<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
<title>Problems Getting mod_auth_xradius to work with Apache2 (with modssl) on FreeBSD</title>
</head>
<body>
<font face="Calibri, Verdana, Helvetica, Arial"><span style="font-size:11pt">Hi List<br>
<br>
I’m struggling to get mod_auth_xradius working with apache2 on FreeBSD. I’ve troubleshot the communication between apache2 and the radius system, and it seems fine. I’ve also checked the configuration of mod_auth_xradius in apache2, and other details
like password and username, but for some reason I still get the following error in the apache logs when I try to authenticate via my web page of choice:<br>
<br>
---<br>
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] xradius: RADIUS Request for user 'joebloggs' failed: (-1) No valid RADIUS responses received<br>
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] user joebloggs: authentication failure for "/": Password Mismatch<br>
---<br>
<br>
Software versions:<br>
<br>
----<br>
FreeBSD: 7.2-RELEASE-p3<br>
Mod_auth_xradius: mod_auth_xradius-0.4.6 (from the freebsd ports tree)<br>
apache2: apache-2.2.13<br>
----<br>
<br>
<br>
The full log segment corresponding to the transaction:<br>
<br>
---<br>
[Fri Jan 15 08:50:49 2010] [info] Subsequent (No.2) HTTPS request received for child 0 (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 08:50:55 2010] [debug] ssl_engine_io.c(1869): OpenSSL: I/O error, 5 bytes expected to read on BIO#804d890f0 [mem: 804d99000]<br>
[Fri Jan 15 08:50:55 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.<br>
[Fri Jan 15 08:50:55 2010] [debug] ssl_engine_kernel.c(1893): OpenSSL: Write: SSL negotiation finished successfully<br>
[Fri Jan 15 08:50:55 2010] [info] [client xx.xx.xx.xx] Connection closed to child 0 with standard shutdown (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:11 2010] [info] Loading certificate & private key of SSL-aware server<br>
[Fri Jan 15 09:34:11 2010] [info] server.noc.somewhere.ca.cn:443 reusing existing RSA private key on restart<br>
[Fri Jan 15 09:34:11 2010] [info] Configuring server for SSL protocol<br>
[Fri Jan 15 09:34:44 2010] [info] [client xx.xx.xx.xx] Connection to child 0 established (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:44 2010] [info] Seeding PRNG with 288 bytes of entropy<br>
[Fri Jan 15 09:34:44 2010] [info] Initial (No.1) HTTPS request received for child 0 (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:49 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.<br>
[Fri Jan 15 09:34:49 2010] [info] [client xx.xx.xx.xx] Connection closed to child 0 with standard shutdown (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:51 2010] [info] [client xx.xx.xx.xx] Connection to child 1 established (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:51 2010] [info] Seeding PRNG with 288 bytes of entropy<br>
[Fri Jan 15 09:34:51 2010] [info] Initial (No.1) HTTPS request received for child 1 (server server.noc.somewhere.ca.cn:443)<br>
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] xradius: RADIUS Request for user 'joebloggs' failed: (-1) No valid RADIUS responses received<br>
[Fri Jan 15 09:34:51 2010] [error] [client xx.xx.xx.xx] user joebloggs: authentication failure for "/": Password Mismatch<br>
[Fri Jan 15 09:34:56 2010] [info] [client xx.xx.xx.xx] (70007)The timeout specified has expired: SSL input filter read failed.<br>
[Fri Jan 15 09:34:56 2010] [info] [client xx.xx.xx.xx] Connection closed to child 1 with standard shutdown (server server.noc.somewhere.ca.cn:443)<br>
<br>
---<br>
<br>
<br>
Is there any bug (or compilation option, or lack thereof) that might be causing this behaviour in mod_auth_xradius, or in apache2? Alternatively, is there another method of debugging mod_auth_xradius I could use to find out what the issue might be?<br>
<br>
Here are the relevant configs for apache and mod_auth_xradius:<br>
<br>
Below is the apache2 mod_auth_xradius configuration in my .htaccess:<br>
<br>
---<br>
AuthName "Some Company"<br>
AuthType basic<br>
AuthBasicProvider xradius<br>
AuthXRadiusAddServer "xxx.xxx.xxx.xxx:1812" "XXXXXXXXX"<br>
AuthXRadiusTimeout 2<br>
AuthXRadiusRetries 2<br>
require valid-user<br>
<br>
RewriteEngine on<br>
<br>
#RewriteCond %{HTTP_HOST} !^servername.noc.somewhere.ca.cn [NC]<br>
#RewriteCond %{HTTP_HOST} !^$<br>
#RewriteRule ^/?(.*) <font color="#0000FF"><u><a href="https://servername.noc.somewhere.ca.cn/$1">https://servername.noc.somewhere.ca.cn/$1</a></u></font> [L,R,NE]<br>
<br>
RewriteRule ^$ /live/ntable.cgi?method=home [L]<br>
<br>
# reports<br>
RewriteRule ^reports$ /live/reports/ng_report.cgi [L]<br>
RewriteRule ^reports/errors$ /live/reports/ng_report.cgi?type=errors [L]<br>
RewriteRule ^reports/([^/]+)/([^/]+) /live/reports/ng_report.cgi?regex=$1&type=$2 [L]<br>
RewriteRule ^reports/([^/]+) /live/reports/ng_report.cgi?regex=$1 [L]<br>
<br>
# web<br>
RewriteRule ^stuff/out/([^/.]+) /live/stuff/stuff_parsed.cgi?&mnemonic=$1 [L]<br>
RewriteRule ^stuff/([^/]+) /live/stuff/stuff_view.cgi?&mnemonic=$1 [L]<br>
<br>
RewriteRule ^home$ /live/ntable.cgi?method=home [L]<br>
RewriteRule ^regex$ /live/ntable.cgi?regex= [L]<br>
RewriteRule ^regex/([^/]+)/([^/]+) /live/ntable.cgi?regex=$1&ds=$2&generate=1 [L]<br>
RewriteRule ^regex/([^/]+) /live/ntable.cgi?regex=$1&ds=traffic&generate=1 [L]<br>
<br>
RewriteRule ^aggregate$ /live/ntable_agg.cgi?regex= [L]<br>
RewriteRule ^aggregate/([^/]+)/([^/]+) /live/ntable_agg.cgi?regex=$1&ds=traffic&title=$2&generate=1 [L]<br>
RewriteRule ^aggregate/([^/]+) /live/ntable_agg.cgi?regex=$1&ds=traffic&generate=1 [L]<br>
<br>
RewriteRule ^([^/]+)/([^/.]+)$ /live/ntable.cgi?method=dwmy&mnemonic=$1&ds=$2 [L]<br>
RewriteRule ^([^/]+)$ /live/ntable_glance.cgi?regex=$1&generate=1 [L]<br>
<br>
# images<br>
RewriteRule ^img/([^/]+)/([^/]+)/([^/]+)$ /live/rrdimage_new.cgi?mnemonic=$1&ds=$2&scale=$3 [L]<br>
RewriteRule ^img/([^/]+)/([^/]+)/([^/]+)/([^/]+) /live/rrdimage_new.cgi?mnemonic=$1&ds=$2&scale=$3&size=$4 [L]<br>
<br>
# tree<br>
RewriteRule ^tree/([^/]+)/([^/.]+)/([^/.]+)$ /live/xport/tree.cgi?want=$1&source=$2&regex_source=$3 [L]<br>
<br>
ExpiresActive On<br>
#ExpiresDefault "modification plus 2 months"<br>
---<br>
<br>
<br>
Below is my sanitised apache2 virtual conf:<br>
<br>
---<br>
<VirtualHost servername.noc.somewhere.ca.cn:443><br>
DocumentRoot "/usr/local/table/ntable/www/data"<br>
ServerName servername.noc.somewhere.ca.cn:443<br>
ServerAdmin <font color="#0000FF"><u><a href="network_systems@somewhere.ca.cn">network_systems@somewhere.ca.cn</a></u></font><br>
ErrorLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-error.log<br>
TransferLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-access.log<br>
<br>
SSLEngine on<br>
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL<br>
SSLCertificateFile /usr/local/etc/apache22/ssl/servername.noc.somewhere.ca.cn.pem<br>
SSLCertificateKeyFile /usr/local/etc/apache22/ssl/servername.noc.somewhere.ca.cn-key.pem<br>
<br>
<FilesMatch "\.(fcgi|cgi|shtml|phtml|php3?)$"><br>
SSLOptions +StdEnvVars<br>
</FilesMatch><br>
<Directory "/usr/local/table/ntable/www/data"><br>
SSLOptions +StdEnvVars<br>
Options Indexes FollowSymLinks MultiViews ExecCGI<br>
AllowOverride all<br>
#AllowOverride AuthConfig<br>
Order allow,deny<br>
Allow from all<br>
RewriteEngine on<br>
</Directory><br>
<br>
SetEnvIf User-Agent ".*MSIE.*" \<br>
nokeepalive ssl-unclean-shutdown \<br>
downgrade-1.0 force-response-1.0<br>
<br>
CustomLog /usr/local/table/ntable/www/logs/servername.noc.somewhere.ca.cn-ssl_request.log \<br>
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"<br>
<br>
</VirtualHost><br>
---<br>
<br>
<br>
<br>
<br>
Thanks,<br>
Traiano</span></font> <br>
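<p>Added example (not from the original post and not mod_auth_xradius code): a standalone RADIUS PAP probe that builds an Access-Request and validates the Response Authenticator exactly the way a client does, so that a shared-secret mismatch (reply arrives but is silently discarded) can be told apart from a plain UDP timeout; both surface to Apache as "No valid RADIUS responses received". The server address, shared secret and credentials are constructed placeholders.</p>

```python
# RADIUS PAP client probe (RFC 2865). Added diagnostic example, not mod_auth_xradius
# code; secret, user, password and server address used with it are constructed placeholders.
import hashlib
import os
import socket
import struct

def pap_password(password, secret, authenticator):
    """Hide User-Password (RFC 2865 s5.2): zero-pad to 16 octets, XOR with an MD5 chain."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], hashlib.md5(secret + prev).digest()))
        out += prev
    return out

def build_access_request(user, password, secret, ident, authenticator=None):
    """Code 1 (Access-Request), Identifier, Length, 16-byte Request Authenticator, attributes."""
    authenticator = authenticator or os.urandom(16)
    attrs = struct.pack("!BB", 1, 2 + len(user)) + user.encode()          # User-Name (1)
    hidden = pap_password(password.encode(), secret, authenticator)
    attrs += struct.pack("!BB", 2, 2 + len(hidden)) + hidden              # User-Password (2)
    return struct.pack("!BBH", 1, ident, 20 + len(attrs)) + authenticator + attrs

def build_reply(code, request, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    return head + hashlib.md5(head + request[4:20] + attrs + secret).digest() + attrs

def reply_is_valid(reply, request, secret):
    """Client side: a reply counts only if the ID matches and the Response Authenticator
    verifies under *our* secret; a secret mismatch is dropped here, not reported as a Reject."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return reply[4:20] == expected

def probe(server, secret, user, password, timeout=2.0, retries=2):
    """Mirror AuthXRadiusTimeout 2 / AuthXRadiusRetries 2; returns the reply code or None."""
    request = build_access_request(user, password, secret, os.urandom(1)[0])
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        for _ in range(retries + 1):
            sock.sendto(request, server)
            try:
                reply, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue            # nothing back: filtered UDP, wrong port, or NAS unknown to server
            if reply_is_valid(reply, request, secret):
                return reply[0]     # 2 = Access-Accept, 3 = Access-Reject
    return None                     # the xradius "(-1) No valid RADIUS responses received" case
```

Call probe(("host", 1812), b"secret", "user", "password") from the Apache host with the AuthXRadiusAddServer values; None with a server that is known to be reachable points at the shared secret or the NAS client entry rather than at the username and password.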
</body>
</html>