Hello Todd,

thanks for that.
We have now been able to reproduce this problem here on your target system.
It was crashing inside OpenSSL BIO_read.

The problem is apparently due to a bug in the Net-SSLeay 1.30 that Ubuntu 8.04 
installs from the repository.

If you download, compile and install the latest Net-SSLeay 1.36 from CPAN, it 
should fix this problem. We recommend this later version in any case.

Cheers.


On Thursday 14 October 2010 10:43:07 pm Smith, Todd wrote:
> This is just some modifications to a copy of the ntlm_eap_peap file in
> the goodies directory.  I am still testing and configuring so I haven't
> changed the default secret yet or made any serious security hardening.  The
> file seems so very long to post since it still has so many comments in it.
> Do you have a preferred style that you want to see a config file in?  I'm
> guessing that I could have stripped out the comments before I posted it but
> I don't know what you want to see.
>
> Todd
>
> # ntlm_eap_peap.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PEAP authentication as used by Windows XP (starting with SP1)
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows
> # Domain when Radiator runs on a Linux or Unix host, with the
> # assistance of utilities from the Samba suite (www.samba.org).
> #
> # AuthBy NTLM requires that ntlm_auth (and winbindd), both part of Samba,
> # are installed and configured correctly. See goodies/smb.conf.winbindd
> # for sample configuration and installation hints.
> #
> # AuthBy NTLM runs the Samba utility ntlm_auth as a child process in order
> # to authenticate requests. It keeps ntlm_auth running between requests and
> # passes it authentication information on stdin, and gets back the
> # authentication results from stdout.
> # Caution: AuthBy NTLM blocks while waiting for the result output of ntlm_auth.
> #
> # Because AuthBy NTLM requires that ntlm_auth be properly installed and
> # configured with winbindd, it is vitally important that you confirm that
> # ntlm_auth is working properly before trying to use AuthBy NTLM. You can
> # test ntlm_auth like this:
> #  ntlm_auth --username=yourusername --domain=yourdomain --password=yourpassword
> # If that does not work for a valid username and password, there is no way
> # that AuthBy NTLM will work. Make sure ntlm_auth works first!
> #
> # Works with PAP, MSCHAP, MSCHAPV2
> # Radiator must be run as root in order to do MSCHAP or MSCHAPV2 via ntlm_auth
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: ntlm_eap_peap.cfg,v 1.5 2007/12/18 21:23:50 mikem Exp $
>
> LogDir          /var/log/radius
> LogFile         %L/logfile-%Y-%m-%d
> DbDir           /usr/local/etc/raddb
> # Use a lower trace level in production systems:
> Trace           4
> AuthPort 1645,1812
>
> # CAUTION: Careless configuration of this clause can open security holes in
> # your RADIUS host. The following example configuration is for testing only.
> # It is recommended that you:
> #  1. limit the clients that can connect with the Clients parameter
> #  2. Make sure this configuration file is only readable by root
> #  3. Consider making radiusd run as a non-privileged user
> #  4. Use secure usernames and password to authenticate access to this server.
> #  5. Disable this clause when not required.
> <ServerHTTP>
>         # Specifies the TCP port to use. Defaults to 9048
>         #Port %{GlobalVar:serverhttpport}
>         Port 9048
>
>         # ServerHTTP saves for viewing the last LogMaxLines log entries
>         # at or below this trace level.
>         Trace 4
>
>         # LogMaxLines specifies the max number of recent log messages that
>         # are saved. Defaults to 500. If you set this to 0, then no
>         # logger will be created for ServerHTTP, slightly improving performance
>         #LogMaxLines 1000
>
>         # BindAddress allows you to bind to a different network address
>         # for multihomed hosts. Defaults to 0.0.0.0
>         #BindAddress 203.63.154.29, 127.0.0.1
>
>         # You can have one or more AuthBy clauses or AuthBy parameters
>         # to specify how to authenticate HTTP connections. AuthByPolicy is
>         # also supported. If the last AuthBy returns ACCEPT, the connection
>         # is accepted. If the last AuthBy returns IGNORE, or there are
>         # no AuthBy, then fall back to the hardwired Username and
>         # Password parameters
>         # If the authenticated user has a Management-Policy-Id reply item,
>         # it will be used as that users privilege level, instead of
>         # DefaultPrivilegeLevel.
>
>         <AuthBy NTLM>
>                 NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='CAMC+netwkgrp'
>                 DefaultDomain CAMC
>         </AuthBy>
>
>         # This is the fallback username and password that clients must
>         # LOGIN as if there are no AuthBy clauses, or if they return IGNORE.
>         # If there are no AuthBys (or the last returns IGNORE) and there is no
>         # Username, you can connect to this interface anonymously (not
>         # recommended except for testing in secure environments).
>         Username mikem
>         # Password can be plaintext or any of the encrypted formats such as
>         # {crypt}....., {nthash}....., {SHA}...., {SSHA}....., {mysql}....,
>         # {msssql}...., {dechpwd}...., {MD5}......, {clear}....
>         Password fred
>
>         # Controls the ServerHTTP users privilege level if
>         # a per-user Management-Policy-Id is not available from a
>         # successful authentication from the AuthBy list.
>         # The privilege level is a bitmask. The following privilege levels
>         # are defined, and may be logically or'd together
>         #  0 means no access, including no login permission.
>         #  1 means viewing basic status only.
>         #  2 means ability to reset the server
>         #  4 means the ability to edit and change the running config (but
>         #    not save it)
>         #  8 means the ability to save changes to the configuration
>         #  15 means all privileges
>         # Defaults to 1
>         DefaultPrivilegeLevel 15
>
>         # Clients let you limit which clients you will accept connects from
>         # You can specify one or more comma or space separated IP addresses
>         # Use this parameter to make your server more secure by limiting
>         # which clients can connect.
>         #Clients 127.0.0.2, 203.63.154.29
>         # This one limits access to the same host that Radiator runs on:
>         Clients 127.0.0.1 10.2.96.125
>
>         # If AuditTrail is defined, all editing operations and changes will
>         # be logged to the file (as well as to the normal log file at trace
>         # level 3)
>
>         AuditTrail %D/audit-%Y-%m-%d.txt
>
>         # Like most loggers, you can enable LogMicroseconds to get
>         # microsecond accuracy in log messages. Requires the
>         # Time::HiRes module from CPAN.
>         #LogMicroseconds
>
>         # Specifies the maximum time before the user has to log in again
>         # Defaults to 1 hour
>         #SessionTimeout 3600
>
>         # You can force SSL connections, and use all the standard TLS
>         # certificate and verification mechanisms
>         UseSSL 1
>         TLS_CAFile %D/certificates/DigiCert/CAChain.crt
>         TLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
>         TLS_CertificateType PEM
>         TLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>         #TLS_PrivateKeyPassword whatever
>         #TLS_RequireClientCert
>         #TLS_ExpectedPeerName .+
>         #TLS_SubjectAltNameURI .*open.com.au
>         #TLS_CRLCheck
>         #TLS_CRLFile %D/certificates/revocations.pem
>         #TLS_CRLFile %D/certificates/revocations2.pem
>
>         # Users that log in to the Server HTTP interface can be logged with
>         # an AuthLog clause:
>         <AuthLog FILE>
>                  Filename %L/authlog-%Y-%m-%d
>         </AuthLog>
>
>         # If a page is requested but not found in the set of built-in pages
>         # PageNotFoundHook is called to try to handle the request.
>         # PageNotFoundHook is passed the requested URI and a reference to
>         # the ServerHTTP connection. If it can handle the request, it returns an
>         # array of ($httpcode, $content, @httpheaders) else undef.
>         #PageNotFoundHook sub {return (200, "your HTML content");}
>
> </ServerHTTP>
>
>
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
>         Secret  mysecret
>         DupInterval 0
> </Client>
>
> # This is where we authenticate a PEAP inner request, which will be an EAP
> # request. The username of the inner request will be anonymous, although
> # the identity of the EAP request will be the real username we are
> # trying to authenticate.
> <Handler TunnelledByPEAP=1>
>         <AuthBy NTLM>
>                 # The name of the ntlm_auth program, supplied with
>                 # Samba. Defaults to '/usr/bin/ntlm_auth --helper-protocol=ntlm-server-1'
>                 # You can require that authenticated users belong to a
>                 # certain group with:
>                 #NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=MyGroupName
>                 # or you can specify that the NTLM authentication requests
>                 # appear to come from a workstation with a specified name.
>                 # This can be used to restrict authentication for certain
>                 # users by setting workstation requirements in their Windows
>                 # user configuration.
>                 #NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --workstation=MyWorkstationName
>
>                 # Specifies which Windows Domain is ALWAYS to be used to
>                 # authenticate users (even if they specify a different domain
>                 # in their username).
>                 # Special characters are supported. Can be an Active
>                 # directory domain or a Windows NT domain controller
>                 # domain name
>                 #Domain OPEN
>
>                 # Specifies the Windows Domain to use if the user does not
>                 # specify a domain in their username.
>                 # Special characters are supported. Can be an Active
>                 # directory domain or a Windows NT domain controller
>                 # domain name
>                 DefaultDomain CAMC
>
>                 # This tells the PEAP client what types of inner EAP
>                 # requests we will honour
>                 EAPType MSCHAP-V2
>
>         </AuthBy>
> </Handler>
>
>
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used to
> # select a specific handler, or else you can use EAPAnonymous to set a
> # username and realm which can be used to select a Realm clause for the
> # inner request.
> # This allows you to select an inner authentication method based on Realm,
> # and/or the fact that they were tunnelled. You can therefore act just as a
> # PEAP server, or also act as the AAA/H home server, and authenticate PEAP
> # requests locally or proxy them to another remote server based on the realm
> # of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
> <Handler>
>         <AuthBy FILE>
>                 # The username of the outer authentication
>                 # must be in this file to get anywhere. In this example,
>                 # it requires an entry for 'anonymous' which is the
>                 # standard username in the outer requests, and it also
>                 # requires an entry for the actual user name who is trying
>                 # to connect (ie the 'Login name' entered in the Funk
>                 # Odyssey 'Edit Profile Properties' page)
>                 Filename %D/users
>
>                 # EAPType sets the EAP type(s) that Radiator will honour.
>                 # Options are: MD5-Challenge, One-Time-Password
>                 # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>                 # Multiple types can be comma separated. With the default
>                 # (most preferred) type given first
>                 EAPType PEAP
>
>                 # EAPTLS_CAFile is the name of a file of CA certificates
>                 # in PEM format. The file can contain several CA certificates.
>                 # Radiator will first look in EAPTLS_CAFile then in
>                 # EAPTLS_CAPath, so there usually is no need to set both
>                 #EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>                 EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
>
>
>                 # EAPTLS_CAPath is the name of a directory containing CA
>                 # certificates in PEM format. The files each contain one
>                 # CA certificate. The files are looked up by the CA
>                 # subject name hash value
> #               EAPTLS_CAPath
>
>                 # EAPTLS_CertificateFile is the name of a file containing
>                 # the servers certificate. EAPTLS_CertificateType
>                 # specifies the type of the file. Can be PEM or ASN1
>                 # defaults to ASN1
>                 EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
>                 EAPTLS_CertificateType PEM
>
>                 # EAPTLS_PrivateKeyFile is the name of the file containing
>                 # the servers private key. It is sometimes in the same file
>                 # as the server certificate (EAPTLS_CertificateFile)
>                 # If the private key is encrypted (usually the case)
>                 # then EAPTLS_PrivateKeyPassword is the key to decrypt it
>                 EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>                 #EAPTLS_PrivateKeyPassword whatever
>
>                 # EAPTLS_RandomFile is an optional file containing
>                 # randomness
> #               EAPTLS_RandomFile %D/certificates/random
>
>                 # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>                 # size that will be replied by Radiator. It must be small
>                 # enough to fit in a single Radius request (ie less than
>                 # 4096) and still leave enough space for other attributes.
>                 # Aironet APs seem to need a smaller MaxFragmentSize
>                 # (eg 1024) than the default of 2048. Others need even
>                 # smaller sizes.
>                 EAPTLS_MaxFragmentSize 1000
>
>                 # EAPTLS_DHFile if set specifies the DH group file. It
>                 # may be required if you need to use ephemeral DH keys.
> #               EAPTLS_DHFile %D/certificates/cert/dh
>
>
>                 # If EAPTLS_CRLCheck is set and the client presents a
>                 # certificate then Radiator will look for a certificate
>                 # revocation list (CRL) for the certificate issuer
>                 # when authenticating each client. If a CRL file is not
>                 # found, or if the CRL says the certificate has been
>                 # revoked, the authentication will fail with an error:
>                 #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
>                 # One or more CRLs can be named with the EAPTLS_CRLFile
>                 # parameter.
>                 # Alternatively, CRLs may follow a file naming convention:
>                 #  the hash of the issuer subject name
>                 # and a suffix that depends on the serial number.
>                 # eg ab1331b2.r0, ab1331b2.r1 etc.
>                 # You can find out the hash of the issuer name in a CRL with
>                 #  openssl crl -in crl.pem -hash -noout
>                 # CRLs with this name convention
>                 # will be searched in EAPTLS_CAPath, else in the openssl
>                 # certificates directory typically /usr/local/openssl/certs/
>                 # CRLs are expected to be in PEM format.
>                 # A CRL file can be generated with openssl like this:
>                 #  openssl ca -gencrl -revoke cert-clt.pem
>                 #  openssl ca -gencrl -out crl.pem
>                 # Use of these flags requires Net_SSLeay-1.21 or later
>                 #EAPTLS_CRLCheck
>                 #EAPTLS_CRLFile %D/certificates/crl.pem
>                 #EAPTLS_CRLFile %D/certificates/revocations.pem
>
>                 # Some clients, depending on their configuration, may
>                 # require you to specify MPPE send and receive keys. This
>                 # _will_ be required if you select
>                 # 'Keys will be generated automatically for data privacy'
>                 # in the Funk Odyssey client Network Properties dialog.
>                 # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
>                 # in the final Access-Accept
>                 AutoMPPEKeys
>
>                 # You can configure the User-Name that will be used for the
>                 # inner authentication. Defaults to 'anonymous'. This can be
>                 # useful when proxying the inner authentication. If there is
>                 # a realm, it can be used to choose a local Realm to handle
>                 # the inner authentication.
>                 # %0 is replaced with the EAP identity
>                 # EAPAnonymous anonym...@some.other.realm
>
>                 # You can enable or disable support for TTLS Session
>                 # Resumption and PEAP Fast Reconnect with the
>                 # EAPTLS_SessionResumption flag. Default is enabled
>                 #EAPTLS_SessionResumption 0
>
>                 # You can limit how long after the initial session that a
>                 # session can be resumed with EAPTLS_SessionResumptionLimit
>                 # (time in seconds). Defaults to 43200 (12 hours)
>                 #EAPTLS_SessionResumptionLimit 10
>
>                 # You can control which version of the draft PEAP protocol
>                 # to honour with EAPTLS_PEAPVersion. Defaults to 1. Set it
>                 # to 0 for unusual clients, such as Funk Odyssey Client 2.22
>                 # or later.
>                 EAPTLS_PEAPVersion 0
>         </AuthBy>
> </Handler>
>
>
> -----Original Message-----
> From: Mike McCauley [mailto:mi...@open.com.au]
> Sent: Thursday, October 14, 2010 07:27
> To: radiator@open.com.au
> Cc: Smith, Todd
> Subject: Re: [RADIATOR] ServerHTTP
>
> Hi Todd,
>
> On Thursday 14 October 2010 07:15:51 am Smith, Todd wrote:
> > The server is x86 32 bit Ubuntu 8.04 LTS running Linux kernel
> > 2.6.24-28-server with Perl version 5.8.8 fully patched from standard
> > Ubuntu sources.
>
> We have tried, but haven't been able to reproduce this problem on that
> platform (or any other).
>
> Looks like you have your ServerHTTP configured for UseSSL? And that the
> connection from your browser was an SSL connection. How and where from did
> you install the perl Net::SSLeay module?
> Have you updated or changed your openssl install?
> What browser were you using?
>
> I think I need to see your complete config file (no secrets)
>
> Cheers.
>
>



-- 
Mike McCauley                               mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474                       Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
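As an added illustration, not part of this thread or of Radiator's own code, here is a small Python lint that parses the clause syntax of the config posted above and flags the sample-config leftovers its own comments warn about: a ServerHTTP with no Clients restriction or UseSSL, the goodies fallback login mikem/fred, a DefaultPrivilegeLevel whose save bit (8) is reachable through that hardwired Password, the Client secret mysecret, and Trace 4. The parser handles only the `<Clause args>` / `Key value` subset of Radiator syntax shown on this page, and the embedded sample config is constructed.

```python
import re

# Clause syntax used in the posted config: <Name args> ... </Name>
CLAUSE_OPEN = re.compile(r"^<(\w+)(?:\s+(.*?))?>$")
CLAUSE_CLOSE = re.compile(r"^</(\w+)>$")
# Placeholder credentials from the goodies sample file; none should reach production
SAMPLE_CREDS = {("Username", "mikem"), ("Password", "fred"), ("Secret", "mysecret")}

def parse_radiator(text):
    """Parse the Radiator syntax used on this page into a tree of clauses."""
    root = {"name": "ROOT", "args": "", "params": {}, "children": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := CLAUSE_CLOSE.match(line):
            if stack[-1]["name"] != m.group(1):
                raise ValueError(f"unbalanced clause </{m.group(1)}>")
            stack.pop()
        elif m := CLAUSE_OPEN.match(line):
            node = {"name": m.group(1), "args": m.group(2) or "", "params": {}, "children": []}
            stack[-1]["children"].append(node)
            stack.append(node)
        else:  # "Key value", or a bare flag such as AutoMPPEKeys (stored with value "")
            key, _, value = line.partition(" ")
            stack[-1]["params"][key] = value.strip()
    if len(stack) != 1:
        raise ValueError(f"unclosed clause <{stack[-1]['name']}>")
    return root

def find(node, name):
    # All clauses called `name`, at any nesting depth
    hits = [c for c in node["children"] if c["name"] == name]
    for c in node["children"]:
        hits += find(c, name)
    return hits

def lint(text):
    # Hardening findings for the ServerHTTP and Client clauses
    root, findings = parse_radiator(text), []
    for http in find(root, "ServerHTTP"):
        p = http["params"]
        if "Clients" not in p:
            findings.append("ServerHTTP: no Clients restriction")
        if "UseSSL" not in p:
            findings.append("ServerHTTP: UseSSL not enabled")
        # Bit 8 of the privilege bitmask allows saving the running config; granting
        # it to the hardwired fallback Password is a sample-config leftover.
        if int(p.get("DefaultPrivilegeLevel", "1")) & 8 and "Password" in p:
            findings.append("ServerHTTP: fallback Password carries config-save privilege")
        for key in ("Username", "Password"):
            if (key, p.get(key)) in SAMPLE_CREDS:
                findings.append(f"ServerHTTP: sample {key} '{p[key]}' still in use")
    for client in find(root, "Client"):
        if ("Secret", client["params"].get("Secret")) in SAMPLE_CREDS:
            findings.append(f"Client {client['args']}: sample shared secret still in use")
    if int(root["params"].get("Trace", "0")) >= 4:
        findings.append("Trace 4: use a lower trace level in production")
    return findings

# Constructed sample reduced from the posted config (Clients and UseSSL left out)
SAMPLE_CFG = "\n".join([
    "Trace 4", "<ServerHTTP>", "  Username mikem", "  Password fred",
    "  DefaultPrivilegeLevel 15", "</ServerHTTP>",
    "<Client DEFAULT>", "  Secret  mysecret", "</Client>"])
```

Running `lint(SAMPLE_CFG)` returns seven findings; running it over the real file (with the secrets replaced) is a quick way to confirm the goodies defaults are gone before the HTTP interface is exposed.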
