[RADIATOR] Is StatusServer broken in 4.19 and latest patches?

Karl Gaissmaier karl.gaissmaier at uni-ulm.de
Tue Aug 8 09:36:25 UTC 2017 

Hi Heikki,

Am 08.08.2017 um 11:15 schrieb Heikki Vatiainen:
> On 8.8.2017 11.46, Karl Gaissmaier wrote:
>
>> just as info before I'll do more debugging.
>>
>> StatusServer seems to be broken in 4.19 and latest patches applies at 
>> least here at Ulm University.
>
> Quick check: does the upstream add Message-Authenticator attribute in 
> Status-Server requests and do they accept Message-Authenticator in 
> replies?

nothing has changed at the upstream since I upgraded yesterday, here you 
see it after I switched back to 4.17:

Tue Aug  8 09:07:43 2017 099341: DEBUG: Packet dump:
*** Received from 193.174.XX.YY port 33333 ....
Code:       Status-Server
Identifier: 0
Authentic: <230>)t<226><6><166><174><232><20>$<9>O<184>vfB
Attributes:
     Message-Authenticator = 
b<165><188><140>C<231><209><15>\<160>c<205><174><242>=<6>
Tue Aug  8 09:07:43 2017 099988: DEBUG: Packet dump:


*** Sending reply to RadSec 193.174.75.134:33333 ....
Code:       Access-Accept
Identifier: 0
Authentic: <230>)t<226><6><166><174><232><20>$<9>O<184>vfB
Attributes:
     Reply-Message = "Radiator Radius server version 4.17"
     Reply-Message = "Running on mizar since Tue Aug  8 09:05:44 2017"


>
> Since Message-Authenticator uses the shared secret, is the secret 
> correct in case you have, for example, a separate monitoring going on 
> somewhere where there is no other traffic.

yes, nothing changed
>
>> I had to go back in panic to 4.17, since my eduroam upstream with the 
>> germany NREN stopped talking to me and a quick local test showed me, 
>> that something is wrong with StatusServer in Radiator 4.19.
>
> There have been changes in Status-Server handling where the 
> requirement of Message-Authenticator is likely the main thing that 
> could cause drops.
>
>> More tests will follow but maybe it is already helpful for you and 
>> you can look at your release tests too.
>
> I'll check. One more question: is it over RADIUS or RadSec where you 
> see the problem?

both, I've local checks with nagios, personally scripted with 
Authen::Radius, stopped working too, and remote via Server RADSEC from 
the german NREN.

Thanks for help. Great service, as always!

Best Regards
    Charly

-- 
Karl Gaissmaier
Universität Ulm
kiz, Kommunikations und Informationszentrum
89069 Ulm
Tel.: 49(0)731/50-22499
Fax : 49(0)731/50-12-22499

More information about the radiator mailing list