(RADIATOR) clarity on the ContinueXXXYYY statements
Stuart Kendrick
skendric at fhcrc.org
Thu Sep 7 10:04:56 CDT 2006
hi,
I want to better understand the various ContinueXxxxYxxx statements
(ContinueWhileAccept and ContinueUntilAccept and so forth).
- I want to use RSA tokens to authenticate users.
- Here's my config:
# Typical VDOPS devices (switches, routers, WAPs, Hardware VPN Clients, IPSCON)
# Clump any client which sends us the standard shared secret into the 'vdops-gear' Handler
<Client DEFAULT>
    Secret moozle
    Identifier vdops-gear
</Client>

#### ACE authentication #####
<Handler Client-Identifier=vdops-gear>
    AuthByPolicy ContinueWhileAccept
    RejectHasReason
    # Ask for the tokencode
    <AuthBy ACE>
    </AuthBy>
    AuthByPolicy ContinueUntilAccept
    # Check and respond to group membership: administrative
    <AuthBy NT>
        GroupRequired EnableGroup
        NoCheckPassword
        AddToReply Service-Type = "Administrative-User"
    </AuthBy>
    # Check and respond to group membership: read-only
    <AuthBy NT>
        GroupRequired ReadOnlyGroup
        NoCheckPassword
        AddToReply Service-Type = "NAS-Prompt-User"
    </AuthBy>
    # Log it
    AcctLogFileName %L/Acct/%Y-%m-%d-acct
    AuthLog rsa-authlog
</Handler>
[I've also tried moving the 'AuthByPolicy ContinueUntilAccept' line to
just above the '# Check and respond to group membership: read-only'
line -- same results.]
- I can see from a packet trace, and from the logfile, that Radiator returns
an 'Access-Accept' ... but nothing more. The client refuses the login.
I believe that the client refuses the login because the client
requires more than an 'Access-Accept' ... it requires Service-Type as well.
Thu Sep 7 07:42:47 2006: DEBUG: Finished reading configuration file 'c:\Program Files\Radiator\radius-mgmt.cfg'
Thu Sep 7 07:42:47 2006: DEBUG: Reading dictionary file 'C:/Program Files/Radiator/dictionary'
Thu Sep 7 07:42:48 2006: DEBUG: Creating authentication port 0.0.0.0:1812
Thu Sep 7 07:42:48 2006: DEBUG: Creating accounting port 0.0.0.0:1813
Thu Sep 7 07:42:48 2006: NOTICE: Server started: Radiator 3.15 on vidal
Thu Sep 7 07:43:06 2006: DEBUG: Packet dump:
*** Received from 140.107.6.205 port 1645 ....
Code: Access-Request
Identifier: 7
Authentic: [...]
Attributes:
NAS-IP-Address = 140.107.6.5
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = "skendric"
Calling-Station-Id = "140.107.41.9"
User-Password = "[...]"
Thu Sep 7 07:43:06 2006: DEBUG: Handling request with Handler
'Client-Identifier=vdops-gear'
Thu Sep 7 07:43:06 2006: DEBUG: Deleting session for skendric,
140.107.6.5,1
Thu Sep 7 07:43:06 2006: DEBUG: Handling with Radius::AuthACE:
Thu Sep 7 07:43:06 2006: DEBUG: Radius::AuthACE looks for match with
skendric [skendric]
Thu Sep 7 07:43:08 2006: DEBUG: Radius::AuthACE ACCEPT: : skendric
[skendric]
Thu Sep 7 07:43:08 2006: DEBUG: AuthBy ACE result: ACCEPT,
Thu Sep 7 07:43:08 2006: DEBUG: Access accepted for skendric
Thu Sep 7 07:43:08 2006: DEBUG: Packet dump:
- So, I'm guessing that Radiator processes the <AuthBy ACE></AuthBy>
section ... and then quits processing this Handler. Why? Wouldn't the
'AuthByPolicy ContinueWhileAccept' phrase instruct Radiator to continue
to the next stanza within this Handler, i.e. to the first <AuthBy NT>
stanza? [btw: user 'skendric' belongs to EnableGroup]
- I have a working config file ... when this config file is in place, I
can successfully log in. [But I'd like to simplify it ... ergo my
efforts above.]
here is the working config file:
########## CLIENT DEFINITIONS ############
# Typical VDOPS devices (switches, routers, WAPs, Hardware VPN Clients, IPSCON)
# Clump any client which sends us the standard shared secret into the 'vdops-gear' Handler
<Client DEFAULT>
    Secret Spann1n9
    Identifier vdops-gear
</Client>

########## AUTHENTICATION HANDLERS ############
# Users file that maps the CiscoEnable group to Service-Type Administrative-User
<AuthBy FILE>
    Identifier CheckCiscoEnable
    Filename C:\Program Files\Radiator\ChKCiscoEnable
</AuthBy>
# Users file that maps the CiscoReadOnly group to Service-Type NAS-Prompt-User
<AuthBy FILE>
    Identifier CheckCiscoReadOnly
    Filename C:\Program Files\Radiator\ChKCiscoReadOnly
</AuthBy>
# Group-membership check only; the password was already checked by ACE
<AuthBy NT>
    Identifier CheckNT
    GroupRequired
    NoCheckPassword
</AuthBy>

##### ACE Authentication #####
<Handler Client-Identifier=vdops-gear>
    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept
        <AuthBy ACE>
        </AuthBy>
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject
            AuthBy CheckCiscoEnable
            AuthBy CheckCiscoReadOnly
        </AuthBy>
    </AuthBy>
</Handler>
C:\Program Files\Radiator>type ChkCiscoEnable
DEFAULT Auth-Type = CheckNT, Group = CiscoEnable
Service-Type = "Administrative-User"
C:\Program Files\Radiator>type ChkCiscoReadOnly
DEFAULT Auth-Type = CheckNT, Group = CiscoReadOnly
Service-Type = "NAS-Prompt-User"
C:\Program Files\Radiator>
- When this config file is in place, the logfile output looks the same
... and from the packet trace, I can see that in addition to returning
an 'Access-Accept', Radiator also returns "Service-Type(6):
Administrative-User(6)" ... and I successfully log in to the device.
Insights or additional trouble-shooting steps solicited.
--sk
stuart kendrick
fhcrc
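The following is an added illustration for this thread, not Radiator code and not the poster's own; it models how a Handler or AuthBy GROUP walks its AuthBy clauses under each AuthByPolicy value. Assumptions, stated here and in the comments: the policy semantics follow the Radiator reference manual as I understand it (each policy is "keep going while/until the clause returns X", the GROUP's result is the last clause's result); only one AuthByPolicy value applies per Handler or GROUP, so a Handler that sets it twice, as the first config does, is modelled with a single effective policy; AddToReply attributes are kept only from clauses that returned ACCEPT and only when the overall result is ACCEPT. The requests, user names and group memberships are constructed for the example. Run against both configs from the post, it shows why the first Handler yields a bare Access-Accept under ContinueUntilAccept, why even a single ContinueWhileAccept would not help (it rejects once the read-only group check fails), and why the nested GROUP with ContinueWhileReject produces the Service-Type attribute for both an administrative and a read-only user.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# AuthByPolicy name -> "keep going after this result?" (assumed semantics, as
# documented in the Radiator reference manual; ContinueWhileIgnore is the default).
POLICIES = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
    "ContinueAlways":      lambda r: True,
}


@dataclass
class Clause:
    """One <AuthBy ...> clause: 'check' decides ACCEPT/REJECT for a request,
    'add_to_reply' models AddToReply (only emitted when the clause accepts)."""
    name: str
    check: Callable[[dict], bool]
    add_to_reply: Dict[str, str] = field(default_factory=dict)

    def authenticate(self, request: dict, trace: List[tuple]):
        result = ACCEPT if self.check(request) else REJECT
        trace.append((self.name, result))
        return result, (dict(self.add_to_reply) if result == ACCEPT else {})


@dataclass
class Group:
    """An <AuthBy GROUP>, or a Handler's own AuthBy list: one AuthByPolicy,
    members walked in order until the policy says stop."""
    policy: str
    members: list

    def authenticate(self, request: dict, trace: List[tuple]):
        keep_going = POLICIES[self.policy]
        result, reply = IGNORE, {}
        for member in self.members:
            result, attrs = member.authenticate(request, trace)
            if result == ACCEPT:
                reply.update(attrs)          # AddToReply from accepting members accumulates
            if not keep_going(result):
                break
        # Assumed: the group's result is the last member's result, and reply
        # attributes survive only on an overall ACCEPT.
        return result, (reply if result == ACCEPT else {})


def ace(request: dict) -> bool:              # <AuthBy ACE>: the tokencode check
    return request["tokencode_ok"]


def in_group(group: str) -> Callable[[dict], bool]:   # GroupRequired / Group = ... check
    return lambda request: group in request["groups"]


ADMIN = {"Service-Type": "Administrative-User"}
READONLY = {"Service-Type": "NAS-Prompt-User"}


def posted_handler(effective_policy: str) -> Group:
    """The first Handler in the post, with the single AuthByPolicy value assumed to apply."""
    return Group(effective_policy, [
        Clause("ACE", ace),
        Clause("NT EnableGroup", in_group("EnableGroup"), ADMIN),
        Clause("NT ReadOnlyGroup", in_group("ReadOnlyGroup"), READONLY),
    ])


def working_handler() -> Group:
    """The working config: ACE, then an inner GROUP that tries the enable file
    and falls through to the read-only file while the result is REJECT."""
    return Group("ContinueWhileAccept", [
        Clause("ACE", ace),
        Group("ContinueWhileReject", [
            Clause("CheckCiscoEnable", in_group("CiscoEnable"), ADMIN),
            Clause("CheckCiscoReadOnly", in_group("CiscoReadOnly"), READONLY),
        ]),
    ])


def run(handler: Group, request: dict):
    """Returns (final result, reply attributes, per-clause trace)."""
    trace: List[tuple] = []
    result, reply = handler.authenticate(request, trace)
    return result, reply, trace


# Constructed requests (not taken from the post's log): an admin and a read-only user.
ADMIN_REQ = {"User-Name": "skendric", "tokencode_ok": True,
             "groups": {"EnableGroup", "CiscoEnable"}}
RO_REQ = {"User-Name": "ro-user", "tokencode_ok": True,
          "groups": {"ReadOnlyGroup", "CiscoReadOnly"}}

if __name__ == "__main__":
    for label, handler in [("posted/ContinueUntilAccept", posted_handler("ContinueUntilAccept")),
                           ("posted/ContinueWhileAccept", posted_handler("ContinueWhileAccept")),
                           ("working", working_handler())]:
        for req in (ADMIN_REQ, RO_REQ):
            print(label, req["User-Name"], run(handler, req))
```

Under ContinueUntilAccept the walk stops at the ACE ACCEPT with an empty reply, which is exactly the bare Access-Accept in the trace above; under ContinueWhileAccept the admin user reaches the read-only clause, which rejects, so the whole Handler rejects. The nested GROUP with ContinueWhileReject is what turns "first matching group wins" into an ACCEPT that carries the Service-Type attribute.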
--
Archive at http://www.open.com.au/archives/radiator/
Announcements on radiator-announce at open.com.au
To unsubscribe, email 'majordomo at open.com.au' with
'unsubscribe radiator' in the body of the message.