On 8.6.2021 16.31, Jan Tomasek wrote:
On 08. 06. 21 15:16, Jan Tomasek wrote:
I also attached log example. I just realized, that access-reject is
produced for transmitted request.
I mean re-transmitted, here is client side:
Thanks for the config and the logs. I think we can get this fixed
easily. Your Radiator config has 'DupInterval 0' in the <Client ...>
clause. For this reason Access-Request with id 7 is not detected as a
duplicate by Radiator and it's written to OpenSSL, which then correctly
does not like it.
The default DupInterval is 10 (seconds). The configuration samples used
to have 0 for testing purposes, but this is no longer needed and the
default is fine for most cases.
Even with the default DupInterval there still can be a problem that the
TLS handshake is done before LDAP is attempted. When LDAP access is
attempted IGNORE is returned but before that TLS handshake can be done.
Please let us know if the default DupInterval helps.
Thanks,
Heikki
....
Received RADIUS message
RADIUS message: code=11 (Access-Challenge) identifier=6 length=101
Attribute 79 (EAP-Message) length=63
Value:
0184003d190017030300323668f2957c308bb0bfc6202524c4a07cbe9bfe969bc66b9656360d496737327fabb94c9dc064d535fa50969b120ea0b0ec2c
Attribute 80 (Message-Authenticator) length=18
Value: 1e0905ad595712969322e32c4677dfa2
Sending RADIUS message to authentication server
RADIUS message: code=1 (Access-Request) identifier=7 length=290
Attribute 1 (User-Name) length=20
Value: 'netsa...@cesnet.cz'
Attribute 4 (NAS-IP-Address) length=6
Value: 127.0.0.1
Attribute 31 (Calling-Station-Id) length=19
Value: '70-6F-6C-69-01-F7'
Attribute 12 (Framed-MTU) length=6
Value: 1400
Attribute 61 (NAS-Port-Type) length=6
Value: 19
Attribute 6 (Service-Type) length=6
Value: 2
Attribute 77 (Connect-Info) length=79
Value: 'ermon.cesnet.cz is testing realm cesnet.cz at radius server radius1.cesnet.cz'
Attribute 79 (EAP-Message) length=110
Value:
0284006c1900170303006195c79d1ad87c61c5396bf6d4ea7984cbe4263bcd95f3944bf5f58ac85aa7dc0d3aefd4eafe069d557b67cb68e86fdb910f97bd928240bc375e2885175a8cb2d231b63a86a5a564eb3d8b63977243b3e485e5405eca5db08ce746ba4bed15f0ce31
Attribute 80 (Message-Authenticator) length=18
Value: 4dea5652d58321283164c6c12bdb323c
STA 70:6f:6c:69:01:f7: Resending RADIUS message (id=7)
Received RADIUS message
RADIUS message: code=3 (Access-Reject) identifier=7 length=60
Attribute 79 (EAP-Message) length=6
Value: 04840004
Attribute 80 (Message-Authenticator) length=18
Value: 5d71bbb4c23aabcff00098829a478142
Attribute 18 (Reply-Message) length=16
Value: 'Request Denied'
Please note the "Resending RADIUS message (id=7)", after which the reject
comes.
Sorry for double post.
--
Heikki Vatiainen <h...@open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.
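
The failure discussed in this thread, as a simplified model added here for illustration (not Radiator's code and not from either poster): a resent Access-Request that is not caught by duplicate detection reaches the TLS layer a second time and is refused. The cache key (client address, source port, identifier), the stub TLS layer, port 40000, the TLS record bytes and the timings are assumptions.

```python
class TlsStub:
    """Stand-in for the EAP-TLS tunnel: each TLS record is valid exactly once."""
    def __init__(self):
        self.consumed = set()

    def feed(self, record: bytes) -> str:
        if record in self.consumed:
            return "rejected"      # replayed record fails, as OpenSSL did for id 7
        self.consumed.add(record)
        return "processed"


class Server:
    def __init__(self, dup_interval: float):
        self.dup_interval = dup_interval
        self.tls = TlsStub()
        self.recent = {}           # (addr, port, identifier) -> arrival time

    def handle(self, now: float, addr: str, port: int, ident: int, record: bytes) -> str:
        # Forget requests older than the window; with a window of 0 nothing is kept.
        self.recent = {k: t for k, t in self.recent.items()
                       if now - t < self.dup_interval}
        key = (addr, port, ident)
        if key in self.recent:
            return "duplicate"     # caught before the TLS layer sees it again
        self.recent[key] = now
        return self.tls.feed(record)


def replay(dup_interval: float, resend_after: float) -> list:
    """Send Access-Request id=7, then resend the identical packet later."""
    srv = Server(dup_interval)
    record = bytes.fromhex("1703030005aabbccddee")   # constructed, not from the log
    times = [0.0, resend_after]
    return [srv.handle(t, "127.0.0.1", 40000, 7, record) for t in times]


if __name__ == "__main__":
    print(replay(0, 3.0))      # DupInterval 0: resend reaches TLS
    print(replay(10, 3.0))     # 10 second window: resend detected
    print(replay(10, 15.0))    # resend arrives later than the window
```

In this model a resend that arrives after the window has expired is handled exactly like the DupInterval 0 case.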