[RADIATOR] AuthBy LDAP2 and FailureBackoffTime

Heikki Vatiainen hvn at open.com.au
Wed Jun 9 16:23:53 UTC 2021 

On 8.6.2021 16.31, Jan Tomasek wrote:

> On 08. 06. 21 15:16, Jan Tomasek wrote:
>> I also attached log example. I just realized, that access-reject is 
>> produced for transmitted request. 
> 
> I mean re-transmitted, here is client side:

Thanks for the config and the logs. I think we can get this fixed 
easily. Your Radiator config has 'DupInterval 0' in the <Client ...>
clause. For this reason Access-Request with id 7 is not detected as a 
duplicate by Radiator and it's written to OpenSSL, which then correctly 
does not like it.

The default DupInterval is 10 (seconds). The configuration samples used 
to have 0 for testing purposes, but this is no longer needed and the 
default is fine for the most cases.

Even with the default DupInterval there still can be a problem that the 
TLS handshake is done before LDAP is attempted. When LDAP access is 
attempted IGNORE is returned but before that TLS handhsake can be done.

Please let us know if the default DupInterval helps.

Thanks,
Heikki

> ....
> Received RADIUS message
> RADIUS message: code=11 (Access-Challenge) identifier=6 length=101
>     Attribute 79 (EAP-Message) length=63
>        Value: 
> 0184003d190017030300323668f2957c308bb0bfc6202524c4a07cbe9bfe969bc66b9656360d496737327fabb94c9dc064d535fa50969b120ea0b0ec2c 
> 
>     Attribute 80 (Message-Authenticator) length=18
>        Value: 1e0905ad595712969322e32c4677dfa2
> Sending RADIUS message to authentication server
> RADIUS message: code=1 (Access-Request) identifier=7 length=290
>     Attribute 1 (User-Name) length=20
>        Value: 'netsaint at cesnet.cz'
>     Attribute 4 (NAS-IP-Address) length=6
>        Value: 127.0.0.1
>     Attribute 31 (Calling-Station-Id) length=19
>        Value: '70-6F-6C-69-01-F7'
>     Attribute 12 (Framed-MTU) length=6
>        Value: 1400
>     Attribute 61 (NAS-Port-Type) length=6
>        Value: 19
>     Attribute 6 (Service-Type) length=6
>        Value: 2
>     Attribute 77 (Connect-Info) length=79
>        Value: 'ermon.cesnet.cz is testing realm cesnet.cz at radius 
> server radius1.cesnet.cz'
>     Attribute 79 (EAP-Message) length=110
>        Value: 
> 0284006c1900170303006195c79d1ad87c61c5396bf6d4ea7984cbe4263bcd95f3944bf5f58ac85aa7dc0d3aefd4eafe069d557b67cb68e86fdb910f97bd928240bc375e2885175a8cb2d231b63a86a5a564eb3d8b63977243b3e485e5405eca5db08ce746ba4bed15f0ce31 
> 
>     Attribute 80 (Message-Authenticator) length=18
>        Value: 4dea5652d58321283164c6c12bdb323c
> STA 70:6f:6c:69:01:f7: Resending RADIUS message (id=7)
> Received RADIUS message
> RADIUS message: code=3 (Access-Reject) identifier=7 length=60
>     Attribute 79 (EAP-Message) length=6
>        Value: 04840004
>     Attribute 80 (Message-Authenticator) length=18
>        Value: 5d71bbb4c23aabcff00098829a478142
>     Attribute 18 (Reply-Message) length=16
>        Value: 'Request Denied'
> 
> Please note, that "Resending RADIUS message (id=7)" after which reject 
> come.
> 
> Sorry for double post.

-- 
Heikki Vatiainen <hvn at open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, TACACS+, PAM, Active Directory,
EAP, TLS, TTLS, PEAP, WiMAX, RSA, Vasco, Yubikey, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, etc.

More information about the radiator mailing list