(RADIATOR) Client entry by FQDN issue

peirce at maine.edu peirce at maine.edu
Fri Jun 1 08:36:47 CDT 2007


Hi - I've finally resolved a NAS client problem I'm having, but I'm wondering if
this is the right way to do so. If there's not a better way, perhaps it could be
incorporated into future builds.

I'm running Radiator v3.15.

My client entries are built from an included script and the entries are
defined by FQDN, e.g.

<Client rtr-c.xyz.net>
              NasType Cisco
              Secret <pw>
              DefaultRealm XYZ
</Client>

These hosts have multiple IP addresses configured on them and all have DNS entries.

Authenticating into the device can be intermittent and I believe it's
because Radiator is intermittently resolving the client entry name to an
IP address that is different from the incoming request.  Through a debug
line I added, I see that when Radiator starts, the known address for a given
client entry changes.  An nslookup on the host from the radius server returns
all addresses for the host. It seems Radiator is only choosing one - the first
returned?

If I add all addresses the host has as IdenticalClients, the issue goes
away. Given the large number of clients I have that would be very
cumbersome to do as would defining the clients by all IP addresses.
The clients are configured to always source the request from a defined address.

When the address is different, the request fails to find a matching
client and is ultimately rejected.

In my case the NAS_ID contains the FQDN of the device, so I made the
change below in Client::find to try and identify it using the
NAS_IDENTIFIER.

This seems to solve my issue. I found it odd I could not find anything in
the archives of someone having the same issue, so I'm wondering if I've
gone about it in the right way.

I also included a change I found helpful to display the NAS_ID & Calling_Station_ID in the log 
when an access-request is rejected.

thanks for any insight,

##############
Client.pm - change to check NAS_ID if check on Client_IP fails

--- Client.pm.orig      2007-06-01 08:49:37.000000000 -0400
+++ Client.pm   2007-06-01 08:21:35.000000000 -0400

@@ -162,6 +162,11 @@
        $ret = $Radius::Client::clients{'MAC:' . $mac}
            if ($mac =~ /^[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-
F]{2}-?[0-9a-fA-F]{2}$/);

+       # Try to deduce a entry via NAS_IDENTIFIER 
+       my $dns_name = $p->getAttrByNum($Radius::Radius::NAS_IDENTIFIER);
+       $dns_name =~ tr/[A-Z]/[a-z]/;
+       $ret = $Radius::Client::clients{$dns_name};
+
        # Still nothing, fall back to the default
        $ret = $Radius::Client::clients{DEFAULT}
             unless defined $ret;
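
Review bot: The added `$ret = $Radius::Client::clients{$dns_name};` is unconditional, so it overwrites a client that the MAC lookup just above has already matched, and it replaces that match with undef whenever no entry is named after the NAS-Identifier. Guard it the way the DEFAULT fallback below is guarded, for example `$ret = $Radius::Client::clients{lc $dns_name} if !defined $ret && defined $dns_name;`, which also avoids running `tr` on an undefined value when the request carries no NAS-Identifier (and `lc` avoids the literal brackets in `tr/[A-Z]/[a-z]/`). NAS-Identifier is read from the request itself, so this lookup picks the client entry, and with it the Secret, from a value the sender chooses rather than from the source address; that trade-off deserves a comment or a configuration switch so it is not enabled for every site by default.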

###########
Handler.pm - change to include NAS and Calling_Station on failed attempt

--- Handler.pm.orig 2007-06-01 08:47:36.000000000 -0400
+++ Handler.pm  2007-06-01 08:46:12.000000000 -0400

@@ -469,7 +469,9 @@
        elsif (   $result == $main::REJECT
               || $result == $main::REJECT_IMMEDIATE)
        {
-           $self->log($main::LOG_INFO, "Access rejected for user $name: $reason", $p);
+           my $nas_id = $p->getNasId();
+           my $calling_station = $p->getAttrByNum($Radius::Radius::CALLING_STATION_ID);
+           $self->log($main::LOG_INFO, "Access rejected at $nas_id for user $name from 
$calling_station: $reason", $p);

            $self->authlog($main::REJECT, $reason, $p);
            $p->{rp}->set_code('Access-Reject');
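
Review bot: `$calling_station` is interpolated into the log message without a defined check, so a reject for a request that has no Calling-Station-Id raises an uninitialized-value warning and logs "from : reason". Add `$calling_station = 'unknown' unless defined $calling_station;` before the `log` call, and do the same for `$nas_id` if `getNasId` can return undef. Calling-Station-Id is taken from the request, so strip control characters from it before logging to keep each reject on a single, parseable log line.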



Garry Peirce	peirce at maine.edu	1-207-561-3539
=============================================
Network Analyst 
ITS, Communications and Network Services
University of Maine System
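
The workaround described in the message, listing every address of a multi-homed NAS as IdenticalClients, can be generated rather than maintained by hand, which keeps client matching bound to the source address. This is an added example, not part of the original post or of Radiator; the function names, the sample addresses and the whitespace-separated IdenticalClients list format are assumptions.

```python
import ipaddress
import socket

# Constructed DNS answers for offline use (documentation address ranges).
SAMPLE_DNS = {
    "rtr-c.xyz.net": ["192.0.2.10", "198.51.100.7", "192.0.2.9", "192.0.2.10"],
    "rtr-d.xyz.net": ["203.0.113.4"],
}

def sample_resolver(host, port, family=0, type=0, proto=0, flags=0):
    """Stand-in for socket.getaddrinfo that answers from SAMPLE_DNS."""
    return [(socket.AF_INET, socket.SOCK_DGRAM, 17, "", (addr, 0))
            for addr in SAMPLE_DNS[host]]

def resolve_all(fqdn, resolver=socket.getaddrinfo):
    """Return every distinct IPv4 address for fqdn, in a stable order."""
    infos = resolver(fqdn, None, socket.AF_INET, socket.SOCK_DGRAM)
    addrs = sorted({info[4][0] for info in infos}, key=ipaddress.ip_address)
    if not addrs:
        raise ValueError(f"{fqdn}: no addresses returned")
    return addrs

def client_clause(fqdn, secret, realm, addrs, nas_type="Cisco"):
    """Render one <Client> clause listing all addresses as IdenticalClients."""
    return "\n".join([
        f"<Client {fqdn}>",
        f"    NasType {nas_type}",
        f"    Secret {secret}",
        f"    DefaultRealm {realm}",
        # Assumption: IdenticalClients takes a whitespace-separated list.
        f"    IdenticalClients {' '.join(addrs)}",
        "</Client>",
    ])

def generate(clients, resolver=socket.getaddrinfo):
    """clients: iterable of (fqdn, secret, realm). Refuses to emit a config
    in which one source address would match two different clients."""
    owner, clauses = {}, []
    for fqdn, secret, realm in clients:
        addrs = resolve_all(fqdn.lower(), resolver)
        for addr in addrs:
            if owner.setdefault(addr, fqdn) != fqdn:
                raise ValueError(f"{addr} belongs to {owner[addr]} and {fqdn}")
        clauses.append(client_clause(fqdn, secret, realm, addrs))
    return "\n\n".join(clauses)

if __name__ == "__main__":
    print(generate([("rtr-c.xyz.net", "<pw>", "XYZ")], resolver=sample_resolver))
```

Re-run the generator whenever DNS records for a client change, since the addresses are fixed at generation time.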
