can't connect to radius server

Laker Netman laker_netman at yahoo.com
Tue May 23 17:22:41 CEST 2006 


--- simon at 434canada.com wrote:

> I have tried running tcpdump, and I am getting
> packets from the client to the server:
> 09:38:42.376543 IP 10.10.1.1.bpmd >
> 10.10.1.102.radius: RADIUS, Access Request (1), id:
> 0x00 length: 131
> 09:38:42.376543 IP 10.10.1.1.bpmd >
> 10.10.1.102.radius: RADIUS, Access Request (1), id:
> 0x00 length: 129
> 
> Here is the output I get when I start the server in
> debug mode:
> 
> Starting - reading configuration files ...
> reread_config: reading radiusd.conf
> Config: including file:
> /usr/local/etc/raddb/proxy.conf
> Config: including file:
> /usr/local/etc/raddb/clients.conf
> Config: including file:
> /usr/local/etc/raddb/snmp.conf
> Config: including file:
> /usr/local/etc/raddb/eap.conf
> Config: including file:
> /usr/local/etc/raddb/sql.conf
> main: prefix = "/usr/local"
> main: localstatedir = "/usr/local/var"
> main: logdir = "/usr/local/var/log/radius"
> main: libdir = "/usr/local/lib"
> main: radacctdir =
> "/usr/local/var/log/radius/radacct"
> main: hostname_lookups = no
> main: max_request_time = 30
> main: cleanup_delay = 5
> main: max_requests = 1024
> main: delete_blocked_requests = 0
> main: port = 0
> main: allow_core_dumps = no
> main: log_stripped_names = no
> main: log_file =
> "/usr/local/var/log/radius/radius.log"
> main: log_auth = no
> main: log_auth_badpass = no
> main: log_auth_goodpass = no
> main: pidfile =
> "/usr/local/var/run/radiusd/radiusd.pid"
> main: user = "(null)"
> main: group = "(null)"
> main: usercollide = no
> main: lower_user = "no"
> main: lower_pass = "no"
> main: nospace_user = "no"
> main: nospace_pass = "no"
> main: checkrad = "/usr/local/sbin/checkrad"
> main: proxy_requests = yes
> proxy: retry_delay = 5
> proxy: retry_count = 3
> proxy: synchronous = no
> proxy: default_fallback = yes
> proxy: dead_time = 120
> proxy: post_proxy_authorize = no
> proxy: wake_all_if_all_dead = no
> security: max_attributes = 200
> security: reject_delay = 1
> security: status_server = no
> main: debug_level = 0
> read_config_files: reading dictionary
> read_config_files: reading naslist
> Using deprecated naslist file. Support for this will
> go away soon.
> read_config_files: reading clients
> read_config_files: reading realms
> radiusd: entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec
> exec: wait = yes
> exec: program = "(null)"
> exec: input_pairs = "request"
> exec: output_pairs = "(null)"
> exec: packet_type = "(null)"
> rlm_exec: Wait=yes but no output defined. Did you
> mean output=none?
> Module: Instantiated exec (exec)
> Module: Loaded expr
> Module: Instantiated expr (expr)
> Module: Loaded PAP
> pap: encryption_scheme = "crypt"
> Module: Instantiated pap (pap)
> Module: Loaded CHAP
> Module: Instantiated chap (chap)
> Module: Loaded MS-CHAP
> mschap: use_mppe = yes
> mschap: require_encryption = yes
> mschap: require_strong = yes
> mschap: with_ntdomain_hack = no
> mschap: passwd = "(null)"
> mschap: authtype = "MS-CHAP"
> mschap: ntlm_auth = "(null)"
> Module: Instantiated mschap (mschap)
> Module: Loaded System
> unix: cache = no
> unix: passwd = "(null)"
> unix: shadow = "(null)"
> unix: group = "(null)"
> unix: radwtmp = "/usr/local/var/log/radius/radwtmp"
> unix: usegroup = no
> unix: cache_reload = 600
> Module: Instantiated unix (unix)
> Module: Loaded eap
> eap: default_eap_type = "peap"
> eap: timer_expire = 60
> eap: ignore_unknown_eap_types = no
> eap: cisco_accounting_username_bug = no
> rlm_eap: Loaded and initialized type md5
> rlm_eap: Loaded and initialized type leap
> gtc: challenge = "Password: "
> gtc: auth_type = "PAP"
> rlm_eap: Loaded and initialized type gtc
> tls: rsa_key_exchange = no
> tls: dh_key_exchange = yes
> tls: rsa_key_length = 512
> tls: dh_key_length = 512
> tls: verify_depth = 0
> tls: CA_path = "(null)"
> tls: pem_file_type = yes
> tls: private_key_file =
> "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: certificate_file =
> "/usr/local/etc/raddb/certs/cert-srv.pem"
> tls: CA_file =
> "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
> tls: private_key_password = "whatever"
> tls: dh_file = "/usr/local/etc/raddb/certs/dh"
> tls: random_file =
> "/usr/local/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> rlm_eap_tls: Loading the certificate file as a chain
> rlm_eap: Loaded and initialized type tls
> peap: default_eap_type = "mschapv2"
> peap: copy_request_to_tunnel = no
> peap: use_tunneled_reply = no
> peap: proxy_tunneled_request_as_eap = yes
> rlm_eap: Loaded and initialized type peap
> mschapv2: with_ntdomain_hack = no
> rlm_eap: Loaded and initialized type mschapv2
> Module: Instantiated eap (eap)
> Module: Loaded preprocess
> preprocess: huntgroups =
> "/usr/local/etc/raddb/huntgroups"
> preprocess: hints = "/usr/local/etc/raddb/hints"
> preprocess: with_ascend_hack = no
> preprocess: ascend_channels_per_line = 23
> preprocess: with_ntdomain_hack = no
> preprocess: with_specialix_jetstream_hack = no
> preprocess: with_cisco_vsa_hack = no
> Module: Instantiated preprocess (preprocess)
> Module: Loaded realm
> realm: format = "suffix"
> realm: delimiter = "@"
> realm: ignore_default = no
> realm: ignore_null = no
> Module: Instantiated realm (suffix)
> Module: Loaded files
> files: usersfile = "/usr/local/etc/raddb/users"
> files: acctusersfile =
> "/usr/local/etc/raddb/acct_users"
> files: preproxy_usersfile =
> "/usr/local/etc/raddb/preproxy_users"
> files: compat = "no"
> Module: Instantiated files (files)
> Module: Loaded Acct-Unique-Session-Id
> acct_unique: key = "User-Name, Acct-Session-Id,
> NAS-IP-Address, Client-IP-Address, NAS-Port"
> Module: Instantiated acct_unique (acct_unique)
> Module: Loaded detail
> detail: detailfile =
>
"/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename =
> "/usr/local/var/log/radius/radutmp"
> radutmp: username = "%{User-Name}"
> radutmp: case_sensitive = yes
> radutmp: check_with_nas = yes
> radutmp: perm = 384
> radutmp: callerid = yes
> Module: Instantiated radutmp (radutmp)
> Listening on authentication *:1812
> Listening on accounting *:1813
> Ready to process requests. 
> 
> When I run nmap on the Radius server, just watching
> port 1812, I get conflicting results depending on
> what machine I run nmap on.  When I test the port
> from the client machine, it returns saying the port
> is filtered, but when I run nmap on the actual
> server, 
=== message truncated ===

If you're not seeing any output after "Ready to
process requests." then the packets aren't making it
to FR.
Rather than looking at packet level information, it
may be of more value to look at the firewall details. 
If you're running iptables, for example, "iptables -L
-v --line-numbers" will give you a clear and detailed
view of what the firewalling is blocking and allowing.
If this server does not have any interfaces exposed to
the public Internet, try turning off the firewall
completely and test (be sure to turn it back on though
:)
Laker

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Freeradius-Users mailing list