(RADIATOR) SNMP problem with PM3..
Hugh Irvine
hugh at open.com.au
Mon Jan 7 20:28:59 CST 2002
Hello Michael -
The SNMP query is not run for every access request - it is only run if there
is a session limit exceeded according to the session database. The problem
with simultaneous use checking is that in many cases the information received
from the NAS in the radius accounting requests is different from the
information for the same session returned by an SNMP query.
hth
Hugh
On Tue, 8 Jan 2002 12:56, Michael Bellears wrote:
> Hi,
>
> This has been discussed on the list before, but I cannot seem to find a
> resolution ;)
>
> One of our clients has Radiator 2.18 with Radmin 1.5 running on Debian
> Linux 2.2, using PM3 NAS's.
>
> Denying Simultaneous use has never worked when clients connect with
> multilink ISDN connections - I now see that the SNMP query has stopped
> for some reason -> (The following user has max simultaneous logins set
> to 4)
>
> ##############################################################
>
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx.xxx port 1026 ....
> Code: Access-Request
> Identifier: 111
> Authentic: o<224>a<136><27><30><217>t<162>*<141>V<149><134>Z5
> Attributes:
> User-Name = "amg"
> User-Password =
> "<239>5D<253>l<225><240>H<189><14><136><16><222>Q}*"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 21
> NAS-Port-Type = ISDN
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Called-Station-Id = "xxxxxxxx"
> Calling-Station-Id = "xxxxxxxx"
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jan 8 11:22:59 2002: DEBUG: Deleting session for amg,
> xxx.xxx.xxx.xxx, 21
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE
> where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with
> Radius::AuthRADMIN')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with
> Radius::AuthRADMIN')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Query is: select PASS_WORD,
> STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='amg'
> and BADLOGINS < 5 and VALIDFROM < 1010452979 and VALIDTO > 1010452979
>
> Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN looks for match with
> amg
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN
> looks for match with amg')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Query is: select NASIDENTIFIER,
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where
> USERNAME='amg'
>
> Tue Jan 8 11:22:59 2002: DEBUG: Radius::AuthRADMIN ACCEPT:
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Radius::AuthRADMIN
> ACCEPT: ')
>
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: update RADUSERS set
> BADLOGINS=0 where USERNAME='amg'
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
> Tue Jan 8 11:22:59 2002: DEBUG: Access accepted for amg
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1026 ....
> Code: Access-Accept
> Identifier: 111
> Authentic: o<224>a<136><27><30><217>t<162>*<141>V<149><134>Z5
> Attributes:
> Framed-IP-Address = yyy.yyy.yyy.yyy
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
>
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx.xxx port 1026 ....
> Code: Accounting-Request
> Identifier: 112
> Authentic: ~^<159><185><179><206>~+<219><21> <5>O<25><234>W
> Attributes:
> Acct-Session-Id = "7700026E"
> User-Name = "amg"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 21
> NAS-Port-Type = ISDN
> Acct-Status-Type = Start
> Acct-Authentic = RADIUS
> Called-Station-Id = "xxxxxxxx"
> Calling-Station-Id = "xxxxxxxx"
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Framed-IP-Address = yyy.yyy.yyy.yyy
> Acct-Delay-Time = 0
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Jan 8 11:22:59 2002: DEBUG: Adding session for amg,
> xxx.xxx.xxx.xxx, 21
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: delete from RADONLINE
> where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=021
>
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADONLINE
> (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,
> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('amg',
> 'xxx.xxx.xxx.xxx', 021, '7700026E', 1010452979, 'yyy.yyy.yyy.yyy',
> 'ISDN', 'Framed-User')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling with
> Radius::AuthRADMIN')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling accounting with
> Radius::AuthRADMIN
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1010452979, 4, 'Handling accounting
> with Radius::AuthRADMIN')
>
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: update RADUSERS set
> TIMELEFT=TIMELEFT-0, OCTETSINLEFT=OCTETSINLEFT-0,
> OCTETSOUTLEFT=OCTETSOUTLEFT-0 where USERNAME='amg'
>
> Tue Jan 8 11:22:59 2002: DEBUG: do query is: insert into RADUSAGE
> (USERNAME, TIME_STAMP, ACCTSTATUSTYPE, ACCTDELAYTIME,
> ACCTSESSIONID, FRAMEDIPADDRESS, NASIDENTIFIER, NASPORT, DNIS,
> Client_Phone_Number)
> values
> ('amg', 1010452979, 1, 0, '7700026E', 'yyy.yyy.yyy.yyy',
> 'xxx.xxx.xxx.xxx', 21, 'xxxxxxxx', 'xxxxxxxx')
>
> Tue Jan 8 11:22:59 2002: DEBUG: Handling with Radius::AuthDYNADDRESS
> Tue Jan 8 11:22:59 2002: DEBUG: Accounting accepted
> Tue Jan 8 11:22:59 2002: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1026 ....
> Code: Accounting-Response
> Identifier: 112
> Authentic: ~^<159><185><179><206>~+<219><21> <5>O<25><234>W
>
> ##############################################################
>
> Whereas, during December I was seeing the following ->
>
> ##############################################################
>
> Tue Dec 18 20:55:00 2001: DEBUG: Packet dump:
> *** Received from xxx.xxx.xxx.xxx port 1026 ....
> Code: Access-Request
> Identifier: 236
> Authentic:
> <234><229>Be<128><235><250>B<141><231><163><15><148><175><28><175>
> Attributes:
> User-Name = "mfskim"
> User-Password =
> "u<232>I<11>/<156><232>v<229><195>N<177>o<9>#<12>"
> NAS-IP-Address = xxx.xxx.xxx.xxx
> NAS-Port = 24
> NAS-Port-Type = Async
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Connect-Info = "26400 LAPM/V42BIS"
> Called-Station-Id = "xxxxxxxx"
> Calling-Station-Id = "xxxxxxxx"
>
> Tue Dec 18 20:55:00 2001: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Tue Dec 18 20:55:00 2001: DEBUG: Deleting session for mfskim,
> xxx.xxx.xxx.xxx, 24
> Tue Dec 18 20:55:00 2001: DEBUG: do query is: delete from RADONLINE
> where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=024
>
> Tue Dec 18 20:55:00 2001: DEBUG: Handling with Radius::AuthRADMIN
> Tue Dec 18 20:55:00 2001: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1008672900, 4, 'Handling w
> ith Radius::AuthRADMIN')
>
> Tue Dec 18 20:55:00 2001: DEBUG: Handling with Radius::AuthRADMIN
> Tue Dec 18 20:55:00 2001: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1008672900, 4, 'Handling w
> ith Radius::AuthRADMIN')
>
> Tue Dec 18 20:55:00 2001: DEBUG: Query is: select PASS_WORD,
> STATICADDRESS, TIMELEFT, MAXLOGINS from RADUSERS where USERNAME='mfskim
> ' and BADLOGINS < 5 and VALIDFROM < 1008672900 and VALIDTO > 1008672900
>
> Tue Dec 18 20:55:00 2001: DEBUG: Radius::AuthRADMIN looks for match with
> mfskim
> Tue Dec 18 20:55:00 2001: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1008672900, 4, 'Radius::Au
> thRADMIN looks for match with mfskim')
>
> Tue Dec 18 20:55:00 2001: DEBUG: Query is: select NASIDENTIFIER,
> NASPORT, ACCTSESSIONID, FRAMEDIPADDRESS from RADONLINE where USERNA
> ME='mfskim'
>
> Tue Dec 18 20:55:00 2001: DEBUG: Checking if user is still online:
> Livingston, mfskim, xxx.xxx.xxx.xxx, 11, 770000AD 203.149.64.239
> Tue Dec 18 20:55:00 2001: DEBUG: Running command `/usr/bin/snmpget
> xxx.xxx.xxx.xxx ******* 2.1.1.1.2.5`
> Tue Dec 18 20:55:06 2001: DEBUG: Running command `/usr/bin/snmpget
> xxx.xxx.xxx.xxx ******* .3.2.1.1.1.5.16`
> Tue Dec 18 20:55:12 2001: NOTICE: Session for mfskim at
> xxx.xxx.xxx.xxx:11 has gone away
> Tue Dec 18 20:55:12 2001: DEBUG: Deleting session for mfskim,
> xxx.xxx.xxx.xxx, 11
> Tue Dec 18 20:55:12 2001: DEBUG: do query is: delete from RADONLINE
> where NASIDENTIFIER='xxx.xxx.xxx.xxx' and NASPORT=011
>
> Tue Dec 18 20:55:12 2001: DEBUG: Radius::AuthRADMIN ACCEPT:
> Tue Dec 18 20:55:12 2001: DEBUG: do query is: insert into RADMESSAGES
> (TIME_STAMP, TYPE, MESSAGE) values (1008672912, 4, 'Radius::Au
> thRADMIN ACCEPT: ')
>
> Tue Dec 18 20:55:12 2001: DEBUG: do query is: update RADUSERS set
> BADLOGINS=0 where USERNAME='mfskim'
>
> Tue Dec 18 20:55:12 2001: DEBUG: Handling with Radius::AuthDYNADDRESS
> Tue Dec 18 20:55:12 2001: DEBUG: Query is: select TIME_STAMP, YIADDR,
> SUBNETMASK, DNSSERVER from RADPOOL
> where POOL='pool1' and STATE=0 order by TIME_STAMP
>
> Tue Dec 18 20:55:12 2001: DEBUG: do query is: update RADPOOL set
> STATE=1,
> TIME_STAMP=1008672912,
> EXPIRY=1008839404, USERNAME='mfskim' where YIADDR='yyy.yyy.yyy.yyy' and
> TIME_STAMP =1007701140
>
> Tue Dec 18 20:55:12 2001: DEBUG: Access accepted for mfskim
> Tue Dec 18 20:55:12 2001: DEBUG: Packet dump:
> *** Sending to xxx.xxx.xxx.xxx port 1026 ....
> Code: Access-Accept
> Identifier: 236
> Authentic:
> <234><229>Be<128><235><250>B<141><231><163><15><148><175><28><175>
> Attributes:
> Session-Timeout = 166492
> Framed-Protocol = PPP
> Framed-IP-Netmask = 255.255.255.255
> Framed-Routing = None
> Framed-MTU = 1500
> Framed-Compression = Van-Jacobson-TCP-IP
> Framed-IP-Netmask = 255.255.255.0
> Framed-IP-Address = yyy.yyy.yyy.yyy
>
> ##############################################################
>
> The config has not changed since October, any suggestions as to why the
> snmpget query would stop ?
>
>
> config file ->
> ##############################################################
> # You should consider this file to be a starting point only
> # $Id $
>
> Foreground
> LogStdout
> LogDir .
> DbDir .
>
> #DbDir /root/radiator/Radiator-2.18
> #LogDir /var/log/radacct
> DictionaryFile /root/Radiator-2.18/dictionary
>
> # AuthPort specifies the port to listen on for authentication requests
> # Can be a numeric port number or a service name from /etc/services
> # Defaults to 1645
> #AuthPort 1645
> AuthPort 1812
>
> # AcctPort specifies the port to listen on for accounting requests
> # Can be a numeric port number or a service name from /etc/services
> # Defaults to 1646
> #AcctPort 1646
> AcctPort 1813
>
> BindAddress xxx.xxx.xxx.2
>
> # Don't turn this up too high, since all log messages are logged
> # to the RADMESSAGES table in the database. 3 will give you everything
> # except debugging messages
> Trace 4
>
> # You will probably want to change this to suit your site.
> # You should list all the clients you have, and their secrets
> # If you are using the Radmin Clients table, you will probably
> # want to disable this.
> #<Client DEFAULT>
> # Secret mysecret
> # DupInterval 0
> #</Client>
>
> # You can put additional (or all) client details in your Radmin
> # database table
> # and get their details from there with something like this:
> # You can then use the Radmin 'Add Radius Client' to add new clients.
> <ClientListSQL>
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
> </ClientListSQL>
>
> <SNMPAgent>
> Community xxxxxxxx
> </SNMPAgent>
>
> # You can also set up an address pool for Radiator to manage.
> # The standard Radmin tables include a RADPOOL address pool table.
> # see the example in addressallocator.cfg
> <AddressAllocator SQL>
> # This name allows us to refer to it from inside
> # an AuthBy DYNADDRESS
> Identifier myallocator
>
> # For mysql, use something like this
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
> # If SessionTimeout is set by a previous AuthBy
> # then that is used as the expiry time. Otherwise
> # DefaultLeasePeriod (in seconds) is used.
> # Defaults to 1 day
> #DefaultLeasePeriod 86400
>
> # How often we check the database for expired leases
> # leases can expire if an accounting stop is lost
> # or if the session goes longer than the lease
> # we originally asked for. Defaults to 1 day.
> #LeaseReclaimInterval 86400
>
> # Define the pools that are to be in our database
> # defining pools here will make AddressAllocator SQL
> # ensure that all the addresses are present in the database
> # at startup. You don't have to define pools here. If you don't,
> # AddressAllocator SQL will just use whatever addresses
> # it finds in the RADPOOL table.
> <AddressPool pool1>
> Subnetmask 255.255.255.0
> Range xxx.xxx.xxx.200 xxx.xxx.xxx.250
> DNSServer xxx.xxx.xxx.1
> </AddressPool>
> # <AddressPool pool2>
> # Subnetmask 255.255.255.127
> # Range 192.2.2.62 192.2.2.99
> # </AddressPool>
> </AddressAllocator>
>
>
> # Handle everyone with RADMIN
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileAccept
>
> <AuthBy RADMIN>
> # Change DBSource, DBUsername, DBAuth for your database
> # See the reference manual. You will also have to
> # change the one in <SessionDatabase SQL> below
> # so it's the same
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
> # You can add to or change these if you want, but you
> # will probably want to change the database schema first
>
> AccountingTable RADUSAGE
> AcctColumnDef USERNAME,User-Name
> AcctColumnDef TIME_STAMP,Timestamp,integer
> AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type,integer
> AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> AcctColumnDef
> ACCTINPUTOCTETS,Acct-Input-Octets,integer
> AcctColumnDef
> ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> AcctColumnDef
> ACCTSESSIONTIME,Acct-Session-Time,integer
> AcctColumnDef
> ACCTTERMINATECAUSE,Acct-Terminate-Cause,integer
> AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
> AcctColumnDef NASIDENTIFIER,NAS-Identifier
> AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> AcctColumnDef NASPORT,NAS-Port,integer
> AcctColumnDef DNIS,Called-Station-Id
> AcctColumnDef Client_Phone_Number,Calling-Station-Id
> AcctColumnDef Connect_info,Connect-Info
>
> # This updates the time and octets left
> # for this user
> AcctSQLStatement update RADUSERS set
> TIMELEFT=TIMELEFT-0%{Acct-Session-Time},
> OCTETSINLEFT=OCTETSINLEFT-0%{Acct-Input-Octets},
> OCTETSOUTLEFT=OCTETSOUTLEFT-0%{Acct-Output-Octets} where USERNAME='%n'
>
> # These are the classic things to add to each user's
> # reply to allow a PPP dialup session. It may be
> # different for your NAS. This will add some
> # reply items to everyone's reply
> AddToReply Framed-Protocol = PPP,\
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-Routing = None,\
> Framed-MTU = 1500,\
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
>
> # AuthBy DYNADDRESS needs to be the last AuthBy. If
> # all the previous ones have succeeded, then an address
> # is allocated
> <AuthBy DYNADDRESS>
> # This refers to the AddressAllocator
> # defined below. It says to use that allocator
> # to get an address. Instead of this, you can
> # put the <AddressAllocator xxx> clause directly
> # in here
> Allocator myallocator
>
> # This specifies how to form the pool hint, that
> # the allocator uses to specify which pool
> # to allocate an address from. The default
> # is %{Reply:PoolHint}, ie a pseudo
> # attribute in the current reply,
> # presumably set by an earlier
> # AuthBy, but it could be for example
> # the NAS IP address or similar, or a hardwired
> # string.
> #PoolHint %{Reply:PoolHint}
> PoolHint pool1
>
> # These parameters tell us how to set reply
> # attributes from the result of the allocation.
> # The left hand side of each pair is
> # the "name" of the data item. The right hand
> # side is the Radius attribute name to use
> # in the reply. The valid data item names are:
> # yiaddr - The allocated address
> # subnetmask - The subnet mask to use
> # dnsserver - the IP address of the DNS server
> # The default mappings are:
> #MapAttribute yiaddr, Framed-IP-Address
> #MapAttribute subnetmask, Framed-IP-Netmask
>
> # The AuthBy FILE above sets the pseudo reply attribute
> # PoolHint as the clue to the address allocator
> # need to strip it out at the end of processing
> StripFromReply PoolHint
>
> </AuthBy>
> <AuthLog FILE>
> Identifier myauthlogger
> Filename authlog
> SuccessFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Assigned:%a:Reply:%{Reply:Reply-Message}:Connect_Info:%{Connect-Info}:SUCCESS
> FailureFormat %l:NAS:%N:Calling_Number:%{Calling-Station-Id}:Username:%U:Password:%P:Reply:%{Reply:Reply-Message}:FAILURE
>
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> </Realm>
>
> <SessionDatabase SQL>
> # This database spec usually should be exactly the same
> # as in <AuthBy RADMIN> above
> DBSource dbi:mysql:radmin:localhost
> DBUsername radmin
> DBAuth xxxxxxxxx
>
> #####################################################
>
> Regards,
> Michael
>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
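
The decision flow described in the reply above, as an added example that is not part of the original message and is not Radiator's own code: a simplified Python model in which the NAS is queried only once the session database says the user's limit is reached. `SessionDB`, `check_access`, `probe` and the NAS name `nas1` are hypothetical; the limit of 4 for `amg` comes from the post, and the limit of 1 for `mfskim` is an assumption.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Session:
    username: str
    nas: str
    port: int
    session_id: str


class SessionDB:
    """Stand-in for the RADONLINE table: one row per (NAS, port)."""

    def __init__(self) -> None:
        self.rows: Dict[Tuple[str, int], Session] = {}

    def add(self, s: Session) -> None:
        self.rows[(s.nas, s.port)] = s

    def delete(self, nas: str, port: int) -> None:
        self.rows.pop((nas, port), None)

    def for_user(self, username: str) -> List[Session]:
        return [s for s in self.rows.values() if s.username == username]


def check_access(db: SessionDB, user: str, nas: str, port: int, max_logins: int,
                 probe: Callable[[Session], bool]) -> Tuple[bool, int]:
    """Return (accepted, probes_run). probe() models the snmpget against the NAS."""
    db.delete(nas, port)  # the logs show this delete on every Access-Request
    sessions = db.for_user(user)
    if len(sessions) < max_logins:
        return True, 0  # limit not reached per the database: NAS is never queried
    live = probes = 0
    for s in sessions:  # limit reached: confirm each recorded session with the NAS
        probes += 1
        if probe(s):
            live += 1
        else:
            db.delete(s.nas, s.port)  # "Session ... has gone away"
    return live < max_logins, probes


def demo() -> Tuple[Tuple[bool, int], ...]:
    db = SessionDB()  # constructed data; "nas1" is a placeholder NAS name
    amg = check_access(db, "amg", "nas1", 21, 4, lambda s: True)  # MAXLOGINS 4
    db.add(Session("mfskim", "nas1", 11, "770000AD"))  # row still in the session database
    stale = check_access(db, "mfskim", "nas1", 24, 1, lambda s: False)  # limit 1 assumed
    db.add(Session("mfskim", "nas1", 11, "770000AD"))
    held = check_access(db, "mfskim", "nas1", 24, 1, lambda s: True)
    return amg, stale, held
```

In this model a probe answer that does not match a session which is actually up follows the `stale` path: the row is deleted and the new login is accepted.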