Re: [RADIATOR] radiator.service/radiator@.service enhancement

2022-02-10 Thread Alexander.Hartmaier
Will this make it into both service files of the tarball and distro packages? Thanks, Alex T-SYSTEMS AUSTRIA GESMBH PU Cyber Security Network Architecture Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057 4320 (phone) +43 676 8642 4320 (mobile) E-mail:

Re: [RADIATOR] radiator requires systemd?

2021-12-02 Thread Alexander.Hartmaier
FYI Debian without systemd is available as Devuan. T-SYSTEMS AUSTRIA GESMBH PU Cyber Security Network Architecture Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057 4320 (phone) +43 676 8642 4320 (mobile) E-mail: alexander.hartma...@t-systems.com Internet: www.t-systems.at

Re: [RADIATOR] Radius Certificate - Self Signed?

2021-11-25 Thread Alexander.Hartmaier
This Wiki entry is a great source of information in one place! Thank you very much! T-SYSTEMS AUSTRIA GESMBH PU Cyber Security Network Architecture Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057 4320 (phone) +43 676 8642 4320 (mobile) E-mail:

Re: [RADIATOR] AuthBy DUO issue

2021-08-19 Thread Alexander.Hartmaier
Hello Alfred, how would the reverse proxy help? Just by ensuring that there is always (as long as the reverse proxy works) a response to the https request? Thanks, Alex T-SYSTEMS AUSTRIA GESMBH PU Cyber Security Network Architecture Operation Manager Authentication Rennweg 97-99, A-1030

Re: [RADIATOR] AuthBy DUO issue

2021-08-16 Thread Alexander.Hartmaier
Hi, that sounds like a sane solution. A simpler one might be to mark Duo dead for a configurable number of seconds after which it's marked as alive again without a check. The next authentication would then either work or again trigger marking it as dead. Thanks, Alex T-SYSTEMS AUSTRIA GESMBH PU

Re: [RADIATOR] AuthBy DUO issue

2021-07-13 Thread Alexander.Hartmaier
Hi Heikki, thanks for the new version, we'll look into deploying it. We've encountered another issue today: when CheckTimerInterval is configured to 0, to disable the periodic DUO API check which fills our log and generates unnecessary traffic and load, the API never recovers when marked as

Re: [RADIATOR] AuthBy DUO issue

2021-06-01 Thread Alexander.Hartmaier
Hi Heikki, today at noon I had the chance to reenable Cisco Duo and set TLS to v1.2. So far it looks good, I saw other authentication requests getting processed while AuthBy DUO waited for a user response. I haven't grasped so far how TLSv1.3 could cause this bug? If I understood it correctly,

Re: [RADIATOR] AuthBy DUO issue

2021-05-28 Thread Alexander.Hartmaier
Good morning Heikki, awesome support from you as always, thank you!!! I saw that the connection to Duo is TLS 1.3 in the packet captures I've taken. Will try your suggestion and report back. Best regards, Alex T-SYSTEMS AUSTRIA GESMBH PU Cyber Security Network Architecture Operation Manager

Re: [RADIATOR] AuthBy DUO issue

2021-05-27 Thread Alexander.Hartmaier
I've tracked down the issue to the poke call at the beginning of checkForResponses which doesn't return for half a minute sometimes: Thu May 27 11:24:19 2021: DEBUG: before poke Thu May 27 11:24:19 2021: DEBUG: after poke Thu May 27 11:24:19 2021: DEBUG: after while

[RADIATOR] AuthBy DUO issue

2021-05-27 Thread Alexander.Hartmaier
Hi, today we experienced an issue where two handlers using AuthBy DUO blocked a whole radiator instance. It seems to be triggered when a user doesn't respond to the push notification. As Radiator is using HTTP::Async this shouldn't happen. A packet capture of the Duo https api calls and level 5

Re: [RADIATOR] ERR: AuthLDAP2 Could not open LDAP connection to AD domain controllers

2021-01-18 Thread Alexander.Hartmaier
Hi Pat, 3269 is Global Catalog over TLS, changing that to 636 will change the behaviour as you need a BaseDN and won't be able to authenticate users of trusted domains any more, so don't do that. Instead raise the Radiator log level or do a packet capture and look at it in Wireshark to see what

Re: [RADIATOR] "IgnoreIfMissing" required?

2019-08-27 Thread Alexander.Hartmaier
Hi Heikki, you mean Christian? My idea was to add an IgnoreIfMissing to all AuthBys and configure AuthByPolicy ContinueWhileIgnore. Best regards, Alex T-SYSTEMS AUSTRIA GESMBH TCO Local Network Factory Alexander Hartmaier Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057

Re: [RADIATOR] "IgnoreIfMissing" required?

2019-08-22 Thread Alexander.Hartmaier
Hi Heikki, thanks for the pointers! Are you planning to add an easily configurable support for such a scenario? Thanks, Alex T-SYSTEMS AUSTRIA GESMBH TCO Local Network Factory Alexander Hartmaier Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057 4320 (phone) +43 676 8642

Re: [RADIATOR] radspool

2019-01-23 Thread Alexander.Hartmaier
Hi, we write the accounting logs into a single file in json format and forward this using Elastic Filebeat. Best regards, Alex T-SYSTEMS AUSTRIA GESMBH TCO Local Network Factory Alexander Hartmaier Operation Manager Authentication Rennweg 97-99, A-1030 Vienna +43 57057 4320 (phone) +43 676

Re: [RADIATOR] tacacs_client_identifier hook not working in 4.21

2018-10-09 Thread Alexander.Hartmaier
Hi Heikki, I've found a workaround that I like more than using a hook: just fill the OSC-Client-Identifier attribute in the ClientListSQL query. Do you see any downsides of doing it this way? Thanks, Alex T-SYSTEMS AUSTRIA GESMBH TCO Local Network Factory Alexander Hartmaier Operation Manager

[RADIATOR] tacacs_client_identifier hook not working in 4.21

2018-10-08 Thread Alexander.Hartmaier
We've installed new AAA servers and upgraded Radiator from 4.13 to 4.21 too. On the new servers the OSC-Client-Identifier isn't populated by the PreHandlerHook named 'tacacs_client_identifier' from goodies/hooks.txt. I've checked and its code hasn't changed. We've applied the latest patches