[RADIATOR] Fidelio authentication module: Some suggestions

Mike McCauley mikem at open.com.au
Mon May 9 17:37:20 CDT 2011


Hi Ralf,

thanks for your note.
Responses inline below....

On Monday 09 May 2011 05:24:08 pm Ralf Ertzinger wrote:
> Hi all.
>
> As mentioned some time ago we have a customer interested in using
> Radiator to authenticate against an existing Micros Fidelio infrastructure.
>
> Last week I was finally able to do an on site visit to test the basic
> functionality of the system.
>
> Good news first: the Fidelio connector worked as expected, it was able
> to connect to the Fidelio system without too much trouble and get the
> guest data, and I was able to successfully authenticate against the
> Radius server using that data.
>
> All tests were done using a TCP connection to the Fidelio server.
>
> However, there are some minor problems I would love to get out of the way.
>
> - Reload failure
>    When Radiator is reloaded using SIGHUP it throws away its internal copy
>    of the Fidelio database. However, it does not cleanly shut down the TCP
>    connection, and it also does not send a LE (link end) message to the
>    Fidelio system.
>    When Radiator then reconnects to the Fidelio server the latter does
>    not consider the connection as "new", and assumes that the Radius
>    server already has a copy of the database. So the Radius server does
>    not receive a new copy of the database and ends up with no data at
>    all.
>
>    Suggested fix (as recommended by the Micros engineer on site with
>    me): either send a LE (link end) record on connection shutdown,
>    or completely close the TCP connection. Preferably both.


Hmmmm.
Tests here show that when a SIGHUP is received AuthFIDELIO reconnects and 
sends a link start and gets the latest database just fine. 

Nevertheless we have now made a change so that LE is sent and the TCP 
connection is closed during a SIGHUP, as suggested.

It would be good if you could test this change at your location.


>
>    Workaround: do a complete restart of the Radius server
>
>
> - Keepalive
>    When the network connection between the Radius server and the Fidelio
>    server fails for some reason the Fidelio server aggressively times out
>    and closes the TCP connection when it cannot send database updates.
>    The Radius server may not notice this in a timely manner and thus may
>    not receive database update messages.
>
>    Suggested fix (as recommended by the Micros engineer on site with
>    me): have the Radius server send LS (link start) messages in regular
>    intervals and wait for the Fidelio system to answer with LA (link
>    alive).

OK.
We disagree with the engineer. We think Radiator should send LA to check for 
connectivity, not LS.

We have now made a change to send LA every 60 seconds (configurable).

It would be good if you could test this change at your location.


>
>    Workaround: this can be somewhat worked around by sending accounting
>    messages to the Fidelio system (in this particular setup accounting to
>    the Fidelio system is not part of the planned setup). Failure to send
>    an accounting message will cause a restart of the connection.
>
>
> - Data mangle hook
>    This is more of a "nice to have". Provide a hook to mangle data received
>    from the Fidelio system before it is entered into the internal Radiator
>    database. Primary use case (for me) would be to lower case the guest
>    names.

Not sure where you need this. A patch would be good.

>
>
> I think I can provide a patch for the last point, but I have not found
> an easy hook into the system reload functionality (from a module point
> of view) or a way to regularly call a function from a module. If someone
> could point me in the right direction I'd be quite grateful.

Use &Radius::Select::add_timeout; see the latest patch set for an example in AuthFIDELIO.pm.

Cheers.


-- 
Mike McCauley                               mikem at open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
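To make the three points in this thread concrete, here is an added Python model (not Radiator code, and not the real Fidelio record format, which is reduced to the two-letter record types LS, LA and LE) of a Fidelio server that only resends its guest database on a link it considers new, beside a client that sends LE and closes on reload, probes with LA every 60 seconds, and applies a mangle hook before storing guest names. The sample guests are constructed, and Radius::Select::add_timeout is only noted in a comment as where Radiator would schedule the periodic check.

```python
class FakeFidelio:
    # Constructed stand-in: resends the guest database only on a link it
    # regards as new, i.e. after an LE record or a real TCP close.
    GUESTS = {"SMITH": "1234", "Jones": "5678"}   # constructed sample guests
    def __init__(self):
        self.link_up, self.client_has_db = False, False

    def close(self):                      # a TCP close resets the server's view
        self.link_up, self.client_has_db = False, False

    def receive(self, record):            # -> (reply, db_or_None), None if dead
        if not self.link_up:
            return None
        if record == "LE":
            self.client_has_db = False
        elif record == "LS" and not self.client_has_db:
            self.client_has_db = True
            return ("LA", dict(self.GUESTS))  # full database resend
        return ("LA", None)                   # LS on a known link, LA ping, LE

class RadiusSide:
    # Client side: LS on connect, LE plus close on reload, LA as keepalive.
    def __init__(self, server, keepalive=60, mangle=lambda name: name):
        self.server, self.keepalive, self.mangle = server, keepalive, mangle
        self.db, self.last_seen, self.reconnects = {}, 0, 0

    def link_start(self, now):
        self.server.link_up = True            # open the TCP connection
        reply = self.server.receive("LS")
        if reply and reply[1] is not None:    # mangle hook runs before storing
            self.db = {self.mangle(g): pin for g, pin in reply[1].items()}
        self.last_seen = now

    def reload(self, now, send_le):
        self.db = {}                          # SIGHUP discards the internal copy
        if send_le:                           # the fix: LE and a real TCP close
            self.server.receive("LE")
            self.server.close()
        self.link_start(now)

    def tick(self, now):  # periodic; Radius::Select::add_timeout would drive it
        if now - self.last_seen < self.keepalive:
            return False
        if self.server.receive("LA") is None:  # no LA back: link is dead, resync
            self.reconnects += 1
            self.link_start(now)
            return True
        self.last_seen = now
        return False
```

Calling reload(now, send_le=False) reproduces the empty database reported in the thread, while send_le=True gets a full resend; tick() returns True only when the LA probe found the link dead and an LS resync was done.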

