Clients in virtual servers
Stanislav Lorenc
stanislav.lorenc at cernovice.net
Tue Apr 10 10:27:15 CEST 2018
On 9 Apr 2018, at 17:11, Stanislav Lorenc <stanislav.lorenc at cernovice.net> wrote:
> I register NAS clients into two virtual servers with the same IP and this fails with a duplicate error.
The error is intended - you've added a duplicate client.
> Is there a way to register NAS clients separately?
That's not possible, but what behaviour would you be expecting? Packets randomly assigned to a virtual server? Packets to be sent to both virtual servers simultaneously and two responses returned?
Adam Bishop
gpg: E75B 1F92 6407 DFDF 9F1C BF10 C993 2504 6609 D460
jisc.ac.uk
--------------------------------------------
Hi, I expect that if a packet is sent to a concrete virtual server on a concrete port, it will be processed within this server.
I use RADIUS in MikroTik and I have multiple RADIUS accounts in MikroTik for different services.
It looks like this:
/radius
# Check user access to device
add address=192.168.1.100 authentication-port=9999 realm=cernovice_net secret=test service=login timeout=3s
# Check users for PPPoE services
add address=192.168.1.100 authentication-port=1111 realm=ppp secret=test service=ppp timeout=3s
One server is for ppp services with realm ppp and the second server is for user access to the device. For different purposes I have different virtual servers with their own business logic, and users are separate in each virtual server.
This device sends requests from one management IP. More IPs are possible but confusing.
The problem occurs if the device sends a packet from port 9999 to check access to the device and the client is registered in the first virtual host (port 1111 - ppp services). The request is processed within the ppp virtual server instead of the login virtual server.
Mikrotik Log: -> send request to 9999
09:33:58 radius,debug new request 0d:02 code=Access-Request service=login
09:33:58 radius,debug sending 0d:02 to 192.168.1.100:9999
09:33:58 radius,debug,packet sending Access-Request with id 2 to 192.168.1.100:9999
09:33:58 radius,debug,packet Signature = 0x268b43fc121da2883c30f476ee137502
09:33:58 radius,debug,packet Service-Type = 1
09:33:58 radius,debug,packet User-Name = "lorenc"
09:33:58 radius,debug,packet CHAP-Challenge = 0xe593b52e5739b57a979f8a40629e19d2
09:33:58 radius,debug,packet CHAP-Password = 0x0018ab7cf3a5fb9364723bc9343dd086
09:33:58 radius,debug,packet 10
09:33:58 radius,debug,packet Calling-Station-Id = "30:5A:3A:02:ED:BB"
09:33:58 radius,debug,packet NAS-Identifier = "male_rb_test"
09:33:58 radius,debug,packet MT-Realm = 0x6365726e6f766963655f6e6574
09:33:58 radius,debug,packet NAS-IP-Address = 192.168.1.223
09:33:59 radius,debug,packet received Access-Reject with id 2 from 192.168.1.100:9999
09:33:59 radius,debug,packet Signature = 0x27f48d656775fe94bd345924a9988c11
09:33:59 radius,debug received reply for 0d:02
RADIUS output executed by /etc/freeradius/sites-enabled/test_local_ppp_services.virtual_server.conf (ppp services, and the client is registered inside this virtual server):
Tue Apr 10 10:17:23 2018 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.1.223 port 51032, id=10, length=131
Service-Type = Login-User
User-Name = "lorenc"
CHAP-Challenge = 0x7f54c88e8ff8a895b536c9e4f26f43ba
CHAP-Password = 0x0079373826d8a430860427d8691478870e
Calling-Station-Id = "30:5A:3A:02:ED:BB"
NAS-Identifier = "male_rb_test"
Mikrotik-Realm = "cernovice_net"
NAS-IP-Address = 192.168.1.223
Tue Apr 10 10:17:28 2018 : Info: server test_local_ppp_services {
Tue Apr 10 10:17:28 2018 : Info: # Executing section authorize from file /etc/freeradius/sites-enabled/test_local_ppp_services.virtual_server.conf
Tue Apr 10 10:17:28 2018 : Info: +group authorize {
Tue Apr 10 10:17:28 2018 : Info: ++[preprocess] = ok
Tue Apr 10 10:17:28 2018 : Info: [chap] Setting 'Auth-Type := CHAP'
Tue Apr 10 10:17:28 2018 : Info: ++[chap] = ok
Tue Apr 10 10:17:28 2018 : Info: ++[mschap] = noop
Tue Apr 10 10:17:28 2018 : Info: [test_local_ppp_services_sql] expand: %{User-Name} -> lorenc
Tue Apr 10 10:17:28 2018 : Info: [test_local_ppp_services_sql] sql_set_user escaped user --> 'lorenc'
Tue Apr 10 10:17:28 2018 : Debug: rlm_sql (test_local_ppp_services_sql): Reserving sql socket id: 3
...
If I register the NAS client in the right virtual server, it is executed correctly. So I need to make two or more separate client lists, one for each virtual server.
Stanislav Lorenc
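
A check for the symptom described in the message above, as an added example that is not part of the original thread: it pairs each `rad_recv` packet in radiusd debug output with the virtual server that handled it and reports requests whose Mikrotik-Realm landed in an unexpected server. The log sample is constructed in the format quoted above, and the server name `test_local_login` and the realm-to-server mapping are assumptions.

```python
import re

# Constructed sample in the format of the radiusd debug output quoted above.
SAMPLE_LOG = """\
rad_recv: Access-Request packet from host 192.168.1.223 port 51032, id=10, length=131
    Service-Type = Login-User
    Mikrotik-Realm = "cernovice_net"
Tue Apr 10 10:17:28 2018 : Info: server test_local_ppp_services {
rad_recv: Access-Request packet from host 192.168.1.223 port 40211, id=11, length=120
    Service-Type = Framed-User
    Mikrotik-Realm = "ppp"
Tue Apr 10 10:17:30 2018 : Info: server test_local_ppp_services {
"""

# Assumed policy: which virtual server should handle each Mikrotik-Realm.
# "test_local_login" is a hypothetical name; the thread names only the ppp server.
EXPECTED_SERVER = {"cernovice_net": "test_local_login",
                   "ppp": "test_local_ppp_services"}

RECV = re.compile(r"rad_recv: (\S+) packet from host (\S+) port (\d+), id=(\d+)")
ATTR = re.compile(r'^\s*([\w-]+) = "?([^"]*)"?\s*$')
SERVER = re.compile(r"Info: server (\S+) \{")

def requests_by_server(log):
    """Pair each received packet with the first virtual server that handles it."""
    results, current = [], None
    for line in log.splitlines():
        if m := RECV.search(line):
            current = {"code": m[1], "host": m[2], "id": int(m[4]),
                       "attrs": {}, "server": None}
            results.append(current)
        elif current and (m := SERVER.search(line)):
            current["server"] = current["server"] or m[1]
        elif current and (m := ATTR.match(line)):
            current["attrs"][m[1]] = m[2]
    return results

def misrouted(log, expected=EXPECTED_SERVER):
    """Return (id, realm, server) for requests handled by an unexpected server."""
    out = []
    for req in requests_by_server(log):
        realm = req["attrs"].get("Mikrotik-Realm")
        if realm in expected and req["server"] != expected[realm]:
            out.append((req["id"], realm, req["server"]))
    return out

if __name__ == "__main__":
    for rid, realm, server in misrouted(SAMPLE_LOG):
        print(f"id={rid} realm={realm} was processed by {server}")
```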