Re: freeradius and mikrotik auth problem pppoe error 691
I had the same problem when I wanted to authenticate the hotspot's user with freeradius. The solution was to make a static mapping on IP - HOTSPOT - IP BINDINGS:

MAC address : THE MAC OF THE SERVER
ADDRESS : THE IP ADDRESS OF THE SERVER
TO ADDRESS : THE SAME AS ABOVE
SERVER : ALL
TYPE : REGULAR or BYPASSED

and then it worked. It was related, since the hotspot connections are passed to the mikrotik's webproxy (capture portal/page).

2009/3/19 Fajar A. Nugraha fa...@fajar.net
> 2009/3/19 Lazar Cherveniakov laz...@mail.bg:
>> Everything looks fine in IP addresses, but the problem is still the same.
>
> Looks like you got exactly the problem I described. See here:
>
>> Mikrotik debug log
>> 01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812
>
> Mikrotik thinks radius IP is 192.168.200.2
>
>> radius server ip's
>> # ifconfig
>> eth0 Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
>>     inet addr:192.168.200.3 Bcast:192.168.200.255 Mask:255.255.255.0
>> eth0:1 Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
>>     inet addr:192.168.200.2 Bcast:192.168.200.255 Mask:255.255.255.0
>
> ... while that IP is secondary IP on the radius server. Do a tcpdump on radius and you should see that radius replies come from 192.168.200.3 (which mikrotik discards, because it's not the IP it sends the request to).
>
> There are several ways to fix this (one of them involves recompiling freeradius with --with-udpfromto, see http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F ), but the easiest way is to simply change mikrotik's config to use 192.168.200.3 as radius IP address.
>
> Regards,
> Fajar

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: freeradius and mikrotik auth problem pppoe error 691
I don't have a firewall. How do I solve the problem?

Thanks in advance.

--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE
Re: freeradius and mikrotik auth problem pppoe error 691
2009/3/19 Lazar Cherveniakov laz...@mail.bg:
> I don't have a firewall. How do I solve the problem?

Does your radius server have more than one IP address? If yes, then probably you tell mikrotik that radius IP is the secondary address while freeradius sends replies from primary IP address.

There are some ways to fix this, but the easiest way is to set your NAS (mikrotik) to use the radius server's primary IP address.
Re: freeradius and mikrotik auth problem pppoe error 691
ping NAS from radius server
ping radius server from nas

Also, check mtik logs... you can turn on radius debugging in mtik and you will see what the problem is...

On Thu, Mar 19, 2009 at 9:42 AM, Fajar A. Nugraha fa...@fajar.net wrote:
> 2009/3/19 Lazar Cherveniakov laz...@mail.bg:
>> I don't have a firewall. How do I solve the problem?
>
> Does your radius server have more than one IP address? If yes, then probably you tell mikrotik that radius IP is the secondary address while freeradius sends replies from primary IP address.
>
> There are some ways to fix this, but the easiest way is to set your NAS (mikrotik) to use the radius server's primary IP address.
Re: freeradius and mikrotik auth problem pppoe error 691
> I don't have a firewall. How do I solve the problem?

Yes, you do. Things like iptables are also firewalls. Use wireshark to find where the packets are stopped. And then fix it.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
Everything looks fine in IP addresses, but the problem is still the same. Here again the log of Mikrotik and freeradius:

Mikrotik debug log

01:33:40 pppoe,info PPPoE connection established from 00:15:AF:1F:23:1A
01:33:40 pppoe,ppp,info pppoe-0: waiting for call...
01:33:40 radius,debug new request 53:02 code=Access-Request service=ppp called-id=pppoe-in
01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812
01:33:40 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:40 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:40 radius,debug,packet Service-Type = 2
01:33:40 radius,debug,packet Framed-Protocol = 1
01:33:40 radius,debug,packet NAS-Port = 10
01:33:40 radius,debug,packet NAS-Port-Type = 15
01:33:40 radius,debug,packet User-Name = lacho
01:33:40 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:40 radius,debug,packet Called-Station-Id = pppoe-in
01:33:40 radius,debug,packet NAS-Port-Id = ether1
01:33:40 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:40 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:40 radius,debug,packet 18
01:33:40 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:40 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = lacho
01:33:41 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:41 radius,debug,packet Called-Station-Id = pppoe-in
01:33:41 radius,debug,packet NAS-Port-Id = ether1
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet 18
01:33:41 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug resending 53:02
01:33:41 radius,debug,packet sending Access-Request with id 8 to 192.168.200.2:1812
01:33:41 radius,debug,packet Signature = 0x83d0415d6b98f0421df6bb83a01bdb28
01:33:41 radius,debug,packet Service-Type = 2
01:33:41 radius,debug,packet Framed-Protocol = 1
01:33:41 radius,debug,packet NAS-Port = 10
01:33:41 radius,debug,packet NAS-Port-Type = 15
01:33:41 radius,debug,packet User-Name = lacho
01:33:41 radius,debug,packet Calling-Station-Id = 00:15:AF:1F:23:1A
01:33:41 radius,debug,packet Called-Station-Id = pppoe-in
01:33:41 radius,debug,packet NAS-Port-Id = ether1
01:33:41 radius,debug,packet CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
01:33:41 radius,debug,packet CHAP-Password = 0x01dad26d1d56167a1899b3e9c8a8ba01
01:33:41 radius,debug,packet 18
01:33:41 radius,debug,packet NAS-Identifier = TEST-RADIUS
01:33:41 radius,debug,packet NAS-IP-Address = 192.168.200.4
01:33:41 radius,debug timeout for 53:02
01:33:41 pppoe,ppp,info pppoe-lacho: terminating... - user lacho authentication failed - radius timeout (6)
01:33:41 pppoe,ppp,info pppoe-lacho: disconnected

Freeradius debug log:

Sending Access-Accept of id 7 to 192.168.200.4 port 32768
    Acct-Interim-Interval = 300
    Session-Timeout = 31
    Mikrotik-Xmit-Limit = 1073217536
    Framed-IP-Address = 10.8.15.44
    Mikrotik-Recv-Limit = 1073217536
    Framed-IP-Netmask = 255.255.255.255
Thu Mar 19 12:37:16 2009 : Debug: Finished request 3
Thu Mar 19 12:37:16 2009 : Debug: Going to the next request
Thu Mar 19 12:37:16 2009 : Debug: Thread 4 waiting to be assigned a request
rad_recv: Access-Request packet from host 192.168.200.4:32768, id=8, length=144
Thu Mar 19 12:37:31 2009 : Debug: --- Walking the entire request list ---
Thu Mar 19 12:37:31 2009 : Debug: Cleaning up request 3 ID 7 with timestamp 49c2205c
Thu Mar 19 12:37:31 2009 : Debug: Waking up in 31 seconds...
Thu Mar 19 12:37:31 2009 : Debug: Threads: total/active/spare threads = 5/0/5
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 got semaphore
Thu Mar 19 12:37:31 2009 : Debug: Thread 5 handling request 4, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Port = 10
    NAS-Port-Type = Ethernet
    User-Name = lacho
    Calling-Station-Id = 00:15:AF:1F:23:1A
    Called-Station-Id = pppoe-in
    NAS-Port-Id = ether1
    CHAP-Challenge = 0xe3c819400560adadbf019f209dc42f7e
    CHAP-Password =
Re: freeradius and mikrotik auth problem pppoe error 691
> Everything looks fine in IP addresses, but the problem is still the same.

No, it's not looking fine. Mikrotik debug log has no trace of Access-Accept packet - it didn't arrive.

> Here again the log of Mikrotik and freeradius:

Stop looking at the logs and start looking at the network.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
> The machines are connected by cable and are 2 meters apart. In this case, where do I find the problem? What and how do I get to see where the real problem is?

Wireshark. If you see packets on the wire - Mikrotik is stopping it. If you don't see them on the wire - radius machine is stopping them.

Ivan Kalik
Kalik Informatika ISP
Re: freeradius and mikrotik auth problem pppoe error 691
2009/3/19 Lazar Cherveniakov laz...@mail.bg:
> Everything looks fine in IP addresses, but the problem is still the same.

Looks like you got exactly the problem I described. See here:

> Mikrotik debug log
> 01:33:40 radius,debug sending 53:02 to 192.168.200.2:1812

Mikrotik thinks radius IP is 192.168.200.2

> radius server ip's
> # ifconfig
> eth0 Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
>     inet addr:192.168.200.3 Bcast:192.168.200.255 Mask:255.255.255.0
> eth0:1 Link encap:Ethernet HWaddr 00:19:66:4E:F4:E8
>     inet addr:192.168.200.2 Bcast:192.168.200.255 Mask:255.255.255.0

... while that IP is secondary IP on the radius server. Do a tcpdump on radius and you should see that radius replies come from 192.168.200.3 (which mikrotik discards, because it's not the IP it sends the request to).

There are several ways to fix this (one of them involves recompiling freeradius with --with-udpfromto, see http://wiki.freeradius.org/index.php/FAQ#Why_does_the_NAS_ignore_the_RADIUS_server.27s_reply.3F ), but the easiest way is to simply change mikrotik's config to use 192.168.200.3 as radius IP address.

Regards,
Fajar
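The tcpdump check suggested in the message above can be automated. The following is an added example, not part of the original thread: it pairs each RADIUS reply with its request and flags replies whose source address differs from the address the NAS sent to, and requests that were never answered. The capture lines are constructed in `tcpdump -n` style from the thread's addresses, and the function name `audit` is hypothetical.

```python
import re

# Constructed sample in `tcpdump -n udp port 1812` style, reusing the thread's
# addresses: NAS 192.168.200.4, server primary .3, server alias .2.
CAPTURE = """\
12:37:16.101 IP 192.168.200.4.32768 > 192.168.200.2.1812: RADIUS, Access-Request (1), id: 0x08 length: 144
12:37:16.105 IP 192.168.200.3.1812 > 192.168.200.4.32768: RADIUS, Access-Accept (2), id: 0x08 length: 62
12:37:17.110 IP 192.168.200.4.32768 > 192.168.200.2.1812: RADIUS, Access-Request (1), id: 0x08 length: 144
12:37:17.113 IP 192.168.200.3.1812 > 192.168.200.4.32768: RADIUS, Access-Accept (2), id: 0x08 length: 62
12:37:20.000 IP 192.168.200.4.32768 > 192.168.200.2.1812: RADIUS, Access-Request (1), id: 0x09 length: 144
"""

LINE = re.compile(
    r"IP (?P<sip>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dip>\d+(?:\.\d+){3})\.(?P<dport>\d+): RADIUS, "
    r"(?P<code>Access[- ](?:Request|Accept|Reject|Challenge)) \(\d+\), "
    r"id: (?P<id>0x[0-9a-fA-F]+)"
)


def audit(capture, radius_port=1812):
    """Pair RADIUS replies with requests; report replies whose source IP is not
    the address the NAS sent to, and requests that never got a reply."""
    pending = {}    # (nas_ip, nas_port, id) -> [server_ip_used_by_nas, answered]
    findings = []
    for line in capture.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        rid = int(m["id"], 16)
        if m["code"].endswith("Request") and int(m["dport"]) == radius_port:
            # Retransmissions reuse the same key, so they collapse into one entry.
            pending.setdefault((m["sip"], int(m["sport"]), rid), [m["dip"], False])
        elif int(m["sport"]) == radius_port:
            entry = pending.get((m["dip"], int(m["dport"]), rid))
            if entry is None:
                continue
            entry[1] = True
            finding = ("source-mismatch", rid, entry[0], m["sip"])
            if m["sip"] != entry[0] and finding not in findings:
                findings.append(finding)
    for (_nas, _port, rid), (server, answered) in pending.items():
        if not answered:
            findings.append(("no-reply", rid, server, None))
    return findings


if __name__ == "__main__":
    for f in audit(CAPTURE):
        print(f)
```

A `source-mismatch` finding corresponds to the multi-homed server case described above; a `no-reply` finding points at filtering between the two hosts or at the server not answering.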
Re: freeradius and mikrotik auth problem pppoe error 691
The machines are connected by cable and are 2 meters apart. In this case, where do I find the problem? What and how do I get to see where the real problem is?

--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE
Re: freeradius and mikrotik auth problem pppoe error 691
> I'm a new radius user and I'm a beginner. I have a problem connecting mikrotik with the radius server. My clients are using the pppoe server and I have connected it to the radius server, but after configuration from internet documentation my server doesn't work, and I receive errors in radius.log and the pppoe server shows error 691.

Wrong log.

http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_still_doesn.27t_work.21

Ivan Kalik
Kalik Informatika ISP
freeradius and mikrotik auth problem pppoe error 691
Hello,

I'm a new radius user and I'm a beginner. I have a problem connecting mikrotik with the radius server. My clients are using the pppoe server and I have connected it to the radius server, but after configuration from internet documentation my server doesn't work, and I receive errors in radius.log and the pppoe server shows error 691.

These are the errors:

Wed Mar 11 17:59:23 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 8 due to unfinished request 0
Wed Mar 11 17:59:26 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 9 due to unfinished request 1
Wed Mar 11 17:59:28 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 10 due to unfinished request 2
Wed Mar 11 18:44:28 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Mar 11 18:44:28 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 11 18:44:28 2009 : Info: Ready to process requests.
Wed Mar 11 18:57:43 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Mar 11 18:57:43 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 11 18:57:43 2009 : Info: Ready to process requests.
Mon Mar 16 22:20:07 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
Mon Mar 16 22:20:07 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Mon Mar 16 22:20:07 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:19 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Mar 18 22:35:19 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 18 22:35:19 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:25 2009 : Info: Using deprecated naslist file. Support for this will go away soon.
Wed Mar 18 22:35:25 2009 : Info: rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Wed Mar 18 22:35:25 2009 : Info: Ready to process requests.
Wed Mar 18 22:35:39 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 1 due to unfinished request 0
Wed Mar 18 22:35:40 2009 : Error: Discarding duplicate request from client TEST-RADIUS:32768 - ID: 1 due to unfinished request 0

This is the mikrotik error:

mar/13 23:42:18 pppoe,info PPPoE connection established from 00:15:AF:1F:23:1A
mar/13 23:42:18 pppoe,ppp,info pppoe-0: waiting for call...
mar/13 23:42:19 pppoe,ppp,info pppoe-lacho: terminating... - user lacho authentication failed - radius timeout (6)
mar/13 23:42:19 pppoe,ppp,info pppoe-lacho: disconnected

Please help me. Thanks in advance.

--
Lazar Cherveniakov
Micro computers system - Lazkom
LIVE FREE OR DIE
Re: freeradius and mikrotik auth problem pppoe error 691
Sorry, I'm a new mailing-list user. While tracking, I installed following the instructions at http://abills.net.ua/wiki/doku.php?id=abills:docs_03:install:en[1]

The full debug log is:

# radiusd -X
Re: freeradius and mikrotik auth problem pppoe error 691
> Sending Access-Accept of id 2 to 192.168.200.4 port 32768
..
> rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144
> Sending duplicate reply to client TEST-RADIUS:32768 - ID: 2
> Re-sending Access-Accept of id 2 to 192.168.200.4 port 32768
..
> rad_recv: Access-Request packet from host 192.168.200.4:32768, id=2, length=144

etc.

Your Access-Accept packet is not reaching Mikrotik. There is a firewall stopping those packets.

Ivan Kalik
Kalik Informatika ISP