radius is not listening
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request. I am running RHEL 4 . the server has two ethernet card..eth0 for client authentication, eth1 with DNS, iptables. here the debug output: #netstat -a netstat -a Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 *:32769 *:* LISTEN tcp 0 0 *:mysql *:* LISTEN tcp 0 0 *:netbios-ssn *:* LISTEN tcp 0 0 localhost.localdomain:783 *:* LISTEN tcp 0 0 *:sunrpc *:* LISTEN tcp 0 0 *:ftp *:* LISTEN tcp 0 0 svr1.marind.com:domain *:* LISTENvr tcp 0 0 192.168.0.10:domain *:* LISTEN tcp 0 0 localhost.localdomai:domain *:* LISTEN tcp 0 0 localhost.localdomain:ipp *:* LISTEN tcp 0 0 *:squid *:* LISTEN tcp 0 0 localhost.localdomain:smtp *:* LISTEN tcp 0 0 localhost.localdomain:rndc *:* LISTEN tcp 0 0 *:microsoft-ds *:* LISTEN tcp 0 0 svr1.marind.com:32858 10.subnet125-160-16.ak:http ESTABLISHED tcp 0 0 *:imaps *:* LISTEN tcp 0 0 *:pop3s *:* LISTEN tcp 0 0 *:pop3 *:* LISTEN tcp 0 0 *:imap *:* LISTEN tcp 0 0 *:http *:* LISTEN tcp 0 0 *:ssh *:* LISTEN tcp 0 0 *:https *:* LISTEN udp 0 0 *:32768 *:* udp 0 0 *:32769 *:* udp 0 0 *:32772 *:* udp 0 0 svr1.marind:netbios-ns *:* udp 0 0 192.168.0.10:netbios-ns *:* udp 0 0 *:netbios-ns *:* udp 0 0 s1.marin:netbios-dgm *:*vr udp 0 0 192.168.0.1:netbios-dgm *:* udp 0 0 *:netbios-dgm *:* udp 0 0 192.168.0.10:radius *:* udp 0 0 192.168.0.1:radius-acct *:* udp 0 0 192.168.0.10:1814 *:* udp 0 0 srv1.marind.c:domain *:* udp 0 0 192.168.0.10:domain *:* udp 0 0 localhost.locald:domain *:* udp 0 0 *:icpv2 *:* udp 0 0 *:958 *:* udp 0 0 *:bootps *:* udp 0 0 *:sunrpc *:* udp 0 0 *:ipp *:* udp 0 0 *:32770 *:* raw 0 0 *:icmp *:* #radiusd -X FreeRADIUS Version 2.0.4, for host i686-pc-linux-gnu, built on May 15 2008 at 21:44:23 Copyright (C) 1999-2008 The FreeRADIUS server project and contributors. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. You may redistribute copies of FreeRADIUS under the terms of the GNU General Public License. Starting - reading configuration files ... including configuration file /usr/local/etc/raddb/radiusd.conf including configuration file /usr/local/etc/raddb/proxy.conf including configuration file /usr/local/etc/raddb/clients.conf including configuration file /usr/local/etc/raddb/snmp.conf including configuration file /usr/local/etc/raddb/eap.conf including configuration file /usr/local/etc/raddb/sql.conf including configuration file /usr/local/etc/raddb/sql/mysql/dialup.conf including configuration file /usr/local/etc/raddb/sql/mysql/counter.conf including configuration file /usr/local/etc/raddb/policy.conf including files in directory /usr/local/etc/raddb/sites-enabled/ including configuration file /usr/local/etc/raddb/sites-enabled/default including configuration file /usr/local/etc/raddb/sites-enabled/inner-tunnel including dictionary file /usr/local/etc/raddb/dictionary main { prefix = "/usr/local" localstatedir = "/usr/local/var" logdir = "/usr/local/var/log/radius" libdir = "/usr/local/lib" radacctdir = "/usr/local/var/log/radius/radacct" hostname_lookups = no max_request_time = 30 cleanup_delay = 5 max_requests = 1024 allow_core_dumps = no pidfile = "/usr/local/var/run/radiusd/radiusd.pid" checkrad = "/usr/local/sbin/checkrad" debug_level = 0 proxy_requests = yes security { max_attributes = 200 reject_delay = 1 status_server = yes } } client localhost { ipaddr = 127.0.0.1 netmask = 32 require_message_authenticator = no secret = "testing123" shortname = "svr1.marind.com" nastype = "portslave" } client 192.168.0.0/24 { require_message_authenticator = no secret = "testing123-1" shortname = "sb" } radiusd: #### Loading Realms and Home Servers #### proxy server { retry_delay = 5 retry_count = 3 default_fallback = no dead_time = 120 wake_all_if_all_dead = no } home_server localhost { ipaddr = 127.0.0.1 port = 1812 type = "auth" secret = "testing123" response_window = 20 max_outstanding = 65536 zombie_period = 40 status_check = "status-server" ping_check = "none" ping_interval = 30 check_interval = 30 num_answers_to_alive = 3 num_pings_to_alive = 3 revive_interval = 120 status_check_timeout = 4 } home_server_pool my_auth_failover { type = fail-over home_server = localhost } realm example.com { auth_pool = my_auth_failover } realm LOCAL { } radiusd: #### Instantiating modules #### instantiate { Module: Linked to module rlm_exec Module: Instantiating exec exec { wait = yes input_pairs = "request" shell_escape = yes } Module: Linked to module rlm_expr Module: Instantiating expr Module: Linked to module rlm_expiration Module: Instantiating expiration expiration { reply-message = "Password Has Expired " } Module: Linked to module rlm_logintime Module: Instantiating logintime logintime { reply-message = "You are calling outside your allowed timespan " minimum-timeout = 60 } } radiusd: #### Loading Virtual Servers #### server inner-tunnel { modules { Module: Checking authenticate {...} for more modules to load Module: Linked to module rlm_pap Module: Instantiating pap pap { encryption_scheme = "auto" auto_header = no } Module: Linked to module rlm_chap Module: Instantiating chap Module: Linked to module rlm_mschap Module: Instantiating mschap mschap { use_mppe = no require_encryption = yes require_strong = yes with_ntdomain_hack = no } Module: Linked to module rlm_unix Module: Instantiating unix unix { radwtmp = "/usr/local/var/log/radius/radwtmp" } Module: Linked to module rlm_eap Module: Instantiating eap eap { default_eap_type = "peap" timer_expire = 60 ignore_unknown_eap_types = no cisco_accounting_username_bug = no } Module: Linked to sub-module rlm_eap_md5 Module: Instantiating eap-md5 Module: Linked to sub-module rlm_eap_leap Module: Instantiating eap-leap Module: Linked to sub-module rlm_eap_gtc Module: Instantiating eap-gtc gtc { challenge = "Password: " auth_type = "PAP" } Module: Linked to sub-module rlm_eap_tls Module: Instantiating eap-tls tls { rsa_key_exchange = no dh_key_exchange = yes rsa_key_length = 512 dh_key_length = 512 verify_depth = 0 pem_file_type = yes private_key_file = "/usr/local/etc/raddb/certs/server.pem" certificate_file = "/usr/local/etc/raddb/certs/server.pem" CA_file = "/usr/local/etc/raddb/certs/ca.pem" private_key_password = "Mars123" dh_file = "/usr/local/etc/raddb/certs/dh" random_file = "/usr/local/etc/raddb/certs/random" fragment_size = 1024 include_length = yes check_crl = no cipher_list = "DEFAULT" make_cert_command = "/usr/local/etc/raddb/certs/bootstrap" } Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = "md5" copy_request_to_tunnel = no use_tunneled_reply = no virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_peap Module: Instantiating eap-peap peap { default_eap_type = "mschapv2" copy_request_to_tunnel = no use_tunneled_reply = no proxy_tunneled_request_as_eap = yes virtual_server = "inner-tunnel" } Module: Linked to sub-module rlm_eap_mschapv2 Module: Instantiating eap-mschapv2 mschapv2 { with_ntdomain_hack = no } Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_realm Module: Instantiating suffix realm suffix { format = "suffix" delimiter = "@" ignore_default = no ignore_null = no } Module: Linked to module rlm_files Module: Instantiating files files { usersfile = "/usr/local/etc/raddb/users" acctusersfile = "/usr/local/etc/raddb/acct_users" preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users" compat = "no" } Module: Checking session {...} for more modules to load Module: Linked to module rlm_radutmp Module: Instantiating radutmp radutmp { filename = "/usr/local/var/log/radius/radutmp" username = "%{User-Name}" case_sensitive = yes check_with_nas = yes perm = 384 callerid = yes } Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load Module: Linked to module rlm_attr_filter Module: Instantiating attr_filter.access_reject attr_filter attr_filter.access_reject { attrsfile = "/usr/local/etc/raddb/attrs.access_reject" key = "%{User-Name}" } } } server { modules { Module: Checking authenticate {...} for more modules to load Module: Checking authorize {...} for more modules to load Module: Linked to module rlm_preprocess Module: Instantiating preprocess preprocess { huntgroups = "/usr/local/etc/raddb/huntgroups" hints = "/usr/local/etc/raddb/hints" with_ascend_hack = no ascend_channels_per_line = 23 with_ntdomain_hack = no with_specialix_jetstream_hack = no with_cisco_vsa_hack = no with_alvarion_vsa_hack = no } Module: Checking preacct {...} for more modules to load Module: Linked to module rlm_acct_unique Module: Instantiating acct_unique acct_unique { key = "User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port" } Module: Checking accounting {...} for more modules to load Module: Linked to module rlm_detail Module: Instantiating detail detail { detailfile = "/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d" header = "%t" detailperm = 384 dirperm = 493 locking = no log_packet_header = no } Module: Instantiating attr_filter.accounting_response attr_filter attr_filter.accounting_response { attrsfile = "/usr/local/etc/raddb/attrs.accounting_response" key = "%{User-Name}" } Module: Checking session {...} for more modules to load Module: Checking post-proxy {...} for more modules to load Module: Checking post-auth {...} for more modules to load } } radiusd: #### Opening IP addresses and Ports #### listen { type = "auth" ipaddr = 192.168.0.10 port = 0 } listen { type = "acct" ipaddr = 192.168.0.10 port = 0 } Listening on authentication address 192.168.0.10 port 1812 Listening on accounting address 192.168.0.10 port 1813 Listening on proxy address 192.168.0.10 port 1814 Ready to process requests. _________________________________________________________________
saman saman wrote:
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request.
...
#radiusd -X ... Ready to process requests.
The point of debug mode is to show it processing packets. If you've sent it packets and it doesn't receive them, fix the firewall on your OS to allow RADIUS packets. Alan DeKok.
HI Alan, what If radtest localhost also doesn't work either? here the iptables output #iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 192.168.1.0/24 ACCEPT all -- .0.0.0/0 192.168.1.2 state RELATED,ESTABLISHED svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1812 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1813 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1814 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2074 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 80 Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.1.206 0.0.0.0/0 Chain mars (6 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0 #radtest John hello localhost 0 testing User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 The above iptables output shows the udp 1812, 1813 & 1814 are all accepted.
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request. ... #radiusd -X ... Ready to process requests.
The point of debug mode is to show it processing packets.
If you've sent it packets and it doesn't receive them, fix the firewall on your OS to allow RADIUS packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
Greetings! I have a suggestion ,If you want to see if the packets are getting to the host try running tcp -X udp also tcpdump -X host <hostname> then try a request and see if the packets show up. On Sun, Oct 19, 2008 at 7:38 PM, saman saman <ssaman@hotmail.com> wrote:
HI Alan, what If radtest localhost also doesn't work either? here the iptables output #iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 192.168.1.0/24 ACCEPT all -- .0.0.0/0 192.168.1.2 state RELATED,ESTABLISHED svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1812 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1813 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1814 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2074 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 80
Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.1.206 0.0.0.0/0
Chain mars (6 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0
#radtest John hello localhost 0 testing User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0
The above iptables output shows the udp 1812, 1813 & 1814 are all accepted.
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request. ... #radiusd -X ... Ready to process requests.
The point of debug mode is to show it processing packets.
If you've sent it packets and it doesn't receive them, fix the firewall on your OS to allow RADIUS packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
a few more suggestions :) What is in your rules file? Can you telnet to localhost port 1812, how about 127.0.0.1 1812 (broken hosts file mebbe) also try this lsof -i |grep -i radius you should see radius listening Liz On Sun, Oct 19, 2008 at 7:38 PM, saman saman <ssaman@hotmail.com> wrote:
HI Alan, what If radtest localhost also doesn't work either? here the iptables output #iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 192.168.1.0/24 ACCEPT all -- .0.0.0/0 192.168.1.2 state RELATED,ESTABLISHED svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1812 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1813 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1814 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2074 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 80
Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.1.206 0.0.0.0/0
Chain mars (6 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0
#radtest John hello localhost 0 testing User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0
The above iptables output shows the udp 1812, 1813 & 1814 are all accepted.
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request. ... #radiusd -X ... Ready to process requests.
The point of debug mode is to show it processing packets.
If you've sent it packets and it doesn't receive them, fix the firewall on your OS to allow RADIUS packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Elizabeth, Thanks for the quick response. I tried #/usr/sbin/tcpdump -X host 127.0.0.1 tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes (Nothing happening) #/usr/sbin/tcpdump -X svr1.marind.com 15:20:55.301070 IP 192.168.1.50.63188> svr1.marind.com.domain: 13870+ A? b.rad.live.com. (32)vr 0x0000: 4500 003c a1c1 0000 8011 1568 c0a8 0132 E.. svr1.marind.com.domain: 57001+ A? b.rad.live.com. (32) 0x0000: 4500 003c a1cb 0000 8011 155e c0a8 0132 E.. svr1.marind.com.domain: 28694+ A? gfx2.hotmail.com. (34) 0x0000: 4500 003e a1cc 0000 8011 155b c0a8 0132 E..>.......[...2 0x0010: c0a8 0105 d55b 0035 002a 1dc8 7016 0100 .....[.5.*..p... 0x0020: 0001 0000 0000 0000 0467 6678 3207 686f .........gfx2.ho 0x0030: 746d 6169 6c03 636f 6d00 0001 0001 tmail.com..... 15:21:05.556816 IP 192.168.1.50.51451> svr1.marind.com.domain: 57001+ A? b.rad.live.com. (32) 0x0000: 4500 003c a1cd 0000 8011 155c c0a8 0132 E.. svr1.marind.com.domain: 28694+ A? gfx2.hotmail.com. (34) 0x0000: 4500 003e a1ce 0000 8011 1559 c0a8 0132 E..>.......Y...2 0x0010: c0a8 0105 d55b 0035 002a 1dc8 7016 0100 .....[.5.*..p... 0x0020: 0001 0000 0000 0000 0467 6678 3207 686f .........gfx2.ho 0x0030: 746d 6169 6c03 636f 6d00 0001 0001 tmail.com..... .....etc # /usr/sbin/lsof -i |grep -i radius radiusd 3965 root 5u IPv4 10123 UDP 192.168.0.10:radius radiusd 3965 root 6u IPv4 10125 UDP 192.168.0.10:radius-acct radiusd 3965 root 7u IPv4 10126 UDP 192.168.0.10:1814 #telnet 127.0.0.1 Trying 127.0.0.1... telnet: connect to address 127.0.0.1: Connection refused telnet: Unable to connect to remote host: Connection refused # telnet localhost 25 Trying 127.0.0.1... Connected to localhost.localdomain (127.0.0.1). Escape character is '^]'. 220 svr1.marind.com ESMTP Sendmail 8.13.1/8.13.1; Tue, 21 Oct 2008 15:46:37 +0700 #netstat -tna Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State tcp 0 0 0.0.0.0:32769 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:139 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:783 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:111 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:21 0.0.0.0:* LISTEN tcp 0 0 192.168.1.5:53 0.0.0.0:* LISTEN tcp 0 0 192.168.0.10:53 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:631 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:3128 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:953 0.0.0.0:* LISTEN tcp 0 0 0.0.0.0:445 0.0.0.0:* LISTEN tcp 0 0 127.0.0.1:25 127.0.0.1:32848 TIME_WAIT tcp 0 0 :::993 :::* LISTEN tcp 0 0 :::995 :::* LISTEN tcp 0 0 :::110 :::* LISTEN tcp 0 0 :::143 :::* LISTEN tcp 0 0 :::80 :::* LISTEN tcp 0 0 :::22 :::* LISTEN tcp 0 0 :::443 :::* LISTEN Before I changed the freeradius setting from tls to peap..everything were fine.. I have mail server also and previously testing telnet localhost work fine. "rules file" do you mean iptables? ________________________________
Date: Sun, 19 Oct 2008 21:46:37 -0700 From: liz@twistedpair.cc To: freeradius-users@lists.freeradius.org Subject: Re: radius is not listening
a few more suggestions :)
What is in your rules file?
Can you telnet to localhost port 1812, how about 127.0.0.1 1812 (broken hosts file mebbe)
also try this
lsof -i |grep -i radius
you should see radius listening
Liz
On Sun, Oct 19, 2008 at 7:38 PM, saman saman <ssaman@hotmail.com> wrote:
HI Alan, what If radtest localhost also doesn't work either? here the iptables output #iptables -L -n Chain INPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.0.0/24 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 192.168.1.0/24 ACCEPT all -- .0.0.0/0 192.168.1.2 state RELATED,ESTABLISHED svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:21 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:22 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 srv1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:110 svr1 tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:113 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1812 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1813 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:1814 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:110 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:2074 ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:4000 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 8 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 11 ACCEPT icmp -- 0.0.0.0/0 0.0.0.0/0 icmp type 80
Chain FORWARD (policy DROP) target prot opt source destination ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 ACCEPT all -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED
Chain OUTPUT (policy DROP) target prot opt source destination ACCEPT all -- 127.0.0.1 0.0.0.0/0 ACCEPT all -- 192.168.0.10 0.0.0.0/0 ACCEPT all -- 192.168.1.2 0.0.0.0/0 ACCEPT all -- 192.168.1.206 0.0.0.0/0
Chain mars (6 references) target prot opt source destination ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp flags:0x16/0x02 ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 state RELATED,ESTABLISHED DROP tcp -- 0.0.0.0/0 0.0.0.0/0
#radtest John hello localhost 0 testing User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0 User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0
The above iptables output shows the udp 1812, 1813 & 1814 are all accepted.
Hi I am a newbie and recently would like to try to experience freeradius-server-2.0.4 but unfortunately I have problems can't solved. The freeradius is running ok but when attempt to authenticate the server is just not responding to clients request. ... #radiusd -X ... Ready to process requests.
The point of debug mode is to show it processing packets.
If you've sent it packets and it doesn't receive them, fix the firewall on your OS to allow RADIUS packets.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
_________________________________________________________________
saman saman wrote:
Hi Elizabeth, Thanks for the quick response. I tried
Nothing you were told to try. And you tried lots of other things. Please spend some time reading about your OS and networks. If you don't understand the difference between TCP and UDP, this isn't the place to learn. Alan DeKok.
Elizabeth Steinke wrote:
a few more suggestions :)
What is in your rules file?
Can you telnet to localhost port 1812, how about 127.0.0.1 <http://127.0.0.1> 1812 (broken hosts file mebbe)
Well. AFAIK FreeRADIUS operates in UDP protocol while telnet uses TCP. I don't believe saman will be able to connect. Anyway. Saman. Your FreeRADIUS server listens at:
Listening on authentication address 192.168.0.10 port 1812 Listening on accounting address 192.168.0.10 port 1813 Listening on proxy address 192.168.0.10 port 1814
And you're trying to connect at:
#radtest John hello localhost 0 testing User-Name = "John" User-Password = "hello" NAS-IP-Address = 192.168.1.2 NAS-Port = 0
Can you see a difference? Try to connect at 192.168.0.10 using radtest or change FreeRADIUS' listening ports. Kind regards, -- Lech Karol Pawłaszek <ike> "You will never see me fall from grace" [KoRn]
saman saman wrote:
what If radtest localhost also doesn't work either? here the iptables output ... #radtest John hello localhost 0 testing
OK... you've looked at the server in debugging mode when it's not receiving packets. You've looked at the firewall. You've looked at the debug output of radclient when the server isn't running. It looks like you're doing everything *but* running all of the tests at the same time. The server has to be *running* for it to respond to packets. Make sure that's happening. Alan DeKok.
participants (4)
-
Alan DeKok -
Elizabeth Steinke -
Lech Karol Pawłaszek -
saman saman