[RADIATOR] RAdmin Authentication (Access to RAdmin Website)
Hi Guys,

Upgraded from 1.10 -> 1.15, and I (currently) can access 1.15 via the "anonymous" user (i.e. no login is required (or asked for) to access the Radmin pages). In the manual, it states that to enable RAdmin auth (which is what we want), you set the "Authenticate Admin Users" option on the "Edit Radmin Configuration" page... but I cannot see this option on that page?

Cheers.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] RAdmin Authentication (Access to RAdmin Website)
Just an update to this - I've enabled (forced) auth via .htaccess as an interim workaround, as I would prefer to use the RAdmin auth (i.e. so that admin user credentials are easily added/changed within Radmin, rather than via an .htpasswd file).

Cheers.

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Michael Bellears
Sent: Thursday, 5 November 2015 7:43 AM
To: radiator@open.com.au
Subject: [RADIATOR] RAdmin Authentication (Access to RAdmin Website)

> Hi Guys,
>
> Upgraded from 1.10 -> 1.15, and I (currently) can access 1.15 via the "anonymous" user (i.e. no login is required (or asked for) to access the Radmin pages). In the manual, it states that to enable RAdmin auth (which is what we want), you set the "Authenticate Admin Users" option on the "Edit Radmin Configuration" page... but I cannot see this option on that page?
>
> Cheers.
Re: [RADIATOR] Migrating a Radiator+Radmin server
Ah - just found one difference - NASTYPE appears to have been changed to NASENGINE in RADCLIENTLIST? Found after running the error I received:

    mysql> select NASIDENTIFIER,SECRET,DEFAULTREALM,NASTYPE,DUPINTERVAL from RADCLIENTLIST;
    ERROR 1054 (42S22): Unknown column 'NASTYPE' in 'field list'

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Michael Bellears
Sent: Tuesday, 3 November 2015 7:06 PM
To: 'radiator@open.com.au'
Subject: [RADIATOR] Migrating a Radiator+Radmin server

> Hi Everyone,
>
> Migrating an old server -> new, and are having some issues with Radmin. Dump of the original MySQL database, then import on the new server (after Radiator and Radmin install). Radmin works to an extent, but in some sections throws the following error:
>
>     A serious error has occurred: Could not prepare and execute select NASIDENTIFIER,SECRET,DEFAULTREALM,NASTYPE,DUPINTERVAL from RADCLIENTLIST
>
> But I can list all users, list service profiles etc. The "old" Radmin version was 1.10, the new is 1.15. Hoping there is a "simple" fix :) (As I have looked at the table structure of RADCLIENTLIST on both the 1.10 version and the 1.15 version, and they "appear" the same.)
>
> Cheers
Re: [RADIATOR] Migrating a Radiator+Radmin server
I think I may have found the problem.

"Older" version of SQL used: TYPE=MyISAM
"New" version of SQL uses: ENGINE=MyISAM

On the "new" server, it complained about our old Radmin database dump file, as it used "TYPE" - so I did a find/replace of "TYPE" -> "ENGINE", unaware there were "other" lines that had "Type"... hence NASTYPE was changed by the find/replace to NASENGINE. I'm just in the process of reimporting (post a more "accurate" find/replace)... fingers crossed all works OK :)

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Wednesday, 4 November 2015 7:55 AM
To: Michael Bellears; radiator@open.com.au
Subject: Re: [RADIATOR] Migrating a Radiator+Radmin server

On 11/03/2015 11:13 PM, Michael Bellears wrote:
> Thanks - absolutely no mods here... the migration page does mention quite a few mods to tables etc... perhaps it was in an older upgrade?

I took a look at the older Radmin releases too and there's no NASENGINE there. Also, the latest version does not have NASENGINE either. Engine does remind me a bit of MySQL DB engines, though.

When upgrading you should step upgrade. Currently, AuthRADMIN.pm in Radiator and Radmin goodies directory are the same, so there's no need to copy them.

> What would your suggestion be?

I would try doing step upgrade from 1.10. There appears to be no DB step between versions 1.13 and 1.14.

> Ie: It has an "other" version section:
>
> Other versions
> In order to upgrade between any other versions, you will need to dump your current database, install the new software and then reload your old data:

I would not do this yet but try the steps first.

Thanks,
Heikki

--
Heikki Vatiainen <h...@open.com.au>

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
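The find/replace mishap in this thread (a blanket TYPE -> ENGINE rewrite that also renamed the NASTYPE column) is avoided by anchoring the substitution to the table option it is meant to change. The following Python is an added example, not code from Radiator, Radmin or this thread. The dump text is constructed for the example: only the RADCLIENTLIST column names come from the query quoted above, the RADUSERS table is made up, and the pattern assumes the engine option is the last thing before the closing semicolon of each CREATE TABLE.

```python
import re
from typing import List

# Constructed sample of a MySQL dump in the old "TYPE=" dialect. Only the
# RADCLIENTLIST column names come from the thread; everything else is made up.
OLD_DUMP = """\
CREATE TABLE RADCLIENTLIST (
  NASIDENTIFIER varchar(80) NOT NULL,
  SECRET varchar(80) NOT NULL,
  DEFAULTREALM varchar(80),
  NASTYPE varchar(20),
  DUPINTERVAL int,
  PRIMARY KEY (NASIDENTIFIER)
) TYPE=MyISAM;
INSERT INTO RADCLIENTLIST VALUES ('10.0.0.1','s3cret',NULL,'Cisco',0);
CREATE TABLE RADUSERS (
  USERNAME varchar(80) NOT NULL,
  PASSWORD varchar(80) NOT NULL,
  SERVICETYPE int
) TYPE=MyISAM;
"""


def naive_rewrite(dump: str) -> str:
    """The rewrite described in the thread: every TYPE becomes ENGINE,
    so NASTYPE (and SERVICETYPE) are silently renamed too."""
    return dump.replace("TYPE", "ENGINE")


# Anchored pattern: the closing ')' of a CREATE TABLE, the TYPE= table option
# with its engine name, and the terminating ';'. It cannot match inside a
# column name such as NASTYPE because those are never followed by '='.
_TABLE_OPTION = re.compile(r"\)\s*TYPE=(\w+)\s*;", re.IGNORECASE)


def safe_rewrite(dump: str) -> str:
    """Rewrite only the table option, keeping the engine name as-is."""
    return _TABLE_OPTION.sub(lambda m: f") ENGINE={m.group(1)};", dump)


def column_names(dump: str, table: str) -> List[str]:
    """Checker helper: the column names of one CREATE TABLE in the dump,
    so the two rewrites can be compared before re-importing."""
    body = re.search(rf"CREATE TABLE {table} \((.*?)\n\)", dump, re.S).group(1)
    cols = []
    for line in body.splitlines():
        line = line.strip().rstrip(",")
        if line and not line.upper().startswith(("PRIMARY KEY", "KEY", "UNIQUE")):
            cols.append(line.split()[0])
    return cols


if __name__ == "__main__":
    print("naive:", column_names(naive_rewrite(OLD_DUMP), "RADCLIENTLIST"))
    print("safe: ", column_names(safe_rewrite(OLD_DUMP), "RADCLIENTLIST"))
```

Comparing `column_names()` of the rewritten dump against the original before the import is the cheap check that would have caught the NASENGINE rename.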
[RADIATOR] Authlog FILE - file location
Hi,

Hopefully a quick question. I've had a read of the manual, but can't seem to find if it is possible to set a path for each logfile?

i.e.

    Identifier myauthlogger3
    Filename authlog_dsl_cust_a

Will log to file authlog_dsl_cust_a in the dir that Radiator was started from. Is there any way to add a "path" to where the file will be located?

Cheers.
Re: [RADIATOR] Authlog FILE - file location
Ah - legendary! Thank you Hugh.

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au]
Sent: Wednesday, 4 November 2015 4:47 PM
To: Michael Bellears
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Authlog FILE - file location

Hello Michael -

Yes - set the LogDir parameter to whatever you wish:

    …..
    # set LogDir
    LogDir /var/log/radius
    …..
        Identifier myauthlogger3
        Filename %L/authlog_dsl_cust_a
    …..

You can also use any of the special characters listed in section 5.2 of the Radiator 4.15 reference manual ("doc/ref.pdf").

regards

Hugh

> On 4 Nov 2015, at 17:18, Michael Bellears <mbelle...@gcomm.com.au> wrote:
>
> Hi,
>
> Hopefully a quick question. I've had a read of the manual, but can't seem to find if it is possible to set a path for each logfile?
>
> i.e.
>
>     Identifier myauthlogger3
>     Filename authlog_dsl_cust_a
>
> Will log to file authlog_dsl_cust_a in the dir that Radiator was started from. Is there any way to add a "path" to where the file will be located?
>
> Cheers.

--
Hugh Irvine h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER, SIM, etc. Full source on Unix, Linux, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] All RADIUS servers failed to respond
I think maybe you have the wrong mailing list? This mailing list is for Radiator.

On 11/02/15 02:38 PM, Cover, Christopher R. CTR wrote:
> So sorry to display my ignorance, but I am having difficulty diagnosing why we cannot authenticate with RADIUS. I wonder if these clues might ring a bell with anyone with more experience. Thank you very much in advance for any clues.
>
> We are using Redhat Enterprise Linux 6.6, and the PAM module, pam_radius, version 1.4.0 from FreeRADIUS.org (http://freeradius.org/pam_radius_auth/). It was compiled by itself, apart from the FreeRADIUS server.
>
> Our PAM configuration (/etc/pam.d/sshd):
>
>     #%PAM-1.0
>     auth required pam_sepermit.so
>     auth sufficient /usr/local/lib64/security/pam_radius_auth.so debug client_id=sshsv
>     auth include password-auth
>
> Our pam_radius module configuration (/etc/raddb/server):
>
>     xxx.xxx.xxx.150:1645 $3cr3t 3
>     xxx.xxx.xxx.151:1645 $3cr3t 3
>
> Yet, invariably we receive the following from /var/log/secure:
>
>     Feb 11 13:34:41 client-host sshd[16967]: Invalid user testuser from xxx.xxx.xxx.7
>     Feb 11 13:34:41 client-host sshd[16970]: input_userauth_request: invalid user testuser
>     Feb 11 13:34:50 client-host sshd[16967]: pam_radius_auth: Got user name testuser
>     Feb 11 13:34:50 client-host sshd[16967]: pam_radius_auth: ignore last_pass, force_prompt set
>     Feb 11 13:34:50 client-host sshd[16967]: pam_radius_auth: Sending RADIUS request code 1
>     Feb 11 13:34:53 client-host sshd[16967]: pam_radius_auth: RADIUS server xxx.xxx.xxx.150 failed to respond
>     Feb 11 13:34:56 client-host sshd[16967]: pam_radius_auth: RADIUS server xxx.xxx.xxx.151 failed to respond
>     Feb 11 13:34:56 client-host sshd[16967]: pam_radius_auth: All RADIUS servers failed to respond.
>     Feb 11 13:34:56 client-host sshd[16967]: pam_radius_auth: authentication failed
>     Feb 11 13:34:56 client-host sshd[16967]: pam_unix(sshd:auth): check pass; user unknown
>     Feb 11 13:34:56 client-host sshd[16967]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=remote-host
>
> Have we missed something obvious?
Re: [RADIATOR] AuthBy Syslog port
Correct me if I'm wrong, but is it the non-Radiator Syslog Perl module that doesn't have an option to specify the port?

On 05/02/15 12:59 PM, l...@airstreamcomm.net wrote:
> We are experimenting with Docker containers and running Radiator in the most minimal footprint possible, which means we wanted to avoid an unnecessary install of rsyslog. Will this option be available in future releases?
>
> On Feb 5, 2015, at 7:22 AM, Heikki Vatiainen h...@open.com.au wrote:
>> On 4.2.2015 1.30, List wrote:
>>> Is it possible to log AuthBy Syslog to an external server on a different port than 514? Reading the documentation I don't see an option to specify the port of the remote syslog server.
>>
>> You are correct, there is no option for setting the remote port. I recommend logging to the local syslog server and configuring it to forward the requests to the remote syslog servers. In addition to more flexibility with configuration, this will also offload handling the log messages to a separate process which can use, for example, TCP/TLS and whatever is required to make sure the log messages get to their destination.
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen h...@open.com.au
Re: [RADIATOR] COA log
I personally log COA/POD requests using a very custom method. This may not be desirable for others.

I do this by, after processing the COA/POD normally, passing it to an AuthBy config that essentially changes it to an Accounting-Request packet, populates a few extra values, then passes it to my normal accounting log AuthBy. This also requires adding custom values to the dictionary file.

    <AuthBy GROUP>
        Identifier convert2accounting
        <AuthBy INTERNAL>
            OtherHook sub {\
                # some fancy code here.
            }
        </AuthBy>
        # now that this packet has been converted to an accounting packet, it is
        # ready to be logged. pass it to the accounting log AuthBy
        AuthBy accounting_log
    </AuthBy>

An example result is something like this:

    +----------+---------------------+--------+-----------+--------------+
    | username | timestamp           | type   | sess_time | term_cause   |
    +----------+---------------------+--------+-----------+--------------+
    | username | 2015-01-05 15:04:09 | login  | NULL      | NULL         |
    | username | 2015-01-05 16:46:03 | info   | NULL      | rate-change  |
    | username | 2015-01-05 16:47:02 | info   | NULL      | kick-request |
    | username | 2015-01-05 16:47:02 | logout | 6173      | Admin-Reset  |
    +----------+---------------------+--------+-----------+--------------+

On 04/02/15 05:57 PM, Hugh Irvine wrote:
> Hello -
>
> As COA is not an authentication, it therefore follows that it will not be logged by an AuthLog clause.
>
> To see what happens with a COA you will need to look at the log file (not the authlog file).
>
> regards
>
> Hugh
>
> On 4 Feb 2015, at 20:49, ONRUBIA AVILES Carlos (SPC/CSP) carlos.onrubia.avi...@proximus.com wrote:
>> Dear all,
>>
>> I have the following problem: I can log authentication with the configuration here below, it works correctly. But if I use the event_log identifier to log a COA (and not a normal Access-Request with Accept or Reject), nothing happens.
>>
>> Can you indicate to me how to log a COA with the answer (ACK or NACK)?
>>
>> Thanks in advance,
>>
>>     <Handler User-Name = ABCD>
>>         AuthBy toto
>>         AuthLog event_log
>>     </Handler>
>>
>>     <AuthLog FILE>
>>         Identifier event_log
>>         Filename %L/event_auth.log
>>         SuccessFormat %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,%a,,PASS,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,
>>         FailureFormat %v %d %H:%M:%S,,%s,,%n,,HIDDEN,,none,,FAIL,,%N,,%c,,%{Type},,%{Connect-Info},,%{Calling-Station-Id},,%{GlobalVar:servername}%{GlobalVar:suffixfon},,%{GlobalVar:authPort},,%1
>>         LogSuccess 1
>>         LogFailure 1
>>     </AuthLog>
>
> --
> Hugh Irvine h...@open.com.au
Re: [RADIATOR] Account log to MySQL
If you have a lot of different devices, and lots of auth activity, I would suggest setting up your authlog SQL table to have a unique index for user/type/reason, and an SQL query that inserts, but if the same error already exists, just increments a count column and the timestamp. This way, if a device is rejected and tries to connect 12 million times because it's a stupid D-Link router, you don't end up with 12 million rows in your SQL table. Only applies for larger setups I guess.

On 03/02/15 04:39 PM, Chad Roseburg wrote:
> Goal: Capture successful logins as well as failures for stats purposes.
>
> I am setting up logging to a local MySQL instance. Here's what I've done:
>
> * Following instructions in the 'mysqlcreate.sql' file, I created the radius table and user(s).
> * Created the MySQL tables using the provided 'mysqlCreate.sql' in goodies.
> * Added the following stanza to my Handler just below the SIP AuthBy stanza:
>
> ----- conf - Handler -----
>
>     <Handler>
>         <AuthBy SIP2>
>             Port 6001
>             Host siphost.com
>             Delimiter |
>             LoginUserID sipuser
>             LoginPassword supersecret
>             LocationCode Radiator
>             SendChecksum no
>             VerifyChecksum no
>             NoDefault
>             EAPType GTC
>         </AuthBy>
>         <AuthLog SQL>
>             DBSource dbi:mysql:radius:localhost
>             DBUsername radius
>             DBAuth secrets
>             LogSuccess
>             SuccessQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 1)
>             LogFailure
>             FailureQuery insert into RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON) values (%t, '%n', 0, %1)
>         </AuthLog>
>     </Handler>
>
> ----- /conf -----
>
> I'm not seeing anything with:
>
>     SELECT * FROM RADAUTHLOG;
>
> Is it just a quiet day or am I missing something?
>
> Last question is: does USERNAME refer to the client?
>
> Thank you!
>
> --
> Chad Roseburg
> Automation Dept.
> North Central Regional Library
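The de-duplicating authlog table suggested above, as an added example in Python with SQLite standing in for MySQL (this is not code from Radiator or from the thread). The column names follow the RADAUTHLOG columns in the quoted config; the COUNT column, the UNIQUE index, the NOT NULL default on REASON and the sample events are assumptions made for the example. The SQLite ON CONFLICT ... DO UPDATE clause (SQLite 3.24 or later) corresponds to INSERT ... ON DUPLICATE KEY UPDATE in MySQL.

```python
import sqlite3

# Constructed schema modelled on the RADAUTHLOG columns used in the thread,
# plus the COUNT column and UNIQUE index the reply suggests.
# REASON is NOT NULL DEFAULT '' on purpose: in both SQLite and MySQL, NULLs
# are never equal for a UNIQUE index, so a NULL reason on every success would
# defeat the de-duplication and insert a fresh row every time.
SCHEMA = """
CREATE TABLE RADAUTHLOG (
    TIME_STAMP INTEGER NOT NULL,
    USERNAME   TEXT    NOT NULL,
    TYPE       INTEGER NOT NULL,            -- 1 = success, 0 = failure
    REASON     TEXT    NOT NULL DEFAULT '',
    COUNT      INTEGER NOT NULL DEFAULT 1,
    UNIQUE (USERNAME, TYPE, REASON)
);
"""

# Upsert: a new (user, type, reason) triple inserts a row; a repeat bumps
# COUNT and moves TIME_STAMP to the latest occurrence.
UPSERT = """
INSERT INTO RADAUTHLOG (TIME_STAMP, USERNAME, TYPE, REASON)
VALUES (?, ?, ?, ?)
ON CONFLICT (USERNAME, TYPE, REASON) DO UPDATE SET
    COUNT      = COUNT + 1,
    TIME_STAMP = excluded.TIME_STAMP;
"""


def open_authlog() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def log_auth(conn: sqlite3.Connection, ts: int, username: str, ok: bool, reason: str = "") -> None:
    """What the SuccessQuery/FailureQuery would do for one request."""
    conn.execute(UPSERT, (ts, username, 1 if ok else 0, reason))


def rows(conn: sqlite3.Connection):
    return conn.execute(
        "SELECT USERNAME, TYPE, REASON, COUNT, TIME_STAMP FROM RADAUTHLOG ORDER BY USERNAME, TYPE"
    ).fetchall()


def demo():
    """Constructed events: one good login, then a misbehaving router retrying
    the same bad password twelve times. Returns the collapsed table."""
    conn = open_authlog()
    log_auth(conn, 1000, "alice", True)
    for i in range(12):
        log_auth(conn, 2000 + i, "dlink-router", False, "Bad Password")
    return rows(conn)


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Twelve rejects collapse into one row with COUNT 12 and the timestamp of the last attempt, which is what the stats query needs; the per-attempt detail is still available in the normal log file.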
Re: [RADIATOR] Two @ in User-Name: first Realm is used
Maybe you could just check the username directly?

    <Handler Username=/@(netcologne.de|netaachen.de)$/i>

Or maybe you just want to reject any username with 2 @ symbols first, and therefore should result in the realm check working how you want it to?

    <Handler Username=/@.*@/>
        <AuthBy INTERNAL>
            Identifier AuthBy_REJECT
            DefaultResult REJECT
            RejectReason pre-defined REJECT.
        </AuthBy>
    </Handler>

On 16/09/14 07:50 AM, Roland Rosenfeld wrote:
> Hi!
>
> I noticed the following problem:
>
> I have a
>
>     <Handler Realm=/^net(cologne|aachen)\.de$/i>
>     ...
>     </Handler>
>
> or alternatively
>
>     <Realm /^net(cologne|aachen)\.de$/i>
>     ...
>     </Realm>
>
> defined.
>
> I expected those to match on u...@netcologne.de and u...@netaachen.de, but my logs show that also u...@netcologne.de@foo (with two @ signs in the User-Name) gets access here.
>
> I'd like to keep out users with multiple @ signs in their User-Name. Any idea how to enforce this?
>
> In the manual I found the difference between %R (everything following the _first_ @ sign in the User-Name) and %K (everything following the _last_ @ sign in the User-Name), so there seems to be some logic about multiple @ signs, but how can I use this for my Realm matching?
>
> Tschö
> Roland
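The two suggested Handler checks, as an added Python simulation of how Radiator selects the first Handler whose check matches the request (example code, not Radiator's own and not from the thread). The Identifiers, the sample User-Names and the Handler order are assumptions; the realm pattern is the one suggested above with its dots escaped, because an unescaped "." matches any character.

```python
import re

# Constructed Handler table in the order the reply suggests. Radiator uses
# the first Handler whose check matches, so the multi-@ reject Handler has to
# come before the realm Handler.
HANDLERS = [
    ("AuthBy_REJECT", re.compile(r"@.*@")),
    ("netcologne_netaachen", re.compile(r"@(netcologne\.de|netaachen\.de)$", re.I)),
]


def select_handler(user_name: str, handlers=HANDLERS):
    """Return the Identifier of the first Handler whose User-Name check
    matches, or None when no Handler matches."""
    for identifier, check in handlers:
        if check.search(user_name):
            return identifier
    return None


def classify(user_names, handlers=HANDLERS):
    return {u: select_handler(u, handlers) for u in user_names}


# Constructed User-Names, including the two-@ case from the original post.
SAMPLES = [
    "user@netcologne.de",        # plain realm, accepted by the realm Handler
    "User@NetAachen.DE",         # /i makes the realm check case-insensitive
    "user@netcologne.de@foo",    # the case from the thread: rejected first
    "user@foo@netcologne.de",    # ends in a valid realm but has two @ signs
    "user@netcologneXde",        # would match the unescaped-dot regex
    "user@example.org",          # no Handler matches
]

if __name__ == "__main__":
    for name, handler in classify(SAMPLES).items():
        print(f"{name:26} -> {handler}")
```

The fourth sample shows why the order matters: with the Handlers reversed, `user@foo@netcologne.de` satisfies the end-anchored realm check and is never seen by the reject Handler.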
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
>> 3. Will disabling machine authentication have any effect on SSO so that a user can login to a domain computer and automatically authenticate to the wifi (assuming the proper GPOs are in place).
>
> The recent Windows versions seem to have a number of possibilities to choose which account, user or computer, does the wifi authentication. However, I have not looked more closely how these settings work with group policies. It would be interesting to hear how it works, so please let us know if you decide to test it.

I just wanted to follow up on this as I have done some testing. I was able to use GPOs to allow SSO with a domain user account despite dropping requests for computer authentication. The user's credentials are used to authenticate to the wireless network before the rest of the logon process. I'm using Windows 7 clients and Server 2008R2.

Thanks,
Michael

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu
Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP
Hi everyone,

Thanks for all of the input, I think between that and the eduroam paper my questions have been answered. The breakdown of differences between various clients is rather useful as well. Even in the absence of client side configuration, some of the clients (notably OS X) present some details about the cert to the user that they can verify manually (name, fingerprint, expiry date).

Thanks,
Michael

--
Michael Rodrigues
[RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP
Hi,

I've been searching around the list and the Internet trying to figure out how a wireless client can verify the hostname of the SSL cert provided by Radiator through the NAS as an SMTP or HTTP client would, but I can't seem to find anything insightful. I'm not concerned with how the client uses the SSL chain and its included CAs to verify the cert cryptographically.

For one, the client doesn't have Internet to make a reverse lookup until they accept the cert. Second, even if they were allowed DNS before authentication, someone controlling the network could easily catch and spoof the reverse lookup reply to make their cert look legitimate (assuming it was cryptographically legitimate).

I'm doing some development/testing and I notice that iOS and Windows 8 seem to see my certificate as valid but not verified. I set up a PTR record to match my host and cert name but it didn't seem to make any difference. I monitored tcpdump while authenticating from OS X and I see no PTR requests.

I realize each client can have a different implementation. Is it even possible to legitimately verify a certificate hostname for clients using PEAP and EAP? I'd like to be as secure as possible without resorting to client-side certificates.

Thanks,
Michael

--
Michael Rodrigues
Re: [RADIATOR] Radiator / Radmin - bulk add users
Excellent - thanks Hugh.

-----Original Message-----
From: Hugh Irvine [mailto:h...@open.com.au]
Sent: Thursday, 12 June 2014 4:05 PM
To: Michael Bellears
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator / Radmin - bulk add users

Hello Michael -

See buildsql in the main Radiator distribution directory.

See also section 10.0 in the Radiator 4.13 reference manual (doc/ref.pdf).

Here is the help for buildsql:

    Radiator-4.13 hugh$ perl buildsql -h
    usage: buildsql [-h] -dbsource dbi:drivername:option
        [-dbusername dbusername] [-dbauth auth]
        [-password | -dbm | -flat] [-z] [-u] [-f]
        [-d username] [-l username] [-t dbmtype] [-tablename name] [-v]
        [-username_column columnname] [-password_column columnname]
        [-encryptedpassword] [-checkattr_column columnname]
        [-replyattr_column columnname]
        filename ...

regards

Hugh

> On 12 Jun 2014, at 12:45, Michael Bellears mbelle...@gcomm.com.au wrote:
>
> Hi,
>
> We have a need to add ~150 users to Radmin. Doing this via the (Radmin) web interface would be tedious/error-prone. Is anyone aware of a script to bulk add users?
>
> Cheers.

--
Hugh Irvine h...@open.com.au
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
> The syntax in the link below and what you have has a small but important bug. Try something like this (notice the comma):
>
>     DEFAULT User-Name = /^mrodrigues$/i, Auth-Type = Reject:Blacklisted
>
> Otherwise it should go as Hugh wrote.
>
>> I tried implementing the solution here:
>> http://www.open.com.au/pipermail/radiator/2013-February/018882.html
>>
>> But I can still authenticate as Mrodrigues when I have
>>
>>     DEFAULT User-Name = /^mrodrigues$/i Auth-Type = Reject
>>
>> in the users file. I did also have the DEFAULT Auth-Type = Accept at the end. I tried changing the default Accept to Reject:
>
> I think it should go as in the example as soon as you have correctly separated the reply attributes with a comma.
>
> Thanks,
> Heikki

I was hoping it was something simple like a missing newline. It works with the comma, so I have the added advantage of being able to add arbitrary Reply attributes, as compared to the RewriteUsername to lowercase method.

Thanks for your help on this; the list is always helpful, and I could spend all day tweaking Radiator.

Thanks,
Michael

--
Michael Rodrigues
[RADIATOR] Limits on EAPTLS_PrivateKeyPassword
We have just renewed our certificates on our servers, and Windows clients are unable to authenticate.

Without having to select "Validate server certificate" in a wireless profile, Windows usually presents a security box informing you that the certificate may not be trusted and/or is not bound as the root anchor. From there you can continue and access is granted.

However, since implementing our new certificates, Windows 7 is not presenting any warnings; the Radiator log files continue with challenges and requests continually. Windows 8 just rejects the authentication outright:

    Thu Jun 12 11:05:43 2014: ERR: EAP PEAP TLS read failed: 19984: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
    Thu Jun 12 11:05:43 2014: ERR: EAP PEAP TLS read failed: 19984: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

If I take our original certificate that DOES work with Windows 7 / 8, and I remove the PrivateKeyPassword or change it, I get the same behaviour on both OSes.

So.. two things are likely the culprit: either the private key provided to create the cert is wrong... or Radiator limits what characters can be used for the private key.

Any assistance would be gratefully received.

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
[RADIATOR] Radiator / Radmin - bulk add users
Hi,

We have a need to add ~150 users to Radmin. Doing this via the (Radmin) web interface would be tedious/error-prone. Is anyone aware of a script to bulk add users?

Cheers.
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
            TTLS_INNER_NTLM_AUTHBY
            NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
            Domain AD
            EAPType MSCHAP-V2
            AutoMPPEKeys
        </AuthBy>
    </Handler>

    <Handler EAP-Message=/.+/>
        Identifier OUTER_HANDLER
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept

            # Make sure MAC address is not blacklisted..
            <AuthBy FILE>
                Identifier OUTER_MAC_ADDRESS_BLACKLIST
                NoEAP
                # Calling-Station-Id attribute is the user's MAC in this case.
                AuthenticateAttribute Calling-Station-Id
                AcceptIfMissing
                Filename /etc/radiator/MacAddrBlacklist.txt
            </AuthBy>

            # Set up the outer tunnel SSL connection
            <AuthBy NTLM>
                Identifier OUTER_NTLM_AUTHBY
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                Domain AD
                EAPType PEAP, TTLS
                EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
                EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
                AutoMPPEKeys
            </AuthBy>

            # Get inner_identity after it is exported to the Reply, then use it to set the Request User-Name
            <AuthBy INTERNAL>
                Identifier OUTER_BLACKLIST_REWRITE
                RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; \
                    $rq->changeUserName($rp->{inner_identity}); \
                    main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); \
                    return $main::ACCEPT; }
            </AuthBy>

            # Check User blacklist
            <AuthBy FILE>
                Identifier OUTER_USER_BLACKLIST
                NoEAP
                AcceptIfMissing
                Filename /etc/radiator/UsernameBlacklist.txt
            </AuthBy>
        </AuthBy>

        # If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
        PostProcessingHook file:goodies/eap_acct_username_mod.pl
    </Handler>

    # Handles and rejects all non-EAP authentication requests
    <Handler>
        Identifier NON_EAP_HANDLER
        <AuthBy INTERNAL>
            Identifier NON_EAP_REJECT
            AddToReply Reply-Message = "Use an EAP method."
            RequestHook sub { main::log($main::LOG_DEBUG, "Non-EAP authentication requested, rejecting request..."); \
                return $main::REJECT; }
        </AuthBy>
    </Handler>

    # This logs to /var/log/radius/logfile
    # Not really necessary, we have SQL logs.
    <Log FILE>
        Filename logfile
    </Log>

Thanks,
Michael

On 5/18/2014 4:26 PM, Heikki Vatiainen wrote:
> On 05/13/2014 11:15 PM, Michael Rodrigues wrote:
>> I would like to REJECT any non-EAP in the outer handler. I've tried to rearrange things to have only AuthBy FILE in the outer handler, having AuthBy NTLM only in each inner handler.
>
> Hello Michael, try this:
>
>     <Handler EAP-Message=/.+/>
>         # your current config for Handler
>     </Handler>
>
>     # Default Handler
>     <Handler>
>         # Catches everything non-EAP
>         # Could reject with e.g., AuthBy INTERNAL
>     </Handler>
>
> Note that the above may require setting another Handler before the default to catch the accounting, if this Radiator instance receives accounting too.
>
>> This would also (I think) require me to move my AuthBy INTERNAL to each inner handler so that it can get inner_identity once it is unpacked after AuthBy NTLM. After this I would AuthBy FILE for blacklist. However, I can't seem to get my outer handler to drop non-EAP requests:
>
> I'd say the two Handler approach requires you not to rearrange internals or require any large changes. Please let us know how it works.
>
> PS. I've been traveling lately so unfortunately it took a bit longer than usual to reply.
>
> Thanks,
> Heikki

--
Michael Rodrigues
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
On 5/6/14, 1:15 PM, Heikki Vatiainen wrote:
> On 05/06/2014 10:22 PM, Michael Rodrigues wrote:
>> I did end up putting the blacklist in the outer handler because all of my attempts to grab the inner_identity within the Inner Handler for PEAP would give me a blank string "". Looking at it, I'm not sure what I get from having the separate Inner Handlers with the current config.
>
> In many cases the outer Handler contains an AuthBy FILE that only handles PEAP and TTLS outer authentication, that is, establishing the TLS tunnel. Note that if the incoming request is not an EAP request, this AuthBy will also try to authenticate the user. If non-EAP authentication is not desired, this AuthBy FILE can reject the non-EAP attempts.

I would like to REJECT any non-EAP in the outer handler. I've tried to rearrange things to have only AuthBy FILE in the outer handler, having AuthBy NTLM only in each inner handler. This would also (I think) require me to move my AuthBy INTERNAL to each inner handler so that it can get inner_identity once it is unpacked after AuthBy NTLM. After this I would AuthBy FILE for blacklist.

However, I can't seem to get my outer handler to drop non-EAP requests:

(There's another TunnelledByEAP handler but it's otherwise identical to the PEAP one)

    <Handler TunnelledByPEAP=1>
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept
            <AuthBy NTLM>
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of="AD+Domain Users"
                Domain AD
                EAPType MSCHAP-V2
                AutoMPPEKeys
            </AuthBy>
            <AuthBy INTERNAL>
                Identifier FixUserNameForBlacklist
                # Get inner_identity after it is exported to the Reply, then use it to set the Request User-Name
                RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; \
                    $rq->changeUserName($rp->{inner_identity}); \
                    main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); \
                    return $main::ACCEPT; }
            </AuthBy>
            <AuthBy FILE>
                NoEAP
                Identifier CheckUserBlacklistPEAPInner
                AcceptIfMissing
                Filename /etc/radiator/UsernameBlacklist.txt
            </AuthBy>
        </AuthBy>
    </Handler>

    <Handler>
        Identifier OuterHandler
        AuthByPolicy ContinueWhileAccept
        # Make sure MAC address is not blacklisted..
        <AuthBy FILE>
            NoEAP
            Identifier CheckMacAddressBlacklist
            # Calling-Station-Id attribute is the user's MAC in this case.
            AuthenticateAttribute Calling-Station-Id
            AcceptIfMissing
            Filename /etc/radiator/MacAddrBlacklist.txt
        </AuthBy>
        <AuthBy FILE>
            Identifier OuterTunnelAuth
            EAPType PEAP,TTLS
            EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
            EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
            EAPTLS_CertificateType PEM
            EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
        </AuthBy>
        # If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
        PostProcessingHook file:goodies/eap_acct_username_mod.pl
    </Handler>
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
                # ...it is exported to the Reply, then use it to set the Request User-Name
                RequestHook sub { my $rq = $_[0]; my $rp = $_[1]; \
                    $rq->changeUserName($rp->{inner_identity}); \
                    main::log($main::LOG_DEBUG, "Changed Request User-Name to $rp->{inner_identity} from Reply inner_identity"); \
                    return $main::ACCEPT; }
            </AuthBy>
            <AuthBy FILE>
                Identifier CheckUserBlacklist
                NoEAP
                AcceptIfMissing
                Filename /etc/radiator/UsernameBlacklist.txt
            </AuthBy>
        </AuthBy>
        # If Reply is Access-Accept, send User-Name from inner_identity for logging, session table.
        PostProcessingHook file:goodies/eap_acct_username_mod.pl
    </Handler>

    #This logs to /var/log/radius/logfile
    #Not really necessary, we have SQL logs.
    <Log FILE>
        Filename logfile
    </Log>

eap_acct_username_mod.pl:

    sub {
        my ($req, $rep, $handled, $reason) = @_;
        if (${$rep}->code() eq 'Access-Accept') {
            my $rep_username = ${$rep}->{inner_identity};
            ${$rep}->changeUserName($rep_username);
            main::log($main::LOG_DEBUG, "Hook changed User-Name to $rep_username for Access-Accept");
        }
    }

Thanks,
Michael

On 4/22/2014 3:03 AM, Heikki Vatiainen wrote:

On 04/21/2014 11:15 PM, Michael Rodrigues wrote:

So if I have three AuthBys in the outer Handler (INTERNAL first for renaming, then two FILEs for checking MAC address and Username) am I correct in assuming that the two AuthBy FILEs will be operating on the request as altered by the initial AuthBy INTERNAL?

Yes, that is correct. Any modifications to request or reply objects are visible to the subsequent AuthBys.

I made the suggested modification to the hook and it appears to execute; however, it seems to be replacing the username with a blank string () during Access-Challenge, and the subsequent AuthBy FILE sections are still using the anonymous outer identity when checking against the blacklist files I have.

Looking at the configuration you sent previously, I'd say the real inner identity is available once the inner authentication has completed the EAP Identity exchange.
That is, there are a number of requests and responses to get the TLS tunnel working; after that the real identity is sent by the peer over the TLS tunnel. When that has happened, you should see the real identity.

It might also be worth considering doing the blacklisting with the inner Handler. If you use the outer Handler, it will eventually see the inner identity, but with the inner Handler, it will not need to query the blacklists for all requests, just the inner requests. You might want to search for 'Tunnelled' to see what the inner requests look like and if they would be more useful for implementing blacklisting based on usernames (EAP inner identity). MAC address based blacklisting could be in the outer Handler since the MAC is not included in the inner auth information.

Thanks,
Heikki

--
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
On 4/9/2014 8:01 AM, Heikki Vatiainen wrote:

On 04/08/2014 11:36 PM, Michael Rodrigues wrote:

When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the Radiator directory and testing the build, test 1d fails to pass. Am I applying the patches correctly? I read that there was information on the site where the patches are downloaded, but I don't have direct access to it as a colleague maintains the account.

Thanks for letting us know about this. The patches do not have the recently updated test.pl. Test 1d does a Status-Server request against Radiator and it now fails because it does not add Message-Authenticator in the request. This requirement was just recently added in Radiator. Status-Server requests with a correct Message-Authenticator will be ignored from now on. Updated test.pl was going to be in the next release, but it was unfortunately not tagged to be in the patch set meanwhile. It will be in the next patch set.

I'm using: Ubuntu 12.04

Please make sure the system is updated with the latest OpenSSL patch for the Heartbleed vulnerability.

Thanks for the heads up on this, I have since updated.

I also need to rewrite the outer identity before my AuthBy FILE sections that check that the user is not on the blacklist. As configured, it will check their anonymous ID against the blacklist, which does me no good.

I tried adding an AuthBy INTERNAL to the outer handler, using the perl snippet you had suggested with RequestHook. I get a hook error whenever it is called. I'm not a perl guru but I tried changing ${$_[1]} to just $_[1] and got rid of the SCALAR error, but I was still getting a Hook error with no specific information.
    Code:       Access-Request
    Identifier: 155
    Authentic:  130hZ30145187;199159164C211240sT5
    Attributes:
            User-Name = anonymous-username
            NAS-IP-Address = 10.99.1.250
            NAS-Port = 86
            EAP-Message = 200131anonymous-username
            Message-Authenticator = 144111395132u~@7150m155q5{221

    Fri Apr 18 09:22:30 2014: DEBUG: Handling request with Handler '', Identifier ''
    Fri Apr 18 09:22:30 2014: DEBUG: Deleting session for anonymous-username, 10.99.1.250, 86
    Fri Apr 18 09:22:30 2014: DEBUG: Handling with Radius::AuthGROUP:
    Fri Apr 18 09:22:30 2014: DEBUG: Handling with AuthINTERNAL:
    Fri Apr 18 09:22:30 2014: ERR: Error in RequestHook(): Not a SCALAR reference at (eval 40) line 1.
    Fri Apr 18 09:22:30 2014: DEBUG: Radius::AuthGROUP: result: IGNORE, Hook error
    Fri Apr 18 09:22:30 2014: DEBUG: AuthBy GROUP result: IGNORE, Hook error

For that you might consider an AuthBy INTERNAL that is evaluated before the blacklists. This AuthBy has RequestHook that you can use to modify the request before it is passed to the blacklist AuthBys.

Thanks,
Heikki

Here's the updated config:

    <Client 10.99.1.250>
        Secret testing123
    </Client>

    <Handler User-Name=/^host\//>
        # AuthBy INTERNAL will reject here
        # This catches computers trying to auth
    </Handler>

    <Handler TunnelledByPEAP=1>
        <AuthBy NTLM>
            NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=AD+Domain Users
            Domain AD
            EAPType MSCHAP-V2
            AutoMPPEKeys
        </AuthBy>
    </Handler>

    <Handler TunnelledByTTLS=1>
        <AuthBy NTLM>
            NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=AD+Domain Users
            Domain AD
            AutoMPPEKeys
        </AuthBy>
    </Handler>

    <Handler>
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept
            <AuthBy INTERNAL>
                RequestHook sub { my $rp = ${$_[1]}; $rp->changeUserName($rp->{inner_identity}); }
                DefaultResult ACCEPT
            </AuthBy>
            # Make sure MAC address is not blacklisted..
            <AuthBy FILE>
                NoEAP
                # Calling-Station-Id attribute is the user's MAC in this case.
                AuthenticateAttribute Calling-Station-Id
                AcceptIfMissing
                Filename /etc/radiator/MacAddrBlacklist.txt
            </AuthBy>
            # Make sure USERNAME is not blacklisted..
            <AuthBy FILE>
                NoEAP
                AcceptIfMissing
                Filename /etc/radiator/UsernameBlacklist.txt
            </AuthBy>
            <AuthBy NTLM>
                NtlmAuthProg /usr/bin/ntlm_auth --helper-protocol=ntlm-server-1 --require-membership-of=AD+Domain Users
                Domain AD
                EAPType PEAP, TTLS, MSCHAP-V2
                EAPTLS_CAFile /etc/radiator/certs/radiatordev_education_ucsb_edu_interm.cer
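The Status-Server check that test 1d exercises, as an added Python example (not Radiator's test.pl or any code from the thread): it builds a Status-Server request carrying a Message-Authenticator computed as RFC 5997 specifies, and shows the server-side verification that rejects a request whose Message-Authenticator is missing or wrong. The shared secret, identifier, NAS-Identifier and authenticator bytes are constructed values.

```python
import hashlib
import hmac
import struct

# RADIUS packet code and attribute types used below (RFC 2865, RFC 5997).
STATUS_SERVER = 12
NAS_IDENTIFIER = 32
MESSAGE_AUTHENTICATOR = 80


def iter_attributes(packet: bytes):
    """Yield (type, value, offset) for each attribute after the 20-byte header.

    Stops at the first malformed attribute (length < 2 or running past the end).
    """
    offset = 20
    while offset + 2 <= len(packet):
        attr_type, attr_len = packet[offset], packet[offset + 1]
        if attr_len < 2 or offset + attr_len > len(packet):
            return
        yield attr_type, packet[offset + 2:offset + attr_len], offset
        offset += attr_len


def build_status_server(secret: bytes, identifier: int, authenticator: bytes,
                        nas_id: bytes = b"test-client",
                        with_message_authenticator: bool = True) -> bytes:
    """Build a Status-Server request, optionally signed with Message-Authenticator.

    The HMAC-MD5 is keyed with the shared secret and computed over the whole
    packet with the Message-Authenticator value set to 16 zero bytes.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = struct.pack("BB", NAS_IDENTIFIER, 2 + len(nas_id)) + nas_id
    if with_message_authenticator:
        attrs += struct.pack("BB", MESSAGE_AUTHENTICATOR, 18) + bytes(16)
    header = struct.pack("!BBH", STATUS_SERVER, identifier, 20 + len(attrs))
    packet = header + authenticator + attrs
    if not with_message_authenticator:
        return packet
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    # The zero placeholder is the last 16 bytes; swap in the real HMAC.
    return packet[:-16] + mac


def verify_message_authenticator(secret: bytes, packet: bytes) -> bool:
    """Return True only if the packet carries a Message-Authenticator that verifies.

    A missing attribute returns False, which is the case a server that requires
    Message-Authenticator on Status-Server treats as "ignore the request".
    """
    if len(packet) < 20:
        return False
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    for attr_type, value, offset in iter_attributes(packet):
        if attr_type == MESSAGE_AUTHENTICATOR and len(value) == 16:
            zeroed = packet[:offset + 2] + bytes(16) + packet[offset + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return False


if __name__ == "__main__":
    # Constructed values: the secret from the Client clause above, a fixed authenticator.
    secret = b"testing123"
    authenticator = bytes(range(16))
    signed = build_status_server(secret, 155, authenticator)
    unsigned = build_status_server(secret, 156, authenticator, with_message_authenticator=False)
    print("signed verifies:", verify_message_authenticator(secret, signed))
    print("unsigned verifies:", verify_message_authenticator(secret, unsigned))
```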
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
I tried building 4.12.1 and it builds fine without the patches. When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the Radiator directory and testing the build, test 1d fails to pass. Am I applying the patches correctly? I read that there was information on the site where the patches are downloaded, but I don't have direct access to it as a colleague maintains the account.

I'm using:

    Digest::MD5 2.53
    Digest::MD4 1.9
    Digest::SHA 5.70
    Net::SSLeay 1.42
    perl 5.14.2
    linux 3.5
    Ubuntu 12.04

I also need to rewrite the outer identity before my AuthBy FILE sections that check that the user is not on the blacklist. As configured, it will check their anonymous ID against the blacklist, which does me no good.

Thanks,
Michael

On 4/7/2014 7:24 AM, Heikki Vatiainen wrote:

On 04/02/2014 09:49 PM, Heikki Vatiainen wrote:

    PostAuthHook sub { my $rp = ${$_[1]}; $rp->changeUserName($rp->{inner_identity}); }

PEAP and TTLS both export the inner EAP identity (or TTLS inner username when EAP is not used). The inner identity is exported to outer reply message and can be retrieved as above.

Note: I noticed that if EAP, for example EAP-MSCHAP-V2, is used for inner TTLS, the export seems not to work currently. We'll need to check why.

This is now fixed in the latest patches for 4.12.1. The EAP identity or User-Name from TTLS tunnelled message is now available with $rp->{inner_identity}.

Thanks,
Heikki
Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
                #EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_CertificateFile /etc/radiator/certs/radiatordev_education_ucsb_edu_cert.cer
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_PrivateKeyFile /etc/radiator/certs/radiatordev.key
                #EAPTLS_PrivateKeyPassword whatever
                AutoMPPEKeys
            </AuthBy>
        </AuthBy>
        PostAuthHook file:goodies/eap_acct_username.pl
    </Handler>

    #This logs to /var/log/radius/logfile
    #Not really necessary, we have SQL logs.
    <Log FILE>
        Filename logfile
    </Log>

On 3/26/2014 2:35 PM, Heikki Vatiainen wrote:

On 03/26/2014 07:33 PM, Michael Rodrigues wrote:

1. How do I allow only directory users to authenticate, while preventing machine accounts from being authenticated?

Use a Handler to catch these:

    <Handler User-Name=/^host\//>
        # AuthBy INTERNAL with reject here
    </Handler>

should do the trick. I would also consider using a separate Handler for inner and outer requests. See goodies/eap_peap.cfg for an example.

2. Will the eap_acct_username.pl prevent users from showing up as 'anonymous' in my accounting requests for all allowed types of auth? (PEAP, TTLS, MSCHAP-V2)

This hook seems to return User-Name with Access-Accept to tell the NAS to use this username for the subsequent Accounting-Requests. I'd consider using a Hook, maybe PostAuthHook, in the inner Handler to write the real username in the outer request's EAP context. When the final Access-Accept is returned to the client, a PostAuthHook in the outer Handler can set the User-Name. This could be done after the authentication works otherwise.

3. Will disabling machine authentication have any effect on SSO so that a user can login to a domain computer and automatically authenticate to the wifi (assuming the proper GPOs are in place).

The recent Windows versions seem to have a number of possibilities to choose which account, user or computer, does the wifi authentication. However, I have not looked more closely how these settings work with group policies.
It would be interesting to hear how it works, so please let us know if you decide to test it.

Here's my configuration:

Remove DupInterval 0 if you have it with real RADIUS clients. It should only be used for local loopback testing and it's not usually necessary there either.

Thanks,
Heikki
[RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM
Hi all,

I've been using RADIATOR for 4 or 5 years using EAP-TTLS PAP against an LDAP database. We now have an Active Directory that is synced with LDAP, so all users and their passwords are now in AD. With the LDAP database, we had to configure every client manually (these are student computers we don't own) for wireless to work. This could sometimes take 20-30 minutes with Apple clients and involved installing SecureW2 on Windows.

My goal now is to transition to using AuthBy NTLM with PEAP, TTLS, and MSCHAP-V2 in place of AuthBy LDAP2 so users can just type their username and password when prompted, while maintaining backwards compatibility with the EAP-TTLS PAP machines that were already configured. The config I have does do this, but it also allows domain computers to authenticate as computers; I don't want this.

So it comes down to a few questions:

1. How do I allow only directory users to authenticate, while preventing machine accounts from being authenticated?

2. Will the eap_acct_username.pl prevent users from showing up as 'anonymous' in my accounting requests for all allowed types of auth? (PEAP, TTLS, MSCHAP-V2)

3. Will disabling machine authentication have any effect on SSO so that a user can login to a domain computer and automatically authenticate to the wifi (assuming the proper GPOs are in place).

Here's my configuration:

    ##########################################
    # Radiator Configuration
    ##########################################
    ## Updated 03/26/14 mbr
    ## Note this file is derived from pre-testing version provided by mrodrigues

    #This handler catches all Accounting-Request packets.
    #We only log Start and Stop accounting packets as Alive
    #packets are basically useless for our purposes. If you
    #would like to grab these packets, delete the HandleAcctStatusTypes
    #directive below, or edit as obviously necessary.
    #<Handler Request-Type=Accounting-Request>
    #    <AuthBy SQL>
    #        DBSource dbi:mysql:radius:127.0.0.1:3306
    #        DBUsername radius
    #        DBAuth xxx
    #        HandleAcctStatusTypes Start,Stop
    #        # This statement inserts the accounting information into the SQL database.
    #        AcctSQLStatement insert into ggse_public values('%{Acct-Session-Id}','%{Framed-IP-Address}','%{User-Name}','%{Acct-Status-Type}','%{Extreme-SSID}','%{Connect-Info}','%{Acct-Delay-Time}','%{Timestamp}','%{Calling-Station-Id}',NULL);
    #        # This will log messages from within the SQL insert statement
    #        <Log FILE>
    #            Filename debug.config
    #        </Log>
    #    </AuthBy>
    #</Handler>

    #below was added on 2/4/13 to catch ALL iterations of logins that are BlackListed.
    RewriteUsername tr/A-Z/a-z/

    #These are the IPs from which calls to the RADIUS server are allowed.
    <Client 10.99.1.250>
        Secret testing123
        DupInterval 0
    </Client>

    <Handler>
        #This is only tentative and hasn't been tested. This keeps people from circumventing the logs
        #by making their outer identity anonymous. This script copies the inner identity to the outer
        #identity; you can't authenticate without the correct inner identity.
        PostProcessingHook file:/etc/radiator/eap_acct_username.pl
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileAccept
            # Make sure MAC address is not blacklisted..
            <AuthBy FILE>
                NoEAP
                # Calling-Station-Id attribute is the user's MAC in this case.
                AuthenticateAttribute Calling-Station-Id
                AcceptIfMissing
                Filename /etc/radiator/MacAddrBlacklist.txt
            </AuthBy>
            # Make sure USERNAME is not blacklisted..
            <AuthBy FILE>
                NoEAP
                AcceptIfMissing
                Filename /etc/radiator/UsernameBlacklist.txt
            </AuthBy>
            <AuthBy NTLM>
                Domain AD
                EAPType PEAP, TTLS, MSCHAP-V2
                EAPTLS_CAFile /etc/radiator/certs/demoCA/cacert.pem
                EAPTLS_CertificateFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_CertificateType PEM
                EAPTLS_PrivateKeyFile /etc/radiator/certs/cert-srv.pem
                EAPTLS_PrivateKeyPassword whatever
                AutoMPPEKeys
            </AuthBy>
        </AuthBy>
    </Handler>
    #PostProcessingHook file:/etc/radiator/eap_acct_username.pl

    #This logs to /var/log/radius/logfile
    #Not really necessary, we have SQL logs.
    <Log FILE>
        Filename logfile
    </Log>

Thanks,
Michael
Re: [RADIATOR] Proxy server variable
We have a custom PostAuthHook script which writes out some log details that are appended to syslog, so that is the first place I would like to try. We proxy to a dept on campus and the information they feel may be relevant to them is the initial server (host) the proxied radius request is sent to per client. Your example below references the final host. I am not sure that my explanation makes sense; I appreciate your suggestion...

Thanks
M

On 2014-03-21, at 4:07 PM, Heikki Vatiainen wrote:

On 03/20/2014 05:23 PM, Michael Hulko wrote:

I would like to log the server that a client is proxied to for authentication.

Hello Michael, which log are you thinking of? Authentication log or something else? Please see below for some ideas but in short, it depends on at which point during the processing you want to log information.

I have searched through the Radius packets for some form of Attribute without any luck. I have also read through the Radius reference and cannot find anything useful there either. There must be a variable for when an external server times out as seen in the output of the log:

    No reply after 20 seconds and 3 retransmissions to 129.100.160.144:1645 for casecomp.gu...@ivey.ca casecomp.gu...@ivey.ca (69)

The above tells 129.100.160.144 did not respond after retransmissions. If there are other Hosts, these will be tried next. Finally, when it fails to get a response from any Host, NoReplyHook will run and you should be able to get the details of the final Host from the second argument with $fp->{ThisHost} where $fp is the second Hook argument (${$_[1]}).

any assistance would be appreciated.

In other words, the object for the forwarded request has a pointer to Host. You could then check $host->{Address} to get the address.

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
[RADIATOR] Proxy server variable
I would like to log the server that a client is proxied to for authentication. I have searched through the Radius packets for some form of Attribute without any luck. I have also read through the Radius reference and cannot find anything useful there either. There must be a variable for when an external server times out as seen in the output of the log:

    No reply after 20 seconds and 3 retransmissions to 129.100.160.144:1645 for casecomp.gu...@ivey.ca (69)

any assistance would be appreciated.

Michael Hulko
Re: [RADIATOR] Delayed Stop Record and Active Sessions
Hi Rohan,

I think you pretty much should be deleting sessions using the session id included in the delete criteria, for accuracy. But, NOT using the session id in your count query.

The 'state limit' function I think you are referring to is tough to do. I assume you mean user session limits. I don't think you can actually implement session limits accurately. It's just not possible to do it accurately. Yes, the options are there and the idea exists, but I don't think it can ever be as accurate as you would expect it to be. Even if you solve your issues described here, there's always a possibility active sessions fail/drop/die and your device still holds onto that session for a given time until it realizes that the session truly is lost, then sends the Stop packet. Maybe your problem is not delayed stop packets, but sessions that just have not stopped yet because the device still thinks the session is active. So ya, when the user logs back in, if you for example have a session limit of 1, you are now rejecting your user.

My personal experience is you need to have a very solid infrastructure (like fiber) to your customers and a low 'keep alive' time in order to have strict user session limits. But, for an infrastructure like cable/dsl where syncs are lost, things drop, and other problems, you may want to think about using n + 1. Meaning, your desired session limit, plus 1. This allows your customer to always log back in if their session drops but their old session still shows active. Yes, they can now have 1 more session than you want to allow. It's a trade off. If you want to be strict, you have to expect your users to be rejected due to dead sessions.

On 21/02/14 04:21 PM, rohan.henry @cwjamaica.com wrote:

Thanks for the feedback Heikki. I am thinking that the suggestion would solve the problem but defeats the state limit function.
It means that a connection would now become unique based on Acct-Session-Id, which changes for every connection, and would grant access to the same user multiple times since the new Acct-Session-Id will not allow a database match.

Rohan

On Wed, Feb 19, 2014 at 3:40 PM, Heikki Vatiainen h...@open.com.au wrote:

On 02/19/2014 09:22 PM, rohan.henry @cwjamaica.com wrote:

How can I fix an issue where the DeleteQuery statement in my Sessions DB config deletes the row for a new active session because of a delayed Stop record?

A quick idea: Do you think the DeleteQuery could be changed to include Acct-Session-Id in the query? That is, the NAS-Port, etc, and Acct-Session-Id must match the existing entry. If the session has been replaced, the delete will not match any rows because the new entry on the row it would otherwise match has a different session id that belongs to the new session.

Please let us know how this works.

Thanks,
Heikki

Scenario:

1. A session is up (and row entered in the database for active session)
2. The session is dropped because of a premature disconnection (eg. modem line cable unplugged) but Stop record is delayed.
3. New session is created after modem line cable is restored (and after DeleteQuery statement removes database row for previous session)
4. The delayed Stop record finally comes in - the DeleteQuery statement now removes the row for the active session (An unwanted behavior).

How do I compensate for the delayed Stop record that is causing active session database records to be deleted?
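Rohan's four-step scenario replayed against an in-memory SQLite table, as an added example that is not part of the thread or of Radiator: the table and column names are constructed (loosely after Radiator's RADONLINE session table), as are the user, NAS and session ids, and the two DELETE statements stand for a DeleteQuery keyed on NAS and port alone versus one that also matches Acct-Session-Id, as Heikki suggested.

```python
import sqlite3

# Constructed table loosely modeled on Radiator's RADONLINE session table.
SCHEMA = """
CREATE TABLE RADONLINE (
    USERNAME      TEXT,
    NASIDENTIFIER TEXT,
    NASPORT       INTEGER,
    ACCTSESSIONID TEXT,
    TIME_STAMP    INTEGER
)
"""

# Two ways to write the DeleteQuery. The first matches on NAS and port only;
# the second also requires the Acct-Session-Id carried by the Stop to match the row.
DELETE_BY_PORT = "DELETE FROM RADONLINE WHERE NASIDENTIFIER = ? AND NASPORT = ?"
DELETE_BY_PORT_AND_SESSION = DELETE_BY_PORT + " AND ACCTSESSIONID = ?"


def new_session_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def session_started(conn, user, nas, port, session_id, ts):
    """New session on a NAS port: drop whatever row that port held, then add the new row."""
    conn.execute(DELETE_BY_PORT, (nas, port))
    conn.execute("INSERT INTO RADONLINE VALUES (?, ?, ?, ?, ?)",
                 (user, nas, port, session_id, ts))


def stop_received(conn, nas, port, session_id, match_session_id):
    """Accounting Stop: delete the row for the port, with or without checking the session id."""
    if match_session_id:
        conn.execute(DELETE_BY_PORT_AND_SESSION, (nas, port, session_id))
    else:
        conn.execute(DELETE_BY_PORT, (nas, port))


def active_sessions(conn, user):
    """The count a simultaneous-use check would see for this user."""
    row = conn.execute("SELECT COUNT(*) FROM RADONLINE WHERE USERNAME = ?", (user,)).fetchone()
    return row[0]


def replay_delayed_stop(match_session_id):
    """Replay the four steps from the thread and return a pair of counts:

    (active sessions after the delayed Stop for the old session,
     active sessions after the genuine Stop for the new session).
    The correct pair is (1, 0): the delayed Stop must not remove the live session.
    """
    conn = new_session_db()
    user, nas, port = "user1", "nas-1", 7                   # constructed identifiers
    session_started(conn, user, nas, port, "S-OLD", 100)    # 1. session is up
    # 2. the line drops; the Stop for S-OLD is delayed somewhere upstream
    session_started(conn, user, nas, port, "S-NEW", 200)    # 3. new session, same NAS and port
    stop_received(conn, nas, port, "S-OLD", match_session_id)  # 4. delayed Stop finally arrives
    after_delayed_stop = active_sessions(conn, user)
    stop_received(conn, nas, port, "S-NEW", match_session_id)  # later: the real Stop for S-NEW
    return after_delayed_stop, active_sessions(conn, user)


if __name__ == "__main__":
    print("DeleteQuery on NAS/port only:       ", replay_delayed_stop(match_session_id=False))
    print("DeleteQuery also on Acct-Session-Id:", replay_delayed_stop(match_session_id=True))
```

With the port-only query the delayed Stop wipes the live row and a limit-of-1 user now counts as zero sessions; matching the session id leaves the live row alone while the new session's own Stop still clears it.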
Re: [RADIATOR] Log messages
I think we figured it out... one of our admins restarted the radiator process under a different identity and did not have all the correct rights to the environment. Once we purged the process, the errors seem to stop.

Thanks
M

On 2014-02-07, at 3:41 PM, Heikki Vatiainen wrote:

On 02/06/2014 07:13 PM, Michael Hulko wrote:

We're seeing the following, not quite so frequently in our logs. Not every server is reporting this. Can anyone confirm that this is simply a client trying to authenticate with an unsupported EAP type?

The EAP type is 0 in this case and it's clearly not any real type. It might be a misbehaving client or the server might be receiving a RADIUS request where the first EAP-Message attribute looks like an EAP request or response for EAP type 0. Some intermediate system may have, for example, stripped the first attribute away, causing the remainder to look like an EAP request or response. There are likely to be multiple reasons why you get these messages. They might originate as incorrect or get mangled during the transport.

Thanks,
Heikki

    Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP _0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor _perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
    Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP _0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor _perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
[RADIATOR] Log messages
We're seeing the following, not quite so frequently in our logs. Not every server is reporting this. Can anyone confirm that this is simply a client trying to authenticate with an unsupported EAP type?

    Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP _0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor _perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
    Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP _0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor _perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.

Thanks
Michael Hulko
Re: [RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
Thank you Heikki,

Took a while to get the time to upgrade, but the upgrade works and now shows the actual Reply-Message. And also, the DefaultSimultaneousUse in the ReplyHook still works fine.

    <AuthBy RADIUS>
        ...
        # need to do DefaultSimultaneousUse check in Reply Hook when using AuthBy RADIUS.
        DefaultSimultaneousUse 1
        ReplyHook file:%D/conf/hook.ReplyHook-DefaultSimultaneousUse.pl
    </AuthBy>

ReplyHook:

    sub {
        main::log($main::LOG_DEBUG, "hook.Reply: executing.");
        my $p  = ${$_[0]};  # proxy reply packet
        my $rp = ${$_[1]};  # reply packet to NAS
        my $op = ${$_[2]};  # original request packet
        my $sp = ${$_[3]};  # packet sent to proxy

        return unless $p->code eq 'Access-Accept';

        # proxied auth request passed, check DefaultSimultaneousUse
        my $limit = $sp->{ThisAuth}->{DefaultSimultaneousUse};
        main::log($main::LOG_DEBUG, "hook.Reply: DefaultSimultaneousUse check of ($limit)");
        if (Radius::SessGeneric::find($op->{Handler}->{SessionDatabase})
                ->exceeded($limit, $op->{OriginalUserName}, $op)) {
            $op->{RadiusResult} = $main::REJECT;
            $p->change_attr('Reply-Message', "DefaultSimultaneousUse of $limit exceeded");
            main::log($main::LOG_DEBUG, "hook.Reply: DefaultSimultaneousUse of $limit exceeded");
        }
        main::log($main::LOG_DEBUG, "hook.Reply: DONE");
    }

On 23/12/13 04:28 PM, Heikki Vatiainen wrote:

On 12/23/2013 07:27 PM, Michael wrote:

for a proof of concept, i can set an error message this way: first by changing the AuthRADIUS.pm source:

It appears you have Radiator 4.11 or earlier. One of the changes between 4.11 and 4.12 is how the Reply-Message from upstream is handled: http://www.open.com.au/radiator/history.html

Altered AuthBy RADIUS and AuthBy RADSEC handleReply so that in the event of an Access-Reject from a proxied request, AuthLog* can log the actual Reply-Message from the reply instead of 'Proxied'. Requested by David Zych.

This change is similar to what your proof of concept does.
and then, i can set the error message in the ReplyHook with:

    $p->change_attr('Reply-Message', 'DefaultSimultaneousUse error');

With the current version this should be enough. The change made in AuthRADIUS.pm should take care of the rest.

Thanks,
Heikki
Re: [RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
On 23/12/13 04:23 AM, Heikki Vatiainen wrote:

On 12/20/2013 10:59 PM, Michael wrote:

This ReplyHook definitely did the trick, except for not showing a proper error message. it just shows 'Proxied' as the error. Is there a way to change the error message? The source kinda looks like the error message is hard coded to be 'Proxied' so i thought maybe this could be passed to another AuthBy when rejected, configured to reject with a fixed message, and set the redirected flag in the hook?

You could do $p->add_attr('Reply-Message', ...) to push Reply-Message attribute in the reply received from the proxy. The Reply-Message should be logged in AuthLog if it is present in the reply. I'd say this is the easiest way to handle error message with the hook.

Please let us know how the simultaneous use modifications work.

Thanks,
Heikki

The setting of the Reply-Message didn't seem to work. The error message still says 'Proxied' for when it's a DefaultSimultaneousUse error. It looks to me like this 'Proxied' error message is hard coded in the source. The only place I see this text is here:

    Radius/AuthRADIUS.pm:($op, $op->{RadiusResult}, 'Proxied')
    Radius/AuthRADIUS.pm:$p->{Handler}->handlerResult($p, $p->{RadiusResult}, 'Proxied');
    Radius/AuthRADSEC.pm:$p->{Handler}->handlerResult($p, $p->{RadiusResult}, 'Proxied');
    Radius/AuthRADSEC.pm:($op, $op->{RadiusResult}, 'Proxied')

a closer look:

    # Send this new reply packet back to wherever the
    # original packet came from
    $op->{Handler}->handlerResult($op, $op->{RadiusResult}, 'Proxied')
        unless (($self->{IgnoreReject} && $p->code eq 'Access-Reject')
             || ($self->{IgnoreAccountingResponse} && $p->code eq 'Accounting-Response'));

If i change the 'Proxied' text here the changes do show in the authlog. I guess having the ability to set an error text message for the AuthLog would require modifying this source? It's always nice to have a proper error message for the technical support people.
But again, yes the actual DefaultSimultaneousUsecheck suggested, in the ReplyHook does seem to be working fine. On 19/12/13 03:28 PM, Heikki Vatiainen wrote: On 12/18/2013 11:43 PM, Michael wrote: I've gotten closer using an AuthBy GROUP around AuthBy RADIUS, but it seem to: 1. receive the auth request 2. proxy it to the host 3. check the session db before the reply comes back and reject if need be. 4. send the reject to the lns device. 5. send the accept from the proxy to the lns device. This comes from AuthBy GROUP first evaluating all its AuthBys and then doing DefaultSimultaneousUse check. When the check is done the request has already been proxied to the next hop. You could consider a ReplyHook that does the check. I'd think something like below should work. sub { my $p = ${$_[0]}; # proxy reply packet my $rp = ${$_[1]}; # reply packet to NAS my $op = ${$_[2]}; # original request packet my $sp = ${$_[3]}; # packet sent to proxy return unless $p-code eq 'Access-Accept'; my $limit = $sp-{ThisAuth}-{DefaultSimultaneousUse}; if (Radius::SessGeneric::find($op-{Handler}-{SessionDatabase})-exceeded( $limit, $op-{OriginalUserName}, $op)) { $op-{RadiusResult} = $main::REJECT; } } Please let us know how it works. Thanks, Heikki ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
For a proof of concept, I can set an error message this way: first by changing the AuthRADIUS.pm source:

    # Send this new reply packet back to wherever the
    # original packet came from
    # - look for error message first.
    my $error = 'Proxied';
    $error = $p->get_attr('Reply-Message') if ($p->get_attr('Reply-Message'));
    $op->{Handler}->handlerResult($op, $op->{RadiusResult}, $error)
        unless (   ($self->{IgnoreReject} && $p->code eq 'Access-Reject')
                || ($self->{IgnoreAccountingResponse} && $p->code eq 'Accounting-Response'));

and then, I can set the error message in the ReplyHook with:

    $p->change_attr('Reply-Message', 'DefaultSimultaneousUse error');

Mike

On 23/12/13 11:54 AM, Michael wrote:
> [...]
Re: [RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
This ReplyHook definitely did the trick, except for not showing a proper error message. It just shows 'Proxied' as the error. Is there a way to change the error message? The source kinda looks like the error message is hard-coded to be 'Proxied', so I thought maybe this could be passed to another AuthBy when rejected, configured to reject with a fixed message, and set the redirected flag in the hook?

On 19/12/13 03:28 PM, Heikki Vatiainen wrote:
> On 12/18/2013 11:43 PM, Michael wrote:
>> [...]
>
> This comes from AuthBy GROUP first evaluating all its AuthBys and then doing the DefaultSimultaneousUse check. When the check is done the request has already been proxied to the next hop.
>
> You could consider a ReplyHook that does the check. I'd think something like below should work.
>
>     sub {
>         my $p  = ${$_[0]}; # proxy reply packet
>         my $rp = ${$_[1]}; # reply packet to NAS
>         my $op = ${$_[2]}; # original request packet
>         my $sp = ${$_[3]}; # packet sent to proxy
>
>         return unless $p->code eq 'Access-Accept';
>
>         my $limit = $sp->{ThisAuth}->{DefaultSimultaneousUse};
>         if (Radius::SessGeneric::find($op->{Handler}->{SessionDatabase})->exceeded(
>                 $limit, $op->{OriginalUserName}, $op)) {
>             $op->{RadiusResult} = $main::REJECT;
>         }
>     }
>
> Please let us know how it works.
>
> Thanks,
> Heikki
[RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
DefaultSimultaneousUse doesn't appear to work when using AuthRADIUS. I thought it would proxy the request, and if accepted, check the session db for the DefaultSimultaneousUse option. Is this supposed to work?
Re: [RADIATOR] DefaultSimultaneousUse while using AuthRADIUS
I've gotten closer using an AuthBy GROUP around AuthBy RADIUS, but it seems to:

1. receive the auth request
2. proxy it to the host
3. check the session db before the reply comes back and reject if need be.
4. send the reject to the LNS device.
5. send the accept from the proxy to the LNS device.

so, resulting in 2 replies going back to the network access device.

    <Handler Request-Type = Access-Request>
        SessionDatabase COUNT
        AuthLog BREIF-authlogs.MM
        <AuthBy GROUP>
            DefaultSimultaneousUse 1
            <AuthBy RADIUS>
                some config
            </AuthBy>
        </AuthBy>
    </Handler>

On 18/12/13 02:47 PM, Michael wrote:
> [...]
Re: [RADIATOR] Suggestion for Error Message in AuthByLSA / MSCHAPv2
Doesn't the only error shown come from the last AuthBy processed? I wanted to see errors for each AuthBy but I had to modify the source code.

On 11/12/13 11:46 AM, Johnson, Neil M wrote:
> Heikki,
>
> You are correct, I'm using multiple AuthBy clauses with AuthByPolicy ContinueUntilAcceptOrChallenge set. I need to do this to check membership in multiple AD groups. That could explain why I always get messages for the user not being found.
>
> -Neil
Re: [RADIATOR] Remote RADIUS servers (proxying)
Doesn't a handler process it by default? I think you have to disable it. I do it like this:

    <SessionDatabase NULL>
        Identifier NULL
    </SessionDatabase>

then in your handler, specify:

    SessionDatabase NULL

Note: NULL is not a command or configuration, but an Identifier.

On 29/11/13 04:50 PM, rohan.henry @cwjamaica.com wrote:
> Hello,
>
> I have configured a Handler clause to proxy Radius requests to a remote server. Why is Radiator processing one of my session database configurations even though I have not specified one under the Handler? The SessionDatabase entry is commented out. See sample config below.
>
>     <Handler NAS-Identifier=NAS1>
>     #   AddToRequest SERVICESTATUS = ACTIVE
>     #   SessionDatabase SQLSDB
>     #   MaxSessions 1
>         RejectHasReason
>         #AuthByPolicy ContinueAlways
>     #   AuthBy SQLStart
>     #   AuthBy SQLStop
>     #   AuthBy xDSL
>
>         # Proxy requests to production radius server
>         <AuthBy RADIUS>
>             Secret secret1
>             <Host server1.domain.com>
>                 RetryTimeout 2
>             </Host>
>             <Host server2.domain.com>
>                 Secret secret2
>             </Host>
>         </AuthBy>
>     </Handler>
Re: [RADIATOR] Remote RADIUS servers (proxying)
It doesn't completely disable it. It only disables it for the handler that you put it in.

On 29/11/13 05:32 PM, rohan.henry @cwjamaica.com wrote:
> Michael,
>
> I would prefer not to completely disable it since other Handlers are using it. I only want it disabled for a particular Handler.
>
> Rohan
>
> On Fri, Nov 29, 2013 at 5:19 PM, Michael ri...@vianet.ca wrote:
>> [...]
Re: [RADIATOR] Remote RADIUS servers (proxying)
From the manual:

> 5.12 SessionDatabase NULL
>
> This type of session database stores no session details, and always permits multiple log-ins. It is useful in environments with large user populations, and where no simultaneous-use prevention is required. SessionDatabase NULL uses much less memory and fewer CPU cycles than SessionDatabase INTERNAL (which is the default session database). The code for SessionDatabase NULL was contributed by Daniel Senie (d...@senie.com).
>
> SessionDatabase NULL understands the following parameters:
>
> 5.12.1 Identifier
>
> This optional parameter assigns a name to the Session Database, so it can be referred to in other parts of the configuration file.
>
>     # Here is a useful name for this Session Database
>     Identifier SDB1

On 29/11/13 06:03 PM, Michael wrote:
> [...]
Re: [RADIATOR] Variables
To save other values, you have to place them in the Class attribute in the Reply packet going back to your device. The Class should get saved in the device, and will be there when the Stop packet comes in. I personally save a few values in the Class as comma-separated values. When it comes back in, I have a PreHandlerHook to pull the Class attribute out, separate the values, and place them into their own attributes for later use and logging. But if you just want to save 1 value in the Class, and later log the Class value, no Hook should be needed.

Mike

On 26/11/13 02:20 PM, rohan.henry @cwjamaica.com wrote:
> Thanks Hugh. I am already seeing the attributes using trace 4. Just exploring other possible ways to obtain and store the Start time of a session without having to calculate using session time (Acct-Session-Time).
>
> Rohan
>
> On Mon, Nov 25, 2013 at 10:21 PM, Hugh Irvine h...@open.com.au wrote:
>> Hello Rohan -
>>
>> Most if not all of these attributes should be included in the RADIUS accounting stop request, assuming RADIUS accounting is turned on in the NAS device. Note that there is a difference between Event-Timestamp as shown below which may be sent by the NAS, and Timestamp which is internal to Radiator. Have a look at a trace 4 debug to see exactly what you are receiving in the RADIUS accounting requests.
>>
>> regards
>>
>> Hugh
>>
>> On 26 Nov 2013, at 08:26, rohan.henry @cwjamaica.com rohan.he...@cwjamaica.com wrote:
>>> Hello,
>>>
>>> Are values for any of the foll. attributes automatically stored somewhere in Radiator where they can be fetched anytime during or at the end of the session? For example the Timestamp attribute. If not, how can I store values for use later in or at the end of the session?
>>>
>>> Attributes:
>>>     Acct-Status-Type = Start
>>>     User-Name =
>>>     Event-Timestamp =
>>>     Acct-Delay-Time =
>>>     NAS-Identifier =
>>>     Acct-Session-Id =
>>>     NAS-IP-Address =
>>>     Class =
>>>     Service-Type =
>>>     Framed-Protocol =
>>>     Framed-Compression =
>>>     Unisphere-Pppoe-Description =
>>>     Framed-IP-Address =
>>>     Framed-IP-Netmask =
>>>     Calling-Station-Id =
>>>     Connect-Info =
>>>     NAS-Port-Type =
>>>     NAS-Port =
>>>     NAS-Port-Id =
>>>     Acct-Authentic =
>>>
>>> Thanks.
>>>
>>> Regards,
>>> Rohan
>>
>> --
>> Hugh Irvine h...@open.com.au
>> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Variables
Sample of the perl Hook? Well, if you're going to just need 1 value, and you are OK with using the Class attribute directly, then you don't need a hook. You would just need to configure:

    AddToReply Class = somevalue

then, when the Stop comes back, the same Class value should be there.

But here's a sample of what I do for multiple saved values in the Class. Notice how I load the values into new attributes. Then I use/log those attributes:

    sub {
        my $req = ${$_[0]};
        my $script_name = "hook.PreHandlerHook.pl";
        main::log($main::LOG_DEBUG, "$script_name: executing.");

        if ($req->code eq 'Accounting-Request') {
            if (my $class = $req->get_attr('Class')) {
                # Class carries comma-separated values in a fixed order
                my ($zone, $uid, $authed_un, $old_zone, $un_only) = (split(',', $class))[0,1,2,3,4];
                $req->change_attr('zone',    $zone)      if $zone;
                $req->change_attr('uid',     $uid)       if $uid;
                $req->change_attr('auth-un', $authed_un) if $authed_un;
                main::log($main::LOG_DEBUG, "$script_name: loading csv values from Class into their own attributes: [zone=$zone,uid=$uid,auth-un=$authed_un,old_zone=$old_zone,un_only=$un_only]");
            }
        }
    } # end sub

On 26/11/13 02:59 PM, rohan.henry @cwjamaica.com wrote:
> Thanks Michael. Would you be able to share a sample?
>
> On Tue, Nov 26, 2013 at 2:39 PM, Michael ri...@vianet.ca wrote:
>> [...]
[RADIATOR] AuthBy XML HTTP POST?
We have an opportunity to provide authentication for a hotel client based on guest name and room number. The property management system they are using (iTesso) has an HTTP/XML-based server that would need to be authenticated against, queried for a matching name/room number, and then have a charge posted (or not, based on the results of the response).

We have access to the XML spec and a test interface and are looking to see if anyone in the Radiator community has experience with this sort of setup, and/or if anyone would be interested in providing us with a quote for implementing such a module. Perl is not a native language for anyone in-house, unfortunately.

Looking forward to your replies!

Mike
Re: [RADIATOR] Variables
Oh, sorry, and... you need to add these values to the Reply after you authenticate:

    AddToReply Class = %{Reply:zone},%{Reply:uid},%{Reply:auth-un},%{Reply:old_zone},%U

These %{Reply:attr} values are my own custom values added to the reply during authentication and are configured in the user's profile. ...Then, the hook pulls them back out later.

On 26/11/13 03:38 PM, Michael wrote:
> [...]
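The comma-separated Class scheme in this thread, modelled in Python with the two checks a defender wants when unpacking it: RADIUS limits one attribute value to 253 octets, and the NAS echoes Class back verbatim, so each field is validated after the split instead of being trusted by position. This is an added example, not Radiator code or Michael's hook; the field names follow the quoted hook, while the allow-list patterns and sample values are constructed assumptions.

```python
"""Pack several values into one RADIUS Class attribute and unpack them from
the accounting Stop, modelling the comma-separated Class trick in the thread.
Added example, not Radiator code; the field names follow the quoted hook,
the patterns and sample values are constructed assumptions."""
import re

# RFC 2865: an attribute value is at most 253 octets (255 minus type+length).
MAX_ATTR_LEN = 253

# The hook splits by position, so this order is the contract between the
# AddToReply line and the PreHandlerHook.
FIELDS = ("zone", "uid", "auth-un", "old_zone", "un_only")

# Allow-list per field (assumed). A bare split(',') lets a stray comma in one
# value shift every later field into the wrong attribute, so each field is
# checked after splitting instead of being trusted by position alone.
FIELD_PATTERNS = {
    "zone":     re.compile(r"^[A-Za-z0-9_-]{1,32}$"),
    "uid":      re.compile(r"^[0-9]{1,12}$"),
    "auth-un":  re.compile(r"^[A-Za-z0-9._@+-]{1,64}$"),
    "old_zone": re.compile(r"^[A-Za-z0-9_-]{0,32}$"),
    "un_only":  re.compile(r"^[A-Za-z0-9._@+-]{1,64}$"),
}


def pack_class(values):
    """Build the Class value the AddToReply line would produce.

    Raises instead of emitting a value that carries the delimiter or would
    not fit in a single attribute, so a bad reply is caught at auth time."""
    parts = []
    for name in FIELDS:
        v = str(values.get(name, ""))
        if "," in v:
            raise ValueError(f"{name} contains the delimiter")
        if not FIELD_PATTERNS[name].match(v):
            raise ValueError(f"{name} does not match its allowed pattern")
        parts.append(v)
    packed = ",".join(parts)
    if len(packed.encode()) > MAX_ATTR_LEN:
        raise ValueError("Class value exceeds 253 octets")
    return packed


def unpack_class(packed):
    """Mirror of the PreHandlerHook's split: return the attributes to add to
    the request, or None if the echoed Class is malformed.

    The NAS echoes Class verbatim, so a truncated or damaged value must not
    turn into a logged 'zone' or 'uid'; a wrong field count or any pattern
    failure rejects the whole value rather than salvaging part of it."""
    if not isinstance(packed, str) or len(packed.encode()) > MAX_ATTR_LEN:
        return None
    parts = packed.split(",")
    if len(parts) != len(FIELDS):
        return None
    out = {}
    for name, v in zip(FIELDS, parts):
        if not FIELD_PATTERNS[name].match(v):
            return None
        if v:  # the hook only does change_attr when the value is non-empty
            out[name] = v
    return out


def handle_accounting(request):
    """The hook's job on an Accounting-Request (given here as a dict): copy
    the unpacked fields in as their own attributes so logs can reference them.
    Anything else, or a malformed Class, leaves the request untouched."""
    if request.get("code") != "Accounting-Request":
        return request
    fields = unpack_class(request.get("Class", ""))
    if fields is None:
        return request
    updated = dict(request)
    updated.update(fields)
    return updated


if __name__ == "__main__":
    # Constructed sample of what the Access-Accept's reply items would hold.
    reply_items = {"zone": "north", "uid": "10042", "auth-un": "mike@example.net",
                   "old_zone": "", "un_only": "mike"}
    cls = pack_class(reply_items)            # what AddToReply sends to the NAS
    stop = {"code": "Accounting-Request", "Acct-Status-Type": "Stop", "Class": cls}
    print(handle_accounting(stop))
```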
Re: [RADIATOR] Radius domain only auth, with password='cisco'
I'm looking to stop it, not set it up. I'm not sure what had enabled/configured it to start happening. I guess this is probably the wrong place to ask.

On 06/11/13 04:56 PM, Hugh Irvine wrote:
> Hello Michael -
>
> This sounds like Cisco VPDN tunnelling. This example is from the standard "users" file in the Radiator distribution:
>
>     # This example shows how to configure a Cisco VPDN circuit:
>     open.com.au     User-Password=cisco, Service-Type=Outbound-User
>             cisco-avpair = "vpdn:tunnel-id=cca-gw",
>             cisco-avpair = "vpdn:ip-addresses=1.2.3.4",
>             cisco-avpair = "vpdn:nas-password=pw",
>             cisco-avpair = "vpdn:gw-password=pw"
>
> regards
>
> Hugh
>
> On 7 Nov 2013, at 04:56, Michael ri...@vianet.ca wrote:
>> Has anyone ever seen a situation where, for every authentication attempt to a Radiator system from a Cisco device, there is an authentication attempt right before it that appears to be:
>>
>> - a domain (the username with the 'username@' part stripped off).
>> - plain text password is always 'cisco'.
>> - Service-Type = Outbound-User
>>
>> If I remove this line from the Cisco LNS:
>>
>>     aaa authorization network TEST group TEST
>>
>> ...the extra auth attempts stop, but then my radius network static profiles don't work, so it's not a solution but it narrows down the problem. My auth requests for the Radiator system are essentially doubled due to this. This only started happening recently. Network guys sometimes are like a ticking time bomb and asking them can cause an explosion so I thought I would ask here.
>>
>> Mike
>
> --
> Hugh Irvine h...@open.com.au
Re: [RADIATOR] Perl expressions
Thanks for the clarification... I was able to do as suggested. However, I am finding that evaluating check items in Handlers using vendor VSAs is hit or miss. I have in my config...

    <Handler Client-Identifier = ONCAMPUS, Aruba-Port-Identifier = controller-address:0/11>     - This works fine!
    <Handler TunnelledByPeap=1, Client-Identifier=ONCAMPUS, Realm=uwo.ca>                         This works fine!
    <Handler TunnelledByPeap=1, Client-Identifier=ONCAMPUS, Realm=uwo.ca, Aruba-Essid-Name=ssid of choice>   --- FAILS!!!

My dictionary file has all the Aruba VSAs defined. Other testing shows that it works with some VSAs but not all... I am running tests on a Windows server w/ Radiator ver. 4.51 and a Linux server w/ Radiator ver. 4.12.

Any thoughts???

Thanks
M

On 2013-10-21, at 2:54 PM, Heikki Vatiainen wrote:
> On 10/21/2013 06:44 PM, Michael Hulko wrote:
>> Sorry for the noob type question... but is it possible to evaluate a perl expression WITHOUT wrapping the perl code in a Hook?
>
> Hello Michael,
>
> I do not think there is support for evaluate.
>
>> such as for example:
>>
>>     <Handler TunnelledByPEAP=1>
>>         Identifier
>>         AuthBy NTLM
>>         PostAuthHook file:%D/xxx.hook
>>         AddToReply User-Vlan = $vlan = 620+int(rand(9));
>>     </Handler>
>
> For this particular example, I would calculate $vlan with PostAuthHook, add it to $p (request) as e.g. X-rand-vlan and then do something like:
>
>     AddToReply User-Vlan=%{X-rand-vlan}
>
> That would still give some hint that the User-Vlan value is something special.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au
> Radiator: the most portable, flexible and configurable RADIUS server anywhere.

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
[RADIATOR] Perl expressions
Sorry for the noob type question... but is it possible to evaluate a perl expression WITHOUT wrapping the perl code in a Hook?

such as for example:

    <Handler TunnelledByPEAP=1>
        Identifier
        AuthBy NTLM
        PostAuthHook file:%D/xxx.hook
        AddToReply User-Vlan = $vlan = 620+int(rand(9));
    </Handler>

Thanks

Michael Hulko
Network Analyst, Western University Canada
Re: [RADIATOR] Radiator LoadBalancing Optimization
Thanks for the response; too bad though. Unfortunately, we can only have one radius server instance per NAS (and a backup), but this particular NAS supports the radius proxy clients which are the problem.

M

On 2013-09-13, at 6:39 AM, Sami Keski-Kasari wrote:
> Hello Michael,
>
> CachePasswords doesn't work with EAP, it works only with PAP authentication. So it won't help you in this situation.
>
> My advice is that you should add more hosts for authentication, or if you have a lot of accounting traffic then it might be a good solution if you have separate instances for accounting and authentication.
>
> Best Regards,
> Sami
>
> On 09/12/2013 05:37 PM, Michael Hulko wrote:
>> [...]
>
> --
> Sami Keski-Kasari sam...@open.com.au
[RADIATOR] Radiator LoadBalancing Optimization
In a previous discussion regarding loadbalancing radius requests, we instituted the AuthBy EAPBALANCE method to proxy requests to departmental radius servers. We have been running this method for close to 6 months and have been pretty satisfied with the result. Of late, however, the client traffic has increased, and the time for an authentication to complete is a tad longer than the users are willing to accept.

My reading of the documentation provided by OSC suggests the use of CachePasswords, CacheOnNoReply and CachePasswordExpiry would assist in the performance. I understand that the trade-off of implementing these features is memory.

So to that end, first, is anyone using these parameters? What is the number of clients supported and related memory usage? I anticipate approx. 3-4K simultaneous users for the particular AuthBy clause. What would the recommended password expiry timer be?

Any info would be appreciated. Below is the current config snippet of the AuthBy we are using. User connections are retried after a 45 min. period.

    #IVEY
    # Proxies auth requests to the IVEY IAS radius servers using a loadbalance algorithm.
    <AuthBy EAPBALANCE>
        Identifier IVEY
        Retries 3
        RetryTimeout 5
        FailureBackoffTime 20
        AuthPort 1645
        AcctPort 1646
        Secret x
        LocalAddress xx
        #
        <Host xxx>
        </Host>
        #
        <Host>
        </Host>
        #
        <Host>
        </Host>
    </AuthBy>

The last server is the slower of the 3 hosts available, which I believe is the bottleneck.

Thanks

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
[RADIATOR] Easy 802.1X
We're working with HP MSM wireless controllers, which can do EAP-TLS, EAP-TTLS, EAP-PEAP, LEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.

I'm looking for the easiest way to allow WPA to use a RADIUS-based username/password for a public-access network. So no client certificates or supplicant software, and supporting a wide range of client devices. Security is not a concern -- currently authentication is done through HTTP, and credentials are not personally identifying information. This is strictly about convenience, to avoid use of the HTML login.

If anyone has set this up before, or has any pointers, it would be appreciated. I thought this would be a snap but it is proving to be more difficult than it needs to be!

Thanks.

--
Michael Newton
Manager, Information Systems
Point of Presence Technologies
*You manage your business. We'll manage your network.*
114 Parliament Street, Toronto ON, M5A 2Y8
mnew...@pofp.com | www.pofp.com
Re: [RADIATOR] proxying POD reply packets
On 16/07/13 04:24 PM, Heikki Vatiainen wrote:

On 07/13/2013 08:20 PM, Michael wrote:

So, my complicated config determines what device the request needs to go to and sends, and then it converts the POD and COA packets to accounting packets using scripting, then sends to my accounting handler and that POD/COA request is logged.

Ok, so that's where the 'Accounting rejected' log entry in your first message came from. The default processing in Radiator will proxy back both ACKed and NAKed messages. The latter will be logged as a failed message with 'Change-Filter-Request rejected: thereason', but it will be proxied back just like an ACKed reply.

However, rejected accounting messages are dropped. The RADIUS spec does not specify how to reject accounting messages, so there's no Accounting-Rejected message type to send back. You get drops instead.

Thanks,
Heikki

hmm so, are you saying that Radiator, after proxying out my POD/COA requests, and after I then convert the packet to an accounting packet and log it, is actually expecting that the POD/COA reply coming back is actually an accounting reply and does not relay it to the radpwtst?
Re: [RADIATOR] proxying POD reply packets
Heikki, to answer your questions at bottom:

<snip>
I wonder if you have a (very) old Radiator or more likely, a configuration that causes NAKed messages to be rejected.
<snip>

I'm using v4.10 so it's not old. I do however have a quite complicated Radiator configuration. Mainly, I inject PODs and COAs into Radiator rather than sending directly to devices because I have many different Cisco devices, some using different commands to accomplish the POD and COA. Radiator applies the necessary commands for the given device before proxying. Also, I wanted these requests to be logged. So, my complicated config determines what device the request needs to go to and sends, and then it converts the POD and COA packets to accounting packets using scripting, then sends to my accounting handler and that POD/COA request is logged.

So yes, I will have to review my config. For now though, adding the NAKed requests to the list in the code I described does make sure the reply packets coming back from the NASs are proxied to the radpwtst client. There's probably a better way of accomplishing this for sure. I'll look into this further.

Thanks.
Michael

On 13/07/13 03:25 AM, Heikki Vatiainen wrote:

On 07/12/2013 06:46 PM, Michael wrote:

also, Change-Filter-Request-NAKed would also need to be in that list.

Hello Michael,

I tested with this setup: radpwtst - R1 - R2, where R1 is a simple proxy Radiator and R2 is a Radiator that replies with Change-Filter-NAKed or Disconnect-Request-NAKed. It also adds Error-Cause and Reply-Message to the responses. This is done with AuthBy INTERNAL.

R1 config is simply this:

    <Client DEFAULT>
        Secret mysecret
    </Client>
    <Handler>
        <AuthBy RADIUS>
            Secret mysecret
            Host 127.0.0.1
            AuthPort 1812
            AcctPort 1813
        </AuthBy>
    </Handler>

With the above setup the NAKed responses were proxied back to radpwtst correctly. Also the ACKed responses were proxied fine.

R1 logs the message from R2 like this:

    DEBUG: Packet dump:
    *** Received from 127.0.0.1 port 1812
    Code:       Disconnect-Request-NAKed
    Identifier: 1
    Authentic:  C235235T17153RG13022121321327223184
    Attributes:
            Reply-Message = No Matching Session
            Error-Cause = Session-Context-Not-Found
    INFO: Disconnect-Request rejected: No Matching Session
    DEBUG: Packet dump:
    *** Sending to 127.0.0.1 port 44624
    Code:       Disconnect-Request-NAKed
    Identifier: 90
    Authentic:  ZNg233165a23'3520118915514
    Attributes:
            Reply-Message = No Matching Session
            Error-Cause = Session-Context-Not-Found

The INFO line is logged by Handler, which forwards the request back to radpwtst even if the request type was not added to the ACCEPTed request types.

I wonder if you have a (very) old Radiator or more likely, a configuration that causes NAKed messages to be rejected.

Thanks,
Heikki
Re: [RADIATOR] proxying POD reply packets
also, Change-Filter-Request-NAKed would also need to be in that list.

On 09/07/13 07:00 AM, Heikki Vatiainen wrote:

On 07/05/2013 09:17 PM, Michael wrote:

In AuthRADIUS.pm, routine sub handleReply, should Disconnect-Request-NAKed also be listed in the code below?

I think all types can be proxied back. Good news or bad news, the requestor will surely like to know about them.

Works for me now. The NAKed request now gets forwarded to the original requester (radpwtst).

Thanks for reporting the results. If nothing special comes up the additional message types will be in patches soon.

Thanks,
Heikki
[RADIATOR] proxying POD reply packets
Does anyone know of any issues with receiving reply packets from a packet-of-disconnect request which is proxied through Radiator?

For my POD requests, I inject them into Radiator using radpwtst and have them configured to proxy to the proper device. The POD does work. When a session is matched and a user is disconnected, the ACKed reply comes back to Radiator and proxies back to radpwtst, and radpwtst will exit with OK.

But, when the device responds with NOT acknowledged (i.e. no matching session found), that reply is NOT proxied back to radpwtst and therefore produces a no-response timeout issue for radpwtst.

This is an example of the NAKed request coming back with No Matching Session, which is correct, but it just stops and doesn't appear to forward that reply back to the waiting radpwtst.

    *** Received from 1.1.1.1 port 1700
    Code:       Disconnect-Request-NAKed
    Identifier: 22
    Authentic:
    Attributes:
            Reply-Message = No Matching Session
            Error-Cause = Session-Context-Not-Found
    Fri Jul 5 09:50:26 2013: DEBUG: Accounting rejected: Proxied
Re: [RADIATOR] proxying POD reply packets
In AuthRADIUS.pm, routine sub handleReply, should Disconnect-Request-NAKed also be listed in the code below?

Works for me now. The NAKed request now gets forwarded to the original requester (radpwtst).

    # RadiusResult tells Synchronous mode that we have
    # finished with this packet and what the result was
    # ReplyHook above could set $op->{RadiusResult} to force a
    # required response type
    if (!defined $op->{RadiusResult})
    {
        if ($p->code eq 'Access-Accept'
            || $p->code eq 'Accounting-Response'
            || $p->code eq 'Disconnect-Request-ACKed'
            || $p->code eq 'Disconnect-Request-NAKed'
            || $p->code eq 'Change-Filter-Request-ACKed')
        {
            $op->{RadiusResult} = $main::ACCEPT;
        }
        # (the rest of the routine follows here, unchanged)
    }
Re: [RADIATOR] AccountingTable Database Very big
are you saying postgresql is really that much better with regards to performance, and worth switching to?

On 01/07/13 03:29 AM, a.l.m.bu...@lboro.ac.uk wrote:

Hi,

I use mysql database and my AccountingTable has more than 40 million records per month. Does anyone here have any policy purge? I have an extract of CGI access for my users and is very slow because the bank is getting too big. Does anyone have any recommendation what I should do to have a page extract access working well with a huge amount of data like this?

firstly, use InnoDB rather than MyISAM (InnoDB has been in MySQL for ages now... no default installs should not have InnoDB support... and no tools should want to slap MyISAM tables into the DB... should be InnoDB by default)

secondly, edit the my.cnf to fully utilise your host. There are plenty of docs for each InnoDB option... but, like MyISAM, there are also quite a few tools that will give you a fairly good start on the way down the path, eg http://mysqltuner.com/

thirdly, look at what your tool is doing (in this case RADIATOR) with the DB to find out if there are any local query bottlenecks, eg use the EXPLAIN command to find out what the queries are doing and where it cannot find quick answers. Then look at adding required INDEXes to the tables.

finally, move from MySQL to PostgreSQL - psql doesn't have so many nasty locking events on each row/column - MySQL will cause limits whenever an update/insert is occurring (from experience, default install speed of psql is similar to that of MySQL after you've spent some time optimising the MySQL environment! - and THEN you can tweak psql even further)

alan
Re: [RADIATOR] AccountingTable Database Very big
I use mysql. No, I don't have anything that reads the data with a browser. Sorry.

On 30/06/13 11:33 PM, sergio wrote:

I use mysql database; I changed from MyISAM to InnoDB but I wonder if another database would not help. Very good idea to use your tables YEAR-MONTH. What database do you use? Do you have some script to extract such data in the browser?

Thanks
Re: [RADIATOR] AccountingTable Database Very big
I use monthly tables. That really helped. Then use the year-month attributes in your insert statements. And of course anything that reads this data will have to be altered to support year-month tables. Also an external process that runs monthly to make sure that the tables get created ahead of time.

On 28/06/13 10:08 PM, sergio wrote:

Hello list

I use mysql database and my AccountingTable has more than 40 million records per month. Does anyone here have any policy purge? I have an extract of CGI access for my users and is very slow because the bank is getting too big. Does anyone have any recommendation what I should do to have a page extract access working well with a huge amount of data like this?

Regards!
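The "external process that runs monthly" in the reply above is the piece people most often get wrong, usually at the December to January rollover. The following is an added example written for this page, not code from the thread or from Radiator: a dry-run script that derives this month's and next month's table names and prints the statements that create them from a template table, so the next month's table exists before its first Accounting-Request arrives. The base name ACCOUNTING, the template ACCOUNTING_TEMPLATE, the ACCOUNTING_YYYYMM naming and the MySQL CREATE TABLE ... LIKE syntax are all assumptions made for the example.

```perl
use strict;
use warnings;
use POSIX qw(strftime);

# Added example, not from the thread and not a Radiator default.
# Assumptions: MySQL syntax (CREATE TABLE ... LIKE copies columns and
# indexes), a template table ACCOUNTING_TEMPLATE, and monthly tables named
# ACCOUNTING_YYYYMM.

# Table name for a year and month, e.g. ("ACCOUNTING", 2013, 7)
# gives ACCOUNTING_201307.
sub table_for {
    my ($base, $year, $month) = @_;
    return sprintf '%s_%04d%02d', $base, $year, $month;
}

# Year and month following ($year, $month); December rolls into the next year.
sub next_month {
    my ($year, $month) = @_;
    return $month == 12 ? ($year + 1, 1) : ($year, $month + 1);
}

# CREATE statement that copies the template's layout into a new table.
sub create_statement {
    my ($table, $template) = @_;
    return "CREATE TABLE IF NOT EXISTS $table LIKE $template";
}

# Statements needed on a given month so that both the current table and the
# next one exist; IF NOT EXISTS makes a re-run harmless.
sub statements_for_date {
    my ($base, $template, $year, $month) = @_;
    my @months = ([$year, $month], [next_month($year, $month)]);
    return map { create_statement(table_for($base, @$_), $template) } @months;
}

# Dry run for the current month; pipe the output into the mysql client once
# it looks right.
my ($y, $m) = (strftime('%Y', localtime) + 0, strftime('%m', localtime) + 0);
print "$_;\n" for statements_for_date('ACCOUNTING', 'ACCOUNTING_TEMPLATE', $y, $m);
```

The insert side (pointing Radiator's accounting statement at the current month's table) and the reader side that the reply mentions are left to the configuration; the script only guarantees the tables are there first, which is what turns a missing-table error at midnight on the 1st into a non-event.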
Re: [RADIATOR] Radiator Debian Wheezy = memory problem?
I have this problem too. Radiator slowly consumes more and more memory as the weeks go by. Restarting it brings it back down. I have asked this question too, but also got the same answers you did. Not a Radiator problem.

On 19/06/13 05:04 AM, Kurt Bauer wrote:

Hi,

since upgrading one of our radius-servers to Debian 7 (Wheezy) we experience serious memory problems, namely Radiator eating up all the available memory over time (see attached graph). We have a few Radiator installations running and the ones on Debian Squeeze behave fine.

Radiator 4.11 plus latest patches
Perl v5.14.2 (as packaged in Wheezy)

Any similar experiences or hints why this could be? Restarting Radiator every few days rectifies the situation but is not the way we want to run the service ;-)

Thanks for your help,
best regards,
Kurt

--
Kurt Bauer kurt.ba...@univie.ac.at
Vienna University Computer Center - ACOnet - VIX
Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
Tel: ++43 1 4277 - 14070 (Fax: - 814070)
KB1970-RIPE
Re: [RADIATOR] Radiator Debian Wheezy = memory problem?
4 radius servers, identical config. The last in the list is not used as much; lower usage seems to mean lower memory usage.

Since May 7, up to 22% memory usage. Restarting it drops it down to 4%. It will sit there for a while and slowly creep up over a couple of months.

- apr25: 16.1%, 2.7 after restart
- may7: 18.4%, 4.7 after restart
- may17: 8.5%, 3.0 after restart

    ===
    root@:/l# ps u |grep radiusd
    root 9404 4.6 22.1 263120 112584 pts/0 S May07 2859:09 /usr/bin/perl radiusd
    root@:/# radiator stop
    Shutting down Radiator:
    root@:/# radiator start
    Starting Radiator:
    root@:/var/lib/mysql# ps u |grep radiusd
    root 3490 2.5 4.1 91124 21224 pts/0 S 11:20 0:00 /usr/bin/perl radiusd
    ===
    root@:/# ps u |grep radiusd
    root 25157 2.5 16.1 274228 123864 pts/3 S Apr25 1994:48 /usr/bin/perl radiusd
    root@:/# radiator stop
    Shutting down Radiator:
    root@:/# radiator start
    Starting Radiator:
    root@:/# ps u |grep radiusd
    root 21310 6.0 2.7 92972 20744 pts/0 S 11:24 0:00 /usr/bin/perl radiusd
    ===
    root@:# ps u |grep radiusd
    root 20050 2.1 18.4 242708 93992 pts/1 S May07 1354:18 /usr/bin/perl radiusd
    root@:# radiator stop
    Shutting down Radiator:
    root@:# radiator start
    Starting Radiator:
    root@:# ps u |grep radiusd
    root 3133 5.1 4.7 93896 24116 pts/1 S 11:27 0:00 /usr/bin/perl radiusd
    ===
    root@:# ps u |grep radiusd
    root 14703 0.6 8.5 211892 65432 pts/0 S May17 306:39 /usr/bin/perl radiusd
    root@:# radiator stop
    Shutting down Radiator:
    root@:# radiator start
    Starting Radiator:
    root 22218 0.7 3.0 93524 23488 pts/0 S 11:30 0:00 /usr/bin/perl radiusd
    ===

On 19/06/13 11:10 AM, Michael wrote:

I have this problem too. Radiator slowly consumes more and more memory as the weeks go by. Restarting it brings it back down. I have asked this question too, but also got the same answers you did. Not a Radiator problem.
Re: [RADIATOR] Radiator Debian Wheezy = memory problem?
- I use SessionDatabase NULL to disable this feature.
- My Radiator service handles many different authentication methods and my config is quite large. I'm up to 6,043 lines of config. I don't wish to send the config to anyone.
- Not sure what the logs are going to show for this matter, not to mention what part of the logs anyone would want to look at.
- I didn't say it was a memory leak. I just responded to Kurt Bauer saying that I experience the same problem, i.e. Debian Wheezy and increased memory usage over time.
- I'm not actually looking for help though. I do realize how hard it would be for someone to help via email on such a matter. Thanks anyways though.

Michael

On 19/06/13 02:19 PM, Christian Kratzer wrote:

Hi,

On Wed, 19 Jun 2013, Michael wrote:

4 radius servers. identical config. the last in the list is not used as much. lower usage seems to mean lower memory usage.

even without any additional modules in use Radiator will of course use some memory. Features like the session database will gradually build up memory usage until a level that matches your workload is reached. Restarting Radiator will of course free up all of the memory. This would not be a memory leak but legitimate usage that you have to account for to match your workload, or number of concurrent sessions in the case of the session db.

If you have a memory leak the process size would grow without ever reaching a saturation point. To find out if it is so you need to watch memory consumption with a graphing tool (mrtg/cacti/observium/...).

If you see a graph that slowly saturates, all's fine. If you see steady growth, investigate further.

Greetings
Christian

since May 7, up to 22% memory usage. restarting it, drops down to 4%. It will sit there for a while and slowly creep up over a couple months.
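Christian's rule of thumb above (growth that levels off is workload; growth that keeps its pace is a leak) can be applied to the ps figures in this thread without a graphing tool. The following is an added example for this page, not code from the thread: it pulls the RSS column out of "ps u" output in the format shown above and classifies a series of equally spaced RSS samples by comparing the average increment in the second half of the series with the first half. The ps line and the two sample series are constructed for the example; the 0.5 ratio is an arbitrary threshold, not anything Radiator or the thread specifies.

```perl
use strict;
use warnings;

# Added example, not from the thread. Samples and thresholds are constructed.

# Parse "ps u" output and return the RSS column (kB) of the radiusd line,
# skipping the grep that produced the listing. Returns undef if none matches.
sub rss_from_ps {
    my ($ps_output) = @_;
    for my $line (split /\n/, $ps_output) {
        # USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND ...
        my @f = split ' ', $line;
        next unless @f >= 11 && $line =~ /radiusd/ && $f[10] ne 'grep';
        return $f[5];
    }
    return;
}

sub _mean { my $sum = 0; $sum += $_ for @_; return @_ ? $sum / @_ : 0 }

# Classify equally spaced RSS samples: 'flat', 'saturating' (later increments
# have dropped below half of the earlier ones) or 'steady growth'.
sub classify_growth {
    my @rss = @_;
    return 'insufficient data' if @rss < 4;
    my @delta = map { $rss[$_] - $rss[$_ - 1] } 1 .. $#rss;
    my $mid   = int(@delta / 2);
    my $early = _mean(@delta[0 .. $mid - 1]);
    my $late  = _mean(@delta[$mid .. $#delta]);
    return 'flat'       if $early <= 0 && $late <= 0;
    return 'saturating' if $late < 0.5 * $early;
    return 'steady growth';
}

# Constructed "ps u | grep radiusd" output in the same shape as the thread's.
my $ps = <<'PS';
root      9404  4.6 22.1 263120 112584 pts/0    S    May07 2859:09 /usr/bin/perl radiusd
root     31337  0.0  0.0   4440    800 pts/0    S+   11:19   0:00 grep radiusd
PS
printf "current radiusd RSS: %d kB\n", rss_from_ps($ps);

# Constructed weekly RSS samples (kB): one series that levels off as caches
# fill, one that keeps growing at the same rate.
my @levelling = (21000, 60000, 85000, 100000, 108000, 112000, 114000);
my @linear    = (21000, 36000, 51000, 66000, 81000, 96000, 111000);
printf "%-10s => %s\n", 'levelling', classify_growth(@levelling);   # saturating
printf "%-10s => %s\n", 'linear',    classify_growth(@linear);      # steady growth
```

Run from cron against the real process (ps -o rss= -C radiusd is the terse form), the samples accumulate in a file and the classification only becomes meaningful after enough of them span the period in which the session database and caches would have filled; a week of samples from a freshly restarted server will always look like growth.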
Re: [RADIATOR] Additonal Aruba (14823) dictionary attributes
Sorry... cut off the last line... should be:

    VENDORATTR 14823 Aruba-AirGroup-Shared-Role 26 string

MH

On 2013-05-17, at 9:04 AM, Michael Hulko wrote:

FYI... in case you have not already included these in the latest dictionary file, I have found new attributes by Aruba's new version of OS which may cause log messages to appear.

    VENDORATTR 14823 Aruba-Device-Type 12 string
    VENDORATTR 14823 Aruba-Mdps-Device-Imei 16 string
    VENDORATTR 14823 Aruba-AirGroup-Shared-Ro26string

It might be worthwhile to maybe have a separate download for the dictionary file on the website, without having to always upgrade the Radiator software or unpack the latest release to extract the dictionary file. Just a thought.

Thanks

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
Re: [RADIATOR] Loadbalancing requests from Proxy
Thanks for the input. I will look at the trace 4 messages for errors and states. I am not sure that this is the same type of situation that Neil is describing from eduroam, as this is an internal proxy setup for a dept who looks after their own AD etc...

MH

On 2013-05-17, at 12:50 PM, Christopher Bongaarts wrote:

IIRC, this is the symptom we saw when our wireless controllers weren't returning all of the State attributes (see the thread from Neil at Iowa). For diagnosis, bump your Trace level up to 4 for a while, and observe the State attributes being sent and returned.

On 5/17/2013 7:12 AM, Michael Hulko wrote:

One note after implementing EAPBALANCE. I am getting this in the logs with a specific user at the moment.

    May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
    May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
    May 17 07:52:14 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
    May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward asnow...@ivey.ca (79) after 20 seconds. Ignoring
    May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward asnow...@ivey.ca (79) after 20 seconds. Ignoring
    May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.133:1645 for asnow...@ivey.ca (64)
    May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.133:1645 for asnow...@ivey.ca (64)

Here is the config snippet I have included.

    <AuthBy EAPBALANCE>
        Log errorLogger
        Log western_syslog
        Identifier IVEY
        Retries 3
        RetryTimeout 5
        FailureBackoffTime 20
        AuthPort 1645
        AcctPort 1646
        Secret x
        LocalAddress xx
        <Host 129.100.160.144>
        </Host>
        <Host 129.100.160.97>
        </Host>
        <Host 129.100.160.133>
        </Host>
    </AuthBy>

My interpretation of these messages is that the server the EAPBALANCE is trying to send the authentication packets to does not respond in the appropriate amount of time, the EAPBALANCE hash does not want to break the authentication stream, but never times out long enough to move to another server? Any input would be helpful. My thought is to lower the values for Retries etc.

MH

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
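The three message kinds quoted in the post above (an EAP stream pinned to a host that stopped answering, a host that gave no reply after the retransmissions, and no working host left at all) are the lines worth watching once EAPBALANCE is in place, because a single slow backend shows up there long before users complain. The following is an added example for this page, not code from the thread or from Radiator: a small triage script that classifies lines of that shape and counts them per backend host, so the host that keeps failing stands out. The message formats are taken from the quoted log lines; the sample lines themselves are constructed, with documentation addresses (192.0.2.0/24) and a placeholder user in place of the real ones.

```perl
use strict;
use warnings;

# Added example, not from the thread. Log lines below are constructed.

# Classify one Radiator syslog line. Returns (kind, host) or an empty list.
# Host keys are reduced to the address so the auth-port and the
# auth:acct-port spellings of the same backend land on one key.
sub classify_line {
    my ($line) = @_;
    if ($line =~ /No reply after (\d+) seconds and (\d+) retransmissions to (\S+) for (\S+)/) {
        (my $host = $3) =~ s/:.*//;
        return ('noreply', $host);
    }
    if ($line =~ /declines to break up an EAP stream after failover from (\S+) to (\S+)/) {
        # The EAP session stays pinned to the first host, the one that failed.
        (my $host = $1) =~ s/:.*//;
        return ('pinned', $host);
    }
    if ($line =~ /Could not find a working host to forward (\S+)/) {
        return ('nohost', '*');   # no single host to blame
    }
    return;
}

# Aggregate per host: { host => { noreply => n, pinned => n, nohost => n } }.
sub summarise {
    my @lines = @_;
    my %by_host;
    for my $line (@lines) {
        my ($kind, $host) = classify_line($line);
        next unless defined $kind;
        $by_host{$host}{$kind}++;
    }
    return \%by_host;
}

# Hosts whose no-reply count reaches the threshold, sorted for stable output.
sub suspect_hosts {
    my ($summary, $threshold) = @_;
    return sort grep { ($summary->{$_}{noreply} // 0) >= $threshold } keys %$summary;
}

my @sample = (
    'May 17 07:52:09 proxy /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 192.0.2.133:1645:1646 to 192.0.2.144:1645:1646',
    'May 17 07:52:14 proxy /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 192.0.2.133:1645:1646 to 192.0.2.144:1645:1646',
    'May 17 08:07:39 proxy /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward user@example.org (79) after 20 seconds. Ignoring',
    'May 17 08:07:39 proxy /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 192.0.2.133:1645 for user@example.org (64)',
    'May 17 08:07:40 proxy /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 192.0.2.133:1645 for user@example.org (65)',
    'May 17 08:09:01 proxy /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 192.0.2.97:1645 for user@example.org (70)',
);

my $summary = summarise(@sample);
for my $host (sort keys %$summary) {
    my $c = $summary->{$host};
    printf "%-12s noreply=%d pinned=%d nohost=%d\n",
        $host, $c->{noreply} // 0, $c->{pinned} // 0, $c->{nohost} // 0;
}
print "suspect: ", join(', ', suspect_hosts($summary, 2)), "\n";   # 192.0.2.133
```

Fed the real syslog instead of the sample array, the same per-host counts make the thread's question concrete: a backend with a high noreply count and pinned streams is the one whose Retries and RetryTimeout budget is being spent, and whether to lower those values is then a decision about that host rather than about the whole AuthBy.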
Re: [RADIATOR] Loadbalancing requests from Proxy
Thanks for the suggestion.. this seems to alleviate the timeouts that I had noticed previously. (Log file was sent separately). MH On 2013-05-10, at 5:26 AM, Heikki Vatiainen wrote: On 05/09/2013 11:09 PM, Michael Hulko wrote: We have been requested to try and loadbalance requests to a Campus department with their own Radius (IAS) server for their wireless users. Hello Michael, you mentioned campus and wireless LAN which makes me think there is EAP, such as PEAP or TTLS, involved. If so, you would need to use AuthBy EAPBALANCE to make sure the EAP authentication sessions are always handled by the same IAS server. Otherwise you will see failures and timeouts when the IAS servers receive requests they are not expecting. The Trace 4 log was not included, but I'd first check how it works with EAPBALANCE. Thanks, Heikki -- Heikki Vatiainen h...@open.com.au Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator Michael Hulko Network Analyst Western University Canada Network Operations Centre Information Technology Services 1393 Western Road, SSB 3300CC London, Ontario N6G 1G9 tel: 519-661-2111 x81390 e-mail: mihu...@uwo.ca mailto:mihu...@uwo.ca ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Loadbalancing requests from Proxy
We have been requested to try and loadbalance requests to a Campus department with their own Radius (IAS) server for their wireless users. We currently proxy to them from our Radiator server(s) for their users, however, their current server cannot handle the load. They have added 2 new servers to their environment and we have configured a test server to test the AuthBy VOLUMEBALANCE, ROUNDROBIN features of Radiator. We are experiencing, what appears to be excessive delays in responses from their servers in this configuration. We have tested each server individually while configured as AuthBy Radius with multiple host clauses, and although, the response times are immediate, there is no guarantee, that I can find from the documentation, that a failed/timedout request will go to the next host listed in the AuthBy clause. Attached is the trace 4 log of the AuthBy VOLUMEBALANCE attempt. Any assistance or recommendations are greatly appreciated.

Here is the portion of the config used:

# Dept identifier
<Client 129.100.160.133>
    IdenticalClients 129.100.160.144
    IdenticalClients 129.100.160.97
    Secret
    DupInterval 0
    IgnoreAcctSignature
    Identifier ONCAMPUS
</Client>

# Proxies auth requests to the IVEY IAS radius servers using a loadbalance algorithm (BogoMips)
<AuthBy VOLUMEBALANCE>
    Log errorLogger
    Log western_syslog
    Identifier Dept
    Retries 3
    RetryTimeout 5
    FailureBackoffTime 20
    AuthPort 1645
    AcctPort 1646
    Secret xx
    LocalAddress 172.18.58.210
    # biz-core1
    <Host 129.100.160.144>
        BogoMips 2
    </Host>
    # biz-core2
    <Host 129.100.160.197>
        BogoMips 2
    </Host>
    # biz-support
    <Host 129.100.160.133>
        BogoMips 1
    </Host>
</AuthBy>

Thanks for any assistance.

Michael Hulko Network Analyst Western University Canada Network Operations Centre Information Technology Services 1393 Western Road, SSB 3300CC London, Ontario N6G 1G9 tel: 519-661-2111 x81390 e-mail: mihu...@uwo.ca mailto:mihu...@uwo.ca ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
: DEBUG: Handling request with Handler 'Request-Type = Accounting-Request', Identifier '' Thu Apr 4 12:37:31 2013: DEBUG: tamesql Deleting session for 65002914, 10.50.1.4, 0 Thu Apr 4 12:37:31 2013: DEBUG: do query to 'dbi:ODBC:IRONMAN': 'delete from RADONLINE where NASIDENTIFIER='10.50.1.4' and NASPORT=00': Thu Apr 4 12:37:31 2013: DEBUG: Handling with Radius::AuthSQL: thomas Thu Apr 4 12:37:31 2013: DEBUG: Handling accounting with Radius::AuthSQL Thu Apr 4 12:37:31 2013: DEBUG: do query to 'dbi:ODBC:IRONMAN': 'update quotasubscribers set monthlycounter = 160823960, totalcounter = 160823960, timestamp = 13650682 51 where username='65002914' And Type = 'Q'': Thu Apr 4 12:37:31 2013: DEBUG: AuthBy SQL result: ACCEPT, Thu Apr 4 12:37:31 2013: DEBUG: Running PostAuthHook: Using Identifier Thu Apr 4 12:37:31 2013: DEBUG: Running PostAuthHook sql query check for : 65002914 Thu Apr 4 12:37:31 2013: DEBUG: Query to 'dbi:ODBC:IRONMAN': 'select username from quotasubscribers where switched = 0 and type = 'Q' and monthlycounter = maxquota ': Thu Apr 4 12:37:31 2013: DEBUG: The user 65002914 either has not yet exceeded allocated quota or isnt a quota based user Thu Apr 4 12:37:31 2013: DEBUG: Accounting accepted Thu Apr 4 12:37:31 2013: DEBUG: Packet dump: *** Sending to 10.50.1.4 port 1646 Code: Accounting-Response Identifier: 29 Authentic: (e12Z183bS24*-_1504'130238 Attributes: *_Radiator Config file_* LogDir /var/log/radius DbDir /etc/radiator # Use a low trace level in production systems. 
Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4

# You will probably want to add other Clients to suit your work site,
<Client DEFAULT>
    Secret XX
    DupInterval 0
</Client>

<Client 10.50.1.4>
    Secret XX
    DupInterval 0
    NasType Cisco
    IgnoreAcctSignature
</Client>

# Accept processing of other accounting requests of the genre Stop
<Handler Acct-Status-Type = Stop>
    <AuthBy SQL>
        Identifier thomas
        DBSource dbi:ODBC:IRONMAN
        DBUsername
        DBAuth WX
        AccountingStopsOnly
        AccountingTable ACCOUNTING
        AcctColumnDef USERNAME, User-Name
        AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type
        AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address
        AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets,integer
        AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets,integer
        AcctColumnDef TIME_STAMP,Event-Timestamp,integer-date
        AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time,integer
        AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time,integer
        AcctColumnDef ACCTSESSIONID,Acct-Session-Id
        AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause
        AcctColumnDef NASIDENTIFIER,NAS-Identifier
        AcctColumnDef NASPORT,NAS-Port,integer
    </AuthBy>
</Handler>

<SessionDatabase SQL>
    # This SessionDatabase clause can be used to insert value of extra desired field for future development
    Identifier tamesql
    DBSource dbi:ODBC:IRONMAN
    DBUsername XXX
    DBAuth X
</SessionDatabase>

# Accept processing of other accounting requests of the genre Alive interim updates
<Handler Request-Type = Accounting-Request>
    <AuthBy SQL>
        Identifier thomas
        DBSource dbi:ODBC:IRONMAN
        DBUsername XXX
        DBAuth XX
        AcctSQLStatement update quotasubscribers set monthlycounter = %{Acct-Output-Octets}, totalcounter = %{Acct-Output-Octets}, timestamp = %{Event-Timestamp} \
            where username='%n' \
            And Type = 'Q'
    </AuthBy>
    PostAuthHook file:/etc/radiator/rocky.pl
    # Log accounting to a detail file
    AcctLogFileName %L/detail
</Handler>

Requesting your kind help cooperation, Thomas Kurian IT Security Engineer (B.Tech.
-- Electrical) Kuwaiti Canadian Consulting Group (www.kccg.com) T: +965 22435566 F: +965 22415149 E:tho...@kccg.com On 3/27/2013 11:40 PM, Michael wrote: AuthByPolicy is only for what to do when you have multiple authby's. you only have 1 per handler here so it's irrelevant. Best to show some debug log of this in action with a start packet to figure out what's going on. the config looks like it should at least handle the start packet. On 27/03/13 03:32 PM, Thomas Kurian wrote: Hi Mike, Thanks for your email. Can you please tell me where exactly i have to add AuthByPolicy ContinueWhileIgnore? Should it go under each handler clause inside Authby sql? _My old config (which didnt work ,Start packets were never getting processed) (this was the config i had problem a long time ago.. which lead me to ask
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
On 27 March 2013 09:29, radiator-requ...@open.com.au wrote: My requirement is to process and handle ,Alive and Stop packet separately and the configuration must be called/processed separately ,each time the radiator receives it based on the Acct Status type as described above. Please help me out , i could not find an explanation for this anywhere and i am confused. Please let me know, if you need any more specifics to help me out. There shouldn't be any problem with using Handler Acct-Status-Type=Start, Handler Acct-Status-Type=Alive, or Handler Acct-Status-Type=Stop, it is how we do accounting on our server. Maybe make sure you you are using AuthByPolicy ContinueWhileIgnore if you have problems with subsequent handlers not getting called? If that doesn't help, I'd suggest posting the config that doesn't work instead of the one that does; other people may be able to provide more suggestions. Mike ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
AuthByPolicy has to do with the processing of the AuthBy's in Handlers, not the handlers themselves. Radiator will process the Handlers in order they are in the config file, and will only process the first match. that's it. If you want to do multiple things with the same packet, you would have to configure only 1 Handler, and multiple AuthBy's to do more than one thing with a packet. Michael On 27/03/13 12:41 PM, Michael Newton wrote: On 27 March 2013 09:29, radiator-requ...@open.com.au mailto:radiator-requ...@open.com.au wrote: My requirement is to process and handle ,Alive and Stop packet separately and the configuration must be called/processed separately ,each time the radiator receives it based on the Acct Status type as described above. Please help me out , i could not find an explanation for this anywhere and i am confused. Please let me know, if you need any more specifics to help me out. There shouldn't be any problem with using Handler Acct-Status-Type=Start, Handler Acct-Status-Type=Alive, or Handler Acct-Status-Type=Stop, it is how we do accounting on our server. Maybe make sure you you are using AuthByPolicy ContinueWhileIgnore if you have problems with subsequent handlers not getting called? If that doesn't help, I'd suggest posting the config that doesn't work instead of the one that does; other people may be able to provide more suggestions. Mike ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Bandwidth switch COA advice
This is not really a cut-and-paste sort of configuration. different cisco devices can have different config. Sometimes this is all done on 1 line, but generally this is what it looks like: aaa server radius dynamic-author client 1.1.1.1 client 1.1.1.2 client 1.1.1.3 client 1.1.1.4 server-key 7 12464C5F030316 auth-type any ! The clients being the ip address from where you need to accept connections ie. from radpwtst. Also keep in mind, this enables the POD server on the nas, but it doesn't necessarily listen on the ip address that you use for radius or to connect to the device. I work on devices that have many ips and the POD service seems to only sit on some, possible just one of the nas's ips. On 27/03/13 03:13 PM, Thomas Kurian wrote: Hello Michael, Many thanks for your email. I am just handling the radiator side of our company project . ISG (NAS) is handled by my colleague. so Can you please give me the necessary steps that i should ask him to do on the NAS? Additionally can you also please elaborate the steps or provide me with an example on what is to done on the radiator in a sequence. I positively believe that your previous experience with this subject ,can certainly help me out. Requesting your kind help cooperation, Thomas Kurian IT Security Engineer (B.Tech. -- Electrical) Kuwaiti Canadian Consulting Group (www.kccg.com) T: +965 22435566 F: +965 22415149 E:tho...@kccg.com On 3/27/2013 8:18 PM, Michael wrote: I do this, but it's done by sending the cisco-avpair attribute to the nas, with a value such as: ip:sub-qos-policy-out=RATE10M. RATE10M is a rate policy that MUST be already setup in the NAS. And of course you usually have 2 of these values. 1 being ip:sub-qos-policy-in= and the other ip:sub-qos-policy-out= to cover both the upload and the download. 
On a wider view of the process i myself use, i inject the request using radpwtst into NOT the nas, but into the radiator system which is configured to proxy the request itself to the nas, and then you have the ability to log that action. The nas needs to be setup with the POD server to accept these requests. Michael On 27/03/13 05:16 AM, Thomas Kurian wrote: Hello Friends, I want to do a COA ,to switch the bandwidth profile of the users after they exceed maximum their allocated quota. Which are the attributes to be included in the COA script to achieve this( (with respect to the following Accounting request capture from the NAS[cisco ISG]) , is it cisco-Policy-Up/Down or some other? what additional script lines might be required to achieve this bandwidth switch COA? Is there some configuration to be changed on the NAS end? To make myself clear ,my requirement is for example, to switch the bandwidth of this user from 8Mbps to 1Mbps after this user exceeds allocated quota ( quota check is to done by comparing 2 values like this, if monthlycounter=maxquota ,perform the COA bandwidth switching). Note:[totalcounter and maxquota are column names in my odbc database named quotasubscribers]. 
_Hook_

sub { \
    my $p = ${$_[0]}; \
    # Only act on accounting traffic; every other request is left alone
    return unless $p->code eq 'Accounting-Request'; \
    main::log($main::LOG_DEBUG, 'Handling Accounting-Request'); \
    # Identify the subscriber session the CoA must target
    my $user_name = $p->get_attr('User-Name'); \
    my $sess_id = $p->get_attr('Acct-Session-Id'); \
    my $framed_ipaddress = $p->get_attr('Framed-IP-Address'); \
    my @coa_attrs = ("User-Name=$user_name", "Acct-Session-Id=$sess_id", "Framed-IP-Address=$framed_ipaddress"); \
    # radpwtst options: send a Change-Filter-Request (CoA) instead of auth/acct
    my @cmd_args = ('-noacct', '-noauth', '-time', '-code', 'Change-Filter-Request'); \
    push @cmd_args, ('-trace', 4, '-bind_address', '0.0.0.0', '-auth_port', 3799, '-secret', 'xxx', '-s', 'x.x.x.x'); \
    my @cmd = ('perl', 'radpwtst'); \
    main::log($main::LOG_DEBUG, "Running command: @cmd @cmd_args @coa_attrs"); \
    # List form of system() avoids shell interpretation of the attribute values
    system(@cmd, @cmd_args, @coa_attrs); \
}

_Accounting request sent from ISG_

Wed Mar 27 10:19:32 2013: DEBUG: Packet dump:
*** Received from 10.50.1.4 port 1646
Code: Accounting-Request
Identifier: 165
Authentic: .255]191175+218#2371820229|214
Attributes:
Acct-Session-Id = 002D98E3
cisco-Policy-Up = 8Mbps
cisco-Policy-Down = 8Mbps
Framed-Protocol = PPP
Framed-IP-Address = 94.187.159.88
User-Name = 99759991
cisco-avpair = connect-progress=LAN Ses Up
cisco-avpair = nas-tx-speed=10
cisco-avpair = nas-rx-speed=10
Acct-Session-Time = 40503
Acct-Input-Octets = 81218503
Acct-Output-Octets = 2504979160
Acct-Input-Packets = 1032810
Acct-Output-Packets = 1829162
Acct-Authentic = RADIUS
Acct-Status-Type = Alive
NAS-Port-Type = Virtual
NAS-Port = 0
NAS-Port-Id = 0/0/0/666
cisco-avpair = client-mac-address=7073.cbb3.66c8
Class = 153318997599912144$2210343000
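As an added example (not from the thread, and not Radiator's or radpwtst's own code), here is the CoA-Request that the hook above hands to radpwtst, built and checked in Python: the RFC 5176 Request Authenticator over the subscriber identifiers from the ISG accounting dump, plus the cisco-avpair QoS policies Michael describes. The shared secret, the identifier and the policy name RATE1M are assumptions; the policy must already exist on the NAS, and the NAS only acts on the packet if the authenticator verifies under the secret configured in its dynamic-author client list.

```python
"""Build and verify a RADIUS CoA-Request (Radiator name: Change-Filter-Request)
that switches a Cisco ISG subscriber's QoS policy. Added example; values marked
as assumptions are not from the mailing-list thread."""
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

COA_REQUEST = 43            # RFC 5176 CoA-Request, Radiator's Change-Filter-Request
ATTR_USER_NAME = 1          # RFC 2865 attribute types used by the thread's hook
ATTR_FRAMED_IP_ADDRESS = 8
ATTR_VENDOR_SPECIFIC = 26
ATTR_ACCT_SESSION_ID = 44
CISCO_VENDOR_ID = 9         # cisco-avpair = Vendor-Specific, vendor 9, vendor type 1
CISCO_AVPAIR = 1


def avp(attr_type: int, value: bytes) -> bytes:
    """Encode one attribute as Type(1) Length(1) Value; Length includes the header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def cisco_avpair(text: str) -> bytes:
    """Wrap a cisco-avpair string (e.g. ip:sub-qos-policy-out=RATE10M) as a VSA."""
    data = text.encode("ascii")
    vendor_part = struct.pack("!BB", CISCO_AVPAIR, len(data) + 2) + data
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vendor_part)


def build_coa_request(identifier: int, secret: bytes, user_name: str, session_id: str,
                      framed_ip: str, policy_in: str, policy_out: str) -> bytes:
    """Return the full CoA-Request: header, Request Authenticator, attributes."""
    attrs = b"".join([
        avp(ATTR_USER_NAME, user_name.encode("ascii")),
        avp(ATTR_ACCT_SESSION_ID, session_id.encode("ascii")),
        avp(ATTR_FRAMED_IP_ADDRESS, IPv4Address(framed_ip).packed),
        cisco_avpair(f"ip:sub-qos-policy-in={policy_in}"),
        cisco_avpair(f"ip:sub-qos-policy-out={policy_out}"),
    ])
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(attrs))
    # RFC 5176 2.3: MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
    authenticator = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + authenticator + attrs


def request_authenticator_valid(packet: bytes, secret: bytes) -> bool:
    """The check a NAS (or a Radiator proxy) performs before acting on a CoA-Request."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    header, received, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(received, expected)


def parse_attributes(packet: bytes) -> list:
    """Decode attributes to (name, value) pairs; Cisco VSAs come back as cisco-avpair."""
    out, pos = [], 20
    while pos < len(packet):
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > len(packet):
            raise ValueError("malformed attribute")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_USER_NAME:
            out.append(("User-Name", value.decode("ascii")))
        elif atype == ATTR_ACCT_SESSION_ID:
            out.append(("Acct-Session-Id", value.decode("ascii")))
        elif atype == ATTR_FRAMED_IP_ADDRESS:
            out.append(("Framed-IP-Address", str(IPv4Address(value))))
        elif atype == ATTR_VENDOR_SPECIFIC and value[:4] == struct.pack("!I", CISCO_VENDOR_ID):
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR and vlen == len(value) - 4:
                out.append(("cisco-avpair", value[6:].decode("ascii")))
        else:
            out.append((str(atype), value))
        pos += alen
    return out


if __name__ == "__main__":
    # Constructed demo: subscriber values mirror the ISG accounting dump above;
    # the secret b"xxx", identifier 7 and policy RATE1M are assumptions.
    pkt = build_coa_request(7, b"xxx", "99759991", "002D98E3", "94.187.159.88",
                            "RATE1M", "RATE1M")
    print(len(pkt), request_authenticator_valid(pkt, b"xxx"), parse_attributes(pkt))
```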
Re: [RADIATOR] Handler type Stop/Alive distinguished processing
AuthByPolicy is only for what to do when you have multiple authby's. you only have 1 per handler here so it's irrelevant. Best to show some debug log of this in action with a start packet to figure out what's going on. the config looks like it should at least handle the start packet. On 27/03/13 03:32 PM, Thomas Kurian wrote: Hi Mike, Thanks for your email. Can you please tell me where exactly i have to add AuthByPolicy ContinueWhileIgnore? Should it go under each handler clause inside Authby sql? _My old config (which didnt work ,Start packets were never getting processed) (this was the config i had problem a long time ago.. which lead me to ask this question)_ AcctPort 1813 AuthPort 1812 BindAddress 0.0.0.0 LogDir /var/log/radius DbDir /etc/radiator # Use a low trace level in production systems. Increase # it to 4 or 5 for debugging, or use the -trace flag to radiusd Trace 4 # You will probably want to add other Clients to suit your work site, # one for each NAS you want to work with Client DEFAULT Secret DupInterval 0 /Client Client 10.50.1.4 Secret xxx DupInterval 0 NasType Cisco IgnoreAcctSignature /Client #For strictly processing with Accounting Stop packets Handler Acct-Status-Type = Stop AuthBy SQL Identifier Block-Quota-SQL DBSource dbi:mysql:radius DBUsername DBAuth x AccountingStopsOnly AccountingTable quotacouunter AuthColumnDef username,User-Name,check AuthSelect select monthlycounter from quotacounter \ where username='%n' \ And type = 'Q' #AuthColumnDef 0, Session-Timeout, reply AcctSQLStatement update quotacounter set \ monthlycounter=monthlycounter+%{Acct-Input-Octets} \ where username='%n' \ And Type = 'Q' AuthSelect select totalcounter from quotacounter \ where username='%n' \ And Type = 'Q' AcctSQLStatement update quotacounter set \ totalcounter=totalcounter+%{Acct-Input-Octets} \ where username='%n' \ And Type = 'Q' PostAuthHook file:%D/thomas.pl; /AuthBy /Handler # Accept processing of other accounting requests of the genre start and interim 
Handler Request-Type = Accounting-Request Realm DEFAULT AuthBy SQL DBSource dbi:mysql:radius DBUsername DBAuth AccountingTable ACCOUNTING AcctColumnDef USERNAME, User-Name AcctColumnDef ACCTSTATUSTYPE,Acct-Status-Type AcctColumnDef FRAMEDIPADDRESS,Framed-IP-Address AcctColumnDef ACCTINPUTOCTETS,Acct-Input-Octets AcctColumnDef ACCTOUTPUTOCTETS,Acct-Output-Octets AcctColumnDef TIME_STAMP,Event-Timestamp AcctColumnDef ACCTSESSIONTIME,Acct-Session-Time AcctColumnDef ACCTDELAYTIME,Acct-Delay-Time AcctColumnDef ACCTSESSIONID,Acct-Session-Id AcctColumnDef ACCTTERMINATECAUSE,Acct-Terminate-Cause AcctColumnDef NASIDENTIFIER,NAS-Identifier AcctColumnDef NASPORT,NAS-Port AcctColumnDef ACCTSESSIONID,Acct-Session-Id /AuthBy # Log accounting to a detail file AcctLogFileName %L/detail /Realm /Handler Requesting your kind help, Thomas Kurian IT Security Engineer (B.Tech. -- Electrical) Kuwaiti Canadian Consulting Group (www.kccg.com) T: +965 22435566 F: +965 22415149 E: tho...@kccg.com On 3/27/2013 8:00 PM, radiator-requ...@open.com.au wrote: Send radiator mailing list submissions to radiator@open.com.au To subscribe or unsubscribe via the World Wide Web, visit http://www.open.com.au/mailman/listinfo/radiator or, via email, send a message with subject or body 'help' to radiator-requ...@open.com.au You can reach the person managing the list at radiator-ow...@open.com.au When replying, please edit your Subject line so it is more specific than Re: Contents of radiator digest... Today's Topics: 1. 
Re: Handler type Stop/Alive distinguished processing (Michael Newton) -- Message: 1 Date: Wed, 27 Mar 2013 09:41:40 -0700 From: Michael Newton mnew...@pofp.com Subject: Re: [RADIATOR] Handler type Stop/Alive distinguished processing To: radiator@open.com.au Message-ID: CADEoLhCoJHu0vQChsC5-czmG24k+kwsSnw=fzydovji-bh-...@mail.gmail.com Content-Type: text/plain; charset=utf-8 On 27 March 2013 09:29, radiator-requ...@open.com.au wrote: My requirement is to process and handle ,Alive and Stop packet separately and the configuration must be called/processed separately ,each time the radiator receives it based on the Acct Status type as described above. Please help me out , i could not find an explanation for this anywhere and i am confused. Please let me know, if you need any more specifics to help me out. There shouldn't be any problem with using Handler Acct-Status-Type=Start, Handler Acct-Status-Type=Alive, or Handler Acct-Status-Type=Stop, it is how we do accounting on our server. Maybe make sure you you are using AuthByPolicy ContinueWhileIgnore if you have problems with subsequent handlers not getting called? If that doesn't help, I'd suggest posting the config
[RADIATOR] Radmin - still active?
Hi Guys, We have been running Radiator/RAdmin for many years - I have a question, but the RAdmin list appears to be inactive (last post in 2011?) Cheers. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] format_special for GENERIC attributes.
Suggestion... I just noticed that when using GENERIC attribute name for AuthColumnDef in AuthBy SQL which allows for a comma separated attribute list, the result from the select query is not passed through format_special therefore I can't use global variables. --- old/Radius/AuthSQL.pm 2013-01-07 17:21:33.0 -0500 +++ new/Radius/AuthSQL.pm 2013-01-25 15:08:55.0 -0500 @@ -472,6 +472,7 @@ sub getAuthColumns if ($attrib eq GENERIC) { # Column is a list of attr=value pairs + $cols[$colnr] = Radius::Util::format_special( $cols[$colnr], $p ); if ($type eq 'check') { $user-get_check-parse($cols[$colnr]); ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
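Review bot: the added line in getAuthColumns runs format_special over a value read straight from the database, so every %-special stored in a GENERIC column is now expanded at lookup time; that is the requested feature, but it turns column content into a template, so the column must only be writable by trusted administrators, and a NULL column should be skipped by guarding the call with `defined $cols[$colnr]`. The hunk also uses `$p` without showing where it is declared, so confirm it is the request packet in scope in this sub.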
Re: [RADIATOR] New Error messages
The changelog for version 4.8 says: - Fixed an issue where truncated EAP-Message requests would cause a log message like Could not load EAP module Radius::EAP_ . This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha. Has this crept back into version 4.10 ?? MH On 2013-01-17, at 12:31 PM, Alexander Hartmaier wrote: On 2013-01-17 17:31, Michael Hulko wrote: Lately I've been seeing these errors daily which were not there prior to the new year: Jan 8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3, GEN1 line 699827. Jan 8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3, GEN1 line 352731. Jan 8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3, GEN1 line 354206. Jan 8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3, GEN1 line 356467. 
Jan 8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3, GEN1 line 358402. Jan 9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3, GEN1 line 371473. [11:17:45 slogr] grep Could not load EAP module Radius::EAP console Jan 9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3, GEN1 line 532256. can someone shed some lightwe are running Radiator version 10 First, there is no version 10, the latest version is 4.11. The changelog for version 4.8 says: - Fixed an issue where truncated EAP-Message requests would cause a log message like Could not load EAP module Radius::EAP_ . This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha. So i guess you're running an older version than 4.8. Update and look if the errors are still present. 
Thanks Michael Hulko Network Analyst Western University Canada Network Operations Centre Information Technology Services 1393 Western Road, SSB 3300CC London, Ontario N6G 1G9 tel: 519-661-2111 x81390 e-mail: mihu...@uwo.ca mailto:mihu...@uwo.ca ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator Best regards, Alexander Hartmaier *** T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *** Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *** ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator Michael Hulko Network Analyst Western University Canada Network Operations Centre Information Technology Services 1393 Western Road, SSB 3300CC London, Ontario N6G 1G9 tel: 519-661-2111 x81390 e-mail: mihu...@uwo.ca mailto:mihu...@uwo.ca ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] New Error messages
Lately I've been seeing these errors daily which were not there prior to the new year: Jan 8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3, GEN1 line 699827. Jan 8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3, GEN1 line 352731. Jan 8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3, GEN1 line 354206. Jan 8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3, GEN1 line 356467. Jan 8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3, GEN1 line 358402. Jan 9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . 
/usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3, GEN1 line 371473. [11:17:45 slogr] grep Could not load EAP module Radius::EAP console Jan 9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3, GEN1 line 532256. can someone shed some lightwe are running Radiator version 10 Thanks Michael Hulko Network Analyst Western University Canada Network Operations Centre Information Technology Services 1393 Western Road, SSB 3300CC London, Ontario N6G 1G9 tel: 519-661-2111 x81390 e-mail: mihu...@uwo.ca mailto:mihu...@uwo.ca ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Monitor commands
Thanks everyone for the input.

MH :)

On 2012-12-05, at 10:57 PM, Hugh Irvine wrote:

Hi Michael -

Sure - telnet or whatever to the Monitor port.

regards

Hugh
Re: [RADIATOR] Monitor commands
It describes the command language from an external source point of view (if I read correctly), not from the Radiator server itself.

What the challenge is: we want to monitor the RADIUS servers from another source such as Nagios, WhatsUp Gold etc. We were looking at Radar and, as impressive as it is, it does not store the data historically, which is what our requirements are. The SNMP side of the monitoring does not give us the complete picture, as there is no OID for the Response Time value that Radar - Monitor - StatsLog provides, unless I am missing something. So, what we have done in the past is created a local custom SNMP variable through various means for us to monitor and collect stats from other systems. We could parse through the StatsLog; however, this requires a fair bit of logic and programming, not to mention timing. Having tested the Monitor command language running the command STATS . we find we can parse the values simply. In order for us to define a custom SNMP OID variable we need to be able to run this locally on the server itself. If there is a way that Radar could provide historical data and/or write the values into a log file for extraction, that would be easier. Any other suggestions would be appreciated.

Thanks for your time and input

MH

On 2012-12-04, at 4:19 PM, Heikki Vatiainen wrote:

On 12/04/2012 09:43 PM, Michael Hulko wrote:

Just wondering if there is a way to execute the Monitor command language local to the Radiator server?

Does section 25 Monitor command language in doc/ref.pdf describe what you are looking for?

--
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Monitor commands
Hugh,

Thought of that, but the StatsLog records ALL statistics, not just from the server but all the Realms, Clients, AuthBys etc. Not that it is large in our case: after testing this, we are left with approx. 10 entries plus the header per interval cycle. However, since the log is appended, we would need to write something a little more sophisticated to grep the values we want and to ensure the timing between the StatsLog interval and the SNMP call for the data is synchronized so as not to cause problems, which is why we were looking into the Monitor language to execute on demand and respond only with the server-level information. Unless I missed something in the docs related to the StatsLog that weeds out the additional details. We are contemplating just programmatically removing the Statistics file after each call just to keep it pruned.

What would be best is to be able to have Radar write these values as they are monitored into an RRD-type flat file/database for reading by other systems from a historical perspective.

Thanks anyway, I thought I would just ask. Is there anything that would prevent us from adjusting the Radar code to facilitate our needs by our developers?

regards;

MH :)

On 2012-12-05, at 5:05 PM, Hugh Irvine wrote:

Hello Michael -

Why don't you just use the StatsLog clause?

See sections 5.94 and 5.95 in the manual (doc/ref.pdf).

regards

Hugh

--
Hugh Irvine h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] Monitor commands
That's where I was headed with the original question. Whether the commands can be run locally against the server itself. Make the call to itself, essentially.

Thoughts

MH

On 2012-12-05, at 5:31 PM, Hugh Irvine wrote:

Hi Michael -

In that case I would probably just write a little Perl script to run whatever command(s) you wish against the Monitor port.

You don't need to use Radar - you can use anything to connect to the Monitor port.

regards

Hugh
[RADIATOR] Monitor commands
Just wondering if there is a way to execute the Monitor command language local to the Radiator server?

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
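Hugh's point in this thread is that anything able to open a TCP connection can drive the Monitor port, so the STATS values Michael wants for a custom SNMP OID can be fetched locally without Radar. The following Python poller is an added example, not code from the thread or from Radiator itself: it connects to the Monitor port, logs in, issues STATS . and returns the selected counters as a dict. The wire details are assumptions made for the example rather than taken from ref.pdf section 25: newline-terminated commands, a LOGIN user password handshake answered by LOGGEDIN, and STATS replies as name:value lines ending in a blank line. The default port 9048, the credentials and the counter names are likewise placeholders, so check them against the manual for your version. The small fake Monitor listener at the bottom exists only so the script runs offline; it is not Radiator.

```python
import socket
import threading

# Constructed stand-in for what "STATS ." is assumed to return (one name:value
# per line, then an empty line). Names, numbers and credentials are made up.
FAKE_STATS = {"Access requests": 12345, "Access accepts": 12000,
              "Access rejects": 300, "Average response time": 0.0042}
FAKE_USER, FAKE_PASSWORD = "monitor", "secret"


def parse_stats(lines):
    """Turn 'name:value' lines into a dict, converting numeric values."""
    stats = {}
    for line in lines:
        if ":" not in line:
            continue
        name, _, value = line.partition(":")
        value = value.strip()
        try:
            value = float(value) if "." in value else int(value)
        except ValueError:
            pass  # non-numeric values stay strings
        stats[name.strip()] = value
    return stats


class MonitorClient:
    """Line-oriented client for the assumed Monitor dialect: one command per
    line, each reply terminated by an empty line."""

    def __init__(self, host="127.0.0.1", port=9048, timeout=5.0):
        # Short timeout: a poller called from an SNMP agent must never hang.
        self.sock = socket.create_connection((host, port), timeout=timeout)
        self.reader = self.sock.makefile("r", encoding="ascii")

    def command(self, text):
        self.sock.sendall((text + "\n").encode("ascii"))
        lines = []
        for line in self.reader:
            if line == "\n":
                break
            lines.append(line.rstrip("\n"))
        return lines

    def login(self, user, password):
        if self.command(f"LOGIN {user} {password}") != ["LOGGEDIN"]:
            raise PermissionError("Monitor login refused")

    def close(self):
        self.sock.sendall(b"QUIT\n")
        self.sock.close()


def poll_server_stats(host, port, user, password, wanted):
    """Log in, run STATS . and keep only the counters to export (e.g. via SNMP)."""
    client = MonitorClient(host, port)
    try:
        client.login(user, password)
        stats = parse_stats(client.command("STATS ."))
    finally:
        client.close()
    return {name: stats[name] for name in wanted if name in stats}


# Fake Monitor listener so the script runs offline. This is NOT Radiator.
def _serve_one(conn):
    f = conn.makefile("rw", encoding="ascii")
    authed = False
    for line in f:
        parts = line.split()
        if parts and parts[0] == "QUIT":
            break
        if parts and parts[0] == "LOGIN":
            authed = parts[1:] == [FAKE_USER, FAKE_PASSWORD]
            f.write("LOGGEDIN\n\n" if authed else "BADLOGIN\n\n")
        elif parts and parts[0] == "STATS" and authed:
            f.write("".join(f"{k}:{v}\n" for k, v in FAKE_STATS.items()) + "\n")
        else:
            f.write("ERROR\n\n")
        f.flush()
    conn.close()


def start_fake_monitor():
    """Listen on a random loopback port in a daemon thread; return the port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_fake_monitor()
    print(poll_server_stats("127.0.0.1", port, FAKE_USER, FAKE_PASSWORD,
                            ["Access requests", "Average response time"]))
```

Because the login and every command travel in clear text over plain TCP in this dialect, keep the Monitor listener bound to the loopback address or a management network and give the polling account its own credentials. The socket timeout matters too: an SNMP agent extension that blocks on a hung Monitor connection will itself time out and the monitoring system then sees nothing at all.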
Re: [RADIATOR] A few tips on performance and high availabilty
This memcache sounds pretty nice.

I do experience many PPPoE logins where a router will constantly attempt to log in, which is fine at a slow rate. Some routers (usually D-Link) must be defective, as they sometimes attempt to log in WAY TOO often. My personal record I've seen is about 12 times a second. This means a little over 1 million rows in a failure SQL table per day. I have so far combated this issue by, instead of logging every failure, using an SQL table with a unique index key between the username, a month/day value, and message, then using an INSERT INTO table ... ON DUPLICATE KEY UPDATE hits=hits+1. It works quite nicely. This reduces these 1 million rows PER DAY down to just 1 row per day and counts the number of times it happens in a given day. 28/30/31 rows for the month. Very effective.

I also have routers that seem to log in, log out, log in, log out successfully all day long. These must be defective routers, but I'm not interested in a REACTIVE solution of calling these people and telling them they need to trash that router. I'm more interested in PROACTIVE solutions to battle this. Just a quick glance right now in my success log: I've got 2 people, 12 thousand and 16 thousand logins so far for just today. And this will be every day. These are SUCCESSES, so these routers are logging in, logging out constantly. And I'm only 11 hours into this day. Failures, 127 thousand for 1 user, again just for today. And I'm only 11 hours into this day.

The login attempts though, still of course cause many unneeded SQL queries for the authentication.

This memcache sounds interesting. Do you have a quick description of usage, or a link describing how to implement it into Radiator?

Thanks

On 03/12/12 11:17 AM, Anders Bandholm wrote:

Hi list!

We have been running Radiator for several purposes for around 5 years, and I would like to share a few tricks that we have learned...

Memcached
Memcached is a distributed cache, with a simple Perl API. We run an instance of memcached on each RADIUS server. We use it for several things:

* We use it in a PostAuthHook for rejecting users with too many login failures (to prevent brute-force password guessing)
* We cache certain SOAP calls. Since Radiator is single-threaded, fast answers from backends are imperative, as you probably know. We use memcached in a defensive way: we always make the SOAP call first, but with a low timeout (0.1 sec). If the call times out, we use the cache; if not, we save the result to the cache.
* We have started a service for our customers (Danish schools) where they get alerts by email when user upload or download exceeds certain thresholds. This is handled by summing up bytes from accounting records in a PostProcessingHook. The counters for each user are kept in memcached.

It seems to me that memcached is a perfect companion for Radiator! Memcached is of course not a database, and if you shut down one of the memcached instances you will lose part of your cache. But for the purposes above it works very well.

The Perl module is Cache::Memcached. If you run Linux, memcached is probably packaged for you; on Debian/Ubuntu you need packages like these: memcached libcache-memcached-perl libmemcached-tools

Two other tricks

1) We have started using Gearman to make it possible for the main radii to offload certain slow things to other servers. As explained above, our radii keep track of user up/downloads through acct-records, and when a certain limit is reached we send email alerts to the relevant admin. But we don't want Radiator itself to send the email, so we submit a job through Gearman (Perl: Gearman::Client and Gearman::Worker). This is a very promising technology and I expect we will use it more in the future.

2) Simple trick - probably used by many of you: We have the client list in an Oracle database, but since the database is sometimes down for maintenance, we generate static file-based client lists every 10 minutes instead, and reload Radiator when they change. If Oracle is down, Radiator does not suffer. (The 10 minute interval is overkill for most installations ;-)

Cheers,

Anders
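Two ideas in the exchange above share one data structure: Michael's INSERT ... ON DUPLICATE KEY UPDATE hits=hits+1 row-per-day failure log, and Anders' PostAuthHook that rejects users with too many login failures. The following Python is an added example, not the posters' Perl or Radiator's own code: a failure counter keyed on (username, time bucket, message) using sqlite's ON CONFLICT ... DO UPDATE upsert (the sqlite spelling of the MySQL statement), plus the decision logic such a hook would run. The table name radfail, the reject messages, the limits and the timestamps are constructed for the example; a real deployment would keep the counter in memcached or the accounting database as the posters do.

```python
import sqlite3
import time

ACCEPT, REJECT = "ACCEPT", "REJECT"


class FailureCounter:
    """One row per (user, time bucket, reject message), incremented on conflict.

    The upsert is sqlite's spelling of the MySQL INSERT ... ON DUPLICATE KEY
    UPDATE hits = hits + 1 trick from the post: a router retrying 12 times a
    second still produces a single row per bucket. Needs sqlite >= 3.24.
    """

    def __init__(self, bucket_seconds, db_path=":memory:"):
        self.bucket_seconds = bucket_seconds
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS radfail ("
            " username TEXT NOT NULL, bucket INTEGER NOT NULL,"
            " message TEXT NOT NULL, hits INTEGER NOT NULL,"
            " PRIMARY KEY (username, bucket, message))"
        )

    def _bucket(self, now):
        return int(now) // self.bucket_seconds

    def record_failure(self, username, message, now):
        self.db.execute(
            "INSERT INTO radfail (username, bucket, message, hits) VALUES (?, ?, ?, 1)"
            " ON CONFLICT(username, bucket, message) DO UPDATE SET hits = hits + 1",
            (username, self._bucket(now), message),
        )
        self.db.commit()

    def failures(self, username, now):
        """Failures for this user in the current bucket, summed over messages."""
        row = self.db.execute(
            "SELECT COALESCE(SUM(hits), 0) FROM radfail WHERE username = ? AND bucket = ?",
            (username, self._bucket(now)),
        ).fetchone()
        return row[0]

    def row_count(self):
        return self.db.execute("SELECT COUNT(*) FROM radfail").fetchone()[0]


def post_auth_decision(counter, username, backend_result, reason, limit, now=None):
    """Decision logic of the PostAuthHook described above (stand-in, not Radiator).

    Failures are counted; an ACCEPT from the backend is turned into a REJECT
    while the user is at or over `limit` failures in the current window, so a
    guesser who finally hits the right password is still refused.
    """
    now = time.time() if now is None else now
    if backend_result == REJECT:
        counter.record_failure(username, reason, now)
        return REJECT
    if counter.failures(username, now) >= limit:
        return REJECT
    return ACCEPT
```

A day-sized bucket gives Michael's 28/30/31 rows per month; a ten-minute bucket gives a brute-force guard. Fixed buckets are deliberately simple: a guesser straddling a bucket boundary gets up to twice the limit, so set the limit with that in mind, or move to a sliding window if that matters.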
Re: [RADIATOR] SQL Timeout
I see this query timeout issue quite often. I have a 4-system SQL replication ring though, so it just moves on to the next one and keeps humming. Not sure what's causing the timeout though.

On 20/11/12 04:33 PM, Heikki Vatiainen wrote:

On 11/20/2012 02:27 PM, Ricardo Martinez wrote:

Is there a way to mark the DB SQL as down in the configuration file, maybe with a PostHook? Or something like that?

Currently DB query timeout can not be trapped with a hook.

Have you had problems with the DB timing out queries while still allowing connections? I'd like to know how common this problem is.

Thanks,
Heikki

Regards,
Ricardo.-

-----Original message-----
From: Ricardo Martinez [mailto:rmarti...@redvoiss.net]
Sent: Monday, 19 November 2012 18:50
To: 'Heikki Vatiainen'; 'radiator@open.com.au'
Subject: RE: [RADIATOR] SQL Timeout

There is also another post about the same issue: http://www.open.com.au/pipermail/radiator/2011-April/017237.html

-----Original message-----
From: Ricardo Martinez [mailto:rmarti...@redvoiss.net]
Sent: Monday, 19 November 2012 18:36
To: 'Heikki Vatiainen'; 'radiator@open.com.au'
Subject: RE: [RADIATOR] SQL Timeout

Is there another, safer way to do the BackOff? What I'm trying to do is, when an SQL query is timed out by Radiator, mark the server as down and go to the next AuthBy clause. I saw a pair of questions about the same issue near 2002: http://www.open.com.au/pipermail/radiator/2002-October/005289.html

Please help me here.

I'm using:
Radiator 4.9
perl, v5.10.1 (*) built for x86_64-linux-thread-multi
DBI: 1.622
DBD::mysql 4.022

Regards,
Ricardo.-

-----Original message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On behalf of Heikki Vatiainen
Sent: Monday, 19 November 2012 18:21
To: radiator@open.com.au
Subject: Re: [RADIATOR] SQL Timeout

On 11/19/2012 10:47 PM, Ricardo Martinez wrote:

Question: When it says "...Radiator will wait for when trying to contact the SQL server...", does this mean that a select is a CONTACT???

Hello Ricardo, there is a contact before the select. The contact succeeds but the subsequent query (DELAYREQ) times out. Since it was the query that returned the error and not the contact just before it, FailureBackoffTime is not triggered.

So, I don't understand why Radiator is not doing the Backoff.

If you make the DB contact block, for example using iptables to drop traffic destined to the DB, it will then time out the connection attempt. When this happens you will see it start the backoff timer.

Thanks,
Heikki

--
Heikki Vatiainen h...@open.com.au
Re: [RADIATOR] SQL Timeout
Looks like your first AuthBy SQL is answering accept. Is this maybe because you don't have any 'check' options at all? Then if accept, it never processes the AuthBy FILE because of ContinueWhileIgnore.

For example, maybe you need at least one check option:

    AuthColumnDef 1, Encrypted-Password, check

Not exactly sure though.

On 19/11/12 02:07 PM, Ricardo Martinez wrote:

Hello,

I'm trying to Backoff an SQL query to my database whenever a timeout happens. I have the next configuration in my radius_auth.cfg:

    <Handler NAS-IP-Address = 10.0.0.82, Service-Type = SIP-Caller-AVPs>
        RewriteUsername s/^([^@]+).*/$1/
        <AuthBy GROUP>
            AuthByPolicy ContinueWhileIgnore
            <AuthBy SQL>
                DBSource dbi:mysql:prueba:127.0.0.1:3306
                DBUsername radius
                DBAuth radiator
                Timeout 2
                FailureBackoffTime 60
                SQLRetries 2
                NoDefault
                AuthSelect call DELAYREQ;
                AuthColumnDef 0, SIP-AVP, reply
            </AuthBy>
            <AuthBy FILE>
                Filename /usr/src/Radiator-4.9/users_tranum
            </AuthBy>
        </AuthBy>
    </Handler>

The procedure DELAYREQ() in my MySQL DB sleeps for 5 seconds and returns a column.

This is the log for a Request to this Handler:

    Mon Nov 19 16:03:33 2012: DEBUG: Packet dump:
    *** Received from 10.0.0.82 port 36336
    Code: Access-Request
    Identifier: 96
    Authentic: h29217d218=220!2001911701482.~^
    Attributes:
        User-Name = sip:557100050994@10.0.0.86
        Service-Type = SIP-Caller-AVPs
        Called-Station-Id = sip:0212345678@10.0.0.82
        Sip-Uri-User = 0212345678
        Calling-Station-Id = sip:557100050994@10.0.0.86
        NAS-Port = 0
        NAS-IP-Address = 10.0.0.82

    Mon Nov 19 16:03:33 2012: DEBUG: Handling request with Handler 'NAS-IP-Address = 10.0.0.82, Service-Type = SIP-Caller-AVPs', Identifier ''
    Mon Nov 19 16:03:33 2012: DEBUG: Rewrote user name to sip:557100050994
    Mon Nov 19 16:03:33 2012: DEBUG: Deleting session for sip:557100050994@10.0.0.86, 10.0.0.82, 0
    Mon Nov 19 16:03:33 2012: DEBUG: Handling with Radius::AuthGROUP:
    Mon Nov 19 16:03:33 2012: DEBUG: Handling with Radius::AuthSQL:
    Mon Nov 19 16:03:33 2012: DEBUG: Handling with Radius::AuthSQL:
    Mon Nov 19 16:03:33 2012: DEBUG: Query is: 'call DELAYREQ;':  (2 seconds delay)
    Mon Nov 19 16:03:35 2012: ERR: getOneRow timed out
    Mon Nov 19 16:03:35 2012: DEBUG: Radius::AuthSQL looks for match with sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:03:35 2012: DEBUG: Radius::AuthSQL ACCEPT: : sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:03:35 2012: DEBUG: Radius::AuthGROUP: result: ACCEPT,
    Mon Nov 19 16:03:35 2012: DEBUG: AuthBy GROUP result: ACCEPT,
    Mon Nov 19 16:03:35 2012: DEBUG: Access accepted for sip:557100050994
    Mon Nov 19 16:03:35 2012: DEBUG: Packet dump:
    *** Sending to 10.0.0.82 port 36336
    Code: Access-Accept
    Identifier: 96
    Authentic: M,115213723?135233IA137-143011
    Attributes:
        SIP-AVP = avion

I was expecting that if the DB takes too much time to answer it fails over to the second AuthBy. Maybe I'm doing something wrong? Can someone help me here?

Regards,
Ricardo.-
Re: [RADIATOR] SQL Timeout
I think you would have to query a 2nd time within 60 seconds in order to see the BackOff in the log.

On 19/11/12 02:44 PM, Ricardo Martinez wrote:

Hello Michael.

I have modified the AuthByPolicy from ContinueWhileIgnore for and now it jumps to the second AuthBy, but it is not marking the DB as failed (and therefore doing the Backoff Time). This is the log. What am I doing wrong?

    Mon Nov 19 16:41:05 2012: DEBUG: Packet dump:
    *** Received from 10.0.0.82 port 34896
    Code: Access-Request
    Identifier: 112
    Authentic: 3123t2021972475185138147198*22184216x
    Attributes:
        User-Name = sip:557100050994@10.0.0.86
        Service-Type = SIP-Caller-AVPs
        Called-Station-Id = sip:0212345678@10.0.0.82
        Sip-Uri-User = 0212345678
        Calling-Station-Id = sip:557100050994@10.0.0.86
        NAS-Port = 0
        NAS-IP-Address = 10.0.0.82

    Mon Nov 19 16:41:05 2012: DEBUG: Handling request with Handler 'NAS-IP-Address = 10.0.0.82, Service-Type = SIP-Caller-AVPs', Identifier 'AuthFailover'
    Mon Nov 19 16:41:05 2012: DEBUG: Rewrote user name to sip:557100050994
    Mon Nov 19 16:41:05 2012: DEBUG: Deleting session for sip:557100050994@10.0.0.86, 10.0.0.82, 0
    Mon Nov 19 16:41:05 2012: DEBUG: Handling with Radius::AuthSQL:
    Mon Nov 19 16:41:05 2012: DEBUG: Handling with Radius::AuthSQL:
    Mon Nov 19 16:41:05 2012: DEBUG: Query is: 'call DELAYREQ;':
    Mon Nov 19 16:41:07 2012: ERR: Execute failed for 'call DELAYREQ;': SQL Timeout
    Mon Nov 19 16:41:09 2012: ERR: Execute failed for 'call DELAYREQ;': SQL Timeout
    Mon Nov 19 16:41:09 2012: DEBUG: Radius::AuthSQL looks for match with sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:41:09 2012: DEBUG: Radius::AuthSQL REJECT: No such user: sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:41:09 2012: DEBUG: Query is: 'call DELAYREQ;':
    Mon Nov 19 16:41:11 2012: ERR: Execute failed for 'call DELAYREQ;': SQL Timeout
    Mon Nov 19 16:41:13 2012: ERR: Execute failed for 'call DELAYREQ;': SQL Timeout
    Mon Nov 19 16:41:13 2012: DEBUG: AuthBy SQL result: REJECT, No such user
    Mon Nov 19 16:41:13 2012: DEBUG: Handling with Radius::AuthFILE:
    Mon Nov 19 16:41:13 2012: DEBUG: Radius::AuthFILE looks for match with sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:41:13 2012: DEBUG: Radius::AuthFILE ACCEPT: : sip:557100050994 [sip:557100050994@10.0.0.86]
    Mon Nov 19 16:41:13 2012: DEBUG: AuthBy FILE result: ACCEPT,
    Mon Nov 19 16:41:13 2012: DEBUG: Access accepted for sip:557100050994
    Mon Nov 19 16:41:13 2012: DEBUG: Packet dump:
    *** Sending to 10.0.0.82 port 34896
    Code: Access-Accept
    Identifier: 112
    Authentic: @165188181;242-251184200q174`23924k
    Attributes:
        SIP-AVP = tranum:sip:0212345678@10.0.0.82
        SIP-AVP = channels:1

Thanks,
Ricardo.-
Re: [RADIATOR] SessionDB::RADONLINE::Deletion Failing
5.10.4 DeleteQuery

This SQL statement is executed whenever a user session finishes (i.e. when an Accounting-Request Stop message is received). It is expected to remove the details of the session from the SQL database. Special formatting characters may be used. %0 is replaced by the quoted user name to be deleted, %1 by the NAS IP address, %2 by the NAS-Port, %3 by the SQL quoted Acct-Session-Id. If DeleteQuery is defined as an empty string, then the query will not be executed.

On 13/11/12 02:15 PM, ronald higgins wrote:

Hi User List,

I need a bit of an assist. I'm having an issue with sessions being deleted from RADONLINE when a stop record comes in. This is the pertinent bit in the conf:

##
    <SessionDatabase SQL>
        Identifier SessionDB
        DBSource dbi:mysql:radius:XXX.XXX.XXX.XXX:3306
        DBUsername radius
        DBAuth DB_PASSWORD
        Timeout 5
    </SessionDatabase>

Pretty basic and standard now.
##

This is the Trace 4 in the log file for the Start and the Stop:

## Start:
    Tue Nov 13 18:51:25 2012: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729':
    Tue Nov 13 18:51:25 2012: DEBUG: do query is: 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ADSL_USERNAME', '196.X.X.X', 1929707729, '7/0/3/5.209_16FBD22C', 1352825485, 'ADSL_IP', 'Virtual', 'Framed-User')':

It's quite happily inserting the record.

## Stop:
    Tue Nov 13 20:46:27 2012: DEBUG: do query to 'DB_CONNECTION_STRING': 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729':
    Tue Nov 13 20:46:27 2012: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729': MySQL server has gone away

Not so happy on the Stop record. Stops always seem to produce "MySQL server has gone away".
##

If I log into mysql and delete the query as it's posted in the logs it deletes just fine...

    mysql> delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729;
    Query OK, 1 row affected (0.00 sec)

It's Radiator 4.10, running on CentOS 5.3 and Perl version 5.8.8

Any thoughts?

Regards
Ronald
Re: [RADIATOR] SessionDB::RADONLINE::Deletion Failing
I don't think that delete statement you are seeing is actually a delete statement to delete the session from your sql table. It is a delete statement to help make sure duplicates don't happen in the table. So, you should probably specify the proper delete statement as per the manual section 5.10.4 On 13/11/12 02:34 PM, Michael wrote: 5.10.4 DeleteQuery This SQL statement is executed whenever a user session finishes (i.e. when an Account- ing-Request Stop message is received). It is expected to remove the details of the ses- sion from the SQL database. Special formatting characters may be used. %0 is replaced by the quoted user name to be deleted, %1 by the NAS IP address, %2 by the NAS-Port, %3 by the SQL quoted Acct-Session-Id. If DeleteQuery is defined as an empty string, then the query will not be executed. On 13/11/12 02:15 PM, ronald higgins wrote: Hi User List, I need a bit of an assist. I'm having an issue with sessions being deleted from RADONLINE when a stop record comes in. This is the pertinent bit in the conf: ## SessionDatabase SQL Identifier SessionDB DBSourcedbi:mysql:radius:XXX.XXX.XXX.XXX:3306 DBUsername radius DBAuth DB_PASSWORD Timeout 5 /SessionDatabase Pretty basic and standard now. ## This is the Trace 4 in the log file for the Start and the Stop: ## Start: Tue Nov 13 18:51:25 2012: DEBUG: do query is: 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729': Tue Nov 13 18:51:25 2012: DEBUG: do query is: 'insert into RADONLINE (USERNAME, NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE) values ('ADSL_USERNAME', '196.X.X.X', 1929707729, '7/0/3/5.209_16FBD22C', 1352825485, 'ADSL_IP', 'Virtual', 'Framed-User')': It's quite happily inserting the record. 
## Stop:
Tue Nov 13 20:46:27 2012: DEBUG: do query to 'DB_CONNECTION_STRING': 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729':
Tue Nov 13 20:46:27 2012: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729': MySQL server has gone away
Not so happy on the Stop record, Stops always seem to produce the MySQL server has gone away.
##

If i log into mysql and delete the query as it's posted in the logs it deletes just fine...
mysql> delete from RADONLINE where NASIDENTIFIER='196.X.X.X' and NASPORT=01929707729;
Query OK, 1 row affected (0.00 sec)

It's Radiator 4.10, running on Centos 5.3 and Perl version 5.8.8

Any thoughts?

Regards
Ronald
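The DeleteQuery placeholders quoted from manual section 5.10.4 above, as an added Python example that is not part of the thread or of Radiator: it renders a DeleteQuery template with %0..%3 and runs an accounting Start/Stop sequence against an in-memory SQLite copy of RADONLINE. The table layout, the two DeleteQuery templates and the late-Stop scenario are constructed for the example and are not the Radiator defaults. The point it shows is that a Stop keyed only on NAS and port can remove a newer session on a reused port, whereas %3 (the Acct-Session-Id) keeps the delete tied to the session that actually ended.

```python
import re
import sqlite3

# Minimal RADONLINE table with the columns that appear in the trace above.
RADONLINE_DDL = """
CREATE TABLE RADONLINE (
    USERNAME      TEXT,
    NASIDENTIFIER TEXT,
    NASPORT       INTEGER,
    ACCTSESSIONID TEXT,
    TIME_STAMP    INTEGER
)
"""

# Two hypothetical DeleteQuery templates (assumed for this example, not the
# Radiator defaults). The first keys only on NAS and port, the second also on
# the Acct-Session-Id via %3.
DELETE_BY_PORT = "DELETE FROM RADONLINE WHERE NASIDENTIFIER='%1' AND NASPORT=%2"
DELETE_BY_SESSION_ID = (
    "DELETE FROM RADONLINE WHERE NASIDENTIFIER='%1' AND NASPORT=%2 "
    "AND ACCTSESSIONID=%3"
)


def sql_quote(value):
    """Return value as a single-quoted SQL literal with embedded quotes doubled."""
    return "'" + str(value).replace("'", "''") + "'"


def render_delete_query(template, username, nas_ip, nas_port, acct_session_id):
    """Expand the placeholders listed in manual section 5.10.4:
    %0 quoted user name, %1 NAS IP address, %2 NAS-Port, %3 quoted Acct-Session-Id.
    A single regex pass is used so substituted values are never re-scanned."""
    subs = {
        "0": sql_quote(username),
        "1": str(nas_ip),
        "2": str(int(nas_port)),
        "3": sql_quote(acct_session_id),
    }
    return re.sub(r"%([0-3])", lambda m: subs[m.group(1)], template)


def start_session(db, username, nas_ip, nas_port, acct_session_id, now):
    """Accounting Start as seen in the trace: clear whatever is left on the same
    NAS/port (duplicate protection), then insert the new session."""
    db.execute("DELETE FROM RADONLINE WHERE NASIDENTIFIER=? AND NASPORT=?",
               (nas_ip, nas_port))
    db.execute("INSERT INTO RADONLINE VALUES (?, ?, ?, ?, ?)",
               (username, nas_ip, nas_port, acct_session_id, now))


def stop_session(db, template, username, nas_ip, nas_port, acct_session_id):
    """Accounting Stop: run the rendered DeleteQuery and return rows removed."""
    query = render_delete_query(template, username, nas_ip, nas_port, acct_session_id)
    return db.execute(query).rowcount


def online_sessions(db):
    return sorted(row[0] for row in db.execute("SELECT ACCTSESSIONID FROM RADONLINE"))


def simulate(template):
    """Constructed scenario: port 1929707729 on one NAS is reused by a second
    session before the Stop for the first session arrives (a late Stop)."""
    db = sqlite3.connect(":memory:")
    db.execute(RADONLINE_DDL)
    start_session(db, "user_a", "192.0.2.1", 1929707729, "SESSION_A", 1352825485)
    start_session(db, "user_b", "192.0.2.1", 1929707729, "SESSION_B", 1352825500)
    stop_session(db, template, "user_a", "192.0.2.1", 1929707729, "SESSION_A")
    return online_sessions(db)


if __name__ == "__main__":
    print("delete by NAS/port only  :", simulate(DELETE_BY_PORT))
    print("delete by Acct-Session-Id:", simulate(DELETE_BY_SESSION_ID))
```

Run as a script it prints both results: the NAS/port-only Stop leaves RADONLINE empty (the newer SESSION_B was deleted by a Stop that belonged to SESSION_A), while the Acct-Session-Id keyed Stop leaves SESSION_B online.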
Re: [RADIATOR] Radiator does not wait for RADIUS requests
and if the secret is wrong, i'm pretty sure it will show the connection in the debug logs.

On 06/11/12 02:38 PM, alan buxey wrote:

Hi,

I entered the correct password.

did you? All I have seen you say so far is that you used

perl radpwtst -user mikem -password fred -auth_port 1812 -trace 4

wheres the shared secret for the client to talk to the RADIUS server? radpwtst emulates a NAS rather than a real client edge device - so it needs to have a shared secret

radpwtst -h

alan
Re: [RADIATOR] verifying online sessions with SNMP
I see my snmp problem is due to missing MIBs, and Radiator has switched to numerical snmp queries in the latest version/patch set:

2012-09-25 : Updated all Nas/*.pm modules to use numeric OIDs instead of symbolic, since some recent versions of snmp tools install without MIBs.

Guess someone may still want to add the error detection though.

On 01/11/12 02:07 PM, Michael wrote:

I'm having some issues with verifying online session with the DefaultSimultaneousUse option. I keep seeing that sessions are gone away. Messages in the log such as:
Thu Nov 1 04:45:41 2012: INFO: Session 0196B6A4 for username at 0.0.0.0: has gone away
But, the sessions were NOT gone away and should have been counted, and this login request should have been rejected.

I found out by manually running the snmp query that the snmp query is not working:
# /usr/bin/snmpget -c x 0.0.0.0 iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905
iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905: Unknown Object Identifier (org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905)

I see in the snmpget routine in Radius/SNMP.pm, the error checking doesn't seem to include this error. Should it be added:
SNIP
    my $result = `$command`;
    if ($result =~ /error/i
        || $result =~ /no response/i
        || $result =~ /timeout/i
        || $result =~ /Unknown Object Identifier/
       )
    {
SNIP

After changing this myself, i can now see the problem in the logs:
Thu Nov 1 12:08:06 2012: ERR: The command '/usr/bin/snmpget -c 0.0.0.0 iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905 21' failed with an error: iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905: Unknown Object Identifier (org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905)

Now i see i have an snmpget problem.
Michael
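The error check discussed above, as an added Python example that is not part of the thread or of Radius/SNMP.pm: it classifies snmpget output into alive, gone or error, keeping the "Unknown Object Identifier" case in the error class, and builds the query with the numeric form of the Cisco OID so it does not depend on installed MIBs. The sample outputs, the "-v 2c" flag and the fail-closed count are assumptions of the example. The security point is the one in the thread: a probe that fails must not be treated as a session that has gone away, or DefaultSimultaneousUse lets in logins it should reject.

```python
import re
import subprocess

# Numeric form of iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2:
# iso(1).org(3).dod(6).internet(1).private(4).enterprises(1).9.9.150.1.1.3.1.2
CISCO_SESSION_USERNAME_OID = "1.3.6.1.4.1.9.9.150.1.1.3.1.2"

ALIVE, GONE, ERROR = "alive", "gone", "error"

# Output that means the query itself failed (tool, MIB or transport problem),
# not that the session is absent. "Unknown Object Identifier" is the case the
# thread adds to Radius/SNMP.pm; it is what net-snmp prints for a symbolic OID
# when no MIBs are installed.
ERROR_PATTERNS = [
    re.compile(r"unknown object identifier", re.I),
    re.compile(r"no response", re.I),
    re.compile(r"timeout", re.I),
    re.compile(r"\berror\b", re.I),
]
# Output that means the agent answered and has no row for that index.
ABSENT_PATTERNS = [
    re.compile(r"no such instance", re.I),
    re.compile(r"no such object", re.I),
]


def classify_snmpget_output(output):
    """Map raw snmpget output to ALIVE, GONE or ERROR. Error patterns are tested
    first so a failed probe is never mistaken for a missing session."""
    for pattern in ERROR_PATTERNS:
        if pattern.search(output):
            return ERROR
    for pattern in ABSENT_PATTERNS:
        if pattern.search(output):
            return GONE
    return ALIVE if output.strip() else ERROR


def build_snmpget_command(host, community, oid, index):
    """Command line using a numeric OID, so the lookup does not depend on MIB
    files on the RADIUS host. "-v 2c" is an assumption of this example; the
    command Radiator logged above shows no version flag."""
    return ["/usr/bin/snmpget", "-v", "2c", "-c", community, host, "%s.%s" % (oid, index)]


def probe_session(host, community, index, run=subprocess.run):
    """Run snmpget (or an injected stand-in) and classify the result."""
    cmd = build_snmpget_command(host, community, CISCO_SESSION_USERNAME_OID, index)
    proc = run(cmd, capture_output=True, text=True)
    return classify_snmpget_output(proc.stdout + proc.stderr)


def count_live_sessions(states):
    """Sessions whose probe failed stay in the count: an SNMP failure must not
    turn into an extra free login under DefaultSimultaneousUse."""
    return sum(1 for state in states if state != GONE)


def canned_runner(output):
    """Stand-in for subprocess.run so the example runs without a NAS."""
    def run(cmd, **kwargs):
        return subprocess.CompletedProcess(cmd, 0, stdout=output, stderr="")
    return run


# Constructed sample outputs (not captured from the thread's NAS).
SAMPLE_OUTPUTS = {
    "unknown_oid": "iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905: "
                   "Unknown Object Identifier (org.dod.internet.private.enterprises"
                   ".9.9.150.1.1.3.1.2.26740905)\n",
    "timeout": "Timeout: No Response from 192.0.2.10.\n",
    "present": 'SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.26740905 = STRING: "username"\n',
    "absent": "SNMPv2-SMI::enterprises.9.9.150.1.1.3.1.2.26740905 = "
              "No Such Instance currently exists at this OID\n",
}

if __name__ == "__main__":
    for name, text in SAMPLE_OUTPUTS.items():
        state = probe_session("192.0.2.10", "public", 26740905, run=canned_runner(text))
        print("%-12s -> %s" % (name, state))
```

With the real subprocess.run the same probe_session call talks to the NAS; only the GONE result should release a slot in the simultaneous-use count, and an ERROR should be logged as the thread's patched SNMP.pm does.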
[RADIATOR] verifying online sessions with SNMP
I'm having some issues with verifying online session with the DefaultSimultaneousUse option. I keep seeing that sessions are gone away. Messages in the log such as:
Thu Nov 1 04:45:41 2012: INFO: Session 0196B6A4 for username at 0.0.0.0: has gone away
But, the sessions were NOT gone away and should have been counted, and this login request should have been rejected.

I found out by manually running the snmp query that the snmp query is not working:
# /usr/bin/snmpget -c x 0.0.0.0 iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905
iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905: Unknown Object Identifier (org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905)

I see in the snmpget routine in Radius/SNMP.pm, the error checking doesn't seem to include this error. Should it be added:
SNIP
    my $result = `$command`;
    if ($result =~ /error/i
        || $result =~ /no response/i
        || $result =~ /timeout/i
        || $result =~ /Unknown Object Identifier/
       )
    {
SNIP

After changing this myself, i can now see the problem in the logs:
Thu Nov 1 12:08:06 2012: ERR: The command '/usr/bin/snmpget -c 0.0.0.0 iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905 21' failed with an error: iso.org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905: Unknown Object Identifier (org.dod.internet.private.enterprises.9.9.150.1.1.3.1.2.26740905)

Now i see i have an snmpget problem.

Michael
Re: [RADIATOR] Accounting records are not written to database
Looks like your AuthBy xDSL is accepting, therefore since the default AuthByPolicy is ContinueWhileIgnore, it will stop at the xDSL authby and the AuthBy SQLAccounting is not processed.

I personally handle accounting in a separate handler. To me, handling accounting and authorization in the same handler is tricky.

<Handler Request-Type = Accounting-Request, Acct-Status-Type = Start|Stop>

Michael

On 01/11/12 05:07 PM, rohan.he...@cwjamaica.com wrote:

Hugh,

Config and logs attached. And the application crashed when testing Simultaneous-Use for both configurations below.

In my AuthBy config:
DefaultSimultaneousUse 1
With
AuthAttrDef Simultaneous-Use,Simultaneous-Use,check

Or

In my Handler:
MaxSessions 1

On Fri, 2 Nov 2012 07:19:09 +1100 Hugh Irvine <h...@open.com.au> wrote:

Hello Rohan -

We will need to see the configuration file (no secrets) together with a trace 4 debug showing what is happening.

regards

Hugh

On 2 Nov 2012, at 05:53, rohan.he...@cwjamaica.com wrote:

Hello,

Why doesn't the following work?
<AuthBy SQL>
    Identifier SQLAccounting
    DBSource dbi:mysql:inetdb_test
    DBUsername inet
    DBAuth inet@inetdb
    #Disable SQL authentication
    AuthSelect
    HandleAcctStatusTypes Start,Stop
    AccountingTable ARCH_ACCOUNTING
    AcctColumnDef USER_NAME,User-Name
    AcctColumnDef ACCT_START_TIME,Timestamp,integer
    AcctColumnDef ACCT_STOP_TIME,Timestamp,integer
    AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
    AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
    AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
    AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
    AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
    AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
    AcctColumnDef ACCT_TERMINATE_CAUSE,Acct-Terminate-Cause,integer
    AcctColumnDef FRAMED_IP_ADDRESS,Framed-IP-Address
    AcctColumnDef NAS_IDENTIFIER,NAS-Identifier
    AcctColumnDef NAS_PORT,NAS-Port,integer
    AcctColumnDef CALLED_STATION_ID,Called-Station-Id
    AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
    SQLRecoveryFile %L/sqlaccounting.sql
</AuthBy>

Specifying the following in my Handler does not work. I don't even see any trace in my logs set at level 4 or 5.
AuthBy SQLAccounting

However my sessions database work with the following.
SessionDatabase SQLSDB

Thanks much.

Regards,
Rohan

--
Hugh Irvine h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Rohan Henry
Server Administrator
LIME
Phone (876) 936-4819
Mobile (876) 997-0729
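Michael's point about ContinueWhileIgnore, as an added Python model that is not part of the thread or of Radiator: a tiny Handler dispatcher and AuthBy chain with the default ContinueWhileIgnore policy (and ContinueAlways for contrast), run against a constructed Accounting Stop. The stand-in AuthBy xDSL accepts everything, as the poster's does; with both AuthBys in one Handler the SQL accounting clause never runs, while a separate accounting Handler ahead of it records the row. The request dict, the clause stand-ins and the two handler layouts are assumptions of the example.

```python
import re

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"


def handler_matches(criteria, request):
    """Handler match clause: every "Attr = value" must match; a value like
    Start|Stop is a regex alternative, as in the Handler line quoted above."""
    for attr, pattern in criteria.items():
        if not re.fullmatch(pattern, str(request.get(attr, ""))):
            return False
    return True


def run_authby_chain(authbys, request, policy="ContinueWhileIgnore"):
    """Run a Handler's AuthBy clauses in order. Two policies are modelled:
    ContinueWhileIgnore (the default) stops at the first clause whose result is
    not IGNORE; ContinueAlways runs every clause. Returns the names that ran
    and the last result."""
    if policy not in ("ContinueWhileIgnore", "ContinueAlways"):
        raise ValueError("policy not modelled: %s" % policy)
    ran, result = [], IGNORE
    for name, clause in authbys:
        result = clause(request)
        ran.append(name)
        if policy == "ContinueWhileIgnore" and result != IGNORE:
            break
    return ran, result


def dispatch(handlers, request):
    """Handlers are tried in order and the first match wins."""
    for criteria, authbys in handlers:
        if handler_matches(criteria, request):
            return run_authby_chain(authbys, request)
    return [], REJECT


def authby_xdsl(request):
    """Stand-in for the poster's AuthBy xDSL, which accepts whatever it is given."""
    return ACCEPT


def make_sql_accounting(rows):
    """Stand-in for AuthBy SQL with an empty AuthSelect: it only records
    accounting Start/Stop into `rows` and accepts."""
    def clause(request):
        if (request.get("Request-Type") == "Accounting-Request"
                and request.get("Acct-Status-Type") in ("Start", "Stop")):
            rows.append((request["User-Name"], request["Acct-Status-Type"]))
        return ACCEPT
    return clause


# Constructed accounting Stop request.
ACCT_STOP = {"Request-Type": "Accounting-Request", "Acct-Status-Type": "Stop",
             "User-Name": "rohan", "Acct-Session-Id": "0001"}


def combined_handler(rows):
    """Rohan's layout: one catch-all Handler with xDSL first, then SQLAccounting."""
    return [({}, [("xDSL", authby_xdsl), ("SQLAccounting", make_sql_accounting(rows))])]


def split_handlers(rows):
    """Michael's layout: a dedicated accounting Handler ahead of the auth Handler."""
    return [
        ({"Request-Type": "Accounting-Request", "Acct-Status-Type": "Start|Stop"},
         [("SQLAccounting", make_sql_accounting(rows))]),
        ({}, [("xDSL", authby_xdsl)]),
    ]


def rows_written(layout):
    """Accounting rows the SQL clause records for ACCT_STOP under a layout."""
    rows = []
    dispatch(layout(rows), ACCT_STOP)
    return rows


if __name__ == "__main__":
    print("one Handler, xDSL then SQLAccounting:", rows_written(combined_handler))
    print("separate accounting Handler         :", rows_written(split_handlers))
```

The same chain run with policy="ContinueAlways" does reach SQLAccounting, which is the other way out of the problem, but it also changes how every other request type flows through the Handler; the separate accounting Handler keeps the two concerns apart.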
Re: [RADIATOR] Change of Authorization
This was the hardest thing to get working and automated for me personally. I don't know if there is an easy way of doing it. I didn't find one. I accomplished it with a complicated process.

It could be as simple as a script to execute ./radpwtst -s IP -code Change-Filter-Request etc.

My complicated process goes something like the following, but I would suggest making sure the above simple method works for you as I do have a couple nas's where CoA just doesn't work with the IOS that it has.

- a script process that injects Change-Filter-Request packets into the radiator service, using radpwtst:
    push( @change_args, (
        '-s', 'local radiator ip',
        '-code', 'Change-Filter-Request',
        "Timestamp=$timestamp",
        "NAS-IP-Address=$nas_ip",
        "NAS-Port=$nas_port",
        "Acct-Session-Id=$sess_id",
        "Framed-IP-Address=$ip",
        "Class=$class",
        "cisco-Policy-Up=$rate_up",
        "cisco-Policy-Down=$rate_down"
    ) );

- a Handler with custom Hook configured to read the cisco-Policy rate values from the injected packet, and look up the proper policy command from a radiator global variable depending on the nas-ip-address since I have multiple nas's that require different commands. eg. global variable:
    DefineFormattedGlobalVar 1.2.3.4-RATE100M-up ip:sub-qos-policy-in=RATE100M
    DefineFormattedGlobalVar 1.2.3.4-RATE100M-down ip:sub-qos-policy-out=RATE100M

- add 2 cisco-avpair attributes to the packet with the up rate and down rate commands. These are the actual commands the NAS needs to change the rate limit. The policy must already be setup on your nas. ie:
    cisco-avpair=ip:sub-qos-policy-in=RATE100M
    cisco-avpair=ip:sub-qos-policy-out=RATE100M

- then a custom authby that required patching to determine what nas to forward the packet to, since i have multiple nas's. Also another authby that logs this request which is not required but i wanted to log it.

There's much more to it, but I don't want to get too deep here.
it all pretty much revolves around building the Change-Filter-Request packet with ./radpwtst -code Change-Filter-Request and either send that to the nas, or inject it into radiator so you can do other things with it.

Michael

On 15/10/12 12:47 PM, rohan.he...@cwjamaica.com wrote:

Hello all,

I do not see any info on the captioned in the Radiator documentation. Where do I go to see details on implementing COA?

Thanks.

Rohan
Re: [RADIATOR] Multi-Line Handler issues with 4.10
why i want to is besides the point. Because, I don't actually want to really. it's a matter of it already being done. It must be within the standard specs of the parser i guess, since it's always worked before and the docs probably said you could do it. But don't worry about it. i patched it myself. I will maintain this patch for myself and for future versions.

Thanks.

On 12-08-13 05:02 AM, alan buxey wrote:

Hi,

abused? the last version said multiple lines was fine. Hasn't been a problem until 4.10. It more has to do with the vast configuration that I have (452K so far) and i organize my config like this a lot and don't feel like rearranging it all right now.

my config is 708K - its when it reached 300k that I decided that I'd keep the format tight and within the standard specs of the parser. I can see what your patch does...but I still cannot see why you'd want to break the handler line up like that...should anyone take over your role I'm sure they wouldnt like to inherit that. (and every line you read in is an extra bit of work for the config parser to do)

alan
Re: [RADIATOR] Multi-Line Handler issues with 4.10
yep, correct. The multi-line config support was broken in 4.10 then partially fixed with the patch-set.

A couple points of interest for the fix though, that i have changed for myself. This is my own personal opinion and may not be agreed with anyone else:

Ignoring commented lines in config should probably include leading white space so people can indent their comments if they want.
- next if $line =~ /^#/;
+ next if $line =~ /^\s*#/;

Blank lines should be ignored, and should also include whitespace for blank lines that actually have spaces, or tabs on them because you can't see them. best to just ignore.
- next if $line eq '';
+ next if $line =~ /^\s*$/;

Also, the ($line eq '') will never equal a blank line because a blank line has a carriage return and line feed values on it that you don't actually see. a blank line has an 0x0A and 0x0D hex characters i think at the end of the line. So this line:
next if $line eq '';
wont work, but this line:
next if $line =~ m/^$/;
will.

The order of these i also changed. Ignore blank and commented lines i would think should be first before anything.

On 12-08-13 11:30 AM, alan buxey wrote:

Hi,

why i want to is besides the point. Because, I don't actually want to really. it's a matter of it already being done. It must be within the standard specs of the parser i guess, since it's always worked before and the docs probably said you could do it. But don't worry about it. i patched it myself. I will maintain this patch for myself and for future versions.

I seem to recall that there was a change which also broke multi-line configs (ie those with just the \ at the end...) which was then fixed as part of the patch-set. Obviously this also affected the way your configuration was also read in.

alan
Re: [RADIATOR] Multi-Line Handler issues with 4.10
abused? the last version said multiple lines was fine. Hasn't been a problem until 4.10. It more has to do with the vast configuration that I have (452K so far) and i organize my config like this a lot and don't feel like rearranging it all right now.

I patched the code myself. works fine now and i can use 4.10 without changing my current config. My request can be ignored.

Michael

On 12-08-11 09:05 AM, alan buxey wrote:

Hi,

i found some time to try the 4.10 upgrade with patches, but i have this Multi-Line config issue. Seems to be related to the fact that I have a blank line and comments in the middle of the multi line Handler.

Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Handler' in /etc/radiator/conf/handler.pre-defined line 3
Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Request-Type' in /etc/radiator/conf/handler.pre-defined line 6

<Handler \
    # failed auth attempts many times a day. used to reject a username.
    Request-Type = Access-Request, \
    User-Name = DISABLED>
    Identifier handler_null
    SessionDatabase NULL
    AuthBy AuthBy_REJECT
</Handler>

there comes a point when a configuration parser is being abused....why dont you simply have

# failed auth attempts many times a day. used to reject a username.
<Handler Request-Type = Access-Request, User-Name = DISABLED>
    Identifier handler_null
    SessionDatabase NULL
    AuthBy AuthBy_REJECT
</Handler>

??

this is how the docs say you write handlers - and its the way that any auto-export config generator tool could output the config (I generate my RADIATOR configuration from an SQL database). instead, you have devised a rather wierd local requirement - and then suggest some code changes to allow this to be read that could mess up peoples legitimate configurations.

alan
Re: [RADIATOR] Multi-Line Handler issues with 4.10
i found some time to try the 4.10 upgrade with patches, but i have this Multi-Line config issue. Seems to be related to the fact that I have a blank line and comments in the middle of the multi line Handler.

Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Handler' in /etc/radiator/conf/handler.pre-defined line 3
Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Request-Type' in /etc/radiator/conf/handler.pre-defined line 6

<Handler \
    # failed auth attempts many times a day. used to reject a username.
    Request-Type = Access-Request, \
    User-Name = DISABLED>
    Identifier handler_null
    SessionDatabase NULL
    AuthBy AuthBy_REJECT
</Handler>

On 12-07-06 05:57 AM, Heikki Vatiainen wrote:

On 07/03/2012 12:22 AM, Heikki Vatiainen wrote:

If you can wait a little with upgrading I will get back to this later this week.

Patches for 4.10 now restore the functionality while keeping the originally planned multiline change working. Please let us know if there are still problems.

Thanks,
Heikki
Re: [RADIATOR] Multi-Line Handler issues with 4.10
i had to make a couple changes for my config to parse properly. 1. move the ignore blank lines and lines beginning with a hash process before appending to the $line variable. 2. ignore blank lines including lines with whitespace (next if $_ =~ /^\s*$/;) --- /usr/src/radiator/4.10/Radiator-4.10+patches+vianet_custom/Radius/Configurable.pm 2012-08-09 10:59:18.0 -0400 +++ /etc/radiator/src/radiator-v4.10+patches+vianet_custom/share/perl/5.8.8/Radius/Configurable.pm 2012-08-10 12:23:11.0 -0400 
@@ -162,16 +162,17 @@ sub parse { # print parsing for $self: $_\n; # test + # Ignore blank lines and lines beginning with hash + next if $_ =~ /^\s*$/; + next if $_ =~ /^\s*#/; + $line .= $_; next if ($line =~ s/\\$//); # Line continuation + # Strip leading and trailing white space $line =~ s/^\s*//; $line =~ s/\s*$//; - # Ignore blank lines and lines beginning with hash - next if $line eq ''; - $line = '', next if $line =~ /^#/; - # Look for /Objectname to end the object definition last if ($line =~ /^\/([^]*)/); On 12-08-10 11:07 AM, Michael wrote: i found some time to try the 4.10 upgrade with patches, but i have this Multi-Line config issue. Seems to be related to the fact that I have a blank line and comments in the middle of the multi line Handler. Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Handler' in /etc/radiator/conf/handler.pre-defined line 3 Fri Aug 10 10:51:18 2012: ERR: Unknown keyword 'Request-Type' in /etc/radiator/conf/handler.pre-defined line 6 Handler \ # failed auth attempts many times a day. used to reject a username. Request-Type = Access-Request, \ User-Name = DISABLED Identifier handler_null SessionDatabase NULL AuthBy AuthBy_REJECT /Handler On 12-07-06 05:57 AM, Heikki Vatiainen wrote: On 07/03/2012 12:22 AM, Heikki Vatiainen wrote: If you can wait a little with upgrading I will get back to this later this week. Patches for 4.10 now restore the functionality while keeping the originally planned multiline change working. Please let us know if there are still problems. Thanks, Heikki ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
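Review bot: the two moved checks test the physical line `$_` rather than the accumulated `$line`, so a continuation line whose own content begins with `#` (a value continued with a trailing backslash that legitimately starts with a hash) is now dropped silently instead of being appended, where before the hunk only a statement that started with `#` was treated as a comment. Either document that as the intended behaviour change or restrict the comment test to the start of a statement, for example `next if $line eq '' && $_ =~ /^\s*#/;`, keeping `next if $_ =~ /^\s*$/;` as it is. A short comment above the moved block saying the tests run per physical line so blanks and comments may appear inside a continued statement would also spare the next reader from working out why they sit before `$line .= $_`.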
Re: [RADIATOR] Multi-Line Handler issues with 4.10
I also have really complex config files and Handlers and putting things on multiple lines does help to keep things neat. Hopefully this can be fixed, although i guess it's not a pressing issue to upgrade so no need to rush.

On 12-07-02 05:22 PM, Heikki Vatiainen wrote:

On 07/02/2012 09:47 PM, Aaron Holtz wrote:

Hello - I've noticed with 4.10 that you can no longer have multi-line Handler statements.

Thanks for reporting this. There were changes between 4.9 and 4.10 related to parsing hooks and I think this may be what caused the problem you are seeing.

Under 4.9 something like this loads properly:
<Handler Called-Station-Id=/(7103925369|7105941010|\
563974|4445690321|3335774198)/, CHAP-Password=/[\w]+/>

Under 4.10 I'm getting:
Sun Jul 1 13:27:43 2012: ERR: Unknown keyword 'Handler' in /etc/raddb/test.cfg line 6

Yes, I can reproduce this too.

Is this a bug? We have a fairly complex config file with several multi-line handlers and upgrading to 4.10 isn't going to be possible without having some seriously long Handler statements.

If you can wait a little with upgrading I will get back to this later this week.

Thanks,
Heikki
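The parsing rules argued over in this thread (trailing-backslash continuation, comments with leading whitespace, whitespace-only blank lines, CR/LF line endings, and the order in which those tests run), as an added Python example that is not part of the thread or of Radiator's Configurable.pm: a small parser for the <Object ...> / </Object> config format that drops blank and comment lines per physical line, before continuations are joined, so a comment or blank line inside a continued <Handler ...> line is tolerated. The sample config and the tree layout the parser returns are assumptions of the example.

```python
import re

OPEN_RE = re.compile(r"^<(\w+)\s*(.*?)>$")
CLOSE_RE = re.compile(r"^</(\w+)>$")


def logical_lines(text):
    """Yield logical lines from Radiator-style config text.

    A trailing backslash continues the statement on the next physical line.
    Blank lines (including whitespace-only ones) and lines whose first
    non-blank character is '#' are dropped BEFORE they are appended to the
    continuation buffer; tested after joining, a comment or blank line inside
    a continued <Handler ...> would either break the join or be swallowed
    into the Handler text. splitlines() also takes care of CR/LF endings."""
    buf = ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        if stripped.endswith("\\"):
            buf += stripped[:-1].rstrip() + " "   # join pieces with one space
            continue
        buf += stripped
        yield buf
        buf = ""
    if buf.strip():                               # dangling continuation
        yield buf.rstrip()


def parse_config(text):
    """Build a tree of <Object args> ... </Object> blocks and "Keyword value"
    parameters. Unbalanced or mismatched closing tags raise ValueError."""
    root = {"type": "ROOT", "args": "", "params": [], "children": []}
    stack = [root]
    for line in logical_lines(text):
        m = OPEN_RE.match(line)
        if m:
            obj = {"type": m.group(1), "args": m.group(2).strip(),
                   "params": [], "children": []}
            stack[-1]["children"].append(obj)
            stack.append(obj)
            continue
        m = CLOSE_RE.match(line)
        if m:
            if len(stack) == 1 or stack[-1]["type"] != m.group(1):
                raise ValueError("unexpected </%s>" % m.group(1))
            stack.pop()
            continue
        parts = line.split(None, 1)
        stack[-1]["params"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    if len(stack) != 1:
        raise ValueError("unterminated <%s>" % stack[-1]["type"])
    return root


# Constructed input: the Handler from the thread, with CR/LF line endings, a
# comment and a blank line inside the continued Handler line, and a
# whitespace-only line in the body.
SAMPLE_CONFIG = (
    "<Handler \\\r\n"
    "\t# failed auth attempts many times a day. used to reject a username.\r\n"
    "\r\n"
    "\tRequest-Type = Access-Request, \\\r\n"
    "\tUser-Name = DISABLED>\r\n"
    "\tIdentifier handler_null\r\n"
    "\tSessionDatabase NULL\r\n"
    "   \r\n"
    "\tAuthBy AuthBy_REJECT\r\n"
    "</Handler>\r\n"
)


if __name__ == "__main__":
    for handler in parse_config(SAMPLE_CONFIG)["children"]:
        print("<%s %s>" % (handler["type"], handler["args"]), handler["params"])
```

The cost of testing per physical line is the one a reviewer would flag on the patch in this thread: a continuation line whose own content starts with a hash is treated as a comment. If that matters for your values, apply the comment test only when the buffer is empty.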
Re: [RADIATOR] AuthBy SQL - multiple rows/attributes
you could use GENERIC like how Heikki suggested but still have separate rows in your sql and use SQL to join all the results, and apply the attribute names. For MySQL, group_concat:

mysql> select * from temp;
+----+------------+-------------+
| id | Server     | Password    |
+----+------------+-------------+
|  5 | 172.16.1.1 | tunnelpass1 |
|  6 | 172.16.1.2 | tunnelpass2 |
|  7 | 172.16.1.3 | tunnelpass3 |
+----+------------+-------------+
3 rows in set (0.00 sec)

mysql> select GROUP_CONCAT(CONCAT('Tunnel-Server-Endpoint=', Server) ORDER BY id) AS Servers,
              GROUP_CONCAT(CONCAT('Tunnel-Password=', Password) ORDER BY id) AS Passwords
       from temp;
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
| Servers                                                                                               | Passwords                                                                           |
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
| Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2,Tunnel-Server-Endpoint=172.16.1.3 | Tunnel-Password=tunnelpass1,Tunnel-Password=tunnelpass2,Tunnel-Password=tunnelpass3 |
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

Michael

On 12-06-26 07:33 AM, Heikki Vatiainen wrote:

On 06/26/2012 12:28 PM, Jim Tyrrell wrote:

At the moment I just have a single very simple table that I am testing with, 2 columns 'Endpoint' 'Password' with 2 rows in the table for 2 different Tunnel endpoints.

How about changing the config to use GENERIC:
AuthColumnDef 0,GENERIC,reply
AuthColumnDef 1,GENERIC,reply

The DB would then have Endpoint and Password columns with values like these:
Endpoint column for row n: Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2
Password column for row n: Tunnel-Password=tunnelpass1,Tunnel-Password=tunnelpass2

With GENERIC you could actually put all reply attributes into the same column but that would likely make maintaining the values harder. With Hugh's solution you could get rid of repeating the attribute names and storing just the values.
Heikki

I could have multiple columns for the multiple tunnels, but then if I wanted to add or remove tunnels I would need to update the Radiator query each time to add/remove the extra AuthAttrDefs, but I'd like the flexibility to just add/remove entries to the SQL table without having to change the Radiator config.

ie - if I have one tunnel in the table then the handler needs to return:
Code: Access-Accept
Tunnel-Server-Endpoint = 172.16.1.1
Tunnel-Password = tunnelpass

And if an extra entry is added to the table then return the following format:
Code: Access-Accept
Tunnel-Server-Endpoint = 172.16.1.1
Tunnel-Password = tunnelpass
Tunnel-Server-Endpoint = 172.16.1.2
Tunnel-Password = tunnelpass2

If I was able to use LDAP I could just have an object such as:
uid=TunnelEndPoints
tunnelip=172.16.0.1
tunnelip=172.16.0.2
tunnelpass=blah1
tunnelpass=blah2

And then use an AuthBy LDAP including the following:
AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
AuthAttrDef tunnelpass,Tunnel-Password,reply

Is there not an equivalent of this for MySQL authentication? How do people store multiple attributes such as Framed-Route in MySQL and then return multiple instances of this when they exist? (The examples above would actually be returned as tagged attributes but I can worry about that later).

Thanks.

Jim.

On 25/06/2012 18:05, Michael wrote:

I seem to remember reading somewhere in the Radiator manual that it will only process the first sql row received therefore I don't think it will process multiple row results. I can't seem to find in the manual where i read that though.

On the other hand, you could have all reply values on the same row in the table, or create an sql statement that returns them all on one row.

What is your sql table structure? multiple tables?

mike

On 12-06-25 08:52 AM, Jim Tyrrell wrote:

Hi,

Is it possible for AuthBy SQL to return multiple attributes if the query returns multiple rows?
I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC with the following simplified config:
<AuthBy SQL>
    DBSource dbi:mysql:databasename:192.168.10.3
Re: [RADIATOR] AuthBy SQL - multiple rows/attributes
I seem to remember reading somewhere in the Radiator manual that it will only process the first sql row received therefore I don't think it will process multiple row results. I can't seem to find in the manual where i read that though.

On the other hand, you could have all reply values on the same row in the table, or create an sql statement that returns them all on one row.

What is your sql table structure? multiple tables?

mike

On 12-06-25 08:52 AM, Jim Tyrrell wrote:

Hi,

Is it possible for AuthBy SQL to return multiple attributes if the query returns multiple rows?

I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC with the following simplified config:
<AuthBy SQL>
    DBSource dbi:mysql:databasename:192.168.10.3
    DBUsername DBuser
    DBAuth DBPass
    AuthSelect SELECT Endpoint, Password FROM endpoints
    AuthColumnDef 0,Tunnel-Server-Endpoint,reply
    AuthColumnDef 1,Tunnel-Password,reply
</AuthBy>

This works fine at the moment as I only have 1 row in the table which represents 1 endpoint. But I now want to return multiple endpoints so the Access-Accept would be something along the lines of:
Code: Access-Accept
Attributes:
Tunnel-Server-Endpoint = 172.16.1.1
Tunnel-Password = tunnelpass
Tunnel-Server-Endpoint = 172.16.1.2
Tunnel-Password = tunnelpass2

I had hoped to just add a 2nd row to the table, but the handler just returns the values from the 1st row of the result. I'd like to be able to return additional attributes for each row returned so I can easily add/remove more endpoints to the table as and when I need to.

Thanks.

Jim.
[RADIATOR] Opera PMS integration
Hi all, wondering if anyone has any experience with PMS integration over TCP/IP? From the documentation included it sounds fairly straightforward, but wondering if anyone has hit any stumbling blocks during their implementations? MICROS are convinced that they've never worked with Radiator before, and so this is a pilot project (presumably with commensurate costs) which came as a bit of a surprise; I had thought Radiator was certified to work with Opera already. Thanks in advance for any advice/warnings/anecdotes!

--
Michael Newton
Manager, Information Systems
Point of Presence Technologies
[RADIATOR] Password Variable not passed
I am not able to determine when using the %P variable, it does not pass the user password into the LDAP authentication. We are attempting to terminate the PEAP/EAP on our wireless controllers (Aruba) and pass the username and password to Radiator for authentication as this only requires a single common certificate to be presented to the clients, unless Radiator does not have an issue reusing certs on different servers? When I set the password in the config file statically, I receive an access-accept reply, however, when I attempt to use the %P parameter, the password is never included in the authentication. Suggestions would be appreciated. I have stripped the config down for testing purposes.

#Tubuluar.vm.its.uwo.ca
#
# eap_multi.cfg
#
# This config supports EAP-TTLS and EAP-PEAP proxied from an external Radius server
#
Foreground 1
#LogStdout 1
LogDir c:/program files/radiator
DbDir c:/program files/radiator
AuthPort 1645,1812
AcctPort 1646,1813

# User a lower trace level in production systems:
#Trace 3
Trace 7

# IMPORTANT = convert user name to lower case to ensure match on uwo.ca realm in handler match criteria
UsernameCharset a-zA-Z0-9\._@-
RewriteUsername tr/A-Z/a-z/

# UwoLDAP is used to authenticate the inner TTLS credentials and outer PEAP credentials against LDAP
# Note requires TTLS and PEAP support
# Both userid and password are checking for inner TTLS requests
# Only the userid is checked for for outer PEAP requests
<AuthBy LDAP2>
    Log errorLogger
    Identifier UwoLDAP-LB
    EAPType MSCHAP-V2
    NoDefault
    # Tell Radiator how to talk to the LDAP server
    Host auth.uwo.ca
    AuthDN uid=%U,ou=people,o=uwo.ca,dc=its
    AuthPassword %P
    # Add role from LDAP to the request via the AuthAttrDef
    AuthAttrDef description,Role,request
    AuthAttrDef loginShell,Shell,request
    AuthAttrDef uwoid,Uid,request
    BaseDN o=uwo.ca,dc=its
    UsernameAttr uid
    PasswordAttr
    AddToReply Reply-Message=STF
    Timeout 10
</AuthBy>

# Handlers are processed sequentially - and first match applies
<Handler Request-Type = Accounting-Request>
    Log errorLogger
    AuthBy AccountingResponse
    PostAuthHook file:%D/accounting.hook
</Handler>

#
# Test Handler
# Handles both authentication checks and logging as mac is available.
#
<Handler>
    AuthBy UwoLDAP
</Handler>

Thanks
MH

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca