upgrade from v1 to v3 L2TP issues

Alan DeKok aland at deployingradius.com
Thu Jun 2 17:29:43 CEST 2016 

On Jun 2, 2016, at 9:09 AM, Andy Smith <a.smith at ldex.co.uk> wrote:
> I've just upgraded a freeradius v1.1.8 server with MySQL DB to 3.0.11.
> I didn't install or configure the original and haven't used freeradius
> previously so its been a steep learning curve. I've now got the server
> to a point where it seems to all work on the server side, we are testing
> via NTRadPing and we get a successful authentication logged on the
> server and in NTRadPing. However when we try and use Radius for real
> with a Cisco device doing authentication for L2TP something is failing.

 OK...

> This is what my colleague who runs the network told me having looking at
> the debug info on the router side: 
> 
> "PPP comes up and then the router tries to get an IP address. This
> messages 0.0.0.0 there is no address and request the local router to
> provide it. So basically it's not getting an address from the radius
> server" 

 Everyone blames the RADIUS server for everything.  They're usually wrong.

> When we test with NTRadPing we noticed that the output is slightly
> different if we authenticate against the v1 or v3 radius server: 
> 
> radius 1 - not working
> Framed-IP-Address=93.10.10.10
> vendor Cisco cisco-avpair=lcp:interface-config=ip unnumbered loopback
> 2003\0x0a
> Service-Type=Framed
> Tunnel-Medium-Type=IP
> Tunnel-Type=L2TP
> Tunnel-Password=\0x00\0x85K\0x97\0xd5jk\0x0b\0xefbN\0xac\0x12y\0x80.\0xda\0xb3\0xb1
> Tunnel-Server-Endpoint=178.248.104.124
> Tunnel-Client-Auth-ID=broadband-3
> 
> radius 2 - working (differences in red)

 The list strips HTML.

> Framed-IP-Address=93.10.10.10
> vendor Cisco cisco-avpair=lcp:interface-config=ip unnumbered loopback
> 2003\n
> Service-Type=Framed
> Tunnel-Medium-Type=IP
> Tunnel-Type=L2TP
> Tunnel-Password=\0x00\0xb0}=G\0xe7\0xe4\0x08\0xd1\\0xe4\0xax;\0x0d?\0x15\0xe4\0x8f\0xfe
> Tunnel-Server-Endpoint=178.248.104.124
> Tunnel-Client-Auth-ID=broadband-3 

 The only difference is the cisco-avpair, which ends in 0x0a or \n.

> could this be related to our issue?  Noticing the line return is
> different on the avpair line and the password is different, its stored
> in clear text in the DB.

 The Tunnel-Password is encrypted in the RADIUS packet.  It's supposed to be unreadable.

> Currently a bit stumped. Can pass on the output
> of radiusd -X if the above isn't the key to the problem, 

 Update v3 to send a 0x0a as the final character of the Cisco-AVPair.  But even that shouldn't make a difference.

 The two packets are identical, so far as how things *should* work.

 Alan DeKok.

More information about the Freeradius-Users mailing list