On 02/10/2011 02:23 PM, Adam Bishop wrote:
> Adding a handler has worked for PAP and null-user accounting worked,
> thanks for that.
Good to hear.

> Just using fork on a whim in case ntlm_auth decides to be slow (which it
> normally isn't, so it doesn't matter too much if it doesn't work).
>
> It seems that the child never returns a response - just now I ssh'd in to
> the server and there are about 30 copies of ntlm-auth running, so I would
> assume something is not going right with the forking.

It could be that auth_ntlm is one of the cases where fork does not work. Since Radiator starts ntlm_auth only once, starting ntlm_auth is not a performance problem either.

The config you have seems to do only AuthBy NTLM, so I would say it does not make sense to create a Radiator instance that does only NTLM authentication. This approach might be useful in case Radiator did something else too and there is a concern that NTLM auth can be slow sometimes.

> Running Radiator as root allows the ntlm_auth processes to be cleaned up,
> but it's still showing the same lines in the log and the client doesn't
> seem to be receiving a response.

Ok, thanks for letting us know about the fork behaviour. At least currently there are no plans to work with fork and ntlm_auth, but I suspect the problem lies with handling sockets and other inter-process communication between the processes (parent, child and ntlm_auth forked by the child).
> Thanks,
>
> Adam Bishop
>
> Config file follows:
>
> AcctPort 1813
> AuthPort 1812
> BindAddress 0.0.0.0
> DbDir /etc/radiator/
> DictionaryFile /etc/radiator/dictionary,/etc/radiator/dictionary.aerohive
> Foreground 0
> LicenseOwner UKERNA
> LivingstonHole 2
> LivingstonMIB .iso.org.dod.internet.private.enterprises.307
> LivingstonOffs 29
> LogDir /var/log/radiator/
> LogFile %L/logfile
> LogStdout 1
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
>
> <AuthBy NTLM>
>     AcctFailedLogFileName %L/accounting-failed
>     AutoMPPEKeys 1
>     CachePasswordExpiry 86400
>     DomainFormat %0
>     EAPAnonymous anonymous
>     EAPContextTimeout 1000
>     EAPErrorReject 1
>     EAPFAST_PAC_Lifetime 7776000
>     EAPFAST_PAC_Reprovision 2592000
>     EAPTLS_CAFile %D/certificates/chain
>     EAPTLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 1000
>     EAPTLS_PEAPBrokenV1Label 1
>     EAPTLS_PEAPVersion 1
>     EAPTLS_PrivateKeyFile %D/certificates/private.pem
>     EAPTLS_SessionResumption 1
>     EAPTLS_SessionResumptionLimit 43200
>     EAPTLS_VerifyDepth 1
>     EAPTTLS_NoAckRequired 1
>     EAPType PEAP
>     EAPType TTLS
>     EAPType MSCHAP-V2
>     EAP_PEAP_MSCHAP_Convert 1
>     Fork 1
>     Identifier DEV-ADIR-ANY
>     NoDefault 1
>     NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1
>     PasswordPrompt password
>     SIPDigestRealm DefaultSipRealm
>     UsernameFormat %0
>     UsernameMatchesWithoutRealm 1
> </AuthBy>
>
> <AuthBy NTLM>
>     CachePasswordExpiry 86400
>     DomainFormat %0
>     EAPAnonymous anonymous
>     EAPContextTimeout 1000
>     EAPFAST_PAC_Lifetime 7776000
>     EAPFAST_PAC_Reprovision 2592000
>     EAPTLS_CertificateType PEM
>     EAPTLS_MaxFragmentSize 2048
>     EAPTLS_PEAPVersion 1
>     EAPTLS_SessionResumption 1
>     EAPTLS_SessionResumptionLimit 43200
>     EAPTLS_VerifyDepth 1
>     Identifier DEV-ADIR-DOMADMIN
>     NoDefault 1
>     NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of='DEV\Domain Admins'
>     PasswordPrompt password
>     SIPDigestRealm DefaultSipRealm
>     UsernameFormat %0
> </AuthBy>
>
> <Client 193.63.63.101>
>     DupInterval 10
>     FramedGroupMaxPortsPerClassC 255
>     IdenticalClients 193.63.63.102
>     IdenticalClients 193.63.63.103
>     IdenticalClients 193.63.63.104
>     IgnoreAcctSignature 1
>     LivingstonHole 2
>     LivingstonOffs 29
>     NasType unknown
>     SNMPCommunity public
> </Client>
>
> <Client roaming0.ja.net>
>     AddToReplyIfNotExist Operator-Name=The JNT Association
>     AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
>     DupInterval 10
>     FramedGroupMaxPortsPerClassC 255
>     IgnoreAcctSignature 1
>     LivingstonHole 2
>     LivingstonOffs 29
>     NasType unknown
>     SNMPCommunity public
> </Client>
>
> <Client roaming1.ja.net>
>     AddToReplyIfNotExist Operator-Name=The JNT Association
>     AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
>     DupInterval 10
>     FramedGroupMaxPortsPerClassC 255
>     IgnoreAcctSignature 1
>     LivingstonHole 2
>     LivingstonOffs 29
>     NasType unknown
>     SNMPCommunity public
> </Client>
>
> <Client roaming2.ja.net>
>     AddToReplyIfNotExist Operator-Name=The JNT Association
>     AllowInReply User-Name,Reply-Message,State,Class,Message-Authenticator,Calling-Station-Id,Proxy-State,EAP-Message,MS-MPPE-Send-Key,MS-MPPE-Recv-Key,User-Name,Acct-Status-Type,Acct-Session-ID,Class,Proxy-State,Operator-Name
>     DupInterval 10
>     FramedGroupMaxPortsPerClassC 255
>     IgnoreAcctSignature 1
>     LivingstonHole 2
>     LivingstonOffs 29
>     NasType unknown
>     SNMPCommunity public
> </Client>
>
> <Handler TunnelledByPEAP = 1>
>     AccountingHandled 1
>     AcctLogFileName %L/account.log
>     AuthByPolicy ContinueUntilReject
>     RejectHasReason 1
>     AuthBy DEV-ADIR-ANY
> </Handler>
>
> <Handler Realm = dev.ja.net>
>     AccountingHandled 1
>     AcctLogFileName %L/account.log
>     AuthByPolicy ContinueUntilReject
>     RejectHasReason 1
>     AuthBy DEV-ADIR-ANY
> </Handler>
>
> <Handler Realm = >
>     AccountingHandled 1
>     AcctLogFileName %L/account.log
>     AuthByPolicy ContinueUntilReject
>     RejectHasReason 1
> </Handler>
>
> <ServerHTTP >
>     AuditTrail %D/audit.txt
>     AuthByPolicy ContinueWhileIgnore
>     BindAddress 0.0.0.0
>     DefaultPrivilegeLevel 15
>     LogMaxLines 500
>     MaxBufferSize 100000
>     Port 9048
>     Protocol tcp
>     SessionTimeout 3600
>     TLS_CAFile %D/certificates/chain
>     TLS_CertificateFile %D/certificates/orps3.dev.ja.net.crt
>     TLS_CertificateType PEM
>     TLS_ExpectedPeerName .+
>     TLS_PrivateKeyFile %D/certificates/private.pem
>     Trace 4
>     UseSSL 1
>     UseTLS 1
>     AuthBy DEV-ADIR-DOMADMIN
> </ServerHTTP>
>
> <StatsLog FILE>
>     Filename %L/statistics
>     Interval 600
> </StatsLog>
>
>
>
> On 09/02/2011 16:42, "Heikki Vatiainen" <h...@open.com.au> wrote:
>
>> On 02/09/2011 05:37 PM, Adam Bishop wrote:
>>
>>> * Can I disable PAP?
>>
>> You cannot stop the client sending the User-Password attribute, but you can
>> create a handler that rejects the request if the attribute is present.
>>
>> That could direct the users to move e.g. from TTLS/PAP to TTLS/MSCHAPv2
>> or something else that does not cause passwords to be logged with Trace 4.
>>
>>> * Using fork with AuthByNTLM causes the request to fail:
>>>
>>> Wed Feb 9 15:22:24 2011: DEBUG: Handling with Radius::AuthNTLM:
>>> Wed Feb 9 15:22:24 2011: DEBUG: AuthBy NTLM result: IGNORE, forked
>>>
>>> Anyone used fork with NTLM?
>>
>> This does not look like a failure to me. This is logged by the parent
>> while the newly forked child is handling the request. The real
>> result should come from the child process once it finishes.
>>
>> You should see messages from the child in the logs while it does NTLM
>> authentication.
>>
>> Why would you need to use fork with NTLM?
>>
>>> * What do I need to do to get these types of accounting requests
>>> handled? The standard user accounting packets are handled fine, but the
>>> NAS status updates aren't:
>>
>> Just guessing here, but if you use Handlers that try to match realms,
>> there is no User-Name where the realm comes from.
>>
>> You could try a Handler that has Request-Type = Accounting-Request,
>> Acct-Status-Type = Accounting-On
>>
>>> *** Received from 193.63.63.103 port 1814 ....
>>> Code: Accounting-Request
>>> Identifier: 217
>>> Authentic: <6><7><204><18><175><169>.<176><146>$<30><168><221><255>l<143>
>>> Attributes:
>>> Acct-Status-Type = Accounting-On
>>> Acct-Authentic = RADIUS
>>> NAS-IP-Address = 193.63.63.103
>>> NAS-Identifier = "HiveAP3"
>>> Called-Station-Id = "00-19-77-1B-CD-60:eduroam-dev"
>>> Acct-Terminate-Cause = NAS-Reboot
>>> Proxy-State = 0
>>>
>>> Wed Feb 9 15:21:40 2011: WARNING: Could not find a handler for :
>>> request is ignored
>>>
>>> Thanks for your help,
>>
>> No problem. Please send your config file (no secrets) if you need
>> further comments.
>>
>> Thanks!
>>
>> --
>> Heikki Vatiainen <h...@open.com.au>
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
>
> JANET(UK) is a trading name of The JNT Association, a company limited
> by guarantee which is registered in England under No. 2881024
> and whose Registered Office is at Lumen House, Library Avenue,
> Harwell Oxford, Didcot, Oxfordshire. OX11 0SG
>
> _______________________________________________
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

--
Heikki Vatiainen <h...@open.com.au>
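The two Handler shapes suggested in the quoted reply, written out as an added example (it is not from the thread and not Radiator's own documentation): a Handler that rejects any request carrying a User-Password (PAP, including TTLS/PAP inner requests) so the cleartext password is never authenticated or logged at Trace 4, and Handlers that catch NAS Accounting-On/Off requests, which carry no User-Name and so never match a Realm-based Handler. It assumes Radiator's Handler check-item syntax with regexp values, the Request-Type pseudo-attribute, and AuthBy INTERNAL's DefaultResult directive; it goes beyond the thread by also catching Accounting-Off.

```text
# Reject PAP: any request that arrives with a User-Password attribute.
# Handlers are tried in config-file order, so this block must come before
# the TunnelledByPEAP / Realm Handlers that would otherwise authenticate it.
# /./ is a Perl regexp check item: it matches a present, non-empty value
# (assumption: Radiator regexp check-item syntax).
<Handler User-Password=/./>
    Identifier REJECT-PAP
    RejectHasReason 1
    <AuthBy INTERNAL>
        # Assumed directive: fixed result for every request, no backend.
        DefaultResult REJECT
    </AuthBy>
</Handler>

# NAS status updates (Accounting-On after an AP reboot, Accounting-Off on
# shutdown) have no User-Name, so <Handler Realm = ...> never matches and
# Radiator logs "Could not find a handler". Match on the request type and
# Acct-Status-Type instead and just record them (assumed log file name).
<Handler Request-Type=Accounting-Request, Acct-Status-Type=Accounting-On>
    AccountingHandled 1
    AcctLogFileName %L/nas-status.log
</Handler>

<Handler Request-Type=Accounting-Request, Acct-Status-Type=Accounting-Off>
    AccountingHandled 1
    AcctLogFileName %L/nas-status.log
</Handler>
```

With Trace 4 the rejected request is still printed by the server before the Handler runs, so lowering Trace on production systems is what actually keeps PAP passwords out of the log; the reject only stops them being accepted.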