Re: How to check сorrectness of the secret key?
On 2012-09-24, at 10:38 AM, "Konstantin Chekushin" <koch2@inbox.lv> wrote:
but, tcpdump shows me, that packet was arrived... I've used radclient on localhost to check the auth-tion. It's works fine.
So?
When NAS server (in different network) send auth request from , then tcpdump shows correct port, ip's, but no answer from RADIUS, no info in the log.
You already said that.
I've tried to send auth request from localhost againg, but with wrong key. As a result -- no log-info in radius.log, also no any response... That is why I think, that something is wrong with secret key on my NAS-server.
Your thinking is wrong. If you are not going to believe the answers you get from the RADIUS experts, then don't ask questions here. It's not a RADIUS problem. It's not a shared secret problem. I gave you the answer. Now go check that. Alan DeKok.
On Mon, Sep 24, 2012 at 10:50:29AM +0200, Alan DeKok wrote:
When NAS server (in different network) send auth request from , then tcpdump shows correct port, ip's, but no answer from RADIUS, no info in the log.
You already said that.
I've tried to send auth request from localhost againg, but with wrong key. As a result -- no log-info in radius.log, also no any response... That is why I think, that something is wrong with secret key on my NAS-server.
Your thinking is wrong.
However he is asserting a behaviour he has seen, which would be consistent with freeradius ignoring packets with bad secrets. This means that something is wrong. It may mean that he is not in fact running the server in debugging mode; or it may mean he is running some ancient freeradius, or one which has been hacked by the vendor to behave differently to standard code. Or it may not even be freeradius at all, but something completely different. So for the benefit of the OP, here's what I see if I am running "freeradius -X", using freeradius 2.1.12 under Ubuntu 10.04, and I send a regular (PAP) radtest packet using "radtest test test localhost 1 badsecret" rad_recv: Access-Request packet from host 127.0.0.1 port 37219, id=59, length=74 Received packet from 127.0.0.1 with invalid Message-Authenticator! (Shared secret is incorrect.) Dropping packet without response. Going to the next request Waking up in 0.9 seconds. Cleaning up request 0 ID 59 with timestamp +3 If you don't see this, then make sure you are sending the packet to the correct port (default is 1812), make sure you have stopped any other radius daemon listening on that port (use "netstat -naup" to check), and then run radiusd -X or freeradius -X, depending on your distribution. Run radtest in a different window, then go back to the freeradius window to check the output. It would also be helpful if you were to describe what exact operating system and version you are running, what version of freeradius you are running, and where you got it from (e.g. did you get it from the OS packages repository, did you compile it from source etc) Please also post the output from freeradius -X (or radius -X) when you start it up. Alan is of course right, freeradius doesn't behave in the way you describe; but I also believe that you are not lying when you say you see this behaviour, so we need additional information if you want us to help you pin down your problem. Regards, Brian.
Brian Candler wrote:
Your thinking is wrong.
However he is asserting a behaviour he has seen, which would be consistent with freeradius ignoring packets with bad secrets.
The server doesn't work like that. I said so:
If the RADIUS server receives a packet, it says so in debugging mode.
If tcpdump shows the packet and FreeRADIUS doesn't see it, then you
What is so hard to understand about that? This is the 13-year-old question. Why the HELL are people asking questions on the list when they immediately ignore the answer?
This means that something is wrong. It may mean that he is not in fact running the server in debugging mode;
Then he should have follow the instructions in the FAQ, "man" page, web page, and daily on the -users list. It's not hard.
or it may mean he is running some ancient freeradius,
It ALWAYS printed out packets received in debugging mode.
or one which has been hacked by the vendor to behave differently to standard code.
Then he should ask his vendor how it works. It's not *my* problem when people butcher FreeRADIUS.
Or it may not even be freeradius at all, but something completely different.
Then he's an idiot for asking questions on this list. And ALL of those reasons are post-facto excuses. The ONLY relevant item is that he asked a question, and ignored the answer.
Alan is of course right, freeradius doesn't behave in the way you describe; but I also believe that you are not lying when you say you see this behaviour, so we need additional information if you want us to help you pin down your problem.
I don't care what he *thinks* he's doing. What he *is* doing is not following instructions: 1) run the server in debug mode 2) check the firewall to be sure it isn't blocking RADIUS packets He had a problem and posted a question. Fine. But he MUST follow the existing documentation. He MUST follow instructions. I DO NOT accept excuses from him, or from anyone else. If people aren't going to follow instructions, they have no business posting to the list. It's ignorant, rude, and will result in them getting unsubscribed and banned. My patience for this kind of idiocy is at an end. Alan DeKok.
On Mon, Sep 24, 2012 at 11:45:06AM +0200, Alan DeKok wrote:
If tcpdump shows the packet and FreeRADIUS doesn't see it, then you
What is so hard to understand about that?
This is the 13-year-old question. Why the HELL are people asking questions on the list when they immediately ignore the answer?
A little politeness doesn't cost anything, and I am trying to be helpful. I was picking up on something he said, which I believe amounted to the following: - radtest to localhost with correct secret shows debug output - radtest to localhost with incorrect secret shows nothing That clearly *isn't* an IP firewall problem, and until this problem is understood, we cannot trust any debug output that the OP reports is/is not there. It is therefore in the OP's interest, and ours if we are going to help with the original problem, to sort this out first.
My patience for this kind of idiocy is at an end.
And personally I am not happy to see people being publicly branded as "idiots" after only one or two postings. If you don't have the patience, then please consider allowing the rest of the community to answer. I would agree that this thread belongs on freeradius-users not freeradius-devel, and I have no problem with any question like this being quickly bounced across to the other list. Regards, Brian.
Brian Candler wrote:
A little politeness doesn't cost anything, and I am trying to be helpful.
That's uncalled for. My responses were polite, and helpful. My less than polite response was to *your* defense of inexcusable behavior.
I was picking up on something he said, which I believe amounted to the following:
- radtest to localhost with correct secret shows debug output - radtest to localhost with incorrect secret shows nothing
... in the radius.log. He *didn't* say he tried it in debugging mode.
That clearly *isn't* an IP firewall problem, and until this problem is understood, we cannot trust any debug output that the OP reports is/is not there.
I can believe (a) that the OP screwed up his description of what he did, or (b) that FreeRADIUS magically doesn't log packets it receives. (b) isn't impossible, but is overwhelmingly less likely.
It is therefore in the OP's interest, and ours if we are going to help with the original problem, to sort this out first.
My suggestions have stayed the same: a) run the server in debugging mode b) check the firewall. The server NOT receiving packets AND tcpdump receiving them means that a firewall is blocking them. It's happened many times before. The problem description is the same. The solution is the same. Run the server in debugging mode for packets received from the external NAS. Don't look at "radius.log" AS HE SAID HE DID. It's not rocket science. There is no excuse for it, and there is *no* reason for you to defend inexcusable behavior.
And personally I am not happy to see people being publicly branded as "idiots" after only one or two postings. If you don't have the patience, then please consider allowing the rest of the community to answer.
I answered politely. Twice. I only got testy when *you* stepped in to misconstrue what the OP said, and to defend his failure to follow decade-old documentation. So... get off your high horse. It's almost as annoying as people who ask questions and then ignore the answers. Alan DeKok.
On Mon, Sep 24, 2012 at 01:12:55PM +0200, Alan DeKok wrote:
My less than polite response was to *your* defense of inexcusable behavior.
Ah I see; in which case I apologise for testing your patience. If the OP is still reading, hopefully by now he has got the message that he *must* run the server with "radiusd -X" / "freeradius -X" before drawing any conclusions. I will leave it there. Regards, Brian.
On 24/09/12 11:45, Brian Candler wrote:
I was picking up on something he said, which I believe amounted to the following:
- radtest to localhost with correct secret shows debug output - radtest to localhost with incorrect secret shows nothing
My reading is subtly different. In his first email, he said: radtest to localhost - ok request from remote nas - no debug output ...but in a later email he says: radclient on localhost - fine request from remote nas - tcpdump shows packet, but "no info in the log" He then says: """ I've tried to send auth request from localhost againg, but with wrong key. As a result -- no log-info in radius.log """ It's not clear to me that he's consistently testing with "radiusd -X", or if he's looking at the "log { }" stanza output, which is not the right thing to do.
Phil Mayers wrote:
He then says:
""" I've tried to send auth request from localhost againg, but with wrong key. As a result -- no log-info in radius.log """
Right. Which is why everything says run the server in debugging mode. It does NOT log bad shared secrets to radius.log. Doing so would open it up to a denial of service attack.
It's not clear to me that he's consistently testing with "radiusd -X", or if he's looking at the "log { }" stanza output, which is not the right thing to do.
Inconsistency is a hallmark of people who don't solve problems. Attempting random things without a clear method is always a bad idea. Alan DeKok.
On 09/24/2012 09:38 AM, Konstantin Chekushin wrote:
First of all, sorry for the wrong list. (just notice this...)
Well, move it over to -users :o/ As always run FR in debug mode with "radiusd -X" and see what it says. Checking the shared secret is easy - just, you know, *look* at it, and see if they're the same on both ends. Better yet, run FR in debug mode - it will tell you if the packet has an invalid secret, or if (more likely) you've got the "client" statement wrong and FR thinks the client is unknown.
Hi,
but, tcpdump shows me, that packet was arrived...
yes...but if you dont see ANYTHING in the 'radiusd -X' terminal window, then the server is not getting the packet
I've used radclient on localhost to check the auth-tion. It's works fine.
..which is local...and therefore is direct
When NAS server (in different network) send auth request from , then tcpdump shows correct port, ip's, but no answer from RADIUS, no info in the log.
what does 'radiusd -X' show then ?
I've tried to send auth request from localhost againg, but with wrong key. As a result -- no log-info in radius.log, also no any response... That is why I think, that something is wrong with secret key on my NAS-server.
one last time....as you've already been informed. IF you are running FreeRADIUS in full debug mode ie 'radiusd -X' you WILL see packets arrive...and if the shared secret is incorrect then you will be told about it: "WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS!" you wont see ANYTHING in the logs (theres a silent reject) in standard mode - this is to protect the server from DoS attack alan
participants (5)
-
alan buxey -
Alan DeKok -
Brian Candler -
Konstantin Chekushin -
Phil Mayers