TNC19 Radiator Technical Workshop -- Meet Radiator developers

  1. TNC19 Radiator Technical Workshop: Meet Radiator developers
     Radiator Technical Workshop at TNC19 (20th of June 2019) - Tuure Vartiainen, Radiator Software
  2. Radiator Software
     ● Former (Australian) Open System Consultants and (Finnish) Arch Red
     ● Maker of Radiator AAA server
       ○ Formerly Radiator RADIUS server
  3. Hi!
     ● Senior Software Engineer at Radiator Software
       1. Radiator fine tuning and configuration hints (Radiator reference manual: https://www.open.com.au/radiator/ref)
       2. Use cases
       3. Open discussion, questions, feature requests, etc.
  4. Radiator fine tuning: Config and logging
     ● Use Identifiers in configuration stanzas, e.g.

         <Client 10.20.30.40>
             Identifier SomeClient
             ...
         </Client>

         <AuthBy LDAP2>
             Identifier MyLDAPauthN
             ...
         </AuthBy>

         <Handler Client-Identifier=SomeClient>
             Identifier MyFirstHandler
             ...
             # Refer to AuthBy "MyLDAPauthN"
             AuthBy MyLDAPauthN
         </Handler>

       The Identifiers then appear in the log messages:

         DEBUG: Handling request with Handler 'Client-Identifier=SomeClient', Identifier 'MyFirstHandler'
         ...
         DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
  5. Radiator fine tuning: Config and logging
     ● Include a microsecond timestamp in log messages with LogMicroseconds
     ● Include a per-request identifier in log messages with LogTraceId
     ● Include the FarmSize process number (not the PID) in log messages with LogFarmInstance
  6. Radiator fine tuning: Config and logging
     Log output with LogFarmInstance, LogTraceId and LogMicroseconds enabled (columns: farm instance, trace id, timestamp with microseconds):

         0 00000000 Wed Jun 19 12:02:22 2019 848353: NOTICE: Server started: Radiator 4.23 on MacBook.local
         0 00000000 Wed Jun 19 12:02:22 2019 848723: DEBUG: Forking server farm instance 1
         0 00000000 Wed Jun 19 12:02:22 2019 850548: DEBUG: Forking server farm instance 2
         ...
         1 d6ee82e0 Wed Jun 19 12:02:25 2019 326192: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
         1 d6ee82e0 Wed Jun 19 12:02:25 2019 329508: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
         ...
         1 d6ee82e0 Wed Jun 19 12:02:25 2019 336772: DEBUG: Access accepted for mikem
         ...
         2 429ddd20 Wed Jun 19 12:02:46 2019 291892: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
         2 429ddd20 Wed Jun 19 12:02:46 2019 297315: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
         ...
         2 429ddd20 Wed Jun 19 12:02:46 2019 308468: DEBUG: Access accepted for mikem
  7. Radiator fine tuning: Config and logging
     ● Logging to a file is faster than logging to Syslog or SQL
       ○ Output format can also be JSON, but make sure to use XS for speed

         # This auth logger logs both success and failure to a file in
         # JSON format. The JSON Perl module must be installed.
         <AuthLog FILE>
             Identifier myauthlogger-json
             Filename %L/authlog.json
             LogFormatHook sub { Radius::LogFormat::format_authlog_json(@_); }
             LogSuccess 1
             LogFailure 1
             LogIgnore 1
         </AuthLog>

       Example output:

         {"username":"mikem","type":"authentication","source_host":"MacBook.local",
          "timestamp":"Wed Jun 19 12:13:13 2019",
          "Trace_id":"75b0de60","result":"accept","nas_port":"1234",
          "Called_station_id":"123456789","time":1560935593.70994,
          "Nas_ip_address":"203.63.154.1","nas_identifier":"203.63.154.1",
          "calling_station_id":"987654321"}
  8. Radiator fine tuning: Config and logging
     ● Logging to a file is faster than logging to Syslog or SQL
       ○ Output format can also be JSON, but make sure to use XS for speed

         # This acct logger logs accounting to a file in
         # JSON format. The JSON Perl module must be installed.
         <AcctLog FILE>
             Identifier myacctlogger-json
             OutputFormat JSON
             Filename %L/acctlog.json
             # Use RADIUS attribute as JSON field name
             #AcctLogOutputDef Connect-Info
             # Map attribute to JSON field
             #AcctLogOutputDef Custom-Event-Timestamp, Event-Timestamp
             # Use special variables
             #AcctLogOutputDef Custom-Original-Username, %u
             #AcctLogOutputDef Custom-User-Name, %n
         </AcctLog>

       Example output:

         {"Acct-Delay-Time":"0","Acct-Input-Octets":"20000","NAS-Port":"1234",
          "type":"accounting","timestamp":"Wed Jun 19 14:15:22 2019",
          "NAS-Port-Type":"Async","User-Name":"mikem",
          "Calling-Station-Id":"987654321","time":1560942922.2841,
          "Service-Type":"Framed-User","trace_id":"405e1d10",
          "NAS-IP-Address":"203.63.154.1","Acct-Status-Type":"Stop",
          "Acct-Output-Octets":"30000","Event-Timestamp":"1560942921",
          "Called-Station-Id":"123456789","source_host":"MacBook.local",
          "Timestamp":"1560942921","NAS-Identifier":"203.63.154.1",
          "result":"accept","Acct-Session-Time":"1000",
          "Acct-Session-Id":"00001234"}
  9. Radiator fine tuning: Config and logging
     ● Include a reject reason in <AuthLog>

         <AuthLog FILE>
             Identifier authlog-file
             Filename %L/authentication.log
             ...
             SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' result='OK'
             FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
             IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
         </AuthLog>
  10. Radiator fine tuning: Config and logging

          % tail -n 2 authentication.log
          Wed Jun 19 12:22:37 2019 trace_id='70077480' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='Bad Password' result='FAIL'
          Wed Jun 19 12:28:40 2019 trace_id='2c9218b0' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='User database access error' result='IGNORE'
          %
  11. Radiator fine tuning: Config and logging
      ● Use ResponseTimeThreshold to define a response time threshold

          # Log if request handling takes more than 0.1 seconds
          ResponseTimeThreshold 100

          0 0c886b10 Wed Jun 19 13:57:32 2019 174079: WARNING: Response time 1012.875 ms for Access-Request id 105 exceeded 100 ms. (User: 'mikem', Client: 'DEFAULT' (DefaultClient), Handler: 'Client-Identifier=DefaultClient' (MyFirstHandler), Last AuthBy: 'LDAP2' (MyLDAPauthN))
  12. Configuration hints: SessionDatabase
      ● Configure <SessionDatabase NULL> to disable the SessionDatabase

          # Disable SessionDatabase
          <SessionDatabase NULL>
              Identifier SessDBNull
          </SessionDatabase>

      ● By default the in-memory <SessionDatabase INTERNAL> is used:

          ...
          2c9218b0 Wed Jun 19 12:28:40 2019 194849: DEBUG: Handling request with Handler '', Identifier 'MyFirstHandler'
          2c9218b0 Wed Jun 19 12:28:40 2019 195350: DEBUG: SessINTERNAL: Deleting session for mikem, 203.63.154.1, 1234
          2c9218b0 Wed Jun 19 12:28:40 2019 195712: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
          ...
  13. Configuration hints: AuthN protocols
      ● Use AuthenProto in <AuthBy> to allow only certain authN protocols, e.g. only PAP or only EAP.

          <AuthBy LDAP2>
              Identifier MyLDAPauthN
              …
              # Allow only EAP and MSCHAPv2
              AuthenProto EAP, MSCHAPv2
          </AuthBy>

          …
          1 c70b33d0 Wed Jun 19 12:48:08 2019 858532: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
          1 c70b33d0 Wed Jun 19 12:48:08 2019 862880: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
          1 c70b33d0 Wed Jun 19 12:48:08 2019 864139: DEBUG: AuthBy FILE result: REJECT, Authentication protocol PAP not allowed by AuthenProto configuration parameter
          1 c70b33d0 Wed Jun 19 12:48:08 2019 865404: INFO: Access rejected for mikem: Authentication protocol PAP not allowed by AuthenProto configuration parameter
          ...
  14. Configuration hints: Usernames and realms
      ● Use UsernameCharset to refuse usernames containing garbage bytes

          # Permit only alphanumeric, period, underscore, the @-sign, and dash
          UsernameCharset a-zA-Z0-9._@-

      ● Use RewriteUsername or a RewriteFunction hook to rewrite username realms before authenticating against the backend

          # Rewrite user realms with “domain.local” before authentication
          RewriteUsername s/^([^@]+)@.*/$1@domain.local/

      ● <AuthBy LSA> has LSARewriteHook to rewrite the NTLM username realm with “domain.local” before AD LSA authentication
  15. Configuration hints: Proxy health check
      ● Instead of Status-Server keepalives, Access-Request can be used to check proxy server health with RADIUS PAP authentication

          <AuthBy RADIUS>
              Identifier SomeProxyServer
              Host 20.30.40.50
              ...
              # Send Access-Request as keepalive probe
              UseStatusServerForFailureDetect
              KeepaliveTimeout 15
              KeepaliveRequestType Access-Request
              AddToKeepaliveRequest User-Name=mikem,User-Password=fred
              KeepaliveNoreplyTimeout 3
              Retries 2
              RetryTimeout 5
              FailureBackoffTime 900
              MaxFailedRequests 3
              MaxFailedGraceTime 60
          </AuthBy>
  16. Configuration hints: Combining AuthBys
      ● Add Asynchronous to <AuthBy RADIUS> and <AuthBy RADSEC> when combined with other AuthBys

          <Handler ...>
              Identifier ProxyAndAuthorize
              <AuthBy RADSEC>
                  Identifier UpstreamProxy
                  Asynchronous
              </AuthBy>
              # Local SQL for authZ and/or reply attributes (VLAN ID etc.)
              <AuthBy SQL>
                  Identifier AuthorizeLocally
                  NoCheckPassword
                  NoDefault
                  …
              </AuthBy>
          </Handler>
  17. Configuration hints: EAP
      ● Use separate <Handler ...> for outer and inner EAP
        ○ <AuthLog> in the inner <Handler> can log the real EAP identity!

          # Inner EAP
          <Handler TunnelledByPEAP=1>
              Identifier Inner-EAP
              <AuthBy LDAP2>
                  ...
                  EAPType MSCHAP-V2
              </AuthBy>
              AuthLog MyAuthLog
          </Handler>

          # Outer EAP (will match just PEAP)
          <Handler EAPTypeName=PEAP>
              Identifier Outer-EAP
              <AuthBy FILE>
                  Identifier Terminate-PEAP
                  EAPType PEAP
                  ...
              </AuthBy>
              AuthLog MyAuthLog
          </Handler>

      NOT LIKE THIS:

          # Handle everything by a single handler
          <Handler>
              <AuthBy ...>
                  EAPType PEAP, MSCHAP-V2
              </AuthBy>
          </Handler>
  18. Configuration hints: EAP contexts
      ● Use EAPContextTimeout to configure the maximum time for EAP authentications
      ● Unfinished PEAP, EAP-TLS and EAP-TTLS authentications are often caused by the EAP client failing to verify the AAA server’s certificate.

          % tail -n 1 authentication.log
          Wed Jun 19 13:51:12 2019 trace_id='786c3290' user='anonuser' client='127.0.0.1/' nas='127.0.0.1/' handler='' calling-station='02-00-00-00-00-01' called-station='' reason='Cleared expired unfinished EAP-PEAP context, elapsed time 10.10998. Client never finished authentication.' result='FAIL'
          %
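The key='value' layout configured on slide 9 is easy to parse with a small script, which is how the FAIL and IGNORE lines from slides 10 and 18 can be turned into operator-facing counters. The following is an added example written for this page (not Radiator code): it parses lines in that exact format, classifies the reason text into categories (bad credentials, backend error, unfinished EAP) and counts them. The log content is constructed from the three lines shown on the slides plus one made-up OK line; the category names are the example's own.

```python
import re
from collections import Counter

# Constructed sample: the three lines shown on slides 10 and 18 plus one made-up OK line
# in the SuccessFormat layout from slide 9.
SAMPLE_LOG = """\
Wed Jun 19 12:22:37 2019 trace_id='70077480' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='Bad Password' result='FAIL'
Wed Jun 19 12:28:40 2019 trace_id='2c9218b0' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='User database access error' result='IGNORE'
Wed Jun 19 13:51:12 2019 trace_id='786c3290' user='anonuser' client='127.0.0.1/' nas='127.0.0.1/' handler='' calling-station='02-00-00-00-00-01' called-station='' reason='Cleared expired unfinished EAP-PEAP context, elapsed time 10.10998. Client never finished authentication.' result='FAIL'
Wed Jun 19 13:52:01 2019 trace_id='0badcafe' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' result='OK'
"""

FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")  # key='value' pairs produced by the %-format strings

def parse_line(line: str) -> dict:
    """Split one AuthLog line into its timestamp (%l) and the quoted fields."""
    head = line.find(" trace_id=")
    event = {"timestamp": line[:head] if head > 0 else ""}
    event.update(dict(FIELD_RE.findall(line)))
    return event

def classify(reason: str) -> str:
    """Map the free-text reason (%1) to a category an operator can alert on."""
    if reason.startswith("Cleared expired unfinished EAP"):
        return "eap_unfinished"     # supplicant never completed, often a server cert it did not trust
    if "database access error" in reason:
        return "backend_error"      # IGNORE: the backend was unavailable, not a wrong password
    if reason == "Bad Password":
        return "bad_credentials"
    return "other"

def summarize(log_text: str):
    """Return the parsed events and counters by result, by failure category and by user."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    by_result, by_category, bad_password_users = Counter(), Counter(), Counter()
    for ev in events:
        by_result[ev.get("result", "?")] += 1
        if ev.get("result") != "OK":
            category = classify(ev.get("reason", ""))
            by_category[category] += 1
            if category == "bad_credentials":
                bad_password_users[ev.get("user", "?")] += 1
    return events, {"by_result": by_result, "by_category": by_category,
                    "bad_password_users": bad_password_users}

if __name__ == "__main__":
    _, summary = summarize(SAMPLE_LOG)
    for name, counter in summary.items():
        print(name, dict(counter))
```

Separating backend_error (IGNORE) from bad_credentials (FAIL) matters because the first is an availability problem with LDAP or SQL, while a burst of the second against one user is what a lockout or alerting rule should key on.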
  19. Configuration hints: EAP contexts
      ● Use EAP_UseState to use the RADIUS State attribute for identifying EAP contexts

          Wed Jun 19 13:40:49 2019: DEBUG: Access challenged for anonuser: EAP PEAP Challenge
          Wed Jun 19 13:40:49 2019: DEBUG: Packet dump:
          *** Sending to 127.0.0.1 port 55851 ....
          Code:       Access-Challenge
          Identifier: 0
          Authentic:  <0>(<13>u<194><185>9b<30><152><7><231><8><0><10>_
          Attributes:
              EAP-Message = <1><1><0><6><25>
              State = 01:d41d8cd98f00b204e9800998ecf8427e:23b104f0:6d524d61854712704f5b88abe726dd1d:
              Message-Authenticator = yQFMjhK<229><31><179><250><219>YeA<160>

          Wed Jun 19 13:40:49 2019: DEBUG: Packet dump:
          *** Received from 127.0.0.1 port 55851 ....
          Code:       Access-Request
          Identifier: 1
          Authentic:  <191><26>&<191>)<173><145><212><190><248><174><225><247>[L<230>
          Attributes:
              User-Name = "anonuser"
              NAS-IP-Address = 127.0.0.1
              Calling-Station-Id = "02-00-00-00-00-01"
              Framed-MTU = 1400
              NAS-Port-Type = Wireless-IEEE-802-11
              Service-Type = Framed-User
              Connect-Info = "CONNECT 11Mbps 802.11b"
              EAP-Message = <2><1><1>F<25><128><0><0><1>...*redacted*
              State = 01:d41d8cd98f00b204e9800998ecf8427e:23b104f0:6d524d61854712704f5b88abe726dd1d:
              Message-Authenticator = Z<157>$k<239><160><9><181><233>@<144><200><128>6O<240>
  20. Configuration hints: Statistics
      ● Use <StatsLog …> for monitoring Radiator usage

          <StatsLog FILE>
              Identifier MyStatsLogFILE
              Interval 600
              Filename %L/radiator.statistics-%Y-%m-%d
              # Don't print headers
              #Header
              # Output format either text or json
              OutputFormat text
              # Counters type can be either
              # cumulative, derivative, or packet_rate
              StatsType derivative
          </StatsLog>

          #*StatsLog FILE header redacted from here*
          1012954338:ServerConfig:server1:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
          1012954338:Client:DEFAULT:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
          1012954338:Client:10.20.30.40:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
          1012954338:Handler:Realm=DEFAULT:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
          1012954338:AuthBy:id1:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
          1012954338:Handler:Realm=my.realm:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
          1012954338:AuthBy:id2:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
          ...
  21. Use case examples: Group based VLAN ID
      ● User group based VLAN ID assignment
        ○ goodies/authorize-group1.cfg
        ○ goodies/authorize-group2.cfg
  22. Use case examples: TACACS+ server
      ● The <ServerTACACSPLUS> stanza enables Radiator to work as a TACACS+ server for network device authN/authZ/acct
        ○ goodies/tacacsplusserver.cfg
  23. Use case examples: Standard TOTP 2FA
      ● Combining different <AuthBy>(s) for authN and authZ
      ● E.g. using standard TOTP/HOTP 2FA with LDAP or SQL
        ○ goodies/radmin_totp.cfg (password format used: <password><totp_code>, e.g. “my#Secret!Password654321”, where “654321” is the time-based TOTP code)
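To make the <password><totp_code> convention concrete, here is an added example written for this page (not the radmin_totp.cfg goodie or any Radiator code) that splits the combined string, checks the static password, and verifies the trailing six digits as an RFC 6238 TOTP code with one time step of tolerance. It assumes the combined string reaches the server as a clear-text (PAP) password and that the per-user TOTP secret is already known to the server; the secret used in the demo is the RFC 6238 test secret, chosen so the expected code is a published test vector.

```python
import hmac
import hashlib
import struct

TOTP_DIGITS = 6
TOTP_STEP = 30        # seconds per TOTP time step (RFC 6238 default)
TOTP_WINDOW = 1       # accept one step of clock skew in either direction

def hotp(secret: bytes, counter: int, digits: int = TOTP_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def split_combined_password(combined: str, digits: int = TOTP_DIGITS):
    """Split '<password><totp_code>' into its two parts; None if there is no trailing code."""
    if len(combined) <= digits or not combined[-digits:].isdigit():
        return None
    return combined[:-digits], combined[-digits:]

def verify_totp(secret: bytes, code: str, now: int,
                step: int = TOTP_STEP, window: int = TOTP_WINDOW) -> bool:
    """RFC 6238 TOTP check against the current step and +/- window neighbouring steps."""
    counter = int(now) // step
    ok = False
    for delta in range(-window, window + 1):
        # compare_digest keeps the comparison time independent of where the mismatch is
        ok |= hmac.compare_digest(hotp(secret, counter + delta), code)
    return ok

def authenticate(combined: str, expected_password: str, secret: bytes, now: int) -> bool:
    """Both factors must pass; both are evaluated so a reject does not reveal which one failed."""
    parts = split_combined_password(combined)
    if parts is None:
        return False
    static_password, code = parts
    password_ok = hmac.compare_digest(static_password.encode(), expected_password.encode())
    totp_ok = verify_totp(secret, code, now)
    return password_ok and totp_ok

if __name__ == "__main__":
    # Constructed demo: RFC 6238 test secret at Unix time 59 (counter 1), whose 6-digit code is 287082
    DEMO_SECRET = b"12345678901234567890"
    print(authenticate("my#Secret!Password287082", "my#Secret!Password", DEMO_SECRET, now=59))
```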
  24. Use case examples: Chef and Ansible
      ● Radiator Chef cookbook: https://supermarket.chef.io/cookbooks/radiator
      ● Radiator Ansible role to be published at https://galaxy.ansible.com/
  25. Questions, comments, stories?
      ● Your experience and feedback?
      ● Missing features big and small?
      ● Radiator container images?