(RADIATOR) AddressAllocator, Accounting and Cisco VPN Conc
Petr Zimak
Petr.Zimak at unibas.ch
Tue Dec 17 05:29:26 CST 2002
Hi
I am running a Cisco VPN Concentrator (with quite a new software image) and use Radiator 3.5 for authentication and also for address allocation. I want to have different user groups (or realms) using different address pools. I also want the RADIUS accounting records to contain the assigned address.
My config is something like:
--------------------------------------------
<AddressAllocator SQL>
    Identifier intern-pool
    ...
    <AddressPool intern-pool-1>
        Subnetmask 255.255.255.0
        DNSServer A.B.G.1 A.B.G.5
        Range A.B.N.1 A.B.N.3
    </AddressPool>
</AddressAllocator>

<AddressAllocator SQL>
    Identifier extern-pool
    ...
    <AddressPool extern-pool-1>
        Subnetmask 255.255.255.0
        DNSServer A.B.G.1 A.B.G.5
        Range A.B.M.1 A.B.M.3
    </AddressPool>
</AddressAllocator>

<AuthBy GROUP>
    Identifier mailbox-auth
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        Filename %D/unix-general
    </AuthBy>
    <AuthBy IMAP>
        Identifier imap-auth
        Host %R
        UsernameMatchesWithoutRealm
        AddToReplyIfNotExist PoolHint=intern-pool-1
    </AuthBy>
    <AuthBy DYNADDRESS>
        AddressAllocator intern-pool
    </AuthBy>
    StripFromReply PoolHint
</AuthBy>

<AuthBy GROUP>
    Identifier extern-auth
    AuthByPolicy ContinueWhileAccept
    <AuthBy FILE>
        Filename %D/extern
        AddToReplyIfNotExist PoolHint=extern-pool-1
    </AuthBy>
    <AuthBy DYNADDRESS>
        AddressAllocator extern-pool
    </AuthBy>
    StripFromReply PoolHint
</AuthBy>
--------------------------------------------
I am using MySQL with the standard table layout from the goodies.
My problems are:
(1) The accounting stop records sometimes do and sometimes do not contain the IP address. I cannot say what makes them not appear. I suspect a similar problem as described in FAQ "117: Why dont I get Framed-IP-Address in Accounting from my Cisco?", where the solution is either "aaa accounting update newinfo" or "aaa accounting delay-start" on the access router. Does anybody know what to do on a VPN Concentrator?
(2) Even if the IP address appears in the accounting record, the address is not marked as free again in the RADPOOL table, because it does not make it into the SQL statement, as you see in the line
Tue Dec 17 11:39:38 2002: DEBUG: do query is: update RADPOOL set STATE=0, TIME_STAMP=1040121578 where YIADDR=''
This is a very severe problem, because the addresses never get freed and the pools fill up fast!
Below you see the extract from my logfile:
---------------------------------------------
Tue Dec 17 11:39:38 2002: DEBUG: Packet dump:
*** Received from A.B.C.D port 1063 ....
Code: Accounting-Request
Identifier: 25
Authentic: <X><Y><Z>
Attributes:
User-Name = "some at extern"
NAS-Port = 1046
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-IP-Address = A.B.M.3
Class = "UnibasNet"
Acct-Status-Type = Stop
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Id = "B310001E"
Acct-Session-Time = 61
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Terminate-Cause = User-Request
Tunnel-Client-Endpoint = A.B.P.36
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = A.B.V.225
NAS-Port-Type = Virtual
Tue Dec 17 11:39:38 2002: DEBUG: Handling request with Handler 'Realm=extern'
Tue Dec 17 11:39:38 2002: DEBUG: Deleting session for some at extern, A.B.V.225, 1046
Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthGROUP
Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthFILE:
Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
Tue Dec 17 11:39:38 2002: DEBUG: do query is: update RADPOOL set STATE=0, TIME_STAMP=1040121578 where YIADDR=''
Tue Dec 17 11:39:38 2002: DEBUG: Accounting accepted
Tue Dec 17 11:39:38 2002: DEBUG: Packet dump:
*** Sending to A.B.V.225 port 1063 ....
Code: Accounting-Response
Identifier: 25
Authentic: <X><Y><Z>
Attributes:
---------------------------------------------
(3) Even if the address appears in the accounting packet, it doesn't make it into the accounting file. The entry for the above event is:
---------------------------------------------
Tue Dec 17 11:39:38 2002
User-Name = "some at extern"
NAS-Port = 1046
Service-Type = Framed-User
Framed-Protocol = PPP
Class = "ExternNet"
Acct-Status-Type = Stop
Acct-Input-Octets = 0
Acct-Output-Octets = 0
Acct-Session-Id = "B310001E"
Acct-Session-Time = 61
Acct-Input-Packets = 0
Acct-Output-Packets = 0
Acct-Terminate-Cause = User-Request
Tunnel-Client-Endpoint = A.B.P.36
Acct-Authentic = RADIUS
Acct-Delay-Time = 0
NAS-IP-Address = A.B.V.225
NAS-Port-Type = Virtual
Timestamp = 1040121578
---------------------------------------------
Any help is greatly appreciated.
Regards, Petr
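The pool leak described in problems (1) and (2) comes down to one defensive check: an Accounting Stop that carries no Framed-IP-Address must not be turned into an UPDATE with an empty YIADDR, and such Stops should be reported so the leak can be found. The script below is an added example, not code from this post or from Radiator: it parses Radiator-style DEBUG "Packet dump" output, drives a reduced in-memory stand-in for RADPOOL (only the YIADDR, STATE and TIME_STAMP columns from the poster's query are modelled; the real goodies schema has more columns), refuses to free anything when the address is missing, and lists addresses that stay allocated after the session should have ended. The sample log text, the addresses (RFC 5737 documentation ranges) and the session ids are constructed for the example.

```python
import re
import sqlite3

# Constructed sample in the shape of Radiator's DEBUG "Packet dump" output:
# two Accounting Stop records, the second one missing Framed-IP-Address.
SAMPLE_LOG = """\
Tue Dec 17 11:39:38 2002: DEBUG: Packet dump:
*** Received from 192.0.2.225 port 1063 ....
Code: Accounting-Request
Identifier: 25
Authentic: <X><Y><Z>
Attributes:
User-Name = "some@extern"
Framed-IP-Address = 192.0.2.3
Acct-Status-Type = Stop
Acct-Session-Id = "B310001E"
NAS-IP-Address = 192.0.2.225
Tue Dec 17 11:40:02 2002: DEBUG: Packet dump:
*** Received from 192.0.2.225 port 1063 ....
Code: Accounting-Request
Identifier: 26
Authentic: <X><Y><Z>
Attributes:
User-Name = "other@extern"
Acct-Status-Type = Stop
Acct-Session-Id = "B310001F"
NAS-IP-Address = 192.0.2.225
Tue Dec 17 11:40:02 2002: DEBUG: Accounting accepted
"""

ATTR_RE = re.compile(r'^\s*([A-Za-z][\w-]*) = (.*)$')

def parse_packet_dumps(text):
    """Return [{'code': ..., 'attrs': {...}}] for each '*** Received from' dump."""
    packets, current, in_attrs = [], None, False
    for line in text.splitlines():
        if line.startswith('*** Received from'):
            current = {'code': None, 'attrs': {}}
            packets.append(current)
            in_attrs = False
        elif current is None:
            continue
        elif line.startswith('Code:'):
            current['code'] = line.split(':', 1)[1].strip()
        elif line.strip() == 'Attributes:':
            in_attrs = True
        elif in_attrs:
            m = ATTR_RE.match(line)
            if m:
                current['attrs'][m.group(1)] = m.group(2).strip().strip('"')
            else:
                in_attrs = False  # a timestamped log line ends the attribute list
    return packets

def new_radpool(addresses):
    """Reduced stand-in for RADPOOL (assumption: only the columns the poster's query uses)."""
    conn = sqlite3.connect(':memory:')
    conn.execute('CREATE TABLE RADPOOL (YIADDR TEXT PRIMARY KEY, STATE INTEGER, TIME_STAMP INTEGER)')
    conn.executemany('INSERT INTO RADPOOL VALUES (?, 0, 0)', [(a,) for a in addresses])
    conn.commit()
    return conn

def allocate(conn, now):
    """Hand out the lowest free address and mark it STATE=1."""
    row = conn.execute('SELECT YIADDR FROM RADPOOL WHERE STATE=0 ORDER BY YIADDR LIMIT 1').fetchone()
    if row is None:
        return None
    conn.execute('UPDATE RADPOOL SET STATE=1, TIME_STAMP=? WHERE YIADDR=?', (now, row[0]))
    conn.commit()
    return row[0]

def release_from_stop(conn, attrs, now):
    """Free the address named in a Stop. Returns (freed, reason). Unlike the query in
    the poster's log, this never runs the UPDATE with an empty YIADDR."""
    if attrs.get('Acct-Status-Type') != 'Stop':
        return False, 'not a Stop record'
    addr = attrs.get('Framed-IP-Address')
    if not addr:
        return False, 'Stop without Framed-IP-Address for session %s' % attrs.get('Acct-Session-Id')
    cur = conn.execute('UPDATE RADPOOL SET STATE=0, TIME_STAMP=? WHERE YIADDR=? AND STATE=1', (now, addr))
    conn.commit()
    if cur.rowcount == 0:
        return False, 'address %s was not marked allocated' % addr
    return True, 'freed %s' % addr

def leaked_addresses(conn, now, max_session_age):
    """Addresses still STATE=1 for longer than max_session_age seconds: the leak
    that fills the pool when Stops never free them."""
    rows = conn.execute('SELECT YIADDR FROM RADPOOL WHERE STATE=1 AND TIME_STAMP < ?',
                        (now - max_session_age,)).fetchall()
    return [r[0] for r in rows]

def stops_missing_address(text):
    """Audit for problem (1): session ids of Stop records that carry no Framed-IP-Address."""
    return [p['attrs'].get('Acct-Session-Id') for p in parse_packet_dumps(text)
            if p['code'] == 'Accounting-Request'
            and p['attrs'].get('Acct-Status-Type') == 'Stop'
            and not p['attrs'].get('Framed-IP-Address')]

def demo():
    """Allocate two addresses, replay the two Stops, and report what stayed allocated."""
    now = 1040121578
    pool = new_radpool(['192.0.2.3', '192.0.2.4'])
    allocated = [allocate(pool, now - 61), allocate(pool, now - 120)]
    results = [release_from_stop(pool, p['attrs'], now) for p in parse_packet_dumps(SAMPLE_LOG)]
    return {'allocated': allocated,
            'released': [r[0] for r in results],
            'reasons': [r[1] for r in results],
            'leaked_after_an_hour': leaked_addresses(pool, now + 7200, 3600),
            'stops_without_address': stops_missing_address(SAMPLE_LOG)}

if __name__ == '__main__':
    for key, value in demo().items():
        print(key, value)
```

Running it against the constructed log frees 192.0.2.3 from the first Stop, refuses the second Stop with a reason naming session B310001F, and lists 192.0.2.4 as leaked an hour later. The same two helpers (stops_missing_address over the debug log, leaked_addresses over the live table) are the checks to run on the real deployment to measure how often the concentrator omits the address and how fast the pool is draining.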
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.