[RADIATOR] proxying POD reply packets

Michael ringo at vianet.ca
Sat Jul 13 12:20:02 CDT 2013


Heikki, to answer your questions at bottom

<snip>
I wonder if you have a (very) old Radiator or more likely, a
configuration that causes NAKed messages to be rejected.
<snip>

I'm using v4.10 so it's not old. I do, however, have a quite complicated Radiator configuration. Mainly, I inject PODs and COAs into Radiator rather than sending directly to devices because I have many different Cisco devices, some using different commands to accomplish the POD and COA. Radiator applies the necessary commands for the given device before proxying. Also, I wanted these requests to be logged. So, my complicated config determines what device the request needs to go to and sends, and then it converts the POD and COA packets to accounting packets using scripting, then sends to my accounting handler and that POD/COA request is logged. So yes, I will have to review my config.

For now though, adding the NAKed requests to the list in the code I described does make sure the reply packets coming back from the NASes are proxied to the radpwtst client.

There's probably a better way of accomplishing this for sure. I'll look into this further.
Thanks.


Michael





On 13/07/13 03:25 AM, Heikki Vatiainen wrote:
> On 07/12/2013 06:46 PM, Michael wrote:
>
>> also, Change-Filter-Request-NAKed would also need to be in that list.
> Hello Michael,
>
> I tested with this setup:
> radpwtst ->  R1 ->  R2
>
> where R1 is a simple proxy Radiator and R2 is Radiator that replies with
> Change-Filter-NAKed or Disconnect-Request-NAKed. It also adds
> Error-Cause and Reply-Message to the responses. This is done with AuthBy
> INTERNAL.
>
> R1 config is simply this:
>
> <Client DEFAULT>
>          Secret  mysecret
> </Client>
>
> <Handler>
>    <AuthBy RADIUS>
>          Secret mysecret
>          Host 127.0.0.1
>          AuthPort 1812
>          AcctPort 1813
>    </AuthBy>
> </Handler>
>
> With the above setup the NAKed responses were proxied back to radpwtst
> correctly. Also the ACKed responses were proxied fine. R1 logs the
> message from R2 like this:
>
>
> DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 1812 ....
> Code:       Disconnect-Request-NAKed
> Identifier: 1
> Authentic:  C<235><235>T<17><153>RG<130><221><213><213><27><223>"<184>
> Attributes:
>          Reply-Message = "No Matching Session"
>          Error-Cause = Session-Context-Not-Found
>
> INFO: Disconnect-Request rejected: No Matching Session
> DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 44624 ....
> Code:       Disconnect-Request-NAKed
> Identifier: 90
> Authentic:   ZNg<23>3<165>a<23>'<222><235><201><189><155><14>
> Attributes:
>          Reply-Message = "No Matching Session"
>          Error-Cause = Session-Context-Not-Found
>
> The INFO line is logged by Handler which forwards the request back to
> radpwtst even if the request type was not added to the ACCEPTed request
> types.
>
> I wonder if you have a (very) old Radiator or more likely, a
> configuration that causes NAKed messages to be rejected.
>
> Thanks,
> Heikki
>
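
An added example, not part of the original thread and not Radiator code: a Python check over R1's debug log, in the packet-dump layout quoted above, that lists NAKed replies received from upstream with no matching packet sent on afterwards. The sample log is constructed, and pairing packets on Code plus Error-Cause is an assumption of this example (the Identifier cannot be used, since the quoted dump shows it changing from 1 to 90 across the proxy).

```python
import re

# Constructed sample in the layout of the R1 debug log quoted above, trimmed to
# the fields used here. The Change-Filter NAK is deliberately never forwarded.
SAMPLE_LOG = """\
DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1812 ....
Code:       Disconnect-Request-NAKed
Attributes:
        Error-Cause = Session-Context-Not-Found
INFO: Disconnect-Request rejected: No Matching Session
DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 44624 ....
Code:       Disconnect-Request-NAKed
Attributes:
        Error-Cause = Session-Context-Not-Found
DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1812 ....
Code:       Change-Filter-Request-NAKed
Attributes:
        Error-Cause = Session-Context-Not-Found
"""

HEADER = re.compile(r"^\*\*\* (Received from|Sending to) \S+ port \d+")
ATTR = re.compile(r"^\s+([\w.:-]+) = (.*)$")

def parse_dumps(text):
    """Return one dict per packet dump: direction, Code and attributes."""
    dumps, cur = [], None
    for line in text.splitlines():
        if (m := HEADER.match(line)):
            cur = {"dir": "rx" if m[1] == "Received from" else "tx", "code": "", "attrs": {}}
            dumps.append(cur)
        elif cur and line.startswith("Code:"):
            cur["code"] = line.split(":", 1)[1].strip()
        elif cur and (a := ATTR.match(line)):
            cur["attrs"][a.group(1)] = a.group(2).strip('"')
    return dumps

def unforwarded_naks(text):
    """(Code, Error-Cause) of each received NAK that no later sent packet matches."""
    pending = []
    for d in parse_dumps(text):
        key = (d["code"], d["attrs"].get("Error-Cause"))
        if d["dir"] == "rx" and d["code"].endswith("NAKed"):
            pending.append(key)
        elif d["dir"] == "tx" and key in pending:
            pending.remove(key)  # this NAK was proxied onwards
    return pending
```

An empty result from `unforwarded_naks` means every NAK the proxy received was also sent on; any entry left over is a reply that was dropped at the proxy.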

