If this is what you mean, this is it: 14:55:13.682482 IP (tos 0x0, ttl 64, id 60077, offset 0, flags [DF], proto UDP (17), length 93) 172.31.1.36.58188 > 172.31.2.11.1812: RADIUS, length: 65 Access-Request (1), id: 0x0c, Authenticator: 563b39fc146c0193e012f3787be53c16 User-Name Attribute (1), length: 8, Value: darren CHAP-Password Attribute (3), length: 19, Value: CHAP-Challenge Attribute (60), length: 18, Value: ......#5|:O..... The application is configured to retry three times, so I get three packets as above, and no response from FR. -----Original Message----- From: Freeradius-Users <freeradius-users-bounces+darren.share=chronos.uk@lists.freeradius.org> On Behalf Of Jonathan Davis Sent: 09 March 2022 17:23 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: FreeRadius not responding to requests from external host tcpdump filtered by the nas ip
On Mar 9, 2022, at 12:13 PM, Darren Share <darren.share@chronos.uk> wrote:
Hello Alan,
Thanks for the reply.
If FreeRADIUS isn't getting packets, then it's an OS issue.
Well, I guess that's my implied question. *Is* FR for sure not getting packets? If there's no response on the output of radiusd -X, does that mean it is 100% not receiving anything? As opposed to simply being unhappy with what it's receiving, for whatever reason?
That doesn't matter.
TCPdump looks at the packets deep in the OS network stack. i.e. it typically bypasses firewalls and other security systems.
It matters insomuch as I am happy there's no network issue, and also that it's not an interop issue with the application itself. Just trying to eliminate all the obvious stuff first.
SeLinux is running, and is preventing FreeRADIUS from accepting packets.
SeLinux was running, you are correct. However, disabling it has had no effect.
[root@tp11 ~]# sestatus SELinux status: disabled
Ugh. Why? We have up to date packages available at: http://packages.networkradius.com
It was just installed from the CentOS repos, suggest you raise it with the maintainers. For my part, this is just a quick-and-dirty installation to confirm there are no issues with our application's implementation of a RADIUS client, so it's good enough, as long as I can resolve this issue at the moment.
Would appreciate any further thoughts.
Thanks.
Darren.
-----Original Message----- From: Freeradius-Users <freeradius-users-bounces+darren.share=chronos.uk@lists.freeradius.org> On Behalf Of Alan DeKok Sent: 09 March 2022 16:26 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Subject: Re: FreeRadius not responding to requests from external host
On Mar 9, 2022, at 10:58 AM, Darren Share <darren.share@chronos.uk> wrote: Hope someone can tell me where I’m going wrong here, because I’m stumped.
If FreeRADIUS isn't getting packets, then it's an OS issue.
If FreeRAIDUS is getting packets and complaining about "unknown client" or "invalid authenticator", then the clients.conf entry is missing or wrong.
There really are no other options.
FR server is on 172.31.2.11. Firewalld turned off. FR responds perfectly to requests from an application running locally on the same server.
That's good.
A copy of the same application on a server with IP 172.31.1.36 is not getting any response. The output of radiusd -X shows nothing, as if it didn’t receive a request, yet packets are arriving as per tcpdump:
That doesn't matter.
TCPdump looks at the packets deep in the OS network stack. i.e. it typically bypasses firewalls and other security systems.
[root@tp11 raddb]# firewall-cmd --list-all FirewallD is not running
SeLinux is running, and is preventing FreeRADIUS from accepting packets.
Complete output of radiusd -X:
FreeRADIUS Version 3.0.13
Ugh. Why? We have up to date packages available at: http://packages.networkradius.com
Alan DeKok.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Caution: This email originated outside of our organisation. DO NOT CLICK links or attachments unless you recognise the sender and know the content is safe.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html Caution: This email originated outside of our organisation. DO NOT CLICK links or attachments unless you recognise the sender and know the content is safe.