(RADIATOR) buggy version of Radiator?

Hugh Irvine hugh at open.com.au
Fri May 7 18:10:35 CDT 2004


Hello Jesse -

Simultaneous use checking will never work if you have two different 
session databases.

This is because the accounting records are used to maintain the session
database, with a start causing a record to be inserted and a stop
causing the record to be deleted. The access requests are then checked
against the session database to determine whether or not the limit has
been reached. (Note that the access request also causes a delete for
the NAS/NAS-Port combination as a means of doing housekeeping on the
session database.)

regards

Hugh


On 8 May 2004, at 08:13, Jesse Guardiani wrote:

> On Friday 07 May 2004 05:07, Hugh Irvine wrote:
>> Hello Jesse -
>>
>> Without seeing a more complete trace 4, a copy of your configuration
>> file (no secrets) and a copy of the user record, it is impossible to
>> say what may be happening. What you show below are two different types
>> of request - an access request and an accounting request.
>
> OK. This is a lot of information, so I hope you don't mind. I spent the
> entire day today trying to help myself figure this out (reading
> documentation, testing various configs, googling, etc), but I'm just at
> a loss. Maybe you can help. I'll try to be concise.
>
> For reference, I'm running Radiator 2.18.1 on a BSDi 4.1 machine (the
> thorn in my flesh. This is a legacy machine that I *will* be getting
> rid of sometime soon, but for now I'm stuck with it) as my PRIMARY
> authentication server. My PRIMARY accounting server is running Radiator
> 2.18.4 on FreeBSD 4.6.2-RELEASE. I don't *think* this should cause any
> problems with the two session databases, but I could be very wrong. I
> know very little about Radiator and I'm not the person that set these
> two versions up. If this is a problem, please let me know and why.
>
> Please see attached for my radius.cfg - minus the Secrets. The realm
> we're dealing with here is 'wingnet.net', which you'll see from the
> trace 4s below.
>
> Let's just focus on one user: swbates.
>
> This user is NOT listed in our 'users.filter' file, so it falls through
> to the DEFAULT, which is blank. So the 'users.filter' AuthBy FILE
> returns ACCEPT, which is again visible in the trace 4 below, and is
> exactly what we want.
>
> Now, this user has a Simultaneous-Use check item in our 'users' file here:
>
> swbates         Simultaneous-Use = 1, Auth-Type = System
>                 Idle-Timeout = 1200, Session-Timeout = 10800
>
> I've tried putting the Simultaneous-Use in front of and behind the
> Auth-Type (I read somewhere that in front of is better, and we were
> placing it behind) but the result is always the same: It doesn't work.
>
> So this user should NOT be allowed multiple simultaneous logins.
> However, my pmwho command to my TotalControl terminal server reveals
> that he is indeed logging in twice:
>
> # hawho mega | grep swbates
> Sba  swbates         206.30.62.93     Netwrk  In  ESTABLISHED       49      0
> Sci  swbates                          Netwrk  In  ESTABLISHED       47      0
>
> And here are the two trace 4 debug authentication logs (minus the
> user's password):
>
> -------- START trace 4 number 1 --------
>
> Fri May  7 16:59:47 2004: DEBUG: Packet dump:
> *** Received from 206.30.62.10 port 1812 ....
> Code:       Access-Request
> Identifier: 108
> Authentic:  <198><223>@B<143><209><130><185><200>9L<196><187><17><241>S
> Attributes:
>         User-Name = "swbates"
>         NAS-IP-Address = 206.30.62.10
>         NAS-Port = 257
>         Acct-Session-Id = "16779629"
>         Interface-Index = 1513
>         Tunnel-Supports-Tags = 0
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         MP-EDO-HIPER = <0>`h<130><22><15>
>         Chassis-Call-Slot = 2
>         Chassis-Call-Span = 1
>         Chassis-Call-Channel = 1
>         Connect-Speed = NONE
>         Calling-Station-Id = "4233380909"
>         Called-Station-Id = "3035465"
>         NAS-Port-Type = ISDN-Sync
>
> Fri May  7 16:59:47 2004: DEBUG: Check if Handler Realm=wingnet.net 
> should be used to handle this request
> Fri May  7 16:59:47 2004: DEBUG: Handling request with Handler 
> 'Realm=wingnet.net'
> Fri May  7 16:59:47 2004: DEBUG: Rewrote user name to swbates
> Fri May  7 16:59:47 2004: DEBUG:  Deleting session for swbates, 
> 206.30.62.10, 257
> Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthFILE
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with 
> swbates
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthFILE
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE looks for match with 
> swbates
> Fri May  7 16:59:47 2004: DEBUG: Handling with Radius::AuthUNIX
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthUNIX looks for match with 
> swbates
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthUNIX ACCEPT:
> Fri May  7 16:59:47 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri May  7 16:59:47 2004: DEBUG: Access accepted for swbates
> Fri May  7 16:59:47 2004: DEBUG: Packet dump:
> *** Sending to 206.30.62.10 port 1812 ....
> Code:       Access-Accept
> Identifier: 108
> Authentic:  <198><223>@B<143><209><130><185><200>9L<196><187><17><241>S
> Attributes:
>         Idle-Timeout = 1200
>         Session-Timeout = 10800
>
> -------- END trace 4 number 1 --------
>
> -------- START trace 4 number 2 --------
>
> Fri May  7 17:02:06 2004: DEBUG: Packet dump:
> *** Received from 206.30.62.10 port 1812 ....
> Code:       Access-Request
> Identifier: 111
> Authentic:  <185><21><203>d.X<31>s<197><171>^6<192><242>@<29>
> Attributes:
>         User-Name = "swbates"
>         NAS-IP-Address = 206.30.62.10
>         NAS-Port = 521
>         Acct-Session-Id = "34079817"
>         Interface-Index = 1777
>         Tunnel-Supports-Tags = 0
>         Service-Type = Framed-User
>         Framed-Protocol = PPP
>         MP-EDO-HIPER = <0>`h<130><22><15>
>         Chassis-Call-Slot = 3
>         Chassis-Call-Span = 1
>         Chassis-Call-Channel = 9
>         Connect-Speed = NONE
>         Calling-Station-Id = "4233380908"
>         Called-Station-Id = "3035465"
>         NAS-Port-Type = ISDN-Sync
>
> Fri May  7 17:02:06 2004: DEBUG: Check if Handler Realm=wingnet.net 
> should be used to handle this request
> Fri May  7 17:02:06 2004: DEBUG: Handling request with Handler 
> 'Realm=wingnet.net'
> Fri May  7 17:02:06 2004: DEBUG: Rewrote user name to swbates
> Fri May  7 17:02:06 2004: DEBUG:  Deleting session for swbates, 
> 206.30.62.10, 521
> Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthFILE
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with 
> swbates
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthFILE
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE looks for match with 
> swbates
> Fri May  7 17:02:06 2004: DEBUG: Handling with Radius::AuthUNIX
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthUNIX looks for match with 
> swbates
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthUNIX ACCEPT:
> Fri May  7 17:02:06 2004: DEBUG: Radius::AuthFILE ACCEPT:
> Fri May  7 17:02:06 2004: DEBUG: Access accepted for swbates
> Fri May  7 17:02:06 2004: DEBUG: Packet dump:
> *** Sending to 206.30.62.10 port 1812 ....
> Code:       Access-Accept
> Identifier: 111
> Authentic:  <185><21><203>d.X<31>s<197><171>^6<192><242>@<29>
> Attributes:
>         Idle-Timeout = 1200
>         Session-Timeout = 10800
>
> -------- END trace 4 number 2 --------
>
>
> Radiator says above that it deleted the session, which I'm thinking is
> probably not good. However, I don't know why it did that. Also, I have
> never seen anything stating that Radiator is actually using the pmwho
> program I set up. Before, when I was trying to get the snmpget program
> working with TotalControlSNMP it at least showed the snmpget command
> being executed (but the command failed for some reason, so I'm back to
> using pmwho).
>
> Hopefully you can tell me what the problem is. Basically, at this point
> I'm wondering two things:
>
> 1.) Why isn't Radiator tracking sessions and honoring Simultaneous-Use 
> properly?
>
> 2.) Why isn't Radiator using my pmwho command (hawho)?
>
> Thanks for all the help!
>
>
>> regards
>>
>> Hugh
>>
>> On 7 May 2004, at 07:15, Jesse Guardiani wrote:
>>> Howdy list,
>>>
>>> Am I running a buggy version of Radiator? I'm using 2.18.4.
>>>
>>> Radiator just isn't handling Simultaneous-Use properly. Sometimes
>>> I get DEBUG output that looks like this:
>>>
>>> Mon May  3 22:10:42 2004: DEBUG: Check if Handler Realm=wingnet.net
>>> should be used to handle this request
>>> Mon May  3 22:10:42 2004: DEBUG: Handling request with Handler
>>> 'Realm=wingnet.net'
>>> Mon May  3 22:10:42 2004: DEBUG: Rewrote user name to cyrilthompson
>>> Mon May  3 22:10:42 2004: DEBUG:  Deleting session for
>>> cyrilthompson at wingnet.net, 66.19.138.227, 1032
>>> Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with
>>> cyrilthompson
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with
>>> DEFAULT
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE ACCEPT:
>>> Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with
>>> cyrilthompson
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE looks for match 
>>> with
>>> DEFAULT
>>> Mon May  3 22:10:42 2004: DEBUG: Handling with Radius::AuthUNIX: 
>>> System
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthUNIX looks for match 
>>> with
>>> cyrilthompson
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthUNIX ACCEPT:
>>> Mon May  3 22:10:42 2004: DEBUG: Radius::AuthFILE ACCEPT:
>>> Mon May  3 22:10:42 2004: DEBUG: Access accepted for cyrilthompson
>>> Mon May  3 22:10:42 2004: DEBUG: Packet dump:
>>> *** Sending to 216.126.128.10 port 1814 ....
>>> Code:       Access-Accept
>>> Identifier: 180
>>>
>>>
>>> And other times the output is very abbreviated:
>>>
>>> Mon May  3 22:10:52 2004: DEBUG: Check if Handler Realm=wingnet.net
>>> should be used to handle this request
>>> Mon May  3 22:10:52 2004: DEBUG: Handling request with Handler
>>> 'Realm=wingnet.net'
>>> Mon May  3 22:10:52 2004: DEBUG: Rewrote user name to dguthrie03
>>> Mon May  3 22:10:52 2004: DEBUG:  Adding session for dguthrie03,
>>> 206.30.62.10, 529
>>> Mon May  3 22:10:52 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon May  3 22:10:52 2004: DEBUG: Handling with Radius::AuthFILE:
>>> Mon May  3 22:10:52 2004: DEBUG: Accounting accepted
>>> Mon May  3 22:10:52 2004: DEBUG: Packet dump:
>>> *** Sending to 206.30.62.10 port 1813 ....
>>> Code:       Accounting-Response
>>> Identifier: 96
>>>
>>> One user in particular is explicitly set with a Simultaneous-Use = 1,
>>> but he's still logging in with both ISDN channels. Is this Radiator's
>>> fault?
>>> Should I upgrade? I want my Simultaneous-Use check items to be
>>> enforced.
>>>
>>> Thanks!
>>>
>>> --
>>> Jesse Guardiani, Systems Administrator
>>> WingNET Internet Services,
>>> P.O. Box 2605 // Cleveland, TN 37320-2605
>>> 423-559-LINK (v)  423-559-5145 (f)
>>> http://www.wingnet.net
>>>
>>> --
>>> Archive at http://www.open.com.au/archives/radiator/
>>> Announcements on radiator-announce at open.com.au
>>> To unsubscribe, email 'majordomo at open.com.au' with
>>> 'unsubscribe radiator' in the body of the message.
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>
> -- 
> Jesse Guardiani, Systems Administrator
> WingNET Internet Services,
> P.O. Box 2605 // Cleveland, TN 37320-2605
> 423-559-LINK (v)  423-559-5145 (f)
> http://www.wingnet.net
>
> <radius.cfg.censored>

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
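
Added illustration (not part of the original message, and not Radiator code): a minimal Python model of the session-database rules described in the reply at the top of this thread, replaying the two swbates Access-Requests from the traces. The class and function names and the Accounting Start event are constructed for the example.

```python
# Added illustration: toy model of the session-database rules in the reply.
# Not Radiator code; all class and function names are constructed.

class SessionDB:
    """One row per live session, keyed by (NAS address, NAS-Port)."""
    def __init__(self):
        self.rows = {}
    def add(self, user, nas, port):
        self.rows[(nas, port)] = user
    def delete(self, nas, port):
        self.rows.pop((nas, port), None)
    def count(self, user):
        return sum(1 for u in self.rows.values() if u == user)

class Server:
    def __init__(self, db, limits):
        self.db, self.limits = db, limits      # limits: user -> Simultaneous-Use
    def accounting(self, status, user, nas, port):
        if status == "Start":                  # a start inserts a record
            self.db.add(user, nas, port)
        elif status == "Stop":                 # a stop deletes it
            self.db.delete(nas, port)
        return "Accounting-Response"
    def access_request(self, user, nas, port):
        self.db.delete(nas, port)              # housekeeping for this NAS/NAS-Port
        limit = self.limits.get(user)
        if limit is not None and self.db.count(user) >= limit:
            return "Access-Reject"
        return "Access-Accept"

NAS, LIMITS = "206.30.62.10", {"swbates": 1}   # values from the traces and users file

def replay(auth, acct):
    """Two logins on ports 257 and 521; the Start record is constructed."""
    first = auth.access_request("swbates", NAS, 257)
    acct.accounting("Start", "swbates", NAS, 257)
    second = auth.access_request("swbates", NAS, 521)
    return [first, second]

def split_deployment():                        # auth and accounting keep separate DBs
    return replay(Server(SessionDB(), LIMITS), Server(SessionDB(), LIMITS))

def shared_deployment():                       # both servers use one session DB
    db = SessionDB()
    return replay(Server(db, LIMITS), Server(db, LIMITS))

def redial_after_lost_stop():                  # stale row from a Stop that never arrived
    db = SessionDB()
    Server(db, LIMITS).accounting("Start", "swbates", NAS, 257)
    return Server(db, LIMITS).access_request("swbates", NAS, 257)
```

With separate databases the authentication server never sees the row written by the accounting server, so both requests are accepted as in the traces; with one shared database the second request is rejected.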

