possible radtest parameter issue

Laker Netman laker_netman at yahoo.com
Thu Dec 8 22:09:09 CET 2005 

I am trying to use radtest to check some changes I'm
making in my FR "users" file. My goal is to be able to
let visitors use our wifi network for Internet access
by authorizing them against a generic user/password
combo in "users" like "guest" & "wireless", while
everyone in the company, who is actually connecting to
resources on our LAN, authorize/authenticate against
our Active Directory (which is already working).

I read the radtest man file and Googled for some
examples, so I think my syntax is accurate. Am I
correct that radtest, by use of the optional
"nasname", can make FR behave as if the
Access-Requests are coming from a different NAS than
the host upon which it is being run? Either way the
results are not what I anticipated.

When I run the following from a terminal on my FR box:
radtest test test radserver.my.domain 10 secret
ap.my.domain

I get this reply:
Sending Access-Request of id 191 to
192.168.12.210:1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = RADSERVER
        NAS-Port = 10
        Framed-Protocol = PPP

I didn't think the Framed-Protocol attribute should
appear unless the optional value following "secret"
was an integer > 0. This looks to me like the
"ap.my.domain" is being taken as [ppphint] rather than
[nasname].  This seems incorrect to me since ppphint
and nasname are both listed as optional, which I
concluded means exclusive of one another. Is that
right?

I expanded my tests. Adding a zero after "secret"
(radtest test test radserver.my.domain 10 secret 0
ap.my.domain) produced the following:
Sending Access-Request of id 105 to
192.168.12.210:1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP

So now the NAS-IP-Address attribute is populated, but
the Framed-Protocol attribute is still appearing, even
though I explicitly placed a zero at the ppphint
parameter position. And it's a hostname in
NAS-IP-Address, rather than an IP address :) Neither
seems right. Is there a common misconfiguration I
could look for elsewhere?

Here is the last thing that happened I'm not sure
about:
Sending Access-Request of id 105 to
192.168.12.210:1812
        User-Name = "test"
        User-Password = "test"
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to
192.168.12.210:1812
        User-Name = "test"
        User-Password =
")\346\216Axj\002\322\264\361\330-12Q\242"
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to
192.168.12.210:1812
        User-Name = "test"
        User-Password =
")\346\216Axj\002\322\264\361\330-12Q\242"
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP
Re-sending Access-Request of id 105 to
192.168.12.210:1812
        User-Name = "test"
        User-Password =
")\346\216Axj\002\322\264\361\330-12Q\242"
        NAS-IP-Address = ap.my.domain
        NAS-Port = 10
        Framed-Protocol = PPP

The output from radiusd -X is always:
Ignoring request from unknown client
192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client
192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client
192.168.12.210:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet from host
192.168.12.210:32773, id=105, length=62
Ignoring request from unknown client
192.168.12.210:32773

What caused the User-Password field to change? Each
time I rerun the command, the User-Password is munged
differently, but stays munged the same way on
subsequent resends until I break out of radtest, if
that makes sense. Based on the debug output it doesn't
look like FR acted on the request at all.

I have NTRadPing and the test works as expected from
my desktop (which is configured in clients.conf), but
it's not ideal as it doesn't match what I'm really
trying to test (access through a wifi AP) and I do not
have the resources available to configure a standalone
test machine outside of our AD/domain.

Anyway, I'm curious what the purpose of nasname is. 
And now, I'm hoping someone can explain why I'm seeing
the above results from radtest.

BTW, I am running FR 1.0.5 (compiled from source) on
Fedora Core 4.

TIA,
Laker


__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around 
http://mail.yahoo.com

More information about the Freeradius-Users mailing list