(RADIATOR) Disconnect after 12 hours with WindowsXP clients

Toomas Kärner tomkar at estpak.ee
Tue Dec 6 06:51:37 CST 2005


We had a situation that could also fit your case.
Wireless, DHCP, and time after time a subscriber gets disconnected and
immediately connected again. And all this with customers that had VPN
tunneling software running. As it turned out, the problem was in the VPN
configuration. They always got disconnected when their DHCP lease expired.
When DHCP tried to renew its address, its request was sent into the VPN
tunnel and not to the NAS. You'll always get such problems when using a VPN
profile that tunnels ALL the traffic - you might end up tunneling something
that doesn't belong there.
Maybe it helps.

Rgds.
Toomas

----- Original Message ----- 
From: "Hugh Irvine" <hugh at open.com.au>
To: "DELORT Stephane" <Stephane.DELORT at murex.com>
Cc: "NNNNNN Nnnnn" <Nnnnn.NNNNNN at murex.com>; <radiator at open.com.au>
Sent: Tuesday, December 06, 2005 12:18 AM
Subject: Re: (RADIATOR) Disconnect after 12 hours with WindowsXP clients


>
> Hello Stephane -
>
> Radiator is not initiating the disconnects.
>
> You should have a look at a trace 4 debug from Radiator to see what
> is reported in the RADIUS requests.
>
> regards
>
> Hugh
>
>
> On 5 Dec 2005, at 22:26, DELORT Stephane wrote:
>
> >
> > Hello,
> >
> > I am currently using Radiator as a RADIUS server beyond a Trapeze
> > switch. All the clients are Windows XP stations with patches and
> > drivers up to date for an 802.11 wireless configuration (PEAP/MSCHAP
> > v2).
> > After 12 hours of connection the station disconnects and reconnects
> > (seen by acct stop/start).
> > It happens with every station.
> >
> >
> >
> > The NAS is set to be "passthrough" and every parameter is set to 24
> > hours.
> > On the RADIUS, the only parameter that could have a role is, I
> > think, the EAPTLS_SessionResumptionLimit. It is also set to 24 hours.
> >
> > So, is there a known issue with Windows XP stations?
> > Could the EAPTLS_SessionResumptionLimit be responsible for these
> > disconnections?
> > How can I see if the disconnection is initiated from the RADIUS,
> > the switch or the station?
> >
> >
> > My PEAP config is shown below.
> >
> > Regards,
> > Stéphane
> >
> >
> >
> >
> >
> > *******************************************************
> >
> > <Handler Called-Station-Id=/MX_WIFI/ >
> > SessionDatabase NULL_SESSION_DB
> > MaxSessions 1
> > <AuthBy FILE>
> > EAPAnonymous %0
> > # The username of the outer authentication must be in this file
> > # to get anywhere. In this example, it requires an entry for
> > # 'anonymous', which is the standard username in the outer
> > # requests, and it also requires an entry for the actual user
> > # name who is trying to connect (ie the 'Login name' entered
> > # in the Funk Odyssey 'Edit Profile Properties' page)
> > #Filename %D/users
> >
> > # EAPType sets the EAP type(s) that Radiator will honour.
> > # Options are: MD5-Challenge, One-Time-Password
> > # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> > # Multiple types can be comma separated. With the default (most
> > # preferred) type given first
> > EAPType PEAP
> >
> > # EAPTLS_CAFile is the name of a file of CA certificates
> > # in PEM format. The file can contain several CA certificates
> > # Radiator will first look in EAPTLS_CAFile then in
> > # EAPTLS_CAPath, so there usually is no need to set both
> > #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> > EAPTLS_CAFile %D/certificates/certifs_murex/sdelort.crt
> >
> > # EAPTLS_CertificateFile is the name of a file containing
> > # the servers certificate. EAPTLS_CertificateType
> > # specifies the type of the file. Can be PEM or ASN1
> > # defaults to ASN1
> > #EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> > EAPTLS_CertificateFile %D/certificates/certifs_murex/sdelort.crt
> > EAPTLS_CertificateType PEM
> >
> > # EAPTLS_PrivateKeyFile is the name of the file containing
> > # the server's private key. It is sometimes in the same file
> > # as the server certificate (EAPTLS_CertificateFile).
> > # If the private key is encrypted (usually the case)
> > # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> > #EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> > #EAPTLS_PrivateKeyPassword whatever
> > EAPTLS_PrivateKeyFile %D/certificates/certifs_murex/sdelort.key
> > EAPTLS_PrivateKeyPassword murex
> >
> > # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> > # size that will be replied by Radiator. It must be small
> > # enough to fit in a single Radius request (ie less than 4096)
> > # and still leave enough space for other attributes.
> > # Aironet APs seem to need a smaller MaxFragmentSize
> > # (eg 1024) than the default of 2048. Others need even smaller
> > # sizes.
> > EAPTLS_MaxFragmentSize 1000
> >
> > # Some clients, depending on their configuration, may require you
> > # to specify MPPE send and receive keys. This _will_ be required
> > # if you select 'Keys will be generated automatically for data
> > # privacy' in the Funk Odyssey client Network Properties dialog.
> > # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> > # in the final Access-Accept
> > AutoMPPEKeys
> >
> > # You can enable some warning messages from the Net::SSLeay
> > # module by setting SSLeayTrace to an integer from 1 to 4
> > # 1=ciphers, 2=trace, 3=dump data
> > SSLeayTrace 4
> >
> > # You can configure the User-Name that will be used for the inner
> > # authentication. Defaults to 'anonymous'. This can be useful
> > # when proxying the inner authentication. If there is a realm, it
> > # can be used to choose a local Realm to handle the inner
> > # authentication.
> > # %0 is replaced with the EAP identity
> > # EAPAnonymous anonymous at some.other.realm
> >
> > # You can enable or disable support for TTLS Session Resumption and
> > # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> > # Default is enabled
> > #EAPTLS_SessionResumption 0
> >
> > # You can limit how long after the initial session that a session
> > # can be resumed with EAPTLS_SessionResumptionLimit (time in
> > # seconds). Defaults to 43200 (12 hours)
> > EAPTLS_SessionResumptionLimit 86400
> >
> > # You can control which version of the draft PEAP protocol to honour
> > # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual
> > # clients, such as Funk Odyssey Client 2.22 or later.
> > EAPTLS_PEAPVersion 0
> >
> > # You can make PEAP Version 1 support compatible with
> > # nonstandard PEAP V1 clients that use the old broken TLS
> > # encryption labels that appear to be used frequently, due to
> > # Microsoft's use of the incorrect label in its V0 client.
> > #EAPTLS_PEAPBrokenV1Label
> > </AuthBy>
> > </Handler>
> >
> > --
> > Archive at http://www.open.com.au/archives/radiator/
> > Announcements on radiator-announce at open.com.au
> > To unsubscribe, email 'majordomo at open.com.au' with
> > 'unsubscribe radiator' in the body of the message.
>
>
> NB:
>
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive (www.open.com.au/archives/
> radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
>

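As an added diagnostic example (not code from this thread or from Radiator), the script below reads constructed accounting detail records in a Radiator-style tab-indented layout, tallies the NAS-reported Acct-Terminate-Cause on each Stop so you can see which side ended the session, and flags sessions whose Acct-Session-Time sits at the 43200-second default of EAPTLS_SessionResumptionLimit. The log layout, user names and values are all made up for the example.

```python
# Flag accounting Stop records whose Acct-Session-Time matches a configured
# limit (43200 s is EAPTLS_SessionResumptionLimit's default) and tally the
# NAS-reported Acct-Terminate-Cause. Log layout and values are constructed.
import re
from collections import Counter

# RFC 2866 Acct-Terminate-Cause codes that tell you which side hung up.
TERMINATE_CAUSE = {1: "User-Request", 2: "Lost-Carrier", 4: "Idle-Timeout",
                   5: "Session-Timeout", 6: "Admin-Reset", 10: "NAS-Request"}

# Constructed sample: one block per record, first line is the timestamp.
SAMPLE_LOG = """Mon Dec  5 20:00:05 2005
\tAcct-Status-Type = Stop
\tUser-Name = "alice"
\tAcct-Session-Id = "0001"
\tAcct-Session-Time = 43205
\tAcct-Terminate-Cause = 5

Mon Dec  5 09:10:00 2005
\tAcct-Status-Type = Stop
\tUser-Name = "bob"
\tAcct-Session-Id = "0002"
\tAcct-Session-Time = 600
\tAcct-Terminate-Cause = User-Request
"""

def parse_records(text):
    """One dict per blank-line-separated block; 'Attr = value' lines inside."""
    records = []
    for block in text.strip().split("\n\n"):
        lines = block.splitlines()
        rec = {"timestamp": lines[0].strip()}
        for line in lines[1:]:
            m = re.match(r'\s*([\w-]+)\s*=\s*"?([^"]*)"?\s*$', line)
            if m:
                rec[m.group(1)] = m.group(2)
        records.append(rec)
    return records

def cause_name(value):
    """Accept either the numeric code or the dictionary name for the cause."""
    return TERMINATE_CAUSE.get(int(value), value) if value.isdigit() else value

def stop_report(records, limit=43200, tolerance=60):
    """Return (sessions within tolerance of limit, Counter of causes)."""
    hits, causes = [], Counter()
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        cause = cause_name(r.get("Acct-Terminate-Cause", "unknown"))
        causes[cause] += 1
        if abs(int(r.get("Acct-Session-Time", 0)) - limit) <= tolerance:
            hits.append((r["User-Name"], r["Acct-Session-Id"], cause))
    return hits, causes
```

A cluster of hits with Session-Timeout at one limit points at a timer on the NAS or server side, while User-Request or Lost-Carrier at irregular times points at the client, which is the distinction Stephane's question is after.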