Re: Proxy not sending out packets (was Re: Proxying a PEAP request to an IAS server)

2005-11-09 Thread Dan Newcombe

Alan DeKok wrote:
> Dan Newcombe [EMAIL PROTECTED] wrote:
>> The short of it is I'm trying to get 802.1x with PEAP to be proxied by
>> freeradius to an ias radius server.
>
> Start simple.  Use PAP, and radtest to send the packets.  If that
> makes FreeRADIUS proxy the packets, then go to PEAP.  Otherwise,
> your test is just too complicated, and you don't know what's going
> wrong.

I used radtest and the request was proxied just fine, and the ias box
gave me a positive response.

> This is really an issue with the kernel, I think.  If FreeRADIUS
> calls the kernel send packet function, it should work.

That was my thought - was just hoping someone knew a reason why it may
not be doing so.  I'm currently digging deep in the source where the
packet is sent and trying to remember my disused socket programming
memories to see just what it is trying to send, hoping to find something
glaringly obvious.

One thing I've noticed is on the non-PEAP packets, the src address of
the packet going to the IAS box is 172.28.240.73, whereas on the PEAP
packets, it is 127.0.0.1, which is causing sendmsg in
udpfromto.c:sendfromto to return an Invalid Argument error which says
on sendmsg:

EINVAL - The sum of the iov_len values overflows an ssize_t.

> Can you ping the IAS server from 172.28.240.73?  Can you use
> radtest on 172.28.240.73 to send packets to IAS?

Yes.  I can ping and radtest works, and if it's not a PEAP request,
freeradius works as well - very odd.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
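
The source-address mismatch reported in the message above can be checked outside FreeRADIUS. This is an added example, not part of the thread and not FreeRADIUS code; the function names and the 192.0.2.10 destination are constructed, and the EINVAL outcome assumes Linux with default routing settings.

```python
import errno
import ipaddress
import socket


def source_is_usable(src: str, dst: str) -> bool:
    """False when src is loopback but dst is not (the pairing seen in the thread)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.is_unspecified:  # 0.0.0.0: the kernel picks the source from its route to dst
        return True
    return not (s.is_loopback and not d.is_loopback)


def kernel_source_for(dst: str, port: int = 1812):
    """Address the kernel would choose to reach dst; connect() on UDP sends nothing."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.connect((dst, port))
            return sock.getsockname()[0]
    except OSError:
        return None  # no route to dst from this host


def try_send(src: str, dst: str, port: int = 1812) -> str:
    """Bind to src, send one byte to dst:port, return 'ok' or the errno name."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.bind((src, 0))
            sock.sendto(b"\x00", (dst, port))
            return "ok"
    except OSError as exc:
        return errno.errorcode.get(exc.errno, str(exc.errno))


if __name__ == "__main__":
    dst = "192.0.2.10"  # constructed destination (TEST-NET-1), stands in for the IAS box
    print("kernel would send from:", kernel_source_for(dst))
    for src in ("0.0.0.0", "127.0.0.1"):
        print(f"{src} -> {dst}: usable={source_is_usable(src, dst)}, send={try_send(src, dst)}")
```

On Linux with default settings, a datagram bound to 127.0.0.1 and addressed to a non-loopback host is rejected with EINVAL before anything reaches the wire, the same error name reported in the thread.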


Re: Proxy not sending out packets (was Re: Proxying a PEAP request to an IAS server)

2005-11-09 Thread Alan DeKok
Dan Newcombe [EMAIL PROTECTED] wrote:
> One thing I've noticed is on the non-PEAP packets, the src address of
> the packet going to the IAS box is 172.28.240.73, whereas on the PEAP
> packets, it is 127.0.0.1,

  That's bad.  That's the source of the problem, then.

  I have *no* idea why that would be happening.  What's so magic about
PEAP packets?

  I'll take a look at the source and see if anything pops out.
You're using 1.0.5, right?

  Alan DeKok.


Re: Proxy not sending out packets (was Re: Proxying a PEAP request to an IAS server)

2005-11-09 Thread Dan Newcombe

Alan DeKok wrote:
> Dan Newcombe [EMAIL PROTECTED] wrote:
>> One thing I've noticed is on the non-PEAP packets, the src address of
>> the packet going to the IAS box is 172.28.240.73, whereas on the PEAP
>> packets, it is 127.0.0.1,
>
> That's bad.  That's the source of the problem, then.
>
> I have *no* idea why that would be happening.  What's so magic about
> PEAP packets?
>
> I'll take a look at the source and see if anything pops out.
> You're using 1.0.5, right?

Yes...I'm on 1.0.5.  Glad to know I'm not crazy - wonder if my wife
will believe me though :)

Thanks,
   -Dan


Re: Proxy not sending out packets (was Re: Proxying a PEAP request to an IAS server)

2005-11-08 Thread Alan DeKok
Dan Newcombe [EMAIL PROTECTED] wrote:
> The short of it is I'm trying to get 802.1x with PEAP to be proxied by
> freeradius to an ias radius server.

  Start simple.  Use PAP, and radtest to send the packets.  If that
makes FreeRADIUS proxy the packets, then go to PEAP.  Otherwise,
your test is just too complicated, and you don't know what's going
wrong.

> It appears I have everything working with one small exception -
> freeradius seems to be unwilling to send a packet to the ias radius server.
> I will put more of the logs below, but the gist of it is at this part of
> the process:
> Sending Access-Request of id 1 to 172.28.240.114:1812
> (where 172.28.240.114 is the ias box) no packet appears to be dropped on
> the network.

  This is really an issue with the kernel, I think.  If FreeRADIUS
calls the kernel send packet function, it should work.

> best deduction is that for some reason in proxying, freeradius does not
> want to send a packet.

  Can you ping the IAS server from 172.28.240.73?  Can you use
radtest on 172.28.240.73 to send packets to IAS?

  If radtest doesn't send packets to IAS, then 172.28.240.73 has
firewall rules that block outgoing RADIUS traffic.

  Alan DeKok.