Re: [RADIATOR] Question about TACACS group assignment based on AD groups

2016-09-07 Thread Hugh Irvine

Hello Daniel -

You can use Identifiers in your Client clauses to indicate what sort of device 
they are, then use those identifiers in your Handlers.

Something like this:

……


Identifier Firewall
…..



Identifier Firewall
…..



Identifier Switch
…..



Identifier Switch
…..


…..


AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForFirewall
AuthBy CheckFullAccessForFirewall



AuthByPolicy ContinueUntilAccept
AuthBy CheckReadOnlyAccessForSwitch
AuthBy CheckFullAccessForSwitch



hope that helps

regards

Hugh



> On 7 Sep 2016, at 23:28, daniel.herrm...@zv.fraunhofer.de wrote:
> 
> Hi all,
> 
> I want to use Radiator both for RADIUS and for TACACS for Cisco devices, 
> including command level authorization. Based on some posts on this list I got 
> both the active directory and the TACACS server module up and running, but 
> struggle with the configuration of both.
> 
> If I understand correctly, the TACACS module simply converts the TACACS 
> authentication requests to radius requests and passes them to Radiator for 
> ordinary execution. Authorization requests are handled within the TACACS 
> module.
> 
> My configuration currently looks as follows:
> 
> --- begin ---
> 
> # (the <AuthBy LDAP2>, <ServerTACACSPLUS> and <Handler> tags below are
> # reconstructed: the archive copy lost them, and with them the
> # Handler's check items)
> <AuthBy LDAP2>
> # Define DC to connect to 
> Host dc-b.ad.x.com
> 
> # Identifier to use this AuthBy Clause later
> Identifier AuthByAD
> 
> # Administrative user used to perform LDAP queries
> AuthDN cn=Administrator,cn=Users,DC=ad,DC=x,DC=xxx,DC=de
> AuthPassword
> 
> # Where to search for users
> BaseDN  OU= User,DC=ad,DC=xxx,DC=xxx,DC=de
> ServerChecksPassword
> 
> # Add Check for group membership
> AuthAttrDef memberOf, ADGroup, check
> 
> # Reply should include the group names for further processing
> AuthAttrDef memberOf, ADGroups, reply
> 
> # There will be no default User
> NoDefault
> 
> # LDAP attribute to check the UserName on
> UsernameAttr sAMAccountName
> </AuthBy>
> 
> <ServerTACACSPLUS>
> Port 49
> AddToRequest NAS-Identifier=TACACS
> GroupMemberAttr tacacsgroup
> 
> AuthorizeGroup network_ro deny service=shell cmd=show cmd-arg=tech-support
> AuthorizeGroup network_ro permit service=shell cmd=show cmd-arg=.*
> AuthorizeGroup network_ro deny .*
> 
> # This is for authorized users for full access. Place in lvl 15 
> # immediately, no restrictions apply
> AuthorizeGroup full_access permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup full_access permit .*
> 
> # Default deny to prevent accidents when something is misconfigured
> AuthorizeGroup DEFAULT deny .*
> </ServerTACACSPLUS>
> 
> # Include client definition
> include %D/radius-clients.cfg
> # Include Active Directory AuthBy Handler
> include %D/authby-ad.cfg
> # Include configuration for the built-in TACACS server
> include %D/tacacs.cfg
> 
> # TACACS Handler
> <Handler>
> AddToRequest ADGroup="CN=netadmin,C=ad,DC=,DC=,DC=de"
> AuthBy AuthByAD
> 
> # Try read-only access
> # AddToRequest ADGroup="CN=netadmin-readonly,C=ad,DC=,DC=xxx,DC=de"
> # AuthBy AuthByAD
> </Handler>
> 
> --- end ---
> 
> My problem now is how to tie both clues together in the handler. Ideally I 
> would also like to distinguish based on the TACACS client which is asking. If 
> it is a firewall (IPs known), then use command sets full_access_fw and 
> firewall_ro based on AD groups.
> 
> Basically I need something like this:
> 
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security, return request with tacacsgroup=full_access_fw
> - Switch is TACACS client, and the user is member of group netadmin, 
> return request with tacacsgroup=full_access
> - Firewall is TACACS client, and the user is member of group 
> netadmin-security-ro, return request with tacacsgroup=firewall_ro
> - Switch is TACACS client, and the user is member of group netadmin-ro, 
> return request with tacacsgroup=network_ro
> 
> How would I do this mapping?
> 
> Many thanks and best regards
> Daniel
> 
> 
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM
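One way to express the four mappings Daniel lists using Hugh's Client-Identifier approach, written for this page as an illustration (it is not configuration from the thread or from Radiator's goodies): each AuthBy LDAP2 checks one AD group and replies with one tacacsgroup value, and the Handler selected by the client's Identifier decides which pair of clauses is consulted. Addresses, host names, DNs and secrets are placeholders; it assumes Daniel's ServerTACACSPLUS clause (GroupMemberAttr tacacsgroup and AuthorizeGroup sets named firewall_ro, full_access_fw, network_ro and full_access) is already in place, and that an AuthBy clause's StripFromRequest and AddToRequest are applied before its LDAP check.

```conf
# Added example: device-type aware TACACS+ authorisation groups.
# Placeholders: the 192.0.2.x addresses, dc-b.ad.example.com, all DNs
# and secrets.  tacacsgroup must exist in the Radiator dictionary, as
# Daniel's "GroupMemberAttr tacacsgroup" already implies.

# 1. Tag each TACACS+ client with the kind of device it is.
<Client 192.0.2.10>
    Secret     PLACEHOLDER-FW-SECRET
    Identifier Firewall
</Client>
<Client 192.0.2.20>
    Secret     PLACEHOLDER-SW-SECRET
    Identifier Switch
</Client>

# 2. One AuthBy LDAP2 per (device type, access level).  Each clause
#    puts the AD group it requires into the request, has memberOf
#    checked against it, and on success replies with the tacacsgroup
#    that names an AuthorizeGroup set in <ServerTACACSPLUS>.
<AuthBy LDAP2>
    Identifier CheckReadOnlyAccessForFirewall
    Host dc-b.ad.example.com
    AuthDN cn=radiator-svc,cn=Users,DC=ad,DC=example,DC=com
    AuthPassword PLACEHOLDER
    BaseDN OU=User,DC=ad,DC=example,DC=com
    UsernameAttr sAMAccountName
    ServerChecksPassword
    NoDefault
    # memberOf must contain the DN carried in the request's ADGroup
    AuthAttrDef memberOf,ADGroup,check
    # drop any ADGroup an earlier clause left behind, then set this one
    StripFromRequest ADGroup
    AddToRequest ADGroup="CN=netadmin-security-ro,OU=Groups,DC=ad,DC=example,DC=com"
    AddToReply tacacsgroup=firewall_ro
</AuthBy>
<AuthBy LDAP2>
    Identifier CheckFullAccessForFirewall
    Host dc-b.ad.example.com
    AuthDN cn=radiator-svc,cn=Users,DC=ad,DC=example,DC=com
    AuthPassword PLACEHOLDER
    BaseDN OU=User,DC=ad,DC=example,DC=com
    UsernameAttr sAMAccountName
    ServerChecksPassword
    NoDefault
    AuthAttrDef memberOf,ADGroup,check
    StripFromRequest ADGroup
    AddToRequest ADGroup="CN=netadmin-security,OU=Groups,DC=ad,DC=example,DC=com"
    AddToReply tacacsgroup=full_access_fw
</AuthBy>
<AuthBy LDAP2>
    Identifier CheckReadOnlyAccessForSwitch
    Host dc-b.ad.example.com
    AuthDN cn=radiator-svc,cn=Users,DC=ad,DC=example,DC=com
    AuthPassword PLACEHOLDER
    BaseDN OU=User,DC=ad,DC=example,DC=com
    UsernameAttr sAMAccountName
    ServerChecksPassword
    NoDefault
    AuthAttrDef memberOf,ADGroup,check
    StripFromRequest ADGroup
    AddToRequest ADGroup="CN=netadmin-ro,OU=Groups,DC=ad,DC=example,DC=com"
    AddToReply tacacsgroup=network_ro
</AuthBy>
<AuthBy LDAP2>
    Identifier CheckFullAccessForSwitch
    Host dc-b.ad.example.com
    AuthDN cn=radiator-svc,cn=Users,DC=ad,DC=example,DC=com
    AuthPassword PLACEHOLDER
    BaseDN OU=User,DC=ad,DC=example,DC=com
    UsernameAttr sAMAccountName
    ServerChecksPassword
    NoDefault
    AuthAttrDef memberOf,ADGroup,check
    StripFromRequest ADGroup
    AddToRequest ADGroup="CN=netadmin,OU=Groups,DC=ad,DC=example,DC=com"
    AddToReply tacacsgroup=full_access
</AuthBy>

# 3. The client's Identifier picks the pair of clauses.  Read-only is
#    tried first so a user in both groups gets the least privileged
#    set; ContinueUntilAccept moves on after a reject.
<Handler Client-Identifier=Firewall>
    AuthByPolicy ContinueUntilAccept
    AuthBy CheckReadOnlyAccessForFirewall
    AuthBy CheckFullAccessForFirewall
</Handler>
<Handler Client-Identifier=Switch>
    AuthByPolicy ContinueUntilAccept
    AuthBy CheckReadOnlyAccessForSwitch
    AuthBy CheckFullAccessForSwitch
</Handler>
# 4. A request from a client with no device type is rejected outright.
<Handler>
    <AuthBy INTERNAL>
        AuthResult REJECT
    </AuthBy>
</Handler>
```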

Re: [RADIATOR] Migrate Cisco CAR MCD database to Radiator

2016-08-23 Thread Hugh Irvine

Hello Rohan -

Yes I am fairly sure we know how to do this.

I’ll let someone from the office confirm - I think it’s a pay-for service.

regards

Hugh

> On 24 Aug 2016, at 07:07, rohan.henry cwjamaica.com 
> <rohan.he...@cwjamaica.com> wrote:
> 
> Hello,
> 
> Has anyone ever migrated from Cisco CAR radius to Radiator
> 
> I need to dump userlist tables from Cisco CAR database for migration to 
> Radiator but cannot find any documentation even from Cisco website.
> 
> Thanks.
> 
> Rohan



Re: [RADIATOR] Duplicate packets

2016-07-18 Thread Hugh Irvine

Hello Mahmoud -

Alan is correct, you at least need to acknowledge the requests, else you will 
get retries.

Check the RADIUS RFCs for a description of how the RADIUS protocol is designed.

You will find the RFCs in the “doc” directory of the Radiator distribution, as 
well as online.

BTW - your configuration file is no longer available on Pastebin.

regards

Hugh


> On 18 Jul 2016, at 20:34, Mahmoud Abdelsalam <m.abdelsa...@wimd.com.kw> wrote:
> 
> Hi Alan,
> 
> Thanks for your reply, it works without duplicates for almost 97% of the 
> accounts, could you please point me to documentation of this.
> 
> Regards,
> 
> Mahmoud Abdelsalam.
> 
> 
> 
> On 07/18/16 12:25, a.l.m.bu...@lboro.ac.uk wrote:
>> Hi,
>> 
>>> I am not handling start packets so they are ignored, as you may noticed
>> at least acknowledge them. if you dont handle them and ignore them then any 
>> decent NAS will resend
>> them and/or mark your server as down/dead  :(
>> 
>> alan
> 


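As an added illustration of Alan's and Hugh's point that accounting requests must at least be acknowledged (this is not configuration from the thread): the first fragment shows how an Accounting-Request can fall through unanswered, the second gives it a Handler of its own that records it and always replies. AuthBy INTERNAL with AcctResult ACCEPT is the same pattern Hugh uses in his custom logging post further down this page; the file paths are placeholders.

```conf
# Added example: why accounting can go unanswered, and the fix.

# Before: the only Handler matches authentication traffic.  An
# Accounting-Request from the same NAS matches no Handler, so Radiator
# logs that and sends no reply; after its timeout the NAS retransmits
# the same Start/Stop, which then looks like a duplicate.
#<Handler Request-Type=Access-Request>
#    <AuthBy FILE>
#        Filename %D/users
#    </AuthBy>
#</Handler>

# After: a second Handler owns accounting, writes the record and always
# returns an Accounting-Response, so the NAS stops resending.
<Handler Request-Type=Accounting-Request>
    # detail file of everything received (placeholder path)
    AcctLogFileName %L/detail
    <AuthBy INTERNAL>
        AcctResult ACCEPT
    </AuthBy>
</Handler>

<Handler Request-Type=Access-Request>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>
```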


Re: [RADIATOR] Duplicate packets

2016-07-18 Thread Hugh Irvine

Hello Mahmoud -

The origin of all RADIUS requests is your network equipment.

The only way duplicates happen is if the RADIUS server does not respond within 
the RADIUS timeout period or if the response does not arrive at the 
originating device.

In this particular case however, the Radiator debug log shows that the Radiator 
configuration file does not properly handle these accounting requests, so they 
are ignored.

I would need to see a copy of your Radiator configuration file to be able to 
say any more.

regards

Hugh


> On 18 Jul 2016, at 16:12, Mahmoud Abdelsalam <m.abdelsa...@wimd.com.kw> wrote:
> 
> Hello,
> 
> I have a weird situation here where our network team suspects Radiator 
> as the cause. I am getting duplicate packets (Start, Stop) on Radiator; 
> here is a sample:
> 
> http://pastebin.com/M3D5P9wK
> 
> We use both Cisco ISG and Mikrotik for PPPoE.
> 
> I know Radiator is working fine and it has been for more than two years, 
> but I need some advice: could Radiator in any case be the cause of such 
> duplication?
> 
> Please advise.
> 
> Best Regards,
> 
> Mahmoud Abdelsalam.
> 
> 




Re: [RADIATOR] Redback BRAS _ Radiator _ GPON network

2016-06-10 Thread Hugh Irvine

Hello Thomas -

If the Redback Smartedge BRAS can be configured to send RADIUS interim 
accounting updates, then yes you can configure Radiator to handle them.

Note that this is totally dependent on the Redback device, so you will need to 
check their documentation.

regards

Hugh


> On 11 Jun 2016, at 01:52, Thomas Kurian <tho...@kccg.com> wrote:
> 
> Dear Support,
> 
> We have a client who is basically an ISP with a GPON network connected to 
> the Ministry of Communication, a Redback Smartedge BRAS and a Radiator RADIUS 
> server. Currently their Radiator is handling their customers' authentication. 
> Kindly advise whether it is possible to send interim accounting updates from 
> the Redback BRAS NAS to a new Radiator RADIUS server in order to identify the 
> top bandwidth abuser customer company sharing the GPON leased line on an 
> hourly basis.
> 
> For example: let's say the ISP has leased a 10Mbps connection from the 
> ministry of communication for a set of 10 various customer companies.
> 
> Let's assume the average bandwidth consumption per company is 1Mbps. Let's say 
> from 1-2pm the 2nd company fully uses the 10Mbps bandwidth and therefore 
> during this hour the rest of the 9 companies cannot use this connection, 
> hence we need to identify these leased line abuser companies on an hourly 
> basis and put them under a separate tariff plan in order to provide them a 
> dedicated line to fulfill their bandwidth needs as per their consumption 
> rates. Currently, since the ISP GPON network terminates at the ministry of 
> communication from where it is distributed to the customer companies, the ISP 
> does not have visibility on the top bandwidth abuser company as a lump sum.
> 
> Please advise whether we should have a new Radiator installation instance 
> which receives interim accounting updates from the Redback BRAS NAS server, 
> with a customized GUI to review top abuser companies on an hourly basis, or 
> whether we should consider some additional product integration such as 
> Solarwinds NPM to achieve the above mentioned objective.
> 
> -- 
> Best Regards,
> 
> Thomas Kurian
> IT Security Consultant
> Kuwaiti Canadian Consulting Group (www.kccg.com)
> T: +965 22435566
> F: +965 22415149
> E:tho...@kccg.com
> 
> 




Re: [RADIATOR] Hopefully a simple question regarding accounting

2016-05-16 Thread Hugh Irvine

Hello Martin -

Instead of IgnoreAccounting, you should use NoForwardAccounting, otherwise the 
original request will not be acknowledged.

See the following section in the Radiator 4.16 reference manual (“doc/ref.pdf”).


• 5.31.17  NoForwardAccounting

Stops AuthBy RADIUS forwarding Accounting-Requests. They are ACCEPTED, but no 
further action is taken with them. This is different in meaning to 
IgnoreAccounting, which IGNOREs them.

# Just ACCEPT Accounting-Requests, don’t forward them 

NoForwardAccounting


regards

Hugh


> On 16 May 2016, at 20:19, Martin Burton <m...@sanger.ac.uk> wrote:
> 
> Hi Folks,
> 
> The Eduroam Federation are on the verge of implementing a
> "no-accounting" border between Organisational and National Proxies and
> participants are being asked to stop sending accounting packets upstream.
> 
> Currently, I have the following config that forwards to the NRPS:
> 
> 
> 
>Identifier NRPS
>FailureBackoffTime 10
>RetryTimeout 5
>Retries 1
>UseExtendedIds
>AllowInRequest  User-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID
> 
>AllowInReplyUser-Name, Reply-Message, State, Class, \
>Message-Authenticator, Proxy-State, \
>EAP-Message, MS-MPPE-Send-Key, MS-MPPE-Recv-Key, \
>Calling-Station-Id, Acct-Status-Type,
> Acct-Session-ID, Operator-Name
> 
> 
> 
>AddToRequest Operator-Name="1sanger.ac.uk"
> #
> # Include the radius server specific NRPS host configuration
> #
>include %D/%h.nrps
> 
>AutoMPPEKeys
> 
> 
> 
>Identifier OUT-NRPS
>AcctLogFileName %L/default.acct.log
>AuthByPolicy ContinueWhileIgnore
>AuthLog EduroamLog
>AuthBy AuthLOG
>AuthBy NRPS
> 
> 
> 
> where %D/%h.nrps  simply contains the  declarations for the upstreams.
> 
> 
> If I want to ensure that no accounting packets are sent upstream, is it
> as simple as adding "IgnoreAccounting" to the AuthBy:
> 
> 
>   Identifier NRPS
> 
>   IgnoreAccounting
>   
>   FailureBackoffTime 10
>   RetryTimeout 5
>   Retries 1
> 
> .
> .
> .
> 
> 
> Just seems too simple!
> 
> 
> Thanks,
> 
> Martin.
> 
> -- 
> Martin Burton
> Principal Systems Administrator\\\|||///
> Infrastructure Team   \\  ^ ^  //
> Wellcome Trust Sanger Institute(  6 6  )
> -oOOo-(_)-oOOo---
> t: +44 (0)1223 496945 http://www.sanger.ac.uk
> Extreme Networks Specialist:  a178003uG1BAAU
> 



Re: [RADIATOR] Example of AuthSelect MySQL stored procedure/function

2016-05-12 Thread Hugh Irvine

Hello Mike -

I don’t have a complete example, however the MySQL documentation is here:

http://dev.mysql.com/doc/refman/5.7/en/call.html

So your AuthSelect would look like this:

AuthSelect CALL ……

Perhaps someone else on the list has an example?

BTW - there are a couple of Oracle examples in the “goodies” directory that 
might give you some ideas.

regards

Hugh


> On 12 May 2016, at 20:40, Mike Puchol <puc...@me.com> wrote:
> 
> Greetings,
> 
> I've found a few posts on the mailing lists regarding use of stored 
> procedures or functions on MySQL against an AuthSelect, but none show the 
> actual MySQL declaration, and how it can return multiple AuthColumnDef 
> parameters - for example, I would like to do an select on username and MAC 
> address, and return Idle-Timeout and Session-Timeout parameters, plus some 
> NAS-specific attributes.
> 
> Does anyone have a full example of both AuthSelect clause + MySQL procedure 
> code they can share?
> 
> Thanks,
> 
> Mike
> 
> 


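The Radiator side of what Mike asks for, added here as an illustration and not taken from the thread or from Radiator's goodies: an AuthBy SQL clause whose AuthSelect is a CALL, with AuthColumnDef lines mapping the procedure's result columns to a password check and to reply attributes. The procedure name radius_lookup, the database name and credentials are placeholders, and the clause assumes the procedure's final SELECT returns the columns in the order the comments describe; the bind-variable form (AuthSelectParam) is used so the Calling-Station-Id is never interpolated into the SQL text.

```conf
# Added example: AuthSelect calling a MySQL stored procedure.
# DB name, user, password and the procedure name radius_lookup are
# placeholders.
<AuthBy SQL>
    Identifier SQLProcLookup
    DBSource   dbi:mysql:radius
    DBUsername radius
    DBAuth     PLACEHOLDER

    # Two bound parameters: the User-Name and the client MAC address.
    # Bind variables keep attacker-controlled attribute values out of
    # the SQL string itself.
    AuthSelect      CALL radius_lookup(?, ?)
    AuthSelectParam %0
    AuthSelectParam %{Calling-Station-Id}

    # The procedure's result set must return exactly these columns, in
    # this order:
    #   0  password                -> checked against the request
    #   1  idle timeout (seconds)  -> Idle-Timeout reply attribute
    #   2  session timeout         -> Session-Timeout reply attribute
    #   3  extra reply attributes as "Attr=value,Attr=value", e.g. the
    #      NAS-specific ones Mike mentions
    AuthColumnDef 0,User-Password,check
    AuthColumnDef 1,Idle-Timeout,reply
    AuthColumnDef 2,Session-Timeout,reply
    AuthColumnDef 3,GENERIC,reply
</AuthBy>
```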

Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread Hugh Irvine

Hello Roberto -

Welcome to the wonderful world of EAP.

Note that EAP is essentially a stateful encrypted TCP tunnel, over RADIUS, over 
UDP, hence the large number of packets back and forth for a single 
authentication.

I wonder what substance they were abusing?

regards

Hugh


> On 12 Apr 2016, at 23:58, a.l.m.bu...@lboro.ac.uk wrote:
> 
> Hi,
>>   Are all the challenges independent of each other? I can't find anything in
>>   the debug log that ties the incoming packets together.
> 
> all separate UDP packets - but with a known state - the RADIUS
> server recognises the conversation (up to 256 from each NAS usually)
> 
> with latest patchset for 4.16 you can see more details to help track
> a conversation in debug
> 
> alan




Re: [RADIATOR] Performance logging

2016-03-30 Thread Hugh Irvine

Hello Alex -

It depends on what you are looking at.

EAP involves multiple RADIUS messages to and from the end user device and 
Radiator.

If you are looking at the overall response time from the initial RADIUS 
Access-Request, through all of the EAP back and forth, to the ultimate 
Access-Accept, there really is nothing you can do.

If on the other hand you are looking only at the inner EAP request and the 
associated authentication process, as Tuure says, any delays are likely to be 
backend lookups.

regards

Hugh



> On 30 Mar 2016, at 20:57, Tuure Vartiainen <varti...@open.com.au> wrote:
> 
> Hi,
> 
>> On 29 Mar 2016, at 11:53, Hartmaier Alexander 
>> <alexander.hartma...@t-systems.at> wrote:
>> 
>> I've copied the calculation code to my LogFormatHook code:
>> 
>> $message->{response_time} = Radius::Util::timeInterval( \
>>$p->{RecvTime}, \
>>$p->{RecvTimeMicros}, Radius::Util::getTimeHires()); \
>> 
>> I'd still prefer if that float was available with a placeholder variable.
>> 
>> It shows what I was expecting, EAP authentication is slow.
>> Any pointers where I can start optimizing the EAP auth performance?
>> 
> 
> hard to say without seeing your configuration and Trace 4 (DEBUG) log 
> of a single request including microseconds (LogMicroseconds).
> 
> I assume that those timings are for the last Access-Request of 
> EAP authentication which produces either Access-Accept or Access-Reject.
> 
> Usually most of the time goes to a user lookup from a backend.
> 
> 
> BR
> -- 
> Tuure Vartiainen <varti...@open.com.au>
> 




Re: [RADIATOR] Performance logging

2016-03-23 Thread Hugh Irvine

Hi Alex -

I may have misunderstood your original question - %s is only the offset in the 
current second.

For what you want to do you should probably be using “LogMicroseconds” global 
parameter (requires “Time-Hires” from CPAN).

Otherwise you can add your own custom time attributes in the current request 
packet and post-process the logs to derive the deltas.

The AuthBy INTERNAL clause is very handy for this sort of thing if you add them 
into your processing sequence at the relevant places.

regards

Hugh


> On 23 Mar 2016, at 21:03, Hartmaier Alexander 
> <alexander.hartma...@t-systems.at> wrote:
> 
> Hi Hugh,
> is that a microsecond counter starting when the request is received?
> Imho the wording is confusing, will it wrap around when the request takes 
> more than one second?
> How would I log the microseconds as integer for requests that take longer 
> than one second?
> 
> Thanks, Alex
> 
> On 2016-03-23 10:33, Hugh Irvine wrote:
>> Hello Alex -
>> 
>> %s is the number of microseconds in the current second.
>> 
>> From section 5.2 of the Radiator 4.16 reference manual (“doc/ref.pdf”):
>> 
>>  %s  Microseconds in the current second
>> 
>> Note that the RADIUS protocol only defines times in seconds.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>>> On 23 Mar 2016, at 19:44, Hartmaier Alexander 
>>> <alexander.hartma...@t-systems.at> wrote:
>>> 
>>> Hi,
>>> I'd like to add the time it took to craft a response for each request to
>>> the logs.
>>> In the reference manual I only found %E which is 'The elapsed time in
>>> seconds since the packet was received. Can be used to log
>>> processing time for proxied packets etc.'.
>>> For this logging I'd need at least milli- or better microseconds.
>>> Did I overlook a placeholder for those or do they currently not exist?
>>> 
>>> How do you guys monitor response time to prevent clients marking a
>>> server as unresponsive because it takes it too long to send a response,
>>> most of the time because of a backend like LDAP, SQL database or proxied
>>> radius server being slow?
>>> 
>>> Thanks, Alex
>>> 
>>> 
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
>>> Handelsgericht Wien, FN 79340b
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>>> Notice: This e-mail contains information that is confidential and may be 
>>> privileged.
>>> If you are not the intended recipient, please notify the sender and then
>>> delete this e-mail immediately.
>>> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> 



Re: [RADIATOR] Performance logging

2016-03-23 Thread Hugh Irvine

Hello Alex -

%s is the number of microseconds in the current second.

From section 5.2 of the Radiator 4.16 reference manual (“doc/ref.pdf”):

%s  Microseconds in the current second

Note that the RADIUS protocol only defines times in seconds.

regards

Hugh


> On 23 Mar 2016, at 19:44, Hartmaier Alexander 
> <alexander.hartma...@t-systems.at> wrote:
> 
> Hi,
> I'd like to add the time it took to craft a response for each request to
> the logs.
> In the reference manual I only found %E which is 'The elapsed time in
> seconds since the packet was received. Can be used to log
> processing time for proxied packets etc.'.
> For this logging I'd need at least milli- or better microseconds.
> Did I overlook a placeholder for those or do they currently not exist?
> 
> How do you guys monitor response time to prevent clients marking a
> server as unresponsive because it takes it too long to send a response,
> most of the time because of a backend like LDAP, SQL database or proxied
> radius server being slow?
> 
> Thanks, Alex
> 
> 



Re: [RADIATOR] Reply-Message

2016-02-19 Thread Hugh Irvine
 to use a 
> Reply-Message to reply with a group name from one of the mysql tables. Im not 
> having any luck getting the Reply-Message to work the way I want. I know the 
> mysql statement returns the right value, as I have it tested in phpmyadmin. 
> 
> Below is the query, and a level 4 trace, and my config. 
> 
> Table Structure:
> 
> Username  Password Groupname Notes Commonname
> 
> 
> 
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 



Re: [RADIATOR] Reading from multiple SQL tables

2016-02-18 Thread Hugh Irvine

Hi Gabe -

Please send me a copy of your configuration file (not copied to the mailing 
list) and I will take a look.

I’m guessing you probably want “ContinueUntilAccept”, but give me a bit more 
detail about what you are trying to accomplish.

regards

Hugh


> On 19 Feb 2016, at 06:54, Gabe Carmichael <g...@lksd.org> wrote:
> 
> Good morning, 
> I have two tables that I am trying to read from as I have two different 
> clients talking to my radiator box. I can get it to read from the first 
> Authby SQL but not the second. I have my AuthbyPolicy as  
> ContinueUntilReject. Please let me know if I have something goofed as I have 
> not had to touch this in a long time. Thanks for your time.
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 



Re: [RADIATOR] Reply attributes

2016-02-12 Thread Hugh Irvine

Hello Gabe -

You need to know what RADIUS attribute to use for this purpose, then configure 
the  clause to return it with the group(s) as the value.

See sections 5.30.8 and 5.30.10 in the Radiator 4.16 reference manual 
(“doc/ref.pdf”).

See also the example configuration file in “goodies/sql.cfg”.

regards

Hugh


> On 13 Feb 2016, at 04:17, Gabe Carmichael <g...@lksd.org> wrote:
> 
> Good morning,
> I have my instance running extremely well. I have added a group column to my 
> mysql table and have populated it with the all the groups that we want. We 
> are trying to pass the group attribute back to our Cisco 5508 wireless 
> controller. This would then be forwarded to our ISP's Palo Alto firewall for 
> group based access rules via snmp traps from the wireless controller. How can 
> I reply to the wireless controller with group attributes? Thanks
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 



[RADIATOR] custom logging configuration

2016-02-06 Thread Hugh Irvine

Hello All -

I have recently built some custom logging for a customer and I thought it might 
be interesting to post an overview here.

This will also be included in “goodies/hooks.txt” in future releases.

The requested feature was to forward for each session the username and 
associated IP address, together with a timestamp to a firewall and a security 
device using SYSLOG.

This example shows logging to SYSLOG, but any other  target(s) will 
work equally well.

Here is the configuration file that I used for testing:


# log.cfg
# (the <Client>, <Log>, <Handler> and <AuthBy> tags below are
# reconstructed: the archive copy lost them, including the first
# Handler's check item and the Client name, so the
# Request-Type=Accounting-Request check and "DEFAULT" are assumptions)

Foreground
LogStdout
LogDir  .
DbDir   .
# Use a lower trace level in production systems:
Trace   4

<Client DEFAULT>
    Secret  mysecret
</Client>

# define Log clauses here so they aren’t global loggers
<Log SYSLOG>
    Identifier SyslogToFirewall
    # add syslog specific details here
    Trace 3
</Log>

<Log SYSLOG>
    Identifier SyslogToSecurityDevice
    # add syslog specific details here
    Trace 3
</Log>

<Handler Request-Type=Accounting-Request>
    # the hook runs for every request this Handler receives
    PreAuthHook file:"%D/sysloglogger.pl"

    <AuthBy INTERNAL>
        AuthResult REJECT
        AcctResult ACCEPT
    </AuthBy>

    # Log accounting to a detail file
    AcctLogFileName %L/detail
</Handler>

<Handler>
    <AuthBy FILE>
        Filename %D/users
    </AuthBy>
</Handler>


and here is the hook code:


# sysloglogger.pl
# Radiator hook to send SYSLOG messages
# to firewall and security device with
# Timestamp, User-Name and Framed-IP-Address
#
# Hugh Irvine, OSC, 20160206

sub
{
my $p = ${$_[0]};

my $acctstatus = $p->get_attr('Acct-Status-Type');
return unless $acctstatus eq 'Start';

my $user = $p->get_attr('User-Name');
my $ipaddress = $p->get_attr('Framed-IP-Address');
my $message = "user = $user, ip = $ipaddress";

my $syslogtofw = Radius::Configurable::find('Log', 'SyslogToFirewall');

if ($syslogtofw)
{
$syslogtofw->log($main::LOG_INFO, $message, $p);
}

my $syslogtosd = Radius::Configurable::find('Log', 'SyslogToSecurityDevice');

if ($syslogtosd)
{
$syslogtosd->log($main::LOG_INFO, $message, $p);
}

return;
}


Hopefully someone finds this useful.

regards

Hugh

--

Hugh Irvine
h...@open.com.au

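The hook in the post above sends a user/IP pair only on Acct Start, which is enough to create a binding on the firewall but not to retire it. As an added example (not Hugh's code and not part of Radiator), here is the consumer side in Python: an identity table that takes the same values the hook forwards (timestamp, User-Name, Framed-IP-Address) together with Acct-Status-Type and Acct-Session-Id, binds on Start, refreshes on Interim-Update, releases on a Stop from the owning session only, and expires idle bindings, so a reused address does not keep the previous user's identity. The accounting records and the idle timeout are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Binding:
    user: str
    session_id: str
    first_seen: int  # epoch seconds of the Acct Start
    last_seen: int   # epoch seconds of the latest Start / Interim-Update


class IdentityTable:
    """Framed-IP-Address -> Binding. An address carries one identity at a time,
    so a Start for an address already bound to someone else replaces it."""

    def __init__(self, idle_timeout: int) -> None:
        self.idle_timeout = idle_timeout
        self._by_ip: Dict[str, Binding] = {}

    def process(self, req: Dict[str, str], now: int) -> Optional[str]:
        """Apply one accounting request; return a short event string, or None
        when the request changes nothing (and should only be logged)."""
        status = req.get("Acct-Status-Type")
        ip = req.get("Framed-IP-Address")
        user = req.get("User-Name")
        sid = req.get("Acct-Session-Id", "")
        if not ip or not user:
            return None
        current = self._by_ip.get(ip)
        if status == "Start":
            self._by_ip[ip] = Binding(user, sid, now, now)
            if current is not None and current.user != user:
                return f"rebind {ip}: {current.user} -> {user}"
            return f"bind {ip} -> {user}"
        if status == "Interim-Update":
            if current is None or current.session_id != sid:
                return None
            current.last_seen = now
            return f"refresh {ip} -> {user}"
        if status == "Stop":
            # Only the session that created the binding may release it, so a
            # late or forged Stop for some other session cannot unbind the address.
            if current is None or current.session_id != sid:
                return None
            del self._by_ip[ip]
            return f"unbind {ip}"
        return None

    def expire(self, now: int) -> List[str]:
        """Drop bindings with no Start or Interim-Update within idle_timeout."""
        stale = [ip for ip, b in self._by_ip.items()
                 if now - b.last_seen > self.idle_timeout]
        for ip in stale:
            del self._by_ip[ip]
        return stale

    def lookup(self, ip: str) -> Optional[str]:
        b = self._by_ip.get(ip)
        return b.user if b else None


def _acct(status: str, user: str, ip: str, sid: str) -> Dict[str, str]:
    return {"Acct-Status-Type": status, "User-Name": user,
            "Framed-IP-Address": ip, "Acct-Session-Id": sid}


# Constructed accounting stream: (epoch seconds, request); not from the post.
SAMPLE = [
    (1000, _acct("Start", "alice", "10.0.0.5", "s1")),
    (1600, _acct("Interim-Update", "alice", "10.0.0.5", "s1")),
    (2000, _acct("Stop", "alice", "10.0.0.5", "s9")),   # wrong session: ignored
    (2100, _acct("Start", "bob", "10.0.0.5", "s2")),    # address reused by bob
    (2200, _acct("Stop", "bob", "10.0.0.5", "s2")),
]


def run_sample() -> List[str]:
    table = IdentityTable(idle_timeout=3600)
    events = []
    for now, req in SAMPLE:
        event = table.process(req, now)
        if event:
            events.append(event)
    return events


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The Stop check on Acct-Session-Id is the part worth copying: accounting is unauthenticated beyond the shared secret, and a Stop that matches only on address would let a stale record (or a second NAS) strip a live user's identity from the firewall.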

Re: [RADIATOR] 100% load 1 cpu core

2016-02-02 Thread Hugh Irvine

Hello -

What are you using to test?

And you should note that a single instance of Radiator is single-threaded and 
will only use 1 CPU core.

At the very least you should run separate instances for authentication and 
accounting.

regards

Hugh


> On 2 Feb 2016, at 20:00, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> 
> Hello List!
> 
> After installing Radiator on the test server, I got a problem: 100% load on 
> 1 CPU core while the others are unused.
> 
> Screenshot
> http://i.imgur.com/eQjK5k8.png
> 
> radius.cfg
> 
> 
> # Listen for addresses using default ports
> BindAddress ::,0.0.0.0
> #BindV6Only
> 
> AuthPort1645,1820
> AcctPort1646,1821
> 
> # Uncomment these for foreground debugging
> #Foreground
> #LogStdout
> 
> Userradiator
> Group   radiator
> 
> DbDir   /etc/radiator
> DictionaryFile  /etc/radiator/dictionary
> LogDir  /var/log/radiator
> LogFile %L/radiator-log-%Y-%m
> PidFile /var/run/radiator/radiusd.pid
> 
> # Dont turn this up too high, since all log messages are logged
> # to the RADMESSAGES table in the database. 3 will give you everything
> # except debugging messages
> Trace 2
> 
> # You will probably want to change this to suit your site.
> # You should list all the clients you have, and their secrets
> # If you are using the Radmin Clients table, you wil probably
> # want to disable this.
> 
>   Identifier Client-DEFAULT
>   Secret 12345
>   DupInterval 0
> 
> 
> 
> 
> RejectHasReason
> 
> Host 192.168.144.3
> Secret 12345
> AuthPort 1820
> AcctPort 1821
> RejectHasReason
> 
> 
> 
> 
> 
> -- 
> With regards,
> Alexander Yakunin


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugh Irvine

Indeed - the old adage is very true:

“Just because a packet can get somewhere does not mean that the reply 
can get back….”

regards

Hugh


> On 1 Feb 2016, at 20:39, Hugo Veiga <hve...@ubi.pt> wrote:
> 
> Hi,
> 
> Heikki I bow to you. :)
> 
> So the problem was this:
> (Topology)
> Radiator Machine/ IP: 10.253.1.12/24 
> --Router--wireless switch/IP:10.240.1.1/24 
> - The radiator machine receives requests from wireless switch.
> - Wireless switch never receives the answer.
> :: So the Radiator machine is a virtual machine installed by a colleague of 
> mine (system admin) who entered 255.0.0.0 as the network mask. With that mask 
> the Radiator machine will try to reach 10.240.1.1 through ARP discovery and 
> will never find it, because it's on a different broadcast domain. The solution 
> was obvious: enter the correct netmask, and it started to work perfectly.
> 
> Problem solved.
> Many thanks Heikki,
> Hugo Veiga
> 
> 
> 
> >
>  Code:   Access-Request
> 
> >
>  Identifier: 180
> 
> >
>  Authentic:  <139><3>(<143><10><139>N<158><F<172><194><163><168><135>O
> 
> 
> Radiator notices this and retransmits its previous reply
> 
> >
>  Tue Jan 26 15:54:57 2016: INFO: Duplicate request id 180 received from
> 
> >
>  10.240.1.1(20004): retransmit reply
> 
> >
>  Tue Jan 26 15:54:57 2016: DEBUG: Packet dump:
> 
> >
>  *** Sending to 10.240.1.1 port 20004 
> 
> 
> There are multiple retransmits back and forth and the authentication
> does not proceed.
> 
> I would check the Wi-Fi controller logs and make sure it is receiving
> 
> the responses from Radiator.


--

Hugh Irvine
h...@open.com.au

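The "Duplicate request id 180 received from 10.240.1.1(20004): retransmit reply" lines in the quoted log come from the server's duplicate-request cache: the NAS never saw the reply, so it retransmitted the same packet, and the server answered from cache rather than authenticating again. The Python below is an added example of that mechanism (a model, not Radiator's implementation): a cache keyed on source address, source port, Identifier and Request Authenticator, with a window like the DupInterval parameter of a Client clause (0 disables it). The addresses, identifier and authenticators are constructed.

```python
from typing import Dict, List, Optional, Tuple

# (source IP, source port, RADIUS Identifier, 16-byte Request Authenticator)
Key = Tuple[str, int, int, bytes]


class DupCache:
    """Remembers recent requests and the reply sent for each one.

    A retransmission from a NAS carries the same source, Identifier and
    Request Authenticator, so it is answered with the cached reply instead of
    being authenticated again; the same Identifier with a different
    Authenticator is a genuinely new request. dup_interval 0 disables the
    cache, as DupInterval 0 does in a Radiator Client clause.
    """

    def __init__(self, dup_interval: float) -> None:
        self.dup_interval = dup_interval
        self._seen: Dict[Key, Tuple[float, Optional[bytes]]] = {}

    def check(self, src_ip: str, src_port: int, identifier: int,
              authenticator: bytes, now: float) -> Tuple[str, Optional[bytes]]:
        """Classify an incoming packet: ('new', None) to process it,
        ('duplicate-pending', None) to drop it because the original is still
        being processed, or ('duplicate', reply) to retransmit the old reply."""
        if self.dup_interval <= 0:
            return "new", None
        self._evict(now)
        key = (src_ip, src_port, identifier, authenticator)
        entry = self._seen.get(key)
        if entry is None:
            self._seen[key] = (now, None)
            return "new", None
        _, reply = entry
        if reply is None:
            return "duplicate-pending", None
        return "duplicate", reply

    def record_reply(self, src_ip: str, src_port: int, identifier: int,
                     authenticator: bytes, reply: bytes) -> None:
        """Attach the reply that was sent, keeping the original arrival time
        so the entry still ages out dup_interval after the first packet."""
        key = (src_ip, src_port, identifier, authenticator)
        if key in self._seen:
            first_seen, _ = self._seen[key]
            self._seen[key] = (first_seen, reply)

    def _evict(self, now: float) -> None:
        expired = [k for k, (ts, _) in self._seen.items()
                   if now - ts > self.dup_interval]
        for k in expired:
            del self._seen[k]

    def __len__(self) -> int:
        return len(self._seen)


def run_sample() -> List[str]:
    """Constructed sequence for one NAS (10.240.1.1:20004, Identifier 180),
    the situation behind the 'Duplicate request id 180' log line."""
    cache = DupCache(dup_interval=10.0)
    auth_a = bytes(range(16))        # constructed Request Authenticators
    auth_b = bytes(range(16, 32))
    nas = ("10.240.1.1", 20004, 180)
    out = []
    out.append(cache.check(*nas, auth_a, now=0.0)[0])    # first packet
    out.append(cache.check(*nas, auth_a, now=0.5)[0])    # retransmit, no reply yet
    cache.record_reply(*nas, auth_a, b"Access-Challenge")
    out.append(cache.check(*nas, auth_a, now=1.0)[0])    # retransmit: cached reply
    out.append(cache.check(*nas, auth_b, now=1.5)[0])    # same id, new authenticator
    out.append(cache.check(*nas, auth_a, now=20.0)[0])   # window elapsed: fresh
    return out


if __name__ == "__main__":
    print(run_sample())
```

The cache keeps a retransmit storm from re-running the backend lookup, but it cannot repair the reply path: a steady stream of "duplicate" hits from one NAS, as in the log above, is the signal to check routing and netmasks between the server and that client rather than the authentication backend.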

Re: [RADIATOR] Request for enhancement: Log Handler InfluxDB or at least UDP

2016-01-29 Thread Hugh Irvine

Hi Heikki, Hi Karl -

Two thoughts on this:

1. you can use the “|” pipe character in the “Filename …” parameter of the  clause to pipe the log messages to another program directly, together 
with LogFormat

2. one can easily imagine a new  clause with a hook as a parameter 
to do whatever one might wish, being mindful to limit overhead of course

regards

Hugh


> On 30 Jan 2016, at 04:31, Heikki Vatiainen <h...@open.com.au> wrote:
> 
> On 26.1.2016 17.31, Karl Gaissmaier wrote:
> 
>> I'm in the process to feed an InfluxDB from RADIATOR logfiles. Much
>> nicer would it be if RADIATOR team would implement:
>> 
>>  with the very simple but effective line protocol over
>> HTTP or at least an generic
>>  with a proper logformat hook done by the users and shipped as
>> goodies.
> 
> How about starting with a logformat hook to generate the datapoints in 
> the line protocol format and then using, for example, curl to send the 
> files to InfluxDB? I'm thinking about this:
> 
> https://docs.influxdata.com/influxdb/v0.9/guides/writing_data/
> 
> and 'Writing points from a file' described therein.
> 
>> Interested? Have a look at https://blog.haschek.at/post/fc060
> 
> Yes, this is very interesting. I looked at the line protocol 
> specification and it should be easy to implement with a formatting hook 
> for authentication. Accounting should be fairly easy too.
> 
> It might be worth considering a separate log agent to forward the logs to 
> InfluxDB (or in general to other logging, graphing, etc. systems). This 
> would separate the duties: radiator would create formatted logs and the 
> agent could handle the actual log forwarding.
> 
> This would also make it easier to add accounting and debug log 
> forwarding too since they can already be formatted when written to files.
> 
> If you need help with logformat hook, just let me know. I am interested 
> in helping you with this.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen <h...@open.com.au>
> 


--

Hugh Irvine
h...@open.com.au

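Heikki's suggestion above is a formatting hook that writes InfluxDB line protocol, with a separate agent doing the forwarding. As an added example (not code from the thread or from Radiator), here is the formatting half in Python: the escaping rules of the line protocol (commas, equals signs and spaces in tags and keys; quotes in string fields; the "i" suffix on integers) plus a function that turns one authentication outcome into a point. The measurement name, tag and field layout and the sample values are assumptions.

```python
from typing import Dict, Union

FieldValue = Union[int, float, bool, str]


def _escape_key(s: str) -> str:
    """Tag keys, tag values and field keys: escape commas, equals and spaces."""
    return s.replace(",", "\\,").replace("=", "\\=").replace(" ", "\\ ")


def _escape_measurement(s: str) -> str:
    return s.replace(",", "\\,").replace(" ", "\\ ")


def _format_field(value: FieldValue) -> str:
    """Typed field values: integers carry an 'i' suffix, strings are quoted
    with embedded quotes and backslashes escaped."""
    if isinstance(value, bool):   # before int: bool is a subclass of int
        return "true" if value else "false"
    if isinstance(value, int):
        return f"{value}i"
    if isinstance(value, float):
        return repr(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def line(measurement: str, tags: Dict[str, str],
         fields: Dict[str, FieldValue], timestamp_ns: int) -> str:
    """One line-protocol point: measurement,tags fields timestamp."""
    if not fields:
        raise ValueError("a point needs at least one field")
    tag_part = "".join(f",{_escape_key(k)}={_escape_key(str(v))}"
                       for k, v in sorted(tags.items()))
    field_part = ",".join(f"{_escape_key(k)}={_format_field(v)}"
                          for k, v in sorted(fields.items()))
    return f"{_escape_measurement(measurement)}{tag_part} {field_part} {timestamp_ns}"


def auth_point(username: str, nas_ip: str, result: str, reason: str,
               epoch_seconds: int, realm: str = "") -> str:
    """Format one authentication outcome. Result, NAS and realm are tags
    (bounded sets you filter and group by); the username is a field, because
    a tag per user would make the series cardinality grow with the user base.
    Measurement and attribute layout are assumptions for this example."""
    tags = {"nas": nas_ip, "result": result}
    if realm:
        tags["realm"] = realm
    fields: Dict[str, FieldValue] = {"user": username, "reason": reason, "count": 1}
    return line("radius_auth", tags, fields, epoch_seconds * 1_000_000_000)


if __name__ == "__main__":
    # Constructed sample values, not taken from any real log.
    print(auth_point("bob@example.com", "10.0.6.13", "FAIL", "Bad password",
                     1452774130, realm="example.com"))
```

Two points are easy to get wrong when this is done with a plain sprintf in a hook: a username containing a space or comma silently corrupts the point unless it is escaped (or placed in a quoted field, as here), and the timestamp must be nanoseconds unless the write precision is set otherwise.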

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-18 Thread Hugh Irvine

Hello -

You don’t have to do anything - the second AuthBy RADIUS clause will send the 
reply to the NAS.

If you want to do more than that you will also need a ReplyHook in the second 
AuthBy RADIUS clause.

regards

Hugh


> On 18 Jan 2016, at 18:15, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> 
> Hello Hugh!
> 
> > Again note that your hook code will not see the result of the second AuthBy 
> > RADIUS clause.
> 
> If the hook code does not see the result, how can I check what I received 
> in the reply from the second RADIUS server?
> 
> What my boss needs:
> 1) NAS sends Access-Request to Radiator
> 2) Radiator re-sends Access-Request to primary RADIUS server
> 3) If primary server replies Access-Reject with attribute Reply-Message = 1, 
> Radiator re-sends Access-Request to secondary RADIUS server. If Reply-Message 
> > 1 - send Access-Reject to NAS. 
> 4) After secondary server replies - Radiator sends reply to NAS
> 
> Does a reply hook do this?
> 
> 2016-01-15 1:42 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> 
> Hello -
> 
> The first thing to understand is that the AuthBy RADIUS clause(s) operate 
> asynchronously.
> 
> The hook code in your first AuthBy RADIUS clause will only execute when the 
> response is received for that clause.
> 
> When the hook code calls the second AuthBy RADIUS clause it will exit without 
> waiting.
> 
> As shown in the example, your hook code needs to alter the response.
> 
> In this case you would change the response to IGNORE which will allow the 
> second AuthBy RADIUS clause to execute and return its result.
> 
> 
> …..
> 
> $op->{RadiusResult} = $main::IGNORE;
> 
> …..
> 
> Again note that your hook code will not see the result of the second AuthBy 
> RADIUS clause.
> 
> hope that helps
> 
> regards
> 
> Hugh
> 
> 
> > On 14 Jan 2016, at 23:34, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Thank Hugh and Heikki!!!
> >
> > How can I get RADIUS reply packet from secondary server in hook script???
> > Radiator send Access-Reject before secondary server reply.
> >
> >
> > radius.cfg
> > ...
> > 
> >   Identifier Primary
> >   Host 10.0.6.151
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> >   ReplyHook file:"/etc/radiator/AccessReject"
> > 
> >
> > 
> >   Identifier Secondary
> >   Host 10.0.6.152
> >   Secret 123456
> >   AuthPort 1812
> >   AcctPort 1813
> > 
> >
> > 
> >   AuthBy Primary
> > 
> > ...
> >
> >
> > /etc/radiator/AccessReject
> > ...
> > sub
> > {
> > my $p = ${$_[0]}; # proxy reply packet
> > my $rp = ${$_[1]};# reply packet to NAS
> > my $op = ${$_[2]};# original request packet
> > my $sp = ${$_[3]};# packet sent to proxy
> >
> >   my $code = $p->code;
> >   ::log($main::LOG_DEBUG, "Code = $code");
> >   return unless $code eq 'Access-Reject';
> >
> >   if($code eq 'Access-Reject'){
> >   my $authby = Radius::AuthGeneric::find('Secondary');
> >   if (defined $authby)
> >   {
> >   ::log($main::LOG_DEBUG, "= 
> > HANDLE_REQUEST===");
> >   my ($rc, $reason) = $authby->handle_request($op, $rp);
> >   ::log($main::LOG_DEBUG, "= RC 
> > === $rc");
> >   ::log($main::LOG_DEBUG, "= REASON 
> > === $reason");
> >   if ($rc == 2)
> >   {
> >   ::log($main::LOG_DEBUG, "= 
> > ACCEPT ===");
> >   }
> >   else
> >   {
> >   ::log($main::LOG_DEBUG, "= 
> > REJECT ===");
> >   }
> >   }
> >   return;
> >   }
> > }
> > ...
> >
> > radiator log
> > ---
> > Thu Jan 14 15:22:08 2016: DEBUG: Packet dump:
> > *** Received from 10.0.6.13 port 57565 
> > Code:   Access-Request
> > Identifier: 0
> > Authentic:1452774130
> > Attributes:
> >   User-Name = "testcoa10"
> >   

Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-14 Thread Hugh Irvine
812 
> Code:   Access-Reject
> Identifier: 1
> Authentic:  <155><2><181><187><19>'<218><220>tK[\<224><137>,<194>
> Attributes:
>   Reply-Message = "1"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Code = Access-Reject
> Thu Jan 14 15:22:09 2016: DEBUG: = HANDLE_REQUEST===
> Thu Jan 14 15:22:09 2016: DEBUG: Handling with Radius::AuthRADIUS
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.152 port 1812 
> Code:   Access-Request
> Identifier: 1
> Authentic:1452774130
> Attributes:
>   User-Name = "testcoa10"
>   User-Password = C<143>a<151>S<184>6g<9><5>:<191>i<244>O3
>   NAS-IP-Address = 10.0.6.13
>   NAS-Port = 1
>   NAS-Port-Id = "123"
>   Service-Type = Framed-User
>   Framed-Protocol = PPP
>   Acct-Session-Id = "1"
>   Calling-Station-Id = "0800.2727.0575"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: = RC === 2
> Thu Jan 14 15:22:09 2016: DEBUG: = REASON === 
> Thu Jan 14 15:22:09 2016: DEBUG: = ACCEPT ===
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: 1
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 
> Code:   Access-Reject
> Identifier: 0
> Authentic:  <175><159>4<197>i<159><11><252>}<247><174>[Cn<138><3>
> Attributes:
>   Reply-Message = "Request Denied"
> 
> Thu Jan 14 15:22:09 2016: DEBUG: Received reply in AuthRADIUS for req 1 from 
> 10.0.6.152:1812
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Received from 10.0.6.152 port 1812 
> Code:   Access-Accept
> Identifier: 1
> Authentic:  T<10><218>9<16>F<167>A<168><127><187><20><9>!Q<127>
> Attributes:
>   Acct-Interim-Interval = 300
>   Framed-IP-Address = 192.168.0.203
> 
> Thu Jan 14 15:22:09 2016: INFO: Access rejected for testcoa10: Proxied
> Thu Jan 14 15:22:09 2016: DEBUG: Packet dump:
> *** Sending to 10.0.6.13 port 57565 
> Code:   Access-Reject
> Identifier: 0
> Authentic:  <149><142><227>Y<252>N<137>w<167><194>a<1>e<253>Kl
> Attributes:
>   Reply-Message = "Request Denied"
>   Acct-Interim-Interval = 300
>   Framed-IP-Address = 192.168.0.203
> -
> 
> 
> 2016-01-13 1:18 GMT+03:00 Hugh Irvine <h...@open.com.au>:
> 
> Hello -
> 
> See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.
> 
> regards
> 
> Hugh
> 
> 
> > On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> >
> > Hello!
> >
> > I want to know if it's possible to proxy auth requests in a
> > redundant fashion.
> >
> > On each request, I want to proxy it to a primary server; if it
> > succeeds then move on.
> > If the auth fails (Access-Reject), I need to proxy the Access-Request to a 
> > secondary server.
> >
> > Is it possible?
> >
> > Thanks!
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> 
> 
> 
> 
> -- 
> With regards,
> Alexander Yakunin


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] RADIUS Proxy for Auth Request on > 1 RADIUS servers

2016-01-12 Thread Hugh Irvine

Hello -

See the example in “goodies/hooks.txt” in the Radiator 4.15 distribution.

regards

Hugh


> On 12 Jan 2016, at 18:52, SinTeZ Wh1te <sintezwh...@gmail.com> wrote:
> 
> Hello!
> 
> I want to know if it's possible to proxy auth requests in a 
> redundant fashion.
> 
> On each request, I want to proxy it to a primary server; if it 
> succeeds then move on.
> If the auth fails (Access-Reject), I need to proxy the Access-Request to a 
> secondary server.
> 
> Is it possible?
> 
> Thanks!


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] IgnoreAccountingResponse

2015-12-21 Thread Hugh Irvine

Hello Ronald -

IgnoreAccountingResponse does not affect the retries and timeouts, it is 
typically used in conjunction with AccountingHandled in the Realm or Handler.

See section 5.31.30 in the Radiator manual (“doc/ref.pdf”):


5.31.30 IgnoreAccountingResponse

This optional flag causes AuthBy RADIUS to ignore replies to accounting 
requests, instead of forwarding them back to the originating host. 
This can be used in conjunction with the AccountingHandled flag in a Handler or 
Realm (see Section 5.20.10 on page 75) 
to ensure that every proxied accounting request is replied to immediately, and 
the eventual reply from the remote RADIUS server is dropped.


regards

Hugh


> On 21 Dec 2015, at 22:03, Ronald Pérez <ronald.pe...@fon.com> wrote:
> 
> Hi all,
> 
> I just want to know what happens in the case that we have 
> IgnoreAccountingResponse in our AuthBy and the remote server doesn't reply or 
> doesn't receive the request: will there be a retry to other servers within 
> this AuthBy, or does this request just get lost? How will we identify a remote 
> failing server?
> 
> 
> Kind regards and thanks for your help.
> 
> Ronald


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Authlog FILE - file location

2015-11-03 Thread Hugh Irvine

Hello Michael -

Yes - set the LogDir parameter to whatever you wish:

…..

# set LogDir 

LogDir /var/log/radius

…..


   Identifier myauthlogger3
   Filename %L/authlog_dsl_cust_a
 
 …..

You can also use any of the special characters listed in section 5.2 of the 
Radiator 4.15 reference manual (“doc/ref.pdf”).

regards

Hugh


> On 4 Nov 2015, at 17:18, Michael Bellears <mbelle...@gcomm.com.au> wrote:
> 
> Hi,
>  
> Hopefully a quick question. I've had a read of the manual, but can't seem to 
> find if it is possible to set a path for each logfile?
>  
> i.e. 
>  
> 
>Identifier myauthlogger3
>Filename authlog_dsl_cust_a
>  
>  
> Will log to file authlog_dsl_cust_a in the dir that radiator was started from 
> – Is there any way to add a “path” to where the file will be located?
>  
>  
> Cheers.


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Multithreading Radiator in Windows Server 2008/2012

2015-10-17 Thread Hugh Irvine

Hello Alan -

Yes absolutely - you typically want authentication to operate as quickly as 
possible, and it's usually a fairly lightweight lookup operation.

Accounting on the other hand is less time-critical and usually involves more 
processing to store the records.

Therefore it makes sense to have these operations running in separate processes.

Ie.

….

# Authentication Instance Configuration
# Listen for authentication requests only

AuthPort1645, 1812

AcctPort

…..

….

# Accounting Instance Configuration
# Listen for accounting requests only

AuthPort

AcctPort1646, 1813

…..

regards

Hugh


> On 17 Oct 2015, at 23:39, Alan Buxey <a.l.m.bu...@lboro.ac.uk> wrote:
> 
> > BTW - it is generally a good idea to have separate authentication and 
> > accounting instances as well (ie. one Windows service for authentication 
> > on 1645 and/or 1812, and another Windows service for accounting on 1646 
> > and/or 1813).
> 
> I'm guessing this is also true for Unix/linux/solaris installs too?
> 
> alan


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Multithreading Radiator in Windows Server 2008/2012

2015-10-16 Thread Hugh Irvine

Hello Nadav -

Each instance of Radiator would be configured as a separate Windows service, 
with the “frontend” listening on the standard RADIUS ports (1645/1646 and/or 
1812/1813).

The “backend” Radiator instances would listen on whatever ports you want (ie. 
11812/11813, and 12812/12813, and 13812/13813, whatever…).

The “frontend” instance would then use AuthBy PROXY clauses to proxy to the 
corresponding “backend’s”.

BTW - it is generally a good idea to have separate authentication and 
accounting instances as well (ie. one Windows service for authentication on 
1645 and/or 1812, and another Windows service for accounting on 1646 and/or 
1813).

regards

Hugh


> On 16 Oct 2015, at 17:47, Nadav Hod <nadav@comm-it.co.il> wrote:
> 
> Hi Hugh,
> 
> I came across your post on the matter from a few years back:
> http://www.open.com.au/pipermail/radiator/2012-August/018488.html
> 
> I was wondering if you could explain how this is performed on the same 
> Windows Server. For example, assuming I wanted to have a front-end server as 
> one process and three other Radiator processes for authenticating different 
> kinds of traffic. How would this be configured so that the backend could 
> communicate with the frontend and vice versa?
> 
> Would I need to install a different Windows service for each of these 
> processes? How would I ensure that each process would run under a different 
> core? Could one process which is CPU-intensive also use up a different core 
> if necessary so that this doesn't cause a bottleneck?


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Use FarmSize parameter

2015-09-24 Thread Hugh Irvine

Hello Antonio -

I am curious to know why your “father” process is taking so much time?

Have you checked a trace 4 debug with LogMicroseconds enabled to see what 
exactly is taking the time?

If you send me a copy of your configuration file(s) directly, I will take a 
look and try to make some suggestions.

FarmSize can be used in some situations, but it can cause problems in other 
situations.

regards

Hugh


> On 24 Sep 2015, at 00:40, António Mendes <antonio.men...@wit-software.com> 
> wrote:
> 
> Hello all,
> 
> We are running a scenario with an instance acting as a father and forwarding 
> the traffic to children processes according to some parameters in the request. 
> We did that by changing the init script and starting several instances of 
> radiator (each one on a different port).
> 
> We are noticing that the father process is consuming too much processing 
> resources and is only using one core. We would like to change this 
> configuration to allow the distribution of load across all CPU cores available 
> in the server, and to do that we are thinking of using "FarmSize" and creating 
> several instances of the father process.
> 
> Do you see any problem with this new approach (I'm a little bit worried about 
> the write concurrency of log files)? Do you have any concerns or 
> recommendations?
> 
> 
> Thanks
> -- 
> António Mendes
> 
> WIT Software | Software Engineer
> 
> This email was sent under WIT Software's Confidentiality Policy
> 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Use FarmSize parameter

2015-09-24 Thread Hugh Irvine

Hi Antonio -

I would need to see your configuration file(s) before making suggestions.

If you send copies to me directly I will take a look.

regards

Hugh


> On 24 Sep 2015, at 18:10, António Mendes <antonio.men...@wit-software.com> 
> wrote:
> 
> Hi Hugh, thanks for your answer.
> 
> The "father" process is consuming too much CPU due to the amount of requests; 
> it's perfectly normal because we have a huge number of clients. Radiator's 
> performance is not a problem.
> We need to move forward because we see that the hardware is underused (one 
> CPU core reaches 100% use several times but the others are unused). To 
> avoid this problem and make use of all cores available we took a look at the 
> "Farmsize" feature, but like I said we are a bit worried about problems that 
> could arise, like concurrency problems. So my question is whether there are 
> known problems in using Farmsize, or do you advise upgrading the configuration 
> in another way.
> 
> Please note that we are thinking of using Farmsize in the accounting process, 
> so the known authentication problems will not be a problem for us.
> 
> Best regards,
> António Mendes
> 
> WIT Software | Software Engineer
> 
> This email was sent under WIT Software's Confidentiality Policy
> 
> Às 07:38 de 24-09-2015, Hugh Irvine escreveu:
>> Hello Antonio -
>> 
>> I am curious to know why your “father” process is taking so much time?
>> 
>> Have you checked a trace 4 debug with LogMicroseconds enabled to see what 
>> exactly is taking the time?
>> 
>> If you send me a copy of your configuration file(s) directly, I will take a 
>> look and try to make some suggestions.
>> 
>> FarmSize can be used in some situations, but it can cause problems in other 
>> situations.
>> 
>> regards
>> 
>> Hugh
>> 
>> 
>> 
>>> On 24 Sep 2015, at 00:40, António Mendes <antonio.men...@wit-software.com>
>>>  wrote:
>>> 
>>> Hello all,
>>> 
>>> We are running a scenario with an instance acting as a father and 
>>> forwarding the traffic to children processes according to some parameters 
>>> in the request. We did that by changing the init script and starting several 
>>> instances of radiator (each one on a different port).
>>> 
>>> We are noticing that the father process is consuming too much processing 
>>> resources and is only using one core. We would like to change this 
>>> configuration to allow the distribution of load across all CPU cores available 
>>> in the server, and to do that we are thinking of using "FarmSize" and creating 
>>> several instances of the father process.
>>> 
>>> Do you see any problem with this new approach (I'm a little bit worried 
>>> about the write concurrency of log files)? Do you have any concerns or 
>>> recommendations?
>>> 
>>> 
>>> Thanks
>>> -- 
>>> António Mendes
>>> 
>>> WIT Software | Software Engineer
>>> 
>>> This email was sent under WIT Software's Confidentiality Policy
>>> 
>> 
>> --
>> 
>> Hugh Irvine
>> 
>> h...@open.com.au
>> 
>> 
>> 
>> 
> 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Auth for another mysql table

2015-09-12 Thread Hugh Irvine

Hello Gabe -

If you send me a copy of your configuration file (not to the list), I’ll take a 
look and make some suggestions.

Also, what form are the usernames going to have?

regards

Hugh


> On 12 Sep 2015, at 08:45, Gabe Carmichael <g...@lksd.org> wrote:
> 
> I have our wireless locked down to just machine mac addresses. Now the upper 
> folks want to use the same mysql db to have a un/pw field with a group id. 
> Would I add another realm that would look to the other table, and if it does 
> how can I reply with the group id attribute. Thanks. 
> 
> 
> -- 
> Gabe Carmichael
> Systems Analyst - Networking/Email
> Lower Kuskokwim School District
> 907-543-4860
> LKSD Internal 4 digit dial - 4860
> Skype: gabes72riv
> g...@lksd.org
> 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Hourly Authentication-Count Downward Spikes

2015-08-24 Thread Hugh Irvine

Hello Roberto -

This is almost always a problem with the backend authentication resource.

A trace 4 debug with LogMicroseconds (requires Time::HiRes from CPAN) will show 
you how long each processing step is taking.

What I generally see is Radiator waiting for an external resource and at some 
critical number of requests per second the UDP queue starts to fill up leading 
to timeouts and retransmissions.

Ie. if the external resource takes say 50 ms to respond, then it follows that 
at most you can process 20 requests per second - anything over that will lead 
to the problem I describe.

This is just one theory, but as I say, a trace 4 debug with LogMicroseconds 
will tell you where to look.

regards

Hugh


 On 25 Aug 2015, at 03:41, Ullfig, Roberto Alfredo rull...@uic.edu wrote:
 
 Hello all,
 
  
 
 It’s the first day of classes here and we’re seeing hourly successful 
 authentication-count downward spikes starting around 5-10 minutes before the 
 hour – was wondering if any other people here see the same thing in their 
 environments and
 
  
 
 We’re looking at the number of successful authentications per 5 minutes. 
 During the summer we would max out at 5K but there were no downward spikes. 
 We are now hitting 30K (shortly before noon) and this span of perhaps 20 
 minutes.
 
  
 
 ---
 
 Roberto Ullfig – rull...@uic.edu
 
 ACCC Research Programmer
 
  
 
 [attachment: radiusauths.png]


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] MySQL accounting gets entered but not deleted

2015-08-14 Thread Hugh Irvine

Hello Gabe -

The RADONLINE table is used to maintain a list of “who is connected now”, ie. 
records are entered when a user connects (an accounting start message) and 
removed when the user disconnects (an accounting stop message).

The ACCOUNTING table is an historical record of all connections over time and 
is usually kept for some period of time for audit and/or billing purposes.

If you don’t want any records in the ACCOUNTING table, just disable the inserts.

If you need more help send me a copy of your configuration file and I will be 
happy to assist.

regards

Hugh


 On 15 Aug 2015, at 05:38, Gabe Carmichael g...@lksd.org wrote:
 
 Good morning,
 I am not good with mysql at all, but the example strings got me up and 
 running. I seem to have the radonline table auto purging after a user logs 
 off but the entry still exists in the accounting table. Is there a way to 
 have it flush those entries after a certain amount of time?
 
 -- 
 Gabe Carmichael
 Systems Analyst - Networking/Email
 Lower Kuskokwim School District
 907-543-4860
 LKSD Internal 4 digit dial - 4860
 Skype: gabes72riv
 g...@lksd.org
 


--

Hugh Irvine
h...@open.com.au

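The Start/Stop handling Hugh describes (RADONLINE as "who is connected now", ACCOUNTING as the historical record), carried through as an added Python/sqlite example that is not Radiator's own code. The table layout is constructed here from the column names the AcctColumnDef examples on this list use, and purge_accounting is the time-based flush Gabe asked about, meant to run on a schedule rather than from the accounting path.

```python
"""Added example, not Radiator code: the RADONLINE / ACCOUNTING split above,
modelled with sqlite3. The schema is constructed for this example, using the
column names the AcctColumnDef examples on this list use."""
import sqlite3

SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME        TEXT    NOT NULL,
    NASIDENTIFIER   TEXT    NOT NULL,
    NASPORT         INTEGER NOT NULL,
    ACCTSESSIONID   TEXT    NOT NULL,
    TIME_STAMP      INTEGER NOT NULL,
    FRAMEDIPADDRESS TEXT,
    PRIMARY KEY (NASIDENTIFIER, NASPORT)
);
CREATE TABLE ACCOUNTING (
    USERNAME        TEXT    NOT NULL,
    TIME_STAMP      INTEGER NOT NULL,
    ACCTSTATUSTYPE  TEXT    NOT NULL,
    ACCTSESSIONID   TEXT    NOT NULL,
    ACCTSESSIONTIME INTEGER,
    NASIDENTIFIER   TEXT,
    NASPORT         INTEGER,
    FRAMEDIPADDRESS TEXT
);
"""


def open_db():
    """Fresh in-memory database holding both tables."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def handle_accounting(conn, req, now):
    """Apply one Accounting-Request, given as {RADIUS attribute: value}.

    Start : row appears in RADONLINE (who is connected now) and ACCOUNTING.
    Stop  : row leaves RADONLINE; the historical ACCOUNTING row stays.
    Alive : interim update, only refreshes the RADONLINE timestamp.
    Returns the Acct-Status-Type that was handled.
    """
    status = req["Acct-Status-Type"]
    key = (req["NAS-Identifier"], int(req["NAS-Port"]))
    if status == "Start":
        # A lost Stop leaves a stale row behind; a new Start on the same
        # NAS port replaces it rather than failing on the primary key.
        conn.execute(
            "INSERT OR REPLACE INTO RADONLINE VALUES (?, ?, ?, ?, ?, ?)",
            (req["User-Name"], key[0], key[1], req["Acct-Session-Id"],
             now, req.get("Framed-IP-Address")))
    elif status == "Stop":
        conn.execute(
            "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?",
            key)
    elif status == "Alive":
        conn.execute(
            "UPDATE RADONLINE SET TIME_STAMP = ? "
            "WHERE NASIDENTIFIER = ? AND NASPORT = ?", (now, *key))
    else:
        raise ValueError(f"unsupported Acct-Status-Type {status!r}")
    if status in ("Start", "Stop"):
        # Every Start and Stop is kept for audit and billing.
        conn.execute(
            "INSERT INTO ACCOUNTING VALUES (?, ?, ?, ?, ?, ?, ?, ?)",
            (req["User-Name"], now, status, req["Acct-Session-Id"],
             req.get("Acct-Session-Time"), key[0], key[1],
             req.get("Framed-IP-Address")))
    conn.commit()
    return status


def online_users(conn):
    """Usernames currently listed in RADONLINE, sorted."""
    rows = conn.execute("SELECT USERNAME FROM RADONLINE ORDER BY USERNAME")
    return [r[0] for r in rows]


def accounting_count(conn):
    """Number of historical rows in ACCOUNTING."""
    return conn.execute("SELECT COUNT(*) FROM ACCOUNTING").fetchone()[0]


def purge_accounting(conn, now, max_age_seconds):
    """Retention job: drop ACCOUNTING rows older than max_age_seconds and
    return how many went. Run it from cron, not from the accounting path."""
    cur = conn.execute("DELETE FROM ACCOUNTING WHERE TIME_STAMP < ?",
                       (now - max_age_seconds,))
    conn.commit()
    return cur.rowcount
```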

Re: [RADIATOR] Restricting login access by source device

2015-06-25 Thread Hugh Irvine

Hello Rob -

The usual way to do this is with Identifiers in the Client clauses to group the 
devices, then use the Identifier either as an authentication check item, or for 
separate Handlers.

regards

Hugh


 On 26 Jun 2015, at 07:34, Patrick, Robert (CONTR) robert.patr...@hq.doe.gov 
 wrote:
 
 How best to restrict RADIUS and TACACS auth to a specific source device (NAS) 
 for a specific user?
 
  
 
 What is the best method to allow all users access all the time from any 
 source, except user X, who is only to be permitted access when authenticating 
 from device Y?
 
  
 
 Customer is looking to permit the humans to log in with 2-factor tokens from 
 anywhere, and scripts with username/password to log in from a specific source.
 
  
 
 Thanks!
 
  
 
 -Rob Patrick
 


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Insert Accounting to DB Table.

2015-05-30 Thread Hugh Irvine

Hello -

The Radiator timestamp is an attribute called “Timestamp” which is added to the 
accounting requests.

See “goodies/sql.cfg” in the Radiator distribution.

regards

Hugh


 On 31 May 2015, at 15:00, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Hugh,
 
 Actually, as you said, I was trying to use the Radiator server timestamp, but I'm 
 not sure about the syntax and where to pass it; can you help please?
 
 Regards,
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au]
 Sent: Friday, May 29, 2015 9:54 AM
 To: Mohammed Alhaj Ali
 Cc: Sami Keski-Kasari; radiator@open.com.au
 Subject: Re: [RADIATOR] Insert Accounting to BD Table.
 
 
 Hello -
 
 You should check your accounting requests to see if Event-Timestamp is 
 present (I suspect it is not).
 
 A trace 4 debug will show you what you are receiving in the accounting 
 requests.
 
 You may need additional configuration on your Huawei equipment, or you may 
 need to use something else like the Radiator Timestamp.
 
 regards
 
 Hugh
 
 
 
 On 28 May 2015, at 22:09, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Sami,
 
 The system calculates the Session-Timeout based on the account's first login,
 which relies on the Event-Timestamp: when it is inserted into the TIME_STAMP
 column of the DB table, it then checks the account's number of days
 to calculate the account expiry and returns this value as
 Session-Timeout.
 
 Note that there's no problem for accounts that are already active and have 
 Session-Timeout configured, but for new subscriptions we did not get an 
 Event-Timestamp to insert into the DB table.
 
 Please let me know if you need any other information.
 
 Thank you!
 
 -Original Message-
 From: radiator-boun...@open.com.au
 [mailto:radiator-boun...@open.com.au] On Behalf Of Sami Keski-Kasari
 Sent: Thursday, May 28, 2015 1:54 PM
 To: radiator@open.com.au
 Subject: Re: [RADIATOR] Insert Accounting to BD Table.
 
 Hello Mohammed,
 
 I think that the error message is due to your SQL query not returning anything 
 for the Expiration check item while you have AddToReply Session-Timeout = until 
 Expiration in the configuration.
 
 Could you tell us more how the system should work?
 Who should/will update EXPIRATION field in database?
 
 Best Regards,
 Sami
 
 On 05/27/2015 11:32 AM, Mohammed Alhaj Ali wrote:
 Dears,
 
 
 
 Recently we had some changes on our network, as we replaced the Cisco
 platform with a Huawei BRAS; now we're unable to get proper accounting,
 especially when a customer account is newly created, so we can't get the
 account activation on the first login in order to calculate
 Session-Timeout. Below are the error logs plus the relevant part of the
 configuration:
 
 <AuthBy SQL>
     AccountingTable DSL_ACCOUNTING
     AcctColumnDef USERNAME,User-Name,%A
     AcctColumnDef TIME_STAMP,Timestamp,integer
     AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
     AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
     AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
     AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
     AcctColumnDef ACCTSESSIONID,Acct-Session-Id
     AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
     AcctColumnDef acctterminatecause, Acct-Terminate-Cause
     AcctColumnDef NASIDENTIFIER,NAS-Identifier
     AcctColumnDef NASPORT,NAS-Port,integer
     AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
     #AcctInsertQuery insert into %0 (%1) values (%2)
     AuthColumnDef 0,User-Password, check
     AuthColumnDef 1,Expiration, check
     AuthColumnDef 2,Simultaneous-Use, check
     AuthColumnDef 3,Huawei-Domain-Name, reply
     AuthColumnDef 4,GENERIC, reply
     AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS, EXPIRATION_D Huawei-Domain-Name, Session_Timeout Session-Timeout from ITC_ACCOUNTS_H where upper(USERNAME)=upper('%n')
     CachePasswordExpiry 86400
     AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, Framed-MTU=1492, Session-Timeout = "until Expiration"
     ConnectionAttemptFailedHook sub { my $self = shift; my $dbsource = shift; my $dbusername = shift; my $dbauth = shift; $self->log($main::LOG_ERR, "Could not connect to SQL database with DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr"); }
     DBSource dbi:ODBC:ORADB
     DBUsername user
     DBAuth password
     DateFormat %b %e, %Y %H:%M
     EAPAnonymous anonymous
     EAPContextTimeout 1000
     EAPFAST_PAC_Lifetime 7776000
     EAPFAST_PAC_Reprovision 2592000
     EAPTLS_MaxFragmentSize 2048
     EAPTLS_PEAPVersion 1
     EAPTLS_SessionResumption 1
     EAPTLS_SessionResumptionLimit 43200
     EAPTLS_VerifyDepth 1
     FailureBackoffTime 600
     Identifier HUW_POOL
     NoConnectionsHook sub { my $self = shift; $self->log($main::LOG_ERR, "Could not connect

Re: [RADIATOR] Insert Accounting to BD Table.

2015-05-29 Thread Hugh Irvine
 09:09:39 2015: DEBUG: Query is: 'select PASSWORD,
 to_char(EXPIRATION, '-mm-dd HH24:MI:SS') Expiration, MAXSESSIONS,
 EXPIRATION_D Huawei-Domain-Name , Session_Timeout Session-Timeout
 from ITC_ACCOUNTS_H where
 upper(USERNAME)=upper('testhua...@2048.itc.net.sa')':
 
 Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL looks for match with
 testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
 
 Wed May 27 09:09:39 2015: DEBUG: Radius::AuthSQL ACCEPT: :
 testhua...@2048.itc.net.sa [testhua...@2048.itc.net.sa]
 
 Wed May 27 09:09:39 2015: DEBUG: Session-Timeout=until ValidTo was
 specified, but there was no ValidTo or Expiration check item for this
 user. Ignored.
 
 Wed May 27 09:09:39 2015: DEBUG: AuthBy SQL result: ACCEPT,
 
 Wed May 27 09:09:39 2015: DEBUG: Access accepted for
 testhua...@2048.itc.net.sa mailto:testhua...@2048.itc.net.sa
 
 
 
 Wed May 27 09:09:39 2015: ERR: There is no value named until
 Expiration for attribute Session-Timeout. Using 0.
 
 
 
 Wed May 27 09:09:39 2015: DEBUG: Packet dump:
 
 *** Sending to 87.101.255.184 port 1812 
 
 
 
 Mohammed Alhaj Ali
 Integrated Telecom Co. Ltd.
 Tel: +966(11) 406-  Ext.2384
 Fax   : +966(11) 406-2221
 GSM  :
 m.al...@itc.sa mailto:m.al...@itc.sa
 
 http://www.execloud.net
 
 www.itc.sa http://www.itc.sa
 
 
 
 
 
 
 
 
 --
 Sami Keski-Kasari sam...@open.com.au


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-24 Thread Hugh Irvine
 AVPs
 
 In other setups I found that changing AVPs in one clause sends the
 AVP changes on to the following servers, which was not intended.
 
 I achieved the intended behaviour by enclosing an AuthBy RADIUS in a
 GROUP between a couple of INTERNALs: the first one to change the AVP
 and a final one to restore it from the original packet.
 
 I found a RequestHook very useful and a cleaner approach. It is the
 counterpart of the Reply/NoReplyHook.
 I thought it could be useful for others and, eventually, be included in
 the next versions.
 
 Thanks anyway,
 
 Best regards,
 
 José Borges Ferreira
 
 On Wed, Apr 22, 2015 at 7:21 AM, Hugh Irvine h...@open.com.au wrote:
 
 Hello Jose -
 
 One way to do this is with multiple Handler clauses and an AuthBy HANDLER 
 clause in the first one.
 
 See the example in “goodies/authhandler.cfg”.
 
 See also section 5.76 AuthBy HANDLER in the manual (“doc/ref.pdf”).
 
 You can have a different PreAuthHook in each target Handler clause, and the 
 overall configuration will be much simpler.
 
 I would also have separate configuration files for authentication and 
 accounting (each listening only on the corresponding ports).
 
 hope that helps
 
 regards
 
 Hugh
 
 
 
 On 22 Apr 2015, at 01:26, Jose Borges Ferreira undersp...@gmail.com wrote:
 
 Hi all,
 
 I have a setup that forwards some accounting to several servers. I
 need to mangle some attributes before forwarding to the remote
 server. One requirement is to have different mangling per host.
 I couldn't find a way to hook some code into AuthBy RADIUS, so I
 implemented the attached patch.
 
 So, my question is:
 
 Is there a way to achieve what I want?
 
 Does the patch make sense?
 
 Thanks in advance,
 
 José Borges Ferreira
 [attachment: RequestHook.patch]
 
 
 --
 
 Hugh Irvine
 h...@open.com.au
 
 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-24 Thread Hugh Irvine

Hi again -

You could also use an AuthBy MULTICAST clause instead of multiple AuthBy RADIUS 
clauses.

regards

Hugh


 On 25 Apr 2015, at 09:41, Hugh Irvine h...@open.com.au wrote:
 
 
 Hi Jose -
 
 Right - understood.
 
 In this case I would probably use separate Radiator processes as 
 intermediates between your main server and the targets that require special 
 AVpair processing.
 
 You would forward the original request unchanged and then deal with whatever 
 changes are required on the intermediate Radiator instances.
 
 I tend to use this architecture quite often as it makes each individual piece 
 much simpler and cleaner.
 
 Something like this:
 
 …..
 
 <Handler Client-Identifier=PGW, Acct-Status-Type=Start>
 
     Identifier  PGW_START
     AccountingHandled
 
     <AuthBy GROUP>
         AuthByPolicy ContinueAlways
 
         <AuthBy RADIUS>
             # Forward to intermediate instance
             Host      localhost
             AcctPort  11812
             Secret    secret2
             IgnoreAccountingResponse
         </AuthBy>
 
         <AuthBy RADIUS>
             # Forward to intermediate instance
             Host      localhost
             AcctPort  11813
             Secret    secret3
             IgnoreAccountingResponse
         </AuthBy>
 
         <AuthBy RADIUS>
             # Forward to intermediate instance
             Host      localhost
             AcctPort  11814
             Secret    secret4
             IgnoreAccountingResponse
         </AuthBy>
 
         <AuthBy RADIUS>
             Host      192.168.1.5
             Secret    secret5
             IgnoreAccountingResponse
         </AuthBy>
 
         <AuthBy RADIUS>
             Host      192.168.1.6
             Secret    secret6
             IgnoreAccountingResponse
         </AuthBy>
 
     </AuthBy>
 
     MaxSessions 0
 </Handler>
 
 
 BTW - I agree with you that a RequestHook would be a useful addition in any 
 case.
 
 regards
 
 Hugh
 
 
 On 25 Apr 2015, at 00:35, Jose Borges Ferreira undersp...@gmail.com wrote:
 
 Hi,
 
 
 I have something similar to this:
 
 <Handler Client-Identifier=PGW, Acct-Status-Type=Start>
     Identifier  PGW_START
     AccountingHandled
 
     <AuthBy GROUP>
         AuthByPolicy ContinueUntilReject
 
         <AuthBy RADIUS>
             Host    192.168.1.2
             Secret  secret2
             StripFromRequest    AVP1__2,AVP2__2
             AllowInRequest  3GPP-IMSI, Acct-Session-Id, NAS-Port-Type,\
                 Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp,\
                 Framed-IP-Address, User-Name
         </AuthBy>
 
         <AuthBy RADIUS>
             Host    192.168.1.3
             Secret  secret3
 
             # RequestHook is added by the attached patch; it changes only
             # the copy being forwarded ($fp), leaving the original ($p) intact
             RequestHook sub {\
                 my $p    = ${$_[0]};\
                 my $fp   = ${$_[1]};\
                 my $imsi = $p->get_attr('3GPP-IMSI');\
                 if ($imsi =~ /^1234/) {\
                     $fp->change_attr('3GPP-RAT-Type', 'UMTS');\
                 }\
             }
 
             AllowInRequest  3GPP-IMSI, 3GPP-PDP-Type, 3GPP-RAT-Type, 3GPP-User-Location-Info,\
                 Acct-Session-Id, NAS-Port-Type, Acct-Status-Type, Called-Station-Id,\
                 Calling-Station-Id, Event-Timestamp, Framed-IP-Address, User-Name
         </AuthBy>
 
         <AuthBy RADIUS>
             Host    192.168.1.4
             Secret  secret3
             AllowInRequest  3GPP-RAT-Type, 3GPP-User-Location-Info, Acct-Session-Id, NAS-Port-Type,\
                 Acct-Status-Type, Called-Station-Id, Calling-Station-Id, Event-Timestamp,\
                 Framed-IP-Address, User-Name
         </AuthBy>
 
         <AuthBy RADIUS>
             Host    192.168.1.5
             Secret  secret4
         </AuthBy>
 
         <AuthBy RADIUS>
             Host    192.168.1.6
             Secret  secret5
         </AuthBy>
     </AuthBy>
 
     MaxSessions 0
 </Handler>
 
 
 (not exactly this but similar enough)
 
 
 I want to achieve the following:
 
 1.Broadcast accounting to all

Re: [RADIATOR] RequestHook in AuthBy RADIUS

2015-04-22 Thread Hugh Irvine

Hello Jose -

One way to do this is with multiple Handler clauses and an AuthBy HANDLER 
clause in the first one.

See the example in “goodies/authhandler.cfg”.

See also section 5.76 AuthBy HANDLER in the manual (“doc/ref.pdf”).

You can have a different PreAuthHook in each target Handler clause, and the 
overall configuration will be much simpler.

I would also have separate configuration files for authentication and 
accounting (each listening only on the corresponding ports).

hope that helps

regards

Hugh



 On 22 Apr 2015, at 01:26, Jose Borges Ferreira undersp...@gmail.com wrote:
 
 Hi all,
 
 I have a setup that forwards some accounting to several servers. I
 need to mangle some attributes before forwarding to the remote
 server. One requirement is to have different mangling per host.
 I couldn't find a way to hook some code into AuthBy RADIUS, so I
 implemented the attached patch.
 
 So, my question is:
 
 Is there a way to achieve what I want?
 
 Does the patch make sense?
 
 Thanks in advance,
 
 José Borges Ferreira
 [attachment: RequestHook.patch]


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Processing delay in Diameter

2015-03-27 Thread Hugh Irvine

Hello Arthur -

The best way to see what is happening is to run Radiator at trace 4 with 
LogMicroseconds enabled.

This will show you exactly how long each processing step is taking and how long 
Radiator is waiting for external resources.

As Heikki says, this sort of problem is almost always due to slow responses 
from SQL and/or LDAP databases (or sometimes slow DNS lookups).

regards

Hugh


 On 27 Mar 2015, at 19:56, Heikki Vatiainen h...@open.com.au wrote:
 
 On 26.3.2015 14.45, Kaspar Jasper wrote:
 
 My Diameter peer sometimes complains about Diameter timeouts, which is 5
 seconds. Debugging leads me to the interesting detail - Diameter
 messages sometimes are processing with delays in Radiator.
 
 For instance, Radiator's server Wireshark capture:
 No.Time   Source Destination   Protocol Length Info
 231521 09:00:58.997242000 xxx.xxx.xx.xx  xxx.xxx.xx.xx DIAMETER 1622
 cmd=Accounting Request(271) flags=RP-- appl=Diameter Base Accounting(3)
 h2h=253e8654 e2e=253e8654
 
 But in the Radiator this request appears 5.2 second later:
 Thu Mar 26 09:01:04 2015 029052: DEBUG: StateMachine::event event
 
 Most likely you see this request as delayed because there is already a 
 queue in the OS receive buffer. That is, the previous messages have 
 taken longer than usual.
 
 I would take a look at the request processing flow and consider what 
 external lookups radiusd is doing. For example, DNS lookups, SQL DB 
 queries and so on. Some functions in Radius/Util.pm may do DNS lookups. 
 This can happen if they are given a name instead of IP address.
 
 Thanks,
 Heikki
 
 -- 
 Heikki Vatiainen h...@open.com.au
 


--

Hugh Irvine
h...@open.com.au

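A deterministic model of the throughput argument made in this thread and in the "Hourly Authentication-Count Downward Spikes" thread above, as an added Python example that is not Radiator code: a server that blocks on a backend for service_time seconds per request completes at most 1/service_time requests per second, and past that point the receive queue and the arrival-to-response latency grow until responses land after the client's timeout. Evenly spaced arrivals and a single blocking worker are simplifying assumptions of this model, not facts about Radiator.

```python
"""Added example, not Radiator code: a deterministic model of the argument
Hugh and Heikki make. A server that waits service_time seconds on an
external resource per request can answer at most 1/service_time requests
per second; once arrivals exceed that, the OS receive queue only grows and
each response is delivered later than the one before it."""
import bisect


def max_throughput(service_time):
    """Upper bound on requests per second for a server that blocks
    service_time seconds on an external resource per request."""
    return 1.0 / service_time


def simulate(arrival_rate, service_time, client_timeout, duration):
    """Evenly spaced arrivals (arrival_rate per second, for duration seconds)
    served one at a time in FIFO order, as a single blocking process would.

    Returns a dict with:
      served       responses delivered within client_timeout
      timed_out    responses delivered after the client gave up
      max_latency  worst arrival-to-response time seen (seconds)
      max_queue    deepest backlog seen in the receive queue
    Real clients retransmit after the timeout, which adds load, so this
    model is optimistic: a real server does worse than these numbers.
    """
    interval = 1.0 / arrival_rate
    n = int(duration * arrival_rate)
    finish_times = []          # completion times, non-decreasing
    backend_free_at = 0.0
    served = timed_out = 0
    max_latency = 0.0
    max_queue = 0
    for i in range(n):
        arrival = i * interval
        # Requests that arrived earlier but are still unanswered at this
        # instant are sitting in the receive buffer ahead of this one.
        queued = i - bisect.bisect_right(finish_times, arrival)
        max_queue = max(max_queue, queued)
        start = max(arrival, backend_free_at)
        finish = start + service_time
        backend_free_at = finish
        finish_times.append(finish)
        latency = finish - arrival
        max_latency = max(max_latency, latency)
        if latency > client_timeout:
            timed_out += 1
        else:
            served += 1
    return {"served": served, "timed_out": timed_out,
            "max_latency": max_latency, "max_queue": max_queue}


def headroom_report(service_time, arrival_rates, client_timeout=5.0,
                    duration=60.0):
    """Run the model for several offered loads against one backend latency.
    Take the per-step time a LogMicroseconds trace shows, plug it in here,
    and see where the cliff is."""
    return {rate: simulate(rate, service_time, client_timeout, duration)
            for rate in arrival_rates}


if __name__ == "__main__":
    # Hugh's numbers: a 50 ms backend caps the server at 20 requests/second.
    for rate, r in headroom_report(0.05, (15, 20, 25)).items():
        print(f"{rate:>3} req/s: timed_out={r['timed_out']:4d} "
              f"max_latency={r['max_latency']:6.2f}s "
              f"max_queue={r['max_queue']}")
```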


Re: [RADIATOR] ODBC Connection Error

2015-03-15 Thread Hugh Irvine

Hello -

I am guessing there is something in your terminal session environment that is 
not available to your script.

regards

Hugh


 On 15 Mar 2015, at 19:38, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Hugh,
 
 
 Issue fixed!!
 Actually, I ran the command below and there was no error. Before that, when I used 
 the radiator startup script I got the error, but when I run radiusd it's 
 working fine. I don't know what the problem is with the startup command in the 
 startup script?!
 
 I added option -I to the startup script:
 
 [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-I -pid_file $RADIUSD_PIDFILE -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"
 
 Any idea?!
 
 
 Thank you,
 Regards,
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au] 
 Sent: Friday, March 13, 2015 1:27 AM
 To: Mohammed Alhaj Ali
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] ODBC Connection Error
 
 
 Hello again -
 
 If you run “radiusd” from the command line you will see any Perl error 
 messages:
 
   cd /your/Radiator/distribution/directory
 
   perl radiusd -foreground -log_stdout -trace 4 -config_file …..
 
 regards
 
 Hugh
 
 
 On 12 Mar 2015, at 20:18, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Hugh, but this lib file actually is there, and when I try to connect with 
 another DBD, i.e. Oracle, it also fails. How can I check if there is anything wrong 
 with perl and the perl modules?
 
 Thank you!
 
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au]
 Sent: Thursday, March 12, 2015 11:17 AM
 To: Mohammed Alhaj Ali
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] ODBC Connection Error
 
 
 Hello -
 
 As the error message says, this shared library is not found:  
 '/usr/lib/libsqora.so.11.1'
 
 A quick Google search on "Can't open lib '/usr/lib/libsqora.so.11.1'" brings 
 up lots of useful hits.
 
 regards
 
 Hugh
 
 
 On 12 Mar 2015, at 18:46, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi
 Need help; I'm getting this error log when trying to connect to a remote DB:
 
 ERR: Could not connect to SQL database with DBI->connect 
 dbi:ODBC:DSLDB, zoouser, zoopass2009: [unixODBC][Driver Manager]Can't 
 open lib '/usr/lib/libsqora.so.11.1' : file not found (SQL-01000
 
 However odbc connection seems to be fine, please check below:
 
 
 [root@radiator03 ~]# isql -v DSLDB
 +---------------------------------------+
 | Connected!                            |
 |                                       |
 | sql-statement                         |
 | help [tablename]                      |
 | quit                                  |
 |                                       |
 +---------------------------------------+
 SQL>
 
 
 Looking forward to your help.
 
 Thank you!
 Regards.
 
 
 
 
 
 
 --
 
 Hugh Irvine
 h...@open.com.au
 
 
 
 
 --
 
 Hugh Irvine
 h...@open.com.au
 
 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] ODBC Connection Error

2015-03-12 Thread Hugh Irvine

Hello again -

If you run “radiusd” from the command line you will see any Perl error messages:

cd /your/Radiator/distribution/directory

perl radiusd -foreground -log_stdout -trace 4 -config_file …..

regards

Hugh


 On 12 Mar 2015, at 20:18, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Hugh, but this lib file actually is there, and when I try to connect with 
 another DBD, i.e. Oracle, it also fails. How can I check if there is anything wrong 
 with perl and the perl modules?
 
 Thank you!
 
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au] 
 Sent: Thursday, March 12, 2015 11:17 AM
 To: Mohammed Alhaj Ali
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] ODBC Connection Error
 
 
 Hello -
 
 As the error message says, this shared library is not found:  
 '/usr/lib/libsqora.so.11.1'
 
 A quick Google search on "Can't open lib '/usr/lib/libsqora.so.11.1'" brings 
 up lots of useful hits.
 
 regards
 
 Hugh
 
 
 On 12 Mar 2015, at 18:46, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi
 Need help; I'm getting this error log when trying to connect to a remote DB:
 
 ERR: Could not connect to SQL database with DBI->connect 
 dbi:ODBC:DSLDB, zoouser, zoopass2009: [unixODBC][Driver Manager]Can't 
 open lib '/usr/lib/libsqora.so.11.1' : file not found (SQL-01000
 
 However odbc connection seems to be fine, please check below:
 
 
 [root@radiator03 ~]# isql -v DSLDB
 +---------------------------------------+
 | Connected!                            |
 |                                       |
 | sql-statement                         |
 | help [tablename]                      |
 | quit                                  |
 |                                       |
 +---------------------------------------+
 SQL>
 
 
 Looking forward to your help.
 
 Thank you!
 Regards.
 
 
 
 
 
 
 --
 
 Hugh Irvine
 h...@open.com.au
 
 


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Cisco 5508 passing mac for mac auth

2015-02-17 Thread Hugh Irvine

Hello Gabe -

I would probably use the third mode with MAC address for both username and 
password.

If you are doing simple authentication (ie. not EAP), a simple AuthBy FILE 
clause will suffice.

Something like this:


…..

<Handler>
    <AuthBy FILE>
        Filename %D/macaddresses.txt
        AddToReply …..
    </AuthBy>
</Handler>

…..


macaddresses.txt would look something like this:

# macaddresses.txt
# file containing MAC addresses for both username and password

c8:2a:14:50:13:22  Password = c8:2a:14:50:13:22

c8:2a:14:50:13:33  Password = c8:2a:14:50:13:33

c8:2a:14:50:13:44  Password = c8:2a:14:50:13:44

…..


If you have further questions please include a trace 4 debug showing what is 
happening.

regards

Hugh


 On 18 Feb 2015, at 12:34, Gabe Carmichael g...@lksd.org wrote:
 
 All,
 When using a Cisco Wireless controller I have MAC delimiters and 3 modes of 
 operation:
 
 - Other - (In the Radius Access Request with Mac Authentication, Password is 
 NOT sent.)
 
 - Free Radius - (In the Radius Access Request with Mac Authentication, 
 Password is the controller's shared secret with the radius server.)
 
 - Cisco ACS - (In the Radius Access Request with Mac Authentication, password 
 is the client's MAC address.)
 
 My question is: I am trying to get Radiator to auth by MAC addresses in a 
 flat file. Which mode do I need to use, and how would I need to modify my config 
 file? Attached is a copy of my config. 
 
 -- 
 Gabe Carmichael
 Systems Analyst - Networking/Email
 Lower Kuskokwim School District
 907-543-4860
 LKSD Internal 4 digit dial - 4860
 Skype: gabes72riv
 g...@lksd.org
 


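
As an added example (not code from the thread or from Radiator), here is a small Python script that builds the macaddresses.txt file Hugh describes for the controller's third mode, reads it back, and applies the same exact-match check that AuthBy FILE applies to the Access-Request. The MAC list, the function names and the rejection of malformed lines are constructed for this example.

```python
import hmac
import re

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(raw: str, delimiter: str = ":") -> str:
    """Canonicalise a MAC written as aa:bb:cc:dd:ee:ff, AA-BB-..., aabb.ccdd.eeff or
    AABBCCDDEEFF to lower case with the delimiter the controller is configured to send."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if not _HEX12.match(digits):
        raise ValueError(f"not a MAC address: {raw!r}")
    return delimiter.join(digits[i:i + 2] for i in range(0, 12, 2))


def render_users_file(macs, delimiter: str = ":") -> str:
    """Emit macaddresses.txt entries in the shape Hugh gives: the MAC is the username and
    the Password check item is the same MAC (the controller's 'Cisco ACS' mode)."""
    lines = ["# macaddresses.txt", "# MAC address used for both username and password", ""]
    for mac in sorted({normalize_mac(m, delimiter) for m in macs}):
        lines.append(f"{mac}\tPassword = {mac}")
    return "\n".join(lines) + "\n"


_ENTRY = re.compile(r"^(\S+)\s+Password\s*=\s*(\S+)\s*$")


def parse_users_file(text: str) -> dict:
    """Read the file back into {username: password}; comments and blank lines are skipped,
    anything else is rejected so a malformed line cannot silently become a dead entry."""
    users = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unrecognised entry {line!r}")
        if m.group(1) in users:
            raise ValueError(f"line {lineno}: duplicate entry for {m.group(1)}")
        users[m.group(1)] = m.group(2)
    return users


def check_access_request(users: dict, user_name: str, user_password: str) -> bool:
    """What AuthBy FILE effectively does with the controller's Access-Request: an exact
    lookup of User-Name and an exact comparison of User-Password with the Password check
    item. Nothing is normalised here, so the controller's delimiter and case must match
    the file; a request in 'Free Radius' mode (shared secret as password) fails the compare."""
    expected = users.get(user_name)
    if expected is None:
        return False
    return hmac.compare_digest(expected.encode(), user_password.encode())


if __name__ == "__main__":
    # Constructed MAC list in mixed spellings; the file normalises them to colon form.
    sample = render_users_file(["C8:2A:14:50:13:22", "c8-2a-14-50-13-33", "c82a.1450.1344"])
    print(sample)
    table = parse_users_file(sample)
    print(check_access_request(table, "c8:2a:14:50:13:22", "c8:2a:14:50:13:22"))
```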

Re: [RADIATOR] COA log

2015-02-04 Thread Hugh Irvine
1
VALUE   OSC-TACACS-Authen-Method   KRB5         2
VALUE   OSC-TACACS-Authen-Method   Line         3
VALUE   OSC-TACACS-Authen-Method   Enable       4
VALUE   OSC-TACACS-Authen-Method   Local        5
VALUE   OSC-TACACS-Authen-Method   TACACSPLUS   6
VALUE   OSC-TACACS-Authen-Method   Guest        8
VALUE   OSC-TACACS-Authen-Method   RADIUS       16
VALUE   OSC-TACACS-Authen-Method   KRB4         17
VALUE   OSC-TACACS-Authen-Method   RCMD         32

…..

Of course you can use OSC-AVPAIR for anything at all, and you can use the 
others as you see fit.

regards

Hugh


 On 5 Feb 2015, at 10:20, Michael ri...@vianet.ca wrote:
 
 
 
 I personally log COA/POD requests using a very custom method.  This may 
 not be desirable for others.  I do this by after processing the COA/POD 
 normally, pass it to an AuthBy config that essentially changes it to an 
 Accounting-Request packet, populates a few extra values, then passes it 
 to my normal accounting log AuthBy.  This also requires adding custom 
 values to the dictionary file.
 
 
 <AuthBy GROUP>
 	Identifier convert2accounting
 
 	<AuthBy INTERNAL>
 		OtherHook sub {\
 			# some fancy code here.
 		}
 	</AuthBy>
 
 	# now that this packet has been converted to an accounting
 	# packet, it is ready to be logged.  pass it to the accounting log AuthBy
 	AuthBy accounting_log
 </AuthBy>
 
 
 an example result is something like this:
 
 +--+-++---+--+
 | username | timestamp   | type   | sess_time | term_cause   |
 +--+-++---+--+
 | username | 2015-01-05 15:04:09 | login  |  NULL | NULL |
 | username | 2015-01-05 16:46:03 | info   |  NULL | rate-change  |
 | username | 2015-01-05 16:47:02 | info   |  NULL | kick-request |
 | username | 2015-01-05 16:47:02 | logout |  6173 | Admin-Reset  |
 +--+-++---+--+
 
 
 
 
 



Re: [RADIATOR] COA log

2015-02-04 Thread Hugh Irvine

Hello -

As COA is not an authentication, it therefore follows that it will not be 
logged by an AuthLog clause.

To see what happens with a COA you will need to look at the log file (not the 
authlog file).

regards

Hugh


 On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) 
 carlos.onrubia.avi...@proximus.com wrote:
 
 Dear all,
 
  
 
 I have the following problem:
 
  
 
 I can log authentication with the configuration below; it works 
 correctly.
 
 But if I use the event_log identifier to log a COA (and not a normal 
 Access-Request with Accept or Reject), nothing happens.
 
  
 
 Can you indicate me how to log a COA with the answer (ACK or NACK)
 
  
 
 Thanks in advance,
 
  
 
  
 
  
 
 <Handler User-Name = ABCD>
 	AuthBy  toto
 	AuthLog event_log
 </Handler>
 
 <AuthLog FILE>
 	Identifier  event_log
 	Filename    %L/event_auth.log
 	SuccessFormat   %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
 	FailureFormat   %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
 	LogSuccess  1
 	LogFailure  1
 </AuthLog>
 
  
 
  
 
  
 
  
 
  
 
 
 




Re: [RADIATOR] Account log to MySQL

2015-02-03 Thread Hugh Irvine

Hello Chad -

From what you show below, you have two “Handler” lines - if this is not a 
typo it will certainly confuse the configuration file parser.

The best way to debug is to set the Trace level to 4 (DEBUG) so you can see 
exactly what is happening.

You set the Trace level in the configuration file:


…..

Trace 4

…..


regards

Hugh


 On 4 Feb 2015, at 08:39, Chad Roseburg croseb...@ncrl.org wrote:
 
 Goal:
 Capture successful logins as well as failures for stats purposes.
 
 I am setting up logging to a local MySQL instance. Here's what I've done:
 
 * Following instructions in the 'mysqlcreate.sql' file, I created the radius 
 table and user(s). 
 * Created the Mysql tables using the provided 'mysqlCreate.sql' in goodies.
 * Added the following stanza to my Handler just below the SIP Authby stanza:
 
 -- conf -
 <Handler>
 <Handler>
 	<AuthBy SIP2>
 		Port   6001
 		Host  siphost.com
 
 		Delimiter |
 
 		LoginUserID sipuser
 		LoginPassword supersecret
 		LocationCode Radiator
 
 		SendChecksum no
 		VerifyChecksum no
 
 		NoDefault
 		EAPType GTC
 	</AuthBy>
 	<AuthLog SQL>
 		DBSource	dbi:mysql:radius:localhost
 		DBUsername	radius
 		DBAuth	secrets
 		LogSuccess
 		# the column list and the value list must have the same length
 		SuccessQuery	insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE) values (%t, '%n', 1)
 		LogFailure
 		FailureQuery	insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
 	</AuthLog>
 </Handler>
 -- /conf ---
 
 I'm not seeing anything with:
 SELECT * FROM RADAUTHLOG;
 
 Is it just a quiet day or am I missing something?
 
 Last question is: does USERNAME refer to the client?
 
 Thank you!
 
 -- 
 Chad Roseburg
 Automation Dept.
 North Central Regional Library



Re: [RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!

2015-01-29 Thread Hugh Irvine

Hi -

In that case I would use a separate AuthBy FILE something like this:

…..

<AuthBy FILE>
	Identifier prefixforciscoavpair
	Filename %D/PrefixForCiscoAVPair
</AuthBy>

<Handler Realm=/^(512|1024|2048)\.itc\.net\.sa$/>
	<AuthBy GROUP>
		AuthByPolicy ContinueWhileAccept
		<AuthBy GROUP>
			AuthByPolicy ContinueWhileReject
			AuthBy dpool
			AuthBy flat
			PostAuthHook file:%D/FixedIP
			PacketTrace
		</AuthBy>
		AuthBy prefixforciscoavpair
	</AuthBy>
</Handler>

…..


The contents of the file PrefixForCiscoAVPair would look something like this:


# PrefixForCiscoAVPair
# Add reply attributes only for certain usernames
# (values containing spaces or commas must be quoted)

DEFAULT User-Name = /^pizza/
	AddToReply cisco-avpair = "ip:sub-qos-policy-in=ISP_1024_UpStream",
	cisco-avpair = "ip:sub-qos-policy-out=ISP_1024_DownStream",
	cisco-avpair = "lcp:interface-config=description *** PizzaHut ***",
	cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut",
	cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99"

DEFAULT Auth-Type = Accept


hope that helps

regards

Hugh




 On 29 Jan 2015, at 23:42, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi Hugh,
 
 Thank you for your reply,
 
 Please note that this user shares one realm with other subscribers, and 
 other realms may also have user names starting the same way. What I need to do is 
 configure this parameter under the responding realm; kindly check the realm 
 configuration below and how we can add additional attributes for some subscribers 
 whose accounts start with specific characters.
 
 
 I need to include this configuration under the below handler:
 
 <Handler Realm=/^(512|1024|2048)\.itc\.net\.sa$/>
 	AuthByPolicy ContinueWhileReject
 	AuthBy dpool
 	AuthBy flat
 	PostAuthHook file:%D/FixedIP
 	PacketTrace
 </Handler>
 
 
 Suppose that the user name is 'pizzahu...@1024.itc.net.sa', which shares the same 
 realm; whenever you find 'pizza*' in the user name, just add the additional 
 attributes to the reply.
 
 AddToReply cisco-avpair = "ip:sub-qos-policy-in=ISP_1024_UpStream", cisco-avpair = "ip:sub-qos-policy-out=ISP_1024_DownStream", cisco-avpair = "lcp:interface-config=description *** PizzaHut ***", cisco-avpair = "lcp:interface-config=ip vrf forwarding PizzaHut", cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99"
 
 
 
 Thank you!
 
 
 Regards,
 
 
 
 
 
 
 

Re: [RADIATOR] Additional radius attributes for particular users on shared realm :: how to?!!

2015-01-28 Thread Hugh Irvine

Hello -

The answer to this depends on what else you are doing in your configuration 
file.

The simplest way to do it is with Handlers (not Realms) like this:


…….

<Handler User-Name = /^xyz/>
	<AuthBy ….>
		…..
		# values with spaces need quotes; trailing backslashes continue the line
		AddToReply cisco-avpair = "ip:sub-qos-policy-in=ISP_1024_UpStream", \
			cisco-avpair = "ip:sub-qos-policy-out=ISP_1024_DownStream", \
			cisco-avpair = "lcp:interface-config=description *** XYZ ***", \
			cisco-avpair = "lcp:interface-config=ip vrf forwarding xyz", \
			cisco-avpair = "lcp:interface-config=ip unnumbered loopback 99", \
			Framed-MTU = 1492, \
			Framed-Protocol = PPP, \
			Service-Type = Framed-User
	</AuthBy>
</Handler>

<Handler>
	<AuthBy ….>
		…..
	</AuthBy>
</Handler>

…..


There are many other possibilities depending on your exact requirements.

regards

Hugh


 On 29 Jan 2015, at 00:32, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi,
 
 I'm asking how to use AddToReply to add additional RADIUS attributes for 
 particular users on a shared realm; for example, if I have a user name starting 
 with 'xyz', then reply with additional RADIUS attributes to the requesting NAS.
 We already have this configuration on Cisco AAA (CAR), and now we are trying to 
 migrate to Radiator. The script below was applied on CAR; please let me know how 
 to translate this to a Radiator configuration file.
 
 
 (tcl script)...
 if { [ string match xyz* $userName ] } {
     $response addProfile PPPoEProfile-XYZ-$realm
 } else {
     $response addProfile PPPoEProfile-$realm
 }
 
 Attribute profile for any user start with 'xyz'
 
 -- ls
 
 [ //localhost/Radius/Profiles/PPPoEProfile-XYZ-1024.example.com/Attributes ]
Cisco-AVPair = ip:sub-qos-policy-in=ISP_1024_UpStream
Cisco-AVPair = ip:sub-qos-policy-out=ISP_1024_DownStream
Cisco-AVPair = lcp:interface-config=description *** XYZ ***
Cisco-AVPair = lcp:interface-config=ip vrf forwarding xyz
Cisco-AVPair = lcp:interface-config=ip unnumbered loopback 99
Framed-MTU = 1492
Framed-Protocol = PPP
Service-Type = Framed
 
 
 
 



Re: [RADIATOR] Simple update of Radiator

2015-01-22 Thread Hugh Irvine

Hello Bernhard -

You just need to install the new version Radiator-4.14 over the top of your 
existing installation.

regards

Hugh


 On 23 Jan 2015, at 01:14, it.netzwerk_firew...@bawagpsk.com wrote:
 
 Hi everyone, 
 sorry for the basic question, but I can't find a manual for upgrading an 
 existing Radiator installation (just the normal installation). 
 Can you tell me the easiest way to do that, please? My current installation is 
 4.12.1 on Windows in directory e:\Radiator with Perl 5.16.3 
 
  Locally applied patches: 
ActivePerl Build 1603 [296746] 
  Built under MSWin32 
  Compiled at Mar 13 2013 11:29:21 
  @INC: 
E:/software32p/perl/site/lib 
E:/software32p/perl/lib 
. 
 Regards, 
 Bernhard
 
 
 
 
 
 Diese Information und eventuelle Anhaenge sind vertraulich 
 und ausschliesslich zur Kenntnisnahme durch den oder die 
 genannten Adressaten bestimmt. Sollten Sie nicht der 
 vorgesehene Adressat sein, ersuchen wir Sie, uns unverzueglich 
 zu informieren und die Nachricht zu loeschen. Der Inhalt der 
 fehlgeleiteten Nachricht darf weder aufgezeichnet noch 
 Unbefugten mitgeteilt oder fuer irgendwelche Zwecke verwertet 
 werden. Bitte beachten Sie weiters, dass trotz hoechstmoeglicher 
 Sorgfalt unsererseits aufgrund der technischen Gegebenheiten 
 im Internet keine Verantwortung fuer die Existenz von Viren 
 uebernommen werden kann.
 
 This message and any attachments are confidential and are 
 only intended for the recipient(s) to which they have been 
 addressed. If you have received this message in error, please 
 notify the sender immediately and delete the message from 
 your system. The contents of this misdirected mail may not be 
 saved, recorded or used for any purpose whatsoever or made 
 available to unauthorised persons. This message has been 
 prepared and sent with the greatest possible care, including 
 scanning for viruses. In spite of this, we assume no liability 
 whatsoever for the existence of any viruses.
 
 Firma: BAWAG P.S.K. Bank fuer Arbeit und Wirtschaft und Oesterreichische 
 Postsparkasse Aktiengesellschaft
 Rechtsform: Aktiengesellschaft
 Sitz: politische Gemeinde Wien
 Firmenbuchnummer: 205340x
 Firmenbuchgericht: Handelsgericht Wien
 DVR-Nummer: 1075217




Re: [RADIATOR] Simple update of Radiator

2015-01-22 Thread Hugh Irvine

Hi again -

Of course you must make sure you have backups of your configuration files and 
so on before changing anything.

I personally prefer to keep all of my Radiator source distributions in 
individual directories so I can easily change between them.

This also makes it very simple to go back to the previous version if there is a 
problem with the newer version.

You should also test fully on a test machine before running new versions in 
production.

regards

Hugh


 On 23 Jan 2015, at 14:55, Hugh Irvine h...@open.com.au wrote:
 
 
 Hello Bernhard -
 
 You just need to install the new version Radiator-4.14 over the top of your 
 existing installation.
 
 regards
 
 Hugh
 
 




Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread Hugh Irvine

Hello Sergio -

Yes - have a look at the current packages in the “Radius/Nas/…” directory of 
the Radiator-4.14 distribution.

regards

Hugh


 On 23 Jan 2015, at 13:41, sergio ser...@inbox.com wrote:
 
 hello
 
 Is it possible to create a package for the Mikrotik? MikrotikSessionMIB.pm
 
 
 -Original Message-
 From: nath...@fsr.com
 Sent: Mon, 8 Dec 2014 05:30:26 -0800
 To: m.abdelsa...@wimd.com.kw, radiator@open.com.au
 Subject: Re: [RADIATOR] Radiator+Mikrotik
 
 On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote:
 
 Hello all,
 
 As Mikrotik doesn't support COA for PPPoE, I used Disconnect-Request;
 the hook script sends a Disconnect-Request to the Mikrotik once the
 session exceeds the quota. Here is how I send the Disconnect-Request:
 
 [snip]
 
 This works fine, but the problem is that the user can't re-authenticate
 because it reaches MaxSessions, although I have this in my config file:
 
 [snip]
 
 The user would successfully authenticate again when I manually remove
 the
 session from RADONLINE by executing the DeleteQuery.
 
 It has been a while since I have had to look at/think about this, but as
 I recall, this is how it works:
 
 DeleteQuery doesn't get executed unless the Radiator server receives
 Accounting-Stop from the MikroTik.
 
 PoD/Disconnect-Request may or may not cause Accounting-Stop to be issued
 by MikroTik RouterOS; I can't remember and I will have to simulate this
 later and run a packet capture to see what happens.  (Maybe if you are
 running an older version of RouterOS, try upgrading?  It could be a bug
 that got fixed later, and they have definitely had their share of RADIUS
 client bugs in the past.)
 
 In any case, you can work around a problem where Radiator does not
 receive Accounting-Stop by having Radiator verify that any active
 sessions for the user that are recorded in the RADONLINE table are valid
 at the moment that the user tries to authenticate again.  Radiator does
 this by executing an SNMP query to the NAS that is on record for each
 session to see if the Session-ID for that row in the table is still
 valid.  If the NAS does not return anything for the OID, then Radiator
 assumes the session is dead and purges that entry from RADONLINE,
 reducing MaxSessions count by 1.
 
 To enable this functionality, you need to make sure that SNMP is enabled
 and configured on each MikroTik NAS, you need to make sure that Net-SNMP
 is installed and configured on the Radiator server, and you need to add
 these options to your Client clause in your Radiator config file:
 
 <Client DEFAULT>
 	[...]
 	# MikroTik supports this MIB
 	NasType CiscoSessionMIB
 	SNMPCommunity public
 </Client>
 
 Replace 'public' with the SNMP community string that you have configured
 on the MikroTik.
 
 We also made a slight change to the Radiator code, because by default, if
 Radiator does not get a response back from its SNMP get to the
 MikroTik, it gives the benefit of the doubt to RADONLINE.  We have found
 that more often than not, it is better to give the benefit of the doubt
 to the user.  That way, a user is not unfairly punished by problems with
 our NAS or problems on our network that might make it impossible for
 Radiator to communicate with our NAS.  Here is the patch to make that
 change in behavior:
 
 diff -r -d -u -N Radius/Nas/CiscoSessionMIB.pm
 Radius-patched/Nas/CiscoSessionMIB.pm
 --- Radius/Nas/CiscoSessionMIB.pm2009-10-26 15:23:55.0 -0700
 +++ Radius-patched/Nas/CiscoSessionMIB.pm2014-12-08 05:20:02.0
 -0800
 @@ -39,7 +39,7 @@
   $client-{SNMPCommunity},
   $Radius::Nas::CiscoMIB.9.150.1.1.3.1.2.$session_id);
 
 -return 1 if (!$result || $result =~ /no response/i); # Could not
 SNMP. Assume still there
 +return 0 if (!$result || $result =~ /no response/i); # Could not
 SNMP. Give benefit of doubt to user.
 return 0 if $result =~ /no such variable/i;  # Not in the MIB means
 no such session
 return uc($1) eq uc($name)
  if ($result =~ /^.*\([^]+).*$/);
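
Review bot: the `+return 0 if (!$result || $result =~ /no response/i)` line turns an SNMP failure into "session gone", so the check now fails open: whenever a MikroTik cannot be reached over SNMP (agent disabled, filtered, or a transient outage), every RADONLINE row for that user on that NAS is purged at the next login and MaxSessions no longer bounds concurrent sessions, which matters when the limit backs a quota or billing rule as in this thread. The stock `return 1` fails closed, the safer default for a limit of that kind. Suggest leaving the default alone and making the lenient behaviour opt-in per Client (the clause above already carries NasType and SNMPCommunity, so a flag beside them is natural), and logging the no-response path at a visible trace level so a persistently unreachable NAS is noticed rather than silently treated as empty.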
 
 Hope this helps,
 
 --
 Nathan Anderson
 First Step Internet, LLC
 nath...@fsr.com


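
An added example, not code from the thread or from Radiator: a Python model of the RADONLINE verification Nathan describes, showing the stock fail-closed handling of an unreachable NAS beside the patched fail-open one and what each does to the MaxSessions decision. The table rows, NAS addresses, session ids and the fake SNMP agent are constructed for the example, and real SNMP answers are richer than the three strings modelled here.

```python
from dataclasses import dataclass


@dataclass
class OnlineSession:
    """One RADONLINE row: the NAS holding the session, its Acct-Session-Id, the user."""
    nas: str
    session_id: str
    user: str


def session_still_alive(snmp_result, user, fail_open=False):
    """Classify one SNMP answer the way the CiscoSessionMIB check in the thread does.
    snmp_result is None or mentions 'no response' when the NAS could not be reached:
    the stock code keeps the session (fail closed), the posted patch drops it (fail open).
    'no such variable' means the OID is absent, so the NAS no longer has the session.
    Otherwise the answer is the session's user name and must match."""
    if not snmp_result or "no response" in snmp_result.lower():
        return not fail_open
    if "no such variable" in snmp_result.lower():
        return False
    return snmp_result.upper() == user.upper()


def admit_login(user, radonline, max_sessions, snmp_get, fail_open=False):
    """Simulated MaxSessions decision for a new Access-Request from `user`: verify every
    RADONLINE row of that user over SNMP, purge the dead ones from the table in place,
    then allow the login only if fewer than max_sessions survive.
    Returns (allowed, purged_session_ids)."""
    purged = []
    live = 0
    for row in [r for r in radonline if r.user == user]:
        if session_still_alive(snmp_get(row.nas, row.session_id), user, fail_open):
            live += 1
        else:
            purged.append(row.session_id)
    radonline[:] = [r for r in radonline
                    if not (r.user == user and r.session_id in purged)]
    return live < max_sessions, purged


# Constructed RADONLINE contents and a fake SNMP agent: NAS 10.0.0.2 is unreachable,
# NAS 10.0.0.1 still knows session 8100007 (bob) but has forgotten 8100001 (alice).
def sample_table():
    return [OnlineSession("10.0.0.1", "8100001", "alice"),
            OnlineSession("10.0.0.2", "8200002", "alice"),
            OnlineSession("10.0.0.1", "8100007", "bob")]


def fake_snmp_get(nas, session_id):
    if nas == "10.0.0.2":
        return "no response"
    return {"8100007": "bob"}.get(session_id, "no such variable")


if __name__ == "__main__":
    for policy in (False, True):
        table = sample_table()
        allowed, purged = admit_login("alice", table, 1, fake_snmp_get, fail_open=policy)
        print(f"fail_open={policy}: alice allowed={allowed}, purged={purged}, rows left={len(table)}")
```

With MaxSessions 1 and one stale row on the unreachable NAS, the stock policy refuses alice's new login until the NAS answers, while the patched policy admits her and empties her rows.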

Re: [RADIATOR] AVP with ipv4 or ipv6 values

2014-11-25 Thread Hugh Irvine
Hello Arthur -

This will need some special code in Radiator to deal with this properly.

Look for a patch soon.

regards

Hugh


 On 25 Nov 2014, at 22:22, Arthur Konovalov kas...@hot.ee wrote:
 
 Hello,
 
 Asking for a little suggestion on how to solve the problem that has come up.
 My system stores Diameter offline charging events in MySQL.
 Usually the Served-Party-IP-Address AVP carries an IPv4 value and all 
 works fine (printout from Wireshark):
 AVP: Served-Party-IP-Address(848) l=18 f=VM- vnd=TGPP val=194.106.126.181
 AVP Code: 848 Served-Party-IP-Address
 AVP Flags: 0xc0
 AVP Length: 18
 AVP Vendor Id: 3GPP (10415)
 Served-Party-IP-Address: 0001c26a7eb1
Served-Party-IP-Address Address Family: IPv4 (1)
Served-Party-IP-Address Address: 194.106.126.181
 
 But some equipment sends an IPv6 address:
 AVP: Served-Party-IP-Address(848) l=30 f=VM- vnd=TGPP 
 val=2a00:16e0:20:2:924d:7fc:ff47:7c4c
 AVP Code: 848 Served-Party-IP-Address
 AVP Flags: 0xc0
 AVP Length: 30
 AVP Vendor Id: 3GPP (10415)
 Served-Party-IP-Address: 00022a0016e00022924d07fcff477c4c
Served-Party-IP-Address Address Family: IPv6 (2)
Served-Party-IP-Address Address: 2a00:16e0:20:2:924d:7fc:ff47:7c4c
 
 and there a problem arises: the address is not properly converted.
 Trace level 4 output for this AVP shows:
 Served-Party-IP-Address: VM., 
 02*0400014190T/3017238s
 
 For Diameter, the dictionary entry for this AVP is:
 VENDORATTR 10415 Served-Party-IP-Address 848 Address
 For RADIUS, converted:
 VENDORATTR 10415 Served-Party-IP-Address 80 string
 
 Radiator version 4.9 in use.
 
 Is there any suggestion on how to store both IP address variants to SQL?
 Might upgrading Radiator help?
 
 br,
 Arthur
 
 




Re: [RADIATOR] Duplicate request issues

2014-11-24 Thread Hugh Irvine
Hello Patrick -

This sounds to me like the internal servers are not processing requests quickly 
enough and don’t respond to the external servers before the external servers 
time out and resend.

When the resent request arrives at the internal server(s) they are indeed 
marked as duplicates because the previous request is still in process.

We often see this sort of problem with slow responses from authentication 
resources like SQL and/or LDAP databases.

A trace 4 debug with LogMicroseconds will show you exactly where the time is 
being spent waiting.

Of course it may not be the external servers that are timing out - it may be 
the upstream devices and/or proxies that are resending.

In any case, trace 4 debug with LogMicroseconds will show what Radiator is 
doing (or not doing), and the corresponding Wireshark trace will show you what 
packets are actually on the wire.

regards

Hugh


 On 25 Nov 2014, at 02:39, Patrik Forsberg patrik.forsb...@ip-only.se wrote:
 
 Hello,
 
 I have a problem where we have two external and two internal RADIUS servers. 
 The external RADIUS servers proxy almost all requests on to the internal 
 RADIUS servers, but the internal servers seem to think that the requests are 
 duplicates.
 
 I've done all I can think of to disable the duplicate filtering, but I seem 
 unable to stop the behaviour.
 I've tried setting DupInterval 0, NoIgnoreDuplicates 
 Access-Request,Accounting-Request and UseContentsForDuplicateDetection, each 
 of them by itself and in various combinations, but none of them remedies 
 the problem.
 When the external RADIUS servers get too many requests, the internal ones 
 start ignoring the requests as duplicates.
 
 Is there some other directive I can put in Clients, or other parts of the 
 configuration, to stop this from happening?
 
 
 Best Regards,
 Patrik Forsberg
 


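Hugh's advice above is to read a trace 4 log with LogMicroseconds and look for where the time goes. As an added example (not code from the thread or from Radiator), the script below does that mechanically: it parses constructed trace lines in the timestamp layout assumed here for LogMicroseconds, reports the largest gaps between consecutive lines together with the message that preceded each wait, and compares the total handling time with a retransmit timer, since a backend that takes longer than the upstream proxy's retry timer is exactly the situation in which the retried copy arrives while the original is still in progress.

```python
import re
from datetime import datetime

# Constructed sample in the line layout assumed here for a Radiator trace 4 log
# with LogMicroseconds ("Www Mmm dd HH:MM:SS.uuuuuu YYYY: LEVEL: text").
# The lines are made up for this example, not copied from a real server.
SAMPLE_LOG = """\
Mon Nov 24 10:15:01.000100 2014: DEBUG: Packet dump:
Mon Nov 24 10:15:01.000350 2014: DEBUG: Handling request with Handler 'Realm=DEFAULT'
Mon Nov 24 10:15:01.000900 2014: DEBUG: Handling with Radius::AuthSQL
Mon Nov 24 10:15:01.001200 2014: DEBUG: Query is: 'select ATTRIBUTES from SUBSCRIBERS where USERNAME='mikem''
Mon Nov 24 10:15:04.251200 2014: DEBUG: Radius::AuthSQL looks for match with mikem
Mon Nov 24 10:15:04.251700 2014: DEBUG: Access accepted for mikem
Mon Nov 24 10:15:04.252000 2014: DEBUG: Packet dump:
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3} +\d{1,2} \d\d:\d\d:\d\d\.\d{6} \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)


def parse_trace(text):
    """Return [(datetime, level, message)] for every timestamped line.
    Continuation lines (attribute lists under a packet dump) carry no
    timestamp and are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S.%f %Y")
            entries.append((ts, m.group("level"), m.group("msg")))
    return entries


def slowest_steps(text, top=3):
    """Gaps between consecutive timestamped lines, largest first.
    Each item is (seconds, message logged just before the wait)."""
    entries = parse_trace(text)
    gaps = [((t1 - t0).total_seconds(), msg0)
            for (t0, _, msg0), (t1, _, _) in zip(entries, entries[1:])]
    gaps.sort(key=lambda g: g[0], reverse=True)
    return gaps[:top]


def total_handling_time(text):
    """Seconds from the first to the last timestamped line of the trace."""
    entries = parse_trace(text)
    if len(entries) < 2:
        return 0.0
    return (entries[-1][0] - entries[0][0]).total_seconds()


def exceeds_retry_timer(text, retry_timeout_seconds):
    """True when handling took longer than the upstream retransmit timer,
    i.e. the retried copy will arrive while the original is still in process."""
    return total_handling_time(text) > retry_timeout_seconds


if __name__ == "__main__":
    for seconds, msg in slowest_steps(SAMPLE_LOG):
        print("%9.6f s spent after: %s" % (seconds, msg))
    print("total %.6f s" % total_handling_time(SAMPLE_LOG))
```

On the constructed sample the 3.25 s gap sits right after the SQL query line, which is the pattern Hugh describes for slow SQL or LDAP backends; the retry timer you compare against is whatever the upstream proxies or NASes are configured with.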

Re: [RADIATOR] Using Radiator and Net-SNMP on the same server?

2014-11-20 Thread Hugh Irvine

Hello Eivind -

You will need to use different port numbers.

regards

Hugh


 On 21 Nov 2014, at 08:13, Eivind Olsen eiv...@aminor.no wrote:
 
 What's an easy way of running both Net-SNMP and Radiator (with its
 SNMPAgent). Is there some nice and fancy way of using both at the same
 time, or is the best / only way to tell them to listen on different ports
 such as UDP 161 for Net-SNMP and some other UDP-port for Radiator?
 
 Regards
 Eivind Olsen
 
 




Re: [RADIATOR] CoA-Request vs Change-Filter-Request in radpwtst

2014-11-12 Thread Hugh Irvine

Hello Heikki -

These could be added as synonyms as is done for some RADIUS attribute 
definitions.


# Radius.pm
# Implements Radius message packet object
#
# Contains the following additional attributes
#  SendTo
#  StatsTrail, array or refs to statistics hashes
#
# Handles multiple instances of the same attribute
# Handles accounting packets, and authentication of same
# Handles EAP
#
# Author: Mike McCauley (mi...@open.com.au),
# Copyright (C) Open System Consultants
# $Id: Radius.pm,v 1.175 2014/04/02 20:44:24 hvn Exp $

package Radius::Radius;
@ISA = qw(Radius::AttrVal);
use Radius::AttrVal;
use Radius::BigInt;
use Socket;
use Digest::MD5;
use Radius::Util;
use strict;

# RCS version number of this module
$Radius::Radius::VERSION = '$Revision: 1.175 $';

# These map request names into request types. 
# Some are from RFC 2882. Add synonyms from RFC 5176.
my %codes = (
    'Access-Request'                     => 1,
    'Access-Accept'                      => 2,
    'Access-Reject'                      => 3,
    'Accounting-Request'                 => 4,
    'Accounting-Response'                => 5,
    'Accounting-Status'                  => 6,
    'Access-Password-Request'            => 7,
    'Access-Password-Ack'                => 8,
    'Access-Password-Reject'             => 9,
    'Accounting-Message'                 => 10,
    'Access-Challenge'                   => 11,
    'Status-Server'                      => 12,
    'Status-Client'                      => 13,
    'Resource-Free-Request'              => 21,
    'Resource-Free-Response'             => 22,
    'Resource-Query-Request'             => 23,
    'Resource-Query-Response'            => 24,
    'Alternate-Resource-Reclaim-Request' => 25,
    'NAS-Reboot-Request'                 => 26,
    'NAS-Reboot-Response'                => 27,
    'Ascend-Access-Next-Code'            => 29,
    'Ascend-Access-New-Pin'              => 30,
    'Ascend-Terminate-Session'           => 31,
    'Ascend-Password-Expired'            => 32,
    'Ascend-Access-Event-Request'        => 33,
    'Ascend-Access-Event-Response'       => 34,
    'Disconnect-Request'                 => 40,
    'Disconnect-Request-ACKed'           => 41,
    'Disconnect-Request-NAKed'           => 42,
    'Change-Filter-Request'              => 43,
    'CoA-Request'                        => 43,   # RFC 5176 synonym
    'Change-Filter-Request-ACKed'        => 44,
    'CoA-ACKed'                          => 44,   # RFC 5176 synonym
    'Change-Filter-Request-NAKed'        => 45,
    'CoA-NAKed'                          => 45,   # RFC 5176 synonym
    'IP-Address-Allocate'                => 50,
    'IP-Address-Release'                 => 51,
);


The decode can use the new definitions.

Thoughts?

regards

Hugh


 On 13 Nov 2014, at 08:08, Heikki Vatiainen h...@open.com.au wrote:
 
 On 11/11/2014 02:14 PM, Vangelis Kyriakakis wrote:
 
  Radpwtst client uses code Change-Filter-Request for message 43
 which is based on old rfc2882. Message 43 has been renamed to
 CoA-Request in later rfc5176. The same stands for messages 44,45. It
 would be nice to change the names to the new ones since the old names
 cause some misunderstandings especially when talking to vendor support
 teams in order to solve CoA problems.
 
 Good point. We have discussed updating the names too because of the
 confusion the old names create. The drawback is that doing this requires
 changes to existing scripts that use radpwtst and any existing Radiator
 modules or hooks that do not come with Radiator (own custom code).
 
 The change could be applied to just radpwtst, but likely it would be
 less confusing to change them both.
 
 I'll see when to get this in the patches.
 
 Thanks,
 Heikki
 
 -- 
 Heikki Vatiainen h...@open.com.au
 
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
 TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
 DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
 NetWare etc.


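The name table above maps names to codes one way; the decoding side Hugh mentions needs the reverse mapping, and a packet decoder also has to validate the RADIUS header before trusting the code. As an added example (not Radiator code, and not from the thread), the Python below keeps both the RFC 2882 names and the RFC 5176 names (the page's CoA-ACKed/CoA-NAKed spellings plus the RFC's CoA-ACK/CoA-NAK) as synonyms for the same codes, and decodes a constructed CoA-Request packet, checking the Length field and each attribute length as RFC 2865 requires.

```python
import struct

# Code -> tuple of accepted names. The first name is the traditional (RFC 2882)
# one used by radpwtst; later entries are RFC 5176 synonyms.
CODE_NAMES = {
    1: ("Access-Request",),
    2: ("Access-Accept",),
    3: ("Access-Reject",),
    4: ("Accounting-Request",),
    5: ("Accounting-Response",),
    11: ("Access-Challenge",),
    12: ("Status-Server",),
    13: ("Status-Client",),
    40: ("Disconnect-Request",),
    41: ("Disconnect-Request-ACKed", "Disconnect-ACK"),
    42: ("Disconnect-Request-NAKed", "Disconnect-NAK"),
    43: ("Change-Filter-Request", "CoA-Request"),
    44: ("Change-Filter-Request-ACKed", "CoA-ACKed", "CoA-ACK"),
    45: ("Change-Filter-Request-NAKed", "CoA-NAKed", "CoA-NAK"),
}

# Reverse map: every synonym resolves to the same numeric code.
NAME_TO_CODE = {name: code for code, names in CODE_NAMES.items() for name in names}


def code_for(name):
    """Numeric code for any accepted name; KeyError for an unknown name."""
    return NAME_TO_CODE[name]


def build_packet(code, identifier, authenticator, attrs):
    """Assemble a RADIUS packet from (type, value-bytes) attribute pairs."""
    assert len(authenticator) == 16
    body = b"".join(struct.pack("!BB", t, 2 + len(v)) + v for t, v in attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def decode_packet(data):
    """Parse the header and attribute list, rejecting malformed packets."""
    if len(data) < 20:
        raise ValueError("short packet: %d bytes" % len(data))
    code, identifier, length = struct.unpack("!BBH", data[:4])
    if length < 20 or length > 4096:
        raise ValueError("Length field %d outside 20..4096" % length)
    if len(data) < length:
        raise ValueError("truncated: Length says %d, got %d" % (length, len(data)))
    attrs = []
    pos = 20
    while pos < length:                       # octets beyond Length are ignored
        if length - pos < 2:
            raise ValueError("dangling byte in attribute area")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length %d at offset %d" % (alen, pos))
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {
        "code": code,
        "names": CODE_NAMES.get(code, ("Unknown-%d" % code,)),
        "identifier": identifier,
        "length": length,
        "authenticator": data[4:20],
        "attributes": attrs,
    }


def is_well_formed(data):
    try:
        decode_packet(data)
        return True
    except ValueError:
        return False


# Constructed CoA-Request: id 7, all-zero authenticator, User-Name (1) and
# Acct-Session-Id (44). Values are made up for this example.
SAMPLE_COA = build_packet(code_for("CoA-Request"), 7, b"\x00" * 16,
                          [(1, b"mikem"), (44, b"abc123")])

if __name__ == "__main__":
    pkt = decode_packet(SAMPLE_COA)
    print(pkt["code"], "/".join(pkt["names"]), pkt["attributes"])
```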

Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::

2014-11-04 Thread Hugh Irvine
Hello -

Quite right - I didn’t notice you already had one.

regards

Hugh


 On 4 Nov 2014, at 23:22, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi..
 Thank you Sir, I'll try to use the existing identifier on AuthBy SQL clause.
 
 
 Regards,
 
 
 
 
 
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au]
 Sent: Monday, November 03, 2014 2:08 AM
 To: Mohammed Alhaj Ali
 Cc: Heikki Vatiainen; radiator@open.com.au
 Subject: Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::
 
 
 Hello -
 
 You need to reference both AuthBy clauses in your Handler:
 
 
 
 <AuthBy SQL>
   # Add Identifier for reference in accounting Handler
   Identifier SQLAccounting
   AccountingTable zooomonline.ZOOOM_ACCOUNTING
   AcctColumnDef USERNAME,User-Name,%A
   AcctColumnDef TIME_STAMP,Timestamp,integer
   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef ACCTSESSIONID,Acct-Session-Id
   AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
   AcctColumnDef acctterminatecause, Acct-Terminate-Cause
   AcctColumnDef NASIDENTIFIER,NAS-Identifier
   AcctColumnDef NASPORT,NAS-Port,integer
   AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
   AcctInsertQuery insert into %0 (ACCOUNT_ID, DATE_TIME, %1) values (zooomonline.ZOOOM_ACCOUNTING_SEQ.nextval, SYSDATE, %2)
 #   AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, Framed-MTU=1492, Session-Timeout = until Expiration
   AddToReply Service-Type=Framed-User, Framed-Protocol=PPP, Framed-MTU=1492
   AuthColumnDef 0,User-Password, check
 #   AuthColumnDef 1,Expiration, check
   AuthColumnDef 1,Session-Timeout, reply
   AuthColumnDef 2,Simultaneous-Use, check
   AuthColumnDef 3,GENERIC, reply
 #   AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd HH24:MI:SS') EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout Session-Timeout from zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
   AuthSelect select PASSWORD, (Session_Timeout) EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout Session-Timeout from zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
   CachePasswordExpiry 86400
   ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource = shift;my $dbusername = shift;my $dbauth = shift;$self->log($main::LOG_ERR, "Could not connect to SQL database with DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr");}
   DBAuth zooomonline2009
   DBSource dbi:ODBC:DSLPROD
   DBUsername zooomonline
   DateFormat %b %e, %Y %H:%M
   EAPAnonymous anonymous
   EAPContextTimeout 1000
   EAPFAST_PAC_Lifetime 7776000
   EAPFAST_PAC_Reprovision 2592000
   EAPTLS_MaxFragmentSize 2048
   EAPTLS_PEAPVersion 1
   EAPTLS_SessionResumption 1
   EAPTLS_SessionResumptionLimit 43200
   EAPTLS_VerifyDepth 1
   FailureBackoffTime 600
   Identifier ZooomAuth
   NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR, "Could not connect to any SQL database. Request is ignored. Backing off for $self->{FailureBackoffTime} seconds");}
   NullPasswordMatchesAny 1
   PasswordPrompt password
   SIPDigestRealm DefaultSipRealm
   Timeout 60
 </AuthBy>
 
 
 <Handler Request-Type=Accounting-Request>
   AuthByPolicy ContinueAlways
   <AuthBy RADIUS>
      Secret 123456
      Host 1.2.3.1
      Host 1.2.3.2
      AuthPort 1812
      AcctPort 1813
      IgnoreAccountingResponse
   </AuthBy>
   # store accounting in SQL
   # use the Identifier to reference the AuthBy SQL clause
   AuthBy SQLAccounting
 </Handler>
 
 
 hope that helps
 
 regards
 
 Hugh
 
 
 On 2 Nov 2014, at 20:24, Mohammed Alhaj Ali m.al...@itc.sa wrote:
 
 Hi,
 
 I'm trying to set up accounting request proxying only for remote OSS systems, 
 as well as keeping the accounting messages written to the SQL database with the 
 original AuthBy SQL. I applied the below configuration, and I received the 
 accounting on the remote system, but I lose the accounting updates on the SQL 
 database table...
 
 Need urgent advice.
 
 
 Configuration:
 
 
 
 <AuthBy SQL>
   AccountingTable zooomonline.ZOOOM_ACCOUNTING
   AcctColumnDef USERNAME,User-Name,%A
   AcctColumnDef TIME_STAMP,Timestamp,integer
   AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
   AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
   AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
   AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
   AcctColumnDef ACCTSESSIONID,Acct-Session-Id

Re: [RADIATOR] ::Accounting Request Proxying for Remote OSS Systems::

2014-11-02 Thread Hugh Irvine
 Service-Type=Framed-User, Framed-Protocol=PPP, 
 Framed-MTU=1492
    AuthColumnDef 0,User-Password, check
 #   AuthColumnDef 1,Expiration, check
    AuthColumnDef 1,Session-Timeout, reply
    AuthColumnDef 2,Simultaneous-Use, check
    AuthColumnDef 3,GENERIC, reply
 #   AuthSelect select PASSWORD, to_char(EXPIRATION, '-mm-dd HH24:MI:SS') EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout Session-Timeout from zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
    AuthSelect select PASSWORD, (Session_Timeout) EXPIRATION, MAXSESSIONS, REPLYATTR, Session_Timeout Session-Timeout from zooomonline.view_zooom_user_auth where upper(USERNAME)=upper('%n')
    CachePasswordExpiry 86400
    ConnectionAttemptFailedHook sub {my $self = shift;my $dbsource = shift;my $dbusername = shift;my $dbauth = shift;$self->log($main::LOG_ERR, "Could not connect to SQL database with DBI->connect $dbsource, $dbusername, $dbauth: $@ $DBI::errstr");}
    DBAuth zooomonline2009
    DBSource dbi:ODBC:DSLPROD
    DBUsername zooomonline
    DateFormat %b %e, %Y %H:%M
    EAPAnonymous anonymous
    EAPContextTimeout 1000
    EAPFAST_PAC_Lifetime 7776000
    EAPFAST_PAC_Reprovision 2592000
    EAPTLS_MaxFragmentSize 2048
    EAPTLS_PEAPVersion 1
    EAPTLS_SessionResumption 1
    EAPTLS_SessionResumptionLimit 43200
    EAPTLS_VerifyDepth 1
    FailureBackoffTime 600
    Identifier ZooomAuth
    NoConnectionsHook sub { my $self = shift;$self->log($main::LOG_ERR, "Could not connect to any SQL database. Request is ignored. Backing off for $self->{FailureBackoffTime} seconds");}
    NullPasswordMatchesAny 1
    PasswordPrompt password
    SIPDigestRealm DefaultSipRealm
    Timeout 60
 </AuthBy>
 
 
 <Handler Request-Type=Accounting-Request>
 
    AuthByPolicy ContinueAlways
    AccountingHandled
    <AuthBy RADIUS>
       Secret 123456
       Host 1.2.3.1
       Host 1.2.3.2
       AuthPort 1812
       AcctPort 1813
       IgnoreAccountingResponse
    </AuthBy>
 </Handler>
 
 Is there any additional required configuration?
 
 
 
 Thank you!
 Regards,
 
 
 
 
 
 




Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 [SEC=UNCLASSIFIED]

2014-10-12 Thread Hugh Irvine

Hi all -

We discussed this at length many times over the years and our decision was 
always that “DEBUG” meant show everything that is going on, otherwise debugging 
is very hard.

I suppose we could consider two levels: “DEBUG” as it is now, and 
“DEBUGWITHOUTPASSWORDS” with passwords obscured.

Thoughts?

regards

Hugh


On 13 Oct 2014, at 08:57, Keith Morrell keithmorr...@nbnco.com.au wrote:

 UNCLASSIFIED
 
 We use debug level 4 on all our subprocesses (we use radiator proxies for 
 front ends) to gather detailed data about what’s going on – it’s just the way 
 we like it.
  
 Personally, I think showing any passwords in clear text in logs is generally 
 not a good idea…
  
 -Keith
  
  
 From: Alan Buxey [mailto:a.l.m.bu...@lboro.ac.uk] 
 Sent: Monday, 13 October 2014 8:49 AM
 To: Keith Morrell; Vangelis Kyriakakis; Radiator
 Subject: Re: [RADIATOR] Hiding the LDAP Password attribute on Trace level 4 
 [SEC=UNCLASSIFIED]
  
 Why would you be running in this mode? Surely only debug level that high for 
 debugging? And how could you be sure that the issue wasn't due to an incorrect 
 password? ;)
 
 alan


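Hugh floats a second debug level with passwords obscured. Until the server does that itself, the same effect can be had where trace 4 output is stored or shipped: a filter that masks the values of password-carrying attributes and leaves everything else untouched for debugging. The Python below is an added example (not Radiator code, not from the thread); the sample lines are constructed in the `Name = "value"` packet-dump style and a `name: value` style, and the attribute list (User-Password, CHAP-Password, Tunnel-Password, the LDAP userPassword and unicodePwd attributes) is this example's own choice, to be extended for whatever else a given setup logs.

```python
import re

# Attribute names whose values must never reach a stored log. Extend as needed.
SENSITIVE = ("User-Password", "CHAP-Password", "Tunnel-Password",
             "userPassword", "unicodePwd")

# 'Name = "value"' (packet dump style) or 'Name: value' (key/value style).
# Case-insensitive on the name; the lookbehind stops 'XUser-Password' matching.
_PATTERN = re.compile(
    r"(?<![\w-])(?P<name>" + "|".join(re.escape(n) for n in SENSITIVE) + r")"
    r"(?P<sep>\s*[=:]\s*)(?P<val>\"[^\"]*\"|\S+)",
    re.IGNORECASE,
)


def redact_line(line, mask="<redacted>"):
    """Replace the value after a sensitive attribute name, keeping the quoting
    style so the line still reads like the original."""
    def repl(m):
        quoted = m.group("val").startswith('"')
        return m.group("name") + m.group("sep") + ('"%s"' % mask if quoted else mask)
    return _PATTERN.sub(repl, line)


def redact_log(text, mask="<redacted>"):
    return "\n".join(redact_line(line, mask) for line in text.splitlines())


# Constructed sample: the layout mimics a trace 4 packet dump followed by a
# key/value debug line; none of it is copied from a real log.
SAMPLE_LOG = """\
Mon Oct 13 09:00:00 2014: DEBUG: Packet dump:
Attributes:
\tUser-Name = "keith"
\tUser-Password = "s3cr3t!"
\tNAS-IP-Address = 10.0.0.1
Mon Oct 13 09:00:00 2014: DEBUG: LDAP got userPassword: {SSHA}abcdefghijkl==
Mon Oct 13 09:00:00 2014: DEBUG: Access accepted for keith
"""

if __name__ == "__main__":
    print(redact_log(SAMPLE_LOG))
```

Run the filter in the pipeline that persists or forwards the log (for example before a syslog forwarder), so the live console keeps the full trace Hugh argues for while what is retained carries no clear-text credentials.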


Re: [RADIATOR] Combining AuthSQLTOTP with other authication sources

2014-08-03 Thread Hugh Irvine

Hello Tom -

There is an example of how to do this sort of thing in:

goodies/digipassStatic.txt and goodies/digipassStatic.cfg

regards

Hugh


On 3 Aug 2014, at 22:19, Thomas Neumann tn_radia...@net-guru.org wrote:

 I'd like to use AuthSQLTOTP (or maybe also AuthSQLHOTP for that matter)
 in a way where the static password (PIN) is not stored in AuthSQLTOTP's
 SQL table but is verified against another auth source, such as existing
 Active Directory accounts checked by AuthLDAP2.
 
 Any idea if/how that might work?
 
 From looking at the source I think it's currently not possible, even if
 I were to chain Authby LDAP2 and Authby SQLTOTP in one handler and use
 ContinueUntilReject or something like that, because Authby LDAP2 would
 need to know that it must strip the OTP part of the password (say the
 last six chars) before it checks the password against LDAP, and later on
 Authby SQLTOTP would insist on having the user in its own SQL user table.
 
 To solve this in the most flexible way would require a method of
 stripping the OTP part (last N chars) from the password before it gets
 handled by some other auth method (LDAP2 or anything else that can check
 static passwords) and SQLTOTP would need to be modified to use its SQL
 table for bookkeeping (per-user num of failed logins, brute-force
 defense, ...) only, not as a primary source of usernames and static
 passwords.
 
 Any idea on how to solve this?
 
 
 --Tom


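Tom's question describes the shape of a split check: take the last N characters of the submitted password as the OTP, verify the remainder against a separate static-password source, and keep the OTP store for secrets and brute-force bookkeeping only. The Python below is an added example of that shape (not Radiator's AuthBy SQLTOTP, not the goodies example Hugh points to, and not from the thread): RFC 4226 HOTP and RFC 6238 TOTP are implemented directly, `static_check` is a caller-supplied callable standing in for whatever checks the PIN (an LDAP bind, for instance), and a per-user failure counter locks the account after too many bad attempts. The secret used in the demo is the RFC 6238 reference test key, not anyone's real seed.

```python
import hashlib
import hmac
import struct
import time

OTP_DIGITS = 6
LOCKOUT_AFTER = 5          # failed attempts before a user is refused outright
FAILURES = {}              # username -> consecutive failures (the "bookkeeping")


def hotp(secret, counter, digits=OTP_DIGITS):
    """RFC 4226 HOTP with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_valid(secret, otp, now=None, step=30, window=1, digits=OTP_DIGITS):
    """RFC 6238: accept the current time step and `window` steps either side
    to absorb clock drift. compare_digest keeps the comparison constant-time."""
    now = time.time() if now is None else now
    counter = int(now // step)
    return any(hmac.compare_digest(hotp(secret, counter + d, digits), otp)
               for d in range(-window, window + 1))


def split_password(submitted, otp_len=OTP_DIGITS):
    """Return (static_part, otp) or None if there is no room for both
    or the trailing part is not all digits."""
    if len(submitted) <= otp_len or not submitted[-otp_len:].isdigit():
        return None
    return submitted[:-otp_len], submitted[-otp_len:]


def check_two_factor(username, submitted, static_check, totp_secrets, now=None):
    """static_check(username, pin) -> bool is the external PIN check
    (hypothetical stand-in for an LDAP/AD bind); totp_secrets maps
    username -> raw secret bytes."""
    if FAILURES.get(username, 0) >= LOCKOUT_AFTER:
        return False
    parts = split_password(submitted)
    secret = totp_secrets.get(username)
    ok = False
    if parts is not None and secret is not None:
        static_pw, otp = parts
        # Evaluate both factors before deciding, so a wrong PIN and a wrong
        # OTP take the same path and reveal nothing about which one failed.
        static_ok = static_check(username, static_pw)
        otp_ok = totp_valid(secret, otp, now=now)
        ok = static_ok and otp_ok
    if ok:
        FAILURES.pop(username, None)
    else:
        FAILURES[username] = FAILURES.get(username, 0) + 1
    return ok


# RFC 6238 reference key (Appendix B), used only as a constructed demo value.
DEMO_SECRET = b"12345678901234567890"
DEMO_SECRETS = {"tom": DEMO_SECRET, "locked": DEMO_SECRET}


def demo_static_check(username, pin):
    # Placeholder for the real static-password source; constructed PIN.
    return pin == "Secret1"


if __name__ == "__main__":
    print(check_two_factor("tom", "Secret1" + hotp(DEMO_SECRET, int(time.time() // 30)),
                           demo_static_check, DEMO_SECRETS))
```

With the RFC 6238 vectors, time 59 falls in counter 1, whose 6-digit code is 287082; the demo accepts `Secret1287082` at that instant and rejects the same PIN with a wrong code, a wrong PIN with the right code, or a user with no enrolled secret.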


Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-25 Thread Hugh Irvine

Hello Chris -

Thanks for letting us know.

regards

Hugh


On 26 Jul 2014, at 03:50, Christopher Chance ccha...@newtechgrp.com wrote:

 Removing the synchronous did in fact fix the problem for some reason! Thanks!
 
 Best regards,
  
 Chris Chance
 Network Engineer - CaribServe
 
 Phone: +1 721 542-4233
 Email:   ccha...@newtechgrp.com
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au] 
 Sent: Thursday, July 24, 2014 6:49 PM
 To: Christopher Chance
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
 
 
 Hello Chris -
 
 The other difference between what I sent and what you are doing is your use 
 of Synchronous in the AuthBy RADIUS clause.
 
 In my suggestion I have removed it, and we think it is this that is causing 
 the problem for some reason.
 
 
 # this proxies to the machine that can then proxy to OTHERSITE NPS
 # strongly suggest you don't use Synchronous
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
   <AuthBy RADIUS>
   StripFromRequest ConvertedFromEAPMSCHAPV2
   Host 192.168.125.236
   Secret x
   AuthPort 1812
   AcctPort 1813
   Retries 2
   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
   </AuthBy>
 </Handler>
 
 
 
 You might also want to upgrade to the latest Radiator 4.13.
 
 FYI - we had another site that was having problems with NTLM and it was 
 resolved by my suggestion to have Radiator proxy to NPS.
 
 hope that helps
 
 regards
 
 Hugh
 
 
 
 On 25 Jul 2014, at 04:23, Christopher Chance ccha...@newtechgrp.com wrote:
 
 Got to work and was looking at it and basically you're doing the same thing 
 I am, though the MYSITE radius isn't needed as there's nothing wrong with 
 the MYSITE NTLM, it works fine..
 
 As for the OTHERSITE ... that's exactly how it is now, except instead of 
 Microsoft NPS the other side is a radiator that authenticates via NTLM on 
 the secondary domain...
 
 The problem is when that second radiator responds to this radiator with the 
 Access-Accept, this radiator as you can see in the logs does a bunch of eap 
 challenges but never builds the final access-accept from what I can see for 
 the client wifi device... and the client device hangs.
 
 The logs I included the good one was Local NTLM auth that 
 authenticates and sends the client an access-accept
 
 The Bad one that hangs was Radiator sending the Radius-MSCHAPv2 inner 
 request to the second radiator and getting the access accept from that 
 radiator and then it does some eap challenges and just hangs.
 
 Don't really want to switch from linux-radiator to NPS as the ESX we're 
 running this on is tight on resources currently for another windows vm, 
 especially since its only basically standing in as a Radius-MSCHAPv2-NTLM 
 proxy.
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au]
 Sent: Wednesday, July 23, 2014 9:43 PM
 To: Christopher Chance
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
 
 
 Hello Chris -
 
 OK - this is what I had imagined.
 
 What I would suggest is running Microsoft NPS on each domain, then just 
 proxy the inner requests to the corresponding NPS.
 
 In this case the inner requests are just straight MSCHAP-V2.
 
 Something like this:
 
 
 Foreground
 LogStdout
 LogDir /etc/radiator/log/
 DbDir /etc/radiator
 PidFile %L/radiusd.pid
 DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
 Trace 4
 AuthPort 1812
 AcctPort 1813
 
 <Client 192.168.125.20>
   Secret xxx
   Identifier Ruckus
 </Client>
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
   <AuthBy RADIUS>
   StripFromRequest ConvertedFromEAPMSCHAPV2
   Host 
   Secret 
   AuthPort .
   AcctPort .
   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
   </AuthBy>
 </Handler>
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
   <AuthBy RADIUS>
   StripFromRequest ConvertedFromEAPMSCHAPV2
   Host .
   Secret 
   AuthPort .
   AcctPort .
   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
   </AuthBy>
 </Handler>
 
 # this proxies to the machine that can then proxy to OTHERSITE NPS
 # strongly suggest you don't use Synchronous
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
   <AuthBy RADIUS>
   StripFromRequest ConvertedFromEAPMSCHAPV2
   Host 192.168.125.236
   Secret x
   AuthPort 1812
   AcctPort 1813
   Retries 2
   AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
   </AuthBy>
 </Handler>

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-24 Thread Hugh Irvine

Hello Chris -

The other difference between what I sent and what you are doing is your use of 
Synchronous in the AuthBy RADIUS clause.

In my suggestion I have removed it, and we think it is this that is causing the 
problem for some reason.

 
 # this proxies to the machine that can then proxy to OTHERSITE NPS
 # strongly suggest you don't use Synchronous
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
    <AuthBy RADIUS>
    StripFromRequest ConvertedFromEAPMSCHAPV2
    Host 192.168.125.236
    Secret x
    AuthPort 1812
    AcctPort 1813
    Retries 2
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
 </Handler>



You might also want to upgrade to the latest Radiator 4.13.

FYI - we had another site that was having problems with NTLM and it was 
resolved by my suggestion to have Radiator proxy to NPS.

hope that helps

regards

Hugh



On 25 Jul 2014, at 04:23, Christopher Chance ccha...@newtechgrp.com wrote:

 Got to work and was looking at it and basically you're doing the same thing I 
 am, though the MYSITE radius isn't needed as there's nothing wrong with the 
 MYSITE NTLM, it works fine..
 
 As for the OTHERSITE ... that's exactly how it is now, except instead of 
 Microsoft NPS the other side is a radiator that authenticates via NTLM on the 
 secondary domain...
 
 The problem is when that second radiator responds to this radiator with the 
 Access-Accept, this radiator as you can see in the logs does a bunch of eap 
 challenges but never builds the final access-accept from what I can see for 
 the client wifi device... and the client device hangs.
 
 The logs I included the good one was Local NTLM auth that authenticates and 
 sends the client an access-accept 
 
 The Bad one that hangs was Radiator sending the Radius-MSCHAPv2 inner request 
 to the second radiator and getting the access accept from that radiator and 
 then it does some eap challenges and just hangs.
 
 Don't really want to switch from linux-radiator to NPS as the ESX we're 
 running this on is tight on resources currently for another windows vm, 
 especially since its only basically standing in as a Radius-MSCHAPv2-NTLM 
 proxy.
 
 
 -Original Message-
 From: Hugh Irvine [mailto:h...@open.com.au] 
 Sent: Wednesday, July 23, 2014 9:43 PM
 To: Christopher Chance
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
 
 
 Hello Chris -
 
 OK - this is what I had imagined.
 
 What I would suggest is running Microsoft NPS on each domain, then just proxy 
 the inner requests to the corresponding NPS.
 
 In this case the inner requests are just straight MSCHAP-V2.
 
 Something like this:
 
 
 Foreground
 LogStdout
 LogDir /etc/radiator/log/
 DbDir /etc/radiator
 PidFile %L/radiusd.pid
 DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
 Trace 4
 AuthPort 1812
 AcctPort 1813
 
 <Client 192.168.125.20>
    Secret xxx
    Identifier Ruckus
 </Client>
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
    <AuthBy RADIUS>
    StripFromRequest ConvertedFromEAPMSCHAPV2
    Host 
    Secret 
    AuthPort .
    AcctPort .
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
 </Handler>
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
    <AuthBy RADIUS>
    StripFromRequest ConvertedFromEAPMSCHAPV2
    Host .
    Secret 
    AuthPort .
    AcctPort .
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
    </AuthBy>
 </Handler>
 
 # this proxies to the machine that can then proxy to OTHERSITE NPS
 # strongly suggest you don't use Synchronous
 
 <Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
    <AuthBy RADIUS>
    StripFromRequest ConvertedFromEAPMSCHAPV2
    Host 192.168.125.236
    Secret x
    AuthPort 1812
    AcctPort 1813
    Retries 2
    AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
    </AuthBy>
 </Handler>
 
 <Handler TunnelledByPEAP=1>
    <AuthBy FILE>
    EAPType MSCHAP-V2
    EAP_PEAP_MSCHAP_Convert 1
    </AuthBy>
 </Handler>
 
 <Handler Client-Identifier = Ruckus>
    <AuthBy FILE>
      CachePasswordExpiry 3600
      Filename %D/users_anon
      EAPType PEAP,TLS,TTLS
      EAPTLS_PrivateKeyPassword whatever
      EAPTLS_CAFile /etc/radiator/certs/ca.pem
      EAPTLS_CertificateFile /etc/radiator/certs/server.pem
      EAPTLS_CertificateType PEM

Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

Could you please explain in detail what exactly you are trying to accomplish?

It sounds like you are authenticating against Active Directory but you are 
running Radiator on Linux?

Can you tell us how you differentiate between the 2 domains?

We can make better suggestions if we clearly understand the problem.

regards

Hugh


On 24 Jul 2014, at 03:30, Christopher Chance ccha...@newtechgrp.com wrote:

 Let me just say I got 802.1x working with PEAP/MSCHAPv2 - NTLM 
 authentication….
  
 The issue is we have 2 domains on our network and want to be able to have the 
 single 802.1x authentication, sorted by domain authenticate and return the 
 correct vlan for the user... I couldn’t figure a way out to do it with LDAP2 
 as apparently LDAP2 doesn’t like MSCHAPv2/PEAP only PAP for whatever reason… 
 So NTLM I went to, and it works but that meant I had to join the linux server 
 to the domain, and only 1 domain per server.
  
 To solve this I followed someone’s recommendation to have a second radius 
 server (vm), that’s on the other domain that just checks domains and the 
 first server will proxy the request to it… simple enough…
  
 The issue is it doesn’t work, the secondary radius sends the access-accept 
 but for some reason the main server doesn’t seem to handle the 
 challenge/accept process correctly anymore and the signin process just hangs 
 on the wireless…
  
 So now I’m 110% lost and don’t know what else could be the issue…
  
 If you can take a look at this and help me out it would be greatly 
 appreciated, as to where I’m going wrong.
  
 Good login with primary server doing NTLM: http://pastebin.com/Vimm88Ya
 Login that’s hanging being processed from remote Radius: 
 http://pastebin.com/Lj3MCset
  
 Config is http://pastebin.com/UCr2vMdk
  
 Thanks,
 Chris




Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)

2014-07-23 Thread Hugh Irvine

Hello Chris -

OK - this is what I had imagined.

What I would suggest is running Microsoft NPS on each domain, then just proxy 
the inner requests to the corresponding NPS.

In this case the inner requests are just straight MSCHAP-V2.

Something like this:


Foreground
LogStdout
LogDir /etc/radiator/log/
DbDir /etc/radiator
PidFile %L/radiusd.pid
DictionaryFile %D/dictionary, %D/dictionary.cambium, %D/dictionary.ruckus
Trace 4
AuthPort 1812
AcctPort 1813

<Client 192.168.125.20>
	Secret xxx
	Identifier Ruckus
</Client>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/(MYSITE|mysite)(.*)$/>
	<AuthBy RADIUS>
	StripFromRequest ConvertedFromEAPMSCHAPV2
	Host ….
	Secret ….
	AuthPort …..
	AcctPort …..
	AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
	</AuthBy>
</Handler>

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/GUEST(.*)$/>
	<AuthBy RADIUS>
	StripFromRequest ConvertedFromEAPMSCHAPV2
	Host …..
	Secret ….
	AuthPort …..
	AcctPort …..
	AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=52
	</AuthBy>
</Handler>

# this proxies to the machine that can then proxy to OTHERSITE NPS
# strongly suggest you don't use Synchronous

<Handler ConvertedFromEAPMSCHAPV2=1, User-Name=/OTHERSITE(.*)$/>
	<AuthBy RADIUS>
	StripFromRequest ConvertedFromEAPMSCHAPV2
	Host 192.168.125.236
	Secret x
	AuthPort 1812
	AcctPort 1813
	Retries 2
	AddToReply Tunnel-Type=VLAN, Tunnel-Medium-Type=802, Tunnel-Private-Group-ID=nn
	</AuthBy>
</Handler>

<Handler TunnelledByPEAP=1>
	<AuthBy FILE>
	EAPType MSCHAP-V2
	EAP_PEAP_MSCHAP_Convert 1
	</AuthBy>
</Handler>

<Handler Client-Identifier = Ruckus>
	<AuthBy FILE>
	  CachePasswordExpiry 3600
	  Filename %D/users_anon
	  EAPType PEAP,TLS,TTLS
	  EAPTLS_PrivateKeyPassword whatever
	  EAPTLS_CAFile /etc/radiator/certs/ca.pem
	  EAPTLS_CertificateFile /etc/radiator/certs/server.pem
	  EAPTLS_CertificateType PEM
	  EAPTLS_PrivateKeyFile /etc/radiator/certs/server.pem
	  EAPTLS_PEAPVersion 0
	  EAPTTLS_NoAckRequired
	  UsernameMatchesWithoutRealm
	  AutoMPPEKeys
	</AuthBy>
</Handler>


regards

Hugh


On 24 Jul 2014, at 11:08, Christopher Chance ccha...@newtechgrp.com wrote:

 2 domains are on 2 separate vlans... for authentication i'm filtering it by 
 the handler Domain1\myuser Domain2\myuser if domain1 then process it via NTLM 
 locally, if the second domain forward to secondary radius that has an 
 interface on domain2 and is part of domain2's domain.
 
 This is being done so that my wireless in my office can accept both logins 
 and sort users to the correct vlan based on their credentials, if a user logs 
 in with Domain1\user then they get sent to Vlan 2 if they get on as 
 domain2\user they login to vlan3 for instance.
 
 we have an office with different companies but want to simplify our wireless 
 (at least at the user level) so that it is 1 wireless network via wpa2 
 enterprise (802.1x eaps)... hence what i'm trying to do above.
 
 Originally i was going to have the main radius server just filter by domains 
 and send an ldap2 request to domain1 or domain2's DC but since ldap2 doesn't 
 work with mschapv2 i had to go the ntlm way. 
 
 And yes the linux version is what we're using as we plan to use the radius 
 for some other things too but windows was giving us some headaches, but that's 
 a different story for a different day.
 
 hope i've explained :S
 
 Chris
 
 From: Hugh Irvine [h...@open.com.au]
 Sent: Wednesday, July 23, 2014 8:07 PM
 To: Christopher Chance
 Cc: radiator@open.com.au
 Subject: Re: [RADIATOR] 802.1x PEAP-MSCHAPv2 - NTLM+(Radius/NTLM)
 
 Hello Chris -
 
 Could you please explain in detail what exactly you are trying to accomplish?
 
 It sounds like you are authenticating against Active Directory but you are 
 running Radiator on Linux?
 
 Can you tell us how you differentiate between the 2 domains?
 
 We can make better suggestions if we clearly understand the problem.
 
 regards
 
 Hugh
 
 
 On 24 Jul 2014, at 03:30, Christopher Chance ccha...@newtechgrp.com wrote:
 
 Let me just say I got 802.1x working with PEAP/MSCHAPv2 - NTLM 
 authentication….
 
 The issue is we have 2 domains on our network and want to be able to have 
 the single 802.1x authentication, sorted by domain authenticate and return 
 the correct vlan for the user... I couldn’t figure a way out to do it with 
 LDAP2 as apparently LDAP2 doesn’t like MSCHAPv2/PEAP only PAP for whatever 
 reason

Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine

Hello Craig -

The usual way to do this is with Identifiers in the Client clauses and Handlers 
to match.

Something like this:


…..

<Client 1.1.1.1>
Identifier JuniperNetscreen
Secret …..
…..
</Client>

<Client 2.2.2.2>
Identifier JuniperNetscreen
Secret …..
…..
</Client>

<Client 3.3.3.3>
Identifier JuniperNetscreen
Secret …..
…..
</Client>

…..

<Handler Client-Identifier = JuniperNetscreen>

<AuthBy …..>
…..
</AuthBy>

</Handler>

…..

hope that helps

regards

Hugh


On 24 Jun 2014, at 23:24, Craig Ayliffe craig.ayli...@brennanit.com.au wrote:

 Hi,
  
 I am looking for examples of Radiator configuration to restrict users logging 
 into Juniper Netscreens running ScreenOS 6.3 and higher.
  
 Need to be able to specify the vsys to be Root and the privilege to be either 
 ‘root’ or ‘read-only’ depending on their AuthorizeGroup configuration.
  
 Haven’t been able to find any examples anywhere.
 Would appreciate any assistance.
  
 Regards,
 
 Craig
 
 Craig Ayliffe | Brennan IT | Infrastructure Engineer
 
 T: 02 8235 3515 | M: 0410 400 546 | craig.ayli...@brennanit.com.au | 
 www.brennanit.com.au
 
 ___
 radiator mailing list
 radiator@open.com.au
 http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER, SIM, etc. 
Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Authorizing users via TACACS for Juniper Netscreens

2014-06-24 Thread Hugh Irvine

Hello Craig -

There are several steps:

1. define the AuthorizeGroups you require

2. specify the return attributes you need for each AuthorizeGroup (syntax will 
depend on the specific device)

3. perform the authentication and set which AuthorizeGroup the user belongs to

…..

See the examples in section 5.96.10 in the Radiator 4.13 reference manual 
(“doc/ref.pdf”).

See also the examples in “goodies/tacacsplusserver.cfg” and 
“goodies/tacplus.txt”.

regards

Hugh


On 25 Jun 2014, at 10:51, Craig Ayliffe craig.ayli...@brennanit.com.au wrote:

 Hi Hugh,
 
 Actually I was looking for a way to set the vsys/privilege to restrict what a 
 user can do.
 
 i.e. wanted to do something like this:
   AuthorizeGroup READ permit service=netscreen {vsys=root privilege=read-only}
   AuthorizeGroup WRITE permit service=netscreen {vsys=root privilege=root}
 
 Or do I need to use something like AuthorizeAdd/AuthorizeReplace to pass back 
 attribute-value pairs?
 
 Regards,
 
 Craig
 




Re: [RADIATOR] Radius proxying to Microsoft NAP/NPS server

2014-06-19 Thread Hugh Irvine

Hello Markus -

Yes this is possible and yes it has been done successfully.

You just need separate Handlers with the corresponding AuthBy RADIUS clauses.

regards

Hugh


On 20 Jun 2014, at 07:43, Markus Moeller hua...@moeller.plus.com wrote:

 Hi,
  
 Has anybody used Radiator as a proxy RADIUS server for Microsoft NAP? I 
 have a WLAN setup with multiple SSIDs and would like to send the RADIUS 
 requests for SSID COMPANY1 to NPS server 1 and for SSID COMPANY2 to server 2 
 (e.g. company 1 has a set of NPS rules different from company 2). One reason 
 to do this would be to check the machine through an NPS policy/certificate and 
 the user via smartcard at the same time so I can correlate the two (e.g. allow 
 company 1 user smartcard login only from COMPANY1 machines). 
  
 Does that make sense (assuming a Windows laptop environment)? Is there a 
 better way to do this?
  
 Thank you
 Markus


Re: [RADIATOR] Radiator / Radmin - bulk add users

2014-06-12 Thread Hugh Irvine

Hello Michael -

See buildsql in the main Radiator distribution directory.

See also section 10.0 in the Radiator 4.13 reference manual (“doc/ref.pdf”).

Here is the help for buildsql:


Radiator-4.13 hugh$ perl buildsql -h

usage: buildsql [-h] -dbsource dbi:drivername:option
[-dbusername dbusername] [-dbauth auth] [-password | -dbm | -flat]
[-z] [-u] [-f] [-d username] [-l username] [-t dbmtype]
[-tablename name] [-v]
[-username_column columnname]
[-password_column columnname]
[-encryptedpassword]
[-checkattr_column columnname]
[-replyattr_column columnname] filename ...



regards

Hugh


On 12 Jun 2014, at 12:45, Michael Bellears mbelle...@gcomm.com.au wrote:

 Hi,
  
 We have a need to add ~150users to Radmin – Doing this via the (Radmin) web 
 interface would be tedious/error-prone – Is anyone aware of a script to bulk 
 add users?
  
 Cheers.


Re: [RADIATOR] translate LDAP to radius

2014-06-10 Thread Hugh Irvine

Hello Kaiser -

No, Radiator can “translate” from RADIUS or TACACS+ or Diameter, to LDAP, not 
the other way around.

I would be surprised if your SIP server did not support RADIUS and/or Diameter 
directly.

regards

Hugh


On 10 Jun 2014, at 12:03, kai...@gentrice.net wrote:

 Dear sir,
 
 Can we use Radiator as a proxy between LDAP and RADIUS?
 We have a SIP server that supports LDAP, but the user DB is a RADIUS server.
 If it is possible, we hope to put a Radiator in as a translator; can we do it?
 
 
 
 kaiser cheng

Re: [RADIATOR] translate LDAP to radius

2014-06-10 Thread Hugh Irvine

Hello Kaiser -

You might also be interested in FreeSWITCH:

http://www.freeswitch.org

We have done a RADIUS integration for FreeSWITCH, and I am sure there are 
RADIUS implementations for Asterisk.

regards

Hugh


On 10 Jun 2014, at 17:16, kai...@gentrice.net wrote:

 I am surprised too, and I try to make it for Asterisk.
 
 br,
 kaiser cheng

Re: [RADIATOR] SQL Server connection

2014-06-09 Thread Hugh Irvine

Hello -

You should start with the example SQL configuration file in “goodies/sql.cfg”.

On Windows you should use ODBC and DBD-ODBC.

To say any more we will need to see a copy of the configuration file together 
with a trace 4 debug showing what is happening.

regards

Hugh


On 9 Jun 2014, at 21:05, Vojislav Mihailovic v...@antamedia.com wrote:

 Hi,
 my company Antamedia has taken a Radiator evaluation version.
 We installed Strawberry Perl (64-bit) 5.18.2.2-64bit and DBI 1.631
 on Windows Server 2012.
 
 We tested, but it only works with the auth file.
 We have created the SQL Server database, and all tables from the sql file,
 but we have a problem with the connection to the SQL server.
 
 On this link is our radius config file.
 www.antamedia.com/download/radius.cfg
 
 We have a problem setting up auth SQL and checking accounts from the
 database.
 
 
 Please help us to solve the problem and correct the error in the radius
 config, in order to be able to continue testing.
 
 
 Thanks in advance
 
 Antamedia
 


Re: [RADIATOR] How to increase session time

2014-05-07 Thread Hugh Irvine

Hello Dennis -

If you want different values for your different user groups, you would put 
something like this in your AuthBy LSA clauses:

…..

# Session-Timeout = nnn 
# where nnn is the number of seconds

# netadmin
<AuthBy LSA>
AddToReply Session-Timeout = nnn
…..
</AuthBy>

# users
<AuthBy LSA>
AddToReply Session-Timeout = nnn
…..
</AuthBy>

…..

Otherwise if you want the same one for both groups you can do this instead:

…..

<AuthBy GROUP>
AddToReply Session-Timeout = nnn
…..
</AuthBy>

…..

BTW - I am located in Australia, so no need to send your email twice.

regards

Hugh


On 8 May 2014, at 06:35, Qiu, Dennis dennis@davispolk.com wrote:

 Hugh,
 
 Can you let me know where I can put Session-Timeout attribute in my 
 radius.cfg file?
 
 Thank you
 
 Dennis Qiu
 Information Systems
 Davis Polk & Wardwell LLP
 450 Lexington Avenue
 New York, NY 10017
 212 450 5651   tel
 dennis@davispolk.com
 
 
 
 Confidentiality Note: This email is intended only for the person or entity to 
 which it is addressed and may contain information that is privileged, 
 confidential or otherwise protected from disclosure. Unauthorized use, 
 dissemination, distribution or copying of this email or the information 
 herein or taking any action in reliance on the contents of this email or the 
 information herein, by anyone other than the intended recipient, or an 
 employee or agent responsible for delivering the message to the intended 
 recipient, is strictly prohibited. If you have received this email in error, 
 please notify the sender immediately and destroy the original message, any 
 attachments thereto and all copies. Please refer to the firm's privacy policy 
 located at www.davispolk.com for important information on this policy.
 
 
 -Original Message-
 From: Qiu, Dennis 
 Sent: Tuesday, May 06, 2014 9:15 PM
 To: 'Hugh Irvine'
 Cc: radiator@open.com.au
 Subject: RE: [RADIATOR] How to increase session time
 
 Hugh,
 
 I only see sessiontime in my HTTP session. That session is not used by the 
 network device.
 
 I do not see any attribute such as Session-Timeout. Do I need to add this 
 attribute to the radius.cfg file? If I need to add it, where should I add it?
 
 Following is my radius.cfg. Can you advise?
 
 Thank you
 
 ###
 # windows.cfg
 #
 # Example Radiator configuration file.
 # This very simple file will allow you to get started with
 # a simple system on Windows. You can then add and change features.
 # We suggest you start simple, prove to yourself that it
 # works and then develop a more complicated configuration.
 #
 # This example is expected to be installed in
 #   c:\Program Files\Radiator\radius.cfg
 # It will authenticate from a standard users file in
 #   c:\Program Files\Radiator\users
 # it will log debug and other messages to
 #   c:\Program Files\Radiator\logfile
 # and log accounting to a file in
 #   c:\Program Files\Radiator\detail
 # (of course you can change all these by editing this config file if you wish)
 #
 # It will accept requests from any client and try to handle requests
 # for any realm.
 # And it will print out what it's doing in great detail to the log file.
 #
 # See radius.cfg for more complete examples of features and
 # syntax, and refer to the reference manual for a complete description
 # of all the features and syntax.
 #
 # You should consider this file to be a starting point only
 # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
 
 AcctPort 1646,1813
 AuthPort 1645,1812
 BindAddress 144.211.2.97
 #BindAddress 0.0.0.0
 DbDir c:/Program Files/Radiator
 DictionaryFile %D/dictionary
 Foreground 1
 LogDir c:/Program Files/Radiator/Logs
 #LogFile logfile
 LogStdout 1
 
 MaxChildren 0
 PidFile %L/radiusd.pid
 PmwhoProg /usr/local/sbin/pmwho
 SnmpNASErrorTimeout 60
 SnmpgetProg /usr/bin/snmpget
 SnmpsetProg /usr/bin/snmpset
 SnmpwalkProg /usr/bin/snmpwalk
 Trace 4
 
 <Client DEFAULT>
   DupInterval 0
   FramedGroupMaxPortsPerClassC 255
   LivingstonHole 2
   LivingstonOffs 29
   NasType unknown
   SNMPCommunity 450dpw$
   Secret mysecret
 </Client>
 
 <Handler NAS-Identifier=TACACS>
   AuthByPolicy ContinueWhileIgnore
 
   <AuthBy GROUP>
   AuthByPolicy ContinueUntilAccept
   CachePasswordExpiry 86400
   EAPAnonymous anonymous
   EAPContextTimeout 1000
   EAPFAST_PAC_Lifetime 7776000
   EAPFAST_PAC_Reprovision 2592000
   EAPTLS_MaxFragmentSize 2048
   EAPTLS_PEAPVersion 0
   EAPTLS_SessionResumption 1
   EAPTLS_SessionResumptionLimit 43200

Re: [RADIATOR] How to increase session time

2014-05-06 Thread Hugh Irvine

Hello Dennis -

The attribute you want is “Session-Timeout”, although you will need to do some 
testing to verify that your network devices support it.

regards

Hugh


On 7 May 2014, at 08:02, Qiu, Dennis dennis@davispolk.com wrote:

 Support,
  
 Our networking devices use Radiator for authentication. Many times, guys are 
 working on the network devices and they are prompted to authenticate again. 
 It becomes very annoying.
  
 I am wondering which variables I can adjust to increase the session time.
  
 Thank you
  
 Dennis Qiu
 Information Systems
 Davis Polk & Wardwell LLP
 450 Lexington Avenue
 New York, NY 10017
 212 450 5651   tel
 dennis@davispolk.com


Re: [RADIATOR] Define a global array

2014-04-01 Thread Hugh Irvine

Hello Steve -

What you describe makes perfect sense - and this is exactly what globals are 
for.

See the hooks in “goodies/hooks.txt” for lots of examples.

regards

Hugh


On 2 Apr 2014, at 10:59, Steve Phillips st...@focb.co.nz wrote:

 Hi there,
 
 I am trying to set up a system that, on startup reads a DB table into a 
 hashed array and then makes this available to the rest of the hooks. A 
 later hook then takes this hashed array and parses it to add a value to 
 a custom attribute which is then used for later processing within a handler.
 
 While I understand that globals are bad and should never be used, I 
 believe that making a DB request on every radius packet would have more 
 of an impact on performance for something that rarely changes (maybe 
 once a week or so) and so the positives outweigh the negatives.
 
 What I had which doesn't seem to work was something along these lines.
 
 from radius.cfg
 
 # Hooks
 StartupHook file:%D/hooks/StartupHook-SetupGlobals.pl
 
 .
 .
 <Client>
   Secret blah
   PreHandlerHook file:$D/hooks/AddAttribute.pl
 </Client>
 
 <Handler MyAtttribute = /something/>
 .
  Do Stuff
 </Handler>
 
 in the SetupGlobals file I have something like;
 
 # Define a global (obviously, this is where I'd read in the DB table)
 our %global_steve = (
   'message1' => 'Steve was here',
   'message2' => 'woot'
 );
 
 and then, when trying to reference it I have in the PreHandler hook
 
 sub {
   main::log($main::LOG_INFO, "Test: $main::global_steve{'messsage1'}");
 }
 
 Which ends up printing out a blank.
 
 Does anyone know of either, a way to get this going, or a way to read in 
 a db table of data and cache it for use in later hooks without having 
 each radius request generate another database call?
 
 Thanks in advance,
 
 -- 
 Steve.
 
 


Re: [RADIATOR] max reauthentication

2014-03-21 Thread Hugh Irvine

Hello Judy -

There is no default.

You can set the Session-Timeout value to whatever you wish in the RADIUS 
Access-Accept.

Depending on what else you are doing, something like this:

…..

# whatever AuthBy you are using
# add the number of seconds you wish for Session-Timeout
# where “nn” below is the number of seconds

<AuthBy …..>

…..

AddToReply Session-Timeout = nn

</AuthBy>

…..

See section 13.2.8 in the Radiator 4.12.1 reference manual (“doc/ref.pdf”).

regards

Hugh



On 22 Mar 2014, at 09:21, Judy Angel j.an...@herts.ac.uk wrote:

 
 Please see the reply from the wireless controller vendor.
 
 the re-auth timer can be set by the RADIUS server. It is the
 Session-Timeout attribute. It would be good to see what the RADIUS is
 presently configured for
 
 What is the default setting?
 Thanks
 Judy
 
 --On 19 March 2014 23:22 + Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 
 It's usually a function of your NAS (eg wireless controller). Check its
 settings for session-timeout ... which is usually an attribute that you
 can send back from your RADIATOR server in the access-accept packet too
 (though you may need to change your controller setting so that it honours
 that value)
 
 Alan
 
 
 
 


Re: [RADIATOR] Delayed Stop Record and Active Sessions

2014-02-23 Thread Hugh Irvine

Hello Rohan -

Depending on the actual delay, you may be able to do something clever with the 
timestamps.

regards

Hugh


On 22 Feb 2014, at 08:21, rohan.henry @cwjamaica.com 
rohan.he...@cwjamaica.com wrote:

 Thanks for the feedback Heikki.
 
 I am thinking that the suggestion would solve the problem but defeats the 
 state limit function. It means that a connection would now become unique 
 based on Acct-Session-Id which changes for every connection and would grant 
 access to the same user multiple times since the new Acct-Session-Id will not 
 allow a database match.
 
 Rohan
 
 
 
 On Wed, Feb 19, 2014 at 3:40 PM, Heikki Vatiainen h...@open.com.au wrote:
 On 02/19/2014 09:22 PM, rohan.henry @cwjamaica.com wrote:
 
  How can I fix an issue where the DeleteQuery statement in my Sessions DB
  config deletes the row for a new active session because of a delayed
  Stop record?
 
 A quick idea: Do you think the DeleteQuery could be changed to include
 Acct-Session-Id in the query. That is, the NAS-Port, etc, and
 Acct-Session-Id must match the existing entry.
 
 If the session has been replaced, the delete will not match any rows
 because the new entry on the row it would otherwise match has a
 different session id that belongs to the new session.
 
 Please let us know how this works.
 Thanks,
 Heikki
 
 
  Scenario:
 
  1. A session is up (and row entered in the database for active session)
  2. The session is dropped because of a premature disconnection (eg.
  modem line cable unplugged) but Stop record is delayed.
  3. New session is created after modem line cable is restored (and after
  DeleteQuery statement removes database row for previous session)
  4. The delayed Stop record finally comes in - the DeleteQuery statement
  now removes the row for the active session (An unwanted behavior).
 
  How do I compensate for the delayed Stop record that is causing active
  session database records to be deleted?
 
 
 --
 Heikki Vatiainen h...@open.com.au
 
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
 TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
 DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
 NetWare etc.
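
An added example (not code from the thread or from Radiator): a sqlite3 model of the session database that replays Rohan's scenario under the original port-keyed DeleteQuery, under Heikki's variant that also matches Acct-Session-Id, and, going beyond the thread, under a split policy that clears by port on Start but deletes by session id on Stop. Table and column names, the user name and the session ids are constructed for the demo.

```python
import sqlite3

# Constructed replay of the scenario described in the thread, one NAS port:
#   1. Start for session S1            (row inserted, session up)
#   2. the line drops; the Stop for S1 is delayed
#   3. Start for session S2 on the same NAS port (line restored)
#   4. the delayed Stop for S1 finally arrives
EVENTS = [
    ("Start", "rohan", "nas1", 7, "S1"),
    ("Start", "rohan", "nas1", 7, "S2"),
    ("Stop",  "rohan", "nas1", 7, "S1"),
]


def new_sessions_db():
    """In-memory stand-in for the SQL session database (table and column
    names are constructed for this demo, not Radiator's defaults)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radonline (username TEXT, nasidentifier TEXT, "
               "nasport INTEGER, acctsessionid TEXT)")
    return db


def delete_query(db, nas, port, sid, by_session_id):
    """The DeleteQuery. by_session_id=False matches NAS and port only (the
    original query); True also requires Acct-Session-Id to match, which is
    Heikki's suggestion. Returns the number of rows removed."""
    if by_session_id:
        sql = ("DELETE FROM radonline WHERE nasidentifier=? AND nasport=? "
               "AND acctsessionid=?")
        args = (nas, port, sid)
    else:
        sql = "DELETE FROM radonline WHERE nasidentifier=? AND nasport=?"
        args = (nas, port)
    return db.execute(sql, args).rowcount


def count_query(db, user):
    """The CountQuery behind a simultaneous-use limit: keyed on the user
    name, so it is unaffected by which DeleteQuery form is used."""
    return db.execute("SELECT COUNT(*) FROM radonline WHERE username=?",
                      (user,)).fetchone()[0]


def replay(policy):
    """Replay EVENTS under one DeleteQuery policy:
      'port'    - original: Start and Stop both delete by NAS+port
      'session' - Heikki's variant: Start and Stop both delete by NAS+port+id
      'split'   - beyond the thread: Start clears by NAS+port (the port has
                  been reused, so whatever was there is gone), Stop deletes
                  by NAS+port+id (a late Stop cannot hit a newer session)
    Returns ([(event, session id, user's active sessions after it), ...],
             [session ids still in the table])."""
    db = new_sessions_db()
    trace = []
    for kind, user, nas, port, sid in EVENTS:
        if kind == "Start":
            # a Start first clears the NAS port, then inserts the new row
            delete_query(db, nas, port, sid, policy == "session")
            db.execute("INSERT INTO radonline VALUES (?, ?, ?, ?)",
                       (user, nas, port, sid))
        else:
            delete_query(db, nas, port, sid, policy in ("session", "split"))
        trace.append((kind, sid, count_query(db, user)))
    live = [row[0] for row in db.execute("SELECT acctsessionid FROM radonline")]
    return trace, live


if __name__ == "__main__":
    for policy in ("port", "session", "split"):
        trace, live = replay(policy)
        print(f"{policy:8s} counts={[c for _, _, c in trace]} live={live}")
```

Under 'port' the late Stop wipes the live S2 row; under 'session' S2 survives but the stale S1 row lingers (count 2) until its Stop arrives, which is the trade-off Rohan raises; 'split' keeps the count at 1 throughout.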


Re: [RADIATOR] SIP2 + Fortigate setup

2014-02-19 Thread Hugh Irvine

Hello Chad -

You don’t need to do anything special - Radiator will process the password 
automatically.

If you are using a flat file for your user records you should add an entry like 
this:



# flat file user definitions

29030pretend  User-Password = gulash



hope that helps

regards

Hugh


On 20 Feb 2014, at 09:42, Chad Roseburg croseb...@ncrl.org wrote:

 Thanks Heikki ~ there is an option to change the authentication scheme. I 
 changed it to PAP as you suggest. 
 
 Now it appears as though the fortigate is sending the password encrypted 
 ...Ex:
 
 Test credentials:
 user: 29030pretend
 pass: gulash
 
 Server output excerpt:
 DEBUG: SIP2 send '2300020140219141804AO|AA29030pretend|ACterminal 
 password|AD�$.%�6Է!H�'
 
 In looking at the docs, I see several encryption/decrypt options ...what do I 
 include in my config to allow Radiator to decrypt
 this password?
 
 Thank you!
 
 Chad
 
 
 
 
 
 On Sat, Feb 15, 2014 at 12:32 AM, Heikki Vatiainen h...@open.com.au wrote:
 On 02/15/2014 02:42 AM, Chad Roseburg wrote:
  I have an evaluation version of Radiator 4.12.1. I need to set up a web
  captive portal on a Fortigate 60D that uses SIP2 authentication.
 
  The SIP2 part works ...tests successful:
 
 Hello Chad,
 
 radpwtst uses PAP with the options you have specified and sends
 User-Password which can be then used with AuthBy SIP2.
 
 However, it looks like the Fortigate is trying to do MS-CHAP instead of
 PAP. With MS-CHAP there is no password, only a challenge and response,
 and for this reason it does not work.
 
 Presence of MS-CHAP-Challenge without User-Password indicates MS-CHAP is
 tried. There should be a MS-CHAP-Response too with the attributes, but
 maybe you have left that out. These two attributes are used by MS-CHAP.
 
 See if there's 'Authentication Scheme', I think this is the option in
 Fortigate, or something similar that has been set to MS-CHAP or defaults
 to MS-CHAP. There should be an option to switch it to PAP.
 
 Please let us know if the above helps.
 
 Thanks,
 Heikki
 
 
  Ex.
  perl radpwtst -noacct -user 29030pretend -password secrets
  sending Access-Request...
  OK
 
  On RADIUS server I see:
  -
  Fri Feb 14 16:07:47 2014: DEBUG: SIP2 send '2300020140214
   160747AONCRL|AA29030pretend|ACterminal password|ADsecrets|'
  Fri Feb 14 16:07:47 2014: DEBUG: SIP2 read '24  00020140214
 160727AEJOE SMITH|AA29030pretend|BLY|CQY|AFGreetings. |AONCRL|'
  Fri Feb 14 16:07:47 2014: DEBUG: Radius::AuthSIP2 ACCEPT: : 29030pretend
  [29030pretend]
  Fri Feb 14 16:07:47 2014: DEBUG: AuthBy SIP2 result: ACCEPT
 
  But the second part is that I need to connect the fortigate to the
  RADIUS server. I add the fortigate as a client in the config using IP
  and a 'Secret'
 
  Here's some edited output when I test from the fortigate using the same
  creds:
  Fri Feb 14 16:23:44 2014: DEBUG: SIP2 send '2300020140214
   162344AONCRL|AA29030pretend|ACterminal password|AD|'
  Fri Feb 14 16:23:44 2014: DEBUG: SIP2 read '24  00020140214
 162323AEJOE SMITH|AA29030pretend|BLY|CQN|AFGreetings. |AONCRL|'
  Fri Feb 14 16:23:44 2014: DEBUG: Radius::AuthSIP2 REJECT: Bad password:
  29030002429839 [29030002429839]
  Fri Feb 14 16:23:44 2014: DEBUG: AuthBy SIP2 result: REJECT, Bad password
 
  It looks like it's not sending the password. Also, at the top of the
  transmission there's mention of a MS-CHAP-Challenge:
  Attributes:
  NAS-Identifier = Fortinet_RTR
  MS-CHAP-Challenge =
  b1372381464165145.9229163j129220M
  Acct-Session-Id = 0021
  Connect-Info = test
  Fortinet-Vdom-Name = root
 
  This is the Client config:
 <Client 192.x.x.99>
     Secret  secretspass
     DupInterval 0
 </Client>
 
  Thanks for any advice!
 
  --
  Chad
 
 
  ___
  radiator mailing list
  radiator@open.com.au
  http://www.open.com.au/mailman/listinfo/radiator
 
 
 
 --
 Heikki Vatiainen h...@open.com.au
 
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
 TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
 DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
 NetWare etc.
 ___
 radiator mailing list
 radiator@open.com.au
 http://www.open.com.au/mailman/listinfo/radiator
 
 
 
 -- 
 Chad Roseburg
 Automation Dept.
 North Central Regional Library


--

Hugh Irvine
h...@open.com.au


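The point Heikki makes above (a PAP request carries a password the server can recover, an MS-CHAP request does not, so a backend like AuthBy SIP2 that must forward the clear-text password can only serve PAP) can be shown end to end. The following is an added example and not Radiator code: it classifies an Access-Request by the attributes present, implements the RFC 2865 User-Password hiding that radpwtst applies and the server reverses, and checks whether a clear-text backend can serve each request. The two requests are constructed for this example, modelled on the attributes in Chad's trace; the MS-CHAP values are placeholders and the Request Authenticator is generated at random.

```python
"""Added example (not Radiator code): PAP versus MS-CHAP from a clear-text
backend's point of view. With PAP the NAS sends User-Password hidden with the
RFC 2865 scheme, which the server reverses with the shared secret and the
Request Authenticator. With MS-CHAP the NAS sends only MS-CHAP-Challenge and
MS-CHAP-Response; no password is recoverable from them, so a backend that
needs the clear-text password (AuthBy SIP2 here) cannot authenticate."""
import hashlib
import os

# Attribute sets that identify the authentication method in an Access-Request,
# checked most specific first (names as Radiator prints them at trace 4).
METHODS = [
    ("MS-CHAP-V2", {"MS-CHAP-Challenge", "MS-CHAP2-Response"}),
    ("MS-CHAP",    {"MS-CHAP-Challenge", "MS-CHAP-Response"}),
    ("CHAP",       {"CHAP-Password"}),
    ("PAP",        {"User-Password"}),
]

# Backends that need the clear-text password (assumption for this example).
NEEDS_CLEARTEXT = {"SIP2"}


def detect_method(attrs: dict) -> str:
    present = set(attrs)
    for name, needed in METHODS:
        if needed <= present:
            return name
    return "unknown"


def backend_can_serve(backend: str, attrs: dict) -> bool:
    """A clear-text backend can only answer a PAP request."""
    method = detect_method(attrs)
    if backend in NEEDS_CLEARTEXT:
        return method == "PAP"
    return method != "unknown"


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to 16-byte blocks and XOR each block with
    MD5(secret + previous cipher block), seeded with the Request Authenticator."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    out, prev = bytearray(), authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password: what the server does before it can hand
    User-Password to AuthBy SIP2 as the patron's password."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


SECRET = b"secretspass"          # the Secret from the Client clause in the thread
AUTHENTICATOR = os.urandom(16)   # Request Authenticator, fresh for every request

# Constructed: what radpwtst sends (PAP).
PAP_REQUEST = {
    "User-Name": "29030pretend",
    "User-Password": hide_password(b"secrets", SECRET, AUTHENTICATOR),
}

# Constructed: what the Fortigate sends (MS-CHAP); the values are placeholders.
MSCHAP_REQUEST = {
    "User-Name": "29030pretend",
    "NAS-Identifier": "Fortinet_RTR",
    "MS-CHAP-Challenge": b"\x00" * 8,
    "MS-CHAP-Response": b"\x00" * 50,
}

if __name__ == "__main__":
    for label, req in (("radpwtst", PAP_REQUEST), ("Fortigate", MSCHAP_REQUEST)):
        print(label, detect_method(req), "SIP2 usable:", backend_can_serve("SIP2", req))
    print(reveal_password(PAP_REQUEST["User-Password"], SECRET, AUTHENTICATOR))
```

The fix in the thread is therefore on the Fortigate side (switch its authentication scheme to PAP), not in the Radiator SIP2 options: the SIP2 module has nothing to decrypt because the MS-CHAP request never contained the password.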
Re: [RADIATOR] Alive\Update handlers with proxy

2013-12-23 Thread Hugh Irvine

Hello -

There is an example showing how to use the Class attribute in 
“goodies/hooks.txt”.

regards

Hugh


On 23 Dec 2013, at 20:33, Heikki Vatiainen h...@open.com.au wrote:

 On 12/23/2013 09:25 AM, eliran shlomo wrote:
 
 How can I copy the attribute values that are sent in the Access-Accept to
 the Accounting-Request?
 
 If the attributes are fetched during the authentication, you could
 consider AuthenticateAccounting and creating a Handler for the
 accounting message which has an AuthBy with AuthenticateAccounting set
 and for example, NoCheckPassword set.
 
 This would force Radiator to run SQL and LDAP lookups for accounting too
 allowing you to pull attribute values from the authentication backend.
 
 Another alternative might be storing the values during authentication in
 the Class attribute which the client will return with
 Accounting-Requests. A hook could then process Class and push the
 attributes in the accounting request message.
 
 Yet another alternative is to create a hook that does all the necessary
 lookups for the accounting messages. However, it might be possible to
 use the two alternatives described above instead of doing everything
 with a hook.
 
 Thanks,
 Heikki
 
 
 On Wed, Dec 18, 2013 at 5:33 PM, Heikki Vatiainen h...@open.com.au wrote:
 
On 12/18/2013 09:44 AM, eliran shlomo wrote:
 
 The attribute in the LDAP for RB-Context-Name has changed from
 safe to ngn.

 But in the accounting that is sent to the proxy the attribute value
 didn't change:
 RB-Context-Name = safe

 The hook is acting as expected; the problem is that some of the attribute
 values stay the same and some of them changed.
 
Hello Eliran,
 
the Hook you sent only changes Class attribute. In other words, only
$p-change_attr('Class', ...) is called but values of other attributes
are not touched.
 
The log you sent earlier shows that authentication and accounting
requests are processed by different Handlers. This is very likely one
reason why they change the attributes differently.
 
Thanks,
Heikki
 
 
--
Heikki Vatiainen h...@open.com.au
 
 
 
 
 -- 
 Heikki Vatiainen h...@open.com.au
 


--

Hugh Irvine
h...@open.com.au


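Heikki's second suggestion above, storing values fetched at authentication time in the Class attribute and having a hook push them back into the Accounting-Request, relies on the NAS echoing Class unchanged. Class is opaque to the NAS, but it arrives in an accounting packet from outside, so the hook should check it before trusting its contents. The following is an added example and not Radiator code or the hook from goodies/hooks.txt: it packs a dictionary of values into a Class value with an HMAC tag, verifies and unpacks it on the accounting side, and merges the values into the request only when the tag checks out. The packing format (JSON plus a truncated HMAC-SHA256, base64-encoded) and the key are assumptions for this example.

```python
"""Added example (not Radiator code): carry values obtained during
authentication to the Accounting-Requests in the Class attribute, with an
integrity tag so that the hook can tell a Class it issued from one that was
altered or forged on the way back."""
import base64
import hashlib
import hmac
import json

MAX_CLASS_LEN = 253   # RFC 2865: one-byte attribute length, 2 bytes of header
TAG_LEN = 16          # truncated HMAC-SHA256, assumption for this example


def pack_class(values: dict, key: bytes) -> bytes:
    """Build the Class value to put in the Access-Accept."""
    body = json.dumps(values, separators=(",", ":"), sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    packed = base64.b64encode(body + tag)
    if len(packed) > MAX_CLASS_LEN:
        raise ValueError("values do not fit in one Class attribute")
    return packed


def unpack_class(class_value: bytes, key: bytes):
    """Return the dict carried in Class, or None if it is malformed or the tag
    does not verify. Anyone who can send accounting to the server can send an
    arbitrary Class, so a failed check is a reason to log, not to trust."""
    try:
        raw = base64.b64decode(class_value, validate=True)
    except ValueError:            # binascii.Error is a subclass of ValueError
        return None
    if len(raw) <= TAG_LEN:
        return None
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    try:
        values = json.loads(body)
    except ValueError:
        return None
    return values if isinstance(values, dict) else None


def add_class_values(acct_request: dict, key: bytes) -> dict:
    """What the accounting hook does: merge the verified values into a copy
    of the Accounting-Request. On any failure the request is left unchanged."""
    values = unpack_class(acct_request.get("Class", b""), key)
    merged = dict(acct_request)
    if values is not None:
        merged.update(values)
    return merged


KEY = b"constructed-example-key"   # would live in the server configuration

if __name__ == "__main__":
    # Values looked up in LDAP during authentication (constructed).
    cls = pack_class({"RB-Context-Name": "ngn"}, KEY)
    access_accept = {"Class": cls}
    # The NAS echoes Class in its accounting packets.
    acct_stop = {"Acct-Status-Type": "Stop", "User-Name": "eliran", "Class": cls}
    print(add_class_values(acct_stop, KEY))
```

Keeping the values small matters: Class is limited to 253 bytes, and a Class that does not fit is rejected at packing time rather than silently truncated. For larger sets of attributes, the AuthenticateAccounting approach Heikki mentions first (re-running the lookup for the accounting packet) avoids the size limit altogether.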

Re: [RADIATOR] Use of attribute in accounting file name

2013-12-22 Thread Hugh Irvine

Hello Markus -

Yes you can - see section 5.2 in the Radiator 4.12 reference manual 
(“doc/ref.pdf”).


%{attr}

The value of the named attribute in the current packet (if any).
For example, %{User-Name} is the same as %n.


regards

Hugh



On 23 Dec 2013, at 01:16, Markus Moeller hua...@moeller.plus.com wrote:

 Hi
  
  
 I know you can use special characters in the accounting file name (e.g. %c
 or %C), but is it also possible to use an attribute value?

 When I read the client database I add an attribute, e.g. host = Host1. Could
 I use that instead of %C to avoid the reverse DNS lookup?
  
 Thank you
 Markus
  


--

Hugh Irvine
h...@open.com.au


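To show what the %{attr} substitution Hugh quotes from the manual does when it is used in a file name, and the check that a name built from packet data needs, here is a small expander written for this page (an added example, not Radiator's own special-character code). It handles only %%, %n, %c, %C and %{attr}; the request and client records are constructed, and %C is taken from a name in the client record (the case Markus describes) instead of a reverse DNS lookup. Since attribute values can originate from a NAS, the path builder refuses separators, dot-only components and characters outside a short allow list before the name is used.

```python
"""Added example (not Radiator code): expand %n, %c, %C and %{attr} in an
accounting file name template and make sure the result stays inside the
log directory."""
import os
import re

# %% -> '%', %n -> User-Name, %c -> client address, %C -> client name,
# %{attr} -> value of that attribute in the current packet (empty if absent).
SPECIAL = re.compile(r"%(?:(%|n|c|C)|\{([A-Za-z0-9_-]+)\})")


def expand(template: str, request: dict, client: dict) -> str:
    def sub(m):
        code, attr = m.groups()
        if code == "%":
            return "%"
        if code == "n":
            return str(request.get("User-Name", ""))
        if code == "c":
            return client["address"]
        if code == "C":
            # Assumption: the client record carries a name; Radiator's %C
            # would come from a reverse lookup of the client address.
            return client.get("name") or client["address"]
        return str(request.get(attr, ""))
    return SPECIAL.sub(sub, template)


# One path component built from packet data: must start with a letter or
# digit and may contain only letters, digits, '.', '_', '@' and '-'.
COMPONENT = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._@-]*$")


def accounting_path(template: str, request: dict, client: dict, logdir: str) -> str:
    """Expand the template and refuse any result that could leave logdir:
    an empty or dot-only component, or a component with other characters."""
    name = expand(template, request, client)
    for part in name.split("/"):
        if part in ("", ".", "..") or not COMPONENT.match(part):
            raise ValueError(f"unsafe file name component {part!r} from template {template!r}")
    path = os.path.normpath(os.path.join(logdir, name))
    if os.path.commonpath([logdir, path]) != logdir:
        raise ValueError("expanded name escapes the log directory")
    return path


# Constructed request and client record for this example.
REQUEST = {"User-Name": "markus", "host": "Host1", "NAS-Identifier": "../../etc"}
CLIENT = {"address": "192.0.2.10", "name": "nas1"}

if __name__ == "__main__":
    print(accounting_path("%{host}-detail.log", REQUEST, CLIENT, "/var/log/radius"))
    print(accounting_path("%C/detail", REQUEST, CLIENT, "/var/log/radius"))
    try:
        accounting_path("%{NAS-Identifier}/detail", REQUEST, CLIENT, "/var/log/radius")
    except ValueError as e:
        print("refused:", e)
```

An attribute that Markus adds himself when the client database is read is trusted input, so in his case the check is belt and braces; it becomes essential as soon as the template names an attribute the NAS supplies, such as NAS-Identifier.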

Re: [RADIATOR] Infinera with AuthBy SQL

2013-12-04 Thread Hugh Irvine

Hello -

I generally find it easiest to use Identifiers in the Client clauses with 
corresponding Handlers instead of Realm(s).

Something like this:


…..

<Client 1.1.1.1>
    Identifier Infinera
    …..
</Client>

<Client 2.2.2.2>
    Identifier Infinera
    …..
</Client>

<Client 3.3.3.3>
    Identifier Infinera
    …..
</Client>

…..

<ServerTACACSPLUS>
    …..
    AddToRequest NAS-Identifier=TACACS
</ServerTACACSPLUS>

# Deal with Infinera devices
<Handler Client-Identifier=Infinera>
    …..
</Handler>

# Deal with TACACS
<Handler NAS-Identifier=TACACS>
    …..
</Handler>

…..


regards

Hugh


On 5 Dec 2013, at 14:33, nho...@gmail.com wrote:

 Hi
 
 I have been tasked with getting our new Infinera infrastructure to
 authenticate against our radiator servers.
 
 The catch here is that our current configuration is  TACACS+ for our
 Cisco equipment and the Infinera kit only supports Radius.
 
 We wanted to use the same database (example below) so that our
 engineers would have the same credentials and access levels across
 both environments.
 
 | test   | {SSHA} | tacacsgroup = admin  |
 | test2 | {SSHA} | tacacsgroup = readonly  |
 
 I have a working solution but was wondering if there was a more
 elegant way keeping in mind that I probably can't touch the database.
 
 <Realm DEFAULT>
     AuthByPolicy ContinueUntilAccept

     <AuthBy SQL>
         Identifier tacacsauth
         DBSource dbi:mysql:tacacs
         DBUsername radius
         DBAuth *

         NoDefault
         NoDefaultIfFound
         IgnoreAccounting
         FailureBackoffTime 10

         AuthSelect select password, checkattr, replyattr \
             from tacacsUser \
             where username=%0 \
             and replyattr rlike "admin$"
         AuthColumnDef 0, Encrypted-Password, check

         AddToReply Infinera-User-Priv-SA = SA-PRIVILEGED,\
             Infinera-User-Priv-NE = NE-PRIVILEGED,\
             Infinera-User-Priv-NA = NA-PRIVILEGED,\
             Infinera-User-Priv-PR = PR-PRIVILEGED,\
             Infinera-User-Priv-TT = TT-PRIVILEGED,\
             Infinera-User-AdminDomain = "FX,LAB",\
             Infinera-User-Max-Concurrent-Session = 2,\
             Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
             Infinera-User-TimeZone = IST,\
             Service-Type = Framed-User,\
             Framed-Protocol = PPP,\
             Framed-IP-Netmask = 255.255.255.255,\
             Framed-Routing = None,\
             Framed-MTU = 1500,\
             Framed-Compression = Van-Jacobson-TCP-IP
     </AuthBy>

     <AuthBy SQL>
         Identifier tacacsauth
         DBSource dbi:mysql:tacacs
         DBUsername radius
         DBAuth iepu0oeC

         NoDefault
         NoDefaultIfFound
         IgnoreAccounting
         FailureBackoffTime 10

         AuthSelect select password, checkattr, replyattr \
             from tacacsUser \
             where username=%0 \
             and replyattr rlike "readonly$"
         AuthColumnDef 0, Encrypted-Password, check

         AddToReply Infinera-User-Priv-SA = SA-NONPRIVILEGED,\
             Infinera-User-Priv-NE = NE-NONPRIVILEGED,\
             Infinera-User-Priv-NA = NA-NONPRIVILEGED,\
             Infinera-User-Priv-PR = PR-NONPRIVILEGED,\
             Infinera-User-Priv-TT = TT-NONPRIVILEGED,\
             Infinera-User-Priv-MA = MA-PRIVILEGED,\
             Infinera-User-AdminDomain = "FX,LAB",\
             Infinera-User-Max-Concurrent-Session = 2,\
             Infinera-User-Allowed-Timezone-Config = TIMEZONE-CONFIG-ALLOW,\
             Infinera-User-TimeZone = IST,\
             Service-Type = Framed-User,\
             Framed-Protocol = PPP,\
             Framed-IP-Netmask = 255.255.255.255,\
             Framed-Routing = None,\
             Framed-MTU = 1500,\
             Framed-Compression = Van-Jacobson-TCP-IP
     </AuthBy>
 </Realm>
 
 Any ideas would be appreciated.
 
 Regards
 Derick


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Variables

2013-11-25 Thread Hugh Irvine

Hello Rohan -

Most if not all of these attributes should be included in the RADIUS accounting 
stop request, assuming RADIUS accounting is turned on in the NAS device.

Note that there is a difference between “Event-Timestamp” as shown below which 
may be sent by the NAS, and “Timestamp” which is internal to Radiator.

Have a look at a trace 4 debug to see exactly what you are receiving in the 
RADIUS accounting requests.

regards

Hugh


On 26 Nov 2013, at 08:26, rohan.henry @cwjamaica.com 
rohan.he...@cwjamaica.com wrote:

 Hello,
  
 Are values for any of the foll. attributes automatically stored somewhere in 
 Radiator where they can be fetched anytime during or at the end of the 
 session? For example the Timestamp attribute.
  
 If not, how can I store values for use later in or at the end of the session?
  
 Attributes:
 Acct-Status-Type = Start
 User-Name = 
 Event-Timestamp = 
 Acct-Delay-Time = 
 NAS-Identifier = 
 Acct-Session-Id = 
 NAS-IP-Address = 
 Class = 
 Service-Type = 
 Framed-Protocol = 
 Framed-Compression = 
 Unisphere-Pppoe-Description = 
 Framed-IP-Address = 
 Framed-IP-Netmask = 
 Calling-Station-Id = 
 Connect-Info = 
 NAS-Port-Type = 
 NAS-Port = 
 NAS-Port-Id = 
 Acct-Authentic =
  
 Thanks.
  
 Regards,
 Rohan


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-09 Thread Hugh Irvine

Hello again -

Actually, I think Heikki’s answer is correct, due to the AuthBy DUO returning 
IGNORE.

It's simpler too, although if the AuthBy DUO returns REJECT you'll still call 
the AuthBy RADIUS.

regards

Hugh


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-08 Thread Hugh Irvine

Hello Christopher -

What are the possible return values from your LDAP2 and DUO clauses?

If I understand what you describe correctly you should be able to do this:


<AuthBy GROUP>
    AuthByPolicy ContinueWhileIgnore

    <AuthBy GROUP>
        AuthByPolicy ContinueWhileAccept

        <AuthBy LDAP2>
            …..
        </AuthBy>

        <AuthBy GROUP>
            AuthByPolicy ContinueWhileReject

            <AuthBy DUO>
                …..
            </AuthBy>

            <AuthBy INTERNAL>
                DefaultResult IGNORE
            </AuthBy>
        </AuthBy>
    </AuthBy>

    <AuthBy RADIUS>
        …..
    </AuthBy>
</AuthBy>


regards

Hugh



On 8 Nov 2013, at 05:31, Christopher Bongaarts c...@umn.edu wrote:

 That would seem to yield the effective logic:
 
 AuthBy LDAP2
 if result = ACCEPT
 then
  AuthBy DUO
  if result != ACCEPT
  then
AuthBy RADIUS
  endif
 endif
 
 which is not what I want - either DUO or RADIUS should be invoked, never 
 both; which one is invoked is determined by the result of LDAP2.
 
 This is close:
 
 <AuthBy GROUP>
     AuthByPolicy ContinueUntilAccept
     <AuthBy GROUP>
         AuthByPolicy ContinueWhileAccept
         AuthBy LDAP2
         AuthBy DUO
     </AuthBy>
     AuthBy RADIUS
 </AuthBy>
 
 but will invoke RADIUS unnecessarily if LDAP2 returns ACCEPT but DUO returns 
 REJECT or IGNORE.  Security-wise this is OK (it is not possible for this 
 RADIUS to succeed if LDAP2 succeeded) but does put an extra load on the 
 proxied RADIUS service.
 
 -- 
 %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
 %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
 %%  University of Minnesota%%  +1 (612) 625-1809%%
 


--

Hugh Irvine
h...@open.com.au


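The three configurations in this thread differ only in how AuthBy GROUP and AuthByPolicy nest, and the effect is easier to see by tracing which clauses actually run. The following simulator is an added example, not Radiator code. Its policy semantics are my reading of the reference manual: each policy says whether to continue to the next member after seeing a result, and the group's result is the result of the last member consulted. The three trees are Hugh's first suggestion, Christopher's "close" variant and Hugh's nested version; the per-backend outcomes for LDAP2, DUO and RADIUS are constructed inputs.

```python
"""Added example (not Radiator code): simulate AuthBy GROUP / AuthByPolicy
evaluation and trace which AuthBy clauses run for each combination of
backend results in the three configurations from this thread."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# Does the group continue to its next member after seeing this result?
POLICIES = {
    "ContinueWhileIgnore": lambda r: r == IGNORE,   # Radiator's default
    "ContinueUntilIgnore": lambda r: r != IGNORE,
    "ContinueWhileAccept": lambda r: r == ACCEPT,
    "ContinueUntilAccept": lambda r: r != ACCEPT,
    "ContinueWhileReject": lambda r: r == REJECT,
    "ContinueUntilReject": lambda r: r != REJECT,
    "ContinueAlways":      lambda r: True,
}


@dataclass
class Leaf:
    """A non-GROUP AuthBy; `fixed` models AuthBy INTERNAL with DefaultResult."""
    name: str
    fixed: Optional[str] = None


@dataclass
class Group:
    """An AuthBy GROUP with its AuthByPolicy and members in file order."""
    policy: str
    members: List[Union["Leaf", "Group"]]


def evaluate(node, outcomes: Dict[str, str], trace: List[str]) -> str:
    """outcomes: what each backend would answer for this request.
    trace: names of the leaves actually consulted, in order."""
    if isinstance(node, Leaf):
        trace.append(node.name)
        return node.fixed if node.fixed is not None else outcomes[node.name]
    keep_going = POLICIES[node.policy]
    result = IGNORE   # assumption: an empty group counts as IGNORE
    for member in node.members:
        result = evaluate(member, outcomes, trace)
        if not keep_going(result):
            break
    return result


def run(config, outcomes: Dict[str, str]):
    trace: List[str] = []
    return evaluate(config, outcomes, trace), trace


# Hugh's suggestion of 6 Nov
FIRST = Group("ContinueWhileAccept", [
    Leaf("LDAP2"),
    Group("ContinueUntilAccept", [Leaf("DUO"), Leaf("RADIUS")]),
])

# Christopher's "close" variant of 8 Nov
CLOSE = Group("ContinueUntilAccept", [
    Group("ContinueWhileAccept", [Leaf("LDAP2"), Leaf("DUO")]),
    Leaf("RADIUS"),
])

# Hugh's nested suggestion of 8 Nov, with AuthBy INTERNAL DefaultResult IGNORE
NESTED = Group("ContinueWhileIgnore", [
    Group("ContinueWhileAccept", [
        Leaf("LDAP2"),
        Group("ContinueWhileReject", [Leaf("DUO"), Leaf("INTERNAL", fixed=IGNORE)]),
    ]),
    Leaf("RADIUS"),
])

# Constructed backend outcomes for the cases discussed in the thread.
CASES = {
    "ldap accept, duo accept": {"LDAP2": ACCEPT, "DUO": ACCEPT, "RADIUS": ACCEPT},
    "ldap accept, duo reject": {"LDAP2": ACCEPT, "DUO": REJECT, "RADIUS": ACCEPT},
    "ldap reject":             {"LDAP2": REJECT, "DUO": ACCEPT, "RADIUS": ACCEPT},
    "ldap ignore (not found)": {"LDAP2": IGNORE, "DUO": ACCEPT, "RADIUS": ACCEPT},
}

if __name__ == "__main__":
    for label, config in (("first", FIRST), ("close", CLOSE), ("nested", NESTED)):
        for case, outcomes in CASES.items():
            result, trace = run(config, outcomes)
            print(f"{label:7} {case:25} -> {result:6} via {' > '.join(trace)}")
```

Running it reproduces what the thread argues. In the first two trees a DUO REJECT still reaches RADIUS. In the nested tree a DUO REJECT is turned into IGNORE by the trailing AuthBy INTERNAL and also falls through to RADIUS, an LDAP2 REJECT stops everything, and only an LDAP2 IGNORE hands the request to RADIUS. Whether the RADIUS fallback ever runs therefore depends on what LDAP2 returns for a user it does not know, which is why Hugh's question about the possible return values is the one to answer first.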

Re: [RADIATOR] Radius domain only auth, with password='cisco'

2013-11-06 Thread Hugh Irvine

Hello Michael -

This sounds like Cisco VPDN tunnelling.

This example is from the standard “users” file in the Radiator distribution:


# This example shows how to configure a Cisco VPDN circuit:
open.com.au	User-Password="cisco", Service-Type="Outbound-User"
	cisco-avpair = "vpdn:tunnel-id=cca-gw",
	cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
	cisco-avpair = "vpdn:nas-password=pw",
	cisco-avpair = "vpdn:gw-password=pw"


regards

Hugh   


On 7 Nov 2013, at 04:56, Michael ri...@vianet.ca wrote:

 
 Has anyone ever seen a situation where, for every authentication attempt 
 to a radiator system from a cisco device, there is an authentication 
 attempt right before it that appears to be:
 
 - a domain (the username with the 'username@' part stripped off).
 - plain text password is always 'cisco'.
 - Service-Type = Outbound-User
 
 if I remove this line from the cisco lns:
 aaa authorization network TEST group TEST
 ...the extra auth attempts stop, but then my radius network static 
 profiles don't work, so it's not a solution but it narrows down the problem.
 
 My auth requests for the radiator system are essentially doubled due to 
 this.  This only started happening recently.  Network guys sometimes are 
 like a ticking time bomb and asking them can cause an explosion so I 
 thought I would ask here.
 
 
 Mike


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] If-then-else logic for AuthBy

2013-11-06 Thread Hugh Irvine

Hello Christopher -

Something like this:

<AuthBy GROUP>
    AuthByPolicy ContinueWhileAccept
    AuthBy LDAP2
    <AuthBy GROUP>
        AuthByPolicy ContinueUntilAccept
        AuthBy DUO
        AuthBy RADIUS
    </AuthBy>
</AuthBy>

regards

Hugh


On 7 Nov 2013, at 08:51, Christopher Bongaarts c...@umn.edu wrote:

 I have a need to handle multiple authentication methods which returns 
 something like this:
 
 AuthBy LDAP2
 if result = ACCEPT
 then
 AuthBy DUO
  else
 AuthBy RADIUS
 
 with the ultimate authentication result coming from either the DUO or 
 RADIUS module.  I tried to figure out a way to arrange some combination 
 of AuthBy GROUP and AuthByPolicy to make this fly but I can't seem to 
 figure out a way to make it work.  Any suggestions?
 
 -- 
 %%  Christopher A. Bongaarts   %%  c...@umn.edu  %%
 %%  OIT - Identity Management  %%  http://umn.edu/~cab  %%
 %%  University of Minnesota%%  +1 (612) 625-1809%%
 


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Radius domain only auth, with password='cisco'

2013-11-06 Thread Hugh Irvine

Hello Michael -

This is configured on the Cisco box - you will need to ask your network people 
to turn it off.

regards

Hugh


On 7 Nov 2013, at 10:05, Michael ri...@vianet.ca wrote:

 I'm looking to stop it, not set it up.  I'm not sure what had 
 enabled/configured it to start happening.  I guess this is probably the wrong 
 place to ask.
 


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Migrate Cisco ACS to Radiator

2013-10-10 Thread Hugh Irvine

Hi Jim -

I believe we offer this as a custom service.

I've copied Heikki on this email and he can provide details and costs.

regards

Hugh


On 11 Oct 2013, at 06:25, Jim Tyrrell j...@scusting.com wrote:

 Hi, we need to migrate a customer's users from their own Cisco ACS RADIUS 
 server into our Radiator servers, but apparently it's not possible to 
 export the users' passwords in a format we can import.  I don't have 
 direct access to the ACS server but have been given a dump that includes 
 passwords in the following format:
 
 Password  :0x0020 8e 0c b4 cb 26 7b 20 10 fa 0f 80 77 ec c5 f5 
 20 a5 4c ea ac f1 f9 dd ca 7b 8e 81 39 ca 21 d0 f4
 Chap password :0x0020 84 12 e3 bb 64 65 53 f9 61 7b 5d b4 f0 f4 9a 
 1b a4 8c da 6e 52 fa fd 34 95 c2 fb 8a a8 a8 fa 16
 
 Does anyone have experience importing usernames and passwords into 
 Radiator from ACS (textfile, or MySQL or LDAP)?  From what I understand 
 you can only export with the passwords encrypted using a Cisco algorithm 
 so you can only import into another ACS server.
 
 Thanks.
 
 Jim.


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Converting from using a plaintext users file, to using LDAP

2013-09-25 Thread Hugh Irvine

Hello Eivind -

Yes this is fairly simple to do with multiple AuthBy clauses - in this case 
with a trailing AuthBy FILE to set the required reply attributes.

Depending on how many groups you need, it may be preferable to have a group 
attribute in each user record rather than use memberOf.

In either case you would do something like this:


……

AuthByPolicy ContinueWhileAccept

<AuthBy GROUP>
    # check users and determine group
    AuthByPolicy ContinueUntilAccept

    <AuthBy LDAP2>
        …..
    </AuthBy>

    <AuthBy LDAP2>
        …..
    </AuthBy>

    …..
</AuthBy>

<AuthBy FILE>
    # apply per-group reply attributes
    …..
</AuthBy>

…..

hope that helps

regards

Hugh


On 24 Sep 2013, at 23:00, Eivind Olsen eiv...@aminor.no wrote:

 Hello.
 
 I've very recently been given the task of migrating an existing Radiator
 installation from having its users in a plaintext file (AuthBy FILE), to
 authenticating against LDAP.
 
 This sounds straight forward enough, I'm somewhat familiar with AuthBy LDAP2.
 
 Now, what gets me a bit confused is this: the current users textfile has
 entries with various attributes. Often it's the same attribute for many
 users, but not always. For example, some have Timetra-Cmd attribute
 listing read-only commands.
 
 Oh, and if possible, I'd prefer to _not_ store these directly in the LDAP
 (if I can avoid extending the LDAP schema and avoid having to mess up the
 user provisioning tool, I'd prefer that). What I'd like to accomplish
 somehow is mapping the various user levels to group membership in LDAP. If
 someone is a member of, for example, the group timetra-full-admin they'll
 get a Timetra-Cmd set to one thing, and if they're a member of
 timetra-read-only they'll have it set to something else. Makes sense?
 If I have to store the attribute values directly in LDAP, there's also a
 high chance that whoever is provisioning users might make a typo of some
 sort. In other words: I don't want to extract attribute X from LDAP and
 return its exact value. Oh, and if I can avoid using Perl hooks, that
 would also be a good thing for me :)
 
 One way I've thought might work is having multiple AuthBy LDAP2-blocks
 chained together, with different searchfilters and replying with specific
 attributes, similar to this pseudo-code:
 
 Auth-block1: if memberOf=timetra-full-admins reply with attr
 Timetra-Cmd=abcd, otherwise continue to next block
 Auth-block2: if memberOf=timetra-read-only reply with attr
 Timetra-Cmd=efgh, otherwise continue to next block
 ...
 no more blocks? Reject user.
 
 Part of me thinks there's bound to be a better way than this, though. Can
 anyone lend me a clue? :)
 
 Regards
 Eivind Olsen
 eiv...@aminor.no
 
 


--

Hugh Irvine
h...@open.com.au



Re: [RADIATOR] Converting from using a plaintext users file, to using LDAP

2013-09-25 Thread Hugh Irvine

Hello Eivind -

Yes your approach will also work - I misunderstood your original question and 
thought you wanted to retain the AuthBy FILE component.

The AuthBy FILE part would only be to hold the group reply attributes, which 
as you say can also be done with AddToReply in the simple case.

regards

Hugh


On 25 Sep 2013, at 10:11, Eivind Olsen eiv...@aminor.no wrote:

 Hugh Irvine wrote:
 Yes this is fairly simple to do with multiple AuthBy clauses - in this
 case with a trailing AuthBy FILE to set the required reply attributes.
 
 My plan is to avoid the entire AuthBy FILE, if I can, so whoever is
 provisioning these users won't have to also edit a file, adding the users
 to the groups in LDAP should be sufficient. And if we need to make new
 levels of user access / giving special attributes to some, we'll add a new
 group and do a small change in radiusd.cfg
 
 I'll add the attributes with AddToReply, in the specific AuthBy block, and
 won't need to use an AuthBy FILE then?
 
 Regards
 Eivind Olsen
 
 




Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine
Hello Mlungisi -

The IANA list shows vendor 20942 to be China Telecom:

20942 China Telecom-Guangzhou Research and Development Center guomw guomw&gsta.com;liuchenglong&huawei.com

see http://www.iana.org/assignments/enterprise-numbers/enterprise-numbers

Until you get the real attribute definitions, you can add something like this to your Radiator dictionary:

#
# Vendor-specific attributes for China Telecom
#
VENDOR      China-Telecom   20942
VENDORATTR  20942   China-Telecom-Attr-100  100 string

I also found the following with a quick Google search on "China Telecom radius attributes" at:

http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22yd3/feature_guide/ha_othera_3.html#wp1079945

…..

Interaction with AAA

The HA will deal with the following attributes during the interaction with AAA for authentication and Accounting,

• Correlation-Id
The received Correlation-Id in RRQ is sent in Accounting Start/Stop/Interim Messages to the AAA server. This attribute is not included during Authentication with AAA.

• Calling-Station-Id
The received Calling-Station-Id in RRQ is sent in an Access-Request during Authentication with AAA for MN subscriber. This attribute is also sent in Accounting Start/Stop/Interim Messages to AAA server. The HA sends the Calling-Station-Id to AAA in the format of standard RADIUS Attribute [31], as defined in RFC 2865.

• Served-MDN
The HA receives the Served MDN value in an Access-Accept after successful authentication with the AAA server. The received attribute is sent in Accounting Start/Stop Messages only to the AAA for accounting purposes.

• Charging-Type
The HA receives the Charging-Type value in an Access-Accept after successful authentication with the AAA server. The received attribute is sent in Accounting Start/Stop messages only to the AAA for accounting purposes. Charging-Type values include the following:
– 0x0001 - Post-paid accounting
– 0x0002 - Pre-paid accounting
– 0x0003 - both post-paid and pre-paid accounting

• HA-Service-Address
The HA sends the user's HA service address to the AAA in an accounting-start message.

Table 16-1 illustrates how the HA incorporates the attribute values in various Radius messages (RFC 2865 and 2866) during interaction with AAA.

Table 16-1 HA Attributes in Radius Messages During Interaction with AAA

Attribute | Attribute Value | Access-Request | Access-Accept | Accounting-Start | Accounting-Stop | Accounting-Interim-Update
Calling-Station-Id | 31 | 0-1 | 0 | 0-1 | 0-1 | 0-1
Correlation-Id | 26/5535/44 | 0 | 0 | 0-1 | 0-1 | 0-1
Served-MDN | 26/20942/1-10-10-10 (cells run together in the archive copy)
Charging-Type | 26/20942/101 | 0 | 0-1 | 0-1 | 0-1 | 0
HA-Service-Address | 26/5535/7 | 0 | 0 | 0-1 | 0-1 | 0

So you could add the following to your dictionary:

#
# Vendor-specific attributes for China Telecom
#
VENDOR      China-Telecom   20942
VENDORATTR  20942   China-Telecom-Served-MDN    100 string
VENDORATTR  20942   China-Telecom-Charging-Type 101 integer

VALUE   China-Telecom-Charging-Type Post-paid               1
VALUE   China-Telecom-Charging-Type Pre-paid                2
VALUE   China-Telecom-Charging-Type Both-post-and-pre-paid  3

When you do get the real attribute definitions please send us a copy.

regards

Hugh


On 19 Sep 2013, at 17:17, Mlungisi Sibanda mdaw...@mweb.co.zw wrote:

 Hello,
 
 We are getting an attribute error below in our debug log.
 
 ERR: Attribute number 100 (vendor 20942) is not defined in your dictionary
 
 This is supposed to be an accounting attribute and the vendor belongs to China Telecom. We have been asked to forward attribute values so that they can be added to the default dictionary but we can't seem to find these values.
 
 Does anyone have these attributes?
 
 We are kinda desperate.
 
 Regards
 Mlungisi

Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine

Hello Heikki -

I think it should be this(?):


#
# China Telecom-Guangzhou Research and Development Center (Huawei)
#
VENDOR  CNCTC   20942
CNCTC-Served-MDN    100 string
CNCTC-Charging-Type 101 integer

VALUE   CNCTC-Charging-Type 1 Post-Paid
VALUE   CNCTC-Charging-Type 2 Pre-Paid
VALUE   CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid



regards

Hugh


On 19 Sep 2013, at 18:44, Heikki Vatiainen h...@open.com.au wrote:

 On 09/19/2013 11:30 AM, Hugh Irvine wrote:
 
 So you could add the following to your dictionary:
 
 #
 # Vendor-specific attributes for China Telecom
 #
 
 VENDOR  China-Telecom 20942
 
 VENDORATTR  20942   China-Telecom-Served-MDN    100   string
 VENDORATTR  20942   China-Telecom-Charging-Type 101   integer
 
 VALUE   China-Telecom-Charging-Type Post-paid               1
 VALUE   China-Telecom-Charging-Type Pre-paid                2
 VALUE   China-Telecom-Charging-Type Both-post-and-pre-paid  3
 
 
 When you do get the real attribute definitions please send us a copy.
 
 Hello Mlungisi, Hello Hugh,
 
 here's another doc I found:
 http://www.cisco.com/en/US/docs/ios/12_4/12_4x/12_4_22_xr/feature/guide/pdsn5_0_fcs.pdf
 
 
 I propose this. It's the same as Hugh suggested but here the vendor name
 follows an existing example. I also changed the value names to follow
 the existing Dashes-And-Capitals notation the dictionary mostly uses.
 
 Mlungisi, please let us know if you get reasonably looking attributes
 with these dictionary entries. Also, as Hugh mentions, if you have or
 find out more information about the attributes, please let us know.
 
 #
 # China Telecom-Guangzhou Research and Development Center (Huawei)
 #
 VENDOR  CNCTC   20942
 CNCTC-Charging-Type 100 integer
 CNCTC-Served-MDN    101 string
 
 VALUE CNCTC-Charging-Type 1 Post-Paid
 VALUE CNCTC-Charging-Type 2 Pre-Paid
 VALUE CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
 
 Thanks,
 Heikki
 
 -- 
 Heikki Vatiainen h...@open.com.au
 
 Radiator: the most portable, flexible and configurable RADIUS server
 anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
 Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
 TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
 DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
 NetWare etc.
 ___
 radiator mailing list
 radiator@open.com.au
 http://www.open.com.au/mailman/listinfo/radiator




Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread Hugh Irvine

Hi Heikki -

Actually I was meaning the attribute numbers.

According to what I looked at Served-MDN should be 100 and Charging-Type should 
be 101?

regards

Hugh


On 19 Sep 2013, at 19:14, Heikki Vatiainen h...@open.com.au wrote:

 Thanks, Hugh. Looks like I should not trust my memory with dictionary
 format. This should be in correct format:
 
 #
 # China Telecom-Guangzhou Research and Development Center (Huawei)
 #
 VENDOR      CNCTC   20942
 VENDORATTR  20942   CNCTC-Charging-Type 100 integer
 VENDORATTR  20942   CNCTC-Served-MDN    101 string
 
 VALUE CNCTC-Charging-Type Post-Paid   1
 VALUE CNCTC-Charging-Type Pre-Paid2
 VALUE CNCTC-Charging-Type Post-Paid-And-Pre-Paid  3
 
 Heikki
 
 


Re: [RADIATOR] AddressAllocator DHCP and STOP Accounting packets

2013-09-18 Thread Hugh Irvine

Hello Vangelis -

An accounting stop should release the address.

I will need to see a copy of your configuration file together with a trace 4 
debug showing an accounting start and an accounting stop.

regards

Hugh


On 18 Sep 2013, at 23:44, Vangelis Kyriakakis vkyr...@forthnetgroup.gr wrote:

 Hello,
 
 I'm trying to use AuthBy DYNADDRESS combined with AddressAllocator
 DHCP in order to allocate IPv4 addresses from a DHCP server.
 IP allocation during authentication is working fine but there is no
 de-allocation happening with the STOP accounting packet. Is this the
 expected behaviour?
 
  Regards
  Vangelis


Re: [RADIATOR] MongoDB \ Accounting

2013-07-28 Thread Hugh Irvine

Hello Joe -

I would be inclined to use method d) so you get a copy of the accounting 
requests in a separate process where you can do whatever you need to without 
impacting your main process.

You would do something like this (assuming you are using Handlers):


…..

<Handler Request-Type = Accounting-Request>

    AuthByPolicy ContinueAlways

    <AuthBy RADIUS>
        # forward a copy to a separate process
        ……
        IgnoreAccountingResponse
    </AuthBy>

    <AuthBy SQL>
        # do normal accounting
        …..
    </AuthBy>

</Handler>


It's also a good idea to have separate Radiator processes for authentication and 
accounting in any case.

regards

Hugh



On 28 Jul 2013, at 18:21, Joe Hughes joeyconcr...@gmail.com wrote:

 Hi
 
 Simple question really.
 
 I want to introduce MongoDB as a test server for storing accounting and 
 session data.
 
 We currently use MSSQL, it works well, but the large amount of data (and 
 related joins into other data islands) can become unwieldy over time - 
 especially for historic reporting. I have done some work with MongoDB and 
 other systems (with relatively straightforward schemas), and storing 
 accounting\session data seems well suited for this. Don't get me wrong, it's not 
 that MSSQL\MySQL aren't up to the task, I just think this is well suited for 
 NoSQL and I am keen to satisfy my technical curiosity.
 
 I am considering the best ways of getting the accounting data from our RADIUS 
 servers \ SQL databases into MongoDB.
 
 Looking for some feedback\comments.
 
 Some options;
 
 a) Write an accounting hook to break apart the accounting message, construct a 
 JSON request and send it off to a remote application server. * Downside is 
 the risk of blocking\disrupting the main process.
 
 b) Spool the messages to disk, have an out-of-process script parse the files, 
 construct a JSON (or MongoDB request) , send it to a remote server and delete 
 the file. Downside is some disk\write IO, nothing too taxing. * Out of 
 process = good.
 
 c) At the DB level, clone the accounting messages into another table. Script 
 reads the rows, processes as above, then deletes the rows. * Some extra DB 
 load.
 
 d) Possibly silently forwarding (or replicating) the accounting message to 
 another server and doing one of the above
 
 Anything I have missed? I am leaning towards b) or c).
 
 Is anybody else using NoSQL for this type of application? Any feedback?
 
 Regards
 
 Joe
 
 
 
 
 
 


Re: [RADIATOR] logging EAP method

2013-07-11 Thread Hugh Irvine

Hello Stuart -

Have a look at the code in Radius/EAP.pm.

The EAPType is added to the current request as 

$p->{EAPType}

and the name is added as

$p->{EAPTypeName}

You can easily write a little hook to use one or the other or both.

regards

Hugh


On 12 Jul 2013, at 04:32, Stuart Kendrick skend...@fhcrc.org wrote:

 Is there a way to log the EAP method employed?
 
 I'm doing this currently:
 LogSuccess 1
 SuccessFormat %l: wap: OK: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
 LogFailure 1
 FailureFormat %l: wap: FAIL: %U: %n: %c: %{NAS-Identifier}: %T: %{Calling-Station-Id}: %{Called-Station-Id}
 
 I was imagining something like %{EAP Method} ... but I don't see such a 
 token defined in Section 5.2 Special characters of the manual (pp. 
 20-24) ...
 
 [I'm trying to figure out which clients are still using LEAP ... ergo my 
 desire to log the EAP method ...]
 
 --sk
 
 Stuart Kendrick
 FHCRC


Re: [RADIATOR] Redirect Clients when Capped

2013-07-03 Thread Hugh Irvine

Hello Robert -

You will probably need a hook to do this sort of thing.

See the example hooks in goodies/hooks.txt.

regards

Hugh


On 3 Jul 2013, at 19:17, Robert kennedy rob...@onlinedirect.co.za wrote:

 
 Hi All
  
 I’m running an older version of radiator. 3.6 to be exact.
  
 I would like to redirect users when they are capped. I do see the ascend 
 client dns attributes, but I cannot seem to figure out how to use them only 
 when a user is capped.
  
 I did read the FAQ and saw how they used the ascend dns attribute but it 
 doesn’t seem to help me for capped users only.
  
 I’ve tried this, which has failed badly: I get WARNING: No such attribute 
 Ascend-Client-Primary-DNS. From my radius.cfg:
  
 <AuthBy SQL>
 Identifier AuthLocal
 
 DBSource dbi:Pg:dbname=visp;host=127.0.0.1
 DBUsername radiator
 DBAuth xx
 Timeout 2
 RejectEmptyPassword
 
 AuthSelect select CAST(CASE WHEN adsl.token = 'test_online' THEN \
 'x.x.x.x' ELSE 'x.x.y.y' END AS varchar) as \
 dns, adsl.pass_word, adsl.adsl_class_id, \
 adsl_disconnect_time_bw_cap (%0) as session_timeout, \
 login_limit, adsl.token \
 from adsl_accounts adsl, services s where \
 adsl.bw_allowed > 0 and adsl.username=%0 and adsl.enabled='1' \
 and adsl.account_id=s.account_id and adsl.bw_allowed > adsl.bw_used
 
 AuthColumnDef 0, Ascend-Client-Primary-DNS, reply
 AuthColumnDef 1, Password, check
 AuthColumnDef 2, Class, reply
 AuthColumnDef 3, Session-Timeout, reply
 AuthColumnDef 4, Simultaneous-Use, check
 AuthColumnDef 5, Configuration-Token, reply
 
 </AuthBy>
  
  
 Any help would be greatly appreciated.
  
 Warm Regards
  
 Robert
  
  
   
  
  
  
 


Re: [RADIATOR] Error: Attribute number 1 (vendor 3561) is not defined in your dictionary

2013-06-26 Thread Hugh Irvine

Hello -

These attributes are defined in the Radiator 4.11 dictionary:


VENDOR      ADSL-Forum  3561
VENDORATTR  3561    DSLForum-Agent-Circuit-Id                        1   string
VENDORATTR  3561    DSLForum-Agent-Remote-Id                         2   string
VENDORATTR  3561    DSLForum-Actual-Data-Rate-Upstream               129 integer
VENDORATTR  3561    DSLForum-Actual-Data-Rate-Downstream             130 integer
VENDORATTR  3561    DSLForum-Minimum-Data-Rate-Upstream              131 integer
VENDORATTR  3561    DSLForum-Minimum-Data-Rate-Downstream            132 integer
VENDORATTR  3561    DSLForum-Attainable-Data-Rate-Upstream           133 integer
VENDORATTR  3561    DSLForum-Attainable-Data-Rate-Downstream         134 integer
VENDORATTR  3561    DSLForum-Maximum-Data-Rate-Upstream              135 integer
VENDORATTR  3561    DSLForum-Maximum-Data-Rate-Downstream            136 integer
VENDORATTR  3561    DSLForum-Minimum-Data-Rate-Upstream-Low-Power    137 integer
VENDORATTR  3561    DSLForum-Minimum-Data-Rate-Downstream-Low-Power  138 integer
VENDORATTR  3561    DSLForum-Maximum-Interleaving-Delay-Upstream     139 integer
VENDORATTR  3561    DSLForum-Actual-Interleaving-Delay-Upstream      140 integer
VENDORATTR  3561    DSLForum-Maximum-Interleaving-Delay-Downstream   141 integer
VENDORATTR  3561    DSLForum-Actual-Interleaving-Delay-Downstream    142 integer
VENDORATTR  3561    DSLForum-Access-Loop-Encapsulation               144 string
VENDORATTR  3561    DSLForum-IWF-Session                             254 integer


regards

Hugh


On 26 Jun 2013, at 20:22, Muni Raj p.muni...@gmail.com wrote:

 
 HI, I am getting the following error in my Radiator. Could someone help 
 investigate this?
 -- 
 Regards
 
 P.Muniraj
 
 
 
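Both dictionary threads on this page (the vendor 20942 entries earlier and the ADSL-Forum 3561 entries in this message) come down to one mechanism: a Vendor-Specific attribute (RADIUS type 26) carries a Vendor-Id and then Vendor-Type/Vendor-Length/data sub-attributes, and the server can only name and type a sub-attribute if the (vendor, number) pair is in its dictionary; when it is not, Radiator logs the "Attribute number N (vendor V) is not defined in your dictionary" line quoted in the 20942 thread. The Python below is an added illustration of that decode path and is not Radiator's own code: `Dictionary`, `build_vsa`, `decode_vsa`, `decode_samples` and the sample byte strings are constructed here. The dictionary text embeds the entries posted in the two threads, using Served-MDN as 100 and Charging-Type as 101 (the numbering in Hugh's last message on the 20942 thread); swap them if the device documentation says otherwise.

```python
"""Decode RADIUS Vendor-Specific attributes against a Radiator-style dictionary.

Added illustration for the dictionary threads; not Radiator's own code. The VSA
byte strings below are constructed samples, not captures from any device.
"""
import struct

# Constructed dictionary text in Radiator's VENDOR/VENDORATTR/VALUE format,
# built from the entries posted in the threads.
DICTIONARY = """
#
# China Telecom-Guangzhou Research and Development Center (Huawei)
#
VENDOR      CNCTC   20942
VENDORATTR  20942   CNCTC-Served-MDN        100 string
VENDORATTR  20942   CNCTC-Charging-Type     101 integer
VALUE       CNCTC-Charging-Type Post-Paid               1
VALUE       CNCTC-Charging-Type Pre-Paid                2
VALUE       CNCTC-Charging-Type Post-Paid-And-Pre-Paid  3

VENDOR      ADSL-Forum  3561
VENDORATTR  3561    DSLForum-Agent-Circuit-Id           1   string
VENDORATTR  3561    DSLForum-Actual-Data-Rate-Upstream  129 integer
"""


class Dictionary:
    """Minimal reader for VENDOR / VENDORATTR / VALUE lines ('#' starts a comment)."""

    def __init__(self, text):
        self.vendors = {}  # vendor number -> vendor name
        self.attrs = {}    # (vendor number, attr number) -> (attr name, type)
        self.values = {}   # (attr name, integer) -> symbolic VALUE name
        for raw in text.splitlines():
            fields = raw.split("#", 1)[0].split()
            if not fields:
                continue
            if fields[0] == "VENDOR" and len(fields) >= 3:
                self.vendors[int(fields[2])] = fields[1]
            elif fields[0] == "VENDORATTR" and len(fields) >= 5:
                self.attrs[(int(fields[1]), int(fields[3]))] = (fields[2], fields[4])
            elif fields[0] == "VALUE" and len(fields) >= 4:
                self.values[(fields[1], int(fields[3]))] = fields[2]


class UndefinedAttribute(Exception):
    """The situation behind Radiator's 'is not defined in your dictionary' ERR line."""


def build_vsa(vendor, vtype, data):
    """Value of attribute 26 (RFC 2865 5.26): Vendor-Id(4) Vendor-Type(1) Vendor-Length(1) data."""
    if len(data) > 247:
        raise ValueError("vendor data too long for one attribute")
    return struct.pack("!IBB", vendor, vtype, len(data) + 2) + data


def integer_value(n):
    """RADIUS integers are unsigned 32-bit big-endian."""
    return struct.pack("!I", n)


def decode_vsa(payload, dictionary):
    """Return [(attr name, value)] for each sub-attribute; raise if one is undefined."""
    if len(payload) < 6:
        raise ValueError("VSA shorter than Vendor-Id plus one sub-attribute header")
    vendor = struct.unpack("!I", payload[:4])[0]
    out, pos = [], 4
    while pos < len(payload):
        if pos + 2 > len(payload):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = payload[pos], payload[pos + 1]
        if vlen < 2 or pos + vlen > len(payload):  # Vendor-Length counts its own 2 header octets
            raise ValueError("bad Vendor-Length")
        data = payload[pos + 2:pos + vlen]
        spec = dictionary.attrs.get((vendor, vtype))
        if spec is None:
            raise UndefinedAttribute(
                f"Attribute number {vtype} (vendor {vendor}) is not defined in your dictionary")
        name, typ = spec
        if typ == "integer":
            if len(data) != 4:
                raise ValueError(f"{name}: integer attribute must be 4 octets")
            num = struct.unpack("!I", data)[0]
            value = dictionary.values.get((name, num), num)  # VALUE name if one exists
        elif typ == "string":
            value = data.decode("utf-8", errors="replace")
        else:
            value = data.hex()
        out.append((name, value))
        pos += vlen
    return out


# Constructed sample VSA values (not real traffic).
SAMPLES = {
    "charging_type": build_vsa(20942, 101, integer_value(2)),
    "charging_type_unnamed": build_vsa(20942, 101, integer_value(9)),
    "served_mdn": build_vsa(20942, 100, b"5550001234"),
    "circuit_id": build_vsa(3561, 1, b"access-node eth 1/1/2:100"),
    "undefined": build_vsa(3561, 200, b"?"),
}


def decode_samples(dictionary=None):
    """Decode every sample; for an undefined attribute return the error text instead."""
    d = dictionary if dictionary is not None else Dictionary(DICTIONARY)
    results = {}
    for label, payload in SAMPLES.items():
        try:
            results[label] = decode_vsa(payload, d)
        except UndefinedAttribute as err:
            results[label] = str(err)
    return results


if __name__ == "__main__":
    for label, result in decode_samples().items():
        print(f"{label}: {result}")
```

Running `decode_samples(Dictionary(""))` reproduces the original complaint for every sample: with no vendor entries, even the Charging-Type packet is reported as undefined, which is why adding the VENDORATTR lines (rather than ignoring the ERR) is the fix.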


Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-06-26 Thread Hugh Irvine

Hello Jason -

According to section 5.5 in the Radiator 4.11 reference manual (doc/ref.pdf) 
you need to specify both ipv6 and ipv4 like this:


BindAddress  ipv6:::, 0.0.0.0


5.5 Address binding

One of the main functions of Radiator is to listen for UDP packets and TCP 
connections from other systems according to the Radiator configuration. The 
various Radiator clauses that can accept packets or connections from other 
systems all support the BindAddress parameter, which controls which IP 
addresses Radiator will listen on. IP packets sent to an IP address which is on 
the Radiator host, but which Radiator has not bound with BindAddress will not 
be received by Radiator.

The driver for this is that a single host may have multiple IP addresses, and 
those addresses may be IPV4, IPV6 and/or IPV4-over-IPV6. You may require 
Radiator to only honour requests directed to one of or a subset of the IP 
addresses for the host.

With BindAddress you can control which destination IP addresses Radiator will 
accept. You can specify one or more IPV4 or IPV6 addresses, including wildcard 
addresses. You can specify one or more comma separated bind addresses in the 
BindAddress parameter. The following forms may be used:

• 0.0.0.0 (the default) Any IPV4 address on the host

• 1.2.3.4 A specific IPV4 address on the host

• ipv6::: Any IPV6 address on the host (and this may include any 
IPV4-over-IPV6 address, depending on how the host is configured)

• ipv6:2001:610:148:100::31 A specific IPV6 address on the host

They may be combined in one BindAddress parameter like so:

BindAddress 0.0.0.0
BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31 
BindAddress ipv6:::, 0.0.0.0

Hint: Linux also has a special file to control the system wide behaviour: 
/proc/sys/net/ipv6/bindv6only

By default this seems to be 0. When it is 0, this will not work as expected:

BindAddress ipv6:::, 0.0.0.0

But if it is set to 1, the IPV6 bind will not include the IPV4 bind and will 
work as expected.

Hint: In order to support IPV6 address, you must install the Perl Socket6 
module.


regards

Hugh



On 27 Jun 2013, at 08:56, Mueller, Jason C jason-muel...@uiowa.edu wrote:

 Hello,
 
 I am using Radiator 4.11.
 
 I will show relevant portions of my config and then comment on them (IP 
 addresses changed and Secret ***'d out to protect the guilty):
 --
 BindAddress ipv6:::
 AuthPort  1812
 AcctPort  1813
 # ipv6 client
 <Client ipv6:2620:0:e50:100::100>
   Secret  ***
   DupInterval 0
   AddToReply Session-Timeout=0,cisco-avpair=shell:roles=network-admin
 </Client>
 # ipv4 client
 <Client 128.255.90.90>
   Secret  ***
   DupInterval 0
   AddToReply Session-Timeout=0,Filter-Id=15
 </Client>
 # ipv4 subnet
 <Client 128.255.100.0/24>
   Secret  ***
   DupInterval 0
   AddToReply Session-Timeout=0,Filter-Id=10
 </Client>
 --
 
 When I use the BindAddress ipv6::: configuration parameter, neither of the 
 IPv4 client definitions work. Radiator will give the following log message:
 Wed Jun 26 16:56:38 2013: NOTICE: Request from unknown client 128.255.90.90: 
 ignored
 
 In the above configuration, the IPv6 client works just fine.
 
 If I add a Client DEFAULT clause when I still have the BindAddress 
 ipv6::: parameter configured, the IPv4 clients that I want to match more 
 specifically will match on the DEFAULT client stanza. I cannot have a DEFAULT 
 client stanza in my config.
 
 Additionally, if I remove the BindAddress ipv6::: parameter from the config 
 (or comment it out), then the IPv4 clients work as expected.
 
 It appears that when I enable IPv6 like above, that I lose my ability to 
 match on more specific IPv4 client clauses, and I have to use the DEFAULT 
 client stanza, which is not an option for me.
 
 Thoughts? Any help is appreciated.
 
 -Jason
 
 
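An added example of the address-matching pitfall behind the bindv6only hint in the manual excerpt above; it is not Radiator's code and does not reproduce Radiator's client lookup. With bindv6only at its default of 0, a socket bound to ipv6::: also receives IPv4 datagrams, but the kernel reports their source in IPv4-mapped form (::ffff:128.255.90.90). A lookup that tests that form directly against an IPv4 Client clause finds nothing, which is one way to arrive at "Request from unknown client"; falling back to a Client DEFAULT would instead let any source that can reach the port try its secret, which is why Jason rules it out. The names `CLIENTS`, `canonical`, `naive_match`, `match_client` and `demo_dual_stack` are chosen here, and `CLIENTS` is constructed from the three Client clauses Jason posted.

```python
"""Client-clause matching for requests arriving on a wildcard IPv6 socket.

Added example for the BindAddress thread; not Radiator's code. The client table
is constructed from the three Client clauses posted in the thread.
"""
import ipaddress
import socket

# Constructed from the posted Client clauses: (network, label).
CLIENTS = [
    (ipaddress.ip_network("2620:0:e50:100::100"), "ipv6 client"),
    (ipaddress.ip_network("128.255.90.90"), "ipv4 client"),
    (ipaddress.ip_network("128.255.100.0/24"), "ipv4 subnet"),
]


def canonical(addr):
    """Parse addr and unmap ::ffff:a.b.c.d to the IPv4 address a.b.c.d."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])  # drop a scope id such as %eth0
    if ip.version == 6 and ip.ipv4_mapped is not None:
        return ip.ipv4_mapped
    return ip


def naive_match(addr, clients=CLIENTS):
    """Membership test on the address exactly as received: misses mapped IPv4 sources."""
    ip = ipaddress.ip_address(addr.split("%", 1)[0])
    for net, label in clients:
        if ip.version == net.version and ip in net:
            return label
    return None


def match_client(addr, clients=CLIENTS):
    """Unmap first, then pick the most specific (longest prefix) matching clause."""
    ip = canonical(addr)
    best = None
    for net, label in clients:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, label)
    return best[1] if best else None


def demo_dual_stack():
    """Receive one IPv4 datagram on a :: socket and return the source the kernel reports.

    IPV6_V6ONLY=0 is the per-socket equivalent of bindv6only=0. Returns None when
    the host has no dual-stack support; the datagram content is a constructed placeholder.
    """
    srv = cli = None
    try:
        srv = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        srv.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
        srv.bind(("::", 0))
        srv.settimeout(2)
        cli = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        cli.sendto(b"constructed test datagram", ("127.0.0.1", srv.getsockname()[1]))
        _, peer = srv.recvfrom(512)
        return peer[0]  # typically "::ffff:127.0.0.1"
    except (OSError, AttributeError):
        return None
    finally:
        for s in (srv, cli):
            if s is not None:
                s.close()


if __name__ == "__main__":
    seen = demo_dual_stack()
    print("kernel reported IPv4 sender as:", seen)
    for probe in ("128.255.90.90", "::ffff:128.255.90.90", "::ffff:128.255.100.7",
                  "2620:0:e50:100::100", "10.0.0.1"):
        print(f"{probe:24} naive={naive_match(probe)!s:12} unmapped={match_client(probe)}")
```

The two lookups only differ on the mapped form: `naive_match("::ffff:128.255.90.90")` returns nothing while `match_client` resolves it to the 128.255.90.90 clause. Setting bindv6only to 1 (or binding ipv6::: and 0.0.0.0 as two separate sockets, as the manual excerpt describes) avoids the mapped form entirely, so each request is seen with the address family its Client clause was written for.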


Re: [RADIATOR] Accounting logs in mysql or oracle db

2013-06-20 Thread Hugh Irvine

Hello Manish -

See goodies/sql.cfg in the distribution and section 5.31 in the Radiator 4.11 
reference manual (doc/ref.pdf).

regards

Hugh



On 20 Jun 2013, at 15:22, Arya, Manish Kumar m.a...@yahoo.com wrote:

 Hi,
  
 Can someone please help us to configure Radiator to push RADIUS 
 accounting logs into MySQL or Oracle databases?
 Some sample configs may help us.
 
 Regards,
 -Manish
 
 


Re: [RADIATOR] radiator dropping accounting request

2013-06-10 Thread Hugh Irvine

Hello Russell -

The first thing to do is look at a trace 4 debug in Radiator with 
LogMicroseconds enabled (requires Time-Hires from CPAN).

This will show you immediately how long each processing step is taking.

The usual cause of this sort of problem is a slow database, probably due to a 
very large number of records in the accounting table resulting in very long 
insert times.

See section 5.6.38 in the Radiator 4.11 reference manual (doc/ref.pdf).

regards

Hugh


On 11 Jun 2013, at 09:12, Russell Fulton r.ful...@auckland.ac.nz wrote:

 Hi
 
 We are using radiator (on linux) to collect accounting data from Cisco WISMs 
 (wireless infrastructure).  I have verified that the accounting data is being 
 received by the radiator machines but a fair portion never makes it to the 
 database.  Looking at the stats I see that there are a large number of drops 
 during peak times.
 
 I am trying to work out what is causing the drops.  CPU is sitting at well 
 under 5% (mostly %1) the back end database is hosting many other databases 
 that are not experiencing problems.  
 
 I would really like some hints as to where to start diagnosing this issue.  I 
 suspect that the issue has been there since the system was installed.  These 
 machines were originally meant to do the authentication as well as the 
 accounting but at go live got these same problems under load and it was 
 decided to switch authentication to MS radius.
 
 I am a security analyst with a lot of UNIX/Linux experience and I have root 
 access to the radiator boxes (4 of them).
 
 Russell
 
 ___
 radiator mailing list
 radiator@open.com.au
 http://www.open.com.au/mailman/listinfo/radiator


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.



Re: [RADIATOR] Radmin and Database

2013-05-27 Thread Hugh Irvine

Hello Rohan -

All of the Radmin code uses the current table names, so you can't really change 
them.

Depending on your database you may be able to use some form of synonym for the 
table names to add whatever you want.

See your database documentation for details.

regards

Hugh


On 28 May 2013, at 06:24, rohan.he...@cwjamaica.com wrote:

 Hello All,
 
 Can Radmin be installed with my own database schema (i.e. my own table_names)?
 
 Or must I conform to the database schema in Radiator sample files for Radmin 
 to work properly?
 
 Thanks.
 
 Rohan




Re: [RADIATOR] Radmin and Database

2013-05-22 Thread Hugh Irvine

Hello Rohan -

You can do this more simply by only processing stop records and subtracting the 
Acct-Session-Time from the Timestamp to get the start time.

This can be done directly in the SQL statement.

regards

Hugh


On 22 May 2013, at 17:11, Heikki Vatiainen h...@open.com.au wrote:

 On 05/22/2013 12:30 AM, rohan.he...@cwjamaica.com wrote:
 
 Sample records below include one row per session (I haven't yet been able to 
 do a proper conversion of epoch time to date for the START_TIME).
 
 You are thinking of consolidating the start and stop records into one
 session record, did I understand correctly?
 
 If so, I recommend using an external process, a cron job, database
 function, etc., to do this. This process or function could select all
 Stops, look up the respective start with Accounting-Session-Id and then
 create the combined record.
 
 I think you could do this with a Radiator hook that does the
 consolidation when an Accounting-Request with Acct-Status-Type=stop is
 received. The downside here would be the need to create and debug the
 hook and especially the extra processing Radiator needs to do.
 
 My choice would be to consider something that runs outside Radiator and
 does the session consolidation. I would also consider doing this fairly
 infrequently, maybe daily, if possible.
 
 Thanks,
 Heikki
 
 +-----------+-----------+---------------------+--------------------+-------------------+
 | USER_NAME | NAS_PORT  | ACCT_START_TIME     | ACCT_STOP_TIME     | ACCT_SESSION_TIME |
 +-----------+-----------+---------------------+--------------------+-------------------+
 | elclarke  | 805306450 | 0000-00-00 00:00:00 | Mar  1, 2013 01:11 |            729805 |
 | elclarke  | 805306450 | 0000-00-00 00:00:00 | Mar  6, 2013 09:03 |            460108 |
 | elclarke  | 805306450 | 1362578608          | Mar 12, 2013 03:33 |            498607 |
 | elclarke  | 805306450 | 1363077402          | Mar 16, 2013 12:01 |            375888 |
 | elclarke  | 805306450 | 1363467090          | Mar 21, 2013 14:53 |            428504 |
 +-----------+-----------+---------------------+--------------------+-------------------+
 
 
 
 On Tue, 21 May 2013 23:40:26 +0300
 Heikki Vatiainen h...@open.com.au wrote:
 On 05/21/2013 11:02 PM, rohan.he...@cwjamaica.com wrote:
 
 Can Radmin work in an environment where Radiator writes a single record 
 (containing both Start and Stop fields) to MySQL for each session as 
 opposed to two records per session?
 
 Hello Rohan,
 
 can you provide an example? This might be possible by defining suitable
 SQL queries, but it's hard to say more.
 
 Thanks,
 Heikki
 
 -- 
 Heikki Vatiainen h...@open.com.au
 
 Rohan



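Hugh's stop-only consolidation carried out inside the SQL statement, run here against an in-memory SQLite table, as an added example that is not code from the thread or from Radiator. The ACCOUNTING column names and the sample rows are assumptions; two of the sessions reuse the start/stop/session-time figures from Rohan's table above, and one of them has no Start record at all, which is exactly the case the stop-only query still handles.

```python
import sqlite3
from datetime import datetime, timezone

# Constructed sample rows in the shape of a Radiator-style ACCOUNTING table.
# Column names are assumed, not taken from the post; TIME_STAMP is epoch seconds.
# A1 and A2 reuse the figures from rows 3 and 4 of Rohan's table; A2's Start
# record never reached the database, only its Stop did.
SAMPLE_ROWS = [
    # (USERNAME, NASPORT, ACCTSESSIONID, ACCTSTATUSTYPE, TIME_STAMP, ACCTSESSIONTIME)
    ("elclarke", 805306450, "A1", "Start", 1362578608, None),
    ("elclarke", 805306450, "A1", "Stop",  1363077215, 498607),
    ("elclarke", 805306450, "A2", "Stop",  1363453290, 375888),
    # A Stop with no session time cannot yield a start time, so it is left out.
    ("jsmith",   805306451, "B1", "Stop",  1363467090, None),
]

# Hugh's approach done in SQL: read Stop rows only and derive the start time
# as stop time minus session time, so no Start row lookup by ACCTSESSIONID
# is needed and sessions whose Start was lost still come out whole.
SESSION_SQL = """
SELECT USERNAME, NASPORT, ACCTSESSIONID,
       TIME_STAMP - ACCTSESSIONTIME AS ACCT_START_TIME,
       TIME_STAMP                   AS ACCT_STOP_TIME,
       ACCTSESSIONTIME              AS ACCT_SESSION_TIME
FROM ACCOUNTING
WHERE ACCTSTATUSTYPE = 'Stop' AND ACCTSESSIONTIME IS NOT NULL
ORDER BY ACCT_STOP_TIME
"""

def load_accounting(rows):
    """Build an in-memory ACCOUNTING table and load the rows into it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE ACCOUNTING (
        USERNAME TEXT, NASPORT INTEGER, ACCTSESSIONID TEXT,
        ACCTSTATUSTYPE TEXT, TIME_STAMP INTEGER, ACCTSESSIONTIME INTEGER)""")
    conn.executemany("INSERT INTO ACCOUNTING VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn

def consolidate_sessions(rows=SAMPLE_ROWS):
    """Return one dict per session, built from Stop records alone."""
    keys = ("user", "nas_port", "session_id", "start", "stop", "session_time")
    with load_accounting(rows) as conn:
        return [dict(zip(keys, row)) for row in conn.execute(SESSION_SQL)]

def fmt(epoch):
    """Epoch seconds as a UTC string in the style of the post's ACCT_STOP_TIME column."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%b %d, %Y %H:%M")

if __name__ == "__main__":
    for s in consolidate_sessions():
        print(s["user"], s["session_id"], fmt(s["start"]), "->", fmt(s["stop"]), s["session_time"])
```
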

Re: [RADIATOR] Radiator logs showing

2013-05-20 Thread Hugh Irvine

Hello Prasoon -

The first thing to do is add NoDefault to your AuthBy LDAP2 clause.

This will stop the DEFAULTxxx lookups.

regards

Hugh


On 20 May 2013, at 15:01, Prasoon Majumdar prasoonpri...@gmail.com wrote:

 Hi All,
 
 The user password in the radius logs is getting encrypted automatically and ldap is not 
 able to process the logs:
 
 Fri May 17 14:04:23 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1536 [pkoorika@cyan]
 Fri May 17 14:04:23 2013: INFO: Connecting to 10.91.118.24:389
 Fri May 17 14:04:24 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
 Fri May 17 14:04:24 2013: DEBUG: LDAP got result for uid=pkoorika, ou=people, o=COLT, ou=customers, dc=colt,dc=net
 Fri May 17 14:04:25 2013: DEBUG: LDAP got userPassword: {crypt}2hn4lvaP15OXs
 Fri May 17 14:04:25 2013: DEBUG: LDAP got Cyaninc-User-Roles: Administrator
 Fri May 17 14:04:26 2013: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT1537 [pkoorika@cyan]
 Fri May 17 14:04:26 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1537 [pkoorika@cyan]
 Fri May 17 14:04:27 2013: INFO: Connecting to 10.91.118.24:389
 Fri May 17 14:04:27 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
 Fri May 17 14:04:28 2013: DEBUG: LDAP got result for uid=pkoorika, ou=people, o=COLT, ou=customers, dc=colt,dc=net
 Fri May 17 14:04:28 2013: DEBUG: LDAP got userPassword: {crypt}2hn4lvaP15OXs
 Fri May 17 14:04:29 2013: DEBUG: LDAP got Cyaninc-User-Roles: Administrator
 Fri May 17 14:04:29 2013: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT1538 [pkoorika@cyan]
 Fri May 17 14:04:30 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1538 [pkoorika@cyan]
 Fri May 17 14:04:30 2013: INFO: Connecting to 10.91.118.24:389
 Fri May 17 14:04:31 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
 Fri May 17 14:04:31 2013: DEBUG: LDAP got result for uid=pkoorika, ou=people, o=COLT, ou=customers, dc=colt,dc=net
 Fri May 17 14:04:32 2013: DEBUG: LDAP got userPassword: {crypt}2hn4lvaP15OXs
 Fri May 17 14:04:32 2013: DEBUG: LDAP got Cyaninc-User-Roles: Administrator
 Fri May 17 14:04:33 2013: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT1539 [pkoorika@cyan]
 Fri May 17 14:04:33 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1539 [pkoorika@cyan]
 Fri May 17 14:04:34 2013: INFO: Connecting to 10.91.118.24:389
 
 
 Is there a way to fix this issue? My configuration is listed below:
 
 
 AuthPort 1812, 1645
 AcctPort 1813, 1646
 DbDir /etc/radiator/db
 DictionaryFile %D/dictionary
 LogDir /var/log/radiator
 LogFile %L/radiator.log
 PidFile /var/log/radiator/radiator.pid
 #SocketQueueLength 1000
 Trace 4
 include %D/clients.cfg
 
 #
 # Convert username to lowercase
 #
 RewriteUsername tr/A-Z/a-z/
 
 #
 # SYSLOG Configuration
 #
 <Log SYSLOG>
     # Facility radius
     Trace 4
     LogSock udp
     LogHost 10.5.2.45
 </Log>
 
 #
 # Authentication Logs
 #
 <AuthLog FILE>
     Identifier auth_log
     Filename %L/auth-%Y-%v.log
     SuccessFormat %B:%u(NAS-Port: %{NAS-Port}):OK
     FailureFormat %B:%u(NAS-Port: %{NAS-Port}):%1:%P:FAIL
     LogSuccess 1
     LogFailure 1
 </AuthLog>
 
 #
 # Status logs
 #
 <StatsLog FILE>
     Interval 86400
     Filename /var/log/radiator/stats.log
 </StatsLog>
 
 # Cyan User Auth
 <AuthBy LDAP2>
     Identifier cyan_user_auth
     Host 10.91.118.24
     Port 389
     Timeout 60
     AuthDN uid=radius,ou=appusers,dc=colt,dc=net
     AuthPassword r@d1u5
     BaseDN o=colt,ou=customers,dc=colt,dc=net
     Scope subtree
     SearchFilter (uid=%U)
     UsernameAttr uid
     PasswordAttr userPassword
     ServerChecksPassword
     AuthAttrDef userPassword,User-Password,check
     AuthAttrDef radius-Callback-Id,Callback-Id,reply
     AuthAttrDef Cyaninc-User-Roles,CyanInc-User-Roles,reply
     AuthAttrDef Cyaninc-Acct-Event-Text,CyanInc-Acct-Event-Text,reply
     AddToReplyIfNotExist Service-Type=Login-User
 </AuthBy>
 
 <Handler Realm=cyan>
     AuthLog auth_log
     RewriteUsername s/^([^@]+).*/$1/
     AuthBy cyan_user_auth
 </Handler>
 
 
 Any ideas on how to fix the {crypt}2hn4lvaP15OXs parameter appearing for 
 ldap uids?
 
 -- 
 Regards,
 Prasoon Majumdar



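An added example, not code from the thread or from Radiator, that reads trace 4 lines like the ones quoted above and does the two checks Hugh's replies in this thread and in the accounting-drop thread point at: it times each step from the line timestamps (the optional fractional seconds are an assumption about what LogMicroseconds adds) and counts the DEFAULTnnnn lookups that NoDefault is meant to stop. The line layout regex is an assumption; the sample lines are a subset of Prasoon's.

```python
import re
from datetime import datetime, timedelta

# Assumed trace line layout; the optional fraction is what LogMicroseconds adds.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \w{3}\s+\d{1,2} \d\d:\d\d:\d\d)(?:\.(?P<us>\d{1,6}))?"
    r" (?P<year>\d{4}): (?P<level>\w+): (?P<msg>.*)$")
DEFAULT_RE = re.compile(r"(?P<kind>looks for match with|REJECT: Bad Password:) DEFAULT\d+ \[(?P<user>[^\]]+)\]")

# Constructed sample: a subset of the lines quoted in Prasoon's post above.
SAMPLE_LOG = """\
Fri May 17 14:04:23 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1536 [pkoorika@cyan]
Fri May 17 14:04:23 2013: INFO: Connecting to 10.91.118.24:389
Fri May 17 14:04:24 2013: INFO: Attempting to bind to LDAP server 10.91.118.24:389
Fri May 17 14:04:26 2013: DEBUG: Radius::AuthLDAP2 looks for match with DEFAULT1537 [pkoorika@cyan]
Fri May 17 14:04:26 2013: DEBUG: Radius::AuthLDAP2 REJECT: Bad Password: DEFAULT1537 [pkoorika@cyan]
Fri May 17 14:04:27 2013: INFO: Connecting to 10.91.118.24:389
""".splitlines()

def parse_line(line):
    """Return {'time', 'level', 'msg'} for one trace line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    when = datetime.strptime(f"{m['ts']} {m['year']}", "%a %b %d %H:%M:%S %Y")
    if m["us"]:  # fractional seconds from LogMicroseconds, right-padded to microseconds
        when += timedelta(microseconds=int(m["us"].ljust(6, "0")))
    return {"time": when, "level": m["level"], "msg": m["msg"]}

def step_durations(lines):
    """(seconds since the previous line, message): the wait before a step is what the previous step cost."""
    out, prev = [], None
    for rec in filter(None, map(parse_line, lines)):
        out.append(((rec["time"] - prev).total_seconds() if prev else 0.0, rec["msg"]))
        prev = rec["time"]
    return out

def default_fallthrough(lines):
    """Count DEFAULTnnnn lookups/rejects and LDAP reconnects; lookups still present after NoDefault means it did not take."""
    s = {"default_lookups": 0, "default_rejects": 0, "ldap_connects": 0, "users": set()}
    for rec in filter(None, map(parse_line, lines)):
        if rec["msg"].startswith("Connecting to "):
            s["ldap_connects"] += 1
        m = DEFAULT_RE.search(rec["msg"])
        if m:
            s["default_lookups" if m["kind"].startswith("looks") else "default_rejects"] += 1
            s["users"].add(m["user"])
    s["users"] = sorted(s["users"])
    return s
```

The largest value in step_durations is the line to look at first; on the sample it is the two seconds spent before the DEFAULT1537 lookup.
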
Re: [RADIATOR] Handler matching multiple Service-Types

2013-05-06 Thread Hugh Irvine

Hello Daniel -

Something like this should work:


<Handler Service-Type=/Call-Check|Login-User/>

…..

</Handler>


regards

Hugh


On 6 May 2013, at 18:20, Herrmann, Daniel daniel.herrm...@igd.fraunhofer.de wrote:

 Hello,
 
 We are using Radiator as RADIUS server for various switches. We have two 
 different Handlers, one for Cisco and HP gear, and one for Extreme switches.
 
 They are nearly identical, even the reply, except for the Service-Type. Cisco 
 requests have the attribute Service-Type=Call-Check, whereas Extreme switches 
 have Service-Type=Login-User set.
 
 Is there a way to write a handler matching both Service-Types without 
 omitting the check?
 
 Best Regards
 Daniel
 
 ---
 Daniel Herrmann
 Competence Center Lan (CC-LAN)
 
 Fraunhofer-Institut für Graphische Datenverarbeitung IGD
 Fraunhoferstr. 5  |  64283 Darmstadt  |  Germany
 Tel +49 6151 155-346  |  Fax +49 6151 155-399
 daniel.herrm...@igd.fraunhofer.de | www.igd.fraunhofer.de/
 



