problems with authentication on freeradius using mikrotik

problems with authentication on freeradius using mikrotik

juliana sales porto
Hey guys, I have been facing a problem since yesterday with authentication on freeradius using a mikrotik routerboard. For some reason, when the user logs in on the hotspot system, the radius inserts the same acctstarttime and acctstoptime on radacct.

I am using the wi-fi and I am active on the mikrotik hotspot system, but radius shows that I am not connected. Is there something that I can do on radius?

Regards,

Juliana Porto

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: problems with authentication on freeradius using mikrotik

Alan DeKok-2
On Oct 8, 2019, at 11:39 AM, juliana sales porto <[hidden email]> wrote:
>
> Hey guys, I have been facing a problem since yesterday with authentication on freeradius using a mikrotik routerboard. For some reason, when the user logs in on the hotspot system, the radius inserts the same acctstarttime and acctstoptime on radacct.

  FreeRADIUS just logs what the NAS sends.  If the NAS sends the wrong information, FreeRADIUS logs it.

> I am using the wi-fi and I am active on the mikrotik hotspot system, but radius shows that I am not connected. Is there something that I can do on radius?

  No.  Fix the NAS so that it doesn't lie to FreeRADIUS.

  Alan DeKok.



RE: problems with authentication on freeradius using mikrotik

juliana sales porto
Alan, the FreeRADIUS shows these error logs. A little help, please? 😄


Regards,

Juliana Porto


Re: problems with authentication on freeradius using mikrotik

Alan DeKok-2
On Oct 9, 2019, at 8:53 AM, juliana sales porto <[hidden email]> wrote:
>
> Alan, the FreeRADIUS shows these error logs. A little help, please? 😄

  It's not a good idea to post images to the mailing list.  Is it really that difficult to cut & paste text from a terminal window?

  The error messages are always due to the same issue.  A back-end database is slow and is blocking the server.

  Alan DeKok.



RE: problems with authentication on freeradius using mikrotik

juliana sales porto
So let me think if I understood correctly
all these msgs:
Wed Oct  9 12:25:30 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30 port 2162201848 duplicate
Wed Oct  9 12:25:30 2019 : Error: rlm_radutmp: Logout for NAS 10.50.4.30 port 2162197987, but no Login record
Wed Oct  9 12:25:32 2019 : Error: Discarding duplicate request from client all port 59797 - ID: 175 due to unfinished request 188853
Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client all port 59797 - ID: 175 due to recent request 188853.
Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client all port 48639 - ID: 157 due to recent request 188856.
Wed Oct  9 12:25:34 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30 port 2162201849 duplicate
Wed Oct  9 12:25:35 2019 : Error: Discarding duplicate request from client all port 60778 - ID: 65 due to unfinished request 188863
Wed Oct  9 12:25:35 2019 : Error: Discarding conflicting packet from client all port 60778 - ID: 65 due to recent request 188863.

It's better now?

So all these issues are because my database is slow?
But I have another question: why don't these issues happen with pfsense or aruba authentication? Only mikrotik?


Regards,

Juliana Porto


Re: problems with authentication on freeradius using mikrotik

Orestes Leal Rodríguez
Juliana,

On 10/9/19, juliana sales porto <[hidden email]> wrote:

> So let me think if I understood correctly
> all these msgs:
> Wed Oct  9 12:25:30 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30
> port 2162201848 duplicate
> Wed Oct  9 12:25:30 2019 : Error: rlm_radutmp: Logout for NAS 10.50.4.30
> port 2162197987, but no Login record
> Wed Oct  9 12:25:32 2019 : Error: Discarding duplicate request from client
> all port 59797 - ID: 175 due to unfinished request 188853
> Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client
> all port 59797 - ID: 175 due to recent request 188853.
> Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client
> all port 48639 - ID: 157 due to recent request 188856.
> Wed Oct  9 12:25:34 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30
> port 2162201849 duplicate
> Wed Oct  9 12:25:35 2019 : Error: Discarding duplicate request from client
> all port 60778 - ID: 65 due to unfinished request 188863
> Wed Oct  9 12:25:35 2019 : Error: Discarding conflicting packet from client
> all port 60778 - ID: 65 due to recent request 188863.
>
> It's better now?
>
> So all these issues are because my database is slow?
> But I have another question: why don't these issues happen with pfsense or
> aruba authentication? Only mikrotik?

Can you do a packet capture and confirm that the NAS is sending duplicates?

From RFC 2865:

The RADIUS server can detect a duplicate request if it has the same
client source IP address and source UDP port and Identifier within a
short span of time

And also from https://tools.ietf.org/html/rfc5080#section-2.2.2

The NAS is the problem.

Orestes




Re: problems with authentication on freeradius using mikrotik

mehrzadmo
plz send the mikrotik log, routeros version.


RE: problems with authentication on freeradius using mikrotik

juliana sales porto
In reply to this post by Orestes Leal Rodríguez
Thanks a lot. I will take a look, because I can't check the NAS from Mikrotik. This problem is happening in some locations with MK. I will try to find something to capture the packets.


Regards,

Juliana Porto


Re: problems with authentication on freeradius using mikrotik

Alan DeKok-2
In reply to this post by juliana sales porto
On Oct 9, 2019, at 11:34 AM, juliana sales porto <[hidden email]> wrote:

>
> So let me think if I understood correctly
> all these msgs:
> Wed Oct  9 12:25:30 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30 port 2162201848 duplicate
> Wed Oct  9 12:25:30 2019 : Error: rlm_radutmp: Logout for NAS 10.50.4.30 port 2162197987, but no Login record
> Wed Oct  9 12:25:32 2019 : Error: Discarding duplicate request from client all port 59797 - ID: 175 due to unfinished request 188853
> Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client all port 59797 - ID: 175 due to recent request 188853.
> Wed Oct  9 12:25:33 2019 : Error: Discarding conflicting packet from client all port 48639 - ID: 157 due to recent request 188856.
> Wed Oct  9 12:25:34 2019 : Info: rlm_radutmp: Login entry for NAS 10.71.2.30 port 2162201849 duplicate
> Wed Oct  9 12:25:35 2019 : Error: Discarding duplicate request from client all port 60778 - ID: 65 due to unfinished request 188863
> Wed Oct  9 12:25:35 2019 : Error: Discarding conflicting packet from client all port 60778 - ID: 65 due to recent request 188863.
>
> It's better now?

  Yes.

> So all these issues are because my database is slow?

  Very likely.  If FreeRADIUS doesn't interact with a database, then those messages won't appear.

> But I have another question: why don't these issues happen with pfsense or aruba authentication? Only mikrotik?

  I have no idea.  Only you know how you configured your local system.  Are you using a database?  What is the system doing differently with the different NASes?

  Alan DeKok.
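
The RFC 2865 duplicate check quoted in the thread, applied to packets taken from a capture, as an added example that is not part of the thread or of FreeRADIUS. It assumes the capture has already been reduced to (time, source IP, source port, UDP payload) tuples; comparing the 16-byte Request Authenticator to separate a true retransmission from a reused Identifier, the 30 second window, and the names `classify`, `parse_header`, `make_pkt` and `SAMPLE` are choices made here.

```python
import struct
from collections import namedtuple

# RADIUS header: Code (1), Identifier (1), Length (2), Authenticator (16).
HEADER = struct.Struct("!BBH16s")
Verdict = namedtuple("Verdict", "ts src ident kind first_seen")

def parse_header(payload):
    """Return (code, identifier, authenticator), or None if malformed."""
    if len(payload) < HEADER.size:
        return None
    code, ident, length, auth = HEADER.unpack_from(payload)
    if not HEADER.size <= length <= len(payload):
        return None
    return code, ident, auth

def classify(packets, window=30.0):
    """packets: time-ordered (ts, src_ip, src_port, udp_payload) tuples.
    new: first use of (ip, port, id) within the window (assumed 30 s);
    retransmit: same key, same authenticator (the NAS resent the packet);
    id-reuse: same key, different authenticator (a different request)."""
    seen = {}  # (ip, port, id) -> (first_ts, authenticator)
    out = []
    for ts, ip, port, payload in packets:
        hdr = parse_header(payload)
        if hdr is None:
            out.append(Verdict(ts, (ip, port), None, "malformed", None))
            continue
        _, ident, auth = hdr
        key = (ip, port, ident)
        prev = seen.get(key)
        if prev is None or ts - prev[0] > window:
            kind, first = "new", ts
            seen[key] = (ts, auth)
        elif prev[1] == auth:
            kind, first = "retransmit", prev[0]
        else:
            kind, first = "id-reuse", prev[0]
            seen[key] = (ts, auth)
        out.append(Verdict(ts, (ip, port), ident, kind, first))
    return out

def make_pkt(code, ident, fill):
    """Constructed 20-byte RADIUS packet with no attributes."""
    return HEADER.pack(code, ident, HEADER.size, bytes([fill]) * 16)

# Constructed capture: ports and IDs echo the log lines in the thread; the
# source address (documentation range) and the timings are invented.
SAMPLE = [
    (0.0, "192.0.2.10", 59797, make_pkt(4, 175, 0xAA)),  # Accounting-Request
    (2.0, "192.0.2.10", 59797, make_pkt(4, 175, 0xAA)),  # identical resend
    (3.0, "192.0.2.10", 59797, make_pkt(4, 175, 0xBB)),  # same ID, new request
    (3.5, "192.0.2.10", 60778, make_pkt(4, 65, 0xCC)),
    (4.0, "192.0.2.10", 60778, b"\x04\x41"),             # truncated datagram
]
```

Many `retransmit` verdicts whose `first_seen` is only a second or two earlier point at a NAS that resends before the server has answered, which is the situation the "unfinished request" log lines report.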

