-----Original Message-----
From: Bernhard Conoplia [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, July 10, 2002 7:12 PM
To: Dave Kitabjian
Subject: RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DBHi Dave,Have a try with the IOS command "radius-server attribute nas-port format c". From memory this command is designed to ensure that the NAS-port format in preauth and user authentications match appropriately, ie. the id is the same before and after an Async port has been assigned, so it must be based on the ISDN channel. Our 5400's present a 4 digit NAS-Port-Id, obviously more granular than the 3 digit id. Cisco says that "theoretically" there are still circumstances when duplicates can occur, but we've had no problems with approx 150 NAS's.Probably worth a try - let me know how you go.Regards,Bernhard-----Original Message-----
From: Dave Kitabjian [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 11, 2002 7:25 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Online DBI finally tracked down the reason why our Online DB has been reporting a much lower count of onliners than are actually online.
Look at the attached sequence of two accounting records. tmeyers logs on to NAS 216.118.66.25 and Port 105. Then, 3 minutes later, while he's still online, cheezwhiz logs off of the same NAS and Port, clobbering tmeyers' entry in the online DB.
But how can two people have been on the same port at the same time, you ask? The answer is that when Cisco is (again) lazy, it's easy to happen. If you look at the Cisco-NAS-Port attribute, you'll see that they are really on two distinct ports. Cisco is just taking a portion of the info and plopping it in NAS-Port, even though that means that many people can be on the same NAS-Port at once. Most manufacturers come up with a procedure for encoding all that "Async4/105*Serial7/0:25:3" stuff into some unique, numeric port number and then put that in NAS-Port.
Now, if we were enforcing concurrency limits we'd be even more screwed.
Has anyone else experienced this? How are you dealing with it? Does Radiator have any solutions? I wonder if using the Acct-Session-Id for deletions would be more reliable than matching NAS/Port combos. Comments welcome!
Dave
_____________________________Wed Jul 10 15:23:21 2002: DEBUG: Packet dump:
*** Received from 216.118.66.25 port 1646 ....
Code: Accounting-Request
Identifier: 188
Authentic: <218><232>t<199>j<163><234><138><27><251><221><133>HsX<142>
Attributes:
Acct-Session-Id = "000087C2"
Framed-Protocol = PPP
Connect-Info = "46667/24000 V90/V42bis/LAPM"
cisco-avpair = "connect-progress=Call Up"
Acct-Authentic = RADIUS
Acct-Status-Type = Start
User-Name = "tmeyers"
Acct-Multi-Session-Id = "0000511D"
Acct-Link-Count = "<0><0><0><2>"
Framed-Address = 216.118.88.4
Cisco-NAS-Port = "Async4/105*Serial7/0:25:3"
NAS-Port = 105
NAS-Port-Type = Async
Class = "netcarrier.com"
Service-Type = Framed-User
NAS-IP-Address = 216.118.66.25
Event-Timestamp = 1026329001
Acct-Delay-Time = 0
Wed Jul 10 15:26:16 2002: DEBUG: Packet dump:
*** Received from 216.118.66.25 port 1646 ....
Code: Accounting-Request
Identifier: 239
Authentic: <30>u<226><4><138><177><143><248><254>:<165>d<182><<200>?
Attributes:
Acct-Session-Id = "000084AB"
Framed-Protocol = PPP
cisco-avpair = "connect-progress=Call Up"
Acct-Session-Time = 2897
Connect-Info = "49333/24000 V90/V42bis/LAPM"
Acct-Input-Octets = 349671
Acct-Output-Octets = 2362531
Acct-Input-Packets = 3246
Acct-Output-Packets = 2835
Acct-Terminate-Cause = User-Request
cisco-avpair = "disc-cause-ext=PPP Receive Term"
Acct-Authentic = RADIUS
Acct-Status-Type = Stop
User-Name = "cheezwhiz"
Acct-Multi-Session-Id = "00004F51"
Acct-Link-Count = "<0><0><0><1>"
Framed-Address = 216.118.90.220
Cisco-NAS-Port = "Async3/105*Serial7/0:18:21"
NAS-Port = 105
NAS-Port-Type = Async
Class = "netcarrier.com"
Service-Type = Framed-User
NAS-IP-Address = 216.118.66.25
Event-Timestamp = 1026329176
Acct-Delay-Time = 0
Title: Message
Bernhard and Claudio,
Thanks
so much for the heads up!
That
seems to have fixed it. Since I can't find specs on exactly how format
"c" is encoding info into that port, I don't really know for sure. But the
count of onliners has gone up rapidly as soon as I added that line to our
configs.
The
ports being reported are all in the 7000 and 8000 ranges, for whatever reason.
If anyone has a info about exactly how they encode the slot and
shelf into this value, I'd be interested in checking it out.
Thanks
again to all!
Dave
- (RADIATOR) Cisco, non-unique NAS-Ports, clobbering Onl... Dave Kitabjian
- Re: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Vangelis Kyriakakis
- Re: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Claudio Lapidus
- RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Frank Danielson
- Re: (RADIATOR) Cisco, non-unique NAS-Ports, c... Hugh Irvine
- RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Dave Kitabjian
- RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Dave Kitabjian
- RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Dave Kitabjian
- RE: (RADIATOR) Cisco, non-unique NAS-Ports, clobb... Claudio Lapidus