(RADIATOR) RADIUS Attrib 28 (Idle-Timeout) default?
Hugh Irvine
hugh at open.com.au
Mon Jan 23 06:31:07 CST 2006
Hello Martin -
I will need to see a trace 4 debug showing what is being sent from
Radiator.
regards
Hugh
On 23 Jan 2006, at 18:50, Martin Wallner wrote:
> Hi All,
>
> I have a little problem here with Attribute 28 (Idle-Timeout) on
> RADIATOR 3.11:
>
> It looks like it is _always_ sent in the reply packet, even if it is
> NOT configured (according to the RFC an Access-Accept or an Access-
> Challenge can have this attribute in, not as a requirement ....)
>
> Scenario:
>
> Cisco 5300 with 120 ASYNC and 4 E1-Controller, standard setup, Dial-
> In should be possible with ISDN and POTS, IOS c5300-is-mz.121-19.bin
> (12.1(19))
>
> Error:
>
> Thing is, dial-in is possible with POTS, but NOT with ISDN...
> Radiator authenticates fine and sends the reply packet (Cisco log):
>
> Jan 23 10:46:38.134 CET: Se0:24 PAP: Authenticating peer in9878
> Jan 23 10:46:38.134 CET: AAA: parse name=Serial0:24 idb type=13 tty=-1
> Jan 23 10:46:38.134 CET: AAA: name=Serial0:24 flags=0x51 type=1
> shelf=0 slot=0 adapter=0 port=0 channel=24
> Jan 23 10:46:38.134 CET: AAA: parse name=<no string> idb type=-1
> tty=-1
> Jan 23 10:46:38.134 CET: AAA/MEMORY: create_user (0x62611D4C)
> user='in9878' ruser='' port='Serial0:24' rem_addr='189933'
> authen_type=PAP service=PPP priv=1
> Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749):
> port='Serial0:24' list='' action=LOGIN service=PPP
> Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): using
> "default" list
> Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749):
> Method=radius (radius)
> Jan 23 10:46:38.134 CET: RADIUS: ustruct sharecount=1
> Jan 23 10:46:38.134 CET: RADIUS: Initial Transmit Serial0:24 id 208
> 193.154.160.80:1645, Access-Request, len 84
> Jan 23 10:46:38.134 CET: Attribute 4 6 C3AA5D03
> Jan 23 10:46:38.134 CET: Attribute 5 6 00004E38
> Jan 23 10:46:38.134 CET: Attribute 61 6 00000002
> Jan 23 10:46:38.134 CET: Attribute 1 8 696E3938
> Jan 23 10:46:38.134 CET: Attribute 31 8 31383939
> Jan 23 10:46:38.134 CET: Attribute 2 18 87617D7F
> Jan 23 10:46:38.138 CET: Attribute 6 6 00000002
> Jan 23 10:46:38.138 CET: Attribute 7 6 00000001
> Jan 23 10:46:38.162 CET: RADIUS: Received from id 208
> 193.154.160.80:1645, Access-Accept, len 62
> Jan 23 10:46:38.162 CET: Attribute 6 6 00000002
> Jan 23 10:46:38.162 CET: Attribute 7 6 00000001
> Jan 23 10:46:38.162 CET: Attribute 13 6 00000001
> Jan 23 10:46:38.162 CET: Attribute 10 6 00000000
> Jan 23 10:46:38.162 CET: Attribute 9 6 FFFFFFFF
> Jan 23 10:46:38.162 CET: Attribute 28 6 00000000
> Jan 23 10:46:38.162 CET: Attribute 12 6 000003EE
> Jan 23 10:46:38.162 CET: RADIUS: saved authorization data for user
> 62611D4C at 62694A88
> Jan 23 10:46:38.162 CET: AAA/AUTHEN (148326749): status = PASS
>
>
> Now, it ends with a clear 'PASS', so Radiator authenticated the
> Request from the NAS.... The strange thing is, that in the
> reply packet there is still Attribute 28, set to 0 .... AND I DIDN'T
> CONFIGURE IT IN, neither as 'Reply-Attribute' in the database entry
> for the user, nor in the clause
>
>
> AddToReplyIfNotExist Service-Type = Framed-User, \
> Framed-IP-Netmask = 255.255.255.255,\
> Framed-IP-Address = 255.255.255.254,\
> Framed-Protocol=PPP,\
> Framed-Routing=Listen,\
> Framed-Compression=Van-Jacobson-TCP-IP,\
> Framed-MTU=1006,\
> Port-Limit=2
>
> in the Radiator-config.... Is Attribute 28 (Idle-Timeout) a default
> attribute according to RFC? (because, I didn't find it in there....)
>
> Well, the Router stomps on, starting to process the AV-pairs:
>
> Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP: Authorize LCP
> Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466):
> Port='Serial0:24' list='' service=NET
> Jan 23 10:46:38.162 CET: AAA/AUTHOR/LCP: Se0:24 (4293684466)
> user='in9878'
> Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send
> AV service=ppp
> Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send
> AV protocol=lcp
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): found
> list "default"
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466):
> Method=radius (radius)
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR (4293684466): Post
> authorization status = PASS_REPL
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV
> service=ppp
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV
> routing*false
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV
> idletime=0
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: idletime failed
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Denied
> d1-ixi1.vie#
> Jan 23 10:46:38.166 CET: Se0:24 PAP: O AUTH-NAK id 24 len 25 msg is
> "Authorization failed"
> Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR: Duplicate per-user
> event LCP_DOWN ignored
> Jan 23 10:46:38.166 CET: Se0:24 PPP: Phase is TERMINATING
>
> And fails miserably, processing the idletime=0 ..... Now, CISCO-TAC
> wants from me that I do some tests, one of them is, to remove the
> idletime-response in the Access-Accept....
>
> Any ideas? Since this seems to be a flow problem, I only added the
> part of the RADIATOR config that is connected with the error on the
> NAS...
>
> Anyone out there encountered the same probs with ISDN and Cisco 5300?
>
> regards,
> Martin Wallner
>
> mfg
> Martin Wallner (=mw=)
>
> -----
> Eunet Telekom GmbH e-mail 'martin.wallner at eunet.co.at
> vorm. Nextra Österreich e-mail 'martin.wallner at nextranet.at'
> vorm. ViP EDV-Dienstleistungs GesmbH e-mail 'hostmaster at vip.at'
> vorm. Gramtel Austria GmbH. e-mail 'hostmaster at gramtel.at'
> Systems RIPE: WM355-RIPE
> Nussdorfer Lände 23 NicAT: WM503823-NICAT
> 1190 Wien, Vienna, Austria Tel. +43 (0) 59 1 59 - 1354
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/
radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
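As an added example (not code from this thread, from Radiator or from Cisco): a small Python decoder for the attribute lines that Cisco IOS `debug radius` prints, of the kind quoted above. It names each attribute by its RFC 2865 number, checks that the attribute lengths add up to the packet's declared `len`, and flags an Access-Accept that carries Idle-Timeout (28) with value 0, the attribute the NAS then rejected with "idletime failed". The sample log is constructed from the lines quoted in the post with the wrapped lines rejoined; IOS prints only the first four value bytes of each attribute, so strings longer than four bytes come out truncated. All class and function names are this example's own.

```python
"""Decode Cisco IOS 'debug radius' attribute lines and flag Idle-Timeout = 0.
Added example, not from the thread or from Radiator; names are this example's
own and SAMPLE_LOG is constructed from the post's lines with wraps rejoined."""
import re
from dataclasses import dataclass, field
from typing import List, Optional

ATTR_NAMES = {  # RFC 2865 numbers for the types seen in the trace
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 7: "Framed-Protocol", 8: "Framed-IP-Address",
    9: "Framed-IP-Netmask", 10: "Framed-Routing", 12: "Framed-MTU", 13: "Framed-Compression",
    28: "Idle-Timeout", 31: "Calling-Station-Id", 61: "NAS-Port-Type"}
INTEGER_ATTRS = {5, 6, 7, 10, 12, 13, 28, 61}  # 4-byte big-endian integers
IPADDR_ATTRS = {4, 8, 9}                        # 4-byte IPv4 addresses
# One header line per packet, then "Attribute <type> <len> <first 4 value bytes>"
PACKET_RE = re.compile(r"RADIUS: (?:Initial Transmit \S+ id|Received from id) "
                       r"(\d+) \S+, (Access-\w+), len (\d+)")
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ((?:[0-9A-Fa-f]{2}){1,4})\s*$")

SAMPLE_LOG = """\
Jan 23 10:46:38.134 CET: RADIUS: Initial Transmit Serial0:24 id 208 193.154.160.80:1645, Access-Request, len 84
Jan 23 10:46:38.134 CET: Attribute 4 6 C3AA5D03
Jan 23 10:46:38.134 CET: Attribute 5 6 00004E38
Jan 23 10:46:38.134 CET: Attribute 61 6 00000002
Jan 23 10:46:38.134 CET: Attribute 1 8 696E3938
Jan 23 10:46:38.134 CET: Attribute 31 8 31383939
Jan 23 10:46:38.134 CET: Attribute 2 18 87617D7F
Jan 23 10:46:38.138 CET: Attribute 6 6 00000002
Jan 23 10:46:38.138 CET: Attribute 7 6 00000001
Jan 23 10:46:38.162 CET: RADIUS: Received from id 208 193.154.160.80:1645, Access-Accept, len 62
Jan 23 10:46:38.162 CET: Attribute 6 6 00000002
Jan 23 10:46:38.162 CET: Attribute 7 6 00000001
Jan 23 10:46:38.162 CET: Attribute 13 6 00000001
Jan 23 10:46:38.162 CET: Attribute 10 6 00000000
Jan 23 10:46:38.162 CET: Attribute 9 6 FFFFFFFF
Jan 23 10:46:38.162 CET: Attribute 28 6 00000000
Jan 23 10:46:38.162 CET: Attribute 12 6 000003EE
"""

@dataclass
class Attr:
    type: int
    length: int   # wire length field: 2 header bytes + value bytes
    value: bytes  # first four value bytes only, as IOS prints them

    @property
    def name(self) -> str:
        return ATTR_NAMES.get(self.type, f"Attr-{self.type}")

    @property
    def integer(self) -> Optional[int]:
        # integer attributes are exactly 4 bytes, so the printed prefix is complete
        if self.type in INTEGER_ATTRS and self.length == 6:
            return int.from_bytes(self.value, "big")
        return None

@dataclass
class Packet:
    code: str
    ident: int
    length: int
    attrs: List[Attr] = field(default_factory=list)

    def get(self, attr_type: int) -> Optional[Attr]:
        return next((a for a in self.attrs if a.type == attr_type), None)

    def declared_length_ok(self) -> bool:
        # 20-byte header plus every attribute length field must equal "len"
        return 20 + sum(a.length for a in self.attrs) == self.length

def parse_debug(text: str) -> List[Packet]:
    """Attach each attribute line to the packet header that precedes it."""
    packets: List[Packet] = []
    for line in text.splitlines():
        if m := PACKET_RE.search(line):
            packets.append(Packet(m[2], int(m[1]), int(m[3])))
        elif (m := ATTR_RE.search(line)) and packets:
            packets[-1].attrs.append(Attr(int(m[1]), int(m[2]), bytes.fromhex(m[3])))
    return packets

def render(attr: Attr) -> str:
    """Name=value as an operator reads it; a truncated string gets '...'."""
    if attr.integer is not None:
        return f"{attr.name}={attr.integer}"
    if attr.type in IPADDR_ATTRS and attr.length == 6:
        return f"{attr.name}={'.'.join(str(b) for b in attr.value)}"
    if attr.type == 2:  # never echo User-Password bytes
        return f"{attr.name}=<{attr.length - 2} bytes hidden>"
    text = attr.value.decode("ascii", "replace")
    return f"{attr.name}={text}{'...' if attr.length - 2 > len(attr.value) else ''}"

def audit_accept(pkt: Packet) -> List[str]:
    """Findings for an Access-Accept; an empty list means nothing to flag."""
    findings: List[str] = []
    if pkt.code != "Access-Accept":
        return findings
    if not pkt.declared_length_ok():
        findings.append("attribute lengths do not add up to the declared packet length")
    idle = pkt.get(28)
    if idle is not None and idle.integer == 0:
        findings.append("Idle-Timeout (28) = 0 in Access-Accept; the NAS in this "
                        "thread rejects idletime=0 during LCP authorization")
    return findings
```

Run `audit_accept` over each packet from `parse_debug(SAMPLE_LOG)`; the Access-Accept is the only one that produces a finding. The same decode also makes visible that this Access-Accept carries no Framed-IP-Address (8) and no Port-Limit (62), although both are listed in the quoted AddToReplyIfNotExist clause, which is worth comparing against the trace 4 output Hugh asks for before concluding where the Idle-Timeout is being added.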