Ubuntu – Freeradius is ignoring Packets


Currently I'm installing a Cisco ASR1k as a PPPoE BRAS.

I'm using freeradius as authentication service.
The setup is an Ubuntu 14.04LTS with a quite outdated freeradius 2.1.12 installed via APT.

freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03

I'm running freeradius on an IPv6 socket.

The issue is that radius packets sent from the Cisco LAC Router are completely ignored and quite discarded. Running freeradius in -X debug mode only shows the message "Ready to process requests." being repeated about every 10 seconds.

TCPDUMP shows that Access request packets are being received, but not answered.

21:49:13.619711 IP6 2001:4cd8::X.21646 > 2001:4cd8::Y.1812: RADIUS, Access Request (1), id: 0x14 length: 145
21:49:18.653658 IP6 2001:4cd8::X.21646 > 2001:4cd8::Y.1812: RADIUS, Access Request (1), id: 0x14 length: 145

ufw is disabled, no iptables rules are applied.

Using radtest on localhost is successful as well as configuring an 'automate-tester' on the Cisco Box itself with the same user credentials.

So, I don't think that there is a general fault in the configuration, but it seems that there are some attributes in the original Access-Request packet that cause the freeradius to ignore it completely.

freeradius -X shows absolutely no output.

Below you'll find a complete "debug radius verbose" output of the Cisco ASR, sorry for obfuscating the IPs.

Mar 15 21:08:44.983: RADIUS/ENCODE(00001009):Orig. component type = PPPoE
Mar 15 21:08:44.983: RADIUS: DSL line rate attributes successfully added
Mar 15 21:08:44.983: RADIUS(00001009): Config NAS IP: X.X.X.X
Mar 15 21:08:44.983: RADIUS(00001009): Config NAS IPv6: 2001:4CD8:::X
Mar 15 21:08:44.983: RADIUS/ENCODE(00001009): acct_session_id: 4095
Mar 15 21:08:44.983: RADIUS(00001009): sending
Mar 15 21:08:44.983: RADIUS/ENCODE: Best Local IPv6-Address 2001:4CD8:::X for Radius-Server 2001:4CD8:::Y
Mar 15 21:08:44.983: RADIUS(00001009): Send Access-Request to 2001:4CD8:::Y:1812 id 21646/94, len 145
Mar 15 21:08:44.983: RADIUS:  authenticator E0 41 D9 2A 4B 76 67 34 - CA 07 D2 29 EB 04 56 F1
Mar 15 21:08:44.983: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 15 21:08:44.983: RADIUS:  User-Name           [1]   12  "user-2"
Mar 15 21:08:44.983: RADIUS:  User-Password       [2]   18  *
Mar 15 21:08:44.983: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Mar 15 21:08:44.983: RADIUS:  NAS-Port            [5]   6   0                         
Mar 15 21:08:44.983: RADIUS:  NAS-Port-Id         [87]  12  "0/0/3/1996"
Mar 15 21:08:44.983: RADIUS:  Vendor, Cisco       [26]  41  
Mar 15 21:08:44.983: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=0078.8827.6b03"
Mar 15 21:08:44.983: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 15 21:08:44.983: RADIUS:  NAS-IPv6-Address    [95]  18  2001:4CD8:::X
Mar 15 21:08:44.983: RADIUS(00001009): Sending a IPv6 Radius Packet
Mar 15 21:08:44.983: RADIUS: IPv6 udp send - source address: 2001:4CD8:::X, dest address: 2001:4CD8:::Y
Mar 15 21:08:44.983: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:50.022: RADIUS(00001009): Request timed out! 
Mar 15 21:08:50.023: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:08:50.023: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:55.029: RADIUS(00001009): Request timed out! 
Mar 15 21:08:55.029: %RADIUS-4-RADIUS_DEAD: RADIUS server 2001:4CD8:::Y:1812,1813 is not responding.
Mar 15 21:08:55.029: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:08:55.029: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:55.030: %RADIUS-4-RADIUS_ALIVE: RADIUS server 2001:4CD8:::Y:1812,1813 is being marked alive.
Mar 15 21:09:00.063: RADIUS(00001009): Request timed out! 
Mar 15 21:09:00.063: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:00.063: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:05.105: RADIUS(00001009): Request timed out! 
Mar 15 21:09:05.105: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:05.105: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:10.152: RADIUS(00001009): Request timed out! 
Mar 15 21:09:10.153: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:10.153: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:15.159: RADIUS(00001009): Request timed out! 
Mar 15 21:09:15.159: RADIUS: No response from (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:15.159: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Mar 15 21:09:15.159: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

Any idea how to isolate or to solve this issue?

Best Regards
Andreas

Best Answer

If FreeRADIUS is showing absolutely no debug output, then the server is not receiving the packets from the kernel, or you have it listening on the wrong port.

Trace using radsniff -i <interface>. It will show any packets received on UDP ports 1812/1813.

If you see packets, verify netstat -lun | grep 181[23] shows FreeRADIUS is listening on those ports.

Also verify the reverse routing path for the packet is the same interface as it was received on or disable RPS (http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering).
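
The listener check from the answer, as an added example that is not part of the original answer: it parses `netstat -lun` output and reports whether UDP 1812/1813 are bound for the address family the requests arrive on (IPv6 in the question), and whether datagrams are sitting unread in the socket queue. The function names are hypothetical and the sample output is constructed, using the 2001:db8::/32 documentation prefix.

```shell
#!/bin/sh
# Added example; sample netstat output below is constructed.
SAMPLE_V4_ONLY='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp        0      0 0.0.0.0:1812            0.0.0.0:*
udp        0      0 0.0.0.0:1813            0.0.0.0:*
udp        0      0 127.0.0.1:18120         0.0.0.0:*'

SAMPLE_V6='Proto Recv-Q Send-Q Local Address           Foreign Address         State
udp6    4352      0 2001:db8::10:1812       :::*
udp6       0      0 2001:db8::10:1813       :::*'

# radius_listeners: read `netstat -lun` output on stdin and print
# "<proto> <port> <local-address> <recv-q>" for UDP 1812/1813 only.
radius_listeners() {
    awk '$1 ~ /^udp6?$/ {
        addr = $4
        port = addr; sub(/.*:/, "", port)   # text after the last colon
        sub(/:[0-9]+$/, "", addr)           # strip the trailing ":port"
        if (port == "1812" || port == "1813")
            print $1, port, addr, $2
    }'
}

# missing_ports <udp|udp6>: print the RADIUS ports that have no listener of
# that family. Empty output means auth and accounting are both bound.
missing_ports() {
    radius_listeners | awk -v fam="$1" '
        $1 == fam { seen[$2] = 1 }
        END {
            out = ""; sep = ""
            if (!("1812" in seen)) { out = out sep "1812"; sep = " " }
            if (!("1813" in seen)) { out = out sep "1813" }
            print out
        }'
}

# backlog: print "<port>:<recv-q>" for listeners with a non-zero Recv-Q,
# i.e. the kernel queued datagrams that the daemon has not read yet.
backlog() {
    radius_listeners | awk '$4 > 0 { print $2 ":" $4 }'
}

# An IPv4-only bind never receives IPv6 requests:
printf '%s\n' "$SAMPLE_V4_ONLY" | missing_ports udp6   # prints: 1812 1813
```

On a live host, run `netstat -lun | missing_ports udp6` and `netstat -lun | backlog` after defining the functions.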
