Freeradius/MySQL server not responding to external calls

I am currently building a freeradius (CentOS 7) with MySQL (mariadb) for RADIUS authentication. I can get authentication from localhost tests using radtest. Once I use NTRadPing with the same credentials, I can see packets arriving at the RADIUS server but getting no response (tcpdump). I have verified that the firewall (iptables) is off, I can ping the box, and radiusd -X shows the nas table loading the Windows box I am using NTRadPing from.

> rlm_sql (sql): Opening additional connection (0)
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql (sql): Opening additional connection (1)
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql (sql): Opening additional connection (2)
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql (sql): Opening additional connection (3)
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql (sql): Opening additional connection (4)
> rlm_sql_mysql: Starting connect to MySQL server
> rlm_sql (sql): Processing generate_sql_clients
> rlm_sql (sql) in generate_sql_clients: query is SELECT id, nasname, shortname, type, secret, server FROM nas
> rlm_sql (sql): Reserved connection (4)
> rlm_sql (sql): Executing query: 'SELECT id, nasname, shortname, type, secret, server FROM nas'
> rlm_sql (sql): Adding client rtr.wisenet.lan (buffalo) to global clients list
> rlm_sql (10.24.11.56): Client "buffalo" (sql) added
> rlm_sql (sql): Adding client win7wisenet.wisenet.lan (win7) to global clients list
> rlm_sql (10.24.11.4): Client "win7" (sql) added
> rlm_sql (sql): Released connection (4)
>  } # modules
> radiusd: #### Loading Virtual Servers ####
> server { # from file /etc/raddb/radiusd.conf
> } # server
> server default { # from file /etc/raddb/sites-enabled/default
>  # Creating Auth-Type = digest
>  # Loading authenticate {...}
>  # Loading authorize {...}
>  # Loading preacct {...}
>  # Loading accounting {...}
>  # Loading session {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
> } # server default
> server inner-tunnel { # from file /etc/raddb/sites-enabled/inner-tunnel
>  # Loading authenticate {...}
>  # Loading authorize {...}
> Ignoring "ldap" (see raddb/mods-available/README.rst)
>  # Loading session {...}
>  # Loading post-proxy {...}
>  # Loading post-auth {...}
> } # server inner-tunnel
> radiusd: #### Opening IP addresses and Ports ####
> listen {
>         type = "auth"
>         ipaddr = *
>         port = 0
>    limit {
>         max_connections = 16
>         lifetime = 0
>         idle_timeout = 30
>    }
> }
> listen {
>         type = "acct"
>         ipaddr = 127.0.0.1
>         port = 0
>    limit {
>         max_connections = 16
>         lifetime = 0
>         idle_timeout = 30
>    }
> }
> listen {
>         type = "auth"
>         ipv6addr = ::
>         port = 0
>    limit {
>         max_connections = 16
>         lifetime = 0
>         idle_timeout = 30
>    }
> }
> listen {
>         type = "acct"
>         ipv6addr = ::
>         port = 0
>    limit {
>         max_connections = 16
>         lifetime = 0
>         idle_timeout = 30
>    }
> }
> listen {
>         type = "auth"
>         ipaddr = 127.0.0.1
>         port = 18120
> }
> Listening on auth address * port 1812 as server default
> Listening on acct address 127.0.0.1 port 1813 as server default
> Listening on auth address :: port 1812 as server default
> Listening on acct address :: port 1813 as server default
> Listening on auth address 127.0.0.1 port 18120 as server inner-tunnel
> Opening new proxy socket 'proxy address * port 0'
> Listening on proxy address * port 51000
> Ready to process requests

tcpdump output:

[root@dhcp13 ~]# tcpdump -i eno16777736 dst port 1812
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eno16777736, link-type EN10MB (Ethernet), capture size 65535 bytes
11:22:54.963548 IP win7wisenet.wisenet.lan.55314 > dhcp13.wisenet.lan.radius: RADIUS, Access Request (1), id: 0x21 length: 45
11:22:58.473151 IP win7wisenet.wisenet.lan.55314 > dhcp13.wisenet.lan.radius: RADIUS, Access Request (1), id: 0x21 length: 45

I will mention that CentOS is running on Workstation 11. Is there anywhere else I should look? Thanks.

Answer 1

Oddly enough, after turning the firewall on (and a getenforce check), everything works. In the MySQL nas table, I had to set the nas name to the IP address, even though it appeared to resolve via DNS.
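
An added diagnostic, not part of the original post or of FreeRADIUS: it pairs the `Adding client` and `added` lines from `radiusd -X` output, flags `nas` rows whose `nasname` depends on DNS, and lists packet source addresses (for example from `tcpdump -n`) that match no registered client. The sample log is constructed, the function names are hypothetical, and it assumes the value in parentheses on the `added` line is the address the client was registered under.

```python
import ipaddress
import re

# Constructed sample in the shape of the radiusd -X lines quoted in the question;
# the third client ("lab", 10.24.11.9) is invented for contrast.
SAMPLE_DEBUG = """\
rlm_sql (sql): Adding client rtr.wisenet.lan (buffalo) to global clients list
rlm_sql (10.24.11.56): Client "buffalo" (sql) added
rlm_sql (sql): Adding client win7wisenet.wisenet.lan (win7) to global clients list
rlm_sql (10.24.11.4): Client "win7" (sql) added
rlm_sql (sql): Adding client 10.24.11.9 (lab) to global clients list
rlm_sql (10.24.11.9): Client "lab" (sql) added
"""

ADDING = re.compile(r"Adding client (\S+) \(([^)]+)\) to global clients list")
ADDED = re.compile(r'rlm_sql \(([^)]+)\): Client "([^"]+)" \(sql\) added')

def is_literal_address(value):
    """True if the value is an IP address or CIDR block, i.e. needs no DNS lookup."""
    try:
        ipaddress.ip_network(value, strict=False)
        return True
    except ValueError:
        return False

def audit_clients(debug_text):
    """Pair each 'Adding client' line with its 'added' line, keyed by shortname."""
    nasname_by_short, clients = {}, []
    for line in debug_text.splitlines():
        adding, added = ADDING.search(line), ADDED.search(line)
        if adding:
            nasname_by_short[adding.group(2)] = adding.group(1)
        elif added and added.group(2) in nasname_by_short:
            nasname = nasname_by_short[added.group(2)]
            clients.append({
                "shortname": added.group(2),
                "nasname": nasname,
                "registered_as": added.group(1),  # assumed: address the client is stored under
                "dns_dependent": not is_literal_address(nasname),
            })
    return clients

def unmatched_sources(clients, source_ips):
    """Packet source addresses that fall under no registered client address."""
    nets = [ipaddress.ip_network(c["registered_as"], strict=False)
            for c in clients if is_literal_address(c["registered_as"])]
    return [ip for ip in source_ips
            if not any(ipaddress.ip_address(ip) in net for net in nets)]
```
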
