tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Radius - 'no radius server found for 0d:02'

Thu Aug 08, 2013 8:32 pm

Greetings,

I'm at a loss as to why I'm seeing this error and unable to attempt User login authentication via Radius. I'm at a development stage in setup and testing. I've reviewed a number of posts both related to User Manager and FreeRadius and have not found any information to shed light on this problem. Perhaps someone might have some insight on this issue. As you will notice, the router is talking to the Radius server and in fact sending and receiving an Accounting-Request. However, when attempting to send an Access-Request the router log indicates it can't reach the Radius server. This makes no sense. The router is set up on a bench in my NOC. There are no FW rules, NAT'ing, or Masq on the router. Ping and routing are good, as evidenced by the sending and receipt of the Accounting-Request. I have increased Timeout to 2s as well. Any ideas what might be my issue; something obvious I'm overlooking? Please let me know if there is something I can provide to assist. Thank you very much.

RB750GL RouterOS v5.25 (tried 5.18, 5.22) - IP 10.10.0.10
FreeRADIUS Version 2.1.10, for host x86_64-pc-linux-gnu - IP 10.0.0.28

What I see on the router:
jan/02/1970 00:01:09 radius,debug sending 05:00 to 10.0.0.28:1813
jan/02/1970 00:01:09 radius,debug,packet sending Accounting-Request with id 5 to 10.0.0.28:1813
jan/02/1970 00:01:09 radius,debug,packet     Signature = 0xd0994a75ee2088f7f7de896a08514e98
jan/02/1970 00:01:09 radius,debug,packet     Acct-Status-Type = 7
jan/02/1970 00:01:09 radius,debug,packet     NAS-Identifier = "MikroTik"
jan/02/1970 00:01:09 radius,debug,packet     Acct-Delay-Time = 0
jan/02/1970 00:01:09 radius,debug,packet     NAS-IP-Address = 10.10.0.10
jan/02/1970 00:01:09 radius,debug,packet received Accounting-Response with id 5 from 10.0.0.28:1813
jan/02/1970 00:01:09 radius,debug,packet     Signature = 0xa9a7880868d30cfa1d553b46e513dd13
jan/02/1970 00:01:09 radius,debug received reply for 05:00
17:04:19 radius,debug new request 0d:02 code=Access-Request service=login
17:04:19 radius,debug no radius server found for 0d:02
17:04:19 radius,debug timeout for 0d:02
Also, the Radius counters are not incrementing as I make attempts to login
[admin@MikroTik] /radius> monitor 0
           pending: 0
          requests: 6
           accepts: 1
           rejects: 0
           resends: 0
          timeouts: 5
       bad-replies: 0
  last-request-rtt: 10ms
What I see on the server side:
rad_recv: Accounting-Request packet from host 10.10.0.10 port 43000, id=5, length=48
	Acct-Status-Type = Accounting-On
	NAS-Identifier = "MikroTik"
	Acct-Delay-Time = 0
	NAS-IP-Address = 10.10.0.10
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 10.10.0.10,NAS-IP-Address = 10.10.0.10,,'
[acct_unique] Acct-Unique-Session-ID = "6c7617ab6a50b15d".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++[files] returns noop
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+- entering group accounting {...}
[detail] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.0.10/detail-20130808
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.0.10/detail-20130808
[detail] 	expand: %t -> Thu Aug  8 03:00:44 2013
++[detail] returns ok
++[unix] returns noop
[radutmp] 	expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
rlm_radutmp: NAS 10.10.0.10 restarted (Accounting-On packet seen)
rlm_radutmp: Error accessing file /var/log/freeradius/radutmp: No such file or directory
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] 	expand: %{User-Name} -> 
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 5 to 10.10.0.10 port 43000
Finished request 1.
Cleaning up request 1 ID 5 with timestamp +1181
Going to the next request
Ready to process requests.
Router Radius Config
[admin@MikroTik] /radius> print detail
Flags: X - disabled 
 0   service=login,hotspot called-id="mtr_bench" domain="test" address=10.0.0.28 secret="testing123" authentication-port=1812 
     accounting-port=1813 timeout=2s accounting-backup=no realm="" src-address=10.10.0.10 
Server Firewall (relative portion)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]

# Keep state.
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

# Loop device.
-A INPUT -i lo -j ACCEPT

# Radius
-A INPUT -p udp -s 10.10.0.10 --dport 1812 -i eth0 -j ACCEPT 
-A INPUT -p udp -s 10.10.0.10 --dport 1813 -i eth0 -j ACCEPT 
-A INPUT -p udp -s 10.10.0.10 --dport 1814 -i eth0 -j ACCEPT
root@radiusdev:/etc/freeradius# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     udp  --  10.10.0.10           anywhere             udp dpt:radius
ACCEPT     udp  --  10.10.0.10           anywhere             udp dpt:radius-acct
ACCEPT     udp  --  10.10.0.10           anywhere             udp dpt:1814
ACCEPT     udp  --  x.x.x.x            anywhere             udp dpt:snmp
ACCEPT     udp  --  x.x.x.x          anywhere             udp dpt:snmp
ACCEPT     udp  --  x.x.x.x         anywhere             udp dpt:snmp
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     tcp  --  x.x.x.x            anywhere             tcp dpt:ssh
ACCEPT     tcp  --  x.x.x.x          anywhere             tcp dpt:ssh
ACCEPT     tcp  --  x.x.x.x         anywhere             tcp dpt:ssh
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request
ACCEPT     tcp  --  x.x.x.x         anywhere             tcp dpt:mysql
ACCEPT     tcp  --  x.x.x.x         anywhere             tcp dpt:20133
ACCEPT     tcp  --  anywhere             anywhere             tcp dpt:http limit: avg 25/min burst 100

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination 
Radius Config (/etc/freeradius/clients.conf and users)
client localhost {
	ipaddr = 127.0.0.1
	secret = testing123
	require_message_authenticator = no
	nastype = other
}

client dw_test {
	ipaddr = 10.10.0.9
	secret = testing123
	require_message_authenticator = no
	nastype = other
}

client 10.10.0.10 {
#	ipaddr = 10.10.0.10
	secret = testing123
	require_message_authenticator = no
	nastype = other
}
"noctester" ClearText-Password := "mytestpw"
        Reply-Message = "Hello, %{User-Name}"
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Radius - 'no radius server found for 0d:02'

Sat Aug 10, 2013 3:03 am

Please anyone, I could sure use some assistance with why the Mikrotik believes the Radius server isn't reachable when it just sent and received an Account-Request.

Thank you very much
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Radius - 'no radius server found for 0d:02'

Sat Aug 10, 2013 11:10 am

If you do not see any requests in the RADIUS log, do you have both ports 1812 and 1813 open on the FreeRADIUS server firewall? Sounds like maybe port 1812 is closed. Just a thought.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Radius - 'no radius server found for 0d:02'

Sat Aug 10, 2013 8:24 pm

Hi,

I have verified that I have all the radius ports open with the proper protocol. That's what's so strange. Torching the traffic on my WAN interface shows no traffic to my radius server, no udp port 1812, and the radius statistics don't increment. I'm stumped.

=)

Before login attempt
[admin@MikroTik] /radius> monitor 0
           pending: 0
          requests: 11
           accepts: 0
           rejects: 0
           resends: 0
          timeouts: 11
       bad-replies: 0
  last-request-rtt: 0ms
After login attempt
[admin@MikroTik] /radius> monitor 0
           pending: 0
          requests: 11
           accepts: 0
           rejects: 0
           resends: 0
          timeouts: 11
       bad-replies: 0
  last-request-rtt: 0ms
My radius and users config
[admin@MikroTik] /radius> export
# aug/10/2013 17:15:37 by RouterOS 5.25
# software id = UBT2-WC52
#
/radius
add accounting-backup=no accounting-port=1813 address=10.0.0.28 authentication-port=1812 called-id=mtr_bench disabled=no \
    domain=test realm="" secret=testing123 service=login,hotspot src-address=10.10.0.10 timeout=2s
/radius incoming
set accept=yes port=3799
[admin@MikroTik] /user> export 
# aug/10/2013 17:14:55 by RouterOS 5.25
# software id = UBT2-WC52
#
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy \
    skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy \
    skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=\
    default
/user
add address="" comment="system default user" disabled=no group=full name=admin
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=yes
Radius server reachability
[admin@MikroTik] > ping 10.0.0.8
HOST                                     SIZE TTL TIME  STATUS                                                                
10.0.0.8                                   56  63 0ms  
10.0.0.8                                   56  63 0ms  
10.0.0.8                                   56  63 0ms  
    sent=3 received=3 packet-loss=0% min-rtt=0ms avg-rtt=0ms max-rtt=0ms 
Selection_009.png
Here is my freeradius status
Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on authentication address 127.0.0.1 port 18120 as server inner-tunnel
Listening on proxy address * port 1814
Ready to process requests.
And another look at my firewall rules
root@radiusdev:/home/tonyd# iptables --list
Chain INPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state RELATED,ESTABLISHED
whitelist  tcp  --  anywhere             anywhere             tcp dpt:ssh
whitelist  udp  --  anywhere             anywhere             udp dpt:snmp
DROP       tcp  --  anywhere             anywhere             tcp dpt:telnet
whitelist  tcp  --  anywhere             anywhere             tcp dpt:http
whitelist  tcp  --  anywhere             anywhere             tcp dpt:https
ACCEPT     udp  --  anywhere             anywhere             udp dpt:radius
ACCEPT     udp  --  anywhere             anywhere             udp dpt:radius-acct
ACCEPT     udp  --  anywhere             anywhere             udp dpt:1814
ACCEPT     icmp --  anywhere             anywhere             icmp echo-request state NEW,RELATED,ESTABLISHED limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp destination-unreachable limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp redirect limit: avg 30/sec burst 5
ACCEPT     icmp --  anywhere             anywhere             icmp time-exceeded limit: avg 30/sec burst 5
LOG        all  --  anywhere             anywhere             limit: avg 5/min burst 7 LOG level warning
DROP       all  --  anywhere             anywhere            

Chain FORWARD (policy DROP)
target     prot opt source               destination         

Chain OUTPUT (policy DROP)
target     prot opt source               destination         
ACCEPT     all  --  anywhere             anywhere            
ACCEPT     all  --  anywhere             anywhere             state NEW,RELATED,ESTABLISHED

Chain whitelist (4 references)
target     prot opt source               destination         
ACCEPT     all  --  x.x.x.x         anywhere            
ACCEPT     all  --  x.x.x.x          anywhere            
ACCEPT     all  --  x.x.x.x            anywhere            
ACCEPT     all  --  x.x.x.x          anywhere 
=)
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Radius - 'no radius server found for 0d:02'

Sat Aug 10, 2013 9:02 pm

Post "/ip hotspot profile". What I will be looking for is the "radius-default-domain" setting. If it is not set to "test", then it won't use that radius server for authentication by default. You would need to login using "username@test" as a user.

Or remove the "domain" setting in your "/radius" section.
/radius
set 0 domain=""
And not an export. Use "/ip hotspot profile print".
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Radius - 'no radius server found for 0d:02'

Sat Aug 10, 2013 11:56 pm

Hey SurferTim,

Here's the hotspot output. I tried removing the domain from the radius config, unfortunately no change. Regarding the hotspot, I do have that checked in the Radius config, but not using it. Not yet past getting user login to work.

Thanks so much!
[admin@MikroTik] > /ip hotspot profile print
Flags: * - default 
 0 * name="default" hotspot-address=0.0.0.0 dns-name="" html-directory=hotspot 
     rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 
     login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no 
     use-radius=no
[admin@MikroTik] > /radius print detail
Flags: X - disabled 
 0   service=login called-id="mtr_bench" domain="" address=10.0.0.28 
     secret="testing123" authentication-port=1812 accounting-port=1813 
     timeout=2s accounting-backup=no realm="" 
Here's a torch running during the login attempt. There's no call to the radius server. Now an interesting note: when I reboot the router, upon boot-up it sends an Accounting-Request and gets a response. See following torch.
Selection_010.png
Ready to process requests.






rad_recv: Accounting-Request packet from host 10.10.0.10 port 41234, id=5, length=48
	Acct-Status-Type = Accounting-On
	NAS-Identifier = "MikroTik"
	Acct-Delay-Time = 0
	NAS-IP-Address = 10.10.0.10
# Executing section preacct from file /etc/freeradius/sites-enabled/default
+- entering group preacct {...}
++[preprocess] returns ok
[acct_unique] WARNING: Attribute NAS-Port was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute Acct-Session-Id was not found in request, unique ID MAY be inconsistent
[acct_unique] WARNING: Attribute User-Name was not found in request, unique ID MAY be inconsistent
[acct_unique] Hashing ',Client-IP-Address = 10.10.0.10,NAS-IP-Address = 10.10.0.10,,'
[acct_unique] Acct-Unique-Session-ID = "6c7617ab6a50b15d".
++[acct_unique] returns ok
[suffix] Proxy reply, or no User-Name.  Ignoring.
++[suffix] returns ok
++[files] returns noop
# Executing section accounting from file /etc/freeradius/sites-enabled/default
+- entering group accounting {...}
[detail] 	expand: /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d -> /var/log/freeradius/radacct/10.10.0.10/detail-20130810
[detail] /var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands to /var/log/freeradius/radacct/10.10.0.10/detail-20130810
[detail] 	expand: %t -> Sat Aug 10 06:42:51 2013
++[detail] returns ok
++[unix] returns noop
[radutmp] 	expand: /var/log/freeradius/radutmp -> /var/log/freeradius/radutmp
rlm_radutmp: NAS 10.10.0.10 restarted (Accounting-On packet seen)
rlm_radutmp: Error accessing file /var/log/freeradius/radutmp: No such file or directory
++[radutmp] returns ok
++[exec] returns noop
[attr_filter.accounting_response] 	expand: %{User-Name} -> 
++[attr_filter.accounting_response] returns noop
Sending Accounting-Response of id 5 to 10.10.0.10 port 41234
Finished request 0.
Cleaning up request 0 ID 5 with timestamp +11922
Going to the next request
Ready to process requests.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Radius - 'no radius server found for 0d:02'

Sun Aug 11, 2013 12:35 am

I just used radius to login to my test router. I had to test it. If you do not have debug logging enabled, you should do that.
/system logging
add topics=radius,debug action=memory
Then try a login and check the router's log.
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Radius - 'no radius server found for 0d:02'

Sun Aug 11, 2013 1:21 am

I do have debugging enabled. Seeing the "no radius server found" is what seems to be at the root of the problem. However, how can the MTR conclude the server is unreachable if it never "apparently" makes an attempt to reach the server as shown by the torch?

=)
Selection_011.png
 
bhusebye
just joined
Posts: 1
Joined: Sun Aug 11, 2013 2:46 am

Re: Radius - 'no radius server found for 0d:02'

Sun Aug 11, 2013 2:55 am

I'm not that familiar with your setup but from what I can tell, and I fix routers and switches for a living, after quickly scanning the posts, my guess is you need to use an IP address you can route. 10.s won't route.
 
SurferTim
Forum Guru
Posts: 4636
Joined: Mon Jan 07, 2008 10:31 pm
Location: Miramar Beach, Florida

Re: Radius - 'no radius server found for 0d:02'

Sun Aug 11, 2013 4:34 am

I think it is telling you that there is not an entry in "/radius" that qualifies. I was able to get the "No radius server" message by adding the "called-id=mtr_bench" to my /radius settings. Try removing that entry.
/radius
set 0 called-id=""
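
Added example (not part of any post in this thread, and not MikroTik code): a small Python triage of the `radius,debug` lines quoted above, separating a request that never left the router because no `/radius` entry qualified from one that was sent and got no reply. The names `classify`, `PATTERNS` and `HINTS` are hypothetical, and the `0e:02` lines in the sample are constructed for contrast.

```python
import re

# Constructed sample: the 05:00 and 0d:02 lines use the message forms quoted in
# this thread; the 0e:02 request (sent, then timed out) is made up for contrast.
SAMPLE_LOG = """\
jan/02/1970 00:01:09 radius,debug sending 05:00 to 10.0.0.28:1813
jan/02/1970 00:01:09 radius,debug received reply for 05:00
17:04:19 radius,debug new request 0d:02 code=Access-Request service=login
17:04:19 radius,debug no radius server found for 0d:02
17:04:19 radius,debug timeout for 0d:02
17:05:40 radius,debug new request 0e:02 code=Access-Request service=login
17:05:40 radius,debug sending 0e:02 to 10.0.0.28:1812
17:05:42 radius,debug timeout for 0e:02
"""

RID = r"([0-9a-f]{2}:[0-9a-f]{2})"
# "radius,debug " (with the space) skips the separate radius,debug,packet lines.
PATTERNS = {
    "new": re.compile(r"radius,debug new request " + RID + r" code=(\S+) service=(\S+)"),
    "sent": re.compile(r"radius,debug sending " + RID + r" to (\S+)"),
    "reply": re.compile(r"radius,debug received reply for " + RID),
    "no_server": re.compile(r"radius,debug no radius server found for " + RID),
    "timeout": re.compile(r"radius,debug timeout for " + RID),
}
HINTS = {  # wording drawn from the replies in this thread
    "answered": "server replied",
    "never-sent": "no /radius entry qualified; review service, called-id and domain",
    "sent-no-reply": "packet left the router; check path, server firewall, shared secret",
    "incomplete": "log excerpt does not show the outcome",
}


def classify(log_text):
    """Return {request_id: {"service", "dest", "verdict", "hint"}}."""
    seen = {}
    for line in log_text.splitlines():
        for name, rx in PATTERNS.items():
            m = rx.search(line)
            if m:
                req = seen.setdefault(m.group(1), {"events": set(), "service": None, "dest": None})
                req["events"].add(name)
                if name == "new":
                    req["service"] = m.group(3)
                elif name == "sent":
                    req["dest"] = m.group(2)
                break
    report = {}
    for rid, req in seen.items():
        ev = req["events"]
        verdict = "incomplete"
        if "reply" in ev:
            verdict = "answered"
        elif "no_server" in ev and "sent" not in ev:
            verdict = "never-sent"
        elif "sent" in ev and "timeout" in ev:
            verdict = "sent-no-reply"
        report[rid] = {"service": req["service"], "dest": req["dest"],
                       "verdict": verdict, "hint": HINTS[verdict]}
    return report
```

Calling `classify(SAMPLE_LOG)` marks `0d:02` as `never-sent`, which matches the torch captures and the unchanged `/radius monitor` counters reported earlier in the thread.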
 
tonyd
newbie
Topic Author
Posts: 49
Joined: Fri Jul 20, 2012 3:31 pm

Re: Radius - 'no radius server found for 0d:02' - SOLVED

Mon Aug 12, 2013 1:25 am

BINGO! SurferTim, thank you so much. I've got to look into the called-Id and why this prevented the MTR from making a call to the Radius server. I admit, I'm not yet very familiar with Radius. My gratitude and appreciation for helping me troubleshoot this!

=)
