[RADIATOR] Client erratic selection of handlers

Hugh Irvine hugh at open.com.au
Fri Aug 28 03:58:09 CDT 2009


Hello Michael -

What version of Radiator are you running?

There was a patch for this some time ago.

Current version is Radiator 4.4 (plus patches).

regards

Hugh


On 28 Aug 2009, at 18:22, Michael Harlow wrote:

> Hi,
>
> I'm having some erratic behaviour with Handler selection. I fetch  
> most of my client IP from SQL with ClientListSQL (about 900), but  
> some special clients, I manually define in the configuration so I  
> can set "Identifier" labels so they can be treated correctly and get  
> special handling.
>
> When I start Radiator, all seems fine, and it works for a period.  
> But later, perhaps after another refresh from the SQL, Radiator seems  
> to be no longer able to recognise the client, and cannot find the  
> handler.
>
> If I "restart" radiator, no config changes, it starts to work again,  
> but after a period will stop working. It does not seem to affect all  
> the special cases, just the "ACE" case as shown in the config at the  
> bottom.
>
> Does anyone know what might be going on?
>
> Cheers, Michael
>
>
> #####################################
>
> THIS is a functioning request that occurs after I restart Radiator.
>
> Fri Aug 28 15:38:53 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
> *** Received from 172.31.146.131 port 1031 ....
> Code:       Access-Request
> Identifier: 171
> Authentic:  <181><4><219>@+<0><0>\<175>"<210>\<132><19><179>V
> Attributes:
> 	User-Name = "ocsic"
> 	User-Password = XXXXXXXXXXXXXXXXXXXXXX
> 	NAS-Port-Type = Virtual
> 	NAS-Port = 0
> 	Service-Type = NAS-Prompt-User
> 	NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler  
> 'Client-Identifier=ACE-Interfaces'
> Fri Aug 28 15:38:53 2009: DEBUG: Handling with Radius::AuthLSA:
> Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA looks for match  
> with ocsic [ocsic]
> Fri Aug 28 15:38:53 2009: DEBUG: Radius::AuthLSA ACCEPT: : ocsic  
> [ocsic]
> Fri Aug 28 15:38:53 2009: DEBUG: AuthBy LSA result: ACCEPT,
> Fri Aug 28 15:38:53 2009: DEBUG: Access accepted for ocsic
> Fri Aug 28 15:38:53 2009: DEBUG: Packet dump:
> *** Sending to 172.31.146.131 port 1031 ....
> Code:       Access-Accept
> Identifier: 171
> Authentic:   
> g<11>M`<202><154><137><199><167><152><163><179>M<234><225><138>
> Attributes:
> 	cisco-avpair = "shell:Admin=Admin default-domain"
>
> ##################################
>
> A little later, a ClientListSQL refresh occurs
>
> Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
> Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL removes previously  
> added Client nh-av29-2.sw.utas.edu.au
> [LOTS of lines removed]
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL removes previously  
> added Client cm-mz-2.sw.utas.edu.au.
> Fri Aug 28 15:40:06 2009: DEBUG: Adding Clients from SQL database
> Fri Aug 28 15:40:06 2009: DEBUG: Query is: 'select
> 	NASIDENTIFIER,
> 	SECRET,
> 	IGNOREACCTSIGNATURE,
> 	DUPINTERVAL,
> 	DEFAULTREALM,
> 	NASTYPE,
> 	SNMPCOMMUNITY,
> 	LIVINGSTONOFFS,
> 	LIVINGSTONHOLE,
> 	FRAMEDGROUPBASEADDRESS,
> 	FRAMEDGROUPMAXPORTSPERCLASSC,
> 	REWRITEUSERNAME,
> 	NOIGNOREDUPLICATES,
> 	PREHANDLERHOOK from RADCLIENTLIST':
> Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select
> 	NASIDENTIFIER,
> 	SECRET,
> 	IGNOREACCTSIGNATURE,
> 	DUPINTERVAL,
> 	DEFAULTREALM,
> 	NASTYPE,
> 	SNMPCOMMUNITY,
> 	LIVINGSTONOFFS,
> 	LIVINGSTONHOLE,
> 	FRAMEDGROUPBASEADDRESS,
> 	FRAMEDGROUPMAXPORTSPERCLASSC,
> 	REWRITEUSERNAME,
> 	NOIGNOREDUPLICATES,
> 	PREHANDLERHOOK from RADCLIENTLIST': Lost connection to MySQL server  
> during query
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh- 
> av29-2.sw.utas.edu.au
> Fri Aug 28 15:40:06 2009: DEBUG: ClientListSQL adds Client nh- 
> av29-1.sw.utas.edu.au
> [LOTS of lines removed]
> Fri Aug 28 15:40:09 2009: DEBUG: ClientListSQL adds Client cm- 
> mz-2.sw.utas.edu.au.
> Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has  
> succeeded, using new Client list
>
> ################################################################
>
> NOW, another identical looking request comes in, but now the handler  
> cannot be found!!!
>
> *** Received from 172.31.146.131 port 1031 ....
> Code:       Access-Request
> Identifier: 203
> Authentic:  <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
> Attributes:
> 	User-Name = "ocsic"
> 	User-Password = XXXXXXXXXXXXXXXXX
> 	NAS-Port-Type = Virtual
> 	NAS-Port = 0
> 	Service-Type = NAS-Prompt-User
> 	NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for  
> ocsic: request is ignored
> Fri Aug 28 15:41:36 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:41:36 2009: DEBUG: Packet dump:
> *** Received from 172.31.146.131 port 1031 ....
> Code:       Access-Request
> Identifier: 203
> Authentic:  <197>2j<202><191>4<207>D<210><233><23>*<138><8><171><247>
> Attributes:
> 	User-Name = "ocsic"
> 	User-Password = XXXXXXXXXXXXXXXXXXXXXX
> 	NAS-Port-Type = Virtual
> 	NAS-Port = 0
> 	Service-Type = NAS-Prompt-User
> 	NAS-IP-Address = 172.31.146.131
>
> Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for  
> ocsic: request is ignored
> Fri Aug 28 15:41:37 2009: DEBUG: Gigawords - Check for Counter Wrap.
> Fri Aug 28 15:41:37 2009: DEBUG: Packet dump:
>
>
> ###################################################################
>
> Here is the client loading section of the configuration
>
> PreClientHook file:"%D/scripts/gigawords-hook.pl"
>
> # Get client (switch/router/PDU) information from SQL
> <ClientListSQL>
>      Include "%D/configs/DataBase-Config.cfg"
>      RefreshPeriod 3600
> </ClientListSQL>
>
> # Manually define all WLC/WiSM here
> <Client 172.31.3.3>
> 	Identifier Internal-Wireless-Network
> 	Secret	XXXXXXX
> 	DupInterval 10
> 	IdenticalClients 172.31.3.2
> </Client>
>
> # Manually define all FWSM here
> <Client 172.31.255.21>
> 	Identifier Firewall-Modules
> 	Secret	XXXXXXX
> 	DupInterval 10
> 	IdenticalClients 172.31.255.22
> </Client>
>
> # Manually define all ACE Interfaces here
> <Client 172.31.2.220>
> 	IdenticalClients 172.31.146.130, 172.31.146.131, 172.31.146.132
> 	Identifier ACE-Interfaces
> 	Secret	XXXXXXXX
> 	DupInterval 5
> </Client>
>
> ##############################################
>
>
> Here is the handler...
>
> <Handler Client-Identifier=ACE-Interfaces>
>      SessionDatabase  Null-Session-DB
>      RejectHasReason
>      <AuthBy LSA>
>           NoDefault
>           EAPType PAP
>           Group ITS-NetFWAdmin
>      </AuthBy>
>      AddToReply cisco-avpair="shell:Admin=Admin default-domain"
> </Handler>
>
> #####################
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
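
The sequence in the quoted trace (a ClientListSQL refresh that logs an SQL error, then "Could not find a handler" warnings) can be picked out of a debug log mechanically. The following is an added example, not part of the original thread or of Radiator; the sample log is constructed from the lines quoted above, and the function names `parse` and `correlate` are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the trace format shown in the quoted message (abridged).
SAMPLE = """\
Fri Aug 28 15:38:53 2009: DEBUG: Handling request with Handler 'Client-Identifier=ACE-Interfaces'
Fri Aug 28 15:38:53 2009: DEBUG: Access accepted for ocsic
Fri Aug 28 15:40:04 2009: DEBUG: ClientListSQL automatic refresh
Fri Aug 28 15:40:06 2009: ERR: Execute failed for 'select
\tNASIDENTIFIER from RADCLIENTLIST': Lost connection to MySQL server during query
Fri Aug 28 15:40:09 2009: DEBUG: Automatic ClientListSQL refresh has succeeded, using new Client list
Fri Aug 28 15:41:35 2009: WARNING: Could not find a handler for ocsic: request is ignored
Fri Aug 28 15:41:36 2009: WARNING: Could not find a handler for ocsic: request is ignored
"""

LINE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")
NO_HANDLER = re.compile(r"Could not find a handler for (\S+): request is ignored")

def parse(text):
    """Yield (timestamp, level, message) for each line that starts a log record."""
    for raw in text.splitlines():
        m = LINE.match(raw)  # continuation lines of a multi-line record do not match
        if m:
            ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield ts, m.group(2), m.group(3)

def correlate(text):
    """Group handler-lookup failures under the ClientListSQL refresh that preceded them."""
    refreshes, current, in_refresh = [], None, False
    for ts, level, msg in parse(text):
        if msg.startswith("ClientListSQL automatic refresh"):
            current = {"start": ts, "sql_errors": [], "no_handler": []}
            refreshes.append(current)
            in_refresh = True
        elif msg.startswith("Automatic ClientListSQL refresh has"):
            in_refresh = False
        elif current and in_refresh and level == "ERR":
            current["sql_errors"].append(msg)  # error logged while the list was reloading
        elif current and not in_refresh:
            m = NO_HANDLER.search(msg)
            if m:
                current["no_handler"].append((ts, m.group(1)))
    return refreshes

if __name__ == "__main__":
    for r in correlate(SAMPLE):
        print(r["start"], "SQL errors:", len(r["sql_errors"]),
              "unhandled requests:", len(r["no_handler"]))
```

The output only shows which refreshes were followed by dropped requests and whether an SQL error was logged during them; it does not establish the cause.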



