(RADIATOR) hostslect FAILUREPOLICY bug!

Martin Edge martinedge at kbs.net.au
Wed Sep 11 17:47:59 CDT 2002


Yeah, this is the similar effect I have seen as well.

For instance, it was falling back to the default defined AuthBy RADIUS
within SQL RADIUS, after NumHosts was reached, instead of adhering to the
selected Failure Policy. If there was not one defined, it simply ignored.

This is what made me nervous about just letting NumHosts be static.

Oh, the other reason my NumHostSelect query was so important, what about
when there isn't as many authentication servers as there is accounting
servers?

This is the extract from AuthSQLRADIUS that speaks of failurepolicy :

#####################################################################
# Called when no reply is received fromn any of the attempted
# hosts.
# Look at the failure policy we recorded from the database
# and maybe implement it
sub noreply
{
    my ($self, $fp, $p) = @_;

    # Call the NoReply hook if there is one, you could adjust the pending
reply here
    $self->SUPER::noreply($fp, $p, $p->{rp});

    if (defined $fp->{failurePolicy})
    {
        # The database told us how to deal with failure
        $self->adjustReply($p);

        $p->{Handler}->handlerResult
            ($p, $fp->{failurePolicy}, 'SQLRADIUS Proxy failed');
    }
    return;
}

However, in adjustReply there is no mention of FailurePolicy.. I couldn't
find anything in handlerResult either..





-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au]On
Behalf Of Mohamed Majdoubi
Sent: Wednesday, September 11, 2002 10:53 PM
To: radiator at open.com.au
Subject: (RADIATOR) hostslect FAILUREPOLICY bug!


Hi
i am trying to use FAILUREPOLICY field in the hostselect statement. The
value FAILUREPOLICY is set to 1 (see the database output), this should
result in a reject to NAS if the host radius does not respond. unfortunatly
this is not happening, the NAS gets still no answer from the proxy radius. i
can conclude that the proxy radius does use the failure policy to send a
reject instead of a ignore. below you can find configuration and the output

with kind regards
Mohamed Majdoubi
KPN Telecom

#####################################################################
                                            radius setup
#####################################################################


||||||||||||||||||||||                        ||||||||||||||||||||||
||||||||||||||||||||||
|     NAS   |   --------------------- proxy       |------------------------
radius
||||||||||||||||||||||                        ||||||||||||||||||||||
||||||||||||||||||||||




#####################################################################
                                            Configuration
#####################################################################

<AuthBy SQLRADIUS>
 Identifier ProxyToOffice
     FailureBackoffTime 60
 DBSource dbi:mysql:ProxyDB
 DBUsername root
 DBAuth
 HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES,
RETRYTIMEOUT, FAILUREPOLICY from \
 RADSQLRADIUS where TARGETNAME='%R'
 StripFromRequest Cisco-NAS-Port, \
                NAS-Port, \
                NAS-Port-Type, \
  NAS-IP-Address, \
                Called-Station-Id, \
                Calling-Station-Id

 AddToRequest Service-Class = %{Reply:Service-Class}
  AllowInReply Service-Type, \
  Framed-Protocol, \
          Framed-IP-Netmask, \
  Framed-IP-Address, \
  Ascend-Client-Primary-DNS, \
  Ascend-Client-Secondary-DNS, \
  Loopback-Tag, \
  Release-Name, \
  VRF-Tag
 ReplyHook file:"%D/reply.pl"
</AuthBy>

#####################################################################
                                Database output
#####################################################################

mysql> select HOST1, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT,
FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='office1';
+-----------+--------+----------+----------+---------+--------------+-------
--------+
| HOST1     | SECRET | AUTHPORT | ACCTPORT | RETRIES | RETRYTIMEOUT |
FAILUREPOLICY |
+-----------+--------+----------+----------+---------+--------------+-------
--------+
| 127.0.0.1 | kpn    | 1812     | 1813     |       2 |            5 |
1 |
+-----------+--------+----------+----------+---------+--------------+-------
--------+
1 row in set (0.00 sec)



#####################################################################
                                            Debug
#####################################################################

Code:       Access-Request
Identifier: 2
Authentic:  1234567890123456
Attributes:
        User-Name = "mohamed at office1"
        Service-Type = Framed-User
        User-Password =
"<166><186>H1By%<222><155><151><153><171><216>!U<133>"
        Service-Class = "office2-1.1.1.1-2222"

Wed Sep 11 11:03:22 2002: DEBUG: Timed out, retransmitting
Wed Sep 11 11:03:22 2002: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1812 ....

Packet length = 83
01 02 00 53 31 32 33 34 35 36 37 38 39 30 31 32
33 34 35 36 01 11 6d 6f 68 61 6d 65 64 40 6f 66
66 69 63 65 31 06 06 00 00 00 02 02 12 a6 ba 48
31 42 79 25 de 9b 97 99 ab d8 21 55 85 95 16 6f
66 66 69 63 65 32 2d 31 2e 31 2e 31 2e 31 2d 32
32 32 32
Code:       Access-Request
Identifier: 2
Authentic:  1234567890123456
Attributes:
        User-Name = "mohamed at office1"
        Service-Type = Framed-User
        User-Password =
"<166><186>H1By%<222><155><151><153><171><216>!U<133>"
        Service-Class = "office2-1.1.1.1-2222"

Wed Sep 11 11:03:27 2002: INFO: AuthRADIUS: No reply after 2 retransmissions
to 127.0.0.1:1812 for mohamed at off
ice1  (132)
Wed Sep 11 11:03:27 2002: INFO: AuthRADIUS could not find a working host to
forward to. Ignoring

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.


More information about the radiator mailing list