[RADIATOR] AuthBy Safeword problem

Hugh Irvine hugh at open.com.au
Tue Jul 1 01:05:24 CDT 2008


Hello Johan -

Is there perhaps a firewall between the Radiator host and the  
Safeword host?

It looks to me like the connection to the Safeword host is lost and  
Radiator waits 10 seconds before retrying.

You can try altering the Timeout parameter in the AuthBy SAFEWORD  
clause to something more aggressive than 10 seconds.

regards

Hugh


On 30 Jun 2008, at 22:59, Johan Frid wrote:

> I'm having a problem with AuthBy Safeword. I'm getting ERR: AuthBy SAFEWORD
> read error, disconnecting. That is causing clients to time out. Any idea what
> the problem could be? Can't find anything in Safeword's log file that
> indicates that the problem is in Safeword.
>
> //Johan Frid
> TeliaSonera
>
> ------------------Debug level 4 ------------------
> Thu Jun 26 14:46:07 2008: DEBUG: Packet dump:
> *** Received from 192.168.0.199 port 1104 ....
> Code:       Access-Request
> Identifier: 25
> Authentic:        1214477169
> Attributes:
>         User-Name = "STUDENT2"
>         User-Password = <241>8<246><222>w<213>CB  
> <172><177>SDn<243><168>
>
> Thu Jun 26 14:46:07 2008: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Thu Jun 26 14:46:07 2008: DEBUG: Rewrote user name to student2
> Thu Jun 26 14:46:07 2008: DEBUG:  Deleting session for STUDENT2,
> 192.168.0.199,
> Thu Jun 26 14:46:07 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
> Thu Jun 26 14:46:07 2008: DEBUG: Radius::AuthSAFEWORD looks for  
> match with
> student2 [STUDENT2]
> Thu Jun 26 14:46:07 2008: ERR: AuthBy SAFEWORD read error,  
> disconnecting:
> Thu Jun 26 14:46:07 2008: DEBUG: AuthBy SAFEWORD connecting to
> 192.168.0.205:5031
> Thu Jun 26 14:46:17 2008: DEBUG: Radius::AuthSAFEWORD ACCEPT: :  
> student2
> [STUDENT2]
> Thu Jun 26 14:46:17 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
> Thu Jun 26 14:46:17 2008: DEBUG: Access accepted for student2
> Thu Jun 26 14:46:17 2008: DEBUG: Packet dump:
> *** Sending to 192.168.0.199 port 1104 ....
> Code:       Access-Accept
> Identifier: 25
> Authentic:        1214477169
> Attributes:
>         Service-Type = Administrative-User
>         cisco-avpair = "shell:priv-lvl=15"
>         Juniper-Local-User-Name = "remote1"
>         RB-TTY-Level-Start = 15
>         RB-TTY-Level-Max = 15
>         Unisphere-Init-CLI-Access-Level = "1"
>         Unisphere-Alt-CLI-Access-Level = "10"
>         Login-Service = 0
>         Huawei-Exec-Privilege = 3
> ------------------End Debug level 4 -------------------
>
> config file I'm using
> ------------------safeword.cfg------------------
>
> Foreground
> LogStdout
> LogDir	/var/log/radius
> DbDir		
> Trace 		4
> AuthPort	1645
> AcctPort	1646
> DictionaryFile /etc/radiusradiator/dictionary/dictionary
> <Client DEFAULT>
>
> Secret	mysecret
>
> DupInterval 0
> </Client>
>
> <Realm DEFAULT>
> 	# This one translates all uppercase chars to lowercase
> 	RewriteUsername	tr/A-Z/a-z/
>
> 	<AuthBy SAFEWORD>
> 		# The name or address of the host where the SafeWord
> 		# PremierAccess server runs
> 		# Defaults to localhost.
> 		# Set this to the address of the SafeWord PremierAccess server
> 		#Host localhost
> 		Host 192.168.0.205
>
> 		# Port to connect to on Host.
> 		# Defaults to 5031, the default SafeWord EASSP2 port
> 		Port 5031
>
> 		# You can specify which EAP types can be used
> 		# One-Time-Password and Generic-Token are supported
> 		EAPType One-Time-Password,Generic-Token
> 		
> 		#AgentName 		
> 		AgentName secore
> 		
> 		# You can make different types of reply depending on the group
> 		# of the authenticated user, if there are ActionData groups
> 		# sent back by SafeWord server
> 		
> 		GroupReply RO,\
> 		Service-Type = Administrative-User,\
> 		cisco-avpair = "shell:priv-lvl=1",\
> 		Juniper-Local-User-Name = "remote2",\
> 		RB-TTY-Level-Start = 5,\
> 		RB-TTY-Level-Max = 5
> 		
> 		GroupReply RW,\
> 		Service-Type = Administrative-User,\
> 		cisco-avpair = "shell:priv-lvl=15",\
> 		Juniper-Local-User-Name = "remote1",\
>       		RB-TTY-Level-Start = 15,\
>        		RB-TTY-Level-Max = 15
> 	</AuthBy>
>
> </Realm>
>
> ------------------End safeword.cfg------------------
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
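
Added example, not part of the original message or of Radiator: a Python script that scans a Radiator trace for the pattern discussed in this thread, an AuthBy SAFEWORD read error followed by a reconnect and a delayed result. The sample lines are constructed from the trace quoted above (wrapped lines re-joined, the 14:52 request invented), and the script assumes requests appear one after another in the log.

```python
import re
from datetime import datetime

# Constructed sample: first five lines re-joined from the quoted trace,
# last two invented to show a request that did not stall.
SAMPLE_LOG = """\
Thu Jun 26 14:46:07 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
Thu Jun 26 14:46:07 2008: ERR: AuthBy SAFEWORD read error, disconnecting:
Thu Jun 26 14:46:07 2008: DEBUG: AuthBy SAFEWORD connecting to 192.168.0.205:5031
Thu Jun 26 14:46:17 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
Thu Jun 26 14:46:17 2008: DEBUG: Access accepted for student2
Thu Jun 26 14:52:40 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
Thu Jun 26 14:52:40 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

def find_stalls(log_text, min_seconds=5):
    """Return requests where a SAFEWORD read error preceded a slow result."""
    stalls, req = [], None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # packet dumps and wrapped continuation lines
        ts = datetime.strptime(m.group(1), TS_FORMAT)
        level, msg = m.group(2), m.group(3)
        if msg.startswith("Handling with Radius::AuthSAFEWORD"):
            req = {"start": ts, "read_error": False, "target": None}
        elif req is None:
            continue  # not inside a SAFEWORD-handled request
        elif level == "ERR" and "AuthBy SAFEWORD read error" in msg:
            req["read_error"] = True
        elif msg.startswith("AuthBy SAFEWORD connecting to "):
            req["target"] = msg.rsplit(" ", 1)[1]
        elif msg.startswith("AuthBy SAFEWORD result:"):
            delay = int((ts - req["start"]).total_seconds())
            if req["read_error"] and delay >= min_seconds:
                stalls.append({"start": req["start"], "delay_seconds": delay,
                               "target": req["target"],
                               "result": msg.split(":", 1)[1].strip(" ,")})
            req = None
    return stalls

if __name__ == "__main__":
    for s in find_stalls(SAMPLE_LOG):
        print(f'{s["start"]}: {s["delay_seconds"]}s stall after read error, '
              f'reconnect to {s["target"]}, result {s["result"]}')
```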