Problem with Cisco WLC probes in FR 2.2.1
Jonathan Gazeley
Jonathan.Gazeley at bristol.ac.uk
Fri Oct 4 13:40:09 CEST 2013
We've recently upgraded our radius servers from 2.1.12 (CentOS 6
packaged default) to 2.2.1 (latest stable from FR, built by hand).
A config that used to work under 2.1.12 no longer appears to work the
same way under 2.2.1. Our Cisco WLCs send periodic probes in the form of
a test authentication. There is a snippet of config that intercepts
these authentication requests:
# /etc/raddb/conf.d/wism-checks.conf
if (Service-Type == "NAS-Prompt-User") {
    if (NAS-IP-Address =~ /^172\.17\.107\./) {
        if (User-Name =~ /^wisms\-testing/) {
            update control {
                Auth-Type := Accept
            }
            updated
        }
        else {
            reject
        }
    }
    updated = return
}
This config is included in every virtual server's outer config:
# /etc/raddb/sites-enabled/eduroamlocal
authorize {
    $INCLUDE conf.d/wism-checks.conf
}
Looking at the output from radiusd -XC the wism-checks.conf file is
being included in multiple places, yet when the server is running there
is no record of these test probe packets being processed. This means the
WLCs think the radius server is dead, and stop using it. I've had to
roll back to 2.1.12 to restore stable wireless service for our users.
I can only assume this code block is being skipped over for some reason.
At present I'm unable to drop production radius servers into debug mode
since they can't handle the load while debugging, and while I do have
some development radius servers, our WLCs won't send it these probe
packets unless it is an active production radius server.
Does anyone have any tips for debugging this in a minimally disruptive
way? At the moment we don't have any development WLCs but we might have
to get some so we can have a separate environment for testing. In the
meantime I'm trying to get this code block to work so we can use the
newer version of FR.
Thanks, and happy Friday
Jonathan
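
Added example, not part of the original post: one way to exercise the wism-checks.conf block on a development server without a WLC is to hand-build an Access-Request carrying the three attributes the policy matches on. The server address, shared secret, password and full NAS address are constructed values; that the probe carries a User-Password, and that the development server has a client entry for the host running the script, are assumptions.

```python
import hashlib
import ipaddress
import os
import socket
import struct

# RFC 2865 attribute numbers; Service-Type value 7 is NAS-Prompt.
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, SERVICE_TYPE = 1, 2, 4, 6
ACCESS_REQUEST, NAS_PROMPT_USER = 1, 7


def attr(code, value):
    """Encode one attribute as type, length, value."""
    return struct.pack("!BB", code, len(value) + 2) + value


def hide_password(password, secret, authenticator):
    """User-Password hiding from RFC 2865 section 5.2."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        digest = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], digest))
        out += prev
    return out


def build_probe(user, password, nas_ip, secret, ident=1, authenticator=None):
    """Build an Access-Request shaped like the probe the policy matches."""
    authenticator = authenticator or os.urandom(16)
    attrs = (
        attr(USER_NAME, user.encode())
        + attr(USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
        + attr(NAS_IP_ADDRESS, ipaddress.IPv4Address(nas_ip).packed)
        + attr(SERVICE_TYPE, struct.pack("!I", NAS_PROMPT_USER))
    )
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs


def send_probe(server, secret, port=1812, **fields):
    """Send one probe; return the reply code (2 = Accept, 3 = Reject)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(3)
        sock.sendto(build_probe(secret=secret, **fields), (server, port))
        return sock.recv(4096)[0]


# Constructed usage: send_probe("192.0.2.10", b"testing123", user="wisms-testing",
#     password="x", nas_ip="172.17.107.10")
```

Running the same call with a User-Name that does not start with wisms-testing should exercise the reject branch, which shows whether the block is reached at all.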