(RADIATOR) Re: radiusclient-0.3.2
Bon sy
bon at bunny.cs.qc.edu
Tue Mar 9 06:11:54 CST 2004
On Tue, 9 Mar 2004, Hugh Irvine wrote:
>
> Hello Bon -
>
> What does ethereal show on the radlogin host?
Ethereal showed no RADIUS protocol activity, only TCP from the
machine I used to remotely access the radiusclient machine.
>
> Does radlogin have a debug mode?
>
Unfortunately there is no debug mode, as shown below:
# radlogin -help
Usage: radlogin [-Vhnd] [-f <config_file>] [-i <client_port>] [-m <login_tries>]
-V output version information
-h output this text
-n don't display issue file
-f filename of alternate config file
-i ttyname to send to the server
-m maximum login tries (overrides value in config file)
> I suspect you may be sending to a different port number and/or IP
> address than the one Radiator is listening on.
I have added 1645 and 1646 to /etc/services. There are no filtering rules in
iptables.
Below are the radius.login and radiusclient.conf configuration files. I
just noticed that the "server" file containing the shared secret did not
get copied to the proper location during "make install". This is
fixed and I still have problems. I suspect there is more to it than
that. For example, in the radius.login file, there is
a line:
my $path_portinfo = "/var/ipoint/acct/portinfo";
But I do not have the file "portinfo" and there is no documentation on
what should be in there. I guess that is where to specify the port number,
which I enter as 1645/1646. This is then later used in the subsequent Perl
script in the same file:
tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
I could not find sufficient information to understand what the
above statement is really doing, other than creating a binding of a variable
to a classname that implements the variable.
#!/usr/bin/perl
#
# login program to invoke PPP.
# RADIUS accounting is NOT handled by this; it is handled by /etc/ppp/
# ip-up and ip-down which are invoked when the TCP/IP connection is up.
# version 0.1 November 5 1996
# clean up the code, minor features.
# version 0.02 May 8 1996
#
# start implementing other types of logins, not only Framed.
# Also honor static IP addresses.
#
# version 0.01 April 1 1996
#
# - ignore RADIUS server requests for Framed-User, just
# do PPP. Later, this should be honored. For now,
# just use RADIUS for authentication; it's much simpler.
# Always use dynamic addresses.
#
use strict;
use GDBM_File;
#### CONFIGURATION SECTION
##################################################
# Local IP address for the PPP connection.
#my $ip_address_local = "203.176.0.3";
my $ip_address_local = "192.168.2.217";
# First IP address for this terminal server, if dynamic addressing
# is requested, or if nothing is specified for Framed-IP-Address.
#my $ip_address_begin = "203.176.0.161";
my $ip_address_begin = "192.168.2.11";
# IP translation factor; subtract this value from radclient before adding
# the beginning IP address.
#my $ip_translate_factor = 32;
my $ip_translate_factor = 0;
# Debugging to screen?
my $debug = 1;
# PPP parameters:
# Async map - this one escapes only XON and XOFF characters.
my $asyncmap = "0x000A0000";
# MTU and MRU. 296 is good for interactive performance,
# but larger ones will lead to less overhead for file transfers.
# Maximum is 1500.
my ($mtu, $mru) = (296, 296);
# If we're using proxy ARP, set this to "proxyarp", else leave it blank.
# my $proxyarp = "proxyarp";
my $proxyarp = "";
# Login host for non-framed connections.
# This should only be an IP address, since that's what
# Login-IP-Host should be.
# my $login_host = "203.176.0.4"; # marikit.iphil.net
my $login_host = "192.168.2.218";
# Programs and files.
my $prog_pppd = "/usr/sbin/pppd";
#my $prog_radacct = "/usr/local/lib/radiusclient/radacct";
my $prog_radacct = "/usr/local/sbin/radacct";
my $prog_rlogin = "/usr/bin/rlogin";
#my $prog_telnet = "/bin/telnet";
my $prog_telnet = "/usr/bin/telnet";
#my $prog_tcpclear = "/bin/telnet -e ''";
my $prog_tcpclear = "/usr/bin/telnet -e ''";
my $prog_tty = "/usr/bin/tty";
my $prog_who = "/usr/bin/who";
my $path_portinfo = "/var/ipoint/acct/portinfo";
#my $path_radiusclient_map = "/etc/radclient/port-id-map";
my $path_radiusclient_map = "/usr/local/etc/radiusclient/port-id-map";
#############################################################################
# Main program.
print "Starting.\n" if ($debug);

# Run 'tty' to determine the current port.
my $port = `$prog_tty`;
chomp ($port);

# Translate port numbers to numbers for RADIUS.
# This translation is done again by radacct, but it may be useful here.
# Remove if CPU time is a problem.
# Note: the open is not checked; if the map file cannot be read, $portid
# stays undefined and the dynamic IP address below is computed from it.
my ($portid, $line);
open (H, $path_radiusclient_map);
while (($line = <H>) && (!$portid))
{
    my @info = split (/\s+/, $line);
    $portid = $info[1] if ($info[0] eq $port);
}
close (H);

if ($debug)
{
    # Print out all the RADIUS variables.
    my @el = grep (/^RADIUS/, keys (%ENV));
    my $e;
    foreach $e (@el)
    {
        print "$e = " . $ENV{$e} . "\n";
    }
}

# If the service type is Framed, then give them PPP.
# SLIP is not implemented (and will probably never be).
my $username = $ENV{"RADIUS_USER_NAME"};

# Generate a "unique" string for the session ID.
my $sessionid = "$$" . time ();

if ($ENV{"RADIUS_SERVICE_TYPE"} =~ /^Framed$/)
{
    # Use the specified IP address, or generate one if none is specified,
    # or a dynamic one requested. Or, let the user negotiate the address.
    my $ip_address = $ENV{"RADIUS_FRAMED_IP_ADDRESS"};
    if (!$ip_address || ($ip_address eq "255.255.255.254"))
    {
        my @ipn = split (/\./, $ip_address_begin);
        $ipn[3] += $portid - $ip_translate_factor;
        $ip_address = join ('.', @ipn);
        if ($debug)
        {
            print "port: $port\n";
            print "portid: $portid\n";
            print "ip_translate_factor: $ip_translate_factor\n";
            print "ip_address: $ip_address\n";
            print "mru: $mru\n";
        }
    }
    elsif ($ip_address eq "255.255.255.255")
    {
        # Clear it out so that pppd will let the remote end specify the
        # IP address.
        $ip_address = "";
    }

    # Override the specified MTU.
    $mtu = $ENV{"RADIUS_FRAMED_MTU"} if $ENV{"RADIUS_FRAMED_MTU"};

    # If no compression is specified, turn it off.
    my $compress;
    if (!$ENV{"RADIUS_FRAMED_COMPRESSION"})
    {
        $compress = "-vj";
    }

    # Fix up the parameters to be passed to ip-up. Include Framed-Route.
    # Escape spaces with %20's.
    # Split up the framed route into multiple parts.
    # Separate the different given routes with bars.
    my $routelist = join ("@", map {$ENV{$_}}
                          grep {/^RADIUS_FRAMED_ROUTE/} keys (%ENV)
                         );
    $routelist =~ s/ /%20/g;
    my $param = join (':', $sessionid, $username, $port, $portid,
                      $ENV{"RADIUS_SESSION_TIMEOUT"}, $routelist);

    # Run pppd through exec, so that it grabs hold of the terminal
    # and catches disconnections.
    # Portmaster-style prompt.
    if ($ENV{"RADIUS_SESSION_TIMEOUT"})
    {
        print "Session timeout: " . $ENV{"RADIUS_SESSION_TIMEOUT"} .
              " seconds.\n";
    }
    print "PPP session from ($ip_address_local) to $ip_address beginning....";
    my $pppdcmd =
        "$prog_pppd $ip_address_local:$ip_address modem crtscts " .
        "asyncmap $asyncmap lock -detach $compress " .
        "ipparam $param mtu $mtu mru $mru $proxyarp";
    exec ($pppdcmd);
}
elsif ($ENV{"RADIUS_SERVICE_TYPE"} =~ /Login/)
{
    # Warning: This code has not been tested as well as the PPP version,
    # as of now (19961107).

    # Determine what host to connect to.
    if (($ENV{"RADIUS_LOGIN_IP_HOST"} eq "0.0.0.0") ||
        !defined ($ENV{"RADIUS_LOGIN_IP_HOST"}))
    {
        # Do nothing, it's already specified above in the config section.
    }
    elsif ($ENV{"RADIUS_LOGIN_IP_HOST"} eq "255.255.255.255")
    {
        # The user should be able to choose. Prompt the user.
        print "Host to connect to? ";
        $login_host = <STDIN>;
        chomp ($login_host);
    }
    else
    {
        # Use what's specified by the RADIUS server.
        $login_host = $ENV{"RADIUS_LOGIN_IP_HOST"};
    }

    # Log into a host. Default to telnet. Do the accounting
    # now, since the target of the login wouldn't know how to
    # account for it.

    # Start accounting. Send the record.
    open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
    my $login_service = $ENV{"RADIUS_LOGIN_SERVICE"};
    my $cmd =
        "Acct-Session-ID = \"$sessionid\"\n" .
        "User-Name = \"$username\"\n" .
        "Acct-Status-Type = Start\n" .
        "Acct-Authentic = RADIUS\n" .
        "Service-Type = Login\n" .
        "Login-Service = " . $login_service . "\n" .
        "Login-IP-Host = $login_host\n";
    print H $cmd;
    close (H);

    # Time.
    my $timestart = time ();

    # What protocol are we running?
    my ($prog_run, $login_port);
    if ($login_service eq "Rlogin")
    {
        $prog_run = $prog_rlogin;
    }
    elsif ($login_service eq "Telnet")
    {
        $prog_run = $prog_telnet;
        $login_port = $ENV{"RADIUS_LOGIN_PORT"};
    }
    elsif ($login_service eq "TCP-Clear")
    {
        $prog_run = $prog_tcpclear;
        $login_port = $ENV{"RADIUS_LOGIN_PORT"};
    }

    # Store the user information into portinfo. We need to
    # manually fork, since we have to know the PID of the program.
    my $pid = fork ();
    if ($pid == 0)
    {
        # Child. Run the program.
        # print "Connecting to $login_host:\n";
        my $cmd = "$prog_run $login_host $login_port";
        exec ("$cmd");
    }
    else
    {
        # Parent.
        # Create the portinfo record, which needs the pid of the program
        # to kill.
        # The IP address is all zero, as it is not applicable here.
        # Store the time now, and the Session-Timeout.
        # tie() binds the hash to the GDBM database file at $path_portinfo;
        # GDBM_WRCREAT creates the file (mode 0600) if it does not exist yet,
        # and every store/fetch/delete on the hash goes straight to disk.
        my %db_portinfo;
        tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT,
             0600);
        $db_portinfo{$portid} =
            join (':', $username, "Login/$login_service",
                  "0.0.0.0", $pid, $timestart,
                  $ENV{"RADIUS_SESSION_TIMEOUT"});
        untie (%db_portinfo);

        # Wait for the session to finish.
        waitpid ($pid, 0);
    }

    # Stop. Send the record.
    open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
    my $timespent = time () - $timestart;
    my $cmd =
        "Acct-Session-ID = \"$sessionid\"\n" .
        "User-Name = \"$username\"\n" .
        "Acct-Status-Type = Stop\n" .
        "Acct-Authentic = RADIUS\n" .
        "Service-Type = Login\n" .
        "Login-Service = " . $login_service . "\n" .
        "Login-IP-Host = $login_host\n" .
        "Acct-Session-Time = $timespent\n";
    print H $cmd;
    close (H);

    # Remove the record from portinfo.
    my %db_portinfo;
    tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
    delete $db_portinfo{$portid};
    untie (%db_portinfo);
}
### END ####
###### radiusclient.conf ###########
[bonnet18 radiusclient]# more radiusclient.conf
# General settings

# specify which authentication comes first, respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first, then the local one. if only one keyword is specified only
# this server is asked.
auth_order radius,local

# maximum login tries a user has
login_tries 4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout 60

# name of the nologin file which, when it exists, disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue /usr/local/etc/radiusclient/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails also a compiled in default is used.
#authserver localhost
authserver 192.168.2.254

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
#acctserver localhost
acctserver 192.168.2.254

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers /usr/local/etc/radiusclient/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary /usr/local/etc/radiusclient/dictionary

# program to call for a RADIUS authenticated login
login_radius /usr/local/sbin/login.radius

# file which holds the sequence number for communication with the
# RADIUS server
seqfile /var/run/radius.seq

# file which specifies the mapping between ttyname and NAS-Port attribute
mapfile /usr/local/etc/radiusclient/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout 10

# resend request this many times before trying the next server
radius_retries 3

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local /bin/login
>
> regards
>
> Hugh
>
>
> On 9 Mar 2004, at 10:21, Bon sy wrote:
>
> > Hi,
> > I wonder if anyone in the list or Hugh/Mike has tried using
> > radiusclient-0.3.2 to talk to Radiator.
> >
> > I have made all the appropriate changes necessary (such as the
> > server file for shared secret, radiusclient.conf, login.radius). The
> > installation process went through without any complaint.
> >
> > But when I use the radlogin (part of the radiusclient-0.3.2), it
> > does not seem to have any request getting to Radiator from
> > radiusclient. The Ethereal log did not show packets being sent over to the
> > Radiator either. This suggests the problem is on the radiusclient side.
> > But I
> > could not tell what's wrong. Below is the response from the radlogin
> > utility:
> >
> > [bonnet28 /]# radlogin
> > ($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
> > -----------------------------------------------------
> > Linux 2.4.20-8 (bonnet28) (port 0)
> > -----------------------------------------------------
> >
> > login: test
> > Password:
> > RADIUS: /dev/pts/0local: Authentication failure
> >
> > Please advise if anyone has any insight into this problem. Thanks
> > in advance!
> >
> > Bon
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
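As an added example (not from login.radius or from radiusclient), the following shows what the tie() call in login.radius above does with the portinfo database: a temporary directory stands in for /var/ipoint/acct and every record value is constructed.

```perl
# Added example (not from login.radius or radiusclient): what the tie() call
# in login.radius does with the portinfo database. A temporary directory
# stands in for /var/ipoint/acct and all record values are constructed.
use strict;
use warnings;
use GDBM_File;
use File::Temp qw(tempdir);

my $dir           = tempdir(CLEANUP => 1);
my $path_portinfo = "$dir/portinfo";

# GDBM_WRCREAT opens the database read/write and creates the file (mode 0600)
# if it is missing, so nobody has to write portinfo by hand. It does not
# create missing parent directories: then tie fails and the hash stays unbound.
my %nowhere;
tie(%nowhere, "GDBM_File", "$dir/no-such-dir/portinfo", GDBM_WRCREAT, 0600)
    or print "tie failed for a missing directory: $!\n";

# Normal case: every store, fetch or delete on %db_portinfo now hits the file.
my %db_portinfo;
tie(%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600)
    or die "Cannot tie $path_portinfo: $!";

# Same record layout login.radius stores under the NAS-Port number: user,
# service, IP address, pid, start time and Session-Timeout, joined with ':'.
my $portid = 3;
$db_portinfo{$portid} = join(':', "test", "Login/Telnet", "0.0.0.0", 4242, time(), 3600);
untie(%db_portinfo);

# A separate process (an idle-timeout checker, or ip-down) can reopen the file
# later and get the fields back, including the pid it would need to kill.
my %again;
tie(%again, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600) or die "Cannot tie: $!";
my ($user, $service, $ip, $pid, $start, $timeout) = split(/:/, $again{$portid});
printf "port %d: user=%s service=%s ip=%s pid=%d started=%d timeout=%d\n",
    $portid, $user, $service, $ip, $pid, $start, $timeout;
delete $again{$portid};    # what login.radius does when the session ends
print "records left: ", scalar(keys %again), "\n";
untie(%again);
```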
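As an added diagnostic (not radiusclient's or Radiator's code), the following script hand-builds one RADIUS Access-Request for the authserver and port in the radiusclient.conf above, so that a capture on the client must show UDP to 192.168.2.254:1645 and the reply's Response Authenticator confirms the shared secret. The secret, username, password and NAS-IP-Address are assumed placeholder values.

```perl
# Added diagnostic (not radiusclient's or Radiator's code): hand-build one RADIUS
# Access-Request (RFC 2865, PAP) for the server in the posted radiusclient.conf. A
# capture on this host must then show UDP to 192.168.2.254:1645; the reply checks the secret.
use strict;
use warnings;
use Socket qw(inet_aton); use Digest::MD5 qw(md5);
use IO::Socket::INET;     use IO::Select;

# Assumed values: server/port from the posted config; secret, user and
# password are placeholders to replace with the real ones.
my ($server, $port, $secret) = ("192.168.2.254", 1645, "SECRET-PLACEHOLDER");
my ($user, $pass, $nas_ip)   = ("test", "PASSWORD-PLACEHOLDER", "192.168.2.217");

# User-Password hiding (RFC 2865 5.2): pad to a multiple of 16 bytes and XOR
# each block with MD5(secret . previous block), the first "previous block"
# being the 16-byte Request Authenticator; the secret never goes on the wire.
sub hide_password {
    my ($pw, $sec, $auth) = @_;
    $pw .= "\0" x ((16 - length($pw) % 16) % 16);
    my ($out, $prev) = ("", $auth);
    for my $i (0 .. length($pw) / 16 - 1) {
        $out .= $prev = substr($pw, $i * 16, 16) ^ md5($sec . $prev);
    }
    return $out;
}

# Attribute = Type(1) Length(1, counts the 2 header bytes) Value.
sub attr { my ($t, $v) = @_; return pack("C C", $t, length($v) + 2) . $v }

my $id    = 1;
my $auth  = join "", map { chr(int(rand 256)) } 1 .. 16;  # Request Authenticator (rand is fine for a one-off test)
my $attrs = attr(1, $user)                                # User-Name
          . attr(2, hide_password($pass, $secret, $auth)) # User-Password
          . attr(4, inet_aton($nas_ip))                   # NAS-IP-Address
          . attr(5, pack("N", 0));                        # NAS-Port 0, as radlogin printed
my $req   = pack("C C n", 1, $id, 20 + length($attrs)) . $auth . $attrs;  # Code 1 = Access-Request

my $sock = IO::Socket::INET->new(Proto => "udp", PeerAddr => $server, PeerPort => $port)
    or die "socket: $!";
$sock->send($req) or die "send: $!";
IO::Select->new($sock)->can_read(5)
    or die "no reply in 5s: wrong host/port, a firewall, or the server does not know this client\n";
$sock->recv(my $rep, 4096) // die "recv: $!";

# Response Authenticator = MD5(Code Id Length RequestAuth Attributes Secret);
# a mismatch means the shared secret differs (or the reply was forged).
my ($code, $rid, $len) = unpack("C C n", $rep);
my $want = md5(substr($rep, 0, 4) . $auth . substr($rep, 20, $len - 20) . $secret);
printf "reply code %d (2=Accept 3=Reject 11=Challenge), id %d: authenticator %s\n", $code, $rid,
    substr($rep, 4, 16) eq $want ? "OK, shared secret matches" : "MISMATCH, check the servers file";
```

A reply with a matching authenticator proves host, port and secret are all right, which narrows any remaining failure to radlogin itself.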