RADIUS Monitoring tool
Clement Ogedengbe
c.ogedengbe at worc.ac.uk
Wed Feb 25 14:28:50 CET 2015
On two occasions in the last 2 weeks, our RADIUS server suddenly started to reject ALL users, even though we have set up a failover system. Unfortunately, the failover system did not kick in because the RADIUS service was still running; it was just rejecting all users for some strange reason.
Does anyone know of any monitoring script/tool that can be used to test that the RADIUS server is authenticating properly, and which can send an alert by email or text in the event that the server rejects authentication of a valid user's credentials a number of times?
Best Regards
Clement Ogedengbe
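A probe of the kind asked for above, as an added example that is not part of the original post and not a FreeRADIUS tool: it builds a real PAP Access-Request as defined in RFC 2865 (User-Password obfuscation, Request/Response Authenticator), sends it for a dedicated monitoring account, and counts consecutive answers that are not a verified Access-Accept. That is the check the failure described needs, because a process monitor or a port check sees nothing wrong with a daemon that is up and rejecting everyone. The server address, shared secret, account and SMTP relay in the `__main__` block are placeholders; the Message-Authenticator attribute that radtest also sends is omitted here.

```python
"""RADIUS PAP probe: sends a real Access-Request for a dedicated test account and alerts
after N consecutive answers that are not a verified Access-Accept (RFC 2865, stdlib only).
Added example; every address, secret and account below is a placeholder."""
import hashlib
import itertools
import os
import smtplib
import socket
import struct
import sys
from email.message import EmailMessage

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5  # attribute types

def attr(atype, value):
    """One attribute: type byte, length byte (value + 2), value."""
    return bytes([atype, len(value) + 2]) + value

def obfuscate_password(password, secret, authenticator):
    """RFC 2865 5.2: NUL-pad to 16n bytes; block i ^= MD5(secret + previous block), block 0 keyed by the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out += prev
    return out

def deobfuscate_password(cipher, secret, authenticator):
    """Inverse of obfuscate_password (the server-side step); strips the NUL padding."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        mask = hashlib.md5(secret + prev).digest()
        prev = cipher[i:i + 16]
        out += bytes(c ^ m for c, m in zip(prev, mask))
    return out.rstrip(b"\x00")

def build_access_request(ident, username, password, secret, authenticator,
                         nas_ip="127.0.0.1", nas_port=10):
    """The attribute set radtest sends, minus Message-Authenticator."""
    attrs = (attr(USER_NAME, username.encode())
             + attr(USER_PASSWORD, obfuscate_password(password.encode(), secret, authenticator))
             + attr(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attr(NAS_PORT, struct.pack(">I", nas_port)))
    return struct.pack(">BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs

def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_authenticator + attrs + secret).digest() + attrs

def verify_response(resp, ident, request_authenticator, secret):
    """Packet code if ID and Response Authenticator check out, else None (never count a forged reply as Accept)."""
    if len(resp) < 20:
        return None
    code, resp_ident, length = struct.unpack(">BBH", resp[:4])
    if resp_ident != ident or length < 20 or length > len(resp):
        return None
    expected = hashlib.md5(resp[:4] + request_authenticator + resp[20:length] + secret).digest()
    return code if expected == resp[4:20] else None

def probe(server, port, secret, username, password, timeout=3.0):
    """One round trip: 'accept', 'reject', 'timeout' (daemon down), 'bad-auth' (wrong secret/forged) or 'other'."""
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    request = build_access_request(ident, username, password, secret, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return "timeout"
    code = verify_response(data, ident, authenticator, secret)
    return {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", None: "bad-auth"}.get(code, "other")

def consecutive_failures(history):
    """Trailing run of results that were not a verified Accept; a daemon that is up but rejects everyone counts."""
    return len(list(itertools.takewhile(lambda r: r != "accept", reversed(history))))

def send_alert(text, smtp_host=None, sender="radius-probe@example.invalid", recipient="noc@example.invalid"):
    """Always write to stderr (cron mails that); also e-mail through an SMTP relay when one is given."""
    print(text, file=sys.stderr)
    if smtp_host:
        msg = EmailMessage()
        msg["Subject"], msg["From"], msg["To"] = "RADIUS probe alert", sender, recipient
        msg.set_content(text)
        with smtplib.SMTP(smtp_host) as relay:
            relay.send_message(msg)

if __name__ == "__main__":
    # Placeholders: your server, its client secret for this host, and a monitoring-only account.
    server, secret, user, pw = "192.0.2.10", b"placeholder-secret", "probe-user", "probe-pass"
    history = [probe(server, 1812, secret, user, pw) for _ in range(3)]
    if consecutive_failures(history) >= 3:
        send_alert(f"RADIUS {server}: {len(history)} consecutive failed probes: {history}")
```

Run it from cron every few minutes with the probe host added to clients.conf and a monitoring account whose only reply is an Accept; keep "reject", "timeout" and "bad-auth" separate in the alert text, since the first means the failure described in the post (daemon answering, every user rejected), the second means the daemon or network is down, and the third means the shared secret on one side has changed.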
-----Original Message-----
From: Freeradius-Users [mailto:freeradius-users-bounces+c.ogedengbe=worc.ac.uk at lists.freeradius.org] On Behalf Of Tevfik Ceydeliler
Sent: 25 February 2015 12:44
To: freeradius-users at lists.freeradius.org
Subject: Re: GGSN/APN Freeradius and Proxy
On 02/24/2015 06:00 PM, Alan DeKok wrote:
> On Feb 24, 2015, at 10:14 AM, Tevfik Ceydeliler <tevfik.ceydeliler at astron.yasar.com.tr> wrote:
>> I use Kobil Secovid as the MOTP home server, and its log is very primitive, like this:
>> "Tue Feb 24 11:40:21 2015: sending reject for vantacgida4's query from 10.43.1.51"
>> It does not help me to understand why it rejects.
> So… ask the Kobil people why their RADIUS server is broken.
No support we paid :(
>
>> Differences are very obvious:
> So… use FreeRADIUS to edit the proxied packet, so that it looks more like the one from radtest. That’s what the “pre-proxy” section is for. There are lots of examples and documentation for this.
>
>> rad_recv: Access-Request packet from host 172.30.80.1 port 24208, id=136, length=372
>> Comes from GGSN:
>> Calling-Station-Id = "905344776557"
>> User-Name = "vantacgida4"
>> ...
>> User-Password = "5080+00526417"
> Does that name / password work for radtest? If not, then stop
> wasting your time, and throw the home server in the garbage. Get one
> that works,
I can't test this user because it is a reseller's. But I created another user and can test with it.
########################################################
root at radiuspnb:/etc/freeradius# radtest kivanccepel 475224928708 10.1.1.51 10 geheim
Sending Access-Request of id 21 to 10.1.1.51 port 1812
User-Name = "kivanccepel"
User-Password = "475224928708"
NAS-IP-Address = 127.0.1.1
NAS-Port = 10
Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=21, length=2
###########################################################
As you see, it works.
But from the GGSN it does not work.
I really wish to throw that home server in the garbage. But more than 300 resellers connect via this home server.
OK, let's change the home server. I have another one for internal usage.
In this case:
##################################################################
rad_recv: Access-Request packet from host 172.30.80.1 port 24144, id=10,
length=377
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "biryudumgida3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> biryudumgida3
[sql] sql_set_user escaped user --> 'biryudumgida3'
rlm_sql (sql): Reserving sql socket id: 4
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'biryudumgida3' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'biryudumgida3' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'biryudumgida3' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'UGR_TcellOtonomYBB-Secovid' ORDER BY id
[sql] User found in group UGR_TcellOtonomYBB-Secovid
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'UGR_TcellOtonomYBB-Secovid' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 80 to 10.1.1.51 port 1812
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
Proxy-State = 0x3130
Proxying request 4 to home server 10.1.1.51 port 1812
Sending Access-Request of id 80 to 10.1.1.51 port 1812
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
Proxy-State = 0x3130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=80,
length=24
Proxy-State = 0x3130
# Executing section post-proxy from file /etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool] expand: %{User-Name} -> biryudumgida3
[sqlippool] sql_set_user escaped user --> 'biryudumgida3'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
[sqlippool] expand: UPDATE radippool SET nasipaddress = '',
pool_key = 0, callingstationid = '', username = '', expiry_time =
NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress
= '%{Nas-IP-Address}' -> UPDATE radippool SET nasipaddress = '',
pool_key = 0, callingstationid = '', username = '', expiry_time =
NULL WHERE expiry_time <= NOW() - INTERVAL 1 SECOND AND nasipaddress
= '172.30.80.1'
[sqlippool] expand: SELECT framedipaddress FROM radippool WHERE
pool_name = '%{control:Pool-Name}' AND (expiry_time < NOW() OR expiry_time IS NULL) ORDER BY (username <> '%{User-Name}'), (callingstationid <> '%{Calling-Station-Id}'), expiry_time LIMIT 1 FOR UPDATE -> SELECT framedipaddress FROM radippool WHERE pool_name = 'IP_TcellOtonomYBB' AND (expiry_time < NOW() OR expiry_time IS NULL) ORDER BY (username <> 'biryudumgida3'), (callingstationid <> '905303630245'), expiry_time LIMIT 1 FOR UPDATE
[sqlippool] expand: UPDATE radippool SET nasipaddress =
'%{NAS-IP-Address}', pool_key = '%{NAS-Port}', callingstationid = '%{Calling-Station-Id}', username = '%{User-Name}', expiry_time = NOW()
+ INTERVAL 21600 SECOND WHERE framedipaddress = '172.30.64.190' AND
expiry_time IS NULL -> UPDATE radippool SET nasipaddress = '172.30.80.1', pool_key = '41524', callingstationid = '905303630245', username = 'biryudumgida3', expiry_time = NOW() + INTERVAL 21600 SECOND WHERE framedipaddress = '172.30.64.190' AND expiry_time IS NULL
[sqlippool] Allocated IP 172.30.64.190 [be401eac]
[sqlippool] expand: COMMIT -> COMMIT
rlm_sql (sql): Released sql socket id: 3
[sqlippool] expand: Allocated IP: %{reply:Framed-IP-Address} from
%{control:Pool-Name} (did %{Called-Station-Id} cli
%{Calling-Station-Id} port %{NAS-Port} user %{User-Name}) -> Allocated
IP: 172.30.64.190 from IP_TcellOtonomYBB (did yasarapn cli
905303630245 port 41524 user biryudumgida3)
Allocated IP: 172.30.64.190 from IP_TcellOtonomYBB (did yasarapn cli
905303630245 port 41524 user biryudumgida3)
++[sqlippool] returns ok
++[exec] returns noop
Sending Access-Accept of id 10 to 172.30.80.1 port 24144
Framed-IP-Address = 172.30.64.190
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 10 with timestamp +133
Ready to process requests.
rad_recv: Access-Request packet from host 172.30.80.1 port 24144, id=10,
length=377
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
++[digest] returns noop
[suffix] No '@' in User-Name = "biryudumgida3", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[files] returns noop
[sql] expand: %{User-Name} -> biryudumgida3
[sql] sql_set_user escaped user --> 'biryudumgida3'
rlm_sql (sql): Reserving sql socket id: 2
[sql] expand: SELECT id, username, attribute, value, op
FROM radcheck WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radcheck WHERE username = 'biryudumgida3' ORDER BY id
[sql] User found in radcheck table
[sql] expand: SELECT id, username, attribute, value, op
FROM radreply WHERE username = '%{SQL-User-Name}'
ORDER BY id -> SELECT id, username, attribute, value, op FROM
radreply WHERE username = 'biryudumgida3' ORDER BY id
[sql] expand: SELECT groupname FROM radusergroup
WHERE username = '%{SQL-User-Name}' ORDER BY priority -> SELECT
groupname FROM radusergroup WHERE username =
'biryudumgida3' ORDER BY priority
[sql] expand: SELECT id, groupname, attribute, Value,
op FROM radgroupcheck WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, Value, op FROM radgroupcheck
WHERE groupname = 'UGR_TcellOtonomYBB-Secovid' ORDER BY id
[sql] User found in group UGR_TcellOtonomYBB-Secovid
[sql] expand: SELECT id, groupname, attribute, value,
op FROM radgroupreply WHERE groupname =
'%{Sql-Group}' ORDER BY id -> SELECT id, groupname,
attribute, value, op FROM radgroupreply
WHERE groupname = 'UGR_TcellOtonomYBB-Secovid' ORDER BY id
rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
WARNING: Empty pre-proxy section. Using default return values.
Sending Access-Request of id 101 to 10.1.1.51 port 1812
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
Proxy-State = 0x3130
Proxying request 5 to home server 10.1.1.51 port 1812
Sending Access-Request of id 101 to 10.1.1.51 port 1812
Calling-Station-Id = "905303630245"
User-Name = "biryudumgida3"
NAS-IP-Address = 172.30.80.1
NAS-Identifier = "MTCGGSNK3"
Service-Type = Framed-User
Framed-Protocol = GPRS-PDP-Context
NAS-Port-Type = Wireless-Other
3GPP-IMSI = "286015918760926"
3GPP-IMSI-MCC-MNC = "28601"
3GPP-NSAPI = "5"
3GPP-Selection-Mode = "0"
3GPP-Charging-ID = 50711443
3GPP-GPRS-Negotiated-QoS-profile = "05-13921F7396F7FE74620846006400"
3GPP-Charging-Characteristics = "0800"
Called-Station-Id = "yasarapn"
3GPP-SGSN-Address = 86.108.153.116
3GPP-SGSN-MCC-MNC = "28601"
3GPP-GGSN-Address = 86.108.153.126
3GPP-GGSN-MCC-MNC = "28601"
3GPP-Negotiated-DSCP = 18
3GPP-RAT-Type = 1
3GPP-Location-Info = 0x0182f610eb2acd62
3GPP-Attr-23 = 0x8020
3GPP-IMEISV = "9800670040325323"
3GPP-PDP-Type = 0
NAS-Port = 41524
User-Password = "645327067460"
3GPP-Charging-Gateway-Address = 10.200.211.27
Proxy-State = 0x3130
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Reject packet from host 10.1.1.51 port 1812, id=101,
length=24
Proxy-State = 0x3130
# Executing section post-proxy from file /etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} -> biryudumgida3
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 5 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 5
Sending Access-Reject of id 10 to 172.30.80.1 port 24144
Waking up in 4.9 seconds.
Cleaning up request 5 ID 10 with timestamp +143
Ready to process requests.
####################################################
The user comes from the GGSN.
SQL detects the username, IP pool and profile. FreeRADIUS receives the Access-Accept message from the home server:
rad_recv: Access-Accept packet from host 10.1.1.51 port 1812, id=80,
length=24
Proxy-State = 0x3130
# Executing section post-proxy from file /etc/freeradius/sites-enabled/default
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
# Executing section post-auth from file /etc/freeradius/sites-enabled/default
+- entering group post-auth {...}
rlm_sql (sql): Reserving sql socket id: 3
[sqlippool] expand: %{User-Name} -> biryudumgida3
[sqlippool] sql_set_user escaped user --> 'biryudumgida3'
[sqlippool] expand: START TRANSACTION -> START TRANSACTION
Then again the SQL query,
again and again.
I really don't know why this happens.
> Alan DeKok.
>
>
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
--
The information contained in this e-mail and any files transmitted with it are intended solely for the use of the individual or entity to whom they are addressed and Yasar Group Companies do not accept legal responsibility for the contents. If you are not the intended recipient, please immediately notify the sender and delete it from your system.
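Alan's pointer to the pre-proxy section, spelled out as an added example that is not part of the thread and not from the FreeRADIUS distribution. The debug output above ("WARNING: Empty pre-proxy section", the "++[module] returns" format) is from a FreeRADIUS 2.x server, so 2.x unlang is assumed; the attribute names are the ones shown in the "Sending Access-Request ... to 10.1.1.51" block, and the list strips everything the GGSN adds that radtest never sent.

```unlang
# sites-enabled/default, FreeRADIUS 2.x. Added example, not from the thread.
# Fills the empty section that produced "WARNING: Empty pre-proxy section".
pre-proxy {
        # "!* ANY" deletes every instance of the attribute from the packet that is
        # about to be proxied. What is left is User-Name, User-Password,
        # NAS-IP-Address, NAS-Port and Calling-Station-Id: close to what radtest sends.
        update proxy-request {
                3GPP-IMSI !* ANY
                3GPP-IMSI-MCC-MNC !* ANY
                3GPP-NSAPI !* ANY
                3GPP-Selection-Mode !* ANY
                3GPP-Charging-ID !* ANY
                3GPP-GPRS-Negotiated-QoS-profile !* ANY
                3GPP-Charging-Characteristics !* ANY
                3GPP-SGSN-Address !* ANY
                3GPP-SGSN-MCC-MNC !* ANY
                3GPP-GGSN-Address !* ANY
                3GPP-GGSN-MCC-MNC !* ANY
                3GPP-Negotiated-DSCP !* ANY
                3GPP-RAT-Type !* ANY
                3GPP-Location-Info !* ANY
                3GPP-IMEISV !* ANY
                3GPP-PDP-Type !* ANY
                3GPP-Charging-Gateway-Address !* ANY
                NAS-Identifier !* ANY
                Service-Type !* ANY
                Framed-Protocol !* ANY
                NAS-Port-Type !* ANY
                Called-Station-Id !* ANY
        }
}
```

Restart with radiusd -X and compare the new "Sending Access-Request ... to 10.1.1.51" block with the radtest packet; the warning line disappears. The attribute printed as 3GPP-Attr-23 has no name in the local dictionary, so it is not covered by the list above. The same filtering can be done from a file instead of unlang with the attr_filter.pre-proxy module and raddb/attrs.pre-proxy, which 2.x ships. One caveat for interpreting the result: the debug output above shows the same user name and password accepted on the first proxied request (id 80) and rejected on the next one (id 101) with no change to the packet in between, so judge each change by more than a single login.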
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html