By: Ruben Rodriguez Garcia user 30 Mar 2020 at 4:07 p.m. CDT

8 Responses
Hi, I have configured GLUU server 4.1 on Ubuntu 18.04, and when I tried to authenticate an application using RADIUS authentication, it doesn't work. I ran the command:

> tcpdump -s0 host 192.168.2.2

I observed the following:

> 14:29:21.477647 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV UDP port radius unreachable, length 112

Server 192.168.2.2 is a Windows server and the firewall is disabled, and both servers (GLUU-SERV - 192.168.2.10) are in the same network. Any idea how to fix this?

> root@GLUU-SERV:/home/user# tcpdump -s0 host 192.168.2.2
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on ens160, link-type EN10MB (Ethernet), capture size 262144 bytes
> 14:28:51.472955 ARP, Request who-has GLUU-SERV tell 192.168.2.2, length 46
> 14:28:51.472992 ARP, Reply GLUU-SERV is-at 00:01:02:03:04:05 (oui Unknown), length 28
> 14:28:51.473211 IP 192.168.2.2.64405 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0xff length: 76
> 14:28:51.473256 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
> 14:28:56.683340 ARP, Request who-has 192.168.2.2 tell GLUU-SERV, length 28
> 14:28:56.683618 ARP, Reply 192.168.2.2 is-at 00:0c:29:6b:40:d9 (oui Unknown), length 46
> 14:29:01.474516 IP 192.168.2.2.64406 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x73 length: 76
> 14:29:01.474599 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
> 14:29:11.476095 IP 192.168.2.2.64407 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x98 length: 76
> 14:29:11.476204 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
> 14:29:21.477583 IP 192.168.2.2.64408 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x9f length: 76
> 14:29:21.477647 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
> 14:29:26.635345 ARP, Request who-has 192.168.2.2 tell GLUU-SERV, length 28
> 14:29:26.635526 ARP, Reply 192.168.2.2 is-at 00:0c:29:6b:40:d9 (oui Unknown), length 46
> 14:29:31.479096 IP 192.168.2.2.64409 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x99 length: 76
> 14:29:31.479172 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
> 14:29:36.087915 ARP, Request who-has GLUU-SERV (00:01:02:03:04:05 (oui Unknown)) tell 192.168.2.2, length 46
> 14:29:36.087966 ARP, Reply GLUU-SERV is-at 00:01:02:03:04:05 (oui Unknown), length 28
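
In the capture above, every Access-Request is answered by an ICMP port-unreachable from the server itself, which is what a host returns when no process is bound to the UDP port. The following is an added example, not part of the original thread or of Gluu's code, that pairs the two message types in tcpdump's one-line output. The sample lines, the 10.0.0.7 client and the function names are constructed for illustration.

```python
import re

# Constructed sample in tcpdump's default one-line format, modelled on the capture above.
SAMPLE = """\
14:28:51.473211 IP 192.168.2.2.64405 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0xff length: 76
14:28:51.473256 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
14:28:56.683340 ARP, Request who-has 192.168.2.2 tell GLUU-SERV, length 28
14:29:01.474516 IP 192.168.2.2.64406 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x73 length: 76
14:29:01.474599 IP GLUU-SERV > 192.168.2.2: ICMP GLUU-SERV udp port radius unreachable, length 112
14:29:11.476095 IP 10.0.0.7.50000 > GLUU-SERV.radius: RADIUS, Access-Request (1), id: 0x01 length: 76
14:29:11.480000 IP GLUU-SERV.radius > 10.0.0.7.50000: RADIUS, Access-Accept (2), id: 0x01 length: 20
"""

TS = r"^(\d\d):(\d\d):(\d\d\.\d+) IP "
# client.port > server.radius: RADIUS, Access-Request ...
REQ = re.compile(TS + r"(\S+)\.\d+ > (\S+)\.(?:radius|1812): RADIUS, Access-Request")
# server > client: ICMP server udp port radius unreachable
UNREACH = re.compile(TS + r"(\S+) > (\S+): ICMP \S+ udp port (?:radius|1812) unreachable", re.I)

def secs(h, m, s):
    return int(h) * 3600 + int(m) * 60 + float(s)

def radius_unreachable_stats(capture, window=1.0):
    """Return {(client, server): [requests, port_unreachable_replies]}."""
    pending = {}  # (client, server) -> time of the last unanswered Access-Request
    stats = {}
    for line in capture.splitlines():
        m = REQ.match(line)
        if m:
            key = (m.group(4), m.group(5))
            pending[key] = secs(*m.group(1, 2, 3))
            stats.setdefault(key, [0, 0])[0] += 1
            continue
        m = UNREACH.match(line)
        if m:
            key = (m.group(5), m.group(4))  # the ICMP error travels server -> client
            sent = pending.pop(key, None)
            if sent is not None and 0 <= secs(*m.group(1, 2, 3)) - sent <= window:
                stats[key][1] += 1
    return stats

def listener_down(stats):
    """Pairs where every Access-Request drew an ICMP port-unreachable."""
    return sorted(k for k, (req, unreach) in stats.items() if req and req == unreach)

if __name__ == "__main__":
    for client, server in listener_down(radius_unreachable_stats(SAMPLE)):
        print(f"{server}: nothing answering RADIUS for {client}; check the RADIUS service")
```
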

By Dzouato Djeumen Rolain Bonaventure staff 31 Mar 2020 at 3:32 p.m. CDT

Hello Rodrigo, let me take a look at this.

By Dzouato Djeumen Rolain Bonaventure staff 01 Apr 2020 at 7:46 a.m. CDT

Hello Rodrigo, please log in to your Gluu instance and run `service gluu-radius status` to make sure it's running. Also, if possible, still from your container, go to `/opt/gluu/radius/logs/` and if you find any log files there, provide them to us here.

By Ruben Rodriguez Garcia user 02 Apr 2020 at 1:27 a.m. CDT

Hi! Thanks for your help. I restarted the service with the command `systemctl restart gluu-radius`, and now it is possible to authenticate users when the authentication scheme in the Gluu RADIUS config file is onestep; however, if I change the authentication scheme to twostep, it doesn't work, and gluu-radius.log just responds with Access-Reject.

When I configure the authentication scheme as twostep, I configure Default Authentication Method > Authentication mode and oxTrust authentication mode as OTP. I'm using the Microsoft Authentication app for Android (because I don't enroll users with Super Gluu) and the user is local (created in Users > Manage People).

I notice that the time in gluu-radius.log is different from the time in Gluu Server; does it mean something? What else can I do to fix it?

> -rw-r--r-- 1 radius gluu 813 Apr 1 21:51 gluu-radius.log
> root@GLUU-SERV:/opt/gluu/radius/logs#
> root@GLUU-SERV:/opt/gluu/radius/logs#
> root@GLUU-SERV:/opt/gluu/radius/logs#
> root@GLUU-SERV:/opt/gluu/radius/logs# cat gluu-radius.log
> [INFO ] 2020-04-02 03:51:10.767 [Radius Auth Listener] GluuRadiusServer - Client ip: 192.168.2.2
> [INFO ] 2020-04-02 03:51:10.769 [Radius Auth Listener] GluuRadiusServer - Client ip: 192.168.2.2
> [INFO ] 2020-04-02 03:51:10.770 [Radius Auth Listener] GluuRadiusServer - Client ip: 192.168.2.2
> [INFO ] 2020-04-02 03:51:10.770 [Radius Auth Listener] GluuRadiusServer - Client ip: 192.168.2.2
> [INFO ] 2020-04-02 03:51:10.771 [Radius Auth Listener] RadiusServer - received packet from /192.168.2.2:55332 on local address 0.0.0.0/0.0.0.0:1812: Access-Request, ID 124
> NAS-IP-Address: 192.168.2.2
> NAS-Port: 1
> User-Name: tester
> User-Password: 0x3151617a7873773221
> Message-Authenticator: 0x334fdfcdabbf984d0971b4671d19d16f
> [INFO ] 2020-04-02 03:51:11.013 [Radius Auth Listener] RadiusServer - send response: Access-Reject, ID 124
> root@GLUU-SERV:/opt/gluu/radius/logs#

Thanks for your help, I really appreciate it.

By Dzouato Djeumen Rolain Bonaventure staff 02 Apr 2020 at 5:18 a.m. CDT

Hello, the only two-step application for which the script works is `Super-Gluu` for now. If you need to have it working with another app, you'll have to write a custom script for that by using the super-gluu script as reference. It's actually straightforward. If you need some directions, I'll be happy to provide them.

By Ruben Rodriguez Garcia user 03 Apr 2020 at 1:52 a.m. CDT

Hello, I checked the script but I didn't understand anything :-( I can't enroll users with Super Gluu (for Android); when I try to enroll a user, an error appears. What am I doing wrong?

[Enroll user](https://photos.app.goo.gl/qtK89p6xeJKowm746)

[Error](https://photos.app.goo.gl/D8fFbMwfsftKKNjq9)

Thanks for your help,

By Dzouato Djeumen Rolain Bonaventure staff 03 Apr 2020 at 11:50 a.m. CDT

Let me address your concerns one after the other.

- You may need a support contract with us if you need further assistance writing/modifying a custom script. That said, we do have good documentation about it. You can find it here: https://gluu.org/docs/gluu-server/admin-guide/custom-script/
- As for not being able to enroll a device, my guess is you're still using a self-signed certificate on your Gluu installation, which is fine. Go to the Super-Gluu app menu and enable the `Trust All` option.

Thanks.

By Ruben Rodriguez Garcia user 03 Apr 2020 at 1:21 p.m. CDT

Hi Rolain, thank you for your answer!

* I will check the documentation and try to write a custom script.
* Now, Super-Gluu shows the error message: [Failed to get Fido U2F metadata.](https://photos.app.goo.gl/AKqxJNomiK3gJtuq5) What else can I do?

Kind regards,

By Ruben Rodriguez Garcia user 04 Apr 2020 at 7:13 a.m. CDT

Hello Rolain, I have solved the issues and now all is working very well! I have a doubt and an issue regarding cache refresh; I think it is better to close this case and open a new case. Thanks for your help!