FreeRadius authentication problems
Primož Marinšek
pmtelos at gmail.com
Mon Dec 3 14:20:16 CET 2012
I know a little about Ruckus. Can you SSH to the ZD and input the following
enable
show aaa
show wlan
and send me the output directly. Maybe there is something strange there.
Also tell me which FW you are using and which OS the client is using
(tell me which SP if Windows)
Regards
On 3 December 2012 12:30, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>>
>> ++[pap] returns noop
>> Found Auth-Type = Accept
>> Auth-Type = Accept, accepting the user
>>
>> # Executing section post-auth from file /etc/freeradius/sites-enabled/default
>> +- entering group post-auth {...}
>> ++[exec] returns noop
>> Sending Access-Accept of id 9 to 192.168.154.12 port 1065
>> Finished request 0.
>> Going to the next request
>> Waking up in 4.9 seconds.
>> Cleaning up request 0 ID 9 with timestamp +7
>> Ready to process requests.
>>
>>
>> I followed the plain mac auth guide to get this far, and the system sort of works, but not quite. So the configs must be out of whack somehow, but since radius doesn't give any debug info when I get booted out of the network I'm at a loss here. Any help?
>
> If you're not seeing any information in the FreeRADIUS debug, then the Ruckus controller isn't sending anything. If you enable RADIUS accounting on the Ruckus you *may* get an Accounting-Request with the Acct-Terminate-Cause, which may give you a clue as to what's happening.
>
> First though I would enable debugging logs on the controller to see if it's complaining about the Access-Accept coming back, it may be missing some attributes that the Ruckus controller needs.
>
> I'd also verify the Access-Accept is actually reaching the controller (maybe dodgy routing).
>
> It may also be that the Ruckus requires a Message-Authenticator in the Access-Accept, in which case inserting:
>
> update reply {
>     Message-Authenticator = 0x00
> }
>
> Should trigger its generation.
>
> I'd also try:
>
> update reply {
>     Service-Type = Framed-User
> }
>
> (some NAS require a service type).
>
> The delay suggests that the Ruckus may be discarding the responses from the RADIUS server, or never actually received the response. Do you see the request sent multiple times?
>
> -Arran
--
Primož Marinšek
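
An added example, not part of the original thread or of FreeRADIUS itself: to test the theory in the quoted reply that the NAS discards the Access-Accept, this Python sketch checks the Response Authenticator and the Message-Authenticator (RFC 2865 / RFC 2869) of a captured reply. The function names, the shared secret and the Request Authenticator are constructed for illustration; with a real capture, pass the raw UDP payload of the reply and the 16-byte authenticator from the matching Access-Request.

```python
import hashlib, hmac, struct

MSG_AUTH = 80  # Message-Authenticator attribute type (RFC 2869)

def attributes(packet):
    """Yield (type, value_offset, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet) or packet[pos + 1] < 2 or pos + packet[pos + 1] > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield packet[pos], pos + 2, packet[pos + 2:pos + packet[pos + 1]]
        pos += packet[pos + 1]

def check_reply(reply, request_auth, secret):
    """Verify both integrity fields of an Access-Accept/Reject/Challenge."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        raise ValueError("length field does not match packet size")
    # Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)
    digest = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    result = {"response_authenticator": hmac.compare_digest(digest, reply[4:20]),
              "message_authenticator": "absent"}
    for atype, off, value in attributes(reply):
        if atype == MSG_AUTH and len(value) == 16:
            # HMAC-MD5 over the packet with the Request Authenticator in the
            # header and the attribute's own 16 value bytes set to zero.
            zeroed = reply[:4] + request_auth + reply[20:off] + bytes(16) + reply[off + 16:]
            mac = hmac.new(secret, zeroed, hashlib.md5).digest()
            ok = hmac.compare_digest(mac, value)
            result["message_authenticator"] = "valid" if ok else "invalid"
    return result

def build_accept(ident, request_auth, secret, with_msg_auth):
    """Construct a sample Access-Accept (code 2) for the checks below."""
    attrs = struct.pack("!BBI", 6, 6, 2)  # Service-Type = Framed-User
    if with_msg_auth:
        attrs += bytes([MSG_AUTH, 18]) + bytes(16)  # placeholder, zero-filled
    head = struct.pack("!BBH", 2, ident, 20 + len(attrs))
    if with_msg_auth:
        attrs = attrs[:-16] + hmac.new(secret, head + request_auth + attrs, hashlib.md5).digest()
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs

# Constructed sample values, not taken from the thread's capture.
SECRET = b"testing123"
REQUEST_AUTH = bytes(range(16))

if __name__ == "__main__":
    for with_ma in (False, True):
        print(with_ma, check_reply(build_accept(9, REQUEST_AUTH, SECRET, with_ma), REQUEST_AUTH, SECRET))
```

A reply that reports `message_authenticator: absent` is the case the suggested `update reply` block addresses; a failed `response_authenticator` points instead at a shared-secret mismatch between server and NAS.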