I have attached my radius.cfg file. Currently, I don't have the ability to capture a snoop showing the problem. Basically, here's what I saw during the snoop:
# snoop port 1812 ns1
<NAS A> -> ns1
<NAS A> -> ns1
<NAS A> -> ns1
<NAS B> -> ns1
<NAS B> -> ns1
<NAS B> -> ns1
. . .
As far as a level 4 trace, it showed nothing from the NASes it decided to ignore (like A and B in the example snoop). According to the logs, all the other NASes were behaving normally.
Thanks, jason
Frank Danielson wrote:
It's hard to say from the info you have provided. How about providing the
config file, a level 4 trace, and doing a snoop -o to capture some of this
unanswered traffic to a file and send that as well?
-----Original Message-----
From: Jason Signalness [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 17, 2003 2:11 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Radiator ignoring some clients
Hello,
We are having serious issues with Radiator. I tried e-mailing this to radius-support and to the list, but have not received a response from either. It doesn't appear the message posted to the list, so I will try again using my other address.
Our environment:
Radiator 3.7.1
Perl 5.8.1
Solaris 9
Basically, we tried to upgrade from Radiator 3.3.1 running on Solaris 8 with Perl 5.6 to the new setup. On the new server (Solaris 9) I installed Radiator, copied over the config files, updated the environment variables (ORACLE_HOME, etc.) and started it up. No problems. I used radpwtst to test users in our various databases (LDAP, Oracle, and a flat file) and it all seemed fine.
Then we put this upgraded system (actually 2 identical systems) into production. Requests from certain access servers are handled and answered by Radiator. Requests from other access servers seem to be completely ignored. By "completely ignored," I mean that nothing shows up at all in a DEBUG level log. If I run a snoop on the radius server, I see a ton of traffic from a given NAS to the radius server on port 1812, but not a single response going the other way.
We have cleared the ARP entries in our switches and rebooted one of the NASes. Same behavior. It is as if Radiator simply doesn't pay attention to some access servers or some requests from some access servers.
Eventually, we gave up and powered on our old servers (Radiator 3.3.1, Perl 5.6, Solaris 8). The really weird thing is that we see this behavior on these servers as well... and they worked perfectly earlier.
When I launch Radar, I see the clients listed. And like I said before, I'm not getting any "bad authenticator" errors in the logs. Nothing shows up at all for most of our access servers.
I'm desperate for assistance.
Thanks,
# radius.cfg
Trace 4
# Set this to the database directory. It should contain these files:
# users The user database/file
# dictionary The NAS dictionary
DbDir /opt/share/radiator/configs
DictionaryFile %D/dictionary
LogDir /var/log/radius
LogFile %L/%m-%d-%Y-radius.log
PidFile %L/radius.pid
# Used to check NAS for Simultaneous-Use
SnmpgetProg /opt/share/net-snmp/bin/snmpget
AuthPort 1812
AcctPort 1813
# Remove any non-alphanumeric characters
RewriteUsername s/[EMAIL PROTECTED]//g
# Remove any spaces from usernames
RewriteUsername s/\s+//g
# Converts anything uppercase to lowercase
RewriteUsername tr/A-Z/a-z/
# Allow SNMP tests
<SNMPAgent>
ROCommunity xxxxxxxx
Port 1983
</SNMPAgent>
# Log authentication FAILURES to the database for BTI customers.
<AuthLog SQL>
Identifier BTIAuthLoggerSQL
DBSource dbi:Oracle:xxxxxxxxxxxxxxxxxxx
DBUsername btiauth
DBAuth xxxxxxxxxxxxx
Timeout 10
FailureBackoffTime 60
FailureQuery BEGIN radius.logAppAction('%n','rad','LOGIN FAILED (%h): %n ('%1')','error','%c'); END;
</AuthLog>
<AuthLog FILE>
Identifier BTIAuthLoggerFile
Filename %L/%m-%d-%Y-btiauth.log
</AuthLog>
# Handler to immediately reject the premastack user
# which is something that the routers at PREMA use and
# is NOT an actual user.
<Handler [EMAIL PROTECTED]>
<AuthBy FILE>
Filename %D/reject_user
</AuthBy>
</Handler>
<AuthBy PLSQL>
Identifier BTICheckDB
NoDefault
#DefaultSimultaneousUse 1
DBSource dbi:Oracle:xxxxxxxxxxxxxxxx
DBUsername btiauth
DBAuth xxxxxxxxxxxxxx
Timeout 10
FailureBackoffTime 60
# Authentication. Note that getUser searches on a username field that contains [EMAIL PROTECTED], not just username.
# Note that the view being searched also contains only users who have the "rad" application enabled and are active.
AuthBlock BEGIN radius.getUser('%n',:passwd,:check_item,:reply_item); END;
EncryptedPassword
AuthParamDef :passwd, Encrypted-Password, check
AuthParamDef :check_item, GENERIC, check
AuthParamDef :reply_item, GENERIC, reply
</AuthBy>
<AuthBy PLSQL>
Identifier BTIWireless
NoDefault
#DefaultSimultaneousUse 1
DBSource dbi:Oracle:xxxxxxxxxxxxxxx
DBUsername btiauth
DBAuth xxxxxxxxxxxxxx
Timeout 10
FailureBackoffTime 60
# Authentication. Note that getUser searches on a username field that contains [EMAIL PROTECTED], not just username.
# Note that the view being searched also contains only users who have the "rad" application enabled and are active.
AuthBlock BEGIN radius.getUser('%n',:passwd,:check_item,:reply_item); END;
AuthParamDef :passwd, Password, check
AuthParamDef :check_item, GENERIC, check
AuthParamDef :reply_item, GENERIC, reply
</AuthBy>
<AuthBy FILE>
Identifier BTICheckFILE
#DefaultSimultaneousUse 1
Filename %D/users
</AuthBy>
<AuthBy LDAP2>
Identifier BTICheckLDAP_ns1
NoDefault
# DefaultSimultaneousUse 1
AuthDN cn=proxyagent,ou=people,o=bti
AuthPassword xxxxxxxxxxxxxx
Debug 255
Host ns1.btinet.net
SearchFilter (&(btiallowedapplications=rad)(uid=%U))
BaseDN ou=People,o=%R,o=bti
EncryptedPasswordAttr userPassword
AuthAttrDef bticheckattr,GENERIC,check
AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>
<AuthBy LDAP2>
Identifier BTICheckLDAP_ns2
NoDefault
# DefaultSimultaneousUse 1
AuthDN cn=proxyagent,ou=people,o=bti
AuthPassword xxxxxxxxxxxxxx
Debug 255
Host ns2.btinet.net
SearchFilter (&(btiallowedapplications=rad)(uid=%U))
BaseDN ou=People,o=%R,o=bti
EncryptedPasswordAttr userPassword
AuthAttrDef bticheckattr,GENERIC,check
AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>
<AuthBy LDAP2>
Identifier BTICheckLDAP_ds1v
NoDefault
# DefaultSimultaneousUse 1
AuthDN cn=proxyagent,ou=people,o=bti
AuthPassword xxxxxxxxxxxxx
Debug 255
Host ds1v.btinet.net
SearchFilter (&(btiallowedapplications=rad)(uid=%U))
BaseDN ou=People,o=%R,o=bti
EncryptedPasswordAttr userPassword
AuthAttrDef bticheckattr,GENERIC,check
AuthAttrDef btireplyattr,GENERIC,reply
</AuthBy>
<AuthBy GROUP>
Identifier BTIAuthUser
AuthByPolicy ContinueWhileReject
AuthBy BTICheckLDAP_ns2
AuthBy BTICheckLDAP_ns1
# AuthBy BTICheckLDAP_ds1v
AuthBy BTICheckFILE
AuthBy BTICheckDB
</AuthBy>
<AuthBy GROUP>
# This AuthBy should be removed after LDAP migration.
Identifier BTIAuthUserNoLDAP
AuthByPolicy ContinueWhileReject
AuthBy BTICheckFILE
AuthBy BTICheckDB
</AuthBy>
<SessionDatabase SQL>
Identifier SessionDB
DBSource dbi:Oracle:xxxxxxxxxxxxxxxxxxxxx
DBUsername btiauth
DBAuth xxxxxxxxxxxxxx
Timeout 10
FailureBackoffTime 60
# NOTE: queries are kept to a single line to increase readability in the log files
AddQuery BEGIN radius.insertRADOnline('%n','%c',%{NAS-Port},'%{Acct-Session-Id}','%{Framed-IP-Address}','%{NAS-Port-Type}','%{Service-Type}'); END;
# DeleteQuery BEGIN radius.deleteRADOnline('%n','%c', %{NAS-Port}); END;
DeleteQuery BEGIN radius.deleteRADOnline('%n','%c', 0%2); END;
ClearNasQuery BEGIN radius.clearRADClient('%c'); END;
CountQuery SELECT rc.ipaddress, ro.nasport, ro.acctsessionid, ro.framedipaddress FROM radonline ro, radclient rc WHERE username = '%n' AND ro.radclient_id = rc.id
# CountQuery SELECT rc.nasidentifier, ro.nasport, ro.acctsessionid, ro.framedipaddress FROM radonline ro, radclient rc WHERE username = '%n' AND ro.radclient_id = rc.id
</SessionDatabase>
#
# Handlers Section:
# This section is what is "executed" by radius and determines
# which of the above "sections" to call.
#
# This Handler may be deleted once migration to LDAP is complete
<Handler Acct-Status-Type=Stop,Realm=umary.edu>
# The following line directly inserts accounting records into the database
# AuthBy insertAccountingRecord
#
# Create an accounting "log" file that can be directly run in batch mode.
#
# This clause automatically returns an ACCEPT to the NAS for this
# accounting record. This is necessary so that the NAS does not
# keep sending accounting records.
#
<AuthBy INTERNAL>
AcctResult ACCEPT
</AuthBy>
AcctLogFileName %L/%m-%d-%Y-acct.log
AcctLogFileFormat BEGIN radius.insertAccountingRecord('%n','%c','%C','%{Acct-Status-Type}',TO_NUMBER('%{Acct-Delay-Time}'),TO_NUMBER('%{Acct-Input-Octets}'),TO_NUMBER('%{Acct-Output-Octets}'),TO_NUMBER('%{Acct-Input-Packets}'),TO_NUMBER('%{Acct-Output-Packets}'),'%{Acct-Session-Id}',TO_NUMBER('%{Acct-Session-Time}'),'%{Acct-Terminate-Cause}',TO_NUMBER('%{NAS-Port}'),'%{Framed-IP-Address}',TO_DATE('%i %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')); END; %r/%r
</Handler>
<Handler Acct-Status-Type=Stop>
# The following line directly inserts accounting records into the database
# AuthBy insertAccountingRecord
#
# Create an accounting "log" file that can be directly run in batch mode.
#
# This clause automatically returns an ACCEPT to the NAS for this
# accounting record. This is necessary so that the NAS does not
# keep sending accounting records.
#
<AuthBy INTERNAL>
AcctResult ACCEPT
</AuthBy>
AcctLogFileName %L/%m-%d-%Y-acct.log
AcctLogFileFormat BEGIN radius.insertAccountingRecord('%n','%c','%C','%{Acct-Status-Type}',TO_NUMBER('%{Acct-Delay-Time}'),TO_NUMBER('%{Acct-Input-Octets}'),TO_NUMBER('%{Acct-Output-Octets}'),TO_NUMBER('%{Acct-Input-Packets}'),TO_NUMBER('%{Acct-Output-Packets}'),'%{Acct-Session-Id}',TO_NUMBER('%{Acct-Session-Time}'),'%{Acct-Terminate-Cause}',TO_NUMBER('%{NAS-Port}'),'%{Framed-IP-Address}',TO_DATE('%i %m %Y %H:%M:%S', 'DD MM YYYY HH24:MI:SS')); END; %r/%r
</Handler>
<Handler NAS-Identifier="MikroTik">
AuthBy BTIWireless
AuthLog BTIAuthLoggerSQL
# AuthLog BTIAuthLoggerFile
</Handler>
<Handler>
# Handles all requests not handled by other handlers
# This will eventually be the only AuthUser handler (ideally).
# (Checks LDAP then the database).
AuthBy BTIAuthUser
AuthLog BTIAuthLoggerSQL
# AuthLog BTIAuthLoggerFile
</Handler>
#
# For Radar access:
#
<Monitor>
Username btiRadar
Password li8823YY
</Monitor>
#
# Client Section:
#
<ClientListSQL>
# If the database is unavailable, clients will not be
# added. Big Brother will notice this, as it connects
# from a client listed in the database. Note, this has not
# yet been tested.
DBSource dbi:Oracle:xxxxxxxxxxxxxxxxx
DBUsername btiauth
DBAuth xxxxxxxxxxxxxxx
GetClientQuery SELECT \
IPADDRESS, \
SECRET, \
NULL, \
DUPINTERVAL, \
DEFAULTREALM, \
NASTYPE, \
SNMPCOMMUNITY \
FROM RADCLIENT \
WHERE STATUS = 'Active' \
ORDER BY IPADDRESS
Timeout 10
FailureBackoffTime 60
</ClientListSQL>
<Client localhost>
Secret mysecret
DefaultRealm btigate.com
</Client>
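The snoop excerpt in the thread shows requests from some NASes with no reply at all. The script below is an added example (not from the original post or from Radiator) that turns a snoop summary into a per-NAS request/response tally and cross-checks the silent NASes against the client list the server is supposed to know (the rows GetClientQuery returns, or the <Client> clauses). The sample capture lines, the host names and KNOWN_CLIENTS are constructed; the "src -> dst UDP D= S=" line shape is assumed from snoop's UDP summary and may need adjusting to real output.

```python
import re
from collections import defaultdict

# Constructed snoop-style summary lines (not from the original post).
# nas-a and nas-b send requests that never get a reply; nas-c is answered.
SAMPLE_SNOOP = """\
nas-a -> ns1 UDP D=1812 S=1645 LEN=118
nas-a -> ns1 UDP D=1812 S=1645 LEN=118
nas-c -> ns1 UDP D=1812 S=1645 LEN=118
ns1 -> nas-c UDP D=1645 S=1812 LEN=48
nas-b -> ns1 UDP D=1812 S=1645 LEN=118
nas-a -> ns1 UDP D=1812 S=1645 LEN=118
nas-b -> ns1 UDP D=1812 S=1645 LEN=118
"""

# Hypothetical client list, e.g. the IPADDRESS column returned by
# GetClientQuery plus any <Client> clauses. nas-a is deliberately missing.
KNOWN_CLIENTS = {"nas-b", "nas-c"}

# Assumed snoop UDP summary layout: "src -> dst UDP D=<dport> S=<sport> ..."
LINE_RE = re.compile(
    r"^\s*(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+UDP\s+D=(?P<dport>\d+)\s+S=(?P<sport>\d+)")

def tally(snoop_text, server, auth_port=1812):
    """Return ({nas: requests_to_server}, {nas: replies_from_server})."""
    reqs, resps = defaultdict(int), defaultdict(int)
    for line in snoop_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not UDP summaries
        if m["dst"] == server and int(m["dport"]) == auth_port:
            reqs[m["src"]] += 1          # NAS -> server on the auth port
        elif m["src"] == server and int(m["sport"]) == auth_port:
            resps[m["dst"]] += 1         # server -> NAS from the auth port
    return dict(reqs), dict(resps)

def unanswered(snoop_text, server, known_clients, auth_port=1812):
    """Map each NAS that got zero replies to the most likely reason to check first.

    A NAS absent from the client list cannot be answered (no shared secret for
    it); a listed NAS with no reply points at something else (secret, handler,
    or the server never seeing the packet) and needs the trace log."""
    reqs, resps = tally(snoop_text, server, auth_port)
    return {nas: ("not in client list" if nas not in known_clients
                  else "in client list but no reply")
            for nas in reqs if resps.get(nas, 0) == 0}

if __name__ == "__main__":
    for nas, why in sorted(unanswered(SAMPLE_SNOOP, "ns1", KNOWN_CLIENTS).items()):
        print(f"{nas}: {why}")
```

Feed it the text output of the saved capture (snoop -i on the file written by snoop -o) and compare the "in client list but no reply" entries with what Radar shows as loaded clients.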
