HA scenario = failure

Rob Walker rob3rt.walk3r at gmail.com
Mon Feb 9 17:09:03 CET 2015


Hello,

I'm a freerad newb, trying to get my HP Procurve 2910al working with 2
freerad servers (set up identically) and Windows/Linux endpoints. I've
tested this setup successfully against each individual freerad server ok.
As soon as I test stopping one of the free radius server hosts so that the
2910al is forced to try the other freerad server (testing a HA scenario) -
authentication fails.

I can only guess that it's something the switch is mishandling? If someone
could advise on the below outputs it would be appreciated. It seems the
packet length is much less when it doesn't work?

Thanks

*WORKS*

# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "examiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 9 length 43
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
[peap] eaptls_verify returned 7
[peap] Done initial handshake
[peap] eaptls_process returned 7
[peap] EAPTLS_OK
[peap] Session established.  Decoding tunneled attributes.
[peap] Peap state send tlv success
[peap] Received EAP-TLV response.
[peap] Success
[eap] Freeing handler
++[eap] returns ok
# Executing section post-auth from file
/etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 222 to 192.168.20.5 port 1812
        MS-MPPE-Recv-Key =
0x5ed30fd859b49a49dd16e772a30e330d3573a5630212036937d8f2d
        MS-MPPE-Send-Key =
0x72687c7646048677b9bc3d82e25efbfeefeb6a5fad3ad0bc50a87c2
        EAP-Message = 0x03090004
        Message-Authenticator = 0x00000000000000000000000000000000
        User-Name = "examiner"
Finished request 8.
Going to the next request

*FAILS*

# Executing section authorize from file
/etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "examiner", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] EAP packet type response id 5 length 13
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[files] users: Matched entry examiner at line 50
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING: Auth-Type already set.  Not setting to PAP
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type md5
rlm_eap_md5: Issuing Challenge
++[eap] returns handled
Sending Access-Challenge of id 213 to 192.168.20.5 port 1812
        EAP-Message = 0x01060016041053527f160f5a194e8608d8bced20ec12
        Message-Authenticator = 0x00000000000000000000000000000000
        State = 0xa8a53daca8a339aa1a93d90a4cd655f7
Finished request 20.
Going to the next request
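
One way to compare two FreeRADIUS debug excerpts like the ones above field by field, as an added example that is not part of the original post: it extracts the EAP packet length, the EAP type the server processed, the authorize modules that returned something other than noop, and the reply sent, then reports which fields differ. The sample text is abridged from the two excerpts above, and the function names summarize and diff_summaries are hypothetical.

```python
import re

# Sample input: abridged from the two debug excerpts in the post above.
WORKS = """\
++[preprocess] returns ok
[eap] EAP packet type response id 9 length 43
++[eap] returns ok
+- entering group authenticate {...}
[eap] processing type peap
Sending Access-Accept of id 222 to 192.168.20.5 port 1812
"""
FAILS = """\
++[preprocess] returns ok
[eap] EAP packet type response id 5 length 13
++[eap] returns updated
++[files] returns ok
++[pap] returns noop
+- entering group authenticate {...}
[eap] processing type md5
++[eap] returns handled
Sending Access-Challenge of id 213 to 192.168.20.5 port 1812
"""

def summarize(debug_text):
    """Pull the comparable fields out of one request's debug output."""
    def first(pattern):
        m = re.search(pattern, debug_text, re.M)
        return m.group(1) if m else None

    # Module results from the authorize section only (before authenticate).
    authorize = debug_text.split("entering group authenticate", 1)[0]
    results = re.findall(r"^\+\+\[(\w+)\] returns (\w+)", authorize, re.M)
    length = first(r"^\[eap\] EAP packet type \w+ id \d+ length (\d+)")
    return {
        "eap_length": int(length) if length else None,
        "eap_type": first(r"^\[eap\] processing type (\S+)"),
        "authorize_active": [name for name, rc in results if rc != "noop"],
        "reply": first(r"^Sending (Access-\w+) of id"),
    }

def diff_summaries(a, b):
    """Return {field: (value_a, value_b)} for every field that differs."""
    return {k: (a[k], b[k]) for k in a if a[k] != b[k]}

if __name__ == "__main__":
    for field, pair in diff_summaries(summarize(WORKS), summarize(FAILS)).items():
        print(f"{field}: {pair[0]!r} -> {pair[1]!r}")
```

The two excerpts in the post come from different points in the EAP conversation (a completed PEAP session versus an EAP Identity response), so on full logs feed the script the same stage of the exchange from each server.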

