[RADIATOR] Client erratic selection of handlers
Hugh Irvine
hugh at open.com.au
Fri Aug 28 03:58:09 CDT 2009
Hello Michael -
What version of Radiator are you running?
There was a patch for this some time ago.
Current version is Radiator 4.4 (plus patches).
regards
Hugh
On 28 Aug 2009, at 18:22, Michael Harlow wrote:
> Hi,
>
> I'm having some erratic behaviour with Handler selection. I fetch
> most of my client IPs from SQL with ClientListSQL (about 900), but
> some special clients I manually define in the configuration so I
> can set "Identifier" labels so they can be treated correctly and get
> special handling.
>
> When I start Radiator, all seems fine, and it works for a period.
> But later, perhaps after another refresh from the SQL, Radiator seems
> to be no longer able to recognise the client, and cannot find the
> handler.
>
> If I "restart" Radiator, no config changes, it starts to work again,
> but after a period will stop working. It does not seem to affect all
> the special cases, just the "ACE" case as shown in the config at the
> bottom.
>
> Does anyone know what might be going on?
>
> Cheers, Michael
>
>
> #####################################
>
> THIS is a functioning request that occurs after I restart Radiator.
>
> Fri Aug 28 15:38:53 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
> *** Received from 172.31.146.131 port 1031 ....
> Code: Access-Request
> Identifier: 171
> Authentic: <181><4><219>@+<0><0>\<175>"<210>\<132><19><179>V
> Attributes:
> User-Name = "ocsic"
> User-Password = XXXXXXXXXXXXXXXXXXXXXX
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler
> 'Client-Identifier=ACE-Interfaces'
> Fri Aug 28 15:38:53 2009: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA looks for match
> with ocsic [ocsic]
> Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA ACCEPT: : ocsic
> [ocsic]
> Fri Aug 28 15:38:53 2009: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug 28 15:38:53 2009: DEBUG: Access accepted for ocsic
> Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
> *** Sending to 172.31.146.131 port 1031 ....
> Code: Access-Accept
> Identifier: 171
> Authentic:
> g<11>M`<202><154><137><199><167><152><163><179>M<234><225><138>
> Attributes:
> cisco-avpair = "shell:Admin=Admin default-domain"
>
> ##################################
>
> A little later, a ClientListSQL refresh occurs
>
> Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
> Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL removes previously
> added Client nh-av29-2.sw.utas.edu.au
> [LOTS of lines removed]
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL removes previously
> added Client cm-mz-2.sw.utas.edu.au.
> Fri Aug 28 15:40:06 2009: DEBUG: Adding Clients from SQL database
> Fri Aug 28 15:40:06 2009: DEBUG: Query is: 'select
> NASIDENTIFIER,
> SECRET,
> IGNOREACCTSIGNATURE,
> DUPINTERVAL,
> DEFAULTREALM,
> NASTYPE,
> SNMPCOMMUNITY,
> LIVINGSTONOFFS,
> LIVINGSTONHOLE,
> FRAMEDGROUPBASEADDRESS,
> FRAMEDGROUPMAXPORTSPERCLASSC,
> REWRITEUSERNAME,
> NOIGNOREDUPLICATES,
> PREHANDLERHOOK from RADCLIENTLIST':
> Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select
> NASIDENTIFIER,
> SECRET,
> IGNOREACCTSIGNATURE,
> DUPINTERVAL,
> DEFAULTREALM,
> NASTYPE,
> SNMPCOMMUNITY,
> LIVINGSTONOFFS,
> LIVINGSTONHOLE,
> FRAMEDGROUPBASEADDRESS,
> FRAMEDGROUPMAXPORTSPERCLASSC,
> REWRITEUSERNAME,
> NOIGNOREDUPLICATES,
> PREHANDLERHOOK from RADCLIENTLIST': Lost connection to MySQL server
> during query
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh-
> av29-2.sw.utas.edu.au
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh-
> av29-1.sw.utas.edu.au
> [LOTS of lines removed]
> Fri Aug 28 15:40:09 2009: DEBUG: ClientListSQL adds Client cm-
> mz-2.sw.utas.edu.au.
> Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has
> succeeded, using new Client list
>
> ################################################################
>
> NOW, another identical-looking request comes in, but now the handler
> cannot be found!!!
>
> *** Received from 172.31.146.131 port 1031 ....
> Code: Access-Request
> Identifier: 203
> Authentic: <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
> Attributes:
> User-Name = "ocsic"
> User-Password = XXXXXXXXXXXXXXXXX
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for
> ocsic: request is ignored
> Fri Aug 28 15:41:36 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:41:36 2009: DEBUG: Packet dump:
> *** Received from 172.31.146.131 port 1031 ....
> Code: Access-Request
> Identifier: 203
> Authentic: <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
> Attributes:
> User-Name = "ocsic"
> User-Password = XXXXXXXXXXXXXXXXXXXXXX
> NAS-Port-Type = Virtual
> NAS-Port = 0
> Service-Type = NAS-Prompt-User
> NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for
> ocsic: request is ignored
> Fri Aug 28 15:41:37 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:41:37 2009: DEBUG: Packet dump:
>
>
> ###################################################################
>
> Here is the client loading section of the configuration
>
> PreClientHook file:"%D/scripts/gigawords-hook.pl"
>
> # Get client (switch/router/PDU) information from SQL
> <ClientListSQL>
> Include "%D/configs/DataBase-Config.cfg"
> RefreshPeriod 3600
> </ClientListSQL>
>
> # Manually define all WLC/WiSM here
> <Client 172.31.3.3>
> Identifier Internal-Wireless-Network
> Secret XXXXXXX
> DupInterval 10
> IdenticalClients 172.31.3.2
> </Client>
>
> # Manually define all FWSM here
> <Client 172.31.255.21>
> Identifier Firewall-Modules
> Secret XXXXXXX
> DupInterval 10
> IdenticalClients 172.31.255.22
> </Client>
>
> # Manually define all ACE Interfaces here
> <Client 172.31.2.220>
> IdenticalClients 172.31.146.130, 172.31.146.131, 172.31.146.132
> Identifier ACE-Interfaces
> Secret XXXXXXXX
> DupInterval 5
> </Client>
>
> ##############################################
>
>
> Here is the handler...
>
> <Handler Client-Identifier=ACE-Interfaces>
> SessionDatabase Null-Session-DB
> RejectHasReason
> <AuthBy LSA>
> NoDefault
> EAPType PAP
> Group ITS-NetFWAdmin
> </AuthBy>
> AddToReply cisco-avpair="shell:Admin=Admin default-domain"
> </Handler>
>
> #####################
>
>
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
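One way to catch the failure mode quoted in Michael's trace above from the log itself, as an added example that is not part of this thread or of Radiator: it walks a trace 4 log, groups lines into ClientListSQL refresh cycles, and flags a cycle that Radiator declared successful even though the SELECT on RADCLIENTLIST failed, and that was then followed by "Could not find a handler" warnings. The sample log lines are constructed, abridged from the pattern in the quoted trace.

```python
import re

# Constructed sample, abridged from the log pattern quoted in the thread:
# a refresh whose SQL query fails mid-way is still declared a success, and
# requests from a manually defined Client are ignored afterwards.
SAMPLE_LOG = """\
Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler 'Client-Identifier=ACE-Interfaces'
Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL removes previously added Client nh-av29-2.sw.utas.edu.au
Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select NASIDENTIFIER, SECRET from RADCLIENTLIST': Lost connection to MySQL server during query
Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh-av29-2.sw.utas.edu.au
Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has succeeded, using new Client list
Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for ocsic: request is ignored
Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for ocsic: request is ignored
"""

# Radiator log line: "<weekday> <month> <day> <hh:mm:ss> <year>: <LEVEL>: <message>".
# Continuation lines of a multi-line SQL statement do not match and are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} \d+ \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$")

def audit_refreshes(log_text):
    """One dict per ClientListSQL refresh cycle: whether an SQL execute error
    occurred in it, whether Radiator still declared it a success, and how many
    'Could not find a handler' warnings followed before the next refresh."""
    cycles, current = [], None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        level, msg = m.group("level"), m.group("msg")
        if "ClientListSQL automatic refresh" in msg:
            current = {"started": m.group("ts"), "sql_error": False,
                       "declared_success": False, "unhandled_after": 0}
            cycles.append(current)
        elif current is None:
            continue                      # nothing to attribute lines to yet
        elif level == "ERR" and "Execute failed" in msg:
            current["sql_error"] = True
        elif "refresh has succeeded" in msg:
            current["declared_success"] = True
        elif level == "WARNING" and "Could not find a handler" in msg:
            current["unhandled_after"] += 1
    return cycles

def suspicious_cycles(log_text):
    """Cycles that claimed success despite an SQL error and were followed by
    ignored requests: the signature of the symptom described in the thread."""
    return [c for c in audit_refreshes(log_text)
            if c["sql_error"] and c["declared_success"] and c["unhandled_after"]]
```

Running this over a full trace 4 log pinpoints which refresh the lost Client definition dates from, which is the evidence to attach when reporting the problem against a specific Radiator version.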