(RADIATOR) Radiator freezing intermittently
Brian Fisk
bfisk at lazerlink.com
Fri Jun 27 08:12:56 CDT 2003
Well, after fooling around with it, I found that the problem was not an IP
issue, but with accounting. The message I was getting from my RAS was AUTH:
client/server failure which I found usually meant a secret mismatch. I
turned on monitoring for auth and accounting on the RAS, and I saw I was
getting the error message in my RAS syslog every time it sent an accounting
request. I turned off Accounting on my RAS and the problem went away and
users could authenticate. So I redid my accounting statements in my
radius.cfg to be a bit more simple and only log what I need. I also
cleared the mysql accounting table which had around 20k entries in it. It
is a slower machine and maybe from what Matt said, it could have been too
much. But it seems to be holding steady.
Brian
----- Original Message -----
From: "Hugh Irvine" <hugh at open.com.au>
To: "Brian Fisk" <bfisk at lazerlink.com>
Cc: <radiator at open.com.au>
Sent: Thursday, June 26, 2003 8:07 PM
Subject: Re: (RADIATOR) Radiator freezing intermitantly
>
> Hello Brian -
>
> If the machine running Radiator only has a single interface and a
> single IP address, then the only reason that the NAS will not receive a
> reply and send a retransmission must be due to packets being dropped on
> the return path, either because of filters or firewalls or
> misconfigured interfaces.
>
> By definition, if Radiator is receiving the request, processing it and
> sending back a reply, then Radiator is operating correctly.
>
> As mentioned in my previous mail, this sort of problem usually requires
> debugging with a packet sniffer to ascertain exactly what is going on.
>
> regards
>
> Hugh
>
>
> On Thursday, Jun 26, 2003, at 23:27 Australia/Melbourne, Brian Fisk
> wrote:
>
> > Update:
> >
> > We are running into the same problem on a machine where we are using the
> > primary IP address of the system for radiator. A user will dial in and our
> > equipment will run the radius request, at which I can see radius
> > authenticating the user in authlog, but the dialup equip isn't getting it
> > cause it tries 5 times to auth (the set value) and tells users their
> > username and password is invalid. We are using 3com (now utstarcom)
> > hiperarc running TCS 4.2 and the newest version of radiator. Attached is
> > my conf file. I have radius stable on a system now, but when I tried to
> > move it to this new system it worked. The problem is intermittent.
> >
> >
> > # radius.cfg -JJGracia - Jan2003
> > #
> > #Foreground
> > #LogStdout
> >
> > # Use a low trace level in production systems. Increase
> > # it to 4 or 5 for debugging, or use the -trace flag to radiusd
> >
> >
> > PidFile /var/run/radiusd.pid
> > AuthPort 1645
> > AcctPort 1646
> > #BindAddress 199.234.153.42,199.234.153.3
> > #NasType TotalControlSNMP
> > #trace 3
> >
> > DbDir /etc/radiator
> > DictionaryFile %D/dictionary.usr
> >
> > LogDir /var/log/radius
> > #LogFile %L/%Y%m.log
> > #Trace 3
> >
> > <Log FILE>
> > Filename %L/%Y%m.log
> > Trace 3
> > #LogFormat %0:%1:%2
> > LogMicroseconds
> > </Log>
> >
> > <AuthLog FILE>
> > Identifier myauthlogger
> > Filename %L/authlog
> > LogSuccess 1
> > LogFailure 1
> > SuccessFormat %l:%U:%P:OK
> > FailureFormat %l:%U:%P:FAIL
> > </AuthLog>
> >
> > <StatsLog FILE>
> > Identifier mystatslogger
> > Filename %L/statslog
> > # Format %0:%1:%2:%23
> > </StatsLog>
> >
> > <Client localhost>
> > Secret tempest
> > DupInterval 0
> > </Client>
> >
> > <Client DEFAULT>
> > Secret tempest
> > DupInterval 0
> > # NasType TotalControl
> > SNMPCommunity private
> > </Client>
> >
> > <SessionDatabase SQL>
> > DBSource dbi:mysql:radius:localhost
> > DBUsername blue
> > DBAuth green
> > </SessionDatabase>
> >
> > <ClientListSQL>
> > DBSource dbi:mysql:radius
> > DBUsername blue
> > DBAuth green
> > </ClientListSQL>
> >
> > <Realm DEFAULT>
> >
> >
> > RewriteUsername s/^([^@]+).*/$1/
> > RewriteUsername tr/[A-Z]/[a-z]/
> > RewriteUsername s/\s+//g
> > # RewriteUsername tr/A-Za-z0-9_@//cd
> > # AcctLogFileName %L/detail
> > # WtmpFileName %L/wtmp
> >
> > <AuthBy SQL>
> >
> > DBSource dbi:mysql:radius:localhost
> > DBUsername blue
> > DBAuth green
> >
> > AuthSelect select PASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='%n'
> >
> > AccountingTable ACCOUNTING
> > AcctColumnDef USERNAME,User-Name
> > AcctColumnDef TIME_STAMP,Timestamp,integer
> > AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
> > AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
> > AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
> > AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
> > AcctColumnDef ACCTSESSIONID,Acct-Session-Id
> > AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
> > AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
> > AcctColumnDef NASIDENTIFIER,NAS-IP-Address
> > AcctColumnDef NASIPADDRESS,NAS-Identifier
> > AcctColumnDef NASPORT,NAS-Port,integer
> > AcctColumnDef ACCTFRAMEDIP,Framed-IP-Address
> > AcctColumnDef ACCTFRAMEDNETMASK,Framed-Netmask
> > AcctColumnDef ACCTCALLERID,Calling-Station-Id
> > AcctColumnDef ACCTCALLEDID,Called-Station-Id
> > AcctColumnDef MODEMTRAININGTIME,Modem-Training-Time,integer
> > AcctColumnDef CHASISCALLSLOT,Chassis-Call-Slot,integer
> > AcctColumnDef CHASISCALLSPAN,Chassis-Call-Span,integer
> > AcctColumnDef CHASISCALLCHAN,Chassis-Call-Channel,integer
> > AcctColumnDef MODULATIONTYPE,Modulation-Type
> > AcctColumnDef ERRORCNTL,Error-Control
> > AcctColumnDef COMPRESSTYPE,Compression-Type
> > AcctColumnDef INTICONNECTRATE,Initial-Connect-Rate
> > AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
> > AcctColumnDef SPEEDOFCONNECT,Speed-Of-Connection
> > # AcctFailedLogFileName %D/missedaccounting
> > </AuthBy>
> > AuthLog myauthlogger
> > #StatsLog mystatslogger
> > </Realm>
> >
> >
> >
> >
> >
> >
> > ----- Original Message -----
> > From: "Hugh Irvine" <hugh at open.com.au>
> > To: "Brian Fisk" <bfisk at lazerlink.com>
> > Cc: <radiator at open.com.au>
> > Sent: Friday, June 20, 2003 7:41 PM
> > Subject: Re: (RADIATOR) Radiator freezing intermitantly
> >
> >
> >>
> >> Hello Brian -
> >>
> >> On machines with multiple interfaces, this is usually due to the radius
> >> response being sent back to the client from a different IP address to
> >> that from which the request was received (ie the response was sent via
> >> a different interface).
> >>
> >> Using a sniffer to check the packet flow is usually very helpful
> >> (snoop, tcpdump, ethereal, ...).
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On Friday, Jun 20, 2003, at 23:12 Australia/Melbourne, Brian Fisk
> >> wrote:
> >>
> >>> We had more troubles yesterday and the problem that is happening is when we
> >>> have radiator set up to bind on a secondary IP of the machine. When I took
> >>> out the bind address statement, which should make radiator listen on all
> >>> IPs, it still wouldn't work. I had to set our dialup equipment to use the
> >>> base IP of the machine and then it started working. When a user tried to
> >>> dial up, they would authenticate, as I could see in my authlog, but the
> >>> dialup equipment kept authenticating them for around 3-4 times before it
> >>> hung up on them. The dialup equipment (total control) was giving me error
> >>> messages that according to the total control website, said that the secret
> >>> key was a mismatch. I think it's an IP issue with the machine but we will
> >>> find out more from testing on Monday.
> >>>
> >>> Brian Fisk
> >>>
> >>>
> >>>
> >>> ----- Original Message -----
> >>> From: "Hugh Irvine" <hugh at open.com.au>
> >>> To: "Brian Fisk" <bfisk at lazerlink.com>
> >>> Cc: <radiator at open.com.au>
> >>> Sent: Thursday, June 19, 2003 8:03 PM
> >>> Subject: Re: (RADIATOR) Radiator freezing intermitantly
> >>>
> >>>
> >>>>
> >>>> Hello Brian -
> >>>>
> >>>> I will need to see a copy of the configuration file (no secrets)
> >>>> together with a trace 4 debug from Radiator showing what is happening.
> >>>>
> >>>> There is also a FAQ item regarding Redhat 8 here:
> >>>>
> >>>> http://www.open.com.au/radiator/faq.html#127
> >>>>
> >>>> regards
> >>>>
> >>>> Hugh
> >>>>
> >>>>
> >>>> On Friday, Jun 20, 2003, at 02:20 Australia/Melbourne, Brian Fisk
> >>>> wrote:
> >>>>
> >>>>> I have been running radiator on the same server for the last 3 years
> >>>>> and it worked perfectly. I am now setting up radiator 3.6 on another
> >>>>> server using the old config file which was version 2.18.1
> >>>>>
> >>>>> I am noticing that radiator will just freeze up for a period of 5
> >>>>> minutes or so. Are there any incompatibilities between the versions
> >>>>> for the config file, or can someone suggest a way of logging to
> >>>>> diagnose the problem?
> >>>>>
> >>>>> I am running Redhat 8.0 (Linux server1 2.4.18-24.8.0smp #1 SMP Fri
> >>>>> Jan 31 06:03:47 EST 2003 i686 i686 i386 GNU/Linux)
> >>>>>
> >>>>>
> >>>>> ===
> >>>>> Archive at http://www.open.com.au/archives/radiator/
> >>>>> Announcements on radiator-announce at open.com.au
> >>>>> To unsubscribe, email 'majordomo at open.com.au' with
> >>>>> 'unsubscribe radiator' in the body of the message.
> >>>>>
> >>>>>
> >>>>
> >>>> NB: have you included a copy of your configuration file (no secrets),
> >>>> together with a trace 4 debug showing what is happening?
> >>>>
> >>>> --
> >>>> Radiator: the most portable, flexible and configurable RADIUS server
> >>>> anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
> >>>> -
> >>>> Nets: internetwork inventory and management - graphical, extensible,
> >>>> flexible with hardware, software, platform and database independence.
> >>>>
> >>>>
> >>>
> >>>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
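
The secret-mismatch check discussed at the top of this thread, as an added example that is not part of the original posts or of Radiator's code: it recomputes the RADIUS authenticators (RFC 2866 Accounting-Request, RFC 2865/2866 response) for packets taken from a sniffer trace, so a mismatch can be confirmed on either side. The secrets and packet bytes below are constructed samples, and all function names are hypothetical.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5

def _digest(code, ident, length, auth_field, attrs, secret):
    header = struct.pack("!BBH", code, ident, length)
    return hashlib.md5(header + auth_field + attrs + secret).digest()

def parse(packet):
    """Split a RADIUS packet into (code, id, authenticator, attributes)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("bad Length field")
    return code, ident, packet[4:20], packet[20:length]

def check_acct_request(packet, secret):
    """RFC 2866: MD5(Code+ID+Length+16 zero octets+Attributes+Secret)."""
    code, ident, auth, attrs = parse(packet)
    if code != ACCOUNTING_REQUEST:
        raise ValueError("not an Accounting-Request")
    expected = _digest(code, ident, 20 + len(attrs), bytes(16), attrs, secret)
    return hmac.compare_digest(auth, expected)

def check_response(response, request, secret):
    """Response: MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    code, ident, auth, attrs = parse(response)
    _, req_ident, req_auth, _ = parse(request)
    expected = _digest(code, ident, 20 + len(attrs), req_auth, attrs, secret)
    return ident == req_ident and hmac.compare_digest(auth, expected)

def build(code, ident, auth_field, attrs, secret):
    """Construct a packet for the demo (sample data, not a capture)."""
    length = 20 + len(attrs)
    auth = _digest(code, ident, length, auth_field, attrs, secret)
    return struct.pack("!BBH", code, ident, length) + auth + attrs

# Constructed sample: Acct-Status-Type = Start (type 40, length 6, value 1)
ATTRS = bytes([40, 6, 0, 0, 0, 1])
REQUEST = build(ACCOUNTING_REQUEST, 7, bytes(16), ATTRS, b"nas-secret")
RESPONSE = build(ACCOUNTING_RESPONSE, 7, REQUEST[4:20], b"", b"nas-secret")

if __name__ == "__main__":
    for secret in (b"nas-secret", b"server-secret"):
        print(secret, check_acct_request(REQUEST, secret), check_response(RESPONSE, REQUEST, secret))
```

Unlike an Access-Request, an Accounting-Request carries an authenticator derived from the shared secret, so both the request and the reply can be checked against a candidate secret.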