Re: Accounting-Response with invalid signature
Hi Alan,

Thanks for your explanation. Do you know when it will happen?

Rio

2007/5/25, Alan Dekok <[EMAIL PROTECTED]>:

> Rio Yang wrote:
> > I got the following message from my radius.log.
> >
> > Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)! (Shared secret is incorrect.)
> > Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time'
>
> This happens sometimes in versions before 1.1.5. Upgrade.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Accounting-Response with invalid signature
I have checked all secrets and they are the same. Not all Accounting-Responses have an invalid signature. This error message occurs only sometimes. It's very strange.

Rio

2007/5/23, Alex French <[EMAIL PROTECTED]>:

> On 23/05/07, Rio Yang <[EMAIL PROTECTED]> wrote:
> > NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)
> >
> > (FreeRadius proxy to JuniperSBR)
> >
> > The error message occurred between FreeRADIUS and JuniperSBR.
>
> But then you need to set the same shared secret on the FreeRadius server and the JuniperSBR, nothing to do with the NAS.
>
> Alex
Re: Accounting-Response with invalid signature
Hi Milan,

Sorry, I didn't describe my architecture in more detail.

NAS (Aptilo) --- FreeRADIUS --- JuniperSBR (Funk)

(FreeRadius proxy to JuniperSBR)

The error message occurred between FreeRADIUS and JuniperSBR. In my thinking, there is no secret error in the Accounting-Request, so why did I get the secret error in the Accounting-Response?

Rio

2007/5/23, Milan Holub <[EMAIL PROTECTED]>:

> Hi Rio,
>
> what type of NAS are you using? I've experienced similar behaviour with nocat software. The problem was that the NAS did not generate correct packet signature according to rfc. I have a simple patch to freeradius to bypass checking of signature of accounting packets. Although the correct way is to fix your NAS to create the signature according to rfc. Anyway I can send you the patch for testing if needed.
>
> Regards
> Milan Holub
> holub (at) thenet (dot) ch
> --
> TheNet-Internet Services AG, im Bernertechnopark, Morgenstr. 129
> CH-3018, Bern, Switzerland
> 031 998 4333, Fax 031 998 4330
> http://www.thenet.ch http://wlan.thenet.ch
Accounting-Response with invalid signature
Hi All,

I got the following message from my radius.log.

Wed May 23 16:39:11 2007 : Error: Received Accounting-Response packet from 172.16.1.1:1813 with invalid signature (err=2)! (Shared secret is incorrect.)
Wed May 23 16:39:11 2007 : Error: Reply from home server 172.16.1.1:1813 - ID: 180 arrived too late for request 2515449. Try increasing 'retry_delay' or 'max_request_time'

It caused some problems with the accounting records. The secrets between NAS and RADIUS are the same. But the log tells me the secret is incorrect at Accounting-Response.

Does anybody know what the main cause is and how to fix it?

PS. NAS and Radius are in the same subnet without any firewall.

[EMAIL PROTECTED]
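Added example (not part of the original thread and not FreeRADIUS code): the check behind "invalid signature" on an Accounting-Response, as defined in RFC 2866, where the Response Authenticator is MD5 over the reply header, the Request Authenticator of the matching request, the reply attributes and the shared secret. It shows at protocol level that a reply validated against a different request carrying the same ID fails this check even when the secret is correct; the secret, the session values and the reuse of ID 180 are constructed for illustration and are not a diagnosis of the 1.1.x behaviour discussed above.

```python
import hashlib
import hmac
import struct

ACCT_REQUEST, ACCT_RESPONSE = 4, 5   # RADIUS packet codes (RFC 2866)
ACCT_SESSION_ID = 44                 # Acct-Session-Id attribute type

def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value

def sign(code: int, ident: int, auth_field: bytes, attrs: bytes, secret: bytes) -> bytes:
    """MD5(Code + ID + Length + 16-octet authenticator field + attributes + secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + auth_field + attrs + secret).digest()

def build(code: int, ident: int, auth: bytes, attrs: bytes) -> bytes:
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def accounting_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    # Request Authenticator is computed over sixteen zero octets.
    return build(ACCT_REQUEST, ident, sign(ACCT_REQUEST, ident, b"\x00" * 16, attrs, secret), attrs)

def accounting_response(request: bytes, attrs: bytes, secret: bytes) -> bytes:
    # Home server side: the reply is bound to this request's authenticator.
    ident, req_auth = request[1], request[4:20]
    return build(ACCT_RESPONSE, ident, sign(ACCT_RESPONSE, ident, req_auth, attrs, secret), attrs)

def verify_response(response: bytes, request: bytes, secret: bytes) -> bool:
    """Proxy side: validate a reply against the request it is believed to answer."""
    if len(response) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", response[:4])
    if code != ACCT_RESPONSE or length != len(response) or ident != request[1]:
        return False
    expected = sign(code, ident, request[4:20], response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])

# Constructed sample data: two different requests that both carry ID 180.
SECRET = b"constructed-shared-secret"
first = accounting_request(180, attr(ACCT_SESSION_ID, b"session-A"), SECRET)
second = accounting_request(180, attr(ACCT_SESSION_ID, b"session-B"), SECRET)
reply = accounting_response(first, b"", SECRET)   # home server answers the first one

if __name__ == "__main__":
    print("reply vs first request :", verify_response(reply, first, SECRET))
    print("reply vs second request:", verify_response(reply, second, SECRET))
    print("reply vs wrong secret  :", verify_response(reply, first, b"other-secret"))
```

From the verifier's side the second and third cases are indistinguishable: both produce a digest mismatch, which is why the log hint names the shared secret even when the secrets match.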
Re: Wrong Realm in the detail files
I'll try to upgrade to 1.1.6.

Thanks Alan.

Rio

2007/5/9, Alan DeKok <[EMAIL PROTECTED]>:

> Rio Yang wrote:
> > I configured two realms in proxy.conf.
> > One is realm "ABC" (prefix mode), and another is "def.org" (suffix mode).
> >
> > In my thinking, when a request comes into radius, prefix will work first, then suffix. (configured in radius.conf)
>
> Did you list "prefix" before "suffix" in radiusd.conf?
>
> > PS. I'm using freeradius-1.1.2.
>
> You should upgrade to 1.1.6.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Wrong Realm in the detail files
Hi,

Recently, I found the wrong realm in the detail files. This log is captured from the detail file.

Tue May 8 17:46:41 2007
    Class = 0x417074696c6f313a313a31383030
    User-Name = "ABC/[EMAIL PROTECTED]"
    Acct-Status-Type = Start
    Acct-Session-Id = "464046fecc9c08a5"
    Acct-Delay-Time = 0
    Acct-Authentic = RADIUS
    Framed-IP-Address =
    NAS-IP-Address =
    NAS-Port-Type = Wireless-802.11
    Event-Timestamp = "May 8 2007 17:46:41 CST"
    NAS-Identifier = "NAS"
    Vendor-13209-Attr-9 = 0x5157464e484150433037
    Called-Station-Id =
    Calling-Station-Id =
    Vendor-13209-Attr-1 = 0x5177617265507562537461726275636b73
    NAS-Port-Id = "NAS-Port"
    WISPr-Location-ID =
    WISPr-Location-Name =
    Proxy-State = 0x30
    Client-IP-Address =
    Acct-Unique-Session-Id = "26719654223287c6"
    Stripped-User-Name = "ABC/950160"
    Realm = "def.org"
    Freeradius-Proxied-To =
    Timestamp = 1178617601

I configured two realms in proxy.conf. One is realm "ABC" (prefix mode), and another is "def.org" (suffix mode).

In my thinking, when a request comes into radius, prefix will work first, then suffix. (configured in radius.conf)

In this case, I should have a realm value "ABC" and Stripped-User-Name value "[EMAIL PROTECTED]". But I got the realm value "def.org" and Stripped-User-Name value "ABC/950160".

Is it a bug, or some configuration I missed?

PS. I'm using freeradius-1.1.2.

Thanks.

Rio
Realm and LDAP authentication
Hi,

I want to authenticate users by LDAP server. But I have two LDAP servers for different groups of users. For example, students or staff, each has a different realm name. Students' realm name is @stud.test and staff's realm name is @staf.test.

Realm (@stud.test) must pass to LDAP server one to authenticate. And realm (@staff.test) must pass to LDAP server two to authenticate.

Does freeradius support this scenario? And how to do it?

Thanks.

Rio
Re: Proxy Realm Error or Realm dead ??
Hi Alan,

Do you mean that if the realm "abc.com" has been marked "dead" by freeradius, then the following packets that proxy to "abc.com" will use the default realm?

Thanks.

Rio

2006/10/30, Alan DeKok <[EMAIL PROTECTED]>:

> "Rio Yang" <[EMAIL PROTECTED]> wrote:
> > Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm (default) ???
>
> Yes. See "radius.log", it will contain messages about abc.com being dead.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Proxy Realm Error or Realm dead ??
Hi all,

I found a problem on freeradius when I reviewed the log file (detail-MMDD). The following is my proxy settings.

default (proxy to 1.1.1.1)
abc.com (proxy to 2.2.2.2)

But I found some error entries in the detail log. The username is [EMAIL PROTECTED] and its realm must be "abc.com". But in the detail log, it belongs to "default".

Does anybody have the same problem? Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm (default)?

Rio
Re: Rewrite Attribute when proxy the specific realm
I found the solution. The preproxy_users file can rewrite attributes by the specific realm.

Thanks.

Rio

2006/10/20, Rio Yang <[EMAIL PROTECTED]>:

> Thanks. But the hints file can only add new attributes. I want to rewrite the attribute, not create a new one. Any new idea?
>
> Rio
>
> 2006/10/20, Richard Cotrina <[EMAIL PROTECTED]>:
>
> > You might use regular expressions in the hints file.
> >
> > - Original Message -
> > From: Rio Yang
> > To: freeradius-users@lists.freeradius.org
> > Sent: Tuesday, October 17, 2006 8:03 PM
> > Subject: Rewrite Attribute when proxy the specific realm
> >
> > > Hi,
> > >
> > > I have tried attr_rewrite function to rewrite attribute value on specific attribute successfully. But now, I want to rewrite the attribute that is proxied to a specific realm. For example, when the AUTH is proxied to the realm "abc.com", I want to rewrite the attribute "NAS-Identifier" value into a new one.
> > >
> > > Does somebody know how to configure it?
> > >
> > > Thanks.
> > >
> > > Rio
Re: Rewrite Attribute when proxy the specific realm
Thanks. But the hints file can only add new attributes. I want to rewrite the attribute, not create a new one. Any new idea?

Rio

2006/10/20, Richard Cotrina <[EMAIL PROTECTED]>:

> You might use regular expressions in the hints file.
>
> - Original Message -
> From: Rio Yang
> To: freeradius-users@lists.freeradius.org
> Sent: Tuesday, October 17, 2006 8:03 PM
> Subject: Rewrite Attribute when proxy the specific realm
>
> > Hi,
> >
> > I have tried attr_rewrite function to rewrite attribute value on specific attribute successfully. But now, I want to rewrite the attribute that is proxied to a specific realm. For example, when the AUTH is proxied to the realm "abc.com", I want to rewrite the attribute "NAS-Identifier" value into a new one.
> >
> > Does somebody know how to configure it?
> >
> > Thanks.
> >
> > Rio
Rewrite Attribute when proxy the specific realm
Hi,

I have tried attr_rewrite function to rewrite attribute value on specific attribute successfully. But now, I want to rewrite the attribute that is proxied to a specific realm. For example, when the AUTH is proxied to the realm "abc.com", I want to rewrite the attribute "NAS-Identifier" value into a new one.

Does somebody know how to configure it?

Thanks.

Rio
Accounting-Response Log ??
Hi,

I have two radius servers (Freeradius and Juniper SBR). The Freeradius server is a radius proxy that proxies all auth/acct requests to Juniper SBR.

I sometimes found that some accounting-stop requests don't arrive at Juniper SBR. Because the Freeradius server and Juniper SBR are in different subnets and go through a firewall, I think this problem may be caused by the firewall.

In the radius accounting communication model there should be a request and a response. Does freeradius log the accounting-response result? How to enable it? I want this log to identify the problem.

Thanks.

Rio Yang