(RADIATOR) ascend max authentication problems
Bogdan TARU
bgd at icomag.de
Thu Nov 20 05:47:59 CST 2003
Hi everyone,
I just installed a Max 6000 as an RAS, with authentication and
accounting to a radiator server. But the authentication isn't
successful, even though I can see the radiator server sending the
'Access-Accept' packets to the Ascend box.
Here is the log file:
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    User-Name = "bgd"
    CHAP-Password = <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 10204
    NAS-Port-Type = Sync
    Service-Type = Framed-User
    Framed-Protocol = PPP
    State = ""
    Called-Station-Id = "90407500"
    Acct-Session-Id = "436366998"
    Ascend-Data-Rate = 64000
    Ascend-Xmit-Rate = 64000
Thu Nov 20 12:31:03 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 20 12:31:03 2003: DEBUG: Rewrote user name to bgd
Thu Nov 20 12:31:03 2003: DEBUG: SessionsDSX Deleting session for bgd, 192.168.0.3, 10204
Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'delete from online where NASID='192.168.0.3' and NASPort='010204'':
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select users.attribute from users left join users AS tmp on tmp.User='bgd' where (tmp.User IS NULL AND users.User='Default')':
Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL looks for match with bgd
Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL ACCEPT:
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthDYNADDRESS
Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select Time, IPAddr from pools where Pool='192.168.0.3' and State=0 order by Time limit 1':
Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'update pools set State=1,Time=1069327863,Expiry=1069331463,User='bgd',NASPort=010204 where IPAddr='10.1.1.5' and Time =0':
Thu Nov 20 12:31:03 2003: DEBUG: Access accepted for bgd
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.3 port 1025 ....
Code: Access-Accept
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 3600
    Framed-IP-Address = 10.1.1.5
Thu Nov 20 12:31:13 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    User-Name = "bgd"
    CHAP-Password = <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 10204
    NAS-Port-Type = Sync
    Service-Type = Framed-User
    Framed-Protocol = PPP
As you can see, the ascend receives the 'Access-Accept' packet, but
sends an 'Access-Request' immediately afterwards. Any idea what could
be wrong? Here is my radius configuration:
### Begin of global configuration
### Some easy parameters
#BackGround
LogDir .
DbDir .
Trace 4
AuthPort 1900
AcctPort 1901
#RewriteUsername s/\*/@/
### Fetch all allowed Dialinrouters from the DB
<ClientListSQL>
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***
    GetClientQuery select Name,Secret,NasType from clients
</ClientListSQL>
### IPCP Parameters are fetched from here
<AddressAllocator SQL>
    Identifier POOL
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***
    DefaultLeasePeriod 7200
    LeaseReclaimInterval 1800
    FindQuery select Time, IPAddr from pools \
        where Pool='%{NAS-IP-Address}' and State=0 order by Time limit 1
    AllocateQuery update pools set State=1,Time=%0,Expiry=%1,User=%2,NASPort=0%{NAS-Port} \
        where IPAddr='%3' and Time %4
    CheckPoolQuery select State from pools where IPAddr='%0'
    AddAddressQuery insert into pools (State,Time,Pool,IPAddr) \
        values (0, %t, '%0', '%1')
    # DeallocateQuery has this (IP=%0 or NASPort=0%{NAS-Port} because
    # when I send a session-timeout, the IP isn't returned in the Cisco reply,
    # so I don't know what to deallocate
    DeallocateQuery update pools set State=0,Time=%t,NASPort=0 where (IPAddr='%0' OR NASPort=0%{NAS-Port}) AND Pool='%{NAS-IP-Address}'
    ReclaimQuery update pools set State=0 where State!=0 and Expiry < %0
    ### This ensures a sync between database and the router-status
    ### of allocated IPs at startup of radiator
    <AddressPool 192.168.0.3>
        Range 10.1.1.2 10.1.1.129
    </AddressPool>
</AddressAllocator>
### End of global configuration
### Used for "who's online now" stats.. basically optional
<SessionDatabase SQL>
    Identifier SessionsDSX
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***
    AddQuery insert into online (User, NASID, NASPort, \
        AcctSessionID, Time, FramedIPAddress, NASPortType ) \
        values ('%U', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}',\
        %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}')
    DeleteQuery delete from online \
        where NASID='%N' and NASPort='0%2'
    ClearNasQuery delete from online where NASID='%N'
    CountQuery select NASID, NASPort, AcctSessionID from online \
        where User='%U'
</SessionDatabase>
##########################################################################
# Only one realm for now, the default one (everything goes in one table)
##########################################################################
<Realm DEFAULT>
    SessionDatabase SessionsDSX
    # AuthByPolicy ContinueWhileAccept # This is needed for multiple Auth-by statements being non-blocking
    AuthByPolicy ContinueUntilReject
    ### Kill off trailing '\'`s cause this would cause errors while writing into DB
    RewriteUsername s/(.*)\\+$/$1/
    ### Authenticate the user, and write accounting stats
    <AuthBy SQL>
        DBSource dbi:mysql:radius
        DBUsername radius
        DBAuth ***
        # AuthSelect select attribute from users where \
        # User='DEFAULT' order by id
        AuthSelect select users.attribute from users left join users AS tmp on \
            tmp.User='%{User-Name}' where (tmp.User IS NULL AND users.User='Default')
        AuthColumnDef 0, GENERIC, reply
        AccountingStopsOnly # we dont need starts, we are just calculating start time later on
        AcctSQLStatement insert into dialer \
            (AcctID, User, PhoneNr, \
            NASIPAddr, NASPortType, \
            AcctStartTime, AcctStopTime, AcctSessionTime, \
            AcctTerminateCause) \
            values \
            ( NULL, '%U', '%{Calling-Station-Id}', \
            '%{NAS-IP-Address}', '%{NAS-Port-Type}', \
            %t-%{Acct-Session-Time}, %t, '%{Acct-Session-Time}', \
            '%{Ascend-Disconnect-Cause}')
    </AuthBy>
    ### allocate an IP for the user, and set the maximum session time per country
    <AuthBy DYNADDRESS>
        Allocator POOL
        PoolHint %{NAS-IP-Address}
        MapAttribute yiaddr, Framed-IP-Address
    </AuthBy>
</Realm>
############################################################
Thanks,
bogdan
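
The pattern in the log above (a reply is sent, then the same request arrives again with an unchanged Identifier and Authentic value) is a retransmission: the NAS did not accept the reply, and RFC 2865 has a client silently discard an Access-Accept whose Response Authenticator does not verify. As an added example, not part of the original post and not Radiator code, this Python script flags that pattern in a Trace 4 log; the sample log is constructed by trimming the dumps above, and the names `DUMP` and `retransmits_after_reply` are illustrative.

```python
import re

# Constructed sample: the three packet dumps from the post, attributes trimmed.
AUTH = "<184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>"
SAMPLE_LOG = f"""\
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: {AUTH}
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.3 port 1025 ....
Code: Access-Accept
Identifier: 3
Authentic: {AUTH}
Thu Nov 20 12:31:13 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: {AUTH}
"""

# One dump header; the Authentic value may sit on the same line or the next one.
DUMP = re.compile(
    r"^(?P<ts>[^\n]+?): DEBUG: Packet dump:\n"
    r"\*\*\* (?P<dir>Received from|Sending to) (?P<ip>\S+) port (?P<port>\d+)[^\n]*\n"
    r"Code:\s*(?P<code>\S+)\s*Identifier:\s*(?P<id>\d+)\s*"
    r"Authentic:\s*(?P<auth>[^\n]*)", re.M)

def retransmits_after_reply(log):
    """Return (timestamp, nas_ip, identifier, reply_code) for each Access-Request
    that repeats a request the server had already answered."""
    answered = {}    # (ip, port, identifier) -> reply code already sent
    seen = set()     # (ip, port, identifier, authenticator) of requests received
    findings = []
    for m in DUMP.finditer(log):
        peer = (m["ip"], m["port"], m["id"])
        if m["dir"] == "Sending to":
            if m["code"] != "Access-Request":     # ignore proxied requests
                answered[peer] = m["code"]
        elif m["code"] == "Access-Request":
            key = peer + (m["auth"].strip(),)
            if key not in seen:                   # new request reusing the identifier
                seen.add(key)
                answered.pop(peer, None)
            elif peer in answered:                # same request again after our reply
                findings.append((m["ts"], m["ip"], int(m["id"]), answered[peer]))
    return findings
```

A finding means the reply left the server but was not accepted by the NAS, so the checks that follow are the shared secret configured on both sides and whether the reply reaches the NAS from the address and port it sent the request to.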