Discussion:
Freeradius 3 status server
(too old to reply)
Tim Cheyne
2018-12-08 21:05:54 UTC
Permalink
Hi
we receive status requests on our version 3 Freeradius (RedHat 7) server periodically from upstream radius proxies also in our company.
Upon investigation I can see that these requests are being rejected.
They come in on UDP port 1645. Looking into status it would seem that you can't receive status requests from an upstream radius proxy on the same port (1645) that you process auth requests. You would have to configure 18121 to be allowed thru the interconnecting firewalls etc and at both ends.

This is the command I run from another radius (10.241.69.183) and output below it with main status config below that.
10.241.69.183 is also in the clients file and it does have a different secret but I have tried matching that too.
Specifying 1645 as status port just results in conflict of ports. Am I missing the point as I just assumed it was misconfigured on my end.

Thanks for your help
Tim

Command:
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1, Response-Packet-Type = Access-Accept"| radclient -x 10.241.69.185:1645 status adminsecret


Log output on radius (.185):
(2) Received Status-Server Id 167 from 10.241.69.183:53816 to 10.241.69.185:1645 length 50
Dropping packet without response because of error: Received packet from 10.241.69.183 with invalid Message-Authenticator! (Shared secret is incorrect.)
Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 167 with timestamp +147
Ready to process requests



/etc/raddb/sites-available/status
==================================

server status {
listen {
# ONLY Status-Server is allowed to this port.
# ALL other packets are ignored.
type = status

ipaddr = *
port = 18121
#port = 1645
}

client admin {
ipaddr = 127.0.0.1
secret = adminsecret
}
client rad020 {
ipaddr = 10.241.69.183
secret = adminsecret
}


This email, including any attachments, is confidential. If you have received this email in error, please let me know and then delete it - do not read, use, or distribute it or its contents. This email does not designate an information system for the purposes of the Contract and Commercial Law Act 2017.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
Adam Bishop
2018-12-08 21:23:43 UTC
Permalink
Post by Tim Cheyne
They come in on UDP port 1645. Looking into status it would seem that you can't receive status requests from an upstream radius proxy on the same port (1645) that you process auth requests. You would have to configure 18121 to be allowed thru the interconnecting firewalls etc and at both ends.
That's not correct. The status virtual server is used when you want a dedicated handler for status-server requests. Any virtual server can handle them on any port if you allow it.

The global setting is here:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/radiusd.conf.in#L494-L511
Post by Tim Cheyne
Dropping packet without response because of error: Received packet from 10.241.69.183 with invalid Message-Authenticator! (Shared secret is incorrect.)
Your shared secret isn't what you think it is.
Post by Tim Cheyne
/etc/raddb/sites-available/status
Please don't send us default config files - we know what they contain.

If you think something is not working, please send a full debug to the list showing the failure.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/
Tim Cheyne
2018-12-09 08:52:04 UTC
Permalink
Thanks Adam. I was blinded by all the wooden trees. Understand it now.

-----Original Message-----
From: Freeradius-Users <freeradius-users-bounces+tim.cheyne=***@lists.freeradius.org> On Behalf Of Adam Bishop
Sent: Sunday, 9 December 2018 10:24 a.m.
To: FreeRadius users mailing list <freeradius-***@lists.freeradius.org>
Subject: Re: Freeradius 3 status server
Post by Tim Cheyne
They come in on UDP port 1645. Looking into status it would seem that you can't receive status requests from an upstream radius proxy on the same port (1645) that you process auth requests. You would have to configure 18121 to be allowed thru the interconnecting firewalls etc and at both ends.
That's not correct. The status virtual server is used when you want a dedicated handler for status-server requests. Any virtual server can handle them on any port if you allow it.

The global setting is here:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/radiusd.conf.in#L494-L511
Post by Tim Cheyne
Dropping packet without response because of error: Received packet from 10.241.69.183 with invalid Message-Authenticator! (Shared secret is incorrect.)
Your shared secret isn't what you think it is.
Post by Tim Cheyne
/etc/raddb/sites-available/status
Please don't send us default config files - we know what they contain.

If you think something is not working, please send a full debug to the list showing the failure.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

Jisc is a registered charity (number 1149740) and a company limited by guarantee which is registered in England under Company No. 5747339, VAT No. GB 197 0632 86. Jisc’s registered office is: One Castlepark, Tower Hill, Bristol, BS2 0JA. T 0203 697 5800.

Jisc Services Limited is a wholly owned Jisc subsidiary and a company limited by guarantee which is registered in England under company number 2881024, VAT number GB 197 0632 86. The registered office is: One Castle Park, Tower Hill, Bristol BS2 0JA. T 0203 697 5800.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

This email, including any attachments, is confidential. If you have received this email in error, please let me know and then delete it - do not read, use, or distribute it or its contents. This email does not designate an information system for the purposes of the Contract and Commercial Law Act 2017.


-
List info/subscribe/unsubscribe? See http://www

Loading...