https://jira.akraino.org This file is an XML representation of an issue en-us 9.4.5 940005 11-04-2023 https://jira.akraino.org/browse/IEC-16 Integrated Edge Cloud <p>Running the tests for SEBA-in-a-Box with PONSim will fail with Authentication denied on aarch64 pods. There is no clear indication as to the cause, but there are several logs in ONOS that need to be checked</p> IEC-16

[IEC][SEBA][PONSim] ONU has been validated - Authentication denied

Bug Medium Done Done Ciprian Barbu Ciprian Barbu Release_2 Thu, 25 Jul 2019 16:11:04 +0000 Wed, 23 Oct 2019 14:12:07 +0000 Fri, 20 Sep 2019 13:28:02 +0000 0 1 <p>This was in effect fixed by this change, which updates the commit id in iecedge/seba_charts:</p> <p><a href="https://gerrit.akraino.org/r/#/c/iec/+/1549/" class="external-link" target="_blank" rel="nofollow noopener">https://gerrit.akraino.org/r/#/c/iec/+/1549/</a></p> <p>I managed to test with a modified Docker image based on the iecedge/freeradius:2.2.8. I simply commented out the sql option in the post-auth section and I was able to pass the authentication step.</p> <p>I pushed a change to the corresponding repo:<br/> <a href="https://github.com/iecedge/freeradius/commit/0d7310f8d631ff0c921752e013fa27e82e39c56c" class="external-link" target="_blank" rel="nofollow noopener">https://github.com/iecedge/freeradius/commit/0d7310f8d631ff0c921752e013fa27e82e39c56c</a></p> <p>I also pushed the modified docker image, overwriting the old version:<br/> <a href="https://hub.docker.com/r/iecedge/freeradius/tags" class="external-link" target="_blank" rel="nofollow noopener">https://hub.docker.com/r/iecedge/freeradius/tags</a></p> <p>There might still be an issue with the DHCP request step, I will have to investigate it further, maybe create a new card as well.</p> <p>Looking at the freeradius config file /etc/freeradius/sites-enabled/default, the post-auth section has the sql option enabled, unlike on the x86 pod, where is commented. So perhaps the Mysql error does have a role, but in this case indicates it does not belong there.</p> <p>I will need to track down where the config is generated and modify it in order to test.</p> <p>On the freeradius side, on x86 we have:<br/> rad_recv: Access-Request packet from host 100.100.0.73 port 1812, id=2, length=61rad_recv: Access-Request packet from host 100.100.0.73 port 1812, id=2, length=61 User-Name = "user" NAS-IP-Address = 10.128.9.244 EAP-Message = 0x020100090175736572 Message-Authenticator = 0xc8326151a000a08cf154a104937a4136# Executing section authorize from file /etc/freeradius/sites-enabled/default+group authorize </p> { ....... +} <p> # group authenticate = ok+} # group authenticate = okLogin OK: <span class="error">&#91;user&#93;</span> (from client 0.0.0.0/0 port 0)# Executing section post-auth from file /etc/freeradius/sites-enabled/default+group post-auth {+<ins><span class="error">&#91;exec&#93;</span> = noop</ins>} # group post-auth = noopSending Access-Accept of id 3 to 100.100.0.73 port 1812 EAP-Message = 0x03020004 Message-Authenticator = 0x00000000000000000000000000000000 User-Name = "user"Finished request 1.Going to the next request</p> <p> </p> <p>On the aarch64 pod:</p> <p>rad_recv: Access-Request packet from host 100.100.236.199 port 1812, id=2, length=61rad_recv: Access-Request packet from host 100.100.236.199 port 1812, id=2, length=61 User-Name = "user" NAS-IP-Address = 10.128.9.244 EAP-Message = 0x020100090175736572 Message-Authenticator = 0x8a260065a4e048cfbbe8297ebf204b1d# Executing section authorize from file /etc/freeradius/sites-enabled/default+group authorize </p> { ........ +} <p> # group authenticate = ok+} # group authenticate = okLogin OK: <span class="error">&#91;user&#93;</span> (from client 0.0.0.0/0 port 0)# Executing section post-auth from file /etc/freeradius/sites-enabled/default+group post-auth {<span class="error">&#91;sql&#93;</span> expand: %</p> {User-Name} <p> -&gt; user<span class="error">&#91;sql&#93;</span> sql_set_user escaped user --&gt; 'user'<span class="error">&#91;sql&#93;</span> expand: %{User-Password} -&gt; <span class="error">&#91;sql&#93;</span> ... expanding second conditional<span class="error">&#91;sql&#93;</span> expand: %{Chap-Password} -&gt; <span class="error">&#91;sql&#93;</span> expand: INSERT INTO radpostauth                           (username, pass, reply, authdate, mac)                           VALUES (                           '%{User-Name}',                           '%{%</p> {User-Password} <p>:-%{Chap-Password}}',                           '%{reply:Packet-Type}', '%S', '%{Calling-Station-Id}') -&gt; INSERT INTO radpostauth                           (username, pass, reply, authdate, mac)                           VALUES (                           'user',                           '',                           'Access-Accept', '2019-08-26 17:15:24', '')rlm_sql (sql) in sql_postauth: query is INSERT INTO radpostauth                           (username, pass, reply, authdate, mac)                           VALUES (                           'user',                           '',                           'Access-Accept', '2019-08-26 17:15:24', '')rlm_sql (sql): Trying to (re)connect unconnected handle 31..rlm_sql (sql): Attempting to connect rlm_sql_mysql #31rlm_sql_mysql: Starting connect to MySQL server for #31rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radiusrlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'rlm_sql (sql): Failed to connect DB handle #31rlm_sql (sql): Ignoring unconnected handle 31..</p> <p> </p> <p>So something is different when executing the post-auth section. The Mysql error might nor might not be meaningful, the socket doesn't seem to exist on the x86 pod either.</p> <p>Update.</p> <p>I haven't been able to make much progress on this because I kept getting into other issues with either SEBA or even PONSim, some of which I will detail in other related cards.</p> <p>However, today I managed to spend some quality time on a pod which has deployed correctly and I managed to get some interesting information, also by comparing against a working x86 pod.</p> <p>First of all here is the onos log showing logs from AAA:<br/> onos&gt; log:tail | grep opencord.aaa<br/> 2019-08-26 17:15:24,235 | INFO | 00.230.146:42080 | StateMachine | 187 - org.opencord.aaa - 1.8.0 | Creating a new state machine for of:0000aabbccddeeff128<br/> 2019-08-26 17:15:24,236 | INFO | 00.230.146:42080 | StateMachine$Idle | 187 - org.opencord.aaa - 1.8.0 | Moving from IDLE state to STARTED state.<br/> 2019-08-26 17:15:24,239 | INFO | 00.230.146:42080 | AaaManager | 187 - org.opencord.aaa - 1.8.0 | Auth event STARTED for of:0000aabbccddeeff/128<br/> 2019-08-26 17:15:24,240 | INFO | 00.230.146:42080 | StateMachine | 187 - org.opencord.aaa - 1.8.0 | Current State 1<br/> 2019-08-26 17:15:24,503 | INFO | 00.230.146:42080 | StateMachine$Started | 187 - org.opencord.aaa - 1.8.0 | Moving from STARTED state to PENDING state.<br/> 2019-08-26 17:15:24,505 | INFO | 00.230.146:42080 | AaaManager | 187 - org.opencord.aaa - 1.8.0 | Auth event REQUESTED for of:0000aabbccddeeff/128<br/> 2019-08-26 17:15:24,506 | INFO | 00.230.146:42080 | StateMachine | 187 - org.opencord.aaa - 1.8.0 | Current State 2<br/> 2019-08-26 17:15:25,708 | WARN | AAA-radius-0 | AaaManager | 187 - org.opencord.aaa - 1.8.0 | Send EAP failure message to supplicant 0A:58:0A:16:00:03<br/> 2019-08-26 17:15:25,711 | INFO | AAA-radius-0 | StateMachine$Pending | 187 - org.opencord.aaa - 1.8.0 | Moving from PENDING state to UNAUTHORIZED state.<br/> 2019-08-26 17:15:25,712 | INFO | AAA-radius-0 | StateMachine | 187 - org.opencord.aaa - 1.8.0 | Current State 4<br/> 2019-08-26 17:15:25,714 | INFO | AAA-radius-0 | AaaManager | 187 - org.opencord.aaa - 1.8.0 | Auth event DENIED for of:0000aabbccddeeff/128</p> <p>By comparison, on the x86 pod:<br/> 2019-08-14 15:25:19,096 | INFO | p-app-activation | SocketBasedRadiusCommunicator | 188 - org.opencord.aaa - 1.8.0 | Remote RADIUS Server: /10.128.10.4:1812<br/> 2019-08-14 15:25:19,098 | INFO | p-app-activation | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Started<br/> 2019-08-14 15:25:19,100 | INFO | p-app-activation | ApplicationManager | 130 - org.onosproject.onos-core-net - 1.13.5 | Application org.opencord.aaa has been activated<br/> 2019-08-14 15:25:19,097 | INFO | AAA-radius-0 | SocketBasedRadiusCommunicator | 188 - org.opencord.aaa - 1.8.0 | UDP listener thread starting up<br/> 2019-08-20 13:59:19,920 | WARN | tive-installer-3 | PacketManager | 130 - org.onosproject.onos-core-net - 1.13.5 | Failed to install packet request DefaultPacketRequest{selector=DefaultTrafficSelector</p> {criteria=[ETH_TYPE:eapol]} <p>, priority=40000, appId=DefaultApplicationId{id=169, name=org.opencord.aaa}, nodeId=100.100.0.73, applies to=all} to of:0000aabbccddeeff: BADPARAMS<br/> 2019-08-20 16:25:14,392 | INFO | 0.100.0.86:34122 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Creating a new state machine for of:0000aabbccddeeff128<br/> 2019-08-20 16:25:14,392 | INFO | 0.100.0.86:34122 | StateMachine$Idle | 188 - org.opencord.aaa - 1.8.0 | Moving from IDLE state to STARTED state.<br/> 2019-08-20 16:25:14,393 | INFO | 0.100.0.86:34122 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event STARTED for of:0000aabbccddeeff/128<br/> 2019-08-20 16:25:14,393 | INFO | 0.100.0.86:34122 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 1<br/> 2019-08-20 16:25:14,475 | INFO | 0.100.0.86:34122 | StateMachine$Started | 188 - org.opencord.aaa - 1.8.0 | Moving from STARTED state to PENDING state.<br/> 2019-08-20 16:25:14,475 | INFO | 0.100.0.86:34122 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event REQUESTED for of:0000aabbccddeeff/128<br/> 2019-08-20 16:25:14,475 | INFO | 0.100.0.86:34122 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 2<br/> 2019-08-20 16:25:14,570 | INFO | AAA-radius-0 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Send EAP success message to supplicant 0A:58:0A:16:00:02<br/> 2019-08-20 16:25:14,570 | INFO | AAA-radius-0 | StateMachine$Pending | 188 - org.opencord.aaa - 1.8.0 | Moving from PENDING state to AUTHORIZED state.<br/> 2019-08-20 16:25:14,570 | INFO | AAA-radius-0 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 3<br/> 2019-08-20 16:25:14,570 | INFO | AAA-radius-0 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event APPROVED for of:0000aabbccddeeff/128<br/> 2019-08-20 18:11:16,452 | INFO | 0.100.0.86:34122 | StateMachine$Authorized | 188 - org.opencord.aaa - 1.8.0 | Moving from AUTHORIZED state to STARTED state.<br/> 2019-08-20 18:11:16,452 | INFO | 0.100.0.86:34122 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event STARTED for of:0000aabbccddeeff/128<br/> 2019-08-20 18:11:16,452 | INFO | 0.100.0.86:34122 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 1<br/> 2019-08-20 18:11:16,598 | INFO | 0.100.0.86:34122 | StateMachine$Started | 188 - org.opencord.aaa - 1.8.0 | Moving from STARTED state to PENDING state.<br/> 2019-08-20 18:11:16,598 | INFO | 0.100.0.86:34122 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event REQUESTED for of:0000aabbccddeeff/128<br/> 2019-08-20 18:11:16,598 | INFO | 0.100.0.86:34122 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 2<br/> 2019-08-20 18:11:16,648 | INFO | AAA-radius-0 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Send EAP success message to supplicant 0A:58:0A:16:00:02<br/> 2019-08-20 18:11:16,649 | INFO | AAA-radius-0 | StateMachine$Pending | 188 - org.opencord.aaa - 1.8.0 | Moving from PENDING state to AUTHORIZED state.<br/> 2019-08-20 18:11:16,649 | INFO | AAA-radius-0 | StateMachine | 188 - org.opencord.aaa - 1.8.0 | Current State 3<br/> 2019-08-20 18:11:16,649 | INFO | AAA-radius-0 | AaaManager | 188 - org.opencord.aaa - 1.8.0 | Auth event APPROVED for of:0000aabbccddeeff/128</p> <p>Then I also looked in the freeradius pod logs:</p> <p>rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked<br/> rlm_sql (sql): Attempting to connect to radius@localhost:3306/radius<br/> rlm_sql (sql): starting 0<br/> rlm_sql (sql): Attempting to connect rlm_sql_mysql #0<br/> rlm_sql_mysql: Starting connect to MySQL server for #0<br/> rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius<br/> rlm_sql_mysql: Mysql error 'Can't connect to local MySQL server through socket '/var/run/mysqld/mysqld.sock' (2)'<br/> rlm_sql (sql): Failed to connect DB handle #0<br/> rlm_sql (sql): starting 1</p> <p> </p> <p>So for now the freeradius logs look interesting, I will continue on this track.</p> Relates IEC-23 Development Rank 0|i000zr: