Hello,
We are using Radiator-2.18.1 on FreeBSD-4.3-STABLE.
It is working very well and good enough.
I have been using AuthBySQL for dial-up subscribers and AuthByRadius for
iPass outbound authentication.
Just yesterday I added another AuthByRadius for proxy authentication to
our old Merit AAA-4.2.1E.
After that, Merit AAA-4.2.1E radius users can't authenticate.
They receive a "username/password wrong or invalid" message from Radiator.
Following is the Radiator logfile:
---------------------------------------------
Fri Aug 17 09:57:39 2001: DEBUG: Packet dump:
*** Received from 202.179.0.135 port 1645 ....
Code: Access-Request
Identifier: 212
Authentic: <237><204><218>3y<212><208>t <153><225><241><1><219><153>b
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "<217>'<158>b#)-(u<182><24>K<25><252><134>["
Service-Type = Framed-User
Framed-Protocol = PPP
Fri Aug 17 09:57:39 2001: DEBUG: Rewrote user name to stac
Fri Aug 17 09:57:39 2001: DEBUG: Rewrote user name to stac
Fri Aug 17 09:57:39 2001: DEBUG: Check if Handler Request-Type =
Accounting-Request, Class = MERIT should be used to handle this request
Fri Aug 17 09:57:39 2001: DEBUG: Check if Handler Request-Type =
Accounting-Request, Class = IPASS should be used to handle this request
Fri Aug 17 09:57:39 2001: DEBUG: Check if Handler Request-Type =
Accounting-Request should be used to handle this request
Fri Aug 17 09:57:39 2001: DEBUG: Check if Handler NAS-IP-Address =
202.179.0.130 should be used to handle this request
Fri Aug 17 09:57:39 2001: DEBUG: Check if Handler NAS-IP-Address =
202.179.0.135 should be used to handle this request
Fri Aug 17 09:57:39 2001: DEBUG: Handling request with Handler
'NAS-IP-Address = 202.179.0.135'
Fri Aug 17 09:57:39 2001: DEBUG: SQL1 Deleting session for stac,
202.179.0.135, 536
Fri Aug 17 09:57:39 2001: DEBUG: do query is: delete from RADONLINE
where USERNAME='stac' and NASIDENTIFIER='202.179.0.135' and NASPORT=536
Fri Aug 17 09:57:40 2001: DEBUG: Handling with Radius::AuthSQL
Fri Aug 17 09:57:40 2001: DEBUG: Handling with Radius::AuthSQL
Fri Aug 17 09:57:40 2001: DEBUG: Query is: select
ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR,if(PREPAID="YES",TIMELEFT,NIGHT)
as TIME, class from
SUBSCRIBERS where USERNAME='stac' and STATUS='Active'
Fri Aug 17 09:57:40 2001: DEBUG: Radius::AuthSQL looks for match with stac
Fri Aug 17 09:57:40 2001: DEBUG: Query is: select
ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR,if(PREPAID="YES",TIMELEFT,NIGHT)
as TIME, class from
SUBSCRIBERS where USERNAME='DEFAULT' and STATUS='Active'
Fri Aug 17 09:57:40 2001: DEBUG: Handling with Radius::AuthRADIUS
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.106 port 1645 ....
Code: Access-Request
Identifier: 197
Authentic: <237><204><218>3y<212><208>t <153><225><241><1><219><153>b
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "M<253><156>Z<167><2>R[&T<226><210>_<220><251>-"
Service-Type = Framed-User
Framed-Protocol = PPP
Fri Aug 17 09:57:40 2001: DEBUG: Handling with Radius::AuthRADIUS
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.167 port 1645 ....
Code: Access-Request
Identifier: 201
Authentic: <237><204><218>3y<212><208>t <153><225><241><1><219><153>b
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "M<253><156>Z<167><2>R[&T<226><210>_<220><251>-"
Service-Type = Framed-User
Framed-Protocol = PPP
Fri Aug 17 09:57:40 2001: ERR: Attribute number 145 (vendor 61) is not
defined in your dictionary
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Received from 202.179.0.106 port 1645 ....
Code: Access-Accept
Identifier: 197
Authentic: <210>Q<139>Lp<146><146><227><146>;{<148>I<212><186><166>
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "M<253><156>Z<167><2>R[&T<226><210>_<220><251>-"
Service-Type = Framed-User
Framed-Protocol = PPP
User-Id = "stac"
NAS-Identifier = "202.179.0.135"
User-Realm = ""
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Class = "3b7c799c.e.nmc.ub.mng.net"
Fri Aug 17 09:57:40 2001: DEBUG: Received reply in AuthRADIUS for req
197 from 202.179.0.106:1645
Fri Aug 17 09:57:40 2001: DEBUG: Access accepted for stac
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.135 port 1645 ....
Code: Access-Accept
Identifier: 212
Authentic: <237><204><218>3y<212><208>t <153><225><241><1><219><153>b
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "M<253><156>Z<167><2>R[&T<226><210>_<220><251>-"
Service-Type = Framed-User
Framed-Protocol = PPP
User-Id = "stac"
NAS-Identifier = "202.179.0.135"
User-Realm = ""
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Class = "3b7c799c.e.nmc.ub.mng.net"
Class = "MERIT"
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Received from 202.179.0.167 port 1645 ....
Code: Access-Reject
Identifier: 201
Authentic: c<247><16><143><203><222><144><189>x<236><215><163><6>2<176><216>
Attributes:
Fri Aug 17 09:57:40 2001: DEBUG: Received reply in AuthRADIUS for req
201 from 202.179.0.167:1645
Fri Aug 17 09:57:40 2001: INFO: Access rejected for stac: Proxied
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.135 port 1645 ....
Code: Access-Reject
Identifier: 212
Authentic: <237><204><218>3y<212><208>t <153><225><241><1><219><153>b
Attributes:
NAS-IP-Address = 202.179.0.135
NAS-Port = 536
Cisco-NAS-Port = "Async3/104"
NAS-Port-Type = Async
User-Name = "stac"
Called-Station-Id = "1633"
Calling-Station-Id = "11315556"
User-Password = "M<253><156>Z<167><2>R[&T<226><210>_<220><251>-"
Service-Type = Framed-User
Framed-Protocol = PPP
User-Id = "stac"
NAS-Identifier = "202.179.0.135"
User-Realm = ""
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-MTU = 1500
Framed-Compression = Van-Jacobson-TCP-IP
Class = "3b7c799c.e.nmc.ub.mng.net"
Class = "MERIT"
Class = "IPASS"
Reply-Message = "Proxied"
-----------------------------------------------
I don't understand why Radiator is sending the Access-Request simultaneously to
both iPass outbound and Merit AAA.
Could you help me to solve it?
I think Radiator should do authentication one-by-one. We are using the
"ContinueUntilAccept" policy. Is it correct?
I attached the Radiator configuration file.
Thank you,
Ganbold
# radius.cfg
Foreground
Trace 4
AuthPort 1645
AcctPort 1646
LogDir /var/log/radius
#DbDir /usr/local/mysql/var/radius
LogFile %L/logfile
DictionaryFile /root/radiator/Radiator-2.18.1/dictionary
#FingerProg /usr/bin/finger
SnmpgetProg /usr/local/bin/snmpget
<Client xxx.xxx.xxx.xxx>
Secret <removed>
DupInterval 15
# NoIgnoreDuplicates Access-Request
NasType Cisco
RewriteUsername tr/[A-Z]/[a-z]/
RewriteUsername s/^([^@]+).*/$1/
SNMPCommunity public
StatusServerShowClientDetails
</Client>
<Client xxx.xxx.xxx.xxx>
Secret <removed>
DupInterval 15
# NoIgnoreDuplicates Access-Request
NasType Cisco
RewriteUsername tr/[A-Z]/[a-z]/
RewriteUsername s/^([^@]+).*/$1/
SNMPCommunity public
StatusServerShowClientDetails
</Client>
<Client xxx.xxx.xxx.xxx>
Secret <removed>
DupInterval 15
# NoIgnoreDuplicates Access-Request
NasType AscendSNMP
#NasType Cisco
RewriteUsername tr/[A-Z]/[a-z]/
RewriteUsername s/^([^@]+).*/$1/
SNMPCommunity public
StatusServerShowClientDetails
</Client>
# iPass outbound radius
<Client xxx.xxx.xxx.xxx>
Secret <removed>
</Client>
<Client localhost>
Secret <removed>
</Client>
<Client DEFAULT>
Secret <removed>
DupInterval 15
# NoIgnoreDuplicates Access-Request
NasType Cisco
RewriteUsername tr/[A-Z]/[a-z]/
RewriteUsername s/^([^@]+).*/$1/
SNMPCommunity public
StatusServerShowClientDetails
</Client>
<AuthBy SQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
Identifier SQLAcctOnly
AuthSelect
AccountingTable ACCOUNTING
AccountingStopsOnly
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
AcctColumnDef class,Class
AcctSQLStatement update SUBSCRIBERS set TIMELEFT=TIMELEFT-%{Acct-Session-Time}
where USERNAME='%n' and PREPAID='YES'
</AuthBy>
<AuthBy SQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
Identifier ROAMAcctOnly
AuthSelect
AccountingTable ACCOUNTINGROAM
AccountingStopsOnly
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
AcctColumnDef CALLINGSTATIONID,Calling-Station-Id
</AuthBy>
<AuthBy SQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
Identifier CiscoAuthOnly
AuthSelect select
ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR,if(PREPAID="YES",TIMELEFT,NIGHT) as TIME, class
from SUBSCRIBERS where USERNAME='%n' and STATUS='Active'
EncryptedPassword
# AuthColumnDef 0, User-Password, check
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, reply
AuthColumnDef 3, Session-Timeout, reply
AuthColumnDef 4, Class, reply
AddToReply Framed-Protocol = PPP,Service-Type = Framed-User,Framed-MTU =
1500,Framed-Compression = Van-Jacobson-TCP-IP
AccountingTable
DefaultSimultaneousUse 1
RejectEmptyPassword
</AuthBy>
<AuthBy SQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
Identifier AscendAuthOnly
AuthSelect select
ENCRYPTEDPASSWORD,CHECKATTR,REPLYATTR,if(PREPAID="YES",TIMELEFT,NIGHT) as TIME, class
from SUBSCRIBERS where USERNAME='%n' and STATUS='Active'
EncryptedPassword
# AuthColumnDef 0, User-Password, check
AuthColumnDef 0, Encrypted-Password, check
AuthColumnDef 1, GENERIC, check
AuthColumnDef 2, GENERIC, reply
AuthColumnDef 3, Session-Timeout, reply
AuthColumnDef 4, Class, reply
AddToReply Framed-Protocol = PPP,Service-Type = Framed-User,Framed-MTU =
1500,Framed-Compression = Van-Jacobson-TCP-IP
AccountingTable
DefaultSimultaneousUse 1
RejectEmptyPassword
</AuthBy>
# New AuthByRadius
<AuthBy RADIUS>
Identifier CheckMERIT
AddToReply Class = MERIT
Host xxx.xxx.xxx.xxx
Secret <removed>
AuthPort 1645
AcctPort 1646
Retries 2
RetryTimeout 30
DefaultSimultaneousUse 1
RejectEmptyPassword
</AuthBy>
<AuthBy RADIUS>
Identifier CheckIPASS
AddToReply Class = IPASS
Host xxx.xxx.xxx.xxx
Secret <removed>
AuthPort 1645
AcctPort 1646
Retries 2
RetryTimeout 30
DefaultSimultaneousUse 1
RejectEmptyPassword
</AuthBy>
<Handler Request-Type = Accounting-Request, Class = MERIT>
AuthBy ROAMAcctOnly
</Handler>
<Handler Request-Type = Accounting-Request, Class = IPASS>
AuthBy ROAMAcctOnly
</Handler>
<Handler Request-Type = Accounting-Request>
AuthBy SQLAcctOnly
</Handler>
<Handler NAS-IP-Address = xxx.xxx.xxx.xxx>
RejectHasReason
AccountingHandled
SessionDatabase SQL1
# AuthByPolicy ContinueWhileIgnore
# AuthByPolicy ContinueUntilIgnore
# AuthByPolicy ContinueWhileAccept
AuthByPolicy ContinueUntilAccept
# AuthByPolicy ContinueWhileReject
# AuthByPolicy ContinueUntilReject
AuthBy CiscoAuthOnly
AuthBy CheckIPASS
AuthBy CheckMERIT
PostAuthHook file:"/root/radiator/Radiator-2.18.1/CheckBlockTimeLeft"
</Handler>
<Handler NAS-IP-Address = xxx.xxx.xxx.xxx>
RejectHasReason
AccountingHandled
SessionDatabase SQL1
# AuthByPolicy ContinueWhileIgnore
# AuthByPolicy ContinueUntilIgnore
# AuthByPolicy ContinueWhileAccept
AuthByPolicy ContinueUntilAccept
# AuthByPolicy ContinueWhileReject
# AuthByPolicy ContinueUntilReject
AuthBy CiscoAuthOnly
AuthBy CheckIPASS
AuthBy CheckMERIT
PostAuthHook file:"/root/radiator/Radiator-2.18.1/CheckBlockTimeLeft"
</Handler>
<Handler NAS-IP-Address = xxx.xxx.xxx.xxx>
RejectHasReason
AccountingHandled
SessionDatabase SQL1
# AuthByPolicy ContinueWhileIgnore
# AuthByPolicy ContinueUntilIgnore
# AuthByPolicy ContinueWhileAccept
AuthByPolicy ContinueUntilAccept
# AuthByPolicy ContinueWhileReject
# AuthByPolicy ContinueUntilReject
AuthBy AscendAuthOnly
AuthBy CheckIPASS
AuthBy CheckMERIT
PostAuthHook file:"/root/radiator/Radiator-2.18.1/CheckBlockTimeLeft"
</Handler>
<Handler>
PasswordLogFileName %L/password.log
RejectHasReason
AccountingHandled
SessionDatabase SQL1
# AuthByPolicy ContinueWhileIgnore
# AuthByPolicy ContinueUntilIgnore
# AuthByPolicy ContinueWhileAccept
AuthByPolicy ContinueUntilAccept
# AuthByPolicy ContinueWhileReject
# AuthByPolicy ContinueUntilReject
AuthBy CiscoAuthOnly
#AuthBy CheckIPASS
PostAuthHook file:"/root/radiator/Radiator-2.18.1/CheckBlockTimeLeft"
</Handler>
<ClientListSQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
</ClientListSQL>
<SessionDatabase SQL>
DBSource dbi:mysql:radius:xxx.xxx.xxx.xxx
DBUsername <removed>
DBAuth <removed>
# Optional identifier. It's just a name
Identifier SQL1
AddQuery insert into RADONLINE
(USERNAME,NASIDENTIFIER,NASPORT,ACCTSESSIONID,TIME_STAMP,FRAMEDIPADDRESS,NASPORTTYPE,SERVICETYPE,CALLINGSTATIONID)
values('%n','%N',%{NAS-Port},'%{Acct-Session-Id}',%{Timestamp},'%{Framed-IP-Address}','%{NAS-Port-Type}','%{Service-Type}','%{Calling-Station-Id}')
DeleteQuery delete from RADONLINE where USERNAME='%n' and NASIDENTIFIER='%N'
and NASPORT=%{NAS-Port}
ClearNasQuery delete from RADONLINE where NASIDENTIFIER='%N'
CountQuery select NASIDENTIFIER,NASPORT,ACCTSESSIONID from RADONLINE where
USERNAME='%n'
</SessionDatabase>
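The trace above shows the Handler consulting AuthBy SQL (no row for stac or DEFAULT), then forwarding to the first proxy, then forwarding to the second proxy before either proxy has answered, and finally relaying both the Access-Accept and the Access-Reject to the NAS under the same request Identifier 212. The following added example is not from the post or from Radiator itself. It parses Radiator-style "Packet dump" blocks from a Trace 4 log, reports how many proxies a request was forwarded to before any reply came back, and flags any request Identifier that received more than one reply (a NAS should see exactly one reply per request). It also contains a small model of the six AuthByPolicy values to show why the policy is not the lever here: the model assumes, as the ordering of the log suggests, that a forwarding AuthBy reports IGNORE to the Handler as soon as it has sent the request, so every "Continue..." policy moves on to the next AuthBy. The sample log is constructed from the quoted trace with the attribute lists shortened; names like parse_packet_dumps and run_policy are this example's own.

```python
import re
from collections import defaultdict

# Constructed sample: condensed from the Trace 4 output quoted in the post
# (same peers, codes and Identifiers; attribute lists shortened).
SAMPLE_LOG = """\
Fri Aug 17 09:57:39 2001: DEBUG: Packet dump:
*** Received from 202.179.0.135 port 1645 ....
Code: Access-Request
Identifier: 212
Attributes:
User-Name = "stac"
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.106 port 1645 ....
Code: Access-Request
Identifier: 197
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.167 port 1645 ....
Code: Access-Request
Identifier: 201
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Received from 202.179.0.106 port 1645 ....
Code: Access-Accept
Identifier: 197
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.135 port 1645 ....
Code: Access-Accept
Identifier: 212
Attributes:
Class = "MERIT"
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Received from 202.179.0.167 port 1645 ....
Code: Access-Reject
Identifier: 201
Fri Aug 17 09:57:40 2001: DEBUG: Packet dump:
*** Sending to 202.179.0.135 port 1645 ....
Code: Access-Reject
Identifier: 212
Attributes:
Reply-Message = "Proxied"
"""

PACKET_RE = re.compile(r"^\*\*\* (Received from|Sending to) (\S+) port (\d+)")
ATTR_RE = re.compile(r"^([\w-]+) = (.*)$")


def parse_packet_dumps(text):
    """Turn each '*** Received from / Sending to' block into a dict."""
    packets, cur = [], None
    for line in text.splitlines():
        m = PACKET_RE.match(line)
        if m:
            cur = {"dir": "in" if m.group(1).startswith("Received") else "out",
                   "peer": m.group(2), "port": int(m.group(3)),
                   "code": None, "id": None, "attrs": {}}
            packets.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Code: "):
            cur["code"] = line[6:].strip()
        elif line.startswith("Identifier: "):
            cur["id"] = int(line[12:])
        else:
            m = ATTR_RE.match(line)
            if m:
                cur["attrs"][m.group(1)] = m.group(2).strip('"')
    return packets


def forwards_before_first_reply(packets):
    """How many Access-Requests were sent out before any reply came back."""
    n = 0
    for p in packets:
        if p["dir"] == "in" and p["code"] != "Access-Request":
            break
        if p["dir"] == "out" and p["code"] == "Access-Request":
            n += 1
    return n


def duplicate_replies(packets):
    """Replies sent to the same peer/port with the same Identifier more than
    once; returns {(peer, port, id): [codes...]} for the offenders."""
    sent = defaultdict(list)
    for p in packets:
        if p["dir"] == "out" and p["code"] != "Access-Request":
            sent[(p["peer"], p["port"], p["id"])].append(p["code"])
    return {k: v for k, v in sent.items() if len(v) > 1}


def run_policy(policy, results):
    """Simplified model of a Handler's AuthByPolicy over the result each
    AuthBy returns in turn. Returns (last result, AuthBys consulted)."""
    stop_when = {
        "ContinueWhileIgnore": lambda r: r != "IGNORE",
        "ContinueUntilIgnore": lambda r: r == "IGNORE",
        "ContinueWhileAccept": lambda r: r != "ACCEPT",
        "ContinueUntilAccept": lambda r: r == "ACCEPT",
        "ContinueWhileReject": lambda r: r != "REJECT",
        "ContinueUntilReject": lambda r: r == "REJECT",
    }[policy]
    last, consulted = "IGNORE", 0
    for r in results:
        last, consulted = r, consulted + 1
        if stop_when(r):
            break
    return last, consulted


if __name__ == "__main__":
    pkts = parse_packet_dumps(SAMPLE_LOG)
    print("forwarded before any reply:", forwards_before_first_reply(pkts))
    print("duplicate replies:", duplicate_replies(pkts))
    # Assumption: SQL found no row (IGNORE) and each forwarding AuthBy
    # returns IGNORE right after sending, so all three AuthBys run.
    print(run_policy("ContinueUntilAccept", ["IGNORE", "IGNORE", "IGNORE"]))
```

Running it on the constructed sample reports two forwards before any reply and one duplicate: peer 202.179.0.135 port 1645 Identifier 212 received both Access-Accept and Access-Reject. The policy model shows that a chain of three IGNORE results is consulted to the end under ContinueUntilAccept, which matches the trace; a reply from the second proxy then arrives after the first has already been relayed. The check in duplicate_replies is the one worth running over a real log when a NAS reports contradictory results for the same login.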