Re: (RADIATOR) Input queue size
Cheers, this may be unrelated, but I am interested in any and all tuning listmembers have done in the OS for Radiator performance.

We are running two radiator servers with one proxy radiator in front and a separate sql machine and ldap machine. Since we perform ldap auth the incoming requests are sequential, which limits our rate of authentication. We have seen that we can handle at most about 1500 requests per minute per server during peak loads (server restarts etc.). This is mostly load from xDSL users (we do periodic tarpitting for bad users).

We have also seen that at these peaks udp packets begin to be dropped (by the os I imagine) and aaa rates start to get worse. This drop in rates seems to be related to the fact that if the radius servers do not respond in a timely fashion the NAS's begin to resend the radius requests, adding to the incoming rate of packets, increasing the udp drop etc. We actually monitor udp packet drops and restart the radiators, which increases the rate for a while, until there is another udp queue buildup and udp packets start to be dropped, nas's start to resend packets etc. until the monitor script restarts the servers.

Lengthening the udp queues seems to really have adverse effects on this situation. We have not really tried shortening the queue, which might really have even more adverse effects; without testing though I can't tell.

To counter this we have configured multiple instances of radiators for authentication/authorization and accounting and instances for separate NAS's or NAS groups. This in effect simulates having a threaded radiator to reduce the effect of this sequential processing. This has not seemed to be related to CPU load or network performance, we have looked at these in detail.

We also looked at dropping radius packets which were x seconds old but there is no practical way to do this, since we really have no way of knowing when the NAS sent the udp packet (I wish radius supported tcp, it's much better situated for high traffic rates). We did an estimate once for how many packets would fit in the queue based on some average size but this did in the end have really no purpose.

If anyone has input on this issue or OS tuning for Radiator I'd love to hear about it. Hope you understand my attempt to explain the above scenario. Basically we have a pretty stable environment today, but perhaps overly complex to manage because of the multiple instances.

Hugh, is a threaded ldap handler on the horizon? Is this perl or radiator related?

Rgds,
-GSH

----- Original Message -----
From: Hugh Irvine [EMAIL PROTECTED]
To: Claudio Lapidus [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 3:02 AM
Subject: Re: (RADIATOR) Input queue size

> Hello Claudio -
>
> This is really an operating system issue, as the UDP buffer space is managed by the OS. You should have a look at netstat and friends. Solaris may also have additional tools that allow you to look at what the system is doing.
>
> regards
>
> Hugh
>
> On 12/11/2003, at 1:28 PM, Claudio Lapidus wrote:
>
>> Hello Hugh,
>>
>> Is there a way to inspect the length of the input queue during runtime? I'm running Radiator 3.6 on Solaris 8, Perl 5.8.0, no monitor setup.
>>
>> thanks in advance
>> cl.
>>
>> === Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
>
> NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
> - CATool: Private Certificate Authority for Unix and Unix-like systems.
(RADIATOR) Cisco NAS doesn't send password to radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request
Hi!

I have Cisco 2621 (IOS 12.2). When I use the following radiator config:

users file:

qqq user-password=kkk,
    Service-Type = Framed-User
    Framed-Protocol = PPP,
    Framed-IP-Netmask = 255.255.255.0,
    Framed-Routing = None,
    Framed-MTU = 1500

conf file:

<Realm DEFAULT>
    <AuthBy FILE>
        Filename %D/users
        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
    </AuthBy>
    AcctLogFileName %L/detail
    PasswordLogFileName %L/passwd
</Realm>

I found the following in the log file:

Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Received from 192.168.0.254 port 1645
Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code:       Access-Request
Identifier: 34
Authentic:  19311183164127/214m2411291322520202149F
Attributes:
        Framed-Protocol = PPP
        User-Name = qqq
        CHAP-Password = 10152185r-135D196}22423221623017430D]
        NAS-Port = 33
        NAS-Port-Type = Async
        Calling-Station-Id = async
        Service-Type = Framed-User
        NAS-IP-Address = 192.168.0.254

Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG: Deleting session for qqq, 192.168.0.254, 33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645
Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code:       Access-Reject
Identifier: 34
Authentic:  19311183164127/214m2411291322520202149F
Attributes:
        Reply-Message = Request Denied

Cisco's debug:

Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from gdc-gw
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from qqq
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (DB31): Pick method list 'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS: AAA Unsupported [134] 7
Nov 12 09:33:01.209: RADIUS: 41 73 79 6E 63 [Async]
Nov 12 09:33:01.209: RADIUS(DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, Access-Request, len 81
Nov 12 09:33:01.213: RADIUS: authenticator C1 0B B7 A4 7F 2F D6 6D - F1 81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS: Framed-Protocol [7] 6 PPP [1]
Nov 12 09:33:01.213: RADIUS: User-Name [1] 5 qqq
Nov 12 09:33:01.213: RADIUS: CHAP-Password [3] 19 *
Nov 12 09:33:01.213: RADIUS: NAS-Port [5] 6 33
Nov 12 09:33:01.213: RADIUS: NAS-Port-Type [61] 6 Async [0]
Nov 12 09:33:01.213: RADIUS: Calling-Station-Id [31] 7 async
Nov 12 09:33:01.217: RADIUS: Service-Type [6] 6 Framed [2]
Nov 12 09:33:01.217: RADIUS: NAS-IP-Address [4] 6 192.168.0.254
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS: authenticator 08 FD AC E8 B2 2D 66 6E - C5 97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS: Reply-Message [18] 16
Nov 12 09:33:01.229: RADIUS: 52 65 71 75 65 73 74 20 44 65 6E 69 65 64 [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP: O FAILURE id 10 len 18 msg is Request Denied
Nov 12 12:33:03 MSK: %LINK-5-CHANGED: Interface Async33, changed state to reset
Nov 12 12:33:08 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to down

So, as I understand, cisco didn't send the user password to radius??? What to do? :-(

Sergei N Keler
IT-Manager
General DataComm
[EMAIL PROTECTED] [www.gdc.ru]
[tel. +7(812)325-1085 (ext. 0723)] [fax +7(812)325-1086]
(RADIATOR) LDAP Connection
Hello Hugh

I understand that Radiator is supposed to drop the connection after it connects and talks to the LDAP Server. But I can see a connection for each of my incoming requests. I changed the configuration file for Radiator to sustain one connection, which is not the ideal situation as far as my project is concerned. I would like to know if I am missing something in my config or is this a bug in radiator. I am attaching my config without the secrets.

I am using Radiator-3.5 on solaris 8 with perl 5.6.1

Thanks

Foreground
LogStdout
LogDir /var/log/radius3.5.1
DbDir .
Trace 4
PidFile /var/log/radius3.5.1/radiusd.pid
AuthPort 11645
AcctPort 11646
DefineGlobalVar Max 7200
DictionaryFile /usr/local/adm/src/Radiator-3.5/dictionary

# Clients to suit your site.
###
<Client xx.xx.xx.xx>
    Secret xx
    DupInterval 0
</Client>
##
<Client .fdu.edu>
    Secret x
    DupInterval 0
</Client>
##
<Client xxx>
    Secret
    DupInterval 0
</Client>
#
<Client xxx.xx.xx.xxx>
    Secret xxx
    DupInterval 0
</Client>
<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret x
    DupInterval 0
</Client>
<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret
    DupInterval 1
</Client>
<Client DEFAULT>
    Secret
    DupInterval 0
</Client>

<AuthBy LDAP2>
    Identifier CheckLDAP
    Host xxx.fdu.edu
    Port 636
    UseSSL
    SSLCAPath /usr/local/adm/etc/
    BaseDN dc=xxx, dc=xxx
    Scope subtree
    UsernameAttr x
    PasswordAttr userPassword
    ServerChecksPassword
    Timeout 2
    FailureBackoffTime 30
    HoldServerConnection
    #CheckAttr cn
    #AuthAttrDef ipaddress,Framed-IP-Address,reply
    AddToReply Framed-Protocol = PPP,\
        Framed-Routing = None,\
        Framed-MTU = 1500,\
        Framed-Compression = Van-Jacobson-TCP-IP,\
        Service-Type = Framed-User,\
        Idle-Timeout = 300
    Debug 255
</AuthBy>
#
<AuthBy SQL>
    Identifier Block-Time-SQL
    DBSource dbi:mysql::localhost
    DBUsername xx
    DBAuth xxx
    DefaultSimultaneousUse 1
    AccountingTable x
    AuthSelect Select Time_Left from RADUSERS where User_Name='%n'
    AuthColumnDef 0, Session-Timeout,reply
    AcctSQLStatement Update RADUSERS set Time_Left=Time_Left -'%{Acct-Session-Time}' \
        where User_Name='%n';
</AuthBy>

<AuthLog SQL>
    Identifier REQUEST
    DBSource dbi:mysql::localhost
    DBUsername xx
    DBAuth xx
    LogSuccess
    SuccessQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE) values ('%l','%n',1)
    LogFailure
    FailureQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE,REASON) values ('%l','%n',0,%1)
</AuthLog>
#
<Realm 1.1>
    AuthByPolicy ContinueWhileAccept
    PreAuthHook file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    AuthLog REQUEST
    MaxSessions 1
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    SessionDatabase SQLDB
</Realm>

<Realm 1.1.1>
    AccountingHandled
    AuthByPolicy ContinueWhileAccept
    PreAuthHook file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    MaxSessions 1
    SessionDatabase SQLDB
    AcctLogFileName /var/radius/Acct
</Realm>
###
<SessionDatabase SQL>
    Identifier SQLDB
    DBSource dbi:mysql:xxx:localhost
    DBUsername x
    DBAuth x
</SessionDatabase>

Jaskaran Singh
University Systems Security
Fairleigh Dickinson University
Teaneck, NJ 07666
(RADIATOR) Cisco VPDN troubles
Hi!

I have Cisco 26xx (IOS 12.2) and several windows workstations (win2k). What do I need to do with cisco and radiator to allow win2k users to connect to an encrypted vpn with cisco?

Now it is:

cisco:

interface Virtual-Template1
 ppp encrypt mppe 40
 ppp authentication ms-chap VPDN

radiator:

<Realm VPDN>
    RewriteUsername s/^([EMAIL PROTECTED]).*/$1/
    <AuthBy FILE>
        Filename %D/users.vpdn
        AutoMPPEKeys Yes
        AddToReply Service-Type = Framed,\
            Framed-Protocol = PPP,\
            Framed-IP-Netmask = 255.255.255.255,\
            Framed-Routing = None,\
            Framed-MTU = 1500,\
            Message-Authenticator = ,\
            MS-MPPE-Encryption-Policy = Encryption-Allowed,\
            MS-MPPE-Encryption-Types = Encryption-Any
    </AuthBy>
    #Framed-Compression = Van-Jacobson-TCP-IP,\
    # Log accounting to a detail file
    AcctLogFileName %L/detail.vpdn
    PasswordLogFileName %L/passwd.vpdn
</Realm>

win2k (sorry, m$win doesn't allow text configs :) A simple 'add new connection' - VPN. So, MS-CHAP v1 and v2. And as I understand using encrypted passwords.

Sergei N Keler
IT-Manager
General DataComm
[EMAIL PROTECTED] [www.gdc.ru]
[tel. +7(812)325-1085 (ext. 0723)] [fax +7(812)325-1086]
(RADIATOR) Profiles problems
Hi List,

I cannot get the radius server to return the profile while using the following configuration:

--START-
LogStdout c:/radiator/stdout.txt
LogDir c:/radiator
DbDir c:/radiator.

<Client DEFAULT>
    Secret !removed for my protection!
    DupInterval 0
</Client>

<Realm DEFAULT>
    AuthByPolicy ContinueAlways

    <AuthBy SQL>
        Identifier ACCT1
        DBSource dbi:ODBC:!removed for my protection!
        DBUsername !removed for my protection!
        DBAuth !removed for my protection!
        AuthSelect
        AccountingTable radacct1
        AcctColumnDef UserName,User-Name
        AcctColumnDef LogDateTime,Timestamp,integer-date
        AcctColumnDef AcctStatusType,Acct-Status-Type
        AcctColumnDef AcctDelayTime,Acct-Delay-Time,integer
        AcctColumnDef AcctInputOctets,Acct-Input-Octets,integer
        AcctColumnDef AcctOutputOctets,Acct-Output-Octets,integer
        AcctColumnDef AcctInputPackets,Acct-Input-Packets,integer
        AcctColumnDef AcctOutputPackets,Acct-Output-Packets,integer
        AcctColumnDef AcctSessionTime,Acct-Session-Time,integer
        AcctColumnDef AcctTerminateCause,Acct-Terminate-Cause
        AcctColumnDef NasIPAddress,NAS-IP-Address
        AcctColumnDef NasIdentifier,NAS-Identifier
        AcctColumnDef NasPortId,NAS-Port,integer
        AcctColumnDef NasPortType,NAS-Port-Type,integer
        AcctColumnDef ConnectInfo,Connect-Info
        AcctColumnDef ServiceType,Service-Type
        AcctColumnDef FramedProtocol,Framed-Protocol
        AcctColumnDef FramedAddress,Framed-IP-Address
        AcctColumnDef CallingStationId,Calling-Station-Id
    </AuthBy>

    <AuthBy SQL>
        Identifier AUTH1
        DBSource dbi:ODBC:!removed for my protection!
        DBUsername !removed for my protection!
        DBAuth !removed for my protection!
        AuthSelect select ClearTextPassword,ServiceType,SessionLimit, \
            IdleLimit,StaticIP,IPNetmask,FramedRoute,PortLimit, \
            PortLimit,ProfileID from Customers where CustomerID=%0 \
            and Disable is null
        AuthColumnDef 0,Password,check
        AuthColumnDef 1,Service-Type,reply
        AuthColumnDef 2,Session-Timeout,reply
        AuthColumnDef 3,Idle-Timeout,reply
        AuthColumnDef 4,Framed-IP-Address,reply
        AuthColumnDef 5,Framed-IP-Netmask,reply
        AuthColumnDef 6,Framed-Route,reply
        AuthColumnDef 7,Port-Limit,reply
        AuthColumnDef 8,Simultaneous-Use,check
        AuthColumnDef 9,Profile,reply
    </AuthBy>

    <AuthBy SQL>
        DBSource dbi:ODBC:!removed for my protection!
        DBUsername !removed for my protection!
        DBAuth !removed for my protection!
        AuthSelect SELECT timeofday FROM profiles WHERE \
            [profile]='%{Reply:Profile}'
        AuthColumnDef 0,TimeOfDay,reply
        StripFromReply Profile
    </AuthBy>

    SessionDatabase SDB1
</Realm>

<SessionDatabase SQL>
    Identifier SDB1
    DBSource dbi:ODBC:!removed for my protection!
    DBUsername !removed for my protection!
    DBAuth !removed for my protection!
</SessionDatabase>
---END

If I change AuthByPolicy ContinueAlways to AuthByPolicy ContinueWhileAccept then the server always returns Request Denied.

Any input would be greatly appreciated. Note: I have already searched the list archives, nothing seems to work.

Thank you,

Brandon Lehmann
Network Administrator
Great Lakes Internet Service, LLC.
The Computer Loft, Inc.
218 Justice St
Fremont, Ohio 43420
419.332.3553
[EMAIL PROTECTED]
Re: (RADIATOR) Profiles problems
Hugh,

Trace 4 with the config in my original message shows:

--- START
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code:       Access-Request
Identifier: 120
Authentic:  1234567890123456
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        NAS-Port-Type = Async
        User-Password = .255x]2052212197219Sj143221224129
No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code:       Accounting-Request
Identifier: 121
Authentic:
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = 1234
        Acct-Status-Type = Start
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646
Code:       Accounting-Response
Identifier: 121
Authentic:  fe#O#156150S239N24023418223229
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code:       Accounting-Request
Identifier: 122
Authentic:
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = 1234
        Acct-Status-Type = Stop
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 2
        Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646
Code:       Accounting-Response
Identifier: 122
Authentic:  5Y2V137180L2R138vzai248184
Attributes:
OK
-END

Changing AuthByPolicy to ContinueWhileAccept returns this:

-START-
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code:       Access-Request
Identifier: 81
Authentic:  1234567890123456
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        NAS-Port-Type = Async
        User-Password = .255x]2052212197219Sj143221224129
Packet dump:
*** Received from 63.148.117.3 port 1645
Code:       Access-Reject
Identifier: 81
Authentic:  201KV189Ao213235254322zh2394
Attributes:
        Reply-Message = Request Denied
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code:       Accounting-Request
Identifier: 82
Authentic:
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = 1234
        Acct-Status-Type = Start
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646
Code:       Accounting-Response
Identifier: 82
Authentic:  237157221248311235207167t226SVQ227
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code:       Accounting-Request
Identifier: 83
Authentic:
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        NAS-Port-Type = Async
        Acct-Session-Id = 1234
        Acct-Status-Type = Stop
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        Acct-Delay-Time = 0
        Acct-Session-Time = 1000
        Acct-Input-Octets = 2
        Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646
Code:       Accounting-Response
Identifier: 83
Authentic:  4\212g'`25221423246A]136172174
Attributes:
OK
END-

Removing the AuthBy clause for the profile timeofday returns this (with ContinueWhileAccept):

START--
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code:       Access-Request
Identifier: 251
Authentic:  1234567890123456
Attributes:
        User-Name = brandon
        Service-Type = Framed-User
        NAS-IP-Address = 203.63.154.1
        NAS-Port = 1234
        Called-Station-Id = 123456789
        Calling-Station-Id = 987654321
        NAS-Port-Type = Async
        User-Password = .255x]2052212197219Sj143221224129
Packet dump:
*** Received from 63.148.117.3 port 1645
Code:       Access-Reject
Identifier: 251
Authentic:  2I24 1807222164151k21322O15255N
Attributes:
        Reply-Message = Request Denied
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code:       Accounting-Request
Identifier: 252
Authentic:
Re: (RADIATOR) Profiles problems
Hugh,

Note: I don't care that I left my ip address in there or the encrypted password. This is a test server with test data.

Brandon

----- Original Message -----
From: Brandon Lehmann [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 5:43 PM
Subject: Re: (RADIATOR) Profiles problems
Re: (RADIATOR) Cisco NAS doesn't send password to radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request
Hello Sergei

> So, as I understand, cisco didn't send the user password to radius??? What to do? :-(

If you want the Cisco router to send User-Password you'll need to change the configuration in the virtual template to

    ppp authentication pap

and it won't send CHAP anymore, just PAP.

regards
cl.
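The packet dump in Sergei's post carries a CHAP-Password and no User-Password attribute, which is why a check that looks for User-Password in the request compares against an empty string. With CHAP the server must hold the cleartext password and recompute the response itself (RFC 2865 section 2.2). The following is an added example, not code from the thread or from Radiator: a parser for the 81-byte Access-Request dumped above, plus the CHAP check it implies; the `s3cret` password and challenge in the self-test are constructed, and whether `kkk` reproduces the Cisco's response is simply what the script reports.

```python
import hashlib
import hmac
import struct
from typing import Dict, List, Tuple

# The 81-byte Access-Request from the Radiator packet dump in the post
# (Code 1, Identifier 34, Request Authenticator c1 0b b7 a4 ...).
ACCESS_REQUEST_HEX = (
    "01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc 00 ca 95 46 "
    "07 06 00 00 00 01 01 05 71 71 71 03 13 0a 98 b9 72 2d 87 44 c4 7d "
    "e0 e8 d8 e6 ae 1e 44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07 "
    "61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00 fe"
)

# RFC 2865 attribute type numbers (standard values, not taken from the post).
USER_NAME, USER_PASSWORD, CHAP_PASSWORD, CHAP_CHALLENGE = 1, 2, 3, 60
CODE_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject"}


def parse_radius(packet: bytes) -> Tuple[int, int, bytes, List[Tuple[int, bytes]]]:
    """Split a RADIUS packet into (code, identifier, authenticator, [(type, value), ...]),
    rejecting length fields that do not agree with the bytes actually received."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes on the wire")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return code, ident, packet[4:20], attrs


def build_chap_password(ident: int, password: str, challenge: bytes) -> bytes:
    """What a NAS puts in CHAP-Password: Ident || MD5(Ident || password || challenge)."""
    id_byte = bytes([ident])
    return id_byte + hashlib.md5(id_byte + password.encode() + challenge).digest()


def chap_verify(password: str, chap_password: bytes, challenge: bytes) -> bool:
    """Server side of RFC 2865 section 2.2: recompute the response from the stored
    cleartext password and compare it in constant time."""
    if len(chap_password) != 17:          # 1 ident byte + 16-byte MD5 response
        return False
    expected = build_chap_password(chap_password[0], password, challenge)
    return hmac.compare_digest(expected, chap_password)


def check_request(packet: bytes, cleartext_password: str) -> Dict[str, object]:
    """Report which password attributes the NAS sent and, for CHAP, whether the
    stored cleartext password reproduces the response."""
    code, ident, authenticator, attrs = parse_radius(packet)
    by_type: Dict[int, List[bytes]] = {}
    for atype, value in attrs:
        by_type.setdefault(atype, []).append(value)
    result: Dict[str, object] = {
        "code": CODE_NAMES.get(code, code),
        "identifier": ident,
        "user": by_type.get(USER_NAME, [b""])[0].decode(errors="replace"),
        "has_user_password": USER_PASSWORD in by_type,   # PAP; absent in this request
        "has_chap_password": CHAP_PASSWORD in by_type,   # CHAP; what the Cisco sent
        "chap_ident": None,
        "chap_ok": None,
    }
    if CHAP_PASSWORD in by_type:
        chap = by_type[CHAP_PASSWORD][0]
        # The challenge is CHAP-Challenge (60) if present, else the Request Authenticator.
        challenge = by_type.get(CHAP_CHALLENGE, [authenticator])[0]
        result["chap_ident"] = chap[0]
        result["chap_ok"] = chap_verify(cleartext_password, chap, challenge)
    return result


if __name__ == "__main__":
    packet = bytes.fromhex(ACCESS_REQUEST_HEX.replace(" ", ""))
    print(check_request(packet, "kkk"))   # "kkk" is the users-file password from the post
```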
Re: (RADIATOR) Input queue size
Hello Guðbjörn

> this may be unrelated, but I am interested in any and all tuning listmembers have done in the OS for Radiator performance. We are running two radiator servers with one proxy radiator in front and a separate sql machine and ldap machine.

Fine, but what OS do you use? It might be interesting to have a hardware summary too.

[snip]

> Lengthening the udp queues seems to really have adverse effects on this situation. We have not really tried shortening the queue which might really have even more adverse effects, without testing though I can't tell.

I can imagine that lengthening the queue only adds to the effect of the server processing old packets, i.e. packets whose original timer (at the NAS) has already expired. The root problem is the mismatch between the speed of the NAS sending packets and the server processing them. Probably it is worth trying to increase the timeout setting at the NAS, at least to diminish retransmissions (but beware of total authentication time then). A quicker failover to a less loaded secondary might help too.

> To counter this we have configured multiple instances of radiators for authentication/authorization and accounting and instances for separate NAS's or NAS groups. This in effect simulates having a threaded radiator to reduce the effect of this sequential processing.

OK, but are you sure that the bottleneck is at the Radiator level or might it be at the LDAP server? In the latter case it probably won't be of much help anyway.

> This has not seemed to be related to CPU load or network performance, we have looked at these in detail.

No, it's probably more I/O bound (disk, I mean).

> If anyone has input on this issue or OS tuning for Radiator I'd love to hear about it. Hope you understand my attempt to explain the above scenario. Basically we have a pretty stable environment today, but perhaps overly complex to manage because of the multiple instances.

Back to my original question then, I'm struggling to measure the effective length of the input queue in Solaris. Linux's netstat shows it readily, and I remember Tru64 doing the same. But Solaris' netstat lacks this one, apparently. I'll have to continue my quest...

> Hugh, is a threaded ldap handler on the horizon? Is this perl or radiator related?

From my own corner, I wish it were possible to have more than one established connection with the SQL backend, so as to parallelize requests to a certain degree. But yes, I suppose that means multithreading, and AFAIK that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do it?
Re: (RADIATOR) Input queue size
Hello Claudio, Hello Guðbjörn -

Comments below.

On 13/11/2003, at 1:18 PM, Claudio Lapidus wrote:

> Hello Guðbjörn
>
>> this may be unrelated, but I am interested in any and all tuning listmembers have done in the OS for Radiator performance. We are running two radiator servers with one proxy radiator in front and a separate sql machine and ldap machine.
>
> Fine, but what OS do you use? It might be interesting to have a hardware summary too.

Yes, it's useful to know the hardware/software platform and the various versions of Perl, etc.

> [snip]
>
>> Lengthening the udp queues seems to really have adverse effects on this situation. We have not really tried shortening the queue which might really have even more adverse effects, without testing though I can't tell.
>
> I can imagine that lengthening the queue only adds to the effect of the server processing old packets, i.e. packets whose original timer (at the NAS) has already expired. The root problem is the mismatch between the speed of the NAS sending packets and the server processing them. Probably it is worth trying to increase the timeout setting at the NAS, at least to diminish retransmissions (but beware of total authentication time then). A quicker failover to a less loaded secondary might help too.

Claudio is correct, the usual cause of problems of this sort is the backend delay associated with querying the LDAP and/or SQL database. It is very helpful to look at a trace 4 debug with LogMicroseconds turned on (requires Time-HiRes from CPAN). This will show exactly how much time is being spent waiting for the queries to complete. And you are correct in your observation that increasing the queue size can adversely affect performance due to the increased number of retry requests that build up in the queue.

>> To counter this we have configured multiple instances of radiators for authentication/authorization and accounting and instances for separate NAS's or NAS groups. This in effect simulates having a threaded radiator to reduce the effect of this sequential processing.
>
> OK, but are you sure that the bottleneck is at the Radiator level or might it be at the LDAP server? In the latter case it probably won't be of much help anyway.

Correct again. We have observed these problems too, when parallel requests can also slow things down. BTW - this is one of the strong arguments against a multi-threaded server, which may not help at all in some situations. In general it is easier in the first instance to do what you have done with multiple instances and a front end load balancer. Just out of interest the largest Radiator setup we are familiar with is using this architecture, with a load balancer feeding 6 Radiator hosts, each one with an authentication and an accounting instance. The backend is a *very* fast Oracle database server and the overall throughput has been tested to over 1200 radius requests per second.

>> This has not seemed to be related to CPU load or network performance, we have looked at these in detail.
>
> No, it's probably more I/O bound (disk, I mean).

I would agree - again a trace 4 debug with LogMicroseconds will show us exactly what is happening.

>> If anyone has input on this issue or OS tuning for Radiator I'd love to hear about it. Hope you understand my attempt to explain the above scenario. Basically we have a pretty stable environment today, but perhaps overly complex to manage because of the multiple instances.
>
> Back to my original question then, I'm struggling to measure the effective length of the input queue in Solaris. Linux's netstat shows it readily, and I remember Tru64 doing the same. But Solaris' netstat lacks this one, apparently. I'll have to continue my quest...

On this topic, have you checked the Sunfreeware site to see if there are any useful tools in this regard? www.sunfreeware.com

>> Hugh, is a threaded ldap handler on the horizon? Is this perl or radiator related?

This topic comes up from time to time and the fundamental problem at the moment is that Perl itself does not currently have production quality threading support. This being the case, we have not pursued it actively. And note my previous comments about whether or not this would be a good thing in any case.

> From my own corner, I wish it were possible to have more than one established connection with the SQL backend, so as to parallelize requests to a certain degree. But yes, I suppose that means multithreading, and AFAIK that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do it?

As mentioned above, the easiest way to do this currently is with a load balancer (you could use the AuthBy ROUNDROBIN, VOLUMEBALANCE, LOADBALANCE modules) and multiple instances of Radiator. Note that in most cases, at least using one instance for authentication and another for accounting is a good first step. We will continue to monitor the Perl support for multi-threading too, of course.

regards

Hugh

NB: have you included a copy of
Re: (RADIATOR) Profiles problems
Hello Brandon -

Thanks for your mail.

Unfortunately I meant a trace 4 debug from Radiator (not a trace 4 debug from radpwtst).

In any event, I suspect that at the very least the TimeOfDay radius attribute is not defined in your Radiator dictionary.

regards

Hugh

On 13/11/2003, at 9:45 AM, Brandon Lehmann wrote:

Hugh,

Note: I don't care that I left my ip address in there or the encrypted password. This is a test server with test data.

Brandon

- Original Message -
From: Brandon Lehmann [EMAIL PROTECTED]
To: Hugh Irvine [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 5:43 PM
Subject: Re: (RADIATOR) Profiles problems

Hugh,

Trace 4 with the config in my original message shows:

--- START
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code: Access-Request
Identifier: 120
Authentic: 1234567890123456
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = .255x]2052212197219Sj143221224129
No reply
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code: Accounting-Request
Identifier: 121
Authentic:
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Start
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646
Code: Accounting-Response
Identifier: 121
Authentic: fe#O#156150S239N24023418223229
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code: Accounting-Request
Identifier: 122
Authentic:
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Stop
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 2
    Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646
Code: Accounting-Response
Identifier: 122
Authentic: 5Y2V137180L2R138vzai248184
Attributes:
OK
-END

Changing AuthByPolicy to ContinueWhileAccept returns this:

-START-
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code: Access-Request
Identifier: 81
Authentic: 1234567890123456
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    NAS-Port-Type = Async
    User-Password = .255x]2052212197219Sj143221224129
Packet dump:
*** Received from 63.148.117.3 port 1645
Code: Access-Reject
Identifier: 81
Authentic: 201KV189Ao213235254322zh2394
Attributes:
    Reply-Message = Request Denied
Rejected: Request Denied
sending Accounting-Request Start...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code: Accounting-Request
Identifier: 82
Authentic:
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Start
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    Acct-Delay-Time = 0
Packet dump:
*** Received from 63.148.117.3 port 1646
Code: Accounting-Response
Identifier: 82
Authentic: 237157221248311235207167t226SVQ227
Attributes:
OK
sending Accounting-Request Stop...
Packet dump:
*** Sending to 63.148.117.3 port 1646
Code: Accounting-Request
Identifier: 83
Authentic:
Attributes:
    User-Name = brandon
    Service-Type = Framed-User
    NAS-IP-Address = 203.63.154.1
    NAS-Port = 1234
    NAS-Port-Type = Async
    Acct-Session-Id = 1234
    Acct-Status-Type = Stop
    Called-Station-Id = 123456789
    Calling-Station-Id = 987654321
    Acct-Delay-Time = 0
    Acct-Session-Time = 1000
    Acct-Input-Octets = 2
    Acct-Output-Octets = 3
Packet dump:
*** Received from 63.148.117.3 port 1646
Code: Accounting-Response
Identifier: 83
Authentic: 4\212g'`25221423246A]136172174
Attributes:
OK
END-

Removing the AuthBy clause for the profile timeofday returns this (with ContinueWhileAccept):

START--
Reading dictionary file './dictionary'
sending Access-Request...
Packet dump:
*** Sending to 63.148.117.3 port 1645
Code:
RE: (RADIATOR) Input queue size
It's really not that hard. You run a number of Radiator instances, with each one having its own connection to the LDAP, SQL, or whatever backend. Then you front end those with an instance or two of Radiator running AuthBy ROUNDROBIN or AuthBy LOADBALANCE to distribute the requests among them. You can process quite a lot of requests simultaneously this way.

If your current server is not responding fast enough but the CPU utilization is not maxed out, you are probably just hitting the ceiling on how many requests a single instance can process at a time. Start up some more processes on the box and use all those processor cycles that you paid for.

-Frank

-Original Message-
From: Claudio Lapidus [mailto:[EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 9:19 PM
To: Guðbjörn S. Hreinsson; [EMAIL PROTECTED]
Subject: Re: (RADIATOR) Input queue size

..

From my own corner, I wish it were possible to have more than one established connection with the SQL backend, so as to parallelize requests to a certain degree. But yes, I suppose that means multithreading, and AFAIK that's not possible under perl 5.6 nor 5.8 I think. Perhaps Perl 6 would do it?
Re: (RADIATOR) LDAP Connection
Hello Jaskaran -

Can you please send me a trace 4 debug showing what is happening?

thanks

Hugh

On 13/11/2003, at 3:04 AM, jsingh wrote:

Hello Hugh

I understand that Radiator is supposed to drop the connection after it connects and talks to the LDAP Server. But I can see a connection for each of my incoming requests. I changed the configuration file for Radiator to sustain one connection, which is not the ideal situation as far as my project is concerned. I would like to know if I am missing something in my config or if this is a bug in Radiator. I am attaching my config without the secrets. I am using Radiator-3.5 on Solaris 8 with Perl 5.6.1.

Thanks

Foreground
LogStdout
LogDir /var/log/radius3.5.1
DbDir .
Trace 4
PidFile /var/log/radius3.5.1/radiusd.pid
AuthPort 11645
AcctPort 11646
DefineGlobalVar Max 7200
DictionaryFile /usr/local/adm/src/Radiator-3.5/dictionary

# Clients to suit your site.
###
<Client xx.xx.xx.xx>
    Secret xx
    DupInterval 0
</Client>
##
<Client .fdu.edu>
    Secret x
    DupInterval 0
</Client>
##
<Client xxx>
    Secret
    DupInterval 0
</Client>
#
<Client xxx.xx.xx.xxx>
    Secret xxx
    DupInterval 0
</Client>
<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret x
    DupInterval 0
</Client>
<Client xx.xx.xx.xx>
    #Description Cisco AS5300
    Secret
    DupInterval 1
</Client>
<Client DEFAULT>
    Secret
    DupInterval 0
</Client>

<AuthBy LDAP2>
    Identifier CheckLDAP
    Host xxx.fdu.edu
    Port 636
    UseSSL
    SSLCAPath /usr/local/adm/etc/
    BaseDN dc=xxx, dc=xxx
    Scope subtree
    UsernameAttr x
    PasswordAttr userPassword
    ServerChecksPassword
    Timeout 2
    FailureBackoffTime 30
    HoldServerConnection
    #CheckAttr cn
    #AuthAttrDef ipaddress,Framed-IP-Address,reply
    AddToReply Framed-Protocol = PPP,\
        Framed-Routing = None,\
        Framed-MTU = 1500,\
        Framed-Compression = Van-Jacobson-TCP-IP,\
        Service-Type = Framed-User,\
        Idle-Timeout = 300
    Debug 255
</AuthBy>
###
##
<AuthBy SQL>
    Identifier Block-Time-SQL
    DBSource dbi:mysql::localhost
    DBUsername xx
    DBAuth xxx
    DefaultSimultaneousUse 1
    AccountingTable x
    AuthSelect Select Time_Left from RADUSERS where User_Name='%n'
    AuthColumnDef 0, Session-Timeout,reply
    AcctSQLStatement Update RADUSERS set Time_Left=Time_Left -'%{Acct-Session-Time}' \
        where User_Name='%n';
</AuthBy>
###
#
<AuthLog SQL>
    Identifier REQUEST
    DBSource dbi:mysql::localhost
    DBUsername xx
    DBAuth xx
    LogSuccess
    SuccessQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE) values ('%l','%n',1)
    LogFailure
    FailureQuery insert into RADAUTHLOG (TIME_STAMP,USERNAME,TYPE,REASON) values ('%l','%n',0,%1)
</AuthLog>
###
##
<Realm 1.1>
    AuthByPolicy ContinueWhileAccept
    PreAuthHook file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    AuthLog REQUEST
    MaxSessions 1
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    SessionDatabase SQLDB
</Realm>
<Realm 1.1.1>
    AccountingHandled
    AuthByPolicy ContinueWhileAccept
    PreAuthHook file:/usr/local/adm/bin/filename.pl
    AuthBy CheckLDAP
    AuthBy Block-Time-SQL
    PostAuthHook file:/usr/local/adm/bin/filename.pl
    MaxSessions 1
    SessionDatabase SQLDB
    AcctLogFileName /var/radius/Acct
</Realm>
###
<SessionDatabase SQL>
    Identifier SQLDB
    DBSource dbi:mysql:xxx:localhost
    DBUsername x
    DBAuth x
</SessionDatabase>

Jaskaran Singh
University Systems Security
Fairleigh Dickinson University
Teaneck, NJ 07666
Re: (RADIATOR) Cisco NAS doesn't send password to Radiator. Why? DEBUG: Check item user-password expression 'kkk' does not match '' in request
Hello Sergei -

See my other mail, but what is shown below is a NAS configured for CHAP, hence the CHAP-Password in the request.

You should use something like this:

qqq     Password = kkk

or

qqq     User-Password = kkk

which will work for both forms (note that the spelling is important).

See section 13.1.1 in the Radiator 3.7.1 reference manual (doc/ref.html).

regards

Hugh

On 12/11/2003, at 8:45 PM, Sergei Keler wrote:

Hi!

I have a Cisco 2621 (IOS 12.2). When I use the following Radiator config:

users file:

qqq     user-password=kkk, Service-Type = Framed-User
        Framed-Protocol = PPP,
        Framed-IP-Netmask = 255.255.255.0,
        Framed-Routing = None,
        Framed-MTU = 1500

conf file:

<Realm DEFAULT>
    <AuthBy FILE>
        Filename %D/users
        AddToReply Service-Type=Framed-User,Framed-Protocol=PPP
    </AuthBy>
    AcctLogFileName %L/detail
    PasswordLogFileName %L/passwd
</Realm>

I found the following in the log file:

Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Received from 192.168.0.254 port 1645
Packet length = 81
01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc
00 ca 95 46 07 06 00 00 00 01 01 05 71 71 71 03
13 0a 98 b9 72 2d 87 44 c4 7d e0 e8 d8 e6 ae 1e
44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07
61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00
fe
Code: Access-Request
Identifier: 34
Authentic: 19311183164127/214m2411291322520202149F
Attributes:
    Framed-Protocol = PPP
    User-Name = qqq
    CHAP-Password = 10152185r-135D196}22423221623017430D]
    NAS-Port = 33
    NAS-Port-Type = Async
    Calling-Station-Id = async
    Service-Type = Framed-User
    NAS-IP-Address = 192.168.0.254
Wed Nov 12 12:33:01 2003: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Wed Nov 12 12:33:01 2003: DEBUG: Deleting session for qqq, 192.168.0.254, 33
Wed Nov 12 12:33:01 2003: DEBUG: Handling with Radius::AuthFILE:
Wed Nov 12 12:33:01 2003: DEBUG: Reading users file /etc/radiator/users
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE looks for match with qqq
Wed Nov 12 12:33:01 2003: DEBUG: Radius::AuthFILE REJECT: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: INFO: Access rejected for qqq: Check item user-password expression 'kkk' does not match '' in request
Wed Nov 12 12:33:01 2003: DEBUG: Packet dump:
*** Sending to 192.168.0.254 port 1645
Packet length = 36
03 22 00 24 08 fd ac e8 b2 2d 66 6e c5 97 98 f6
96 3d 58 1a 12 10 52 65 71 75 65 73 74 20 44 65
6e 69 65 64
Code: Access-Reject
Identifier: 34
Authentic: 19311183164127/214m2411291322520202149F
Attributes:
    Reply-Message = Request Denied

Cisco's debug:

Nov 12 09:33:00.713: As33 LCP: Lower layer not up, Fast Starting
Nov 12 09:33:00.717: As33 PPP: Treating connection as a dedicated line
Nov 12 09:33:00.717: As33 PPP: Authorization required
Nov 12 09:33:00.717: As33 AAA/AUTHOR/LCP: Authorization succeeds trivially
Nov 12 12:33:00 MSK: %LINK-3-UPDOWN: Interface Async33, changed state to up
Nov 12 09:33:00.969: As33 CHAP: O CHALLENGE id 10 len 27 from gdc-gw
Nov 12 09:33:01.205: As33 CHAP: I RESPONSE id 10 len 24 from qqq
Nov 12 09:33:01.209: AAA/AUTHEN/PPP (DB31): Pick method list 'DIAL-UP'
Nov 12 09:33:01.209: As33 PPP: Sent CHAP LOGIN Request to AAA
Nov 12 09:33:01.209: RADIUS: AAA Unsupported [134] 7
Nov 12 09:33:01.209: RADIUS: 41 73 79 6E 63 [Async]
Nov 12 09:33:01.209: RADIUS(DB31): Storing nasport 33 in rad_db
Nov 12 09:33:01.209: RADIUS/ENCODE(DB31): acct_session_id: 56116
Nov 12 09:33:01.213: RADIUS(DB31): sending
Nov 12 09:33:01.213: RADIUS: Send to unknown id 34 192.168.0.1:1645, Access-Request, len 81
Nov 12 09:33:01.213: RADIUS: authenticator C1 0B B7 A4 7F 2F D6 6D - F1 81 84 FC 00 CA 95 46
Nov 12 09:33:01.213: RADIUS: Framed-Protocol [7] 6 PPP [1]
Nov 12 09:33:01.213: RADIUS: User-Name [1] 5 qqq
Nov 12 09:33:01.213: RADIUS: CHAP-Password [3] 19 *
Nov 12 09:33:01.213: RADIUS: NAS-Port [5] 6 33
Nov 12 09:33:01.213: RADIUS: NAS-Port-Type [61] 6 Async [0]
Nov 12 09:33:01.213: RADIUS: Calling-Station-Id [31] 7 async
Nov 12 09:33:01.217: RADIUS: Service-Type [6] 6 Framed [2]
Nov 12 09:33:01.217: RADIUS: NAS-IP-Address [4] 6 192.168.0.254
Nov 12 09:33:01.225: RADIUS: Received from id 34 192.168.0.1:1645, Access-Reject, len 36
Nov 12 09:33:01.225: RADIUS: authenticator 08 FD AC E8 B2 2D 66 6E - C5 97 98 F6 96 3D 58 1A
Nov 12 09:33:01.229: RADIUS: Reply-Message [18] 16
Nov 12 09:33:01.229: RADIUS: 52 65 71 75 65 73 74 20 44 65 6E 69 65 64 [Request Denied]
Nov 12 09:33:01.229: RADIUS: Received from id DB31
Nov 12 09:33:01.229: As33 PPP: Received LOGIN Response from AAA = FAIL
Nov 12 09:33:01.229: As33 CHAP:
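As an added example (not code from Radiator or from anyone in this thread), the following Python parses the Access-Request bytes hex-dumped in the trace above, shows why a `user-password` check item sees '' when the NAS sends CHAP-Password, and verifies a CHAP response the way RFC 2865 section 5.3 describes. The CHAP verification is demonstrated on a constructed request, since the password the dialling client actually used is not on the page; all function and constant names are my own.

```python
import hashlib
import struct

# Access-Request exactly as hex-dumped in the Radiator trace quoted above
# (Cisco 2621 -> Radiator, identifier 34, length 81 bytes).
PACKET_HEX = (
    "01 22 00 51 c1 0b b7 a4 7f 2f d6 6d f1 81 84 fc 00 ca 95 46"
    " 07 06 00 00 00 01 01 05 71 71 71 03 13 0a 98 b9 72 2d 87 44 c4 7d"
    " e0 e8 d8 e6 ae 1e 44 5d 05 06 00 00 00 21 3d 06 00 00 00 00 1f 07"
    " 61 73 79 6e 63 06 06 00 00 00 02 04 06 c0 a8 00 fe"
)

# Minimal attribute dictionary: only the RFC 2865 types that appear in this thread.
ATTR_NAMES = {
    1: "User-Name", 2: "User-Password", 3: "CHAP-Password", 4: "NAS-IP-Address",
    5: "NAS-Port", 6: "Service-Type", 7: "Framed-Protocol",
    31: "Calling-Station-Id", 60: "CHAP-Challenge", 61: "NAS-Port-Type",
}
INTEGER_ATTRS = {5, 6, 7, 61}


def parse_packet(raw: bytes) -> dict:
    """Split a RADIUS packet (RFC 2865 section 3) into header fields plus a list of
    (name, value) attribute pairs. Inconsistent lengths raise ValueError instead of
    being read past the buffer."""
    if len(raw) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"length field {length} != {len(raw)} bytes received")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = raw[pos], raw[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        payload = raw[pos + 2:pos + alen]
        if atype in INTEGER_ATTRS:
            if len(payload) != 4:
                raise ValueError(f"integer attribute {atype} is not 4 bytes")
            value = struct.unpack("!I", payload)[0]
        elif atype == 4:                     # NAS-IP-Address as dotted quad
            value = ".".join(str(b) for b in payload)
        elif atype in (3, 60):               # CHAP fields are kept as raw bytes
            value = payload
        else:                                # text attributes
            value = payload.decode("latin-1")
        attrs.append((ATTR_NAMES.get(atype, f"Attr-{atype}"), value))
        pos += alen
    return {"code": code, "identifier": ident,
            "authenticator": raw[4:20], "attributes": attrs}


def encode_packet(code: int, ident: int, authenticator: bytes, attrs) -> bytes:
    """Inverse of parse_packet for (type, payload-bytes) pairs; used below to
    build a constructed CHAP request with a known password."""
    body = b"".join(bytes([t, len(v) + 2]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def get_attr(pkt: dict, name: str):
    """First value of the named attribute, or None when the request lacks it."""
    return next((v for n, v in pkt["attributes"] if n == name), None)


def pap_check_matches(pkt: dict, expected: str) -> bool:
    """What a users-file 'user-password' check item compares: the request's
    User-Password. A CHAP request carries none, so the check sees '' and can
    never match, which is the "does not match ''" REJECT in the trace above."""
    return (get_attr(pkt, "User-Password") or "") == expected


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """CHAP-Password payload per RFC 2865 section 5.3:
    CHAP ident || MD5(ident || password || challenge)."""
    digest = hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()
    return bytes([ident]) + digest


def chap_check_matches(pkt: dict, password: str) -> bool:
    """Verify a CHAP request against the cleartext password the server holds.
    The challenge is the CHAP-Challenge attribute if the NAS sent one, otherwise
    the Request Authenticator (a 16-byte challenge, as the Cisco uses above)."""
    chap = get_attr(pkt, "CHAP-Password")
    if chap is None or len(chap) != 17:
        return False
    challenge = get_attr(pkt, "CHAP-Challenge") or pkt["authenticator"]
    return chap_response(chap[0], password, challenge) == chap


if __name__ == "__main__":
    pkt = parse_packet(bytes.fromhex(PACKET_HEX.replace(" ", "")))
    for name, value in pkt["attributes"]:
        print(f"{name} = {value!r}")
    print("user-password check for 'kkk':", pap_check_matches(pkt, "kkk"))
    # True only if the dialling client really used 'kkk'; the page does not say.
    print("CHAP check for 'kkk':", chap_check_matches(pkt, "kkk"))
```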
Re: (RADIATOR) Profiles problems
Hugh,

Sorry. I'm a fool some days. The problem is I don't get a response if I change the sql column to say... SessionLimit and define the session-limit through the profile either. I'll give it another try and check the dictionary. Maybe I'm just going crazy but this will be day 6. I'll let you know if I get it to work.

Brandon

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems
Re: (RADIATOR) Profiles problems
Hugh,

I just took a look around. Changed it to Time, set it correctly in the SQL database, made it a check item. Set to ContinueWhileAccept. Trace 4 reveals that Authentication is Disabled. I'm confused...

Brandon

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems
Re: (RADIATOR) Profiles problems
Hugh,

I have solved my problem... I totally forgot about SQL join statements... I have no clue why I was making this so hard...

From my original config (authbypolicy ContinueAlways) I changed the following in my AuthSelect Column Definitions (and of course removed my second AuthSelect AuthBy grouping)...:

--START--
AuthSelect select ClearTextPassword,ServiceType,SessionLimit,IdleLimit,StaticIP, \
    IPNetmask,FramedRoute,PortLimit,PortLimit,profiles.timeofday,profiles.sessiontimeout \
    from Customers left join profiles on customers.profileid = profiles.profile where \
    CustomerID=%0 and Disable is null
AuthColumnDef 0,Password,check
AuthColumnDef 1,Service-Type,reply
AuthColumnDef 2,Session-Timeout,reply
AuthColumnDef 3,Idle-Timeout,reply
AuthColumnDef 4,Framed-IP-Address,reply
AuthColumnDef 5,Framed-IP-Netmask,reply
AuthColumnDef 6,Framed-Route,reply
AuthColumnDef 7,Port-Limit,reply
AuthColumnDef 8,Simultaneous-Use,check
AuthColumnDef 9,Time,check
AuthColumnDef 10,Session-Timeout,reply
--END---

Assuming that the DEFAULT profile has a blank TimeofDay field and blank SessionTimeout field. The profile I wanted to limit has the following values; Al0730-1530 and until Time respectively.

This now works flawlessly. No more Authentication Disabled messages. I'm sure I'll add a General field somewhere down the line for other attributes such as IP filters but this is enough for the last 6 days.

Thanks for the help,

Brandon Lehmann

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Wednesday, November 12, 2003 11:20 PM
Subject: Re: (RADIATOR) Profiles problems
Re: (RADIATOR) Profiles problems
Hugh,

As a reply to this, though I just sent out my last message to you and the list saying that I fixed it, this was the base hawki.cfg file included with the Radiator distribution. As I'm sure you know, it's in the goodies folder. However, I will keep your message for future reference.

Thanks,

Brandon

- Original Message -
From: Hugh Irvine [EMAIL PROTECTED]
To: Brandon Lehmann [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Thursday, November 13, 2003 1:31 AM
Subject: Re: (RADIATOR) Profiles problems

Hello Brandon -

You have set the AuthByPolicy ContinueWhileAccept, but your first AuthBy clause has AuthSelect to disable authentication.

Why do you have different AuthBy clauses for authentication and accounting?

If you want to keep this structure, you will need to use an AuthBy GROUP and alter the AuthByPolicy inside it:

<Realm DEFAULT>
    .
    # AuthByPolicy to do both accounting and authentication
    AuthByPolicy ContinueAlways
    <AuthBy SQL>
        .
        # disable authentication
        AuthSelect
        # do accounting
        .
    </AuthBy>
    # define AuthBy GROUP
    # use different AuthByPolicy
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy SQL>
            # do authentication
            .
        </AuthBy>
        <AuthBy SQL>
            # check time
            .
        </AuthBy>
    </AuthBy>
</Realm>

regards

Hugh

On 13/11/2003, at 5:03 PM, Brandon Lehmann wrote: