Caci99
Forum Guru
Topic Author
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Radius manager and PPTP tunnel

Tue Jan 22, 2013 8:57 pm

Hi
I have a PC with Radius Manager on it. This one is already serving radius authentication for pppoe connections on local router. The Radius Manager is directly connected to the router. Until now it has worked very well, as expected.
I wanted to have the same service for another router which is on another site, not connected to the local network by any means. So, I did a pptp tunnel. The pptp server is on the local router, while pptp client on the remote one. Unfortunately, I can't make this work, the remote router does not get an answer from radius, in the log I see "radius timeout".
Has anyone successfully managed to connect a remote router to a remote radius? Any special configuration needed?
On local router the configuration is:
/ip address print
Flags: X - disabled, I - invalid, D - dynamic 
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE            
 0   172.16.0.1/30      172.16.0.0      172.16.0.3             ether5
 1   172.172.16.1/30   172.172.16.0   172.172.16.3         pptp-1

172.16.0.1 is the IP on router, while 172.16.0.2 is the IP of Radius Manager
172.172.16.1 is the IP of local pptp interface, and 172.172.16.2 is the IP of the remote pptp interface

On remote router:
/ip address print
92 D 172.172.16.2/32    172.172.16.1    pptp-out1

/ip route print
105 A S  172.16.0.0/24                      pptp-out1                 1
The communication between both sites via ping looks fine, both, radius manager and remote router can ping each other.
I also have the radius logs from both routers, from the one that can get authentication from radius and from the remote one that does not get authentication from radius. The log of the first router looks like this:
19:08:10 radius,debug new request 1b:00 code=Accounting-Request service=ppp called-id=pppoe-server 
19:08:10 radius,debug sending 1b:00 to 172.16.0.2:1813 
19:08:10 radius,debug,packet sending Accounting-Request with id 89 to 172.16.0.2:1813 
19:08:10 radius,debug,packet     Signature = 0xb73cd7db7ffcdea89fa6181d93431de5 
19:08:10 radius,debug,packet     Service-Type = 2 
19:08:10 radius,debug,packet     Framed-Protocol = 1 
19:08:10 radius,debug,packet     NAS-Port = 67455 
19:08:10 radius,debug,packet     NAS-Port-Type = 15 
19:08:10 radius,debug,packet     User-Name = "user1" 
19:08:10 radius,debug,packet     Calling-Station-Id = "xx:xx:xx:FE:16:53" 
19:08:10 radius,debug,packet     Called-Station-Id = "pppoe-server" 
19:08:10 radius,debug,packet     NAS-Port-Id = "bridge1" 
19:08:10 radius,debug,packet     Acct-Session-Id = "8120009f" 
19:08:10 radius,debug,packet     Framed-IP-Address = 172.16.16.247 
19:08:10 radius,debug,packet     Acct-Authentic = 1 
19:08:10 radius,debug,packet     Event-Timestamp = 1358878090 
19:08:10 radius,debug,packet     Acct-Session-Time = 23524 
19:08:10 radius,debug,packet     Acct-Input-Octets = 32123315 
19:08:10 radius,debug,packet     Acct-Input-Gigawords = 0 
19:08:10 radius,debug,packet     Acct-Input-Packets = 381459 
19:08:10 radius,debug,packet     Acct-Output-Octets = 781987434 
19:08:10 radius,debug,packet     Acct-Output-Gigawords = 0 
19:08:10 radius,debug,packet     Acct-Output-Packets = 600501 
19:08:10 radius,debug,packet     Acct-Status-Type = 3 
19:08:10 radius,debug,packet     NAS-Identifier = "Identity" 
19:08:10 radius,debug,packet     NAS-IP-Address = 172.16.0.1 
19:08:10 radius,debug,packet     Acct-Delay-Time = 0 
19:08:10 radius,debug,packet received Accounting-Response with id 89 from 172.16.0.2:1813 
19:08:10 radius,debug,packet     Signature = 0x9d64728cbd131c2953f0bba861827ec4 
19:08:10 radius,debug received reply for 1b:00 
19:08:10 radius,debug request 1b:00 processed
The log from the remote router:
07:00:53 radius,debug new request 1b:f5c code=Access-Request service=ppp called-id=service4 
07:00:53 radius,debug sending 1b:f5c to 172.16.0.2:1812 
07:00:53 radius,debug,packet sending Access-Request with id 153 to 172.16.0.2:1812 
07:00:53 radius,debug,packet     Signature = 0x1e846a46b7c134b8387539ee761c140a 
07:00:53 radius,debug,packet     Service-Type = 2 
07:00:53 radius,debug,packet     Framed-Protocol = 1 
07:00:53 radius,debug,packet     NAS-Port = 2188 
07:00:53 radius,debug,packet     NAS-Port-Type = 15 
07:00:53 radius,debug,packet     User-Name = "user2" 
07:00:53 radius,debug,packet     Calling-Station-Id = "xx:xx:xx:xx:51:87" 
07:00:53 radius,debug,packet     Called-Station-Id = "service4" 
07:00:53 radius,debug,packet     NAS-Port-Id = "bridge1" 
07:00:53 radius,debug,packet     MS-CHAP-Challenge = 0x40b665e754714879a315565f32dbb1bc 
07:00:53 radius,debug,packet     MS-CHAP2-Response = 0x0100057f624aa7945f8e2694830a297a 
07:00:53 radius,debug,packet       82ab0000000000000000f54e05e2e69b 
07:00:53 radius,debug,packet       dbeeb838047b0a5ba84c562429f4ab90 
07:00:53 radius,debug,packet       d53e 
07:00:53 radius,debug,packet     NAS-Identifier = "Identity" 
07:00:53 radius,debug,packet     NAS-IP-Address = 172.172.16.2 
07:00:53 radius,debug resending 1b:f5c 
07:00:53 radius,debug,packet sending Access-Request with id 153 to 172.16.0.2:1812 
07:00:53 radius,debug,packet     Signature = 0x1e846a46b7c134b8387539ee761c140a 
07:00:53 radius,debug,packet     Service-Type = 2 
07:00:53 radius,debug,packet     Framed-Protocol = 1 
07:00:53 radius,debug,packet     NAS-Port = 2188 
07:00:53 radius,debug,packet     NAS-Port-Type = 15 
07:00:53 radius,debug,packet     User-Name = "user2" 
07:00:53 radius,debug,packet     Calling-Station-Id = "xx:xx:xx:xx:51:87" 
07:00:53 radius,debug,packet     Called-Station-Id = "service4" 
07:00:53 radius,debug,packet     NAS-Port-Id = "bridge1" 
07:00:53 radius,debug,packet     MS-CHAP-Challenge = 0x40b665e754714879a315565f32dbb1bc 
07:00:53 radius,debug,packet     MS-CHAP2-Response = 0x0100057f624aa7945f8e2694830a297a 
07:00:53 radius,debug,packet       82ab0000000000000000f54e05e2e69b 
07:00:53 radius,debug,packet       dbeeb838047b0a5ba84c562429f4ab90 
07:00:53 radius,debug,packet       d53e 
07:00:53 radius,debug,packet     NAS-Identifier = "Identity" 
07:00:53 radius,debug,packet     NAS-IP-Address = 172.172.16.2 
07:00:53 radius,debug resending 1b:f5c 
07:00:53 radius,debug,packet sending Access-Request with id 153 to 172.16.0.2:1812 
07:00:53 radius,debug,packet     Signature = 0x1e846a46b7c134b8387539ee761c140a 
07:00:53 radius,debug,packet     Service-Type = 2 
07:00:53 radius,debug,packet     Framed-Protocol = 1 
07:00:53 radius,debug,packet     NAS-Port = 2188 
07:00:53 radius,debug,packet     NAS-Port-Type = 15 
07:00:53 radius,debug,packet     User-Name = "user2" 
07:00:53 radius,debug,packet     Calling-Station-Id = "xx:xx:xx:xx:51:87" 
07:00:53 radius,debug,packet     Called-Station-Id = "service4" 
07:00:53 radius,debug,packet     NAS-Port-Id = "bridge1" 
07:00:53 radius,debug,packet     MS-CHAP-Challenge = 0x40b665e754714879a315565f32dbb1bc 
07:00:53 radius,debug,packet     MS-CHAP2-Response = 0x0100057f624aa7945f8e2694830a297a 
07:00:53 radius,debug,packet       82ab0000000000000000f54e05e2e69b 
07:00:53 radius,debug,packet       dbeeb838047b0a5ba84c562429f4ab90 
07:00:53 radius,debug,packet       d53e 
07:00:53 radius,debug,packet     NAS-Identifier = "Identity" 
07:00:53 radius,debug,packet     NAS-IP-Address = 172.172.16.2 
07:00:54 radius,debug timeout for 1b:f5c 
07:00:54 pppoe,ppp,info <pppoe-0>: terminating... - user user2 authentication failed - radius timeout 
07:00:54 pppoe,ppp,info <pppoe-0>: disconnected 
It's a bit of a long post. Hope someone can point me in the right direction. The difference between the two routers is that the first is running ROS 4.10, while the second is running ROS 5.22.
 
tchus
Member Candidate
Posts: 111
Joined: Tue Jan 25, 2011 12:08 am

Re: Radius manager and PPTP tunnel

Wed Jan 23, 2013 7:30 am

You need to route to the pptp server "gateway" which is the local address you've given to the PPTP server NOT the local IP on RM.
 
Caci99
Forum Guru
Topic Author
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Radius manager and PPTP tunnel

Wed Jan 23, 2013 11:49 am

The gateway is already there:
/ip route print
dst-address=172.16.0.0/24 gateway=pptp-out1
Both sites are reachable. I can ping from both sites. I can connect via ssh to the radius manager from the remote router.
 
net365
newbie
Posts: 40
Joined: Sun Feb 14, 2010 5:17 pm

Re: Radius manager and PPTP tunnel

Sun Feb 03, 2013 3:52 pm

In radiusmanager when you added the new NAS did you hit "restart radius server" under tools?

It's a very common mistake and people spend hours trying to find out why their radius is not responding (including us in the past)
 
Caci99
Forum Guru
Topic Author
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Radius manager and PPTP tunnel

Sun Feb 03, 2013 7:14 pm

> In radiusmanager when you added the new NAS did you hit "restart radius server" under tools?
>
> It's a very common mistake and people spend hours trying to find out why their radius is not responding (including us in the past)

No, I haven't restarted. I will see if this helps and let you know. I might answer some days after, as right now I do not have the possibility to do that.
 
Caci99
Forum Guru
Topic Author
Posts: 1076
Joined: Wed Feb 21, 2007 2:26 pm
Location: Tirane

Re: Radius manager and PPTP tunnel

Tue Feb 05, 2013 3:29 pm

@net365 Thank you, your suggestion worked. After reboot the connection is okay now.
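
Added example, not part of any post in this thread: a RADIUS server silently discards requests from clients it does not know, so the only symptom on the router is the resend-then-timeout pattern seen in the remote router's log above. This Python sketch pulls that pattern out of RouterOS radius debug output; the sample is abridged from the logs quoted in the thread, and the function and field names are this example's own.

```python
import re

# Sample abridged from the RouterOS "radius" debug logs quoted in the thread.
SAMPLE_LOG = """\
19:08:10 radius,debug new request 1b:00 code=Accounting-Request service=ppp called-id=pppoe-server
19:08:10 radius,debug sending 1b:00 to 172.16.0.2:1813
19:08:10 radius,debug,packet     NAS-IP-Address = 172.16.0.1
19:08:10 radius,debug received reply for 1b:00
07:00:53 radius,debug new request 1b:f5c code=Access-Request service=ppp called-id=service4
07:00:53 radius,debug sending 1b:f5c to 172.16.0.2:1812
07:00:53 radius,debug,packet     NAS-IP-Address = 172.172.16.2
07:00:53 radius,debug resending 1b:f5c
07:00:53 radius,debug resending 1b:f5c
07:00:54 radius,debug timeout for 1b:f5c
"""

EVENT = re.compile(r"radius,debug (new request|sending|resending|received reply for"
                   r"|timeout for) (\S+)(?: to (\S+))?(?: code=(\S+))?")
NAS_IP = re.compile(r"radius,debug,packet\s+NAS-IP-Address = (\S+)")

def unanswered_requests(log_text):
    """Return requests that were sent (and resent) but ended in a timeout."""
    open_reqs, timed_out, current = {}, [], None
    for line in log_text.splitlines():
        m = EVENT.search(line)
        if not m:
            n = NAS_IP.search(line)
            if n and current is not None:
                current["nas_ip"] = n.group(1)  # packet lines follow their request
            continue
        kind, rid, server, code = m.groups()
        if kind == "new request":  # fresh record, in case a request id is reused
            open_reqs[rid] = {"id": rid, "code": code, "server": None,
                              "nas_ip": None, "sends": 0}
        current = open_reqs.get(rid)
        if current is None:
            continue  # log excerpt started in the middle of a request
        if kind in ("sending", "resending"):
            current["sends"] += 1
            current["server"] = server or current["server"]
        elif kind == "received reply for":
            open_reqs.pop(rid)
        elif kind == "timeout for":
            timed_out.append(open_reqs.pop(rid))
    return timed_out

if __name__ == "__main__":
    for r in unanswered_requests(SAMPLE_LOG):
        print(f"{r['code']} {r['id']} -> {r['server']}: no reply after {r['sends']} "
              f"sends; check that NAS {r['nas_ip']} is a known client on the server")
```

When the tunnel passes ping and ssh but a request shows up here, the NAS address it reports is the one to look for in the RADIUS server's client list.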
 
ener
Frequent Visitor
Posts: 62
Joined: Fri May 10, 2013 4:47 pm

Re: Radius manager and PPTP tunnel

Thu Jun 13, 2013 3:08 am

I'm planning to do this. Can anyone share a script, please?