LinuxQuestions.org
Old 01-17-2011, 12:27 PM   #1
sotmg
LQ Newbie
 
Registered: Jan 2011
Distribution: FreeBSD
Posts: 4

Rep: Reputation: 0
pfSense & Error sending request: No valid RADIUS responses received


I have enabled captive portal in pfSense and all settings are OK, the internet is connected and works with the User Manager. Now I have enabled RADIUS on default port and with no shared secret.

I made a small program for my small network. It listens for connections on UDP 1812, which works fine: I get the Access-Request packet and use it to get information about the client, but when I send back the Access-Accept packet it gets discarded, I think.

I read the following pages to learn the packet format:
http://technet.microsoft.com/en-us/l.../cc958030.aspx
http://rfc-ref.org/RFC-TEXTS/2865/chapter3.html
and a few more.

Access-Accept packet format:
byte 0 == Code 2
byte 1 == Identifier (same as Access-Request packet)
byte 2-3 == Length of this packet (always 20 bytes)
byte 4-20 == MD5 hash of this packet's first 4 bytes and Access-Request's Authenticator bytes

20 bytes total.

pfSense returns: "Error sending request: No valid RADIUS responses received "

So, does anyone know what could cause such a thing? the packet built looks fine to me.

Screenshot:
http://i.imgur.com/V9CSD.jpg
 
Old 01-18-2011, 04:53 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963
can you use a tool like radtest to be a temporary client?
 
Old 01-18-2011, 05:22 AM   #3
sotmg
LQ Newbie
 
Registered: Jan 2011
Distribution: FreeBSD
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
can you use a tool like radtest to be a temporary client?
Since I am not using FreeRADIUS I can't, I am using pfSense and my program works as RADIUS server.

I only need to process Access-Request and send back an Access-Accept packet, so for me it was faster and easier to make my own small program than to configure a FreeRADIUS server.

The thing is, this Access-Accept packet I build is according to RFC2865: 20 bytes must be sent, and attributes are sent only if needed. I can't see where the problem could be in those 20 bytes. If only this pfSense was giving more detailed information in its logs about the packet rather than silently discarding it like an arrogant bitch, it would have been nicer.
 
Old 01-18-2011, 05:37 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,384

Rep: Reputation: 1963
why can't you use it? Just because radtest comes from FreeRadius, you can still use the binaries.
 
Old 01-18-2011, 12:23 PM   #5
sotmg
LQ Newbie
 
Registered: Jan 2011
Distribution: FreeBSD
Posts: 4

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by acid_kewpie
why can't you use it? Just because radtest comes from FreeRadius, you can still use the binaries.
I didn't have it ready, but I installed it and tried it.

This command keeps trying:
#radtest test test 192.168.199.97:1812 1 i486net

Then it says this:
radclient: no response from server for ID 94

I checked the packets with Wireshark, check the screenshots.
Attached Images
File Type: jpg radius.JPG (66.8 KB, 5 views)
File Type: jpg request.JPG (149.9 KB, 4 views)
File Type: jpg accept.JPG (133.2 KB, 3 views)
 
Old 01-20-2011, 11:50 AM   #6
sotmg
LQ Newbie
 
Registered: Jan 2011
Distribution: FreeBSD
Posts: 4

Original Poster
Rep: Reputation: 0
I checked FreeRADIUS's source code and found that they reply back with attributes and any other text they got.

Quote:
...
/*
* Reply to the request. Also attach
* reply attribute value pairs and any user message provided.
*/
int rad_send(RADIUS_PACKET *packet, const RADIUS_PACKET *original,
...
and I read the following page: http://fengnet.com/book/RADIUS/05960...-2-sect-3.html and built a packet according to their Figure 2-3. A typical Access-Accept packet diagram, but it is still the same.
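
Added example (not part of the original thread, and not pfSense or FreeRADIUS code): the Response Authenticator calculation from RFC 2865 section 3, together with the check a RADIUS client applies before trusting a reply. RFC 2865 defines the field as MD5 over Code, Identifier, Length, the Request Authenticator, any response attributes and the shared secret; the sample request bytes, the secret and the function names below are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
# Constructed sample values, not taken from the thread's captures.
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_REQUEST = struct.pack("!BBH", ACCESS_REQUEST, 94, 20) + bytes(range(16))

def response_authenticator(code, ident, length, request_auth, attributes, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, length)  # Length is big-endian
    return hashlib.md5(header + request_auth + attributes + secret).digest()

def build_access_accept(request, secret, attributes=b""):
    """Build an Access-Accept answering the raw Access-Request bytes."""
    if len(request) < HEADER_LEN:
        raise ValueError("request shorter than the RADIUS header")
    code, ident, req_len = struct.unpack("!BBH", request[:4])
    if code != ACCESS_REQUEST or not HEADER_LEN <= req_len <= len(request):
        raise ValueError("not a well-formed Access-Request")
    length = HEADER_LEN + len(attributes)
    auth = response_authenticator(ACCESS_ACCEPT, ident, length, request[4:20], attributes, secret)
    return struct.pack("!BBH", ACCESS_ACCEPT, ident, length) + auth + attributes

def client_accepts(reply, request, secret):
    """Client-side check: matching Identifier and a valid Response Authenticator."""
    if len(reply) < HEADER_LEN or len(request) < HEADER_LEN:
        return False
    code, ident, length = struct.unpack("!BBH", reply[:4])
    if ident != request[1] or not HEADER_LEN <= length <= len(reply):
        return False
    expected = response_authenticator(code, ident, length, request[4:20], reply[20:length], secret)
    return hmac.compare_digest(expected, reply[4:20])

if __name__ == "__main__":
    good = build_access_accept(SAMPLE_REQUEST, SAMPLE_SECRET)
    print(len(good), good.hex())
    print("client accepts:", client_accepts(good, SAMPLE_REQUEST, SAMPLE_SECRET))
    # A reply hashed without the secret fails on a client that has one configured.
    no_secret = build_access_accept(SAMPLE_REQUEST, b"")
    print("hashed without secret:", client_accepts(no_secret, SAMPLE_REQUEST, SAMPLE_SECRET))
```

A reply whose authenticator does not verify is dropped by the client without an error reply, so comparing the captured authenticator against this calculation is a quick way to test a hand-built server.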
 
  

