(RADIATOR) RADIUS Attrib 28 (Idle-Timeout) default?

Martin Wallner Martin.Wallner at eunet.co.at
Mon Jan 23 04:50:30 CST 2006 

Hi All,

I have a little problem here with Attribute 28 (Idle-Timeout) on RADIATOR 3.11:

It looks like it is _always_ sent in the replypacket, even if it is NOT configured (according to the RFC an Access-Accept or a Access-Challenge can have this attribute in, not as a requirement ....)

Scenario:

Cisco 5300 with 120 ASYNC and 4 E1-Controller, standard setup, Dial-In should be possible with ISDN and POTS, IOS c5300-is-mz.121-19.bin (12.1(19))

Error:

Thing is, dialin is possible with POTS, but NOT with ISDN... Radiator authenticates fine, and sending the replypacket (CISCO-Log)

Jan 23 10:46:38.134 CET: Se0:24 PAP: Authenticating peer in9878
Jan 23 10:46:38.134 CET: AAA: parse name=Serial0:24 idb type=13 tty=-1
Jan 23 10:46:38.134 CET: AAA: name=Serial0:24 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=24
Jan 23 10:46:38.134 CET: AAA: parse name=<no string> idb type=-1 tty=-1
Jan 23 10:46:38.134 CET: AAA/MEMORY: create_user (0x62611D4C) user='in9878' ruser='' port='Serial0:24' rem_addr='189933' authen_type=PAP service=PPP priv=1
Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): port='Serial0:24' list='' action=LOGIN service=PPP
Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): using "default" list
Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): Method=radius (radius)
Jan 23 10:46:38.134 CET: RADIUS: ustruct sharecount=1
Jan 23 10:46:38.134 CET: RADIUS: Initial Transmit Serial0:24 id 208 193.154.160.80:1645, Access-Request, len 84
Jan 23 10:46:38.134 CET:         Attribute 4 6 C3AA5D03
Jan 23 10:46:38.134 CET:         Attribute 5 6 00004E38
Jan 23 10:46:38.134 CET:         Attribute 61 6 00000002
Jan 23 10:46:38.134 CET:         Attribute 1 8 696E3938
Jan 23 10:46:38.134 CET:         Attribute 31 8 31383939
Jan 23 10:46:38.134 CET:         Attribute 2 18 87617D7F
Jan 23 10:46:38.138 CET:         Attribute 6 6 00000002
Jan 23 10:46:38.138 CET:         Attribute 7 6 00000001
Jan 23 10:46:38.162 CET: RADIUS: Received from id 208 193.154.160.80:1645, Access-Accept, len 62
Jan 23 10:46:38.162 CET:         Attribute 6 6 00000002
Jan 23 10:46:38.162 CET:         Attribute 7 6 00000001
Jan 23 10:46:38.162 CET:         Attribute 13 6 00000001
Jan 23 10:46:38.162 CET:         Attribute 10 6 00000000
Jan 23 10:46:38.162 CET:         Attribute 9 6 FFFFFFFF
Jan 23 10:46:38.162 CET:         Attribute 28 6 00000000
Jan 23 10:46:38.162 CET:         Attribute 12 6 000003EE
Jan 23 10:46:38.162 CET: RADIUS: saved authorization data for user 62611D4C at 62694A88
Jan 23 10:46:38.162 CET: AAA/AUTHEN (148326749): status = PASS


Now, it ends with a clear 'PASS', so Radiator authenticated the Request from the NAS.... The strange thing is, that in the Replypacket there is still Attribute 28, set to 0 .... AND I DIDN'T CONFIGURE IT IN, neither as 'Reply-Attribute' in the databaseentry for the user, nor in the clause


   AddToReplyIfNotExist Service-Type = Framed-User, \
                        Framed-IP-Netmask = 255.255.255.255,\
                        Framed-IP-Address = 255.255.255.254,\
                        Framed-Protocol=PPP,\
                        Framed-Routing=Listen,\
                        Framed-Compression=Van-Jacobson-TCP-IP,\
                        Framed-MTU=1006,\
                        Port-Limit=2

in the Radiator-config.... Is Attribute 28 (Idle-Timeout) a default attribute according to RFC? (because, I didn't find it in there....)

Well, the Router stomps on, starting to process the AV-pairs:

Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP: Authorize LCP
Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): Port='Serial0:24' list='' service=NET
Jan 23 10:46:38.162 CET: AAA/AUTHOR/LCP: Se0:24 (4293684466) user='in9878'
Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send AV service=ppp
Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send AV protocol=lcp
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): found list "default"
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): Method=radius (radius)
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR (4293684466): Post authorization status = PASS_REPL
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV service=ppp
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV routing*false
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV idletime=0
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: idletime failed
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Denied
d1-ixi1.vie#
Jan 23 10:46:38.166 CET: Se0:24 PAP: O AUTH-NAK id 24 len 25 msg is "Authorization failed"
Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR: Duplicate per-user event LCP_DOWN ignored
Jan 23 10:46:38.166 CET: Se0:24 PPP: Phase is TERMINATING

And fails miserably, processing the idletime=0 ..... Now, CISCO-TAC wants from me that I do some tests, one of them is, to remove the idletime-response in the Access-Accept.... 

Any Ideas? Since this seems to be a flow problem, I only added the part of the RADIATOR config that is connected with the error on the NAS...

Anyone out there encountered the same probs with ISDN and Cisco 5300?

regards,
Martin Wallner
 


















mfg
Martin Wallner (=mw=)

-----
Eunet Telekom GmbH			e-mail 'martin.wallner at eunet.co.at
vorm. Nextra Österreich			e-mail 'martin.wallner at nextranet.at'
vorm. ViP EDV-Dienstleistungs GesmbH	e-mail 'hostmaster at vip.at'
vorm. Gramtel Austria GmbH.		e-mail 'hostmaster at gramtel.at'
Systems					RIPE:     WM355-RIPE
Nussdorfer Lände 23			NicAT:    WM503823-NICAT
1190 Wien, Vienna, Austria		Tel. +43 (0) 59 1 59 - 1354     

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.

More information about the radiator mailing list