Freeradius + VYOS -> Duplicate Reply

Hannibal Smith

Good morning everyone,

I have a small problem here with FreeRADIUS in combination with VyOS.
A PPPoE server runs on the VyOS, which is supposed to authenticate the requests via RADIUS.
VyOS and FreeRADIUS are in a shared network and can also reach each other via ping.
FreeRADIUS does receive the requests from the VyOS and answers them as follows:
Code:
(0) Received Access-Request Id 1 from 172.16.16.1:45291 to 172.16.16.2:1812 length 101
(0)   User-Name = "PPPoE"
(0)   NAS-Port-Type = Virtual
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   Calling-Station-Id = "0c:db:d1:07:00:00"
(0)   Called-Station-Id = "0c:12:54:53:00:04"
(0)   User-Password = "password"
(0) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(0)   authorize {
(0)     policy filter_username {
(0)       if (&User-Name) {
(0)       if (&User-Name)  -> TRUE
(0)       if (&User-Name)  {
(0)         if (&User-Name =~ / /) {
(0)         if (&User-Name =~ / /)  -> FALSE
(0)         if (&User-Name =~ /@[^@]*@/ ) {
(0)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(0)         if (&User-Name =~ /\.\./ ) {
(0)         if (&User-Name =~ /\.\./ )  -> FALSE
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(0)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(0)         if (&User-Name =~ /\.$/)  {
(0)         if (&User-Name =~ /\.$/)   -> FALSE
(0)         if (&User-Name =~ /@\./)  {
(0)         if (&User-Name =~ /@\./)   -> FALSE
(0)       } # if (&User-Name)  = notfound
(0)     } # policy filter_username = notfound
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "PPPoE", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry PPPoE at line 1
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
(0)     [pap] = updated
(0)   } # authorize = updated
(0) Found Auth-Type = PAP
(0) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(0)   Auth-Type PAP {
(0) pap: Login attempt with password
(0) pap: Comparing with "known good" Cleartext-Password
(0) pap: User authenticated successfully
(0)     [pap] = ok
(0)   } # Auth-Type PAP = ok
(0) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 1 from 172.16.16.2:1812 to 172.16.16.1:45291 length 0
(0)   Service-Type = Framed-User
(0)   Framed-Protocol = PPP
(0)   Framed-IP-Address = 100.64.0.1
(0)   Framed-IP-Netmask = 255.255.255.255
(0)   Delegated-IPv6-Prefix = "IPv6 Prefix /64"
(0)   Framed-IPv6-Prefix = "IPv6 Prefix /64"
(0) Finished request
Waking up in 4.9 seconds.
(0) Sending duplicate reply to client BNG2 port 45291 - ID: 1
Waking up in 7.0 seconds.
(0) Sending duplicate reply to client BNG2 port 45291 - ID: 1
Waking up in 14.0 seconds.
Here are the corresponding messages in the VyOS log:
Code:
May  9 08:25:42 vyos accel-pppoe: eth4.3331: recv [PPPoE PADI 0c:db:d1:07:00:00 => ff:ff:ff:ff:ff:ff sid=0000 <Host-Uniq 8b015500> <Service-Name > <PPP-Max-Payload 1492>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331: send [PPPoE PADO 0c:12:54:53:00:04 => 0c:db:d1:07:00:00 sid=0000 <AC-Name vyos-ac> <Service-Name > <AC-Cookie 854b2cb2cfac3ff1fa39fa5118491e13bc803530ec0ac3a8> <Host-Uniq 8b015500> <PPP-Max-Payload 1492>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331: recv [PPPoE PADR 0c:db:d1:07:00:00 => 0c:12:54:53:00:04 sid=0000 <Host-Uniq 8c015500> <Service-Name > <PPP-Max-Payload 1492> <AC-Cookie 854b2cb2cfac3ff1fa39fa5118491e13bc803530ec0ac3a8>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331: send [PPPoE PADS 0c:12:54:53:00:04 => 0c:db:d1:07:00:00 sid=3800 <AC-Name vyos-ac> <Service-Name > <Host-Uniq 8c015500>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [LCP ConfReq id=c5 <auth CHAP-md5> <mru 1492> <magic 536a6d43>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: recv [LCP ConfReq id=1f <mru 1480> <magic c4800b6d>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [LCP ConfNak id=1f <mru 1492>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: recv [LCP ConfNak id=c5 <auth PAP>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [LCP ConfReq id=c6 <auth PAP> <mru 1492> <magic 536a6d43>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: recv [LCP ConfReq id=20 <mru 1492> <magic c4800b6d>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [LCP ConfAck id=20]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: recv [LCP ConfAck id=c6 <auth PAP> <mru 1492> <magic 536a6d43>]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: recv [PAP AuthReq id=5d]
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:db:d1:07:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xa91cdfb2f1f8cf2d74abfbbbd7b26e29>]
May  9 08:25:45 vyos accel-pppoe: eth4.3331:: recv [PAP AuthReq id=5e]
May  9 08:25:45 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:db:d1:07:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xa91cdfb2f1f8cf2d74abfbbbd7b26e29>]
May  9 08:25:48 vyos accel-pppoe: eth4.3331:: recv [PAP AuthReq id=5f]
May  9 08:25:48 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:db:d1:07:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xa91cdfb2f1f8cf2d74abfbbbd7b26e29>]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: recv [PAP AuthReq id=60]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: radius: server(1) not responding
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: radius: no available servers
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: send [PAP AuthNak id=5d "Authentication failed"]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:PPPoE: PPPoE: authentication failed
May  9 08:25:51 vyos accel-pppoe: PPPoE: authentication failed
May  9 08:25:51 vyos accel-pppoe: eth4.3331:PPPoE: send [LCP TermReq id=200]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:PPPoE: recv [LCP TermReq id=21]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:PPPoE: send [LCP TermAck id=33]
May  9 08:25:51 vyos accel-pppoe: eth4.3331: send [PPPoE PADT 0c:12:54:53:00:04 => 0c:db:d1:07:00:00 sid=3800 <AC-Name vyos-ac> <Service-Name >]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: disconnected
And here is the config of the PPPoE server:
Code:
vyos@vyos# show service pppoe-server
 authentication {
     mode radius
     protocols chap
     protocols pap
     radius {
         rate-limit {
             enable
         }
         server 172.16.16.2 {
             disable-accounting
             key "secret"
         }
         source-address 172.16.16.1
     }
 }
 client-ip-pool {
     subnet 192.168.0.0/30
 }
 gateway-address "Gateway für die PPPoE Clients"
 interface eth4 {
     vlan-id 1
     vlan-range 1-4093
 }
 ppp-options {
     ipv6 allow
 }
This is only a test setup, but it should work like this; we have it in operation elsewhere with the same config. Unfortunately I don't really know how to proceed right now. VyOS is on version 1.3.1.

Do you perhaps have an idea, or just some pointers?
 
Update: I have found a "solution".
The environment described above was built in GNS3, except for the RADIUS server.
And although the RADIUS server and the VyOS(es) could ping each other, it now works after I moved the RADIUS server into GNS3 as well.
At least the config and everything else stayed the same; no idea what was going on there.
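A small diagnostic for the symptom visible in the two logs above, added here as an example and not part of the original post or of either project: it correlates FreeRADIUS and accel-ppp lines by RADIUS packet Id and reports which leg of the exchange is losing packets. The sample log lines are trimmed copies of those quoted in the post; the function and pattern names are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample: trimmed copies of the FreeRADIUS and accel-ppp lines quoted in the post.
FREERADIUS_LOG = """\
(0) Received Access-Request Id 1 from 172.16.16.1:45291 to 172.16.16.2:1812 length 101
(0) Sent Access-Accept Id 1 from 172.16.16.2:1812 to 172.16.16.1:45291 length 0
(0) Sending duplicate reply to client BNG2 port 45291 - ID: 1
(0) Sending duplicate reply to client BNG2 port 45291 - ID: 1
"""
ACCEL_LOG = """\
May  9 08:25:42 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE">]
May  9 08:25:45 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE">]
May  9 08:25:48 vyos accel-pppoe: eth4.3331:: send [RADIUS(1) Access-Request id=1 <User-Name "PPPoE">]
May  9 08:25:51 vyos accel-pppoe: eth4.3331:: radius: server(1) not responding
"""

# Server side: request seen, reply sent, reply re-sent because the same Id arrived again.
SRV_RX = re.compile(r"Received Access-Request Id (\d+)")
SRV_TX = re.compile(r"Sent Access-(?:Accept|Reject) Id (\d+)")
SRV_DUP = re.compile(r"Sending duplicate reply to client \S+ port \d+ - ID: (\d+)")
# NAS side (accel-ppp): every retransmission reuses the packet Id, then it gives up.
NAS_TX = re.compile(r"send \[RADIUS\(\d+\) Access-Request id=(\d+)")
NAS_TIMEOUT = re.compile(r"radius: server\(\d+\) not responding")

def diagnose(server_log, nas_log):
    """Correlate both logs by RADIUS packet Id and name the leg that loses packets."""
    srv = defaultdict(lambda: {"rx": 0, "tx": 0, "dup": 0})
    nas_sent = defaultdict(int)
    nas_gave_up = False
    for line in server_log.splitlines():
        for key, rx in (("rx", SRV_RX), ("tx", SRV_TX), ("dup", SRV_DUP)):
            if m := rx.search(line):
                srv[int(m.group(1))][key] += 1
    for line in nas_log.splitlines():
        if m := NAS_TX.search(line):
            nas_sent[int(m.group(1))] += 1
        elif NAS_TIMEOUT.search(line):
            nas_gave_up = True
    verdicts = {}
    for pid, sent in nas_sent.items():
        s = srv.get(pid)
        if s is None or s["rx"] == 0:
            verdicts[pid] = "request never reached server: check NAS -> server path"
        elif s["tx"] and sent > 1 and (s["dup"] or nas_gave_up):
            verdicts[pid] = "server answered but reply never reached NAS: check server -> NAS path"
        else:
            verdicts[pid] = "ok"
    return verdicts
```

For the logs in this thread the verdict is the second one: FreeRADIUS received Id 1 and answered it twice more, while accel-ppp never saw any reply and declared the server not responding, which points at the return path rather than at the RADIUS configuration.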
 
Thanks for posting this in a dead thread. I didn't have a solution, but I found the problem interesting.
 
...not sure whether the thanks was ironic, but that's what forums are for, to exchange experiences etc.
 
100% serious. Otherwise I wouldn't have clicked "follow" here.
 