Re: only work with 5 users or clients

[James Wakefield <jamesw@deakin.edu.au>]

Tom Miller wrote:
> I have a 7204 (12.0(22)S1) terminating DSL L2TP VPDN and 
> freeradius ( 1.0.4)
>
> I am having problem when number of users (clients) 
> increase from 6 and up.
>
> It worked fine when I have only 5 users (clients) using
> the system.
>
>
> I found the max_requests was set at 1024 in radiusd.conf and 
> have inscrease the number up to 50 clients (50x256=12800)
>
> max_requests = 12800
>
>
>
> However,  It doesn't seem to have any effect. What am I doing
> wrong.
>
>
> One things I noticed.  The two users that can not connect 
> will sent incomplete information
> to the radius server from NAS (7204) such as:
>
>
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 192.168.17.1:1645, 
> id=200, length=95
>         NAS-IP-Address = 192.168.17.1
>         NAS-Port = 3
>         NAS-Port-Type = ISDN
>         User-Name = "knguyen@abc.net"
>         CHAP-Password = 7482c25ab08ffsddfddc0625fcb4007e
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> auth: user supplied CHAP-Password matches local User-Password
> Sending Access-Accept of id 200 to 192.168.17.1:1645
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = 209.101.222.12
>         Framed-IP-Netmask = 255.255.255.128
>         Framed-MTU = 1492
> Finished request 16
> Going to the next request
>
>
>
>
> *********** This is a log when it connected.   It included 
> the Tunnel server and client end point *********
>
>
>
> rad_recv: Accounting-Request packet from host 
> 192.168.17.1:1646, id=199, length=232
>         NAS-IP-Address = 192.168.17.1
>         NAS-Port = 6
>         NAS-Port-Type = ISDN
>         User-Name = "knguyen@abc.net"
>         Acct-Status-Type = Stop
>         Acct-Authentic = RADIUS
>         Service-Type = Framed-User
>         Acct-Session-Id = "00000CD8"
>         Framed-Protocol = PPP
>         Tunnel-Server-Endpoint:0 = "10.10.6.5"
>         Tunnel-Client-Endpoint:0 = "10.10.6.6"
>         Tunnel-Type:0 = L2TP
>         Tunnel-Client-Auth-Id:0 = "12345678"
>         Tunnel-Server-Auth-Id:0 = "sfldse26rr.wi.AADS"
>         Acct-Tunnel-Connection = "13441125"
>         Framed-IP-Address = 209.101.222.12
>         Acct-Terminate-Cause = Admin-Reset
>         Acct-Input-Octets = 281672
>         Acct-Output-Octets = 266074
>         Acct-Input-Packets = 4390
>         Acct-Output-Packets = 4154
>         Acct-Session-Time = 1967
>         Acct-Delay-Time = 0
>   Processing the preacct section of radiusd.conf

This is an accounting stop record, as opposed to the access accept 
record you display above and below.  It isn't necessarily indicative of 
what freeradius sent to the NAS, or anything else that happened when the 
client connected.

> --- Walking the entire request list ---
> Waking up in 6 seconds...
> rad_recv: Access-Request packet from host 172.17.17.1:1645, 
> id=200, length=95
>         NAS-IP-Address = 172.17.17.1
>         NAS-Port = 3
>         NAS-Port-Type = ISDN
>         User-Name = "knguyen@eintegration.net"
>         CHAP-Password = 0xcc3aeb78c7482c25ab08dc0625fcb4007e
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> auth: user supplied CHAP-Password matches local User-Password
> Sending Access-Accept of id 200 to 172.17.17.1:1645
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-IP-Address = 38.101.172.12
>         Framed-IP-Netmask = 255.255.255.128
>         Framed-MTU = 1492
> Finished request 16
> Going to the next request
>
>
> What am I missing here?

How are you authenticating and authorizing your users?  users file, some 
sort of database or directory?  Could you send some relevant excerpts 
from those sources, eg: some users file stanzas if you're using the 
users file, objects from your LDAP directory in LDIF if you're using LDAP?

My hunch is that freeradius isn't configured to send the necessary 
attributes and your NAS is defaulting those attributes, but can't do 
that for more than 5 concurrent users.  Unless you're observing 
considerable delay between the receipt of access-request and the sending 
of access-accept (ie: more than a couple of seconds), or freeradius is 
sending different attributes with the access-accept for the same user 
when things seem to be going wrong to when they're going right, I think 
you're missing some attributes or your NAS is misconfigured or both.


Cheers,
--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   james.wakefield@deakin.edu.au
Website:  http://www.deakin.edu.au