FreeRADIUS ignoring packets

I am currently setting up a Cisco ASR1k as a PPPoE BRAS.

I use freeradius as the authentication service. The setup is Ubuntu 14.04 LTS with a rather outdated freeradius 2.1.12 installed via APT.

freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on Aug 26 2015 at 14:47:03

I run freeradius on an IPv6 socket.

The problem is that the radius packets sent by the Cisco LAC router are completely ignored and dropped. Running freeradius in -X debug mode only shows the message "Ready to process requests." repeated every 10 seconds.

TCPDUMP shows the Access-Request packets being received, but no reply is sent.

21:49:13.619711 IP6 2001:4cd8::X.21646 > 2001:4cd8::Y.1812: RADIUS, Access Request (1), id: 0x14 length: 145
21:49:18.653658 IP6 2001:4cd8::X.21646 > 2001:4cd8::Y.1812: RADIUS, Access Request (1), id: 0x14 length: 145

ufw is disabled and no iptables rules are applied.

radtest on localhost succeeds, and an "automate-tester" is configured on the Cisco box itself with the same user credentials.

So I don't think there is a general error in the configuration; rather, it seems that some attribute in the original Access-Request packet causes freeradius to ignore it completely.

freeradius -X shows no output at all.

Below you will see the full "debug radius verbose" output from the Cisco ASR, sorry for the obfuscated IPs.

Mar 15 21:08:44.983: RADIUS/ENCODE(00001009):Orig. component type = PPPoE
Mar 15 21:08:44.983: RADIUS: DSL line rate attributes successfully added
Mar 15 21:08:44.983: RADIUS(00001009): Config NAS IP: X.X.X.X
Mar 15 21:08:44.983: RADIUS(00001009): Config NAS IPv6: 2001:4CD8:::X
Mar 15 21:08:44.983: RADIUS/ENCODE(00001009): acct_session_id: 4095
Mar 15 21:08:44.983: RADIUS(00001009): sending
Mar 15 21:08:44.983: RADIUS/ENCODE: Best Local IPv6-Address 2001:4CD8:::X for Radius-Server 2001:4CD8:::Y
Mar 15 21:08:44.983: RADIUS(00001009): Send Access-Request to 2001:4CD8:::Y:1812 id 21646/94, len 145
Mar 15 21:08:44.983: RADIUS:  authenticator E0 41 D9 2A 4B 76 67 34 - CA 07 D2 29 EB 04 56 F1
Mar 15 21:08:44.983: RADIUS:  Framed-Protocol     [7]   6   PPP                       [1]
Mar 15 21:08:44.983: RADIUS:  User-Name           [1]   12  "user-2"
Mar 15 21:08:44.983: RADIUS:  User-Password       [2]   18  *
Mar 15 21:08:44.983: RADIUS:  NAS-Port-Type       [61]  6   Virtual                   [5]
Mar 15 21:08:44.983: RADIUS:  NAS-Port            [5]   6   0                         
Mar 15 21:08:44.983: RADIUS:  NAS-Port-Id         [87]  12  "0/0/3/1996"
Mar 15 21:08:44.983: RADIUS:  Vendor, Cisco       [26]  41  
Mar 15 21:08:44.983: RADIUS:   Cisco AVpair       [1]   35  "client-mac-address=0078.8827.6b03"
Mar 15 21:08:44.983: RADIUS:  Service-Type        [6]   6   Framed                    [2]
Mar 15 21:08:44.983: RADIUS:  NAS-IPv6-Address    [95]  18  2001:4CD8:::X
Mar 15 21:08:44.983: RADIUS(00001009): Sending a IPv6 Radius Packet
Mar 15 21:08:44.983: RADIUS: IPv6 udp send - source address: 2001:4CD8:::X, dest address: 2001:4CD8:::Y
Mar 15 21:08:44.983: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:50.022: RADIUS(00001009): Request timed out! 
Mar 15 21:08:50.023: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:08:50.023: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:55.029: RADIUS(00001009): Request timed out! 
Mar 15 21:08:55.029: %RADIUS-4-RADIUS_DEAD: RADIUS server 2001:4CD8:::Y:1812,1813 is not responding.
Mar 15 21:08:55.029: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:08:55.029: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:08:55.030: %RADIUS-4-RADIUS_ALIVE: RADIUS server 2001:4CD8:::Y:1812,1813 is being marked alive.
Mar 15 21:09:00.063: RADIUS(00001009): Request timed out! 
Mar 15 21:09:00.063: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:00.063: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:05.105: RADIUS(00001009): Request timed out! 
Mar 15 21:09:05.105: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:05.105: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:10.152: RADIUS(00001009): Request timed out! 
Mar 15 21:09:10.153: RADIUS: Retransmit to (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:10.153: RADIUS(00001009): Started 5 sec timeout
Mar 15 21:09:15.159: RADIUS(00001009): Request timed out! 
Mar 15 21:09:15.159: RADIUS: No response from (2001:4CD8:::Y:1812,1813) for id 21646/94
Mar 15 21:09:15.159: RADIUS/DECODE: No response from radius-server; parse response; FAIL
Mar 15 21:09:15.159: RADIUS/DECODE: Case error(no response/ bad packet/ op decode);parse response; FAIL

Any idea how to isolate or solve this issue?

Best regards, Andreas
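One thing worth checking when a NAS says "len 145" and the server stays silent is whether the packet on the wire is actually a well-formed RADIUS Access-Request (RFC 2865) with those attributes, or whether something in the encoding would make a server drop it before logging. The script below is an added example written for this thread, not code from the question, from FreeRADIUS or from Cisco. It rebuilds an Access-Request with the same attribute set the ASR debug shows (Framed-Protocol, User-Name, User-Password, NAS-Port-Type, NAS-Port, NAS-Port-Id, Cisco AVpair, Service-Type, NAS-IPv6-Address), using the authenticator from the debug output, and then parses it back and checks the attribute lengths and the 145-byte total. The shared secret, username, password and NAS IPv6 address are constructed placeholders, since the real ones are not on the page (the username is chosen to be 10 characters so that the User-Name attribute is 12 bytes, as in the debug).

```python
import hashlib
import socket
import struct

# Constructed values standing in for the obfuscated ones in the question.
SHARED_SECRET = b"example-secret"          # assumption: real secret not on the page
NAS_IPV6 = "2001:4cd8::1"                  # placeholder for 2001:4CD8:::X
# Request Authenticator exactly as printed in the ASR debug output.
AUTHENTICATOR = bytes.fromhex("E041D92A4B766734CA07D229EB0456F1")

ACCESS_REQUEST = 1
VENDOR_CISCO = 9


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if len(password) > 128:
        raise ValueError("User-Password is limited to 128 octets")
    padded = password + b"\x00" * (-len(password) % 16) or b"\x00" * 16
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password (what the server does before checking the password)."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(a ^ b for a, b in zip(block, key)), block
    return out.rstrip(b"\x00")


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id: int, vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific (26): 4-byte Vendor-Id followed by a vendor TLV."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    return avp(26, struct.pack("!I", vendor_id) + inner)


def build_access_request(ident: int, authenticator: bytes, username: bytes,
                         password: bytes, secret: bytes) -> bytes:
    """Assemble the Access-Request in the attribute order shown by 'debug radius verbose'."""
    attrs = b"".join([
        avp(7, struct.pack("!I", 1)),                        # Framed-Protocol = PPP
        avp(1, username),                                    # User-Name
        avp(2, hide_password(password, secret, authenticator)),  # User-Password
        avp(61, struct.pack("!I", 5)),                       # NAS-Port-Type = Virtual
        avp(5, struct.pack("!I", 0)),                        # NAS-Port = 0
        avp(87, b"0/0/3/1996"),                              # NAS-Port-Id (from the debug)
        vsa(VENDOR_CISCO, 1, b"client-mac-address=0078.8827.6b03"),  # Cisco AVpair
        avp(6, struct.pack("!I", 2)),                        # Service-Type = Framed
        avp(95, socket.inet_pton(socket.AF_INET6, NAS_IPV6)),  # NAS-IPv6-Address
    ])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_packet(data: bytes) -> dict:
    """Decode header and attributes with the same sanity checks a server applies
    before it will even log a request: Length must be 20..4096 and fit the datagram,
    and every attribute Length must be >= 2 and stay inside the packet."""
    if len(data) < 20:
        raise ValueError("datagram shorter than RADIUS header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096 or length > len(data):
        raise ValueError("bad packet length")
    attrs, pos = [], 20
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length at offset %d" % pos)
        value = data[pos + 2:pos + attr_len]
        if attr_type == 26:  # unwrap Vendor-Specific into (vendor, vtype, value)
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            value = (vendor, vtype, value[6:4 + vlen])
        attrs.append({"type": attr_type, "length": attr_len, "value": value})
        pos += attr_len
    return {"code": code, "id": ident, "length": length,
            "authenticator": data[4:20], "attrs": attrs}


if __name__ == "__main__":
    pkt = build_access_request(0x14, AUTHENTICATOR, b"pppoe-user", b"secret-pw", SHARED_SECRET)
    parsed = parse_packet(pkt)
    print("code %d id %d len %d" % (parsed["code"], parsed["id"], parsed["length"]))
    for a in parsed["attrs"]:
        print("  attr %3d len %3d %r" % (a["type"], a["length"], a["value"]))
```

Feeding a packet captured with tcpdump or radsniff into parse_packet is a quick way to separate "the server never saw it" (nothing at all in -X, as in the question) from "the server saw something it could not decode". A packet whose lengths line up, like this one does, points back at sockets, clients.conf and the kernel path rather than at the attributes.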

Answer 1

If FreeRADIUS shows no debug output at all, then either the server is not receiving the packets from the kernel, or you are listening on the wrong port.

Trace it with radsniff -i <interface>. It will show any packets received on UDP ports 1812/1813.

If you do see packets, verify with netstat -lun | grep 181[23] that FreeRADIUS is listening on those ports.

Also verify that the reverse route for the packets goes out the same interface they are received on, or disable RPS (http://www.slashroot.in/linux-kernel-rpfilter-settings-reverse-path-filtering).

Answer 2

Solved the problem by upgrading to freeradius 3.0.
