(RADIATOR) Subdomain problem [FIXED]

Dan Vande More dvm at firstlink.com
Thu Aug 7 14:03:19 CDT 2003


Hugh,

Your solution did not work for the second problem (ISDN static/dynamic IP), but it surprisingly DID work for the DSL subdomains.
I'm not really good at RADIUS but should be done reading the RFC by tonight.
This should help in situations like these.
I have another router I'm going to try on this circuit before I do any more radius troubleshooting.
In the meantime I will research as to why this may have fixed the subdomain problem.

For those who didn't catch on:

I tried authenticating subdomains (i.e. dsl.mydomain.com) through a SQL database via Radiator.
Radiator authentication went fine. I have the default recommended table structure (to eliminate variables), and switching from AuthBy File to SQL broke only certain clients in one domain.

Although the records looked complete and radiator debug showed the correct information returned, the router did not appear to accept it until I threw these lines into my authby sql realm dsl.mydomain.com:

	<AuthBy SQL>
		.....
		AddToReply Service-Type = Framed-User, \
			Framed-Protocol = PPP
	</AuthBy>


Thanks!

Dan Vande More

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Thursday, August 07, 2003 10:51 AM
To: Dan Vande More
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) Subdomain problem



Hello Dan -

It is quite possible that this is due to "Service-Type = Framed-User,  
Framed-Protocol = PPP" not being included in the reply attributes  
(Cisco's especially are very picky about this).

BTW - for common sets of reply attributes you can use an "AddToReply  
...." in the AuthBy clause rather than replicating all of the reply  
attributes for every user.

Ie:

	<AuthBy SQL>
		.....
		AddToReply Service-Type = Framed-User, \
			Framed-Protocol = PPP
	</AuthBy>

regards

Hugh


On Friday, Aug 8, 2003, at 01:15 Australia/Melbourne, Dan Vande More  
wrote:

> Well this is what I have after making this change.
>
> It appears to keep re-authenticating, over and over again every 7-10  
> seconds.
> Although it appears to give an access accepted, the modem doesn't  
> accept it.
>
> Keep in mind, that this works perfectly on AuthBy File, and dies on  
> SQL.
>
> Maybe I have something wrong in the db conversion, but I used the  
> default table structure included with Radiator, and here is a sample  
> record:
>
> INSERT INTO `SUBSCRIBERS` VALUES("dvmsherman at dsl.mydomain.com",  
> "mycorrectpassword", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.132.52,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed- 
> Compression=Van-Jacobson-TCP-IP", "9999999");
>
> Debug info below.
>
> Additionally out of a large amount of ISDN subscribers, I have one  
> particular one I cannot seem to give a static IP to. And if I do, it  
> still takes a dynamic.
> Its db record is seen below:
>
> INSERT INTO `SUBSCRIBERS` VALUES("baerisdn at isdn.mydomain.com",  
> "password", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.207,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Session- 
> Timeout=14400,Idle-Timeout=600,Framed-Compression=Van-Jacobson-TCP- 
> IP", "9999999");
>
> Here's a sample of an ISDN record that does keep the static IP every  
> time:
>
> INSERT INTO `SUBSCRIBERS` VALUES("bouldcvi at isdn.mydomain.com",  
> "password", NULL, "Service-Type=Framed-User",  
> "Framed-Protocol=PPP,Framed-IP-Address=200.200.139.132,Framed-IP- 
> Netmask=255.255.255.255,Framed-Routing=None,Framed-MTU=1500,Framed- 
> Compression=Van-Jacobson-TCP-IP,Session-Timeout=14400,Idle- 
> Timeout=600", "9999999");
>
> I'm debating the fact that it is their router. It seems they have a  
> Cisco 803, and though there are bugs, none of them point to this  
> issue. Nor was I able to find anything close.
>
> Hints? Suggestions?
>
> Thanks!
>
> Dan Vande More
>
> Debug info from issue #1:
>
>
> Mon Aug  4 14:43:45 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645 ....
> Code:       Access-Request
> Identifier: 48
> Authentic:  he^<205>]<173><3><213><231>v<130><7>p<239><211>T
> Attributes:
>         NAS-IP-Address = 200.200.143.2
>         NAS-Port = 28
>         NAS-Port-Type = Virtual
>         User-Name = "dvmsherman at dsl.mydomain.com"
>         User-Password =  
> "<229><162><139><236>I<225><225><181><150><13>W<249><155>'W<6>"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> Mon Aug  4 14:43:45 2003: DEBUG: Handling request with Handler  
> 'Realm=dsl.mydomain.com'
> Mon Aug  4 14:43:45 2003: DEBUG:  Deleting session for  
> dvmsherman at dsl.mydomain.com, 200.200.143.2, 2
> 8
> Mon Aug  4 14:43:45 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='200.200.143
> .2' and NASPORT=028':
>
> Mon Aug  4 14:43:45 2003: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPA
> DDRESS from RADONLINE where USERNAME='dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Aug  4 14:43:45 2003: DEBUG: Handling with Radius::AuthSQL:
> Mon Aug  4 14:43:45 2003: DEBUG: Query is: 'select PASSWORD,  
> CHECKATTR, REPLYATTR from SUBSCRIBERS
> where USERNAME = 'dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:45 2003: DEBUG: Radius::AuthSQL looks for match with  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:45 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Aug  4 14:43:45 2003: DEBUG: Access accepted for  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:45 2003: DEBUG: Packet dump:
> *** Sending to 200.200.143.2 port 1645 ....
> Code:       Access-Accept
> Identifier: 48
> Authentic:  he^<205>]<173><3><213><231>v<130><7>p<239><211>T
> Attributes:
>         Framed-IP-Address = 200.200.132.52
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
> Mon Aug  4 14:43:52 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645 ....
> Code:       Access-Request
> Identifier: 50
> Authentic:  <163>0<206>I<209><251><7><159>.<166><183><143><230><173>b7
> Attributes:
>         NAS-IP-Address = 200.200.143.2
>         NAS-Port = 28
>         NAS-Port-Type = Virtual
>         User-Name = "dvmsherman at dsl.mydomain.com"
>         User-Password =  
> "rE<255><144><186>|>n<26>A<173><133>c<253>g<189>"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> Mon Aug  4 14:43:52 2003: DEBUG: Handling request with Handler  
> 'Realm=dsl.mydomain.com'
> Mon Aug  4 14:43:52 2003: DEBUG:  Deleting session for  
> dvmsherman at dsl.mydomain.com, 200.200.143.2, 2
> 8
> Mon Aug  4 14:43:52 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='200.200.143
> .2' and NASPORT=028':
>
> Mon Aug  4 14:43:52 2003: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPA
> DDRESS from RADONLINE where USERNAME='dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:52 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Aug  4 14:43:52 2003: DEBUG: Handling with Radius::AuthSQL:
> Mon Aug  4 14:43:52 2003: DEBUG: Query is: 'select PASSWORD,  
> CHECKATTR, REPLYATTR from SUBSCRIBERS
> where USERNAME = 'dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:52 2003: DEBUG: Radius::AuthSQL looks for match with  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:52 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Aug  4 14:43:52 2003: DEBUG: Access accepted for  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:52 2003: DEBUG: Packet dump:
> *** Sending to 200.200.143.2 port 1645 ....
> Code:       Access-Accept
> Identifier: 50
> Authentic:  <163>0<206>I<209><251><7><159>.<166><183><143><230><173>b7
> Attributes:
>         Framed-IP-Address = 200.200.132.52
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> Mon Aug  4 14:43:52 2003: DEBUG: Query is: 'select PASSWORD,  
> CHECKATTR, REPLYATTR from SUBSCRIBERS
> where USERNAME = 'dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:52 2003: DEBUG: Radius::AuthSQL looks for match with  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:52 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Aug  4 14:43:52 2003: DEBUG: Access accepted for  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:52 2003: DEBUG: Packet dump:
> *** Sending to 200.200.143.2 port 1645 ....
> Code:       Access-Accept
> Identifier: 50
> Authentic:  <163>0<206>I<209><251><7><159>.<166><183><143><230><173>b7
> Attributes:
>         Framed-IP-Address = 200.200.132.52
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
> Mon Aug  4 14:43:58 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645 ....
> Code:       Access-Request
> Identifier: 52
> Authentic:  e<209>b<205>#<227><227><200>{<127><143>"<254>q$<135>
> Attributes:
>         NAS-IP-Address = 200.200.143.2
>         NAS-Port = 28
>         NAS-Port-Type = Virtual
>         User-Name = "dvmsherman at dsl.mydomain.com"
>         User-Password =  
> "<145><148>]<203><23><6><2><205><158><228>k<180><165>8<226><209>"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> Mon Aug  4 14:43:58 2003: DEBUG: Handling request with Handler  
> 'Realm=dsl.mydomain.com'
> Mon Aug  4 14:43:58 2003: DEBUG:  Deleting session for  
> dvmsherman at dsl.mydomain.com, 200.200.143.2, 2
> 8
> Mon Aug  4 14:43:58 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='200.200.143
> .2' and NASPORT=028':
>
> Mon Aug  4 14:43:58 2003: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPA
> DDRESS from RADONLINE where USERNAME='dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:58 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Aug  4 14:43:58 2003: DEBUG: Handling with Radius::AuthSQL:
> Mon Aug  4 14:43:58 2003: DEBUG: Query is: 'select PASSWORD,  
> CHECKATTR, REPLYATTR from SUBSCRIBERS
> where USERNAME = 'dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:43:58 2003: DEBUG: Radius::AuthSQL looks for match with  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:58 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Aug  4 14:43:58 2003: DEBUG: Access accepted for  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:43:58 2003: DEBUG: Packet dump:
> *** Sending to 200.200.143.2 port 1645 ....
> Code:       Access-Accept
> Identifier: 52
> Authentic:  e<209>b<205>#<227><227><200>{<127><143>"<254>q$<135>
> Attributes:
>         Framed-IP-Address = 200.200.132.52
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
> Mon Aug  4 14:44:04 2003: DEBUG: Packet dump:
> *** Received from 200.200.143.2 port 1645 ....
> Code:       Access-Request
> Identifier: 54
> Authentic:   
> <22><20>t<<148><210><212><157><178>}<2><195><136><193><130>S
> Attributes:
>         NAS-IP-Address = 200.200.143.2
>         NAS-Port = 28
>         NAS-Port-Type = Virtual
>         User-Name = "dvmsherman at dsl.mydomain.com"
>         User-Password =  
> "L<253><4><209><179>7Up<219><170><192>g_<195><206>t"
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>
> Mon Aug  4 14:44:04 2003: DEBUG: Handling request with Handler  
> 'Realm=dsl.mydomain.com'
> Mon Aug  4 14:44:04 2003: DEBUG:  Deleting session for  
> dvmsherman at dsl.mydomain.com, 200.200.143.2, 2
> 8
> Mon Aug  4 14:44:04 2003: DEBUG: do query is: 'delete from RADONLINE  
> where NASIDENTIFIER='200.200.143
> .2' and NASPORT=028':
>
> Mon Aug  4 14:44:04 2003: DEBUG: Query is: 'select NASIDENTIFIER,  
> NASPORT, ACCTSESSIONID, FRAMEDIPA
> DDRESS from RADONLINE where USERNAME='dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:44:04 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Aug  4 14:44:04 2003: DEBUG: Handling with Radius::AuthSQL:
> Mon Aug  4 14:44:04 2003: DEBUG: Query is: 'select PASSWORD,  
> CHECKATTR, REPLYATTR from SUBSCRIBERS
> where USERNAME = 'dvmsherman at dsl.mydomain.com'':
>
> Mon Aug  4 14:44:04 2003: DEBUG: Radius::AuthSQL looks for match with  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:44:04 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Aug  4 14:44:04 2003: DEBUG: Access accepted for  
> dvmsherman at dsl.mydomain.com
> Mon Aug  4 14:44:04 2003: DEBUG: Packet dump:
> *** Sending to 200.200.143.2 port 1645 ....
> Code:       Access-Accept
> Identifier: 54
> Authentic:   
> <22><20>t<<148><210><212><157><178>}<2><195><136><193><130>S
> Attributes:
>         Framed-IP-Address = 200.200.132.52
>         Framed-Protocol = PPP
>         Framed-IP-Netmask = 255.255.255.255
>         Framed-Routing = None
>         Framed-MTU = 1500
>         Framed-Compression = Van-Jacobson-TCP-IP
>
>
>
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Sunday, August 03, 2003 7:56 PM
> To: Dan Vande More
> Subject: Re: (RADIATOR) Subdomain problem
>
>
>
> Hello Dan -
>
> Thanks for sending the information.
>
> I suspect the problem is with your AuthBy SQL clause, which should look
> more like this:
>
>          <AuthBy SQL>
>                  DBSource        dbi:mysql:otherstuff
>                  DBUsername      username
>                  DBAuth          password
>                  AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
>                          from SUBSCRIBERS where USERNAME = %0
>                  AuthColumnDef 0, Password, check
>                  AuthColumnDef 1, GENERIC, check
>                  AuthColumnDef 2, GENERIC, reply
>          </AuthBy>
>
> See section 6.28 in the Radiator 3.6 reference manual ("doc/ref.html").
>
> This topic has also been discussed on the Radiator mailing list:
>
> 	www.open.com.au/archives/radiator
>
> regards
>
> Hugh
>
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
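
A check for the failure mode in this thread, as an added example (not code from the posters or from Radiator): it parses packet dumps in the layout of the quoted trace, flags each Access-Accept that lacks Service-Type or Framed-Protocol, and flags a user who sends an Access-Request with a new Identifier shortly after the previous one. The sample trace, the user name and the 15-second window are constructed assumptions.

```python
import re
from datetime import datetime
REQUIRED = ("Service-Type", "Framed-Protocol")  # the pair Hugh names in the thread
STAMP = re.compile(r"^(\w{3} \w{3} [ \d]\d [\d:]{8} \d{4}): DEBUG: Packet dump:")
ATTR = re.compile(r"^\s+([\w-]+) = (.*)$")

def parse_packets(trace):
    """Split a packet-dump trace into dicts with time, code, id and attrs."""
    packets, cur = [], None
    for line in trace.splitlines():
        line = re.sub(r"^> ?", "", line)  # tolerate mail quoting
        if (m := STAMP.match(line)):
            when = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            cur = {"time": when, "code": None, "id": None, "attrs": {}}
            packets.append(cur)
        elif cur and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur and line.startswith("Identifier:"):
            cur["id"] = int(line.split(":", 1)[1])
        elif cur and (a := ATTR.match(line)):
            cur["attrs"][a.group(1)] = a.group(2).strip('"')
    return packets

def audit(packets, window=15):
    """Return (Access-Accepts lacking REQUIRED attrs, users stuck re-authenticating)."""
    missing, loops, last = [], set(), {}
    for p in packets:
        if p["code"] == "Access-Accept":
            gaps = [a for a in REQUIRED if a not in p["attrs"]]
            missing += [(p["id"], gaps)] if gaps else []
        elif p["code"] == "Access-Request":
            user = p["attrs"].get("User-Name")
            when, ident = last.get(user, (None, None))
            # A new Identifier soon after the last request is a fresh attempt, not a retransmit.
            if when and ident != p["id"] and (p["time"] - when).total_seconds() <= window:
                loops.add(user)
            last[user] = (p["time"], p["id"])
    return missing, loops

def sample_trace(reply, seconds=(45, 52, 58)):
    """Constructed trace (not real traffic): one user, one attempt per timestamp."""
    out = []
    for n, sec in enumerate(seconds):
        for code, attrs in (("Access-Request", {"User-Name": '"user at dsl.example.com"'}),
                            ("Access-Accept", reply)):
            out.append(f"Mon Aug  4 14:43:{sec} 2003: DEBUG: Packet dump:")
            out += [f"Code:       {code}", f"Identifier: {48 + 2 * n}", "Attributes:"]
            out += [f"        {k} = {v}" for k, v in attrs.items()]
    return "\n".join(out)
```

Run `audit(parse_packets(text))` over a saved trace; mail-quoted (`> `) lines are accepted as they are.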