[prev in list] [next in list] [prev in thread] [next in thread]
List: freeradius-users
Subject: Re: Configurations for proxying radius requests to home-server using TCP
From: Alan DeKok <aland () deployingradius ! com>
Date: 2021-08-26 21:40:42
Message-ID: D1A43726-B9CE-4A18-8DBD-F0D9EFCF5768 () deployingradius ! com
[Download RAW message or body]
On Aug 26, 2021, at 2:48 PM, Abhilash Y G <ygabhi@gmail.com> wrote:
>
> Proxying to homeserver using a TCP connection is causing issue.
> I am seeing the response from the homeserver, it seems like freeradius
> running on proxy server is not honoring the response.
> I have attached the debug logs collected on the proxying server
> (debug_proxy_server.txt), homeservers (debug_homeserver.txt).
>
> I had to trim the logs to focus on issue logs due to limitation in sending
> attachments more than 500KB.
It's generally a good idea to trim the logs so that only the relevant information \
is sent to the list. If you send megabytes of irrelevant logs, it's likely that \
people will just ignore the message.
Plus, the debug log shows the server receiving many packets at the same time. This \
makes it more difficult to see what's going on.
One useful skill for debugging is knowing how to simplify the problem. Don't try \
to debug issues in production, with tons of packets going by. It will be impossible. \
Instead, set up one or more test systems. You can then send ONE request, and follow \
it through the proxy chain.
> Please advise if any configuration changes are needed on the proxying
> server to handle the requests without timeouts.
That is not a useful way to phrase things. As you've been told, FreeRADIUS replies \
to all packets it gets, UNLESS you've done something to break the configuration.
From the debug log on the proxy:
(28) Received Access-Request Id 27 from 172.29.93.13:2000 to 0.0.0.0:2083 length 687
(28) User-Name = "03111800000899580"
(28) NAS-Identifier = "wifi"
...
This is proxied:
(28) Proxying request to home server 206.XX.XXX.70 port 1234 timeout 3.000000
(28) Sent Access-Request Id 120 from 172.19.0.2:37787 to 206.XX.XXX.70:1234 length \
691 (28) User-Name = "03111800000899580"
(28) NAS-Identifier = "wifi"
Which then gets to the home server:
(13) Received Access-Request Id 120 from 206.XX.XXX.117:37787 to 0.0.0.0:1234 length \
691 (13) User-Name = "03111800000899580"
(13) NAS-Identifier = "wifi"
The IDs match. But the IP addresses are different. So there's a NAT, or another \
proxy server involved.
That request is proxied in turn to another server:
(13) Proxying request to home server 206.XX.XXX.71 port 1817 timeout 3.000000
(13) Sent Access-Request Id 54 from 0.0.0.0:44020 to 206.XX.XXX.71:1817 length 696
(13) User-Name = "03111800000899580"
Which replies:
(13) Received Access-Accept Id 54 from 206.XX.XXX.71:1817 to 172.18.0.2:44020 length \
640 (13) Class = 0x4469616d657465722f6175732d653035342d726d722e636f72702e776179706f7 \
2742e6e65743b313632393739323030323b343531363b3033313131383030303030383939353840776c616 \
e2e6d6e633138302e6d63633331312e336770706e6574776f726b2e6f72673b6175732d653035342d726d722e636f72702e776179706f72742e6e6574
...
And sends the Access-Challenge back to the proxy:
(13) Sent Access-Accept Id 120 from 0.0.0.0:1234 to 206.XX.XXX.117:37787 length 0
(13) Class = 0x4469616d657465722f6175732d653035342d726d722e636f72702e776179706f72742 \
e6e65743b313632393739323030323b343531363b3033313131383030303030383939353840776c616e2e6 \
d6e633138302e6d63633331312e336770706e6574776f726b2e6f72673b6175732d653035342d726d722e636f72702e776179706f72742e6e6574
...
And then nothing comes back to the proxy.
But there are other weird things in the trace. On the "home server", it says:
(5) State = 0x4469616d657465722f68706e623032766f6c746568762e6570632e6d6e633138302e6d \
63633331312e336770706e6574776f726b2e6f72672f6570632e6d6e633138302e6d63633331312e336770 \
706e6574776f726b2e6f72672f6175732d653035342d726d722e636f72702e776179706f72742e6e65743b \
313632393739323030323b343531363b3033313131383030303030383939353840776c616e2e6d6e633138 \
302e6d63633331312e336770706e6574776f726b2e6f72673b6175732d653035342d726d722e636f72702e776179706f72742e6e6574
What the heck is that? Oh wait, it's just ASCII:
Diameter/hpnb02voltehv.epc.mnc180.mcc311.3gppnetwork.org/epc.mnc180.mcc311.3gppnetwork \
.org/aus-e054-rmr.corp.wayport.net;1629792002;4516;0311180000089958@wlan.mnc180.mcc311.3gppnetwork.org;aus-e054-rmr.corp.wayport.net
So no, you are NOT using FreeRADIUS everywhere. FreeRADIUS DOES NOT produce that \
kind of State attribute. So you're using some kind of RADIUS to Diameter gateway.
There's also this:
(5) Proxy-State = 0x000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f \
202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a \
4b4c4d4e4f505152535455565758595a5b5c5d5e5f606162636465666768696a6b6c6d6e6f707172737475 \
767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0 \
a1a2a3a4a5a6a7a8a9aaabacadaeafb0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacb \
cccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfc
Again, that is ridiculous, and not created by FreeRADIUS.
But
So to summarize:
* the debug output shows that many packets get replies, but some don't get replies.
* There's not one proxy.
* There's two
* the home server isn't a home server. It's a proxy to the "real" home server
* Almost all of the packets are going back and forth just fine. i.e. ALL RADIUS \
servers reply
* the ACTUAL home server is some kind of horrific RADIUS to Diameter gateway.
What's happening is that there's some kind of NAT gateway / firewall which is \
dropping the TCP traffic. It's probably either blocking the TCP connections after a \
bit, or it's tearing them down.
Don't put firewalls between your RADIUS servers. Don't have firewalls drop RADIUS \
traffic. It's bad.
PLEASE set up a test system. Trying to debug issues in production is just too \
difficult. You get megabytes of logs, and no idea where to look for problems.
There's nothing wrong with FreeRADIUS. Your network is broken. No amount of \
poking FreeRADIUS will fix the network. Go fix the network.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic