SecureAuth IdP Version Affected: All
RADIUS Server Version Affected: 2.0.x and newer
After an unscheduled reboot, the RADIUS server is no longer responding to incoming RADIUS requests, regardless of source.
When troubleshooting, you have ruled out RADIUS service, Firewall settings, and local machine key permissions. When trying to use NTRadPing locally on the RADIUS server to test connectivity, you get no responses from the RADIUS server.
After enabling "ALL" logging, you see in RADIUS logs showing errors caused by exceptionally large packet size being received by the RADIUS server:
[08/Nov/2017:16:06:21 +0000] ERROR UDPListener: Radius server error
java.lang.RuntimeException: Radius package parse error
at com.secureauth.idp.radius.RadiusLibFacade.getAttributeContainer(RadiusLibFacade.java:183) ~[secureauth-radius-2.0.21.jar!/:?]
at com.secureauth.idp.radius.UDPRequestEntry.addRequestEntry(UDPRequestEntry.java:27) ~[secureauth-radius-2.0.21.jar!/:?]
at com.secureauth.idp.radius.udp.UDPListener.run(UDPListener.java:44) [secureauth-radius-2.0.21.jar!/:?]
Caused by: org.tinyradius.util.RadiusException: bad packet: packet too long (26209 bytes)
at org.tinyradius.packet.RadiusPacket.decodePacket(RadiusPacket.java:852) ~[tinyradius-1.0.p1.jar!/:?]
at org.tinyradius.packet.RadiusPacket.decodeRequestPacket(RadiusPacket.java:538) ~[tinyradius-1.0.p1.jar!/:?]
at org.tinyradius.util.RadiusServer.makeRadiusPacket(RadiusServer.java:461) ~[tinyradius-1.0.p1.jar!/:?]
at com.secureauth.radius.server.SARadiusServer.makeRadiusPacket(SARadiusServer.java:94) ~[secureauth-radius-2.0.21.jar!/:?]
at com.secureauth.idp.radius.RadiusLibFacade.getAttributeContainer(RadiusLibFacade.java:179) ~[secureauth-radius-2.0.21.jar!/:?]
Due to an unscheduled reboot, there is a chance that the libraries that RADIUS relies on become corrupted. Simply restarting the service, or replacing the RADIUS server configuration file is insufficient to overcome the corruption.
You will need to uninstall the RADIUS server completely, and delete the folder it was installed in. Then re-install the RADIUS server cleanly.
Backup the RADIUS server configuration files first before proceeding. If unable to access the RADIUS Server Admin Console, you can navigate to the folder where RADIUS is installed and manually copy the appliance.radius.properties file to a safe location.
You will need this file to restore the configuration into the new install of RADIUS.
To enable "ALL" logging in RADIUS, you will need to replace the log4j2.xml file in the RADIUS /bin/conf folder with the log4j2.xml attached below the disclaimer.
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.
Please sign in to leave a comment.