

Troubleshooting


This chapter presents strategies for how to diagnose and resolve problems that might occur when you set up and use the MAX TNT with RADIUS. It consists of the following sections:

RADIUS authentication problems
RADIUS accounting problems
Connect progress codes
Disconnect cause codes

RADIUS authentication problems

If RADIUS is not properly authenticating dial-in users, you must carry out the following tasks until you locate the source of the problem:

  1. Isolate the problem to the RADIUS server.

  2. Check the RADIUS configuration and program files.

  3. Check the MAX TNT parameters for proper configuration.

  4. Run the RADIUS daemon in debug mode.

  5. Check the log file.

  6. Determine whether all users are failing authentication.

Isolating the problem to the RADIUS server

To isolate the problem to the RADIUS server, try to authenticate a user with a local Connection profile. If the Connection profile authenticates the user, your RADIUS configuration is the source of the problem.

Checking the RADIUS configuration and program files

Check the RADIUS files for proper installation and configuration:

  1. Make sure that you have copied the dictionary, users, and clients files into the /etc/raddb directory. If you modify the clients file, you must restart the RADIUS daemon.

  2. Verify that you are using the latest version of the Ascend RADIUS daemon.

  3. Confirm that there are no syntax errors in the user profile. A comma must appear at the end of every line, except the first and last lines. The Default entry in the users file must be the last entry in the file. You need not specify an attribute in a profile unless you want to change the value from its default setting.

  4. Check whether you are attempting to authenticate a UNIX user with CHAP. Authentication using the /etc/passwd file (with the UNIX keyword) is incompatible with CHAP. For a user dialing in with CHAP, you must specify a static password in the user profile.
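
A linter for the two syntax rules in step 3, as an added example that is not part of the Ascend documentation or daemon. The file layout it assumes (an unindented first line per profile, indented attribute lines, `#` comment lines) and the sample profiles are constructed for illustration.

```python
# Added example: lint an Ascend-style users file for the step 3 syntax rules.
# Assumed layout: a profile starts on an unindented line, its remaining
# lines are indented, and '#' starts a comment line.

SAMPLE_USERS = '''\
# constructed sample, not a real configuration
emma Password="constructed-pw"
    User-Service=Framed-User,
    Framed-Protocol=PPP
    Framed-Address=10.0.0.5
Default Password="UNIX"
    User-Service=Login-User
carlos Password="constructed-pw",
    User-Service=Framed-User
'''

def parse_profiles(text):
    """Return [(name, [(line_number, line), ...]), ...] in file order."""
    profiles = []
    for number, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw[0] in " \t" and profiles:
            profiles[-1][1].append((number, line))   # continuation line
        else:
            profiles.append((line.split()[0], [(number, line)]))
    return profiles

def lint_users(text):
    """Return sorted (line_number, message) findings."""
    findings = []
    profiles = parse_profiles(text)
    for position, (name, lines) in enumerate(profiles):
        if name.lower() == "default" and position != len(profiles) - 1:
            findings.append((lines[0][0], "Default entry is not the last entry"))
        for index, (number, line) in enumerate(lines):
            middle = 0 < index < len(lines) - 1
            if middle and not line.endswith(","):
                findings.append((number, f"{name}: missing comma at end of line"))
            elif not middle and line.endswith(","):
                edge = "first" if index == 0 else "last"
                findings.append((number, f"{name}: {edge} line must not end with a comma"))
    return sorted(findings)

if __name__ == "__main__":
    for number, message in lint_users(SAMPLE_USERS):
        print(f"line {number}: {message}")
```
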

Checking the MAX TNT parameters

In the External-Auth profile on the MAX TNT, make sure that Auth-Type=RADIUS. Then, open the Rad-Auth-Client subprofile, and verify the following settings:

  1. The Auth-Server-n parameter must specify the correct IP address of the RADIUS server.

  2. The Auth-Port parameter must specify the RADIUS daemon's authentication port as entered in the /etc/services file.

  3. The Auth-Key parameter must specify the MAX TNT unit's password as entered in the /etc/raddb/clients file. If the accounting process of the daemon is running on the same server as the authentication process (rather than on a separate host), the Acct-Key parameter in the Rad-Acct-Client subprofile on the MAX TNT must specify the same password as the Auth-Key parameter.

  4. The Name parameter in the System profile must specify the MAX TNT unit's name as entered in the /etc/raddb/clients file. Verify that the IP address of the MAX TNT can be resolved from the name.

  5. In the Answer-Defaults profile, make sure that Profiles-Required=Yes.

  6. If you are using PAP, CHAP, or MS-CHAP authentication for incoming PPP, MP, and MP+ calls, you must set Recv-Auth-Mode in the PPP-Answer subprofile of the Answer-Defaults profile to the appropriate value.

  7. If you want modem callers to dial into the terminal server, you must set Security-Mode=Full in the Terminal-Server profile.

Running the RADIUS daemon in debug mode

Run the RADIUS daemon in debug mode by entering one of the following commands:

Checking the log file

RADIUS writes error messages to /etc/raddb/logfile. The Syslog daemon does not create the RADIUS log file, so you must create the file yourself. Table A-1 provides a partial list of error messages.

Table A-1. Log file error messages

| Message | Explanation |
|---|---|
| CALC_DIGEST | The clients file contains an incorrect entry. Or, the name of the MAX TNT is correct, but the RADIUS server is unable to resolve the IP address from the name you specified. |
| DICT_VAL_FIND | In a user profile, you specified a setting that the dictionary does not support. This message could signal a simple misspelling or a syntax error. |
| BAD AUTHENTICATOR | You might have specified an incorrect password in the clients file, or in the value of the Auth-Key parameter in the Rad-Auth-Client subprofile of the External-Auth profile. |
| CHAP UNIX FAILURE | You can use the UNIX password only with PAP authentication. In a user profile, the setting Password="UNIX" causes RADIUS to use the /etc/passwd file for authentication. |
| WRONG NAS ADDRESS | The entry in the clients file might have the incorrect IP address for the MAX TNT. Or, the RADIUS server might be unable to resolve the IP address from the name of the MAX TNT in the clients file. To resolve this error, specify the correct IP address of the MAX TNT in the clients file. |

Determining whether all users are failing authentication

If all modem users except those on a particular platform can connect, contact Ascend technical support for assistance.

RADIUS accounting problems

This section describes the following types of problems:

General accounting errors

If RADIUS is not properly providing accounting information, proceed as follows:

  1. Make sure that the RADIUS daemon is running with the -A argument specified.

  2. Verify that the /usr/adm/radacct directory exists. This directory contains accounting information. If it does not exist, create it. Or, use the -a argument when starting the daemon, and specify a different directory in which to store accounting information.

  3. In the External-Auth profile on the MAX TNT, make sure that Acct-Type=Acct-RADIUS.

  4. Open the Rad-Auth-Client subprofile.

  5. Make sure that the Acct-Server-n parameter specifies the IP address of the RADIUS host.

  6. Verify that the Acct-Port indicates the UDP port number you specified for the accounting process of the daemon in /etc/services. If you used the incr keyword for the -A argument when starting the daemon, make sure that the parameter specifies the UDP port for authentication services plus 1.

  7. Make sure that the Acct-Key specifies the RADIUS client password exactly as it appears in the RADIUS clients file.
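
Why step 7 asks for an exact match, shown as an added example that is not Ascend's code: in standard RADIUS accounting (RFC 2866) the request authenticator is an MD5 digest over the packet and the shared secret, so a key that differs by a single character fails the server's check. It assumes the daemon follows that standard calculation; the packet contents and the secret are constructed.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS code for Accounting-Request

def attribute(attr_type, value):
    """Encode one attribute as type, length, value."""
    return bytes([attr_type, len(value) + 2]) + value

def request_authenticator(code, ident, attrs, secret):
    """MD5 over code, id, length, 16 zero octets, attributes, shared secret."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()

def build_accounting_request(ident, attrs, secret):
    """Client side: sign the request with the configured accounting key."""
    auth = request_authenticator(ACCOUNTING_REQUEST, ident, attrs, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    return header + auth + attrs

def server_accepts(packet, secret):
    """Server side: recompute the digest with the secret from its clients file."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = request_authenticator(code, ident, packet[20:], secret)
    return hmac.compare_digest(expected, packet[4:20])

# Constructed sample: Acct-Status-Type=Stop (type 40, value 2) and User-Name (type 1)
ATTRS = attribute(40, struct.pack("!I", 2)) + attribute(1, b"emma")
PACKET = build_accounting_request(7, ATTRS, b"constructed-secret")

if __name__ == "__main__":
    for candidate in (b"constructed-secret", b"constructed-secret ", b"Constructed-secret"):
        print(candidate, "accepted" if server_accepts(PACKET, candidate) else "rejected")
```
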

Duplicate or deleted records

If the MAX TNT sends an authentication packet to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Auth-Timeout parameter, it resends the packet. RADIUS reports the resent packet as a duplicate. The following message appears on the console:

Dropping duplicate from MAX TNT, id=num

The message can also appear if the MAX TNT sends an accounting request to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Acct-Timeout parameter. Delays in the link between the MAX TNT and the RADIUS server can cause the duplications. In addition, the delays can cause the MAX TNT to lose accounting records when its accounting buffer overflows.

The following devices can cause delays in the link between the MAX TNT and the RADIUS server:

Backoff-queue error message

The accounting server stores unacknowledged records in the backoff queue. If the unit never receives an acknowledgment to an accounting request, it eventually runs out of memory. To prevent this situation, the unit deletes the accounting records and displays the following error message:

Backoff Q full, discarding user username

This error generally occurs for one of two reasons:

Connect progress codes

The Ascend-Connect-Progress attribute specifies the state of the connection before it is disconnected. The MAX TNT includes Ascend-Connect-Progress in an Accounting-Request packet when the session has ended or has failed authentication (Acct-Status-Type=Stop).

For information about the values returned for the Ascend-Connect-Progress attribute, see Table 14-5.

Disconnect cause codes

The Ascend-Disconnect-Cause attribute specifies the reason a connection is offline. The MAX TNT includes Ascend-Disconnect-Cause in an Accounting-Request packet when the session has ended or has failed authentication (Acct-Status-Type=Stop).

For information about the values returned for the Ascend-Disconnect-Cause attribute, see Table 14-10.




techpubs@eng.ascend.com

Copyright © 1998, Ascend Communications, Inc. All rights reserved.