hautespot
just joined
Topic Author
Posts: 10
Joined: Wed Mar 09, 2005 5:38 pm
Location: San Luis Obispo, CA

Hotspot Radius Reply Issues

Fri Jun 15, 2007 11:59 pm

We have a hotspot gateway issue with RADIUS that I can't figure out and was hoping someone might have an idea of what is wrong. The RADIUS server is Radiator and has the MikroTik dictionary installed.

The hotspot gateway sits inside a firewall and the radius server outside.

If the firewall is removed and the hotspot gateway has a clear path to radius, then it works fine. When the firewall is introduced, the request gets to the radius server, it responds, the gateway receives the message, but says that it has a bad packet signature and won't authenticate the user.

Radius ports are 1645 and 1646 and the gateway is configured to use these ports. The firewall is open for these ports. CHAP is being used for Radius.

A Linksys with DD-WRT and an Orinoco/Proxim are both on the same network, and RADIUS works fine with them under the exact same conditions, through the firewall with the same secret.

We thought that the secret might be too long and shortened it to 7 characters, but that did not fix it.

The error looks like this:

19:00:20 hotspot,debug hotspot1: dhcp host 00:02:2D:5E:88:D4/10.5.50.254 added, ip 10.5.50.254
19:00:34 hotspot,info,debug bon (10.5.50.254): trying to log in by https
19:00:34 hotspot,info,debug bon (10.5.50.254): trying to log in by https
19:00:34 hotspot,debug bon (10.5.50.254): local user not found
19:00:34 hotspot,debug bon (10.5.50.254): sending RADIUS authentication request
19:00:34 radius,debug new request 3f:56 code=Access-Request service=hotspot called-id=hotspot1 domain=test.net
19:00:34 radius,debug sending 3f:56 to xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:34 radius,debug,packet sending Access-Request with id 16 to xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:34 radius,debug,packet Signature = 0x701a2222e9dd16453ec80630a1d44f61
19:00:34 radius,debug,packet NAS-Port-Type = 19
19:00:34 radius,debug,packet Calling-Station-Id = "00:02:2D:5E:88:D4"
19:00:34 radius,debug,packet Called-Station-Id = "hotspot1"
19:00:34 radius,debug,packet NAS-Port-Id = "wlan2"
19:00:34 radius,debug,packet User-Name = "bon"
19:00:34 radius,debug,packet MS-CHAP-Domain = "test.net"
19:00:34 radius,debug,packet NAS-Port = 2160066583
19:00:34 radius,debug,packet Acct-Session-Id = "80c00017"
19:00:34 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:34 radius,debug,packet MT-Host-IP = 10.5.50.254
19:00:34 radius,debug,packet User-Password = 0x6e6f7769726570726f6a656374
19:00:34 radius,debug,packet Service-Type = 1
19:00:34 radius,debug,packet WISPr-Logoff-URL = "http://xxx.xxx.xxx.xxx/logout" (address hidden for privacy)
19:00:34 radius,debug,packet NAS-Identifier = "HauteSpot"
19:00:34 radius,debug,packet NAS-IP-Address = 192.168.123.253
19:00:34 radius,debug,packet MT-Realm = 0x7163776972656c6573732e6e6574
19:00:34 radius,debug,packet received bad Access-Accept with id 16 from xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:34 radius,debug,packet Signature = bad 0xfb055e3e4108ee831bfa0be34c59ba19
19:00:34 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:34 radius,debug,packet User-Name = "bon"
19:00:34 radius,debug,packet User-Password = 0x
19:00:34 radius,debug,packet NAS-IP-Address = xxx.xxx.xxx.xxx (address hidden for privacy)
19:00:34 radius,debug received packet for 3f:56 with bad signature, dropping
19:00:35 radius,debug resending 3f:56
19:00:35 radius,debug,packet sending Access-Request with id 16 to xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:35 radius,debug,packet Signature = 0x701a2222e9dd16453ec80630a1d44f61
19:00:35 radius,debug,packet NAS-Port-Type = 19
19:00:35 radius,debug,packet Calling-Station-Id = "00:02:2D:5E:88:D4"
19:00:35 radius,debug,packet Called-Station-Id = "hotspot1"
19:00:35 radius,debug,packet NAS-Port-Id = "wlan2"
19:00:35 radius,debug,packet User-Name = "bon"
19:00:35 radius,debug,packet MS-CHAP-Domain = "test.net"
19:00:35 radius,debug,packet NAS-Port = 2160066583
19:00:35 radius,debug,packet Acct-Session-Id = "80c00017"
19:00:35 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:35 radius,debug,packet MT-Host-IP = 10.5.50.254
19:00:35 radius,debug,packet User-Password = 0x6e6f7769726570726f6a656374
19:00:35 radius,debug,packet Service-Type = 1
19:00:35 radius,debug,packet WISPr-Logoff-URL = "http://xxx.xxx.xxx.xxx/logout"
19:00:35 radius,debug,packet NAS-Identifier = "HauteSpot"
19:00:35 radius,debug,packet NAS-IP-Address = 192.168.123.253
19:00:35 radius,debug,packet MT-Realm = 0x7163776972656c6573732e6e6574
19:00:35 radius,debug,packet received bad Access-Accept with id 16 from xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:35 radius,debug,packet Signature = bad 0xfb055e3e4108ee831bfa0be34c59ba19
19:00:35 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:35 radius,debug,packet User-Name = "bon"
19:00:35 radius,debug,packet User-Password = 0x
19:00:35 radius,debug,packet NAS-IP-Address = xxx.xxx.xxx.xxx (address hidden for privacy)
19:00:35 radius,debug received packet for 3f:56 with bad signature, dropping
19:00:36 radius,debug resending 3f:56
19:00:36 radius,debug,packet sending Access-Request with id 16 to xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:36 radius,debug,packet Signature = 0x701a2222e9dd16453ec80630a1d44f61
19:00:36 radius,debug,packet NAS-Port-Type = 19
19:00:36 radius,debug,packet Calling-Station-Id = "00:02:2D:5E:88:D4"
19:00:36 radius,debug,packet Called-Station-Id = "hotspot1"
19:00:36 radius,debug,packet NAS-Port-Id = "wlan2"
19:00:36 radius,debug,packet User-Name = "bon"
19:00:36 radius,debug,packet MS-CHAP-Domain = "test.net"
19:00:36 radius,debug,packet NAS-Port = 2160066583
19:00:36 radius,debug,packet Acct-Session-Id = "80c00017"
19:00:36 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:36 radius,debug,packet MT-Host-IP = 10.5.50.254
19:00:36 radius,debug,packet User-Password = 0x6e6f7769726570726f6a656374
19:00:36 radius,debug,packet Service-Type = 1
19:00:36 radius,debug,packet WISPr-Logoff-URL = "http://xxx.xxx.xxx.xxx/logout"
19:00:36 radius,debug,packet NAS-Identifier = "HauteSpot"
19:00:36 radius,debug,packet NAS-IP-Address = 192.168.123.253
19:00:36 radius,debug,packet MT-Realm = 0x7163776972656c6573732e6e6574
19:00:36 radius,debug,packet received bad Access-Accept with id 16 from xxx.xxx.xxx.xxx:1645 (address hidden for privacy)
19:00:36 radius,debug,packet Signature = bad 0xfb055e3e4108ee831bfa0be34c59ba19
19:00:36 radius,debug,packet Framed-IP-Address = 10.5.50.254
19:00:36 radius,debug,packet User-Name = "bon"
19:00:36 radius,debug,packet User-Password = 0x
19:00:36 radius,debug,packet NAS-IP-Address = xxx.xxx.xxx.xxx (address hidden for privacy)
19:00:36 radius,debug received packet for 3f:56 with bad signature, dropping
19:00:37 radius,debug timeout for 3f:56
19:00:37 hotspot,info,debug bon (10.5.50.254): login failed: RADIUS server is not responding
19:00:37 hotspot,info,debug bon (10.5.50.254): login failed: RADIUS server is not responding
19:00:50 hotspot,debug hotspot1: dhcp host 10.5.50.254 changed type to dynamic (remove after 5s)
19:00:50 dhcp,debug,packet dhcp1 received release with id 1661188391 from 10.5.50.254
19:00:50 dhcp,debug,packet flags = broadcast
19:00:50 dhcp,debug,packet ciaddr = 10.5.50.254
19:00:50 dhcp,debug,packet chaddr = 00:02:2D:5E:88:D4
19:00:50 dhcp,debug,packet Msg-Type = release
19:00:50 dhcp,debug,packet Server-Id = 10.5.50.1
19:00:50 dhcp,debug,packet Client-Id = 01-00-02-2D-5E-88-D4
19:00:50 dhcp,info,debug dhcp1 deassigned 10.5.50.254 from 00:02:2D:5E:88:D4
19:00:50 dhcp,info,debug dhcp1 deassigned 10.5.50.254 from 00:02:2D:5E:88:D4
19:00:55 hotspot,debug hotspot1: dynamic host 10.5.50.254 removed: lost dhcp lease
19:01:15 wireless,info 00:02:2D:5E:88:D4@wlan2: disconnected, extensive data loss

Any help would be great.
 
aldoinireland
just joined
Posts: 1
Joined: Mon Jul 02, 2007 12:21 pm

Re: Hotspot Radius Reply Issues

Mon Jul 02, 2007 3:17 pm

I also would love to know what this error is about as well. My knowledge of radius is fine. I can see that the CHAP hashes look to be different, so what do you do in freeradius or mtech to overcome this issue?
 
hautespot
just joined
Topic Author
Posts: 10
Joined: Wed Mar 09, 2005 5:38 pm
Location: San Luis Obispo, CA

Re: Hotspot Radius Reply Issues

Mon Jul 02, 2007 8:02 pm

We have still not figured out what the problem seems to be. Any suggestions?
 
recapped
just joined
Posts: 9
Joined: Wed Jul 18, 2007 6:18 pm

Re: Hotspot Radius Reply Issues

Fri Aug 17, 2007 12:43 am

hautespot,
Did you ever find anything out about these?

I was getting them very often from one of my hotspots, but not from two others using the same RADIUS server. The difference between this one site and the other two is the circuit utilization: the problem site was swamped, with ping times to the RADIUS server getting up above 400ms. The default RADIUS timeout in MT is 300ms. I bumped the timeout up to 1s and that's eliminated these errors except when the line is pegged.

I'll probably put in a couple of qos rules to deal with this better, but I'm still getting my head around those.

Another cause that I saw in my lab while testing some stuff is when the secret doesn't match.
 
spire2z
Long time Member
Posts: 516
Joined: Mon Feb 14, 2005 2:48 am

Re: Hotspot Radius Reply Issues

Sat Aug 18, 2007 2:15 pm

Could it be just some normal networking issue like MTU size or maybe source IP is wrong on NAS list if firewall is masquerading?
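
Added example, not part of any post in this thread: a Python sketch of the RFC 2865 Response Authenticator check that produces "bad signature" when the server signs its reply with a different secret than the gateway holds, for instance because it selects the client entry by the source address it sees. The client table, both secrets and the 203.0.113.1 firewall address are constructed; the request id and request Signature come from the log above, with the Signature taken here as the Request Authenticator.

```python
import hashlib
import hmac
import socket
import struct

ACCESS_ACCEPT = 2

def response_authenticator(code, ident, attrs, request_auth, secret):
    # RFC 2865: MD5(Code + Identifier + Length + Request Authenticator + Attributes + Secret)
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()

def build_reply(code, ident, attrs, request_auth, secret):
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return struct.pack("!BBH", code, ident, 20 + len(attrs)) + auth + attrs

def verify_reply(packet, request_auth, secret):
    # NAS-side check; a False result corresponds to the "bad signature" drop.
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:length], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])

def attr(attr_type, value):
    # Type-Length-Value attribute encoding; length covers the two header bytes.
    return bytes([attr_type, len(value) + 2]) + value

# Taken from the log above: request id 16 and the request "Signature".
REQUEST_ID = 16
REQUEST_AUTH = bytes.fromhex("701a2222e9dd16453ec80630a1d44f61")
# User-Name (type 1) and Framed-IP-Address (type 8), as seen in the reply.
REPLY_ATTRS = attr(1, b"bon") + attr(8, socket.inet_aton("10.5.50.254"))

# Constructed server client table: shared secret selected by packet source address.
NAS_SECRET = b"nas-secret"
CLIENTS = {
    "192.168.123.253": NAS_SECRET,  # gateway's own address (NAS-IP-Address in the log)
    "203.0.113.1": b"fw-secret",    # hypothetical masquerading firewall address
}

def nas_accepts_reply(source_ip_seen_by_server):
    server_secret = CLIENTS[source_ip_seen_by_server]
    reply = build_reply(ACCESS_ACCEPT, REQUEST_ID, REPLY_ATTRS, REQUEST_AUTH, server_secret)
    return verify_reply(reply, REQUEST_AUTH, NAS_SECRET)

if __name__ == "__main__":
    print("direct path:", nas_accepts_reply("192.168.123.253"))
    print("masqueraded:", nas_accepts_reply("203.0.113.1"))
```

The same check also fails if the reply is altered or truncated in transit, because the attributes and length are part of the hashed data.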
 
cadewa
just joined
Posts: 4
Joined: Fri Jul 20, 2007 4:25 am

Re: Hotspot Radius Reply Issues

Wed Nov 21, 2007 8:16 am

I have the same problem on 2.9.44 with the error "lost dhcp lease", but it does not affect all connected users. Only some, but in pretty high quantities. Are there any bugs which are not covered yet?