(RADIATOR) DefaultSimultaneousUse With Cisco
Rickard Ekeroth
rickard at spidernet.net
Thu Jan 22 02:32:37 CST 2004
Hello Geoffrey!
We are using the RADIUS Class attribute for session tracking also. According
to the RADIUS RFC 2865 the NAS should keep the value of the Class attribute,
if it receives it from the RADIUS server in the access accept request, and
return it unmodified in any subsequent accounting request for that specific
session. Of course this depends on the NAS supporting this functionality...
Perhaps it might be useful somehow...
Regards,
Rickard Ekeroth @ SPIDERNET
Programmer/Analyst
rickard at spidernet.net
-----Original Message-----
From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On Behalf Of DUFOUR Geoffrey
Sent: Wednesday, January 21, 2004 12:31 PM
To: al mccain
Cc: radiator at open.com.au
Subject: Re: (RADIATOR) DefaultSimultaneousUse With Cisco
Hugh,
I can understand the NAS-IP-Address/NAS-Port solution is far more reliable,
but I think the User-Name/Acct-Session-Id is an interesting alternative when
you cannot rely on Nas-Port.
DeleteQuery delete from RADONLINE where USERNAME='%u' and ACCTSESSIONID = %3
CountQuery select ... from RADONLINE where USERNAME = '%u'
Moreover I think if you need to limit simultaneous use to 1 for all your
users you could rely on User-Name only.
Of course, you need to modify RADIATOR code to prevent execution of the
DeleteQuery upon reception of Access-Request.
Depending on the Access Server reliability (Accounting, "Ghost" Sessions,
...), this could be an interesting alternative. But I do agree it can
quickly lead to unwanted Access-Rejects in case of NAS reboot, lost
Accounting-Stop, or "Ghost" sessions (VPN servers, ...).
Am I missing something? I guess I am :)!
Regards.
Geoffrey
-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au]
Sent: Wednesday, 21 January 2004 10:53
To: DUFOUR Geoffrey
Cc: radiator at open.com.au; al mccain
Subject: Re: (RADIATOR) DefaultSimultaneousUse With Cisco
Hello Geoffrey -
Unfortunately this will not work, as there is no Acct-Session-Id in the
access request.
The problem is to be able to distinguish between different sessions
when the access request is received so you know how many sessions are
currently active for the user. You can use the query you show below,
but there is no way to distinguish between "real" sessions and "stale"
sessions if you don't have reliable, sensible information.
regards
Hugh
On 21 Jan 2004, at 20:23, DUFOUR Geoffrey wrote:
> Hello Hugh, Al,
>
> If you cannot rely on NAS-Port, simultaneous use can be based on
> User-Name/Acct-Session-Id instead of NAS-IP-Address/NAS-Port.
>
> DeleteQuery delete from RADONLINE where USERNAME='%u' and ACCTSESSIONID = %3
>
> For this to work, DeleteQuery must not be executed upon reception of
> Access-Request.
>
> Of course this is less accurate than NAS-IP-Address/NAS-Port.
>
> Hugh, correct ?
>
> Regards.
>
> Geoffrey
>
> -----Original Message-----
> From: owner-radiator at open.com.au [mailto:owner-radiator at open.com.au] On
> behalf of Hugh Irvine
> Sent: Wednesday, 21 January 2004 0:42
> To: al mccain
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) DefaultSimultaneousUse With Cisco
>
>
> Hello Al -
>
> Managing simultaneous use depends on being able to distinguish between
> sessions.
>
> If all of the sessions for the Cisco use NAS-Port 0 it is impossible to
> know which is which.
>
> You should check with Cisco.
>
> regards
>
> Hugh
>
>
> On 21 Jan 2004, at 01:41, al mccain wrote:
>
>> Hugh,
>>
>> Thanks for the quick reply! However, I am a little confused.
>> Are you saying that there is no way to implement this with our cisco
>> boxes?
>>
>> Thanks,
>> Al
>>
>>
>>
>> On Tue, 20 Jan 2004, Hugh Irvine wrote:
>>
>>>
>>> Hello Al -
>>>
>>> I'm guessing here, but I suspect the problem is due to your Client
>>> definitions in the SQL database - specifically the contents of the
>>> NASTYPE field for at least the NAS in question. As you will see from
>>> the debug, Radiator is trying to find a module called "Radius/Nas/.pm"
>>> in the Redback case so this is not correct at all.
>>>
>>> The problem with the Cisco is that the NAS-Port attribute is always
>>> "0", so this will never work in any case.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>>
>>> On 20 Jan 2004, at 09:04, al mccain wrote:
>>>
>>>>
>>>> Hello Guys,
>>>>
>>>> I have yet another problem. We are trying to implement concurrent login
>>>> checks. I am having trouble using DefaultSimultaneousUse = 1 with our
>>>> Cisco boxes. It works perfectly for our Redback equipment. Could someone
>>>> take a look and let me know what I'm doing wrong? I have attached my
>>>> config as well as 2 trace 4's. One is the Redback (acting perfectly) and
>>>> one of the Cisco (acting not-so-perfectly).
>>>>
>>>> Thanks!
>>>>
>>>> Al
>>>>
>>>>
>>>> Config
>>>> --------------------------------------------------------
>>>>
>>>> #Foreground
>>>> #LogStdout
>>>> LogDir /var/adm/radacct
>>>> DbDir /etc/raddb
>>>> PreHandlerHook file:"%D/prehook"
>>>>
>>>> SnmpgetProg /usr/local/bin/snmpget
>>>> Trace 4
>>>> RewriteUsername s/^([^@]+)\@centurytel.net/$1/
>>>> RewriteUsername s/^([^@]+)\@digisys.net/$1/
>>>> RewriteUsername s/\s+//g
>>>> #RewriteUsername s/\'//g
>>>> RewriteUsername tr/A-Z/a-z/
>>>> <Client DEFAULT>
>>>>
>>>>
>>>> Secret letMEin
>>>> DupInterval 0
>>>>
>>>>
>>>> </Client>
>>>>
>>>> <SessionDatabase SQL>
>>>>
>>>> DBSource dbi:mysql:radius:*******************
>>>> DBUsername ******
>>>> DBAuth ********
>>>> Identifier SQLS
>>>>
>>>> AddQuery insert into RADONLINE (USERNAME,\
>>>> NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP,\
>>>> FRAMEDIPADDRESS, NASPORTTYPE) \
>>>> values ('%n', '%N',\
>>>> '%{NAS-Port}', '%{Acct-Session-Id}', '%o',\
>>>> '%{Framed-IP-Address}', '%{NAS-Port-Type}')
>>>>
>>>>
>>>> DeleteQuery delete from RADONLINE where NASIDENTIFIER='%1' and NASPORT=0%2
>>>> ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%0'
>>>> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID from RADONLINE \
>>>> where USERNAME ='%u'
>>>>
>>>>
>>>> </SessionDatabase>
>>>>
>>>>
>>>> <ClientListSQL>
>>>>
>>>> DBSource dbi:mysql:radius:********************
>>>> DBUsername *******
>>>> DBAuth *********
>>>>
>>>> select NASIDENTIFIER,SECRET,IGNOREACCTSIGNATURE,DUPINTERVAL, \
>>>> DEFAULTREALM,NASTYPE,SNMPCOMMUNITY,LIVINGSTONOFFS, \
>>>> LIVINGSTONHOLE,FRAMEDGROUPBASEADDRESS, \
>>>> FRAMEDGROUPMAXPORTSPERCLASSC,REWRITEUSERNAME, \
>>>> NOIGNOREDUPLICATES from RADCLIENTLIST
>>>>
>>>>
>>>> </ClientListSQL>
>>>> <AuthBy UNIX>
>>>>
>>>> # DefaultSimultaneousUse 1
>>>> Identifier System
>>>> Filename /etc/shadow
>>>>
>>>> </AuthBy>
>>>>
>>>> <AuthBy LDAP2>
>>>> DefaultSimultaneousUse 1
>>>> Identifier LDAP
>>>> Host 127.0.0.1
>>>> Port 389
>>>> AuthDN uid=searchuser,dc=centurytel,dc=net
>>>> AuthPassword ********
>>>> BaseDN %0=%1,ou=people,dc=centurytel,dc=net
>>>> Scope base
>>>> UsernameAttr uid
>>>> PasswordAttr userPassword
>>>> HoldServerConnection
>>>> SearchFilter (&(gecos=active)(uid=%1))
>>>> AuthAttrDef gidNumber, gid-attr, request
>>>> # DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>>>> </AuthBy>
>>>> <AuthBy SQL>
>>>> # NoDefault
>>>> DefaultSimultaneousUse 1
>>>> Identifier CheckSQL
>>>>
>>>> DBSource dbi:mysql:radius:********************
>>>> DBUsername ******
>>>> DBAuth ********
>>>>
>>>>
>>>> AuthSelect select PASSWORD, CHECKATTR, REPLYATTR \
>>>> from SUBSCRIBERS \
>>>> where USERNAME=%0
>>>>
>>>> AuthColumnDef 0, User-Password, check
>>>> AuthColumnDef 1, GENERIC, check
>>>> AuthColumnDef 2, GENERIC, reply
>>>> # DefaultReply Service-Type=Framed-User,Framed-Protocol=PPP
>>>>
>>>>
>>>> </AuthBy>
>>>> <Realm DEFAULT>
>>>> RewriteUsername s/^([^@]+).*/$1/
>>>>
>>>>
>>>>
>>>> PostAuthHook file:"%D/postHook"
>>>> AcctLogFileName %L/%N/detail
>>>>
>>>>
>>>>
>>>> #AuthByPolicy ContinueWhileReject
>>>> AuthByPolicy ContinueUntilAccept
>>>> #AuthBy LDAP
>>>> AuthBy CheckSQL
>>>> AuthBy System
>>>>
>>>>
>>>> </Realm>
>>>>
>>>> ----------------------------------------------
>>>> End Config
>>>>
>>>>
>>>> Trace 4 Redback
>>>> ----------------------------------------------
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.22 port 1812 ....
>>>> Code: Access-Request
>>>> Identifier: 11
>>>> Authentic: E<138><164><4>E<130>FE<30><232><199>@<23>j<201><247>
>>>> Attributes:
>>>> User-Name = "nethelp1"
>>>> User-Password = "<187>6<25>L<247><7><5><168><148><235>0 5V<3><199>"
>>>> NAS-Identifier = "rb-test.mx"
>>>> NAS-IP-Address = 209.142.136.22
>>>> RB-NAS-Real-Port = 537067624
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> NAS-Port = 3892314117
>>>> Connect-Info = "ubrc"
>>>>
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: SQLS Deleting session for nethelp1,
>>>> 209.142.136.22, 3892314117
>>>> Mon Jan 19 12:56:10 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.22' and NASPORT=03892314117':
>>>>
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Handling with Radius::AuthSQL:
>>>> CheckSQL
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Query is: 'select PASSWORD,
>>>> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='nethelp1'':
>>>>
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Radius::AuthSQL looks for match
>>>> with
>>>> nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Query is: 'select NASIDENTIFIER,
>>>> NASPORT from RADONLINE where USERNAME ='nethelp1'':
>>>>
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Radius::AuthSQL ACCEPT:
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Access accepted for nethelp1
>>>> Mon Jan 19 12:56:10 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.22 port 1812 ....
>>>> Code: Access-Accept
>>>> Identifier: 11
>>>> Authentic: E<138><164><4>E<130>FE<30><232><199>@<23>j<201><247>
>>>> Attributes:
>>>> Framed-IP-Address = 66.112.90.42
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Netmask = 255.255.255.255
>>>> Idle-Timeout = 0
>>>> Session-Timeout = 0
>>>>
>>>> Mon Jan 19 12:56:12 2004: ERR: Attribute number 144 (vendor 2352) is
>>>> not defined in your dictionary
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.22 port 1812 ....
>>>> Code: Accounting-Request
>>>> Identifier: 29
>>>> Authentic:
>>>> <136>}<253><170><198>`<188><251>N<28><253>`<135><232><29>r
>>>> Attributes:
>>>> User-Name = "nethelp1"
>>>> NAS-Identifier = "rb-test.mx"
>>>> NAS-IP-Address = 209.142.136.22
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> NAS-Port = 3892314117
>>>> RB-NAS-Real-Port = 537067624
>>>> Acct-Session-Id = "E8000005-400B2C3E"
>>>> Acct-Authentic = RADIUS
>>>> Connect-Info = "ubrc"
>>>> Framed-IP-Address = 66.112.90.42
>>>> Acct-Status-Type = Start
>>>>
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:12 2004: DEBUG: SQLS Adding session for nethelp1,
>>>> 209.142.136.22, 3892314117
>>>> Mon Jan 19 12:56:12 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.22' and NASPORT=03892314117':
>>>>
>>>> Mon Jan 19 12:56:12 2004: DEBUG: do query is: 'insert into RADONLINE
>>>> (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID,
>>>> TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE) values ('nethelp1',
>>>> '209.142.136.22','3892314117', 'E8000005-400B2C3E', 'Mon Jan 19
>>>> 12:56:12 2004','66.112.90.42', '')':
>>>>
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Handling accounting with
>>>> Radius::AuthSQL
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Accounting accepted
>>>> Mon Jan 19 12:56:12 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.22 port 1812 ....
>>>> Code: Accounting-Response
>>>> Identifier: 29
>>>> Authentic:
>>>> <136>}<253><170><198>`<188><251>N<28><253>`<135><232><29>r
>>>> Attributes:
>>>>
>>>> Mon Jan 19 12:56:13 2004: ERR: Attribute number 144 (vendor 2352) is
>>>> not defined in your dictionary
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.22 port 1812 ....
>>>> Code: Accounting-Request
>>>> Identifier: 30
>>>> Authentic: g%M<161><249><226><174>'<244>NO<194>5Y<176>s
>>>> Attributes:
>>>> User-Name = "nethelp1"
>>>> NAS-Identifier = "rb-test.mx"
>>>> NAS-IP-Address = 209.142.136.22
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> NAS-Port = 3892314117
>>>> RB-NAS-Real-Port = 537067624
>>>> Acct-Session-Id = "E8000005-400B2C3E"
>>>> Acct-Authentic = RADIUS
>>>> Connect-Info = "ubrc"
>>>> Acct-Status-Type = Alive
>>>> Framed-IP-Address = 66.112.90.42
>>>> Framed-IP-Netmask = 255.255.255.255
>>>> RB-Client-DNS-Pri = 209.142.136.85
>>>> RB-Client-DNS-Sec = 209.206.199.16
>>>> Acct-Input-Octets = 180
>>>> Acct-Output-Octets = 0
>>>> Acct-Input-Packets = 3
>>>> Acct-Output-Packets = 0
>>>> Acct-Session-Time = 0
>>>> RB-Acct-Input-Octets-64 = 0xb4
>>>> RB-Acct-Output-Octets-64 = 0x0
>>>> RB-Acct-Input-Packets-64 = 0x3
>>>> RB-Acct-Output-Packets-64 = 0x0
>>>>
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:56:13 2004: DEBUG: SQLS Adding session for nethelp1,
>>>> 209.142.136.22, 3892314117
>>>> Mon Jan 19 12:56:13 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.22' and NASPORT=03892314117':
>>>>
>>>> Mon Jan 19 12:56:13 2004: DEBUG: do query is: 'insert into RADONLINE
>>>> (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID,
>>>> TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE) values ('nethelp1',
>>>> '209.142.136.22','3892314117', 'E8000005-400B2C3E', 'Mon Jan 19
>>>> 12:56:13 2004','66.112.90.42', '')':
>>>>
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Handling accounting with
>>>> Radius::AuthSQL
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Accounting accepted
>>>> Mon Jan 19 12:56:13 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.22 port 1812 ....
>>>> Code: Accounting-Response
>>>> Identifier: 30
>>>> Authentic: g%M<161><249><226><174>'<244>NO<194>5Y<176>s
>>>> Attributes:
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.22 port 1812 ....
>>>> Code: Access-Request
>>>> Identifier: 12
>>>> Authentic:
>>>> <240><165><246>oN<222><231>t<28><143><163>oA<206><12><203>
>>>> Attributes:
>>>> User-Name = "nethelp1"
>>>> User-Password = ""<4>y<223>1J<218>2<240><239><149><197>I<213>"m"
>>>> NAS-Identifier = "rb-test.mx"
>>>> NAS-IP-Address = 209.142.136.22
>>>> RB-NAS-Real-Port = 537067622
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> NAS-Port = 3892314118
>>>> Connect-Info = "ubrc"
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: SQLS Deleting session for nethelp1,
>>>> 209.142.136.22, 3892314118
>>>> Mon Jan 19 12:57:53 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.22' and NASPORT=03892314118':
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Handling with Radius::AuthSQL:
>>>> CheckSQL
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Query is: 'select PASSWORD,
>>>> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='nethelp1'':
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Radius::AuthSQL looks for match
>>>> with
>>>> nethelp1
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Query is: 'select NASIDENTIFIER,
>>>> NASPORT from RADONLINE where USERNAME ='nethelp1'':
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Checking if user is still online: ,
>>>> nethelp1, 209.142.136.22, 3892314117,
>>>> Mon Jan 19 12:57:53 2004: ERR: Could not load NAS-specific module
>>>> Radius::Nas::: Can't locate Radius/Nas/.pm in @INC (@INC contains: .
>>>> /usr/local/lib/perl5/5.8.0/sun4-solaris /usr/local/lib/perl5/5.8.0
>>>> /usr/local/lib/perl5/site_perl/5.8.0/sun4-solaris
>>>> /usr/local/lib/perl5/site_perl/5.8.0 /usr/local/lib/perl5/site_perl
>>>> .)
>>>> at (eval 190) line 3.
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Radius::AuthSQL REJECT:
>>>> Simultaneous-Use of 1 exceeded
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Query is: 'select PASSWORD,
>>>> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='DEFAULT'':
>>>>
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Radius::AuthSQL looks for match
>>>> with
>>>> DEFAULT
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Handling with Radius::AuthLDAP2:
>>>> LDAP
>>>> Mon Jan 19 12:57:53 2004: INFO: Connecting to 127.0.0.1, port 389
>>>> Mon Jan 19 12:57:53 2004: ERR: Could not open LDAP connection to
>>>> 127.0.0.1, port 389. Backing off for 600 seconds.
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Radius::AuthSQL IGNORE: User
>>>> database
>>>> access error
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Handling with Radius::AuthUNIX:
>>>> System
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Radius::AuthUNIX looks for match
>>>> with
>>>> nethelp1
>>>> Mon Jan 19 12:57:53 2004: INFO: Access rejected for nethelp1: No
>>>> such
>>>> user
>>>> Mon Jan 19 12:57:53 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.22 port 1812 ....
>>>> Code: Access-Reject
>>>> Identifier: 12
>>>> Authentic:
>>>> <240><165><246>oN<222><231>t<28><143><163>oA<206><12><203>
>>>> Attributes:
>>>> Reply-Message = "choice: "
>>>> Reply-Message = "Request Denied"
>>>>
>>>> -----------------------------------------------
>>>> end trace 4 redback
>>>>
>>>>
>>>> Trace 4 cisco
>>>> -----------------------------------------------
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.170 port 21659 ....
>>>> Code: Access-Request
>>>> Identifier: 15
>>>> Authentic: ,6~<148>$L<139>/<139>hC<142><166><16><184>D
>>>> Attributes:
>>>> Framed-Protocol = PPP
>>>> User-Name = "nethelp1"
>>>> User-Password =
>>>> "<219>@~<155><31><188><179><167><189><12><204><218><232><31><139>i"
>>>> NAS-Port-Type = Virtual
>>>> Cisco-NAS-Port = "5/0/0/3.102"
>>>> NAS-Port = 0
>>>> Service-Type = Framed-User
>>>> NAS-IP-Address = 209.142.136.170
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: SQLS Deleting session for nethelp1,
>>>> 209.142.136.170, 0
>>>> Mon Jan 19 12:42:45 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.170' and NASPORT=00':
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling with Radius::AuthSQL:
>>>> CheckSQL
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Query is: 'select PASSWORD,
>>>> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='nethelp1'':
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Radius::AuthSQL looks for match
>>>> with
>>>> nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Query is: 'select NASIDENTIFIER,
>>>> NASPORT from RADONLINE where USERNAME ='nethelp1'':
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Radius::AuthSQL ACCEPT:
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Access accepted for nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.170 port 21659 ....
>>>> Code: Access-Accept
>>>> Identifier: 15
>>>> Authentic: ,6~<148>$L<139>/<139>hC<142><166><16><184>D
>>>> Attributes:
>>>> Framed-IP-Address = 66.112.90.42
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Netmask = 255.255.255.255
>>>> Idle-Timeout = 0
>>>> Session-Timeout = 0
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.170 port 21659 ....
>>>> Code: Accounting-Request
>>>> Identifier: 16
>>>> Authentic: <211><202>yl<21>J<178>fh<233><213><244>4<236><236>b
>>>> Attributes:
>>>> Acct-Session-Id = "00000506"
>>>> cisco-avpair = "client-mac-address=0060.0f4e.604e"
>>>> Framed-Protocol = PPP
>>>> Acct-Authentic = RADIUS
>>>> User-Name = "nethelp1"
>>>> Acct-Status-Type = Start
>>>> NAS-Port-Type = Virtual
>>>> Cisco-NAS-Port = "5/0/0/3.102"
>>>> NAS-Port = 0
>>>> Service-Type = Framed-User
>>>> NAS-IP-Address = 209.142.136.170
>>>> Acct-Delay-Time = 0
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:42:45 2004: DEBUG: SQLS Adding session for nethelp1,
>>>> 209.142.136.170, 0
>>>> Mon Jan 19 12:42:45 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.170' and NASPORT=00':
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: do query is: 'insert into RADONLINE
>>>> (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID,
>>>> TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE) values ('nethelp1',
>>>> '209.142.136.170','0', '00000506', 'Mon Jan 19 12:42:45 2004','',
>>>> 'Virtual')':
>>>>
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Handling accounting with
>>>> Radius::AuthSQL
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Accounting accepted
>>>> Mon Jan 19 12:42:45 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.170 port 21659 ....
>>>> Code: Accounting-Response
>>>> Identifier: 16
>>>> Authentic: <211><202>yl<21>J<178>fh<233><213><244>4<236><236>b
>>>> Attributes:
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.170 port 21659 ....
>>>> Code: Access-Request
>>>> Identifier: 17
>>>> Authentic: ~<193>en-4}<12>B<224><28><14>mr<201><0>
>>>> Attributes:
>>>> Framed-Protocol = PPP
>>>> User-Name = "nethelp1"
>>>> User-Password =
>>>> "<27><217><190>0<243><6>g<208><239><241><24><215><249>_<229>+"
>>>> NAS-Port-Type = Virtual
>>>> Cisco-NAS-Port = "5/0/0/3.104"
>>>> NAS-Port = 0
>>>> Service-Type = Framed-User
>>>> NAS-IP-Address = 209.142.136.170
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: SQLS Deleting session for nethelp1,
>>>> 209.142.136.170, 0
>>>> Mon Jan 19 12:43:46 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.170' and NASPORT=00':
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling with Radius::AuthSQL:
>>>> CheckSQL
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Query is: 'select PASSWORD,
>>>> CHECKATTR, REPLYATTR from SUBSCRIBERS where USERNAME='nethelp1'':
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Radius::AuthSQL looks for match
>>>> with
>>>> nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Query is: 'select NASIDENTIFIER,
>>>> NASPORT from RADONLINE where USERNAME ='nethelp1'':
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Radius::AuthSQL ACCEPT:
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Access accepted for nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.170 port 21659 ....
>>>> Code: Access-Accept
>>>> Identifier: 17
>>>> Authentic: ~<193>en-4}<12>B<224><28><14>mr<201><0>
>>>> Attributes:
>>>> Framed-IP-Address = 66.112.90.42
>>>> Service-Type = Framed-User
>>>> Framed-Protocol = PPP
>>>> Framed-IP-Netmask = 255.255.255.255
>>>> Idle-Timeout = 0
>>>> Session-Timeout = 0
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Packet dump:
>>>> *** Received from 209.142.136.170 port 21659 ....
>>>> Code: Accounting-Request
>>>> Identifier: 18
>>>> Authentic: <223>G<198><10><160>]<178>"<182><166>()<158>PZ<19>
>>>> Attributes:
>>>> Acct-Session-Id = "00000507"
>>>> cisco-avpair = "client-mac-address=0060.0fd5.b0f0"
>>>> Framed-Protocol = PPP
>>>> Acct-Authentic = RADIUS
>>>> User-Name = "nethelp1"
>>>> Acct-Status-Type = Start
>>>> NAS-Port-Type = Virtual
>>>> Cisco-NAS-Port = "5/0/0/3.104"
>>>> NAS-Port = 0
>>>> Service-Type = Framed-User
>>>> NAS-IP-Address = 209.142.136.170
>>>> Acct-Delay-Time = 0
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling request with Handler
>>>> 'Realm=DEFAULT'
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Rewrote user name to nethelp1
>>>> Mon Jan 19 12:43:46 2004: DEBUG: SQLS Adding session for nethelp1,
>>>> 209.142.136.170, 0
>>>> Mon Jan 19 12:43:46 2004: DEBUG: do query is: 'delete from RADONLINE
>>>> where NASIDENTIFIER='209.142.136.170' and NASPORT=00':
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: do query is: 'insert into RADONLINE
>>>> (USERNAME,NASIDENTIFIER, NASPORT, ACCTSESSIONID,
>>>> TIME_STAMP,FRAMEDIPADDRESS, NASPORTTYPE) values ('nethelp1',
>>>> '209.142.136.170','0', '00000507', 'Mon Jan 19 12:43:46 2004','',
>>>> 'Virtual')':
>>>>
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling with Radius::AuthSQL
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Handling accounting with
>>>> Radius::AuthSQL
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Accounting accepted
>>>> Mon Jan 19 12:43:46 2004: DEBUG: Packet dump:
>>>> *** Sending to 209.142.136.170 port 21659 ....
>>>> Code: Accounting-Response
>>>> Identifier: 18
>>>> Authentic: <223>G<198><10><160>]<178>"<182><166>()<158>PZ<19>
>>>> Attributes:
>>>>
>>>> -------------------------------------------------------------
>>>> end trace 4 cisco
>>>>
>>>> ===
>>>> Archive at http://www.open.com.au/archives/radiator/
>>>> Announcements on radiator-announce at open.com.au
>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>> 'unsubscribe radiator' in the body of the message.
>>>>
>>>>
>>>
>>> NB: have you included a copy of your configuration file (no secrets),
>>> together with a trace 4 debug showing what is happening?
>>>
>>> --
>>> Radiator: the most portable, flexible and configurable RADIUS server
>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>> -
>>> Nets: internetwork inventory and management - graphical, extensible,
>>> flexible with hardware, software, platform and database independence.
>>> -
>>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>>
>>>
>>
>>
>
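Added example (not part of any message in this thread, and not Radiator code): a replay of the Redback and Cisco traces against an in-memory RADONLINE table. It shows why deleting by NAS and port on every Access-Request defeats the limit when NAS-Port is always 0, and how the User-Name/Acct-Session-Id alternative behaves when an Accounting-Stop is lost. Assumptions: the table is reduced to four columns, every counted row is treated as a live session (no NAS-side "still online" check), the event tuples are constructed from values in the traces, and the replay() function and its key names are hypothetical.

```python
import sqlite3

ACCEPT, REJECT = "Access-Accept", "Access-Reject"


def replay(events, key="nas_port", limit=1):
    """Replay RADIUS events against a session table; return access decisions.

    key="nas_port":     sessions keyed on NAS and NAS-Port, deleted on every
                        Access-Request (the behaviour visible in the traces).
    key="user_session": sessions keyed on User-Name and Acct-Session-Id, with
                        no delete on Access-Request (the alternative proposed
                        in the thread).
    """
    db = sqlite3.connect(":memory:")
    db.execute(
        "create table RADONLINE (USERNAME text, NASIDENTIFIER text,"
        " NASPORT integer, ACCTSESSIONID text)"
    )

    def delete(user, nas, port, sid):
        if key == "nas_port":
            db.execute(
                "delete from RADONLINE where NASIDENTIFIER=? and NASPORT=?",
                (nas, port),
            )
        else:
            db.execute(
                "delete from RADONLINE where USERNAME=? and ACCTSESSIONID=?",
                (user, sid),
            )

    decisions = []
    for kind, user, nas, port, sid in events:
        if kind == "access":
            # An Access-Request carries no Acct-Session-Id, so only the
            # NAS/port key can be used to clear a session at this point.
            if key == "nas_port":
                delete(user, nas, port, None)
            (count,) = db.execute(
                "select count(*) from RADONLINE where USERNAME=?", (user,)
            ).fetchone()
            decisions.append(ACCEPT if count < limit else REJECT)
        elif kind == "start":
            delete(user, nas, port, sid)
            db.execute(
                "insert into RADONLINE values (?, ?, ?, ?)",
                (user, nas, port, sid),
            )
        elif kind == "stop":
            delete(user, nas, port, sid)
    db.close()
    return decisions


# Constructed event lists using the values shown in the two traces.
RB, CISCO_NAS, USER = "209.142.136.22", "209.142.136.170", "nethelp1"

REDBACK = [
    ("access", USER, RB, 3892314117, None),
    ("start", USER, RB, 3892314117, "E8000005-400B2C3E"),
    ("access", USER, RB, 3892314118, None),  # second login, different port
]

CISCO = [
    ("access", USER, CISCO_NAS, 0, None),
    ("start", USER, CISCO_NAS, 0, "00000506"),
    ("access", USER, CISCO_NAS, 0, None),  # second login, NAS-Port is 0 again
]

# Same Cisco sequence, but the first session ends cleanly before the retry.
CISCO_CLEAN_STOP = CISCO[:2] + [("stop", USER, CISCO_NAS, 0, "00000506"), CISCO[2]]


if __name__ == "__main__":
    print("Redback, NAS/port key:     ", replay(REDBACK))
    print("Cisco, NAS/port key:       ", replay(CISCO))
    print("Cisco, user/session key:   ", replay(CISCO, key="user_session"))
    print("Cisco, user/session + stop:", replay(CISCO_CLEAN_STOP, key="user_session"))
```

With the user/session key, the only thing that frees the slot is the Accounting-Stop: if it is lost, the user stays locked out until the stale row is cleared some other way.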