(RADIATOR) TACACS disconnect during AuthByRADIUS proxy (bug?)

Mike McCauley mikem at open.com.au
Mon May 22 21:31:02 CDT 2006


Hello Robert,

Thanks for the log excerpt.
Looking at the log, I suspect that the tacacs client is doing the 
disconnection.
I see a 4 second delay between proxying the request to 192.168.73.100 and an 
answer being received back from it. But 3 seconds after receiving the 
request, Radiator reports the tacacs client disconnected.
I suspect the client is disconnecting after 3 seconds and no reply.
Suggest you investigate the long delay time associated with Radius server at 
192.168.73.100 or else adjust the client tacacs timeout.

Cheers.


On Tuesday 23 May 2006 11:14, Patrick, Robert wrote:
> Hello!
>
> We are running the latest 3.14 with consolidated patches as of May 18.
>
> Setup is with Radiator acting as TACACS server, which proxies
> authentication for users logging into Cisco devices, sending
> authentication requests via RADIUS to an RSA SecurID RADIUS server so we
> can use our 2-factor tokens for login access to Cisco routers and
> switches.
>
> I'm getting a lot of intermittent failures, where the Cisco device
> prompts a second time for password.  Generally quitting the login
> session, and trying again will result in a successful "normal" login.
>
> After running with trace set to 4, it looks like a TACACS session
> disconnect in the middle of the RADIUS back-and-forth (send
> access-request, receive access-accept) during those times when the login
> breaks, causing the Cisco device to prompt a second time for password.
>
> The specific event is:
>
> <timestamp> DEBUG: TacacsplusConnection disconnected from
> <ip_address:port>
>
>
> Any ideas on a fix for this behavior?
>
>
>
> Log extract below:
>
> Mon May 22 21:03:41 2006: DEBUG: Handling with Radius::AuthRADIUS
> Mon May 22 21:03:41 2006: DEBUG: Packet dump:
> *** Sending to 192.168.73.100 port 1645 ....
> Code:       Access-Request
> Identifier: 2
> Authentic:  <cropped>
> Attributes:
>         NAS-IP-Address = 192.168.35.189
>         NAS-Port-Id = "tty450"
>         Calling-Station-Id = "192.168.61.99"
>         Service-Type = Login-User
>         User-Name = "username"
>         User-Password = <cropped>
>
> Mon May 22 21:03:41 2006: DEBUG: Radius::AuthFILE IGNORE: : username
> [username]
> Mon May 22 21:03:41 2006: DEBUG: AuthBy FILE result: IGNORE,
> Mon May 22 21:03:44 2006: DEBUG: TacacsplusConnection disconnected from
> 192.168.35.189:64332
> Mon May 22 21:03:45 2006: DEBUG: Packet dump:
> *** Received from 192.168.73.100 port 1645 ....
> Code:       Access-Accept

-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd            Unix, Perl, Motif, C++, WWW
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP etc on Unix, Windows, MacOS, NetWare etc.

--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
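
The timing check described in the reply above, as an added Python example that is not part of the original message or of Radiator. It runs over a constructed excerpt in the trace-4 layout quoted in the thread and assumes that a TACACS+ disconnect logged while a proxied request is outstanding belongs to that request; the function and field names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample: first exchange uses the thread's timestamps, second is invented.
SAMPLE = """\
Mon May 22 21:03:41 2006: DEBUG: Packet dump:
*** Sending to 192.168.73.100 port 1645 ....
Mon May 22 21:03:44 2006: DEBUG: TacacsplusConnection disconnected from
192.168.35.189:64332
Mon May 22 21:03:45 2006: DEBUG: Packet dump:
*** Received from 192.168.73.100 port 1645 ....
Mon May 22 21:05:10 2006: DEBUG: Packet dump:
*** Sending to 192.168.73.100 port 1645 ....
Mon May 22 21:05:11 2006: DEBUG: Packet dump:
*** Received from 192.168.73.100 port 1645 ....
Mon May 22 21:05:11 2006: DEBUG: TacacsplusConnection disconnected from 192.168.35.189:64340
"""

STAMP = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): ")
SENT = re.compile(r"\*\*\* Sending to (\S+) port \d+")
RECV = re.compile(r"\*\*\* Received from (\S+) port \d+")
GONE = re.compile(r"TacacsplusConnection disconnected from\s+(\S+)")

def find_early_disconnects(log_text):
    """Report proxied requests whose TACACS+ client left before the reply arrived."""
    entries = []  # [timestamp, text]; unstamped lines are folded into the entry above
    for line in log_text.splitlines():
        m = STAMP.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            entries.append([ts, line[m.end():]])
        elif entries:
            entries[-1][1] += " " + line.strip()
    pending, findings = {}, []  # pending: RADIUS server -> outstanding request
    for ts, text in entries:
        if (m := SENT.search(text)):
            pending[m.group(1)] = {"sent": ts, "client": None, "gone": None}
        if (m := GONE.search(text)):
            # Assumption: a disconnect while a request is outstanding belongs to it.
            for req in pending.values():
                if req["gone"] is None:
                    req.update(client=m.group(1), gone=ts)
        if (m := RECV.search(text)) and m.group(1) in pending:
            req = pending.pop(m.group(1))
            if req["gone"] is not None:
                findings.append({"server": m.group(1), "client": req["client"],
                    "client_waited_s": (req["gone"] - req["sent"]).total_seconds(),
                    "server_latency_s": (ts - req["sent"]).total_seconds()})
    return findings
```

Calling `find_early_disconnects(SAMPLE)` flags only the first exchange; a `client_waited_s` value that is the same across many flagged logins points at the TACACS+ client's timeout, while `server_latency_s` shows how slow the RADIUS server was each time.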