>If the server is replying with the wrong address on the packets, then
>the NAS would ignore them and retry sending them, hoping to get a
>response. You're using the wrong address. Really.
>
> - chad
>I once had a problem where the route from the NAS (which was on the other
>side of 2 routers) to the radius server was ok, but the route from the
>radius server to the NAS was not.
>This gave the same symptoms - multiple login attempts for each user would
>be logged in radius.log, but nobody (from their point of view) would ever
>get authenticated because the NAS would never receive any replies...
>
>Regards,
>Simon
Neither the first nor the second answer seems to be the solution.
Here is a detailed configuration of how things work for me:
--------------------------------------------------------------------------------
1 - The linux box:
#uname -a
Linux netpc2 2.4.4-4GB #1 Fri May 18 14:11:12 GMT 2001 i686 unknown
#cat /etc/issue
Welcome to SuSE Linux 7.2 (i386) - Kernel \r (\l).
(I would better have used Debian but at the office, I don't choose everything :))
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:E0:4C:60:03:F9
inet addr:160.103.180.140 Bcast:160.103.180.255 Mask:255.255.255.0
inet6 addr: fe80::2e0:4cff:fe60:3f9/10 Scope:Link
inet6 addr: fe80::e0:4c60:3f9/10 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:75665 errors:0 dropped:0 overruns:0 frame:0
TX packets:17608 errors:0 dropped:0 overruns:0 carrier:0
collisions:369 txqueuelen:100
RX bytes:6110654 (5.8 Mb) TX bytes:1701888 (1.6 Mb)
Interrupt:10 Base address:0x7f00
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:242 errors:0 dropped:0 overruns:0 frame:0
TX packets:242 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18215 (17.7 Kb) TX bytes:18215 (17.7 Kb)
--------------------------------------------------------------------------------
2 - The NAS:
It's a cisco 2514.
rtmod180#show version
Cisco Internetwork Operating System Software
IOS (tm) 2500 Software (C2500-D-L), Version 11.2(12), RELEASE SOFTWARE (fc1)
cisco 2500 (68030) processor (revision L) with 2048K/2048K bytes of memory.
(I didn't paste everything as I don't think everything is interesting)
rtmod180#show interfaces
Ethernet0 is up, line protocol is up
Hardware is Lance, address is 0010.7b37.b06c (bia 0010.7b37.b06c)
Internet address is 160.103.180.79/24
(I didn't paste everything as I don't think everything is interesting)
rtmod180#wr t
rtmod180#wr t
aaa accounting exec wait-start radius ###comment about this line and the next one after the paste
aaa accounting network wait-start radius ###
ip route 0.0.0.0 0.0.0.0 160.103.180.99 ###This actually doesn't work but is not
really needed (according to me) because the NAS and the Radiusd are on the same
subnet (and we are trying to log on to the NAS from a machine which is in the same subnet)
radius-server host 160.103.180.140 auth-port 1812 acct-port 1813
radius-server timeout 1
radius-server optional-passwords
radius-server key radmin
(I didn't paste everything as I don't think everything is interesting)
In /freeradius-0.1/doc/cisco, in the part about IOS 11.3 (I'm using IOS 11.2):
Also you might see a lot of "duplicates" in the logfile. That can be
fixed by
aaa accounting network wait radius #cannot set to wait in IOS 11.2
radius-server timeout 3 #this just changes the Acct-Delay-Time value in detail
-------------------------------------------------------------------------------
3 - Executed from the radius server (linux)
netpc2:/opt/freeradius/sbin # ./check-radiusd-config
./check-radiusd-config: line 55: 16866 Killed $sbindir/radiusd -X -p 32768 >startup.log 2>&1
Radius server configuration looks OK.
./startup.log is created but empty.
netpc2:/opt/freeradius/sbin # ./radiusd -A -i 160.103.180.140 -y
radiusd: Starting - reading configuration files ...
At this time, /opt/freeradius/var/log/radius.log contains:
Mon Jul 30 14:44:24 2001 : Info: Listening on IP address *, ports 1812/udp and 1813/udp, with proxy on 1814/udp.
Mon Jul 30 14:44:24 2001 : Info: Ready to process requests.
Now trying a connection on the NAS:
netpc2:/opt/freeradius # telnet rtmod180
Trying 160.103.180.79...
Connected to rtmod180.
Escape character is '^]'.
User Access Verification
Username: userrad
Password:
rtmod180>exit
Connection closed by foreign host.
netpc2:/opt/freeradius #
The file "/opt/freeradius/var/log/radacct/160.103.180.79/detail", where the logs of this
connection are, is attached with this mail.
The only files I changed to configure freeradius are in /opt/freeradius/etc/raddb and
are: clients.conf huntgroups naslist naspasswd users radiusd.conf
If one is needed I can send it.
Thanks for any help
Samuel Maftoul
Mon Jul 30 14:50:51 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Start
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Delay-Time = 0
Client-IP-Address = 160.103.180.79
Timestamp = 996497451
Request-Authenticator = None
Mon Jul 30 14:50:52 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Start
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Delay-Time = 1
Client-IP-Address = 160.103.180.79
Timestamp = 996497452
Request-Authenticator = None
Mon Jul 30 14:50:53 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Start
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Delay-Time = 2
Client-IP-Address = 160.103.180.79
Timestamp = 996497453
Request-Authenticator = None
Mon Jul 30 14:50:54 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Start
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Delay-Time = 3
Client-IP-Address = 160.103.180.79
Timestamp = 996497454
Request-Authenticator = None
Mon Jul 30 14:50:54 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Stop
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Session-Time = 3
Acct-Delay-Time = 0
Client-IP-Address = 160.103.180.79
Timestamp = 996497454
Request-Authenticator = None
Mon Jul 30 14:50:55 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Stop
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Session-Time = 3
Acct-Delay-Time = 1
Client-IP-Address = 160.103.180.79
Timestamp = 996497455
Request-Authenticator = None
Mon Jul 30 14:50:56 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Stop
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Session-Time = 3
Acct-Delay-Time = 2
Client-IP-Address = 160.103.180.79
Timestamp = 996497456
Request-Authenticator = None
Mon Jul 30 14:50:57 2001
NAS-IP-Address = 160.103.180.79
NAS-Port = 2
NAS-Port-Type = Virtual
User-Name = "userrad"
Calling-Station-Id = "160.103.180.140"
Acct-Status-Type = Stop
Acct-Authentic = Local
Service-Type = NAS-Prompt-User
Acct-Session-Id = "00000025"
Acct-Session-Time = 3
Acct-Delay-Time = 3
Client-IP-Address = 160.103.180.79
Timestamp = 996497457
Request-Authenticator = None
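The repeated Start and Stop records above, each with Acct-Delay-Time one higher than the last for the same Acct-Session-Id, are the NAS resending the same accounting event because no Accounting-Response ever reaches it. As an added example that is not part of this thread or of FreeRADIUS itself, here is a small Python parser for the detail-file layout that flags such retransmission runs; the sample input is constructed from the record shape in the attachment, and the record grouping key is my own choice.

```python
from collections import defaultdict

# Constructed sample in the FreeRADIUS detail-file layout, modelled on the
# post's records: one Acct-Session-Id, Acct-Delay-Time climbing on each resend.
SAMPLE_DETAIL = """\
Mon Jul 30 14:50:51 2001
\tNAS-IP-Address = 160.103.180.79
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000025"
\tAcct-Delay-Time = 0

Mon Jul 30 14:50:52 2001
\tNAS-IP-Address = 160.103.180.79
\tAcct-Status-Type = Start
\tAcct-Session-Id = "00000025"
\tAcct-Delay-Time = 1

Mon Jul 30 14:50:54 2001
\tNAS-IP-Address = 160.103.180.79
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "00000025"
\tAcct-Delay-Time = 0
"""

def parse_detail(text):
    """Split a detail file into records: a timestamp line followed by
    'Attribute = Value' lines. Returns one dict per record."""
    records, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if " = " in line:
            key, value = line.split(" = ", 1)
            current[key] = value.strip('"')
        else:
            current = {"_timestamp": line}
            records.append(current)
    return records

def find_retransmits(records):
    """Group records by (NAS, session id, status type). More than one record
    with rising Acct-Delay-Time means the NAS resent the same event because
    it never saw an Accounting-Response, the symptom shown in the post."""
    groups = defaultdict(list)
    for r in records:
        key = (r.get("NAS-IP-Address"), r.get("Acct-Session-Id"), r.get("Acct-Status-Type"))
        groups[key].append(int(r.get("Acct-Delay-Time", 0)))
    return {k: v for k, v in groups.items()
            if len(v) > 1 and v == sorted(v) and v[-1] > v[0]}
```

Run over a real detail file, a non-empty result points at a reply path problem (wrong source address or missing return route) rather than at the users or the shared secret.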