Radius timeout

Hi there,
this is my first post here, and I would like to apologize in advance if I violate any forum rules. However, I have a very strange problem with my router, Mikrotik 2.8.11 (yeah, I know that it’s an old version, but it has fed my needs to this moment), so I am trying to use a radius server to authenticate my pptp users. First, I wish to mention that I did it a couple of times before (even in older versions of Mikrotik (2.7.x)) with the same radius etc., but now I am stuck on a very annoying issue. Every time users try to log in with a pptp client, the router says “radius timeout”, but that’s not even true, because I started some traffic analyzers (tethereal, tcpdump) on my freeradius machine to check what is actually happening, and I can’t see a single packet coming from the mikrotik. So why does it say “radius timeout” when it didn’t try to reach the radius server? My configuration is attached below, and any ideas will be appreciated!!!

(PPTP server has ip : 192.168.20.1, FreeRadius is installed on: 192.168.20.7)

/ radius
add service=ppp called-id="192.168.20.1" domain="" address=192.168.20.7 secret="realsecret" \
    authentication-port=1812 accounting-port=1813 timeout=10s accounting-backup=yes comment="Radius" \
    disabled=no

/ ppp aaa
[admin@border] ppp aaa> print
use-radius: yes
accounting: yes
interim-update: 5m

/ snipped log

mar/22/2007 12:01:36 : terminating… - user dpetrov authentication failed - radius timeout
mar/22/2007 12:01:36 : disconnected

At this time, my tcpdump on freeradius was turned on, and there’s nothing coming from the mikrotik router. I did some tests with the “radtest” binary that comes with freeradius, and here is the result:

Sending Access-Request of id 50 to 192.168.20.7:1812
    User-Name = "dpetrov"
    User-Password = "$1$us5oTF8d$YpEQw97zKS5ku.ADkJvNn0"
    NAS-IP-Address = netguard
    NAS-Port = 7
rad_recv: Access-Accept packet from host 192.168.20.7:1812, id=50, length=32
    Framed-IP-Address = 192.168.123.100
    Framed-IP-Netmask = 255.255.255.128

Thank you for reading, and sorry for bad English :)
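An added example, not part of the original post: a minimal RADIUS decoder for the UDP payloads a capture on the FreeRADIUS host would contain, run on a constructed Access-Accept that mirrors the radtest reply above (20-byte header plus two 6-byte attributes gives the reported length=32). The function names are hypothetical and the 16-byte authenticator is zero-filled dummy data.

```python
import ipaddress
import struct

# RADIUS packet codes and attribute types from RFC 2865
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
ATTRS = {1: "User-Name", 4: "NAS-IP-Address", 5: "NAS-Port",
         8: "Framed-IP-Address", 9: "Framed-IP-Netmask"}
IP_ATTRS = {4, 8, 9}

def parse_radius(payload: bytes) -> dict:
    """Decode the UDP payload of one RADIUS packet (header + attributes)."""
    if len(payload) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", payload[:4])
    if not 20 <= length <= len(payload):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = payload[pos], payload[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        value = payload[pos + 2:pos + a_len]
        if a_type in IP_ATTRS and len(value) == 4:
            value = str(ipaddress.IPv4Address(value))
        elif a_type == 5 and len(value) == 4:
            value = struct.unpack("!I", value)[0]
        elif a_type == 1:
            value = value.decode("utf-8", "replace")
        attrs.append((ATTRS.get(a_type, f"Attr-{a_type}"), value))
        pos += a_len
    return {"code": CODES.get(code, f"Code-{code}"), "id": ident,
            "length": length, "authenticator": payload[4:20], "attributes": attrs}

def build_sample_accept() -> bytes:
    """Constructed Access-Accept mirroring the radtest reply (dummy authenticator)."""
    body = b"".join(
        bytes([t, 6]) + ipaddress.IPv4Address(ip).packed
        for t, ip in ((8, "192.168.123.100"), (9, "255.255.255.128")))
    return struct.pack("!BBH", 2, 50, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(parse_radius(build_sample_accept()))
```
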

And does that not answer your question? Radius uses UDP, which is a protocol that is not guaranteed to be delivered. The links used to transmit these packets are more than likely of a bad quality, and you are having packet loss between your mikrotik and radius machine…

Not at all. My connection between the two routers (MT and FreeRadius, which is actually a server) is 100mbps ethernet. They are both connected to one network switch, and there are no connection issues between them. So that could not be the problem (I can guarantee at 100%).

Any other suggestions? :)

Upgrade to a newer version… if you are having a problem, then how is it filling your needs??

ASAD

My problems started since I need to implement a VPN service for my colleagues. But your answer sounds like caviling. So when you don’t know how to help me, please don’t get abusive on my post.

Well.. I’d also upgrade.

It’s quite possible that there was a problem with Radius in that old version. Is any radius working at all?

As a test, I would also set accounting-backup=no, I’d increase the timeout, and I’d remove the called-id configuration on the MT…

Hi,
everything you said was tested before I posted here (nothing helped). Unfortunately I can’t update my MT router, because the license has already expired (since 2005) and the machine is far away from me (>500km away). The other workaround for me is to use local authentication, but doing this, I will lose my user management capabilities (or I need to write additional perl scripts for my user management system), because when I have Radius to authenticate my pptp colleagues, user management is quite easy (just a few sql queries to the database). That’s why I need a solution to my problem, not a workaround (new version, new machine or local authentication).

Thank you anyway!

BR,
Danail Petrov

fair enough.

the fact of the matter though: unless the packets end up at the radius server (which they don’t, as far as your tcpdump goes), there’s nothing radius can do here. your problem lies at the MT…

Well, I don’t have many choices, but what I’m really scared of is the result of my investigation of newer MT routers. I have a few more MT in my network, which act as distribution routers for different offices. So, I tried to set up the Radius server on another MT router (2.9.6), and I get “radius timeout” again :)
So, please… can anyone tell me which version of MT I should use to get my network working properly (including routing protocols OSPF, BGP [because now it doesn’t work])? :)

P.S. Is there any possibility of a remote upgrade of MT packages although my license has expired? And even if I can perform the upgrade, what will happen to my current configuration? I’m sure that at least 50% of my current config will not be applied properly in the newest MT version? Does it?

Kind Regards,
Danail Petrov

Dear Danail Petrov,

I am not adding abuse to your post.. I have a lot of experience with numerous access servers & radiuses and your post just made it clear that the problem lies in your MT.. so that’s why I said to upgrade it..

well, if not in the MT, the problem could be in your network.. check firewalls on your radius machine.. network accessibility, whether radius really is accessible to the MT or not.. and lastly assign the same IP as the MT to a machine in your network, possibly in the same network segment as the MT, and run radtest or ntradping (win).. the newly implemented VPN might be causing some problems..

regds,
Asad

[quote="danailpetrov"]
So, I tried to set up the Radius server on another MT router (2.9.6), and I get “radius timeout” again :)
[/quote]

So why not enlighten me rather as to why you upgraded to 2.9.6, instead of the latest, 2.9.41 (odd)? If you are going to take the risk to upgrade something 500km odd away, then upgrading it once to the latest version should have you covered. I think there’s a significant amount more here that you are not telling us…

moral of the story, you have something blocking the radius requests. check your firewalls, stop trying to be clever. we’re helping you because we want to, not because we have to

Hello savage, you got me wrong. I didn’t upgrade anything, I just have a couple of MT routers in my network. Some of them were purchased at different times, which is where the differences between versions come from.

What do you mean? I can’t get that..

I guarantee at 100% that there is NOTHING to block ANY requests, but however

What are you talking about? How did you get to this conclusion?

“fair enough”.

Kind Regards,
Danail Petrov