(RADIATOR) No reply - Proxy does not catch the Request

Lengacher Stefan Stefan.Lengacher at weroam.com
Fri Jul 16 03:51:31 CDT 2004


Hugh

Indeed it was iptables blocking my request. I was wrong in thinking it's ipchain where I opened the appropriate port. After shutting down iptables all worked well.

Thanks a lot for your support.

Stefan

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Friday, 16 July 2004 10:06
To: Lengacher Stefan
Subject: Re: (RADIATOR) No reply - Proxy does not catch the Request



Hello Stefan -

Yes it looks like Radiator on the testing system is running properly.

If the local test with radpwtst works correctly to port 1645 it  
therefore follows that Radiator is correctly listening on port 1645.

If tcpdump shows that a proxied radius request is arriving on port  
1645, but Radiator is not seeing it while listening on port 1645, it  
therefore follows that there _must_ be something blocking the request  
between the hardware interface and the operating system and/or the  
radiusd process.

regards

Hugh


On 16 Jul 2004, at 16:21, Lengacher Stefan wrote:

> Hi Hugh
>
> Yes, I'm sure that Radiator is running on my test system.
>
> This is what happens when I do this locally:
> ---------------------------------------------
> [root at RAdminTest radiator]# radpwtst -s 127.0.0.1 -secret xxxx
> -auth_port 1645 -noacct -user lemy -password marcelluswallace -trace 4
> Reading dictionary file './dictionary'
> sending Access-Request...
> Packet dump:
> *** Sending to 127.0.0.1 port 1645 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "lemy"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =  
> "<148><234>- 
> <206><202>0h<131><207>Oh<204><180><28><27><252>^k<252><16><216>KG<129>< 
> 13><18>*<210><151><145><245><205>"
>
> Packet dump:
> *** Received from 127.0.0.1 port 1645 ....
> Code:       Access-Accept
> Identifier: 149
> Authentic:  <148><139>L9[u<205>W&D<197>6Mb<161>#
> Attributes:
>
> OK
> -------------------------------------------------
>
> And the Logfile:
> -------------------------------------------------
> Fri Jul 16 08:17:07 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1029 ....
> Code:       Access-Request
> Identifier: 142
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "lemy"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =  
> "<148><234>- 
> <206><202>0h<131><207>Oh<204><180><28><27><252>^k<252><16><216>KG<129>< 
> 13><18>*<210><151><145><245><205>"
>
> Fri Jul 16 08:17:07 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Jul 16 08:17:07 2004: DEBUG:  Deleting session for lemy,  
> 203.63.154.1, 1234
> Fri Jul 16 08:17:07 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 16 08:17:07 2004: DEBUG: Radius::AuthFILE looks for match with  
> lemy
> Fri Jul 16 08:17:07 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Jul 16 08:17:07 2004: DEBUG: Access accepted for lemy
> Fri Jul 16 08:17:07 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1029 ....
> Code:       Access-Accept
> Identifier: 142
> Authentic:  1234567890123456
> Attributes:
>
> Fri Jul 16 08:17:14 2004: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1029 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "lemy"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         User-Password =  
> "<148><234>- 
> <206><202>0h<131><207>Oh<204><180><28><27><252>^k<252><16><216>KG<129>< 
> 13><18>*<210><151><145><245><205>"
>
> Fri Jul 16 08:17:14 2004: DEBUG: Handling request with Handler  
> 'Realm=DEFAULT'
> Fri Jul 16 08:17:14 2004: DEBUG:  Deleting session for lemy,  
> 203.63.154.1, 1234
> Fri Jul 16 08:17:14 2004: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 16 08:17:14 2004: DEBUG: Radius::AuthFILE looks for match with  
> lemy
> Fri Jul 16 08:17:14 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri Jul 16 08:17:14 2004: DEBUG: Access accepted for lemy
> Fri Jul 16 08:17:14 2004: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1029 ....
> Code:       Access-Accept
> Identifier: 149
> Authentic:  1234567890123456
> Attributes:
> -------------------------------------------------
>
> So, locally it seems to work for me, or am I wrong?
>
> Kind Regards,
>
> Stefan
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Friday, 16 July 2004 03:41
> To: Lengacher Stefan
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) No reply - Proxy does not catch the Request
>
>
>
> Hello Stefan -
>
> As far as I can see what you are trying to do should work.
>
> Are you sure that Radiator is running on the testing host when you try
> your tests?
>
> And what does the local radpwtst show on the testing host?
>
> regards
>
> Hugh
>
>
> On 16 Jul 2004, at 01:18, Lengacher Stefan wrote:
>
>> Hello all
>>
>> I'm playing around with Radmin now and therefore I just installed a
>> _simple and thin_ Radiator on the same machine for this purpose.
>> Radmin works fine with the appropriate Radiator. Now I'm trying to use
>> this installation with our working Radiator environment. This means:
>>
>> We have a working Radius Proxy (Radiator) which now tries to do
>> Auth-Requests on my testing Radiator where I'm playing around with
>> Radmin.
>>
>> I can successfully use radpwtst on my testing radius locally. It works
>> with my defined user.
>> I can successfully use radpwtst on my testing radius against the working
>> Radiator. It works with the users which are defined in the working
>> environment.
>> Unfortunately vice-versa does not work. I get no reply from the
>> testing Radiator on the request from the working one.
>>
>> It is not a routing/networking issue since I see on my testing
>> computer (using tcpdump) that the requests arrive correctly on
>> udp-port 1645 (as defined). On the testing side nothing gets logged
>> (using Trace 4!). On the working side I get:
>>
>> INFO: AuthRADIUS: No reply after 3 retransmissions to xxx.xxx.xxx.xxx
>> for lemy at lemy.ch (226)
>> INFO: AuthRADIUS could not find a working host to forward to.  
>> Ignoring.
>> (you can see the whole thing below)
>>
>> This is the request I sent on my working radius machine:
>> -----------------------------------------------------------
>> Radpwtst -s 127.0.0.1 -secret xxxx -auth_port 11812 -noacct -user
>> lemy at lemy.ch -password xxxxxxxx -trace 4
>> -----------------------------------------------------------
>>
>> On the test-machine, tcpdump gives me:
>> -----------------------------------------------------------
>> [root at RAdminTest radiator]# tcpdump -i eth0 -t udp
>> tcpdump: listening on eth0
>> 195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req
>> 114 [id 11] Attr[  User{lemy at lemy.ch} Service_type{Framed}
>> NAS_ipaddr{oscar.open.com.au} NAS_port{1234} [|radius] (DF)
>> 195.141.161.230.1029 > ns2.togewa.com.domain:  36594+ PTR?
>> 230.161.141.195.in-addr.arpa. (46) (DF)
>> ns2.togewa.com.domain > 195.141.161.230.1029:  36594 NXDomain* 0/1/0
>> (131)
>> 195.141.161.230.1029 > ns2.togewa.com.domain:  36595+ PTR?
>> 202.161.141.195.in-addr.arpa. (46) (DF)
>> ns2.togewa.com.domain > 195.141.161.230.1029:  36595 NXDomain* 0/1/0
>> (131)
>> 195.141.161.230.1029 > ns2.togewa.com.domain:  36596+ PTR?
>> 1.154.63.203.in-addr.arpa. (43) (DF)
>> ns2.togewa.com.domain > 195.141.161.230.1029:  36596 1/0/0 (74)
>> 195.141.161.230.1029 > ns2.togewa.com.domain:  36597+ PTR?
>> 10.149.2.62.in-addr.arpa. (42) (DF)
>> ns2.togewa.com.domain > 195.141.161.230.1029:  36597* 1/0/0
>> PTR[|domain]
>> 195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req
>> 114 [id 11] Attr[  User{lemy at lemy.ch} Service_type{Framed}
>> NAS_ipaddr{oscar.open.com.au} NAS_port{1234} [|radius] (DF)
>> 195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req
>> 114 [id 11] Attr[  User{lemy at lemy.ch} Service_type{Framed}
>> NAS_ipaddr{oscar.open.com.au} NAS_port{1234} [|radius] (DF)
>> 195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req
>> 114 [id 11] Attr[  User{lemy at lemy.ch} Service_type{Framed}
>> NAS_ipaddr{oscar.open.com.au} NAS_port{1234} [|radius] (DF)
>> -----------------------------------------------------------
>> This means the request arrives at my testing machine, and since there
>> is no firewall running on it, this is really no networking/routing
>> issue.
>>
>> These are the files on the working machine (well not the whole, just
>> the parts catching this case since these files are really big ;-):
>>
>> Radius.cfg:
>> ------------------
>> AuthPort	11812
>> AcctPort	11814
>>
>> Trace 4
>>
>> <Realm lemy.ch>
>> 	<AuthBy RADIUS>
>> 		Host xxx.xxx.xxx.xxx (this is the ip of the testing machine)
>> 		Secret <snipped>
>> 		AuthPort 1645
>> 		AcctPort 1646
>> 	</AuthBy>
>> </Realm>
>> ------------------ /Radius.cfg
>>
>> Logfile:
>> ------------------
>> *** Received from 127.0.0.1 port 32840 ....
>> Code:       Access-Request
>> Identifier: 226
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "lemy at lemy.ch"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password =
>> "<134><238><29><182><146><18><178><199><9><176><151><4><230>g[<229>g<1 
>> 6
>> 5>"<167><202><241><192><155>"<25><178>B<28><223>)<17>"
>>
>> Thu Jul 15 16:32:20 2004: DEBUG: Rewrote user name to lemy at lemy.ch
>> Thu Jul 15 16:32:20 2004: DEBUG: Handling request with Handler
>> 'Realm=lemy.ch'
>> Thu Jul 15 16:32:20 2004: DEBUG:  Deleting session for lemy at lemy.ch,
>> 203.63.154.1, 1234
>> Thu Jul 15 16:32:20 2004: DEBUG: do query is: 'delete from RADONLINE
>> where NASIDENTIFIER='203.63.154.1' and NASPORT=01234':
>>
>> Thu Jul 15 16:32:20 2004: DEBUG: Handling with Radius::AuthRADIUS
>> Thu Jul 15 16:32:20 2004: DEBUG: Packet dump:
>> *** Sending to 195.141.161.230 port 1645 ....
>> Code:       Access-Request
>> Identifier: 9
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "lemy at lemy.ch"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password =
>> "z<252>Nk<159><205><0>i*'g<178><12>U<133><189>U5<203><225><198><227><2 
>> 5
>> 0><249><250><245><235>|5<25><182><216>"
>>
>> Thu Jul 15 16:32:25 2004: DEBUG: Timed out, retransmitting
>> Thu Jul 15 16:32:25 2004: DEBUG: Packet dump:
>> *** Sending to 195.141.161.230 port 1645 ....
>> Code:       Access-Request
>> Identifier: 9
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "lemy at lemy.ch"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password =
>> "z<252>Nk<159><205><0>i*'g<178><12>U<133><189>U5<203><225><198><227><2 
>> 5
>> 0><249><250><245><235>|5<25><182><216>"
>>
>> Thu Jul 15 16:32:30 2004: DEBUG: Timed out, retransmitting
>> Thu Jul 15 16:32:30 2004: DEBUG: Packet dump:
>> *** Sending to 195.141.161.230 port 1645 ....
>> Code:       Access-Request
>> Identifier: 9
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "lemy at lemy.ch"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password =
>> "z<252>Nk<159><205><0>i*'g<178><12>U<133><189>U5<203><225><198><227><2 
>> 5
>> 0><249><250><245><235>|5<25><182><216>"
>>
>> Thu Jul 15 16:32:35 2004: DEBUG: Timed out, retransmitting
>> Thu Jul 15 16:32:35 2004: DEBUG: Packet dump:
>> *** Sending to 195.141.161.230 port 1645 ....
>> Code:       Access-Request
>> Identifier: 9
>> Authentic:  1234567890123456
>> Attributes:
>>         User-Name = "lemy at lemy.ch"
>>         Service-Type = Framed-User
>>         NAS-IP-Address = 203.63.154.1
>>         NAS-Port = 1234
>>         Called-Station-Id = "123456789"
>>         Calling-Station-Id = "987654321"
>>         NAS-Port-Type = Async
>>         User-Password =
>> "z<252>Nk<159><205><0>i*'g<178><12>U<133><189>U5<203><225><198><227><2 
>> 5
>> 0><249><250><245><235>|5<25><182><216>"
>>
>> Thu Jul 15 16:32:40 2004: INFO: AuthRADIUS: No reply after 3
>> retransmissions to 195.141.161.230:1645 for lemy at lemy.ch  (226)
>> Thu Jul 15 16:32:40 2004: INFO: AuthRADIUS could not find a working
>> host to forward to. Ignoring
>> ------------------------ /Logfile
>>
>> And finally, these are the _small and thin_ files on my testing
>> environment:
>>
>> Radius.cfg
>> ---------------------------
>> AuthPort	1645
>> AcctPort	1646
>> Trace		4
>>
>> <Client 195.141.161.202>
>>         Secret xxxxxx
>> </Client>
>>
>> <Client DEFAULT>
>>         Secret  xxxxxxx
>>         DupInterval 0
>> </Client>
>>
>> <Realm lemy.ch>
>>         RewriteUsername s/^([^@]+).*/$1/
>>         <AuthBy FILE>
>>                 Filename %D/users
>>         </AuthBy>
>>         # Log accounting to a detail file
>>         AcctLogFileName %L/detail
>> </Realm>
>>
>> <Realm DEFAULT>
>>         <AuthBy FILE>
>>                 Filename %D/users
>>         </AuthBy>
>>         # Log accounting to a detail file
>>         AcctLogFileName %L/detail
>> </Realm>
>> ---------------------------/Radius.cfg
>>
>> Users
>> ---------------------------
>> lemy    User-Password="xxxxxxxxxxxxxx"
>> ---------------------------/Users
>>
>> Logfile:
>> ---------------------------
>> Thu Jul 15 17:12:32 2004: NOTICE: SIGTERM received: stopping
>> Thu Jul 15 17:12:32 2004: DEBUG: Reading users file  
>> /etc/radiator/users
>> Thu Jul 15 17:12:32 2004: DEBUG: Reading users file  
>> /etc/radiator/users
>> Thu Jul 15 17:12:32 2004: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Thu Jul 15 17:12:32 2004: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>> Thu Jul 15 17:12:32 2004: DEBUG: Creating authentication port
>> 0.0.0.0:1645
>> Thu Jul 15 17:12:32 2004: DEBUG: Creating accounting port 0.0.0.0:1646
>> Thu Jul 15 17:12:32 2004: NOTICE: Server started: Radiator 3.9 on
>> RAdminTest
>> ---------------------------/Logfile
>>
>> That's all the information I've got. I really hope someone can help me,
>> since rebuilding the whole testing environment is never fun at all
>> :-|
>>
>> Regards,
>>
>> Stefan Lengacher
>> Project & Testing Manager
>>
>>
>> --
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on radiator-announce at open.com.au
>> To unsubscribe, email 'majordomo at open.com.au' with
>> 'unsubscribe radiator' in the body of the message.
>>
>>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>


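Hugh's reasoning in the thread (a request that tcpdump sees on the interface but that never appears in a Trace 4 log must be dropped between the interface and radiusd) can be turned into a mechanical check. The Python below is an added example, not code from the thread or from Radiator; its tcpdump and log lines are constructed to resemble the ones quoted above, and the DNS hostname in the capture is a placeholder.

```python
import re
from collections import Counter
# Constructed sample modelled on the thread's tcpdump output (not the real capture).
# tcpdump shows UDP port 1645 by its /etc/services name, "datametrics".
CAPTURE = """\
195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req 114 [id 11] Attr[ User{lemy at lemy.ch} ] (DF)
195.141.161.230.1029 > ns2.example.domain:  36594+ PTR? 230.161.141.195.in-addr.arpa. (46) (DF)
195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req 114 [id 11] Attr[ User{lemy at lemy.ch} ] (DF)
195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req 114 [id 11] Attr[ User{lemy at lemy.ch} ] (DF)
195.141.161.202.32841 > 195.141.161.230.datametrics:  rad-access-req 114 [id 11] Attr[ User{lemy at lemy.ch} ] (DF)
"""
# Constructed Trace 4 log from the same host: only the local radpwtst test appears.
LOG = """\
Fri Jul 16 08:17:07 2004: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1029 ....
Code:       Access-Request
Identifier: 142
Fri Jul 16 08:17:07 2004: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1029 ....
Code:       Access-Accept
Identifier: 142
"""
WIRE_RE = re.compile(r"^(?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > [\w.\-]+:"
                     r"\s+rad-access-req \d+ \[id (?P<id>\d+)\]")
RECV_RE = re.compile(r"^\*\*\* Received from (?P<src>\d+\.\d+\.\d+\.\d+) port (?P<sport>\d+)")
ID_RE = re.compile(r"^Identifier:\s+(?P<id>\d+)")

def wire_requests(capture):
    """Count Access-Requests per (src, sport, id) seen by tcpdump; a repeated
    id is the proxy retransmitting because no reply came back."""
    seen = Counter()
    for line in capture.splitlines():
        if m := WIRE_RE.match(line):
            seen[(m["src"], int(m["sport"]), int(m["id"]))] += 1
    return seen

def server_requests(log):
    """Set of (src, sport, id) for every packet radiusd logged as received."""
    handled, pending = set(), None
    for line in log.splitlines():
        if m := RECV_RE.match(line):
            pending = (m["src"], int(m["sport"]))  # its Identifier line follows
        elif (m := ID_RE.match(line)) and pending:  # ids after "Sending to" are skipped
            handled.add(pending + (int(m["id"]),))
            pending = None
    return handled

def unseen_by_server(capture, log):
    """Requests on the wire that radiusd never logged, as (src, sport, id, copies);
    with radiusd known to be listening, a non-empty list means a host filter drops them."""
    handled = server_requests(log)
    return sorted((src, sport, rid, n)
                  for (src, sport, rid), n in wire_requests(capture).items()
                  if (src, sport, rid) not in handled)
```

On the sample data this reports id 11 from the proxy seen four times on the wire (the original plus the three retransmissions the proxy logged) and never by radiusd. Once that is confirmed, the remedy is an iptables rule permitting UDP 1645/1646 from the proxy's address rather than stopping the firewall altogether.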