PMP 450 and Radius - issues rate limiting SM

Hi,

We are using PMP 450 with capped subscriber modules on version 15.0.3 and authenticating with freeradius version 3.0.4.

We are attempting to rate limit the radio via the radius attributes. The Cambium dictionary.canopy file and openssl certs are in place on the freeradius server. We can authenticate over EAP-TTLS MSCHAPv2 and talk between the AP and SM.

For rate limiting, we tried both the Cambium-Canopy-* and Motorola-Canopy-* attributes, but the SM is not picking up the rate limits. The AP is set to Bandwidth Configuration Source -> Authentication Server, so it should be configured to recognize the attributes.

Attached is the radius server debug log that shows the rate limit attempts (search for Canopy). The reply appears to be passing the rate limiting back to the SM. However, the SM is not rate limiting. I've also attached the SQL statements that set up the attributes in radius.

Is there any additional configuration needed to get this feature working?

Have you added the necessary dictionary info on the freeradius server? I have files for dictionary.cambium, dictionary.canopy, and dictionary.motorola.wimax (for my old PMP320 SMs) in /usr/share/freeradius.

Without those, the AP won't know how to interpret the RADIUS rate-limiting attributes.

Thank you for the reply.

The dictionary file exists in /usr/share/freeradius:

[root@localhost ~]# ls -la /usr/share/freeradius/dictionary.canopy
-rw-r--r--. 1 root root 6914 Jul  1  2015 /usr/share/freeradius/dictionary.canopy

The dictionary is included in /usr/share/freeradius/dictionary:

....

$INCLUDE dictionary.cabletron
$INCLUDE dictionary.camiant
$INCLUDE dictionary.canopy
$INCLUDE dictionary.chillispot
$INCLUDE dictionary.cisco

....

Hi,

In the final Access-Accept packet I don't see any of the rate limiting attributes sent to the SM.

That's probably the reason it's not working; the attributes shown here are what matter in the end.

Thu Jun 29 13:53:21 2017 : Debug: (34) Sending Access-Accept packet to host 10.121.56.101 port 1422, id=0, length=0
Thu Jun 29 13:53:21 2017 : Debug: (34)  MS-MPPE-Recv-Key = 0xad08f05c18d4767839149bd617e25ee77da480f890488ab12e51b968439c5505
Thu Jun 29 13:53:21 2017 : Debug: (34)  MS-MPPE-Send-Key = 0x9eaba930bcf45440aa327e3737e46445f7a8ae7758d2b78022ea4f1973ee8af6
Thu Jun 29 13:53:21 2017 : Debug: (34)  EAP-MSK = 0xad08f05c18d4767839149bd617e25ee77da480f890488ab12e51b968439c55059eaba930bcf45440aa327e3737e46445f7a8ae7758d2b78022ea4f1973ee8af6
Thu Jun 29 13:53:21 2017 : Debug: (34)  EAP-EMSK = 0xdb22afddaa8d0dfd170c1c1ed21012962a51326857b6df1dd2ff7154325afd34c4d640cfe50e9896a6cf3ac3ccdff3f83477908cbf0a52cce4ad234a262ee9aa
Thu Jun 29 13:53:21 2017 : Debug: (34)  EAP-Session-Id = 0x159503dc4daf196bc9c32c9d64a074651b157da54dc144bb65bb157ad8c24e5d31595568c19a68e13f0a5b5d64f4af124b3fab95c1f39a22f1e73db3d8deaf9ef9
Thu Jun 29 13:53:21 2017 : Debug: (34)  EAP-Message = 0x03070004
Thu Jun 29 13:53:21 2017 : Debug: (34)  Message-Authenticator = 0x00000000000000000000000000000000

To fix that, you have to change the configuration that copies inner tunnel attributes to the outer tunnel.

Open eap.conf, go to the ttls section, and set both of these to yes.

copy_request_to_tunnel = yes
use_tunneled_reply = yes

This shouldn't matter, but please start using the Canopy attributes; check the radius dictionary file from the 15.0.3 release.

Thanks,

Chitrang

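
The check described in the reply above, as an added example that is not part of the original thread: it reads a FreeRADIUS debug log and reports, per request, which Canopy rate-limit attributes are actually inside the outer Access-Accept, as opposed to merely appearing somewhere in the log. The sample log lines, host address and attribute values are constructed; matching is by the Cambium-Canopy-/Motorola-Canopy- prefixes named in the thread, and the line format is assumed to be the one quoted above.

```python
import re

# Constructed sample in the debug format quoted in the thread; values are made up.
# The first line stands in for any earlier mention of the attribute in the log.
SAMPLE_LOG = """\
Thu Jun 29 13:53:21 2017 : Debug: (34) sql: Cambium-Canopy-ULBR := 5000
Thu Jun 29 13:53:21 2017 : Debug: (34) Sending Access-Accept packet to host 192.0.2.10 port 1422, id=0, length=0
Thu Jun 29 13:53:21 2017 : Debug: (34)  EAP-Message = 0x03070004
Thu Jun 29 13:53:21 2017 : Debug: (34)  Message-Authenticator = 0x00
Thu Jun 29 13:54:02 2017 : Debug: (41) Sending Access-Accept packet to host 192.0.2.10 port 1422, id=1, length=0
Thu Jun 29 13:54:02 2017 : Debug: (41)  Cambium-Canopy-ULBR = 5000
Thu Jun 29 13:54:02 2017 : Debug: (41)  Cambium-Canopy-DLBR = 20000
Thu Jun 29 13:54:02 2017 : Debug: (41)  EAP-Message = 0x03080004
"""

LINE = re.compile(r"Debug: \((\d+)\)(\s+)(.*)$")          # request id, indent, body
ACCEPT = re.compile(r"^(?:Sending|Sent) Access-Accept\b")  # start of an outer reply
ATTR = re.compile(r"^([A-Za-z0-9-]+) = (.*)$")             # "Name = value" packet line
PREFIXES = ("Cambium-Canopy-", "Motorola-Canopy-")

def access_accepts(log_text):
    """Return [(request_id, {attr: value})] for each outer Access-Accept."""
    packets, current = [], None
    for raw in log_text.splitlines():
        m = LINE.search(raw)
        if not m:
            current = None
            continue
        req, indent, body = m.groups()
        attr = ATTR.match(body)
        if ACCEPT.match(body):
            current = (req, {})
            packets.append(current)
        elif current and req == current[0] and len(indent) >= 2 and attr:
            current[1][attr.group(1)] = attr.group(2)  # attribute of this packet
        else:
            current = None  # any other line ends the packet dump
    return packets

def rate_limit_report(log_text):
    """Map request id -> Canopy attributes actually sent in the Access-Accept."""
    return {req: sorted(n for n in attrs if n.startswith(PREFIXES))
            for req, attrs in access_accepts(log_text)}

def missing_rate_limits(log_text):
    """Request ids whose Access-Accept went out without any Canopy attribute."""
    return [req for req, names in rate_limit_report(log_text).items() if not names]

if __name__ == "__main__":
    print(rate_limit_report(SAMPLE_LOG), missing_rate_limits(SAMPLE_LOG))
```

Request 34 in the sample is the situation from the thread: a search for "Canopy" hits the log, yet the packet sent to the AP carries only EAP attributes.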

Thank you Chitrang - that was what we needed!