FreeRADIUS allows connections locally, but not remotely

Ernie Dunbar maillist at lightspeed.ca
Mon Dec 28 23:29:44 CET 2015


Hi everyone. I have a difficult problem that appears to have come out of 
the blue.

After rebooting the Debian Wheezy server that hosts our RADIUS 
authentication this morning, suddenly FreeRADIUS v2.1.12+dfsg-1.2 is no 
longer working. I can successfully test the connection locally using 
'radtest' like this:

# /usr/bin/radtest customer password localhost:1812 5 localsecret -4 127.0.0.1
Sending Access-Request of id 218 to 127.0.0.1 port 1812
	User-Name = "customer"
	User-Password = "password"
	NAS-IP-Address = 127.0.0.1
	NAS-Port = 5
	Message-Authenticator = 0x00000000000000000000000000000000
	Framed-Protocol = PPP
rad_recv: Access-Accept packet from host 127.0.0.1 port 1812, id=218, length=38
	Framed-Protocol = PPP
	Service-Type = Framed-User
	Framed-Compression = Van-Jacobson-TCP-IP

I get the rad_recv response right away.

When I test it from the same machine, but *saying* I'm connecting 
remotely, it apparently times out:

www:/etc/freeradius# /usr/bin/radtest customer password localhost:1812 5 remotesecret -4 XXX.XXX.XXX.254
Sending Access-Request of id 34 to 127.0.0.1 port 1812
	User-Name = "customer"
	User-Password = "password"
	NAS-IP-Address = XXX.XXX.XXX.254
	NAS-Port = 5
	Message-Authenticator = 0x00000000000000000000000000000000
	Framed-Protocol = PPP



Sending Access-Request of id 34 to 127.0.0.1 port 1812
	User-Name = "customer"
	User-Password = "password"
	NAS-IP-Address = XXX.XXX.XXX.254
	NAS-Port = 5
	Message-Authenticator = 0x00000000000000000000000000000000
	Framed-Protocol = PPP
^C


The connection evidently times out and radtest retries, at which point I 
hit Ctrl-C.

I get the same results when I actually test the connection from a remote 
site as when I pretend to make the connection from a remote site with -4 
XXX.XXX.XXX.254. I can't really test *from* that site, since it's a 
Cisco AS5300.

The only thing I can think of that *might* have changed was the Debian 
package version, but I can't even confirm that really, and it's in the 
old stable branch, which I believe is no longer supported with new 
patches. Nothing has changed in the FreeRADIUS configuration since about 
2010.

Any assistance would be appreciated!

