Hi Tom,
I see nothing that should cause the behaviour you're seeing, though bear
in mind I'm not a VPDN expert.
Could you post:
* An Access-Request packet logged when your setup is working
* The Access-Accept packet that corresponds with the above Access-Request
* An Access-Request packet when your setup is *not* working
* The Access-Accept packet that corresponds with the above Access-Request
Could you also perhaps check on the general health of your router and
the AAA server when the setup isn't working? Does it coincide with
anomalous CPU usage, load average, memory usage etc?
I don't *think* you need to check or reply with any tunnelling-related
attributes in simple cases of a VPDN setup, but as I say, I'm not an
expert in that area.
Cheers,
James.
Tom Miller wrote:
Here is a more detailed list of aaa for my Cisco 7204 configuration:
aaa new-model
aaa authentication login default local
aaa authentication login console enable
aaa authentication login telnet line
aaa authentication login localauth local
aaa authentication ppp default group radius local
aaa authorization network default group radius local
aaa accounting delay-start
aaa accounting nested
aaa accounting exec default start-stop group radius
aaa accounting network default start-stop group radius
!
vpdn enable
vpdn aaa override-server 172.17.17.17
!
vpdn-group 1
 accept-dialin
  protocol l2tp
  virtual-template 1
 terminate-from hostname aaaabbbr.ca.AADS
 local name abc123456789cha
 lcp renegotiation always
 l2tp tunnel password 7 xxxxxxxxxxxxxxxx
!
radius-server host 172.17.17.17 auth-port 1645 acct-port 1646
!
interface Virtual-Template1
 mtu 1492
 ip address 192.168.172.1 255.255.255.128
 peer default ip address pool DSLCustomer
 ppp authentication chap callin
!
ip local pool DSLCustomer 192.168.172.51 192.168.172.125
---- Original message ----
Date: Mon, 02 Oct 2006 09:18:59 +1000
From: James Wakefield <[EMAIL PROTECTED]>
Subject: Re: only work with 5 users or clients
To: [EMAIL PROTECTED], FreeRadius users mailing list <[email protected]>
Tom Miller wrote:
I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and freeradius (1.0.4).
I am having a problem when the number of users (clients) increases to 6 and up.
It worked fine when I had only 5 users (clients) using the system.
I found that max_requests was set at 1024 in radiusd.conf and have increased
the number up to 50 clients (50x256=12800):
max_requests = 12800
However, it doesn't seem to have any effect. What am I doing wrong?
One thing I noticed: the two users that cannot connect send incomplete
information to the radius server from the NAS (7204), such as:
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 192.168.17.1:1645, id=200, length=95
NAS-IP-Address = 192.168.17.1
NAS-Port = 3
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
Service-Type = Framed-User
Framed-Protocol = PPP
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 192.168.17.1:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 209.101.222.12
Framed-IP-Netmask = 255.255.255.128
Framed-MTU = 1492
Finished request 16
Going to the next request
*********** This is a log when it connected. It included the Tunnel server and client end point *********
rad_recv: Accounting-Request packet from host 192.168.17.1:1646, id=199, length=232
NAS-IP-Address = 192.168.17.1
NAS-Port = 6
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
Acct-Status-Type = Stop
Acct-Authentic = RADIUS
Service-Type = Framed-User
Acct-Session-Id = "00000CD8"
Framed-Protocol = PPP
Tunnel-Server-Endpoint:0 = "10.10.6.5"
Tunnel-Client-Endpoint:0 = "10.10.6.6"
Tunnel-Type:0 = L2TP
Tunnel-Client-Auth-Id:0 = "12345678"
Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
Acct-Tunnel-Connection = "13441125"
Framed-IP-Address = 209.101.222.12
Acct-Terminate-Cause = Admin-Reset
Acct-Input-Octets = 281672
Acct-Output-Octets = 266074
Acct-Input-Packets = 4390
Acct-Output-Packets = 4154
Acct-Session-Time = 1967
Acct-Delay-Time = 0
Processing the preacct section of radiusd.conf
This is an accounting stop record, as opposed to the access accept record
you display above and below. It isn't necessarily indicative of what
freeradius sent to the NAS, or anything else that happened when the client
connected.
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=200, length=95
NAS-IP-Address = 172.17.17.1
NAS-Port = 3
NAS-Port-Type = ISDN
User-Name = "[EMAIL PROTECTED]"
CHAP-Password = 0xcc3aeb78c7482c25ab08dc0625fcb4007e
Service-Type = Framed-User
Framed-Protocol = PPP
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 172.17.17.1:1645
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = 38.101.172.12
Framed-IP-Netmask = 255.255.255.128
Framed-MTU = 1492
Finished request 16
Going to the next request
What am I missing here?
How are you authenticating and authorizing your users? The users file, some
sort of database or directory? Could you send some relevant excerpts from
those sources, e.g. some users file stanzas if you're using the users file,
objects from your LDAP directory in LDIF if you're using LDAP?
My hunch is that freeradius isn't configured to send the necessary
attributes and your NAS is defaulting those attributes, but can't do that
for more than 5 concurrent users. Unless you're observing considerable delay
between the receipt of access-request and the sending of access-accept
(ie: more than a couple of seconds), or freeradius is sending different
attributes with the access-accept for the same user when things seem to be
going wrong to when they're going right, I think you're missing some
attributes or your NAS is misconfigured or both.
Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
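James asks for the Access-Request/Access-Accept pairs from a working and a failing session so the returned attributes can be compared. The script below, an added example that is not part of the thread, does that comparison mechanically over radiusd -X debug output in the format quoted above; the user names and the SAMPLE_LOG excerpt are constructed.

```python
import re

RECV_RE = re.compile(r"^rad_recv: (\S+) packet from host (\S+), id=(\d+)")  # kind, peer, id
SEND_RE = re.compile(r"^Sending (\S+) of id (\d+) to (\S+)")                 # kind, id, peer
ATTR_RE = re.compile(r"^\s*([\w\-:]+) = (.*)$")                                # "\tFramed-MTU = 1492"

def parse_packets(log):
    """Return the packets in log order as dicts: kind, peer (ip:port), id, attrs."""
    packets, current = [], None
    for line in log.splitlines():
        if m := RECV_RE.match(line):
            packets.append(current := {"kind": m[1], "peer": m[2], "id": int(m[3]), "attrs": {}})
        elif m := SEND_RE.match(line):
            packets.append(current := {"kind": m[1], "peer": m[3], "id": int(m[2]), "attrs": {}})
        elif (m := ATTR_RE.match(line)) and current is not None:
            current["attrs"][m[1]] = m[2].strip()
        else:
            current = None  # "auth: ...", "Finished request ..." etc. end the attribute list
    return packets

def reply_for(packets, user):
    """Access-Accept attrs answering `user`'s request: same NAS ip:port and same packet id."""
    for i, p in enumerate(packets):
        if p["kind"] == "Access-Request" and p["attrs"].get("User-Name") == f'"{user}"':
            for q in packets[i + 1:]:
                if q["kind"] == "Access-Accept" and (q["peer"], q["id"]) == (p["peer"], p["id"]):
                    return q["attrs"]
    return None

def diff_attrs(good, bad):
    """Attributes missing from `bad`, extra in `bad`, and present in both with a different value."""
    missing = sorted(set(good) - set(bad))
    extra = sorted(set(bad) - set(good))
    changed = sorted(k for k in set(good) & set(bad) if good[k] != bad[k])
    return missing, extra, changed

# Constructed excerpt in the quoted log's format: a working session (userA) and a failing one (userB).
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=200, length=95
\tUser-Name = "userA@example.net"
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 172.17.17.1:1645
\tFramed-IP-Netmask = 255.255.255.128
\tFramed-MTU = 1492
Finished request 16
rad_recv: Access-Request packet from host 172.17.17.1:1645, id=201, length=95
\tUser-Name = "userB@example.net"
Sending Access-Accept of id 201 to 172.17.17.1:1645
\tFramed-MTU = 1500
"""
```

Feed it the full -X output for one good and one bad login; a non-empty "missing" list points at attributes the NAS would otherwise have to default, which is exactly the hunch James raises.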