Freeradius & vpn issue

Alan DeKok aland at deployingradius.com
Tue Jan 17 21:55:57 CET 2012


Guillermo Bayon del Oso wrote:
> I'm a non-native speaker, so please accept my apologies if I'm not
> totally clear with my language. It's an issue with a net equipment that
> implements VPN connections and the authentication server (implemented
> with Freeradius).

  Your language is fine.

> We work with several software providers who connect with our Intranet
> through the VPN, in order to make their web applications maintenance
> tasks. The clients are connected without problems for a long period of
> time during the night. But eventually the Freeradius (or vpn appliance,
> we don't know for certain) suddenly disconnects the clients from the VPN
> during the next day in the morning (when our partners are working).
> Actually several times (maybe 6 times).

  If the user gets connected for a time, and THEN disconnected: blame
the NAS (or VPN appliance).  The explanation is simple: the user is
allowed on the network after talking to FreeRADIUS.  Then, without
talking to FreeRADIUS, the user is disconnected.

  It can't be a FreeRADIUS issue.

> The error we've seen in the log (we've used radmin and raddebug tools) is:
> 
>     "Acct-Terminate-Cause = 0"
> 
> But in the Radius Accounting RFC
> (http://freeradius.org/rfc/rfc2866.html) this value is not permitted
> (possible values are 1-18).

  Ah, yes.  The VPN software is broken.  This is fairly common.
FreeRADIUS follows the RFCs.  NAS / VPN software... not so much.

> <sess_id_num>, <acct_sess_id>, <IP_x> and <usr_name> aren't real values
> (they're masked for privacy) although I think the error isn't related to
> them.
> Thank you very much in advance!!

  Call up the vendor of the VPN appliance, and ask them why their
product doesn't work.  If they argue, point out that I'm the author /
co-author of many RADIUS RFCs, including 5080, 6158, and others.

  They can believe their internal engineers who know nothing about
RADIUS.  Or, they can believe someone who wrote the specifications
describing the protocol.

  Alan DeKok.
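
Added example, not part of the original thread and not FreeRADIUS code: a small parser that reads the attributes of a RADIUS Accounting-Request and flags an Acct-Terminate-Cause outside the 1-18 range from RFC 2866 cited above. The sample packets, the session id and the zeroed authenticator are constructed for illustration; the authenticator is not verified.

```python
import struct

ACCOUNTING_REQUEST = 4          # RADIUS packet code (RFC 2866)
ACCT_STATUS_TYPE = 40           # attribute types (RFC 2866)
ACCT_SESSION_ID = 44
ACCT_TERMINATE_CAUSE = 49
VALID_CAUSES = range(1, 19)     # RFC 2866 defines values 1-18


def parse_attributes(packet: bytes) -> list:
    """Return (type, value) pairs from an Accounting-Request, checking lengths."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or not 20 <= length <= len(packet):
        raise ValueError("not a well-formed Accounting-Request")
    attrs, pos = [], 20
    while pos < length:
        # Each attribute is type (1 octet), length (1 octet, includes header), value.
        a_len = packet[pos + 1] if pos + 2 <= length else 0
        if a_len < 2 or pos + a_len > length:
            raise ValueError("malformed attribute")
        attrs.append((packet[pos], packet[pos + 2:pos + a_len]))
        pos += a_len
    return attrs


def check_terminate_cause(packet: bytes) -> tuple:
    """Return (Acct-Terminate-Cause, is_valid); cause is None if absent."""
    for a_type, value in parse_attributes(packet):
        if a_type == ACCT_TERMINATE_CAUSE:
            if len(value) != 4:
                raise ValueError("Acct-Terminate-Cause must be 4 octets")
            cause = struct.unpack("!I", value)[0]
            return cause, cause in VALID_CAUSES
    return None, True


def build_stop(cause: int) -> bytes:
    """Constructed sample: Accounting-Request (Stop) carrying the given cause."""
    attrs = struct.pack("!BBI", ACCT_STATUS_TYPE, 6, 2)       # 2 = Stop
    attrs += bytes([ACCT_SESSION_ID, 10]) + b"sess0001"       # placeholder id
    attrs += struct.pack("!BBI", ACCT_TERMINATE_CAUSE, 6, cause)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, 1, 20 + len(attrs))
    return header + bytes(16) + attrs   # zeroed authenticator, not verified


if __name__ == "__main__":
    for c in (0, 1, 18, 19):
        print(c, check_terminate_cause(build_stop(c)))
```

Run against captured accounting traffic from the NAS, a result of (0, False) on Stop records is concrete evidence to hand to the appliance vendor.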


