We are having an issue with failed logins with FreeRADIUS. The problem is that FreeRADIUS doesn't appear to actually send a RADIUS Reject until the second authentication request comes in. I have an IOS router authenticating SSH logins against FreeRADIUS. For the example packets above, I am using a static username/password in the users file. I see that if I enter the wrong password, radiusd doesn't send a NAK until the IOS router transmits the request. There are not any delay issues with ACKs coming out of FreeRADIUS.
TCP Dump output:

10:38:22.703456 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008371 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008588 IP 172.16.2.60.1645 > 172.16.1.8.1645: RADIUS, Access Reject (3), id: 0xf1 length: 20

Does this sound familiar to anyone? Ideas?

--
--------------------------------------------------
Jeremy M. Guthrie [email protected]
Hosting and Managed Services
Managed Cisco Security Services
Technical Architect
CDW
5520 Research Park Drive
Madison, WI 53711
Phone: 608-298-1061
Fax: 608-288-3007
NOC: 608-298-1102
NOC Email: [email protected]

