(RADIATOR) Radiator & Cisco 5350

Hugh Irvine hugh at open.com.au
Sat Aug 7 01:45:30 CDT 2004


Hello Bobby -

Ciscos usually require the same Service-Type in the access accept as
was present in the access request.

In this case you will need something like the following if all of your  
users require the same reply attributes:

	<AuthBy SQL>
		.....
		AddToReply Service-Type = Framed-User, \
			Framed-Protocol = PPP, \
			.....
	</AuthBy>

Note that it is usual to specify the common reply attributes in this  
way and only specify per-user attributes in the user records.

I am also not sure about the Framed-IP-Netmask = 255.255.255.255.

You should check a debug on the Cisco to see what is happening.

regards

Hugh


On 7 Aug 2004, at 11:01, Bobby Brown, Jr. wrote:

> I have my Cisco 5350 authenticating off of my installation of Radiator which
> uses MySQL.  My users can connect without any problem, but for some odd
> reason they can't get to anything.  They can't get on the web, check mail,
> or anything else.  I have tried modifying my REPLYATTR by removing one entry
> at a time, but still no luck.  Does anyone have a clue what I've done wrong?
>
> Here is a list of my cfg, ATTR's, and logs to help out.
>
> radius.cfg
> ------------------------------
>
> LogDir  /var/log/radius
> DbDir  /etc/radiator
> Trace  5
>
> <Client DEFAULT>
>  Secret XXXXXXXXXX
>  DupInterval 0
>  SNMPCommunity ssinternet
>  NasType Cisco
> </Client>
>
> <Realm DEFAULT>
>     <AuthBy SQL>
>  # Adjust DBSource, DBUsername, DBAuth to suit your DB
>  DBSource dbi:mysql:radius
>  DBUsername XXXXX
>  DBAuth  XXXXXXXXXXX
>
>  # Coded from OSC to use MAXLOGINS and STATUS fields
>  AuthSelect select PASSWORD, MAXLOGINS, CHECKATTR, REPLYATTR \
>   from SUBSCRIBERS \
>   where USERNAME=%0 \
>   and STATUS=1
>   AuthColumnDef 0, Password, check
>   AuthColumnDef 1, Simultaneous-Use, check
>   AuthColumnDef 2, GENERIC, check
>   AuthColumnDef 3, GENERIC, reply
>
>
>  # You may want to tailor these for your ACCOUNTING table
>  # You can add your own columns to store whatever you like
>  AccountingTable ACCOUNTING
>   AcctColumnDef USERNAME,User-Name
>   AcctColumnDef TIME_STAMP,Timestamp,integer
>   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
>   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
>   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
>   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
>   AcctColumnDef ACCTSESSIONID,Acct-Session-Id
>   AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
>   AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
>   AcctColumnDef NASIDENTIFIER,NAS-Identifier
>   AcctColumnDef NASPORT,NAS-Port,integer
>   AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
>
>  # You can arrange to log accounting to a file if the
>  # SQL insert fails with AcctFailedLogFileName
>  # That way you could recover from a broken SQL
>  # server
>  #AcctFailedLogFileName /etc/radiator/AcctFailedLogFile
>
>  # Alternatively, you can arrange to save failed SQL accounting insert
>  # queries to a text file with SQLRecoveryFile
>  SQLRecoveryFile /etc/radiator/SQLRecoveryFile
>     </AuthBy>
> </Realm>
>
> --------------------------------
>
> here is what is in my CHECKATTR and REPLYATTR fields in the SUBSCRIBERS
> table
>
> --------------------------------
>
> CHECKATTR
> Service-Type = Framed-User
>
> REPLYATTR
> Framed-Protocol = PPP,Framed-IP-Netmask = 255.255.255.255,Framed-Routing = None,Framed-MTU = 1500,Framed-Compression = Van-Jacobson-TCP-IP
>
> ---------------------------------
>
> here is my log file when I connect a user
>
> ---------------------------------
>
> Fri Aug  6 19:57:43 2004: DEBUG: Packet dump:
> *** Received from 64.217.179.126 port 1645 ....
>
> Packet length = 88
> 01 0b 00 58 7c 81 19 0f c3 6c 0b e1 f7 a2 2d 60
> 07 20 4f fd 07 06 00 00 00 01 01 07 6d 69 6b 65
> 6d 03 13 01 d5 4c c3 07 56 0a fb 55 22 40 aa c9
> 34 c0 24 8d 1e 0c 39 30 33 35 37 35 31 30 39 35
> 05 06 00 00 00 e8 3d 06 00 00 00 00 06 06 00 00
> 00 02 04 06 40 d9 b3 7e
> Code:       Access-Request
> Identifier: 11
> Authentic:  |<129><25><15><195>l<11><225><247><162>-`<7> O<253>
> Attributes:
>  Framed-Protocol = PPP
>  User-Name = "mikem"
>  CHAP-Password = <1><213>L<195><7>V<10><251>U"@<170><201>4<192>$<141>
>  Called-Station-Id = "9035751095"
>  NAS-Port = 232
>  NAS-Port-Type = Async
>  Service-Type = Framed-User
>  NAS-IP-Address = 64.217.179.126
>
> Fri Aug  6 19:57:43 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  6 19:57:43 2004: DEBUG:  Deleting session for mikem,
> 64.217.179.126, 232
> Fri Aug  6 19:57:43 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Aug  6 19:57:43 2004: DEBUG: Handling with Radius::AuthSQL:
> Fri Aug  6 19:57:43 2004: DEBUG: Query is: 'select PASSWORD, MAXLOGINS,
> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='mikem' and  
> STATUS=1':
>
> Fri Aug  6 19:57:43 2004: DEBUG: Radius::AuthSQL looks for match with  
> mikem
> Fri Aug  6 19:57:43 2004: DEBUG: Radius::AuthSQL ACCEPT:
> Fri Aug  6 19:57:43 2004: DEBUG: Access accepted for mikem
> Fri Aug  6 19:57:43 2004: DEBUG: Packet dump:
> *** Sending to 64.217.179.126 port 1645 ....
>
> Packet length = 50
> 02 0b 00 32 74 6d 43 09 69 1a 0c 79 32 2a 34 62
> 57 24 d5 ce 07 06 00 00 00 01 09 06 ff ff ff ff
> 0a 06 00 00 00 00 0c 06 00 00 05 dc 0d 06 00 00
> 00 01
> Code:       Access-Accept
> Identifier: 11
> Authentic:  |<129><25><15><195>l<11><225><247><162>-`<7> O<253>
> Attributes:
>  Framed-Protocol = PPP
>  Framed-IP-Netmask = 255.255.255.255
>  Framed-Routing = None
>  Framed-MTU = 1500
>  Framed-Compression = Van-Jacobson-TCP-IP
>
> Fri Aug  6 19:57:43 2004: DEBUG: Packet dump:
> *** Received from 64.217.179.126 port 1646 ....
>
> Packet length = 123
> Code:       Accounting-Request
> Identifier: 18
> Authentic:   
> <178><246><137>V<2>}<225><238><132>4<177><154><147><233>Y<209>
> Attributes:
>  Acct-Session-Id = "0000001A"
>  Framed-Protocol = PPP
>  Connect-Info = "24000/26400 V34/V44/LAPM"
>  Acct-Authentic = RADIUS
>  User-Name = "mikem"
>  Acct-Status-Type = Start
>  Called-Station-Id = "9035751095"
>  NAS-Port = 232
>  NAS-Port-Type = Async
>  Service-Type = Framed-User
>  NAS-IP-Address = 64.217.179.126
>  Acct-Delay-Time = 0
>
> Fri Aug  6 19:57:43 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  6 19:57:43 2004: DEBUG:  Adding session for mikem,  
> 64.217.179.126,
> 232
> Fri Aug  6 19:57:43 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Aug  6 19:57:43 2004: DEBUG: Handling accounting with  
> Radius::AuthSQL
> Fri Aug  6 19:57:43 2004: DEBUG: do query is: 'insert into ACCOUNTING
> (ACCTDELAYTIME,ACCTSESSIONID,ACCTSTATUSTYPE,NASPORT,TIME_STAMP,USERNAME)
> values (0,'0000001A','Start',232,1091840263,'mikem')':
>
> Fri Aug  6 19:57:43 2004: DEBUG: Accounting accepted
> Fri Aug  6 19:57:43 2004: DEBUG: Packet dump:
> *** Sending to 64.217.179.126 port 1646 ....
>
> Packet length = 20
> 05 12 00 14 a6 72 c5 e4 91 af c6 d0 43 4a a8 a1
> d8 b3 6e 6e
> Code:       Accounting-Response
> Identifier: 18
> Authentic:   
> <178><246><137>V<2>}<225><238><132>4<177><154><147><233>Y<209>
> Attributes:
>
> ---------------------------------
>
> here is my log when I disconnect
>
> ---------------------------------
>
> Fri Aug  6 19:59:42 2004: DEBUG: Packet dump:
> *** Received from 64.217.179.126 port 1646 ....
>
> Packet length = 165
> Code:       Accounting-Request
> Identifier: 19
> Authentic:  <195><200>C.<4>s<24><8><185>2j<148>N<181><5><129>
> Attributes:
>  Acct-Session-Id = "0000001A"
>  Framed-Protocol = PPP
>  Framed-IP-Address = 64.217.179.129
>  Acct-Authentic = RADIUS
>  Acct-Session-Time = 120
>  Connect-Info = "24000/26400 V34/V44/LAPM"
>  Acct-Input-Octets = 1396
>  Acct-Output-Octets = 154
>  Acct-Input-Packets = 15
>  Acct-Output-Packets = 8
>  Acct-Terminate-Cause = User-Request
>  User-Name = "mikem"
>  Acct-Status-Type = Stop
>  Called-Station-Id = "9035751095"
>  NAS-Port = 232
>  NAS-Port-Type = Async
>  Service-Type = Framed-User
>  NAS-IP-Address = 64.217.179.126
>  Acct-Delay-Time = 0
>
> Fri Aug  6 19:59:42 2004: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Fri Aug  6 19:59:42 2004: DEBUG:  Deleting session for mikem,
> 64.217.179.126, 232
> Fri Aug  6 19:59:42 2004: DEBUG: Handling with Radius::AuthSQL
> Fri Aug  6 19:59:42 2004: DEBUG: Handling accounting with  
> Radius::AuthSQL
> Fri Aug  6 19:59:42 2004: DEBUG: do query is: 'insert into ACCOUNTING
> (ACCTDELAYTIME,ACCTINPUTOCTETS,ACCTOUTPUTOCTETS,ACCTSESSIONID,ACCTSESSIONTIME,ACCTSTATUSTYPE,ACCTTERMINATECAUSE,FRAMEDIPADDRESS,NASPORT,TIME_STAMP,USERNAME) values
> (0,1396,154,'0000001A',120,'Stop','User-Request','64.217.179.129',232,1091840382,'mikem')':
>
> Fri Aug  6 19:59:42 2004: DEBUG: Accounting accepted
> Fri Aug  6 19:59:42 2004: DEBUG: Packet dump:
> *** Sending to 64.217.179.126 port 1646 ....
>
> Packet length = 20
> 05 13 00 14 22 42 1e 9f 6a 65 cf ec 32 99 05 d3
> 47 83 86 76
> Code:       Accounting-Response
> Identifier: 19
> Authentic:  <195><200>C.<4>s<24><8><185>2j<148>N<181><5><129>
> Attributes:
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
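
The Service-Type comparison described in the reply, run against the Access-Request and Access-Accept in the quoted trace. This is an added example, not part of the original message and not Radiator code: a minimal RFC 2865 attribute parser whose function names are illustrative, with the packet bytes copied from the two hex dumps above.

```python
import struct

# Packets copied from the hex dumps in the quoted trace (request id 11 and its accept).
REQUEST = bytes.fromhex("""
01 0b 00 58 7c 81 19 0f c3 6c 0b e1 f7 a2 2d 60
07 20 4f fd 07 06 00 00 00 01 01 07 6d 69 6b 65
6d 03 13 01 d5 4c c3 07 56 0a fb 55 22 40 aa c9
34 c0 24 8d 1e 0c 39 30 33 35 37 35 31 30 39 35
05 06 00 00 00 e8 3d 06 00 00 00 00 06 06 00 00
00 02 04 06 40 d9 b3 7e""")
ACCEPT = bytes.fromhex("""
02 0b 00 32 74 6d 43 09 69 1a 0c 79 32 2a 34 62
57 24 d5 ce 07 06 00 00 00 01 09 06 ff ff ff ff
0a 06 00 00 00 00 0c 06 00 00 05 dc 0d 06 00 00
00 01""")
ACCESS_REQUEST, ACCESS_ACCEPT, SERVICE_TYPE = 1, 2, 6  # RFC 2865 numbers

def parse_radius(raw):
    """Return (code, identifier, [(attr_type, value_bytes), ...])."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if not 20 <= length <= len(raw):
        raise ValueError("length field does not fit the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length or raw[pos + 1] < 2 or pos + raw[pos + 1] > length:
            raise ValueError("malformed attribute at offset %d" % pos)
        atype, alen = raw[pos], raw[pos + 1]
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return code, ident, attrs

def service_type(attrs):
    """Integer value of Service-Type, or None when the attribute is absent."""
    for atype, value in attrs:
        if atype == SERVICE_TYPE and len(value) == 4:
            return struct.unpack("!I", value)[0]
    return None

def service_type_echoed(request, accept):
    """Return (requested, replied, echoed) for a matching request/accept pair."""
    rcode, rid, rattrs = parse_radius(request)
    acode, aid, aattrs = parse_radius(accept)
    if (rcode, acode) != (ACCESS_REQUEST, ACCESS_ACCEPT) or rid != aid:
        raise ValueError("not an Access-Request with its Access-Accept")
    want, got = service_type(rattrs), service_type(aattrs)
    return want, got, want is not None and want == got
```

For the trace above, `service_type_echoed(REQUEST, ACCEPT)` returns `(2, None, False)`: the request carries Service-Type 2 (Framed-User) and the accept carries none.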
