Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-20 Thread orion
I had the same problem when I wanted to authenticate the hotspot's user with
freeradius.
The solution was to make a static mapping on IP - HOTSPOT - IP BINDINGS

MAC address :  THE MAC OF THE SERVER
ADDRESS :   THE IP ADDRESS OF THE SERVER
TO ADDRESS : THE SAME AS ABOVE
SERVER : ALL
TYPE :  REGULAR or BYPASSED

and then it worked. It was related since the hotspot connections are passed
to the mikrotik's webproxy ( capture portal/page )

2009/3/19 Fajar A. Nugraha fa...@fajar.net

 2009/3/19 Lazar Cherveniakov laz...@mail.bg:
  Everything looks fine in IP addresses, but the problem is still the same.

 Looks like you got exactly the problem I described. See here :

  Mikrotik debug log
  01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

 Mikrotik thinks radius IP is 192.168.200.2

  radius server ip`s
  # ifconfig
  eth0      Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
            inet addr:192.168.200.3  Bcast:192.168.200.255  Mask:255.255.255.0
  eth0:1    Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
            inet addr:192.168.200.2  Bcast:192.168.200.255  Mask:255.255.255.0

 ... while that IP is secondary IP on the radius server. Do a tcpdump
 on radius and you should see that radius replies comes from
 192.168.200.3 (which mikrotik discards, because it's not the IP it
 sends the request to).

 There are several ways to fix this (one of them involves recompiling
 freeradius with --with-udpfromto, see
 http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F
 ), but the easiest way is simply change mikrotik's config to use
 192.168.200.3 as radius IP address.

 Regards,

 Fajar

 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Lazar Cherveniakov

I don't have a firewall.
How do I solve the problem?

Thanks in advance
--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Fajar A. Nugraha
2009/3/19 Lazar Cherveniakov laz...@mail.bg:
 I don't have a firewall.
 How do I solve the problem?

Does your radius server have more than one IP address?
If yes, then probably you tell mikrotik that radius IP is the
secondary address while freeradius sends replies from primary IP
address. There are some ways to fix this, but the easiest way is to
set your NAS (mikrotik) to use the radius server's primary IP address.


Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Marinko Tarlac
ping NAS from radius server
ping radius server from nas

Also, check mtik logs... you can turn on radius debugging in mtik and you
will see what is the problem...

On Thu, Mar 19, 2009 at 9:42 AM, Fajar A. Nugraha fa...@fajar.net wrote:

 2009/3/19 Lazar Cherveniakov laz...@mail.bg:
  I don't have a firewall.
  How do I solve the problem?

 Does your radius server have more than one IP address?
 If yes, then probably you tell mikrotik that radius IP is the
 secondary address while freeradius sends replies from primary IP
 address. There are some ways to fix this, but the easiest way is to
 set your NAS (mikrotik) to use the radius server's primary IP address.

Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread tnt
I don't have a firewall.
How do I solve the problem?

Yes, you do. Things like iptables are also firewalls. Use wireshark to
find where the packets are stopped. And then fix it.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Lazar Cherveniakov

Everything looks fine in IP addresses, but the problem is still the same.
Here again the log of Mikrotik and freeradius:

Mikrotik debug log

01:33:40 pppoe,info PPPoE connection established from 00:15:AF:1F:23:1A
01:33:40 pppoe,ppp,info pppoe-0: waiting for call...
01:33:40 radius,debug new request 53:02 code=Access-Request service=ppp called-id=pppoe-in
01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812
01:33:40 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:40 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:40 radius,debug,packet Service-Type = 2
01:33:40 radius,debug,packet Framed-Protocol = 1
01:33:40 radius,debug,packet NAS-Port = 10
01:33:40 radius,debug,packet NAS-Port-Type = 15
01:33:40 radius,debug,packet User-Name = lacho
01:33:40 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:40 radius,debug,packet Called-Station-Id = pppoe-in
01:33:40 radius,debug,packet NAS-Port-Id = ether1
01:33:40 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:40 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:40 radius,debug,packet   18
01:33:40 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:40 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = lacho
01:33:41 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:41 radius,debug,packet Called-Station-Id = pppoe-in
01:33:41 radius,debug,packet NAS-Port-Id = ether1
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet   18
01:33:41 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = lacho
01:33:41 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:41 radius,debug,packet Called-Station-Id = pppoe-in
01:33:41 radius,debug,packet NAS-Port-Id = ether1
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet   18
01:33:41 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug timeout for 53:02
01:33:41 pppoe,ppp,info pppoe-lacho: terminating... - user lacho authentication failed - radius timeout (6)
01:33:41 pppoe,ppp,info pppoe-lacho: disconnected


Freeradius debug log:

Sending Access-Accept of id 7 to 192.168.200.4 port 32768
        Acct-Interim-Interval = 300
        Session-Timeout = 31
        Mikrotik-Xmit-Limit = 1073217536
        Framed-IP-Address = 10.8.15.44
        Mikrotik-Recv-Limit = 1073217536
        Framed-IP-Netmask = 255.255.255.255
Thu Mar 19 12:37:16 2009 : Debug: Finished request 3
Thu Mar 19 12:37:16 2009 : Debug: Going to the next request
Thu Mar 19 12:37:16 2009 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=8, length=144
Thu Mar 19 12:37:31 2009 : Debug: --- Walking the entire request list ---
Thu Mar 19 12:37:31 2009 : Debug: Cleaning up request 3 ID 7 with timestamp 49c2205c
Thu Mar 19 12:37:31 2009 : Debug: Waking up in 31 seconds...
Thu Mar 19 12:37:31 2009 : Debug: Threads: total/active/spare threads = 5/0/5
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 got semaphore
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 handling request 4, (1 handled so far)
        Service-Type = Framed-User
        Framed-Protocol = PPP
        NAS-Port = 10
        NAS-Port-Type = Ethernet
        User-Name = lacho
        Calling-Station-Id = 00:15:AF:1F:23:1A
        Called-Station-Id = pppoe-in
        NAS-Port-Id = ether1
        CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
        CHAP-Password = 

Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread tnt
Everything looks fine in IP addresses, but the problem is still the same.

No, it's not looking fine.

Mikrotik debug log

. has no trace of Access-Accept packet - it didn't arrive.

Here again the log of Mikrotik and freeradius:


Stop looking at the logs and start looking at the network.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread tnt
The machines are connected to cable and on 2 meters,
in this case where to find the problem?
What and how to get to see where the real problem?

Wireshark. If you see packets on the wire - Mikrotik is stopping it. If
you don't see them on the wire - radius machine is stopping them.

Ivan Kalik
Kalik Informatika ISP



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Fajar A. Nugraha
2009/3/19 Lazar Cherveniakov laz...@mail.bg:
 Everything looks fine in IP addresses, but the problem is still the same.

Looks like you got exactly the problem I described. See here :

 Mikrotik debug log
 01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

Mikrotik thinks radius IP is 192.168.200.2

 radius server ip`s
 # ifconfig
 eth0      Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
           inet addr:192.168.200.3  Bcast:192.168.200.255  Mask:255.255.255.0
 eth0:1    Link encap:Ethernet  HWaddr 00:19:66:4E:F4:E8
           inet addr:192.168.200.2  Bcast:192.168.200.255  Mask:255.255.255.0

... while that IP is secondary IP on the radius server. Do a tcpdump
on radius and you should see that radius replies comes from
192.168.200.3 (which mikrotik discards, because it's not the IP it
sends the request to).

There are several ways to fix this (one of them involves recompiling
freeradius with --with-udpfromto, see
http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F
), but the easiest way is simply change mikrotik's config to use
192.168.200.3 as radius IP address.

Regards,

Fajar
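
Added example (not part of Fajar's message and not FreeRADIUS code): the tcpdump check suggested above, automated in Python over a text capture, pairing each Access-Request with its reply and flagging replies whose source address differs from the address the NAS sent to. The capture lines are constructed in `tcpdump -n` style from this thread's addresses, and 192.168.200.5 is a hypothetical second NAS pointed at the server's primary address.

```python
import re

# Constructed sample in `tcpdump -n udp port 1812` style, using this thread's
# addresses. 192.168.200.5 is a hypothetical second NAS that is configured
# with the server's primary address (192.168.200.3).
CAPTURE = """\
01:33:40.101 IP 192.168.200.4.32768 > 192.168.200.2.1812: RADIUS, Access-Request (1), id: 0x08 length: 144
01:33:40.153 IP 192.168.200.3.1812 > 192.168.200.4.32768: RADIUS, Access-Accept (2), id: 0x08 length: 62
01:33:41.102 IP 192.168.200.4.32768 > 192.168.200.2.1812: RADIUS, Access-Request (1), id: 0x08 length: 144
01:33:41.150 IP 192.168.200.3.1812 > 192.168.200.4.32768: RADIUS, Access-Accept (2), id: 0x08 length: 62
01:33:42.300 IP 192.168.200.5.40001 > 192.168.200.3.1812: RADIUS, Access-Request (1), id: 0x11 length: 140
01:33:42.341 IP 192.168.200.3.1812 > 192.168.200.5.40001: RADIUS, Access-Accept (2), id: 0x11 length: 62
"""

# src_ip.src_port > dst_ip.dst_port: RADIUS, <packet type> (<code>), id: 0x..
PKT = re.compile(
    r"IP (\d+(?:\.\d+){3})\.(\d+) > (\d+(?:\.\d+){3})\.(\d+): "
    r"RADIUS, (Access[- ]\w+) \(\d+\), id: 0x([0-9a-fA-F]+)"
)


def reply_source_mismatches(capture_text, server_port=1812):
    """Return unique (radius_id, nas_ip, sent_to, reply_from) tuples for
    replies that left the server from a different address than the one the
    NAS addressed. A NAS drops such replies, so it retransmits and times out."""
    asked = {}      # (nas_ip, nas_port, radius_id) -> server IP the NAS sent to
    findings = []
    for line in capture_text.splitlines():
        m = PKT.search(line)
        if not m:
            continue
        src, sport = m.group(1), int(m.group(2))
        dst, dport = m.group(3), int(m.group(4))
        kind, rid = m.group(5), int(m.group(6), 16)
        if dport == server_port and kind.endswith("Request"):
            asked[(src, sport, rid)] = dst
        elif sport == server_port:
            target = asked.get((dst, dport, rid))
            if target is not None and target != src:
                hit = (rid, dst, target, src)
                if hit not in findings:      # retransmissions repeat the pair
                    findings.append(hit)
    return findings


if __name__ == "__main__":
    for rid, nas, sent_to, reply_from in reply_source_mismatches(CAPTURE):
        print(f"id {rid}: NAS {nas} sent to {sent_to}, reply came from {reply_from}")
```
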



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-19 Thread Lazar Cherveniakov

The machines are connected to cable and on 2 meters,
in this case where to find the problem?
What and how to get to see where the real problem?
--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-18 Thread tnt
I'm a new radius user and I'm a beginner.
I have a problem with connecting mikrotik with the radius server.
My clients are using a pppoe server but I have connect to radius server, but
after configuration from internet documentation my server doesn't work
and I receive errors in radius.log and the pppoe server shows a 691 error

Wrong log.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP



freeradius and mikrotik auth problem pppoe error 691

2009-03-18 Thread Lazar Cherveniakov

Hello,
I'm a new radius user and I'm a beginner.
I have a problem with connecting mikrotik with the radius server.
My clients are using a pppoe server but I have connect to radius server, but
after configuration from internet documentation my server doesn't work
and I receive errors in radius.log and the pppoe server shows a 691 error


These are the errors:

Wed Mar 11 17:59:23 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 8 due to unfinished request 0
Wed Mar 11 17:59:26 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 9 due to unfinished request 1
Wed Mar 11 17:59:28 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 10 due to unfinished request 2
Wed Mar 11 18:44:28 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed Mar 11 18:44:28 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 11 18:44:28 2009 : Info: Ready to process requests.
Wed Mar 11 18:57:43 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed Mar 11 18:57:43 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 11 18:57:43 2009 : Info: Ready to process requests.
Mon Mar 16 22:20:07 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Mon Mar 16 22:20:07 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Mar 16 22:20:07 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:19 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed Mar 18 22:35:19 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 18 22:35:19 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:25 2009 : Info: Using deprecated naslist file.  Support for this will go away soon.
Wed Mar 18 22:35:25 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 18 22:35:25 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:39 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 1 due to unfinished request 0
Wed Mar 18 22:35:40 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 1 due to unfinished request 0

This is the mikrotik error:

mar/13 23:42:18 pppoe,info PPPoE connection established from 00:15:AF:1F:23:1A
mar/13 23:42:18 pppoe,ppp,info pppoe-0: waiting for call...
mar/13 23:42:19 pppoe,ppp,info pppoe-lacho: terminating... - user lacho authentication failed - radius timeout (6)
mar/13 23:42:19 pppoe,ppp,info pppoe-lacho: disconnected

Please help me. Thanks in advance.

--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE



Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-18 Thread Lazar Cherveniakov

Sorry, I'm a new mail-list user.
While tracking installed following instructions
http://abills.net.ua/wiki/doku.php?id=abills:docs_03:install:en

The full debug log is:

# radiusd -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/raddb/proxy.conf
Config:   including file: /etc/raddb/clients.conf
Config:   including file: /etc/raddb/snmp.conf
Config:   including file: /etc/raddb/eap.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/radius
 main: libdir = /usr/lib
 main: radacctdir = /var/log/radius/radacct
 main: hostname_lookups = no
 main: snmp = no
 main: max_request_time = 30
 main: cleanup_delay = 2
 main: max_requests = 102400
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/radiusd/radiusd.pid
 main: user = radiusd
 main: group = radiusd
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
 pap: auto_header = yes
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = /etc/shadow
 unix: group = (null)
 unix: radwtmp = /var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/raddb/huntgroups
 preprocess: hints = /etc/raddb/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
 exec: wait = yes
 exec: program = /usr/abills/libexec/rauth.pl pre_auth
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = (null)
Module: Instantiated exec (pre_auth)
Module: Loaded files
 files: usersfile = /etc/raddb/users
 files: acctusersfile = /etc/raddb/acct_users
 files: preproxy_usersfile = /etc/raddb/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded detail
 detail: detailfile = /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
 detail: detailperm = 384
 detail: dirperm = 493
 detail: locking = no
Module: Instantiated detail (detail)
Module: Loaded radutmp
 radutmp: filename = /var/log/radius/radutmp
 radutmp: username = %{User-Name}
 radutmp: case_sensitive = yes
 radutmp: check_with_nas = yes
 radutmp: perm = 384
 radutmp: callerid = yes
Module: Instantiated radutmp (radutmp)
 exec: wait = yes
 exec: program = /usr/abills/libexec/rauth.pl post_auth
 exec: input_pairs = request
 exec: output_pairs = config
 exec: packet_type = (null)
Module: Instantiated exec 

Re: freeradius and mikrotik auth problem pppoe error 691

2009-03-18 Thread tnt
Sending Access-Accept of id 2 to 192.168.200.4 port 32768
..
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144
Sending duplicate reply to client TEST-RADIUS:32768 - ID: 2
Re-sending Access-Accept of id 2 to 192.168.200.4 port 32768
..
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144
etc.

Your Access-Accept packet is not reaching Mikrotik. There is a firewall
stopping those packets.

Ivan Kalik
Kalik Informatika ISP
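
Added example, not from the original thread or the FreeRADIUS project: a Python pass over the server log that separates the two duplicate-request signatures seen in this thread, a retransmit that arrives while the request is still unfinished and a retransmit that arrives after the Access-Accept was already sent. The sample is built from log lines quoted in this thread (wrapped lines joined, one elided repeat written out), and the verdict labels are this example's own.

```python
import re
from collections import defaultdict

# Built from the radius.log and `radiusd -X` lines quoted in this thread;
# wrapped lines are joined and the repeat elided as "etc." is written out.
SERVER_LOG = """\
Wed Mar 11 17:59:23 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 8 due to unfinished request 0
Wed Mar 11 17:59:26 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 9 due to unfinished request 1
Sending Access-Accept of id 2 to 192.168.200.4 port 32768
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144
Sending duplicate reply to client TEST-RADIUS:32768 - ID: 2
Re-sending Access-Accept of id 2 to 192.168.200.4 port 32768
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144
Sending duplicate reply to client TEST-RADIUS:32768 - ID: 2
Re-sending Access-Accept of id 2 to 192.168.200.4 port 32768
"""

# Retransmit received while the first copy is still being processed.
UNFINISHED = re.compile(
    r"Discarding duplicate request from client (\S+):(\d+) - ID: (\d+) "
    r"due to unfinished request"
)
# Retransmit received after the server had already answered.
RESENT = re.compile(r"Sending duplicate reply to client (\S+):(\d+) - ID: (\d+)")


def classify_retransmissions(log_text):
    """Map (client, source_port, radius_id) -> (verdict, retransmit_count).

    REPLY_NOT_SEEN_BY_NAS: the server answered and the NAS still asked again,
    so look at the return path (filtering, reply source address).
    SERVER_STILL_PROCESSING: the NAS retried before any reply existed, so look
    at what the server is waiting on.
    RADIUS ids are 8-bit and get reused; run this over one incident's log
    window rather than over weeks of history."""
    counts = defaultdict(lambda: {"unfinished": 0, "resent": 0})
    for line in log_text.splitlines():
        for field, pattern in (("unfinished", UNFINISHED), ("resent", RESENT)):
            m = pattern.search(line)
            if m:
                key = (m.group(1), int(m.group(2)), int(m.group(3)))
                counts[key][field] += 1
    verdicts = {}
    for key, c in counts.items():
        if c["resent"]:
            verdicts[key] = ("REPLY_NOT_SEEN_BY_NAS", c["resent"])
        else:
            verdicts[key] = ("SERVER_STILL_PROCESSING", c["unfinished"])
    return verdicts


if __name__ == "__main__":
    for (client, port, rid), (verdict, n) in classify_retransmissions(SERVER_LOG).items():
        print(f"{client}:{port} id={rid}: {verdict} ({n} retransmit(s))")
```
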
