Freeradius Isn't Listening
Stefan Winter
stefan.winter at restena.lu
Mon Mar 29 09:41:21 CEST 2010
Hi,
> *PROBLEM*
>
> The problem I'm having is that when I run Freeradius (in production or
> debug mode), my Cisco AS5400 is unable to connect to the freeradius
> server. When I do a netstat -a on my freeradius server, I see no
> connections listening on ports 1812 and 1813 (which freeradius should
> be listening on).
It listens just fine: your netstat shows
udp 0 0 *:radius *:*
udp 0 0 *:radius-acct *:*
You wouldn't believe it, but the IANA assigned port for "radius" is 1812
and "radius-acct" is 1813. It is BTW also what your FreeRADIUS debug says:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Ready to process requests.
So absolutely no problem here. If your server doesn't get any packets,
then either the AS5400 isn't sending any, or there is indeed a firewall
or other middlebox preventing the traffic from reaching your server.
> I believe that once this problem has been resolved, my setup will work
> correctly:
>
> 1. Call comes into my Cisco AS5400.
> 2. Cisco AS5400 sends accounting requests to my freeradius server.
> 3. Freeradius server performs a MySQL query to my MySQL database.
> 4. Caller hangs up.
> 5. Cisco AS5400 sends an accounting request to my freeradius server.
> 6. Freeradius server performs a MySQL update to my MySQL database,
> thus ending the transaction.
That's what many people do, including myself. It works fine, if the
accounting packets actually reach the server :-)
> And that my server is on a public IP (our radius server is hosted in
> the rackspace cloud, no firewall or anything as far as I know).
Maybe the "as far as I know" constitutes a problem here? Find out with
"tcpdump udp port 1813" if there is any accounting traffic reaching your
box.
Greetings,
Stefan Winter
> *CISCO SETUP*
>
> As I mentioned earlier, my freeradius *client* in this setup is my
> Cisco AS5400. When I have radius debugging turned on, on my cisco,
> here is some debugging output from a call. As you can see, it says
> that the server is not online. When I make calls, I see no activity in
> my freeradius debug window. So it seems that the packets aren't
> getting to freeradius from my cisco.
>
> *Jan 2 08:47:02.895: AAA/BIND(00000190): Bind i/f Serial7/0:15:23
> *Jan 2 08:47:02.899: AAA/BIND(00000191): Bind i/f
> *Jan 2 08:47:02.903: RADIUS/ENCODE(00000191):Orig. component type = VOICE
> *Jan 2 08:47:02.903: RADIUS(00000191): Config NAS IP: 0.0.0.0
> *Jan 2 08:47:02.903: RADIUS(00000191): sending
> *Jan 2 08:47:02.903: RADIUS/ENCODE: Best Local IP-Address 10.0.2.1
> for Radius-Server xx.xx.xx.xx
>
> *Jan 2 08:47:02.907: RADIUS(00000191): Send Accounting-Request
> to xx.xx.xx.xx:1813 id 1646/154, len 128
>
> *Jan 2 08:47:02.907: RADIUS: authenticator 5A 66 34 6D 47 00 B7 9E -
> BD 76 22 42 14 B6 A1 59
>
> *Jan 2 08:47:02.907: RADIUS: Acct-Session-Id [44] 18
> "0200000000000253"
> *Jan 2 08:47:02.907: RADIUS: Calling-Station-Id [31] 12
> "8182179228"
> *Jan 2 08:47:02.907: RADIUS: Called-Station-Id [30] 12
> "2172386245"
> *Jan 2 08:47:02.907: RADIUS: User-Name [1] 12
> "8182179228"
> *Jan 2 08:47:02.907: RADIUS: Acct-Status-Type [40] 6 Start
> [1]
> *Jan 2 08:47:02.907: RADIUS: NAS-Port-Type [61] 6 Async
> [0]
> *Jan 2 08:47:02.907: RADIUS: NAS-Port [5] 6 0
>
> *Jan 2 08:47:02.907: RADIUS: NAS-Port-Id [87] 18 "ISDN
> 7/7:15:D:24"
> *Jan 2 08:47:02.907: RADIUS: Service-Type [6] 6 Login
> [1]
> *Jan 2 08:47:02.907: RADIUS: NAS-IP-Address [4] 6 10.0.2.1
>
> *Jan 2 08:47:02.907: RADIUS: Acct-Delay-Time [41] 6 0
>
> *Jan 2 08:47:07.655: RADIUS: acct-timeout for 4012ECE4 now 5,
> acct-jitter 4294967295, acct-delay-time (at 4012ED5E) now 4
>
> *Jan 2 08:47:07.655: RADIUS: no sg in radius-timers: ctx 0x66F7FB78
> sg 0x0000
> *Jan 2 08:47:07.655: RADIUS: Retransmit to (xx.xx.xx.xx:1812,1813)
> for id 1646/155
> *Jan 2 08:47:12.687: RADIUS: acct-timeout for 4012ECE4 now 9,
> acct-jitter 0, acct-delay-time (at 4012ED5E) now 9
>
> *Jan 2 08:47:12.687: RADIUS: no sg in radius-timers: ctx 0x66F7FB78
> sg 0x0000
> *Jan 2 08:47:12.687: RADIUS: Retransmit to (xx.xx.xx.xx:1812,1813)
> for id 1646/156
> *Jan 2 08:47:14.947: RADIUS/ENCODE(00000191):Orig. component type =
> VOICE
> *Jan 2 08:47:14.947: RADIUS(00000191): Config NAS IP: 0.0.0.0
>
> *Jan 2 08:47:14.947: RADIUS(00000191): sending
>
> *Jan 2 08:47:14.951: RADIUS/ENCODE: Best Local
> IP-Address xx.xx.xx.xx for Radius-Server xx.xx.xx.xx
>
> *Jan 2 08:47:14.951: RADIUS(00000191): Send Accounting-Request
> to xx.xx.xx.xx:1813 id 1646/157, len 158
>
> *Jan 2 08:47:14.951: RADIUS: authenticator 6F 5D 1E 4E CC 63 E0 A1 -
> 64 3B 75 46 FF 42 65 55
>
> *Jan 2 08:47:14.951: RADIUS: Acct-Session-Id [44] 18
> "0200000000000253"
> *Jan 2 08:47:14.951: RADIUS: Calling-Station-Id [31] 12
> "8182179228"
> *Jan 2 08:47:14.951: RADIUS: Called-Station-Id [30] 12
> "2172386245"
> *Jan 2 08:47:14.951: RADIUS: Acct-Input-Octets [42] 6 94880
>
> *Jan 2 08:47:14.951: RADIUS: Acct-Output-Octets [43] 6 95520
>
> *Jan 2 08:47:14.951: RADIUS: Acct-Input-Packets [47] 6 593
>
> *Jan 2 08:47:14.951: RADIUS: Acct-Output-Packets [48] 6 597
>
> *Jan 2 08:47:14.951: RADIUS: Acct-Session-Time [46] 6 12
>
> *Jan 2 08:47:14.951: RADIUS: User-Name [1] 12 "8182179228"
> *Jan 2 08:47:14.951: RADIUS: Acct-Status-Type [40] 6 Stop
> [2]
> *Jan 2 08:47:14.951: RADIUS: NAS-Port-Type [61] 6 Async
> [0]
> *Jan 2 08:47:14.951: RADIUS: NAS-Port [5] 6 0
> *Jan 2 08:47:14.951: RADIUS: NAS-Port-Id [87] 18 "ISDN
> 7/7:15:D:24"
> *Jan 2 08:47:14.951: RADIUS: Service-Type [6] 6 Login
> [1]
> *Jan 2 08:47:14.951: RADIUS: NAS-IP-Address [4] 6 10.0.2.1
> *Jan 2 08:47:14.951: RADIUS: Acct-Delay-Time [41] 6 0
> *Jan 2 08:47:17.559: RADIUS: acct-timeout for 4012ECE4 now 14,
> acct-jitter 0, acct-delay-time (at 4012ED5E) now 14
> *Jan 2 08:47:17.559: RADIUS: no sg in radius-timers: ctx 0x66F7FB78
> sg 0x0000
> *Jan 2 08:47:17.559: RADIUS: Retransmit to (xx.xx.xx.xx:1812,1813)
> for id 1646/158
> *Jan 2 08:47:19.871: RADIUS: acct-timeout for 4013486C now 5,
> acct-jitter 4294967295, acct-delay-time (at 40134904) now 4
> *Jan 2 08:47:19.871: RADIUS: no sg in radius-timers: ctx 0x67045494
> sg 0x0000
> *Jan 2 08:47:19.871: %RADIUS-4-RADIUS_DEAD: RADIUS
> server xx.xx.xx.xx:1812,1813 is not responding.
> *Jan 2 08:47:19.871: %RADIUS-4-RADIUS_ALIVE: RADIUS
> server xx.xx.xx.xx:1812,1813 has returned.
> *Jan 2 08:47:19.871: RADIUS: Retransmit to (xx.xx.xx.xx:1812,1813)
> for id 1646/159
> *Jan 2 08:47:22.527: RADIUS: acct-timeout for 4012ECE4 now 19,
> acct-jitter 0, acct-delay-time (at 4012ED5E) now 19
> *Jan 2 08:47:22.527: RADIUS: no sg in radius-timers: ctx 0x66F7FB78
> sg 0x0000
> *Jan 2 08:47:22.527: RADIUS: No response from (xx.xx.xx.xx:1812,1813)
> for id 1646/158
> *Jan 2 08:47:22.527: RADIUS/DECODE: No response from radius-server;
> parse response; FAIL
> *Jan 2 08:47:22.527: RADIUS/DECODE: Case error(no response/ bad
> packet/ op decode);parse response; FAIL
> *Jan 2 08:47:24.903: RADIUS: acct-timeout for 4013486C now 9,
> acct-jitter 0, acct-delay-time (at 40134904) now 9
> *Jan 2 08:47:24.903: RADIUS: no sg in radius-timers: ctx 0x67045494
> sg 0x0000
> *Jan 2 08:47:24.903: RADIUS: Retransmit to (173.203.117.112:1812,1813)
> for id 1646/161
> *Jan 2 08:47:29.415: RADIUS: acct-timeout for 4013486C now 14,
> acct-jitter 0, acct-delay-time (at 40134904) now 14
> *Jan 2 08:47:29.415: RADIUS: no sg in radius-timers: ctx 0x67045494
> sg 0x0000
> *Jan 2 08:47:29.415: RADIUS: Retransmit to (xx.xx.xx.xx:1812,1813)
> for id 1646/162
> *Jan 2 08:47:34.415: RADIUS: acct-timeout for 4013486C now 19,
> acct-jitter 0, acct-delay-time (at 40134904) now 19
> *Jan 2 08:47:34.415: RADIUS: no sg in radius-timers: ctx 0x67045494
> sg 0x0000
> *Jan 2 08:47:34.415: RADIUS: No response from (xx.xx.xx.xx:1812,1813)
> for id 1646/162
> *Jan 2 08:47:34.415: RADIUS/DECODE: No response from radius-server;
> parse response; FAIL
> *Jan 2 08:47:34.415: RADIUS/DECODE: Case error(no response/ bad
> packet/ op decode);parse response; FAIL
>
> *HELP!*
>
> OK, so sorry for this terribly long email, but I hope that this has
> provided enough information for you guys to help me debug what the
> heck is going wrong here. I've spent tons of hours trying to resolve
> this to no avail. I'm out of ideas.
>
> Thanks so much for all of your help, this has been a really irritating
> and frustrating experience. I'm hoping that if anyone else has the
> same problem, this thread may help them later on.
>
> Thanks!
>
> -Randall
--
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
Tel: +352 424409 1
Fax: +352 422473
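
The triage in the reply above, as an added example that is not part of the original message: read netstat output whether it prints service names or numbers, count what the NAS debug says it sent, and combine both with what "tcpdump udp port 1813" showed on the server. Function names, the sample text, the address 192.0.2.10 and the packets_seen parameter (the number of packets tcpdump displayed) are assumptions made for illustration.

```python
# Added example; all names and sample data here are constructed/hypothetical.
RADIUS_SERVICES = {"radius": 1812, "radius-acct": 1813}  # ports as stated in the reply
MARKERS = {"sent": "Send Accounting-Request",
           "retransmit": "RADIUS: Retransmit to",
           "no_response": "RADIUS: No response from"}

# Constructed netstat output in the shape quoted in the thread (no -n flag).
SAMPLE_NETSTAT = """\
udp        0      0 *:radius        *:*
udp        0      0 *:radius-acct   *:*
udp        0      0 *:ntp           *:*
tcp        0      0 *:ssh           *:*      LISTEN
"""
# Constructed Cisco debug lines; 192.0.2.10 is a documentation placeholder.
SAMPLE_NAS_DEBUG = """\
*Jan 2 08:47:02.907: RADIUS(00000191): Send Accounting-Request to 192.0.2.10:1813 id 1646/154, len 128
*Jan 2 08:47:07.655: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1646/155
*Jan 2 08:47:12.687: RADIUS: Retransmit to (192.0.2.10:1812,1813) for id 1646/156
*Jan 2 08:47:22.527: RADIUS: No response from (192.0.2.10:1812,1813) for id 1646/158
"""

def radius_udp_listeners(netstat_text):
    """Map port -> local address for UDP sockets on 1812/1813, accepting
    either a numeric port or the service name netstat prints without -n."""
    found = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        host, _, port = fields[3].rpartition(":")
        number = int(port) if port.isdigit() else RADIUS_SERVICES.get(port)
        if number in RADIUS_SERVICES.values():
            found[number] = host
    return found

def nas_send_summary(debug_text):
    """Count sends, retransmits and give-ups reported by the NAS debug."""
    counts = dict.fromkeys(MARKERS, 0)
    for line in debug_text.splitlines():
        for key, marker in MARKERS.items():
            if marker in line:
                counts[key] += 1
    return counts

def diagnose(listeners, nas, packets_seen):
    """packets_seen: packets shown by 'tcpdump udp port 1813' on the server."""
    if 1813 not in listeners:
        return "server is not bound to UDP 1813"
    if nas["sent"] == 0:
        return "NAS is not sending accounting requests"
    if packets_seen == 0:
        return "listening and NAS sending, nothing arrives: check firewall or middlebox"
    return "packets arrive: continue in the FreeRADIUS debug output"
```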