Troubleshooting

This appendix presents strategies for how to diagnose and resolve problems that may occur when you set up and use the MAX with RADIUS. This appendix contains the following topics:

RADIUS authentication problems

RADIUS accounting problems

Connect progress codes

Disconnect progress codes

RADIUS authentication problems
RADIUS accounting problems
Connect progress codes
Disconnect progress codes

RADIUS authentication problems

General authentication failures

If RADIUS is not properly authenticating dial-in users, follow these steps to pinpoint the source of the problem:

To isolate the problem to the RADIUS server, try to authenticate a user with a local
Connection profile.
If the Connection profile authenticates the user, you can feel certain that your RADIUS configuration is the source of the problem.
In the Ethernet > Mod Config > Auth menu, check the settings for these parameters:
- Auth. You must set this parameter to RADIUS or RADIUS/LOGOUT.
- Auth Host #n. This parameter must indicate the correct IP address of the RADIUS server.
- Auth Port. This parameter must indicate the RADIUS daemon's authentication port as specified in the /etc/services file.
- Auth Key. This parameter must indicate the MAX unit's password as specified in the
  /etc/raddb/clients file. If the accounting process of the daemon is running on the same server as the authentication process (rather than on a separate host), the Acct Key parameter in the Ethernet > Mod Config > Accounting must specify the same password as the Auth Key parameter.
Check these settings in the MAX configuration interface:
- The Name parameter in the System profile must indicate the MAX unit's name as specified in the /etc/raddb/clients file. Verify that the IP address of the MAX can be resolved from the name.
- In the Ethernet > Answer menu, you must set Profile Reqd=Yes.
- If you are using PAP, CHAP, or MS-CHAP authentication of incoming PPP, MP, and MP+ calls, you must set Recv Auth to the appropriate value in the Ethernet > Answer > PPP Options menu.
- If you want modem callers to dial into the terminal server, you must set Security=Full in the Ethernet > Mod Config > TServ Options menu.
Make sure that you have copied all these files into the /etc/raddb directory:
- dictionary
- users
- clients
Verify that you are using the latest version of the Ascend RADIUS daemon.
Confirm that there are no syntax errors in the user profile.
To isolate the source of the problem, run the RADIUS daemon in debug mode by entering one of these commands:
radiusd -x (for the flat ASCII users file)
radiusd.dbm -x (for the DBM database)
Confirm whether all users are failing authentication.
If all modem users can connect except for users on a particular platform, contact Ascend technical support for assistance.
If you are using the HPUX platform, problems may occur when you compile RADIUS with the proprietary compiler.
Try to use a gcc compiler instead.
Keep this additional information in mind:
- Authentication using the /etc/passwd file (with the UNIX keyword) is incompatible with CHAP. For a user dialing in with CHAP, you must specify a static password in the user profile.
- A comma must appear at the end of every line in a user profile except the first and last lines.
- The Default profile in the users file must be the last entry in the file.
- You need not restart the RADIUS daemon every time you add an entry to the users file.
- You must restart the RADIUS daemon if you modify the clients file.
- You need only specify an attribute in a user profile when you want to change the value from its default setting.

Checking the logfile

RADIUS writes error messages to /etc/raddb/logfile. The Syslog daemon does not create the RADIUS log file, so you must create the file yourself. Table A-1 provides a partial list of error messages.

Table A-1. Error messages


Message	Description
CALC_DIGEST	The clients file contains an incorrect entry. Or, the name of the MAX is correct, but the RADIUS server is unable to resolve the IP address from the name you specified.
DICT_VAL_FIND	In a user profile, you specified a setting that the dictionary does not support. This error could signal a simple misspelling or a syntax error.
BAD AUTHENTICATOR	You might have specified an incorrect password in the clients file, or in the value of the Auth Key parameter in the Ethernet > Mod Config > Auth menu.
CHAP UNIX FAILURE	You can use the UNIX password only with PAP authentication. In a user profile, the setting Password= "UNIX" causes RADIUS to use the /etc/passwd file for authentication.
WRONG NAS ADDRESS	The entry in the clients file may have the incorrect IP address for the MAX. Or, the RADIUS server may be unable to resolve the IP address from the name of the MAX in the clients file. To resolve this error, specify the correct IP address of the MAX in the clients file.

RADIUS accounting problems

General accounting failures

If RADIUS is not properly providing accounting information, follow these steps to pinpoint the source of the problem:

Make sure that the RADIUS daemon is running with the -A option enabled.
- The -A option specifies that the RADIUS daemon creates the accounting process.
  If you are using a flat ASCII users file, start the RADIUS daemon with the -A option by entering this command:
  When you specify the services argument, the daemon creates the accounting process only if a line defining the UDP port to use for accounting appears in the /etc/services file. Otherwise, the daemon does not start.
  When you specify the incr argument, the daemon creates the accounting process with the UDP port specified as the accounting port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port specified for radiusd and uses that port number. This action is the default when you do not specify the -A argument.
- If you are using a DBM database, start the RADIUS daemon with the -A option by entering this command:
  You must specify the services argument when you start the daemon in DBM mode.
Check to see that the /usr/adm/radacct directory exists.
If it does not exist, you can perform either of these tasks:
- Create the /usr/adm/radacct directory.
- Use the -a option when starting the daemon, and specify a different directory in which to store accounting information.
  The accounting process in the daemon creates a file named detail in /usr/adm/radacct, or in the directory you specify using the -a option. The detail file contains accounting records.
In the Ethernet > Mod Config > Auth menu, make sure that Auth=RADIUS.
Accounting is available only with RADIUS authentication. It is not available when Auth=None, TACACS, or RADIUS/LOGOUT.
In the Ethernet > Mod Config > Accounting menu, check the settings of these parameters:
- Acct: You must set this parameter to RADIUS.
- Acct Host #n. For this parameter, you must specify the IP address of the RADIUS host.
- Acct Port. For this parameter, you must indicate the UDP port number you specified for the accounting process of the daemon in /etc/services. Or, if you used the incr keyword for the -A option when starting the daemon, you must specify the number of the UDP port for authentication services + 1.
- Acct Key. For this parameter, you must indicate the RADIUS client password exactly as it appears in the RADIUS clients file.
- Sess Timer. The MAX can report the number of sessions by class to a RADIUS accounting server. The Sess Timer parameter specifies the interval in seconds in which the MAX sends session reports. You can specify a number between 0 and 65535. The default value is 0 (zero), which indicates that the MAX does not send reports on session events.

Duplicate or deleted records

If the MAX sends an authentication packet to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Auth Timeout parameter in the Ethernet > Mod Config > Auth menu, it resends the packet. Because RADIUS did not see the original packet, it reports the resent packet as a duplicate. This message appears on the console:

Dropping duplicate from MAX, id=num

This message can also appear if the MAX sends an accounting request to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Acct Timeout parameter in the Ethernet > Mod Config > Accounting menu. Delays in the link between the MAX and the RADIUS server can cause these duplications. In addition, these delays can cause accounting records to be lost when the MAX unit's accounting buffer overflows.

These devices can cause delays in the link between the MAX and the RADIUS server:

An intermediate router or other communication device that stores accounting request packets
A busy accounting server

Backoff queue error message

The accounting server stores unacknowledged records in the backoff queue. If the unit never receives an acknowledgment to an accounting request, it will eventually run out of memory. In order to keep this situation from occurring, the unit deletes the accounting records and displays this error message:

Backoff Q full, discarding user username

This error generally occurs for one of two reasons:

You enabled RADIUS accounting on the MAX, but not on the RADIUS server.
You are using the Livingston server instead of the Ascend server.

Understanding V.110 module call status information

The MAX supports V.110 module call status information for RADIUS accounting. Table A-2 lists the V.110 call status values for RADIUS attributes for each channel/ITAC in each V.110 interface card.

Table A-2. V.110 call status values


Value	Description
DisconnectReasonType (Ascend-Disconnect-Cause attribute)	DIS_V110_TIMEOUT=160-This value specifies the number of retries for timeouts and resynchronization over MAX_V110_RETRIES.
ProgressType (Ascend-Connect-Progress attribute)	PR_V110_UP=90-A V.110 connection is up. PR_V110_STATE_OPENED-An open has been issued, but the MAX has not yet synched up with the remote end. PR_V110_STATE_CARRIER-The remote end detected a carrier. PR_V110_STATE_RESET-The V.110 connection has reset. PR_V110_STATE_CLOSED-The V.110 connection has closed.
AcctEventType	ACCT_EVNT_V110_BAUD-This value supports the V.110 baud rate, and works exactly like ACCT_EVNT_MODEM_BAUD.

Connect progress codes

The Ascend-Connect-Progress attribute specifies the state of the connection before it is disconnected. The MAX includes Ascend-Connect-Progress in an Accounting-Request packet when both of these conditions are true:

The session has ended or has failed to authenticate (Acct-Status-Type=Stop).
The Auth parameter is not set to RADIUS/LOGOUT.

Ascend-Connect-Progress can have any one of values specified in Table A-3

Table A-3. Ascend-Connect-Progress codes


Progress code	Description
1	Not applied to any call.
2	Unknown progress.
10	Ascend unit has detected and accepted call.
30	Ascend unit has assigned modem to call.
31	Modem is awaiting DCD from far-end modem.
32	Modem is awaiting result codes from far-end modem.
40	Terminal server session started.
41	Raw TCP session started.
42	Immediate Telnet session started.
43	Connection made to raw TCP host.
44	Connection made to Telnet host.
45	Rlogin session started.
46	Connection made with Rlogin session.
47	Terminal server authentication started.
50	Modem outdial session started.
60	LAN session is up.
61	Opening LCP.
62	Opening CCP.
63	Opening IPNCP.
64	Opening BNCP.
65	LCP opened.
66	CCP opened.
67	IPNCP opened.
68	BNCP opened.
69	LCP in initial state.
70	LCP in Starting state.
71	LCP in Closed state.
72	LCP in Stopped state.
73	LCP in Closing state.
74	LCP in Stopping state.
75	LCP in Req-Sent state.
76	LCP in Ack-Rcvd state.
77	LCP in Ack-Sent state.
80	IPX NCP in Open state.
81	AT NCP in Open state.
82	BACP being opened.
83	BACP is now open.
84	CBCP being opened.

Disconnect progress codes

The Ascend-Disconnect-Cause attribute specifies the reason a connection was taken offline. The MAX includes Ascend-Disconnect-Cause in an Accounting-Request packet when both of these conditions are true:

The session has ended or has failed to authenticate (Acct-Status-Type=Stop).
The Auth parameter is not set to RADIUS/LOGOUT.

Ascend-Disconnect-Cause can return any of the values listed in Table A-4.

Table A-4. Ascend-Disconnect-Cause codes


Disconnect code	Description
1	Not applied to any call.
2	Unknown disconnect.
3	Call disconnected.
4	CLID authentication failed.
5	RADIUS timeout during authentication.
6	Successful authentication. Ascend unit is configured to callback user.
7	Pre-T310 Send Disc timer triggered.
9	No modem is available to accept call.
10	Modem never detected Data Carrier Detect (DCD).
11	Modem detected DCD, but modem carrier was lost.
12	Ascend unit failed to successfully detect modem result codes.
13	Ascend unit failed to open a modem for outgoing call.
14	Ascend unit failed to open a modem for outgoing call while `modemdiag` diagnostic command is enabled.
20	User exited normally from the terminal server.
21	Terminal server timed out waiting for user input.
22	Forced disconnect when exiting telnet session.
23	No IP address available when invoking PPP or SLIP command.
24	Forced disconnect when exiting raw TCP session.
25	Exceeded maximum login attempts.
26	Attempt to start a raw TCP session, but raw TCP is disabled on Ascend unit.
27	Control-C characters received during login.
28	Terminal server session cleared ungracefully.
29	User closed a Terminal server virtual connect normally.
30	Terminal server virtual connect cleared ungracefully.
31	Exit from rlogin session.
32	Establishment of rlogin session failed because of bad options.
33	Ascend unit lacks resources to process terminal server request.
35	MP+ session cleared because no null MP packets received. An Ascend unit sends (and should receive) null MP packets throughout an MP+ session.
40	LCP timed out waiting for a response.
41	LCP negotiations failed, usually because user is configured to send passwords via PAP, and Ascend unit is configured to only accept passwords via CHAP (or vice versa).
42	PAP authentication failed.
43	CHAP authentication failed.
44	Authentication failed from remote server.
45	Ascend unit received Terminate Request packet while LCP was in open state.
46	Ascend unit received Close Request from upper layer, indicating graceful LCP closure.
47	Ascend unit cleared call because no PPP Network Core Protocols (NCPs) were successfully negotiated. Typically, there is no agreement on the type of routing or bridging that is supported for the session.
48	Disconnected MP session. The Ascend unit accepted a added channel, but cannot determine which call to which to add the new channel.
49	Disconnected MP call because no more channels can be added.
50	Telnet or raw TCP session tables full.
51	Ascend unit has exhausted Telnet or raw TCP resources.
52	For Telnet or raw TCP session, IP address is invalid.
53	For Telnet or raw TCP session, Ascend unit cannot resolve host name.
54	For Telnet or raw TCP session, Ascend unit received bad or missing port number.
60	For Telnet or raw TCP session, host reset.
61	For Telnet or raw TCP session, connection was refused.
62	For Telnet or raw TCP session, connection timed out.
63	For Telnet or raw TCP session, connection closed by foreign host.
64	For Telnet or raw TCP session, network unreachable.
65	For Telnet or raw TCP session, host unreachable.
66	For Telnet or raw TCP session, network admin unreachable.
67	For Telnet or raw TCP session, host admin unreachable.
68	For Telnet or raw TCP session, port unreachable.
100	Session timed out.
101	Invalid user.
102	Callback enabled.
105	Session timeout on the basis of encapsulation negotiations.
106	MP session timeout.
115	Instigating call no longer active.
120	Requested protocol is disabled or unsupported.
150	Disconnect requested by RADIUS server.
151	Call disconnected by local administrator.
152	Call disconnected via SNMP.
160	Exceeded maximum amount of V.110 retries.

techpubs@ascend.com

Troubleshooting

RADIUS authentication problems

General authentication failures

Checking the logfile

Message

Description

RADIUS accounting problems

General accounting failures

Duplicate or deleted records

Backoff queue error message

Understanding V.110 module call status information

Value

Description

Connect progress codes

Progress code

Description

Disconnect progress codes

Disconnect code

Description