[c-nsp] RADIUS: Response for non-existent request ident

Oliver Boehmer (oboehmer) oboehmer at cisco.com
Tue Dec 13 12:04:30 EST 2005


Hi,

this looks very strange. I don't know where the extra requests come
from, but if we trust the radius debug (and I have currently no reason
not to trust it), the router did not send them. Can you sniff before the
Radius server to see what is going on? Could the packets be "recycled"
somewhere else?

	oli

Piestaga <> wrote on Tuesday, December 13, 2005 4:36 PM:

> Hi,
> 
> Could you please take a look at the problem I have with radius
> authentication.
> This is the problem that occurred recently (the environment was stable
> for the last 6 months, until the problem appeared).
> 
> I have 3 different Radius servers, and the problem touches only one of
> them, and their configuration is the same in all 3 cases.
> 
> I try to authenticate the user (ppp or cisco VPN, but it does not
> matter which user type I suppose, because the behaviour is exactly the
> same).
> 
> The problem is that, despite the fact the router sends an original
> authentication request to radius, it also sends dozens of identical
> packets (and only to one of the radius servers):
> 
> RADIUS(0000019A): Send Access-Request to 195.114.xxx.xxx:1645 id 1645/52, len 91
> RADIUS:  authenticator 88 DA 19 E2 01 0C E4 BE - FA 49 7F 58 67 3C C8 8
> RADIUS:  User-Name           [1]   15  "FIRMATESTOWA1"
> RADIUS:  User-Password       [2]   18  *
> RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
> RADIUS:  Service-Type        [6]   6   Outbound                  [5]
> RADIUS:  NAS-IP-Address      [4]   6   33.33.33.33
> RADIUS:  Nas-Identifier      [32]  20  "PRIMARY-AGGREGATOR"
> RADIUS: Received from id 1645/52 195.114.xxx.xxx:1645, Access-Accept, len 384
> RADIUS:  authenticator BC 0A E0 95 50 AF B3 B0 - 59 2A 32 0E 47 1A 28 4F
> RADIUS:  Class               [25]  35
> RADIUS:   00                                               [?]
> RADIUS:  Vendor, Cisco       [26]  31
> RADIUS:   Cisco AVpair       [1]   25  "ipsec:key-exchange=key "
> RADIUS:  Vendor, Cisco       [26]  41
> RADIUS:   Cisco AVpair       [1]   35  "ipsec:key-exchange=preshared-key "
> RADIUS:  Vendor, Cisco       [26]  38
> RADIUS:   Cisco AVpair       [1]   32  "ipsec:netmask=255.255.255.255 "
> RADIUS:  Vendor, Cisco       [26]  30
> RADIUS:   Cisco AVpair       [1]   24  "ipsec:addr-pool=Pool "
> RADIUS:  Service-Type        [6]   6   Outbound                  [5]
> RADIUS:  Tunnel-Password     [69]  21  00:*
> RADIUS:  Tunnel-Type         [64]  6   00:ESP                    [9]
> RADIUS(0000019A): Received from id 1645/52
> RADIUS: Received from id 1645/52 195.114.xxx.xxx:1645, Access-Accept, len 384
> RADIUS: Response for non-existent request ident
> RADIUS: Received from id 1645/52 195.114.xxx.xxx:1645, Access-Accept, len 384
> RADIUS: Response for non-existent request ident
> RADIUS: Received from id 1645/52 195.114.xxx.xxx:1645, Access-Accept, len 384
> RADIUS: Response for non-existent request ident
> 
> and those last 2 lines are repeated over one hundred times.
> 
> At radius, I can see identical behaviour:
> 
> Apart from the regular authentication request and response processing (I
> am not presenting that here), I can see dozens of the same requests:
> 
> -----------------------------------------------------------
> Authentication Request
> Received from: ip=33.33.33.33 port=1645
> 
> Raw Packet :
> 000: 0134005b 88da19e2 010ce4be fa497f58 |.4.[.........I.X|
> 010: 673cc88d 010f4649 524d4154 4553544f |g<....FIRMATESTO|
> 020: 57413102 12cbf1d1 d8ce4caf f4a8b259 |WA1.......L....Y|
> 030: 2ad54999 e63d0600 00000506 06000000 |*.I..=..........|
> 040: 05040621 21212120 14505249 4d415259 |...!!!! .PRIMARY|
> 050: 2d414747 52454741 544f52            |-AGGREGATOR     |
> -----------------------------------------------------------
> 
> and responses:
> 
> -----------------------------------------------------------
> Authentication Response
> Sent to: ip=33.33.33.33 port=1645
> 
> Raw Packet :
> 000: 02340180 bc0ae095 50afb3b0 592a320e |.4......P...Y*2.|
> 010: 471a284f 19235342 522d434c 20444e3d |G.(O.#SBR-CL DN=|
> 020: 22464952 4d415445 53544f57 41312220 |"FIRMATESTOWA1" |
> 030: 41543d22 3022001a 1f000000 09011969 |AT="0".........i|
> 040: 70736563 3a6b6579 2d657863 68616e67 |psec:key-exchang|
> 050: 653d6b65 79001a29 00000009 01236970 |e=key..).....#ip|
> 060: 7365633a 6b65792d 65786368 616e6765 |sec:key-exchange|
> 070: 3d707265 73686172 65642d6b 6579001a |=preshared-key..|
> 080: 26000000 09012069 70736563 3a6e6574 |&..... ipsec:net|
> 090: 6d61736b 3d323535 2e323535 2e323535 |mask=255.255.255|
> 0a0: 2e323535 001a1b00 00000901 15697073 |.255.........ips|
> 0b0: 65633a67 726f7570 2d6c6f63 6b3d3100 |ec:group-lock=1.|
> 0c0: 1a220000 0009011c 69707365 633a696e |."......ipsec:in|
> 0d0: 636c7564 652d6c6f 63616c2d 6c616e3d |clude-local-lan=|
> 0e0: 30001a1b 00000009 01156970 7365633a |0.........ipsec:|
> 0f0: 74696d65 6f75743d 33363030 001a1c00 |timeout=3600....|
> 100: 00000901 16697073 65633a69 646c6574 |.....ipsec:idlet|
> 110: 696d653d 33363030 001a2800 00000901 |ime=3600..(.....|
> 120: 22697073 65633a64 6e732d73 65727665 |"ipsec:dns-serve|
> 130: 72733d31 39352e31 31342e31 36312e32 |rs=195.114.161.2|
> 140: 001a1e00 00000901 18697073 65633a61 |.........ipsec:a|
> 150: 6464722d 706f6f6c 3d454d50 54590006 |ddr-pool=EMPTY..|
> 160: 06000000 05451500 8001b83d a3236f1b |.....E.....=.#o.|
> 170: f72d05a6 5286012e 30074006 00000009 |.-..R...0.@.....|
> -----------------------------------------------------------
> Packet containing 384 bytes successfully sent
> ../radauthd.c radAuthHandleRequest() 2539 Exiting
> ../radauthd.c radAuthHandleRequest() 2509 Entering
> Looking up shared secret
> Looking for RAS client 33.33.33.33 in DB
> Matched 33.33.33.33 to RAS client FIRMATESTOWA1
> Parsing request
> Matching request found in authentication cache
> Cached response being re-sent
> -----------------------------------------------------------
> 
> There are as many requests and responses on radius as there were
> requests sent by router (I suppose, because I do not want to count
> that :-))
> 
> The session itself is authenticated without any problems, but I would
> like to stop that request flooding.
> 
> As I said, according to my quick verification, the problem applies
> only to one of the 3 available radius servers.
> 
> 
> Thanks for any help
> Sebastian
> 
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
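As an added illustration, not part of the thread and not code from Cisco IOS or from the RADIUS server, the following Python decodes the two raw packets quoted above and models the bookkeeping each side does with them: the router's outstanding-request table, which prints "Response for non-existent request ident" for every duplicate Access-Accept once the single real reply has been consumed, and the server's duplicate cache, which re-sends the cached reply for a retransmitted request (the "Cached response being re-sent" trace line). The shared secret is not in the post, so the Response Authenticator check is demonstrated under a constructed secret; the class and function names, the server label "195.114.x.x", and the secret are assumptions, and the 384-byte Access-Accept is transcribed from the 24-line dump as one hex string.

```python
import hashlib
import struct

# Request as printed by the server's "Raw Packet" trace in the post; the
# 384-byte Access-Accept from the same trace is transcribed as one hex string.
REQUEST_DUMP = """\
000: 0134005b 88da19e2 010ce4be fa497f58 |.4.[.........I.X|
010: 673cc88d 010f4649 524d4154 4553544f |g<....FIRMATESTO|
020: 57413102 12cbf1d1 d8ce4caf f4a8b259 |WA1.......L....Y|
030: 2ad54999 e63d0600 00000506 06000000 |*.I..=..........|
040: 05040621 21212120 14505249 4d415259 |...!!!! .PRIMARY|
050: 2d414747 52454741 544f52            |-AGGREGATOR     |
"""
RESPONSE_HEX = (
    "02340180bc0ae09550afb3b0592a320e" "471a284f19235342522d434c20444e3d"
    "224649524d41544553544f5741312220" "41543d223022001a1f00000009011969"
    "707365633a6b65792d65786368616e67" "653d6b6579001a290000000901236970"
    "7365633a6b65792d65786368616e6765" "3d7072657368617265642d6b6579001a"
    "2600000009012069707365633a6e6574" "6d61736b3d3235352e3235352e323535"
    "2e323535001a1b000000090115697073" "65633a67726f75702d6c6f636b3d3100"
    "1a2200000009011c69707365633a696e" "636c7564652d6c6f63616c2d6c616e3d"
    "30001a1b00000009011569707365633a" "74696d656f75743d33363030001a1c00"
    "000009011669707365633a69646c6574" "696d653d33363030001a280000000901"
    "2269707365633a646e732d7365727665" "72733d3139352e3131342e3136312e32"
    "001a1e00000009011869707365633a61" "6464722d706f6f6c3d454d5054590006"
    "06000000054515008001b83da3236f1b" "f72d05a65286012e3007400600000009"
)
ATTR = {1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 6: "Service-Type",
        25: "Class", 26: "Vendor-Specific", 32: "NAS-Identifier", 61: "NAS-Port-Type",
        64: "Tunnel-Type", 69: "Tunnel-Password"}

def hexdump_to_bytes(dump):
    """'OFF: hex words |ascii|' trace lines -> bytes (the ASCII column is ignored)."""
    words = []
    for line in dump.strip().splitlines():
        words += line.split(":", 1)[1].split("|", 1)[0].split()
    return bytes.fromhex("".join(words))

def parse_radius(data):
    """Decode the RFC 2865 header and the attribute TLVs, with bounds checks."""
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length != len(data):
        raise ValueError("length field %d vs %d bytes received" % (length, len(data)))
    attrs, pos = [], 20
    while pos < length:
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        value = data[pos + 2:pos + alen]
        if atype == 26:  # Vendor-Specific: vendor id, sub-type, sub-length, sub-value
            vendor, vtype, vlen = struct.unpack("!IBB", value[:6])
            value = (vendor, vtype, value[6:4 + vlen])
        attrs.append((ATTR.get(atype, str(atype)), value))
        pos += alen
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}

def response_authenticator(response, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(response[:4] + request_auth + response[20:] + secret).digest()

class NasRequestTable:
    """Router-side bookkeeping per server: outstanding (server, id) -> request bytes.
    A reply whose id is no longer outstanding yields the debug line from the post."""
    def __init__(self, secret):
        self.secret, self.pending = secret, {}

    def sent(self, server, request):
        self.pending[(server, request[1])] = request

    def received(self, server, response):
        request = self.pending.get((server, response[1]))
        if request is None:
            return "Response for non-existent request ident"
        if response_authenticator(response, request[4:20], self.secret) != response[4:20]:
            return "Response has bad authenticator, dropped"  # spoofed, or wrong secret
        del self.pending[(server, response[1])]
        return "Access-Accept" if response[0] == 2 else "code %d" % response[0]

class ServerDuplicateCache:
    """Server side: a retransmit (same client, id and request authenticator) gets the
    cached reply re-sent, which is the 'Cached response being re-sent' trace line."""
    def __init__(self):
        self.cache = {}

    def handle(self, client, request, build_response):
        key = (client, request[1], request[4:20])
        if key in self.cache:
            return "Cached response being re-sent", self.cache[key]
        self.cache[key] = build_response(request)
        return "Authenticating", self.cache[key]

def replay(copies=4, secret=b"constructed-secret"):
    """Router sends once; the server sees `copies` identical requests (as in the post)
    and answers each. Returns (server log, router log)."""
    req, resp = hexdump_to_bytes(REQUEST_DUMP), bytes.fromhex(RESPONSE_HEX)
    # The real shared secret is unknown, so re-sign the quoted reply under a constructed one.
    resp = resp[:4] + response_authenticator(resp, req[4:20], secret) + resp[20:]
    server, nas = ServerDuplicateCache(), NasRequestTable(secret)
    nas.sent("195.114.x.x", req)
    server_log, nas_log = [], []
    for _ in range(copies):
        action, reply = server.handle("33.33.33.33", req, lambda r: resp)
        server_log.append(action)
        nas_log.append(nas.received("195.114.x.x", reply))
    return server_log, nas_log
```

Running `replay(4)` reproduces both traces: the server answers the first copy and re-sends the cached reply for the other three, while the router accepts the first Access-Accept and logs the rest as responses for a non-existent ident. The same decoder applied to a capture taken in front of the server, as suggested in the reply above, shows whether the duplicates carry the router's original id and Request Authenticator (a replay of the one packet the router did send) or were generated elsewhere; the Response Authenticator check also rejects any reply not produced by a party holding the shared secret.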
