Re: (RADIATOR) Input queue size

2003-11-12 Thread Guðbjörn S. Hreinsson
Cheers,

this may be unrelated, but I am interested in any and all tuning
listmembers have done in the OS for Radiator performance. We
are running two radiator servers with one proxy radiator in front
and a separate sql machine and ldap machine.

Since we perform ldap auth the incoming requests are sequential 
which limits our rate of authentication. We have seen that we can 
handle at most about 1500 requests per minute per server during 
peak loads (server restarts etc.) This is mostly load from xDSL 
users (we do periodic tarpitting for bad users). 

We have also seen that at these peaks udp packets begin to be
dropped (by the os I imagine) and aaa rates start to get worse.
This drop in rates seems to be related to the fact that if the radius
servers do not respond in a timely fashion the NAS's begin to
resend the radius requests adding to the incoming rate of packets,
increasing the udp drop etc.

We actually monitor udp packet drops and restart the radiators
which increases the rate for a while, until there is another udp queue
buildup and udp packets start to be dropped, nas's start to resend
packets etc., until the monitor script restarts the servers.

Lengthening the udp queues seems to really have adverse effects on 
this situation. We have not really tried shortening the queue which 
might really have even more adverse effects, without testing though 
I can't tell. 

To counter this we have configured multiple instances of radiators
for authentication/authorization and accounting and instances for
separate NAS's or NAS groups. This in effect simulates having a
threaded radiator to reduce the effect of this sequential processing.

This has not seemed to be related to CPU load or network performance;
we have looked at these in detail. We also looked at dropping radius
packets which were x seconds old but there is no practical way to do
this, since we really have no way of knowing when the NAS sent the
udp packet (I wish radius supported tcp, it's much better situated for
high traffic rates).

We did an estimate once for how many packets would fit in the queue 
based on some average size but this did in the end have really no purpose. 

If anyone has input on this issue or OS tuning for Radiator I'd love 
to hear about it. Hope you understand my attempt to explain the above 
scenario. Basically we have a pretty stable environment today, but 
perhaps overly complex to manage because of the multiple instances. 

Hugh, is a threaded ldap handler on the horizon? Is this perl or 
radiator related?

Rgds,
-GSH

- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Claudio Lapidus [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 3:02 AM
Subject: Re: (RADIATOR) Input queue size


 
> Hello Claudio -
>
> This is really an operating system issue, as the UDP buffer space is
> managed by the OS.
>
> You should have a look at netstat and friends.
>
> Solaris may also have additional tools that allow you to look at what
> the system is doing.
>
> regards
>
> Hugh
>
>
> On 12/11/2003, at 1:28 PM, Claudio Lapidus wrote:
>
>> Hello Hugh,
>>
>> Is there a way to inspect the length of the input queue during
>> runtime? I'm running Radiator 3.6 on Solaris 8, Perl 5.8.0, no monitor setup.
>>
>> thanks in advance
>> cl.
>> ===
>> Archive at http://www.open.com.au/archives/radiator/
>> Announcements on [EMAIL PROTECTED]
>> To unsubscribe, email '[EMAIL PROTECTED]' with
>> 'unsubscribe radiator' in the body of the message.
>
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
 


(RADIATOR) Cisco NAS dont sent password to radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request

2003-11-12 Thread Sergei Keler

Hi!

I have Cisco 2621 (IOS 12.2).
When I use the following radiator config:

users file:

qqq	user-password=kkk,
	Service-Type = Framed-User
	Framed-Protocol = PPP,
	Framed-IP-Netmask = 255.255.255.0,
	Framed-Routing = None,
	Framed-MTU = 1500

conf file:

<Realm DEFAULT>
	<AuthBy FILE>
		Filename %D/users
		AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
	</AuthBy>
	AcctLogFileName %L/detail
	PasswordLogFileName %L/passwd
</Realm>

I found the following in the log file:

Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Received from 192.168.0.254 port 1645 

Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code:       Access-Request
Identifier: 34
Authentic:  19311183164127/214m2411291322520202149F
Attributes:
	Framed-Protocol = PPP
	User-Name = qqq
	CHAP-Password = 10152185r-135D196}22423221623017430D]
	NAS-Port = 33
	NAS-Port-Type = Async
	Calling-Station-Id = async
	Service-Type = Framed-User
	NAS-IP-Address = 192.168.0.254

Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG: Deleting session for qqq, 192.168.0.254, 33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645

Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 34
Authentic:  19311183164127/214m2411291322520202149F
Attributes:
	Reply-Message = Request Denied



Cisco's debug:

Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from gdc-gw
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from qqq
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (DB31): Pick method list 'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS: AAA Unsupported   [134] 7
Nov 12 09:33:01.209: RADIUS:  41 73 79 6E 63  [Async]
Nov 12 09:33:01.209: RADIUS(DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, Access-Request, len 81
Nov 12 09:33:01.213: RADIUS: authenticator C1 0B B7 A4 7F 2F D6 6D - F1 81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS: Framed-Protocol     [7]   6   PPP   [1]
Nov 12 09:33:01.213: RADIUS: User-Name           [1]   5   qqq
Nov 12 09:33:01.213: RADIUS: CHAP-Password       [3]   19  *
Nov 12 09:33:01.213: RADIUS: NAS-Port            [5]   6   33
Nov 12 09:33:01.213: RADIUS: NAS-Port-Type       [61]  6   Async   [0]
Nov 12 09:33:01.213: RADIUS: Calling-Station-Id  [31]  7   async
Nov 12 09:33:01.217: RADIUS: Service-Type        [6]   6   Framed   [2]
Nov 12 09:33:01.217: RADIUS: NAS-IP-Address      [4]   6   192.168.0.254
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS: authenticator 08 FD AC E8 B2 2D 66 6E - C5 97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS: Reply-Message       [18]  16
Nov 12 09:33:01.229: RADIUS:  52 65 71 75 65 73 74 20 44 65 6E 69 65 64  [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP: O FAILURE id 10 len 18 msg is Request Denied
Nov 12 12:33:03 MSK: %LINK-5-CHANGED: Interface Async33, changed state to reset
Nov 12 12:33:08 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to down



So, as I understand it, Cisco didn't send the user password to RADIUS???
What to do? :-(

Sergei N Keler
IT-Manager
General DataComm
[EMAIL PROTECTED] [www.gdc.ru] [tel. +7(812)325-1085 (ext. 0723)] [fax +7(812)325-1086]


(RADIATOR) LDAP COnnection

2003-11-12 Thread jsingh








Hello Hugh

 I understand that Radiator is supposed to drop the
connection after it connects and talks to the LDAP Server. But I can see a
connection for each of my incoming requests. I changed the configuration file
for Radiator to sustain one connection, which is not the ideal situation as far
as my project is concerned. I would like to know if I am missing something in
my config or is this a bug in radiator. I am attaching my config without the
secrets. I am using Radiator-3.5 on solaris 8 with perl 5.6.1

Thanks



Foreground
LogStdout
LogDir /var/log/radius3.5.1
DbDir .
Trace 4
PidFile /var/log/radius3.5.1/radiusd.pid
AuthPort 11645
AcctPort 11646
DefineGlobalVar Max 7200
DictionaryFile /usr/local/adm/src/Radiator-3.5/dictionary

# Clients to suit your site.
###

<Client xx.xx.xx.xx>
	Secret xx
	DupInterval 0
</Client>

##

<Client .fdu.edu>
	Secret x
	DupInterval 0
</Client>

##

<Client xxx>
	Secret
	DupInterval 0
</Client>

#

<Client xxx.xx.xx.xxx>
	Secret xxx
	DupInterval 0
</Client>

<Client xx.xx.xx.xx>
	#Description Cisco AS5300
	Secret x
	DupInterval 0
</Client>

<Client xx.xx.xx.xx>
	#Description Cisco AS5300
	Secret
	DupInterval 1
</Client>

<Client DEFAULT>
	Secret
	DupInterval 0
</Client>

<AuthBy LDAP2>
	Identifier CheckLDAP
	Host xxx.fdu.edu
	Port 636
	UseSSL
	SSLCAPath /usr/local/adm/etc/
	BaseDN dc=xxx, dc=xxx
	Scope subtree
	UsernameAttr x
	PasswordAttr userPassword
	ServerChecksPassword
	Timeout 2
	FailureBackoffTime 30
	HoldServerConnection
	#CheckAttr cn
	#AuthAttrDef ipaddress,Framed-IP-Address,reply
	AddToReply Framed-Protocol = PPP,\
		Framed-Routing = None,\
		Framed-MTU = 1500,\
		Framed-Compression = Van-Jacobson-TCP-IP,\
		Service-Type = Framed-User,\
		Idle-Timeout = 300
	Debug 255
</AuthBy>
#

<AuthBy SQL>
	Identifier Block-Time-SQL
	DBSource dbi:mysql::localhost
	DBUsername xx
	DBAuth xxx
	DefaultSimultaneousUse 1
	AccountingTable x
	AuthSelect Select Time_Left from RADUSERS where User_Name='%n'
	AuthColumnDef 0, Session-Timeout,reply
	AcctSQLStatement Update RADUSERS set Time_Left=Time_Left -'%{Acct-Session-Time}' \
		where User_Name='%n';
</AuthBy>

<AuthLog SQL>
	Identifier REQUEST
	DBSource dbi:mysql::localhost
	DBUsername xx
	DBAuth xx
	LogSuccess
	SuccessQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE) values ('%l','%n',1)
	LogFailure
	FailureQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE,REASON) values ('%l','%n',0,%1)
</AuthLog>
#

<Realm 1.1>
	AuthByPolicy ContinueWhileAccept
	PreAuthHook file:/usr/local/adm/bin/filename.pl
	AuthBy CheckLDAP
	AuthBy Block-Time-SQL
	AuthLog REQUEST
	MaxSessions 1
	PostAuthHook file:/usr/local/adm/bin/filename.pl
	SessionDatabase SQLDB
</Realm>

<Realm 1.1.1>
	AccountingHandled
	AuthByPolicy ContinueWhileAccept
	PreAuthHook file:/usr/local/adm/bin/filename.pl
	AuthBy CheckLDAP
	AuthBy Block-Time-SQL
	PostAuthHook file:/usr/local/adm/bin/filename.pl
	MaxSessions 1
	SessionDatabase SQLDB
	AcctLogFileName /var/radius/Acct
</Realm>
###

<SessionDatabase SQL>
	Identifier SQLDB
	DBSource dbi:mysql:xxx:localhost
	DBUsername x
	DBAuth x
</SessionDatabase>







Jaskaran Singh

University Systems & Security

Fairleigh Dickinson University

Teaneck, NJ 07666










(RADIATOR) Cisco VPDN troubles

2003-11-12 Thread Sergei Keler

Hi!

I have a Cisco 26xx (IOS 12.2) and several
windows workstations (win2k).
What do I need to do with cisco and radiator
to allow win2k users to connect to an encrypted vpn with cisco?

Now it is:

cisco:

interface Virtual-Template1
ppp encrypt mppe 40
ppp authentication ms-chap VPDN

radiator:

<Realm VPDN>
	RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
	<AuthBy FILE>
		Filename %D/users.vpdn
		AutoMPPEKeys  Yes
		AddToReply Service-Type = Framed,\
			Framed-Protocol = PPP,\
			Framed-IP-Netmask = 255.255.255.255,\
			Framed-Routing = None,\
			Framed-MTU = 1500,\
			Message-Authenticator = ,\
			MS-MPPE-Encryption-Policy = Encryption-Allowed,\
			MS-MPPE-Encryption-Types = Encryption-Any
	</AuthBy>
	#Framed-Compression = Van-Jacobson-TCP-IP,\
	# Log accounting to a detail file
	AcctLogFileName %L/detail.vpdn
	PasswordLogFileName %L/passwd.vpdn
</Realm>

win2k (sorry, m$win doesn't allow text configs:)

A simple 'add new connection' -
VPN.
So, MS-CHAP v1 and v2. And as I understand
using encrypted passwords. 

Sergei N Keler
IT-Manager
General DataComm
[EMAIL PROTECTED] [www.gdc.ru] [tel. +7(812)325-1085 (ext. 0723)] [fax +7(812)325-1086]


(RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hi List,

I cannot get the radius server to return the profile while using
the following configuration:

--START-
LogStdout   c:/radiator/stdout.txt
LogDir c:/radiator
DbDir c:/radiator.

<Client DEFAULT>
 Secret !removed for my protection!
 DupInterval 0
</Client>

<Realm DEFAULT>

 AuthByPolicy ContinueAlways

 <AuthBy SQL>
  Identifier ACCT1
  DBSource dbi:ODBC:!removed for my protection!
  DBUsername !removed for my protection!
  DBAuth !removed for my protection!

  AuthSelect

  AccountingTable radacct1
  AcctColumnDef UserName,User-Name
  AcctColumnDef LogDateTime,Timestamp,integer-date
  AcctColumnDef AcctStatusType,Acct-Status-Type
  AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
  AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
  AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
  AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
  AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
  AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
  AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
  AcctColumnDef NasIPAddress,NAS-IP-Address
  AcctColumnDef NasIdentifier,NAS-Identifier
  AcctColumnDef NasPortId,NAS-Port,integer
  AcctColumnDef NasPortType,NAS-Port-Type,integer
  AcctColumnDef ConnectInfo,Connect-Info
  AcctColumnDef ServiceType,Service-Type
  AcctColumnDef FramedProtocol,Framed-Protocol
  AcctColumnDef FramedAddress,Framed-IP-Address
  AcctColumnDef CallingStationId,Calling-Station-Id
 </AuthBy>

 <AuthBy SQL>
  Identifier AUTH1
  DBSource dbi:ODBC:!removed for my protection!
  DBUsername !removed for my protection!
  DBAuth  !removed for my protection!

  AuthSelect select ClearTextPassword,ServiceType,SessionLimit, \
  IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
  PortLimit,ProfileID from Customers where CustomerID=%0 \
  and Disable is null
  AuthColumnDef 0,Password,check
  AuthColumnDef 1,Service-Type,reply
  AuthColumnDef 2,Session-Timeout,reply
  AuthColumnDef 3,Idle-Timeout,reply
  AuthColumnDef 4,Framed-IP-Address,reply
  AuthColumnDef 5,Framed-IP-Netmask,reply
  AuthColumnDef 6,Framed-Route,reply
  AuthColumnDef 7,Port-Limit,reply
  AuthColumnDef 8,Simultaneous-Use,check
  AuthColumnDef 9,Profile,reply
 </AuthBy>
 <AuthBy SQL>
  DBSource dbi:ODBC:!removed for my protection!
  DBUsername !removed for my protection!
  DBAuth !removed for my protection!

  AuthSelect  SELECT timeofday FROM profiles WHERE \
  [profile]='%{Reply:Profile}'
  AuthColumnDef 0,TimeOfDay,reply

  StripFromReply Profile
 </AuthBy>

 SessionDatabase SDB1

</Realm>

<SessionDatabase SQL>
 Identifier SDB1
 DBSource dbi:ODBC:!removed for my protection!
 DBUsername !removed for my protection!
 DBAuth  !removed for my protection!
</SessionDatabase>
---END

If I change AuthByPolicy ContinueAlways to AuthByPolicy
ContinueWhileAccept then the server always returns Request Denied. Any
input would be greatly appreciated. Note: I have already searched the list
archives; nothing seems to work.

Thank you,

Brandon Lehmann
Network Administrator
Great Lakes Internet Service, LLC.
The Computer Loft, Inc.
218 Justice St
Fremont, Ohio 43420
419.332.3553
[EMAIL PROTECTED]



Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

Trace 4 with the config in my original message shows:

--- START
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:   Access-Request
Identifier: 120
Authentic:  1234567890123456
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
NAS-Port-Type = Async
User-Password = .255x]2052212197219Sj143221224129

No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 121
Authentic:  
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Start
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 121
Authentic:  fe#O#156150S239N24023418223229
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 122
Authentic:  
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Stop
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3

Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 122
Authentic:  5Y2V137180L2R138vzai248184
Attributes:

OK
-END


Changing AuthByPolicy to ContinueWhileAccept returns this:

-START-
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:   Access-Request
Identifier: 81
Authentic:  1234567890123456
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 NAS-Port-Type = Async
 User-Password = .255x]2052212197219Sj143221224129

Packet dump:
*** Received from 63.148.117.3 port 1645 
Code:   Access-Reject
Identifier: 81
Authentic:  201KV189Ao213235254322zh2394
Attributes:
 Reply-Message = Request Denied

Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 82
Authentic:  
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = 1234
 Acct-Status-Type = Start
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 Acct-Delay-Time = 0

Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 82
Authentic:  237157221248311235207167t226SVQ227
Attributes:

OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 83
Authentic:  
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = 1234
 Acct-Status-Type = Stop
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 Acct-Delay-Time = 0
 Acct-Session-Time = 1000
 Acct-Input-Octets = 2
 Acct-Output-Octets = 3

Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 83
Authentic:  4\212g'`25221423246A]136172174
Attributes:

OK

END-

Removing the AuthBy clause for the profile and timeofday returns this (with
ContinueWhileAccept):

START--
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:   Access-Request
Identifier: 251
Authentic:  1234567890123456
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 NAS-Port-Type = Async
 User-Password = .255x]2052212197219Sj143221224129

Packet dump:
*** Received from 63.148.117.3 port 1645 
Code:   Access-Reject
Identifier: 251
Authentic:  2I24 1807222164151k21322O15255N
Attributes:
 Reply-Message = Request Denied

Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 252
Authentic:  

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

Note: I don't care that I left my ip address in there or the encrypted
password. This is a test server with test data.

Brandon

- Original Message - 
From: Brandon Lehmann [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 5:43 PM
Subject: Re: (RADIATOR) Profiles problems



Re: (RADIATOR) Cisco NAS dont sent password to radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request

2003-11-12 Thread Claudio Lapidus
Hello Sergei

> So, as I understand it, Cisco didn't send the user password to RADIUS???
> What to do? :-(

If you want the Cisco router to send User-Password you'll need to change the
configuration in the virtual template to

ppp authentication pap

and it won't send CHAP anymore, just PAP.

regards
cl.
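As an added illustration (not from the thread and not Radiator code), the following decodes the 81-byte Access-Request from Sergei's trace 4 dump and shows what the router actually sent: a CHAP-Password attribute (type 3, CHAP id 10, matching the router's "CHAP: O CHALLENGE id 10") and no User-Password attribute (type 2). It also shows the RFC 2865 check a server can perform on a CHAP response when it holds the cleartext password; the attribute name table and the constructed test request are the example's own assumptions.

```python
import hashlib
import hmac
import struct

# The 81-byte Access-Request exactly as printed in the Radiator trace above.
ACCESS_REQUEST_HEX = (
    "01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc "
    "00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03 "
    "13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e "
    "44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07 "
    "61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00 "
    "fe"
)

CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}
# Subset of the standard RFC 2865 attribute numbers (assumed table for this example).
ATTR_NAMES = {1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
              5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol", 18: "Reply-Message",
              31: "Calling-Station-Id", 60: "CHAP-Challenge", 61: "NAS-Port-Type"}


def parse_radius(raw: bytes) -> dict:
    """Decode a RADIUS datagram (RFC 2865 layout) into code, identifier, authenticator and
    a list of (type, value) attributes. Every length field is checked against the datagram,
    so a truncated or padded packet raises instead of being mis-parsed."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != datagram size {len(raw)}")
    attrs = []
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad length {alen} for attribute {atype}")
        attrs.append((atype, raw[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "identifier": ident, "authenticator": raw[4:20], "attributes": attrs}


def attribute_names(packet: dict) -> list:
    """Human-readable attribute list in wire order."""
    return [ATTR_NAMES.get(t, f"Attr-{t}") for t, _ in packet["attributes"]]


def chap_verify(packet: dict, cleartext_password: str) -> bool:
    """RFC 2865 section 5.3: CHAP-Password = 1-byte CHAP ident + MD5(ident || password || challenge).
    The challenge is the CHAP-Challenge attribute (60) if present, otherwise the Request
    Authenticator; the server therefore needs the cleartext password to check it."""
    chap = [v for t, v in packet["attributes"] if t == 3]
    if len(chap) != 1 or len(chap[0]) != 17:
        return False
    ident, response = chap[0][:1], chap[0][1:]
    challenge = next((v for t, v in packet["attributes"] if t == 60), packet["authenticator"])
    expected = hashlib.md5(ident + cleartext_password.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def build_chap_request(username: str, password: str, authenticator: bytes,
                       chap_ident: int = 10, packet_id: int = 34) -> bytes:
    """Constructed sample: an Access-Request whose CHAP-Password is valid for `password`."""
    ident = bytes([chap_ident])
    chap = ident + hashlib.md5(ident + password.encode() + authenticator).digest()
    body = bytes([1, 2 + len(username)]) + username.encode() + bytes([3, 2 + len(chap)]) + chap
    return struct.pack("!BBH", 1, packet_id, 20 + len(body)) + authenticator + body


if __name__ == "__main__":
    pkt = parse_radius(bytes.fromhex(ACCESS_REQUEST_HEX))
    print(CODE_NAMES[pkt["code"]], "id", pkt["identifier"], attribute_names(pkt))
    print("User-Password present:", 2 in [t for t, _ in pkt["attributes"]])
    print("CHAP response verifies against 'kkk':", chap_verify(pkt, "kkk"))
```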


Re: (RADIATOR) Input queue size

2003-11-12 Thread Claudio Lapidus
Hello Guðbjörn

> this may be unrelated, but I am interested in any and all tuning
> listmembers have done in the OS for Radiator performance. We
> are running two radiator servers with one proxy radiator in front
> and a separate sql machine and ldap machine.

Fine, but what OS do you use? It might be interesting to have a hardware
summary too.

[snip]

> Lengthening the udp queues seems to really have adverse effects on
> this situation. We have not really tried shortening the queue which
> might really have even more adverse effects, without testing though
> I can't tell.

I can imagine that lengthening the queue only adds to the effect of the
server processing old packets, i.e. packets whose original timer (at the
NAS) has already expired. The root problem is the mismatch between the speed
of the NAS sending packets and the server processing them. It is probably worth
trying to increase the timeout setting at the NAS, at least to diminish
retransmissions (but beware of total authentication time then). A quicker
failover to a less loaded secondary might help too.


> To counter this we have configured multiple instances of radiators
> for authentication/authorization and accounting and instances for
> separate NAS's or NAS groups. This in effect simulates having a
> threaded radiator to reduce the effect of this sequential processing.

OK, but are you sure that the bottleneck is at the Radiator level or
might it be at the LDAP server? In the latter case it probably won't be of
much help anyway.


> This has not seemed to be related to CPU load or network performance;
> we have looked at these in detail.

No, it's probably more I/O bound, (disk, I mean).

> If anyone has input on this issue or OS tuning for Radiator I'd love
> to hear about it. Hope you understand my attempt to explain the above
> scenario. Basically we have a pretty stable environment today, but
> perhaps overly complex to manage because of the multiple instances.

Back to my original question then, I'm struggling to measure the effective
length of the input queue in Solaris. Linux's netstat shows it readily, and
I remember Tru64 doing the same. But Solaris' netstat lacks this one,
apparently. I'll have to continue my quest...


> Hugh, is a threaded ldap handler on the horizon? Is this perl or
> radiator related?

From my own corner, I wish it were possible to have more than one
established connection with the SQL backend, so as to parallelize requests
to a certain degree. But yes, I suppose that means multithreading, and AFAIK
that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do
it?

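The feedback loop described in this exchange (GSH's observation that longer UDP queues make the drops worse, and Claudio's explanation that the server ends up serving packets whose NAS timer has already expired) can be reproduced with a small model. This is an added example, not code from the thread or from Radiator: a single-threaded server drains a bounded OS receive queue at 25 requests/s (the 1500 per minute quoted above) while one NAS offers 60 requests/s for ten seconds and retransmits after a 5 s timeout, up to 4 attempts; the rates, timeout, retry count and both queue depths are assumed values, and the server's own duplicate detection is deliberately left out so that every stale datagram costs a full service time.

```python
import heapq
from collections import deque


def simulate(arrival_per_s, service_ms, queue_limit, nas_timeout_ms, max_attempts,
             burst_ms, horizon_ms):
    """1 ms tick model: one NAS, one single-threaded RADIUS server, one bounded OS receive queue.

    The NAS sends a new Access-Request every 1000/arrival_per_s ms for burst_ms and resends a
    request it has had no reply for after nas_timeout_ms, up to max_attempts copies in total.
    A datagram arriving at a full queue is dropped (the UDP drops seen in the thread).
    A dequeued datagram is 'wasted' when the NAS was already answered via an earlier copy or
    has given up, i.e. the server spent a service time on a stale packet.
    """
    queue = deque()      # OS receive queue entries: (request_id, time this copy was sent)
    pending = {}         # request_id -> attempt number the NAS is currently waiting on
    timers = []          # heap of (expiry, request_id, attempt)
    stats = {"requests": 0, "copies_sent": 0, "dropped": 0, "answered": 0,
             "wasted": 0, "failed": 0, "max_wait_ms": 0}
    interval = 1000.0 / arrival_per_s
    rid = 0
    busy_until = 0

    def send(r, now, attempt):
        stats["copies_sent"] += 1
        heapq.heappush(timers, (now + nas_timeout_ms, r, attempt))
        if len(queue) < queue_limit:
            queue.append((r, now))
        else:
            stats["dropped"] += 1

    for t in range(horizon_ms):
        while t < burst_ms and rid * interval <= t:      # new logins from the NAS
            pending[rid] = 1
            stats["requests"] += 1
            send(rid, t, 1)
            rid += 1
        while timers and timers[0][0] <= t:              # NAS retransmit timers firing
            _, r, attempt = heapq.heappop(timers)
            if pending.get(r) != attempt:
                continue                                  # request already answered
            if attempt >= max_attempts:
                del pending[r]
                stats["failed"] += 1                      # NAS gives up on this login
            else:
                pending[r] = attempt + 1
                send(r, t, attempt + 1)
        if busy_until <= t and queue:                     # server takes the next datagram
            r, sent_at = queue.popleft()
            busy_until = t + service_ms
            stats["max_wait_ms"] = max(stats["max_wait_ms"], t - sent_at)
            if r in pending:                              # NAS still listening: useful reply
                del pending[r]
                stats["answered"] += 1
            else:                                         # NAS moved on: wasted service time
                stats["wasted"] += 1
    return stats


def compare_queue_depths(small=100, large=2000):
    """Same NAS load against a short and a long OS queue; 40 ms service = 25 req/s = 1500/min."""
    common = dict(arrival_per_s=60, service_ms=40, nas_timeout_ms=5000,
                  max_attempts=4, burst_ms=10_000, horizon_ms=150_000)
    return {"short_queue": simulate(queue_limit=small, **common),
            "long_queue": simulate(queue_limit=large, **common)}


if __name__ == "__main__":
    for name, s in compare_queue_depths().items():
        useful = s["answered"] / max(1, s["answered"] + s["wasted"])
        print(f"{name:12s} {s}  useful work {useful:.0%}")
```

With the short queue every served datagram is still awaited by the NAS (waits stay under the timeout, so the only retransmissions come from drops); with the long queue the server spends part of its time answering copies the NAS has already retried or abandoned.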


Re: (RADIATOR) Input queue size

2003-11-12 Thread Hugh Irvine
Hello Claudio, Hello Guðbjörn -

Comments below.

On 13/11/2003, at 1:18 PM, Claudio Lapidus wrote:

> Hello Guðbjörn
>
>> this may be unrelated, but I am interested in any and all tuning
>> listmembers have done in the OS for Radiator performance. We
>> are running two radiator servers with one proxy radiator in front
>> and a separate sql machine and ldap machine.
>
> Fine, but what OS do you use? It might be interesting to have a hardware
> summary too.

Yes, it's useful to know the hardware/software platform and the various
versions of Perl, etc.

> [snip]

>> Lengthening the udp queues seems to really have adverse effects on
>> this situation. We have not really tried shortening the queue which
>> might really have even more adverse effects, without testing though
>> I can't tell.
>
> I can imagine that lengthening the queue only adds to the effect of the
> server processing old packets, i.e. packets whose original timer (at the
> NAS) has already expired. The root problem is the mismatch between the speed
> of the NAS sending packets and the server processing them. It is probably worth
> trying to increase the timeout setting at the NAS, at least to diminish
> retransmissions (but beware of total authentication time then). A quicker
> failover to a less loaded secondary might help too.

Claudio is correct, the usual cause of problems of this sort is the 
backend delay associated with querying the LDAP and/or SQL database. It 
is very helpful to look at a trace 4 debug with LogMicroseconds 
turned on (requires Time-HiRes from CPAN). This will show exactly how 
much time is being spent waiting for the queries to complete.

And you are correct in your observation that increasing the queue size 
can adversely affect performance due to the increased number of retry 
requests that build up in the queue.


>> To counter this we have configured multiple instances of radiators
>> for authentication/authorization and accounting and instances for
>> separate NAS's or NAS groups. This in effect simulates having a
>> threaded radiator to reduce the effect of this sequential processing.
>
> OK, but are you sure that the bottleneck is at the Radiator level or
> might it be at the LDAP server? In the latter case it probably won't be of
> much help anyway.

Correct again. We have observed these problems too, when parallel 
requests can also slow things down.

BTW - this is one of the strong arguments against a multi-threaded 
server, which may not help at all in some situations.

In general it is easier in the first instance to do what you have done 
with multiple instances and a front end load balancer.

Just out of interest the largest Radiator setup we are familiar with is 
using this architecture, with a load balancer feeding 6 Radiator hosts, 
each one with an authentication and an accounting instance. The backend 
is a *very* fast Oracle database server and the overall throughput has 
been tested to over 1200 radius requests per second.

This has not seemed to be related to CPU load or network performance,
we have looked at these in detail.
No, it's probably more I/O bound, (disk, I mean).

I would agree - again a trace 4 debug with LogMicroseconds will show us 
exactly what is happening.

If anyone has input on this issue or OS tuning for Radiator I'd love
to hear about it. Hope you understand my attempt to explain the above
scenario. Basically we have a pretty stable environment today, but
perhaps overly complex to manage because of the multiple instances.
Back to my original question then, I'm struggling to measure the effective
length of the input queue in Solaris. Linux's netstat shows it readily, and
I remember Tru64 doing the same. But Solaris' netstat lacks this one,
apparently. I'll have to continue my quest...

On this topic, have you checked the Sunfreeware site to see if there 
are any useful tools in this regard?

	www.sunfreeware.com


Hugh, is a threaded ldap handler on the horizon? Is this perl or
radiator related?

This topic comes up from time to time and the fundamental problem at 
the moment is that Perl itself does not currently have production 
quality threading support. This being the case, we have not pursued it 
actively. And note my previous comments about whether or not this would 
be a good thing in any case.

From my own corner, I wish it were possible to have more than one
established connection with the SQL backend, so as to parallelize requests
to a certain degree. But yes, I suppose that means multithreading, and
AFAIK that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6
would do it?

As mentioned above, the easiest way to do this currently is with a load 
balancer (you could use the AuthBy ROUNDROBIN, VOLUMEBALANCE, 
LOADBALANCE modules) and multiple instances of Radiator. Note that in 
most cases, at least using one instance for authentication and another 
for accounting is a good first step.

We will continue to monitor the Perl support for multi-threading too, 
of course.

regards

Hugh

NB: have you included a copy of 
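
Claudio's unanswered question above is how to see the input queue. On Linux the figures netstat prints for a UDP socket come from /proc/net/udp, and reading them directly for the RADIUS listeners is a more targeted check than the global UDP drop counter Guðbjörn's restart script watches. The following is an added example written for this page, not code from the Radiator distribution or from anyone on the list; the RADIUS port set and the alarm threshold are assumptions, and the /proc/net/udp sample is constructed (an auth socket on 1645 with a deep queue and drops, an idle accounting socket on 1646, and an unrelated DNS socket). It does not help on Solaris, which is exactly the gap Claudio describes.

```python
"""Per-socket UDP receive-queue depth and drop counts from /proc/net/udp.

Added example, not code from the Radiator distribution or from anyone on
the thread. On Linux the figures that `netstat` shows for a UDP socket
come from /proc/net/udp: rx_queue is the number of bytes waiting in that
socket's receive buffer, and the last column (present on recent kernels)
counts datagrams the kernel threw away because the buffer was full.
Watching those two numbers for the RADIUS listeners tells you whether the
server is falling behind before the NASs start retransmitting.
"""
import socket
import struct

# Assumption: the RADIUS listeners use one of these ports (1645/1646 are
# the legacy numbers used in the thread, 1812/1813 the IANA assignments).
RADIUS_PORTS = {1645, 1646, 1812, 1813}

# Constructed sample in the exact layout of /proc/net/udp: an auth socket
# on 1645 with 123456 bytes queued and 312 drops, an idle acct socket on
# 1646, and an unrelated DNS socket on 127.0.0.1:53.
SAMPLE_PROC_NET_UDP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode ref pointer drops
  101: 00000000:066D 00000000:0000 07 00000000:0001E240 00:00000000 00000000     0        0 20817 2 0000000000000000 312
  102: 00000000:066E 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 20818 2 0000000000000000 0
  103: 0100007F:0035 00000000:0000 07 00000000:00000000 00:00000000 00000000     0        0 15011 2 0000000000000000 0
"""


def _decode_endpoint(field):
    """Decode the 'AABBCCDD:PPPP' hex form into ('a.b.c.d', port).

    The address is the 32-bit in_addr printed in host byte order, so on the
    little-endian hosts this format comes from the octets are reversed.
    """
    addr_hex, port_hex = field.split(":")
    addr = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
    return addr, int(port_hex, 16)


def parse_proc_net_udp(text):
    """Parse /proc/net/udp text into a list of per-socket dicts."""
    records = []
    for line in text.splitlines()[1:]:  # line 0 is the column header
        cols = line.split()
        if len(cols) < 10:
            continue  # not a socket line
        addr, port = _decode_endpoint(cols[1])
        tx_hex, rx_hex = cols[4].split(":")
        records.append({
            "local_addr": addr,
            "local_port": port,
            "tx_queue_bytes": int(tx_hex, 16),
            "rx_queue_bytes": int(rx_hex, 16),
            "inode": int(cols[9]),
            # older kernels have no drops column; treat that as zero
            "drops": int(cols[12]) if len(cols) > 12 else 0,
        })
    return records


def radius_queue_report(records, ports=RADIUS_PORTS):
    """The RADIUS listeners only, deepest receive queue first."""
    hits = [r for r in records if r["local_port"] in ports]
    return sorted(hits, key=lambda r: r["rx_queue_bytes"], reverse=True)


def queue_alarms(records, max_rx_bytes, ports=RADIUS_PORTS):
    """Return (port, reason) pairs for RADIUS sockets that look overloaded.

    The drop counter is cumulative for the life of the socket, so a real
    monitor should diff it against the previous sample instead of alarming
    on any non-zero value as this helper does.
    """
    alarms = []
    for r in radius_queue_report(records, ports):
        if r["rx_queue_bytes"] > max_rx_bytes:
            alarms.append((r["local_port"], "rx_queue %d bytes exceeds %d"
                           % (r["rx_queue_bytes"], max_rx_bytes)))
        if r["drops"] > 0:
            alarms.append((r["local_port"], "%d datagrams dropped since socket creation"
                           % r["drops"]))
    return alarms


def read_live(path="/proc/net/udp"):
    """Parse the live table; only meaningful on Linux."""
    with open(path) as fh:
        return parse_proc_net_udp(fh.read())


if __name__ == "__main__":
    for port, reason in queue_alarms(parse_proc_net_udp(SAMPLE_PROC_NET_UDP), 65536):
        print("port %d: %s" % (port, reason))
```

Run it from cron against read_live() and compare the drops value with the previous sample: a rising drop count on the auth socket while CPU is idle is the signature of the sequential-backend stall described in the thread, and it shows up before the NAS retransmissions make the queue grow further.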

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Hugh Irvine
Hello Brandon -

Thanks for your mail.

Unfortunately I meant a trace 4 debug from Radiator (not a trace 4 
debug from radpwtst).

In any event, I suspect that at the very least the TimeOfDay radius 
attribute is not defined in your Radiator dictionary.

regards

Hugh

On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

Hugh,

Note: I don't care that I left my ip address in there or the 
encrypted
password. This is a test server with test data.

Brandon

- Original Message -
From: Brandon Lehmann [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 5:43 PM
Subject: Re: (RADIATOR) Profiles problems

Hugh,

Trace 4 with the config in my original message shows:

--- START
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:   Access-Request
Identifier: 120
Authentic:  1234567890123456
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
NAS-Port-Type = Async
User-Password =
.255x]2052212197219Sj143221224129
No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 121
Authentic:  
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Start
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 121
Authentic:  fe#O#156150S239N24023418223229
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 122
Authentic:  
Attributes:
User-Name = brandon
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Port = 1234
NAS-Port-Type = Async
Acct-Session-Id = 1234
Acct-Status-Type = Stop
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
Acct-Delay-Time = 0
Acct-Session-Time = 1000
Acct-Input-Octets = 2
Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 122
Authentic:  5Y2V137180L2R138vzai248184
Attributes:
OK
-END
Changing AuthByPolicy to ContinueWhileAccept returns this:

-START-
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:   Access-Request
Identifier: 81
Authentic:  1234567890123456
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 NAS-Port-Type = Async
 User-Password = 
.255x]2052212197219Sj143221224129

Packet dump:
*** Received from 63.148.117.3 port 1645 
Code:   Access-Reject
Identifier: 81
Authentic:  201KV189Ao213235254322zh2394
Attributes:
 Reply-Message = Request Denied
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 82
Authentic:  
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = 1234
 Acct-Status-Type = Start
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 82
Authentic:  237157221248311235207167t226SVQ227
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646 
Code:   Accounting-Request
Identifier: 83
Authentic:  
Attributes:
 User-Name = brandon
 Service-Type = Framed-User
 NAS-IP-Address = 203.63.154.1
 NAS-Port = 1234
 NAS-Port-Type = Async
 Acct-Session-Id = 1234
 Acct-Status-Type = Stop
 Called-Station-Id = 123456789
 Calling-Station-Id = 987654321
 Acct-Delay-Time = 0
 Acct-Session-Time = 1000
 Acct-Input-Octets = 2
 Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646 
Code:   Accounting-Response
Identifier: 83
Authentic:  4\212g'`25221423246A]136172174
Attributes:
OK

END-

Removing the AuthBy clause for the profile timeofday returns this (with
ContinueWhileAccept):

START--
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645 
Code:

RE: (RADIATOR) Input queue size

2003-11-12 Thread Frank Danielson
It's really not that hard. You run a number of Radiator instances, with each
one having its own connection to the LDAP, SQL, or whatever backend. Then
you front end those with an instance or two of Radiator running AuthBy
ROUNDROBIN or AuthBy LOADBALANCE to distribute the requests among them.

You can process quite a lot of requests simultaneously this way. If your
current server is not responding fast enough but the CPU utilization is not
maxed out you are probably just hitting the ceiling on how many requests a
single instance can process at a time. Start up some more processes on the
box and use all those processor cycles that you paid for.

-Frank

-Original Message-
From: Claudio Lapidus [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 9:19 PM
To: Guðbjörn S. Hreinsson; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Input queue size

..

From my own corner, I wish it were possible to have more than one
established connection with the SQL backend, so as to parallelize requests
to a certain degree. But yes, I suppose that means multithreading, and AFAIK
that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do
it?

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


Re: (RADIATOR) LDAP COnnection

2003-11-12 Thread Hugh Irvine
Hello Jaskaran -

Can you please send me a trace 4 debug showing what is happening?

thanks

Hugh

On 13/11/2003, at 3:04 AM, jsingh wrote:

Hello Hugh

  I understand that Radiator is supposed to drop the connection after
it connects and talks to the LDAP Server. But I can see a connection
for each of my incoming requests. I changed the configuration file for
Radiator to sustain one connection, which is not the ideal situation
as far as my project is concerned. I would like to know if I am
missing something in my config or is this a bug in radiator. I am
attaching my config without the secrets. I am using Radiator-3.5 on
Solaris 8 with perl 5.6.1

Thanks

 

Foreground
LogStdout
LogDir      /var/log/radius3.5.1
DbDir       .
Trace       4
PidFile     /var/log/radius3.5.1/radiusd.pid
AuthPort    11645
AcctPort    11646
DefineGlobalVar Max 7200
DictionaryFile /usr/local/adm/src/Radiator-3.5/dictionary

# Clients to suit your site. ###
<Client xx.xx.xx.xx>
    Secret      xx
    DupInterval 0
</Client>
##

<Client .fdu.edu>
    Secret      x
    DupInterval 0
</Client>
##

<Client xxx>
    Secret
    DupInterval 0
</Client>
#

<Client xxx.xx.xx.xxx>
    Secret      xxx
    DupInterval 0
</Client>

<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret      x
    DupInterval 0
</Client>

<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret
    DupInterval 1
</Client>

<Client DEFAULT>
    Secret
    DupInterval 0
</Client>

<AuthBy LDAP2>
    Identifier          CheckLDAP
    Host                xxx.fdu.edu
    Port                636
    UseSSL
    SSLCAPath           /usr/local/adm/etc/
    BaseDN              dc=xxx, dc=xxx
    Scope               subtree
    UsernameAttr        x
    PasswordAttr        userPassword
    ServerChecksPassword
    Timeout             2
    FailureBackoffTime  30
    HoldServerConnection
    #CheckAttr cn

    #AuthAttrDef ipaddress,Framed-IP-Address,reply

    AddToReply Framed-Protocol = PPP,\
        Framed-Routing = None,\
        Framed-MTU = 1500,\
        Framed-Compression = Van-Jacobson-TCP-IP,\
        Service-Type = Framed-User,\
        Idle-Timeout = 300

    Debug 255
</AuthBy>
###
##

<AuthBy SQL>
    Identifier  Block-Time-SQL
    DBSource    dbi:mysql::localhost
    DBUsername  xx
    DBAuth      xxx
    DefaultSimultaneousUse 1
    AccountingTable x
    AuthSelect  Select Time_Left from RADUSERS where User_Name='%n'
    AuthColumnDef 0, Session-Timeout,reply

    AcctSQLStatement Update RADUSERS set Time_Left=Time_Left-'%{Acct-Session-Time}' \
        where User_Name='%n';
</AuthBy>
###
#

<AuthLog SQL>
    Identifier  REQUEST
    DBSource    dbi:mysql::localhost
    DBUsername  xx
    DBAuth      xx
    LogSuccess
    SuccessQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE) values ('%l','%n',1)
    LogFailure
    FailureQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE,REASON) values ('%l','%n',0,%1)
</AuthLog>
###
##

<Realm 1.1>
    AuthByPolicy ContinueWhileAccept
    PreAuthHook  file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    AuthLog REQUEST
    MaxSessions 1
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    SessionDatabase SQLDB
</Realm>

<Realm 1.1.1>
    AccountingHandled
    AuthByPolicy ContinueWhileAccept
    PreAuthHook  file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    MaxSessions 1
    SessionDatabase SQLDB
    AcctLogFileName /var/radius/Acct
</Realm>
###

<SessionDatabase SQL>
    Identifier SQLDB
    DBSource   dbi:mysql:xxx:localhost
    DBUsername x
    DBAuth     x
</SessionDatabase>

 

 

 

Jaskaran Singh

University Systems  Security

Fairleigh Dickinson University

Teaneck,NJ 07666

 

NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-

Re: (RADIATOR) Cisco NAS dont sent password to radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request

2003-11-12 Thread Hugh Irvine
Hello Sergei -

See my other mail, but what is shown below is a NAS configured for 
CHAP, hence the CHAP-Password in the request.

You should use something like this:

qqq  Password = kkk

or

qqq  User-Password = kkk

which will work for both forms (note that the spelling is important).

See section 13.1.1 in the Radiator 3.7.1 reference manual 
(doc/ref.html).

regards

Hugh

On 12/11/2003, at 8:45 PM, Sergei Keler wrote:

Hi!

I have a Cisco 2621 (IOS 12.2).
When I use the following radiator config:
users file:

qqq     user-password=kkk, Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500
conf file:

<Realm DEFAULT>
        <AuthBy FILE>
                Filename %D/users
                AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
        </AuthBy>
        AcctLogFileName %L/detail
        PasswordLogFileName %L/passwd
</Realm>
I found the following in the log file:

Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Received from 192.168.0.254 port 1645 
Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code:       Access-Request
Identifier: 34
Authentic: 
 19311183164127/214m2411291322520202149F
Attributes:
        Framed-Protocol = PPP
        User-Name = qqq
        CHAP-Password = 
10152185r-135D196}22423221623017430D]
        NAS-Port = 33
        NAS-Port-Type = Async
        Calling-Station-Id = async
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.0.254

Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 
'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG:  Deleting session for qqq, 
192.168.0.254, 33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with 
qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item 
user-password expression'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item 
user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645 
Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 34
Authentic: 
 19311183164127/214m2411291322520202149F
Attributes:
        Reply-Message = Request Denied



Cisco's debug:

Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds 
trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state 
to up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from gdc-gw
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from qqq
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (DB31): Pick method list 
'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS:  AAA Unsupported     [134] 7
Nov 12 09:33:01.209: RADIUS:   41 73 79 6E 63                         
          [Async]
Nov 12 09:33:01.209: RADIUS(DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, 
Access-Request, len 81
Nov 12 09:33:01.213: RADIUS:  authenticator C1 0B B7 A4 7F 2F D6 6D - 
F1 81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS:  Framed-Protocol     [7]   6   PPP       
                [1]
Nov 12 09:33:01.213: RADIUS:  User-Name           [1]   5   qqq
Nov 12 09:33:01.213: RADIUS:  CHAP-Password       [3]   19  *
Nov 12 09:33:01.213: RADIUS:  NAS-Port            [5]   6   33         
             
Nov 12 09:33:01.213: RADIUS:  NAS-Port-Type       [61]  6   Async     
                [0]
Nov 12 09:33:01.213: RADIUS:  Calling-Station-Id  [31]  7   async
Nov 12 09:33:01.217: RADIUS:  Service-Type        [6]   6   Framed     
               [2]
Nov 12 09:33:01.217: RADIUS:  NAS-IP-Address      [4]   6   
192.168.0.254          
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, 
Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS:  authenticator 08 FD AC E8 B2 2D 66 6E - 
C5 97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS:  Reply-Message       [18]  16
Nov 12 09:33:01.229: RADIUS:   52 65 71 75 65 73 74 20 44 65 6E 69 65 
64        [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP: 
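
The rejection above ("does not match '' in request") is the server comparing a User-Password check item against a request that has no User-Password at all: the Cisco is doing CHAP, so the packet carries CHAP-Password, and the check item has to be one Radiator applies to both. Verifying a CHAP response means recomputing MD5(ident || password || challenge) from the cleartext password, which is why the users file must hold the password in clear for CHAP users, and why the same computation run against a captured CHAP-Password is an offline guessing attack on that password. The example below is added for this page and is not Radiator code or anything posted in the thread: it parses the captured Access-Request transcribed from the hex dump above, verifies CHAP against a constructed request where the password is known, and reports which of the two password attributes the packet actually carries. The attribute constants come from RFC 2865; the builder's use of the Request Authenticator as challenge mirrors what the trace shows (no CHAP-Challenge attribute).

```python
"""Parse a RADIUS Access-Request and verify its CHAP-Password.

Added example; not Radiator code and not from anyone on the thread. It
shows what the server has to do with the request Sergei's Cisco sent:
because the NAS is doing CHAP, the packet carries CHAP-Password
(attribute 3) and no User-Password (2), so a check item on User-Password
compares against an empty string and fails. The only way to verify a
CHAP response is to recompute MD5(ident || password || challenge) from
the cleartext password (RFC 2865 section 5.3); when the request has no
CHAP-Challenge (60) the Request Authenticator is the challenge.
"""
import hashlib
import hmac
import os
import struct

ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_CHAP_PASSWORD = 3
ATTR_NAS_PORT = 5
ATTR_CHAP_CHALLENGE = 60

# The 81-byte Access-Request from the trace in the thread, transcribed
# from its hex dump (Identifier 34, CHAP id 10, user "qqq").
CAPTURED_REQUEST = bytes.fromhex(
    "01220051c10bb7a47f2fd66df18184fc"
    "00ca9546070600000001010571717103"
    "130a98b9722d8744c47de0e8d8e6ae1e"
    "445d0506000000213d06000000001f07"
    "6173796e630606000000020406c0a800"
    "fe"
)


def parse_radius(packet):
    """Return (code, identifier, authenticator, [(type, value), ...]).

    The Length field and every attribute length are checked against the
    datagram so a truncated or padded packet raises instead of mis-parsing.
    """
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS Length field")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def first_attr(attrs, atype):
    """First value of attribute type atype, or None if absent."""
    for t, v in attrs:
        if t == atype:
            return v
    return None


def chap_verify(packet, password):
    """Server-side CHAP check: True on match, False on mismatch, ValueError
    if the request carries no CHAP-Password (the case a User-Password check
    item cannot handle either)."""
    _, _, authenticator, attrs = parse_radius(packet)
    chap = first_attr(attrs, ATTR_CHAP_PASSWORD)
    if chap is None or len(chap) != 17:
        raise ValueError("no usable CHAP-Password in request")
    ident, response = chap[:1], chap[1:]
    challenge = first_attr(attrs, ATTR_CHAP_CHALLENGE) or authenticator
    expected = hashlib.md5(ident + password.encode() + challenge).digest()
    return hmac.compare_digest(expected, response)


def build_chap_request(username, password, chap_id=10, identifier=34):
    """Constructed Access-Request of the kind a CHAP NAS sends: no
    CHAP-Challenge attribute, so the random authenticator is the challenge."""
    authenticator = os.urandom(16)
    ident = bytes([chap_id])
    response = hashlib.md5(ident + password.encode() + authenticator).digest()
    body = b""
    for atype, value in ((ATTR_USER_NAME, username.encode()),
                         (ATTR_CHAP_PASSWORD, ident + response)):
        body += bytes([atype, len(value) + 2]) + value
    return struct.pack("!BBH", 1, identifier, 20 + len(body)) + authenticator + body


def summarize(packet):
    """The fields a 'does not match' rejection hinges on."""
    code, ident, _, attrs = parse_radius(packet)
    chap = first_attr(attrs, ATTR_CHAP_PASSWORD)
    return {
        "code": code,
        "identifier": ident,
        "user_name": (first_attr(attrs, ATTR_USER_NAME) or b"").decode(),
        "has_user_password": first_attr(attrs, ATTR_USER_PASSWORD) is not None,
        "chap_ident": chap[0] if chap else None,
    }


if __name__ == "__main__":
    print(summarize(CAPTURED_REQUEST))
    # Whether this is True depends on what the dial-in client really typed;
    # the trace alone does not tell us, which is also why a captured
    # CHAP-Password is an offline guessing target.
    print("kkk matches captured response:", chap_verify(CAPTURED_REQUEST, "kkk"))
```

The practical consequences match Hugh's advice: a check item that only understands User-Password can never succeed for this NAS, and any server that accepts CHAP must store a reversible or cleartext password, so the users file (and the PasswordLogFileName output in the Realm above) needs the same protection as the password database itself.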

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

Sorry. I'm a fool somedays. The problem is I don't get a response if I
change the sql column to say... SessionLimit and define the session-limit
through the profile either. I'll give it another try and check the
dictionary. Maybe I'm just going crazy but this will be day 6. I'll let you
know if I get it to work.

Brandon

- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems



 Hello Brandon -

 Thanks for your mail.

 Unfortunately I meant a trace 4 debug from Radiator (not a trace 4
 debug from radpwtst).

 In any event, I suspect that at the very least the TimeOfDay radius
 attribute is not defined in your Radiator dictionary.

 regards

 Hugh


 On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

  Hugh,
 
  Note: I don't care that I left my ip address in there or the
  encrypted
  password. This is a test server with test data.
 
  Brandon
 
  - Original Message -
  From: Brandon Lehmann [EMAIL PROTECTED]
  To: Hugh Irvine [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Wednesday, November 12, 2003 5:43 PM
  Subject: Re: (RADIATOR) Profiles problems
 
 
  Hugh,
 
  Trace 4 with the config in my original message shows:
 
  --- START
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 120
  Authentic:  1234567890123456
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  NAS-Port-Type = Async
  User-Password =
  .255x]2052212197219Sj143221224129
 
  No reply
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 121
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Start
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 121
  Authentic:  fe#O#156150S239N24023418223229
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 122
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Stop
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
  Acct-Session-Time = 1000
  Acct-Input-Octets = 2
  Acct-Output-Octets = 3
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 122
  Authentic:  5Y2V137180L2R138vzai248184
  Attributes:
 
  OK
  -END
 
 
  Changing AuthByPolicy to ContinueWhileAccept returns this:
 
  -START-
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 81
  Authentic:  1234567890123456
  Attributes:
   User-Name = brandon
   Service-Type = Framed-User
   NAS-IP-Address = 203.63.154.1
   NAS-Port = 1234
   Called-Station-Id = 123456789
   Calling-Station-Id = 987654321
   NAS-Port-Type = Async
   User-Password =
  .255x]2052212197219Sj143221224129
 
  Packet dump:
  *** Received from 63.148.117.3 port 1645 
  Code:   Access-Reject
  Identifier: 81
  Authentic:  201KV189Ao213235254322zh2394
  Attributes:
   Reply-Message = Request Denied
 
  Rejected: Request Denied
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 82
  Authentic:  
  Attributes:
   User-Name = brandon
   Service-Type = Framed-User
   NAS-IP-Address = 203.63.154.1
   NAS-Port = 1234
   NAS-Port-Type = Async
   Acct-Session-Id = 1234
   Acct-Status-Type = Start
   Called-Station-Id = 123456789
   Calling-Station-Id = 987654321
   Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 82
  Authentic:  237157221248311235207167t226SVQ227
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** 

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

I just took a look around. Changed it to Time, set it correctly in the
SQL database, made it a check item. Set to ContinueWhileAccept. Trace 4
reveals that Authentication is Disabled.
I'm confused...

Brandon
- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems



 Hello Brandon -

 Thanks for your mail.

 Unfortunately I meant a trace 4 debug from Radiator (not a trace 4
 debug from radpwtst).

 In any event, I suspect that at the very least the TimeOfDay radius
 attribute is not defined in your Radiator dictionary.

 regards

 Hugh


 On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

  Hugh,
 
  Note: I don't care that I left my ip address in there or the
  encrypted
  password. This is a test server with test data.
 
  Brandon
 
  - Original Message -
  From: Brandon Lehmann [EMAIL PROTECTED]
  To: Hugh Irvine [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Wednesday, November 12, 2003 5:43 PM
  Subject: Re: (RADIATOR) Profiles problems
 
 
  Hugh,
 
  Trace 4 with the config in my original message shows:
 
  --- START
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 120
  Authentic:  1234567890123456
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  NAS-Port-Type = Async
  User-Password =
  .255x]2052212197219Sj143221224129
 
  No reply
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 121
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Start
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 121
  Authentic:  fe#O#156150S239N24023418223229
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 122
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Stop
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
  Acct-Session-Time = 1000
  Acct-Input-Octets = 2
  Acct-Output-Octets = 3
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 122
  Authentic:  5Y2V137180L2R138vzai248184
  Attributes:
 
  OK
  -END
 
 
  Changing AuthByPolicy to ContinueWhileAccept returns this:
 
  -START-
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 81
  Authentic:  1234567890123456
  Attributes:
   User-Name = brandon
   Service-Type = Framed-User
   NAS-IP-Address = 203.63.154.1
   NAS-Port = 1234
   Called-Station-Id = 123456789
   Calling-Station-Id = 987654321
   NAS-Port-Type = Async
   User-Password =
  .255x]2052212197219Sj143221224129
 
  Packet dump:
  *** Received from 63.148.117.3 port 1645 
  Code:   Access-Reject
  Identifier: 81
  Authentic:  201KV189Ao213235254322zh2394
  Attributes:
   Reply-Message = Request Denied
 
  Rejected: Request Denied
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 82
  Authentic:  
  Attributes:
   User-Name = brandon
   Service-Type = Framed-User
   NAS-IP-Address = 203.63.154.1
   NAS-Port = 1234
   NAS-Port-Type = Async
   Acct-Session-Id = 1234
   Acct-Status-Type = Start
   Called-Station-Id = 123456789
   Calling-Station-Id = 987654321
   Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 82
  Authentic:  237157221248311235207167t226SVQ227
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 83
  Authentic:  
 

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

I have solved my problem... I totally forgot about SQL join
statements... I have no clue why I was making this so hard... From my
original config (authbypolicy ContinueAlways) I changed the following in my
AuthSelect and Column Definitions (and of course removed my second AuthSelect
AuthBy grouping)...:

--START--

AuthSelect select ClearTextPassword,ServiceType,SessionLimit,IdleLimit,StaticIP, \
    IPNetmask,FramedRoute,PortLimit,PortLimit,profiles.timeofday,profiles.sessiontimeout \
    from Customers left join profiles on customers.profileid = profiles.profile where \
    CustomerID=%0 and Disable is null
AuthColumnDef 0,Password,check
AuthColumnDef 1,Service-Type,reply
AuthColumnDef 2,Session-Timeout,reply
AuthColumnDef 3,Idle-Timeout,reply
AuthColumnDef 4,Framed-IP-Address,reply
AuthColumnDef 5,Framed-IP-Netmask,reply
AuthColumnDef 6,Framed-Route,reply
AuthColumnDef 7,Port-Limit,reply
AuthColumnDef 8,Simultaneous-Use,check
AuthColumnDef 9,Time,check
AuthColumnDef 10,Session-Timeout,reply

--END---

Assuming that the DEFAULT profile has a blank TimeofDay field and blank
SessionTimeout field. The profile I wanted to limit has the following
values: Al0730-1530 and until Time respectively.
This now works flawlessly. No more Authentication Disabled messages. I'm
sure I'll add a General field somewhere down the line for other attributes
such as IP filters but this is enough for the last 6 days.

Thanks for the help,

Brandon Lehmann

- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems



 Hello Brandon -

 Thanks for your mail.

 Unfortunately I meant a trace 4 debug from Radiator (not a trace 4
 debug from radpwtst).

 In any event, I suspect that at the very least the TimeOfDay radius
 attribute is not defined in your Radiator dictionary.

 regards

 Hugh


 On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

  Hugh,
 
  Note: I don't care that I left my ip address in there or the
  encrypted
  password. This is a test server with test data.
 
  Brandon
 
  - Original Message -
  From: Brandon Lehmann [EMAIL PROTECTED]
  To: Hugh Irvine [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Wednesday, November 12, 2003 5:43 PM
  Subject: Re: (RADIATOR) Profiles problems
 
 
  Hugh,
 
  Trace 4 with the config in my original message shows:
 
  --- START
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 120
  Authentic:  1234567890123456
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  NAS-Port-Type = Async
  User-Password =
  .255x]2052212197219Sj143221224129
 
  No reply
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 121
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Start
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 121
  Authentic:  fe#O#156150S239N24023418223229
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 122
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Stop
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
  Acct-Session-Time = 1000
  Acct-Input-Octets = 2
  Acct-Output-Octets = 3
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 122
  Authentic:  5Y2V137180L2R138vzai248184
  Attributes:
 
  OK
  -END
 
 
  Changing AuthByPolicy to ContinueWhileAccept returns this:
 
  -START-
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 81
  Authentic:  1234567890123456
  Attributes:
   User-Name = brandon
   

Re: (RADIATOR) Profiles problems

2003-11-12 Thread Brandon Lehmann
Hugh,

As a reply to this, though I just sent out my last message to you and
the list saying that I fixed it, this was the base hawki.cfg file included
with the Radiator distribution. As I'm sure you know, it's in the goodies
folder. However, I will keep your message for future reference.

Thanks,

Brandon

- Original Message - 
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 1:31 AM
Subject: Re: (RADIATOR) Profiles problems



 Hello Brandon -

 You have set the AuthByPolicy ContinueWhileAccept, but your first
 AuthBy clause has AuthSelect to disable authentication.

 Why do you have different AuthBy clauses for authentication and
 accounting?

 If you want to keep this structure, you will need to use an AuthBy
 GROUP and alter the AuthByPolicy inside it:

 <Realm DEFAULT>

 .

 # AuthByPolicy to do both accounting and authentication
 AuthByPolicy ContinueAlways

 <AuthBy SQL>
 .
 # disable authentication
 AuthSelect

 # do accounting
 .
 </AuthBy>

 # define AuthBy GROUP
 # use different AuthByPolicy

 <AuthBy GROUP>

 AuthByPolicy ContinueWhileAccept
 <AuthBy SQL>
 # do authentication
 .
 </AuthBy>

 <AuthBy SQL>
 # check time
 .
 </AuthBy>

 </AuthBy>

 </Realm>


 regards

 Hugh


 On 13/11/2003, at 5:03 PM, Brandon Lehmann wrote:

  Hugh,
 
  I just took a look around. Changed it to Time, set it correctly in the
  SQL database, made it a check item. Set to ContinueWhileAccept. Trace 4
  reveals that Authentication is Disabled.
  I'm confused...
 
  Brandon
  - Original Message -
  From: Hugh Irvine [EMAIL PROTECTED]
  To: Brandon Lehmann [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Wednesday, November 12, 2003 11:20 PM
  Subject: Re: (RADIATOR) Profiles problems
 
 
 
  Hello Brandon -
 
  Thanks for your mail.
 
  Unfortunately I meant a trace 4 debug from Radiator (not a trace 4
  debug from radpwtst).
 
  In any event, I suspect that at the very least the TimeOfDay radius
  attribute is not defined in your Radiator dictionary.
 
  regards
 
  Hugh
 
 
  On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:
 
  Hugh,
 
  Note: I don't care that I left my ip address in there or the encrypted
  password. This is a test server with test data.
 
  Brandon
 
  - Original Message -
  From: Brandon Lehmann [EMAIL PROTECTED]
  To: Hugh Irvine [EMAIL PROTECTED]
  Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
  Sent: Wednesday, November 12, 2003 5:43 PM
  Subject: Re: (RADIATOR) Profiles problems
 
 
  Hugh,
 
  Trace 4 with the config in my original message shows:
 
  --- START
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port 1645 
  Code:   Access-Request
  Identifier: 120
  Authentic:  1234567890123456
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  NAS-Port-Type = Async
  User-Password =
  .255x]2052212197219Sj143221224129
 
  No reply
  sending Accounting-Request Start...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 121
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Start
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 121
  Authentic:  fe#O#156150S239N24023418223229
  Attributes:
 
  OK
  sending Accounting-Request Stop...
  Packet dump:
  *** Sending to 63.148.117.3 port 1646 
  Code:   Accounting-Request
  Identifier: 122
  Authentic:  
  Attributes:
  User-Name = brandon
  Service-Type = Framed-User
  NAS-IP-Address = 203.63.154.1
  NAS-Port = 1234
  NAS-Port-Type = Async
  Acct-Session-Id = 1234
  Acct-Status-Type = Stop
  Called-Station-Id = 123456789
  Calling-Station-Id = 987654321
  Acct-Delay-Time = 0
  Acct-Session-Time = 1000
  Acct-Input-Octets = 2
  Acct-Output-Octets = 3
 
  Packet dump:
  *** Received from 63.148.117.3 port 1646 
  Code:   Accounting-Response
  Identifier: 122
  Authentic:  5Y2V137180L2R138vzai248184
  Attributes:
 
  OK
  -END
 
 
  Changing AuthByPolicy to ContinueWhileAccept returns this:
 
  -START-
  Reading dictionary file './dictionary'
  sending Access-Request...
  Packet dump:
  *** Sending to 63.148.117.3 port