[RADIATOR] Radiator with RSA AM7, Radiator fails to continue after timeout on SOAP channel

Boon, E.J.C. E.J.C.Boon at i-groep.leidenuniv.nl
Thu Sep 24 02:27:03 CDT 2009


Hi Hugh,

Thank you for the fast reply, yes I did try the timeout setting.
I tried values between 4 and 60 seconds however the result is the same.

The client ends at the specified timeout with:
===========
# radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port 1813 -secret mysecret -noacct -trace 5 -nas_ip_address 127.0.0.1 -nas_identifier "Localhost testing"

Thu Sep 24 09:19:01 2009: DEBUG: Reading dictionary file './dictionary'
sending Access-Request...
Thu Sep 24 09:19:01 2009: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1812 ....

Packet length = 126
01 88 00 7e ff d7 4b 28 81 d4 61 08 cf e5 93 e1
89 f4 fb d3 01 09 62 6f 6f 6e 65 6a 63 06 06 00
00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 d3 7f
a1 be 8e 20 6c d3 fe 00 7b 67 7e 6d f2 02
Code:       Access-Request
Identifier: 136
Authentic:  <255><215>K(<129><212>a<8><207><229><147><225><137><244><251><211>
Attributes:
        User-Name = "user"
        Service-Type = Framed-User
        NAS-IP-Address = 127.0.0.1
        NAS-Identifier = "Localhost testing"
        NAS-Port = 1234
        Called-Station-Id = "123456789"
        Calling-Station-Id = "987654321"
        NAS-Port-Type = Async
        EAP-Message = <2><0><0><12><1>boonejc
        Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>

No reply
===========
And the radiator log file ends at the same moment with:

Thu Sep 24 09:19:01 2009: DEBUG: Response type 1
Thu Sep 24 09:19:01 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
Thu Sep 24 09:19:01 2009: DEBUG: Calling SOAP LoginCommand

Then, after 3 minutes and 10 seconds, the rest of the log lines appear.

Regards,

Erwin Boon
Team Middleware
Leiden University

-----Original Message-----
From: Hugh Irvine Sent: donderdag 24 september 2009 0:15

Hello Erwin -

Have you tried setting a shorter timeout in the AuthBy RSAAM clause
(using the "Timeout ..." parameter)?

And have you tried running Radiator on the RSAAM Windows host directly?

regards

Hugh


On 23 Sep 2009, at 20:05, Boon, E.J.C. wrote:

>
> Hi all,
>
> For a week now I've been playing with RSA via the RSAAM module in Radiator.
>
> Our setup is 2 radius servers (SLES10SP2) with Radiator 4.4 and 2 RSA 
> servers with RSA AM 7. The communication between radiator and RSA is 
> via SOAP (the only way?).
>
> We'd like to have some failover constructions in our setup, so I tried
> to fail over between RSA servers by defining a non-existent IP address
> for one of the RSA servers.
>
> Now my problem is this: it seems that the SOAP call takes too long
> to report that the host is not reachable, so Radiator does not
> continue with its AuthBy GROUP clause.
>
> - The timeout, let's say 180 seconds, is still too short for the HTTP/SOAP
> channel to time out.
> - What I also see is that the RSAAM authentication is not returning
> an IGNORE but a REJECT on timeout.
>
> Am I doing something wrong? Is there any way to get around this
> behaviour?
>
> I'm following a piece of the manual: "Radiator RADIUS Server, with AuthBy
> RSAAM", PDF from OSC:
> ======
> Example from manual
>
> Radiator can be configured to implement failover between 2 or more RSA
> Authentication Manager Servers. Whenever an RSA Authentication Manager
> Server cannot be contacted, the AuthBy RSAAM clause returns IGNORE. If
> the AuthByPolicy is ContinueWhileIgnore, then Radiator will try the
> next AuthBy RSAAM in sequence until a server is successfully
> contacted. A typical configuration excerpt might be:
>
> # Failover from amserver1 to amserver2
> <Realm DEFAULT>
>         AuthByPolicy ContinueWhileIgnore
>         <AuthBy RSAAM>
>         Host amserver1.company.com:7002
>         ...
>         </AuthBy>
>         <AuthBy RSAAM>
>         Host amserver2.company.com:7002
>         ...
>         </AuthBy>
> </Realm>
> ======
>
> Real Config:
>
> Trace 5
> PidFile /var/run/radiusd.pid
> LogDir /var/log/radius/
> DbDir /etc/radiator
>
> AuthPort 1812
> AcctPort 1813
>
> <Client DEFAULT>
>         Secret mysecret
> </Client>
> <Realm DEFAULT>
>         AuthByPolicy ContinueWhileIgnore
>         <AuthBy RSAAM>
>                 #Host 132.229.43.29:7002
>                 Host 132.229.43.20:7002
>                 SessionUsername CmdClient_inf****
>                 SessionPassword **********
>                 NoDefault
>                 SOAPTrace all
>                 EAPType Generic-Token
>                 Policy SecurID_Native
>         </AuthBy>
>         <AuthBy RSAAM>
>                 Host 132.229.88.87:7002
>                 SessionUsername CmdClient_inf****
>                 SessionPassword ************
>                 NoDefault
>                 SOAPTrace all
>                 EAPType Generic-Token
>                 Policy SecurID_Native
>         </AuthBy>
> </Realm>
> ======
>
> Log:
>
> Wed Sep 23 11:31:00 2009: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
> Wed Sep 23 11:31:00 2009: DEBUG: Reading dictionary file '/etc/radiator/dictionary'
> Wed Sep 23 11:31:00 2009: DEBUG: Creating authentication port 0.0.0.0:1812
> Wed Sep 23 11:31:00 2009: DEBUG: Creating accounting port 0.0.0.0:1813
> Wed Sep 23 11:31:00 2009: NOTICE: Server started: Radiator 4.4 on bonnie
> Wed Sep 23 11:31:10 2009: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 32810 ....
>
> Packet length = 126
> 01 cd 00 7e 7c bf 97 1f 3f 28 c0 b4 1f 19 0c 5c
> aa 69 9a aa 01 09 62 6f 6f 6e 65 6a 63 06 06 00
> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 cd 0a
> 06 1d 30 ac 64 58 32 67 3d 46 ad 26 f0 aa
> Code:       Access-Request
> Identifier: 205
> Authentic:  |<191><151><31>?(<192><180><31><25><12>\<170>i<154><170>
> Attributes:
>         User-Name = "user"
>         Service-Type = Framed-User
>         NAS-IP-Address = 127.0.0.1
>         NAS-Identifier = "Localhost testing"
>         NAS-Port = 1234
>         Called-Station-Id = "123456789"
>         Calling-Station-Id = "987654321"
>         NAS-Port-Type = Async
>         EAP-Message = <2><0><0><12><1>user
>         Message-Authenticator = <205><10><6><29>0<172>dX2g=F<173>&<240><170>
>
> Wed Sep 23 11:31:10 2009: DEBUG: Handling request with Handler 'Realm=DEFAULT'
> Wed Sep 23 11:31:10 2009: DEBUG:  Deleting session for user, 127.0.0.1, 1234
> Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
> Wed Sep 23 11:31:10 2009: DEBUG: Handling with EAP: code 2, 0, 12, 1
> Wed Sep 23 11:31:10 2009: DEBUG: Response type 1
> Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start https://132.229.43.20:7002/ims-ws/services/CommandServer
> Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
> Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP Generic Token Card failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002 (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>
> Wed Sep 23 11:34:20 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 32810 ....
> Packet length = 60
> 03 cd 00 3c 63 fb b6 08 7f 5b 79 ef 9f f2 d8 65
> d6 3a ce 49 4f 06 04 00 00 04 50 12 fb 25 51 d0
> 3e 16 c9 b8 f2 99 f0 71 9f e5 0a 4f 12 10 52 65
> 71 75 65 73 74 20 44 65 6e 69 65 64
> Code:       Access-Reject
> Identifier: 205
> Authentic:  c<251><182><8><127>[y<239><159><242><216>e<214>:<206>I
> Attributes:
>         EAP-Message = <4><0><0><4>
>         Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>         Reply-Message = "Request Denied"
>
> =====
> Cmdline:
> radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port 1813 -secret mysecret -interactive -noacct -trace 5 -nas_ip_address 127.0.0.1 -nas_identifier "Localhost testing"
>
> ======
>
> Regards,
>
> Erwin Boon
> Team middleware
> Leiden University
>
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive
(www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec), and DIAMETER
translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
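The thread turns on two behaviours: whether an unreachable RSA server is reported by the AuthBy clause as IGNORE (so AuthByPolicy ContinueWhileIgnore moves on to the next clause, as the manual excerpt describes) or as REJECT (as the quoted log shows, which ends the chain), and whether the configured timeout actually bounds the TCP connect phase, which the 3-minute-10-second gap between "Calling SOAP LoginCommand" and "SOAP call failed" suggests it did not in this setup. The Python model below is an added example written for this archive page; it is not Radiator's code (Radiator is written in Perl) and does not reproduce AuthRSAAM.pm. The `Result` enum, `wrap_backend`, `run_chain`, `tcp_probe` and `failover_outcome` are constructed names, treating a successful connect as ACCEPT is an assumption standing in for the real SOAP LoginCommand, and `192.0.2.1` is a documentation address chosen because it is never routed.

```python
"""Model of an AuthByPolicy ContinueWhileIgnore chain and of a backend probe
whose connect is bounded by a socket timeout. Constructed example; not
Radiator's own code."""
import socket
from enum import Enum
from typing import Callable, List, Tuple


class Result(Enum):
    """Outcomes an AuthBy clause can hand back to the Realm/Handler."""
    ACCEPT = "ACCEPT"
    REJECT = "REJECT"
    IGNORE = "IGNORE"   # "could not decide": the only result ContinueWhileIgnore skips past


Backend = Callable[[], Result]


def wrap_backend(call: Callable[[], Result], on_unreachable: Result) -> Backend:
    """Wrap a backend call so a connect failure or timeout is reported as
    `on_unreachable`. The manual excerpt expects IGNORE for a server that
    cannot be contacted; the poster's log shows REJECT instead."""
    def backend() -> Result:
        try:
            return call()
        except OSError:          # TimeoutError and connect errors are OSErrors
            return on_unreachable
    return backend


def run_chain(backends: List[Backend]) -> Tuple[Result, List[Result]]:
    """Evaluate AuthBy clauses in order under ContinueWhileIgnore: keep going
    only while a clause returns IGNORE; the first ACCEPT or REJECT ends the
    chain. If every clause returns IGNORE the overall result is IGNORE."""
    trace: List[Result] = []
    outcome = Result.IGNORE
    for backend in backends:
        outcome = backend()
        trace.append(outcome)
        if outcome is not Result.IGNORE:
            break
    return outcome, trace


def tcp_probe(host: str, port: int, deadline_s: float) -> Callable[[], Result]:
    """Return a backend whose TCP connect is bounded by `deadline_s`.
    A real AuthBy RSAAM would go on to issue the SOAP LoginCommand; here a
    successful connect simply stands in for ACCEPT (assumption)."""
    def call() -> Result:
        # create_connection applies the timeout to connect() itself, so an
        # unroutable host fails after deadline_s rather than after the
        # kernel's SYN-retry budget (the ~3 minutes seen in the poster's log).
        with socket.create_connection((host, port), timeout=deadline_s):
            return Result.ACCEPT
    return call


def failover_outcome(unreachable_as: Result) -> Tuple[Result, List[Result]]:
    """Two-server chain in which the first server is down. The mapping of
    'unreachable' to IGNORE or REJECT decides whether the second server is
    ever tried. Both backends are constructed stand-ins."""
    def down() -> Result:
        raise TimeoutError("constructed: connect timed out")

    def up() -> Result:
        return Result.ACCEPT

    return run_chain([wrap_backend(down, unreachable_as),
                      wrap_backend(up, unreachable_as)])


if __name__ == "__main__":
    # Same chain, two mappings: only IGNORE lets the second server answer.
    for mapping in (Result.IGNORE, Result.REJECT):
        outcome, trace = failover_outcome(mapping)
        print(f"unreachable -> {mapping.value:6}: chain "
              f"{[r.value for r in trace]} => {outcome.value}")

    # Live variant with a bounded connect: 192.0.2.1 is a documentation
    # address (constructed, never routed), so the first probe fails quickly.
    chain = [wrap_backend(tcp_probe("192.0.2.1", 7002, 2.0), Result.IGNORE),
             wrap_backend(lambda: Result.ACCEPT, Result.IGNORE)]
    print("bounded probe chain =>", run_chain(chain)[0].value)
```

Run stand-alone, the first two lines show the chain reaching the second server only when the unreachable result is IGNORE; with REJECT the chain stops after one clause, which is the REJECT the poster sees in the Access-Reject. The last line shows the first probe giving up after two seconds, independent of how long the operating system would otherwise keep retrying the connect.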