only work with 5 users or clients

James Wakefield jamesw at deakin.edu.au
Wed Oct 4 06:11:04 CEST 2006


Hi Tom,

I see nothing that should cause the behaviour you're seeing, though bear 
in mind I'm not a VPDN expert.

Could you post:

* An Access-Request packet logged when your setup is working
* The Access-Accept packet that corresponds with the above Access-Request
* An Access-Request packet when your setup is *not* working
* The Access-Accept packet that corresponds with the above Access-Request

Could you also perhaps check on the general health of your router and 
the AAA server when the setup isn't working?  Does it coincide with 
anomalous CPU usage, load average, memory usage etc?

I don't *think* you need to check or reply with any tunnelling-related 
attributes in simple cases of a VPDN setup, but as I say, I'm not an 
expert in that area.

Cheers,
James.


Tom Miller wrote:
> Here is a more detailed list of aaa for my Cisco 7204 
> configuration:
> 
> aaa new-model
> aaa authentication login default local
> aaa authentication login console enable
> aaa authentication login telnet line
> aaa authentication login localauth local
> aaa authentication ppp default group radius local
> aaa authorization network default group radius local
> aaa accounting delay-start
> aaa accounting nested
> aaa accounting exec default start-stop group radius
> aaa accounting network default start-stop group radius
> 
> 
> !
> vpdn enable
> vpdn aaa override-server 172.17.17.17
> !
> vpdn-group 1
>  accept-dialin
>   protocol l2tp
>   virtual-template 1
>  terminate-from hostname aaaabbbr.ca.AADS
>  local name abc123456789cha
>  lcp renegotiation always
>  l2tp tunnel password 7 xxxxxxxxxxxxxxxx
> !
> 
> radius-server host 172.17.17.17 auth-port 1645 acct-port 1646
> 
> 
> !
> interface Virtual-Template1
>  mtu 1492
>  ip address 192.168.172.1 255.255.255.128
>  peer default ip address pool DSLCustomer
>  ppp authentication chap callin
> !
> ip local pool DSLCustomer 192.168.172.51 192.168.172.125
> 
> ---- Original message ----
>> Date: Mon, 02 Oct 2006 09:18:59 +1000
>> From: James Wakefield <jamesw at deakin.edu.au>
>> Subject: Re: only work with 5 users or clients
>> To: tom at hostwebase.com, FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
>> Tom Miller wrote:
>>> I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and 
>>> freeradius (1.0.4)
>>>
>>> I am having a problem when the number of users (clients) 
>>> increases to 6 and up.
>>>
>>> It worked fine when I have only 5 users (clients) using
>>> the system.
>>>
>>>
>>> I found the max_requests was set at 1024 in radiusd.conf and 
>>> have increased the number up to 50 clients (50x256=12800)
>>>
>>> max_requests = 12800
>>>
>>>
>>>
>>> However, it doesn't seem to have any effect. What am I 
>>> doing wrong?
>>>
>>>
>>> One thing I noticed. The two users that cannot connect 
>>> will send incomplete information
>>> to the radius server from NAS (7204) such as:
>>>
>>>
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 192.168.17.1:1645, 
>>> id=200, length=95
>>>         NAS-IP-Address = 192.168.17.1
>>>         NAS-Port = 3
>>>         NAS-Port-Type = ISDN
>>>         User-Name = "knguyen at abc.net"
>>>         CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
>>>         Service-Type = Framed-User
>>>         Framed-Protocol = PPP
>>>
>>> auth: user supplied CHAP-Password matches local User-Password
>>> Sending Access-Accept of id 200 to 192.168.17.1:1645
>>>         Service-Type = Framed-User
>>>         Framed-Protocol = PPP
>>>         Framed-IP-Address = 209.101.222.12
>>>         Framed-IP-Netmask = 255.255.255.128
>>>         Framed-MTU = 1492
>>> Finished request 16
>>> Going to the next request
>>>
>>>
>>>
>>>
>>> *********** This is a log when it connected.   It included 
>>> the Tunnel server and client end point *********
>>>
>>>
>>>
>>> rad_recv: Accounting-Request packet from host 
>>> 192.168.17.1:1646, id=199, length=232
>>>         NAS-IP-Address = 192.168.17.1
>>>         NAS-Port = 6
>>>         NAS-Port-Type = ISDN
>>>         User-Name = "knguyen at abc.net"
>>>         Acct-Status-Type = Stop
>>>         Acct-Authentic = RADIUS
>>>         Service-Type = Framed-User
>>>         Acct-Session-Id = "00000CD8"
>>>         Framed-Protocol = PPP
>>>         Tunnel-Server-Endpoint:0 = "10.10.6.5"
>>>         Tunnel-Client-Endpoint:0 = "10.10.6.6"
>>>         Tunnel-Type:0 = L2TP
>>>         Tunnel-Client-Auth-Id:0 = "12345678"
>>>         Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
>>>         Acct-Tunnel-Connection = "13441125"
>>>         Framed-IP-Address = 209.101.222.12
>>>         Acct-Terminate-Cause = Admin-Reset
>>>         Acct-Input-Octets = 281672
>>>         Acct-Output-Octets = 266074
>>>         Acct-Input-Packets = 4390
>>>         Acct-Output-Packets = 4154
>>>         Acct-Session-Time = 1967
>>>         Acct-Delay-Time = 0
>>>   Processing the preacct section of radiusd.conf
>>>
>> This is an accounting stop record, as opposed to the access accept 
>> record you display above and below.  It isn't necessarily indicative of 
>> what freeradius sent to the NAS, or anything else that happened when the 
>> client connected.
>>
>>> --- Walking the entire request list ---
>>> Waking up in 6 seconds...
>>> rad_recv: Access-Request packet from host 172.17.17.1:1645, 
>>> id=200, length=95
>>>         NAS-IP-Address = 172.17.17.1
>>>         NAS-Port = 3
>>>         NAS-Port-Type = ISDN
>>>         User-Name = "knguyen at eintegration.net"
>>>         CHAP-Password = 0xcc3aeb78c7482c25ab08dc0625fcb4007e
>>>         Service-Type = Framed-User
>>>         Framed-Protocol = PPP
>>>
>>> auth: user supplied CHAP-Password matches local User-Password
>>> Sending Access-Accept of id 200 to 172.17.17.1:1645
>>>         Service-Type = Framed-User
>>>         Framed-Protocol = PPP
>>>         Framed-IP-Address = 38.101.172.12
>>>         Framed-IP-Netmask = 255.255.255.128
>>>         Framed-MTU = 1492
>>> Finished request 16
>>> Going to the next request
>>>
>>>
>>> What am I missing here?
>> How are you authenticating and authorizing your users?  users file, some 
>> sort of database or directory?  Could you send some relevant excerpts 
>> from those sources, eg: some users file stanzas if you're using the 
>> users file, objects from your LDAP directory in LDIF if you're using LDAP?
>> My hunch is that freeradius isn't configured to send the necessary 
>> attributes and your NAS is defaulting those attributes, but can't do 
>> that for more than 5 concurrent users.  Unless you're observing 
>> considerable delay between the receipt of access-request and the sending 
>> of access-accept (ie: more than a couple of seconds), or freeradius is 
>> sending different attributes with the access-accept for the same user 
>> when things seem to be going wrong to when they're going right, I think 
>> you're missing some attributes or your NAS is misconfigured or both.
>>
>> Cheers,
>> -- 
>> James Wakefield,
>> Unix Administrator, Information Technology Services Division
>> Deakin University, Geelong, Victoria 3217 Australia.
>>
>> Phone: 03 5227 8690 International: +61 3 5227 8690
>> Fax:   03 5227 8866 International: +61 3 5227 8866
>> E-mail:   james.wakefield at deakin.edu.au
>> Website:  http://www.deakin.edu.au


-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   james.wakefield at deakin.edu.au
Website:  http://www.deakin.edu.au
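The comparison James asks for above (the Access-Request/Access-Accept pair from a working session against the pair from a failing one) can be done mechanically on `radiusd -X` output. The script below is an added example, not code from this thread or from the FreeRADIUS project: it parses the `rad_recv:` / `Sending Access-Accept` blocks in the debug format shown in the thread, pairs each request with its reply by packet id and NAS address, and lists the attributes that are missing or changed between two sessions. The two sample logs are constructed (RFC 5737 addresses, fabricated CHAP hashes) and the `VOLATILE` set of attributes to ignore is the author's assumption about what legitimately differs per request.

```python
"""Diff RADIUS attribute sets between a working and a failing session.

Added example, not from the thread: reads radiusd -X style debug output,
pairs each Access-Request with the Access-Accept/Reject sent for it, and
lists attributes missing or changed between two sessions. The sample
logs below are constructed (RFC 5737 addresses, fake CHAP hashes).
"""
import re

# Packet header shapes printed by FreeRADIUS 1.x debug output, e.g.
#   rad_recv: Access-Request packet from host 192.0.2.1:1645, id=200, length=95
#   Sending Access-Accept of id 200 to 192.0.2.1:1645
PACKET_RE = re.compile(
    r"^(?:rad_recv: (?P<rtype>[\w-]+) packet from host (?P<rhost>\S+),"
    r" id=(?P<rid>\d+), length=\d+"
    r"|Sending (?P<stype>[\w-]+) of id (?P<sid>\d+) to (?P<shost>\S+))\s*$"
)
# Indented "Name = value" lines; tagged attributes (Tunnel-Type:0) included.
ATTR_RE = re.compile(r"^\s+(?P<name>[\w-]+(?::\d+)?) = (?P<value>.*)$")

# Assumption: attributes that legitimately differ on every request.
VOLATILE = frozenset({"CHAP-Password", "CHAP-Challenge", "State"})


def parse_packets(text):
    """Return [{'type', 'host', 'id', 'attrs'}] in log order."""
    packets, current = [], None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            recv = m.group("rtype") is not None
            current = {
                "type": m.group("rtype" if recv else "stype"),
                "host": m.group("rhost" if recv else "shost"),
                "id": int(m.group("rid" if recv else "sid")),
                "attrs": {},
            }
            packets.append(current)
            continue
        a = ATTR_RE.match(line)
        if a and current is not None:
            current["attrs"][a.group("name")] = a.group("value").strip()
        else:
            current = None  # any other line ends the attribute list


    return packets


def find_reply(packets, request):
    """The Access-Accept/Reject with the same id and NAS host as request."""
    for p in packets:
        if (p["type"] in ("Access-Accept", "Access-Reject")
                and p["id"] == request["id"] and p["host"] == request["host"]):
            return p
    return None


def diff_attrs(a, b, ignore=frozenset()):
    """Return (only_in_a, only_in_b, changed) as sorted attribute names."""
    ka, kb = set(a) - ignore, set(b) - ignore
    return (sorted(ka - kb), sorted(kb - ka),
            sorted(k for k in ka & kb if a[k] != b[k]))


def compare_sessions(working_log, broken_log):
    """Diff request and reply attributes of the first session in each log."""
    sessions = []
    for log in (working_log, broken_log):
        packets = parse_packets(log)
        req = next(p for p in packets if p["type"] == "Access-Request")
        rep = find_reply(packets, req)
        if rep is None:
            raise ValueError("no reply found for request id %d" % req["id"])
        sessions.append((req, rep))
    (good_req, good_rep), (bad_req, bad_rep) = sessions
    return {
        "request": diff_attrs(good_req["attrs"], bad_req["attrs"], VOLATILE),
        "reply": diff_attrs(good_rep["attrs"], bad_rep["attrs"]),
    }


# Constructed sample: the same user on a session that worked ...
WORKING_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.1:1645, id=200, length=95
        NAS-IP-Address = 192.0.2.1
        NAS-Port = 3
        User-Name = "user@example.net"
        CHAP-Password = 0x00112233445566778899aabbccddeeff00
        Framed-Protocol = PPP
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 200 to 192.0.2.1:1645
        Service-Type = Framed-User
        Framed-IP-Address = 198.51.100.12
        Framed-IP-Netmask = 255.255.255.128
        Framed-MTU = 1492
Finished request 16
"""

# ... and on one that failed (different port, no address, different MTU).
BROKEN_LOG = """\
rad_recv: Access-Request packet from host 192.0.2.1:1645, id=201, length=95
        NAS-IP-Address = 192.0.2.1
        NAS-Port = 6
        User-Name = "user@example.net"
        CHAP-Password = 0x01ffeeddccbbaa99887766554433221100
        Framed-Protocol = PPP
auth: user supplied CHAP-Password matches local User-Password
Sending Access-Accept of id 201 to 192.0.2.1:1645
        Service-Type = Framed-User
        Framed-IP-Netmask = 255.255.255.128
        Framed-MTU = 1500
Finished request 17
"""

if __name__ == "__main__":
    for side, (missing, extra, changed) in compare_sessions(WORKING_LOG, BROKEN_LOG).items():
        print("%s: missing in broken=%s extra in broken=%s changed=%s"
              % (side, missing, extra, changed))
```

Run it against two saved `radiusd -X` captures (one per session) instead of the embedded samples; an empty diff on the reply side, combined with a long gap between `rad_recv` and `Sending`, points at the NAS or at server load rather than at missing attributes, which is the distinction James draws above.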
