MAX_PACKET_LEN setting limiting number of Cisco- Avpair's
Hi After looking through the source code on v 1.148.2.3 I can see that the reason that cisco-avpair += within the users file is not being sent to the firewall for ACL's above a certain number is due to the fact that the maximum Radius Packet size is 4k. This is coded under radius.c for max_packet_len 4096 I can modify the entry to increase the packets size and recompile, which may work in that further cisco-avpair += may be pushed to the firewall, but this will probably cause a number of other problems. Apart from this is there any other way to increase the number of Cisco-Avpair's within freeradius to be pushed to a firewall or is this the maximum ? Thanks, Niall
_____________________________________________ From: Niall Browne Sent: Tuesday, June 28, 2005 10:20 AM To: 'freeradius-users@lists.freeradius.org' Subject: RE: Issue with increasing the number of ACL's in users file
I sent this week and did not receive a response.
Since then I have again gone through all files in detail, viewed countless debugs, and searched all past posts re freeradius, with no success.
Anyone have any idea what may be causing this or have seen a similar problem in the past ?
Thanks, Niall
_____________________________________________ From: Niall Browne Sent: Wednesday, June 22, 2005 8:49 PM To: 'freeradius-users@lists.freeradius.org' Subject: Issue with increasing the number of ACL's in users file
Hi
I am having a problem with an apparent limit on ACL's on my freeradius servers. I have been running this servers for a number of years, and have always had the number of ACL's on the users file below 52, and have never had any problems.
I noticed as soon as I increased the ACL's above 52 it appeared to authenticate in the logs, however the auth connection through Cisco VPN simply continued to try to authenticate and nothing happened. As soon as I removed the ACL's below 52 and restarted it works fine.
I dumped the logs
/usr/local/freeradius/sbin/radiusd -p 1647 -sfxxyz -l stdout
When I then auth'd and viewed the stdout logs, they are identical for <52 and then >52 (when compared). The only difference is that the ACL's after the magic 52 mark do not show in the stout, and this causes my timeout to fail. When I revert to <52 I can see the last ACL's and all works fine.
I have checked through the configs including radiusd.conf however I cannot find a hard coded limitation on ACL's anywhere.
Is anyone aware of how to resolve this ?
Thanks in advance, Niall
Niall Browne <nbrowne@Yodlee.com> wrote:
After looking through the source code on v 1.148.2.3 I can see that the reason that cisco-avpair += within the users file is not being sent to the firewall for ACL's above a certain number is due to the fact that the maximum Radius Packet size is 4k.
That would happen for a large number of ACL's.
This is coded under radius.c for max_packet_len 4096
That's what the RFC's say it shoul dbe.
I can modify the entry to increase the packets size and recompile, which may work in that further cisco-avpair += may be pushed to the firewall, but this will probably cause a number of other problems.
I don't think so. It's only one place in the source tree, so the rest of the server won't care. And if the client accepts the packet, and applies all of the ACL's, then that's all that matters.
Apart from this is there any other way to increase the number of Cisco-Avpair's within freeradius to be pushed to a firewall or is this the maximum ?
You may be able to set up pools of ACL's, and say "this user is in pool X", but you'd have to consult Cisco docs for more information. Alan DeKok.
On Tue, Jun 28, 2005 at 03:10:51PM -0700, Niall Browne wrote:
Apart from this is there any other way to increase the number of Cisco-Avpair's within freeradius to be pushed to a firewall or is this the maximum ?
You already seem to know the way for creating acl via radius: inacl#X An input access list definition. For IP, standard or extended access list syntax can be used, though you cannot mix them within a single list. For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition. outacl#X An output access list definition. For IP, standard or extended access list syntax can be used. For IPX, only extended syntax is recognized. The value of this attribute is the text that comprises the body of a named access list definition. But you might also use the ip:inacl/outacl without a rule number to assign a named ip access-list which is defined on the router: router: ip access-list extended No-EIGRP remark Filters EIGRP Traffic remark used with dynamic ADSL deny eigrp any any permit ip any any radius: Cisco-AVPair += "ip:inacl=No-EIGRP", Cisco-AVPair += "ip:outacl=No-EIGRP" If you have a CCO (I think you need one for that) you could take a look at ciscos Dial Solutions Configuration Guide, which helps you with such stuff. Oliver.
participants (3)
-
Alan DeKok -
Niall Browne -
Oliver Graf