FreeRADIUS filtering of action AVPs for MPD5 routers acting as both LAC and LNS

  • PPPoE sessions from the incumbent telco come randomly to one of our 3 LNSes
  • single authentication database in PostgreSQL, served by FreeRADIUS
  • MLPPP sessions need to be terminated on the same LNSes, we can specify this with a RADIUS AVP
  • MPD5 (our LNS software) doesn’t take well to receiving the L2TP forwarding instruction when the termination point is itself (could create an infinite loop, or broken config)
  • We need to filter out the mpd-action AVP from the RADIUS reply
  • We’re not the first to have the problem, although I might be the first to document how to resolve it
  • FreeRADIUS’ and MPD5’s docs are okay, but more of a reference than a guide for a newcomer

Step 1: Add a policy script that will filter the mpd-action attribute from an LNS, but not a LAC.

RADSERVER # cat /usr/local/etc/raddb/policy.d/antiloop
antiloop.post-auth {
    if ( \
        (NAS-IP-Address == "100.64.0.201" && reply:mpd-action == "forward LNS01") || \
        (NAS-IP-Address == "100.64.0.202" && reply:mpd-action == "forward LNS02") || \
        (NAS-IP-Address == "100.64.0.203" && reply:mpd-action == "forward LNS03") \
    ) {
        update reply {
            mpd-action !* ANY   # nukes this AVP, regardless of value
        }
    }
}
RADSERVER #

Step 2: Call the policy from the post-auth {} block of the FreeRADIUS site definition
(probably /usr/local/etc/raddb/sites-available/default if you’re on FreeBSD). A policy named antiloop.post-auth is what FreeRADIUS picks up when you reference antiloop from the post-auth section:

# Post-Authentication
# Once we KNOW that the user has been authenticated, there are
# additional steps we can take.
post-auth {
    antiloop
    ...

Step 3: Restart FreeRADIUS
Step 4: Test

[00:28:53] 0 root@LNS01:~$ radtest SendToFirstLNS@servernorth.net lamepw RADSERVER 1812 radpw

Sending Access-Request of id 242 to RADSERVER port 1812
        User-Name = "SendToFirstLNS@servernorth.net"
        User-Password = "lamepw"
        NAS-IP-Address = 100.64.0.201
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host RADSERVER port 1812, id=242, length=26
        Framed-IP-Address = 10.111.111.111
[00:30:14] 0 root@LNS01:~$ radtest SendToThirdLNS@servernorth.net lamepw RADSERVER 1812 radpw
Sending Access-Request of id 177 to RADSERVER port 1812
        User-Name = "SendToThirdLNS@servernorth.net"
        User-Password = "lamepw"
        NAS-IP-Address = 100.64.0.201
        NAS-Port = 1812
        Message-Authenticator = 0x00000000000000000000000000000000
rad_recv: Access-Accept packet from host RADSERVER port 1812, id=177, length=51
        mpd-action = "forward LNS03"
        Framed-IP-Address = 10.33.33.33
[00:30:20] 0 root@LNS01:~$ 
[root@LNS03 ~]# radtest SendToFirstLNS@servernorth.net lamepw RADSERVER 1812 radpw
Sent Access-Request Id 117 from 0.0.0.0:39833 to RADSERVER:1812 length 100
        User-Name = "SendToFirstLNS@servernorth.net"
        User-Password = "lamepw"
        NAS-IP-Address = LNS03
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "lamepw"
Received Access-Accept Id 117 from RADSERVER:1812 to 0.0.0.0:0 length 51
        Attr-26.12341.18 = 0x666f7277617264204236412d4c4e533031*
        Framed-IP-Address = 10.111.111.111
[root@LNS03 ~]# radtest SendToThirdLNS@servernorth.net lamepw RADSERVER 1812 radpw
Sent Access-Request Id 116 from 0.0.0.0:39457 to RADSERVER:1812 length 100
        User-Name = "SendToThirdLNS@servernorth.net"
        User-Password = "lamepw"
        NAS-IP-Address = LNS03
        NAS-Port = 1812
        Message-Authenticator = 0x00
        Cleartext-Password = "lamepw"
Received Access-Accept Id 116 from RADSERVER:1812 to 0.0.0.0:0 length 26
        Framed-IP-Address = 10.33.33.33
[root@LNS03 ~]#

* Note: LNS03 doesn’t have the mpd-action AVP in its RADIUS dictionary, so radtest prints the raw vendor-specific attribute (vendor 12341, type 18) as “Attr-26.12341.18” with its value in hex.
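The following Python is an added illustration, not part of the original post and not FreeRADIUS or MPD5 code. It models the decision the antiloop policy makes for the radtest cases above (strip mpd-action only when the reply tells a NAS to forward a session to itself, leaving every other reply untouched), and it decodes the Attr-26.12341.18 hex that LNS03 printed, checking the 25-byte difference between the 51-byte and 26-byte Access-Accepts against the RFC 2865 Vendor-Specific encoding. It assumes mpd-action is vendor 12341, type 18 (as radtest's output shows), that the value is plain ASCII text, and that the NAS-to-label mapping is the one from the policy; the reply is modelled as an ordered list of (name, value) pairs.

```python
"""Offline model of the antiloop post-auth policy and of the mpd VSA encoding.
Added example; not FreeRADIUS or MPD5 code. Assumptions are marked below."""
import struct

VENDOR_MPD = 12341        # vendor id taken from the page's "Attr-26.12341.18" output
MPD_ACTION_TYPE = 18      # vendor type of mpd-action, from the same output

# Which mpd-action value points back at each LNS (values from the policy on the page).
SELF_FORWARD = {
    "100.64.0.201": "forward LNS01",
    "100.64.0.202": "forward LNS02",
    "100.64.0.203": "forward LNS03",
}


def antiloop(nas_ip, reply):
    """Return a copy of the reply attribute list with mpd-action removed when it
    would tell the NAS to forward the session to itself.  `reply` is a list of
    (name, value) pairs, in the order FreeRADIUS keeps them in reply:."""
    own = SELF_FORWARD.get(nas_ip)
    if own is None:
        return list(reply)          # unknown NAS: none of the conditions can match
    if not any(n == "mpd-action" and v == own for n, v in reply):
        return list(reply)          # forwarding elsewhere (or not at all): pass through
    # `mpd-action !* ANY` deletes every instance of the attribute, regardless of value
    return [(n, v) for n, v in reply if n != "mpd-action"]


def encode_vsa(vendor, vtype, value):
    """RFC 2865 Vendor-Specific (type 26) carrying one RFC-format sub-attribute:
    type(1) len(1) vendor-id(4) vendor-type(1) vendor-len(1) value."""
    sub = struct.pack("!BB", vtype, 2 + len(value)) + value
    return struct.pack("!BBI", 26, 6 + len(sub), vendor) + sub


def decode_vsa(raw):
    """Parse one Vendor-Specific attribute, returning (vendor, vtype, value).
    Length fields are cross-checked so a truncated or padded attribute is rejected."""
    atype, alen = struct.unpack("!BB", raw[:2])
    if atype != 26 or alen != len(raw) or alen < 8:
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vendor = struct.unpack("!I", raw[2:6])[0]
    vtype, vlen = struct.unpack("!BB", raw[6:8])
    if vlen != alen - 6 or vlen < 2:
        raise ValueError("inconsistent vendor sub-attribute length")
    return vendor, vtype, raw[8:]


def decode_unknown_attr_text(hexvalue):
    """radtest shows an undictionaried VSA as Attr-26.<vendor>.<type> = 0x<value>;
    this turns that hex payload back into text (assumes an ASCII string value)."""
    return bytes.fromhex(hexvalue).decode("ascii")


if __name__ == "__main__":
    # Constructed replies mirroring the two radtest cases run from LNS01 (100.64.0.201)
    for reply in (
        [("mpd-action", "forward LNS01"), ("Framed-IP-Address", "10.111.111.111")],
        [("mpd-action", "forward LNS03"), ("Framed-IP-Address", "10.33.33.33")],
    ):
        print("LNS01 receives:", antiloop("100.64.0.201", reply))
    # Hex value LNS03 printed for the attribute it has no dictionary entry for
    print(decode_unknown_attr_text("666f7277617264204236412d4c4e533031"))
    print("VSA wire length:", len(encode_vsa(VENDOR_MPD, MPD_ACTION_TYPE, b"forward B6A-LNS01")))
```

One design point worth carrying back to the real policy: NAS-IP-Address is an attribute the NAS writes into its own request, which is why radtest on LNS01 could send 100.64.0.201 freely. FreeRADIUS also exposes the address the packet actually arrived from as Packet-Src-IP-Address, which is bound to the client entry and its shared secret; matching on that, or on a per-client item in clients.conf, ties the anti-loop decision to the authenticated client rather than to a value the request carries.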
