Hello, This might have been asked before (and I hope so), but I can't get my freeradius server to respond remote authentications requests. I got the SQL authentication set up and things seem to work in local. radtest works for me with this command: radtest myuser mypass 127.0.0.1 1812 test which would be in my NAS: client 127.0.0.1{ ipaddr = 127.0.0.1 secret = test } -> I see the package accepted from debug mode on server. Now if I want to test through the Internet, using NTRadPing, I am not sure how I should set up my client, I tried (with xx.xx.xx.xx my IP as seen through the Internet): client xx.xx.xx.xx{ ipaddr = xx.xx.xx.xx secret = test } but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout. What am I missing? Did I get the IP thing right anyways?
Hi,
but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls - eg the server firewall...ensure UDP 1812 is allowed alan
Am Dienstag, 25. März 2014, 13:34:26 schrieb A.L.M.Buxey@lboro.ac.uk:
Hi,
but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls - eg the server firewall...ensure UDP 1812 is allowed
You could check with a tcpdump -n -i eth0 port 1812 if your RADIUS server recieves and packets at all, provided eth0 is the interface in question. Mit freundlichen Grüßen, Michael Schwartzkopff -- [*] sys4 AG http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044 Franziskanerstraße 15, 81669 München Sitz der Gesellschaft: München, Amtsgericht München: HRB 199263 Vorstand: Patrick Ben Koetter, Marc Schiffbauer Aufsichtsratsvorsitzender: Florian Kirstein
I am not an expert in networking, but I assume this is the command you are talking about: ubuntu:/etc/freeradius$ sudo netstat -anpu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 127.0.0.1:18120 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1812 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1813 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1814 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:68 0.0.0.0:* 459/dhclient3
Date: Tue, 25 Mar 2014 13:34:26 +0000 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: No remote authentication
Hi,
but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls - eg the server firewall...ensure UDP 1812 is allowed
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
No. That command just shows that the daemon is listening on those ports. The firewall service might not be letting packets through. Alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Check if you have the iptables process running. If you do, you have a firewall. Stop the service and see if things start working. If they do, your firewall was blocking the traffic and you will need to set up rules for that. Regards Stefan From: Benoit [mailto:goony@hotmail.fr] Sent: 25 March 2014 13:54 To: FreeRadius users mailing list Subject: RE: No remote authentication I am not an expert in networking, but I assume this is the command you are talking about: ubuntu:/etc/freeradius$ sudo netstat -anpu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 127.0.0.1:18120 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1812 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1813 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1814 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:68 0.0.0.0:* 459/dhclient3
Date: Tue, 25 Mar 2014 13:34:26 +0000 From: A.L.M.Buxey@lboro.ac.uk<mailto:A.L.M.Buxey@lboro.ac.uk> To: freeradius-users@lists.freeradius.org<mailto:freeradius-users@lists.freeradius.org> Subject: Re: No remote authentication
Hi,
but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls - eg the server firewall...ensure UDP 1812 is allowed
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
Again, I am not very good with networking, but I assume there's no active firewall on my server after running those 2 commands: ubuntu:~$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination Chain FORWARD (policy ACCEPT) target prot opt source destination Chain OUTPUT (policy ACCEPT) target prot opt source destination ubuntu:~$ sudo ufw status Status: inactive Am I correct? Thanks everyone for trying to help by the way. I just joined the mailing list and am happy to see it so active. Benoit From: stefan.paetow@diamond.ac.uk To: freeradius-users@lists.freeradius.org Subject: RE: No remote authentication Date: Tue, 25 Mar 2014 18:15:46 +0000 Check if you have the iptables process running. If you do, you have a firewall. Stop the service and see if things start working. If they do, your firewall was blocking the traffic and you will need to set up rules for that. Regards Stefan From: Benoit [mailto:goony@hotmail.fr] Sent: 25 March 2014 13:54 To: FreeRadius users mailing list Subject: RE: No remote authentication I am not an expert in networking, but I assume this is the command you are talking about: ubuntu:/etc/freeradius$ sudo netstat -anpu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 127.0.0.1:18120 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1812 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1813 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1814 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:68 0.0.0.0:* 459/dhclient3
Date: Tue, 25 Mar 2014 13:34:26 +0000
From: A.L.M.Buxey@lboro.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: No remote authentication
Hi,
but the server debug mode (server side) does not react at all and stay in
the waiting for requests state, while the client gets its requests to
timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls
- eg the server firewall...ensure UDP 1812 is allowed
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Apparently your firewall is inactive. For the sake of conscience, issue the following command: sudo iptables -F This will flush all firewall rules, including other tables. Make sure radiusd.conf "listen_address" param is equal to "*". This ensures freerarius will bind in all available IP addresses (0.0.0.0). Clayton A. Alves <http://claytonaalves.github.com> *claytonaalves* +55 66 9233-3406 2014-03-25 18:27 GMT-04:00 Benoit <goony@hotmail.fr>:
Again, I am not very good with networking, but I assume there's no active firewall on my server after running those 2 commands:
ubuntu:~$ sudo iptables -L Chain INPUT (policy ACCEPT) target prot opt source destination
Chain FORWARD (policy ACCEPT) target prot opt source destination
Chain OUTPUT (policy ACCEPT) target prot opt source destination
ubuntu:~$ sudo ufw status Status: inactive
Am I correct?
Thanks everyone for trying to help by the way. I just joined the mailing list and am happy to see it so active.
Benoit
------------------------------ From: stefan.paetow@diamond.ac.uk To: freeradius-users@lists.freeradius.org
Subject: RE: No remote authentication Date: Tue, 25 Mar 2014 18:15:46 +0000
Check if you have the iptables process running. If you do, you have a firewall.
Stop the service and see if things start working. If they do, your firewall was blocking the traffic and you will need to set up rules for that.
Regards
Stefan
*From:* Benoit [mailto:goony@hotmail.fr] *Sent:* 25 March 2014 13:54 *To:* FreeRadius users mailing list *Subject:* RE: No remote authentication
I am not an expert in networking, but I assume this is the command you are talking about:
ubuntu:/etc/freeradius$ sudo netstat -anpu Active Internet connections (servers and established) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name udp 0 0 127.0.0.1:18120 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1812 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1813 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:1814 0.0.0.0:* 3777/freeradius udp 0 0 0.0.0.0:68 0.0.0.0:* 459/dhclient3
Date: Tue, 25 Mar 2014 13:34:26 +0000 From: A.L.M.Buxey@lboro.ac.uk To: freeradius-users@lists.freeradius.org Subject: Re: No remote authentication
Hi,
but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout.
..so the server doesnt receive the packet at all? in that case check your firewalls - eg the server firewall...ensure UDP 1812 is allowed
alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If the freeradius daemin sees nothing and is listening on the ports (netstat) and theres no firewall (iptables) then either something somewhere else on your network is blocking the RADIUS packets or your NAS config is wrong (either its AAA settings or its eg management routing ) alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Alright... this is a little embarrassing. I am using amazon EC2 for the server and I completely forgot there is a firewall to manage in the EC2 management console as well. Requests go through now. Thank you all for helping me to figure this out. Benoit Subject: RE: No remote authentication From: A.L.M.Buxey@lboro.ac.uk Date: Wed, 26 Mar 2014 07:30:32 +0000 To: freeradius-users@lists.freeradius.org; goony@hotmail.fr If the freeradius daemin sees nothing and is listening on the ports (netstat) and theres no firewall (iptables) then either something somewhere else on your network is blocking the RADIUS packets or your NAS config is wrong (either its AAA settings or its eg management routing ) alan -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
Hi Benoit, If you have a firewall, you need to make sure that you can access the RADIUS server on ports 1812-1813 (and if you're proxying, 1814) on UDP. It is quite possible it is simply ignored. Stefan From: Benoit [mailto:goony@hotmail.fr] Sent: 25 March 2014 13:14 To: freeradius-users@lists.freeradius.org Subject: No remote authentication Hello, This might have been asked before (and I hope so), but I can't get my freeradius server to respond remote authentications requests. I got the SQL authentication set up and things seem to work in local. radtest works for me with this command: radtest myuser mypass 127.0.0.1 1812 test which would be in my NAS: client 127.0.0.1{ ipaddr = 127.0.0.1 secret = test } -> I see the package accepted from debug mode on server. Now if I want to test through the Internet, using NTRadPing, I am not sure how I should set up my client, I tried (with xx.xx.xx.xx my IP as seen through the Internet): client xx.xx.xx.xx{ ipaddr = xx.xx.xx.xx secret = test } but the server debug mode (server side) does not react at all and stay in the waiting for requests state, while the client gets its requests to timeout. What am I missing? Did I get the IP thing right anyways? -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
participants (6)
-
A.L.M.Buxey@lboro.ac.uk -
Alan Buxey -
Benoit -
Clayton Alves -
Michael Schwartzkopff -
stefan.paetow@diamond.ac.uk