Discussion:
Freeradius 3 status server
Tim Cheyne
2018-12-08 21:05:54 UTC
Hi
We receive status requests on our version 3 Freeradius (RedHat 7) server periodically from upstream radius proxies also in our company.
Upon investigation I can see that these requests are being rejected.
They come in on UDP port 1645. Looking into status, it would seem that you can't receive status requests from an upstream radius proxy on the same port (1645) that you process auth requests on. You would have to configure 18121 to be allowed through the interconnecting firewalls etc. at both ends.

This is the command I run from another radius (10.241.69.183) and output below it with main status config below that.
10.241.69.183 is also in the clients file and it does have a different secret but I have tried matching that too.
Specifying 1645 as the status port just results in a conflict of ports. Am I missing the point, as I just assumed it was misconfigured on my end?

Thanks for your help
Tim

Command:
echo "Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 1, Response-Packet-Type = Access-Accept"| radclient -x 10.241.69.185:1645 status adminsecret


Log output on radius (.185):
(2) Received Status-Server Id 167 from 10.241.69.183:53816 to 10.241.69.185:1645 length 50
Dropping packet without response because of error: Received packet from 10.241.69.183 with invalid Message-Authenticator! (Shared secret is incorrect.)
Waking up in 0.3 seconds.
(2) Cleaning up request packet ID 167 with timestamp +147
Ready to process requests



/etc/raddb/sites-available/status
==================================

server status {
	listen {
		# ONLY Status-Server is allowed to this port.
		# ALL other packets are ignored.
		type = status

		ipaddr = *
		port = 18121
		#port = 1645
	}

	client admin {
		ipaddr = 127.0.0.1
		secret = adminsecret
	}
	client rad020 {
		ipaddr = 10.241.69.183
		secret = adminsecret
	}
}



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list
Adam Bishop
2018-12-08 21:23:43 UTC
Post by Tim Cheyne
They come in on UDP port 1645. Looking into status it would seem that you can't receive status requests from an upstream radius proxy on the same port (1645) that you process auth requests. You would have to configure 18121 to be allowed thru the interconnecting firewalls etc and at both ends.
That's not correct. The status virtual server is used when you want a dedicated handler for status-server requests. Any virtual server can handle them on any port if you allow it.

The global setting is here:
https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/radiusd.conf.in#L494-L511
Post by Tim Cheyne
Dropping packet without response because of error: Received packet from 10.241.69.183 with invalid Message-Authenticator! (Shared secret is incorrect.)
Your shared secret isn't what you think it is.
Post by Tim Cheyne
/etc/raddb/sites-available/status
Please don't send us default config files - we know what they contain.

If you think something is not working, please send a full debug to the list showing the failure.

Adam Bishop

gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460

jisc.ac.uk

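A worked example of the check that produced the "invalid Message-Authenticator" line in Tim's log. This is added code for this thread, not code from the original posts or from FreeRADIUS: it builds a Status-Server request the way radclient does for the command above (a Message-Authenticator per RFC 2869 and RFC 5997, plus the FreeRADIUS-Statistics-Type VSA), then verifies it server-side against a per-client secret table, which is the decision the server on .185 was making. The client address, identifier 167 and the secret "adminsecret" are the thread's values; the VSA numbering (vendor 11344, attribute 127) is taken from FreeRADIUS's dictionary.freeradius; the log-style strings are constructed to resemble, not reproduce, radiusd's output. The point it shows: the server recomputes HMAC-MD5 over the packet with the secret it has configured for that client IP, and when that secret differs from the client's the HMAC does not match and the packet is dropped without any response, so the client only sees a timeout. (The global setting Adam links to is `status_server = yes` in the `security` section of radiusd.conf; with it enabled, the auth listener on 1645 answers Status-Server itself.)

```python
"""Status-Server request with Message-Authenticator: build (client side) and verify (server side).

Added example for this thread, not code from FreeRADIUS. Standard library only.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12                 # RADIUS Code for Status-Server (RFC 5997)
ATTR_VENDOR_SPECIFIC = 26          # RFC 2865
ATTR_MESSAGE_AUTHENTICATOR = 80    # RFC 2869 section 5.14
FREERADIUS_VENDOR_ID = 11344       # FreeRADIUS vendor id (dictionary.freeradius)
FREERADIUS_STATISTICS_TYPE = 127   # FreeRADIUS-Statistics-Type (dictionary.freeradius)
STATS_AUTHENTICATION = 1           # the value sent in the thread: FreeRADIUS-Statistics-Type = 1


def build_status_server(identifier, secret, request_authenticator=None):
    """Return the bytes radclient would put on the wire for the command in the thread."""
    if request_authenticator is None:
        request_authenticator = os.urandom(16)   # RFC 5997: random Request Authenticator
    # Vendor-Specific: type, length, vendor id, then vendor type / vendor length / value.
    value = struct.pack("!I", STATS_AUTHENTICATION)
    inner = struct.pack("!BB", FREERADIUS_STATISTICS_TYPE, 2 + len(value)) + value
    vsa = struct.pack("!BBI", ATTR_VENDOR_SPECIFIC, 6 + len(inner), FREERADIUS_VENDOR_ID) + inner
    # Message-Authenticator is zero-filled while the HMAC is computed over the whole packet.
    placeholder = struct.pack("!BB", ATTR_MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    attrs = vsa + placeholder
    header = struct.pack("!BBH", STATUS_SERVER, identifier, 20 + len(attrs)) + request_authenticator
    packet = header + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac      # the placeholder is the last attribute, so swap in its value


def parse_attributes(packet):
    """Yield (type, offset, value) for each TLV after the 20-byte header; reject bad lengths."""
    pos = 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header at offset %d" % pos)
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        yield atype, pos, packet[pos + 2:pos + alen]
        pos += alen


def verify_message_authenticator(packet, secret):
    """Recompute HMAC-MD5 over the packet with the MA value zeroed; compare in constant time."""
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    try:
        found = [(pos, val) for atype, pos, val in parse_attributes(packet)
                 if atype == ATTR_MESSAGE_AUTHENTICATOR]
    except ValueError:
        return False
    if len(found) != 1 or len(found[0][1]) != 16:
        return False            # RFC 5997: exactly one 16-byte Message-Authenticator is required
    pos, received = found[0]
    zeroed = packet[:pos + 2] + bytes(16) + packet[pos + 18:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, received)


def handle_status_server(packet, src_ip, clients):
    """Server-side decision for one datagram; returns a constructed log-style verdict."""
    secret = clients.get(src_ip)          # secret is looked up by source IP, as in clients.conf
    if secret is None:
        return "Ignoring request from unknown client %s" % src_ip
    if len(packet) < 20:
        return "Ignoring malformed packet from %s" % src_ip
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != STATUS_SERVER:
        return "Ignoring non-Status-Server packet (code %d) from %s" % (code, src_ip)
    if not verify_message_authenticator(packet, secret):
        return ("Dropping packet without response because of error: Received packet from %s "
                "with invalid Message-Authenticator! (Shared secret is incorrect.)" % src_ip)
    return "Received Status-Server Id %d from %s length %d: Message-Authenticator ok" % (
        ident, src_ip, length)


if __name__ == "__main__":
    # Constructed scenario matching the thread: .183 probes .185, identifier 167, secret adminsecret.
    request = build_status_server(167, b"adminsecret")
    clients_ok = {"10.241.69.183": b"adminsecret"}
    clients_mismatch = {"10.241.69.183": b"some-other-secret"}
    print(len(request))   # 50 bytes, the same length the .185 log reported
    print(handle_status_server(request, "10.241.69.183", clients_ok))
    print(handle_status_server(request, "10.241.69.183", clients_mismatch))
```

The built packet is 50 bytes, the same length as the one in the .185 log, because it carries exactly the two attributes radclient sent: the 12-byte FreeRADIUS-Statistics-Type VSA and the 18-byte Message-Authenticator. Because the HMAC is keyed with the shared secret, a mismatch between the client's secret and the server's clients.conf entry for that source address is indistinguishable on the wire from a tampered packet, and both are silently discarded, so "no reply" from a status probe is usually a secret problem rather than a port problem.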
Tim Cheyne
2018-12-09 08:52:04 UTC
Thanks Adam. I was blinded by all the wooden trees. Understand it now.
