The mystery deepens...
I did a RADIUS ping from my NAS; here is what it says...
Secure_WiFi_Test(config-test)# radius-ping external primary user
[email protected] password ****** auth-type chap
Starting RADIUS ping. This may take up to 20 seconds.
Testing RADIUS connection ... server is not responding. Host is down, RADIUS
secret is incorrect, or authentication failed.
Secure_WiFi_Test(config-test)#
However, this is what the radius server saw:
rad_recv: Access-Request packet from host 10.11.30.3 port 32782, id=226,
length=63
User-Name = "[email protected]"
CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
NAS-Port = 1812
server packetfence {
+- entering group authorize {...}
[suffix] Looking up realm "umhb.edu" for User-Name = "[email protected]"
[suffix] Found realm "umhb.edu"
[suffix] Adding Stripped-User-Name = "install"
[suffix] Adding Realm = "umhb.edu"
[suffix] Authentication realm is LOCAL.
++[suffix] returns ok
++[preprocess] returns ok
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[files] users: Matched entry DEFAULT at line 1
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
rlm_perl: Added pair CHAP-Challenge = 0x4e9b978325a8a42eff24c8e66a13ea25
rlm_perl: Added pair CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair Realm = umhb.edu
rlm_perl: Added pair NAS-IP-Address = 10.11.30.3
rlm_perl: Added pair Stripped-User-Name = install
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
+- entering group post-auth {...}
++[exec] returns noop
rlm_perl: Added pair User-Name = [email protected]
rlm_perl: Added pair CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
rlm_perl: Added pair CHAP-Challenge = 0x4e9b978325a8a42eff24c8e66a13ea25
rlm_perl: Added pair Realm = umhb.edu
rlm_perl: Added pair NAS-Port = 1812
rlm_perl: Added pair Stripped-User-Name = install
rlm_perl: Added pair NAS-IP-Address = 10.11.30.3
rlm_perl: Added pair Auth-Type = Accept
++[perl] returns ok
} # server packetfence
Sending Access-Accept of id 226 to 10.11.30.3 port 32782
Finished request 85.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 85 ID 226 with timestamp +9002
Ready to process requests.
And the tcpdump:
[root@NAC01 raddb]# tcpdump -vv -i eth0 -n port 1812
tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
15:38:02.959741 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto: UDP
(17), length: 91) 10.11.30.3.32782 > 10.2.1.74.radius: RADIUS, length: 63
Access Request (1), id: 0x78, Authenticator:
7f9f1133a6c30312688a5aecf0fc12b7
Username Attribute (1), length: 18, Value: [email protected]
0x0000: 696e 7374 616c 6c40 756d 6862 2e65 6475
CHAP Password Attribute (3), length: 19, Value:
0x0000: 786b 29d0 18c2 a729 8d91 d653 d130 [|radius]
15:38:02.960583 IP (tos 0x0, ttl 64, id 28151, offset 0, flags [none], proto:
UDP (17), length: 48) 10.2.1.74.radius > 10.11.30.3.32782: [bad udp cksum
baa7!] RADIUS, length: 20
Access Accept (2), id: 0x78, Authenticator:
de497308ad27e4d4d839da276fe861d3
Notice, the RADIUS server responds with an accept but the NAS doesn't see it...
why does this have to happen on a Friday! : )
Jake Sallee
Godfather of Bandwidth
Network Engineer
University of Mary Hardin-Baylor
900 College St.
Belton, Texas
76513
Fone: 254-295-4658
Phax: 254-295-4221
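The NAS error above lists the three things a RADIUS client checks before it will accept a reply: the packet must come from the address the request was sent to, its Identifier must match an outstanding request, and its Response Authenticator (MD5 over Code, ID, Length, the Request Authenticator, the attributes and the shared secret, per RFC 2865 section 3) must verify; a reply that fails any of these is silently dropped and the client reports a timeout. The following script is an added example, not code from the thread or from PacketFence: it takes the Identifier, Request Authenticator and server address from the tcpdump above, uses a placeholder shared secret (the real one is not on the page), and reports which of those checks a reply would fail. Note also that tcpdump run on the sending host commonly reports "bad udp cksum" when the NIC fills in the checksum after the packet was captured, so that line alone does not show the reply was corrupted on the wire.

```python
# Added example (not from the PacketFence thread): replay the RADIUS client-side
# acceptance checks of RFC 2865 section 3 against a reply like the Access-Accept
# in the tcpdump above. Identifier, Request Authenticator and server address are
# taken from the capture; the shared secret is a placeholder (assumption).
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH16s")  # Code, Identifier, Length, Authenticator

# Values seen in the capture (the Access-Request from the NAS).
REQUEST_ID = 0x78
REQUEST_AUTH = bytes.fromhex("7f9f1133a6c30312688a5aecf0fc12b7")
REQUEST_DST = ("10.2.1.74", 1812)  # where the NAS sent the request

# Placeholder shared secret: the real secret is not known from the thread.
SECRET = b"placeholder-shared-secret"


def parse_header(packet: bytes) -> dict:
    """Split a RADIUS packet into its header fields and attribute bytes."""
    if len(packet) < HEADER.size:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length, auth = HEADER.unpack_from(packet)
    if length < HEADER.size or length > len(packet):
        raise ValueError("RADIUS Length field inconsistent with packet size")
    return {"code": code, "id": ident, "length": length,
            "authenticator": auth, "attributes": packet[HEADER.size:length]}


def response_authenticator(code: int, ident: int, attributes: bytes,
                           request_auth: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    length = HEADER.size + len(attributes)
    data = struct.pack("!BBH", code, ident, length) + request_auth + attributes + secret
    return hashlib.md5(data).digest()


def build_reply(code: int, ident: int, attributes: bytes,
                request_auth: bytes, secret: bytes) -> bytes:
    """Build a reply packet the way a server would, with a valid authenticator."""
    auth = response_authenticator(code, ident, attributes, request_auth, secret)
    return struct.pack("!BBH", code, ident, HEADER.size + len(attributes)) + auth + attributes


def verify_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """True if the packet's Response Authenticator matches the secret and request."""
    hdr = parse_header(packet)
    expected = response_authenticator(hdr["code"], hdr["id"], hdr["attributes"],
                                      request_auth, secret)
    return hmac.compare_digest(expected, hdr["authenticator"])


def rejection_reasons(reply_src: tuple, packet: bytes, request_dst: tuple = REQUEST_DST,
                      outstanding_id: int = REQUEST_ID, request_auth: bytes = REQUEST_AUTH,
                      secret: bytes = SECRET) -> list:
    """Return why a NAS would silently drop this reply; an empty list means accepted."""
    reasons = []
    if reply_src != request_dst:
        reasons.append("reply source %s:%d is not the server the request went to" % reply_src)
    hdr = parse_header(packet)
    if hdr["id"] != outstanding_id:
        reasons.append("identifier 0x%02x matches no outstanding request" % hdr["id"])
    if not verify_reply(packet, request_auth, secret):
        reasons.append("Response Authenticator does not verify (wrong shared secret?)")
    return reasons


if __name__ == "__main__":
    # A bare Access-Accept (20 bytes, no attributes), like the one in the capture.
    good = build_reply(2, REQUEST_ID, b"", REQUEST_AUTH, SECRET)
    print("correct secret, expected source:", rejection_reasons(REQUEST_DST, good) or "accepted")
    print("same packet, wrong secret:", rejection_reasons(REQUEST_DST, good, secret=b"other-secret"))
    print("reply from another interface:", rejection_reasons(("10.2.1.75", 1812), good))
```

Run against a live capture, the same checks tell you which of the three causes in the NAS message applies: a reply leaving from a different interface than the request arrived on fails the source check, a secret mismatch fails only the authenticator check, and a reply matched to a request that has already timed out fails the identifier check.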
From: Francois Gaudreault [mailto:[email protected]]
Sent: Friday, May 06, 2011 2:45 PM
To: [email protected]
Subject: Re: [Packetfence-users] FreeRADIUS client authentication problem
Well according to the log you sent me, it jams on the access-challenge
response, correct?
> So bottom line, make sure the UDP goes out on the same IP as it comes in.
The requests are coming in from a Xirrus AP ALWAYS on 10.11.30.3.
What I mean is on the PacketFence server. You need to make sure that the
RADIUS request comes in on IP 1.1.1.1 and goes out from IP 1.1.1.1. A quick
tcpdump should show if it's the case or not:
tcpdump -i ethX -n port 1812
Keep us posted.
--
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and
PacketFence (www.packetfence.org)
_______________________________________________
Packetfence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users