Swapping RADIUS servers.
Alan DeKok
aland at deployingradius.com
Thu Nov 30 01:29:00 CET 2006
Lin Richardson wrote:
> Our lesser radius server lives on two physical boxes and listens on
> ports 1645/1646 AND 1812/1813 (can freeradius mimic this and listen on
> both sets of ports?)
Yes. See "listen" in radiusd.conf.
> What we saw were requests coming into freeradius, being processed as
> expected, and returning the appropriate response - many Accept responses
> clearly visible in the logs. The radius clients however did not accept
> these responses and treated them as authentication failure.
See the FAQ. Do you have multiple IPs on the machine?
> Does anyone have an idea what could have happened here? If a radius
> client was talking to server X, and then suddenly receives a response
> from server Y on the same IP / port combination...
Huh? What does that mean? "Suddenly", as in... what, exactly?
If you shut down the old machine, and start a new machine with the
same IP, then RADIUS should work as before, assuming the server
configuration is the same.
> Nov 29 10:58:48 rad_check_password: Found Auth-Type Accept
> Nov 29 10:58:48 rad_check_password: Auth-Type = Accept, accepting the user
> Nov 29 10:58:48 Sending Access-Accept of id 105 to 10.32.251.10 port 32768
> Nov 29 10:58:48 Finished request 0
The Access-Accept contains no attributes. Are you sure you want to do
that? The request contained VLAN attributes, so I presume you want to
put the user in a VLAN.
i.e. Are you sure that you have configured FreeRADIUS to return the
SAME response as your old server? If the old server returns a bunch of
attributes, and FreeRADIUS doesn't... then the configurations aren't
identical, and the clients will behave differently.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
More information about the Freeradius-Users
mailing list
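
Added example, not part of the original message and not FreeRADIUS code: one way to check the point made in the reply, by parsing a captured Access-Accept from each server and listing the attributes the old server returned that the new one omits or changes. Both packets are constructed here; that the old server returned the RFC 3580 VLAN tunnel attributes is an assumption, and the function names are hypothetical.

```python
import struct

# Attribute numbers from RFC 2868 (only the ones used in this example).
ATTR_NAMES = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-ID"}
ACCESS_ACCEPT = 2


def parse_attributes(packet: bytes) -> dict:
    """Return {attribute name: [raw values]} for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if not 20 <= length <= len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        name = ATTR_NAMES.get(a_type, f"Attr-{a_type}")
        attrs.setdefault(name, []).append(packet[pos + 2:pos + a_len])
        pos += a_len
    return attrs


def missing_from_new(old_reply: bytes, new_reply: bytes) -> list:
    """Attributes the old server returned that the new one omits or changes."""
    old, new = parse_attributes(old_reply), parse_attributes(new_reply)
    return sorted(n for n, v in old.items() if new.get(n) != v)


def build(code, ident, attrs):
    """Build a constructed sample packet (zeroed authenticator, test data only)."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + bytes(16) + body


# Constructed samples: the old server assigns VLAN 20 (assumed), the new server
# sends an Access-Accept with no attributes, as in the quoted log.
OLD_REPLY = build(ACCESS_ACCEPT, 105, [(64, b"\x00\x00\x00\x0d"),   # VLAN
                                       (65, b"\x00\x00\x00\x06"),   # IEEE-802
                                       (81, b"20")])
NEW_REPLY = build(ACCESS_ACCEPT, 105, [])

if __name__ == "__main__":
    print(missing_from_new(OLD_REPLY, NEW_REPLY))
```

An empty list means the two replies carry the same attributes with the same values; any names listed are what the new server's configuration still has to return.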