Just got some radius debugging here.

#######################
rad_recv: Access-Request packet from host 212.248.232.242:1645, id=116, length=85
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
User-Password = "accutronic2"
NAS-Port-Type = Virtual
NAS-Port = 907
Service-Type = Framed-User
NAS-IP-Address = 212.248.232.242
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 465
modcall[authorize]: module "preprocess" returns ok for request 465
modcall[authorize]: module "chap" returns noop for request 465
modcall[authorize]: module "mschap" returns noop for request 465
rlm_realm: Looking up realm "maxsurf" for User-Name = "[EMAIL PROTECTED]"
rlm_realm: Found realm "maxsurf"
rlm_realm: Proxying request from user bob.ken to realm maxsurf
rlm_realm: Adding Realm = "maxsurf"
rlm_realm: Preparing to proxy authentication request to realm "maxsurf"
modcall[authorize]: module "suffix" returns updated for request 465
rlm_eap: No EAP-Message, not doing EAP
modcall[authorize]: module "eap" returns noop for request 465
modcall[authorize]: module "files" returns notfound for request 465
modcall: group authorize returns updated for request 465
Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 465
radius_xlat: '/var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612
modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 465
modcall: group pre-proxy returns ok for request 465
Sending Access-Request of id 0 to 62.41.128.19:1645
Framed-Protocol = PPP
User-Name = "[EMAIL PROTECTED]"
User-Password = "accutronic2"
NAS-Port-Type = Virtual
NAS-Port = 907
Service-Type = Framed-User
NAS-IP-Address = 212.248.232.242
Proxy-State = 0x313136
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=0, length=111
Class =
0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935303638352200
Session-Timeout = 7200
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Idle-Timeout = 600
Service-Type = Framed-User
Proxy-State = 0x313136
Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 465
radius_xlat: '/var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612
modcall[post-proxy]: module "post_proxy_log" returns ok for request 465
modcall: group post-proxy returns ok for request 465
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 465
modcall[authorize]: module "preprocess" returns ok for request 465
modcall[authorize]: module "chap" returns noop for request 465
modcall[authorize]: module "mschap" returns noop for request 465
rlm_realm: Proxy reply, or no User-Name. Ignoring.
modcall[authorize]: module "suffix" returns noop for request 465
modcall[authorize]: module "eap" returns noop for request 465
modcall[authorize]: module "files" returns notfound for request 465
modcall: group authorize returns ok for request 465
rad_check_password: Found Auth-Type
rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [EMAIL PROTECTED]/accutronic2] (from client l2tp-tunnel port 907)
Sending Access-Accept of id 116 to 212.248.232.242:1645
Class =
0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935303638352200
Session-Timeout = 7200
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Idle-Timeout = 600
Service-Type = Framed-User
Finished request 465
Going to the next request
##############################

The strange thing is the Framed-IP-Address, it isn’t showing the correct IP address that the user has assigned in our customer radius users file.

If I run radtest from the command line against the customer’s radius server it returns:

###################
Sending Access-Request of id 3 to 62.41.128.19:1645
User-Name = "[EMAIL PROTECTED]"
User-Password = "accutronic2"
NAS-IP-Address = cw2.eurisp.net
NAS-Port = 1645
rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=3, length=106
Class =
0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935313230372200
Session-Timeout = 0
Framed-IP-Address = 85.92.190.82
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
#######################

With the correct IP address.

Any ideas why it’s doing this?

Thanks

John

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of John Williams

Hi all

We are proxying a realm for a customer that takes ADSL connections from us. Our ADSL connections terminate on a Cisco 7204 over an L2TP tunnel.

The proxying seems to be working fine as all requests for the realm are sent to the customer’s radius server. And our log files show that the authentication was “OK”.

However the users that are authenticating are being dropped offline as soon as they authenticate. The account logs show the reason as being “User-Request” although the user hasn’t requested a disconnect, in fact they aren’t connected long enough to do so.

The customer is also sending a framed IP address for each user that connects via the user’s radius users file entry. I’m wondering if this has something to do with the problem, although I can’t really see why. The customer is issuing IP addresses from our own RIPE allocation that the Cisco knows about and we announce via BGP to upstreams.

I’m trying to get some radius and Cisco debugging for these users, but unfortunately everyone has buggered off home and most of the users are offices.

So I guess I’m just wondering if there are any gotchas with radius proxying and injecting IP addresses that anyone may have come across. Or does anyone have any ideas what I should be looking for to help fix the problem?

Thanks In Advance

John
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
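
Added example, not part of John's message or of FreeRADIUS: a small Python comparison of the two Access-Accept replies quoted above, using attribute lines copied from the post (Class omitted). It lists the attributes that differ between the proxied reply and the radtest reply and flags the reserved Framed-IP-Address values defined in RFC 2865 section 5.8; the function names are illustrative.

```python
import re

# Attribute lines copied from the two Access-Accept replies in the post.
PROXIED_REPLY = """\
Session-Timeout = 7200
Framed-IP-Address = 255.255.255.254
Framed-IP-Netmask = 255.255.255.255
Framed-Protocol = PPP
Idle-Timeout = 600
Service-Type = Framed-User
"""
RADTEST_REPLY = """\
Session-Timeout = 0
Framed-IP-Address = 85.92.190.82
Framed-IP-Netmask = 255.255.255.255
Acct-Interim-Interval = 7200
Framed-Protocol = PPP
Service-Type = Framed-User
"""
# Reserved Framed-IP-Address values from RFC 2865 section 5.8.
RESERVED = {
    "255.255.255.255": "NAS should let the user select an address",
    "255.255.255.254": "NAS should select an address (e.g. from its pool)",
}
ATTR = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")

def parse_attrs(text):
    """Turn 'Name = value' debug lines into a dict, ignoring other lines."""
    attrs = {}
    for line in text.splitlines():
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def diff_replies(first, second):
    """Return {attribute: (first_value, second_value)} where they differ."""
    a, b = parse_attrs(first), parse_attrs(second)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}

def reserved_note(reply):
    """Explain Framed-IP-Address if it is an RFC 2865 reserved value."""
    return RESERVED.get(parse_attrs(reply).get("Framed-IP-Address"))

if __name__ == "__main__":
    for name, (p, r) in diff_replies(PROXIED_REPLY, RADTEST_REPLY).items():
        print(f"{name}: proxied={p} radtest={r}")
    print("proxied Framed-IP-Address:", reserved_note(PROXIED_REPLY))
```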

