Fwd: Radius question?

yick xie yick.xie at gmail.com
Thu Oct 15 13:11:25 PDT 2015


Hi Nikos
I deployed ocserv 0.10.8 compiled with gnutls-serv 3.3.15 and
freeradius 3.0.9 cooperating with radiusclient 1.1.7 on the same server.
And I used Cisco Anyconnect on iOS 7 and Windows 7 to test via both
user-password and certificate.
I repeatedly logged in and logged out at random intervals at
2:30am (I think the network was better then) from China to the server (US west),
about 250ms+.
Every time the client was checked as offline with the commands "occtl show users"
and "ifconfig".
Of course, when ocserv failed to send "closing session", the radius server
(watched with radiusd -X) got nothing to respond to.
From the log I suspect ocserv treated such kinds of disconnect as
"temporarily closing" (actually that session was gone; no one could
re-initiate it).
If I sign in and sign out quickly and frequently, within 2-3 seconds, such
problems can be detected much more easily.

If I have missed any information you need, please let me know.
Regards,
Yick

The modified part of my ocserv config was listed below:
auth = "radius[config=/etc/radiusclient/radiusclient.conf,groupconfig=true]"
enable-auth = certificate
acct = "radius[config=/etc/radiusclient/radiusclient.conf]"
tcp-port = 443
udp-port = 443
stats-report-time = 150
keepalive = 32400
dpd = 90
mobile-dpd = 1800
try-mtu-discovery = true
tls-priorities = "PERFORMANCE:-CIPHER-ALL:+AES-128-CBC:+AES-128-GCM:%SERVER_PRECEDENCE:%COMPAT:-VERS-SSL3.0:+VERS-TLS1.2"
auth-timeout = 120
min-reauth-time = 30
cookie-timeout = 1800
use-utmp = true
use-occtl = true
ipv4-network = 10.0.0.0
ipv4-netmask = 255.255.255.0
dns = 10.0.0.1
ping-leases = true
output-buffer = 35
no-route = xxxxx
......
no-route = xxxxx


bug log:

ocserv[4563]: worker:  tlslib.c:378: no certificate was found
ocserv[4479]: sec-mod: using 'radius' authentication to authenticate
user (session: Nn5+O)
ocserv[4479]: radius-auth: communicating username (phone) and password
ocserv[4564]: worker:  tlslib.c:378: no certificate was found
ocserv[4478]: main: *.*.*.*:51910 user disconnected
ocserv[4565]: worker:  tlslib.c:378: no certificate was found
ocserv[4479]: radius-auth: opening session Nn5+OUNO8CMA1k3tgUEB3Q==
ocserv[4478]: main[phone]: *.*.*.*:51911 new user session
ocserv[4479]: sec-mod: initiating session for user 'phone' (session: Nn5+O)
ocserv[4478]: main: pinged 10.0.0.59 and is not in use
ocserv[4478]: main[phone]: *.*.*.*:51911 user logged in
ocserv[4478]: main: *.*.*.*:51909 user disconnected

(disconnect)
ocserv[4478]: main[phone]: *.*.*.*:51911 user disconnected
ocserv[4479]: sec-mod: temporarily closing session for phone (session: Nn5+O)

(Sometimes, after several minutes, a "closing session" is seen that
amends it. The FreeRADIUS server then receives "Lost-Service" as the
cause, and the "Simultaneous-Use" feature may run into a big challenge.)
ocserv[4479]: radius-auth: closing session


normal log:

ocserv[4544]: worker:  tlslib.c:378: no certificate was found
ocserv[4479]: sec-mod: using 'radius' authentication to authenticate
user (session: dZxHU)
ocserv[4479]: radius-auth: communicating username (phone) and password
ocserv[4545]: worker:  tlslib.c:378: no certificate was found
ocserv[4478]: main: *.*.*.*:51900 user disconnected
ocserv[4546]: worker:  tlslib.c:378: no certificate was found
ocserv[4479]: radius-auth: opening session dZxHUYLzDWcCdh8qu8X94Q==
ocserv[4478]: main[phone]: *.*.*.*:51901 new user session
ocserv[4479]: sec-mod: initiating session for user 'phone' (session: dZxHU)
ocserv[4478]: main: pinged 10.0.0.59 and is not in use
ocserv[4478]: main[phone]: *.*.*.*:51901 user logged in
ocserv[4478]: main: *.*.*.*:51899 user disconnected

(disconnect)
ocserv[4479]: radius-auth: sending session interim update
ocserv[4478]: main[phone]: *.*.*.*:51901 user disconnected
ocserv[4479]: sec-mod: invalidating session of user 'phone' (session: dZxHU)
ocserv[4479]: radius-auth: closing session
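The two log excerpts above differ in one line: the bug case ends a session with "sec-mod: temporarily closing session" and (at least for a while) never sends "radius-auth: closing session", so no Accounting-Stop reaches FreeRADIUS and Simultaneous-Use still counts the user as online. The script below is an added example, not part of this report or of ocserv; it runs over lines in the format shown above (ocserv 0.10.8; other versions may word these messages differently) and reports sessions that were torn down without a matching RADIUS close. It assumes that sec-mod and radius-auth messages share one pid, as they do in both excerpts, which is what lets it tie the id-less "closing session" line to the session that was just torn down. The embedded sample logs are derived from the excerpts above; the bug sample deliberately omits the late "closing session" line to model the failure the report describes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Patterns for the ocserv 0.10.8 messages seen in the report. The session id used
# as the key is the short id that sec-mod prints, e.g. "Nn5+O".
LINE_RE = re.compile(r"ocserv\[(?P<pid>\d+)\]: (?P<msg>.*)$")
INIT_RE = re.compile(r"sec-mod: initiating session for user '(?P<user>[^']+)' \(session: (?P<sid>[^)]+)\)")
TEMP_RE = re.compile(r"sec-mod: temporarily closing session for (?P<user>\S+) \(session: (?P<sid>[^)]+)\)")
INVAL_RE = re.compile(r"sec-mod: invalidating session of user '(?P<user>[^']+)' \(session: (?P<sid>[^)]+)\)")
CLOSE_RE = re.compile(r"radius-auth: closing session")


@dataclass
class Session:
    sid: str
    user: str
    # open -> temp_closed | invalidated -> acct_stopped
    state: str = "open"


def analyse(log_text: str) -> Dict[str, Session]:
    """Replay ocserv log lines and track each session's accounting state."""
    sessions: Dict[str, Session] = {}
    # Per pid, the sessions that left "open" and are still waiting for the
    # id-less "radius-auth: closing session" line (oldest first).
    pending: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue
        pid, msg = m.group("pid"), m.group("msg")
        if (mi := INIT_RE.search(msg)):
            sessions[mi["sid"]] = Session(mi["sid"], mi["user"])
        elif (mt := TEMP_RE.search(msg)):
            s = sessions.setdefault(mt["sid"], Session(mt["sid"], mt["user"]))
            s.state = "temp_closed"
            pending.setdefault(pid, []).append(s.sid)
        elif (mv := INVAL_RE.search(msg)):
            s = sessions.setdefault(mv["sid"], Session(mv["sid"], mv["user"]))
            s.state = "invalidated"
            pending.setdefault(pid, []).append(s.sid)
        elif CLOSE_RE.search(msg):
            queue = pending.get(pid, [])
            if queue:
                sessions[queue.pop(0)].state = "acct_stopped"
    return sessions


def stale_sessions(sessions: Dict[str, Session]) -> List[str]:
    """Sessions ocserv only 'temporarily' closed: no Accounting-Stop was sent,
    so a RADIUS Simultaneous-Use limit would still count them as active."""
    return sorted(sid for sid, s in sessions.items() if s.state == "temp_closed")


# Sample derived from the "bug log" in the report, without the late
# "closing session" line (constructed to model the failure case).
BUG_LOG = """\
ocserv[4479]: sec-mod: using 'radius' authentication to authenticate user (session: Nn5+O)
ocserv[4479]: radius-auth: communicating username (phone) and password
ocserv[4479]: radius-auth: opening session Nn5+OUNO8CMA1k3tgUEB3Q==
ocserv[4478]: main[phone]: *.*.*.*:51911 new user session
ocserv[4479]: sec-mod: initiating session for user 'phone' (session: Nn5+O)
ocserv[4478]: main[phone]: *.*.*.*:51911 user logged in
ocserv[4478]: main[phone]: *.*.*.*:51911 user disconnected
ocserv[4479]: sec-mod: temporarily closing session for phone (session: Nn5+O)
"""

# Sample derived from the "normal log" in the report.
NORMAL_LOG = """\
ocserv[4479]: sec-mod: using 'radius' authentication to authenticate user (session: dZxHU)
ocserv[4479]: radius-auth: opening session dZxHUYLzDWcCdh8qu8X94Q==
ocserv[4478]: main[phone]: *.*.*.*:51901 new user session
ocserv[4479]: sec-mod: initiating session for user 'phone' (session: dZxHU)
ocserv[4478]: main[phone]: *.*.*.*:51901 user logged in
ocserv[4479]: radius-auth: sending session interim update
ocserv[4478]: main[phone]: *.*.*.*:51901 user disconnected
ocserv[4479]: sec-mod: invalidating session of user 'phone' (session: dZxHU)
ocserv[4479]: radius-auth: closing session
"""

if __name__ == "__main__":
    for name, text in (("bug", BUG_LOG), ("normal", NORMAL_LOG)):
        print(name, {sid: s.state for sid, s in analyse(text).items()},
              "stale:", stale_sessions(analyse(text)))
```

Feeding the bug sample reports Nn5+O as stale, while the normal sample reports nothing; appending the late "ocserv[4479]: radius-auth: closing session" line to the bug sample moves Nn5+O to acct_stopped, which is the "amended" case the report mentions. Running this against a syslog tail gives a quick view of how many sessions are occupying a Simultaneous-Use slot on the RADIUS side without a VPN connection behind them.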



More information about the openconnect-devel mailing list