Thanks for the suggestion. I was also suspicious about accounting. The ports are correct. That's the idiocracy of Safeword Premier Access. In fact one of the reasons for using freeradius is to log accounting packets into a SQL database, so I have removed the accthost attribute from proxy.conf. However, the behavior is exactly the same - infinite loop.
Robert Szelepcsényi
Operation Related Services
Siemens Business Services s.r.o.
Stromová 9
830 07 BRATISLAVA
Sloveská republika
* (+421 2) 5968 4914
* (+421 903) 634 844
* [EMAIL PROTECTED]

-----Original Message-----
From: Batman [mailto:[EMAIL PROTECTED]
Sent: Friday, May 07, 2004 4:22 PM
To: [EMAIL PROTECTED]
Subject: RE: radius server hangs after a correct login authenticated through proxy

I would check on the accounting. You have it set as port 1813, whereas it would usually be 1646 on a system with authentication at port 1645.

If you have access to swpa.sbs.sk, try running radiusd in the foreground (radiusd -X) and watch what it tells you when you send the request.

All The Best,
Brian Andrus
Millenia Internet Services, Inc.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Szelepcsenyi Robert
Sent: Friday, May 07, 2004 7:09 AM
To: [EMAIL PROTECTED]
Subject: radius server hangs after a correct login authenticated through proxy

I need to set up a Freeradius server proxying certain requests to another radius server (Safeword Premier Access) in order to authenticate users with tokens. All other users are to be authenticated locally.

My problem is: If I supply a correct password, the thread serving the request gets into an infinite loop eating almost 100% of CPU time. Bad passwords are rejected correctly.

The only thing I have configured (besides shared secrets) is that I defined "myrealm" in proxy.conf file:

realm myrealm {
    type = radius
    authhost = swpa.sbs.sk:1645
    accthost = swpa.sbs.sk:1813
    secret = mysecret
}

When I try to log into the router as [EMAIL PROTECTED] supplying an incorrect password, the request is successfully refused. However, when I supply a correct password, the thread serving the request receives an Access-Accept packet from the home server, but following that it gets into an infinite loop and fails to send any response to the NAS. After a while the master process logs "WARNING: Unresponsive child (id XXXXX) for request YY". strace or ltrace on the blocked thread did not yield anything.

My OS is SuSE 9.0. I tried both the SuSE package (version 0.9.0) and a binary compiled from the sources (version 0.9.3).

I suppose that I am missing something in my configuration (although the server should not get into an infinite loop). Any help will be appreciated.

The output from "radiusd -xx" is:

**************** Incorrect password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105, length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
    NAS-IP-Address = 163.242.48.9
    NAS-Port = 0
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "123456"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "robert"
rlm_realm: Proxying request from user robert to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Preparing to proxy authentication request to realm "myrealm"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 163.242.54.177:1645
    User-Name = "robert"
    NAS-IP-Address = 163.242.48.9
    NAS-Port = 0
    User-Password = "123456"
    Proxy-State = 0x313035
Thread 1 waiting to be assigned a request
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1, length=28
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
    Reply-Message = "\n"
    Proxy-State = 0x313035
modcall: entering group post-proxy for request 0
modcall[post-proxy]: module "eap" returns noop for request 0
modcall: group post-proxy returns noop for request 0
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
Thread 2 waiting to be assigned a request
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/0/5
Sending Access-Reject of id 105 to 163.242.48.9:1645
    Reply-Message = "\n"
Waking up in 1 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 105 with timestamp 409b9368
Nothing to do. Sleeping until we see a request.

**************** Correct password supplied *********************

rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Thread 1 assigned request 0
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 1 handling request 0, (1 handled so far)
    NAS-IP-Address = 163.242.48.9
    NAS-Port = 0
    User-Name = "[EMAIL PROTECTED]"
    User-Password = "fp5cp7"
modcall: entering group authorize for request 0
modcall[authorize]: module "preprocess" returns ok for request 0
modcall[authorize]: module "chap" returns noop for request 0
modcall[authorize]: module "eap" returns noop for request 0
rlm_realm: Looking up realm "myrealm" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "myrealm"
rlm_realm: Adding Stripped-User-Name = "robert"
rlm_realm: Proxying request from user robert to realm myrealm
rlm_realm: Adding Realm = "myrealm"
rlm_realm: Preparing to proxy authentication request to realm "myrealm"
modcall[authorize]: module "suffix" returns updated for request 0
users: Matched DEFAULT at 152
modcall[authorize]: module "files" returns ok for request 0
modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns updated for request 0
Sending Access-Request of id 1 to 163.242.54.177:1645
    User-Name = "robert"
    NAS-IP-Address = 163.242.48.9
    NAS-Port = 0
    User-Password = "fp5cp7"
    Proxy-State = 0x313037
Thread 1 waiting to be assigned a request
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1, length=125
Thread 2 assigned request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
Thread 2 handling request 0, (1 handled so far)
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Cisco-AVPair = "lcp:callback-dialstring="
    Cisco-AVPair = "lcp:nocallback-verify=1"
    Cisco-AVPair = "ip:addr-pool=main_pool"
modcall: entering group post-proxy for request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Discarding new request from client cisco2500:1645 - ID: 107 due to live request 0
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
WARNING: Unresponsive child (id 32771) for request 0
Server rejecting request 0.
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...
--- Walking the entire request list ---
Waking up in 5 seconds...

Robert Szelepcsényi
Operation Related Services
Siemens Business Services s.r.o.
Stromová 9
830 07 BRATISLAVA
Sloveská republika
* (+421 2) 5968 4914
* (+421 903) 634 844
* [EMAIL PROTECTED]

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
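
An added illustration, not part of the original thread and not FreeRADIUS code: this Python script scans radiusd debug output for the symptom reported above, a home-server reply that is never followed by a reply to the NAS. The function names, record fields and the condensed sample are assumptions made for the example, and it assumes a lightly loaded server whose log lines for one request are not interleaved with another's.

```python
import re

RECV = re.compile(r"rad_recv: (Access-\w+) packet from host (\S+), id=(\d+)")
SEND = re.compile(r"Sending (Access-\w+) of id (\d+) to (\S+)")
UNRESP = re.compile(r"WARNING: Unresponsive child \(id \d+\) for request \d+")

def triage(log_text):
    """Return one record per NAS Access-Request seen in radiusd debug output."""
    records, live, proxied, last = [], {}, {}, None
    for line in log_text.splitlines():
        if m := RECV.search(line):
            kind, key = m[1], (m[2], int(m[3]))
            if kind == "Access-Request":
                if (rec := live.get(key)) is None or rec["answered"]:  # new (IDs are reused)
                    rec = live[key] = {"nas": key[0], "id": key[1], "home_reply": None,
                                       "answered": False, "retransmits": 0, "unresponsive": False}
                    records.append(rec)
                else:                               # NAS retry while the first copy is in flight
                    rec["retransmits"] += 1
                last = rec
            elif rec := proxied.get(key):           # reply from the home server
                rec["home_reply"], last = kind, rec
        elif m := SEND.search(line):
            kind, key = m[1], (m[3], int(m[2]))
            if kind == "Access-Request" and last:   # request forwarded to the home server
                proxied[key] = last
            elif key in live:                       # final answer sent back to the NAS
                live[key]["answered"] = True
        elif UNRESP.search(line) and last:          # assumption: refers to the latest request
            last["unresponsive"] = True
    return records

def stalled(records):  # home server answered, but no reply ever went to the NAS
    return [r for r in records if r["home_reply"] and not r["answered"]]

SAMPLE = """\
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=105, length=66
Sending Access-Request of id 1 to 163.242.54.177:1645
rad_recv: Access-Reject packet from host 163.242.54.177:1645, id=1, length=28
Sending Access-Reject of id 105 to 163.242.48.9:1645
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
Sending Access-Request of id 1 to 163.242.54.177:1645
rad_recv: Access-Accept packet from host 163.242.54.177:1645, id=1, length=125
rad_recv: Access-Request packet from host 163.242.48.9:1645, id=107, length=66
WARNING: Unresponsive child (id 32771) for request 0
"""  # constructed sample: lines condensed from the debug trace quoted in this thread

if __name__ == "__main__":
    print(stalled(triage(SAMPLE)))
```

Run over a full `radiusd -X` capture, `stalled(triage(text))` lists only the requests that hung after the proxy reply; rejected logins, which complete normally, are not reported.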