AC is not working with freeradius server

Publication Date: 2016-10-18

Issue Description

We have 2 ACU2 units working in an active/standby scenario. The master works correctly, but when we switch to the standby, authentication does not work. When we connect through the master ACU2 we are assigned to VLAN 305, which is correct. When we switch over and connect through the standby ACU2, we are assigned to VLAN 498.

interface Wlan-Ess1
  description eduroam wlan interface
  port hybrid untagged vlan 305 313 498
  dot1x enable
  dot1x authentication-method eap
  permit-domain name xxx
  force-domain name xxx
  port-isolate enable

wlan
  service-set name xxx id 1
   forward-mode tunnel
   wlan-ess 1
   ssid xxx
   user-isolate
   traffic-profile id 0
   security-profile id 0
   service-vlan 498

According to the debug information, it seems that on the standby some attributes are not sent by the RADIUS server: the Tunnel-Type and Tunnel-Medium-Type attributes are missing.

Debug using master:

Sending Access-Accept of id 50 to 10.1.252.31 port 1812
    Tunnel-Type:0 = VLAN
    Tunnel-Medium-Type:0 = IEEE-802
    Tunnel-Private-Group-Id:0 = "305"
    Reply-Message = "Staff User"
    User-Name = "npac"
    MS-MPPE-Recv-Key = 0xcd68ae34cbf47a3d1bf8f4f883e8d7fc599d7fc154b95d745113b9112f137a3f
    MS-MPPE-Send-Key = 0xe344832782972d5d768b5877f744515f64b138329b34ef37b865df55c3747e16
    EAP-Message = 0x03020004
    Message-Authenticator = 0x00000000000000000000000000000000

Debug using standby:

Sending Access-Accept of id 221 to 10.1.252.31 port 1812
    Reply-Message = "Remote ncl.ac.uk eduroam user"
    User-Name = "npac"
    Tunnel-Private-Group-Id:0 = "305"
    MS-MPPE-Recv-Key = 0xa79ee358b4cd055d7bf04bf326e0d2e0642f8c1c4e2eea6d723e7850eeb42a17
    MS-MPPE-Send-Key = 0x7b4bec894ddf959b814ff3ce567fa4398a2956ef7471383403a8fca03729881c
    EAP-Message = 0x03380004
    Message-Authenticator = 0x00000000000000000000000000000000
 

Solution
It turns out the FreeRADIUS configuration rule was too long for the buffer it was using to parse the config file (253 characters) and was being truncated at olb-host-003, so most of the backup controllers would have failed on this rule and moved on to the next one.

It turns out that the standby controller pushed it over the buffer size.

I've split all the rules up into smaller sizes so they don't overflow the buffer and now they match correctly.

The rule is shown below:

DEFAULT User-Name =~ "^[nN][a-zA-Z0-9]+@test.ro", NAS-Identifier =~ "clt-host-test|clt-host-001|clt-host-002|clt-host-003|clt-host-004|clt-host-005|clt-host-006|clt-host-007|clt-host-008|clt-host-009|clt-host-010|clt-host-021|clt-host-022|olb-host-test|olb-host-001|olb-host-002|olb-host-003|olb-host-004|olb-host-005|olb-host-006|olb-host-007|olb-host-008|olb-host-009|olb-host-010|olb-host-021|olb-host-022"
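
The truncation and the split described above, as an added example (not part of the original case and not FreeRADIUS code). It rebuilds the rule from the host names shown above, assumes the 253-character limit applies to the whole rule line, and uses hypothetical function names.

```python
LIMIT = 253  # parser buffer size reported in this case

# Check items copied from the rule above, up to the opening quote of the host list.
PREFIX = 'DEFAULT User-Name =~ "^[nN][a-zA-Z0-9]+@test.ro", NAS-Identifier =~ "'

# Host names in the same order as in the rule above.
NUMS = ["test"] + [f"{n:03d}" for n in (*range(1, 11), 21, 22)]
HOSTS = [f"{site}-host-{n}" for site in ("clt", "olb") for n in NUMS]
RULE = PREFIX + "|".join(HOSTS) + '"'


def alternatives(rule):
    """Return the NAS-Identifier alternatives present in a (possibly cut) rule."""
    value = rule.split('NAS-Identifier =~ "', 1)[1].split('"', 1)[0]
    return [alt for alt in value.split("|") if alt]


def lost_hosts(rule, limit=LIMIT):
    """Hosts that no longer appear whole once the rule is cut to `limit` chars.

    Assumption: the limit applies to the whole rule line.
    """
    kept = set(alternatives(rule[:limit]))
    return [h for h in alternatives(rule) if h not in kept]


def split_rule(prefix, hosts, limit=LIMIT):
    """Greedily pack hosts into several rules, each at most `limit` chars long."""
    rules, chunk = [], []
    for host in hosts:
        if chunk and len(prefix + "|".join(chunk + [host]) + '"') > limit:
            rules.append(prefix + "|".join(chunk) + '"')
            chunk = []
        chunk.append(host)
    if chunk:
        rules.append(prefix + "|".join(chunk) + '"')
    return rules


if __name__ == "__main__":
    print(len(RULE), "chars; hosts lost to truncation:", lost_hosts(RULE))
    for r in split_rule(PREFIX, HOSTS):
        print(len(r), "chars; lost:", lost_hosts(r))
        print(r)
```

Each generated check line needs the original rule's reply attributes repeated beneath it in the users file, since an entry that matches stops processing unless Fall-Through is set.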
