(RADIATOR) Unknown reply received in RADIUS Accounting-Response
Hugh Irvine
hugh at open.com.au
Mon Jun 13 17:22:32 CDT 2005
Hello William -
Your analysis is correct - you are receiving two accounting responses
from the proxy target.
I am guessing that the remote proxy target is processing the
accounting requests twice, hence generating two responses.
This is an innocuous error message which you can deal with by using
"AccountingHandled" in your Handler clause and adding
"IgnoreAccountingResponse" to your AuthBy RADIUS clause. See the
relevant sections of the Radiator 3.13 reference manual
("doc/ref.html").
I doubt that "UseExtendedIds" will make any difference as you will
still receive two accounting responses.
regards
Hugh
On 14 Jun 2005, at 06:15, William Hernandez wrote:
> Hello everyone,
>
> We're constantly seeing log entries like the following every day.
>
> Mon May 2 00:00:23 2005: WARNING: Unknown reply received in
> AuthRADIUS for request 65 from xx.xx.xx.xx:1646
> Mon May 2 00:00:29 2005: WARNING: Unknown reply received in
> AuthRADIUS for request 66 from xx.xx.xx.xx:1646
> Mon May 2 00:00:32 2005: WARNING: Unknown reply received in
> AuthRADIUS for request 67 from xx.xx.xx.xx:1646
> Mon May 2 00:00:50 2005: WARNING: Unknown reply received in
> AuthRADIUS for request 68 from xx.xx.xx.xx:1646
>
> The log entries come from the "Accounting-Response" that are
> being sent to us from a remote Radius Server that is running
> Radiator 3.7.1 according to "radpwtst -status". We're running
> Radiator 3.12. The remote server is not under our administration
> and I have not been able to obtain debug information from them.
>
> Here is some more DEBUG info from our logs:
>
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Received from xx.xx.xx.xx port 1812 ....
> Code: Access-Request
> Identifier: 224
> Authentic:
> <161>G<149><163><143><155>~<166><218><0><133><205><148><202>l<200
>
>>
>>
> Attributes:
> User-Name = "xxxxxx"
> User-Password = "6Ge2<252><165><255>HQ<9>q^44AU"
> NAS-IP-Address = 10.1.1.12
> NAS-Identifier = "10.1.1.12"
> NAS-Port = 46
> Acct-Session-Id = "2491343"
> USR-Interface-Index = 1295
> Tunnel-Supports-Tags = 0
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Chassis-Call-Slot = 1
> Chassis-Call-Span = 2
> Chassis-Call-Channel = 39
> Connect-Speed = NONE
> Called-Station-Id = "9999999"
> NAS-Port-Type = Async
>
> Mon May 2 16:43:15 2005: DEBUG: Handling with Radius::AuthRADIUS
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Sending to xx.xx.xx.xx port 1645 ....
> Code: Access-Request
> Identifier: 2
> Authentic:
> <161>G<149><163><143><155>~<166><218><0><133><205><148><202>l<200
>
>>
>>
> Attributes:
> User-Name = "xxxxxx"
> User-Password =
> "<209><136><220><127><207><217><247><184>C<180><135>#<9><9>{<168>
> "
> NAS-IP-Address = xx.xx.xx.xx
> NAS-Identifier = "10.1.1.12"
> NAS-Port = 46
> Acct-Session-Id = "2491343"
> USR-Interface-Index = 1295
> Tunnel-Supports-Tags = 0
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Chassis-Call-Slot = 1
> Chassis-Call-Span = 2
> Chassis-Call-Channel = 39
> Connect-Speed = NONE
> Called-Station-Id = "9999999999"
> NAS-Port-Type = Async
>
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Received from xx.xx.xx.xx port 1645 ....
> Code: Access-Accept
> Identifier: 2
> Authentic: <5><250>mZ<22>n)<230>5{?<157><168><173><230>r
> Attributes:
> Ascend-Data-Filter = ip in forward tcp est
> Ascend-Data-Filter = ip in forward dstip xx.xx.xx.xx/24
> Ascend-Data-Filter = ip in drop tcp dstport = 25
> Ascend-Data-Filter = ip in forward
> Idle-Timeout = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Session-Timeout = 28800
>
> Mon May 2 16:43:15 2005: DEBUG: Received reply in AuthRADIUS for
> req 2 from xx.xx.xx.xx:1645
> Mon May 2 16:43:15 2005: DEBUG: Access accepted for xxxxxx
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Sending to xx.xx.xx.xx port 1812 ....
> Code: Access-Accept
> Identifier: 224
> Authentic:
> <161>G<149><163><143><155>~<166><218><0><133><205><148><202>l<200
>
>>
>>
> Attributes:
> Ascend-Data-Filter = ip in forward tcp est
> Ascend-Data-Filter = ip in forward dstip xx.xx.xx.xx/24
> Ascend-Data-Filter = ip in drop tcp dstport = 25
> Ascend-Data-Filter = ip in forward
> Idle-Timeout = 900
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Session-Timeout = 28800
> Framed-IP-Netmask = 255.255.255.255
> Framed-Compression = Van-Jacobson-TCP-IP
> USR-V92-Feature-Control = 1
>
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Received from 208.249.78.130 port 55915 ....
> Code: Accounting-Request
> Identifier: 64
> Authentic:
> <168><210><226><209><21><22><213><214><207><211><155><185><128><2
> 33><131>-
> Attributes:
> User-Name = "xxxxxx"
> NAS-IP-Address = 10.1.1.12
> NAS-Identifier = "10.1.1.12"
> Acct-Status-Type = Start
> Acct-Session-Id = "2491343"
> Acct-Delay-Time = 0
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> NAS-Port-Type = Async
> NAS-Port = 46
> USR-Modem-Training-Time = 19
> USR-Interface-Index = 1295
> Chassis-Call-Slot = 1
> Chassis-Call-Span = 2
> Chassis-Call-Channel = 39
> Unauthenticated-Time = 1
> Calling-Station-Id = ""
> Called-Station-Id = "9999999"
> VPN-ID = 0
> Modulation-Type = v90Digital
> Simplified-MNP-Levels = ccittV42SREJ
> Simplified-V42bis-Usage = 4
> Connect-Speed = 45333_BPS
> Framed-Protocol = PPP
> Framed-IP-Address = xx.xx.xx.xx
> VTS-Session-Key =
> "<193>-<218><204><233>3<247>g+qR<131>,<175><11>4"
> Call-Arrived-time = 294612175
>
> Mon May 2 16:43:15 2005: DEBUG: Handling with Radius::AuthRADIUS
> Mon May 2 16:43:15 2005: DEBUG: Packet dump:
> *** Sending to xx.xx.xx.xx port 1646 ....
> Code: Accounting-Request
> Identifier: 5
> Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Attributes:
> User-Name = "xxxxxx"
> NAS-IP-Address = xx.xx.xx.xx
> NAS-Identifier = "10.1.1.12"
> Acct-Status-Type = Start
> Acct-Session-Id = "2491343"
> Acct-Delay-Time = 0
> Acct-Authentic = RADIUS
> Service-Type = Framed-User
> NAS-Port-Type = Async
> NAS-Port = 46
> USR-Modem-Training-Time = 19
> USR-Interface-Index = 1295
> Chassis-Call-Slot = 1
> Chassis-Call-Span = 2
> Chassis-Call-Channel = 39
> Unauthenticated-Time = 1
> Calling-Station-Id = ""
> Called-Station-Id = "9999999999"
> VPN-ID = 0
> Modulation-Type = v90Digital
> Simplified-MNP-Levels = ccittV42SREJ
> Simplified-V42bis-Usage = 4
> Connect-Speed = 45333
> Framed-Protocol = PPP
> Framed-IP-Address = xx.xx.xx.xx
> VTS-Session-Key =
> "<193>-<218><204><233>3<247>g+qR<131>,<175><11>4"
> Call-Arrived-time = 294612175
>
> Mon May 2 16:43:16 2005: DEBUG: Packet dump:
> *** Received from xx.xx.xx.xx port 1646 ....
> Code: Accounting-Response
> Identifier: 5
> Authentic: /Q<216>Fe<1><132><253><7><240>><213>)<205><129><210>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Mon May 2 16:43:16 2005: DEBUG: Received reply in AuthRADIUS for
> req 5 from xx.xx.xx.xx:1646
> Mon May 2 16:43:16 2005: DEBUG: Accounting accepted
> Mon May 2 16:43:16 2005: DEBUG: Packet dump:
> *** Sending to 208.249.78.130 port 55915 ....
> Code: Accounting-Response
> Identifier: 64
> Authentic:
> <168><210><226><209><21><22><213><214><207><211><155><185><128><2
> 33><131>-
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> USR-V92-Feature-Control = 1
>
> Mon May 2 16:43:16 2005: DEBUG: Packet dump:
> *** Received from xx.xx.xx.xx port 1646 ....
> Code: Accounting-Response
> Identifier: 5
> Authentic: <212><135>WU<15>6.P<0>|<213><133>y-<250><13>
> Attributes:
> Service-Type = Framed-User
> Framed-Protocol = PPP
> Service-Type = Framed-User
> Framed-Protocol = PPP
>
> Mon May 2 16:43:16 2005: WARNING: Unknown reply received in
> AuthRADIUS for request 5 from xx.xx.xx.xx:1646
>
> The debug seems to show the following actions:
>
> 1. Our RADIUS server receives an Access-Request from one of our
> NASes.
> 2. Our RADIUS server forwards the Access-Request to xx.xx.xx.xx.
> 3. Our RADIUS server receives an Access-Accept from xx.xx.xx.xx.
> 4. Our RADIUS server sends the Access-Accept to our NAS.
> 5. Our RADIUS server receives an Accounting-Request from one of
> our NASes.
> 6. Our RADIUS server forwards the Accounting-Request to
> xx.xx.xx.xx.
> 7. Our RADIUS server receives an Accounting-Response from
> xx.xx.xx.xx.
> 8. Our RADIUS server sends the Accounting-Response to our NAS.
> 9. Our RADIUS server receives a second Accounting-Response from
> xx.xx.xx.xx.
>
> It appears to be step 9 that is generating the "Unknown reply",
> although I don't see a Proxy-State attribute in any response.
>
> The radius.cfg has the following:
>
> <AuthLog FILE>
> Identifier abc-logfile
> Filename %L/abc/radius.log
> LogSuccess 1
> SuccessFormat %l: Login OK: [%u] (%c)
> LogFailure 1
> FailureFormat %l: INFO: Access rejected for %n: %1
> </AuthLog>
>
> <AuthBy PORTLIMITCHECK>
> Identifier abc-portlimitcheck
> SessionLimit 200
> CountQuery select COUNT(*) from RADONLINE_ABC
> </AuthBy>
>
> <AuthBy SQL>
> Identifier accessnumber
> DBSource dbi:Sybase:database=xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> DBSource dbi:mysql:xxx:xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> </AuthBy>
>
> <AuthBy RADIUS>
> Identifier abc-radius
> Host xx.xx.xx.xx
> Host yy.yy.yy.yy
> Secret xxxxxx
> AuthPort 1645
> AcctPort 1646
> StripFromRequest Active
> AddToReplyIfNotExist Service-Type = Framed-User, \
> Framed-Protocol = PPP, \
> Framed-IP-Netmask = 255.255.255.255, \
> Framed-Compression = Van-Jacobson-TCP-IP
> </AuthBy>
>
> <AuthBy FILE>
> Identifier abc-users
> Filename /etc/raddb/users.abc
> NoDefaultIfFound
> </AuthBy>
>
> <AuthLog SQL>
> Identifier abc-replyhook
> DBSource dbi:Sybase:database=xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> DBSource dbi:mysql:xxx:xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> Table AUTHLOG_ABC
> LogSuccess 1
> SuccessQuery insert into AUTHLOG_ABC \
> (USERNAME, NASIDENTIFIER,
> NASPORT, \
> ACCTSESSIONID, TIME_STAMP,
> FRAMEDIPADDRESS, \
> NASPORTTYPE, SERVICETYPE) \
> values \
> ('%2', '%{NAS-Identifier}',
> '%{NAS-Port}', \
> '%{Acct-Session-Id}',
> %t,'%{Framed-IP-Address}',
> \
> '%{NAS-Port-Type}',
> '%{Service-Type}')
> </AuthLog>
>
> <SessionDatabase SQL>
> Identifier sessiondb-abc-radius
> DBSource dbi:Sybase:database=xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
> DBSource dbi:mysql:xxx:xxx
> DBUsername xxxxxx
> DBAuth xxxxxx
>
> AddQuery insert into RADONLINE_ABC \
> (USERNAME, NASIDENTIFIER,
> NASPORT, \
> ACCTSESSIONID, TIME_STAMP,
> FRAMEDIPADDRESS, \
> NASPORTTYPE, SERVICETYPE) \
> values \
> ('%n', '%N', 0%{NAS-Port}, \
> '%{Acct-Session-Id}', %{Timestamp},
> '%{Framed-IP-Address}', \
> '%{NAS-Port-Type}', '%{Service-Type}')
>
> CountQuery select NASIDENTIFIER, NASPORT, ACCTSESSIONID \
> from RADONLINE_ABC \
> where USERNAME='%n'
>
> DeleteQuery delete from RADONLINE_ABC \
> where NASIDENTIFIER='%N' and
> NASPORT=0%{NAS-Port}
> </SessionDatabase>
>
> <Handler Called-Station-Id=/9999$/>
> SessionDatabase sessiondb-abc-radius
> AuthByPolicy ContinueWhileAccept
> AuthBy abc-portlimitcheck
> AuthBy abc-radius
>
> AcctLogFileName %L/abc/detail
> AuthLog abc-logfile
> PasswordLogFileName %L/abc/radius.log
> </Handler>
>
> Is this WARNING a portent of more serious problems? If it can be
> ignored, will using "UseExtendedIds" eliminate the warnings
> although the docs seem to say that that should only be used with
> broken Radius Servers and the remote server in this case appears
> to be running Radiator 3.7.1?
>
>
> Please advise,
>
> William
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
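An added example, not part of the original thread or of Radiator: a log check that separates "Unknown reply" warnings explained by a duplicate response (the case diagnosed above) from warnings with no recent matched reply for the same request, which is worth confirming before the warning is suppressed. The sample lines and addresses are constructed, and the 5-second window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the format shown in the thread (trace 4);
# addresses are from the documentation range, not from the original post.
SAMPLE_LOG = """\
Mon May  2 16:43:16 2005: DEBUG: Received reply in AuthRADIUS for req 5 from 192.0.2.10:1646
Mon May  2 16:43:16 2005: DEBUG: Accounting accepted
Mon May  2 16:43:16 2005: WARNING: Unknown reply received in AuthRADIUS for request 5 from 192.0.2.10:1646
Mon May  2 16:50:02 2005: WARNING: Unknown reply received in AuthRADIUS for request 9 from 192.0.2.10:1646
Mon May  2 16:51:40 2005: DEBUG: Received reply in AuthRADIUS for req 12 from 192.0.2.10:1646
Mon May  2 16:52:30 2005: WARNING: Unknown reply received in AuthRADIUS for request 12 from 192.0.2.10:1646
"""

LINE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]{8} \d{4}): (?P<level>\w+): "
    r"(?P<kind>Received reply|Unknown reply received) in AuthRADIUS "
    r"for req(?:uest)? (?P<id>\d+) from (?P<peer>\S+)$"
)

def classify_unknown_replies(log_text, window_seconds=5):
    """Split 'Unknown reply' warnings into duplicates and unexplained ones.

    A warning is a duplicate when the same peer already answered the same
    request identifier within window_seconds (an assumed threshold; RADIUS
    identifiers are 8 bits and get reused, so old matches must expire).
    """
    window = timedelta(seconds=window_seconds)
    last_matched = {}          # (peer, id) -> time of last accepted reply
    duplicates, unexplained = [], []
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        when = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        key = (m["peer"], int(m["id"]))
        if m["kind"] == "Received reply":
            last_matched[key] = when
        elif key in last_matched and when - last_matched[key] <= window:
            duplicates.append(key)
        else:
            unexplained.append(key)
    return duplicates, unexplained

if __name__ == "__main__":
    dup, odd = classify_unknown_replies(SAMPLE_LOG)
    print("duplicates:", dup)
    print("unexplained:", odd)
```
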