Radius Proxying and IP injection

John Williams john.williams at eurisp.co.uk
Mon Jun 12 22:32:12 CEST 2006


Joe

I don't think our customer is sending any attributes that we don't send to
the Cisco ourselves. However I'll get him to send me a users entry and see
if that's the case before I turn all that debug on :)

If you see my previous email you'll see the radius debug I sent when one of the
users tried to log on.
For some reason the IP address being assigned is 255.255.255.254 and not the
one the customer is sending.

Looking through the radius files I saw this in the attrs file:

##################
# The rest of this file contains the DEFAULT entry.
# DEFAULT matches with all realm names.
#

DEFAULT
       Service-Type == Framed-User,
       Service-Type == Login-User,
       Login-Service == Telnet,
       Login-Service == Rlogin,
       Login-Service == TCP-Clear,
       Login-TCP-Port <= 65536,
       Framed-IP-Address == 255.255.255.254,
       Framed-IP-Netmask == 255.255.255.255,
       Framed-Protocol == PPP,
       Framed-Protocol == SLIP,
       Framed-Compression == Van-Jacobson-TCP-IP,
       Framed-MTU >= 576,
       Framed-Filter-ID =* ANY,
       Reply-Message =* ANY,
       Proxy-State =* ANY,
       Session-Timeout <= 28800,
       Idle-Timeout <= 600,

#########

I see the default IP assigned is 255.255.255.254 which is the same as what
the radius debug shows.
Would this be the cause maybe?
I've now commented it out and reloaded radius, so now I have to wait for a
user to try and connect again.

John

-----Original Message-----
From: freeradius-users-bounces+john.williams=eurisp.co.uk at lists.freeradius.org
[mailto:freeradius-users-bounces+john.williams=eurisp.co.uk at lists.freeradius.org]
On Behalf Of Joe Maimon
Sent: 12 June 2006 21:10
To: FreeRadius users mailing list
Subject: Re: Radius Proxying and IP injection



John Williams wrote:

>
> 
> However the users that are authenticating are being dropped offline as 
> soon as they authenticate.
> 
> The account logs show the reason as being "User-Request" although the 
> user hasn't requested a disconnect, in fact they aren't connected long 
> enough to do so.
> 
>  
> 
> The customer is also sending a framed IP address for each user that 
> connects via the users radius users file entry.

Your Cisco doesn't like certain attributes in the reply and closes the
connections. Likely as not the attributes it doesn't like are the ones in
relation to what your customer is trying to assign. Debugs will show you
exactly which one, but beware.

debug radius
debug aaa authentication
debug aaa authorization
debug aaa per-user
debug aaa subsys
debug ppp negotiation
debug vtemplate ev
debug vtemplate cloning
debug vprofile


I would also run your server in debugging mode to see exactly which 
attributes are being sent to your cisco nas for those users.


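The attrs entry quoted in the message is what attributes in a proxied reply are tested against. As an added example (not part of the original thread and not FreeRADIUS code), this Python sketch parses that DEFAULT entry and lists which attributes of a reply satisfy none of its rules. The sample reply and the names `parse_rules`, `matches` and `unmatched` are constructed for illustration, and what the server then does with a non-matching attribute is not modelled.

```python
import re

# DEFAULT entry exactly as quoted in the message above (FreeRADIUS attrs file).
ATTRS_DEFAULT = """\
DEFAULT
       Service-Type == Framed-User,
       Service-Type == Login-User,
       Login-Service == Telnet,
       Login-Service == Rlogin,
       Login-Service == TCP-Clear,
       Login-TCP-Port <= 65536,
       Framed-IP-Address == 255.255.255.254,
       Framed-IP-Netmask == 255.255.255.255,
       Framed-Protocol == PPP,
       Framed-Protocol == SLIP,
       Framed-Compression == Van-Jacobson-TCP-IP,
       Framed-MTU >= 576,
       Framed-Filter-ID =* ANY,
       Reply-Message =* ANY,
       Proxy-State =* ANY,
       Session-Timeout <= 28800,
       Idle-Timeout <= 600,
"""

# Constructed proxied reply (illustrative values, not taken from the thread).
SAMPLE_REPLY = [("Service-Type", "Framed-User"), ("Framed-Protocol", "PPP"),
                ("Framed-IP-Address", "192.0.2.10"), ("Session-Timeout", "3600"),
                ("Idle-Timeout", "900")]

RULE = re.compile(r"^\s*([\w-]+)\s*(==|<=|>=|=\*)\s*([^,\s]+)\s*,?\s*$")

def parse_rules(text):
    """Map attribute name -> list of (operator, value) rules."""
    rules = {}
    for m in filter(None, map(RULE.match, text.splitlines())):
        rules.setdefault(m.group(1), []).append((m.group(2), m.group(3)))
    return rules

def matches(op, want, got):
    if op == "=*":            # any value is accepted
        return True
    if op == "==":            # only this exact value is accepted
        return want == got
    return int(got) <= int(want) if op == "<=" else int(got) >= int(want)

def unmatched(rules, reply):
    """Reply attributes whose value satisfies none of the entry's rules."""
    return [(a, v) for a, v in reply
            if not any(matches(op, w, v) for op, w in rules.get(a, []))]
```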