Hi, Running FreeRadius 2.0.3 built from source on Centos 5.1 with a Mysql 5.0.45 back end. We've been doing testing on our setup for MONTHS (First FR1, now FR2) and its been flawless. Today we went to put our first unit into production and am having issues. We are reading NAS from SQL. The entry is : (3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First Install') From the user table I have : (1, 'tuc','User-Password',':=','PLAINTEXT') And when I run : #!/bin/sh (echo 'User-Name = "tuc"' echo 'User-Password = "PLAINTEXT"' echo 'NAS-IP-Address = 192.168.25.13' echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f I get : [root@ports ~]# sh TESTRAD User-Name = "tuc" User-Password = "PLAINTEXT" NAS-IP-Address = 192.168.25.13 NAS-Port = 0 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.) and in radius.log I see : Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: [tuc/eY\261㡩\226`\305\020y\366/�?\333] (from client localhost port 0) HELP... I can't see what I'm doing wrong. Thanks, Tuc
Hey Tuc, This might happen because of interface changes. Also add a record to the nas table for the 127.0.0.1 ip address (or the other IP address you have configured on your ethernet interface). And I'm also assuming you have configured the nas table in sql.conf Regards, Liran Tal. On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET <ml@t-b-o-h.net> wrote:
Hi,
Running FreeRadius 2.0.3 built from source on Centos 5.1 with a Mysql 5.0.45 back end.
We've been doing testing on our setup for MONTHS (First FR1, now FR2) and its been flawless. Today we went to put our first unit into production and am having issues.
We are reading NAS from SQL. The entry is :
(3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N4zT','First Install')
From the user table I have :
(1, 'tuc','User-Password',':=','PLAINTEXT')
And when I run :
#!/bin/sh (echo 'User-Name = "tuc"' echo 'User-Password = "PLAINTEXT"' echo 'NAS-IP-Address = 192.168.25.13' echo 'NAS-Port = 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f
I get :
[root@ports ~]# sh TESTRAD User-Name = "tuc" User-Password = "PLAINTEXT" NAS-IP-Address = 192.168.25.13 NAS-Port = 0 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=2)! (Shared secret is incorrect.)
and in radius.log I see :
Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: [tuc/eY\261ã¡(c)\226`\305\020y\366/Â?\333] (from client localhost port 0)
HELP... I can't see what I'm doing wrong.
Thanks, Tuc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi, I have a record for 127.0.0.1, and for the ip of the machine itself (Fixed dedicated IP). The end result is that I found that no matter what IP I used to pass on the NAS-IP-Address, it used the machines IP to match the secret. The problem I had is we placed the device out in the field, and I wanted to verify the tech used the right secret. I was hoping to be able to tell radclient to "pretend" it was another IP, and therefore search for that IPs secret to try. Unfortunately, it doesn't seem like it has that capability. I don't understand what use then is the ability to change the NAS-IP-Address if it still only cared about the secret for the local machine. Thanks, Tuc
Hey Tuc,
This might happen because of interface changes. Also add a record to the nas table for the 127.0.0.1 ip address (or the other IP address you have configured on your ethernet interface). And I'm also assuming you have configured the nas table in sql.conf
Regards, Liran Tal.
On Wed, Apr 30, 2008 at 11:41 PM, Tuc at T-B-O-H.NET <ml@t-b-o-h.net> wrote= :
Hi,
Running FreeRadius 2.0.3 built from source on Centos 5.1 with a Mysql 5.0.45 back end.
We've been doing testing on our setup for MONTHS (First FR1, now FR2) and its been flawless. Today we went to put our first unit into production and am having issues.
We are reading NAS from SQL. The entry is :
(3,'192.168.25.13','SBC-1918','other',0,'KhLcPALLdzTcJs3f','GLRXTAFLfhf3N= 4zT','First Install')
From the user table I have :
(1, 'tuc','User-Password',':=3D','PLAINTEXT')
And when I run :
#!/bin/sh (echo 'User-Name =3D "tuc"' echo 'User-Password =3D "PLAINTEXT"' echo 'NAS-IP-Address =3D 192.168.25.13' echo 'NAS-Port =3D 0') | /usr/local/bin/radclient -x localhost auth KhLcPALLdzTcJs3f
I get :
[root@ports ~]# sh TESTRAD User-Name =3D "tuc" User-Password =3D "PLAINTEXT" NAS-IP-Address =3D 192.168.25.13 NAS-Port =3D 0 rad_verify: Received Access-Reject packet from client 127.0.0.1 port 1812 with invalid signature (err=3D2)! (Shared secret is incorrect.)
and in radius.log I see :
Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: [tuc/eY\261=E3=A1(c)\226`\305\020y\366/=C2?\333] (from client localhost p= ort 0)
HELP... I can't see what I'm doing wrong.
Thanks, Tuc
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------=_Part_6964_29469845.1209627227987 Content-Type: text/html; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Content-Disposition: inline
Hey Tuc,<br><br>This might happen because of interface changes.<br>Also add= a record to the nas table for the <a href=3D"http://127.0.0.1">127.0.0.1</= a> ip address (or the other<br>IP address you have configured on your ether= net interface).<br> And I'm also assuming you have configured the nas table in sql.conf<br>= <br><br>Regards,<br>Liran Tal.<br><br><div class=3D"gmail_quote">On Wed, Ap= r 30, 2008 at 11:41 PM, Tuc at <a href=3D"http://T-B-O-H.NET">T-B-O-H.NET</= a> <<a href=3D"mailto:ml@t-b-o-h.net">ml@t-b-o-h.net</a>> wrote:<br> <blockquote class=3D"gmail_quote" style=3D"border-left: 1px solid rgb(204, = 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">Hi,<br> <br> Running FreeRadius 2.0.3 built from source on C= entos 5.1 with<br> a Mysql 5.0.45 back end.<br> <br> We've been doing testing on our setup for M= ONTHS (First FR1,<br> now FR2) and its been flawless. Today we went to put our first unit into<br=
production and am having issues.<br> <br> We are reading NAS from SQL. The entry is :<br> <br> (3,'<a href=3D"http://192.168.25.13" target=3D"_blank">192.168.25.13</a=
','SBC-1918','other',0,'KhLcPALLdzTcJs3f','= ;GLRXTAFLfhf3N4zT','First Install')<br> <br> From the user table I have :<br> <br> (1, 'tuc','User-Password',':=3D','PLAINTEXT'= ;)<br> <br> And when I run :<br> <br> #!/bin/sh<br> (echo 'User-Name =3D "tuc"'<br> echo 'User-Password =3D "PLAINTEXT"'<br> echo 'NAS-IP-Address =3D <a href=3D"http://192.168.25.13" target=3D"_bl= ank">192.168.25.13</a>'<br> echo 'NAS-Port =3D 0') | /usr/local/bin/radclient -x localhost auth= KhLcPALLdzTcJs3f<br> <br> I get :<br> <br> [root@ports ~]# sh TESTRAD<br> User-Name =3D "tuc"<br> User-Password =3D "PLAINTEXT"<br> NAS-IP-Address =3D <a href=3D"http://192.168.25= .13" target=3D"_blank">192.168.25.13</a><br> NAS-Port =3D 0<br> rad_verify: Received Access-Reject packet from client <a href=3D"http://127= .0.0.1" target=3D"_blank">127.0.0.1</a> port 1812 with invalid signature (e= rr=3D2)! (Shared secret is incorrect.)<br> <br> and in radius.log I see :<br> <br> Wed Apr 30 16:38:43 2008 : Auth: Login incorrect: [tuc/eY\261=E3=A1©\2= 26`\305\020y\366/=C2?\333] (from client localhost port 0)<br> <br> <br> <br> HELP... I can't see what I'm doing wron= g.<br> <br> Thanks, Tuc<br> <br>-<br> List info/subscribe/unsubscribe? See <a href=3D"http://www.freeradius.org/l= ist/users.html" target=3D"_blank">http://www.freeradius.org/list/users.html= </a><br></blockquote></div><br>
------=_Part_6964_29469845.1209627227987--
--===============1703607565== Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit Content-Disposition: inline
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html --===============1703607565==--
hi, are you sure that there isnt a legacy secret entry in clients.conf file? alan
hi,
are you sure that there isnt a legacy secret entry in clients.conf file?
Nope... [root@ports sbin]# more /usr/local/etc/raddb/clients.conf #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** # THIS FILE IS NO LONGER USED. UPDATE ALL NAS IN NOC #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** #****************************************************************************** [root@ports sbin]# I did find the problem (Error between eyes and brain of the tech installing the units. Put the secret as the community and visa versa.) that caused me to look into using radtest... It still leaves one item open. I can't seem to get radclient to be able to take the NAS-IP-Address and then the secret for that NAS-IP-Address. It seems no matter what, it wants to use the secret for the localhost. Is this how its supposed to work, or is there a bug somewhere? Thanks, Tuc
Hi,
It still leaves one item open. I can't seem to get radclient to be able to take the NAS-IP-Address and then the secret for that NAS-IP-Address. It seems no matter what, it wants to use the secret for the localhost. Is this how its supposed to work, or is there a bug somewhere?
man radclient Packet-Dst-IP-Address - if this attribute is present in the request then the packet will be sent to that address. ie it wont go to 127.0.0.1 if you specify the real IP of the server. alternately, use the IP address of the server and not its canonical 'localhost' which will always be 127.0.0.1 unless you've played with the systems IP stack..... alan
Hi,
It still leaves one item open. I can't seem to get radclient to be able to take the NAS-IP-Address and then the secret for that NAS-IP-Address. It seems no matter what, it wants to use the secret for the localhost. Is this how its supposed to work, or is there a bug somewhere?
man radclient
Packet-Dst-IP-Address - if this attribute is present in the request then the packet will be sent to that address. ie it wont go to 127.0.0.1 if you specify the real IP of the server. alternately, use the IP address of the server and not its canonical 'localhost' which will always be 127.0.0.1 unless you've played with the systems IP stack.....
alan
I guess I'm not clear in what I was attempting to accomplish, maybe subsequently I went about it the wrong way. Tech calls in and say that he can't get an appliance working in the field. I ask him what secret he's using and the IP address of the appliance. I want to be able to be locally logged onto the radius server and use radtest/radclient/rad???? to be able to query radius asking "If I was IP, and I gave you SECRET, would you authorize me?". So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 . Thanks, Tuc
Hi,
Tech calls in and say that he can't get an appliance working in the field. I ask him what secret he's using and the IP address of the appliance. I want to be able to be locally logged onto the radius server and use radtest/radclient/rad???? to be able to query radius asking "If I was IP, and I gave you SECRET, would you authorize me?".
So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
you want to spoof the source address? tricky. one 'easy' way to do this would be to create a local VPN/GRE tunnel on the linux box under which you could emulate a remote link. configure freeradius to also listen on that virtual address, run the radclient with the destination being the end point of the VPN - the linux routing tables would then come into play. you'd have to reconfigure the VPN end addresses etc each time to emulate an outside world link...but it would work. alan
Hi,
Tech calls in and say that he can't get an appliance working in the field. I ask him what secret he's using and the IP address of the appliance. I want to be able to be locally logged onto the radius server and use radtest/radclient/rad???? to be able to query radius asking "If I was IP, and I gave you SECRET, would you authorize me?".
So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
you want to spoof the source address? tricky. one 'easy' way to do this would be to create a local VPN/GRE tunnel on the linux box under which you could emulate a remote link.
configure freeradius to also listen on that virtual address, run the radclient with the destination being the end point of the VPN - the linux routing tables would then come into play. you'd have to reconfigure the VPN end addresses etc each time to emulate an outside world link...but it would work.
Not worth it. All I'm looking to do is get programatic confirmation that the ip/secret combination in the field is correct. Since this is an appliance, not an OS, I don't have access to radtest on the appliance. To have someone start setting up VPN/GRE/etc is more hassle than its worth. I just have to tell the tech to RTFD closer. I was just hoping I could put together a local form on a webserver that could shell out to a script to make the test. We'll just have to suffer. :) (Or ask the manufacturer to include a utility in the "diagnostic" section) Thanks, Tuc
If you have a spare box on a local network, switch that supports VLANs and a router that can tag VLANs - you can spoof the whole outside network with simple IP/VLAN configuration: configure a gateway IP interface for the network you want to spoof on your router and tag it with testing VLAN ID - that will create a locally connected routing table entry - no creative manual entries needed configure testing VLAN ID on the switchport to which you will connect the testing box configure IP you want to spoof on the testing box That shouldn't take more than 5 minutes. Just make sure that you remove the spoofed gateway interface from the router after testing in order to be able to use the real network. Ivan Kalik Kalik Informatika ISP Dana 4/5/2008, "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> piše:
Hi,
Tech calls in and say that he can't get an appliance working in the field. I ask him what secret he's using and the IP address of the appliance. I want to be able to be locally logged onto the radius server and use radtest/radclient/rad???? to be able to query radius asking "If I was IP, and I gave you SECRET, would you authorize me?".
So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
you want to spoof the source address? tricky. one 'easy' way to do this would be to create a local VPN/GRE tunnel on the linux box under which you could emulate a remote link.
configure freeradius to also listen on that virtual address, run the radclient with the destination being the end point of the VPN - the linux routing tables would then come into play. you'd have to reconfigure the VPN end addresses etc each time to emulate an outside world link...but it would work.
Not worth it. All I'm looking to do is get programatic confirmation that the ip/secret combination in the field is correct. Since this is an appliance, not an OS, I don't have access to radtest on the appliance. To have someone start setting up VPN/GRE/etc is more hassle than its worth. I just have to tell the tech to RTFD closer. I was just hoping I could put together a local form on a webserver that could shell out to a script to make the test.
We'll just have to suffer. :) (Or ask the manufacturer to include a utility in the "diagnostic" section)
Thanks, Tuc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Ivan, Really, I appreciate the information. I'm sure between the suggestions given I could do it. However, if it is more than a command line or script on the radius server itself, its too involved for the person I have to turn it over to. I just saw that radtest took nasname as an option and thought it would have a bearing on the secret. Not the case, so I know better. :) Thanks, Tuc
If you have a spare box on a local network, switch that supports VLANs and a router that can tag VLANs - you can spoof the whole outside network with simple IP/VLAN configuration:
configure a gateway IP interface for the network you want to spoof on your router and tag it with testing VLAN ID - that will create a locally connected routing table entry - no creative manual entries needed
configure testing VLAN ID on the switchport to which you will connect the testing box
configure IP you want to spoof on the testing box
That shouldn't take more than 5 minutes. Just make sure that you remove the spoofed gateway interface from the router after testing in order to be able to use the real network.
Ivan Kalik Kalik Informatika ISP
Dana 4/5/2008, "Tuc at T-B-O-H.NET" <ml@t-b-o-h.net> pi�e:
Hi,
Tech calls in and say that he can't get an appliance working in the field. I ask him what secret he's using and the IP address of the appliance. I want to be able to be locally logged onto the radius server and use radtest/radclient/rad???? to be able to query radius asking "If I was IP, and I gave you SECRET, would you authorize me?".
So I want to be on 1.2.3.4, but say I'm on 3.4.5.6 . Right now, If I say I'm on 3.4.5.6, it still wants the secret for 1.2.3.4 .
you want to spoof the source address? tricky. one 'easy' way to do this would be to create a local VPN/GRE tunnel on the linux box under which you could emulate a remote link.
configure freeradius to also listen on that virtual address, run the radclient with the destination being the end point of the VPN - the linux routing tables would then come into play. you'd have to reconfigure the VPN end addresses etc each time to emulate an outside world link...but it would work.
Not worth it. All I'm looking to do is get programatic confirmation that the ip/secret combination in the field is correct. Since this is an appliance, not an OS, I don't have access to radtest on the appliance. To have someone start setting up VPN/GRE/etc is more hassle than its worth. I just have to tell the tech to RTFD closer. I was just hoping I could put together a local form on a webserver that could shell out to a script to make the test.
We'll just have to suffer. :) (Or ask the manufacturer to include a utility in the "diagnostic" section)
Thanks, Tuc - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (4)
-
A.L.M.Buxey@lboro.ac.uk -
Ivan Kalik -
Liran Tal -
Tuc at T-B-O-H.NET