(RADIATOR) Unknown reply received in...

Hugh Irvine hugh at open.com.au
Mon Jul 28 21:22:14 CDT 2003


Hello Simon -

This problem is in fact caused by your use of "Fork".

You should use neither "Fork" nor "Synchronous" in an AuthBy  
[SQL]RADIUS clause, as it operates asynchronously and maintains a table  
of outstanding requests for which it is awaiting a response. When you  
use "Fork" the new child instance of radiusd will send the proxy  
request, however the reply will come back to the parent process, which  
is why you are seeing the "Unknown reply ..." messages.

The "FailureBackoffTime" parameter really only applies to the SQL  
database, because the RADIUS Host objects are created dynamically out  
of the database for each request that is proxied.

regards

Hugh


On Tuesday, Jul 29, 2003, at 10:43 Australia/Melbourne,  
simon at 1earth.net wrote:

>
>
> Hi Guys,
>
> I have a problem in that I keep getting the following error from the
> current config that I am running.
> WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1645
> WARNING: Unknown reply received in AuthRADIUS for request 1 from yy.yy.yy.yy:1645
> WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1645
> WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1646
>
> I am trying to look in one database for a user, and if they exist then
> proxy the request to another radius server based on the realm.
>
> This config works fine if I just use it with only one user (me) using
> it.  When a lot of different users use it though, I find that radiator
> starts to ignore a lot of the reply packets from the downstream radius
> servers.
> It looks like radiator sends out the packet but then receives a reply
> from one of the other servers, so it ignores the correct reply, as
> though it cannot tell the difference between the various replies it has
> received.
>
> Some of the realms use the same proxy as each other, but other realms
> that have one unique server to themselves still get unknown replies.
>
> I think the problem may be stemming from my use of the 'Synchronous'
> flag but from what I have checked in the documentation I believe it is
> right.
>
> For what it is worth I have included a trace at the end, which shows
>
> request received->
> request checked at first db->
> proxied to other server->
> reply received.
>
> But then I get the unknown reply error.
>
> On another note there is a bit of ambiguity with the use of the
> FailureBackoffTime in <authby SQLRADIUS>: does it relate to the sql
> server backoff time or the radius proxy backoff time?
>
> My Config...
> Basically this is the handler that is hit for almost all the realms...
>
>
>     <Handler Realm = /*.net/>
>
>         Identifier RADallusers
>
>
>         AuthBy RADUser
>
>         AuthBy RADUserLog
>
>         AcctLogFileName /var/log/radacct/details/%R.detail
>
>     </Handler>
>
>
>
> which then gets passed to this auth module...
>
>
>     <authBy GROUP>
>         Identifier RADUser
>         AuthByPolicy ContinueUntilReject
>         Fork
>
>         <authBy SQL>
>                 Identifier RADUserCheck
>
>                 DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
>                 DBUsername      %{GlobalVar:DBUSER}
>                 DBAuth  %{GlobalVar:DBPASS}
>                 FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
>
>                 IgnoreAccounting
>                 NoDefault
>
>                 AuthSelect select username, extra from users where username=%0
>                 AuthColumnDef 0, User-Name, check
>                 AuthColumnDef 1, GENERIC, reply
>         </AuthBy>
>
>         <authBy SQLRADIUS>
>                 Identifier      RADProxy
>
>                 Synchronous
>                 # I have tried every combo of these to no avail.
>                 #UseExtendedIds
>                 #IgnoreReplySignature
>                 #ServerHasBrokenAddresses
>
>                 Retries 2
>                 RetryTimeout 15
>
>                 DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
>                 DBUsername      %{GlobalVar:DBUSER}
>                 DBAuth  %{GlobalVar:DBPASS}
>                 FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
>
>                 HostSelect select R.host%0, R.secret, R.authport, \
>                 R.acctport, R.rewriteusername from radiusservers R \
>                  where R.dsl_domain='%R'
>
>                 NumHosts 2
>                 HostColumnDef 0, Host
>                 HostColumnDef 1, Secret
>                 HostColumnDef 2, AuthPort
>                 HostColumnDef 3, AcctPort
>                 HostColumnDef 4, RewriteUsername
>         </AuthBy>
>     </AuthBy>
>
>
> And then this bit...(but no problems here.)
>
>
>     <authBy SQL>
>         Identifier RADUserLog
>
>         DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
>         DBUsername      %{GlobalVar:DBUSER}
>         DBAuth  %{GlobalVar:DBPASS}
>         FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
>
>         AcctFailedLogFileName %Y%m/%R.detail
>         AccountingTable detail_%Y%m
>
>         IgnoreAuthentication
>
>         AcctColumnDef   loggin stuff...
>     </AuthBy>
>
>
> I do have other Handlers in the file that are just straight out
> <authBy RADIUS>.
>
>
>
> Thanks for any help,
> Simon Woodward
> One Earth Internet
>
>
>
> Mon Jul 28 18:45:03 2003: DEBUG: Timed out, retransmitting
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Sending to 203.26.199.6 port 1646 ....
> Code:       Accounting-Request
> Identifier: 2
> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
>         Acct-Session-Id = "0006A8F5"
>         Tunnel-Server-Endpoint = 203.194.30.234
>         Tunnel-Client-Endpoint = 172.31.148.87
>         Tunnel-Assignment-ID = 1
>         Tunnel-Type = 0:L2TP
>         Tunnel-ID = 1956114
>         Tunnel-Client-Auth-ID = n2563728k-vez2
>         Tunnel-Server-Auth-ID = LNS02-DRYB-MEL
>         Framed-Protocol = PPP
>         Framed-IP-Address = 220.240.71.96
>         Ascend-Connect-Progress = 60
>         Ascend-PreSession-Time = 2
>         Ascend-Xmit-Rate = 512
>         Ascend-Data-Rate = 512
>         Acct-Session-Time = 13962
>         Acct-Input-Octets = 43904
>         Acct-Output-Octets = 48593
>         Ascend-Pre-Input-Octets = 0
>         Ascend-Pre-Output-Octets = 98
>         Acct-Input-Packets = 2820
>         Acct-Output-Packets = 2827
>         Ascend-Pre-Input-Packets = 0
>         Ascend-Pre-Output-Packets = 6
>         Acct-Authentic = RADIUS
>         Acct-Status-Type = Alive
>         NAS-Port = 1310
>         Calling-Station-Id = "atm 9"
>         Called-Station-Id = "3:2.184#184569834##speed:UBR:512#pppoe
> 00:09:f3:00:ab:3b#/"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.220.79.62
>         Ascend-Session-Svr-Key = "91DA2645"
>         Event-Timestamp = 1059381899
>         NAS-Identifier = "LNS02-DRYB-MEL.comindico.com.au"
>         Acct-Delay-Time = 5
>         User-Name = "c at dr.net"
>         NAS-Port-Type = ADSL-DMT
>         Timestamp = 1059381898
>
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Received from 203.194.28.132 port 1813 ....
> Code:       Accounting-Request
> Identifier: 147
> Authentic:  <248><147>Ud]<0><254><227>LI<182><9>J<173><128>8
> Attributes:
>         Acct-Session-Id = "000DB306"
>         Tunnel-Server-Endpoint = 203.194.30.234
>         Tunnel-Client-Endpoint = 172.31.147.87
>         Tunnel-Assignment-ID = 1
>         Tunnel-Type = 0:L2TP
>         Tunnel-ID = 1048028
>         Tunnel-Client-Auth-ID = n2563728k-nky2
>         Tunnel-Server-Auth-ID = LNS02-KENT-SYD
>         Framed-Protocol = PPP
>         Framed-IP-Address = 220.240.4.159
>         Ascend-Connect-Progress = 60
>         Ascend-PreSession-Time = 2
>         Ascend-Xmit-Rate = 512
>         Ascend-Data-Rate = 512
>         Acct-Session-Time = 566934
>         Acct-Input-Octets = 64704547
>         Acct-Output-Octets = 103235506
>         Ascend-Pre-Input-Octets = 0
>         Ascend-Pre-Output-Octets = 101
>         Acct-Input-Packets = 260287
>         Acct-Output-Packets = 274132
>         Ascend-Pre-Input-Packets = 0
>         Ascend-Pre-Output-Packets = 5
>         Acct-Authentic = RADIUS
>         Acct-Status-Type = Alive
>         NAS-Port = 1642
>         Calling-Station-Id = "atm 10"
>         Called-Station-Id = "0:2.299#184550311##speed:UBR:512#pppoe
> 00:50:ba:99:e8:b4#/"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.194.30.241
>         Ascend-Session-Svr-Key = "189124C2"
>         Event-Timestamp = 1059381904
>         NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
>         Acct-Delay-Time = 0
>         User-Name = "b at 1earth.net"
>         NAS-Port-Type = ADSL-DMT
>         Proxy-State =
>
> BSP2ims01-syd/ 
> 6A8327DD60A0ED5525616BCEE8C7A478A18777C27B90B583A712D0B6F52951109EA394B 
> B7B90B0436CD0CCE8A1805778425391
>
> CD9798AD449F71BA7887426403FCCCE02019FFDF76E723B778875D3F54E7CCE02056F4C 
> 228897CB76D
>
> Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to b at 1earth.net
> Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to b at 1earth.net
> Mon Jul 28 18:45:03 2003: DEBUG: Handling request with Handler 'Realm  
> = 1earth.net'
> Mon Jul 28 18:45:03 2003: DEBUG:  Adding session for b at 1earth.net,
> 203.194.30.241, 1642
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthGROUP
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthRADIUS
> Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select R.host1, R.secret,
> R.authport, R.acctport, R.rewriteusername,
>
> R.extras from radius R where R.domain='1earth.net'':
>
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 28 18:45:03 2003: DEBUG: Handling accounting with  
> Radius::AuthSQL
>
> Mon Jul 28 18:45:03 2003: DEBUG: Accounting accepted
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Sending to 203.194.28.132 port 1813 ....
> Code:       Accounting-Response
> Identifier: 147
> Authentic:  <248><147>Ud]<0><254><227>LI<182><9>J<173><128>8
> Attributes:
>         Proxy-State =
>
> BSP2ims01-syd/ 
> 6A8327DD60A0ED5525616BCEE8C7A478A18777C27B90B583A712D0B6F52951109EA394B 
> B7B90B0436CD0CCE8A1805778425391
>
> CD9798AD449F71BA7887426403FCCCE02019FFDF76E723B778875D3F54E7CCE02056F4C 
> 228897CB76D
>
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Sending to 203.132.224.18 port 1646 ....
> Code:       Accounting-Request
> Identifier: 7
> Authentic:  <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
>         Acct-Session-Id = "000DB306"
>         Tunnel-Server-Endpoint = 203.194.30.234
>         Tunnel-Client-Endpoint = 172.31.147.87
>         Tunnel-Assignment-ID = 1
>         Tunnel-Type = 0:L2TP
>         Tunnel-ID = 1048028
>         Tunnel-Client-Auth-ID = n2563728k-nky2
>         Tunnel-Server-Auth-ID = LNS02-KENT-SYD
>         Framed-Protocol = PPP
>         Framed-IP-Address = 220.240.4.159
>         Ascend-Connect-Progress = 60
>         Ascend-PreSession-Time = 2
>         Ascend-Xmit-Rate = 512
>         Ascend-Data-Rate = 512
>         Acct-Session-Time = 566934
>         Acct-Input-Octets = 64704547
>         Acct-Output-Octets = 103235506
>         Ascend-Pre-Input-Octets = 0
>         Ascend-Pre-Output-Octets = 101
>         Acct-Input-Packets = 260287
>         Acct-Output-Packets = 274132
>         Ascend-Pre-Input-Packets = 0
>         Ascend-Pre-Output-Packets = 5
>         Acct-Authentic = RADIUS
>         Acct-Status-Type = Alive
>         NAS-Port = 1642
>         Calling-Station-Id = "atm 10"
>         Called-Station-Id = "0:2.299#184550311##speed:UBR:512#pppoe
> 00:50:ba:99:e8:b4#/"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.194.30.241
>         Ascend-Session-Svr-Key = "189124C2"
>         Event-Timestamp = 1059381904
>         NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
>         Acct-Delay-Time = 0
>         User-Name = "b at 1earth.net"
>         NAS-Port-Type = ADSL-DMT
>         Timestamp = 1059381903
>
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Received from 203.132.224.18 port 1646 ....
> Code:       Accounting-Response
> Identifier: 7
> Authentic:  <222><133><178><141><175><174><220>b<234><19><1><129><28><183><196><180>
> Attributes:
>
> Mon Jul 28 18:45:03 2003: WARNING: Unknown reply received in AuthRADIUS for request 7 from 203.132.224.18:1646
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Received from 203.194.28.131 port 1812 ....
> Code:       Access-Request
> Identifier: 149
> Authentic:  <245>H<13><241><167>yD<19>Zz<177><139>j<14><187>?
> Attributes:
>         Framed-Protocol = PPP
>         NAS-Port = 2195
>         Calling-Station-Id = "atm 10"
>         Called-Station-Id = "0:2.219#184550111##speed:UBR:256#/"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.194.30.241
>         NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
>         User-Password = "<142><7><209>0K$<146><168>~<249>!<17>c<179>6y"
>         User-Name = "simo at 1earth.net"
>         NAS-Port-Type = ADSL-DMT
>         Proxy-State =
>
> BSP2ims01-syd/ 
> F5480DF1A77944135A7AB18B6A0EBB3FC0461D8175533E662DEE5203BCF5406FFF62FEF 
> 875533BA6E62C4E5DE85C48FE009D00
>
> EE995B23A1158D38CDCE9E7B858C0B927E1B130BC44C9C24C4928C27898D4F9B62197D5 
> 4C459
>
> Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to simo at 1earth.net
> Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to simo at 1earth.net
> Mon Jul 28 18:45:03 2003: DEBUG: Handling request with Handler  
> 'User-Name =
> simo at 1earth.net'
> Mon Jul 28 18:45:03 2003: DEBUG:  Deleting session for simo at 1earth.net,
> 203.194.30.241, 2195
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthGROUP
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL:  
> DSLUserCheck
> Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select username, extra  
> from users
> where username='simo at 1earth.net'':
>
> Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL looks for match with
> simo at 1earth.net
> Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select username, extra  
> from users
> where username='DEFAULT'':
>
> Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL looks for match with  
> DEFAULT
> Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthRADIUS
> Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select R.host1, R.secret,
> R.authport, R.acctport, R.rewriteusername,
>
> R.extras from radius R where R.domain='1earth.net'':
>
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Sending to 203.132.224.18 port 1645 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <245>H<13><241><167>yD<19>Zz<177><139>j<14><187>?
> Attributes:
>         Framed-Protocol = PPP
>         NAS-Port = 2195
>         Calling-Station-Id = "atm 10"
>         Called-Station-Id = "0:2.219#184550111##speed:UBR:256#/"
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.194.30.241
>         NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
>         User-Password =  
> "<166>UD<162><159>'<186><205>+Oz<149>L<246><253>-"
>         User-Name = "simo at 1earth.net"
>         NAS-Port-Type = ADSL-DMT
>
> Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
> *** Received from 203.132.224.18 port 1645 ....
> Code:       Access-Accept
> Identifier: 2
> Authentic:  v<241><242>y<182><254><4><154>bz<245><127><19><238><133>*
> Attributes:
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         Framed-Compression = Van-Jacobson-TCP-IP
>
> Mon Jul 28 18:45:03 2003: WARNING: Unknown reply received in AuthRADIUS for request 2 from 203.132.224.18:1645
>
>
>
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
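
The failure mode described in the reply above, as an added example that is not part of the original message and is not Radiator's code: a proxy keeps a table of outstanding requests in process memory, and a forked child records the request in its own copy of that table while the reply is read by the parent. The function name `proxy_once`, the Unix datagram socketpair standing in for the UDP path, and the table keyed by identifier only are assumptions made for the demonstration.

```python
import os
import socket

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5  # RADIUS packet codes (RFC 2866)


def proxy_once(use_fork, ident=7):
    """Proxy one request upstream; return what the parent logs for the reply."""
    # Constructed stand-in for the UDP path between proxy and downstream server.
    proxy_sock, upstream_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    outstanding = {}  # identifier -> original request awaiting a reply

    def send_proxy_request():
        # The entry is written into the memory of whichever process runs this.
        outstanding[ident] = "request from NAS"
        proxy_sock.send(bytes([ACCOUNTING_REQUEST, ident]))

    try:
        if use_fork:
            pid = os.fork()
            if pid == 0:            # child: records the request, sends it, exits
                send_proxy_request()
                os._exit(0)
            os.waitpid(pid, 0)      # parent: its own table was never updated
        else:
            send_proxy_request()

        # The downstream server answers with the identifier it was sent.
        _, req_id = upstream_sock.recv(64)[:2]
        upstream_sock.send(bytes([ACCOUNTING_RESPONSE, req_id]))

        # The reply arrives on the socket that the parent's event loop reads.
        _, reply_id = proxy_sock.recv(64)[:2]
        if outstanding.pop(reply_id, None) is not None:
            return f"reply {reply_id} matched outstanding request"
        return f"WARNING: Unknown reply received in AuthRADIUS for request {reply_id}"
    finally:
        proxy_sock.close()
        upstream_sock.close()


if __name__ == "__main__":
    print("without Fork:", proxy_once(use_fork=False))
    print("with Fork:   ", proxy_once(use_fork=True))
```
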
