Problem with Cisco WLC probes in FR 2.2.1

Bruce Nunn ironrake at yahoo.com
Mon Oct 7 03:30:36 CEST 2013 

Thanks for the heads-up. I will look for this this coming weekend when I get 2.2.2 in production. 

Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:

>We've recently upgraded our radius servers from 2.1.12 (CentOS 6 
>packaged default) to 2.2.1 (latest stable from FR, built by hand).
>
>A config that used to work under 2.1.12 no longer appears to work the 
>same way under 2.2.1. Our Cisco WLCs send periodic probes in the form of 
>a test authentication. There is a snippet of config that intercepts 
>these authentication requests:
>
># /etc/raddb/conf.d/wism-checks.conf
>if (Service-Type == "NAS-Prompt-User") {
>  if (NAS-IP-Address =~ /^172\.17\.107\./) {
>   if (User-Name =~ /^wisms\-testing/) {
>    update control {
>         Auth-Type := Accept
>    }
>    updated
>   }
>   else {
>         reject
>   }
>  }
>updated = return
>}
>
>
>This config is included in every virtual server's outer config:
>
># /etc/raddb/sites-enabled/eduroamlocal
>authorize {
>   $INCLUDE conf.d/wism-checks.conf
>}
>
>
>Looking at the output from radiusd -XC the wism-checks.conf file is 
>being included in multiple places, yet when the server is running there 
>is no record of these test probe packets being processed. This means the 
>WLCs think the radius server is dead, and stop using it. I've had to 
>roll back to 2.1.12 to restore stable wireless service for our users.
>
>I can only assume this code block is being skipped over for some reason. 
>At present I'm unable to drop production radius servers into debug mode 
>since they can't handle the load while debugging, and while I do have 
>some development radius servers, our WLCs won't sent it these probe 
>packets unless it is an active production radius server.
>
>Does anyone have any tips for debugging this in a minimally disruptive 
>way? At the moment we don't have any development WLCs but we might have 
>to get some so we can have a separate environment for testing. In the 
>meantime I'm trying to get this code block to work so we can use the 
>newer version of FR.
>
>Thanks, and happy Friday
>Jonathan
>-
>List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

More information about the Freeradius-Users mailing list