Reply
Highlighted
Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1
Accepted Solution

PPPoE Server Radius Update

[ Edited ]

I have successfully been able to set up my PPPoE server connected to my radius.  I seem to be missing a configuration for AAA interim updates so my radius server doesn't think that the users have disconnected after 10 minutes.

 

The other issue I currently have is that the Edgemax tells the radius server it's NAS ID is 127.0.1.1  I worked around this but not sure why it keeps using only that IP.

 

Thanks for your help in advance.


Accepted Solutions
Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

I found:

 

https://bugs.launchpad.net/ubuntu/+source/radiusclient-ng/+bug/706036

 

and added the following to dictionary-ravpn.  Now it seems to be updating correctly.

 

# RFC 2869
ATTRIBUTE Acct-Interim-Interval 85 integer

# Limit session traffic
ATTRIBUTE Session-Octets-Limit 227 integer

# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE Octets-Direction 228 integer

# Octets-Direction
VALUE Octets-Direction Sum 0
VALUE Octets-Direction Input 1
VALUE Octets-Direction Output 2
VALUE Octets-Direction MaxOveral 3
VALUE Octets-Direction MaxSession 4

View solution in original post


All Replies
Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

OK, So I've tried finding a way to force the sessions to re-auth every X minutes as well as trying to find a way to get the radius client to send an update.  I have hit a brick wall with both options.  Am I missing something or is this not currently an available option with EdgeMax through even the CLI?

 

Thanks

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

From what I can see, the RADIUS server needs to include the "Acct-Interim-Interval" attribute (in its "Access-Accept" response) if it wants to receive interim updates. Is there a setting for this on your RADIUS server? For example, for freeradius it looks like this can be set in the "acct_users" config file.

Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

Here is my radius communication information.  I don't seem to be getting updates.

 

Sending Access-Accept of id 119 to 10.0.3.1 port 56236
        MS-CHAP2-Success = 0xef533d4333423235414239453335393xxxxxxxxxxxxxxxxxxxxxxxxxxxx
        MS-MPPE-Recv-Key = 0x4c4c7dbff535caa3xxxxxxxxxxxxxxxxxx
        MS-MPPE-Send-Key = 0x302cbcf5329a50bxxxxxxxxxxxxxxxxxxx
        MS-MPPE-Encryption-Policy = 0x00000001
        MS-MPPE-Encryption-Types = 0x00000006
        Acct-Interim-Interval = 300
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Accounting-Request packet from host 10.0.3.1 port 50549, id=120, length=128
        Acct-Session-Id = "xxxxxxx"
        User-Name = "xxxxxxx"
        Acct-Status-Type = Start
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Calling-Station-Id = "xxxxxx"
        Acct-Authentic = RADIUS
        NAS-Port-Type = Async
        Framed-IP-Address = xxx

        NAS-IP-Address = 127.0.1.1
        NAS-Port = 12
        Acct-Delay-Time = 0

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Maybe try capturing packets and see if the interim update packets are actually sent out by the router? Also, check the system log /var/log/messages to see if there's any errors/warnings (e.g., failing to send interim updates).

Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

[ Edited ]

There is no dictionary entry on the EdgeMax for Acct-Interim-Interval under any of the dictionary files

 

The Acct-Interim-Interval is not being written into the radattr.pppX

 

It does not seem the EdgeMax currently supports Acct-Interim-Interval with the 1.1 firmware and dictionarys.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah good point, I was looking at the PPP side and the plugin does seem to support interim updates, but maybe the radiusclient library used by the plugin does not. Do you see any messages in the log indicating unknown attributes or something like that from the library? Also, you could try adding an entry 85 for the Acct-Interim-Interval attribute (the dictionary file is "/etc/radiusclient-ng/dictionary-ravpn") and see if it is able to process the attribute correctly.

Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

I found:

 

https://bugs.launchpad.net/ubuntu/+source/radiusclient-ng/+bug/706036

 

and added the following to dictionary-ravpn.  Now it seems to be updating correctly.

 

# RFC 2869
ATTRIBUTE Acct-Interim-Interval 85 integer

# Limit session traffic
ATTRIBUTE Session-Octets-Limit 227 integer

# What to assume as limit - 0 in+out, 1 in, 2 out, 3 max(in,out)
ATTRIBUTE Octets-Direction 228 integer

# Octets-Direction
VALUE Octets-Direction Sum 0
VALUE Octets-Direction Input 1
VALUE Octets-Direction Output 2
VALUE Octets-Direction MaxOveral 3
VALUE Octets-Direction MaxSession 4

SuperUser
Posts: 4,016
Registered: ‎06-30-2010
Kudos: 1830
Solutions: 173
Contributions: 9

Re: PPPoE Server Radius Update

Added the above to dictionary-ravpn according to bug.

I use Radius Manager, added "Acct-Interim-Interval=60" to "Custom RADIUS attributes" field.

 

Logged in and see 

root@EdgeRouter-PoE:/etc/radiusclient-ng# cat /var/run/radattr.ppp0 
MS-CHAP2-Success xxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
MS-MPPE-Recv-Key xxxxxxxxxxxxxxxxx
MS-MPPE-Send-Key xxxxxxxxxxxxxxxxxx
MS-MPPE-Encryption-Policy 
MS-MPPE-Encryption-Types 
Acct-Interim-Interval 60

 And RM keeps "Connection Status" = Online , and traffic report updates every minute.

 

/Paetur

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah that's good information! We should be able to add the dictionary entries into our package. Thanks!

Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

Remember that the value for Acct-Interim-Interval MUST NOT be below 60 and most common uses are between 300-600 to keep network traffic to a minimum while keeping good accounting.
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah, that's good recommendation! On the router side, the PPP plugin also enforces the RFC requirement, i.e., it will use 60 if the server sends something smaller.

SuperUser
Posts: 4,016
Registered: ‎06-30-2010
Kudos: 1830
Solutions: 173
Contributions: 9

Re: PPPoE Server Radius Update

On mikrotik, the interim is set on the router.

/Paetur
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah we could look into changing the PPP plugin to make the interval configurable on the router side. Of course first we need to make sure the interval from the RADIUS server works since the server is required to send it (if it wants updates) according to the RFC.

Member
Posts: 157
Registered: ‎01-03-2013
Kudos: 18
Solutions: 6

Re: PPPoE Server Radius Update

Is there any fresh update on this ?  We are also using RadiusManager and we need to set Interim-Update time how can we do this ?

Thanks !!!

Upcoming UBNT Certified Training in India
Click Here


Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah the dictionary issue was fixed a few releases back so interim updates should work if requested by the RADIUS server. For the case where the server somehow doesn't/can't send the request, we will need to add a configuration option to hard-code this on the router side and that is on the TODO list as discussed.

Member
Posts: 157
Registered: ‎01-03-2013
Kudos: 18
Solutions: 6

Re: PPPoE Server Radius Update

server cannot send interim requst without an API support i think 

Is there any way we can resolve this temporarily at our side in the router 

Upcoming UBNT Certified Training in India
Click Here


Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

As mentioned this requires modifications to the RADIUS plugin to support such servers that are not compliant with RFC.

I've got a few minutes today so decided to add an option to the plugin to override the interim interval. If you're interested, you can try the attached ppp package. You will also need to change the file "/opt/vyatta/share/perl5/Vyatta/PPPoEServerConfig.pm", add the following line:

$rstr .= "override-interim 60\n";

before this existing line:

$rstr .= "plugin radattr.so\n";

then reconfigure the PPPoE server so that the config gets re-generated. Would be great if ajbtv2 and Paetur and others can give this a try too of course. If this work we can look at making it a configurable setting in the next release.

Attachment
Established Member
Posts: 812
Registered: ‎12-24-2010
Kudos: 195
Solutions: 26
Contributions: 1

Re: PPPoE Server Radius Update

[ Edited ]

I just dropped in the new package.  First review is that is does truly ignore any Interim-Update parameters sent in the RADIUS reply, even tho the attribute is still captured in the raddattr.pppoesX file in /var/run


I've tested with override-interim 120 and 240 and both stop sending accounting data at 60 *which is what is sent in the reply* and send on the new override.

This is a great first step. You have to add the line in the correct location or you will get an "Invalid attribute in config" error and no clients will connect.  I didn't read the lines fully and placed it 5 lines too high to begin with.

I'm wondering what it would take to set this up with a toggle to choose either an override or an "if attr missing, then use XX" function, but at this point I think this a step in the right direction for addition to the config.

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5465
Solutions: 1656
Contributions: 2

Re: PPPoE Server Radius Update

Yeah that's a good point, I can make it a "default interim interval" instead of "override". Thanks for testing it!

Reply