[RADIATOR] RadSec and Local DBM Users
Patrik Forsberg
patrik.forsberg at ip-only.se
Thu Feb 17 04:28:34 CST 2011
Hi,
I'm currently setting up an environment where I use RadSec to authenticate to another Radiator and if that fails (with ignore or reject) it should continue to a local user database.
This should be pretty simple I think and it does work.. almost.
What is really weird about this, I think, is that I get an access request - it goes to the handler that calls the radsec identifier - so far correct, but radsec seems to respond "IGNORE" before it is even close to done - I've done a tcpdump and this response gets in the log even before the request has left the server ??
And of course it continues to the local database where it gets a reject, because the user doesn't exist there.. and after that it gets an access-accept from radsec ??
And because it has already responded to the access-request it has nowhere to send the access-accept :)
If I shuffle these two authentication methods around it works perfectly.. but that is not how I want it to be ;)
<snip from conf>
<AuthBy DBFILE>
Identifier AuthenticateLocal
Filename %D/users
</AuthBy>
<AuthBy RADSEC>
Identifier AuthenticateRADSEC
Secret <somesecret>
Protocol tcp
ReconnectTimeout 5
NoreplyTimeout 2
UseTLS
TLS_CAFile %D/../ssl-certs/cacert.pem
TLS_CertificateFile %D/../ssl-certs/<acert>.crt
TLS_CertificateType PEM
TLS_PrivateKeyFile %D/../ssl-certs/<acert>.key
TLS_PrivateKeyPassword <somepass>
TLS_ExpectedPeerName CN=<remote_cert_peer>
Host 192.0.2.131
</AuthBy>
<Handler>
AuthByPolicy ContinueUntilAccept
AuthBy AuthenticateRADSEC
AuthBy AuthenticateLocal
</Handler>
</snip from conf>
But during the RadSec negotiation something weird happens..
<snip from trace 4 log>
Thu Feb 17 10:45:56 2011: DEBUG: New TacacsplusConnection created for 192.0.2.124:60130
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection request 192, 1, 1, 4, 2671080192, 14
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication START 1, 1, 1 for someuser, ,
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 2671080192, 14
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication CONTINUE 0, <SNIP>,
Thu Feb 17 10:45:56 2011: DEBUG: TACACSPLUS derived Radius request packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
Attributes:
NAS-IP-Address = 192.0.2.124
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "someuser"
User-Password = "<SNIP>"
cisco-avpair = "action=1"
cisco-avpair = "authen_type=1"
cisco-avpair = "priv-lvl=1"
cisco-avpair = "service=1"
OSC-Version-Identifier = "192"
Thu Feb 17 10:45:56 2011: DEBUG: Handling request with Handler 'NAS-Identifier=TACACS', Identifier ''
Thu Feb 17 10:45:56 2011: DEBUG: Deleting session for someuser, 192.0.2.124,
Thu Feb 17 10:45:56 2011: DEBUG: Handling with Radius::AuthRADSEC
Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
*** Sending request to RadSec 192.0.2.131:2083 ....
Code: Access-Request
Identifier: 1
Authentic: @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
Attributes:
NAS-IP-Address = 192.0.2.124
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "someuser"
User-Password = "<SNIP>"
cisco-avpair = "action=1"
cisco-avpair = "authen_type=1"
cisco-avpair = "priv-lvl=1"
cisco-avpair = "service=1"
OSC-Version-Identifier = "192"
Proxy-State = OSC-Extended-Id=1
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy RADSEC result: IGNORE,
Thu Feb 17 10:45:56 2011: DEBUG: Handling with Radius::AuthDBFILE: AuthenticateLocal
Thu Feb 17 10:45:56 2011: DEBUG: Radius::AuthDBFILE looks for match with someuser [someuser]
Thu Feb 17 10:45:56 2011: DEBUG: Radius::AuthDBFILE REJECT: No such user: someuser [someuser]
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy DBFILE result: REJECT, No such user
Thu Feb 17 10:45:56 2011: INFO: Access rejected for someuser: No such user
Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Reject
Identifier: UNDEF
Authentic: @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
Attributes:
Reply-Message = "No such user"
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection result Access-Reject
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication REPLY 2, 0, No such user,
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 192.0.2.124:60130
Thu Feb 17 10:45:56 2011: DEBUG: Received reply in AuthRADSEC for req 1 from 192.0.2.131:2083
Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
*** Received from 192.0.2.131 port 2083 ....
Code: Access-Accept
Identifier: 1
Authentic: )-<164><24> <198><143><220><229><11>^<187><213><210>1<155>
Attributes:
Service-Type = Administrative-User
Mikrotik-Group = "full"
Tacacs-AuthGroup = "manager"
cisco-avpair = "priv-lvl=15"
Management-Policy-Id = "15"
Extreme-EPICenter-Role = "Administrator"
Proxy-State = OSC-Extended-Id=1
Thu Feb 17 10:45:56 2011: DEBUG: Access accepted for someuser
Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code: Access-Accept
Identifier: UNDEF
Authentic: @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
Attributes:
Reply-Message = "No such user"
Service-Type = Administrative-User
Mikrotik-Group = "full"
Tacacs-AuthGroup = "manager"
cisco-avpair = "priv-lvl=15"
Management-Policy-Id = "15"
Extreme-EPICenter-Role = "Administrator"
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection result Access-Accept
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 0, ,
Thu Feb 17 10:45:56 2011: ERR: TacacsplusConnection write error, disconnecting: Bad file descriptor
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 192.0.2.124:60130
Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 192.0.2.124:60130
</snip from trace 4 log>
Is this a "bug" or is it working "as-intended" ?
The server has the following setup:
Radiator Version: 4.7 - latest patches as of today (20110217)
FreeBSD: 7.2-RELEASE-p7
Perl Modules: Digest::HMAC 1.02, Digest::MD5 2.38, Digest::SHA1 2.12, Net::SSLeay 1.36
Thanks,
Patrik
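A log check for the ordering problem the trace above shows, added here as an example (it is neither Radiator's code nor from the original post): it walks trace 4 log lines, records which reply code was written to the TACACS+ client, and flags a RadSec proxy reply that arrives only after that final reply has gone out. RACE_LOG is cut down from the posted trace; OK_LOG is a constructed guess at what the swapped AuthBy order logs, and the event regexes are assumptions matched against the posted line formats.

```python
import re

# Constructed excerpt of the trace 4 log from the post (packet dumps cut down to their Code lines).
RACE_LOG = """\
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy RADSEC result: IGNORE,
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy DBFILE result: REJECT, No such user
*** Reply to TACACSPLUS request:
Code: Access-Reject
Thu Feb 17 10:45:56 2011: DEBUG: Received reply in AuthRADSEC for req 1 from 192.0.2.131:2083
Code: Access-Accept
*** Reply to TACACSPLUS request:
Code: Access-Accept
Thu Feb 17 10:45:56 2011: ERR: TacacsplusConnection write error, disconnecting: Bad file descriptor
"""
# Constructed log for the swapped AuthBy order (assumed): the proxy reply lands before any reply goes out.
OK_LOG = """\
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy DBFILE result: REJECT, No such user
Thu Feb 17 10:45:56 2011: DEBUG: AuthBy RADSEC result: IGNORE,
Thu Feb 17 10:45:56 2011: DEBUG: Received reply in AuthRADSEC for req 1 from 192.0.2.131:2083
Code: Access-Accept
*** Reply to TACACSPLUS request:
Code: Access-Accept
"""
PATTERNS = [  # (event kind, regex); first match per line wins; patterns are assumptions from the posted lines
    ("proxy_ignore", re.compile(r"AuthBy RADSEC result: IGNORE")),
    ("reply_sent", re.compile(r"\*\*\* Reply to TACACSPLUS request:")),
    ("code", re.compile(r"^Code: (Access-\w+)")),
    ("proxy_reply", re.compile(r"Received reply in AuthRADSEC for req (\d+)")),
    ("write_error", re.compile(r"ERR: TacacsplusConnection write error")),
]

def find_late_proxy_replies(log):
    """Flag proxy replies that arrive after a final reply already went to the NAS."""
    findings, sent, expect_code = [], [], False   # sent: reply codes already written to the NAS
    for line in log.splitlines():
        hit = next(((k, m) for k, p in PATTERNS if (m := p.search(line))), None)
        if hit is None:
            continue
        kind, m = hit
        if kind == "proxy_ignore":      # RADSEC deferred its answer; replies from here on race it
            sent = []
        elif kind == "reply_sent":      # the next Code: line is what the NAS actually receives
            expect_code = True
        elif kind == "code" and expect_code:
            sent.append(m.group(1)); expect_code = False
        elif kind == "proxy_reply" and sent:
            findings.append(f"proxy reply for req {m.group(1)} arrived after {sent[-1]} had already been sent to the NAS")
        elif kind == "write_error":
            findings.append("write to NAS failed: the connection was already closed")
    return findings
```

Run over a full trace 4 log, the first finding is the one to watch for: the client has already been given the local database's answer, so whatever the proxy later returns can no longer reach it.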