Hi Jake,

The CHAP will return an Accept, but for the NAS, it is normal to fail. As you can see, RADIUS did not respond with an Access-Challenge required for CHAP. In fact, I am not sure that the chap module is enabled for the authentication method.
Now, this doesn't explain why the NAS hangs on the access-challenge. I remember that a switch we had was doing the same behavior, but I cannot remember exactly what I did to fix it. Maybe it will come back to me this weekend. The mystery deepens...

>
> I did a RADIUS ping from my NAS, here is what it says...
>
> Secure_WiFi_Test(config-test)# radius-ping external primary user
> [email protected] password ****** auth-type chap
>
> Starting RADIUS ping. This may take up to 20 seconds.
>
> Testing RADIUS connection ... server is not responding. Host is down,
> RADIUS secret is incorrect, or authentication failed.
>
> Secure_WiFi_Test(config-test)#
>
> However, this is what the radius server saw:
>
> rad_recv: Access-Request packet from host 10.11.30.3 port 32782, id=226,
> length=63
> User-Name = "[email protected]"
> CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
> NAS-Port = 1812
> server packetfence {
> +- entering group authorize {...}
> [suffix] Looking up realm "umhb.edu" for User-Name = "[email protected]"
> [suffix] Found realm "umhb.edu"
> [suffix] Adding Stripped-User-Name = "install"
> [suffix] Adding Realm = "umhb.edu"
> [suffix] Authentication realm is LOCAL.
> ++[suffix] returns ok
> ++[preprocess] returns ok
> [eap] No EAP-Message, not doing EAP
> ++[eap] returns noop
> [files] users: Matched entry DEFAULT at line 1
> ++[files] returns ok
> ++[expiration] returns noop
> ++[logintime] returns noop
> rlm_perl: Added pair CHAP-Challenge = 0x4e9b978325a8a42eff24c8e66a13ea25
> rlm_perl: Added pair CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
> rlm_perl: Added pair User-Name = [email protected]
> rlm_perl: Added pair Realm = umhb.edu
> rlm_perl: Added pair NAS-IP-Address = 10.11.30.3
> rlm_perl: Added pair Stripped-User-Name = install
> rlm_perl: Added pair NAS-Port = 1812
> rlm_perl: Added pair Auth-Type = Accept
> ++[perl] returns noop
> Found Auth-Type = Accept
> Auth-Type = Accept, accepting the user
> +- entering group post-auth {...}
> ++[exec] returns noop
> rlm_perl: Added pair User-Name = [email protected]
> rlm_perl: Added pair CHAP-Password = 0xe23091fc0b8cadeaeaccf1accfdd830eb1
> rlm_perl: Added pair CHAP-Challenge = 0x4e9b978325a8a42eff24c8e66a13ea25
> rlm_perl: Added pair Realm = umhb.edu
> rlm_perl: Added pair NAS-Port = 1812
> rlm_perl: Added pair Stripped-User-Name = install
> rlm_perl: Added pair NAS-IP-Address = 10.11.30.3
> rlm_perl: Added pair Auth-Type = Accept
> ++[perl] returns ok
> } # server packetfence
> Sending Access-Accept of id 226 to 10.11.30.3 port 32782
> Finished request 85.
> Going to the next request
> Waking up in 4.9 seconds.
> Cleaning up request 85 ID 226 with timestamp +9002
> Ready to process requests.
>
> And the tcpdump:
>
> [root@NAC01 raddb]# tcpdump -vv -i eth0 -n port 1812
> tcpdump: listening on eth0, link-type EN10MB (Ethernet), capture size 96
> bytes
> 15:38:02.959741 IP (tos 0x0, ttl 61, id 0, offset 0, flags [DF], proto:
> UDP (17), length: 91) 10.11.30.3.32782 > 10.2.1.74.radius: RADIUS, length:
> 63
> Access Request (1), id: 0x78, Authenticator:
> 7f9f1133a6c30312688a5aecf0fc12b7
> Username Attribute (1), length: 18, Value: [email protected]
> 0x0000: 696e 7374 616c 6c40 756d 6862 2e65 6475
> CHAP Password Attribute (3), length: 19, Value:
> 0x0000: 786b 29d0 18c2 a729 8d91 d653 d130 [|radius]
> 15:38:02.960583 IP (tos 0x0, ttl 64, id 28151, offset 0, flags [none],
> proto: UDP (17), length: 48) 10.2.1.74.radius > 10.11.30.3.32782: [bad udp
> cksum baa7!] RADIUS, length: 20
> Access Accept (2), id: 0x78, Authenticator:
> de497308ad27e4d4d839da276fe861d3
>
>
> Notice, the RADIUS server responds with an accept but the NAS doesn't see
> it... why does this have to happen on a Friday! : )
>
> Jake Sallee
> Godfather of Bandwidth
> Network Engineer
> University of Mary Hardin-Baylor
> 900 College St.
> Belton, Texas
> 76513
> Fone: 254-295-4658
> Phax: 254-295-4221
>
> From: Francois Gaudreault [mailto:[email protected]]
> Sent: Friday, May 06, 2011 2:45 PM
> To: [email protected]
> Subject: Re: [Packetfence-users] FreeRADIUS client authentication problem
>
> Well according to the log you sent me, it jams on the access-challenge
> response, correct?
>
>> So bottom line, make sure the UDP goes out on the same IP as it comes IN.
> The requests are coming in from a Xirrus AP ALWAYS on
> 10.11.30.3.
> What I mean is on the PacketFence server. You need to make sure that the
> RADIUS request comes in on IP 1.1.1.1 and goes out from IP 1.1.1.1. A quick
> tcpdump should show if it's the case or not:
> tcpdump -i ethX -n port 1812
>
> Keep us posted.
>
> --
>
> Francois Gaudreault, ing.
> jr
>
> [email protected]<mailto:[email protected]> :: +1.514.447.4918
> (x130) :: www.inverse.ca<http://www.inverse.ca>
>
> Inverse inc. :: Leaders behind SOGo (www.sogo.nu<http://www.sogo.nu>) and
> PacketFence (www.packetfence.org<http://www.packetfence.org>)
>
> ------------------------------------------------------------------------------
> WhatsUp Gold - Download Free Network Management Software
> The most intuitive, comprehensive, and cost-effective network
> management toolset available today. Delivers lowest initial
> acquisition cost and overall TCO of any competing solution.
> http://p.sf.net/sfu/whatsupgold-sd
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
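To make the CHAP part of the exchange above concrete, and to show why a server that has "Auth-Type = Accept" set for it answers Access-Accept without ever checking the password, here is an added Python example. It is not code from this thread, from PacketFence or from FreeRADIUS. It builds an Access-Request the way a NAS doing auth-type chap would, parses it on the server side, verifies the CHAP-Password attribute (CHAP ident byte followed by MD5(ident || password || challenge), using the Request Authenticator as the challenge when no CHAP-Challenge attribute is present, per RFC 2865), and strips the realm the way the [suffix] lines in the log do. The user table, authenticator, challenge and the `forced_auth_type` parameter are constructed for the example; `forced_auth_type="Accept"` stands in for a module setting Auth-Type = Accept.

```python
import hashlib
import hmac
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_CHAP_PASSWORD, ATTR_NAS_PORT, ATTR_CHAP_CHALLENGE = 1, 3, 5, 60


def chap_password(ident, password, challenge):
    """CHAP-Password attribute value: the CHAP ident byte followed by
    MD5(ident || password || challenge); 17 bytes in total."""
    digest = hashlib.md5(bytes([ident]) + password + challenge).digest()
    return bytes([ident]) + digest


def build_access_request(pkt_id, authenticator, username, password, ident, challenge=None):
    """NAS side. If no CHAP-Challenge attribute is sent, the 16-byte
    Request Authenticator serves as the challenge (RFC 2865, section 5.3)."""
    effective = authenticator if challenge is None else challenge
    attrs = [(ATTR_USER_NAME, username.encode()),
             (ATTR_CHAP_PASSWORD, chap_password(ident, password.encode(), effective))]
    if challenge is not None:
        attrs.append((ATTR_CHAP_CHALLENGE, challenge))
    attrs.append((ATTR_NAS_PORT, struct.pack("!I", 1812)))
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", ACCESS_REQUEST, pkt_id, 20 + len(body)) + authenticator + body


def parse_packet(data):
    """Split a RADIUS packet into (code, id, authenticator, {type: value}).
    Octets beyond the Length field are ignored, as the RFC requires."""
    if len(data) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, pkt_id, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError("bad RADIUS length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs[atype] = data[pos + 2:pos + alen]
        pos += alen
    return code, pkt_id, data[4:20], attrs


def strip_realm(username):
    """What the [suffix] lines in the log do: 'install@umhb.edu' -> ('install', 'umhb.edu')."""
    user, sep, realm = username.partition("@")
    return user, (realm if sep else None)


def authorize(data, users, forced_auth_type=None):
    """Server side; returns ACCESS_ACCEPT or ACCESS_REJECT.
    forced_auth_type='Accept' (hypothetical parameter) models a module having
    set Auth-Type = Accept: the CHAP response is then never examined."""
    code, _, authenticator, attrs = parse_packet(data)
    if code != ACCESS_REQUEST:
        return ACCESS_REJECT
    if forced_auth_type == "Accept":
        return ACCESS_ACCEPT  # accepted without any password check
    chap = attrs.get(ATTR_CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        return ACCESS_REJECT  # no CHAP material to verify
    user, _realm = strip_realm(attrs.get(ATTR_USER_NAME, b"").decode(errors="replace"))
    password = users.get(user)
    if password is None:
        return ACCESS_REJECT
    challenge = attrs.get(ATTR_CHAP_CHALLENGE, authenticator)
    expected = chap_password(chap[0], password.encode(), challenge)
    return ACCESS_ACCEPT if hmac.compare_digest(chap, expected) else ACCESS_REJECT


# Constructed sample values; not taken from the capture in the thread
USERS = {"install": "correct-horse"}
AUTHENTICATOR = bytes(range(16))
CHALLENGE = bytes.fromhex("00112233445566778899aabbccddeeff")


def demo():
    """Run the four cases a practitioner would want to see side by side."""
    good = build_access_request(226, AUTHENTICATOR, "install@umhb.edu", "correct-horse", 0xE2, CHALLENGE)
    bad = build_access_request(226, AUTHENTICATOR, "install@umhb.edu", "wrong-password", 0xE2, CHALLENGE)
    no_chal = build_access_request(227, AUTHENTICATOR, "install@umhb.edu", "correct-horse", 0xE2)
    return {
        "good_password": authorize(good, USERS),
        "bad_password": authorize(bad, USERS),
        "authenticator_as_challenge": authorize(no_chal, USERS),
        "forced_accept_bad_password": authorize(bad, USERS, forced_auth_type="Accept"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, "->", "Access-Accept" if result == ACCESS_ACCEPT else "Access-Reject")
```

The last case is the one the debug output above shows: with Auth-Type already set to Accept, the reply is Access-Accept whether or not the CHAP digest matches, so the Accept in the log says nothing about whether the chap module was consulted. The example never sends UDP, so it cannot reproduce the reply-path problem; for that, the `tcpdump -i ethX -n port 1812` check quoted in the thread, confirming the reply leaves from the same IP the request arrived on, remains the test.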
