Re: freeradius not responding on machine specific IPs

2008-12-12 Thread Andy Billington
Check firewall ports - we had "fun" when FR was listening on the 18s
but our firewall guy did his config using the "traditional" 16s.  Also
have you got your FR client configured so the FR server knows to process
requests from that source?


Hth
Andy

On 12/12/2008, kevin  wrote:
> I was loath to ask a newbie question, but it appears I have one.
>
> How does one configure freeradius to listen on all IPs specific to a
> machine?
>
> I have a remote Ubuntu 7.10 server (32bit) which I want to use for
> authentication via freeradius.  It (freeradius 1.1.6-2) installed all
> nice and is running properly in default config, or it would seem.  I
> cannot get a response when a remote authenticate is made.
>
> When I ssh into the server, it appropriately responds to the following:
>
>> r...@server3:/home/kevin# radtest fred wilma 127.0.0.1 1812 mysecret
>> Sending Access-Request of id 1 to 127.0.0.1 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> Re-sending Access-Request of id 1 to 127.0.0.1 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=1, length=20
>> rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812
>> with invalid signature (err=2)!  (Shared secret is incorrect.)
>
> When I try radtest on the network IP, it fails, as per:
>
>> r...@server3:/home/kevin# radtest fred wilma 192.168.3.199 1812 mysecret
>> Sending Access-Request of id 5 to 192.168.3.199 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>> Re-sending Access-Request of id 5 to 192.168.3.199 port 1812
>>  User-Name = "fred"
>>  User-Password = "wilma"
>>  NAS-IP-Address = 255.255.255.255
>>  NAS-Port = 1812
>
> etc...
>
> I have tried setting the listen in Radiusd.conf to be the network IP of the
> machine (x.x.3.199), but that gave the same results.
>
> Any thoughts on what this n00b is doing wrong?
>
> Thanks,
>
> Kevin
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>

-- 
Sent from my mobile device


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
David - agreed. It's a workaround until the billing software can be
modified (or replaced); in combination with an expiry_due check and
also checking whether it's the billing system that made the change
though, it's not a bad short-term workaround. Needs to be both of those
checks though ;-)
Andy

On 25/01/2008, David Roze <[EMAIL PROTECTED]> wrote:
> A trigger on the password field is a workaround.
> What about if he wants to change a user's password or when it changes back
> to bring the connection back on?
> Changing the password is not the right way to reject a connection and
> everything possible should be done to change the software's behaviour.
>
> David Roze
> ---
> http://www.netexpertise.eu
>
>
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> On Behalf Of Andy Billington
> Sent: 25 January 2008 18:58
> To: FreeRadius users mailing list
> Subject: Re: Hello, and a (hopefully) simple question
>
> Vlad,
> are the passwords changed _by the billing system_ for any other
> reason? You could use a trigger on the table to make a corresponding
> change on the usergroup when the billing system changes the password.
>
> Better though might just be to have an "Expiry Due?" column added to
> the users, and then have "if expiry_due AND if password changed, then
> change usergroup" triggered. You'll have to have a way to keep track
> of expiration dates and so on
>
> Vlad,
> are the passwords changed by the billing system for any other reason?
> You could use a trigger on the table to make a corresponding change on
> the usergroup when a billing system changes the password.
>
> Better though might just be to have an "Expired Yes/No" column added to
> the users, and then have "if expired AND password changed, then change
> usergroup" triggered. You'll have to have a way to keep track of
> expiration dates and so on but if the renewals are for a standard
> period (e.g. 12 months) then you could do
>
> a. if expiry_due and password changed, change usergroup (and hence ip etc)
>
> b. if expired, password changed already and then password changed
> again, change usergroup back to normal on assumption that billing
> system has reset password when payment received. Reset expiry_due to
> today() plus 12 months
>
> Then again I'm probably looking at database level stuff when
> FreeRADIUS will provide a better way using the many bits of it I don't
> understand ;-)
> Andy
>
>
>
>
>
> On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote:
> > Well, what I'm trying to do is accept the session whether the password
> > is correct or not, but if it's not correct, assign Framed-IP-Address
> > from a different IP pool, so our firewall downstream from the NAS can
> > redirect their HTTP traffic to a payment site.
> >
> >
> > Vlad
> >
> >
> > On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote:
> > > If it's just a message you want to display, you could use the Reply-
> > > Message attribute.
> > > Of course, your access controller would have to know how to handle this
> > > attribute.
> > >
> > > JB
> > >
> > >
> > > Marinko Tarlac wrote:
> > >
> > > > radius will reply whatever you need but you need to tell it what
> > > > you want.
> > > >
> > > > For example, if you're using mysql, when a user account expires you
> > > > can add it to a specific group, and the group attributes you can set in
> > > > the radgroupreply table. (ip pool, tx, rx limit etc.)
> > > >
> > > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote:
> > > >> Hey folks.
> > > >>
> > > >> Right now, we use freeradius to authenticate simple pap/chap PPP
> > > >> clients. When a username/password is rejected, radius simply sends
> > > >> back
> > > >> a reject message to the NAS.
> > > >>
> > > >> Is it possible to change this behavior so that a failed auth attempt
> > > >> gets accepted with an alternate IP pool instead of being rejected?
> > > >>
> > > >> The idea is to force suspended users through a web proxy that tells
> > > >> them that they have a billing issue, instead of rejecting their
> > > >> connection altogether.
> > > >>
> > > >>
> > > >> Any help would be appreciated
> > > >>
> > > >>
> > > >> Vlad
> > >
> > >
> > >
> > > JB
> > >
> > >
> > >
> > >


Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
Vlad,
are the passwords changed _by the billing system_ for any other
reason? You could use a trigger on the table to make a corresponding
change on the usergroup when the billing system changes the password.

Better though might just be to have an "Expiry Due?" column added to
the users, and then have "if expiry_due AND if password changed, then
change usergroup" triggered. You'll have to have a way to keep track
of expiration dates and so on

Vlad,
are the passwords changed by the billing system for any other reason?
You could use a trigger on the table to make a corresponding change on
the usergroup when a billing system changes the password.

Better though might just be to have an "Expired Yes/No" column added to
the users, and then have "if expired AND password changed, then change
usergroup" triggered. You'll have to have a way to keep track of
expiration dates and so on but if the renewals are for a standard
period (e.g. 12 months) then you could do

a. if expiry_due and password changed, change usergroup (and hence ip etc)

b. if expired, password changed already and then password changed
again, change usergroup back to normal on assumption that billing
system has reset password when payment received. Reset expiry_due to
today() plus 12 months

Then again I'm probably looking at database level stuff when
FreeRADIUS will provide a better way using the many bits of it I don't
understand ;-)
Andy





On 25/01/2008, Vlad Sedov <[EMAIL PROTECTED]> wrote:
> Well, what I'm trying to do is accept the session whether the password
> is correct or not, but if it's not correct, assign Framed-IP-Address
> from a different IP pool, so our firewall downstream from the NAS can
> redirect their HTTP traffic to a payment site.
>
>
> Vlad
>
>
> On Jan 25, 2008 11:27 AM, JB <[EMAIL PROTECTED]> wrote:
> > If it's just a message you want to display, you could use the Reply-
> > Message attribute.
> > Of course, your access controller would have to know how to handle this
> > attribute.
> >
> > JB
> >
> >
> > Marinko Tarlac wrote:
> >
> > > radius will reply whatever you need but you need to tell it what
> > > you want.
> > >
> > > For example, if you're using mysql, when a user account expires you
> > > can add it to a specific group, and the group attributes you can set in
> > > the radgroupreply table. (ip pool, tx, rx limit etc.)
> > >
> > > On Jan 25, 2008 6:18 PM, Vlad Sedov <[EMAIL PROTECTED]> wrote:
> > >> Hey folks.
> > >>
> > >> Right now, we use freeradius to authenticate simple pap/chap PPP
> > >> clients. When a username/password is rejected, radius simply sends
> > >> back
> > >> a reject message to the NAS.
> > >>
> > >> Is it possible to change this behavior so that a failed auth attempt
> > >> gets accepted with an alternate IP pool instead of being rejected?
> > >>
> > >> The idea is to force suspended users through a web proxy that tells
> > >> them that they have a billing issue, instead of rejecting their
> > >> connection altogether.
> > >>
> > >>
> > >> Any help would be appreciated
> > >>
> > >>
> > >> Vlad
> >
> >
> >
> > JB
> >
> >
> >
> >
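Andy's two rules a. and b. above, together with the extra condition from his later reply further up the page (only act when it was the billing system that changed the password), fit into a single database trigger. The block below is an added example and is not the poster's code or FreeRADIUS's SQL schema: it models the design in Python on an in-memory sqlite3 database. The `radcheck` and `usergroup` table names follow the FreeRADIUS 1.x SQL schema; the `subscriber` table, the `changed_by` column on `radcheck`, the group names `customers` and `suspended`, and the fixed 12-month renewal are assumptions of the model, and MySQL's trigger syntax (DELIMITER, BEGIN ... END, IF ... THEN) differs from the SQLite form used here.

```python
"""Model of the 'expiry_due + billing password change' trigger (added example)."""
import sqlite3

# FreeRADIUS 1.x-style tables (subset). subscriber, changed_by and the group
# names are assumptions of this model, not part of the FreeRADIUS schema.
SCHEMA = """
CREATE TABLE radcheck   (username TEXT, attribute TEXT, op TEXT, value TEXT, changed_by TEXT);
CREATE TABLE usergroup  (username TEXT, groupname TEXT, priority INTEGER DEFAULT 1);
CREATE TABLE subscriber (username TEXT PRIMARY KEY, expiry_due TEXT, suspended INTEGER DEFAULT 0);

-- Fires only for a User-Password change made by the billing system.
--   a. renewal overdue and not yet suspended -> move the user to the 'suspended' group
--   b. already suspended (billing reset the password after payment)
--                                            -> restore the group, push expiry_due 12 months out
-- Any other password change (helpdesk reset, self-service) leaves the group untouched.
CREATE TRIGGER billing_password_change
AFTER UPDATE OF value ON radcheck
WHEN NEW.attribute = 'User-Password'
 AND NEW.value <> OLD.value
 AND NEW.changed_by = 'billing'
BEGIN
  UPDATE usergroup
     SET groupname = CASE
           WHEN (SELECT suspended  FROM subscriber WHERE username = NEW.username) = 1 THEN 'customers'
           WHEN (SELECT expiry_due FROM subscriber WHERE username = NEW.username) <= date('now') THEN 'suspended'
           ELSE groupname END
   WHERE username = NEW.username;
  -- both CASE expressions see the subscriber row as it was before this UPDATE
  UPDATE subscriber
     SET expiry_due = CASE WHEN suspended = 1 THEN date('now', '+12 months') ELSE expiry_due END,
         suspended  = CASE WHEN suspended = 1 THEN 0
                           WHEN expiry_due <= date('now') THEN 1
                           ELSE suspended END
   WHERE username = NEW.username;
END;
"""


def open_db() -> sqlite3.Connection:
    """In-memory database with one constructed subscriber whose renewal is overdue."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    db.execute("INSERT INTO subscriber VALUES ('bob', '2000-01-01', 0)")
    db.execute("INSERT INTO usergroup VALUES ('bob', 'customers', 1)")
    db.execute("INSERT INTO radcheck VALUES ('bob', 'User-Password', ':=', 'initial', 'signup')")
    db.commit()
    return db


def state(db: sqlite3.Connection, username: str) -> dict:
    (group,) = db.execute("SELECT groupname FROM usergroup WHERE username = ?", (username,)).fetchone()
    expiry, suspended = db.execute(
        "SELECT expiry_due, suspended FROM subscriber WHERE username = ?", (username,)).fetchone()
    return {"group": group, "expiry_due": expiry, "suspended": suspended}


def change_password(db: sqlite3.Connection, username: str, new_password: str, changed_by: str) -> dict:
    """The only write path; the trigger decides whether the group moves."""
    db.execute(
        "UPDATE radcheck SET value = ?, changed_by = ? WHERE username = ? AND attribute = 'User-Password'",
        (new_password, changed_by, username))
    db.commit()
    return state(db, username)


def walkthrough() -> list:
    """Constructed sequence: helpdesk reset, then billing suspends, then billing renews."""
    db = open_db()
    return [
        change_password(db, "bob", "helpdesk-reset", "helpdesk"),  # not billing: group unchanged
        change_password(db, "bob", "suspend-1", "billing"),        # rule a: overdue -> 'suspended'
        change_password(db, "bob", "renewed-1", "billing"),        # rule b: paid -> 'customers', expiry +12 months
    ]


if __name__ == "__main__":
    for step in walkthrough():
        print(step)
```

Keeping both rules in one trigger matters: with two separate triggers on the same UPDATE, the "restore" trigger could fire on the suspended flag the "suspend" trigger has just written, and the account would bounce straight back to the normal group. A password reset by the helpdesk (`changed_by` other than `billing`) leaves the group alone, which is the check Andy and David were discussing.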


Re: unlang question

2008-01-24 Thread Andy Billington
Thanks Alan,
Looking into it more what I really need to do is take a list of
existing usernames and proxy them to an external server, but allow
other usernames with the same format to be handled by a virtual server
in the FreeRADIUS box.

The list can be in a database or a text file or hard-coded into a
script; it's fairly short. New usernames can be handled as a different
realm no problem but some of the existing ones have to be proxied
also, we're having to delegate admin of them to a customer.

Any thoughts - things to watch out for or that might help?
Andy

On 23/01/2008, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > hi all,
> > am looking at whether to migrate to 2.0 to create a couple of
> > possibilities and was wondering if I can:
> > 1. create a main virtual server
> > 2. use unlang to parse the incoming requests and then based on whether
> > they match a regex, proxy them to different virtual servers or to an
> > external 3rd party RADIUS?
>
>  Yes.  That's one of my test cases.
>
>  The only issue is that you *will* have to proxy them.  i.e. set up a
> client of 127.0.0.1, set up different "listen" sections for each virtual
> server, and set up those listen sections as "home servers".  The code
> does not currently have a way to re-direct requests to a virtual server.
>
>  Alan DeKok.
>


unlang question

2008-01-22 Thread Andy Billington
hi all,
am looking at whether to migrate to 2.0 to create a couple of possibilities
and was wondering if I can:
1. create a main virtual server
2. use unlang to parse the incoming requests and then based on whether they
match a regex, proxy them to different virtual servers or to an external 3rd
party RADIUS?

I'm sure I've missed something in the docs, so any pointers very
gratefully received!

Andy

Re: NAS in SQL

2007-10-26 Thread Andy Billington
sorry, had read docs in older version (only got round to looking into
2.0.0-pre last night as an attempt to answer my own ?)
Thanks for quick response!

Andy

On 26/10/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > Is there a way to define NAS info / secrets in a SQL database
>
>   Yes.  See the sql.conf file.
>
>   Alan DeKok.


Re: Cisco NAS Password problem

2007-10-25 Thread Andy Billington
Is there a way to define NAS info / secrets in a SQL database and have
it as part of the standard queries? Am guessing the perl / python
options would let you do it from that (pls correct me tho if not
right!) but can it just be done without writing code?
Tia
Andy

On 25/10/2007, John Morris <[EMAIL PROTECTED]> wrote:
>
> Debug output like this usually points to non-matching RADIUS secrets.  Check
> the radius secret in your switch config as well as the secret configured in
> your nas SQL table.  Freeradius only reads the nas table on startup, so if
> you make changes to that table, you must restart the daemon for those changes
> to take effect.
>
> Kevin Bonner
>
> Kevin,
>
>   Thanks for the prompt reply. I went ahead and went to the failing switches,
> cleared the radius-server entries and started from scratch. I had done this
> before, and it didn't fix the problem. But this time everything is working.
>
>   It surprises me that the debug output doesn't appear to mention the failure
> of the NAS secret. I would have thought I would have gotten that message
> and that the auth would have stopped there.
>
> Regards,
>
> John
>


Re: AW: AW: Newbie Question o.O

2007-10-24 Thread Andy Billington
which explains why gmail shows all his mails as being 0 minutes ago.
Not even Google has harnessed time travel (don't tell the shareholders
tho)

On 24/10/2007, Sebastian Wild <[EMAIL PROTECTED]> wrote:
> Bernd please correct your system date. You keep sending mails dated in
> the future!
>
> Sebastian
>
> On Wednesday, 31.10.2007, 14:20 +0100, Bernd wrote:
> > I'm sorry...I never worked with RADIUS, please consider that. I don't mind
> > reading documentations :)  - but I don't know where I can find the NAS
> > documentation
> >
> > -Original Message-
> > From: [EMAIL PROTECTED]
> > [mailto:[EMAIL PROTECTED] On Behalf Of Alan
> > DeKok
> > Sent: Wednesday, 24 October 2007 12:38
> > To: FreeRadius users mailing list
> > Subject: Re: AW: Newbie Question o.O
> >
> > Bernd wrote:
> > >  > Do the AP's send RADIUS requests to authenticate the MAC when they see
> > > a new machine?  If not, you can't do it.
> > >
> > > How do I know if they do?
> > ...
> >
> > >>   Unfortunately, you're being told to go read the NAS documentation.
> >
> >   Alan DeKok.


Re: aaa accounting command

2007-10-23 Thread Andy Billington
in case any help, here are some howtos for TACACS+ integrating with
some other features

http://www.debian-administration.org/articles/429
or for BSD
http://www.joe-ma.co.za/page.php?9

Andy
On 23/10/2007, Kevin Bonner <[EMAIL PROTECTED]> wrote:
> On Tuesday 23 October 2007 11:58:22 Dominique Demore wrote:
> > Hi folks,
> >
> > Is there any method of keeping track of the commands issued by a user with
> > Radius. Under the aaa option, there is "aaa accounting command " but
> > for some reason, I'm not seeing the accounting information stored in the
> > radacct information. I know a few years ago, this was an issue, but I'm not
> > sure if it has been resolved.
>
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg39493.html
> http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg34103.html
>
> > Does anyone have an alternative to accomplish this if it's not possible
> > with Radius.
>
> TACACS+
>
> Kevin Bonner
>


Re: merging accounting records from two databases

2007-09-26 Thread Andy Billington
Given my levels of FreeRADIUS knowledge vs MySQL, I would go with a
database-level approach :-)

What version of MySQL are you using - you could maybe cluster the databases?

Alternatively have RADIUS write to one database and use MySQL Proxy to
handle the two databases if you don't want to cluster (i.e. use
replication primary --> secondary, put the proxy in the data flow and tell
it to write to secondary if primary unavailable; then when primary fixed,
reverse the roles so what was the secondary becomes the primary,
replicates data, and then you can either flip them back (if e.g. the
original primary is heavier hardware) or not).

Andy


On 26/09/2007, Stella <[EMAIL PROTECTED]> wrote:
> Hi,
>
> We're setting up two radius servers and configuring them so the accounting
> records are inserted into a mysql database.  For redundancy, we're having two
> radius servers and two database servers.  Both radius servers will attempt to
> write the records to the primary database, if that fails, the secondary
> database will be used.  However, I only see one place in the radius sql.conf
> file to set the database connection settings.  Is there any way to set the
> connection settings for a secondary database, or is there no failover?  If
> not, what do people suggest we use?  A load balancer or some such?
>
> Another problem with this setup is that there may be records in the secondary
> database which I need to add to the primary database.  The main issue I have
> is when the start record of a session is in one database and the stop record
> is in the other.  I need to match these two records up, so I have all the
> records in both databases.  Is there any application out there that will do
> this or do I need to write my own?  Surely someone else has encountered the
> same issue?
>
> So can anyone advise on the above or point me at some documentation that
> explains how to do this?  All help much appreciated!
>
> Cheers,
> Stella


Re: Freeradius / NAS issue

2007-08-08 Thread Andy Billington
Thank you Alan!

I don't want to shout at the NAS owner (we rely on them for customer
connections on a private DSL network and the other sites are fine!)
without backup / confidence that I'm not making mistakes.

The users connect, both the logs earlier and now the debug output show
Accept messages going out to the NAS correctly, and as I said most of
our user community connects without issue. Which led me to say it's
not RADIUS, but I was given a "it's your RADIUS" response by our
provider.

I guess my first step tomorrow is to make sure the NAS receives the
Access-Accept for all sites and then give it to them to figure out why
some are being marked as Reject by the NAS and some are OK and do as I
said about "new" user setups.

As I said previously, thank you very much for your assistance - the
accounting packet issue I can sort given time (and offline) and
hopefully I won't need to trouble anyone further. All ideas gratefully
received though!

Andy

On 09/08/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > Was thinking about setting up another FR instance, separate IP and
> > with just pure text (users) info but am not sure - what concerns me is
> > seeing a few mails that have same symptoms (connect starts, then
> > restarts after 10s)
>
>   Do those users get connected at *all*?  If they do, then the problem
> is the NAS.  It's being told to connect them, it does, and then 10s
> later, it disconnects them.
>
>   *Please* ensure that the problem is something other than RADIUS before
> poking your FreeRADIUS configuration.  If the NAS receives the
> Access-Accept and lets the user on, DON'T touch your RADIUS
> configuration.  Buy a NAS that works.
>
>   Alan DeKok.


Re: Freeradius / NAS issue

2007-08-08 Thread Andy Billington
hi Ivan,
Just been able to restart without affecting working sites, have started
using -X and am seeing lots of info; for a start it's binding to the
correct IP (which counters the multi-home issue I was concerned
about). The sites that have probs are all reporting RADIUS ok, my
query / concern is why do some work and not others? Surely if it
was routing / network stuff, none would work or all would work; unless
the NAS is not behaving?

Was thinking about setting up another FR instance, separate IP and
with just pure text (users) info but am not sure - what concerns me is
seeing a few mails that have same symptoms (connect starts, then
restarts after 10s) from other users but they don't seem to have got
working. Have I upgraded FR (apt-get etc) and broken my config :(
which I'm sure isn't true. Would setting up second FR be overkill,
given stuff is working for other sites?

Andy

On 08/08/2007, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> The best way to verify this is to look at the debug (radiusd -X) for the
> requests coming from the sites that have a problem.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 8/8/2007, "Andy Billington" <[EMAIL PROTECTED]> wrote:
>
> >Thanks Alan - that last point was what I wanted to confirm before
> >going to the NAS owner to request they start looking. As you've said,
> >the RADIUS server sends out packets and they hit the network - if
> >routing / network was the cause of this, none of the auth responses
> >would get through. I'm trying disabling accounting for the moment,
> >using Listen, to squash accounting related error messages. Can't enable
> >debug for another two hours when the various test sites will finally
> >close for the day and I can restart without impacting the sites that
> >do work.
> >
> >The NAS and RADIUS servers are both doing auth and accounting, same
> >IPs and same shared secrets (although different ports obviously).
> >Again, if auth works for some sites - even if not for others - the
> >shared secret must be correct, no?
> >
> >Sorry for asking what probably seem like basic questions but want to
> >be sure of myself :-)
> >
> >Andy
> >
> >
> >On 08/08/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> >> Andy Billington wrote:
> >> > debug didn't seem a likely source of info given that this is a server
> >> > that has been functioning without incident for six months and no
> >> > changes have been made to its config. I have been looking at network /
> >> > routing issues but couldn't figure out why some sites would work and
> >> > not others, if it was network / routing?
> >>
> >>   If the RADIUS server sends packets, it's done with RADIUS.  After
> >> that, check that the packets make it onto the local network, to the next
> >> router, etc.
> >>
> >> > Surely all would work, or none, if it was that ie. the NAS would
> >> > reject all transactions not just some of them? Not that interested in
> >> > accounting packet problems except as an explanation of why sessions
> >> > are dropping _in some cases_ but not in all; the authentication
> >> > traffic seems to be fine.
> >>
> >>   If all of the authentication traffic is OK, and accounting doesn't
> >> work, then the accounting shared secrets are likely wrong.
> >>
> >> > Is there any network / routing related reason why a NAS would accept
> >> > some FR responses but not others?
> >>
> >>   If a NAS accepts one Access-Accept from a server, it should accept
> >> them all.  If it accepts on Accounting-Response from a server, it should
> >> accept them all.
> >>
> >>   Alan DeKok.


Re: Freeradius / NAS issue

2007-08-08 Thread Andy Billington
Thanks Alan - that last point was what I wanted to confirm before
going to the NAS owner to request they start looking. As you've said,
the RADIUS server sends out packets and they hit the network - if
routing / network was the cause of this, none of the auth responses
would get through. I'm trying disabling accounting for the moment,
using Listen, to squash accounting related error messages. Can't enable
debug for another two hours when the various test sites will finally
close for the day and I can restart without impacting the sites that
do work.

The NAS and RADIUS servers are both doing auth and accounting, same
IPs and same shared secrets (although different ports obviously).
Again, if auth works for some sites - even if not for others - the
shared secret must be correct, no?

Sorry for asking what probably seem like basic questions but want to
be sure of myself :-)

Andy


On 08/08/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > debug didn't seem a likely source of info given that this is a server
> > that has been functioning without incident for six months and no
> > changes have been made to its config. I have been looking at network /
> > routing issues but couldn't figure out why some sites would work and
> > not others, if it was network / routing?
>
>   If the RADIUS server sends packets, it's done with RADIUS.  After
> that, check that the packets make it onto the local network, to the next
> router, etc.
>
> > Surely all would work, or none, if it was that ie. the NAS would
> > reject all transactions not just some of them? Not that interested in
> > accounting packet problems except as an explanation of why sessions
> > are dropping _in some cases_ but not in all; the authentication
> > traffic seems to be fine.
>
>   If all of the authentication traffic is OK, and accounting doesn't
> work, then the accounting shared secrets are likely wrong.
>
> > Is there any network / routing related reason why a NAS would accept
> > some FR responses but not others?
>
>   If a NAS accepts one Access-Accept from a server, it should accept
> them all.  If it accepts on Accounting-Response from a server, it should
> accept them all.
>
>   Alan DeKok.
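Alan's two rules in this exchange (once the server has sent the packet it is done with RADIUS; working auth with dead accounting points at the accounting shared secret) and Kevin's radtest output in the "freeradius not responding" thread at the top of the page (an Access-Reject of length 20 that rad_verify rejects with "invalid signature (err=2)! (Shared secret is incorrect.)") both come down to how RADIUS authenticators are computed. The Python below is an added example, not code from the posts or from FreeRADIUS; the secrets and the user are constructed, and the session id is the one from the detail log further down. It implements the RFC 2865 Access-Request, User-Password hiding and response authenticator, and the RFC 2866 Accounting-Request authenticator, then runs a client and a "server" that disagree on the secret. Two things fall out: on the auth port the server has nothing to verify in a plain Access-Request, so a wrong secret shows up only as a garbled password, a Reject, and a reply the client cannot verify; on the accounting port the request itself carries an authenticator, so a wrong secret makes the server discard it silently and the NAS never sees an Accounting-Response.

```python
"""RADIUS authenticator model (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_STATUS_START = 40, 44, 1

def attr(atype: int, value: bytes) -> bytes:
    """One attribute: Type(1) Length(1, header included) Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 octets")
    return bytes([atype, len(value) + 2]) + value

def attributes(pkt: bytes):
    """Yield (type, value) pairs from a packet's attribute section."""
    i = 20
    while i < len(pkt):
        atype, alen = pkt[i], pkt[i + 1]
        yield atype, pkt[i + 2:i + alen]
        i += alen

def packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) Attributes."""
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + authenticator + attrs

def _xor_chain(data: bytes, secret: bytes, request_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 s5.2: b(n) = MD5(secret + c(n-1)), c(n) = p(n) XOR b(n), c(0) = RequestAuth."""
    out, prev = b"", request_auth
    for i in range(0, len(data), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], key))
        out += block
        prev = block if hiding else data[i:i + 16]  # the chain always runs on the hidden block
    return out

def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    padded = password + b"\x00" * (-len(password) % 16)
    return _xor_chain(padded, secret, request_auth, hiding=True)

def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    return _xor_chain(hidden, secret, request_auth, hiding=False).rstrip(b"\x00")

def build_access_request(ident, username, password, secret, request_auth=None):
    request_auth = request_auth or os.urandom(16)  # 16 random octets (RFC 2865 s3)
    attrs = (attr(USER_NAME, username)
             + attr(USER_PASSWORD, hide_password(password, secret, request_auth))
             + attr(NAS_IP_ADDRESS, bytes([255, 255, 255, 255]))  # as in the radtest output
             + attr(NAS_PORT, struct.pack("!I", 1812)))
    return packet(ACCESS_REQUEST, ident, request_auth, attrs)

def response_authenticator(code, ident, request_auth, attrs, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + ResponseAttributes + Secret)."""
    head = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(head + request_auth + attrs + secret).digest()

def build_reply(code, request, attrs, secret):
    ident, request_auth = request[1], request[4:20]
    return packet(code, ident, response_authenticator(code, ident, request_auth, attrs, secret), attrs)

def verify_reply(reply, request, secret) -> bool:
    """The check behind rad_verify's 'invalid signature (err=2)' message."""
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, request[4:20], reply[20:], secret)
    return hmac.compare_digest(expected, reply[4:20])

def build_accounting_request(ident, username, session_id, secret):
    """RFC 2866 s3: Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)."""
    attrs = (attr(USER_NAME, username)
             + attr(ACCT_STATUS_TYPE, struct.pack("!I", ACCT_STATUS_START))
             + attr(ACCT_SESSION_ID, session_id))
    head = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return packet(ACCOUNTING_REQUEST, ident, hashlib.md5(head + b"\x00" * 16 + attrs + secret).digest(), attrs)

def verify_accounting_request(pkt, secret) -> bool:
    """A server that fails this check drops the packet; nothing is sent back to the NAS."""
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])

def demo(client_secret=b"mysecret", server_secret=b"wrongsecret") -> dict:
    """Constructed scenario: client (radtest/NAS) and server disagree on the secret."""
    req = build_access_request(1, b"fred", b"wilma", client_secret)
    # A plain Access-Request carries nothing the server can verify: it decodes the password
    # with its own secret, fails the user and signs an empty Reject (length 20) with its secret.
    seen = reveal_password(dict(attributes(req))[USER_PASSWORD], server_secret, req[4:20])
    reject = build_reply(ACCESS_REJECT, req, b"", server_secret)
    acct = build_accounting_request(2, b"fred", b"FF10584ECD3D-46B9FE2D", client_secret)
    return {
        "password_as_server_sees_it": seen,
        "reject_length": len(reject),
        "reject_verifies_with_client_secret": verify_reply(reject, req, client_secret),
        "reject_verifies_with_server_secret": verify_reply(reject, req, server_secret),
        "acct_request_accepted_by_server": verify_accounting_request(acct, server_secret),
        "acct_request_accepted_with_matching_secret": verify_accounting_request(acct, client_secret),
    }
```

Calling `demo()` with the mismatched defaults gives a 20-byte Reject that verifies under the server's secret but not the client's, a password that is not "wilma", and an Accounting-Request the server would drop; `demo(b"same", b"same")` makes everything line up. The "it works for some sites but not others" pattern in this thread is the converse: a secret mismatch would fail every packet from that NAS, never a subset.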


Re: Freeradius / NAS issue

2007-08-08 Thread Andy Billington
thanks for your quick response!

debug didn't seem a likely source of info given that this is a server
that has been functioning without incident for six months and no
changes have been made to its config. I have been looking at network /
routing issues but couldn't figure out why some sites would work and
not others, if it was network / routing?

Surely all would work, or none, if it was that ie. the NAS would
reject all transactions not just some of them? Not that interested in
accounting packet problems except as an explanation of why sessions
are dropping _in some cases_ but not in all; the authentication
traffic seems to be fine.


Is there any network / routing related reason why a NAS would accept
some FR responses but not others?

Thanks again
Andy

On 08/08/2007, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Andy Billington wrote:
> > auth-detail reports the Access-Request properly AFAIK.
> > reply-detail reports the Access-Accept properly.
> >
> > In the radius.log I get
>
>   As opposed to debug mode, which is suggested in the README, FAQ,
> INSTALL, etc.?
>
> > In the detail log I get
>
>   Accounting packets.  NOT authentication packets.
>
>   You are aware that they are different?
>
> > Thanks in advance for any pointers anyone can give, and very sorry if
> > my searching of the list missed a solution posted previously!!
>
>   If the server sends an Access-Accept and the NAS doesn't see it, it's
> likely a network / routing problem.
>
>   Alan DeKok.


Freeradius / NAS issue

2007-08-08 Thread Andy Billington
hi all,
I've searched the list for clues but haven't found a resolution for
the following:
1. On a testing network, with seven identically configured routers,
four connect and three don't. They are all the same make / model.
2. They're all using different usernames and passwords, and the NAS is
reporting that RADIUS is rejecting three of them but the other four
are OK.
3. The box _is_ multihomed; saw the FAQ and I've set bind and port to
the one address I want and also have recompiled with --with-udpfromto
4. I'm seeing fewer errors than I was, but the sites still aren't connecting.
5. When I connect from another site using ntradping to the same
FreeRADIUS all seven usernames / passwords work and I get
Access-Accept.
6. At the not working sites, the routers (Draytek) report that the
ADSL is in sync, sending an Access-Request, then nine seconds later
they drop the PPP session.

auth-detail reports the Access-Request properly AFAIK.
reply-detail reports the Access-Accept properly.

In the radius.log I get
Wed Aug  8 18:17:35 2007 : Error: rlm_sql (sql) in sql_accounting:
stop packet with zero session length. [user 'Redback', nas 'a.b.c.d']
Wed Aug  8 18:17:36 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:36 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:36 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:36 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:41 2007 : Auth: Login OK:
[EMAIL PROTECTED]/] (from client NAS-ocl port
1114112)
Wed Aug  8 18:17:43 2007 : Auth: Login OK:
[EMAIL PROTECTED]/] (from client NAS-ocl port
1114112)
Wed Aug  8 18:17:44 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:44 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:44 2007 : Error: rlm_sql (sql) in sql_accounting:
stop packet with zero session length. [user 'Redback', nas 'a.b.c.d']
Wed Aug  8 18:17:45 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:45 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:45 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:45 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:17:50 2007 : Auth: Login OK:
[EMAIL PROTECTED]/] (from client NAS-ocl port
1114112)
Wed Aug  8 18:17:50 2007 : Auth: Login incorrect: [Redback/*]
(from client NAS-ocl port 0)
Wed Aug  8 18:17:50 2007 : Info: rlm_sql (sql): No matching entry in
the database for request from user [redback]
Wed Aug  8 18:17:50 2007 : Auth: Login incorrect: [redback/*]
(from client NAS-ocl port 0)
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_sql (sql) in sql_accounting:
stop packet with zero session length. [user '[EMAIL PROTECTED]', nas
'a.b.c.d']
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_radutmp: Logout for NAS NAS-ocl
port 1114112, but no Login record
Wed Aug  8 18:18:02 2007 : Error: rlm_sql (sql) in sql_accounting:
stop packet with zero session length. [user '[EMAIL PROTECTED]', nas
'a.b.c.d']

In the detail log I get
Wed Aug  8 17:34:02 2007
User-Name = "REMOVED"
Acct-Status-Type = Stop
Acct-Session-Id = "FF10584ECD3D-46B9FE2D"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "t6-se1"
NAS-Port = 1114112
NAS-Port-Type = Virtual
NAS-Port-Id = "L2TP LNS 5164349"
Medium-Type = DSL
Connect-Info = "15552/15552"
Platform-Type = SmartEdge-800
OS-Version = "4.0.5.4p1"
Acct-Authentic = RADIUS
Tunnel-Type:0 = L2TP
Tunnel-Medium-Type:0 = IP
Tunnel-Server-Endpoint:0 = "192.168.XXX.YYY"
Tunnel-Client-Endpoint:0 = "192.168.XXX.ZZZ"
Tunnel-Max-Sessions = 2300
Tunnel-Max-Tunnels = 32767
Tunnel-Function = LNS-Only
Acct-Session-Time = 0
Acct-Terminate-Cause = User-Request
Session-Error-Code = 140
Session-Error-Msg = "Received PPP Terminate Request"
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Gigawords = 0