(RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

Dave Kitabjian dave at netcarrier.com
Thu Jul 11 15:00:20 CDT 2002


Hugh and Frank,

Thanks for the great ideas. The included hook is nice, although I think
it assumes a single Async card, so that would have to be added to get it
to work. This would be a good solution if there wasn't a better
one...See my next email...

D

> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Thursday, July 11, 2002 3:18 AM
> To: Frank Danielson; Dave Kitabjian; radiator at open.com.au
> Subject: Re: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
> 
> 
> 
> Hello Dave, Hello Frank -
> 
> There is an example hook that does exactly this in 
> "goodies/hooks.txt".
> 
> regards
> 
> Hugh
> 
> 
> On Thu, 11 Jul 2002 10:39, Frank Danielson wrote:
> > How about handling it with a preclient hook in the client clause to 
> > strip the number you want out of the Cisco-NAS-Port attribute and 
> > stuff it into the NAS-Port attribute.
> >
> > -----Original Message-----
> > From: Dave Kitabjian [mailto:dave at netcarrier.com]
> > Sent: Wednesday, July 10, 2002 5:25 PM
> > To: radiator at open.com.au
> > Subject: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
> >
> >
> >
> > I finally tracked down the reason why our Online DB has been
> > reporting a much lower count of onliners than are actually online.
> >
> > Look at the attached sequence of two accounting records. tmeyers logs
> > on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while
> > he's still online, cheezwhiz logs off of the same NAS and Port,
> > clobbering tmeyers' entry in the online DB.
> >
> > But how can two people have been on the same port at the same time,
> > you ask? The answer is that when Cisco is (again) lazy, it's easy to
> > happen. If you look at the Cisco-NAS-Port attribute, you'll see that
> > they are really on two distinct ports. Cisco is just taking a portion
> > of the info and plopping it in NAS-Port, even though that means that
> > many people can be on the same NAS-Port at once. Most manufacturers
> > come up with a procedure for encoding all that
> > "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port
> > number and then put that in NAS-Port.
> >
> > Now, if we were enforcing concurrency limits we'd be even more 
> > screwed.
> >
> > Has anyone else experienced this? How are you dealing with it? Does
> > Radiator have any solutions? I wonder if using the Acct-Session-Id for
> > deletions would be more reliable than matching NAS/Port combos.
> > Comments welcome!
> >
> > Dave
> > _____________________________
> >
> > Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 ....
> > Code:       Accounting-Request
> > Identifier: 188
> > Authentic:  <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
> > Attributes:
> >         Acct-Session-Id = "000087C2"
> >         Framed-Protocol = PPP
> >         Connect-Info = "46667/24000 V90/V42bis/LAPM"
> >         cisco-avpair = "connect-progress=Call Up"
> >         Acct-Authentic = RADIUS
> >         Acct-Status-Type = Start
> >         User-Name = "tmeyers"
> >         Acct-Multi-Session-Id = "0000511D"
> >         Acct-Link-Count = "<0><0><0><2>"
> >         Framed-Address = 216.118.88.4
> >         Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
> >         NAS-Port = 105
> >         NAS-Port-Type = Async
> >         Class = "netcarrier.com"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 216.118.66.25
> >         Event-Timestamp = 1026329001
> >         Acct-Delay-Time = 0
> >
> >
> > Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
> > *** Received from 216.118.66.25 port 1646 ....
> > Code:       Accounting-Request
> > Identifier: 239
> > Authentic:  <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
> > Attributes:
> >         Acct-Session-Id = "000084AB"
> >         Framed-Protocol = PPP
> >         cisco-avpair = "connect-progress=Call Up"
> >         Acct-Session-Time = 2897
> >         Connect-Info = "49333/24000 V90/V42bis/LAPM"
> >         Acct-Input-Octets = 349671
> >         Acct-Output-Octets = 2362531
> >         Acct-Input-Packets = 3246
> >         Acct-Output-Packets = 2835
> >         Acct-Terminate-Cause = User-Request
> >         cisco-avpair = "disc-cause-ext=PPP Receive Term"
> >         Acct-Authentic = RADIUS
> >         Acct-Status-Type = Stop
> >         User-Name = "cheezwhiz"
> >         Acct-Multi-Session-Id = "00004F51"
> >         Acct-Link-Count = "<0><0><0><1>"
> >         Framed-Address = 216.118.90.220
> >         Cisco-NAS-Port = "Async3/105*Serial7/0:18:21"
> >         NAS-Port = 105
> >         NAS-Port-Type = Async
> >         Class = "netcarrier.com"
> >         Service-Type = Framed-User
> >         NAS-IP-Address = 216.118.66.25
> >         Event-Timestamp = 1026329176
> >         Acct-Delay-Time = 0
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS 
> server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, 
> NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, 
> extensible, flexible with hardware, software, platform and 
> database independence.
> 
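The collision described in this thread, replayed as an added example (not code from the thread, from `goodies/hooks.txt`, or from Radiator): a minimal online-session table is fed the two quoted accounting records under three keying schemes. The `slot * 1000 + port` encoding, the function names, and the table itself are assumptions made for illustration; the records are constructed from the packet dumps above.

```python
import re

# Constructed from the two accounting records quoted in the thread.
# Only the attributes a session table needs are kept.
RECORDS = [
    {"Acct-Status-Type": "Start", "User-Name": "tmeyers",
     "Acct-Session-Id": "000087C2", "NAS-IP-Address": "216.118.66.25",
     "NAS-Port": 105, "Cisco-NAS-Port": "Async4/105*Serial7/0:25:3"},
    {"Acct-Status-Type": "Stop", "User-Name": "cheezwhiz",
     "Acct-Session-Id": "000084AB", "NAS-IP-Address": "216.118.66.25",
     "NAS-Port": 105, "Cisco-NAS-Port": "Async3/105*Serial7/0:18:21"},
]

ASYNC_RE = re.compile(r"^Async(\d+)/(\d+)")

def unique_port(rec):
    # Assumed encoding: slot * 1000 + port (fewer than 1000 ports per slot).
    # Falls back to NAS-Port if Cisco-NAS-Port is absent or in another form.
    m = ASYNC_RE.match(rec.get("Cisco-NAS-Port", ""))
    if not m:
        return rec["NAS-Port"]
    return int(m.group(1)) * 1000 + int(m.group(2))

KEYS = {
    "nas_port": lambda r: (r["NAS-IP-Address"], r["NAS-Port"]),
    "derived_port": lambda r: (r["NAS-IP-Address"], unique_port(r)),
    "session_id": lambda r: (r["NAS-IP-Address"], r["Acct-Session-Id"]),
}

def replay(records, key_fn):
    """Apply Start/Stop records to an online table keyed by key_fn."""
    online = {}
    for rec in records:
        k = key_fn(rec)
        if rec["Acct-Status-Type"] == "Start":
            online[k] = rec["User-Name"]
        elif rec["Acct-Status-Type"] == "Stop":
            online.pop(k, None)  # a Stop for an unknown key is ignored
    return online

if __name__ == "__main__":
    for name, fn in KEYS.items():
        print(name, replay(RECORDS, fn))
```

Keyed on NAS/NAS-Port the table ends up empty although tmeyers is still connected, which is the undercount reported above and would also let a concurrency limit be bypassed; either of the other two keys keeps his entry.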