[nsp] AS5300 error resolving radius server - denies access - improper reverse dns?

From: Dave VanAuken (dave@hawk-systems.com)
Date: Mon May 28 2001 - 14:50:54 EDT


want to ensure that we've correctly identified the cause for a radius
authentication problem.

Info
----
access server on ip .5
radius server on machine 1 ip .10
dns1 server on machine 1 ip .6
dns2 server on machine 2 ip .7

the access server has the radius server identified by IP address.

it will function fine, performing authentication against the radius database, but then time out for minutes or longer, unable to access the radius server.

source of the problem?
----------------------
Sprint incorrectly delegated the ip block to us, listing our two name servers as the authoritative servers for this block, ALONG WITH another name server which has NO information about our IP block but is listed as the third authority for it.

Theory
------
- AS5300 performed reverse DNS on the ip address for the radius server, randomly, or cycling through the available 3 "authoritative" servers
- it hits dns1 or dns2 and correctly identifies them as who they are and keeps these records for a period of time before verifying reverse DNS again.
- it occasionally hits the third "authoritative" server which has no information on the domain name or ip block, and doesn't respond for a period of time before trying to resolve the reverse dns again, hopefully getting an actual name server the next time
- if it gets an actual name server, the problem clears; if it doesn't and hits the third dumb server again, it again refuses to blindly authenticate against the radius server until the next successful check against an authoritative name server...

does this track as a potential cause and circumstance for the apparent random and non-terminal loss of communication between the NAS and the radius server?

feedback appreciated

Dave
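A way to check the delegation theory directly, as an added example that is not part of the original post: it sends a PTR query for the RADIUS server's address straight to each name server listed in the in-addr.arpa delegation and reports which ones answer authoritatively, which answer lame (no AA bit, or REFUSED) and which never answer. The addresses in the `__main__` block are placeholders, since the post only gives the last octets.

```python
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234          # fixed transaction id so replies can be matched

def reverse_name(ip):
    """Build the in-addr.arpa name for an IPv4 address."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def build_query(name, qtype, txid=TXID):
    """Encode a minimal non-recursive DNS query (RD clear) in wire format."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN

def classify_response(resp, txid=TXID):
    """Judge a reply from its header only: a server that is really
    authoritative sets AA (NOERROR or NXDOMAIN); anything else is lame."""
    if len(resp) < 12:
        return "error: truncated reply"
    rid, flags = struct.unpack("!HH", resp[:4])
    if rid != txid:
        return "error: transaction id mismatch"
    aa = bool(flags & 0x0400)
    rcode = RCODES.get(flags & 0x000F, str(flags & 0x000F))
    if aa and rcode in ("NOERROR", "NXDOMAIN"):
        return "authoritative " + rcode
    return "lame " + rcode

def check_reverse_delegation(ip, servers, timeout=3.0):
    """Query each listed server directly for the PTR of ip (UDP port 53)."""
    query = build_query(reverse_name(ip), 12)        # qtype 12 = PTR
    results = {}
    for server in servers:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
            results[server] = classify_response(data)
        except socket.timeout:
            results[server] = "timeout (no reply)"   # the stall the NAS would see
        finally:
            sock.close()
    return results

if __name__ == "__main__":
    # Placeholder addresses (RFC 5737 ranges): substitute the RADIUS host and
    # the three servers named in the delegation.
    for srv, verdict in check_reverse_delegation(
            "192.0.2.10", ["192.0.2.6", "192.0.2.7", "198.51.100.1"]).items():
        print(srv, verdict)
```

A server answering "lame" or "timeout" for the in-addr.arpa name of the RADIUS host is the one to have removed from the delegation.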



This archive was generated by hypermail 2b29 : Sun Aug 04 2002 - 04:12:39 EDT