Hi,

Found a problem. We got a configuration with 3 AuthBy Radius. 2 are going
to the internal network and 1 is going to the internet.

Here is my configuration:

AuthPort 1645
AcctPort 1646
BindAddress 212.123.129.70
LogDir /var/log/radiusd
DbDir /usr/local/etc/raddb
LogFile %L/%d%m%Y-proxy-vtel.log
PidFile /var/run/proxy.pid
DictionaryFile %D/dictionary
RewriteUsername tr/[A-Z]/[a-z]/
Trace 3

<Client 212.123.129.68>
        Secret free4all
</Client>

<Client 212.48.47.15>
        Secret verwish
        IdenticalClients 212.48.47.130 212.48.47.131 212.48.47.132 212.48.47.135

PreHandlerHook sub { \
  my $calledid = ${$_[0]}->get_attr('Calling-Station-Id');\
  if (${calledid} =~ /0302413197/) {\
     ${$_[0]}->add_attr('backbone','baduser'); return;\
}\
}
</Client>

<AuthBy FILE>
 Identifier reject
 Filename %D/reject-users
</AuthBy>

<AuthBy RADIUS>
 Identifier radius
 Host           10.1.0.18
 AuthPort       1645
 AcctPort
 Secret         <secret>
 LocalAddress   10.1.0.12
 NoForwardAccounting
</AuthBy>

<AuthBy RADIUS>
 Identifier accounting
 Host           10.1.0.19
 AuthPort
 AcctPort       1646
 Secret         <secret>
 LocalAddress   10.1.0.12
 NoForwardAuthentication
</AuthBy>

<AuthBy RADIUS>
 Identifier other
 Host           212.123.129.38
 AuthPort
 AcctPort       1299
 Secret         <secret>
 LocalAddress   212.123.129.70
 NoForwardAuthentication
 Retries 1
</AuthBy>

<AuthBy RADIUS>
 Identifier details
 Host           10.1.0.11
 AuthPort
 AcctPort       1646
 Secret         <secret>
 LocalAddress   10.1.0.12
 NoForwardAuthentication
</AuthBy>
  
<Handler backbone="baduser">
AuthBy reject
</Handler>
  
<Handler User-Name = /[^a-zA-Z0-9_-]/>
 AuthBy reject
</Handler>
  
<Handler>
 AuthByPolicy ContinueWhileIgnore
 AuthBy radius
 AuthBy accounting
 AuthBy other
</Handler>

** END **

Ok, so you can see I'm sending the information to radius then to accounting
after that to other.

If I'm starting Radiator I'll receive on 212.123.129.38 this kind of packages:

fw01# tcpdump host 10.1.0.12
tcpdump: listening on fxp0
21:07:08.616258 10.1.0.12.4218 > 212.123.129.38.1299:  udp 108
21:07:09.995647 10.1.0.12.4218 > 212.123.129.38.1299:  udp 171
21:07:11.295933 10.1.0.12.4218 > 212.123.129.38.1299:  udp 162
21:07:13.502698 10.1.0.12.4218 > 212.123.129.38.1299:  udp 111
21:07:13.505383 10.1.0.12.4218 > 212.123.129.38.1299:  udp 108
21:07:14.116588 10.1.0.12.4218 > 212.123.129.38.1299:  udp 109
21:07:14.646102 10.1.0.12.4218 > 212.123.129.38.1299:  udp 171
21:07:14.932085 10.1.0.12.4218 > 212.123.129.38.1299:  udp 109

If I'm changing it in our configuration that the information goes first to other
then to radius and then to accounting, I'll get information on my 'AuthBy
radius' server:

Thu Aug 24 18:47:59 2000: DEBUG: Packet dump:
*** Sending to 10.1.0.12 port 4199 ....
Code:       Access-Accept
Identifier: 183
Authentic:  1<194><159><229><21><14><190><178>>B<191><228>R<183>|b
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 1500
        Port-Limit = 2
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Client-Primary-DNS = 212.123.129.79
        Ascend-Client-Secondary-DNS = 212.123.128.16

Thu Aug 24 18:48:04 2000: DEBUG: Packet dump:
*** Received from 212.123.129.70 port 4210 ....
Code:       Access-Request
Identifier: 1
Authentic:  >H7<192>a<252>C`Z<212><1><187>`<20>BV
Attributes:
        User-Password = "<230><173><244>p<201>A<173><205><189><180>iL<231><3><25>0"
        User-Name = "jcstraver"
        NAS-Identifier = "cvx_rot_03"
        Called-Station-Id = "183750045"
        Calling-Station-Id = "184685227"
        NAS-Port = 16385
        NAS-Port-Type = Async
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Nortel = " $Id: Aptis.vinfo  ImageName=fepmd  Version=2.0.3p12
BuildNumber=1892  BuildDate=01/18/2000
  BuildTime=16:32:43  Machine=BUILD02  User=Build  TargetBoard=scc
TargetProcessor=PPC603  Branch=p202  Exp $
"

Thu Aug 24 18:48:04 2000: DEBUG: Check if Handler  should be used to handle this request
Thu Aug 24 18:48:04 2000: DEBUG: Handling request with Handler ''
Thu Aug 24 18:48:04 2000: DEBUG:  Deleting session for jcstraver, 212.123.129.70, 16385
Thu Aug 24 18:48:04 2000: DEBUG: Handling with Radius::AuthLDAP2
Thu Aug 24 18:48:04 2000: DEBUG: LDAP got result for cn=jcstraver, o=Wish, c=NL
Thu Aug 24 18:48:04 2000: DEBUG: LDAP got userpassword: <secret>
Thu Aug 24 18:48:04 2000: DEBUG: Radius::AuthLDAP2 looks for match with jcstraver
Thu Aug 24 18:48:04 2000: DEBUG: Radius::AuthLDAP2 ACCEPT:
Thu Aug 24 18:48:04 2000: DEBUG: Access accepted for jcstraver
Thu Aug 24 18:48:04 2000: DEBUG: Packet dump:
*** Sending to 212.123.129.70 port 4210 ....
Code:       Access-Accept
Identifier: 1
Authentic:  >H7<192>a<252>C`Z<212><1><187>`<20>BV
Attributes:
        Service-Type = Framed-User
        Framed-Protocol = PPP
        Framed-IP-Address = 255.255.255.254
        Framed-MTU = 1500
        Port-Limit = 2
        Framed-Compression = Van-Jacobson-TCP-IP
        Ascend-Client-Primary-DNS = 212.123.129.79
        Ascend-Client-Secondary-DNS = 212.123.128.16

Thu Aug 24 18:48:04 2000: ERR: sendTo: send failed: No route to host

** END **

What you can see above is that normally I'll receive packages from 10.1.0.12 but
if I restart the radius proxy, then I'll receive auth. packages from
212.123.129.70!!!

Is this a known problem or is this a new problem?

-- 
Regards,

 Robin Gruyters - [EMAIL PROTECTED] - WISH BV - nic-hdl: RG3771-RIPE
 http://www.wish.nl - tel: +31(0)413242500 - fax. +31(0)208762628
 PGP key ID DEB8C991 - Head Engineering / Web Designer / B.O.F.H.
 BOFH excuse: Boss' kid fucked up the machine
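
The mismatch reported above can be checked mechanically by comparing each AuthBy RADIUS block's LocalAddress with the source address actually seen on the wire. The script below is an added example, not part of the original post and not Radiator code; the function names are hypothetical, the config excerpt reuses the Host/LocalAddress pairs from the posted configuration, and the last capture line is constructed.

```python
import re
from collections import Counter

# Excerpt reusing Host/LocalAddress values from the configuration in the post.
CONFIG = """
<AuthBy RADIUS>
 Identifier radius
 Host           10.1.0.18
 LocalAddress   10.1.0.12
</AuthBy>
<AuthBy RADIUS>
 Identifier other
 Host           212.123.129.38
 LocalAddress   212.123.129.70
</AuthBy>
"""

# First two lines are from the tcpdump in the post; the third is constructed.
CAPTURE = """
21:07:08.616258 10.1.0.12.4218 > 212.123.129.38.1299:  udp 108
21:07:09.995647 10.1.0.12.4218 > 212.123.129.38.1299:  udp 171
21:07:10.000000 10.1.0.12.4219 > 10.1.0.18.1645:  udp 120
"""

BLOCK = re.compile(r"<AuthBy\s+RADIUS>(.*?)</AuthBy>", re.S | re.I)
IP = r"(\d+(?:\.\d+){3})"
FLOW = re.compile(rf"^\S+\s+{IP}\.(\d+)\s+>\s+{IP}\.(\d+):", re.M)

def expected_sources(config):
    """Map each upstream Host to the LocalAddress its AuthBy RADIUS block sets."""
    out = {}
    for body in BLOCK.findall(config):
        # Keywords without a value (e.g. a bare AuthPort) simply do not match.
        kv = dict(re.findall(r"^[ \t]*(\w+)[ \t]+(\S+)", body, re.M))
        if "Host" in kv and "LocalAddress" in kv:
            out[kv["Host"]] = kv["LocalAddress"]
    return out

def source_mismatches(config, capture):
    """Count packets whose source differs from the configured LocalAddress."""
    want = expected_sources(config)
    bad = Counter()
    for src, _sport, dst, _dport in FLOW.findall(capture):
        if dst in want and src != want[dst]:
            bad[(dst, want[dst], src)] += 1
    return dict(bad)

if __name__ == "__main__":
    for (dst, want, got), n in source_mismatches(CONFIG, CAPTURE).items():
        print(f"{n} packets to {dst} left from {got}, config says {want}")
```

Traffic leaving from an unintended source address matters beyond routing errors: the upstream server selects its Client clause and shared secret by source address, and an internal address can leak toward the internet-facing peer.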

===
Archive at http://www.starport.net/~radiator/