Question: Troubleshooting FreeRADIUS


Hi

We had an issue where our network security device (Bradford campus manager / Network Sentry) swapped from using our primary FreeRADIUS server to our secondary FreeRADIUS server, however it doesn't seem that the secondary server was functioning correctly.

Here is a snippet of the logs (radius.log):

Thu Jun 18 04:03:26 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)
Thu Jun 18 04:03:39 2015 : Error: rlm_eap: No EAP session matching the State variable.

Thu Jun 18 04:05:22 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)
Thu Jun 18 04:05:30 2015 : Error: rlm_eap_mschapv2: Unexpected response received

Thu Jun 18 04:11:18 2015 : Error: TLS Alert write:fatal:decryption failed

We came in this morning and noticed that it was not working correctly and issued a radiusd restart command, and it started working.

However, I'm keen on trying to find out what caused these errors and see what we can do to stop them occurring.

Is anyone able to assist?

We are running version 2.1.12 of FreeRADIUS on RHEL 5.11

Regards

Pete Fry

Answers


Hi Pete,

This reply is a bit late... I've not looked on here for a while!

None of the errors there mean much I'm afraid.

Thu Jun 18 04:03:26 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)

Someone tried to login with a username of "285843@bathspa.ac.uk", which obviously isn't going to work. (Unless the Jisc web site has messed up the username with HTML markup, in which case it's just a normal failed login.)

Thu Jun 18 04:03:39 2015 : Error: rlm_eap: No EAP session matching the State variable.

The TLS session wasn't known. That can happen for all sorts of reasons, but unless it's happening loads it's not usually indicative of a serious problem. It will often be seen when a new RADIUS server starts being sent in-flight packets (as in your case) or when you restart the RADIUS server (which then doesn't know about existing authentications, so reports this).

Thu Jun 18 04:05:22 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)

Same as above.

Thu Jun 18 04:05:30 2015 : Error: rlm_eap_mschapv2: Unexpected response received

A client sent an MSCHAP response to the server which wasn't in response to a challenge. Likely a buggy client, though this error is unusual.

https://github.com/FreeRADIUS/freeradius-server/blob/release_2_1_12/src/...

Thu Jun 18 04:11:18 2015 : Error: TLS Alert write:fatal:decryption failed

Likely a problem with a client certificate, client software bug or just a bad wireless signal. Not generally indicative of any real problems.

A couple of simple recommendations would be

* Upgrade to a recent version of FreeRADIUS. 2.1.12 has bugs and security issues. Use at least 2.2.9, which is config compatible. Unfortunately Linux distros are really slow at keeping up-to-date, but FR packages are easy to build.

* Run some monitoring on your RADIUS servers so you know that they are always working. For example I've got a script (about to be updated soon) at https://gist.github.com/mcnewton/8c6c54ffc04acf031a08 which will check AD authentication and try and make sure everything is OK (if that's your backend). You can also put together RADIUS checks in Nagios, for example.

I also had something a while ago that may be similar, which is a good reminder about proper monitoring; it may be interesting: http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from...

Hope that helps?!

Matthew
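As an added illustration of the monitoring point above (not code from either poster, and not FreeRADIUS's own tooling): a small Python parser for radius.log lines in the format shown in the question, which counts the message classes discussed in the reply and flags only bursts of "No EAP session matching the State variable" errors, since a few of those after a failover or restart are expected and a flood is not. The sample log lines are constructed from the ones quoted above; the 60-second window and threshold of 5 are assumed values, not recommendations from the thread.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample in the radius.log format quoted in the question.
SAMPLE_LOG = """\
Thu Jun 18 04:03:26 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)
Thu Jun 18 04:03:39 2015 : Error: rlm_eap: No EAP session matching the State variable.
Thu Jun 18 04:05:22 2015 : Auth: Login incorrect: [285843@bathspa.ac.uk] (from client NPLNX-NSCRTL1 port 13 cli 90-b9-31-88-9b-8f via TLS tunnel)
Thu Jun 18 04:05:30 2015 : Error: rlm_eap_mschapv2: Unexpected response received
Thu Jun 18 04:11:18 2015 : Error: TLS Alert write:fatal:decryption failed
"""

# "<weekday> <month> <day> <time> <year> : <level>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}) : (?P<level>\w+): (?P<msg>.*)$")
TS_FMT = "%a %b %d %H:%M:%S %Y"
STATE_ERR = "No EAP session matching the State variable"

def parse(text):
    """Return a list of (timestamp, level, message) for lines that match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # continuation lines, blanks, unknown formats are skipped
        ts = datetime.strptime(" ".join(m.group("ts").split()), TS_FMT)
        events.append((ts, m.group("level"), m.group("msg")))
    return events

def summarise(events):
    """Count the message classes discussed in the reply."""
    c = Counter()
    for _, level, msg in events:
        if STATE_ERR in msg:
            c["stale_state"] += 1
        elif msg.startswith("Login incorrect"):
            c["login_incorrect"] += 1
        elif level == "Error":
            c["other_error"] += 1
    return c

def stale_state_bursts(events, window_s=60, threshold=5):
    """Start times of sliding windows holding >= threshold stale-State errors.
    Assumed thresholds: isolated errors are expected after failover/restart."""
    times = sorted(ts for ts, _, msg in events if STATE_ERR in msg)
    bursts, i = [], 0
    for j, t in enumerate(times):
        while (t - times[i]).total_seconds() > window_s:
            i += 1  # slide the window start forward
        if j - i + 1 >= threshold and (not bursts or bursts[-1] != times[i]):
            bursts.append(times[i])
    return bursts
```

Running this over a live radius.log from cron, and alerting on a non-empty result from stale_state_bursts, gives the early warning the reply asks for without paging on every single stale-session error.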