RADIUS process looping...
Stefan Adams
stefan at borgia.com
Thu Dec 22 05:45:54 CET 2005
I am sure that this is not related to FreeRADIUS but I have seen the
topic posted here so I wanted to post my research for those that
search these archives.
It appears to be a common problem of having a Windows Client
(specifically with the wZc utility) which gets stuck in a loop of
constantly verifying authorization and obtaining an IP. I,
personally, can see from my radiusd -A -X output that the entire
auth/autz process succeeds -- on EVERY pass of the loop.
AFTER applying the MS Hotfix KB885453, I still have my clients
periodically stuck in a loop (as according to the RADIUS server
showing the same debug info over and over). I have found that it
appears to be due to my access point (D-Link DWL-3200AP) REBOOTING!
Here is what I told my D-Link rep:
"These steps help to illustrate the problem:
logged into the windows domain.
configured the wireless interface for WPA using automatically provided
windows credentials
successfully and immediately logged on to the wireless WPA network
logged out
logged back into the windows domain and it successfully and immediately
connected to the WPA network
rebooted
logged into domain, it took 3 (THREE) minutes to login (using cached
credentials)
-- This entire time NO connections were made to the RADIUS server
after finally logging in I notice that about 40 pings to the AP were
dropped before it came back to life and suddenly 260 buffered RADIUS
requests were sent to the RADIUS server. After the 260th, the windows
computer successfully connected to the WPA wireless network.
It is important to note that DURING a windows domain logon (and
simultaneously a connection to the WPA wireless network) the AP
REBOOTED."
Is my hypothesis correct -- that it is the AP? Do I have enough
information to make that determination? To anyone that would like to
help me troubleshoot the issue, let me know if I can provide more
information or logs or debug output or whatever...
BTW, I also have syslog logs (DWL-3200AP can log to a syslogger...)
proving that the AP REBOOTED and not just some of my pings were
dropped.
Stefan
Here is my configuration:
D-Link DWL-3200AP FW2.10, WPA-Enterprise w/AES, multi-SSID support, VLAN support
FreeRADIUS 1.1.0-pre0 (snapshot-20051220)
Windows XP SP2, 802.1x, EAP-PEAP, MS-CHAPv2
radiusd.conf:
proxy_requests = no
$INCLUDE ${confdir}/proxy.conf
modules {
    unix {
        radwtmp = ${logdir}/radwtmp
    }
    mschap {
        authtype = MS-CHAP
        use_mppe = yes
        require_encryption = yes
        require_strong = yes
        with_ntdomain_hack = yes
    }
    ldap {
        server = "<snip>"
        identity = "<snip>"
        password = <snip>
        basedn = "<snip>"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        base_filter = "(objectclass=radiusprofile)"
        tls { ... }
        access_attr = "dialupAccess"
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        auto_header = no
        access_attr_used_for_allow = yes
    }
    eap {
        default_eap_type = peap
        timer_expire = 60
        ignore_unknown_eap_types = no
        cisco_accounting_username_bug = no
        tls {
            private_key_password = <snip>
            private_key_file = /etc/1x/server.pem
            certificate_file = /etc/1x/server.pem
            CA_file = /etc/1x/root.pem
            dh_file = /etc/1x/DH
            random_file = /etc/1x/random
            include_length = yes
        }
        peap {
            default_eap_type = mschapv2
            copy_request_to_tunnel = yes
        }
        mschapv2 {
        }
    }
    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }
    preprocess {
        :
        with_ntdomain_hack = no
        :
    }
}
authorize {
    preprocess
    ntdomain
    eap
    ldap
}
authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
}
clients.conf:
client 172.16.16.0/24 {
    secret = testing123
    shortname = ap
}
client 172.16.254.0/24 {
    secret = testing123
    shortname = server
}
proxy.conf:
realm LOCAL {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
realm DEFAULT {
    type = radius
    authhost = LOCAL
    accthost = LOCAL
}
[
If SSID Authorization is desired:
modules {
    ldap {
        filter =
        "(&(uid=%{Stripped-User-Name:-%{User-Name}})(radiusCalledStationId=%{Called-Station-ID}))"
    }
    attr_rewrite getssid {
        attribute = Called-Station-Id
        # may be "packet", "reply", "proxy", "proxy_reply" or "config"
        searchin = packet
        # Strip the MAC Address out of the Called-Station-ID
        # Resulting in just the SSID
        searchfor = ".................:"
        replacewith = ""
        ignore_case = yes
        new_attribute = no
        # max_matches = 10
        # ## If set to yes then the replace string will be appended to th
        # append = no
    }
}
authorize {
    :
    eap
    getssid
    ldap
    :
}
]
Windows XP:
Apply this Pre-SP3 Hotfix:
http://support.microsoft.com/?kbid=885453
Windows Network Connection Properties:
Preferred networks, [SSID] Properties:
Association:
Network Auth: WPA
Data Enc: AES
Authentication:
EAP Type: PEAP
Properties:
X Validate Server certificate
[You must install the Root CA certificate into the trusted
root ca list and choose it here.]
EAP-MS-CHAP v2
Configure:
X Automatically use my Windows logon name and Password (IF
PC IS JOINED TO DOMAIN)
[ ] Automatically use my Windows logon name and Password
(IF NOT JOINED)
X Enable Fast Reconnect
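The SSID-authorization snippet above strips the AP MAC from Called-Station-Id with an attr_rewrite rule and then feeds the remainder, together with the realm-stripped user name, into an LDAP filter. As an added example (not from the post and not FreeRADIUS code), the following Python performs the same transformations stand-alone so they can be checked in isolation: the MAC regex is anchored to the start of the value, both filter expansions get RFC 4515 escaping, and an AP that sends no SSID yields None rather than a filter comparing radiusCalledStationId against the bare MAC. All Called-Station-Id values and user names in it are constructed test data.

```python
import re
from typing import Optional

# Constructed sample values, in the "<AP MAC>:<SSID>" form a WPA-Enterprise
# AP typically puts in Called-Station-Id. MAC and SSIDs are made up.
SAMPLE_CALLED_STATION_IDS = [
    "00-11-22-33-44-55:corp-wpa",
    "00-11-22-33-44-55:guest",
    "00-11-22-33-44-55",           # AP that sends no SSID at all
]

# Equivalent of the post's attr_rewrite searchfor ".................:" (17
# characters of MAC plus the ':' separator), but anchored so that it can only
# ever remove a leading MAC and never 17 arbitrary characters mid-string.
_MAC_PREFIX = re.compile(r"^.{17}:")


def strip_ntdomain(user_name: str) -> str:
    """Mimic realm ntdomain { format = prefix, delimiter = "\\" }: DOMAIN\\user -> user."""
    _domain, sep, user = user_name.partition("\\")
    return user if sep else user_name


def ssid_from_called_station_id(csi: str) -> Optional[str]:
    """Return the SSID part of Called-Station-Id, or None when there is none."""
    if not _MAC_PREFIX.match(csi):
        return None                      # no "<MAC>:" prefix, so nothing to authorize on
    ssid = _MAC_PREFIX.sub("", csi, count=1)
    return ssid or None                  # "<MAC>:" with an empty SSID is also "no SSID"


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside an LDAP search filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\0" else ch for ch in value)


def ssid_filter(user_name: str, csi: str) -> Optional[str]:
    """Build the per-SSID filter from the post, or None if the request has no SSID.

    Returning None lets the caller reject explicitly instead of running a search
    whose radiusCalledStationId term can never match a real SSID.
    """
    ssid = ssid_from_called_station_id(csi)
    if ssid is None:
        return None
    return "(&(uid=%s)(radiusCalledStationId=%s))" % (
        ldap_escape(strip_ntdomain(user_name)), ldap_escape(ssid))
```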