You guys are awesome! It was the RADIUS secret; there was a space that somehow got at the end of the RADIUS secret on the switch ... apparently Cisco interprets the whitespace at the end of the RADIUS server key as part of the key itself.
And very big thanks for the raddebug command, I will be looking into that!

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU
900 College St.
Belton, Texas 76513
Fone: 254-295-4658
Phax: 254-295-4221

________________________________
From: Fletcher Haynes [[email protected]]
Sent: Wednesday, August 20, 2014 11:07 AM
To: [email protected]
Subject: Re: [PacketFence-users] RADIUS Access-request but no Access-accept

That's the program I was trying to think of! Thank you Louis!

On Wed, Aug 20, 2014 at 8:59 AM, Louis Munro <[email protected]> wrote:

Then say hello to my little friend… raddebug!

Using raddebug allows you to add conditions to be debugged with unlang.
For example, I can do this:

    # sbin/raddebug -d etc/raddb -t2800 -c '( Packet-Src-Ip-Address == 192.168.239.141 )'

If the shared secret is incorrect you will get an error like the following:

    Wed Aug 20 11:51:30 2014 : Debug: Received packet from 192.168.239.141 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response.

Shared secret errors are not logged. That is why I suspect it may be your problem.

Read the friendly manpage for raddebug and unlang.
It is a very powerful technique for debugging connections without restarting radius and still allows you to narrow down the search by client IP, device MAC or any arbitrary condition which you can match using unlang.

One caveat: because of the way PF is configured you may have to switch to the pf uid to be allowed to use raddebug:

    # su - pf

Regards,
--
Louis Munro
[email protected] :: www.inverse.ca
+1.514.447.4918 x125 :: +1 (866) 353-6153 x125
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)

On 2014-08-20, at 11:25, "Sallee, Jake" <[email protected]> wrote:

Yeah, with about 50 auth requests a second, the debug output is a bit hard to manage. But I'll see what I can do.

Jake Sallee
Godfather of Bandwidth
System Engineer
University of Mary Hardin-Baylor
WWW.UMHB.EDU

--
Fletcher Haynes <[email protected]>
Systems Administrator/Network Services Consultant
Willamette Integrated Technology Services
Willamette University, Salem, OR
Phone: 503.370.6016

_______________________________________________
PacketFence-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/packetfence-users
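
Why a single trailing space in the key produces the "invalid Message-Authenticator" error quoted above, as an added example that is not part of the original thread or of PacketFence/FreeRADIUS code: the Message-Authenticator is an HMAC-MD5 over the whole packet keyed with the shared secret (RFC 3579, section 3.2), so any extra byte in the key changes the digest. The secret, user name and function names below are constructed for illustration.

```python
import hashlib
import hmac
import os
import struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 3579, section 3.2)


def build_access_request(secret: bytes, username: bytes, ident: int = 1) -> bytes:
    """Build a minimal Access-Request signed the way a NAS (the switch) would."""
    authenticator = os.urandom(16)                      # Request Authenticator
    attrs = bytes([1, 2 + len(username)]) + username    # User-Name (type 1)
    attrs += bytes([MSG_AUTH, 18]) + bytes(16)          # zeroed placeholder, placed last
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator
    packet = bytearray(header + attrs)
    # HMAC-MD5 over the packet with the Message-Authenticator value zeroed.
    packet[-16:] = hmac.new(secret, bytes(packet), hashlib.md5).digest()
    return bytes(packet)


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Recompute the HMAC with the server-side secret and compare, as the server does."""
    if len(packet) < 20:
        return False
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        return False
    pos = 20
    while pos + 2 <= length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            return False                                # malformed attribute
        if atype == MSG_AUTH and alen == 18:
            zeroed = bytearray(packet[:length])
            zeroed[pos + 2:pos + 18] = bytes(16)
            expected = hmac.new(secret, bytes(zeroed), hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += alen
    return False                                        # attribute not present


if __name__ == "__main__":
    server_secret = b"s3cr3t-constructed"               # constructed sample value
    switch_secret = server_secret + b" "                # same key plus a trailing space
    pkt = build_access_request(switch_secret, b"jdoe")
    print("checked with server secret:", verify_message_authenticator(server_secret, pkt))
    print("checked with switch secret:", verify_message_authenticator(switch_secret, pkt))
```

The first check fails and the second succeeds, which is the server-side view of the dropped Access-Request in this thread.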
