Discussion:
DHCP howto
Igor Smitran
2013-02-15 10:52:07 UTC
What would need to be done in dhcp setup in order to have
radusergroup/radcheck/radreply/radacct-alike behavior?

I am trying to make it work with cable equipment (CM, MTA, CPE) but I am
not sure how to start. CM and MTA would have static IP addresses (SQL
preferred because of additional replies: boot-file, dns, gateway etc.) and
CPEs would have dynamic IP addresses assigned.

I am willing to do some serious tests and get back with results because
if everything works OK I would switch to freeradius from standard ISC dhcpd.

Thank you
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Phil Mayers
2013-02-15 13:17:47 UTC
Post by Igor Smitran
What would need to be done in dhcp setup in order to have
radusergroup/radcheck/radreply/radacct-alike behavior?
As far as I can tell:

1. Figure out the SQL queries that return the "check/reply" and group
items you want for the values in the DHCP packet
2. Configure those queries on an instance of the SQL module
3. Use the config:

dhcp ... {
    ...
    # do radcheck/radreply
    sql.authorize
    ...
    # do radacct-like behaviour
    sql.accounting
}

The latter is necessary because "dhcp" blocks are post-auth blocks
internally, so you need to specify that you want "authorize" not
post-auth behaviour.
Post by Igor Smitran
I am trying to make it work with cable equipment (CM, MTA, CPE) but I am
not sure how to start. CM and MTA would have static IP addresses (SQL
preferred because of additional replies: boot-file, dns, gateway etc.) and
CPEs would have dynamic IP addresses assigned.
Dynamic IP assignment might require the sqlippool module; the server
comes with examples for this.
Alan DeKok
2013-02-15 13:43:40 UTC
Duane Cox
2013-02-15 14:48:44 UTC
I am working on this as well.

I have a spare CMTS, cable modems, and linux box next to me, with the intention of replacing ISC dhcp with freeradius (as freeradius already does the auth on the cablemodems).

I've managed to get parts of it working, and will be spending some more time on it to finish it up.
If interested, let's try to consolidate and document the efforts.

Duane


Alan DeKok
2013-02-15 19:50:33 UTC
Post by Duane Cox
I've managed to get parts of it working, and will be spending some more time on it to finish it up.
If interested, let's try to consolidate and document the efforts.
Any configuration changes / additions can make it into the next
release. Send them over, and I'll add them in.

The Wiki could also be updated to add DHCP howto's

Alan DeKok.
Igor Smitran
2013-02-19 08:32:08 UTC
During a debug session (radiusd -X), besides other things, I can see this:

DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-NTP-Servers
DHCP-Parameter-Request-List = DHCP-Domain-Name-Server
DHCP-Parameter-Request-List = DHCP-Log-Server
DHCP-Parameter-Request-List = DHCP-Domain-Name
DHCP-Parameter-Request-List = DHCP-Renewal-Time
DHCP-Parameter-Request-List = DHCP-Rebinding-Time
DHCP-Parameter-Request-List = DHCP-NETBIOS-Name-Servers
DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name

But when I call an exec script (PHP for example), this array only contains
the last key:

DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name

It is logical that those values will be overwritten but...

Is there a way to work around this problem?
Igor Smitran
2013-02-19 15:22:19 UTC
Post by Alan DeKok
Use +=, not =
Alan DeKok.
Request from client is this:

DHCP-Parameter-Request-List = DHCP-Subnet-Mask
DHCP-Parameter-Request-List = DHCP-Router-Address
DHCP-Parameter-Request-List = DHCP-NTP-Servers

Freeradius puts everything into ENV. Because of the same key only last
value is used, other ones are overwritten.
So, ENV in this example will have only this:

DHCP-Parameter-Request-List = DHCP-NTP-Servers

The PHP script will only be able to read that the client asked for the
DHCP-NTP-Servers value.
Is this a PHP error or a Freeradius error?
Or am I missing something?

Igor
Alan DeKok
2013-02-19 16:43:54 UTC
Post by Igor Smitran
Freeradius puts everything into ENV.
For running external scripts.
Post by Igor Smitran
Because of the same key only last
value is used, other ones are overwritten.
Yes. So don't run a script. Use the policies in the server. Or the
Perl module. Or the Python module. Or the Ruby module.
Post by Igor Smitran
DHCP-Parameter-Request-List = DHCP-NTP-Servers
PHP script will be able to read that client asked only for
DHCP-NTP-Servers value.
This is PHP error or Freeradius error?
Or am i missing something?
There are limitations when running an external script. That's why the
server has plugin modules.

Alan DeKok.
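
Added example, not part of the thread and not FreeRADIUS code: the sketch below models why a script that reads its attributes from the environment sees only the last DHCP-Parameter-Request-List value, and how a handler that receives the request as (attribute, value) pairs can answer every requested option. The pair-list input shape, the option table and all addresses are assumptions constructed for illustration.

```python
# Added example with constructed data; not FreeRADIUS code.

LIST_ATTR = "DHCP-Parameter-Request-List"

# Constructed request, mirroring the debug output quoted in the thread.
REQUEST_PAIRS = (
    ("DHCP-Message-Type", "DHCP-Discover"),
    (LIST_ATTR, "DHCP-Subnet-Mask"),
    (LIST_ATTR, "DHCP-Router-Address"),
    (LIST_ATTR, "DHCP-NTP-Servers"),
)

# Hypothetical per-device options, e.g. the result of an SQL lookup.
# No NTP server is configured; a DNS server is configured but not requested.
DEVICE_OPTIONS = {
    "DHCP-Subnet-Mask": "255.255.255.0",
    "DHCP-Router-Address": "192.0.2.1",
    "DHCP-Domain-Name-Server": "192.0.2.53",
}


def as_environment(pairs):
    """Model an environment: one value per name, so a repeated name keeps
    only the value written last."""
    env = {}
    for name, value in pairs:
        env[name] = value
    return env


def requested_options(pairs):
    """Every value of the request list, in request order, without repeats."""
    wanted = []
    for name, value in pairs:
        if name == LIST_ATTR and value not in wanted:
            wanted.append(value)
    return wanted


def build_reply(pairs, options):
    """Reply pairs for the options that were both requested and configured."""
    return [(opt, options[opt])
            for opt in requested_options(pairs) if opt in options]


if __name__ == "__main__":
    env_view = tuple(as_environment(REQUEST_PAIRS).items())
    print("script sees  :", requested_options(env_view))
    print("script reply :", build_reply(env_view, DEVICE_OPTIONS))
    print("handler sees :", requested_options(REQUEST_PAIRS))
    print("handler reply:", build_reply(REQUEST_PAIRS, DEVICE_OPTIONS))
```

With this sample the environment view yields an empty reply, because the only surviving request is for an option the device has no value for.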
Alan DeKok
2013-02-19 14:41:15 UTC
Igor Smitran wrote:
...
Post by Igor Smitran
But when I call an exec script (PHP for example), this array only contains
DHCP-Parameter-Request-List = DHCP-TFTP-Server-Name
It is logical that those values will be overwritten but...
Is there a way to work around this problem?
Use +=, not =

Alan DeKok.
Igor Smitran
2013-02-21 14:50:31 UTC
1. In sqlippool.conf is stated:

################################################################
#
# WARNING: MySQL has certain limitations that means it can
# hand out the same IP address to 2 different users.
#
# We suggest using an SQL DB with proper transaction
# support, such as PostgreSQL, or using MySQL
# with InnoDB.
#
################################################################

Does this mean that the only thing needed is to create InnoDB tables? Will
the module use transactions automatically?

2. Is freeradius ready to work as dhcp server for IPv6? Would it be
enough to insert some new words into dictionary and change configuration
appropriately?

Igor
Alan DeKok
2013-02-21 18:56:04 UTC
Post by Igor Smitran
Does this mean that the only thing needed is to create InnoDB tables? Will
the module use transactions automatically?
Yes.
Post by Igor Smitran
2. Is freeradius ready to work as dhcp server for IPv6? Would it be
enough to insert some new words into dictionary and change configuration
appropriately?
It doesn't do DHCPv6. It's possible, but a lot of work.

Alan DeKok.
Igor Smitran
2013-04-03 10:31:10 UTC
Post by Alan DeKok
Post by Igor Smitran
2. Is freeradius ready to work as dhcp server for IPv6? Would it be
enough to insert some new words into dictionary and change configuration
appropriately?
It doesn't do DHCPv6. It's possible, but a lot of work.
Any plans to implement ipv6 support any time soon?

Alan DeKok
2013-04-03 13:14:45 UTC
Post by Igor Smitran
Any plans to implement ipv6 support any time soon?
Sure. Send a patch. :)

There are ways to prioritize DHCPv6 support. One is to ensure that
the current code works, is documented, and gets wide-spread usage.

Alan DeKok.
Łukasz Kopiszka
2013-04-04 13:17:14 UTC
Hi,

I have a strange problem: the host can't receive an IP because it gets
Acct-Status-Type = Stop
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
after one second before:
Acct-Status-Type = Start
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP

short log:

Sending Access-Accept of id 126 to 91.231.70.5 port 1812
Service-Type = Outbound-User
Framed-IP-Address == 91.231.71.17
Acct-Interim-Interval == 300
Service-Type == Outbound-User
Connect-Info == "1"
Port-Limit == 1
DHCP_Max_Leases == 1
Context-Name == "CLIPS"
HTTP-Redirect-Profile-Name == ""
Forward-Policy == "in:CLIPS-DEFAULT"
QOS-Rate-Outbound == "20480"
QOS-Rate-Inbound == "2048"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=223, length=385
User-Name = "00:17:08:2e:76:d2"
Acct-Status-Type = Start
Acct-Session-Id = "0100FFFF7800029F-515D7656"
Service-Type = Outbound-User
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP
NAS-Identifier = "ALFASYSTEM"
NAS-Port = 33619968
NAS-Real-Port = 553649127
NAS-Port-Type = Virtual
NAS-Port-Id = "2/1 vlan-id 999 clips 131743"
Medium-Type = DSL
Mac-Addr = "00-17-08-2e-76-d2"
Platform-Type = SE-100
OS-Version = "6.5.1.5"
Acct-Authentic = RADIUS
Port-Limit = 1
DHCP-Max-Leases = 1
Framed-IP-Address = 91.231.71.17
Source-Validation = Enabled
DHCP-Option = "\014\014\004alfa"
Acct-Interim-Interval = 600
Forward-Policy = "in:CLIPS-DEFAULT"
QOS-Rate-Outbound = "20480:0:0"
QOS-Rate-Inbound = "2048:0:0"
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Event-Timestamp = "Apr 4 2013 14:47:18 CEST" << start

rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=224, length=603
User-Name = "00:17:08:2e:76:d2"
Acct-Status-Type = Stop
Acct-Session-Id = "0100FFFF7800029F-515D7656"
Service-Type = Outbound-User
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
NAS-Identifier = "ALFASYSTEM"
NAS-Port = 33619968
NAS-Real-Port = 553649127
NAS-Port-Type = Virtual
NAS-Port-Id = "2/1 vlan-id 999 clips 131743"
Medium-Type = DSL
Mac-Addr = "00-17-08-2e-76-d2"
Platform-Type = SE-100
OS-Version = "6.5.1.5"
Acct-Authentic = RADIUS
Port-Limit = 1
DHCP-Max-Leases = 1
Framed-IP-Address = 91.231.71.17
Source-Validation = Enabled
DHCP-Option = "\014\014\004alfa"
Acct-Session-Time = 1
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Acct-Input-Packets-64 = 0x0000000000000000
Acct-Output-Packets-64 = 0x0000000000000000
Acct-Input-Octets-64 = 0x0000000000000000
Acct-Output-Octets-64 = 0x0000000000000000
Acct-Mcast-In-Packets = 0
Acct-Mcast-Out-Packets = 0
Acct-Mcast-In-Octets = 0
Acct-Mcast-Out-Octets = 0
Acct-Mcast-In-Packets-64 = 0x0000000000000000
Acct-Mcast-Out-Packets-64 = 0x0000000000000000
Acct-Mcast-In-Octets-64 = 0x0000000000000000
Acct-Mcast-Out-Octets-64 = 0x0000000000000000
Acct-Interim-Interval = 600
Forward-Policy = "in:CLIPS-DEFAULT"
QOS-Rate-Outbound = "20480:0:0"
QOS-Rate-Inbound = "2048:0:0"
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Event-Timestamp = "Apr 4 2013 14:47:19 CEST" << stop after 1 second!

full log: http://pastebin.com/HTYxdg1B

Everything was working great until I changed something but I don't
remember what it was :)
--
Regards,
Łukasz Kopiszka
tel. 694-212-718
www.alfa-system.pl

Phil Mayers
2013-04-04 13:29:43 UTC
Mulindwa
2013-04-04 13:36:58 UTC
Hi All,

Have been trying to authenticate my ADSL users using Mac Address Auth, however I have failed even after going through the documentation.

I want to authenticate with the highlighted, anyone done this and can help?

Thanx

This is how the accounting file looks;

User-Name = "***@ut3"
        Acct-Status-Type = Interim-Update
        Acct-Session-Id = "0202FFFF6800C44B-515D1107"
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Acct-Update-Reason = AAA_LOAD_ACCT_PERIODIC
        NAS-Identifier = "UT-BRAS-EDGE"
        NAS-IP-Address = x.x.x.x
        NAS-Port = 855648779
        NAS-Real-Port = 855638316
        NAS-Port-Type = Virtual
        NAS-Port-Id = "3/3 vlan-id 300 pppoe 10763"
        Medium-Type = DSL
        Mac-Addr = "b4-82-fe-ed-2c-7c"
        Platform-Type = 3
        OS-Version = "6.2.1.9"
        Acct-Authentic = RADIUS
        Ip-Address-Pool-Name = "pool_256"
        Port-Limit = 1
        Client-DNS-Pri = x.x.x.x
        Client-DNS-Sec = x.x.x.x
        Framed-IP-Address = 10.40.141.152
        Acct-Session-Time = 27601
        Acct-Input-Packets = 2756
        Acct-Output-Packets = 2973
        Acct-Input-Octets = 94115
        Acct-Output-Octets = 106491
        Acct-Input-Gigawords = 0
        Acct-Output-Gigawords = 0
        Acct-Input-Packets-64 = 0x0000000000000ac4
        Acct-Output-Packets-64 = 0x0000000000000b9d
        Acct-Input-Octets-64 = 0x0000000000016fa3
        Acct-Output-Octets-64 = 0x0000000000019ffb
        Acct-Mcast-In-Packets = 0
        Acct-Mcast-Out-Packets = 221
        Acct-Mcast-In-Octets = 0
        Acct-Mcast-Out-Octets = 12818
        Acct-Mcast-In-Packets-64 = 0x0000000000000000
        Acct-Mcast-Out-Packets-64 = 0x00000000000000dd
        Acct-Mcast-In-Octets-64 = 0x0000000000000000
        Acct-Mcast-Out-Octets-64 = 0x0000000000003212
        Qos-Policy-Metering = "broadband_256_metering"
        Qos-Policy-Policing = "broadband_256_policing"
        NAT-Policy-Name = "NAT_POLICY1"
        Event-Timestamp = "Apr  4 2013 16:15:05 EAT"
        Acct-Unique-Session-Id = "4f2a5dc771fd3034"
        Timestamp = 1365082454
        Request-Authenticator = Verified


 
Eric M


Alan DeKok
2013-04-04 13:47:42 UTC
Post by Mulindwa
Hi All,
Have been trying to authenticate my ADSL users using Mac Address Auth,
however i have failed even after going through the documentation.
I want to authenticate with the highlighted, anyone done this and can help?
It's been done.
Post by Mulindwa
This is how the accounting file looks;
If you're trying to debug authentication, it helps to look at
*authentication* traffic, and not *accounting* data.

And run the server in debugging mode as suggested in the FAQ, "man"
page, web pages, and daily on this list.

Honestly, there is NO excuse for refusing to do this.

Alan DeKok.
Mulindwa
2013-04-04 13:58:36 UTC
Thanks Alan,

Let me do so.


 
Eric M


Mulindwa
2013-04-04 14:25:55 UTC
Great, I have run the debug and I did get the attribute required.
If I want to fulfill the two conditions, i.e. username/passwd and Mac Address = Attr-2352-145

How would I need to tweak my radiusd.conf file to achieve this?




User-Name = "***@ut3"
   CHAP-Password = "cccddd'"
    CHAP-Challenge = "mmmm"
    Service-Type = Framed-User
    Framed-Protocol = PPP
    NAS-Identifier = "UT-BRAS-EDGE"
    NAS-IP-Address = x.x.x.x
    NAS-Port = 855649483
    NAS_Real_Port = 855638816
    NAS-Port-Type = Virtual
    Attr-87 = "3/3 vlan-id 800 pppoe 11467"
    Medium_Type = 11
    Attr-2352-145 = "5c-7d-5e-3f-d0-f7" ==== MAC Address
    Attr-2352-98 = "3"
    Attr-2352-112 = "6.2.1.9"
    Acct-Session-Id = "0202FFFF68008FC9-515D8419"

 
Eric M


Matthias Nagel
2013-04-04 14:41:49 UTC
Hello,
add the correct check item to your user database. In the case below (User-Name = ***@ut3) you should have the check item
Attr-2352-145 == "5c-7d-5e-3f-d0-f7"
for this specific user in your user database. Then you repeat this for every user/mac-address pair you want.
Best regards, Matthias
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe

Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
e-Mail: ***@gmail.com
ICQ: 499797758
Skype: nagmat84

Mulindwa
2013-04-05 06:07:02 UTC
Thanks Matthias,

I get an error saying: Unknown attribute "Attr-2352-145"

This is how I have it set up


***@ut3      Password = "006060", Simultaneous-Use = 1
        Attr-2352-145 = "5c-7d-5e-3f-d0-f7",
        Service-Type = Framed-User,
        Qos_Policy_Policing = broadband_128_policing,
        Qos_Policy_Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0


 
Eric M


Matthias Nagel
2013-04-05 08:59:30 UTC
Hello Eric,

two remarks. The first one replies to your question, the second is a comment on your user entry.

1) At the moment I believe that you either have a very old FreeRADIUS installation or that you broke your configuration with regard to the dictionary files. "Attr-2352-145" is a Redback attribute (Vendor ID 2352) and means "Mac-Addr" (Attribute ID 145). In my installation (Debian Squeeze, Freeradius 2.1.10) this attribute is already contained in the dictionary files out of the box. Hence, Freeradius should replace all occurrences of "Attr-2352-145" by the more friendly name "Mac-Addr" and one should use that in the user file, too. But if your debug output and your accounting logs show "Attr-2352-145" instead of "Mac-Addr", then Freeradius does not seem to know this attribute, which means something is broken.

2) For a moment ignore the problem about the unknown attribute "Attr-2352-145". Anyway you must use this attribute (or "Mac-Addr") as a check item not as a reply item and the correct operator is "==" not "=". (See my last mail and http://freeradius.org/radiusd/man/users.html). So it must be on the first line. I also doubt that you want Password = "006060", but Cleartext-Password := "006060" instead. Read http://freeradius.org/radiusd/man/users.html.

Matthias
Mulindwa
2013-04-08 11:18:54 UTC
Hi good pple, have been reading on how to enforce the attribute of Mac-Addr and I have not seen it anywhere.

Has anyone done it before, please help throw some light on how I can achieve this.

I want user ***@ut3 with this Mac Address to log in, and if the MAC address is different he will not be granted access.


***@ut3      Cleartext-Password := "eric", Simultaneous-Use := 1
        Mac-Addr = 02-1B-9E-D3-0B-F0,
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

 
Eric M


George Chelidze
2013-04-08 11:39:27 UTC
Post by Mulindwa
Hi good pple, have been reading on how to enforce the attribute of
Mac-Addr and i have not seen it anywhere.
You don't read carefully what "good pple" reply to you. Ironically, the
reply to your question is attached to your question.

As Matthias already pointed out:

1. Put *Mac-Addr* to your dictionary (or make sure it's already there).
2. Remove it from your reply list and put it into the check list.
Post by Mulindwa
------------------------------------------------------------------------
*Sent:* Thursday, April 4, 2013 5:41 PM
*Subject:* Re: MAC Address Auth
Hello,
add the correct check item to your user database. In the case below
Attr-2352-145 == "5c-7d-5e-3f-d0-f7"
for this specific user in your user database. Then you repeat this for
every user/mac-address pair you want.
Best regards, Matthias
--
George Chelidze

Matthew Newton
2013-04-08 13:16:43 UTC
Permalink
Post by Mulindwa
the MAC address is different he will not be granted access.
Move the Mac-Addr attribute from the reply list to the check list,
and make it a check operator (==) not assignment (=):

***@ut3      Cleartext-Password := "eric", Simultaneous-Use := 1, Mac-Addr == 02-1B-9E-D3-0B-F0
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Matthew
--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Mulindwa
2013-04-08 13:32:55 UTC
Permalink
Thanks Matthew,

Sorry to ask, but where is the reply list and where is the check list?


 
Eric M


________________________________
From: Matthew Newton <***@leicester.ac.uk>
To: Mulindwa <***@yahoo.com>; FreeRadius users mailing list <freeradius-***@lists.freeradius.org>
Sent: Monday, April 8, 2013 4:16 PM
Subject: Re: MAC Address Auth
Post by Mulindwa
the MAC address is different he will not be granted access.
Move the Mac-Addr attribute from the reply list to the check list,
and make it a check operator (==) not assignment (=):

***@ut3      Cleartext-Password := "eric", Simultaneous-Use := 1, Mac-Addr == 02-1B-9E-D3-0B-F0
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0

Matthew
--
Matthew Newton, Ph.D. <***@le.ac.uk>

Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom

For IT help contact helpdesk extn. 2253, <***@le.ac.uk>
Marinko Tarlać
2013-04-08 14:02:14 UTC
Permalink
Do you plan to read anything or you think we're here in a chat room,
waiting for your questions (the same questions every day...) ?
Post by Mulindwa
Thanks Matthew,
Sorry to ask, but where is the reply list and where is the check list?
Eric M
------------------------------------------------------------------------
*Sent:* Monday, April 8, 2013 4:16 PM
*Subject:* Re: MAC Address Auth
Post by Mulindwa
the MAC address is different he will not be granted access.
Move the Mac-Addr attribute from the reply list to the check list,
Mac-Addr == 02-1B-9E-D3-0B-F0
Service-Type = Framed-User,
Qos-Policy-Policing = broadband_128_policing,
Qos-Policy-Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0
Matthew
--
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom
Mulindwa
2013-04-08 14:17:58 UTC
Permalink
I have read and read, and i have not seen where the reply list or check list is


 
Eric M


________________________________
From: Marinko Tarlać <***@gmail.com>
To: freeradius-***@lists.freeradius.org
Sent: Monday, April 8, 2013 5:02 PM
Subject: Re: MAC Address Auth


Do you plan to read anything or you think we're here in a chat room, waiting for your questions (the same questions every day...) ?




On 8.4.2013 15:32, Mulindwa wrote:

Thanks Matthew,
Post by Mulindwa
Sorry to ask, but where is the reply list and where is the check list?
 
Eric M
________________________________
Sent: Monday, April 8, 2013 4:16 PM
Subject: Re: MAC Address Auth
and if
Post by Mulindwa
Post by Mulindwa
the MAC address is different he will not be granted
access.
Post by Mulindwa
Move the Mac-Addr attribute from the reply list to the check
list,
:= 1, Mac-Addr == 02-1B-9E-D3-0B-F0
Post by Mulindwa
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0
Matthew
--
Systems Specialist, Infrastructure Services,
I.T. Services, University of Leicester, Leicester LE1 7RH,
United Kingdom
Post by Mulindwa
Marinko Tarlać
2013-04-08 11:36:24 UTC
Permalink
Add

***@ut3 Calling-Station-Id == 02:1B:9E:D3:0B:F0

inside radcheck table or inside users file

***@ut3 Cleartext-Password := "eric", Simultaneous-Use := 1
Calling-Station-Id == 02:1B:9E:D3:0B:F0
Service-Type = Framed-User,
Qos-Policy-Policing = broadband_128_policing,
Qos-Policy-Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0


Notice the double "=" sign....
Post by Mulindwa
Hi good pple, have been reading on how to enforce the attribute of
Mac-Addr and i have not seen it anywhere.
Has anyone done it before, please help throw some light on how i can achieve this.
address is different he will not be granted access.
Mac-Addr = 02-1B-9E-D3-0B-F0,
Service-Type = Framed-User,
Qos-Policy-Policing = broadband_128_policing,
Qos-Policy-Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0
Eric M
------------------------------------------------------------------------
*To:* FreeRadius users mailing list
*Sent:* Friday, April 5, 2013 9:07 AM
*Subject:* Re: MAC Address Auth
Thanks Mattias,
I get an error saying; Unknown attribute "Attr-2352-145"
This is how i have it setup
Attr-2352-145 = "5c-7d-5e-3f-d0-f7",
Service-Type = Framed-User,
Qos_Policy_Policing = broadband_128_policing,
Qos_Policy_Metering = broadband_128_metering,
Framed-Protocol = PPP,
Ip_Address_Pool_Name = pool_128,
Framed-Address = 255.255.255.254,
Framed-Netmask = 255.255.255.255,
Fall-Through = 0
Eric M
------------------------------------------------------------------------
*Sent:* Thursday, April 4, 2013 5:41 PM
*Subject:* Re: MAC Address Auth
Hello,
add the correct check item to your user database. In the case below
Attr-2352-145 == "5c-7d-5e-3f-d0-f7"
for this specific user in your user database. Then you repeat this for
every user/mac-address pair you want.
Best regards, Matthias
Post by Mulindwa
Great, i have run the debug and i did get the attribute required.
If i want to fulfill the two conditions i.e username/passwd and
Mac Address = Attr-2352-145
Post by Mulindwa
How would i need to tweak my radiusd.conf file to achieve this?
CHAP-Password = "cccddd'"
CHAP-Challenge = "mmmm"
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = "UT-BRAS-EDGE"
NAS-IP-Address = x.x.x.x
NAS-Port = 855649483
NAS_Real_Port = 855638816
NAS-Port-Type = Virtual
Attr-87 = "3/3 vlan-id 800 pppoe 11467"
Medium_Type = 11
Attr-2352-145 = "5c-7d-5e-3f-d0-f7" ==== MAC Address
Attr-2352-98 = "3"
Attr-2352-112 = "6.2.1.9"
Acct-Session-Id = "0202FFFF68008FC9-515D8419"
Eric M
________________________________
Sent: Thursday, April 4, 2013 4:58 PM
Subject: Re: MAC Address Auth
Thanks Alan,
Let me do so.
Eric M
________________________________
Sent: Thursday, April 4, 2013 4:47 PM
Subject: Re: MAC Address Auth
Post by Mulindwa
Hi All,
Have been trying to authenticate my ADSL users using Mac Address Auth,
however i have failed even after going through the documentation.
I want to authenticate with the highlighted, anyone done this and
can help?
Post by Mulindwa
It's been done.
Post by Mulindwa
This is how the accounting file looks;
If you're trying to debug authentication, it helps to look at
*authentication* traffic, and not *accounting* data.
And run the server in debugging mode as suggested in the FAQ, "man"
page, web pages, and daily on this list.
Honestly, there is NO excuse for refusing to do this.
Alan DeKok.
----------------------------------------------------------------------
Matthias Nagel
Willy-Andreas-Allee 1, Zimmer 506
76131 Karlsruhe
Telefon: +49-721-8695-1506
Mobil: +49-151-15998774
ICQ: 499797758
Skype: nagmat84
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
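The reply-list versus check-list distinction described in the replies above, as an added example that is not part of any post and is not FreeRADIUS code: a simplified Python model of how one users-file entry is matched against a request. The user name, password and second MAC address are constructed, the entries are shortened, and the model's handling of `==`, `:=` and `=` with exact string comparison is an assumption of this sketch.

```python
"""Toy model of matching one FreeRADIUS "users" file entry (added example)."""
import re

# One "Attribute op value" item; only the three operators seen in the thread.
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(==|:=|=)\s*("[^"]*"|[^,\s]+)\s*')

ENROLLED_MAC = "02-1B-9E-D3-0B-F0"   # MAC used in the thread's entry
OTHER_MAC = "02-00-00-00-00-01"      # constructed: some other device

# Constructed, shortened entries. BEFORE keeps Mac-Addr in the reply list
# with "=", AFTER moves it to the check list with "==".
BEFORE = """
user@example  Cleartext-Password := "secret", Simultaneous-Use := 1
        Mac-Addr = 02-1B-9E-D3-0B-F0,
        Service-Type = Framed-User,
        Fall-Through = 0
"""
AFTER = """
user@example  Cleartext-Password := "secret", Simultaneous-Use := 1, Mac-Addr == 02-1B-9E-D3-0B-F0
        Service-Type = Framed-User,
        Fall-Through = 0
"""


def parse_items(text):
    """Split a comma-separated item list into (attribute, operator, value)."""
    items = []
    for part in text.split(","):  # constructed input has no commas in values
        if not part.strip():
            continue
        match = ITEM_RE.fullmatch(part)
        if match is None:
            raise ValueError("cannot parse item: %r" % part)
        attr, op, value = match.groups()
        items.append((attr, op, value.strip('"')))
    return items


def parse_entry(text):
    """First line: user name plus check list. Indented lines: reply list."""
    lines = [line for line in text.splitlines() if line.strip()]
    name, check_text = lines[0].split(None, 1)
    reply_text = " ".join(line.strip() for line in lines[1:])
    return name, parse_items(check_text), parse_items(reply_text)


def authorize(entry, request):
    """Return the reply dict if the entry matches the request, else None."""
    name, check, reply = entry
    if request.get("User-Name") != name:
        return None
    for attr, op, value in check:
        # "==" compares against what the NAS sent; a missing or different
        # attribute means the entry does not match.
        if op == "==" and request.get(attr) != value:
            return None
        # ":=" and "=" set server-side control items (password, limits);
        # they are never compared with the request, so they cannot reject.
    # Reply items are only copied into the answer sent back to the NAS.
    return {attr: value for attr, _op, value in reply}


def run_cases():
    """Match both entries against requests from two different devices."""
    def req(mac):
        return {"User-Name": "user@example", "Mac-Addr": mac}

    before, after = parse_entry(BEFORE), parse_entry(AFTER)
    return {
        "before_other_mac": authorize(before, req(OTHER_MAC)),
        "after_enrolled_mac": authorize(after, req(ENROLLED_MAC)),
        "after_other_mac": authorize(after, req(OTHER_MAC)),
        "after_lowercase_mac": authorize(after, req(ENROLLED_MAC.lower())),
        "after_no_mac": authorize(after, {"User-Name": "user@example"}),
    }


if __name__ == "__main__":
    for case, result in run_cases().items():
        print(case, "->", "match" if result is not None else "no match")
```

Because the model compares strings exactly, the check value has to be written in the same form the NAS sends; the debug output quoted in this thread shows the NAS sending lowercase, hyphen-separated MAC addresses.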
Łukasz Kopiszka
2013-04-04 13:18:30 UTC
Permalink
Hi,

I have a strange problem: the host can't receive an IP because it gets
Acct-Status-Type = Stop
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
after one second before:
Acct-Status-Type = Start
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP

short log:

Sending Access-Accept of id 126 to 91.231.70.5 port 1812
Service-Type = Outbound-User
Framed-IP-Address == 91.231.71.17
Acct-Interim-Interval == 300
Service-Type == Outbound-User
Connect-Info == "1"
Port-Limit == 1
DHCP_Max_Leases == 1
Context-Name == "CLIPS"
HTTP-Redirect-Profile-Name == ""
Forward-Policy == "in:CLIPS-DEFAULT"
QOS-Rate-Outbound == "20480"
QOS-Rate-Inbound == "2048"
Finished request 5.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=223, length=385
User-Name = "00:17:08:2e:76:d2"
Acct-Status-Type = Start
Acct-Session-Id = "0100FFFF7800029F-515D7656"
Service-Type = Outbound-User
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_UP
NAS-Identifier = "ALFASYSTEM"
NAS-Port = 33619968
NAS-Real-Port = 553649127
NAS-Port-Type = Virtual
NAS-Port-Id = "2/1 vlan-id 999 clips 131743"
Medium-Type = DSL
Mac-Addr = "00-17-08-2e-76-d2"
Platform-Type = SE-100
OS-Version = "6.5.1.5"
Acct-Authentic = RADIUS
Port-Limit = 1
DHCP-Max-Leases = 1
Framed-IP-Address = 91.231.71.17
Source-Validation = Enabled
DHCP-Option = "\014\014\004alfa"
Acct-Interim-Interval = 600
Forward-Policy = "in:CLIPS-DEFAULT"
QOS-Rate-Outbound = "20480:0:0"
QOS-Rate-Inbound = "2048:0:0"
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Event-Timestamp = "Apr 4 2013 14:47:18 CEST" << start

rad_recv: Accounting-Request packet from host 91.231.70.5 port 1812,
id=224, length=603
User-Name = "00:17:08:2e:76:d2"
Acct-Status-Type = Stop
Acct-Session-Id = "0100FFFF7800029F-515D7656"
Service-Type = Outbound-User
Acct-Update-Reason = AAA_LOAD_ACCT_SESSION_DOWN
NAS-Identifier = "ALFASYSTEM"
NAS-Port = 33619968
NAS-Real-Port = 553649127
NAS-Port-Type = Virtual
NAS-Port-Id = "2/1 vlan-id 999 clips 131743"
Medium-Type = DSL
Mac-Addr = "00-17-08-2e-76-d2"
Platform-Type = SE-100
OS-Version = "6.5.1.5"
Acct-Authentic = RADIUS
Port-Limit = 1
DHCP-Max-Leases = 1
Framed-IP-Address = 91.231.71.17
Source-Validation = Enabled
DHCP-Option = "\014\014\004alfa"
Acct-Session-Time = 1
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Input-Gigawords = 0
Acct-Output-Gigawords = 0
Acct-Input-Packets-64 = 0x0000000000000000
Acct-Output-Packets-64 = 0x0000000000000000
Acct-Input-Octets-64 = 0x0000000000000000
Acct-Output-Octets-64 = 0x0000000000000000
Acct-Mcast-In-Packets = 0
Acct-Mcast-Out-Packets = 0
Acct-Mcast-In-Octets = 0
Acct-Mcast-Out-Octets = 0
Acct-Mcast-In-Packets-64 = 0x0000000000000000
Acct-Mcast-Out-Packets-64 = 0x0000000000000000
Acct-Mcast-In-Octets-64 = 0x0000000000000000
Acct-Mcast-Out-Octets-64 = 0x0000000000000000
Acct-Interim-Interval = 600
Forward-Policy = "in:CLIPS-DEFAULT"
QOS-Rate-Outbound = "20480:0:0"
QOS-Rate-Inbound = "2048:0:0"
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Event-Timestamp = "Apr 4 2013 14:47:19 CEST" << stop after 1 second!

full log: http://pastebin.com/HTYxdg1B

Everything was working great until I changed something, but I don't
remember what it was
--
Pozdrawiam,
Łukasz Kopiszka
tel. 694-212-718
www.alfa-system.pl

Alexander Silveröhrt
2013-04-04 14:28:29 UTC
Permalink
Hard to know what you misconfigured but... I can give you some "usual suspects" maybe.

Also can you post a "show subscribers active all" while trying to auth.

Also debug with
Term mon
debug aaa rad-attr
debug rad-packet

Your forward policy looks wicked
Forward-Policy == "in:CLIPS-DEFAULT"
are you sure that is the name of your forwarding policy? And if you are using netop make sure that this forwarding policy is the one in the database.


Also double check that you have below Metering and policing on the router and that they are configured with the right rate and burst.
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"

Also if you are using netop check that you have those customer-out and customer-in in Netops service attribute Variation/bandwidth variation and that they point to existing valid customer-out and customer-in on the router.
From the look of it from your reply attributes they should look like..

qos policy customer-out metering
rate 20480 burst 100000
!
qos customer-in policing
rate 2048 burst 10000
!

And of course make sure you have a context with the name "CLIPS" to bound the session to.

And since i have never used below attributes in a SME before that makes me suspicious..Just make sure they aren't doing anything crazy:)
Connect-Info == "1"
Port-Limit == 1


Cheers
Alex


Łukasz Kopiszka
2013-04-04 15:57:51 UTC
Permalink
More debug "show log fac aaa":

Apr 4 17:43:26: %AAA-7-RADIUS: rad_mgr, Process radius requests in db
request queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_aaad_req: Receive request (Authentication)
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_ATTR:
aaa_idx 50000358: rad_add_attr_to_tlv_list, Add attr NAS_Port_ID (2/1
vlan-id 1000 clips 131927) with len 30 to t
lv list
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: aaaidx_tree_insert: insert aaa_idx to idx tree for context
rad_idx 2212 db_request_type Authentic
ation. (00:17:08:2e:76:d2)
Apr 4 17:43:26: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: do_auth_send: Find free server 91.231.70.50 (ctx CLIPS, src
port 1812, dst port 1812). (00:17:08:
2e:76:d2)
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/1 User_Name
tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/2 User_Password
tag=32 data_type=5 vlen=16 size=18
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/6 Service_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/32
NAS_Identifier tag=32 data_type=4 vlen=10 size=12
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/5 NAS_Port
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/62
NAS_Real_Port tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/61 NAS_Port_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/87 NAS_Port_ID
tag=32 data_type=4 vlen=29 size=31
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/38
Medium_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/145
Mac-Address tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/98
Platform_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/112
OS_Version tag=32 data_type=4 vlen=7 size=9
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/202
DHCP_Option tag=32 data_type=5 vlen=7 size=9
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:26: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (0 retransmit)
[local]ALFASYSTEM#show log active fac aaa since 2013:04:04:17:40
Apr 4 17:43:26: %AAA-7-RADIUS: rad_mgr, Process radius requests in db
request queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_aaad_req: Receive request (Authentication)
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_ATTR:
aaa_idx 50000358: rad_add_attr_to_tlv_list, Add attr NAS_Port_ID (2/1
vlan-id 1000 clips 131927) with len 30 to t
lv list
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: aaaidx_tree_insert: insert aaa_idx to idx tree for context
rad_idx 2212 db_request_type Authentic
ation. (00:17:08:2e:76:d2)
Apr 4 17:43:26: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: do_auth_send: Find free server 91.231.70.50 (ctx CLIPS, src
port 1812, dst port 1812). (00:17:08:
2e:76:d2)
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/1 User_Name
tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/2 User_Password
tag=32 data_type=5 vlen=16 size=18
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/6 Service_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/32
NAS_Identifier tag=32 data_type=4 vlen=10 size=12
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/5 NAS_Port
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/62
NAS_Real_Port tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/61 NAS_Port_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/87 NAS_Port_ID
tag=32 data_type=4 vlen=29 size=31
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/38
Medium_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/145
Mac-Address tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/98
Platform_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/112
OS_Version tag=32 data_type=4 vlen=7 size=9
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/202
DHCP_Option tag=32 data_type=5 vlen=7 size=9
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:26: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (0 retransmit)
Apr 4 17:43:36: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_time_q: Timer Pop moved 1 req to send q to be
retransmitted
Apr 4 17:43:36: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: rad_change_srv_state: Auto detect
server connectivity function actived for server 91.231.70.50/1812

Apr 4 17:43:36: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:36: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (1 retransmit)
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_time_q: Timer Pop moved 1 req to send q to be
retransmitted
Apr 4 17:43:46: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: do_auth_send: Use dead server (as last resort) 91.231.70.50
(ctx CLIPS, src port 1812, dst port 1
812). (00:17:08:2e:76:d2)
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:46: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:46: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:46: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (1 retransmit)


More debug "show log active fac clips":

Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-CCT: Assigned
session-id 131929
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
create to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
flags IP to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
config to ISM session id 131929
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
state UP to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-cct-up, was: Initial
Apr 4 17:51:20: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.168.0.4 ctx=0x0 giaddr=0.0.0.0
mac=00:17:08:2e:76:d2 (new sesid=131929)
Apr 4 17:51:20: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: hostname len=4
hostname=alfa
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:20: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:20: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: sub_event 2
state: Await-cct-up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Sent-auth-req, was: Await-cct-up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending
authentication request to AAAd
Apr 4 17:51:20: %CLIPS-7-AUTH: authen_req: recreate: 0
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: [4] Hostname: alfa
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Authentication
response status: Success
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending session
up to AAAd
Apr 4 17:51:21: [2/1:511:63:31/1/2/28668]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:21: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/1/2/28668
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:21: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-DHCP: Received DELETE
(reason 17)
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM:
2/1:511:63:31/7/2/857: fsm_state Await-IP ism up 1 shut 0 dhcp 1 mac_set
1 auth fail 0 del_pend 0 bounce 0 starting 0
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-down-cplt, was: Await-IP
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending session
down to AAAd; cause: No error was recorded (0)
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT del
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: sub_event 4
state: Await-down-cplt
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Unknown, was: Await-down-cplt
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT DEL:
2/1:511:63:31/7/2/857
Apr 4 17:51:22: [2/1:511:63:31/1/2/28668]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/1/2/28668
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-CCT: Assigned
session-id 131930
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
create to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
flags IP to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
config to ISM session id 131930
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
state UP to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Await-cct-up, was: Initial
Apr 4 17:51:23: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.168.0.4 ctx=0x0 giaddr=0.0.0.0
mac=00:17:08:2e:76:d2 (new sesid=131930)
Apr 4 17:51:23: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: hostname len=4
hostname=alfa
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT create
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: sub_event 3
state: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:23: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/858
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: sub_event 2
state: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Sent-auth-req, was: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Sending
authentication request to AAAd
Apr 4 17:51:23: %CLIPS-7-AUTH: authen_req: recreate: 0
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: [4] Hostname: alfa
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Authentication
response status: Success
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Sending session
up to AAAd



Any suggestions? Where to look, what to check, etc. Thx for help :)
Post by Alexander Silveröhrt
Your forward policy looks wicked
Forward-Policy == "in:CLIPS-DEFAULT"
are you sure that is the name of your forwarding policy? And if you are using netop make sure that this forwarding policy is the one in the database.
It's correct.
Post by Alexander Silveröhrt
Also double check that you have below Metering and policing on the router and that they are configured with the right rate and burst.
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Also if you are using netop check that you have those customer-out and customer-in in Netops service attribute Variation/bandwidth variation and that they point to existing valid customer-out and customer-in on the router.
I don't use netop.
Post by Alexander Silveröhrt
From the look of it from your reply attributes they should look like..
qos policy customer-out metering
rate 20480 burst 100000
!
qos customer-in policing
rate 2048 burst 10000
!
I get QOS values from db.
Post by Alexander Silveröhrt
And of course make sure you have a context with the name "CLIPS" to bound the session to.
And since i have never used below attributes in a SME before that makes me suspicious..Just make sure they aren't doing anything crazy:)
Connect-Info == "1"
Port-Limit == 1
Tried it, but without success.
--
Pozdrawiam,
Łukasz Kopiszka
tel. 694-212-718
www.alfa-system.pl

Phil Mayers
2013-04-04 16:08:52 UTC
Please take the Cisco debugging somewhere else, like a Cisco list (or to
private emails).
Łukasz Kopiszka
2013-04-04 15:52:46 UTC
More debug "show log fac aaa":

[local]ALFASYSTEM#show log active fac aaa since 2013:04:04:17:40
Apr 4 17:43:26: %AAA-7-RADIUS: rad_mgr, Process radius requests in db
request queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_aaad_req: Receive request (Authentication)
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_ATTR:
aaa_idx 50000358: rad_add_attr_to_tlv_list, Add attr NAS_Port_ID (2/1
vlan-id 1000 clips 131927) with len 30 to t
lv list
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: aaaidx_tree_insert: insert aaa_idx to idx tree for context
rad_idx 2212 db_request_type Authentic
ation. (00:17:08:2e:76:d2)
Apr 4 17:43:26: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: do_auth_send: Find free server 91.231.70.50 (ctx CLIPS, src
port 1812, dst port 1812). (00:17:08:
2e:76:d2)
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/1 User_Name
tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/2 User_Password
tag=32 data_type=5 vlen=16 size=18
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/6 Service_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/32
NAS_Identifier tag=32 data_type=4 vlen=10 size=12
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/5 NAS_Port
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/62
NAS_Real_Port tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/61 NAS_Port_Type
tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 1/87 NAS_Port_ID
tag=32 data_type=4 vlen=29 size=31
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/38
Medium_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/145
Mac-Address tag=32 data_type=4 vlen=17 size=19
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/98
Platform_Type tag=32 data_type=2 vlen=4 size=6
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/112
OS_Version tag=32 data_type=4 vlen=7 size=9
Apr 4 17:43:26: %AAA-7-RAD_ATTR: rad_fill_attr_value: 2352/202
DHCP_Option tag=32 data_type=5 vlen=7 size=9
Apr 4 17:43:26: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:26: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:26: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (0 retransmit)
Apr 4 17:43:36: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_time_q: Timer Pop moved 1 req to send q to be
retransmitted
Apr 4 17:43:36: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: rad_change_srv_state: Auto detect
server connectivity function actived for server 91.231.70.50/1812

Apr 4 17:43:36: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:36: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:36: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (1 retransmit)
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: rad_process_time_q: Timer Pop moved 1 req to send q to be
retransmitted
Apr 4 17:43:46: %AAA-7-RADIUS: rad_send, Process radius requests in
authen low priority queue
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RADIUS: aaa_idx
50000358: do_auth_send: Use dead server (as last resort) 91.231.70.50
(ctx CLIPS, src port 1812, dst port 1
812). (00:17:08:2e:76:d2)
Apr 4 17:43:46: [0258]: [2/1:511:63:31/7/2/855]: %AAA-7-RAD_PKT: aaa_idx
50000358: Send packet (209 bytes) to 91.231.70.50/1812 (00:17:08:2e:76:d2):


Apr 4 17:43:46: [0258]: %AAA-7-RADIUS: Using local address 91.231.70.5
Apr 4 17:43:46: [0258]: %AAA-7-RADIUS: do_send: 209 bytes send to radius
server 91.231.70.50 (1812).
Apr 4 17:43:46: %AAA-7-RADIUS: rad_process_send_queue, 1 requests
processed (1 retransmit)


More debug "show log active fac clips":

Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-CCT: Assigned
session-id 131929
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
create to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
flags IP to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
config to ISM session id 131929
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Sending circuit
state UP to ISM
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-cct-up, was: Initial
Apr 4 17:51:20: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.168.0.4 ctx=0x0 giaddr=0.0.0.0
mac=00:17:08:2e:76:d2 (new sesid=131929)
Apr 4 17:51:20: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: hostname len=4
hostname=alfa
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:20: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:20: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: sub_event 2
state: Await-cct-up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Sent-auth-req, was: Await-cct-up
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending
authentication request to AAAd
Apr 4 17:51:20: %CLIPS-7-AUTH: authen_req: recreate: 0
Apr 4 17:51:20: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: [4] Hostname: alfa
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Authentication
response status: Success
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending session
up to AAAd
Apr 4 17:51:21: [2/1:511:63:31/1/2/28668]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:21: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/1/2/28668
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:21: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-DHCP: Received DELETE
(reason 17)
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM:
2/1:511:63:31/7/2/857: fsm_state Await-IP ism up 1 shut 0 dhcp 1 mac_set
1 auth fail 0 del_pend 0 bounce 0 starting 0
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Await-down-cplt, was: Await-IP
Apr 4 17:51:21: [2/1:511:63:31/7/2/857]: %CLIPS-7-AUTH: Sending session
down to AAAd; cause: No error was recorded (0)
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/857
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT del
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-ISM: sub_event 4
state: Await-down-cplt
Apr 4 17:51:22: [2/1:511:63:31/7/2/857]: %CLIPS-7-FSM: State now:
Unknown, was: Await-down-cplt
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT DEL:
2/1:511:63:31/7/2/857
Apr 4 17:51:22: [2/1:511:63:31/1/2/28668]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:22: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/1/2/28668
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-CCT: Assigned
session-id 131930
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
create to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
flags IP to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
config to ISM session id 131930
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Sending circuit
state UP to ISM
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Await-cct-up, was: Initial
Apr 4 17:51:23: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.168.0.4 ctx=0x0 giaddr=0.0.0.0
mac=00:17:08:2e:76:d2 (new sesid=131930)
Apr 4 17:51:23: [2/1:511:63:31/1/2/28668]: %CLIPS-7-DHCP: hostname len=4
hostname=alfa
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT create
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: sub_event 3
state: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT cfg; CCT 1qcfg
Apr 4 17:51:23: %CLIPS-7-ISM: ICR Lib processing ISM CCT CFG :
2/1:511:63:31/7/2/858
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: Processing ISM
event: CCT state; CCT up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-ISM: sub_event 2
state: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Sent-auth-req, was: Await-cct-up
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Sending
authentication request to AAAd
Apr 4 17:51:23: %CLIPS-7-AUTH: authen_req: recreate: 0
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: [4] Hostname: alfa
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Authentication
response status: Success
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
Apr 4 17:51:23: [2/1:511:63:31/7/2/858]: %CLIPS-7-AUTH: Sending session
up to AAAd



Any suggestions? Where to look, what to check, etc. Thx for help :)
Post by Alexander Silveröhrt
Your forward policy looks wicked
Forward-Policy == "in:CLIPS-DEFAULT"
are you sure that is the name of your forwarding policy? And if you are using netop make sure that this forwarding policy is the one in the database.
It's fine.
Post by Alexander Silveröhrt
Also double check that you have below Metering and policing on the router and that they are configured with the right rate and burst.
Qos-Policing-Profile-Name = "customer-out"
Qos-Metering-Profile-Name = "customer-in"
Also if you are using netop check that you have those customer-out and customer-in in Netops service attribute Variation/bandwidth variation and that they point to existing valid customer-out and customer-in on the router.
I don't use netop.
Post by Alexander Silveröhrt
From the look of it from your reply attributes they should look like..
qos policy customer-out metering
rate 20480 burst 100000
!
qos customer-in policing
rate 2048 burst 10000
!
I get QOS values from db.
Post by Alexander Silveröhrt
And of course make sure you have a context with the name "CLIPS" to bound the session to.
And since i have never used below attributes in a SME before that makes me suspicious..Just make sure they aren't doing anything crazy:)
Connect-Info == "1"
Port-Limit == 1
Tried it, but without success.
--
Pozdrawiam,
Łukasz Kopiszka
tel. 694-212-718
www.alfa-system.pl
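
The CLIPS log in the post above shows a session that authenticates, reaches Await-IP, is deleted by DHCP and is then recreated for the same MAC. As an added example (not part of the thread and not vendor tooling), the Python below rejoins the wrapped log records and rebuilds each circuit's state path to flag that loop; the sample log is constructed and the function names are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample in the CLIPS debug format quoted in the thread (made-up
# circuit/session ids, documentation MAC and IP), wrapped as the archive wraps.
SAMPLE = """\
Apr 4 10:00:00: [1/1:1:1/7/2/10]: %CLIPS-7-CCT: Assigned
session-id 5001
Apr 4 10:00:00: [1/1:1:1/1/2/99]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.0.2.4 ctx=0x0 giaddr=0.0.0.0
mac=00:00:5e:00:53:01 (new sesid=5001)
Apr 4 10:00:00: [1/1:1:1/7/2/10]: %CLIPS-7-FSM: State now:
Sent-auth-req, was: Await-cct-up
Apr 4 10:00:01: [1/1:1:1/7/2/10]: %CLIPS-7-AUTH: Authentication
response status: Success
Apr 4 10:00:01: [1/1:1:1/7/2/10]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
Apr 4 10:00:01: [1/1:1:1/7/2/10]: %CLIPS-7-DHCP: Received DELETE
(reason 17)
Apr 4 10:00:01: [1/1:1:1/7/2/10]: %CLIPS-7-FSM: State now:
Await-down-cplt, was: Await-IP
Apr 4 10:00:03: [1/1:1:1/7/2/11]: %CLIPS-7-CCT: Assigned
session-id 5002
Apr 4 10:00:03: [1/1:1:1/1/2/99]: %CLIPS-7-DHCP: Processed
CREATE from dhcpd: flags=0x0 ip=192.0.2.4 ctx=0x0 giaddr=0.0.0.0
mac=00:00:5e:00:53:01 (new sesid=5002)
Apr 4 10:00:03: [1/1:1:1/7/2/11]: %CLIPS-7-FSM: State now:
Await-IP, was: Sent-auth-req
"""

STAMP = r"[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d: "
RECORD = re.compile("^" + STAMP + r"(?:\[(?P<cct>[^\]]+)\]: )?"
                    r"%CLIPS-7-(?P<fac>[A-Z]+): (?P<msg>.*)$")

def unwrap(text):
    """Join wrapped continuation lines back onto the record they belong to."""
    records = []
    for line in filter(None, map(str.strip, text.splitlines())):
        if re.match(STAMP, line) or not records:
            records.append(line)
        else:
            records[-1] += " " + line
    return records

def sessions(text):
    """Per-circuit summary: session id, MAC, FSM path, auth result, delete reason."""
    by_cct = defaultdict(lambda: {"sesid": None, "mac": None, "path": [],
                                  "auth": None, "delete_reason": None})
    mac_by_sesid = {}
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if not m or m["cct"] is None:
            continue
        s, fac, msg = by_cct[m["cct"]], m["fac"], m["msg"]
        if fac == "DHCP" and (c := re.search(r"mac=(\S+) \(new sesid=(\d+)\)", msg)):
            mac_by_sesid[c[2]] = c[1]  # CREATE is logged on the parent circuit
        elif fac == "DHCP" and (c := re.search(r"DELETE \(reason (\d+)\)", msg)):
            s["delete_reason"] = int(c[1])
        elif fac == "CCT" and (c := re.search(r"Assigned session-id (\d+)", msg)):
            s["sesid"] = c[1]
        elif fac == "AUTH" and (c := re.search(r"response status: (\w+)", msg)):
            s["auth"] = c[1]
        elif fac == "FSM" and (c := re.search(r"State now: (\S+), was: (\S+)", msg)):
            s["path"] += [c[1]] if s["path"] else [c[2], c[1]]
    for s in by_cct.values():
        s["mac"] = mac_by_sesid.get(s["sesid"])
    return {cct: s for cct, s in by_cct.items() if s["path"]}

def aborted_before_ip(s):
    """Auth succeeded, then the FSM went straight from Await-IP to teardown."""
    p = s["path"]
    return s["auth"] == "Success" and ("Await-IP", "Await-down-cplt") in zip(p, p[1:])

def flapping_macs(text):
    """MACs that had a session aborted in Await-IP and then tried again."""
    found = sessions(text).values()
    macs = [s["mac"] for s in found]
    return sorted({s["mac"] for s in found
                   if s["mac"] and aborted_before_ip(s) and macs.count(s["mac"]) > 1})
```
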
Łukasz Kopiszka
2013-04-05 10:33:50 UTC
I solved my problem. I needed to comment out "radutmp" in site-available/default

session {
# radutmp

#
# See "Simultaneous Use Checking Queries" in sql.conf
sql
}
--
Pozdrawiam,
Łukasz Kopiszka
tel. 694-212-718
www.alfa-system.pl

Alan DeKok
2013-04-08 14:21:58 UTC
I have read and read, and I have not seen where the reply list or check
list is
$ man unlang

Read doc/rlm_sql

I have no idea which files you're reading. But it's clear you're
*not* reading the documentation that comes with the server.

Don't google for random pages on the net. Read the documentation.
Read the Wiki. 99% of questions are answered there.

Alan DeKok.
Mulindwa
2013-04-08 14:27:25 UTC
Great, thanx Alan


 
Eric M


________________________________
From: Alan DeKok <***@deployingradius.com>
To: Mulindwa <***@yahoo.com>; FreeRadius users mailing list <freeradius-***@lists.freeradius.org>
Sent: Monday, April 8, 2013 5:21 PM
Subject: Re: MAC Address Auth
I have read and read, and I have not seen where the reply list or check
list is
$ man unlang

  Read doc/rlm_sql

  I have no idea which files you're reading.  But it's clear you're
*not* reading the documentation that comes with the server.

  Don't google for random pages on the net.  Read the documentation.
Read the Wiki.  99% of questions are answered there.

  Alan DeKok.
Mulindwa
2013-04-09 11:16:05 UTC
Hi,

I am happy to say that I managed to get this to work; tested and double-tested, and it works fine.

However, the challenge I have now is to ensure that all my users at a domain, say @ut3, are requested to fulfil all the parameters on this 1st line. How do I ensure this?

***@ut3      Cleartext-Password := "eric", Simultaneous-Use := 1, Mac-Addr == "00-24-d2-28-4f-39"
        Service-Type = Framed-User,
        Qos-Policy-Policing = broadband_128_policing,
        Qos-Policy-Metering = broadband_128_metering,
        Framed-Protocol = PPP,
        Ip_Address_Pool_Name = pool_128,
        Framed-Address = 255.255.255.254,
        Framed-Netmask = 255.255.255.255,
        Fall-Through = 0




 
Eric M


________________________________
From: Alan DeKok <***@deployingradius.com>
To: Mulindwa <***@yahoo.com>; FreeRadius users mailing list <freeradius-***@lists.freeradius.org>
Sent: Monday, April 8, 2013 5:21 PM
Subject: Re: MAC Address Auth
Post by Mulindwa
I have read and read, and I have not seen where the reply list or check list is
$ man unlang

  Read doc/rlm_sql

  I have no idea which files you're reading.  But it's clear you're
*not* reading the documentation that comes with the server.

  Don't google for random pages on the net.  Read the documentation.
Read the Wiki.  99% of questions are answered there.

  Alan DeKok.
