Cyno Technical Support

Troubleshooting

This is the troubleshooting section from the MacRADIUS Administrator's Guide.

The user attribute I want to edit is italicized and inactive. Why?

The attribute is being overridden by a group attribute. Go to the group that the user is in and deactivate that attribute, or remove the user from that group.

My NAS and MacRADIUS won't talk to each other! Help!

There are two sorts of problems here: no communication at all, and garbled communication. To solve the first:

Make sure your NAS and MacRADIUS can actually talk to each other. A good way to do this is to open a NAS administration session of some sort from the Macintosh that is running MacRADIUS. This will verify that the network between the two machines is working.

Be sure that the authentication (and accounting) servers are switched on in the server configuration window of MacRADIUS. MacRADIUS comes pre-configured to use the standard UDP port numbers of 1645 and 1646 for RADIUS authentication and accounting. If you have reprogrammed your NAS (or your NAS does not use these port numbers) you will have to change the values here.

Be sure that the IP address and secret for MacRADIUS in the NAS are correct. If your NAS supports secondary (or other) backup servers, be sure that they are pointing to a copy of MacRADIUS or are turned off.

Be sure that the IP address and secret for the NAS in MacRADIUS are correct. Delete and re-create the NAS entry, and enter the IP address and secret carefully and slowly.

Remove all the users from the internal database of your NAS. Be sure that there are no "unusual" characters in the name of the user you are trying to authenticate, and that the name is a "reasonable" length.

Reboot the NAS with MacRADIUS already up and running so that the NAS can "see" MacRADIUS when it is booting.

I get entries in the MacRADIUS log complaining that an "unknown NAS" is trying to connect.

The IP address for that device in the NAS list is wrong.

MacRADIUS says in the log that authentication was successful, but my NAS disconnects the call anyway.

This could result from several different problems:

Your NAS could be one of the few that hangs up when it receives an unknown attribute. Switch off all the "send" attributes for your test user and see if you get any farther. If so, you can add attributes one at a time until you arrive at the one that is causing your NAS trouble. If the documentation that comes with your NAS is any good, you might be able to find the answer there.

Be sure that your NAS and MacRADIUS agree on the values and use of any vendor-specific attributes. Remember, true vendor-specific attributes that are sub-attributes of standard attribute 26 must be added to an exported "users" text file by hand and re-imported. Vendor attributes that merely take a number from the unassigned range must be added to the dictionary and aliases file before they can be used.

If your callers are being hung up on shortly after logging in, check the "max account time" parameter. Remember, a value of "30" is 30 seconds, not 30 minutes!

Why are users being "randomly" disabled?

"Number of password attempts before user disabled" is turned on in "Server Configuration."

I keep getting the message "Bad PAP Password" in the log, but the user's password is right!

There are three things this could be:

Most of the time, number 3 is the problem.

Because of the way the RADIUS protocol works, MacRADIUS cannot tell the difference between a bad PAP password and a bad shared secret, so the MacRADIUS log says "Bad PAP Password" on the assumption that, once everything is set up correctly, a bad password is what the problem will be.

The best thing to do is re-enter the secret carefully for the NAS in the Network Access Server List in MacRADIUS.
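Why the two failures look identical to the server, as an added example (not MacRADIUS code): the User-Password hiding scheme from RFC 2865 section 5.2, with a constructed secret, password and Request Authenticator. The function names are hypothetical.

```python
import hashlib
import hmac

def _xor_chain(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """RFC 2865 sec. 5.2: c_i = p_i XOR MD5(secret + c_(i-1)), with c_0 = Request Authenticator."""
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        pad = hashlib.md5(secret + prev).digest()
        mixed = bytes(x ^ y for x, y in zip(block, pad))
        out += mixed
        prev = block if decrypt else mixed  # always chain on the ciphertext block
    return out

def nas_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS places in the User-Password attribute."""
    size = max(16, (len(password) + 15) // 16 * 16)  # null-pad to a multiple of 16
    return _xor_chain(password.ljust(size, b"\x00"), secret, authenticator, decrypt=False)

def server_check_pap(hidden: bytes, secret: bytes, authenticator: bytes, stored: bytes) -> bool:
    """The server un-hides with ITS copy of the secret and compares; it only learns match or no match."""
    recovered = _xor_chain(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")
    return hmac.compare_digest(recovered, stored)

# Constructed sample values, not taken from any real deployment.
REQUEST_AUTH = bytes(range(16))
SERVER_SECRET = b"shared-secret-A"
STORED_PASSWORD = b"correct horse battery"  # 21 bytes, so two 16-byte blocks

def demo() -> dict:
    def attempt(password: bytes, nas_secret: bytes) -> bool:
        hidden = nas_hide_password(password, nas_secret, REQUEST_AUTH)
        return server_check_pap(hidden, SERVER_SECRET, REQUEST_AUTH, STORED_PASSWORD)
    return {
        "right password, right secret": attempt(STORED_PASSWORD, SERVER_SECRET),
        "wrong password, right secret": attempt(b"wrong guess", SERVER_SECRET),
        # Secret mistyped on the NAS: the server recovers garbage, not the password.
        "right password, wrong secret": attempt(STORED_PASSWORD, b"shared-secret-B"),
    }

if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'accepted' if ok else 'rejected'}")
```

Both failing cases end in the same comparison mismatch on the server, which has no plaintext to inspect and no integrity check on the attribute that would single out the secret.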

I have selected the "Prevent simultaneous sessions for the same user" checkbox in Server Configuration, but I still see some users logged on more than once at the same time. What’s wrong?

One or more things could cause this:

In the first two cases, the MacRADIUS log will be missing the "Authentication successful" entry for the users in question.

In the last case, the users in question will not appear in the "Tracked Session List", and the MacRADIUS log will be missing the "Start accounting" entries for them.

Make sure that the IP addresses entered in your NAS equipment for RADIUS authentication and accounting are the address of your MacRADIUS server. Check the log of your NAS device to ensure that it did not switch to a secondary RADIUS server.

I am getting a message about OTClientLib not found when I try to run MacRADIUS. What should I do?

You are trying to run MacRADIUS on a Powermac without Open Transport installed. Please consult the MacRADIUS Admin Guide for a detailed workaround.

I just switched to the Ascend dictionaries. Can I still authenticate my Tribe? My Livingston?

Yes.

What is the "Error 49 at Network Interface" message I see in the log window?

MacRADIUS sent a response to your NAS but the UDP port MacRADIUS sent it to has closed. This can happen if the response from MacRADIUS is delayed for too long a time. If you are seeing a lot of these errors, you may wish to make MacRADIUS the foreground application or increase RADIUS protocol timeouts on your NAS equipment.

What is the "Invalid request: code = ?, length = ??" message I see in the log window?

MacRADIUS will not process an inbound RADIUS packet with a code other than 1 or 4 (access-request or accounting-request). If you see this message with a code number other than 1 or 4, the packet is damaged or is not a RADIUS packet.

If the code number is a 1 or 4, the length of the packet is wrong. Versions of MacRADIUS prior to 1.0.3 would reject a packet if the length in the RADIUS header did not match the physical length of the packet. Versions of MacRADIUS from 1.0.3 on are more relaxed, and only reject a packet if the length in the RADIUS header is larger than the physical packet length.
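The two length policies described above, as an added example (not MacRADIUS code): a header check with a `strict` switch for the pre-1.0.3 rule, run over constructed datagrams. The function names and the 20-byte minimum guard are assumptions of this sketch; the returned message text is modeled on the log line quoted above.

```python
import struct

ACCEPTED_CODES = (1, 4)   # access-request, accounting-request
HEADER_LEN = 20           # code(1) + identifier(1) + length(2) + authenticator(16)

def check_request(datagram: bytes, strict: bool = False):
    """Return (accepted, reason). strict=True is the pre-1.0.3 rule from the text."""
    physical = len(datagram)
    if physical < HEADER_LEN:
        # Assumption of this sketch: too short to hold a RADIUS header at all.
        return False, f"Invalid request: truncated header, {physical} bytes"
    code, _ident, declared = struct.unpack("!BBH", datagram[:4])
    reason = f"Invalid request: code = {code}, length = {declared}"
    if code not in ACCEPTED_CODES:
        return False, reason          # damaged, or not a RADIUS request
    if strict and declared != physical:
        return False, reason          # pre-1.0.3: header length must match exactly
    if declared > physical:
        return False, reason          # 1.0.3 on: attributes would run past the datagram
    # Bytes beyond the declared length are ignored as padding.
    return True, f"ok, parse {declared} of {physical} bytes"

def make_datagram(code: int, declared: int, physical: int) -> bytes:
    """Build a constructed test datagram with a zeroed authenticator and filler."""
    header = struct.pack("!BBH", code, 0x2A, declared) + bytes(16)
    return header.ljust(physical, b"\x00")[:physical]

# Constructed samples: (label, datagram)
SAMPLES = [
    ("exact length",       make_datagram(1, 20, 20)),
    ("trailing padding",   make_datagram(1, 20, 24)),
    ("truncated in flight", make_datagram(4, 38, 26)),
    ("access-accept sent to server", make_datagram(2, 20, 20)),
]

if __name__ == "__main__":
    for label, dgram in SAMPLES:
        print(label, "| strict:", check_request(dgram, strict=True)[0],
              "| relaxed:", check_request(dgram)[0])
```

Only the "trailing padding" sample changes outcome between the two policies; a declared length larger than the datagram is rejected under both.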
