Thanks for the reply;
I had temporarily removed the DNS entries of the PM3 box to see if it
would authenticate by address only (it doesn't). I have added it back in
now. As for the two "C"'s on the same wire, yes, I have my 204 UNIX box
acting as a router to the 206 net. It works fine, I can ping, telnet etc
between the two nets. I am at my wits end!
>Dan Struthers wrote:
>>
>> HELP!!!!!!!
>>
>> I am still having trouble with Radius authentication from 2 ip's. To recap;
>> PM1, PM2, DNS and Radius on #1 'C', PM3 and DNS on 2nd 'C'. All running BSD.
>>
>> PM1 & 2 console log, activity log and authenticate no problem. PM3 console
>> log, activity log no problem. PM3 WILL NOT authenticate. 20 - 30 second
>> timeout when ID is entered in PM3 before message 'go away'. On 1st 'C''s
>> console we get log message saying login failed. If I add an ID and Password
>> to PM3 directly, logs in no problem and the PM3 will generate activity log
>> for login, off......as it should.
>>
>> I have checked the following;
>>
>> -arp
>> -put PM3 in hosts, hosts.equiv
>> -ping, no prob by name or address
>> -put address of PM3 in clients, no go
>> -tried radius with -x switch, crashed radius
>>
>> Have I missed anything? As well, there is a limit to how much I can 'play'
>> as this is a live system. Also, the following is the result of dig -x
>> 206.47.47.29 from both DNS servers.
>>
>> From the lgnd.com nameserver;
>>
>> ; <<>> DiG 2.1 <<>> -x
>> ;; res options: init recurs defnam dnsrch
>> ;; got answer:
>> ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
>> ;; flags: qr aa rd ra; Ques: 1, Ans: 1, Auth: 1, Addit: 0
>> ;; QUESTIONS:
>> ;; 29.47.47.206.in-addr.arpa, type = ANY, class = IN
>>
>> ;; ANSWERS:
>> 29.47.47.206.in-addr.arpa. 3600 PTR portmaster.lgnd.com.
>>
>> ;; AUTHORITY RECORDS:
>> 47.47.206.IN-ADDR.ARPA. 3600 NS elvis.lgnd.com.
>>
>> ;; Total query time: 13 msec
>> ;; FROM: elvis.lgnd.com to SERVER: default -- 0.0.0.0
>> ;; WHEN: Sat Oct 5 12:54:40 1996
>> ;; MSG SIZE sent: 43 rcvd: 118
>>
>> From the radius host (bserv.com, also a nameserver);
>>
>> ;; QUESTIONS:
>> ;; 29.47.47.206.in-addr.arpa, type = ANY, class = IN
>>
>> ;; ANSWERS:
>> 29.47.47.206.in-addr.arpa. 915 PTR portmaster.lgnd.com.
>>
>> ;; AUTHORITY RECORDS:
>> 47.206.IN-ADDR.ARPA. 93708 NS JUPITER.WORLDLINX.COM.
>> 47.206.IN-ADDR.ARPA. 93708 NS MARS.WORLDLINX.COM.
>> 47.206.IN-ADDR.ARPA. 330616 NS NS1.BELLGLOBAL.COM.
>> 47.206.IN-ADDR.ARPA. 330616 NS NS2.BELLGLOBAL.COM.
>>
>> ;; ADDITIONAL RECORDS:
>> JUPITER.WORLDLINX.COM. 27350 A 198.235.216.1
>> MARS.WORLDLINX.COM. 75791 A 198.235.216.2
>> NS1.BELLGLOBAL.COM. 128119 A 198.235.216.1
>> NS2.BELLGLOBAL.COM. 30177 A 198.235.216.2
>>
>> ;; Sent 1 pkts, answer found in time: 0 msec
>> ;; FROM: bserv.com to SERVER: default -- 0.0.0.0
>> ;; WHEN: Sat Oct 5 12:42:18 1996
>>
>> ----------------------------------------------------------
>> Dan Struthers
>>
>> The solution to any problem lies in its proper definition.
>> ----------------------------------------------------------
>
> Dan ...
>
>I like your tagline at the bottom of your message ... It says so much
>about the problem you are having!
>
>I tried NSLOOKUP ( very handy DNS tool! ) to see if I could resolve your
>DNS servers and your portmasters. Interesting thing, I can resolve your
>DNS servers and your first two Portmasters but I can not "see" your third
>portmaster. I suspect, if you look, that your DNS definitions for your
>"portmaster.lgnd.com" unit are not set up correctly. I can "see" the first
>two portmasters fine so your radius host should have no problem but without
>the DNS "working" properly for the "portmaster.lgnd.com" unit the radius will
>not be able to verify who that unit is and will not respond for authentication.
>
>results of NSLOOKUP:
>
> portmaster.lgnd.com
>Server: ns1.megabits.net
>
>*** ns1.megabits.net can't find portmaster.lgnd.com: Server failed
>
> 206.47.47.29
>Server: ns1.megabits.net
>
>*** ns1.megabits.net can't find 206.47.47.29: Non-existent host/domain
>
>
> elvis.lgnd.com
>Server: ns1.megabits.net
>
>Non-authoritative answer:
>Name: elvis.lgnd.com
>Address: 206.47.47.2
>
>
> 206.47.47.2
>Server: ns1.megabits.net
>
>Name: lgnd.com
>Address: 206.47.47.2
>
>
> bserv.com
>Server: ns1.megabits.net
>
>Name: bserv.com
>Address: 204.101.197.2
>
>
> portmaster.lgnd.com
>Server: ns1.megabits.net
>
>*** ns1.megabits.net can't find portmaster.lgnd.com: Server failed
>
>
> portmaster.bserv.com
>Server: ns1.megabits.net
>
>Name: portmaster.bserv.com
>Address: 204.101.197.21
>
>
> portmaster2.bserv.com
>Server: ns1.megabits.net
>
>Name: portmaster2.bserv.com
>Address: 204.101.197.23
>
>
>One other thing ... are you using a router (or routing software such as gated)
>to "inform" the 204.101.197.0 network that there exists a 206.47.47.0 in your domain?
>If not then this may be the "root" of the problem as there needs to be some method
>for routing between the two networks (even if they exist on the same physical wire) or
>one network will not be able to "see" the other network! This would manifest itself as
>the inability to communicate from one network to the other.
>
>A quick check would be to log into the 206.47.47.0 network Portmaster and see if you
>can "ping" the radius server. If you can then perform a "traceroute" to see what
>the route is the system uses to communicate with the radius server (and don't forget
>to "inform" the radius server of the portmaster's IP address and secret password or
>all of this is for nought).
>
>Hope the above gives you some ideas to test and all of the above is doable with the
>system "live".
>
>Gary N. McKinney.
>
>
----------------------------------------------------------
Dan Struthers
The solution to any problem lies in its proper definition.
----------------------------------------------------------
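
Added example, not part of either message above: a forward/reverse DNS consistency check for the NAS entries a RADIUS server is expected to recognise, which is the condition Gary's reply points at. The lookup tables are constructed to resemble the dig and nslookup output quoted in the thread (the PTR names for the 204.101.197.x units and the address 206.47.47.30 are assumptions); with no resolver arguments the function queries the system resolver instead.

```python
import ipaddress
import socket

def _forward(name):
    """Name -> set of IPv4 addresses; empty set if the lookup fails."""
    try:
        return set(socket.gethostbyname_ex(name)[2])
    except OSError:
        return set()

def _reverse(addr):
    """Address -> PTR name; None if the lookup fails."""
    try:
        return socket.gethostbyaddr(addr)[0]
    except OSError:
        return None

def check_client(entry, forward=_forward, reverse=_reverse):
    """Classify one NAS entry (hostname or dotted address) by DNS consistency."""
    try:
        ipaddress.ip_address(entry)
        addrs = {entry}
    except ValueError:
        addrs = forward(entry)
        if not addrs:
            return "no-forward"         # the name itself does not resolve
    for addr in sorted(addrs):
        ptr = reverse(addr)
        if ptr is None:
            return "no-reverse"         # source address cannot be named
        if addr not in forward(ptr):
            return "ptr-not-confirmed"  # PTR name does not map back to addr
    return "ok"

# Constructed tables standing in for one resolver's view (not live data):
# a PTR exists for 206.47.47.29, but its name has no forward record.
A = {"portmaster.bserv.com": {"204.101.197.21"},
     "portmaster2.bserv.com": {"204.101.197.23"}}
PTR = {"204.101.197.21": "portmaster.bserv.com",
       "204.101.197.23": "portmaster2.bserv.com",
       "206.47.47.29": "portmaster.lgnd.com"}

def demo():
    entries = ["portmaster.bserv.com", "portmaster2.bserv.com",
               "portmaster.lgnd.com", "206.47.47.29", "206.47.47.30"]
    return {e: check_client(e, lambda n: A.get(n, set()), PTR.get)
            for e in entries}

if __name__ == "__main__":
    for entry, verdict in demo().items():
        print(f"{entry:24} {verdict}")
```

Run it on the RADIUS host itself, since the thread shows different name servers returning different answers for the same query.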