Hi,

> Thank you for your kind answer.
>
> Yes, I think so,
> Limit is not the cause.
>
> I have changed “max_attributes” to 300 at radiusd.conf.
> No difference.
>
> I also disabled proxy request.
>
> #proxy_requests = yes
> #$INCLUDE proxy.conf
>
> (I do not know what the proxy_requests does)
>
> But Error message is same.
>
> This is /var/log/radius.log
>
> Mon Mar 27 18:05:29 2017 : Warning: [/etc/freeradius/mods-config/attr_filter/access_reject]:11 Check item "FreeRADIUS-Response-Delay-USec" found in filter list for realm "DEFAULT".
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server <default>
> Mon Mar 27 18:05:29 2017 : Warning: Ignoring "sql" (see raddb/mods-available/README.rst)
> Mon Mar 27 18:05:29 2017 : Warning: Ignoring "ldap" (see raddb/mods-available/README.rst)
> Mon Mar 27 18:05:29 2017 : Info: # Skipping contents of 'if' as it is always 'false' -- /etc/freeradius/sites-enabled/inner-tunnel:330
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server inner-tunnel
> Mon Mar 27 18:05:29 2017 : Info: Loaded virtual server default
> Mon Mar 27 18:05:29 2017 : Info: Ready to process requests
> Mon Mar 27 18:05:34 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 301, max 300 are allowed).
> ...

You still have a loop somewhere. Attributes get added and the message replayed until the limit is exceeded (now just 300 instead of 200). Try running FreeRADIUS in debug mode (-X). Maybe the log will tell you why it resends the message to itself.

> I imagine there is some misconfiguration.
>
> But I can not know which configuration is wrong, charon or radius?

Most likely FreeRADIUS.

> This is my radiusd.conf
> (I have not changed except max_attributes and proxy_requests )
>
> prefix = /usr
> exec_prefix = /usr
> sysconfdir = /etc
> localstatedir = /var
> sbindir = ${exec_prefix}/sbin
> logdir = /var/log/freeradius
> raddbdir = /etc/freeradius
> radacctdir = ${logdir}/radacct
> name = freeradius
> confdir = ${raddbdir}
> modconfdir = ${confdir}/mods-config
> certdir = ${confdir}/certs
> cadir = ${confdir}/certs
> run_dir = ${localstatedir}/run/${name}
> db_dir = ${raddbdir}
> libdir = /usr/lib/freeradius
> pidfile = ${run_dir}/${name}.pid
> correct_escapes = true
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 16384
> hostname_lookups = no
> log {
>     destination = files
>     colourise = yes
>     file = ${logdir}/radius.log
>     syslog_facility = daemon
>     stripped_names = no
>     auth = no
>     auth_badpass = no
>     auth_goodpass = no
>     msg_denied = "You are already logged in - access denied"
> }
> checkrad = ${sbindir}/checkrad
> security {
>     user = freerad
>     group = freerad
>     allow_core_dumps = no
>     max_attributes = 300
>     reject_delay = 1
>     status_server = yes
> }
> $INCLUDE clients.conf
> thread pool {
>     start_servers = 5
>     max_servers = 32
>     min_spare_servers = 3
>     max_spare_servers = 10
>     max_requests_per_server = 0
>     auto_limit_acct = no
> }
> modules {
>     $INCLUDE mods-enabled/
> }
> instantiate {
> }
> policy {
>     $INCLUDE policy.d/
> }
> $INCLUDE sites-enabled/
>
>
> PS :
> It seems that I have read that eap-radius + mschapv2 is not supported
> on freeradius.
> Is that so?

That depends on the FreeRADIUS configuration (sites/virtual servers).

Regards,
Tobias
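
An added example, not part of the original message or of FreeRADIUS: a small triage script that reads radius.log and flags the pattern discussed in this thread, where the server drops its own packets just past `max_attributes` even after the limit is raised. The function names, the "loopback sender and received == max + 1" heuristic, and the sample lines marked as constructed are assumptions of this example.

```python
import ipaddress
import re
from collections import defaultdict

# The drop message as it appears in the radius.log quoted in the thread.
DROP_RE = re.compile(
    r"Possible DoS attack from host (?P<host>\S+): Too many attributes in "
    r"request \(received (?P<received>\d+), max (?P<limit>\d+) are allowed\)"
)

# Third line is from the thread (re-joined); the 201/200 and 192.0.2.44
# lines are constructed for this example.
SAMPLE_LOG = """\
Mon Mar 27 17:40:02 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 201, max 200 are allowed).
Mon Mar 27 18:05:29 2017 : Info: Ready to process requests
Mon Mar 27 18:05:34 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 127.0.0.1: Too many attributes in request (received 301, max 300 are allowed).
Mon Mar 27 18:06:10 2017 : Info: Dropping packet without response because of error: Possible DoS attack from host 192.0.2.44: Too many attributes in request (received 950, max 300 are allowed).
"""

def find_attribute_drops(lines):
    """Return {host: [(received, limit), ...]} for each attribute-limit drop."""
    drops = defaultdict(list)
    for line in lines:
        m = DROP_RE.search(line)
        if m:
            drops[m["host"]].append((int(m["received"]), int(m["limit"])))
    return dict(drops)

def suspected_loops(drops):
    """Heuristic (assumption): the sender is the server itself and every drop
    is exactly one attribute over the limit, whatever the limit was set to."""
    flagged = []
    for host, events in drops.items():
        try:
            is_self = ipaddress.ip_address(host).is_loopback
        except ValueError:  # a hostname rather than an address
            is_self = False
        if is_self and all(rcv == limit + 1 for rcv, limit in events):
            flagged.append(host)
    return sorted(flagged)

if __name__ == "__main__":
    drops = find_attribute_drops(SAMPLE_LOG.splitlines())
    for host in suspected_loops(drops):
        print(f"{host}: likely request loop, drops at {drops[host]}")
```

A flagged host only narrows where to look; the debug output from `-X` is still what shows which virtual server or module sends the request back to the server.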