[RADIATOR] Radiator with RSA AM7, Radiator failes to continue after timeout on SOAP channel

Hugh Irvine hugh at open.com.au
Thu Sep 24 03:38:10 CDT 2009


Hello Erwin -

Unfortunately Mike is overseas for a couple of weeks and not easily  
contactable.

He won't be able to look at this until his return.

Can you try running Radiator on the RSAAM host for comparison purposes?

regards

Hugh


On 24 Sep 2009, at 17:27, Boon, E.J.C. wrote:

> Hi Hugh,
>
> Thank you for the fast reply, yes I did try the timeout setting.
> I tried values between 4 and 60 seconds; however, the result is the
> same.
>
> The Client ends on specified time out with:
> ===========
> # radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port
> 1813 -secret mysecret -noacct -trace 5 -nas_ip_address 127.0.0.1
> -nas_identifier "Localhost testing"
>
> Thu Sep 24 09:19:01 2009: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Thu Sep 24 09:19:01 2009: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 1812 ....
>
> Packet length = 126
> 01 88 00 7e ff d7 4b 28 81 d4 61 08 cf e5 93 e1
> 89 f4 fb d3 01 09 62 6f 6f 6e 65 6a 63 06 06 00
> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 d3 7f
> a1 be 8e 20 6c d3 fe 00 7b 67 7e 6d f2 02
> Code:       Access-Request
> Identifier: 136
> Authentic:
> <255><215>K(<129><212>a<8><207><229><147><225><137><244><251><211>
> Attributes:
>        User-Name = "user"
>        Service-Type = Framed-User
>        NAS-IP-Address = 127.0.0.1
>        NAS-Identifier = "Localhost testing"
>        NAS-Port = 1234
>        Called-Station-Id = "123456789"
>        Calling-Station-Id = "987654321"
>        NAS-Port-Type = Async
>        EAP-Message = <2><0><0><12><1>boonejc
>        Message-Authenticator =
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>
> No reply
> ===========
> And the radiator log file ends at the same moment with:
>
> Thu Sep 24 09:19:01 2009: DEBUG: Response type 1
> Thu Sep 24 09:19:01 2009: DEBUG: RSA AM start
> https://132.229.43.20:7002/ims-ws/services/CommandServer
> Thu Sep 24 09:19:01 2009: DEBUG: Calling SOAP LoginCommand
>
> Then after 3 minutes and 10 seconds the rest of the log lines appear.
>
> Regards,
>
> Erwin Boon
> Team Middleware
> Leiden University
>
> -----Original Message-----
> From: Hugh Irvine
> Sent: Thursday 24 September 2009 0:15
>
> Hello Erwin -
>
> Have you tried setting a shorter timeout in the AuthBy RSAAM clause
> (using the "Timeout ..." parameter)?
>
> And have you tried running Radiator on the RSAAM Windows host  
> directly?
>
> regards
>
> Hugh
>
>
> On 23 Sep 2009, at 20:05, Boon, E.J.C. wrote:
>
>>
>> Hi all,
>>
>> For a week now I've been playing with RSA via the RSAAM module in Radiator.
>>
>> Our setup is 2 radius servers (SLES10SP2) with Radiator 4.4 and 2 RSA
>> servers with RSA AM 7. The communication between radiator and RSA is
>> via SOAP (the only way?).
>>
>> We'd like to have some failover constructions in our setup, so I tried
>> to fail over between RSA servers by defining a non-existent IP address
>> for one of the RSA servers.
>>
>> Now my problem is this: it seems that the SOAP call is taking too long
>> to report that the host is not reachable for Radiator to continue with
>> its AuthBy GROUP clause.
>>
>> - The timeout, let's say 180 seconds, is still too short for the
>>   HTTP/SOAP channel to time out.
>> - What I also see is that the RSAAM authentication is not returning
>>   an IGNORE but a REJECT on timeout.
>>
>> Am I doing something wrong? Is there any way to get around this
>> behaviour?
>>
>> I'm following a piece of the manual: Radiator RADIUS Server, with AuthBy
>> RSAAM. PDF from OSC:
>> ======
>> Example from manual
>>
>> Radiator can be configured to implement failover between 2 or more RSA
>> Authentication Manager Servers. Whenever an RSA Authentication Manager
>> Server cannot be contacted, the AuthBy RSAAM clause returns IGNORE. If
>> the AuthByPolicy is ContinueWhileIgnore, then Radiator will try the
>> next AuthBy RSAAM in sequence until a server is successfully
>> contacted. A typical configuration excerpt might be:
>>
>> # Failover from amserver1 to amserver2
>> <Realm DEFAULT>
>>        AuthByPolicy ContinueWhileIgnore
>>        <AuthBy RSAAM>
>>        Host amserver1.company.com:7002
>>        ...
>>        </AuthBy>
>>        <AuthBy RSAAM>
>>        Host amserver2.company.com:7002
>>        ...
>>        </AuthBy>
>> </Realm>
>> ======
>>
>> Real Config:
>>
>> Trace 5
>> PidFile /var/run/radiusd.pid
>> LogDir /var/log/radius/
>> DbDir /etc/radiator
>>
>> AuthPort 1812
>> AcctPort 1813
>>
>> <Client DEFAULT>
>>        Secret mysecret
>> </Client>
>> <Realm DEFAULT>
>>        AuthByPolicy ContinueWhileIgnore
>>        <AuthBy RSAAM>
>>                #Host 132.229.43.29:7002
>>                Host 132.229.43.20:7002
>>                SessionUsername CmdClient_inf****
>>                SessionPassword **********
>>                NoDefault
>>                SOAPTrace all
>>                EAPType Generic-Token
>>                Policy SecurID_Native
>>        </AuthBy>
>>        <AuthBy RSAAM>
>>                Host 132.229.88.87:7002
>>                SessionUsername CmdClient_inf****
>>                SessionPassword ************
>>                NoDefault
>>                SOAPTrace all
>>                EAPType Generic-Token
>>                Policy SecurID_Native
>>        </AuthBy>
>> </Realm>
>> ======
>>
>> Log:
>>
>> Wed Sep 23 11:31:00 2009: DEBUG: Finished reading configuration file
>> '/etc/radiator/radius.cfg'
>> Wed Sep 23 11:31:00 2009: DEBUG: Reading dictionary file
>> '/etc/radiator/dictionary'
>> Wed Sep 23 11:31:00 2009: DEBUG: Creating authentication port
>> 0.0.0.0:1812
>> Wed Sep 23 11:31:00 2009: DEBUG: Creating accounting port
>> 0.0.0.0:1813
>> Wed Sep 23 11:31:00 2009: NOTICE: Server started: Radiator 4.4 on
>> bonnie
>> Wed Sep 23 11:31:10 2009: DEBUG: Packet dump:
>> *** Received from 127.0.0.1 port 32810 ....
>>
>> Packet length = 126
>> 01 cd 00 7e 7c bf 97 1f 3f 28 c0 b4 1f 19 0c 5c
>> aa 69 9a aa 01 09 62 6f 6f 6e 65 6a 63 06 06 00
>> 00 00 02 04 06 7f 00 00 01 20 13 4c 6f 63 61 6c
>> 68 6f 73 74 20 74 65 73 74 69 6e 67 05 06 00 00
>> 04 d2 1e 0b 31 32 33 34 35 36 37 38 39 1f 0b 39
>> 38 37 36 35 34 33 32 31 3d 06 00 00 00 00 4f 0e
>> 02 00 00 0c 01 62 6f 6f 6e 65 6a 63 50 12 cd 0a
>> 06 1d 30 ac 64 58 32 67 3d 46 ad 26 f0 aa
>> Code:       Access-Request
>> Identifier: 205
>> Authentic:  |<191><151><31>?(<192><180><31><25><12>\<170>i<154><170>
>> Attributes:
>>        User-Name = "user"
>>        Service-Type = Framed-User
>>        NAS-IP-Address = 127.0.0.1
>>        NAS-Identifier = "Localhost testing"
>>        NAS-Port = 1234
>>        Called-Station-Id = "123456789"
>>        Calling-Station-Id = "987654321"
>>        NAS-Port-Type = Async
>>        EAP-Message = <2><0><0><12><1>user
>>        Message-Authenticator =
>> <205><10><6><29>0<172>dX2g=F<173>&<240><170>
>>
>> Wed Sep 23 11:31:10 2009: DEBUG: Handling request with Handler
>> 'Realm=DEFAULT'
>> Wed Sep 23 11:31:10 2009: DEBUG:  Deleting session for user,
>> 127.0.0.1, 1234
>> Wed Sep 23 11:31:10 2009: DEBUG: Handling with Radius::AuthRSAAM:
>> Wed Sep 23 11:31:10 2009: DEBUG: Handling with EAP: code 2, 0, 12, 1
>> Wed Sep 23 11:31:10 2009: DEBUG: Response type 1
>> Wed Sep 23 11:31:10 2009: DEBUG: RSA AM start
>> https://132.229.43.20:7002/ims-ws/services/CommandServer
>> Wed Sep 23 11:31:10 2009: DEBUG: Calling SOAP LoginCommand
>> Wed Sep 23 11:34:20 2009: WARNING: SOAP call failed: 500 Can't connect to
>> 132.229.43.20:7002 (Timeout) at
>> /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>
>> Wed Sep 23 11:34:20 2009: DEBUG: EAP result: 1, EAP Generic Token Card
>> failed: SOAP call failed: 500 Can't connect to 132.229.43.20:7002
>> (Timeout) at /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>
>> Wed Sep 23 11:34:20 2009: DEBUG: AuthBy RSAAM result: REJECT, EAP
>> Generic Token Card failed: SOAP call failed: 500 Can't connect to
>> 132.229.43.20:7002 (Timeout) at
>> /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>
>> Wed Sep 23 11:34:20 2009: INFO: Access rejected for user: EAP Generic
>> Token Card failed: SOAP call failed: 500 Can't connect to
>> 132.229.43.20:7002 (Timeout) at
>> /usr/lib/perl5/site_perl/5.8.8/Radius/AuthRSAAM.pm line 526
>>
>> Wed Sep 23 11:34:20 2009: DEBUG: Packet dump:
>> *** Sending to 127.0.0.1 port 32810 ....
>> Packet length = 60
>> 03 cd 00 3c 63 fb b6 08 7f 5b 79 ef 9f f2 d8 65
>> d6 3a ce 49 4f 06 04 00 00 04 50 12 fb 25 51 d0
>> 3e 16 c9 b8 f2 99 f0 71 9f e5 0a 4f 12 10 52 65
>> 71 75 65 73 74 20 44 65 6e 69 65 64
>> Code:       Access-Reject
>> Identifier: 205
>> Authentic:  c<251><182><8><127>[y<239><159><242><216>e<214>:<206>I
>> Attributes:
>>        EAP-Message = <4><0><0><4>
>>        Message-Authenticator =
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>>        Reply-Message = "Request Denied"
>>
>> =====
>> Cmdline:
>> radpwtst -eapgtc -user user -s localhost -auth_port 1812 -acct_port
>> 1813 -secret mysecret -interactive -noacct -trace 5 -nas_ip_address
>> 127.0.0.1 -nas_identifier "Localhost testing"
>>
>> ======
>>
>> Regards,
>>
>> Erwin Boon
>> Team middleware
>> Leiden University
>>
>>
>>
>>
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



