(RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB

Dave Kitabjian dave at netcarrier.com
Thu Jul 11 15:17:59 CDT 2002


Bernhard and Claudio, 
 
Thanks so much for the heads up!
 
That seems to have fixed it. Since I can't find specs on exactly how
format "c" is encoding info into that port, I don't really know for
sure. But the count of onliners has gone up rapidly as soon as I added
that line to our configs. 
 
The ports being reported are all in the 7000 and 8000 ranges, for
whatever reason. If anyone has any info about exactly how they encode the
slot and shelf into this value, I'd be interested in checking it out.
 
Thanks again to all!
 
Dave 
 

	-----Original Message-----
	From: Bernhard Conoplia [mailto:Bernhard.Conoplia at comindico.com.au]
	Sent: Wednesday, July 10, 2002 7:12 PM
	To: Dave Kitabjian
	Subject: RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
	
	
	Hi Dave,
	 
	Have a try with the IOS command "radius-server attribute
	nas-port format c". From memory this command is designed to ensure that
	the NAS-port format in preauth and user authentications match
	appropriately, i.e. the id is the same before and after an Async port has
	been assigned, so it must be based on the ISDN channel.  Our 5400's
	present a 4 digit NAS-Port-Id, obviously more granular than the 3 digit
	id. Cisco says that "theoretically" there are still circumstances when
	duplicates can occur, but we've had no problems with approx 150 NAS's.
	 
	Probably worth a try - let me know how you go.
	 
	Regards,
	 
	Bernhard

		-----Original Message-----
		From: Dave Kitabjian [mailto:dave at netcarrier.com]
		Sent: Thursday, July 11, 2002 7:25 AM
		To: radiator at open.com.au
		Subject: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DB
		
		

		I finally tracked down the reason why our Online DB has
		been reporting a much lower count of onliners than are actually online.

		Look at the attached sequence of two accounting records.
		tmeyers logs on to NAS 216.118.66.25 and Port 105. Then, 3 minutes
		later, while he's still online, cheezwhiz logs off of the same NAS and
		Port, clobbering tmeyers' entry in the online DB.

		But how can two people have been on the same port at the
		same time, you ask? The answer is that when Cisco is (again) lazy, it's
		easy to happen. If you look at the Cisco-NAS-Port attribute, you'll see
		that they are really on two distinct ports. Cisco is just taking a
		portion of the info and plopping it in NAS-Port, even though that means
		that many people can be on the same NAS-Port at once. Most manufacturers
		come up with a procedure for encoding all that
		"Async4/105*Serial7/0:25:3" stuff into some unique, numeric port number
		and then put that in NAS-Port.

		Now, if we were enforcing concurrency limits we'd be
		even more screwed.

		Has anyone else experienced this? How are you dealing
		with it? Does Radiator have any solutions? I wonder if using the
		Acct-Session-Id for deletions would be more reliable than matching
		NAS/Port combos. Comments welcome!

		Dave 
		_____________________________ 

		Wed Jul 10 15:23:21 2002: DEBUG: Packet dump: 
		*** Received from 216.118.66.25 port 1646 .... 
		Code:       Accounting-Request 
		Identifier: 188 
		Authentic:  <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
		Attributes: 
		        Acct-Session-Id = "000087C2" 
		        Framed-Protocol = PPP 
		        Connect-Info = "46667/24000 V90/V42bis/LAPM" 
		        cisco-avpair = "connect-progress=Call Up" 
		        Acct-Authentic = RADIUS 
		        Acct-Status-Type = Start 
		        User-Name = "tmeyers" 
		        Acct-Multi-Session-Id = "0000511D" 
		        Acct-Link-Count = "<0><0><0><2>" 
		        Framed-Address = 216.118.88.4 
		        Cisco-NAS-Port = "Async4/105*Serial7/0:25:3" 
		        NAS-Port = 105 
		        NAS-Port-Type = Async 
		        Class = "netcarrier.com" 
		        Service-Type = Framed-User 
		        NAS-IP-Address = 216.118.66.25 
		        Event-Timestamp = 1026329001 
		        Acct-Delay-Time = 0 


		Wed Jul 10 15:26:16 2002: DEBUG: Packet dump: 
		*** Received from 216.118.66.25 port 1646 .... 
		Code:       Accounting-Request 
		Identifier: 239 
		Authentic:  <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
		Attributes: 
		        Acct-Session-Id = "000084AB" 
		        Framed-Protocol = PPP 
		        cisco-avpair = "connect-progress=Call Up" 
		        Acct-Session-Time = 2897 
		        Connect-Info = "49333/24000 V90/V42bis/LAPM" 
		        Acct-Input-Octets = 349671 
		        Acct-Output-Octets = 2362531 
		        Acct-Input-Packets = 3246 
		        Acct-Output-Packets = 2835 
		        Acct-Terminate-Cause = User-Request 
		        cisco-avpair = "disc-cause-ext=PPP Receive Term"
		        Acct-Authentic = RADIUS 
		        Acct-Status-Type = Stop 
		        User-Name = "cheezwhiz" 
		        Acct-Multi-Session-Id = "00004F51" 
		        Acct-Link-Count = "<0><0><0><1>" 
		        Framed-Address = 216.118.90.220 
		        Cisco-NAS-Port = "Async3/105*Serial7/0:18:21" 
		        NAS-Port = 105 
		        NAS-Port-Type = Async 
		        Class = "netcarrier.com" 
		        Service-Type = Framed-User 
		        NAS-IP-Address = 216.118.66.25 
		        Event-Timestamp = 1026329176 
		        Acct-Delay-Time = 0 
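
An added illustration, not part of the original thread and not Radiator's code: a minimal model of an online-session table that replays the accounting records above, keyed first on NAS/NAS-Port and then on NAS/Acct-Session-Id as the original post suggests. The earlier Start record for cheezwhiz is constructed from the fields of his Stop record, and all function names are hypothetical.

```python
NAS = "216.118.66.25"

def rec(status, user, session_id, cisco_port, nas_port=105):
    """Build a trimmed accounting record (only the fields used here)."""
    return {"Acct-Status-Type": status, "User-Name": user,
            "Acct-Session-Id": session_id, "NAS-IP-Address": NAS,
            "NAS-Port": nas_port, "Cisco-NAS-Port": cisco_port}

RECORDS = [
    # Constructed: the Start that must have preceded cheezwhiz's Stop.
    rec("Start", "cheezwhiz", "000084AB", "Async3/105*Serial7/0:18:21"),
    # The two records from the packet dump in the thread.
    rec("Start", "tmeyers", "000087C2", "Async4/105*Serial7/0:25:3"),
    rec("Stop", "cheezwhiz", "000084AB", "Async3/105*Serial7/0:18:21"),
]

def port_key(r):
    """Key the post describes as failing: NAS plus the non-unique NAS-Port."""
    return (r["NAS-IP-Address"], r["NAS-Port"])

def session_key(r):
    """Alternative raised in the post: NAS plus Acct-Session-Id."""
    return (r["NAS-IP-Address"], r["Acct-Session-Id"])

def replay(records, key_fn):
    """Apply Start/Stop records in order and return the resulting online table."""
    online = {}
    for r in records:
        if r["Acct-Status-Type"] == "Start":
            online[key_fn(r)] = r["User-Name"]
        elif r["Acct-Status-Type"] == "Stop":
            online.pop(key_fn(r), None)
    return online

def port_collisions(records):
    """Report (NAS, NAS-Port) pairs seen with more than one Cisco-NAS-Port."""
    seen = {}
    for r in records:
        seen.setdefault(port_key(r), set()).add(r["Cisco-NAS-Port"])
    return {k: sorted(v) for k, v in seen.items() if len(v) > 1}

if __name__ == "__main__":
    print("keyed on NAS-Port:       ", replay(RECORDS, port_key))
    print("keyed on Acct-Session-Id:", replay(RECORDS, session_key))
    print("colliding ports:         ", port_collisions(RECORDS))
```

Keyed on NAS-Port, the table ends up empty while tmeyers is still connected, which is the undercount described in the thread; `port_collisions` can be run over accounting logs to check whether a NAS is still sending non-unique NAS-Port values after a configuration change.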
