(RADIATOR) Re: radiusclient-0.3.2 (and iptel SER)
Bon sy
bon at bunny.cs.qc.edu
Thu Mar 11 08:44:20 CST 2004
Hugh and all,
The bottom line of our attempt is to get iptel SER to talk to the
radiator. I wonder anyone in the list has any success and is willing to
share details or pointers on how to get it to work. We are using iptel SER
0.8.12 and radiator 3.8.
Many thanks in advance!
Bon
On Wed, 10 Mar 2004, Hugh Irvine wrote:
>
> Hello Bon -
>
> If you are not seeing any network traffic at all then there is
> something seriously broken.
>
> Why don't you just use "radpwtst"?
>
> regards
>
> Hugh
>
>
> On 9 Mar 2004, at 23:11, Bon sy wrote:
>
> >
> > On Tue, 9 Mar 2004, Hugh Irvine wrote:
> >
> >>
> >> Hello Bon -
> >>
> >> What does ethereal show on the radlogin host?
> >
> > The ethereal showed no activity of radius protocol, only TCP, from the
> > machine I used to remote access the radiusclient machine.
> >
> >>
> >> Does radlogin have a debug mode?
> >>
> >
> > Unfortunately there is no debug mode as shown below:
> >
> > # radlogin -help
> > Usage: radlogin [-Vhnd] [-f <config_file>] [-i <client_port>] [-m
> > <login_tries>]
> >
> > -V output version information
> > -h output this text
> > -n don't display issue file
> > -f filename of alternate config file
> > -i ttyname to send to the server
> > -m maximum login tries (overrides value in config file)
> >
> >
> >> I suspect you may be sending to a different port number and/or IP
> >> address than the one Radiator is listening on.
> >
> > I have added the 1645 and 1646 to the /etc/services. No filtering
> > rules in
> > iptables.
> >
> > Below are the radius.login and radisuclient.conf configuration files. I
> > just noticed that the "server" file containing the shared secret did
> > not
> > get copied to the proper location during "make install". This is
> > fixed and I still have problems. I suspect there are more than
> > that. For example, in the radius.login file, there is
> > a line:
> >
> > my $path_portinfo = "/var/ipoint/acct/portinfo";
> >
> > But I do not have the file "portinfo" and there is no documentation on
> > what should be in there. I guess that is where to specify the port
> > number,
> > which I enter 1645/1646. This is then later used in the subsequent Perl
> > script in the same file:
> >
> > tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT, 0600);
> >
> > I could not find sufficient information to understand what the
> > above statement is really doingother than creating a binding of a
> > variable
> > to a classname that implements the variable.
> >
> > #!/usr/bin/perl
> > #
> > # login program to invoke PPP.
> > # RADIUS accounting is NOT handled by this; it is handled by /etc/ppp/
> > # ip-up and ip-down which are invoked when the TCP/IP connection is up.
> >
> > # version 0.1 November 5 1996
> > # clean up the code, minor features.
> >
> > # version 0.02 May 8 1996
> > #
> > # start implementing other types of logins, not only Framed.
> > # Also honor static IP addresses.
> > #
> > # version 0.01 April 1 1996
> > #
> > # - ignore RADIUS server requests for Framed-User, just
> > # do PPP. Later, this should be honored. For now,
> > # just use RADIUS for authentication; it's much simpler.
> > # Always use dynamic addresses.
> > #
> >
> > use strict;
> > use GDBM_File;
> >
> > #### CONFIGURATION SECTION
> > ##################################################
> >
> > # Local IP address for the PPP connection.
> > #my $ip_address_local = "203.176.0.3";
> > my $ip_address_local = "192.168.2.217";
> >
> > # First IP address for this terminal server, if dynamic addressing
> > # is requested, or if nothing is specified for Framed-IP-Address.
> > #my $ip_address_begin = "203.176.0.161";
> > my $ip_address_begin = "192.168.2.11";
> >
> > # IP translation factor; subtract this value from radclient before
> > adding
> > # the beginning IP address.
> > #my $ip_translate_factor = 32;
> > my $ip_translate_factor = 0;
> >
> > # Debugging to screen?
> > my $debug = 1;
> >
> > # PPP parameters:
> >
> > # Async map - this one escapes only XON and XOFF characters.
> > my $asyncmap = "0x000A0000";
> >
> > # MTU and MRU. 296 is good for interactive performance,
> > # but larger ones will lead to less overhead for file transfers.
> > # Maximum is 1500.
> > my ($mtu, $mru) = (296, 296);
> >
> > # If we're using proxy ARP, set this to "proxyarp", else leave it
> > blank.
> > # my $proxyarp = "proxyarp";
> > my $proxyarp = "";
> >
> > # Login host for non-framed connections.
> > # This should only be an IP address, since that's what
> > # Login-IP-Host should be.
> > # my $login_host = "203.176.0.4"; # marikit.iphil.net
> > my $login_host = "192.168.2.218";
> >
> > # Programs and files.
> > my $prog_pppd = "/usr/sbin/pppd";
> > #my $prog_radacct = "/usr/local/lib/radiusclient/radacct";
> > my $prog_radacct = "/usr/local/sbin/radacct";
> > my $prog_rlogin = "/usr/bin/rlogin";
> > #my $prog_telnet = "/bin/telnet";
> > my $prog_telnet = "/usr/bin/telnet";
> > #my $prog_tcpclear = "/bin/telnet -e ''";
> > my $prog_tcpclear = "/usr/bin/telnet -e ''";
> > my $prog_tty = "/usr/bin/tty";
> > my $prog_who = "/usr/bin/who";
> >
> > my $path_portinfo = "/var/ipoint/acct/portinfo";
> > #my $path_radiusclient_map = "/etc/radclient/port-id-map";
> > my $path_radiusclient_map = "/usr/local/etc/radiusclient/port-id-map";
> >
> > #######################################################################
> > ######
> >
> > # Main program.
> >
> > print "Starting.\n" if ($debug);
> >
> > # Run 'who am i' to determine the current port.
> > my $port = `$prog_tty`;
> > chomp ($port);
> >
> > # Translate port numbers to numbers for RADIUS.
> > # This translation is done again by radacct, but it may be useful here.
> > # Remove if CPU time is a problem.
> >
> > my ($portid, $line);
> > open (H, $path_radiusclient_map);
> > while (($line = <H>) && (!$portid))
> > {
> > my @info = split (/\s+/, $line);
> > $portid = $info[1] if ($info[0] eq $port);
> > }
> > close (H);
> >
> > if ($debug)
> > {
> > # Print out all the RADIUS variables.
> > my @el = grep (/^RADIUS/, keys (%ENV));
> > my $e;
> > foreach $e (@el)
> > {
> > print "$e = " . $ENV{$e} . "\n";
> > }
> > }
> >
> > # If the service type is Framed, then give them PPP.
> > # SLIP is not implemented (and will probably never be).
> >
> > my $username = $ENV{"RADIUS_USER_NAME"};
> >
> > # Generate a "unique" string for the session ID.
> > my $sessionid = "$$" . time ();
> >
> > if ($ENV{"RADIUS_SERVICE_TYPE"} =~ /^Framed$/)
> > {
> >
> > # Use the specified IP address, or generate one if none is specified,
> > # or a dynamic one requested. Or, let the user negotiate the address.
> >
> > my $ip_address = $ENV{"RADIUS_FRAMED_IP_ADDRESS"};
> >
> > if (!$ip_address || ($ip_address eq "255.255.255.254"))
> > {
> > my @ipn = split (/\./, $ip_address_begin);
> > $ipn[3] += $portid - $ip_translate_factor;
> > $ip_address = join ('.', @ipn);
> >
> > if ($debug)
> > {
> > print "port: $port\n";
> > print "portid: $portid\n";
> > print "ip_translate_factor: $ip_translate_factor\n";
> > print "ip_address: $ip_address\n";
> > print "mru: $mru\n";
> > }
> >
> > }
> > elsif ($ip_address eq "255.255.255.255")
> > {
> > # Clear it out so that pppd will let the remote end specify the
> > # IP address.
> > $ip_address = "";
> > }
> >
> > # Override the specified MTU.
> > $mtu = $ENV{"RADIUS_FRAMED_MTU"} if $ENV{"RADIUS_FRAMED_MTU"};
> >
> > # If no compression is specified, turn it off.
> > my $compress;
> > if (!$ENV{"RADIUS_FRAMED_COMPRESSION"})
> > {
> > $compress = "-vj";
> > }
> >
> > # Fix up the parameters to be passed to ip-up. Include Framed-Route.
> > # Escape spaces with %20's.
> >
> > # Split up the framed route into multiple parts.
> > # Separate the different given routes with bars.
> > my $routelist = join ("@", map {$ENV{$_}}
> > grep {/^RADIUS_FRAMED_ROUTE/} keys (%ENV)
> > );
> > $routelist =~ s/ /%20/g;
> >
> > my $param = join (':', $sessionid, $username, $port, $portid,
> > $ENV{"RADIUS_SESSION_TIMEOUT"}, $routelist);
> >
> > # Run pppd through exec, so that it grabs hold of the terminal
> > # and catches disconnections.
> >
> > # Portmaster-style prompt.
> > if ($ENV{"RADIUS_SESSION_TIMEOUT"})
> > {
> > print "Session timeout: " . $ENV{"RADIUS_SESSION_TIMEOUT"} .
> > " seconds.\n";
> > }
> > print "PPP session from ($ip_address_local) to $ip_address
> > beginning....";
> > my $pppdcmd =
> > "$prog_pppd $ip_address_local:$ip_address modem crtscts " .
> > "asyncmap $asyncmap lock -detach $compress " .
> > "ipparam $param mtu $mtu mru $mru $proxyarp";
> >
> > exec ($pppdcmd);
> > }
> > elsif ($ENV{"RADIUS_SERVICE_TYPE"} =~ /Login/)
> > {
> > # Warning: This code has not been tested as well as the PPP
> > version,
> > # as of now (19961107).
> >
> > # Determine what host to connect to.
> > if (($ENV{"RADIUS_LOGIN_IP_HOST"} eq "0.0.0.0") ||
> > !defined ($ENV{"RADIUS_LOGIN_IP_HOST"}))
> > {
> > # Do nothing, it's already specified above in the config
> > section.
> > }
> > elsif ($ENV{"RADIUS_LOGIN_IP_HOST"} eq "255.255.255.255")
> > {
> > # The user should be able to choose. Prompt the user.
> > print "Host to connect to? ";
> > $login_host = <STDIN>;
> > chomp ($login_host);
> > }
> > else
> > {
> > # Use what's specified by the RADIUS server.
> > $login_host = $ENV{"RADIUS_LOGIN_IP_HOST"};
> > }
> >
> > # Log into a host. Default to telnet. Do the accounting
> > # now, since the target of the login wouldn't know how to
> > # account for it.
> >
> > # Start accounting. Send the record.
> > open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
> >
> > my $login_service = $ENV{"RADIUS_LOGIN_SERVICE"};
> >
> > my $cmd =
> > "Acct-Session-ID = \"$sessionid\"\n" .
> > "User-Name = \"$username\"\n" .
> > "Acct-Status-Type = Start\n" .
> > "Acct-Authentic = RADIUS\n" .
> > "Service-Type = Login\n" .
> > "Login-Service = " . $login_service . "\n" .
> > "Login-IP-Host = $login_host\n";
> >
> > print H $cmd;
> > close (H);
> >
> > # Time.
> > my $timestart = time ();
> >
> > # What protocol are we running?
> > my ($prog_run, $login_port);
> >
> > if ($login_service eq "Rlogin")
> > {
> > $prog_run = $prog_rlogin;
> > }
> > elsif ($login_service eq "Telnet")
> > {
> > $prog_run = $prog_telnet;
> > $login_port = $ENV{"RADIUS_LOGIN_PORT"};
> > }
> > elsif ($login_service eq "TCP-Clear")
> > {
> > $prog_run = $prog_tcpclear;
> > $login_port = $ENV{"RADIUS_LOGIN_PORT"};
> > }
> >
> > # Store the user information into portinfo. We need to
> > # manually fork, since we have to know the PID of the program.
> >
> > my $pid = fork ();
> > if ($pid == 0)
> > {
> > # Child. Run the program.
> > # print "Connecting to $login_host:\n";
> > my $cmd = "$prog_run $login_host $login_port";
> > exec ("$cmd");
> > }
> > else
> > {
> > # Parent.
> > # Create the portinfo record, which needs the pid of the
> > program
> > # to kill.
> > # The IP address is all zero, as it is not applicable here.
> > # Store the time now, and the Session-Timeout.
> >
> > my %db_portinfo;
> >
> > tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT,
> > 0600);
> > $db_portinfo{$portid} =
> > join (':', $username, "Login/$login_service",
> > "0.0.0.0", $pid, $timestart,
> > $ENV{"RADIUS_SESSION_TIMEOUT"});
> > untie (%db_portinfo);
> > # Wait for the session to finish.
> > waitpid ($pid, 0);
> > }
> > # Stop. Send the record.
> > open (H, "| $prog_radacct") || die ("Cannot run $prog_radacct");
> >
> > my $timespent = time () - $timestart;
> >
> > my $cmd =
> > "Acct-Session-ID = \"$sessionid\"\n" .
> > "User-Name = \"$username\"\n" .
> > "Acct-Status-Type = Stop\n" .
> > "Acct-Authentic = RADIUS\n" .
> > "Service-Type = Login\n" .
> > "Login-Service = " . $login_service . "\n" .
> > "Login-IP-Host = $login_host\n" .
> > "Acct-Session-Time = $timespent\n";
> >
> > print H $cmd;
> > close (H);
> >
> > # Remove the record from portinfo.
> > my %db_portinfo;
> > tie (%db_portinfo, "GDBM_File", $path_portinfo, GDBM_WRCREAT,
> > 0600);
> > delete $db_portinfo{$portid};
> > untie (%db_portinfo);
> > }
> >
> > ### END ####
> >
> >
> > ###### radiusclient.conf ###########
> >
> > [bonnet18 radiusclient]# more radiusclient.conf
> > # General settings
> >
> > # specify which authentication comes first respectively which
> > # authentication is used. possible values are: "radius" and "local".
> > # if you specify "radius,local" then the RADIUS server is asked
> > # first then the local one. if only one keyword is specified only
> > # this server is asked.
> > auth_order radius,local
> >
> > # maximum login tries a user has
> > login_tries 4
> >
> > # timeout for all login tries
> > # if this time is exceeded the user is kicked out
> > login_timeout 60
> >
> > # name of the nologin file which when it exists disables logins.
> > # it may be extended by the ttyname which will result in
> > # a terminal specific lock (e.g. /etc/nologin.ttyS2 will disable
> > # logins on /dev/ttyS2)
> > nologin /etc/nologin
> >
> > # name of the issue file. it's only display when no username is passed
> > # on the radlogin command line
> > issue /usr/local/etc/radiusclient/issue
> >
> > # RADIUS settings
> >
> > # RADIUS server to use for authentication requests. this config
> > # item can appear more then one time. if multiple servers are
> > # defined they are tried in a round robin fashion if one
> > # server is not answering.
> > # optionally you can specify a the port number on which is remote
> > # RADIUS listens separated by a colon from the hostname. if
> > # no port is specified /etc/services is consulted of the radius
> > # service. if this fails also a compiled in default is used.
> > #authserver localhost
> > authserver 192.168.2.254
> >
> > # RADIUS server to use for accouting requests. All that I
> > # said for authserver applies, too.
> > #
> > #acctserver localhost
> > acctserver 192.168.2.254
> >
> > # file holding shared secrets used for the communication
> > # between the RADIUS client and server
> > servers /usr/local/etc/radiusclient/servers
> >
> > # dictionary of allowed attributes and values
> > # just like in the normal RADIUS distributions
> > dictionary /usr/local/etc/radiusclient/dictionary
> >
> > # program to call for a RADIUS authenticated login
> > login_radius /usr/local/sbin/login.radius
> >
> > # file which holds sequence number for communication with the
> > # RADIUS server
> > seqfile /var/run/radius.seq
> >
> > # file which specifies mapping between ttyname and NAS-Port attribute
> > mapfile /usr/local/etc/radiusclient/port-id-map
> >
> > # default authentication realm to append to all usernames if no
> > # realm was explicitly specified by the user
> > # the radiusd directly form Livingston doesnt use any realms, so leave
> > # it blank then
> > default_realm
> >
> > # time to wait for a reply from the RADIUS server
> > radius_timeout 10
> >
> > # resend request this many times before trying the next server
> > radius_retries 3
> >
> > # LOCAL settings
> >
> > # program to execute for local login
> > # it must support the -f flag for preauthenticated login
> > login_local /bin/login
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >>
> >> regards
> >>
> >> Hugh
> >>
> >>
> >> On 9 Mar 2004, at 10:21, Bon sy wrote:
> >>
> >>> Hi,
> >>> I wonder anyone in the list or Hugh/Mike has tried using
> >>> radiusclient-0.3.2 to talk to Radiator.
> >>>
> >>> I have made all the appropriate changes necessary (such as the
> >>> server file for shared secret, radiusclient.conf, login.radius). The
> >>> installation process went through without any complain.
> >>>
> >>> But when I use the radlogin (part of the radiusclient-0.3.2), it
> >>> does not seem to have any request getting to radiator from
> >>> radiusclient. Ethreal log did not show packets sending over to the
> >>> radiator too. This suggests the problem is on the radiusclient side.
> >>> But I
> >>> could not tell what's wrong. Below is the response from the radlogin
> >>> utility:
> >>>
> >>> [bonnet28 /]# radlogin
> >>> ($Id: radlogin.c,v 1.3 1997/12/29 23:07:25 lf Exp $)
> >>> -----------------------------------------------------
> >>> Linux 2.4.20-8 (bonnet28) (port 0)
> >>> -----------------------------------------------------
> >>>
> >>> login: test
> >>> Password:
> >>> RADIUS: /dev/pts/0local: Authentication failure
> >>>
> >>> Please advise if anyone has any insight into this problem. Thanks
> >>> in advance!
> >>>
> >>> Bon
> >>>
> >>>
> >>
> >> NB: have you included a copy of your configuration file (no secrets),
> >> together with a trace 4 debug showing what is happening?
> >>
> >> --
> >> Radiator: the most portable, flexible and configurable RADIUS server
> >> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> >> -
> >> Nets: internetwork inventory and management - graphical, extensible,
> >> flexible with hardware, software, platform and database independence.
> >> -
> >> CATool: Private Certificate Authority for Unix and Unix-like systems.
> >>
> >> --
> >> Archive at http://www.open.com.au/archives/radiator/
> >> Announcements on radiator-announce at open.com.au
> >> To unsubscribe, email 'majordomo at open.com.au' with
> >> 'unsubscribe radiator' in the body of the message.
> >>
> >
> >
>
> NB: have you included a copy of your configuration file (no secrets),
> together with a trace 4 debug showing what is happening?
>
> --
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> -
> Nets: internetwork inventory and management - graphical, extensible,
> flexible with hardware, software, platform and database independence.
> -
> CATool: Private Certificate Authority for Unix and Unix-like systems.
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.
More information about the radiator
mailing list