On Jun 2, 2016, at 9:09 AM, Andy Smith <a.smith@ldex.co.uk> wrote:
I've just upgraded a freeradius v1.1.8 server with MySQL DB to 3.0.11. I didn't install or configure the original and haven't used freeradius previously so its been a steep learning curve. I've now got the server to a point where it seems to all work on the server side, we are testing via NTRadPing and we get a successful authentication logged on the server and in NTRadPing. However when we try and use Radius for real with a Cisco device doing authentication for L2TP something is failing.
OK...
This is what my colleague who runs the network told me having looking at the debug info on the router side:
"PPP comes up and then the router tries to get an IP address. This messages 0.0.0.0 there is no address and request the local router to provide it. So basically it's not getting an address from the radius server"
Everyone blames the RADIUS server for everything. They're usually wrong.
When we test with NTRadPing we noticed that the output is slightly different if we authenticate against the v1 or v3 radius server:
radius 1 - not working Framed-IP-Address=93.10.10.10 vendor Cisco cisco-avpair=lcp:interface-config=ip unnumbered loopback 2003\0x0a Service-Type=Framed Tunnel-Medium-Type=IP Tunnel-Type=L2TP Tunnel-Password=\0x00\0x85K\0x97\0xd5jk\0x0b\0xefbN\0xac\0x12y\0x80.\0xda\0xb3\0xb1 Tunnel-Server-Endpoint=178.248.104.124 Tunnel-Client-Auth-ID=broadband-3
radius 2 - working (differences in red)
The list strips HTML.
Framed-IP-Address=93.10.10.10 vendor Cisco cisco-avpair=lcp:interface-config=ip unnumbered loopback 2003\n Service-Type=Framed Tunnel-Medium-Type=IP Tunnel-Type=L2TP Tunnel-Password=\0x00\0xb0}=G\0xe7\0xe4\0x08\0xd1\\0xe4\0xax;\0x0d?\0x15\0xe4\0x8f\0xfe Tunnel-Server-Endpoint=178.248.104.124 Tunnel-Client-Auth-ID=broadband-3
The only difference is the cisco-avpair, which ends in 0x0a or \n.
could this be related to our issue? Noticing the line return is different on the avpair line and the password is different, its stored in clear text in the DB.
The Tunnel-Password is encrypted in the RADIUS packet. It's supposed to be unreadable.
Currently a bit stumped. Can pass on the output of radiusd -X if the above isn't the key to the problem,
Update v3 to send a 0x0a as the final character of the Cisco-AVPair. But even that shouldn't make a difference. The two packets are identical, so far as how things *should* work. Alan DeKok.