(no subject)

Gary N. McKinney (gmckinney@megabits.net)
Sun, 06 Oct 1996 03:51:30 -0700

Dan Struthers wrote:
>
> HELP!!!!!!!
>
> I am still having trouble with Radius authentication from 2 ip's. To recap;
> PM1, PM2, DNS and Radius on #1 'C', PM3 and DNS on 2nd 'C'. All running BSD.
>
> PM1 & 2 console log, activity log and authenticate no problem. PM3 console
> log, activity log no problem. PM3 WILL NOT authenticate. 20 - 30 second
> timeout when ID is entered in PM3 before message 'go away'. On 1st 'C''s
> console we get log message saying login failed. If I add an ID and Password
> to PM3 directly, logs in no problem and the PM3 will generate activity log
> for login, off......as it should.
>
> I have checked the following;
>
> -arp
> -put PM3 in hosts, hosts.equiv
> -ping, no prob by name or address
> -put address of PM3 in clients, no go
> -tried radius with -x switch, crashed radius
>
> Have I missed anything? As well, there is a limit to how much I can 'play'
> as this is a live system. Also, the following is the result of dig -x
> 206.47.47.29 from both DNS servers.
>
> From the lgnd.com nameserver;
>
> ; <<>> DiG 2.1 <<>> -x
> ;; res options: init recurs defnam dnsrch
> ;; got answer:
> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
> ;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 1, Addit: 0
> ;; QUESTIONS:
> ;; 29.47.47.206.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWERS:
> 29.47.47.206.in-addr.arpa. 3600 PTR portmaster.lgnd.com.
>
> ;; AUTHORITY RECORDS:
> 47.47.206.IN-ADDR.ARPA. 3600 NS elvis.lgnd.com.
>
> ;; Total query time: 13 msec
> ;; FROM: elvis.lgnd.com to SERVER: default -- 0.0.0.0
> ;; WHEN: Sat Oct 5 12:54:40 1996
> ;; MSG SIZE sent: 43 rcvd: 118
>
> From the radius host (bserv.com, also a nameserver);
>
> ;; QUESTIONS:
> ;; 29.47.47.206.in-addr.arpa, type = ANY, class = IN
>
> ;; ANSWERS:
> 29.47.47.206.in-addr.arpa. 915 PTR portmaster.lgnd.com.
>
> ;; AUTHORITY RECORDS:
> 47.206.IN-ADDR.ARPA. 93708 NS JUPITER.WORLDLINX.COM.
> 47.206.IN-ADDR.ARPA. 93708 NS MARS.WORLDLINX.COM.
> 47.206.IN-ADDR.ARPA. 330616 NS NS1.BELLGLOBAL.COM.
> 47.206.IN-ADDR.ARPA. 330616 NS NS2.BELLGLOBAL.COM.
>
> ;; ADDITIONAL RECORDS:
> JUPITER.WORLDLINX.COM. 27350 A 198.235.216.1
> MARS.WORLDLINX.COM. 75791 A 198.235.216.2
> NS1.BELLGLOBAL.COM. 128119 A 198.235.216.1
> NS2.BELLGLOBAL.COM. 30177 A 198.235.216.2
>
> ;; Sent 1 pkts, answer found in time: 0 msec
> ;; FROM: bserv.com to SERVER: default -- 0.0.0.0
> ;; WHEN: Sat Oct 5 12:42:18 1996
>
> ----------------------------------------------------------
> Dan Struthers
>
> The solution to any problem lies in its proper definition.
> ----------------------------------------------------------

Dan ...

I like your tagline at the bottom of your message ... It says so much
about the problem you are having!

I tried NSLOOKUP ( very handy DNS tool! ) to see if I could resolve your
DNS servers and your portmasters. Interesting thing, I can resolve your
DNS servers and your first two Portmasters but I can not "see" your third
portmaster. I suspect, if you look at your DNS definitions for your
"portmaster.lgnd.com" unit, that they are not set up correctly. I can "see" the first
two portmasters fine so your radius host should have no problem but without
the DNS "working" properly for the "portmaster.lgnd.com" unit the radius will
not be able to verify who that unit is and will not respond for authentication.

results of NSLOOKUP:

> portmaster.lgnd.com
Server: ns1.megabits.net

*** ns1.megabits.net can't find portmaster.lgnd.com: Server failed

> 206.47.47.29
Server: ns1.megabits.net

*** ns1.megabits.net can't find 206.47.47.29: Non-existent host/domain

> elvis.lgnd.com
Server: ns1.megabits.net

Non-authoritative answer:
Name: elvis.lgnd.com
Address: 206.47.47.2

> 206.47.47.2
Server: ns1.megabits.net

Name: lgnd.com
Address: 206.47.47.2

> bserv.com
Server: ns1.megabits.net

Name: bserv.com
Address: 204.101.197.2

> portmaster.lgnd.com
Server: ns1.megabits.net

*** ns1.megabits.net can't find portmaster.lgnd.com: Server failed

> portmaster.bserv.com
Server: ns1.megabits.net

Name: portmaster.bserv.com
Address: 204.101.197.21

> portmaster2.bserv.com
Server: ns1.megabits.net

Name: portmaster2.bserv.com
Address: 204.101.197.23


One other thing ... are you using a router ( or routing software such as gated )
to "inform" the 204.101.197.0 network that there exists a 206.47.47.0 in your domain?
If not then this may be the "root" of the problem as there needs to be some method
for routing between the two networks (even if they exist on the same physical wire) or
one network will not be able to "see" the other network! This would manifest itself as
the inability to communicate from one network to the other.

A quick check would be to log into the 206.47.47.0 network Portmaster and see if you
can "ping" the radius server. If you can then perform a "traceroute" to see what
the route is the system uses to communicate with the radius server ( and don't forget
to "inform" the radius server of the portmaster's IP address and secret password or
all of this is for nought ).

Hope the above gives you some ideas to test and all of the above is doable with the
system "live".

Gary N. McKinney.
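As an added illustration of the failure Gary diagnoses (example code, not part of the original thread or of any RADIUS distribution): a small offline model of a Livingston-style `clients` file whose hostname entries are resolved to IPs when the server loads them. The file layout ("name-or-IP  secret" per line) and the resolver dictionary are assumptions constructed for the example; the third portmaster's name is deliberately left unresolvable, as the NSLOOKUP session above shows.

```python
# Added example, not from the thread. Models a RADIUS server that maps each
# `clients` entry to an IP at load time and answers only known source IPs.
# Assumed file format: "name-or-IP  secret" per line, '#' starts a comment.
# DNS is replaced by an injected dict so the example runs offline.
import ipaddress

# Constructed sample: forward records for the two bserv.com portmasters only;
# portmaster.lgnd.com is missing, as NSLOOKUP reported "Server failed".
FORWARD = {
    "portmaster.bserv.com": "204.101.197.21",
    "portmaster2.bserv.com": "204.101.197.23",
}
CLIENTS_FILE = """\
# name or IP          shared secret (constructed values)
portmaster.bserv.com  secret-pm1
portmaster2.bserv.com secret-pm2
portmaster.lgnd.com   secret-pm3
"""

def parse_clients(text):
    """Return (name, secret) pairs from a clients file, skipping comments."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            raise ValueError(f"malformed clients line: {line!r}")
        entries.append((parts[0], parts[1]))
    return entries

def load_clients(text, forward=FORWARD):
    """Map client IP -> secret; also return names that failed to resolve."""
    by_ip, unresolved = {}, []
    for name, secret in parse_clients(text):
        try:
            ip = str(ipaddress.ip_address(name))   # literal IP entry
        except ValueError:
            ip = forward.get(name)                  # hostname entry needs DNS
        if ip is None:
            unresolved.append(name)                 # server cannot identify it
            continue
        by_ip[ip] = secret
    return by_ip, unresolved

def lookup_nas(src_ip, text=CLIENTS_FILE, forward=FORWARD):
    """Secret the server would use for a request from src_ip, or None."""
    by_ip, _ = load_clients(text, forward)
    return by_ip.get(str(ipaddress.ip_address(src_ip)))
```

In this model a request from 206.47.47.29 finds no entry and gets no reply, which is the timeout Dan sees; adding the literal IP makes the entry load without DNS, and if that still fails the routing check Gary suggests is the next thing to test.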