I have attached my radius.cfg file. Currently, I don't have the ability to capture a snoop showing the problem. Basically, here's what I saw during the snoop:
# snoop port 1812 ns1
<NAS A> -> ns1
<NAS A> -> ns1
<NAS A> -> ns1
<NAS B> -> ns1
<NAS B> -> ns1
<NAS B> -> ns1
. . .
As far as the level 4 trace goes, it showed nothing from the NASes it decided to ignore (like A and B in the example snoop). According to the logs, all the other NASes were behaving normally.
Thanks, jason
Frank Danielson wrote:
It's hard to say from the info you have provided. How about providing the
config file, a level 4 trace, and doing a snoop -o to capture some of this
unanswered traffic to a file and send that as well?
-----Original Message-----
From: Jason Signalness [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 17, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Radiator ignoring some clients
Hello,
We are having serious issues with Radiator. I tried e-mailing this to radius-support and to the list, but have not received a response from either. It doesn't appear the message posted to the list, so I will try again using my other address.
Our environment:
Radiator 3.7.1
Perl 5.8.1
Solaris 9
Basically, we tried to upgrade from Radiator 3.3.1 running on Solaris 8 with Perl 5.6 to the new setup. On the new server (Solaris 9) I installed Radiator, copied over the config files, updated the environment variables (ORACLE_HOME, etc) and started it up. No problems. I used radpwtst to test users in our various databases (LDAP, Oracle, and a flat file) and it all seemed fine.
Then we put this upgraded system (actually 2 identical systems) into production. Requests from certain access servers are handled and answered by Radiator. Requests from other access servers seem to be completely ignored. By "completely ignored," I mean that nothing shows up at all in a DEBUG level log. If I run a snoop on the radius server, I see a ton of traffic from a given NAS to the radius server on port 1812, but not a single response going the other way.
We have cleared the ARP entries in our switches and rebooted one of the NASes. Same behavior. It is as if Radiator simply doesn't pay attention to some access servers or some requests from some access servers.
Eventually, we gave up and powered on our old servers (Radiator 3.3.1, Perl 5.6, Solaris 8). The really weird thing is that we see this behavior on these servers as well... and they worked perfectly earlier.
When I launch Radar, I see the clients listed. And like I said before, I'm not getting any "bad authenticator" errors in the logs. Nothing shows up at all for most of our access servers.
I'm desperate for assistance.
Thanks,
# radius.cfg
Trace 4

# Set this to the database directory. It should contain these files:
#   users         The user database/file
#   dictionary    The NAS dictionary
DbDir           /opt/share/radiator/configs
DictionaryFile  %D/dictionary
LogDir          /var/log/radius
LogFile         %L/%m-%d-%Y-radius.log
PidFile         %L/radius.pid

# Used to check NAS for Simultaneous-Use
SnmpgetProg     /opt/share/net-snmp/bin/snmpget

AuthPort 1812
AcctPort 1813

# Remove any non-alphanumeric characters
RewriteUsername s/[EMAIL PROTECTED]//g
# Remove any spaces from usernames
RewriteUsername s/\s+//g
# Converts anything uppercase to lowercase
RewriteUsername tr/A-Z/a-z/

# Allow SNMP tests
<SNMPAgent>
        ROCommunity xxxxxxxx
        Port 1983
</SNMPAgent>

# Log authentication FAILURES to the database for BTI customers.
<AuthLog SQL>
        Identifier BTIAuthLoggerSQL
        DBSource dbi:Oracle:xxxxxxxxxxxxxxxxxxx
        DBUsername btiauth
        DBAuth xxxxxxxxxxxxx
        Timeout 10
        FailureBackoffTime 60
        FailureQuery BEGIN radius.logAppAction('%n','rad','LOGIN FAILED (%h): %n ('%1')','error','%c'); END;
</AuthLog>

<AuthLog FILE>
        Identifier BTIAuthLoggerFile
        Filename %L/%m-%d-%Y-btiauth.log
</AuthLog>

# Handler to immediately reject the premastack user
# which is something that the routers at PREMA use and
# is NOT an actual user.
<Handler [EMAIL PROTECTED]>
        <AuthBy FILE>
                Filename %D/reject_user
        </AuthBy>
</Handler>

<AuthBy PLSQL>
        Identifier BTICheckDB
        NoDefault
        #DefaultSimultaneousUse 1
        DBSource dbi:Oracle:xxxxxxxxxxxxxxxx
        DBUsername btiauth
        DBAuth xxxxxxxxxxxxxx
        Timeout 10
        FailureBackoffTime 60
        # Authentication. Note that getUser searches on a username field that contains [EMAIL PROTECTED], not just username.
        # Note that the view being searched also contains only users who have the "rad" application
        # enabled and are active.
        AuthBlock BEGIN radius.getUser('%n',:passwd,:check_item,:reply_item); END;
        EncryptedPassword
        AuthParamDef :passwd, Encrypted-Password, check
        AuthParamDef :check_item, GENERIC, check
        AuthParamDef :reply_item, GENERIC, reply
</AuthBy>

<AuthBy PLSQL>
        Identifier BTIWireless
        NoDefault
        #DefaultSimultaneousUse 1
        DBSource dbi:Oracle:xxxxxxxxxxxxxxx
        DBUsername btiauth
        DBAuth xxxxxxxxxxxxxx
        Timeout 10
        FailureBackoffTime 60
        # Authentication. Note that getUser searches on a username field that contains [EMAIL PROTECTED], not just username.
        # Note that the view being searched also contains only users who have the "rad" application
        # enabled and are active.
        AuthBlock BEGIN radius.getUser('%n',:passwd,:check_item,:reply_item); END;
        AuthParamDef :passwd, Password, check
        AuthParamDef :check_item, GENERIC, check
        AuthParamDef :reply_item, GENERIC, reply
</AuthBy>

<AuthBy FILE>
        Identifier BTICheckFILE
        #DefaultSimultaneousUse 1
        Filename %D/users
</AuthBy>

<AuthBy LDAP2>
        Identifier BTICheckLDAP_ns1
        NoDefault
        # DefaultSimultaneousUse 1
        AuthDN cn=proxyagent,ou=people,o=bti
        AuthPassword xxxxxxxxxxxxxx
        Debug 255
        Host ns1.btinet.net
        SearchFilter (&(btiallowedapplications=rad)(uid=%U))
        BaseDN ou=People,o=%R,o=bti
        EncryptedPasswordAttr userPassword
        AuthAttrDef bticheckattr,GENERIC,check
        AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>

<AuthBy LDAP2>
        Identifier BTICheckLDAP_ns2
        NoDefault
        # DefaultSimultaneousUse 1
        AuthDN cn=proxyagent,ou=people,o=bti
        AuthPassword xxxxxxxxxxxxxx
        Debug 255
        Host ns2.btinet.net
        SearchFilter (&(btiallowedapplications=rad)(uid=%U))
        BaseDN ou=People,o=%R,o=bti
        EncryptedPasswordAttr userPassword
        AuthAttrDef bticheckattr,GENERIC,check
        AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>

<AuthBy LDAP2>
        Identifier BTICheckLDAP_ds1v
        NoDefault
        # DefaultSimultaneousUse 1
        AuthDN cn=proxyagent,ou=people,o=bti
        AuthPassword xxxxxxxxxxxxx
        Debug 255
        Host ds1v.btinet.net
        SearchFilter (&(btiallowedapplications=rad)(uid=%U))
        BaseDN ou=People,o=%R,o=bti
        EncryptedPasswordAttr userPassword
        AuthAttrDef bticheckattr,GENERIC,check
        AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>

<AuthBy GROUP>
        Identifier BTIAuthUser
        AuthByPolicy ContinueWhileReject
        AuthBy BTICheckLDAP_ns2
        AuthBy BTICheckLDAP_ns1
        # AuthBy BTICheckLDAP_ds1v
        AuthBy BTICheckFILE
        AuthBy BTICheckDB
</AuthBy>

<AuthBy GROUP>
        # This AuthBy should be removed after LDAP migration.
        Identifier BTIAuthUserNoLDAP
        AuthByPolicy ContinueWhileReject
        AuthBy BTICheckFILE
        AuthBy BTICheckDB
</AuthBy>

<SessionDatabase SQL>
        Identifier SessionDB
        DBSource dbi:Oracle:xxxxxxxxxxxxxxxxxxxxx
        DBUsername btiauth
        DBAuth xxxxxxxxxxxxxx
        Timeout 10
        FailureBackoffTime 60
        #NOTE: queries are kept to a single line to increase readability in the log files
        AddQuery BEGIN radius.insertRADOnline('%n','%c',%{NAS-Port},'%{Acct-Session-Id}','%{Framed-IP-Address}','%{NAS-Port-Type}','%{Service-Type}'); END;
        # DeleteQuery BEGIN radius.deleteRADOnline('%n','%c', %{NAS-Port}); END;
        DeleteQuery BEGIN radius.deleteRADOnline('%n','%c', 0%2); END;
        ClearNasQuery BEGIN radius.clearRADClient('%c'); END;
        CountQuery SELECT rc.ipaddress, ro.nasport, ro.acctsessionid, ro.framedipaddress FROM radonline ro, radclient rc WHERE username = '%n' AND ro.radclient_id = rc.id
        # CountQuery SELECT rc.nasidentifier, ro.nasport, ro.acctsessionid, ro.framedipaddress FROM radonline ro, radclient rc WHERE username = '%n' AND ro.radclient_id = rc.id
</SessionDatabase>

#
# Handlers Section:
# This section is what is "executed" by radius and determines
# which of the above "sections" to call.
#

# This Handler may be deleted once migration to LDAP is complete
<Handler Acct-Status-Type=Stop,Realm=umary.edu>
        # The following line directly inserts accounting records into the database
        # AuthBy insertAccountingRecord
        #
        # Create an accounting "log" file that can be directly run in batch mode.
        #
        # This clause automatically returns an ACCEPT to the NAS for this
        # accounting record. This is necessary so that the NAS does not
        # keep sending accounting records.
        #
        <AuthBy INTERNAL>
                AcctResult ACCEPT
        </AuthBy>
        AcctLogFileName %L/%m-%d-%Y-acct.log
        AcctLogFileFormat BEGIN radius.insertAccountingRecord('%n','%c','%C','%{Acct-Status-Type}',TO_NUMBER('%{Acct-Delay-Time}'),TO_NUMBER('%{Acct-Input-Octets}'),TO_NUMBER('%{Acct-Output-Octets}'),TO_NUMBER('%{Acct-Input-Packets}'),TO_NUMBER('%{Acct-Output-Packets}'),'%{Acct-Session-Id}',TO_NUMBER('%{Acct-Session-Time}'),'%{Acct-Terminate-Cause}',TO_NUMBER('%{NAS-Port}'),'%{Framed-IP-Address}',TO_DATE('%i %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')); END; %r/%r
</Handler>

<Handler Acct-Status-Type=Stop>
        # The following line directly inserts accounting records into the database
        # AuthBy insertAccountingRecord
        #
        # Create an accounting "log" file that can be directly run in batch mode.
        #
        # This clause automatically returns an ACCEPT to the NAS for this
        # accounting record. This is necessary so that the NAS does not
        # keep sending accounting records.
        #
        <AuthBy INTERNAL>
                AcctResult ACCEPT
        </AuthBy>
        AcctLogFileName %L/%m-%d-%Y-acct.log
        AcctLogFileFormat BEGIN radius.insertAccountingRecord('%n','%c','%C','%{Acct-Status-Type}',TO_NUMBER('%{Acct-Delay-Time}'),TO_NUMBER('%{Acct-Input-Octets}'),TO_NUMBER('%{Acct-Output-Octets}'),TO_NUMBER('%{Acct-Input-Packets}'),TO_NUMBER('%{Acct-Output-Packets}'),'%{Acct-Session-Id}',TO_NUMBER('%{Acct-Session-Time}'),'%{Acct-Terminate-Cause}',TO_NUMBER('%{NAS-Port}'),'%{Framed-IP-Address}',TO_DATE('%i %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')); END; %r/%r
</Handler>

<Handler NAS-Identifier="MikroTik">
        AuthBy BTIWireless
        AuthLog BTIAuthLoggerSQL
        # AuthLog BTIAuthLoggerFile
</Handler>

<Handler>
        # Handles all requests not handled by other handlers
        # This will eventually be the only AuthUser handler (ideally).
        # (Checks LDAP then the database).
        AuthBy BTIAuthUser
        AuthLog BTIAuthLoggerSQL
        # AuthLog BTIAuthLoggerFile
</Handler>

#
# For Radar access:
#
<Monitor>
        Username btiRadar
        Password li8823YY
</Monitor>

#
# Client Section:
#
<ClientListSQL>
        # If the database is unavailable, clients will not be
        # added. Big Brother will notice this, as it connects
        # from a client listed in the database. Note, this has not
        # yet been tested.
        DBSource dbi:Oracle:xxxxxxxxxxxxxxxxx
        DBUsername btiauth
        DBAuth xxxxxxxxxxxxxxx
        GetClientQuery SELECT \
                IPADDRESS, \
                SECRET, \
                NULL, \
                DUPINTERVAL, \
                DEFAULTREALM, \
                NASTYPE, \
                SNMPCOMMUNITY \
                FROM RADCLIENT \
                WHERE STATUS = 'Active' \
                ORDER BY IPADDRESS
        Timeout 10
        FailureBackoffTime 60
</ClientListSQL>

<Client localhost>
        Secret mysecret
        DefaultRealm btigate.com
</Client>
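The symptom described at the top of this message (requests from some NASes arriving on port 1812 with no reply going back) can be measured rather than eyeballed from a snoop capture. The script below is an added example, not part of the original post: it reads snoop's one-line summaries, counts packets to and from the server per NAS, and lists the NASes that never received a reply. The hostnames nas-a, nas-b, nas-c, the sample lines and the snoop summary layout are assumptions.

```python
# Added example (not from the original post); assumes snoop's default summary format.
import re
from collections import defaultdict

# A snoop summary line starts with "<source> -> <destination>"; the rest is
# protocol detail (e.g. "UDP D=1812 S=1645 LEN=146") that is not needed here.
SUMMARY_RE = re.compile(r"^\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)")

def parse_summary_line(line):
    """Return (src, dst) for a snoop summary line, or None for any other line."""
    m = SUMMARY_RE.match(line)
    return (m.group("src"), m.group("dst")) if m else None

def nas_reply_stats(lines, server):
    """Per peer: packets peer -> server ("requests") and server -> peer ("replies")."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for line in lines:
        parsed = parse_summary_line(line)
        if parsed is None:
            continue
        src, dst = parsed
        if dst == server and src != server:
            stats[src]["requests"] += 1
        elif src == server and dst != server:
            stats[dst]["replies"] += 1
    return dict(stats)

def unanswered_peers(stats, min_requests=3):
    """Peers that sent at least min_requests packets and never got a reply."""
    return sorted(p for p, c in stats.items()
                  if c["requests"] >= min_requests and c["replies"] == 0)

# Constructed sample modelled on the snoop output quoted in the thread: nas-a and
# nas-b are never answered, nas-c gets a reply. Hostnames are placeholders.
SAMPLE_SNOOP = """\
Using device /dev/hme (promiscuous mode)
      nas-a -> ns1          UDP D=1812 S=1645 LEN=146
      nas-a -> ns1          UDP D=1812 S=1645 LEN=146
      nas-a -> ns1          UDP D=1812 S=1645 LEN=146
      nas-c -> ns1          UDP D=1812 S=1645 LEN=130
        ns1 -> nas-c        UDP D=1645 S=1812 LEN=68
      nas-b -> ns1          UDP D=1812 S=1645 LEN=150
      nas-b -> ns1          UDP D=1812 S=1645 LEN=150
      nas-b -> ns1          UDP D=1812 S=1645 LEN=150
""".splitlines()

if __name__ == "__main__":
    stats = nas_reply_stats(SAMPLE_SNOOP, server="ns1")
    for peer in unanswered_peers(stats):
        print(f"{peer}: {stats[peer]['requests']} requests, no replies")
```

Feed it the output of `snoop -i` on a capture file saved with `snoop -o` and any NAS it lists is one to look up in the RADCLIENT table and the level 4 trace.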