[rbak-nsp] Clips and radius problem
ADMINET Uslugi Informatyczne
mail at adminet.net.pl
Tue May 14 09:30:24 EDT 2013
Hello Friends,
I have a little problem with the CLIPS service. When I set aaa authentication
none, DHCP assigns an IP to the subscriber correctly from the DHCP range. When I
configure aaa authentication local and add subscriber username 00:25.90....
it still works. When I define aaa authentication subscriber radius and
add a RADIUS server, the subscriber cannot bind to the circuit and cannot be
authenticated.
Here is my config:
[dhcp]bras_Robaczek#show configuration
Building configuration...
Current configuration:
!
context dhcp
!
no ip domain-lookup
!
interface dhcp-biznesowi multibind
ip address 10.0.0.1/26
dhcp server interface
!
interface radius
ip address 192.168.4.11/24
no logging console
!
aaa authentication administrator local
aaa authentication administrator maximum sessions 1
aaa authentication subscriber radius
!
radius server 192.168.4.2 encrypted-key 460350D401780171
!
subscriber default
dhcp max-addrs 1
dns primary 192.168.88.1
dns secondary 192.168.88.12
!
dhcp server policy
option domain-name-server 192.168.88.12
default-lease-time 1800
maximum-lease-time 3600
subnet 10.0.0.0/26
range 10.0.0.2 10.0.0.22
option router 10.0.0.1
!
/etc/freeradius/users
00:25:90:7a:df:10 Auth-Type := Local, Cleartext-Password:="Redback"
Framed-IP-Address = 10.0.0.24,
Framed-IP-Netmask = 255.255.255.128,
Dhcp-Max-Leases = 1,
# Context_Name = dhcp,
Service-Type = Outbound-User,
RADIUS logs:
Tue May 14 15:14:47 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.11 port 1812, id=147,
length=230
User-Name = "00:25:90:7a:df:10"
User-Password = "Redback"
Service-Type = Outbound-User
NAS-Identifier = "bras_Robaczek"
NAS-Port = 33619968
NAS-Real-Port = 553648227
NAS-Port-Type = Virtual
NAS-Port-Id = "2/1 vlan-id 99 clips 136525"
Medium-Type = DSL
Mac-Addr = "00-25-90-7a-df-10"
Platform-Type = SE-100
OS-Version = "6.5.1.5"
DHCP-Option = "==\007\001\000%\220z\337\020"
DHCP-Option = "\014\014\010MikroTik"
Tue May 14 15:14:47 2013 : Info: # Executing section authorize from file
/etc/freeradius/sites-enabled/default
Tue May 14 15:14:47 2013 : Info: +- entering group authorize {...}
Tue May 14 15:14:47 2013 : Info: ++[preprocess] returns ok
Tue May 14 15:14:47 2013 : Info: ++[chap] returns noop
Tue May 14 15:14:47 2013 : Info: ++[mschap] returns noop
Tue May 14 15:14:47 2013 : Info: ++[digest] returns noop
Tue May 14 15:14:47 2013 : Info: [suffix] No '@' in User-Name =
"00:25:90:7a:df:10", looking up realm NULL
Tue May 14 15:14:47 2013 : Info: [suffix] No such realm "NULL"
Tue May 14 15:14:47 2013 : Info: ++[suffix] returns noop
Tue May 14 15:14:47 2013 : Info: [files] users: Matched entry
00:25:90:7a:df:10 at line 6
Tue May 14 15:14:47 2013 : Info: ++[files] returns ok
Tue May 14 15:14:47 2013 : Info: ++[expiration] returns noop
Tue May 14 15:14:47 2013 : Info: ++[logintime] returns noop
Tue May 14 15:14:47 2013 : Info: [pap] WARNING: Auth-Type already set. Not
setting to PAP
Tue May 14 15:14:47 2013 : Info: ++[pap] returns noop
Tue May 14 15:14:47 2013 : Info: Found Auth-Type = Local
Tue May 14 15:14:47 2013 : Info: WARNING: Please update your configuration,
and remove 'Auth-Type = Local'
Tue May 14 15:14:47 2013 : Info: WARNING: Use the PAP or CHAP modules
instead.
Tue May 14 15:14:47 2013 : Info: User-Password in the request is correct.
Tue May 14 15:14:47 2013 : Info: # Executing section post-auth from file
/etc/freeradius/sites-enabled/default
Tue May 14 15:14:47 2013 : Info: +- entering group post-auth {...}
Tue May 14 15:14:47 2013 : Info: ++[exec] returns noop
Sending Access-Accept of id 147 to 192.168.4.11 port 1812
Framed-IP-Address = 10.0.0.24
Framed-IP-Netmask = 255.255.255.128
Service-Type = Outbound-User
Tue May 14 15:14:47 2013 : Info: Finished request 136.
Tue May 14 15:14:47 2013 : Debug: Going to the next request
Tue May 14 15:14:47 2013 : Debug: Waking up in 4.9 seconds.
SEOS-6.5.1.5-Release, freeradius: FreeRADIUS Version 2.1.12.
I have no idea what I am doing wrong. Thanks for any help.
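Added example, not part of the original post: a Python cross-check of the values posted above, comparing the reply items in the users entry with the Access-Accept in the debug log and with the interface and DHCP range in the SEOS config. The function and variable names are illustrative; the result only flags inconsistencies between the posted values and does not establish why the subscriber fails to bind.

```python
import ipaddress
import re

# Values copied from the post: users-file reply items, the Access-Accept
# in the debug log, and the SEOS interface / DHCP policy.
USERS_REPLY = """\
Framed-IP-Address = 10.0.0.24,
Framed-IP-Netmask = 255.255.255.128,
Dhcp-Max-Leases = 1,
# Context_Name = dhcp,
Service-Type = Outbound-User,
"""
ACCESS_ACCEPT = """\
Sending Access-Accept of id 147 to 192.168.4.11 port 1812
Framed-IP-Address = 10.0.0.24
Framed-IP-Netmask = 255.255.255.128
Service-Type = Outbound-User
"""
INTERFACE = "10.0.0.1/26"                 # interface dhcp-biznesowi
DHCP_RANGE = ("10.0.0.2", "10.0.0.22")    # range in dhcp server policy

# "Name = value" or "Name := value", with an optional trailing comma.
ATTR = re.compile(r"^\s*([A-Za-z][\w-]*)\s*:?=\s*(.+?),?\s*$")

def parse_attrs(text):
    """Return {attribute: value}, skipping comments and non-attribute lines."""
    attrs = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        m = ATTR.match(line)
        if m:
            attrs[m.group(1)] = m.group(2).strip('"')
    return attrs

def audit(users_reply, access_accept, interface, dhcp_range):
    """Compare configured reply items, the sent reply, and the BRAS addressing."""
    configured, sent = parse_attrs(users_reply), parse_attrs(access_accept)
    iface = ipaddress.ip_interface(interface)
    addr = ipaddress.ip_address(sent["Framed-IP-Address"])
    lo, hi = (ipaddress.ip_address(a) for a in dhcp_range)
    return {
        "configured_not_sent": sorted(set(configured) - set(sent)),
        "address_in_interface_subnet": addr in iface.network,
        "address_in_dhcp_range": lo <= addr <= hi,
        "netmask_matches_interface": sent["Framed-IP-Netmask"] == str(iface.netmask),
    }

if __name__ == "__main__":
    for check, result in audit(USERS_REPLY, ACCESS_ACCEPT, INTERFACE, DHCP_RANGE).items():
        print(f"{check}: {result}")
```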
--------------------------------------------------
From: <redback-nsp-request at puck.nether.net>
Sent: Sunday, May 05, 2013 6:00 PM
To: <redback-nsp at puck.nether.net>
Subject: redback-nsp Digest, Vol 65, Issue 2
> Today's Topics:
>
> 1. uRPF (Ali Norouzi)
> 2. Re: uRPF (Jim Tyrrell)
> 3. Re: uRPF (Yuri Shefer)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 4 May 2013 16:39:27 +0430
> From: Ali Norouzi <norouzi1983 at gmail.com>
> To: redback-nsp at puck.nether.net
> Subject: [rbak-nsp] uRPF
> Message-ID:
> <CAK1yZrnywKuTBBtgQysgMb9PivAqsMkmA9jyG2YQKcuf4VFN7g at mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello Friends,
>
> There is a spoofing problem in the BRAS. The BRASs are SE-100 and SE-800. Is
> there anything like RPF (Reverse Path Forwarding) in SEOS?
>
> Thank you
>
> ------------------------------
>
> Message: 2
> Date: Sat, 04 May 2013 20:55:32 +0100
> From: Jim Tyrrell <jim at scusting.com>
> To: Ali Norouzi <norouzi1983 at gmail.com>
> Cc: redback-nsp at puck.nether.net
> Subject: Re: [rbak-nsp] uRPF
> Message-ID: <518567B4.7000701 at scusting.com>
> Content-Type: text/plain; charset="iso-8859-1"; Format="flowed"
>
> Look at 'ip source-validation'.
>
> context <name>
> subscriber default
> ip source-validation
>
>
> Jim.
>
> On 04/05/2013 13:09, Ali Norouzi wrote:
>> Hello Friends,
>>
>> There is a spoofing problem in the BRAS. The BRASs are SE-100 and SE-800.
>> Is there anything like RPF (Reverse Path Forwarding) in SEOS?
>>
>> Thank you
>>
>>
>
>
> ------------------------------
>
> Message: 3
> Date: Sat, 4 May 2013 22:36:00 -0700
> From: Yuri Shefer <shefys at gmail.com>
> To: Ali Norouzi <norouzi1983 at gmail.com>
> Cc: redback-nsp at puck.nether.net
> Subject: Re: [rbak-nsp] uRPF
> Message-ID: <93CD0246-C830-4519-ADA1-4D52C5D4A903 at gmail.com>
> Content-Type: text/plain; charset=iso-8859-1
>
> Hi Ali,
>
> For normal interfaces you can use "ip verify unicast source reachable-via
> <option>" command under interface configuration.
>
> [local]SE600(config-if)#ip verify unicast source reachable-via ?
> any Source ip address can be reached by any interface
> rx Source address must be reachable thru the incoming interface
>
> BR, Yury.
>
>
> On May 4, 2013, at 5:09 AM, Ali Norouzi <norouzi1983 at gmail.com> wrote:
>
>> Hello Friends,
>>
>> There is a spoofing problem in the BRAS. The BRASs are SE-100 and SE-800. Is
>> there anything like RPF (Reverse Path Forwarding) in SEOS?
>