Re: [RADIATOR] [RFC] configurable hooks
Hello,

On Thursday, February 07, 2013 04:29:56 PM Alexander Hartmaier wrote:
> On 2013-02-07 16:13, Heikki Vatiainen wrote:
> > On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
> > > I've looked into it today and have some questions:
> > >
> > > - is it safe to assume that the list of arguments passed to the
> > > ChallengeHook in my case is always ($self, $user, $p, $context)? If
> > > one arg is missing my added arguments would shift and populate the
> > > wrong variables. I was thinking about passing them by name in a
> > > hashref as first instead of last argument instead.
> >
> > Passing your arguments first would certainly work and would guard
> > against the problems that might come if arguments were added or
> > removed from ChallengeHook. I'd say it's a good idea to put your own
> > arguments first.
>
> Will do that, thanks!
>
> > > - is it safe to die in hook code or will that tear down the Radiator
> > > process? I'm asking because that's the preferred way of doing
> > > argument validation, e.g. die 'id missing' unless defined $id;
> >
> > It should be safe since hooks are run within eval block and if there
> > are errors, they are caught and ERR with 'Error in $hookname...' is
> > logged.
>
> Is that documented somewhere? Couldn't find it in the docs.

The documentation of hook processing has been enlarged to cover this and
other topics in the Reference manual for the next release.

Thanks.

Cheers.

> > > Another note, I've used %D instead of the hardcoded path which works
> > > just as well:
> > >
> > > StartupHook sub { require %D/MyHooks.pm; }
> >
> > Based on your other messages, there were issues with this which were
> > then solved. Is everything working for you now?
> >
> > Thanks,
> > Heikki
>
> %D doesn't work, but my problem arose when I changed the StartupHook
> from a single line to multiple lines without terminating them with \.
> Works now but it would be great if Radiator logged such an error.
>
> Cheers, Alex
>
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b
> Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately.

--
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] F5 BigIP vendor specific attributes
Hello Alexander,

Thanks, added to the latest patch set.

Question though: It appears like the values for F5-LTM-User-Role are a bit like HEX bitmasks, but they are presented here as decimal. Any idea which is correct?

On Wednesday, January 09, 2013 05:08:51 PM Alexander Hartmaier wrote:
> Hi guys,
> please add those to the dictionary (taken from http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):
>
> #
> # F5 BigIP
> #
> VENDOR F5 3375
> VENDORATTR 3375 F5-LTM-User-Role 1 integer
> VENDORATTR 3375 F5-LTM-User-Role-Universal 2 integer # enable/disable
> VENDORATTR 3375 F5-LTM-User-Partition 3 string
> VENDORATTR 3375 F5-LTM-User-Console 4 integer # enable/disable
> VENDORATTR 3375 F5-LTM-User-Shell 5 string # supported values are disable, tmsh, and bpsh
> VENDORATTR 3375 F5-LTM-User-Context-1 10 integer
> VENDORATTR 3375 F5-LTM-User-Context-2 11 integer
> VENDORATTR 3375 F5-LTM-User-Info-1 12 string
> VENDORATTR 3375 F5-LTM-User-Info-2 13 string
> VALUE F5-LTM-User-Role Administrator 0
> VALUE F5-LTM-User-Role Resource-Admin 20
> VALUE F5-LTM-User-Role User-Manager 40
> VALUE F5-LTM-User-Role Auditor 80
> VALUE F5-LTM-User-Role Manager 100
> VALUE F5-LTM-User-Role App-Editor 300
> VALUE F5-LTM-User-Role Operator 400
> VALUE F5-LTM-User-Role Guest 700
> VALUE F5-LTM-User-Role Policy-Editor 800
> VALUE F5-LTM-User-Role No-Access 900
> VALUE F5-LTM-User-Role-Universal Disabled 0
> VALUE F5-LTM-User-Role-Universal Enabled 1
> VALUE F5-LTM-User-Console Disabled 0
> VALUE F5-LTM-User-Console Enabled 1
>
> --
> Best regards, Alexander Hartmaier

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Radiator Version 4.11 released
to support Diameter client and server required for new Diameter Wx support in Radius-EAP-SIM.

Fixed a problem that caused incorrect RecvTime in tunnelled PEAP requests.

Implemented checkproc for SuSE in linux-radiator.init. Contributed by Aeneas Jaißle (sewikom GmbH).

Added support for PostDiaToRadiusConversionHook and PostRadiusToDiaConversionHook to Server DIAMETER.

Refactoring of md5 and mschapv2 challenge code prior to integrating Heimdal digest support.

Added new module AuthBy HEIMDALDIGEST with example configuration and test setup instructions. Authenticates from Heimdal Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance of Fredrik Pettai. Originally written by Klas Lindfors. Contributed by Stefan Wold of Stockholm University.

Fixed a problem where file:filename syntax in configuration file could cause strange error messages in hooks if the filename was not found.

Fixed a problem where PidFile could be incorrectly deleted if any child was killed in a farm. Now it is only deleted if the farm parent is shut down.

Fixed a problem in server farms where if a child process was STOPped or hung, the graceful shutdown process could also hang, resulting in possible failure to restart all children correctly.

Improvement to Linux startup script to better handle the case where Radiator fails to exit cleanly after stop command.

Improvements to SNMP.pm snmpget, so that failures due to Unknown Object Identifier are detected. Suggested by Michael.

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Heimdal Kerberos support added
OSC is pleased to announce that Radiator RADIUS Server now has native support for authentication with Heimdal Kerberos (http://www.h5l.org/).

Heimdal Kerberos is an implementation of Kerberos 5 largely written in Sweden. It is freely available under a three clause BSD style license. Kerberos 5 (RFC 4120) is a highly secure system for authenticating and controlling access to computer resources.

The new Radiator AuthBy HEIMDALDIGEST module works with Heimdal Kerberos to authenticate users against a Heimdal Kerberos Key Distribution Centre (KDC). The advantage of using the AuthBy HEIMDALDIGEST module is that (unlike other Kerberos based RADIUS authentication systems) a wide range of authentication protocols can be supported, including RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2), allowing more flexible integration of modern, widely used authentication protocols with a secure authentication back end.

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Dictionary Addition
Hi,

Thanks. Added to the latest patch set.

Cheers.

On Thursday, October 04, 2012 10:56:11 AM Lucas Hazel wrote:
> Here's another one for you :)
>
> # Procera
> VENDOR Procera 12913
> VENDORATTR 12913 Procera-Local-User-Name 1 string
>
> On 28/09/12 07:18, Mike McCauley wrote:
> > Hi,
> >
> > Added to dictionary. Thanks.
> >
> > Cheers.
> >
> > On Thursday, September 27, 2012 01:30:48 PM Caporossi, Steve G. wrote:
> > > We have a system that required these being added to the radius dictionary. Thought I'd pass it along in case anyone else needed them.
> > >
> > > #
> > > # Opnet
> > > #
> > > VENDOR Network-Physics 7119
> > > VENDORATTR 7119 NetworkPhysics-Attribute 33 string
> > >
> > > Thanks, Steve

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Dictionary Addition
Hi,

Added to dictionary. Thanks.

Cheers.

On Thursday, September 27, 2012 01:30:48 PM Caporossi, Steve G. wrote:
> We have a system that required these being added to the radius dictionary. Thought I'd pass it along in case anyone else needed them.
>
> #
> # Opnet
> #
> VENDOR Network-Physics 7119
> VENDORATTR 7119 NetworkPhysics-Attribute 33 string
>
> Thanks, Steve

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] AuthBy SQLTOTP doc bugs
Hi Ray,

On Wednesday, August 22, 2012 04:26:34 PM Roy Badami wrote:
> While playing with the AuthBy SQLTOTP module, I came across a couple of errors in the documentation of the AuthSelect parameter (section 5.82.2 of the reference manual).
>
> * The description and default query are missing field 6 (last_timestep). This is particularly unfortunate, because if you use the query from the documentation, or a similar query based on it that omits field 6, then you lose replay protection. (The actual default query in AuthSQLTOTP.pm is correct, however.)

Fixed for the next release.

> * The documentation describes field 0 as the HEX encoded AES secret. In fact, TOTP does not use AES, it uses HMAC-SHA1.

Fixed for the next release.

> The SQLHOTP doc contains the same error re AES - I haven't verified the query in the doc as I've not played with that module.

Fixed for the next release. Also updated examples in goodies in the latest patch set.

Thanks for reporting these.

Cheers.

> Regards
> roy

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Minor AuthBy SQLTOTP bug
Hi Roy,

thanks for reporting this. It is fixed in the latest patch set. We apologise for any inconvenience.

Cheers.

On Wednesday, August 22, 2012 05:34:13 PM Roy Badami wrote:
> Also potentially a (very minor) code bug in AuthSQLTOTP.pm
>
> checkTOTP() doesn't correctly handle the case where $last_timestep is undefined (due to a NULL in the database) if the PIN check fails.
>
> The code does contain the line:
>
> $last_timestep += 0; # In case database has NULL
>
> but this line is skipped if the PIN is incorrect, leading to incorrect SQL (at least in the case of postgres, which is my platform of choice)
>
> Assuming the initial value of last_timestep is NULL (which is permitted by the sample schema in totp.sql) then you get an SQL error if the first ever log-in attempt involves typing an incorrect PIN:
>
> Wed Aug 22 17:22:03 2012: DEBUG: Query to 'dbi:Pg:dbname=radiator': 'SELECT secret, active, pin, digits, bad_logins, EXTRACT(EPOCH FROM accessed), last_timestep FROM totpkeys WHERE username='roy-test'':
> Wed Aug 22 17:22:03 2012: DEBUG: do query to 'dbi:Pg:dbname=radiator': 'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where username='roy-test'':
> Wed Aug 22 17:22:03 2012: ERR: do failed for 'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where username='roy-test'': ERROR: syntax error at or near where
> LINE 1: ... set accessed=now(), bad_logins=1, last_timestep= where user...
>                                                              ^
>
> Regards
> roy

--
Mike McCauley, Open System Consultants Pty. Ltd
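The two SQLTOTP threads above (the AuthSelect documentation that dropped last_timestep, and the NULL last_timestep on the wrong-PIN path) come down to one check, shown here as an added Python example that is not Radiator's code and not AuthSQLTOTP.pm: TOTP is HMAC-SHA1 per RFC 6238, last_timestep is what gives replay protection, and it has to be normalised on every path before the row is written back. The column names follow the thread's query and log lines; the secret is the RFC 6238 reference key and the row values are constructed for the example.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 code for one counter value. TOTP is this over the time step,
    keyed with HMAC-SHA1 (no AES is involved anywhere)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(row: dict, submitted: str, now: int, period: int = 30, window: int = 1):
    """Check a PIN+code string against one totpkeys row.

    row carries the columns the thread's AuthSelect should return:
    secret (hex encoded), active, pin, digits, bad_logins, last_timestep.
    Returns (accepted, updates); updates holds the columns to write back.
    """
    # Normalise a NULL last_timestep before any branch can return, so that
    # the PIN-failure path can never hand an undefined value to the UPDATE.
    last = int(row["last_timestep"] or 0)
    updates = {"bad_logins": int(row["bad_logins"] or 0), "last_timestep": last}
    if not row["active"]:
        return False, updates

    pin = row["pin"] or ""
    digits = int(row["digits"] or 6)
    if len(submitted) != len(pin) + digits:
        updates["bad_logins"] += 1
        return False, updates
    # Constant-time PIN comparison; a wrong PIN is counted but still writes
    # back the normalised last_timestep (this is the path the bug report hit).
    if not hmac.compare_digest(submitted[:len(pin)], pin):
        updates["bad_logins"] += 1
        return False, updates

    code = submitted[len(pin):]
    secret = bytes.fromhex(row["secret"])
    current = now // period
    for step in range(current - window, current + window + 1):
        # Replay protection: a code for a step already used (or earlier) is
        # never accepted, which is exactly what dropping field 6 would lose.
        if step <= last:
            continue
        if hmac.compare_digest(hotp(secret, step, digits), code):
            updates["bad_logins"] = 0
            updates["last_timestep"] = step
            return True, updates
    updates["bad_logins"] += 1
    return False, updates


def update_statement(username: str, updates: dict):
    """Parameterised write-back for the row. Binding the values (rather than
    interpolating them into the SQL text) means a None could only ever become
    NULL, never the empty 'last_timestep= where' fragment seen in the log."""
    sql = ("UPDATE totpkeys SET accessed=now(), bad_logins=%s, last_timestep=%s "
           "WHERE username=%s")
    return sql, (updates["bad_logins"], updates["last_timestep"], username)


# Constructed sample: the RFC 6238 reference secret "12345678901234567890",
# stored hex encoded as the AuthSelect column is, with a NULL last_timestep
# as the sample schema permits for a key that has never been used.
SAMPLE_ROW = {
    "secret": "3132333435363738393031323334353637383930",
    "active": 1,
    "pin": "1234",
    "digits": 6,
    "bad_logins": 0,
    "last_timestep": None,
}

if __name__ == "__main__":
    # At T=59 the RFC 6238 SHA-1 vector is 94287082; 6 digits keeps 287082.
    print(check_totp(SAMPLE_ROW, "1234287082", now=59))
    # Wrong PIN on a never-used key: the write-back still carries 0, not NULL.
    print(update_statement("roy-test", check_totp(SAMPLE_ROW, "9999287082", now=59)[1]))
```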
Re: [RADIATOR] Vasco token support
Hi Heikki,

On Thursday, August 23, 2012 09:35:06 PM Heikki Vatiainen wrote:
> On 08/23/2012 08:40 PM, Roy Badami wrote:
> > Our supplier has confirmed that Digipass authentication (time-based) is the default mode.
>
> Ok, sounds like it has not changed lately.
>
> > However they were not aware of RADIATOR and seemed to be concerned that this was 'not supported by Vasco'. Should I be concerned? I've used GO-1 tokens with RADIATOR before, but I just don't want to risk ending up with a large batch of new tokens and then finding they don't work with RADIATOR. Is RADIATOR no longer Vasco-certified?
>
> Hmm, everything should be just fine with Vasco and Radiator. I'll check the latest status and get back to you soon.

Nothing has changed with Radiator certification with Vasco as far as we know. Radiator is Vasco certified.

Cheers.

> Thanks,
> Heikki

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Support for 3M SIP 2.0 in libraries
Hi All,

We are pleased to announce that Radiator now supports authentication with 3M Standard Interchange Protocol (SIP) 2.0.

SIP (not to be confused with VOIP Session Initiation Protocol) is a protocol used in many book libraries to communicate between library self service terminals and a central Automatic Circulation System (ACS). It is usually used to check books in and out, extend loans etc. http://en.wikipedia.org/wiki/Standard_Interchange_Protocol

The new AuthBy SIP2 module allows Radiator to authenticate RADIUS, Diameter and TACACS requests against an ACS using the library patron name and password. Protocols such as RADIUS-PAP, EAP-GTK, PEAP-GTK, TTLS-PAP etc can be supported with SIP2. This will make it practical and easy to implement WiFi and Captive Portal systems in libraries for the use of library patrons.

Support for AuthBy SIP2, along with sample configurations and testing guidelines, is available in the latest Radiator patch set for Radiator 4.10.

Cheers.

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Radiator Version 4.10 released
option -chap_nc that sends a RADIUS CHAP request, but in the old-fashioned way, with the CHAP Challenge in the authenticator, and not in a separate CHAP-Challenge attribute.

Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org

Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP codes to Google Authenticator. Converts hex codes to base 32.

Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.

Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is enabled, use only Status-Server requests (if any) to determine that a target server is failed when there is no reply. If not enabled (the default) use no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable this, you should also ensure KeepaliveTimeout is set to a sensible interval to balance between detecting failures early and loading the target server. KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can be idle before a Status-Server request is sent to keep the connection alive. Defaults to 0 seconds.

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Raspberry Pi
Hi All,

Electronics enthusiasts may like to know that we have successfully tested Radiator on Raspberry Pi running debian6-19-04-2012. It runs out of the box. http://www.raspberrypi.org/

Cheers.

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Anagran traffic manager - radius dictionary attributes
Hi Bob,

thanks. This is now in the latest patch set.

Cheers.

On Thursday, June 21, 2012 06:08:59 AM Bob Shafer wrote:
> This might be of use to others...
>
> I *thought* I had sent these to the list when we first set up our Anagran traffic manager, however I can't find such a message in my sent archive, so this time I really will send them ;)
>
> To implement management levels for the traffic manager we have added the following entries to our dictionary:
>
> #
> # Vendor specifics for Anagran
> #
> VENDOR ANA 23093
> VENDORATTR 23093 Anagran-Privilege-Level 0 integer
> VALUE Anagran-Privilege-Level exec 1
> VALUE Anagran-Privilege-Level privilege 2
> VALUE Anagran-Privilege-Level privilege-config 3
>
> Thanks,
> Bob Shafer
> University of Denver

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Added support for EAP-PWD per RFC 5931
Hello,

We are pleased to announce that Radiator now supports EAP-PWD authentication.

EAP-PWD is highly secure (the password is never transmitted, even in encrypted form), and does not require PKI certificates, and also requires only 3 authentication round-trips. So it is considered efficient to roll out in e.g. Eduroam and other environments.

Requires that the Radiator user database has access to the correct plaintext password.

Sample configuration file and patch for Crypt-OpenSSL-Bignum-0.04 is included.

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] Digest::SHA
Hi All,

Until now, Radiator and other products in the family used a mixture of Digest::SHA and Digest::SHA1, sometimes optionally and sometimes absolutely.

We recently issued patches for Radiator and friends to always use Digest::SHA instead of Digest::SHA1. We think this will make installation easier for most implementers: Digest::SHA has more features, and is now included standard with modern Perl distros. By comparison, Digest::SHA1 is now not readily available for some Linux distros. So we have elected to use _only_ Digest::SHA, and it will now be an absolute prerequisite (not an optional one).

These changes are in the latest patch set and will be in the next release 4.10, due out soon.

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] RadSec - RADIUS/TLS RFC
Thanks Alex.

Stefan Winter deserves much of the credit for shepherding it through IETF.

On Thursday, May 31, 2012 10:51:31 AM Alexander Hartmaier wrote:
> Congratulations on getting RadSec into an RFC!
> Radiator and its configuration is even mentioned in the appendix.
> http://www.rfc-editor.org/rfc/rfc6614.txt
>
> --
> Cheers, Alex

--
Mike McCauley, Open System Consultants Pty. Ltd
[RADIATOR] EAP-AKA module now supports fast reauthentication and pseudonyms
Hi All,

we are pleased to announce that the latest version 1.33 of the Radiator RADIUS EAP-SIM/EAP-AKA bundle now includes support for: Fast Reauthentication and Pseudonyms (TMSI) for both EAP-AKA and EAP-AKA-PRIME. This complements the existing similar support for EAP-SIM.

Details at http://www.open.com.au/eap-sim

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
Hi,

sorry, don't have any info on Cisco. There are 2 compliant implementations mentioned in the RFC.

Cheers.

On Wednesday, May 30, 2012 09:18:40 AM Alexander Hartmaier wrote:
> Thanks for the info Mike!
> Do you know which devices support it? We're mainly interested in Cisco gear.
>
> Best regards, Alex
>
> On 2012-05-29 22:46, Mike McCauley wrote:
> > RadSec is now an official RFC.
> >
> > -- Forwarded Message --
> >
> > Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
> > Date: Tuesday, May 29, 2012, 09:38:40 AM
> > From: rfc-edi...@rfc-editor.org
> > To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
> > CC: rad...@ietf.org, rfc-edi...@rfc-editor.org
> >
> > A new Request for Comments is now available in online RFC libraries.
> >
> > RFC 6614
> >
> > Title: Transport Layer Security (TLS) Encryption for RADIUS
> > Author: S. Winter, M. McCauley, S. Venaas, K. Wierenga
> > Status: Experimental
> > Stream: IETF
> > Date: May 2012
> > Mailbox: stefan.win...@restena.lu, mi...@open.com.au, s...@cisco.com, kl...@cisco.com
> > Pages: 22
> > Characters: 48004
> > Updates/Obsoletes/SeeAlso: None
> >
> > I-D Tag: draft-ietf-radext-radsec-12.txt
> >
> > URL: http://www.rfc-editor.org/rfc/rfc6614.txt
> >
> > This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]
> >
> > This document is a product of the RADIUS EXTensions Working Group of the IETF.
> >
> > EXPERIMENTAL: This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
> >
> > This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see
> > http://www.ietf.org/mailman/listinfo/ietf-announce
> > http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
> >
> > For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
> > For downloading RFCs, see http://www.rfc-editor.org/rfc.html.
> >
> > Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.
> >
> > The RFC Editor Team
> > Association Management Solutions, LLC
> >
> > ___
> > radext mailing list
> > rad...@ietf.org
> > https://www.ietf.org/mailman/listinfo/radext

--
Mike McCauley, Open System Consultants Pty. Ltd
Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
Hi,

On Wednesday, May 30, 2012 09:46:04 AM Fredrik Pettai wrote:
> Hi,
>
> We are pushing it on the Cisco Wireless, ISE and NCS dev teams. AFAIK, there is no Cisco gear (nor other (wireless) vendor) that supports RADSEC. (Please correct me if I'm wrong...)

Some years ago I tested (successfully) a Lancom L-54g wireless Access Point which implemented RadSec. I don't know if it or equivalent is still available.

Cheers.

> You (and everybody else that wants to see RADSEC implemented in their Cisco gear) should nag your Cisco contacts about it, so this becomes a more important business case and thus gets higher priority. That's how it works...
>
> It's good that you (and other people) who come from the commercial side also start asking for RADSEC support, because AFAIK only the higher education customers have asked / nagged Cisco about this earlier...
>
> Re,
> /P
>
> On May 30, 2012, at 09:18, Alexander Hartmaier wrote:
> > Thanks for the info Mike!
> > Do you know which devices support it? We're mainly interested in Cisco gear.
> >
> > Best regards, Alex
> >
> > On 2012-05-29 22:46, Mike McCauley wrote:
> > > RadSec is now an official RFC.
> > >
> > > -- Forwarded Message --
> > > Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
> > > Date: Tuesday, May 29, 2012, 09:38:40 AM
> > > From: rfc-edi...@rfc-editor.org
> > > To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
> > > CC: rad...@ietf.org, rfc-edi...@rfc-editor.org
> > >
> > > A new Request for Comments is now available in online RFC libraries.
> > >
> > > RFC 6614
> > > Title: Transport Layer Security (TLS) Encryption for RADIUS
> > > Author: S. Winter, M. McCauley, S. Venaas, K. Wierenga
> > > Status: Experimental
> > > Stream: IETF
> > > Date: May 2012
> > > Mailbox: stefan.win...@restena.lu, mi...@open.com.au, s...@cisco.com, kl...@cisco.com
> > > Pages: 22
> > > Characters: 48004
> > > Updates/Obsoletes/SeeAlso: None
> > > I-D Tag: draft-ietf-radext-radsec-12.txt
> > > URL: http://www.rfc-editor.org/rfc/rfc6614.txt
> > >
> > > This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]
> > >
> > > This document is a product of the RADIUS EXTensions Working Group of the IETF.
> > >
> > > EXPERIMENTAL: This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.
> > >
> > > This announcement is sent to the IETF-Announce and rfc-dist lists. To subscribe or unsubscribe, see http://www.ietf.org/mailman/listinfo/ietf-announce http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
> > >
> > > For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html. For downloading RFCs, see http://www.rfc-editor.org/rfc.html.
> > >
> > > Requests for special distribution should be addressed to either the author of the RFC in question, or to rfc-edi...@rfc-editor.org. Unless specifically noted otherwise on the RFC itself, all RFCs are for unlimited distribution.
> > >
> > > The RFC Editor Team
> > > Association Management Solutions, LLC
> > >
> > > ___
> > > radext mailing list
> > > rad...@ietf.org
> > > https://www.ietf.org/mailman/listinfo/radext
> >
> > ___
> > radiator mailing list
> > radiator@open.com.au
> > http://www.open.com.au/mailman/listinfo/radiator

--
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Opera PMS integration
Hi Michael,

The Radiator-Opera integration and interoperation has been tested successfully by Micros-Fidelio Australia. According to correspondence from them, the Radiator interface for Opera has been released: FKT Logo is RRA and the Part Number is 5009-170

Cheers.

On Wednesday, May 30, 2012 09:36:40 AM Michael Newton wrote:
> Hi all, wondering if anyone has any experience with PMS integration over TCP/IP? From the documentation included it sounds fairly straightforward, but wondering if anyone has hit any stumbling blocks during their implementations?
>
> MICROS are convinced that they've never worked with Radiator before, and so this is a pilot project (presumably with commensurate costs) which came as a bit of a surprise; I had thought Radiator was certified to work with Opera already.
>
> Thanks in advance for any advice/warnings/anecdotes!
>
> --
> Michael Newton
> Manager, Information Systems
> Point of Presence Technologies
[RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
RadSec is now an official RFC.

-- Forwarded Message --
Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS
Date: Tuesday, May 29, 2012, 09:38:40 AM
From: rfc-edi...@rfc-editor.org
To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
CC: rad...@ietf.org, rfc-edi...@rfc-editor.org

A new Request for Comments is now available in online RFC libraries.

RFC 6614
Title: Transport Layer Security (TLS) Encryption for RADIUS
Author: S. Winter, M. McCauley, S. Venaas, K. Wierenga
Status: Experimental
Stream: IETF
Date: May 2012
Mailbox: stefan.win...@restena.lu, mi...@open.com.au, s...@cisco.com, kl...@cisco.com
Pages: 22
Characters: 48004
Updates/Obsoletes/SeeAlso: None
I-D Tag: draft-ietf-radext-radsec-12.txt
URL: http://www.rfc-editor.org/rfc/rfc6614.txt

This document specifies a transport profile for RADIUS using Transport Layer Security (TLS) over TCP as the transport protocol. This enables dynamic trust relationships between RADIUS servers. [STANDARDS-TRACK]

This document is a product of the RADIUS EXTensions Working Group of the IETF.

EXPERIMENTAL: This memo defines an Experimental Protocol for the Internet community. It does not specify an Internet standard of any kind. Discussion and suggestions for improvement are requested. Distribution of this memo is unlimited.

The RFC Editor Team
Association Management Solutions, LLC
Re: [RADIATOR] Miraki wifi works with Radiator for accounting and authentication
Hi Scott,

I think the product name is Meraki http://www.meraki.com/ not Miraki? I don't have any direct experience with it.

Cheers.

On Sunday, May 20, 2012 09:41:09 PM Scott wrote:
> Hi Team, any advice? thanks
>
> At 2012-05-18 09:12:53, Scott scotts...@163.com wrote:
> > Dear team,
> > we are trying to use Miraki wifi with Radiator for accounting and authentication. It's a hotel, to simplify the guests' wifi access and billing. The current billing system is Fidelio. Can anyone advise if this can be done and how they work with each other? Thanks!
> >
> > scott
Re: [RADIATOR] Yubikey and Radiator Windows Implementation
Hi James,

On Monday, April 23, 2012 11:00:36 AM James Austin wrote:
> We have a windows based install of Radiator. Will this work seamlessly with Yubikey?

Yes, you should expect it to work with Yubikey, provided you have the prerequisites installed:
- Auth-Yubikey_Decrypter-0.05 or later, and Crypt::Rijndael
- perl database support modules
- SQL server

> Is there any documentation for Yubikey integration?

See goodies/yubikey.txt in your distribution. There are sample configuration files in the goodies directory in your distribution: goodies/yubikey.cfg

> Thanks,
> James Austin
> Houston, TX
Re: [RADIATOR] Yubikey and Radiator Windows Implementation
On Wednesday, April 25, 2012 04:29:19 PM Mike McCauley wrote:
> Hi James,
>
> On Monday, April 23, 2012 11:00:36 AM James Austin wrote:
> > We have a windows based install of Radiator. Will this work seamlessly with Yubikey?
>
> Yes, you should expect it to work with Yubikey, provided you have the prerequisites installed:
> - Auth-Yubikey_Decrypter-0.05 or later, and Crypt::Rijndael
> - perl database support modules
> - SQL server
>
> > Is there any documentation for Yubikey integration?

See also AuthBy SQLYUBIKEY in the reference manual.

> See goodies/yubikey.txt in your distribution. There are sample configuration files in the goodies directory in your distribution: goodies/yubikey.cfg
>
> > Thanks,
> > James Austin
> > Houston, TX
Re: [RADIATOR] Enhancement for AuthDNSROAM/EduRoam and goodies suggestion
Hi Bjoern and others,

thanks for your patch. It is now in the latest patch set.

I take it you would like to see the included AllowInReply parameter included in the sample goodies/dnsroam.cfg? If you have other suggestions for improving the example goodies/dnsroam.cfg I would welcome that too.

Cheers.

On Thursday, March 29, 2012 05:04:13 PM Bjoern A. Zeeb wrote:
> Hi Mike, all,
>
> A patch and a suggestion for goodies below.
>
> A lot of people seem to use Radiator with EduRoam and after two debugging sessions, the first to find the cause why it's not working for a user and the 2nd to apply the below patch, things are significantly starting to improve for a couple of users whose IdPs send out weird attributes incl. VLAN assignments etc.
>
> Not sure if we should pass down all section 5.7.18 ref.pdf options down from the AuthDNSROAM patch below, but these two seem essential as having them in and not working might lead to unexpected results.
>
> My somehow excessive attribute filter list for Eduroam currently is
>
> AllowInReply User-Name, \
>     Class, \
>     Framed-Protocol, \
>     Service-Type, \
>     EAP-Message, \
>     Message-Authenticator, \
>     MS-MPPE-Send-Key, \
>     MS-MPPE-Recv-Key, \
>     MS-CHAP-Domain, \
>     MS-CHAP2-Success, \
>     Proxy-State
>
> with Framed-Protocol at least being excessive and should probably be static and Service-Type probably be restricted. I wonder if others have a comment on that list; I have been told another (open source) radius software comes with a pre-defined list but have not checked, so I think putting that into goodies, if not there yet, for AuthDNSRoam/Eduroam samples would be an excellent idea:)
>
> Special thanks go to Stefan Winter and Ronald van der Pol for the debugging sessions to figure out the VLAN problem while here at IETF83.
>
> Apart from that Radiator seems to do great wrt to DNSRoam and I am looking forward for the draft to be updated and the latest things that have been officially assigned to be sorted.

Great! Thanks a lot for that!

> Thanks,
> /bz

--- AuthDNSROAM.pm.orig 2011-09-29 21:51:05.0 + +++ AuthDNSROAM.pm 2012-03-29 16:16:09.0 + @@ -285,6 +285,7 @@ sub addRoute (qw(Address Transport Protocol Port UseTLS SRVName StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest NoreplyTimeout IgnoreReject @@ -390,6 +391,7 @@ sub handle_request (map {defined $self-{$_} ? ($_ = $self-{$_}) : ()} (qw(Port Secret StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest NoreplyTimeout IgnoreReject IgnoreAccountingResponse MaxBufferSize @@ -414,6 +416,7 @@ sub handle_request # Copy parameters from $self: (map {defined $self-{$_} ? ($_ = $self-{$_}) : ()} (qw(StripFromRequest AddToRequest ReplyHook ReplyHook.compiled NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply NoForwardAuthentication NoForwardAccounting AllowInRequest AuthPort AcctPort Secret Retries RetryTimeout UseOldAscendPasswords ServerHasBrokenPortNumbers ServerHasBrokenAddresses IgnoreReplySignature
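Review bot: all three hunks add `StripFromReply AllowInReply` to a hand-maintained copy of the same parameter list (one in addRoute, two in handle_request), which is exactly how these two parameters came to be missing from the forwarded set in the first place; consider building that list once and reusing it at all three sites so that the next parameter cannot be added to only one of them. The new parameters also need to be shown in the sample goodies/dnsroam.cfg, as the thread suggests, since nothing in the patch documents that the reply filter can now be applied per route.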
Re: [RADIATOR] Documentation Update? Sources for SNMP_Session
Hi,

Thanks for reporting this. It will be fixed in the next release of Radiator and has already been updated in the FAQ.

Thanks again.

Cheers.

On Friday, February 24, 2012 03:49:11 PM Traiano Welcome wrote:
> Hi Radiator Developers!
>
> I see in the Radiator reference manual section (Radiator version 4.9) on SNMP Monitoring for radiator:
>
> ---
> 5.15 SNMPAgent
> . . .
> SNMPAgent requires SNMP_Session-0.92.tar.gz or later from http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
> ---
>
> However it appears this URL is no longer valid on the www.switch.ch site. Simon Leinen, who hosted it on his staff website, says that SWITCH is no longer supporting personal staff pages and so he's moved the home page for SNMP_Session to:
>
> https://code.google.com/p/snmp-session/
>
> You might want to update the documentation with this.
>
> Kind Regards,
> Traiano Welcome
Re: [RADIATOR] Bug in SessSQL.pm
Hi Eddie,

thanks for reporting this. It has now been fixed in the latest patch set.

Cheers.

On Tuesday, February 14, 2012 03:53:04 PM Eddie Stassen wrote:
> UpdateQuery SessionDatabase SQL crashes Radiator when the query contains %{Quote:...}. This is due to $self not being passed as the third parameter to Radius::Util::format_special(). The patch below fixes it.
>
> Regards,
> Eddie Stassen

--- SessSQL.pm.ORIG 2012-02-14 15:32:12.0 +0200 +++ SessSQL.pm 2012-02-14 15:44:42.0 +0200 @@ -132,7 +132,9 @@ $self-log($main::LOG_DEBUG, $self-{Identifier} Updating session for $name, $nas_id, $nas_port, $p); # Now add the new one -$self-do(Radius::Util::format_special($self-{UpdateQuery}, $p)); +$self-do($self-{UpdateQuery}, $p, $self, +$self-quote($name), $nas_id, $nas_port+0, + $self-quote($p-getAttrByNum($Radius::Radius::ACCT_SESSION_ID; }
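Review bot: in the `+` lines `$name` and the Acct-Session-Id go through `$self->quote(...)` but `$nas_id` is passed raw, so an UpdateQuery that interpolates it as a string (a NAS-Identifier or address) would have to quote it itself; either pass `$self->quote($nas_id)` for consistency with its neighbours or document that this argument arrives unquoted. As shown here the last line ends at `getAttrByNum($Radius::Radius::ACCT_SESSION_ID;` and the `->` arrows have been flattened to `-`, so the closing parentheses appear to have been lost in transit; check that the applied version closes all three calls. Handing the raw `UpdateQuery` to `do()` together with `$p` and `$self` is what lets `format_special` see `$self` as its third argument, which is the condition `%{Quote:...}` needs, so the reported crash is addressed.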
[RADIATOR] test
test, please ignore
Re: [RADIATOR] Noticed something odd when restarting
Hi Jared,

thanks for reporting this. It will be fixed in the next release of Radiator.

Cheers.

On Wednesday 11 January 2012 03:50:17 am Jared Watkins wrote:
> I'm working on code to do remote reloads of Radiator and I noticed the following in the logs... is this something to be concerned about?
>
> Tue Jan 10 12:10:04 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED)
> Tue Jan 10 12:14:14 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED)
> Tue Jan 10 12:31:09 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED)
> Tue Jan 10 12:32:42 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
>
> I think the LOCKED bit is referring to the fact that this is an eval license.. but it looks like something might not be happening correctly with restarts. I get the same thing if I HUP the process or issue a restart via the manage port.
>
> Thanks,
> J
Re: [RADIATOR] Radiator 4.8 on FreeBSD 8.2 crashes with: ERR: Attribute number 93 is not defined in your dictionary
Thanks Traiano,

The latest patch set now includes:

Updated ACME VSA's in dictionary to add many missing VSAs and to adopt attribute naming consistent with other RADIUS servers.

Cheers.

On Tuesday 08 November 2011 11:53:33 pm Traiano Welcome wrote:
> See attached.
>
> Traiano
>
> On 2011/11/08 3:11 PM, Heikki Vatiainen h...@open.com.au wrote:
> > On 11/07/2011 12:43 PM, Traiano Welcome wrote:
> >
> > Hello Traiano,
> >
> > > Many thanks, this seems to have solved the problem, the system is running with double query load with no crash for more than an hour :-)
> >
> > Good to hear and thanks for letting us know. One more request from us: can you reply with the acme dictionary so that it can be included in the Radiator dictionary.
> >
> > > Thanks to all who assisted: Mike McCauley, Hugh Irvine and Heikki!
> >
> > Thanks!
> > Heikki
> >
> > --
> > Heikki Vatiainen h...@open.com.au
> > Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Radiator 4.8 on FreeBSD 8.2 crashes with: ERR: Attribute number 93 is not defined in your dictionary
Hi Heikki,

I think this is the same problem that is fixed in the latest patch set with:

Fixed a case where an empty Framed-IPv6-Prefix could cause a crash in radpwtst.

Cheers.

On Saturday 05 November 2011 08:03:49 am Heikki Vatiainen wrote:
> On 11/04/2011 12:58 PM, Traiano Welcome wrote:
>
> Hello Traiano,
>
> > Running Radiator in the foreground, I see an additional perl related (?) error line:
>
> Hmm, can you reply with the acme dictionary, dictionary.acme, and do a Trace 5 debug. I would like to see the raw packet dump to see if you are receiving malformed packets.
>
> > Authentic: CeK200XQ255142136243145172$x248
> > Attributes:
> > Fri Nov 4 10:33:34 2011: ERR: Attribute number 93 is not defined in your dictionary
> > 'x' outside of string in unpack at /usr/local/lib/perl5/site_perl/5.12.3/Radius/Radius.pm line 1931.
>
> Thanks, this is useful information. Can you tell what version your Radius.pm is? There should be a line like this at the top of the file
>
> # $Id: Radius.pm,v 1.157 2011/04/05 00:13:00 mikem Exp $
>
> Version 1.157 is the originally released Radius.pm in version 4.8. Line 1931 seems to be related to IPv6 in Radius.pm 1.157.
>
> > Looking at my 2 dictionaries, attribute 93 seems to have various definitions:
> >
> > (dictionary)
> > ---
> > VENDORATTR 1584 Annex-Rate-Reneg-Req-Rcvd 93 integer
> > VENDORATTR 2352 RB-Remote-Port 93 string
> > VENDORATTR 5535 3GPP2-Acct-Stop-Trigger 93 integer
> >
> > (dictionary.acme)
> > ---
> > VENDORATTR 9148 Acme-Flow-In-Src-Addr_FS2_F 93 ipaddr Acme
> > ---
> >
> > I'm not sure which would be the overriding definition ?
>
> I do not think these are related. If it is a vendorattr, then the output should be something like "... attribute 93 (vendor 1234) is not defined ..."
>
> > Additionally, I have another FreeBSD server (8.2-RELEASE-p3 #1) running radiator 4.8 (same source package), using the same dictionaries, with perl version 5.12.4, but it's running fine. I've even upgraded the current perl on this system to 5.12.4, but that incremental change didn't have an effect. I'd be grateful for any additional insights you might have.
>
> If you could create a Trace 5 dump that shows the raw data that is received, that would be useful.
>
> Thanks!
> Heikki
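The crash discussed in this thread is a decoder unpacking more octets than a zero-length Framed-IPv6-Prefix value contains. As an added example (Python, not Radiator's Perl and not the fix referred to above), here is a defensive RADIUS attribute decoder that validates every TLV length and the RFC 3162 prefix layout, and reports an empty prefix or an undefined attribute number as a problem instead of dying; the dictionary and the sample packets are constructed.

```python
"""Defensive decoding of RADIUS attributes, including an empty Framed-IPv6-Prefix.
Added example in Python, not Radiator's Perl code; the dictionary and sample
packets below are constructed for illustration."""
import ipaddress
import struct

# Constructed minimal dictionary: attribute number -> (name, type),
# names and types per RFC 2865 and RFC 3162.
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    97: ("Framed-IPv6-Prefix", "ipv6prefix"),
}


class MalformedAttribute(ValueError):
    """Raised when a TLV or a value does not match its declared layout."""


def split_attributes(data):
    """Walk the attribute area of a RADIUS packet and yield (type, value) pairs.
    Each length octet is checked against the bytes that remain before slicing,
    so a truncated TLV raises instead of being read past the end."""
    pos = 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise MalformedAttribute("trailing bytes shorter than a TLV header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise MalformedAttribute(f"attribute {atype}: bad length {alen}")
        yield atype, data[pos + 2:pos + alen]
        pos += alen


def decode_ipv6prefix(value):
    """RFC 3162 layout: reserved octet, prefix length, then 0..16 prefix octets.
    A zero-length value (the case behind the radpwtst crash in this thread)
    is reported instead of being unpacked blindly."""
    if len(value) < 2:
        raise MalformedAttribute(
            f"Framed-IPv6-Prefix value too short ({len(value)} bytes)")
    _reserved, plen = struct.unpack("!BB", value[:2])
    prefix = value[2:]
    if plen > 128 or len(prefix) > 16 or len(prefix) < (plen + 7) // 8:
        raise MalformedAttribute(
            f"Framed-IPv6-Prefix: length {plen} inconsistent with "
            f"{len(prefix)} prefix bytes")
    addr = ipaddress.IPv6Address(prefix.ljust(16, b"\x00"))
    return f"{addr}/{plen}"


def decode(data):
    """Return (decoded, problems). Unknown attribute numbers and malformed values
    are collected as problem strings and decoding continues with the next TLV;
    only broken TLV framing stops the walk."""
    decoded, problems = [], []
    try:
        for atype, value in split_attributes(data):
            if atype not in DICTIONARY:
                problems.append(
                    f"Attribute number {atype} is not defined in your dictionary")
                continue
            name, kind = DICTIONARY[atype]
            try:
                if kind == "ipv6prefix":
                    decoded.append((name, decode_ipv6prefix(value)))
                elif kind == "ipaddr":
                    decoded.append((name, str(ipaddress.IPv4Address(value))))
                else:  # string
                    decoded.append((name, value.decode("utf-8", "replace")))
            except ValueError as exc:  # MalformedAttribute and address errors
                problems.append(f"{name}: {exc}")
    except MalformedAttribute as exc:
        problems.append(str(exc))
    return decoded, problems


def attr(atype, value):
    """Build one attribute TLV (constructed test helper)."""
    return bytes([atype, 2 + len(value)]) + value


# Constructed sample packets: a well-formed one, and one carrying an empty
# Framed-IPv6-Prefix followed by an attribute number missing from the dictionary.
SAMPLE_OK = attr(1, b"alice") + attr(97, bytes([0, 64]) + bytes.fromhex("20010db800000001"))
SAMPLE_BAD = attr(1, b"bob") + attr(97, b"") + attr(93, b"\x00\x00\x00\x05")

if __name__ == "__main__":
    for packet in (SAMPLE_OK, SAMPLE_BAD):
        print(decode(packet))
```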
Re: [RADIATOR] EAPTLS_MaxFragmentSize settings
Hello Alex,

On Tuesday 11 October 2011 09:35:08 pm Alexander Hartmaier wrote:
> I've tried a lot of different values and looked at the radius packets coming from our switches (for wired dot1x):
>
> peap 1350, inner tls 1300
> peap 1400, inner tls 1360
> peap 1412, inner tls 1350
>
> In the end I've used 1350/1300 because increasing it any further towards the limit didn't lower the number of packets, so I preferred to have a little bit of safety margin left.
>
> The EAP packet that is encapsulated inside one of the radius key/value pairs + all other radius attributes doesn't exceed one ethernet frame because EAP doesn't support fragmentation. Depending on the number of other radius attributes your switches or wlan controllers send to the radius servers you can increase the EAP payload. Decreasing the number of packets reduces the authentication time and lowers the load on both the radius client (switch, wlan controller) and radius server.
>
> @Open guys: can you please add something like my description to the docs?

Done for the next release.

Cheers.

> On 2011-10-11 13:16, Alex Sharaz wrote:
> > Hi,
> > For a long time I've had
> >
> > # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> > # size that will be replied by Radiator. It must be small
> > # enough to fit in a single Radius request (ie less than 4096)
> > # and still leave enough space for other attributes
> > # Aironet APs seem to need a smaller MaxFragmentSize
> > EAPTLS_MaxFragmentSize 1000
> >
> > set up in my Radiator radius.cfg file simply because it was there in the sample radius.cfg file I initially used. I'm now wondering if perhaps this is a bit small. What are other people doing? Is anyone explicitly setting this up or are people leaving it to the default value?
> >
> > Rgds
> > Alex
> >
> > Time for another Macmillan Cancer Support event. This time it's the 12 day Escape to Africa challenge. View route at http://maps.google.co.uk/maps/ms?ie=UTF8hl=enmsa=0msid=20377986643603501 6780.00049e867720273b73c39z=8
> > Please sponsor me at http://www.justgiving.com/Alex-Sharaz
>
> --
> Cheers, Alex
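To make the sizing discussed above concrete, an added example (Python, not Radiator code) that computes the size of the Access-Challenge carrying the first TLS fragment for any fragment size and set of extra attributes, checks it against the Ethernet MTU on both the EAPOL side and the RADIUS/UDP side, finds the largest fragment that still fits one frame, and counts round trips for a TLS flight; the State/Proxy-State lengths and the 4000-byte flight are constructed assumptions.

```python
"""Sizing EAP-TLS fragments carried inside RADIUS.  Added example in Python,
not Radiator code; protocol constants follow RFC 2865/2869, RFC 5216 and
IEEE 802.1X, while the extra-attribute lengths and the 4000-byte TLS flight
used below are constructed assumptions."""
import math

RADIUS_HEADER = 20          # code, identifier, length, authenticator
ATTR_HEADER = 2             # type and length octets of every attribute
EAP_MESSAGE_MAX = 253       # 255-octet attribute minus its 2-octet header
MESSAGE_AUTHENTICATOR = 18  # attribute 80: header plus 16-octet HMAC-MD5
EAP_TLS_HEADER = 6          # EAP code, id, length(2), type, flags
EAP_TLS_LENGTH_FIELD = 4    # TLS message length, only on the first fragment (L flag)
EAPOL_HEADER = 4            # 802.1X version, type, length
IP_UDP_OVERHEAD = 28        # IPv4 (20) + UDP (8) without options
ETHERNET_MTU = 1500
RADIUS_MAX_PACKET = 4096    # RFC 2865 upper bound on a RADIUS packet


def radius_packet_size(tls_fragment, other_attr_values, first=True):
    """Size of the Access-Challenge carrying one TLS fragment.
    other_attr_values lists the value length of every non-EAP attribute the
    server also sends (State, Proxy-State, ...).  The first fragment is the
    largest because it carries the 4-octet TLS length field."""
    eap = EAP_TLS_HEADER + (EAP_TLS_LENGTH_FIELD if first else 0) + tls_fragment
    n_eap_attrs = math.ceil(eap / EAP_MESSAGE_MAX)
    size = RADIUS_HEADER + eap + n_eap_attrs * ATTR_HEADER + MESSAGE_AUTHENTICATOR
    return size + sum(ATTR_HEADER + v for v in other_attr_values)


def fits_eapol_frame(tls_fragment):
    """The EAP packet on the supplicant link cannot be fragmented by the switch
    or AP, so EAPOL header + EAP packet must fit one Ethernet payload."""
    eap = EAP_TLS_HEADER + EAP_TLS_LENGTH_FIELD + tls_fragment
    return EAPOL_HEADER + eap <= ETHERNET_MTU


def fits_radius_frame(tls_fragment, other_attr_values):
    """The RADIUS datagram should stay within the RFC limit and within one
    Ethernet frame, so no IP fragmentation is needed between NAS and server."""
    size = radius_packet_size(tls_fragment, other_attr_values, first=True)
    return size <= RADIUS_MAX_PACKET and size + IP_UDP_OVERHEAD <= ETHERNET_MTU


def challenges_for_flight(flight_bytes, tls_fragment):
    """Access-Challenge/Access-Request round trips needed to deliver one TLS
    flight (e.g. ServerHello through ServerHelloDone) to the supplicant."""
    return math.ceil(flight_bytes / tls_fragment)


def max_fragment_for_frame(other_attr_values):
    """Largest fragment size whose first fragment satisfies both frame checks
    with the given extra attributes (linear search down from the EAPOL bound)."""
    upper = ETHERNET_MTU - EAPOL_HEADER - EAP_TLS_HEADER - EAP_TLS_LENGTH_FIELD
    for frag in range(upper, 0, -1):
        if fits_eapol_frame(frag) and fits_radius_frame(frag, other_attr_values):
            return frag
    return 0


# Constructed: a 16-octet State and a 20-octet Proxy-State in each challenge,
# and a 4000-byte server flight (the certificate chain dominates it).
OTHER_ATTRS = [16, 20]
SERVER_FLIGHT = 4000

if __name__ == "__main__":
    for frag in (1000, 1300, 1350, 1400, 1412):
        print(f"fragment {frag}: first challenge {radius_packet_size(frag, OTHER_ATTRS)} bytes, "
              f"one frame: {fits_radius_frame(frag, OTHER_ATTRS)}, "
              f"round trips for flight: {challenges_for_flight(SERVER_FLIGHT, frag)}")
    print("largest fragment that keeps one frame:", max_fragment_for_frame(OTHER_ATTRS))
```

With no extra attributes at all the largest fragment that still keeps the RADIUS datagram in one frame is 1412, which is the upper value tried above; every State or Proxy-State octet the NAS adds lowers that bound.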
[RADIATOR] Radiator Version 4.9 released
Radius::Util::seed_random. radiusd calls it at startup and after forking farm children. It can be overridden if necessary to provide local random number initialisation and seeding.
Re: [RADIATOR] Latest dictionary additions
Hi All,

On Wednesday 21 September 2011 06:54:07 pm Heikki Vatiainen wrote:
> Here's a summary of new and updated dictionary entries recently seen on the list but not yet in patches for 4.8. I guess the hunt is still on for some others, but these look ready to be included.
>
> From Alan
>
> #
> # Aruba vendor specific radius attributes
> #
> VENDOR Aruba 14823
> VENDORATTR 14823 Aruba-User-Role 1 string
> VENDORATTR 14823 Aruba-User-Vlan 2 integer
> VENDORATTR 14823 Aruba-Priv-Admin-User 3 integer
> VENDORATTR 14823 Aruba-Admin-Role 4 string
> VENDORATTR 14823 Aruba-Essid-Name 5 string
> VENDORATTR 14823 Aruba-Location-Id 6 string
> VENDORATTR 14823 Aruba-Port-Id 7 string
> VENDORATTR 14823 Aruba-Template-User 8 string
> VENDORATTR 14823 Aruba-Named-User-Vlan 9 string
> VENDORATTR 14823 Aruba-AP-Group 10 string
> VENDORATTR 14823 Aruba-Framed-IPv6-Address 11 string

All now in the latest patch set.

> From Jethro
>
> ## Bluesocket
> VENDOR Bluesocket 9967
> VENDORATTR 9967 BlueSocketRole 100 string
> VENDORATTR 9967 Bluesocketap 101 string

These were already in the dictionary, one with a slightly different case: BlueSocketap

Which is correct?
Re: [RADIATOR] New Nomadix attributes
Hi Mike,

thanks for that. They are now in the latest patch set.

Cheers.

On Wednesday 21 September 2011 03:08:14 am Mike Newton wrote:
> Please consider the following updates (attributes 14-21 and the IP-Upsell values) for the dictionary. I've confirmed with Nomadix that this is a complete list at the present time.
>
> Thanks a lot.
> Mike
>
> #
> # Nomadix vendor specific
> #
> VENDOR Nomadix 3309
> VENDORATTR 3309 Nomadix-Bw-Up 1 integer
> VENDORATTR 3309 Nomadix-Bw-Down 2 integer
> VENDORATTR 3309 Nomadix-URL-Redirection 3 string
> VENDORATTR 3309 Nomadix-IP-Upsell 4 integer
> VENDORATTR 3309 Nomadix-Expiration-Time 5 string
> VENDORATTR 3309 Nomadix-Subnet 6 string
> VENDORATTR 3309 Nomadix-MaxBytesUp 7 integer
> VENDORATTR 3309 Nomadix-MaxBytesDown 8 integer
> VENDORATTR 3309 Nomadix-EndofSession 9 integer
> VENDORATTR 3309 Nomadix-Logoff-URL 10 string
> VENDORATTR 3309 Nomadix-Net-VLAN 11 integer
> VENDORATTR 3309 Nomadix-Config-URL 12 string
> VENDORATTR 3309 Nomadix-Goodbye-URL 13 string
> VENDORATTR 3309 Nomadix-Qos-Policy 14 string
> VENDORATTR 3309 Nomadix-SMTP-Redirect 17 integer
> VENDORATTR 3309 Nomadix-Centralized-Mgmt 18 string
> VENDORATTR 3309 Nomadix-Group-Bw-Policy-ID 19 integer
> VENDORATTR 3309 Nomadix-Group-Max-Up 20 integer
> VENDORATTR 3309 Nomadix-Group-Max-Down 21 integer
> VALUE Nomadix-IP-Upsell PrivatePool 0
> VALUE Nomadix-IP-Upsell PublicPool 1
Re: [RADIATOR] aerohive dictionary file
Hi Alan,

On Monday 15 August 2011 09:44:48 pm Alan Buxey wrote:
> Hi,
>
> I believe this is what is needed in RADIATOR for the aerohive wireless kit as a starting dictionary. Anyone care to confirm/agree/reject or differ? :-)

Yes, that agrees with the aerohive docs. Added to the dictionary in the latest patch set.

Cheers.

> #
> # Aerohive vendor specific radius attributes
> #
> VENDOR     Aerohive 26928
> VENDORATTR 26928 AH-HM-Admin-Group-Id 1 integer
> VALUE AH-HM-Admin-Group-Id Read-Only-Admin  0
> VALUE AH-HM-Admin-Group-Id Super-Admin      1
> VALUE AH-HM-Admin-Group-Id Read-Write-Admin 2
>
> alan
Re: [RADIATOR] updated Aruba dictionaries?
Hi,

On Monday 15 August 2011 10:25:12 pm Alan Buxey wrote:
> Hi,
>
> > But I can add:
> >
> > VENDORATTR 14823 Aruba-Template-User 8 string
> >
> > courtesy of wireshark to your list.
>
> cool :-) thanks for that one though I believe it's officially
>
> ATTRIBUTE Aruba-MMS-User-Template 8 string
>
> so,
>
> VENDORATTR 14823 Aruba-MMS-User-Template 8 string

Aruba's docs agree with this. Now added to the dictionary in the latest patch set.

> alan
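As an added example covering the dictionary entries posted in the Aruba, Nomadix, Aerohive and Bluesocket threads above (it is not from the list and not Radiator's own dictionary parser): a small Python checker that reads VENDOR / VENDORATTR / VALUE lines and flags the kinds of problems these threads turn up, such as two names that differ only in case (BlueSocketap vs Bluesocketap), an attribute number declared twice for one vendor, an unknown data type, or a VALUE for an attribute that is not an integer. The sample dictionary text is constructed; the set of accepted type names is an assumption, since only ipaddrv6 and ipv6prefix are named in these threads.

```python
"""Checker for Radiator-style RADIUS dictionary fragments.

Added example, not Radiator code. Parses VENDOR / VENDORATTR / VALUE lines
and reports inconsistencies. KNOWN_TYPES is an assumption: 'ipaddrv6' and
'ipv6prefix' are mentioned on the list, the others are common dictionary types.
"""
from collections import defaultdict

KNOWN_TYPES = {"string", "integer", "ipaddr", "ipaddrv6", "ipv6prefix", "date", "binary"}

# Constructed sample: the Bluesocket entries from the thread, the pre-existing
# entry spelled BlueSocketap, and a few Nomadix lines with one bad type.
SAMPLE_DICT = """\
## Bluesocket
VENDOR     Bluesocket 9967
VENDORATTR 9967 BlueSocketRole 100 string
VENDORATTR 9967 Bluesocketap   101 string
VENDORATTR 9967 BlueSocketap   101 string
# Nomadix vendor specific
VENDOR     Nomadix 3309
VENDORATTR 3309 Nomadix-Bw-Up     1 badtype
VENDORATTR 3309 Nomadix-IP-Upsell 4 integer
VALUE      Nomadix-IP-Upsell PrivatePool 0
VALUE      Nomadix-IP-Upsell PublicPool  1
"""


def parse_dictionary(text):
    """Return vendors, attributes, values and syntax errors found in text."""
    vendors = {}                 # vendor name -> vendor id
    attrs = []                   # (vendor id, attr name, attr number, type, line no)
    values = defaultdict(dict)   # attr name -> {value name: number}
    errors = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        keyword = fields[0].upper()
        try:
            if keyword == "VENDOR" and len(fields) == 3:
                vendors[fields[1]] = int(fields[2])
            elif keyword == "VENDORATTR" and len(fields) == 5:
                attrs.append((int(fields[1]), fields[2], int(fields[3]),
                              fields[4].lower(), line_no))
            elif keyword == "VALUE" and len(fields) == 4:
                values[fields[1]][fields[2]] = int(fields[3])
            else:
                errors.append(f"line {line_no}: unrecognised entry: {line}")
        except ValueError:
            errors.append(f"line {line_no}: non-numeric field in: {line}")
    return {"vendors": vendors, "attrs": attrs, "values": dict(values), "errors": errors}


def check_dictionary(parsed):
    """Return a list of human-readable consistency problems (empty if clean)."""
    issues = list(parsed["errors"])
    declared_ids = set(parsed["vendors"].values())
    by_number = defaultdict(list)        # (vendor id, attr number) -> names
    by_folded_name = defaultdict(set)    # lower-cased name -> spellings seen
    attr_type = {}
    for vendor_id, name, number, typ, line_no in parsed["attrs"]:
        if vendor_id not in declared_ids:
            issues.append(f"line {line_no}: VENDORATTR for undeclared vendor id {vendor_id}")
        if typ not in KNOWN_TYPES:
            issues.append(f"line {line_no}: unknown type '{typ}' for {name}")
        by_number[(vendor_id, number)].append(name)
        by_folded_name[name.lower()].add(name)
        attr_type[name] = typ
    for (vendor_id, number), names in by_number.items():
        if len(names) > 1:
            issues.append(f"vendor {vendor_id} attribute {number} defined more than once: "
                          + ", ".join(names))
    for spellings in by_folded_name.values():
        if len(spellings) > 1:
            issues.append("attribute names differ only in case: " + ", ".join(sorted(spellings)))
    for attr in parsed["values"]:
        if attr not in attr_type:
            issues.append(f"VALUE for undefined attribute {attr}")
        elif attr_type[attr] != "integer":
            issues.append(f"VALUE for non-integer attribute {attr} ({attr_type[attr]})")
    return issues


if __name__ == "__main__":
    for issue in check_dictionary(parse_dictionary(SAMPLE_DICT)):
        print(issue)
```

Run against the constructed sample it reports three problems: the unknown type on Nomadix-Bw-Up, attribute 101 being defined twice for vendor 9967, and the two spellings of the Bluesocket AP attribute. Feeding it a vendor's whole dictionary fragment before merging is a cheap way to catch the case mix-ups this thread asks about.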
Re: [RADIATOR] CRL reload error
Hi Heikki,

actually there is NO way to force a CRL reload except to kill the process. The certificates are NEVER flushed from the process under any circumstances :-( You can load new ones but the old ones are looked at before the recent ones.

Cheers.

On Tuesday 09 August 2011 06:35:20 pm Heikki Vatiainen wrote:
> On 08/08/2011 05:59 PM, Alexander Hartmaier wrote:
> > So a reload after every crl download is still the only solution?
>
> Unfortunately this seems to be currently the only solution.
>
> > Adding the crl download and refresh functionality to Radiator would be a welcome addition!
>
> I agree this would be very useful. Then again, implementing it in Radiator separately from OpenSSL would mean creating a lot of code that would have a short lifetime, becoming obsolete once OpenSSL starts to fully support the functionality. The problem of course is it's not known how soon or late this happens.
>
> Thanks,
> Heikki
>
> > Cheers, Alex
> >
> > On 2011-08-08 09:41, Heikki Vatiainen wrote:
> > > On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
> > > Hello Alexander,
> > >
> > > > what's the status of crl reloading?
> > >
> > > CRL reloading support depends on OpenSSL. As you have found out, it appears the support is not in version 1.0.0. A quick check of the 1.0.0 series change log did not show anything related to this, so I guess the wait is still on.
> > >
> > > > I've installed openssl 1.0.0 from Debian testing on a Debian stable server but it still fails with
> > > >
> > > > ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem': error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already in hash table
[RADIATOR] Support for Freeswitch VOIP switch and Micros-Fidelio Opera PMS
Hi All,

We have recently released some documentation and sample configuration files showing how to use Radiator and the AuthBy FIDELIO module to handle authentication and accounting for the Freeswitch VOIP switch (http://www.freeswitch.org). It can be used to authenticate and bill VOIP calls to a Micros-Fidelio Opera Hotel Property Management System (http://www.micros.com).

The goal of this sample configuration is to implement a user-pays VOIP system in a hotel environment: before a user can make a call from a hotel room VOIP phone, there must be someone checked into the room. When the call is completed, the call is billed to the hotel room.

Documentation and sample configuration files are now in the latest Radiator patch set. We welcome feedback and suggestions from Freeswitch/Fidelio implementers.

Cheers.
Re: [RADIATOR] Multiple user groups for tacacs authorization possible
Hi Heikki,

I did something similar to this at NBNCo (you have the configs I think). In that one we used the LDAP to get the groups the user is a member of, and used the device group the request came from to do a lookup in SQL. From there we get AuthorizeGroupAttr rules.

Cheers.

On Friday 08 July 2011 09:51:08 pm Heikki Vatiainen wrote:
> On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
> > we have the need to map users with membership in multiple groups into tacacs groups to decide if the user is allowed to login (authentication) and what the user is allowed to do (authorization). We solved the authentication by multiple authby ldap2's for the different ldap groups in an authby group. The first matched group populates the OSC-Group-Identifier attribute which is used for the GroupMemberAttr. Because some users are in multiple groups we're looking for a way to add all of them to the GroupMemberAttr, is this possible?
>
> This does not sound possible. Please see this example. Is this what you are looking for?
>
>     <Server TACACSPLUS>
>         GroupMemberAttr OSC-Group-Identifier
>         AuthorizeGroup group1 ...
>         # more rules for group1
>         AuthorizeGroup group2 ...
>         # more rules for group2
>     </Server>
>
> And the Access-Reply messages would look like these:
>
>     User a:
>     OSC-Group-Identifier = group1
>
>     User b:
>     OSC-Group-Identifier = group2
>
>     User c:
>     OSC-Group-Identifier = group1
>     OSC-Group-Identifier = group2
>
> The user c would be allowed (group1 + group2).
>
> The above is not currently possible since Radiator currently only picks up one attribute and uses its value. The second will not be used. Also, there's the question, if both group1 and group2 contain permit and deny rules, how they would relate to each other.
>
> If the above is not what you are after, please tell us more.
>
> Thanks!
Re: [RADIATOR] [patch] Radiator 4.8: dictionary Fix type of Unisphere-Ipv6-*-DNS
Hi Roland,

thanks for reporting this and the patch. It has now been fixed in the latest patch set.

Cheers.

On Tuesday 31 May 2011 01:19:33 am Roland Rosenfeld wrote:
> Hi!
>
> The attached small patch changes the type of the vendor attributes Unisphere-Ipv6-Primary-DNS and Unisphere-Ipv6-Secondary-DNS from string to ipaddrv6. This results in readable output in the logs instead of binary junk :-)
>
> Maybe this is useful for someone else...
>
> Greetings
> Roland
Re: [RADIATOR] Fidelio authentication module: Some suggestions
Hi Ralf,

Thanks for the suggestion. We have now updated the latest patch set with this:

Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after a message from Fidelio has been unpacked into a hash and before the record is passed to handle_message(). It can be used to change or transform any fields in the record before it is passed to handle_message() and processed by AuthFIDELIO.

Cheers.

On Tuesday 17 May 2011 05:20:57 pm Ralf Ertzinger wrote:
> Mike,
>
> On 05/10/2011 12:37 AM, Mike McCauley wrote:
> > thanks for your note. Responses inline below
>
> Thanks for your quick reply and the fixes for the problems I noticed. I will test those as soon as I'm on site with the customer again, this may take a week or two, though.
>
> > > - Data mangle hook
> > > This is more of a nice to have. Provide a hook to mangle data received from the Fidelio system before it is entered into the internal Radiator database. Primary use case (for me) would be to lower case the guest names.
> >
> > Not sure where you need this. A patch would be good.
>
> The customer would like to use the guest's last name as part of their authentication scheme. Since there is no telling how that information is saved in the fidelio database I'd like to be able to mangle that before adding it to the internal Radiator copy (for example, convert the name to lower case).
[RADIATOR] OCRA tokens
Hi,

is anyone using or planning to use OCRA tokens as described in draft-mraihi-mutual-oath-hotp-variants-14.txt?

Would you care to work with us to test a new Radiator OCRA authenticator? If so, please contact me directly.

Cheers.
Re: [RADIATOR] New eToken PASS import files have longer secret keys (64 chars vs. 48 chars)
Hi,

Can you please send an example of a key, counter and resulting correct OTP, so we can investigate?

Cheers.

On Saturday 14 May 2011 05:35:32 am Linuxchuck wrote:
> Hello again,
>
> I've been successfully using eToken PASS tokens since we moved to Radiator without issue. We've recently purchased an additional set of 100 tokens because we were running low, and the DigiPass Go-7 tokens we recently received turn out to be unable to support changing PINs.
>
> During the process of importing the new eToken PASS secret keys, I found that the token key import files shipped with the tokens have changed now since SafeNet has taken over ownership of Aladdin. The new files are called AlpineXml.xml and importAlpine.dat. The first is an XML file formatted exactly like the old XML files I'm familiar with from the original Aladdin days. The second file is an ldif-formatted file with basically the same information in it. I built an XML parsing PHP script to perform bulk-imports for the older Aladdin import files, and it works fine with the new XML files as well.
>
> I've noticed a particularly important change, however. The token secrets are now 64 characters long, and will not properly import into the standard secret column in the hotpkeys MySQL table which is a varchar(60) based on the sql table built in hotp.cfg. (FYI, the original keys in my first couple-hundred tokens were all 48 characters long.) In addition, the version string in the older XML files is 6.0, and in the newer version, is 6.20.
>
> I figured it would be a simple task to extend the storage of that column to compensate for the longer keys, and applied an alter table command to do just that. I then updated the keys for each token, ran a few queries to ensure they matched exactly with the keys provided in the XML file, and reloaded my Radiator servers. So far, so good...
>
> However, even though the new and longer secret keys now fit in the column, I cannot get any of these newly imported tokens to authenticate properly. All of my older eToken PASS tokens with the shorter keys still work without issue. It's these new tokens with the longer keys that refuse to authenticate.
>
> Does anyone have an idea what could be going wrong here? I am not a Perl coder by any stretch of the imagination, and my rudimentary scan of the HOTP-related modules in Radiator did not give me any clues where things could be going wrong.
>
> Thanks in advance...
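An added example, not from the list thread and not Radiator's AuthBy SQLHOTP code: a reference RFC 4226 HOTP computation in Python, so that the key, counter and OTP triple Mike asks for can be checked offline against a known-good implementation, together with a check for the varchar(60) import problem described above. HMAC-SHA1 accepts keys of any length, so a 32-byte (64 hex character) secret is valid in itself; the RFC 4226 Appendix D test key is used for the verified values, and the 64-character key in the block is a constructed placeholder, not a real token secret.

```python
"""RFC 4226 HOTP reference check. Added example, not Radiator's AuthBy SQLHOTP."""
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test key: ASCII "12345678901234567890" (20 bytes) as hex.
RFC4226_KEY_HEX = "3132333435363738393031323334353637383930"

# Constructed 32-byte (64 hex character) secret standing in for the new
# eToken PASS key length; not a real token key.
LONG_KEY_HEX = "00112233445566778899aabbccddeeff" * 2


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C): HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24) | (mac[offset + 1] << 16) \
        | (mac[offset + 2] << 8) | mac[offset + 3]
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret_hex: str, stored_counter: int, otp: str, window: int = 20):
    """Try counters stored_counter .. stored_counter+window (the resynchronisation
    window). Return the counter to store next on success, None on failure.
    Counters below stored_counter are never tried, so an OTP that has already
    been used (or one captured and presented late) is not accepted again."""
    secret = bytes.fromhex(secret_hex)
    for candidate in range(stored_counter, stored_counter + window + 1):
        if hmac.compare_digest(hotp(secret, candidate, len(otp)), otp):
            return candidate + 1
    return None


def check_stored_key(secret_hex: str, column_width: int = 60) -> list:
    """Problems a key would hit on the way into a VARCHAR(column_width) column."""
    problems = []
    if len(secret_hex) % 2 or any(c not in "0123456789abcdefABCDEF" for c in secret_hex):
        problems.append("secret is not an even-length hex string")
    if len(secret_hex) > column_width:
        problems.append(f"{len(secret_hex)}-char key would be truncated by VARCHAR({column_width})")
    return problems


if __name__ == "__main__":
    key = bytes.fromhex(RFC4226_KEY_HEX)
    for c in range(3):
        print(c, hotp(key, c))           # 755224, 287082, 359152 per RFC 4226
    print(check_stored_key(LONG_KEY_HEX))
```

To use it for a real token, replace RFC4226_KEY_HEX with the key string from the import file and compare hotp() at the expected counter with what the token displays; a silently truncated key (the varchar(60) case) produces codes that never match, which check_stored_key() reports before any OTP is tried.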
Re: [RADIATOR] Fidelio authentication module: Some suggestions
Hi Ralf,

thanks for your note. Responses inline below

On Monday 09 May 2011 05:24:08 pm Ralf Ertzinger wrote:
> Hi all.
>
> As mentioned some time ago we have a customer interested in using Radiator to authenticate against an existing Micros Fidelio infrastructure. Last week I was finally able to do an on site visit to test the basic functionality of the system.
>
> Good news first: the Fidelio connector worked as expected, it was able to connect to the Fidelio system without too much trouble and get the guest data, and I was able to successfully authenticate against the Radius server using that data. All tests were done using a TCP connection to the Fidelio server.
>
> However, there are some minor problems I would love to get out of the way.
>
> - Reload failure
>
> When Radiator is reloaded using SIGHUP it throws away its internal copy of the Fidelio database. However, it does not cleanly shut down the TCP connection, and it also does not send a LE (link end) message to the Fidelio system. When Radiator then reconnects to the Fidelio server the latter does not consider the connection as new, and assumes that the Radius server already has a copy of the database. So the Radius server does not receive a new copy of the database and ends up with no data at all.
>
> Suggested fix (as recommended by the Micros engineer on site with me): either send a LE (link end) record on connection shutdown, or completely close the TCP connection. Preferably both.

H. Tests here show that when a SIGHUP is received AuthFIDELIO reconnects and sends a link start and gets the latest database just fine. Nevertheless we have now made a change so that LE is sent and the TCP connection is closed during a SIGHUP, as suggested. It would be good if you could test this change at your location.

> Workaround: do a complete restart of the Radius server
>
> - Keepalive
>
> When the network connection between the Radius server and the Fidelio server fails for some reason the Fidelio server aggressively times out and closes the TCP connection when it cannot send database updates. The Radius server may not notice this in a timely manner and thus may not receive database update messages.
>
> Suggested fix (as recommended by the Micros engineer on site with me): have the Radius server send LS (link start) messages in regular intervals and wait for the Fidelio system to answer with LA (link alive).

OK. We disagree with the engineer. We think Radiator should send LA to check for connectivity, not LS. We have now made a change to send LA every 60 seconds (configurable). It would be good if you could test this change at your location.

> Workaround: this can be somewhat worked around by sending accounting messages to the Fidelio system (in this particular setup accounting to the Fidelio system is not part of the planned setup). Failure to send an accounting message will cause a restart of the connection.
>
> - Data mangle hook
>
> This is more of a nice to have. Provide a hook to mangle data received from the Fidelio system before it is entered into the internal Radiator database. Primary use case (for me) would be to lower case the guest names.

Not sure where you need this. A patch would be good.

> I think I can provide a patch for the last point, but I have not found an easy hook into the system reload functionality (from a module point of view) or a way to regularly call a function from a module. If someone could point me in the right direction I'd be quite grateful.

Use Radius::Select::add_timeout; see the latest patch set for an example in AuthFIDELIO.pm

Cheers.
Re: [RADIATOR] linux-radiator.init suggestion
Hi Michael,

thanks for your suggestions. They have now been added to the latest patch set.

Cheers.

On Saturday 30 April 2011 01:23:12 am Michael wrote:
> suggest using these processes for Debian in the linux-radiator.init control script. Currently, I don't see anything.
>
>     RELOADPROC="/sbin/start-stop-daemon --stop --signal HUP --pidfile ${RADIUSD_PIDFILE}"
>     TRACEUPPROC="/sbin/start-stop-daemon --stop --signal USR1 --pidfile ${RADIUSD_PIDFILE}"
>     TRACEDOWNPROC="/sbin/start-stop-daemon --stop --signal USR2 --pidfile ${RADIUSD_PIDFILE}"
>
> The start-stop-daemon requires a --start or --stop, but when the --signal is specified for the --stop process, it does not send a TERM, so the process is not stopped.
>
> For the status option, I guess something is better than nothing?
>
>     CHECKPROC="ps -fp `cat ${RADIUSD_PIDFILE}`"
>
> Michael
Re: [RADIATOR] Radiator Version 4.8 released
Hi Michael,

thanks for reporting this. The patch set is now available, although there are currently no patches in it.

Cheers.

On Friday 29 April 2011 07:16:24 am Michael wrote:
> Can't seem to download the patches. After accepting the license agreement, it just keeps returning to the license agreement.
>
> On Thu, 28 Apr 2011, Mike McCauley wrote:
> > We are pleased to announce the release of Radiator version 4.8
> >
> > This version contains some new features and minor bug fixes.
> >
> > As usual, the new version is available to current licensees from:
> > http://www.open.com.au/radiator/downloads/
> > and to current evaluators from:
> > http://www.open.com.au/radiator/demo-downloads
> >
> > Licensees with expired access contracts can renew at:
> > http://www.open.com.au/renewal.php
> >
> > An extract from the history file http://www.open.com.au/radiator/history.html is below:
> >
> > - Revision 4.8 (2011-04-28)
> >   New features and some bug fixes.
> >
> >   - Fixed a problem in AuthBy EAPBALANCE where no reply from a proxied request from the middle of an EAP stream would result in unlimited retransmissions of the request. Reported by Keith Ma.
> >
> >   - Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
> >
> >   - Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil Johnson.
> >
> >   - RPM packages were built by default on OpenSuSE with LZMA compression, which is not available for all platforms. This new Radiator.spec disables LZMA and uses BZ2 instead. In future all RPMS will be built with BZ2 compression. New versions of Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm with BZ2 uploaded.
> >
> >   - Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and TimeStepOrigin parameters were not correctly read, resulting in errors like Unknown keyword 'MaxBadLogins'. Reported by Matthew Reeves-Hairs.
> >
> >   - GetClientQuery was incorrectly using field 25 instead of 27 for flags. Documentation for GetClientQuery incorrectly described field 25 as being flags instead of ClientHook.
> >
> >   - Added SQLRetries parameter to all SQL type clauses. When executing a query, Radiator will try up to SQLRetries attempts to execute the query, retrying if certain types of SQL error are seen. Defaults to 2. Requested by Michael.
> >
> >   - Fixed some problems with Radius paths in the RPM on some platforms. Rebuilt and uploaded new RPMs.
> >
> >   - Improved Client CIDR address searches so a more specific cidr would have priority over a less specific cidr. Contributed by Nicholas Waples.
> >
> >   - Improved ClientListLDAP, added oscRadiusIdentifier and oscRadiusDefaultRealm to the default list of ClientAttrDefs. They were the only attributes missing from the oscRadiusClient ldap schema provided (in goodies). Contributed by Nicholas Waples.
> >
> >   - In Server TACACSPLUS, the call to AuthenticationStartHook now includes the priv_lvl and service values from the TACACSPLUS request passed as arguments to the hook.
> >
> >   - In Server TACACSPLUS, during authentication, we now add cisco-avpair attributes to the RADIUS request for action, authen_type, priv-lvl and service from the incoming TACACSPLUS request.
> >
> >   - Improvements to AuthBy URL. Improved HTTP and HTML standards compliance by using the LWP::UserAgent methods post() and get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication, as well as the previously supported PAP. *CHAP challenges and responses are encoded as HEX and sent as configurable web parameters. Updated the sample config file goodies/url.cfg, and improved documentation. Fixed inconsistent password in sample test_url_md5.cgi. Cleaned up some of the code to be compliant with in-house standards.
> >
> >   - Added support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. Updated sample config file. Suggested by Roel Hoek.
> >
> >   - Updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. Suggested by David Zych.
> >
> >   - Further improvements to AuthBy URL. Now supports CopyReplyItem parameter. If a successful HTTP reply contains a string like 'xxx=hexencodedvalue' the value will be copied to the RADIUS reply as attribute yyy=value; the value is expected to be HEX encoded and will be HEX decoded before adding to the reply.
> >
> >   - Fixed a problem where some SQL modules were not being correctly initialised, which was revealed when the new SQLRetries was added. Reported by Steffen Weinreich.
> >
> >   - Further improvements to AuthBy URL. Now supports CopyRequestItem parameter. Adds a tagged item to the HTTP request. Format is CopyRequestItem xxx yyy. The text of yyy (which may contain special characters) will be added to the HTTP request with the tag xxx. In the special case where yyy is not defined
[RADIATOR] Radiator Version 4.8 released
with XAMPP on Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html) is an excellent, easy to install bundle of useful tools such as Apache, MySQL, Perl etc for Windows. It is also a good base for installing Radiator on Windows, especially if you wish to use Radiator with RAdmin or a MySQL database. Updated installation documentation to include XAMPP on Windows.

- Added support for Novell eDirectory NMAS (Novell Modular Authentication System) to AuthBy LDAP2. NMAS allows Novell eDirectory to support and authenticate passwords using the Vasco Digipass NMAS method, and other third party token and non-token systems. Vasco Response-Only (RO) tokens are only supported since NMAS does not currently support challenge-response via RADIUS. Sample configuration file included.

- Ldap classes now support the ipv6: prefix for Ldap server Host names. If Host begins with ipv6: the subsequent host name(s) will be interpreted as IPV6 addresses where possible, and Net::LDAP will use INET6 to connect to the LDAP server.

- In AddressAllocator SQL, the default AllocateQuery was changed to check the STATE during the allocation to catch certain race conditions.

- With all Ldap clauses, removed the default BindAddress of 0.0.0.0. This was unnecessary and interferes in a non-obvious way with attempts to use ipv6: in the Host. Reported by Dyonisius Visser.

- Added attributes from RFC 5904 to dictionary.

- SNMP Agent now supports:
  RFC4669 - RADIUS Authentication Server MIB for IPv6
  RFC4671 - RADIUS Accounting Server MIB for IPv6
  The RFCs are included in the distribution.

- Improvements to EAP handling to support multiple desired EAP types in EAP NAK response, per RFC 3748.

- Fixed incorrect error message that referred to ServerHTTP. Reported by Karl Gaissmaier.

- Added support for PacketTrace to Server TACACSPLUS, Server DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.

- Fixed a problem where attributes of type ipv6prefix (such as Framed-IPv6-Prefix) would not be decoded correctly if they had fewer than 16 octets. Reported by Lee, Larry KT.

- Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even if the Called-Station-Id has the SSID of the AP appended as described in http://tools.ietf.org/html/rfc3580#section-3.20

- Added example perl script rpt.pl which logs packets which match a regexp. Contributed by Bart Dumon.

- Fixed a problem when using AuthBy RADIUS with Synchronous and Fork that if the secrets don't match (resulting in Bad authenticator received in reply to ID 1. Reply is ignored), this creates forked processes that never terminate and have to be manually force-killed. Reported by David Zych.

- Fixed a number of innocuous warnings when radiusd is run with perl -w.

- Added usage documentation for author_args in tacacsplustest.

- In AuthSQL, GroupMembershipQuery is now not passed any bind variables. If you wish to use bind variables with GroupMembershipQuery, use the new GroupMembershipQueryParam.

- Fixed a problem with Server HTTP where some versions of Firefox would hang when trying to access localhost:9048. Also fixed some innocuous warnings when run with the -w flag.

- Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some cases with some versions of Sys::Syslog, the loghost was not set correctly. Reported by Klara Mall.

- radiusd now unlinks PidFile during an orderly shutdown. Suggested by Klara Mall to prevent startup scripts being confused by stale PID files.

- Improvements to AddressAllocator SQL: If CheckPoolQuery is set to an empty string, no pool checking will be done at startup. If AddAddressQuery is set to an empty string, addresses will not be automatically added to the pool.

- Testing against RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de/. Works well, and easy to install.

- Fixed a problem in TLS Stream based protocols (such as AuthBy RADSEC, AuthBy DNSROAM etc.) where ConnectOnDemand would not work correctly in the case where a TLS connection was being established and failed. Reported by Stefan Winter.

- Added goodies/radiusgina.txt, a brief introduction to RadiusGINA, a Windows RADIUS login authenticator from LSE http://lsexperts.de
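Two of the client-identification changes in the history above, shown as an added Python example that is not Radiator's own Client lookup code: most-specific CIDR match wins when several Client clauses cover an address, and a Called-Station-Id with the SSID appended (RFC 3580 section 3.20, `MAC:SSID`) is split so that only the MAC part forms the `MAC:nn-nn-nn-nn-nn-nn` client address. The client table and the Called-Station-Id values are constructed.

```python
"""Client identification helpers. Added example, not Radiator's Client lookup
code: most-specific CIDR wins, and Called-Station-Id parsing per RFC 3580 3.20."""
import ipaddress
import re

# Constructed client table: (network, client name), deliberately listed
# least-specific first to show that listing order does not decide the match.
CLIENTS = [
    ("10.0.0.0/8", "campus-default"),
    ("10.1.0.0/16", "building-1"),
    ("10.1.2.0/24", "wlan-controllers"),
    ("2001:db8::/32", "v6-lab"),
]


def build_client_table(entries):
    """Sort networks by prefix length, longest first, so the first hit in
    find_client() is the most specific network containing the address."""
    table = [(ipaddress.ip_network(cidr, strict=False), name) for cidr, name in entries]
    return sorted(table, key=lambda t: t[0].prefixlen, reverse=True)


def find_client(table, address):
    """Return the client name for the most specific network containing address."""
    ip = ipaddress.ip_address(address)
    for network, name in table:
        if ip.version == network.version and ip in network:
            return name
    return None


# RFC 3580 section 3.20: upper-case MAC with '-' separators, optionally
# followed by ':' and the SSID (the SSID itself may contain ':').
CALLED_STATION_RE = re.compile(r"^([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})(?::(.*))?$")


def parse_called_station_id(value):
    """Split a Called-Station-Id into (normalised MAC, SSID or None)."""
    match = CALLED_STATION_RE.match(value.strip())
    if not match:
        return None, None
    return match.group(1).upper(), match.group(2)


def client_key_for_called_station_id(value):
    """Key in the MAC:nn-nn-nn-nn-nn-nn form; None if the value is not a MAC."""
    mac, _ssid = parse_called_station_id(value)
    return f"MAC:{mac}" if mac else None


if __name__ == "__main__":
    table = build_client_table(CLIENTS)
    print(find_client(table, "10.1.2.7"))
    print(client_key_for_called_station_id("00-10-A4-23-19-C0:AP1"))
```

The MAC is upper-cased before the key is built so that a NAS sending lower-case hex still hits the same Client entry, and the SSID is returned separately rather than discarded, which is useful when a policy also depends on which SSID the request came from.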
Re: [RADIATOR] stale pidfile
Hi Klara,

thanks for raising this issue. It has now been fixed in the latest patch set.

Cheers.

On Monday 11 April 2011 09:14:57 am Klara Mall wrote:

Hi,

I think it would be good if radiator would remove its pidfile before shutting down. Init scripts could be misguided by a stale pidfile. This would fix it:

--- a/radiusd +++ b/radiusd @@ -306,6 +306,11 @@ # Call the ShutdownHook, if there is one $main::config-runHook('ShutdownHook'); log($main::LOG_NOTICE, SIGTERM received: stopping); +my $pidfile = Radius::Util::format_special($main::config-{PidFile}); +if ($pidfile ne '') +{ + unlink $pidfile; +} } #

Regards
Klara
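Review bot: the result of `unlink $pidfile` in this hunk is never checked, so a failed removal (for example when radiusd has already dropped to the configured User and the pidfile's directory is only writable by root) is silent and the stale-pidfile problem the patch targets comes back with no log line to explain it; suggest `unlink $pidfile or log($main::LOG_ERR, "Could not unlink PidFile $pidfile: $!");`. The removal is also placed only in the SIGTERM path visible here, so any other orderly-exit path would still leave the file behind; worth confirming whether one shutdown routine can own it. Finally, the file is removed without checking that its contents are this process's PID, so a pidfile left by a newer instance started in the meantime would be removed too; comparing the stored PID with `$$` before the unlink avoids that.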
Re: [RADIATOR] logfile permissions
Hi Klara, thanks for raising this issue. It has now been fixed in the latest patch set. Cheers. On Monday 11 April 2011 09:14:05 am Klara Mall wrote: Hi, I noticed that there's a problem when you start radiator for the first time (i.e. with nonexistent logfile) and User is set to some non-root user. The logfile is created when radiator is still running as root (at least when debug log is enabled), so it's not writable anymore for the radiator process after the effective user id has been changed. What I did to fix it: --- a/Radius/ServerConfig.pm +++ b/Radius/ServerConfig.pm @@ -530,9 +530,24 @@ # Only change if it not the same already if ($ != $uid) { - $ = $uid; - $self-log($main::LOG_ERR, Could not set User to $self-{User} (got $): $!) - unless $ == $uid; + # Try to change log file owner first if log file exists + my $logfile = Radius::Util::format_special($self-{LogFile}); + if (-e $logfile) { + my $cnt = chown $uid, -1, $logfile; + if ($cnt == 1) { + $ = $uid; + $self-log($main::LOG_ERR, Could not set User to $self-{User} (got $): $!) + unless $ == $uid; + } + else { + $self-log($main::LOG_ERR, Could not change log file $logfile owner to $self-{User}: $!); + } + } + else { + $ = $uid; + $self-log($main::LOG_ERR, Could not set User to $self-{User} (got $): $!) + unless $ == $uid; + } } } else Regards Klara -- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
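Review bot: the failure branch of the new `if ($cnt == 1)` test is unsafe: when `chown $uid, -1, $logfile` fails, the code logs an error and skips the `$> = $uid` assignment altogether, so radiusd keeps running as root for its whole lifetime, and the only record of that is one ERR line in the very log file it was trying to hand over. A failed chown should not cancel the privilege drop. Keep a single uid-change path (the `$> = $uid ... unless $> == $uid` block is now duplicated in both branches) and log the chown failure in addition to it, or refuse to start when the log file cannot be made writable for the target User; either is safer than silently staying root. Rendering note: this archive has stripped the `>` characters, so `$` reads `$>` and `$self-log` reads `$self->log` in the original patch.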
Re: [RADIATOR] AuthLogSYSLOG.pm
Hi Klara, thanks for reporting this. It has been patched in the latest patch set. Cheers. On Friday 08 April 2011 07:25:10 am Klara Mall wrote: Hi, radiator 4.7 is running on Debian GNU/Linux lenny i386 (Perl v5.10.0) here. No problems with AuthLog SYSLOG. Just tested my configuration with radiator 4.7 on Debian GNU/Linux squeeze amd64 (Perl v5.10.1) and ran into trouble with Authlog SYSLOG. Relevant configuration settings in AuthLog SYSLOG clause: Facility local7 LogSock udp LogHost loghost LogIdent radauth Result: Nothing is logged on loghost and radiator log is telling: Thu Apr 7 22:30:28 2011: ERR: Error while doing AuthLog SYSLOG: no connection to syslog available - udp connect: nobody listening at /usr/share/perl5/Radius/AuthLogSYSLOG.pm line 138 The following patch fixes it: --- AuthLogSYSLOG.pm.orig 2011-04-07 23:16:09.0 +0200 +++ AuthLogSYSLOG.pm 2011-04-07 23:16:16.0 +0200 @@ -130,9 +130,9 @@ my $logopt = Radius::Util::format_special($self-{LogOpt}, $p); eval { # We reset these here in case there are multiple SYSLOGs - $Sys::Syslog::host = $self-{LogHost}; setlogsock($self-{LogSock}) if defined $self-{LogSock}; + $Sys::Syslog::host = $self-{LogHost}; openlog($ident, $logopt, $self-{Facility}); syslog($self-{Facility}|$self-{Priority}, $str); closelog() Regards Klara -- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
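Review bot: the reorder is the right fix, but the hunk leaves the old comment `# We reset these here in case there are multiple SYSLOGs` in place without saying why `$Sys::Syslog::host` must now be assigned after `setlogsock()`; the failure on squeeze (`udp connect: nobody listening`) shows that setlogsock() discards the host set before it, so add a comment stating that ordering dependency, otherwise a later tidy-up will put the two lines back in the failing order. Poking the module's package variable directly is also fragile across Sys::Syslog versions, which is exactly the lenny-versus-squeeze difference this thread describes, and the comment should say so.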
Re: [RADIATOR] Why does this attribute fail?
Hello,

Thanks for reporting this. It appears to be due to incorrect assembly of the transmitted packet sent by your NAS. The ADSL-Forum VSA, which contains the DSLForum-* attributes, has a single extra octet with value 0x02 at the end, after the DSLForum-Access-Loop-Encapsulation attribute. This is being seen by Radiator during unpacking as bad formatting, and the rest of the packet (which contains NAS-IP-Address) is not unpacked. You should refer this to your NAS vendor.

Cheers.

On Wednesday 23 March 2011 07:49:53 pm Vangelis Kyriakakis wrote:
> Hello,
> I have a Juniper Router sending the following packet (see the full log). I get a Warning error about Vendor 3561 Attribute 2 which is DSLForum-Agent-Remote-Id = 00:0f:bb:2c:bb:1b
> Can you see any problem with the packet?
> Regards
> Vangelis
>
> Tue Mar 22 17:04:19 2011: WARNING: Malformed request packet: Vendor 3561 Attribute 2 with length : ignored
> Tue Mar 22 17:04:19 2011: DEBUG: Packet dump:
> *** Received from 194.219.231.127 port 50338
> Packet length = 293
> 01 34 01 25 d9 21 b2 2f 4c cd b4 e2 73 59 2f 49
> 6e a9 aa b1 01 15 74 65 73 74 6c 6c 75 40 66 6f
> 72 74 68 6e 65 74 2e 67 72 02 12 9e 34 1d ed 51
> 8a 8d 41 d7 25 98 79 bf fb 62 28 59 03 00 2c 05
> 32 38 31 1a 16 00 00 13 0a 38 10 38 63 37 33 2e
> 36 65 61 63 2e 30 32 34 32 20 12 62 62 72 61 73
> 2d 6c 61 62 2d 6b 6c 6e 2d 30 31 05 06 10 4f 94
> 4e 57 18 67 65 2d 31 2f 32 2f 31 2e 31 30 30 3a
> 33 33 32 31 2d 31 31 30 32 3d 06 00 00 00 0f 1a
> 90 00 00 0d e9 01 1f 50 4f 50 2d 4b 4c 4e 2d 4d
> 32 2d 4d 31 20 61 64 73 6c 20 30 33 2f 31 30 3a
> 38 2e 33 35 02 13 30 30 3a 30 66 3a 62 62 3a 32
> 63 3a 62 62 3a 31 62 81 06 00 00 03 fc 82 06 00
> 00 5d bd 83 06 00 00 01 00 84 06 00 00 02 00 85
> 06 00 00 05 10 86 06 00 00 6e f0 87 06 00 00 04
> 00 88 06 00 00 5d c0 89 06 00 00 00 00 8a 06 00
> 00 00 00 8b 06 00 00 00 10 8c 06 00 00 00 01 8d
> 06 00 00 00 14 8e 06 00 00 00 05 90 03 00 02 04
> 06 c2 db e7 7f
> Code: Access-Request
> Identifier: 52
> Authentic: 217!178/L205180226sY/In169170177
> Attributes:
> User-Name = test...@forthnet.gr
> User-Password = x
> Chargeable-User-Identity =
> Acct-Session-Id = 281
> Unisphere-Dhcp-Mac-Addr = 8c73.6eac.0242
> NAS-Identifier = bbras-lab-kln-01
> NAS-Port = 273650766
> NAS-Port-Id = ge-1/2/1.100:3321-1102
> NAS-Port-Type = Ethernet
> DSLForum-Agent-Circuit-Id = POP-KLN-M2-M1 adsl 03/10:8.35
> DSLForum-Agent-Remote-Id = 00:0f:bb:2c:bb:1b
> DSLForum-Actual-Data-Rate-Upstream = 1020
> DSLForum-Actual-Data-Rate-Downstream = 23997
> DSLForum-Minimum-Data-Rate-Upstream = 256
> DSLForum-Minimum-Data-Rate-Downstream = 512
> DSLForum-Attainable-Data-Rate-Upstream = 1296
> DSLForum-Attainable-Data-Rate-Downstream = 28400
> DSLForum-Maximum-Data-Rate-Upstream = 1024
> DSLForum-Maximum-Data-Rate-Downstream = 24000
> DSLForum-Minimum-Data-Rate-Upstream-Low-Power = 0
> DSLForum-Minimum-Data-Rate-Downstream-Low-Power = 0
> DSLForum-Maximum-Interleaving-Delay-Upstream = 16
> DSLForum-Actual-Interleaving-Delay-Upstream = 1
> DSLForum-Maximum-Interleaving-Delay-Downstream = 20
> DSLForum-Actual-Interleaving-Delay-Downstream = 5
> DSLForum-Access-Loop-Encapsulation =
Re: [RADIATOR] Feature missing: PacketTrace in ServerRADSEC clause
Support team: views on this request?

On Wednesday 23 March 2011 09:14:50 pm Karl Gaissmaier wrote:
> Hi RADIATOR team,
> I get an ERR: Unknown keyword 'PacketTrace' if I use this declaration in a ServerRADSEC clause. This is a pity, since I can't even decode the packets with wireshark because we UseTLS. PacketTrace is really needed especially within this clause. Please support it in one of the next releases.
> Best Regards
> Charly
Re: [RADIATOR] Feature missing: PacketTrace in ServerRADSEC clause
Hi Karl,

thanks for the suggestion. Support for PacketTrace has now been added to Server TACACSPLUS, Server DIAMETER, Server RADSEC. It is now available in the latest patch set.

Cheers.

On Wednesday 23 March 2011 09:14:50 pm Karl Gaissmaier wrote:
> Hi RADIATOR team,
> I get an ERR: Unknown keyword 'PacketTrace' if I use this declaration in a ServerRADSEC clause. This is a pity, since I can't even decode the packets with wireshark because we UseTLS. PacketTrace is really needed especially within this clause. Please support it in one of the next releases.
> Best Regards
> Charly
Re: [RADIATOR] wrong error message in Radius::StreamServer
Hi Karl,

thanks for reporting this. It has now been fixed in the latest patch set.

Cheers.

On Friday 18 March 2011 11:22:18 pm Karl Gaissmaier wrote:
> Hello RADIATOR team,
> I stumbled upon a wrong error message. Radiator version 4.7, latest patches.
>
> Fri Mar 18 14:07:48 2011: ERR: ServerHTTP has UseSSL/UseTLS, but could not load required modules: Can't locate Digest/HMAC_MD5.pm in @INC (@INC contains: . /radiator/install/lib/site_perl/5.8.5/sun4-solaris /radiator/install/lib/site_perl/5.8.5 /radiator/install/lib/site_perl /radiator/perl-5.8.5/lib/5.8.5/sun4-solaris /radiator/perl-5.8.5/lib/5.8.5 /radiator/perl-5.8.5/lib/site_perl/5.8.5/sun4-solaris /radiator/perl-5.8.5/lib/site_perl/5.8.5 /radiator/perl-5.8.5/lib/site_perl .) at /radiator/install/lib/site_perl/5.8.5/Radius/TLS.pm line 142.
>
> But there is no ServerHTTP configured, instead there is a ServerRADSEC configured. Looks like an error in Radius::StreamServer. Maybe, first there was only ServerHTTP and later on more modules using StreamServer. Please adjust the error message.
> Best Regards and thanks a lot for RADIATOR! Superb software, perfect service!
> Charly
Re: [RADIATOR] EAP Method Negotiation
Hello Aman,

thanks for raising this. This issue has been fixed in the latest patch set.

Cheers.

On Wednesday 09 March 2011 07:38:58 pm Aman Arneja wrote:
> Hi Guys
> I am trying to test the radiator server we just purchased and notice that if my client NAKs the server proposed method and proposes a list of methods, RADIATOR just looks at the first method in the list and sends EAP Failure if it is not configured for it. From the RFC my understanding is that it should read the list and choose a method from the list that it supports.
> Any help here is appreciated
> Thanx
> Aman Arneja
Re: [RADIATOR] EAP Method Negotiation
On Wednesday 09 March 2011 09:16:50 pm Aman Arneja wrote:
> is that the patch set 4.7?

Yes.

Cheers.

> On Wed, Mar 9, 2011 at 4:26 PM, Mike McCauley mi...@open.com.au wrote:
>> Hello Aman,
>> thanks for raising this. This issue has been fixed in the latest patch set.
>> Cheers.
>>
>> On Wednesday 09 March 2011 07:38:58 pm Aman Arneja wrote:
>>> Hi Guys
>>> I am trying to test the radiator server we just purchased and notice that if my client NAKs the server proposed method and proposes a list of methods, RADIATOR just looks at the first method in the list and sends EAP Failure if it is not configured for it. From the RFC my understanding is that it should read the list and choose a method from the list that it supports.
>>> Any help here is appreciated
>>> Thanx
>>> Aman Arneja
Re: [RADIATOR] AuthSQLTOTP question
Hi Matthew,

On Thursday 03 March 2011 03:52:57 am Matthew Reeves-Hairs wrote:
> Hi,
> I have a question regarding the AuthSQLTOTP.pm module. Since the TOTP token time is time based, would it be possible to adapt it to work with challenge response type authentication, MSCHAP for example?

Yes, I think that would be possible, with a small performance cost.

Cheers.

> Regards
> Matthew
>
> Matthew Reeves-Hairs MBCS (CCNA, CCNP, CCDA)
> Director
> Willow ICT Limited
> 13 Willow Close Great Hormead Hertfordshire, SG9 0NW
> Mobile: +44 (0)7912 202627
> Fax: +44 (0)7092 361501
> matthew.reeves-ha...@willowict.com
> http://www.willowict.com
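Where the "small performance cost" in the answer above comes from, as an added example that is not Radiator's AuthSQLTOTP code: with PAP the server receives the submitted code and compares it once, but with a challenge-response method it only receives a hash, so it has to generate every code the token could currently be showing and hash each candidate against the challenge. CHAP (RFC 1994, MD5) stands in for MSCHAP here to keep the block short; the candidate enumeration is the same, only the response computation differs. The TOTP routine follows RFC 6238 with HMAC-SHA1, and the secret and time used in the test are the RFC's published test vector.

```python
"""Verify a CHAP response against a time-based one-time code.

Added example, not Radiator's AuthSQLTOTP code. The server cannot see
the submitted code in a challenge-response exchange, so it tries each
code the token could be showing inside the accepted time window."""
import hashlib
import hmac
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: HOTP over the time-step counter."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def chap_response(ident: int, password: str, challenge: bytes) -> bytes:
    """RFC 1994 CHAP: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


def verify_chap_totp(secret: bytes, ident: int, challenge: bytes,
                     response: bytes, now: int, window: int = 1,
                     step: int = 30) -> bool:
    """Accept the response if it matches the code of any time step within
    +/- window of `now`. That is one MD5 per candidate per request, and
    a wider window both costs more and lengthens the period in which a
    code that was observed in transit can still be replayed."""
    for k in range(-window, window + 1):
        candidate = totp(secret, now + k * step, step)
        if hmac.compare_digest(chap_response(ident, candidate, challenge), response):
            return True
    return False
```

With MSCHAPv2 the per-candidate work is the NT-hash and DES steps of that protocol instead of one MD5, but the loop is identical, which is why a seed stored for PAP can be reused for challenge-response at a cost proportional to the window size.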
Re: [RADIATOR] Colubris-AVPair
Hi All,

thank you to Klara. We have now added these to the dictionary in the latest patch set.

Cheers.

On Tuesday 01 March 2011 07:07:23 am Klara Mall wrote:
> Hi,
>
> On 02/28/2011 09:42 PM, Heikki Vatiainen wrote:
>> On 02/28/2011 06:31 AM, Jeffrey Lee wrote:
>>> Mon Feb 28 15:27:01 2011: ERR: Attribute number 254 (vendor 8744) is not defined in your dictionary
>>> Mon Feb 28 15:27:01 2011: ERR: Attribute number 251 (vendor 8744) is not defined in your dictionary
>>> Mon Feb 28 15:27:01 2011: ERR: Attribute number 253 (vendor 8744) is not defined in your dictionary
>>> Mon Feb 28 15:27:01 2011: ERR: Attribute number 252 (vendor 8744) is not defined in your dictionary
>>>
>>> i've checked the dictionary file (which is read by radiusd when it started). the vendor (colubris) and vendor attribute (colubris-avpair) seems to be defined.
>>
>> Yes, Colubris attribute number 0 is defined, but attributes 251 - 254 are not defined since their names and types are not known. Would you have documentation for those attributes so they could be added to the dictionary?
>
> Since we also use an HP ProCurve WLAN Controller (Colubris Networks was acquired by HP in 2008) I also found these undocumented attributes in the radiator logfile. I asked HP for an explanation and finally it became clear that these attributes are not defined and this is a bug which has existed for many years. They said it will be fixed in one of the next releases, at least for our product.
>
> My workaround until then: add the following to the dictionary such that the logfile is not inundated with concerning ERR messages:
>
> VENDORATTR 8744 Colubris-Attr-246 246 string
> VENDORATTR 8744 Colubris-Attr-247 247 string
> VENDORATTR 8744 Colubris-Attr-248 248 string
> VENDORATTR 8744 Colubris-Attr-249 249 string
> VENDORATTR 8744 Colubris-Attr-250 250 string
> VENDORATTR 8744 Colubris-Attr-251 251 string
> VENDORATTR 8744 Colubris-Attr-252 252 string
> VENDORATTR 8744 Colubris-Attr-253 253 string
> VENDORATTR 8744 Colubris-Attr-254 254 string
>
> Regards
> Klara
Re: [RADIATOR] Status of the Micros Fidelio Connector
Hi Ralf,

On Tuesday 22 February 2011 02:37:05 am Ralf Ertzinger wrote:
> Hi.
> We're looking to deploy a WLAN infrastructure for a client using Micros' Opera software suite. I noticed that there has been a connector for that in Radiator for some years, but Micros seems to consider it still uncertified. Can someone enlighten me as to the status of the connector? Success stories welcome as well.

The Radiator - Opera interface is complete and has been deployed at a number of sites. MF require successful completion reports from a certain number of sites before they will certify the interface. Although there have been a number of successful deployments, not all of them have been reported to MF and therefore MF have not yet certified it. We will be happy to work with anyone planning to deploy the Opera interface if we can use that site as support for certification.

Cheers.

> Thanks.
[RADIATOR] Added support for Novell eDirectory NMAS and Vasco Digipass NMAS method
Hello,

we are pleased to announce that Radiator now supports Novell eDirectory NMAS and the Vasco Digipass NMAS method.

Novell eDirectory is a widely used user and identity management system based on LDAP (www.novell.com). NMAS (Novell Modular Authentication System) is a component of eDirectory that permits eDirectory to authenticate passwords in a modular way. It allows third parties to add password authentication mechanisms (called Methods) to eDirectory.

Vasco (www.vasco.com) have released such an NMAS Method for their Digipass 2 factor tokens. This allows administrators to use eDirectory to import, manage, assign and authenticate Vasco Digipass tokens for their users.

Radiator now supports NMAS authentication of Vasco Digipass tokens (and other NMAS Methods). During NMAS authentication, PAP passwords are passed to eDirectory and the selected NMAS Login sequence method. The NMAS methods authenticate the password and tell Radiator whether to accept or reject the password.

Radiator will continue to support authenticating Vasco Digipass tokens in your own SQL database, and in RAdmin, and it will also continue to support Novell Universal Passwords, as valid optional configurations.

Support for NMAS is now in the latest Radiator patch set along with sample configuration files etc.
Re: [RADIATOR] Radsec and IPv6 keeps troubling me
Hello Patrick,

thanks for reporting this. This would occur if the remote host name was specified in the form ipv6:hostname and the certificate name was for 'hostname'. It should now be fixed in the latest patch set. We apologise for any inconvenience.

Cheers.

On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
> Hi all,
>
> Radsec in combination with IPv6 keeps troubling me. This weekend I upgraded Radiator from version 4.4 to 4.7 and since then the Radsec-connections won't work over IPv6. I had to switch back to IPv4 to get it running again. Both systems, Radsec server and client, run Radiator 4.7 on RHEL. RHEL 5.4 on client side and RHEL 5.5 on server side. I only upgraded the client side. The server that acts as Radsec-server was already running Radiator 4.7. Personally I think it is not OS related, I experienced the same problems on Solaris 5.9 and 5.10 before.
>
> Below you find the error-message and the relevant configuration parts. Any help is appreciated.
>
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value 'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by ipv6:'host' failed
> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401, 9303: 1 - error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>
> #RADSEC client side:
> <Handler Realm=/^'realm'$/i>
> #       RewriteUsername s/^([^@]+).*/$1/
>         <AuthBy RADSEC>
>                 Host ipv6:'hostname'
>                 Port 2083
>                 Secret cut
>                 UseTLS
>                 TLS_CertificateType PEM
>                 TLS_CAPath %D/certs/cacert
>                 TLS_CertificateFile %D/certs/%h.pem
>                 TLS_PrivateKeyFile %D/certs/%h.pem
>         </AuthBy>
> </Handler>
>
> #RADSEC serverside:
> <ServerRADSEC>
>         Port 2083
>         UseTLS
>         TLS_CAFile %D/cert/edugain/cacert/xx.pem
>         TLS_CertificateFile %D/cert/edugain/yy.pem
>         TLS_CertificateType PEM
>         TLS_PrivateKeyFile %D/cert/edugain/yy.pem
>         TLS_RequireClientCert
>         TLS_SessionResumption 0
>         Secret cut
>         Identifier RADSEC
> </ServerRADSEC>
>
> Kind regards,
> Patrick Renkens
> Centre for Information Services (UCI)
> Radboud University Nijmegen, Netherlands
Re: [RADIATOR] HTTP Log
Hi Adam, Thanks for your note. Your patch has now been added to the latest patch set. thanks again. Cheers. On Friday 14 January 2011 01:30:22 am Adam Bishop wrote: Hello, At high trace levels the log can accumulate characters that are Special to HTML, such as and . This can cause a few display issues with the HTTP log display. At the end of this message is a single line patch to escape the offending characters before they are emitted. Logging to text file/sql/syslog is unaffected. Adam Bishop JANET(UK) --- ServerHTTP.pm.old 2011-01-13 14:27:58.0 + +++ ServerHTTP.pm 2011-01-13 14:36:37.0 + @@ -1469,6 +1469,9 @@ $log .= $self-{parent}-{log}[$i] . \n if defined $self-{parent}-{log}[$i]; } + +$log = CGI::Util::simple_escape($log); + $self-send_standard(EOF This page shows the last $self-{parent}-{LogMaxLines} log messages recorded by this Radiator. It can be useful when checking or debugging your new configuration. JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Oxford, Didcot, Oxfordshire. OX11 0SG ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator -- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
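Review bot: the hunk calls `CGI::Util::simple_escape($log)` but no `use CGI::Util;` or `require` appears in the shown context; unless ServerHTTP.pm already loads that module, this page will die at request time with an undefined-subroutine error, so confirm the import. The description frames this as a display issue, but the strings being escaped are log messages, and trace-level log lines carry values copied from RADIUS requests sent by remote clients, so unescaped output into the admin page is an injection point rather than a cosmetic one; the change description should say so, and the same escaping is needed at every other place `$self->{parent}->{log}` entries are emitted into HTML, not only in this heredoc. (The archive has dropped `>` characters here, so `$self-{parent}-{log}` is `$self->{parent}->{log}` in the original.)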
Re: [RADIATOR] Radiator.spec file: 4.7-3
Hi Nick,

On Friday 14 January 2011 10:25:23 am Nick Urbanik wrote:
> Dear Radiator folks,
> I'm building a Radiator RPM which we've patched to support AddressAllocatorDHCP.pm using a DHCP failover pair. The SPEC file provided with the tarball is not the one used to build the RPM, but that spec file is not provided, nor is there a source RPM provided. Please could anyone provide the spec file for Radiator 4.7-3?

Attached.

> I'm re-writing the spec file to avoid hard coding Perl version numbers and other such practices, but it would be nice to have a better starting point.

Cheers.

Attached Radiator.spec:

#
# RPM Spec file for Radiator on RH7, SuSE and similar
#
# Author: Mike McCauley (mi...@open.com.au)
# Copyright (C) 2001-2004 Open System Consultants
# $Id: Radiator.spec,v 1.53 2010/09/21 23:11:48 mikem Exp $

# Allow us to control whether we are building Locked or UNlocked from the command line

# Disable the default LZMA compression on OpenSuSE, since it is not available on all platforms
%define _binary_payload w9.bzdio

%{!?DISTNAME:%define DISTNAME Radiator}
%{!?PERLVER:%define PERLVER 5.10.0}

Summary: Radiator Radius server
Name: %{DISTNAME}
Version: 4.7
Release: 3
Epoch: 40703
License: Proprietary, Open System Consultants Pty Ltd
Group: System/Servers
Source: %{name}-%{version}.tgz
URL: http://www.open.com.au/radiator/
Vendor: Open System Consultants Pty. Ltd.
Packager: Open System Consultants, Mike McCauley mi...@open.com.au
AutoReqProv: no
Provides: Radiator
Requires: perl >= 5.6.0
Prefix: /usr
BuildRoot: /var/tmp/%{name}-root

%description
Radiator Radius server provides RADIUS authentication through a wide range of data sources, such as flat file, DBM, SQL, SecurID LDAP, Unix Passwd, TACACS+, NT SAM, Active Directory, OPIE NIS+, CDB, AFS Kerberos, PAM, RAdmin, global roaming (iPASS, GoRemote) ISP billing (Emerald, Platypus, Rodopi, Optigold, Hawk-i, Billmax Interbiller, Freeside).

%prep
%setup

%build
PREFIX=$RPM_BUILD_ROOT/%{prefix} perl Makefile.PL
make

%install
mkdir -p $RPM_BUILD_ROOT/bin
mkdir -p $RPM_BUILD_ROOT/var/log/radius
mkdir -p $RPM_BUILD_ROOT/etc/radiator
mkdir -p $RPM_BUILD_ROOT/etc/init.d
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/vendor_perl
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/%PERLVER/Radius
make install
install -m644 goodies/linux-radius.cfg $RPM_BUILD_ROOT/etc/radiator/radius.cfg
install -m644 goodies/simple-users $RPM_BUILD_ROOT/etc/radiator/users
install -m644 dictionary $RPM_BUILD_ROOT/etc/radiator
install -m755 goodies/linux-radiator.init $RPM_BUILD_ROOT/etc/init.d/radiator
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5/site_perl
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5/vendor_perl

%files
%attr(-, root, root) %doc doc
%attr(-, root, root) %doc goodies
%attr(-, root, root) %doc ppm
%attr(-, root, root) %doc certificates
%attr(-, root, root) %doc dictionary*
%config /etc/radiator/radius.cfg
%config /etc/radiator/users
%dir /var/log/radius
/usr/bin/builddbm
/usr/bin/radpwtst
/usr/bin/radiusd
/usr/bin/buildsql
/usr/lib/perl5/site_perl/%PERLVER/Radius
/usr/lib/perl5/site_perl/Radius
/usr/lib/perl5/Radius
/usr/lib/perl5/vendor_perl/Radius
/etc/radiator/dictionary
/etc/init.d/radiator

%post
# Just in case they have a different perl version
#ln -fs /usr/lib/perl5/site_perl/5.8.3/Radius /usr/lib/perl5/site_perl/Radius
if [ -x /etc/rc.d/rc.M -a -x /etc/rc.d/rc.local ]; then
    # Slackware
    if ! grep -q 'radiator startup, added by rpm' /etc/rc.d/rc.local >/dev/null; then
        echo '# radiator startup, added by rpm' >> /etc/rc.d/rc.local
        echo 'if [ -x /etc/init.d/radiator ]; then' >> /etc/rc.d/rc.local
        echo '/etc/init.d/radiator start' >> /etc/rc.d/rc.local
        echo 'fi' >> /etc/rc.d/rc.local
    fi
else
    # LSB and similar
    # Try to be compatible with Cobalt and others:
    if [ -d /etc/rc.d/rc0.d ]; then
        rcbase=/etc/rc.d
    else
        rcbase=/etc
    fi
    # Add startup script
    for i in 0 1 2
    do
        ln -sf ../init.d/radiator $rcbase/rc$i.d/K15radiator
    done
    for i in 2 3 4 5 6
    do
        ln -sf ../init.d/radiator $rcbase/rc$i.d/S90radiator
    done
fi

%preun
if [ -x /etc/rc.d/rc.M -a -x /etc/rc.d/rc.local ]; then
    # Slackware
    echo slackware
else
    # LSB and similar
    # Try
Re: [RADIATOR] Help required with EAP TTLS
Hello Aman,

On Monday 10 January 2011 04:11:55 pm Aman Arneja wrote:
Thanx Heikki 2 more questions from my clients are as follows
1.) When we talk about Client auth in phase 1, what we meant was that can there be an EAP TLS Mutual authentication in phase 1 (Server auth + Client auth)

Yes, EAP-TLS requires that by default. With EAP-TTLS and EAP-PEAP it is not required by default, but it can be enabled by setting EAPTLS_RequireClientCert

2.) Also does radiator support Key Agility extensions as defined at http://tools.ietf.org/html/draft-hanna-eap-ttls-agility-00

No.

With respect to method chaining and other questions, my client is in the process of building a client side implementation and thus wanted to know what all is supported, especially since we have zeroed in on buying radiator server we just wanted to at least match you guys in configuration.

Hope that helps. Cheers.

Thanx Aman Arneja

On Sat, Jan 8, 2011 at 3:10 PM, Heikki Vatiainen h...@open.com.au wrote:
On 01/07/2011 01:51 PM, Aman Arneja wrote:
I also need some information regarding your ttls support since i am looking at a radius server that can service both SIM and TTLS requests, i need the answers to the following questions.

Good questions. Please see below for answers.

Features
Non-EAP inner methods - Which methods are supported?

There are plenty: the basic ones are PAP, CHAP, MSCHAP and MSCHAPv2. The way Radiator has been built makes supporting different inner methods easy. The inner method messages are dispatched as new RADIUS messages and can be handled in the configuration as their own, not within TTLS. In other words there is a lot of flexibility with the inner protocols, and the ones mentioned above are usually supported and used by clients. Do you have any specific methods in mind?

Client auth during phase 1 - Supported, Not/Supported

Supported. The phase 1 message is available for authentication.
You can for example, first validate MAC address or check WLAN SSID in the outer request and only then proceed to continue with phase 2.

Can identity privacy be explicitly enabled or disabled - on the client side
Can session resumption be explicitly enabled or disabled - on the client side

Yes for both. The outer identity can be different from the inner identity. Session resumption is supported by Radiator by default and can be disabled from the client side.

Method chaining in Phase 2

For this you would need to use Radiator with e.g., EAP-FAST where method chaining has been well defined. With TTLS methods can in theory be chained with clever configuration, but I do not think Radiator has been tested or used in such a configuration. If you have something specific in mind, please let us know.

Allowing tunnel method as inner method (FAST, PEAP)

This may not have ever been tested and I can not verify if this works. If you know a client that can do this, we would be very interested to know about it.

Also if you have any competitor analysis on this, like with free radius etc, that would be great !!

Please take a look at Radiator technical information at http://www.open.com.au/radiator/technical.html I will check what analysis type of information we may also have.

Thanx Aman Arneja

Thanks! Heikki Vatiainen
-- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd 9 Bulbul Place Currumbin Waters QLD 4223 Australia http://www.open.com.au Phone +61 7 5598-7474 Fax +61 7 5598-7070 Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Help with EAP-SIM simulator for evaluation
Hello Heikki and support,

Just to let you know that this evaluator told us in his eval request he was mostly interested in the MAP gateway simulator. We are a bit suspicious about his intentions and whether he will actually purchase if successful, so if you notice anything odd about what he's up to, please let us know. The Cisco MAP interface is only provided on demand to customers who can confirm they have a Cisco ITP MAP gateway license. This is for legal reasons.

Cheers.

On Tuesday 11 January 2011 05:02:13 am Heikki Vatiainen wrote:
On 01/10/2011 05:34 PM, Effi Rand wrote:
I need some help with the configuration of the radiator as a MAP-GATEWAY with radius interface. I'm not that experienced in this product and it's important for me to evaluate this feature since the expire date is due in 2 weeks. I was able to test the EAP-SIM with the SSGN simulator using the odyssey wireless client (after we cached some triplets to a local file). However, when I try to test it with the MAP-GATEWAY simulator (same client), I fail to get the access-accept message.

There are a couple of things you should try. I will go through them below:

# radius.cfg
# $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $

Looks like most of the content is from goodies/eap_simoperator.cfg

AuthPort 1645,1812,1647
AcctPort 1646,1813,1648

Please remove ports 1647 and 1648 since they will be used by map.cfg

<Realm DEFAULT>
<AuthBy SIMOPERATOR>
# The name or address of the example MAP gateway(s) that will serve this instance
# Radius requests are sent to this gateway requesting triplets etc.
Host localhost
AuthPort 1647
Secret cisco

Please check README section Testing with the Radius MAP gateway simulator. What you should have listening on localhost port 1647 is another Radiator running configuration from goodies/map.cfg. The example map.cfg uses port 1647 with secret mysecret. What happens now is that this Radiator instance gets the request that is intended for the MAP simulator.
Like README says, you should have two Radiator instances running at the same time:

4. Run the MAP gateway simulator: radiusd -config goodies/map.cfg
5. Run Radiator EAP-SIM server: radiusd -config goodies/eap_simoperator.cfg

<AuthBy MAP>
TripletsFile /tmp/Modules/Radius-EAP-SIM/goodies/triplets.dat
Pin
</AuthBy>

Remove the AuthBy MAP block. This AuthBy will be handled by the second Radiator that uses map.cfg

</Realm>

Another thing, in the README file, you mention that there is also a cisco-ipt simulator under Radius-EAP-SIM/goodies/ciscomap.cfg There is no file like that.

You are correct. I will check what has happened to it.

Another question, so far I've failed to test the iPhone EAP-SIM client against the EAP-SIM simulator. Any idea what can be done?

I have not tried iPhone myself, but unless you have already downloaded iPhone configuration utility from Apple you may want to do that. The utility gives you control over many things, including WLAN settings where you can disable all the other WPA-Enterprise methods.

Thanks!
[RADIATOR] L5 load balancers for Radius
Hi, One of our customers wants to use an L5 load balancer to balance tacacs and RADIUS requests, but their LB service provider seems to not understand how to do this and still preserve the source address (so the radius server can tell who the client really is) Does anyone have an L5 config that shows how to do this? Cheers.
Re: [RADIATOR] L5 load balancers for Radius
Sorry, meant F5 load balancer not L5. On Wednesday 01 December 2010 08:52:49 am Mike McCauley wrote: Hi, One of our customers wants to use an L5 load balancer to balance tacacs and RADIUS requests, but their LB service provider seems to not understand how to do this and still preserve the source address (so the radius server can tell who the client really is) Does anyone have an L5 config that shows how to do this? Cheers.
[RADIATOR] New support team members
Hello, OSC's support services are expanding, and we welcome some new members to the support team: Sami Keski-Kasari, Karri Huhtanen and Heikki Vatiainen. All are highly experienced with Radiator and are ready to help OSC customers with email support, remote consulting and training. If you hold an email support contract, for a prompt response, please do not send email to individuals, but use the correct support email address and procedures outlined here: http://www.open.com.au/emailsupport.html Once again, welcome to our new team members. Cheers.
Re: [RADIATOR] Certificate issues with intermediate certificates.
Hi Todd, there were some recent postings on this topic on this list under the subject "Can't get chain certificates to work" by Stephen A. Felicetti, David Zych and Andrew Clark with a solution.

On Saturday 20 November 2010 06:55:02 am Smith, Todd wrote:
In working with Radiator and Apple devices, I am having problems with the RADIUS server certificate being verified by the client. In discussion with DigiCert, they suggest that Radiator is not correctly giving out the intermediate certificates to the client. I am able to authenticate other devices so I don't think that is a problem but something is keeping the Apple devices from correctly authenticating. The syntax that I am using in Radiator is as follows:

EAPType PEAP
# CAChain contains 2 intermediate certificates and the root certificate concatenated like this Inter1-Inter2-Root
EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
EAPTLS_MaxFragmentSize 1000

DigiCert has suggested to test for the intermediate certificates by the method quoted below using OpenSSL. When I tested it using port 1812 or 443 all I received was the error message Connection refused:errno 29. Would you be able to test a certificate chain in this way? Would you need a 802.1x client to handshake before the X.509 certificate would be transmitted? Trace 4 shows Radiator handing out the certificate but even though the Apple clients have the appropriate root certificate, they can't verify the server certificate and there doesn't seem to be any problem with the server certificate since other devices don't seem to complain about it. Any suggestions as to what else I can look at?

Todd Smith

Before going that direction, I think it would be valuable to determine whether the server is sending any intermediate certificates at all.
The current certificate you have requires two intermediates to chain properly, while the reissue I'm suggesting would require just one intermediate. But if the server is sending no intermediates, then neither option would resolve the issue. Can you try connecting to the RADIUS server using OpenSSL to check the certificate chain? From a workstation or server with OpenSSL that can access the RADIUS server (or from the RADIUS server itself), you would run this command:

openssl s_client -connect weiland.camc.hsi:radius_ssl_port

where radius_ssl_port is the ssl port number on the RADIUS server

Confidentiality Note: The information contained in this message may be privileged and confidential. If this e-mail contains protected health information, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited, except as permitted by law. If you have received this communication in error, please notify the sender immediately by replying to this message and deleting it from your computer. Thank you.
Re: [RADIATOR] Additional logging for EAP-TLS
Hello Markus, Thanks for your thoughts. EAP-Error is not in the dictionary, and will cause errors when the reply is packaged will it not? In any case, I would expect the EAP error reason to be available in the reason sent to the AuthLog clause. Also, if you have RejectHasReason set, I would expect to see the EAP error in the reply message too. Cheers. On Friday 19 November 2010 06:41:05 am Markus Moeller wrote: Hi, I would like to log more than TLS error acknowledged into the access log, but I don't see that the error is stored anywhere. Is the below a good way to do it and use the EAP-Error attribute in the access log deny message ? Thank you Markus --- /tmp/EAP_13.pm 2010-11-18 08:16:53.0 + +++ /tmp/EAP_13_n.pm2010-11-18 08:22:06.0 + @@ -116,6 +116,7 @@ { # Handshake was not successful my $errs = Net::SSLeay::print_errs(); +$p-add_attr('EAP-Error', EAP TLS Handshake unsuccessful: $errs); return ($main::REJECT, EAP TLS Handshake unsuccessful: $errs); } elsif ($reason == Net::SSLeay::ERROR_WANT_READ) @@ -137,6 +138,7 @@ # Certificate verification failed, keep going # so we tell the client what the problem was my $verify_error_string = Radius::TLS::verify_error_string($verify_result); + $p-add_attr('EAP-Error', EAP TLS certificate verification failed: $verify_error_string, $errs); $self-log($main::LOG_INFO, EAP TLS certificate verification failed: $verify_error_string, $errs, $p); } @@ -144,6 +146,7 @@ { # Serious TLS error, bail out $self-log($main::LOG_ERR, EAP TLS error: $ret, $reason, $state, $verify_result, $errs, $p); + $p-add_attr('EAP-Error', EAP TLS error: $ret, $reason, $state, $verify_result, $errs); Radius::TLS::contextSessionClear($context); $self-eap_failure($p-{rp}, $context); return ($main::REJECT, EAP TLS error); 
@@ -192,6 +195,7 @@ { Radius::TLS::contextSessionClear($context); $self-eap_failure($p-{rp}, $context); +$p-add_attr('EAP-Error', EAP TLS No peer certificate); return ($main::REJECT, 'EAP TLS No peer certificate'); } Net::SSLeay::X509_free($peer); # get_peer_certificate increments the count @@ -208,6 +212,7 @@ { Radius::TLS::contextSessionClear($context); $self-eap_failure($p-{rp}, $context); +$p-add_attr('EAP-Error', EAP TLS session resumed by user $context-{tls_authenticated_cn} is not authenticated: $reason); return ($main::REJECT, EAP TLS session resumed by user $context-{tls_authenticated_cn} is not authenticated: $reason); } $authuser = $user;
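Review bot: every hunk calls add_attr on the request packet $p rather than on the reply $p->{rp}, so even once an EAP-Error attribute existed in the dictionary the NAS would never see it in the Access-Reject; as the reply above notes, an attribute missing from the dictionary will also error when the reply is packaged. The same text is already returned as the second element of the ($main::REJECT, ...) tuple in each hunk, which is what reaches the AuthLog clause and, with RejectHasReason, the reply message, so the patch can be dropped in favour of logging that reason. Minor style point: the first hunk indents the added line differently from the others.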
Re: [RADIATOR] Add UsernameMatchesWithoutRealm to Auth by LSA
Hi Neil, thanks for the patch. It has been added to the latest patch set. Cheers. On Thursday 18 November 2010 04:02:13 am Johnson, Neil M wrote: Yes, but the user being checked is radt...@uiowa.edu Since it's AD I only want to check membership for radtest. The change I made to the source seems to fix the problem. -Neil
Re: [RADIATOR] Additional logging in AuthGROUP
Hi Markus, thanks for the suggestion and patch. It is now in the latest patch set. Cheers.

On Thursday 18 November 2010 05:07:13 am Markus Moeller wrote:
Would it be possible to add additional DEBUG logging to AuthGROUP, so that any individual Authby result will be logged? Thank you Markus

# Try all the authenticators in sequence until the AuthByPolicy
# is satisfied
# CAUTION: The handler might fork
my ($handler, $reason);
foreach $handler (@{$self->{AuthBy}})
{
    # Make sure the authby is updated with stats
    push(@{$p->{StatsTrail}}, \%{$handler->{Statistics}});
    ($handled, $reason) = $handler->handle_request($p, $p->{rp}, $extra_checks);
    # Evaluate the AuthByPolicy
    $self->log($main::LOG_DEBUG, "$type:$self->{Identifier} $handler->{Identifier} result: $Radius::AuthGeneric::reasons[$handled], $reason", $p);
    last unless $self->evaluatePolicy($self->{AuthByPolicy}, $handled);
}
Re: [RADIATOR] Time Drifting totp Tokens
Hi Steffen, Thanks for the patch. It is now in the latest patch set. Cheers.

On Wednesday 17 November 2010 07:29:51 am Steffen Weinreich wrote:
Hi! I have found one of my Feilian c200 Tokens which has drifted into the future. At the moment it is about 40 sec in the future and therefore a freshly entered PIN could be rejected since from the POV of the Radius Server the Token is not yet valid. For now I have changed AuthSQLTOTP.pm to also take a look into the future for the Token Code, but if the token continues to drift away from the right time, it could be necessary to add some code to deal with time drifting. The same also happens with software tokens with an incorrect time, but this is fixable by the user. Please find my Patch included below:

cheerio Steve
-- When politicians are lost for words, they give a speech.

--- ../p1/Radius/AuthSQLTOTP.pm 2010-10-26 22:04:40.0 + +++ Radius/AuthSQLTOTP.pm 2010-11-16 17:23:53.0 +
@@ -186,7 +186,7 @@ $Radius::TOTP::X = $self-{TimeStep}; $Radius::TOTP::T0 = $self-{TimeStepOrigin}; my $T; -for ($delay_counter = 0; $delay_counter = $self-{DelayWindow}; $delay_counter++) +for ($delay_counter = -$self-{DelayWindow}; $delay_counter = $self-{DelayWindow}; $delay_counter++) { $T = Radius::TOTP::totp_timestep($recv_time, $delay_counter); my $totp = Radius::TOTP::totp_compute_sha1(pack('H*', $secret), $T, $digits);
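Review bot: the loop now tries 2*DelayWindow+1 time steps instead of DelayWindow+1, so a single login attempt matches twice as many candidate codes and the chance of a guessed code being accepted rises proportionally; the DelayWindow documentation should say that it now applies in both directions, and a separate, smaller setting for the forward-looking part of the window would be worth considering, since genuine clock drift is small while the backward window also has to cover transmission and typing delay. Any check elsewhere in the module that refuses a time step which has already been accepted should be confirmed to cover the negative counters as well, so a code captured inside the widened window cannot be re-used.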
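The drift problem discussed in this thread, as an added example that is not Radiator's AuthBy SQLTOTP code: an RFC 6238 TOTP verifier with separate backward and forward windows (a generalisation of the symmetric DelayWindow loop in the patch), plus a last-accepted-step check so a code cannot be replayed inside the window. TIME_STEP, T0, the window names and the drifted-token scenario are assumptions made for the example.

```python
import hashlib
import hmac
import struct

# Added example, not Radiator code. TIME_STEP and T0 stand in for Radiator's
# TimeStep and TimeStepOrigin settings; the names here are assumptions.
TIME_STEP = 30
T0 = 0


def totp_timestep(recv_time: int, delay_counter: int = 0) -> int:
    """RFC 6238 counter T for recv_time, shifted by delay_counter steps.
    Convention used here: negative = earlier steps, positive = later steps."""
    return (recv_time - T0) // TIME_STEP + delay_counter


def totp_compute_sha1(secret: bytes, t: int, digits: int = 6) -> str:
    """HOTP(secret, T) with HMAC-SHA1 and RFC 4226 dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", t), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, recv_time: int, past_window: int,
                future_window: int, digits: int = 6, last_accepted_step=None):
    """Return the time step whose code matched, or None.

    Steps recv_time - past_window .. recv_time + future_window are tried; the
    patched loop is the case past_window == future_window == DelayWindow.
    A step at or before last_accepted_step is never accepted again, which is
    what stops a captured code from being replayed while it is still inside
    the window.
    """
    if not code.isdigit() or len(code) != digits:
        return None
    for delay_counter in range(-past_window, future_window + 1):
        t = totp_timestep(recv_time, delay_counter)
        if last_accepted_step is not None and t <= last_accepted_step:
            continue
        if hmac.compare_digest(totp_compute_sha1(secret, t, digits), code):
            return t
    return None


# Constructed scenario: a token whose clock runs 40 s ahead of the server.
SECRET = b"12345678901234567890"   # the RFC 6238 reference secret, used as test data
SERVER_TIME = 1111111080           # exactly the start of step 37037036
TOKEN_TIME = SERVER_TIME + 40      # the token is already displaying step 37037037


def drifted_token_code(digits: int = 6) -> str:
    """The code the drifted token shows when the user types it in."""
    return totp_compute_sha1(SECRET, totp_timestep(TOKEN_TIME), digits)


def demo():
    """(backward-only window result, symmetric window result, replay result)."""
    code = drifted_token_code()
    backward_only = verify_totp(SECRET, code, SERVER_TIME, 1, 0)   # rejected
    symmetric = verify_totp(SECRET, code, SERVER_TIME, 1, 1)       # step 37037037
    replayed = verify_totp(SECRET, code, SERVER_TIME, 1, 1,
                           last_accepted_step=symmetric)           # rejected
    return backward_only, symmetric, replayed


if __name__ == "__main__":
    print(demo())
```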
Re: [RADIATOR] clarification on AuthBy ROUNDROBIN failover
-Type = Async
User-Password = 18 241241p2271592002081587216Q163V192
NAS-Identifier = WIRELESS
Proxy-State = OSC-Extended-Id=1
Wed Nov 10 10:03:09 2010: DEBUG: Timed out, retransmitting
Wed Nov 10 10:03:09 2010: DEBUG: Packet dump:
*** Sending to 134.84.119.7 port 1836
Code: Access-Request
Identifier: 1
Authentic: 6-145131166149tKp(1e205z241177
Attributes:
User-Name = mikem
Service-Type = Framed-User
NAS-IP-Address = 192.168.238.210
NAS-Port = 1234
Called-Station-Id = 123456789
Calling-Station-Id = 987654321
NAS-Port-Type = Async
User-Password = 18 241241p2271592002081587216Q163V192
NAS-Identifier = WIRELESS
Proxy-State = OSC-Extended-Id=1
Wed Nov 10 10:03:14 2010: INFO: AuthRADIUS CAH-wireless2008: No reply after 60 seconds and 3 retransmissions to 134.84.119.7:1836 for mikem (239). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
Wed Nov 10 10:03:14 2010: INFO: AuthROUNDROBIN: Retry 3, firstHostTried 0, lastHostTried 0
Wed Nov 10 10:03:14 2010: WARNING: AuthROUNDROBIN: Request was tried for 3 times. All alive server from the RoundRobin list were tried.
Wed Nov 10 10:03:14 2010: INFO: AuthRADIUS CAH-wireless2008: Could not find a working host to forward mikem (1) after 60 seconds. Ignoring
Wed Nov 10 10:03:14 2010: DEBUG: AuthBy ROUNDROBIN result: IGNORE,
Re: [RADIATOR] refresh time on clientlistsql
Hello Alexander, maybe you could reduce the RefreshPeriod in your ClientListSQL to less than an hour (or whatever the retain time in the firewall is) so the SQL session stays up? Cheers. On Friday 29 October 2010 12:36:02 am Alexander Hartmaier wrote: Still happens with newest DBI and DBD::Oracle. I assume radiator doesn't close the db connection and a firewall removes it from its state table which leads to dropped packets after an hour when radiator tries to use the db connection again. You might want to look into DBIx::Connector which handles some problems automatically.
[RADIATOR] OATH One-Time-Password support update
We are pleased to announce successful testing of Radiator with a range of OATH based One-Time-Password hardware tokens and soft tokens. OATH is an open specification for One-Time-Passwords (OTP) developed by the Initiative for Open Authentication (http://www.openauthentication.org). It includes public, open specifications for event based authentication (HOTP) and time-based authentication (TOTP), both using the public and well regarded SHA encryption standards. With Event-Based tokens (HOTP), a new OTP is generated each time you press a button or activate the token. With Time-Based tokens (TOTP), a new OTP is generated automatically every 30 seconds. OATH is designed to be used on both hardware tokens (a small device you carry in your pocket which displays the OTP), and also on soft tokens (small programs which run on your mobile phone or PC). There are a number of commercial hardware tokens and both free and commercial soft tokens available from a range of vendors. Radiator RADIUS Server has supported the HOTP and TOTP specifications since very soon after their publication and a number of customers are now using them in production. Radiator's HOTP and TOTP support is flexible and highly configurable and works with any OATH compatible hard or soft token. See AuthBy SQLHOTP and AuthBy SQLTOTP modules included in the Radiator distribution. 
Some of the OATH compatible hardware tokens currently available include:
Feitian http://www.ftsafe.com OTP C200, ORP C200, OTP C300 Tokens
Vasco (http://www.casco.com) GO6 (HOTP) Event-based Token

Some of the OATH compatible soft tokens currently available include:
Google Authenticator for iPhone, Android and Blackberry
OATH Token for iPhone
iOATH Token for iPhone
DS3 Oath for iPhone
Pledge Token for iPhone, Android, WindowsMobile, BlackBerry, JavaPhone
Android Token for Android
Mobile-OTP Token for JavaPhones, WindowsMobile, iPhone, Blackberry, Android
iOTP Token for iPhone

The Google Authenticator is particularly recommended, since it supports multiple time and event based soft tokens at the same time, provides for secret key importing through the use of barcodes, and is available on a wide range of devices. And it's free of cost!

The availability of free or inexpensive OATH based soft tokens on ubiquitous devices such as iPhone, driven by the use of open specification One-Time-Password protocols, means that organizations can now deploy highly secure, flexible One-Time-Password systems for much less cost than was previously possible. The days of expensive tokens that must be sourced, stocked and replaced periodically, or which can get lost, broken or have their batteries discharge, along with their expensive authentication software, are now gone. Open System Consultants and Radiator are pleased to be involved in this revolution in secure one-time-password systems.
[RADIATOR] Radiator compatibility with Aloe Systems MVTS Pro VOIP Gateway
We are pleased to announce the completion of interoperation testing between Radiator RADIUS Server and the Aloe Systems MVTS Pro VOIP Gateway. Aloe Systems http://www.aloe-systems.com (until recently called Mera) are vendors of a range of VOIP solutions and devices. The MVTS Pro is a high performance class 4 softswitch with SBC functionality – a carrier-grade solution for VoIP traffic management. MVTS Pro can be configured to use RADIUS at various stages during endpoint connection and VOIP call setup. Radiator now has proven interoperation with the MVTS Pro, allowing you to integrate VOIP endpoint authentication, call authorization and call routing into your RADIUS infrastructure, using your choice of backend database and billing solution. The latest Radiator patch set and future revisions include specific documentation on Radiator configuration to operate with MVTS Pro and samples of the various types of RADIUS requests that MVTS Pro sends.
Re: [RADIATOR] Fwd: [suggestions] draft-mraihi-totp-timebased-06.txt
Hi Steffen, thanks for reporting this. The patch set was missing the new version of TOTP.pm. It has now been added. We apologise for any inconvenience. Cheers.

On Tuesday 26 October 2010 11:36:03 pm Steffen Weinreich wrote:
On 18.10.2010 01:20, Mike McCauley wrote:
The new code is now available in the latest Radiator patch set. Please let me know how you get on with this.

Hi! The corresponding Radius::TOTP is missing in the Patchset:

Tue Oct 26 13:34:24 2010: DEBUG: Handling request with Handler 'Realm=DEFAULT', Identifier ''
Tue Oct 26 13:34:24 2010: DEBUG: Deleting session for steve, 203.63.154.1, 1234
Tue Oct 26 13:34:24 2010: DEBUG: Handling with Radius::AuthGROUP:
Tue Oct 26 13:34:24 2010: DEBUG: Handling with Radius::AuthSQLTOTP: otp c200
Tue Oct 26 13:34:24 2010: DEBUG: Radius::AuthSQLTOTP looks for match with steve [steve]
Tue Oct 26 13:34:24 2010: DEBUG: Query is: 'select secret, active, pin, digits, bad_logins, date_part('epoch',accessed)::int from radius.totpkeys where username='steve' and tokentype = 'otp c200'':
Undefined subroutine Radius::TOTP::totp_timestep called at Radius/AuthSQLTOTP.pm line 191.

cheerio Steve
-- There is an 11th, unwritten Scout law, namely: "A Scout is not a fool." -- Lord Robert Baden-Powell
Re: [RADIATOR] clarification on AuthBy ROUNDROBIN failover
Hello Andrew,

On Wednesday 27 October 2010 01:38:12 am Andrew Clark wrote:
First one I sent to the list must've fallen through the cracks.

I'm seeking some clarification on the failover behavior of AuthBy ROUNDROBIN and how to read the logs when servers are marked dead. I have three hosts in the round-robin pool (via a round-robin DNS host name) and I can see that requests are being distributed correctly to all three. What is unclear is the meaning of the logs when a server is marked out. The three servers are of course at three different IP addresses, but I only see log messages about one of three IP addresses being marked down:

Tue Oct 12 16:14:52 2010: INFO: AuthRADIUS: No reply after 3 retransmissions to 134.84.119.107:1836 for foo (). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
Tue Oct 12 16:14:52 2010: INFO: AuthROUNDROBIN: Retry 1, firstHostTried 0, lastHostTried 0
Tue Oct 12 16:14:52 2010: WARNING: AuthROUNDROBIN: Request was tried for 1 times. All alive server from the RoundRobin list were tried.
Tue Oct 12 16:14:52 2010: INFO: AuthRADIUS could not find a working host to forward to. Ignoring
Tue Oct 12 16:14:53 2010: INFO: AuthRADIUS: No reply after 3 retransmissions to 134.84.119.107:1836 for foo (171). Now have 1 consecutive failures over 0 seconds. Backing off for 300 seconds
Tue Oct 12 16:14:53 2010: INFO: AuthROUNDROBIN: Retry 1, firstHostTried 0, lastHostTried 0

This means there was only one 'non-dead' server left in our list of servers.

Tue Oct 12 16:14:53 2010: WARNING: AuthROUNDROBIN: Request was tried for 1 times. All alive server from the RoundRobin list were tried.

This last message means that there was no reply from any of the 'non-dead' servers it tried, and it ran out of servers to try.

Looks to me like at this stage 2 of the 3 servers had been marked as down (due to no response), and then there was no response from the third. You may want to investigate why all the downstream servers failed to reply.

Hope that helps.

Cheers.
Re: [RADIATOR] ntlm_auth and Active Directory Workstation Restrictions
in the authentication request? Is anyone doing something similar? How were you able to get Active Directory workstation restrictions working with your 802.1x implementation?

--greg

Gregory A. Fuller - CCNA
Network Manager
State University of New York at Oswego
Phone: (315) 312-5750
http://www.oswego.edu/~gfuller
Re: [RADIATOR] restartWrapper patch to help with runaway restarts
Hello David,

thanks for this patch. It has now been added to the latest patch set. Thanks especially for ensuring the help doc was up to date with your new arg too.

Cheers.

On Wednesday 27 October 2010 07:19:35 am David Zych wrote:
restartWrapper is wonderful for protecting against the possibility of a fluke crash, but if something gets legitimately broken that a restart *can't* fix, I don't want to be inundated with email every few seconds. So I have modified restartWrapper to also accept a -min_interval parameter which specifies the minimum time that must elapse between two successive restarts (defaults to zero if not provided). So

restartWrapper -delay 1 -min_interval 300 prog

will restart prog either 1 second after the previous run stopped OR 5 minutes after the previous run started, whichever is later.

The attached patch is against the Radiator 4.7 version of restartWrapper. Hopefully others will find it helpful too.

David
Re: [RADIATOR] Fwd: [suggestions] draft-mraihi-totp-timebased-06.txt
Hello Matthew,

thanks for your note and the response from the TOTP authors.

We find it very disappointing that the authors of the draft RFC 'imply' that some type of replay detection is required but don't actually specify how it is to be done. We fully expected the authors to add details about replay detection to their draft before requesting an RFC. We believe that this is sufficient cause to object to the RFC, and to require that the draft be improved. We think that for guaranteed interoperation between clients and authenticators (and therefore guaranteed correct operation of your system), this should be part of the specification.

Nevertheless, we have added replay detection to AuthBy SQLTOTP, according to our view of how it should be done. This has required an additional column in the sample SQL database schema, and changes to the default AuthSelect and UpdateQuery parameters. The new code is now available in the latest Radiator patch set. Please let me know how you get on with this.

Cheers.

On Monday 18 October 2010 07:14:52 am Matthew Reeves-Hairs wrote:
Hi,

Please see the email below from the authors of the above draft spec. Can you say when this may be included into radiator?

Regards
Matthew

Matthew Reeves-Hairs MBCS (CCNA, CCNP, CCDA)
Director
Willow ICT Limited
13 Willow Close Great Hormead Hertfordshire, SG9 0NW
Mobile: +44 (0)7912 202627
Fax: +44 (0)7092 361501
matthew.reeves-ha...@willowict.com
http://www.willowict.com

Please consider the environment before printing this email. The content of this email and any attachment is private and may be privileged. If you are not the intended recipient, any use, disclosure, copying or forwarding of this email and/or its attachments is unauthorised. If you have received this email in error please notify the sender by email and delete this message and any attachments immediately. Nothing in this email shall bind the Company in any contract or obligation, unless we have specifically agreed to be bound.

Sent from my iPad

Begin forwarded message:
From: Bajaj, Siddharth sba...@verisign.com
Date: 16 October 2010 01:13:02 GMT+01:00
To: matthew.reeves-ha...@willowict.com
Cc: Pei, Mingliang m...@verisign.com, Johan Rydell johan.ryd...@portwise.com, Philip Hoyer pho...@actividentity.com
Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt

Hi Matthew,

First of all let me apologize for not responding to your inquiry sooner. Thanks for pointing out this gap in the TOTP specification. Even though this is not explicitly stated in the document - by definition OTPs or one-time passwords are meant to be used only once. This is also implied in the discussion in the last paragraph of section 5.2 of the I-D. We are hoping that this I-D is approved as an RFC in next couple of months. If we have an opportunity to add explicit clarifying language to address your concern, we will definitely do that. In the interim, you can refer the vendor to my email and the spec authors. We are also launching the OATH certification program that will require any vendor who claims their product to be 'OATH certified' to be compliant with the certification documents.

Thanks,
Siddharth

-Original Message-
From: Jason Thompson [mailto:ja...@jdthompson.com]
Sent: Wednesday, September 22, 2010 4:49 PM
To: Bajaj, Siddharth
Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt

-Original Message-
From: matthew.reeves-ha...@willowict.com
Sent: Monday, September 20, 2010 8:14 AM
To: suggesti...@openauthentication.org
Subject: [suggestions] draft-mraihi-totp-timebased-06.txt

mreeves sent a message using the contact form at http://www.openauthentication.org/contact.

Can you advise if the above mentioned document will be amended to fall in line with the certification document as published on this site?

I have hit a problem where a supplier of a radius system accepts multiple authentications using the same TOTP; they state that they conform to the standard, quoting the above doc, which makes no mention of only allowing a TOTP to be used once, whereas the certification doc specifically mentions this.

Thanks
Matthew Reeves-Hairs

--
This email was Anti Virus checked by Astaro Security Gateway. http://www.astaro.com for Willow ICT Limited http://www.willowict.com
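As an added example (not Radiator's AuthBy SQLTOTP code, which is Perl, and not the column names it actually uses), here is the kind of replay check this thread asks for, in Python: a TOTP verifier whose per-user row carries an assumed extra column, last_timestep, recording the timestep of the last accepted code, so that a code for that timestep or an earlier one is rejected even though its HMAC still matches. The row layout, the helper names and the secret (the RFC 6238 test secret) are constructed for the example.

```python
"""TOTP verification with one-time-use (replay) enforcement.

Added illustration, not Radiator code. The row below mirrors the columns in
the AuthSQLTOTP query seen on the list (secret, active, pin, digits,
bad_logins, accessed) plus an assumed extra column, last_timestep, that
records the last timestep whose code was accepted.
"""
import hashlib
import hmac
import struct

PERIOD = 30  # RFC 6238 default timestep length in seconds


def totp_timestep(unix_time, period=PERIOD):
    """Number of whole periods since the Unix epoch (the TOTP counter T)."""
    return unix_time // period


def hotp_code(secret, counter, digits):
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def verify_totp(row, submitted, now, window=1):
    """Check a submitted code against one user's row; returns (accepted, reason).

    The row is mutated the way an UpdateQuery would change the database:
    last_timestep advances on success, bad_logins counts failures.
    """
    if not row["active"]:
        return False, "token inactive"
    step = totp_timestep(now, PERIOD)
    # Accept the current step and +/- window steps to tolerate clock drift.
    for candidate in range(step - window, step + window + 1):
        expected = hotp_code(row["secret"], candidate, row["digits"])
        if hmac.compare_digest(expected, submitted):
            last = row["last_timestep"]
            # The replay check: a code for a step at or before the last
            # accepted one is a reuse, even though the HMAC matches.
            if last is not None and candidate <= last:
                row["bad_logins"] += 1
                return False, "replay: timestep %d already used" % candidate
            row["last_timestep"] = candidate
            row["accessed"] = now
            row["bad_logins"] = 0
            return True, "accepted at timestep %d" % candidate
    row["bad_logins"] += 1
    return False, "no matching code in window"


def sample_row():
    """Constructed row using the RFC 6238 test secret '12345678901234567890'."""
    return {"secret": b"12345678901234567890", "active": True, "pin": "",
            "digits": 6, "bad_logins": 0, "accessed": None,
            "last_timestep": None}


def demo():
    """Accept a code, reject its reuse, accept a later code; return outcomes."""
    row = sample_row()
    code = hotp_code(row["secret"], totp_timestep(59), 6)  # "287082" per RFC 6238
    first = verify_totp(row, code, now=59)
    replay = verify_totp(row, code, now=61)      # same 30 s step, same code
    later_code = hotp_code(row["secret"], totp_timestep(1111111109), 6)
    later = verify_totp(row, later_code, now=1111111109)
    return first[0], replay[0], later[0], row["bad_logins"]


if __name__ == "__main__":
    print(demo())  # (True, False, True, 0)
```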
Re: [RADIATOR] refresh time on clientlistsql
Hello Alex,

Thanks for the log. Can we pls see a bit more of the log, maybe a few hundred lines before the error. Are you quite sure you don't have a 4.7 patch set installed?

Cheers.

On Thursday 14 October 2010 09:01:09 pm Alexander Hartmaier wrote:
Hi Mike,

the config section

<ClientListSQL>
    DBSource dbi:Oracle:NAC
    DBUsername foo
    DBAuth bar
    ConnectionHook sub { \
        $_[1]->do("ALTER SESSION SET NLS_DATE_FORMAT = '-MM-DD HH24:MI:SS'"); \
        $_[1]->do("ALTER SESSION SET CURRENT_SCHEMA = nacadm"); \
    }
    # store the supportgroup from the CMDB in the OSC-Group-Identifier attribute
    GetClientQuery SELECT device.ipaddr, 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5
    # Reread the client list every hour
    RefreshPeriod 3600
</ClientListSQL>

the error from the level 3 logfile:

Thu Oct 14 12:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr, 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout

--
Best regards, Alex

On Monday, 11.10.2010, 23:27 +0200, Mike McCauley wrote:
Hello Alexander,

On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
Hi Mike,
4.7 rpm, without patches.

OK, so we will need to see the config file and the log file showing the error and what happens before.

Cheers.

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately.
Re: [RADIATOR] ServerHTTP
Hi Todd,

On Thursday 14 October 2010 07:15:51 am Smith, Todd wrote:
The server is x86 32 bit Ubuntu 8.04 LTS running Linux kernel 2.6.24-28-server with Perl version 5.8.8 fully patched from standard Ubuntu sources.

We have tried, but haven't been able to reproduce this problem on that platform (or any other).

Looks like you have your ServerHTTP configured for UseSSL? And that the connection from your browser was an SSL connection.

How and where from did you install the perl Net::SSLeay module? Have you updated or changed your openssl install? What browser were you using?

I think I need to see your complete config file (no secrets).

Cheers.

-Original Message-
From: Mike McCauley [mailto:mi...@open.com.au]
Sent: Wednesday, October 13, 2010 17:07
To: radiator@open.com.au
Cc: Smith, Todd
Subject: Re: [RADIATOR] ServerHTTP

Hello Todd,

That is perl crashing. It's very unusual. What platform, operating system and version of perl are you using?

Cheers.

Confidentiality Note: The information contained in this message may be privileged and confidential. If this e-mail contains protected health information, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited, except as permitted by law. If you have received this communication in error, please notify the sender immediately by replying to this message and deleting it from your computer. Thank you.
Re: [RADIATOR] ServerHTTP
EAPTLS_MaxFragmentSize 1000

# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh

# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# CRL files can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem

# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys

# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
# EAPAnonymous anonym...@some.other.realm

# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0

# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10

# You can control which version of the draft PEAP protocol to honour
# with EAPTLS_PEAPVersion. Defaults to 1. Set it to 0 for unusual clients,
# such as Funk Odyssey Client 2.22 or later.
EAPTLS_PEAPVersion 0
</AuthBy>
</Handler>
tssm...@weiland:/etc/radiator$

-Original Message-
From: Mike McCauley [mailto:mi...@open.com.au]
Sent: Thursday, October 14, 2010 07:27
To: radiator@open.com.au
Cc: Smith, Todd
Subject: Re: [RADIATOR] ServerHTTP
Re: [RADIATOR] ServerHTTP
Hello Todd,

On Thursday 14 October 2010 05:48:10 am Smith, Todd wrote:
Hello Mike,

Wed Oct 13 15:08:18 2010: DEBUG: Stream sysread for 10.2.96.125:2446 failed: Connection reset by peer. Peer probably disconnected.
Wed Oct 13 15:08:18 2010: DEBUG: Stream disconnected from 10.2.96.125:2446
Wed Oct 13 15:08:23 2010: DEBUG: Stream sysread for 10.2.96.125:2447 failed: . Peer probably disconnected.
Wed Oct 13 15:08:23 2010: DEBUG: Stream disconnected from 10.2.96.125:2447
Wed Oct 13 15:08:23 2010: DEBUG: Stream connected to 10.2.96.125:2451
Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS sessionInit for 10.2.96.125
Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: -1, 2, 8720
Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS Server Started for 10.2.96.125:2451
Wed Oct 13 15:08:23 2010: DEBUG: New StreamServer Connection created for 10.2.96.125:2451
Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: -1, 2, 8576
Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: 1, 0, 3
Wed Oct 13 15:08:23 2010: DEBUG: ServerHTTP Connection GET /log
Segmentation fault

That is perl crashing. It's very unusual. What platform, operating system and version of perl are you using?

Cheers.

I was just sitting on the webpage for a few seconds when it posted the above to std_out since I was running Radiator in foreground as well as log_stdout. I haven't changed LogMaxLines so it is sitting at default and after I restarted Radiator with foreground and log_stdout; I was able to view the log without any issues. It was only after just sitting at the page looking at the log that I chose to refresh it with the above result in stdout. Possible Perl issue maybe? I had just installed the latest patches and reran make test and make install and restarted the process and nothing seemed to error or fail during compilation.

If there is a limit to the logfile size, can you limit the size of a logfile being created?

There are no features for rotating/changing log files based on size.

This would seem to be a nice feature request since some other RADIUS servers can do this and some customers might have functionality based around size. It is not a show-stopper for me since as long as I can read the file then it is good enough.

Todd Smith
Re: [RADIATOR] ServerHTTP
Hi Todd,

On Wednesday 13 October 2010 12:12:47 am Smith, Todd wrote:
I am working on replacing some elderly Steel-Belted RADIUS servers with Ubuntu 8.04LTS running Radiator and I am encountering some unusual situations. I don't think that it is a true problem or I would have posted a config and trace but it is somewhat surprising. I expect that you will see plenty of postings from me as I try to understand and work the new servers into our environment.

We will try to help you. I see you have an email support contract. You may wish to use the support alias for prompt, private responses.

Using the ServerHTTP clause, is there a limit to the size of the file that can be viewed under the View Log link? A logfile that is 903K can be read without any issue but a larger file, like a 10MB file, causes the entire perl process to stop. It doesn't produce any core dump or any error message, it just drops out of process space and is not running under ps -ef. If I restart the perl process and radiator, then the ServerHTTP function restarts and I can log back into the website.

View Log shows the last LogMaxLines messages in an internal ring buffer within the Radiator process. It doesn't show the contents of the Radiator log file. The configuration includes the LogMaxLines, defaults to 500. Have you altered that?

In any case, it sounds like your Radiator is crashing. You might consider running it in the foreground, or under restartWrapper, so you can see if there is an error message printed on stdout.

If there is a limit to the logfile size, can you limit the size of a logfile being created?

There are no features for rotating/changing log files based on size.

I am currently rotating the logfile using the date % macros in the LogFile directive but the file grows until the date changes. I am still using Trace level 4 which, as soon as I am comfortable that everything is set up and working correctly, I will reduce back to 0 or 1.

Good idea.

Cheers.

Thank you for your time.

Todd Smith
Re: [RADIATOR] refresh time on clientlistsql
Hello Alexander,

On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
Hi Mike,
4.7 rpm, without patches.

OK, so we will need to see the config file and the log file showing the error and what happens before.

Cheers.
Re: [RADIATOR] refresh time on clientlistsql
Hello Alexander,

A recent patch caused a problem that probably would have affected timeouts in ClientListSQL. A more recent patch has fixed that. What patch level are you at?

Cheers.

On Saturday 09 October 2010 03:24:09 am Alexander Hartmaier wrote:
Hi Hugh,

we started to use the ClientListSQL feature too but get an Oracle SQL timeout error in the logs whenever Radiator tries to refresh the list; it works on startup. Any idea why and how we can debug this?

--
Best regards, Alex

On Wednesday, 22.09.2010, 00:25 +0200, Hugh Irvine wrote:
Hello Alex -

See section 5.7.3 in the Radiator 4.7 reference manual (doc/ref.pdf).

regards
Hugh

On 22 Sep 2010, at 05:01, Martin Burton wrote:
Hi Alex,

You need to make sure that RefreshPeriod is set in your config file. It defaults to 0, which means the SQL query is performed only upon radiusd start or when it's sent a SIGHUP.

<ClientListSQL>
    . . .
    RefreshPeriod 300
    . . .
</ClientListSQL>

would cause the DB to be requeried every 5 minutes for example.

Hope that helps.

Cheers,
Martin.

On 21/09/2010 19:41, Alex Sharaz wrote:
Hi all,

I've got a cluster of radius servers all configured to read NAS clients from a db2 database. I thought that radiator was supposed to periodically refresh its internal list of clients by rereading the database. Yesterday morning I added a number of clients to the database. By 16:00 today the radius servers still hadn't picked up the new clients. A reload caused radiator to reread the client list but it would have been nice to have radiator pick up the new clients automagically.

Anyone else seen problems with refreshing client lists?

Rgds
Alex

--
Martin Burton
Senior Systems Administrator
Special Projects Team
Wellcome Trust Sanger Institute

NB: Have you read the reference manual (doc/ref.html)? Have you searched the mailing list archive (www.open.com.au/archives/radiator)? Have you had a quick look on Google (www.google.com)? Have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?
Re: [RADIATOR] SqlDb Patch 1.39 breaks on AuthSQLTOTP and AuthSQLHOTP
Hello Steffen,

thanks for reporting this. There was indeed a problem with the initialisation of those modules, which we have fixed in the latest patch set. We apologise for any inconvenience.

Cheers.

On Thursday 07 October 2010 09:50:20 pm Steffen Weinreich wrote:
Hi!

Today I have downloaded the latest patchset to play with AuthSQLTOTP and AuthSQLHOTP and had some headaches because all SQL queries in these modules fail with

Thu Oct 7 11:27:13 2010: DEBUG: Query is: 'select secret, counter_high, counter_low, active, pin, digits, bad_logins, unix_timestamp(accessed) from hotpkeys where username='mikem'':
Thu Oct 7 11:27:13 2010: DEBUG: Radius::AuthSQLHOTP IGNORE: Database failure: mikem [mikem]

After doing some debugging on this, I saw that in SqlDb.pm the variable $self->{SQLRetries} does not get initialized in the context of AuthSQLTOTP and AuthSQLHOTP. According to the diffs between the Release 4.7 and the patchset this variable has been added between 1.37 and 1.39 of SqlDb.pm. I think there are some calls to the SqlDb.pm initializing missing in (at least) AuthSQLTOTP and AuthSQLHOTP.

cheerio
Steve

--
Standing still is useless. It is one thing or the other, either progress or decline. -- Lord Robert Baden-Powell
Re: [RADIATOR] bind address LDAP queries
Hello Roel,

thanks for the suggestion. We have now updated Ldap.pm with support for BindAddress in all Ldap derived clauses, allowing you to specify a local address for the client side of the LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 0.0.0.0. The change is now in the latest patch set.

Hope that helps.

Cheers.

On Tuesday 05 October 2010 10:34:56 pm Roel Hoek wrote:

Hi, We are in the process of transferring our radius services onto new hardware. On the old platform (SuSe with Radiator 3.17.1) the source address for LDAP queries to an external host is the first bind address listed in the 'BindAddress' in the config file, and this is the primary address of the host. On the new system (Ubuntu) Radiator (4.7) doesn't use a source address listed in 'BindAddress' in the config file for LDAP queries. In this case the source address is the last defined secondary address on the host. So I think it was just a coincidence that the source address for LDAP queries is listed in the config file? How does Radiator select a source address for LDAP queries? Is it possible to define it within the config? It is important for us that the source address is fixed because of firewall settings. Attributes LocalAddress or BindAddress are not supported within an AuthBy LDAP2 clause.

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] accessing ntlm_auth Authentication-Error attribute
Hi David,

thanks for raising this issue. We have now updated AuthBy NTLM so that if an authentication fails, the Warning log message records the user name along with the Authentication-Error. This fix is now in the latest patch set.

As for getting the error message text into the reply message, that would take some considerable modification of the code, which of course you may do if you wish.

Thanks again for the suggestions.

Cheers.

On Wednesday 06 October 2010 10:23:36 am David Zych wrote:

Hi, I'm using AuthBy NTLM to authenticate Active Directory users from a linux Radiator instance. When an authentication fails, ntlm_auth seems to give a useful error message in the Authentication-Error attribute which would be helpful for distinguishing different types of problems. This attribute is clearly visible both in the DEBUG output and in a WARNING log message that is generated by the module, but I can't figure out how to reference it afterward to do other things with it (such as include it in my AuthLog FailureFormat, store it in a database where it can assist our help desk in troubleshooting, return it as the reject reason, etc). Is there any way to get at this value short of modifying the module?

Below are sample debug output snippets from two failed ntlm_auth login attempts. In both cases the AuthBy NTLM reject reason is simply "AuthBy NTLM Password check failed" which is not nearly as helpful in troubleshooting as the Authentication-Error message ("Wrong Password" vs "No such user") would be. Note also that unfortunately the WARNING message doesn't include the username, so even that wouldn't be terribly helpful in a production environment with lots of requests.

Tue Oct 5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute LANMAN-Challenge: 551ad887cef366ce
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute NT-Response: ef76db2128d03a9789133c333175ac5aaad6acedd8c17f44
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct 5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
Tue Oct 5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct 5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct 5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
Tue Oct 5 18:55:09 2010: DEBUG: Received attribute: .
Tue Oct 5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
Tue Oct 5 18:55:09 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: dmrz [dmrz]
Tue Oct 5 18:55:09 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct 5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed

vs

Tue Oct 5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute LANMAN-Challenge: f706118f18863992
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute NT-Response: 3667e0f1e6a08365d587d54f8a7889357f36e94da008e8cf
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
Tue Oct 5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
Tue Oct 5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct 5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
Tue Oct 5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
Tue Oct 5 18:55:38 2010: DEBUG: Received attribute: .
Tue Oct 5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
Tue Oct 5 18:55:38 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: bogususer [bogususer]
Tue Oct 5 18:55:38 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
Tue Oct 5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed

Thanks, David

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
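The "Passing attribute" and "Received attribute" lines David quotes are the line protocol Radiator speaks to Samba's ntlm_auth helper: one "Name: value" per line, a "Name::" form whose value is base64 (VUlVQw== and ZG1yeg== above decode to UIUC and dmrz), and a lone "." closing each message. The following is an added example in Python, not Radiator's AuthBy NTLM code, that builds such a request, parses the reply, and composes a reject reason carrying both the user name and the Authentication-Error text David asked for. The failure replies are constructed from the log lines above, the success reply's session keys are made-up values, and the reject_reason() wording is this example's own, not Radiator's.

```python
"""Speak the ntlm_auth "ntlm-server-1" style helper line protocol.

Added example, not Radiator's AuthBy NTLM code. The message format is
taken from the debug output above: "Name: value" per line, "Name::" for
base64-encoded values, and a lone "." terminating each message.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, Optional


def build_request(username: str, domain: str,
                  lanman_challenge: bytes, nt_response: bytes) -> str:
    """Request for a challenge/response check, as the server sends it.
    User name and domain go base64-encoded under the '::' form, which
    keeps spaces, colons or non-ASCII characters from breaking the
    line-oriented protocol."""
    lines = [
        "Request-User-Session-Key: Yes",
        "Request-LanMan-Session-Key: Yes",
        "LANMAN-Challenge: " + lanman_challenge.hex(),
        "NT-Response: " + nt_response.hex(),
        "NT-Domain:: " + base64.b64encode(domain.encode("utf-8")).decode("ascii"),
        "Username:: " + base64.b64encode(username.encode("utf-8")).decode("ascii"),
        ".",
    ]
    return "\n".join(lines) + "\n"


@dataclass
class NtlmResult:
    authenticated: bool = False
    error: Optional[str] = None          # Authentication-Error text, if any
    attrs: Dict[str, str] = field(default_factory=dict)


def parse_response(text: str) -> NtlmResult:
    """Parse one helper reply up to its terminating '.'."""
    result = NtlmResult()
    for raw in text.splitlines():
        line = raw.rstrip("\r")
        if line == ".":
            break                        # end of this message
        if not line:
            continue
        if ":: " in line:                # base64-encoded value
            name, value = line.split(":: ", 1)
            value = base64.b64decode(value).decode("utf-8", "replace")
        elif ": " in line:
            name, value = line.split(": ", 1)
        else:
            raise ValueError("malformed helper line: %r" % raw)
        result.attrs[name] = value
    result.authenticated = result.attrs.get("Authenticated") == "Yes"
    result.error = result.attrs.get("Authentication-Error")
    return result


def reject_reason(result: NtlmResult, username: str) -> str:
    """Reject text carrying both the user and the helper's error, so a
    help desk can tell 'Wrong Password' from 'No such user'."""
    detail = result.error or "no Authentication-Error returned"
    return "AuthBy NTLM Password check failed: %s (%s)" % (detail, username)


# Constructed replies, modelled on the two failed attempts logged above
# plus a successful one (session key values are made up).
SAMPLE_WRONG_PASSWORD = "Authenticated: No\nAuthentication-Error: Wrong Password\n.\n"
SAMPLE_NO_SUCH_USER = "Authenticated: No\nAuthentication-Error: No such user\n.\n"
SAMPLE_OK = ("Authenticated: Yes\n"
             "LANMAN-Session-Key: 0011223344556677\n"
             "User-Session-Key: 00112233445566778899AABBCCDDEEFF\n.\n")

if __name__ == "__main__":
    print(build_request("dmrz", "UIUC", bytes.fromhex("551ad887cef366ce"), bytes(24)))
    for sample in (SAMPLE_WRONG_PASSWORD, SAMPLE_NO_SUCH_USER, SAMPLE_OK):
        r = parse_response(sample)
        print("authenticated" if r.authenticated else reject_reason(r, "dmrz"))
```

Because the reply is parsed into a plain dictionary, anything in it (the error text, the session keys) is available to whatever logs or stores the result, which is the hook point David was looking for.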
Re: [RADIATOR] Authby LSA and groups not working (redux)
Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:

No, I'm running it on a member server. Our AD administrators are very reluctant to run applications on PDC's and BDC's. I can ask but I don't think I will get permission. Will it work on a BDC? If not, do I have any other options? Currently I'm using Radiator to proxy 802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN attributes. I was kind of hoping to eliminate SBR in part to simplify support for Eduroam.

Tests here show that it works OK on any domain member provided that the user who is running the script is logged in to the domain.

Cheers.

Thanks. -Neil

-- Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail: neil-john...@uiowa.edu

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Mike McCauley
Sent: Wednesday, September 29, 2010 9:22 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)

Hello Neil, tests here show that your script (suitably modified) works provided you run it on the PDC as the administrator. Is that how you are testing? Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:

I whipped up a script based on what I could find in the source code to test group membership and it doesn't seem to matter if the group is local or global, it can't find it:

#!c:\perl64\bin\perl.exe
use strict;
use warnings;
use Win32::NetAdmin;

my $User   = 'nmjoo';
my $Group  = 'ITS-WIRELESS';
my $Domain = 'IOWA';
my $Server = '';

print "Getting Domain Controller\n";
# Ask the local machine for a DC of $Domain; the name comes back in $Server
Win32::NetAdmin::GetDomainController('', $Domain, $Server);
print "Domain Controller for Domain $Domain is $Server\n";

print "Checking to see if user: $User is member of Group: $Group\n";
# Try the group as a global (domain) group first, then as a local group on the DC
if (Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
    || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
    print "$User is Member of group $Group\n";
} else {
    print "$User is not Member of group $Group\n";
}

Output:

C:\Program Files\Radiator>test2.pl
Getting Domain Controller
Domain Controller for Domain IOWA is \\IOWADC1
Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
nmjoo is not Member of group ITS-WIRELESS
C:\Program Files\Radiator>

-- Neil Johnson Network Engineer Information Technology Services The University of Iowa

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] Authby LSA and groups not working (redux)
Hello Neil,

tests here show that your script (suitably modified) works provided you run it on the PDC as the administrator. Is that how you are testing?

Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:

I whipped up a script based on what I could find in the source code to test group membership and it doesn't seem to matter if the group is local or global, it can't find it:

#!c:\perl64\bin\perl.exe
use strict;
use warnings;
use Win32::NetAdmin;

my $User   = 'nmjoo';
my $Group  = 'ITS-WIRELESS';
my $Domain = 'IOWA';
my $Server = '';

print "Getting Domain Controller\n";
# Ask the local machine for a DC of $Domain; the name comes back in $Server
Win32::NetAdmin::GetDomainController('', $Domain, $Server);
print "Domain Controller for Domain $Domain is $Server\n";

print "Checking to see if user: $User is member of Group: $Group\n";
# Try the group as a global (domain) group first, then as a local group on the DC
if (Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
    || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
    print "$User is Member of group $Group\n";
} else {
    print "$User is not Member of group $Group\n";
}

Output:

C:\Program Files\Radiator>test2.pl
Getting Domain Controller
Domain Controller for Domain IOWA is \\IOWADC1
Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
nmjoo is not Member of group ITS-WIRELESS
C:\Program Files\Radiator>

-- Neil Johnson Network Engineer Information Technology Services The University of Iowa Work: 319 384-0938 Mobile: 319 540-2081 Fax: 319 355-2618 E-mail: neil-john...@uiowa.edu

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] Issues with AuthbyNTLM (LONG)
Hi All,

Yes, that looks like exactly the same problem. Good to see it will be fixed in the next 3.4 release, and that there is a patch available from Samba.

Cheers.

On Saturday 25 September 2010 07:03:25 pm Klara Mall wrote:

Hi all,

On 09/22/2010 11:44 PM, Mike McCauley wrote: we have also seen some similar behaviour to that reported by Heikki, ie where ntlm_auth intermittently returns an incorrect User-Session-Key. Restarting Samba would cause it to work correctly for a while, and then it would start to send the wrong results again. Downgrading Samba and reporting the issue to the Samba team may be the best solution.

Same behaviour for me (still using winbind from Debian etch here for this reason), but I did not know that the User-Session-Key is the problem. But now I found the issue is reported and probably recently even resolved (see from comment 41): https://bugzilla.samba.org/show_bug.cgi?id=6563

Regards Klara

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] Issues with AuthbyNTLM (LONG)
:59 2010: DEBUG: Handling request with Handler '', Identifier ''
Wed Sep 22 12:05:59 2010: DEBUG: Deleting session for anonymous, 10.2.96.19, 16973824
Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 8, 67, 26
Wed Sep 22 12:05:59 2010: DEBUG: Response type 26
Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM looks for match with CAMC\tssmith [anonymous]
Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM ACCEPT: : CAMC\tssmith [anonymous]
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute LANMAN-Challenge: 179b1eda2032ef41
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Response: daeba61f0a85e54146443ce2dd87bd62e571a30bf82d2204
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Domain:: Q0FNQw==
Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Username:: dHNzbWl0aA==
Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: Authenticated: Yes
Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: LANMAN-Session-Key: 55FC5F8DFAA3A58D
Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: User-Session-Key: B48DFF252D4FAB7CBEA3207E1A5C51BE

Everything looks good so far. ntlm_auth gets a success back from the Windows server and also the User-Session-Key it requested. If I have understood correctly the User-Session-Key should be an MD4 hash of the NT hash that the Windows server stores. In other words md4(md4(asciitounicode(password))), which with plain 7-bit ASCII is simply md4(md4(password)).

The broken ntlm_auth does not return this double hash of the password, but instead some other value. This value causes an incorrect authenticator response to be calculated and makes the client think that the server does not know the real password hash. In other words the server authentication to the client fails.

What happens is that the client ends the authentication and no reply is ever received until a new try is initiated by the client. Just like below, the last message is the message to the client.

Looking at the Radiator goodies directory, the simplest method to generate the User-Session-Key from a known password is this:

% perl goodies/nthash.pl password
{nthash}8846F7EAEE8FB117AD06BDD830B7586C
% perl goodies/nthash.pl 8846F7EAEE8FB117AD06BDD830B7586C
{nthash}0204D0612AF59BDABC236E5195648836

The hex string 0204D0612AF59BDABC236E5195648836 is the User-Session-Key for the password 'password'.

Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: .
Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for anonymous: EAP MSCHAP V2 Challenge: Success
Wed Sep 22 12:05:59 2010: DEBUG: Returned PEAP tunnelled packet dump:
Code: Access-Challenge
Identifier: UNDEF
Authentic: 232180135ho231169169102154199184149I
Attributes:
EAP-Message = 190=263808S=AD59BE8E0A96165332AEEBF926A4002E20868CDB M=success
Message-Authenticator =
Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP PEAP inner authentication redispatched to a Handler
Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP PEAP inner authentication redispatched to a Handler
Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for CAMC\tssmith: EAP PEAP inner authentication redispatched to a Handler
Wed Sep 22 12:05:59 2010: DEBUG: Packet dump:
*** Sending to 10.2.96.19 port
Code: Access-Challenge
Identifier: 45
Authentic: 1552161732212245196238211w\24174m2453
Attributes:
EAP-Message = 190T25023310I10160227173198N190HO14186 171197251Z154195g232147254#2381297x^6'S\134A`qL203 2531428p190232%M224w148215176170UW221931686147 252492557313722192193190M202236153[
Message-Authenticator =
^C

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
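The derivation described above, carried through in code: this is an added example in Python, not Radiator's, Samba's or nthash.pl's code. It computes the NT hash (MD4 over the UTF-16LE password, the {nthash} value shown above), then HashNtPasswordHash as defined in RFC 2759 and RFC 3079 (MD4 over the raw 16 hash bytes, which is the User-Session-Key a correct ntlm_auth returns), and finally the RFC 2759 GenerateAuthenticatorResponse that yields the "S=..." string visible in the EAP-Message of the Success packet above. Running it shows why a wrong User-Session-Key makes the client give up: the S= value the server sends no longer matches what the client computes from its own password. MD4 is implemented inline because OpenSSL-backed hashlib builds often have it disabled as a legacy algorithm. The challenges, user name and NT-Response in demo() are constructed inputs, not the values from the captured exchange.

```python
"""MS-CHAPv2 server-side values derived from the User-Session-Key.

Added example, not Radiator's or Samba's code. MD4 follows RFC 1320;
SHA-1 comes from hashlib. Inputs in demo() are constructed.
"""
import hashlib
import struct

_MASK = 0xFFFFFFFF

# Round function, additive constant, message-word order and shift amounts
# for the three MD4 rounds, as listed in RFC 1320 section 3.4.
_ROUNDS = (
    (lambda x, y, z: (x & y) | (~x & z), 0x00000000,
     tuple(range(16)), (3, 7, 11, 19)),
    (lambda x, y, z: (x & y) | (x & z) | (y & z), 0x5A827999,
     (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15), (3, 5, 9, 13)),
    (lambda x, y, z: x ^ y ^ z, 0x6ED9EBA1,
     (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15), (3, 9, 11, 15)),
)


def _rol(v: int, s: int) -> int:
    return ((v << s) | (v >> (32 - s))) & _MASK


def md4(data: bytes) -> bytes:
    """MD4 digest of data (RFC 1320)."""
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    # Pad: 0x80, zeros up to 56 mod 64, then the bit length as 64-bit LE.
    padded = (data + b"\x80" + b"\x00" * ((55 - len(data)) % 64)
              + struct.pack("<Q", len(data) * 8))
    for off in range(0, len(padded), 64):
        x = struct.unpack("<16I", padded[off:off + 64])
        v = list(state)
        for fn, k, order, shifts in _ROUNDS:
            for i, word in enumerate(order):
                j = (-i) % 4  # update a, d, c, b in turn
                p, q, r = v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4]
                v[j] = _rol((v[j] + fn(p, q, r) + x[word] + k) & _MASK,
                            shifts[i % 4])
        state = [(s + t) & _MASK for s, t in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT password hash: MD4 over the UTF-16LE password (nthash.pl's {nthash})."""
    return md4(password.encode("utf-16-le"))


def user_session_key(password: str) -> bytes:
    """HashNtPasswordHash (RFC 2759 / RFC 3079): MD4 over the raw 16-byte
    NT hash. A working ntlm_auth hands this back as User-Session-Key."""
    return md4(nt_hash(password))


MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, username: bytes) -> bytes:
    """ChallengeHash() from RFC 2759: first 8 bytes of SHA-1 over
    PeerChallenge | AuthenticatorChallenge | UserName."""
    return hashlib.sha1(peer_challenge + auth_challenge + username).digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, auth_challenge: bytes,
                           username: bytes) -> str:
    """GenerateAuthenticatorResponse() from RFC 2759 section 8.7: the
    'S=<40 hex digits>' string carried in the MS-CHAPv2 Success packet."""
    digest = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    chal = challenge_hash(peer_challenge, auth_challenge, username)
    digest = hashlib.sha1(digest + chal + MAGIC2).digest()
    return "S=" + digest.hex().upper()


def demo():
    """Return the S= value for the right session key and for a wrong one.
    The client recomputes S= from its own password hash and compares, so
    the wrong key makes server authentication fail on the client side."""
    peer_challenge = bytes(range(16))          # constructed
    auth_challenge = bytes(range(16, 32))      # constructed
    nt_response = bytes(range(24))             # constructed, not verified here
    username = b"tssmith"
    good = authenticator_response(user_session_key("password"), nt_response,
                                  peer_challenge, auth_challenge, username)
    wrong_key = bytes(16)                      # what a broken helper might return
    bad = authenticator_response(wrong_key, nt_response,
                                 peer_challenge, auth_challenge, username)
    return good, bad


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex().upper())
    print("User-Session-Key     :", user_session_key("password").hex().upper())
    good, bad = demo()
    print("correct key ->", good)
    print("wrong key   ->", bad)
```

The first print reproduces the 8846F7EAEE8FB117AD06BDD830B7586C shown for nthash.pl above; the second is MD4 over those raw bytes, which is what the RFCs specify for the session key and what the authenticator response is built from.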
Re: [RADIATOR] TLS/TTLS
Hello Leigh,

On Tuesday 21 September 2010 08:39:26 am Leigh Porter wrote:

Hi All, Does anybody know of any TLS/TTLS crypto accelerator cards that can be used with Radiator? I assume that anything that supports the crypto you are using and OpenSSL would be usable?

I personally know that the Sun crypto cards work (on Sun platforms) with OpenSSL and with Radiator. Radiator's TLS code initialises any hardware acceleration that might be available to OpenSSL, so I would expect it to work with any crypto card that OpenSSL supports.

Cheers.

Has anybody tried this?

-- Leigh Porter

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] TOTP config ERRORS
is happening?

-- Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows, MacOS X. Includes support for reliable RADIUS transport (RadSec), and DIAMETER translation agent. - Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence. - CATool: Private Certificate Authority for Unix and Unix-like systems.

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
Re: [RADIATOR] incorrect doc in 5.7.2 GetClientQuery?
Hello Alexander,

Thanks for reporting this.

On Tuesday 07 September 2010 06:56:12 pm Alexander Hartmaier wrote:

The 4.7 ref manual says on page 46: "A comma-separated list of flag names as field 25"

But the code says:

$client->set('ClientHook', $self->file_substitution($row[25])) if defined $row[25]; # Make sure it gets compiled

and:

# Contributed by Tony B to...@go-concepts.com
# Last row can be a comma separated list of flag names
map $client->{$_}++, split(/,/, $row[25]);

Is the 25th field the ClientHook or something else? What are those 'flags' for?

There were 2 problems here: an error in the doc and an error in the code. The correct case is:

Field 25 is ClientHook
Field 27 is flags

From the new doc: "A comma-separated list of flag names as field 27. Each comma separated name in the field will be used to set a Client flag type parameter. For example if field 27 has the value: IgnoreAcctSignature,UseOldAscendPasswords,StatusServerShowClientDetails, it will set the IgnoreAcctSignature, UseOldAscendPasswords and StatusServerShowClientDetails flag parameters in the resulting Client."

The fixed code is in the latest patch set, and the fixed doc will appear in the next release.

Thanks again.

Cheers.

-- Alexander Hartmaier alexander.hartma...@t-systems.at T-Systems Austria GesmbH

-- Mike McCauley mi...@open.com.au Open System Consultants Pty. Ltd
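The field layout the reply settles on, applied in an added Python example that is not Radiator's ClientListSQL code: the ClientHook source is read from field 25 and the comma-separated flag names from field 27, with each name checked against a whitelist before it is set. The whitelist is an assumption that lists only the three flags the reply names; a real deployment would list every flag parameter a Client clause accepts. The check matters because the quoted `map $client->{$_}++, split(/,/, $row[25])` form sets whatever key appears in the column, so a typo or a stale value is applied silently instead of being reported. Field 26 is not described on this page and is left alone.

```python
"""Build Client parameters from a GetClientQuery result row.

Added example, not Radiator's ClientListSQL code. Field positions follow
the corrected layout from the reply above (ClientHook in field 25, flag
names in field 27). KNOWN_FLAGS is an assumption holding only the three
flags the reply names.
"""
from typing import Dict, Optional, Sequence

KNOWN_FLAGS = frozenset({
    "IgnoreAcctSignature",
    "UseOldAscendPasswords",
    "StatusServerShowClientDetails",
})

CLIENT_HOOK_FIELD = 25
FLAGS_FIELD = 27


def parse_flags(column: Optional[str], known=KNOWN_FLAGS) -> Dict[str, int]:
    """Turn 'A,B,C' into {'A': 1, 'B': 1, 'C': 1}.

    Names are trimmed and empty entries skipped, so 'A, B,' is accepted.
    A name outside the whitelist raises instead of being set blindly.
    """
    flags: Dict[str, int] = {}
    if not column:
        return flags
    for raw in column.split(","):
        name = raw.strip()
        if not name:
            continue
        if name not in known:
            raise ValueError("unknown Client flag %r in flags column" % name)
        flags[name] = 1
    return flags


def client_from_row(row: Sequence[Optional[str]]) -> Dict[str, object]:
    """Apply the two trailing columns of a GetClientQuery row.

    Earlier columns (address, secret, ...) are not modelled here. Short
    rows from a query that selects fewer columns simply set nothing.
    """
    client: Dict[str, object] = {}
    if len(row) > CLIENT_HOOK_FIELD and row[CLIENT_HOOK_FIELD] is not None:
        client["ClientHook"] = row[CLIENT_HOOK_FIELD]
    if len(row) > FLAGS_FIELD:
        client.update(parse_flags(row[FLAGS_FIELD]))
    return client


if __name__ == "__main__":
    # Constructed row: 25 unmodelled columns, then hook, field 26, flags.
    sample = [None] * 25 + ["sub { return 1; }", None,
                            "IgnoreAcctSignature, UseOldAscendPasswords"]
    print(client_from_row(sample))
```

With the whitelist in place, a row carrying a misspelt flag name fails the load loudly, which is the behaviour an operator wants when the flag in question changes how accounting signatures are checked.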