Re: [squid-users] Further diagnosis on squid/radius auth problems

On Wed, May 24, 2006 at 02:14:17PM +0200, Henrik Nordstrom wrote:
> tis 2006-05-23 klockan 12:53 -0400 skrev Michael W. Lucas:
>
> > At times it has seemed that clients attempting to authenticate are
> > being rejected despite having good passwords. Similarly, users have
> > been able to get out to the Internet without a legitimate username and
> > password. Squid's debugging output shows that the authenticator was
> > returning an "ok" response for these nonexistent usernames and
> > passwords. At the time this happened, we would see "Warning: Received
> > invalid reply digest from server" errors. A "squid -k reconfigure"
> > made those go away by restarting the authenticator children, of
> > course, but running that once a minute is not an ideal solution.
>
> The "invalid digest" indicates the radius server and squid_radius_auth
> didn't agree on the shared secret authentication.

That's what I guessed, but I thought I'd leave that to you guys.

> As the problem is seen with both radius client implementations I would
> suspect there is something fishy going on with your server making it
> send out either malformed responses or changing between different
> secrets..

Could be. This happened on the previous server (running RHEL ES 3)
and this new server (running RHEL ES 4).

> > At the time of the error, netstat -na -u on the RHEL box shows:
> >
> > udp 2352 0 10.184.1.94:33009 10.184.1.56:1812 ESTABLISHED
>
> > lsof shows that the process with the big recv queue is the
> > authenticator. This happens with both squid_radius_auth and my perl
> > applet.
>
> This is a good hint, especially if combined with the digest error
> above..

One way I could trigger this was to run squid_radius_auth in a tight
loop. Give it enough credentials close enough together and it chokes.

> I think I know what is going in squid_radius_auth here. The code dealing
> with retransmits looks a bit fishy..

Any assistance would be vastly appreciated.

In case it helps, here's my perl Radius code. Anyone who has read the
test for auth::radius should recognize its origins.

#!/usr/bin/perl
#$Id: radius_mwl.pl,v 1.2 2006/05/22 14:49:34 system_mwl Exp $

#basic Radius authenticator, for debugging

$host="x.y.z.a"
$secret = secret1;

$|=1;
use Authen::Radius;
use Sys::Syslog;

openlog("squid", "pid", "local0");

$request = new Authen::Radius(Host => $host, Secret => $secret);
# $request = new Authen::Radius(Host => $host, Secret => $secret, Debug => 1);

while (<STDIN>) {
    chop ($_);
    @creds=split (/ /, $_);
    
    if ($request -> check_pwd(@creds[0], @creds[1])) {
        print "OK\n";
        syslog (notice, "user @creds[0] radius auth correct");
    } else {
        print "ERR\n";
        syslog (notice, "user @creds[0] radius auth error");
    }
}

-- 
Michael W. Lucas	mwlucas@FreeBSD.org, mwlucas@BlackHelicopters.org
		http://www.BlackHelicopters.org/~mwlucas/
	    Latest book: PGP & GPG -- http://www.pgpandgpg.com
"The cloak of anonymity protects me from the nuisance of caring." -Non Sequitur