FreeRadius ignoring authentication requests

Jorge Pereira jpereira at freeradius.org
Thu Jul 9 13:43:26 CEST 2020


If the radiusd is not receiving packets. But, the radsniff is seeing the requests. Probably is because something is _filtering_. Have you checked your firewall?
---
Jorge Pereira
jpereira at freeradius.org





> On 9 Jul 2020, at 02:45, Marcelito de Guzman <marzzz21 at gmail.com> wrote:
> 
> Good Day,
> 
> Our FreeRadius server seems to be ignoring authentication requests. I
> confirmed that the requests are being received via `radsniff -i en18`:
> Access-Request Id 187 40.231.3.9:54182 -> 10.129.1.5:1812 +2222.346
> User-Name = "bob"
> User-Password = "ٞP\322\n\159\34175\760\376%\250\366x\402"
> NAS-Identifier = "cor1"
> Calling-Station-Id = "10.129.1.20"
> NAS-IP-Address = 40.231.3.9
> 
> However, `radiusd -X` doesn't show that it's processing it. What is
> the plausible cause for this?
> 
> radiusd -X:
> radiusd: FreeRADIUS Version 2.2.6, for host x86_64-redhat-linux-gnu,
> built on Sep 22 2015 at 15:27:25
> Copyright (C) 1999-2013 The FreeRADIUS server project and contributors.
> There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
> PARTICULAR PURPOSE.
> You may redistribute copies of FreeRADIUS under the terms of the
> GNU General Public License.
> For more information about these matters, see the file named COPYRIGHT.
> Starting - reading configuration files ...
> including configuration file /etc/raddb/radiusd.conf
> including configuration file /etc/raddb/proxy.conf
> including configuration file /etc/raddb/clients.conf
> including files in directory /etc/raddb/modules/
> including configuration file /etc/raddb/modules/detail
> including configuration file /etc/raddb/modules/linelog
> including configuration file /etc/raddb/modules/echo
> including configuration file /etc/raddb/modules/replicate
> including configuration file /etc/raddb/modules/detail.log
> including configuration file /etc/raddb/modules/logintime
> including configuration file /etc/raddb/modules/policy
> including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
> including configuration file /etc/raddb/modules/dynamic_clients
> including configuration file /etc/raddb/modules/detail.example.com
> including configuration file /etc/raddb/modules/digest
> including configuration file /etc/raddb/modules/otp
> including configuration file /etc/raddb/modules/rediswho
> including configuration file /etc/raddb/modules/inner-eap
> including configuration file /etc/raddb/modules/sql_log
> including configuration file /etc/raddb/modules/attr_filter
> including configuration file /etc/raddb/modules/sradutmp
> including configuration file /etc/raddb/modules/radutmp
> including configuration file /etc/raddb/modules/counter
> including configuration file /etc/raddb/modules/preprocess
> including configuration file /etc/raddb/modules/mschap
> including configuration file /etc/raddb/modules/ippool
> including configuration file /etc/raddb/modules/soh
> including configuration file /etc/raddb/modules/perl
> including configuration file /etc/raddb/modules/passwd
> including configuration file /etc/raddb/modules/cache
> including configuration file /etc/raddb/modules/realm
> including configuration file /etc/raddb/modules/chap
> including configuration file /etc/raddb/modules/smsotp
> including configuration file /etc/raddb/modules/smbpasswd
> including configuration file /etc/raddb/modules/pap
> including configuration file /etc/raddb/modules/files
> including configuration file /etc/raddb/modules/mac2ip
> including configuration file /etc/raddb/modules/acct_unique
> including configuration file /etc/raddb/modules/wimax
> including configuration file /etc/raddb/modules/radrelay
> including configuration file /etc/raddb/modules/always
> including configuration file /etc/raddb/modules/expr
> including configuration file /etc/raddb/modules/dhcp_sqlippool
> including configuration file /etc/raddb/modules/pam
> including configuration file /etc/raddb/modules/etc_group
> including configuration file /etc/raddb/modules/expiration
> including configuration file /etc/raddb/modules/exec
> including configuration file /etc/raddb/modules/opendirectory
> including configuration file /etc/raddb/modules/attr_rewrite
> including configuration file /etc/raddb/modules/unix
> including configuration file /etc/raddb/modules/krb5
> including configuration file /etc/raddb/modules/redis
> including configuration file /etc/raddb/modules/checkval
> including configuration file /etc/raddb/modules/mac2vlan
> including configuration file /etc/raddb/modules/cui
> including configuration file /etc/raddb/modules/ntlm_auth
> including configuration file /etc/raddb/eap.conf
> including configuration file /etc/raddb/policy.conf
> including files in directory /etc/raddb/sites-enabled/
> including configuration file /etc/raddb/sites-enabled/control-socket
> including configuration file /etc/raddb/sites-enabled/default
> including configuration file /etc/raddb/sites-enabled/inner-tunnel
> main {
> user = "radiusd"
> group = "radiusd"
> allow_core_dumps = no
> }
> including dictionary file /etc/raddb/dictionary
> main {
> name = "radiusd"
> prefix = "/usr"
> localstatedir = "/var"
> sbindir = "/usr/sbin"
> logdir = "/var/log/radius"
> run_dir = "/var/run/radiusd"
> libdir = "/usr/lib64/freeradius"
> radacctdir = "/var/log/radius/radacct"
> hostname_lookups = no
> max_request_time = 30
> cleanup_delay = 5
> max_requests = 1024
> pidfile = "/var/run/radiusd/radiusd.pid"
> checkrad = "/usr/sbin/checkrad"
> debug_level = 0
> proxy_requests = yes
> log {
>  stripped_names = no
>  auth = no
>  auth_badpass = no
>  auth_goodpass = no
> }
> security {
>  max_attributes = 200
>  reject_delay = 1
>  status_server = yes
> }
> }
> radiusd: #### Loading Realms and Home Servers ####
> proxy server {
>  retry_delay = 5
>  retry_count = 3
>  default_fallback = no
>  dead_time = 120
>  wake_all_if_all_dead = no
> }
> home_server localhost {
>  ipaddr = 127.0.0.1
>  port = 1812
>  type = "auth"
>  secret = "testing123"
> response_window = 20.000000
>  response_timeouts = 1
>  max_outstanding = 65536
>  require_message_authenticator = yes
>  zombie_period = 40
>  status_check = "status-server"
>  ping_interval = 30
>  check_interval = 30
>  num_answers_to_alive = 3
>  num_pings_to_alive = 3
>  revive_interval = 120
>  status_check_timeout = 4
>  coa {
>  irt = 2
>  mrt = 16
>  mrc = 5
>  mrd = 30
>  }
> }
> home_server_pool my_auth_failover {
> type = fail-over
> home_server = localhost
> }
> realm example.com {
> auth_pool = my_auth_failover
> }
> realm LOCAL {
> }
> radiusd: #### Loading Clients ####
> client localhost {
>  ipaddr = 127.0.0.1
>  require_message_authenticator = no
>  secret = "testing123"
>  nastype = "other"
> }
> 
> client 10.129.1.1 {
>  require_message_authenticator = no
>  secret = "mysecret"
>  shortname = "device-test"
>  nastype = "cisco"
> }
> 
> radiusd: #### Instantiating modules ####
> instantiate {
> Module: Linked to module rlm_exec
> Module: Instantiating module "exec" from file /etc/raddb/modules/exec
>  exec {
>  wait = no
>  input_pairs = "request"
>  shell_escape = yes
>  timeout = 10
>  }
> Module: Linked to module rlm_expr
> Module: Instantiating module "expr" from file /etc/raddb/modules/expr
> Module: Linked to module rlm_expiration
> Module: Instantiating module "expiration" from file
> /etc/raddb/modules/expiration
>  expiration {
>  reply-message = "Password Has Expired  "
>  }
> Module: Linked to module rlm_logintime
> Module: Instantiating module "logintime" from file /etc/raddb/modules/logintime
>  logintime {
>  reply-message = "You are calling outside your allowed timespan  "
>  minimum-timeout = 60
>  }
> }
> radiusd: #### Loading Virtual Servers ####
> server { # from file
> modules {
>  Module: Creating Auth-Type = digest
>  Module: Creating Post-Auth-Type = REJECT
> Module: Checking authenticate {...} for more modules to load
> Module: Linked to module rlm_krb5
> Module: Instantiating module "krb5" from file /etc/raddb/modules/krb5
>  krb5 {
>  keytab = "/etc/krb5.keytab"
>  service_principal = "host/freeradius.foo.bar"
>  cache = yes
>  }
> rlm_krb5: krb5_init ok
> Module: Linked to module rlm_pap
> Module: Instantiating module "pap" from file /etc/raddb/modules/pap
>  pap {
>  encryption_scheme = "auto"
>  auto_header = no
>  }
> Module: Linked to module rlm_chap
> Module: Instantiating module "chap" from file /etc/raddb/modules/chap
> Module: Linked to module rlm_mschap
> Module: Instantiating module "mschap" from file /etc/raddb/modules/mschap
>  mschap {
>  use_mppe = yes
>  require_encryption = no
>  require_strong = no
>  with_ntdomain_hack = no
>  allow_retry = yes
>  }
> Module: Linked to module rlm_digest
> Module: Instantiating module "digest" from file /etc/raddb/modules/digest
> Module: Linked to module rlm_unix
> Module: Instantiating module "unix" from file /etc/raddb/modules/unix
>  unix {
>  radwtmp = "/var/log/radius/radwtmp"
>  }
> Module: Linked to module rlm_eap
> Module: Instantiating module "eap" from file /etc/raddb/eap.conf
>  eap {
>  default_eap_type = "md5"
>  timer_expire = 60
>  ignore_unknown_eap_types = no
>  cisco_accounting_username_bug = no
>  max_sessions = 1024
>  }
> Module: Linked to sub-module rlm_eap_md5
> Module: Instantiating eap-md5
> Module: Linked to sub-module rlm_eap_leap
> Module: Instantiating eap-leap
> Module: Linked to sub-module rlm_eap_gtc
> Module: Instantiating eap-gtc
>   gtc {
>    challenge = "Password: "
>    auth_type = "PAP"
>   }
> Module: Linked to sub-module rlm_eap_tls
> Module: Instantiating eap-tls
>   tls {
>    rsa_key_exchange = no
>    dh_key_exchange = yes
>    rsa_key_length = 512
>    dh_key_length = 512
>    verify_depth = 0
>    CA_path = "/etc/raddb/certs"
>    pem_file_type = yes
>    private_key_file = "/etc/raddb/certs/server.pem"
>    certificate_file = "/etc/raddb/certs/server.pem"
>    CA_file = "/etc/raddb/certs/ca.pem"
>    private_key_password = "whatever"
>    dh_file = "/etc/raddb/certs/dh"
>    fragment_size = 1024
>    include_length = yes
>    check_crl = no
>    cipher_list = "DEFAULT"
>    ecdh_curve = "prime256v1"
>    cache {
>    enable = no
>    lifetime = 24
>    max_entries = 255
>    }
>    verify {
>    }
>    ocsp {
>    enable = no
>    override_cert_url = yes
>    url = "http://127.0.0.1/ocsp/"
>    use_nonce = yes
>    timeout = 0
>    softfail = no
>    }
>   }
> Module: Linked to sub-module rlm_eap_ttls
> Module: Instantiating eap-ttls
>   ttls {
>    default_eap_type = "md5"
>    copy_request_to_tunnel = no
>    use_tunneled_reply = no
>    virtual_server = "inner-tunnel"
>    include_length = yes
>   }
> Module: Linked to sub-module rlm_eap_peap
> Module: Instantiating eap-peap
>   peap {
>    default_eap_type = "mschapv2"
>    copy_request_to_tunnel = no
>    use_tunneled_reply = no
>    proxy_tunneled_request_as_eap = yes
>    virtual_server = "inner-tunnel"
>    soh = no
>   }
> Module: Linked to sub-module rlm_eap_mschapv2
> Module: Instantiating eap-mschapv2
>   mschapv2 {
>    with_ntdomain_hack = no
>    send_error = no
>   }
> Module: Checking authorize {...} for more modules to load
> Module: Linked to module rlm_preprocess
> Module: Instantiating module "preprocess" from file
> /etc/raddb/modules/preprocess
>  preprocess {
>  huntgroups = "/etc/raddb/huntgroups"
>  hints = "/etc/raddb/hints"
>  with_ascend_hack = no
>  ascend_channels_per_line = 23
>  with_ntdomain_hack = no
>  with_specialix_jetstream_hack = no
>  with_cisco_vsa_hack = no
>  with_alvarion_vsa_hack = no
>  }
> reading pairlist file /etc/raddb/huntgroups
> reading pairlist file /etc/raddb/hints
> Module: Linked to module rlm_realm
> Module: Instantiating module "suffix" from file /etc/raddb/modules/realm
>  realm suffix {
>  format = "suffix"
>  delimiter = "@"
>  ignore_default = no
>  ignore_null = no
>  }
> Module: Linked to module rlm_files
> Module: Instantiating module "files" from file /etc/raddb/modules/files
>  files {
>  usersfile = "/etc/raddb/users"
>  acctusersfile = "/etc/raddb/acct_users"
>  preproxy_usersfile = "/etc/raddb/preproxy_users"
>  compat = "no"
>  }
> reading pairlist file /etc/raddb/users
> reading pairlist file /etc/raddb/acct_users
> reading pairlist file /etc/raddb/preproxy_users
> Module: Checking preacct {...} for more modules to load
> Module: Linked to module rlm_acct_unique
> Module: Instantiating module "acct_unique" from file
> /etc/raddb/modules/acct_unique
>  acct_unique {
>  key = "User-Name, Acct-Session-Id, NAS-IP-Address, NAS-Identifier, NAS-Port"
>  }
> Module: Checking accounting {...} for more modules to load
> Module: Linked to module rlm_detail
> Module: Instantiating module "detail" from file /etc/raddb/modules/detail
>  detail {
>  detailfile = "/var/log/radius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d"
>  header = "%t"
>  detailperm = 384
>  dirperm = 493
>  locking = no
>  log_packet_header = no
>  }
> Module: Linked to module rlm_attr_filter
> Module: Instantiating module "attr_filter.accounting_response" from
> file /etc/raddb/modules/attr_filter
>  attr_filter attr_filter.accounting_response {
>  attrsfile = "/etc/raddb/attrs.accounting_response"
>  key = "%{User-Name}"
>  relaxed = no
>  }
> reading pairlist file /etc/raddb/attrs.accounting_response
> Module: Checking session {...} for more modules to load
> Module: Linked to module rlm_radutmp
> Module: Instantiating module "radutmp" from file /etc/raddb/modules/radutmp
>  radutmp {
>  filename = "/var/log/radius/radutmp"
>  username = "%{User-Name}"
>  case_sensitive = yes
>  check_with_nas = yes
>  perm = 384
>  callerid = yes
>  }
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> Module: Instantiating module "attr_filter.access_reject" from file
> /etc/raddb/modules/attr_filter
>  attr_filter attr_filter.access_reject {
>  attrsfile = "/etc/raddb/attrs.access_reject"
>  key = "%{User-Name}"
>  relaxed = no
>  }
> reading pairlist file /etc/raddb/attrs.access_reject
> } # modules
> } # server
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
> modules {
> Module: Checking authenticate {...} for more modules to load
> Module: Checking authorize {...} for more modules to load
> Module: Checking session {...} for more modules to load
> Module: Checking post-proxy {...} for more modules to load
> Module: Checking post-auth {...} for more modules to load
> } # modules
> } # server
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>  type = "auth"
>  ipaddr = *
>  port = 0
> }
> listen {
>  type = "acct"
>  ipaddr = *
>  port = 0
> }
> listen {
>  type = "control"
> listen {
>  socket = "/var/run/radiusd/radiusd.sock"
> }
> }
> listen {
>  type = "auth"
>  ipaddr = 127.0.0.1
>  port = 18120
> }
> ... adding new socket proxy address * port 45294
> Listening on authentication address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
> Listening on proxy address * port 1814
> Ready to process requests.
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



More information about the Freeradius-Users mailing list