Re: [RADIATOR] How to increase session time

2014-05-07 Thread Qiu, Dennis
Thank you very much. I will give it a try tomorrow.

Dennis Qiu
Information Systems
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017
212 450 5651   tel
dennis@davispolk.com



Confidentiality Note: This email is intended only for the person or entity to 
which it is addressed and may contain information that is privileged, 
confidential or otherwise protected from disclosure. Unauthorized use, 
dissemination, distribution or copying of this email or the information herein 
or taking any action in reliance on the contents of this email or the 
information herein, by anyone other than the intended recipient, or an employee 
or agent responsible for delivering the message to the intended recipient, is 
strictly prohibited. If you have received this email in error, please notify 
the sender immediately and destroy the original message, any attachments 
thereto and all copies. Please refer to the firm's privacy policy located at 
www.davispolk.com for important information on this policy.


Re: [RADIATOR] How to increase session time

2014-05-07 Thread Hugh Irvine

Hello Dennis -

If you want different values for your different user groups, you would put 
something like this in your AuthBy LSA clauses:

…..

# Session-Timeout = nnn 
# where nnn is the number of seconds

# netadmin

AddToReply Session-Timeout = nnn
…..


# users

AddToReply Session-Timeout = nnn
…..


…..

Otherwise if you want the same one for both groups you can do this instead:

…..


AddToReply Session-Timeout = nnn
…..


…..

BTW - I am located in Australia, so no need to send your email twice.

regards

Hugh


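
Hugh's suggestion written out with its enclosing clauses, as an added example that is not part of the original message. The `<Handler>` and `<AuthBy GROUP>` nesting, the second group (`general_staff`, `tacacsgroup = users`) and both timeout values are assumptions; the remaining parameters are taken from the configuration posted in this thread.

```conf
# Added example: per-group Session-Timeout using two AuthBy LSA clauses.
# Clause nesting, the second group's names and the timeout values are
# assumptions; Domain, DomainController, Group networking_staff and
# tacacsgroup = netadmin come from the posted radius.cfg.
<Handler>
    <AuthBy GROUP>
        # Try the inner clauses in order and stop at the first accept
        AuthByPolicy ContinueUntilAccept

        # netadmin
        <AuthBy LSA>
            Domain ad.dpw.com
            DomainController server1
            Group networking_staff
            NoDefault 1
            # AddToReply takes a comma-separated list, so the existing
            # tacacsgroup reply item and Session-Timeout share one line.
            # Session-Timeout is in seconds (constructed value: 1 hour).
            AddToReply tacacsgroup = netadmin, Session-Timeout = 3600
        </AuthBy>

        # users
        <AuthBy LSA>
            Domain ad.dpw.com
            DomainController server1
            # Hypothetical AD group for ordinary users
            Group general_staff
            NoDefault 1
            # Constructed value: 8 hours
            AddToReply tacacsgroup = users, Session-Timeout = 28800
        </AuthBy>
    </AuthBy>
</Handler>
```

With Trace 4 already set in the posted configuration, the Access-Accept written to the log shows which Session-Timeout value was returned for a given user.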

Re: [RADIATOR] LDAP forwarding to two Active Directory Servers

2014-05-07 Thread Heikki Vatiainen
On 05/07/2014 07:46 PM, CLAdirect - Sergei Kortscheff wrote:

> A hotspot service uses forms authentication to validate users against an
> Active Directory server, using LDAP port 389, so far so good.
> 
> The problem begins when we need to authenticate against two Active
> Directory servers on two separate domains. Since the WiFi solution only
> allows a single authentication server to be associated, maybe I could use
> Radiator as a proxy to relay all LDAP data to both Active Directory servers.
> 
> Can something like this be done? 

Maybe something like this would work:


  AuthByPolicy ContinueUntilAccept
  
  # Settings for AD 1
  
  
  # Settings for AD 2
  


The above would try AD 1 first and if it does not accept the attempt
(password is wrong, the AD itself is unreachable, anything else), then
AD 2 would be tried.

Note: this works for plain password based authentication (PAP) where no
Access-Challenges are needed.

There are other possible AuthByPolicies too. Please see the reference
manual for the details.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
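
The fall-through Heikki describes, written out with its enclosing clauses as an added example (not part of the original message and not Heikki's own configuration). The use of `<AuthBy LDAP2>` with a server-side password check is an assumption, and every host name, DN and password below is a placeholder.

```conf
# Added example: one RADIUS front end, two Active Directory domains.
# All hosts, DNs and credentials are placeholders.
<Handler>
    <AuthBy GROUP>
        # AD 1 is tried first; if it does not accept (wrong password,
        # server unreachable, anything else), AD 2 is tried.
        AuthByPolicy ContinueUntilAccept

        # Settings for AD 1
        <AuthBy LDAP2>
            Host ad1.example.com
            Port 389
            AuthDN cn=radiator-bind,cn=Users,dc=example,dc=com
            AuthPassword CHANGE_ME_1
            BaseDN dc=example,dc=com
            UsernameAttr sAMAccountName
            # AD does not return passwords; verify by binding as the user
            ServerChecksPassword
            NoDefault
        </AuthBy>

        # Settings for AD 2
        <AuthBy LDAP2>
            Host ad2.example.org
            Port 389
            AuthDN cn=radiator-bind,cn=Users,dc=example,dc=org
            AuthPassword CHANGE_ME_2
            BaseDN dc=example,dc=org
            UsernameAttr sAMAccountName
            ServerChecksPassword
            NoDefault
        </AuthBy>
    </AuthBy>
</Handler>
# As noted in the message, this fits plain password (PAP) requests
# only, where no Access-Challenge round trips are needed.
```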


Re: [RADIATOR] How to increase session time

2014-05-07 Thread Qiu, Dennis
Hugh,

Can you let me know where I can put the Session-Timeout attribute in my
radius.cfg file?

Thank you

Dennis Qiu
Information Systems
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017
212 450 5651   tel
dennis@davispolk.com





-Original Message-
From: Qiu, Dennis 
Sent: Tuesday, May 06, 2014 9:15 PM
To: 'Hugh Irvine'
Cc: radiator@open.com.au
Subject: RE: [RADIATOR] How to increase session time

Hugh,

I only see sessiontime in my HTTP session. That session is not used by the
network device.

I do not see any attribute such as "Session-Timeout". Do I need to add this
attribute to the radius.cfg file? If so, where should I add it?

Following is my radius.cfg. Can you advise?

Thank you

###
# windows.cfg
#
# Example Radiator configuration file.
# This very simple file will allow you to get started with
# a simple system on Windows. You can then add and change features.
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
# This example is expected to be installed in
#   c:\Program Files\Radiator\radius.cfg
# It will authenticate from a standard users file in
#   c:\Program Files\Radiator\users
# it will log debug and other messages to
#   c:\Program Files\Radiator\logfile
# and log accounting to a file in
#   c:\Program Files\Radiator\detail
# (of course you can change all these by editing this config file if you wish)
#
# It will accept requests from any client and try to handle requests
# for any realm.
# And it will print out what its doing in great detail to the log file.
#
# See radius.cfg for more complete examples of features and
# syntax, and refer to the reference manual for a complete description
# of all the features and syntax.
#
# You should consider this file to be a starting point only
# $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $

AcctPort 1646,1813
AuthPort 1645,1812
BindAddress 144.211.2.97
#BindAddress 0.0.0.0
DbDir c:/Program Files/Radiator
DictionaryFile %D/dictionary
Foreground 1
LogDir c:/Program Files/Radiator/Logs
#LogFile logfile
LogStdout 1

MaxChildren 0
PidFile %L/radiusd.pid
PmwhoProg /usr/local/sbin/pmwho
SnmpNASErrorTimeout 60
SnmpgetProg /usr/bin/snmpget
SnmpsetProg /usr/bin/snmpset
SnmpwalkProg /usr/bin/snmpwalk
Trace 4


DupInterval 0
FramedGroupMaxPortsPerClassC 255
LivingstonHole 2
LivingstonOffs 29
NasType unknown
SNMPCommunity 450dpw$
Secret mysecret



AuthByPolicy ContinueWhileIgnore


AuthByPolicy ContinueUntilAccept
CachePasswordExpiry 86400
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
Identifier GetUser
PasswordPrompt password
SIPDigestRealm DefaultSipRealm


AddToReply tacacsgroup = netadmin
CachePasswordExpiry 86400
Domain ad.dpw.com
DomainController server1
EAPAnonymous anonymous
EAPContextTimeout 1000
EAPFAST_PAC_Lifetime 7776000
EAPFAST_PAC_Reprovision 2592000
EAPTLS_MaxFragmentSize 2048
EAPTLS_PEAPVersion 0
EAPTLS_SessionResumption 1
EAPTLS_SessionResumptionLimit 43200
EAPTLS_VerifyDepth 1
EAPType MSCHAP-V2
Group networking_staff
NoDefault 1
Origin Radiator
  

[RADIATOR] LDAP forwarding to two Active Directory Servers

2014-05-07 Thread CLAdirect - Sergei Kortscheff
Hello,

I'm fairly inexperienced with AAA solutions so please forgive me.

I'm presented with the following scenario:

A hotspot service uses forms authentication to validate users against an
Active Directory server, using LDAP port 389, so far so good.

The problem begins when we need to authenticate against two Active
Directory servers on two separate domains. Since the WiFi solution only
allows a single authentication server to be associated, maybe I could use
Radiator as a proxy to relay all LDAP data to both Active Directory servers.

Can something like this be done?

Kind regards.
..



*Sergei Wladimir Kortscheff*
CLAdirect
Field Services

21 Avenida "B" 0-10 zona 15 Vista Hermosa II
Guatemala
23907732
skortsch...@cladirect.com
www.CLAdirect.com

*USA - Argentina - Chile - Colombia - Ecuador - Guatemala – México - Panamá
- Perú - Puerto Rico -  Rep. Dominicana - Venezuela*

*CONFIDENTIALITY STATEMENT*
This e-mail contains information that is intended to be confidential and
privileged or otherwise legally exempt from disclosure. It is intended only
for the addressee named above. If you are not the intended recipient, any
disclosure, copying, distribution or use of the contents of this
information is prohibited. Please reply to the message immediately by
informing the sender that the message was misdirected. After replying,
please erase it from your computer system. Thank you.