I encountered the problem that there is an account in the database, but the authentication process feedback does not exist. Please help.

娶你苟命 qunigouming at gmail.com
Fri Dec 8 03:15:18 UTC 2023


Thanks for Alan's correction. I will not publish the switch configuration
file in subsequent questions. Yesterday I used the GNS3 simulated switch to
test three solutions to compare Wireshark messages (1. log in with the
local account of the switch, 2. accounts stored in the RADIUS server
database, 3. accounts coexisting in the switch local and RADIUS server
database, but the two passwords are inconsistent); only the third one is
successful. But judging from the data packets captured in Wireshark, there
is no difference between the data packets of the second and third test
scenarios. Considering the rigor of the experiment, I will use real network
equipment to test the results and give feedback to you.

Alan DeKok <aland at deployingradius.com> wrote on Wed, Dec 6, 2023 at 21:00:

> On Dec 5, 2023, at 10:00 PM, 娶你苟命 <qunigouming at gmail.com> wrote:
> > *   The following is the debugging process tee debugfile I provide for
> > freeradius server to execute radiusd -X 2>&1 | (this includes valid
> > authentication and invalid authentication processes, I will put them at
> > the end of the email):*
>
>   Read http://wiki.freeradius.org/list-help
>
>   Don't post debug logs where the server receives no packets.  It doesn't
> help.  Don't post switch configuration.  It doesn't help.
>
> >    *What is puzzling is that the user "netnoc" exists on my mysql, but
> > when using H3C network supplier products, it will prompt that the user
> > does not exist. I have repeatedly confirmed that there is no problem with
> > the switch configuration file. This problem will not exist when testing
> > with Cisco ACS.*
>
>   So look at the ACS configuration to see what attributes it returns in
> the Access-Accept.
>
>   Or, use wireshark to look at the Access-Accept from ACS.
>
>   See what attributes are in the Access-Accept, and then configure
> FreeRADIUS to reply with the same attributes.  There's no magic here.  The
> switch just sees the Access-Accept.  It doesn't know if the RADIUS server
> is ACS or is FreeRADIUS.
>
>   If FreeRADIUS is sending the same Access-Accept as ACS, and the switch
> *still* behaves differently, then check the switch configuration.  It's
> been configured to treat the two RADIUS servers as different.
>
>   We can't help with fixing the switch configuration.  But that kind of
> issue is very, very, rare.
>
>   It's almost always that you've configured ACS to do one thing, and then
> configured FreeRADIUS to do something else.  That's why the switch is
> behaving differently for the two situations.
>
>   And upgrade the server, too.  There's pretty much zero reason to use
> 3.0.13.
>
>   Alan DeKok.
>

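The comparison suggested in the reply above, as an added example that is not part of the original thread or of FreeRADIUS: it parses two Access-Accept packets and lists the attributes the second one lacks, adds, or sends with different values. The sample packets and the attribute values in them are constructed for illustration, not taken from the poster's capture.

```python
import struct

ACCESS_ACCEPT, VENDOR_SPECIFIC = 2, 26

def parse_attributes(packet: bytes) -> dict:
    """Map attribute key -> list of raw values for one Access-Accept (RFC 2865)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Access-Accept")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        key, value = str(a_type), packet[pos + 2:pos + a_len]
        # Vendor-Specific: 4-byte vendor id, then type/length/value (first sub-attribute only).
        if a_type == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            key, value = f"26/{vendor}/{value[4]}", value[6:4 + value[5]]
        attrs.setdefault(key, []).append(value)
        pos += a_len
    return attrs

def diff_accepts(reference: bytes, candidate: bytes) -> dict:
    """Attributes the candidate reply lacks, adds, or sends with other values."""
    ref, cand = parse_attributes(reference), parse_attributes(candidate)
    return {"missing": sorted(k for k in ref if k not in cand),
            "extra": sorted(k for k in cand if k not in ref),
            "changed": sorted(k for k in ref if k in cand and ref[k] != cand[k])}

# Constructed sample packets (not taken from the thread); authenticator zeroed.
def _attr(t, v):
    return bytes([t, len(v) + 2]) + v

def _accept(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", ACCESS_ACCEPT, 1, 20 + len(body)) + bytes(16) + body

REFERENCE = _accept([_attr(6, struct.pack("!I", 6)),   # Service-Type
                     _attr(26, struct.pack("!I", 9) + _attr(1, b"shell:priv-lvl=15"))])
CANDIDATE = _accept([_attr(6, struct.pack("!I", 1)),   # Service-Type, other value
                     _attr(18, b"ok")])                # Reply-Message

if __name__ == "__main__":
    print(diff_accepts(REFERENCE, CANDIDATE))
```

For real captures, pass the RADIUS payload bytes of each Access-Accept, for example `bytes.fromhex(...)` on a hex stream copied out of Wireshark.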
