
add radius-client in c1


be...@brit.com

Dec 2, 2004, 1:18:37 PM
We will configure the Radius.nlm, so we add a Radius-Client (Client /add) to the
Radius-Object in ConsoleOne. We can enter the values there, but when we reopen
the object this information has not been saved. We tried C1 1.3.6, 1.3.5 and
also NWAdmin, but it is the same everywhere.

Does anybody know how we can resolve this? Thanks.

Beat

Marku...@msg.de

Dec 3, 2004, 4:47:04 AM
The DAS object is damaged. You must delete it and create a new one.

Markus Kell

Scott Kiester

Dec 3, 2004, 11:48:14 AM
There is no need to delete your DAS. If you're running NMAS RADIUS, then
there is most likely a problem with the tree key in your environment.

If you're running NMAS RADIUS (IE: RADIUS from BorderManager 3.8 or iChain),
then you should be using ConsoleOne to do your administration. NWAdmin is
for BMAS 3.5/3.6/3.7 only. As you've seen, clients added with NWAdmin will
not be visible to an NMAS RADIUS server.

Because the DAS client table contains the shared secrets for your RADIUS
clients, this information is encrypted before it is stored in eDirectory.
The eDirectory tree key is used to encrypt this information. The problem you
describe can happen if one or more of the servers in your tree does not have
a valid copy of the tree key. You can use SDIDIAG (available as a free
download from the support site) to diagnose and correct tree key problems.

If SDIDIAG does not report any problems, then it would be helpful to see a
debug trace from ConsoleOne. You can generate the debug trace by running
ConsoleOne with the following command line: "consoleone -debug -windowout".

>>> <Marku...@msg.de> 12/03/04 2:47 AM >>>

be...@brit.com

Dec 15, 2004, 2:22:00 AM
We ran SDIDIAG.
This is the result, but what should we do now?

Beat

SDIDIAG check: error output "Error -708 accessing server"
SDIDiag, Security Domain Infrastructure Diagnostic Utility
Version 2.1 Jun 26 2003
Copyright 2003 Novell, Inc. All rights reserved.

Server IP Addr : 192.168.100.22
User Name (Full DN): admin1.ebm

Password : ************
SDIDIAG> help

SDIDIAG - Check and Synchronize SDI keys.

Check SDI Domain:
CHECK
Check Partition Servers:
CHECK -n <dn>
Synchronize Partiton Servers:
RESYNC -T -n <dn>
Synchronize All Servers in Tree:
RESYNC -T

Switches:
-n <dn> (must be a full DN with the treename.)
Example: .ORG.NOVELL.NOVELL_TREE.
-v Output to console.
> <filename> Redirect output to <filename>
>> <filename> Append output to <filename>

Example: CHECK -n .ORG.NOVELL.NOVELL_TREE. -v >> SYS:TMP\SDICHECK.TXT

SDIDIAG> resync -t

*** [RESYNC Domain - BEGIN] ***
[PASS 1 of 2]
[Looking for All Server Objects]
*** [Find Servers - BEGIN] ***
Found: .COM1.KOMM.EBM.NDS_EBM.
- Checking eDirectory version.
- Good.
Found: .FS4.EBM.NDS_EBM.
- Checking eDirectory version.
- Good.
Found: .PRG1.RES.EBM.NDS_EBM.
- Checking eDirectory version.
- Good.
Found: .PROXY.KOMM.EBM.NDS_EBM.
- Checking eDirectory version.
- May need eDirectory or NICI upgrade.
Found: .ZEN1.ZEN.EBM.NDS_EBM.
- Checking eDirectory version.
- Good.

*** The -u file lists 1 server(s) that that are running
eDirectory versions prior to 87.1 or had errors.
*** [Find Servers - END] ***
Servers Ignored:
(Could not be checked and may need an eDirectory
or NICI upgrade.)
.PROXY.KOMM.EBM.NDS_EBM.
[Processing Server 1 of 4]
Processing Server .ZEN1.ZEN.EBM.NDS_EBM.
Synchronize Server .ZEN1.ZEN.EBM.NDS_EBM. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 2 of 4]
Processing Server .PRG1.RES.EBM.NDS_EBM.
Synchronize Server .PRG1.RES.EBM.NDS_EBM. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 3 of 4]
Processing Server .FS4.EBM.NDS_EBM.
Synchronize Server .FS4.EBM.NDS_EBM. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.
[Processing Server 4 of 4]
Processing Server .COM1.KOMM.EBM.NDS_EBM.
Synchronize Server .COM1.KOMM.EBM.NDS_EBM. ...
- Synchronized.
- Moving keys to domain.
- Processing complete.

[Synchronizing SDI Domain Key Servers]
*** Error -708 accessing server .

*** Error synchronizing Security Domain. (error = -708)
*** The Security Domain is not synchronized becauses of errors.
- Could not complete. (error = -708)
*** Errors occurred during the RESYNC process.
*** [RESYNC Domain - END] ***
Error -708
SDIDIAG>

RADIUS log: error output "no such attribute (-603)"
Context Lookup List set to:
[2004-12-13 01:54:11 PM] 1) EBM
[2004-12-13 01:54:11 PM] Number of contexts = 1
[2004-12-13 01:54:11 PM] (->)NDSSetUpClientTable(ive.ive.ebm) failed,
no such attribute (-603)
[2004-12-13 01:54:11 PM] Cache: Error from NDSSetUpClientTable: failed,
no such attribute (-603)
[2004-12-13 01:54:11 PM] Cache: Successfully set up client table
[2004-12-13 01:54:11 PM] (->)NDSSetUpContextList(ive.ive.ebm),
ProxyContext is empty
[2004-12-13 01:54:11 PM] Cache: Successfully set up context list
[2004-12-13 01:54:11 PM] (->)NDSSetUpDomainList(ive.ive.ebm), Domain
list is empty.
[2004-12-13 01:54:11 PM] Cache: Successfully set up domain list
[2004-12-13 01:54:11 PM] Cache: Successfully set up search domain list
[2004-12-13 01:54:11 PM] Cache: Successfully build context list
[2004-12-13 01:54:11 PM] CACHE: Cache reloaded at [2004-12-13
01:54:11 PM], current reload count is 3
[2004-12-13 01:54:11 PM] Cacher: RefreshCache(), succeeded
[2004-12-13 01:54:11 PM] CACHE: Cache loaded at [2004-12-13 11:32:24
AM] has been discarded , current reload count is 3
[2004-12-13 01:55:11 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:1
[2004-12-13 01:56:10 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:2
[2004-12-13 01:57:10 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:1
[2004-12-13 01:58:10 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:2
[2004-12-13 01:59:09 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:3
[2004-12-13 01:59:28 PM] Cacher: Console initiated rebuild of cache
[2004-12-13 01:59:28 PM] (->)Cacher: NWDSReadObjectInfo(ive.ive.ebm),
succeeded, time:2
[2004-12-13 01:59:28 PM] Cacher: Rebuilding cache, mod time different,

[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:DAS Version) succeeded,
time:3
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Password Policy) failed, no
such attribute (-603), time:3
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Common Name Resolution)
succeeded, time:3
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Concurrent Limit) failed, no
such attribute (-603), time:2
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Interim Accting Timeout)
failed, no such attribute (-603), time:3
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Aged Interval) failed, no
such attribute (-603), time:2
[2004-12-13 01:59:28 PM]
(->)NDSReadData:NWDSRead(ive.ive.ebm,RADIUS:Maximum History Record)
failed, no such attribute (-603), time:3
[2004-12-13 01:59:28 PM] CACHE: Use Netware Password for
"ive.ive.ebm": Enabled
[2004-12-13 01:59:28 PM] CACHE: CN Login for "ive.ive.ebm": Enabled
[2004-12-13 01:59:28 PM] CACHE: Concurrent Limit for "ive.ive.ebm":
0x80000000
[2004-12-13 01:59:28 PM] CACHE: Interim Timeout for "ive.ive.ebm": 10
minutes
[2004-12-13 01:59:28 PM] CACHE: Interval For Aging for "ive.ive.ebm":
7 days
[2004-12-13 01:59:28 PM] CACHE: Max History Record for "ive.ive.ebm":
30
[2004-12-13 01:59:28 PM]
Context Lookup List set to:
[2004-12-13 01:59:28 PM] 1) EBM
[2004-12-13 01:59:28 PM] Number of contexts = 1
[2004-12-13 01:59:28 PM] (->)NDSSetUpClientTable(ive.ive.ebm) failed,
no such attribute (-603)
[2004-12-13 01:59:28 PM] Cache: Error from NDSSetUpClientTable: failed,
no such attribute (-603)
[2004-12-13 01:59:28 PM] Cache: Successfully set up client table
[2004-12-13 01:59:28 PM] (->)NDSSetUpContextList(ive.ive.ebm),
ProxyContext is empty
[2004-12-13 01:59:28 PM] Cache: Successfully set up context list
[2004-12-13 01:59:28 PM] (->)NDSSetUpDomainList(ive.ive.ebm), Domain
list is empty.
[2004-12-13 01:59:28 PM] Cache: Successfully set up domain list
[2004-12-13 01:59:28 PM] Cache: Successfully set up search domain list
[2004-12-13 01:59:28 PM] Cache: Successfully build context list
[2004-12-13 01:59:28 PM] CACHE: Cache reloaded at [2004-12-13
01:59:28 PM], current reload count is 4
[2004-12-13 01:59:28 PM] Cacher: RefreshCache(), succeeded
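
An added example, not part of the original posts and not a Novell tool: a small Python parser that summarizes an SDIDIAG RESYNC transcript and extracts the NDSSetUpClientTable failure codes from a RADIUS log like the ones posted above, rejoining wrapped log lines first. The sample input is abridged from that output, and the function names are hypothetical.

```python
import re

# Sample input abridged from the SDIDIAG and RADIUS output posted in this thread.
SDIDIAG_OUT = """\
Found: .FS4.EBM.NDS_EBM.
- Checking eDirectory version.
- Good.
Found: .PROXY.KOMM.EBM.NDS_EBM.
- Checking eDirectory version.
- May need eDirectory or NICI upgrade.
Synchronize Server .FS4.EBM.NDS_EBM. ...
- Synchronized.
[Synchronizing SDI Domain Key Servers]
*** Error -708 accessing server .
*** Error synchronizing Security Domain. (error = -708)
"""
RADIUS_LOG = """\
[2004-12-13 01:59:28 PM] (->)NDSSetUpClientTable(ive.ive.ebm) failed,
no such attribute (-603)
[2004-12-13 01:59:28 PM] Cache: Successfully set up client table
"""

def parse_resync(text):
    """Summarize a RESYNC transcript (hypothetical helper, not a Novell API)."""
    report = {"synchronized": [], "needs_upgrade": [], "errors": []}
    current = None  # server DN the following "- ..." status lines refer to
    for line in map(str.strip, text.splitlines()):
        m = re.match(r"(?:Found:|Synchronize Server)\s+(\.\S+\.)", line)
        if m:
            current = m.group(1)
        elif line == "- Synchronized." and current:
            report["synchronized"].append(current)
        elif line.startswith("-") and "NICI upgrade" in line and current:
            report["needs_upgrade"].append(current)
        for code in re.findall(r"[Ee]rror(?: =)? (-\d+)", line):
            if int(code) not in report["errors"]:
                report["errors"].append(int(code))
    report["domain_in_sync"] = not report["errors"]
    return report

def client_table_failures(log):
    """Error codes of NDSSetUpClientTable failures, with wrapped lines rejoined."""
    joined = re.sub(r"\n(?!\[)", " ", log)  # lines not starting with '[' continue an entry
    pattern = r"NDSSetUpClientTable\([^)]*\) failed,[^\n]*?\((-\d+)\)"
    return [int(code) for code in re.findall(pattern, joined)]

if __name__ == "__main__":
    print(parse_resync(SDIDIAG_OUT))
    print(client_table_failures(RADIUS_LOG))
```

The RADIUS log reports "Successfully set up client table" right after the failure, so the check keys on the NDSSetUpClientTable line itself rather than on the cache status line.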

Scott Kiester

Dec 20, 2004, 1:28:49 PM
Error -708 is an eDirectory error for "Invalid response." I'm not sure what
this means in the context of SDIDIAG, since I don't know what eDir calls
it's making. I suggest that you run DSRepair and try again. If that does not
work, then you should probably open an incident.

>>> <be...@brit.com> 12/15/2004 12:22 AM >>>

Craig Johnson

Sep 22, 2008, 3:38:32 PM
Still having the issue? I'm trying to catch up on unresolved posts.

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***

Craig Johnson

Sep 24, 2008, 1:55:28 PM
In article <linde907...@no-mx.forums.novell.com>, Linde9070 wrote:
> After upgrade to edir 8.8.3. In the das object the clients are visible
> but when edited it disappears. a new client will also disappear
>
Sounds like an iManager plugin bug - have you checked for updated
plugins? Using iMan 2.6 or 2.7?

linde9070

Sep 29, 2008, 6:06:02 AM

We use the plugin for ConsoleOne because we use the RADIUS from bm38.
Is there a RADIUS plugin for iManager 2.7? I found only the
freeradius plugin.


Craig Johnson

Oct 2, 2008, 1:01:33 AM
I'm trying to remember some odd causes I've seen for things like that,
but I don't have any experience working with NMAS RADIUS and eDir
8.8.3. But it sounds a little like incomplete synchronization from one
server to another.

I wonder if you could look at the DAS objects using DSBROWSE on the
servers, and see if some of the new entries you are adding in
ConsoleOne are showing up on some replicas but not others?

Otherwise, it sounds like a bug.

Craig Johnson
Novell Support Connection SysOp


linde9070

Oct 6, 2008, 4:56:02 AM

It's indeed a BUG. RADIUS is an end-of-life product, so Novell doesn't
fix this problem. Hopefully it's fixed by an update.

But I have "temporarily" fixed it.

- I have installed a temporary server with edir 8.8.2 into the
tree.
- Log on to the temporary server, disconnect from the server and NDS.
- Start ConsoleOne locally.
- Authenticate in ConsoleOne to the NDS.
- Check that the connection is to the temporary server.
- Make your changes and check them.
- Remove the server from the NDS.
- Start RADIUS.

It's not recommended and supported by Novell but it does the job.
I have used edir 8.8.2 because it's in the same edir version. I don't
know what will happen when edir 8.7.9 is used.

I haven't checked dsbrowse yet.

Thanks

Bart

Craig Johnson

Oct 22, 2008, 10:31:15 AM
In article <linde907...@no-mx.forums.novell.com>, Linde9070 wrote:
> - I have installed a temporary server with edir 8.8.2 into the
> tree.
> - Log on to the temporary server, disconnect from the server and NDS.
> - Start ConsoleOne locally.
> - Authenticate in ConsoleOne to the NDS.
> - Check that the connection is to the temporary server.
> - Make your changes and check them.
> - Remove the server from the NDS.
> - Start RADIUS.
>
Interesting workaround!

Craig Johnson
Novell Support Connection SysOp


linde9070

Oct 22, 2008, 1:36:03 PM

It isn't the correct way but it does the job.
