[Modules] Problems Getting mod_auth_xradius to work with Apache2 (with modssl) on FreeBSD

Traiano Welcome Traiano.Welcome at mtnbusiness.co.za
Fri Jan 15 03:16:24 EST 2010


Hi List

 I'm struggling to get mod_auth_xradius working with apache2 on FreeBSD. I've troubleshot the communication between apache2 and the RADIUS system, and it seems fine. I've also checked the configuration of mod_auth_xradius in apache2, and other details like password and username, but for some reason I still get the following error in the apache logs when I try to authenticate via my web page of choice:

---
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] xradius: RADIUS Request for user 'joebloggs' failed: (-1) No valid RADIUS responses received
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] user joebloggs: authentication failure for "/": Password Mismatch
---

Software versions:

----
FreeBSD: 7.2-RELEASE-p3
Mod_auth_xradius: mod_auth_xradius-0.4.6 (from the freebsd ports tree)
apache2:  apache-2.2.13
----


The full log segment corresponding to the transaction:

---
[Fri Jan 15 08:50:49 2010] [info] Subsequent (No.2) HTTPS request received for child 0 (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 08:50:55 2010] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#804d890f0 [mem: 804d99000]
[Fri Jan 15 08:50:55 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.
[Fri Jan 15 08:50:55 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSL negotiation finished successfully
[Fri Jan 15 08:50:55 2010] [info] [client xx.xx.xx.xx] Connection closed to child 0 with standard shutdown (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:11 2010] [info] Loading certificate & private key of SSL-aware server
[Fri Jan 15 09:34:11 2010] [info] server.noc.somewhere.ca.cn:443 reusing existing RSA private key on restart
[Fri Jan 15 09:34:11 2010] [info] Configuring server for SSL protocol
[Fri Jan 15 09:34:44 2010] [info] [client xx.xx.xx.xx] Connection to child 0 established (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:44 2010] [info] Seeding PRNG with 288 bytes of entropy
[Fri Jan 15 09:34:44 2010] [info] Initial (No.1) HTTPS request received for child 0 (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:49 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.
[Fri Jan 15 09:34:49 2010] [info] [client xx.xx.xx.xx] Connection closed to child 0 with standard shutdown (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:51 2010] [info] [client xx.xx.xx.xx] Connection to child 1 established (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:51 2010] [info] Seeding PRNG with 288 bytes of entropy
[Fri Jan 15 09:34:51 2010] [info] Initial (No.1) HTTPS request received for child 1 (server server.noc.somewhere.ca.cn:443)
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] xradius: RADIUS Request for user 'joebloggs' failed: (-1) No valid RADIUS responses received
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] user joebloggs: authentication failure for "/": Password Mismatch
[Fri Jan 15 09:34:56 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.
[Fri Jan 15 09:34:56 2010] [info] [client xx.xx.xx.xx] Connection closed to child 1 with standard shutdown (server server.noc.somewhere.ca.cn:443)

---


Is there any bug (or compilation option, or lack thereof) that might be causing this behaviour in mod_auth_xradius, or in apache2? Alternatively, is there another method of debugging mod_auth_xradius I could use to find out what the issue might be?

Here are the relevant configs for apache and mod_auth_xradius:

Below is the apache2 mod_auth_xradius configuration in my .htaccess:

---
AuthName "Some Company"
AuthType basic
AuthBasicProvider xradius
AuthXRadiusAddServer "xxx.xxx.xxx.xxx:1812" "XXXXXXXXX"
AuthXRadiusTimeout 2
AuthXRadiusRetries 2
require valid-user

RewriteEngine on

#RewriteCond %{HTTP_HOST} !^servername.noc.somewhere.ca.cn [NC]
#RewriteCond %{HTTP_HOST} !^$
#RewriteRule ^/?(.*) https://servername.noc.somewhere.ca.cn/$1 [L,R,NE]

RewriteRule ^$                            /live/ntable.cgi?method=home   [L]

# reports
RewriteRule ^reports$                     /live/reports/ng_report.cgi   [L]
RewriteRule ^reports/errors$              /live/reports/ng_report.cgi?type=errors   [L]
RewriteRule ^reports/([^/]+)/([^/]+)      /live/reports/ng_report.cgi?regex=$1&type=$2        [L]
RewriteRule ^reports/([^/]+)              /live/reports/ng_report.cgi?regex=$1   [L]

# web
RewriteRule ^stuff/out/([^/.]+)             /live/stuff/stuff_parsed.cgi?&mnemonic=$1        [L]
RewriteRule ^stuff/([^/]+)                 /live/stuff/stuff_view.cgi?&mnemonic=$1        [L]

RewriteRule ^home$                        /live/ntable.cgi?method=home   [L]
RewriteRule ^regex$                       /live/ntable.cgi?regex=   [L]
RewriteRule ^regex/([^/]+)/([^/]+)        /live/ntable.cgi?regex=$1&ds=$2&generate=1        [L]
RewriteRule ^regex/([^/]+)                /live/ntable.cgi?regex=$1&ds=traffic&generate=1   [L]

RewriteRule ^aggregate$                   /live/ntable_agg.cgi?regex=   [L]
RewriteRule ^aggregate/([^/]+)/([^/]+)    /live/ntable_agg.cgi?regex=$1&ds=traffic&title=$2&generate=1        [L]
RewriteRule ^aggregate/([^/]+)            /live/ntable_agg.cgi?regex=$1&ds=traffic&generate=1   [L]

RewriteRule ^([^/]+)/([^/.]+)$           /live/ntable.cgi?method=dwmy&mnemonic=$1&ds=$2        [L]
RewriteRule ^([^/]+)$                    /live/ntable_glance.cgi?regex=$1&generate=1        [L]

# images
RewriteRule ^img/([^/]+)/([^/]+)/([^/]+)$         /live/rrdimage_new.cgi?mnemonic=$1&ds=$2&scale=$3   [L]
RewriteRule ^img/([^/]+)/([^/]+)/([^/]+)/([^/]+)  /live/rrdimage_new.cgi?mnemonic=$1&ds=$2&scale=$3&size=$4   [L]

# tree
RewriteRule ^tree/([^/]+)/([^/.]+)/([^/.]+)$            /live/xport/tree.cgi?want=$1&source=$2&regex_source=$3   [L]

ExpiresActive On
#ExpiresDefault "modification plus 2 months"
----


Below is my sanitised apache2 virtual conf:

--
<VirtualHost servername.noc.somewhere.ca.cn:443>
DocumentRoot "/usr/local/table/ntable/www/data"
ServerName servername.noc.somewhere.ca.cn:443
ServerAdmin network_systems at somewhere.ca.cn
ErrorLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-error.log
TransferLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-access.log

SSLEngine on
# NB: ALL already includes LOW and export-grade (EXP) suites; a leading '+' only reorders, it does not exclude them
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile    /usr/local/etc/apache22/ssl/servername.noc.somewhere.ca.cn.pem
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/servername.noc.somewhere.ca.cn-key.pem

<FilesMatch "\.(fcgi|cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</FilesMatch>
<Directory "/usr/local/table/ntable/www/data">
  SSLOptions +StdEnvVars
  Options Indexes FollowSymLinks MultiViews ExecCGI
  AllowOverride all
  #AllowOverride AuthConfig
  Order allow,deny
  Allow from all
  RewriteEngine on
</Directory>

SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

CustomLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

</VirtualHost>
---




Thanks,
Traiano
________________________________
NOTE: This e-mail message and all attachments thereto contain confidential information intended for a specific addressee and purpose. If you are not the addressee (a) you may not disclose, copy, distribute or take any action based on the contents hereof; (b) kindly inform the sender immediately and destroy all copies hereof. Any copying, publication or disclosure of this message, or part hereof, in any form whatsoever, without the sender's express written consent, is prohibited. No opinion expressed or implied by the sender necessarily constitutes the opinion of MTN. This message does not constitute a guarantee or proof of the facts mentioned herein. No Employee or intermediary is authorised to conclude a binding agreement on behalf of MTN Group Limited, or any of its subsidiary companies, by e-mail without the express written confirmation by a duly authorised representative of MTN Group Limited.
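Editor's note on the question of how to debug this outside Apache. Two things about the log are worth knowing. First, "No valid RADIUS responses received" is the module's own message and, in RADIUS terms (RFC 2865 section 3), a client must discard any reply whose Response Authenticator does not verify against the shared secret, so a wrong secret on either side looks exactly like no reply at all; a server that silently drops requests from an unlisted client IP also looks like no reply. Second, the following line, "authentication failure ... Password Mismatch", is the generic wording mod_auth_basic logs whenever the configured provider denies the request; it does not mean the RADIUS server returned Access-Reject. Note also that both error lines carry the same second as the request itself; if the module treats AuthXRadiusTimeout 2 / AuthXRadiusRetries 2 as per-attempt timeouts, a genuine timeout path would take several seconds, which points more towards a reply that arrived and was discarded, or a socket error, than towards a silent server.

The script below is an added example, not code from the original post or from the mod_auth_xradius project. It is a minimal RFC 2865 PAP client in Python 3 (standard library only) that performs the same exchange the module does: it hides the password with the MD5 construction from section 5.2, sends one Access-Request with the same timeout/retry values as the .htaccess above, and validates the reply the way a real NAS must, so each failure mode (no reply, socket error, authenticator mismatch, reject) is reported separately. The NAS-IP-Address value and the `query()` interface are my own assumptions; the shared secret, server address and port are taken from the command line. No Message-Authenticator attribute (RFC 2869) is sent, which stock FreeRADIUS does not require for PAP.

```python
#!/usr/bin/env python3
"""Minimal RFC 2865 PAP client: one Access-Request, reply validated like a
real NAS would. Added example, not code from mod_auth_xradius or the post.

Usage:  python3 radcheck.py SERVER PORT SECRET USER PASSWORD
"""
import hashlib
import os
import socket
import struct
import sys

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4
CODE_NAMES = {ACCESS_ACCEPT: "Access-Accept", ACCESS_REJECT: "Access-Reject",
              ACCESS_CHALLENGE: "Access-Challenge"}


def _attr(attr_type, value):
    """Type-Length-Value attribute; Length counts the 2 header octets too."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(secret, authenticator, password):
    """RFC 2865 5.2: pad to a multiple of 16, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    plain = password.encode() or b"\x00"
    plain += b"\x00" * (-len(plain) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(plain), 16):
        key = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(plain[i:i + 16], key))
        out += prev
    return out


def reveal_password(secret, authenticator, hidden):
    """Server-side inverse. With the wrong secret this yields garbage, so a
    secret mismatch never surfaces as an error, only as a wrong password."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(secret, user, password, ident, req_auth, nas_ip="127.0.0.1"):
    """Code(1) Identifier Length Authenticator(16) Attributes.
    nas_ip is an assumed value: the RFC wants NAS-IP-Address or NAS-Identifier."""
    attrs = (_attr(ATTR_USER_NAME, user.encode())
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(ATTR_NAS_IP_ADDRESS, socket.inet_aton(nas_ip)))
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + req_auth + attrs


def response_authenticator(secret, code, ident, req_auth, attrs):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_response(secret, code, ident, req_auth, attrs=b""):
    """What a server sends back; used here only to construct offline test replies."""
    return (struct.pack("!BBH", code, ident, 20 + len(attrs))
            + response_authenticator(secret, code, ident, req_auth, attrs) + attrs)


def verify_response(secret, ident, req_auth, packet):
    """Return (code, None) for an authentic reply, (None, reason) otherwise.
    Clients drop replies that fail this check, so a wrong shared secret is
    indistinguishable from silence on the client side."""
    if len(packet) < 20:
        return None, "short packet"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet) or rid != ident:
        return None, "length/identifier mismatch"
    attrs = packet[20:]
    if packet[4:20] != response_authenticator(secret, code, rid, req_auth, attrs):
        return None, "Response Authenticator mismatch (shared secret?)"
    return code, None


def query(server, port, secret, user, password, timeout=2.0, retries=2):
    """One Access-Request, retried with the same Timeout/Retries as the module."""
    secret = secret.encode()
    ident, req_auth = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(secret, user, password, ident, req_auth)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for attempt in range(1, retries + 1):
            sock.sendto(packet, (server, port))
            try:
                data, peer = sock.recvfrom(4096)
            except socket.timeout:
                print(f"attempt {attempt}: no reply in {timeout}s (unreachable, "
                      "filtered, or this host is not in the server's client list)")
                continue
            except OSError as exc:  # e.g. ICMP port unreachable surfaced on the socket
                print(f"attempt {attempt}: socket error: {exc}")
                continue
            code, err = verify_response(secret, ident, req_auth, data)
            if err:
                print(f"attempt {attempt}: reply from {peer[0]} discarded: {err}")
                continue
            print(f"reply: {CODE_NAMES.get(code, code)}")
            return code
    return None


if __name__ == "__main__":
    if len(sys.argv) != 6:
        sys.exit(__doc__)
    host, port, secret, user, pw = sys.argv[1:]
    query(host, int(port), secret, user, pw)
```

Run it from the Apache host itself, with the same secret, user and password the module is given; if it reports "Response Authenticator mismatch" the secret differs between the two ends, if it times out the server never saw or never answered the request (check the server's client list and any filtering), and if it prints Access-Reject the server did answer and rejected the credentials. Only when this script gets Access-Accept and the module still fails does the problem lie in the Apache side of the configuration.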