(RADIATOR) buggy version of Radiator?

Jesse Guardiani jesse at wingnet.net
Fri May 7 17:13:30 CDT 2004


On Friday 07 May 2004 05:07, Hugh Irvine wrote:
> Hello Jesse -
>
> Without seeing a more complete trace 4, a copy of your configuration
> file (no secrets) and a copy of the user record, it is impossible to
> say what may be happening. What you show below are two different types
> of request - an access request and an accounting request.

OK. This is a lot of information, so I hope you don't mind. I spent the
entire day today trying to help myself figure this out (reading documentation,
testing various configs, googling, etc), but I'm just at a loss. Maybe you
can help. I'll try to be concise.

For reference, I'm running Radiator 2.18.1 on a BSDi 4.1 machine (the
thorn in my flesh. This is a legacy machine that I *will* be getting rid
of sometime soon, but for now I'm stuck with it) as my PRIMARY authentication
server. My PRIMARY accounting server is running Radiator 2.18.4 on FreeBSD
4.6.2-RELEASE. I don't *think* this should cause any problems with the two
session databases, but I could be very wrong. I know very little about
Radiator and I'm not the person that set these two versions up. If this
is a problem, please let me know and why.

Please see attached for my radius.cfg - minus the Secrets. The realm we're
dealing with here is 'wingnet.net', which you'll see from the trace 4s
below.

Let's just focus on one user: swbates.

This user is NOT listed in our 'users.filter' file, so it falls through
to the DEFAULT, which is blank. So the 'users.filter' AuthBy FILE returns
ACCEPT, which is again visible in the trace 4 below, and is exactly what
we want.

Now, this user has a Simultaneous-Use check item in our 'users' file here:

swbates         Simultaneous-Use = 1, Auth-Type = System
                Idle-Timeout = 1200, Session-Timeout = 10800

I've tried putting the Simultaneous-Use in front of and behind the Auth-Type
(I read somewhere that in front of is better, and we were placing it behind)
but the result is always the same: It doesn't work.

So this user should NOT be allowed multiple simultaneous logins. However,
my pmwho command to my TotalControl terminal server reveals that he is
indeed logging in twice:

# hawho mega | grep swbates
Sba  swbates         206.30.62.93     Netwrk  In  ESTABLISHED       49      0
Sci  swbates                          Netwrk  In  ESTABLISHED       47      0

And here are the two trace 4 debug authentication logs (minus the user's
password):

-------- START trace 4 number 1 --------

Fri May  7 16:59:47 2004: DEBUG: Packet dump:
*** Received from 206.30.62.10 port 1812 ....
Code:       Access-Request
Identifier: 108
Authentic:  <198><223>@B<143><209><130><185><200>9L<196><187><17><241>S
Attributes:
        User-Name = "swbates"
        NAS-IP-Address = 206.30.62.10
        NAS-Port = 257
        Acct-Session-Id = "16779629"
        Interface-Index = 1513
        Tunnel-Supports-Tags = 0
        Service-Type = Framed-User
        Framed-Protocol = PPP
        MP-EDO-HIPER = <0>`h<130><22><15>
        Chassis-Call-Slot = 2
        Chassis-Call-Span = 1
        Chassis-Call-Channel = 1
        Connect-Speed = NONE
        Calling-Station-Id = "4233380909"
        Called-Station-Id = "3035465"
        NAS-Port-Type = ISDN-Sync

Fri May  7 16:59:47 2004: DEBUG: Check if Handler Realm=wingnet.net should be used to handle this request
Fri May  7 16:59:47 2004: DEBUG: Handling request with Handler 'Realm=wingnet.net'
Fri May  7 16:59:47 2004: DEBUG: Rewrote user name to swbates
Fri May  7 16:59:47 2004: DEBUG:  Deleting session for swbates, 206.30.62.10, 257
Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthFILE
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with swbates
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthFILE
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with swbates
Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthUNIX
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthUNIX looks for match with swbates
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthUNIX ACCEPT:
Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri May  7 16:59:47 2004: DEBUG: Access accepted for swbates
Fri May  7 16:59:47 2004: DEBUG: Packet dump:
*** Sending to 206.30.62.10 port 1812 ....
Code:       Access-Accept
Identifier: 108
Authentic:  <198><223>@B<143><209><130><185><200>9L<196><187><17><241>S
Attributes:
        Idle-Timeout = 1200
        Session-Timeout = 10800

-------- END trace 4 number 1 --------

-------- START trace 4 number 2 --------

Fri May  7 17:02:06 2004: DEBUG: Packet dump:
*** Received from 206.30.62.10 port 1812 ....
Code:       Access-Request
Identifier: 111
Authentic:  <185><21><203>d.X<31>s<197><171>^6<192><242>@<29>
Attributes:
        User-Name = "swbates"
        NAS-IP-Address = 206.30.62.10
        NAS-Port = 521
        Acct-Session-Id = "34079817"
        Interface-Index = 1777
        Tunnel-Supports-Tags = 0
        Service-Type = Framed-User
        Framed-Protocol = PPP
        MP-EDO-HIPER = <0>`h<130><22><15>
        Chassis-Call-Slot = 3
        Chassis-Call-Span = 1
        Chassis-Call-Channel = 9
        Connect-Speed = NONE
        Calling-Station-Id = "4233380908"
        Called-Station-Id = "3035465"
        NAS-Port-Type = ISDN-Sync

Fri May  7 17:02:06 2004: DEBUG: Check if Handler Realm=wingnet.net should be used to handle this request
Fri May  7 17:02:06 2004: DEBUG: Handling request with Handler 'Realm=wingnet.net'
Fri May  7 17:02:06 2004: DEBUG: Rewrote user name to swbates
Fri May  7 17:02:06 2004: DEBUG:  Deleting session for swbates, 206.30.62.10, 521
Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthFILE
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with swbates
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with DEFAULT
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthFILE
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with swbates
Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthUNIX
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthUNIX looks for match with swbates
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthUNIX ACCEPT:
Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE ACCEPT:
Fri May  7 17:02:06 2004: DEBUG: Access accepted for swbates
Fri May  7 17:02:06 2004: DEBUG: Packet dump:
*** Sending to 206.30.62.10 port 1812 ....
Code:       Access-Accept
Identifier: 111
Authentic:  <185><21><203>d.X<31>s<197><171>^6<192><242>@<29>
Attributes:
        Idle-Timeout = 1200
        Session-Timeout = 10800

-------- END trace 4 number 2 --------


Radiator says above that it deleted the session, which I'm thinking is probably not
good. However, I don't know why it did that. Also, I have never seen anything stating
that Radiator is actually using the pmwho program I set up. Before, when I was trying
to get the snmpget program working with TotalControlSNMP it at least showed the snmpget
command being executed (but the command failed for some reason, so I'm back to using pmwho).

Hopefully you can tell me what the problem is. Basically, at this point I'm wondering
two things:

1.) Why isn't Radiator tracking sessions and honoring Simultaneous-Use properly?

2.) Why isn't Radiator using my pmwho command (hawho)?

Thanks for all the help!


> regards
>
> Hugh
>
> On 7 May 2004, at 07:15, Jesse Guardiani wrote:
> > Howdy list,
> >
> > Am I running a buggy version of Radiator? I'm using 2.18.4.
> >
> > Radiator just isn't handling Simultaneous-Use properly. Sometimes
> > I get DEBUG output that looks like this:
> >
> > Mon May  3 22:10:42 2004: DEBUG: Check if Handler Realm=wingnet.net
> > should be used to handle this request
> > Mon May  3 22:10:42 2004: DEBUG: Handling request with Handler
> > 'Realm=wingnet.net'
> > Mon May  3 22:10:42 2004: DEBUG: Rewrote user name to cyrilthompson
> > Mon May  3 22:10:42 2004: DEBUG:  Deleting session for
> > cyrilthompson at wingnet.net, 66.19.138.227, 1032
> > Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthFILE:
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match with
> > cyrilthompson
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match with
> > DEFAULT
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthFILE:
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match with
> > cyrilthompson
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match with
> > DEFAULT
> > Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthUNIX: System
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthUNIX looks for match with
> > cyrilthompson
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthUNIX ACCEPT:
> > Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE ACCEPT:
> > Mon May  3 22:10:42 2004: DEBUG: Access accepted for cyrilthompson
> > Mon May  3 22:10:42 2004: DEBUG: Packet dump:
> > *** Sending to 216.126.128.10 port 1814 ....
> > Code:       Access-Accept
> > Identifier: 180
> >
> >
> > And other times the output is very abbreviated:
> >
> > Mon May  3 22:10:52 2004: DEBUG: Check if Handler Realm=wingnet.net
> > should be used to handle this request
> > Mon May  3 22:10:52 2004: DEBUG: Handling request with Handler
> > 'Realm=wingnet.net'
> > Mon May  3 22:10:52 2004: DEBUG: Rewrote user name to dguthrie03
> > Mon May  3 22:10:52 2004: DEBUG:  Adding session for dguthrie03,
> > 206.30.62.10, 529
> > Mon May  3 22:10:52 2004: DEBUG: Handling with Radius::AuthFILE:
> > Mon May  3 22:10:52 2004: DEBUG: Handling with Radius::AuthFILE:
> > Mon May  3 22:10:52 2004: DEBUG: Accounting accepted
> > Mon May  3 22:10:52 2004: DEBUG: Packet dump:
> > *** Sending to 206.30.62.10 port 1813 ....
> > Code:       Accounting-Response
> > Identifier: 96
> >
> > One user in particular is explicitly set with a Simultaneous-Use = 1,
> > but he's still logging in with both ISDN channels. Is this Radiator's
> > fault?
> > Should I upgrade? I want my Simultaneous-Use check items to be
> > enforced.
> >
> > Thanks!
> >
> > --
> > Jesse Guardiani, Systems Administrator
> > WingNET Internet Services,
> > P.O. Box 2605 // Cleveland, TN 37320-2605
> > 423-559-LINK (v)  423-559-5145 (f)
> > http://www.wingnet.net
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?

-- 
Jesse Guardiani, Systems Administrator
WingNET Internet Services,
P.O. Box 2605 // Cleveland, TN 37320-2605
423-559-LINK (v)  423-559-5145 (f)
http://www.wingnet.net

-------------- next part --------------
# radius.cfg
#
AuthPort 1812
AcctPort 1813

#AuthPort 1645
#AcctPort 1646

# UCD-snmpget
SnmpgetProg /usr/local/bin/snmpget

LogDir /var/log/radius

Trace 4
#Trace 0
Foreground

# Set this to the database directory. It should contain these files:
# users           The user database
# dictionary      The dictionary for your NAS
DbDir /usr/local/Radiator/raddb

LogFile %L/debug/radiusinfo

DictionaryFile %D/dictionary

PidFile /var/run/radiusd.pid

# Custom C pmwho program for 3COM/USR TotalControl Hiper Arc
PmwhoProg /usr/local/bin/hawho

<SessionDatabase DBM>
Filename %D/online
</SessionDatabase>

# Mega
<Client 206.30.62.10>
	DefaultRealm wingnet.net
	NasType TotalControl
#	NasType Hiper
</Client>



#<Client localhost>
<Client 127.0.0.1>
#	DefaultRealm wingnet.net
	DupInterval 0
</Client>

<Client radius1.starnetinc.com>
	DefaultRealm wingnet.net
	IdenticalClients 204.178.185.221 204.178.185.220 216.126.128.8
#	DupInterval 60
</Client>

<Client radius2.starnetinc.com>
	DefaultRealm wingnet.net
	IdenticalClients 216.126.128.9 216.126.128.8 216.126.128.10 216.126.218.164 216.126.218.165 216.126.218.11 216.126.136.243 66.19.192.194
</Client>

<Client radius9.starnetinc.com>
	DefaultRealm wingnet.net
	IdenticalClients 204.178.185.219 216.126.128.164
</Client>

######################################################
#
# This clause is the default realm for users dialing
# in from Mega. Other users will probably hit the
# unnamed Handler.
#
######################################################

<Handler Realm=wingnet.net>
   # Grab just the user portion
   RewriteUsername s/^([^@]+).*/$1/
     PasswordLogFileName %L/pw.%Y.%m
     ExcludeFromPasswordLog root craig cthompson jesse trevarthan sdguardiani
     AcctLogFileName	%L/detail.wingnet
     AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>

		Filename %D/users.filter
        </AuthBy>
	<AuthBy FILE>
		# don't fall through to DEFAULT if a users check item failed
		NoDefaultIfFound

#		AddToReply Framed-IP-Address-Pool-Name="ippool"
		Filename %D/users
	</AuthBy>
</Handler>

<Handler Realm=dual.wingnet.net>
   RewriteUsername s/^([^@]+).*/$1/
     PasswordLogFileName %L/pw.%Y.%m
     ExcludeFromPasswordLog root craig cthompson jesse trevarthan sdguardiani
     AcctLogFileName	%L/detail.wingnet
     AuthByPolicy ContinueWhileAccept
        <AuthBy FILE>

		Filename %D/users.filter
        </AuthBy>
	<AuthBy FILE>
		# don't fall through to DEFAULT if a users check item failed
		NoDefaultIfFound

#		AddToReply Framed-IP-Address-Pool-Name="ippool"
		Filename %D/users
	</AuthBy>
</Handler>

<Handler Realm=filter.wingnet.net>
   RewriteUsername s/^([^@]+).*/$1/
     PasswordLogFileName %L/pw.%Y.%m
     ExcludeFromPasswordLog root craig cthompson jesse trevarthan sdguardiani
     AcctLogFileName	%L/detail.wingnet
	<AuthBy FILE>
		# don't fall through to DEFAULT if a users check item failed
		NoDefaultIfFound

#		AddToReply Framed-IP-Address-Pool-Name="ippool"
# LCT 10/14/03
#		AddToReply Filter-Id="webfilter"
		Filename %D/users
	</AuthBy>
</Handler>

<Handler Realm=dual.filter.wingnet.net>
   RewriteUsername s/^([^@]+).*/$1/
     PasswordLogFileName %L/pw.%Y.%m
     ExcludeFromPasswordLog root craig cthompson jesse trevarthan sdguardiani
     AcctLogFileName	%L/detail.wingnet
	<AuthBy FILE>
		# don't fall through to DEFAULT if a users check item failed
		NoDefaultIfFound

#		AddToReply Framed-IP-Address-Pool-Name="ippool"
# LCT 10/14/03
#		AddToReply Filter-Id="webfilter"
		Filename %D/users
	</AuthBy>
</Handler>

######################################################
#
# This clause defines a single realm to handle
# If someone logs in without @wingnet.net, they are
# authed here...
#
######################################################

# JDG 2004/05/06 as far as I can tell the below empty
# handler is NOT used. The Client clause for Mega near
# the top of this file specifies a DefaultRealm of wingnet.net
<Handler>
    PasswordLogFileName %L/password.log
    ExcludeFromPasswordLog root craig cthompson jesse trevarthan sdguardiani
     AcctLogFileName	%L/detail.wingnet
	<AuthBy FILE>
		# don't fall through to DEFAULT if a users check item failed
		NoDefaultIfFound

		Filename %D/users
	</AuthBy>
</Handler>



######################################################
#
# Dummy realm to point to the Unix passwd file for
# UNIX authentication.  We name this 'System' and 
# reference 'System' as an Auth-Type in raddb/users.
#
######################################################

<Realm dummyrealmforholdingauthbyunix>
     AcctLogFileName	%L/detail.wingnet
	<AuthBy UNIX>
		Identifier System

		Filename /etc/master.passwd
	</AuthBy>
</Realm>
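
Added example, not part of the original message or of Radiator: a small Python replay of the "Adding session" / "Deleting session" / "Access accepted" trace 4 lines quoted above. It reports how many sessions the log itself had recorded for a user at the moment of each accept, which is the count a session-database-based Simultaneous-Use check has to work with. The sample log lines, user name and NAS address are constructed, and the per-user delete semantics are an assumption of this sketch.

```python
import re
from collections import defaultdict

# The trace 4 DEBUG line shapes quoted in the message above.
SESSION_RE = re.compile(r"DEBUG:\s+(Adding|Deleting) session for (\S+), (\S+), (\d+)")
ACCEPT_RE = re.compile(r"DEBUG:\s+Access accepted for (\S+)")

def bare_user(name):
    """Drop an @realm suffix so session and accept lines use the same key."""
    return name.split("@", 1)[0]

def replay(lines):
    """Return [(user, sessions_open_before_accept)] in log order."""
    sessions = defaultdict(set)          # user -> {(nas, port)}
    accepts = []
    for line in lines:
        m = SESSION_RE.search(line)
        if m:
            action, user, nas, port = m.groups()
            entry = (nas, int(port))
            if action == "Adding":
                sessions[bare_user(user)].add(entry)
            else:                        # assumption: delete is per user + NAS port
                sessions[bare_user(user)].discard(entry)
            continue
        m = ACCEPT_RE.search(line)
        if m:
            user = bare_user(m.group(1))
            accepts.append((user, len(sessions[user])))
    return accepts

def over_limit(lines, limit=1):
    """Accepts issued while the log already showed >= limit open sessions."""
    return [(u, n) for u, n in replay(lines) if n >= limit]

# Constructed sample 1: auth-only log, no accounting Start ever recorded.
AUTH_ONLY = [
    "Fri May  7 16:59:47 2004: DEBUG:  Deleting session for exampleuser, 192.0.2.10, 257",
    "Fri May  7 16:59:47 2004: DEBUG: Access accepted for exampleuser",
    "Fri May  7 17:02:06 2004: DEBUG:  Deleting session for exampleuser, 192.0.2.10, 521",
    "Fri May  7 17:02:06 2004: DEBUG: Access accepted for exampleuser",
]
# Constructed sample 2: same logins, with a Start recorded after the first accept.
WITH_ACCOUNTING = AUTH_ONLY[:2] + [
    "Fri May  7 16:59:49 2004: DEBUG:  Adding session for exampleuser, 192.0.2.10, 257",
] + AUTH_ONLY[2:]

if __name__ == "__main__":
    print(replay(AUTH_ONLY))
    print(over_limit(WITH_ACCOUNTING))
```

In the first sample every accept sees zero recorded sessions, so a limit of 1 is never reached; in the second, the accept on port 521 is flagged because port 257 was already recorded as open.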

