Just got some radius debugging here. ####################### rad_recv: Access-Request packet from host 212.248.232.242:1645, id=116, length=85 Framed-Protocol = PPP User-Name = "bob.ken@maxsurf" User-Password = "accutronic2" NAS-Port-Type = Virtual NAS-Port = 907 Service-Type = Framed-User NAS-IP-Address = 212.248.232.242 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 465 modcall[authorize]: module "preprocess" returns ok for request 465 modcall[authorize]: module "chap" returns noop for request 465 modcall[authorize]: module "mschap" returns noop for request 465 rlm_realm: Looking up realm "maxsurf" for User-Name = "bob.ken@maxsurf" rlm_realm: Found realm "maxsurf" rlm_realm: Proxying request from user bob.ken to realm maxsurf rlm_realm: Adding Realm = "maxsurf" rlm_realm: Preparing to proxy authentication request to realm "maxsurf" modcall[authorize]: module "suffix" returns updated for request 465 rlm_eap: No EAP-Message, not doing EAP modcall[authorize]: module "eap" returns noop for request 465 modcall[authorize]: module "files" returns notfound for request 465 modcall: group authorize returns updated for request 465 Processing the pre-proxy section of radiusd.conf modcall: entering group pre-proxy for request 465 radius_xlat: '/var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612 modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 465 modcall: group pre-proxy returns ok for request 465 Sending Access-Request of id 0 to 62.41.128.19:1645 Framed-Protocol = PPP User-Name = "bob.ken@maxsurf" User-Password = "accutronic2" NAS-Port-Type = Virtual NAS-Port = 907 Service-Type = Framed-User NAS-IP-Address = 212.248.232.242 Proxy-State = 0x313136 --- Walking the entire request list --- Waking up in 4 seconds... rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=0, length=111 Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d 2235363935303638352200 Session-Timeout = 7200 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Framed-Protocol = PPP Idle-Timeout = 600 Service-Type = Framed-User Proxy-State = 0x313136 Processing the post-proxy section of radiusd.conf modcall: entering group post-proxy for request 465 radius_xlat: '/var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612' rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612 modcall[post-proxy]: module "post_proxy_log" returns ok for request 465 modcall: group post-proxy returns ok for request 465 Processing the authorize section of radiusd.conf modcall: entering group authorize for request 465 modcall[authorize]: module "preprocess" returns ok for request 465 modcall[authorize]: module "chap" returns noop for request 465 modcall[authorize]: module "mschap" returns noop for request 465 rlm_realm: Proxy reply, or no User-Name. Ignoring. modcall[authorize]: module "suffix" returns noop for request 465 modcall[authorize]: module "eap" returns noop for request 465 modcall[authorize]: module "files" returns notfound for request 465 modcall: group authorize returns ok for request 465 rad_check_password: Found Auth-Type rad_check_password: Auth-Type = Accept, accepting the user Login OK: [bob.ken@maxsurf/accutronic2] (from client l2tp-tunnel port 907) Sending Access-Accept of id 116 to 212.248.232.242:1645 Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d 2235363935303638352200 Session-Timeout = 7200 Framed-IP-Address = 255.255.255.254 Framed-IP-Netmask = 255.255.255.255 Framed-Protocol = PPP Idle-Timeout = 600 Service-Type = Framed-User Finished request 465 Going to the next request ############################## The strange thing is the Framed-IP-Address, it isn't showing the correct IP address that the user has assigned in our customer radius users file. If I run radtest from the command line against the customers radius server it returns: ################### Sending Access-Request of id 3 to 62.41.128.19:1645 User-Name = "bob.ken@maxsurf" User-Password = "accutronic2" NAS-IP-Address = cw2.eurisp.net NAS-Port = 1645 rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=3, length=106 Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d 2235363935313230372200 Session-Timeout = 0 Framed-IP-Address = 85.92.190.82 Framed-IP-Netmask = 255.255.255.255 Acct-Interim-Interval = 7200 Framed-Protocol = PPP Service-Type = Framed-User ####################### With the correct IP address. Any ideas why it's doing this? Thanks John _____ From: freeradius-users-bounces+john.williams=eurisp.co.uk@lists.freeradius.org [mailto:freeradius-users-bounces+john.williams=eurisp.co.uk@lists.freeradius .org] On Behalf Of John Williams Sent: 12 June 2006 20:58 To: freeradius-users@lists.freeradius.org Subject: Radius Proxying and IP injection Hi all We are proxying a realm for a customer that takes ADSL connections from us. Our ADSL connections terminate on a Cisco 7204 over an L2TP tunnel. The proxying seems to be working fine as all requests for the realm are sent to the customers radius server. And our log files show that the authentication was "OK". However the users that are authenticating are being dropped offline as soon as they authenticate. The account logs show the reason as being "User-Request" although the user hasn't requested a disconnect, in fact they aren't connected long enough to do so. The customer is also sending a framed IP address for each user that connects via the users radius users file entry. I'm wondering if this has something to do with the problem, although I can't really see why. The customer is issuing IP addresses from our own RIPE allocation that the Cisco knows about and we announce via BGP to upstreams. I'm trying to get some radius and cisco debugging for these users, but unfortunately everyone has buggered off home and most of the users are offices. So I guess I'm just wondering if there are any gotchas with radius proxying and injecting IP addresses that anyone may have come across. Or does anyone have any ideas what I should be looking for to help fix the problem? Thanks In Advance John