Hi People, I hope you can shed some light on a problem I am having with freeradius acting as a proxy. As you can see the packet below has a corrupt UDP header ( Checksum: 0x5b10 (incorrect, should be 0x9f2d) ). If I use radtest then the packet is fine and I get authenticated, the problem only occurs when the request is proxied out, all of the packets forwarded to the secondary radius server have the UDP checksum error, I have tried the latest version of freeradius with exactly the same results, so I have gone back to the version supplied with RedHat, on a fresh build. Versions are as follows: radiusd: FreeRADIUS Version 1.0.1, for host , built on Nov 26 2004 at 10:48:39 OpenSSL 0.9.7g 11 Apr 2005 Linux <MY HOST NAME> 2.6.9-5.ELsmp #1 SMP Wed Jan 5 19:30:39 EST 2005 i686 i686 i386 GNU/Linux This is RedHat ES version 4 Please let me know if you need any further information Regards Graham Frame 12 (197 bytes on wire, 197 bytes captured) Arrival Time: Jun 17, 2005 11:19:35.560228000 Time delta from previous packet: 4.660183000 seconds Time since reference or first frame: 111.704161000 seconds Frame Number: 12 Packet Length: 197 bytes Capture Length: 197 bytes Protocols in frame: eth:ip:udp:radius:eap Ethernet II, Src: 00:12:79:3c:9c:61, Dst: 00:00:0c:07:ac:14 Destination: 00:00:0c:07:ac:14 (All-HSRP-routers_14) Source: 00:12:79:3c:9c:61 (HewlettP_3c:9c:61) Type: IP (0x0800) Internet Protocol, Src Addr: XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX), Dst Addr: XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) Version: 4 Header length: 20 bytes Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00) 0000 00.. = Differentiated Services Codepoint: Default (0x00) .... ..0. = ECN-Capable Transport (ECT): 0 .... ...0 = ECN-CE: 0 Total Length: 183 Identification: 0x0005 (5) Flags: 0x04 (Don't Fragment) 0... = Reserved bit: Not set .1.. = Don't fragment: Set ..0. = More fragments: Not set Fragment offset: 0 Time to live: 64 Protocol: UDP (0x11) Header checksum: 0xdfd5 (correct) Source: XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) Destination: XXX.XXX.XXX.XXX (XXX.XXX.XXX.XXX) User Datagram Protocol, Src Port: 1814 (1814), Dst Port: radius (1812) Source port: 1814 (1814) Destination port: radius (1812) Length: 163 Checksum: 0x5b10 (incorrect, should be 0x9f2d) Radius Protocol Code: Access Request (1) Packet identifier: 0x1 (1) Length: 155 Authenticator: 0x22840C6BAE7ECB8E4FE8A8A3773B1A08 Attribute value pairs t:User Name(1) l:8, Value:"graham" User-Name: graham t:Framed MTU(12) l:6, Value:1400 t:Called Station Id(30) l:16, Value:"000e.842e.8230" Called-Station-Id: 000e.842e.8230 t:Calling Station Id(31) l:16, Value:"0040.96a7.f8d2" Calling-Station-Id: 0040.96a7.f8d2 t:Service Type(6) l:6, Value:Login(1) Service-Type: Login (1) t:Message Authenticator(80) l:18, Value:C77E1EE1C2A7E98B00E464AB0DB0DE48 t:EAP Message(79) l:34 Extensible Authentication Protocol Code: Response (2) Id: 2 Length: 32 Type: Identity [RFC3748] (1) Identity (27 bytes): graham@test.com t:NAS Port Type(61) l:6, Value:Wireless IEEE 802.11(19) t:NAS Port(5) l:6, Value:1646 t:NAS IP Address(4) l:6, Value:172.23.1.201 Nas IP Address: 172.23.1.201 (172.23.1.201) t:NAS identifier(32) l:8, Value:"ap1200" t:Proxy State(33) l:5, Value:323533
"Taylor, Graham" <GrahamTaylor@michaelpage.com> wrote:
Hi People, I hope you can shed some light on a problem I am having with freeradius acting as a proxy. As you can see the packet below has a corrupt UDP header
The kernel creates the UDP header, including checksum. If it's wrong, there's little FreeRADIUS can do.
If I use radtest then the packet is fine and I get authenticated, the problem only occurs when the request is proxied out, all of the packets forwarded to the secondary radius server have the UDP checksum error,
I've never seen that, and I'm not sure why it would happen. Alan DeKok.
participants (2)
-
Alan DeKok -
Taylor, Graham