migrating client from 2.0 to 3.0
Matt Zagrabelny
mzagrabe at d.umn.edu
Fri Jan 13 01:14:40 UTC 2023
Hi Alan,
On Thu, Jan 12, 2023 at 6:19 PM Alan DeKok <aland at deployingradius.com>
wrote:
> On Jan 12, 2023, at 6:18 PM, Matt Zagrabelny via Freeradius-Users <
> freeradius-users at lists.freeradius.org> wrote:
> > However if I attempt to auth directly from the UPS to the 3.0 system, it
> > does not work - call this scenario B:
>
> Hmm... the typical reason is that the shared secret is wrong. But if
> that's correct, there isn't much else that can go wrong.
>
> If you're running v2 and v3 on the same machine, and the Access-Accept
> packets are the same, then it really should work.
>
No, not the same machine.
> > I'm not sure if there is more to look at between the 2.0 and 3.0 systems.
> > It is difficult to do any debugging on the UPS, so I was hoping to figure
> > out the issue on the FR systems.
> >
> > I've performed a diff of the scenario A and B 3.0 debug outputs and I
> > don't see anything significant in the difference.
>
> Yeah, that's a problem. Even the debug output doesn't matter as much as
> the Access-Accept. i.e. if the Access-Accepts have the same contents,
> then it should work.
>
> > I have removed the Service-Type from the configurations and I still get a
> > success authentication, I am just entered into a non-administrative role
> > on the UPS.
>
> So the UPS is recognizing the Access-Accept, but not the Service-Type.
> That is just weird.
>
Sorry. I wasn't clear. The Service-Type is working as expected. If I remove
it from Scenario A, I drop into the console with reduced privileges.
I removed the update reply stanza to simplify the FR configs. Didn't seem
to change anything - obviously.
> > Does anyone have any ideas for further debugging?
>
> I really don't have much to offer here. I don't recall ever seeing this
> before.
>
> It has to be a networking issue. I can't think of anything else.
>
That's where I'll look. Though the UPS does contact the 3.0 system just
fine (when it is configured to do so) - it just appears that it isn't
respecting the Access-Accept.
-m
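
The shared-secret mismatch named in the quoted reply can be checked offline from a captured request/reply pair: per RFC 2865, a client silently discards a reply whose Response Authenticator does not verify against its own copy of the secret. This is an added example, not part of the original thread and not FreeRADIUS code; the packet bytes, identifier and both secrets are constructed sample values.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2  # RADIUS packet code for Access-Accept (RFC 2865)

def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    """Server side: sign the reply with the server's copy of the secret."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_id, request_auth, secret):
    """NAS side: False means the reply would be silently discarded."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet) or ident != request_id:
        return False
    packet = packet[:length]  # octets past Length are padding and are ignored
    expected = response_authenticator(code, ident, packet[20:],
                                      request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample data (not taken from the thread).
REQ_ID = 42
REQ_AUTH = bytes(range(16))               # Request Authenticator from the Access-Request
SERVICE_TYPE = bytes([6, 6, 0, 0, 0, 6])  # Service-Type = Administrative-User
SERVER_SECRET = b"testing123"             # secret configured for the client on the server
NAS_SECRET_TYPO = b"testing124"           # hypothetical mistyped secret on the NAS

REPLY = build_reply(ACCESS_ACCEPT, REQ_ID, SERVICE_TYPE, REQ_AUTH, SERVER_SECRET)

if __name__ == "__main__":
    for label, secret in (("matching", SERVER_SECRET), ("mistyped", NAS_SECRET_TYPO)):
        ok = verify_reply(REPLY, REQ_ID, REQ_AUTH, secret)
        print(f"{label} secret: reply {'accepted' if ok else 'discarded'}")
```

Feeding `verify_reply` the bytes of a real capture, together with the secret exactly as it was typed into the NAS, shows whether the reply would pass this check.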