issues with radius proxy settings

Prem Khanal prem.khanal at n4l.co.nz
Wed Aug 28 23:29:58 CEST 2019


Hi Alan,

Thanks for the reply. I went through the documentation of robust proxy
accounting again. Here is my problem:

1. When I start freeradius -X, I can see the virtual servers are started
(log snippet below).

===================
radiusd: #### Loading Virtual Servers ####
server { # from file /etc/freeradius/radiusd.conf
} # server
server default { # from file /etc/freeradius/sites-enabled/default
 # Loading authenticate {...}
 # Loading authorize {...}
Ignoring "sql" (see raddb/mods-available/README.rst)
Ignoring "ldap" (see raddb/mods-available/README.rst)
 # Loading preacct {...}
 # Loading accounting {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
} # server default
server acct_detail.example.com { # from file
/etc/freeradius/sites-enabled/robust-proxy-accounting
 # Loading accounting {...}
} # server acct_detail.example.com
server home.example.com { # from file
/etc/freeradius/sites-enabled/robust-proxy-accounting
 # Loading accounting {...}
 # Loading post-proxy {...}
} # server home.example.com
server inner-tunnel { # from file /etc/freeradius/sites-enabled/inner-tunnel
 # Loading authenticate {...}
 # Loading authorize {...}
 # Loading session {...}
 # Loading post-proxy {...}
 # Loading post-auth {...}
 # Skipping contents of 'if' as it is always 'false' --
/etc/freeradius/sites-enabled/inner-tunnel:336
} # server inner-tunnel
radiusd: #### Opening IP addresses and Ports ####
listen {
        type = "auth"
        ipaddr = *
        port = 0
   limit {
=====================

FreeRADIUS starts successfully and starts accepting packets from the RADIUS
client.

=============
(0) Received Accounting-Request Id 97 from 172.30.248.99:44770 to
172.30.248.5:1813 length 363
(0)   Acct-Session-Id = "5D66EC5E-D6CCD401"
(0)   Framed-IP-Address = 172.20.1.76
(0)   Acct-Multi-Session-Id = "187c0b8a939c843835c4234f5d66ec5e0129"
(0)   Acct-Link-Count = 3
(0)   Acct-Status-Type = Interim-Update
(0)   Acct-Authentic = RADIUS
(0)   User-Name = "AP274 at haeata.school.nz"
(0)   NAS-IP-Address = 10.1.1.10
(0)   NAS-Identifier = "18-7C-0B-8A-93-9C"
(0)   NAS-Port = 2
(0)   Called-Station-Id = "18-7C-0B-8A-93-9C:N4L"
(0)   Calling-Station-Id = "84-38-35-C4-23-4F"
(0)   NAS-Port-Type = Wireless-802.11
(0)   Connect-Info = "CONNECT 802.11a/n"
(0)   Event-Timestamp = "Aug 29 2019 09:25:26 NZST"
(0)   Class = 0x436f6e74656e7446696c7465722d536e7253747564656e74
(0)   Ruckus-SSID = "N4L"
(0)   Ruckus-BSSID = 0x187c0b8a939c
(0)   Ruckus-VLAN-ID = 999
(0)   Ruckus-SCG-CBlade-IP = 167837962
(0)   Ruckus-SCG-DBlade-IP = 167838210
(0)   Acct-Input-Packets = 86281
(0)   Acct-Output-Packets = 145596
(0)   Acct-Input-Octets = 6184672
(0)   Acct-Output-Octets = 143477035
(0)   Ruckus-Sta-RSSI = 28
(0)   Acct-Session-Time = 1253
(0)   Proxy-State = 0x323431
(0) # Executing section preacct from file
/etc/freeradius/sites-enabled/default
(0)   preacct {
(0)     [preprocess] = ok
(0)     policy acct_unique {
(0)       update request {
(0)         &Tmp-String-9 := "ai:"
(0)       } # update request = noop
(0)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i)) {
(0)       EXPAND %{hex:&Class}
(0)          --> 436f6e74656e7446696c7465722d536e7253747564656e74
(0)       EXPAND ^%{hex:&Tmp-String-9}
(0)          --> ^61693a
(0)       if (("%{hex:&Class}" =~ /^%{hex:&Tmp-String-9}/) &&
("%{string:&Class}" =~ /^ai:([0-9a-f]{32})/i))  -> FALSE
(0)       else {
(0)         update request {
(0)           EXPAND
%{md5:%{User-Name},%{Acct-Session-ID},%{%{NAS-IPv6-Address}:-%{NAS-IP-Address}},%{NAS-Identifier},%{NAS-Port-ID},%{NAS-Port}}
(0)              --> 996c8986a23a1c489994ebe28d72f78e
(0)           &Acct-Unique-Session-Id := 996c8986a23a1c489994ebe28d72f78e
(0)         } # update request = noop
(0)       } # else = noop
(0)     } # policy acct_unique = noop
(0)     [files] = noop
(0)   } # preacct = ok
(0) # Executing section accounting from file
/etc/freeradius/sites-enabled/default
(0)   accounting {
(0) detail: EXPAND
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
(0) detail:    --> /var/log/freeradius/radacct/172.30.248.99/detail-20190829
(0) detail:
/var/log/freeradius/radacct/%{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}}/detail-%Y%m%d
expands to /var/log/freeradius/radacct/172.30.248.99/detail-20190829
(0) detail: EXPAND %t
(0) detail:    --> Thu Aug 29 09:26:24 2019
(0)     [detail] = ok
(0)     [unix] = noop
(0)     [exec] = noop
(0) attr_filter.accounting_response: EXPAND %{User-Name}
(0) attr_filter.accounting_response:    --> AP274 at haeata.school.nz
(0) attr_filter.accounting_response: Matched entry DEFAULT at line 12
(0)     [attr_filter.accounting_response] = updated
(0)   } # accounting = updated
(0) Sent Accounting-Response Id 97 from 172.30.248.5:1813 to
172.30.248.99:44770 length 0
(0)   Proxy-State = 0x323431
(0) Finished request
(0) Cleaning up request packet ID 97 with timestamp +28
Ready to process requests
===================================

It doesn't forward accounting packets to the home servers specified in the
robust-proxy-accounting configuration. Nor could I see any logs that
would provide some hint as to what is wrong with my configuration.


Regards
Prem


On Tue, Aug 27, 2019 at 12:57 AM Alan DeKok <aland at deployingradius.com>
wrote:

> On Aug 26, 2019, at 2:52 AM, Prem Khanal <prem.khanal at n4l.co.nz> wrote:
> >
> > Hi Alan,
> >
> > Thanks for the reply. I have been trying to configure robust proxy
> > accounting following the steps in
> > https://networkradius.com/doc/3.0.10/raddb/sites-available/robust-proxy-accounting.html.
> > I have only changed the IP and secret of a home server to test if the
> > configuration is working. But the proxy is not happening, meaning the
> > accounting packets are not forwarded to the home server.
>
>   And what does the debug output say?
>
>   This isn't difficult.
>
> > Then I tried
> >
> > nmap -sU -p 1813 <home server IP>
> >
> > which returned a success
>
>   Which is entirely useless.  And, a waste of your time.
>
>   If you're going to debug a RADIUS server, then debug the *RADIUS
> SERVER*.  Don't run random other tools.
>
>   The documentation is EXTREMELY CLEAR on how to debug a FreeRADIUS
> configuration.  NOTHING in the documentation says to run "nmap".
>
> > I believe I have added the relevant services to sites-enabled and
> > mods-enabled ( attached are the screen shots ).
>
>   Stop wasting our time.
>
>   The documentation says DO NOT POST THE CONFIGURATION.  The documentation
> also says DO NOT POST SCREEN SHOTS.
>
>   Honestly, I have no idea why *anyone* would think it's a good idea to
> post images of text.  Is cut & paste too difficult?
>
> > strace -Ff -tt freeradius -X 2>&1 | tee strace-freeradius.log
>
>   That's also a waste of your time.  Why "strace?"
>
> > and when checking the log file I couldn't see any attempt to communicate
> > with the home server specified in robust-proxy-accounting configuration
> > file. The only entry I found for proxy is (not sure what this means)
> >
> > [pid 36713] 18:23:42.431513 write(1, "(2)   Proxy-State = 0x3334\n", 27(2)   Proxy-State = 0x3334
>
>   The Wiki has clear instructions for how to read and understand the debug
> output:
>
> http://wiki.freeradius.org/radiusd-X
>
> > Do I need to update default file to make robust proxy work? All other
> > settings are default.  Kindly guide me if I am missing some configuration.
>
>   I've spent 20 years writing TONS of documentation for the server.
> Pretty much everything you're trying to do is extensively documented.
>
>   So yes, I *tried* to guide you by writing that documentation.  Why are
> you ignoring the documentation?
>
>   Alan DeKok.



-- 
Cheers
Prem
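
An added example (not part of the original message and not FreeRADIUS project code): a small Python parser for `radiusd -X` output that reports, per request, which virtual-server file each section ran from, what each module returned, which detail file was written, and where packets were sent. The sample lines are constructed from the debug output quoted above with hard-wrapped lines rejoined; treating a `Sent` packet to an address other than the original client as evidence of proxying is an assumption of this example.

```python
import re

# Constructed sample: lines taken from the radiusd -X output in the message
# above, with hard-wrapped lines rejoined and attribute lines omitted.
SAMPLE = """\
(0) Received Accounting-Request Id 97 from 172.30.248.99:44770 to 172.30.248.5:1813 length 363
(0) # Executing section preacct from file /etc/freeradius/sites-enabled/default
(0)     [preprocess] = ok
(0)     [files] = noop
(0) # Executing section accounting from file /etc/freeradius/sites-enabled/default
(0) detail:    --> /var/log/freeradius/radacct/172.30.248.99/detail-20190829
(0)     [detail] = ok
(0)     [attr_filter.accounting_response] = updated
(0) Sent Accounting-Response Id 97 from 172.30.248.5:1813 to 172.30.248.99:44770 length 0
(0) Finished request
"""

PKT = re.compile(r"^\((\d+)\) (Received|Sent) (\S+) Id \d+ from (\S+):\d+ to (\S+):\d+")
SECTION = re.compile(r"^\((\d+)\) # Executing section (\S+) from file (\S+)")
MODULE = re.compile(r"^\((\d+)\)\s+\[([\w.-]+)\] = (\w+)")
DETAIL = re.compile(r"^\((\d+)\) detail:\s+--> (/\S+)")

def summarize(log):
    """Map each request number in radiusd -X output to what happened to it."""
    reqs = {}
    for line in log.splitlines():
        m = PKT.match(line) or SECTION.match(line) or MODULE.match(line) or DETAIL.match(line)
        if not m:
            continue
        r = reqs.setdefault(int(m[1]), {"client": None, "sections": [],
                                        "modules": [], "detail": [], "sent_to": []})
        if m.re is PKT and m[2] == "Received":
            r["client"] = m[4]                      # address the request came from
        elif m.re is PKT:
            r["sent_to"].append((m[3], m[5]))       # (packet type, destination address)
        elif m.re is SECTION:
            r["sections"].append((m[2], m[3]))      # (section, virtual-server file)
        elif m.re is MODULE:
            r["modules"].append((m[2], m[3]))       # (module, return code)
        else:
            r["detail"].append(m[2])                # expanded detail file path
    for r in reqs.values():
        # Assumption of this example: a proxied request shows a "Sent" packet
        # addressed to something other than the client it was received from.
        r["proxied"] = any(dst != r["client"] for _, dst in r["sent_to"])
    return reqs

if __name__ == "__main__":
    for num, r in summarize(SAMPLE).items():
        print(num, "proxied:", r["proxied"], "detail:", r["detail"], "sent to:", r["sent_to"])
```

For the request shown in the message, the summary lists only the `default` virtual server's sections, one detail file under the client's address, and a single response back to the client.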

