Radius Proxying and IP injection

John Williams john.williams at eurisp.co.uk
Mon Jun 12 22:07:29 CEST 2006


Just got some radius debugging here.

 

#######################
rad_recv: Access-Request packet from host 212.248.232.242:1645, id=116, length=85
        Framed-Protocol = PPP
        User-Name = "bob.ken at maxsurf"
        User-Password = "accutronic2"
        NAS-Port-Type = Virtual
        NAS-Port = 907
        Service-Type = Framed-User
        NAS-IP-Address = 212.248.232.242
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 465
  modcall[authorize]: module "preprocess" returns ok for request 465
  modcall[authorize]: module "chap" returns noop for request 465
  modcall[authorize]: module "mschap" returns noop for request 465
    rlm_realm: Looking up realm "maxsurf" for User-Name = "bob.ken at maxsurf"
    rlm_realm: Found realm "maxsurf"
    rlm_realm: Proxying request from user bob.ken to realm maxsurf
    rlm_realm: Adding Realm = "maxsurf"
    rlm_realm: Preparing to proxy authentication request to realm "maxsurf"
  modcall[authorize]: module "suffix" returns updated for request 465
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module "eap" returns noop for request 465
  modcall[authorize]: module "files" returns notfound for request 465
modcall: group authorize returns updated for request 465
  Processing the pre-proxy section of radiusd.conf
modcall: entering group pre-proxy for request 465
radius_xlat: '/var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/pre-proxy-detail-20060612
  modcall[pre-proxy]: module "pre_proxy_log" returns ok for request 465
modcall: group pre-proxy returns ok for request 465
Sending Access-Request of id 0 to 62.41.128.19:1645
        Framed-Protocol = PPP
        User-Name = "bob.ken at maxsurf"
        User-Password = "accutronic2"
        NAS-Port-Type = Virtual
        NAS-Port = 907
        Service-Type = Framed-User
        NAS-IP-Address = 212.248.232.242
        Proxy-State = 0x313136
--- Walking the entire request list ---
Waking up in 4 seconds...
rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=0, length=111
        Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935303638352200
        Session-Timeout = 7200
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Idle-Timeout = 600
        Service-Type = Framed-User
        Proxy-State = 0x313136
  Processing the post-proxy section of radiusd.conf
modcall: entering group post-proxy for request 465
radius_xlat: '/var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/post-proxy-detail-%Y%m%d expands to /var/log/radius/radacct/212.248.232.242/post-proxy-detail-20060612
  modcall[post-proxy]: module "post_proxy_log" returns ok for request 465
modcall: group post-proxy returns ok for request 465
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 465
  modcall[authorize]: module "preprocess" returns ok for request 465
  modcall[authorize]: module "chap" returns noop for request 465
  modcall[authorize]: module "mschap" returns noop for request 465
    rlm_realm: Proxy reply, or no User-Name.  Ignoring.
  modcall[authorize]: module "suffix" returns noop for request 465
  modcall[authorize]: module "eap" returns noop for request 465
  modcall[authorize]: module "files" returns notfound for request 465
modcall: group authorize returns ok for request 465
  rad_check_password:  Found Auth-Type
  rad_check_password: Auth-Type = Accept, accepting the user
Login OK: [bob.ken at maxsurf/accutronic2] (from client l2tp-tunnel port 907)
Sending Access-Accept of id 116 to 212.248.232.242:1645
        Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935303638352200
        Session-Timeout = 7200
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Idle-Timeout = 600
        Service-Type = Framed-User
Finished request 465
Going to the next request
##############################

 

 

The strange thing is the Framed-IP-Address: it isn't showing the correct IP
address that the user has assigned in our customer's radius users file.

If I run radtest from the command line against the customer's radius server
it returns:

 

###################
Sending Access-Request of id 3 to 62.41.128.19:1645
        User-Name = "bob.ken at maxsurf"
        User-Password = "accutronic2"
        NAS-IP-Address = cw2.eurisp.net
        NAS-Port = 1645
rad_recv: Access-Accept packet from host 62.41.128.19:1645, id=3, length=106
        Class = 0x5342522d434c20444e3d22313433373830222041543d22323030222055533d22222053493d2235363935313230372200
        Session-Timeout = 0
        Framed-IP-Address = 85.92.190.82
        Framed-IP-Netmask = 255.255.255.255
        Acct-Interim-Interval = 7200
        Framed-Protocol = PPP
        Service-Type = Framed-User
#######################

 

With the correct IP address.

Any ideas why it's doing this?

 

Thanks

John

 

 

 

  _____  

From: freeradius-users-bounces+john.williams=eurisp.co.uk at lists.freeradius.org [mailto:freeradius-users-bounces+john.williams=eurisp.co.uk at lists.freeradius.org] On Behalf Of John Williams
Sent: 12 June 2006 20:58
To: freeradius-users at lists.freeradius.org
Subject: Radius Proxying and IP injection

 

Hi all

 

We are proxying a realm for a customer that takes ADSL connections from us.

Our ADSL connections terminate on a Cisco 7204 over an L2TP tunnel.

 

The proxying seems to be working fine as all requests for the realm are sent
to the customer's radius server.

And our log files show that the authentication was "OK".

However the users that are authenticating are being dropped offline as soon
as they authenticate.

The account logs show the reason as being "User-Request" although the user
hasn't requested a disconnect, in fact they aren't connected long enough to
do so.

 

The customer is also sending a framed IP address for each user that connects
via the user's radius users file entry.

I'm wondering if this has something to do with the problem, although I can't
really see why.

The customer is issuing IP addresses from our own RIPE allocation that the
Cisco knows about and we announce via BGP to upstreams.

 

I'm trying to get some radius and Cisco debugging for these users, but
unfortunately everyone has buggered off home and most of the users are
offices.

So I guess I'm just wondering if there are any gotchas with radius proxying
and injecting IP addresses that anyone may have come across.

Or does anyone have any ideas what I should be looking for to help fix the
problem?

 

Thanks In Advance

John
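
Added example (not part of the original message, and not FreeRADIUS code): a Python script that diffs the two Access-Accept replies shown in the debug output above and flags Framed-IP-Address values that RFC 2865 section 5.8 reserves as instructions to the NAS rather than real addresses. The attribute values are copied from the message (Class and Proxy-State left out); the function and variable names are hypothetical.

```python
import re

# RFC 2865 section 5.8: two Framed-IP-Address values are instructions to the
# NAS rather than real addresses.
RESERVED = {
    "255.255.255.255": "NAS should let the user select an address",
    "255.255.255.254": "NAS should select an address for the user (e.g. from its pool)",
}

# Reply attributes copied from the two Access-Accept dumps in the message
# (Class and Proxy-State omitted).
VIA_PROXY = """
        Session-Timeout = 7200
        Framed-IP-Address = 255.255.255.254
        Framed-IP-Netmask = 255.255.255.255
        Framed-Protocol = PPP
        Idle-Timeout = 600
        Service-Type = Framed-User
"""
VIA_RADTEST = """
        Session-Timeout = 0
        Framed-IP-Address = 85.92.190.82
        Framed-IP-Netmask = 255.255.255.255
        Acct-Interim-Interval = 7200
        Framed-Protocol = PPP
        Service-Type = Framed-User
"""

def parse_attrs(dump):
    """Turn 'Name = value' debug lines into a dict (one value per attribute)."""
    pairs = re.findall(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.+?)\s*$", dump, re.M)
    return {name: value.strip('"') for name, value in pairs}

def diff_replies(a, b):
    """Return {attr: (value_in_a, value_in_b)} for attributes that differ."""
    a, b = parse_attrs(a), parse_attrs(b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(a.keys() | b.keys()) if a.get(k) != b.get(k)}

def reserved_address(dump):
    """Return the RFC 2865 meaning if Framed-IP-Address is a reserved value."""
    return RESERVED.get(parse_attrs(dump).get("Framed-IP-Address"))

if __name__ == "__main__":
    for attr, (proxied, direct) in diff_replies(VIA_PROXY, VIA_RADTEST).items():
        print(f"{attr}: proxied={proxied} direct={direct}")
    print("proxied Framed-IP-Address:", reserved_address(VIA_PROXY))
```

The two requests in the message also differ (the proxied one carries NAS-Port-Type, Service-Type and Framed-Protocol, the radtest one does not), so the diff shows what the home server returned in each case, not why.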
