(RADIATOR) Only one <AuthBy RADSEC> per one Radiator instance?
Jan Tomasek
jan at tomasek.cz
Thu Nov 17 15:48:38 CST 2005
Hi,
I just discovered a bug that means only one AuthBy RADSEC per
Radiator can be used.
I'm using my radsec1.cesnet.cz as the home RADIUS for the realms cesnet.cz and
tomasek.cz.
At my radsec1.eduroam.cz (Czech level) RADIUS server I have this configuration:
# -- Forward cesnet.cz realm to radsec1.cesnet.cz -----------------------------
<Handler Realm=/^cesnet\.cz$/i>
    <AuthBy RADSEC>
        Host radsec1.cesnet.cz
        Port 2083
        Protocol tcp
        UseTLS
        TLS_CAPath /etc/ssl/certs
        TLS_CertificateFile /etc/ssl/certs/cz.eduroam.org.crt.pem
        TLS_CertificateType PEM
        TLS_PrivateKeyFile /etc/ssl/private/cz.eduroam.org.key.pem
    </AuthBy>
</Handler>
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
# -- Forward tomasek.cz realm to radsec1.cesnet.cz -----------------------------
<Handler Realm=/^tomasek\.cz$/i>
    <AuthBy RADSEC>
        Host radsec1.cesnet.cz
        Port 2083
        Protocol tcp
        UseTLS
        TLS_CAPath /etc/ssl/certs
        TLS_CertificateFile /etc/ssl/certs/cz.eduroam.org.crt.pem
        TLS_CertificateType PEM
        TLS_PrivateKeyFile /etc/ssl/private/cz.eduroam.org.key.pem
    </AuthBy>
</Handler>
# ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If I'm sending requests to tomasek.cz (2nd realm!) everything is working
fine.
After that I start sending some requests to cesnet.cz (1st realm!), then
radsec1.edu says:
*** Received from 195.113.134.138 port 32860 ....
Code: Access-Request
Identifier: 0
Authentic: 1<181><17>(<134><223><23>~?<226>L)<194><4><197>c
Attributes:
User-Name = "semik at cesnet.cz"
User-Password = <160><151>j<27>6<234>T^~<236><11><19>0f<151>R
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Thu Nov 17 22:32:09 2005: DEBUG: Handling request with Handler 'Realm=/^cesnet\.cz$/i'
Thu Nov 17 22:32:09 2005: DEBUG: Deleting session for semik at cesnet.cz, 255.255.255.255, 0
Thu Nov 17 22:32:09 2005: DEBUG: Handling with Radius::AuthRADSEC
Thu Nov 17 22:32:09 2005: DEBUG: Packet dump:
*** Sending request to RadSec radsec1.cesnet.cz:2083 ....
Code: Access-Request
Identifier: 3
Authentic: 1<181><17>(<134><223><23>~?<226>L)<194><4><197>c
Attributes:
User-Name = "semik at cesnet.cz"
User-Password = <247>$&N<182>'<25>F<194><223>H<181><13>d{<179>
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Proxy-State = OSC-Extended-Id=3
Thu Nov 17 22:32:09 2005: DEBUG: AuthBy RADSEC result: IGNORE,
Thu Nov 17 22:32:11 2005: INFO: AuthRADSEC: No reply from radsec1.cesnet.cz:2083 for semik at cesnet.cz (0)
Thu Nov 17 22:32:14 2005: INFO: AuthRADSEC: No reply from radsec1.cesnet.cz:2083 for semik at cesnet.cz (0)
So the client running at 195.113.134.138/semik.cesnet.cz is getting no
response and times out.
And when I finally try to send another request to tomasek.cz again,
Radiator crashes:
Thu Nov 17 22:32:16 2005: DEBUG: Packet dump:
*** Sending request to RadSec radsec1.cesnet.cz:2083 ....
Code: Access-Request
Identifier: 6
Authentic: ,i<159><2><17><249><225><236>#s<28><15>><198>+<128>
Attributes:
User-Name = "semik at tomasek.cz"
User-Password = q<251><159><162>P;<234>Bc<142>Q<7>[&H=
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Proxy-State = OSC-Extended-Id=6
Thu Nov 17 22:32:16 2005: DEBUG: AuthBy RADSEC result: IGNORE,
Thu Nov 17 22:32:16 2005: ERR: TLS read failed: 17737: 1 - error:2006F079:BIO routines:BIO_read:unsupported method
17737: 2 - error:2006F079:BIO routines:BIO_read:unsupported method
17737: 3 - error:2006F079:BIO routines:BIO_read:unsupported method
Thu Nov 17 22:32:19 2005: DEBUG: Packet dump:
*** Received from 195.113.134.138 port 32860 ....
Code: Access-Request
Identifier: 22
Authentic: ,i<159><2><17><249><225><236>#s<28><15>><198>+<128>
Attributes:
User-Name = "semik at tomasek.cz"
User-Password = <238><4><150><218>|<171>6<142><<14><222><3>.<173><212><153>
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Thu Nov 17 22:32:19 2005: DEBUG: Handling request with Handler 'Realm=/^tomasek\.cz$/i'
Thu Nov 17 22:32:19 2005: DEBUG: Deleting session for semik at tomasek.cz, 255.255.255.255, 0
Thu Nov 17 22:32:19 2005: DEBUG: Handling with Radius::AuthRADSEC
Thu Nov 17 22:32:19 2005: DEBUG: Packet dump:
*** Sending request to RadSec radsec1.cesnet.cz:2083 ....
Code: Access-Request
Identifier: 7
Authentic: ,i<159><2><17><249><225><236>#s<28><15>><198>+<128>
Attributes:
User-Name = "semik at tomasek.cz"
User-Password = q<251><159><162>P;<234>Bc<142>Q<7>[&H=
NAS-IP-Address = 255.255.255.255
NAS-Port = 0
Proxy-State = OSC-Extended-Id=7
Segmentation fault
So... only one AuthBy RADSEC per server at this moment... emh.. that
isn't very useful ;) I noted that for those two realms radsec1.edu is
opening TWO connections to radsec.cesnet.cz. Mike, I think that in the
OpenSSL handling code you somehow mismatch SSL sessions.
I promise, this is going to be the last email from me today. My eyes are
closing... ;)
--
--------------------------------------------------------------
Jan Tomasek aka Semik work: CESNET, z.s.p.o.
http://www.tomasek.cz/ Zikova 4, 160 00 Praha 6
phone(work): +420 2 2435 5279 Czech Republic
phone(home): +420 312 661 386 http://www.cesnet.cz/
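
Added example, not part of the original post and not Radiator code: a small Python check that lists RadSec peers referenced by more than one AuthBy RADSEC clause, which is the layout the post reports as failing. It reads only the clause syntax shown in the post; the function names and the embedded sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample, reduced from the configuration quoted in the post.
SAMPLE_CONFIG = """\
<Handler Realm=/^cesnet\\.cz$/i>
    <AuthBy RADSEC>
        Host radsec1.cesnet.cz
        Port 2083
    </AuthBy>
</Handler>
<Handler Realm=/^tomasek\\.cz$/i>
    <AuthBy RADSEC>
        Host radsec1.cesnet.cz
        Port 2083
    </AuthBy>
</Handler>
"""

OPEN_TAG = re.compile(r"^<(\w+)\s*(.*?)>$")

def radsec_targets(config_text):
    """Map (host, port) to the Handler conditions whose AuthBy RADSEC points there."""
    targets = defaultdict(list)
    handler, clause = None, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_TAG.match(line)
        if m and m.group(1) == "Handler":
            handler = m.group(2) or "(no condition)"
        elif line == "</Handler>":
            handler = None
        elif m and m.group(1) == "AuthBy" and m.group(2).upper() == "RADSEC":
            clause = {"Host": None, "Port": None}   # Port stays None if not set
        elif line == "</AuthBy>" and clause is not None:
            targets[(clause["Host"], clause["Port"])].append(handler)
            clause = None
        elif clause is not None:
            key, *rest = line.split(None, 1)
            if key in clause and rest:
                clause[key] = rest[0]
    return dict(targets)

def shared_targets(config_text):
    """Return only the peers used by more than one AuthBy RADSEC clause."""
    found = radsec_targets(config_text)
    return {peer: hs for peer, hs in found.items() if len(hs) > 1}
```
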