Describe the bug
It seems that the pfacct service is listening on the management interface, and when you configure the radius service on another interface/VLAN, pfacct drops packets; as a consequence, the offline/online node option is not working.
Management interface:
[interface enp1s0]
mask=255.255.255.0
ip=192.168.150.181
type=management,portal
Registration interface:
[interface enp2s0.2]
type=internal,radius
ip=192.168.254.254
mask=255.255.255.0
enforcement=vlan
pfacct listening on management address 192.168.150.181
[root@localhost ~]# netstat -tunlp | grep 1813
udp 0 0 192.168.150.181:1813 0.0.0.0:* 3248/docker-proxy
[root@localhost ~]# docker ps |grep 1813
d5e5220e4877 packetfence/pfacct:devel "/bin/sh -c /usr/loc…" 36 minutes ago Up 36 minutes 192.168.150.181:1813->1813/udp, 0.0.0.0:2056->2056/udp, :::2056->2056/udp pfacct
radius listening on 0.0.0.0
[root@localhost ~]# netstat -tunlp | grep 1812
udp 0 0 127.0.0.1:18121 0.0.0.0:* 10648/radiusd
udp 0 0 0.0.0.0:1812 0.0.0.0:* 10648/radiusd
Firewall opened ports on register vlan
[root@localhost ~]# iptables -S | grep input-radius-if
-N input-radius-if
-A INPUT -i enp2s0.2 -j input-radius-if
-A INPUT -i enp1s0 -j input-radius-if
-A INPUT -i enp1s0 -j input-radius-if
-A input-radius-if -p tcp -m tcp --dport 1812 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1812 -j ACCEPT
-A input-radius-if -p tcp -m tcp --dport 1813 -j ACCEPT
-A input-radius-if -p udp -m udp --dport 1813 -j ACCEPT
From tcpdump, I see that pfacct is not responding because it is listening on the management interface
[root@localhost ~]# tcpdump -i any port 1813 -nn
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes
09:27:12.665709 ethertype IPv4, IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3b length: 249
09:27:12.665709 IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3b length: 249
09:27:15.671300 ethertype IPv4, IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3c length: 249
09:27:15.671300 IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3c length: 249
09:27:21.314569 ethertype IPv4, IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3e length: 249
09:27:21.314569 IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x3e length: 249
09:27:23.998346 ethertype IPv4, IP 192.168.254.200.36365 > 192.168.254.254.1813: RADIUS, Accounting-Request (4), id: 0x48 length: 201
I have tested the service listening on 0.0.0.0, and the online/offline option works properly.
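A check for the mismatch reported above, as an added example (not PacketFence code and not part of the original report): it compares the IPs of interfaces whose type includes `radius` with the addresses actually bound to a UDP port. The sample config and netstat lines are constructed from the values in the report, and the function names are hypothetical.

```python
import configparser

# Constructed sample input, built from the values shown in the report.
PF_CONF = """
[interface enp1s0]
mask=255.255.255.0
ip=192.168.150.181
type=management,portal

[interface enp2s0.2]
type=internal,radius
ip=192.168.254.254
mask=255.255.255.0
enforcement=vlan
"""
NETSTAT = """
udp 0 0 192.168.150.181:1813 0.0.0.0:* 3248/docker-proxy
udp 0 0 127.0.0.1:18121 0.0.0.0:* 10648/radiusd
udp 0 0 0.0.0.0:1812 0.0.0.0:* 10648/radiusd
"""

def radius_ips(conf_text):
    """Return {interface: ip} for sections whose type list includes 'radius'."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    out = {}
    for section in cp.sections():
        types = [t.strip() for t in cp.get(section, "type", fallback="").split(",")]
        if section.startswith("interface ") and "radius" in types and cp.has_option(section, "ip"):
            out[section.split(None, 1)[1]] = cp.get(section, "ip")
    return out

def udp_listeners(netstat_text, port):
    """Return the IPv4 local addresses bound to the given UDP port."""
    addrs = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "udp":  # IPv4 sockets only; udp6 is ignored
            host, _, p = f[3].rpartition(":")
            if p == str(port):  # exact match, so 18121 is not taken for 1812
                addrs.add(host)
    return addrs

def unreachable(conf_text, netstat_text, port):
    """Radius interfaces with no listener on their IP (0.0.0.0 covers all)."""
    bound = udp_listeners(netstat_text, port)
    if "0.0.0.0" in bound:
        return {}
    return {i: ip for i, ip in radius_ips(conf_text).items() if ip not in bound}
```

With the report's values, port 1813 flags `enp2s0.2` because the only listener is the management address, while port 1812 passes because radiusd binds the wildcard address.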