Server logs say users authenticate, but they don't (Now with more details!)

Ernie Dunbar maillist at lightspeed.ca
Wed Nov 8 23:01:26 CET 2006


Okay, after doing these tests, we can see that the Cisco is now accepting
the packets.

However, the AS5300 is now telling us "no appropriate authorization type
for user". Here are the logs from the AS5300 (XX.XX.XX.X is the new server,
XX.XX.XX.Y is the backup that was offline for the duration of the test):

*Jan  3 16:30:43: RADIUS: Trying next server (XX.XX.XX.X) for id 20
*Jan  3 16:30:43: RADIUS: Retransmit id 20
*Jan  3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812, Access-Accept, len 20
*Jan  3 16:30:43: RADIUS: saved authorization data for user 616D09DC at 614184A4
*Jan  3 16:30:43: RADIUS: no appropriate authorization type for user.
*Jan  3 16:30:43: RADIUS: ustruct sharecount=1
*Jan  3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645, Access-Request, len 88
*Jan  3 16:30:43:         Attribute 4 6 CCF4E9FE
*Jan  3 16:30:43:         Attribute 5 6 00000038
*Jan  3 16:30:43:         Attribute 61 6 00000000
*Jan  3 16:30:43:         Attribute 1 11 72737461
*Jan  3 16:30:43:         Attribute 30 9 36383131
*Jan  3 16:30:43:         Attribute 2 18 A3B5B2A0
*Jan  3 16:30:43:         Attribute 6 6 00000002
*Jan  3 16:30:43:         Attribute 7 6 00000001
*Jan  3 16:30:44: %ISDN-6-DISCONNECT: Interface Serial2:5  disconnected from unknown , call lasted 53 seconds
*Jan  3 16:30:44:  isdn_Call_disconnect()


> Hi Ernie,
>
> * Run radiusd -X and check that Access-Accept is being sent, and how
> long after the Access-Request this is.
>
> * Verify with tcpdump that the packet is actually getting onto the wire.
>
> * Check for iptables rules/access-lists that might be dropping/rejecting
> the packets.
>
> * Make sure your AS5300 and freeradius are configured to use the same
> port numbers.  freeradius shouldn't be seeing the Access-Request if not,
> but it might be worth a look.
>
> Ernie Dunbar wrote:
>>> G'day Ernie,
>>>
>>> Can you sniff on the AS5300 and ensure the Access-Accept packets are
>>> arriving before the 3 second (default) timeout?
>>
>> Yes, we tried that. The access-accept packets aren't arriving at all!
>>
>>> Does it work if you temporarily disable the Simultaneous-Use check?
>>
>> No, that doesn't work either.
>>
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
>
> --
> James Wakefield,
> Unix Administrator, Information Technology Services Division
> Deakin University, Geelong, Victoria 3217 Australia.
>
> Phone: 03 5227 8690 International: +61 3 5227 8690
> Fax:   03 5227 8866 International: +61 3 5227 8866
> E-mail:   james.wakefield at deakin.edu.au
> Website:  http://www.deakin.edu.au
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
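
The AS5300 debug output quoted in this message can be decoded mechanically. The following is an added example, not code from the post, FreeRADIUS or Cisco: it parses lines of this shape, names the attributes using RFC 2865 numbers, and flags any Access-Accept whose length equals the bare 20-byte RADIUS header. The function names and the choice of sample lines are assumptions made for the illustration.

```python
import re

RADIUS_HEADER_LEN = 20  # code(1) + id(1) + length(2) + authenticator(16), RFC 2865
# RFC 2865 attribute numbers used by the sample lines below.
INT_ATTRS = {5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 61: "NAS-Port-Type"}
TEXT_ATTRS = {1: "User-Name", 30: "Called-Station-Id"}

PACKET_RE = re.compile(r"RADIUS: .*?(Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-F]{8})")

# A subset of the lines from the post, with mail line-wraps rejoined.
SAMPLE = """\
*Jan  3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812, Access-Accept, len 20
*Jan  3 16:30:43: RADIUS: no appropriate authorization type for user.
*Jan  3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645, Access-Request, len 88
*Jan  3 16:30:43:         Attribute 5 6 00000038
*Jan  3 16:30:43:         Attribute 1 11 72737461
*Jan  3 16:30:43:         Attribute 6 6 00000002
*Jan  3 16:30:43:         Attribute 7 6 00000001
"""

def parse_debug(text):
    """Return packets as dicts: code, len, attr_bytes, attrs [(name, value)]."""
    packets = []
    for line in text.splitlines():
        m = PACKET_RE.search(line)
        if m:
            length = int(m.group(2))
            packets.append({"code": m.group(1), "len": length,
                            "attr_bytes": length - RADIUS_HEADER_LEN, "attrs": []})
            continue
        m = ATTR_RE.search(line)
        if m and packets:
            num, raw = int(m.group(1)), bytes.fromhex(m.group(3))
            if num in INT_ATTRS:
                name, value = INT_ATTRS[num], int.from_bytes(raw, "big")
            elif num in TEXT_ATTRS:
                # The debug line shows only the first 4 bytes of the value.
                name, value = TEXT_ATTRS[num], raw.decode("ascii", "replace")
            else:
                name, value = f"Attr-{num}", raw.hex()
            packets[-1]["attrs"].append((name, value))
    return packets

def empty_accepts(packets):
    """Access-Accepts whose length is the bare header, i.e. no attributes at all."""
    return [p for p in packets if p["code"] == "Access-Accept" and p["attr_bytes"] == 0]
```

On the lines above, the Access-Accept has zero attribute bytes, so it carries no reply attributes such as Service-Type or Framed-Protocol, while the Access-Request asks for Service-Type 2 (Framed) and Framed-Protocol 1 (PPP).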




