[RADIATOR] Client erratic selection of handlers

Michael Harlow Michael.Harlow at utas.edu.au
Fri Aug 28 03:22:58 CDT 2009


Hi,

I'm having some erratic behaviour with Handler selection. I fetch most of my client IPs from SQL with ClientListSQL (about 900), but some special clients I manually define in the configuration so I can set "Identifier" labels so they can be treated correctly and get special handling.

When I start Radiator, all seems fine, and it works for a period. But later, perhaps after another refresh from the SQL, Radiator seems to be no longer able to recognise the client, and cannot find the handler.

If I "restart" Radiator, no config changes, it starts to work again, but after a period will stop working. It does not seem to affect all the special cases, just the "ACE" case as shown in the config at the bottom.

Does anyone know what might be going on?

Cheers, Michael


#####################################

THIS is a functioning request that occurs after I restart Radiator.

Fri Aug 28 15:38:53 2009: DEBUG: Gigawords - Check for Counter Wrap.
Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
*** Received from 172.31.146.131 port 1031 ....
Code:       Access-Request
Identifier: 171
Authentic:  <181><4><219>@+<0><0>\<175>"<210>\<132><19><179>V
Attributes:
	User-Name = "ocsic"
	User-Password = XXXXXXXXXXXXXXXXXXXXXX
	NAS-Port-Type = Virtual
	NAS-Port = 0
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 172.31.146.131

Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler 'Client-Identifier=ACE-Interfaces'
Fri Aug 28 15:38:53 2009: DEBUG: Handling with Radius::AuthLSA: 
Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA looks for match with ocsic [ocsic]
Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA ACCEPT: : ocsic [ocsic]
Fri Aug 28 15:38:53 2009: DEBUG: AuthBy LSA result: ACCEPT, 
Fri Aug 28 15:38:53 2009: DEBUG: Access accepted for ocsic
Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
*** Sending to 172.31.146.131 port 1031 ....
Code:       Access-Accept
Identifier: 171
Authentic:  g<11>M`<202><154><137><199><167><152><163><179>M<234><225><138>
Attributes:
	cisco-avpair = "shell:Admin=Admin default-domain"

##################################

A little later, a ClientListSQL refresh occurs

Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL removes previously added Client nh-av29-2.sw.utas.edu.au
[LOTS of lines removed]
Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL removes previously added Client cm-mz-2.sw.utas.edu.au.
Fri Aug 28 15:40:06 2009: DEBUG: Adding Clients from SQL database
Fri Aug 28 15:40:06 2009: DEBUG: Query is: 'select 
	NASIDENTIFIER,
	SECRET,
	IGNOREACCTSIGNATURE,
	DUPINTERVAL,
	DEFAULTREALM,
	NASTYPE,
	SNMPCOMMUNITY,
	LIVINGSTONOFFS,
	LIVINGSTONHOLE,
	FRAMEDGROUPBASEADDRESS,
	FRAMEDGROUPMAXPORTSPERCLASSC,
	REWRITEUSERNAME,
	NOIGNOREDUPLICATES,
	PREHANDLERHOOK from RADCLIENTLIST': 
Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select 
	NASIDENTIFIER,
	SECRET,
	IGNOREACCTSIGNATURE,
	DUPINTERVAL,
	DEFAULTREALM,
	NASTYPE,
	SNMPCOMMUNITY,
	LIVINGSTONOFFS,
	LIVINGSTONHOLE,
	FRAMEDGROUPBASEADDRESS,
	FRAMEDGROUPMAXPORTSPERCLASSC,
	REWRITEUSERNAME,
	NOIGNOREDUPLICATES,
	PREHANDLERHOOK from RADCLIENTLIST': Lost connection to MySQL server during query
Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh-av29-2.sw.utas.edu.au
Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh-av29-1.sw.utas.edu.au
[LOTS of lines removed]
Fri Aug 28 15:40:09 2009: DEBUG: ClientListSQL adds Client cm-mz-2.sw.utas.edu.au.
Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has succeeded, using new Client list

################################################################

NOW, another identical-looking request comes in, but now the handler cannot be found!!!

*** Received from 172.31.146.131 port 1031 ....
Code:       Access-Request
Identifier: 203
Authentic:  <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
Attributes:
	User-Name = "ocsic"
	User-Password = XXXXXXXXXXXXXXXXX
	NAS-Port-Type = Virtual
	NAS-Port = 0
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 172.31.146.131

Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for ocsic: request is ignored
Fri Aug 28 15:41:36 2009: DEBUG: Gigawords - Check for Counter Wrap.
Fri Aug 28 15:41:36 2009: DEBUG: Packet dump:
*** Received from 172.31.146.131 port 1031 ....
Code:       Access-Request
Identifier: 203
Authentic:  <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
Attributes:
	User-Name = "ocsic"
	User-Password = XXXXXXXXXXXXXXXXXXXXXX
	NAS-Port-Type = Virtual
	NAS-Port = 0
	Service-Type = NAS-Prompt-User
	NAS-IP-Address = 172.31.146.131

Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for ocsic: request is ignored
Fri Aug 28 15:41:37 2009: DEBUG: Gigawords - Check for Counter Wrap.
Fri Aug 28 15:41:37 2009: DEBUG: Packet dump:


###################################################################

Here is the client loading section of the configuration

PreClientHook file:"%D/scripts/gigawords-hook.pl"

# Get client (switch/router/PDU) information from SQL
<ClientListSQL>
      Include "%D/configs/DataBase-Config.cfg"
      RefreshPeriod 3600
</ClientListSQL>

# Manually define all WLC/WiSM here
<Client 172.31.3.3>
	Identifier Internal-Wireless-Network
	Secret	XXXXXXX
	DupInterval 10
	IdenticalClients 172.31.3.2
</Client>

# Manually define all FWSM here
<Client 172.31.255.21>
	Identifier Firewall-Modules
	Secret	XXXXXXX
	DupInterval 10
	IdenticalClients 172.31.255.22
</Client>

# Manually define all ACE Interfaces here
<Client 172.31.2.220>
	IdenticalClients 172.31.146.130, 172.31.146.131, 172.31.146.132
	Identifier ACE-Interfaces
	Secret	XXXXXXXX
	DupInterval 5
</Client>

##############################################


Here is the handler...

<Handler Client-Identifier=ACE-Interfaces>
      SessionDatabase  Null-Session-DB
      RejectHasReason
      <AuthBy LSA>
           NoDefault
           EAPType PAP
           Group ITS-NetFWAdmin
      </AuthBy>
      AddToReply cisco-avpair="shell:Admin=Admin default-domain"
</Handler>

#####################
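
One way to line the symptom up against the refresh cycle, added here as an example and not part of the original post or of Radiator itself: the script splits a Radiator debug log at each "ClientListSQL automatic refresh" line and reports the periods in which "Could not find a handler" warnings first appear, together with any SQL "Execute failed" errors logged during that refresh. The sample log is abbreviated from the excerpts above (query text shortened to "..."), and the function names are illustrative.

```python
import re
from datetime import datetime

# Abbreviated from the log excerpts in the post (query text shortened to "...").
SAMPLE_LOG = """\
Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler 'Client-Identifier=ACE-Interfaces'
Fri Aug 28 15:38:53 2009: DEBUG: Access accepted for ocsic
Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select ... from RADCLIENTLIST': Lost connection to MySQL server during query
Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has succeeded, using new Client list
Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for ocsic: request is ignored
Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for ocsic: request is ignored
"""

LINE = re.compile(r"^(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")

def new_epoch(started):
    return {"started": started, "sql_errors": 0, "handled": {}, "unhandled": {}}

def epochs_from_log(text):
    """Split a Radiator log into periods delimited by ClientListSQL refreshes."""
    epochs = [new_epoch(None)]          # period since startup, before any refresh
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:                       # packet dumps and wrapped SQL text
            continue
        stamp, level, msg = m.groups()
        when = datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y")
        cur = epochs[-1]
        if msg.startswith("ClientListSQL automatic refresh"):
            epochs.append(new_epoch(when))
        elif level == "ERR" and msg.startswith("Execute failed"):
            cur["sql_errors"] += 1
        elif (h := re.match(r"Handling request with Handler '(.+)'", msg)):
            cur["handled"][h[1]] = cur["handled"].get(h[1], 0) + 1
        elif (u := re.match(r"Could not find a handler for (.*): request is ignored", msg)):
            cur["unhandled"][u[1]] = cur["unhandled"].get(u[1], 0) + 1
    return epochs

def regressions(epochs):
    """Refresh periods with ignored requests where the previous period had none."""
    return [cur for prev, cur in zip(epochs, epochs[1:])
            if cur["unhandled"] and not prev["unhandled"]]

if __name__ == "__main__":
    for e in regressions(epochs_from_log(SAMPLE_LOG)):
        print(e["started"], "sql_errors:", e["sql_errors"], "ignored:", e["unhandled"])
```

Run over a full Trace 4 log, this shows whether every onset of ignored requests follows a refresh, and whether those refreshes are the ones that logged an SQL error.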

 

