FreeRADIUS allows connections locally, but not remotely
Alan DeKok
aland at deployingradius.com
Tue Dec 29 03:07:26 CET 2015
On Dec 28, 2015, at 7:59 PM, Ernie Dunbar <maillist at lightspeed.ca> wrote:
> Okay, fair enough. I've made some changes to the FreeRADIUS configuration with respect to the listening port and IP address, and I've added a new "client" for remote testing. Here's the redacted client configuration, according to FreeRADIUS' debug output.
...
> And for each unsuccessful attempt, I get this output from FreeRADIUS:
>
> Ignoring request to authentication address 206.XXX.XX.4 port 1812 from unknown client 206.XXX.XX.205 port 47980
You did't list that IP as a known client.
> Ok, Fair enough. Those attempts are coming through this server's other IP address (206.XXX.XX.205) to its other IP address (206.XXX.XX.4). It's pretty clear that packets are reaching the FreeRADIUS daemon, it's just rejecting them because this other IP address isn't in the clients configuration. No problem, I switch to another Linux box that *does* have its IP address configured in the clients:
Yes.
> And I get this output from the RADIUS server:
>
> Ready to process requests.
> Ready to process requests.
> Ready to process requests.
>
>
> Each time "Ready to process requests" comes up in the console, is exactly timed to a new Access-Request from the radtest client at 65.XX.XXX.178.
Which means that the server didn't receive a RADIUS packet. It got a *UDP* packet, but not a well formed RADIUS one.
> It's not much output, but it appears to demonstrate that FreeRADIUS is accepting the connection over the network and then... doing nothing. If it does do something, it doesn't produce any output. It certainly doesn't complain about a connection coming from an incorrect host, or return a message about how it's correctly authenticated the user or denied the authentication request.
It's not complaining about bad packets by design. Anyone can send non-RADIUS packets via UDP. Even the "unknown client" messages are rate limited in later versions of the server.
> I don't know what to make of this, but I don't think it's a network problem. There are also other servers on this physical machine that are working just fine (like ssh and apache, for example).
They're TCP. Not UDP.
> Also, I've correctly configured the 206.XXX.XX.205 IP address as a client, and then gotten the radtest program to successfully connect and authenticate. Installing the client on another, separate physical machine which exists on the same network switch and class C at 206.XXX.XX.0/24 also results in the same result as connections from our office at 65.XX.XXX.178.
It's a networking problem. You've demonstrated that FreeRADIUS can send and receive UDP packets. But something is preventing the packets from reaching the server.
You could try running a more recent version of the server. But I doubt it would help.
Alan DeKok.
More information about the Freeradius-Users
mailing list