FreeRadius authentication problems
Taneli Virtanen
virtanentaneli at gmail.com
Mon Dec 3 15:10:49 CET 2012
Well, I'm home right now, but tomorrow when I get back to work I'll see
what I can do. Client is a Windows 7, but I can also test with XP and Win 8
clients if necessary.
2012/12/3 Primož Marinšek <pmtelos at gmail.com>
> I know a little about Ruckus. Can you SSH to the ZD and input the following
>
> enable
> show aaa
> show wlan
>
> and send me the output direclty. Maybe there is something strange there.
>
> Also tell me which FW you are using and which OS the client is using
> (tell me which SP if Windows)
>
> Regards
>
> On 3 December 2012 12:30, Arran Cudbard-Bell <a.cudbardb at freeradius.org>
> wrote:
> >>
> >> ++[pap] returns noop
> >> Found Auth-Type = Accept
> >> Auth-Type = Accept, accepting the user
> >>
> >> # Executing section post-auth from file
> /etc/freeradius/sites-enabled/default
> >> +- entering group post-auth {...}
> >> ++[exec] returns noop
> >> Sending Access-Accept of id 9 to 192.168.154.12 port 1065
> >> Finished request 0.
> >> Going to the next request
> >> Waking up in 4.9 seconds.
> >> Cleaning up request 0 ID 9 with timestamp +7
> >> Ready to process requests.
> >>
> >>
> >> I followed the plain mac auth guide to get this far, and the system
> sort of works, but not quite. So the configs must be out of whack somehow,
> but since radius doesn't give any debug info when I get booted out of the
> network I'm at loss here. Any help?
> >
> > If you're not seeing any information in the FreeRADIUS debug, then the
> Ruckus controller isn't sending anything. If you enable RADIUS accounting
> on the Ruckus you *may* get an Accounting-Request with the
> Acct-Terminate-Cause, which may give you a clue as to what's happening.
> >
> > First though I would enable debugging logs on the controller to see if
> it's complaining about the Access-Accept coming back, it may be missing
> some attributes that the Ruckus controller needs.
> >
> > I'd also verify the Access-Accept is actually reaching the controller
> (maybe dodgy routing).
> >
> > It may also be that the Ruckus requires a Message-Authenticator in the
> Access-Accept, in which case inserting:
> >
> > update reply {
> > Message-Authenticator = 0x00
> > }
> >
> > Should trigger its generation.
> >
> > I'd also try:
> >
> > update reply {
> > Service-Type = Framed-User
> > }
> >
> > (some NAS require a service type).
> >
> > The delay suggests that the Ruckus may be discarding the responses from
> the RADIUS server, or never actually received the response. Do you see the
> request sent multiple times?
> >
> > -Arran
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
>
>
> --
> Primož Marinšek
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freeradius.org/pipermail/freeradius-users/attachments/20121203/957a0984/attachment.html>
More information about the Freeradius-Users
mailing list