This is the output from tcpdump between the freeradius server on
tatra.sbs.sk and the Safeword Premier Server on swpa.sbs.sk.
I just don't see any problem there.
tatra:/etc/raddb # tcpdump -i eth1 host swpa
tcpdump: listening on eth1
16:41:07.872156 arp who-has swpa.sbs.sk tell tatra.sbs.sk
16:41:07.872496 arp reply swpa.sbs.sk is-at 8:0:20:81:3d:b3
16:41:07.872509 tatra.sbs.sk.tdp-suite > swpa.sbs.sk.sightline:
rad-access-req 63 [id 1] Attr[ User{robert} NAS_ipaddr{163.242.48.9}
NAS_port{0} [|radius] (DF)
16:41:11.983914 swpa.sbs.sk.sightline > tatra.sbs.sk.tdp-suite:
rad-access-accept 125 [id 1] Attr[ Service_type{Framed} Framed_proto{PPP}
[|radius] (DF)
Could anybody provide me with a functional proxy setup? Especially, I need
information on what to put in other configuration files. I tried to put into
users file:
[EMAIL PROTECTED]
        Service-Type = Login-User,
        Reply-Message = "Hello, %u"
with no success.
Robert Szelepcsényi
Operation Related Services
Siemens Business Services s.r.o.
Stromová 9
830 07 BRATISLAVA
Slovenská republika
* (+421 2) 5968 4914
* (+421 903) 634 844
* [EMAIL PROTECTED]
-----Original Message-----
From: Batman [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: radius server hangs after a correct login authenticated through
proxy
I would check on the accounting. You have it set as port 1813, whereas it
would usually be 1646 on a system with authentication at port 1645.
If you have access to swpa.sbs.sk, try running radiusd in the foreground
(radiusd -X) and watch what it tells you when you send the request.
All The Best,
Brian Andrus
Millenia Internet Services, Inc.
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Szelepcsenyi Robert
Sent: Friday, May 07, 2004 7:09 AM
To: [EMAIL PROTECTED]
Subject: radius server hangs after a correct login authenticated through
proxy
I need to set up a Freeradius server proxying certain requests to another
radius server (Safeword Premier Access) in order to authenticate users with
tokens. All other users are to be authenticated locally.
My problem is: If I supply a correct password, the thread serving the
request gets into an infinite loop eating almost 100% of CPU time. Bad
passwords are rejected correctly.
The only thing I have configured (besides shared secrets) is that I defined
"myrealm" in proxy.conf file:
realm myrealm {
        type = radius
        authhost = swpa.sbs.sk:1645
        accthost = swpa.sbs.sk:1813
        secret = mysecret
}
When I try to log into the router as [EMAIL PROTECTED] supplying an incorrect
password, the request is successfully refused. However, when I supply a
correct password, the thread serving the request receives an Access-Accept
packet from the home server, but following that it gets into an infinite
loop and fails to send any response to the NAS. After a while the master
process logs "WARNING: Unresponsive child (id XXXXX) for request YY". strace
or ltrace on the blocked thread did not yield anything.
My OS is SuSE 9.0. I tried both the SuSE package (version 0.9.0) and a
binary compiled from the sources (version 0.9.3).
I suppose that I am missing something in my configuration (although the
server should not get into an infinite loop).
Any help will be appreciated.
The output from "radiusd -xx" is:
**************** Incorrect password supplied *********************
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4 Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
NAS-IP-Address = 163.242.48.9
NAS-Port = 0
User-Name = "[EMAIL PROTECTED]"
User-Password = "123456"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "robert"
rlm_realm: Proxying request from user robert to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Preparing to proxy authentication request to realm "myrealm"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0 Sending
Access-Request of id 1 to 163.242.54.177:1645
User-Name = "robert"
NAS-IP-Address = 163.242.48.9
NAS-Port = 0
User-Password = "123456"
Proxy-State = 0x313035
Thread 1 waiting to be assigned a request
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1,
length=28
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
Reply-Message = "\n"
Proxy-State = 0x313035
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0 Delaying request 0 for
1 seconds Finished request 0 Going to the next request Thread 2 waiting to
be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5 Sending Access-Reject of id 105
to 163.242.48.9:1645
Reply-Message = "\n"
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 409b9368 Nothing to do.
Sleeping until we see a request.
**************** Correct password supplied *********************
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4 Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
NAS-IP-Address = 163.242.48.9
NAS-Port = 0
User-Name = "[EMAIL PROTECTED]"
User-Password = "fp5cp7"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "robert"
rlm_realm: Proxying request from user robert to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Preparing to proxy authentication request to realm "myrealm"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0 Sending
Access-Request of id 1 to 163.242.54.177:1645
User-Name = "robert"
NAS-IP-Address = 163.242.48.9
NAS-Port = 0
User-Password = "fp5cp7"
Proxy-State = 0x313037
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1,
length=125
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
Service-Type = Framed-User
Framed-Protocol = PPP
Cisco-AVPair = "lcp:callback-dialstring="
Cisco-AVPair = "lcp:nocallback-verify=1"
Cisco-AVPair = "ip:addr-pool=main_pool"
modcall: entering group post-proxy for request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 32771) for request 0 Server rejecting
request 0.
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
Robert Szelepcsényi
Operation Related Services
Siemens Business Services s.r.o.
Stromová 9
830 07 BRATISLAVA
Slovenská republika
* (+421 2) 5968 4914
* (+421 903) 634 844
* [EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
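
Added example, not part of the original thread and not FreeRADIUS code: a Python script that reads radiusd debug output like the one quoted above and reports requests that the home server answered but for which no reply was ever sent to the NAS. The function and field names are hypothetical, and it assumes one request in flight at a time, as in this log.

```python
import re

# Matched after collapsing whitespace, because the mail client wrapped long lines.
EVENT = re.compile(
    r"rad_recv: (?P<rtype>Access-\w+) packet from host (?P<rhost>[\d.]+):\d+, id=(?P<rid>\d+)"
    r"|Sending (?P<stype>Access-\w+) of id (?P<sid>\d+) to (?P<shost>[\d.]+):\d+"
    r"|WARNING: Unresponsive child \(id (?P<child>\d+)\)")

def trace_requests(log):
    """One record per NAS request. Assumes one request in flight at a time."""
    requests, proxied, current = {}, {}, None
    for m in EVENT.finditer(" ".join(log.split())):
        if m["rtype"] == "Access-Request":           # arrived from the NAS
            key = (m["rhost"], int(m["rid"]))
            if key in requests and not requests[key]["nas_reply"]:
                requests[key]["retransmits"] += 1    # NAS resent while we were silent
            else:
                requests[key] = {"id": key[1], "home_reply": None, "nas_reply": None,
                                 "retransmits": 0, "unresponsive": False}
            current = requests[key]
        elif m["rtype"]:                             # reply from the home server
            if rec := proxied.get((m["rhost"], int(m["rid"]))):
                rec["home_reply"] = m["rtype"]
        elif m["stype"] == "Access-Request":         # proxied to the home server
            proxied[(m["shost"], int(m["sid"]))] = current
        elif m["stype"]:                             # final reply to the NAS
            if rec := requests.get((m["shost"], int(m["sid"]))):
                rec["nas_reply"] = m["stype"]
        elif m["child"] and current:                 # watchdog gave up on the thread
            current["unresponsive"] = True
    return list(requests.values())

def stalled(log):
    """Requests the home server answered but the NAS never got a reply for."""
    return [r for r in trace_requests(log) if r["home_reply"] and not r["nas_reply"]]

# Abridged from the "radiusd -xx" output quoted in the thread.
SAMPLE = """
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105, length=66
Sending Access-Request of id 1 to 163.242.54.177:1645
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1, length=28
Threads: total/active/spare threads = 5/0/5 Sending Access-Reject of id 105
to 163.242.48.9:1645
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Sending Access-Request of id 1 to 163.242.54.177:1645
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1, length=125
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
WARNING: Unresponsive child (id 32771) for request 0 Server rejecting request 0.
"""
```

Calling stalled(SAMPLE) returns only the id 107 request: the Access-Accept arrived from the home server, the NAS retransmitted once, and no reply to the NAS was logged.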