(RADIATOR) TACACs connections not closing
Ben Ragg
bragg at internode.com.au
Mon May 28 01:50:31 CDT 2007
Hi Guys,
We've recently moved from tac_plus to Radiator with tacacs and are noticing
that when authentication fails the connection remains established (for 3+
days, at which point the server seems to hit a connection limit and
fails to authenticate any more devices). Happy to accept it as a Cisco
bug, but we've seen it on different hardware platforms running different
IOS versions:
A C2600 running 12.3 (10)
A C2500 running 12.3 (22)
An AS5350 running 12.4 (11) T1
Currently running Radiator 3.17-1 with the latest patches on a Solaris
10 machine.
The authentication failures are caused by poorly configured devices
attempting to log in to each other with their banner, so it's easy enough
to significantly reduce the problem to the point where it is a
non-event, but it seemed like a good opportunity to try and look into
it further.
A copy of the config...
---
Foreground
LogStdout
LogDir .
LogFile
DbDir .
# Use a lower trace level in production systems:
Trace 4
User radius
Group radius
<Client DEFAULT>
Secret XXX
DupInterval 0
</Client>
<Handler Service-Type = Administrative-User>
<AuthBy SQL>
DBSource dbi:Pg:dbname=nms
DBUsername nms
DBAuth XXX
AuthSelect select enablepassword,department,checkattr,replyattr from subscribers where username=%0
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, Tacacs-Group, reply
AuthColumnDef 2, GENERIC, check
AuthColumnDef 3, GENERIC, reply
</AuthBy>
</Handler>
<Handler>
<AuthBy SQL>
DBSource dbi:Pg:dbname=nms
DBUsername nms
DBAuth XXX
AuthSelect select encryptedpassword,department,checkattr,replyattr from subscribers where username=%0
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, Tacacs-Group, reply
AuthColumnDef 2, GENERIC, check
AuthColumnDef 3, GENERIC, reply
</AuthBy>
</Handler>
<ServerTACACSPLUS>
Key XXX
GroupMemberAttr Tacacs-Group
Timeout 15
</ServerTACACSPLUS>
---
While I only have one of the devices running on this server, it's hard
to know in the logs what comes from a successful connection and what
comes from a failed connection.
netstat -a | grep "\.49" after half an hour of uptime:
xx.xx.xx.xx.49 failed.device.60951 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.55973 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.57994 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.17498 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.23795 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.47408 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.33500 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.13221 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.31865 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.25273 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.13752 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.14821 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.11287 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.61595 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.11139 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.60300 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.12072 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.13888 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.47305 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.52491 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.20223 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.35038 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.56777 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.19891 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.55406 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.25256 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.24853 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.38131 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.56311 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.31112 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.20041 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.27621 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.27115 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.24307 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.65247 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.20364 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.13402 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.42483 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.48534 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.17392 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.36614 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.51240 4100 0 49282 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.48892 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.12215 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.55326 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.54551 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.63092 3988 0 49215 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.15860 4016 0 49232 0 ESTABLISHED
xx.xx.xx.xx.49 failed.device.23810 3988 0 49215 0 ESTABLISHED
Snippet from the logfile (I can provide more if it's useful, but to me it
looks like a connection is created on 13888 and nothing else happens; all
the other lines are most likely from 49115):
Mon May 28 15:54:26 2007: DEBUG: New TacacsplusConnection created for
failed.device:49115
Mon May 28 15:54:26 2007: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 2722891956, 18
Mon May 28 15:54:26 2007: DEBUG: TacacsplusConnection Authentication
START 1, 1, 1 for , tty17, async
Mon May 28 15:54:26 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:38 2007: DEBUG: New TacacsplusConnection created for
failed.device:13888
Mon May 28 15:54:38 2007: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 2123654105, 17
Mon May 28 15:54:38 2007: DEBUG: TacacsplusConnection Authentication
START 1, 1, 1 for , tty2, async
Mon May 28 15:54:38 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection request 192, 1, 3,
0, 2123654105, 5
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection request 192, 1, 5,
0, 2123654105, 5
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection request 192, 1, 7,
0, 2123654105, 5
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection request 192, 1, 9,
0, 2123654105, 5
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:57 2007: DEBUG: TacacsplusConnection disconnected from
failed.device:49115
Regards,
Ben
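Added example, not part of the original post or of Radiator itself: a small Python script that ties the Trace 4 log lines above back to the individual TCP connections, so that "what comes from a successful connection and what comes from a failed one" can be read off rather than guessed. It re-joins lines that the mail client wrapped, reads the TACACS+ header fields from the "TacacsplusConnection request" lines (assumed to be printed in the order version, type, seq_no, flags, session_id, length), attributes each new session_id to the most recently created connection that has no session yet (an assumption about log ordering, stated in the code), decodes the REPLY status using the TACACS+ authentication status values, and lists every connection that was created but never logged as disconnected. The embedded sample is an abridged, still-wrapped copy of the log snippet from the post.

```python
import re
from datetime import datetime

# Abridged copy of the log snippet from the post, left wrapped as pasted.
SAMPLE_LOG = """\
Mon May 28 15:54:26 2007: DEBUG: New TacacsplusConnection created for
failed.device:49115
Mon May 28 15:54:26 2007: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 2722891956, 18
Mon May 28 15:54:26 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:38 2007: DEBUG: New TacacsplusConnection created for
failed.device:13888
Mon May 28 15:54:38 2007: DEBUG: TacacsplusConnection request 192, 1, 1,
0, 2123654105, 17
Mon May 28 15:54:38 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection request 192, 1, 3,
0, 2123654105, 5
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
CONTINUE 0, ,
Mon May 28 15:54:39 2007: DEBUG: TacacsplusConnection Authentication
REPLY 4, 0, Username: ,
Mon May 28 15:54:57 2007: DEBUG: TacacsplusConnection disconnected from
failed.device:49115
"""

TS_RE = re.compile(r"^(\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): ")
CREATED_RE = re.compile(r"New TacacsplusConnection created for (\S+)$")
DISCONNECT_RE = re.compile(r"TacacsplusConnection disconnected from (\S+)$")
# Assumed field order of the TACACS+ header as Radiator prints it:
# version, type, seq_no, flags, session_id, length
REQUEST_RE = re.compile(r"TacacsplusConnection request (\d+), (\d+), (\d+), (\d+), (\d+), (\d+)$")
REPLY_RE = re.compile(r"Authentication REPLY (\d+), (\d+), (.*)$")

# TACACS+ authentication REPLY status values; 4 (GETUSER) is the "Username:" prompt.
AUTHEN_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                 5: "GETPASS", 6: "RESTART", 7: "ERROR", 33: "FOLLOW"}


def unwrap(text):
    """Re-join lines a mail client wrapped: a physical line that does not
    start with a timestamp is the continuation of the previous log line."""
    lines = []
    for raw in text.splitlines():
        if TS_RE.match(raw) or not lines:
            lines.append(raw.rstrip())
        else:
            lines[-1] += " " + raw.strip()
    return lines


def parse_ts(line):
    m = TS_RE.match(line)
    return datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y") if m else None


def analyze(text):
    """Return {peer: state} where peer is 'host:port' from the 'created' line."""
    conns, by_session, pending, current, last_ts = {}, {}, [], None, None
    for line in unwrap(text):
        ts = parse_ts(line) or last_ts
        last_ts = ts
        if m := CREATED_RE.search(line):
            conns[m.group(1)] = {"created": ts, "session": None, "requests": 0,
                                 "last_seq": None, "last_reply": None, "disconnected": None}
            pending.append(m.group(1))
        elif m := REQUEST_RE.search(line):
            seq, session = int(m.group(3)), int(m.group(5))
            if session not in by_session:
                # Assumption: at Trace 4 a session's first packet is logged right
                # after the 'created' line of its socket, so tie it to the newest
                # connection that has no session yet.
                by_session[session] = pending.pop() if pending else None
            current = by_session[session]
            if current in conns:
                conns[current].update(session=session, last_seq=seq)
                conns[current]["requests"] += 1
        elif m := REPLY_RE.search(line):
            if current in conns:
                conns[current]["last_reply"] = AUTHEN_STATUS.get(int(m.group(1)), m.group(1))
        elif m := DISCONNECT_RE.search(line):
            peer = m.group(1)
            if peer in conns:
                conns[peer]["disconnected"] = ts
            if peer in pending:
                pending.remove(peer)
    return conns


def lingering(conns):
    """Peers whose connection was created but never logged as disconnected."""
    return sorted(p for p, c in conns.items() if c["disconnected"] is None)


if __name__ == "__main__":
    state = analyze(SAMPLE_LOG)
    for peer in lingering(state):
        c = state[peer]
        print(f"{peer}: session {c['session']}, {c['requests']} packets, "
              f"last seq {c['last_seq']}, last reply {c['last_reply']}, never closed")
```

Run against a full Trace 4 log (`python3 script.py < radiator.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`), the lingering list can be compared with the `netstat` output: a peer port that appears in both is a socket Radiator still holds open with no matching "disconnected" line, and its last reply status shows at which prompt the exchange stalled.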