Hi,<br><br>I work at an ISP in Brazil, our main radius server is running freeradius 1.X. I'm configuring a new server with freeradius 2.X and doing some tests to see if I find any problem before putting it on production. So far I've found a little problem that doesn't disable me to put it in production, but can confuse in case of a radius failure. When an authentication failure happens, on the nas it appears that the radius server is not responding, it shows a "Radius timeout" message, here is the output of the radius debug:<br>
<br><br><br>rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145<br> Service-Type = Framed-User<br> Framed-Protocol = PPP<br> NAS-Port = 124<br> NAS-Port-Type = Ethernet<br> User-Name = "modesto"<br>
Calling-Station-Id = "BC:AE:C5:9C:87:C5"<br> Called-Station-Id = "isimples"<br> NAS-Port-Id = "LAN"<br> CHAP-Challenge = 0x246ed4d8e9cffc10c7c5120963c5d990<br> CHAP-Password = 0x0134931ed7c1c7fda0493d9663d658e789<br>
NAS-Identifier = "REDE_ISIMPLES"<br> NAS-IP-Address = 192.168.2.100<br># Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default<br>+- entering group authorize {...}<br>++[preprocess] returns ok<br>
[chap] Setting 'Auth-Type := CHAP'<br>++[chap] returns ok<br>++[mschap] returns noop<br>++[digest] returns noop<br>[suffix] No '@' in User-Name = "modesto", looking up realm NULL<br>[suffix] No such realm "NULL"<br>
++[suffix] returns noop<br>[eap] No EAP-Message, not doing EAP<br>++[eap] returns noop<br>[files] users: Matched entry DEFAULT at line 172<br>++[files] returns ok<br>[sql] expand: %{User-Name} -> modesto<br>[sql] sql_set_user escaped user --> 'modesto'<br>
rlm_sql (sql): Reserving sql socket id: 0<br>[sql] expand: SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = '%{SQL-User-Name}' AND ativo='S' ORDER BY id -> SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username = 'modesto' AND ativo='S' ORDER BY id<br>
[sql] expand: SELECT GroupName FROM usergroup WHERE UserName='%{SQL-User-Name}' -> SELECT GroupName FROM usergroup WHERE UserName='modesto'<br>rlm_sql (sql): Released sql socket id: 0<br>[sql] User modesto not found<br>
++[sql] returns notfound<br>sql_xlat<br> expand: %{User-Name} -> modesto<br>sql_set_user escaped user --> 'modesto'<br> expand: SELECT nas_pool_name FROM naspool WHERE nas_ip=INET_ATON('%{NAS-IP-Address}') -> SELECT nas_pool_name FROM naspool WHERE nas_ip=INET_ATON('192.168.2.100')<br>
rlm_sql (sql): Reserving sql socket id: 4<br>SQL query did not return any results<br>rlm_sql (sql): Released sql socket id: 4<br> expand: %{sql: SELECT nas_pool_name FROM naspool WHERE nas_ip=INET_ATON('%{NAS-IP-Address}')} -> <br>
++[control] returns notfound<br>++[expiration] returns noop<br>++[logintime] returns noop<br>[pap] WARNING! No "known good" password found for the user. Authentication may fail because of this.<br>++[pap] returns noop<br>
Found Auth-Type = CHAP<br># Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>+- entering group CHAP {...}<br>[chap] login attempt by "modesto" with CHAP password<br>[chap] Cleartext-Password is required for authentication<br>
++[chap] returns invalid<br>Failed to authenticate the user.<br>Login incorrect (rlm_chap: Clear text password not available): [modesto/<CHAP-Password>] (from client teste port 124 cli BC:AE:C5:9C:87:C5)<br>Using Post-Auth-Type Reject<br>
# Executing group from file /usr/local/etc/raddb/sites-enabled/default<br>+- entering group REJECT {...}<br>[attr_filter.access_reject] expand: %{User-Name} -> modesto<br>attr_filter: Matched entry DEFAULT at line 11<br>
++[attr_filter.access_reject] returns updated<br>Delaying reject of request 4 for 1 seconds<br>Going to the next request<br>Waking up in 0.9 seconds.<br>rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145<br>
Waiting to send Access-Reject to client teste port 35710 - ID: 86<br>Waking up in 0.6 seconds.<br>rad_recv: Access-Request packet from host 192.168.2.100 port 35710, id=86, length=145<br>Waiting to send Access-Reject to client teste port 35710 - ID: 86<br>
Waking up in 0.3 seconds.<br>Sending delayed reject for request 4<br>Sending Access-Reject of id 86 to 192.168.2.100 port 35710<br>Waking up in 4.9 seconds.<br>Cleaning up request 4 ID 86 with timestamp +41<br>Ready to process requests.<br>
<span style="color:rgb(51,51,51)"></span><b style="color:rgb(51,51,51)"></b><br><br>The freeradius server is running on a FreeBSD 9-STABLE Jail, there is no firewall rules in the middle that could prevent the packet from being sent.<br>
<br><br>Regards.<br>