[RADIATOR] Radiator with RSA AM7, Radiator failes to continue after timeout on SOAP channel
Hugh Irvine
hugh at open.com.au
Wed Sep 23 17:14:46 CDT 2009
Hello Erwin -
Have you tried setting a shorter timeout in the AuthBy RSAAM clause
(using the "Timeout ..." paramter)?
And have you tried running Radiator on the RSAAM Windows host directly?
regards
Hugh
On 23 Sep 2009, at 20:05, Boon, E.J.C. wrote:
>
> Hi all,
>
> Since a week I'm playing with RSA via the RSAAM module in Radiator.
>
> Our setup is 2 radius servers (SLES10SP2) with Radiator 4.4 and 2
> RSA servers with RSA AM 7. The communication between radiator and
> RSA is via SOAP (the only way?).
>
> We'd like to have some failover constructions in our setup, so I
> tried to fail-over between RSA servers by defining a non-existent
> ipaddress for one of the RSA servers.
>
> Now my probleem is this; it seems that the SOAP call is taking to
> long with responding that the host is not reachable for radiator to
> continue with its AuthBy GROUP clause.
>
> - The timeout lets say 180seconds is still to short for the HTTP/
> SOAP channel to timeout.
> - What I also see, is that the RSAAM authentication is not returning
> an IGNORE but a REJECT on timeout
>
> Am I doing something wrong? Is there anyway to get around this way
> of behaviour?
>
> Im following a piece of manual : Radiator RADIUS Server, with AuthBy
> RSAAM. PDF from OSC:
> ======
> Example from manual
>
> Radiator can be configured to implement failover between 2 or more
> RSA Authentication Manager Servers. Whenever an RSA Authentication
> Manager Server cannot be contacted, the AuthBy RSAAM clause returns
> IGNORE. If the AuthByPolicy is ContinueWhileIgnore, then Radiator
> will try the next AuthBy RSAAM in sequence until a server is
> successfully contacted. A typical configuration excerpt might be:
>
> # Failover from amserver1 to amserver2
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileIgnore
> <AuthBy RSAAM>
> Host amserver1.company.com:7002
> …
> </AuthBy>
> <AuthBy RSAAM>
> Host amserver2.company.com:7002
> …
> </AuthBy>
> </Realm>
> ======
>
> Real Config:
>
> Trace 5
> PidFile /var/run/radiusd.pid
> LogDir /var/log/radius/
> DbDir /etc/radiator
>
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
> Secret mysecret
> </Client>
> <Realm DEFAULT>
> AuthByPolicy ContinueWhileIgnore
> <AuthBy RSAAM>
> #Host 132.229.43.29:7002
> Host 132.229.43.20:7002
> SessionUsername CmdClient_inf****
> SessionPassword **********
> NoDefault
> SOAPTrace all
> EAPType Generic-Token
> Policy SecurID_Native
> </AuthBy>
> <AuthBy RSAAM>
> Host 132.229.88.87:7002
> SessionUsername CmdClient_inf****
> SessionPassword ************
> NoDefault
> SOAPTrace all
> EAPType Generic-Token
> Policy SecurID_Native
> </AuthBy>
> </Realm>
> ======
>
> Log:
>
> Wed Sep 23 11:31:00 2009: DEBUG: Finished reading configuration file
> '/etc/radiator/radius.cfg'
> Wed Sep 23 11:31:00 2009: DEBUG: Reading dictionary file '/etc/
> radiator/dictionary'
> Wed Sep 23 11:31:00 2009: DEBUG: Creating authentication port
> 0.0.0.0:1812
> Wed Sep 23 11:31:00 2009: DEBUG: Creating accounting port 0.0.0.0:1813
> Wed Sep 23 11:31:00 2009: NOTICE: Server started: Radiator 4.4 on
> bonnie
> Wed Sep 23 11:31:10 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32810 ....
>
> Packet length = 126
> 01 cd 00 7e 7c bf 97 1f 3f 28 c0 b4 1f 19 0c 5c
> aa 69 9a aa 01 09 62 6f 6f 6e 65 6a 63 06 06 00
> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 cd 0a
> 06 1d 30 ac 64 58 32 67 3d 46 ad 26 f0 aa
> Code: Access-Request
> Identifier: 205
> Authentic: |<191><151><31>?(<192><180><31><25><12>\<170>i<154><170>
> Attributes:
> User-Name = "user"
> Service-Type = Framed-User
> NAS-IP-Address = 127.0.0.1
> NAS-Identifier = "Localhost testing"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> EAP-Message = <2><0><0><12><1>user
> Message-Authenticator =
> <205><10><6><29>0<172>dX2g=F<173>&<240><170>
>
> Wed Sep 23 11:31:10 2009: DEBUG: Handling request with Handler
> 'Realm=DEFAULT'
> Wed Sep 23 11:31:10 2009: DEBUG: Deleting session for user,
> 127.0.0.1, 1234
> Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Wed Sep 23 11:31:10 2009: DEBUG: Handling with EAP: code 2, 0, 12, 1
> Wed Sep 23 11:31:10 2009: DEBUG: Response type 1
> Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
> Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
> Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't
> connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/
> 5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token
> Card failed: SOAP call failed: 500 Can't connect to
> 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8
>
> /Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP
> Generic Token Card failed: SOAP call failed: 500 Can't connect to
> 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/s
>
> ite_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP
> Generic Token Card failed: SOAP call failed: 500 Can't connect to
> 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/si
>
> te_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32810 ....
> Packet length = 60
> 03 cd 00 3c 63 fb b6 08 7f 5b 79 ef 9f f2 d8 65
> d6 3a ce 49 4f 06 04 00 00 04 50 12 fb 25 51 d0
> 3e 16 c9 b8 f2 99 f0 71 9f e5 0a 4f 12 10 52 65
> 71 75 65 73 74 20 44 65 6e 69 65 64
> Code: Access-Reject
> Identifier: 205
> Authentic: c<251><182><8><127>[y<239><159><242><216>e<214>:<206>I
> Attributes:
> EAP-Message = <4><0><0><4>
> Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Reply-Message = "Request Denied"
>
> =====
> Cmdline:
> radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port
> 1813 -secret mysecret -interactive -noacct -trace 5 -nas_ip_address
> 127.0.0.1 -nas_identifier "Localhost testing"
>
> ======
>
> Regards,
>
> Erwin Boon
> Team middleware
> Leiden University
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
NB:
Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator
)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
More information about the radiator
mailing list