Re: [RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request
On Fri, 28 Jan 2011, Steve Lalonde wrote:
> On 28 Jan 2011, at 02:30, Michael wrote:
>> I give up. I've searched for hours for a hint at what this CoA /
>> Change-of-Authorization / Change-Filter-Request is. I think it is what
>> i'm looking for. I was kinda hoping something like this would work:
>>
>>   -code Change-Filter-Request User-Name=test cisco-Policy-Down=rate1M
>>
>> or:
>>
>>   -code Change-Filter-Request Acct-Session-Id=0012 cisco-Policy-Down=rate1M
>>
>> My Disconnect-Request process works fine which uses a similar process.
>>
>> Michael
>
> Hi
>
> I had the same problem and eventually got it working using the following
>
>   /usr/local/bin/radpwtst -noauth -noacct -code Change-Filter-Request -secret -s $nas-ip -auth_port 1700 Framed-IP-Address=$ip cisco-avpair=ip:sub-qos-policy-out=$policy
>
> that worked but i had scaling issues, only solved when i moved the
> traffic management to Cisco SCE devices.
>
> --
> Steve Lalonde RTFM Chief Technical Officer
> Entanet International Ltd
> http://www.enta.net/

Thanks for the suggestion. I never thought to try to match by IP alone,
but it didn't seem to work. The router shows the attributes i enter with
radpwtst, it just refuses to match anything.

  COA: x.x.x.x request queued
  ++ CoA Attribute List ++
  86124E38 0 0001 addr(7) 4 x.x.x.x
  857EA738 0 0009 sub-qos-policy-out(348) 6 RATE1M
  COA: No matching entry found
  COA: Added Reply Message: No Matching Session
  COA: Added NACK Error Cause: Session Context Not Found
  COA: Sending NAK from port 1700 to x.x.x.x

There must be more strict limitations/requirements in order to match a
session for CoA? maybe something else has to be used as matching
attributes? I do have the match policy set for ANY for now during
testing:

  aaa server radius dynamic-author
   ...
   auth-type any

This to me is supposed to tell the router to match a session if ANY
attribute at all match. There must be something more that's required that
most people unknowingly adhere to?

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request
I tried this on a production router, getting frustrated!! A little risky
I know. Last time I tried this for Disconnect-Request, a bug matched ALL
SESSIONS and kicked everyone offline. DAMN CISCO

Anyways, the CoA matched the session and appears to have accepted the
CoA. gonna have to test this later to see if the rate limit was applied.
the show aaa user showed the rate limit before i tried it, and now shows
nothing so i'm not sure if it broke the policy, or applied what i wanted
and it just doesn't show me.

Looks like another IOS bug with my test lns. DAMN YOU cisco.

I'm not even a network person. I'm a systems person that has to learn
cisco because it seems the cisco people don't know how to do what I want
to do. But, i don't blame them now that i've started to learn it.

Stick that in your mailing list archive!!! ;)
Re: [RADIATOR] CoA / Change-of-Authorization / Change-Filter-Request
CONFIRMED. i just noticed now, it changed the order of the attributes. I
didn't notice at first. It did apply the new policy. looks like it worked
fine with my production router. must be a bug in my test lns. damn you
cisco. there's hours of my life i'll never get back.

Are we allowed to swear in this mailing list? :D
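
Added example (not part of the original thread, and not Radiator or Cisco code): before a NAS tries to match a session, it has to accept the CoA-Request as coming from a holder of the dynamic-author shared secret. This Python sketch encodes the request described in the thread (Framed-IP-Address plus one cisco-avpair) with the RFC 5176 Request Authenticator, then parses and verifies it the way a receiver would; the secret, address and function names are constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import struct

COA_REQUEST = 43        # RFC 5176 code; Radiator names it Change-Filter-Request
FRAMED_IP_ADDRESS, VENDOR_SPECIFIC = 8, 26
CISCO_VENDOR_ID, CISCO_AVPAIR = 9, 1


def _attr(attr_type, value):
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _authenticator(header, attrs, secret):
    # RFC 5176: MD5 over code, id, length, 16 zero octets, attributes, secret
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def build_coa_request(identifier, secret, framed_ip, avpair):
    vsa = struct.pack("!I", CISCO_VENDOR_ID) + _attr(CISCO_AVPAIR, avpair.encode())
    attrs = _attr(FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    attrs += _attr(VENDOR_SPECIFIC, vsa)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    return header + _authenticator(header, attrs, secret) + attrs


def parse_coa_request(packet, secret):
    """Return (authenticator_ok, attrs) as a receiving NAS would evaluate them."""
    if len(packet) < 20:
        raise ValueError("short packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if code != COA_REQUEST or length != len(packet):
        raise ValueError("not a well-formed CoA-Request")
    raw = packet[20:]
    ok = hmac.compare_digest(_authenticator(packet[:4], raw, secret), packet[4:20])
    attrs, pos = {}, 0
    while pos < len(raw):
        if pos + 2 > len(raw) or raw[pos + 1] < 2 or pos + raw[pos + 1] > len(raw):
            raise ValueError("malformed attribute")
        a_type, value = raw[pos], raw[pos + 2:pos + raw[pos + 1]]
        if a_type == FRAMED_IP_ADDRESS and len(value) == 4:
            attrs["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif a_type == VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            attrs["cisco-avpair"] = value[6:].decode()
        pos += raw[pos + 1]
    return ok, attrs


# Constructed sample values (documentation address range, made-up secret)
SAMPLE_SECRET = b"constructed-secret"
SAMPLE_PACKET = build_coa_request(7, SAMPLE_SECRET, "192.0.2.10",
                                  "ip:sub-qos-policy-out=RATE1M")
```

A request whose authenticator does not verify should be dropped before any session lookup; only a verified request reaches the matching step that produced "Session Context Not Found" above.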
Re: [RADIATOR] Radiator version
On Fri, 28 Jan 2011, Leon Li wrote:
> Sorry for a dumb question, How do I check the version of Radiator on a
> Windows server 2003?

How would you do it on a UNIX system?

Lots of possibilities:

1) check your log files from the last restart. It might be in there.
2) open command (adjust paths) and try:
   perl -e 'use Radius::Util; printf "You are running Radiator %s\n", $main::VERSION;'
3) Locate Radius\Util.pm and open it in any text editor and search for
   VERSION.
4) ..
5) ..
6) ..

--
Bjoern A. Zeeb You have to have visions!
ks Going to jail sucks -- bz All my daemons like it!
http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails.html
Re: [RADIATOR] Accounting process dying
Hi Jim,

On Fri, 28 Jan 2011, Jim wrote:
> snipp/
> Thanks that was very useful. I have done some more debugging and it's
> apparent that whenever the process dies the last thing it was doing was
> a SQL update to a MS-SQL server. Doing some digging and it looks like we
> are connecting to MS-SQL via Freetds.
>
> Radiator connection:
>
>   Identifier MSSQL-SessionDB
>   DBSource   dbi:Sybase:MSDBServerX
>   DBUsername dbuser
>   DBAuth     dbpassword
>   Timeout    5
>
> /usr/local/freetds/etc/freetds.conf:
>
>   [MSDBServerX]
>   host = x.x.x.x
>   port = 1433
>   tds version = 7.0
>
> I think the FreeTDS version we have may be too recent as it's newer than
> the FAQ recommends - although the FAQ says As of September 2003...
>
> What is the best way, if there is one, to connect to a Windows MS-SQL
> 2008 server?

I have no idea how well maintained FreeTDS is these days. Last time I saw
it 10 years ago it had lots of issues. I also do not know if they have
kept up with MS-SQL and its development.

As an alternative you might want to try DBD::Proxy together with
DBD::ODBC on your Windows Server.

Greetings
Christian

--
Christian Kratzer                   CK Software GmbH
Email:   c...@cksoft.de             Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0       D-71126 Gaeufelden
Fax:     +49 7032 893 997 - 9       HRB 245288, Amtsgericht Stuttgart
Web:     http://www.cksoft.de/      Managing Director: Christian Kratzer