(RADIATOR) Re: radiusclient-0.3.2
Hugh Irvine
hugh at open.com.au
Tue Mar 9 14:30:38 CST 2004
Hello Bon -
If you are not seeing any network traffic at all then there is
something seriously broken.
Why don't you just use "radpwtst"?
regards
Hugh
On 9 Mar 2004, at 23:11, Bon sy wrote:
>
> On Tue, 9 Mar 2004, Hugh Irvine wrote:
>
>>
>> Hello Bon -
>>
>> What does ethereal show on the radlogin host?
>
> Ethereal showed no RADIUS protocol activity, only TCP traffic from the
> machine I used to remotely access the radiusclient machine.
>
>>
>> Does radlogin have a debug mode?
>>
>
> Unfortunately there is no debug mode as shown below:
>
> # radlogin -help
> Usage: radlogin [-Vhnd] [-f <config_file>] [-i <client_port>] [-m <login_tries>]
>
> -V output version information
> -h output this text
> -n don't display issue file
> -f filename of alternate config file
> -i ttyname to send to the server
> -m maximum login tries (overrides value in config file)
>
>
>> I suspect you may be sending to a different port number and/or IP
>> address than the one Radiator is listening on.
>
> I have added the 1645 and 1646 to the /etc/services. No filtering rules in
> iptables.
>
> Below are the radius.login and radiusclient.conf configuration files. I
> just noticed that the "server" file containing the shared secret did not
> get copied to the proper location during "make install". This is
> fixed and I still have problems. I suspect there are more than
> that. For example, in the radius.login file, there is a line:
>
> my $path_portinfo = "/var/ipoint/acct/portinfo";
>
> But I do not have the file "portinfo" and there is no documentation on
> what should be in there. I guess that is where to specify the port number,
> which I enter 1645/1646. This is then later used in the subsequent Perl
> script in the same file:
>
> tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
>
> I could not find sufficient information to understand what the
> above statement is really doing other than creating a binding of a variable
> to a classname that implements the variable.
>
> #!/usr/bin/perl
> #
> # login program to invoke PPP.
> # RADIUS accounting is NOT handled by this; it is handled by /etc/ppp/
> # ip-up and ip-down which are invoked when the TCP/IP connection is up.
>
> # version 0.1 November 5 1996
> # clean up the code, minor features.
>
> # version 0.02 May 8 1996
> #
> # start implementing other types of logins, not only Framed.
> # Also honor static IP addresses.
> #
> # version 0.01 April 1 1996
> #
> # - ignore RADIUS server requests for Framed-User, just
> # do PPP. Later, this should be honored. For now,
> # just use RADIUS for authentication; it's much simpler.
> # Always use dynamic addresses.
> #
>
> use strict;
> use GDBM_File;
>
> #### CONFIGURATION SECTION
> ##################################################
>
> # Local IP address for the PPP connection.
> #my $ip_address_local = "203.176.0.3";
> my $ip_address_local = "192.168.2.217";
>
> # First IP address for this terminal server, if dynamic addressing
> # is requested, or if nothing is specified for Framed-IP-Address.
> #my $ip_address_begin = "203.176.0.161";
> my $ip_address_begin = "192.168.2.11";
>
> # IP translation factor; subtract this value from radclient before adding
> # the beginning IP address.
> #my $ip_translate_factor = 32;
> my $ip_translate_factor = 0;
>
> # Debugging to screen?
> my $debug = 1;
>
> # PPP parameters:
>
> # Async map - this one escapes only XON and XOFF characters.
> my $asyncmap = "0x000A0000";
>
> # MTU and MRU. 296 is good for interactive performance,
> # but larger ones will lead to less overhead for file transfers.
> # Maximum is 1500.
> my ($mtu, $mru) = (296, 296);
>
> # If we're using proxy ARP, set this to "proxyarp", else leave it blank.
> # my $proxyarp = "proxyarp";
> my $proxyarp = "";
>
> # Login host for non-framed connections.
> # This should only be an IP address, since that's what
> # Login-IP-Host should be.
> # my $login_host = "203.176.0.4"; # marikit.iphil.net
> my $login_host = "192.168.2.218";
>
> # Programs and files.
> my $prog_pppd = "/usr/sbin/pppd";
> #my $prog_radacct = "/usr/local/lib/radiusclient/radacct";
> my $prog_radacct = "/usr/local/sbin/radacct";
> my $prog_rlogin = "/usr/bin/rlogin";
> #my $prog_telnet = "/bin/telnet";
> my $prog_telnet = "/usr/bin/telnet";
> #my $prog_tcpclear = "/bin/telnet -e ''";
> my $prog_tcpclear = "/usr/bin/telnet -e ''";
> my $prog_tty = "/usr/bin/tty";
> my $prog_who = "/usr/bin/who";
>
> my $path_portinfo = "/var/ipoint/acct/portinfo";
> #my $path_radiusclient_map = "/etc/radclient/port-id-map";
> my $path_radiusclient_map = "/usr/local/etc/radiusclient/port-id-map";
>
> #######################################################################
> ######
>
> # Main program.
>
> print "Starting.\n" if ($debug);
>
> # Run 'who am i' to determine the current port.
> my $port = `$prog_tty`;
> chomp ($port);
>
> # Translate port numbers to numbers for RADIUS.
> # This translation is done again by radacct, but it may be useful here.
> # Remove if CPU time is a problem.
>
> my ($portid, $line);
> open (H, $path_radiusclient_map) || die ("Cannot open $path_radiusclient_map");
> while (($line = <H>) && (!$portid))
> {
> my @info = split (/\s+/, $line);
> $portid = $info[1] if ($info[0] eq $port);
> }
> close (H);
>
> if ($debug)
> {
> # Print out all the RADIUS variables.
> my @el = grep (/^RADIUS/, keys (%ENV));
> my $e;
> foreach $e (@el)
> {
> print "$e = " . $ENV{$e} . "\n";
> }
> }
>
> # If the service type is Framed, then give them PPP.
> # SLIP is not implemented (and will probably never be).
>
> my $username = $ENV{"RADIUS_USER_NAME"};
>
> # Generate a "unique" string for the session ID.
> my $sessionid = "$$" . time ();
>
> if ($ENV{"RADIUS_SERVICE_TYPE"} =~ /^Framed$/)
> {
>
> # Use the specified IP address, or generate one if none is specified,
> # or a dynamic one requested. Or, let the user negotiate the address.
>
> my $ip_address = $ENV{"RADIUS_FRAMED_IP_ADDRESS"};
>
> if (!$ip_address || ($ip_address eq "255.255.255.254"))
> {
> my @ipn = split (/\./, $ip_address_begin);
> $ipn[3] += $portid - $ip_translate_factor;
> $ip_address = join ('.', @ipn);
>
> if ($debug)
> {
> print "port: $port\n";
> print "portid: $portid\n";
> print "ip_translate_factor: $ip_translate_factor\n";
> print "ip_address: $ip_address\n";
> print "mru: $mru\n";
> }
>
> }
> elsif ($ip_address eq "255.255.255.255")
> {
> # Clear it out so that pppd will let the remote end specify the
> # IP address.
> $ip_address = "";
> }
>
> # Override the specified MTU.
> $mtu = $ENV{"RADIUS_FRAMED_MTU"} if $ENV{"RADIUS_FRAMED_MTU"};
>
> # If no compression is specified, turn it off. Start from an empty
> # string so the value is always defined when it is interpolated below.
> my $compress = "";
> if (!$ENV{"RADIUS_FRAMED_COMPRESSION"})
> {
> $compress = "-vj";
> }
>
> # Fix up the parameters to be passed to ip-up. Include Framed-Route.
> # Escape spaces with %20's.
>
> # Split up the framed route into multiple parts.
> # Separate the different given routes with bars.
> my $routelist = join ("@", map {$ENV{$_}}
> grep {/^RADIUS_FRAMED_ROUTE/} keys (%ENV)
> );
> $routelist =~ s/ /%20/g;
>
> my $param = join (':', $sessionid, $username, $port, $portid,
> $ENV{"RADIUS_SESSION_TIMEOUT"}, $routelist);
>
> # Run pppd through exec, so that it grabs hold of the terminal
> # and catches disconnections.
>
> # Portmaster-style prompt.
> if ($ENV{"RADIUS_SESSION_TIMEOUT"})
> {
> print "Session timeout: " . $ENV{"RADIUS_SESSION_TIMEOUT"} .
> " seconds.\n";
> }
> print "PPP session from ($ip_address_local) to $ip_address beginning....";
> # Build the argument list for pppd and exec it as a list, so that the
> # RADIUS-supplied values in ipparam (username, routes) never reach a shell.
> my @pppdcmd =
> ($prog_pppd, "$ip_address_local:$ip_address", "modem", "crtscts",
> "asyncmap", $asyncmap, "lock", "-detach",
> ($compress ? ($compress) : ()),
> "ipparam", $param, "mtu", $mtu, "mru", $mru,
> ($proxyarp ? ($proxyarp) : ()));
>
> exec (@pppdcmd) || die ("Cannot run $prog_pppd");
> }
> elsif ($ENV{"RADIUS_SERVICE_TYPE"} =~ /Login/)
> {
> # Warning: This code has not been tested as well as the PPP version,
> # as of now (19961107).
>
> # Determine what host to connect to.
> if (($ENV{"RADIUS_LOGIN_IP_HOST"} eq "0.0.0.0") ||
> !defined ($ENV{"RADIUS_LOGIN_IP_HOST"}))
> {
> # Do nothing, it's already specified above in the config section.
> }
> elsif ($ENV{"RADIUS_LOGIN_IP_HOST"} eq "255.255.255.255")
> {
> # The user should be able to choose. Prompt the user.
> print "Host to connect to? ";
> $login_host = <STDIN>;
> chomp ($login_host);
> }
> else
> {
> # Use what's specified by the RADIUS server.
> $login_host = $ENV{"RADIUS_LOGIN_IP_HOST"};
> }
>
> # Log into a host. Default to telnet. Do the accounting
> # now, since the target of the login wouldn't know how to
> # account for it.
>
> # Start accounting. Send the record.
> open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
>
> my $login_service = $ENV{"RADIUS_LOGIN_SERVICE"};
>
> my $cmd =
> "Acct-Session-ID = \"$sessionid\"\n" .
> "User-Name = \"$username\"\n" .
> "Acct-Status-Type = Start\n" .
> "Acct-Authentic = RADIUS\n" .
> "Service-Type = Login\n" .
> "Login-Service = " . $login_service . "\n" .
> "Login-IP-Host = $login_host\n";
>
> print H $cmd;
> close (H);
>
> # Time.
> my $timestart = time ();
>
> # What protocol are we running?
> # What protocol are we running? Build the command as a list so that
> # exec never hands $login_host (which may have been typed by the user
> # at the prompt above) to a shell.
> my (@prog_run, $login_port);
>
> if ($login_service eq "Rlogin")
> {
> @prog_run = ($prog_rlogin);
> }
> elsif ($login_service eq "Telnet")
> {
> @prog_run = ($prog_telnet);
> $login_port = $ENV{"RADIUS_LOGIN_PORT"};
> }
> elsif ($login_service eq "TCP-Clear")
> {
> # Same as $prog_tcpclear ("telnet -e ''"), but as separate arguments.
> @prog_run = ($prog_telnet, "-e", "");
> $login_port = $ENV{"RADIUS_LOGIN_PORT"};
> }
>
> # Store the user information into portinfo. We need to
> # manually fork, since we have to know the PID of the program.
>
> my $pid = fork ();
> die ("Cannot fork") unless (defined ($pid));
> if ($pid == 0)
> {
> # Child. Run the program. Die rather than fall through into the
> # parent's accounting code if there is nothing to run or exec fails.
> # print "Connecting to $login_host:\n";
> die ("Unsupported Login-Service: $login_service") unless (@prog_run);
> exec (@prog_run, $login_host, (defined ($login_port) ? ($login_port) : ()))
> || die ("Cannot run $prog_run[0]");
> }
> else
> {
> # Parent.
> # Create the portinfo record, which needs the pid of the program
> # to kill.
> # The IP address is all zero, as it is not applicable here.
> # Store the time now, and the Session-Timeout.
>
> my %db_portinfo;
>
> tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600)
> || die ("Cannot open $path_portinfo: $!");
> $db_portinfo{$portid} =
> join (':', $username, "Login/$login_service",
> "0.0.0.0", $pid, $timestart,
> $ENV{"RADIUS_SESSION_TIMEOUT"});
> untie (%db_portinfo);
> # Wait for the session to finish.
> waitpid ($pid, 0);
> }
> # Stop. Send the record.
> open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
>
> my $timespent = time () - $timestart;
>
> $cmd =
> "Acct-Session-ID = \"$sessionid\"\n" .
> "User-Name = \"$username\"\n" .
> "Acct-Status-Type = Stop\n" .
> "Acct-Authentic = RADIUS\n" .
> "Service-Type = Login\n" .
> "Login-Service = " . $login_service . "\n" .
> "Login-IP-Host = $login_host\n" .
> "Acct-Session-Time = $timespent\n";
>
> print H $cmd;
> close (H);
>
> # Remove the record from portinfo.
> my %db_portinfo;
> tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600)
> || die ("Cannot open $path_portinfo: $!");
> delete $db_portinfo{$portid};
> untie (%db_portinfo);
> }
>
> ### END ####
>
>
> ###### radiusclient.conf ###########
>
> [bonnet18 radiusclient]# more radiusclient.conf
> # General settings
>
> # specify which authentication comes first and which
> # authentication methods are used. possible values are: "radius" and "local".
> # if you specify "radius,local" then the RADIUS server is asked
> # first, then the local one. if only one keyword is specified only
> # that server is asked.
> auth_order radius,local
>
> # maximum login tries a user has
> login_tries 4
>
> # timeout for all login tries
> # if this time is exceeded the user is kicked out
> login_timeout 60
>
> # name of the nologin file which when it exists disables logins.
> # it may be extended by the ttyname which will result in
> # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
> # logins on /dev/ttyS2)
> nologin /etc/nologin
>
> # name of the issue file. it's only displayed when no username is passed
> # on the radlogin command line
> issue /usr/local/etc/radiusclient/issue
>
> # RADIUS settings
>
> # RADIUS server to use for authentication requests. this config
> # item can appear more than once. if multiple servers are
> # defined they are tried in a round robin fashion if one
> # server is not answering.
> # optionally you can specify the port number on which the remote
> # RADIUS server listens, separated by a colon from the hostname. if
> # no port is specified /etc/services is consulted for the radius
> # service. if this also fails a compiled in default is used.
> #authserver localhost
> authserver 192.168.2.254
>
> # RADIUS server to use for accounting requests. All that I
> # said for authserver applies, too.
> #
> #acctserver localhost
> acctserver 192.168.2.254
>
> # file holding shared secrets used for the communication
> # between the RADIUS client and server
> servers /usr/local/etc/radiusclient/servers
>
> # dictionary of allowed attributes and values
> # just like in the normal RADIUS distributions
> dictionary /usr/local/etc/radiusclient/dictionary
>
> # program to call for a RADIUS authenticated login
> login_radius /usr/local/sbin/login.radius
>
> # file which holds sequence number for communication with the
> # RADIUS server
> seqfile /var/run/radius.seq
>
> # file which specifies mapping between ttyname and NAS-Port attribute
> mapfile /usr/local/etc/radiusclient/port-id-map
>
> # default authentication realm to append to all usernames if no
> # realm was explicitly specified by the user
> # the radiusd directly from Livingston doesn't use any realms, so leave
> # it blank then
> default_realm
>
> # time to wait for a reply from the RADIUS server
> radius_timeout 10
>
> # resend request this many times before trying the next server
> radius_retries 3
>
> # LOCAL settings
>
> # program to execute for local login
> # it must support the -f flag for preauthenticated login
> login_local /bin/login
>
>>
>> regards
>>
>> Hugh
>>
>>
>> On 9 Mar 2004, at 10:21, Bon sy wrote:
>>
>>> Hi,
>>> I wonder whether anyone on the list, or Hugh/Mike, has tried using
>>> radiusclient-0.3.2 to talk to Radiator.
>>>
>>> I have made all the appropriate changes necessary (such as the
>>> server file for shared secret, radiusclient.conf, login.radius). The
>>> installation process went through without any complaint.
>>>
>>> But when I use radlogin (part of radiusclient-0.3.2), there
>>> does not seem to be any request getting to Radiator from
>>> radiusclient. The Ethereal log did not show packets being sent to the
>>> radiator either. This suggests the problem is on the radiusclient side.
>>> But I could not tell what's wrong. Below is the response from the radlogin
>>> utility:
>>>
>>> [bonnet28 /]# radlogin
>>> ($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
>>> -----------------------------------------------------
>>> Linux 2.4.20-8 (bonnet28) (port 0)
>>> -----------------------------------------------------
>>>
>>> login: test
>>> Password:
>>> RADIUS: /dev/pts/0local: Authentication failure
>>>
>>> Please advise if anyone has any insight into this problem. Thanks
>>> in advance!
>>>
>>> Bon
>>>
>>>
>>
>> NB: have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
>
NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
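Hugh's advice is to take radlogin out of the picture and send a known-good request with radpwtst. The script below is an added example for this thread, not code from Radiator, radiusclient or either poster: it does the same job from first principles so that each failure mode in the thread is observable. It resolves the server port the way the radiusclient.conf comments describe (explicit host:port first, then the "radius" entry in /etc/services, then a default), builds an RFC 2865 Access-Request with User-Name, User-Password hidden under the shared secret, NAS-IP-Address and NAS-Port (the portid radlogin takes from port-id-map), and checks the Response Authenticator on whatever comes back. All function names are hypothetical, the 192.168.2.x addresses are reused from the thread, the secret "mysecret" and the fallback port 1645 are assumptions. No reply within the timeout matches Bon's "nothing on the wire" symptom and points at the client or the path; a reply that arrives but fails the authenticator check means the two sides disagree on the shared secret, which is exactly what an uncopied servers file would produce.

```python
"""Minimal RFC 2865 test client (added example, not radpwtst or radiusclient)."""
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5


def resolve_server(spec, default_port=1645):
    """authserver semantics from radiusclient.conf: 'host:port', else the
    'radius' udp entry in /etc/services, else a default (1645 is an assumption)."""
    host, sep, port = spec.partition(":")
    if sep:
        return host, int(port)
    try:
        return host, socket.getservbyname("radius", "udp")
    except OSError:
        return host, default_port


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to a 16-byte multiple, XOR block i with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\0" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += prev
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; the key chain runs over ciphertext."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\0")


def attribute(atype, value):
    """Type, Length (including the 2-byte header), Value."""
    return struct.pack("!BB", atype, len(value) + 2) + value


def parse_attributes(blob):
    attrs, i = [], 0
    while i + 2 <= len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed attribute")
        attrs.append((atype, blob[i + 2:i + alen]))
        i += alen
    return attrs


def build_access_request(ident, secret, user, password, nas_ip, nas_port, authenticator=None):
    """Return (packet, request_authenticator). The authenticator keys the password
    hiding, so it comes from os.urandom unless the caller pins it for a test."""
    ra = authenticator or os.urandom(16)
    attrs = (attribute(USER_NAME, user.encode())
             + attribute(USER_PASSWORD, hide_password(password.encode(), secret, ra))
             + attribute(NAS_IP_ADDRESS, socket.inet_aton(nas_ip))
             + attribute(NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + ra + attrs, ra


def build_response(code, ident, attrs, request_auth, secret):
    """What the server sends: ResponseAuth = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def check_response(packet, ident, request_auth, secret):
    """Return (authentic, code). A shared-secret mismatch shows up as a bad
    Response Authenticator even when the code looks like a normal Reject."""
    if len(packet) < 20:
        return False, None
    code, pid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or pid != ident:
        return False, code
    expected = hashlib.md5(packet[:4] + request_auth + packet[20:] + secret).digest()
    return hmac.compare_digest(packet[4:20], expected), code


def send_and_check(packet, ident, request_auth, secret, host, port, timeout=3.0):
    """One UDP round trip; (False, None) on timeout, i.e. nothing came back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(packet, (host, port))
        try:
            reply, _ = s.recvfrom(4096)
        except socket.timeout:
            return False, None
    return check_response(reply, ident, request_auth, secret)


if __name__ == "__main__":
    secret = b"mysecret"  # assumed; must match the entry in the 'servers' file
    pkt, ra = build_access_request(7, secret, "test", "testpw", "192.168.2.217", 0)
    # Offline simulation of the server side, so the script runs without a network:
    got = dict(parse_attributes(pkt[20:]))
    ok = reveal_password(got[USER_PASSWORD], secret, ra) == b"testpw"
    reply = build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, 7, b"", ra, secret)
    print(check_response(reply, 7, ra, secret))  # (True, 2)
    # Against the Radiator host from the thread (assumed reachable):
    # print(send_and_check(pkt, 7, ra, secret, *resolve_server("192.168.2.254")))
```

Run it once with the offline simulation to confirm the packet logic, then uncomment the last line and watch the Radiator trace 4 output and the capture side by side: if the request shows up in the trace but the reply fails check_response, compare the secret in radiusclient's servers file with the Client clause on the Radiator side; if nothing shows up, the problem is in front of the server.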
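On the tie() question in the quoted message: tie binds the hash %db_portinfo to a GDBM file, so every assignment to or delete from the hash is written through to /var/ipoint/acct/portinfo; GDBM_WRCREAT creates that file on first use (the directory has to exist), and the records are per-NAS-Port session entries (username, service, address, pid, start time, Session-Timeout), not the UDP port numbers. The Python below is an added illustration, not code from radiusclient or from this thread, of the three pieces of login.radius that feed that record: the port-id-map lookup that turns a tty into a NAS-Port, the dynamic Framed-IP-Address arithmetic, and the start/stop lifecycle of the portinfo entry. Python's dbm module stands in for the tied GDBM_File, the sample port-id-map text is constructed, the class and function names are hypothetical, and the address arithmetic is generalized to carry into the next octet where the original only increments the last one.

```python
"""login.radius bookkeeping re-expressed in Python (added example)."""
import dbm
import ipaddress
import os
import tempfile

# Constructed sample in the two-column layout of radiusclient's port-id-map.
SAMPLE_PORT_ID_MAP = """\
# ttyname   NAS-Port
/dev/ttyS0  0
/dev/ttyS1  1
/dev/pts/0  2
"""


def lookup_portid(map_text, tty):
    """First matching line wins, like the while loop in login.radius; None if absent."""
    for line in map_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue
        if fields[0] == tty:
            return int(fields[1])
    return None


def dynamic_address(ip_begin, portid, translate_factor=0):
    """ip_address_begin + (portid - ip_translate_factor). login.radius adds this to
    the last octet only; carrying into the next octet avoids an octet above 255."""
    return str(ipaddress.IPv4Address(ip_begin) + (portid - translate_factor))


class PortInfo:
    """The portinfo database: one record per NAS-Port, keyed by portid, in the
    colon-separated layout login.radius writes. dbm replaces GDBM_File/tie."""
    FIELDS = ("username", "service", "ip", "pid", "start", "timeout")

    def __init__(self, path):
        self.path = path

    def start(self, portid, username, service, ip, pid, start, timeout=""):
        """Session start: write the record (flag 'c' and 0o600 mirror GDBM_WRCREAT, 0600)."""
        record = ":".join(str(v) for v in (username, service, ip, pid, start, timeout))
        with dbm.open(self.path, "c", 0o600) as db:
            db[str(portid)] = record

    def get(self, portid):
        with dbm.open(self.path, "c", 0o600) as db:
            raw = db.get(str(portid))
        if raw is None:
            return None
        return dict(zip(self.FIELDS, raw.decode().split(":", 5)))

    def stop(self, portid):
        """Session stop: remove the record; harmless if it is already gone."""
        with dbm.open(self.path, "c", 0o600) as db:
            if str(portid) in db:
                del db[str(portid)]


def new_temp_portinfo():
    """A throwaway database under a temp directory, in place of /var/ipoint/acct/portinfo."""
    return PortInfo(os.path.join(tempfile.mkdtemp(), "portinfo"))


if __name__ == "__main__":
    portid = lookup_portid(SAMPLE_PORT_ID_MAP, "/dev/pts/0")        # 2
    print("portid:", portid, "ip:", dynamic_address("192.168.2.11", portid))
    db = new_temp_portinfo()
    db.start(portid, "test", "Login/Telnet", "0.0.0.0", 4242, 1078857038, 3600)
    print(db.get(portid))
    db.stop(portid)
    print(db.get(portid))  # None
```

The thing to take from this for the original problem is that portinfo is output, not input: nothing in it influences which server or port radlogin talks to, so an absent portinfo file cannot explain an Access-Request that never leaves the machine.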