(RADIATOR) AddressAllocator, Accounting and Cisco VPN Conc

Hugh Irvine hugh at open.com.au
Tue Dec 17 23:52:44 CST 2002


Hello Petr -

I will need to see the complete configuration file (no secrets) 
together with a more complete trace 4 debug showing several 
authentications and the corresponding accounting records.

regards

Hugh


On Tuesday, Dec 17, 2002, at 22:29 Australia/Melbourne, Petr Zimak 
wrote:

>
> Hi
>
> I am running a Cisco VPN Concentrator (with quite a new
> software image) and use Radiator 3.5 for authentication and also
> for address allocation. I want to have different user groups
> (or realms) using different address pools.  I want also to have
> radius accounting records to contain the assigned address.
>
> My config is something like:
>
> --------------------------------------------
> <AddressAllocator SQL>
>  Identifier intern-pool
>  ...
>  <AddressPool intern-pool-1>
>    Subnetmask 255.255.255.0
>    DNSServer A.B.G.1 A.B.G.5
>    Range A.B.N.1 A.B.N.3
>  </AddressPool>
> </AddressAllocator>
>
> <AddressAllocator SQL>
>  Identifier extern-pool
>  ...
>  <AddressPool extern-pool-1>
>    Subnetmask 255.255.255.0
>    DNSServer A.B.G.1 A.B.G.5
>    Range A.B.M.1 A.B.M.3
>  </AddressPool>
> </AddressAllocator>
>
>
> <AuthBy GROUP>
>  Identifier mailbox-auth
>  AuthByPolicy ContinueWhileAccept
>
>  <AuthBy FILE>
>    Filename %D/unix-general
>  </AuthBy>
>
>  <AuthBy IMAP>
>    Identifier imap-auth
>    Host %R
>    UsernameMatchesWithoutRealm
>    AddToReplyIfNotExist PoolHint=intern-pool-1
>  </AuthBy>
>
>  <AuthBy DYNADDRESS>
>    AddressAllocator intern-pool
>  </AuthBy>
>
>   StripFromReply PoolHint
>
> </AuthBy>
>
> <AuthBy GROUP>
>  Identifier extern-auth
>  AuthByPolicy ContinueWhileAccept
>
>  <AuthBy FILE>
>    Filename %D/extern
>    AddToReplyIfNotExist PoolHint=extern-pool-1
>  </AuthBy>
>
>  <AuthBy DYNADDRESS>
>    AddressAllocator extern-pool
>  </AuthBy>
>
>   StripFromReply PoolHint
>
> </AuthBy>
> --------------------------------------------
>
> I am using mysql with the standard table layout from the goodies.
>
> My problems are:
>
> (1) The accounting stop records sometimes do and sometimes
>    do not contain the IP address. I cannot say what makes them
>    not appear. I suspect a similar problem as described in FAQ
>    "117: Why dont I get Framed-IP-Address in Accounting from my Cisco?"
>    where the solution is either "aaa accounting update newinfo" or
>    "aaa accounting delay-start" on the access router.
>    Does anybody know what to do on a VPN Concentrator?
>
>
> (2) Even if the IP address appears in the accounting record, the address
>    is not marked as free again in the RADPOOL table because it does not
>    make it into the SQL statement as you see in the line
>
>      Tue Dec 17 11:39:38 2002: DEBUG: do query is: update RADPOOL set STATE=0, TIME_STAMP=1040121578 where YIADDR=''
>
>    This is a very severe problem, because the addresses never get freed
>    and the pools fill fast!
>    Below you see the extract from my logfile:
>
> ---------------------------------------------
> Tue Dec 17 11:39:38 2002: DEBUG: Packet dump:
> *** Received from A.B.C.D port 1063 ....
> Code:       Accounting-Request
> Identifier: 25
> Authentic:  <X><Y><Z>
> Attributes:
>    User-Name = "some at extern"
>    NAS-Port = 1046
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
>    Framed-IP-Address = A.B.M.3
>    Class = "UnibasNet"
>    Acct-Status-Type = Stop
>    Acct-Input-Octets = 0
>    Acct-Output-Octets = 0
>    Acct-Session-Id = "B310001E"
>    Acct-Session-Time = 61
>    Acct-Input-Packets = 0
>    Acct-Output-Packets = 0
>    Acct-Terminate-Cause = User-Request
>    Tunnel-Client-Endpoint = A.B.P.36
>    Acct-Authentic = RADIUS
>    Acct-Delay-Time = 0
>    NAS-IP-Address = A.B.V.225
>    NAS-Port-Type = Virtual
>
> Tue Dec 17 11:39:38 2002: DEBUG: Handling request with Handler 'Realm=extern'
> Tue Dec 17 11:39:38 2002: DEBUG:  Deleting session for some at extern, A.B.V.225, 1046
> Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthGROUP
> Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthFILE:
> Tue Dec 17 11:39:38 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
> Tue Dec 17 11:39:38 2002: DEBUG: do query is: update RADPOOL set STATE=0, TIME_STAMP=1040121578 where YIADDR=''
>
> Tue Dec 17 11:39:38 2002: DEBUG: Accounting accepted
> Tue Dec 17 11:39:38 2002: DEBUG: Packet dump:
> *** Sending to A.B.V.225 port 1063 ....
> Code:       Accounting-Response
> Identifier: 25
> Authentic:  <X><Y><Z>
> Attributes:
> ---------------------------------------------
>
> (3)  Even if the address appears in the accounting packet, it
>     doesn't make it into the accounting file. The entry for
>     the above event is:
>
> ---------------------------------------------
> Tue Dec 17 11:39:38 2002
>    User-Name = "some at extern"
>    NAS-Port = 1046
>    Service-Type = Framed-User
>    Framed-Protocol = PPP
>    Class = "ExternNet"
>    Acct-Status-Type = Stop
>    Acct-Input-Octets = 0
>    Acct-Output-Octets = 0
>    Acct-Session-Id = "B310001E"
>    Acct-Session-Time = 61
>    Acct-Input-Packets = 0
>    Acct-Output-Packets = 0
>    Acct-Terminate-Cause = User-Request
>    Tunnel-Client-Endpoint = A.B.P.36
>    Acct-Authentic = RADIUS
>    Acct-Delay-Time = 0
>    NAS-IP-Address = A.B.V.225
>    NAS-Port-Type = Virtual
>    Timestamp = 1040121578
> ---------------------------------------------
>
>
> Any help is greatly appreciated.
>
> Regards, Petr
>
>

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
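As an added illustration of problem (2) in the quoted message (not code from Radiator, from its goodies, or from either poster): the log shows the pool-release query running as `update RADPOOL ... where YIADDR=''` because the Stop record reaching AuthBy DYNADDRESS carried no usable Framed-IP-Address, so nothing is ever freed. The script below parses accounting-file records in the layout of the quoted extract, lists the Stop records that lack Framed-IP-Address, and performs the release against a constructed in-memory RADPOOL table with a guard that refuses to run the UPDATE when the address is empty. The RADPOOL column names (YIADDR, STATE, TIME_STAMP) are taken from the quoted query; the record format is assumed from the extract and the sample records are constructed.

```python
"""Audit Radiator-style accounting Stop records for a missing
Framed-IP-Address and guard the RADPOOL release UPDATE against an
empty address.  Added example, not Radiator's own code."""
import re
import sqlite3
from typing import Dict, List

# Constructed sample in the shape of the quoted accounting file: one Stop
# record that carries the address and one (as in the thread) that does not.
SAMPLE_ACCT = """\
Tue Dec 17 11:39:38 2002
    User-Name = "some at extern"
    Framed-IP-Address = A.B.M.3
    Acct-Status-Type = Stop
    Acct-Session-Id = "B310001E"
    NAS-IP-Address = A.B.V.225

Tue Dec 17 11:39:38 2002
    User-Name = "some at extern"
    Acct-Status-Type = Stop
    Acct-Session-Id = "B310001E"
    NAS-IP-Address = A.B.V.225
    Timestamp = 1040121578
"""

# Assumed record layout: an unindented timestamp line, then indented
# 'Name = value' lines (values optionally double-quoted), blank line between records.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?([^"]*)"?\s*$')


def parse_records(text: str) -> List[Dict[str, str]]:
    """Split an accounting file into records, one dict per record."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        m = ATTR_RE.match(line)
        if m:
            current[m.group(1)] = m.group(2)
        elif not line[0].isspace():
            current["_timestamp"] = line.strip()  # the leading date line
    if current:
        records.append(current)
    return records


def stops_without_address(records: List[Dict[str, str]]) -> List[str]:
    """Acct-Session-Ids of Stop records that carry no Framed-IP-Address."""
    return [r.get("Acct-Session-Id", "?") for r in records
            if r.get("Acct-Status-Type") == "Stop"
            and not r.get("Framed-IP-Address")]


def release_address(conn: sqlite3.Connection, address: str, now: int) -> int:
    """Mark an address free in RADPOOL.  An empty address would produce the
    'where YIADDR=''' query from the thread, so refuse instead of running it."""
    if not address:
        raise ValueError("refusing pool release with empty YIADDR")
    cur = conn.execute(
        "UPDATE RADPOOL SET STATE=0, TIME_STAMP=? WHERE YIADDR=?",
        (now, address))
    return cur.rowcount


def audit_and_release(text: str, now: int = 1040121578) -> dict:
    """Run the audit and the guarded release over a constructed RADPOOL."""
    records = parse_records(text)
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE RADPOOL (YIADDR TEXT, STATE INTEGER, TIME_STAMP INTEGER)")
    conn.execute("INSERT INTO RADPOOL VALUES ('A.B.M.3', 1, 0)")  # address in use
    freed, refused = 0, []
    for r in records:
        if r.get("Acct-Status-Type") != "Stop":
            continue
        try:
            freed += release_address(conn, r.get("Framed-IP-Address", ""), now)
        except ValueError:
            refused.append(r.get("Acct-Session-Id", "?"))
    state = conn.execute(
        "SELECT STATE FROM RADPOOL WHERE YIADDR='A.B.M.3'").fetchone()[0]
    return {"freed": freed, "refused": refused, "state": state,
            "missing": stops_without_address(records)}


if __name__ == "__main__":
    print(audit_and_release(SAMPLE_ACCT))
```

The audit list is the useful operational check here: a Stop record with no Framed-IP-Address is exactly the case in which the pool entry will stay marked as in use until its expiry, so counting such records per NAS tells you how fast a pool is leaking and which device is not reporting the address.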

