can't get radtest/radclient to work
I'm having a really stupid problem. I created a "dummy" user for testing: useradd -m testing passwd testing (set password to "testing"). not secure, but who cares - it's just for testing. left share secret as default, tried to login locally with this: echo "User-Name = testing,password=testing" | /usr/bin/radclient localhost:1812 auth testing123 I enabled bad password logging, and get this error in the log: Wed Feb 27 15:13:18 2008 : Auth: rlm_unix: [testing]: invalid password Wed Feb 27 15:13:18 2008 : Auth: Login incorrect: [testing/testing] (from client localhost port 0) I also tried this way: radtest testing testing 127.0.0.1:1812 0 testing123 and this was the result: Sending Access-Request of id 92 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Re-sending Access-Request of id 92 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=92, length=20 All the radius.conf defaults are left the same except the extra bad password logging. I have no idea why that's failing. I know it's something really stupid like the "system" login fall-through bypass not being high up enough in the config or something. Can anyone jog my memory again? thanks! Dan. _________________________________________________________________
Alan, it's the age-old 64bit API problem again, it's on OpenSUSE 10.3 now, using 1.1.6 with 1.1.7 libraries it looks like the CVS fix seems to work here as well. Any way you can get those changes into the Suse pacakges? Dan. From: dgahling@hotmail.com To: freeradius-users@lists.freeradius.org Subject: can't get radtest/radclient to work Date: Wed, 27 Feb 2008 15:49:37 -0500 I'm having a really stupid problem. I created a "dummy" user for testing: useradd -m testing passwd testing (set password to "testing"). not secure, but who cares - it's just for testing. left share secret as default, tried to login locally with this: echo "User-Name = testing,password=testing" | /usr/bin/radclient localhost:1812 auth testing123 I enabled bad password logging, and get this error in the log: Wed Feb 27 15:13:18 2008 : Auth: rlm_unix: [testing]: invalid password Wed Feb 27 15:13:18 2008 : Auth: Login incorrect: [testing/testing] (from client localhost port 0) I also tried this way: radtest testing testing 127.0.0.1:1812 0 testing123 and this was the result: Sending Access-Request of id 92 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 Re-sending Access-Request of id 92 to 127.0.0.1 port 1812 User-Name = "testing" User-Password = "testing" NAS-IP-Address = 255.255.255.255 NAS-Port = 0 rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=92, length=20 All the radius.conf defaults are left the same except the extra bad password logging. I have no idea why that's failing. I know it's something really stupid like the "system" login fall-through bypass not being high up enough in the config or something. Can anyone jog my memory again? thanks! Dan. _________________________________________________________________
Question, Is it possible from the radius server to force a user to disconnect ? If yes what do I need to do that ? Normal Client --> NAS --> Radius server I would like to send a request Radius server --> NAS X Client Thanks for your time _________________________________________________________________
J-P Raymond wrote:
Question,
Is it possible from the radius server to force a user to disconnect ?
If yes what do I need to do that ?
Normal Client --> NAS --> Radius server
I would like to send a request Radius server --> NAS X Client
Thanks for your time
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Yes but your NAS needs to support CoA (Change of Authorisation) , and your RADIUS server needs to support it too; currently FR doesn't. Your best bet is to use the standard 802.1x mib and force re-authentication using SNMP. Most NAS implement this MIB just people seem to overlook it... Regards, Arran -- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
Ok I'll look at it thanks but what about Disconnect message ? I pull this info from my log User-Name = xxx@xxxx.com Acct-Status-Type = Start Acct-Session-Id = "12345678.90.123" NAS-Identifier = "router" NAS-IP-Address = 200.10.50.100 NAS-Port-Type = Virtual Framed-IP-Address = 200.10.50.1 Acct-Delay-Time = 0 Client-IP-Address = 200.10.50.100 Acct-Unique-Session-Id = "8d120506b2972302" I put this in packet.txt I tried : cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret But radclient keep retrying and it doesn't seams to work ! on the web site it mentioned I need disconnect enabled Nas ? Someone already tried this ? Thanks
Date: Wed, 27 Feb 2008 21:31:06 +0000> To: freeradius-users@lists.freeradius.org> Subject: Re: Force user disconnect on NAS> From: A.Cudbard-Bell@sussex.ac.uk> > J-P Raymond wrote:> >> > Question,> > > > Is it possible from the radius server to force a user to disconnect ?> > > > If yes what do I need to do that ?> > > > Normal> > Client --> NAS --> Radius server> > > > I would like to send a request> > Radius server --> NAS X Client> > > > Thanks for your time> > > > > >> >> > ------------------------------------------------------------------------> >> > -> > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html> Yes but your NAS needs to support CoA (Change of Authorisation) , and > your RADIUS server needs to support it too; currently FR doesn't.> > Your best bet is to use the standard 802.1x mib and force > re-authentication using SNMP. Most NAS implement this MIB just people > seem to overlook it...> > Regards,> Arran> > > -- > Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk)> Authentication, Authorisation and Accounting Officer> Infrastructure Services | ENG1 E1-1-08 > University Of Sussex, Brighton> EXT:01273 873900 | INT: 3900> > -> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
J-P Raymond wrote:
Ok I'll look at it thanks but
what about Disconnect message ?
I pull this info from my log
User-Name = xxx@xxxx.com <mailto:xxx@xxxx.com> Acct-Status-Type = Start Acct-Session-Id = "12345678.90.123" NAS-Identifier = "router" NAS-IP-Address = 200.10.50.100 NAS-Port-Type = Virtual Framed-IP-Address = 200.10.50.1 Acct-Delay-Time = 0 Client-IP-Address = 200.10.50.100 Acct-Unique-Session-Id = "8d120506b2972302"
I put this in packet.txt
I tried : cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret // But radclient keep retrying and it doesn't seams to work !
on the web site it mentioned I need disconnect enabled Nas ?
Someone already tried this ?
See when someone gives you the answer to your question and you completely ignore it... *sigh* Look http://www.rfc-archive.org/getrfc.php?rfc=3576 RFC 3576 CoA It's an extension to the RADIUS protocol. Most NAS don't support it because no RADIUS servers support it. Use the IEEE 802.1x MIB, It works, It works very well. I'll try and dig out the relevant OIDs tomorrow if your interested... Arran
Thanks
Date: Wed, 27 Feb 2008 21:31:06 +0000 To: freeradius-users@lists.freeradius.org Subject: Re: Force user disconnect on NAS From: A.Cudbard-Bell@sussex.ac.uk
J-P Raymond wrote:
Question,
Is it possible from the radius server to force a user to disconnect ?
If yes what do I need to do that ?
Normal Client --> NAS --> Radius server
I would like to send a request Radius server --> NAS X Client
Thanks for your time
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html Yes but your NAS needs to support CoA (Change of Authorisation) , and your RADIUS server needs to support it too; currently FR doesn't.
Your best bet is to use the standard 802.1x mib and force re-authentication using SNMP. Most NAS implement this MIB just people seem to overlook it...
Regards, Arran
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
J-P Raymond wrote:
Ok I'll look at it thanks but
what about Disconnect message ?
I pull this info from my log
User-Name = xxx@xxxx.com <mailto:xxx@xxxx.com> Acct-Status-Type = Start Acct-Session-Id = "12345678.90.123" NAS-Identifier = "router" NAS-IP-Address = 200.10.50.100 NAS-Port-Type = Virtual Framed-IP-Address = 200.10.50.1 Acct-Delay-Time = 0 Client-IP-Address = 200.10.50.100 Acct-Unique-Session-Id = "8d120506b2972302"
I put this in packet.txt
I tried : cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret // But radclient keep retrying and it doesn't seams to work !
on the web site it mentioned I need disconnect enabled Nas ?
Someone already tried this ?
http://www.ieee802.org/1/files/public/MIBs/802-1x-2004-mib.txt
Thanks
Date: Wed, 27 Feb 2008 21:31:06 +0000 To: freeradius-users@lists.freeradius.org Subject: Re: Force user disconnect on NAS From: A.Cudbard-Bell@sussex.ac.uk
J-P Raymond wrote:
Question,
Is it possible from the radius server to force a user to disconnect ?
If yes what do I need to do that ?
Normal Client --> NAS --> Radius server
I would like to send a request Radius server --> NAS X Client
Thanks for your time
- List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html Yes but your NAS needs to support CoA (Change of Authorisation) , and your RADIUS server needs to support it too; currently FR doesn't.
Your best bet is to use the standard 802.1x mib and force re-authentication using SNMP. Most NAS implement this MIB just people seem to overlook it...
Regards, Arran
-- Arran Cudbard-Bell (A.Cudbard-Bell@sussex.ac.uk) Authentication, Authorisation and Accounting Officer Infrastructure Services | ENG1 E1-1-08 University Of Sussex, Brighton EXT:01273 873900 | INT: 3900
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------------------------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
This works fine for me. It is POD message (packet of disconnect) Check port number and check NAS and radius log files if it doesn't work. If you have some programming skills, you can create schedule script to disconnect all active users at specific time...
User-Name = xxx@xxxx.com <mailto:xxx@xxxx.com> Acct-Status-Type = Start Acct-Session-Id = "12345678.90.123" NAS-Identifier = "router" NAS-IP-Address = 200.10.50.100 NAS-Port-Type = Virtual Framed-IP-Address = 200.10.50.1 Acct-Delay-Time = 0 Client-IP-Address = 200.10.50.100 Acct-Unique-Session-Id = "8d120506b2972302"
I put this in packet.txt
I tried : cat packet.txt | radclient -x 200.10.50.100:3799 disconnect mysecret //
Dan Gahlinger wrote:
Alan, it's the age-old 64bit API problem again, it's on OpenSUSE 10.3 now, using 1.1.6 with 1.1.7 libraries it looks like the CVS fix seems to work here as well.
Uh... which CVS fix?
Any way you can get those changes into the Suse pacakges?
I don't control the Suse packages. I suggest asking Suse. Alan DeKok.
participants (5)
-
Alan DeKok -
Arran Cudbard-Bell -
Dan Gahlinger -
J-P Raymond -
Marinko Tarlac