(RADIATOR) Re: radiusclient-0.3.2

Bon sy bon at bunny.cs.qc.edu
Tue Mar 9 06:11:54 CST 2004


On Tue, 9 Mar 2004, Hugh Irvine wrote:

> 
> Hello Bon -
> 
> What does ethereal show on the radlogin host?

Ethereal showed no RADIUS protocol activity, only the TCP traffic from the
machine I used to remotely access the radiusclient machine.

> 
> Does radlogin have a debug mode?
> 

Unfortunately there is no debug mode as shown below:

# radlogin -help
Usage: radlogin [-Vhnd] [-f <config_file>] [-i <client_port>] [-m <login_tries>]

  -V            output version information
  -h            output this text
  -n            don't display issue file
  -f            filename of alternate config file
  -i            ttyname to send to the server
  -m            maximum login tries (overrides value in config file)


> I suspect you may be sending to a different port number and/or IP 
> address than the one Radiator is listening on.

I have added the 1645 and 1646 to the /etc/services. No filtering rules in
iptables. 

Below are the radius.login and radiusclient.conf configuration files. I
just noticed that the "server" file containing the shared secret did not
get copied to the proper location during "make install". This is now
fixed and I still have problems, so I suspect there is more to it than
that. For example, in the radius.login file, there is a line:

my $path_portinfo         = "/var/ipoint/acct/portinfo"; 

But I do not have the file "portinfo" and there is no documentation on
what should be in there. I guess that is where to specify the port number,
which I would enter as 1645/1646. This is then used later in the Perl
script in the same file:

tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);

I could not find sufficient information to understand what the above
statement is really doing, other than creating a binding of a variable to
a class name that implements the variable.

#!/usr/bin/perl
#
# login program to invoke PPP.
# RADIUS accounting is NOT handled by this; it is handled by /etc/ppp/
# ip-up and ip-down which are invoked when the TCP/IP connection is up.

# version 0.1   November 5 1996
# clean up the code, minor features.

# version 0.02  May 8 1996
#
# start implementing other types of logins, not only Framed.
# Also honor static IP addresses.
#
# version 0.01  April 1 1996
#
# - ignore RADIUS server requests for Framed-User, just
#   do PPP.  Later, this should be honored.  For now,
#   just use RADIUS for authentication; it's much simpler.
#   Always use dynamic addresses.
#

use strict;
use GDBM_File;

#### CONFIGURATION SECTION
##################################################

# Local IP address for the PPP connection.
#my $ip_address_local = "203.176.0.3";
my $ip_address_local = "192.168.2.217";

# First IP address for this terminal server, if dynamic addressing
# is requested, or if nothing is specified for Framed-IP-Address.
#my $ip_address_begin = "203.176.0.161"; 
my $ip_address_begin = "192.168.2.11";

# IP translation factor; subtract this value from radclient before adding
# the beginning IP address.
#my $ip_translate_factor = 32;
my $ip_translate_factor = 0;

# Debugging to screen?
my $debug = 1;

# PPP parameters:

# Async map - this one escapes only XON and XOFF characters.
my $asyncmap = "0x000A0000";

# MTU and MRU. 296 is good for interactive performance,
# but larger ones will lead to less overhead for file transfers.
# Maximum is 1500.
my ($mtu, $mru) = (296, 296);

# If we're using proxy ARP, set this to "proxyarp", else leave it blank.
# my $proxyarp = "proxyarp";
my $proxyarp = "";

# Login host for non-framed connections.
# This should only be an IP address, since that's what
# Login-IP-Host should be.
# my $login_host = "203.176.0.4"; # marikit.iphil.net
my $login_host = "192.168.2.218";

# Programs and files.
my $prog_pppd     = "/usr/sbin/pppd";
#my $prog_radacct  = "/usr/local/lib/radiusclient/radacct";
my $prog_radacct   = "/usr/local/sbin/radacct";
my $prog_rlogin   = "/usr/bin/rlogin";
#my $prog_telnet   = "/bin/telnet";
my $prog_telnet   = "/usr/bin/telnet";
#my $prog_tcpclear = "/bin/telnet -e ''";
my $prog_tcpclear = "/usr/bin/telnet -e ''";
my $prog_tty      = "/usr/bin/tty";
my $prog_who      = "/usr/bin/who";

my $path_portinfo         = "/var/ipoint/acct/portinfo";
#my $path_radiusclient_map = "/etc/radclient/port-id-map";
my $path_radiusclient_map = "/usr/local/etc/radiusclient/port-id-map";
  
#############################################################################

# Main program.

print "Starting.\n" if ($debug);

# Run 'who am i' to determine the current port.
my $port = `$prog_tty`;
chomp ($port);

# Translate port numbers to numbers for RADIUS.
# This translation is done again by radacct, but it may be useful here.
# Remove if CPU time is a problem.

my ($portid, $line);
open (H, $path_radiusclient_map);
while (($line = <H>) && (!$portid))
{
    my @info = split (/\s+/, $line);
    $portid = $info[1] if ($info[0] eq $port);
}
close (H);

if ($debug)
{
    # Print out all the RADIUS variables.
    my @el = grep (/^RADIUS/, keys (%ENV));
    my $e;
    foreach $e (@el)
    {
        print "$e = " . $ENV{$e} . "\n";
    }
}

# If the service type is Framed, then give them PPP.
# SLIP is not implemented (and will probably never be).

my $username = $ENV{"RADIUS_USER_NAME"};

# Generate a "unique" string for the session ID.
my $sessionid = "$$" . time ();

if ($ENV{"RADIUS_SERVICE_TYPE"} =~ /^Framed$/)
{
   
# Use the specified IP address, or generate one if none is specified,
# or a dynamic one requested.  Or, let the user negotiate the address.

    my $ip_address = $ENV{"RADIUS_FRAMED_IP_ADDRESS"};

    if (!$ip_address || ($ip_address eq "255.255.255.254"))
    {
        my @ipn = split (/\./, $ip_address_begin);
        $ipn[3] += $portid - $ip_translate_factor;
        $ip_address = join ('.', @ipn);

        if ($debug)
        {
            print "port: $port\n";
            print "portid: $portid\n";
            print "ip_translate_factor: $ip_translate_factor\n";
            print "ip_address: $ip_address\n";
            print "mru: $mru\n";
        }

    }
    elsif ($ip_address eq "255.255.255.255")
    {
        # Clear it out so that pppd will let the remote end specify the
        # IP address.
        $ip_address = "";
    }

    # Override the specified MTU.
    $mtu = $ENV{"RADIUS_FRAMED_MTU"} if $ENV{"RADIUS_FRAMED_MTU"};

    # If no compression is specified, turn it off.
    my $compress;
    if (!$ENV{"RADIUS_FRAMED_COMPRESSION"})
    {
        $compress = "-vj";
    }

# Fix up the parameters to be passed to ip-up.  Include Framed-Route.
# Escape spaces with %20's.

    # Split up the framed route into multiple parts.
    # Separate the different given routes with bars.
    my $routelist = join ("@", map {$ENV{$_}}
                             grep {/^RADIUS_FRAMED_ROUTE/} keys (%ENV)
                            );
    $routelist =~ s/ /%20/g;

    my $param = join (':', $sessionid, $username, $port, $portid,
                      $ENV{"RADIUS_SESSION_TIMEOUT"}, $routelist);
                      
# Run pppd through exec, so that it grabs hold of the terminal
# and catches disconnections.

    # Portmaster-style prompt.
    if ($ENV{"RADIUS_SESSION_TIMEOUT"})
    {
        print "Session timeout: " . $ENV{"RADIUS_SESSION_TIMEOUT"} .
            " seconds.\n";
    }
    print "PPP session from ($ip_address_local) to $ip_address beginning....";
    my $pppdcmd =
        "$prog_pppd $ip_address_local:$ip_address modem crtscts " .
        "asyncmap $asyncmap lock -detach $compress " .
        "ipparam $param mtu $mtu mru $mru $proxyarp";

    exec ($pppdcmd);
}
elsif ($ENV{"RADIUS_SERVICE_TYPE"} =~ /Login/)
{
    # Warning:  This code has not been tested as well as the PPP version,
    # as of now (19961107).

    # Determine what host to connect to.
    if (($ENV{"RADIUS_LOGIN_IP_HOST"} eq "0.0.0.0") ||
        !defined ($ENV{"RADIUS_LOGIN_IP_HOST"}))
    {
        # Do nothing, it's already specified above in the config section.
    }
    elsif ($ENV{"RADIUS_LOGIN_IP_HOST"} eq "255.255.255.255")
    {
        # The user should be able to choose.  Prompt the user.
        print "Host to connect to?  ";
        $login_host = <STDIN>;
        chomp ($login_host);
    }
    else
    {
        # Use what's specified by the RADIUS server.
        $login_host = $ENV{"RADIUS_LOGIN_IP_HOST"};
    }
    
    # Log into a host.  Default to telnet.  Do the accounting
    # now, since the target of the login wouldn't know how to
    # account for it.

    # Start accounting.  Send the record.
    open  (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");

    my $login_service = $ENV{"RADIUS_LOGIN_SERVICE"};

    my $cmd =
        "Acct-Session-ID = \"$sessionid\"\n" .
        "User-Name = \"$username\"\n" .
        "Acct-Status-Type = Start\n" .
        "Acct-Authentic = RADIUS\n" .
        "Service-Type = Login\n" .
        "Login-Service = " . $login_service . "\n" .
        "Login-IP-Host = $login_host\n";

    print H $cmd;
    close (H);

    # Time.
    my $timestart = time ();

    # What protocol are we running?
    my ($prog_run, $login_port);

    if ($login_service eq "Rlogin")
    {
        $prog_run = $prog_rlogin;
    }
    elsif ($login_service eq "Telnet")
    {
        $prog_run = $prog_telnet;
        $login_port = $ENV{"RADIUS_LOGIN_PORT"};
    }
    elsif ($login_service eq "TCP-Clear")
    {
        $prog_run = $prog_tcpclear;
        $login_port = $ENV{"RADIUS_LOGIN_PORT"};
    }

    # Store the user information into portinfo.  We need to
    # manually fork, since we have to know the PID of the program.

    my $pid = fork ();
    if ($pid == 0)
    {
        # Child.  Run the program.
        # print "Connecting to $login_host:\n";
        my $cmd = "$prog_run $login_host $login_port";
        exec ("$cmd");
    }
    else
    {
        # Parent.  
        # Create the portinfo record, which needs the pid of the program
        # to kill.
        # The IP address is all zero, as it is not applicable here.
        # Store the time now, and the Session-Timeout.

        my %db_portinfo;

        tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
        $db_portinfo{$portid} =
            join (':', $username, "Login/$login_service",
                  "0.0.0.0", $pid, $timestart,
                  $ENV{"RADIUS_SESSION_TIMEOUT"});
        untie (%db_portinfo);
        # Wait for the session to finish.
        waitpid ($pid, 0);
    }
    # Stop.  Send the record.
    open  (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");

    my $timespent = time () - $timestart;

    # Reuse the $cmd declared for the Start record above; a second "my"
    # in the same scope would only mask it under "use strict".
    $cmd =
        "Acct-Session-ID = \"$sessionid\"\n" .
        "User-Name = \"$username\"\n" .
        "Acct-Status-Type = Stop\n" .
        "Acct-Authentic = RADIUS\n" .
        "Service-Type = Login\n" .
        "Login-Service = " . $login_service . "\n" .
        "Login-IP-Host = $login_host\n" .
        "Acct-Session-Time = $timespent\n";

    print H $cmd;
    close (H);

    # Remove the record from portinfo.
    my %db_portinfo;
    tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
    delete $db_portinfo{$portid};
    untie (%db_portinfo);
}

### END ####


###### radiusclient.conf ###########

[bonnet18 radiusclient]# more radiusclient.conf
# General settings

# specify which authentication comes first respectively which
# authentication is used. possible values are: "radius" and "local".
# if you specify "radius,local" then the RADIUS server is asked
# first then the local one. if only one keyword is specified only
# this server is asked.
auth_order      radius,local

# maximum login tries a user has
login_tries     4

# timeout for all login tries
# if this time is exceeded the user is kicked out
login_timeout   60

# name of the nologin file which when it exists disables logins.
# it may be extended by the ttyname which will result in
# a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
# logins on /dev/ttyS2)
nologin /etc/nologin

# name of the issue file. it's only displayed when no username is passed
# on the radlogin command line
issue   /usr/local/etc/radiusclient/issue

# RADIUS settings

# RADIUS server to use for authentication requests. this config
# item can appear more than one time. if multiple servers are
# defined they are tried in a round robin fashion if one
# server is not answering.
# optionally you can specify the port number on which the remote
# RADIUS server listens, separated by a colon from the hostname. if
# no port is specified /etc/services is consulted for the radius
# service. if this fails as well, a compiled in default is used.
#authserver     localhost
authserver      192.168.2.254

# RADIUS server to use for accounting requests. All that I
# said for authserver applies, too.
#
#acctserver     localhost
acctserver      192.168.2.254

# file holding shared secrets used for the communication
# between the RADIUS client and server
servers         /usr/local/etc/radiusclient/servers

# dictionary of allowed attributes and values
# just like in the normal RADIUS distributions
dictionary      /usr/local/etc/radiusclient/dictionary

# program to call for a RADIUS authenticated login
login_radius    /usr/local/sbin/login.radius

# file which holds sequence number for communication with the
# RADIUS server
seqfile         /var/run/radius.seq

# file which specifies mapping between ttyname and NAS-Port attribute
mapfile         /usr/local/etc/radiusclient/port-id-map

# default authentication realm to append to all usernames if no
# realm was explicitly specified by the user
# the radiusd directly from Livingston doesn't use any realms, so leave
# it blank then
default_realm

# time to wait for a reply from the RADIUS server
radius_timeout  10

# resend request this many times before trying the next server
radius_retries  3

# LOCAL settings

# program to execute for local login
# it must support the -f flag for preauthenticated login
login_local     /bin/login

> 
> regards
> 
> Hugh
> 
> 
> On 9 Mar 2004, at 10:21, Bon sy wrote:
> 
> > Hi,
> > 	I wonder if anyone in the list or Hugh/Mike has tried using
> > radiusclient-0.3.2 to talk to Radiator.
> >
> > 	I have made all the appropriate changes necessary (such as the
> > server file for shared secret, radiusclient.conf, login.radius). The
> > installation process went through without any complaint.
> >
> > 	But when I use the radlogin (part of the radiusclient-0.3.2), it
> > does not seem to have any request getting to radiator from
> > radiusclient. The Ethereal log did not show packets being sent over to
> > the radiator either. This suggests the problem is on the radiusclient
> > side, but I could not tell what's wrong. Below is the response from the
> > radlogin utility:
> >
> > [bonnet28 /]# radlogin
> > ($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
> > -----------------------------------------------------
> > Linux 2.4.20-8 (bonnet28) (port 0)
> > -----------------------------------------------------
> >
> > login: test
> > Password:
> > RADIUS: /dev/pts/0local: Authentication failure
> >
> > 	Please advise if anyone has any insight into this problem. Thanks
> > in advance!
> >
> > Bon
> >
> >
> 
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
> 
> -- 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
> 
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
> 
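To make the port-id-map and portinfo handling in the login.radius script above concrete, here is an added example (not code from radiusclient or from the poster) that mirrors it in Python, using the standard dbm module in place of GDBM_File. The tty-to-NAS-Port map, the pool address and the session values are constructed for the example.

```python
import dbm
import ipaddress
import os
import tempfile

# Constructed port-id-map in the radiusclient format: "<ttyname> <NAS-Port>".
PORT_ID_MAP = "/dev/ttyS0  1\n/dev/ttyS1  2\n/dev/pts/0  7\n"

def lookup_portid(port_map_text, tty):
    """First matching ttyname wins, like the while loop in login.radius."""
    for line in port_map_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == tty:
            return int(fields[1])
    return None  # login.radius leaves $portid undef in this case

def dynamic_ip(ip_begin, portid, translate_factor=0):
    """login.radius adds (portid - factor) to the last octet as a bare number,
    so portid 300 gives the non-address 192.168.2.311; this version refuses it."""
    base = ipaddress.IPv4Address(ip_begin)
    offset = portid - translate_factor
    if not 0 <= offset <= 255 - (int(base) & 0xFF):
        raise ValueError(f"portid {portid} is outside the pool at {ip_begin}")
    return str(base + offset)

def write_portinfo(path, portid, user, service, pid, start, timeout=""):
    """Like tie(... GDBM_WRCREAT, 0600): the DB is created on first use, so the
    file need not exist. Fields are ':'-joined, so a ':' in one would corrupt it."""
    fields = [user, service, "0.0.0.0", pid, start, timeout]
    if any(":" in str(f) for f in fields):
        raise ValueError("portinfo fields must not contain ':'")
    with dbm.open(path, "c", 0o600) as db:
        db[str(portid)] = ":".join(map(str, fields))

def read_portinfo(path, portid):
    """Return the session record as a dict, or None if the port is idle."""
    with dbm.open(path, "c", 0o600) as db:
        if str(portid) not in db:
            return None
        user, service, ip, pid, start, timeout = db[str(portid)].decode().split(":")
    return {"user": user, "service": service, "ip": ip, "pid": int(pid),
            "start": int(start), "timeout": timeout}

def demo():
    # Walk one Login-service session the way login.radius does.
    portid = lookup_portid(PORT_ID_MAP, "/dev/pts/0")
    path = os.path.join(tempfile.mkdtemp(), "portinfo")
    write_portinfo(path, portid, "test", "Login/Telnet", 4242, 1078814400)
    return portid, dynamic_ip("192.168.2.11", portid), read_portinfo(path, portid)
```

Because the tie() call in the script uses GDBM_WRCREAT, the portinfo database is created on first use and holds one live-session record per NAS port; it is not where the RADIUS port numbers are set, those come from the authserver/acctserver entries (host:port) or /etc/services as the radiusclient.conf comments describe.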
