GGSN/APN Freeradius and Proxy

Tevfik Ceydeliler tevfik.ceydeliler at astron.yasar.com.tr
Tue Feb 24 16:14:42 CET 2015



On 02/24/2015 03:39 PM, Alan DeKok wrote:
> On Feb 24, 2015, at 8:25 AM, Tevfik Ceydeliler <tevfik.ceydeliler at astron.yasar.com.tr> wrote:
>> I really wonder about this. Because I am trying to move all users from MS-IAS to Freeradius to use an IP pool. So, those users are defined on IAS and work well. 10.1.1.51 is my OTP server.
>    Well.. look at its logs to see why it’s rejecting the user.
I use Kobil Secovid as MOTP home server, and its log is very primitive, like this:
"Tue Feb 24 11:40:21 2015: sending reject for vantacgida4's query from 10.43.1.51"
It does not help me understand why it rejects.

>
>> But both the real connection from GSM and NTRadPing use the same proxy and home servers, 10.1.1.51. So the only difference is the packet coming from the GGSN.
>> A little bit more of a hint, please :)
>    There’s no “hint” needed.  Look at the logs on the home server.
>
>    Or, look at the packets.  See what the differences are between the ones that succeed, and ones that fail.  Those differences are causing the failure.
The differences are very obvious.
This comes from the GGSN:
rad_recv: Access-Request packet from host 172.30.80.1 port 24208, id=136, length=372
     Calling-Station-Id = "905344776557"
     User-Name = "vantacgida4"
     NAS-IP-Address = 172.30.80.1
     NAS-Identifier = "MTCGGSNK3"
     Service-Type = Framed-User
     Framed-Protocol = GPRS-PDP-Context
     NAS-Port-Type = Wireless-Other
     3GPP-IMSI = "286015326539253"
     3GPP-IMSI-MCC-MNC = "28601"
     3GPP-NSAPI = "5"
     3GPP-Selection-Mode = "0"
     3GPP-Charging-ID = 151347210
     3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
     3GPP-Charging-Characteristics = "0800"
     Called-Station-Id = "yasarapn"
     3GPP-SGSN-Address = 86.108.153.243
     3GPP-SGSN-MCC-MNC = "28601"
     3GPP-GGSN-Address = 86.108.153.126
     3GPP-GGSN-MCC-MNC = "28601"
     3GPP-Negotiated-DSCP = 18
     3GPP-RAT-Type = 1
     3GPP-Location-Info = 0x0182f610ebaa0678
     3GPP-Attr-23 = 0x8020
     3GPP-IMEISV = "3539230324392801"
     3GPP-PDP-Type = 0
     NAS-Port = 121000
     User-Password = "5080+00526417"
     3GPP-Charging-Gateway-Address = 10.200.211.27

And this comes from local:
rad_recv: Access-Request packet from host 10.65.8.117 port 53599, id=4, length=51
     User-Name = "kivanccepel"
     User-Password = "475295016226"

When I look at the logs, at the end of the SQL query everything is OK. But in the GGSN case, after SQL returns OK, the whole Access-Request is sent to the proxy server. But only the username and password should be sent to the proxy. Again and again, as you see in the log.
I mean, FreeRADIUS sends this:
Sending Access-Request of id 235 to 10.1.1.51 port 1812
     Calling-Station-Id = "905344776557"
     User-Name = "vantacgida4"
     NAS-IP-Address = 172.30.80.1
     NAS-Identifier = "MTCGGSNK3"
     Service-Type = Framed-User
     Framed-Protocol = GPRS-PDP-Context
     NAS-Port-Type = Wireless-Other
     3GPP-IMSI = "286015326539253"
     ...
...
     3GPP-PDP-Type = 0
     NAS-Port = 121000
     User-Password = "5080+00526417"
     3GPP-Charging-Gateway-Address = 10.200.211.27
     Proxy-State = 0x323130

Then I get:

Sending duplicate proxied request to home server 10.1.1.51 port 1812 - ID: 235
rad_recv: Access-Reject packet from host 10.1.1.51 port 1812, id=235, length=25

But it should only send these:

Sending Access-Request of id 235 to 10.1.1.51 port 1812
     User-Name = "vantacgida4"
     User-Password = "5080+00526417"

Other values are not necessary.

Because the home server logs are primitive, I can't get an idea.
Maybe if a RADIUS packet analyzer or monitor existed, I could see what is wrong.

>
>    Those are your *only* options.  There is no magic here.
>
>    Alan DeKok.
>
>

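The comparison suggested in the quoted reply (look at what differs between a request that succeeds and one that fails), as an added example that is not part of the original post or of FreeRADIUS itself. The function names are hypothetical, the attribute names are taken from the debug output above, and every value in the two sample dumps is a constructed placeholder.

```python
import re

# Constructed sample dumps in the "radiusd -X" layout quoted above.
# Attribute names come from the thread; every value is a placeholder.
GGSN_REQUEST = """\
rad_recv: Access-Request packet from host 192.0.2.1 port 24208, id=136, length=372
     Calling-Station-Id = "900000000000"
     User-Name = "user-a"
     NAS-IP-Address = 192.0.2.1
     Service-Type = Framed-User
     3GPP-IMSI = "001010000000001"
     3GPP-Location-Info = 0x0182f610
     User-Password = "1234+00000000"
"""
LOCAL_REQUEST = """\
rad_recv: Access-Request packet from host 192.0.2.50 port 53599, id=4, length=51
     User-Name = "user-b"
     User-Password = "000000000000"
"""

# Attribute lines are indented "Name = value"; packet header lines are not.
ATTR_LINE = re.compile(r'^\s+([A-Za-z0-9][\w.-]*)\s*=\s*(.+?)\s*$')

def parse_attributes(dump):
    """Return {attribute name: value} for one dumped packet (last value wins)."""
    attrs = {}
    for line in dump.splitlines():
        m = ATTR_LINE.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def shape(value):
    """Describe a value without echoing it, so secrets stay out of tickets."""
    return (len(value), "digits" if value.isdigit() else "mixed")

def diff_requests(failing, working):
    """Compare attribute sets, and value shapes for attributes both packets carry."""
    f, w = parse_attributes(failing), parse_attributes(working)
    return {
        "only_in_failing": sorted(f.keys() - w.keys()),
        "only_in_working": sorted(w.keys() - f.keys()),
        "shape_differs": {k: (shape(f[k]), shape(w[k]))
                          for k in sorted(f.keys() & w.keys())
                          if shape(f[k]) != shape(w[k])},
    }

if __name__ == "__main__":
    for group, found in diff_requests(GGSN_REQUEST, LOCAL_REQUEST).items():
        print(group, found)
```

The output lists the attributes only the failing request carries and reports the length and character class of shared attributes, so the comparison can be shared without exposing a one-time password.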