Re: Authentication bug

Dale E. Reed Jr. ( (no email) )
Wed, 05 Mar 1997 11:00:24 -0800

Eduardo Antonio Zappi wrote:
>
> Hi.
>
> I am having two problems.
>
> 1. Consider a user called John Doe. His username is john and he uses his entire name to perform a logon. Radius accepts the logon and puts the entire name on the table "Calls", instead of the username only, as we would prefer.
> Is there anything I can do to allow radius not to accept such login in this case?

Logins with spaces are legal in RadiusNT and it performs an authentication
on the entire name. Are you saying it's only authenticating to the name up
to the space?

> 2. Sometimes (once a week) radius generates more than one line on the table "calls" for a login or a logout. Once I have found 15 entries for one single user log!
>
> example
>
> Calldate .......... UserName .... Acctstatustype .... acctdelaytime ... acctsessiontime
>
> 03/01/97 10:00:00 david 1 0
> 03/01/97 10:00:00 david 1 20

These are the SAME start record. The acctdelaytime means we received
this 20 seconds after the NAS logged the user on. What kind of NAS are
you using? Typically you use a key on several fields (like the default
DB uses) to prevent this.

> 03/01/97 11:01:30 david 2 100 3600
> 03/01/97 11:02:04 david 2 134 3600
> 03/01/97 11:03:14 david 2 234 3600
> 03/01/97 11:05:00 david 2 390 3600
> 03/01/97 11:01:00 david 2 80 3600
> 03/01/97 11:00:00 david 2 0 3600

These are all the same stop record. You omitted to show the
AcctSessionID, which is typically the best field to show these are all
the same.

> Time in the field "calldate" is not the actual values, but the example illustrates what is happening.

Actually, it's incorrect above. Assuming the first (0 acctdelaytime) is
correct, the times would be:

03/01/97 11:01:40 david 2 100 3600
03/01/97 11:02:14 david 2 134 3600
03/01/97 11:03:54 david 2 234 3600
03/01/97 11:05:30 david 2 390 3600
03/01/97 11:01:20 david 2 80 3600
03/01/97 11:00:00 david 2 0 3600

If you notice in the above, the Call Date is when RadiusNT actually
receives the packet from the NAS. You backtrack the calldate x secs
(the value of the acctdelaytime field) to figure out the REAL calldate.
I have been thinking about putting this logic into RadiusNT so that
the call date would be correct.

> Does anybody know why this happens and what to do to fix it?

Use the DB key, unless you have a Cisco. In that case, it's a
tough one to fix. :( The main reason why this happens is slow
response times from RadiusNT. If you are using an Access database,
I would recommend going with something that doesn't have the
erratic latency times.

-- Dale E. Reed Jr.  (daler@iea.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
Internet Solutions for Today  |    http://www.emerald.iea.com
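
Added example, not part of the original message and not RadiusNT code: the backtracking and keying described in the reply, applied to accounting rows after the fact. The sample rows, the session ID values and the choice of key (UserName, AcctSessionID, AcctStatusType) are assumptions made for this illustration.

```python
from datetime import datetime, timedelta

FMT = "%m/%d/%y %H:%M:%S"

# Constructed sample rows (not from the post): calldate as received,
# UserName, AcctStatusType, AcctDelayTime, AcctSessionTime, AcctSessionID.
ROWS = [
    ("03/01/97 10:00:00", "david", 1, 0, None, "0000A1"),
    ("03/01/97 10:00:20", "david", 1, 20, None, "0000A1"),
    ("03/01/97 11:01:20", "david", 2, 80, 3600, "0000A1"),
    ("03/01/97 11:00:00", "david", 2, 0, 3600, "0000A1"),
    ("03/01/97 11:01:40", "david", 2, 100, 3600, "0000A1"),
    ("03/01/97 12:30:05", "anna", 1, 5, None, "0000A2"),
]

def real_calldate(calldate, delay):
    """Backtrack the receive time by AcctDelayTime seconds."""
    return datetime.strptime(calldate, FMT) - timedelta(seconds=delay)

def dedupe(rows):
    """Collapse retransmitted copies of one start/stop record into one row.

    Assumed key: (UserName, AcctSessionID, AcctStatusType).
    """
    groups = {}
    for row in rows:
        calldate, user, status, delay, sess_time, sess_id = row
        groups.setdefault((user, sess_id, status), []).append(row)
    out = []
    for (user, sess_id, status), copies in groups.items():
        # The copy with the smallest delay is the earliest transmission.
        calldate, _, _, delay, sess_time, _ = min(copies, key=lambda r: r[3])
        out.append({
            "event_time": real_calldate(calldate, delay).strftime(FMT),
            "username": user,
            "status": status,
            "session_time": sess_time,
            "session_id": sess_id,
            "copies": len(copies),  # >1 means the NAS retransmitted
        })
    return sorted(out, key=lambda r: datetime.strptime(r["event_time"], FMT))

if __name__ == "__main__":
    for record in dedupe(ROWS):
        print(record)
```

A high "copies" count on many records is the symptom the reply attributes to slow responses from the accounting server.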