Troubleshooting a Moonshot RP Proxy

This flowchart illustrates the general troubleshooting flow for a local Moonshot RP Proxy.

Your first step should be to check that your RP Proxy is correctly installed and configured.

See Install an RP Proxy first.

Check that your services are running. FreeRADIUS and the Temporary ID Server (TIDS) must be running and accepting connections. Also check that any firewall on the RP Proxy itself, or between the RP Proxy and any servers using it, allows traffic to and from the RP Proxy on tcp/2083 and tcp/12309.

 

If FreeRADIUS and/or TIDS are not running, start them, then retry your GSSAPI connection. Does the connection work now?

If your GSSAPI connection is still failing, you should restart FreeRADIUS in debug mode. This is an interactive mode that shows virtually everything (it masks passwords for security reasons):

On Debian or Ubuntu:

    $ su - --shell=/bin/bash freerad
    $ unset DISPLAY
    $ /usr/sbin/freeradius -fxx -l stdout

On Red Hat, CentOS or Scientific Linux:

    $ su - --shell=/bin/bash radiusd
    $ unset DISPLAY
    $ radiusd -fxx -l stdout

Retry your GSSAPI connection. Does the connection work now?

 

If the GSSAPI connection continues to fail, check the FreeRADIUS debug output. Are there any errors?

Common errors include:

  1. The certificates used for the TLS connection may have expired. Check them with this command:

    $ openssl x509 -enddate -noout -in /path/to/certificate.file
  2. The TID client failed to obtain the IdP realm from the Trust Router. You should troubleshoot the Temporary ID Client.
  3. The IdP returned an error. Check your identity details. 
    1. Are you using the correct username and password? 
    2. If your details are correct and you are using an identity managed by your own IdP, you should troubleshoot your IdP next.
  4. The RP Proxy experienced a failure internally:
    1. Are all your scripts and policies present?
    2. Have you made any recent changes to them?
    3. If using account mapping, are the servers for your account mapping connected and available?

Resolve the error(s) experienced. Retry your GSSAPI connection. Does the connection work now?
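The listener check and the certificate expiry check described above can be scripted together. The following is an added example, not part of the original page or of the Moonshot project; the 30-day warning threshold, the function names and the use of `ss` from iproute2 are assumptions, and the certificate paths are whatever your FreeRADIUS TLS configuration points at.

```sh
#!/bin/sh
# Added example (not Moonshot project code): preflight checks for an RP Proxy.
PORTS="2083 12309"      # the two TCP ports named on this page
WARN_DAYS=30            # assumption: warn when a certificate has < 30 days left

# Read `ss -ltn` output on stdin; print each required port that has no listener.
missing_listeners() {
    awk -v want="$PORTS" '
        BEGIN { n = split(want, p, " ") }
        $1 == "LISTEN" { sub(/.*:/, "", $4); seen[$4] = 1 }
        END { for (i = 1; i <= n; i++) if (!(p[i] in seen)) print p[i] }'
}

# Print one of: unreadable, expired, expiring, ok.
cert_status() {
    cert=$1
    days=${2:-$WARN_DAYS}
    if ! openssl x509 -noout -in "$cert" >/dev/null 2>&1; then
        echo unreadable
    elif ! openssl x509 -checkend 0 -noout -in "$cert" >/dev/null 2>&1; then
        echo expired
    elif ! openssl x509 -checkend "$((days * 86400))" -noout -in "$cert" >/dev/null 2>&1; then
        echo expiring
    else
        echo ok
    fi
}

# Run both checks; arguments are the certificate files to inspect.
preflight() {
    rc=0
    for port in $(ss -ltn | missing_listeners); do
        echo "tcp/$port: no listener"
        rc=1
    done
    for cert in "$@"; do
        state=$(cert_status "$cert")
        echo "$cert: $state"
        [ "$state" = ok ] || rc=1
    done
    return "$rc"
}

if [ "$#" -gt 0 ]; then preflight "$@"; fi
```

A listener on both ports only shows that the services are bound locally; firewall rules between the RP Proxy and its clients still need to be checked separately.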

Contact the Moonshot community mailing list with any errors that are unknown to you or that you cannot resolve.

If your GSSAPI connection continues to fail, but there are no obvious errors in the FreeRADIUS debug output, check the Temporary ID Server (TIDS) log for errors.

To resolve TIDS errors, see Troubleshooting the Temporary ID Server.

If there are no errors in the TIDS log, contact the Moonshot community mailing list with your problem. Capture the TIDS and FreeRADIUS output from a failed GSSAPI attempt and include it in your message.

Alternatively, contact your Trust Router network operator's support.