On 8.6.2021 16.31, Jan Tomasek wrote:

On 08. 06. 21 15:16, Jan Tomasek wrote:
I also attached a log example. I just realized that the Access-Reject is produced for a transmitted request.

I mean re-transmitted, here is client side:

Thanks for the config and the logs. I think we can get this fixed easily. Your Radiator config has 'DupInterval 0' in the <Client ...> clause. For this reason Access-Request with id 7 is not detected as a duplicate by Radiator and it's written to OpenSSL, which then correctly does not like it.

The default DupInterval is 10 (seconds). The configuration samples used to have 0 for testing purposes, but this is no longer needed and the default is fine for the most cases.

Even with the default DupInterval there can still be a problem in that the TLS handshake is done before LDAP is attempted. When LDAP access is attempted, IGNORE is returned, but before that the TLS handshake can be done.

Please let us know if the default DupInterval helps.

Thanks,
Heikki

....
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=6 length=101
    Attribute 79 (EAP-Message) length=63
      Value: 0184003d190017030300323668f2957c308bb0bfc6202524c4a07cbe9bfe969bc66b9656360d496737327fabb94c9dc064d535fa50969b120ea0b0ec2c
    Attribute 80 (Message-Authenticator) length=18
       Value: 1e0905ad595712969322e32c4677dfa2
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=7 length=290
    Attribute 1 (User-Name) length=20
       Value: 'netsa...@cesnet.cz'
    Attribute 4 (NAS-IP-Address) length=6
       Value: 127.0.0.1
    Attribute 31 (Calling-Station-Id) length=19
       Value: '70-6F-6C-69-01-F7'
    Attribute 12 (Framed-MTU) length=6
       Value: 1400
    Attribute 61 (NAS-Port-Type) length=6
       Value: 19
    Attribute 6 (Service-Type) length=6
       Value: 2
    Attribute 77 (Connect-Info) length=79
      Value: 'ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz'
    Attribute 79 (EAP-Message) length=110
      Value: 0284006c1900170303006195c79d1ad87c61c5396bf6d4ea7984cbe4263bcd95f3944bf5f58ac85aa7dc0d3aefd4eafe069d557b67cb68e86fdb910f97bd928240bc375e2885175a8cb2d231b63a86a5a564eb3d8b63977243b3e485e5405eca5db08ce746ba4bed15f0ce31
    Attribute 80 (Message-Authenticator) length=18
       Value: 4dea5652d58321283164c6c12bdb323c
STA 70:6f:6c:69:01:f7: Resending RADIUS message (id=7)
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=7 length=60
    Attribute 79 (EAP-Message) length=6
       Value: 04840004
    Attribute 80 (Message-Authenticator) length=18
       Value: 5d71bbb4c23aabcff00098829a478142
    Attribute 18 (Reply-Message) length=16
       Value: 'Request Denied'

Please note the "Resending RADIUS message (id=7)", after which the reject comes.

Sorry for double post.

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
_______________________________________________
radiator mailing list
radiator@lists.open.com.au
https://lists.open.com.au/mailman/listinfo/radiator
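The effect of 'DupInterval 0' described in the reply above, as an added example that is not Radiator's code: a minimal duplicate cache keyed on client address, Identifier and Request Authenticator, driven with a constructed Access-Request id=7 and its retransmission. The key, the expiry rule and the packet contents are assumptions made for illustration, not Radiator's implementation.

```python
import struct

# RADIUS header (RFC 2865): Code, Identifier, Length, Request Authenticator
HDR = struct.Struct("!BBH16s")
ACCESS_REQUEST = 1

def parse_header(packet: bytes):
    """Return (code, identifier, authenticator) after validating the Length field."""
    code, ident, length, auth = HDR.unpack_from(packet)
    if length < 20 or length != len(packet):
        raise ValueError("RADIUS Length does not match packet size")
    return code, ident, auth

class DupCache:
    """Remembers recent requests for dup_interval seconds; 0 disables detection.
    Keying on (client, Identifier, Authenticator) is an assumption, not Radiator's code."""
    def __init__(self, dup_interval: float):
        self.dup_interval = dup_interval
        self._seen = {}  # key -> (time received, reply sent)

    def lookup(self, client: str, packet: bytes, now: float):
        _, ident, auth = parse_header(packet)
        key = (client, ident, auth)
        # Expire old entries; with dup_interval 0 nothing survives, so every
        # retransmission looks like a new request and reaches the EAP/TLS layer.
        self._seen = {k: v for k, v in self._seen.items()
                      if now - v[0] < self.dup_interval}
        return key, self._seen.get(key)

    def store(self, key, reply: str, now: float):
        self._seen[key] = (now, reply)

def build_request(ident: int, authenticator: bytes) -> bytes:
    # Constructed Access-Request: header plus NAS-IP-Address 127.0.0.1 (type 4, len 6)
    attrs = bytes([4, 6, 127, 0, 0, 1])
    return HDR.pack(ACCESS_REQUEST, ident, 20 + len(attrs), authenticator) + attrs

def simulate(dup_interval: float):
    """Deliver id=7, then the client's retransmission 3 s later; return what happened."""
    cache = DupCache(dup_interval)
    req = build_request(7, b"\x11" * 16)  # constructed authenticator, same on retransmit
    outcome = []
    for now in (0.0, 3.0):
        key, cached = cache.lookup("127.0.0.1", req, now)
        if cached:
            outcome.append("duplicate: replayed " + cached[1])
        else:
            outcome.append("new: handed to EAP/TLS")
            cache.store(key, "Access-Challenge", now)
    return outcome
```

A retransmission carries the same Identifier and Request Authenticator, so only those two fields together identify a duplicate; a genuinely new request that reuses id 7 has a fresh Authenticator and is processed normally.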
