[RADIATOR] 3 Quick Assorted Queries
Heikki Vatiainen
hvn at open.com.au
Mon Feb 14 03:12:33 CST 2011
On 02/10/2011 02:23 PM, Adam Bishop wrote:
> Adding a handler has worked for PAP and null-user accounting worked,
> thanks for that.
Good to hear.
> Just using fork on whim in case ntlm_auth decides to be slow (which it
> normally isn't, so it doesn't matter too much if it doesn't work).
> It seems that the child never returns a response - just now I ssh'd in to
> the server and there are about 30 copies of ntlm-auth running, so I would
> assume something is not going right with the forking.
It could be that auth_ntlm is one of the cases where fork does not work.
Since Radiator starts ntlm_auth only once, starting ntlm_auth is not be
a performance problem either.
The config you have seems to do only AuthBy NTLM so I would say it does
not make sense to create a Radiator instance that does only NTLM
authentication. This approach might be useful in case Radiator did
something else too and there is a concern that NTLM auth can be slow
sometimes.
> Running Radiator as root allows the ntlm_auth processes to be cleaned up,
> but it's still showing the same lines in the log and the client doesn't
> seem to be receiving a response.
Ok, thanks for letting us know about the fork behaviour.
At least currently there are no plans to work with fork and ntlm_auth,
but I suspect the problem lies with handling sockets and other inter
process communication between the processes (parent, child and ntlm_auth
forked by the child).
> Thanks,
>
> Adam Bishop
>
> Config file follows:
>
> AcctPort 1813
> AuthPort 1812
> BindAddress 0.0.0.0
> DbDir /etc/radiator/
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
> Foreground 0
> LicenseOwner UKERNA
> LivingstonHole 2
> LivingstonMIB .iso.org.dod.internet.private.enterprises.307
> LivingstonOffs 29
> LogDir /var/log/radiator/
> LogFile %L/logfile
> LogStdout 1
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
>
> <AuthBy NTLM>
> AcctFailedLogFileName %L/accounting-failed
> AutoMPPEKeys 1
> CachePasswordExpiry 86400
> DomainFormat %0
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPErrorReject 1
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_CAFile %D/certificates/chain
> EAPTLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 1000
> EAPTLS_PEAPBrokenV1Label 1
> EAPTLS_PEAPVersion 1
> EAPTLS_PrivateKeyFile %D/certificates/private.pem
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> EAPTTLS_NoAckRequired 1
> EAPType PEAP
> EAPType TTLS
> EAPType MSCHAP-V2
> EAP_PEAP_MSCHAP_Convert 1
> Fork 1
> Identifier DEV-ADIR-ANY
> NoDefault 1
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> UsernameFormat %0
> UsernameMatchesWithoutRealm 1
> </AuthBy>
>
> <AuthBy NTLM>
> CachePasswordExpiry 86400
> DomainFormat %0
> EAPAnonymous anonymous
> EAPContextTimeout 1000
> EAPFAST_PAC_Lifetime 7776000
> EAPFAST_PAC_Reprovision 2592000
> EAPTLS_CertificateType PEM
> EAPTLS_MaxFragmentSize 2048
> EAPTLS_PEAPVersion 1
> EAPTLS_SessionResumption 1
> EAPTLS_SessionResumptionLimit 43200
> EAPTLS_VerifyDepth 1
> Identifier DEV-ADIR-DOMADMIN
> NoDefault 1
> NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
> --require-membership-of='DEV\Domain Admins'
> PasswordPrompt password
> SIPDigestRealm DefaultSipRealm
> UsernameFormat %0
> </AuthBy>
>
> <Client 193.63.63.101>
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> IdenticalClients 193.63.63.102
> IdenticalClients 193.63.63.103
> IdenticalClients 193.63.63.104
> IgnoreAcctSignature 1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> </Client>
>
> <Client roaming0.ja.net>
> AddToReplyIfNotExist Operator-Name=The JNT Association
> AllowInReply
> User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-I
> D,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-
> Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> IgnoreAcctSignature 1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> </Client>
>
> <Client roaming1.ja.net>
> AddToReplyIfNotExist Operator-Name=The JNT Association
> AllowInReply
> User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-I
> D,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-
> Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> IgnoreAcctSignature 1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> </Client>
>
> <Client roaming2.ja.net>
> AddToReplyIfNotExist Operator-Name=The JNT Association
> AllowInReply
> User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-I
> D,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-
> Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
> DupInterval 10
> FramedGroupMaxPortsPerClassC 255
> IgnoreAcctSignature 1
> LivingstonHole 2
> LivingstonOffs 29
> NasType unknown
> SNMPCommunity public
> </Client>
>
> <Handler TunnelledByPEAP = 1>
> AccountingHandled 1
> AcctLogFileName %L/account.log
> AuthByPolicy ContinueUntilReject
> RejectHasReason 1
> AuthBy DEV-ADIR-ANY
> </Handler>
>
> <Handler Realm = dev.ja.net>
> AccountingHandled 1
> AcctLogFileName %L/account.log
> AuthByPolicy ContinueUntilReject
> RejectHasReason 1
> AuthBy DEV-ADIR-ANY
> </Handler>
>
> <Handler Realm = >
> AccountingHandled 1
> AcctLogFileName %L/account.log
> AuthByPolicy ContinueUntilReject
> RejectHasReason 1
> </Handler>
>
> <ServerHTTP >
> AuditTrail %D/audit.txt
> AuthByPolicy ContinueWhileIgnore
> BindAddress 0.0.0.0
> DefaultPrivilegeLevel 15
> LogMaxLines 500
> MaxBufferSize 100000
> Port 9048
> Protocol tcp
> SessionTimeout 3600
> TLS_CAFile %D/certificates/chain
> TLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
> TLS_CertificateType PEM
> TLS_ExpectedPeerName .+
> TLS_PrivateKeyFile %D/certificates/private.pem
> Trace 4
> UseSSL 1
> UseTLS 1
> AuthBy DEV-ADIR-DOMADMIN
> </ServerHTTP>
>
> <StatsLog FILE>
> Filename %L/statistics
> Interval 600
> </StatsLog>
>
>
>
> On 09/02/2011 16:42, "Heikki Vatiainen" <hvn at open.com.au> wrote:
>
>> On 02/09/2011 05:37 PM, Adam Bishop wrote:
>>
>>> * Can I disable PAP?
>>
>> You can not stop client sending User-Password attribute, but you can
>> create a handler that rejects the request if the attribute is present.
>>
>> That could direct the users to move e.g. from TTLS/PAP to TTLS/MSCHAPv2
>> or something else that does not cause passwords to be logged with Trace 4.
>>
>>> * Using fork with AuthByNTLM causes the request to fail:
>>>
>>> Wed Feb 9 15:22:24 2011: DEBUG: Handling with Radius::AuthNTLM: Wed Feb
>>> 9 15:22:24 2011: DEBUG: AuthBy NTLM result: IGNORE, forked
>>>
>>> Anyone used fork with NTLM?
>>
>> This does not look like failure to me. This is logged by the parent
>> meanwhile the newly forked child is handling the request. The real
>> result should come from the child process once it finishes.
>>
>> You should see messages from the child in the logs while it does NTLM
>> authentication.
>>
>> Why would you need to use fork with NTLM?
>>
>>> * What do I need to do to get these types of accounting requests
>>> handled? The standard user accounting packets are handled fine, but the
>>> NAS status updates aren't:
>>
>> Just guessing here, but if you use Handlers that try to match realms
>> there is no User-Name where the realm comes from.
>>
>> You could try a Handler that has Request-Type = Accounting-Request,
>> Acct-Status-Type = Accounting-On
>>
>>> *** Received from 193.63.63.103 port 1814 ....
>>> Code: Accounting-Request
>>> Identifier: 217
>>> Authentic:
>>> <6><7><204><18><175><169>.<176><146>$<30><168><221><255>l<143>
>>> Attributes:
>>> Acct-Status-Type = Accounting-On
>>> Acct-Authentic = RADIUS
>>> NAS-IP-Address = 193.63.63.103
>>> NAS-Identifier = "HiveAP3"
>>> Called-Station-Id = "00-19-77-1B-CD-60:eduroam-dev"
>>> Acct-Terminate-Cause = NAS-Reboot
>>> Proxy-State = 0
>>>
>>> Wed Feb 9 15:21:40 2011: WARNING: Could not find a handler for :
>>> request is ignored
>>>
>>> Thanks for your help,
>>
>> No problem. Please send your config file (no secrets) if you need
>> further comments.
>>
>> Thanks!
>>
>> --
>> Heikki Vatiainen <hvn at open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
--
Heikki Vatiainen <hvn at open.com.au>
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
More information about the radiator
mailing list