Mac Auth - Timeout Connecting WiFi
Hello, I had freeradius setup and running perfectly on an ubuntu test machine and now I have done the exact same setup and configuration on a new debian machine with the addition of daloradius for easy configuration by other members of the team. I am running latest freeradius 2.1.10. The ubuntu machine was working perfect for mac auth but now this setup is not working. I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out still. Here is a sample debug, if anyone can be of any assistance it would be great. For reference, I change my AP back to the ubuntu server to do the radius mac auth and connect to the wifi and it sends the access accept and connects right away. Maybe I am missing something here....I don't think its an issue using sql as the ubuntu machine isn't using sql but if i disable sql and use exact config etc the time out still occurs. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 User-Name = "00-1E-58-F9-A6-94" User-Password = "NOPASSWORD" NAS-IP-Address = 192.168.1.55 Called-Station-Id = "00-20-B0-E6-12-A6:TEST" Calling-Station-Id = "00-1E-58-F9-A6-94" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0x946f027f36890c6b16ec5b4132e8e1d9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "00-1E-58-F9-A6-94", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00-1E-58-F9-A6-94' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' [sql] expand: %{User-Password} -> NOPASSWORD [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 Sending duplicate reply to client AP01 port 1030 - ID: 0 Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Waking up in 1.9 seconds. Cleaning up request 0 ID 0 with timestamp +4732 Ready to process requests.
Any ACL on AP network which might block your debian server IP but not your ubuntu IP? Schilling On Wed, Apr 27, 2011 at 3:59 PM, John Corps <envoys@gmail.com> wrote:
Hello, I had freeradius setup and running perfectly on an ubuntu test machine and now I have done the exact same setup and configuration on a new debian machine with the addition of daloradius for easy configuration by other members of the team. I am running latest freeradius 2.1.10. The ubuntu machine was working perfect for mac auth but now this setup is not working. I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out still. Here is a sample debug, if anyone can be of any assistance it would be great. For reference, I change my AP back to the ubuntu server to do the radius mac auth and connect to the wifi and it sends the access accept and connects right away. Maybe I am missing something here....I don't think its an issue using sql as the ubuntu machine isn't using sql but if i disable sql and use exact config etc the time out still occurs. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 User-Name = "00-1E-58-F9-A6-94" User-Password = "NOPASSWORD" NAS-IP-Address = 192.168.1.55 Called-Station-Id = "00-20-B0-E6-12-A6:TEST" Calling-Station-Id = "00-1E-58-F9-A6-94" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0x946f027f36890c6b16ec5b4132e8e1d9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "00-1E-58-F9-A6-94", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00-1E-58-F9-A6-94' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' [sql] expand: %{User-Password} -> NOPASSWORD [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 Sending duplicate reply to client AP01 port 1030 - ID: 0 Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Waking up in 1.9 seconds. Cleaning up request 0 ID 0 with timestamp +4732 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Nope. If I set debian Ian to same ip as the ubuntu machine, obviously with ubuntu machine off, same issue happens. On 2011-04-27, at 4:15 PM, schilling <schilling2006@gmail.com> wrote:
Any ACL on AP network which might block your debian server IP but not your ubuntu IP?
Schilling
On Wed, Apr 27, 2011 at 3:59 PM, John Corps <envoys@gmail.com> wrote:
Hello, I had freeradius setup and running perfectly on an ubuntu test machine and now I have done the exact same setup and configuration on a new debian machine with the addition of daloradius for easy configuration by other members of the team. I am running latest freeradius 2.1.10. The ubuntu machine was working perfect for mac auth but now this setup is not working. I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out still. Here is a sample debug, if anyone can be of any assistance it would be great. For reference, I change my AP back to the ubuntu server to do the radius mac auth and connect to the wifi and it sends the access accept and connects right away. Maybe I am missing something here....I don't think its an issue using sql as the ubuntu machine isn't using sql but if i disable sql and use exact config etc the time out still occurs. Ready to process requests. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 User-Name = "00-1E-58-F9-A6-94" User-Password = "NOPASSWORD" NAS-IP-Address = 192.168.1.55 Called-Station-Id = "00-20-B0-E6-12-A6:TEST" Calling-Station-Id = "00-1E-58-F9-A6-94" NAS-Port-Type = Wireless-802.11 Connect-Info = "CONNECT 11Mbps 802.11b" Message-Authenticator = 0x946f027f36890c6b16ec5b4132e8e1d9 # Executing section authorize from file /etc/freeradius/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop [suffix] No '@' in User-Name = "00-1E-58-F9-A6-94", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop ++[files] returns noop [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' rlm_sql (sql): Reserving sql socket id: 3 [sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] User found in radcheck table [sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = '00-1E-58-F9-A6-94' ORDER BY id [sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = '00-1E-58-F9-A6-94' ORDER BY priority rlm_sql (sql): Released sql socket id: 3 ++[sql] returns ok ++[expiration] returns noop ++[logintime] returns noop [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop Found Auth-Type = Accept Auth-Type = Accept, accepting the user # Executing section post-auth from file /etc/freeradius/sites-enabled/default +- entering group post-auth {...} [sql] expand: %{User-Name} -> 00-1E-58-F9-A6-94 [sql] sql_set_user escaped user --> '00-1E-58-F9-A6-94' [sql] expand: %{User-Password} -> NOPASSWORD [sql] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '%{User-Name}', '%{%{User-Password}:-%{Chap-Password}}', '%{reply:Packet-Type}', '%S') -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ( '00-1E-58-F9-A6-94', 'NOPASSWORD', 'Access-Accept', '2011-04-27 15:33:47') rlm_sql (sql): Reserving sql socket id: 2 rlm_sql (sql): Released sql socket id: 2 ++[sql] returns ok ++[exec] returns noop Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Access-Request packet from host 192.168.1.55 port 1030, id=0, length=160 Sending duplicate reply to client AP01 port 1030 - ID: 0 Sending Access-Accept of id 0 to 192.168.1.55 port 1030 Waking up in 1.9 seconds. Cleaning up request 0 ID 0 with timestamp +4732 Ready to process requests.
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
John Corps wrote:
... I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out
Then blame the access point. Also, MAC auth for WiFi sounds strange. Why not EAP? Alan DeKok.
I was blaming the access point but it doesn't make sense that it works fine on my ubuntu test server. It's as if its not sending the request fast enough to the AP to send to the client to be accepted. I am racking my brains over this one, its very strange... I am using mac auth so it is an open network and only authorized macs are allowed to get on. This is the way they want it setup here so that there is nothing to be done on the client side. I am in agreement with you but I have to do what they want, not what I think is best. On Thu, Apr 28, 2011 at 3:37 AM, Alan DeKok <aland@deployingradius.com>wrote:
John Corps wrote:
... I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out
Then blame the access point.
Also, MAC auth for WiFi sounds strange. Why not EAP?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am still racking my brains over this...I am pointing more and more at the AP but not sure why for some reason it works on a test ubuntu server and not my debian server...I have been testing it based on ethernet mac auth using the radius section on a switch and the debian server and ubuntu server work perfectly for that, but still the debian server is sending out the access-accept messages to the wifi clients but it still just sits there connecting and eventually times out....any one with any insight would be good. On Thu, Apr 28, 2011 at 10:04 AM, John Corps <envoys@gmail.com> wrote:
I was blaming the access point but it doesn't make sense that it works fine on my ubuntu test server. It's as if its not sending the request fast enough to the AP to send to the client to be accepted. I am racking my brains over this one, its very strange... I am using mac auth so it is an open network and only authorized macs are allowed to get on. This is the way they want it setup here so that there is nothing to be done on the client side. I am in agreement with you but I have to do what they want, not what I think is best.
On Thu, Apr 28, 2011 at 3:37 AM, Alan DeKok <aland@deployingradius.com> wrote:
John Corps wrote:
... I try and connect to the WiFi and it always times out. Putting freeradius in debug mode shows nothing useful, it shows that it's sending the access accept packet but the connection times out
Then blame the access point.
Also, MAC auth for WiFi sounds strange. Why not EAP?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (3)
-
Alan DeKok -
John Corps -
schilling