On Mon, 3 Jul 2000, Hugh Irvine wrote:
> Radiator should only try to directly query the NAS if you are enforcing strict
> simultaneous use with a NasType set for your Client clauses. If you don't have
> a NasType set, it won't be queried.
The funny part here is it's querying NASes that _aren't_ in my client
list. It's querying a NAS to which one of my users is logged in, but that
NAS is talking to a RADIUS server one or more "proxy hops" away.
> And when you mention stuck sessions, are these really stuck on the NAS, or are
> they simply remnants in the session database?
They're not stuck on the NASes, just in my session database. It primarily
seems to be happening to users who come in to the numbers where the
authentication goes through another RADIUS server that's proxying from
me. I see very few happening on my numbers.
> It would be useful to see a copy of your configuration file (no secrets)
> together with an example trace 4 debug showing what is happening.
I'll have to catch the trace sometime today, but I've started by attaching
my radius.cfg. Beware, it's big and hairy, mostly owing to having to sort
out classes of service based only on packet contents (such as
distinguishing Merit calls from everything else by looking for a
Huntgroup-Name attribute). The MARVIN stuff is a custom auth module that
talks to our proprietary MySQL billing and provisioning system. It
shouldn't be causing any problems since it's only doing authentications
and not logging or session management.
> BTW - the latest version of Radiator is 2.16.1.
Yep I noticed that after I sent my letter...I've been neglecting to keep
up with the list for the past three or four months. I'll have to install a
test copy around here and validate the MARVIN module with it so I can
deploy it.
--
Senior Systems Engineer | "Where are we going, and what am I doing in
BigNet, Inc. | this handbasket?"
Phone: 248-771-1261 | - Paraphrased from various people's .sigs
Fax: 248-771-1269 |
LogDir /var/log/radius
DbDir /usr/local/etc/raddb
Trace 3
# We'll use the official IANA assignments
AuthPort 1812
AcctPort 1813
# Skip S23 on Portmasters since it's the D channel on PRIs.
LivingstonOffs 22
LivingstonHole 1
# Default local client
<Client localhost>
Secret xxxxxxx
DupInterval 0
DefaultRealm mich.com
</Client>
# Pull the rest of the client list from the SQL server
<ClientListSQL>
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
GetClientQuery SELECT HIGH_PRIORITY \
NASIdentifier,SharedSecret,NULL,NULL,DefaultRealm,NASType, \
SNMPCommunity, NULL,NULL,NULL,NULL,NULL \
FROM RadiatorClients
</ClientListSQL>
# Keep the session list in the SQL server
<SessionDatabase SQL>
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
AddQuery INSERT INTO RadiatorSessions \
(UserName, NASIdentifier, NASPort, AcctSessionID, When, FramedIPAddress, \
PortType, ServiceType) \
VALUES \
('%n', '%N', '%{NAS-Port}', '%{Acct-Session-Id}', %{Timestamp}, \
'%{Framed-IP-Address}', '%{NAS-Port-Type}', '%{Service-Type}')
DeleteQuery DELETE FROM RadiatorSessions \
WHERE UserName = '%n' AND NASIdentifier = '%N' AND NASPort = '%{NAS-Port}'
ClearNasQuery DELETE FROM RadiatorSessions WHERE NASIdentifier = '%N'
CountQuery SELECT HIGH_PRIORITY \
NASIdentifier,NASPort,AcctSessionID \
FROM RadiatorSessions WHERE UserName = '%n'
</SessionDatabase>
# Authentication definition for BigNet Standard service
<AuthBy MARVIN>
Identifier BigNetStandard
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
ServiceCode 0
</AuthBy>
# Authentication definition for BigNet Toll-Free Service.
<AuthBy MARVIN>
Identifier BigNetTollFree
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
ServiceCode 1
</AuthBy>
# Authentication definition for Merit Standard Service
<AuthBy MARVIN>
Identifier MeritStandard
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
ServiceCode 100
</AuthBy>
# Authentication definition for Merit Global Service
<AuthBy MARVIN>
Identifier MeritGlobalService
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
ServiceCode 102
</AuthBy>
# Authentication definition for logging to the SQL database
<AuthBy SQL>
Identifier LogToSQL
DBSource DBI:mysql:xxxx:xxxxx.xx.xx
DBUsername xxxx
DBAuth xxxx
# Empty AuthSelect: this AuthBy does no authentication of its own and only
# writes accounting; the ContinueUntilAccept groups below move on to the
# real AuthBy after it.
AuthSelect
AccountingTable RadiatorDaily
AcctColumnDef UserName, User-Name
AcctColumnDef When, Timestamp, integer
AcctColumnDef AcctStatusType, Acct-Status-Type, integer
AcctColumnDef AcctDelayTime, Acct-Delay-Time, integer
AcctColumnDef AcctInputOctets, Acct-Input-Octets, integer
AcctColumnDef AcctOutputOctets, Acct-Output-Octets, integer
AcctColumnDef AcctSessionID, Acct-Session-Id
AcctColumnDef AcctSessionTime, Acct-Session-Time, integer
AcctColumnDef AcctTerminateCause, Acct-Terminate-Cause, integer
AcctColumnDef NASIPAddress, NAS-IP-Address
AcctColumnDef NASPort, NAS-Port, integer
AcctColumnDef PortType, Port-Type, integer
AcctColumnDef ServiceType, Service-Type, integer
AcctColumnDef FramedProtocol, Framed-Protocol, integer
AcctColumnDef FramedIPAddress, Framed-IP-Address
AcctColumnDef AscendDataRate, Ascend-Data-Rate, integer
AcctColumnDef ConnectInfo, Connect-Info
AcctColumnDef Huntgroup, Huntgroup-Name
AcctColumnDef Ownership, Ownership, integer
AcctColumnDef CallingStationID, Calling-Station-Id
AcctColumnDef CalledStationID, Called-Station-Id
</AuthBy>
# Island Connection
<AuthBy RADIUS>
Identifier IslandConnection
Host 1.1.1.1
Secret xxxxxxx
AuthPort 1645
AcctPort 1646
</AuthBy>
# Legacy authentication definitions
<AuthBy RADIUS>
Identifier OldNorthLink
Host xxxxxxx.xxx.xx
Secret xxxxxxx
AuthPort 1812
AcctPort 1813
</AuthBy>
# Authentication for the MichTel toll-free numbers. These show up
# as called to a specific Called-Station-Id.
<Handler Called-Station-Id = 7711112, Realm = northlink.net>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetTollFree
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Called-Station-Id = 7711112, Realm = benzie.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetTollFree
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Called-Station-Id = 7711112, Realm = straitsarea.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetTollFree
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Called-Station-Id = 7711112, Realm = galsys.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetTollFree
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Called-Station-Id = 7711112>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetTollFree
</AuthBy>
</Handler>
# Authentication for the Merit Global Service numbers. These show up
# with a specific huntgroup name.
<Handler Huntgroup-Name = merit-global-service, Realm = northlink.net>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritGlobalService
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = merit-global-service, Realm = benzie.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritGlobalService
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = merit-global-service, Realm = straitsarea.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritGlobalService
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = merit-global-service, Realm = galsys.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritGlobalService
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = merit-global-service>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritGlobalService
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route,Token
</AuthBy>
</Handler>
# Authentication for BigNet Standard Service. We differentiate this from
# Merit Standard service by the lack of a huntgroup name.
<Handler Huntgroup-Name = , Realm = islandconnection.net>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy IslandConnection
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = , Realm = northlink.net>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = , Realm = benzie.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = , Realm = straitsarea.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = , Realm = galsys.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Huntgroup-Name = >
PostAuthHook file:"%D/tracking.pl"
PasswordLogFileName %L/password.log
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy BigNetStandard
</AuthBy>
</Handler>
# Finally, here is the authentication for Merit Standard Service.
# It should be matched only if the huntgroup name is present,
# and it isn't the MGS huntgroup, and the called station ID isn't
# the toll-free number.
<Handler Realm = northlink.net>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Realm = benzie.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Realm = straitsarea.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler Realm = galsys.com>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy OldNorthLink
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
<Handler>
PostAuthHook file:"%D/tracking.pl"
<AuthBy GROUP>
AuthByPolicy ContinueUntilAccept
AuthBy LogToSQL
AuthBy MeritStandard
StripFromReply Framed-IP-Address,Framed-IP-Netmask,Framed-Route
</AuthBy>
</Handler>
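An added example, not from this mail or from the Radiator distribution: a small reconciliation script for the SQL session database in the config above. It mirrors the RadiatorSessions and RadiatorClients tables in SQLite with constructed rows and flags session rows whose NAS is absent from the client list (the proxied case, where there is no Client clause Radiator could query) and whose start time is older than an assumed maximum session length, so they can be purged instead of counting against a user's simultaneous-use limit forever.

```python
import sqlite3

# Assumption: no dial-up session plausibly outlives a day; tune for your POPs.
MAX_SESSION_SECS = 24 * 3600

# Shared tail for the SELECT and DELETE below: rows whose NAS is not in the SQL
# client list (Radiator cannot ask that NAS) and that started before the cutoff.
ORPHAN_WHERE = """FROM RadiatorSessions
    WHERE "When" < ?
      AND NOT EXISTS (SELECT 1 FROM RadiatorClients
                      WHERE RadiatorClients.NASIdentifier
                          = RadiatorSessions.NASIdentifier)"""

def build_db(now):
    """In-memory SQLite mirror of the two tables, with constructed rows."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE RadiatorClients (NASIdentifier TEXT, SharedSecret TEXT,
            DefaultRealm TEXT, NASType TEXT, SNMPCommunity TEXT);
        CREATE TABLE RadiatorSessions (UserName TEXT, NASIdentifier TEXT,
            NASPort INTEGER, AcctSessionID TEXT, "When" INTEGER,
            FramedIPAddress TEXT, PortType INTEGER, ServiceType INTEGER);""")
    db.execute("INSERT INTO RadiatorClients VALUES (?,?,?,?,?)",
               ("192.0.2.10", "xxxx", "mich.com", "Portmaster", "public"))
    db.executemany("INSERT INTO RadiatorSessions VALUES (?,?,?,?,?,?,?,?)", [
        # live session on a NAS in the client list: keep
        ("alice", "192.0.2.10", 3, "0000A1", now - 600, "10.0.0.3", 0, 2),
        # old, but on our own NAS: Radiator can check the NAS itself, keep
        ("bob", "192.0.2.10", 4, "0000A2", now - 2 * 86400, "10.0.0.4", 0, 2),
        # old session on a NAS behind a proxy hop: nothing will ever clear it
        ("carol@galsys.com", "198.51.100.7", 9, "77B3", now - 3 * 86400,
         "10.0.1.9", 0, 2),
        # fresh proxied session: the user may well still be on, keep
        ("dave@benzie.com", "198.51.100.7", 10, "77B4", now - 300,
         "10.0.1.10", 0, 2),
    ])
    return db

def find_orphans(db, now, max_age=MAX_SESSION_SECS):
    """Return (UserName, NASIdentifier, NASPort, AcctSessionID) for stale
    rows that the simultaneous-use count would otherwise keep including."""
    sql = "SELECT UserName, NASIdentifier, NASPort, AcctSessionID " + ORPHAN_WHERE
    return db.execute(sql, (now - max_age,)).fetchall()

def purge_orphans(db, now, max_age=MAX_SESSION_SECS):
    """Delete the same rows; returns the number removed."""
    cur = db.execute("DELETE " + ORPHAN_WHERE, (now - max_age,))
    db.commit()
    return cur.rowcount
```

Run against the real session database, the two queries would take a DBI handle on the same DBSource as the SessionDatabase clause instead of the SQLite mirror.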