[RADIATOR] Radiator with RSA AM7, Radiator fails to continue after timeout on SOAP channel

Boon, E.J.C. E.J.C.Boon at i-groep.leidenuniv.nl
Wed Sep 23 05:05:19 CDT 2009


Hi all,

For a week now I've been playing with RSA via the RSAAM module in Radiator.

Our setup is 2 RADIUS servers (SLES10SP2) with Radiator 4.4 and 2 RSA
servers with RSA AM 7. The communication between Radiator and RSA is via
SOAP (the only way?).
We'd like to have some failover constructions in our setup, so I tried
to fail over between RSA servers by defining a non-existent IP address
for one of the RSA servers.

Now my problem is this: it seems that the SOAP call is taking too long
to respond that the host is not reachable for Radiator to continue
with its AuthBy GROUP clause.
- The timeout, let's say 180 seconds, is still too short for the HTTP/SOAP
channel to time out.
- What I also see is that the RSAAM authentication is not returning an
IGNORE but a REJECT on timeout.

Am I doing something wrong? Is there any way to get around this
behaviour?

I'm following a piece of the manual: Radiator RADIUS Server, with AuthBy
RSAAM, PDF from OSC:
======
Example from manual

Radiator can be configured to implement failover between 2 or more RSA
Authentication Manager Servers. Whenever an RSA Authentication Manager
Server cannot be contacted, the AuthBy RSAAM clause returns IGNORE. If
the AuthByPolicy is ContinueWhileIgnore, then Radiator will try the next
AuthBy RSAAM in sequence until a server is successfully contacted. A
typical configuration excerpt might be:

# Failover from amserver1 to amserver2
<Realm DEFAULT>
	AuthByPolicy ContinueWhileIgnore
	<AuthBy RSAAM>
	Host amserver1.company.com:7002
	...
	</AuthBy>
	<AuthBy RSAAM>
	Host amserver2.company.com:7002
	...
	</AuthBy>
</Realm>
======

Real Config:

Trace 5
PidFile /var/run/radiusd.pid
LogDir /var/log/radius/
DbDir /etc/radiator

AuthPort 1812
AcctPort 1813

<Client DEFAULT>
        Secret mysecret
</Client>
<Realm DEFAULT>
        AuthByPolicy ContinueWhileIgnore
        <AuthBy RSAAM>
                #Host 132.229.43.29:7002
                Host 132.229.43.20:7002
                SessionUsername CmdClient_inf****
                SessionPassword **********
                NoDefault
                SOAPTrace all
                EAPType Generic-Token
                Policy SecurID_Native
        </AuthBy>
        <AuthBy RSAAM>
                Host 132.229.88.87:7002
                SessionUsername CmdClient_inf****
                SessionPassword ************
                NoDefault
                SOAPTrace all
                EAPType Generic-Token
                Policy SecurID_Native
        </AuthBy>
</Realm>
======

Log:

Wed Sep 23 11:31:00 2009: DEBUG: Finished reading configuration file
'/etc/radiator/radius.cfg'
Wed Sep 23 11:31:00 2009: DEBUG: Reading dictionary file
'/etc/radiator/dictionary'
Wed Sep 23 11:31:00 2009: DEBUG: Creating authentication port
0.0.0.0:1812
Wed Sep 23 11:31:00 2009: DEBUG: Creating accounting port 0.0.0.0:1813
Wed Sep 23 11:31:00 2009: NOTICE: Server started: Radiator 4.4 on bonnie
Wed Sep 23 11:31:10 2009: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 32810 ....

Packet length = 126
01 cd 00 7e 7c bf 97 1f 3f 28 c0 b4 1f 19 0c 5c
aa 69 9a aa 01 09 62 6f 6f 6e 65 6a 63 06 06 00
00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 cd 0a
06 1d 30 ac 64 58 32 67 3d 46 ad 26 f0 aa
Code:       Access-Request
Identifier: 205
Authentic:  |<191><151><31>?(<192><180><31><25><12>\<170>i<154><170>
Attributes:
        User-Name = "user"
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost testing"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        EAP-Message = <2><0><0><12><1>user
        Message-Authenticator =
<205><10><6><29>0<172>dX2g=F<173>&<240><170>

Wed Sep 23 11:31:10 2009: DEBUG: Handling request with Handler
'Realm=DEFAULT'
Wed Sep 23 11:31:10 2009: DEBUG:  Deleting session for user, 127.0.0.1,
1234
Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
Wed Sep 23 11:31:10 2009: DEBUG: Handling with EAP: code 2, 0, 12, 1
Wed Sep 23 11:31:10 2009: DEBUG: Response type 1
Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start
https://132.229.43.20:7002/ims-ws/services/CommandServer
Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't connect
to 132.229.43.20:7002 (Timeout) at
/usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526

Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token Card
failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002
(Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526

Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP
Generic Token Card failed: SOAP call failed: 500 Can't connect to
132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526

Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP Generic
Token Card failed: SOAP call failed: 500 Can't connect to
132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526

Wed Sep 23 11:34:20 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 32810 ....
Packet length = 60
03 cd 00 3c 63 fb b6 08 7f 5b 79 ef 9f f2 d8 65
d6 3a ce 49 4f 06 04 00 00 04 50 12 fb 25 51 d0
3e 16 c9 b8 f2 99 f0 71 9f e5 0a 4f 12 10 52 65
71 75 65 73 74 20 44 65 6e 69 65 64
Code:       Access-Reject
Identifier: 205
Authentic:  c<251><182><8><127>[y<239><159><242><216>e<214>:<206>I
Attributes:
        EAP-Message = <4><0><0><4>
        Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
        Reply-Message = "Request Denied"

=====
Cmdline:
radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port 1813
-secret mysecret -interactive -noacct -trace 5 -nas_ip_address 127.0.0.1
-nas_identifier "Localhost testing"

======

Regards,

Erwin Boon
Team middleware
Leiden University 
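The log above shows the two things the poster is describing: the SOAP LoginCommand was issued at 11:31:10 and the connect timeout was only reported at 11:34:20 (190 seconds of blocking), and the clause then returned REJECT, so AuthByPolicy ContinueWhileIgnore never reaches the second AuthBy RSAAM. The following Python script is an added example (not code from Radiator, OSC or the poster) that scans trace-5 log lines for exactly those two conditions: it pairs each "RSA AM start" / "Calling SOAP LoginCommand" with the matching "AuthBy RSAAM result" line, measures how long the backend call blocked, and flags attempts where the backend was unreachable but the clause did not return IGNORE. The sample log is constructed: the first attempt is adapted from the post (wrapped lines joined), the second attempt, showing the IGNORE behaviour the manual documents, is invented for contrast and is not an observed Radiator log.

```python
"""Detect blocking RSA AM backend calls and non-failover results in Radiator logs.

Added example; not part of Radiator or the original post. It assumes the
trace-5 line layout visible in the post: "<timestamp>: <LEVEL>: <message>".
"""
import re
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>[A-Z]+): +(?P<msg>.*)$"
)
START_RE = re.compile(r"RSA AM start (?P<url>\S+)")
CALL_RE = re.compile(r"Calling SOAP LoginCommand")
FAIL_RE = re.compile(r"SOAP call failed: \d+ .*?\((?P<reason>[^)]*)\)")
RESULT_RE = re.compile(r"AuthBy RSAAM result: (?P<result>[A-Z]+)")

# Constructed sample. Attempt 1 is adapted from the post (190 s connect timeout,
# clause returns REJECT). Attempt 2 is invented to show the documented IGNORE case.
SAMPLE_LOG = """\
Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout)
Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout)
Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP Generic Token Card failed
Wed Sep 23 11:40:00 2009: DEBUG: RSA AM start https://132.229.88.87:7002/ims-ws/services/CommandServer
Wed Sep 23 11:40:00 2009: DEBUG: Calling SOAP LoginCommand
Wed Sep 23 11:40:00 2009: WARNING: SOAP call failed: 500 Can't connect to 132.229.88.87:7002 (Connection refused)
Wed Sep 23 11:40:00 2009: DEBUG: AuthBy RSAAM result: IGNORE, backend unreachable (constructed line)
"""


def parse_ts(text):
    """Parse the asctime-style stamp Radiator writes, e.g. 'Wed Sep 23 11:31:10 2009'."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y")


def analyze(lines):
    """Group log lines into RSA AM attempts; return one dict per completed attempt."""
    findings, current = [], None
    for raw in lines:
        m = LINE_RE.match(raw)
        if not m:
            continue  # packet dumps and other non-trace lines are ignored
        ts, level, msg = parse_ts(m["ts"]), m["level"], m["msg"]
        if (s := START_RE.search(msg)):
            current = {"url": s["url"], "started": ts, "call_at": None,
                       "reason": None, "result": None, "elapsed_seconds": None}
        elif current is None:
            continue
        elif CALL_RE.search(msg):
            current["call_at"] = ts
        elif level == "WARNING" and (f := FAIL_RE.search(msg)):
            current["reason"] = f["reason"]  # e.g. "Timeout"
        elif (r := RESULT_RE.search(msg)):
            current["result"] = r["result"]
            origin = current["call_at"] or current["started"]
            current["elapsed_seconds"] = (ts - origin).total_seconds()
            # Only IGNORE lets AuthByPolicy ContinueWhileIgnore move to the next AuthBy.
            current["failover_possible"] = current["result"] == "IGNORE"
            findings.append(current)
            current = None
    return findings


def alerts(findings, budget_seconds=30.0):
    """Return human-readable findings that deserve an alert."""
    out = []
    for f in findings:
        if f["reason"] and not f["failover_possible"]:
            out.append(f"{f['url']}: backend unreachable ({f['reason']}) but clause "
                       f"returned {f['result']}; ContinueWhileIgnore will not try the next AuthBy")
        if f["elapsed_seconds"] > budget_seconds:
            out.append(f"{f['url']}: SOAP call blocked for {f['elapsed_seconds']:.0f}s, "
                       f"over the {budget_seconds:.0f}s budget")
    return out


if __name__ == "__main__":
    for line in alerts(analyze(SAMPLE_LOG.splitlines())):
        print(line)
```

Running it on a live log (`analyze(open("/var/log/radius/logfile").read().splitlines())`, path assumed) gives a quick answer to both of the poster's questions: how long each RSA AM server actually blocked the RADIUS request before the connect error surfaced, and whether the clause result was one the failover policy can act on. The 30-second budget is an arbitrary threshold; a RADIUS client will usually have retransmitted and given up well before the 190 seconds seen here.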



