(RADIATOR) Radius eap_anon_hook.pl Problems
Steve Caporossi
capoross at musc.edu
Thu May 27 09:26:54 CDT 2004
*Problem Description* :
The eap_anon_hook.pl hook never successfully writes an entry into the
RADLASTAUTH table.
*Problem Analysis* :
After adding several print statements throughout the eap_anon_hook.pl
script, I've discovered that the following variable never gets set:
${$p}->{outerRequest}. This causes the following statement to fail:

if (${$p}->code() eq 'Access-Request' && $$handled == 0 && ${$p}->{outerRequest})

which prevents the "replace into RADLASTAUTH" from ever being executed.
Obviously, I could remove the && ${$p}->{outerRequest} condition to allow
execution to flow into the if branch; however, the nasidentifier, nasport
and acctsessionid are never defined and therefore cannot be updated in the
ACCOUNTING table.
I've searched through all the Radiator perl modules and found only a few
references to the outerRequest hash element (or object variable).
> cd /usr/local/radiator
> grep -r 'outerRequest' ./*
./Radius/EAP_21.pm: $tp->{outerRequest} = $p;
./Radius/EAP_21.pm: my $op = $tp->{outerRequest};
./Radius/EAP_26.pm: $tp->{outerRequest} = $p;
./Radius/EAP_26.pm: my $op = $tp->{outerRequest}; # This is the EAP 26 request that was converted
./Radius/EAP_25.pm: $tp->{outerRequest} = $p;
./Radius/EAP_25.pm: my $op = $tp->{outerRequest};
When I search for a package "use" or "require" of EAP_21, which
corresponds to EAP-TTLS, I find:
> grep -r 'EAP_21' ./*
./Radius/EAP_21.pm:# EAP_21.pm
./Radius/EAP_21.pm:# $Id: EAP_21.pm,v 1.24 2004/04/23 05:39:44 mikem Exp $
./Radius/EAP_21.pm:package Radius::EAP_21;
./Radius/EAP_21.pm: $tp->{replyFn} = [\&Radius::EAP_21::replyFn, $context];
./Radius/AuthRADIUS.pm: # Tell callers the packet was proxied. Some callers like EAP_21 need to know.
./doc/history.html: <li>Changes to EAP_21.pm for improved interoperation with Meetinghouse Aegis TTLS clients.
There doesn't seem to be a call in the radiusd or any included libraries
to the EAP_21 perl module which would actually set the {outerRequest}
variable.
*Attempted Solutions* :
We've updated to Radiator 3.9 and installed the newest patches
(05/25/04), however the problem still persists.
Any thoughts would be appreciated,
-Chris
------------------------------------------------
Our Radius configuration info :
<Handler TunnelledByTTLS=1>
    AuthByPolicy ContinueUntilAccept
    # Strip realm if in MSN format
    RewriteUsername s/(.*)\\(.*)/$2/
    # strips the realm from a User-Name before authenticating it
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy LDAP2>
        Identifier xxxxxxxxxxxxxxx
        Host xxxxx.xxxx.xxx
        AuthDN xxxx=xxx, xx=xxx.....
        AuthPassword xxxxxxx
        BaseDN xx=xxxx, xx=xxx
        UsernameAttr xx=xxx
        ServerChecksPassword
        Debug 255
        Timeout 2
        FailureBackoffTime 1
    </AuthBy>
    <AuthBy UNIX>
        Filename /etc/passwd.ppp
    </AuthBy>
    <AuthBy UNIX>
        Filename /etc/passwd.dal
    </AuthBy>
    AcctLogFileName %L/wlan/%m%d%y.log
</Handler>

<Handler Client-Identifier=wlan>
    AuthByPolicy ContinueWhileIgnore
    AddToRequestIfNotExist Framed-IP-Address=%a
    <AuthBy SQL>
        DBSource %{GlobalVar:dbsource}
        DBUsername %{GlobalVar:dbuser}
        DBAuth %{GlobalVar:dbpass}
        AuthSelect
        # Only insert Start and Stop requests, ack everything else
        HandleAcctStatusTypes Start,Stop
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME,User-Name
        AcctColumnDef CONNTYPE,%{Client:Identifier},formatted
        AcctColumnDef TIME_STAMP,Timestamp,integer
        AcctColumnDef TEXT_TIME_STAMP,Timestamp,integer-date,%Y-%m-%d %H:%M:%S
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASIPADDRESS,NAS-IP-Address
        AcctColumnDef NASPORT,NAS-Port,integer
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef ACCTAUTHENTIC,Acct-Authentic
        AcctColumnDef NASPORTTYPE, NAS-Port-Type
        AcctColumnDef ACCTINPUTOCTETS, Acct-Input-Octets, integer
        AcctColumnDef ACCTOUTPUTOCTETS, Acct-Output-Octets, integer
        AcctColumnDef ACCTINPUTPACKETS, Acct-Input-Packets, integer
        AcctColumnDef ACCTOUTPUTPACKETS, Acct-Output-Packets, integer
        AcctColumnDef CISCONASPORT, Cisco-NAS-Port
        AcctColumnDef CISCOAVPAIR, cisco-avpair
        AcctColumnDef EVENTTIMESTAMP, Event-Timestamp, integer
        AcctColumnDef CALLINGSTATIONID, Calling-Station-Id
        AcctColumnDef AUTHSERVER, %{GlobalVar:servername},formatted
        AcctFailedLogFileName %L/%{Client:Identifier}/%m%d%y.missedaccountin.log
    </AuthBy>
    <AuthBy FILE>
        # Filename %D/users
        <AuthLog SYSLOG>
            Facility auth
            LogSuccess 0
            LogFailure 1
            FailureFormat '%{Client:Identifier}:%Y/%m/%d %H:%M.%S :%U:FAIL'
            SuccessFormat '%{Client:Identifier}:%Y/%m/%d %H:%M.%S :%U:OK'
        </AuthLog>
        EAPType TTLS
        EAPTLS_CAFile /usr/local/certs/%{GlobalVar:servername}.pem
        # EAPTLS_CAPath /usr/local/certs/
        EAPTLS_CertificateFile /usr/local/certs/%{GlobalVar:servername}.pem
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile /usr/local/certs/%{GlobalVar:servername}.pem
        EAPTLS_PrivateKeyPassword password
        # EAPTLS_RandomFile %D/certificates/random
        EAPTLS_MaxFragmentSize 1024
        # EAPTLS_DHFile %D/certificates/dh
        # Use of these flags requires Net_SSLeay-1.21 or later
        #EAPTLS_CRLCheck
        #EAPTLS_CRLFile %D/certificates/crl.pem
        #EAPTLS_CRLFile %D/certificates/revocations.pem
        AutoMPPEKeys
        SSLeayTrace 4
        # EAPAnonymous anonymous
        # Default is enabled
        #EAPTLS_SessionResumption 0
        #EAPTLS_SessionResumptionLimit 10
    </AuthBy>
    PreProcessingHook file:"/etc/radiator/eap_anon_hook.pl"
    PostAuthHook file:"/etc/radiator/eap_anon_hook.pl"
    # Log accounting to a detail file
    AcctLogFileName %L/%{Client:Identifier}/%m%d%y.log
</Handler>
--
************************************************
Christopher M Dufala
System Security Officer
Medical University of South Carolina
Center for Computing and Information Technology
Work Phone : (843) 876-5111
E-Mail : dufalac at musc.edu
http : https://talon.musc.edu
************************************************