(RADIATOR) ascend max authentification problems
Hugh Irvine
hugh at open.com.au
Thu Nov 20 11:44:43 CST 2003
Hello Bogdan -
It looks to me like the Max has timed out and is retrying the request
10 seconds later.
I would suspect that there are filters or access lists blocking the
return path so the access accept that is sent from Radiator never gets
back to the Max.
regards
Hugh
On 20/11/2003, at 10:47 PM, Bogdan TARU wrote:
>
> Hi everyone,
>
> I just installed a Max 6000 as an RAS, with authentification and
> accounting to a radiator server. But the authentification isn't
> succesfull, even though I can see the radiator server sending the
> 'Accesss-Accept' packets to the Ascend box.
>
> Here is the log file:
>
> Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.3 port 1025 ....
> Code: Access-Request
> Identifier: 3
> Authentic:
> <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
> Attributes:
> User-Name = "bgd"
> CHAP-Password =
> <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
> NAS-IP-Address = 192.168.0.3
> NAS-Port = 10204
> NAS-Port-Type = Sync
> Service-Type = Framed-User
> Framed-Protocol = PPP
> State = ""
> Called-Station-Id = "90407500"
> Acct-Session-Id = "436366998"
> Ascend-Data-Rate = 64000
> Ascend-Xmit-Rate = 64000
>
> Thu Nov 20 12:31:03 2003: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Nov 20 12:31:03 2003: DEBUG: Rewrote user name to bgd
> Thu Nov 20 12:31:03 2003: DEBUG: SessionsDSX Deleting session for bgd,
> 192.168.0
> .3, 10204
> Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'delete from online
> where NASID='1
> 92.168.0.3' and NASPort='010204'':
>
> Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL
> Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL:
> Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select users.attribute
> from users le
> ft join users AS tmp on tmp.User='bgd' where (tmp.User IS NULL AND
> users.User='D
> efault')':
>
> Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL looks for match with
> bgd
> Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL ACCEPT:
> Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthDYNADDRESS
> Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select Time, IPAddr from
> pools where
> Pool='192.168.0.3' and State=0 order by Time limit 1':
>
> Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'update pools set
> State=1,Time=106
> 9327863,Expiry=1069331463,User='bgd',NASPort=010204 where
> IPAddr='10.1.1.5' and
> Time =0':
>
> Thu Nov 20 12:31:03 2003: DEBUG: Access accepted for bgd
> Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
> *** Sending to 192.168.0.3 port 1025 ....
> Code: Access-Accept
> Identifier: 3
> Authentic:
> <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Session-Timeout = 3600
> Framed-IP-Address = 10.1.1.5
>
> Thu Nov 20 12:31:13 2003: DEBUG: Packet dump:
> *** Received from 192.168.0.3 port 1025 ....
> Code: Access-Request
> Identifier: 3
> Authentic:
> <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
> Attributes:
> User-Name = "bgd"
> CHAP-Password =
> <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
> NAS-IP-Address = 192.168.0.3
> NAS-Port = 10204
> NAS-Port-Type = Sync
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
>
> As you can see, the ascend receives the 'Access-Accept' packet, but
> sends an 'Access-Request' immediately afterwards. Any idea what could
> be wrong? Here is my radius configuration:
>
>
>
>
>
> ### Begin of global configuration
>
> ### Some easy parameters
> #BackGround
> LogDir .
> DbDir .
> Trace 4
>
> AuthPort 1900
> AcctPort 1901
>
>
> #RewriteUsername s/\*/@/
>
> ### Fetch all allowed Dialinrouters from the DB
> <ClientListSQL>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth ***
>
> GetClientQuery select Name,Secret,NasType from clients
> </ClientListSQL>
>
> ### IPCP Parameters are fetched from here
> <AddressAllocator SQL>
> Identifier POOL
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth ***
>
> DefaultLeasePeriod 7200
> LeaseReclaimInterval 1800
>
> FindQuery select Time, IPAddr from pools \
> where Pool='%{NAS-IP-Address}' and State=0 order by Time
> limit 1
> AllocateQuery update pools set
> State=1,Time=%0,Expiry=%1,User=%2,NASPort=0%{NAS-Port} \
> where IPAddr='%3' and Time %4
> CheckPoolQuery select State from pools where IPAddr='%0'
> AddAddressQuery insert into pools (State,Time,Pool,IPAddr) \
> values (0, %t, '%0', '%1')
> # DeallocateQuery has this (IP=%0 or NASPort=0%{NAS-Port}
> because
> # when I send a session-timeout, the IP isn't returned in the
> Cisco reply,
> # so I don't know what to deallocate
> DeallocateQuery update pools set State=0,Time=%t,NASPort=0
> where (IPAddr='%0' OR NASPort=0%{NAS-Port}) AND
> Pool='%{NAS-IP-Address}'
> ReclaimQuery update pools set State=0 where State!=0 and
> Expiry < %0
>
> ### This ensures a sync between database and the router-status
> ### of allocated IPs at startup of radiator
> <AddressPool 192.168.0.3>
> Range 10.1.1.2 10.1.1.129
> </AddressPool>
> </AddressAllocator>
> ### End of global configuration
>
> ### Used for "who's online now" stats.. basically optional
> <SessionDatabase SQL>
> Identifier SessionsDSX
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth ***
>
> AddQuery insert into online (User, NASID, NASPort, \
> AcctSessionID, Time, FramedIPAddress, NASPortType ) \
> values ('%U', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}',\
> %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}')
> DeleteQuery delete from online \
> where NASID='%N' and NASPort='0%2'
> ClearNasQuery delete from online where NASID='%N'
> CountQuery select NASID, NASPort, AcctSessionID from online \
> where User='%U'
>
> ### This ensures a sync between database and the router-status
> ### of allocated IPs at startup of radiator
> <AddressPool 192.168.0.3>
> Range 10.1.1.2 10.1.1.129
> </AddressPool>
> </AddressAllocator>
> ### End of global configuration
>
> ### Used for "who's online now" stats.. basically optional
> <SessionDatabase SQL>
> Identifier SessionsDSX
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth ***
>
> AddQuery insert into online (User, NASID, NASPort, \
> AcctSessionID, Time, FramedIPAddress, NASPortType ) \
> values ('%U', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}',\
> %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}')
> DeleteQuery delete from online \
> where NASID='%N' and NASPort='0%2'
> ClearNasQuery delete from online where NASID='%N'
> CountQuery select NASID, NASPort, AcctSessionID from online \
> where User='%U'
>
> </SessionDatabase>
>
> #######################################################################
> ###
> # Only one realm for now, the default one (everything goes in one
> table)
> #######################################################################
> ###
> <Realm DEFAULT>
> SessionDatabase SessionsDSX
> # AuthByPolicy ContinueWhileAccept # This is needed for multiple
> Auth-by statements being non-blocking
> AuthByPolicy ContinueUntilReject
> ### Kill off trailing '\'`s cause this would cause errors while
> writing into DB
> RewriteUsername s/(.*)\\+$/$1/
>
> ### Authenticate the user, and write accounting stats
> <AuthBy SQL>
> DBSource dbi:mysql:radius
> DBUsername radius
> DBAuth ***
> # AuthSelect select attribute from users where \
> # User='DEFAULT' order by id
> AuthSelect select users.attribute from users left join
> users AS tmp on \
> tmp.User='%{User-Name}' where (tmp.User IS
> NULL AND users.User='Default')
> AuthColumnDef 0, GENERIC, reply
>
> AccountingStopsOnly # we dont need starts, we are just
> calculating start time later on
> AcctSQLStatement insert into dialer \
> (AcctID, User, PhoneNr, \
> NASIPAddr, NASPortType, \
> AcctStartTime, AcctStopTime, AcctSessionTime, \
> AcctTerminateCause) \
> values \
> ( NULL, '%U', '%{Calling-Station-Id}', \
> '%{NAS-IP-Address}', '%{NAS-Port-Type}', \
> %t-%{Acct-Session-Time}, %t, '%{Acct-Session-Time}', \
> '%{Ascend-Disconnect-Cause}')
>
> </AuthBy>
> ### allocate an IP for the user, and set the maximum session time
> per country
> <AuthBy DYNADDRESS>
> Allocator POOL
> PoolHint %{NAS-IP-Address}
> MapAttribute yiaddr, Framed-IP-Address
> </AuthBy>
> </Realm>
> ############################################################
>
>
> Thanks,
> bogdan
>
> ===
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list