[RADIATOR] Radius problem
Colin Byelong
c.byelong at ucl.ac.uk
Fri Dec 11 05:27:00 CST 2009
Hi,
We have been using Radiator to authenticate our wireless users and
provide EAP-TTLS support in our wireless infrastructure.
The server is running an old version of Radiator, 4.3.1, and we have been
trying to move to new hardware and a new version of Radiator.
Most of our requests come from one NAS. When we introduce the new server
everything looks good, then after ~1 hour we stop seeing requests from
the NAS; this may be load related, as we tend to swap the box at the start
of the day.
We have tried restarting the system when this happens, but we still can't
see requests from the NAS. When we revert to the old server, which uses
the same config file, everything starts working again.
Has anyone seen anything similar?
Are there any "load limits" on the server that would cause this behaviour?
Can we adjust queues or buffers to cope with many requests from the same
host?
#
Foreground
LogStdout
LogDir .
DbDir .
#
#Logfiles
#
<Log FILE>
Filename %L/radiator.%Y_%m_%d.log
LogIdent log-file
Trace 4
</Log>
#
#
#
#
#Use port 1812 for Authentication
AuthPort 1812,1645
#Use port 1813 for accounting
AcctPort 1813,1646
Trace 4
#
#
#
#
#Logging for users with no realm
#
#
<AuthLog FILE>
Identifier AUTH-DENY-NOREALM
Filename %L/NOREALM-deny-%d-%m-%y.log
FailureFormat %1:%T from Client:%c %a (%C) %n from NAS:%N
LogSuccess 0
LogFailure 1
</AuthLog>
#
#
#Logging for NRPS
#
<AuthLog FILE>
Identifier NRPSSTATS
Filename %L/NRPS-STATS-%Y-%m-%d.log
SuccessFormat %l: from Client:%c(NAS:%N) User=%u Reply-User=%{Reply:User-Name} :OK
FailureFormat %l: from Client:%c(NAS:%N) User=%u:FAIL
LogSuccess 1
LogFailure 1
</AuthLog>
#
#
#
#Logfile for local users
<AuthLog FILE>
Identifier LOCALUSERS
Filename %L/localusers.%Y-%m-%d.log
SuccessFormat :%l:%o %T:%{Calling-Station-Id} from %u at %N:OK
FailureFormat :%l:%o %T from %u at %N:FAIL
LogSuccess 1
LogFailure 1
</AuthLog>
#
#Logfile for local pap
<AuthLog FILE>
Identifier UCL_PAP
Filename %L/UCLPAP.%Y-%m-%d.log
SuccessFormat :%l:%o %T from %u at %N:OK
FailureFormat :%l:%o %T from %u at %N:FAIL
LogSuccess 1
LogFailure 1
</AuthLog>
#
#
<Client roaming0.ja.net>
Secret <REMOVED>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
#
#
#
<Client roaming1.ja.net>
Secret <REMOVED>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
#
<Client roaming2.ja.net>
Secret <REMOVED>
StatusServerShowClientDetails
Identifier NRPS
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
NoIgnoreDuplicates Accounting-Request
</Client>
#
<Client localhost>
Secret <REMOVED>
DupInterval 0
</Client>
#
#
#
#
#
#
#
<Client DEFAULT>
Secret <REMOVED>
DupInterval 2
StatusServerShowClientDetails
</Client>
#
#Handlers with authentication
<Handler TunnelledByTTLS=1>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detail.%m%y
<AuthBy LDAP2>
# Identifier UCL
Host <REMOVED>
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
# Port 3268
AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
# AuthPassword yourADadminpasswordhere
AuthPassword <REMOVED>
BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
ServerChecksPassword
EAPType MSCHAP-V2,TTLS,PAP,PEAP
UsernameAttr sAMAccountName
# EncryptedPasswordAttr sn
#
# AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
#
#
#
AuthLog LOCALUSERS
</Handler>
#
#
#EAPOUTER
<Handler Realm=ucl.ac.uk, EAP-Message = /.+/>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detail.eapout.%m%y
<AuthBy FILE>
Filename %D/users
EAPType TTLS,pap,PEAP,MSCHAP-V2
EAPTLS_CAFile %D/certs/sureserverEDU.pem
EAPTLS_CertificateFile %D/certs/orps.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certs/<REMOVED>
EAPTLS_MaxFragmentSize 1500
AutoMPPEKeys
EAPAnonymous anonymous
</AuthBy>
</Handler>
#
#
#Non EAP
<Handler Realm=ucl.ac.uk>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername tr/A-Z/a-z/
AcctLogFileName %L/ucl-detailplain.%m%y
<AuthBy LDAP2>
# Identifier UCL
Host <REMOVED>
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
# Port 3268
AuthDN cn=locindnet,ou=System Users,dc=uclusers,dc=ucl,dc=ac,dc=uk
# AuthPassword yourADadminpasswordhere
AuthPassword <REMOVED>
BaseDN ou=departments,dc=uclusers,dc=ucl,dc=ac,dc=uk
ServerChecksPassword
UsernameAttr sAMAccountName
# EncryptedPasswordAttr sn
#
# AuthAttrDef logonHours,MS-Login-Hours,check
</AuthBy>
AcctLogFileName %L/detail
AuthLog UCL_PAP
</Handler>
#
#
#Send Everything else to the NRPS
#
#
#Handler for users with no realm
<Handler Realm = "">
<AuthBy INTERNAL>
DefaultResult REJECT
</AuthBy>
AuthLog AUTH-DENY-NOREALM
</Handler>
#
#
<Handler>
#<AuthBy GROUP>
# AuthByPolicy ContinueUntilReject
# NoEAP
<AuthBy HASHBALANCE>
# NoEAP
EAPType MSCHAP-V2,TTLS,PAP,PEAP
<Host roaming0.ja.net>
Secret <REMOVED>
AuthPort 1812
AcctPort 1813
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</host>
#Second NRPS
<Host roaming1.ja.net>
Secret <REMOVED>
AuthPort 1812
AcctPort 1813
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</host>
#Third NRPS
<Host <REMOVED>>
Secret <REMOVED>
AuthPort 1812
AcctPort 1813
RetryTimeout 8
StripFromReply Tunnel-Type,Tunnel-Medium-Type,Tunnel-Private-Group-ID,Filter-Id,cisco-avpair
</host>
</AuthBy>
# AuthLog NRPSSTATS
#</AuthBy>
AuthLog NRPSSTATS
</Handler>
#
Thanks
Colin
--
-----------------------------------------------------------------------
Colin Byelong Email: C.Byelong at ucl.ac.uk
Senior Network Development Officer
Network Group
Information Systems Division
University College London
Gower Street Phone: 020 7679-2572
London WC1E 6BT
------------------------------------------------------------------------
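A first thing to establish when "requests from the NAS stop" is exactly when each NAS went quiet and what rate it was sending beforehand, which the AuthLog files in the posted config already record. The following is an added example (not code from the original post or from Radiator): a Python script that parses the NRPSSTATS AuthLog format from the config above (SuccessFormat "%l: from Client:%c(NAS:%N) User=%u Reply-User=... :OK", FailureFormat "%l: from Client:%c(NAS:%N) User=%u:FAIL") and reports, per NAS, the request count, peak requests per minute, and how long the NAS has been silent relative to the end of the log. It assumes %l renders as a ctime-style timestamp ("Fri Dec 11 08:00:01 2009"); the lines in SAMPLE_LOG, the client names, NAS addresses and user names are constructed.

```python
"""Per-NAS silence and rate report from a Radiator AuthLog (NRPSSTATS format).

Added example, not from the original post or from Radiator. Assumes %l is a
ctime-style timestamp; SAMPLE_LOG and every name/address in it are constructed.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Matches both the SuccessFormat (… Reply-User=… :OK) and FailureFormat (User=…:FAIL)
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}): "
    r"from Client:(?P<client>[^(]+)\(NAS:(?P<nas>[^)]+)\) "
    r"User=(?P<user>[^\s:]+).*:(?P<result>OK|FAIL)$"
)
TS_FORMAT = "%a %b %d %H:%M:%S %Y"

# Constructed sample: NAS 10.0.0.1 goes quiet after 09:01, 10.0.0.2 keeps going.
SAMPLE_LOG = """\
Fri Dec 11 08:00:01 2009: from Client:wlc1(NAS:10.0.0.1) User=alice@example.ac.uk Reply-User=alice@example.ac.uk :OK
Fri Dec 11 08:00:02 2009: from Client:wlc1(NAS:10.0.0.1) User=bob@example.ac.uk Reply-User=bob@example.ac.uk :OK
Fri Dec 11 08:00:02 2009: from Client:wlc1(NAS:10.0.0.1) User=carol@example.ac.uk:FAIL
Fri Dec 11 08:30:10 2009: from Client:wlc2(NAS:10.0.0.2) User=dave@example.ac.uk Reply-User=dave@example.ac.uk :OK
Fri Dec 11 09:01:15 2009: from Client:wlc1(NAS:10.0.0.1) User=erin@example.ac.uk Reply-User=erin@example.ac.uk :OK
Fri Dec 11 09:45:00 2009: from Client:wlc2(NAS:10.0.0.2) User=frank@example.ac.uk:FAIL
Fri Dec 11 10:30:00 2009: from Client:wlc2(NAS:10.0.0.2) User=grace@example.ac.uk Reply-User=grace@example.ac.uk :OK
this line is not an AuthLog entry and is skipped
""".splitlines()


def parse_log(lines):
    """Yield (timestamp, client, nas, user, result); silently skip non-matching lines."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield (datetime.strptime(m["ts"], TS_FORMAT),
                   m["client"], m["nas"], m["user"], m["result"])


def per_nas_report(events, silence=timedelta(minutes=10)):
    """Per NAS: count, first/last seen, peak per-minute rate, and silence
    measured against the newest event in the whole log (not wall-clock time,
    so the report is reproducible from a saved file)."""
    by_nas = defaultdict(list)
    for ts, _client, nas, _user, _result in events:
        by_nas[nas].append(ts)
    if not by_nas:
        return {}
    log_end = max(max(stamps) for stamps in by_nas.values())
    report = {}
    for nas, stamps in by_nas.items():
        stamps.sort()
        per_minute = defaultdict(int)
        for ts in stamps:
            per_minute[ts.replace(second=0, microsecond=0)] += 1
        quiet = log_end - stamps[-1]
        report[nas] = {
            "count": len(stamps),
            "first": stamps[0],
            "last": stamps[-1],
            "peak_per_minute": max(per_minute.values()),
            "silent_for": quiet,
            "went_silent": quiet >= silence,
        }
    return report


def main(argv):
    lines = open(argv[1]) if len(argv) > 1 else SAMPLE_LOG
    for nas, r in sorted(per_nas_report(parse_log(lines)).items()):
        flag = "SILENT" if r["went_silent"] else "ok"
        print(f"{nas:16} n={r['count']:6} peak/min={r['peak_per_minute']:4} "
              f"last={r['last']:%H:%M:%S} quiet={r['silent_for']} {flag}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it against the NRPS-STATS-*.log from the failing day (python3 nasreport.py NRPS-STATS-2009-12-11.log): a NAS flagged SILENT with a high peak/min just before its last entry points at a load-related cutoff; a NAS that simply stops with no preceding spike suggests the NAS itself, or the path to it, stopped sending. The same regex can be adapted to the LOCALUSERS or UCL_PAP formats by changing LINE_RE.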
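The other half of the diagnosis is to ask the new server directly whether it is alive and keyed correctly, independently of the NAS. The posted config enables StatusServerShowClientDetails, so the server answers Status-Server. Below is an added example (not code from the original post or from Radiator): a Python probe that builds an RFC 5997 Status-Server request with a Message-Authenticator, sends it over UDP, and validates the reply's Response Authenticator and Message-Authenticator against the shared secret. Because both are keyed by the secret, a wrong secret between the NAS <Client> definition and the NAS shows up as an authenticator mismatch rather than as silence. The host, port, secret and NAS-Identifier value are illustrative; simulate_accept() exists only so the validation logic can be exercised offline.

```python
"""RADIUS Status-Server liveness probe with authenticator checks.

Added example, not code from the original post or from Radiator. Assumes the
server answers Status-Server (RFC 5997) on its auth port; host, port, secret
and the NAS-Identifier value are illustrative.
"""
import hashlib
import hmac
import os
import socket
import struct
import sys

CODE_ACCESS_ACCEPT = 2
CODE_STATUS_SERVER = 12
ATTR_NAS_IDENTIFIER = 32
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """Type/Length/Value; Length includes the two header bytes (RFC 2865 s.5)."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(blob):
    """Return [(type, value, offset_of_value)]; raise on malformed TLVs."""
    out, i = [], 0
    while i < len(blob):
        length = blob[i + 1] if i + 1 < len(blob) else 0
        if length < 2 or i + length > len(blob):
            raise ValueError("bad attribute length at offset %d" % i)
        out.append((blob[i], blob[i + 2:i + length], i + 2))
        i += length
    return out


def build_status_server(secret, ident, request_auth=None, nas_id=b"probe"):
    """Status-Server with Message-Authenticator = HMAC-MD5(secret, packet with
    the attribute value zeroed), as required by RFC 5997 s.2 / RFC 3579 s.3.2."""
    if request_auth is None:
        request_auth = os.urandom(16)
    attrs = encode_attr(ATTR_NAS_IDENTIFIER, nas_id)
    attrs += encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # placeholder, last attr
    header = struct.pack("!BBH", CODE_STATUS_SERVER, ident, 20 + len(attrs)) + request_auth
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac


def validate_response(secret, request, response):
    """Return (ok, reason): checks id, length, Response Authenticator and, if
    present, the reply's Message-Authenticator. Both are keyed by the secret."""
    if len(response) < 20:
        return False, "short packet"
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response):
        return False, "length field does not match packet size"
    if ident != request[1]:
        return False, "identifier mismatch (reply to a different request)"
    request_auth, attrs_blob = request[4:20], response[20:]
    # Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret)
    expected = hashlib.md5(response[:4] + request_auth + attrs_blob + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return False, "Response Authenticator mismatch (wrong shared secret or forged reply)"
    try:
        attrs = parse_attrs(attrs_blob)
    except ValueError as exc:
        return False, f"malformed attributes: {exc}"
    for attr_type, value, off in attrs:
        if attr_type != ATTR_MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False, "Message-Authenticator has wrong length"
        zeroed = attrs_blob[:off] + bytes(16) + attrs_blob[off + 16:]
        mac = hmac.new(secret, response[:4] + request_auth + zeroed, hashlib.md5).digest()
        if not hmac.compare_digest(mac, value):
            return False, "Message-Authenticator mismatch"
    if code != CODE_ACCESS_ACCEPT:
        return False, f"unexpected code {code}"
    return True, "server alive; authenticators verified"


def simulate_accept(secret, request):
    """The reply a correctly keyed server sends; used for offline self-test only."""
    request_auth = request[4:20]
    attrs = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))
    header = struct.pack("!BBH", CODE_ACCESS_ACCEPT, request[1], 20 + len(attrs))
    mac = hmac.new(secret, header + request_auth + attrs, hashlib.md5).digest()
    attrs = attrs[:-16] + mac
    resp_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + resp_auth + attrs


def probe(host, port, secret, timeout=3.0):
    """Send one Status-Server over UDP and validate whatever comes back."""
    request = build_status_server(secret, ident=os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return False, "no reply (server down, packet dropped, or no matching <Client>)"
    return validate_response(secret, request, response)


if __name__ == "__main__":
    ok, why = probe(sys.argv[1], int(sys.argv[2]), sys.argv[3].encode())
    print(("OK" if ok else "FAIL") + ": " + why)
    sys.exit(0 if ok else 1)
```

Usage: python3 statusprobe.py new-server 1812 'the-secret-from-the-Client-clause'. Run it from the NAS's address (or from a host covered by the <Client DEFAULT> clause) once a minute while the NAS is active; a switch from OK to "no reply" at the same moment the AuthLog goes quiet distinguishes the server ceasing to answer from the NAS ceasing to send. Note that Status-Server on the auth port is answered with Access-Accept, so a source address that matches no <Client> gets silence, not a reject.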