[RADIATOR] Radiator with RSA AM7, Radiator failes to continue after timeout on SOAP channel

Boon, E.J.C. E.J.C.Boon at i-groep.leidenuniv.nl
Thu Oct 15 09:25:47 CDT 2009


Hi Hugh,

It took a while, but I have the result of your request to try the RSA
timeout on a Windows server. There are some dictionary messages which
are caused by improper configuration. However, the timeout the Windows
server has before closing the channel to the RSA server is only 20 sec
AND it walks through my failover construction by trying the second
server.
Even if I add the client timeout parameter of 43 seconds I think I can
get a valid response. The Windows server didn't have access to the RSA
server so I couldn't test that one.

The used versions:
ActivePerl-5.10.1.1006-MSWin32-x86-291086.msi
SOAP-Lite 0.710.08


Thu Oct 15 15:41:29 2009: ERR: Attribute number 1 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 6 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 4 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 32 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 5 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 30 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 31 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 61 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 79 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 80 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 1 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 30 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 1268 ....

Packet length = 122
01 d1 00 7a 88 09 8a fe 3d b7 0a 17 89 e2 d0 89
12 2c c9 a3 01 07 6d 69 6b 65 6d 06 06 00 00 00
02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c 68 6f
73 74 20 74 65 73 74 69 6e 67 05 06 00 00 04 d2
1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39 38 37
36 35 34 33 32 31 3d 06 00 00 00 00 4f 0c 02 00
00 0a 01 6d 69 6b 65 6d 50 12 ed 39 32 05 a1 6e
61 e6 4f c5 28 50 d5 4c c0 11
Code:       Access-Request
Identifier: 209
Authentic:  <136><9><138><254>=<183><10><23><137><226><208><137><18>,<201><163>
Attributes:

Thu Oct 15 15:41:29 2009: ERR: Attribute number 5 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 40 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Thu Oct 15 15:41:29 2009: ERR: Attribute number 4 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 32 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 44 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 8 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: DEBUG:  Deleting session for , 127.0.0.1, 
Thu Oct 15 15:41:29 2009: DEBUG: Handling with Radius::AuthRSAAM: 
Thu Oct 15 15:41:29 2009: ERR: Attribute number 79 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: DEBUG: Radius::AuthRSAAM looks for match with []
Thu Oct 15 15:41:29 2009: ERR: Attribute number 2 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: ERR: Attribute number 24 is not defined in your dictionary
Thu Oct 15 15:41:29 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
Thu Oct 15 15:41:29 2009: DEBUG: Calling SOAP LoginCommand
Thu Oct 15 15:41:50 2009: WARNING: SOAP call failed: 500 Connect failed: connect: Unknown error; Unknown error at Radius/AuthRSAAM.pm line 526

Thu Oct 15 15:41:50 2009: DEBUG: Radius::AuthRSAAM IGNORE: RSA AM session failure:  []
Thu Oct 15 15:41:50 2009: DEBUG: AuthBy RSAAM result: IGNORE, RSA AM session failure
Thu Oct 15 15:41:50 2009: DEBUG: Handling with Radius::AuthRSAAM: 
Thu Oct 15 15:41:50 2009: DEBUG: Radius::AuthRSAAM looks for match with []
Thu Oct 15 15:41:50 2009: DEBUG: RSA AM start https://132.229.88.87:7002/ims-ws/services/CommandServer
Thu Oct 15 15:41:50 2009: DEBUG: Calling SOAP LoginCommand
Thu Oct 15 15:42:11 2009: WARNING: SOAP call failed: 500 Connect failed: connect: Unknown error; Unknown error at Radius/AuthRSAAM.pm line 526

Thu Oct 15 15:42:11 2009: DEBUG: Radius::AuthRSAAM IGNORE: RSA AM session failure:  []
Thu Oct 15 15:42:11 2009: DEBUG: AuthBy RSAAM result: IGNORE, RSA AM session failure

Regards,

Erwin Boon
Team middleware
Leiden University
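
The empty "Attributes:" block and the run of "Attribute number N is not defined in your dictionary" errors in the Windows log above are what a Radiator instance prints when it cannot find its dictionary file: the packet itself is fine. As an added example (not Radiator's code and not part of this thread), the Python below decodes that exact Access-Request with a constructed minimal dictionary covering the attribute numbers the Windows run could not resolve, and checks the Message-Authenticator the way RFC 2869 s5.14 specifies. The bytes are copied from the "Received from 127.0.0.1 port 1268" dump; the dictionary entries, the helper names and the shared secret (taken from the posted radius.cfg / radpwtst line) are assumptions for illustration.

```python
import hashlib
import hmac
import struct

# Constructed minimal dictionary: the attribute numbers Radiator reported as
# "not defined in your dictionary" above, with their RFC 2865/2869 names.
DICTIONARY = {
    1: ("User-Name", "string"), 2: ("User-Password", "octets"),
    4: ("NAS-IP-Address", "ipaddr"), 5: ("NAS-Port", "integer"),
    6: ("Service-Type", "integer"), 8: ("Framed-IP-Address", "ipaddr"),
    24: ("State", "octets"), 30: ("Called-Station-Id", "string"),
    31: ("Calling-Station-Id", "string"), 32: ("NAS-Identifier", "string"),
    40: ("Acct-Status-Type", "integer"), 44: ("Acct-Session-Id", "string"),
    61: ("NAS-Port-Type", "integer"), 79: ("EAP-Message", "octets"),
    80: ("Message-Authenticator", "octets"),
}
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
MSG_AUTH = 80
SECRET = b"mysecret"  # assumption: the shared secret from the posted radius.cfg / radpwtst line
# Copied from the "Received from 127.0.0.1 port 1268" dump in the message above.
PACKET_HEX = """
01 d1 00 7a 88 09 8a fe 3d b7 0a 17 89 e2 d0 89
12 2c c9 a3 01 07 6d 69 6b 65 6d 06 06 00 00 00
02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c 68 6f
73 74 20 74 65 73 74 69 6e 67 05 06 00 00 04 d2
1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39 38 37
36 35 34 33 32 31 3d 06 00 00 00 00 4f 0c 02 00
00 0a 01 6d 69 6b 65 6d 50 12 ed 39 32 05 a1 6e
61 e6 4f c5 28 50 d5 4c c0 11
"""


def parse_dump(text: str) -> bytes:
    """Turn a Radiator/radpwtst hex dump into raw bytes."""
    return bytes.fromhex("".join(text.split()))


def decode(packet: bytes):
    """Parse a RADIUS packet into (code name, identifier, [(name, value)], unknown);
    unknown lists attribute numbers missing from DICTIONARY (Radiator's dictionary error)."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError(f"length field {length} != {len(packet)} bytes received")
    attrs, unknown, pos = [], [], 20
    while pos < length:
        if length - pos < 2:
            raise ValueError(f"truncated attribute header at offset {pos}")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} at offset {pos}")
        raw, pos = packet[pos + 2:pos + alen], pos + alen
        if atype not in DICTIONARY:
            unknown.append(atype)
            attrs.append((f"Attr-{atype}", raw))
            continue
        name, kind = DICTIONARY[atype]
        if kind == "integer" and len(raw) == 4:
            value = struct.unpack("!I", raw)[0]
        elif kind == "ipaddr" and len(raw) == 4:
            value = ".".join(str(b) for b in raw)
        elif kind == "string":
            value = raw.decode("utf-8", "replace")
        else:
            value = raw
        attrs.append((name, value))
    return CODES.get(code, f"code {code}"), ident, attrs, unknown


def _message_authenticator_offset(packet: bytes):
    """Offset of the 16-byte Message-Authenticator value, or None if absent."""
    pos = 20
    while pos + 2 <= len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2:
            return None
        if atype == MSG_AUTH and alen == 18:
            return pos + 2
        pos += alen
    return None


def sign_message_authenticator(packet: bytes, secret: bytes) -> bytes:
    """RFC 2869 s5.14: HMAC-MD5 keyed with the shared secret over the whole packet
    with the Message-Authenticator value zeroed (the all-zero field in the radpwtst
    'Sending to' dump is that placeholder). Appended first if the packet has none."""
    off = _message_authenticator_offset(packet)
    if off is None:
        packet = packet + bytes([MSG_AUTH, 18]) + b"\x00" * 16
        packet = packet[:2] + struct.pack("!H", len(packet)) + packet[4:]
        off = len(packet) - 16
    zeroed = packet[:off] + b"\x00" * 16 + packet[off + 16:]
    return packet[:off] + hmac.new(secret, zeroed, hashlib.md5).digest() + packet[off + 16:]


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """True only if present and correct; an Access-Request carrying EAP-Message
    without one should be silently discarded (RFC 3579 s3.2)."""
    off = _message_authenticator_offset(packet)
    if off is None:
        return False
    expected = sign_message_authenticator(packet, secret)[off:off + 16]
    return hmac.compare_digest(expected, packet[off:off + 16])


if __name__ == "__main__":
    for name, value in decode(parse_dump(PACKET_HEX))[2]:
        print(f"{name} = {value!r}")
```

Running it shows the attributes the missing dictionary hid (User-Name "mikem", NAS-IP-Address 127.0.0.1, NAS-Port 1234, the EAP Identity response, and so on), all with the attribute numbers from the error lines. Whether the posted packet's Message-Authenticator verifies against "mysecret" is something to print rather than assume: the secret in the posted command line is not necessarily the one radpwtst used in that run.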

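
The manual excerpt quoted further down in this thread gives the contract the Realm relies on: an RSA AM server that cannot be contacted makes the AuthBy RSAAM return IGNORE, ContinueWhileIgnore moves to the next AuthBy, and only a server that answers produces ACCEPT or REJECT. The posted logs show the part that breaks it: the SLES host needed 3 minutes and 10 seconds and the Windows host 20 seconds to give up on the dead address, whatever Timeout was set to, and the SLES run turned that into a REJECT. The following is an added example in Python, not Radiator's AuthRSAAM code: it walks a list of hosts the way the posted Realm does, but bounds the TCP connect with an explicit deadline. The authenticate callback (standing in for the SOAP LoginCommand and SecurID check), the localhost listener and closed-port helpers and the deadline value are assumptions for illustration.

```python
import socket
import time

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"


def probe(host: str, port: int, timeout: float):
    """Try a TCP connect to host:port within `timeout` seconds. Returns the
    connected socket, or a short string saying why the server is unreachable.
    Without this bound the connect runs until the OS itself gives up, which is
    the minutes-long wait the thread's SLES log shows."""
    try:
        return socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return "timeout"
    except ConnectionRefusedError:
        return "refused"
    except OSError as exc:
        return f"unreachable ({exc.strerror or exc})"


def auth_by_chain(servers, authenticate, timeout=5.0):
    """Walk `servers` (list of (host, port)) like a Realm with AuthByPolicy
    ContinueWhileIgnore: an unreachable server is IGNORE and the next one is
    tried; the first reachable server decides ACCEPT or REJECT and the walk
    stops. `authenticate(sock)` -> bool is an assumed stand-in for the SOAP
    LoginCommand plus SecurID check. Returns (verdict, trail)."""
    trail = []
    for host, port in servers:
        started = time.monotonic()
        result = probe(host, port, timeout)
        elapsed = time.monotonic() - started
        if isinstance(result, str):
            trail.append((f"{host}:{port}", IGNORE, f"{result} after {elapsed:.2f}s"))
            continue
        with result as sock:
            verdict = ACCEPT if authenticate(sock) else REJECT
        trail.append((f"{host}:{port}", verdict, f"answered after {elapsed:.2f}s"))
        return verdict, trail
    # Every AuthBy returned IGNORE: Radiator sends no reply and the NAS times out.
    return IGNORE, trail


def listening_socket():
    """A listener on an ephemeral localhost port (stand-in for a live RSA AM host)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv


def closed_port() -> int:
    """A localhost port with nothing listening (stand-in for a dead RSA AM host)."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    srv = listening_socket()
    live = ("127.0.0.1", srv.getsockname()[1])
    dead = ("127.0.0.1", closed_port())
    for label, chain, ok in [("dead then live", [dead, live], True),
                             ("live rejects", [live, dead], False),
                             ("both dead", [dead, dead], True)]:
        verdict, trail = auth_by_chain(chain, lambda s: ok, timeout=2.0)
        print(f"{label}: {verdict}")
        for step in trail:
            print("   ", *step)
    srv.close()
```

The three runs in the main block correspond to the three situations in the thread: failover to the second server, a genuine REJECT that must not be retried elsewhere, and the all-servers-down case that ends in IGNORE and no reply. The distinction matters beyond availability: a REJECT produced by an unreachable server, as in the SLES log, reads as a bad token to the NAS and in the audit trail, while IGNORE lets the NAS do its own failover; and a connect bounded only by the OS keeps a request busy for minutes, so one dead address can stall the whole RADIUS service.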

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Thursday 24 September 2009 13:27
To: Boon, E.J.C.
Subject: Re: [RADIATOR] Radiator with RSA AM7, Radiator failes to
continue after timeout on SOAP channel


Hello Erwin -

I just want to see what effect (if any) there is on a different
platform. You can use any Windows machine - not necessarily the RSAAM
server.

We may be able to see if the problem is platform-specific and/or Perl
version specific.

regards

Hugh


On 24 Sep 2009, at 18:57, Boon, E.J.C. wrote:

> Hi Hugh,
>
> I'm not sure, it is an appliance which is also not mine.
> The box is not Windows, I'm told it is based on Ubuntu Server.
>
> As I told in my first email, this problem occurs only when the RSAAM 
> server is not online, when it is online and responding all works fine.
> Hypothetically, when I'm able to install perl and radiator on that 
> appliance I'm not sure what difference it should make when I try to 
> connect to the RSAAM server which is not online.
>
> I'll open the request to the RSA system owner, however I doubt he will 
> comply.
>
> Regards,
>
> Erwin
>
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Thursday 24 September 2009 10:38
> To: Boon, E.J.C.
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] Radiator with RSA AM7, Radiator failes to 
> continue after timeout on SOAP channel
>
>
> Hello Erwin -
>
> Unfortunately Mike is overseas for a couple of weeks and not easily 
> contactable.
>
> He won't be able to look at this until his return.
>
> Can you try running Radiator on the RSAAM host for comparison 
> purposes?
>
> regards
>
> Hugh
>
>
> On 24 Sep 2009, at 17:27, Boon, E.J.C. wrote:
>
>> Hi Hugh,
>>
>> Thank you for the fast reply, yes I did try the timeout setting.
>> I tried values between 4 and 60 seconds; however, the result is the 
>> same.
>>
>> The client ends at the specified timeout with:
>> ===========
>> # radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port 1813 -secret mysecret -noacct -trace 5 -nas_ip_address 127.0.0.1 -nas_identifier "Localhost testing"
>>
>> Thu Sep 24 09:19:01 2009: DEBUG: Reading dictionary file './dictionary'
>> sending Access-Request...
>> Thu Sep 24 09:19:01 2009: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 1812 ....
>>
>> Packet length = 126
>> 01 88 00 7e ff d7 4b 28 81 d4 61 08 cf e5 93 e1
>> 89 f4 fb d3 01 09 62 6f 6f 6e 65 6a 63 06 06 00
>> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
>> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
>> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
>> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
>> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 d3 7f
>> a1 be 8e 20 6c d3 fe 00 7b 67 7e 6d f2 02
>> Code:       Access-Request
>> Identifier: 136
>> Authentic:
>> <255><215>K(<129><212>a<8><207><229><147><225><137><244><251><211>
>> Attributes:
>>       User-Name = "user"
>>       Service-Type = Framed-User
>>       NAS-IP-Address = 127.0.0.1
>>       NAS-Identifier = "Localhost testing"
>>       NAS-Port = 1234
>>       Called-Station-Id = "123456789"
>>       Calling-Station-Id = "987654321"
>>       NAS-Port-Type = Async
>>       EAP-Message = <2><0><0><12><1>boonejc
>>       Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>
>> No reply
>> ===========
>> And the radiator log file ends at the same moment with:
>>
>> Thu Sep 24 09:19:01 2009: DEBUG: Response type 1
>> Thu Sep 24 09:19:01 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
>> Thu Sep 24 09:19:01 2009: DEBUG: Calling SOAP LoginCommand
>>
>> Then after 3 minutes and 10 seconds the rest of the log lines appear.
>>
>> Regards,
>>
>> Erwin Boon
>> Team Middleware
>> Leiden University
>>
>> -----Original Message-----
>> From: Hugh Irvine
>> Sent: Thursday 24 September 2009 0:15
>>
>> Hello Erwin -
>>
>> Have you tried setting a shorter timeout in the AuthBy RSAAM clause 
>> (using the "Timeout ..." parameter)?
>>
>> And have you tried running Radiator on the RSAAM Windows host 
>> directly?
>>
>> regards
>>
>> Hugh
>>
>>
>> On 23 Sep 2009, at 20:05, Boon, E.J.C. wrote:
>>
>>>
>>> Hi all,
>>>
>>> For a week now I've been playing with RSA via the RSAAM module in Radiator.
>>>
>>> Our setup is 2 radius servers (SLES10SP2) with Radiator 4.4 and 2 RSA
>>> servers with RSA AM 7. The communication between radiator and RSA is
>>> via SOAP (the only way?).
>>>
>>> We'd like to have some failover constructions in our setup, so I tried
>>> to fail-over between RSA servers by defining a non-existent IP address
>>> for one of the RSA servers.
>>>
>>> Now my problem is this; it seems that the SOAP call is taking too long
>>> with responding that the host is not reachable for radiator to
>>> continue with its AuthBy GROUP clause.
>>>
>>> - The timeout, let's say 180 seconds, is still too short for the
>>> HTTP/SOAP channel to time out.
>>> - What I also see is that the RSAAM authentication is not returning
>>> an IGNORE but a REJECT on timeout.
>>>
>>> Am I doing something wrong? Is there any way to get around this
>>> behaviour?
>>>
>>> I'm following a piece of the manual: Radiator RADIUS Server, with AuthBy
>>> RSAAM. PDF from OSC:
>>> ======
>>> Example from manual
>>>
>>> Radiator can be configured to implement failover between 2 or more RSA
>>> Authentication Manager Servers. Whenever an RSA Authentication Manager
>>> Server cannot be contacted, the AuthBy RSAAM clause returns IGNORE. If
>>> the AuthByPolicy is ContinueWhileIgnore, then Radiator will try the
>>> next AuthBy RSAAM in sequence until a server is successfully
>>> contacted. A typical configuration excerpt might be:
>>>
>>> # Failover from amserver1 to amserver2
>>> <Realm DEFAULT>
>>>       AuthByPolicy ContinueWhileIgnore
>>>       <AuthBy RSAAM>
>>>       Host amserver1.company.com:7002
>>>       ...
>>>       </AuthBy>
>>>       <AuthBy RSAAM>
>>>       Host amserver2.company.com:7002
>>>       ...
>>>       </AuthBy>
>>> </Realm>
>>> ======
>>>
>>> Real Config:
>>>
>>> Trace 5
>>> PidFile /var/run/radiusd.pid
>>> LogDir /var/log/radius/
>>> DbDir /etc/radiator
>>>
>>> AuthPort 1812
>>> AcctPort 1813
>>>
>>> <Client DEFAULT>
>>>       Secret mysecret
>>> </Client>
>>> <Realm DEFAULT>
>>>       AuthByPolicy ContinueWhileIgnore
>>>       <AuthBy RSAAM>
>>>               #Host 132.229.43.29:7002
>>>               Host 132.229.43.20:7002
>>>               SessionUsername CmdClient_inf****
>>>               SessionPassword **********
>>>               NoDefault
>>>               SOAPTrace all
>>>               EAPType Generic-Token
>>>               Policy SecurID_Native
>>>       </AuthBy>
>>>       <AuthBy RSAAM>
>>>               Host 132.229.88.87:7002
>>>               SessionUsername CmdClient_inf****
>>>               SessionPassword ************
>>>               NoDefault
>>>               SOAPTrace all
>>>               EAPType Generic-Token
>>>               Policy SecurID_Native
>>>       </AuthBy>
>>> </Realm>
>>> ======
>>>
>>> Log:
>>>
>>> Wed Sep 23 11:31:00 2009: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>>> Wed Sep 23 11:31:00 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
>>> Wed Sep 23 11:31:00 2009: DEBUG: Creating authentication port 0.0.0.0:1812
>>> Wed Sep 23 11:31:00 2009: DEBUG: Creating accounting port 0.0.0.0:1813
>>> Wed Sep 23 11:31:00 2009: NOTICE: Server started: Radiator 4.4 on bonnie
>>> Wed Sep 23 11:31:10 2009: DEBUG: Packet dump:
>>> *** Received from 127.0.0.1 port 32810 ....
>>>
>>> Packet length = 126
>>> 01 cd 00 7e 7c bf 97 1f 3f 28 c0 b4 1f 19 0c 5c
>>> aa 69 9a aa 01 09 62 6f 6f 6e 65 6a 63 06 06 00
>>> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
>>> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
>>> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
>>> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
>>> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 cd 0a
>>> 06 1d 30 ac 64 58 32 67 3d 46 ad 26 f0 aa
>>> Code:       Access-Request
>>> Identifier: 205
>>> Authentic:  |<191><151><31>?(<192><180><31><25><12>\<170>i<154><170>
>>> Attributes:
>>>       User-Name = "user"
>>>       Service-Type = Framed-User
>>>       NAS-IP-Address = 127.0.0.1
>>>       NAS-Identifier = "Localhost testing"
>>>       NAS-Port = 1234
>>>       Called-Station-Id = "123456789"
>>>       Calling-Station-Id = "987654321"
>>>       NAS-Port-Type = Async
>>>       EAP-Message = <2><0><0><12><1>user
>>>       Message-Authenticator =
>>> <205><10><6><29>0<172>dX2g=F<173>&<240><170>
>>>
>>> Wed Sep 23 11:31:10 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
>>> Wed Sep 23 11:31:10 2009: DEBUG:  Deleting session for user, 127.0.0.1, 1234
>>> Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
>>> Wed Sep 23 11:31:10 2009: DEBUG: Handling with EAP: code 2, 0, 12, 1
>>> Wed Sep 23 11:31:10 2009: DEBUG: Response type 1
>>> Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
>>> Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
>>> Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>>
>>> Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>>
>>> Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>>
>>> Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>>
>>>
>>> Wed Sep 23 11:34:20 2009: DEBUG: Packet dump:
>>> *** Sending to 127.0.0.1 port 32810 ....
>>> Packet length = 60
>>> 03 cd 00 3c 63 fb b6 08 7f 5b 79 ef 9f f2 d8 65
>>> d6 3a ce 49 4f 06 04 00 00 04 50 12 fb 25 51 d0
>>> 3e 16 c9 b8 f2 99 f0 71 9f e5 0a 4f 12 10 52 65
>>> 71 75 65 73 74 20 44 65 6e 69 65 64
>>> Code:       Access-Reject
>>> Identifier: 205
>>> Authentic:  c<251><182><8><127>[y<239><159><242><216>e<214>:<206>I
>>> Attributes:
>>>       EAP-Message = <4><0><0><4>
>>>       Message-Authenticator =
>>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>>       Reply-Message = "Request Denied"
>>>
>>> =====
>>> Cmdline:
>>> radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port 1813 -secret mysecret -interactive -noacct -trace 5 -nas_ip_address 127.0.0.1 -nas_identifier "Localhost testing"
>>>
>>> ======
>>>
>>> Regards,
>>>
>>> Erwin Boon
>>> Team middleware
>>> Leiden University
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> radiator mailing list
>>> radiator at open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive 
>> (www.open.com.au/archives/radiator
>> )?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets), 
>> together with a trace 4 debug showing what is happening?
>> Have you checked the RadiusExpert wiki:
>> http://www.open.com.au/wiki/index.php/Main_Page
>>
>> --
>> Radiator: the most portable, flexible and configurable RADIUS server 
>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>> Includes support for reliable RADIUS transport (RadSec), and DIAMETER

>> translation agent.
>> -
>> Nets: internetwork inventory and management - graphical, extensible, 
>> flexible with hardware, software, platform and database independence.
>> -
>> CATool: Private Certificate Authority for Unix and Unix-like systems.
>>
>>
>


