Comments (23)
vforteli
commented on May 24, 2024
Hi, I'll have a look later today.
Did you configure the logging to see if it logs anything meaningful in the
server? Radius being UDP is of course quite picky with in and outbound FW
rules. I haven't installed freeradius in a while, but is it possible it
configures the required rules on installation?
Otherwise at least on Windows the rules need to be configured manually if
nothing else has created them previously
…On Tue, Jul 17, 2018, 07:06 Josh Close ***@***.***> wrote:
I have a radius server running on both a Windows server and a Linux
server. On both of them I'm able to hit the server and get a response while
on the server. On Windows I'm using NTRadPing and on Linux I'm using
radtest (from freeradius). When trying to hit the server from outside of
the hosted servers, the radius server nets gets the request.
I thought this was happening because of ports being blocked. I setup a
freeradius server though, and I'm able to hit it just fine and it responds
properly, so it has something to do with the RadiusServer code, or my code.
Do you have any clue what could be causing this?
I'd really like to use this library for a very lightweight radius server,
and have it seamlessly integrated into the other apps that work with it.
Program.cs
using System;using System.IO;using System.Net;using System.Reflection;using Flexinets.Net;using Flexinets.Radius;using Flexinets.Radius.Core;
namespace InfinitWifi.RadiusServer
{
class Program
{
static void Main(string[] args)
{
var ip = "the servers external ip address";
var dictionaryPath = Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "radius.dictionary");
var dictionary = new RadiusDictionary(dictionaryPath);
var localEndpoint = new IPEndPoint(IPAddress.Any, 1812);
var server = new Flexinets.Radius.RadiusServer(new UdpClientFactory(), localEndpoint, dictionary, RadiusServerType.Authentication);
var packetHandler = new PacketHandler();
server.AddPacketHandler(IPAddress.Parse(ip), "12345", packetHandler);
server.Start();
Console.WriteLine($"Listening on ip '{ip}'.");
Console.ReadKey();
}
}
}
PacketHandler.cs
using Flexinets.Radius.Core;using System;using System.Collections.Generic;using System.Linq;using System.Text;using System.Threading.Tasks;
namespace InfinitWifi.RadiusServer
{
public class PacketHandler : IPacketHandler
{
public IRadiusPacket HandlePacket(IRadiusPacket packet)
{
return packet.CreateResponsePacket(PacketCode.AccessAccept);
}
public void Dispose()
{
}
}
}
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub
<#6>, or mute
the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3iIQawpWtKukzA3TKRW-63oCQ9FCks5uHXCvgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
I didn't even know logging was an option. I'll turn that in and see what it says.
My plan was to run this behind an nginx reverse proxy, which would make it run on localhost anyways, so this may be a non issue in the long run. I'm in the process of setting that up and I'll see if that works.
The reverse proxy will be good for running in production, but it would be nice to have it running on the Windows server too so I can debug while developing.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
The logging relies on log4net, so configuring log4net to use a
consoleappender is probably the easiest solution
…On Tue, Jul 17, 2018, 08:26 Josh Close ***@***.***> wrote:
I didn't even know logging was an option. I'll turn that in and see what
it says.
My plan was to run this behind an nginx reverse proxy, which would make it
run on localhost anyways, so this may be a non issue in the long run. I'm
in the process of setting that up and I'll see if that works.
The reverse proxy will be good for running in production, but it would be
nice to have it running on the Windows server too so I can debug while
developing.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3tBowAdo_ayjcmQ0ZQvw1O01liINks5uHYOCgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
As a side note, I will change the logging to use the new
Microsoft.extensions.logging in the near future, to get rid of the log4net
dependency
…On Tue, Jul 17, 2018, 08:26 Josh Close ***@***.***> wrote:
I didn't even know logging was an option. I'll turn that in and see what
it says.
My plan was to run this behind an nginx reverse proxy, which would make it
run on localhost anyways, so this may be a non issue in the long run. I'm
in the process of setting that up and I'll see if that works.
The reverse proxy will be good for running in production, but it would be
nice to have it running on the Windows server too so I can debug while
developing.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3tBowAdo_ayjcmQ0ZQvw1O01liINks5uHYOCgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Hi again,
I just tested this in a .Net 4.7.1 console application over a network without problems on Windows 2016. Previously I have only used this in production as a windows service. I did manually have to open the UDP port in Windows Firewall though.
For logging I suggest creating a log4net.config file like this:
<?xml version="1.0" encoding="utf-8" ?>
<log4net>
<appender name="ConsoleAppender" type="log4net.Appender.ConsoleAppender">
<layout type="log4net.Layout.PatternLayout">
<conversionPattern value="%date [%thread] %-5level %logger [%property{NDC}] - %message%newline" />
</layout>
</appender>
<root>
<level value="DEBUG" />
<appender-ref ref="ConsoleAppender" />
</root>
</log4net>
and then in main do something like
XmlConfigurator.Configure(LogManager.GetRepository(Assembly.GetEntryAssembly()), new FileInfo(Path.Combine(Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location), "log4net.config")));
Then you will get the logs from RadiusServer in the console
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
Just woke up. :) I'll put the logging in and see what it says. Also, I'm using dotnet core 2.1. Not sure if that would make a difference or not.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
I actually tried it with a netcore2.1 console app as well. Also worked nicely. So my bet would still be on some firewall rule or IP/port not matching somewhere. Anyway, the logs should say something
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
Got logging in place and started up the server (console app).
2018-07-17 13:42:07,082 [5] DEBUG Flexinets.Radius.RadiusServer [(null)] - Received packet from [my ip address]:56408, Concurrent handlers count: 1
2018-07-17 13:42:07,084 [5] ERROR Flexinets.Radius.RadiusServer [(null)] - No packet handler found for remote ip [my ip address]:56408
2018-07-17 13:42:07,111 [5] ERROR Flexinets.Radius.RadiusServer [(null)] - Failed to receive packet from [my ip address]:56408
System.InvalidOperationException: Invalid Message-Authenticator in packet 132
at Flexinets.Radius.Core.RadiusPacket.Parse(Byte[] packetBytes, IRadiusDictionary dictionary, Byte[] sharedSecret)
at Flexinets.Radius.RadiusServer.HandlePacket(IPEndPoint remoteEndpoint, Byte[] packetBytes)
2018-07-17 13:42:07,147 [5] DEBUG Flexinets.Radius.RadiusServer [(null)] - 0184004acb3a2a9d231addbf1dc8fc2a31270c8b0106757365720212b50628ec8d57514a28c0f2371592e6cc04067f000101050600000000501200000000000000000000000000000000
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
I tried changing the packet handler to handle IPAddress.Any, but I still get a message that there is no handler for that ip.
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
I changed the packet handler to accept on 127.0.0.1 and it works. You'll need to explain this one to me.
I still get the exception message though.
System.InvalidOperationException: Invalid Message-Authenticator in packet 187
at Flexinets.Radius.Core.RadiusPacket.Parse(Byte[] packetBytes, IRadiusDictionary dictionary, Byte[] sharedSecret)
at Flexinets.Radius.RadiusServer.HandlePacket(IPEndPoint remoteEndpoint, Byte[] packetBytes)
2018-07-17 13:53:01,806 [5] DEBUG Flexinets.Radius.RadiusServer [(null)] - 01bb004a565eaf57ac5040961ca4bb9d9a81551401067573657202122cf78ce1ff59c3319b08805e891a3d0904067f000101050600000000501200000000000000000000000000000000
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Are you using ipv6 addresses btw?
…On Tue, Jul 17, 2018, 15:44 Josh Close ***@***.***> wrote:
Got logging in place and started up the server (console app).
2018-07-17 13:42:07,082 [5] DEBUG Flexinets.Radius.RadiusServer [(null)] - Received packet from [my ip address]:56408, Concurrent handlers count: 1
2018-07-17 13:42:07,084 [5] ERROR Flexinets.Radius.RadiusServer [(null)] - No packet handler found for remote ip [my ip address]:56408
2018-07-17 13:42:07,111 [5] ERROR Flexinets.Radius.RadiusServer [(null)] - Failed to receive packet from [my ip address]:56408
System.InvalidOperationException: Invalid Message-Authenticator in packet 132
at Flexinets.Radius.Core.RadiusPacket.Parse(Byte[] packetBytes, IRadiusDictionary dictionary, Byte[] sharedSecret)
at Flexinets.Radius.RadiusServer.HandlePacket(IPEndPoint remoteEndpoint, Byte[] packetBytes)
2018-07-17 13:42:07,147 [5] DEBUG Flexinets.Radius.RadiusServer [(null)] - 0184004acb3a2a9d231addbf1dc8fc2a31270c8b0106757365720212b50628ec8d57514a28c0f2371592e6cc04067f000101050600000000501200000000000000000000000000000000
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3npN21b7FPpBMmkf3u0bfms3-4xmks5uHepQgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
Not intentionally. ;)
I'm sorry, it looks like it still says no packet handler found for the ip address. Do I need to have a handler for every client that is connecting?
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Yep, with radius you need to explicitly register all client ip addresses
and their secrets. Using the same packethandler object is no problem as
long as it's stateless or otherwise thread safe.
It would of course be possible to have some catch all packethandler which
handles unknown ip addresses with some secret, but I think that violates
the rfc, iirc.
…On Tue, Jul 17, 2018, 16:14 Josh Close ***@***.***> wrote:
Not intentionally. ;)
I'm sorry, it looks like it still says no packet handler found for the ip
address. Do I need to have a handler for every client that is connecting?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3nwOTninyApw9-jYWS6fG7QYh_86ks5uHfECgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
The IP address will be the AP hotpot's IP address then, right? I'm making a captive portal also, so I can capture the IP address to use there, then add them on startup, and whenever a new one is added. Do you have any suggestions on how to load new IPs on the fly? Worst case scenario, I could watch a file for changes. Maybe having another socket open that I can hit to tell it to reload the IPs from the database.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Yup, the client (or network access server in radius terms in this case)
would be the AP and it's IP.
Regarding the captive portal, I guess it should only be interested in the
IP of the user, and radius doesn't really care about that. It should be
included in the framed-ip-address attribute if the packethandler needs it.
If you really need a catch all packethandler that wouldn't be more than ~3
lines of code though
…On Tue, Jul 17, 2018, 17:15 Josh Close ***@***.***> wrote:
The IP address will be the AP hotpot's IP address then, right? I'm making
a captive portal also, so I can capture the IP address to use there, then
add them on startup, and whenever a new one is added. Do you have any
suggestions on how to load new IPs on the fly? Worst case scenario, I could
watch a file for changes. Maybe having another socket open that I can hit
to tell it to reload the IPs from the database.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3pAWnuMq2hyxY6pEv6Lzw3_oddisks5uHf9vgaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Another thing that crossed my mind is that having up ranges for packet
handlers could be an idea to implement
…On Tue, Jul 17, 2018, 18:33 Verner Fortelius ***@***.***> wrote:
Yup, the client (or network access server in radius terms in this case)
would be the AP and it's IP.
Regarding the captive portal, I guess it should only be interested in the
IP of the user, and radius doesn't really care about that. It should be
included in the framed-ip-address attribute if the packethandler needs it.
If you really need a catch all packethandler that wouldn't be more than ~3
lines of code though
On Tue, Jul 17, 2018, 17:15 Josh Close ***@***.***> wrote:
> The IP address will be the AP hotpot's IP address then, right? I'm making
> a captive portal also, so I can capture the IP address to use there, then
> add them on startup, and whenever a new one is added. Do you have any
> suggestions on how to load new IPs on the fly? Worst case scenario, I could
> watch a file for changes. Maybe having another socket open that I can hit
> to tell it to reload the IPs from the database.
>
> —
> You are receiving this because you commented.
> Reply to this email directly, view it on GitHub
> <#6 (comment)>,
> or mute the thread
> <https://github.com/notifications/unsubscribe-auth/ADFX3pAWnuMq2hyxY6pEv6Lzw3_oddisks5uHf9vgaJpZM4VSMHK>
> .
>
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
I'm currently working through how the protocol works.
- The AP goes to the CP (captive portal) site.
- User clicks a button a login button.
- CP makes some xhr requests to some endpoints to setup some stuff, like a chap password (I think).
- CP is redirected to a UAM address that the AP supplied.
- AP sets up some CHAP info based on the UAM requests parameters, and makes a request to the RADIUS server, passing the CHAP name, password and challenge.
- Radius server need to look at the CHAP info supplied and find out if it's valid, then return an AccessAccept response, along with some other attributes, like Session-Timeout.
- If there is an AccessAccept response, the user is forwarded to the success page.
Does that sound about right? What authentication methods have you used with RADIUS before?
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Sounds about right, although captive portals are not exactly my field of
expertise.
I have only used PAP and some custom authentication methods. Basically
anything else could be implemented in the packet handler. Using plain CHAP
is a bad idea though, since it requires the user password to be stored in
plain text.
Also, the cryptographic features of the radius protocol have been broken
since pretty much forever, so ideally packets should be tunneled or
otherwise isolated from public networks
…On Tue, Jul 17, 2018, 21:00 Josh Close ***@***.***> wrote:
I'm currently working through how the protocol works.
1. The AP goes to the CP (captive portal) site.
2. User clicks a button a login button.
3. CP makes some xhr requests to some endpoints to setup some stuff,
like a chap password (I think).
4. CP is redirected to a UAM address that the AP supplied.
5. AP sets up some CHAP info based on the UAM requests parameters, and
makes a request to the RADIUS server, passing the CHAP name, password and
challenge.
6. Radius server need to look at the CHAP info supplied and find out
if it's valid, then return an AccessAccept response, along with some other
attributes, like Session-Timeout.
7. If there is an AccessAccept response, the user is forwarded to the
success page.
Does that sound about right? What authentication methods have you used
with RADIUS before?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#6 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/ADFX3hN8Cn_bdYn3Y14PaqxJrVfYbSg1ks5uHiq-gaJpZM4VSMHK>
.
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
I was able to get a working captive portal site up where you click a button, it redirets to the uam ip, the ap calls the radius server, then it redirects after authenticated. I also just forgot I was on the hotspot connection and when trying to access a site, I go redirected back to the login. I have a bit of a ways to go to make it fully functional, but I believe the hard part is over.
Thanks so much for the help and this awesome library.
Btw, have you done any load testing on it? How many connections at once can it handle? I'm thinking I probably should still put this behind a reverse proxy and start it as a service that will restart if it does. Basically what aspnet core does when running kestrel on linux.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
I havent done any general load testing, only very specific testing for our own use cases. I don’t think the radius server itself would be a bottleneck with sane amounts of traffic.
How much it can handle is pretty much up to how the packet handler is implemented. You could of course use this radius server as a “proxy” and then have the packet handler asynchronously call some other (REST perhaps) service. This was actually the primary reason for starting this project in the first place. Most radius servers for windows seem to handle packets synchronously which was a bad idea because we had some very slow external dependencies (several seconds per packet).
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
Awesome. Thanks for all your help!
from flexinets.radius.radiusserver.
JoshClose
commented on May 24, 2024
What are those few lines of code to get it to accept any IP address? The catch all packet handler. It might come in handy for me.
from flexinets.radius.radiusserver.
vforteli
commented on May 24, 2024
Something like this probably 41775d8
from flexinets.radius.radiusserver.
Related Issues (14)
- I would like to consult, you successfully set up radius server? HOT 17
- Vendors for the dictionary HOT 7
- Current example of running the server? HOT 2
- Add Handlers Obsolete? What is the alternative HOT 3
- EAP Support HOT 1
- Can I authenticate VPN?
- CHAP-MSCHAP
- PacketHandler sharedSecret HOT 2
- Validate request authenticator
- Set proper request authenticator in new accounting request packets
- Support radsec
- Invalid Message-Authenticator in packet 224 when using radtest HOT 4
- Add/remove IPs dynamically HOT 5
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from flexinets.radius.radiusserver.