freeradius confuses switch
Alan DeKok
aland at deployingradius.com
Fri May 9 11:42:10 UTC 2025
On May 9, 2025, at 6:55 AM, Christoph Egger via Freeradius-Users <freeradius-users at lists.freeradius.org> wrote:
>> Request ID 53 (number 52), weird looking request, maybe it's an odd form of mac auth bypass?
>
> MAB is disabled.
That doesn't matter.
FreeRADIUS doesn't invent Access-Request packets. If the NAS is sending an Access-Request packet, it's because the NAS is configured to send Access-Request packets.
>>> authentik-freeradius-1 | (52) Received Access-Request Id 53 from 172.16.1.1:49514 to 172.16.1.2:1812 length 217
PLEASE just post the output of "radiusd -X". We don't need to see the machine name on every debug line. It's useless.
And DON'T post tcpdumps. They're useless.
The documentation makes all of this VERY clear: http://wiki.freeradius.org/list-help.
> How can I tell freeradius to wait for the first one?
You don't. The supplicant and NAS are in charge of when packets are sent. If they send packets in the wrong other, they're broken.
You can't fix a broken supplicant / NAS by poking the RADIUS server.
As Matthew said:
>> Looks like your NAS is broken, sending invalid requests, or not waiting for the first one to finish before sending another.
When you see a message like that, your response should be "Hmm... I guess I have to fix the NAS". Your response should not be to ignore that summary, and then ask how to "fix" FreeRADIUS.
Alan DeKok.
More information about the Freeradius-Users
mailing list