(RADIATOR) hostselect FAILUREPOLICY bug!

Hugh Irvine hugh at open.com.au
Wed Sep 11 17:56:41 CDT 2002


Hello Mohamed -

Thanks for sending the debug information.

The following is taken from the source code in the file 
"Radius/AuthSQLRADIUS.pm".

The default HostSelect query is this:

     $self->{HostSelect} = 'select HOST%0, SECRET, AUTHPORT, ACCTPORT,
         RETRIES, RETRYTIMEOUT, USEOLDASCENDPASSWORDS, SERVERHASBROKENPORTNUMBERS,
         SERVERHASBROKENADDRESSES, IGNOREREPLYSIGNATURE, FAILUREPOLICY
         from RADSQLRADIUS where TARGETNAME=\'%R\'';

Which is processed with this code:

             $fp->{failurePolicy} = $row[10] if defined $row[10];

             $host = Radius::Host->new
              (undef,  $row[0],
               defined $row[1] ? (Secret                     => $row[1]) : (),
               defined $row[2] ? (AuthPort                   => $row[2]) : (),
               defined $row[3] ? (AcctPort                   => $row[3]) : (),
               defined $row[4] ? (Retries                    => $row[4]) : (),
               defined $row[5] ? (RetryTimeout               => $row[5]) : (),
               defined $row[6] ? (UseOldAscendPasswords      => $row[6]) : (),
               defined $row[7] ? (ServerHasBrokenPortNumbers => $row[7]) : (),
               defined $row[8] ? (ServerHasBrokenAddresses   => $row[8]) : (),
               defined $row[9] ? (IgnoreReplySignature       => $row[9]) : (),
               );

In other words, the FailurePolicy is expected to be the 11th element of 
the row returned by the query.

To fix your problem, the simplest thing to do is use NULLs for the 
elements you are not using in the query:

 HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, \
     RETRYTIMEOUT, NULL, NULL, NULL, NULL, \
     FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='%R'

Otherwise, you could use HostColumnDef's as described in section 6.45.3 
in the Radiator 3.3.1 reference manual ("doc/ref.html").

regards

Hugh


On Wednesday, September 11, 2002, at 10:52 PM, Mohamed Majdoubi wrote:

> Hi
> I am trying to use the FAILUREPOLICY field in the hostselect statement. The 
> value FAILUREPOLICY is set to 1 (see the database output); this 
> should result in a reject to the NAS if the host radius does not respond. 
> Unfortunately this is not happening; the NAS still gets no answer from 
> the proxy radius. I can conclude that the proxy radius does use the 
> failure policy to send a reject instead of an ignore. Below you can find 
> the configuration and the output.
>  
> with kind regards
> Mohamed Majdoubi
> KPN Telecom
>  
> #####################################################################
>                                             radius setup
> #####################################################################
>  
>  
> | NAS | --------------------- | proxy | ------------------------ | radius |
>  
>  
>  
>  
> #####################################################################
>                                             Configuration
> #####################################################################
>
> <AuthBy SQLRADIUS>
>  Identifier ProxyToOffice
>      FailureBackoffTime 60
>  DBSource dbi:mysql:ProxyDB
>  DBUsername root
>  DBAuth 
>  HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from \
>  RADSQLRADIUS where TARGETNAME='%R'
>  StripFromRequest Cisco-NAS-Port, \
>                 NAS-Port, \
>                 NAS-Port-Type, \
>   NAS-IP-Address, \
>                 Called-Station-Id, \
>                 Calling-Station-Id
>  
>  AddToRequest Service-Class = %{Reply:Service-Class}
>   AllowInReply Service-Type, \
>   Framed-Protocol, \
>           Framed-IP-Netmask, \
>   Framed-IP-Address, \
>   Ascend-Client-Primary-DNS, \
>   Ascend-Client-Secondary-DNS, \
>   Loopback-Tag, \
>   Release-Name, \
>   VRF-Tag
>  ReplyHook file:"%D/reply.pl"
> </AuthBy>
> #####################################################################
>                                 Database output
> #####################################################################
>  
> mysql> select HOST1, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='office1';
> +-----------+--------+----------+----------+---------+--------------+---------------+
> | HOST1     | SECRET | AUTHPORT | ACCTPORT | RETRIES | RETRYTIMEOUT | FAILUREPOLICY |
> +-----------+--------+----------+----------+---------+--------------+---------------+
> | 127.0.0.1 | kpn    | 1812     | 1813     |       2 |            5 |             1 |
> +-----------+--------+----------+----------+---------+--------------+---------------+
> 1 row in set (0.00 sec)
>  
>  
>  
> #####################################################################
>                                             Debug
> #####################################################################
>  
> Code:       Access-Request
> Identifier: 2
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "mohamed at office1"
>         Service-Type = Framed-User
>         User-Password = "<166><186>H1By%<222><155><151><153><171><216>!U<133>"
>         Service-Class = "office2-1.1.1.1-2222"
>  
> Wed Sep 11 11:03:22 2002: DEBUG: Timed out, retransmitting
> Wed Sep 11 11:03:22 2002: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
>  
> Packet length = 83
> 01 02 00 53 31 32 33 34 35 36 37 38 39 30 31 32
> 33 34 35 36 01 11 6d 6f 68 61 6d 65 64 40 6f 66
> 66 69 63 65 31 06 06 00 00 00 02 02 12 a6 ba 48
> 31 42 79 25 de 9b 97 99 ab d8 21 55 85 95 16 6f
> 66 66 69 63 65 32 2d 31 2e 31 2e 31 2e 31 2d 32
> 32 32 32
> Code:       Access-Request
> Identifier: 2
> Authentic:  1234567890123456
> Attributes:
>         User-Name = "mohamed at office1"
>         Service-Type = Framed-User
>         User-Password = "<166><186>H1By%<222><155><151><153><171><216>!U<133>"
>         Service-Class = "office2-1.1.1.1-2222"
>  
> Wed Sep 11 11:03:27 2002: INFO: AuthRADIUS: No reply after 2 retransmissions to 127.0.0.1:1812 for mohamed at office1  (132)
> Wed Sep 11 11:03:27 2002: INFO: AuthRADIUS could not find a working host to forward to. Ignoring
>  
>

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
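
The positional mapping quoted from "Radius/AuthSQLRADIUS.pm", replayed as an added example (not part of the original message and not Radiator's own code) on two constructed rows built from the values in the database output above. map_row and report are hypothetical helpers; with the 7-column query the FAILUREPOLICY value lands in UseOldAscendPasswords and the failure policy stays unset.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Column names in the order the default HostSelect returns them.
my @EXPECTED = qw(HOST SECRET AUTHPORT ACCTPORT RETRIES RETRYTIMEOUT
                  USEOLDASCENDPASSWORDS SERVERHASBROKENPORTNUMBERS
                  SERVERHASBROKENADDRESSES IGNOREREPLYSIGNATURE FAILUREPOLICY);

# Hypothetical helper: mirrors the positional mapping quoted in the reply.
# Columns 1..9 become host parameters, column 10 becomes the failure policy.
sub map_row {
    my @row = @_;
    my %host = (Name => $row[0]);
    my @params = qw(Secret AuthPort AcctPort Retries RetryTimeout
                    UseOldAscendPasswords ServerHasBrokenPortNumbers
                    ServerHasBrokenAddresses IgnoreReplySignature);
    for my $i (1 .. 9) {
        # SQL NULL arrives from DBI as undef and is skipped, as in the original.
        $host{$params[$i - 1]} = $row[$i] if defined $row[$i];
    }
    my $failure_policy = defined $row[10] ? $row[10] : undef;
    return (\%host, $failure_policy);
}

# Hypothetical helper: print where the interesting values ended up and
# flag any row whose width differs from the 11 columns the code indexes.
sub report {
    my ($label, @row) = @_;
    my ($host, $fp) = map_row(@row);
    printf "%s (%d columns)\n", $label, scalar @row;
    printf "  failurePolicy         = %s\n", defined $fp ? $fp : '(unset)';
    printf "  UseOldAscendPasswords = %s\n",
        exists $host->{UseOldAscendPasswords}
            ? $host->{UseOldAscendPasswords} : '(unset)';
    warn "  expected " . scalar(@EXPECTED) . " columns, values are misassigned\n"
        if @row != @EXPECTED;
}

# Constructed rows: HOST1, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT,
# then FAILUREPOLICY either directly (7 columns) or after four NULLs (11 columns).
report('7-column query',    '127.0.0.1', 'kpn', 1812, 1813, 2, 5, 1);
report('NULL-padded query', '127.0.0.1', 'kpn', 1812, 1813, 2, 5,
       undef, undef, undef, undef, 1);
```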