Access Request from HA rejected
Hi all, I am using FreeRadius 2.1.12 for WIMAX authentication. My initial authentication between ASN-GW and AAA is successful. Keys are generated and received in Access-Accept. But when HA sends Access-Request to AAA, the Request is rejected.The SPI values are all correct. All the AVP values are valid (because I checked with a workaround and it was successful). There looks like a problem in the authorize section when username is checked for in the 'Users' file. Can you please tell me if I am missing something in the configuration? I have added the inner identity in the 'users' file. Clients are defined in the 'clients.conf'. Below is a portion from log file. rad_recv: Access-Request packet from host 172.16.10.10 port 52511, id=1, length=165 User-Name = "01-01-01-03-01-01@abc.com" NAS-IP-Address = 172.16.10.10 NAS-Identifier = "HA1" Message-Authenticator = 0x930277dfe340d323eb58e3ecf7588f30 WiMAX-Release = "1.2" WiMAX-Accounting-Capabilities = No-Accounting WiMAX-hHA-IP-MIP4 = 172.16.10.10 WiMAX-MN-hHA-MIP4-SPI = 1185754294 WiMAX-HA-RK-SPI = 123123 Thu Jan 1 05:53:35 1970 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jan 1 05:53:35 1970 : Info: +- entering group authorize {...} Thu Jan 1 05:53:35 1970 : Info: ++[preprocess] returns ok Thu Jan 1 05:53:35 1970 : Info: ++[chap] returns noop Thu Jan 1 05:53:35 1970 : Info: ++[mschap] returns noop Thu Jan 1 05:53:35 1970 : Info: [suffix] Looking up realm "abc.com" for User-Name = "01-01-01-03-01-01@abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Found realm "abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Adding Stripped-User-Name = "01-01-01-03-01-01" Thu Jan 1 05:53:35 1970 : Info: [suffix] Adding Realm = "abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Authentication realm is LOCAL. Thu Jan 1 05:53:35 1970 : Info: ++[suffix] returns ok Thu Jan 1 05:53:35 1970 : Info: [eap] No EAP-Message, not doing EAP Thu Jan 1 05:53:35 1970 : Info: ++[eap] returns noop Thu Jan 1 05:53:35 1970 : Info: ++[files] returns noop Thu Jan 1 05:53:35 1970 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thu Jan 1 05:53:35 1970 : Info: Failed to authenticate the user. Thu Jan 1 05:53:35 1970 : Info: Using Post-Auth-Type Thu Jan 1 05:53:35 1970 : Info: # Executing group from file /etc/raddb/sites-enabled/default Thu Jan 1 05:53:35 1970 : Info: +- entering group REJECT {...} Thu Jan 1 05:53:35 1970 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01-01-01-03-01-01@abc.com Thu Jan 1 05:53:35 1970 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Jan 1 05:53:35 1970 : Info: ++[attr_filter.access_reject] returns updated Thu Jan 1 05:53:35 1970 : Info: Delaying reject of request 5 for 1 seconds Thu Jan 1 05:53:35 1970 : Debug: Going to the next request Thu Jan 1 05:53:35 1970 : Debug: Waking up in 0.9 seconds. Thu Jan 1 05:53:36 1970 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 1 to 172.16.10.10 port 52511 -Thanks
Send the whole configuration and initial request/response. The snippet below is pretty much useless. David From: freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius.org [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera dius.org] On Behalf Of Suryalakshmi Annadurai Sent: Monday, September 30, 2013 8:46 AM To: freeradius-users@lists.freeradius.org Subject: Access Request from HA rejected Hi all, I am using FreeRadius 2.1.12 for WIMAX authentication. My initial authentication between ASN-GW and AAA is successful. Keys are generated and received in Access-Accept. But when HA sends Access-Request to AAA, the Request is rejected.The SPI values are all correct. All the AVP values are valid (because I checked with a workaround and it was successful). There looks like a problem in the authorize section when username is checked for in the 'Users' file. Can you please tell me if I am missing something in the configuration? I have added the inner identity in the 'users' file. Clients are defined in the 'clients.conf'. Below is a portion from log file. rad_recv: Access-Request packet from host 172.16.10.10 port 52511, id=1, length=165 User-Name = "01-01-01-03-01-01@abc.com" NAS-IP-Address = 172.16.10.10 NAS-Identifier = "HA1" Message-Authenticator = 0x930277dfe340d323eb58e3ecf7588f30 WiMAX-Release = "1.2" WiMAX-Accounting-Capabilities = No-Accounting WiMAX-hHA-IP-MIP4 = 172.16.10.10 WiMAX-MN-hHA-MIP4-SPI = 1185754294 WiMAX-HA-RK-SPI = 123123 Thu Jan 1 05:53:35 1970 : Info: # Executing section authorize from file /etc/raddb/sites-enabled/default Thu Jan 1 05:53:35 1970 : Info: +- entering group authorize {...} Thu Jan 1 05:53:35 1970 : Info: ++[preprocess] returns ok Thu Jan 1 05:53:35 1970 : Info: ++[chap] returns noop Thu Jan 1 05:53:35 1970 : Info: ++[mschap] returns noop Thu Jan 1 05:53:35 1970 : Info: [suffix] Looking up realm "abc.com" for User-Name = "01-01-01-03-01-01@abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Found realm "abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Adding Stripped-User-Name = "01-01-01-03-01-01" Thu Jan 1 05:53:35 1970 : Info: [suffix] Adding Realm = "abc.com" Thu Jan 1 05:53:35 1970 : Info: [suffix] Authentication realm is LOCAL. Thu Jan 1 05:53:35 1970 : Info: ++[suffix] returns ok Thu Jan 1 05:53:35 1970 : Info: [eap] No EAP-Message, not doing EAP Thu Jan 1 05:53:35 1970 : Info: ++[eap] returns noop Thu Jan 1 05:53:35 1970 : Info: ++[files] returns noop Thu Jan 1 05:53:35 1970 : Info: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user Thu Jan 1 05:53:35 1970 : Info: Failed to authenticate the user. Thu Jan 1 05:53:35 1970 : Info: Using Post-Auth-Type Thu Jan 1 05:53:35 1970 : Info: # Executing group from file /etc/raddb/sites-enabled/default Thu Jan 1 05:53:35 1970 : Info: +- entering group REJECT {...} Thu Jan 1 05:53:35 1970 : Info: [attr_filter.access_reject] expand: %{User-Name} -> 01-01-01-03-01-01@abc.com Thu Jan 1 05:53:35 1970 : Debug: attr_filter: Matched entry DEFAULT at line 11 Thu Jan 1 05:53:35 1970 : Info: ++[attr_filter.access_reject] returns updated Thu Jan 1 05:53:35 1970 : Info: Delaying reject of request 5 for 1 seconds Thu Jan 1 05:53:35 1970 : Debug: Going to the next request Thu Jan 1 05:53:35 1970 : Debug: Waking up in 0.9 seconds. Thu Jan 1 05:53:36 1970 : Info: Sending delayed reject for request 5 Sending Access-Reject of id 1 to 172.16.10.10 port 52511 -Thanks
On 30 Sep 2013, at 13:59, "David Peterson" <davidp@wirelessconnections.net> wrote:
Send the whole configuration and initial request/response. The snippet below is pretty much useless.
also, set your date/time correctly. The reason why authentication is failing is because no module has take responsibility in authorize. I don't know enough about crazy WiMAX authentication, but i'd guess one of those SPI values needs to be cached from the previous round, and checked this round? Maybe someone who knows more can describe how it's meant to work. -Arran Arran Cudbard-Bell <a.cudbardb@freeradius.org> FreeRADIUS Development Team
participants (3)
-
Arran Cudbard-Bell -
David Peterson -
Suryalakshmi Annadurai