(RADIATOR) AuthbyRADIUS with DYNADDRESS
Hugh Irvine
hugh at open.com.au
Mon Jan 7 18:37:59 CST 2002
Hello Matt, Hello Steve -

Thanks for sending the files.

The problem you have with the two Access-Accepts is because you have
specified "NoForwardAuthentication" in the second AuthBy RADIUS clause. This
will cause this AuthBy to always Accept any authentication request. This is
not what you need - you should use "IgnoreAuthentication" instead (see
section 6.29.11 in the manual).

I apologise for not seeing this sooner.

BTW - as has been mentioned in another posting you should consider using the
AuthBy SQLRADIUS clause to manage large numbers of Called-Station-Id's.

BTW2 - you should also consider running two instances of Radiator - one for
authentication and the other for accounting - it will make your configuration
files much simpler.

regards

Hugh

On Tue, 8 Jan 2002 10:17, Matt Scifo wrote:
> Hugh
>
> We have had some confusion regarding issuing dynamic ip's when using
> AuthbyRADIUS in a proxy situation. We understand that once an
> AuthbyRADIUS clause is processed, it returns immediately to the nas
> without waiting for a reply from the proxy server. In order to issue a
> dynamic ip in this situation, either Synchronous mode or a ReplyHook
> must be used according to the manual. Synchronous mode can severely
> impact performance, even when specifying Fork. Our setup includes well
> over a 100 handlers which are used based on called-station-id and/or
> realm. We setup our handlers to use a ReplyHook instead of Synchronous
> mode to assign a dynamic ip back to the nas. However, when using a
> ReplyHook, an ip never gets sent back to the nas successfully. The
> attached debug file (replyhook_example.log) shows that as soon as
> AuthbyRADIUS sends the Access-Request to the proxy server, an
> Access-Accept is sent back to our nas containing no attributes, even
> with the ReplyHook. The nas then authenticates the user but assigns
> them an IP of 0.0.0.0 and kicks him a few seconds later. As soon as the
> proxy server responds, another response is sent to the nas with the
> correct attributes, including the IP taken from our SQLAllocator, but is
> dismissed by the nas because it already received a response regarding
> that session.
>
> Isn't the ReplyHook supposed to allow a dynamic IP to be sent back to
> the nas even though the AuthbyRADIUS clause returns immediately? How is
> it supposed to work?
>
> We then enabled Synchronous mode and everything worked fine. Radiator
> waited for a response from the proxy server before sending a dynamic IP
> with the reply back to the nas as shown in the attached debug file
> (sync_example.log). However, using a ReplyHook is supposed to
> circumvent the need to use Synchronous mode and still maintain the
> ability to assign dynamic ip's.
>
> Also attached is our radius.cfg. Are we implementing the ReplyHook
> (AllocateIPAddressOnReplyFromProxy taken from goodies/hooks.txt)
> incorrectly? Can our needs be met without using Synchronous/Fork mode?
>
> Thanks
>
> Matt
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
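
The change described in the reply above, sketched as a Radiator configuration fragment. This is an added example, not the poster's radius.cfg (which is not reproduced on this page). The handler match, host names and secrets are constructed placeholders, and it is an assumption that the second AuthBy RADIUS clause exists to forward accounting only.

```conf
# Added illustration. All values are placeholders; the two handlers are
# alternatives (before and after), not meant to be loaded together.

# --- Before: second clause answers every Access-Request itself ---
<Handler Called-Station-Id=5550100>
    # First clause: proxies the authentication request.
    # The ReplyHook from goodies/hooks.txt would be configured here.
    <AuthBy RADIUS>
        Host auth-proxy.example.com
        Secret placeholder-secret-1
    </AuthBy>

    # Second clause (assumed to be for accounting only).
    # NoForwardAuthentication makes this clause ACCEPT any authentication
    # request without forwarding it, so the NAS gets an Access-Accept with
    # no attributes before the proxied reply arrives.
    <AuthBy RADIUS>
        Host acct-proxy.example.com
        Secret placeholder-secret-2
        NoForwardAuthentication
    </AuthBy>
</Handler>

# --- After: second clause stays out of authentication entirely ---
<Handler Called-Station-Id=5550100>
    <AuthBy RADIUS>
        Host auth-proxy.example.com
        Secret placeholder-secret-1
    </AuthBy>

    # IgnoreAuthentication makes this clause IGNORE authentication
    # requests, so the only Access-Accept is the one built from the
    # proxied reply (with the address added by the ReplyHook).
    <AuthBy RADIUS>
        Host acct-proxy.example.com
        Secret placeholder-secret-2
        IgnoreAuthentication
    </AuthBy>
</Handler>
```

A quick check after the change is to run with debug tracing and confirm that each Access-Request produces exactly one Access-Accept toward the NAS, and that it carries the allocated address.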