3.0.6: all good :-)
Anil Thapa
anilth at hi.is
Thu Jan 8 15:38:12 CET 2015
On 01/05/2015 09:32 AM, A.L.M.Buxey at lboro.ac.uk wrote:
> Hi,
>
>> Shared secret are correct and does arrive the traffic to 10.1.1.1
>> server (Centos 6, Freeradius 2.1.12). But I still get in my logs
>> server is dead.
> ..and what do the logs show on 10.1.1.1 ? is this client allowed to
> talk to the server running (not just in clients.conf - do the packets
> get through any firewall?) - where does the traffic FROM that server
> go to? (it might be that the replies are being sent out the wrong
> interface and thus never getting back to you).
>
> we arent mind readers - we need all the debug/output/views that you see
> if you want us to help.
>
> alan
> -
Hi Alan,
I did some tests yesterday and still no luck. Here is my scenario.
I have a FreeRADIUS server installed on FreeBSD from ports, version 3.0.4.
This server has multiple IP addresses on its interface:
10.128.1.1
10.128.1.2 (primary IP address of the host)
FreeRADIUS is bound to the 10.128.1.1 address, which I configured in the
listen section of /usr/local/etc/raddb/sites-enabled/default
(ipaddr = 10.128.1.1), and I verified FreeRADIUS is listening on this IP address:
host$:/home/anilth # sockstat -4 |grep radius
root radiusd 19692 7 udp4 127.0.0.1:18120 *:*
root radiusd 19692 8 udp4 10.128.1.1:1812 *:*
root radiusd 19692 9 udp4 10.128.1.1:1813 *:*
root radiusd 19692 10 udp4 *:38044 *:*
root radiusd 19692 13 udp4 *:60477 *:*
I have turned off the firewall on all of these testing environments to avoid
firewall issues, and the shared secrets are correct.
This server should proxy, if the realm is future.edu, to the remote FreeRADIUS
server 10.1.1.1 (installed on CentOS).
So when I perform the test from one of my test clients (192.168.5.1) with the
eapol_test tool, tcpdump shows this:
No.   Time       Source       Destination  Protocol  Length  Info
455   2.415158   192.168.5.1  10.128.1.1   RADIUS    176     Access-Request(1) (id=0, l=134)
507   2.415990   10.128.1.2   10.1.1.1     RADIUS    185     Access-Request(1) (id=200, l=143)
595   5.416455   192.168.5.1  10.128.1.1   RADIUS    176     Access-Request(1) (id=0, l=134), Duplicate Request ID:0
865   11.417648  192.168.5.1  10.128.1.1   RADIUS    176     Access-Request(1) (id=0, l=134)
1536  23.418787  192.168.5.1  10.128.1.1   RADIUS    176     Access-Request(1) (id=0, l=134)
2231  39.402951  10.128.1.1   192.168.5.1  RADIUS    86      Access-Reject(3) (id=0, l=44)
So, looking at the tcpdump, the server received the request on 10.128.1.1
from the client 192.168.5.1, but when it is proxying to the remote server it
uses its primary address 10.128.1.2. Here is the radiusd -X output:
Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
Listening on auth address 10.128.1.1 port 1812 as server default
Listening on acct address 10.128.1.1 port 1813 as server default
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 45789
Ready to process requests
Received Access-Request Id 0 from 192.168.5.1:50874 to 10.128.1.1:1812
length 134
User-Name = 'anilth@future.edu'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000012016e656d616e64694068692e6973
Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) Received Access-Request packet from host 192.168.5.1 port 50874,
id=0, length=134
(0) User-Name = 'anilth@future.edu'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000012016e656d616e64694068692e6973
(0) Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default
(0) authorize {
(0) [preprocess] = ok
(0) auth_log : EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d
(0) auth_log : --> /var/log/radacct/192.168.5.1/auth-detail-20150107
(0) auth_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/auth-detail-%Y%m%d expands to /var/log/radacct/192.168.5.1/auth-detail-20150107
(0) auth_log : EXPAND %t
(0) auth_log : --> Wed Jan 7 12:17:23 2015
(0) [auth_log] = ok
(0) [chap] = noop
(0) [mschap] = noop
(0) suffix : Checking for suffix after "@"
(0) suffix : Looking up realm "future.edu" for User-Name = "anilth@future.edu"
(0) suffix : Found realm "future.edu"
(0) suffix : Adding Realm = "future.edu"
(0) suffix : Proxying request from user anilth@future.edu to realm future.edu
(0) suffix : Preparing to proxy authentication request to realm "future.edu"
(0) [suffix] = updated
(0) eap : Request is supposed to be proxied to Realm future.edu. Not doing EAP.
(0) [eap] = noop
(0) [files] = noop
(0) [expiration] = noop
(0) [logintime] = noop
(0) [pap] = noop
(0) } # authorize = updated
(0) # Executing section pre-proxy from file /usr/local/etc/raddb/sites-enabled/default
(0) pre-proxy {
(0) operator-name.pre-proxy operator-name.pre-proxy {
(0) if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}")
(0) EXPAND %{request:Packet-Type}
(0) --> Access-Request
(0) Client does not contain config item "Operator-Name"
(0) EXPAND %{client:Operator-Name}
(0) -->
(0) if (("%{request:Packet-Type}" == 'Access-Request') && "%{client:Operator-Name}") -> FALSE
(0) } # operator-name.pre-proxy operator-name.pre-proxy = noop
(0) pre_proxy_log : EXPAND /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d
(0) pre_proxy_log : --> /var/log/radacct/192.168.5.1/pre-proxy-detail-20150107
(0) pre_proxy_log : /var/log/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/pre-proxy-detail-%Y%m%d expands to /var/log/radacct/192.168.5.1/pre-proxy-detail-20150107
(0) pre_proxy_log : EXPAND %t
(0) pre_proxy_log : --> Wed Jan 7 12:17:23 2015
(0) [pre_proxy_log] = ok
(0) } # pre-proxy = ok
Opening new proxy socket 'proxy address * port 0'
Listening on proxy address * port 18809
(0) Proxying request to home server 10.1.1.1 port 1812 timeout 30.000000
(0) Sending Access-Request packet to host 10.1.1.1 port 1812, id=78, length=0
(0) User-Name = 'anilth@future.edu'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000012016e656d616e64694068692e6973
(0) Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
(0) Realm = 'future.edu'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 78 from 0.0.0.0:18809 to 10.1.1.1:1812
User-Name = 'anilth@future.edu'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000012016e656d616e64694068692e6973
Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
Proxy-State = 0x30
Waking up in 0.3 seconds.
Waking up in 0.1 seconds.
(0) Expecting proxy response no later than 29.490859 seconds from now
Waking up in 29.4 seconds.
Received Access-Request Id 0 from 192.168.5.1:50874 to 10.128.1.1:1812
length 134
(0) Sending duplicate proxied request to home server 10.1.1.1 port 1812 - ID: 78
(0) Sending Access-Request packet to host 10.1.1.1 port 1812, id=78, length=143
(0) User-Name = 'anilth@future.edu'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000012016e656d616e64694068692e6973
(0) Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
(0) Realm = 'future.edu'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 78 from 0.0.0.0:18809 to 10.1.1.1:1812
User-Name = 'anilth@future.edu'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000012016e656d616e64694068692e6973
Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
Proxy-State = 0x30
Waking up in 26.9 seconds.
Received Access-Request Id 0 from 192.168.5.1:50874 to 10.128.1.1:1812
length 134
(0) Sending duplicate proxied request to home server 10.1.1.1 port 1812 - ID: 78
(0) Sending Access-Request packet to host 10.1.1.1 port 1812, id=78, length=143
(0) User-Name = 'anilth@future.edu'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000012016e656d616e64694068692e6973
(0) Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
(0) Realm = 'future.edu'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 78 from 0.0.0.0:18809 to 10.1.1.1:1812
User-Name = 'anilth@future.edu'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000012016e656d616e64694068692e6973
Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
Proxy-State = 0x30
Waking up in 20.9 seconds.
Received Access-Request Id 0 from 192.168.5.1:50874 to 10.128.1.1:1812
length 134
(0) Sending duplicate proxied request to home server 10.1.1.1 port 1812 - ID: 78
(0) Sending Access-Request packet to host 10.1.1.1 port 1812, id=78, length=143
(0) User-Name = 'anilth@future.edu'
(0) NAS-IP-Address = 127.0.0.1
(0) Calling-Station-Id = '02-00-00-00-00-01'
(0) Framed-MTU = 1400
(0) NAS-Port-Type = Wireless-802.11
(0) Connect-Info = 'CONNECT 11Mbps 802.11b'
(0) EAP-Message = 0x02000012016e656d616e64694068692e6973
(0) Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
(0) Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
(0) Realm = 'future.edu'
(0) EAP-Type = Identity
(0) Proxy-State = 0x30
Sending Access-Request Id 78 from 0.0.0.0:18809 to 10.1.1.1:1812
User-Name = 'anilth@future.edu'
NAS-IP-Address = 127.0.0.1
Calling-Station-Id = '02-00-00-00-00-01'
Framed-MTU = 1400
NAS-Port-Type = Wireless-802.11
Connect-Info = 'CONNECT 11Mbps 802.11b'
EAP-Message = 0x02000012016e656d616e64694068692e6973
Message-Authenticator = 0x32685b88c77e2d89135de62dbf37c138
Event-Timestamp = 'Jan 7 2015 12:17:23 GMT'
Proxy-State = 0x30
Waking up in 8.9 seconds.
(0) No proxy response, giving up on request and marking it done
Marking home server 10.1.1.1 port 1812 as zombie (it has not responded in 30.000000 seconds).
(0) ERROR: Failing proxied request, due to lack of any response from home server 10.1.1.1 port 1812
So, it looks like when it proxies to the remote RADIUS server it uses its
primary address 10.128.1.2 rather than 10.128.1.1, which is the address that
is actually bound for RADIUS. My question is: does the FreeRADIUS server have
to be running on the primary address of the interface? Probably not! Or am I
doing something wrong? Or how do I tell the radiusd server to use the same IP
address that is bound when proxying the request as well?
Here are my interface details on the FreeBSD server:
igb4: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=403bb<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU,VLAN_HWCSUM,TSO4,TSO6,VLAN_HWTSO>
ether 50:a2:a9:e0:59:fe
inet 10.128.1.2 netmask 0xffffff00 broadcast 10.128.1.255
inet 10.128.1.1 netmask 0xffffffff broadcast 10.128.1.1
nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
media: Ethernet autoselect (1000baseT <full-duplex>)
status: active
Any help on this would be appreciated.
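The debug output above shows why the proxied packets leave from 10.128.1.2: the proxy socket is opened as 'proxy address * port 0' and the request is sent "from 0.0.0.0:18809", so the kernel picks the interface's primary address as the source. The home server identifies a client by source IP plus shared secret, so if its clients.conf names 10.128.1.1 it will silently drop packets arriving from 10.128.1.2. The configuration below is an added example, not part of the original post or of the FreeRADIUS distribution; it uses the addresses from the post, while the home_server/pool names, the secret, and the /etc/raddb path on the CentOS side are assumptions. Both FreeRADIUS mechanisms shown (an explicit proxy listener, and src_ipaddr on the home_server) exist in 3.0.x; the per-home-server src_ipaddr is the more targeted one, and either is enough on its own.

```conf
# --- FreeBSD proxy (FreeRADIUS 3.0.4) ---

# /usr/local/etc/raddb/radiusd.conf (or sites-enabled/default):
# give the proxy socket a fixed source address instead of "* port 0".
listen {
    type   = proxy
    ipaddr = 10.128.1.1
    port   = 0          # 0 = OS picks the UDP port, but always from 10.128.1.1
}

# /usr/local/etc/raddb/proxy.conf: pin the source address per home server.
# "future_edu_home", "future_edu_pool" and the secret are assumed names/values.
home_server future_edu_home {
    type       = auth
    ipaddr     = 10.1.1.1
    port       = 1812
    secret     = ChangeMeToTheRealSharedSecret   # assumption: must match clients.conf on 10.1.1.1
    src_ipaddr = 10.128.1.1                      # source address for packets to this home server
}

home_server_pool future_edu_pool {
    type        = fail-over
    home_server = future_edu_home
}

realm future.edu {
    auth_pool = future_edu_pool
}

# --- CentOS home server 10.1.1.1 (FreeRADIUS 2.1.12) ---

# /etc/raddb/clients.conf (path assumed): the client entry must name the
# source address the home server actually sees, which after the change
# above is 10.128.1.1. Pin a single host rather than a /24 so that only
# the proxy, not every host on 10.128.1.0/24, can talk to this server.
client freebsd_proxy {
    ipaddr = 10.128.1.1
    secret = ChangeMeToTheRealSharedSecret   # assumption: same value as above
}
```

After restarting radiusd on the FreeBSD box, `sockstat -4 | grep radius` should list the proxy socket on 10.128.1.1 instead of `*`, and `radiusd -X` should print "Listening on proxy address 10.128.1.1 port ..." and "Sending Access-Request Id ... from 10.128.1.1:..." rather than "from 0.0.0.0:...". To confirm which source address the home server is seeing, run `radiusd -X` on 10.1.1.1 as Alan suggested: a packet from an address that is not in clients.conf is logged as "Ignoring request to auth address ... from unknown client <address> port <port>", and that address is the one the client entry must carry.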