Im new on freeradius. Ive just installed it on fedora11 with yum install freeradius* and then done: radiusd X Here are the final lines of the debugging mode: } Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. After install done the test in another shell on the same machine: radtest test test localhost 0 testing123, as suggested in <http://freeradius.org/radiusd/INSTALL> http://freeradius.org/radiusd/INSTALL and nothing appended. What is wrong with it? Can someone help me.
I think that-s everything ok with iptables as you can see: ... *filter :INPUT ACCEPT [0:0] :FORWARD ACCEPT [0:0] :OUTPUT ACCEPT [0:0] -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT -A INPUT -p icmp -j ACCEPT -A INPUT -i lo -j ACCEPT -A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT -A INPUT -j REJECT --reject-with icmp-host-prohibited -A FORWARD -j REJECT --reject-with icmp-host-prohibited COMMIT ... But I do not understand why this output of nmap localhost, after radiusd -X ... Interesting ports on localhost (127.0.0.1): Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds ... Should port 1812,1813,1814 be list on and open ? José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de Alan Buxey Enviada: sábado, 23 de Janeiro de 2010 20:51 Para: FreeRadius users mailing list Assunto: Re: Free radius installation Hi,
What is wrong with it? Can someone help me.
iptables ? check /etc/sysconfig/iptables and ensure that UDP 1812 and UDP 1813 are allowed alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT
its an interesting idea putting state requirements onto UDP protocol methods
But I do not understand why this output of nmap localhost, after radiusd -X ... Interesting ports on localhost (127.0.0.1): Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind
..and what method of nma scan did you use - just quick TCP scan or a full inspection? alan
I did used nmap like bellow: [root@localhost raddb]# nmap -v -O localhost Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-24 14:15 WET NSE: Loaded 0 scripts for scanning. Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1. Initiating SYN Stealth Scan at 14:15 Scanning localhost (127.0.0.1) [1000 ports] Discovered open port 111/tcp on 127.0.0.1 Discovered open port 22/tcp on 127.0.0.1 Completed SYN Stealth Scan at 14:15, 0.03s elapsed (1000 total ports) Initiating OS detection (try #1) against localhost (127.0.0.1) Host localhost (127.0.0.1) is up (0.000013s latency). Interesting ports on localhost (127.0.0.1): Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind Device type: general purpose Running: Linux 2.6.X OS details: Linux 2.6.15 - 2.6.27 Uptime guess: 1.827 days (since Fri Jan 22 18:25:10 2010) Network Distance: 0 hops TCP Sequence Prediction: Difficulty=192 (Good luck!) IP ID Sequence Generation: All zeros Read data files from: /usr/share/nmap OS detection performed. Please report any incorrect results at http://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 1.51 seconds Raw packets sent: 1019 (45.598KB) | Rcvd: 2043 (86.988KB) [root@localhost raddb]# .... As I understood is that everything all right with iptables? So why I can't test radius, It seems like something is blocking between radtest(radclient) and radiusd server, because theres no debug info... Can I debug somehow with more details the radtest command sugested on the freeradius toturial José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de Alan Buxey Enviada: domingo, 24 de Janeiro de 2010 16:01 Para: FreeRadius users mailing list Assunto: Re: Free radius installation Hi,
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1812 -j ACCEPT -A INPUT -m state --state NEW -m udp -p udp --dport 1813 -j ACCEPT
its an interesting idea putting state requirements onto UDP protocol methods
But I do not understand why this output of nmap localhost, after radiusd -X ... Interesting ports on localhost (127.0.0.1): Not shown: 998 closed ports PORT STATE SERVICE 22/tcp open ssh 111/tcp open rpcbind
..and what method of nma scan did you use - just quick TCP scan or a full inspection? alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I did used nmap like bellow:
[root@localhost raddb]# nmap -v -O localhost
nmap -v -sU localhost thats a UDP scan
As I understood is that everything all right with iptables?
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol? -p udp --dport 1812 -j ACCEPT -p udp --dport 1813 -j ACCEPT would be more suitable
Can I debug somehow with more details the radtest command sugested on the freeradius toturial
get past the basics first - you could always also use eg 'tcpdump' to see what traffic is on port 1812 on the localhost.... eg tcpdump -eqnntl -i eth0 port 1812 alan
Hello Alan,
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?
I think you can still do state checks for UDP: http://www.sns.ias.edu/~jns/wp/2006/01/12/iptables-connection-tracking-udp/ Best Regards, George
Hi,
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?
I think you can still do state checks for UDP:
there are ways and means - sure - but in the first throes of getting some test traffic to the daemon, surely the easiest thing is to just allow UDP port 1812 and 1813 traffic and THEN start learning what firewall flags work with the traffic. alternatively, SElinux is getting in the way (if its enabled) 'sestatus' or 'getenforce' and try setting it to permissive - just for testing! - 'setenforce 0' if thats the case, then put the enforcing back and then check the secure/audit logs to see what/why/how its failing and put the right SELinux rules into place to deal with the requirements of the daemon. plenty of online resources dealing with SELinux and how to configure/check it. alan
Hi, I've SELINUX=disabled. Atentamente, José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de Alan Buxey Enviada: segunda-feira, 25 de Janeiro de 2010 9:19 Para: FreeRadius users mailing list Assunto: Re: Free radius installation Hi,
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?
I think you can still do state checks for UDP:
there are ways and means - sure - but in the first throes of getting some test traffic to the daemon, surely the easiest thing is to just allow UDP port 1812 and 1813 traffic and THEN start learning what firewall flags work with the traffic. alternatively, SElinux is getting in the way (if its enabled) 'sestatus' or 'getenforce' and try setting it to permissive - just for testing! - 'setenforce 0' if thats the case, then put the enforcing back and then check the secure/audit logs to see what/why/how its failing and put the right SELinux rules into place to deal with the requirements of the daemon. plenty of online resources dealing with SELinux and how to configure/check it. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 01/25/2010 01:18 PM, Alan Buxey wrote:
Hi,
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol?
I think you can still do state checks for UDP:
there are ways and means - sure - but in the first throes of getting some test traffic to the daemon, surely the easiest thing is to just allow UDP port 1812 and 1813 traffic and THEN start learning what firewall flags work with the traffic.
I just stated that it's possible, I didn't mean it should be configured like this while debugging something. George
Hello, Ok after radius -X command nmap shows me that radius ports are open. ... [root@localhost ~]# nmap -v -sU localhost Starting Nmap 5.00 ( http://nmap.org ) at 2010-01-25 09:36 WET NSE: Loaded 0 scripts for scanning. Warning: Hostname localhost resolves to 2 IPs. Using 127.0.0.1. Initiating UDP Scan at 09:36 Scanning localhost (127.0.0.1) [1000 ports] Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports) Host localhost (127.0.0.1) is up (0.0000090s latency). Interesting ports on localhost (127.0.0.1): Not shown: 996 closed ports PORT STATE SERVICE 111/udp open|filtered rpcbind 1812/udp open|filtered radius 1813/udp open|filtered radacct 5353/udp open|filtered zeroconf Read data files from: /usr/share/nmap Nmap done: 1 IP address (1 host up) scanned in 1.26 seconds Raw packets sent: 1004 (28.112KB) | Rcvd: 996 (55.776KB) [root@localhost ~]# ... I've changed iptable rules as you mentioned, but with no better results. Even with the firewall turned off, still have any response from server, as you can see here(info from two consoles): ...(console#1) ... ... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ... ... (console#2) [root@localhost ~]# radtest test test localhost 0 testing123 Sending Access-Request of id 42 to ::1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Sending Access-Request of id 42 to ::1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 Sending Access-Request of id 42 to ::1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0 radclient: no response from server for ID 42 socket 3 [root@localhost ~]# ... Atentamente, José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de Alan Buxey Enviada: domingo, 24 de Janeiro de 2010 21:22 Para: FreeRadius users mailing list Assunto: Re: Free radius installation Hi,
I did used nmap like bellow:
[root@localhost raddb]# nmap -v -O localhost
nmap -v -sU localhost thats a UDP scan
As I understood is that everything all right with iptables?
not really - did you read what I wrote? How can you do a state check on what is a stateless protocol? -p udp --dport 1812 -j ACCEPT -p udp --dport 1813 -j ACCEPT would be more suitable
Can I debug somehow with more details the radtest command sugested on the freeradius toturial
get past the basics first - you could always also use eg 'tcpdump' to see what traffic is on port 1812 on the localhost.... eg tcpdump -eqnntl -i eth0 port 1812 alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Scanning localhost (127.0.0.1) [1000 ports] Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports) Host localhost (127.0.0.1) is up (0.0000090s latency). Interesting ports on localhost (127.0.0.1): Not shown: 996 closed ports PORT STATE SERVICE 111/udp open|filtered rpcbind 1812/udp open|filtered radius 1813/udp open|filtered radacct 5353/udp open|filtered zeroconf ... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ... [root@localhost ~]# radtest test test localhost 0 testing123 Sending Access-Request of id 42 to ::1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
you are nmapping 127.0.0.1 which is ipv4 interface to check whether radiusd is listening (why not try neststat -lnp instead?), while sending radtest queries to ::1 which is ipv6. are you sure your radiusd is listening for ::1 as well? my 2 cents. George
Ok, that's a good observation, but this is a fresh new installation... I did not change anything prior the installation of (yum install freeradius*). Should I change something before testing it? Why is radtest doing queries to ::1 (ipv6 address). Can you help me. José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de George Chelidze Enviada: segunda-feira, 25 de Janeiro de 2010 10:21 Para: FreeRadius users mailing list Assunto: Re: Free radius installation
Scanning localhost (127.0.0.1) [1000 ports] Completed UDP Scan at 09:36, 1.21s elapsed (1000 total ports) Host localhost (127.0.0.1) is up (0.0000090s latency). Interesting ports on localhost (127.0.0.1): Not shown: 996 closed ports PORT STATE SERVICE 111/udp open|filtered rpcbind 1812/udp open|filtered radius 1813/udp open|filtered radacct 5353/udp open|filtered zeroconf ... Listening on authentication address * port 1812 Listening on accounting address * port 1813 Listening on command file /var/run/radiusd/radiusd.sock Listening on proxy address * port 1814 Ready to process requests. ... [root@localhost ~]# radtest test test localhost 0 testing123 Sending Access-Request of id 42 to ::1 port 1812 User-Name = "test" User-Password = "test" NAS-IP-Address = 127.0.0.1 NAS-Port = 0
you are nmapping 127.0.0.1 which is ipv4 interface to check whether radiusd is listening (why not try neststat -lnp instead?), while sending radtest queries to ::1 which is ipv6. are you sure your radiusd is listening for ::1 as well? my 2 cents. George - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 01/25/2010 02:37 PM, José Campos wrote:
Ok, that's a good observation, but this is a fresh new installation...
I did not change anything prior the installation of (yum install freeradius*).
I thing the default is listen { ... ipaddr = * ... } which means to listen for every ipv4 interface. you can also file the following comments in your configuration: # OR, you can use an IPv6 address, but not both # at the same time so, your radius server is _not_ listening for ipv6 interfeces.
Should I change something before testing it? Why is radtest doing queries to ::1 (ipv6 address).
cat /etc/hosts I think you have something like this: ::1 localhost ip6-localhost ip6-loopback either map 127.0.0.1 to localhost, or use radtest test test 127.0.0.1 0 testing123 George
OK, It worked all right with: radtest test test 127.0.0.1 0 testing123 José Campos -----Mensagem original----- De: freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org [mailto:freeradius-users-bounces+jjscampos=gmail.com@lists.freeradius.org] Em nome de George Chelidze Enviada: segunda-feira, 25 de Janeiro de 2010 10:47 Para: FreeRadius users mailing list Assunto: Re: Free radius installation On 01/25/2010 02:37 PM, José Campos wrote:
Ok, that's a good observation, but this is a fresh new installation...
I did not change anything prior the installation of (yum install freeradius*).
I thing the default is listen { ... ipaddr = * ... } which means to listen for every ipv4 interface. you can also file the following comments in your configuration: # OR, you can use an IPv6 address, but not both # at the same time so, your radius server is _not_ listening for ipv6 interfeces.
Should I change something before testing it? Why is radtest doing queries to ::1 (ipv6 address).
cat /etc/hosts I think you have something like this: ::1 localhost ip6-localhost ip6-loopback either map 127.0.0.1 to localhost, or use radtest test test 127.0.0.1 0 testing123 George - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I did not change anything prior the installation of (yum install freeradius*). Should I change something before testing it? Why is radtest doing queries to ::1 (ipv6 address).
look in /etc/hosts see what localhost has been given an alias of. just tell radtest to use 127.0.0.1 - after all, when you go live, you'll be telling your NAS kit to use the IPv4 address of the server..... wont you? (if you are serious about IPv6, then you'll simply copy your default server config file, rename it, eg default-ipv6 and configure it to listen to the IPv6 - see the config for the required syntax) - the current daemon cannot listen to both IPv4 and IPv6 within the same main virtual server we use IPv6 here and FreeRADIUS works (very) well with it thanks. alan
Hi,
Hello, Ok after radius -X command nmap shows me that radius ports are open. ... [root@localhost ~]# nmap -v -sU localhost
okay..what about the output of netstat -apn | grep 1812 ah.....i think I've spotted something far MORE interesting...
[root@localhost ~]# radtest test test localhost 0 testing123 Sending Access-Request of id 42 to ::1 port 1812
::1 oh aye? so this box is configured to have IPv6 running? in that case you should either 1) configure the IPv6 correctly - and that means also configuring the FreeRADIUS to actually be listening on the IPv6 interfaces oe 2) realise that you havent got IPv6 correctly configured and configure it. in either case, THIS will work radtest test test 127.0.0.1 1234 testing123 alan
participants (4)
-
Alan Buxey -
Alan DeKok -
George Chelidze -
José Campos