migrating client from 2.0 to 3.0

Conrad Classen conrad.classen at gmail.com
Fri Jan 13 07:50:39 UTC 2023


Hi

I have seen weird responses from some NAS's, specifically on some Ciscos 
if the reply packet includes a Framed-Compression attribute.

If you are handing any of these out in the response, remove it to see if 
it changes.

I hope this is useful to you.

Conrad

On 2023/01/13 03:14, Matt Zagrabelny via Freeradius-Users wrote:
> Hi Alan,
>
> On Thu, Jan 12, 2023 at 6:19 PM Alan DeKok <aland at deployingradius.com>
> wrote:
>
>> On Jan 12, 2023, at 6:18 PM, Matt Zagrabelny via Freeradius-Users <
>> freeradius-users at lists.freeradius.org> wrote:
>>> However if I attempt to auth directly from the UPS to the 3.0 system, it
>>> does not work - call this scenario B:
>>    Hmm... the typical reason is that the shared secret is wrong.  But if
>> that's correct, there isn't much else that can go wrong.
>>
>>    If you're running v2 and v3 on the same machine, and the Access-Accept
>> packets are the same, then it really should work.
>>
> No, not the same machine.
>
>
>>> I'm not sure if there is more to look at between the 2.0 and 3.0 systems.
>>> It is difficult to do any debugging on the UPS, so I was hoping to figure
>>> out the issue on the FR systems.
>>>
>>> I've performed a diff of the scenario A and B 3.0 debug outputs and I don't
>>> see anything significant in the difference.
>>    Yeah, that's a problem.  Even the debug output doesn't matter as much as
>> the Access-Accept.  i.e. if the Access-Accepts have the same contents,
>> then it should work.
>>
>>> I have removed the Service-Type from the configurations and I still get a
>>> success authentication, I am just entered into a non-administrative role on
>>> the UPS.
>>    So the UPS is recognizing the Access-Accept, but not the Service-Type.
>> That is just weird.
>>
> Sorry. I wasn't clear. The Service-Type is working as expected. If I remove
> it from Scenario A, I drop into the console with reduced privileges.
>
> I removed the update reply stanza to simplify the FR configs. Didn't seem
> to change anything - obviously.
>
>>> Does anyone have any ideas for further debugging?
>>
>>    I really don't have much to offer here.  I don't recall ever seeing this
>> before.
>>
>>    It has to be a networking issue.  I can't think of anything else.
>>
> That's where I'll look. Though the UPS does contact the 3.0 system just
> fine (when it is configured to do so) - it just appears that it isn't
> respecting the Access-Accept.
>
> -m
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
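
The two checks this thread keeps coming back to, as an added example that is not part of the original messages: verifying an Access-Accept's Response Authenticator against the shared secret (RFC 2865), and listing which attributes differ between two replies, such as an extra Framed-Compression. The secret, request authenticator and both packets are constructed sample data, and the function names are illustrative.

```python
import hashlib
import hmac
import struct

# A few attribute numbers from RFC 2865; anything else prints as Attr-N.
NAMES = {6: "Service-Type", 13: "Framed-Compression"}

def build_reply(code, ident, req_auth, attrs, secret):
    """Build a reply packet; used here only to construct sample data."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    head = struct.pack("!BBH", code, ident, 20 + len(body))
    return head + hashlib.md5(head + req_auth + body + secret).digest() + body

def parse_attrs(packet):
    """Return the packet's attributes as a list of (type, value) pairs."""
    length = struct.unpack("!H", packet[2:4])[0]
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or packet[pos + 1] < 2 or pos + packet[pos + 1] > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + packet[pos + 1]]))
        pos += packet[pos + 1]
    return attrs

def authenticator_ok(packet, req_auth, secret):
    """Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    length = struct.unpack("!H", packet[2:4])[0]
    digest = hashlib.md5(packet[:4] + req_auth + packet[20:length] + secret)
    return hmac.compare_digest(digest.digest(), packet[4:20])

def diff_attrs(pkt_a, pkt_b):
    """Names of attributes found only in pkt_a and only in pkt_b."""
    a, b = set(parse_attrs(pkt_a)), set(parse_attrs(pkt_b))
    name = lambda t: NAMES.get(t, f"Attr-{t}")
    return sorted(name(t) for t, _ in a - b), sorted(name(t) for t, _ in b - a)

# Constructed sample data: secret, request authenticator and both replies.
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))
SERVICE_TYPE = (6, struct.pack("!I", 6))   # Administrative
COMPRESSION = (13, struct.pack("!I", 1))   # VJ TCP/IP header compression
REPLY_A = build_reply(2, 7, REQ_AUTH, [SERVICE_TYPE], SECRET)
REPLY_B = build_reply(2, 7, REQ_AUTH, [SERVICE_TYPE, COMPRESSION], SECRET)

if __name__ == "__main__":
    print("authenticator valid:", authenticator_ok(REPLY_A, REQ_AUTH, SECRET))
    print("only in A / only in B:", diff_attrs(REPLY_A, REPLY_B))
```

Fed the raw bytes of a captured request/reply pair, a failing authenticator check points at the shared secret, while a passing check with a non-empty attribute diff points at the reply contents.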

