Re: [RADIATOR] Cisco NX-OS TACACS+ problems
On 2013-10-11 13:56, Caporossi, Steve G. wrote:
> We also have issues with NXOS; in our case using RADIUS. It always seems to begin with these syslog messages:
>
>     2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>     2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>     2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>     2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
>
> Authentication fails and we have to fall back to local authentication to fix the issue by sending test authentication to the RADIUS servers. We have the DNS entries configured on the Nexus devices and when this is happening the device can ping the servers using the hostname. Another strange thing is it happens primarily in one VDC and much less frequently on the others using the same OOB management network.

What do you mean with 'dns entries configured *on* the Nexus'? Does it happen too if you configure the radius servers ip addresses instead of their dns names?

@Radiator guys: any update from you?

> Steve
>
> On Oct 11, 2013, at 4:38 AM, Alexander Hartmaier <alexander.hartma...@t-systems.at> wrote:
>> Hi, our switching guys reported that their Cisco Nexus switches running NX-OS log that they can't reach the tacacs servers. This is what the troubleshooting brought up:
>>
>>     2013 Oct 11 08:47:37.061 sgv20s %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
>>
>>     149) Event:E_MTS_TX, length:60, at 60683 usecs after Fri Oct 11 08:47:37 2013
>>     [RSP] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287795, Ret:SUCCESS
>>     Src:0x0501/112, Dst:0x0501/111, Flags:None
>>     HA_SEQNO:0X, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:26
>>     Payload:
>>     0x: 01 03 01 00 3b a2 66 be 00 00 00 00 00 02 00 00
>>
>>     150) Event:E_MTS_RX, length:60, at 46447 usecs after Fri Oct 11 08:47:37 2013
>>     [REQ] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287778, Ret:SUCCESS
>>     Src:0x0501/111, Dst:0x0501/0, Flags:None
>>     HA_SEQNO:0X, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:371
>>     Payload:
>>     0x: 01 03 0c 00 00 00 00 00 00 00 00 00 00 00 02 00
>>
>> According to Cisco the accounting responses from Radiator (version 4.11 with patches revision 1.1530) contain errors:
>>
>>     Accounting Statistics
>>     failed transactions: 1865
>>     successful transactions: 0
>>     requests sent: 1865
>>     requests timed out: 4
>>     responses with no matching requests: 0
>>     responses not processed: 0
>>     responses containing errors: 1861
>>
>> Did someone else notice these problems? Authentication works without any problems.
>>
>> --
>> Best regards, Alexander Hartmaier
>> T-Systems Austria GesmbH, TSS Security Services, Network Security Monitoring Engineer
>> phone: +43(0)57057-4320 fax: +43(0)57057-954320

*** T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b ***
Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately.
***
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] [*** Newsletter ***] Re: Cisco NX-OS TACACS+ problems
On 2013-10-18 11:07, Heikki Vatiainen wrote:
> On 10/18/2013 11:23 AM, Alexander Hartmaier wrote:
>> On 2013-10-11 13:56, Caporossi, Steve G. wrote:
>>> We also have issues with NXOS; in our case using RADIUS. It always seems to begin with these syslog messages:
>>>
>>>     2013 Oct 10 19:56:14.103 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>>>     2013 Oct 10 19:56:14.105 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>>>     2013 Oct 10 19:56:14.106 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: Failed looking up IP address for RADIUS server server address
>>>     2013 Oct 10 19:56:14.107 mdf1 %RADIUS-3-RADIUS_ERROR_MESSAGE: All RADIUS servers failed to respond after retries.
>>>
>>> Authentication fails and we have to fall back to local authentication to fix the issue by sending test authentication to the RADIUS servers. We have the DNS entries configured on the Nexus devices and when this is happening the device can ping the servers using the hostname. Another strange thing is it happens primarily in one VDC and much less frequently on the others using the same OOB management network.
>>
>> What do you mean with 'dns entries configured *on* the Nexus'? Does it happen too if you configure the radius servers ip addresses instead of their dns names?
>>
>> @Radiator guys: any update from you?
>
> For the RADIUS/DNS problem above, I can only think of configuring the server with address instead of name. Why it fails? Maybe there's a rate limit on the DNS side. If there are lots of RADIUS requests each causing a DNS lookup, that might cause the lookup failures.
>
> What comes to NX-OS problems Alexander sees, could it be possible that accounting requests are sent to different Radiators than authentication or authorization requests? If so, then there might be a different shared key configured on the NX-OS than on Radiator? In this case Radiator logs should show errors hinting about 'Bad key?'. If Radiator thinks the key is bad, it will disconnect and this may be logged as 'All servers failed to respond'.

The requests are sent to two Radiator servers forming a failover pair which both have the same TACACS key. It only happens from time to time, the authentication and accounting requests usually work.

> Thanks,
> Heikki
[RADIATOR] Cisco NX-OS TACACS+ problems
Hi,

our switching guys reported that their Cisco Nexus switches running NX-OS log that they can't reach the tacacs servers. This is what the troubleshooting brought up:

    2013 Oct 11 08:47:37.061 sgv20s %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

    149) Event:E_MTS_TX, length:60, at 60683 usecs after Fri Oct 11 08:47:37 2013
    [RSP] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287795, Ret:SUCCESS
    Src:0x0501/112, Dst:0x0501/111, Flags:None
    HA_SEQNO:0X, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:26
    Payload:
    0x: 01 03 01 00 3b a2 66 be 00 00 00 00 00 02 00 00

    150) Event:E_MTS_RX, length:60, at 46447 usecs after Fri Oct 11 08:47:37 2013
    [REQ] Opc:MTS_OPC_TACACS_AAA_REQ(8421), Id:0X0A287778, Ret:SUCCESS
    Src:0x0501/111, Dst:0x0501/0, Flags:None
    HA_SEQNO:0X, RRtoken:0x0A287778, Sync:UNKNOWN, Payloadsize:371
    Payload:
    0x: 01 03 0c 00 00 00 00 00 00 00 00 00 00 00 02 00

According to Cisco the accounting responses from Radiator (version 4.11 with patches revision 1.1530) contain errors:

    Accounting Statistics
    failed transactions: 1865
    successful transactions: 0
    requests sent: 1865
    requests timed out: 4
    responses with no matching requests: 0
    responses not processed: 0
    responses containing errors: 1861

Did someone else notice these problems? Authentication works without any problems.

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] logging (radiator and authlog) and accounting to ElasticSearch
Hi Klara,

thanks for the script! I expected that Radiator executes the configured program in a forked process once and expects it to read from STDIN in an event loop. Seems the program is executed for every log message. What are your experiences with scaling and performance?

@Radiator guys: are you interested in supporting Message::Passing, Log::Log4perl or Log::Any? They support a lot of outputs which would be a great feature addition!

On 2013-09-19 19:56, Klara Mall wrote:
> Hi Alexander,
>
> On 09/19/2013 04:57 PM, Alexander Hartmaier wrote:
>> For quite some time I've been looking for a way to customize the accounting log file format, but the problem I'm having with it is that there seems to be no way to log all key/value pairs contained in the accounting packet without specifying each name. The default format is nice to read but hard to search with e.g. ack or grep. I've read that using a pipe followed by a program as AcctLogFileName works, but passing data serialized one log per line to it would also make it easier for the program to parse the log and pass it on (e.g. JSON serialized).
>
> We ran into the same problem and wrote a perl script which we pipe the Accounting Log to. It's attached.
>
> radiator config:
>
>     AcctLogFileName | /usr/local/bin/radacclog.pl
>
> Regards
> Klara

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] logging (radiator and authlog) and accounting to ElasticSearch
On 2013-09-20 11:44, Heikki Vatiainen wrote:
> On 09/20/2013 11:35 AM, Alexander Hartmaier wrote:
>> @Radiator guys: are you interested in supporting Message::Passing, Log::Log4perl or Log::Any? They support a lot of outputs which would be a great feature addition!
>
> Sounds interesting. So this would be for Accounting, at least first, or do you see need for passing other information through these too?

I'd prefer having this support for all types of logs. Maybe extending Log to handle authentication, accounting and general radiator logs would make sense. AuthLog would become

    <Log MessagePassing>   (or all other currently available like <Log FILE>)
        Auth 1
        Acct 0
        Other 0
        ...
    </Log>

If you don't want to change the config DSL so much, the Log and AuthLog stanzas would both need to support each output. Haven't looked at the code yet but I guess there is much to share between them and AuthLog could internally become just an alias for Log with Auth 1, Acct 0, Other 0. Accounting logging is currently handled entirely differently as there is no AcctLog.

> As always, any additional ideas and comments from the list members would be appreciated too.

Yes, please, speak up everybody!
[RADIATOR] logging (radiator and authlog) and accounting to ElasticSearch
After pushing all our network device syslogs into ElasticSearch I'm looking into doing the same for our applications, starting with Radiator.

The Radiator application logs should be fairly trivial by using <Log SYSLOG>. The same goes for <AuthLog SYSLOG> where the format could be e.g. key/value pair JSON serialized.

What I'm missing is the same for accounting logs. For quite some time I've been looking for a way to customize the accounting log file format, but the problem I'm having with it is that there seems to be no way to log all key/value pairs contained in the accounting packet without specifying each name. The default format is nice to read but hard to search with e.g. ack or grep. I've read that using a pipe followed by a program as AcctLogFileName works, but passing data serialized one log per line to it would also make it easier for the program to parse the log and pass it on (e.g. JSON serialized).

Is there some feature I've overlooked?

--
Best regards, Alexander Hartmaier
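An added example of the kind of pipe target this question and Klara's reply above talk about (it is not Radiator's code and not Klara's attached radacclog.pl): it reads accounting records from STDIN and emits one JSON object per record, one per line, ready for ElasticSearch. It assumes Radiator's default accounting log layout (a timestamp line, tab-indented `Attribute = value` lines, a blank line between records); the script name and the sample record are made up.

```perl
#!/usr/bin/perl
# acct2json.pl (hypothetical name): Radiator accounting log -> JSON lines.
# Assumed input layout (Radiator's default when AcctLogFileFormat is unset):
# a timestamp line, then tab-indented "Attribute = value" lines, then a
# blank line.  Intended use:  AcctLogFileName | /usr/local/bin/acct2json.pl
use strict;
use warnings;
use JSON::PP;                          # core module since Perl 5.14

my $json = JSON::PP->new->canonical;   # stable key order, one line per record

# Turn the lines of one record into a hash reference.  An attribute that
# occurs more than once (cisco-avpair, Class, ...) becomes an array so no
# value is dropped, which a fixed AcctLogFileFormat cannot express.
sub parse_record {
    my @lines = @_;
    return undef unless @lines;
    my %rec = (timestamp => shift @lines);
    for my $line (@lines) {
        next unless $line =~ /^\s*([\w.-]+)\s*=\s*(.*?)\s*$/;
        my ($name, $value) = ($1, $2);
        $value =~ s/^"(.*)"$/$1/;      # Radiator quotes string values
        if (!exists $rec{$name}) {
            $rec{$name} = $value;
        } else {
            $rec{$name} = [ $rec{$name} ] unless ref $rec{$name};
            push @{ $rec{$name} }, $value;
        }
    }
    return \%rec;
}

# Split a filehandle into records at blank lines; returns the JSON strings.
sub records_to_json {
    my ($fh) = @_;
    my (@out, @cur);
    while (my $line = <$fh>) {
        chomp $line;
        if ($line =~ /^\s*$/) {
            push @out, $json->encode(parse_record(@cur)) if @cur;
            @cur = ();
        } else {
            push @cur, $line;
        }
    }
    # Radiator may start the pipe program once per log message (as observed
    # in the thread), so the last record can end at EOF without a blank line.
    push @out, $json->encode(parse_record(@cur)) if @cur;
    return @out;
}

# Constructed sample record, used when nothing is piped in; all values are
# made up for the demonstration.
my $sample = <<"END";
Fri Sep 20 09:00:00 2013
\tUser-Name = "mikem"
\tAcct-Status-Type = Start
\tNAS-IP-Address = 203.0.113.1
\tAcct-Session-Id = "0000C0DE"
\tcisco-avpair = "connect-progress=Call Up"
\tcisco-avpair = "nas-tx-speed=64000"

END

my $in;
if (-t STDIN) {                        # interactive run: show the sample
    open $in, '<', \$sample or die "cannot open sample: $!";
} else {                               # pipe from Radiator: read the real log
    $in = \*STDIN;
}
print "$_\n" for records_to_json($in);
```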
Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check
On 2013-09-18 12:30, Heikki Vatiainen wrote:
> On 09/18/2013 01:14 PM, Heikki Vatiainen wrote:
>> Thanks, noted. Also noted Garry's message. Something like %{RequestOr:attributename} should be quite straightforward to do and understand. However, %{RequestAnd:attributename} requires a bit more. Syntax like this might be a possibility:
>>
>>     mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4|2.3.4.5
>
> The above should be RequestAnd like this.
>
>     mikem User-Password=fred, %{RequestAnd:Framed-IP-Address}=1.2.3.4|2.3.4.5

That makes sense and should be understandable as the syntax follows the Handler syntax.

> Here the request would be accepted if: User-Password = fred, and Framed-IP-Address = 1.2.3.4, and Framed-IP-Address = 2.3.4.5
>
> As another example, the required values (e.g., 1.2.3.4 and 2.3.4.5) could come from a multivalued LDAP attribute.
>
> If there are examples how the above would be put in use, please let us know.
Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check
On 2013-09-18 16:53, Garry Shtern wrote:
> Ah, I was a bit confused. That makes sense now. This begs a necessity for a method that retrieves all groups a user belongs to into a multi-value attribute that is checked against with %{RequestOr:attribute}=Group1|Group2. At least for LDAP.

That's already possible:

    AuthAttrDef memberOf, OSC-Group-Identifier-LDAP,request

I just saw in the 4.12 ref.pdf that 5.38.16 mentions the type 'request' but 5.43.4 doesn't. You might want to sync the two sections or replace one with a pointer to the other.

> Thanks.
>
> -----Original Message-----
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Wednesday, September 18, 2013 9:33 AM
> To: 'radiator@open.com.au'
> Subject: Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check
>
> On 09/18/2013 02:51 PM, Garry Shtern wrote:
>> I was under the impression that RequestOr is already supported if one lists values separated by a space. Are you proposing to change the separator character to pipe and offering an explicit method?
>
> I was thinking the case below. Here the request has two OSC-AVPAIR attributes. If you have a check item OSC-AVPAIR=attrname1=value1, it will match since Radiator currently takes just the first named attribute. However, if you need to check that OSC-AVPAIR=attrname2=value2, then it fails since the check is once again done against the first attribute.
>
> For example, with flat user file syntax, this will match:
>
>     mikem User-Password=fred, OSC-AVPAIR=attrname1=value1
>
> but this will not match:
>
>     mikem User-Password=fred, OSC-AVPAIR=attrname2=value2
>
> I think this would be useful for customisation, such as private attributes added for policy checks, cisco-avpair and other attributes that may be present multiple times in a request.
>
>     Code:       Access-Request
>     Identifier: 103
>     Authentic:  P13615223\|K30184?3020121220|4
>     Attributes:
>         User-Name = mikem
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = 123456789
>         Calling-Station-Id = 987654321
>         NAS-Port-Type = Async
>         User-Password = ~1521835253~+Rc25+137196164d
>         OSC-AVPAIR = attrname1=value1
>         OSC-AVPAIR = attrname2=value2
>
> With pipe you can match a request like this:
>
>     Code:       Access-Request
>     Identifier: 103
>     Authentic:  P13615223\|K30184?3020121220|4
>     Attributes:
>         User-Name = mikem
>         Service-Type = Framed-User
>         NAS-IP-Address = 203.63.154.1
>         NAS-Identifier = 203.63.154.1
>         NAS-Port = 1234
>         Called-Station-Id = 123456789
>         Calling-Station-Id = 987654321
>         NAS-Port-Type = Async
>         User-Password = ~1521835253~+Rc25+137196164d
>         OSC-AVPAIR = attrname1=value1
>
> with a user file like this:
>
>     mikem User-Password=fred, OSC-AVPAIR=attrname1=value1|attrname2=value2
>
> This will allow OSC-AVPAIR to be either attrname1=value1 or attrname2=value2
>
> If you still think space can be used, please provide an example. I'm interested to see if I have missed something :)
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen <h...@open.com.au>
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check
Hi Heikki,

On 2013-09-17 14:23, Heikki Vatiainen wrote:
> On 09/16/2013 03:59 PM, Alexander Hartmaier wrote:
>> I just tried to implement a check for group membership:
>>
>>     AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check
>>
>> OSC-Group-Identifier-LDAP is a multi-value attribute derived from OSC-Group-Identifier with a PreAuthHook, basically just to transform the support groups of a device into the corresponding LDAP CNs. According to the trace 4 log the check runs twice but both times using the first OSC-Group-Identifier-LDAP value. Is this a bug?
>
> I think this is the intended behaviour. The code always fetches a single value for the named attribute. This means it always gets the first attribute's value. It does not try to fetch all values of the named attribute.
>
> Currently you could use a PostSearchHook to do something like this:
>
>     my @ldap_groups = $p->get_attr('OSC-Group-Identifier-LDAP');

I already use get_attr in my hook that generates OSC-Group-Identifier-LDAP from OSC-Group-Identifier and found in the comments that it returns a list in list context. Had to change my hook to handle OSC-Group-Identifier in cases where it contains more than one value.

> Since @ldap_groups is an array, you will get all values of OSC-Group-Identifier-LDAP, not just the first one. Then you can try each LDAP memberOf attribute value with OSC-Group-Identifier-LDAP attribute values to see if there's a match:
>
>     # all memberOf values of the LDAP entry, as an array reference
>     my $memberof = $entry->get_value('memberOf', asref => 1);
>     foreach my $group (@$memberof) {
>         # grep, not map: map in scalar context returns the number of
>         # generated elements, so the test would be true whenever
>         # @ldap_groups is non-empty, regardless of any real match
>         return 1 if (grep { lc $group eq lc $_ } @ldap_groups);
>     }
>     return 0;

5.38.21 PostSearchHook from the 4.12 reference doc doesn't describe how the return value influences the request handling. Is this something common to all hooks and described somewhere else?

> Also, we discussed here about adding support for RADIUS attributes that can be present multiple times. This would mean that e.g., if there are 4 Framed-IP-Address attributes, you could have something like this (flat file format):
>
>     mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4
>
> This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4. Any comments about how useful you or the others would see this is appreciated.

A syntax to define if any value or all values has to match is highly anticipated!

> Thanks,
> Heikki

--
Best regards, Alexander Hartmaier
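An added illustration of the three matching rules discussed in this thread and in the Heikki/Garry exchange above: the "first instance only" rule Radiator applies today, and the proposed %{RequestOr:...} and %{RequestAnd:...} forms. This is not Radiator's code; the request and the user lines are constructed from the thread's examples, and User-Password is compared as plain text only to keep the script self-contained.

```perl
#!/usr/bin/perl
# Evaluates flat-file check items against a request that carries the same
# attribute several times.  Hypothetical implementation for illustration
# only; real password checking is out of scope here.
use strict;
use warnings;

# The request as [name, value] pairs in wire order: a constructed
# counterpart of the Access-Request dump shown in the thread.
my @request = (
    ['User-Name',         'mikem'],
    ['User-Password',     'fred'],
    ['Framed-IP-Address', '1.2.3.4'],
    ['OSC-AVPAIR',        'attrname1=value1'],
    ['OSC-AVPAIR',        'attrname2=value2'],
);

# All values of one attribute, like get_attr() in list context.
sub attr_values {
    my ($request, $name) = @_;
    return map { $_->[1] } grep { $_->[0] eq $name } @$request;
}

# Evaluate one check item.  Forms handled:
#   Name=v1|v2                  first instance must equal one alternative
#   %{RequestOr:Name}=v1|v2     any instance may equal any alternative
#   %{RequestAnd:Name}=v1|v2    every alternative must appear as an instance
# Returns 1 on match, 0 otherwise.
sub check_item_matches {
    my ($request, $item) = @_;
    my ($lhs, $rhs) = split /=/, $item, 2;   # split once: values may hold '='
    die "bad check item: $item\n" unless defined $rhs;

    my ($mode, $name) = $lhs =~ /^%\{Request(Or|And):([^}]+)\}$/
        ? ($1, $2) : ('First', $lhs);
    my @have = attr_values($request, $name);
    my @want = split /\|/, $rhs;
    my %have = map { ($_ => 1) } @have;

    if ($mode eq 'First') {
        return 0 unless @have;
        return (grep { $_ eq $have[0] } @want) ? 1 : 0;
    }
    if ($mode eq 'Or') {
        return (grep { $have{$_} } @want) ? 1 : 0;
    }
    # And: fail if any required value is missing from the request
    return (grep { !$have{$_} } @want) ? 0 : 1;
}

# A user entry is accepted only when all of its check items match.
sub user_entry_matches {
    my ($request, $entry) = @_;
    my ($user, $items) = split /\s+/, $entry, 2;
    for my $item (split /\s*,\s*/, $items) {
        return 0 unless check_item_matches($request, $item);
    }
    return 1;
}

# The user lines discussed in the thread, with the outcome each rule gives.
my @cases = (
    ['mikem User-Password=fred, OSC-AVPAIR=attrname1=value1',                     1],
    ['mikem User-Password=fred, OSC-AVPAIR=attrname2=value2',                     0],
    ['mikem User-Password=fred, OSC-AVPAIR=attrname1=value1|attrname2=value2',    1],
    ['mikem User-Password=fred, %{RequestOr:OSC-AVPAIR}=attrname2=value2',        1],
    ['mikem User-Password=fred, %{RequestAnd:Framed-IP-Address}=1.2.3.4|2.3.4.5', 0],
    ['mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4|2.3.4.5',  1],
);
for my $case (@cases) {
    my ($entry, $expected) = @$case;
    my $got = user_entry_matches(\@request, $entry);
    printf "%-4s %s\n", ($got == $expected ? 'ok' : 'FAIL'), $entry;
}
```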
[RADIATOR] AuthAttrDef for multi-value Radius attribute check
I just tried to implement a check for group membership:

    AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check

OSC-Group-Identifier-LDAP is a multi-value attribute derived from OSC-Group-Identifier with a PreAuthHook, basically just to transform the support groups of a device into the corresponding LDAP CNs. According to the trace 4 log the check runs twice but both times using the first OSC-Group-Identifier-LDAP value. Is this a bug?

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] IPv6 enhancements in current patches: IPV6_V6ONLY and IPv6 CIDR clients
Heikki++

I hope the reference manual was updated to reflect this feature as well.

On 2013-08-22 16:37, Heikki Vatiainen wrote:
> Hello, there was recently discussion about IPv6 wildcard address binding and support for defining IPv6 clients with CIDR notation.
>
> Patch set for Radiator 4.11 now includes support for enabling IPV6_V6ONLY for IPv6 wildcard :: listen sockets. When enabled, this allows separate binding to IPv4 and IPv6 wildcard addresses. This also means IPv4 traffic is no more seen as IPv6 traffic with addresses like ::ffff:192.168.1.2.
>
> IPV6_V6ONLY is directly supported by Perl 5.16 and later. However, if one installs recent Socket.pm separately, the option can be used with older Perl versions too.
>
> Also, CIDR notation is now supported for IPv6 clients:
>
>     <Client ipv6:2001:db8:1:2::/126>
>     ...
>     <Client ipv6:::ffff:192.168.1.0/120>
>     ...
>
> Any comments and test reports are appreciated.
>
> Thanks,
> Heikki
Re: [RADIATOR] AuthBy RADIUS and LocalAddress
Hi Heikki,

On 2013-08-19 14:22, Heikki Vatiainen wrote:
> On 08/16/2013 02:45 PM, Alexander Hartmaier wrote:
>> I've migrated our main Radiator installation to new servers and just faced the problem that an AuthBy RADIUS didn't send a packet out although a trace 4 showed a "Sending to IPv4". The Radiator process is bound to some virtual IPs using BindAddress, which is different from the old installation where it listened on 0.0.0.0.
>
> Hello Alexander, what do you mean by *virtual* IP address in this case. Is it an alias address or something else?

The server has two interfaces, both have additional, virtual ip addresses on both interfaces (eth0:0, eth0:1, eth1:0 and eth1:1 for IPv4, additional IPv6 addresses on eth0 and eth1).

> Also, is that unpatched or patched 4.11?

patched from 2013-06-18

>> Adding LocalAddress using the non-virtual IPv4 address of the interface fixed it. Without that a tcpdump shows no packets on either of the two interfaces.
>
> LocalAddress should default to BindAddress or 0.0.0.0 if LocalAddress is not set explicitly as an option. It also tries to create a socket for proxying the requests if no such socket exists already.

And it seems creating that socket fails without an error message.

>> Imho that's a bug because sending Radius requests as a Radius client should be decoupled from being a Radius Server.
>
> Do you think you could provide a minimal configuration file that reproduces the problem you see? We would be interested in taking a further look at this.

Assuming the radius server has the ip 192.0.2.2 on eth0 and 10.0.0.2 on eth1 and the virtual ips 192.0.2.10 and 10.0.0.10 as 'service' ips, that should work:

    AuthPort 1812
    AcctPort 1813
    BindAddress 127.0.0.1, 192.0.2.10, ipv6:2001:db8::10, 10.0.0.10

    <Handler>
        <AuthBy RADIUS>
            Host 192.0.2.20
            Secret FooBar
            AuthPort 1645
            NoForwardAccounting
            LocalAddress 10.0.0.2 # without this line no radius packet is sent according to tcpdump
        </AuthBy>
    </Handler>

> Thanks,
> Heikki
[RADIATOR] AuthBy RADIUS and LocalAddress
Hi,

I've migrated our main Radiator installation to new servers and just faced the problem that an AuthBy RADIUS didn't send a packet out although a trace 4 showed a "Sending to IPv4". The Radiator process is bound to some virtual IPs using BindAddress, which is different from the old installation where it listened on 0.0.0.0.

Adding LocalAddress using the non-virtual IPv4 address of the interface fixed it. Without that a tcpdump shows no packets on either of the two interfaces.

Imho that's a bug because sending Radius requests as a Radius client should be decoupled from being a Radius Server.

--
Best regards, Alexander Hartmaier
[RADIATOR] ERR: Bad attribute=value pair
Hi,

I've configured the following lines in an AuthBy LDAP2 block:

    # store the users mobile phone number in the 'mobile' attribute,
    # his mail address in the 'mail' attribute and
    # his group memberships in the 'memberof' attribute.
    # The 'mobile' or 'mail' attribute is copied by the hook into the
    # Callback-Number attribute depending on the group membership
    AuthAttrDef mobile,GENERIC,request
    AuthAttrDef mail,GENERIC,request
    AuthAttrDef memberof,GENERIC,request

This results in error messages in the log:

    Tue Jul 16 08:49:46 2013: ERR: Bad attribute=value pair: n...@fqdn.org
    Tue Jul 16 08:49:46 2013: ERR: Bad attribute=value pair: +4312345678

Is this because mobile and mail are not in the dictionary? Why isn't the error also thrown for memberof?

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] ERR: Bad attribute=value pair
On 2013-07-16 16:46, Heikki Vatiainen wrote:
> On 07/16/2013 12:03 PM, Alexander Hartmaier wrote:
>>     AuthAttrDef mobile,GENERIC,request
>>     AuthAttrDef mail,GENERIC,request
>>     AuthAttrDef memberof,GENERIC,request
>>
>> This results in error messages in the log:
>>
>>     Tue Jul 16 08:49:46 2013: ERR: Bad attribute=value pair: n...@fqdn.org
>>     Tue Jul 16 08:49:46 2013: ERR: Bad attribute=value pair: +4312345678
>
> GENERIC expects the values fetched from LDAP to be in 'AttributeName=value' format. Maybe this would work better:
>
>     AuthAttrDef mobile,mobile,request
>     AuthAttrDef mail,mail,request
>     AuthAttrDef memberof,memberof,request

Thanks, that did the trick!

>> Is this because mobile and mail are not in the dictionary?
>
> No. Dictionary is only required if the attribute and its value need to be packed in the network transfer format. That is, numbers instead of attribute names etc.

Makes sense.

>> Why isn't the error also thrown for memberof?
>
> Most likely because the memberof LDAP attribute value is in CN=... format. When attribute is added in the request, CN is taken as the attribute name and the rest (...) as the value.

Yeah, I guess it's even memberof=CN=,memberof=CN= and therefore worked as well.

> Thanks,
> Heikki
Re: [RADIATOR] ERR: Stream sysread for radius1.dfn.de:2083 failed: . Peer probably disconnected
Using the default isn't secure in any way...

BR Alex

On 2013-07-09 13:39, Karl Gaissmaier wrote:
> Hi Radiator team,
>
> regression tests are helpful:
>
> git diff Radius/AuthRADSEC.pm for version 4.9 to 4.11:
>
> @@ -119,13 +144,15 @@ sub initialize
>  my ($self) = @_;
>  $self-SUPER::initialize;
> -$self-{Secret} = 'mysecret';
> +$self-{Secret} = 'radsec';
>
> the default secret was changed between 4.9 and 4.11 and I used it, arrgh. I called the german-toplevel-eduroam-proxy-operator to change the password, and voila it works.
>
> Sorry, I'm sure it's somewhere in the release notes, but 'read the source luke' is always true.
>
> Best Regards
> Charly
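Review bot: changing the built-in default Secret from 'mysecret' to 'radsec' silently breaks every peer that still relies on the old default, which is exactly what Charly ran into; a change to a default that both ends of a RadSec connection must agree on needs an explicit release-note entry, and the 'Bad key?'-style error Radiator logs on a mismatch should point at the changed default so the cause is visible without reading the source. The new value itself is the right one, since RFC 6614 fixes 'radsec' as the shared secret for the RADIUS MD5 authenticator over TLS; the missing piece is the migration note and the log hint, not the value.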
Re: [RADIATOR] ERR: Stream sysread for radius1.dfn.de:2083 failed: . Peer probably disconnected
On 2013-07-09 14:14, Karl Gaissmaier wrote:
> On 2013-07-09 14:04, Alexander Hartmaier wrote:
>> Using the default isn't secure in any way...
>
> it's within RADSEC and not RADIUS.

So? You can configure the Secret in an <AuthBy RADSEC> section the same way you can configure it for a <ServerRADSEC>.

> Regards
> Charly
[RADIATOR] reply bug
Hi,

it seems Radiator has a bug when replying to Radius requests on hosts that have more than one IPv4 address on an interface.

For example with the default binding of 0.0.0.0 and a Linux server with the following IP addresses (ip addr output):

    inet 1.2.3.8/24 brd 1.2.3.255 scope global eth0
    inet 1.2.3.9/24 brd 1.2.3.255 scope global secondary eth0:0

When sending a Radius request to 1.2.3.9 the reply is sent from 1.2.3.8.

Binding Radiator only to 1.2.3.9 works around the problem.

--
BR Alex
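The behaviour Alex reports is the normal consequence of answering from a wildcard-bound UDP socket: the kernel picks the interface's primary address as the source, and a NAS that looks up the shared secret by server address then drops the reply or logs it as coming from an unknown server. As an added example (not from the thread and not Radiator's code), here is the usual fix in Python: ask the kernel for IP_PKTINFO on each datagram, read the destination address the request was sent to, and hand the same address back to sendmsg() so the reply leaves from it. The RADIUS part builds a bare Access-Reject with the RFC 2865 Response Authenticator so the responder is a real, if minimal, server. It assumes Linux (the IP_PKTINFO value 8 is only used as a fallback when Python does not export the name) and a constructed shared secret.

```python
import hashlib
import socket
import struct

# Added example, not Radiator's code. A minimal UDP RADIUS responder that
# learns which local address a request was sent to (IP_PKTINFO) and replies
# from that same address, which is what a NAS expects on a multi-homed host.
# Only the pure helpers are exercised by the test; serve() needs a socket.

IP_PKTINFO = getattr(socket, "IP_PKTINFO", 8)   # Linux value; fallback assumed if the name is missing
PKTINFO_LEN = 12  # struct in_pktinfo { int ipi_ifindex; in_addr ipi_spec_dst; in_addr ipi_addr; }


def parse_pktinfo(ancdata):
    """Return (ifindex, destination IP string) from recvmsg() ancillary data, or None."""
    for level, ctype, data in ancdata:
        if level == socket.IPPROTO_IP and ctype == IP_PKTINFO and len(data) >= PKTINFO_LEN:
            ifindex, _spec_dst, addr = struct.unpack("=i4s4s", data[:PKTINFO_LEN])
            return ifindex, socket.inet_ntoa(addr)   # ipi_addr is the header destination
    return None


def build_pktinfo(source_ip):
    """Ancillary data for sendmsg(): ipi_spec_dst selects the local source address."""
    payload = struct.pack("=i4s4s", 0, socket.inet_aton(source_ip), b"\x00" * 4)
    return [(socket.IPPROTO_IP, IP_PKTINFO, payload)]


def radius_reply(request, secret, code=3):
    """Build a bare Access-Reject (code 3) carrying the RFC 2865 Response Authenticator."""
    if len(request) < 20:
        raise ValueError("RADIUS packet shorter than the 20-byte header")
    _req_code, ident, _length = struct.unpack("!BBH", request[:4])
    header = struct.pack("!BBH", code, ident, 20)
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret); no attributes here
    resp_auth = hashlib.md5(header + request[4:20] + secret).digest()
    return header + resp_auth


def verify_reply(request, reply, secret):
    """What the NAS does before accepting a reply; one from an unexpected source IP never gets this far."""
    if len(reply) < 20 or reply[1] != request[1]:
        return False
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


def serve(secret, bind_addr="0.0.0.0", port=1812):
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, IP_PKTINFO, 1)   # deliver destination info per datagram
    sock.bind((bind_addr, port))
    while True:
        data, ancdata, _flags, peer = sock.recvmsg(4096, socket.CMSG_SPACE(PKTINFO_LEN))
        info = parse_pktinfo(ancdata)
        local_ip = info[1] if info else bind_addr
        try:
            reply = radius_reply(data, secret)
        except ValueError:
            continue   # runt packet, ignore it
        # Reply from the address the request was sent to, not the interface's primary address
        sock.sendmsg([reply], build_pktinfo(local_ip), 0, peer)


if __name__ == "__main__":
    serve(b"testing123")   # constructed secret; run as root or with a high port
```

Binding one socket per address, as in the workaround above, achieves the same thing with more sockets; IP_PKTINFO (IPV6_RECVPKTINFO for IPv6) is what lets a single wildcard socket get the source right.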
Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client
On 2013-06-28 16:38, Heikki Vatiainen wrote:
> On 06/28/2013 03:17 PM, Mueller, Jason C wrote:
>> I am still using ipv6:::, since I have not yet convinced system administrators to change the bindv6only attribute to 1. The example above (which a couple of others also suggested) works for a single address (i.e., ipv6::::128.255.90.90). However, it does not look like you support CIDR notation for IPv6, which you do support for IPv4. I need the support of CIDR notation to avoid putting in many hundreds of client entries.
>
> That's correct. The current CIDR notation is for IPv4 only.
>
> I took an initial look about setting IPV6_V6ONLY for the listen socket so that the option could be set or unset no matter what the system default is. This would require a setsockopt() call, but it seems that the availability of IPV6_V6ONLY is not guaranteed with older Perls. For example, I needed to use this in ServerRADIUS.pm:
>
> setsockopt($s, Socket::IPPROTO_IPV6, 26, 1);
>
> on Perl 5.14.2 and Ubuntu 12.04. This works, but I'd rather use a name than bare 26 for IPV6_V6ONLY. Though I did not investigate this more at this point.

Socket is a dual-life module, it ships with Perl but is developed separately and published on CPAN. You could require a newer Socket version regardless of the used Perl version as long as this Socket version is backcompat with the Perl version.

>> Any help is appreciated.
>
> Turning off the system default would be the easiest. Adding a setsockopt locally could fix it quickly too, but would mean there's the local maintenance overhead with it. CIDR support for IPv6 would require much more work. Adding the possibility for setsockopt in Radiator should be doable after some consideration how to handle it with the systems that do not support it or do not provide the option name.

When you enable IPv6 for a service updating OS and software is often required. Having minimum requirements for IPv6 in the docs would help planning and prevent hidden obstacles like this.

Please look into adding an option to set the IPv6 socket to IPv6 only so that the IPv4 part of the config and backends doesn't have to be touched. Thanks!

> Thanks,
> Heikki
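Why an IPv4 client stops matching once the server listens on ipv6::: with bindv6only left at 0: on a dual-stack socket the IPv4 NAS arrives as an IPv4-mapped IPv6 peer (::ffff:a.b.c.d), which compares unequal to every IPv4 client entry. As an added example that is not part of the thread and not Radiator's code, the Python below shows the two remedies discussed: setting IPV6_V6ONLY by name rather than the bare 26, and, for a lookup that has to cope with a dual-stack socket anyway, mapping the peer back to IPv4 before a longest-prefix CIDR match that works for both families (the IPv6 CIDR support the thread says Radiator lacks). The client table is constructed.

```python
import ipaddress
import socket

# Added example, not Radiator's code. (1) IPV6_V6ONLY set by name instead of
# the bare 26, and (2) a client lookup that survives a dual-stack socket by
# mapping ::ffff:a.b.c.d back to IPv4 and matching CIDR entries of either
# family. The client entries are constructed.

CLIENTS = {
    ipaddress.ip_network("128.255.90.0/24"): "campus-v4",
    ipaddress.ip_network("2001:db8:90::/48"): "campus-v6",
    ipaddress.ip_network("10.33.50.4/32"): "alu-nas",
}


def normalize_peer(addr):
    """Strip a scope id and map an IPv4-mapped IPv6 peer back to its IPv4 address."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def find_client(addr, clients=CLIENTS):
    """Longest-prefix match of the normalised peer address against the client table."""
    ip = normalize_peer(addr)
    best = None
    for net, name in clients.items():
        if net.version == ip.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, name)
    return best[1] if best else None


def listen_v6(port=1812, v6only=True):
    """Bind an IPv6 UDP socket; with v6only=True IPv4 stays on a separate IPv4 socket."""
    sock = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
    # Named constant rather than the bare 26; the value is the same on Linux
    sock.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 1 if v6only else 0)
    sock.bind(("::", port))
    return sock


if __name__ == "__main__":
    for peer in ("128.255.90.90", "::ffff:128.255.90.90", "2001:db8:90::1",
                 "::ffff:10.33.50.4", "2001:db8:91::1"):
        print(peer, "->", find_client(peer))
```

With IPv6-only sockets the mapping step is never needed and the existing IPv4 client configuration keeps working unchanged, which is the option Alex asks for; the lookup is the fallback when the socket stays dual-stack.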
Re: [RADIATOR] Radiator Debian Wheezy = memory problem?
Hi Kurt,

I'm not aware of a memory leak in Perl 5.14.2 that affects Radiator but you might want to check using one of the many leak checking modules on CPAN: https://metacpan.org/search?q=leak

Knowing which additional Perl modules you've installed and how your Radiator is configured (EAP?) will also help. Maybe an underlying C library leaks.

On 2013-06-19 11:04, Kurt Bauer wrote:
> Hi,
>
> since upgrading one of our radius-servers to Debian 7 (Wheezy) we experience serious memory problems, namely Radiator eating up all the available memory over time (see attached graph). We have a few Radiator installations running and the ones on Debian Squeeze behave fine.
>
> Radiator 4.11 plus latest patches
> Perl v5.14.2 (as packaged in Wheezy)
>
> Any similar experiences or hints why this could be? Restarting Radiator every few days rectifies the situation but is not the way we want to run the service ;-)
>
> Thanks for your help,
> best regards,
> Kurt
>
> --
> Kurt Bauer kurt.ba...@univie.ac.at
> Vienna University Computer Center - ACOnet - VIX
> Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
> Tel: 43 1 4277 - 14070 (Fax: - 814070) KB1970-RIPE

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
Thanks Heikki!

Best regards, Alex

On 2013-04-26 16:21, Heikki Vatiainen wrote:
> On 04/23/2013 10:57 AM, Alexander Hartmaier wrote:
>> will you include the dictionary in the goodies dir? I don't see it in the 4.11 patch tarball.
>
> Hello Alexander,
>
> the dictionary is now in the top level Radiator distribution. There's also a note in the main dictionary to see the new file for a more current set of Cisco/Altiga attributes.
>
>> Are the names I've used ok for you?
>
> We did not touch the names. I think they are fine.
>
> Thanks for your help,
> Heikki
Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
Hi Hugh and Heikki,

will you include the dictionary in the goodies dir? I don't see it in the 4.11 patch tarball.

Are the names I've used ok for you?

Best regards, Alex

On 2013-03-26 10:36, Hugh Irvine wrote:
> Hello Alex -
>
> I think you will find a very great number of obsolete entries in the default dictionary. Such is the burden of history - we prefer to cause the least amount of trouble to the largest number of customers.
>
> Customers such as yourself with lots of experience are in a much better position to do whatever you wish. For better or for worse we have customers with vastly differing levels of skill, so we try very hard not to cause too many problems.
>
> best regards
>
> Hugh
>
> On 26 Mar 2013, at 19:03, Alexander Hartmaier alexander.hartma...@t-systems.at wrote:
>> So you prefer to include obsolete entries in the default dictionary instead of making them available in a separate file for backward compat? If someone upgrades Radiator this doesn't mean that he replaces his dictionary file with the one from the installation tarball.
>>
>> Cheers, Alex
>>
>> On 2013-03-25 23:04, Hugh Irvine wrote:
>>> Agreed.
>>>
>>> On 26 Mar 2013, at 08:51, Heikki Vatiainen h...@open.com.au wrote:
>>>> On 03/25/2013 11:21 PM, Hugh Irvine wrote:
>>>>> I would probably add them to the Cisco-specific file in goodies/dictionary.cisco for those people who want to use them.
>>>>
>>>> Or maybe create a new file goodies/dictionary.cisco-vpn? The existing goodies/dictionary.cisco has older definitions too that are no longer in sync with IANA registry.
>>>>
>>>>> You really don't want to change what is in the standard dictionary as that would undoubtedly break existing operations.
>>>>
>>>> Yes, that could easily. But a file with just vendor 3076 attributes could be easily used when the newer definitions are required. I'll ask this to be included. That was my idea anyway, but I had not done it yet.
>>>>
>>>> Thanks,
>>>> Heikki
>>>>
>>>> --
>>>> Heikki Vatiainen h...@open.com.au
>>>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>
>>> --
>>> Hugh Irvine h...@open.com.au
>>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Syntax for handler
Hi Manish,

as you have to define the NAS and its RADIUS secret anyway I suggest that you configure a client-identifier for it and use that in your Handler(s); it makes future changes easier because you don't have to search for the IP in your whole config.

Best regards, Alex

On 2013-04-15 12:56, Arya, Manish Kumar wrote:
> Hi,
>
> I want to write a handler to entertain requests coming from an IP, is this the right syntax for this?
>
>     <Handler Realm = alu,NAS-IP-Address=/10\.33\.50\.4/>
>         AuthLog auth_log
>         RewriteUsername s/^([^@]+).*/$1/
>         AuthBy alu_ldap
>     </Handler>
>
> I had tried NAS-IP-Address=10.33.50.4 but it doesn't work
>
> Regards,
> -Manish
Re: [RADIATOR] Syntax for handler
Create a separate Client block (before the one for the network it's contained in, if you already have a Client block for the whole network as well), assign a client-identifier to it and use it in the Handler instead of the NAS-IP-Address.

BR Alex

On 2013-04-15 14:03, Arya, Manish Kumar wrote:
> Hi Alexander,
>
> I have already added this IP in client list with secret.
>
> usually we write handlers for networks which look like
>
>     <Handler NAS-IP-Address=/10\.1\.233\..*/>
>
> but I am not sure what should be the syntax for a single IP like 10.33.50.4
>
> Regards,
> -Manish
>
> From: Alexander Hartmaier alexander.hartma...@t-systems.at
> To: radiator@open.com.au
> Sent: Monday, April 15, 2013 5:25 PM
> Subject: Re: [RADIATOR] Syntax for handler
>
>> Hi Manish,
>>
>> as you have to define the NAS and its RADIUS secret anyway I suggest that you configure a client-identifier for it and use that in your Handler(s); it makes future changes easier because you don't have to search for the IP in your whole config.
>>
>> Best regards, Alex
>>
>> On 2013-04-15 12:56, Arya, Manish Kumar wrote:
>>> Hi,
>>>
>>> I want to write a handler to entertain requests coming from an IP, is this the right syntax for this?
>>>
>>>     <Handler Realm = alu,NAS-IP-Address=/10\.33\.50\.4/>
>>>         AuthLog auth_log
>>>         RewriteUsername s/^([^@]+).*/$1/
>>>         AuthBy alu_ldap
>>>     </Handler>
>>>
>>> I had tried NAS-IP-Address=10.33.50.4 but it doesn't work
>>>
>>> Regards,
>>> -Manish
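The point behind Alex's advice, as an added example that is not part of either post and not Radiator's code: an unanchored pattern such as /10\.33\.50\.4/ is a substring search, so it also selects requests from 10.33.50.40 or 110.33.50.4, and whichever AuthBy sits in that Handler then authenticates a NAS it was never meant for. The Python below models Handler selection by check items in config order (first match wins, which is an assumption about ordering; the "Attr=value" exact and "Attr=/regex/" pattern forms follow the syntax in the thread) and includes a helper that lists what a given pattern would over-match, which is a useful review step for any config that dispatches on NAS addresses. The handler list is constructed.

```python
import re

# Added example, not Radiator's code: a model of Handler selection by check
# items, evaluated in config order with first match winning (assumed). It shows
# why an unanchored /10\.33\.50\.4/ is too loose and why a Client-Identifier
# check is the safer way to single out one NAS. Handlers are constructed.

HANDLERS = [
    ("alu-single-nas-loose",  {"Realm": "alu", "NAS-IP-Address": r"/10\.33\.50\.4/"}),
    ("alu-single-nas-strict", {"Realm": "alu", "NAS-IP-Address": r"/^10\.33\.50\.4$/"}),
    ("alu-by-identifier",     {"Realm": "alu", "Client-Identifier": "alu-nas-1"}),
    ("alu-network",           {"Realm": "alu", "NAS-IP-Address": r"/^10\.1\.233\./"}),
    ("default",               {}),
]


def check_item(spec, value):
    """'/pattern/' is a regex search (Perl semantics approximated with re); anything else is an exact match."""
    if len(spec) >= 2 and spec.startswith("/") and spec.endswith("/"):
        return re.search(spec[1:-1], value) is not None
    return spec == value


def select_handler(request, handlers=HANDLERS):
    """Name of the first handler whose every check item matches the request attributes."""
    for name, checks in handlers:
        if all(check_item(spec, request.get(attr, "")) for attr, spec in checks.items()):
            return name
    return None


def overmatched_by(spec, candidates):
    """Which of the given NAS addresses a check item would also accept."""
    return [addr for addr in candidates if check_item(spec, addr)]


if __name__ == "__main__":
    other_nas = {"Realm": "alu", "NAS-IP-Address": "10.33.50.40", "Client-Identifier": "other-nas"}
    print(select_handler(other_nas))                 # the loose pattern grabs a different NAS
    print(select_handler(other_nas, HANDLERS[1:]))   # without it, the request falls through to default
    print(overmatched_by(r"/10\.33\.50\.4/", ["10.33.50.4", "10.33.50.40", "110.33.50.4", "10.33.50.5"]))
```

A Client-Identifier check is bound to the Client clause that holds the NAS's shared secret, so it cannot be satisfied by an address that merely looks similar; if a regex is unavoidable, anchor it with ^ and $.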
Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
So you prefer to include obsolete entries in the default dictionary instead of making them available in a separate file for backward compat? If someone upgrades Radiator this doesn't mean that he replaces his dictionary file with the one from the installation tarball.

Cheers, Alex

On 2013-03-25 23:04, Hugh Irvine wrote:
> Agreed.
>
> On 26 Mar 2013, at 08:51, Heikki Vatiainen h...@open.com.au wrote:
>> On 03/25/2013 11:21 PM, Hugh Irvine wrote:
>>> I would probably add them to the Cisco-specific file in goodies/dictionary.cisco for those people who want to use them.
>>
>> Or maybe create a new file goodies/dictionary.cisco-vpn? The existing goodies/dictionary.cisco has older definitions too that are no longer in sync with IANA registry.
>>
>>> You really don't want to change what is in the standard dictionary as that would undoubtedly break existing operations.
>>
>> Yes, that could easily. But a file with just vendor 3076 attributes could be easily used when the newer definitions are required. I'll ask this to be included. That was my idea anyway, but I had not done it yet.
>>
>> Thanks,
>> Heikki
Re: [RADIATOR] Radiator - MSSQL 2008
Hi Matt,

both DBD::Sybase and DBD::ODBC with FreeTDS were suggested on the #dbix-class IRC channel where some users connect to MSSQL successfully from Linux. DBD::ODBC requires the Linux ODBC library which is included in the Debian package unixodbc if you run that.

Best regards, Alex

On 2013-03-05 14:55, Matt Brown wrote:
> Hello.
>
> I need to log some accounting data direct into a Windows 2008 MSSQL server, what is available to do this?
>
> Reading the FAQ and searching the mailing list it looks like my options are either FreeTDS, though the version it lists is September 2003, or DBD::Proxy together with DBD::ODBC on your Windows host - but installing 3rd party software on the Windows server is not an option.
>
> Is anyone using FreeTDS, and if so what version is stable? Are there any alternative methods to connect to MSSQL that work and are more up to date?
>
> Thanks.
> Matt.
Re: [RADIATOR] laptop sending out wrong attribute
On 2013-02-28 18:08, Bao Tran wrote:
> Hi everyone,
>
> I'm new to this forum and of course new to Linux :). I have a number of laptops on the new domain but unable to associate to the wireless network. When I try to connect my laptop to our wireless network by entering the username e.g. jsmith, and the password. Looking at the radius log below, my understanding is that the laptop is unable to authenticate because the laptop sent the User-Name attribute to the radius server as host/PC12.domainA.com.au instead of username 'jsmith'.
>
> Is it possible to change that on radius? or I have to create a group policy to change it on the laptop?
>
> Log messages:
>
> Thu Feb 28 17:22:42 2013: DEBUG: Radius::AuthLDAP2 looks for match with host/PC12.domainA.com.au [host/PC12.domainA.com.auu]
> Thu Feb 28 17:22:42 2013: DEBUG: Radius::AuthLDAP2 REJECT: No such user: host/PC12.domainA.com.auu [host/PC12.domainA.com.auu]
> Thu Feb 28 17:22:42 2013: INFO: Access rejected for host/PC12.domainA.com.au: No such user
> Thu Feb 28 17:22:42 2013: DEBUG: Access challenged for host/PC12.domainA.com.au: EAP PEAP inner authentication redispatched to a Handler
> User-Name = host/PC12.domainA.com.au
> Thu Feb 28 17:22:42 2013: DEBUG: Deleting session for host/PC12.domainA.com.au, 192.168.1.1, 2
> Thu Feb 28 17:22:42 2013: INFO: Access rejected for host/PC12.domainA.com.au: PEAP Authentication Failure
>
> Thanks everyone.

It looks like your wireless client is configured wrong when it sends the hostname instead of the username. Which OS is running on the client? How is the wireless and the client configured?

Best regards, Alex
Re: [RADIATOR] EAP-PEAP,EAP-TTLS to Radiator to LDAP
We are using Radiator successfully for wired dot1x with PEAP-TLS and wireless PEAP-TLS and EAP-TLS for years. You can find quite a lot of example configs in the goodies directory, all starting with eap_.

Best regards, Alex

On 2013-02-27 14:34, benson, john wrote:
> I used radiator years ago for a much simpler task than what I have in mind now.
>
> We have a need to authenticate wired clients via Cisco switches using EAP-PEAP and EAP-TTLS to a radius server, where the radius server converts that authentication request into a secure LDAP authentication request to be passed on to our LDAP server which front-ends our Microsoft AD.
>
> We currently use Juniper SBR for similar authentication tasks, however, we've hit a limitation with this particular requirement.
>
> Can someone point me to some additional documentation that confirms or denies radiator's ability to do this?
>
> Regards
> John Benson
Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
On 2013-02-26 22:35, Heikki Vatiainen wrote:
> On 02/26/2013 07:04 PM, Alexander Hartmaier wrote:
>> After some googling I've found the answer to this question [1] asked on this list in 2003 [2]
>>
>> Seems Cisco ASAs, which were called PIX before, were called Altiga before [3]
>>
>> The current dictionary that ships with Radiator has the attributes up to number 137. The names in the Cisco ASA doc have some common attributes but also changed and new ones.
>>
>> I'd replace all Altiga definitions with Cisco-ASA- attributes with their names from the table in [2] and submit it to the list for replacement in the default dictionary, does that sound sane after 13 years?
>
> Since the attributes are in use currently, the updated entries could be shipped at least as a separate dictionary file for those who need to use the latest definitions. I have also seen Altiga attributes used in current Cisco VPN deployments, so I think it would be a good idea to have the current definitions available too.

Yes, Cisco ASAs use the attributes defined in the document I've linked which use the Altiga VSA (3076) and not the Cisco VSA (9). I'd move the legacy Altiga VSAs into a separate dictionary file in the goodies dir and put the current Cisco VSAs in the default dictionary file.

> If you have the entries, it would be good to see them and then consider what would be the best way to include them. If there are conflicting entries, then care would be needed when considering how to add them. Otherwise any users that may have equipment using them would have an unfortunate surprise.
>
> Thanks!
> Heikki

After an hour of typing I came up with this:

VENDORATTR 3076 Cisco-VPN-Access-Hours 1 string
VENDORATTR 3076 Cisco-VPN-Simultaneous-Logins 2 integer
VENDORATTR 3076 Cisco-VPN-Primary-DNS 5 ipaddr
VENDORATTR 3076 Cisco-VPN-Secondary-DNS 6 ipaddr
VENDORATTR 3076 Cisco-VPN-Primary-WINS 7 ipaddr
VENDORATTR 3076 Cisco-VPN-Secondary-WINS 8 ipaddr
VENDORATTR 3076 Cisco-VPN-SEP-Card-Assignment 9 integer
VENDORATTR 3076 Cisco-VPN-Tunneling-Protocols 11 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Sec-Association 12 string
VENDORATTR 3076 Cisco-VPN-IPsec-Authentication 13 string
VENDORATTR 3076 Cisco-VPN-Banner1 15 string
VENDORATTR 3076 Cisco-VPN-IPsec-Allow-Passwd-Store 16 integer
VENDORATTR 3076 Cisco-VPN-Use-Client-Address 17 integer
VENDORATTR 3076 Cisco-VPN-PPTP-Encryption 20 integer
VENDORATTR 3076 Cisco-VPN-L2TP-Encryption 21 integer
VENDORATTR 3076 Cisco-VPN-Group-Policy 25 string
VENDORATTR 3076 Cisco-VPN-IPsec-Split-Tunnel-List 27 string
VENDORATTR 3076 Cisco-VPN-IPsec-Default-Domain 28 string
VENDORATTR 3076 Cisco-VPN-IPsec-Split-DNS-Names 29 string
VENDORATTR 3076 Cisco-VPN-IPsec-Tunnel-Type 30 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Mode-Config 31 integer
VENDORATTR 3076 Cisco-VPN-IPsec-User-Group-Lock 33 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Over-UDP 34 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Over-UDP-Port 35 integer
VENDORATTR 3076 Cisco-VPN-Banner2 36 string
VENDORATTR 3076 Cisco-VPN-PPTP-MPPC-Compression 37 integer
VENDORATTR 3076 Cisco-VPN-L2TP-MPPC-Compression 38 integer
VENDORATTR 3076 Cisco-VPN-IPsec-IP-Compression 39 integer
VENDORATTR 3076 Cisco-VPN-IPsec-IKE-Peer-ID-Check 40 integer
VENDORATTR 3076 Cisco-VPN-IKE-Keep-Alives 41 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Auth-On-Rekey 42 integer
VENDORATTR 3076 Cisco-VPN-Required-Client-Firewall-Vendor-Code 45 integer
VENDORATTR 3076 Cisco-VPN-Required-Client-Firewall-Product-Code 46 integer
VENDORATTR 3076 Cisco-VPN-Required-Client-Firewall-Description 47 string
VENDORATTR 3076 Cisco-VPN-Require-HW-Client-Auth 48 integer
VENDORATTR 3076 Cisco-VPN-Required-Individual-User-Auth 49 integer
VENDORATTR 3076 Cisco-VPN-Authenticated-User-Idle-Timeout 50 integer
VENDORATTR 3076 Cisco-VPN-Cisco-IP-Phone-Bypass 51 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Split-Tunneling-Policy 55 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Required-Client-Firewall-Capability 56 integer
VENDORATTR 3076 Cisco-VPN-IPsec-Client-Firewall-Filter-Name 57 string
[RADIATOR] Fwd: Re: EAP iKev2 support in radiator 3.13
Forgot to reply also to the list.

Original Message
Subject: Re: [RADIATOR] EAP iKev2 support in radiator 3.13
Date: Tue, 26 Feb 2013 13:04:37 +0100
From: Alexander Hartmaier alexander.hartma...@t-systems.at
Organization: T-Systems Austria GesmbH
To: Arya, Manish Kumar m.a...@yahoo.com

Hi Manish,

I suggest you upgrade to the latest version, Radiator is very backward compatible, I can't remember a software upgrade that broke our configs and we're running Radiator since before 2000. Also check the patches if any of the fixes apply to you.

You can find the list of supported EAP types in the reference manual in section 5.20.23 EAPType.

Best regards, Alex

On 2013-02-26 12:59, Arya, Manish Kumar wrote:
> Hi Alex,
>
> So Radiator 3.13 can support EAP? or we should upgrade it?
>
> Regards,
> -Manish
>
> From: Alexander Hartmaier alexander.hartma...@t-systems.at
> To: radiator@open.com.au
> Sent: Tuesday, February 26, 2013 3:56 PM
> Subject: Re: [RADIATOR] EAP iKev2 support in radiator 3.13
>
>> That's because IKEv2 is no EAP method but an IPSec phase 1 standard.
>>
>> Best regards, Alex
>>
>> On 2013-02-26 11:02, Arya, Manish Kumar wrote:
>>> Hi,
>>>
>>> We are currently running Radiator 3.13. I want to confirm if we can use EAP iKev2 with this radius server. if not then does the latest version of radiator support this authentication method?
>>>
>>> Regards,
>>> -Manish
[RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
After some googling I've found the answer to this question [1] asked on this list in 2003 [2]

Seems Cisco ASAs, which were called PIX before, were called Altiga before [3]

The current dictionary that ships with Radiator has the attributes up to number 137. The names in the Cisco ASA doc have some common attributes but also changed and new ones.

I'd replace all Altiga definitions with Cisco-ASA- attributes with their names from the table in [2] and submit it to the list for replacement in the default dictionary, does that sound sane after 13 years?

[1] http://www.open.com.au/pipermail/radiator/2003-October/008053.html
[2] http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1753749
[3] http://www.networkworld.com/news/2000/0119cistiga.html

--
Best regards, Alex
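What the error in the subject line actually means on the wire, as an added example that is not part of this thread and not Radiator's code: the Python below parses VENDORATTR lines in the dictionary syntax used above (the excerpt is a constructed subset of Alex's list), then walks a RADIUS attribute area and unpacks Vendor-Specific attributes (type 26, RFC 2865 section 5.26) with it. A sub-attribute the dictionary does not know, such as number 146 for vendor 3076, is reported as an explicit "not defined" entry rather than silently dropped, and malformed lengths stop the walk instead of looping. The packet bytes are constructed with the encoder in the same block.

```python
import socket
import struct

# Added example, not Radiator's code. Parses VENDORATTR lines of a
# Radiator-style dictionary and decodes RFC 2865 Vendor-Specific (type 26)
# attributes with it, so an attribute the dictionary does not know shows up
# as an explicit "undefined" entry. Dictionary excerpt and packet are constructed.

DICTIONARY = """
VENDORATTR 3076 Cisco-VPN-Access-Hours          1   string
VENDORATTR 3076 Cisco-VPN-Simultaneous-Logins   2   integer
VENDORATTR 3076 Cisco-VPN-Primary-DNS           5   ipaddr
VENDORATTR 3076 Cisco-VPN-Group-Policy          25  string
"""

VSA_TYPE = 26


def parse_dictionary(text):
    """Map (vendor id, attribute number) -> (name, type) from VENDORATTR lines."""
    attrs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 5 and parts[0] == "VENDORATTR":
            attrs[(int(parts[1]), int(parts[3]))] = (parts[2], parts[4])
    return attrs


def decode_value(vtype, raw):
    if vtype == "integer" and len(raw) == 4:
        return struct.unpack("!I", raw)[0]
    if vtype == "ipaddr" and len(raw) == 4:
        return socket.inet_ntoa(raw)
    if vtype == "string":
        return raw.decode("utf-8", errors="replace")
    return raw.hex()   # unknown type or wrong length: keep the bytes visible


def build_vsa(vendor, number, raw):
    """Encode one Vendor-Specific attribute: type 26, length, vendor id, then vendor type/length/value."""
    sub = struct.pack("!BB", number, len(raw) + 2) + raw
    body = struct.pack("!I", vendor) + sub
    return struct.pack("!BB", VSA_TYPE, len(body) + 2) + body


def decode_attributes(data, dictionary):
    """Walk the attribute area of a RADIUS packet; returns [(name, value), ...]."""
    out, pos = [], 0
    while pos + 2 <= len(data):
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            out.append(("malformed", data[pos:].hex()))   # bad length: stop, never loop
            break
        value = data[pos + 2:pos + alen]
        pos += alen
        if atype != VSA_TYPE or len(value) < 6:
            out.append((f"attr-{atype}", value.hex()))
            continue
        vendor = struct.unpack("!I", value[:4])[0]
        vpos = 4
        while vpos + 2 <= len(value):
            vtype, vlen = value[vpos], value[vpos + 1]
            if vlen < 2 or vpos + vlen > len(value):
                out.append(("malformed-vsa", value[vpos:].hex()))
                break
            raw = value[vpos + 2:vpos + vlen]
            vpos += vlen
            entry = dictionary.get((vendor, vtype))
            if entry is None:
                out.append((f"Attribute number {vtype} (vendor {vendor}) is not defined in the dictionary", raw.hex()))
            else:
                out.append((entry[0], decode_value(entry[1], raw)))
    return out


# Constructed attribute area: two known Altiga VSAs and number 146, which the excerpt lacks
SAMPLE_ATTRS = (build_vsa(3076, 25, b"vpn-users")
                + build_vsa(3076, 146, b"\x00\x00\x00\x01")
                + build_vsa(3076, 5, socket.inet_aton("10.0.0.53")))

if __name__ == "__main__":
    for name, value in decode_attributes(SAMPLE_ATTRS, parse_dictionary(DICTIONARY)):
        print(name, "=", value)
```

Loading the fuller dictionary above turns the "not defined" entries for numbers above 137 into named attributes; the decoder itself does not change, which is the argument for shipping the newer definitions as a separate file that can be included when needed.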
Re: [RADIATOR] [RFC] configurable hooks
On 2013-02-07 22:19, Mike McCauley wrote:
> Hello,
>
> On Thursday, February 07, 2013 04:29:56 PM Alexander Hartmaier wrote:
>> On 2013-02-07 16:13, Heikki Vatiainen wrote:
>>> On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
>>>> I've looked into it today and have some questions:
>>>>
>>>> - is it safe to assume that the list of arguments passed to the ChallengeHook in my case is always ($self, $user, $p, $context)? If one arg is missing my added arguments would shift and populate the wrong variables. I was thinking about passing them by name in a hashref as first instead of last argument instead.
>>>
>>> Passing your arguments first would certainly work and would guard against the problems that might come if arguments were added or removed from ChallengeHook. I'd say it's a good idea to put your own arguments first.
>>
>> Will do that, thanks!
>>
>>>> - is it safe to die in hook code or will that tear down the Radiator process? I'm asking because that's the preferred way of doing argument validation, e.g. die 'id missing' unless defined $id;
>>>
>>> It should be safe since hooks are run within eval block and if there are errors, they are caught and ERR with 'Error in $hookname...' is logged.
>>
>> Is that documented somewhere? Couldn't find it in the docs.
>
> The documentation of hook processing has been enlarged to cover this and other topics in the Reference manual for the next release.

Thanks.

> Cheers.

Thanks Mike! Keep up your great work!

>>>> Another note, I've used %D instead of the hardcoded path which works just as well:
>>>>
>>>> StartupHook sub { require "%D/MyHooks.pm"; }
>>>
>>> Based on your other messages, there were issues with this which were then solved. Is everything working for you now?
>>>
>>> Thanks,
>>> Heikki
>>
>> %D doesn't work, but my problem arose when I changed the StartupHook from a single line to multiple lines without terminating them with \. Works now but it would be great if Radiator logged such an error.
>>
>> Cheers, Alex
Re: [RADIATOR] [RFC] configurable hooks
On 2013-02-07 16:13, Heikki Vatiainen wrote:
> On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
>> I've looked into it today and have some questions:
>>
>> - is it safe to assume that the list of arguments passed to the ChallengeHook in my case is always ($self, $user, $p, $context)? If one arg is missing my added arguments would shift and populate the wrong variables. I was thinking about passing them by name in a hashref as first instead of last argument instead.
>
> Passing your arguments first would certainly work and would guard against the problems that might come if arguments were added or removed from ChallengeHook. I'd say it's a good idea to put your own arguments first.

Will do that, thanks!

>> - is it safe to die in hook code or will that tear down the Radiator process? I'm asking because that's the preferred way of doing argument validation, e.g. die 'id missing' unless defined $id;
>
> It should be safe since hooks are run within eval block and if there are errors, they are caught and ERR with 'Error in $hookname...' is logged.

Is that documented somewhere? Couldn't find it in the docs.

>> Another note, I've used %D instead of the hardcoded path which works just as well:
>>
>> StartupHook sub { require "%D/MyHooks.pm"; }
>
> Based on your other messages, there were issues with this which were then solved. Is everything working for you now?
>
> Thanks,
> Heikki

%D doesn't work, but my problem arose when I changed the StartupHook from a single line to multiple lines without terminating them with \. Works now but it would be great if Radiator logged such an error.

Cheers, Alex
Re: [RADIATOR] [RFC] configurable hooks
On 2013-02-05 20:01, Alexander Hartmaier wrote:
> On 2013-02-05 19:39, Alexander Hartmaier wrote:
>> On 2013-01-31 15:31, Heikki Vatiainen wrote:
>>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>>>
>>> How about this:
>>>
>>>     # radiusd config file
>>>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>>>
>>>     <Handler ...>
>>>         # AuthBys
>>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>>>     </Handler>
>>>
>>>     <Handler ...>
>>>         # AuthBys
>>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>>>     </Handler>
>>>
>>> File MyHooks.pm would be something like this:
>>>
>>>     # start of MyHooks.pm
>>>     package MyHooks;
>>>     use strict;
>>>     use warnings;
>>>
>>>     # PostAuthHook
>>>     #
>>>     sub sendSMS {
>>>         my $p = ${$_[0]};      # Request packet
>>>         my $rp = ${$_[1]};     # Response packet
>>>         my $result = $_[2];    # Verdict: success or not
>>>         my $reason = $_[3];    # String that tells reason for a reject
>>>         my $account = $_[4];   # Account name
>>>         my $param = $_[5];     # Some other param
>>>
>>>         # code goes here
>>>     }
>>>
>>>     1;
>>>     # end of MyHooks.pm
>>>
>>>> I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.
>>>
>>> The above keeps the existing PostAuthHook arguments as they are and adds the possibility for static arguments as additional options to existing PostAuthHook options. Would this work for you?
>>>
>>> Thanks, Heikki
>>
>> I've looked into it today and have some questions:
>> - is it safe to assume that the list of arguments passed to the ChallengeHook in my case is always ($self, $user, $p, $context)? If one arg is missing my added arguments would shift and populate the wrong variables. I was thinking about passing them by name in a hashref as first instead of last argument.
>> - is it safe to die in hook code or will that tear down the Radiator process? I'm asking because that's the preferred way of doing argument validation, e.g.
>>
>>     die 'id missing' unless defined $id;
>>
>> Another note, I've used %D instead of the hardcoded path which works just as well:
>>
>>     StartupHook sub { require "%D/MyHooks.pm"; }
>
> I've tested it and found out that it doesn't work:
>
>     Error in ChallengeHook(): Undefined subroutine &Hooks::sendSMS called at (eval 233) line 1.
>
> I've tested my modules with
>
>     perl -e 'require "/etc/radiator/Hooks.pm"; Hooks::sendSMS();'
>
> which works fine. I've also tried replacing %D with /etc/radiator but this also fails. Adding warn's to several places doesn't show up in the radiator log, not even at trace 4. How can I debug that?

Thanks to mst on #perl-help I quickly found out that my StartupHook isn't run at all because I've changed it to multiline without terminating each line with \. Please make Radiator log such an error, currently it's silently ignored!
Re: [RADIATOR] [RFC] configurable hooks
On 2013-01-31 15:31, Heikki Vatiainen wrote:
> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>
> How about this:
>
>     # radiusd config file
>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>
>     <Handler ...>
>         # AuthBys
>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>     </Handler>
>
>     <Handler ...>
>         # AuthBys
>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>     </Handler>
>
> File MyHooks.pm would be something like this:
>
>     # start of MyHooks.pm
>     package MyHooks;
>     use strict;
>     use warnings;
>
>     # PostAuthHook
>     #
>     sub sendSMS {
>         my $p = ${$_[0]};      # Request packet
>         my $rp = ${$_[1]};     # Response packet
>         my $result = $_[2];    # Verdict: success or not
>         my $reason = $_[3];    # String that tells reason for a reject
>         my $account = $_[4];   # Account name
>         my $param = $_[5];     # Some other param
>
>         # code goes here
>     }
>
>     1;
>     # end of MyHooks.pm
>
>> I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.
>
> The above keeps the existing PostAuthHook arguments as they are and adds the possibility for static arguments as additional options to existing PostAuthHook options. Would this work for you?
>
> Thanks, Heikki

I've looked into it today and have some questions:

- is it safe to assume that the list of arguments passed to the ChallengeHook in my case is always ($self, $user, $p, $context)? If one arg is missing my added arguments would shift and populate the wrong variables. I was thinking about passing them by name in a hashref as first instead of last argument.
- is it safe to die in hook code or will that tear down the Radiator process? I'm asking because that's the preferred way of doing argument validation, e.g.

    die 'id missing' unless defined $id;

Another note, I've used %D instead of the hardcoded path which works just as well:

    StartupHook sub { require "%D/MyHooks.pm"; }
Re: [RADIATOR] [RFC] configurable hooks
On 2013-02-05 19:39, Alexander Hartmaier wrote:
> On 2013-01-31 15:31, Heikki Vatiainen wrote:
>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>>
>> How about this:
>>
>>     # radiusd config file
>>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>>
>>     <Handler ...>
>>         # AuthBys
>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>>     </Handler>
>>
>>     <Handler ...>
>>         # AuthBys
>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>>     </Handler>
>>
>> File MyHooks.pm would be something like this:
>>
>>     # start of MyHooks.pm
>>     package MyHooks;
>>     use strict;
>>     use warnings;
>>
>>     # PostAuthHook
>>     #
>>     sub sendSMS {
>>         my $p = ${$_[0]};      # Request packet
>>         my $rp = ${$_[1]};     # Response packet
>>         my $result = $_[2];    # Verdict: success or not
>>         my $reason = $_[3];    # String that tells reason for a reject
>>         my $account = $_[4];   # Account name
>>         my $param = $_[5];     # Some other param
>>
>>         # code goes here
>>     }
>>
>>     1;
>>     # end of MyHooks.pm
>>
>>> I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.
>>
>> The above keeps the existing PostAuthHook arguments as they are and adds the possibility for static arguments as additional options to existing PostAuthHook options. Would this work for you?
>>
>> Thanks, Heikki
>
> I've looked into it today and have some questions:
> - is it safe to assume that the list of arguments passed to the ChallengeHook in my case is always ($self, $user, $p, $context)? If one arg is missing my added arguments would shift and populate the wrong variables. I was thinking about passing them by name in a hashref as first instead of last argument.
> - is it safe to die in hook code or will that tear down the Radiator process? I'm asking because that's the preferred way of doing argument validation, e.g.
>
>     die 'id missing' unless defined $id;
>
> Another note, I've used %D instead of the hardcoded path which works just as well:
>
>     StartupHook sub { require "%D/MyHooks.pm"; }

I've tested it and found out that it doesn't work:

    Error in ChallengeHook(): Undefined subroutine &Hooks::sendSMS called at (eval 233) line 1.

I've tested my modules with

    perl -e 'require "/etc/radiator/Hooks.pm"; Hooks::sendSMS();'

which works fine. I've also tried replacing %D with /etc/radiator but this also fails. Adding warn's to several places doesn't show up in the radiator log, not even at trace 4. How can I debug that?
Re: [RADIATOR] [RFC] configurable hooks
On 2013-02-01 10:08, Hugh Irvine wrote:
> Hello Alex -
>
> The way to do this with GlobalVar's is to use different Identifiers in the Handlers thus:
>
> …..
> DefineFormattedGlobalVar Handler1-param1 whatever
> DefineFormattedGlobalVar Handler1-param2 whatever-else
> DefineFormattedGlobalVar Handler2-param1 something
> DefineFormattedGlobalVar Handler2-param2 something-else
> …..
>
> <Handler …..>
>     Identifier Handler1
>     ……
>     …… %{GlobalVar:%{Handler:Identifier}-param1} …..
>     …… %{GlobalVar:%{Handler:Identifier}-param2} …..
> </Handler>
>
> <Handler …..>
>     Identifier Handler2
>     ……
>     …… %{GlobalVar:%{Handler:Identifier}-param1} …..
>     …… %{GlobalVar:%{Handler:Identifier}-param2} …..
> </Handler>
> …..
>
> Here is an example:
>
> …..
> Radiator-4.11 hugh$ cat global.cfg
> AuthPort 11645
> AcctPort 11646
> LogDir ./logs
> DbDir .
> Trace 4
>
> DefineFormattedGlobalVar Handler1-param1 whatever
> DefineFormattedGlobalVar Handler1-param2 whatever-else
> DefineFormattedGlobalVar Handler2-param1 something
> DefineFormattedGlobalVar Handler2-param2 something-else
>
> <Client localhost>
>     Secret mysecret
> </Client>
>
> <Handler>
>     Identifier Handler1
>     <AuthBy INTERNAL>
>         DefaultResult ACCEPT
>         AddToReply Reply-Message = %{GlobalVar:%{Handler:Identifier}-param1}
>     </AuthBy>
> </Handler>
>
> here is the result:
>
> Radiator-4.11 hugh$ perl radpwtst -auth_port 11645 -noacct -user hugh -password hugh -trace 4
> Fri Feb 1 20:02:16 2013: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Fri Feb 1 20:02:16 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 11645
> Code: Access-Request
> Identifier: 121
> Authentic: 14361369o141% @1482vO15/212
> Attributes:
>     User-Name = "hugh"
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Identifier = "203.63.154.1"
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     User-Password = T142153t137lv193$I1_24914201164
>
> Fri Feb 1 20:02:16 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 51957
> Code: Access-Request
> Identifier: 121
> Authentic: 14361369o141% @1482vO15/212
> Attributes:
>     User-Name = "hugh"
>     Service-Type = Framed-User
>     NAS-IP-Address = 203.63.154.1
>     NAS-Identifier = "203.63.154.1"
>     NAS-Port = 1234
>     Called-Station-Id = "123456789"
>     Calling-Station-Id = "987654321"
>     NAS-Port-Type = Async
>     User-Password = T142153t137lv193$I1_24914201164
>
> Fri Feb 1 20:02:16 2013: DEBUG: Handling request with Handler '', Identifier 'Handler1'
> Fri Feb 1 20:02:16 2013: DEBUG: Deleting session for hugh, 203.63.154.1, 1234
> Fri Feb 1 20:02:16 2013: DEBUG: Handling with AuthINTERNAL:
> Fri Feb 1 20:02:16 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by DefaultResult
> Fri Feb 1 20:02:16 2013: DEBUG: Access accepted for hugh
> Fri Feb 1 20:02:16 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 51957
> Code: Access-Accept
> Identifier: 121
> Authentic: A195P2322z217Fmg15318514916$
> Attributes:
>     Reply-Message = "whatever"
>
> Fri Feb 1 20:02:16 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 11645
> Code: Access-Accept
> Identifier: 121
> Authentic: A195P2322z217Fmg15318514916$
> Attributes:
>     Reply-Message = "whatever"
>
> OK
> …..
>
> You can of course expand the GlobalVar's in your hook code too.

Ah, thanks! I haven't used GlobalVars at all so far. I guess it makes sense if you need the same var more than once which is not the case for me.

Best regards, Alex

> regards
>
> Hugh
>
> On 1 Feb 2013, at 18:46, Alexander Hartmaier wrote:
>> On 2013-01-31 22:58, Hugh Irvine wrote:
>>> Hello Alex -
>>>
>>> You can also use GlobalVar's for static parameters. See section 5.6.23 in the Radiator 4.11 reference manual (doc/ref.pdf). There is an example in goodies/hooks.txt.
>>>
>>> regards
>>>
>>> Hugh
>>>
>>> On 1 Feb 2013, at 01:31, Heikki Vatiainen wrote:
>>>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>>>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>>>>
>>>> How about this:
>>>>
>>>>     # radiusd config file
>>>>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>>>>
>>>>     <Handler ...>
>>>>         # AuthBys
>>>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>>>>     </Handler>
>>>>
>>>>     <Handler ...>
>>>>         # AuthBys
>>>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>>>>     </Handler>
>>>>
>>>> File MyHooks.pm would be something like this:
>>>>
>>>>     # start of MyHooks.pm
>>>>     package MyHooks;
>>>>     use strict;
>>>>     use warnings;
>>>>
>>>>     # PostAuthHook
>>>>     #
>>>>     sub sendSMS {
>>>>         my $p = ${$_[0]};      # Request packet
>>>>         my $rp = ${$_[1]};     # Response packet
>>>>         my $result = $_[2];    # Verdict: success
[RADIATOR] [RFC] configurable hooks
Hi,

we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?

I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] [RFC] configurable hooks
On 2013-01-31 15:31, Heikki Vatiainen wrote:
> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>
> How about this:
>
>     # radiusd config file
>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>
>     <Handler ...>
>         # AuthBys
>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>     </Handler>
>
>     <Handler ...>
>         # AuthBys
>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>     </Handler>
>
> File MyHooks.pm would be something like this:
>
>     # start of MyHooks.pm
>     package MyHooks;
>     use strict;
>     use warnings;
>
>     # PostAuthHook
>     #
>     sub sendSMS {
>         my $p = ${$_[0]};      # Request packet
>         my $rp = ${$_[1]};     # Response packet
>         my $result = $_[2];    # Verdict: success or not
>         my $reason = $_[3];    # String that tells reason for a reject
>         my $account = $_[4];   # Account name
>         my $param = $_[5];     # Some other param
>
>         # code goes here
>     }
>
>     1;
>     # end of MyHooks.pm
>
>> I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.
>
> The above keeps the existing PostAuthHook arguments as they are and adds the possibility for static arguments as additional options to existing PostAuthHook options. Would this work for you?
>
> Thanks, Heikki

I knew you guys have a solution, as always, awesome! That's good enough for what I need and definitely better than putting parameters in Radius attributes to fetch them in the handler. Could you add that example to hooks.txt in the goodies dir?
Re: [RADIATOR] [RFC] configurable hooks
On 2013-01-31 22:58, Hugh Irvine wrote:
> Hello Alex -
>
> You can also use GlobalVar's for static parameters. See section 5.6.23 in the Radiator 4.11 reference manual (doc/ref.pdf). There is an example in goodies/hooks.txt.
>
> regards
>
> Hugh
>
> On 1 Feb 2013, at 01:31, Heikki Vatiainen h...@open.com.au wrote:
>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>> we'd need a way to pass config parameters to hooks to be able to use them in multiple different handlers e.g. sending OTPs by SMS with different accounts. Is there already a way to do this which I've overlooked?
>>
>> How about this:
>>
>>     # radiusd config file
>>     StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>>
>>     <Handler ...>
>>         # AuthBys
>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>>     </Handler>
>>
>>     <Handler ...>
>>         # AuthBys
>>         PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>>     </Handler>
>>
>> File MyHooks.pm would be something like this:
>>
>>     # start of MyHooks.pm
>>     package MyHooks;
>>     use strict;
>>     use warnings;
>>
>>     # PostAuthHook
>>     #
>>     sub sendSMS {
>>         my $p = ${$_[0]};      # Request packet
>>         my $rp = ${$_[1]};     # Response packet
>>         my $result = $_[2];    # Verdict: success or not
>>         my $reason = $_[3];    # String that tells reason for a reject
>>         my $account = $_[4];   # Account name
>>         my $param = $_[5];     # Some other param
>>
>>         # code goes here
>>     }
>>
>>     1;
>>     # end of MyHooks.pm
>>
>>> I'm currently abusing Radius attributes to get those static parameters into the hooks but being able to pass options in the config would make the config much clearer.
>>
>> The above keeps the existing PostAuthHook arguments as they are and adds the possibility for static arguments as additional options to existing PostAuthHook options. Would this work for you?
>>
>> Thanks, Heikki
>>
>> --
>> Heikki Vatiainen h...@open.com.au
>>
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
> --
> Hugh Irvine h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Hi Hugh,

I haven't had time to reply to Heikki's post yesterday, his solution is what I was looking for, thanks! GlobalVars won't help there because I need to use the same handler multiple times in a single Radiator instance with different params.
Re: [RADIATOR] run exe file after accounting stop
Hi Thomas,

the hooks are just regular Perl code so look at perldoc, either on the cli or perldoc.perl.org. You want system [1] but note that the Radiator process will wait for it to exit until it continues processing, which might introduce a performance problem.

[1] http://perldoc.perl.org/functions/system.html

Best regards, Alex

On 2013-01-17 13:32, Thomas KCCG wrote:
> Hello Guys,
>
> What are the hook configuration lines required for running an .exe file after the radiator receives an accounting stop packet from the NAS (cisco ISG). As there are no examples in the radiator documentations, goodies folder or mailing lists archives I really need your help on this.
>
> Thanks
>
> Best Regards,
> Thomas Kurian
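An added example of the hook Thomas asks about, not code from the original posts or from Radiator: it runs an external program only for Accounting-Request packets whose Acct-Status-Type is Stop, passes attribute values as separate argv entries so a crafted User-Name or session id is never interpreted by a shell, and shows both the blocking `system()` Alex refers to and a Unix double-fork variant that returns to radiusd immediately. Assumptions: the hook is wired in as a PostAuthHook with `\$p` as first argument (as in Heikki's example in the configurable-hooks thread; check the reference manual for the hook and argument list of your Radiator version), the method names `code` and `get_attr` on the request object, the program path, and the stand-in request object used when the file is run on its own. The detached variant relies on `fork`/`POSIX::_exit` and is for Unix; on Windows use the blocking variant or a Win32 process module.

```perl
# AcctExec.pm -- added example, not part of Radiator or the original posts.
#
# Assumed radiusd config:
#
#   StartupHook sub { require "/etc/radiator/AcctExec.pm"; }
#   <Handler>
#       ...
#       PostAuthHook sub { AcctExec::on_stop(['/usr/local/bin/notify-stop'], @_); }
#   </Handler>
package AcctExec;
use strict;
use warnings;
use POSIX ();

# Returns the argv list to run, or undef if this is not an Accounting-Stop.
sub build_command {
    my ($cmd, $p) = @_;
    return unless $p->code eq 'Accounting-Request';
    my $status = scalar $p->get_attr('Acct-Status-Type');
    return unless defined $status && $status eq 'Stop';
    # Attribute values become separate argv entries, never a shell string:
    # a User-Name of "bob; rm -rf /" stays one harmless argument.
    my @vals = map { scalar $p->get_attr($_) } qw(User-Name Acct-Session-Id Framed-IP-Address);
    return [ @$cmd, map { defined $_ ? $_ : '' } @vals ];
}

sub on_stop {
    my ($cmd, $p_ref) = @_;                 # $p_ref is \$p, as in the hook examples
    my $argv = build_command($cmd, $$p_ref) or return;
    return run_detached($argv);
}

# Blocking variant: what a plain system() in the hook does. radiusd handles
# no other request until the program exits. The block form forces no shell.
sub run_blocking {
    my ($argv) = @_;
    return system { $argv->[0] } @$argv;
}

# Non-blocking variant (Unix): double fork so the grandchild is reparented to
# init; radiusd only waits for the middle child, which exits at once.
sub run_detached {
    my ($argv) = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        my $gpid = fork();
        POSIX::_exit(1) unless defined $gpid;
        POSIX::_exit(0) if $gpid;            # middle child leaves immediately
        exec { $argv->[0] } @$argv or POSIX::_exit(127);   # grandchild runs the program
    }
    waitpid($pid, 0);                        # reap the middle child, no zombie
    return 1;
}

1;

# Stand-alone check with a constructed request object (run: perl AcctExec.pm).
package main;
unless (caller) {
    package FakeReq;                         # minimal stand-in for Radiator's request object
    sub new      { my ($c, %a) = @_; return bless {%a}, $c }
    sub code     { $_[0]{code} }
    sub get_attr { $_[0]{attrs}{ $_[1] } }
    package main;
    my $stop = FakeReq->new(code => 'Accounting-Request', attrs => {
        'Acct-Status-Type' => 'Stop', 'User-Name' => 'bob; rm -rf /',
        'Acct-Session-Id' => 'abc123', 'Framed-IP-Address' => '10.0.0.5' });
    my $argv = AcctExec::build_command(['/bin/echo', 'stop:'], $stop);
    print "argv: ", join(' | ', @$argv), "\n";
    AcctExec::on_stop(['/bin/echo', 'stop:'], \$stop);     # echo runs detached
    my $start = FakeReq->new(code => 'Accounting-Request', attrs => { 'Acct-Status-Type' => 'Start' });
    print "Start ignored: ", (defined AcctExec::build_command(['/bin/echo'], $start) ? 'no' : 'yes'), "\n";
}
1;
```

The stand-alone run prints the argv with `bob; rm -rf /` as a single element, echoes it from the detached grandchild, and confirms that an Accounting-Start produces no command.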
Re: [RADIATOR] New Error messages
On 2013-01-17 17:31, Michael Hulko wrote:
> Lately I've been seeing these errors daily which were not there prior to the new year:
>
> Jan 8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3, <GEN1> line 699827.
> Jan 8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3, <GEN1> line 352731.
> Jan 8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3, <GEN1> line 354206.
> Jan 8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3, <GEN1> line 356467.
> Jan 8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3, <GEN1> line 358402.
> Jan 9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3, <GEN1> line 371473.
>
> [11:17:45 slogr] grep "Could not load EAP module Radius::EAP" console
> Jan 9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3, <GEN1> line 532256.
>
> can someone shed some light... we are running Radiator version 10

First, there is no version 10, the latest version is 4.11.

The changelog for version 4.8 says:

    - Fixed an issue where truncated EAP-Message requests would cause a log message like "Could not load EAP module Radius::EAP_". This is now logged as "invalid EAP type in EAP request" and rejected. Reported by Daniel Rocha.

So I guess you're running an older version than 4.8. Update and look if the errors are still present.

> Thanks
>
> Michael Hulko
> Network Analyst
> Western University Canada
> Network Operations Centre
> Information Technology Services
> 1393 Western Road, SSB 3300CC
> London, Ontario N6G 1G9
> tel: 519-661-2111 x81390
> e-mail: mihu...@uwo.ca

Best regards, Alexander Hartmaier
Re: [RADIATOR] F5 BigIP vendor specific attributes
Hi Mike,

On 2013-01-10 01:05, Mike McCauley wrote:
> Hello Alexander,
>
> Thanks added to the latest patch set.
>
> Question though: It appears like the values for F5-LTM-User-Role are a bit like HEX bitmasks, but they are presented here as decimal. Any idea which is correct?

No, sorry. I've only copied them from the given vendor website and transformed it to Radiator dictionary format.

> On Wednesday, January 09, 2013 05:08:51 PM Alexander Hartmaier wrote:
>> Hi guys,
>>
>> please add those to the dictionary (taken from http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):
>>
>>     #
>>     # F5 BigIP
>>     #
>>     VENDOR F5 3375
>>     VENDORATTR 3375 F5-LTM-User-Role            1  integer
>>     VENDORATTR 3375 F5-LTM-User-Role-Universal  2  integer   # enable/disable
>>     VENDORATTR 3375 F5-LTM-User-Partition       3  string
>>     VENDORATTR 3375 F5-LTM-User-Console         4  integer   # enable/disable
>>     VENDORATTR 3375 F5-LTM-User-Shell           5  string    # supported values are disable, tmsh, and bpsh
>>     VENDORATTR 3375 F5-LTM-User-Context-1       10 integer
>>     VENDORATTR 3375 F5-LTM-User-Context-2       11 integer
>>     VENDORATTR 3375 F5-LTM-User-Info-1          12 string
>>     VENDORATTR 3375 F5-LTM-User-Info-2          13 string
>>     VALUE F5-LTM-User-Role           Administrator  0
>>     VALUE F5-LTM-User-Role           Resource-Admin 20
>>     VALUE F5-LTM-User-Role           User-Manager   40
>>     VALUE F5-LTM-User-Role           Auditor        80
>>     VALUE F5-LTM-User-Role           Manager        100
>>     VALUE F5-LTM-User-Role           App-Editor     300
>>     VALUE F5-LTM-User-Role           Operator       400
>>     VALUE F5-LTM-User-Role           Guest          700
>>     VALUE F5-LTM-User-Role           Policy-Editor  800
>>     VALUE F5-LTM-User-Role           No-Access      900
>>     VALUE F5-LTM-User-Role-Universal Disabled       0
>>     VALUE F5-LTM-User-Role-Universal Enabled        1
>>     VALUE F5-LTM-User-Console        Disabled       0
>>     VALUE F5-LTM-User-Console        Enabled        1
>>
>> --
>> Best regards, Alexander Hartmaier

--
LG Alex
[RADIATOR] F5 BigIP vendor specific attributes
Hi guys,

please add those to the dictionary (taken from http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):

    #
    # F5 BigIP
    #
    VENDOR F5 3375
    VENDORATTR 3375 F5-LTM-User-Role            1  integer
    VENDORATTR 3375 F5-LTM-User-Role-Universal  2  integer   # enable/disable
    VENDORATTR 3375 F5-LTM-User-Partition       3  string
    VENDORATTR 3375 F5-LTM-User-Console         4  integer   # enable/disable
    VENDORATTR 3375 F5-LTM-User-Shell           5  string    # supported values are disable, tmsh, and bpsh
    VENDORATTR 3375 F5-LTM-User-Context-1       10 integer
    VENDORATTR 3375 F5-LTM-User-Context-2       11 integer
    VENDORATTR 3375 F5-LTM-User-Info-1          12 string
    VENDORATTR 3375 F5-LTM-User-Info-2          13 string
    VALUE F5-LTM-User-Role           Administrator  0
    VALUE F5-LTM-User-Role           Resource-Admin 20
    VALUE F5-LTM-User-Role           User-Manager   40
    VALUE F5-LTM-User-Role           Auditor        80
    VALUE F5-LTM-User-Role           Manager        100
    VALUE F5-LTM-User-Role           App-Editor     300
    VALUE F5-LTM-User-Role           Operator       400
    VALUE F5-LTM-User-Role           Guest          700
    VALUE F5-LTM-User-Role           Policy-Editor  800
    VALUE F5-LTM-User-Role           No-Access      900
    VALUE F5-LTM-User-Role-Universal Disabled       0
    VALUE F5-LTM-User-Role-Universal Enabled        1
    VALUE F5-LTM-User-Console        Disabled       0
    VALUE F5-LTM-User-Console        Enabled        1

--
Best regards, Alexander Hartmaier
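An added example, not from the original post or from Radiator, of what these dictionary lines turn into on the wire: a small parser for the VENDORATTR/VALUE format above, an encoder that builds the RFC 2865 Vendor-Specific attribute (type 26, 4-byte Vendor-Id, vendor type, vendor length, data; integers as 4-byte big-endian) for a reply such as F5-LTM-User-Role = Manager, and the matching decoder. The dictionary text embedded below is a constructed subset of the post's lines. Mike's question in the follow-up thread, whether the role values are decimal or hex, is exactly what this lets you check: encode the VALUE, compare the bytes against a capture of an Access-Accept the BIG-IP accepts, and the dictionary is right or it is not.

```perl
#!/usr/bin/perl
# Added example, not part of Radiator or the original post: Radiator-style
# dictionary lines -> RFC 2865 Vendor-Specific attribute bytes and back.
use strict;
use warnings;

# Constructed subset of the F5 dictionary posted above.
my $DICT = <<'END';
VENDOR F5 3375
VENDORATTR 3375 F5-LTM-User-Role      1 integer
VENDORATTR 3375 F5-LTM-User-Partition 3 string
VENDORATTR 3375 F5-LTM-User-Shell     5 string   # disable, tmsh, bpsh
VALUE F5-LTM-User-Role Administrator 0
VALUE F5-LTM-User-Role Manager       100
VALUE F5-LTM-User-Role Guest         700
END

# Returns { attr => { name => [vendor, type, datatype] }, value => { attr => { name => n } },
#           byid => { "vendor:type" => name } }
sub parse_dict {
    my ($text) = @_;
    my %d = (attr => {}, value => {}, byid => {});
    for my $line (split /\n/, $text) {
        $line =~ s/#.*//;                          # strip trailing comments
        next unless $line =~ /\S/;
        my @f = split ' ', $line;
        if ($f[0] eq 'VENDORATTR') {
            my ($vendor, $name, $type, $dtype) = @f[1 .. 4];
            $d{attr}{$name} = [$vendor, $type, $dtype];
            $d{byid}{"$vendor:$type"} = $name;
        } elsif ($f[0] eq 'VALUE') {
            $d{value}{ $f[1] }{ $f[2] } = $f[3];
        }
    }
    return \%d;
}

# One VSA: type 26 | length | Vendor-Id (4) | vendor type (1) | vendor length (1) | data
sub encode_vsa {
    my ($d, $name, $value) = @_;
    my $def = $d->{attr}{$name} or die "unknown attribute $name";
    my ($vendor, $vtype, $dtype) = @$def;
    my $data;
    if ($dtype eq 'integer') {
        my $n = exists $d->{value}{$name}{$value} ? $d->{value}{$name}{$value} : $value;
        die "non-numeric value '$value' for $name" unless $n =~ /^\d+$/;
        $data = pack 'N', $n;                      # 4-byte big-endian, whatever base the dictionary used
    } else {
        $data = $value;                            # string: raw bytes
        die "$name value too long" if length($data) > 247;
    }
    my $inner = pack('C C', $vtype, 2 + length($data)) . $data;
    return pack('C C N', 26, 6 + length($inner), $vendor) . $inner;
}

# Reverse: returns (name, value); integers are mapped back to VALUE names when known.
sub decode_vsa {
    my ($d, $bytes) = @_;
    my ($type, $len, $vendor, $vtype, $vlen) = unpack 'C C N C C', $bytes;
    die "not a VSA" unless $type == 26 && $len == length($bytes) && $vlen == $len - 6;
    my $data = substr $bytes, 8, $vlen - 2;
    my $name = $d->{byid}{"$vendor:$vtype"} or die "unknown vendor attribute $vendor/$vtype";
    return ($name, $data) unless $d->{attr}{$name}[2] eq 'integer';
    my $n   = unpack 'N', $data;
    my %rev = reverse %{ $d->{value}{$name} || {} };
    return ($name, exists $rev{$n} ? $rev{$n} : $n);
}

unless (caller) {
    my $d = parse_dict($DICT);
    for my $pair (['F5-LTM-User-Role', 'Manager'], ['F5-LTM-User-Partition', 'Common']) {
        my $vsa = encode_vsa($d, @$pair);
        my ($name, $val) = decode_vsa($d, $vsa);
        printf "%-22s = %-8s -> %s -> %s = %s\n", @$pair,
               join(' ', map { sprintf '%02x', $_ } unpack 'C*', $vsa), $name, $val;
    }
}
```

For `F5-LTM-User-Role = Manager` this prints `1a 0c 00 00 0d 2f 01 06 00 00 00 64`: 0x0d2f is vendor 3375, vendor type 1, vendor length 6, and the 4-byte integer 100. If the BIG-IP expected 0x100 instead, that last word would have to read `00 00 01 00`, which is the comparison to make against a capture.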
Re: [RADIATOR] OCSP support
On 2012-12-12 14:30, Heikki Vatiainen wrote:
> On 12/07/2012 11:02 AM, Alexander Hartmaier wrote:
>> does Radiator support OCSP? It might be a better alternative to manually downloading CRLs and restarting Radiator because openssl caches the CRL file.
>
> Hello Alexander.
>
> Radiator does not support OCSP. I checked about the reasons, and there are two main issues: first, Net-SSLeay does not have OCSP support. The second issue is the negative effect the latency and performance are likely to cause. This of course is site specific, but there's still the issue of missing support in the underlying modules.
>
> Thanks, Heikki

Thanks for the explanations Heikki!

--
Best regards, Alexander Hartmaier
[RADIATOR] OCSP support
Hi guys,

does Radiator support OCSP? It might be a better alternative to manually downloading CRLs and restarting Radiator because openssl caches the CRL file.

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] A few tips on performance and high availabilty
Thanks for sharing those best practices with the list!

On 2012-12-03 17:17, Anders Bandholm wrote:
> Hi list!
>
> We have been running Radiator for several purposes for around 5 years, and I would like to share a few tricks that we have learned...
>
> Memcached
>
> Memcached is a distributed cache, with a simple Perl API. We run an instance of memcached on each Radius-server. We use it for several things:
>
> * We use it in a PostAuthHook for rejecting users with too many login failures (to prevent brute-force password guessing)
> * We cache certain SOAP-calls. Since Radiator is single-threaded, fast answers from backends are imperative as you probably know. We use memcached in a defensive way: We always make the SOAP-call first, but with a low timeout (0.1 sec). If the call times out, we use the cache - if not we save the result to the cache.
> * We have started a service for our customers (Danish schools) where they get alerts by email when user up- or download exceeds certain thresholds. This is handled by summing up bytes from accounting records in a PostProcessingHook. The counters for each user are kept in memcached.
>
> It seems to me that memcached is a perfect companion for Radiator! Memcached is of course not a database, and if you shut down one of the memcached instances you will lose part of your cache. But for the purposes above it works very well.
>
> The Perl module is Cache::Memcached. If you run Linux memcached is probably packaged for you - on Debian/Ubuntu you need packages like these: memcached libcache-memcached-perl libmemcached-tools
>
> Two other tricks
>
> 1) We have started using Gearman to make it possible for the main radii to offload certain slow things to other servers. As explained above our radii keep track of user up/downloads through acct-records, and when a certain limit is reached we send email alerts to the relevant admin. But we don't want Radiator itself to send the email - we submit a job through Gearman (Perl: Gearman::Client and Gearman::Worker). This is a very promising technology and I expect we will use it more in the future.

I'd use a local MTA for queuing the mails to simplify things.

> 2) Simple trick - probably used by many of you: We have the client list in an Oracle database, but since the database is sometimes down for maintenance, we generate static file-based client-lists every 10 minutes instead, and reload Radiator when they change. If Oracle is down, Radiator does not suffer. (The 10 minutes interval is overkill for most installations ;-)

The client list is fine from the Oracle database directly because it isn't updated if the db query fails. But for users (AuthBy SQL) we use a local SQLite database which is created from the Oracle database via a Perl script every hour or manually. That has the advantage of being able to switch between it and the Oracle database without reconfiguring Radiator much, just the dsn. Also reloading Radiator isn't required with SQLite.

> Cheers, Anders

--
Best regards, Alex
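Anders' first memcached use, a PostAuthHook that rejects users with too many login failures, as an added example; this is not code from the original post or from Radiator. The failure counter is kept in memcached with the window as the key's expiry, created with the atomic `add` so that several radiusd instances sharing one memcached cannot both create it, and then bumped with `incr`. Assumptions: the key prefix, the limit and window, the `decide` glue (how its result is turned into a reject depends on the hook argument list of your Radiator version, so it is kept as a plain return value), and the `FakeMemcached` stand-in that implements the four `Cache::Memcached` methods used (`add`, `incr`, `get`, `delete`) in memory so the file runs without a memcached server. With a real server, pass `Cache::Memcached->new({ servers => ['127.0.0.1:11211'] })` as `cache`.

```perl
# Throttle.pm -- added example, not from the original post or from Radiator.
# Counts failed logins per user in memcached and tells the hook when to reject.
package Throttle;
use strict;
use warnings;

sub new {
    my ($class, %a) = @_;
    return bless {
        cache  => $a{cache},                 # Cache::Memcached or any object with add/incr/get/delete
        limit  => $a{limit}  || 5,           # failures allowed ...
        window => $a{window} || 300,         # ... within this many seconds (key expiry)
        prefix => $a{prefix} || 'authfail:', # assumed key prefix
    }, $class;
}

sub _key { my ($self, $user) = @_; return $self->{prefix} . lc $user; }

# Record one failure and return the new count. add() only succeeds if the key
# does not exist, so the first failure starts the window; later ones incr().
sub record_failure {
    my ($self, $user) = @_;
    my $key = $self->_key($user);
    return 1 if $self->{cache}->add($key, 1, $self->{window});
    my $n = $self->{cache}->incr($key, 1);
    return $n if defined $n;
    $self->{cache}->add($key, 1, $self->{window});   # key expired between add() and incr()
    return 1;
}

sub is_blocked {
    my ($self, $user) = @_;
    my $n = $self->{cache}->get($self->_key($user));
    return defined $n && $n >= $self->{limit};
}

sub clear { my ($self, $user) = @_; $self->{cache}->delete($self->_key($user)); }

# Hook decision: $rejected is whether the AuthBys rejected the request.
# Returns 'REJECT' when the hook should turn an accept into a reject.
sub decide {
    my ($self, $user, $rejected) = @_;
    if ($rejected) { $self->record_failure($user); return 'REJECT'; }
    return 'REJECT' if $self->is_blocked($user);     # right password, but still locked out
    $self->clear($user);                             # success resets the counter
    return 'ACCEPT';
}

1;

# Constructed in-process stand-in for memcached so this file runs offline.
package FakeMemcached;
sub new   { return bless { d => {} }, shift }
sub _live { my ($s, $k) = @_; my $e = $s->{d}{$k}; return ($e && $e->[1] > time()) ? $e : undef; }
sub add   { my ($s, $k, $v, $exp) = @_; return 0 if $s->_live($k); $s->{d}{$k} = [$v, time() + ($exp || 86400)]; return 1; }
sub incr  { my ($s, $k, $by) = @_; my $e = $s->_live($k) or return undef; $e->[0] += $by; return $e->[0]; }
sub get   { my ($s, $k) = @_; my $e = $s->_live($k); return $e ? $e->[0] : undef; }
sub delete { my ($s, $k) = @_; CORE::delete $s->{d}{$k}; }

package main;
unless (caller) {
    my $t = Throttle->new(cache => FakeMemcached->new, limit => 3, window => 60);
    print "attempt $_ (bad password): ", $t->decide('alice', 1), "\n" for 1 .. 3;
    print "good password while locked: ", $t->decide('alice', 0), "\n";   # REJECT
    $t->clear('alice');                                                    # or wait for the window to expire
    print "good password after clear:  ", $t->decide('alice', 0), "\n";   # ACCEPT
}
1;
```

Keying on the user name alone lets an attacker lock a known account out; keying on `Calling-Station-Id` alone lets them rotate sources. In practice both counters are kept and either one blocks, which is a one-line change in `_key`.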
Re: [RADIATOR] tacacs+ and command auth
Hi Murat,

yes, Radiator supports TACACS+ and command authorization. It converts all TACACS+ requests to RADIUS requests internally so you can handle them like RADIUS requests. The authorization is handled by an AuthGroup RADIUS attribute that controls in which group a user is. Look at the configuration options in the Radiator reference manual.

Best regards,
Alexander Hartmaier
Network Security Engineer
T-Systems Austria GesmbH

On 2012-11-07 08:58, Murat Bilal wrote:
> Hi all,
>
> I wonder if Radiator supports the TACACS+ protocol and command authorization. If so, can I install this scenario on a 2-node Linux (Ubuntu) MySQL cluster?
>
> Thanks
>
> Murat Bilal
> Services Engineer
> Ericsson Turkey CU Customer Support
> Cyber Plaza C Blok Kat:1 No:146 Cyberpark 6800 Bilkent/Ankara
> Mobile 90 554 898 98 43
> murat.bi...@ericsson.com
> www.ericsson.com
>
> This Communication is Confidential. We only send and receive email on the basis of the terms set out at www.ericsson.com/email_disclaimer
Re: [RADIATOR] LDAPS connection problem
On 2012-10-23 23:11, Heikki Vatiainen wrote:
> On 10/23/2012 12:29 PM, Alexander Hartmaier wrote:
>> In the meantime I've upgraded Net::SSLeay from version 1.32 to CPAN's current 1.49 on this RHEL4 box, which seems to have fixed the problem. I'll get back to you if the problem occurs again.
>>
>> The problem still persists. Is such an issue known to you for RHEL4 maybe?
>
> I am not aware of connect timeout problems with any OS/LDAP module version. Also, I noticed you have upgraded Net::SSLeay, but LDAPS uses IO::Socket::SSL too, so you could consider upgrading it if you want to make sure all modules are up to date.

Thanks, I've upgraded IO::Socket::SSL from 1.13 to 1.77 and a bunch of other modules and will test again.

> I took a look at what Net::LDAPS::new() does. It loops through all the hosts it is given and uses the Timeout value for each host individually. In other words, 'Timeout 3' applies per host as opposed to both hosts in your case.
>
> Are you still using a single AuthBy LDAP2 or are you experiencing connect problems when there's just one Host in AuthBy LDAP2?

I still use one AuthBy LDAP2 with two hosts. When you look at the log lines it can't be a timeout issue:

    Tue Oct 23 11:37:44 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
    Tue Oct 23 11:37:44 2012: ERR: Could not open LDAP connection to 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.

> Thanks,
> Heikki
Re: [RADIATOR] LDAPS connection problem
On 2012-10-19 11:39, Alexander Hartmaier wrote:
> On 2012-10-19 11:01, Heikki Vatiainen wrote:
>> [...]
>> Thanks,
>> Heikki
>
> Thanks for the explanation, can you add this to the manual in all places where multiple servers can be configured?
>
> In the meantime I've upgraded Net::SSLeay from version 1.32 to CPAN's current 1.49 on this RHEL4 box, which seems to have fixed the problem. I'll get back to you if the problem occurs again.

The problem still persists. Is such an issue known to you for RHEL4 maybe?

--
Best regards,
Alexander Hartmaier
Re: [RADIATOR] LDAPS connection problem
On 2012-10-19 11:01, Heikki Vatiainen wrote:
> On 10/18/2012 06:33 PM, Alexander Hartmaier wrote:
>> I've upgraded the radiator servers from 4.8 to 4.10 with current patches in hope of a fix, but it still shows the same behaviour.
>>
>> Sometimes it works:
>>
>>     Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>>     Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server 10.1.2.1 10.1.2.2:636
>>
>> Sometimes it doesn't:
>>
>>     Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>>     Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
>>
>> BTW the debug output is really puzzling when you configure more than one server/IP address and should be changed to only show the server/IP that's used to try the connection!
>
> The reference manual talks briefly about this:
>
>     ... Multiple space separated host names can be specified and Net::LDAP will choose the first available one. ...
>
> What happens is radiusd passes all hosts to Net::LDAP, which then uses its own methods for trying to contact the hosts. For this reason the log entry sort of makes sense.
>
> In other words, specifying multiple names or addresses for Host can be useful, but it takes some of the control away from radiusd. If you want full control for contacting LDAP servers, you can specify two AuthBy LDAP2 clauses, both with just a single Host. When there's a connection or query problem, the AuthBy will return IGNORE and the default AuthByPolicy (ContinueWhileIgnore) will then switch to the next AuthBy. AuthBy LDAP2 also supports FailureBackoffTime. In case of error, the failed AuthBy LDAP2 clause will be left alone to recover for the specified time.
>
>> That's our config:
>>
>>     <AuthBy LDAP2>
>>         # Save time by never looking for a default
>>         NoDefault
>>         Host 10.1.2.1 10.1.2.2
>>         Port 636
>
> Here Net::LDAP will take care of retrying, timeouts etc. until all hosts have been tried.
>
> Thanks,
> Heikki

Thanks for the explanation, can you add this to the manual in all places where multiple servers can be configured?

In the meantime I've upgraded Net::SSLeay from version 1.32 to CPAN's current 1.49 on this RHEL4 box, which seems to have fixed the problem. I'll get back to you if the problem occurs again.

--
Best regards,
Alexander Hartmaier
[RADIATOR] LDAPS connection problem
We're having problems with an LDAPS connection to two Windows domain controllers. An ldapsearch on the CLI works every time, the Radiator connection only sometimes. I've upgraded the radiator servers from 4.8 to 4.10 with current patches in hope of a fix, but it still shows the same behaviour.

Sometimes it works:

    Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
    Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server 10.1.2.1 10.1.2.2:636

Sometimes it doesn't:

    Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
    Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.

BTW the debug output is really puzzling when you configure more than one server/IP address and should be changed to only show the server/IP that's used to try the connection!

That's our config:

    <AuthBy LDAP2>
        # Save time by never looking for a default
        NoDefault
        Host 10.1.2.1 10.1.2.2
        Port 636
        Version 3
        # request timeout in seconds
        Timeout 3
        # don't try to reach the ldap for this amount of seconds after failure
        FailureBackoffTime 5
        # persistent connection doesn't work with M$ AD
        # HoldServerConnection
        UnbindAfterServerChecksPassword
        ## Enable SSL
        UseSSL
        ## Enable TLS
        # UseTLS
        ## Name of the client certificate file:
        SSLCAClientCert %D/certificates/radius.fqdn.pem
        ## Name of the file containing the client private key
        SSLCAClientKey %D/certificates/radius.fqdn.key
        SSLCAFile %D/certificates/ad.pem
        ## Require ldap server certificate
        #SSLVerify require
        # LDAP access
        AuthDN CN=foo,OU=bar,DC=fqdn,DC=at
        AuthPassword foo
        # Start looking here
        BaseDN OU=bar,DC=fqdn,DC=at
        # base, single, subtree
        Scope subtree
        UsernameAttr samaccountname
        # don't check the password, just for phone number lookup
        PasswordAttr
        # store the users mobile phone number in the Callback-Number radius attribute
        AuthAttrDef mobile,Callback-Number,request
    </AuthBy>

--
Best regards,
Alexander Hartmaier
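Heikki's explanation in this thread is that Net::LDAP takes the whole "10.1.2.1 10.1.2.2" list and applies Timeout per host, so radiusd cannot log which host failed. The script below is an added example for this page, not code from the thread or from Radiator: it probes each host on its own with the same 3-second timeout so the log names the failing host, and it does the first-available selection that Net::LDAP performs internally. It also turns on server certificate verification; in the posted config `SSLVerify require` is commented out, so the bind password travels to whatever presents a certificate on port 636. Host addresses and the AuthDN are taken from the posted config; the CA file path and the LDAP_BIND_PW environment variable are assumptions.

```perl
#!/usr/bin/perl
# Added example, not from the thread: probe each LDAPS host separately with
# its own connect timeout so a failure names the host that failed instead of
# "10.1.2.1 10.1.2.2:636".  Hosts and AuthDN come from the posted config; the
# CA file path and LDAP_BIND_PW are assumptions.
use strict;
use warnings;
use Net::LDAP;
use Time::HiRes qw(time);

my @HOSTS   = ('10.1.2.1', '10.1.2.2');
my $PORT    = 636;
my $TIMEOUT = 3;                                   # seconds, applied per host
my $CAFILE  = '/etc/radiator/certificates/ad.pem'; # assumed path
my $AUTHDN  = 'CN=foo,OU=bar,DC=fqdn,DC=at';
my $AUTHPW  = $ENV{LDAP_BIND_PW};
die "set LDAP_BIND_PW in the environment\n" unless defined $AUTHPW;

# Connect and bind to one host.  Returns { host, ok, elapsed, error }.
sub probe_host {
    my ($host) = @_;
    my $t0 = time;
    my $ldap = Net::LDAP->new(
        $host,
        port    => $PORT,
        scheme  => 'ldaps',
        timeout => $TIMEOUT,
        version => 3,
        # Equivalent of "SSLVerify require": refuse a server whose certificate
        # does not chain to $CAFILE.  With verification off, anyone on the path
        # can terminate the TLS session and collect the AuthDN password.
        verify  => 'require',
        cafile  => $CAFILE,
    );
    unless ($ldap) {
        # Net::LDAP->new leaves the reason in $@ on failure
        return { host => $host, ok => 0, elapsed => time - $t0, error => "connect: $@" };
    }
    my $mesg = $ldap->bind($AUTHDN, password => $AUTHPW);
    my $r = {
        host    => $host,
        ok      => $mesg->code ? 0 : 1,
        elapsed => time - $t0,
        error   => $mesg->code ? 'bind: ' . $mesg->error : '',
    };
    $ldap->unbind;
    return $r;
}

# Try the hosts in order and stop at the first that works, which is what
# Net::LDAP does when given "host1 host2", but report every failure by host.
sub first_available {
    my @hosts = @_;
    for my $h (@hosts) {
        my $r = probe_host($h);
        printf "%s:%d %s in %.2fs%s\n", $r->{host}, $PORT,
            $r->{ok} ? 'OK' : 'FAILED', $r->{elapsed},
            $r->{ok} ? '' : " ($r->{error})";
        return $r->{host} if $r->{ok};
    }
    return undef;
}

my $winner = first_available(@HOSTS);
print defined $winner ? "using $winner\n" : "no LDAP host reachable\n";
exit(defined $winner ? 0 : 1);
```

Running this from cron beside radiusd gives a per-host history that the combined "Connecting to 10.1.2.1 10.1.2.2:636" log line cannot; if one domain controller is consistently the one that fails, Heikki's suggestion of two AuthBy LDAP2 clauses with one Host each lets FailureBackoffTime isolate it.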
[RADIATOR] webserver serving tgz files as text/html
Hi,

I have experienced that problem for years and finally took the time to look into it. Radiator-4.10.tgz and patches-4.10.tar.gz are both served with an incorrect Content-Type, which leads to Firefox saving the file decompressed due to the set Content-Encoding: gzip. Radiator-4.10.tgz is served as text/html, patches-4.10.tar.gz as text/plain. It seems the MIME types for both extensions are missing or configured wrong.

--
Best regards,
Alexander Hartmaier
Re: [RADIATOR] Digest::SHA
Good move, thanks Mike!

BR Alex

On 2012-06-16 00:14, Mike McCauley wrote:
> Hi All,
>
> Until now, Radiator and other products in the family used a mixture of Digest::SHA and Digest::SHA1, sometimes optionally and sometimes absolutely. We recently issued patches for Radiator and friends to always use Digest::SHA instead of Digest::SHA1.
>
> We think this will make installation easier for most implementers: Digest::SHA has more features, and is now included standard with modern Perl distros. By comparison, Digest::SHA1 is now not readily available for some Linux distros. So we have elected to use _only_ Digest::SHA, and it will now be an absolute prerequisite (not an optional one).
>
> These changes are in the latest patch set and will be in the next release 4.10, due out soon.
Re: [RADIATOR] Radiator evaluation - Authenticate, Authorize LDAP users through Radius server to Network Switch
Hi Pramod,

check out the various ldap*.cfg config files in the goodies directory as a starting point. Radiator connects on the first use, not on startup. You can also use the radpwtst utility to test your Radiator config, so be sure it's OK before configuring the switch. Also enable trace level 4 to see what RADIUS attributes the switch sends.

Best regards,
Alex

On 2012-05-30 08:35, Pramod Kulkarni wrote:
> Hello,
>
> 1) I wanted to know how you authenticate and authorize LDAP server users through Radiator for a network switch.
>
> 2) How do you map Radiator attributes to the LDAP attributes?
>
> - I tried configuring LDAP in the radius.config and tried to run C:\perl\bin\radiusd to test whether Radiator is listening to the LDAP server; nothing is working for me.
> - I have configured a VSA for Ruggedcom in the dictionary of C:\Radiator. How do I map this attribute to Radiator, and in turn to the LDAP server for authorization?
>
>     # VSAs for Ruggedcom
>     VENDOR Ruggedcom 15004
>     VENDORATTR 15004 RuggedCom-Privilege-level 2 string
>
> In the radius.cfg I have mapped LDAP attributes checkAttr and replyattr as below, LDAP attributes and Radiator attributes (taken from radiator-ldap.schema):
>
>     AuthAttrDef oscRadiusIdentifier, RuggedCom-Privilege-level,reply
>
> How and where do I map the Radiator attributes to LDAP server attributes in the Radiator directory? How do I restart the RADIUS server with the new configuration? Let me know if I can configure the switch as mentioned above through Radiator; if possible provide a specific example.
>
> Waiting for your inputs.
>
> Thanks and Regards,
> Pramod Kulkarni
> ABB Global Industries and Services Limited
> Whitefield Road 560048, Bangalore, Karnataka, INDIA
> Phone: 91 80 67579950 Mobile: 919663733663 email: pramod.kulka...@in.abb.com
Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
Thanks for the info Mike!

Do you know which devices support it? We're mainly interested in Cisco gear.

Best regards,
Alex

On 2012-05-29 22:46, Mike McCauley wrote:
> RadSec is now an official RFC.
>
> -- Forwarded Message --
> Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
> Date: Tuesday, May 29, 2012, 09:38:40 AM
> From: rfc-edi...@rfc-editor.org
> To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
> CC: rad...@ietf.org, rfc-edi...@rfc-editor.org
>
> A new Request for Comments is now available in online RFC libraries.
>
> RFC 6614
> Title: Transport Layer Security (TLS) Encryption for RADIUS
> Author: S. Winter, M. McCauley, S. Venaas, K. Wierenga
> Status: Experimental
> Stream: IETF
> Date: May 2012
> Mailbox: stefan.win...@restena.lu, mi...@open.com.au, s...@cisco.com, kl...@cisco.com
> Pages: 22
> Characters: 48004
> Updates/Obsoletes/SeeAlso: None
> I-D Tag: draft-ietf-radext-radsec-12.txt
> URL: http://www.rfc-editor.org/rfc/rfc6614.txt
>
> This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]
>
> This document is a product of the RADIUS EXTensions Working Group of the IETF.
>
> EXPERIMENTAL: This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see
> http://www.ietf.org/mailman/listinfo/ietf-announce
> http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html. For downloading RFCs, see http://www.rfc-editor.org/rfc.html.
>
> Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.
>
> The RFC Editor Team
> Association Management Solutions, LLC
Re: [RADIATOR] TLS Session Resumption does not work on Windows Server 2008 R2 64-bit.
Note that Perl 5.12 is no longer supported because 5.16 came out yesterday. The Perl community currently recommends using Strawberry Perl for Windows: http://strawberryperl.com

Best regards,
Alex

On 2012-05-21 20:08, Heikki Vatiainen wrote:
> On 05/18/2012 05:35 PM, Johnson, Neil M wrote:
>> We are using ActiveState Perl 5.12.2 Build 1202 (64-bit). We are using your build of Net-SSLeay (1.36.0.1). The client I'm testing with is a Dell Latitude D620 with Windows 7.
>>
>> The server that seems to be working is running ActiveState Perl 5.12.2 (Build 1202) (32-bit) and Net-SSLeay 1.36.0.1 also. So it's either a Windows Server 2003 to 2008 issue or a 32-bit to 64-bit issue.
>
> Ok, thanks for the information. I'll give 2008R2 with Perl 5.12.4 a try and see how it works with 32bit and 64bit Perl.
>
> Heikki
Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE
EAP and OTP also require pinning, which I personally would always use.

On 2012-05-10 16:56, James wrote:
> I've done it -- currently in production serving an environment with over 80,000 users. No issues. If you're load balancing TACACS+ you should enable stickiness so that the session remains pinned to one Radiator server. If load balancing simple RADIUS, just do a simple serverfarm and load balance with a least connections or round robin LB algorithm.
>
> Hope this helps.
>
> -james
>
> On Thu, May 10, 2012 at 5:15 AM, Janssen, G.H.C. (Gaston) g.jans...@uci.ru.nl wrote:
>> Hi,
>>
>> We'd like to load balance RADIUS requests over several RADIATOR servers. Therefore we will use an external hardware load balancer: a Cisco ACE (service module). Is there anyone who has experience with this kind of combination, i.e. RADIATOR and Cisco ACE? Any (white) papers on this subject are welcome, and so are any ACE configuration examples. We are particularly interested in field experiences in the combination Cisco ACE / RADIATOR. (We have already taken notice of the Cisco configuration guide "Configuring RADIUS Load Balancing", which in general describes it, but is not product specific (in this case RADIATOR) :)
>>
>> Regards,
>> Gaston

--
Cheers,
Alex
Re: [RADIATOR] Radiator
Hi Sudhir,

please use meaningful subjects for your mails! 'Radiator' for a mail to the Radiator mailing list makes no sense and makes finding useful questions and answers later hard.

Thanks!

On 2012-03-31 14:28, Sudhir Harwalkar wrote:
> Hi Heikki,
>
> As I want to verify the security feature PEAPv1, which uses GTC as inner authentication, but I haven't found a separate config file for PEAPv1. So please respond to me which config file needs to be used for PEAPv1.
>
> Thanks
> Sudhir H
>
> Larsen & Toubro Limited
> www.larsentoubro.com
>
> This Email may contain confidential or privileged information for the intended recipient(s). If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.
Re: [RADIATOR] CRL reload error
Hi Heikki,

On 2012-03-22 17:16, Heikki Vatiainen wrote:
> On 03/21/2012 12:11 PM, Alexander Hartmaier wrote:
>> Now that our dot1x and WLAN Radiator needs to check three different CRLs I've looked into a better solution for refreshing them. While reading Radius::TLS I've stumbled over the method reloadCrls, which claims to reload the CRL if the timestamp changes. Has this ever worked?
>
> I asked about this, and this is the current situation: The code in Radiator works and is enabled (if so configured) by default. So the code for checking CRLs is there without modifications to Radiator sources. If the check really happens as expected depends on the OpenSSL library. There is a patch for a 0.9.? version, but it doesn't work in 1.0. It could be that some distributions have applied the patch themselves, so the situation is not very clear. There are a couple of entries in the OpenSSL request tracker, but it does not look like they have been processed. You could try to see if it works on your system.

I didn't find anything regarding autoloading of the CRL in the OpenSSL changelog, so the patch must still not be mainline. We're using Debian Squeeze (6) on the server with openssl from the testing tree to get OpenSSL 1.0.0, which is now at version 1.0.0h.

Is OCSP an option instead of a CRL? Can Radiator use OCSP?

>> In the contextInit method you've put a note:
>>
>>     # REVISIT: what if a CRL changes while we are running?
>
> Hmm, that might be a little older comment, I'll check that too.
>
>> I'm trying to restart Radiator as rarely as possible to not terminate an ongoing EAP communication, but the CRLs all have different expiration dates (two have a lifetime of a day, the third of a week, which will probably also be changed to a day or less).
>
> That's very understandable.
>
> Heikki

Best regards,
Alex
Re: [RADIATOR] CRL reload error
Now that our dot1x and WLAN Radiator needs to check three different CRLs I've looked into a better solution for refreshing them. While reading Radius::TLS I've stumbled over the method reloadCrls, which claims to reload the CRL if the timestamp changes. Has this ever worked?

In the contextInit method you've put a note:

    # REVISIT: what if a CRL changes while we are running?

I'm trying to restart Radiator as rarely as possible to not terminate an ongoing EAP communication, but the CRLs all have different expiration dates (two have a lifetime of a day, the third of a week, which will probably also be changed to a day or less).

Best regards,
Alex
[RADIATOR] missing request attributes with TunnelledByPEAP
Hi,

we're doing PEAP-TLS for our WLANs and need to have different settings per SSID. The outer PEAP packet includes the Called-Station-Id attribute in the form of 01-23-45-67-89-0a:SSID, which I match using:

    <Handler Client-Identifier=wlancontroller, EAP-Message=/.+/, Called-Station-Id=/:SSID$/>

The inner TLS packet is matched by

    <Handler Client-Identifier=wlancontroller, TunnelledByPEAP=1>

but in case we want to have multiple SSIDs using PEAP-something we can't distinguish the inner request, because the Called-Station-Id isn't included in the inner request. Is there an option for which attributes get copied to the inner request packet?

Thanks!

--
Cheers,
Alex
Re: [RADIATOR] iOS5 and untrusted/not verified EAP certificates
Hi Mike,

does iOS 5.1 finally support PEAP-TLS?

Best regards,
Alex

On 2012-02-09 14:08, Mike Puchol wrote:
> Hi all,
>
> I'm testing EAP-PEAP with an iPad running iOS 5.1, and even though I'm using an SSL certificate from Digicert, signed using SHA-1, and Digicert being on the list of trusted CAs by iOS (I even checked the serial number, which is good), I get the following on the iPad's debug console:
>
>     Feb 9 14:02:08 Mikes-iPad kernel[0] Debug: AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK, index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
>     Feb 9 14:02:08 Mikes-iPad eapolclient[149] Notice: peap_verify_server: server certificate not trusted, status 3 0
>     Feb 9 14:02:08 Mikes-iPad Preferences[93] Warning: -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User Information required
>     Feb 9 14:02:10 Mikes-iPad eapolclient[149] Notice: peap_verify_server: server certificate not trusted, status 3 0
>     Feb 9 14:02:16 Mikes-iPad eapolclient[149] Notice: peap_verify_server: server certificate not trusted, status 3 0
>
> The iPad then shows up an "Add certificate" dialog, but with a big red button and the text "Not verified". My guess is that it's trying to check a CRL, but of course, being still offline, this cannot be done.
>
> Has anyone successfully connected an iOS5 device using EAP without bad certificate warnings? As clarification, I'm not using provisioning profiles, so the iPad doesn't know the network when it first connects to it.
>
> Cheers,
> Mike
Re: [RADIATOR] CRL reload error
Hi,

I've encountered another problem. I've written a bash script that downloads the CRL once a day at one o'clock in the morning local time and restarts Radiator afterwards because of the OpenSSL CRL caching. The CRL lifetime ends about 30 minutes later and Radiator rejects all auths after that time because the CRL isn't up to date any more.

Do you have a solution for downloading the CRL in sync with its lifetime?

Best regards,
Alex
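Both CRL messages in this thread describe the same failure mode: the CRL is fetched on a fixed schedule (once a day at 01:00) while its nextUpdate falls half an hour later, so Radiator spends most of the day with an expired CRL and rejects everything. The script below is an added example written for this page, not Alex's bash script or Radiator code. It reads nextUpdate out of the installed CRL with the openssl command line, fetches a new one only when less than a margin remains, converts DER (what Windows CAs usually publish) to the PEM form Radiator's CRLFile expects, refuses to install a download that is not a CRL or is already past nextUpdate, and sends radiusd a HUP so OpenSSL loads the new file. It can run from cron every few minutes and is idle while the CRL is fresh. The URL, file paths, pidfile and 30-minute margin are assumptions. OpenSSL checks the CRL signature against the issuing CA when it loads the file, so only freshness is checked here.

```perl
#!/usr/bin/perl
# Added example, not from the thread: refresh a CRL shortly before its
# nextUpdate instead of at a fixed hour, then HUP radiusd so the new file is
# loaded.  Run from cron every few minutes.  URL, paths, pidfile and the
# margin are assumptions; the CRL signature is verified by OpenSSL at load.
use strict;
use warnings;
use LWP::UserAgent;
use Date::Parse qw(str2time);
use File::Copy qw(move);

my $CRL_URL  = 'http://pki.example.com/ca.crl';       # assumed
my $CRL_FILE = '/etc/radiator/certificates/ca.crl';   # PEM, as CRLFile expects
my $PIDFILE  = '/var/run/radiusd.pid';                # assumed
my $MARGIN   = 30 * 60;                               # refresh this long before nextUpdate

# Epoch seconds of the CRL's nextUpdate, or undef if the file is not a CRL in
# the given encoding ('PEM' or 'DER').
sub crl_next_update {
    my ($file, $inform) = @_;
    my $out = qx(openssl crl -inform $inform -noout -nextupdate -in \Q$file\E 2>/dev/null);
    return undef unless defined $out && $out =~ /^nextUpdate=(.+)$/m;
    return str2time($1);                 # e.g. "Mar 23 01:30:00 2012 GMT"
}

# Fetch when the file is missing, unreadable as a CRL, or about to expire.
sub needs_refresh {
    my ($file, $now) = @_;
    return 1 unless -f $file;
    my $nu = crl_next_update($file, 'PEM');
    return 1 unless defined $nu;
    return ($nu - $now) < $MARGIN ? 1 : 0;
}

# Download, normalise to PEM, sanity-check, install atomically.  Returns the
# new nextUpdate epoch; dies (leaving the old CRL in place) on any problem.
sub fetch_crl {
    my ($url, $dest) = @_;
    my $ua  = LWP::UserAgent->new(timeout => 20);
    my $res = $ua->get($url);
    die 'fetch failed: ' . $res->status_line . "\n" unless $res->is_success;

    my $tmp = "$dest.tmp.$$";
    open my $fh, '>', $tmp or die "$tmp: $!\n";
    binmode $fh;
    print {$fh} $res->content;
    close $fh or die "$tmp: $!\n";

    # A PEM CRL starts with the BEGIN line; anything else is treated as DER.
    if ($res->content !~ /^-----BEGIN X509 CRL-----/) {
        system('openssl', 'crl', '-inform', 'DER', '-in', $tmp,
               '-outform', 'PEM', '-out', "$tmp.pem") == 0
            or do { unlink $tmp, "$tmp.pem"; die "DER to PEM conversion failed\n" };
        move("$tmp.pem", $tmp) or die "rename: $!\n";
    }
    my $nu = crl_next_update($tmp, 'PEM');
    unless (defined $nu && $nu > time) {
        unlink $tmp;
        die "downloaded file is not a CRL or is already past nextUpdate\n";
    }
    move($tmp, $dest) or die "install $dest: $!\n";
    return $nu;
}

# Radiator re-reads its configuration, and with it the CRL, on SIGHUP.
sub hup_radiusd {
    my ($pidfile) = @_;
    open my $fh, '<', $pidfile or die "$pidfile: $!\n";
    my $line = <$fh>;
    close $fh;
    my ($pid) = defined $line ? $line =~ /(\d+)/ : ();
    die "no pid in $pidfile\n" unless $pid;
    kill 'HUP', $pid or die "kill $pid: $!\n";
}

my $now = time;
if (needs_refresh($CRL_FILE, $now)) {
    my $nu = fetch_crl($CRL_URL, $CRL_FILE);
    hup_radiusd($PIDFILE);
    printf "installed CRL valid until %s UTC, radiusd reloaded\n", scalar gmtime $nu;
}
```

With three CRLs of different lifetimes, run one instance per CRL (or loop over a list of URL/file pairs); each one then reloads only when its own nextUpdate approaches, which keeps restarts to roughly one per CRL lifetime rather than one fixed time a day that may not line up with any of them.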
Re: [RADIATOR] two factor authentication
Hi Hugh, should I use an AuthHook within the AuthBy INTERNAL? Documentation for the list of passed parameters for the hooks would be nice so you don't have to look in the source code, if you're a Perl developer :) That's what replaced the AuthBy HANDLER: AuthBy INTERNAL DefaultResult ACCEPT # clear the password to force AuthOTP to always generate a OTP AuthHook sub { \ my $p = ${$_[0]}; \ $p-{DecodedPassword} = ''; \ return $main::ACCEPT; \ } /AuthBy AuthBy otp_sms I hope the ACCEPT doesn't trigger a hidden security problem, the handler is configured with ContinueUntilChallenge. Best regards, Alex Am 2012-01-19 00:28, schrieb Hugh Irvine: Hello Alex - You can use an AuthBy INTERNAL between the other two clauses. See section 5.50 in the Radiator 4.9 reference manual (doc/ref.pdf). regards Hugh On 18 Jan 2012, at 21:16, Alexander Hartmaier wrote: Hi Heikki and Mike, I'm already using AuthBy OTP with my own ChallengeHook. I've read RFC2865 yesterday but missed the State attribute, thanks for the great pointer! 
Thats the working config I came up with: AuthLog FILE Identifier tsa-otp-client-vpn Filename %L/tsa-otp-client-vpn.authlog LogSuccess 1 LogFailure 1 # log the Handler Identifier to be able to distinguish between AD and OTP auth failures SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK FailureFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL /AuthLog Handler Callback-Number=/.+/ Identifier otp_sms_challenge AuthByPolicyContinueUntilChallenge #StripFromRequest Password # clear the password to force AuthOTP to always generate a OTP PreAuthHook sub { \ my $p = ${$_[0]}; \ my $rp = ${$_[1]}; \ $p-{DecodedPassword} = ''; \ } AuthBy otp_sms #AddToReply State=otp-challenge /Handler Handler Client-Identifier=tsa-tc-flod|localhost Request-Type=Access-Request State=otp-challenge Identifier tsa-otp-client-vpn-otp AuthLog tsa-otp-client-vpn # Show any rejection reason to the end user RejectHasReason AuthBy otp_sms /Handler Handler Client-Identifier=tsa-tc-flod|localhost Request-Type=Access-Request Identifier tsa-otp-client-vpn-ad AuthByPolicyContinueUntilChallenge # Show any rejection reason to the end user RejectHasReason AuthLog tsa-otp-client-vpn AuthBy LDAP2 # Save time by never looking for a default NoDefault Host ip1 ip2 ip3 Port 389 Version 3 # request timeout in seconds Timeout 2 # don't try to reach the ldap for this amount of seconds after failure FailureBackoffTime 0 UsernameAttr samaccountname # don't check the password, just for phone number lookup #PasswordAttr ServerChecksPassword # store the users mobile phone number in the Callback-Number radius attribute AuthAttrDef mobile,Callback-Number,request /AuthBy AuthBy HANDLER HandlerId otp_sms_challenge /AuthBy /Handler I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token by using PreAuthHook to delete the DecodedPassword. As you see I've tried StripFromRequest Password which didn't work. 
I was looking for a way to clear the password between the AuthBy LDAP and AuthBy OTP. Is there a way to do this?

Cheers, Alex

On 2012-01-17 21:12, Mike McCauley wrote:
Hi Heikki,

I wonder if he should also look at AuthBy OTP?

Cheers.

On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:

Hello Alexander,

> I'm trying to implement a two factor auth where the user has to enter his Active Directory credentials. Radiator checks those against the AD, if successful creates an OTP and sends that to the mobile phone number fetched from the AD.

Add State attribute to the challenge at this point.

> A challenge is returned to the NAS.

See this for how NAS should react to challenge. http://tools.ietf.org/html/rfc2865#section-5.24

> My problem is that I can't distinguish the initial request and the challenge response which should skip the AD auth because this time the password field holds the OTP response.

State should be echoed back in the challenge response unless the NAS is badly broken.

> By looking at the radius packets with tcpdump I couldn't find a difference in the radius attributes sent that let me write two different handlers. Ideas?

Try something like this. Note that I have used a fixed value for challenge, but you could make it generic to protect against replay attacks or some other information that might be useful for selecting the correct handler for verifying the challenge.

<Handler attribute=value,...,State=whatever>
Re: [RADIATOR] Using Storable in a hook
Is it really binary data that you want to store? I suggest you serialize to a variable and log it before guessing what's happening. Also enable DBI trace mode to see what queries get executed: https://metacpan.org/module/DBI#TRACING

Best regards, Alex

On 2012-01-25 18:15, Jared Watkins wrote:
I've tried storing the data a few different ways.. and I always end up with the same 3 byte value stored in the database... which sounds like a memory pointer rather than data. I found a specific reference under DBD::Pg about binary data.. and it suggests that you have to do an explicit bind and tell it you are passing binary data like so:

bind_param(1, $cdr, { pg_type => PG_BYTEA })

You don't expose the DBI stuff directly though.. so it looks like that would require a change or code addition to your sql module to allow separate calls to prepare, bind, execute. I've not had time to setup a totally separate test to take Radiator out of the equation.. but that's my best guess as to why it's not working at the moment.

J

On Jan 25, 2012, at 8:01 AM, Heikki Vatiainen wrote:
On 01/25/2012 05:44 AM, Jared Watkins wrote:
> I figured out that I have to call it directly like Storable::nfreeze(\%x) but the error I was getting for other way was: Bizarre copy of HASH in refgen at
>
> Now.. I'm passing the value in as a bound parameter in the hook and according to a length call on the variable.. it's going in with an average length of 1450 bytes. However.. when I fetch it from the database (postgres) I'm only getting back 3 bytes. I'm using just the attributes list out of the $p variable by $p->{'Attributes'}.

Try @{$p->{Attributes}} if you want to access the attribute array instead of reference. Maybe you are already doing this, but I thought I'd check. Also Data::Dumper has sometimes been quite helpful figuring out how various items are composed.

> I've done binary data through DBI before (to mysql) without a problem.. so I'm not sure where it might be getting lost here.

Hard to tell.
I have not tried this myself. Please keep us posted how it goes. Thanks!

Heikki

> Thanks, Jared
>
> On Jan 24, 2012, at 5:59 PM, Heikki Vatiainen wrote:
> On 01/24/2012 10:44 PM, Jared Watkins wrote:
>> I'm seeing some weird errors and behavior trying to use the freeze method from Storable. Is there a special trick to making it work in hook code?
>
> I have not used Storable myself, but if you could reply with some examples I can take a look. Note that some of the data structures, such as radius requests ($p usually) are very large. You could see e.g. with Data::Dumper to see what they look like.
>
>> I saw a reference on the cpan page for special handling when used in a 'Safe' compartment.. is that what's happening here? For reference.. for development/debugging I'm attempting to serialize and store (in db field) a hash I'm creating with all the per packet name-value pairs.
>
> Hard to tell. Examples would be useful :) Thanks!
>
> Heikki
> --
> Heikki Vatiainen h...@open.com.au
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Using Storable in a hook
Serializing objects, references and regexes is no easy task. What are you trying to achieve? I suggest you switch to a different format like JSON and only serialize a data structure you created from the request attributes by yourself. The internal representation of a packet could change with every version so you shouldn't rely on it or at least be able to fix your code easily if that happens.

Best regards, Alex

On 2012-01-25 04:44, Jared Watkins wrote:
I figured out that I have to call it directly like Storable::nfreeze(\%x) but the error I was getting for other way was: Bizarre copy of HASH in refgen at

Now.. I'm passing the value in as a bound parameter in the hook and according to a length call on the variable.. it's going in with an average length of 1450 bytes. However.. when I fetch it from the database (postgres) I'm only getting back 3 bytes. I'm using just the attributes list out of the $p variable by $p->{'Attributes'}. I've done binary data through DBI before (to mysql) without a problem.. so I'm not sure where it might be getting lost here.

Thanks, Jared

On Jan 24, 2012, at 5:59 PM, Heikki Vatiainen wrote:
On 01/24/2012 10:44 PM, Jared Watkins wrote:
> I'm seeing some weird errors and behavior trying to use the freeze method from Storable. Is there a special trick to making it work in hook code?

I have not used Storable myself, but if you could reply with some examples I can take a look. Note that some of the data structures, such as radius requests ($p usually) are very large. You could see e.g. with Data::Dumper to see what they look like.

> I saw a reference on the cpan page for special handling when used in a 'Safe' compartment.. is that what's happening here? For reference.. for development/debugging I'm attempting to serialize and store (in db field) a hash I'm creating with all the per packet name-value pairs.

Hard to tell. Examples would be useful :) Thanks!
Heikki
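The approach Alex recommends above, as an added example that is not part of the original thread and not Radiator's or Jared's code: build your own plain structure from the request attributes, serialize it as JSON text, and keep opaque binary values base64-wrapped so the record needs no binary column binding at all. The one column that does take raw bytes is bound explicitly, which is the path a plain string bind corrupts. The sample attributes, the table and the sqlite database are constructed for this example; with DBD::Pg or DBD::mysql the same split applies (TEXT column for the JSON, an explicit bytea/BLOB bind for raw bytes). User-Password is never written out.

```python
import base64
import json
import sqlite3

# Attributes whose values must never reach the log or the database.
REDACT = {"User-Password", "Tunnel-Password"}


def attrs_to_record(attrs):
    """attrs: list of (name, value_bytes) in packet order -> JSON-serialisable list."""
    record = []
    for name, value in attrs:
        if name in REDACT:
            record.append({"name": name, "redacted": True})
            continue
        try:
            record.append({"name": name, "enc": "utf-8", "value": value.decode("utf-8")})
        except UnicodeDecodeError:
            # Opaque binary (State, Class, vendor blobs): wrap in base64 so the
            # whole record stays text and can go into a TEXT column as-is.
            record.append({"name": name, "enc": "base64",
                           "value": base64.b64encode(value).decode("ascii")})
    return record


def record_to_attrs(record):
    """Inverse of attrs_to_record; redacted values come back as None."""
    attrs = []
    for item in record:
        if item.get("redacted"):
            attrs.append((item["name"], None))
        elif item["enc"] == "base64":
            attrs.append((item["name"], base64.b64decode(item["value"])))
        else:
            attrs.append((item["name"], item["value"].encode("utf-8")))
    return attrs


def store_and_reload(attrs, db_path=":memory:"):
    """Write one packet's attributes to SQL and read them back.

    The JSON goes into a TEXT column. The raw State value is additionally
    stored in a BLOB column, bound as bytes, to show the binary path: a
    stringified reference or a text bind is what produces a few useless
    bytes in the table instead of the payload."""
    conn = sqlite3.connect(db_path)
    conn.execute("CREATE TABLE IF NOT EXISTS packets "
                 "(id INTEGER PRIMARY KEY, attrs TEXT NOT NULL, state BLOB)")
    payload = json.dumps(attrs_to_record(attrs), separators=(",", ":"))
    state = next((v for n, v in attrs if n == "State"), None)
    # Placeholders, never string interpolation, for anything that came off the wire.
    conn.execute("INSERT INTO packets (attrs, state) VALUES (?, ?)",
                 (payload, sqlite3.Binary(state) if state is not None else None))
    stored_json, stored_state = conn.execute(
        "SELECT attrs, state FROM packets ORDER BY id DESC LIMIT 1").fetchone()
    conn.close()
    reloaded_state = bytes(stored_state) if stored_state is not None else None
    return record_to_attrs(json.loads(stored_json)), reloaded_state


# Constructed sample: the kind of list a hook would build from an Access-Request.
SAMPLE_ATTRS = [
    ("User-Name", b"alice"),
    ("User-Password", b"\x9f\x12\x00\x7f\xa0"),   # placeholder bytes, redacted anyway
    ("State", bytes.fromhex("ff1b2c3d4e5f")),    # opaque, deliberately not valid UTF-8
    ("NAS-IP-Address", b"10.0.0.1"),
    ("Calling-Station-Id", b"00-11-22-33-44-55"),
]

if __name__ == "__main__":
    reloaded, state = store_and_reload(SAMPLE_ATTRS)
    print(json.dumps(attrs_to_record(SAMPLE_ATTRS), indent=1))
    print("State round-tripped:", state == SAMPLE_ATTRS[2][1], "length", len(state))
```

The length check on the reloaded State is the quick test for the symptom in this thread: if what comes back is a handful of bytes rather than the original length, the bind went in as text, not as binary.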
Re: [RADIATOR] two factor authentication
Hi Heikki and Mike,

I'm already using AuthBy OTP with my own ChallengeHook. I've read RFC2865 yesterday but missed the State attribute, thanks for the great pointer!

That's the working config I came up with:

<AuthLog FILE>
    Identifier tsa-otp-client-vpn
    Filename %L/tsa-otp-client-vpn.authlog
    LogSuccess 1
    LogFailure 1
    # log the Handler Identifier to be able to distinguish between AD and OTP auth failures
    SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
    FailureFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
</AuthLog>

<Handler Callback-Number=/.+/>
    Identifier otp_sms_challenge
    AuthByPolicy ContinueUntilChallenge
    #StripFromRequest Password
    # clear the password to force AuthOTP to always generate an OTP
    PreAuthHook sub { \
        my $p = ${$_[0]}; \
        my $rp = ${$_[1]}; \
        $p->{DecodedPassword} = ''; \
    }
    AuthBy otp_sms
    #AddToReply State=otp-challenge
</Handler>

<Handler Client-Identifier=tsa-tc-flod|localhost Request-Type=Access-Request State=otp-challenge>
    Identifier tsa-otp-client-vpn-otp
    AuthLog tsa-otp-client-vpn
    # Show any rejection reason to the end user
    RejectHasReason
    AuthBy otp_sms
</Handler>

<Handler Client-Identifier=tsa-tc-flod|localhost Request-Type=Access-Request>
    Identifier tsa-otp-client-vpn-ad
    AuthByPolicy ContinueUntilChallenge
    # Show any rejection reason to the end user
    RejectHasReason
    AuthLog tsa-otp-client-vpn
    <AuthBy LDAP2>
        # Save time by never looking for a default
        NoDefault
        Host ip1 ip2 ip3
        Port 389
        Version 3
        # request timeout in seconds
        Timeout 2
        # don't try to reach the ldap for this amount of seconds after failure
        FailureBackoffTime 0
        UsernameAttr samaccountname
        # don't check the password, just for phone number lookup
        #PasswordAttr ServerChecksPassword
        # store the users mobile phone number in the Callback-Number radius attribute
        AuthAttrDef mobile,Callback-Number,request
    </AuthBy>
    <AuthBy HANDLER>
        HandlerId otp_sms_challenge
    </AuthBy>
</Handler>

I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token by using PreAuthHook to delete the DecodedPassword. As you see I've tried StripFromRequest Password which didn't work.

I was looking for a way to clear the password between the AuthBy LDAP and AuthBy OTP. Is there a way to do this?

Cheers, Alex

On 2012-01-17 21:12, Mike McCauley wrote:
Hi Heikki,

I wonder if he should also look at AuthBy OTP?

Cheers.

On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:

Hello Alexander,

> I'm trying to implement a two factor auth where the user has to enter his Active Directory credentials. Radiator checks those against the AD, if successful creates an OTP and sends that to the mobile phone number fetched from the AD.

Add State attribute to the challenge at this point.

> A challenge is returned to the NAS.

See this for how NAS should react to challenge. http://tools.ietf.org/html/rfc2865#section-5.24

> My problem is that I can't distinguish the initial request and the challenge response which should skip the AD auth because this time the password field holds the OTP response.

State should be echoed back in the challenge response unless the NAS is badly broken.

> By looking at the radius packets with tcpdump I couldn't find a difference in the radius attributes sent that let me write two different handlers. Ideas?

Try something like this. Note that I have used a fixed value for challenge, but you could make it generic to protect against replay attacks or some other information that might be useful for selecting the correct handler for verifying the challenge.

<Handler attribute=value,...,State=whatever>
    # Check challenge here
</Handler>

<Handler attribute=value,...>
    # Generate OTP here and send challenge
    <AuthBy ...>
        # AD auth happens here
        AddToReply State=whatever
    </AuthBy>
</Handler>

Please let us know how it goes.

Heikki
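The two-round flow the thread settles on, as an added example (not Radiator's code and not Alex's or Heikki's configuration): the server tells the initial Access-Request apart from the challenge response by the presence of the State attribute, checks the directory password only in the first round, and in the second round treats User-Password as the OTP. It follows Heikki's remark about making the State generic against replay: State is 128 random bits, accepted exactly once, and expires. The directory dict, the send_sms callback and the injectable clock are constructed stand-ins for the AD lookup, the SMS gateway and wall-clock time; the attribute dicts stand in for RADIUS packets.

```python
import hmac
import secrets
import time

OTP_DIGITS = 6


class OtpChallengeServer:
    """Two-round RADIUS authentication: directory password, then SMS OTP."""

    def __init__(self, directory, send_sms, ttl_seconds=120, now=time.time):
        # directory: user -> (password, mobile); stands in for the AD/LDAP lookup
        self.directory = directory
        self.send_sms = send_sms        # callable(mobile, otp); stands in for the SMS gateway
        self.ttl = ttl_seconds
        self.now = now                  # injectable clock so expiry can be tested offline
        self.pending = {}               # State value -> (user, otp, expiry)

    def handle(self, request):
        """request: dict of RADIUS attributes. Returns (reply code, reply attributes)."""
        user = request.get("User-Name", "")
        password = request.get("User-Password", "")
        state = request.get("State")
        if state is None:
            # No State: initial Access-Request, User-Password is the directory password.
            return self._first_round(user, password)
        # State echoed back by the NAS (RFC 2865 5.24): User-Password now carries
        # the OTP, so the directory password check is skipped in this round.
        return self._second_round(user, password, state)

    def _first_round(self, user, password):
        entry = self.directory.get(user)
        if entry is None or not hmac.compare_digest(entry[0].encode(), password.encode()):
            return "Access-Reject", {"Reply-Message": "bad credentials"}
        otp = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        state = secrets.token_hex(16)   # 128-bit random, unique per challenge
        self.pending[state] = (user, otp, self.now() + self.ttl)
        self.send_sms(entry[1], otp)
        return "Access-Challenge", {"State": state,
                                    "Reply-Message": "Enter the code sent to your phone"}

    def _second_round(self, user, otp, state):
        # pop() makes every State single-use: a replayed challenge response is rejected
        pending = self.pending.pop(state, None)
        if pending is None:
            return "Access-Reject", {"Reply-Message": "unknown or already used challenge"}
        exp_user, exp_otp, expiry = pending
        if self.now() > expiry:
            return "Access-Reject", {"Reply-Message": "challenge expired"}
        if exp_user != user or not hmac.compare_digest(exp_otp.encode(), otp.encode()):
            return "Access-Reject", {"Reply-Message": "wrong code"}
        return "Access-Accept", {}


if __name__ == "__main__":
    # Constructed walk-through: one user, an SMS "gateway" that just records the code.
    sent = []
    server = OtpChallengeServer({"alice": ("s3cret", "+43 660 0000000")},
                                lambda mobile, otp: sent.append((mobile, otp)))
    code, reply = server.handle({"User-Name": "alice", "User-Password": "s3cret"})
    print(code, reply)
    code, reply = server.handle({"User-Name": "alice", "User-Password": sent[-1][1],
                                 "State": reply["State"]})
    print(code, reply)
```

The handler split Alex ends up with in Radiator is the same dispatch: one Handler matching on State for the OTP check, another without State for the directory check that adds the State to its challenge.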
[RADIATOR] two factor authentication
Hi list,

I'm trying to implement a two factor auth where the user has to enter his Active Directory credentials. Radiator checks those against the AD, if successful creates an OTP and sends that to the mobile phone number fetched from the AD. A challenge is returned to the NAS.

My problem is that I can't distinguish the initial request and the challenge response which should skip the AD auth because this time the password field holds the OTP response. By looking at the radius packets with tcpdump I couldn't find a difference in the radius attributes sent that let me write two different handlers. Ideas?

--
Best regards, Alexander Hartmaier
Re: [RADIATOR] TACACS+ and CISCO ASA
Our config is:

aaa-server tacacs protocol tacacs+
aaa-server tacacs (interface) host tacacs1.our.fqdn
  key ***
aaa-server tacacs (interface) host tacacs2.our.fqdn
  key ***
aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server

Did you enable trace level 5 in radiator and check the logs?

Cheers, Alex

On 2011-12-12 18:40, Connolly, Robert T. wrote:
Hi Alex,

I work with Steve Kim. This is what I am using on the ASA for authentication and authorization, where radiator-1 is the group name I use:

aaa authorization exec authentication-server
aaa authentication telnet console radiator-1 LOCAL
aaa authentication http console radiator-1 LOCAL
aaa authentication ssh console radiator-1 LOCAL
aaa authentication serial console radiator-1 LOCAL

Am I missing anything? Thank you.

Robert

Robert T. Connolly, MBA
Information Systems Senior Network Specialist
Davis Polk & Wardwell LLP
450 Lexington Avenue, New York, NY 10017
212 450 6185 tel
robert.conno...@davispolk.com

Davis Polk Confidentiality Note: This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Unauthorized use, dissemination, distribution or copying of this email or the information herein or taking any action in reliance on the contents of this email or the information herein, by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments thereto and all copies. Please refer to the firm's privacy policy http://www.davispolk.com/files/uploads/davispolk.master.privacypolicy.sep10.pdf located at www.davispolk.com for important information on this policy.

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Alexander Hartmaier
Sent: Monday, December 12, 2011 12:11 PM
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] TACACS+ and CISCO ASA

Did you enable tacacs authentication and authorization on the ASA?

On 2011-12-12 18:06, Kim, Steve wrote:
Alex,

Thanks for the reply. The issue that I have is it prompts another authentication on ASA. I'm using the same config as you listed which works fine with routers and switch. This is the config that I'm using:

AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup netadmin permit .*

Is there anything that I need to do on ASA?

Thanks, Steve.

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Alexander Hartmaier
Sent: Monday, December 12, 2011 11:36 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] TACACS+ and CISCO ASA

Yes, working here fine since years, what problems are you encountering?

config:

AuthorizeGroup Admins permit service=shell cmd\* {priv-lvl=15}

Best regards, Alex

On 2011-12-12 17:34, Kim, Steve wrote:
Does anyone try CISCO ASA authentication with TACACS+? I have TACACS+ working with CISCO routers and switch, but not on ASA. If anyone has this working, can you share what you did?

Thanks, Steve.
Re: [RADIATOR] TACACS+ and CISCO ASA
Yes, working here fine since years, what problems are you encountering?

config:

AuthorizeGroup Admins permit service=shell cmd\* {priv-lvl=15}

Best regards, Alex

On 2011-12-12 17:34, Kim, Steve wrote:
Does anyone try CISCO ASA authentication with TACACS+? I have TACACS+ working with CISCO routers and switch, but not on ASA. If anyone has this working, can you share what you did?

Thanks, Steve.
Re: [RADIATOR] TACACS+ and CISCO ASA
Did you enable tacacs authentication and authorization on the ASA?

On 2011-12-12 18:06, Kim, Steve wrote:
Alex,

Thanks for the reply. The issue that I have is it prompts another authentication on ASA. I'm using the same config as you listed which works fine with routers and switch. This is the config that I'm using:

AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
AuthorizeGroup netadmin permit .*

Is there anything that I need to do on ASA?

Thanks, Steve.

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Alexander Hartmaier
Sent: Monday, December 12, 2011 11:36 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] TACACS+ and CISCO ASA

Yes, working here fine since years, what problems are you encountering?

config:

AuthorizeGroup Admins permit service=shell cmd\* {priv-lvl=15}

Best regards, Alex

On 2011-12-12 17:34, Kim, Steve wrote:
Does anyone try CISCO ASA authentication with TACACS+? I have TACACS+ working with CISCO routers and switch, but not on ASA. If anyone has this working, can you share what you did?

Thanks, Steve.
Re: [RADIATOR] multiple hosts
Synchronous will block the Radiator process until a reply is received or the configured timeout is exceeded. During this time Radiator won't handle any other requests and will be marked as unreachable by the radius clients if their timeout*retry is lower than the combined timeout*retry of the AuthBy RADIUS clauses. I strongly recommend to *NOT* use Synchronous, *EVER*.

Best regards, Alexander Hartmaier

On 2011-11-23 02:21, Martin Burton wrote:
Oops, forgot one important keyword in there. You need to put the Synchronous flag in the AuthBy RADIUS clause for host1. If you don't then Radiator will move onto the next AuthBy without waiting for a reply.

<AuthBy RADIUS>
    <Host host1.herts.ac.uk>
        Secret
    </Host>
    Synchronous
</AuthBy>

Check the info in the Radiator manual about the implications of using Synchronous though.

Cheers, Martin.

On 23/11/2011 01:10, Martin Burton wrote:
You could probably achieve what you need using an AuthByPolicy, like:

<Handler Realm=domain.ac.uk>
    RewriteUsername s/^([^@]+).*/$1/
    AuthByPolicy ContinueWhileReject
    <AuthBy RADIUS>
        <Host host1.herts.ac.uk>
            Secret
        </Host>
    </AuthBy>
    <AuthBy RADIUS>
        <Host host2.herts.ac.uk>
            Secret x
        </Host>
    </AuthBy>
    # Log accounting to the detail file in LogDir
    AcctLogFileName %L/detail
</Handler>

HTH.

On 23/11/2011 00:01, Judy Angel wrote:
Radius V4.2. I am looking to authenticate on two servers. If the userid is not available in host1 try host2. The config below works fine on host1 but if the return fails as the userid does not exist it does not check for the userid in host2. Should this be possible?

<Handler Realm=domain.ac.uk>
    RewriteUsername s/^([^@]+).*/$1/
    <AuthBy RADIUS>
        <Host host1.herts.ac.uk>
            Secret
        </Host>
        <Host host2.herts.ac.uk>
            Secret x
        </Host>
    </AuthBy>
    # Log accounting to the detail file in LogDir
    AcctLogFileName %L/detail
</Handler>

Thanks

Judy Angel
University of Hertfordshire
Re: [RADIATOR] EAPTLS_MaxFragmentSize settings
Thanks Mike!

On 2011-10-11 23:23, Mike McCauley wrote:
Hello Alex,

On Tuesday 11 October 2011 09:35:08 pm Alexander Hartmaier wrote:
> I've tried a lot of different values and looked at the radius packets coming from our switches (for wired dot1x):
>
> peap 1350, inner tls 1300
> peap 1400, inner tls 1360
> peap 1412, inner tls 1350
>
> In the end I've used 1350/1300 because increasing it any further towards the limit didn't lower the number of packets so I preferred to have a little bit of safety margin left. The EAP packet that is encapsulated inside one of the radius key/value pairs + all other radius attributes doesn't exceed one ethernet frame because EAP doesn't support fragmentation. Depending on the number of other radius attributes your switches or wlan controllers send to the radius servers you can increase the EAP payload. Decreasing the number of packets reduces the authentication time and lowers the load on both the radius client (switch, wlan controller) and radius server.
>
> @Open guys: can you please add something like my description to the docs?

Done for the next release.

Cheers.

> On 2011-10-11 13:16, Alex Sharaz wrote:
>> Hi,
>>
>> For a long time I've had
>>
>> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
>> # size that will be replied by Radiator. It must be small
>> # enough to fit in a single Radius request (ie less than 4096)
>> # and still leave enough space for other attributes
>> # Aironet APs seem to need a smaller MaxFragmentSize
>> EAPTLS_MaxFragmentSize 1000
>>
>> set up in my Radiator radius.cfg file simply because it was there in the sample radius.cfg file I initially used. I'm now wondering if perhaps this is a bit small. What are other people doing? Is anyone explicitly setting this up or are people leaving it to the default value?
>>
>> Rgds
>> Alex
>>
>> Time for another Macmillan Cancer Support event. This time its the 12 day Escape to Africa challenge. View route at http://maps.google.co.uk/maps/ms?ie=UTF8hl=enmsa=0msid=20377986643603501 6780.00049e867720273b73c39z=8 Please sponsor me at http://www.justgiving.com/Alex-Sharaz
>
> --
> Cheers, Alex
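The sizing argument in Alex's description above, as an added example (not Radiator's code, not a description of how Radiator computes its fragments): it adds up the per-packet overheads so you can pick EAPTLS_MaxFragmentSize for your own MTU and attribute mix instead of trying values. Overheads are taken from the protocol specifications: 4-byte EAP header plus 2 bytes of EAP-TLS/PEAP type and flags and a 4-byte TLS length field on the first fragment (RFC 5216), EAP-Message attributes of at most 253 data bytes each with a 2-byte attribute header (RFC 3579), 20-byte RADIUS header, 18-byte Message-Authenticator, 28 bytes of IPv4 and UDP, and the 4096-byte RADIUS packet ceiling (RFC 2865). The `other_attr_bytes` input, the size of everything else in the Access-Challenge such as State, Session-Timeout or vendor attributes, is an assumption you measure on your own switches or WLCs with tcpdump; the 1500-byte MTU and the sample flight size are constructed.

```python
import math

# Fixed per-packet overheads in bytes (see lead-in for the sources).
EAP_HEADER = 4              # code, identifier, length
EAP_TLS_TYPE_FLAGS = 2      # EAP type (13 TLS / 25 PEAP) + flags byte
TLS_LENGTH_FIELD = 4        # only present when the L flag is set (first fragment)
EAP_MESSAGE_DATA_MAX = 253  # data bytes per EAP-Message attribute
ATTR_HEADER = 2             # type + length per RADIUS attribute
RADIUS_HEADER = 20
MESSAGE_AUTHENTICATOR = 18  # mandatory alongside EAP-Message
IPV4_UDP = 28
RADIUS_MAX = 4096           # RADIUS packet size ceiling


def eap_packet_len(fragment, first=True):
    """Length of one EAP-TLS/PEAP packet carrying `fragment` bytes of TLS data."""
    return EAP_HEADER + EAP_TLS_TYPE_FLAGS + (TLS_LENGTH_FIELD if first else 0) + fragment


def eap_message_attrs(eap_len):
    """Number of EAP-Message attributes needed to carry an EAP packet of eap_len bytes."""
    return math.ceil(eap_len / EAP_MESSAGE_DATA_MAX)


def wire_size(fragment, other_attr_bytes, first=True):
    """Total IPv4+UDP+RADIUS bytes of one Access-Challenge for this fragment size."""
    eap_len = eap_packet_len(fragment, first)
    attr_bytes = eap_len + ATTR_HEADER * eap_message_attrs(eap_len)
    return IPV4_UDP + RADIUS_HEADER + attr_bytes + MESSAGE_AUTHENTICATOR + other_attr_bytes


def max_fragment(mtu=1500, other_attr_bytes=0):
    """Largest EAPTLS_MaxFragmentSize whose worst case (first fragment, with the
    TLS length field) still fits one frame without IP fragmentation and stays
    under the RADIUS packet limit."""
    best = 0
    for fragment in range(1, mtu):
        size = wire_size(fragment, other_attr_bytes, first=True)
        if size <= mtu and size - IPV4_UDP <= RADIUS_MAX:
            best = fragment
    return best


def fragments_needed(tls_flight_bytes, fragment):
    """Round trips spent on one TLS flight (e.g. the server certificate chain)."""
    return math.ceil(tls_flight_bytes / fragment)


if __name__ == "__main__":
    # Constructed inputs: a 1500-byte MTU and three guesses at the other attributes.
    for other in (0, 60, 120):
        print(f"other attrs {other:3d} B: max fragment {max_fragment(1500, other)} B; "
              f"a 1350 B fragment puts {wire_size(1350, other)} B on the wire")
    print("4000 B cert chain needs", fragments_needed(4000, 1000), "round trips at 1000,",
          fragments_needed(4000, 1350), "at 1350")
```

With no other attributes the calculator tops out at 1412 bytes for a 1500-byte MTU, and every 60 bytes of extra attributes takes roughly the same amount off that, which is the margin Alex describes keeping.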
Re: [RADIATOR] EAPTLS_MaxFragmentSize settings
I've tried a lot of different values and looked at the radius packets coming from our switches (for wired dot1x):

peap 1350, inner tls 1300
peap 1400, inner tls 1360
peap 1412, inner tls 1350

In the end I've used 1350/1300 because increasing it any further towards the limit didn't lower the number of packets so I preferred to have a little bit of safety margin left. The EAP packet that is encapsulated inside one of the radius key/value pairs + all other radius attributes doesn't exceed one ethernet frame because EAP doesn't support fragmentation. Depending on the number of other radius attributes your switches or wlan controllers send to the radius servers you can increase the EAP payload. Decreasing the number of packets reduces the authentication time and lowers the load on both the radius client (switch, wlan controller) and radius server.

@Open guys: can you please add something like my description to the docs?

On 2011-10-11 13:16, Alex Sharaz wrote:
Hi,

For a long time I've had

# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
EAPTLS_MaxFragmentSize 1000

set up in my Radiator radius.cfg file simply because it was there in the sample radius.cfg file I initially used. I'm now wondering if perhaps this is a bit small. What are other people doing? Is anyone explicitly setting this up or are people leaving it to the default value?

Rgds
Alex

--
Cheers, Alex
Re: [RADIATOR] Memory leak with Radiator?
Note that Perl never frees memory back to the OS once it has allocated it although it might be unused internally.

On 2011-09-30 14:41, Michael wrote:
I noticed an increase of memory usage over time as well on radiusd. Quite a long time though, but an increase nonetheless. 10% right now for example. When I stop/start the service, it drops and remains at about 0.5% again. I have 4 identically synced config servers, where 2 are constantly used, and 2 are not (backups). The 2 constantly used are the ones that have the increase of memory. The increase of memory is noticeable, but radiator does continue to work very well. Since this doesn't cause issues, it's not really important to me at this time, but I just thought I would mention it.

Using MySQL for user authentication data, and auth/accounting logs. The one thing I would think could cause this is the session db, which I do not use. I have:

<SessionDatabase NULL>
    Identifier NULL
</SessionDatabase>

And then reference it by SessionDatabase NULL in all my Handlers. My config is quite long as I handle several different services, and multiple ways of authenticating so I can't paste my config here.

On 11-09-30 06:44 AM, Heikki Vatiainen wrote:
On 09/30/2011 10:35 AM, Elias wrote:

Hello Elias,

> We're running RADIATOR with Farms and have noticed that the RADIATOR processes eat up huge chunks of memory. Has anybody else experienced this?

Memory leaks are very rare but certainly possible. Can you reply with your configuration (no secrets or passwords needed). The growing heap size hints this is a problem with dynamically allocated memory. Seeing the configuration, the possible hooks and learning more about what kind of traffic Radiator handles, would help diagnosing the problem.

The pmap output also indicates you are using DBD::Oracle. You may want to check http://search.cpan.org/~pythian/DBD-Oracle-1.30/ and see if the memory leaks listed in the change log are relevant to your configuration.

Thanks!

Heikki

> last pid: 27248; load avg: 3.88, 3.97, 3.98; up 196+02:04:57 15:09:23
> 51 processes: 45 sleeping, 1 zombie, 5 on cpu
> CPU states: 73.9% idle, 24.1% user, 2.0% kernel, 0.0% iowait, 0.0% swap
> Memory: 8184M phys mem, 128M free mem, 10G swap, 4851M free swap
>
>   PID USERNAME LWP PRI NICE SIZE  RES     STATE TIME   CPU    COMMAND
> 16445 root       1 100      2410M *1393M* sleep 308.1H 84.69% radiusd
> 16447 root       1 100      2410M *1281M* cpu   307.4H 81.52% radiusd
> 16443 root       1 100      2414M *1312M* cpu   308.4H 80.92% radiusd
> 16446 root       1 100      2398M *1236M* cpu   306.9H 79.59% radiusd
> 16444 root       1 100      2394M *1305M* cpu   306.7H 75.31% radiusd
>
> The RADIUS services do not crash or anything, but it's just that our low memory alert keeps on appearing every week or so. Restarting the RADIATOR daemon gets memory released again.
>
> root@radauth01 # pmap 16444
> 16444: /usr/bin/perl /opt/radiator/radiusd -config_file /usr/local/etc/radius
> 0001      960K     r-x-- /usr/local/bin/perl
> 0010E000  48K      rwx-- /usr/local/bin/perl
> 0011A000  24K      rwx-- [ heap ]
> 00122944K rwx-- [ heap ]
> *0040 2428928K rwx-- [ heap ]*
> FDA01728K r-x-- /opt/oracle/lib32/libnnz10.so
> FDBB      56K      r-x-- /opt/oracle/lib32/libnnz10.so
> FDBCC000  16K      rwx-- /opt/oracle/lib32/libnnz10.so
> FDBD      128K     rwx-- dev:32,13 ino:1539
> FDBF      8K       rwx-- /opt/oracle/lib32/libnnz10.so
> FDC0      12288K   r-x-- /opt/oracle/lib32/libclntsh.so.10.1
> FE802752K r-x-- dev:32,13 ino:1627
> FEAB      56K      r-x-- /opt/oracle/lib32/libclntsh.so.10.1
> FEACC000  16K      rwx-- /opt/oracle/lib32/libclntsh.so.10.1
> FEAD      448K     rwx-- dev:32,13 ino:1627
> FEB4      16K      rwx-- dev:32,13 ino:1627
> FEB44000  56K      rwx-- /opt/oracle/lib32/libclntsh.so.10.1
> FEBF      8K       rwx-- [ anon ]
> FEC0      40K      r-x-- /usr/local/lib/libgcc_s.so.1
> FEC18000  8K       rwx-- /usr/local/lib/libgcc_s.so.1
> FEC2      48K      r-x-- /usr/lib/libz.so.1
> FEC3A000  16K      rwx-- /usr/lib/libz.so.1
> FEC5      192K     r-x-- /usr/local/lib/mysql/libmysqlclient.so.14.0.0
> FEC8      32K      r-x-- /usr/local/lib/mysql/libmysqlclient.so.14.0.0
> FEC96000  40K      rwx-- /usr/local/lib/mysql/libmysqlclient.so.14.0.0
> FECA      64K      rwx-- dev:32,11 ino:152615
> FECB      56K      rwx-- /usr/local/lib/mysql/libmysqlclient.so.14.0.0
> FECD      64K      r-x-- /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/mysql/mysql.so
> FECE      32K      r-x-- /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/mysql/mysql.so
> FECF6000  24K      rwx-- /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/mysql/mysql.so
> FED1      376K     r---R dev:32,13 ino:1490
> FED8      8K       r-x-- /lib/libmd5.so.1
> FED92000  8K       rwx-- /lib/libmd5.so.1
> FEDA      8K       rwx-- [ anon ]
> FEDB      24K      r-x--
Re: [RADIATOR] 802.1x authentication questions
Hi Heikki,

Am 2011-09-14 08:54, schrieb Heikki Vatiainen:
> On 09/13/2011 03:38 PM, Alexander Hartmaier wrote:
>> I found out what is required to make 802.1x work with WPA2-Enterprise + AES: the AuthBy of the outer handler needs AutoMPPEKeys configured so that the Cisco WLC generates the PMK and starts the 4-way PTK handshake. This graph shows the complete flow: http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png
> Looks good. With e.g., PEAP there's also the possibility for a fast reconnect where the first full TLS negotiation is reused. This reduces the number of exchanged packets and processing time. I thought I'd add this so that in case you need to check logs you may notice not every authentication does the equal request exchange.
>> Please add this info to the reference manual AutoMPPEKeys section and extend the goodies/eap_peap_tls.cfg description of the config option!
> Hmm, true, looks like the description for AutoMPPEKeys describes the situation that was when dynamic WEP keys and such were in use. I'll make a note about upgrading the description. The option is these days required when you want to use EAP-PEAP, -TTLS, -TLS and such.
>
> Going back to original thread on June, did you get the guest access with PEAP working? At that time I thought there will be a problem with server failing to prove to the client it knows the client's credentials. This is needed with MS-CHAP-V2 and normally causes PEAP failure.

No, I haven't invested any more time into this. Note that this was for the wired dot1x, now I was doing the same thing for wireless. We do PEAP-TLS for both and any Windows client we've tested (XP and 7) doesn't try to get an ip address by dhcp when the EAP auth fails (which is the case for guests that have PEAP-TLS for another CA configured or PEAP-MS-CHAP-V2). For those cases you would have to always send an EAP success message to the client but a different reply to the switch on the radius level. Can you force an EAP success?

Thanks!

*** T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *** Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. ***
___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] 802.1x authentication questions
I found out what is required to make 802.1x work with WPA2-Enterprise + AES: the AuthBy of the outer handler needs AutoMPPEKeys configured so that the Cisco WLC generates the PMK and starts the 4-way PTK handshake. This graph shows the complete flow: http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

Please add this info to the reference manual AutoMPPEKeys section and extend the goodies/eap_peap_tls.cfg description of the config option!

Best regards, Alex
Re: [RADIATOR] CRL reload error
Am 2011-08-09 10:35, schrieb Heikki Vatiainen:
> On 08/08/2011 05:59 PM, Alexander Hartmaier wrote:
>> So a reload after every crl download is still the only solution?
> Unfortunately this seems to be currently the only solution.
>> Adding the crl download and refresh functionality to Radiator would be a welcome addition!
> I agree this would be very useful. Then again implementing it in Radiator separately from OpenSSL would mean creating a lot of code that would have a short lifetime becoming obsolete once OpenSSL starts to fully support the functionality. The problem of course is it's not known how soon or late this happens.

I was referring to the feature to specify a url and let radiator handle downloading of the crl instead of having to write a cronjob manually. Having a config option that also reloads radiator instead of waiting another five years for openssl to fix the issue would be welcome too. I wonder why nobody stepped up to fix openssl a long time ago because every product depending on it is affected.

> Thanks,
> Heikki

Cheers, Alex

>> Am 2011-08-08 09:41, schrieb Heikki Vatiainen:
>>> On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
>>> Hello Alexander,
>>>> what's the status of crl reloading?
>>> CRL reloading support depends on OpenSSL. As you have found out, it appears the support is not in version 1.0.0. A quick check of 1.0.0 series change log did not show anything related to this, so I guess the wait is still on.
>>>> I've installed openssl 1.0.0 from Debian testing on a Debian stable server but it still fails with
>>>> ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Re: [RADIATOR] CRL reload error
So a reload after every crl download is still the only solution? Adding the crl download and refresh functionality to Radiator would be a welcome addition!

Cheers, Alex

Am 2011-08-08 09:41, schrieb Heikki Vatiainen:
> On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
> Hello Alexander,
>> what's the status of crl reloading?
> CRL reloading support depends on OpenSSL. As you have found out, it appears the support is not in version 1.0.0. A quick check of 1.0.0 series change log did not show anything related to this, so I guess the wait is still on.
>> I've installed openssl 1.0.0 from Debian testing on a Debian stable server but it still fails with
>> ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
Re: [RADIATOR] CRL reload error
Hi guys,

what's the status of crl reloading? I've installed openssl 1.0.0 from Debian testing on a Debian stable server but it still fails with

ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table

Cheers, Alex
[RADIATOR] Multiple user groups for tacacs authorization possible
Hi,

we have the need to map users with membership in multiple groups into tacacs groups to decide if the user is allowed to login (authentication) and what the user is allowed to do (authorization). We solved the authentication by multiple authby ldap2's for the different ldap groups in an authby group. The first matched group populates the OSC-Group-Identifier attribute which is used for the GroupMemberAttr.

Because some users are in multiple groups we're looking for a way to add all of them to the GroupMemberAttr, is this possible?

-- Cheers, Alex
Re: [RADIATOR] radiator exists on ClientSQL timeout
Hi Heikki,

can you please give me an update on that issue?! We still have to restart radiator approximately once a day because it either hangs or crashes.

Best regards, Alex

Am 2011-05-31 11:38, schrieb Hartmaier Alexander:
> Since running with the foreground option radiator doesn't die any more and the log only contains lines like those:
>
> Mon May 30 17:38:14 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
> Mon May 30 19:40:14 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
> Mon May 30 21:42:16 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
> Mon May 30 23:44:18 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
>
> Note that although the refresh interval is configured for 3600 which is one hour, it only seems to try every two hours.
>
> Am 2011-05-30 14:02, schrieb Heikki Vatiainen:
>> On 05/25/2011 07:09 PM, Alexander Hartmaier wrote:
>>> no, this is only acting as tacacs+ server without any db logging.
>> Thanks for confirming this.
>>> # refresh the client list every hour
>>> RefreshPeriod 3600
>>>
>>> The intermediate firewalls will close the connection because the tcp connection is inactive for about an hour. Can we enable tcp keepalives or add a check to radiator which detects broken connections?
>> It already does check for broken connections. Just before it prints "Adding Clients from SQL database" it does reconnect when needed. So it does a reconnect that succeeds, tries to execute the select for getting the client list and then hits "Execute failed". Now I would be interested in seeing what else it logs before it dies or hangs completely. Can you pass me the logs? I would especially be interested in seeing if it is able to log "Automatic ClientListSQL refresh failed, keeping old list".
>>> DBIx::Connector was created from DBIx::Class code and would be the ideal solution for this problem. You could include the newest version with every Radiator release if the license (same as Perl) allows it.
>> I can ask about this, but currently disconnects and reconnects should be handled already. But if you could provide the logs that show how far Radiator gets after "Adding Clients from SQL database" that would be very useful.
>>
>> Thanks!
Re: [RADIATOR] BindAddress question
Does this mean that we can't bind to IPv4 and IPv6 separately on Linux to not get v6 mapped v4 addresses?

Am 2011-06-09 19:50, schrieb Heikki Vatiainen:
> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>> Well, I installed a second instance on a dual stack host, and I tested various combinations:
> Thanks for the summary.
>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>> I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>
>> BindAddress ipv6:::
>> IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
> This should work if you specify your client like this:
>
> Client ipv6::::192.87.30.32
>
> Since the request arrived over IPv4 but was delivered to the application by IPv6 wildcard socket, the IPv4 address is presented as an IPv6 address. See http://tools.ietf.org/html/rfc4291#section-2.5.5 section 2.5.5.2. IPv4-Mapped IPv6 Address. The purpose of this mapping is to let the application know whether the message was received over IPv6 or IPv4, since the socket can handle both protocols.
>> BindAddress 0.0.0.0
>> This is the default. IPv4 clients work. IPv6 clients DO NOT work, and worse, nothing is logged by radiator, no request from unknown client 2001:610:blah:blah
>>
>> BindAddress ipv6:::,0.0.0.0
>> Startup gives some errors, and only IPv6 works:
>>
>> Thu Jun 9 16:25:54 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Thu Jun 9 16:25:54 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>> Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port ipv61812
>> Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port ipv61813
>> Thu Jun 9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Jun 9 16:25:54 2011: ERR: Could not bind authentication socket: Address already in use
>> Thu Jun 9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Jun 9 16:25:54 2011: ERR: Could not bind accounting socket: Address already in use
>> Thu Jun 9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>> Thu Jun 9 16:25:55 2011: NOTICE: Request from unknown client 145.100.98.42: ignored
>>
>> BindAddress 0.0.0.0,ipv6:::
>> Also some errors, only IPv4 works, and also nothing logged when an IPv6 client connects:
>>
>> Thu Jun 9 16:27:42 2011: DEBUG: Finished reading configuration file '/etc/radiator/radius.cfg'
>> Thu Jun 9 16:27:42 2011: DEBUG: Reading dictionary file '/etc/radiator/db/dictionary'
>> Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Jun 9 16:27:42 2011: DEBUG: Creating authentication port ipv61812
>> Thu Jun 9 16:27:42 2011: ERR: Could not bind authentication socket: Address already in use
>> Thu Jun 9 16:27:42 2011: DEBUG: Creating accounting port ipv61813
>> Thu Jun 9 16:27:42 2011: ERR: Could not bind accounting socket: Address already in use
>> Thu Jun 9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>
>> So the only way I can get radiator to accept requests from both protocols, is to hardcode the interface addresses. Would it be possible to have radiator listen to 4+6 without hard coding? I think that option (whatever it looks like) should be the default. If possible, can the behavior of the current default ('BindAddress 0.0.0.0') be changed so that it actually logs ignored incoming requests? I've spent quite some time figuring out what is going on, and only tcpdump revealed that requests are actually reaching my box.
>>
>> Thanks :-)
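The IPv4-mapped address behaviour Heikki describes above, as an added example (not from this thread, its authors or the Radiator code base): an IPv4 sender seen through an IPv6 wildcard socket arrives as ::ffff:a.b.c.d, so a client table keyed on the literal text misses it, while a lookup that folds mapped addresses back to IPv4 matches either spelling and, unlike the silent drop Dyonisius ran into, always logs the unknown-client decision. The client table, its placeholder secrets and the handling of an "ipv6:" prefix on list entries are assumptions made for this example.

```python
"""Added example: IPv4-mapped IPv6 peers versus a literal client table.

The addresses come from the log lines quoted in the thread; the client
table, secrets and the 'ipv6:' prefix handling are constructed here.
"""
import ipaddress
from typing import Dict, Optional, Tuple, Union

IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed client table with placeholder secrets, spelled the way an
# operator would naturally write it: IPv4 clients as plain IPv4 addresses.
CLIENTS: Dict[str, str] = {
    "192.87.30.32": "placeholder-secret-v4",
    "2001:610:148:dead::40": "placeholder-secret-v6",
}


def as_seen_on_v6_wildcard(peer: str) -> ipaddress.IPv6Address:
    """Address a socket bound to [::] (without IPV6_V6ONLY) reports for `peer`.

    An IPv4 sender is delivered as an IPv4-mapped IPv6 address
    (RFC 4291 section 2.5.5.2), e.g. 192.87.30.32 -> ::ffff:192.87.30.32.
    """
    addr = ipaddress.ip_address(peer)
    if isinstance(addr, ipaddress.IPv4Address):
        return ipaddress.IPv6Address("::ffff:" + str(addr))
    return addr


def normalise(text: str) -> IPAddress:
    """Parse a client spec or peer address into a comparable key.

    Accepts an optional 'ipv6:' prefix (assumed spelling for IPv6 entries
    in a client list) and folds IPv4-mapped IPv6 addresses back to the
    IPv4 address they carry, so ::ffff:192.87.30.32 equals 192.87.30.32.
    """
    if text.startswith("ipv6:"):
        text = text[len("ipv6:"):]
    addr = ipaddress.ip_address(text)
    mapped = getattr(addr, "ipv4_mapped", None)  # None for IPv4 and plain IPv6
    return mapped if mapped is not None else addr


def lookup_literal(peer: IPAddress, clients: Dict[str, str]) -> Optional[str]:
    """Naive lookup: compare the textual peer address with the table keys.

    Misses IPv4 clients once the server listens on the IPv6 wildcard.
    """
    return clients.get(str(peer))


def lookup_normalised(peer: IPAddress, clients: Dict[str, str]) -> Optional[str]:
    """Lookup that normalises both the peer and every table key."""
    peer_key = normalise(str(peer))
    for spec, secret in clients.items():
        if normalise(spec) == peer_key:
            return secret
    return None


def decide(peer: str, clients: Dict[str, str]) -> Tuple[Optional[str], str]:
    """Return (shared_secret, log_line) for a datagram from `peer`.

    Unknown clients are always logged rather than silently dropped; the
    log line shows the address exactly as the socket presented it, which
    is what the operator needs to see in order to fix the client entry.
    """
    seen = as_seen_on_v6_wildcard(peer)
    secret = lookup_normalised(seen, clients)
    if secret is None:
        return None, f"NOTICE: Request from unknown client {seen}: ignored"
    return secret, f"DEBUG: Request from client {seen} matched a Client entry"


if __name__ == "__main__":
    seen = as_seen_on_v6_wildcard("192.87.30.32")
    print("peer as seen on a [::] socket:", seen)
    print("literal lookup:", lookup_literal(seen, CLIENTS))
    print("normalised lookup:", lookup_normalised(seen, CLIENTS))
    for peer in ("192.87.30.32", "2001:610:148:dead::40", "145.100.98.42"):
        print(decide(peer, CLIENTS)[1])
```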
Re: [RADIATOR] 802.1x authentication questions
Am 2011-06-02 09:54, schrieb Heikki Vatiainen:
> On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:
>> Everything is working good so far but for the case that a non-company client has dot1x enabled on the interface I'd like to switch the port to our guest lan.
> What happens when you detect a non-company client? Have you configured Radiator to return Access-Accept with appropriate attributes for guest VLAN?

Yes, the switch configures the guest-vlan on the port, but the client gets an EAP auth failure through the EAP tunnel.

>> This is working fine on the switch, but a Windows 7 client receives the EAP auth failure from Radiator and doesn't try to send a dhcp request although the switch port has already been set to the guest lan.
> If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns Access-Accept without really having access to the user's password or NThash of the password, the client will notice that Radiator did not return a correct MS-CHAP-V2 response. The response needs to prove the server (Radiator) really has access to the user's credentials. In other words, the server must be able to authenticate itself too. That is the V2 part in the protocol.

We're using PEAP/EAP-TLS with machine certs.

>> Is there a solution for this problem? For the wireless part we're getting the following error on the WLC:
>> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1
>> If someone encountered this error and knows a solution while we wait for the Cisco TAC please respond!
> If this is not a MS-CHAP-V2 problem I described above, and there is a way to do this, it would be very interesting to hear more. Also same PEAP/EAP-TLS here.
>
> Thanks!
[RADIATOR] 802.1x authentication questions
Hi,

I'm currently implementing dot1x for our wired and wireless infrastructure (various Cisco switches, mostly 4500 and Cisco 5508 Wireless LAN Controllers). I've installed radiator in a Debian 6 VM with openssl 1.0.0d from testing for CRL reloading support although I'm not sure if this is still necessary as Radiator logs reloading CRL messages.

Everything is working good so far but for the case that a non-company client has dot1x enabled on the interface I'd like to switch the port to our guest lan. This is working fine on the switch, but a Windows 7 client receives the EAP auth failure from Radiator and doesn't try to send a dhcp request although the switch port has already been set to the guest lan. Is there a solution for this problem?

For the wireless part we're getting the following error on the WLC:

%DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state transition to state 0 failed; port status 0, key available 1, key tx enabled 1

If someone encountered this error and knows a solution while we wait for the Cisco TAC please respond!

Thanks!

-- Best regards, Alex
Re: [RADIATOR] Request rejecting from within PostSearchHook
I have a NoReplyHook that always sends accepts:

    NoReplyHook file:%D/reply-accept.hook

    $ cat reply-accept.hook
    sub {
        my $p  = ${$_[0]};   # the request that got no reply
        my $fp = ${$_[1]};
        my $rp = ${$_[2]};   # the reply packet to fill in
        $rp->set_code('Access-Accept');
        # reply to the Client that sent the request
        $p->{Client}->replyTo($p);
        return;
    }

Best regards, Alex

Am 2011-05-31 10:34, schrieb Siebert Waldemar:
> Hello,
>
> It's possible to reject the request from within the PostSearchHook. I have tried the following:
>
>     $_[2]->{RadiusResult} = $main::REJECT;
>
> and
>
>     $_[5]->set_code('Access-Reject');
>
> but none of them seems to work.
>
> Thank you
>
> Kind regards
> Waldemar Siebert
> T-Systems International GmbH
Re: [RADIATOR] radiator exists on ClientSQL timeout
Since running with the foreground option radiator doesn't die any more and the log only contains lines like those:

Mon May 30 17:38:14 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
Mon May 30 19:40:14 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
Mon May 30 21:42:16 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
Mon May 30 23:44:18 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout

Note that although the refresh interval is configured for 3600 which is one hour, it only seems to try every two hours.

Am 2011-05-30 14:02, schrieb Heikki Vatiainen:
> On 05/25/2011 07:09 PM, Alexander Hartmaier wrote:
>> no, this is only acting as tacacs+ server without any db logging.
> Thanks for confirming this.
>> # refresh the client list every hour
>> RefreshPeriod 3600
>>
>> The intermediate firewalls will close the connection because the tcp connection is inactive for about an hour. Can we enable tcp keepalives or add a check to radiator which detects broken connections?
> It already does check for broken connections. Just before it prints "Adding Clients from SQL database" it does reconnect when needed. So it does a reconnect that succeeds, tries to execute the select for getting the client list and then hits "Execute failed". Now I would be interested in seeing what else it logs before it dies or hangs completely. Can you pass me the logs? I would especially be interested in seeing if it is able to log "Automatic ClientListSQL refresh failed, keeping old list".
>> DBIx::Connector was created from DBIx::Class code and would be the ideal solution for this problem. You could include the newest version with every Radiator release if the license (same as Perl) allows it.
> I can ask about this, but currently disconnects and reconnects should be handled already. But if you could provide the logs that show how far Radiator gets after "Adding Clients from SQL database" that would be very useful.
>
> Thanks!
Re: [RADIATOR] radiator exists on ClientSQL timeout
Hi Heikki,

no, this is only acting as tacacs+ server without any db logging.

    # refresh the client list every hour
    RefreshPeriod 3600

The intermediate firewalls will close the connection because the tcp connection is inactive for about an hour. Can we enable tcp keepalives or add a check to radiator which detects broken connections?

DBIx::Connector was created from DBIx::Class code and would be the ideal solution for this problem. You could include the newest version with every Radiator release if the license (same as Perl) allows it.

-Alex

Am 2011-05-25 17:37, schrieb Heikki Vatiainen:
> On 05/24/2011 05:06 PM, Alexander Hartmaier wrote:
>> Since changing the init script line 37 from:
>>
>>     [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"
>>
>> to:
>>
>>     [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG $RADIATOR_ARGS -foreground -log_stdout /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"
>>
>> it doesn't crash any more but still hangs after log entries like:
>>
>> Tue May 24 15:54:34 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': ORA-03114: not connected to ORACLE (DBD ERROR: OCIStmtExecute/Describe)
> Hmm, connection was lost. I previously asked if you do LogSQL. If you do, then change SQL log config so that LogSQL and ClientListSQL use different usernames (DBUsername) for DB access. When you do this, ClientListSQL and LogSQL will get their own handles and connections. What may happen now is ClientListSQL tries to log "Adding Clients ...", which is given to LogSQL which notices closed connection and destroys the handle. Then control returns to ClientListSQL and it continues and tries to read from the handle which was just killed by LogSQL.
>
> There is actually a comment on this now in 4.8 ref.pdf. See section 5.14.1. It was noticed when LogSQL runs in parallel with other SQL users it is possible that it can close DB handles when other DB users do not expect it. Please let us know if separate LogSQL user solves the problem.
>
>> Am 2011-05-18 10:45, schrieb Hartmaier Alexander:
>>> Hi, I was referring to the MaxChildren config option which we don't use. Adding the -b option to start-stop-daemon and replacing -daemon with -foreground did the trick. It occurs approximately once per day, maybe a Monday-morning bug.
>>>
>>> Best regards, Alex
>>>
>>> Am 2011-05-16 23:02, schrieb Heikki Vatiainen:
>>>> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
>>>>> I haven't configured forking so we should be safe.
>>>> Sorry, I may have been a bit unclear about which fork I was meaning. When Radiator is started without --foreground it will fork. If Fork has been configured for an AuthBy, Radiator will fork an additional copy to handle that authentication. What is important is that there are no forks, not even the initial fork when Radiator backgrounds itself.
>>>>
>>>> If possible, can you send your configuration file. If not possible, I would like to know if you are using Log SQL. If you are, try creating another username that Log SQL uses for accessing the DB. This will give SQL logging another DB handle which may help. This is mentioned in 4.8 ref.pdf
>>>>
>>>>> Am 2011-05-16 19:05, schrieb Heikki Vatiainen:
>>>>>> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>>>>>>> My init file is from the goodies dir.
>>>>>> Ok, then we have to work around Debian specific things a bit.
>>>>>>> Because I'm running debian the command used is
>>>>>>>
>>>>>>>     /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS
>>>>>>>
>>>>>>> where $RADIUSD_ARGS is the default of
>>>>>>>
>>>>>>>     -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS
>>>>>>>
>>>>>>> I've now changed it to:
>>>>>>>
>>>>>>>     [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"
>>>>>>>
>>>>>>> The -foreground option isn't compatible with start-stop-daemon but I hope -log_stdout is compatible with -daemon too.
>>>>>> That may not work since -foreground keeps Radiator from forking and closing stdout. In other words, -foreground is needed for catching all messages. Would it be possible to do the following:
>>>>>>
>>>>>> 1. Start Radiator with unmodified start script
>>>>>> 2. Observe what the actual command is (radiusd + all arguments)
>>>>>> 3. Run radiusd from command line with the observed arguments plus -foreground and -log_stdout
>>>>>>
>>>>>> Thanks again!
Re: [RADIATOR] radiator exists on ClientSQL timeout
Since changing the init script line 37 from:

    [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"

to:

    [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG $RADIATOR_ARGS -foreground -log_stdout /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"

it doesn't crash any more but still hangs after log entries like:

Tue May 24 15:54:34 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': ORA-03114: not connected to ORACLE (DBD ERROR: OCIStmtExecute/Describe)

Am 2011-05-18 10:45, schrieb Hartmaier Alexander:
> Hi, I was referring to the MaxChildren config option which we don't use. Adding the -b option to start-stop-daemon and replacing -daemon with -foreground did the trick. It occurs approximately once per day, maybe a Monday-morning bug.
>
> Best regards, Alex
>
> Am 2011-05-16 23:02, schrieb Heikki Vatiainen:
>> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
>>> I haven't configured forking so we should be safe.
>> Sorry, I may have been a bit unclear about which fork I was meaning. When Radiator is started without --foreground it will fork. If Fork has been configured for an AuthBy, Radiator will fork an additional copy to handle that authentication. What is important is that there are no forks, not even the initial fork when Radiator backgrounds itself.
>>
>> If possible, can you send your configuration file. If not possible, I would like to know if you are using Log SQL. If you are, try creating another username that Log SQL uses for accessing the DB. This will give SQL logging another DB handle which may help. This is mentioned in 4.8 ref.pdf
>>
>>> Am 2011-05-16 19:05, schrieb Heikki Vatiainen:
>>>> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>>>>> My init file is from the goodies dir.
>>>> Ok, then we have to work around Debian specific things a bit.
>>>>> Because I'm running debian the command used is
>>>>>
>>>>>     /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS
>>>>>
>>>>> where $RADIUSD_ARGS is the default of
>>>>>
>>>>>     -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS
>>>>>
>>>>> I've now changed it to:
>>>>>
>>>>>     [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"
>>>>>
>>>>> The -foreground option isn't compatible with start-stop-daemon but I hope -log_stdout is compatible with -daemon too.
>>>> That may not work since -foreground keeps Radiator from forking and closing stdout. In other words, -foreground is needed for catching all messages. Would it be possible to do the following:
>>>>
>>>> 1. Start Radiator with unmodified start script
>>>> 2. Observe what the actual command is (radiusd + all arguments)
>>>> 3. Run radiusd from command line with the observed arguments plus -foreground and -log_stdout
>>>>
>>>> Thanks again!
[RADIATOR] linux init script patch
In my endless quest for a working init script to ease config for new users, here's a patch against Radiator-4.8 + patches from today (this includes two patches to the linux init script). This is to make it work on a Debian 6 box with Radiator installed with perl Makefile.PL; make install, which installs into /usr/local/bin and not /usr/bin as the default init script points at. I assume that the rpm installs a working init script, so the one in the goodies dir should work for people installing from the tar.gz.

Also, as I pointed out before, the pid file should be in the /var/run dir to be LSB conform. If you want to run radiator as non-root it has to go in a /var/run subdir that is owned or at least writeable by the user. Please also take a look at my mail from the 24th January!

I've also added an error message if the radiator binary can't be executed; this occurred for me because it couldn't be found at all, maybe a -f check should go in there before the -x.

Cheers, Alex

root@radiator:/etc/init.d# diff -u radiator /root/Radiator-4.8/goodies/linux-radiator.init --- radiator2011-05-20 10:58:06.0 +0200 +++ /root/Radiator-4.8/goodies/linux-radiator.init2011-05-19 23:36:28.0 +0200 @@ -6,7 +6,7 @@ # chkconfig: 2345 90 15 # description: radiator is the radius daemon required for RAS AAA. # processname: /usr/bin/radiusd -# pidfile: /var/run/radiator.pid +# pidfile: /var/log/radius/radiusd.pid # config: /etc/radiator/radius.cfg # config: /etc/sysconfig/radiator # @@ -41,9 +41,9 @@ [ -f ${SYSCONFIG} ] . ${SYSCONFIG} -[ -z ${RADIUSD} ] RADIUSD=/usr/local/bin/radiusd +[ -z ${RADIUSD} ] RADIUSD=/usr/bin/radiusd [ -z ${RADIATOR_CONFIG} ] RADIATOR_CONFIG=/etc/radiator/radius.cfg -[ -z ${RADIUSD_PIDFILE} ] RADIUSD_PIDFILE=/var/run/radiator.pid +[ -z ${RADIUSD_PIDFILE} ] RADIUSD_PIDFILE=/var/log/radius/radiusd.pid [ -z ${RADIATOR_ARGS} ] RADIATOR_ARGS= [ -z ${RADIUSD_ARGS} ] RADIUSD_ARGS=-pid_file $RADIUSD_PIDFILE -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS 
@@ -60,10 +60,7 @@ elif [ -x /sbin/start-stop-daemon ]; then # Debian STARTPROC=/sbin/start-stop-daemon --start --pidfile ${RADIUSD_PIDFILE} --exec $RADIUSD -- $RADIUSD_ARGS -CHECKPROC= -if [ -f ${RADIUSD_PIDFILE} ]; then CHECKPROC=ps -fp `cat ${RADIUSD_PIDFILE}` -fi KILLPROC=/sbin/start-stop-daemon --stop --pidfile ${RADIUSD_PIDFILE} RELOADPROC=/sbin/start-stop-daemon --stop --signal HUP --pidfile ${RADIUSD_PIDFILE} TRACEUPPROC=/sbin/start-stop-daemon --stop --signal USR1 --pidfile ${RADIUSD_PIDFILE} @@ -93,7 +90,6 @@ fi if [ ! -x $RADIUSD ]; then -echo Unable to find executable radiusd binary! exit 0 fi
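Review bot: the diff was taken as `diff -u radiator /root/Radiator-4.8/goodies/linux-radiator.init`, so the locally modified /etc/init.d/radiator is the "old" side and every change the mail describes shows up as a `-` line; applied to the goodies script with patch, the first hunk would turn `# pidfile: /var/run/radiator.pid` back into `# pidfile: /var/log/radius/radiusd.pid`. Swap the two arguments (goodies file first) or apply with `patch -R` so the /var/run location the mail argues for is what actually gets installed.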
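Review bot: in the `@@ -41,9` hunk the default pidfile becomes /var/run/radiator.pid, yet the mail itself says a non-root radiusd needs a subdirectory of /var/run that the service user owns; /var/run is root-writable, so the default should point into such a subdirectory (and the script should create it), otherwise the start fails as soon as the daemon drops privileges. Also, the lines as shown read `[ -z ${RADIUSD} ] RADIUSD=/usr/local/bin/radiusd` with nothing between the test and the assignment, and `RADIUSD_ARGS=-pid_file $RADIUSD_PIDFILE -config_file ...` with no quotes around the multi-word value; the submitted patch needs the `&&` and the quotes, or sh reports a missing `]` on the first and tries to execute the pidfile path as a command on the second.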
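Review bot: the CHECKPROC in the `@@ -60,10` hunk runs ps -fp `cat ${RADIUSD_PIDFILE}` whenever the pidfile exists, without checking that the file holds a number; an empty or stale pidfile hands ps an empty argument and the status action fails with a confusing usage error. Guard it with a validity test such as `pid=$(cat "${RADIUSD_PIDFILE}"); [ -n "$pid" ] && kill -0 "$pid"` before calling ps. In the same branch, STARTPROC invokes start-stop-daemon without --background, which only works while RADIUSD_ARGS carries -daemon; if -daemon is ever replaced by -foreground (as the 2011-05-18 mail in this archive reports doing), --background has to be added, and a comment saying so would save the next person the debugging.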
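Review bot: in the `@@ -93,7` hunk the branch `if [ ! -x $RADIUSD ]; then echo Unable to find executable radiusd binary! exit 0 fi` prints the message and then exits 0, so `service radiator start` reports success to the caller and to anything scripting it even though nothing was started; LSB reserves status 5 for "program is not installed". Send the message to stderr and `exit 5`, and, as the mail suggests, test `-f` before `-x` so that "not found" and "not executable" are told apart in the message.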
Re: [RADIATOR] radiator exists on ClientSQL timeout
Hi,
I was referring to the MaxChildren config option which we don't use.
Adding the -b option to start-stop-daemon and replacing -daemon with -foreground did the trick.
It occurs approximately once per day, maybe a Monday-morning bug.

Best regards, Alex

On 2011-05-16 23:02, Heikki Vatiainen wrote:
> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
> > I haven't configured forking so we should be safe.
>
> Sorry, I may have been a bit unclear about which fork I was meaning. When Radiator is started without --foreground it will fork. If Fork has been configured for an AuthBy, Radiator will fork an additional copy to handle that authentication. What is important is that there are no forks, not even the initial fork when Radiator backgrounds itself.
>
> If possible, can you send your configuration file. If not possible, I would like to know if you are using Log SQL. If you are, try creating another username that Log SQL uses for accessing the DB. This will give SQL logging another DB handle which may help. This is mentioned in 4.8 ref.pdf.
>
> > On 2011-05-16 19:05, Heikki Vatiainen wrote:
> > > On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
> > > > My init file is from the goodies dir.
> > >
> > > Ok, then we have to work around Debian specific things a bit.
> > >
> > > > Because I'm running debian the command used is
> > > > /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS
> > > > where $RADIUSD_ARGS is the default of
> > > > -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS
> > > > I've now changed it to:
> > > > [ -z ${RADIUSD_ARGS} ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log 2> /var/log/radiator/stderr.log"
> > > > The -foreground option isn't compatible with start-stop-daemon but I hope -log_stdout is compatible with -daemon too.
> > >
> > > That may not work since -foreground keeps Radiator from forking and closing stdout. In other words, -foreground is needed for catching all messages.
> > >
> > > Would it be possible to do the following:
> > > 1. Start Radiator with unmodified start script
> > > 2. Observe what the actual command is (radiusd + all arguments)
> > > 3. Run radiusd from command line with the observed arguments plus -foreground and -log_stdout
> > >
> > > Thanks again!
Re: [RADIATOR] tacacs+ GroupMemberAttr per client
Use different handlers for the tacacs clients. You can use ClientListSQL or ClientListLDAP if you already have the devices with their ips in a database or ldap directory.

BR Alex

On 2011-05-17 23:28, James wrote:
> Is there a way to set GroupMemberAttr per client? I want some devices to pull attributeX from an LDAP server, while another set of TACACS+ clients should pull attributeY. What's the best way to go about doing this without starting many, many different Radiator instances (one for each different group of devices)?
>
> -james
[RADIATOR] radiator exists on ClientSQL timeout
Hi guys,
radiator exits when encountering a sql timeout:

Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout

I've already upgraded it from 4.7+patches to 4.8 but the problem persists. We had problems with tcp connections closed by an intermediate firewall in the past without a solution.
Which logs etc. do you need from our side to troubleshoot the bug?

Best regards, Alex
Re: [RADIATOR] radiator exists on ClientSQL timeout
Hi Heikki,
this one runs on a debian 4 vm using the distro perl version 5.8.8. DBI is version 1.616, DBD::Oracle version 1.28 with instantclient 11.2.0.2.0.
Do you have a suggestion what to add to the init script to redirect those messages to a logfile?

Best regards, Alex

On 2011-05-16 14:19, Heikki Vatiainen wrote:
> On 05/16/2011 02:26 PM, Alexander Hartmaier wrote:
>
> Hello Alexander,
>
> > radiator exits when encountering a sql timeout:
> > Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
> > I've already upgraded it from 4.7+patches to 4.8 but the problem persists. We had problems with tcp connections closed by an intermediate firewall in the past without a solution.
> > Which logs etc. do you need from our side to troubleshoot the bug?
>
> Thanks for the report. Please tell us your operating system, perl DBI and DBD module versions and which DBD you are currently using (mysql, Pg, Oracle, etc.).
>
> If you could run Radiator with the -log_stdout and -foreground radiusd options (or the config file LogStdout and Foreground) and keep it running on a console you have access to, you may be able to see what additional debug information might come from DBI, DBD or some other component. Since the libraries Radiator uses do not know about Radiator's logfile, there is a chance their messages otherwise get lost. In many cases running with LogStdout and Foreground gives more information about the reason for exit.
>
> Thanks!
Re: [RADIATOR] radiator exists on ClientSQL timeout
My init file is from the goodies dir.
Because I'm running debian the command used is
/sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS
where $RADIUSD_ARGS is the default of
-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS
I've now changed it to:
[ -z ${RADIUSD_ARGS} ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log 2> /var/log/radiator/stderr.log"
The -foreground option isn't compatible with start-stop-daemon but I hope -log_stdout is compatible with -daemon too.

Best regards, Alex

On 2011-05-16 17:58, Heikki Vatiainen wrote:
> On 05/16/2011 06:21 PM, Alexander Hartmaier wrote:
> > this one runs on a debian 4 vm using the distro perl version 5.8.8. DBI is version 1.616, DBD::Oracle version 1.28 with instantclient 11.2.0.2.0.
> > Do you have a suggestion what to add to the init script to redirect those messages to a logfile?
>
> The radiusd arguments are -log_stdout and -foreground. Note: normally radiusd will detach from the terminal and let the init script finish. With the -foreground option this may not happen (depends on the startup script), so you should not leave the options there when the system boots. I would use these options from a terminal that I can leave running, especially if there's a test server available that can be used for troubleshooting.
>
> If you can not run Radiator from the command line, you could try starting Radiator with something like this:
>
> radiusd <options> > /var/log/radiator/stdout.log 2> /var/log/radiator/stderr.log &
>
> Here <options> would contain the normal radiusd options and include -log_stdout and -foreground. Both stdout and stderr are directed to a file and & puts radiusd to background.
>
> > Best regards, Alex
> >
> > On 2011-05-16 14:19, Heikki Vatiainen wrote:
> > > On 05/16/2011 02:26 PM, Alexander Hartmaier wrote:
> > >
> > > Hello Alexander,
> > >
> > > > radiator exits when encountering a sql timeout:
> > > > Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout
> > > > I've already upgraded it from 4.7+patches to 4.8 but the problem persists. We had problems with tcp connections closed by an intermediate firewall in the past without a solution.
> > > > Which logs etc. do you need from our side to troubleshoot the bug?
> > >
> > > Thanks for the report. Please tell us your operating system, perl DBI and DBD module versions and which DBD you are currently using (mysql, Pg, Oracle, etc.).
> > >
> > > If you could run Radiator with the -log_stdout and -foreground radiusd options (or the config file LogStdout and Foreground) and keep it running on a console you have access to, you may be able to see what additional debug information might come from DBI, DBD or some other component. Since the libraries Radiator uses do not know about Radiator's logfile, there is a chance their messages otherwise get lost. In many cases running with LogStdout and Foreground gives more information about the reason for exit.
> > >
> > > Thanks!
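A minimal POSIX sh start routine, added here as an example and not taken from the Radiator goodies init script or from any post in this thread, that puts together the points raised in these mails and in the init script patch: defaults set with the script's [ -z ... ] && idiom, a pidfile in a /var/run subdirectory, -f tested before -x on the binary with LSB exit codes instead of exit 0, and radiusd run with -foreground -log_stdout with its stdout/stderr redirected to files and backgrounded by the shell as Heikki describes. The RADIATOR_RUNDIR and RADIATOR_LOGDIR variables and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not the goodies init script: start routine applying the
# points from the thread.
#  - defaults via the "[ -z ... ] && VAR=..." idiom the goodies script uses
#  - pidfile under /var/run (LSB) in a subdirectory the service user can write
#  - binary tested with -f before -x, failing with LSB status codes, not exit 0
#  - radiusd kept in the foreground (-foreground -log_stdout) so messages from
#    DBI/DBD are not lost when it would otherwise fork and close stdout;
#    stdout/stderr go to files and this shell backgrounds the process itself
# RADIATOR_RUNDIR, RADIATOR_LOGDIR and the function names are assumptions.

[ -z "${RADIUSD}" ]         && RADIUSD=/usr/local/bin/radiusd
[ -z "${RADIATOR_CONFIG}" ] && RADIATOR_CONFIG=/etc/radiator/radius.cfg
[ -z "${RADIATOR_RUNDIR}" ] && RADIATOR_RUNDIR=/var/run/radiator
[ -z "${RADIUSD_PIDFILE}" ] && RADIUSD_PIDFILE=$RADIATOR_RUNDIR/radiusd.pid
[ -z "${RADIATOR_LOGDIR}" ] && RADIATOR_LOGDIR=/var/log/radiator
[ -z "${RADIUSD_ARGS}" ]    && RADIUSD_ARGS="-pid_file $RADIUSD_PIDFILE -config_file $RADIATOR_CONFIG -foreground -log_stdout $RADIATOR_ARGS"

# check_binary PATH: 0 if PATH is an executable file, else an LSB init status:
# 5 = program is not installed, 4 = user had insufficient privilege
# (the file exists but cannot be executed by us).
check_binary() {
    if [ ! -f "$1" ]; then
        echo "radiusd binary $1 not found" >&2
        return 5
    fi
    if [ ! -x "$1" ]; then
        echo "radiusd binary $1 is not executable" >&2
        return 4
    fi
    return 0
}

# start_logged BIN PIDFILE LOGDIR ARGS...: run BIN in the foreground with its
# stdout/stderr appended to LOGDIR/stdout.log and LOGDIR/stderr.log, background
# it from the shell and record its pid. Because BIN does not daemonize itself,
# $! is the real daemon pid, not a parent that exits right away.
start_logged() {
    bin=$1; pidfile=$2; logdir=$3; shift 3
    check_binary "$bin" || return $?
    mkdir -p "$logdir" "$(dirname "$pidfile")" || return 1
    "$bin" "$@" >>"$logdir/stdout.log" 2>>"$logdir/stderr.log" &
    echo $! >"$pidfile"
}

# is_running PIDFILE: 0 if the pidfile names a live process, 1 otherwise.
# An empty or stale pidfile is reported as "not running", never passed to ps.
is_running() {
    pid=$(cat "$1" 2>/dev/null)
    [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null
}

# Typical start call from an init script (left commented so the file can be
# sourced for testing):
# start_logged "$RADIUSD" "$RADIUSD_PIDFILE" "$RADIATOR_LOGDIR" $RADIUSD_ARGS
```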
Re: [RADIATOR] radiator exists on ClientSQL timeout
I haven't configured forking so we should be safe.

On 2011-05-16 19:05, Heikki Vatiainen wrote:
> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
> > My init file is from the goodies dir.
>
> Ok, then we have to work around Debian specific things a bit.
>
> > Because I'm running debian the command used is
> > /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS
> > where $RADIUSD_ARGS is the default of
> > -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS
> > I've now changed it to:
> > [ -z ${RADIUSD_ARGS} ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log 2> /var/log/radiator/stderr.log"
> > The -foreground option isn't compatible with start-stop-daemon but I hope -log_stdout is compatible with -daemon too.
>
> That may not work since -foreground keeps Radiator from forking and closing stdout. In other words, -foreground is needed for catching all messages.
>
> Would it be possible to do the following:
> 1. Start Radiator with unmodified start script
> 2. Observe what the actual command is (radiusd + all arguments)
> 3. Run radiusd from command line with the observed arguments plus -foreground and -log_stdout
>
> Thanks again!
Re: [RADIATOR] Windows Server 2008 R2
Strawberry Perl is the Perl of choice on Windows these days: http://strawberryperl.com

Best regards, Alex

On 2011-04-07 00:13, Heikki Vatiainen wrote:
> On 04/06/2011 05:09 PM, Remco van Noorloos wrote:
> > We are planning to install Radiator on a Windows Server 2008 R2 server. I checked the reference manual but only Windows Server 2003 is mentioned as supported. Is Windows Server 2008 supported or should I use a Windows 2003 server?
>
> I have myself used Windows Server 2008. I do not see any reason why 2008 R2 should not work too. The main thing is ActivePerl. If ActivePerl works well, then Radiator should not be a problem. If there are problems, then there is the option of going back to 2003.
>
> Best regards, Heikki
[RADIATOR] RHEL4 and the new init script
Hi,
after updating our primary radius servers to Radiator 4.7 I've tried the new linux init script which now supports starting and stopping multiple radius processes.
I've found out that it doesn't work with RHEL4 because its killproc function defined in /etc/init.d/functions doesn't support the -p attribute and fails miserably in parsing the function call.
As a workaround we've copied the functions file from a RHEL5 box to /etc/init.d/function-rhel5 and changed the lines checking for the file and the one loading it:

[root@radius1 init.d]# diff /etc/init.d/radiator /opt/Radiator-4.7/goodies/linux-radiator.init 48c48 if [ -f /etc/init.d/functions-rhel5 ]; then --- if [ -f /etc/init.d/functions ]; then 50c50 . /etc/init.d/functions-rhel5 --- . /etc/init.d/functions

@Hugh: maybe you can add a note to the patches webpage and the init script stating the minimum required version per dist.

--
Alexander Hartmaier alexander.hartma...@t-systems.at
T-Systems Austria GesmbH
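Review bot: the path in the prose (/etc/init.d/function-rhel5) and the one in the 48c48 and 50c50 hunks (/etc/init.d/functions-rhel5) differ by an "s"; anyone following the mail copies the file under one name while the script tests for the other, and because the `if [ -f ... ]` guard silently falls through, the RHEL5 functions file is simply never loaded and killproc fails exactly as before. Use the same name in both places. Also, diff was run with /etc/init.d/radiator as the first argument and the `<`/`>` line markers did not survive, so for readers: the functions-rhel5 lines are the local change and the plain functions lines are the shipped script.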
Re: [RADIATOR] refresh time on clientlistsql
Hi Mike,
I've just done this as a workaround but still think Radiator should close the database connection between refresh intervals.
Why don't you want to use CPAN modules? You can ship known working versions bundled with Radiator.

--
Best regards, Alex

On Thu, 2010-10-28 at 23:31 +0200, Mike McCauley wrote:
> Hello Alexander,
> maybe you could reduce the RefreshPeriod in your ClientListSQL to less than an hour (or whatever the retain time in the firewall is) so the SQL session stays up?
>
> Cheers.
>
> On Friday 29 October 2010 12:36:02 am Alexander Hartmaier wrote:
> > Still happens with newest DBI and DBD::Oracle. I assume radiator doesn't close the db connection and a firewall removes it from its state table which leads to dropped packets after an hour when radiator tries to use the db connection again.
> > You might want to look into DBIx::Connector which handles some problems automatically.