Hello Bogdan -
It looks to me like the Max has timed out and is retrying the request 10 seconds later.
I would suspect that there are filters or access lists blocking the return path so the access accept that is sent from Radiator never gets back to the Max.
regards
Hugh
On 20/11/2003, at 10:47 PM, Bogdan TARU wrote:
Hi everyone,
I just installed a Max 6000 as an RAS, with authentication and accounting to a radiator server. But the authentication isn't successful, even though I can see the radiator server sending the 'Access-Accept' packets to the Ascend box.
Here is the log file:
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    User-Name = "bgd"
    CHAP-Password = <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 10204
    NAS-Port-Type = Sync
    Service-Type = Framed-User
    Framed-Protocol = PPP
    State = ""
    Called-Station-Id = "90407500"
    Acct-Session-Id = "436366998"
    Ascend-Data-Rate = 64000
    Ascend-Xmit-Rate = 64000

Thu Nov 20 12:31:03 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Nov 20 12:31:03 2003: DEBUG: Rewrote user name to bgd
Thu Nov 20 12:31:03 2003: DEBUG: SessionsDSX Deleting session for bgd, 192.168.0.3, 10204
Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'delete from online where NASID='192.168.0.3' and NASPort='010204'':
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthSQL:
Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select users.attribute from users left join users AS tmp on tmp.User='bgd' where (tmp.User IS NULL AND users.User='Default')':
Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL looks for match with bgd
Thu Nov 20 12:31:03 2003: DEBUG: Radius::AuthSQL ACCEPT:
Thu Nov 20 12:31:03 2003: DEBUG: Handling with Radius::AuthDYNADDRESS
Thu Nov 20 12:31:03 2003: DEBUG: Query is: 'select Time, IPAddr from pools where Pool='192.168.0.3' and State=0 order by Time limit 1':
Thu Nov 20 12:31:03 2003: DEBUG: do query is: 'update pools set State=1,Time=1069327863,Expiry=1069331463,User='bgd',NASPort=010204 where IPAddr='10.1.1.5' and Time =0':
Thu Nov 20 12:31:03 2003: DEBUG: Access accepted for bgd
Thu Nov 20 12:31:03 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.3 port 1025 ....
Code: Access-Accept
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    Service-Type = Framed-User
    Framed-Protocol = PPP
    Session-Timeout = 3600
    Framed-IP-Address = 10.1.1.5

Thu Nov 20 12:31:13 2003: DEBUG: Packet dump:
*** Received from 192.168.0.3 port 1025 ....
Code: Access-Request
Identifier: 3
Authentic: <184><247><1><127><146><180><157>Df<174>(<196><22><217><216><11>
Attributes:
    User-Name = "bgd"
    CHAP-Password = <1><24><25><233>S"=<219><226><237>0<162><255>[<19>:<233>
    NAS-IP-Address = 192.168.0.3
    NAS-Port = 10204
    NAS-Port-Type = Sync
    Service-Type = Framed-User
    Framed-Protocol = PPP
As you can see, the ascend receives the 'Access-Accept' packet, but sends an 'Access-Request' immediately afterwards. Any idea what could be wrong? Here is my radius configuration:
### Begin of global configuration

### Some easy parameters
#BackGround
LogDir .
DbDir .
Trace 4

AuthPort 1900
AcctPort 1901

#RewriteUsername s/\*/@/

### Fetch all allowed Dialinrouters from the DB
<ClientListSQL>
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***

    GetClientQuery select Name,Secret,NasType from clients
</ClientListSQL>

### IPCP Parameters are fetched from here
<AddressAllocator SQL>
    Identifier POOL
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***

    DefaultLeasePeriod 7200
    LeaseReclaimInterval 1800

    FindQuery select Time, IPAddr from pools \
        where Pool='%{NAS-IP-Address}' and State=0 order by Time limit 1
    AllocateQuery update pools set State=1,Time=%0,Expiry=%1,User=%2,NASPort=0%{NAS-Port} \
        where IPAddr='%3' and Time %4
    CheckPoolQuery select State from pools where IPAddr='%0'
    AddAddressQuery insert into pools (State,Time,Pool,IPAddr) \
        values (0, %t, '%0', '%1')
    # DeallocateQuery has this (IP=%0 or NASPort=0%{NAS-Port} because
    # when I send a session-timeout, the IP isn't returned in the Cisco reply,
    # so I don't know what to deallocate
    DeallocateQuery update pools set State=0,Time=%t,NASPort=0 where (IPAddr='%0' OR NASPort=0%{NAS-Port}) AND Pool='%{NAS-IP-Address}'
    ReclaimQuery update pools set State=0 where State!=0 and Expiry < %0

    ### This ensures a sync between database and the router-status
    ### of allocated IPs at startup of radiator
    <AddressPool 192.168.0.3>
        Range 10.1.1.2 10.1.1.129
    </AddressPool>
</AddressAllocator>
### End of global configuration

### Used for "who's online now" stats.. basically optional
<SessionDatabase SQL>
    Identifier SessionsDSX
    DBSource dbi:mysql:radius
    DBUsername radius
    DBAuth ***

    AddQuery insert into online (User, NASID, NASPort, \
        AcctSessionID, Time, FramedIPAddress, NASPortType ) \
        values ('%U', '%N', 0%{NAS-Port}, '%{Acct-Session-Id}',\
        %{Timestamp}, '%{Framed-IP-Address}', '%{NAS-Port-Type}')
    DeleteQuery delete from online \
        where NASID='%N' and NASPort='0%2'
    ClearNasQuery delete from online where NASID='%N'
    CountQuery select NASID, NASPort, AcctSessionID from online \
        where User='%U'
</SessionDatabase>
##########################################################################
# Only one realm for now, the default one (everything goes in one table)
##########################################################################
<Realm DEFAULT>
    SessionDatabase SessionsDSX
    # AuthByPolicy ContinueWhileAccept # This is needed for multiple Auth-by statements being non-blocking
    AuthByPolicy ContinueUntilReject
    ### Kill off trailing '\'`s cause this would cause errors while writing into DB
    RewriteUsername s/(.*)\\+$/$1/

    ### Authenticate the user, and write accounting stats
    <AuthBy SQL>
        DBSource dbi:mysql:radius
        DBUsername radius
        DBAuth ***
        # AuthSelect select attribute from users where \
        # User='DEFAULT' order by id
        AuthSelect select users.attribute from users left join users AS tmp on \
            tmp.User='%{User-Name}' where (tmp.User IS NULL AND users.User='Default')
        AuthColumnDef 0, GENERIC, reply

        AccountingStopsOnly # we dont need starts, we are just calculating start time later on
        AcctSQLStatement insert into dialer \
            (AcctID, User, PhoneNr, \
            NASIPAddr, NASPortType, \
            AcctStartTime, AcctStopTime, AcctSessionTime, \
            AcctTerminateCause) \
            values \
            ( NULL, '%U', '%{Calling-Station-Id}', \
            '%{NAS-IP-Address}', '%{NAS-Port-Type}', \
            %t-%{Acct-Session-Time}, %t, '%{Acct-Session-Time}', \
            '%{Ascend-Disconnect-Cause}')
    </AuthBy>

    ### allocate an IP for the user, and set the maximum session time per country
    <AuthBy DYNADDRESS>
        Allocator POOL
        PoolHint %{NAS-IP-Address}
        MapAttribute yiaddr, Framed-IP-Address
    </AuthBy>
</Realm>
############################################################
Thanks, bogdan
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. - CATool: Private Certificate Authority for Unix and Unix-like systems.
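
The retry pattern discussed in this thread can be picked out of a Trace 4 log mechanically: RFC 2865 lets a server recognise a duplicate request by the client's source IP, source UDP port and Identifier. The Python below is an added example, not part of the thread or of Radiator; the function names, the sample log and its authenticator strings are constructed for illustration.

```python
import re
from datetime import datetime

# Header of one Trace 4 packet dump; \s* matches multi-line and flattened logs.
DUMP = re.compile(
    r"(\w{3} \w{3} +\d+ [\d:]{8} \d{4}): DEBUG: Packet dump:\s*"
    r"\*\*\* (Received from|Sending to) (\S+) port (\d+) \.{4}\s*"
    r"Code:\s*(\S+)\s*Identifier:\s*(\d+)\s*Authentic:\s*(.+?)\s+Attributes:",
    re.S)

def find_unanswered_retries(log_text):
    """Return Access-Requests the NAS resent after a reply had already been sent."""
    pending = {}    # (nas_ip, nas_port, identifier) -> last request seen for that key
    findings = []
    for ts, direction, ip, port, code, ident, auth in DUMP.findall(log_text):
        when = datetime.strptime(ts, "%a %b %d %H:%M:%S %Y")
        key = (ip, int(port), int(ident))
        prev = pending.get(key)
        if direction == "Sending to":
            if prev:
                prev["reply"] = code
        elif code == "Access-Request":
            if prev and prev["auth"] == auth:
                # Same source, Identifier and authenticator: a retransmission.
                if prev["reply"]:
                    findings.append({"nas": ip, "identifier": int(ident),
                                     "reply_sent": prev["reply"],
                                     "retry_after_s": int((when - prev["first"]).total_seconds())})
            else:
                # New request (or the Identifier was reused): start tracking it.
                pending[key] = {"auth": auth, "first": when, "reply": None}
    return findings

def _dump(ts, direction, code, ident, auth):  # builds one constructed log entry
    return (f"Thu Nov 20 {ts} 2003: DEBUG: Packet dump: *** {direction} 192.168.0.3 "
            f"port 1025 .... Code: {code} Identifier: {ident} Authentic: {auth} "
            f'Attributes: User-Name = "bgd"')

# Constructed sample modelled on the trace in the thread; authenticators are made up.
SAMPLE_LOG = "\n".join([
    _dump("12:31:03", "Received from", "Access-Request", 3, "<184><247>Df<174>"),
    _dump("12:31:03", "Sending to", "Access-Accept", 3, "<184><247>Df<174>"),
    _dump("12:31:13", "Received from", "Access-Request", 3, "<184><247>Df<174>"),
    _dump("12:31:20", "Received from", "Access-Request", 4, "<9><33>kQ<201>"),
    _dump("12:31:20", "Sending to", "Access-Accept", 4, "<9><33>kQ<201>"),
])

if __name__ == "__main__":
    print(find_unanswered_retries(SAMPLE_LOG))
```

A finding means the reply left Radiator but the NAS kept asking, so the next place to look is the return path (filters, access lists) between the two hosts.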
