
TNC19 Radiator Technical Workshop -- Meet Radiator developers


TNC19 Radiator technical workshop presentation about Radiator AAA server software's new features and fine tuning tips.

Published in: Software


  1. Radiator Technical Workshop at TNC19 (20th of June 2019), Tuure Vartiainen, Radiator Software. Title slide: TNC19 Radiator Technical Workshop, Meet Radiator developers.
  2. Radiator Software
     ● Former (Australian) Open System Consultants and (Finnish) Arch Red
     ● Maker of Radiator AAA server
       ○ Formerly Radiator RADIUS server
  3. Hi!
     ● Senior Software Engineer at Radiator Software
     1. Radiator fine tuning and configuration hints (Radiator reference manual: https://www.open.com.au/radiator/ref)
     2. Use cases
     3. Open discussion, questions, feature requests, etc.
  4. Radiator fine tuning: Config and logging
     ● Use Identifiers in configuration stanzas, e.g.

     ```
     <Client 10.20.30.40>
         Identifier SomeClient
         ...
     </Client>

     <AuthBy LDAP2>
         Identifier MyLDAPauthN
         ...
     </AuthBy>

     <Handler Client-Identifier=SomeClient>
         Identifier MyFirstHandler
         ...
         # Refer to AuthBy "MyLDAPauthN"
         AuthBy MyLDAPauthN
     </Handler>
     ```

     The Identifiers then show up in the debug log:

     ```
     DEBUG: Handling request with Handler 'Client-Identifier=SomeClient', Identifier 'MyFirstHandler'
     ...
     DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
     ```
  5. Radiator fine tuning: Config and logging
     ● Include a microsecond timestamp in log messages with LogMicroseconds
     ● Include a per-request identifier in log messages with LogTraceId
     ● Include the FarmSize process number (not the PID) in log messages with LogFarmInstance
  6. Radiator fine tuning: Config and logging

     Example log output with LogFarmInstance, LogTraceId and LogMicroseconds enabled (farm instance number, trace id, timestamp, microseconds):

     ```
     0 00000000 Wed Jun 19 12:02:22 2019 848353: NOTICE: Server started: Radiator 4.23 on MacBook.local
     0 00000000 Wed Jun 19 12:02:22 2019 848723: DEBUG: Forking server farm instance 1
     0 00000000 Wed Jun 19 12:02:22 2019 850548: DEBUG: Forking server farm instance 2
     ...
     1 d6ee82e0 Wed Jun 19 12:02:25 2019 326192: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
     1 d6ee82e0 Wed Jun 19 12:02:25 2019 329508: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
     ...
     1 d6ee82e0 Wed Jun 19 12:02:25 2019 336772: DEBUG: Access accepted for mikem
     ...
     2 429ddd20 Wed Jun 19 12:02:46 2019 291892: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
     2 429ddd20 Wed Jun 19 12:02:46 2019 297315: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
     ...
     2 429ddd20 Wed Jun 19 12:02:46 2019 308468: DEBUG: Access accepted for mikem
     ```
  7. Radiator fine tuning: Config and logging
     ● Logging to a file is faster than logging to Syslog or SQL
       ○ Output format can also be JSON, but make sure to use XS for speed

     ```
     # This auth logger logs both success and failure to a file in
     # JSON format. The JSON Perl module must be installed.
     <AuthLog FILE>
         Identifier myauthlogger-json
         Filename %L/authlog.json
         LogFormatHook sub { Radius::LogFormat::format_authlog_json(@_); }
         LogSuccess 1
         LogFailure 1
         LogIgnore 1
     </AuthLog>
     ```

     Resulting log entry:

     ```
     {"username":"mikem","type":"authentication","source_host":"MacBook.local",
     "timestamp":"Wed Jun 19 12:13:13 2019",
     "Trace_id":"75b0de60","result":"accept","nas_port":"1234",
     "Called_station_id":"123456789","time":1560935593.70994,
     "Nas_ip_address":"203.63.154.1","nas_identifier":"203.63.154.1",
     "calling_station_id":"987654321"}
     ```
  8. Radiator fine tuning: Config and logging
     ● Logging to a file is faster than logging to Syslog or SQL
       ○ Output format can also be JSON, but make sure to use XS for speed

     ```
     # This acct logger logs accounting to a file in
     # JSON format. The JSON Perl module must be installed.
     <AcctLog FILE>
         Identifier myacctlogger-json
         OutputFormat JSON
         Filename %L/acctlog.json
         # Use RADIUS attribute as JSON field name
         #AcctLogOutputDef Connect-Info
         # Map attribute to JSON field
         #AcctLogOutputDef Custom-Event-Timestamp, Event-Timestamp
         # Use special variables
         #AcctLogOutputDef Custom-Original-Username, %u
         #AcctLogOutputDef Custom-User-Name, %n
     </AcctLog>
     ```

     Resulting log entry:

     ```
     {"Acct-Delay-Time":"0","Acct-Input-Octets":"20000","NAS-Port":"1234",
     "type":"accounting","timestamp":"Wed Jun 19 14:15:22 2019",
     "NAS-Port-Type":"Async","User-Name":"mikem",
     "Calling-Station-Id":"987654321","time":1560942922.2841,
     "Service-Type":"Framed-User","trace_id":"405e1d10",
     "NAS-IP-Address":"203.63.154.1","Acct-Status-Type":"Stop",
     "Acct-Output-Octets":"30000","Event-Timestamp":"1560942921",
     "Called-Station-Id":"123456789","source_host":"MacBook.local",
     "Timestamp":"1560942921","NAS-Identifier":"203.63.154.1",
     "result":"accept","Acct-Session-Time":"1000",
     "Acct-Session-Id":"00001234"}
     ```
  9. Radiator fine tuning: Config and logging
     ● Include a reject reason in <AuthLog>

     ```
     <AuthLog FILE>
         Identifier authlog-file
         Filename %L/authentication.log
         ...
         SuccessFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' result='OK'
         FailureFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' reason='%1' result='FAIL'
         IgnoreFormat %l trace_id='%2' user='%u' client='%c/%{Client:Identifier}' nas='%N/%{NAS-Identifier}' handler='%{Handler:Identifier}' calling-station='%{Request:Calling-Station-Id}' called-station='%{Called-Station-Id}' reason='%1' result='IGNORE'
     </AuthLog>
     ```
  10. Radiator fine tuning: Config and logging

      ```
      % tail -n 2 authentication.log
      Wed Jun 19 12:22:37 2019 trace_id='70077480' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='Bad Password' result='FAIL'
      Wed Jun 19 12:28:40 2019 trace_id='2c9218b0' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='User database access error' result='IGNORE'
      %
      ```
  11. Radiator fine tuning: Config and logging
      ● Use ResponseTimeThreshold to define a response time threshold

      ```
      # Log if request handling takes more than 0.1 seconds
      ResponseTimeThreshold 100
      ```

      Resulting warning when the threshold is exceeded:

      ```
      0 0c886b10 Wed Jun 19 13:57:32 2019 174079: WARNING: Response time 1012.875 ms for Access-Request id 105 exceeded 100 ms. (User: 'mikem', Client: 'DEFAULT' (DefaultClient), Handler: 'Client-Identifier=DefaultClient' (MyFirstHandler), Last AuthBy: 'LDAP2' (MyLDAPauthN))
      ```
  12. Configuration hints: SessionDatabase
      ● Configure <SessionDatabase NULL> to disable the SessionDatabase

      ```
      # Disable SessionDatabase
      <SessionDatabase NULL>
          Identifier SessDBNull
      </SessionDatabase>
      ```

      ● By default the in-memory <SessionDatabase INTERNAL> is used, which shows in the debug log:

      ```
      ...
      2c9218b0 Wed Jun 19 12:28:40 2019 194849: DEBUG: Handling request with Handler '', Identifier 'MyFirstHandler'
      2c9218b0 Wed Jun 19 12:28:40 2019 195350: DEBUG: SessINTERNAL: Deleting session for mikem, 203.63.154.1, 1234
      2c9218b0 Wed Jun 19 12:28:40 2019 195712: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
      ...
      ```
  13. Configuration hints: AuthN protocols
      ● Use AuthenProto in <AuthBy> to allow only certain authN protocols, e.g. only PAP or only EAP.

      ```
      <AuthBy LDAP2>
          Identifier MyLDAPauthN
          ...
          # Allow only EAP and MSCHAPv2
          AuthenProto EAP, MSCHAPv2
      </AuthBy>
      ```

      A PAP request is then rejected before the backend is consulted:

      ```
      ...
      1 c70b33d0 Wed Jun 19 12:48:08 2019 858532: DEBUG: Handling request with Handler 'Client-Identifier=DefaultClient', Identifier 'MyFirstHandler'
      1 c70b33d0 Wed Jun 19 12:48:08 2019 862880: DEBUG: Handling with Radius::AuthLDAP2: MyLDAPauthN
      1 c70b33d0 Wed Jun 19 12:48:08 2019 864139: DEBUG: AuthBy FILE result: REJECT, Authentication protocol PAP not allowed by AuthenProto configuration parameter
      1 c70b33d0 Wed Jun 19 12:48:08 2019 865404: INFO: Access rejected for mikem: Authentication protocol PAP not allowed by AuthenProto configuration parameter
      ...
      ```
  14. Configuration hints: Usernames and realms
      ● Use UsernameCharset to refuse usernames containing garbage bytes

      ```
      # Permit only alphanumeric, period, underscore, the @-sign, and dash
      UsernameCharset a-zA-Z0-9._@-
      ```

      ● Use RewriteUsername and the RewriteFunction hook to rewrite username realms before authenticating against the backend

      ```
      # Rewrite user realms with "domain.local" before authentication
      RewriteUsername s/^([^@]+)@.*/$1@domain.local/
      ```

      ● <AuthBy LSA> has LSARewriteHook to rewrite the NTLM username realm with "domain.local" before AD LSA authentication
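The two checks on this slide, re-implemented in Python as an added example (not Radiator's own code) so their effect on raw usernames can be seen: the same character class as UsernameCharset is applied to the raw bytes first, and only then the same realm substitution as RewriteUsername. The realm domain.local and the check-then-rewrite order come from the slide; the function names are assumptions.

```python
import re

# Same character class as the slide's "UsernameCharset a-zA-Z0-9._@-" (no anchors:
# fullmatch() is used below, because "$" would let a trailing newline slip through).
ALLOWED = re.compile(r"[a-zA-Z0-9._@-]+")

# Same substitution as the slide's "RewriteUsername s/^([^@]+)@.*/$1@domain.local/".
REALM_RE = re.compile(r"^([^@]+)@.*")


def username_allowed(raw: bytes) -> bool:
    """Charset gate on the raw bytes: any non-ASCII, control or other byte
    outside the class rejects the whole name."""
    try:
        name = raw.decode("ascii")
    except UnicodeDecodeError:
        return False
    return ALLOWED.fullmatch(name) is not None


def rewrite_realm(name: str, realm: str = "domain.local") -> str:
    """Replace everything after the first '@' with the backend's realm;
    names without an '@' are left unchanged, as with the Perl substitution."""
    return REALM_RE.sub(lambda m: f"{m.group(1)}@{realm}", name)


def normalise_username(raw: bytes):
    """Hypothetical helper: charset check first, realm rewrite second.
    Returns the rewritten name, or None when the name must be refused."""
    if not username_allowed(raw):
        return None
    return rewrite_realm(raw.decode("ascii"))
```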
  15. Configuration hints: Proxy health check
      ● Instead of Status-Server keepalives, Access-Request can be used to check proxy server health with RADIUS PAP authentication

      ```
      <AuthBy RADIUS>
          Identifier SomeProxyServer
          Host 20.30.40.50
          ...
          # Send Access-Request as keepalive probe
          UseStatusServerForFailureDetect
          KeepaliveTimeout 15
          KeepaliveRequestType Access-Request
          AddToKeepaliveRequest User-Name=mikem,User-Password=fred
          KeepaliveNoreplyTimeout 3
          Retries 2
          RetryTimeout 5
          FailureBackoffTime 900
          MaxFailedRequests 3
          MaxFailedGraceTime 60
      </AuthBy>
      ```
  16. Configuration hints: Combining AuthBys
      ● Add Asynchronous to <AuthBy RADIUS> and <AuthBy RADSEC> when combined with other AuthBys

      ```
      <Handler ...>
          Identifier ProxyAndAuthorize
          <AuthBy RADSEC>
              Identifier UpstreamProxy
              Asynchronous
          </AuthBy>
          # Local SQL for authZ and/or reply attributes (VLAN ID etc.)
          <AuthBy SQL>
              Identifier AuthorizeLocally
              NoCheckPassword
              NoDefault
              ...
          </AuthBy>
      </Handler>
      ```
  17. Configuration hints: EAP
      ● Use separate <Handler ...> stanzas for outer and inner EAP
        ○ <AuthLog> in the inner <Handler> can log the real EAP identity!

      ```
      # Inner EAP
      <Handler TunnelledByPEAP=1>
          Identifier Inner-EAP
          <AuthBy LDAP2>
              ...
              EAPType MSCHAP-V2
          </AuthBy>
          AuthLog MyAuthLog
      </Handler>

      # Outer EAP (will match just PEAP)
      <Handler EAPTypeName=PEAP>
          Identifier Outer-EAP
          <AuthBy FILE>
              Identifier Terminate-PEAP
              EAPType PEAP
              ...
          </AuthBy>
          AuthLog MyAuthLog
      </Handler>
      ```

      NOT LIKE THIS (a single handler for both outer and inner EAP):

      ```
      # Handle everything by a single handler
      <Handler>
          <AuthBy ...>
              EAPType PEAP, MSCHAP-V2
          </AuthBy>
      </Handler>
      ```
  18. Configuration hints: EAP contexts
      ● Use EAPContextTimeout to configure the maximum time for EAP authentications
      ● Unfinished PEAP, EAP-TLS and EAP-TTLS authentications are often caused by the EAP client failing to verify the AAA server's certificate.

      ```
      % tail -n 1 authentication.log
      Wed Jun 19 13:51:12 2019 trace_id='786c3290' user='anonuser' client='127.0.0.1/' nas='127.0.0.1/' handler='' calling-station='02-00-00-00-00-01' called-station='' reason='Cleared expired unfinished EAP-PEAP context, elapsed time 10.10998. Client never finished authentication.' result='FAIL'
      %
      ```
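As an added example (not from the slides or from Radiator), a small Python reader for lines in the SuccessFormat/FailureFormat/IgnoreFormat layout of slides 9, 10 and 18, with the two checks a defender would run over such a file: repeated 'Bad Password' failures per user, and expired EAP contexts per calling station (the symptom of supplicants that never accept the server certificate). The sample lines are constructed to match that format; the threshold and function names are assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample lines in the layout produced by the AuthLog formats on slides 9, 10 and 18.
SAMPLE_LOG = """\
Wed Jun 19 12:22:37 2019 trace_id='70077480' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='Bad Password' result='FAIL'
Wed Jun 19 12:22:41 2019 trace_id='70077481' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' reason='Bad Password' result='FAIL'
Wed Jun 19 12:22:49 2019 trace_id='70077482' user='mikem' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654321' called-station='123456789' result='OK'
Wed Jun 19 12:28:40 2019 trace_id='2c9218b0' user='fred' client='127.0.0.1/loopback-client' nas='203.63.154.1/203.63.154.1' handler='default-handler' calling-station='987654322' called-station='123456789' reason='User database access error' result='IGNORE'
Wed Jun 19 13:51:12 2019 trace_id='786c3290' user='anonuser' client='127.0.0.1/' nas='127.0.0.1/' handler='' calling-station='02-00-00-00-00-01' called-station='' reason='Cleared expired unfinished EAP-PEAP context, elapsed time 10.10998. Client never finished authentication.' result='FAIL'
Wed Jun 19 13:52:30 2019 trace_id='786c32a0' user='anonuser' client='127.0.0.1/' nas='127.0.0.1/' handler='' calling-station='02-00-00-00-00-01' called-station='' reason='Cleared expired unfinished EAP-PEAP context, elapsed time 10.02113. Client never finished authentication.' result='FAIL'
"""

FIELD_RE = re.compile(r"([\w-]+)='([^']*)'")   # key='value' pairs; values may hold spaces, commas, dots
TS_LEN = len("Wed Jun 19 12:22:37 2019")        # the leading %l timestamp has a fixed width


def parse_line(line):
    """Turn one timestamp + key='value' line into a dict; the timestamp becomes a datetime."""
    rec = dict(FIELD_RE.findall(line[TS_LEN:]))
    rec["timestamp"] = datetime.strptime(line[:TS_LEN], "%a %b %d %H:%M:%S %Y")
    return rec


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def bad_password_users(records, threshold=2):
    """Users with at least `threshold` 'Bad Password' failures: guessing, or a stale stored credential."""
    hits = Counter(r["user"] for r in records
                   if r.get("result") == "FAIL" and r.get("reason") == "Bad Password")
    return {user: n for user, n in hits.items() if n >= threshold}


def unfinished_eap_stations(records):
    """Calling stations whose EAP contexts expired unfinished (clients that did not trust the server cert)."""
    return dict(Counter(r["calling-station"] for r in records
                        if r.get("reason", "").startswith("Cleared expired unfinished EAP")))


def result_counts(records):
    """OK/FAIL/IGNORE tally; a rising IGNORE share points at backend (LDAP/SQL) trouble, not at users."""
    return dict(Counter(r["result"] for r in records))


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(result_counts(recs), bad_password_users(recs), unfinished_eap_stations(recs))
```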
  19. Configuration hints: EAP contexts
      ● Use EAP_UseState to use the RADIUS State attribute for identifying EAP contexts

      ```
      Wed Jun 19 13:40:49 2019: DEBUG: Access challenged for anonuser: EAP PEAP Challenge
      Wed Jun 19 13:40:49 2019: DEBUG: Packet dump:
      *** Sending to 127.0.0.1 port 55851 ....
      Code:       Access-Challenge
      Identifier: 0
      Authentic:  <0>(<13>u<194><185>9b<30><152><7><231><8><0><10>_
      Attributes:
              EAP-Message = <1><1><0><6><25>
              State = 01:d41d8cd98f00b204e9800998ecf8427e:23b104f0:6d524d61854712704f5b88abe726dd1d:
              Message-Authenticator = yQFMjhK<229><31><179><250><219>YeA<160>

      Wed Jun 19 13:40:49 2019: DEBUG: Packet dump:
      *** Received from 127.0.0.1 port 55851 ....
      Code:       Access-Request
      Identifier: 1
      Authentic:  <191><26>&<191>)<173><145><212><190><248><174><225><247>[L<230>
      Attributes:
              User-Name = "anonuser"
              NAS-IP-Address = 127.0.0.1
              Calling-Station-Id = "02-00-00-00-00-01"
              Framed-MTU = 1400
              NAS-Port-Type = Wireless-IEEE-802-11
              Service-Type = Framed-User
              Connect-Info = "CONNECT 11Mbps 802.11b"
              EAP-Message = <2><1><1>F<25><128><0><0><1>...*redacted*
              State = 01:d41d8cd98f00b204e9800998ecf8427e:23b104f0:6d524d61854712704f5b88abe726dd1d:
              Message-Authenticator = Z<157>$k<239><160><9><181><233>@<144><200><128>6O<240>
      ```
  20. Configuration hints: Statistics
      ● Use <StatsLog ...> for monitoring Radiator usage

      ```
      <StatsLog FILE>
          Identifier MyStatsLogFILE
          Interval 600
          Filename %L/radiator.statistics-%Y-%m-%d
          # Don't print headers
          #Header
          # Output format either text or json
          OutputFormat text
          # Counters type can be either
          # cumulative, derivative, or packet_rate
          StatsType derivative
      </StatsLog>
      ```

      Resulting statistics lines (the StatsLog FILE header was redacted from the slide):

      ```
      1012954338:ServerConfig:server1:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
      1012954338:Client:DEFAULT:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
      1012954338:Client:10.20.30.40:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
      1012954338:Handler:Realm=DEFAULT:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
      1012954338:AuthBy:id1:46:0:0:46:90:90:0:0:0:0:0:0:0:0:0:0:0:0:0:136:0.0634664733232673
      1012954338:Handler:Realm=my.realm:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
      1012954338:AuthBy:id2:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0:0
      ...
      ```
  21. Use case examples: Group based VLAN ID
      ● User group based VLAN ID assignment
        ○ goodies/authorize-group1.cfg
        ○ goodies/authorize-group2.cfg
  22. Use case examples: TACACS+ server
      ● The <ServerTACACSPLUS> stanza enables Radiator to work as a TACACS+ server for network device authN/authZ/acct
        ○ goodies/tacacsplusserver.cfg
  23. Use case examples: Standard TOTP 2FA
      ● Combining different <AuthBy>(s) for authN and authZ
      ● E.g. using standard TOTP/HOTP 2FA with LDAP or SQL
        ○ goodies/radmin_totp.cfg (password format used: <password><totp_code>, e.g. "my#Secret!Password654321", where 654321 is the time-based TOTP code)
  24. Use case examples: Chef and Ansible
      ● Radiator Chef cookbook: https://supermarket.chef.io/cookbooks/radiator
      ● Radiator Ansible role, to be published on https://galaxy.ansible.com/
  25. Questions, comments, stories?
      ● Your experience and feedback?
      ● Missing features, big and small?
      ● Radiator container images?
