Re: The client does not connect _*_*_*_
ok, I think the server is reading files on the path: /usr/local/etc/
so, I modified the file /usr/local/etc/raddb/clients.conf by adding:

client ipipgw {
    ipaddr = 192.168.6.201
    secret = testing123
    shortname = c3725
    nastype = cisco
    login = user
    password = userpass
}

and this is the debug output:

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.6.201 port 1645, id=4, length=84
    User-Name = thanh
    User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ
    NAS-Port = 98
    NAS-Port-Id = tty98
    NAS-Port-Type = Virtual
    Calling-Station-Id = 192.168.6.20
    NAS-IP-Address = 192.168.6.201
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = thanh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - thanh
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 4 to 192.168.6.201 port 1645
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.6.201 port 1645, id=4, length=84
Sending duplicate reply to client ipipgw port 1645 - ID: 4
Sending Access-Reject of id 4 to 192.168.6.201 port 1645
Waking up in 1.2 seconds.
Cleaning up request 0 ID 4 with timestamp +52
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.6.201 port 1645, id=4, length=84
    User-Name = thanh
    User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ
    NAS-Port = 98
    NAS-Port-Id = tty98
    NAS-Port-Type = Virtual
    Calling-Station-Id = 192.168.6.20
    NAS-IP-Address = 192.168.6.201
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = thanh, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user. Authentication may fail because of this.
++[pap] returns noop
No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Failed to authenticate the user.
WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - thanh
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 4 to 192.168.6.201 port 1645
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 192.168.6.201 port 1645, id=4, length=84
Sending duplicate reply to client ipipgw port 1645 - ID: 4
Sending Access-Reject of id 4 to 192.168.6.201 port 1645
Waking up in 1.2 seconds.
Cleaning up request 1 ID 4 with timestamp +61
Ready to process requests.

plz tell me how to solve this. thank you very much

-- htt

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: The client does not connect _*_*_*_
Hi,

> User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ

note the mess ..then note this warning:

> WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!

not sure how much more help the server can give you. you have incorrect shared secret. double check your values...trailing space?

alan
Re: The client does not connect _*_*_*_
Hi,

I don't know why the user-password is encrypted, how can I make a cleartext secret...;((

thanks in advance

On 11 May 2010 14:23, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:

> Hi,
>
> > User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ
>
> note the mess ..then note this warning:
>
> > WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
>
> not sure how much more help the server can give you. you have incorrect shared secret. double check your values...trailing space?
>
> alan

-- htt
Re: The client does not connect _*_*_*_
On 11/05/2010 10:09, htt thanh wrote:

> Hi,
>
> I don't know why the user-password is encrypted, how can I make a cleartext secret...;((

The problem is with your client shared secret: the secret you set in /etc/raddb/clients.conf and in your NAS configuration. It seems that you haven't set the same secret in your FR configuration and in your NAS so that the password sent to FR is not correctly decrypted.

Thibaukt

> thanks in advance
>
> On 11 May 2010 14:23, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
>
> > Hi,
> >
> > > User-Password = -*\333\003D\215\345\\\302\036\251\320:\373ȇ
> >
> > note the mess ..then note this warning:
> >
> > > WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!
> >
> > not sure how much more help the server can give you. you have incorrect shared secret. double check your values...trailing space?
> >
> > alan
>
> -- htt
Re: The client does not connect _*_*_*_
hafthanhf wrote:

> hi Alan, I have the same problem with Martin, plz help me.. I added something in the raddb/clients.conf file as follow:

So... run the server in debugging mode as suggested everywhere.

READ the debug output. Is the client listed?

READ the debug output. When it receives a packet, what happens?

My magical ability to solve problems is largely a result of reading the output of the server.

Alan DeKok.
Re: The client does not connect _*_*_*_
thanks for the reply Alan, to be clear, here is my topology

PC
|
SW---Router (c3725)
|
Radius server

when I telnet to the router from my PC, the radius server lists the clients as unknown clients. as soon as I entered the password. the debug output is as follow:

ignoring request to authentication address * port 1812 from unknow client 192.168.6.201 port 1645

I've also run debug radius mode on the router, and here is the output:

*Mar 1 00:06:03.507: RADIUS: no sg in radius-timers: ctx 0x658A67E4 sg 0x
*Mar 1 00:06:03.511: RADIUS: Retransmit to (192.168.6.102:1812,1813) for id 1645/2

each time the router retransmits the access request message, the server shows the output as above.

On 10 May 2010 13:10, Alan DeKok al...@deployingradius.com wrote:

> hafthanhf wrote:
>
> > hi Alan, I have the same problem with Martin, plz help me.. I added something in the raddb/clients.conf file as follow:
>
> So... run the server in debugging mode as suggested everywhere.
>
> READ the debug output. Is the client listed?
>
> READ the debug output. When it receives a packet, what happens?
>
> My magical ability to solve problems is largely a result of reading the output of the server.
>
> Alan DeKok.

-- htt
Re: The client does not connect _*_*_*_
htt thanh wrote:

> thanks for the reply Alan, to be clear, here is my topology

I didn't ask for that.

> when I telnet to the router from my PC, the radius server lists the clients as unknown clients. as soon as I entered the password.

You already said that.

> the debug output is as follow:
>
> ignoring request to authentication address * port 1812 from unknow client 192.168.6.201 port 1645

Did you read the *rest* of the debug output as I suggested?

> I've also run debug radius mode on the router, and here is the output:

I didn't ask for that.

Honestly, it's not that difficult to see what's going on. Go back to my previous message, and READ IT. Be sure that you answer BOTH questions.

The problem here is that you're not following instructions. That's a guaranteed way to *never* solve the problem.

Alan DeKok.
Re: The client does not connect _*_*_*_
hi Alan,

thank you for getting me out of the wrong way, I've checked the whole of the server's output, in debug mode, and I found out that the radius included its configuration files with this path, all of them are: /usr/local/etc/raddb/xxx

e.g:

including configuration file /usr/local/etc/raddb/radiusd.conf
including configuration file /usr/local/etc/raddb/proxy.conf
including configuration file /usr/local/etc/raddb/clients.conf
including files in directory /usr/local/etc/raddb/modules/
...

while the path of configuration files I modified is: /usr/local/freeradius-server-2.1.8/raddb/

So should I change the configuration files in the path /usr/local/etc/raddb or make some modifications in the /usr/local/freeradius-server-2.1.8/raddb/radiusd.conf? ..

On 10 May 2010 15:11, Alan DeKok al...@deployingradius.com wrote:

> htt thanh wrote:
>
> > thanks for the reply Alan, to be clear, here is my topology
>
> I didn't ask for that.
>
> > when I telnet to the router from my PC, the radius server lists the clients as unknown clients. as soon as I entered the password.
>
> You already said that.
>
> > the debug output is as follow:
> >
> > ignoring request to authentication address * port 1812 from unknow client 192.168.6.201 port 1645
>
> Did you read the *rest* of the debug output as I suggested?
>
> > I've also run debug radius mode on the router, and here is the output:
>
> I didn't ask for that.
>
> Honestly, it's not that difficult to see what's going on. Go back to my previous message, and READ IT. Be sure that you answer BOTH questions.
>
> The problem here is that you're not following instructions. That's a guaranteed way to *never* solve the problem.
>
> Alan DeKok.

-- htt
Re: The client does not connect _*_*_*_
htt thanh wrote:

> hi Alan,
>
> thank you for getting me out of the wrong way, I've checked the whole of the server's output, in debug mode, and I found out that the radius included its configuration files with this path, all of them are: /usr/local/etc/raddb/xxx
>
> e.g:
>
> including configuration file /usr/local/etc/raddb/radiusd.conf
> including configuration file /usr/local/etc/raddb/proxy.conf
> including configuration file /usr/local/etc/raddb/clients.conf
> including files in directory /usr/local/etc/raddb/modules/
> ...
>
> while the path of configuration files I modified is: /usr/local/freeradius-server-2.1.8/raddb/
>
> So should I change the configuration files in the path /usr/local/etc/raddb or make some modifications in the /usr/local/freeradius-server-2.1.8/raddb/radiusd.conf?

Which one is the server reading?

Which one should you modify?

Is there a reason to modify a file that the server does not read?

Alan DeKok.
Re: The client does not connect _*_*_*_
Alan DeKok-2 wrote:

> Martin Silvero wrote:
>
> > Thu Sep 25 12:49:16 2008 : Debug: Ignoring request to authentication address * port 1812 from unknown client 10.0.42.250
>
> Well... did you add that IP as a client in raddb/clients.conf?
>
> Alan DeKok.

hi Alan, I have the same problem with Martin, plz help me.. I added something in the raddb/clients.conf file as follow:

client ipipgw {
    ipaddr = 192.168.6.201
    secret = testing123
    shortname = c3725
    nastype = cisco
    login = user
    password = userpass
}

--
View this message in context: http://old.nabble.com/The-client-does-not-connect-_*_*_*_-tp19672841p28468884.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
Re: The client does not connect _*_*_*_
Again, what's the debug output? Does the client manage to send a RADIUS packet that actually arrives at the server?

//anders

2008/10/1 Martin Silvero [EMAIL PROTECTED]

> sorry what they say is ...
>
> The access point has an IP 10.0.31.x and is included within raddb/client.conf, forget the IP 10.0.42.250 because I connect to that network to another topic. The server is in the 10.30.1.x, we do not need to be on the same network because they are routable VLANs. Pinging responds well. What could be the problem?
>
> --
> Silvero Martin
Re: The client does not connect _*_*_*_
Get Wireshark and start looking at what happens to radius packets. Staring at it is not going to make it work. You will find out that you do have a firewall after all. Or your AP is sending packets to the wrong address. Or your routing is messed up.

Ivan Kalik
Kalik Informatika ISP

On 3/10/2008, Martin Silvero [EMAIL PROTECTED] wrote:

> the problem is... when I want to connect from the notebook to the network radius, asking me to configure the profile to the type of authentication, and so on. what set everything is ready and when I try to connect but does not connect to the server and are not recorded requests. on the server are not recorded movements, and the notebook does not show any error. I have no firewall either. Got it? the ping's respond well in both directions.
Re: The client does not connect _*_*_*_
> rlm_eap_tls: TLS 1.0 Handshake [length 0384], Certificate
> -- verify error:num=20:unable to get local issuer certificate
> rlm_eap_tls: TLS 1.0 Alert [length 0002], fatal unknown_ca
> TLS Alert write:fatal:unknown CA
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> rlm_eap_tls: SSL_read failed in a system call (-1), TLS session fails.
> eaptls_process returned 13

Have you imported CA certificate onto the users machine?

Ivan Kalik
Kalik Informatika ISP
Re: The client does not connect _*_*_*_
* Martin Silvero [EMAIL PROTECTED] [2008-10-03 21:02]:

> yes, I imported client.p12 and ca.der to the notebook, the checked again and are fine

Can you please learn to quote and reply properly. Thanks.

--
Vegard Svanberg [EMAIL PROTECTED] [EMAIL PROTECTED] (EFnet)]
Re: The client does not connect _*_*_*_
Hi,

> Well, when I want to connect from the notebook to the network radius, asking me to configure the profile to the type of authentication, and so on. what set everything is ready and when I try to connect but does not connect to the server and are not recorded requests. What could be the problem?

where's the debug output - as per asked for EVERY time such a query is asked of people on this list?

alan
Re: The client does not connect _*_*_*_
> The access point has an IP 10.0.31.x and is included within raddb/client.conf, forget the IP 10.0.42.250 because I connect to that network to another topic. The server is in the 10.30.1.x, we do not need to be on the same network because they are routable VLANs. Pinging responds well. What could be the problem?

Still the same: routing/firewall. Use Wireshark to find out what happens with radius packets.

Ivan Kalik
Kalik Informatika ISP
Re: The client does not connect _*_*_*_
Que? No Habla Espanol. Habla Ingles??

That, and how to order a beer is roughly the extent of my Spanish.

//anders

On 26/09/2008 15:53, Martin Silvero [EMAIL PROTECTED] wrote:

> The access point has the IP 10.0.31.40 and is included in raddb/client.conf; let's forget the IP 10.0.42.250 because I connected to that network for another matter. The server is on 10.30.1.x and does not need to be on the same network because they are routable VLANs. Pinging responds fine. What could the problem be?
Re: The client does not connect _*_*_*_
You say 10.0.32.x is on a different network than 10.0.42.x? What's your netmasks and your routing table like? What network is your client on and what network is your server on? Can you ping the server (or access it in any way) from the client?

This is really more a basic networking question than a specific Radius issue.

//anders

On 25/09/2008 22:48, Pshem Kowalczyk [EMAIL PROTECTED] wrote:

> Hi All,
>
> Please don't forget that radius is UDP, and telnet TCP - firewall might be protocol specific and the fact that you can't telnet to port 1812 doesn't mean you can't use radius.
>
> kind regards
> Pshem
Re: The client does not connect _*_*_*_
any firewall ? try with ntradping ( free tool to test radius )

2008/9/25 Martin Silvero [EMAIL PROTECTED]:

> Good morning! I am with a new problem, I feel like I'm close. My problem now is that set in a notebook the connection to authenticate with tls but not connecting, I am not showing any error, just does not connect, you run into the radius with -x and is waiting for requests. Why is this wrong? Do you ever step on someone?
Re: The client does not connect _*_*_*_
Martin Silvero wrote:

> Thu Sep 25 12:49:16 2008 : Debug: Ignoring request to authentication address * port 1812 from unknown client 10.0.42.250

Well... did you add that IP as a client in raddb/clients.conf?

Alan DeKok.
Re: The client does not connect _*_*_*_
Can you ping the radius server from the access point. This is a networking issue - nothing to do with radius.

Ivan Kalik
Kalik Informatika ISP

On 25/9/2008, Martin Silvero [EMAIL PROTECTED] wrote:

> in fact this IP (10.0.42.250) is another network which is connected to the notebook, which I have done now is to disconnect from the network and try to connect to the radius of the outcome this time is that in the radius server does not There is movement and the tool NTRadPing I get:
>
> no response from server (time out), new attemp - could not receive a response from the server
>
> the IP i add to raddb/clients.conf is the access point client = 10.0.31.40 the IP 10.0.42.250 as other networks but i disconnect
>
> thanks!
Re: The client does not connect _*_*_*_
maybe it's a hotspot issue, i had one with some Mikrotik Hotspot and had to do an IP - Hotspot - IP Binding. theoretically it's a NAT issue

2008/9/25 [EMAIL PROTECTED]:

> Can you ping the radius server from the access point. This is a networking issue - nothing to do with radius.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 25/9/2008, Martin Silvero [EMAIL PROTECTED] wrote:
>
> > in fact this IP (10.0.42.250) is another network which is connected to the notebook, which I have done now is to disconnect from the network and try to connect to the radius of the outcome this time is that in the radius server does not There is movement and the tool NTRadPing I get:
> >
> > no response from server (time out), new attemp - could not receive a response from the server
> >
> > the IP i add to raddb/clients.conf is the access point client = 10.0.31.40 the IP 10.0.42.250 as other networks but i disconnect
> >
> > thanks!
Re: The client does not connect _*_*_*_
Then try to telnet (port 1812) from access point to server. If you can't - problem is firewall. If you can - you haven't configured radius on AP properly.

Ivan Kalik
Kalik Informatika ISP

On 25/9/2008, Martin Silvero [EMAIL PROTECTED] wrote:

> Yes, tried to ping and responds quickly and without losses. Also I did from the server and also responds. What could be the problem?
Re: The client does not connect _*_*_*_
Hi All,

Please don't forget that radius is UDP, and telnet TCP - firewall might be protocol specific and the fact that you can't telnet to port 1812 doesn't mean you can't use radius.

kind regards
Pshem