Server logs say users authenticate, but they don't (Now with more details!)

James Wakefield jamesw at deakin.edu.au
Thu Nov 9 00:04:42 CET 2006


G'day Ernie,

What value are you sending for Service-Type?  Best way to check is 
radiusd -X, and watch for the Access-Accept that freeradius sends, in 
case your authorization config isn't quite right.

Cheers,
James.

Ernie Dunbar wrote:
> Okay, after doing these tests, we can see that the Cisco is now accepting
> the packets.
> 
> However, the AS5300 is now telling us "no appropriate authorization type
> for user". Here's the logs from the AS5300 (XX.XX.XX.X is the new server,
> XX.XX.XX.Y is the backup that was offline for the duration of the test):
> 
> *Jan  3 16:30:43: RADIUS: Trying next server (XX.XX.XX.X) for id 20
> *Jan  3 16:30:43: RADIUS: Retransmit id 20
> *Jan  3 16:30:43: RADIUS: Received from id 20 XX.XX.XX.X:1812,
> Access-Accept, len 20
> *Jan  3 16:30:43: RADIUS: saved authorization data for user 616D09DC at
> 614184A4
> *Jan  3 16:30:43: RADIUS: no appropriate authorization type for user.
> *Jan  3 16:30:43: RADIUS: ustruct sharecount=1
> *Jan  3 16:30:43: RADIUS: Initial Transmit Async56 id 21 XX.XX.XX.Y:1645,
> Access-Request, len 88
> *Jan  3 16:30:43:         Attribute 4 6 CCF4E9FE
> *Jan  3 16:30:43:         Attribute 5 6 00000038
> *Jan  3 16:30:43:         Attribute 61 6 00000000
> *Jan  3 16:30:43:         Attribute 1 11 72737461
> *Jan  3 16:30:43:         Attribute 30 9 36383131
> *Jan  3 16:30:43:         Attribute 2 18 A3B5B2A0
> *Jan  3 16:30:43:         Attribute 6 6 00000002
> *Jan  3 16:30:43:         Attribute 7 6 00000001
> *Jan  3 16:30:44: %ISDN-6-DISCONNECT: Interface Serial2:5  disconnected
> from unknown , call lasted 53 seconds
> *Jan  3 16:30:44:  isdn_Call_disconnect()
> 
> 
>> Hi Ernie,
>>
>> * Run radiusd -X and check that Access-Accept is being sent, and how
>> long after the Access-Request this is.
>>
>> * Verify with tcpdump that the packet is actually getting onto the wire.
>>
>> * Check for iptables rules/access-lists that might be dropping/rejecting
>> the packets.
>>
>> * Make sure your AS5300 and freeradius are configured to use the same
>> port numbers.  freeradius shouldn't be seeing the Access-Request if not,
>> but it might be worth a look.
>>
>> Ernie Dunbar wrote:
>>>> G'day Ernie,
>>>>
>>>> Can you sniff on the AS5300 and ensure the Access-Accept packets are
>>>> arriving before the 3 second (default) timeout?
>>> Yes, we tried that. The access-accept packets aren't arriving at all!
>>>
>>>> Does it work if you temporarily disable the Simultaneous-Use check?
>>> No, that doesn't work either.
>>>
>>> -
>>> List info/subscribe/unsubscribe? See
>>> http://www.freeradius.org/list/users.html
>>
>> --
>> James Wakefield,
>> Unix Administrator, Information Technology Services Division
>> Deakin University, Geelong, Victoria 3217 Australia.
>>
>> Phone: 03 5227 8690 International: +61 3 5227 8690
>> Fax:   03 5227 8866 International: +61 3 5227 8866
>> E-mail:   james.wakefield at deakin.edu.au
>> Website:  http://www.deakin.edu.au
>>
> 
> 


-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   james.wakefield at deakin.edu.au
Website:  http://www.deakin.edu.au
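
Added example, not part of the original thread: a small Python parser for the AS5300 debug format quoted above. It checks each packet's `len` against the fixed 20-byte RADIUS header, which shows that an Access-Accept of len 20 has no room for reply attributes such as Service-Type. The sample lines are constructed (unwrapped, with placeholder address and values), and the function names are this example's own.

```python
import re

HEADER_LEN = 20  # RADIUS header: code(1) + id(1) + length(2) + authenticator(16)
SERVICE_TYPE = {1: "Login", 2: "Framed"}  # RFC 2865 values (subset)

# Constructed sample modelled on the AS5300 debug format quoted in the thread
# (lines unwrapped; 192.0.2.10 and all attribute values are placeholders).
SAMPLE = """\
*Jan  3 16:30:43: RADIUS: Initial Transmit Async56 id 20 192.0.2.10:1812, Access-Request, len 88
*Jan  3 16:30:43:         Attribute 4 6 C0000201
*Jan  3 16:30:43:         Attribute 5 6 00000038
*Jan  3 16:30:43:         Attribute 61 6 00000000
*Jan  3 16:30:43:         Attribute 1 11 75736572
*Jan  3 16:30:43:         Attribute 30 9 35353530
*Jan  3 16:30:43:         Attribute 2 18 A1B2C3D4
*Jan  3 16:30:43:         Attribute 6 6 00000002
*Jan  3 16:30:43:         Attribute 7 6 00000001
*Jan  3 16:30:43: RADIUS: Received from id 20 192.0.2.10:1812, Access-Accept, len 20
"""

PKT = re.compile(r"RADIUS: .*\bid (\d+) \S+, (Access-\w+), len (\d+)")
ATTR = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]+)")

def parse_debug(text):
    """Group 'Attribute <type> <len> <hex>' lines under the packet line above them."""
    packets = []
    for line in text.splitlines():
        if m := PKT.search(line):
            packets.append({"id": int(m[1]), "code": m[2], "len": int(m[3]), "attrs": []})
        elif (m := ATTR.search(line)) and packets:
            packets[-1]["attrs"].append((int(m[1]), int(m[2]), m[3]))
    return packets

def review(packets):
    """Return one finding string per packet."""
    out = []
    for p in packets:
        room = p["len"] - HEADER_LEN               # bytes left for attributes
        listed = sum(n for _, n, _ in p["attrs"])  # each length includes its 2-byte header
        stype = [int(v, 16) for t, _, v in p["attrs"] if t == 6]
        if p["code"] == "Access-Accept" and room == 0:
            out.append(f"id {p['id']}: Access-Accept is header only, no reply attributes")
        elif listed != room:
            out.append(f"id {p['id']}: attribute lengths {listed} != {room}")
        else:
            name = SERVICE_TYPE.get(stype[0], stype[0]) if stype else "absent"
            out.append(f"id {p['id']}: {p['code']} Service-Type={name}")
    return out

if __name__ == "__main__":
    print("\n".join(review(parse_debug(SAMPLE))))
```

The same length check applies to the request: the eight attribute lengths sum to 68, which with the 20-byte header gives the reported len 88.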


