[RADIATOR] AuthBy LDAP2 and FailureBackoffTime
Jan Tomasek
jan at tomasek.cz
Tue Jun 8 13:16:15 UTC 2021
Hi Heikki,
On 07. 06. 21 16:06, Heikki Vatiainen wrote:
>> At this moment I reduced FailureBackoffTime from 600s to 60s and
>> provided multiple LDAP servers to AuthBy LDAP2. Which seems to be
>> working.
>
> It's good to hear that the above helps but the AuthBy itself should also
> work so that it can signal LDAP failure by using ignore and allowing the
> client to do a proper failover.
>
> Can you check if your config has something that does this? If not, I'd
> like to see the logs to see why AuthBy LDAP2 does not return IGNORE.
>
>> My config:
>
> Looks good but please check if there are additional hooks or AuthBys
> that may turn IGNORE to a REJECT.
I reduced the config as much as possible; it is attached.
I also attached a log example. I just realized that the access-reject is
produced for the retransmitted request. Maybe that is the source of the problem??
See, here LDAP fails and the result is IGNORE:
Tue Jun 8 15:03:10 2021: INFO: AuthLDAP2 'Check2017LDAP' Connecting to
ldap33.cesnet.cz port 636
Tue Jun 8 15:03:10 2021: ERR: AuthLDAP2 'Check2017LDAP' Could not open
LDAP connection to ldap33.cesnet.cz port 636. Backing off for 600 seconds.
Tue Jun 8 15:03:10 2021: DEBUG: EAP Failure, elapsed time 0.024032
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, User database access error
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, User
database access error
Tue Jun 8 15:03:10 2021: DEBUG: Access ignored for netsaint at cesnet.cz:
User database access error
Tue Jun 8 15:03:10 2021: DEBUG: EAP result: 2, EAP PEAP inner
authentication redispatched to a Handler
Tue Jun 8 15:03:10 2021: DEBUG: AuthBy LDAP2 result: IGNORE, EAP PEAP
inner authentication redispatched to a Handler
And here is the retransmitted access request 3 sec later:
Tue Jun 8 15:03:13 2021: DEBUG: Packet dump:
*** Received from 127.0.0.1 port 52252 ....
Code: Access-Request
Identifier: 7
Authentic: <253><3><159><173>.k+<177>B<4><237>V<138>p<211><254>
Attributes:
User-Name = "netsaint at cesnet.cz"
And AuthBy LDAP2 produces an error and an access reject:
Tue Jun 8 15:03:13 2021: DEBUG: Handling with Radius::AuthLDAP2:
Check2017LDAP
Tue Jun 8 15:03:13 2021: DEBUG: Handling with EAP: code 2, 34, 108, 25
Tue Jun 8 15:03:13 2021: DEBUG: Response type 25
Tue Jun 8 15:03:13 2021: DEBUG: EAP Failure, elapsed time 3.029766
Tue Jun 8 15:03:13 2021: ERR: EAP PEAP TLS read failed: 4759: 1 -
error:1408F119:SSL routines:ssl3_get_record:decryption failed or bad
record mac
Tue Jun 8 15:03:13 2021: DEBUG: EAP result: 1, EAP PEAP TLS read
failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: DEBUG: AuthBy LDAP2 result: REJECT, EAP PEAP
TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:03:13 2021: INFO: Access rejected for netsaint at cesnet.cz:
EAP PEAP TLS read failed: decryption failed or bad record mac
Best regards
--
-----------------------
Jan Tomasek aka Semik
http://www.tomasek.cz/
-------------- next part --------------
A non-text attachment was scrubbed...
Name: radiator.2021_06_08.log
Type: text/x-log
Size: 27229 bytes
Desc: not available
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20210608/316fb89c/attachment-0001.bin>
-------------- next part --------------
#Foreground
Trace 4
LogDir /var/log/arch/radiator
LogFile %L/radiator.%Y_%m_%d.log
DbDir /opt/radiator/radiator
User radiator
Group radiator
AuthPort 1812
AcctPort 1813
<Client localhost>
Secret mysecret
DupInterval 0
</Client>
<Handler>
<AuthBy LDAP2>
Identifier Check2017LDAP
UsernameMatchesWithoutRealm yes
Host ldap33.cesnet.cz
Port 636
UseSSL
SSLCAFile /etc/radiator/certs/chain_CESNET_CA4.pem
AuthDN xxx
AuthPassword xxx
BaseDN dc=cesnet,dc=cz
UsernameAttr uid
PasswordAttr radiusPassword
AuthAttrDef radiusTunnelPrivateGroupID, Tunnel-Private-Group-ID, reply
SearchFilter (&(%0=%1)(|(objectClass=eduroamTestAccount)(objectClass=radiusUser)))
EAPType PEAP,MSCHAP-V2,LEAP,TTLS
# 2. 11. 2018 Semik - we stop sending the root certificate
EAPTLS_CAPath /etc/ssl/certs/null
EAPTLS_CertificateFile /etc/radiator/certs/radius.cesnet.cz.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile /etc/radiator/certs/radius.cesnet.cz.key
EAPTLS_PrivateKeyPassword xxx
EAPTLS_MaxFragmentSize 1000
EAPTLS_SessionContextId %0%n%2%{Called-Station-Id}
EAPAnonymous %n
</AuthBy>
</Handler>
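The log excerpts above show the sequence Jan is describing: an LDAP connect failure puts AuthBy LDAP2 into FailureBackoffTime, the first request is IGNOREd with "User database access error", and the client's retransmit a few seconds later is REJECTed with an EAP PEAP "decryption failed or bad record mac". The following Python is an added example (not Radiator code or anything from the thread) that scans Radiator-style log lines for exactly that pattern, so an operator can tell backoff-induced rejects apart from ordinary bad-password rejects; the log lines inside it are constructed to mirror the ones quoted above.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the log lines quoted in the thread.
SAMPLE_LOG = """\
Tue Jun 8 15:03:10 2021: ERR: AuthLDAP2 'Check2017LDAP' Could not open LDAP connection to ldap33.cesnet.cz port 636. Backing off for 600 seconds.
Tue Jun 8 15:03:10 2021: DEBUG: Access ignored for netsaint at cesnet.cz: User database access error
Tue Jun 8 15:03:13 2021: INFO: Access rejected for netsaint at cesnet.cz: EAP PEAP TLS read failed: decryption failed or bad record mac
Tue Jun 8 15:05:00 2021: INFO: Access rejected for alice at example.org: Bad password
"""

# "Tue Jun 8 15:03:10 2021: LEVEL: message" -> timestamp, level, message
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3}\s+\d+ \d\d:\d\d:\d\d \d{4}): (?P<level>\w+): (?P<msg>.*)$")
BACKOFF_RE = re.compile(r"Could not open LDAP connection to (?P<host>\S+) port \d+\. Backing off for (?P<secs>\d+) seconds")
IGNORED_RE = re.compile(r"Access ignored for (?P<user>.+?): User database access error")
REJECTED_RE = re.compile(r"Access rejected for (?P<user>.+?): EAP PEAP TLS read failed")


def parse_line(line):
    """Split one Radiator log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y")
    return ts, m["level"], m["msg"]


def find_backoff_rejects(log_text, window_seconds=10):
    """Return (backoffs, hits).

    backoffs: list of (ldap_host, backoff_seconds) seen in the log.
    hits: list of (user, seconds) where a PEAP TLS-read REJECT for a user follows
          an LDAP "User database access error" IGNORE for the same user within
          window_seconds, i.e. the retransmit-during-backoff pattern.
    """
    last_ignored = {}  # user -> timestamp of the IGNORE caused by the LDAP failure
    backoffs, hits = [], []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, _level, msg = parsed
        if b := BACKOFF_RE.search(msg):
            backoffs.append((b["host"], int(b["secs"])))
        elif i := IGNORED_RE.search(msg):
            last_ignored[i["user"]] = ts
        elif r := REJECTED_RE.search(msg):
            user = r["user"]
            if user in last_ignored:
                delta = (ts - last_ignored[user]).total_seconds()
                if 0 <= delta <= window_seconds:
                    hits.append((user, delta))
    return backoffs, hits
```

A plain "Bad password" reject (the alice line) is deliberately not reported, since it has no preceding LDAP-failure IGNORE for that user.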