When the RADIUS packet is torn apart it matches the source IP address with
the IP address in the clients file. (If you have a host name there then
that host name is resolved to an IP). If that IP is not represented in the
clients file you'll get a mismatch.
>> To watch the return RADIUS packets use the following:
>>
>> This packet filter will show all RADIUS packets returning to the Portmaster.
>> It will NOT show RADIUS packets originating from the Portmaster.
>>
>> This is a very useful tool in debugging RADIUS problems. If the RADIUS
>> packet is returning from an ip address that differs from the ip address (or
>> the ip address of the hostname) that appears for the RADIUS server with the
>> "show global" command, then the packet is discarded.
>
>
>Will it also show any packets coming in from a "wrong" IP address? i.e., one
>neither the primary nor the alternate auth host? Or will it be discarded before
>it gets that far?
It will show all RADIUS packets coming to the portmaster even if they are
coming from the wrong address, which is what makes the filter so handy. If you
have a host running RADIUS that has 60 IP addresses aliased to it, for example,
and the Portmaster were to receive a response from one of the other IPs, then
the portmaster would reject the packet.
>Ran the ptrace for a couple hours. Trimmed a bunch of "good" requests
>to the primary auth host (199.183.254.131) from the top. The alternate
>is 199.183.254.4, and there is no real reason that the PM should be
>consulting it at this time. The trace output doesn't seem to do anything
>but confirm what we already know.
>
>Can you get anything useful out of this?
[**packet trace output deleted**]
Nope, as you said, all returning packets coming from good RADIUS servers.
Next, check reverse DNS on all entries in the clients file and check, double
check the secrets in the clients file vs the secret in the portmaster.
--- jstorms@livingston.com So much to do, so litt...[Hold on a sec]
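As an added example (not from this thread or from Livingston's Portmaster code), the two checks discussed above in Python: a reply is first compared by source address against the resolved addresses of the configured auth hosts, and only then is its Response Authenticator verified with the shared secret, so a reply from an extra alias address on the same server host, or one built with a different secret, is discarded for a distinguishable reason. The primary's hostname, the resolver table, the secret and the extra alias address are constructed; the two server IPs are the ones from the thread.

```python
import hashlib
import hmac
import struct

HEADER = struct.Struct("!BBH")  # Code, Identifier, Length (RFC 2865 section 3)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    hdr = HEADER.pack(code, ident, HEADER.size + 16 + len(attrs))
    return hashlib.md5(hdr + request_auth + attrs + secret).digest()


def build_reply(code, ident, attrs, request_auth, secret):
    """Build a reply the way a RADIUS server would (test helper for the demo)."""
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return HEADER.pack(code, ident, HEADER.size + 16 + len(attrs)) + auth + attrs


def check_reply(src_ip, packet, request_auth, servers, secret, resolve):
    """Mimic the NAS-side checks: source address first, then the authenticator.
    Returns 'accept' or a 'discard: ...' reason string."""
    allowed = {resolve(s) for s in servers}  # hostnames resolve to one address
    if src_ip not in allowed:
        return "discard: source %s is not a configured RADIUS server" % src_ip
    if len(packet) < 20:
        return "discard: packet shorter than the 20-byte RADIUS header"
    code, ident, length = HEADER.unpack(packet[:4])
    if length != len(packet):
        return "discard: Length field does not match packet size"
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    if not hmac.compare_digest(expected, packet[4:20]):
        return "discard: bad Response Authenticator (shared secret mismatch?)"
    return "accept"


# Constructed data: hypothetical hostname for the primary, the thread's two server
# IPs, and a hypothetical extra alias address (.200) on the primary's host.
SERVERS = ["radius-primary.example.test", "199.183.254.4"]
RESOLVER = {"radius-primary.example.test": "199.183.254.131"}
SECRET = b"constructed-secret"
REQ_AUTH = bytes(range(16))  # stands in for the request's 16 random bytes
REPLY = build_reply(2, 7, b"", REQ_AUTH, SECRET)  # Access-Accept, identifier 7


def resolve(name):
    return RESOLVER.get(name, name)  # a literal IP resolves to itself


def demo():
    return {
        "good": check_reply("199.183.254.131", REPLY, REQ_AUTH, SERVERS, SECRET, resolve),
        "alias": check_reply("199.183.254.200", REPLY, REQ_AUTH, SERVERS, SECRET, resolve),
        "secret": check_reply("199.183.254.4", REPLY, REQ_AUTH, SERVERS, b"other", resolve),
    }
```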