[RADIATOR] ServerHTTP

Mike McCauley mikem at open.com.au
Thu Oct 14 17:49:05 CDT 2010


Hello Todd,

thanks for that.
We have now been able to reproduce this problem here on your target system.
It was crashing inside OpenSSL BIO_read.

The problem is apparently due to a bug in the Net-SSLeay 1.30 that Ubuntu 8.04 
installs from the repository.

If you download, compile and install the latest Net-SSLeay 1.36 from CPAN, it 
should fix this problem. We recommend this later version in any case.

Cheers.


On Thursday 14 October 2010 10:43:07 pm Smith, Todd wrote:
> This is just some modifications to a copy of the ntlm_eap_peap file in
> the goodies directory.  I am still testing and configuring so I haven't
> changed the default secret yet or made any serious security hardening.  The
> file seems so very long to post since it still has so many comments in it.
> Do you have a preferred style that you want to see a config file in?  I'm
> guessing that I could have stripped out the comments before I posted it but
> I don't know what you want to see.
>
> Todd
>
> # ntlm_eap_peap.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PEAP authentication as used by Windows XP (starting with SP1)
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows
> # Domain when Radiator runs on a Linux or Unix host, with the
> # assistance of utilities from the Samba suite (www.samba.org).
> #
> # AuthBy NTLM requires that ntlm_auth (and winbindd), both part of Samba,
> # are installed and configured
> # correctly. See goodies/smb.conf.winbindd for sample configuration and
> # installation hints.
> #
> # AuthBy NTLM runs the Samba utility ntlm_auth as a child process in order to authenticate
> # requests. It keeps ntlm_auth running between requests and passes it authentication
> # information on stdin, and gets back the authentication results from stdout.
> # Caution:  AuthBy NTLM blocks while waiting for the result output of ntlm_auth.
> #
> # Because AuthBy NTLM requires that ntlm_auth be properly installed and configured with winbindd,
> # it is vitally important that you confirm that ntlm_auth is working properly before trying
> # to use AuthBy NTLM. You can test ntlm_auth like this:
> #  ntlm_auth --username=yourusername --domain=yourdomain --password=yourpassword
> # if that does not work for a valid username and password, there is no way that
> # AuthBy NTLM will work. Make sure ntlm_auth works first!
> #
> # Works with PAP, MSCHAP, MSCHAPV2
> # Radiator must be run as root in order to do MSCHAP or MSCHAPV2 via ntlm_auth
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: ntlm_eap_peap.cfg,v 1.5 2007/12/18 21:23:50 mikem Exp $
>
> LogDir          /var/log/radius
> LogFile         %L/logfile-%Y-%m-%d
> DbDir           /usr/local/etc/raddb
> # Use a lower trace level in production systems:
> Trace           4
> AuthPort 1645,1812
>
> # CAUTION: Careless configuration of this clause can open security holes in
> # your RADIUS host. The following example configuration is for testing only.
> # It is recommended that you:
> #  1. limit the clients that can connect with the Clients parameter
> #  2. Make sure this configuration file is only readable by root
> #  3. Consider making radiusd run as a non-privileged user
> #  4. Use secure usernames and password to authenticate access to this server.
> #  5. Disable this clause when not required.
> <ServerHTTP>
>         # Specifies the TCP port to use. Defaults to 9048
>         #Port %{GlobalVar:serverhttpport}
>         Port 9048
>
>         # ServerHTTP saves for viewing the last LogMaxLines log entries
>         # at or below this trace level.
>         Trace 4
>
>         # LogMaxLines specifies the max number of recent log messages that are
>         # saved. Defaults to 500. If you set this to 0, then no
>         # logger will be created for ServerHTTP, slightly improving performance
>         #LogMaxLines 1000
>
>         # BindAddress allows you to bind to a different network address
>         # for multihomed hosts. Defaults to 0.0.0.0
>         #BindAddress 203.63.154.29, 127.0.0.1
>
>         # You can have one or more AuthBy clauses or AuthBy parameters
>         # to specify how to authenticate HTTP connections. AuthByPolicy is also
>         # supported. If the last AuthBy returns ACCEPT, the connection
>         # is accepted. If the last AuthBy returns IGNORE, or there are
>         # no AuthBy, then fall back to the hardwired Username and
>         # Password parameters
>         # If the authenticated user has a Management-Policy-Id reply item,
>         # it will be used
>         # as that users privilege level, instead of DefaultPrivilegeLevel.
>
>         <AuthBy NTLM>
>                 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='CAMC+netwkgrp'
>                 DefaultDomain CAMC
>         </AuthBy>
>
>         # This is the fallback username and password that clients must LOGIN as
>         # if there are no AuthBy clauses, or if they return IGNORE
>         # If there are no AuthBys (or the last returns IGNORE) and there is no
>         # Username, you can connect to this interface anonymously (not
>         # recommended except for testing in secure environments).
>         Username mikem
>         # Password can be plaintext or any of the encrypted formats such as
>         # {crypt}....., {nthash}....., {SHA}...., {SSHA}....., {mysql}....,
>         # {msssql}...., {dechpwd}...., {MD5}......, {clear}....
>         Password fred
>
>         # Controls the ServerHTTP users privilege level if
>         # a per-user Management-Policy-Id is not available from a successful
>         # authentication from the AuthBy list.
>         # The privilege level is a bitmask. The following privilege levels are
>         # defined, and may be logically or'd together
>         #  0 means no access, including no login permission.
>         #  1 means viewing basic status only.
>         #  2 means ability to reset the server
>         #  4 means the ability to edit and change the running config (but not
>         #    save it)
>         #  8 means the ability to save changes to the configuration
>         #  15 means all privileges
>         # Defaults to 1
>         DefaultPrivilegeLevel 15
>
>         # Clients let you limit which clients you will accept connects from
>         # You can specify one or more comma or space separated IP addresses
>         # Use this parameter to make your server more secure by limiting
>         # which clients can connect.
>         #Clients 127.0.0.2, 203.63.154.29
>         # This one limits access to the same host that Radiator runs on:
>         Clients 127.0.0.1 10.2.96.125
>
>         # If AuditTrail is defined, all editing operations and changes will be
>         # logged to the file (as well as to the normal log file at trace level 3)
>
>         AuditTrail %D/audit-%Y-%m-%d.txt
>
>         # Like most loggers, you can enable LogMicroseconds to get
>         # microsecond accuracy in log messages. Requires the
>         # Time::HiRes module from CPAN.
>         #LogMicroseconds
>
>         # Specifies the maximum time before the user has to log in again
>         # Defaults to 1 hour
>         #SessionTimeout 3600
>
>         # You can force SSL connections, and use all the standard TLS
>         # certificate and verification mechanisms
>         UseSSL 1
>         TLS_CAFile %D/certificates/DigiCert/CAChain.crt
>         TLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
>         TLS_CertificateType PEM
>         TLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>         #TLS_PrivateKeyPassword whatever
>         #TLS_RequireClientCert
>         #TLS_ExpectedPeerName .+
>         #TLS_SubjectAltNameURI .*open.com.au
>         #TLS_CRLCheck
>         #TLS_CRLFile %D/certificates/revocations.pem
>         #TLS_CRLFile %D/certificates/revocations2.pem
>
>         # Users that log in to the Server HTTP interface can be logged with an
>         # AuthLog clause:
>         <AuthLog FILE>
>                  Filename %L/authlog-%Y-%m-%d
>         </AuthLog>
>
>         # If a page is requested but not found in the set of built-in pages
>         # PageNotFoundHook is called to try to handle the request.
>         # PageNotFoundHook is passed the requested URI and a reference to the
>         # ServerHTTP connection. If it can handle the request, it returns an
>         # array of ($httpcode, $content, @httpheaders) else undef.
>         #PageNotFoundHook sub {return (200, "your HTML content");}
>
> </ServerHTTP>
>
>
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         <AuthBy NTLM>
>                 # The name of the ntlm_auth program, supplied with
>                 # Samba. Defaults to '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1'
>                 # You can require that authenticated users belong to a certain group with:
>                 #NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
>                 # or you can specify that the NTLM authentication requests appear to come from a workstation with
>                 # a specified name. This can be used to restrict authentication for certain users by setting
>                 # workstation requirements in their Windows user configuration.
>                 #NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName
>
>                 # Specifies which Windows Domain is ALWAYS to be used to authenticate
>                 # users (even if they specify a different domain in their username).
>                 # Special characters are supported. Can be an Active
>                 # directory domain or a Windows NT domain controller
>                 # domain name
>                 #Domain OPEN
>
>                 # Specifies the Windows Domain to use if the user does not
>                 # specify a domain in their username.
>                 # Special characters are supported. Can be an Active
>                 # directory domain or a Windows NT domain controller
>                 # domain name
>                 DefaultDomain CAMC
>
>                 # This tells the PEAP client what types of inner EAP requests
>                 # we will honour
>                 EAPType MSCHAP-V2
>
>         </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the inner authentication
> # extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to select
> # a specific handler, or else you can use EAPAnonymous to set a username and realm
> # which can be used to select a Realm clause for the inner request.
> # This allows you to select an inner authentication method based on Realm, and/or the
> # fact that they were tunnelled. You can therefore act just as a PEAP server, or also
> # act as the AAA/H home server, and authenticate PEAP requests locally or proxy
> # them to another remote server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are authenticated
> # from a file by AuthBy FILE
> <Handler>
>         <AuthBy FILE>
>                 # The username of the outer authentication
>                 #  must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the standard username
>                 # in the outer requests, and it also requires an entry for the
>                 # actual user name who is trying to connect (ie the 'Login name' entered
>                 # in the Funk Odyssey 'Edit Profile Properties' page
>                 Filename %D/users
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default (most
>                 # preferred) type given first
>                 EAPType PEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates
>                 # Radiator will first look in EAPTLS_CAFile then in
>                 # EAPTLS_CAPath, so there usually is no need to set both
>                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
>
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
> #               EAPTLS_CAPath
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the servers certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>                 #EAPTLS_PrivateKeyPassword whatever
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than 4096)
>                 # and still leave enough space for other attributes
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048. Others need even smaller sizes.
>                 EAPTLS_MaxFragmentSize 1000
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set  and the client presents a certificate
>                 # then Radiator will look for a certificate revocation list (CRL)
>                 # for the certificate issuer
>                 # when authenticating each client. If a CRL file is not found, or
>                 # if the CRL says the certificate has been revoked, the authentication will
>                 # fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # and a suffix that depends on the serial number.
>                 # eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory typically /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # A CRL file can be generated with openssl like this:
>                 #  openssl ca -gencrl -revoke cert-clt.pem
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may require you to specify
>                 # MPPE send and receive keys. This _will_ be required if you select
>                 # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
>                 # client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can configure the User-Name that will be used for the inner
>                 # authentication. Defaults to 'anonymous'. This can be useful
>                 # when proxying the inner authentication. If there is a realm, it can
>                 # be used to choose a local Realm to handle the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonymous@some.other.realm
>
>                 # You can enable or disable support for TTLS Session Resumption and
>                 # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
>                 # Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a session can be resumed
>                 # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
>                 # (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>
>                 # You can control which version of the draft PEAP protocol to honour
>                 # with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
>                 # such as Funk Odyssey Client 2.22 or later.
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mikem at open.com.au]
> Sent: Thursday, October 14, 2010 07:27
> To: radiator at open.com.au
> Cc: Smith, Todd
> Subject: Re: [RADIATOR] ServerHTTP
>
> Hi Todd,
>
> On Thursday 14 October 2010 07:15:51 am Smith, Todd wrote:
> > The server is x86 32 bit Ubuntu 8.04 LTS running Linux kernel
> > 2.6.24-28-server with Perl version 5.8.8 fully patched from standard
> > Ubuntu sources.
>
> We have tried, but haven't been able to reproduce this problem on that
> platform (or any other)
>
> Looks like you have your ServerHTTP configured for UseSSL? And that the
> connection from your browser was an SSL connection. How and where from did
> you install the perl Net::SSLeay module?
> Have you updated or changed your openssl install?
> What browser were you using?
>
> I think I need to see your complete config file (no secrets)
>
> Cheers.
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
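A small audit of the ServerHTTP hardening points that the CAUTION comment in the quoted config lists (Clients, the fallback Username/Password, the DefaultPrivilegeLevel bitmask, UseSSL), as an added example that is not part of this thread or of Radiator itself. The two sample clauses, the {SSHA} placeholder hash and the simplified clause grammar in parse_clause are my own assumptions.

```python
# Constructed samples (not from the posted config): a ServerHTTP clause that
# ignores the CAUTION advice in the goodies comments, and one that follows it.
WEAK_CFG = """\
<ServerHTTP>
        Username mikem
        Password fred
        DefaultPrivilegeLevel 15
</ServerHTTP>
"""
HARDENED_CFG = """\
<ServerHTTP>
        Clients 127.0.0.1
        UseSSL 1
        <AuthBy NTLM>
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
        </AuthBy>
        Username admin
        Password {SSHA}PLACEHOLDER_HASH
        DefaultPrivilegeLevel 1
</ServerHTTP>
"""

def parse_clause(cfg: str, name: str) -> tuple[dict[str, str], set[str]]:
    """(parameters, nested clause names) of the first <name> clause; '#' lines are comments."""
    params, nested, inside, depth = {}, set(), False, 0
    for raw in cfg.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if not inside:
            inside = line == f"<{name}>"
        elif line == f"</{name}>":
            break
        elif line.startswith("</"):
            depth -= 1
        elif line.startswith("<"):
            if depth == 0:                  # remember e.g. AuthBy, skip its own parameters
                nested.add(line[1:-1].split()[0])
            depth += 1
        elif depth == 0:
            parts = line.split(None, 1)     # flags such as AutoMPPEKeys carry no value
            params[parts[0]] = parts[1] if len(parts) > 1 else ""
    return params, nested

def audit_serverhttp(cfg: str) -> list[str]:
    params, nested = parse_clause(cfg, "ServerHTTP")
    findings: list[str] = []
    if not params and not nested:
        return findings                     # no management interface exposed
    if "Clients" not in params:
        findings.append("Clients unset: any address may connect to the management port")
    if "Username" not in params:
        findings.append("no fallback Username: anonymous login if AuthBy is absent or IGNOREs")
    if params.get("Username") == "mikem" or params.get("Password") == "fred":
        findings.append("sample Username/Password from goodies still in place")
    pw = params.get("Password", "")
    if pw and (not pw.startswith("{") or pw.startswith("{clear}")):
        findings.append("Password stored in clear; prefer a hashed form such as {SSHA}")
    level = int(params.get("DefaultPrivilegeLevel", "1"))
    if level & 0b1110:                      # reset(2) | edit(4) | save(8)
        findings.append(f"DefaultPrivilegeLevel {level} exceeds view-only (1) for every login")
    if params.get("UseSSL") != "1":
        findings.append("UseSSL not set: management logins cross the network unencrypted")
    return findings
```

Run it over the real radius.cfg (after removing secrets) to see which of the five CAUTION points still apply before the clause goes into production.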

