Netgate Discussion Forum
    CP cannot work when VM and host are working together

      zlyzwy

      I am trying to build a Hotspot with PF (CP + FreeRadius2 pkg) + MySQL.
      Basically I have got it working, CP and FreeRadius will do the auth for clients and MySQL will log the data I need.
      There is one client running VMware Workstation inside Win2003. They are using the same physical network card, VM is bridged on win2003.
      The problem is only one (VM or Win2003) can pass CP to access the Internet.

      In my opinion, even though the VM's network is bridged on win2003, there should be two MACs in CP's log. However, as I tested here, there is always one MAC record for win2003.

      The error in system log:

      Jan 20 11:15:07 radiusd[55144]:rlm_radutmp: Logout for NAS CP port 76, but no Login record
      Jan 20 11:15:07 radiusd[55144]: rlm_radutmp: Logout for NAS CP port 76, but no Login record
      Jan 20 11:14:06 radiusd[55144]: rlm_radutmp: Login entry for NAS CP port 76 wrong order
      Jan 20 11:14:06 radiusd[55144]: rlm_radutmp: Login entry for NAS CP port 76 wrong order
      

      What I have tried:
      1. Put both VM and Win2003's MAC to the pass list, it doesn't work
      2. Change VM's MAC to be the same as win2003, it doesn't work

      Does anyone have any idea on this?

      Thanks for any reply in advance.

        Nachtfalke

        I found this on the net:

        http://lists.gnu.org/archive/html/help-gnu-radius/2009-09/msg00000.html

        1. login: entry for NAS %s port %d wrong order

        While writing a start entry, radiusd discovered that this NAS/port
        combination is already marked with stop for the same session id.
        This means that the stop record reached radius server before the
        start record (possibly due to network issues or high server load).
        Usually the corresponding session has zero Acct-Session-Time
        attribute.

        Do you have "reauthenticate every minute" enabled on CP ?

        I had such logs, too. I think the problem is CP.
        When I set "Simultaneous-Use := 1" in freeradius users and I enable "reauthenticate every minute" on CP then it doesn't work. radutmp recognizes a double login. This makes sense:
        If CP tries to reauthenticate it must first disconnect the session and then reconnect again. But CP is using same NAS-Port, ID and so on. So radutmp gets an incorrect order (because of the same attributes which CP sends).

        When you browse the web and radiusd re-authenticates then you will be disconnected and cannot reconnect because of "Simultaneous-Use:= 1". This is why we need at least Simultaneous-use := 2 so that it will work on CP.

        I will post to mailing lists because I think it is a CP issue. Perhaps it is possible to change the NAS port dynamically so that each new request has a new NAS port.

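A way to check a radiusd log for the pattern discussed in the post above, as an added example that is not part of the original thread: it parses the two rlm_radutmp messages, collapses the doubled lines, and reports per NAS port whether the anomalies recur at a steady interval. The sample lines are constructed in the format quoted in this thread; the function names, the assumed year and the 5-second tolerance are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of the radiusd lines quoted in this thread
# (newest first, most lines logged twice); not taken from a real system.
SAMPLE = """\
Jan 21 14:08:44 radiusd[100]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
Jan 21 14:08:44 radiusd[100]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
Jan 21 14:07:43 radiusd[100]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
Jan 21 14:07:43 radiusd[100]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
Jan 21 14:06:42 radiusd[100]:rlm_radutmp: Logout for NAS CP port 4, but no Login record
Jan 21 14:05:41 radiusd[100]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
Jan 21 14:05:18 radiusd[100]: Login OK: [00-00-5e-00-53-01] (from client CP port 4)
Jan 21 14:09:10 radiusd[100]: rlm_radutmp: Logout for NAS CP port 9, but no Login record
"""

LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s+[\d:]{8})\s+radiusd\[\d+\]:\s*rlm_radutmp:\s+"
    r"(?P<kind>Login entry|Logout) for NAS (?P<nas>\S+) port (?P<port>\d+)"
)

def parse(log_text, year=2000):
    """Return de-duplicated (time, nas, port, kind) anomalies, oldest first."""
    events = set()
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # e.g. "Login OK" lines are not radutmp anomalies
        # syslog omits the year; an assumed one keeps strptime unambiguous
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        kind = "start_after_stop" if m["kind"] == "Login entry" else "stop_without_start"
        events.add((ts, m["nas"], int(m["port"]), kind))
    return sorted(events)

def summarize(log_text, tolerance_s=5):
    """Per (NAS, port): anomaly count, plus the period if the gaps are steady."""
    times = defaultdict(list)
    for ts, nas, port, _kind in parse(log_text):
        times[(nas, port)].append(ts)
    report = {}
    for key, seen in times.items():
        gaps = [int((b - a).total_seconds()) for a, b in zip(seen, seen[1:])]
        steady = len(gaps) >= 2 and max(gaps) - min(gaps) <= tolerance_s
        period = round(sum(gaps) / len(gaps)) if steady else None
        report[key] = {"events": len(seen), "period_s": period}
    return report

if __name__ == "__main__":
    for key, info in summarize(SAMPLE).items():
        print(key, info)
```

A steady period near 60 seconds on one port is consistent with a periodic trigger on the NAS side rather than occasional packet reordering; a port with no steady period needs its accounting packets examined individually.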
          zlyzwy

          Hi Nachtfalke,

          Thanks for your time and help!!

          Yes, I did enable the "reauthenticate every minute" in CP.

          With this option disabled, the VM still can't access the Internet. Furthermore I can still see the error log:

          Jan 21 14:08:44	radiusd[48703]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
          Jan 21 14:08:44	radiusd[48703]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
          Jan 21 14:07:43	radiusd[48703]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
          Jan 21 14:07:43	radiusd[48703]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
          Jan 21 14:06:42	radiusd[48703]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
          Jan 21 14:06:42	radiusd[48703]: rlm_radutmp: Logout for NAS CP port 4, but no Login record
          Jan 21 14:05:41	radiusd[48703]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
          Jan 21 14:05:41	radiusd[48703]: rlm_radutmp: Login entry for NAS CP port 4 wrong order
          Jan 21 14:05:18	radiusd[48703]: Login OK: [00-02-a5-4e-df-67] (from client CP port 4 cli 00-02-a5-4e-df-67)
          Jan 21 14:05:18	radiusd[48703]: Login OK: [00-02-a5-4e-df-67] (from client CP port 4 cli 00-02-a5-4e-df-67)
          

          Can you take a look at my setting as below?

          • CP
            Enable captive portal --> check
            Interfaces --> LAN
            Authentication --> RADIUS Authentication
            Primary RADIUS server/ IP --> PF's IP
            Shared secret  --> xxxxx
            send RADIUS accounting packets -->  check
            Accounting updates --> stop/start accounting
            Enable RADIUS MAC authentication --> check
            Shared secret --> zzzzz
            RADIUS NAS IP attribute  --> LAN
            Use RADIUS Session-Timeout attributes  --> check
            MAC address format --> ietf

          • FreeRadius
            Users
            Username --> Server's MAC
            Password --> zzzzzz
            Number of simultaneous connections --> 10

            NAS/Clients
            Client IP Address --> 192.168.1.1
            Client Shared Secret --> xxxxx

          SQL settings shouldn't be the problem.

          The rest of settings are all in default.

            zlyzwy

            It seems there is no fix for this issue.

            Currently I still can't use FreeRadius2 + CP cause of this problem.

            I hope there is some attention on this issue.

            Thanks in advance!

              Nachtfalke

              @zlyzwy:

              It seems there is no fix for this issue.

              Currently I still can't use FreeRadius2 + CP cause of this problem.

              I hope there is some attention on this issue.

              Thanks in advance!

              Hmm…it is working but only without Simultaneous-Use in FreeRADIUS. Just leave the field empty. Then there is still the error in syslog but then there is no disconnection.
              But I am pretty sure that the problem is CP because I tried with another NAS (AP with DD-WRT) and there isn't such a problem/error.

              I posted this issue on pfsense mail list but we didn't find a solution. We discussed several problems there. Take a look at the conversation.
              http://lists.pfsense.org/pipermail/dev/2012-January/000118.html

              Why it isn't working with your VM environment…puh...I don't know.

              If I find a solution I will fix it. If someone tells me the solution, I will fix it. But at the moment I am out of ideas.

                zlyzwy

                @Nachtfalke:

                Hmm…it is working but only without Simultaneous-Use in FreeRADIUS. Just leave the field empty. Then there is still the error in syslog but then there is no disconnection.
                But I am pretty sure that the problem is CP because I tried with another NAS (AP with DD-WRT) and there isn't such a problem/error.

                I posted this issue on pfsense mail list but we didn't find a solution. We discussed several problems there. Take a look at the conversation.
                http://lists.pfsense.org/pipermail/dev/2012-January/000118.html

                Why it isn't working with your VM environment...puh...I don't know.

                If I find a solution I will fix it. If someone tells me the solution, I will fix it. But at the moment I am out of ideas.

                First I would like to appreciate your great help.

                If I have money I will put a bounty on this, I am afraid I can't afford it..

                I noticed that PF 2.1 is now running snapshot, I will give it a try later. Maybe there is some luck?

                Anyway, thanks a lot ~~
