(RADIATOR) Help With Configuration

Sergio Pantoja H. sergio at pantoja.cl
Tue Jun 21 13:56:16 CDT 2005 

Hello,

I having perfomance issues with radiator, this radius it's receive request 
from 2 redbacks,
this is a legacy implementation so i don't know the deep details about it.

Regullary the radius receive excesive petitions from the redbacks causing a 
huge number
of time outs.

Here is my actual config, if anyone can see something duplicate, strange or 
misconf.

Regards
--
Sergio Pantoja H.
sergio at pantoja.cl

----- Original Message ----- 
From: "Bosse Klykken" <bosse at linpro.no>
To: <radiator at open.com.au>
Sent: Tuesday, June 21, 2005 8:54 AM
Subject: (RADIATOR) Digipass+password checking


> In the implementation process I'm currently in, I've discovered that there
> are several routers and other equipment that needs to authenticate to 
> RADIUS
> through static passwords. As the Digipass module rejects requests where it
> can't find the username in the RADDIGIPASS database, I've looked at using
> Handlers to check the password field so that the request can be handled by
> the correct chain. Unfortunately, as the passwords are MD5, I believe
> that this might be somewhat problematic.
>
> But as AuthBy EXTERNAL allows me to decrypt the password before sending it
> to an external program, I thought I might try that as a workaround. The
> script looks like this:
>
> ---8<--- radchkpwd.sh
> #!/bin/sh
>
> if echo $1 | grep -q ^[0-9][0-9][0-9][0-9][0-9][0-9]$
> then
>    echo "REJECT"
>    exit 1 # This is probably a digipass token
> else
>    echo "ACCEPT"
>    exit 0 # This is something else
> fi
> ---8<---
>
> When I call this script from the commandline with some test parameter,
> the output looks okay, and if it contains six digits, it responds with
> "REJECT", as it (probably) should. I also verified through the log that
> the $1 parameter is correct.
>
> Here's the relevant parts of radius.cfg that calls the script:
>
> ---8<--- radius.cfg
> <Realm DEFAULT>
> <AuthBy GROUP>
> AuthByPolicy ContiniueWhileAccept
>        <AuthBy EXTERNAL>
>        # If exit 0 then password is NOT Digipass, and the chain should 
> continiue
>        # If exit 1 then password is Digipass, and the chain should be 
> broken
> # and hopefully pass on to the next AuthBy GROUP.
>        DecryptPassword
>        Command /usr/bin/radchkpwd.sh %P
>        # ResultInOutput
> </AuthBy>
>
> <AuthBy RADMIN>
> # Standard AuthBy RADMIN information here, but removed NoCheckPassword
> </AuthBy>
> </AuthBy>
> <AuthBy GROUP>
> AuthByPolicy ContiniueWhileAccept
> <AuthBy DIGIPASS>
> # Standard DIGIPASS stuff here
> </AuthBy>
> <AuthBy RADMIN>
> # Standard RADMIN stuff here
> </AuthBy>
> </AuthBy>
> # Some AuthLog stuff here
> </Realm>
> ---8<---
>
> The following log snippet is from an attempt logging on with digipass. It
> runs the radchkpwd.sh script with a correct six-digit parameter, and 
> should
> give a REJECT so that the AuthBy should stop traversing downwards, 
> according
> to the AuthByPolicy ContiniueWhileAccept - but as you see from the log, it
> gets handled by Radius::AuthRADMIN.
>
> ---8<--- logfile
> Tue Jun 21 14:19:23 2005: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Tue Jun 21 14:19:23 2005: DEBUG:  Deleting session for sttest, 127.0.0.1,
> Tue Jun 21 14:19:23 2005: DEBUG: do query is: 'delete from RADONLINE where 
> NASIDENTIFIER='127.0.0.1' and NASPORT=0':
> Tue Jun 21 14:19:23 2005: DEBUG: Handling with Radius::AuthGROUP
> Tue Jun 21 14:19:23 2005: DEBUG: Running command: /usr/bin/radchkpwd.sh 
> 444872
> Tue Jun 21 14:19:23 2005: DEBUG: Handling with Radius::AuthRADMIN
> Tue Jun 21 14:19:23 2005: DEBUG: Handling with Radius::AuthRADMIN:
> ---8<---
>
> Now, as this is now, it works with password auth, but not digipass. I 
> guess
> that it would work with digipass again if I reordered the radmin.cfg a 
> bit,
> so from what I can tell, I might have misunderstood the concept of AuthBy
> GROUP and AuthByPolicy.
>
> Could anyone here help me by pointing me in the right direction, 
> considering
> my objective of having both digipass and password authentication? I 
> believe
> I could use Handlers with triggers on NAS-identifiers in order to set up
> static password handling in radmin.cfg for requests from certain NASes or
> User-IDs, but this really isn't what I had in mind.
>
> .../Bosse
> -- 
> Bosse Klykken, operations consultant
> Linpro AS - http://www.linpro.no
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message. 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radius.cfg
Type: application/octet-stream
Size: 12991 bytes
Desc: not available
URL: <http://www.open.com.au/pipermail/radiator/attachments/20050621/6e54ed73/attachment.obj>

More information about the radiator mailing list