Adding a handler has worked for PAP, and null-user accounting works too; thanks for that.
Just using fork on a whim, in case ntlm_auth decides to be slow (which it normally isn't, so it doesn't matter too much if it doesn't work). It seems that the child never returns a response: just now I ssh'd in to the server and there are about 30 copies of ntlm_auth running, so I would assume something is not going right with the forking. Running Radiator as root allows the ntlm_auth processes to be cleaned up, but it's still showing the same lines in the log and the client doesn't seem to be receiving a response.

Thanks,

Adam Bishop

Config file follows:

AcctPort 1813
AuthPort 1812
BindAddress 0.0.0.0
DbDir /etc/radiator/
DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
Foreground 0
LicenseOwner UKERNA
LivingstonHole 2
LivingstonMIB .iso.org.dod.internet.private.enterprises.307
LivingstonOffs 29
LogDir /var/log/radiator/
LogFile %L/logfile
LogStdout 1
MaxChildren 0
PidFile %L/radiusd.pid
PmwhoProg /usr/local/sbin/pmwho
SnmpNASErrorTimeout 60
SnmpgetProg /usr/bin/snmpget
SnmpsetProg /usr/bin/snmpset
SnmpwalkProg /usr/bin/snmpwalk
Trace 4

<AuthBy NTLM>
    AcctFailedLogFileName %L/accounting-failed
    AutoMPPEKeys 1
    CachePasswordExpiry 86400
    DomainFormat %0
    EAPAnonymous anonymous
    EAPContextTimeout 1000
    EAPErrorReject 1
    EAPFAST_PAC_Lifetime 7776000
    EAPFAST_PAC_Reprovision 2592000
    EAPTLS_CAFile %D/certificates/chain
    EAPTLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
    EAPTLS_CertificateType PEM
    EAPTLS_MaxFragmentSize 1000
    EAPTLS_PEAPBrokenV1Label 1
    EAPTLS_PEAPVersion 1
    EAPTLS_PrivateKeyFile %D/certificates/private.pem
    EAPTLS_SessionResumption 1
    EAPTLS_SessionResumptionLimit 43200
    EAPTLS_VerifyDepth 1
    EAPTTLS_NoAckRequired 1
    EAPType PEAP
    EAPType TTLS
    EAPType MSCHAP-V2
    EAP_PEAP_MSCHAP_Convert 1
    Fork 1
    Identifier DEV-ADIR-ANY
    NoDefault 1
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
    PasswordPrompt password
    SIPDigestRealm DefaultSipRealm
    UsernameFormat %0
    UsernameMatchesWithoutRealm 1
</AuthBy>

<AuthBy NTLM>
    CachePasswordExpiry 86400
    DomainFormat %0
    EAPAnonymous anonymous
    EAPContextTimeout 1000
    EAPFAST_PAC_Lifetime 7776000
    EAPFAST_PAC_Reprovision 2592000
    EAPTLS_CertificateType PEM
    EAPTLS_MaxFragmentSize 2048
    EAPTLS_PEAPVersion 1
    EAPTLS_SessionResumption 1
    EAPTLS_SessionResumptionLimit 43200
    EAPTLS_VerifyDepth 1
    Identifier DEV-ADIR-DOMADMIN
    NoDefault 1
    NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='DEV\Domain Admins'
    PasswordPrompt password
    SIPDigestRealm DefaultSipRealm
    UsernameFormat %0
</AuthBy>

<Client 193.63.63.101>
    DupInterval 10
    FramedGroupMaxPortsPerClassC 255
    IdenticalClients 193.63.63.102
    IdenticalClients 193.63.63.103
    IdenticalClients 193.63.63.104
    IgnoreAcctSignature 1
    LivingstonHole 2
    LivingstonOffs 29
    NasType unknown
    SNMPCommunity public
</Client>

<Client roaming0.ja.net>
    AddToReplyIfNotExist Operator-Name=The JNT Association
    AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
    DupInterval 10
    FramedGroupMaxPortsPerClassC 255
    IgnoreAcctSignature 1
    LivingstonHole 2
    LivingstonOffs 29
    NasType unknown
    SNMPCommunity public
</Client>

<Client roaming1.ja.net>
    AddToReplyIfNotExist Operator-Name=The JNT Association
    AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
    DupInterval 10
    FramedGroupMaxPortsPerClassC 255
    IgnoreAcctSignature 1
    LivingstonHole 2
    LivingstonOffs 29
    NasType unknown
    SNMPCommunity public
</Client>

<Client roaming2.ja.net>
    AddToReplyIfNotExist Operator-Name=The JNT Association
    AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
    DupInterval 10
    FramedGroupMaxPortsPerClassC 255
    IgnoreAcctSignature 1
    LivingstonHole 2
    LivingstonOffs 29
    NasType unknown
    SNMPCommunity public
</Client>

<Handler TunnelledByPEAP = 1>
    AccountingHandled 1
    AcctLogFileName %L/account.log
    AuthByPolicy ContinueUntilReject
    RejectHasReason 1
    AuthBy DEV-ADIR-ANY
</Handler>

<Handler Realm = dev.ja.net>
    AccountingHandled 1
    AcctLogFileName %L/account.log
    AuthByPolicy ContinueUntilReject
    RejectHasReason 1
    AuthBy DEV-ADIR-ANY
</Handler>

<Handler Realm = >
    AccountingHandled 1
    AcctLogFileName %L/account.log
    AuthByPolicy ContinueUntilReject
    RejectHasReason 1
</Handler>

<ServerHTTP >
    AuditTrail %D/audit.txt
    AuthByPolicy ContinueWhileIgnore
    BindAddress 0.0.0.0
    DefaultPrivilegeLevel 15
    LogMaxLines 500
    MaxBufferSize 100000
    Port 9048
    Protocol tcp
    SessionTimeout 3600
    TLS_CAFile %D/certificates/chain
    TLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
    TLS_CertificateType PEM
    TLS_ExpectedPeerName .+
    TLS_PrivateKeyFile %D/certificates/private.pem
    Trace 4
    UseSSL 1
    UseTLS 1
    AuthBy DEV-ADIR-DOMADMIN
</ServerHTTP>

<StatsLog FILE>
    Filename %L/statistics
    Interval 600
</StatsLog>

On 09/02/2011 16:42, "Heikki Vatiainen" <h...@open.com.au> wrote:

>On 02/09/2011 05:37 PM, Adam Bishop wrote:
>
>> * Can I disable PAP?
>
>You cannot stop the client sending the User-Password attribute, but you can
>create a handler that rejects the request if the attribute is present.
>
>That could direct the users to move e.g. from TTLS/PAP to TTLS/MSCHAPv2
>or something else that does not cause passwords to be logged with Trace 4.
>
>> * Using fork with AuthBy NTLM causes the request to fail:
>>
>> Wed Feb 9 15:22:24 2011: DEBUG: Handling with Radius::AuthNTLM:
>> Wed Feb 9 15:22:24 2011: DEBUG: AuthBy NTLM result: IGNORE, forked
>>
>> Anyone used fork with NTLM?
>
>This does not look like a failure to me. This is logged by the parent
>while the newly forked child is handling the request. The real
>result should come from the child process once it finishes.
>
>You should see messages from the child in the logs while it does NTLM
>authentication.
>
>Why would you need to use fork with NTLM?
>
>> * What do I need to do to get these types of accounting requests
>> handled? The standard user accounting packets are handled fine, but the
>> NAS status updates aren't:
>
>Just guessing here, but if you use Handlers that try to match realms,
>there is no User-Name where the realm would come from.
>
>You could try a Handler that has Request-Type = Accounting-Request,
>Acct-Status-Type = Accounting-On
>
>> *** Received from 193.63.63.103 port 1814 ....
>> Code:       Accounting-Request
>> Identifier: 217
>> Authentic:  <6><7><204><18><175><169>.<176><146>$<30><168><221><255>l<143>
>> Attributes:
>>     Acct-Status-Type = Accounting-On
>>     Acct-Authentic = RADIUS
>>     NAS-IP-Address = 193.63.63.103
>>     NAS-Identifier = "HiveAP3"
>>     Called-Station-Id = "00-19-77-1B-CD-60:eduroam-dev"
>>     Acct-Terminate-Cause = NAS-Reboot
>>     Proxy-State = 0
>>
>> Wed Feb 9 15:21:40 2011: WARNING: Could not find a handler for : request is ignored
>>
>> Thanks for your help,
>
>No problem. Please send your config file (no secrets) if you need
>further comments.
>
>Thanks!
>
>--
>Heikki Vatiainen <h...@open.com.au>
>
>Radiator: the most portable, flexible and configurable RADIUS server
>anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>NetWare etc.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG

_______________________________________________
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
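As an added illustration of the two Handler suggestions in Heikki's reply (the Accounting-On handler and the "reject if User-Password is present" handler), here is a fragment that would sit in front of the Realm-based Handlers in the config above. This is example configuration written for this page, not code from either poster or from the Radiator distribution. Assumptions, flagged in the comments: that Radiator tries Handlers in configuration order and uses the first whose conditions all match, that a `/regex/` value in a Handler condition matches a present attribute, that AuthBy INTERNAL with `AuthResult REJECT` is the way to return a fixed reject, and the log file name `%L/account-nas.log`, which is made up.

```text
# Assumption: Handlers are tried in the order they appear and the first
# one whose conditions all match takes the request, so both of these go
# ahead of <Handler TunnelledByPEAP = 1>, <Handler Realm = dev.ja.net>
# and <Handler Realm = >.

# 1. NAS status accounting (Accounting-On / Accounting-Off) carries no
#    User-Name, so there is nothing for a Realm = condition to match.
#    Match on the request type and status instead, as Heikki suggests.
#    Assumption: the /.../ form is a regex match on the attribute value.
<Handler Request-Type = Accounting-Request, Acct-Status-Type = /^Accounting-O(n|ff)$/>
    AccountingHandled 1
    # made-up file name for this example
    AcctLogFileName %L/account-nas.log
</Handler>

# 2. Refuse any Access-Request that still arrives with a User-Password,
#    i.e. PAP, whether sent directly by a NAS or as the inner request of
#    TTLS/PAP. With Trace 4 that attribute is logged in clear, which is
#    the reason for pushing clients towards MSCHAPv2 inside the tunnel.
#    Assumption: a /.+/ value matches whenever the attribute is present.
#    Outer PEAP/TTLS requests carry EAP-Message rather than User-Password,
#    and the PEAP inner request is MSCHAP-V2 (EAP_PEAP_MSCHAP_Convert 1),
#    so neither is caught here; only a PAP inner request is.
<Handler Request-Type = Access-Request, User-Password = /.+/>
    RejectHasReason 1
    <AuthBy INTERNAL>
        # Assumption: AuthBy INTERNAL returns a fixed result for
        # Access-Requests without consulting any backend.
        AuthResult REJECT
    </AuthBy>
</Handler>

# The existing <Handler TunnelledByPEAP = 1>, <Handler Realm = dev.ja.net>
# and <Handler Realm = > blocks follow here unchanged.
```

A check worth doing after adding the second Handler: send one TTLS/PAP and one TTLS/MSCHAPv2 authentication from a test client and confirm in the Trace 4 log that the first is handled by the User-Password Handler and rejected, while the second still reaches DEV-ADIR-ANY. If the PAP request falls through to a Realm Handler instead, the regex-match assumption above does not hold on that Radiator version and the condition needs a different form.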