Remote users - proxying fails - NPS timeout
Alan DeKok
aland at deployingradius.com
Fri Aug 18 09:48:02 CEST 2017
On Aug 18, 2017, at 1:37 AM, John Horne <john.horne at plymouth.ac.uk> wrote:
> However, I have updated freeradius to 3.0.15 (locally built RPM) on one of the
> servers. Whilst the local and visiting eduroam users are authenticating
> correctly, the majority of our own eduroam users authenticating to us via the
> NRPS servers now fail. The radius log shows (for example):
>
> ==========
> Thu Aug 17 23:16:20 2017 : ERROR: (7299) ERROR: Failing proxied request for
> user "abc at students.plymouth.ac.uk", due to lack of any response from home
> server 141.163.xxx.yyy port 1812
If NPS doesn't respond, NPS is the problem. :(
> For the NRPS clients this occurs nearly 100% of the time. For some reason an
> occassional user will authenticate successfully. I have captured the debug
> output for a user who authenticated successfully on the 3.0.4 server, but then
> failed to authenticate on the 3.0.15 server. Although the last packet sent
> seemed acceptable, with no reply from the MS NPS server it is difficult to know
> what happened next.
Well, both 3.0.4 and 3.0.15 are compliant with all RADIUS standards. I suspect NPS isn't.
I suspect that there are minor differences in packets which causes NPS to barf. I suggest looking at PCAPs (tcpdump / wireshark) to see what's different about the packets.
Or, send me the PCAPs (off-list), and say which packets are the problems. I'll see if I can discover anything.
> However, before that I thought I would ask here if anyone has any thoughts
> about this? Has anyone had a similar problem?
I've seen similar issues before with NPS. If NPS receives an attribute that it thinks is type "integer", but is instead 8 bytes long (i.e. not an integer), NPS will *drop the whole packet*.
This behaviour is beyond stupid. I put text into RFC 6929 to address this exact problem:
https://tools.ietf.org/html/rfc6929#section-2.8
I've also seen issues with other proprietary RADIUS servers that sometimes expect to see attributes in a particular order. One in particular had the idiotic behaviour of replying to "bad" packets by *echoing the bad packet back to the client*. I'm at a loss for how anyone ever thought that was a good idea.
Alan DeKok.
More information about the Freeradius-Users
mailing list