Opened 6 years ago

Closed 6 years ago

Last modified 5 weeks ago

#459 closed request (not broken)

no IP address via eduroam

Reported by: Ronald.vanderPol@…
Owned by: bzeeb+ietf@…
Priority: tbd
Milestone: ietf-083
Component: wireless
Keywords: eduroam dhcp
Cc: Ronald.vanderPol@…
My Current Location: maillot
My MAC Address: 00:23:6c:8d:1e:5a
My OS: MacOSX 10.7.3

Description

I get authenticated with PEAP MSCHAPv2, but no IP address. After 20 seconds I only get a self assigned:
spock# ifconfig en1
en1: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ether 00:23:6c:8d:1e:5a
        inet6 fe80::223:6cff:fe8d:1e5a%en1 prefixlen 64 scopeid 0x5
        inet 169.254.70.197 netmask 0xffff0000 broadcast 169.254.255.255
        media: autoselect
        status: active
spock#

dhcp gets no reply (while authenticated):

tcpdump -e -vvv -i en1 ether host 00:23:6c:8d:1e:5a and port bootps

09:37:35.098481 00:23:6c:8d:1e:5a (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 255, id 19985, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > broadcasthost.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:23:6c:8d:1e:5a (oui Unknown), length 300, xid 0x3168a447, secs 11, Flags [none] (0x0000)
          Client-Ethernet-Address 00:23:6c:8d:1e:5a (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Parameter-Request Option 55, length 9:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
              Option 119, LDAP, Option 252, Netbios-Name-Server
              Netbios-Node
            MSZ Option 57, length 2: 1500
            Client-ID Option 61, length 7: ether 00:23:6c:8d:1e:5a
            Lease-Time Option 51, length 4: 7776000
            Hostname Option 12, length 5: "spock"
            END Option 255, length 0
            PAD Option 0, length 0, occurs 19

09:37:38.087631 00:23:6c:8d:1e:5a (oui Unknown) > Broadcast, ethertype IPv4 (0x0800), length 342: (tos 0x0, ttl 255, id 19986, offset 0, flags [none], proto UDP (17), length 328)
    0.0.0.0.bootpc > broadcasthost.bootps: [udp sum ok] BOOTP/DHCP, Request from 00:23:6c:8d:1e:5a (oui Unknown), length 300, xid 0x3168a447, secs 14, Flags [none] (0x0000)
          Client-Ethernet-Address 00:23:6c:8d:1e:5a (oui Unknown)
          Vendor-rfc1048 Extensions
            Magic Cookie 0x63825363
            DHCP-Message Option 53, length 1: Discover
            Parameter-Request Option 55, length 9:
              Subnet-Mask, Default-Gateway, Domain-Name-Server, Domain-Name
              Option 119, LDAP, Option 252, Netbios-Name-Server
              Netbios-Node
            MSZ Option 57, length 2: 1500
            Client-ID Option 61, length 7: ether 00:23:6c:8d:1e:5a
            Lease-Time Option 51, length 4: 7776000
            Hostname Option 12, length 5: "spock"
            END Option 255, length 0
            PAD Option 0, length 0, occurs 19

Change history (18)

comment:1 Changed 6 years ago by bzeeb+ietf@…

Component: changed from incoming to network
Owner: changed from llynch@… to bzeeb+ietf@…
Status: changed from new to assigned

comment:2 Changed 6 years ago by bzeeb+ietf@…

Could you please check if the issue still exists and let me know?

We had a partial service interruption during that time frame. Though that should not have affected you I cannot see DHCP requests from your ether address, but I do see other people associated on the same AP with SSID eduroam that you had been trying on.

comment:3 Changed 6 years ago by bzeeb+ietf@…

Date: Tue, 27 Mar 2012 10:41:00 +0200
From: Ronald van der Pol
Subject: Re: [IETF Meeting/NOC] #459: no IP address via eduroam

Yes, still not working. Never worked since Saturday. I asked Bernard Tuy (Renater) this morning and it was working for him in the same room. My mac is still trying at the moment. I am using my ipad
via .1x

rvdp

comment:4 Changed 6 years ago by bzeeb+ietf@…

Hi,

I cannot see your requests anywhere arriving here. It's strange that it's only happening on eduroam for you.

There is a helpdesk at the Terminal Room behind the rfc-editors. Could you please come by there? They know about the issue to help you.

/bz

comment:5 Changed 6 years ago by bzeeb+ietf@…

Component: changed from network to helpdesk
Owner: changed from bzeeb+ietf@… to Hans Kuhn

comment:6 Changed 6 years ago by bzeeb+ietf@…

Component: changed from helpdesk to wireless
Owner: changed from Hans Kuhn to bzeeb+ietf@…

comment:7 Changed 6 years ago by bzeeb+ietf@…

Resolution: wontfix
Status: changed from assigned to closed

Hi,

your IdP (home organization - @sara.nl) is sending VLAN assignments which puts you on a different network, which explains why it does not work for you. You need to check with them to not send these Attributes in RADIUS replies to external requests.

I can probably work around but you'll hit this elsewhere so they must fix it.

/bz

comment:8 Changed 6 years ago by bzeeb+ietf@…

Date: Tue, 27 Mar 2012 13:03:12 +0200
From: Ronald van der Pol <Ronald.vanderPol@…>
Subject: Re: [IETF Meeting/NOC] #459: no IP address via eduroam

Great thanks. I have sent the question to them. I'll keep you posted.

rvdp

comment:9 Changed 6 years ago by bzeeb+ietf@…

Date: Tue, 27 Mar 2012 15:41:16 +0200
From: Ronald van der Pol <Ronald.vanderPol@…>
Subject: Re: [IETF Meeting/NOC] #459: no IP address via eduroam

The sysadmin says he does not see the radius requests. Can you
confirm the reply comes from 145.100.0.0/15?

Just a question. Does this mean that the guest user can choose
on which vlan he will get at the remote side? Isn't that a
security risk for the remote side? Should the remote side not
be in control over the vlan to put the guest user in?

rvdp

comment:10 Changed 6 years ago by bzeeb+ietf@…

Resolution: wontfix
Status: changed from closed to reopened
Type: changed from defect to request

I cannot confirm that as I do not have the data or access to the servers talking to them. They do not yet seem to support DNS Roaming for Eduroam, so rather than directly talking to them the RADIUS request routing goes up the eduroam server chain to the EU top levels from us, talking to them probably through the country-level peers they have.

comment:11 Changed 6 years ago by bzeeb+ietf@…

Date: Tue, 27 Mar 2012 16:15:48 +0200
From: Ronald van der Pol <Ronald.vanderPol@…>
Subject: Re: [IETF Meeting/NOC] #459: no IP address via eduroam

Thanks for your quick replies. This is extremely helpful for me
(I have long standing issues and this may be the core issue).

Therefore one final question so that I fully understand:

Does the vlan attribute mean that the guest user can choose on
which vlan he will get at the remote side? Isn't that a security
risk for the remote side? Should the remote side not be in control
over the vlan to put the guest user in?

rvdp

comment:12 Changed 6 years ago by bzeeb+ietf@…

Yes, a user could put himself in a different VLAN if that VLAN ID was provided by the remote site and in use and not filtered on the local site. However your AP configs need to play along here as well. Given eduroam is usually statically tied to a VLAN and you are asking to be put elsewhere, you end up nowhere.
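
Added illustration, not part of the ticket: comments 7 and 12 identify VLAN attributes in an Access-Accept from the home IdP as the cause, and unfiltered acceptance of them as the risk for the visited site. The Python sketch below shows a visited-side filter on a constructed packet; the function names and the sample user name are assumptions, and it does not reproduce the Radiator patch mentioned in comment 16.

```python
import struct

# Attribute types that together assign a VLAN (RFC 2868 / RFC 3580).
VLAN_ATTRS = {64: "Tunnel-Type", 65: "Tunnel-Medium-Type",
              81: "Tunnel-Private-Group-ID"}
ACCESS_ACCEPT = 2


def parse_attrs(packet):
    """Return (code, ident, authenticator, [(type, value), ...])."""
    if len(packet) < 20:
        raise ValueError("shorter than a RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        a_type, a_len = packet[pos], packet[pos + 1]
        if a_len < 2 or pos + a_len > length:
            raise ValueError("bad attribute length")
        attrs.append((a_type, packet[pos + 2:pos + a_len]))
        pos += a_len
    return code, ident, packet[4:20], attrs


def build(code, ident, authenticator, attrs):
    """Serialize a RADIUS packet from its header fields and attribute list."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def strip_vlan_from_proxied_accept(packet):
    """Drop VLAN-assignment attributes from an Access-Accept that came from a
    remote IdP. Returns (new_packet, names_of_removed_attributes)."""
    code, ident, auth, attrs = parse_attrs(packet)
    if code != ACCESS_ACCEPT:
        return packet, []
    kept = [(t, v) for t, v in attrs if t not in VLAN_ATTRS]
    removed = [VLAN_ATTRS[t] for t, _ in attrs if t in VLAN_ATTRS]
    # The authenticator is copied unchanged here; a real proxy re-signs the
    # reply toward the NAS with their shared secret after editing it.
    return build(code, ident, auth, kept), removed


# Constructed sample: Access-Accept with User-Name plus a VLAN 42 assignment.
SAMPLE = build(ACCESS_ACCEPT, 7, bytes(16), [
    (1, b"guest@idp.example"),      # User-Name (constructed)
    (64, b"\x00\x00\x00\x0d"),      # Tunnel-Type = VLAN (13), tag 0
    (65, b"\x00\x00\x00\x06"),      # Tunnel-Medium-Type = IEEE-802 (6), tag 0
    (81, b"42"),                    # Tunnel-Private-Group-ID
])
```

Logging the removed attribute names per realm gives the visited site a record of which home organizations send VLAN assignments to external requests.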

comment:13 Changed 6 years ago by bzeeb+ietf@…

Resolution: not broken
Status: changed from reopened to closed

FYI, I have put in a workaround for you, so in case it'll start working it does not mean they fixed it.
I'll close that ticket now again.

comment:14 Changed 6 years ago by anonymous

Date: Thu, 29 Mar 2012 16:49:28 +0200
From: Ronald van der Pol <Ronald.vanderPol@…>
Subject: Re: [IETF Meeting/NOC] #459: no IP address via eduroam

On Tue, Mar 27, 2012 at 16:28:50 -0000, IETF Meeting/NOC wrote:

Bjoern,

This did not fix it yet. Do you have time to look at it in the next half
hour or so? Just to make sure the vlan attribute is really the issue.

rvdp

comment:15 Changed 6 years ago by anonymous

Assuming rvdp at *.nl is you, you are getting back constant Access-Accepts and get on but your device seems to constantly try and try again.

Can we meet at the helpdesk at 17:20?

comment:16 Changed 6 years ago by bzeeb+ietf@…

Problem solved by patching Radiator. Patch sent upstream. Thanks a lot for helping to debug this!

comment:18 Changed 5 weeks ago by Rick Alfvin

Milestone: changed from ietf-83 to ietf-083

Milestone renamed
