I encountered the problem that there is an account in the database, but the authentication process feedback does not exist. Please help.
Alan DeKok
aland at deployingradius.com
Wed Dec 6 12:59:51 UTC 2023
On Dec 5, 2023, at 10:00 PM, 娶你苟命 <qunigouming at gmail.com> wrote:
> * The following is the debugging process tee debugfile I provide for
> freeradius server to execute radiusd -X 2>&1 | (this includes valid
> authentication and invalid authentication processes, I will put them at the
> end of the email):*
Read http://wiki.freeradius.org/list-help
Don't post debug logs where the server receives no packets. It doesn't help. Don't post switch configuration. It doesn't help.
> *What is puzzling is that the user "netnoc" exists on my mysql, but
> when using H3C network supplier products, it will prompt that the user does
> not exist. I have repeatedly confirmed that there is no problem with the
> switch configuration file. This problem will not exist when testing with
> Cisco ACS.*
So look at the ACS configuration to see what attributes it returns in the Access-Accept.
Or, use wireshark to look at the Access-Accept from ACS.
See what attributes are in the Access-Accept, and then configure FreeRADIUS to reply with the same attributes. There's no magic here. The switch just sees the Access-Accept. It doesn't know if the RADIUS server is ACS or is FreeRADIUS.
If FreeRADIUS is sending the same Access-Accept as ACS, and the switch *still* behaves differently, then check the switch configuration. It's been configured to treat the two RADIUS servers as different.
We can't help with fixing the switch configuration. But that kind of issue is very, very, rare.
It's almost always that you've configured ACS to do one thing, and then configured FreeRADIUS to do something else. That's why the switch is behaving differently for the two situations.
And upgrade the server, too. There's pretty much zero reason to use 3.0.13.
Alan DeKok.
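
The comparison described in the reply above (the Access-Accept from ACS against the one from FreeRADIUS), as an added example that is not part of the original message or of FreeRADIUS itself: it parses the attributes of two Access-Accept packets and reports which ones differ. It assumes you have the raw RADIUS payload bytes of each reply (for example exported from a Wireshark capture); the function names are hypothetical, the sample packets are constructed, and vendor id 32473 is the enterprise number reserved for documentation.

```python
import struct

ACCESS_ACCEPT = 2        # RADIUS packet code (RFC 2865)
VENDOR_SPECIFIC = 26     # attribute type that wraps vendor sub-attributes
PER_PACKET = {80}        # Message-Authenticator: differs on every packet, so ignore it

def parse_accept(packet: bytes) -> set:
    """Return {(vendor_id, attr_type, value)}; vendor_id 0 means a standard attribute."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = set(), 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError(f"malformed attribute at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype in PER_PACKET:
            continue
        if atype == VENDOR_SPECIFIC and len(value) >= 6 and value[5] == len(value) - 4:
            # Common layout: 4-byte vendor id, then one type/length/value sub-attribute
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.add((vendor, value[4], value[6:]))
        else:
            attrs.add((0, atype, value))   # standard attribute, or VSA kept opaque
    return attrs

def diff_accepts(reference: bytes, candidate: bytes) -> dict:
    """Attributes the reference reply has that the candidate lacks, and the reverse."""
    ref, cand = parse_accept(reference), parse_accept(candidate)
    return {"missing": sorted(ref - cand), "extra": sorted(cand - ref)}

# --- Constructed sample packets (not taken from the thread) ---
def avp(atype: int, value: bytes) -> bytes:
    return bytes([atype, len(value) + 2]) + value
def accept(*attrs: bytes) -> bytes:
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

# 32473 is the enterprise number reserved for documentation (RFC 5612)
EXAMPLE_VSA = avp(VENDOR_SPECIFIC, struct.pack("!I", 32473) + avp(1, b"example-role"))
REFERENCE = accept(avp(6, struct.pack("!I", 6)), EXAMPLE_VSA)   # stands in for the ACS reply
CANDIDATE = accept(avp(6, struct.pack("!I", 1)), avp(80, bytes(16)))  # stands in for FreeRADIUS

if __name__ == "__main__":
    print(diff_accepts(REFERENCE, CANDIDATE))
```

Each entry under "missing" is an attribute the reference server returned that the candidate did not, which is the list to reproduce in the FreeRADIUS reply.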