FREERADIUS SERVER PROBLEM

Support for security such as Firewalls and securing linux
tecksonic
Posts: 5
Joined: 2011/10/01 05:53:13

FREERADIUS SERVER PROBLEM

Postby tecksonic » 2011/10/01 19:43:52

Hi

I have a Centos 5.5 virtual machine on my computer and i've configure a freeradius server in it...
the problem is that i'm not able to communicate the AP and the radius server, i've configured the client already, and configured the AP with the secret, port, and ip server...

when i do a radtest for localhost works fine..the packet is accepted...but with the AP there is no response..
i ping the AP and it's fine... so the last thing that i've done is the tcpdump to the AP to see what's happening
it seems that the request is being sended...but there is no response....can anyone help me with this??

thank u

[root@localhost raddb]# tcpdump host 192.168.1.100
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
23:33:30.176868 IP 192.168.75.129.44844 > castel.local.radius: RADIUS, Access Request (1), id: 0x40 length: 58
23:33:35.801316 IP 192.168.75.129.44844 > castel.local.radius: RADIUS, Access Request (1), id: 0x40 length: 58
23:33:41.577914 IP 192.168.75.129.44844 > castel.local.radius: RADIUS, Access Request (1), id: 0x40 length: 58

User avatar
TrevorH
Forum Moderator
Posts: 21208
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

FREERADIUS SERVER PROBLEM

Postby TrevorH » 2011/10/01 20:03:52

Do you have iptables running and have you allowed the radius port from outside?

tecksonic
Posts: 5
Joined: 2011/10/01 05:53:13

Re: FREERADIUS SERVER PROBLEM

Postby tecksonic » 2011/10/01 20:46:27

TrevorH wrote:
Do you have iptables running and have you allowed the radius port from outside?


The Centos Firewall is deactivated...so iptables is not running
and all the ports are allowed for the virtual machine
i'm new in this centos and freeradius issue so excuse me if that wasn't what you meant

User avatar
TrevorH
Forum Moderator
Posts: 21208
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FREERADIUS SERVER PROBLEM

Postby TrevorH » 2011/10/01 21:04:19

If you are sure that the firewall is disabled then the command below should say

Code: Select all

# service iptables status
iptables: Firewall is not running.


If so then have you checked the ports that radius is listening on? Maybe you have it set to listen only on localhost?

Code: Select all

netstat -antup | grep 1812


should show you the ports that are open and listening.

tecksonic
Posts: 5
Joined: 2011/10/01 05:53:13

Re: FREERADIUS SERVER PROBLEM

Postby tecksonic » 2011/10/01 21:17:24

Yep, the firewall is not running..i checked

and this is what i get when doing netstat

[root@localhost radius]# netstat -antup | grep 1812
udp 0 0 0.0.0.0:1812 0.0.0.0:* 12186/radiusd

it means that the port is listening any ip right? or am i wrong?

User avatar
TrevorH
Forum Moderator
Posts: 21208
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FREERADIUS SERVER PROBLEM

Postby TrevorH » 2011/10/02 01:40:53

It looks that way but from the lack of any response in your tcpdump output, it still looks to me like your firewall is enabled. When you run tcpdump it 'sees' the packets before they go through the iptables level so it will list packets that are subsequently dropped by iptables rules. I was hoping that you would post the output from `service iptables status` here to show that it was actually not running but...

Otherwise I think your next step is to put the radius log level up to debug and check the logs there to see if it indicates any activity at all.

tecksonic
Posts: 5
Joined: 2011/10/01 05:53:13

Re: FREERADIUS SERVER PROBLEM

Postby tecksonic » 2011/10/02 02:09:57

[root@localhost ~]# service iptables status
El cortafuegos está detenido. >> it means the firewall is not running


this is the debugging output for the localhost, the last log for radius.log says the authentication was accepeted for the localhost...

when im doing the radtest for the AP...nothing appears in the debugging output and the radius.log either

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 46599, id=213, length=56
User-Name = "mile"
User-Password = "salsera"
NAS-IP-Address = 127.0.0.1
NAS-Port = 1812
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = "mile", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[sql] expand: %{User-Name} -> mile
[sql] sql_set_user escaped user --> 'mile'
rlm_sql (sql): Reserving sql socket id: 3
[sql] expand: SELECT id, username, attribute, value, op FROM radcheck WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radcheck WHERE username = 'mile' ORDER BY id
WARNING: Found User-Password == "...".
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See "man rlm_pap" for more information.
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op FROM radreply WHERE username = '%{SQL-User-Name}' ORDER BY id -> SELECT id, username, attribute, value, op FROM radreply WHERE username = 'mile' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT groupname FROM radusergroup WHERE username = 'mile' ORDER BY priority
rlm_sql (sql): Released sql socket id: 3
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Replacing User-Password in config items with Cleartext-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!! Please update your configuration so that the "known good" !!!
!!! clear text password is in Cleartext-Password, and not in User-Password. !!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
+- entering group PAP {...}
[pap] login attempt with password "salsera"
[pap] Using clear text password "salsera"
[pap] User authenticated successfully
++[pap] returns ok
Login OK: [mile] (from client localhost port 1812)
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 213 to 127.0.0.1 port 46599
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 213 with timestamp +36
Ready to process requests.

User avatar
TrevorH
Forum Moderator
Posts: 21208
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FREERADIUS SERVER PROBLEM

Postby TrevorH » 2011/10/02 12:13:01

Could you re-run your tcpdump with the -n -nn switches so that the ip addresses and port numbers come out as numbers and not as translated port names.

tecksonic
Posts: 5
Joined: 2011/10/01 05:53:13

Re: FREERADIUS SERVER PROBLEM

Postby tecksonic » 2011/10/02 20:02:13

TrevorH wrote:
Could you re-run your tcpdump with the -n -nn switches so that the ip addresses and port numbers come out as numbers and not as translated port names.


tcpdump host 192.168.0.1 -nn
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
14:03:00.237775 IP 192.168.75.129.42283 > 192.168.0.1.1812: RADIUS, Access Request (1), id: 0x8b length: 58
14:03:06.150241 IP 192.168.75.129.42283 > 192.168.0.1.1812: RADIUS, Access Request (1), id: 0x8b length: 58
14:03:11.986443 IP 192.168.75.129.42283 > 192.168.0.1.1812: RADIUS, Access Request (1), id: 0x8b length: 58



here it is...Please help me...i need this working!! :(

User avatar
TrevorH
Forum Moderator
Posts: 21208
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: FREERADIUS SERVER PROBLEM

Postby TrevorH » 2011/10/02 20:31:06

Sorry, I don't have a clue what is wrong.