[RADIATOR] Unknown reply received in AuthRADIUS

Jim Tyrrell jim at scusting.com
Wed May 1 13:49:28 CDT 2013 

Hi,

I have a default accounting handler which currently formats a few 
attributes via a hook, updates a MySQL database with session info, and 
then relays the RADIUS packet onto a couple of Cisco management servers 
(so they can maintain a mapping of user to IP).

We have always had a few "Unknown reply received in AuthRADIUS", but 
quite rarely and then only a handful at a time so ignored them.  I had 
assumed it was down to the remote RADIUS replying after Radiator had 
timed out the request (RetryTimeout 5) and so it was no longer valid - 
is that a correct assumption?

However, I then added another AuthBy between the MySQL update and the 
RADIUS proxy to update a 2nd MySQL server (that will eventually replace 
the current MySQL), and now I get floods of "Unknown reply received in 
AuthRADIUS" approx 10 seconds after starting the RADUS process.  I have 
'Retries 2' so 10 seconds would be the time taken before giving up the 
AuthBy RADIUS.

I dont understand why adding in an AuthBy before the AuthBy RADIUS could 
have an impact?  Even if the new AuthBy is slow, and I dont believe it 
is as I have seen no timeouts for it, then wouldnt that just delay the 
RADIUS proxy sending rather than effect its performance?  My accounting 
handler is as follows:

<Handler>
     AuthByPolicy ContinueAlways
     AccountingHandled
     PreProcessingHook file:"%D/scripts/format_attributes.pl"

## Log User session status to MySQL servers via insert/update/delete 
statements
     AuthBy RadiusOnline-Start
     AuthBy RadiusOnline-Alive
     AuthBy RadiusOnline-Stop

##  NEW AuthBy to log to new MySQL server via stored procedure
     AuthBy RadiusSessionUpdate

## Proxy accounting packet to Cisco management server 10.153.253.1
     AuthBy Proxy-to-CiscoSM

## Proxy accounting packet to Cisco management server 10.153.253.12
     AuthBy Proxy-to-CiscoSM_lab

</Handler>

The remote RADIUS servers are defined as such:
<AuthBy RADIUS>
         Identifier Proxy-to-CiscoSM
         <Host 10.153.253.1>
                 Secret mypassword
                 RetryTimeout 5
                 Retries 2
         </Host>
         IgnoreAccountingResponse
         NoDefault
</AuthBy>

The messages I get are:
Wed May  1 19:18:53 2013: WARNING: Unknown reply received in AuthRADIUS 
for request 26 from 10.153.253.1:1646
Wed May  1 19:18:53 2013: WARNING: Unknown reply received in AuthRADIUS 
for request 26 from 10.153.253.12:1646
Wed May  1 19:18:53 2013: WARNING: Unknown reply received in AuthRADIUS 
for request 27 from 10.153.253.1:1646
Wed May  1 19:18:53 2013: WARNING: Unknown reply received in AuthRADIUS 
for request 27 from 10.153.253.12:1646
Wed May  1 19:18:54 2013: WARNING: Unknown reply received in AuthRADIUS 
for request 29 from 10.153.253.1:1646

I thought about changing the order of the AuthBy's and tweaking the 
timeouts but want to try and understand how the additional AuthBy could 
of resulted in this issue before blindly try other things.  I guess 
ideally I need to do trace 4 debugs and packet captures to verify delays 
in the remote RADIUS replying, but the server is very busy and its hard 
to piece the incoming and outgoing Radius packets together in all the noise.

Thanks.

Jim.

More information about the radiator mailing list