RE: Wimax with Free radius
Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing. Am suing WASN9970 and using freeradius 2.1.12, When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue istening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 196.0.4.18 port 1812, id=250, length=187 User-Name = "gulucdp@utmax" NAS-IP-Address = 192.168.224.70 Calling-Station-Id = "6416f00100e1" NAS-Identifier = "WASN9770" Event-Timestamp = "Mar 5 2012 09:14:53 EAT" EAP-Message = 0x020100120167756c756364704075746d6178 WiMAX-Release = "1.1" WiMAX-Accounting-Capabilities = Flow-Based WiMAX-BS-Id = 0x303030303038316235393030 WiMAX-GMT-Timezone-offset = 10800 NAS-Port-Type = Wireless-802.16 WiMAX-Available-In-Client = 3 Service-Type = Framed-User Message-Authenticator = 0x143b601c01eca1d4595511b0a81c0d78 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] expand: %t -> Mon Mar 5 08:59:56 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "gulucdp@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 125 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 250 to 196.0.4.18 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Netmask = 255.255.255.255 EAP-Message = 0x0102001604101bd377e252fa3b4f59a9210cb6a3fdfb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0dc4c5bf0dc6c1ff885e3d68e8e55b4e Finished request 0. Eric M
Mulindwa wrote:
Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing.
Am suing WASN9970 and using freeradius 2.1.12,
When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue
The NAS isn't seeing the response from the RADIUS server. This isn't a RADIUS issue. It's that your network is broken. Alan DeKok.
On 5 Mar 2012, at 12:28, Alan DeKok wrote:
Mulindwa wrote:
Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing.
Am suing WASN9970 and using freeradius 2.1.12,
When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue
The NAS isn't seeing the response from the RADIUS server. This isn't a RADIUS issue. It's that your network is broken.
Or the WiMax client is buggy and doesn't support EAP method negotiation. Seen that before with some supplicants. Try setting the default to the EAP method you'll actually be using instead of MD5. -Arran
Dear Members, I would like to create an account that is based on Volume consumption, how would i do this with free Radius Say i create a user and when they say hit 2GB or xGB they are disconnected irrespective of the Qos i have provisioned them Rgds EM
Hi Alan, Seems NAS is rejecting my request, what do you think could be the issue? # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] expand: %t -> Tue Mar 6 08:40:50 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "cephascourts@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 23 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 255 to 196.0.4.18 port 10002 EAP-Message = 0x010200160410ed1cb559afc9f370f07f43c455d550f0 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x149f077f149d03c127633988497e8370 Finished request 4409. Going to the next request Sending delayed reject for request 4392 Sending Access-Reject of id 238 to 196.0.4.18 port 10002 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x04010004 Cleaning up request 4329 ID 175 with timestamp +262 rad_recv: Access-Request packet from host 196.0.4.18 port 10003, id=1, length=195 User-Name = "ediofegirls@utmax" NAS-IP-Address = 192.168.224.70 Calling-Station-Id = "0c4c39b783a9" NAS-Identifier = "WASN9770" Event-Timestamp = "Mar 6 2012 08:55:35 EAT" EAP-Message = 0x02010016016564696f66656769726c734075746d6178 WiMAX-Release = "1.1" WiMAX-Accounting-Capabilities = Flow-Based WiMAX-BS-Id = 0x303030303038303366303230 WiMAX-GMT-Timezone-offset = 10800 NAS-Port-Type = Wireless-802.16 WiMAX-Available-In-Client = 3 Service-Type = Framed-User Message-Authenticator = 0x3aeebd33360c6a8807f5ed0edf2c7222 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] expand: %t -> Tue Mar 6 08:40:50 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "ediofegirls@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 22 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated ++[files] returns noop ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 1 to 196.0.4.18 port 10003 EAP-Message = 0x01020016041098357cd07dee0e1ee8e0e64678987793 Message-Authenticator = 0x00000000000000000000000000000000 State = 0x67eaf21567e8f6a668a5c8815c961ad3 Finished request 4410. Going to the next request Cleaning up request 4330 ID 176 with timestamp +262 Sending delayed reject for request 4396 Sending Access-Reject of id 242 to 196.0.4.18 port 10002 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x04010004 Cleaning up request 4312 ID 158 with timestamp +261 Cleaning up request 4316 ID 162 with timestamp +261 Sending delayed reject for request 4400 Sending Access-Reject of id 246 to 196.0.4.18 port 10002 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x04010004 Cleaning up request 4320 ID 166 with timestamp +261 Cleaning up request 4331 ID 177 with timestamp +262 Cleaning up request 4333 ID 179 with timestamp +262 Cleaning up request 4334 ID 180 with timestamp +262 Sending delayed reject for request 4404 Sending Access-Reject of id 250 to 196.0.4.18 port 10002 Message-Authenticator = 0x00000000000000000000000000000000 EAP-Message = 0x04010004 Eric M ________________________________ From: Alan DeKok <aland@deployingradius.com> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Monday, March 5, 2012 2:28 PM Subject: Re: Wimax with Free radius Mulindwa wrote:
Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing.
Am suing WASN9970 and using freeradius 2.1.12,
When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue
The NAS isn't seeing the response from the RADIUS server. This isn't a RADIUS issue. It's that your network is broken. Alan DeKok.
Hi there, How can i use my free radius to authenticate users of a certain realm with them using any password EM
On Tue, Mar 6, 2012 at 2:28 PM, Mulindwa <meric_l@yahoo.com> wrote:
Hi there,
How can i use my free radius to authenticate users of a certain realm with them using any password
Start by reading http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless... -- Fajar
Thanks Fajar, My users are using EAP-TTLS, is there a possibility to have them connect without a password Eric M ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 10:35 AM Subject: Re: Wimax with Free radius On Tue, Mar 6, 2012 at 2:28 PM, Mulindwa <meric_l@yahoo.com> wrote:
Hi there,
How can i use my free radius to authenticate users of a certain realm with them using any password
Start by reading http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless... -- Fajar
On Tue, Mar 6, 2012 at 3:16 PM, Mulindwa <meric_l@yahoo.com> wrote:
Thanks Fajar, My users are using EAP-TTLS, is there a possibility to have them connect without a password
See http://wiki.freeradius.org/Protocol%20Compatibility or to be specific, just the paragraph under the table :) -- Fajar
Fajar, So far looks good only that users are not authenticating yet. Please see the log i have; Found Auth-Type = Accept Auth-Type = Accept, accepting the user Login OK: [cccl@utmax/<via Auth-Type = Accept>] (from client Wimax port 0 cli 6416f0010cbf) # Executing section post-auth from file /usr/local/etc/raddb/sites-enabled/default +- entering group post-auth {...} [reply_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/reply-detail-20120306 [reply_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/reply-detail-20120306 [reply_log] expand: %t -> Tue Mar 6 12:23:04 2012 ++[reply_log] returns ok [sql_log] Processing sql_log_postauth [sql_log] expand: %{User-Name} -> cccl@utmax [sql_log] expand: %{%{User-Name}:-DEFAULT} -> cccl@utmax [sql_log] sql_set_user escaped user --> 'cccl@utmax' [sql_log] WARNING: Deprecated conditional expansion ":-". See "man unlang" for details [sql_log] ... expanding second conditional [sql_log] expand: Chap-Password -> Chap-Password [sql_log] expand: INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', '%S'); -> INSERT INTO radpostauth (username, pass, reply, authdate) VALUES ('cccl@utmax', 'Chap-Password', 'Access-Accept', '2012-03-06 12:23:04'); [sql_log] expand: /usr/local/var/log/radius/radacct/sql-relay -> /usr/local/var/log/radius/radacct/sql-relay ++[sql_log] returns ok ++[exec] returns noop expand: %{User-Name} -> cccl@utmax ++[request] returns noop expand: %{EAP-MSK} -> ++[reply] returns noop [wimax] No EAP-MSK or EAP-EMSK. Cannot create WiMAX keys. i wonder what this error means ++[wimax] returns noop Sending Access-Accept of id 16 to 196.0.4.18 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Netmask = 255.255.255.255 WiMAX-FA-RK-Key = 0x00 WiMAX-MSK = 0x The entry i have in my users's file is this DEFAULT Auth-Type :=Accept Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Fall-Through = 0 Eric M ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: Mulindwa <meric_l@yahoo.com> Cc: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 11:22 AM Subject: Re: Wimax with Free radius On Tue, Mar 6, 2012 at 3:16 PM, Mulindwa <meric_l@yahoo.com> wrote:
Thanks Fajar, My users are using EAP-TTLS, is there a possibility to have them connect without a password
See http://wiki.freeradius.org/Protocol%20Compatibility or to be specific, just the paragraph under the table :) -- Fajar
On Tue, Mar 6, 2012 at 4:11 PM, Alan DeKok <aland@deployingradius.com> wrote:
Mulindwa wrote:
So far looks good only that users are not authenticating yet.
You cannot set "Auth-Type := Accept" for WiMAX connections. It won't work. It's impossible.
Ooops. My bad. Wiki updated. -- Fajar
Hi Fajar and Alan, am still having a challenge and seeking your guidance, i have this account in my users file as shown below; reporter@utmax Cleartext-Password := "atom" Service-Type = Framed-User, Framed-Protocol = PPP, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Fall-Through = 0 However, client still can not connect and this is the log below, what could be the issue? rad_recv: Access-Request packet from host 196.0.4.18 port 1812, id=249, length=189 User-Name = "reporter@utmax" NAS-IP-Address = 192.168.224.70 Calling-Station-Id = "0c4c39b782dd" NAS-Identifier = "WASN9770" Event-Timestamp = "Mar 6 2012 14:33:06 EAT" EAP-Message = 0x02010013017265706f727465724075746d6178 WiMAX-Release = "1.1" WiMAX-Accounting-Capabilities = Flow-Based WiMAX-BS-Id = 0x303030303038303366633230 WiMAX-GMT-Timezone-offset = 10800 NAS-Port-Type = Wireless-802.16 WiMAX-Available-In-Client = 3 Service-Type = Framed-User Message-Authenticator = 0xc547707138b93ae18c61dc60ebd63974 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120306 [auth_log] expand: %t -> Tue Mar 6 14:18:26 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "reporter@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 19 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry reporter@utmax at line 134 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 249 to 196.0.4.18 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Netmask = 255.255.255.255 EAP-Message = 0x0102001604105bb61822dad6bbb70866f6e6fd6800b5 Message-Authenticator = 0x00000000000000000000000000000000 State = 0xdfea5fdcdfe85b2a10496a6255f7cdae Finished request 33 Eric M ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 1:10 PM Subject: Re: Wimax with Free radius On Tue, Mar 6, 2012 at 4:11 PM, Alan DeKok <aland@deployingradius.com> wrote:
Mulindwa wrote:
So far looks good only that users are not authenticating yet.
You cannot set "Auth-Type := Accept" for WiMAX connections. It won't work. It's impossible.
Ooops. My bad. Wiki updated. -- Fajar - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mulindwa wrote:
am still having a challenge and seeking your guidance, i have this account in my users file as shown below;
However, client still can not connect and this is the log below, what could be the issue?
The debug output is the same, so the problem is the same. This question was already asked and answered. Go look in your email history for the answer. Alan DeKok.
Thanks Alan, I have actually changed the my eap.conf file and have it with default_eap_type = ttls However still wimax client cannot connect even when i have enabled password for him, what could i be doing wrong? Thanks for your support Alan Eric M ________________________________ From: Alan DeKok <aland@deployingradius.com> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 2:38 PM Subject: Re: Wimax with Free radius Mulindwa wrote:
am still having a challenge and seeking your guidance, i have this account in my users file as shown below;
However, client still can not connect and this is the log below, what could be the issue?
The debug output is the same, so the problem is the same. This question was already asked and answered. Go look in your email history for the answer. Alan DeKok.
Mulindwa wrote:
I have actually changed the my eap.conf file and have it with default_eap_type = ttls
However still wimax client cannot connect even when i have enabled password for him, what could i be doing wrong?
You're not follow instructions. If you don't read the answers on this list, you have no business posting questions here. The list policy says that if you keep this up, you will be unsubscribed and banned. Alan DeKok.
Thanks Alan, The answer i did see which stated that you can not have Wimax users with no authentication. However i have not seen the instructions of how to setup a wimax account or having wimax work with freeradius, i have followed all instruction enabling the rlm_wimax and anything to do with wimax, however am still havinga challenge and this is why i need help from the list of people that have done it and it has worked for them, i do not want to waste your precious time. Eric M ________________________________ From: Alan DeKok <aland@deployingradius.com> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 2:59 PM Subject: Re: Wimax with Free radius Mulindwa wrote:
I have actually changed the my eap.conf file and have it with default_eap_type = ttls
However still wimax client cannot connect even when i have enabled password for him, what could i be doing wrong?
You're not follow instructions. If you don't read the answers on this list, you have no business posting questions here. The list policy says that if you keep this up, you will be unsubscribed and banned. Alan DeKok.
+- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 249 to 196.0.4.18 port 1812
You're still have EAP-MD5 as default EAP method. Look thoroughly into eap.conf. There is default_eap_type setting in eap {...} section. This is default outer EAP method. You should set it to ttls. There is default_eap_type setting in ttls {...} subsection of eap {...} section. This is default inner EAP method for EAP-TTLS. You should set it to gtc. Restart freeradius after the change. You should see something like this when processing first Access-Request: [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1
Thanks Lliya, Have done so but still client not able to connected. Eric M ________________________________ From: Iliya Peregoudov <iperegudov@cboss.ru> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 3:42 PM Subject: Re: Wimax with Free radius
+- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 249 to 196.0.4.18 port 1812
You're still have EAP-MD5 as default EAP method. Look thoroughly into eap.conf. There is default_eap_type setting in eap {...} section. This is default outer EAP method. You should set it to ttls. There is default_eap_type setting in ttls {...} subsection of eap {...} section. This is default inner EAP method for EAP-TTLS. You should set it to gtc. Restart freeradius after the change. You should see something like this when processing first Access-Request: [eap] EAP Identity [eap] processing type tls [tls] Initiate [tls] Start returned 1
On Tue, Mar 6, 2012 at 8:50 PM, Mulindwa <meric_l@yahoo.com> wrote:
Thanks Lliya,
Have done so but still client not able to connected.
... and what does the debug log looks like now? Does it still show md5 being used? Also, to doublecheck, what EAP method do you configure your client to use? Have you set the server to use the same type? -- Fajar
Hello, Since more than a year we're doing EAP-TTLS to authenticate Wimax Users on Alcatel and Huawei NASes. Last week we've migrate Motorola authentication on freeradius. (no more radiator :-) ). But then we've experienced freeradius crash. Informations : Software : Freeradius 2.1.12 OS : Freebsd8.0p4 64bits Users : Huawei = 500 users -> 0,5 requests per second Alcatel = 1500 users -> 2 requests per second Motorola = 8000 users -> 5 requests per second The crash usually happen when home servers (ISP radius) does not respond, then the radius load goes up to 50/60 requests per second and after 40/50 minutes the radius crash. Logs : Tue Mar 6 00:40:17 2012 : Info: [eap_moto] Request found, released from the list Tue Mar 6 00:40:17 2012 : Info: [eap_moto] EAP/ttls Tue Mar 6 00:40:17 2012 : Info: [eap_moto] processing type ttls Tue Mar 6 00:40:17 2012 : Info: [ttls] Authenticate Tue Mar 6 00:40:17 2012 : Info: [ttls] processing EAP-TLS Tue Mar 6 00:40:17 2012 : Info: [ttls] eaptls_verify returned 7 Tue Mar 6 00:40:17 2012 : Info: [ttls] Done initial handshake Tue Mar 6 00:40:17 2012 : Info: [ttls] (other): before/accept initialization Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: before/accept initialization Tue Mar 6 00:40:17 2012 : Info: [ttls] <<< TLS 1.0 Handshake [length 0053], ClientHello Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 read client hello A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write server hello A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 0b56], Certificate Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write certificate A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write key exchange A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write server done A Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 flush data Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A Tue Mar 6 00:40:17 2012 : Debug: In SSL Handshake Phase Tue Mar 6 00:40:17 2012 : Debug: In SSL Accept mode Tbash: [65774: 2 (255)] tcsetattr: Interrupted system call Killed: 9 It seems this is more related to SSL issue ? Could you confirm this idea is correct ? I can compile the radius in gdb to get more information if this is usefull. Thanks Thomas
Thomas Fagart wrote:
Last week we've migrate Motorola authentication on freeradius. (no more radiator :-) ).
Nice.
But then we've experienced freeradius crash.
Not so nice.
The crash usually happen when home servers (ISP radius) does not respond, then the radius load goes up to 50/60 requests per second and after 40/50 minutes the radius crash.
That kind of situation is hard to test.
It seems this is more related to SSL issue ?
Maybe. It's hard to know.
Could you confirm this idea is correct ?
I can compile the radius in gdb to get more information if this is usefull.
Yes. See doc/bugs for complete instructions. Also, try compiking with debugging flags, and using valgrind. Alan DeKok.
Hello, Here's the debug output this happens specialy when we add a virtual server as a fallback server. Finished request 75. Going to the next request Waking up in 0.1 seconds. rad_recv: Access-Request packet from host X.Y.Z.W port 34405, id=225, length=389 # Executing section post-proxy from file /usr/local/etc/raddb/sites-enabled/proxy_alu_huawei +- entering group post-proxy {...} [eap_alu_huawei] Doing post-proxy callback [eap_alu_huawei] Passing reply from proxy back into the tunnel. Program received signal SIGSEGV, Segmentation fault. [Switching to Thread 8011021c0 (LWP 100073)] 0x00000008036e05dd in eapttls_postproxy (handler=0x802964800, data=0x804017000) at ttls.c:816 816 if (fake && (handler->request->proxy_reply->code == PW_AUTHENTICATION_ACK)) { (gdb) where #0 0x00000008036e05dd in eapttls_postproxy (handler=0x802964800, data=0x804017000) at ttls.c:816 #1 0x00000008031c66e7 in eap_post_proxy (inst=0x802940200, request=0x801137200) at rlm_eap.c:607 #2 0x000000000041b4eb in modcall (component=6, c=Variable "c" is not available. ) at modcall.c:297 #3 0x000000000041869e in indexed_modcall (comp=4284416, idx=0, request=0x801137200) at modules.c:737 #4 0x00000000004234f2 in process_proxy_reply (request=0x801137200) at event.c:1734 #5 0x000000000042361b in request_pre_handler (request=0x801137200) at event.c:1859 #6 0x000000000042670b in radius_handle_request (request=0x801137200, fun=0x426ac0 <virtual_server_handler>) at event.c:3773 #7 0x000000000041ed34 in thread_pool_addrequest (request=0x801137200, fun=0x426ac0 <virtual_server_handler>) at threads.c:886 #8 0x0000000000428e80 in received_request (listener=0x802963a80, packet=0x80297e800, prequest=0x7fffffffe470, client=0x801170cc0) at event.c:917 #9 0x0000000000414a33 in auth_socket_recv (listener=0x802963a80, pfun=0x7fffffffe478, prequest=0x7fffffffe470) at listen.c:857 #10 0x000000000042397e in event_socket_handler (xel=Variable "xel" is not available. ) at event.c:3423 #11 0x000000080069aa42 in fr_event_loop (el=0x802971000) at event.c:415 #12 0x000000000041bf7a in main (argc=Variable "argc" is not available. ) at radiusd.c:408 (gdb) info threads * 2 Thread 8011021c0 (LWP 100073) 0x00000008036e05dd in eapttls_postproxy (handler=0x802964800, data=0x804017000) at ttls.c:816 (gdb) thread apply all bt full Thread 2 (Thread 8011021c0 (LWP 100073)): #0 0x00000008036e05dd in eapttls_postproxy (handler=0x802964800, data=0x804017000) at ttls.c:816 rcode = Variable "rcode" is not available. Hope that help Regards Thomas Le 06/03/2012 10:29, Alan DeKok a écrit :
Thomas Fagart wrote:
Last week we've migrate Motorola authentication on freeradius. (no more radiator :-) ). Nice.
But then we've experienced freeradius crash. Not so nice.
The crash usually happen when home servers (ISP radius) does not respond, then the radius load goes up to 50/60 requests per second and after 40/50 minutes the radius crash. That kind of situation is hard to test.
It seems this is more related to SSL issue ? Maybe. It's hard to know.
Could you confirm this idea is correct ?
I can compile the radius in gdb to get more information if this is usefull. Yes. See doc/bugs for complete instructions.
Also, try compiking with debugging flags, and using valgrind.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Many thanks, I will test it when available. Thomas Le 28/03/2012 17:15, Alan DeKok a écrit :
Thomas Fagart wrote:
Here's the debug output this happens specialy when we add a virtual server as a fallback server. OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, After three month having stable situation, the ISP home servers has started again to loose packet and to have slow response time, then our freeradius proxies has began to crash again. We've reproduced the crash with the Git version. Here's the output that I got with gdb Going to the next request rad_recv: Accounting-Request packet from host X.X.X.X port 1812, id=124, length=520 Received conflicting packet from client bas-man72-02 port 1812 - ID: 124 due to unfinished request 715241. Giving up on old request. ASSERT FAILED event.c[2773]: request->ev != NULL Program received signal SIGABRT, Aborted. [Switching to Thread 8012021c0 (LWP 100143)] 0x0000000800fb978c in kill () from /lib/libc.so.7 (gdb) (gdb) thread apply all bt full Thread 2 (Thread 8012021c0 (LWP 100143)): #0 0x0000000800fb978c in kill () from /lib/libc.so.7 No symbol table info available. #1 0x0000000800fb858b in abort () from /lib/libc.so.7 No symbol table info available. #2 0x0000000000420cd4 in rad_assert_fail (file=Variable "file" is not available. ) at util.c:366 No locals. #3 0x0000000000429d9a in received_request (listener=0x801fdcac0, packet=0x8051c1900, prequest=0x7fffffffe4d0, client=0x801fdaa80) at event.c:2773 when = {tv_sec = 1340876260, tv_usec = 138114} packet_p = Variable "packet_p" is not available. Is there enough information for this bug ? Do you want me to get some more information ? I can provide smokeping graphs that shows packet loss and slow response time (3 seconds) Many thanks Thomas Le 29/03/2012 23:04, Thomas Fagart a écrit :
Many thanks, I will test it when available.
Thomas
Le 28/03/2012 17:15, Alan DeKok a écrit :
Thomas Fagart wrote:
Here's the debug output this happens specialy when we add a virtual server as a fallback server. OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello, Did you have the opportunity to push this patch ? The crash does not occur very soon (around once a month). Many thanks Regards Thomas On 28.03.2012 17:15, Alan DeKok wrote:
Thomas Fagart wrote:
Here's the debug output this happens specialy when we add a virtual server as a fallback server.
OK... it looks like the proxy_reply doesn't exist. I'll push a patch.
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi Thomas, How did manage to configure Freeradius with Huawei NAS, its a big challenge to me, have still failed. Eric M ________________________________ From: Thomas Fagart <tfagart@brozs.net> To: freeradius-users@lists.freeradius.org Sent: Tuesday, March 6, 2012 12:19 PM Subject: Freeradius crash during EAP-TTLS authentication Hello, Since more than a year we're doing EAP-TTLS to authenticate Wimax Users on Alcatel and Huawei NASes. Last week we've migrate Motorola authentication on freeradius. (no more radiator :-) ). But then we've experienced freeradius crash. Informations : Software : Freeradius 2.1.12 OS : Freebsd8.0p4 64bits Users : Huawei = 500 users -> 0,5 requests per second Alcatel = 1500 users -> 2 requests per second Motorola = 8000 users -> 5 requests per second The crash usually happen when home servers (ISP radius) does not respond, then the radius load goes up to 50/60 requests per second and after 40/50 minutes the radius crash. Logs : Tue Mar 6 00:40:17 2012 : Info: [eap_moto] Request found, released from the list Tue Mar 6 00:40:17 2012 : Info: [eap_moto] EAP/ttls Tue Mar 6 00:40:17 2012 : Info: [eap_moto] processing type ttls Tue Mar 6 00:40:17 2012 : Info: [ttls] Authenticate Tue Mar 6 00:40:17 2012 : Info: [ttls] processing EAP-TLS Tue Mar 6 00:40:17 2012 : Info: [ttls] eaptls_verify returned 7 Tue Mar 6 00:40:17 2012 : Info: [ttls] Done initial handshake Tue Mar 6 00:40:17 2012 : Info: [ttls] (other): before/accept initialization Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: before/accept initialization Tue Mar 6 00:40:17 2012 : Info: [ttls] <<< TLS 1.0 Handshake [length 0053], ClientHello Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 read client hello A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 002a], ServerHello Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write server hello A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 0b56], Certificate Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write certificate A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 018d], ServerKeyExchange Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write key exchange A Tue Mar 6 00:40:17 2012 : Info: [ttls] >>> TLS 1.0 Handshake [length 0004], ServerHelloDone Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 write server done A Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: SSLv3 flush data Tue Mar 6 00:40:17 2012 : Info: [ttls] TLS_accept: Need to read more data: SSLv3 read client certificate A Tue Mar 6 00:40:17 2012 : Debug: In SSL Handshake Phase Tue Mar 6 00:40:17 2012 : Debug: In SSL Accept mode Tbash: [65774: 2 (255)] tcsetattr: Interrupted system call Killed: 9 It seems this is more related to SSL issue ? Could you confirm this idea is correct ? I can compile the radius in gdb to get more information if this is usefull. Thanks Thomas - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear All, I also have this info, do i need to have it in my free radius? Server Root CA Cert. Info /C=US/O=WiMAX Forum(R)/CN=WiMAX Forum(R) Server Root - CA1 Device Cert. Info /C=TW/O=MitraStar Technology/OU=WiMAX Forum(R) Devices/CN=0C4C39b7830b WiMAX Series Eric M ________________________________ From: Fajar A. Nugraha <list@fajar.net> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Tuesday, March 6, 2012 10:35 AM Subject: Re: Wimax with Free radius On Tue, Mar 6, 2012 at 2:28 PM, Mulindwa <meric_l@yahoo.com> wrote:
Hi there,
How can i use my free radius to authenticate users of a certain realm with them using any password
Start by reading http://wiki.freeradius.org/FAQ#How+do+I+permit+access+to+any+user+regardless... -- Fajar
Hi there, Anyone worked with WASN9770 , how did you setup the wimax account? I want to setup an account with such a profile. say username password 512K bandwidth bi-direction Always on username2 password 512Kbps bandwidth bi-direction Only connects at night How would i achieve this?
Was wondering if there is anyone on this forum who is using WASN9770 and are using Freeradius, am sure they would be more than happy to direct me in the right direction. But if there are none, am sure i will have no response, otherwise thanks Alan Eric M ________________________________ From: Alan DeKok <aland@deployingradius.com> To: Mulindwa <meric_l@yahoo.com>; FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Sent: Thursday, March 15, 2012 2:44 PM Subject: Re: Wimax Account Mulindwa wrote:
Anyone worked with WASN9770 , how did you setup the wimax account?
Ask the vendor how their product works. This isn't a FreeRADIUS question. Alan DeKok.
Did you enable the WiMax module? David From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera dius.org] On Behalf Of Mulindwa Sent: Monday, March 05, 2012 6:16 AM To: freeradius-users@lists.freeradius.org Subject: RE: Wimax with Free radius Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing. Am suing WASN9970 and using freeradius 2.1.12, When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue istening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 196.0.4.18 port 1812, id=250, length=187 User-Name = "gulucdp@utmax" NAS-IP-Address = 192.168.224.70 Calling-Station-Id = "6416f00100e1" NAS-Identifier = "WASN9770" Event-Timestamp = "Mar 5 2012 09:14:53 EAT" EAP-Message = 0x020100120167756c756364704075746d6178 WiMAX-Release = "1.1" WiMAX-Accounting-Capabilities = Flow-Based WiMAX-BS-Id = 0x303030303038316235393030 WiMAX-GMT-Timezone-offset = 10800 NAS-Port-Type = Wireless-802.16 WiMAX-Available-In-Client = 3 Service-Type = Framed-User Message-Authenticator = 0x143b601c01eca1d4595511b0a81c0d78 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] expand: %t -> Mon Mar 5 08:59:56 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "gulucdp@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 125 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 250 to 196.0.4.18 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Netmask = 255.255.255.255 EAP-Message = 0x0102001604101bd377e252fa3b4f59a9210cb6a3fdfb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0dc4c5bf0dc6c1ff885e3d68e8e55b4e Finished request 0. Eric M
I have it enabled Eric M ________________________________ From: David Peterson <davidp@wirelessconnections.net> To: freeradius-users@lists.freeradius.org Sent: Monday, March 5, 2012 2:46 PM Subject: RE: Wimax with Free radius Did you enable the WiMax module? David From:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org] On Behalf Of Mulindwa Sent: Monday, March 05, 2012 6:16 AM To: freeradius-users@lists.freeradius.org Subject: RE: Wimax with Free radius Hallo there, i have an issue with my wimax setup, am trying to have my users authenticate using the wonderful freeradius but still failing. Am suing WASN9970 and using freeradius 2.1.12, When i turn on radius using radius-X, this is what i get, and client never authenticates someone please come to my rescue istening on authentication address 127.0.0.1 port 18120 as server inner-tunnel Listening on proxy address * port 1814 Ready to process requests. rad_recv: Access-Request packet from host 196.0.4.18 port 1812, id=250, length=187 User-Name = "gulucdp@utmax" NAS-IP-Address = 192.168.224.70 Calling-Station-Id = "6416f00100e1" NAS-Identifier = "WASN9770" Event-Timestamp = "Mar 5 2012 09:14:53 EAT" EAP-Message = 0x020100120167756c756364704075746d6178 WiMAX-Release = "1.1" WiMAX-Accounting-Capabilities = Flow-Based WiMAX-BS-Id = 0x303030303038316235393030 WiMAX-GMT-Timezone-offset = 10800 NAS-Port-Type = Wireless-802.16 WiMAX-Available-In-Client = 3 Service-Type = Framed-User Message-Authenticator = 0x143b601c01eca1d4595511b0a81c0d78 # Executing section authorize from file /usr/local/etc/raddb/sites-enabled/default +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/196.0.4.18/auth-detail-20120305 [auth_log] expand: %t -> Mon Mar 5 08:59:56 2012 ++[auth_log] returns ok ++[chap] returns noop ++[mschap] returns noop ++[digest] returns noop ++[wimax] returns ok [suffix] Looking up realm "utmax" for User-Name = "gulucdp@utmax" [suffix] Found realm "utmax" [suffix] Adding Realm = "utmax" [suffix] Authentication realm is LOCAL. ++[suffix] returns ok [eap] EAP packet type response id 1 length 18 [eap] No EAP Start, assuming it's an on-going EAP conversation ++[eap] returns updated [files] users: Matched entry DEFAULT at line 125 ++[files] returns ok ++[expiration] returns noop ++[logintime] returns noop Found Auth-Type = EAP # Executing group from file /usr/local/etc/raddb/sites-enabled/default +- entering group authenticate {...} [eap] EAP Identity [eap] processing type md5 rlm_eap_md5: Issuing Challenge ++[eap] returns handled Sending Access-Challenge of id 250 to 196.0.4.18 port 1812 Service-Type = Framed-User Framed-Protocol = PPP Framed-Address = 255.255.255.254 Framed-Netmask = 255.255.255.255 EAP-Message = 0x0102001604101bd377e252fa3b4f59a9210cb6a3fdfb Message-Authenticator = 0x00000000000000000000000000000000 State = 0x0dc4c5bf0dc6c1ff885e3d68e8e55b4e Finished request 0. Eric M - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
participants (7)
-
Alan DeKok -
Arran Cudbard-Bell -
David Peterson -
Fajar A. Nugraha -
Iliya Peregoudov -
Mulindwa -
Thomas Fagart