Thanks for the suggestion. I was also suspicious about accounting. The ports
are correct. That's the idiocracy of Safeword Premier Access. In fact one of
the reasons for using freeradius is to log accounting packets into a SQL
database, so I have removed the accthost attribute from proxy.conf. However,
the behavior is exactly the same - infinite loop.


                Robert Szelepcsényi 
                Operation Related Services 
                Siemens Business Services s.r.o. 
                Stromová 9 
                830 07 BRATISLAVA 
                Sloveská republika 
                * (+421 2) 5968 4914 
                * (+421 903) 634 844 
                * [EMAIL PROTECTED] 


-----Original Message-----
From: Batman [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: radius server hangs after a correct login authenticated through
proxy


I would check on the accounting. You have it set as port 1813, whereas it
would usually be 1646 on a system with authentication at port 1645.

If you have access to swpa.sbs.sk, try running radiusd in the foreground
(radiusd -X) and watch what it tells you when you send the request.


 
All The Best,
 
Brian Andrus
Millenia Internet Services, Inc.

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Szelepcsenyi Robert
Sent: Friday, May 07, 2004 7:09 AM
To: [EMAIL PROTECTED]
Subject: radius server hangs after a correct login authenticated through
proxy



I need to set up a Freeradius server proxying certain requests to another
radius server (Safeword Premier Access) in order to authenticate users with
tokens. All other users are to be authenticated locally.

My problem is: If I supply a correct password, the thread serving the
request gets into an infinite loop eating almost 100% of CPU time. Bad
passwords are rejected correctly.

The only thing I have configured (besides shared secrets) is that I defined
"myrealm" in proxy.conf file:

realm myrealm {
        type            = radius
        authhost        = swpa.sbs.sk:1645
        accthost        = swpa.sbs.sk:1813
        secret          = mysecret
}

When I try to log into the router as [EMAIL PROTECTED] supplying an incorrect
password, the request is successfully refused. However, when I supply a
correct password, the thread serving the request receives an Access-Accept
packet from the home server, but following that it gets into an infinite
loop and fails to send any response to the NAS. After a while the master
process logs "WARNING: Unresponsive child (id XXXXX) for request YY". strace
or ltrace on the blocked thread did not yield anything.

My OS is SuSE 9.0. I tried both the SuSE package (version 0.9.0) and a
binary compiled from the sources (version 0.9.3).

I suppose that I am missing something in my configuration (although the
server should not get into an infinite loop).

Any help will be appreciated.





the output from "radiusd -xx" is:


**************** Incorrect password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4 Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "123456"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "myrealm"
    rlm_realm: Adding Stripped-User-Name = "robert"
    rlm_realm: Proxying request from user robert to realm myrealm
    rlm_realm: Adding Realm = "myrealm"
    rlm_realm: Preparing to proxy authentication request to realm "myrealm" 
  modcall[authorize]: module "suffix" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0 Sending
Access-Request of id 1 to 163.242.54.177:1645
        User-Name = "robert"
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Password = "123456"
        Proxy-State = 0x313035
Thread 1 waiting to be assigned a request
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1,
length=28
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
        Reply-Message = "\n"
        Proxy-State = 0x313035
modcall: entering group post-proxy for request 0
  modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0 Delaying request 0 for
1 seconds Finished request 0 Going to the next request Thread 2 waiting to
be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5 Sending Access-Reject of id 105
to 163.242.48.9:1645
        Reply-Message = "\n"
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 409b9368 Nothing to do.
Sleeping until we see a request.



**************** Correct password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4 Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Name = "[EMAIL PROTECTED]"
        User-Password = "fp5cp7"
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
    rlm_realm: Found realm "myrealm"
    rlm_realm: Adding Stripped-User-Name = "robert"
    rlm_realm: Proxying request from user robert to realm myrealm
    rlm_realm: Adding Realm = "myrealm"
    rlm_realm: Preparing to proxy authentication request to realm "myrealm" 
  modcall[authorize]: module "suffix" returns updated for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0 Sending
Access-Request of id 1 to 163.242.54.177:1645
        User-Name = "robert"
        NAS-IP-Address = 163.242.48.9
        NAS-Port = 0
        User-Password = "fp5cp7"
        Proxy-State = 0x313037
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1,
length=125
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Cisco-AVPair = "lcp:callback-dialstring="
        Cisco-AVPair = "lcp:nocallback-verify=1"
        Cisco-AVPair = "ip:addr-pool=main_pool"
modcall: entering group post-proxy for request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107,
length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live
request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 32771) for request 0 Server rejecting
request 0.
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...






                Robert Szelepcsényi 
                Operation Related Services 
                Siemens Business Services s.r.o. 
                Stromová 9 
                830 07 BRATISLAVA 
                Sloveská republika 
                * (+421 2) 5968 4914 
                * (+421 903) 634 844 
                * [EMAIL PROTECTED] 

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
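
Added example, not part of the original thread and not FreeRADIUS code: a small Python triage script that reads radiusd debug output like the traces above and reports requests that entered a module group, never returned from it, and were then flagged as an unresponsive child. The sample log is constructed (addresses, client name "nas1" and request numbers are placeholders), and it is wrapped the way the mail client wrapped the real output.

```python
import re

# One pattern per debug-log event; \s+ tolerates lines wrapped by a mail client.
EVENT = re.compile(
    r"entering\s+group\s+(?P<enter>\S+)\s+for\s+request\s+(?P<ereq>\d+)"
    r"|group\s+(?P<ret>\S+)\s+returns\s+\w+\s+for\s+request\s+(?P<rreq>\d+)"
    r"|Discarding\s+new\s+request\s+from\s+client\s+\S+\s+-\s+ID:\s+\d+"
    r"\s+due\s+to\s+live\s+request\s+(?P<dreq>\d+)"
    r"|Unresponsive\s+child\s+\(id\s+\d+\)\s+for\s+request\s+(?P<ureq>\d+)"
)

def find_stalled(log):
    """Return one record per request reported as an unresponsive child."""
    open_group, dropped, stalled = {}, {}, []
    for m in EVENT.finditer(log):
        if m["enter"]:                      # group started: remember it
            open_group[m["ereq"]] = m["enter"]
            dropped[m["ereq"]] = 0          # count drops per group entry
        elif m["ret"]:                      # group finished normally
            open_group.pop(m["rreq"], None)
        elif m["dreq"]:                     # NAS retransmit thrown away
            dropped[m["dreq"]] = dropped.get(m["dreq"], 0) + 1
        elif m["ureq"]:                     # server gave up on the thread
            req = m["ureq"]
            stalled.append({"request": int(req),
                            "stuck_in": open_group.get(req),
                            "retransmits_dropped": dropped.get(req, 0)})
    return stalled

# Constructed sample: request 0 is rejected and completes, request 1 is
# accepted by the home server and then hangs in post-proxy.
SAMPLE = """\
modcall: entering group authorize for request 0
modcall: group authorize returns updated for request 0
rad_recv: Access-Reject packet from host 192.0.2.20:1645, id=1,
length=28
modcall: entering group post-proxy for request 0
modcall: group post-proxy returns noop for request 0
modcall: entering group authorize for request 1
modcall: group authorize returns updated for request 1
rad_recv: Access-Accept packet from host 192.0.2.20:1645, id=2,
length=125
modcall: entering group post-proxy for request 1
Discarding new request from client nas1:1645 - ID: 107 due to live
request 1
Discarding new request from client nas1:1645 - ID: 107 due to live
request 1
WARNING: Unresponsive child (id 32771) for request 1
"""

if __name__ == "__main__":
    print(find_stalled(SAMPLE))
```

The "stuck_in" field names the last module group the request entered without returning, which is the section of the configuration to inspect first.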


- 
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Reply via email to