Problem with Cisco WLC probes in FR 2.2.1

Scott Armitage S.P.Armitage at lboro.ac.uk
Mon Oct 7 09:06:47 CEST 2013


On 7 Oct 2013, at 02:30, Bruce Nunn <ironrake at yahoo.com> wrote:

> Thanks for the heads-up. I will look for this this coming weekend when I get 2.2.2 in production. 
> 
> Jonathan Gazeley <Jonathan.Gazeley at bristol.ac.uk> wrote:
> 
>> We've recently upgraded our radius servers from 2.1.12 (CentOS 6 
>> packaged default) to 2.2.1 (latest stable from FR, built by hand).
>> 
>> A config that used to work under 2.1.12 no longer appears to work the 
>> same way under 2.2.1. Our Cisco WLCs send periodic probes in the form of 
>> a test authentication. There is a snippet of config that intercepts 
>> these authentication requests:
>> 
>> # /etc/raddb/conf.d/wism-checks.conf
>> if (Service-Type == "NAS-Prompt-User") {
>>   if (NAS-IP-Address =~ /^172\.17\.107\./) {
>>     if (User-Name =~ /^wisms\-testing/) {
>>       update control {
>>         Auth-Type := Accept
>>       }
>>       updated
>>     }
>>     else {
>>       reject
>>     }
>>   }
>>   updated = return
>> }
>> 
>> 
>> This config is included in every virtual server's outer config:
>> 
>> # /etc/raddb/sites-enabled/eduroamlocal
>> authorize {
>>  $INCLUDE conf.d/wism-checks.conf
>> }
>> 
>> 
>> Looking at the output from radiusd -XC the wism-checks.conf file is 
>> being included in multiple places, yet when the server is running there 
>> is no record of these test probe packets being processed. This means the 
>> WLCs think the radius server is dead, and stop using it. I've had to 
>> roll back to 2.1.12 to restore stable wireless service for our users.
>> 
>> I can only assume this code block is being skipped over for some reason. 
>> At present I'm unable to drop production radius servers into debug mode 
>> since they can't handle the load while debugging, and while I do have 
>> some development radius servers, our WLCs won't send it these probe 
>> packets unless it is an active production radius server.
>> 
>> Does anyone have any tips for debugging this in a minimally disruptive 
>> way? At the moment we don't have any development WLCs but we might have 
>> to get some so we can have a separate environment for testing. In the 
>> meantime I'm trying to get this code block to work so we can use the 
>> newer version of FR.

We don't have any extra code for the wism checks on our FreeRADIUS.  The wism-check user is treated just like any other user, and consequently receives an Access-Reject (because it isn't a real user).  Why send an access accept?  The wism doesn't care what it gets back (Accept or Reject), it simply wants an answer from the radius so it knows it is alive.

Have you tried running with your wism-checks config commented out?

To debug I would first check the configuration on the wism.  Make sure it is configured for Active fallback checks.  Then I would use radmin, something like:

set debug file wism-fallback-test
set condition '(User-Name == wism-check)'
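As an added example that is not part of this thread, the script below reads the kind of per-user debug capture such a `set debug file` / `set condition` pair produces and lists probe Access-Requests from the WLC range that never got a reply (Accept or Reject). The line format and the sample lines are constructed assumptions modelled on FreeRADIUS 2.x debug output, not copied from a real server.

```python
import re

# Constructed sample in the assumed debug format: probe id=41 is answered,
# probe id=42 never gets a reply, id=7 is an ordinary user and is ignored.
SAMPLE_DEBUG = """\
rad_recv: Access-Request packet from host 172.17.107.12 port 32768, id=41, length=88
\tUser-Name = "wisms-testing"
\tService-Type = NAS-Prompt-User
\tNAS-IP-Address = 172.17.107.12
Sending Access-Accept of id 41 to 172.17.107.12 port 32768
rad_recv: Access-Request packet from host 172.17.107.13 port 32769, id=42, length=88
\tUser-Name = "wisms-testing"
\tService-Type = NAS-Prompt-User
\tNAS-IP-Address = 172.17.107.13
rad_recv: Access-Request packet from host 10.0.0.5 port 1812, id=7, length=90
\tUser-Name = "alice@example.ac.uk"
"""

RECV_RE = re.compile(r'^rad_recv: Access-Request packet from host (\S+) port (\d+), id=(\d+)')
SEND_RE = re.compile(r'^Sending (Access-\w+) of id (\d+) to (\S+) port (\d+)')
ATTR_RE = re.compile(r'^\s+(\S+) = "?([^"]*)"?\s*$')

def audit_probes(debug_text, probe_user_prefix="wisms-testing", wlc_prefix="172.17.107."):
    """Map (host, port, id) of every WLC probe request to its reply code, or None if unanswered."""
    probes = {}
    current, attrs = None, {}   # request being read and its attributes so far

    def finish():
        # Register the request just read if it matches the probe pattern from the config.
        if (current and current[0].startswith(wlc_prefix)
                and attrs.get("User-Name", "").startswith(probe_user_prefix)
                and attrs.get("Service-Type") == "NAS-Prompt-User"):
            probes.setdefault(current, None)

    for line in debug_text.splitlines():
        m = RECV_RE.match(line)
        if m:
            finish()
            current, attrs = (m.group(1), m.group(2), m.group(3)), {}
            continue
        m = SEND_RE.match(line)
        if m:
            finish()
            key = (m.group(3), m.group(4), m.group(2))
            if key in probes:
                probes[key] = m.group(1)      # reply type, e.g. Access-Accept
            current, attrs = None, {}
            continue
        m = ATTR_RE.match(line)
        if m and current:
            attrs[m.group(1)] = m.group(2)
    finish()
    return probes

def unanswered(probes):
    """Probe requests with no Sending line: these are the ones the WLC counts as a dead server."""
    return sorted(k for k, reply in probes.items() if reply is None)
```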


