SSO via Radius Accounting not working - Errors in access_server.log

Hello!

I have configured SSO via radius accounting in my home network. I use Microsoft NPS on Server 2016 as a Radius server and three access points running OpenWRT.

Radius authentication on the access points is working fine and the accounting is configured to end up at the Firewall XG.

My problem now is that XG is not recognizing any of the users authenticated to the WIFI. In the UI I do not see any messages at all. In the access_server.log, however, I get lots of error messages. 10.200.254.253 is one of my APs.

I have tried on various versions of XG and also purposefully moved to a new hardware running on SFVH_SO01_SFOS 16.05.1 MR-1. 

Is there any hint you could give me on how to go forward in my search?

Thanks + best regards

Michael


MESSAGE Mar 12 19:41:06 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:41:06 [4144719680]: handle_radius_account_req: couldn't initialize dictionary
MESSAGE Mar 12 19:41:10 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:41:10 [4144719680]: handle_radius_account_req: received radius accounting with status 1
ERROR Mar 12 19:41:10 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host
MESSAGE Mar 12 19:42:06 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:42:06 [4144719680]: handle_radius_account_req: received radius accounting with status 3
MESSAGE Mar 12 19:43:03 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:43:03 [4144719680]: handle_radius_account_req: received radius accounting with status 2
MESSAGE Mar 12 19:43:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:43:05 [4144719680]: handle_radius_account_req: received radius accounting with status 1
ERROR Mar 12 19:43:05 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host
MESSAGE Mar 12 19:43:19 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:43:19 [4144719680]: handle_radius_account_req: received radius accounting with status 1
ERROR Mar 12 19:43:19 [4144719680]: handle_radius_account_req: received radius accounting packet without login ip host
MESSAGE Mar 12 19:44:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:44:05 [4144719680]: handle_radius_account_req: received radius accounting with status 3
MESSAGE Mar 12 19:44:19 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253
ERROR Mar 12 19:44:19 [4144719680]: handle_radius_account_req: received radius accounting with status 3
MESSAGE Mar 12 19:45:05 [4144719680]: handle_radius_account_req: request received from radius client 10.200.254.253



[edited by: Erick Jan at 12:43 AM (GMT -7) on 16 Sep 2022]
  • Hi Michael,

    It would seem the issue is a segmentation fault or some issue with the service. Could you check the status of the service in Shell access Console > Option 5 > Option 3:

    service -S | grep access

    Output: Access_server | running/dead/stopped

    If possible, restart the service if it is not running:

    service access_server:restart -ds nosync

    Output: fail or 200 OK

    This should resolve your issue. If not, you may post the output of your authentication service and also provide me a scenario in which this event can be reproduced easily.

  • Hello Aditya!

    Thanks for your assistance. I tried but the authentication is still unsuccessful and the message in the access_server.log is still the same.

    Please find the output of the commands below:

    SFVH_SO01_SFOS 16.05.1 MR-1# service -S | grep access
    supportaccess UNTOUCHED
    access_server RUNNING
    SFVH_SO01_SFOS 16.05.1 MR-1# service access_server:restart -ds nosync
    200 OK

    And here is the content of the access_server.log from the restart:

    6835.access_server.txt

    And the error message that still occurs:

    MESSAGE Mar 15 21:37:48 [4144965440]: handle_radius_account_req: request received from radius client 10.200.254.253
    ERROR Mar 15 21:37:48 [4144965440]: handle_radius_account_req: couldn't initialize dictionary
    ERROR Mar 15 21:37:50 [4144965440]: config_resolve_bwid: BW Policy 0 not found
    ERROR Mar 15 21:37:51 [4122999616]: config_resolve_bwid: BW Policy 0 not found
    MESSAGE Mar 15 21:37:51 [4144965440]: handle_radius_account_req: request received from radius client 10.200.254.253
    ERROR Mar 15 21:37:51 [4144965440]: handle_radius_account_req: received radius accounting with status 1
    ERROR Mar 15 21:37:51 [4144965440]: handle_radius_account_req: received radius accounting packet without login ip host
    ERROR Mar 15 21:37:52 [4144965440]: config_resolve_bwid: BW Policy 0 not found
    ....
    ERROR Mar 15 21:38:26 [4144965440]: config_resolve_bwid: BW Policy 0 not found
    ERROR Mar 15 21:38:26 [4122999616]: config_resolve_bwid: BW Policy 0 not found
    MESSAGE Mar 15 21:38:48 [4144965440]: handle_radius_account_req: request received from radius client 10.200.254.253
    ERROR Mar 15 21:38:48 [4144965440]: handle_radius_account_req: received radius accounting with status 3

    To reproduce the issue I assume any OpenWRT based access point should be fine. The screenshot of the configuration shows that the Radius-Server is pointing to my Win 2016 Server and Accounting is pointing to the XG. If I log on to the wireless I see successful authentication on the AP and also get a "starting accounting session" log entry on the AP. At the same time the errors in authentication_server.log start appearing.

    Please let me know if I can provide any more information.

    Thanks + best regards

    Michael

  • Hello again!

    With some help I was able to verify that XG is actually doing what it is supposed to.

    XG seems to expect either Login-IP-Host or Framed-IP-Address to be included in any of the Radius packets. It does not need to be in the start - an IP address in any of the update packets is enough. I tested that with the NTRadPing utility and the SSO authentication captures the data that I sent in.

    In conclusion my APs are not sending any of these fields to XG - which is somewhat logical as they don't do DHCP themselves but rather let an external DHCP server do the work. There seems to be some DHCP snooping code in the hostapd package but so far I was not able to get it to work properly. If somebody got that setup working I would really like to know how you did it :)

    Sorry for bothering you in the first place - Thanks again for your support 

    best regards

    Michael

  • Hi Michael,

    You can find my ugly workaround described here: https://community.sophos.com/products/xg-firewall/f/authentication/83697/radius-sso-with-microsoft-nps/316910#316910

    I basically have a file where I assign a MAC to an IP, have FreeRADIUS logging data in a different file, running a script via cron updating the file with the missing information and writing the file which is picked up by FreeNAS for accounting.

    The script is not so good and needs to be improved in the way that it contains only complete sets of data.

    Regards,

    Claas
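The two findings in this thread (XG needs a Framed-IP-Address or Login-IP-Host attribute in some accounting packet before it can map a user to an IP, and a MAC-to-IP lookup can fill that gap when the access point never sends one) can be checked offline with a small RADIUS accounting decoder. The following is an added example, not code from the thread, from Sophos or from OpenWRT: it builds two constructed Accounting-Request packets (one the way the AP in the thread sends them, without any IP, and one with Framed-IP-Address as in the NTRadPing test), verifies the RFC 2866 Request Authenticator with the shared secret before trusting the packet, reports the Acct-Status-Type that the XG log prints as "status 1/2/3", and flags the missing IP the way the "without login ip host" error does. The shared secret, user name, session id, MAC address and the MAC-to-IP table are all constructed placeholders; the attribute type numbers are the standard ones from RFC 2865 and RFC 2866.

```python
import hashlib
import hmac
import ipaddress
import struct

# Attribute type codes from RFC 2865 / RFC 2866.
ATTR_USER_NAME = 1
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_LOGIN_IP_HOST = 14
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_STATUS_TYPE = 40
ATTR_ACCT_SESSION_ID = 44
CODE_ACCOUNTING_REQUEST = 4

# Acct-Status-Type values; the XG log prints the raw number ("status 1" = Start).
ACCT_STATUS = {1: "Start", 2: "Stop", 3: "Interim-Update", 7: "Accounting-On", 8: "Accounting-Off"}

# Constructed shared secret and MAC-to-IP table (assumed to come from DHCP leases), for this example only.
SECRET = b"example-shared-secret"
MAC_TO_IP = {"aabbccddeeff": "10.200.1.50"}


def build_accounting_request(secret, ident, attrs):
    """Encode an Accounting-Request (code 4) from (type, value-bytes) pairs."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", CODE_ACCOUNTING_REQUEST, ident, 20 + len(body))
    # RFC 2866: Request Authenticator = MD5(Code + ID + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def parse_radius(packet):
    """Parse the header and attribute TLVs, rejecting malformed length fields."""
    if len(packet) < 20:
        raise ValueError("packet shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "id": ident, "length": length, "authenticator": packet[4:20], "attrs": attrs}


def accounting_authenticator_valid(packet, secret):
    """Recompute the RFC 2866 Request Authenticator; a mismatch means wrong secret or altered packet."""
    parsed = parse_radius(packet)
    expected = hashlib.md5(packet[:4] + bytes(16) + packet[20:parsed["length"]] + secret).digest()
    return hmac.compare_digest(expected, parsed["authenticator"])


def check_accounting_request(packet, secret):
    """Extract what an SSO consumer needs: status, user, MAC and an IP from
    Framed-IP-Address or Login-IP-Host. No IP means no user-to-IP mapping."""
    parsed = parse_radius(packet)
    result = {"status": None, "user": None, "mac": None, "ip": None, "problems": [],
              "authenticator_ok": accounting_authenticator_valid(packet, secret)}
    if parsed["code"] != CODE_ACCOUNTING_REQUEST:
        result["problems"].append("not an Accounting-Request (code %d)" % parsed["code"])
        return result
    if not result["authenticator_ok"]:
        result["problems"].append("authenticator mismatch (wrong shared secret or altered packet)")
    for atype, value in parsed["attrs"]:
        if atype == ATTR_ACCT_STATUS_TYPE and len(value) == 4:
            code = struct.unpack("!I", value)[0]
            result["status"] = ACCT_STATUS.get(code, "Unknown(%d)" % code)
        elif atype == ATTR_USER_NAME:
            result["user"] = value.decode("utf-8", "replace")
        elif atype == ATTR_CALLING_STATION_ID:
            result["mac"] = value.decode("ascii", "replace")
        elif atype in (ATTR_FRAMED_IP_ADDRESS, ATTR_LOGIN_IP_HOST) and len(value) == 4:
            result["ip"] = str(ipaddress.IPv4Address(value))
    if result["ip"] is None:
        result["problems"].append("no Framed-IP-Address or Login-IP-Host attribute")
    return result


def fill_ip_from_mac(result, mac_to_ip):
    """Workaround in the spirit of the MAC-to-IP file above: look the IP up by
    Calling-Station-Id when the accounting packet itself carried none."""
    if result["ip"] is None and result["mac"]:
        key = "".join(ch for ch in result["mac"].lower() if ch.isalnum())
        ip = mac_to_ip.get(key)
        if ip:
            result["ip"] = ip
            result["problems"] = [p for p in result["problems"] if not p.startswith("no Framed-IP")]
    return result


def sample_ap_packet():
    """Constructed: a Start record as the OpenWRT AP in the thread sends it, without any IP."""
    return build_accounting_request(SECRET, 7, [
        (ATTR_USER_NAME, b"michael"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),
        (ATTR_ACCT_SESSION_ID, b"5E1F0001"), (ATTR_CALLING_STATION_ID, b"AA-BB-CC-DD-EE-FF")])


def sample_ntradping_packet():
    """Constructed: an Interim-Update for the same session carrying Framed-IP-Address."""
    return build_accounting_request(SECRET, 8, [
        (ATTR_USER_NAME, b"michael"), (ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 3)),
        (ATTR_ACCT_SESSION_ID, b"5E1F0001"), (ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address("10.200.1.50").packed)])


if __name__ == "__main__":
    for pkt in (sample_ap_packet(), sample_ntradping_packet()):
        r = check_accounting_request(pkt, SECRET)
        print(r, "-> after MAC lookup:", fill_ip_from_mac(dict(r), MAC_TO_IP)["ip"])
```

Running the block shows the AP-style Start record producing exactly the condition the XG log complains about (status present, no IP), the NTRadPing-style update carrying an IP and passing cleanly, and the MAC lookup supplying the missing address for the first packet. The authenticator check is the part worth keeping in any real consumer: without it, anything that can reach the accounting port could inject a user-to-IP mapping, which is an authentication bypass for SSO.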