) or (::):1645

    , rt=0, rt1=0, rt2=0, phy_port=5})

    2007-05-06 19:53:25 : get_auth_radius_clnt_session_id: entered

    2007-05-06 19:53:25 : >>> rad_send_auth_xauth_or_l2tp(soc=265, ip=192.168.1.5, ipv6=::, port=1645, vsys=0x0232f3b0, i

    d=12, un=‘adolfo’, ss=‘B0F55D897F2C27191F87C’, sid=‘NS-00000005’, phy_port=5, acs_srv_typ 0)

    2007-05-06 19:53:25 : >>> rad_send(soc=265, soc_ipv6=4294967295, ip=192.168.1.5, ipv6=::, port=1645, vsys=0x0232f3b0,

    pac=0x06b1e720, len=77)

    2007-05-06 19:53:25 :    rad_send(soc=265, sending to ip=192.168.1.5, port=1645)

    2007-05-06 19:53:25 : <<< rad_send() = 1

    2007-05-06 19:53:25 : <<< rad_send_auth_xauth_or_l2tp() = 1

    2007-05-06 19:53:25 : <<< radius_initiate_authentication() = 1

    2007-05-06 19:53:25 : <<< radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=3, rad_state=2}) = 1

    2007-05-06 19:53:25 : RadiusLDAPRecv: recvd some data on socket 265

    2007-05-06 19:53:25 : >>> rad_parse(packet=0x06b4cf40, len=104)

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf54, *bu=4294967293)

    <<< rad_attr_create_raw(*bu=16) = rad_attr=0x06b05050{26, 14, 1a 10 0 0 c ffffff98 3 a 56 50 4e 55 53 45 52 53 }

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf64, *bu=16)

    <<< rad_attr_create_raw(*bu=12) = rad_attr=0x06b05190{26, 10, 1a c 0 0 c ffffff98 4 6 ffffffc0 ffffffa8 1 5 }

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf70, *bu=12)

    <<< rad_attr_create_raw(*bu=12) = rad_attr=0x06b052d0{26, 10, 1a c 0 0 c ffffff98 6 6 ffffffc0 ffffffa8 1 5 }

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf7c, *bu=12)

    <<< rad_attr_create_raw(*bu=6) = rad_attr=0x06b04f10{7, 4, 7 6 0 0 0 1 }

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf82, *bu=6)

    <<< rad_attr_create_raw(*bu=6) = rad_attr=0x06b1f830{6, 4, 6 6 0 0 0 2 }

    2007-05-06 19:53:25 : >>> rad_attr_create_raw(sa=0x06b4cf88, *bu=6)

    <<< rad_attr_create_raw(*bu=32) = rad_attr=0x06b1f970{25, 30, 19 20 53 c 5 fffffff8 0 0 1 37 0 1 ffffffc0 ffffffa8 1 5 1
    ffffffc7 ffffff8b ffffffa8 ffffffa7 1a ffffffa4 ffffffba 0 0 0 0 0 0 0 36 }

    2007-05-06 19:53:25 : rad_parse() = rad_msg=0x06b220d0{code=2, id=12, …}

    2007-05-06 19:53:25 : RadiusRecv: checking j:socket 265, socipv6 -1, sock 265, j:rad_id 12, rad_msg->id 12

    2007-05-06 19:53:25 : RadiusRecv: Breaking for sock 265

    2007-05-06 19:53:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:53:25 : RadiusRecv: data on socket 265 for aq_ent 0x3c33cf4, state 0x2, curr_active 1

    2007-05-06 19:53:25 : >>> rad_recv_auth(soc=5974492)

    2007-05-06 19:53:25 : rad_attr_store_groups:adding first VPNUSERS

    2007-05-06 19:53:25 : <<< rad_recv_auth() = rad_auth_resp=0x06b1d090{authed=1 priv=0 id=12}

    2007-05-06 19:53:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:53:25 : radius_recv_auth_resp: RESPONSE AUTH VALID (was a Accept)

    2007-05-06 19:53:25 : radius_recv_auth_resp: auth 0x3c33cf4, id 12,  AUTHENTICATED

    2007-05-06 19:53:25 : rad_groups_free: freeing: next_item_ptr->group_name VPNUSERS

    2007-05-06 19:53:25 : >>> RadiusRecv(aq_ent={un=‘adolfo’, fl=3, as_id=1, rt=0, rt1=0, rt2=0})

    2007-05-06 19:53:25 : <<< RadiusRecv(aq_ent={rad_state=7}) = 1

    2007-05-06 19:53:25 : RadiusRecv: result 1

    2007-05-06 19:53:25 : get_auth_radius_clnt_session_id: entered

    2007-05-06 19:53:25 : >>> radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=2, rad_state=3})

    2007-05-06 19:53:25 : >>> radius_initiate_accounting_start(aq_ent={un=‘adolfo’, fl=2, as_id=1, phy_port=5})

    2007-05-06 19:53:25 : get_auth_radius_clnt_session_id: entered

    2007-05-06 19:53:25 : >>> rad_send_acct_msg(soc=265, ip=192.168.1.5, ipv6=::, port=1645, vsys=0x0232f3b0, id=13, ss=’

    B0F55D897F2C27191F87C’, sid=‘NS-00000005’, phy_port=5, status_type 1)

    2007-05-06 19:53:25 : >>> rad_send(soc=265, soc_ipv6=4294967295, ip=192.168.1.5, ipv6=::, port=1646, vsys=0x0232f3b0,

    pac=0x06b08f10, len=83)

    2007-05-06 19:53:25 :    rad_send(soc=265, sending to ip=192.168.1.5, port=1646)

    2007-05-06 19:53:25 : <<< rad_send() = 1

    2007-05-06 19:53:25 : <<< rad_send_acct_msg() = 1

    2007-05-06 19:53:25 : <<< radius_initiate_accounting_start() = 1

    2007-05-06 19:53:25 : <<< radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=3, rad_state=4}) = 1

    2007-05-06 19:53:25 : RadiusLDAPRecv: recvd some data on socket 265

    2007-05-06 19:53:25 : >>> rad_parse(packet=0x06b4cf40, len=20)

    2007-05-06 19:53:25 : rad_parse() = rad_msg=0x06b20c20{code=5, id=13, …}

    2007-05-06 19:53:25 : RadiusRecv: checking j:socket 265, socipv6 -1, sock 265, j:rad_id 13, rad_msg->id 13

    2007-05-06 19:53:25 : RadiusRecv: Breaking for sock 265

    2007-05-06 19:53:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:53:25 : RadiusRecv: data on socket 265 for aq_ent 0x3c33cf4, state 0x4, curr_active 1

    2007-05-06 19:53:25 : >>> rad_recv_acct_status(soc=5974492)

    2007-05-06 19:53:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:53:25 : rad_recv_acct_status: RESPONSE AUTH VALID

    2007-05-06 19:53:25 : <<< rad_recv_acct_status() = 1

    2007-05-06 19:53:25 : RadiusRecv: result 2

    2007-05-06 19:55:25 : >>> radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=2, rad_state=5})

    2007-05-06 19:55:25 : >>> radius_initiate_accounting_stop(aq_ent={un=‘adolfo’, fl=2, as_id=1})

    2007-05-06 19:55:25 : >>> rad_send_acct_msg(soc=265, ip=192.168.1.5, ipv6=::, port=1645, vsys=0x0232f3b0, id=14, ss=’

    B0F55D897F2C27191F87C’, sid=‘NS-00000005’, phy_port=5, status_type 2)

    2007-05-06 19:55:25 : >>> rad_send(soc=265, soc_ipv6=4294967295, ip=192.168.1.5, ipv6=::, port=1646, vsys=0x0232f3b0,

    pac=0x06b08f10, len=83)

    2007-05-06 19:55:25 :    rad_send(soc=265, sending to ip=192.168.1.5, port=1646)

    2007-05-06 19:55:25 : <<< rad_send() = 1

    2007-05-06 19:55:25 : <<< rad_send_acct_msg() = 1

    2007-05-06 19:55:25 : <<< radius_initiate_accounting_stop() = 1

    2007-05-06 19:55:25 : <<< radius_send(aq_ent=0x03c33cf4{soc=265, socipv6=-1, flag=3, rad_state=6}) = 1

    2007-05-06 19:55:25 : RadiusLDAPRecv: recvd some data on socket 265

    2007-05-06 19:55:25 : >>> rad_parse(packet=0x06b06d80, len=20)

    2007-05-06 19:55:25 : rad_parse() = rad_msg=0x06b08380{code=5, id=14, …}

    2007-05-06 19:55:25 : RadiusRecv: checking j:socket 265, socipv6 -1, sock 265, j:rad_id 14, rad_msg->id 14

    2007-05-06 19:55:25 : RadiusRecv: Breaking for sock 265

    2007-05-06 19:55:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:55:25 : RadiusRecv: data on socket 265 for aq_ent 0x3c33cf4, state 0x6, curr_active 1

    2007-05-06 19:55:25 : >>> rad_recv_acct_status(soc=5974492)

    2007-05-06 19:55:25 : is_resp_authenticator_valid: Valid Response authenticator

    2007-05-06 19:55:25 : rad_recv_acct_status: RESPONSE AUTH VALID

    2007-05-06 19:55:25 : <<< rad_recv_acct_status() = 1

    2007-05-06 19:55:25 : RadiusRecv: result 2

    ns25->
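
An added example, not part of the original posts: a small Python decoder for the `rad_attr_create_raw` dumps in the traces above, showing which attributes the IAS server actually returned in its Access-Accept. Vendor ID 3224 is NetScreen and the attribute names follow the NetScreen RADIUS dictionary; the function names are this example's own, and the sample lines are copied from the two traces on this page.

```python
import ipaddress
import re

NETSCREEN_VENDOR_ID = 3224  # 0x00000c98: the "0 0 c ffffff98" bytes in the dumps
STANDARD = {6: "Service-Type", 7: "Framed-Protocol", 25: "Class"}
NETSCREEN = {1: "NS-Admin-Privilege", 2: "NS-VSYS-Name", 3: "NS-User-Group",
             4: "NS-Primary-DNS", 5: "NS-Secondary-DNS",
             6: "NS-Primary-WINS", 7: "NS-Secondary-WINS"}
DUMP_RE = re.compile(r"rad_attr=0x[0-9a-fA-F]+\{(\d+), (\d+), ([0-9a-fA-F ]+)\}")

# Attribute dumps copied from the SSG-5 trace (first line) and the NS-25 trace.
SAMPLE = [
    "rad_attr=0x04963cb4{26, 12, 1a e 0 0 c ffffff98 3 8 5f 4e 53 56 50 4e }",
    "rad_attr=0x06b05050{26, 14, 1a 10 0 0 c ffffff98 3 a 56 50 4e 55 53 45 52 53 }",
    "rad_attr=0x06b05190{26, 10, 1a c 0 0 c ffffff98 4 6 ffffffc0 ffffffa8 1 5 }",
    "rad_attr=0x06b052d0{26, 10, 1a c 0 0 c ffffff98 6 6 ffffffc0 ffffffa8 1 5 }",
    "rad_attr=0x06b04f10{7, 4, 7 6 0 0 0 1 }",
    "rad_attr=0x06b1f830{6, 4, 6 6 0 0 0 2 }",
]

def dump_to_bytes(dump):
    # Bytes >= 0x80 are printed sign-extended (ffffff98), so keep the low 8 bits.
    return bytes(int(tok, 16) & 0xFF for tok in dump.split())

def decode_vsa(value):
    """Decode a Vendor-Specific (type 26) value: vendor id, sub-type, sub-length, data."""
    if len(value) < 6:
        raise ValueError("Vendor-Specific value too short")
    vendor = int.from_bytes(value[:4], "big")
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor sub-attribute length")
    data = value[6:4 + vlen]
    if vendor != NETSCREEN_VENDOR_ID:
        return f"Vendor-{vendor}-Attr-{vtype}", data.hex()
    name = NETSCREEN.get(vtype, f"NS-Attr-{vtype}")
    if vtype in (4, 5, 6, 7) and len(data) == 4:
        return name, str(ipaddress.IPv4Address(data))
    if vtype in (2, 3):
        return name, data.decode("ascii", "replace")
    return name, data.hex()

def decode_line(line):
    """Return (attribute name, value) for one dump line, or None if no dump is present."""
    m = DUMP_RE.search(line)
    if not m:
        return None
    atype, vlen = int(m.group(1)), int(m.group(2))
    raw = dump_to_bytes(m.group(3))
    # The dump repeats the on-the-wire type and length octets; check they agree.
    if len(raw) < 2 or raw[0] != atype or raw[1] != len(raw) or vlen != len(raw) - 2:
        raise ValueError("attribute header does not match dumped bytes")
    value = raw[2:]
    if atype == 26:
        return decode_vsa(value)
    name = STANDARD.get(atype, f"Attr-{atype}")
    if atype in (6, 7) and len(value) == 4:
        return name, int.from_bytes(value, "big")
    return name, value.hex()

def returned_groups(lines):
    """Collect every NS-User-Group value the RADIUS server sent back."""
    decoded = (decode_line(line) for line in lines)
    return [d[1] for d in decoded if d and d[0] == "NS-User-Group"]

if __name__ == "__main__":
    for line in SAMPLE:
        print(decode_line(line))
```

The group names it recovers are the ones the traces log under `rad_attr_store_groups`.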



  • Whatever the latest 5.4.0r3 or whatever was, and recently put the new 6 on to see if it would fix it.



  • Version ScreenOS?



  • Yep, otherwise I get an error on the IAS box stating that there is no stored reversibly encryptable password since that domain option is on.



  • Have you unchecked CHAP in VPNs > AutoKey Advanced > XAuth Settings?

    Note for say-so: IAS != ISA


 
