[RADIATOR] AuthBy Safeword problem

Hugh Irvine hugh at open.com.au
Wed Jul 2 20:57:48 CDT 2008


Hello Johan -

This is odd - are you running Radiator 4.2? And do you mean the  
Timeout parameter is not accepted in your configuration, or just that  
it seems to do nothing?

Have you restarted Radiator to re-read the configuration file?

regards

Hugh


On 2 Jul 2008, at 18:19, Johan Frid wrote:

> There's no firewall in between, and Timeout doesn't work in AuthBy
> SAFEWORD.
> Have attempted to add Timeout 3 in AuthBy SAFEWORD clause but nothing
> changes.
>
> Does there exist any keepalive function against the Safeword server?
>
> //Johan Frid
> TeliaSonera
>
>
> On 8:05 am 07/01/08 Hugh Irvine <hugh at open.com.au> wrote:
>>
>> Hello Johan -
>>
>> Is there perhaps a firewall between the Radiator host and the
>> Safeword host?
>>
>> It looks to me like the connection to the Safeword host is lost and
>> Radiator waits 10 seconds before retrying.
>>
>> You can try altering the Timeout parameter in the AuthBy SAFEWORD
>> clause to something more aggressive than 10 seconds.
>>
>> regards
>>
>> Hugh
>>
>>
>> On 30 Jun 2008, at 22:59, Johan Frid wrote:
>>
>>>  I'm having a problem with AuthBy Safeword. I'm getting ERR: AuthBy
>>>  SAFEWORD read error, disconnecting. That is causing clients to time
>>>  out. Any idea what the problem could be? I can't find anything in
>>>  Safeword's log file that indicates that the problem is in Safeword.
>>>
>>>  //Johan Frid
>>>  TeliaSonera
>>>
>>>  ------------------Debug level 4 ------------------
>>>  Thu Jun 26 14:46:07 2008: DEBUG: Packet dump:
>>>  *** Received from 192.168.0.199 port 1104 ....
>>>  Code:       Access-Request
>>>  Identifier: 25
>>>  Authentic:        1214477169
>>>  Attributes:
>>>          User-Name = "STUDENT2"
>>>          User-Password = <241>8<246><222>w<213>CB
>>>  <172><177>SDn<243><168>
>>>
>>>  Thu Jun 26 14:46:07 2008: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>>  Thu Jun 26 14:46:07 2008: DEBUG: Rewrote user name to student2
>>>  Thu Jun 26 14:46:07 2008: DEBUG:  Deleting session for STUDENT2, 192.168.0.199,
>>>  Thu Jun 26 14:46:07 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
>>>  Thu Jun 26 14:46:07 2008: DEBUG: Radius::AuthSAFEWORD looks for match with student2 [STUDENT2]
>>>  Thu Jun 26 14:46:07 2008: ERR: AuthBy SAFEWORD read error, disconnecting:
>>>  Thu Jun 26 14:46:07 2008: DEBUG: AuthBy SAFEWORD connecting to 192.168.0.205:5031
>>>  Thu Jun 26 14:46:17 2008: DEBUG: Radius::AuthSAFEWORD ACCEPT: : student2 [STUDENT2]
>>>  Thu Jun 26 14:46:17 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
>>>  Thu Jun 26 14:46:17 2008: DEBUG: Access accepted for student2
>>>  Thu Jun 26 14:46:17 2008: DEBUG: Packet dump:
>>>  *** Sending to 192.168.0.199 port 1104 ....
>>>  Code:       Access-Accept
>>>  Identifier: 25
>>>  Authentic:        1214477169
>>>  Attributes:
>>>          Service-Type = Administrative-User
>>>          cisco-avpair = "shell:priv-lvl=15"
>>>          Juniper-Local-User-Name = "remote1"
>>>          RB-TTY-Level-Start = 15
>>>          RB-TTY-Level-Max = 15
>>>          Unisphere-Init-CLI-Access-Level = "1"
>>>          Unisphere-Alt-CLI-Access-Level = "10"
>>>          Login-Service = 0
>>>          Huawei-Exec-Privilege = 3
>>>  ------------------End Debug level 4 -------------------
>>>
>>>  config file I'm using
>>>  ------------------safeword.cfg------------------
>>>
>>>  Foreground
>>>  LogStdout
>>>  LogDir    /var/log/radius
>>>  DbDir
>>>  Trace         4
>>>  AuthPort    1645
>>>  AcctPort    1646
>>>  DictionaryFile /etc/radiusradiator/dictionary/dictionary
>>>  <Client DEFAULT>
>>>
>>>  Secret    mysecret
>>>
>>>  DupInterval 0
>>>  </Client>
>>>
>>>  <Realm DEFAULT>
>>>      # This one translates all uppercase chars to lowercase
>>>      RewriteUsername    tr/A-Z/a-z/
>>>
>>>      <AuthBy SAFEWORD>
>>>          # The name or address of the host where the SafeWord
>>>          # PremierAccess server runs
>>>          # Defaults to localhost.
>>>          # Set this to the address of the SafeWord PremierAccess server
>>>          #Host localhost
>>>          Host 192.168.0.205
>>>
>>>          # Port to connect to on Host.
>>>          # Defaults to 5031, the default SafeWord EASSP2 port
>>>          Port 5031
>>>
>>>          # You can specify which EAP types can be used
>>>          # One-Time-Password and Generic-Token are supported
>>>          EAPType One-Time-Password,Generic-Token
>>>
>>>          #AgentName
>>>          AgentName secore
>>>
>>>          # You can make different types of reply depending on the group
>>>          # of the authenticated user, if there are ActionData groups
>>>          # sent back by SafeWord server
>>>
>>>          GroupReply RO,\
>>>          Service-Type = Administrative-User,\
>>>          cisco-avpair = "shell:priv-lvl=1",\
>>>          Juniper-Local-User-Name = "remote2",\
>>>          RB-TTY-Level-Start = 5,\
>>>          RB-TTY-Level-Max = 5
>>>
>>>          GroupReply RW,\
>>>          Service-Type = Administrative-User,\
>>>          cisco-avpair = "shell:priv-lvl=15",\
>>>          Juniper-Local-User-Name = "remote1",\
>>>          RB-TTY-Level-Start = 15,\
>>>          RB-TTY-Level-Max = 15
>>>      </AuthBy>
>>>
>>>  </Realm>
>>>
>>>  ------------------End safeword.cfg------------------
>>>
>>>  _______________________________________________
>>>  radiator mailing list
>>>  radiator at open.com.au
>>>  http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec),
>> and DIAMETER translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible,
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
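
The trace in this thread shows the read error and the reconnect at 14:46:07 and the ACCEPT at 14:46:17, the 10-second wait discussed above. The script below is an added example, not code from the thread or from Radiator: it measures that wait per request, so a trace taken after changing Timeout can be compared with one taken before. The name find_stalls and its threshold argument are assumptions made for this example.

```python
import re
from datetime import datetime

# Trace lines from the post above, with the mail client's line wrapping undone.
# The three 14:47:02 lines are constructed for this example: they show a
# request answered over a healthy connection, for contrast.
SAMPLE_LOG = """\
Thu Jun 26 14:46:07 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
Thu Jun 26 14:46:07 2008: DEBUG: Radius::AuthSAFEWORD looks for match with student2 [STUDENT2]
Thu Jun 26 14:46:07 2008: ERR: AuthBy SAFEWORD read error, disconnecting:
Thu Jun 26 14:46:07 2008: DEBUG: AuthBy SAFEWORD connecting to 192.168.0.205:5031
Thu Jun 26 14:46:17 2008: DEBUG: Radius::AuthSAFEWORD ACCEPT: : student2 [STUDENT2]
Thu Jun 26 14:46:17 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
Thu Jun 26 14:47:02 2008: DEBUG: Handling with Radius::AuthSAFEWORD:
Thu Jun 26 14:47:02 2008: DEBUG: Radius::AuthSAFEWORD looks for match with student3 [STUDENT3]
Thu Jun 26 14:47:02 2008: DEBUG: AuthBy SAFEWORD result: ACCEPT,
"""

LINE_RE = re.compile(r"^(\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (\w+): (.*)$")

def find_stalls(log_text, threshold=5):
    """Return one dict per AuthBy SAFEWORD request that took >= threshold seconds."""
    stalls, start, read_error, target = [], None, False, None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # packet dumps and attribute lines carry no timestamp
        ts = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
        level, msg = m.group(2), m.group(3)
        if msg.startswith("Handling with Radius::AuthSAFEWORD"):
            start, read_error, target = ts, False, None  # a new request begins
        elif start is None:
            continue  # not inside an AuthBy SAFEWORD request
        elif level == "ERR" and "AuthBy SAFEWORD read error" in msg:
            read_error = True
        elif msg.startswith("AuthBy SAFEWORD connecting to "):
            target = msg.rsplit(" ", 1)[1]
        elif msg.startswith("AuthBy SAFEWORD result:"):
            waited = int((ts - start).total_seconds())
            if waited >= threshold:
                stalls.append({"at": start.strftime("%H:%M:%S"), "seconds": waited,
                               "read_error": read_error, "reconnected_to": target,
                               "result": msg.split(":", 1)[1].strip(" ,")})
            start = None
    return stalls

if __name__ == "__main__":
    print(find_stalls(SAMPLE_LOG))
```

Run it against the file under LogDir after each configuration change; trace timestamps have one-second resolution, so the reported wait is accurate to about a second.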
