[RADIATOR] 3 Quick Assorted Queries
Adam Bishop
Adam.Bishop at ja.net
Thu Feb 10 06:23:38 CST 2011
Adding a handler has worked for PAP and null-user accounting worked,
thanks for that.
Just using fork on a whim in case ntlm_auth decides to be slow (which it
normally isn't, so it doesn't matter too much if it doesn't work).
It seems that the child never returns a response - just now I ssh'd in to
the server and there are about 30 copies of ntlm-auth running, so I would
assume something is not going right with the forking.
Running Radiator as root allows the ntlm_auth processes to be cleaned up,
but it's still showing the same lines in the log and the client doesn't
seem to be receiving a response.
Thanks,
Adam Bishop
Config file follows:
AcctPort 1813
AuthPort 1812
BindAddress 0.0.0.0
DbDir /etc/radiator/
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
Foreground 0
LicenseOwner UKERNA
LivingstonHole 2
LivingstonMIB .iso.org.dod.internet.private.enterprises.307
LivingstonOffs 29
LogDir /var/log/radiator/
LogFile %L/logfile
LogStdout 1
MaxChildren 0
PidFile %L/radiusd.pid
PmwhoProg /usr/local/sbin/pmwho
SnmpNASErrorTimeout 60
SnmpgetProg /usr/bin/snmpget
SnmpsetProg /usr/bin/snmpset
SnmpwalkProg /usr/bin/snmpwalk
Trace 4
<AuthBy NTLM>
AcctFailedLogFileName %L/accounting-failed
AutoMPPEKeys 1
CachePasswordExpiry 86400
DomainFormat %0
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPErrorReject 1
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_CAFile %D/certificates/chain
EAPTLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
EAPTLS_CertificateType PEM
EAPTLS_MaxFragmentSize 1000
EAPTLS_PEAPBrokenV1Label 1
EAPTLS_PEAPVersion 1
EAPTLS_PrivateKeyFile %D/certificates/private.pem
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
EAPTTLS_NoAckRequired 1
EAPType PEAP
EAPType TTLS
EAPType MSCHAP-V2
EAP_PEAP_MSCHAP_Convert 1
Fork 1
Identifier DEV-ADIR-ANY
NoDefault 1
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
PasswordPrompt password
SIPDigestRealm DefaultSipRealm
UsernameFormat %0
UsernameMatchesWithoutRealm 1
</AuthBy>
<AuthBy NTLM>
CachePasswordExpiry 86400
DomainFormat %0
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_CertificateType PEM
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 1
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
Identifier DEV-ADIR-DOMADMIN
NoDefault 1
NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='DEV\Domain Admins'
PasswordPrompt password
SIPDigestRealm DefaultSipRealm
UsernameFormat %0
</AuthBy>
<Client 193.63.63.101>
DupInterval 10
FramedGroupMaxPortsPerClassC 255
IdenticalClients 193.63.63.102
IdenticalClients 193.63.63.103
IdenticalClients 193.63.63.104
IgnoreAcctSignature 1
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity public
</Client>
<Client roaming0.ja.net>
AddToReplyIfNotExist Operator-Name=The JNT Association
AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
DupInterval 10
FramedGroupMaxPortsPerClassC 255
IgnoreAcctSignature 1
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity public
</Client>
<Client roaming1.ja.net>
AddToReplyIfNotExist Operator-Name=The JNT Association
AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
DupInterval 10
FramedGroupMaxPortsPerClassC 255
IgnoreAcctSignature 1
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity public
</Client>
<Client roaming2.ja.net>
AddToReplyIfNotExist Operator-Name=The JNT Association
AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-ID,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
DupInterval 10
FramedGroupMaxPortsPerClassC 255
IgnoreAcctSignature 1
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity public
</Client>
<Handler TunnelledByPEAP = 1>
AccountingHandled 1
AcctLogFileName %L/account.log
AuthByPolicy ContinueUntilReject
RejectHasReason 1
AuthBy DEV-ADIR-ANY
</Handler>
<Handler Realm = dev.ja.net>
AccountingHandled 1
AcctLogFileName %L/account.log
AuthByPolicy ContinueUntilReject
RejectHasReason 1
AuthBy DEV-ADIR-ANY
</Handler>
<Handler Realm = >
AccountingHandled 1
AcctLogFileName %L/account.log
AuthByPolicy ContinueUntilReject
RejectHasReason 1
</Handler>
<ServerHTTP >
AuditTrail %D/audit.txt
AuthByPolicy ContinueWhileIgnore
BindAddress 0.0.0.0
DefaultPrivilegeLevel 15
LogMaxLines 500
MaxBufferSize 100000
Port 9048
Protocol tcp
SessionTimeout 3600
TLS_CAFile %D/certificates/chain
TLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
TLS_CertificateType PEM
TLS_ExpectedPeerName .+
TLS_PrivateKeyFile %D/certificates/private.pem
Trace 4
UseSSL 1
UseTLS 1
AuthBy DEV-ADIR-DOMADMIN
</ServerHTTP>
<StatsLog FILE>
Filename %L/statistics
Interval 600
</StatsLog>
On 09/02/2011 16:42, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>On 02/09/2011 05:37 PM, Adam Bishop wrote:
>
>> * Can I disable PAP?
>
>You cannot stop the client sending a User-Password attribute, but you can
>create a handler that rejects the request if the attribute is present.
>
>That could direct the users to move e.g. from TTLS/PAP to TTLS/MSCHAPv2
>or something else that does not cause passwords to be logged with Trace 4.
>
>> * Using fork with AuthByNTLM causes the request to fail:
>>
>> Wed Feb 9 15:22:24 2011: DEBUG: Handling with Radius::AuthNTLM:
>> Wed Feb 9 15:22:24 2011: DEBUG: AuthBy NTLM result: IGNORE, forked
>>
>> Anyone used fork with NTLM?
>
>This does not look like failure to me. This is logged by the parent
>while the newly forked child is handling the request. The real
>result should come from the child process once it finishes.
>
>You should see messages from the child in the logs while it does NTLM
>authentication.
>
>Why would you need to use fork with NTLM?
>
>> * What do I need to do to get these types of accounting requests
>>handled? The standard user accounting packets are handled fine, but the
>>NAS status updates aren't:
>
>Just guessing here, but if you use Handlers that try to match realms
>there is no User-Name where the realm comes from.
>
>You could try a Handler that has Request-Type = Accounting-Request,
>Acct-Status-Type = Accounting-On
>
>> *** Received from 193.63.63.103 port 1814 ....
>> Code: Accounting-Request
>> Identifier: 217
>> Authentic:
>><6><7><204><18><175><169>.<176><146>$<30><168><221><255>l<143>
>> Attributes:
>> Acct-Status-Type = Accounting-On
>> Acct-Authentic = RADIUS
>> NAS-IP-Address = 193.63.63.103
>> NAS-Identifier = "HiveAP3"
>> Called-Station-Id = "00-19-77-1B-CD-60:eduroam-dev"
>> Acct-Terminate-Cause = NAS-Reboot
>> Proxy-State = 0
>>
>> Wed Feb 9 15:21:40 2011: WARNING: Could not find a handler for : request is ignored
>>
>> Thanks for your help,
>
>No problem. Please send your config file (no secrets) if you need
>further comments.
>
>Thanks!
>
>--
>Heikki Vatiainen <hvn at open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.
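As an added example that is not part of the thread, here is a Radiator config fragment combining Heikki's two suggestions: a Handler that catches the NAS status records (Accounting-On/Off carry no User-Name, so none of the Realm handlers above match them) and a Handler that rejects any request carrying a User-Password, so PAP is refused and the password never reaches the Trace 4 log. Handlers match in the order they appear, so both sit before the Realm handlers; the regex check-item form and the AuthBy INTERNAL result parameters are assumed from the Radiator reference manual, and Heikki's plain `Acct-Status-Type = Accounting-On` form works equally well.

```text
# Added example, not from the original config. Place these Handlers
# BEFORE the <Handler Realm = ...> blocks: Radiator tries Handlers in
# the order they appear and uses the first one that matches.

# NAS status records (Accounting-On / Accounting-Off after a reboot)
# have no User-Name, so a Realm-based Handler can never match them.
# Match on request type and status type instead, log them, and reply.
<Handler Request-Type=Accounting-Request, Acct-Status-Type=/^Accounting-(On|Off)$/>
	AccountingHandled 1
	AcctLogFileName %L/nas-status.log
	<AuthBy INTERNAL>
		# Nothing to authenticate; just acknowledge the record
		AcctResult ACCEPT
	</AuthBy>
</Handler>

# Any request carrying a User-Password attribute is PAP (including the
# inner request of a TTLS/PAP tunnel). Reject it outright so cleartext
# passwords are never processed or logged; users must move to
# TTLS/MSCHAPv2 or PEAP, which carry no User-Password.
<Handler User-Password=/./>
	RejectHasReason 1
	<AuthBy INTERNAL>
		DefaultResult REJECT
		AuthResult REJECT
	</AuthBy>
</Handler>
```

Check the change with a Trace 4 run: an Accounting-On from the HiveAP should now log under the first Handler instead of "Could not find a handler", and a TTLS/PAP attempt should be rejected with a reason rather than authenticated.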