RE: (RADIATOR) hostslect FAILUREPOLICY bug!
Yeah, this is a similar effect to the one I have seen as well. For instance, it was falling back to the default defined AuthBy RADIUS within SQL RADIUS, after NumHosts was reached, instead of adhering to the selected Failure Policy. If there was not one defined, it simply ignored. This is what made me nervous about just letting NumHosts be static.

Oh, the other reason my NumHostSelect query was so important, what about when there aren't as many authentication servers as there are accounting servers?

This is the extract from AuthSQLRADIUS that speaks of failurepolicy:

    #
    # Called when no reply is received from any of the attempted
    # hosts.
    # Look at the failure policy we recorded from the database
    # and maybe implement it
    sub noreply
    {
        my ($self, $fp, $p) = @_;

        # Call the NoReply hook if there is one, you could adjust the pending reply here
        $self->SUPER::noreply($fp, $p, $p->{rp});

        if (defined $fp->{failurePolicy})
        {
            # The database told us how to deal with failure
            $self->adjustReply($p);
            $p->{Handler}->handlerResult
                ($p, $fp->{failurePolicy}, 'SQLRADIUS Proxy failed');
        }
        return;
    }

However, in adjustReply there is no mention of FailurePolicy. I couldn't find anything in handlerResult either.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of Mohamed Majdoubi
Sent: Wednesday, September 11, 2002 10:53 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) hostslect FAILUREPOLICY bug!

Hi

I am trying to use FAILUREPOLICY field in the hostselect statement. The value FAILUREPOLICY is set to 1 (see the database output), this should result in a reject to NAS if the host radius does not respond. Unfortunately this is not happening, the NAS gets still no answer from the proxy radius. I can conclude that the proxy radius does use the failure policy to send a reject instead of an ignore.
Below you can find configuration and the output.

With kind regards

Mohamed Majdoubi
KPN Telecom

# radius setup #

    NAS - proxy - radius

# Configuration #

    <AuthBy SQLRADIUS>
        Identifier ProxyToOffice
        FailureBackoffTime 60
        DBSource dbi:mysql:ProxyDB
        DBUsername root
        DBAuth
        HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from \
            RADSQLRADIUS where TARGETNAME='%R'
        StripFromRequest Cisco-NAS-Port, \
            NAS-Port, \
            NAS-Port-Type, \
            NAS-IP-Address, \
            Called-Station-Id, \
            Calling-Station-Id
        AddToRequest Service-Class = %{Reply:Service-Class}
        AllowInReply Service-Type, \
            Framed-Protocol, \
            Framed-IP-Netmask, \
            Framed-IP-Address, \
            Ascend-Client-Primary-DNS, \
            Ascend-Client-Secondary-DNS, \
            Loopback-Tag, \
            Release-Name, \
            VRF-Tag
        ReplyHook file:%D/reply.pl
    </AuthBy>

# Database output #

    mysql> select HOST1, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='office1';
    +-----------+--------+----------+----------+---------+--------------+---------------+
    | HOST1     | SECRET | AUTHPORT | ACCTPORT | RETRIES | RETRYTIMEOUT | FAILUREPOLICY |
    +-----------+--------+----------+----------+---------+--------------+---------------+
    | 127.0.0.1 | kpn    |     1812 |     1813 |       2 |            5 |             1 |
    +-----------+--------+----------+----------+---------+--------------+---------------+
    1 row in set (0.00 sec)

# Debug #

    Code:       Access-Request
    Identifier: 2
    Authentic:  1234567890123456
    Attributes:
        User-Name = mohamed@office1
        Service-Type = Framed-User
        User-Password = 166186H1By%222155151153171216!U133
        Service-Class = office2-1.1.1.1-

    Wed Sep 11 11:03:22 2002: DEBUG: Timed out, retransmitting
    Wed Sep 11 11:03:22 2002: DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 1812
    Packet length = 83
    01 02 00 53 31 32 33 34 35 36 37 38 39 30 31 32
    33 34 35 36 01 11 6d 6f 68 61 6d 65 64 40 6f 66
    66 69 63 65 31 06 06 00 00 00 02
Re: (RADIATOR) hostslect FAILUREPOLICY bug!
Hello Mohamed -

Thanks for sending the debug information.

The following is taken from the source code in the file "Radius/AuthSQLRADIUS.pm".

The default HostSelect query is this:

    $self->{HostSelect} = 'select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, USEOLDASCENDPASSWORDS, SERVERHASBROKENPORTNUMBERS, SERVERHASBROKENADDRESSES, IGNOREREPLYSIGNATURE, FAILUREPOLICY from RADSQLRADIUS where TARGETNAME=\'%R\'';

Which is processed with this code:

    $fp->{failurePolicy} = $row[10] if defined $row[10];
    $host = Radius::Host->new
        (undef, $row[0],
         defined $row[1] ? (Secret => $row[1]) : (),
         defined $row[2] ? (AuthPort => $row[2]) : (),
         defined $row[3] ? (AcctPort => $row[3]) : (),
         defined $row[4] ? (Retries => $row[4]) : (),
         defined $row[5] ? (RetryTimeout => $row[5]) : (),
         defined $row[6] ? (UseOldAscendPasswords => $row[6]) : (),
         defined $row[7] ? (ServerHasBrokenPortNumbers => $row[7]) : (),
         defined $row[8] ? (ServerHasBrokenAddresses => $row[8]) : (),
         defined $row[9] ? (IgnoreReplySignature => $row[9]) : (),
         );

In other words, the FailurePolicy is expected to be the 11th element of the row returned by the query.

To fix your problem the simplest thing to do is use NULLs for the elements you are not using in the query:

    HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, NULL, NULL, NULL, NULL, \
        FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='%R'

Otherwise, you could use HostColumnDefs as described in section 6.45.3 in the Radiator 3.3.1 reference manual ("doc/ref.html").

regards

Hugh

On Wednesday, September 11, 2002, at 10:52 PM, Mohamed Majdoubi wrote:

Hi

I am trying to use FAILUREPOLICY field in the hostselect statement. The value FAILUREPOLICY is set to 1 (see the database output), this should result in a reject to NAS if the host radius does not respond. Unfortunately this is not happening, the NAS gets still no answer from the proxy radius.
I can conclude that the proxy radius does use the failure policy to send a reject instead of an ignore.

Below you can find configuration and the output.

With kind regards

Mohamed Majdoubi
KPN Telecom

# radius setup #

    NAS - proxy - radius

# Configuration #

    <AuthBy SQLRADIUS>
        Identifier ProxyToOffice
        FailureBackoffTime 60
        DBSource dbi:mysql:ProxyDB
        DBUsername root
        DBAuth
        HostSelect select HOST%0, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from \
            RADSQLRADIUS where TARGETNAME='%R'
        StripFromRequest Cisco-NAS-Port, \
            NAS-Port, \
            NAS-Port-Type, \
            NAS-IP-Address, \
            Called-Station-Id, \
            Calling-Station-Id
        AddToRequest Service-Class = %{Reply:Service-Class}
        AllowInReply Service-Type, \
            Framed-Protocol, \
            Framed-IP-Netmask, \
            Framed-IP-Address, \
            Ascend-Client-Primary-DNS, \
            Ascend-Client-Secondary-DNS, \
            Loopback-Tag, \
            Release-Name, \
            VRF-Tag
        ReplyHook file:"%D/reply.pl"
    </AuthBy>

# Database output #

    mysql> select HOST1, SECRET, AUTHPORT, ACCTPORT, RETRIES, RETRYTIMEOUT, FAILUREPOLICY from RADSQLRADIUS where TARGETNAME='office1';
    +-----------+--------+----------+----------+---------+--------------+---------------+
    | HOST1     | SECRET | AUTHPORT | ACCTPORT | RETRIES | RETRYTIMEOUT | FAILUREPOLICY |
    +-----------+--------+----------+----------+---------+--------------+---------------+
    | 127.0.0.1 | kpn    |     1812 |     1813 |       2 |            5 |             1 |
    +-----------+--------+----------+----------+---------+--------------+---------------+
    1 row in set (0.00 sec)

# Debug #

    Code:       Access-Request
    Identifier: 2
    Authentic:  1234567890123456
    Attributes:
        User-Name = "mohamed@office1"
        Service-Type = Framed-User
        User-Password = "166>186>H1By%222>155>151>153>171>216>!U133>"
        Service-Class = "office2-1.1.1.1-"

    Wed Sep 11 11:03:22
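
The positional mapping Hugh describes, as an added example that is not part of the thread and is not Radiator source code. map_row() and describe() are hypothetical helpers modelled on the quoted AuthSQLRADIUS.pm excerpt, and the two rows are constructed from the database output above. It shows that the 7-column query leaves failurePolicy undefined, so no reject is sent, while the FAILUREPOLICY value of 1 is picked up as UseOldAscendPasswords instead.

```perl
#!/usr/bin/perl
# Added illustration, not Radiator source: positional handling of a HostSelect
# row, modelled on the AuthSQLRADIUS.pm excerpt quoted in the thread.
# map_row() and describe() are hypothetical helpers.
use strict;
use warnings;

# Host options in the order of columns 1..9 of the default HostSelect query
my @HOST_OPTS = qw(Secret AuthPort AcctPort Retries RetryTimeout
                   UseOldAscendPasswords ServerHasBrokenPortNumbers
                   ServerHasBrokenAddresses IgnoreReplySignature);

# Returns (hashref of host options, failure policy or undef)
sub map_row {
    my @row  = @_;
    my %host = (Name => $row[0]);
    for my $i (1 .. 9) {
        $host{ $HOST_OPTS[$i - 1] } = $row[$i] if defined $row[$i];
    }
    # The failure policy is read only from the 11th column (index 10)
    return (\%host, $row[10]);
}

# One-line summary of how a row was interpreted
sub describe {
    my ($label, @row) = @_;
    my ($host, $fp) = map_row(@row);
    my @opts;
    for my $k (@HOST_OPTS) {
        push @opts, "$k=$host->{$k}" if exists $host->{$k};
    }
    my $policy = defined($fp) ? $fp : 'undef';
    my $note   = @row < 11 ? '  <-- fewer than 11 columns' : '';
    return sprintf '%s: failurePolicy=%s [%s]%s',
        $label, $policy, join(', ', @opts), $note;
}

# Constructed rows built from the database output shown in the thread.
# 7-column query from the original post: FAILUREPOLICY lands at index 6.
my @short = ('127.0.0.1', 'kpn', 1812, 1813, 2, 5, 1);
# Query padded with four NULLs (undef from DBI): FAILUREPOLICY is at index 10.
my @padded = ('127.0.0.1', 'kpn', 1812, 1813, 2, 5,
              undef, undef, undef, undef, 1);

print describe('short ', @short),  "\n";
print describe('padded', @padded), "\n";
```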