We have been trying to implement the MCI (WorldCom) PAL dialer for
remote users. Their RADIUS servers act as a proxy to ours so we can
validate the user from our NDS tree. We have internal VPN and RAS boxes
(Cisco 3030 VPN and Cisco 5300) which use CHAP and PAP respectively.
Both of these boxes function properly.

Where we run into issues is with the RADIUS connection to MCI. We are
able to connect from time to time, but often it fails. Below are
captures from their testing software and the results. The first test
shows a successful connection when the proxy signature is returned the
same as the sent one.

In the second example, the proxy signature differs between the sent and
received, causing the RADIUS proxy to fail the connection with a "bad
secret" message.

We have tried this with both PAP (NDS passwords) and CHAP (Dial Access
Password) and in both cases we have had the same results. It appears
the issue is with attribute 33, Proxy-State.

We use BM3.6 with RADIUS.NLM version 3.24, NW 5.1. I have tried
RADIUS.NLM from BM3.7 version 3.70 and this has also failed.

Any ideas would be great.

David Lowry
david.lowry (at) bpb-na.com

---------------------------------------------------------------------
TEST #1


Running ping-radius (CHAP)...
Access-Request packet: code=1, identifier 1, length 156
auth: 6A DE 67 B7 81 6D E9 0B 35 08 49 E4 7A

attr: type User-Name [1], len 22 name = "xxxxx@yyy.org"
attr: type Challenge-Response [3], len 19
data = 03 13 00 1A 12 54 B3 C3 2A DA B4 1A 1F BD
attr: type NAS-Identifier [4], len 6 NAS ID = 153.39.242.113:0
attr: type NAS-Port [5], len 6 NAS PORT = 500
attr: type Proxy-State [33], len 83
Proxy signature: 00 00 00 00 00 00 00 00 saved auth: 6A DE 67 B7 81 6D
E9
F7 B3 F4 0B 35 08 49 E4 7A client: 153.39.242.113:0, server:
209.167.134.224:1645 server_pool_id: 0 nas port: 0 (md5_cached: 0,
md5_valid: 1) md5: [not yet computed] need_uname: 0

Access-Accept packet: code=2, identifier 1, length 127
auth: F9 BA 52 B5 8F CF B5 ED 50 A7 28 BA 07

attr: type Framed-Protocol [7], len 6
data = 00 00 00 01
attr: type Ascend-Assign-IP-Pool [218], len 6
data = 00 00 00 00
attr: type Ascend-Idle-Limit [244], len 6
data = 00 00 02 58
attr: type User-Service [6], len 6 service_type = 2
attr: type Proxy-State [33], len 83
Proxy signature: 00 00 00 00 00 00 00 00 saved auth: 6A DE 67 B7 81 6D
E9
F7 B3 F4 0B 35 08 49 E4 7A client: 153.39.242.113:0, server:
209.167.134.224:1645 server_pool_id: 0 nas port: 0 (md5_cached: 1,
md5_valid: 1) md5: BC AE 81 5B 5D 36 1B A9 B5 96 11 9E DD
need_uname: 0


---------------------------------------------------------------------
Preliminary test is passed

---------------------------------------------------------------------

TEST #2


Running ping-radius (CHAP)...
Access-Request packet: code=1, identifier 1, length 156
auth: EE 8C C9 20 37 7F 73 8C 72 55 86 27 36

attr: type User-Name [1], len 22 name = "xxxxxx@yyy.org"
attr: type Challenge-Response [3], len 19
data = 03 13 00 17 A5 15 01 40 24 4F 94 E8 5E D2
attr: type NAS-Identifier [4], len 6 NAS ID = 153.39.242.113:0
attr: type NAS-Port [5], len 6 NAS PORT = 500
attr: type Proxy-State [33], len 83
Proxy signature: 00 00 00 00 00 00 00 00 saved auth: EE 8C C9 20 37 7F
9C
19 56 73 8C 72 55 86 27 36 client: 153.39.242.113:0, server:
209.167.134.224:1645 server_pool_id: 0 nas port: 0 (md5_cached: 0,
md5_valid: 1) md5: [not yet computed] need_uname: 0

Access-Accept packet: code=2, identifier 1, length 127
auth: F9 BA 52 B5 8F CF B5 ED 50 A7 28 BA 07

attr: type Framed-Protocol [7], len 6
data = 00 00 00 01
attr: type Ascend-Assign-IP-Pool [218], len 6
data = 00 00 00 00
attr: type Ascend-Idle-Limit [244], len 6
data = 00 00 02 58
attr: type User-Service [6], len 6 service_type = 2
attr: type Proxy-State [33], len 83
Proxy signature: 00 00 00 00 00 00 00 00 saved auth: 6A DE 67 B7 81 6D
E9
F7 B3 F4 0B 35 08 49 E4 7A client: 153.39.242.113:0, server:
209.167.134.224:1645 server_pool_id: 0 nas port: 0 (md5_cached: 1,
md5_valid: 1) md5: BC AE 81 5B 99 48 1B A9 B5 96 11 9E DD
need_uname: 0


---------------------------------------------------------------------
Bad-Authenticator Returned: Please verify shared secret

-------------------------------------------------------------------------
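
Added example, not part of the original post and not MCI's or Novell's code: the two checks RFC 2865 defines for a reply, namely Response Authenticator = MD5(Code + ID + Length + Request Authenticator + Attributes + Secret) and Proxy-State echoed unchanged. It shows that a reply built for a different request fails the authenticator check even when the shared secret is correct. All function names and packet values are constructed for illustration.

```python
import hashlib
import hmac
import struct

PROXY_STATE = 33  # attribute type named in the post

def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value

def parse_attrs(pkt):
    """Return [(type, value)] from a RADIUS packet, rejecting bad lengths."""
    if len(pkt) < 20:
        raise ValueError("short packet")
    (length,) = struct.unpack("!H", pkt[2:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad packet length")
    out, i = [], 20
    while i < length:
        if i + 2 > length or pkt[i + 1] < 2 or i + pkt[i + 1] > length:
            raise ValueError("bad attribute length")
        out.append((pkt[i], pkt[i + 2:i + pkt[i + 1]]))
        i += pkt[i + 1]
    return out

def build_request(ident, req_auth, attrs):
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + req_auth + attrs

def build_reply(code, ident, req_auth, attrs, secret):
    hdr = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hdr + hashlib.md5(hdr + req_auth + attrs + secret).digest() + attrs

def check_reply(request, reply, secret):
    """Validate a reply against the request that is still outstanding."""
    sent = [v for t, v in parse_attrs(request) if t == PROXY_STATE]
    got = [v for t, v in parse_attrs(reply) if t == PROXY_STATE]
    if reply[1] != request[1]:
        return "identifier mismatch"
    length = struct.unpack("!H", reply[2:4])[0]
    want = hashlib.md5(reply[:4] + request[4:20] + reply[20:length] + secret).digest()
    if not hmac.compare_digest(want, reply[4:20]):
        return "bad authenticator"
    return "ok" if sent == got else "proxy-state mismatch"

# Constructed sample data (not the values from the capture above).
SECRET = b"constructed-secret"
AUTH1, AUTH2 = bytes(range(16)), bytes(range(16, 32))
STATE1, STATE2 = attr(PROXY_STATE, b"saved:" + AUTH1), attr(PROXY_STATE, b"saved:" + AUTH2)
REQ1 = build_request(1, AUTH1, attr(1, b"user@example.org") + STATE1)
REQ2 = build_request(1, AUTH2, attr(1, b"user@example.org") + STATE2)
REPLY1 = build_reply(2, 1, AUTH1, STATE1, SECRET)
REPLY2_WRONG_STATE = build_reply(2, 1, AUTH2, STATE1, SECRET)  # signed for REQ2, echoes REQ1's state
```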