On Mon, Sep 03, 2007 at 10:52:27AM +0200, Alan DeKok wrote:
> Scott Lambert wrote:
> > I decided to simplify and try just using radclient from the new server
> > and leaving the FreeRADIUS daemon out of it. That also gets replies but
> > radclient throws them out because it doesn't think it sent the request.
>
> Ok. Both the server and radclient now use the same code to match
> replies to requests, so it's expected that they will have the same issues.
>
> > I suspect that the jail has a lot to do with the problem.
>
> Try running a test system outside of the jail. If that works, then
> the problem will at least be narrowed down to the jail.
>
> > tcpdump of the request:
> ...
>
> That looks OK.
>
> Another option is to instrument src/lib/packet.c, function
> lrad_packet_cmp(). Have it print out WHAT it's comparing, and WHEN it's
> returning. You'll get a lot of spurious output, but you'll also find
> out why the reply isn't being matched to a request.

I've been instrumenting the heck out of anything I thought might be
useful. My coding skills are very rusty, but here's what I've come up
with.

src/lib/packet.c:lrad_packet_cmp() likes the response packet.
src/lib/packet.c:lrad_packet_find_by_reply() seems to be failing.

radclient appears to be using 0.0.0.0 as the source IP address.
lrad_packet_cmp appears to be seeing the source IP address as
69.153.112.27.

I haven't figured out how to instrument lrad_hash_table_finddata and the
stuff chained from there in a meaningful way. I'm getting lost in the
execution path.

Based on the above, I changed the listen stanza in radius.conf

- ipaddr = *
+ ipaddr = 69.153.112.27

This permits the server to successfully proxy requests to other servers.

I don't see a way to get radclient to use a specific source IP address.

$ ( echo "User-Name = \"testuser1\""; echo "User-Password = \"shhhhh!\""; echo "NAS-IP-Address = 69.153.112.27"; echo "NAS-Port = 1645"; echo "Framed-Protocol = PPP") | ./radclient -r 2 -x 216.61.218.2:1645 auth radius_secret
Sending Access-Request of id 233 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=233, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134591488
lrad_packet_list_find_byreply: ps->inaddr_any false, reply->dst_ipaddr.ipaddr.ip4addr = 0
# the above is the false path of the if statement based on ps->inaddr_any.
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112 reply->src_port = 1645
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 0
radclient: received response to request we did not send. (id=233 socket 3)
Sending Access-Request of id 233 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 1645
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=233, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134591488
lrad_packet_list_find_byreply: ps->inaddr_any false, reply->dst_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112 reply->src_port = 1645
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 0
radclient: received response to request we did not send. (id=233 socket 3)
lrad_packet_cmp: a->sockfd=3 b->sockfd=3
lrad_packet_cmp: a->id=233 b->id=233
lrad_packet_cmp: a->src_port=62844 b->src_port=62844
lrad_packet_cmp: a->dst_port=1645 b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2 b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2 b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112 b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2 b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2 b->src_ipaddr=460364101
lrad_packet_cmp: a->src_ipaddr.af=2 b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=460364101 b->src_ipaddr.ipaddr.ip4addr=460364101
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=69.153.112.27 b->src_ipaddr.ipaddr.ip4addr=69.153.112.27
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_cmp: a->sockfd=3 b->sockfd=3
lrad_packet_cmp: a->id=233 b->id=233
lrad_packet_cmp: a->src_port=62844 b->src_port=62844
lrad_packet_cmp: a->dst_port=1645 b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2 b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2 b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112 b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2 b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2 b->src_ipaddr=460364101
lrad_packet_cmp: a->src_ipaddr.af=2 b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=460364101 b->src_ipaddr.ipaddr.ip4addr=460364101
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=69.153.112.27 b->src_ipaddr.ipaddr.ip4addr=69.153.112.27
lrad_packet_cmp: lrad_ipaddr_cmp = 0
radclient: no response from server for ID 233 socket 3

=================================================================

Outside the jail on the same hardware/freeradius binaries, this is what
the radclient output looks like:

$ ( echo "User-Name = \"testuser1\""; echo "User-Password = \"shhhhh!\""; echo "NAS-IP-Address = 69.153.112.27"; echo "NAS-Port = 16"; echo "Framed-Protocol = PPP") | ./radclient -r 2 -x 216.61.218.2:1645 auth radius_secret
Sending Access-Request of id 39 to 216.61.218.2 port 1645
        User-Name = "testuser1"
        User-Password = "shhhhh!"
        NAS-IP-Address = 69.153.112.27
        NAS-Port = 16
        Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 216.61.218.2 port 1645, id=39, length=366
radclient: recv_one_packet: client_ipaddr.af = 2
radclient: recv_one_packet: client_ipaddr.ipaddr.ip4addr = 0
lrad_packet_list_find_byreply: lrad_socket_find returned 134593536
lrad_packet_list_find_byreply: ps->inaddr_any true, ps->ipaddr = 2
# the above is the true path of the if statement based on ps->inaddr_any.
lrad_packet_list_find_byreply: reply->src_ipaddr.ipaddr.ip4addr = 47857112 reply->src_port = 1645
lrad_packet_cmp: a->sockfd=3 b->sockfd=3
lrad_packet_cmp: a->id=39 b->id=39
lrad_packet_cmp: a->src_port=63507 b->src_port=63507
lrad_packet_cmp: a->dst_port=1645 b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2 b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2 b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112 b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2 b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2 b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2 b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0 b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_list_find_byreply: lrad_hash_table_finddata returned 134571284
lrad_packet_cmp: a->sockfd=3 b->sockfd=3
lrad_packet_cmp: a->id=39 b->id=39
lrad_packet_cmp: a->src_port=63507 b->src_port=63507
lrad_packet_cmp: a->dst_port=1645 b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2 b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2 b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112 b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2 b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2 b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2 b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0 b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
lrad_packet_cmp: a->sockfd=3 b->sockfd=3
lrad_packet_cmp: a->id=39 b->id=39
lrad_packet_cmp: a->src_port=63507 b->src_port=63507
lrad_packet_cmp: a->dst_port=1645 b->dst_port=1645
lrad_packet_cmp: a->dst_ipaddr=2 b->dst_ipaddr=47857112
lrad_packet_cmp: a->dst_ipaddr.af=2 b->dst_ipaddr.af=2
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=47857112 b->dst_ipaddr.ipaddr.ip4addr=47857112
lrad_packet_cmp: a->dst_ipaddr.ipaddr.ip4addr=216.61.218.2 b->dst_ipaddr.ipaddr.ip4addr=216.61.218.2
lrad_packet_cmp: a->src_ipaddr=2 b->src_ipaddr=0
lrad_packet_cmp: a->src_ipaddr.af=2 b->src_ipaddr.af=2
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0 b->src_ipaddr.ipaddr.ip4addr=0
lrad_packet_cmp: a->src_ipaddr.ipaddr.ip4addr=0.0.0.0 b->src_ipaddr.ipaddr.ip4addr=0.0.0.0
lrad_packet_cmp: lrad_ipaddr_cmp = 0
        Service-Type = Framed-User
...

Do I need to take this to the FreeBSD folks, or is this fixable in
FreeRADIUS?

-- 
Scott Lambert KC5MLE Unix SysAdmin
[EMAIL PROTECTED]
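
Added example, not part of the original message and not FreeRADIUS code: a simplified C model of the reply lookup, replayed with the addresses from the jailed run above, showing why the lookup key built from the reply differs from the stored request. The struct layouts, function names, the reply's destination port and the `use_fallback` idea (one possible approach) are assumptions made for illustration.

```c
#include <arpa/inet.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumptions) for the records named in the debug output. */
struct sock_info { int inaddr_any; uint32_t ipaddr; };
struct pkt { int sockfd, id; uint32_t src_ip, dst_ip; uint16_t src_port, dst_port; };

/* Exact-match comparison on the full request tuple. */
static int same_request(const struct pkt *a, const struct pkt *b)
{
    return a->sockfd == b->sockfd && a->id == b->id &&
           a->src_ip == b->src_ip && a->src_port == b->src_port &&
           a->dst_ip == b->dst_ip && a->dst_port == b->dst_port;
}

/* Turn a reply into the key of the request it answers (addresses swapped).
 * use_fallback: when the reply has no local address, use the socket's own. */
static struct pkt key_from_reply(const struct sock_info *ps,
                                 const struct pkt *reply, int use_fallback)
{
    struct pkt key = { .sockfd = reply->sockfd, .id = reply->id,
                       .dst_ip = reply->src_ip, .dst_port = reply->src_port,
                       .src_port = reply->dst_port };
    if (ps->inaddr_any || (use_fallback && reply->dst_ip == 0))
        key.src_ip = ps->ipaddr;     /* address recorded for the socket */
    else
        key.src_ip = reply->dst_ip;  /* 0 in the jailed run */
    return key;
}

/* Replay one lookup with the logged addresses; returns 1 if the reply matches. */
int reply_is_matched(int in_jail, int use_fallback)
{
    uint32_t server = inet_addr("216.61.218.2");
    uint32_t local = in_jail ? inet_addr("69.153.112.27") : 0;  /* stored source */
    struct sock_info ps = { .inaddr_any = !in_jail, .ipaddr = local };
    struct pkt request = { 3, 233, local, server, 62844, 1645 };
    struct pkt reply = { 3, 233, server, 0, 1645, 62844 };  /* dst port assumed */
    struct pkt key = key_from_reply(&ps, &reply, use_fallback);
    return same_request(&request, &key);
}

int main(void)
{
    printf("jail: %d  outside: %d  jail+fallback: %d\n",
           reply_is_matched(1, 0), reply_is_matched(0, 0), reply_is_matched(1, 1));
    return 0;
}
```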