(RADIATOR) Access-Request packet length limit for Radiator

ilkera at koc.net ilkera at koc.net
Tue Jun 24 07:07:15 CDT 2003


 

	Dear Sirs,
	
	We are using Radiator as a RADIUS proxy server between our Cisco 5300 access servers and a CiscoSecure CSU (2.3.6.1) AAA server to authenticate users for several network services, mainly PPP dialup connections.
	Our dialup users have per-user access-lists which are received by the access-server when a user establishes a ppp connection. This occurs during the authorization process right after authentication.
	These access-lists get larger over time. We had problems with some of our users who had longer access-lists. They were getting authenticated but could not reach anywhere on the network. When we examined the problem on our Cisco access-servers we saw that their access-list was not fully downloaded to the NAS.
	The last line is cut off at some point. When we remove the last line from the access-list, the problem disappears. The Access-Accept packet which is received from the proxy RADIUS server (which is Radiator) is exactly 8192 bytes in size.
	
	When we remove the Radiator server from operation and establish AAA connections directly between the access-server and CiscoSecure CSU, we receive the full access-list on the NAS, and the Access-Accept packet is larger than 8192 bytes.
	This shows that the CiscoSecure CSU server and the Cisco NAS do not limit the access-list size (or the authorization packet).
	
	Is there such a limit on the Radiator server?
	
	When we increase the log level of the RADIUS server and check the logfile, we see that Radiator says the received packet is 8192 bytes long. This is a part of the log file:
	
	Tue Jun 24 14:20:02 2003: DEBUG: Packet dump:
	*** Received from 193.243.216.8 port 1645 ....
	
	Packet length = 75
	01 4f 00 4b 5b 79 33 9e f5 d8 6a 8e 76 7a 83 d3
	2a 11 58 0b 04 06 c1 f3 d8 08 3d 06 00 00 00 00
	01 19 74 65 73 74 73 65 72 74 61 6e 40 6d 61 69
	6c 2e 6b 6f 63 2e 6e 65 74 02 12 91 43 78 1d 3d
	6b f9 ef 2a 4d d6 21 fc a2 f2 ab
	Code:       Access-Request
	Identifier: 79
	Authentic:  [y3<158><245><216>j<142>vz<131><211>*<17>X<11>
	Attributes:
	        NAS-IP-Address = 193.243.216.8
	        NAS-Port-Type = Async
	        User-Name = "testsertan at mail.koc.net"
	        User-Password = "<145>Cx<29>=k<249><239>*M<214>!<252><162><242><171>"
	
	Tue Jun 24 14:20:02 2003: DEBUG: Handling request with Handler ''
	Tue Jun 24 14:20:02 2003: DEBUG:  Deleting session for testsertan at mail.koc.net, 193.243.216.8,
	Tue Jun 24 14:20:02 2003: DEBUG: Handling with Radius::AuthRADIUS
	Tue Jun 24 14:20:02 2003: DEBUG: Packet dump:
	*** Sending to 195.87.1.231 port 1645 ....
	
	Packet length = 75
	01 53 00 4b 5b 79 33 9e f5 d8 6a 8e 76 7a 83 d3
	2a 11 58 0b 04 06 c1 f3 d8 08 3d 06 00 00 00 00
	01 19 74 65 73 74 73 65 72 74 61 6e 40 6d 61 69
	6c 2e 6b 6f 63 2e 6e 65 74 02 12 91 43 78 1d 3d
	6b f9 ef 2a 4d d6 21 fc a2 f2 ab
	Code:       Access-Request
	Identifier: 83
	Authentic:  [y3<158><245><216>j<142>vz<131><211>*<17>X<11>
	Attributes:
	        NAS-IP-Address = 193.243.216.8
	        NAS-Port-Type = Async
	        User-Name = "testsertan at mail.koc.net"
	        User-Password = "<145>Cx<29>=k<249><239>*M<214>!<252><162><242><171>"
	
	Tue Jun 24 14:20:02 2003: DEBUG: Packet dump:
	*** Received from 195.87.1.231 port 1645 ....
	
	Packet length = 8192
	
	
	Best Regards,
	ilker Aktuna
	Koc.net Network Services
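
An added example, not part of the original post and not Radiator code: a Python check that compares a RADIUS packet's declared Length field with the bytes actually received and finds the first attribute that no longer fits, run on the Access-Request dump from the post and on a constructed reply cut at 8192 bytes. The 8192-byte receive size (inferred from the log line above), the filler attributes and the function names are assumptions for illustration.

```python
import struct

RFC2865_MAX = 4096  # largest packet length RFC 2865 allows
RECV_BUF = 8192     # assumption: proxy read size, inferred from the log above

# Access-Request bytes copied from the packet dump in the post (75 bytes).
REQUEST = bytes.fromhex("""
    01 4f 00 4b 5b 79 33 9e f5 d8 6a 8e 76 7a 83 d3
    2a 11 58 0b 04 06 c1 f3 d8 08 3d 06 00 00 00 00
    01 19 74 65 73 74 73 65 72 74 61 6e 40 6d 61 69
    6c 2e 6b 6f 63 2e 6e 65 74 02 12 91 43 78 1d 3d
    6b f9 ef 2a 4d d6 21 fc a2 f2 ab""")

def constructed_truncated_accept():
    """Constructed sample: an 8320-byte Access-Accept cut to RECV_BUF bytes."""
    attr = bytes([26, 100]) + b"A" * 98  # type 26, 100 bytes, filler value
    full = struct.pack("!BBH", 2, 83, 20 + 83 * len(attr)) + bytes(16) + attr * 83
    return full[:RECV_BUF]

def inspect(datagram, recv_buf=RECV_BUF):
    """Compare the header Length field with what was actually received."""
    if len(datagram) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, declared = struct.unpack("!BBH", datagram[:4])
    end = min(declared, len(datagram))  # bytes past Length are padding
    off, complete, broken_at = 20, 0, None
    while off < end:
        # Attribute layout: Type(1) Length(1) Value; Length covers all three.
        if off + 2 > end or datagram[off + 1] < 2 or off + datagram[off + 1] > end:
            broken_at = off  # malformed, or runs past the received data
            break
        complete += 1
        off += datagram[off + 1]
    return {
        "code": code, "identifier": ident,
        "declared": declared, "received": len(datagram),
        "truncated": declared > len(datagram),
        "over_rfc_max": declared > RFC2865_MAX,
        "filled_buffer": len(datagram) == recv_buf,
        "complete_attrs": complete, "broken_attr_offset": broken_at,
    }

if __name__ == "__main__":
    for name, pkt in (("request", REQUEST), ("reply", constructed_truncated_accept())):
        print(name, inspect(pkt))
```

A reply whose declared length exceeds the received length and whose received length equals the read size points at the receiver's buffer, not at the sender.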
 