Freeradius 3.16 and mysql - duplicated entries in radpostauth

Marcin Marszałkowski m.marszal at wp.pl
Sun Aug 18 15:58:02 CEST 2019


Thanks Alan D, I knew I wouldn’t be perfect.

>  We need "radiusd -X".  Not "radiusd -Xxxxxxxxxxx".   Among a few other issues.
> 
>  Read this:  http://wiki.freeradius.org/list-help

I’ve read the wiki, but I sent more detailed debug info because I hadn’t seen the sql entry in the standard debug.


Gigawords
>  Ask the NAS vendor how their equipment works.


I did ask Ubiquiti but unfortunately without any result/reply. That’s why I’m trying to figure it out somewhere else.



>  If you get an Access-Accept, why do you care how many packets there are?


Because I wasn’t sure whether it may affect accounting/problems with gigawords.
I did read info about the EAP protocol but I couldn’t find details about the packet exchange. I only need a push in the right direction.

Regards
Martin



> Message written by Alan DeKok <aland at deployingradius.com> on 18.08.2019, at 13:49:
> 
> On Aug 18, 2019, at 3:33 AM, Marcin Marszałkowski <m.marszal at wp.pl> wrote:
>> I’m a newbie to Freeradius and have been pulling my hair out…
>> Installed Freeradius 3.16 with mysql and Daloradius. Authenticating and authorizing work (I think so).
>> But I might have something misconfigured - the radpostauth table is full of duplicated/always double entries with the same timestamp. And it happens only for EAP auth.; PAP (radtest) and MD5 (MAC based auth.) are not affected. Could it affect accounting?
> 
>  It doesn't affect accounting.  You can *read* the debug log to verify this.
> 
>  The "double entries" are how PEAP works.  There is an outer identity, and an inner one.  They can be different.
> 
>> Following is request debug where double input to radpostauth is visible:
>> ————————————————
>> Sat Aug 17 18:23:36 2019 : Debug: (10) Received Access-Request Id 248 from 172.16.0.5:48453 to 172.16.0.12:1812 length 242
>> Sat Aug 17 18:23:36 2019 : Debug: (10)   User-Name = "Robert"
>> Sat Aug 17 18:23:36 2019 : Debug: (10)   NAS-Identifier = "feec3a9aeda5"
> 
>  <sigh>  Is it *really* that hard to read the documentation?  Where should we put the documentation where you will *read* it?
> 
>  We need "radiusd -X".  Not "radiusd -Xxxxxxxxxxx".   Among a few other issues.
> 
>  Read this:  http://wiki.freeradius.org/list-help
> 
>  When you joined the mailing list, you were sent an email giving you that URL, and telling you what to post.  The "man radiusd" page tells you to run "radiusd -X".  The documentation on the main web site tells you to use "radiusd -X".  We say this almost daily on the mailing list.
> 
>  So... WHY are you ignoring all of the documentation?
> 
>> On top of that I have problems with accounting, it seems like the NAS doesn’t like Gigawords - quite often it reports 4GB up and down. It happens more often when the session is longer rather than shorter. Is there any fix available on the Freeradius side? Ubiquiti claims https://help.ubnt.com/hc/en-us/articles/115005255907-UniFi-Hotspot-RADIUS-Attributes their APs should be working with this attribute. The NAS is a Unifi AP AC Pro.
> 
>  Ask the NAS vendor how their equipment works.
> 
>> So, where do I need to troubleshoot, Freeradius or NAS? While looking at tcpdump on port 1812 I can see lengthy negotiation: multiple access requests and access challenges (12 times) followed finally by access accept... I don't know how many requests and challenges should be there.
> 
>  If you get an Access-Accept, why do you care how many packets there are?
> 
>  If you really want to know how many packets there *should* be, then read the documentation / specifications for EAP.  But given the avoidance of all documentation, I guess that won't happen.
> 
>  Alan DeKok.
> 
> 
> 
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
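
Background for the Gigawords question in this thread, as an added example that is not part of the original messages: RFC 2869 defines Acct-Input-Gigawords and Acct-Output-Gigawords as the number of times the matching 32-bit octet counter has wrapped, so a session's byte total is gigawords * 2^32 + octets. The Python below rebuilds that total across a session's accounting updates and flags updates where the octet counter went backwards without the Gigawords value rising; the `Update` record shape and all sample values are constructed for illustration.

```python
from dataclasses import dataclass

WRAP = 1 << 32  # Acct-Input-Octets / Acct-Output-Octets are 32-bit counters


@dataclass
class Update:
    """One direction of one accounting update (constructed record shape)."""
    octets: int      # Acct-Input-Octets or Acct-Output-Octets
    gigawords: int   # matching Acct-*-Gigawords, 0 when the NAS omits it


def total_bytes(u: Update) -> int:
    """64-bit byte count: number of wraps times 2^32, plus the low counter."""
    return u.gigawords * WRAP + u.octets


def audit_session(updates):
    """Walk a session's updates in order; return (totals, findings)."""
    totals, findings, prev = [], [], None
    for i, u in enumerate(updates):
        if not 0 <= u.octets < WRAP:
            findings.append((i, "octets outside 32-bit range"))
        if prev is not None:
            if u.gigawords == prev.gigawords and u.octets < prev.octets:
                # Low counter went backwards with no recorded wrap.
                findings.append((i, "octets wrapped, gigawords unchanged"))
            elif total_bytes(u) < total_bytes(prev):
                findings.append((i, "total decreased"))
        totals.append(total_bytes(u))
        prev = u
    return totals, findings


# Constructed sample sessions, not taken from the thread.
CONSISTENT = [Update(3_000_000_000, 0), Update(4_100_000_000, 0),
              Update(200_000_000, 1)]
MISSING_WRAP = [Update(3_000_000_000, 0), Update(4_100_000_000, 0),
                Update(200_000_000, 0)]

if __name__ == "__main__":
    for name, session in (("consistent", CONSISTENT),
                          ("missing wrap", MISSING_WRAP)):
        print(name, audit_session(session))
```
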


