[afnog] RADIUS error

Brian Candler B.Candler at pobox.com
Wed Aug 16 20:23:40 SAST 2006


On Tue, Aug 15, 2006 at 04:58:40PM +0300, Mike Barnard wrote:
> hi, i have a strange error occuring on my RADIUS server...ICRADIUS running
> on SuSE 9.0. first, i have no prior setup knowledge of RADIUS, but from the
> little checking, it seems like this install was done from sources, rpm -qa
> does not show anything close to radius.

Then you have a difficult system to maintain; firstly because any upgrading
will require recompiling and reinstalling, and secondly because you can't be
sure exactly what options ICRADIUS was built with in the first place, so
upgrading may break your existing setup.

You might be wise to set up a system which you *can* maintain. Build a test
box, compile ICRADIUS from scratch (or install it from a pre-built package),
make sure it has all the functionality you require, and _document_ every
step that you took to make it work. Then roll this out onto your live
system.

> i started by getting duplicate authentication errors and then passwords got
> scrambled...
> 
> Mon Aug 14 14:49:47 2006: Error: Dropping duplicate authentication packet
> from client patton - ID: 39 Mon Aug 14 14:49:57 2006: Error: Dropping
> duplicate authentication packet from client patton - ID: 39
> Mon Aug 14 14:50:07 2006: Error: Dropping duplicate authentication packet

"Duplicate authentication packet" generally means that either the RADIUS
server didn't send a reply; or it sent a reply but it got lost; or it sent a
reply which was somehow invalid so was ignored by the NAS.

Or maybe there was a problem which meant that it was taking so long to
process a request that the NAS assumed it must have got lost, so sent again.
Usually the NAS will wait several seconds before retrying though.

> from client patton - ID: 39 Mon Aug 14 14:55:20 2006: Error: Killing
> unresponsive child pid 3075
> Mon Aug 14 14:55:21 2006: Info: CHILD: exit.

That might also indicate that a process got stuck handling a particular
request, and so the radius server decided to kill it.

It's hard to say why this might be, since you give very little info about
your setup. For example, if you have a Mysql database backend, then maybe
Mysql isn't responding to the queries that are being sent to it.

> only the clients who were trying to dial in at the moment the system
> came up managed to get in, after that, no one else was able to login...this
> time it was scrambling the passwords....yes i checked and made sure that the
> secret phrase on both NAS and RADIUS were the same, redid them just to
> ensure that, but it still gave the same error:
> 
> Mon Aug 14 15:10:24 2006: Info: Starting - reading configuration files ...
> Mon Aug 14 15:10:24 2006: Info: SQL: Attempting to connect to
> radius at localhost:radius Mon Aug 14 15:10:27 2006: Info: Ready to process
> requests.
> Mon Aug 14 15:21:59 2006: Auth: Login OK: [steakout at ieazy] (from nas
> patton/S40) socket 0 (0 sec)
> Mon Aug 14 15:25:52 2006: Auth: Login OK: [bridget at ieazy] (from nas
> patton/S31) socket 0 (0 sec)
> Mon Aug 14 16:00:48 2006: Auth: Login incorrect: 
> [obernosterer at ieazy/??Ê¥???Ó
> ÏÕ´[/]S] Password should be 'xxxxxxxxx' (from nas patton/S31 cli 772772084)
> Mon Aug 14 16:00:58 2006: Auth: Login incorrect: 
> [obernosterer at ieazy/??Ê¥???Ó
> ÏÕ´[/]S] Password should be 'xxxxxxxxx' (from nas patton/S31 cli 772772084)

That does look like a wrong secret. Where is the RADIUS server getting its
secrets from? Perhaps that's from Mysql or the like too, and that's failing?

It's possible (although tedious) to prove for yourself whether the passwords
have been encrypted with the correct secret. You dump the raw packets using
"tcpdump -i eth0 -n -s1500 -vX udp port 1812", and follow the procedures in
RFC 2865 for decrypting the User-Password field. If you're not experienced
in hacking around the raw innards of binary protocols, you may find this a
bit difficult.

> as of this writing, no packets are being sent from my NAS to the RADIUS
> server.

Maybe because the RADIUS server isn't sending responses, the NAS has marked
it as being dead.

> i can log into my NAS, i can access the management webpage too. but
> no packets are being sent to RADIUS.

See if the NAS has an option to show the status of its RADIUS servers.

> i have run tcpdump on RADIUS and i pick
> nothing at all this time.
> 
> any ideas??? im really stuck

I think you need to (a) understand the innards of your RADIUS server a bit
more, and (b) be able to install a working RADIUS server that you're
comfortable with, given the one that you've inherited is undocumented and
seems to be broken or at least difficult to debug.

If I were you, and I needed to get service up and running quickly, I'd
install a different RADIUS server, and get it working in the simplest
possible way (e.g. install freeradius, using the plain text 'users' file to
hold usernames and passwords). If this works then you have a baseline to
compare your ICRADIUS setup against.

If you're not in an urgent loss-of-service situation, then I would try to
build my chosen radius server from scratch on a test system and document it,
as described above, and test it using 'radtest' or 'radclient' (so you don't
have to mess with your live NAS). When you're happy that you have all the
functionality you need, *and* you understand how it works, how to extract
logs from it and debug it, then you can roll it out live.

Sorry I can't give any more simple or specific suggestions - I'm not
familiar with ICRADIUS.

Regards,

Brian.



More information about the afnog mailing list