Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
Ok, you got it! It was a simple user permissions problem on the file
clients.conf! Shame on me...
The daemon tried to read the old configuration files clients and naslist
just because the user that runs radiusd can't access the actual clients.conf.
Now everything is working fine. I have to review some concepts on Cisco
AAA because it won't authorize my users but just authenticates them, but
this issue is surely on the Cisco side.

Thanks a lot for the quick help 
Davide



On Tue, 13/02/2007 at 15.26 +0100, Alan DeKok wrote: 
> Davide Molteni wrote:
> >>> Error: Ignoring request from unknown client ipmycisco:1645
> >>   Did you configure the server to have that IP in "clients.conf"?
> > 
> > Sure! With the IP and the same shared key as the cisco NAS client
> 
> The server isn't finding it.
> 
>   Are you sure the server is reading the "clients.conf" file you're editing?
> 
> > Please notice that I would like to use this radius for simple PAP ONLY.
> > Maybe I'm doing something wrong with the users file?
> 
>   No.
> 
> > Please tell me the right way to configure a single test user for PAP
> > only. I would like to disable unused modules (ldap,mysql...)
> 
>   It's in the FAQ.
> 
> > Couldn't it be a problem of the authentication method?
> 
>   No.
> 
> > I forgot an important element to tell anyone who wants to help.
> > I tried to change the shared key on one side (radius) and noticed that
> > the log file continues to write the same error
> > 
> > Ignoring request from unknown client IP:1645
> > 
> > So the issue is due to the fact that the cisco client doesn't exchange
> > the shared key with radius...
> 
>   No.  They don't exchange shared keys.  You MUST list the Cisco's IP in
> "clients.conf".
> 
>   It looks like you're not doing that, or you're doing it wrong, or
> you're editing a file the server isn't reading.
> 
>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
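The root cause Davide reports above (the account radiusd runs as could not read clients.conf, so the server quietly fell back to the old clients/naslist files) is the kind of thing worth checking before the daemon is started. The script below is an added example for this thread, not FreeRADIUS code: it evaluates the Unix permission bits of a configuration file, and of every directory above it, for the daemon's account. The account name radiusd and the paths under /etc/raddb are assumptions; substitute the user and files named in your radiusd.conf.

```python
"""Check that a daemon's account can read a configuration file.

Added example for this thread, not part of FreeRADIUS. The service account
name (radiusd) and the config paths below are assumptions.
"""
import grp
import os
import pwd
import stat

# Permission bits consulted for a read and for a directory search (execute).
_BITS = {"r": (stat.S_IRUSR, stat.S_IRGRP, stat.S_IROTH),
         "x": (stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)}


def permits(mode, file_uid, file_gid, uid, gids, access="r"):
    """Classic Unix DAC decision: the owner class applies if uid matches,
    else the group class if any of the user's gids matches, else 'other'.
    Only one class is consulted, so an owner with mode 0o060 is denied even
    though the group would be allowed. Root (CAP_DAC_OVERRIDE) is always
    allowed here; POSIX ACLs and LSMs are not modelled."""
    usr, grp_, oth = _BITS[access]
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & usr)
    if file_gid in gids:
        return bool(mode & grp_)
    return bool(mode & oth)


def parent_dirs(path):
    """Directories from / down to the file's own directory, in that order."""
    d, dirs = os.path.dirname(os.path.abspath(path)), []
    while True:
        dirs.append(d)
        parent = os.path.dirname(d)
        if parent == d:
            break
        d = parent
    return dirs[::-1]


def account_ids(username):
    """uid and the set of gids (primary plus supplementary) of a local account."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return pw.pw_uid, gids


def check_readable(path, username="radiusd"):
    """Return (ok, message). Every directory above the file needs the search
    bit for the account, otherwise open() fails with EACCES even when the
    file itself is mode 644."""
    uid, gids = account_ids(username)
    try:
        for d in parent_dirs(path):
            st = os.stat(d)
            if not permits(st.st_mode, st.st_uid, st.st_gid, uid, gids, "x"):
                return False, f"{username} cannot search {d} ({stat.filemode(st.st_mode)}, uid {st.st_uid})"
        st = os.stat(path)
    except OSError as exc:
        return False, f"cannot stat: {exc}"
    if not permits(st.st_mode, st.st_uid, st.st_gid, uid, gids, "r"):
        return False, f"{username} cannot read {path} ({stat.filemode(st.st_mode)}, uid {st.st_uid})"
    return True, f"{username} can read {path}"


if __name__ == "__main__":
    # Assumed paths for a 1.x install; adjust to the files your radiusd.conf names.
    for conf in ("/etc/raddb/clients.conf", "/etc/raddb/radiusd.conf"):
        print(check_readable(conf)[1])
```

Run it as root (or as any user that can stat the files) with the daemon's account name; a false result for a directory rather than the file itself is the common surprise, since a mode 700 /etc/raddb blocks a mode 644 clients.conf just as effectively.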


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Alan DeKok
Davide Molteni wrote:
>>> Error: Ignoring request from unknown client ipmycisco:1645
>>   Did you configure the server to have that IP in "clients.conf"?
> 
> Sure! With the IP and the same shared key as the cisco NAS client

The server isn't finding it.

  Are you sure the server is reading the "clients.conf" file you're editing?

> Please notice that I would like to use this radius for simple PAP ONLY.
> Maybe I'm doing something wrong with the users file?

  No.

> Please tell me the right way to configure a single test user for PAP
> only. I would like to disable unused modules (ldap,mysql...)

  It's in the FAQ.

> Couldn't it be a problem of the authentication method?

  No.

> I forgot an important element to tell anyone who wants to help.
> I tried to change the shared key on one side (radius) and noticed that
> the log file continues to write the same error
> 
> Ignoring request from unknown client IP:1645
> 
> So the issue is due to the fact that the cisco client doesn't exchange
> the shared key with radius...

  No.  They don't exchange shared keys.  You MUST list the Cisco's IP in
"clients.conf".

  It looks like you're not doing that, or you're doing it wrong, or
you're editing a file the server isn't reading.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> Ok just after this test i have 
> 
> after many tries "Re-Sending Access-Request ..."
> 
> radclient: no response from server for ID 250


sounds like you have a firewall blocking the request or that your server is not 
active!

in one window, run 'radiusd -X' at the same time as the 'radtest'. this is the best
debug method for this level of issue.

then, run e.g. on a Linux box

iptables -L -n

if you have a firewall, add UDP ports 1812/1813 

alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Walt Reynolds

I had the problem before and it was because in the clients.conf file I 
had written clients (with an s) and not client.

> 
> Message: 1
> Date: Tue, 13 Feb 2007 12:13:08 +0100
> From: Davide Molteni <[EMAIL PROTECTED]>
> Subject: Re: Error: Ignoring request from unknown client IP:1645
> To: freeradius list 
> Message-ID: <[EMAIL PROTECTED]>
> Content-Type: text/plain
> 
> I'm very sorry Alan for replying to your own email address and not on
> the list. Here it is
> 
> 
> On Mon, 12/02/2007 at 13.35 +0100, Alan DeKok wrote:
>> Davide Molteni wrote:
>>
>>> On the cisco I configured:
>>> radius-server host ipmyradius auth-port 1812 acct-port 1813
>>> and the other aaa commands needed
>>>
>>> If I look at the radius.log file I always see
>>>
>>> Error: Ignoring request from unknown client ipmycisco:1645
>>   Did you configure the server to have that IP in "clients.conf"?
> 
> Sure! With the IP and the same shared key as the cisco NAS client
> 
>>> The Cisco router keeps always trying to connect to radius using port
>>> 1645 even if I specified to use 1812...
>>   That's a bug in the Cisco router.
> 
> Yeah, but is this a problem for freeradius to work properly? Do I need to set
> freeradius to listen on 1645 in radiusd.conf? Or do I need to change it
> in /etc/services?
> 
>>> I have tried to configure the radius
>>> server to listen on port 1645 but it is the same. 
>>   Listening on port 1645 won't make the server believe that "ipmycisco"
>> is a known client.
> 
> Well, I know this very well; in fact, the client that is ignored is
> properly configured in clients.conf
>>> The microsoft radius integration(server 2003) worked at first try with
>>> this cisco config...
>>   Really.  Did you configure the Cisco box as a client in the MS RADIUS
>> server?
> 
> Yes, sure I had to put in the ms radius the cisco box as a client
> otherwise it wouldn't work...
> 
> Please notice that I would like to use this radius for simple PAP ONLY.
> Maybe I'm doing something wrong with the users file?
> Please tell me the right way to configure a single test user for PAP
> only. I would like to disable unused modules (ldap,mysql...)
> 
> Couldn't it be a problem of the authentication method?
> 
> I forgot an important element to tell anyone who wants to help.
> I tried to change the shared key on one side (radius) and noticed that
> the log file continues to write the same error
> 
> Ignoring request from unknown client IP:1645
> 
> So the issue is due to the fact that the cisco client doesn't exchange
> the shared key with radius...
> 
> Can this help to focus the problem better?
> 
> thanks in advance
> 

-- 
Walt Reynolds
Principle Systems Security Development Engineer
Information Technology Central Services
University of Michigan
(734) 615-9438


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
On Tue, 13/02/2007 at 11.59 +, [EMAIL PROTECTED] wrote:
> Hi,
> 
> > client localhost {
> > secret = 181180
> > shortname = localhost
> > nastype = other
> > }
> > 
> > client 192.168.0.1 {
> > secret = 181180
> > shortname = testcisco
> > nastype = cisco
> > }
> > 
> 
> those look fine. have you actually tried a 'radtest' on the local server
> to check all is well?  eg put the following into your 'users' file
> 
> testuser01  Auth-Type:=Local, User-Password=="ehwtehi"
> 
> 
> restart radiusd process then do
> 
> radtest testuser01 ehwtehi localhost 1812 181180

Ok, just after this test I have 

after many tries "Re-Sending Access-Request ..."

radclient: no response from server for ID 250

This is without any change to radiusd.conf. Now I will make all the
modifications you suggested and send you the results.
I'm not proxying.
The freeradius version is 1.0.1
 
> 
> 
> 
> this is pure and simple PAP authentication at its best.
> 
> 
> 
> > ## radiusd.conf -- FreeRADIUS server configuration file.
> 
> which version of freeradius? this config is a bit crusty for a 1.x
> install
> 
> change the following parts
> 
> 
> #bind_address = *
> #port = 0
> 
> listen {
>   #  IP address on which to listen.
>   #  Allowed values are:
>   #   dotted quad (1.2.3.4)
>   #   hostname    (radius.example.com)
>   #   wildcard    (*)
>   ipaddr = *
>  
>   #  Port on which to listen.
>   #  Allowed values are:
>   #   integer port number (1812)
>   #   0 means "use /etc/services for the proper port"
>   port = 1645
>  
>   #  Type of packets to listen for.
>   #  Allowed values are:
>   #   auth    listen for authentication packets
>   #   acct    listen for accounting packets
>   #
>   type = auth
> }
> 
> this uses the 1.x listen directive. i've also changed the port to 1645 - as
> you say your cisco is expecting this port!
> 
> > proxy_requests  = yes
> > $INCLUDE  ${confdir}/proxy.conf
> 
> are you proxying? you didn't say so. you should set this to no(!)
> 
> > #  Supports multiple encryption schemes
> > #  clear: Clear text
> > #  crypt: Unix crypt
> > #  md5:   MD5 encryption
> > #  sha1:  SHA1 encryption.
> > #  DEFAULT: crypt
> > pap {
> >     encryption_scheme = crypt
> > }
> 
> to do the radtest I mentioned above, this value needs to be 'clear'
> 
> you need a crypted version of that password if you wish to use 'crypt'
> 
> 
> as for all the rest: if you aren't using it, comment it out.
> 
> alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> client localhost {
>   secret = 181180
>   shortname = localhost
>   nastype = other
> }
> 
> client 192.168.0.1 {
>   secret = 181180
>   shortname = testcisco
>   nastype = cisco
> }
> 

those look fine. have you actually tried a 'radtest' on the local server
to check all is well?  eg put the following into your 'users' file

testuser01  Auth-Type:=Local, User-Password=="ehwtehi"


restart radiusd process then do

radtest testuser01 ehwtehi localhost 1812 181180



this is pure and simple PAP authentication at its best.



> ## radiusd.conf   -- FreeRADIUS server configuration file.

which version of freeradius? this config is a bit crusty for a 1.x
install

change the following parts


#bind_address = *
#port = 0

listen {
    #  IP address on which to listen.
    #  Allowed values are:
    #   dotted quad (1.2.3.4)
    #   hostname    (radius.example.com)
    #   wildcard    (*)
    ipaddr = *

    #  Port on which to listen.
    #  Allowed values are:
    #   integer port number (1812)
    #   0 means "use /etc/services for the proper port"
    port = 1645

    #  Type of packets to listen for.
    #  Allowed values are:
    #   auth    listen for authentication packets
    #   acct    listen for accounting packets
    #
    type = auth
}

this uses the 1.x listen directive. i've also changed the port to 1645 - as you
say your cisco is expecting this port!

> proxy_requests  = yes
> $INCLUDE  ${confdir}/proxy.conf

are you proxying? you didn't say so. you should set this to no(!)

>   #  Supports multiple encryption schemes
>   #  clear: Clear text
>   #  crypt: Unix crypt
>   #  md5:   MD5 encryption
>   #  sha1:  SHA1 encryption.
>   #  DEFAULT: crypt
>   pap {
>       encryption_scheme = crypt
>   }

to do the radtest I mentioned above, this value needs to be 'clear'

you need a crypted version of that password if you wish to use 'crypt'


as for all the rest: if you aren't using it, comment it out.

alan
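Two points in this thread are easier to see with the server's decision sequence written out: Alan DeKok's reply that shared secrets are never exchanged and the NAS must simply be listed by IP in clients.conf, and the local PAP radtest Alan Buxey describes in this message. The script below is an added example, not FreeRADIUS source. It parses the clients.conf posted above, builds an Access-Request the way radclient or the Cisco would, and plays the server side: look the client up by source IP, recover the PAP User-Password with that client's secret, and answer with a Response Authenticator, all per RFC 2865 sections 3 and 5.2. The mapping of localhost to 127.0.0.1, the USERS table (standing in for the posted users line), and the packet identifier 250 are constructed for the example; Message-Authenticator and other attributes are not modelled.

```python
"""Model of how a RADIUS server treats an Access-Request: client lookup by
source IP, then PAP User-Password recovery with that client's secret.
Added example for this thread, not FreeRADIUS source; packet format and
password hiding follow RFC 2865 sections 3 and 5.2."""
import hashlib
import os
import re
import struct

CLIENTS_CONF = """\
client localhost {
    secret = 181180
    shortname = localhost
    nastype = other
}
client 192.168.0.1 {
    secret = 181180
    shortname = testcisco
    nastype = cisco
}
"""
# Constructed stand-in for the posted users entry (testuser01 / "ehwtehi").
USERS = {"testuser01": b"ehwtehi"}

def parse_clients_conf(text):
    """Client table keyed by source IP; localhost is mapped to 127.0.0.1
    here instead of being resolved (simplification)."""
    clients = {}
    for m in re.finditer(r"client\s+(\S+)\s*\{([^}]*)\}", text):
        attrs = dict(re.findall(r"(\w+)\s*=\s*(\S+)", m.group(2)))
        clients["127.0.0.1" if m.group(1) == "localhost" else m.group(1)] = attrs
    return clients

def _xor16(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16-byte blocks, XOR each with MD5(secret + previous)."""
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = _xor16(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out, prev = out + block, block
    return out

def reveal_password(hidden, secret, authenticator):
    """Inverse of hide_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out, prev = out + _xor16(block, hashlib.md5(secret + prev).digest()), block
    return out.rstrip(b"\0")

def _attr(type_, value):  # Type, Length (including the 2 header bytes), Value
    return struct.pack("!BB", type_, len(value) + 2) + value

def _parse_attrs(data):
    attrs, i = {}, 0
    while i + 2 <= len(data) and data[i + 1] >= 2:
        attrs[data[i]] = data[i + 2:i + data[i + 1]]
        i += data[i + 1]
    return attrs

def build_access_request(ident, authenticator, username, password, secret):
    """What radclient or the NAS sends; only the hidden password involves the secret."""
    attrs = _attr(1, username) + _attr(2, hide_password(password, secret, authenticator))
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def handle_request(packet, src_ip, src_port, clients, users):
    """Server side. Returns (log line, reply packet or None)."""
    client = clients.get(src_ip)
    if client is None:  # decided on source IP alone; port, secret and contents are never examined
        return f"Error: Ignoring request from unknown client {src_ip}:{src_port}", None
    secret = client["secret"].encode()
    _code, ident, length = struct.unpack("!BBH", packet[:4])
    request_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    username = attrs.get(1, b"").decode(errors="replace")
    password = reveal_password(attrs.get(2, b""), secret, request_auth)
    accepted = users.get(username) == password
    header = struct.pack("!BBH", 2 if accepted else 3, ident, 20)  # Access-Accept / Access-Reject
    # Response Authenticator = MD5(Code+ID+Length + RequestAuth + Attributes + Secret)
    reply = header + hashlib.md5(header + request_auth + secret).digest()
    verdict = "Access-Accept" if accepted else "Access-Reject"
    return f"{verdict} for {username!r} from {client['shortname']} ({src_ip}:{src_port})", reply

def verify_response(reply, request_auth, secret):
    """Client-side check of the Response Authenticator (fails on a wrong secret)."""
    expected = hashlib.md5(reply[:4] + reply[20:] + request_auth + secret).digest()
    return reply[4:20] == expected

if __name__ == "__main__":
    clients, auth = parse_clients_conf(CLIENTS_CONF), os.urandom(16)
    good = build_access_request(250, auth, b"testuser01", b"ehwtehi", b"181180")
    bad = build_access_request(250, auth, b"testuser01", b"ehwtehi", b"wrong-secret")
    print(handle_request(good, "192.168.0.77", 1645, clients, USERS)[0])  # unlisted IP
    print(handle_request(good, "192.168.0.1", 1645, clients, USERS)[0])   # port 1645 is fine
    print(handle_request(bad, "192.168.0.1", 1645, clients, USERS)[0])    # Reject, not "unknown"
```

Running it prints the three outcomes that matter for this thread: a request from an IP that is not in clients.conf is dropped with the "unknown client" line whatever port or secret it used; the listed Cisco is accepted even though it sends from 1645; and a mismatched secret turns the recovered password into garbage, which produces an Access-Reject (and a Response Authenticator the client cannot verify), never an "unknown client" message. That is why changing the secret on one side did not change the log line Davide was seeing.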


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread A . L . M . Buxey
Hi,

> I'm very sorry Alan for replying to your own email address and not on
> the list. Here it is

your errors are symptomatic of a trivial but basic configuration munge.
can you email your clients.conf and radiusd.conf files?

alan


Re: Error: Ignoring request from unknown client IP:1645

2007-02-13 Thread Davide Molteni
I'm very sorry Alan for replying to your own email address and not on
the list. Here it is


On Mon, 12/02/2007 at 13.35 +0100, Alan DeKok wrote:
> Davide Molteni wrote:
> 
> > On the cisco I configured:
> > radius-server host ipmyradius auth-port 1812 acct-port 1813
> > and the other aaa commands needed
> > 
> > If I look at the radius.log file I always see
> > 
> > Error: Ignoring request from unknown client ipmycisco:1645
> 
>   Did you configure the server to have that IP in "clients.conf"?

Sure! With the IP and the same shared key as the cisco NAS client

> 
> > The Cisco router keeps always trying to connect to radius using port
> > 1645 even if I specified to use 1812...
> 
>   That's a bug in the Cisco router.

Yeah, but is this a problem for freeradius to work properly? Do I need to set
freeradius to listen on 1645 in radiusd.conf? Or do I need to change it
in /etc/services?

> 
> > I have tried to configure the radius
> > server to listen on port 1645 but it is the same. 
> 
>   Listening on port 1645 won't make the server believe that "ipmycisco"
> is a known client.

Well, I know this very well; in fact, the client that is ignored is
properly configured in clients.conf
> 
> > The microsoft radius integration(server 2003) worked at first try with
> > this cisco config...
> 
>   Really.  Did you configure the Cisco box as a client in the MS RADIUS
> server?

Yes, sure I had to put in the ms radius the cisco box as a client
otherwise it wouldn't work...

Please notice that I would like to use this radius for simple PAP ONLY.
Maybe I'm doing something wrong with the users file?
Please tell me the right way to configure a single test user for PAP
only. I would like to disable unused modules (ldap,mysql...)

Couldn't it be a problem of the authentication method?

I forgot an important element to tell anyone who wants to help.
I tried to change the shared key on one side (radius) and noticed that
the log file continues to write the same error

Ignoring request from unknown client IP:1645

So the issue is due to the fact that the cisco client doesn't exchange
the shared key with radius...

Can this help to focus the problem better?

thanks in advance


Re: Error: Ignoring request from unknown client IP:1645

2007-02-12 Thread Alan DeKok
Davide Molteni wrote:

> On the cisco I configured:
> radius-server host ipmyradius auth-port 1812 acct-port 1813
> and the other aaa commands needed
> 
> If I look at the radius.log file I always see
> 
> Error: Ignoring request from unknown client ipmycisco:1645

  Did you configure the server to have that IP in "clients.conf"?

> The Cisco router keeps always trying to connect to radius using port
> 1645 even if I specified to use 1812...

  That's a bug in the Cisco router.

> I have tried to configure the radius
> server to listen on port 1645 but it is the same. 

  Listening on port 1645 won't make the server believe that "ipmycisco"
is a known client.

> The microsoft radius integration(server 2003) worked at first try with
> this cisco config...

  Really.  Did you configure the Cisco box as a client in the MS RADIUS
server?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Error: Ignoring request from unknown client IP:1645

2007-02-12 Thread Davide Molteni
I made this very simple environment for testing purposes but I can't get
it to work...

I have a cisco 1750 router with IOS 12.1(5)IB4 and configured it to
access a radius server made with phpRADmin livecd (fedora5+freeradius)

On the cisco I configured:
radius-server host ipmyradius auth-port 1812 acct-port 1813
and the other aaa commands needed

If I look at the radius.log file I always see

Error: Ignoring request from unknown client ipmycisco:1645

The Cisco router keeps always trying to connect to radius using port
1645 even if I specified to use 1812... I have tried to configure the radius
server to listen on port 1645 but it is the same. 
Obviously the shared key is the same on both sides.

I even tried with a clean installation of freeradius on a plain debian
but I get the same error in the logs...

The microsoft radius integration(server 2003) worked at first try with
this cisco config...

Please, any help?
