Hello,


I've emailed the list with this same problem in the past. I'll outline it below, with details. Then, further below that, I'll list the most common suggestions I received, and the appropriate information/reply concerning that suggestion.



OK, the goal is: I want to migrate from my existing Cistron setup to Freeradius, for several reasons.


I've mocked up my complete setup in the office, including the NAS (Ascend MAX 6000s), the radius server OS (FreeBSD 4.8), the network (using the exact same hardware, on a completely independent LAN), and the configurations (I've got exact copies of the NAS config, radius config, and everything on the mockup, including IP addresses; *again, on a separate, independent mock network so there are no IP conflicts).


The problem:
Cistron radius works. Call comes in, user/password is sent from NAS to radius, radius replies "OK", call connects.
Freeradius doesn't work. Call comes in, user/password is sent from NAS to radius, radius replies "OK", NAS says "Call terminated" and drops the call.


Basically, the easiest way to describe what appears to be happening is: Radius is authenticating the connection and sends back an Access-Accept packet, but the NAS never seems to get it, or if it is getting it, doesn't honor/understand it. Almost as if a firewall rule allowed everything but was magically blocking the Access-Accept packet from Freeradius (but letting Cistron's through).


The suggestions I received last time I posted:


- Enable VSAs on the MAX.
VSAs have been enabled since I set the ISP up.

- Check firewall rules.
The mockup network has no firewall in place, though the production network does/will.


- Check tcpdump/ethereal and compare attributes/replies
I had already thought of that. Output to/from both versions of radius is nearly identical; both send back the same attributes and the Access-Accept reply.


- Check the FAQ about radius servers with multiple IPs
I have gone through the FAQ a thousand times. This one doesn't apply. My radius server only has one IP. However, I tried the suggestion anyway, with identical results.


- Try out one of the other radius servers available (I'm omitting several of the suggested variants)
I have done some research. Freeradius has the features I am looking for. In looking at the mailing list history, it has a decent userbase with helpful replies. It seems to have the most active development cycle among all the projects I've found. And as the final push, it's based off of Cistron, which I am already familiar with, so it minimizes the learning curve impact.




Any further help or suggestions would be MUCH appreciated. Cistron does the job, but I've got plans to offer new features/services that I will not be able to use Cistron for.



- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
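
The capture comparison mentioned in the post can be taken one step further than reading attributes side by side. The following is an added example, not part of the original post: it diffs the attributes of two Access-Accept packets and recomputes the RFC 2865 Response Authenticator, which a NAS checks against its own shared secret and which cannot be judged by eye in a capture. The function names, sample packets and secrets are constructed for illustration.

```python
import hashlib, hmac, struct

def parse(pkt: bytes) -> dict:
    """Split a RADIUS packet (RFC 2865) into header fields and (type, value) attributes."""
    if len(pkt) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if not 20 <= length <= len(pkt):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or pkt[pos + 1] < 2 or pos + pkt[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        attrs.append((pkt[pos], pkt[pos + 2:pos + pkt[pos + 1]]))
        pos += pkt[pos + 1]
    return {"code": code, "id": ident, "auth": pkt[4:20], "attrs": attrs, "raw": pkt[:length]}

def response_auth_ok(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Check ResponseAuth == MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    p = parse(reply)
    digest = hashlib.md5(p["raw"][:4] + request_auth + p["raw"][20:] + secret).digest()
    return hmac.compare_digest(digest, p["auth"])

def diff_attrs(a: bytes, b: bytes):
    """Return (attributes only in a, attributes only in b, same set but different order)."""
    pa, pb = parse(a)["attrs"], parse(b)["attrs"]
    only_a = [x for x in pa if x not in pb]
    only_b = [x for x in pb if x not in pa]
    return only_a, only_b, (not only_a and not only_b and pa != pb)

def build_accept(ident, request_auth, attrs, secret):
    """Constructed test data: an Access-Accept (code 2) signed with `secret`."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    hdr = struct.pack("!BBH", 2, ident, 20 + len(body))
    return hdr + hashlib.md5(hdr + request_auth + body + secret).digest() + body

# Constructed sample values, not taken from the post.
REQ_AUTH = bytes(range(16))                   # Authenticator of the Access-Request
NAS_SECRET = b"nas-side-secret"               # what the NAS is configured with
SERVICE_TYPE = (6, struct.pack("!I", 2))      # Service-Type = Framed
FRAMED_PROTO = (7, struct.pack("!I", 1))      # Framed-Protocol = PPP
reply_a = build_accept(7, REQ_AUTH, [SERVICE_TYPE, FRAMED_PROTO], NAS_SECRET)
reply_b = build_accept(7, REQ_AUTH, [FRAMED_PROTO, SERVICE_TYPE], b"other-secret")

if __name__ == "__main__":
    for name, pkt in (("reply_a", reply_a), ("reply_b", reply_b)):
        print(name, "authenticator valid:", response_auth_ok(pkt, REQ_AUTH, NAS_SECRET))
    print("diff:", diff_attrs(reply_a, reply_b))
```

To use it on real traffic, feed it the UDP payloads of the Access-Request and both Access-Accept packets from the capture, together with the secret configured on the NAS.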
