(RADIATOR) RADIUS Attrib 28 (Idle-Timeout) default?

Martin Wallner Martin.Wallner at eunet.co.at
Mon Jan 23 07:00:25 CST 2006


Hi Hugh,

Trace 4 coming up...

*** Received from 195.170.93.3 port 1645 ....
Code:       Access-Request
Identifier: 11
Authentic:  <236>W<16><203>-]2<196><14><166><238><232>@<201><181><31>
Attributes:
        NAS-IP-Address = 195.170.93.3
        NAS-Port = 20010
        NAS-Port-Type = ISDN
        User-Name = "in9878"
        Calling-Station-Id = "150286"
        User-Password = "<203><213><215><173><218><152><25>Fq-1@<174><246><179><148>"
        Service-Type = Framed
        Framed-Protocol = PPP

Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: Handling request with Handler 'NAS-IP-Address = 195.170.93.105|195.170.95.249|195.170.70.72|195.170.95.150|195.170.93.3'
Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: radonline Deleting session for in9878, 195.170.93.3, 20010
Mon Jan 23 13:47:52 2006: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='195.170.93.3' and NASPORT=020010': 
Mon Jan 23 13:47:52 2006: DEBUG: Handling with Radius::AuthGROUP
Mon Jan 23 13:47:52 2006: DEBUG: Handling with Radius::AuthSQL
Mon Jan 23 13:47:52 2006: DEBUG: Handling with Radius::AuthGROUP
Mon Jan 23 13:47:52 2006: DEBUG: Rewrote user name to in9878
Mon Jan 23 13:47:52 2006: DEBUG: Handling with Radius::AuthSQL
Mon Jan 23 13:47:52 2006: DEBUG: Handling with Radius::AuthSQL: NEXTRA-Auth
Mon Jan 23 13:47:52 2006: DEBUG: Query is: 'SELECT password, checkattr, replyattr FROM subscribers WHERE lower(username)='in9878'': 
Mon Jan 23 13:47:52 2006: DEBUG: Radius::AuthSQL looks for match with in9878
Mon Jan 23 13:47:52 2006: DEBUG: Radius::AuthSQL ACCEPT: 
Mon Jan 23 13:47:52 2006: DEBUG: Access accepted for in9878
Mon Jan 23 13:47:52 2006: DEBUG: Packet dump:
*** Sending to 195.170.93.3 port 1645 ....
Code:       Access-Accept
Identifier: 11
Authentic:  <236>W<16><203>-]2<196><14><166><238><232>@<201><181><31>
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-Compression = Van-Jacobsen-TCP-IP
        Framed-Routing = None
        Framed-Netmask = 255.255.255.255
        Idle-Timeout = 0
        Framed-MTU = 1006


and that is pretty much it... As stated before, I have no clause where Idle-Timeout is set manually; it works when I set it to a value other than 0, but if it is not in the config it is sent in the reply set to 0 instead of not being sent at all (which I think would be the correct interpretation of the RFC).

Regards
=mw=


> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au] 
> Sent: Montag, 23. Jänner 2006 13:31
> To: Martin Wallner
> Cc: radiator at open.com.au
> Subject: Re: (RADIATOR) RADIUS Attrib 28 (Idle-Timeout) default?
> 
> 
> Hello Martin -
> 
> I will need to see a trace 4 debug showing what is being sent 
> from Radiator.
> 
> regards
> 
> Hugh
> 
> 
> On 23 Jan 2006, at 18:50, Martin Wallner wrote:
> 
> > Hi All,
> >
> > I have a little problem here with Attribute 28 (Idle-Timeout) on 
> > RADIATOR 3.11:
> >
> > It looks like it is _always_ sent in the replypacket, even if it is 
> > NOT configured (according to the RFC an Access-Accept or a Access- 
> > Challenge can have this attribute in, not as a requirement ....)
> >
> > Scenario:
> >
> > Cisco 5300 with 120 ASYNC and 4 E1-Controller, standard setup, Dial-In
> > should be possible with ISDN and POTS, IOS c5300-is-mz.121-19.bin (12.1(19))
> >
> > Error:
> >
> > Thing is, dialin is possible with POTS, but NOT with ISDN...  
> > Radiator authenticates fine, and sending the replypacket (CISCO-Log)
> >
> > Jan 23 10:46:38.134 CET: Se0:24 PAP: Authenticating peer in9878
> > Jan 23 10:46:38.134 CET: AAA: parse name=Serial0:24 idb type=13 tty=-1
> > Jan 23 10:46:38.134 CET: AAA: name=Serial0:24 flags=0x51 type=1 shelf=0 slot=0 adapter=0 port=0 channel=24
> > Jan 23 10:46:38.134 CET: AAA: parse name=<no string> idb type=-1 tty=-1
> > Jan 23 10:46:38.134 CET: AAA/MEMORY: create_user (0x62611D4C) user='in9878' ruser='' port='Serial0:24' rem_addr='189933' authen_type=PAP service=PPP priv=1
> > Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): port='Serial0:24' list='' action=LOGIN service=PPP
> > Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): using "default" list
> > Jan 23 10:46:38.134 CET: AAA/AUTHEN/START (148326749): Method=radius (radius)
> > Jan 23 10:46:38.134 CET: RADIUS: ustruct sharecount=1
> > Jan 23 10:46:38.134 CET: RADIUS: Initial Transmit Serial0:24 id 208 193.154.160.80:1645, Access-Request, len 84
> > Jan 23 10:46:38.134 CET:         Attribute 4 6 C3AA5D03
> > Jan 23 10:46:38.134 CET:         Attribute 5 6 00004E38
> > Jan 23 10:46:38.134 CET:         Attribute 61 6 00000002
> > Jan 23 10:46:38.134 CET:         Attribute 1 8 696E3938
> > Jan 23 10:46:38.134 CET:         Attribute 31 8 31383939
> > Jan 23 10:46:38.134 CET:         Attribute 2 18 87617D7F
> > Jan 23 10:46:38.138 CET:         Attribute 6 6 00000002
> > Jan 23 10:46:38.138 CET:         Attribute 7 6 00000001
> > Jan 23 10:46:38.162 CET: RADIUS: Received from id 208 193.154.160.80:1645, Access-Accept, len 62
> > Jan 23 10:46:38.162 CET:         Attribute 6 6 00000002
> > Jan 23 10:46:38.162 CET:         Attribute 7 6 00000001
> > Jan 23 10:46:38.162 CET:         Attribute 13 6 00000001
> > Jan 23 10:46:38.162 CET:         Attribute 10 6 00000000
> > Jan 23 10:46:38.162 CET:         Attribute 9 6 FFFFFFFF
> > Jan 23 10:46:38.162 CET:         Attribute 28 6 00000000
> > Jan 23 10:46:38.162 CET:         Attribute 12 6 000003EE
> > Jan 23 10:46:38.162 CET: RADIUS: saved authorization data for user 62611D4C at 62694A88
> > Jan 23 10:46:38.162 CET: AAA/AUTHEN (148326749): status = PASS
> >
> >
> > Now, it ends with a clear 'PASS', so Radiator authenticated the
> > Request from the NAS.... The strange thing is, that in the Replypacket
> > there is still Attribute 28, set to 0 .... AND I DIDN'T CONFIGURE IT
> > IN, neither as 'Reply-Attribute' in the databaseentry for the user,
> > nor in the clause
> >
> >
> >    AddToReplyIfNotExist Service-Type = Framed-User, \
> >                         Framed-IP-Netmask = 255.255.255.255,\
> >                         Framed-IP-Address = 255.255.255.254,\
> >                         Framed-Protocol=PPP,\
> >                         Framed-Routing=Listen,\
> >                         Framed-Compression=Van-Jacobson-TCP-IP,\
> >                         Framed-MTU=1006,\
> >                         Port-Limit=2
> >
> > in the Radiator-config.... Is Attribute 28 (Idle-Timeout) a default 
> > attribute according to RFC? (because, I didn't find it in there....)
> >
> > Well, the Router stomps on, starting to process the AV-pairs:
> >
> > Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP: Authorize LCP
> > Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): Port='Serial0:24' list='' service=NET
> > Jan 23 10:46:38.162 CET: AAA/AUTHOR/LCP: Se0:24 (4293684466) user='in9878'
> > Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send AV service=ppp
> > Jan 23 10:46:38.162 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): send AV protocol=lcp
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): found list "default"
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP (4293684466): Method=radius (radius)
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR (4293684466): Post authorization status = PASS_REPL
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV service=ppp
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV routing*false
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Processing AV idletime=0
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: idletime failed
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR/LCP: Denied d1-ixi1.vie#
> > Jan 23 10:46:38.166 CET: Se0:24 PAP: O AUTH-NAK id 24 len 25 msg is "Authorization failed"
> > Jan 23 10:46:38.166 CET: Se0:24 AAA/AUTHOR: Duplicate per-user event LCP_DOWN ignored
> > Jan 23 10:46:38.166 CET: Se0:24 PPP: Phase is TERMINATING
> >
> > And fails miserably, processing the idletime=0 ..... Now, CISCO-TAC 
> > wants from me that I do some tests, one of them is, to remove the 
> > idletime-response in the Access-Accept....
> >
> > Any Ideas? Since this seems to be a flow problem, I only added the 
> > part of the RADIATOR config that is connected with the error on the 
> > NAS...
> >
> > Anyone out there encountered the same probs with ISDN and Cisco 5300?
> >
> > regards,
> > Martin Wallner
> >
> > mfg
> > Martin Wallner (=mw=)
> >
> > -----
> > Eunet Telekom GmbH                      e-mail 'martin.wallner at eunet.co.at'
> > vorm. Nextra Österreich                 e-mail 'martin.wallner at nextranet.at'
> > vorm. ViP EDV-Dienstleistungs GesmbH    e-mail 'hostmaster at vip.at'
> > vorm. Gramtel Austria GmbH.             e-mail 'hostmaster at gramtel.at'
> > Systems                                 RIPE:     WM355-RIPE
> > Nussdorfer Lände 23                     NicAT:    WM503823-NICAT
> > 1190 Wien, Vienna, Austria              Tel. +43 (0) 59 1 59 - 1354
> >
> 
> 
> NB:
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no 
> secrets), together with a trace 4 debug showing what is happening?
> 

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
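As an added example (not code from the thread, from Radiator or from Cisco), a small Python parser for the Cisco `debug radius` attribute lines quoted above: it names each attribute by its RFC 2865 type number, recomputes the RADIUS Length field so the NAS's reported `len 62` can be cross-checked, and flags the condition under discussion, an Access-Accept that carries Idle-Timeout (28) with value 0 instead of omitting the attribute. The name table and the copy of the log lines are constructed for the example; the zero Framed-Routing (10) in the same packet is a legitimate value and is deliberately not flagged.

```python
import re
from typing import NamedTuple

# RFC 2865 type numbers for the attributes seen in the thread
# (lookup table constructed for this example).
RFC2865_NAMES = {
    1: "User-Name", 2: "User-Password", 4: "NAS-IP-Address", 5: "NAS-Port",
    6: "Service-Type", 7: "Framed-Protocol", 9: "Framed-IP-Netmask",
    10: "Framed-Routing", 12: "Framed-MTU", 13: "Framed-Compression",
    28: "Idle-Timeout", 31: "Calling-Station-Id", 61: "NAS-Port-Type",
}
RADIUS_HEADER_LEN = 20  # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
IDLE_TIMEOUT = 28
# Cisco 'debug radius' prints one line per attribute:
# "Attribute <type> <TLV length> <first four value bytes, hex>"
ATTR_RE = re.compile(r"Attribute (\d+) (\d+) ([0-9A-Fa-f]{8})")

class Attr(NamedTuple):
    type: int
    length: int   # TLV length including the 2-byte type/length header
    name: str
    head: bytes   # only the first four value bytes appear in the log

def parse_cisco_attrs(log):
    """Turn the quoted debug lines into named attributes; unknown types are kept."""
    return [Attr(int(t), int(n), RFC2865_NAMES.get(int(t), "Attr-" + t),
                 bytes.fromhex(h)) for t, n, h in ATTR_RE.findall(log)]

def packet_length(attrs):
    """RADIUS Length field implied by the attributes (cross-check against 'len N')."""
    return RADIUS_HEADER_LEN + sum(a.length for a in attrs)

def zero_idle_timeout(attrs):
    """Flag the case from the thread: Idle-Timeout present with integer value 0."""
    return any(a.type == IDLE_TIMEOUT and a.length == 6
               and int.from_bytes(a.head, "big") == 0 for a in attrs)

# Access-Accept attribute lines copied from the Cisco log quoted in the thread.
ACCEPT_LOG = """
Jan 23 10:46:38.162 CET:         Attribute 6 6 00000002
Jan 23 10:46:38.162 CET:         Attribute 7 6 00000001
Jan 23 10:46:38.162 CET:         Attribute 13 6 00000001
Jan 23 10:46:38.162 CET:         Attribute 10 6 00000000
Jan 23 10:46:38.162 CET:         Attribute 9 6 FFFFFFFF
Jan 23 10:46:38.162 CET:         Attribute 28 6 00000000
Jan 23 10:46:38.162 CET:         Attribute 12 6 000003EE
"""
```

Running `zero_idle_timeout(parse_cisco_attrs(ACCEPT_LOG))` over the Accept reproduces the thread's finding, and `packet_length` returns 62, matching the NAS's `len 62` and the Framed-MTU of 1006 (0x3EE) that Radiator's trace shows.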

