Hello Simon -
This problem is in fact caused by your use of "Fork".
You should use neither "Fork" nor "Synchronous" in an AuthBy [SQL]RADIUS clause, as it operates asynchronously and maintains a table of outstanding requests for which it is awaiting a response. When you use "Fork" the new child instance of radiusd will send the proxy request, however the reply will come back to the parent process, which is why you are seeing the "Unknown reply ..." messages.
The "FailureBackoffTime" parameter really only applies to the SQL database, because the RADIUS Host objects are created dynamically out of the database for each request that is proxied.
regards
Hugh
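The failure described in the reply above, reduced to a runnable model (an added example, not Radiator code and not part of the original message). The function `proxy_once`, the AF_UNIX socket pair standing in for the UDP link, and the address 192.0.2.10 are all constructed for illustration; the child exits right after sending, a simplification of a forked radiusd child.

```python
import os
import socket

# Constructed upstream address (TEST-NET-1); used only as a table key and in the log text.
UPSTREAM = ("192.0.2.10", 1645)


def proxy_once(fork: bool, identifier: int = 2) -> str:
    """Proxy one request and return what the parent process logs for the reply."""
    # proxy_sock models the proxy's socket, upstream_sock the remote RADIUS server.
    proxy_sock, upstream_sock = socket.socketpair(socket.AF_UNIX, socket.SOCK_DGRAM)
    pending = {}  # outstanding requests: (host, port, identifier) -> original request

    def send_request():
        pending[UPSTREAM + (identifier,)] = "Access-Request"
        proxy_sock.send(bytes([1, identifier]))  # code 1 = Access-Request

    if fork:
        pid = os.fork()
        if pid == 0:
            # Child: the entry is recorded in the child's copy of the table only.
            try:
                send_request()
            finally:
                os._exit(0)  # the child's table disappears with the child
        os.waitpid(pid, 0)
    else:
        send_request()

    # Toy upstream server: answer Access-Accept (code 2), echoing the identifier.
    request = upstream_sock.recv(4096)
    upstream_sock.send(bytes([2, request[1]]))

    # The reply comes back on the socket the parent process is reading.
    proxy_sock.settimeout(2)
    reply = proxy_sock.recv(4096)
    proxy_sock.close()
    upstream_sock.close()

    key = UPSTREAM + (reply[1],)
    if pending.pop(key, None) is not None:
        return "matched reply to request %d" % reply[1]
    return "Unknown reply received for request %d from %s:%d" % (reply[1], *UPSTREAM)
```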
On Tuesday, Jul 29, 2003, at 10:43 Australia/Melbourne, [EMAIL PROTECTED] wrote:
Hi Guys,
I have a problem in that I keep getting the following error from the current
config that I am running.
WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1645
WARNING: Unknown reply received in AuthRADIUS for request 1 from yy.yy.yy.yy:1645
WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1645
WARNING: Unknown reply received in AuthRADIUS for request 1 from xx.xx.xx.xx:1646
I am trying to look in one database for a user, and if they exist then proxy the
request to another radius server based on the realm.
This config works fine if I just use it with only one user (me) using it. When
a lot of different users use it though, I find that radiator starts to ignore
a lot of the reply packets from the downstream radius servers.
It looks like radiator sends out the packet but then receives a reply from one
of the other servers, so it ignores the correct reply, as though it can not tell
the difference between the various replies it has received.
Some of the realms use the same proxy as each other, but other realms that have
one unique server to themselves still get unknown replies.
I think the problem may be stemming from my use of the 'Synchronous' flag but
from what I have checked in the documentation I believe it is right.
For what it is worth I have included a trace at the end, which shows
request received-> request checked at first db-> proxied to other server-> reply received.
But then I get the unknown reply error.
On another note there is a bit of ambiguity with the use of the
FailureBackoffTime in <authby SQLRADIUS> does it relate to the sql server back
off time or the radius proxy backoff time.
My Config... Basically this is the handler that is hit for almost all the realms...
<Handler Realm = /*.net/>
Identifier RADallusers
AuthBy RADUser
AuthBy RADUserLog
AcctLogFileName /var/log/radacct/details/%R.detail
</Handler>
which then gets passed to this auth module...
<authBy GROUP>
Identifier RADUser
AuthByPolicy ContinueUntilReject
Fork
<authBy SQL>
Identifier RADUserCheck
DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
DBUsername %{GlobalVar:DBUSER}
DBAuth %{GlobalVar:DBPASS}
FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
IgnoreAccounting NoDefault
AuthSelect select username, extra from users where username=%0
AuthColumnDef 0, User-Name, check
AuthColumnDef 1, GENERIC, reply
</AuthBy>
<authBy SQLRADIUS>
Identifier RADProxy
Synchronous
# I have tried every combo of these to no avail.
#UseExtendedIds
#IgnoreReplySignature
#ServerHasBrokenAddresses
Retries 2
RetryTimeout 15
DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
DBUsername %{GlobalVar:DBUSER}
DBAuth %{GlobalVar:DBPASS}
FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
HostSelect select R.host%0, R.secret, R.authport, \
R.acctport, R.rewriteusername from radiusservers R \
where R.dsl_domain='%R'
NumHosts 2
HostColumnDef 0, Host
HostColumnDef 1, Secret
HostColumnDef 2, AuthPort
HostColumnDef 3, AcctPort
HostColumnDef 4, RewriteUsername
</AuthBy>
</AuthBy>
And then this bit...(but no problems here.)
<authBy SQL>
Identifier RADUserLog
DBSource dbi:mysql:%{GlobalVar:DBNAME}:%{GlobalVar:DBSERVER}
DBUsername %{GlobalVar:DBUSER}
DBAuth %{GlobalVar:DBPASS}
FailureBackoffTime %{GlobalVar:DBBACKOFFTIME}
AcctFailedLogFileName %Y%m/%R.detail
AccountingTable detail_%Y%m
IgnoreAuthentication
AcctColumnDef logging stuff...
</AuthBy>
I do have other Handlers in the file that are just straight out <authBy RADIUS>.
Thanks for any help,
Simon Woodward
One Earth Internet
Mon Jul 28 18:45:03 2003: DEBUG: Timed out, retransmitting
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Sending to 203.26.199.6 port 1646 ....
Code: Accounting-Request
Identifier: 2
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
Acct-Session-Id = "0006A8F5"
Tunnel-Server-Endpoint = 203.194.30.234
Tunnel-Client-Endpoint = 172.31.148.87
Tunnel-Assignment-ID = 1
Tunnel-Type = 0:L2TP
Tunnel-ID = 1956114
Tunnel-Client-Auth-ID = n2563728k-vez2
Tunnel-Server-Auth-ID = LNS02-DRYB-MEL
Framed-Protocol = PPP
Framed-IP-Address = 220.240.71.96
Ascend-Connect-Progress = 60
Ascend-PreSession-Time = 2
Ascend-Xmit-Rate = 512
Ascend-Data-Rate = 512
Acct-Session-Time = 13962
Acct-Input-Octets = 43904
Acct-Output-Octets = 48593
Ascend-Pre-Input-Octets = 0
Ascend-Pre-Output-Octets = 98
Acct-Input-Packets = 2820
Acct-Output-Packets = 2827
Ascend-Pre-Input-Packets = 0
Ascend-Pre-Output-Packets = 6
Acct-Authentic = RADIUS
Acct-Status-Type = Alive
NAS-Port = 1310
Calling-Station-Id = "atm 9"
Called-Station-Id = "3:2.184#184569834##speed:UBR:512#pppoe 00:09:f3:00:ab:3b#/"
Service-Type = Framed-User
NAS-IP-Address = 203.220.79.62
Ascend-Session-Svr-Key = "91DA2645"
Event-Timestamp = 1059381899
NAS-Identifier = "LNS02-DRYB-MEL.comindico.com.au"
Acct-Delay-Time = 5
User-Name = "[EMAIL PROTECTED]"
NAS-Port-Type = ADSL-DMT
Timestamp = 1059381898
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Received from 203.194.28.132 port 1813 ....
Code: Accounting-Request
Identifier: 147
Authentic: <248><147>Ud]<0><254><227>LI<182><9>J<173><128>8
Attributes:
Acct-Session-Id = "000DB306"
Tunnel-Server-Endpoint = 203.194.30.234
Tunnel-Client-Endpoint = 172.31.147.87
Tunnel-Assignment-ID = 1
Tunnel-Type = 0:L2TP
Tunnel-ID = 1048028
Tunnel-Client-Auth-ID = n2563728k-nky2
Tunnel-Server-Auth-ID = LNS02-KENT-SYD
Framed-Protocol = PPP
Framed-IP-Address = 220.240.4.159
Ascend-Connect-Progress = 60
Ascend-PreSession-Time = 2
Ascend-Xmit-Rate = 512
Ascend-Data-Rate = 512
Acct-Session-Time = 566934
Acct-Input-Octets = 64704547
Acct-Output-Octets = 103235506
Ascend-Pre-Input-Octets = 0
Ascend-Pre-Output-Octets = 101
Acct-Input-Packets = 260287
Acct-Output-Packets = 274132
Ascend-Pre-Input-Packets = 0
Ascend-Pre-Output-Packets = 5
Acct-Authentic = RADIUS
Acct-Status-Type = Alive
NAS-Port = 1642
Calling-Station-Id = "atm 10"
Called-Station-Id = "0:2.299#184550311##speed:UBR:512#pppoe 00:50:ba:99:e8:b4#/"
Service-Type = Framed-User
NAS-IP-Address = 203.194.30.241
Ascend-Session-Svr-Key = "189124C2"
Event-Timestamp = 1059381904
NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
Acct-Delay-Time = 0
User-Name = "[EMAIL PROTECTED]"
NAS-Port-Type = ADSL-DMT
Proxy-State =
BSP2ims01-syd/ 6A8327DD60A0ED5525616BCEE8C7A478A18777C27B90B583A712D0B6F52951109EA394B B7B90B0436CD0CCE8A1805778425391
CD9798AD449F71BA7887426403FCCCE02019FFDF76E723B778875D3F54E7CCE02056F4C 228897CB76D
Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Mon Jul 28 18:45:03 2003: DEBUG: Handling request with Handler 'Realm = 1earth.net'
Mon Jul 28 18:45:03 2003: DEBUG: Adding session for [EMAIL PROTECTED],
203.194.30.241, 1642
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthRADIUS
Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select R.host1, R.secret,
R.authport, R.acctport, R.rewriteusername,
R.extras from radius R where R.domain='1earth.net'':
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
Mon Jul 28 18:45:03 2003: DEBUG: Handling accounting with Radius::AuthSQL
Mon Jul 28 18:45:03 2003: DEBUG: Accounting accepted
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Sending to 203.194.28.132 port 1813 ....
Code: Accounting-Response
Identifier: 147
Authentic: <248><147>Ud]<0><254><227>LI<182><9>J<173><128>8
Attributes:
Proxy-State =
BSP2ims01-syd/ 6A8327DD60A0ED5525616BCEE8C7A478A18777C27B90B583A712D0B6F52951109EA394B B7B90B0436CD0CCE8A1805778425391
CD9798AD449F71BA7887426403FCCCE02019FFDF76E723B778875D3F54E7CCE02056F4C 228897CB76D
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Sending to 203.132.224.18 port 1646 ....
Code: Accounting-Request
Identifier: 7
Authentic: <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
Attributes:
Acct-Session-Id = "000DB306"
Tunnel-Server-Endpoint = 203.194.30.234
Tunnel-Client-Endpoint = 172.31.147.87
Tunnel-Assignment-ID = 1
Tunnel-Type = 0:L2TP
Tunnel-ID = 1048028
Tunnel-Client-Auth-ID = n2563728k-nky2
Tunnel-Server-Auth-ID = LNS02-KENT-SYD
Framed-Protocol = PPP
Framed-IP-Address = 220.240.4.159
Ascend-Connect-Progress = 60
Ascend-PreSession-Time = 2
Ascend-Xmit-Rate = 512
Ascend-Data-Rate = 512
Acct-Session-Time = 566934
Acct-Input-Octets = 64704547
Acct-Output-Octets = 103235506
Ascend-Pre-Input-Octets = 0
Ascend-Pre-Output-Octets = 101
Acct-Input-Packets = 260287
Acct-Output-Packets = 274132
Ascend-Pre-Input-Packets = 0
Ascend-Pre-Output-Packets = 5
Acct-Authentic = RADIUS
Acct-Status-Type = Alive
NAS-Port = 1642
Calling-Station-Id = "atm 10"
Called-Station-Id = "0:2.299#184550311##speed:UBR:512#pppoe 00:50:ba:99:e8:b4#/"
Service-Type = Framed-User
NAS-IP-Address = 203.194.30.241
Ascend-Session-Svr-Key = "189124C2"
Event-Timestamp = 1059381904
NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
Acct-Delay-Time = 0
User-Name = "[EMAIL PROTECTED]"
NAS-Port-Type = ADSL-DMT
Timestamp = 1059381903
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Received from 203.132.224.18 port 1646 ....
Code: Accounting-Response
Identifier: 7
Authentic: <222><133><178><141><175><174><220>b<234><19><1><129><28><183><196><180 >
Attributes:
Mon Jul 28 18:45:03 2003: WARNING: Unknown reply received in AuthRADIUS for
request 7 from 203.132.224.18:1646
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Received from 203.194.28.131 port 1812 ....
Code: Access-Request
Identifier: 149
Authentic: <245>H<13><241><167>yD<19>Zz<177><139>j<14><187>?
Attributes:
Framed-Protocol = PPP
NAS-Port = 2195
Calling-Station-Id = "atm 10"
Called-Station-Id = "0:2.219#184550111##speed:UBR:256#/"
Service-Type = Framed-User
NAS-IP-Address = 203.194.30.241
NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
User-Password = "<142><7><209>0K$<146><168>~<249>!<17>c<179>6y"
User-Name = "[EMAIL PROTECTED]"
NAS-Port-Type = ADSL-DMT
Proxy-State =
BSP2ims01-syd/ F5480DF1A77944135A7AB18B6A0EBB3FC0461D8175533E662DEE5203BCF5406FFF62FEF 875533BA6E62C4E5DE85C48FE009D00
EE995B23A1158D38CDCE9E7B858C0B927E1B130BC44C9C24C4928C27898D4F9B62197D5 4C459
Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Mon Jul 28 18:45:03 2003: DEBUG: Rewrote user name to [EMAIL PROTECTED]
Mon Jul 28 18:45:03 2003: DEBUG: Handling request with Handler 'User-Name =
[EMAIL PROTECTED]'
Mon Jul 28 18:45:03 2003: DEBUG: Deleting session for [EMAIL PROTECTED],
203.194.30.241, 2195
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthGROUP
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthSQL: DSLUserCheck
Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select username, extra from users
where username='[EMAIL PROTECTED]'':
Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL looks for match with
[EMAIL PROTECTED]
Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select username, extra from users
where username='DEFAULT'':
Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL looks for match with DEFAULT
Mon Jul 28 18:45:03 2003: DEBUG: Radius::AuthSQL ACCEPT:
Mon Jul 28 18:45:03 2003: DEBUG: Handling with Radius::AuthRADIUS
Mon Jul 28 18:45:03 2003: DEBUG: Query is: 'select R.host1, R.secret,
R.authport, R.acctport, R.rewriteusername,
R.extras from radius R where R.domain='1earth.net'':
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Sending to 203.132.224.18 port 1645 ....
Code: Access-Request
Identifier: 2
Authentic: <245>H<13><241><167>yD<19>Zz<177><139>j<14><187>?
Attributes:
Framed-Protocol = PPP
NAS-Port = 2195
Calling-Station-Id = "atm 10"
Called-Station-Id = "0:2.219#184550111##speed:UBR:256#/"
Service-Type = Framed-User
NAS-IP-Address = 203.194.30.241
NAS-Identifier = "LNS02-KENT-SYD.comindico.com.au"
User-Password = "<166>UD<162><159>'<186><205>+Oz<149>L<246><253>-"
User-Name = "[EMAIL PROTECTED]"
NAS-Port-Type = ADSL-DMT
Mon Jul 28 18:45:03 2003: DEBUG: Packet dump:
*** Received from 203.132.224.18 port 1645 ....
Code: Access-Accept
Identifier: 2
Authentic: v<241><242>y<182><254><4><154>bz<245><127><19><238><133>*
Attributes:
Service-Type = Framed-User
Framed-Protocol = PPP
Framed-Compression = Van-Jacobson-TCP-IP
Mon Jul 28 18:45:03 2003: WARNING: Unknown reply received in AuthRADIUS for
request 2 from 203.132.224.18:1645
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
