[RADIATOR] No Framed-IP in reply

Hugh Irvine hugh at open.com.au
Mon Mar 29 00:07:59 CDT 2010


Hello Corey -

It would be very helpful to see your complete configuration file together with a more complete trace 4 debug.

Yes, Ciscos are picky - in general the reply attributes need to match the request attributes.

If I can see your configuration file and debug it will help a lot to understand what is going on.

You seem to have a "Framed-IP-Address" set somewhere, but it looks like it is not in the correct format.

As you say, you can allocate IP addresses in various ways, depending on the AP. Details will depend on what your AP supports.

For accounting, some APs don't support RADIUS accounting at all, and others need to have it configured separately to the authentication.

You will need to check your AP documentation for details.

regards

Hugh

On 29 Mar 2010, at 15:58, Corey Gray wrote:

> Hi Hugh,
>    Sorry for the lateness of the reply.  The Framed IP address was me trying to give the client an IP address manually through Radiator. I have sorted out the two Service-Type = Framed-User, Framed-Protocol = PPP; I wasn't stripping these before adding them. (Still not sure why they don't show up without that in the config).
> 
> Basically what I am trying to do is have people log onto the 'wireless' network using AD logins. Authentication is working perfectly, but there are no accounting requests sent, and also the AP (Cisco WRT310N) won't issue an IP address to the client after access-accept. I have tried to do this with our main DHCP server and having the AP issue but no luck.
> 
> I have heard that Cisco in particular is very picky about what reply attributes are needed, so with the config file below is there anything I am missing or could this just be an AP issue?
> 
> Thanks a lot for your time Hugh, you've been a great help
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Wednesday, 24 March 2010 8:39 AM
> To: Corey Gray
> Cc: Radiator at open.com.au
> Subject: Re: [RADIATOR] No Framed-IP in reply
> 
> 
> Hello Corey -
> 
> The important line of the debug is this:
> 
>> Wed Mar 24 07:59:35 2010: ERR: Bad attribute=value pair: Framed-IP-Address
> 
> but it is not clear to me where this is coming from?
> 
> Also, there are two Service-Type = Framed-User, Framed-Protocol = PPP in your reply?
> 
> Can you give me a bit more detail on what you are doing?
> 
> regards
> 
> Hugh
> 
> 
> 
> On 24 Mar 2010, at 08:55, Corey Gray wrote:
> 
>> Hi,
>>   I'm currently running Radiator 4.6 using AuthByNTLM. Everything seems to work correctly, but there is no Framed-IP in the reply field
>> 
>> Here is the config
>> 
>> 
>> <Handler Client-Identifier=TSA>
>>        RewriteUsername s/^(.*)\\(.*)/$2/
>>                <AuthBy NTLM>
>>                        Domain TSA
>>                        EAPType PEAP TTLS MSCHAP-V2
>>                        #TSA Certificates
>>                        EAPTLS_CAPath /etc/radiator/certificates
>>                        EAPTLS_CertificateFile /etc/radiator/certificates/tsa_server.crt
>>                        EAPTLS_CertificateType PEM
>>                        EAPTLS_PrivateKeyFile /etc/radiator/certificates/tsa_priv.key
>>                        EAPTLS_PrivateKeyPassword tsasoft12
>>                        EAPTLS_MaxFragmentSize 1000
>>                        UsernameMatchesWithoutRealm
>>                        EAPType MSCHAP-V2
>>                        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
>>                </AuthBy>
>> </Handler>
>> 
>> 
>> Here is the last reply from radiator
>> 
>> Wed Mar 24 07:59:35 2010: DEBUG: Handling request with Handler 'Client-Identifier=TSA'
>> Wed Mar 24 07:59:35 2010: DEBUG: Rewrote user name to corey
>> Wed Mar 24 07:59:35 2010: DEBUG:  Deleting session for corey, 192.168.201.74, 59
>> Wed Mar 24 07:59:35 2010: DEBUG: Handling with Radius::AuthNTLM:
>> Wed Mar 24 07:59:35 2010: DEBUG: Handling with EAP: code 2, 9, 43, 25
>> Wed Mar 24 07:59:35 2010: DEBUG: Response type 25
>> Wed Mar 24 07:59:35 2010: ERR: Bad attribute=value pair: Framed-IP-Address
>> Wed Mar 24 07:59:35 2010: DEBUG: EAP result: 0,
>> Wed Mar 24 07:59:35 2010: DEBUG: AuthBy NTLM result: ACCEPT,
>> Wed Mar 24 07:59:35 2010: DEBUG: Access accepted for corey
>> Wed Mar 24 07:59:35 2010: DEBUG: Packet dump:
>> *** Sending to 192.168.201.74 port 1025 ....
>> Code:       Access-Accept
>> Identifier: 0
>> Authentic:  <17><215>L<174>K*<28>y<192><253>hG<183><193>wk
>> Attributes:
>>        Service-Type = Framed-User
>>        Framed-Protocol = PPP
>>        EAP-Message = <3><9><0><4>
>>        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>        Service-Type = Framed-User
>>        Framed-Protocol = PPP
>> 
>> I'm using a Cisco / Linksys NAS if that makes any difference. Any help would be greatly appreciated
>> 
>> 
>> 
>> 



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
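
The two symptoms discussed in this thread (a reply item rejected as a bad attribute=value pair, and Service-Type / Framed-Protocol appearing twice in the Access-Accept) can be checked mechanically against a trace 4 debug. The Python sketch below is an added example, not part of the original messages or of Radiator; the trace is a constructed sample shortened from the log quoted above, and `audit_trace` and `duplicated` are hypothetical helper names.

```python
import re
from collections import Counter
# Constructed sample: shortened from the trace 4 debug quoted in this thread.
TRACE = """\
Wed Mar 24 07:59:35 2010: ERR: Bad attribute=value pair: Framed-IP-Address
Wed Mar 24 07:59:35 2010: DEBUG: Packet dump:
*** Sending to 192.168.201.74 port 1025 ....
Code:       Access-Accept
Identifier: 0
Attributes:
       Service-Type = Framed-User
       Framed-Protocol = PPP
       EAP-Message = <3><9><0><4>
       Service-Type = Framed-User
       Framed-Protocol = PPP
"""

ERR_RE = re.compile(r": ERR: Bad attribute=value pair: (.*)$")
ATTR_RE = re.compile(r"^\s+([A-Za-z0-9-]+) = ")
HEADER = ("Identifier:", "Authentic:", "Attributes:")
# Attributes that RFC 2865 / RFC 3579 allow several times in one packet.
MULTI_OK = {"EAP-Message", "Reply-Message", "Class", "Proxy-State", "Vendor-Specific"}

def audit_trace(text):
    """Return (rejected reply items, one attribute Counter per Access-Accept)."""
    bad, packets, cur = [], [], None
    for line in text.splitlines():
        m = ERR_RE.search(line)
        if m:
            bad.append(m.group(1).strip())
        elif line.startswith("Code:"):
            # Only Access-Accept dumps are inspected; other packets are skipped.
            cur = Counter() if line.split(":", 1)[1].strip() == "Access-Accept" else None
            if cur is not None:
                packets.append(cur)
        elif cur is not None:
            m = ATTR_RE.match(line)
            if m:
                cur[m.group(1)] += 1
            elif not line.startswith(HEADER):
                cur = None  # any other line ends this packet dump
    return bad, packets

def duplicated(packet):
    """Attributes sent more than once that the RFCs expect at most once."""
    return sorted(a for a, n in packet.items() if n > 1 and a not in MULTI_OK)

if __name__ == "__main__":
    bad, packets = audit_trace(TRACE)
    print(bad, [duplicated(p) for p in packets])
```
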




