FreeRadius not responding to requests from external host

Darren Share darren.share at chronos.uk
Wed Mar 9 17:27:45 UTC 2022


If this is what you mean, this is it:

14:55:13.682482 IP (tos 0x0, ttl 64, id 60077, offset 0, flags [DF], proto UDP (17), length 93)
    172.31.1.36.58188 > 172.31.2.11.1812: RADIUS, length: 65
        Access-Request (1), id: 0x0c, Authenticator: 563b39fc146c0193e012f3787be53c16
          User-Name Attribute (1), length: 8, Value: darren
          CHAP-Password Attribute (3), length: 19, Value:
          CHAP-Challenge Attribute (60), length: 18, Value: ......#5|:O.....

The application is configured to retry three times, so I get three packets as above, and no response from FR.

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+darren.share=chronos.uk at lists.freeradius.org> On Behalf Of Jonathan Davis
Sent: 09 March 2022 17:23
To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject: Re: FreeRadius not responding to requests from external host

tcpdump filtered by the nas ip

> On Mar 9, 2022, at 12:13 PM, Darren Share <darren.share at chronos.uk> wrote:
>
> Hello Alan,
>
> Thanks for the reply.
>
>> If FreeRADIUS isn't getting packets, then it's an OS issue.
>
> Well, I guess that's my implied question. *Is* FR for sure not getting packets? If there's no response on the output of radiusd -X, does that mean it is 100% not receiving anything? As opposed to simply being unhappy with what it's receiving, for whatever reason?
>
>> That doesn't matter.
>
>> TCPdump looks at the packets deep in the OS network stack.  i.e. it typically bypasses firewalls and other security systems.
>
> It matters insomuch as I am happy there's no network issue, and also that it's not an interop issue with the application itself. Just trying to eliminate all the obvious stuff first.
>
>> SeLinux is running, and is preventing FreeRADIUS from accepting packets.
>
> SeLinux was running, you are correct. However, disabling it has had no effect.
>
> [root@tp11 ~]# sestatus
> SELinux status:                 disabled
>
>>  Ugh.  Why?  We have up to date packages available at: http://packages.networkradius.com
>
> It was just installed from the CentOS repos, suggest you raise it with the maintainers. For my part, this is just a quick-and-dirty installation to confirm there are no issues with our application's implementation of a RADIUS client, so it's good enough, as long as I can resolve this issue at the moment.
>
> Would appreciate any further thoughts.
>
> Thanks.
>
> Darren.
>
>
> -----Original Message-----
> From: Freeradius-Users <freeradius-users-bounces+darren.share=chronos.uk at lists.freeradius.org> On Behalf Of Alan DeKok
> Sent: 09 March 2022 16:26
> To: FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
> Subject: Re: FreeRadius not responding to requests from external host
>
>> On Mar 9, 2022, at 10:58 AM, Darren Share <darren.share at chronos.uk> wrote:
>> Hope someone can tell me where I’m going wrong here, because I’m stumped.
>
>  If FreeRADIUS isn't getting packets, then it's an OS issue.
>
>  If FreeRADIUS is getting packets and complaining about "unknown client" or "invalid authenticator", then the clients.conf entry is missing or wrong.
>
>  There really are no other options.
>
>> FR server is on 172.31.2.11. Firewalld turned off. FR responds perfectly to requests from an application running locally on the same server.
>
>  That's good.
>
>> A copy of the same application on a server with IP 172.31.1.36 is not getting any response. The output of radiusd -X shows nothing, as if it didn’t receive a request, yet packets are arriving as per tcpdump:
>
>  That doesn't matter.
>
>  TCPdump looks at the packets deep in the OS network stack.  i.e. it typically bypasses firewalls and other security systems.
>
>> [root@tp11 raddb]# firewall-cmd --list-all
>> FirewallD is not running
>
>  SeLinux is running, and is preventing FreeRADIUS from accepting packets.
>
>> Complete output of radiusd -X:
>>
>> FreeRADIUS Version 3.0.13
>
>  Ugh.  Why?  We have up to date packages available at: http://packages.networkradius.com
>
>  Alan DeKok.
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

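One way to test the question raised in the thread, whether a request that tcpdump sees also reaches a userspace socket, is a throwaway listener on the RADIUS port. This is an added example, not code from the thread or from the FreeRADIUS project; it assumes radiusd is stopped so UDP 1812 is free, and the function names and the zero-filled CHAP values in the sample packet are constructed for illustration.

```python
import socket
import struct

RADIUS_CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
                4: "Accounting-Request", 11: "Access-Challenge"}

def parse_radius(data):
    """Decode the RFC 2865 header and attribute list; ValueError if malformed."""
    if len(data) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > len(data):
        raise ValueError(f"length field {length} does not fit {len(data)} bytes")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = data[pos], data[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError(f"bad length {a_len} for attribute {a_type}")
        attrs.append((a_type, data[pos + 2:pos + a_len]))
        pos += a_len
    return {"code": RADIUS_CODES.get(code, str(code)), "id": ident,
            "length": length, "authenticator": data[4:20].hex(), "attrs": attrs}

def sample_request():
    """Constructed packet shaped like the capture in the thread (65 bytes)."""
    auth = bytes.fromhex("563b39fc146c0193e012f3787be53c16")
    body = bytes([1, 8]) + b"darren"        # User-Name (1), length 8
    body += bytes([3, 19]) + bytes(17)      # CHAP-Password (3), placeholder zeros
    body += bytes([60, 18]) + bytes(16)     # CHAP-Challenge (60), placeholder zeros
    return struct.pack("!BBH", 1, 0x0C, 20 + len(body)) + auth + body

def listen(bind_addr="0.0.0.0", port=1812):
    """Print every datagram that reaches userspace on the RADIUS auth port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((bind_addr, port))        # fails if radiusd still holds the port
        while True:
            data, peer = sock.recvfrom(4096)
            try:
                print(peer, parse_radius(data))
            except ValueError as exc:
                print(peer, "not valid RADIUS:", exc)

if __name__ == "__main__":
    listen()
```

If tcpdump shows the request but this listener prints nothing, the datagram is being dropped between the capture point and the socket layer; if it prints the request, packets are reaching userspace on that address and port.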