Interoperability with RADIUS clients & servers

TekRADIUS LT authentication issues over Mikrotik

Zeynep
Posts: 26
9.08.2019
I am trying TekRADIUS LT as the RADIUS server to assign IP to the GSM/GPRS devices working in the IPSec tunnel. The tunnel is up and running. I defined the srcnat rules between the network where the server is located and the network of the devices in Mikrotik and I can ping the tunnel.
However, though declared successful in the logs, the devices cannot get or retain the IP addresses from the RADIUS server. The logs are as follows:

09.08.2019 01:18:29.202 - PAP Authentication commencing for user '5xxxx'

09.08.2019 01:18:29.202 - Check items control for user '55xxxx' - Start (PAP) [Group: 'Default'].

09.08.2019 01:18:29.202 - Check items control for user '55xxxx' - Stop [Group: 'Default'].

09.08.2019 01:18:29.202 - Authentication successful for user '55xxxx'

09.08.2019 01:18:29.202 - Fetching Success-Reply items for user '55xxxx' - Start.

09.08.2019 01:18:29.202 - Fetching Success-Reply items for user '55xxxx' - Stop.

09.08.2019 01:18:29.202 - Generating Reply Packet - Start.

09.08.2019 01:18:29.203 - Generating Reply Packet - Stop.
I tried by defining Generate-MS-MPPE keys for default group, but no change.
Can you please kindly help?

Thanks
Admin
Administrator
Posts: 5028
9.08.2019
Hi,

Does your client support MS-CHAP-v1 or MS-CHAP-v2 authentication protocols? Is it possible for you to test with MS-CHAP-v1 or MS-CHAP-v2 authentication protocols?

Best regards,

Yasin KAPLAN
Zeynep
Posts: 26
9.08.2019
It supports v2; I have another instance working with v2. Same parameters here, but with TekRADIUS 5.5. I do not know how to test.

Admin wrote:
Hi,

Does your client support MS-CHAP-v1 or MS-CHAP-v2 authentication protocols? Is it possible for you to test with MS-CHAP-v1 or MS-CHAP-v2 authentication protocols?

Best regards,

Yasin KAPLAN
Zeynep
Posts: 26
9.08.2019
It works with MS-CHAP-v2, I have another instance working well. Same parameters in this one, but with TekRADIUS LT 5.5. I do not know how to test the CHAP-v1 protocol.
Admin
Administrator
Posts: 5028
9.08.2019
Can you send TekRADIUS log entries for the working instance for an authentication attempt?
Admin
Administrator
Posts: 5028
9.08.2019
Can you also send me the received attributes in the TekRADIUS log for this authentication attempt?
Admin
Administrator
Posts: 5028
9.08.2019
It seems that TekRADIUS returns an IP address to the client. Can you verify that there is no firewall or IP filter blocking RADIUS responses from TekRADIUS to the client?
Zeynep
Posts: 26
9.08.2019
There is no firewall or IP filter. I defined a srcnat before the masquerade in the Mikrotik firewall between the 172.16.230.0/24 network and the 10.128.128.0/24 network. There is no filter rule on the firewall.
Admin
Administrator
Posts: 5028
9.08.2019
There may be a problem with the NAT configuration. Can you verify whether RADIUS responses from TekRADIUS arrive at the client? Who is 10.128.128.241?
Zeynep
Posts: 26
9.08.2019
It is the NAS IP sending the IP request from the devices.
Admin
Administrator
Posts: 5028
9.08.2019
Is it possible for you to debug or get a trace to see if RADIUS response packets arrive at 10.128.128.241?
Zeynep
Posts: 26
9.08.2019
Yesterday I checked it with the GSM operator while there was a 5.1 installation of TekRADIUS LT. It arrived, but the devices could not retain the IP. Can you suggest any way for me to check it now?
Admin
Administrator
Posts: 5028
9.08.2019
Can the GSM operator verify that RADIUS responses are accepted?

Can you update the .exe files under the TekRADIUS application directory with the ones in https://www.kaplansoft.com/tekradius/release/TekRADIUSLT-Update.zip and try again?
Zeynep
Posts: 26
9.08.2019
I updated the exe files. The logs are different now:

09.08.2019 11:05:40.073 - RadAuth reply to : 10.128.128.241:49217 (Success)

Size : 38
Identifier : 205
Attributes :

User-Name = 55XXX
Framed-IP-Address = 10.128.128.14

09.08.2019 11:05:40.520 - RadAcct req. from : 10.128.128.241:49217 [UDP]

Size : 139 / 139
Identifier : 211
Attributes :

Framed-IP-Address = 10.128.128.14
Acct-Status-Type = Start
NAS-Port-Type = Virtual
Called-Station-Id = signalix
Calling-Station-Id = 9055XXX
NAS-IP-Address = 10.128.128.241
Acct-Session-Id = D91FF8C207350241
NAS-Identifier = VGGTZLE01
User-Name = 55XXX

09.08.2019 11:06:36.388 - RadAcct req. from : 10.128.128.241:49365 [UDP]

Size : 169 / 169
Identifier : 81
Attributes :

Acct-Input-Octets = 0
Framed-IP-Address = 10.128.128.14
Acct-Status-Type = Stop
NAS-Port-Type = Virtual
Called-Station-Id = signalix
Calling-Station-Id = 9055XXX
NAS-IP-Address = 10.128.128.241
Acct-Session-Id = D91FF8C207350241
Acct-Output-Octets = 0
Acct-Terminate-Cause = User-Request
NAS-Identifier = VGGTZLE01
User-Name = 55XXX


Admin wrote:
Can the GSM operator verify that RADIUS responses are accepted?

Can you update the .exe files under the TekRADIUS application directory with the ones in https://www.kaplansoft.com/tekradius/release/TekRADIUSLT-Update.zip and try again?
Admin
Administrator
Posts: 5028
9.08.2019
It seems that the client has got the IP address and started and stopped a session. Can you confirm?
Zeynep
Posts: 26
9.08.2019
According to the logs it seems so. I am now checking with the operator for any possible reason. Can you suggest any?
Admin
Administrator
Posts: 5028
9.08.2019
The previous build of TekRADIUS may have a problem with the RADIUS secret.
0 link
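
Added example (not part of the forum thread and not TekRADIUS code): the remark above about the RADIUS secret relates to the Response Authenticator check in RFC 2865, where an Access-Accept is valid only if the MD5 over the packet, the request's authenticator and the shared secret matches on both sides, and invalid replies are silently discarded. The sketch builds a 38-byte Access-Accept shaped like the one logged earlier, using constructed values (the user name, both secrets and the request authenticator are assumptions), and shows the same reply passing or failing that check while its Framed-IP-Address decodes identically.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2                      # RFC 2865 packet code
USER_NAME, FRAMED_IP_ADDRESS = 1, 8    # RFC 2865 attribute types

def attr(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return bytes([attr_type, len(value) + 2]) + value

def build_access_accept(identifier, request_auth, attributes, secret):
    """Server side: authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attributes))
    digest = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + digest + attributes

def parse_attributes(reply):
    """Attributes travel in clear text, so they decode without the secret."""
    found, pos = {}, 20
    while pos + 2 <= len(reply):
        attr_type, length = reply[pos], reply[pos + 1]
        if length < 2 or pos + length > len(reply):
            raise ValueError("malformed attribute")
        found[attr_type] = reply[pos + 2:pos + length]
        pos += length
    return found

def nas_accepts(reply, request_auth, secret):
    """Client side: recompute the authenticator with the NAS's own secret."""
    if len(reply) < 20 or struct.unpack("!H", reply[2:4])[0] != len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

# Constructed sample values (assumptions, not the thread's real traffic).
REQUEST_AUTH = bytes(range(16))        # authenticator of the pending Access-Request
SERVER_SECRET = b"secret-on-server"
NAS_SECRET = b"secret-on-nas"
ATTRS = attr(USER_NAME, b"5500000000") + attr(FRAMED_IP_ADDRESS, bytes([10, 128, 128, 14]))
REPLY = build_access_accept(205, REQUEST_AUTH, ATTRS, SERVER_SECRET)

if __name__ == "__main__":
    ip = ".".join(map(str, parse_attributes(REPLY)[FRAMED_IP_ADDRESS]))
    print("size:", len(REPLY), "Framed-IP-Address:", ip)
    print("NAS with matching secret accepts:", nas_accepts(REPLY, REQUEST_AUTH, SERVER_SECRET))
    print("NAS with different secret accepts:", nas_accepts(REPLY, REQUEST_AUTH, NAS_SECRET))
```

With a packet capture, the same check can be run on a real reply by feeding in the captured Access-Request authenticator and the secret configured on the NAS side.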
Zeynep
Posts: 26
9.08.2019
The tunnel secret and the RADIUS secret are different. This must not cause any problem, right? Just to confirm.
Admin
Administrator
Posts: 5028
9.08.2019
This cannot be a problem.
Zeynep
Posts: 26
9.08.2019
Now it works! The operator first arranged to No accounting on response needed and unacknowledge. The ping started working. However, they reverted the settings back to the original and it still pings.
Thank you very much.