Re: (ASCEND) junk username in RADIUS stop packets

To: Josh Bailey <joshb@xtra.co.nz>
Subject: Re: (ASCEND) junk username in RADIUS stop packets
From: "Dale E. Reed Jr." <daler@iea.com>
Date: Sun, 10 Aug 1997 10:45:23 -0700
CC: ascend-users@bungi.com
Organization: IEA Software, Inc.
References: <Pine.LNX.3.96.970810205013.11129E-100000@fell-light>
Sender: owner-ascend-users@max.bungi.com

Josh Bailey wrote:
> 
> We're seeing a lot of junk in our RADIUS logs:
> 
> Sun Aug 10 19:11:15 1997: rad_recv:* MISSING User-Name (1) in acct-req
> (type 4) request 3 from 203.96.111.165 via. 203.96.111.165[1026]
> 
> And, correspondingly in the syslogs:
> 
> 970810 19:10:01 Backoff Q full, discarding user ^P0^?^?^O[239278094]
> 970810 19:10:01 Backoff Q full, discarding user ^P0^?^?^O[239278095]
> 970810 19:10:32 Backoff Q full, discarding user ^P0^?^?^O[239278096]
> 970810 19:11:07 Backoff Q full, discarding user ^P0^?^?^O[239278097]
> 970810 19:11:07 Backoff Q full, discarding user ^P0^?^?^O[239278098]
> 
> We see these from all Maxes - ISDN, R2, busy, not so busy. Seems this
> background rubbish is happening all the time.
> 
> Normally it isn't a problem - but very occasionally, our RADIUS servers
> get overwhelmed with acknowledging these junk accounting records, and the
> backoff queues overflow.
> 
> Please, does anyone know:
> 
> 1. What causes these junk records?

Ascend came up with a not-so wonderful idea.  If the RADIUS accounting
packet is re-sent five times and still not ack'ed, it will trim the
packet down from all the goodies it normally would to something with
only about four attributes, which username is *NOT* one of them trimmed.

After that, you get these little accounting records that are just a tad
annoying.  I'm sure someone in Engineering thought they were a genious
when they came up with this one, but reallys its quite stupid.

> 2. How can we get rid of them?

Its difficult to really figure out why.  The first thing I would do is
up
your timesouts for auth and accounting to atleast 5, 7-10 can bring it
down more.  I have found that Ascend's are very "trigger" happy and
don't always wait the full timeout, and thats the major cause of it.
They also like to flood requests when they backup, almost in a parallel
fashion rather than serially, and this can pretty much wipe out most
RADIUS servers.

> 3. Why isn't RADIUS/LOGOUT documented anywhere?

I am not that familiar with it, but I believe its just sending
a RADIUS authentication-like request when the user logs outs and
pre-dates RADIUS accounting.  Its not really used much anymore.

-- 
Dale E. Reed Jr.  (daler@iea.com)
_________________________________________________________________
       IEA Software, Inc.      |  RadiusNT, Emerald, and NT FAQs
 Internet Solutions for Today  |   http://www.iea-software.com
++ Ascend Users Mailing List ++
To unsubscribe:	send unsubscribe to ascend-users-request@bungi.com
To get FAQ'd:	<http://www.nealis.net/ascend/faq>

Follow-Ups:

Re: (ASCEND) junk username in RADIUS stop packets

From: Josh Bailey <joshb@xtra.co.nz>

References:

(ASCEND) junk username in RADIUS stop packets

From: Josh Bailey <joshb@xtra.co.nz>

Prev by Date: Re: (ASCEND) RADIUS - Blocking multiple logins by same user (fwd)
Next by Date: Re: (ASCEND) Pipeline 75: single address NAT in version 5.0B?
Prev by thread: (ASCEND) 56KBits, sudden disconnects with GVC modems
Next by thread: Re: (ASCEND) junk username in RADIUS stop packets
Index(es):
- Main
- Thread