VyOS PPPoE Server + Freeradius

Hi Guys,

I currently have a problem with the communication or configuration between VyOS (PPPoE server) and Freeradius, and I don't know what to do next.
The VyOS PPPoE server and Freeradius have IPs in a subnet and they can talk to each other; ping etc. works.
Freeradius also receives the inquiries from VyOS and answers them, but it sends them "duplicate".
In the VyOS log I have the message "radius server not responding", but radius did.
Here is the PPPoE server config:

vyos@vyos# show service pppoe-server
 authentication {
     mode radius
     radius {
         rate-limit {
             enable
         }
         server 172.16.16.2 {
             key #shared secret
         }
         source-address 172.16.16.1
     }
 }
 client-ip-pool {
     subnet 192.168.0.0/30 #dummy Pool -> pppoe client should get his IP from Radius
 }
 gateway-address #Gateway-IP
 interface eth4 {
     vlan-id 1
     vlan-range 1-4093
 }
 ppp-options {
     ipv6 allow
 }

Here is the freeradius debug reply

(38) Received Access-Request Id 1 from 172.16.16.1:49317 to 172.16.16.2:1812 length 104
(38)   User-Name = "user"
(38)   NAS-Port-Type = Virtual
(38)   Service-Type = Framed-User
(38)   Framed-Protocol = PPP
(38)   Calling-Station-Id = "0c:ba:dd:05:00:00"
(38)   Called-Station-Id = "0c:12:54:53:00:04"
(38)   User-Password = "password"
(38) # Executing section authorize from file /etc/freeradius/3.0/sites-enabled/default
(38)   authorize {
(38)     policy filter_username {
(38)       if (&User-Name) {
(38)       if (&User-Name)  -> TRUE
(38)       if (&User-Name)  {
(38)         if (&User-Name =~ / /) {
(38)         if (&User-Name =~ / /)  -> FALSE
(38)         if (&User-Name =~ /@[^@]*@/ ) {
(38)         if (&User-Name =~ /@[^@]*@/ )  -> FALSE
(38)         if (&User-Name =~ /\.\./ ) {
(38)         if (&User-Name =~ /\.\./ )  -> FALSE
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))  {
(38)         if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))   -> FALSE
(38)         if (&User-Name =~ /\.$/)  {
(38)         if (&User-Name =~ /\.$/)   -> FALSE
(38)         if (&User-Name =~ /@\./)  {
(38)         if (&User-Name =~ /@\./)   -> FALSE
(38)       } # if (&User-Name)  = notfound
(38)     } # policy filter_username = notfound
(38)     [preprocess] = ok
(38)     [chap] = noop
(38)     [mschap] = noop
(38)     [digest] = noop
(38) suffix: Checking for suffix after "@"
(38) suffix: No '@' in User-Name = "user", looking up realm NULL
(38) suffix: No such realm "NULL"
(38)     [suffix] = noop
(38) eap: No EAP-Message, not doing EAP
(38)     [eap] = noop
(38) files: users: Matched entry Business at line 9
(38)     [files] = ok
(38)     [expiration] = noop
(38)     [logintime] = noop
(38)     [pap] = updated
(38)   } # authorize = updated
(38) Found Auth-Type = PAP
(38) # Executing group from file /etc/freeradius/3.0/sites-enabled/default
(38)   Auth-Type PAP {
(38) pap: Login attempt with password
(38) pap: Comparing with "known good" Cleartext-Password
(38) pap: User authenticated successfully
(38)     [pap] = ok
(38)   } # Auth-Type PAP = ok
(38) # Executing section post-auth from file /etc/freeradius/3.0/sites-enabled/default
(38)   post-auth {
(38)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(38)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(38)     update {
(38)       No attributes updated for RHS &session-state:
(38)     } # update = noop
(38)     [exec] = noop
(38)     policy remove_reply_message_if_eap {
(38)       if (&reply:EAP-Message && &reply:Reply-Message) {
(38)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(38)       else {
(38)         [noop] = noop
(38)       } # else = noop
(38)     } # policy remove_reply_message_if_eap = noop
(38)   } # post-auth = noop
(38) Sent Access-Accept Id 1 from 172.16.16.2:1812 to 172.16.16.1:49317 length 0
(38)   Service-Type = Framed-User
(38)   Framed-Protocol = PPP
(38)   Framed-IP-Address = "IP"
(38)   Framed-IP-Netmask = 255.255.255.255
(38)   Delegated-IPv6-Prefix = "IPv6 Prefix /56"
(38)   Framed-IPv6-Prefix = "IPv6 Prefix /64"
(38) Finished request
Waking up in 4.9 seconds.
(38) Sending duplicate reply to client BNG2 port 49317 - ID: 1
Waking up in 7.0 seconds.
(38) Sending duplicate reply to client BNG2 port 49317 - ID: 1
Waking up in 13.9 seconds.
(38) Cleaning up request packet ID 1 with timestamp +1560

Here is the vyos pppoe server log

May 16 06:31:21 vyos accel-pppoe: eth4.3334: recv [PPPoE PADI 0c:ba:dd:05:00:00 => ff:ff:ff:ff:ff:ff sid=0000 <Service-Name >]
May 16 06:31:21 vyos accel-pppoe: eth4.3334: send [PPPoE PADO 0c:12:54:53:00:04 => 0c:ba:dd:05:00:00 sid=0000 <AC-Name vyos-ac> <Service-Name > <AC-Cookie 40be2adf6c14fea4a17e52f94fe92a50329480980b9f4f93>]
May 16 06:31:21 vyos accel-pppoe: eth4.3334: recv [PPPoE PADR 0c:ba:dd:05:00:00 => 0c:12:54:53:00:04 sid=0000 <Service-Name > <AC-Cookie 40be2adf6c14fea4a17e52f94fe92a50329480980b9f4f93>]
May 16 06:31:21 vyos accel-pppoe: eth4.3334: send [PPPoE PADS 0c:12:54:53:00:04 => 0c:ba:dd:05:00:00 sid=0b40 <AC-Name vyos-ac> <Service-Name >]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: send [LCP ConfReq id=49 <auth PAP> <mru 1492> <magic 493aea48>]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: recv [LCP ConfReq id=35 <mru 1492> <magic ee939de9>]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: send [LCP ConfAck id=35]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: recv [LCP ConfAck id=49 <auth PAP> <mru 1492> <magic 493aea48>]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: recv [PAP AuthReq id=63]
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:ba:dd:05:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xPW Hash>]
May 16 06:31:24 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:ba:dd:05:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xPW Hash>]
May 16 06:31:24 vyos accel-pppoe: eth4.3334:: recv [PAP AuthReq id=64]
May 16 06:31:27 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user"> <NAS-Port-Type Virtual> <Service-Type Framed-User> <Framed-Protocol PPP> <Calling-Station-Id "0c:ba:dd:05:00:00"> <Called-Station-Id "0c:12:54:53:00:04"> <User-Password 0xPW Hash>]
May 16 06:31:27 vyos accel-pppoe: eth4.3334:: recv [PAP AuthReq id=65]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:: radius: server(1) not responding
May 16 06:31:30 vyos accel-pppoe: eth4.3334:: radius: no available servers
May 16 06:31:30 vyos accel-pppoe: eth4.3334:: send [PAP AuthNak id=63 "Authentication failed"]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:user: user: authentication failed
May 16 06:31:30 vyos accel-pppoe: user: authentication failed
May 16 06:31:30 vyos accel-pppoe: eth4.3334:user: send [LCP TermReq id=75]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:user: recv [LCP TermReq id=36]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:user: send [LCP TermAck id=54]
May 16 06:31:30 vyos accel-pppoe: eth4.3334: send [PPPoE PADT 0c:12:54:53:00:04 => 0c:ba:dd:05:00:00 sid=0b40 <AC-Name vyos-ac> <Service-Name >]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:: disconnected
May 16 06:31:30 vyos accel-pppoe: eth4.3334: recv [PPPoE PADT 0c:ba:dd:05:00:00 => 0c:12:54:53:00:04 sid=0b40 <AC-Cookie 40be2adf6c14fea4a17e52f94fe92a50329480980b9f4f93>]

Firewall should be disabled on both devices, but another funny fact is that I can't connect to the VyOS via ssh from Freeradius and vice versa.

For me it's kind of weird, and hopefully some of you know what to do.
Thanks in advance and best regards
Hannibal
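
Added example (not part of the original thread and not VyOS or accel-ppp code): a Python check that groups the NAS-side RADIUS log lines above by session, server and packet id, so that retransmitted Access-Requests ending in "not responding" stand apart from answered ones. The names analyse and SAMPLE_LOG are hypothetical, and the eth4.3335 lines, including the recv line format, are constructed for contrast.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the accel-pppoe format from the post (attributes shortened);
# the eth4.3335 lines, including the recv format, are assumed for contrast.
SAMPLE_LOG = """\
May 16 06:31:21 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user">]
May 16 06:31:24 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user">]
May 16 06:31:27 vyos accel-pppoe: eth4.3334:: send [RADIUS(1) Access-Request id=1 <User-Name "user">]
May 16 06:31:30 vyos accel-pppoe: eth4.3334:: radius: server(1) not responding
May 16 06:32:02 vyos accel-pppoe: eth4.3335:: send [RADIUS(1) Access-Request id=2 <User-Name "other">]
May 16 06:32:02 vyos accel-pppoe: eth4.3335:: recv [RADIUS(1) Access-Accept id=2]
"""

PKT = re.compile(r"(\d\d:\d\d:\d\d) \S+ accel-pppoe: (\S+?):+ (send|recv) "
                 r"\[RADIUS\((\d+)\) (\S+) id=(\d+)")
DEAD = re.compile(r"accel-pppoe: (\S+?):+ radius: server\((\d+)\) not responding")


def analyse(log_text):
    """Group RADIUS packets per (session, server, id) and flag unanswered exchanges."""
    ex = defaultdict(lambda: {"sent": [], "reply": None, "timed_out": False})
    latest = {}  # (session, server) -> key of the most recent request
    for line in log_text.splitlines():
        if m := PKT.search(line):
            ts, sess, direction, server, ptype, pid = m.groups()
            key = (sess, server, int(pid))
            if direction == "send" and ptype == "Access-Request":
                ex[key]["sent"].append(datetime.strptime(ts, "%H:%M:%S"))
                latest[(sess, server)] = key
            elif direction == "recv":
                ex[key]["reply"] = ptype
        elif (m := DEAD.search(line)) and m.groups() in latest:
            ex[latest[m.groups()]]["timed_out"] = True
    findings = []
    for (sess, server, pid), e in ex.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(e["sent"], e["sent"][1:])]
        verdict = ("answered" if e["reply"] else
                   "no reply reached the NAS: capture on both hosts, check the return path"
                   if e["timed_out"] else "pending")
        findings.append({"session": sess, "id": pid, "attempts": len(e["sent"]),
                         "retry_gaps_s": gaps, "reply": e["reply"], "verdict": verdict})
    return findings

if __name__ == "__main__":
    print(*analyse(SAMPLE_LOG), sep="\n")
```

For the exchange in the post, the server log shows a sent Access-Accept while the NAS log shows three sends with the same id and no recv, which places the loss in the server-to-NAS direction.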

Hello @Hannibal,

If you have a firewall, disable it on the radius server and on vyos. Check the connection without a firewall.
PPPoE server does not have access to radius.

Hi @RyVolodya

Thanks for your answer, but the firewalls were disabled on both sides.
My solution (don't ask why the hell it's working now) was to move the Radius server into the GNS environment.