Migrating from Cisco Access Registrar to FreeRADIUS

Fahad Saleem addyrocker at gmail.com
Fri Dec 20 12:30:46 CET 2013


Hello All,

Let me just say I'm a big fan of the work being done by FreeRADIUS. We've
been thinking of ditching our Cisco Access Registrar (AAA) for some time now,
as we've been facing many issues with it, massive memory leakage being one
of them. For this purpose we did some testing with FreeRADIUS and one of
our NAS devices, a Samsung General ATM Switching Network (GAN) deployed in a
3GPP2 EV-DO environment for the purpose of hardware authentication only.
Things didn't go too well, however; following is the output of radiusd -X:

Listening on authentication address * port 1812
Listening on accounting address * port 1813
Listening on command file /var/run/radiusd/radiusd.sock
Listening on proxy address * port 1814
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=252,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x01ef28b52424c1b5f35683fb12ffb371f8
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0xfd2f308b721c8fbbd198087e43ed71f0
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 252 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 252 with timestamp +5
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=253,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x01ff3da64a9d26f7eddeb6043deafcdc5b
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0x79bc887e81bdff4ebacb6bacd26945f9
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 253 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
        Finished request 1.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 253 with timestamp +39
Ready to process requests.
rad_recv: Access-Request packet from host 172.16.1.24 port 1812, id=254,
length=88
        User-Name = "92421013626"
        CHAP-Password = 0x0122be6028d9a8501e7df9d2da160d5366
        NAS-IP-Address = 172.16.1.24
        CHAP-Challenge = 0x7db1dfd61694cc5d964c6ceb1f15dd67
        3GPP2-Attr-60 = 0x00000001
+- entering group authorize {...}
++[preprocess] returns ok
Setting 'Auth-Type := CHAP'
++[chap] returns ok
++[mschap] returns noop
No '@' in User-Name = "92421013626", looking up realm NULL
No such realm "NULL"
++[suffix] returns noop
No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
users: Matched entry 92421013626 at line 85
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = CHAP
+- entering group CHAP {...}
login attempt by "92421013626" with CHAP password
Using clear text password "0D2379B0" for user 92421013626 authentication.
chap user 92421013626 authenticated succesfully
++[chap] returns ok
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 254 to 172.16.1.24 port 1812
        Callback-Id = "410530421013626"
Finished request 2.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 2 ID 254 with timestamp +62
Ready to process requests.

As you can see, FreeRADIUS is sending an Access-Accept with the Callback-Id
to the client, but nothing happens afterwards and the user is unable to
connect. From what I've been able to understand, the NAS is sending a
3GPP2-Attr-60 = 0x00000001, which is the 3GPP2-HRPD-Access-Authentication,
which is not defined in the 3GPP2 dictionary. Would patching the 3GPP2
dictionary do the trick, or is there something else I am missing? As this
VSA is, I would've tested this already; however, this kind of testing requires
approval from other departments as well, which is gonna take a couple of
days.
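Added example (not from the original post or the FreeRADIUS project): a site-local dictionary fragment that gives vendor attribute 60 of the 3GPP2 vendor (IANA enterprise number 5535, already declared by the stock dictionary.3gpp2) the name the post attributes to it. The attribute name and number are taken from the post; the VALUE name is an assumed placeholder, since the post does not list the defined values.

```text
# Site-local FreeRADIUS dictionary fragment (added example, not from the post).
# Goes in raddb/dictionary, which $INCLUDEs the shared dictionaries first, so
# the VENDOR 3GPP2 5535 declaration from dictionary.3gpp2 is already loaded
# and the stock vendor file stays unmodified.

BEGIN-VENDOR    3GPP2

# Name and number as given in the post above; type assumed to be integer
# because the NAS sends a 4-byte value (0x00000001).
ATTRIBUTE       3GPP2-HRPD-Access-Authentication        60      integer

# Placeholder value name (assumption): replace with the names from the
# 3GPP2 specification you are working from.
VALUE           3GPP2-HRPD-Access-Authentication        Placeholder-Enabled     1

END-VENDOR      3GPP2
```

After a restart, radiusd -X prints the attribute by name instead of 3GPP2-Attr-60, and the name can be used in check items in the users file. Two observations from the debug output above, not from the dictionary change: the server already sends an Access-Accept while the attribute is undefined, so naming the request attribute changes how it is displayed and matched in policy, not the accept decision itself; and the CHAP section prints the user's cleartext password ("Using clear text password ..."), so -X output should be redacted before it is shared, and the users file holding those passwords needs the same care as any credential store.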