[RADIATOR] Radius problem
Hugh Irvine
hugh at open.com.au
Fri Dec 11 17:02:31 CST 2009
Hello Colin -
This sounds more like a network issue than a Radiator issue, as Radiator can't do much if it isn't receiving any requests.
Have you checked a low-level tcpdump or Wireshark capture to verify that the RADIUS requests are not getting to this host?
If the RADIUS requests are not getting to the Radiator host, it therefore follows that the requests are getting blocked or dropped or redirected.
Have you checked any firewall and/or ACL settings?
regards
Hugh
On 11 Dec 2009, at 22:27, Colin Byelong wrote:
> Hi,
>
> We have been using radiator to authenticate our wireless users and
> provide EAP-TTLS support in our wireless infrastructure.
> The server is running a old version of radiator 4.3.1 and we have been
> trying to move to new hardware and a new version of radiator.
>
> Most of our requests come from one NAS when we introduce the new server
> everything looks good then after ~1 hour we stop seeing requests from
> the NAS this may be load related as we tend to swap the box at the start
> of the day.
> We have tried restarting the system when this happens but we still cant
> see requests from the NAS, when we revert to the old server thats using
> the same config file everything starts working again.
>
> Has anyone seen anything similar ?
>
>
> Is there any "load limits" on the server that would cause this behaviour ?
> Can we adjust queues or buffers to cope with many requests from the same
> host ?
>
> #
> Foreground
> LogStdout
> LogDir .
> DbDir .
> #
> #Logfiles
> #
> <Log FILE>
> Filename %L/radiator.%Y_%m_%d.log
> LogIdent log-file
> Trace 4
> </Log>
> #
> #
> #
> #
> #Use port 1812 for Authentication
> AuthPort 1812,1645
> #Use port 1813 for accounting
> AcctPort 1813,1646
> Trace 4
> #
> #
> #
> #
> #Logging for users with no realm
> #
> #
> <AuthLog FILE>
> Identifier AUTH-DENY-NOREALM
> Filename %L/NOREALM-deny-%d-%m-%y.log
> FailureFormat %1:%T from Client:%c %a (%C) %n from NAS:%N
> LogSuccess 0
> LogFailure 1
> </AuthLog>
> #
> #
> #Logging for NRPS
> #
> <AuthLog FILE>
> Identifier NRPSSTATS
> Filename %L/NRPS-STATS-%Y-%m-%d.log
> SuccessFormat %l: from Client:%c(NAS:%N) User=%u Reply-User
> =%{Reply:User-Name} :OK
> FailureFormat %l: from Client:%c(NAS:%N) User=%u:FAIL
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> #
> #
> #
> #Logfile for local users
> <AuthLog FILE>
> Identifier LOCALUSERS
> Filename %L/localusers.%Y-%m-%d.log
> SuccessFormat :%l:%o %T:%{Calling-Station-Id} from %u at %N:OK
> FailureFormat :%l:%o %T from %u at %N:FAIL
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> #
> #Logfile for local pap
> <AuthLog FILE>
> Identifier UCL_PAP
> Filename %L/UCLPAP.%Y-%m-%d.log
> SuccessFormat :%l:%o %T from %u at %N:OK
> FailureFormat :%l:%o %T from %u at %N:FAIL
> LogSuccess 1
> LogFailure 1
> </AuthLog>
> #
> #
>
> <Client roaming0.ja.net>
> Secret <REMOVED>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
> #
> #
> #
> #
> <Client roaming1.ja.net>
> Secret <REMOVED>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
> #
> #
> <Client roaming2.ja.net>
> Secret <REMOVED>
> StatusServerShowClientDetails
> Identifier NRPS
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> NoIgnoreDuplicates Accounting-Request
> </Client>
>
> #
> <Client localhost>
> Secret <REMOVED>
> DupInterval 0
> </Client>
> #
>
> #
> #
> #
> #
> #
> #
> <Client DEFAULT>
> Secret <REMOVED>
> DupInterval 2
> StatusServerShowClientDetails
> </Client>
> #
> #Handlers with authentication
> <Handler TunnelledByTTLS=1>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detail.%m%y
> <AuthBy LDAP2>
> # Identifier UCL
> Host <REMOVED>
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standfard LDAP, so you may want to use:
> # Port 3268
>
> AuthDN cn=locindnet,ou=System
> Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
> # AuthPassword yourADadminpasswordhere
> AuthPassword <REMOVED>
> BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
> ServerChecksPassword
> EAPType MSCHAP-V2,TTLS,PAP,PEAP
> UsernameAttr sAMAccountName
> # EncryptedPasswordAttr sn
> #
> # AuthAttrDef logonHours,MS-Login-Hours,check
>
>
> </AuthBy>
> #
> #
> #
> AuthLog LOCALUSERS
> </Handler>
> #
> #
> #EAPOUTER
> <Handler Realm=ucl.ac.uk, EAP-Message = /.+/>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detail.eapout.%m%y
> <AuthBy FILE>
> Filename %D/users
> EAPType TTLS,pap,PEAP,MSCHAP-V2
> EAPTLS_CAFile %D/certs/sureserverEDU.pem
> EAPTLS_CertificateFile %D/certs/orps.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certs/<REMOVED>
> EAPTLS_MaxFragmentSize 1500
> AutoMPPEKeys
> EAPAnonymous anonymous
> </AuthBy>
> </Handler>
> #
> #
> #Non EAP
> <Handler Realm=ucl.ac.uk>
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername tr/A-Z/a-z/
> AcctLogFileName %L/ucl-detailplain.%m%y
> <AuthBy LDAP2>
> # Identifier UCL
> Host <REMOVED>
>
> # Microsoft AD also listens on port 3268, and
> # requests received on that port are reported to be
> # more compliant with standfard LDAP, so you may want to use:
> # Port 3268
>
> AuthDN cn=locindnet,ou=System
> Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
> # AuthPassword yourADadminpasswordhere
> AuthPassword <REMOVED>
> BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
> ServerChecksPassword
> UsernameAttr sAMAccountName
> # EncryptedPasswordAttr sn
> #
> # AuthAttrDef logonHours,MS-Login-Hours,check
>
>
> </AuthBy>
> AcctLogFileName %L/detail
> AuthLog UCL_PAP
> </Handler>
> #
> #
> #Send Everything else to the NRPS
> #
> #
> #Handler for users with no realm
> <Handler Realm = "">
> <AuthBy INTERNAL>
> DefaultResult REJECT
> </AuthBy>
> AuthLog AUTH-DENY-NOREALM
> </Handler>
> #
> #
> <Handler>
> #<AuthBy GROUP>
> # AuthByPolicy ContinueUntilReject
> # NoEAP
> <AuthBy HASHBALANCE>
> # NoEAP
> EAPType MSCHAP-V2,TTLS,PAP,PEAP
> <Host roaming0.ja.net>
> Secret <REMOVED>
> AuthPort 1812
> AcctPort 1813
> RetryTimeout 8
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> </host>
> #Second NRPS
> <Host roaming1.ja.net>
> Secret <REMOVED>
> AuthPort 1812
> AcctPort 1813
> RetryTimeout 8
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> </host>
> #Third NRPS
> <Host <REMOVED>
> Secret j<REMOVED>
> AuthPort 1812
> AcctPort 1813
> RetryTimeout 8
> StripFromReply
> Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,
> cisco-avpair
> </host>
> </AuthBy>
> # AuthLog NRPSSTATS
> #</AuthBy>
> AuthLog NRPSSTATS
> </Handler>
> #
>
> Thanks
>
> Colin
>
>
>
> --
> -----------------------------------------------------------------------
>
>
> Colin Byelong Email: C.Byelong at ucl.ac.uk
> Senior Network Development Officer
> Network Group
> Information Systems Division
> University College London
> Gower Street Phone: 020 7679-2572
> London WC1E 6BT
> ------------------------------------------------------------------------
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list