[RADIATOR] 3 Quick Assorted Queries

Adam Bishop Adam.Bishop at ja.net
Thu Feb 10 06:23:38 CST 2011


Adding a handler has worked for PAP and null-user accounting worked,
thanks for that.

Just using fork on a whim in case ntlm_auth decides to be slow (which it
normally isn't, so it doesn't matter too much if it doesn't work).
It seems that the child never returns a response - just now I ssh'd into
the server and there are about 30 copies of ntlm_auth running, so I would
assume something is not going right with the forking.

Running Radiator as root allows the ntlm_auth processes to be cleaned up,
but it's still showing the same lines in the log and the client doesn't
seem to be receiving a response.

Thanks,

Adam Bishop

Config file follows:

AcctPort 1813
AuthPort 1812
BindAddress 0.0.0.0
DbDir /etc/radiator/
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
Foreground 0
LicenseOwner UKERNA
LivingstonHole 2
LivingstonMIB .iso.org.dod.internet.private.enterprises.307
LivingstonOffs 29
LogDir /var/log/radiator/
LogFile %L/logfile
LogStdout 1
MaxChildren 0
PidFile %L/radiusd.pid
PmwhoProg /usr/local/sbin/pmwho
SnmpNASErrorTimeout 60
SnmpgetProg /usr/bin/snmpget
SnmpsetProg /usr/bin/snmpset
SnmpwalkProg /usr/bin/snmpwalk
Trace 4

<AuthBy NTLM>
 AcctFailedLogFileName %L/accounting-failed
 AutoMPPEKeys 1
 CachePasswordExpiry 86400
 DomainFormat %0
 EAPAnonymous anonymous
 EAPContextTimeout 1000
 EAPErrorReject 1
 EAPFAST_PAC_Lifetime 7776000
 EAPFAST_PAC_Reprovision 2592000
 EAPTLS_CAFile %D/certificates/chain
 EAPTLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
 EAPTLS_CertificateType PEM
 EAPTLS_MaxFragmentSize 1000
 EAPTLS_PEAPBrokenV1Label 1
 EAPTLS_PEAPVersion 1
 EAPTLS_PrivateKeyFile %D/certificates/private.pem
 EAPTLS_SessionResumption 1
 EAPTLS_SessionResumptionLimit 43200
 EAPTLS_VerifyDepth 1
 EAPTTLS_NoAckRequired 1
 EAPType PEAP
 EAPType TTLS
 EAPType MSCHAP-V2
 EAP_PEAP_MSCHAP_Convert 1
 Fork 1
 Identifier DEV-ADIR-ANY
 NoDefault 1
 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
 PasswordPrompt password
 SIPDigestRealm DefaultSipRealm
 UsernameFormat %0
 UsernameMatchesWithoutRealm 1
</AuthBy>

<AuthBy NTLM>
 CachePasswordExpiry 86400
 DomainFormat %0
 EAPAnonymous anonymous
 EAPContextTimeout 1000
 EAPFAST_PAC_Lifetime 7776000
 EAPFAST_PAC_Reprovision 2592000
 EAPTLS_CertificateType PEM
 EAPTLS_MaxFragmentSize 2048
 EAPTLS_PEAPVersion 1
 EAPTLS_SessionResumption 1
 EAPTLS_SessionResumptionLimit 43200
 EAPTLS_VerifyDepth 1
 Identifier DEV-ADIR-DOMADMIN
 NoDefault 1
 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='DEV\Domain Admins'
 PasswordPrompt password
 SIPDigestRealm DefaultSipRealm
 UsernameFormat %0
</AuthBy>

<Client 193.63.63.101>
 DupInterval 10
 FramedGroupMaxPortsPerClassC 255
 IdenticalClients 193.63.63.102
 IdenticalClients 193.63.63.103
 IdenticalClients 193.63.63.104
 IgnoreAcctSignature 1
 LivingstonHole 2
 LivingstonOffs 29
 NasType unknown
 SNMPCommunity public
</Client>

<Client roaming0.ja.net>
 AddToReplyIfNotExist Operator-Name=The JNT Association
 AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
 DupInterval 10
 FramedGroupMaxPortsPerClassC 255
 IgnoreAcctSignature 1
 LivingstonHole 2
 LivingstonOffs 29
 NasType unknown
 SNMPCommunity public
</Client>

<Client roaming1.ja.net>
 AddToReplyIfNotExist Operator-Name=The JNT Association
 AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
 DupInterval 10
 FramedGroupMaxPortsPerClassC 255
 IgnoreAcctSignature 1
 LivingstonHole 2
 LivingstonOffs 29
 NasType unknown
 SNMPCommunity public
</Client>

<Client roaming2.ja.net>
 AddToReplyIfNotExist Operator-Name=The JNT Association
 AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
 DupInterval 10
 FramedGroupMaxPortsPerClassC 255
 IgnoreAcctSignature 1
 LivingstonHole 2
 LivingstonOffs 29
 NasType unknown
 SNMPCommunity public
</Client>

<Handler TunnelledByPEAP = 1>
 AccountingHandled 1
 AcctLogFileName %L/account.log
 AuthByPolicy ContinueUntilReject
 RejectHasReason 1
 AuthBy DEV-ADIR-ANY
</Handler>

<Handler Realm = dev.ja.net>
 AccountingHandled 1
 AcctLogFileName %L/account.log
 AuthByPolicy ContinueUntilReject
 RejectHasReason 1
 AuthBy DEV-ADIR-ANY
</Handler>

<Handler Realm = >
 AccountingHandled 1
 AcctLogFileName %L/account.log
 AuthByPolicy ContinueUntilReject
 RejectHasReason 1
</Handler>

<ServerHTTP >
 AuditTrail %D/audit.txt
 AuthByPolicy ContinueWhileIgnore
 BindAddress 0.0.0.0
 DefaultPrivilegeLevel 15
 LogMaxLines 500
 MaxBufferSize 100000
 Port 9048
 Protocol tcp
 SessionTimeout 3600
 TLS_CAFile %D/certificates/chain
 TLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
 TLS_CertificateType PEM
 TLS_ExpectedPeerName .+
 TLS_PrivateKeyFile %D/certificates/private.pem
 Trace 4
 UseSSL 1
 UseTLS 1
 AuthBy DEV-ADIR-DOMADMIN
</ServerHTTP>

<StatsLog FILE>
 Filename %L/statistics
 Interval 600
</StatsLog>



On 09/02/2011 16:42, "Heikki Vatiainen" <hvn at open.com.au> wrote:

>On 02/09/2011 05:37 PM, Adam Bishop wrote:
>
>> * Can I disable PAP?
>
>You can not stop client sending User-Password attribute, but you can
>create a handler that rejects the request if the attribute is present.
>
>That could direct the users to move e.g. from TTLS/PAP to TTLS/MSCHAPv2
>or something else that does not cause passwords to be logged with Trace 4.
>
>> * Using fork with AuthByNTLM causes the request to fail:
>> 
>> Wed Feb 9 15:22:24 2011: DEBUG: Handling with Radius::AuthNTLM:
>> Wed Feb 9 15:22:24 2011: DEBUG: AuthBy NTLM result: IGNORE, forked
>> 
>> Anyone used fork with NTLM?
>
>This does not look like failure to me. This is logged by the parent
>meanwhile the newly forked child is handling the request. The real
>result should come from the child process once it finishes.
>
>You should see messages from the child in the logs while it does NTLM
>authentication.
>
>Why would you need to use fork with NTLM?
>
>> * What do I need to do to get these types of accounting requests
>>handled?  The standard user accounting packets are handled fine, but the
>>NAS status updates aren't:
>
>Just guessing here, but if you use Handlers that try to match realms
>there is no User-Name where the realm comes from.
>
>You could try a Handler that has Request-Type = Accounting-Request,
>Acct-Status-Type = Accounting-On
>
>> *** Received from 193.63.63.103 port 1814 ....
>> Code:       Accounting-Request
>> Identifier: 217
>> Authentic:  
>><6><7><204><18><175><169>.<176><146>$<30><168><221><255>l<143>
>> Attributes:
>> Acct-Status-Type = Accounting-On
>> Acct-Authentic = RADIUS
>> NAS-IP-Address = 193.63.63.103
>> NAS-Identifier = "HiveAP3"
>> Called-Station-Id = "00-19-77-1B-CD-60:eduroam-dev"
>> Acct-Terminate-Cause = NAS-Reboot
>> Proxy-State = 0
>> 
>> Wed Feb  9 15:21:40 2011: WARNING: Could not find a handler for :
>>request is ignored
>> 
>> Thanks for your help,
>
>No problem. Please send your config file (no secrets) if you need
>further comments.
>
>Thanks!
>
>-- 
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.


JANET(UK) is a trading name of The JNT Association, a company limited
by guarantee which is registered in England under No. 2881024 
and whose Registered Office is at Lumen House, Library Avenue,
Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
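The two fixes suggested in the quoted reply (a Handler for NAS status accounting that carries no User-Name, and a Handler that rejects anything arriving with a User-Password) written out as Radiator config. This is an added example, not config from the thread or from Radiator's own distribution. It assumes Radiator's `/regexp/` form for Handler check items and the `DefaultResult` keyword of `<AuthBy INTERNAL>` as documented in the reference manual; the log file name `nas-status.log` is made up.

```conf
# Added example: drop these two Handlers into radius.cfg AHEAD of the
# Realm-based Handlers. Radiator walks Handlers in file order and uses the
# first one whose check items all match, so anything placed after
# <Handler Realm = > (which matches an empty realm) would never be reached.

# 1. Accounting-On / Accounting-Off from a rebooting NAS has no User-Name,
#    so no Realm check item can ever match it and the request is ignored
#    ("Could not find a handler for :"). Match on request type and status
#    instead and accept it locally so the NAS gets its Accounting-Response.
<Handler Request-Type = Accounting-Request, Acct-Status-Type = /^Accounting-O(n|ff)$/>
 AccountingHandled 1
 AcctLogFileName %L/nas-status.log
 <AuthBy INTERNAL>
  # Accept every request reaching this Handler; nothing to authenticate.
  DefaultResult ACCEPT
 </AuthBy>
</Handler>

# 2. Refuse PAP. A request carrying User-Password is cleartext PAP, either
#    bare or the inner request of EAP-TTLS/PAP (Radiator re-dispatches the
#    decrypted inner request through the Handlers, which is why the
#    TunnelledByPEAP = 1 Handler above works). Rejecting it here means the
#    password is never handed to ntlm_auth and clients have to move to
#    MSCHAPv2. "/./" means "attribute present and non-empty".
<Handler User-Password = /./>
 RejectHasReason 1
 <AuthBy INTERNAL>
  DefaultResult REJECT
 </AuthBy>
</Handler>
```

One caveat on the second Handler: it changes what the server accepts, not what it logs. At `Trace 4` Radiator dumps every received packet, including the inner tunnelled one, before Handler selection runs, so a PAP password still lands in `%L/logfile` on the rejected attempt. The protection comes from clients being pushed off PAP, after which nothing arrives to be logged; until then, run at `Trace 3` or lower on a box where the log is readable by anyone other than the RADIUS administrator.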