Re: Cisco VPN3000 with freeradius
Alan DeKok [EMAIL PROTECTED] wrote:

> From: Alan DeKok [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: Re: Cisco VPN3000 with freeradius
> Date: Mon, 15 Dec 2003 14:39:46 -0500
> Reply-To: [EMAIL PROTECTED]
>
> Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
> > I'm successfully authenticating certificate users against freeradius 0.9.0 (from SuSE 9.0). BUT: only the 'first' time. That means: wait a 'long' time (av. 15 min) -> authentication successful
>
> This has nothing to do with FreeRADIUS. If the client/NAS doesn't contact the server, there's nothing that FreeRADIUS can do to speed up the process.
>
> > The CISCO Access Control Server ACS did not show this behaviour.
>
> I would suggest seeing what attributes are sent back from the Cisco server, and make FreeRADIUS send back the same attributes. Whatever the problem is, that is the only fix.
>
> Alan DeKok.

Hi Alan,

no, this is _not_ the only fix ;)

I have found the problem now: the VPN3000 Concentrator has a timing problem: if the answer from the radius server is _fast_ (< 200ms) _and_ a lot of debugging is enabled, then the vpn3000 may lose the UDP packet which contains the answer.

FreeRADIUS _is_ fast: in our environment the answers came after 30-180 ms. So packets get lost. Because the Cisco ACS is not so fast (> 300ms) this did not happen with ACS.

regards,
Arne Spetzler

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
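A small diagnostic for the symptom Arne describes, added here as an example and not code from the thread: it reads `radiusd -X` output in the format quoted above, pairs each Access-Request with the reply sent for it, and flags a NAS that re-sends the same request id after the server already answered, which is what a reply lost on the NAS side looks like from the server. It assumes the retransmit shows up as a second `rad_recv` line (an assumption; a server with a duplicate cache may log it differently) and uses a constructed sample log.

```python
"""Flag Access-Requests the NAS re-sent after FreeRADIUS already replied.

Added example (not from the thread). A request id seen again from the
same host:port after "Sending Access-Accept of id N" means the NAS never
got, or dropped, the UDP reply, the VPN3000 behaviour described above.
"""
import re
from collections import defaultdict

# Line formats copied from the radiusd -X output quoted in the thread.
RECV_RE = re.compile(
    r"rad_recv: Access-Request packet from host (\S+):(\d+), id=(\d+)")
SEND_RE = re.compile(
    r"Sending Access-(Accept|Reject) of id (\d+) to (\S+):(\d+)")


def find_retransmits(debug_text):
    """Return [(host, port, id, resend_count)] for every request id the
    NAS sent again after a reply for it had already gone out."""
    replied = {}               # (host, port, id) -> reply type sent
    resent = defaultdict(int)  # (host, port, id) -> re-sends after reply
    for line in debug_text.splitlines():
        m = RECV_RE.search(line)
        if m:
            key = (m.group(1), int(m.group(2)), int(m.group(3)))
            if key in replied:  # same id from same NAS after our answer
                resent[key] += 1
            continue
        m = SEND_RE.search(line)
        if m:
            key = (m.group(3), int(m.group(4)), int(m.group(2)))
            replied[key] = m.group(1)
    return [(h, p, i, n) for (h, p, i), n in sorted(resent.items())]


# Constructed sample: id 38 is answered once and never seen again (healthy);
# id 39 is answered, then the NAS sends the identical request twice more.
SAMPLE = """\
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=38, length=125
Sending Access-Accept of id 38 to 10.1.50.10:1064
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=39, length=125
Sending Access-Accept of id 39 to 10.1.50.10:1064
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=39, length=125
Sending Access-Accept of id 39 to 10.1.50.10:1064
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=39, length=125
"""

if __name__ == "__main__":
    for host, port, rid, n in find_retransmits(SAMPLE):
        print(f"{host}:{port} id={rid}: NAS re-sent {n}x after our reply, "
              f"the reply is probably being lost on the NAS side")
```

RADIUS ids are 8 bits, so over a long capture a legitimately reused id will also be reported; run it over a short window around the failing logins.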
Re: Cisco VPN3000 with freeradius
On Tue, Dec 16, 2003 at 05:56:40PM +0100, Spetzler, Arne (DZ-SH) wrote:
> if the answer from the radius server is _fast_ (< 200ms) _and_ a lot of debugging is enabled, then the vpn3000 may lose the UDP packet which contains the answer.
>
> FreeRADIUS _is_ fast: in our environment the answers came after 30-180 ms. So packets get lost. Because the Cisco ACS is not so fast (> 300ms) this did not happen with ACS.

Huh, cool :)

So what about an answer-delay option for sluggish NASes? ;)

Oliver.
Re: Cisco VPN3000 with freeradius
Oliver Graf [EMAIL PROTECTED] wrote:
> So what about an answer-delay option for sluggish NASes? ;)

Yuck.

Alan DeKok.
Cisco VPN3000 with freeradius
Hello there,

I'm successfully authenticating certificate users against freeradius 0.9.0 (from SuSE 9.0). BUT: only the 'first' time. That means:

  wait a 'long' time (av. 15 min) -> authentication successful
  wait a very short time          -> authentication fails
  wait                            -> authentication fails
  wait 'long' time                -> authentication successful

The debug output from the radius server shows nothing special:

---
rad_recv: Access-Request packet from host 10.1.50.10:1064, id=38, length=125
        User-Name = TC_TEST
        User-Password = 12345
        NAS-Port = 0
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Called-Station-Id = 10.1.50.10
        Calling-Station-Id = 10.1.3.132
        Tunnel-Client-Endpoint:0 = 10.1.3.132
        Attr-201588758 = 0x0001
        NAS-IP-Address = 10.1.50.10
        NAS-Port-Type = Virtual
modcall: entering group authorize
  modcall[authorize]: module preprocess returns ok
  modcall[authorize]: module chap returns noop
  rlm_eap: EAP-Message not found
  modcall[authorize]: module eap returns noop
    rlm_realm: No '@' in User-Name = TC_TEST, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop
    users: Matched TC_TEST at 76
  modcall[authorize]: module files returns ok
  modcall[authorize]: module mschap returns noop
modcall: group authorize returns ok
  rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 38 to 10.1.50.10:1064
        CVPN3000-IPSec-Banner1 = Authenticated by FREERADIUS
        Class = 0x46524545524144495553
Finished request 4
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 4 ID 38 with timestamp 3fde1931
Nothing to do. Sleeping until we see a request.
---

The CISCO Access Control Server ACS did not show this behaviour. I searched the archive and the FAQ and didn't find anything...

Has someone seen this before?

regards,
Arne

---
Datenzentrale Schleswig-Holstein
Altenholzer Str. 10-14, 24161 Altenholz, Germany
http://www.dzsh.de/
mailto:[EMAIL PROTECTED]
Tel: +49.431.3295.6840
Fax: +49.431.3295.410
Re: Cisco VPN3000 with freeradius
Spetzler, Arne (DZ-SH) [EMAIL PROTECTED] wrote:
> I'm successfully authenticating certificate users against freeradius 0.9.0 (from SuSE 9.0). BUT: only the 'first' time. That means: wait a 'long' time (av. 15 min) -> authentication successful

This has nothing to do with FreeRADIUS. If the client/NAS doesn't contact the server, there's nothing that FreeRADIUS can do to speed up the process.

> The CISCO Access Control Server ACS did not show this behaviour.

I would suggest seeing what attributes are sent back from the Cisco server, and make FreeRADIUS send back the same attributes. Whatever the problem is, that is the only fix.

Alan DeKok.