Swapping RADIUS servers.

Alan DeKok aland at deployingradius.com
Thu Nov 30 01:29:00 CET 2006


Lin Richardson wrote:

> Our lesser radius server lives on two physical boxes and listens on
> ports 1645/1646 AND 1812/1813  (can freeradius mimic this and listen on
> both sets of ports?)

  Yes.  See "listen" in radiusd.conf.

> What we saw were requests coming into freeradius, being processed as
> expected, and returning the appropriate response - many Accept responses
> clearly visible in the logs.  The radius clients however did not accept
> these responses and treated them as authentication failure. 

  See the FAQ.  Do you have multiple IPs on the machine?

> Does anyone have an idea what could have happened here?  If a radius
> client was talking to server X, and then suddenly receives a response
> from server Y on the same IP / port combination...

  Huh?  What does that mean?  "Suddenly", as in... what, exactly?

  If you shut down the old machine, and start a new machine with the
same IP, then RADIUS should work as before, assuming the server
configuration is the same.


> Nov 29 10:58:48   rad_check_password:  Found Auth-Type Accept
> Nov 29 10:58:48   rad_check_password: Auth-Type = Accept, accepting the user
> Nov 29 10:58:48 Sending Access-Accept of id 105 to 10.32.251.10 port 32768
> Nov 29 10:58:48 Finished request 0

  The Access-Accept contains no attributes.  Are you sure you want to do
that?  The request contained VLAN attributes, so I presume you want to
put the user in a VLAN.

  i.e. Are you sure that you have configured FreeRADIUS to return the
SAME response as your old server?  If the old server returns a bunch of
attributes, and FreeRADIUS doesn't... then the configurations aren't
identical, and the clients will behave differently.

  Alan DeKok.
--
  http://deployingradius.com       - The web site of the book
  http://deployingradius.com/blog/ - The blog
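
Added example, not part of the original message or of FreeRADIUS: a way to check the point above by diffing the attributes in the old server's Access-Accept against the new server's. The packets are constructed samples (zeroed authenticator, an assumed VLAN id of "20"); in practice the bytes would come from a capture of each server's reply.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2868 (only the ones used here).
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-ID"}
ACCESS_ACCEPT = 2

def parse_attributes(packet: bytes) -> dict:
    """Return {attribute type: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def _name(atype: int) -> str:
    return ATTR_NAMES.get(atype, f"Attr-{atype}")

def diff_replies(old: bytes, new: bytes) -> dict:
    """Compare the attribute sets of two replies (old server vs. new)."""
    a, b = parse_attributes(old), parse_attributes(new)
    return {
        "missing": sorted(_name(t) for t in a.keys() - b.keys()),
        "extra": sorted(_name(t) for t in b.keys() - a.keys()),
        "changed": sorted(_name(t) for t in a.keys() & b.keys() if a[t] != b[t]),
    }

def build(code: int, ident: int, attrs: list) -> bytes:
    """Build a constructed sample packet with a zeroed authenticator."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body

OLD_REPLY = build(ACCESS_ACCEPT, 105, [      # constructed: old server's reply
    (64, b"\x00\x00\x00\x0d"),               # Tunnel-Type = VLAN (13)
    (65, b"\x00\x00\x00\x06"),               # Tunnel-Medium-Type = IEEE-802 (6)
    (81, b"20"),                             # Tunnel-Private-Group-ID (assumed)
])
NEW_REPLY = build(ACCESS_ACCEPT, 105, [])    # Accept with no attributes, as logged

if __name__ == "__main__":
    print(diff_replies(OLD_REPLY, NEW_REPLY))
```

Any entry under "missing" is an attribute the clients were receiving before the swap and no longer get.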


