Troubleshooting

This appendix presents strategies for how to diagnose and resolve problems that may occur when you set up and use the MAX with RADIUS. This appendix contains:

RADIUS authentication problems

RADIUS accounting problems

Connect progress codes

Disconnect progress codes

RADIUS authentication problems
RADIUS accounting problems
Connect progress codes
Disconnect progress codes

RADIUS authentication problems

General authentication failures

If RADIUS is not properly authenticating dial-in users, follow these steps to pinpoint the source of the problem:

To isolate the problem to the RADIUS server, try to authenticate a user with a local
Connection profile.
If the Connection profile authenticates the user, you can feel certain that your RADIUS configuration is the source of the problem.
In the Ethernet > Mod Config > Auth menu, check the settings for these parameters:
- Auth. You must set this parameter to RADIUS or RADIUS/LOGOUT.
- Auth Host #n. This parameter must indicate the correct IP address of the RADIUS server.
- Auth Port. This parameter must indicate the RADIUS daemon's authentication port as specified in the /etc/services file.
- Auth Key. This parameter must indicate the MAX unit's password as specified in the
  /etc/raddb/clients file. If the accounting process of the daemon is running on the same server as the authentication process (rather than on a separate host), the Acct Key parameter in the Ethernet > Mod Config > Accounting must specify the same password as the Auth Key parameter.
Check these settings in the MAX configuration interface:
- The Name parameter in the System profile must indicate the MAX unit's name as specified in the /etc/raddb/clients file. Verify that the IP address of the MAX can be resolved from the name.
- In the Ethernet > Answer menu, you must set Profile Reqd=Yes.
- If you are using PAP, CHAP, or MS-CHAP authentication of incoming PPP, MP, and MP+ calls, you must set Recv Auth to the appropriate value in the Ethernet > Answer > PPP Options menu.
- If you want modem callers to dial into the terminal server, you must set Security=Full in the Ethernet > Mod Config > TServ Options menu.
Make sure that you have copied all these files into the /etc/raddb directory:
- dictionary
- users
- clients
Verify that you are using the latest version of the Ascend RADIUS daemon.
Confirm that there are no syntax errors in the user profile.
To isolate the source of the problem, run the RADIUS daemon in debug mode by entering one of these commands:
radiusd -x (for the flat ASCII users file)
radiusd.dbm -x (for the DBM database)
Confirm whether all users are failing authentication.
If all modem users can connect except for users on a particular platform, contact Ascend technical support for assistance.
If you are using the HPUX platform, problems may occur when you compile RADIUS with the proprietary compiler.
Try to use a gcc compiler instead.
Keep this additional information in mind:
- Authentication using the /etc/passwd file (with the UNIX keyword) is incompatible with CHAP. For a user dialing in with CHAP, you must specify a static password in the user profile.
- A comma must appear at the end of every line in a user profile except the first and last lines.
- The Default profile in the users file must be the last entry in the file.
- You need not restart the RADIUS daemon every time you add an entry to the users file.
- You must restart the RADIUS daemon if you modify the clients file.
- You need only specify an attribute in a user profile when you want to change the value from its default setting.

Checking the logfile

RADIUS writes error messages to /etc/raddb/logfile. The Syslog daemon does not create the RADIUS log file, so you must create the file yourself. Table A-1 provides a partial list of error messages.

Table A-1. Error messages
Message	Description
CALC_DIGEST	The clients file contains an incorrect entry. Or, the name of the MAX is correct, but the RADIUS server is unable to resolve the IP address from the name you specified.
DICT_VAL_FIND	In a user profile, you specified a setting that the dictionary does not support. This error could signal a simple misspelling or a syntax error.
BAD AUTHENTICATOR	You might have specified an incorrect password in the clients file, or in the value of the Auth Key parameter in the Ethernet > Mod Config > Auth menu.
CHAP UNIX FAILURE	You can use the UNIX password only with PAP authentication. In a user profile, the setting Password= "UNIX" causes RADIUS to use the /etc/passwd file for authentication.
WRONG NAS ADDRESS	The entry in the clients file may have the incorrect IP address for the MAX. Or, the RADIUS server may be unable to resolve the IP address from the name of the MAX in the clients file. To resolve this error, specify the correct IP address of the MAX in the clients file.

RADIUS accounting problems

General accounting failures

If RADIUS is not properly providing accounting information, follow these steps to pinpoint the source of the problem:

Make sure that the RADIUS daemon is running with the -A option enabled.
- The -A option specifies that the RADIUS daemon creates the accounting process.
If you are using a flat ASCII users file, start the RADIUS daemon with the -A option by entering this command:
When you specify the services argument, the daemon creates the accounting process only if a line defining the UDP port to use for accounting appears in the /etc/services file. Otherwise, the daemon does not start.
When you specify the incr argument, the daemon creates the accounting process with the UDP port specified as the accounting port in the /etc/services file. If you have not defined the port, the daemon increments the UDP port specified for radiusd and uses that port number. This action is the default when you do not specify the -A argument.
- If you are using a DBM database, start the RADIUS daemon with the -A option by entering this command:
You must specify the services argument when you start the daemon in DBM mode.
Check to see that the /usr/adm/radacct directory exists.
If it does not exist, you can perform either of these tasks:
- Create the /usr/adm/radacct directory.
- Use the -a option when starting the daemon, and specify a different directory in which to store accounting information.
The accounting process in the daemon creates a file named detail in /usr/adm/radacct, or in the directory you specify using the -a option. The detail file contains accounting records.
In the Ethernet > Mod Config > Auth menu, make sure that Auth=RADIUS.
Accounting is available only with RADIUS authentication. It is not available when Auth=None, TACACS, or RADIUS/LOGOUT.
In the Ethernet > Mod Config > Accounting menu, check the settings of these parameters:
- Acct: You must set this parameter to RADIUS.
- Acct Host #n. For this parameter, you must specify the IP address of the RADIUS host.
- Acct Port. For this parameter, you must indicate the UDP port number you specified for the accounting process of the daemon in /etc/services. Or, if you used the incr keyword for the -A option when starting the daemon, you must specify the number of the UDP port for authentication services + 1.
- Acct Key. For this parameter, you must indicate the RADIUS client password exactly as it appears in the RADIUS clients file.
- Sess Timer. The MAX can report the number of sessions by class to a RADIUS accounting server. The Sess Timer parameter specifies the interval in seconds in which the MAX sends session reports. You can specify a number between 0 and 65535. The default value is 0 (zero), which indicates that the MAX does not send reports on session events.

Duplicate or deleted records

If the MAX sends an authentication packet to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Auth Timeout parameter in the Ethernet > Mod Config > Auth menu, it resends the packet. Because RADIUS did not see the original packet, it reports the resent packet as a duplicate. This message appears on the console:

Dropping duplicate from MAX, id=num

This message can also appear if the MAX sends an accounting request to the RADIUS server and does not receive an acknowledgment from the RADIUS daemon within the time specified by the Acct Timeout parameter in the Ethernet > Mod Config > Accounting menu. Delays in the link between the MAX and the RADIUS server can cause these duplications. In addition, these delays can cause accounting records to be lost when the MAX unit's accounting buffer overflows.

These devices can cause delays in the link between the MAX and the RADIUS server:

An intermediate router or other communication device that stores accounting request packets
A busy accounting server

Backoff queue error message

The accounting server stores unacknowledged records in the backoff queue. If the unit never receives an acknowledgment to an accounting request, it will eventually run out of memory. In order to keep this situation from occurring, the unit deletes the accounting records and displays this error message:

Backoff Q full, discarding user username

This error generally occurs for one of two reasons:

You enabled RADIUS accounting on the MAX, but not on the RADIUS server.
You are using the Livingston server instead of the Ascend server.

Understanding V.110 module call status information

The MAX supports V.110 module call status information for RADIUS accounting. Table A-2 lists the V.110 call status values for RADIUS attributes for each channel/ITAC in each V.110 interface card.

Table A-2. V.110 call status values
Value	Description
DisconnectReasonType (Ascend-Disconnect-Cause attribute)	DIS_V110_TIMEOUT=160-This value specifies the number of retries for timeouts and resynchronization over MAX_V110_RETRIES.
ProgressType (Ascend-Connect-Progress attribute)	PR_V110_UP=90-A V.110 connection is up. PR_V110_STATE_OPENED-An open has been issued, but the MAX has not yet synched up with the remote end. PR_V110_STATE_CARRIER-The remote end detected a carrier. PR_V110_STATE_RESET-The V.110 connection has reset. PR_V110_STATE_CLOSED-The V.110 connection has closed.
AcctEventType	ACCT_EVNT_V110_BAUD-This value supports the V.110 baud rate, and works exactly like ACCT_EVNT_MODEM_BAUD.

Connect progress codes

The Ascend-Connect-Progress attribute specifies the state of the connection before it is disconnected. The MAX includes Ascend-Connect-Progress in an Accounting-Request packet when both of these conditions are true:

The session has ended or has failed to authenticate (Acct-Status-Type=Stop).
The Auth parameter is not set to RADIUS/LOGOUT.

Ascend-Connect-Progress can have any one of values specified in Table A-3

Table A-3. Ascend-Connect-Progress codes
Code	Explanation
0	No progress.
1	Not applicable.
2	The progress of the call is unknown.
10	The call is up.
30	The modem is up.
31	The modem is waiting for DCD.
32	The modem is waiting for result codes.
40	The terminal server session has started up.
41	The MAX is establishing the TCP connection.
42	The MAX is establishing the immediate Telnet connection.
43	The MAX has established a raw TCP session with the host. This code does not imply that the user has logged into the host.
44	The MAX has established an immediate Telnet connection with the host. This code does not imply that the user has logged into the host.
45	The MAX is establishing an Rlogin session.
46	The MAX has established an Rlogin session with the host. This code does not imply that the user has logged into the host.
60	The LAN session is up.
61	LCP negotiations are allowed.
62	CCP negotiations are allowed.
63	IPNCP negotiations are allowed.
64	Bridging NCP negotiations are allowed.
65	LCP is in the Open state.
66	CCP is in the Open state.
67	IPNCP is in the Open state.
68	Bridging NCP is in the Open state.
69	LCP is in the Initial state.
70	LCP is in the Starting state.
71	LCP is in the Closed state.
72	LCP is in the Stopped state.
73	LCP is in the Closing state.
74	LCP is in the Stopping state.
75	LCP is in the Request Sent state.
76	LCP is in the ACK Received state.
77	LCP is in the ACK Sent state.
80	IPXNCP is in the Open state.
90	V.110 is up.
91	V.110 is in the Open state.
92	V.110 is in the Carrier state.
93	V.110 is in the Reset state.
94	V.110 is in the Closed state.

Disconnect progress codes

The Ascend-Disconnect-Cause attribute specifies the reason a connection was taken offline. The MAX includes Ascend-Disconnect-Cause in an Accounting-Request packet when both of these conditions are true:

The session has ended or has failed to authenticate (Acct-Status-Type=Stop).
The Auth parameter is not set to RADIUS/LOGOUT.

Ascend-Disconnect-Cause can return any of the values listed in Table A-4.

Table A-4. Ascend-Disconnect-Cause codes
Code	Description
0	No reason.
1	The event was not a disconnect.
2	The reason for the disconnect is unknown. This code can appear when the remote connection goes down.
3	The call has disconnected.
4	CLID authentication has failed.
These codes can appear if a disconnect occurs during the initial modem connection.
10	The modem never detected DCD.
11	The modem detected DCD, but became inactive.
12	The result codes could not be parsed.
These codes are related to immediate Telnet and raw TCP disconnects during a terminal server session.
20	The user exited normally from the terminal server.
21	The user exited from the terminal server because the idle timer expired.
22	The user exited normally from a Telnet session.
23	The user could not switch to SLIP or PPP because the remote host had no IP address or because the dynamic pool could not assign one.
24	The user exited normally from a raw TCP session.
25	The login process ended because the user failed to enter a correct password after three attempts.
26	The raw TCP option is not enabled.
27	The login process ended because the user typed Ctrl-C.
28	The terminal server session has ended.
29	The user closed the virtual connection
30	The virtual connection has ended.
31	The user exited normally from an Rlogin session
32	The user selected an invalid Rlogin option.
33	The MAX has insufficient resources for the terminal server session.
These codes concern PPP connections.
40	PPP LCP negotiation timed out while waiting for a response from a peer.
41	There was a failure to converge on PPP LCP negotiations.
42	PPP PAP authentication failed.
43	PPP CHAP authentication failed.
44	Authentication failed from the remote server.
45	The peer sent a PPP Terminate Request.
46	LCP got a close request from the upper layer while LCP was in an open state.
47	LCP closed because no NCPs were open.
48	LCP closed because it could not determine to which MP bundle it should add the user.
49	LCP closed because the MAX could not add any more channels to an MP session.
These codes are related to immediate Telnet and raw TCP disconnects, and contain more specific information than the Telnet and TCP codes listed earlier in this table.
50	The Raw TCP or Telnet internal session tables are full.
51	Internal resources are full.
52	The IP address for the Telnet host is invalid.
53	The MAX could not resolve the hostname.
54	The MAX detected a bad or missing port number.
The TCP stack can return these disconnect codes during an immediate Telnet or raw TCP session.
60	The host reset the TCP connection.
61	The host refused the TCP connection.
62	The TCP connection timed out.
63	A foreign host closed the TCP connection.
64	The TCP network was unreachable.
65	The TCP host was unreachable.
66	The TCP network was administratively unreachable.
67	The TCP host was administratively unreachable.
68	The TCP port was unreachable.
These are additional disconnect codes.
100	The session timed out because there was no activity on a PPP link.
101	The session failed for security reasons.
102	The session ended for callback.
120	One end refused the call because the protocol was disabled or unsupported.
150	RADIUS requested the disconnect.
160	The allowed retries for V.110 synchronization have been exceeded.
170	PPP authentication has timed out.
180	The call disconnected as the result of a local hangup.
185	The call disconnected because the remote end hung up.
190	The call disconnected because the T1 line that carried it was quiesced.
195	The call disconnected because the call duration exceeded the maximum amount of time allowed by the Max Call Mins or Max DS0 Mins parameter on the MAX.

techpubs@eng.ascend.com

Troubleshooting

RADIUS authentication problems

General authentication failures

Checking the logfile

Message

Description

RADIUS accounting problems

General accounting failures

Duplicate or deleted records

Backoff queue error message

Understanding V.110 module call status information

Value

Description

Connect progress codes

Code

Explanation

Disconnect progress codes

Code

Description