radiusd only sending a NAK after a retransmission
Jeremy M. Guthrie
jeremy.guthrie at cdw.com
Tue Apr 21 18:15:04 CEST 2009
We are having an issue with failed logins with FreeRADIUS. The problem is
that FreeRADIUS doesn't appear to actually send a RADIUS Reject until the
second authentication request comes in. I have an IOS Router authenticating
ssh logins against freeradius. In the example packets above, I am using a static
username/password in the users file. I see that if I enter the wrong
password, radiusd doesn't send a NAK until the IOS router transmits the
request. There are not any delay issues with ACKs coming out of freeradius.
TCP Dump output:
10:38:22.703456 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008371 IP 172.16.1.8.1645 > 172.16.2.60.1645: RADIUS, Access Request (1), id: 0xf1 length: 103
10:38:38.008588 IP 172.16.2.60.1645 > 172.16.1.8.1645: RADIUS, Access Reject (3), id: 0xf1 length: 20
Does this sound familiar to anyone? Ideas?
--
--------------------------------------------------
Jeremy M. Guthrie jeremy.guthrie at cdw.com
Hosting and Managed Services
Managed Cisco Security Services
Technical Architect Phone: 608-298-1061
CDW Fax: 608-288-3007
5520 Research Park Drive NOC: 608-298-1102
Madison, WI 53711 NOC Email: hmshelp at cdw.com