Hello Brian -
Thanks for letting me know.
regards
Hugh
On Friday, Jun 27, 2003, at 23:12 Australia/Melbourne, Brian Fisk wrote:
Well after fooling around with it, I found that the problem was not an ip
issue, but with accounting. The message I was getting from my RAS was AUTH:
client/server failure which I found usually meant a secret mismatch. I
turned on monitoring for auth and accounting on the ras, and I saw I was
getting the error message in my RAS syslog ever time it sent an accounting
request. I turned off Accounting on my ras and the problem went away and
users could authenticate. So I redid my accounting statements in my
radius.cfg to be a bit more simple and only logg what I need. I also
cleared the mysql accounting table which had around 20k entries in it. It
is a slower machine and maybe from what Matt said, it could have been too
much. But it seams to be holding steady.
Brian
----- Original Message ----- From: "Hugh Irvine" <[EMAIL PROTECTED]> To: "Brian Fisk" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, June 26, 2003 8:07 PM Subject: Re: (RADIATOR) Radiator freezing intermitantly
Hello Brian -
If the machine running Radiator only has a single interface and a
single IP address, then the only reason that the NAS will not receive a
reply and send a retransmission must be due to packets being dropped on
the return path, either because of filters or firewalls or
misconfigured interfaces.
By definition, if Radiator is receiving the request, processing it and sending back a reply, then Radiator is operating correctly.
As mentioned in my previous mail, this sort of problem usually requires
debugging with a packet sniffer to ascertain exactly what is going on.
regards
Hugh
On Thursday, Jun 26, 2003, at 23:27 Australia/Melbourne, Brian Fisk wrote:
Update:
We are running into the same problem on a machine where we are using
the
primary ip address of the system for radiator. A user will dial in
and our
equipment will run the radius request, at which I can see radius
authenticating the user in authlog, but the dialup equip isn't getting
it
cause it tries 5 times to auth (the set value) and tells users their
username and password is invalid. We are using 3com (now utstarcom)
hiperarc running TCS 4.2 and the newest version of radiator.
Attached is
my conf file. I have radius stable on a system now, but when I tried
to
move it to this new system it worked. The problem is intermitent.
# radius.cfg -JJGracia - Jan2003 # #Foreground #LogStdout
# Use a low trace level in production systems. Increase # it to 4 or 5 for debugging, or use the -trace flag to radiusd
PidFile /var/run/radiusd.pid AuthPort 1645 AcctPort 1646 #BindAddress 199.234.153.42,199.234.153.3 #NasType TotalControlSNMP #trace 3
DbDir /etc/radiator DictionaryFile %D/dictionary.usr
LogDir /var/log/radius #LogFile %L/%Y%m.log #Trace 3
<Log FILE> Filename %L/%Y%m.log Trace 3 #LogFormat %0:%1:%2 LogMicroseconds </Log>
<AuthLog FILE> Identifier myauthlogger Filename %L/authlog LogSuccess 1 LogFailure 1 SuccessFormat %l:%U:%P:OK FailureFormat %l:%U:%P:FAIL </AuthLog>
<StatsLog FILE> Identifier mystatslogger Filename %L/statslog # Format %0:%1:%2:%23 </StatsLog>
<Client localhost> Secret tempest DupInterval 0 </Client>
<Client DEFAULT> Secret tempest DupInterval 0 # NasType TotalControl SNMPCommunity private </Client>
<SessionDatabase SQL> DBSource dbi:mysql:radius:localhost DBUsername blue DBAuth green </SessionDatabase>
<ClientListSQL> DBSource dbi:mysql:radius DBUsername blue DBAuth green </ClientListSQL>
<Realm DEFAULT>
RewriteUsername s/^([EMAIL PROTECTED]).*/$1/ RewriteUsername tr/[A-Z]/[a-z]/ RewriteUsername s/\s+//g # RewriteUsername tr/A-Za-z0-9_@//cd # AcctLogFileName %L/detail # WtmpFileName %L/wtmp
<AuthBy SQL>
DBSource dbi:mysql:radius:localhost DBUsername blue DBAuth green
AuthSelect select PASSWORD,CHECKATTR,REPLYATTR from SUBSCRIBERS where USERNAME='%n'
AccountingTable ACCOUNTING
AcctColumnDef USERNAME,User-Name
AcctColumnDef TIME_STAMP,Timestamp,integer
AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
AcctColumnDef
ACCTINPUTOCTETS,Acct-Input-Octets,integer
AcctColumnDef
ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
AcctColumnDef ACCTSESSIONID,Acct-Session-Id
AcctColumnDef
ACCTSESSIONTIME,Acct-Session-Time,integer
AcctColumnDef ACCTTERMINATECAUSE,Acct_Terminate-Cause
AcctColumnDef NASIDENTIFIER,NAS-IP-Address
AcctColumnDef NASIPADDRESS,NAS-Identifier
AcctColumnDef NASPORT,NAS-Port,integer
AcctColumnDef ACCTFRAMEDIP,Framed-IP-Address
AcctColumnDef ACCTFRAMEDNETMASK,Framed-Netmask
AcctColumnDef ACCTCALLERID,Calling-Station-Id
AcctColumnDef ACCTCALLEDID,Called-Station-Id
AcctColumnDef
MODEMTRAININGTIME,Modem-Training-Time,integer
AcctColumnDef
CHASISCALLSLOT,Chassis-Call-Slot,integer
AcctColumnDef
CHASISCALLSPAN,Chassis-Call-Span,integer
AcctColumnDef
CHASISCALLCHAN,Chassis-Call-Channel,integer
AcctColumnDef MODULATIONTYPE,Modulation-Type
AcctColumnDef ERRORCNTL,Error-Control
AcctColumnDef COMPRESSTYPE,Compression-Type
AcctColumnDef INTICONNECTRATE,Initial-Connect-Rate
AcctColumnDef FRAMEDPROTOCOL,Framed-Protocol
AcctColumnDef SPEEDOFCONNECT, Speed-Of-Connection
# AcctFailedLogFileName %D/missedaccounting
</AuthBy>
AuthLog myauthlogger
#StatsLog mystatslogger
</Realm>
----- Original Message ----- From: "Hugh Irvine" <[EMAIL PROTECTED]> To: "Brian Fisk" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Friday, June 20, 2003 7:41 PM Subject: Re: (RADIATOR) Radiator freezing intermitantly
Hello Brian -
On machines with multiple interfaces, this is usually due to the
radius
response being sent back to the client from a different IP address to
that from which the request was received (ie the response was sent via
a different interface).
Using a sniffer to check the packet flow is usually very helpful (snoop, tcpdump, ethereal, ...).
regards
Hugh
On Friday, Jun 20, 2003, at 23:12 Australia/Melbourne, Brian Fisk wrote:
We had more troubles yesterday and the problem that is happening is
when we
have radiator setup to bind on a secondary ip of the machine. When I
took
out the bind address statement, which should make radiator listen on
all
ip's, it still wouldn't work. I had to set our dialup equipment to
use the
base ip of the machine and then it started working. When a user
tried
to
dial up, they would authenticate, as I could see in my authlog, but
the
dialup equipment kept authenticating them for around 3-4 times before
it
hung up on them. The dialup equipment (total control) was giving me
error
messages that according to the total control website, said that the
secret
key was a mismatch. I think it's an ip issue with the machine but we
will
find out more from testing on monday.
Brian Fisk
----- Original Message ----- From: "Hugh Irvine" <[EMAIL PROTECTED]> To: "Brian Fisk" <[EMAIL PROTECTED]> Cc: <[EMAIL PROTECTED]> Sent: Thursday, June 19, 2003 8:03 PM Subject: Re: (RADIATOR) Radiator freezing intermitantly
Hello Brian -
I will need to see a copy of the configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.
There is also a FAQ item regarding Redhat 8 here:
http://www.open.com.au/radiator/faq.html#127
regards
Hugh
On Friday, Jun 20, 2003, at 02:20 Australia/Melbourne, Brian Fisk wrote:
I have been running radiator on the same server for the last 3
years
and it
worked perfect. I am now setting up radiator 3.6 on another server
using
the old config file which was version 2.18.1
I am noticing that radiator will just freeze up for a period of 5 minutes or so. Is there any incompatabilities between the versions for the config file, or can someone suggest a way of logging to diagnose the problem?
I am running Redhat 8.0 Linux server1 2.4.18-24.8.0smp #1 SMP Fri Jan 31 06:03:47 EST 2003 i686 i686 i386 GNU/Linux)
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database
independence.
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
=== Archive at http://www.open.com.au/archives/radiator/ Announcements on [EMAIL PROTECTED] To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
