Migrating from Cisco Access Registrar to FreeRADIUS

SerpentoR addyrocker at gmail.com
Wed Feb 10 18:54:39 CET 2010


Hello All,

Let me just say I'm a big fan of FreeRADIUS and highly appreciate the work
and effort put into this project. We've been thinking of ditching our
current Cisco RADIUS server, as it has been prone to massive memory leaks,
requiring a daily restart. We did some testing of FreeRADIUS with some of our
NAS gear, Samsung's General ATM Switch Network (GAN) deployed in a 3GPP2
EV-DO network. Things didn't go as I'd hoped. Following is the output of
radiusd -x.

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=252,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x01ef28b52424c1b5f35683fb12ffb371f8
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0xfd2f308b721c8fbbd198087e43ed71f0
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 252 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 252 with timestamp +5
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=253,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x01ff3da64a9d26f7eddeb6043deafcdc5b
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0x79bc887e81bdff4ebacb6bacd26945f9
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 253 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 253 with timestamp +39
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=254,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x0122be6028d9a8501e7df9d2da160d5366
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0x7db1dfd61694cc5d964c6ceb1f15dd67
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 254 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 254 with timestamp +62
Ready to process requests.

As you can see, Access-Accepts are being sent to the NAS with the Callback-Id,
but the user is unable to connect. From what I am able to understand, the NAS
is sending a 3GPP2-Attr-60 VSA, which is the 3GPP2-HRPD-Access-Attribute; it is
not defined in the 3GPP2 dictionary of FreeRADIUS but is defined in Cisco's
Access Registrar. Would patching the 3GPP2 dictionary do the trick, or am I
missing something? I would've tested this already, but this would require
approval from other departments as well, which is gonna take a couple of
days; any help in this matter would be appreciated.

Regards.
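Added example, not from the original post or from FreeRADIUS: a minimal encoder/decoder for a RADIUS Vendor-Specific attribute (type 26) that shows why the debug output prints "3GPP2-Attr-60 = 0x00000001" when the server has no dictionary entry for vendor type 60, and how the same octets are printed once an entry exists. Vendor ID 5535 is the IANA enterprise number registered to 3GPP2; the attribute name and its integer data type are taken from the post and assumed here, not from any real dictionary file.

```python
# Added example (not from the original post): decode a RADIUS VSA (type 26)
# with and without a dictionary entry for 3GPP2 vendor type 60.
# Vendor ID 5535 is 3GPP2's IANA enterprise number. The attribute name and
# "integer" type below are ASSUMED from the post, not from a real dictionary.
import struct

VENDOR_3GPP2 = 5535

# Dictionary shape: vendor id -> {vendor type: (attribute name, data type)}
DICT_WITHOUT_60 = {VENDOR_3GPP2: {}}
DICT_WITH_60 = {VENDOR_3GPP2: {60: ("3GPP2-HRPD-Access-Attribute", "integer")}}

def build_vsa(vendor_id, vendor_type, value):
    """Encode one RFC 2865 Vendor-Specific attribute (type 26)."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", 26, 2 + len(body)) + body

def decode_vsa(avp, dictionary):
    """Return (name, printable value) the way a RADIUS server prints it."""
    atype, alen = struct.unpack("!BB", avp[:2])
    if atype != 26 or alen != len(avp):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor_id, = struct.unpack("!I", avp[2:6])
    vtype, vlen = struct.unpack("!BB", avp[6:8])
    value = avp[8:6 + vlen]
    vendor_name = "3GPP2" if vendor_id == VENDOR_3GPP2 else f"Vendor-{vendor_id}"
    entry = dictionary.get(vendor_id, {}).get(vtype)
    if entry is None:
        # Unknown vendor attribute: named Vendor-Attr-N and shown as raw octets
        return f"{vendor_name}-Attr-{vtype}", "0x" + value.hex()
    name, dtype = entry
    if dtype == "integer":
        return name, str(struct.unpack("!I", value)[0])
    return name, "0x" + value.hex()

def demo():
    """Constructed input: the VSA seen in the post, value 0x00000001."""
    avp = build_vsa(VENDOR_3GPP2, 60, struct.pack("!I", 1))
    return decode_vsa(avp, DICT_WITHOUT_60), decode_vsa(avp, DICT_WITH_60)

if __name__ == "__main__":
    for name, val in demo():
        print(f"{name} = {val}")
```

The first tuple reproduces the "3GPP2-Attr-60 = 0x00000001" line from the debug output; the second shows the same attribute once a dictionary entry names it, which is what lets policy reference it by name.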