Freeradius with LNS & Provider BRAS

Neil Morris nmorris at tibus.com
Sat Sep 12 20:21:38 CEST 2015


Wayne & James,

Thanks very much for your input, it's much appreciated.

@James – I have stripped everything back to just the ‘Framed’
sections and can get authentications to pass successfully.  As soon as I add
an AVP it fails again…

I remarked out the compression lines as this had caught me out early on in
the setup.  I also tried returning the full profile for the access-accept
but again this failed.


@Wayne – Any tips on the unlang setup?  I am up against it with time. If I
can get away with not having to 're-invent the wheel' so to speak, that
would be great.

Kind Regards,

Neil 

From:  James Bensley <jwbensley at gmail.com>
Reply-To:  FreeRadius users mailing list
<freeradius-users at lists.freeradius.org>
Date:  Saturday, 12 September 2015 11:42
To:  FreeRadius users mailing list <freeradius-users at lists.freeradius.org>
Subject:  Re: Freeradius with LNS & Provider BRAS

On 11 September 2015 at 16:34, Neil Morris <nmorris at tibus.com> wrote:
>  I have taken some of my config from the following link:
>  https://supportforums.cisco.com/discussion/11294066/session-vrf-mpls-vpn-using-radius-attribute



>  From:  Alan Buxey <A.L.M.Buxey at lboro.ac.uk>
>  Date:  Friday, 11 September 2015 15:27
>  To:  FreeRadius users mailing list <freeradius-users at lists.freeradius.org>,
>  Neil Morris <nmorris at tibus.com>
>  Subject:  Re: Freeradius-Users Digest, Vol 125, Issue 34
> 
>  You aren't sending them what they request. Read your email and see the
>  differences, e.g. Service-Type



>  From: Neil Morris <nmorris at tibus.com>
>  Date: Friday, 11 September 2015 15:02
>  To: <freeradius-users at lists.freeradius.org>
>  Subject:  Re: Freeradius with LNS & Provider BRAS
> 
>  The below is what the SP has requested I return to their BRAS;
> 
>  mydom.net.uk Cleartext-Password := "password"
>  Service-Type = Outbound-User,
>  Tunnel-Type = L2TP,
>  Tunnel-Medium-Type = IP,
>  Tunnel-Password = password,
>  Tunnel-Server-Endpoint = 89.x.y.134,
>  Tunnel-Client-Auth-ID = "MY-LNS"
> 
> 
>  The following is an example of a user account and the Cisco AVP that I am
>  sending;
> 
>  test at mydom.net.uk Cleartext-Password := "test"
>  Service-Type = Framed-User,
>  Framed-Protocol = PPP,
>  Framed-MTU = 1440,
>  Framed-IP-Address = 10.31.253.253,
>  Framed-IP-Netmask = 255.255.255.255,
>  Framed-Route = "0.0.0.0 0.0.0.0 89.x.y.134",
>  Cisco-AVPair = "ip:vrf-id=VRF_417858",
>  Cisco-Avpair += "ip:route#1=vrf VRF_417858 10.31.249.0 255.255.255.0
>  10.31.253.253 tag 417858",
>  Cisco-AVPair += "ip:ip-unnumbered=Loopback417858"
> 
>  The SP is advising me that from their debugs I am sending them everything
>  after the username & password as listed above..
> 
>  They mention that I should have 2 instances for RADIUS or that I change the
>  radius system I use..


Hi Neil,

Like most things in life there is more than one way to skin a cat....
I have successfully used FreeRADIUS for on-net ADSL (requests coming
up from our own DSLAMs and BRAS nodes) with the following users.conf
entry:

example.net Cleartext-Password := "cisco"
Service-Type = Outbound-User,
Tunnel-Type = L2TP,
Tunnel-Medium-Type = IP,
Tunnel-Client-Auth-ID = lac-name,
Tunnel-Server-Auth-ID = lns-name,
Tunnel-Password = L2TPPassword,
Tunnel-Server-Endpoint = 192.0.2.2


Then when our LNS nodes query the RADIUS servers using the whole
username the following users.conf entry is returned by FreeRADIUS:

testuser2 at example.net Cleartext-Password := "testpassword"
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-MTU = 1500,
Framed-IP-Address = 10.0.0.2,
Framed-IP-Netmask = 255.255.255.255,
Session-Timeout = 0,
Idle-Timeout = 300,
Cisco-AVPair = "ip:ip-unnumbered=Loopback0"


In your case when you are using an off-net ADSL provider (a wholesale
ADSL provider), as we also use two wholesale providers as well as LLU,
in the case of both wholesale providers when they send in the
access-request we actually provide a full RADIUS profile back to them
in the access-accept as follows:


Framed-MTU = 1500
Framed-Protocol = PPP
Framed-IP-Address = 100.0.0.1
Framed-IP-Netmask = 255.255.255.255
Service-Type = Framed-User
Cisco-AVPair = ip:ip-unnumbered=Loopback123
Cisco-AVPair += ip:route=vrf CUST-VRF 192.168.0.0 255.255.255.0 10.0.0.1
Tunnel-Type = :1:L2TP
Tunnel-Medium-Type = :1:IPv4
Tunnel-Client-Auth-ID = :1:Provider-LAC-Name
Tunnel-Server-Auth-ID = :1:My-LNS-Name
Tunnel-Password = :1:SuperSecret
Tunnel-Server-Endpoint = :1:MY.LNS.IP.ADDR
Tunnel-Preference = :1:100


As a side note we are actually using Postgres backed FreeRADIUS and
not file based, I just have a file based lab system because I'm lazy,
either way we're returning the exact same info in the lab and in our
production network.

So in the case of my example config above, both of the wholesale
providers ignore everything except the "Tunnel-" fields, they just
build the tunnel to one of our LNS routers and then the LNS replays
the PPP auth, queries the RADIUS servers and does the reverse when it
gets all that info returned and ignores the "Tunnel-" fields and reads
all the others. This isn't by any special configuration on our LNS
routers or the wholesalers' LACs but simply the way these protocols
work. The wholesale providers should only be interested in the
"Tunnel-" fields because they are not terminating the PPP sessions
locally but forwarding it on to us over L2TP.

In your configuration I would try changing this:

>  Cisco-Avpair += "ip:route#1=vrf VRF_417858 10.31.249.0 255.255.255.0
>  10.31.253.253 tag 417858",

To be without the "#1", just:

Cisco-Avpair += "ip:route=vrf VRF_417858 10.31.249.0 255.255.255.0
10.31.253.253 tag 417858",

Also have you tried just removing all the AV pairs except a loopback,
just terminate the session on a loopback in your global routing table
on the LNS and see if the session comes up?

Also have you checked your FreeRADIUS users.conf file and some of the
default configuration files, we found for example that
Framed-Compression was enabled (somewhere by default, I forget where
exactly) which we had to remove because some of our newer LNS routers
don't support that.


I hope that helps somehow.

Cheers,
James.
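James's reply above describes the split in prose: the wholesale BRAS/LAC acts on the Tunnel-* attributes and forwards the PPP session over L2TP, while the LNS acts on the Framed-* and Cisco-AVPair attributes. The post-auth unlang block below is an added example, not configuration from James, Neil or the FreeRADIUS project, showing one way to enforce that split on a single FreeRADIUS 3.x instance instead of running two: it trims the Access-Accept according to which NAS sent the request. The client shortnames sp-bras and my-lns are assumed to be defined in clients.conf; the attribute names and Service-Type values are the ones already used in the thread.

```unlang
# Added example: not from the thread. Goes in the post-auth section of
# sites-enabled/default on a FreeRADIUS 3.x server, ahead of the
# "Post-Auth-Type REJECT" sub-section.
#
# Assumed clients.conf shortnames (hypothetical):
#   sp-bras = the wholesale provider's BRAS / LAC
#   my-lns  = our own L2TP network server
post-auth {
	# The wholesale BRAS only builds the L2TP tunnel, so it only needs the
	# Tunnel-* attributes. Removing everything else means the BRAS never
	# receives attributes it cannot act on, and the customer's addressing,
	# VRF and route details are not disclosed to a third-party device.
	if ("%{client:shortname}" == "sp-bras") {
		update reply {
			&Service-Type := Outbound-User
			&Framed-Protocol !* ANY
			&Framed-MTU !* ANY
			&Framed-IP-Address !* ANY
			&Framed-IP-Netmask !* ANY
			&Framed-Route !* ANY
			&Cisco-AVPair !* ANY
		}
	}

	# Our own LNS terminates PPP, so it needs the Framed-* and Cisco-AVPair
	# attributes and has no use for the tunnel parameters; in particular the
	# L2TP tunnel secret should not leave the server unnecessarily.
	elsif ("%{client:shortname}" == "my-lns") {
		update reply {
			&Service-Type := Framed-User
			&Tunnel-Type !* ANY
			&Tunnel-Medium-Type !* ANY
			&Tunnel-Client-Auth-ID !* ANY
			&Tunnel-Server-Auth-ID !* ANY
			&Tunnel-Password !* ANY
			&Tunnel-Server-Endpoint !* ANY
			&Tunnel-Preference !* ANY
		}
	}

	# Any other client keeps whatever the users file returned.
}
```

Start the server in debug mode with `radiusd -X` and send a request from each client: the reply logged after post-auth should contain only Service-Type and Tunnel-* for the BRAS, and only Service-Type, Framed-* and Cisco-AVPair for the LNS. Keeping Tunnel-Password out of the LNS reply and the VRF and route AV pairs out of the wholesale provider's reply is least privilege applied to the RADIUS profile: each device receives exactly the attributes it acts on, regardless of how the users file or SQL entries are laid out.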
