Re: [RADIATOR] [RFC] configurable hooks

2013-02-07 Thread Mike McCauley
Hello,

On Thursday, February 07, 2013 04:29:56 PM Alexander Hartmaier wrote:
> On 2013-02-07 16:13, Heikki Vatiainen wrote:
> > On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
> >> I've looked into it today and have some questions:
> >> - is it safe to assume that the list or arguments passed to the
> >> ChallengeHook in my case is always ($self, $user, $p, $context)?
> >> If one arg is missing my added arguments would shift and populate the
> >> wrong variables. I was thinking about passing them by name in a hashref
> >> as first instead of last argument instead.
> > 
> > Passing your arguments first would certainly work and would guard
> > against the problems that might come if arguments were added or removed
> > from ChallengeHook.
> > 
> > I'd say it's a good idea to put your own arguments first.
> 
> Will do that, thanks!
> 
> >> - is it safe to die in hook code or will that tear down the Radiator
> >> process? I'm asking because that's the preferred way of doing argument
> >> validation, e.g.
> >> die 'id missing'
> >> 
> >> unless defined $id;
> > 
> > It should be safe since hooks are run within eval block and if there are
> > errors, they are caught and ERR with 'Error in $hookname...' is logged.
> 
> Is that documented somewhere? Couldn't find it the docs.

The documentation of hook processing has been enlarged to cover this and other 
topics in the Reference manual for the next release.

Thanks.

Cheers.

> 
> >> Another note, I've used %D instead of the hardcoded path which works
> >> just as well:
> >> 
> >> StartupHook sub { require "%D/MyHooks.pm"; }
> > 
> > Based on your other messages, there were issues with this which were
> > then solved. Is everything working for you now?
> > 
> > Thanks,
> > Heikki
> 
> %D doesn't work, but my problem arose when I changed the StartupHook
> from a single line to multiple lines without terminating them with \.
> Works now but it would be great if Radiator logged such an error.
> 
> Cheers, Alex
-- 
Mike McCauley   mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
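The two points settled above (pass your own hook arguments by name in a hashref placed first, and rely on the eval around each hook to turn a die into a logged "Error in ...") are illustrated by the following added example. It is Python, not Radiator's Perl, and not code from the thread: HookRunner, challenge_hook, bind_hook and the hook names are hypothetical stand-ins that mirror the described behaviour, so the shift that happens when a positional argument is added can be seen directly.

```python
import logging

log = logging.getLogger("hooks")


class HookRunner:
    """Hypothetical dispatcher mirroring what the thread says about Radiator hooks:
    each hook runs inside an error boundary (the eval block), so an exception
    raised for argument validation is logged as 'Error in <hookname>' and the
    server keeps running."""

    def __init__(self):
        self.hooks = {}
        self.errors = []  # logged messages, kept so callers can inspect them

    def register(self, hookname, fn):
        self.hooks.setdefault(hookname, []).append(fn)

    def run(self, hookname, *server_args):
        results = []
        for fn in self.hooks.get(hookname, []):
            try:
                results.append(fn(*server_args))
            except Exception as exc:  # equivalent of 'die' being caught by the eval
                msg = f"Error in {hookname}: {exc}"
                self.errors.append(msg)
                log.error(msg)
        return results


def challenge_hook(my_args, *server_args):
    """Hook body with its own arguments passed by name, in a dict, FIRST.
    Whatever the server appends afterwards may grow without shifting them."""
    if "id" not in my_args:
        raise ValueError("id missing")  # validate by raising, as 'die' would
    user = server_args[1]  # ($self, $user, $p, $context, ...) -> $user
    return user, my_args["id"]


def challenge_hook_args_last(*args):
    """Counter-example: own arguments appended LAST and read by position.
    If the server adds an argument, slot 4 is no longer the dict."""
    user, my_args = args[1], args[4]
    return user, my_args["id"]


def bind_hook(fn, my_args):
    # Like 'ChallengeHook sub { MyHooks::challenge({id => 42}, @_) }' in the config
    return lambda *server_args: fn(my_args, *server_args)


def demo():
    runner = HookRunner()
    runner.register("ChallengeHook", bind_hook(challenge_hook, {"id": 42}))
    runner.register("ChallengeHook", lambda *a: challenge_hook_args_last(*a, {"id": 7}))
    runner.register("ChallengeHook", bind_hook(challenge_hook, {}))  # forgot 'id'
    # Today's argument list ($self, $user, $p, $context) ...
    today = runner.run("ChallengeHook", object(), "alice", "packet", "ctx")
    # ... and the same hooks after a hypothetical fifth server argument is added.
    later = runner.run("ChallengeHook", object(), "alice", "packet", "ctx", "extra")
    return today, later, list(runner.errors)


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The hook that takes its dict first keeps returning the right id in both runs; the positional one breaks as soon as the server's argument list grows, and the missing-id hook fails in both runs, but in every case the failure ends up as a logged error rather than a dead process.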


Re: [RADIATOR] F5 BigIP vendor specific attributes

2013-01-09 Thread Mike McCauley
Hello Alexander,


Thanks added to the latest patch set.
Question though:
It appears like the values for F5-LTM-User-Role are a bit like HEX bitmasks, 
but they are presented here as decimal. Any idea which is correct?


On Wednesday, January 09, 2013 05:08:51 PM Alexander Hartmaier wrote:
> Hi guys,
> please add those to the dictionary (taken from
> http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):
> 
> #
> # F5 BigIP
> #
> VENDOR      F5     3375
> VENDORATTR  3375   F5-LTM-User-Role             1   integer
> VENDORATTR  3375   F5-LTM-User-Role-Universal   2   integer   # enable/disable
> VENDORATTR  3375   F5-LTM-User-Partition        3   string
> VENDORATTR  3375   F5-LTM-User-Console          4   integer   # enable/disable
> VENDORATTR  3375   F5-LTM-User-Shell            5   string    # supported values are disable, tmsh, and bpsh
> VENDORATTR  3375   F5-LTM-User-Context-1       10   integer
> VENDORATTR  3375   F5-LTM-User-Context-2       11   integer
> VENDORATTR  3375   F5-LTM-User-Info-1          12   string
> VENDORATTR  3375   F5-LTM-User-Info-2          13   string
> 
> VALUE   F5-LTM-User-Role   Administrator    0
> VALUE   F5-LTM-User-Role   Resource-Admin  20
> VALUE   F5-LTM-User-Role   User-Manager    40
> VALUE   F5-LTM-User-Role   Auditor         80
> VALUE   F5-LTM-User-Role   Manager        100
> VALUE   F5-LTM-User-Role   App-Editor     300
> VALUE   F5-LTM-User-Role   Operator       400
> VALUE   F5-LTM-User-Role   Guest          700
> VALUE   F5-LTM-User-Role   Policy-Editor  800
> VALUE   F5-LTM-User-Role   No-Access      900
> 
> VALUE   F5-LTM-User-Role-Universal   Disabled   0
> VALUE   F5-LTM-User-Role-Universal   Enabled    1
> 
> VALUE   F5-LTM-User-Console   Disabled   0
> VALUE   F5-LTM-User-Console   Enabled    1
> 
> --
> Best regards, Alexander Hartmaier
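An added example, in Python and not from Radiator or the thread, showing what a VENDOR/VENDORATTR/VALUE dictionary like the one above is used for: the lines are parsed into lookup tables, and a RADIUS Vendor-Specific attribute (type 26, vendor id 3375) is encoded from, and decoded back to, symbolic names. The decoder checks every length against the buffer before slicing, which is the part a RADIUS server must get right on untrusted packets. Only a subset of the posted dictionary is embedded, the VALUE numbers are read as decimal exactly as written (the hex-versus-decimal question raised above is left open here), and the Dictionary, parse_dictionary, encode_vsa and decode_vsa names are this example's own.

```python
import struct

VENDOR_SPECIFIC = 26  # RADIUS attribute type that carries VSAs (RFC 2865)

# Subset of the F5 dictionary posted in the thread, reflowed. VALUE numbers are
# read as decimal, exactly as written; whether they should be hex is not settled here.
F5_DICTIONARY = """
VENDOR      F5      3375
VENDORATTR  3375    F5-LTM-User-Role             1   integer
VENDORATTR  3375    F5-LTM-User-Role-Universal   2   integer   # enable/disable
VENDORATTR  3375    F5-LTM-User-Partition        3   string
VENDORATTR  3375    F5-LTM-User-Console          4   integer   # enable/disable
VENDORATTR  3375    F5-LTM-User-Shell            5   string    # disable, tmsh, bpsh
VALUE   F5-LTM-User-Role   Administrator    0
VALUE   F5-LTM-User-Role   Guest          700
VALUE   F5-LTM-User-Role   No-Access      900
VALUE   F5-LTM-User-Console   Disabled   0
VALUE   F5-LTM-User-Console   Enabled    1
"""


class Dictionary:
    """Lookup tables built from VENDOR / VENDORATTR / VALUE lines."""

    def __init__(self):
        self.vendors = {}        # vendor name -> vendor id
        self.attr_by_name = {}   # attr name -> (vendor id, number, type)
        self.attr_by_id = {}     # (vendor id, number) -> (attr name, type)
        self.value_by_name = {}  # (attr name, value name) -> integer
        self.name_by_value = {}  # (attr name, integer) -> value name


def parse_dictionary(text):
    d = Dictionary()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()  # strip trailing comments
        if not fields:
            continue
        if fields[0] == "VENDOR":
            d.vendors[fields[1]] = int(fields[2])
        elif fields[0] == "VENDORATTR":
            vid, name, num, typ = int(fields[1]), fields[2], int(fields[3]), fields[4]
            d.attr_by_name[name] = (vid, num, typ)
            d.attr_by_id[(vid, num)] = (name, typ)
        elif fields[0] == "VALUE":
            attr, vname, num = fields[1], fields[2], int(fields[3])
            d.value_by_name[(attr, vname)] = num
            d.name_by_value[(attr, num)] = vname
    return d


def encode_vsa(d, name, value):
    """Build one Vendor-Specific attribute (type 26) carrying a single sub-attribute."""
    vid, num, typ = d.attr_by_name[name]
    if typ == "integer":
        if isinstance(value, str):
            value = d.value_by_name[(name, value)]  # symbolic name -> number
        data = struct.pack(">I", value)
    elif typ == "string":
        data = value.encode("utf-8")
    else:
        raise ValueError(f"unsupported attribute type {typ}")
    sub = bytes([num, 2 + len(data)]) + data
    if len(sub) + 6 > 255:
        raise ValueError("value too long for a single attribute")
    return bytes([VENDOR_SPECIFIC, 6 + len(sub)]) + struct.pack(">I", vid) + sub


def decode_vsa(d, attr):
    """Decode a Vendor-Specific attribute into (name, value) pairs.
    Every length is checked against the buffer before it is used, so a
    truncated or malformed attribute raises instead of reading past the end."""
    if len(attr) < 8 or attr[0] != VENDOR_SPECIFIC or attr[1] != len(attr):
        raise ValueError("not a well-formed Vendor-Specific attribute")
    vid = struct.unpack(">I", attr[2:6])[0]
    out, off = [], 6
    while off < len(attr):
        if off + 2 > len(attr):
            raise ValueError("truncated sub-attribute header")
        vtype, vlen = attr[off], attr[off + 1]
        if vlen < 2 or off + vlen > len(attr):
            raise ValueError("bad sub-attribute length")
        data = attr[off + 2:off + vlen]
        name, typ = d.attr_by_id.get((vid, vtype), (f"Vendor-{vid}-Attr-{vtype}", "octets"))
        if typ == "integer" and len(data) == 4:
            n = struct.unpack(">I", data)[0]
            value = d.name_by_value.get((name, n), n)  # fall back to the raw number
        elif typ == "string":
            value = data.decode("utf-8", "replace")
        else:
            value = data.hex()
        out.append((name, value))
        off += vlen
    return out
```

A single type-26 attribute may carry several sub-attributes back to back; the decoder walks them in order and returns an unknown vendor type as a hex string rather than dropping it, so a log line can still show what arrived.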


[RADIATOR] Radiator Version 4.11 released

2012-12-13 Thread Mike McCauley
ok.  Enhancements to
support Diameter client and server required for new Diameter Wx
support in Radius-EAP-SIM.

Fixed a problem that caused incorrect RecvTime in tunnelled PEAP
requests.

Implemented checkproc for SuSE in
linux-radiator.init. Contributed by "Aeneas Jaißle (sewikom
GmbH)"

Added support for PostDiaToRadiusConversionHook and
PostRadiusToDiaConversionHook to Server DIAMETER.

Refactoring of md5 and mschapv2 challenge code prior to
integrating Heimdal digest support.

Added new module AuthBy HEIMDALDIGEST with example configuration
and test setup instructions. Authenticates from Heimdal
Kerberos (http://www.h5l.org/). Supports RADIUS-PAP, EAP-MD5,
EAP-MSCHAPV2 (and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5,
PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2). With the kind assistance
of Fredrik Pettai. Originally written by Klas
Lindfors. Contributed by Stefan Wold of Stockholm University.

Fixed a problem where file:"filename" syntax in configuration
file could cause strange error messages in hooks if the filename
was not found.

Fixed a problem where PidFile could be incorrectly deleted if any
child was killed in a farm. Now it is only deleted if the farm
parent is shut down.

Fixed a problem in server farms where if a child process was
STOPped or hung, the graceful shutdown process could also hang,
resulting in possible failure to restart all children correctly.

Improvement to Linux startup script to better handle the case
where Radiator fails to exit cleanly after stop command.

Improvements to SNMP.pm snmpget, so that failures due to Unknown
Object Identifier are detected. Suggested by Michael.



[RADIATOR] Heimdal Kerberos support added

2012-11-07 Thread Mike McCauley
OSC is pleased to announce that Radiator RADIUS Server now has native support 
for authentication with Heimdal Kerberos (http://www.h5l.org/)


Heimdal Kerberos is an implementation of Kerberos 5 largely written in Sweden. 
It is freely available under a three clause BSD style license. 

Kerberos 5 (RFC 4120) is a highly secure system for authenticating and 
controlling access to computer resources.

The new Radiator AuthBy HEIMDALDIGEST module works with Heimdal Kerberos to 
authenticate users against a Heimdal Kerberos Key Distribution Centre (KDC).

The advantage of using the AuthBy HEIMDALDIGEST module is that (unlike other 
Kerberos based RADIUS authentication systems), a wide range of authentication 
protocols can be supported, including:

RADIUS-PAP, EAP-MD5, EAP-MSCHAPV2 
(and therefore TTLS-PAP, TTLS-EAP-MD5, PEAP-EAP-MD5, 
PEAP-EAP-MSCHAPV2, TTLS-EAP-MSCHAPV2).

allowing more flexible integration of modern, widely used authentication 
protocols with a secure authentication back end.



Re: [RADIATOR] Dictionary Addition

2012-10-03 Thread Mike McCauley
Hi,

Thanks. Added to the latest patch set.
Cheers.

On Thursday, October 04, 2012 10:56:11 AM Lucas Hazel wrote:
> Here's another one for you :)
> 
> # Procera
> VENDOR Procera 12913
> VENDORATTR 12913 Procera-Local-User-Name 1 string
> 
> On 28/09/12 07:18, Mike McCauley wrote:
> 
> Hi,
> 
> Added to dictionary.
> Thanks.
> Cheers.
> 
> On Thursday, September 27, 2012 01:30:48 PM Caporossi, Steve G. wrote:
> > We have a system that required these being added to the radius
> > dictionary. Thought I'd pass it along in case anyone else needed them.
> > 
> > #
> > # Opnet
> > #
> > VENDOR  Network-Physics 7119
> > VENDORATTR  7119   NetworkPhysics-Attribute   33   string
> > 
> > Thanks,
> > Steve
> 


Re: [RADIATOR] Dictionary Addition

2012-09-27 Thread Mike McCauley
Hi,

Added to dictionary.
Thanks.
Cheers.

On Thursday, September 27, 2012 01:30:48 PM Caporossi, Steve G. wrote:
> We have a system that required these being added to the radius dictionary.
> Thought I'd pass it along in case anyone else needed them.
> 
> #
> # Opnet
> #
> VENDOR  Network-Physics 7119
> VENDORATTR  7119   NetworkPhysics-Attribute   33   string
> 
> Thanks,
> Steve


Re: [RADIATOR] Vasco token support

2012-08-23 Thread Mike McCauley
Hi Heikki,

On Thursday, August 23, 2012 09:35:06 PM Heikki Vatiainen wrote:
> On 08/23/2012 08:40 PM, Roy Badami wrote:
> > Our supplier has confirmed that Digipass authentication (time-based) is
> > the default mode.
> 
> Ok, sounds like it has not changed lately.
> 
> > However they were not aware of RADIATOR and seemed to
> > be concerned that this was 'not supported by Vasco'. Should I be
> > concerned?  I've used GO-1 tokens with RADIATOR before, but I just don't
> > want to risk ending up with a large batch of new tokens and then finding
> > they don't work with RADIATOR.   Is RADIATOR no longer Vasco-certified?
> 
> Hmm, everything should be just fine with Vasco and Radiator. I'll check
> the latest status and get back to you soon.

Nothing has changed with Radiator certification with Vasco as far as we know.
Radiator is Vasco certified.

Cheers.

> 
> Thanks,
> Heikki


Re: [RADIATOR] Minor AuthBy SQLTOTP bug

2012-08-23 Thread Mike McCauley
Hi Roy,

thanks for reporting this.
It is fixed in the latest patch set.
We apologise for any inconvenience.

Cheers.

On Wednesday, August 22, 2012 05:34:13 PM Roy Badami wrote:
> Also potentially a (very minor) code bug in AuthSQLTOTP.pm
> 
> checkTOTP() doesn't correctly handle the case where $last_timestep is
> undefined (due to a NULL in the database) if the PIN check fails.  The
> code does contains the line:
> 
> $last_timestep += 0; # In case database has NULL
> 
> but this line is skipped if the PIN is incorrect, leading to incorrect
> SQL (at least in the case of postgres, which is my platform of choice)
> 
> Assuming the initial value of last_timestep is NULL (which is permitted
> by the sample schema in totp.sql) then you get an SQL error if the first
> ever log-in attempt involves typing an incorrect PIN:
> 
> Wed Aug 22 17:22:03 2012: DEBUG: Query to 'dbi:Pg:dbname=radiator':
> 'SELECT secret, active, pin, digits, bad_logins, EXTRACT(EPOCH FROM
> accessed), last_timestep FROM totpkeys WHERE username='roy-test'':
> Wed Aug 22 17:22:03 2012: DEBUG: do query to 'dbi:Pg:dbname=radiator':
> 'update totpkeys set accessed=now(), bad_logins=1, last_timestep= where
> username='roy-test'':
> Wed Aug 22 17:22:03 2012: ERR: do failed for 'update totpkeys set
> accessed=now(), bad_logins=1, last_timestep= where username='roy-test'':
> ERROR:  syntax error at or near "where"
> LINE 1: ... set accessed=now(), bad_logins=1, last_timestep= where user...
>                                                              ^
> 
> Regards
> 
> roy


Re: [RADIATOR] AuthBy SQLTOTP doc bugs

2012-08-23 Thread Mike McCauley
Hi Roy,


On Wednesday, August 22, 2012 04:26:34 PM Roy Badami wrote:
> While playing with the AuthBy SQLTOTP module, I came across a couple of
> errors in the documentation of the AuthSelect parameter (section 5.82.2
> of the reference manual).
> 
> * The description and default query are missing field 6
> (last_timestep).  This is particularly unfortunate, because if you use
> the query from the documentation,  or a similar query based on it that
> omits field 6, then you lose replay protection.  (The actual default
> query in AuthSQLTOTP.pm is correct, however.)

Fixed for the next release.

> 
> * The documentation describes field 0 as the HEX encoded AES secret.  In
> fact, TOTP does not use AES, it uses HMAC-SHA1.

Fixed for the next release.

> 
> The SQLHOTP doc contains the same error re AES - I haven't verified the
> query in the doc as I've not played with that module.

Fixed for the next release.
Also updated examples in goodies in the latest patch set

Thanks for reporting these.

Cheers.

> 
> Regards
> 
> roy
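The two SQLTOTP reports above (the NULL last_timestep that produced "last_timestep= " on the failed-PIN path, and the documentation that omitted field 6 and called the secret an AES key) are illustrated by this added example. It is Python written for this page, not AuthSQLTOTP.pm or any other Radiator code: hotp, check_totp, update_statement and the SAMPLE_ROW dict are this example's own names, the row mirrors the columns of the AuthSelect query quoted in the bug report, and the secret is the RFC 4226/6238 reference key. It shows a TOTP check where the NULL is coerced before any branch, where the last accepted timestep is what gives replay protection, and where the code is HMAC-SHA1 throughout.

```python
import hashlib
import hmac
import struct


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP over HMAC-SHA1, the MAC TOTP uses; there is no AES involved."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def check_totp(row, pin, code, now, step=30, window=1):
    """Validate PIN + code against one totpkeys row.

    Returns (accepted, update), where update holds the column values for the
    UPDATE that follows. last_timestep is coerced from NULL to 0 BEFORE the
    PIN check, so the failed-PIN path can never emit 'last_timestep= ', and a
    code is only accepted for a timestep strictly after last_timestep (the
    replay protection that field 6 of the AuthSelect query provides).
    """
    last_timestep = row["last_timestep"] or 0  # NULL in the database -> 0
    bad_logins = row["bad_logins"] or 0
    reject = (False, {"bad_logins": bad_logins + 1, "last_timestep": last_timestep})
    if not row["active"]:
        return reject
    if not hmac.compare_digest(str(row["pin"]).encode(), str(pin).encode()):
        return reject
    secret = bytes.fromhex(row["secret"])  # field 0: HEX-encoded HMAC-SHA1 secret
    current = now // step
    for t in range(current - window, current + window + 1):
        if t <= last_timestep:
            continue  # that timestep (or an older one) was already used: refuse replay
        if hmac.compare_digest(hotp(secret, t, row["digits"]).encode(), str(code).encode()):
            return True, {"bad_logins": 0, "last_timestep": t}
    return reject


def update_statement(username, update):
    """Parameterised UPDATE: a placeholder never turns None into an empty literal."""
    sql = ("UPDATE totpkeys SET accessed=now(), bad_logins=%s, last_timestep=%s "
           "WHERE username=%s")
    return sql, (update["bad_logins"], update["last_timestep"], username)


# Constructed sample row: a user freshly inserted with the totp.sql schema, so
# bad_logins, accessed and last_timestep are still NULL. The secret is the RFC
# 6238 reference key "12345678901234567890", stored hex-encoded as field 0.
SAMPLE_ROW = {
    "secret": b"12345678901234567890".hex(),
    "active": 1,
    "pin": "1234",
    "digits": 6,
    "bad_logins": None,
    "accessed": None,
    "last_timestep": None,
}

if __name__ == "__main__":
    ok, upd = check_totp(SAMPLE_ROW, "9999", "287082", 59)  # wrong PIN, NULL row
    print(ok, update_statement("roy-test", upd))
```

With the reference key, counter 1 (time 59 with a 30-second step) yields 287082; the wrong-PIN attempt against the fresh row is rejected with last_timestep 0 in the update tuple, the right PIN accepts that code and records timestep 1, and presenting the same code again against the updated row is refused.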


[RADIATOR] Support for 3M SIP 2.0 in libraries

2012-07-16 Thread Mike McCauley
Hi All,

We are pleased to announce that Radiator now supports authentication with 3M 
Standard Interchange Protocol (SIP) 2.0.

SIP (not to be confused with VOIP Session Initiation Protocol) is a protocol 
used in many book libraries to communicate between library self service 
terminals and a central Automatic Circulation System (ACS). It is usually used 
to check books in and out, extend loans etc.

http://en.wikipedia.org/wiki/Standard_Interchange_Protocol

The new AuthBy SIP2 module allows Radiator to authenticate RADIUS, Diameter 
and TACACS requests against an ACS using the library patron name and password.

Protocols such as RADIUS-PAP, EAP-GTC, PEAP-GTC, TTLS-PAP etc can be supported 
with SIP2.

This will make it practical and easy to implement WiFi and Captive Portal 
systems in libraries for the use of library patrons.

Support for  AuthBy SIP2, along with sample configurations and testing 
guidelines are available in the latest Radiator patch set for Radiator 4.10.

Cheers.




Re: [RADIATOR] Added support for EAP-PWD per RFC 5931

2012-07-12 Thread Mike McCauley
Hi Heikki,

Excellent.
Thanks for testing.

Cheers.

On Friday, July 13, 2012 01:11:30 AM Heikki Vatiainen wrote:
> On 06/20/2012 03:31 AM, Mike McCauley wrote:
> > We are pleased to announce that Radiator now supports EAP-PWD
> > authentication.
> Android 4.1 update was today pushed to the Galaxy Nexus phone I have
> access to and the WLAN settings now have EAP-PWD as one of the EAP methods.
> 
> I gave EAP-PWD a quick test using 32bit Ubuntu 12.04 and 10.04 as
> platforms for Radiator 4.10, and the authentication seems to work fine.


[RADIATOR] Radiator Version 4.10 released

2012-06-27 Thread Mike McCauley
is helps to keep 
TCP connections open in the face of "smart" firewalls that might try to close 
idle connections down. Defaults to 0 seconds, which means inactive.

Radpwtst has new option -chap_nc that sends a RADIUS CHAP request, but in the 
old-fashioned way, with the CHAP Challenge in the authenticator, and not in a 
separate CHAP-Challenge attribute.

Testing on Raspberry Pi running debian6-19-04-2012. It runs out of the box. 
http://www.raspberrypi.org

Added hextobase32.pl to goodies. Script to help with entering HOTP and TOTP 
codes to Google Authenticator. Converts hex codes to base 32.

Added VSAs for Anagran ANA to dictionary. Thanks to Bob Shafer.

Added support for KeepaliveTimeout and UseStatusServerForFailureDetect to 
AuthBy RADIUS and AuthBy RADSEC. If UseStatusServerForFailureDetect is 
enabled, use only Status-Server requests (if any) to determine that a target 
server is failed when there is no reply. If not enabled (the default) use 
no-reply to any type of request. Uses NoreplyTimeout, MaxFailedRequests, 
MaxFailedGraceTime, FailureBackoffTime during failure detection. If you enable 
this, you should also ensure KeepaliveTimeout is set to a sensible interval to 
balance between detecting failures early and loading the target server. 
KeepaliveTimeout is the maximum time in seconds that a RADIUS connection can 
be idle before a Status-Server request is sent to keep the connection alive. 
Defaults to 0 seconds.


Re: [RADIATOR] Anagran traffic manager - radius dictionary attributes

2012-06-21 Thread Mike McCauley
Hi Bob,

thanks.
This is now in the latest patch set.

Cheers.

On Thursday, June 21, 2012 06:08:59 AM Bob Shafer wrote:
> This might be of use to others...
> 
> I *thought* I had sent these to the list when we first set up our
> Anagran traffic manager, however I can't find such a message in my sent
> archive, so this time I really will send them ;)
> 
> To implement management levels for the traffic manager we have added the
> following entries to our dictionary:
> 
> #
> # Vendor specifics for Anagran
> #
> VENDOR      ANA     23093
> VENDORATTR  23093   Anagran-Privilege-Level   0   integer
> VALUE   Anagran-Privilege-Level   exec               1
> VALUE   Anagran-Privilege-Level   privilege          2
> VALUE   Anagran-Privilege-Level   privilege-config   3
> 
> Thanks,
> 
> Bob Shafer
> University of Denver


[RADIATOR] Raspberry Pi

2012-06-20 Thread Mike McCauley
Hi All,

Electronics enthusiasts may like to know that we have successfully tested 
Radiator on Raspberry Pi running debian6-19-04-2012. It runs out of the box.

http://www.raspberrypi.org/

Cheers.




[RADIATOR] Added support for EAP-PWD per RFC 5931

2012-06-19 Thread Mike McCauley
Hello,

We are pleased to announce that Radiator now supports EAP-PWD authentication.

EAP-PWD is highly secure (the password is never transmitted, even in encrypted 
form), does not require PKI certificates, and requires only 3 authentication 
round-trips. So it is considered efficient to roll out in eg Eduroam and other 
environments. Requires that the Radiator user database has access to the 
correct plaintext password. Sample configuration file and patch for 
Crypt-OpenSSL-Bignum-0.04 is included.




[RADIATOR] Digest::SHA

2012-06-15 Thread Mike McCauley
Hi  All,

Until now, Radiator and other products in the family used a mixture of 
Digest::SHA and Digest::SHA1, sometimes optionally and sometimes absolutely.

We recently issued patches for Radiator and friends to always use Digest::SHA 
instead of Digest::SHA1. We think this will make installation easier for most 
implementers:

Digest::SHA has more features, and is now included standard with modern Perl 
distros. By comparison, Digest::SHA1 is now not readily available for some 
Linux distros.

So we have elected to use _only_ Digest::SHA, and it will now be an absolute 
prerequisite (not an optional one).

These changes are in the latest patch set and will be in the next release 
4.10, due out soon.



[RADIATOR] EAP-AKA module now supports fast reauthentication and pseudonyms

2012-05-31 Thread Mike McCauley
Hi All,

we are pleased to announce that the latest version 1.33 of the Radiator RADIUS 
EAP-SIM/EAP-AKA bundle now includes support for:

Fast Reauthentication
and
Pseudonyms (TMSI)

for both EAP-AKA and EAP-AKA-PRIME.

This complements the existing similar support for EAP-SIM.

Details at http://www.open.com.au/eap-sim



Re: [RADIATOR] RadSec -> RADIUS/TLS RFC

2012-05-31 Thread Mike McCauley
Thanks Alex.

Stefan Winter deserves much of the credit for shepherding it through IETF.

On Thursday, May 31, 2012 10:51:31 AM Alexander Hartmaier wrote:
> Congratulations on getting RadSec into an RFC!
> Radiator and its configuration is even mentioned in the appendix.
> 
> http://www.rfc-editor.org/rfc/rfc6614.txt
> --
> Cheers, Alex


Re: [RADIATOR] Opera PMS integration

2012-05-30 Thread Mike McCauley
Hi Michael,

The Radiator-Opera integration and interoperation has been tested successfully 
by Micros-Fidelio Australia.

According to correspondence from them, the Radiator interface for Opera has 
been released:

FKT Logo is RRA and the Part Number is 5009-170

Cheers.

On Wednesday, May 30, 2012 09:36:40 AM Michael Newton wrote:
> Hi all, wondering if anyone has any experience with PMS integration over
> TCP/IP? From the documentation included it sounds fairly straightforward,
> but wondering if anyone has hit any stumbling blocks during their
> implementations?
> 
> MICROS are convinced that they've never worked with Radiator before, and so
> this is a "pilot project" (presumably with commensurate costs) which came
> as a bit of a surprise; I had thought Radiator was certified to work with
> Opera already.
> 
> Thanks in advance for any advice/warnings/anecdotes!
> 
> --
> Michael Newton
> Manager, Information Systems
> Point of Presence Technologies


Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS

2012-05-30 Thread Mike McCauley
Hi,

On Wednesday, May 30, 2012 09:46:04 AM Fredrik Pettai wrote:
> Hi,
> 
> We are pushing it on the Cisco Wireless, ISE and NCS dev teams. AFAIK, there
> is no Cisco gear (nor other (wireless) vendor) that supports RADSEC.
> (Please correct me if I'm wrong...) 

Some years ago I tested (successfully) a Lancom L-54g wireless Access
Point which implemented RadSec. I don't know if it or an equivalent is still
available.

Cheers.


> You (and everybody else that wants to
> see RADSEC implemented in their Cisco gear) should nag your Cisco contacts
> about it, so this becomes a more important "business case" and thus gets higher
> priority. That's how it works... It's good that you (and other people) that
> come from the commercial side also start asking for RADSEC support,
> because AFAIK only the higher education customers have asked / nagged Cisco
> about this earlier...
> 
> Re,
> /P
> 
> On May 30, 2012, at 09:18 , Alexander Hartmaier wrote:
> > Thanks for the info Mike!
> > Do you know which devices support it?
> > We're mainly interested in Cisco gear.
> > 
> > Best regards, Alex
> > 
> > On 2012-05-29 22:46, Mike McCauley wrote:
> >> RadSec is now an official RFC.

Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS

2012-05-30 Thread Mike McCauley
Hi,

Sorry, I don't have any info on Cisco.

There are 2 compliant implementations mentioned in the RFC.

Cheers.

On Wednesday, May 30, 2012 09:18:40 AM Alexander Hartmaier wrote:
> Thanks for the info Mike!
> Do you know which devices support it?
> We're mainly interested in Cisco gear.
> 
> Best regards, Alex
> 
> On 2012-05-29 22:46, Mike McCauley wrote:
> > RadSec is now an official RFC.


[RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS

2012-05-29 Thread Mike McCauley
RadSec is now an official RFC.


--  Forwarded Message  --

Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for 
RADIUS
Date: Tuesday, May 29, 2012, 09:38:40 AM
From: rfc-edi...@rfc-editor.org
To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
CC: rad...@ietf.org, rfc-edi...@rfc-editor.org


A new Request for Comments is now available in online RFC libraries.


RFC 6614

Title:  Transport Layer Security (TLS) Encryption 
for RADIUS 
Author: S. Winter, M. McCauley,
S. Venaas, K. Wierenga
Status: Experimental
Stream: IETF
Date:   May 2012
Mailbox:stefan.win...@restena.lu, 
mi...@open.com.au, 
s...@cisco.com,
kl...@cisco.com
Pages:  22
Characters: 48004
Updates/Obsoletes/SeeAlso:   None

I-D Tag:draft-ietf-radext-radsec-12.txt

URL:http://www.rfc-editor.org/rfc/rfc6614.txt

This document specifies a transport profile for RADIUS using
Transport Layer Security (TLS) over TCP as the transport protocol.
This enables dynamic trust relationships between RADIUS servers.  
[STANDARDS-TRACK]

This document is a product of the RADIUS EXTensions Working Group of the IETF.


EXPERIMENTAL: This memo defines an Experimental Protocol for the
Internet community.  It does not specify an Internet standard of any
kind. Discussion and suggestions for improvement are requested.
Distribution of this memo is unlimited.

This announcement is sent to the IETF-Announce and rfc-dist lists.
To subscribe or unsubscribe, see
  http://www.ietf.org/mailman/listinfo/ietf-announce
  http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist

For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
For downloading RFCs, see http://www.rfc-editor.org/rfc.html.

Requests for special distribution should be addressed to either the
author of the RFC in question, or to rfc-edi...@rfc-editor.org.  Unless
specifically noted otherwise on the RFC itself, all RFCs are for
unlimited distribution.


The RFC Editor Team
Association Management Solutions, LLC


___
radext mailing list
rad...@ietf.org
https://www.ietf.org/mailman/listinfo/radext
-


Re: [RADIATOR] Miraki wifi works with Radiator for accounting and authentication

2012-05-20 Thread Mike McCauley
Hi Scott,

I think the product name is Meraki http://www.meraki.com/ not Miraki?

I don't have any direct experience with it.

Cheers.


On Sunday, May 20, 2012 09:41:09 PM Scott wrote:
> Hi Team, any advice? Thanks
> 
> 
> 
> At 2012-05-18 09:12:53, Scott wrote:
> 
> Dear team, we are trying to use Miraki wifi with Radiator for
> accounting and authentication. It's a hotel, to simplify the guest's wifi
> access and billing. The current billing system is Fidelio. Can anyone
> advise if this can be done and how they work with each other? Thanks!
> scott


Re: [RADIATOR] Yubikey and Radiator Windows Implementation

2012-04-24 Thread Mike McCauley
On Wednesday, April 25, 2012 04:29:19 PM Mike McCauley wrote:
> Hi James,
> 
> On Monday, April 23, 2012 11:00:36 AM James Austin wrote:
> > We have a windows based install of Radiator.
> > 
> > Will this work seamlessly with Yubikey?
> 
> Yes, you should expect it to work with Yubikey, provided you have the
> prerequisites installed:
> 
> Auth-Yubikey_Decrypter-0.05 or later, and Crypt::Rijndael
> Perl database support modules
> SQL server.
> 
> > Is there any documentation for Yubikey integration?

See also AuthBy SQLYUBIKEY in the reference manual

> 
> See goodies/yubikey.txt in your distribution.
> 
> There are sample configuration files in the goodies directory in your
> distribution:
> 
> goodies/yubikey.cfg
> 
> > Thanks,
> > 
> > James Austin
> > Houston, TX


Re: [RADIATOR] Yubikey and Radiator Windows Implementation

2012-04-24 Thread Mike McCauley
Hi James,

On Monday, April 23, 2012 11:00:36 AM James Austin wrote:
> We have a windows based install of Radiator.
> 
> Will this work seamlessly with Yubikey?

Yes, you should expect it to work with Yubikey, provided you have the 
prerequisites installed:

Auth-Yubikey_Decrypter-0.05 or later, and Crypt::Rijndael
Perl database support modules
SQL server.


> 
> Is there any documentation for Yubikey integration?

See goodies/yubikey.txt in your distribution.

There are sample configuration files in the goodies directory in your 
distribution:

goodies/yubikey.cfg


> 
> Thanks,
> 
> James Austin
> Houston, TX


Re: [RADIATOR] Enhancement for AuthDNSROAM/EduRoam and goodies suggestion

2012-04-02 Thread Mike McCauley
Hi Bjoern and others,

thanks for your patch. It is now in the latest patch set.

I take it you would like to see the AllowInReply parameter included in the 
sample goodies/dnsroam.cfg?

If you have other suggestions for improving the example goodies/dnsroam.cfg I 
would welcome that too.

Cheers.

On Thursday, March 29, 2012 05:04:13 PM Bjoern A. Zeeb wrote:
> Hi Mike, all,
> 
> A patch and a suggestion for goodies below.
> 
> A lot of people seem to use Radiator with EduRoam and after two
> debugging sessions, the first to find the cause why it's not working
> for a user and the 2nd to apply the below patch, things are significantly
> starting to improve for a couple of users whose IdPs send out weird
> attributes incl. VLAN assignments etc.
> 
> Not sure if we should pass down all section 5.7.18 ref.pdf options
> from the AuthDNSROAM patch below, but these two seem essential
> as having them in and not working might lead to unexpected results.
> 
> My somewhat excessive attribute filter list for Eduroam currently is
>   AllowInReply User-Name, \
>   Class, \
>   Framed-Protocol, \
>   Service-Type, \
>   EAP-Message, \
>   Message-Authenticator, \
>   MS-MPPE-Send-Key, \
>   MS-MPPE-Recv-Key, \
>   MS-CHAP-Domain, \
>   MS-CHAP2-Success, \
>   Proxy-State
> 
> with Framed-Protocol at least being excessive and should
> probably be static and Service-Type probably be restricted.
> 
> I wonder if others have a comment on that list; I have been told
> another (open source) radius software comes with a pre-defined
> list but have not checked, so I think putting that into goodies,
> if not there yet, for AuthDNSRoam/Eduroam samples would be an
> excellent idea :)
> 
> 
> Special thanks go to Stefan Winter and Ronald van der Pol for
> the debugging sessions to figure out the VLAN problem while here
> at IETF83.
> 
> Apart from that Radiator seems to do great wrt DNSRoam and
> I am looking forward to the draft being updated and the latest
> things that have been officially assigned being sorted.  Great!
> Thanks a lot for that!
> 
> Thanks,
> /bz
> 
> --- AuthDNSROAM.pm.orig 2011-09-29 21:51:05.0 +
> +++ AuthDNSROAM.pm  2012-03-29 16:16:09.0 +
> @@ -285,6 +285,7 @@ sub addRoute
>(qw(Address Transport Protocol Port UseTLS SRVName
> 
>StripFromRequest AddToRequest ReplyHook ReplyHook.compiled
> NoReplyHook NoReplyHook.compiled + StripFromReply AllowInReply
>NoForwardAuthentication NoForwardAccounting AllowInRequest
> 
>NoreplyTimeout IgnoreReject
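Review bot: as quoted, this hunk has been re-wrapped by the mail client: the added line `+ StripFromReply AllowInReply` is joined onto the end of the context line `NoReplyHook NoReplyHook.compiled`, so patch(1) will reject it; please resend the diff as an attachment or with line wrapping disabled. Also, the message only reports testing AllowInReply, while the hunk adds StripFromReply to the names copied in addRoute as well; a sentence confirming that StripFromReply was exercised (or noting that it is untested) would help the maintainer.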
> @@ -390,6 +391,7 @@ sub handle_request
>   (map {defined $self->{$_} ? ($_ => $self->{$_}) : ()}
>(qw(Port Secret
>StripFromRequest AddToRequest ReplyHook
> ReplyHook.compiled NoReplyHook NoReplyHook.compiled +
> StripFromReply AllowInReply
>NoForwardAuthentication NoForwardAccounting
> AllowInRequest NoreplyTimeout IgnoreReject
>IgnoreAccountingResponse MaxBufferSize
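Review bot: the same wrapping problem applies here (`+ StripFromReply AllowInReply` is glued to the previous `NoReplyHook NoReplyHook.compiled` context line). On substance, the names are copied only when `defined $self->{$_}`, consistent with the existing map, so a route without AllowInReply keeps its current behaviour; the sample goodies/dnsroam.cfg should gain an AllowInReply entry so the new pass-through is visible to users.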
> @@ -414,6 +416,7 @@ sub handle_request
>   # Copy parameters from $self:
>   (map {defined $self->{$_} ? ($_ => $self->{$_}) : ()}
>(qw(StripFromRequest AddToRequest ReplyHook
> ReplyHook.compiled NoReplyHook NoReplyHook.compiled +
> StripFromReply AllowInReply
>NoForwardAuthentication NoForwardAccounting
> AllowInRequest AuthPort AcctPort Secret Retries RetryTimeout
> UseOldAscendPasswords ServerHasBrokenPortNumbers ServerHasBrokenAddresses
> IgnoreReplySignature
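Review bot: with this hunk the list of pass-through parameter names is maintained by hand in three places (addRoute and both branches of handle_request), which is exactly how StripFromReply and AllowInReply came to be missing from the copied set. Consider hoisting the common names into one package-level array that all three `map` expressions reuse, so the next parameter added to section 5.7.18 cannot be dropped from one path but not the others.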
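To see what an allowlist like the one in the thread does to a reply from a remote IdP, here is an added example (not Radiator's code and not Bjoern's): a Python model of AllowInReply-style reply filtering. It parses the list in the same backslash-continued form and drops every reply attribute not named in it, so the VLAN assignment attributes from a remote IdP never reach the local NAS. It goes one step beyond the thread in one respect: an entry may be written as Name=Value1|Value2 to pin an attribute to permitted values, which is the "Service-Type should be restricted" idea; that `=value` syntax is an assumption of this example, not Radiator's configuration language. The IdP reply and the VLAN attributes in it are constructed.

```python
"""Model of a reply-attribute allowlist like Radiator's AllowInReply,
applied to a constructed eduroam-style proxy reply.

Added example, not Radiator code. The Name=Value1|Value2 form for
pinning an attribute to permitted values is an assumption of this model.
"""

# The list from the thread as it would appear in a config file with
# backslash continuation lines (constructed sample; the =value pins are
# this example's own syntax).
ALLOW_IN_REPLY_CFG = r"""
AllowInReply User-Name, \
  Class, \
  Framed-Protocol=PPP, \
  Service-Type=Framed-User|Login-User, \
  EAP-Message, \
  Message-Authenticator, \
  MS-MPPE-Send-Key, \
  MS-MPPE-Recv-Key, \
  MS-CHAP-Domain, \
  MS-CHAP2-Success, \
  Proxy-State
"""


def parse_allow_list(text, keyword="AllowInReply"):
    """Join backslash-continued lines, then split the comma-separated list.

    Returns {attribute_name: None | frozenset(permitted_values)}; None means
    any value of that attribute is allowed through.
    """
    joined = text.replace("\\\n", " ")
    allow = {}
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith(keyword):
            continue
        for item in line[len(keyword):].split(","):
            item = item.strip()
            if not item:
                continue
            name, _, values = item.partition("=")
            allow[name.strip()] = (
                frozenset(v.strip() for v in values.split("|")) if values else None
            )
    return allow


def filter_reply(reply_attrs, allow):
    """Keep only allowed (name, value) pairs.

    Returns (kept, dropped) where dropped entries carry the reason, which is
    what you would want in a debug log when an IdP reply is being rewritten.
    """
    kept, dropped = [], []
    for name, value in reply_attrs:
        if name not in allow:
            dropped.append((name, value, "not in AllowInReply"))
        elif allow[name] is not None and str(value) not in allow[name]:
            dropped.append((name, value, "value not permitted"))
        else:
            kept.append((name, value))
    return kept, dropped


# Constructed Access-Accept from a remote IdP that also pushes a VLAN
# assignment and a session timeout the local site did not ask for.
SAMPLE_IDP_REPLY = [
    ("User-Name", "alice@example.org"),
    ("Class", "0x1234"),
    ("Service-Type", "Framed-User"),
    ("Framed-Protocol", "PPP"),
    ("Tunnel-Type", "VLAN"),
    ("Tunnel-Medium-Type", "IEEE-802"),
    ("Tunnel-Private-Group-ID", "42"),
    ("MS-MPPE-Send-Key", "(opaque)"),
    ("MS-MPPE-Recv-Key", "(opaque)"),
    ("Proxy-State", "0xabcd"),
    ("Session-Timeout", "3600"),
]


def demo():
    """Apply the thread's list to the constructed reply."""
    return filter_reply(SAMPLE_IDP_REPLY, parse_allow_list(ALLOW_IN_REPLY_CFG))


if __name__ == "__main__":
    kept, dropped = demo()
    for name, value in kept:
        print("keep", name, value)
    for name, value, why in dropped:
        print("drop", name, value, "-", why)
```

The order matters in a real proxy: the filter runs on the reply before it is forwarded to the NAS, so the MS-MPPE keys and Proxy-State the NAS needs must be on the list, as they are above, or the session will fail in a way that looks like an EAP problem.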


Re: [RADIATOR] Documentation Update? Sources for SNMP_Session

2012-02-24 Thread Mike McCauley
Hi,

Thanks for reporting this.
It will be fixed in the next release of Radiator and has already been updated 
in the FAQ.

Thanks again.

Cheers.

On Friday, February 24, 2012 03:49:11 PM Traiano Welcome wrote:
> Hi Radiator Developers!
> 
>  I see in the Radiator reference manual section (Radiator version 4.9) on
> SNMP Monitoring for radiator:
> 
> ---
> 5.15 
> .
> .
> .
> SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
> http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
> ---
> 
> However it appears this URL is no longer valid on the www.switch.ch site.
> Simon Leinen, who hosted it on his staff website says that SWITCH is no
> longer supporting personal staff pages and so he's moved the home page for
> SNMP_Session to:
> 
>  https://code.google.com/p/snmp-session/
> 
> You might want to update the documentation with this.
> 
> Kind Regards,
> Traiano Welcome
> 
> 
> 
> 
> 


Re: [RADIATOR] Bug in SessSQL.pm

2012-02-14 Thread Mike McCauley
Hi Eddie,

thanks for reporting this.
It has now been fixed in the latest patch set.

Cheers.

On Tuesday, February 14, 2012 03:53:04 PM Eddie Stassen wrote:
> UpdateQuery crashes Radiator when the query
> contains %{Quote:...}.  This is due to $self not being passed as the
> third parameter to Radius::Util::format_special(). The patch below
> fixes it.
> 
> Regards,
> Eddie Stassen
> 
> --- SessSQL.pm.ORIG 2012-02-14 15:32:12.0 +0200
> +++ SessSQL.pm  2012-02-14 15:44:42.0 +0200
> @@ -132,7 +132,9 @@
>  $self->log($main::LOG_DEBUG,
>"$self->{Identifier} Updating session for $name,
> $nas_id, $nas_port", $p);
>  # Now add the new one
> -$self->do(&Radius::Util::format_special($self->{UpdateQuery}, $p));
> +$self->do(&$self->{UpdateQuery}, $p, $self,
> +$self->quote($name), $nas_id, $nas_port+0,
> +   
> $self->quote($p->getAttrByNum($Radius::Radius::ACCT_SESSION_ID; }
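Review bot: the added call as posted reads `$self->do(&$self->{UpdateQuery}, $p, $self, ...`, with the `Radius::Util::format_special(` that the removed line calls no longer visible; `&$self->{UpdateQuery}` would be parsed as a call through a code reference rather than as a format string, and the final line ends in `ACCT_SESSION_ID; }` with the closing parentheses missing, so the hunk appears to have been mangled in transit and should be resent as an attachment. On the intent, passing `$self` as the third argument matches the report that the crash comes from `$self` not reaching format_special for `%{Quote:...}`; the extra positional arguments `$self->quote($name), $nas_id, $nas_port+0, ...` should be documented so that UpdateQuery authors know what they expand to.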


[RADIATOR] test

2012-01-25 Thread Mike McCauley
test, please ignore




Re: [RADIATOR] two factor authentication

2012-01-17 Thread Mike McCauley
Hi Heikki,

I wonder if he should also look at  AuthBy OTP?
Cheers.

On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
> 
> Hello Alexander,
> 
> > I'm trying to implement a two factor auth where the user has to enter
> > his Active Directory credentials.
> > Radiator checks those against the AD, if successful creates an OTP and
> > sends that to the mobile phone number fetched from the AD.
> 
> Add State attribute to the challenge at this point.
> 
> > A challenge is returned to the NAS.
> 
> See this for how NAS should react to challenge.
> http://tools.ietf.org/html/rfc2865#section-5.24
> 
> > My problem is that I can't distinguish the initial request and the
> > challenge response which should skip the AD auth because this time the
> > password field holds the OTP response.
> 
> State should be echoed back in the challenge response unless the NAS is
> badly broken.
> 
> > By looking at the radius packets with tcpdump I couldn't find a
> > difference in the radius attributes sent that let me write two different
> > handlers.
> > 
> > Ideas?
> 
> Try something like this. Note that I have used a fixed value for
> challenge, but you could make it generic to protect against replay
> attacks or some other information that might be useful for selecting the
> correct handler for verifying the challenge.
> 
> 
># Check challenge here
> 
> 
> 
># Generate OTP here and send challenge
>
>   # AD auth happens here
>   AddToReply State=whatever
>
> 
> 
> 
> 
> Please let us know how it goes.
> Heikki
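Heikki's approach above keys the second handler on the State attribute that the NAS echoes back. The following is an added example, not part of the thread and not Radiator code: a Python model of that two-step exchange at the attribute level. The State value is generated unpredictably and consumed on first use (Heikki's point about replay), the OTP is held only as an HMAC so the pending table never stores it in clear, and a challenge expires after STATE_TTL seconds. The first factor (Active Directory in the thread) and the SMS sender are stand-in callables; the STATE_TTL value and the packet-as-dict representation are assumptions of this example.

```python
"""Model of the Access-Challenge / State round trip for SMS OTP as a second
factor. Added example, not Radiator code.

Packets are dicts of attribute name -> value. User-Password is treated as the
cleartext it would be after RADIUS de-obfuscation.
"""
import hashlib
import hmac
import secrets
import time

STATE_TTL = 120  # seconds a challenge stays valid (assumption)


class OtpChallenger:
    """Two-step authenticator keyed by the RADIUS State attribute."""

    def __init__(self, first_factor, send_sms, now=time.time):
        self.first_factor = first_factor    # callable(user, password) -> bool
        self.send_sms = send_sms            # callable(user, otp); stand-in for SMS
        self.now = now                      # injectable clock for expiry tests
        self._key = secrets.token_bytes(32)  # per-process HMAC key
        self._pending = {}                  # state -> (user, otp_mac, expires_at)

    def _mac(self, state, user, otp):
        msg = b"\0".join([state, user.encode(), otp.encode()])
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def handle(self, request):
        """Return a reply dict; 'code' is Access-Challenge/-Accept/-Reject."""
        user = request.get("User-Name", "")
        password = request.get("User-Password", "")
        state = request.get("State")
        if state is None:                    # no State: this is the first request
            return self._first_step(user, password)
        return self._second_step(user, password, state)

    def _first_step(self, user, password):
        if not self.first_factor(user, password):
            return {"code": "Access-Reject"}
        otp = f"{secrets.randbelow(10**6):06d}"
        state = secrets.token_bytes(16)      # unpredictable and single-use
        self._pending[state] = (user, self._mac(state, user, otp),
                                self.now() + STATE_TTL)
        self.send_sms(user, otp)
        return {"code": "Access-Challenge", "State": state,
                "Reply-Message": "Enter the code sent to your phone"}

    def _second_step(self, user, otp, state):
        entry = self._pending.pop(state, None)   # consume: a replayed State fails
        if entry is None:
            return {"code": "Access-Reject"}
        expected_user, expected_mac, expires_at = entry
        if expected_user != user or self.now() > expires_at:
            return {"code": "Access-Reject"}
        if not hmac.compare_digest(expected_mac, self._mac(state, user, otp)):
            return {"code": "Access-Reject"}
        return {"code": "Access-Accept"}


if __name__ == "__main__":
    outbox = {}
    auth = OtpChallenger(lambda u, p: p == "ad-secret", outbox.__setitem__)
    challenge = auth.handle({"User-Name": "alice", "User-Password": "ad-secret"})
    print(challenge["code"])
    reply = auth.handle({"User-Name": "alice", "User-Password": outbox["alice"],
                         "State": challenge["State"]})
    print(reply["code"])
```

Because the State is popped before any check, a wrong OTP also burns the challenge and the user has to start over with the first factor; that is deliberate, since it caps online guessing at one attempt per SMS.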


Re: [RADIATOR] Noticed something odd when restarting

2012-01-10 Thread Mike McCauley
Hi Jared,

thanks for reporting this.
It will be fixed in the next release of Radiator.

Cheers.

On Wednesday 11 January 2012 03:50:17 am Jared Watkins wrote:
> I'm working on code to do remote reloads of Radiator and I noticed the
> following in the logs... is this something to be concerned about?
>
> Tue Jan 10 12:10:04 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED)
> Tue Jan 10 12:14:14 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED)
> Tue Jan 10 12:31:09 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED)
> Tue Jan 10 12:32:42 2012: NOTICE: Server started: Radiator 4.9 on fmsdev (LOCKED) (LOCKED) (LOCKED) (LOCKED) (LOCKED)
>
> I think the LOCKED bit is referring to the fact that this is a eval
> license.. but it looks like something might not be happening correctly with
> restarts. I get the same thing if I HUP the process or issue a restart via
> the manage port.
>
> Thanks,
> J
>


Re: [RADIATOR] Radiator 4.8 on FreeBSD 8.2 crashes with: "ERR: Attribute number 93 is not defined in your dictionary"

2011-11-08 Thread Mike McCauley
Thanks Traiano,

The latest patch set now includes:

Updated ACME VSAs in dictionary to add many missing VSAs and to adopt
attribute naming consistent with other RADIUS servers.

Cheers.

On Tuesday 08 November 2011 11:53:33 pm Traiano Welcome wrote:
> See attached.
>
> Traiano
>
> On 2011/11/08 3:11 PM, "Heikki Vatiainen"  wrote:
> >On 11/07/2011 12:43 PM, Traiano Welcome wrote:
> >
> >Hello Traiano,
> >
> >>  Many thanks, this seems to have solved the problem, the system is
> >>running
> >> with double query load with no crash for more than an hour :-)
> >
> >Good to hear and thanks for letting us know. One more request from us:
> >can you reply with acme dictionary so that it can be included in
> >Radiator dictionary.
> >
> >>  Thanks to all who assisted: Mike McCauley, Hugh Irvine and Heikki!
> >
> >Thanks!
> >Heikki
> >
> >--
> >Heikki Vatiainen 
> >
> >Radiator: the most portable, flexible and configurable RADIUS server
> >anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> >Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> >TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> >DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> >NetWare etc.





Re: [RADIATOR] Radiator 4.8 on FreeBSD 8.2 crashes with: "ERR: Attribute number 93 is not defined in your dictionary"

2011-11-05 Thread Mike McCauley
Hi Heikki,

I think this is the same problem that is fixed in the latest patch set with:

Fixed a case where an empty Framed-IPv6-Prefix could cause a crash in 
radpwtst.

Cheers.

On Saturday 05 November 2011 08:03:49 am Heikki Vatiainen wrote:
> On 11/04/2011 12:58 PM, Traiano Welcome wrote:
>
> Hello Traiano,
>
> > Running Radiator in the foreground, I see an additional perl related (?)
> > error line:
>
> Hmm, can you reply with the acme dictionary, dictionary.acme, and do a
> Trace 5 debug. I would like to see the raw packet dump to see if you are
> receiving malformed packets.
>
> > Authentic:  CeK<200>XQ<255><142><136>><243><145><172>$x<248>
> > Attributes:
> >
> > Fri Nov  4 10:33:34 2011: ERR: Attribute number 93 is not defined in your
> > dictionary
> > 'x' outside of string in unpack at
> > /usr/local/lib/perl5/site_perl/5.12.3/Radius/Radius.pm line 1931.
>
> Thanks, this is useful information. Can you tell what version your
> Radius.pm is? There should be a line like this at the top of the file
>
> # $Id: Radius.pm,v 1.157 2011/04/05 00:13:00 mikem Exp $
>
> Version 1.157 is the originally released Radius.pm in version 4.8. Line
> 1931 seems to be related to IPv6 in Radius.pm 1.157
>
> > Looking at my 2 dictionaries, attribute  93 seems to have various
> > definitions:
> >
> > (dictionary)
> >
> > ---
> > VENDORATTR  1584  Annex-Rate-Reneg-Req-Rcvd  93  integer
> > VENDORATTR  2352  RB-Remote-Port             93  string
> > VENDORATTR  5535  3GPP2-Acct-Stop-Trigger    93  integer
> >
> > (dictionary.acme)
> >
> > ---
> > VENDORATTR  9148  Acme-Flow-In-Src-Addr_FS2_F  93  ipaddr  Acme
> > ---
> >
> > I'm not sure which would be the overriding definition ?
>
> I do not think these are related. If it is a vendorattr, the output
> should be something like "... attribute 93 (vendor 1234) is not defined
> ..."
>
> > Additionally, I have another FreeBSD server (8.2-RELEASE-p3 #1) running
> > radiator 4.8 (same source package), using the same dictionaries,  with
> > perl version 5.12.4, but it's running fine. I've even upgraded the
> > current perl on this system to 5.12.4, but that incremental change didn't
> > have an effect.
> >
> > I'd be grateful for any additional insights you might have.
>
> If you could create a Trace 5 dump that shows the raw data that is
> received, that would be useful.
>
> Thanks!
> Heikki



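The unpack error quoted in this thread is the symptom of a decoder that slices or unpacks on a length it has not checked against the bytes it actually holds. The following is an added example, not Radiator code: a RADIUS attribute decoder that validates the packet Length, every attribute length byte, the Vendor-Specific vendor id and the size of fixed-width values before unpacking, and that reports an unknown attribute by number (and vendor, for a VSA) instead of failing. The dictionary is a tiny constructed one (the Acme entry and vendor 9148 are taken from the thread above), and the two packets are built inline rather than captured from a NAS.

```python
import struct

# Constructed minimal dictionary for this example; Radiator's real dictionary is
# far larger. Standard attributes: number -> (name, type).
STD_ATTRS = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    80: ("Message-Authenticator", "octets"),
}
# Vendor attributes: (vendor PEN, number) -> (name, type); 9148 is Acme, as quoted above.
VENDOR_ATTRS = {(9148, 93): ("Acme-Flow-In-Src-Addr_FS2_F", "ipaddr")}
VENDOR_SPECIFIC = 26

class MalformedPacket(ValueError):
    """A length field that does not fit the bytes actually received."""

def decode_value(atype, raw):
    """Decode one value; fixed-size types are size-checked before unpack()."""
    if atype == "string":
        return raw.decode("utf-8", errors="replace")
    if atype == "ipaddr":
        if len(raw) != 4:
            raise MalformedPacket("ipaddr value is %d bytes, expected 4" % len(raw))
        return "%d.%d.%d.%d" % struct.unpack("!4B", raw)
    if atype == "integer":
        if len(raw) != 4:
            raise MalformedPacket("integer value is %d bytes, expected 4" % len(raw))
        return struct.unpack("!I", raw)[0]
    return raw.hex()  # octets and anything else stay opaque

def iter_tlvs(buf):
    """Yield (type, value) for each type/length/value triple in buf.

    Every length byte is checked against the bytes that are really present
    before anything is sliced or unpacked; a bad length raises instead of
    producing an out-of-range read.
    """
    off = 0
    while off < len(buf):
        if len(buf) - off < 2:
            raise MalformedPacket("%d trailing byte(s) cannot hold an attribute header" % (len(buf) - off))
        num, alen = buf[off], buf[off + 1]
        if alen < 2:
            raise MalformedPacket("attribute %d has length %d, minimum is 2" % (num, alen))
        if off + alen > len(buf):
            raise MalformedPacket("attribute %d length %d runs past the end of the data" % (num, alen))
        yield num, buf[off + 2:off + alen]
        off += alen

def decode_attributes(payload):
    """Return (decoded, warnings): unknown attributes are reported, never fatal."""
    decoded, warnings = [], []
    for num, val in iter_tlvs(payload):
        if num == VENDOR_SPECIFIC:
            if len(val) < 4:
                raise MalformedPacket("Vendor-Specific shorter than its 4-byte vendor id")
            vendor = struct.unpack("!I", val[:4])[0]
            for sub, subval in iter_tlvs(val[4:]):  # sub-TLVs get the same length checks
                name, vtype = VENDOR_ATTRS.get((vendor, sub), (None, None))
                if name is None:
                    warnings.append("Attribute number %d (vendor %d) is not defined in your dictionary" % (sub, vendor))
                else:
                    decoded.append((name, decode_value(vtype, subval)))
        else:
            name, vtype = STD_ATTRS.get(num, (None, None))
            if name is None:
                warnings.append("Attribute number %d is not defined in your dictionary" % num)
            else:
                decoded.append((name, decode_value(vtype, val)))
    return decoded, warnings

def decode_packet(pkt):
    """Check the 20-byte RADIUS header, then decode the attributes inside Length."""
    if len(pkt) < 20:
        raise MalformedPacket("packet shorter than the 20-byte RADIUS header")
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length > len(pkt):
        raise MalformedPacket("header Length %d does not fit %d bytes received" % (length, len(pkt)))
    # Octets beyond Length are padding and ignored (RFC 2865 section 3).
    return code, ident, decode_attributes(pkt[20:length])

# Builders for constructed test packets (not captured traffic).
def attr(num, value):
    return bytes([num, len(value) + 2]) + value

def vsa(vendor, sub, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", vendor) + attr(sub, value))

def packet(code, ident, attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + b"\x00" * 16 + body

# Well-formed Access-Request carrying an Acme VSA 93 and an undefined standard attribute 93.
GOOD = packet(1, 7, [attr(1, b"alice"), attr(4, bytes([10, 0, 0, 1])),
                     vsa(9148, 93, bytes([192, 0, 2, 7])), attr(93, b"\x00\x01")])
# The same, but attribute 93 claims 20 bytes when only 2 follow its header.
TRUNCATED = packet(1, 8, [attr(1, b"alice"), bytes([93, 20]) + b"\x00\x01"])

if __name__ == "__main__":
    print(decode_packet(GOOD))
    try:
        decode_packet(TRUNCATED)
    except MalformedPacket as err:
        print("rejected:", err)
```

With this shape an undefined attribute is a log line and nothing more, while a length that lies about the packet is rejected as a whole before any value is decoded; the second case is the one a Trace 5 raw dump from the NAS would confirm.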


Re: [RADIATOR] EAPTLS_MaxFragmentSize settings

2011-10-11 Thread Mike McCauley
Hello Alex,

On Tuesday 11 October 2011 09:35:08 pm Alexander Hartmaier wrote:
> I've tried a lot of different values and looked at the radius packets
> coming from our switches (for wired dot1x): peap 1350, inner tls 1300
> peap 1400, inner tls 1360
> peap 1412, inner tls 1350
>
> In the end I've used 1350/1300 because increasing it any further towards
> the limit didn't lower the number of packets so I preferred to have a
> little bit of safety margin left.
>
> The EAP packet that is encapsulated inside one of the radius key/value
> pairs + all other radius attributes doesn't exceed one ethernet frame
> because EAP doesn't support fragmentation. Depending on the number of other
> radius attributes your switches or wlan controllers send to the radius
> servers you can increase the EAP payload. Decreasing the number of packets
> reduces the authentication time and lowers the load on both the radius
> client (switch, wlan controller) and radius server.
>
> @Open guys: can you please add something like my description to the docs?

Done for the next release.

Cheers.

>
> Am 2011-10-11 13:16, schrieb Alex Sharaz:
> Hi,
>
> For a long time I've had
>
> =
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize.
> EAPTLS_MaxFragmentSize 1000
>
> ==
>
> Set up in my Radiator radius.cfg file simply because it was there in the
> sample radius.cfg file I initially used. I'm now wondering if perhaps this
> is a bit small.
>
> What are other people doing?
> Is anyone explicitly setting this up or are people leaving it to the
> default value
>
> Rgds
> Alex
>



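The values traded in this thread come down to one budget: the Access-Challenge that carries a TLS fragment has to fit in one frame next to the RADIUS and EAP headers and whatever other attributes the reply contains, and the number of EAP round trips is the flight size divided by the fragment. The following is an added example, not code from the thread or from Radiator, that works that budget through. Its header sizes are the RFC values; the 1500-byte MTU, IPv4 (no IP fragmentation) and the 36 bytes of "other" reply attributes (Message-Authenticator plus a 16-byte State) are assumptions, as is treating EAPTLS_MaxFragmentSize as the pure TLS byte count before the EAP-TLS header is added.

```python
import math

# Wire-budget assumptions for this example (not from the list thread): IPv4 over
# Ethernet with no IP fragmentation. Change MTU for jumbo frames, or use a 40-byte
# header for IPv6.
MTU = 1500
IPV4_HDR, UDP_HDR = 20, 8
RADIUS_HDR = 20             # code, identifier, length, authenticator (RFC 2865)
RADIUS_MAX = 4096           # maximum RADIUS packet length (RFC 2865)
EAP_HDR = 4                 # code, identifier, length (RFC 3748)
EAPTLS_HDR = 2              # type + flags (RFC 5216)
EAPTLS_LEN_FIELD = 4        # TLS message length, present only when the L flag is set
EAP_MESSAGE_CHUNK = 253     # EAP-Message payload: 255-byte attribute minus its 2-byte header

def eap_message_bytes(eap_len):
    """Bytes the EAP-Message attributes occupy once an EAP packet of eap_len bytes
    is split into 253-byte chunks, each carrying its own 2-byte attribute header."""
    chunks = math.ceil(eap_len / EAP_MESSAGE_CHUNK)
    return eap_len + 2 * chunks

def challenge_size(fragment, other_attr_bytes, first_fragment=True):
    """RADIUS length of an Access-Challenge carrying one TLS fragment of `fragment` bytes.

    other_attr_bytes covers everything that is not EAP-Message: Message-Authenticator,
    State, and any Proxy-State a proxy chain echoes back.
    """
    eap_len = EAP_HDR + EAPTLS_HDR + (EAPTLS_LEN_FIELD if first_fragment else 0) + fragment
    return RADIUS_HDR + eap_message_bytes(eap_len) + other_attr_bytes

def fits_one_frame(fragment, other_attr_bytes):
    """True if the first-fragment challenge respects both the RADIUS and the MTU limit."""
    size = challenge_size(fragment, other_attr_bytes)
    return size <= RADIUS_MAX and IPV4_HDR + UDP_HDR + size <= MTU

def max_fragment(other_attr_bytes):
    """Largest EAPTLS_MaxFragmentSize that still fits one frame with these extra attributes."""
    best = 0
    for frag in range(1, RADIUS_MAX):
        if fits_one_frame(frag, other_attr_bytes):
            best = frag
    return best

def round_trips(flight_bytes, fragment):
    """EAP request/response round trips needed to deliver a TLS flight of flight_bytes."""
    return math.ceil(flight_bytes / fragment)

# Constructed reply attribute set: Message-Authenticator (18 bytes) + a 16-byte State (18 bytes).
OTHER = 18 + 18

if __name__ == "__main__":
    for frag in (1000, 1350, 1394, 1412):
        print(frag, challenge_size(frag, OTHER), fits_one_frame(frag, OTHER), round_trips(3000, frag))
    print("max fragment with %d bytes of other attributes:" % OTHER, max_fragment(OTHER))
```

Under these assumptions the budget tops out at 1394 bytes of TLS per challenge, 1350 leaves the safety margin mentioned above, and a 3000-byte server flight (constructed figure) takes three round trips at 1000, 1350 and 1394 alike, which is the "going higher did not reduce the packet count" effect. Every extra attribute the NAS needs in the reply, or a Proxy-State from a proxy hop, lowers the ceiling, so the number has to be re-derived per deployment rather than copied.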


[RADIATOR] Radiator Version 4.9 released

2011-09-29 Thread Mike McCauley
 seeding: seeding is now done by a
new function Radius::Util::seed_random. radiusd calls it at
startup and after forking farm children. It can be overridden if
necessary to provide local random number initialisation and
seeding.

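The release note's point about seeding after forking farm children is worth seeing concretely: a child process starts with a byte-for-byte copy of the parent's PRNG state, so every child that does not reseed will draw the same "random" values, and anything built from them (Request Authenticators, EAP challenges, State values) repeats across children. The following is an added example, not Radiator code. It simulates fork() by copying PRNG state rather than calling os.fork(), uses Python's random module as the stand-in userspace PRNG (it is not a CSPRNG and is not what a server should use for authenticators; the inherited-state problem is the same for any userspace generator), and labels its seed and counts as constructed.

```python
import os
import random

def startup_rng(seed=12345):
    """The parent's PRNG as it stands after seeding once at startup (constructed seed)."""
    return random.Random(seed)

def request_authenticators(rng, n):
    """Draw n 16-byte RADIUS Request Authenticators from this PRNG state."""
    return [rng.getrandbits(128).to_bytes(16, "big") for _ in range(n)]

def spawn_children(parent, count, reseed):
    """Simulate fork(): each child begins with an exact copy of the parent's PRNG state.

    With reseed=True each child reseeds from the OS entropy pool after the fork,
    which is the job a seed_random-after-fork call does for farm children.
    """
    children = []
    for _ in range(count):
        child = random.Random()
        child.setstate(parent.getstate())   # what the kernel does for you on fork()
        if reseed:
            child.seed(os.urandom(32))
        children.append(child)
    return children

def duplicate_authenticators(children, per_child=4):
    """Return the set of 16-byte authenticators that more than one child produced."""
    seen, dupes = set(), set()
    for child in children:
        for auth in request_authenticators(child, per_child):
            if auth in seen:
                dupes.add(auth)
            seen.add(auth)
    return dupes

if __name__ == "__main__":
    print("children without reseed share", len(duplicate_authenticators(spawn_children(startup_rng(), 3, False))), "authenticators")
    print("children with reseed share   ", len(duplicate_authenticators(spawn_children(startup_rng(), 3, True))), "authenticators")
```

Three unreseeded children produce the same four authenticators each; after reseeding from os.urandom they share none. A quick check on a running farm is to compare the Request Authenticators in a Trace 4 log across child PIDs.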

Re: [RADIATOR] Latest dictionary additions

2011-09-21 Thread Mike McCauley
Hi All,


On Wednesday 21 September 2011 06:54:07 pm Heikki Vatiainen wrote:
> Here's a summary of new and updated dictionary entries recently seen on
> the list but not yet in patches for 4.8.
>
> I guess the hunt is still on for some others, but these look like ready
> to be included.
>
> >From Alan
>
> #
> # Aruba vendor specific radius attributes
> #
> VENDOR  Aruba   14823
> VENDORATTR  14823   Aruba-User-Role 1   string
> VENDORATTR  14823   Aruba-User-Vlan 2   integer
> VENDORATTR  14823   Aruba-Priv-Admin-User   3   integer
> VENDORATTR  14823   Aruba-Admin-Role4   string
> VENDORATTR  14823   Aruba-Essid-Name5   string
> VENDORATTR  14823   Aruba-Location-Id   6   string
> VENDORATTR  14823   Aruba-Port-Id   7   string
> VENDORATTR  14823   Aruba-Template-User 8   string
> VENDORATTR  14823   Aruba-Named-User-Vlan   9   string
> VENDORATTR  14823   Aruba-AP-Group  10  string
> VENDORATTR  14823   Aruba-Framed-IPv6-Address   11  string

All now in the latest patch set.

>
> >From Jethro
>
> ## Bluesocket
> VENDOR  Bluesocket  9967
> VENDORATTR  9967BlueSocketRole  100 string
> VENDORATTR  9967Bluesocketap101 string

These were already in the dictionary, one with a slightly different case:

BlueSocketap

Which is correct?

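The BlueSocketap / Bluesocketap question above, and the batches of VENDOR, VENDORATTR and VALUE lines contributed in this and the following Nomadix, Aruba and Aerohive threads, are the kind of input a dictionary loader should check before it is trusted: two names for one vendor attribute number, a VALUE redefined, or a VENDORATTR whose vendor is never declared. The following is an added example, not Radiator's dictionary loader; it parses the line formats as they appear on the list and reports conflicts. Radiator's own precedence between duplicate entries is not described on the page, so first-definition-wins here is an assumption. The SAMPLE text is constructed from the entries above with the conflicts deliberately present.

```python
# Constructed sample: the Bluesocket entries as first posted, the same attribute
# re-posted with different letter case, the Aerohive entries with their VALUE
# lines plus a duplicated VALUE, and one Nomadix line with no VENDOR declaration.
SAMPLE = """\
VENDOR      Bluesocket  9967
VENDORATTR  9967   BlueSocketRole  100  string
VENDORATTR  9967   BlueSocketap    101  string
VENDORATTR  9967   Bluesocketap    101  string
VENDOR      Aerohive    26928
VENDORATTR  26928  AH-HM-Admin-Group-Id  1  integer
VALUE  AH-HM-Admin-Group-Id  Read-Only-Admin   0
VALUE  AH-HM-Admin-Group-Id  Super-Admin       1
VALUE  AH-HM-Admin-Group-Id  Read-Write-Admin  2
VALUE  AH-HM-Admin-Group-Id  Super-Admin       3
VENDORATTR  3309   Nomadix-Bw-Up   1    integer
"""

def parse_dictionary(text):
    """Parse VENDOR, ATTRIBUTE, VENDORATTR and VALUE lines.

    First definition wins (assumption: a loader reading top to bottom); every
    later conflicting line is listed in 'problems' instead of silently shadowing
    or replacing an earlier entry.
    """
    vendors = {}    # vendor name -> private enterprise number
    attrs = {}      # (PEN, or 0 for standard attributes, number) -> (name, type)
    values = {}     # (attribute name, value name) -> integer
    problems = []

    def note(lineno, msg):
        problems.append("line %d: %s" % (lineno, msg))

    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split("#", 1)[0].split()      # strip comments, split on whitespace
        if not f:
            continue
        kw = f[0]
        if kw == "VENDOR" and len(f) >= 3 and f[2].isdigit():
            name, pen = f[1], int(f[2])
            if vendors.get(name, pen) != pen:
                note(lineno, "vendor %s redefined from %d to %d" % (name, vendors[name], pen))
            vendors.setdefault(name, pen)
        elif kw in ("ATTRIBUTE", "VENDORATTR"):
            if kw == "ATTRIBUTE" and len(f) >= 4 and f[2].isdigit():
                pen, name, num, atype = 0, f[1], int(f[2]), f[3]
            elif kw == "VENDORATTR" and len(f) >= 5 and f[1].isdigit() and f[3].isdigit():
                pen, name, num, atype = int(f[1]), f[2], int(f[3]), f[4]
            else:
                note(lineno, "incomplete %s line: %s" % (kw, raw.strip()))
                continue
            old = attrs.setdefault((pen, num), (name, atype))
            if old != (name, atype):
                how = "differs only in case from" if old[0].lower() == name.lower() else "conflicts with earlier"
                note(lineno, "%s (%s) %s %s (%s) for vendor %d attribute %d"
                     % (name, atype, how, old[0], old[1], pen, num))
        elif kw == "VALUE" and len(f) >= 4 and f[3].isdigit():
            old = values.setdefault((f[1], f[2]), int(f[3]))
            if old != int(f[3]):
                note(lineno, "value %s of %s redefined from %d to %d" % (f[2], f[1], old, int(f[3])))
        else:
            note(lineno, "unrecognised line: %s" % raw.strip())

    pens = set(vendors.values())
    for (pen, num), (name, _) in sorted(attrs.items()):
        if pen and pen not in pens:
            problems.append("%s uses vendor %d but no VENDOR line declares it" % (name, pen))
    names = {name for name, _ in attrs.values()}
    for aname, vname in sorted(values):
        if aname not in names:
            problems.append("VALUE %s refers to undefined attribute %s" % (vname, aname))
    return {"vendors": vendors, "attrs": attrs, "values": values, "problems": problems}

if __name__ == "__main__":
    for problem in parse_dictionary(SAMPLE)["problems"]:
        print(problem)
```

Run against SAMPLE it flags exactly the three planted problems: the case-only duplicate of vendor 9967 attribute 101, the redefined Super-Admin value, and the Nomadix attribute with no VENDOR line. Running it over a merged dictionary before restarting the server is cheaper than finding the conflict from a misdecoded reply attribute.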


Re: [RADIATOR] New Nomadix attributes

2011-09-20 Thread Mike McCauley
Hi Mike,

thanks for that.
They are now in the latest patch set.

Cheers.

On Wednesday 21 September 2011 03:08:14 am Mike Newton wrote:
> Please consider the following updates (attributes 14-21 and the IP-Upsell
> values) for the dictionary. I've confirmed with Nomadix that this is a
> complete list at the present time. Thanks a lot.
>
> Mike
>
> #
> # Nomadix vendor specific
> #
> VENDOR  Nomadix 3309
> VENDORATTR  3309Nomadix-Bw-Up   1   integer
> VENDORATTR  3309Nomadix-Bw-Down 2   integer
> VENDORATTR  3309Nomadix-URL-Redirection 3   string
> VENDORATTR  3309Nomadix-IP-Upsell   4   integer
> VENDORATTR  3309Nomadix-Expiration-Time 5   string
> VENDORATTR  3309Nomadix-Subnet  6   string
> VENDORATTR  3309Nomadix-MaxBytesUp  7   integer
> VENDORATTR  3309Nomadix-MaxBytesDown8   integer
> VENDORATTR  3309Nomadix-EndofSession9   integer
> VENDORATTR  3309Nomadix-Logoff-URL  10  string
> VENDORATTR  3309Nomadix-Net-VLAN11  integer
> VENDORATTR  3309Nomadix-Config-URL  12  string
> VENDORATTR  3309Nomadix-Goodbye-URL 13  string
> VENDORATTR  3309Nomadix-Qos-Policy  14  string
> VENDORATTR  3309Nomadix-SMTP-Redirect   17  integer
> VENDORATTR  3309Nomadix-Centralized-Mgmt18  string
> VENDORATTR  3309Nomadix-Group-Bw-Policy-ID  19  integer
> VENDORATTR  3309Nomadix-Group-Max-Up20  integer
> VENDORATTR  3309Nomadix-Group-Max-Down  21  integer
>
> VALUE   Nomadix-IP-Upsell   PrivatePool 0
> VALUE   Nomadix-IP-Upsell   PublicPool  1





Re: [RADIATOR] updated Aruba dictionaries?

2011-08-15 Thread Mike McCauley
Hi,

On Monday 15 August 2011 10:25:12 pm Alan Buxey wrote:
> Hi,
>
> > But I can add:
> >
> > VENDORATTR   14823  Aruba-Template-User   8  string
> >
> > courtesy of wireshark to your list.
>
> cool :-)  thanks for that one though I believe its officially
>
>
> ATTRIBUTE  Aruba-MMS-User-Template   8 string
>
> so,
>
> VENDORATTR   14823  Aruba-MMS-User-Template   8  string

Aruba's docs agree with this. Now added to the dictionary in the latest patch 
set.

>
>
> ??
>
> alan





Re: [RADIATOR] aerohive dictionary file

2011-08-15 Thread Mike McCauley
Hi Alan,

On Monday 15 August 2011 09:44:48 pm Alan Buxey wrote:
> hi,
>
> I believe this is what is needed in RADIATOR for the aerohive
> wireless kit as a starting dictionary.
>
> anyone care to confirm/agree/reject or differ?  :-)

Yes, that agrees with the aerohive docs. Added to the dictionary in the latest 
patch set.

Cheers.

>
> #
> # Aerohive vendor specific radius attributes
> #
> VENDOR  Aerohive  26928
> VENDORATTR  26928   AH-HM-Admin-Group-Id1   integer
> VALUE   AH-HM-Admin-Group-IdRead-Only-Admin 0
> VALUE   AH-HM-Admin-Group-IdSuper-Admin 1
> VALUE   AH-HM-Admin-Group-IdRead-Write-Admin2
>
>
>
> alan





Re: [RADIATOR] CRL reload error

2011-08-09 Thread Mike McCauley
Hi Heikki,

actually there is NO way to force a CRL reload except to kill the process.
The certificates are NEVER flushed from the process under any 
circumstances :-( You can load new ones but the old ones are looked at before 
the recent ones.

Cheers.

On Tuesday 09 August 2011 06:35:20 pm Heikki Vatiainen wrote:
> On 08/08/2011 05:59 PM, Alexander Hartmaier wrote:
> > So a reload after every crl download is still the only solution?
>
> Unfortunately this seems to be currently the only solution.
>
> > Adding the crl download and refresh functionality to Radiator would be a
> > welcome addition!
>
> I agree this would be very useful. Then again implementing it in
> Radiator separately from OpenSSL would mean creating a lot of code that
> would have a short lifetime becoming obsolete once OpenSSL starts to
> fully support the functionality. The problem of course is it's not known
> how soon or late this happens.
>
> Thanks,
> Heikki
>
> > Cheers, Alex
> >
> > Am 2011-08-08 09:41, schrieb Heikki Vatiainen:
> >> On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
> >>
> >> Hello Alexander,
> >>
> >>> what's the status of crl reloading?
> >>
> >> CRL reloading support depends on OpenSSL. As you have found out, it
> >> appears the support is not in version 1.0.0. A quick check of 1.0.0
> >> series change log did not show anything related to this, so I guess the
> >> wait is still on.
> >>
> >>> I've installed openssl 1.0.0 from Debian testing on a Debian stable
> >>> server but it still fails with
> >>> ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem':
> >>> error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert
> >>> already in hash table





[RADIATOR] Support for Freeswitch VOIP switch and Micros-Fidelio Opera PMS

2011-08-08 Thread Mike McCauley
Hi All,

We have recently released some documentation and sample configuration files 
showing how to use Radiator and the AuthBy FIDELIO module to
handle authentication and accounting for the Freeswitch VOIP switch
(http://www.freeswitch.org). It can be used to authenticate and to bill VOIP
calls to a Micros-Fidelio Opera Hotel Property Management System
(http://www.micros.com).

The goal of this sample configuration is to implement a user-pays VOIP system
in a hotel environment:
Before a user can make a call from a hotel room VOIP phone, there must be
someone checked into the room. When the call is completed, the call is billed
to the hotel room.

Documentation and sample configuration files are now in the latest Radiator 
patch set.

We welcome feedback and suggestions from Freeswitch/Fidelio implementers.

Cheers.



Re: [RADIATOR] Multiple user groups for tacacs authorization possible

2011-07-08 Thread Mike McCauley
Hi Heikki,

I did something similar to this at NBNCo (you have the configs I think).
In that one we used LDAP to get the groups the user is a member of, and 
used the device group the request came from to do a lookup in SQL. From 
there we get AuthorizeGroupAttr rules.

Cheers.

On Friday 08 July 2011 09:51:08 pm Heikki Vatiainen wrote:
> On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
> > we have the need to map users with membership in multiple groups into
> > tacacs groups to decide if the user is allowed to login (authentication)
> > and what the user is allowed to do (authorization).
> > We solved the authentication by multiple authby ldap2's  for the
> > different ldap groups in an authby group.
> > The first matched group populates the OSC-Group-Identifier attribute
> > which is used for the GroupMemberAttr.
> > Because some users are in multiple groups we're looking for a way to add
> > all of them to the GroupMemberAttr, is this possible?
>
> This does not sound possible. Please see this example. Is this what you
> are looking for?
>
> 
>   GroupMemberAttr OSC-Group-Identifier
>   AuthorizeGroup group1 ...
>   # more rules for group1
>   AuthorizeGroup group2 ...
>   # more rules for group2
>
> And the Access-Reply messages would look like these
>
> User a:
>   OSC-Group-Identifier = group1
> User b:
>   OSC-Group-Identifier = group2
> User c:
>   OSC-Group-Identifier = group1
>   OSC-Group-Identifier = group2
>
> The user c would be allowed (group1 + group2).
>
> The above is not currently possible since Radiator currently only picks
> up one attribute and uses its value. The second will not be used.
>
> Also, there's the question if both group1 and group2 contain permit and
> deny rules how they would relate to each other.
>
> If the above is not what you are after, please tell us more.
>
> Thanks!



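Heikki's open question above, how permit and deny rules from group1 and group2 should relate for a user who is in both, is a policy decision rather than a parsing one, and it is easier to settle by running the candidates side by side. The following is an added example and not Radiator's AuthorizeGroup implementation or syntax: per-group command rules and a combiner with three policies, including one that consults only the first group, which models the single-attribute behaviour described in the thread. The rule sets, users and commands are constructed.

```python
import re

# Constructed rule sets, one per TACACS+ group. Each rule is (action, regex over
# the full command line); the first matching rule within a group decides for that
# group. This illustrates the merge question only; it is not AuthorizeGroup syntax.
GROUP_RULES = {
    "group1": [("permit", r"^show\b"), ("deny", r"^configure\b")],
    "group2": [("permit", r"^configure terminal$"), ("permit", r"^show running-config$")],
}

# Memberships as they would arrive if every OSC-Group-Identifier attribute were honoured.
USER_GROUPS = {"a": ["group1"], "b": ["group2"], "c": ["group1", "group2"]}

def group_decision(group, command):
    """The decision this one group makes for the command, or None if no rule matches."""
    for action, pattern in GROUP_RULES.get(group, []):
        if re.match(pattern, command):
            return action
    return None

def authorize(user, command, policy="deny-overrides"):
    """Combine per-group decisions. Unknown users and unmatched commands are denied.

    deny-overrides   : any group that denies wins (least privilege across memberships)
    permit-overrides : any group that permits wins (union of what the groups allow)
    first-group-only : only the first group is consulted, which models a server that
                       reads a single group attribute value and ignores the rest
    """
    groups = USER_GROUPS.get(user, [])
    if policy == "first-group-only":
        groups = groups[:1]
    decisions = [d for d in (group_decision(g, command) for g in groups) if d is not None]
    if not decisions:
        return False                     # default deny when nothing matched
    if policy in ("deny-overrides", "first-group-only"):
        return "deny" not in decisions
    if policy == "permit-overrides":
        return "permit" in decisions
    raise ValueError("unknown policy %r" % policy)

if __name__ == "__main__":
    for user in "abc":
        for cmd in ("show version", "show running-config", "configure terminal", "debug all"):
            print(user, cmd.ljust(20), [authorize(user, cmd, p)
                                       for p in ("deny-overrides", "permit-overrides", "first-group-only")])
```

User c on "configure terminal" is the interesting row: group1 denies it, group2 permits it, so deny-overrides refuses, permit-overrides allows, and first-group-only never sees group2 at all. Whichever policy is chosen, a command no group mentions stays denied.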


Re: [RADIATOR] [patch] Radiator 4.8: dictionary Fix type of Unisphere-Ipv6-*-DNS

2011-05-30 Thread Mike McCauley
Hi Roland,

thanks for reporting this and the patch.
It has now been fixed in the latest patch set.

Cheers.

On Tuesday 31 May 2011 01:19:33 am Roland Rosenfeld wrote:
> Hi!
>
> The attached small patch changes the type of the vendor attributes
> Unisphere-Ipv6-Primary-DNS and Unisphere-Ipv6-Secondary-DNS from
> "string" to "ipaddrv6".
>
> This results in readable output in the logs instead of binary junk :-)
>
> Maybe this is useful for someone else...
>
> Greetings
> Roland





[RADIATOR] OCRA tokens

2011-05-17 Thread Mike McCauley
Hi,

is anyone using or planning to use OCRA tokens as described in 
draft-mraihi-mutual-oath-hotp-variants-14.txt

Would you care to work with us to test a new Radiator OCRA authenticator?

If so, please contact me directly.

Cheers.



Re: [RADIATOR] Fidelio authentication module: Some suggestions

2011-05-17 Thread Mike McCauley
Hi Ralf,

Thanks for the suggestion.
We have now updated the latest patch set with this:

Added new parameter MessageHook to AuthBy FIDELIO. MessageHook is called after 
a message from Fidelio has been unpacked into a hash and before the record is 
passed to handle_message(). It can be used to change or transform any fields 
in the record before it is passed to handle_message() and processed by 
AuthFIDELIO.

Cheers.

On Tuesday 17 May 2011 05:20:57 pm Ralf Ertzinger wrote:
> Mike,
>
> On 05/10/2011 12:37 AM, Mike McCauley wrote:
> > thanks for your note.
> > Responses inline below
>
> Thanks for your quick reply and the fixes for the problems I noticed.
> I will test those as soon as I'm on site with the customer again, this
> may take a week or two, though.
>
> >> - Data mangle hook
> >> This is more of a "nice to have". Provide a hook to mangle data
> >> received from the Fidelio system before it is entered into the internal
> >> Radiator database. Primary use case (for me) would be to lower case the
> >> guest names.
> >
> > Not sure where you need this. A patch would be good.
>
> The customer would like to use the guest's last name as part of their
> authentication scheme. Since there is no telling how that information
> is saved in the fidelio database I'd like to be able to mangle that
> before adding it to the internal Radiator copy (for example, convert
> the name to lower case).





Re: [RADIATOR] New eToken PASS import files have longer secret keys (64 chars vs. 48 chars)

2011-05-13 Thread Mike McCauley
Hi,

Can you please send an example of a key, counter and resulting correct OTP, so 
we can investigate?

Cheers.

On Saturday 14 May 2011 05:35:32 am Linuxchuck wrote:
> Hello again,
>
> I've been successfully using eToken PASS tokens since we moved to Radiator
> without issue.  We've recently purchased an additional set of 100 tokens
> because we were running low, and the DigiPass Go-7 tokens we recently
> received turn out to be unable to support changing PINs. During the process
> of importing the new eToken PASS secret keys, I found that the token key
> import files shipped with the tokens have changed now since SafeNet has
> taken over ownership of Aladdin.
>
> The new files are called "AlpineXml.xml" and "importAlpine.dat".  The first
> is an XML file formatted exactly like the old XML files I'm familiar with
> from the original Aladdin days.  The second file is an ldif-formatted file
> with basically the same information in it.  I built an XML parsing PHP
> script to perform bulk-imports for the older Aladdin import files, and it
> works fine with the new XML files as well.
>
> I've noticed a particularly important change, however.  The token secrets
> are now 64 characters long, and will not properly import into the standard
> secret column in the hotpkeys MySQL table which is a varchar(60) based on
> the sql table built in hotp.cfg.  (FYI, the original keys in my first
> couple-hundred tokens were all 48 characters long.)  In addition, the
> "version" string in the older XML files is "6.0", and in the newer version,
> is "6.20".
>
> I figured it would be a simple task to extend the storage of that column to
> compensate for the longer keys, and applied an alter table command to do
> just that.  I then updated the keys for each token, ran a few queries to
> ensure they matched exactly with the keys provided in the XML file, and
> reloaded my Radiator servers.  So far, so good...
>
> However, even though the new and longer secret keys now fit in the column,
> I can not get any of these newly imported tokens to authenticate properly. 
> All of my older eToken PASS tokens with the shorter keys still work without
> issue.  It's these new tokens with the longer keys that refuse to
> authenticate.
>
> Does anyone have an idea what could be going wrong here?  I am not a Perl
> coder by any stretch of the imagination, and my rudimentary scan of the
> HOTP-related modules in Radiator did not give me any clues where things
> could be going wrong.
>
> Thanks in advance...



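Mike's request for a key, counter and the OTP the token actually shows is the right diagnostic, and the computation behind it is small enough to run offline. The following is an added example, not Radiator's HOTP code: RFC 4226 HOTP with a key of any length, a hex seed decoder that rejects malformed input, and a look-ahead verifier that returns the counter it matched. It is checked against the RFC 4226 Appendix D vectors. Whether the eToken PASS import files carry the seed as hex is an assumption here, as is the 32-byte LONG_SEED_HEX, which is constructed and not a real token seed.

```python
import hashlib
import hmac
import struct

def hotp(key, counter, digits=6, digest=hashlib.sha1):
    """HOTP per RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation.
    The key may be any length; HMAC-SHA-1 accepts 20-, 24- or 32-byte seeds alike."""
    mac = hmac.new(key, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return "%0*d" % (digits, code % 10 ** digits)

def key_from_hex(hex_secret):
    """Decode a hex-encoded seed as an import file carries it (assumption: hex encoding).
    Rejects anything that is not a non-empty, even-length run of hex digits."""
    s = hex_secret.strip()
    if not s or len(s) % 2 or any(c not in "0123456789abcdefABCDEF" for c in s):
        raise ValueError("seed is not valid hex: %d characters" % len(s))
    return bytes.fromhex(s)

def verify(key, otp, last_counter, window=10):
    """Accept otp if it matches one of the `window` counters after the last accepted one.
    Returns the matching counter so the server can store it, or None. A counter at or
    below last_counter is never accepted, which is what stops replay."""
    if not otp.isdigit():
        return None
    for counter in range(last_counter + 1, last_counter + 1 + window):
        if hmac.compare_digest(hotp(key, counter, len(otp)), otp):
            return counter
    return None

# RFC 4226 Appendix D test vector: the 20-byte ASCII seed "12345678901234567890".
RFC4226_SEED_HEX = b"12345678901234567890".hex()
RFC4226_OTPS = ["755224", "287082", "359152", "969429", "338314",
                "254676", "287922", "162583", "399871", "520489"]

# Constructed 64-hex-character (32-byte) seed, the length reported for the newer
# import files; not a real token seed.
LONG_SEED_HEX = "00112233445566778899aabbccddeeff0123456789abcdef0fedcba987654321"

if __name__ == "__main__":
    print("RFC 4226 counters 0-2:", [hotp(key_from_hex(RFC4226_SEED_HEX), c) for c in range(3)])
    key = key_from_hex(LONG_SEED_HEX)
    print("counter 5 on the 32-byte seed:  ", hotp(key, 5))
    # A varchar(60) column silently keeps the first 60 hex digits, i.e. a 30-byte key.
    print("counter 5 on the truncated seed:", hotp(key_from_hex(LONG_SEED_HEX[:60]), 5))
```

Two things follow from running it. First, a 32-byte seed is not a problem for HOTP itself, so if the long-seed tokens fail the fault lies in how the seed reaches the HMAC (encoding, truncation, whitespace), not in the key length. Second, a seed truncated to 60 hex digits is still valid hex and decodes without error to a 30-byte key that produces plausible but wrong codes, which is exactly the silent failure a varchar(60) column invites; comparing the token's displayed OTP with hotp() over the stored seed and a small counter window is the fastest way to tell the two apart.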


Re: [RADIATOR] Fidelio authentication module: Some suggestions

2011-05-09 Thread Mike McCauley
Hi Ralf,

thanks for your note.
Responses inline below

On Monday 09 May 2011 05:24:08 pm Ralf Ertzinger wrote:
> Hi all.
>
> As mentioned some time ago we have a customer interested in using
> Radiator to authenticate against an existing Micros Fidelio infrastructure.
>
> Last week I was finally able to do an on site visit to test the basic
> functionality of the system.
>
> Good news first: the Fidelio connector worked as expected, it was able
> to connect to the Fidelio system without too much trouble and get the
> guest data, and I was able to successfully authenticate against the
> Radius server using that data.
>
> All tests were done using a TCP connection to the Fidelio server.
>
> However, there are some minor problems I would love to get out of the way.
>
> - Reload failure
>    When Radiator is reloaded using SIGHUP it throws away its internal copy
>    of the Fidelio database. However, it does not cleanly shut down the TCP
>    connection, and it also does not send a LE (link end) message to the
>    Fidelio system.
>When Radiator then reconnects to the Fidelio server the latter does
>not consider the connection as "new", and assumes that the Radius
>server already has a copy of the database. So the Radius server does
>not receive a new copy of the database and ends up with no data at
>all.
>
>Suggested fix (as recommended by the Micros engineer on site with
>me): either send a LE (link end) record on connection shutdown,
>    or completely close the TCP connection. Preferably both.


H.
Tests here show that when a SIGHUP is received AuthFIDELIO reconnects and 
sends a link start and gets the latest database just fine. 

Nevertheless we have now made a change so that LE is sent and the TCP 
connection is closed during a SIGHUP, as suggested.

It would be good if you could test this change at your location.


>
>Workaround: do a complete restart of the Radius server
>
>
> - Keepalive
>When the network connection between the Radius server and the Fidelio
>server fails for some reason the Fidelio server aggressively times out
>and closes the TCP connection when it cannot send database updates.
>The Radius server may not notice this in a timely manner and thus may
>not receive database update messages.
>
>Suggested fix (as recommended by the Micros engineer on site with
>me): have the Radius server send LS (link start) messages in regular
>intervals and wait for the Fidelio system to answer with LA (link
> alive).

OK.
We disagree with the engineer. We think Radiator should send LA to check for 
connectivity, not LS.

We have now made a change to send LA every 60 seconds (configurable).

It would be good if you could test this change at your location.


>
>Workaround: this can be somewhat worked around by sending accounting
>messages to the Fidelio system (in this particular setup accounting to
>the Fidelio system is not part of the planned setup). Failure to send
>an accounting message will cause a restart of the connection.
>
>
> - Data mangle hook
>This is more of a "nice to have". Provide a hook to mangle data received
>from the Fidelio system before it is entered into the internal Radiator
>database. Primary use case (for me) would be to lower case the guest
>names.

Not sure where you need this. A patch would be good.

>
>
> I think I can provide a patch for the last point, but I have not found
> an easy hook into the system reload functionality (from a module point
> of view) or a way to regularly call a function from a module. If someone
> could point me in the right direction I'd be quite grateful.

Use &Radius::Select::add_timeout; see the latest patch set for an example in AuthFIDELIO.pm.

Cheers.


-- 
Mike McCauley   mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] linux-radiator.init suggestion

2011-04-29 Thread Mike McCauley
Hi Michael,

thanks for your suggestions.
They have now been added to the latest patch set.

Cheers.

On Saturday 30 April 2011 01:23:12 am Michael wrote:
> suggest using these processes for Debian in the linux-radiator.init control
> script.  currently, i don't see anything.
>
> RELOADPROC="/sbin/start-stop-daemon --stop --signal HUP --pidfile
> ${RADIUSD_PIDFILE}" TRACEUPPROC="/sbin/start-stop-daemon --stop --signal
> USR1 --pidfile ${RADIUSD_PIDFILE}" TRACEDOWNPROC="/sbin/start-stop-daemon
> --stop --signal USR2 --pidfile ${RADIUSD_PIDFILE}"
>
> The "start-stop-daemon" requires a --start or --stop, but when the --signal
> is specified for the --stop process, it does not send a TERM, so process is
> not stopped.
>
>
> For the status option, i guess something is better than nothing?
> CHECKPROC="ps -fp `cat ${RADIUSD_PIDFILE}`"
>
>
> Michael





Re: [RADIATOR] Radiator Version 4.8 released

2011-04-28 Thread Mike McCauley
Hi Michael,

thanks for reporting this.
The patch set is now available, although there are currently no patches in it.

Cheers.

On Friday 29 April 2011 07:16:24 am Michael wrote:
> Can't seem to download the patches.  after accepting the license agreement,
> it just keeps returning to the license agreement.
>
> On Thu, 28 Apr 2011, Mike McCauley wrote:
> > We are pleased to announce the release of Radiator version 4.8
> >
> > This version contains some new features and minor bug fixes.
> >
> > As usual, the new version is available to current licensees from:
> > http://www.open.com.au/radiator/downloads/
> >
> > and to current evaluators from:
> > http://www.open.com.au/radiator/demo-downloads
> >
> > Licensees with expired access contracts can renew at:
> > http://www.open.com.au/renewal.php
> >
> > An extract from the history file
> > http://www.open.com.au/radiator/history.html is below:
> >
> > -
> > Revision 4.8 (2011-04-28) New features and some bug fixes.
> >
> > Fixed a problem in AuthBy EAPBALANCE where no reply from a
> > proxied request from the middle of an EAP stream would result in
> > unlimited retransmissions of the request. Reported by Keith Ma.
> >
> > Testing on OpenWRT. OK, with caveats as discussed in the updated FAQ.
> >
> > Added Meru-AP-Id and Meru-AP-Name to dictionary. Provided by Neil
> > Johnson.
> >
> > RPM packages were built by default on OpenSuSE with LZMA
> > compression, which is not available for all platforms. This new
> > Radiator.spec disables LZMA and uses BZ2 instead. In future all
> > RPMS will be built with BZ2 compression. New versions of
> > Radiator-4.7-2.noarch.rpm and Radiator-Locked-4.7-2.noarch.rpm
> > with BZ2 uploaded.
> >
> > Fixed a problem with AuthBy SQLTOTP and AuthBy SQLHOTP where
> > MaxBadLogins, BadLoginWindow, DelayWindow, TimeStep and
> > TimeStepOrigin parameters were not correctly read, resulting in
> > errors like "Unknown keyword 'MaxBadLogins'". Reported by Matthew
> > Reeves-Hairs.
> >
> > GetClientQuery was incorrectly using field 25 instead of 27 for
> > flags. Documentation for GetClientQuery incorrectly described
> > field 25 as being flags instead of ClientHook.
> >
> > Added SQLRetries parameter to all SQL type clauses. When
> > executing a query, Radiator will try up to SQLRetries attempts to
> > execute the query, retrying if certain types of SQL error are
> > seen. Defaults to 2. Requested by Michael.
> >
> > Fixed some problems with Radius paths in the RPM on some
> > platforms. Rebuilt and uploaded new RPMs.
> >
> > Improved Client CIDR address searches so a more specific cidr
> > would have priority over a less specific cidr. Contributed by
> > Nicholas Waples.
> >
> > Improved ClientListLDAP, added oscRadiusIdentifier &
> > oscRadiusDefaultRealm into the default list of
> > ClientAttrDefs. These were the only attributes missing from the
> > oscRadiusClient ldap schema provided (in goodies). Contributed by
> > Nicholas Waples.
> >
> > In Server TACACSPLUS, the call AuthenticationStartHook now
> > includes the priv_lvl and service values from the TACACSPLUS
> > request passed as arguments to the hook.
> >
> > In Server TACACSPLUS, during authentication, we now add
> > cisco-avpair attributes to the RADIUS request for action,
> > authen_type, priv-lvl and service from the incoming TACACSPLUS
> > request.
> >
> > Improvements to AuthBy URL. Improved HTTP and HTML standards
> > compliance by using the LWP::UserAgent methods post() and
> > get(). Can now handle CHAP, MSCHAP and MSCHAPV2 authentication,
> > as well as the previously supported PAP. *CHAP challenges and
> > responses are encoded as HEX and sent as configurable web
> > parameters. Updated the sample config file goodies/url.cfg, and
> > improved documentation. Fixed inconsistent password in sample
> > test_url_md5.cgi. Cleaned up some of the code to be compliant
> > with in-house standards.
> >
> > Added support for BindAddress in all Ldap derived clauses,
> > allowing you to specify a local address for the client side of
> > the LDAP connection with BindAddress, in the form
> > hostname[:port]. Defaults to 0.0.0.0. Updated sample config
> > file. Suggested by Roel Hoek.
> >
> > Updated AuthBy NTLM so that if an authentication fails, the
> > Warning log message records the user name along with the
> > Authentication-Error. Suggested by David Zych.
> >
> > F

[RADIATOR] Radiator Version 4.8 released

2011-04-27 Thread Mike McCauley
US now honours reply attributes correctly for
ASCII type Tacacs+ authentications. Patch from Heikki Vatiainen.

Testing with XAMPP on
Windows. XAMPP (http://www.apachefriends.org/en/xampp-windows.html)
is an excellent, easy to install bundle of useful tools such as
Apache, MySQL, Perl etc for Windows. It is also a good base for
installing Radiator on Windows, especially if you wish to use
Radiator with RAdmin or a MySQL database. Updated installation
documentation to include XAMPP on Windows.

Added support for Novell eDirectory NMAS (Novell Modular
Authentication System) to AuthBy LDAP2. NMAS allows Novell
eDirectory to support and authenticate passwords using the Vasco
Digipass NMAS method, and other third party token and non-token
systems. Vasco Response-Only (RO) tokens are only supported since
NMAS does not currently support challenge-response via
RADIUS. Sample configuration file included.

Ldap classes now support the "ipv6:" prefix for Ldap server Host
names. If Host begins with "ipv6:" the subsequent host name(s)
will be interpreted as IPV6 addresses where possible, and
Net::LDAP will use INET6 to connect to the LDAP server.

In AddressAllocator SQL, the default AllocateQuery was changed to
check the STATE during the allocation to catch certain race
conditions.

With all Ldap clauses, removed the default BindAddress of
0.0.0.0. This was unnecessary and interferes in a non-obvious way
with attempts to use ipv6: in the Host. Reported by Dyonisius
Visser.

Added attributes from RFC 5904 to dictionary. SNMP Agent now supports:
  RFC4669 - RADIUS Authentication Server MIB for IPv6
  RFC4671 - RADIUS Accounting Server MIB for IPv6
The RFCs are included in the distribution.

Improvements to EAP handling to support multiple desired EAP
types in EAP NAK response, per RFC 3748.

Fixed incorrect error message that referred to
ServerHTTP. Reported by Karl Gaissmaier.

Added support for PacketTrace to Server TACACSPLUS, Server
DIAMETER, Server RADSEC. Requested by Karl Gaissmaier.

Fixed a problem where attributes of type ipv6prefix (such as
Framed-IPv6-Prefix) would not be decoded correctly if they had
fewer than 16 octets. Reported by Lee, Larry KT.

Client addresses in the form MAC:nn-nn-nn-nn-nn-nn now work even
if the Called-Station-Id has the SSID of the AP appended as
described in http://tools.ietf.org/html/rfc3580#section-3.20

Added example perl script rpt.pl which logs packets which match a
regexp. Contributed by Bart Dumon.

Fixed a problem when using AuthBy RADIUS with Synchronous and
Fork that if the secrets don't match (resulting in "Bad
authenticator received in reply to ID 1. Reply is ignored"), this
creates forked processes that never terminate and have to be
manually force-killed. Reported by David Zych.

Fixed a number of innocuous warnings when radiusd is run with
perl -w.

Added usage documentation for author_args in tacacsplustest.

In AuthSQL, GroupMembershipQuery is now not passed any bind
variables. If you wish to use bind variables with
GroupMembershipQuery, use the new GroupMembershipQueryParam.

Fixed a problem with Server HTTP where some versions of Firefox
would hang when trying to access localhost:9048. Also fixed some
innocuous warnings when run with the -w flag.

Fixed a problem with AuthLog SYSLOG and Log SYSLOG where in some
cases with some versions of Sys::Syslog, the loghost was not set
correctly. Reported by Klara Mall.

radiusd now unlinks PidFile during an orderly shutdown. Suggested
by Klara Mall to prevent startup scripts being confused by stale
PID files.

Improvements to AddressAllocator SQL: If CheckPoolQuery is set to
an empty string, no pool checking will be done at startup. If
AddAddressQuery is set to an empty string, addresses will not be
automatically added to the pool.

Testing against RadiusGINA, a Windows RADIUS login authenticator
from LSE http://lsexperts.de/. Works well, and easy to install.

Fixed a problem in TLS Stream based protocols (such as AuthBy
RADSEC, AuthBy DNSROAM, etc.), where ConnectOnDemand would not work
correctly in the case where a TLS connection was being
established and failed. Reported by Stefan Winter.

Added goodies/radiusgina.txt, a brief introduction to RadiusGINA,
a Windows RADIUS login authenticator from LSE http://lsexperts.de



Re: [RADIATOR] DigiPass Static PIN Reset for Go-7?

2011-04-27 Thread Mike McCauley
Hi,

On Wednesday 27 April 2011 11:25:55 pm Linuxchuck wrote:
> On 04/05/2011 03:44 PM, Heikki Vatiainen wrote:
> > On 04/04/2011 07:44 PM, Linuxchuck wrote:
> >> Time for a DigiPass token question.  I have a box of 125 brand-new
> >> DigiPass Go-7 tokens that I have imported into our production
> >> Radiator server, and they work just fine.  My question is:  Is the
> >> static password change procedure as outlined in the documentation
> >> applicable to Go-7 tokens?  The doc states "Go-1 and Go-3 tokens
> >> (among others) also support the ability to change your PIN.".  Would
> >> the Go-7 be one of those that are "among others"?
> >
> > We do not have any Go-7 cards here, but we expect consistent behaviour
> > with other tokens. However, support of PINs is dependent on that option
> > being enabled in the card's import record (ie by Vasco), and the PIN
> > options that might be configured there.
> >
> > You should check the import records for these tokens.
> >
> >> If so, I seem to have run into a snag trying the process.  The trace
> >> 4 log shows an error of "DEBUG: Radius::AuthSQLDIGIPASS REJECT:
> >> Digipass Authentication failed: Response Too Long" when I attempt a
> >> PIN reset based on the documentation.
> >
> > Please let us and the list know if you get PIN change to work.
> >
> > Thanks!
>
> No success on PIN changes with this series of token.  I have 2 different
> EXPORT.DPX files I can choose from:  One without PINs, and one with
> pre-defined PINs.  Regardless of which of the two files I import into our
> system, I get the same result as listed above when attempting to use the
> PIN change procedure.  It's a shame, we have 125 of these tokens, and I'd
> love to be able to use them, but our policies require that the PINs must be
> reset when the tokens are re-issued.  I suppose I can mark the tokens for
> single-issue only, and ensure they aren't re-issued after.
>
>
> If there is a way to decode the options in the DPX files to determine which
> entry defines the ability to change PINs, I'll check my files to see if it
> exists.

I don't know if you can do it by inspection of the DPX file, but if you use the 
digipass.pl program (part of our Authen-Digipass) to import and then 'info' the 
token, it will tell you whether PIN is enabled or not.

Cheers.

>
> Fortunately, we primarily use eToken NG-OTP 64k, eToken PASS, and a couple
> of software-based OTP tokens on mobile phones.  Those are all plenty
> flexible for our needs.  That reminds me of another question, but I'll
> start another post for it.
>
> Thanks!





Re: [RADIATOR] logfile permissions

2011-04-10 Thread Mike McCauley
Hi Klara,

thanks for raising this issue.
It has now been fixed in the latest patch set.

Cheers.

On Monday 11 April 2011 09:14:05 am Klara Mall wrote:
> Hi,
>
> I noticed that there's a problem when you start radiator for the
> first time (i.e. with nonexistent logfile) and User is set to some
> non-root user. The logfile is created when radiator is still running
> as root (at least when debug log is enabled), so it's not writable
> anymore for the radiator process after the effective user id has
> been changed.
>
> What I did to fix it:
>
> --- a/Radius/ServerConfig.pm
> +++ b/Radius/ServerConfig.pm
> @@ -530,9 +530,24 @@
> # Only change if it not the same already
> if ($> != $uid)
> {
> -   $> = $uid;
> -   $self->log($main::LOG_ERR, "Could not set User to
> $self->{User} (got $>): $!") -   unless $> == $uid;
> +   # Try to change log file owner first if log file exists
> +   my $logfile =
> &Radius::Util::format_special($self->{LogFile}); +   if (-e
> $logfile) {
> +   my $cnt = chown $uid, -1, $logfile;
> +   if ($cnt == 1) {
> +   $> = $uid;
> +   $self->log($main::LOG_ERR, "Could not set User to
> $self->{User} (got $>): $!") +   unless $> == $uid;
> +   }
> +   else {
> +   $self->log($main::LOG_ERR, "Could not change log
> file $logfile owner to $self->{User}: $!"); +   }
> +   }
> +   else {
> +   $> = $uid;
> +   $self->log($main::LOG_ERR, "Could not set User to
> $self->{User} (got $>): $!") +   unless $> == $uid;
> +   }
> }
> }
> else
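Review bot: the new `else` branch taken when `chown` fails logs the failure but never assigns `$> = $uid`, so a log file that cannot be chowned leaves radiusd running as root for its whole lifetime, which is the more dangerous outcome; drop privileges unconditionally after the `chown` attempt and report the chown failure as a warning, which also collapses the three identical copies of `$> = $uid;` / `$self->log($main::LOG_ERR, "Could not set User to $self->{User} (got $>): $!") unless $> == $uid;` into one. It is also worth a comment that only `LogFile` is handled here; any other file opened while still root (AuthLog files, per-clause log files) keeps its root ownership.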
>
>
> Regards
> Klara





Re: [RADIATOR] stale pidfile

2011-04-10 Thread Mike McCauley
Hi Klara,

thanks for raising this issue.
It has now been fixed in the latest patch set.

Cheers.

On Monday 11 April 2011 09:14:57 am Klara Mall wrote:
> Hi,
>
> I think it would be good if radiator would remove its pidfile before
> shutting down. Init scripts could be misguided by a stale pidfile.
>
> This would fix it:
>
> --- a/radiusd
> +++ b/radiusd
> @@ -306,6 +306,11 @@
>  # Call the ShutdownHook, if there is one
>  $main::config->runHook('ShutdownHook');
>  &log($main::LOG_NOTICE, "SIGTERM received: stopping");
> +my $pidfile = &Radius::Util::format_special($main::config->{PidFile});
> +if ($pidfile ne '')
> +{
> + unlink $pidfile;
> +}
>  }
>
>  #
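Review bot: `unlink $pidfile;` discards its return value, so a pidfile that cannot be removed (for example because the directory is no longer writable once `User` has dropped privileges) goes unnoticed and the stale-pidfile problem this hunk is meant to fix silently persists; write it as `unlink $pidfile or &log($main::LOG_WARNING, "Could not unlink PidFile $pidfile: $!");`. Consider also comparing the file's contents with `$$` before unlinking, so an instance that is shutting down does not remove the pidfile a freshly started instance has just written.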
>
>
> Regards
> Klara





Re: [RADIATOR] AuthLogSYSLOG.pm

2011-04-07 Thread Mike McCauley
Hi Klara,

thanks for reporting this.
It has been patched in the latest patch set.

Cheers.

On Friday 08 April 2011 07:25:10 am Klara Mall wrote:
> Hi,
>
> radiator 4.7 is running on Debian GNU/Linux lenny i386 (Perl v5.10.0)
> here. No problems with AuthLog SYSLOG.
>
> Just tested my configuration with radiator 4.7 on Debian GNU/Linux
> squeeze amd64 (Perl v5.10.1) and ran into trouble with Authlog SYSLOG.
>
> Relevant configuration settings in <AuthLog SYSLOG> clause:
>Facility local7
>LogSock udp
>LogHost loghost
>LogIdent radauth
>
> Result: Nothing is logged on loghost and radiator log is telling:
> Thu Apr  7 22:30:28 2011: ERR: Error while doing AuthLog SYSLOG: no
> connection to syslog available
> - udp connect: nobody listening at
> /usr/share/perl5/Radius/AuthLogSYSLOG.pm line 138
>
> The following patch fixes it:
> --- AuthLogSYSLOG.pm.orig 2011-04-07 23:16:09.0 +0200
> +++ AuthLogSYSLOG.pm  2011-04-07 23:16:16.0 +0200
> @@ -130,9 +130,9 @@
>  my $logopt = &Radius::Util::format_special($self->{LogOpt}, $p);
>  eval {
>   # We reset these here in case there are multiple SYSLOGs
> - $Sys::Syslog::host = $self->{LogHost};
>   setlogsock($self->{LogSock})
>   if defined $self->{LogSock};
> + $Sys::Syslog::host = $self->{LogHost};
>   openlog($ident, $logopt, $self->{Facility});
>   syslog("$self->{Facility}|$self->{Priority}", $str);
>   closelog()
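Review bot: the fix is purely an ordering dependency (`$Sys::Syslog::host` must be assigned after `setlogsock()` for the UDP host to take effect), but nothing in the hunk records that; extend the comment `# We reset these here in case there are multiple SYSLOGs` to say the host must be set after `setlogsock`, otherwise the next tidy-up is likely to reintroduce the bug. `$Sys::Syslog::host` is also not a documented interface; where the installed Sys::Syslog supports the hashref form, `setlogsock({ type => $self->{LogSock}, host => $self->{LogHost} })` expresses the same thing through the public API and removes the ordering question.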
>
>
> Regards
> Klara





Re: [RADIATOR] Feature missing: PacketTrace in ServerRADSEC clause

2011-03-23 Thread Mike McCauley
Hi Karl,

thanks for the suggestion.
Support for PacketTrace has now been added to Server TACACSPLUS, Server 
DIAMETER, Server RADSEC.
It is now available in the latest patch set.

Cheers.

On Wednesday 23 March 2011 09:14:50 pm Karl Gaissmaier wrote:
> Hi RADIATOR team,
>
> I get an "ERR: Unknown keyword 'PacketTrace'" if I use this declaration
> in a <ServerRADSEC> clause. This is a pity, since I can't even decode the
> packets with wireshark because we UseTLS.
>
> PacketTrace is really needed especially within this clause.
> Please support it in one of the next releases.
>
> Best Regards
>   Charly





Re: [RADIATOR] Feature missing: PacketTrace in ServerRADSEC clause

2011-03-23 Thread Mike McCauley
Support team:

views on this request?

On Wednesday 23 March 2011 09:14:50 pm Karl Gaissmaier wrote:
> Hi RADIATOR team,
>
> I get an "ERR: Unknown keyword 'PacketTrace'" if I use this declaration
> in a <ServerRADSEC> clause. This is a pity, since I can't even decode the
> packets with wireshark because we UseTLS.
>
> PacketTrace is really needed especially within this clause.
> Please support it in one of the next releases.
>
> Best Regards
>   Charly





Re: [RADIATOR] Why does this attribute fail?

2011-03-23 Thread Mike McCauley
Hello,

Thanks for reporting this.
It appears to be due to incorrect assembly of the transmitted packet sent by 
your NAS.

The ADSL-Forum VSA, which contains the DSLForum-* attributes, has a single 
extra octet with value 0x02 at the end, after the 
DSLForum-Access-Loop-Encapsulation attribute.

This is being seen by Radiator during unpacking as bad formatting, and the 
rest of the packet (which contains NAS-IP-Address) is not unpacked.

You should refer this to your NAS vendor.

Cheers.

On Wednesday 23 March 2011 07:49:53 pm Vangelis Kyriakakis wrote:
> Hello,
>
>  I have a Juniper Router sending the following packet (see the full
> log). I get a Warning error about Vendor 3561 Attribute 2 which is
> DSLForum-Agent-Remote-Id = "00:0f:bb:2c:bb:1b"
> Can you see any problem with the packet?
>
>   Regards
>Vangelis
>
> Tue Mar 22 17:04:19 2011: WARNING: Malformed request packet: Vendor 3561
> Attribute 2 with length : ignored
> Tue Mar 22 17:04:19 2011: DEBUG: Packet dump:
> *** Received from 194.219.231.127 port 50338 
>
> Packet length = 293
> 01 34 01 25 d9 21 b2 2f 4c cd b4 e2 73 59 2f 49
> 6e a9 aa b1 01 15 74 65 73 74 6c 6c 75 40 66 6f
> 72 74 68 6e 65 74 2e 67 72 02 12 9e 34 1d ed 51
> 8a 8d 41 d7 25 98 79 bf fb 62 28 59 03 00 2c 05
> 32 38 31 1a 16 00 00 13 0a 38 10 38 63 37 33 2e
> 36 65 61 63 2e 30 32 34 32 20 12 62 62 72 61 73
> 2d 6c 61 62 2d 6b 6c 6e 2d 30 31 05 06 10 4f 94
> 4e 57 18 67 65 2d 31 2f 32 2f 31 2e 31 30 30 3a
> 33 33 32 31 2d 31 31 30 32 3d 06 00 00 00 0f 1a
> 90 00 00 0d e9 01 1f 50 4f 50 2d 4b 4c 4e 2d 4d
> 32 2d 4d 31 20 61 64 73 6c 20 30 33 2f 31 30 3a
> 38 2e 33 35 02 13 30 30 3a 30 66 3a 62 62 3a 32
> 63 3a 62 62 3a 31 62 81 06 00 00 03 fc 82 06 00
> 00 5d bd 83 06 00 00 01 00 84 06 00 00 02 00 85
> 06 00 00 05 10 86 06 00 00 6e f0 87 06 00 00 04
> 00 88 06 00 00 5d c0 89 06 00 00 00 00 8a 06 00
> 00 00 00 8b 06 00 00 00 10 8c 06 00 00 00 01 8d
> 06 00 00 00 14 8e 06 00 00 00 05 90 03 00 02 04
> 06 c2 db e7 7f
> Code:   Access-Request
> Identifier: 52
> Authentic: <217>!<178>/L<205><180><226>sY/In<169><170><177>
> Attributes:
>  User-Name = "test...@forthnet.gr"
>  User-Password = x
>  Chargeable-User-Identity = ""
>  Acct-Session-Id = "281"
>  Unisphere-Dhcp-Mac-Addr = "8c73.6eac.0242"
>  NAS-Identifier = "bbras-lab-kln-01"
>  NAS-Port = 273650766
>  NAS-Port-Id = "ge-1/2/1.100:3321-1102"
>  NAS-Port-Type = Ethernet
>  DSLForum-Agent-Circuit-Id = "POP-KLN-M2-M1 adsl 03/10:8.35"
>  DSLForum-Agent-Remote-Id = "00:0f:bb:2c:bb:1b"
>  DSLForum-Actual-Data-Rate-Upstream = 1020
>  DSLForum-Actual-Data-Rate-Downstream = 23997
>  DSLForum-Minimum-Data-Rate-Upstream = 256
>  DSLForum-Minimum-Data-Rate-Downstream = 512
>  DSLForum-Attainable-Data-Rate-Upstream = 1296
>  DSLForum-Attainable-Data-Rate-Downstream = 28400
>  DSLForum-Maximum-Data-Rate-Upstream = 1024
>  DSLForum-Maximum-Data-Rate-Downstream = 24000
>  DSLForum-Minimum-Data-Rate-Upstream-Low-Power = 0
>  DSLForum-Minimum-Data-Rate-Downstream-Low-Power = 0
>  DSLForum-Maximum-Interleaving-Delay-Upstream = 16
>  DSLForum-Actual-Interleaving-Delay-Upstream = 1
>  DSLForum-Maximum-Interleaving-Delay-Downstream = 20
>  DSLForum-Actual-Interleaving-Delay-Downstream = 5
>  DSLForum-Access-Loop-Encapsulation = ""
>



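The diagnosis above can be checked against the packet dump in the post itself. What follows is an added example, not code from the list or from Radiator: a minimal RFC 2865 attribute walker in Python that parses the quoted 293-byte Access-Request, descends into each Vendor-Specific attribute, and reports any bytes left over that cannot form a complete type/length/value triple, while still recovering the top-level attributes that follow the broken VSA (here NAS-IP-Address). The hex dump is copied from the post; the attribute numbers are the standard RADIUS ones and the vendor ids are the two that appear in the dump (3561 for the DSLForum-* attributes, 4874 for the Unisphere-* attribute).

```python
"""Walk the Access-Request quoted above and locate the malformed VSA.

Added example (not code from the list post or from Radiator): a small
RFC 2865 attribute walker that keeps going past a broken Vendor-Specific
attribute and reports exactly where the stray octet sits.
"""
import struct
from dataclasses import dataclass, field
from typing import List, Optional

VENDOR_SPECIFIC = 26
NAS_IP_ADDRESS = 4
ADSL_FORUM = 3561          # vendor id of the DSLForum-* sub-attributes
HEADER_LEN = 20            # code, identifier, length, 16-octet authenticator

# Copied from the packet dump in the post (293 bytes as received from the NAS).
PACKET_HEX = """
01 34 01 25 d9 21 b2 2f 4c cd b4 e2 73 59 2f 49
6e a9 aa b1 01 15 74 65 73 74 6c 6c 75 40 66 6f
72 74 68 6e 65 74 2e 67 72 02 12 9e 34 1d ed 51
8a 8d 41 d7 25 98 79 bf fb 62 28 59 03 00 2c 05
32 38 31 1a 16 00 00 13 0a 38 10 38 63 37 33 2e
36 65 61 63 2e 30 32 34 32 20 12 62 62 72 61 73
2d 6c 61 62 2d 6b 6c 6e 2d 30 31 05 06 10 4f 94
4e 57 18 67 65 2d 31 2f 32 2f 31 2e 31 30 30 3a
33 33 32 31 2d 31 31 30 32 3d 06 00 00 00 0f 1a
90 00 00 0d e9 01 1f 50 4f 50 2d 4b 4c 4e 2d 4d
32 2d 4d 31 20 61 64 73 6c 20 30 33 2f 31 30 3a
38 2e 33 35 02 13 30 30 3a 30 66 3a 62 62 3a 32
63 3a 62 62 3a 31 62 81 06 00 00 03 fc 82 06 00
00 5d bd 83 06 00 00 01 00 84 06 00 00 02 00 85
06 00 00 05 10 86 06 00 00 6e f0 87 06 00 00 04
00 88 06 00 00 5d c0 89 06 00 00 00 00 8a 06 00
00 00 00 8b 06 00 00 00 10 8c 06 00 00 00 01 8d
06 00 00 00 14 8e 06 00 00 00 05 90 03 00 02 04
06 c2 db e7 7f
"""
PACKET = bytes.fromhex(PACKET_HEX)


@dataclass
class Attr:
    type: int
    value: bytes
    vendor: Optional[int] = None   # set for sub-attributes carried in a VSA


@dataclass
class ParseResult:
    code: int
    identifier: int
    attrs: List[Attr] = field(default_factory=list)
    problems: List[str] = field(default_factory=list)

    def find(self, type_, vendor=None):
        return [a for a in self.attrs if a.type == type_ and a.vendor == vendor]


def walk_tlvs(buf):
    """Walk type/length/value triples; return (parsed pairs, leftover bytes).

    A well-formed buffer leaves no leftover. A lone type octet, or a length
    that overruns the buffer, stops the walk and is returned for reporting.
    """
    pairs, pos = [], 0
    while pos < len(buf):
        rest = buf[pos:]
        if len(rest) < 2:                 # type octet with no length octet
            return pairs, rest
        t, ln = rest[0], rest[1]
        if ln < 2 or ln > len(rest):      # length field overruns the buffer
            return pairs, rest
        pairs.append((t, bytes(rest[2:ln])))
        pos += ln
    return pairs, b""


def parse_packet(pkt):
    """Parse the RADIUS header and attributes, descending into VSAs."""
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    res = ParseResult(code, ident)
    if length != len(pkt):
        res.problems.append(f"length field {length} != {len(pkt)} bytes on the wire")
    top, leftover = walk_tlvs(pkt[HEADER_LEN:min(length, len(pkt))])
    if leftover:
        res.problems.append(f"top level: {len(leftover)} trailing byte(s) {leftover.hex()}")
    for t, v in top:
        if t != VENDOR_SPECIFIC or len(v) < 4:
            res.attrs.append(Attr(t, v))
            continue
        vendor = struct.unpack("!I", v[:4])[0]
        subs, sub_left = walk_tlvs(v[4:])
        res.attrs.extend(Attr(st, sv, vendor) for st, sv in subs)
        if sub_left:                      # the stray octet described in the reply
            last = subs[-1][0] if subs else None
            res.problems.append(
                f"vendor {vendor}: {len(sub_left)} trailing byte(s) {sub_left.hex()} "
                f"after sub-attribute {last}")
    return res


def nas_ip(res):
    """Dotted-quad NAS-IP-Address, or None if it was not recovered."""
    hits = res.find(NAS_IP_ADDRESS)
    return ".".join(str(b) for b in hits[0].value) if hits else None


if __name__ == "__main__":
    r = parse_packet(PACKET)
    print(f"code={r.code} id={r.identifier} attributes={len(r.attrs)}")
    for p in r.problems:
        print("PROBLEM:", p)
    print("NAS-IP-Address:", nas_ip(r))
```

The walker stops inside vendor 3561 with one leftover octet, 0x02, immediately after sub-attribute 144 (DSLForum-Access-Loop-Encapsulation). Read as the start of a new sub-attribute it is a type octet of 2 with no length octet, which is exactly the "Vendor 3561 Attribute 2 with length : ignored" warning in the post. Because the VSA's own length field is consistent, the walk resumes at the top level and NAS-IP-Address (194.219.231.127) is still decoded; a parser that aborts the whole packet on the first bad sub-attribute loses it.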


Re: [RADIATOR] wrong error message in Radius::StreamServer

2011-03-19 Thread Mike McCauley
Hi Karl,

thanks for reporting this.
It has now been fixed in the latest patch set.

Cheers.

On Friday 18 March 2011 11:22:18 pm Karl Gaissmaier wrote:
> Hello RADIATOR team,
>
> I stumbled upon a wrong error message. Radiator version 4.7, latest
> patches.
>
> Fri Mar 18 14:07:48 2011: ERR: ServerHTTP has UseSSL/UseTLS, but could not
> load required modules: Can't locate Digest/HMAC_MD5.pm in @INC (@INC
> contains: . /radiator/install/lib/site_perl/5.8.5/sun4-solaris
> /radiator/install/lib/site_perl/5.8.5 /radiator/install/lib/site_perl
> /radiator/perl-5.8.5/lib/5.8.5/sun4-solaris /radiator/perl-5.8.5/lib/5.8.5
> /radiator/perl-5.8.5/lib/site_perl/5.8.5/sun4-solaris
> /radiator/perl-5.8.5/lib/site_perl/5.8.5 /radiator/perl-5.8.5/lib/site_perl
> .) at /radiator/install/lib/site_perl/5.8.5/Radius/TLS.pm line 142.
>
> But there is no ServerHTTP configured, instead there is a ServerRADSEC 
> configured.
>
> Looks like an error in Radius::StreamServer.
>
> Maybe, first there was only ServerHTTP and later on
> more modules using StreamServer. Please adjust the error message.
>
> Best Regards and thanks a lot for RADIATOR! Superb software, perfect
> service!
>
>   Charly





Re: [RADIATOR] EAP Method Negotiation

2011-03-09 Thread Mike McCauley
On Wednesday 09 March 2011 09:16:50 pm Aman Arneja wrote:
> is that the patch set 4.7?

Yes.

Cheers.

>
> On Wed, Mar 9, 2011 at 4:26 PM, Mike McCauley  wrote:
> > Hello Aman,
> >
> > thanks for raising this.
> > This issue has been fixed in the latest patch set.
> >
> > Cheers.
> >
> > On Wednesday 09 March 2011 07:38:58 pm Aman Arneja wrote:
> > > Hi Guys
> > >
> > > I am trying to test the radiator server we just purchased
> > > and notice that if my client NAK’s the server proposed method and
> >
> > proposes
> >
> > > a list of methods, RADIATOR just looks at the first method in the list
> >
> > and
> >
> > > sends
> > > EAP Failure if it is not configured for it. From the RFC my
> > > understanding is that it should read the list and choose a method from
> > > the list that it supports.
> > > Any help here is appreciated
> > >
> > > Thanx
> > >
> > > Aman Arneja
> >




Re: [RADIATOR] EAP Method Negotiation

2011-03-09 Thread Mike McCauley
Hello Aman,

thanks for raising this.
This issue has been fixed in the latest patch set.

Cheers.

On Wednesday 09 March 2011 07:38:58 pm Aman Arneja wrote:
> Hi Guys
>
> I am trying to test the radiator server we just purchased
> and notice that if my client NAK’s the server proposed method and proposes
> a list of methods, RADIATOR just looks at the first method in the list and
> sends
> EAP Failure if it is not configured for it. From the RFC my understanding
> is that it should read the list and choose a method from the list that it
> supports.
> Any help here is appreciated
>
> Thanx
>
> Aman Arneja



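The server-side behaviour Aman describes, as an added example in Python (not Radiator's own EAP code): parse an EAP-Response/Nak, walk the peer's whole list of desired Types instead of only the first one, and answer with a Request for the first Type the server is configured for, or EAP-Failure only when there is no overlap. The constructed sample Nak and the configured method set are the example's own assumptions.

```python
import struct

# EAP codes and method Types (RFC 3748; TLS-based Types from RFC 5216/5281)
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_NAK = 3
EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP = 13, 21, 25
TLS_FAMILY = {EAP_TYPE_TLS, EAP_TYPE_TTLS, EAP_TYPE_PEAP}
TLS_START_FLAGS = b"\x20"  # S bit: first Request of a TLS-based method


def parse_eap(packet):
    """Split an EAP packet into (code, identifier, type, type_data).

    Octets beyond the Length field are ignored, as RFC 3748 requires."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length < 4 or length > len(packet):
        raise ValueError("EAP Length field inconsistent with packet")
    if code in (EAP_SUCCESS, EAP_FAILURE):
        return code, ident, None, b""
    if length < 5:
        raise ValueError("EAP Request/Response is missing the Type octet")
    return code, ident, packet[4], packet[5:length]


def desired_types_from_nak(type_data):
    """Legacy Nak Type-Data: one octet per desired Type, or a single 0
    meaning 'no acceptable alternative'. Values 0-3 are not method Types."""
    if not type_data or type_data == b"\x00":
        return []
    return [t for t in type_data if t >= 4]


def choose_method_first_only(desired, configured):
    """The behaviour reported in the thread: only the first entry is considered."""
    return desired[0] if desired and desired[0] in configured else None


def choose_method(desired, configured):
    """Corrected selection: first Type in the peer's list that we support."""
    for t in desired:
        if t in configured:
            return t
    return None


def build_eap(code, ident, eap_type=None, data=b""):
    body = b"" if eap_type is None else bytes([eap_type]) + data
    return struct.pack("!BBH", code, ident, 4 + len(body)) + body


def respond_to_nak(nak_packet, configured_types):
    """Return (chosen_type, reply_packet) for an EAP-Response/Nak.

    The reply is a Request for the chosen Type (with a new identifier and,
    for TLS-based methods, the Start flag), or EAP-Failure echoing the
    Nak's identifier when nothing the peer wants is configured."""
    code, ident, etype, data = parse_eap(nak_packet)
    if code != EAP_RESPONSE or etype != EAP_TYPE_NAK:
        raise ValueError("packet is not an EAP-Response/Nak")
    chosen = choose_method(desired_types_from_nak(data), configured_types)
    if chosen is None:
        return None, build_eap(EAP_FAILURE, ident)
    start = TLS_START_FLAGS if chosen in TLS_FAMILY else b""
    return chosen, build_eap(EAP_REQUEST, (ident + 1) & 0xFF, chosen, start)


# Constructed sample: peer NAKs proposing TLS, TTLS, PEAP (in that order);
# this server is configured for PEAP and TTLS only (assumption of the example).
SAMPLE_NAK = bytes.fromhex("02050008030d1519")
CONFIGURED = {EAP_TYPE_PEAP, EAP_TYPE_TTLS}

if __name__ == "__main__":
    print("first-only:", choose_method_first_only([13, 21, 25], CONFIGURED))
    chosen, reply = respond_to_nak(SAMPLE_NAK, CONFIGURED)
    print("corrected:", chosen, reply.hex())
```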

Re: [RADIATOR] AuthSQLTOTP question

2011-03-03 Thread Mike McCauley
Hi Matthew,

On Thursday 03 March 2011 03:52:57 am Matthew Reeves-Hairs wrote:
> Hi,
>   I have a question regarding the AuthSQLTOTP.pm module.
>
>   Since the TOTP token time is time based, would it be possible to adapt it
> to work with challenge response type authentication, MSCHAP for example?

Yes, I think that would be possible, with a small performance cost.

Cheers.

>
> Regards
>
> Matthew
> Matthew Reeves-Hairs MBCS
> (CCNA, CCNP, CCDA)
> Director
>
> Willow ICT Limited
> 13 Willow Close
> Great Hormead
> Hertfordshire, SG9 0NW
> Mobile: +44 (0)7912 202627
> Fax: +44 (0)7092 361501
> matthew.reeves-ha...@willowict.com
> http://www.willowict.com
>





Re: [RADIATOR] Colubris-AVPair

2011-02-28 Thread Mike McCauley
Hi All,

thank you to Klara. We have now added these to the dictionary in the latest 
patch set.

Cheers.

On Tuesday 01 March 2011 07:07:23 am Klara Mall wrote:
> Hi,
>
> On 02/28/2011 09:42 PM, Heikki Vatiainen wrote:
> > On 02/28/2011 06:31 AM, Jeffrey Lee wrote:
> >> Mon Feb 28 15:27:01 2011: ERR: Attribute number 254 (vendor 8744) is not
> >> defined in your dictionary
> >> Mon Feb 28 15:27:01 2011: ERR: Attribute number 251 (vendor 8744) is not
> >> defined in your dictionary
> >> Mon Feb 28 15:27:01 2011: ERR: Attribute number 253 (vendor 8744) is not
> >> defined in your dictionary
> >> Mon Feb 28 15:27:01 2011: ERR: Attribute number 252 (vendor 8744) is not
> >> defined in your dictionary
> >>
> >>
> >> i've checked the dictionary file (which is read by radiusd when it
> >> started). the vendor (colubris) and vendor attribute (colubris-avpair)
> >> seems to be defined.
> >
> > Yes, Colubris attribute number 0 is defined, but attributes 251 - 254
> > are not defined since their names and types are not known.
> >
> > Would you have documentation for those attributes so they could be added
> > to the dictionary?
>
> Since we also use an HP ProCurve WLAN Controller (Colubris Networks was
> acquired by HP in 2008) I also found these undocumented attributes in the
> radiator logfile. I asked HP for an explanation and finally it became
> clear that these attributes are not defined and this is a bug which
> exists since many years. They said it will be fixed in one of the next
> releases, at least for our product.
>
> My workaround until then: add the following to the dictionary such that
> the logfile is not inundated with concerning ERR messages:
> VENDORATTR  8744  Colubris-Attr-246 246 string
> VENDORATTR  8744  Colubris-Attr-247 247 string
> VENDORATTR  8744  Colubris-Attr-248 248 string
> VENDORATTR  8744  Colubris-Attr-249 249 string
> VENDORATTR  8744  Colubris-Attr-250 250 string
> VENDORATTR  8744  Colubris-Attr-251 251 string
> VENDORATTR  8744  Colubris-Attr-252 252 string
> VENDORATTR  8744  Colubris-Attr-253 253 string
> VENDORATTR  8744      Colubris-Attr-254 254 string
>
> Regards
> Klara
>





Re: [RADIATOR] Status of the Micros Fidelio Connector

2011-02-21 Thread Mike McCauley
Hi Ralf,

On Tuesday 22 February 2011 02:37:05 am Ralf Ertzinger wrote:
> Hi.
>
> We're looking to deploy a WLAN infrastructure for a client using Micros'
> Opera software suite. I noticed that there has been a connector for that in
> Radiator for some years, but Micros seems to consider it still uncertified.
>
> Can someone enlighten me as to the status of the connector? Success stories
> welcome as well.

The Radiator - Opera interface is complete and has been deployed at a number 
of sites.

MF require successful completion reports from a certain number of sites before 
they will certify the interface. Although there have been a number of successful 
deployments, not all of them have been reported to MF and therefore MF have 
not yet certified it.

We will be happy to work with anyone planning to deploy the Opera interface if 
we can use that site as support for certification.

Cheers.



>
> Thanks.





[RADIATOR] Added support for Novell eDirectory NMAS and Vasco Digipass NMAS method

2011-02-05 Thread Mike McCauley
Hello,

we are pleased to announce that Radiator now supports Novell eDirectory NMAS 
and the Vasco Digipass NMAS method.

Novell eDirectory is a widely used user and identity management system based 
on LDAP (www.novell.com)

NMAS (Novell Modular Authentication System) is a component of eDirectory that 
permits eDirectory to authenticate passwords in a modular way. It allows 
third parties to add password authentication mechanisms (called Methods) to 
eDirectory.

Vasco (www.vasco.com) have released such an NMAS Method for their Digipass 2 
factor tokens. This allows administrators to use eDirectory to import, 
manage, assign and authenticate Vasco Digipass tokens for their users.

Radiator now supports NMAS authentication of Vasco Digipass tokens (and other 
NMAS Methods). During NMAS authentication, PAP passwords are passed to 
eDirectory and the selected NMAS Login sequence method. The NMAS methods 
authenticate the password and tell Radiator whether to accept or reject the 
password.

Radiator will continue to support authenticating Vasco Digipass tokens in your 
own SQL database, and in RAdmin and it will also continue to support Novell 
Universal Passwords, as valid optional configurations.

Support for NMAS is now in the latest Radiator patch set along with sample 
configuration files etc.




Re: [RADIATOR] Radsec and IPv6 keeps troubling me

2011-01-24 Thread Mike McCauley
Hello Patrick,

thanks for reporting this.
This would occur if the remote host name was specified in the form 
ipv6:hostname and the certificate name was for 'hostname'.

It should now be fixed in the latest patch set.
We apologise for any inconvenience.

Cheers.

On Monday 24 January 2011 10:36:52 pm Patrick Renkens wrote:
> Hi all,
>
> Radsec in combination with IPv6 keeps troubling me.
> This weekend I upgraded Radiator from version 4.4 to 4.7 and since then
> the Radsec-connections won't work over IPv6. I had to switch back to
> IPv4 to get it running again.
> Both systems, Radsec server and client and server run Radiator 4.7 on
> RHEL. RHEL 5.4 on clients side and RHEL 5.5 on server side. I only
> upgraded the client side. The server that acts as Radsec-server was
> already running Radiator 4.7.
>
> Personally I think it is not OS related, I experienced the same problems
> on Solaris 5.9 and 5.10 before.
>
> Below you find the error-message and the relevant configuration parts.
>
> Any help is appreciated.
>
>
>
>
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn start, hostname ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: verifyFn hostname after canonicalise
> Sat Jan 22 16:35:41 2011: DEBUG: Verifying certificate with Subject
> '/DC=net/DC=geant/O=SURFnet BV/CN=host' presented by peer ipv6:'host'
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 2, value
> 'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:idp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:'host' against
> Sat Jan 22 16:35:41 2011: DEBUG: Checking subjectAltName type 6, value
> https://registry.edugain.org/resolver?urn=urn:geant:eduroam:component:sp:Europe:SURFnet:SURFnet-office against
> Sat Jan 22 16:35:41 2011: ERR: Verification of certificate presented by
> ipv6:'host' failed
> Sat Jan 22 16:35:41 2011: DEBUG: StreamTLS SSL_connect result: -1, 1, 4401
> Sat Jan 22 16:35:41 2011: ERR: StreamTLS client error: -1, 1, 4401,
> 9303: 1 - error:14090086:SSL
> routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
>
> Sat Jan 22 16:35:41 2011: DEBUG: Stream disconnected from ipv6:'host':2083
>
>
>
> #RADSEC client side:
> 
> # RewriteUsername s/^([^@]+).*/$1/
> 
> Host ipv6:'hostname'
> Port 2083
> Secret  
> UseTLS
> TLS_CertificateType PEM
> TLS_CAPath  %D/certs/cacert
> TLS_CertificateFile %D/certs/%h.pem
> TLS_PrivateKeyFile  %D/certs/%h.pem
> 
> 
>
> #RADSEC serverside:
> 
> Port 2083
> UseTLS
> TLS_CAFile  %D/cert/edugain/cacert/xx.pem
> TLS_CertificateFile %D/cert/edugain/yy.pem
> TLS_CertificateType PEM
> TLS_PrivateKeyFile  %D/cert/edugain/yy.pem
> TLS_RequireClientCert
> TLS_SessionResumption   0
> Secret  
>     Identifier  RADSEC
> 
>
>
>
> Kind regards,
> Patrick Renkens
>   Centre for Information Services (UCI)
>   Radboud University Nijmegen, Netherlands
>
>



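The check the log above is exercising, as an added example in Python (this is not Radiator's verifyFn): the ipv4:/ipv6: address-family prefix on the configured Host is stripped before the name is compared with the certificate, rather than leaving an empty name that matches nothing. It goes beyond the thread's case by also matching wildcard dNSName entries and IP-literal peers against iPAddress entries; the (type, value) list used to represent subjectAltName is an assumption of the example.

```python
import ipaddress
import re

# subjectAltName GeneralName tags, numbered as in the Radiator log above
SAN_DNSNAME = 2
SAN_URI = 6
SAN_IPADDRESS = 7


def canonicalise_peer_host(host):
    """Reduce a configured Host value to the bare name to check.

    The ipv4:/ipv6: prefix only selects the transport address family and
    must not take part in certificate name matching."""
    h = host.strip()
    m = re.match(r"^(?:ipv4|ipv6):(.*)$", h, re.IGNORECASE)
    if m:
        h = m.group(1)
    h = h.strip("'\"")  # tolerate a quoted value as the log prints it
    if h.startswith("[") and h.endswith("]"):  # bracketed IPv6 literal
        h = h[1:-1]
    h = h.rstrip(".").lower()
    if not h:
        raise ValueError("no host name left after canonicalising %r" % host)
    return h


def _dns_match(pattern, host):
    """RFC 6125 style: exact match, or one wildcard as the whole left-most label."""
    pattern = pattern.rstrip(".").lower()
    if pattern == host:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), host.split(".")
        return (len(plabels) == len(hlabels) and len(hlabels) >= 3
                and plabels[1:] == hlabels[1:])
    return False


def verify_peer_name(configured_host, sans, subject_cn=None):
    """Return (ok, reason) for a peer certificate's names.

    IP-literal peers are checked against iPAddress entries only; names are
    checked against dNSName entries, falling back to the subject CN only
    when the certificate carries no dNSName at all. URI entries are not
    host names and are ignored."""
    host = canonicalise_peer_host(configured_host)
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        for t, v in sans:
            if t == SAN_IPADDRESS and ipaddress.ip_address(v) == ip:
                return True, "iPAddress %s matches" % v
        return False, "no iPAddress SAN matches %s" % host
    dns_names = [v for t, v in sans if t == SAN_DNSNAME]
    for name in dns_names:
        if _dns_match(name, host):
            return True, "dNSName %r matches %r" % (name, host)
    if not dns_names and subject_cn and _dns_match(subject_cn, host):
        return True, "CN %r matches (no dNSName present)" % subject_cn
    return False, "no dNSName matches %r" % host


# Constructed sample modelled on the certificate in the log above
SAMPLE_SANS = [
    (SAN_DNSNAME, "host"),
    (SAN_URI, "https://registry.edugain.org/resolver?urn=urn:geant:eduroam:"
              "component:idp:Europe:SURFnet:host"),
]

if __name__ == "__main__":
    print(verify_peer_name("ipv6:'host'", SAMPLE_SANS))
```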


Re: [RADIATOR] Radiator.spec file: 4.7-3

2011-01-13 Thread Mike McCauley
Hi Nick,

On Friday 14 January 2011 10:25:23 am Nick Urbanik wrote:
> Dear Radiator folks,
>
> I'm building a Radiator RPM which we've patched to support
> AddressAllocatorDHCP.pm using a DHCP failover pair.  The SPEC file
> provided with the tarball is not the one used to build the RPM, but
> that spec file is not provided, nor is there a source RPM provided.
>
> Please could anyone provide the spec file for Radiator 4.7-3?

Attached.

>
> I'm re-writing the spec file to avoid hard coding Perl version numbers
> and other such practices, but it would be nice to have a better
> starting point.
Cheers.



#
# RPM Spec file for Radiator on RH7, SuSE and similar
#
# Author: Mike McCauley (mi...@open.com.au)
# Copyright (C) 2001-2004 Open System Consultants
# $Id: Radiator.spec,v 1.53 2010/09/21 23:11:48 mikem Exp $

# Allow us to control whether we are building Locked or UNlocked from the command line

# Disable the default LZMA compression on OpenSuSE, since it is not available on all platforms
%define _binary_payload w9.bzdio

%{!?DISTNAME:%define DISTNAME Radiator}
%{!?PERLVER:%define PERLVER 5.10.0}

Summary: Radiator Radius server
Name: %{DISTNAME}
Version: 4.7
Release: 3
Epoch: 40703
License: Proprietary, Open System Consultants Pty Ltd
Group: System/Servers
Source: %{name}-%{version}.tgz
URL: http://www.open.com.au/radiator/
Vendor: Open System Consultants Pty. Ltd.
Packager: Open System Consultants, Mike McCauley 
AutoReqProv: no
Provides: Radiator
Requires: perl >= 5.6.0
Prefix: /usr
BuildRoot: /var/tmp/%{name}-root

%description
Radiator Radius server provides RADIUS authentication through
a wide range of data sources, such as flat file, DBM, SQL, SecurID
LDAP, Unix Passwd, TACACS+, NT SAM, Active Directory, OPIE
NIS+, CDB, AFS Kerberos, PAM, RAdmin, global roaming (iPASS, GoRemote)
ISP billing (Emerald, Platypus, Rodopi, Optigold, Hawk-i, Billmax
Interbiller, Freeside).

%prep
%setup

%build
PREFIX=$RPM_BUILD_ROOT/%{prefix} perl Makefile.PL
make

%install
mkdir -p $RPM_BUILD_ROOT/bin
mkdir -p $RPM_BUILD_ROOT/var/log/radius
mkdir -p $RPM_BUILD_ROOT/etc/radiator
mkdir -p $RPM_BUILD_ROOT/etc/init.d
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/vendor_perl
mkdir -p $RPM_BUILD_ROOT/usr/lib/perl5/site_perl/%PERLVER/Radius
make install
install -m644 goodies/linux-radius.cfg $RPM_BUILD_ROOT/etc/radiator/radius.cfg
install -m644 goodies/simple-users $RPM_BUILD_ROOT/etc/radiator/users
install -m644 dictionary $RPM_BUILD_ROOT/etc/radiator
install -m755 goodies/linux-radiator.init $RPM_BUILD_ROOT/etc/init.d/radiator
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5/site_perl
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5
ln -fs /usr/lib/perl5/site_perl/%PERLVER/Radius $RPM_BUILD_ROOT/usr/lib/perl5/vendor_perl

%files
%attr(-, root, root) %doc doc
%attr(-, root, root) %doc goodies
%attr(-, root, root) %doc ppm
%attr(-, root, root) %doc certificates
%attr(-, root, root) %doc dictionary*
%config /etc/radiator/radius.cfg
%config /etc/radiator/users
%dir /var/log/radius
/usr/bin/builddbm
/usr/bin/radpwtst
/usr/bin/radiusd
/usr/bin/buildsql
/usr/lib/perl5/site_perl/%PERLVER/Radius
/usr/lib/perl5/site_perl/Radius
/usr/lib/perl5/Radius
/usr/lib/perl5/vendor_perl/Radius
/etc/radiator/dictionary
/etc/init.d/radiator

%post
# Just in case they have a different perl version
#ln -fs /usr/lib/perl5/site_perl/5.8.3/Radius /usr/lib/perl5/site_perl/Radius
if [ -x /etc/rc.d/rc.M -a -x /etc/rc.d/rc.local ]; then
 # Slackware
 if ! grep -q 'radiator startup, added by rpm' /etc/rc.d/rc.local>/dev/null; then
  echo '# radiator startup, added by rpm' >> /etc/rc.d/rc.local
  echo 'if [ -x /etc/init.d/radiator ]; then' >> /etc/rc.d/rc.local
  echo '/etc/init.d/radiator start' >> /etc/rc.d/rc.local
  echo 'fi' >> /etc/rc.d/rc.local
 fi
else
 # LSB and similar
 # Try to be compatible with Cobalt and others:
 if [ -d /etc/rc.d/rc0.d ]; then
 rcbase=/etc/rc.d
 else
 rcbase=/etc
 fi
 # Add startup script
 for i in 0 1 2
 do 
ln -sf ../init.d/radiator $rcbase/rc$i.d/K15radiator
 done
 for i in 2 3 4 5 6
 do 
ln -sf ../init.d/radiator $rcbase/rc$i.d/S90radiator
 done

Re: [RADIATOR] HTTP Log

2011-01-13 Thread Mike McCauley
Hi Adam,

Thanks for your note.
Your patch has now been added to the latest patch set.

thanks again.

Cheers.

On Friday 14 January 2011 01:30:22 am Adam Bishop wrote:
> Hello,
>
> At high trace levels the log can accumulate characters that are "Special"
> to HTML, such as < and >.  This can cause a few display issues with the
> HTTP log display.
>
> At the end of this message is a single line patch to escape the offending
> characters before they are emitted.  Logging to text file/sql/syslog is
> unaffected.
>
> Adam Bishop
> JANET(UK)
>
> --- ServerHTTP.pm.old 2011-01-13 14:27:58.0 +
> +++ ServerHTTP.pm 2011-01-13 14:36:37.0 +
> @@ -1469,6 +1469,9 @@
>   $log .= $self->{parent}->{log}[$i] . "\n"
>  if defined $self->{parent}->{log}[$i];
>  }
> +
> +$log = CGI::Util::simple_escape($log);
> +
>  $self->send_standard(<<"EOF"
>  This page shows the last $self->{parent}->{LogMaxLines} log messages
> recorded by this Radiator. It can be useful when checking or debugging your
> new configuration.
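Review bot: the added `$log = CGI::Util::simple_escape($log);` depends on CGI::Util being loaded, and the hunk adds no `use CGI::Util;`, so either confirm ServerHTTP.pm already imports it or add the `use` line, otherwise the log page will fail with an undefined subroutine instead of rendering. Escaping at this point, just before the buffered log text is interpolated into the HTML heredoc and not where lines are stored, is the right place, since the same log buffer is also written to file/SQL/syslog unescaped; a one-line comment above the call saying the text is about to be embedded in HTML would make that intent clear to the next reader.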
>
>
>





Re: [RADIATOR] Help with EAP-SIM simulator for evaluation

2011-01-10 Thread Mike McCauley
Hello Heikki and support,

Just to let you know that this evaluator told us in his eval request he was 
mostly interested in the MAP gateway simulator.

We are a bit suspicious about his intentions and whether he will actually 
purchase if successful, so if you notice anything odd about what he's up to, 
please let us know.

The Cisco MAP interface is only provided on demand to customers who can 
confirm they have a Cisco ITP MAP gateway license. This is for legal reasons.

Cheers.

On Tuesday 11 January 2011 05:02:13 am Heikki Vatiainen wrote:
> On 01/10/2011 05:34 PM, Effi Rand wrote:
> > I need some help with the configuration of the radiator as a MAP-GATEWAY
> > with radius interface. I'm not that experienced in this product and it's
> > important for me to evaluate this feature since the expire date is due in
> > 2 weeks.
> >
> > I was able to test the EAP-SIM with the SSGN simulator using the
> > "odyssey" wireless client (after we cached some triplets to a local file)
> > However , when I try to test it with the MAP-GATEWAY simulator (same
> > client), I fail to get the access-accept message.
>
> There are a couple of things you should try. I will go through them below:
> > # radius.cfg
> >
> > # $Id: linux-radius.cfg,v 1.3 2002/03/24 23:07:49 mikem Exp $
>
> Looks like most of the content is from goodies/eap_simoperator.cfg
>
> > AuthPort 1645,1812,1647
> > AcctPort 1646,1813,1648
>
> Please remove ports 1647 and 1648 since they will be used by map.cfg
>
> > 
> > 
> > # The name or address of the example MAP gateway(s) that
> > # will serve this instance
> > # Radius requests are sent to this gateway requesting triplets etc.
> > Host localhost
> > AuthPort 1647
> > Secret cisco
>
> Please check README section "Testing with the Radius MAP gateway
> simulator". What you should have listening on localhost port 1647 is
> another Radiator running configuration from goodies/map.cfg
>
> The example map.cfg uses port 1647 with secret mysecret
>
> What happens now is that this Radiator instance gets the request that is
> intended for the MAP simulator. Like README says, you should have two
> Radiator instances running at the same time:
>
> 4. Run the MAP gateway simulator:
> radiusd -config goodies/map.cfg
>
> 5. Run Radiator EAP-SIM server
> radiusd -config goodies/eap_simoperator.cfg
>
> > 
> > TripletsFile /tmp/Modules/Radius-EAP-SIM/goodies/triplets.dat
> > Pin 
> > 
>
> Remove the  block. This AuthBy will be handled by the second
> Radiator that uses map.cfg
>
> > 
> >
> > Another thing , in the README file , you mention that there is also a
> > cisco-ipt simulator under Radius-EAP-SIM/goodies/ciscomap.cfg
> >
> > There is no file like that.
>
> You are correct. I will check what has happened to it.
>
> > Another question , so far I've failed to test the iPhone EAP-SIM client
> > against the EAP-SIM simulator. Any idea what can be done ?
>
> I have not tried iPhone myself, but unless you have already downloaded
> iPhone configuration utility from Apple you may want to do that. The
> utility gives you control over many things, including WLAN settings
> where you can disable all the other WPA-Enterprise methods.
>
> Thanks!





Re: [RADIATOR] Help required with EAP TTLS

2011-01-10 Thread Mike McCauley
Hello Aman,

On Monday 10 January 2011 04:11:55 pm Aman Arneja wrote:
> Thanx Heikki
>
> 2 more questions from my clients are as follows
>
> 1.) When we talk about about Client auth in phase 1, what we meant was that
> can there be an EAP TLS Mutual authentication in phase 1 ( Server auth +
> Client auth)

Yes, EAP-TLS requires that by default.
With EAP-TTLS and EAP-PEAP it is not required by default, but it can be 
enabled by setting 
EAPTLS_RequireClientCert


>
> 2.) Also does radiator support Key Agility extensions as defined at
> http://tools.ietf.org/html/draft-hanna-eap-ttls-agility-00

No.

>
> With respect to method chaining and other questions, my client is in the
> process of building a client side implementation and thus wanted to know
> what all is supported, specially since we have zeroed in on buying radiator
> server we just wanted to atleast match u guys in configuration.

Hope that helps.
Cheers.

>
> Thanx
>
> Aman Arneja
>
> On Sat, Jan 8, 2011 at 3:10 PM, Heikki Vatiainen  wrote:
> > On 01/07/2011 01:51 PM, Aman Arneja wrote:
> > > I also need some information regarding your ttls support since i am
> >
> > looking
> >
> > > at a radius server that can service both SIM and TTLS requests, i need
> >
> > the
> >
> > > answers to the following questions.
> >
> > Good questions. Please see below for answers.
> >
> > > Features
> > > Non-EAP inner methods - Which methods are supported?
> >
> > There are plenty: the basic ones are PAP, CHAP, MSCHAP and MSCHAPv2.
> >
> > The way Radiator has been built makes supporting different inner methods
> > easy. The inner method messages are dispatched as new RADIUS messages
> > and can be handled in the configuration as their own, not within TTLS.
> >
> > In other words there is a lot of flexibility with the inner protocols,
> > and the ones mentioned above are usually supported and used by clients.
> >
> > Do you have any specific methods in mind?
> >
> > > Client auth during phase 1 - Supported, Not/Supported
> >
> > Supported. The phase 1 message is available for authentication. You can
> > for example, first validate MAC address or check WLAN SSID in the outer
> > request and only then proceed to continue with phase 2.
> >
> > > Can identity privacy be explicitly enabled or disabled - on the client
> >
> > side
> >
> > > Can session resumption be explicitly enabled or disable - on the client
> >
> > side
> >
> > Yes for both. The outer identity can be different from the inner
> > identity. Session resumption is supported by Radiator by default and can
> > be disabled from the client side.
> >
> > > Method chaining in Phase 2
> >
> > For this you would need to use Radiator with e.g., EAP-FAST where method
> > chaining has been well defined. With TTLS methods can in theory be
> > chained with clever configuration, but I do not think Radiator has been
> > tested or used in such a configuration.
> >
> > If you have something specific in mind, please let us know.
> >
> > > Allowing tunnel method as inner method (FAST, PEAP)
> >
> > This may not have ever been tested and I can not verify if this works. If you
> > know a client that can do this, we would be very interested to know
> > about it.
> >
> > > Also if you have any competitor analysis on this , like with free
> > > radius etc, that would be great !!
> >
> > Please take a look at Radiator technical information at
> > http://www.open.com.au/radiator/technical.html
> >
> > I will check what analysis type of information we may also have.
> >
> > > Thanx
> > >
> > > Aman Arneja
> >
> > Thanks!
> >
> > Heikki Vatiainen
> >





Re: [RADIATOR] L5 load balancers for Radius

2010-11-30 Thread Mike McCauley
Sorry, meant F5 load balancer not L5.


On Wednesday 01 December 2010 08:52:49 am Mike McCauley wrote:
> Hi,
>
> One of our customers wants to use an L5 load balancer to balance tacacs and
> RADIUS requests, but their LB service provider seems to not understand how
> to do this and still preserve the source address (so the radius server can
> tell who the client really is)
>
> Does anyone have an L5 config that shows how to do this?
>
> Cheers.
>



[RADIATOR] L5 load balancers for Radius

2010-11-30 Thread Mike McCauley
Hi,

One of our customers wants to use an L5 load balancer to balance tacacs and 
RADIUS requests, but their LB service provider seems to not understand how to 
do this and still preserve the source address (so the radius server can tell 
who the client really is)

Does anyone have an L5 config that shows how to do this?

Cheers.



[RADIATOR] New support team members

2010-11-23 Thread Mike McCauley
Hello,

OSC's support services are expanding, and we welcome some new members to the 
support team:

Sami Keski-Kasari
Karri Huhtanen
and
Heikki Vatiainen

All are highly experienced with Radiator and are ready to help OSC customers 
with email support, remote consulting and training.

If you hold an email support contract, for a prompt response, please do not 
send email to individuals, but use the correct support email address and 
procedures outlined here: 

http://www.open.com.au/emailsupport.html

Once again, welcome to our new team members.

Cheers.




Re: [RADIATOR] Certificate issues with intermediate certificates.

2010-11-19 Thread Mike McCauley
Hi Todd,

there were some recent postings on this topic on this list under the subject

Can't get chain certificates to work

by 
"Stephen A. Felicetti" 
David Zych
and Andrew Clark

with a solution


On Saturday 20 November 2010 06:55:02 am Smith, Todd wrote:
> In working with Radiator and Apple devices, I am having problems with the
> RADIUS server certificate being verified by the client.  In discussion with
> DigiCert, they suggest that Radiator is not correctly giving out the
> intermediate certificates to the client.  I am able to authenticate other
> devices so I don't think that is a problem but something is keeping the
> Apple devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
> # CAChain contains 2 intermediate certificates and the root
> # certificate concatenated like this Inter1->Inter2->Root
> EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
> EAPTLS_CertificateFile %D/certificates/DigiCert/weiland_camc_hsi.crt
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
> EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the
> method quoted below using OpenSSL.  When I tested it using port 1812 or 443
> all I received was the error message Connection refused:errno 29  Would you
> be able to test a certificate chain in this way?  Would you need a 802.1x
> client to handshake before the X.509 certificate would be transmitted? 
> Trace 4 shows Radiator handing out the certificate but even though the
> Apple clients have the appropriate root certificate, they can't verify the
> server certificate and there doesn't seem to be any problem with the server
> certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?
>
> Todd Smith
>
> >Before going that direction, I think it would be valuable to determine
> > whether the server is sending any intermediate certificates at all.  The
> > current >certificate you have requires two intermediates to chain
> > properly, while the reissue I'm suggesting would require just one
> > intermediate.  But if the server is sending no intermediates, then
> > neither option would resolve the issue.
> >
> >Can you try connecting to the RADIUS server using OpenSSL to check the
> > certificate chain?  From a workstation or server with OpenSSL that can
> > access the RADIUS server (or from the RADIUS server itself), you would
> > run this command:
>
> openssl s_client  -connect weiland.camc.hsi:
> where  is the ssl port number on the RADIUS server
>



-- 
Mike McCauley   mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Additional loging for EAP-TLS

2010-11-18 Thread Mike McCauley
Hello Markus,

Thanks for your thoughts.
EAP-Error is not in the dictionary, and will cause errors when the reply is 
packaged will it not?

In any case, I would expect the EAP error reason to be available in the reason 
sent to the AuthLog clause.
Also, if you have RejectHasReason set, I would expect to see the EAP error in 
the reply message too.

Cheers.

On Friday 19 November 2010 06:41:05 am Markus Moeller wrote:
> Hi,
>
>I would like to log more than TLS error acknowledged into the access
> log, but I don't see that the error is stored anywhere. Is the below a good
> way to do it and use the EAP-Error attribute in the access log deny message
> ?
>
> Thank you
> Markus
>
>
> --- /tmp/EAP_13.pm  2010-11-18 08:16:53.0 +
> +++ /tmp/EAP_13_n.pm2010-11-18 08:22:06.0 +
> @@ -116,6 +116,7 @@
> {
> # Handshake was not successful
> my $errs = &Net::SSLeay::print_errs();
> +$p->add_attr('EAP-Error', "EAP TLS Handshake unsuccessful:
> $errs"); return ($main::REJECT, "EAP TLS Handshake unsuccessful: $errs"); }
> elsif ($reason == Net::SSLeay::ERROR_WANT_READ)
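Review bot: EAP-Error is not an attribute the dictionary knows, so the add_attr on the failed-handshake path will be reported as an unknown attribute whenever the packet is processed (Mike's reply above makes the same point), and the string it carries is exactly the REJECT reason returned on the next line, which already reaches AuthLog and, with RejectHasReason, the reply message. If an attribute is still wanted, define EAP-Error in a dictionary file and build the text once, e.g. `my $msg = "EAP TLS Handshake unsuccessful: $errs";`, then use `$msg` in both the add_attr and the return rather than interpolating `$errs` twice.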
> @@ -137,6 +138,7 @@
> # Certificate verification failed, keep going
> # so we tell the client what the problem was
> my $verify_error_string =
> &Radius::TLS::verify_error_string($verify_result); +  
> $p->add_attr('EAP-Error', "EAP TLS certificate verification failed:
> $verify_error_string, $errs"); $self->log($main::LOG_INFO, "EAP TLS
> certificate verification failed: $verify_error_string, $errs", $p);
>
> }
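Review bot: this branch deliberately keeps going after the verification failure, so a later round of the same handshake can still succeed with the EAP-Error attribute left on the request, and a second failure will append another EAP-Error because add_attr adds rather than replaces. Use change_attr here so at most one current value is present, and clear the attribute on the path that finally accepts the session.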
> @@ -144,6 +146,7 @@
> {
> # Serious TLS error, bail out
> $self->log($main::LOG_ERR, "EAP TLS error: $ret,
> $reason, $state, $verify_result, $errs", $p); +   
> $p->add_attr('EAP-Error', "EAP TLS error: $ret, $reason, $state,
> $verify_result, $errs"); &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> return ($main::REJECT, "EAP TLS error");
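Review bot: the attribute value added in the serious-error branch is the full `$ret, $reason, $state, $verify_result, $errs` text that the LOG_ERR line just above already records, and `$errs` from Net::SSLeay::print_errs can span several lines, which then land in the access log. Either keep the detail in the log and return a short reason (as the existing `return ($main::REJECT, "EAP TLS error")` does), or put the detail into the returned reason so AuthLog sees it, but not both.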
> @@ -192,6 +195,7 @@
> {
> &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> +$p->add_attr('EAP-Error', "EAP TLS No peer certificate");
> return ($main::REJECT, 'EAP TLS No peer certificate');
> }
> &Net::SSLeay::X509_free($peer); # get_peer_certificate increments
> the count @@ -208,6 +212,7 @@
> {
> &Radius::TLS::contextSessionClear($context);
> $self->eap_failure($p->{rp}, $context);
> +$p->add_attr('EAP-Error', "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); return
> ($main::REJECT, "EAP TLS session resumed by user
> $context->{tls_authenticated_cn} is not authenticated: $reason"); }
> $authuser = $user;
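Review bot: the resumed-session hunk (and the no-peer-certificate hunk before it) adds an attribute whose text is byte-for-byte the reason string returned two lines later, so the information is already available through the REJECT reason; if the attribute stays, compute the message once in a variable so `$context->{tls_authenticated_cn}` and `$reason` are not interpolated twice and the two copies cannot drift apart. Note also that both calls come after eap_failure has built the failure reply, so the attribute can only ever influence server-side logging, not what the client sees.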





Re: [RADIATOR] Additional logging in AuthGROUP

2010-11-17 Thread Mike McCauley
Hi Markus,

thanks for the suggestion and patch.
It is now in the latest patch set.

Cheers.


On Thursday 18 November 2010 05:07:13 am Markus Moeller wrote:
> Would it be possible to add additional DEBUG logging to AuthGROUP, so that
> any individual Authby result will be logged ?
>
>
> Thank you
> Markus
>
>
> # Try all the authenticators in sequence until the AuthByPolicy
> # is satisfied
> # CAUTION: The handler might fork
> my ($handler, $reason);
> foreach $handler (@{$self->{AuthBy}})
> {
> # Make sure the authby is updated with stats
> push(@{$p->{StatsTrail}}, \%{$handler->{Statistics}});
>
> ($handled, $reason) = $handler->handle_request($p, $p->{rp}, $extra_checks);
>
> # Log the individual AuthBy result, then evaluate the AuthByPolicy
> $self->log($main::LOG_DEBUG, "$type:$self->{Identifier} $handler->{Identifier} result: $Radius::AuthGeneric::reasons[$handled], $reason", $p);
> last unless $self->evaluatePolicy($self->{AuthByPolicy}, $handled);
> }





Re: [RADIATOR] Add UsernameMatchesWithoutRealm to Auth by LSA

2010-11-17 Thread Mike McCauley
Hi Neil,

thanks for the patch. It has been added to the latest patch set.

Cheers.

On Thursday 18 November 2010 04:02:13 am Johnson, Neil M wrote:
> Yes, but the user being checked is "radt...@uiowa.edu"
>
> Since it's AD I only want to check membership for "radtest".
>
> The change I made to the source seems to fix the problem.
>
> -Neil





Re: [RADIATOR] Time Drifting totp Tokens

2010-11-16 Thread Mike McCauley
Hi Steffen,

Thanks for the patch. It is now in the latest patch set.

Cheers.

On Wednesday 17 November 2010 07:29:51 am Steffen Weinreich wrote:
>  Hi!
>
> I have found one of my Feitian c200 Tokens which has drifted into
> the future. At the moment it is about 40 sec in the future and
> therefore a freshly entered PIN could be rejected since from the POV of
> the Radius Server the Token is not yet valid.
>
> For now I have changed AuthSQLTOTP.pm to also take a look into the
> future for the Token Code, but if the token continues to drift away from
> the "right" time, it could be necessary to add some code to deal with
> time drifting
>
> The same also happens with software tokens with an incorrect time, but
> this is fixable by the user
>
> Please find my Patch included below:
>
> cheerio
>Steve
>
> --
> When politicians are lost for words, they give a speech.
>
>
> --- ../p1/Radius/AuthSQLTOTP.pm 2010-10-26 22:04:40.0 +
> +++ Radius/AuthSQLTOTP.pm   2010-11-16 17:23:53.0 +
> @@ -186,7 +186,7 @@
>  $Radius::TOTP::X = $self->{TimeStep};
>  $Radius::TOTP::T0 = $self->{TimeStepOrigin};
>  my $T;
> -for ($delay_counter = 0; $delay_counter <= $self->{DelayWindow};
> $delay_counter++)
> +for ($delay_counter = -$self->{DelayWindow}; $delay_counter <=
> $self->{DelayWindow}; $delay_counter++)
>  {
> $T = Radius::TOTP::totp_timestep($recv_time, $delay_counter);
> my $totp = Radius::TOTP::totp_compute_sha1(pack('H*', $secret),
> $T, $digits);
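Review bot: changing the lower bound to `-$self->{DelayWindow}` makes the loop accept 2*DelayWindow+1 time steps, so the parameter now also admits codes from the future, but it keeps the name DelayWindow and nothing in the hunk updates its documentation; either document that the window is now symmetric or add a separate parameter for forward steps, so that an operator who widens DelayWindow for slow entry does not silently widen the future window too. Because the loop can now match a future `$T`, any last-accepted-step record used for replay detection must be compared against the matched `$T` rather than the current step, otherwise a future code accepted once could be presented again when the server clock reaches that step.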
>





Re: [RADIATOR] clarification on AuthBy ROUNDROBIN failover

2010-11-10 Thread Mike McCauley
205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:02:44 2010: DEBUG: Timed out, retransmitting
> Wed Nov 10 10:02:44 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.107 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:02:49 2010: DEBUG: Timed out, retransmitting
> Wed Nov 10 10:02:49 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.107 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:02:54 2010: INFO: AuthRADIUS CAH-wireless2008: No reply
> after 40 seconds and 3 retransmissions to 134.84.119.107:1836 for
> mikem (239). Now have 1 consecutive failures over 0 seconds. Backing
> off for 300 seconds
> Wed Nov 10 10:02:54 2010: INFO: AuthROUNDROBIN: Retry 2,
> firstHostTried 0, lastHostTried 2
> Wed Nov 10 10:02:54 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.7 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:02:59 2010: DEBUG: Timed out, retransmitting
> Wed Nov 10 10:02:59 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.7 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:03:04 2010: DEBUG: Timed out, retransmitting
> Wed Nov 10 10:03:04 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.7 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:03:09 2010: DEBUG: Timed out, retransmitting
> Wed Nov 10 10:03:09 2010: DEBUG: Packet dump:
> *** Sending to 134.84.119.7 port 1836 
> Code:   Access-Request
> Identifier: 1
> Authentic:  6-<145><131><166><149>tKp(1e<205>z<241><177>
> Attributes:
> User-Name = "mikem"
> Service-Type = Framed-User
> NAS-IP-Address = 192.168.238.210
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Async
> User-Password = <18>
> <241><241>p<227><159><200><208><158><7><216>Q<163>V<192>
> NAS-Identifier = "WIRELESS"
> Proxy-State = OSC-Extended-Id=1
>
> Wed Nov 10 10:03:14 2010: INFO: AuthRADIUS CAH-wireless2008: No reply
> after 60 seconds and 3 retransmissions to 134.84.119.7:1836 for mikem
> (239). Now have 1 consecutive failures over 0 seconds. Backing off for
> 300 seconds
> Wed Nov 10 10:03:14 2010: INFO: AuthROUNDROBIN: Retry 3,
> firstHostTried 0, lastHostTried 0
> Wed Nov 10 10:03:14 2010: WARNING: AuthROUNDROBIN: Request was tried
> for 3 times. All alive server from the RoundRobin list were tried.
> Wed Nov 10 10:03:14 2010: INFO: AuthRADIUS CAH-wireless2008: Could not
> find a working host to forward mikem (1) after 60 seconds. Ignoring
> Wed Nov 10 10:03:14 2010: DEBUG: AuthBy ROUNDROBIN result: IGNORE,





[RADIATOR] OATH One-Time-Password support update

2010-10-28 Thread Mike McCauley
We are pleased to announce successful testing of Radiator with a range of OATH
based One-Time-Password hardware tokens and soft tokens.

OATH is an open specification for One-Time-Passwords (OTP) developed by the
Initiative for Open Authentication (http://www.openauthentication.org). It
includes public, open specifications for event based authentication (HOTP) and
time-based authentication (TOTP), both using the public and well regarded SHA
encryption standards. 

With Event-Based tokens (HOTP), a new OTP is generated each time you press a
button or activate the token. With Time-Based tokens (TOTP), a new OTP is
generated automatically every 30 seconds.

OATH is designed to be used on both hardware tokens (a small device you carry
in your pocket which displays the OTP), and also on soft tokens (small
programs which run on your mobile phone or PC). There are a number of
commercial hardware tokens and both free and commercial soft tokens available
from a range of vendors.

Radiator RADIUS Server has supported the HOTP and TOTP specifications since
very soon after their publication and a number of customers are now using them
in production. Radiator's HOTP and TOTP support is flexible and highly 
configurable and works with any OATH compatible hard or soft token. See 
AuthBy SQLHOTP and AuthBy SQLTOTP modules included in the Radiator 
distribution.

Some of the OATH compatible hardware tokens currently available include:

Feitian http://www.ftsafe.com OTP C200, ORP C200, OTP C300 Tokens
Vasco (http://www.casco.com) GO6 (HOTP) Event-based Token

Some of the OATH compatible soft tokens currently available include:

Google Authenticator for iPhone, Android and BlackBerry
OATH Token for iPhone
iOATH Token for iPhone
DS3  Oath for iPhone
Pledge Token for iPhone, Android, WindowsMobile, BlackBerry, JavaPhone
Android Token  for Android
Mobile-OTP Token for JavaPhones, WindowsMobile, iPhone, Blackberry, Android
iOTP Token for iPhone

The Google Authenticator is particularly recommended, since it supports
multiple time and event based soft tokens at the same time, and provides for
secret key importing through the use of barcodes, and is available on a wide
range of devices. And it's free of cost!

The availability of free or inexpensive OATH based soft tokens on ubiquitous
devices such as iPhone, driven by the use of open specification
One-Time-Password protocols means that organizations can now deploy highly
secure, flexible One-Time-Password systems for much less cost than was
previously possible. The days of expensive tokens that must be sourced,
stocked and replaced periodically or which can get lost, broken or their
batteries discharge, along with their expensive authentication software are
now gone.

Open System Consultants and Radiator are pleased to be involved in this
revolution in secure one-time-password systems. 



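The HOTP and TOTP mechanics this announcement describes, together with the two verification-policy questions raised elsewhere on this page (Steffen's patch that lets AuthBy SQLTOTP look into the future as well as the past for a drifting token, and the replay detection that was added to SQLTOTP with an extra "last accepted" column), can be seen end to end in the following added example. It is not Radiator's AuthBy SQLTOTP code: the HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238 and is checked against their published test vectors, while the window and replay policy is this example's own rendering of what the threads describe. The names TotpToken, delay_window, advance_window, last_timestep and verify_totp are assumptions of the example, not Radiator parameters.

```python
"""HOTP/TOTP verification with a two-sided time-step window and replay
detection.  Added example, not Radiator's AuthBy SQLTOTP code: the HOTP/TOTP
arithmetic is RFC 4226 / RFC 6238; the window and replay policy (window applied
forwards as well as backwards, highest accepted step remembered per token) is
this example's own, modelled on the discussion in the list threads."""
import hmac
import hashlib
import struct
from dataclasses import dataclass
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp_timestep(unix_time: int, time_step: int = 30, t0: int = 0) -> int:
    """RFC 6238: T = floor((unix_time - T0) / X)."""
    return (unix_time - t0) // time_step


def totp(secret: bytes, unix_time: int, digits: int = 6,
         time_step: int = 30, t0: int = 0) -> str:
    """TOTP is HOTP with the time step as the counter."""
    return hotp(secret, totp_timestep(unix_time, time_step, t0), digits)


@dataclass
class TotpToken:
    """Per-token state a server would keep; field names are this example's own."""
    secret: bytes
    digits: int = 6
    time_step: int = 30
    delay_window: int = 1    # steps in the past still accepted (slow entry, token behind)
    advance_window: int = 1  # steps in the future still accepted (token clock ahead)
    last_timestep: int = -1  # highest step already used: the replay-detection column


def verify_totp(token: TotpToken, code: str, unix_time: int) -> Optional[int]:
    """Return the step offset at which `code` matched (negative: token behind,
    positive: token ahead), or None if it is outside the window or a replay.

    Policy (this example's choice): every step <= last_timestep is refused, so a
    code is accepted at most once, and accepting a future step also burns the
    steps before it; the check is against the matched step, not the clock."""
    base = totp_timestep(unix_time, token.time_step)
    for offset in range(-token.delay_window, token.advance_window + 1):
        step = base + offset
        if step <= token.last_timestep:
            continue
        if hmac.compare_digest(hotp(token.secret, step, token.digits), code):
            token.last_timestep = step
            return offset
    return None


if __name__ == "__main__":
    # Constructed demo: the RFC 6238 test secret and a token whose clock is 40 s ahead.
    secret = b"12345678901234567890"
    now = 1_300_000_000
    token = TotpToken(secret)
    ahead = totp(secret, now + 40)
    print("token 40 s ahead, two-sided window:", verify_totp(token, ahead, now))
    print("same code presented again (replay):", verify_totp(token, ahead, now))
```

Setting `advance_window=0` reproduces the one-sided behaviour before Steffen's patch (a token 40 s ahead is rejected until the server clock catches up); the default of one step each way accepts it once and then refuses the same code.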


Re: [RADIATOR] refresh time on clientlistsql

2010-10-28 Thread Mike McCauley
Hello Alexander,

maybe you could reduce the RefreshPeriod in your ClientListSQL to less than an 
hour (or whatever the retain time in the firewall is) so the SQL session 
stays up?

Cheers.

On Friday 29 October 2010 12:36:02 am Alexander Hartmaier wrote:
> Still happens with newest DBI and DBD::Oracle.
> I assume radiator doesn't close the db connection and a firewall removes
> it from its state table which leads to dropped packets after an hour
> when radiator tries to use the db connection again.
>
> You might want to look into DBIx::Connector which handles some problems
> automatically.





[RADIATOR] Radiator compatibility with Aloe Systems MVTS Pro VOIP Gateway

2010-10-27 Thread Mike McCauley
We are pleased to announce the completion of interoperation testing between 
Radiator RADIUS Server and the Aloe Systems  MVTS Pro VOIP Gateway.

Aloe Systems http://www.aloe-systems.com (until recently called Mera) are 
vendors of a range of VOIP solutions and devices.

The MVTS Pro is a high performance class 4 softswitch with SBC functionality – 
a carrier-grade solution for VoIP traffic management. MVTS Pro can be 
configured to use RADIUS at various stages during endpoint connection and 
VOIP call setup.

Radiator now has proven interoperation with the MVTS Pro, allowing you to 
integrate VOIP endpoint authentication, call authorization and call routing 
into your RADIUS infrastructure and using your choice of backend database and 
billing solution.

The latest Radiator patch set and future revisions include specific 
documentation on Radiator configuration to operate with MVTS Pro and samples  
of the various types of RADIUS requests that MVTS Pro sends.




Re: [RADIATOR] restartWrapper patch to help with runaway restarts

2010-10-26 Thread Mike McCauley
Hello David,

thanks for this patch.
It has now been added to the latest patch set.

Thanks especially for ensuring the help doc was up to date with your new arg 
too.

Cheers.

On Wednesday 27 October 2010 07:19:35 am David Zych wrote:
> restartWrapper is wonderful for protecting against the possibility of a
> fluke crash, but if something gets legitimately broken that a restart
> *can't* fix, I don't want to be inundated with email every few seconds.
>   So I have modified restartWrapper to also accept a -min_interval
> parameter which specifies the minimum time that must elapse between two
> successive restarts (defaults to zero if not provided).
>
> So "restartWrapper -delay 1 -min_interval 300 prog" will restart prog
> either 1 second after the previous run stopped OR 5 minutes after the
> previous run started, whichever is later.
>
> The attached patch is against the Radiator 4.7 version of
> restartWrapper.  Hopefully others will find it helpful too.
>
> David





Re: [RADIATOR] ntlm_auth and Active Directory Workstation Restrictions

2010-10-26 Thread Mike McCauley
be able to work around this using the
> "--workstation" option as the goodies/ntlm.cfg shows to pass the
> workstation name that is trying to authenticate to ntlm_auth.  But,
> how am I suppose to do this as the workstation name (that the user is
> currently trying to log in to) is not available in the authentication
> request?  Is anyone doing something similar?  How were you able to get
> Active Directory workstation restrictions working with your 802.1x
> implementation?
>
> --greg
>
>
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller





Re: [RADIATOR] clarification on AuthBy ROUNDROBIN failover

2010-10-26 Thread Mike McCauley
Hello Andrew,

On Wednesday 27 October 2010 01:38:12 am Andrew Clark wrote:
> First one I sent to the list must've fallen through the cracks.
>
> I'm seeking some clarification on the failover behavior of AuthBy
> ROUNDROBIN and how to read the logs when servers are marked dead.  I
> have three hosts in the round-robin pool (via a round-robin DNS host
> name) and I can see that requests are being distributed correctly to
> all three.  What is unclear is the meaning of the logs when a server
> is marked out.  The three servers are of course at three different IP
> addresses, but I only see log messages about one of three IP addresses
> being marked down:
>
> Tue Oct 12 16:14:52 2010: INFO: AuthRADIUS: No reply after 3
> retransmissions to 134.84.119.107:1836 for foo  (). Now have 1
> consecutive failures over 0 seconds. Backing off for 300 seconds
> Tue Oct 12 16:14:52 2010: INFO: AuthROUNDROBIN: Retry 1,
> firstHostTried 0, lastHostTried 0
> Tue Oct 12 16:14:52 2010: WARNING: AuthROUNDROBIN: Request was tried
> for 1 times. All alive server from the RoundRobin list were tried.
> Tue Oct 12 16:14:52 2010: INFO: AuthRADIUS could not find a working
> host to forward to. Ignoring
> Tue Oct 12 16:14:53 2010: INFO: AuthRADIUS: No reply after 3
> retransmissions to 134.84.119.107:1836 for foo  (171). Now have 1
> consecutive failures over 0 seconds. Backing off for 300 seconds
> Tue Oct 12 16:14:53 2010: INFO: AuthROUNDROBIN: Retry 1,
> firstHostTried 0, lastHostTried 0

This means there was only one 'non-dead' server left in our list of servers.


> Tue Oct 12 16:14:53 2010: WARNING: AuthROUNDROBIN: Request was tried
> for 1 times. All alive server from the RoundRobin list were tried.

This last message means that there was no reply from any of the 'non-dead' 
servers it tried, and it ran out of servers to try.

Looks to me like at this stage 2 of the 3 servers had been marked as down (due 
to no response), and then there was no response from the third.

You may want to investigate why all the downstream servers failed to reply.

Hope that helps.
 
Cheers.

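The failover behaviour Mike explains above (and the longer trace of the same thing earlier on this page, where AuthROUNDROBIN walks through 134.84.119.107 and 134.84.119.7 and ends with "AuthBy ROUNDROBIN result: IGNORE") is easier to read once the state machine is written down. The following added example models it; it is not Radiator's AuthBy ROUNDROBIN or AuthBy RADIUS code. A host that gives no reply is marked dead and backed off for a fixed period, the request moves on to the next alive host in rotation, and when every alive host has been tried (or the retry budget is used up) the result is IGNORE. The log lines it produces are constructed approximations of the messages quoted in the thread, the class and parameter names are this example's own, and the retransmissions and timeouts inside one attempt are collapsed into a single yes/no answer from a caller-supplied function.

```python
"""Model of AuthBy ROUNDROBIN failover over a pool of RADIUS hosts.
Added example, not Radiator code; log texts are constructed approximations
of the messages quoted on the list, and the time spent waiting for
retransmissions inside one attempt is not modelled."""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass
class Host:
    name: str
    dead_until: float = 0.0        # absolute time until which the host is skipped
    consecutive_failures: int = 0

    def alive(self, now: float) -> bool:
        return now >= self.dead_until


class RoundRobinPool:
    def __init__(self, hosts: List[Host], max_retries: int = 3,
                 failure_backoff: float = 300):
        self.hosts = hosts
        self.max_retries = max_retries          # hosts tried per request
        self.failure_backoff = failure_backoff  # seconds a failed host stays dead
        self._next_first = 0                    # where the next request starts

    def forward(self, now: float, reply_from: Callable[[str], bool]
                ) -> Tuple[str, Optional[str], List[str]]:
        """Try alive hosts in rotation.  reply_from(name) stands in for the
        network: True means the host answered, False means it timed out."""
        log: List[str] = []
        n = len(self.hosts)
        first = self._next_first
        self._next_first = (first + 1) % n      # rotate the starting point per request
        attempts = 0
        for i in range(n):
            idx = (first + i) % n
            host = self.hosts[idx]
            if not host.alive(now):
                continue                        # backed-off host: skipped, nothing sent
            if attempts == self.max_retries:
                break                           # retry budget exhausted
            attempts += 1
            log.append(f"AuthROUNDROBIN: Retry {attempts}, "
                       f"firstHostTried {first}, lastHostTried {idx}")
            if reply_from(host.name):
                host.consecutive_failures = 0
                log.append(f"AuthRADIUS: reply received from {host.name}")
                return "ACCEPT", host.name, log
            host.consecutive_failures += 1
            host.dead_until = now + self.failure_backoff
            log.append(f"AuthRADIUS: No reply from {host.name}. Now have "
                       f"{host.consecutive_failures} consecutive failures. "
                       f"Backing off for {self.failure_backoff:g} seconds")
        log.append(f"AuthROUNDROBIN: Request was tried for {attempts} times. "
                   "All alive servers from the RoundRobin list were tried.")
        log.append("AuthRADIUS: could not find a working host to forward to. Ignoring")
        return "IGNORE", None, log


if __name__ == "__main__":
    # Constructed scenario: three proxies, none answering, then one recovers.
    pool = RoundRobinPool([Host("a"), Host("b"), Host("c")])
    for line in pool.forward(1000, lambda name: False)[2]:
        print(line)
    print(pool.forward(1010, lambda name: True)[0])      # all dead: IGNORE, nothing sent
    print(pool.forward(1400, lambda name: name == "b")[0])  # backoff over: ACCEPT
```

The second request in the demo is the situation in Andrew's log: every host is still inside its backoff, so nothing is sent and the request is ignored immediately, which is why only the first failure of each host produces a "No reply" line and why the IGNORE lines keep coming for the rest of the backoff period.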


Re: [RADIATOR] Fwd: [suggestions] draft-mraihi-totp-timebased-06.txt

2010-10-26 Thread Mike McCauley
Hi Steffen,

thanks for reporting this. The patch set was missing the new version of 
TOTP.pm. It has now been added.
We apologise for any inconvenience.

Cheers.


On Tuesday 26 October 2010 11:36:03 pm Steffen Weinreich wrote:
> On 18.10.2010 01:20, Mike McCauley wrote:
> > The new code is now available in the latest Radiator patch set.
> > Please let me know how you get on with this.
>
> Hi!
>
> The corresponding Radius::TOTP missing in the Patchset:
>
> Tue Oct 26 13:34:24 2010: DEBUG: Handling request with Handler
> 'Realm=DEFAULT', Identifier ''
> Tue Oct 26 13:34:24 2010: DEBUG: Deleting session for steve,
> 203.63.154.1, 1234
> Tue Oct 26 13:34:24 2010: DEBUG: Handling with Radius::AuthGROUP:
> Tue Oct 26 13:34:24 2010: DEBUG: Handling with Radius::AuthSQLTOTP: otp
> c200 Tue Oct 26 13:34:24 2010: DEBUG: Radius::AuthSQLTOTP looks for match
> with steve [steve]
> Tue Oct 26 13:34:24 2010: DEBUG: Query is: 'select secret, active, pin,
> digits, bad_logins, date_part('epoch',accessed)::int from
> radius.totpkeys where username='steve' and tokentype = 'otp c200'':
> Undefined subroutine &Radius::TOTP::totp_timestep called at
> Radius/AuthSQLTOTP.pm line 191.
>
>
>
> cheerio
> Steve
>
> --
> There is an 11th, unwritten Scout Law, namely:
> "A Scout is no fool." -- Lord Robert Baden-Powell




Re: [RADIATOR] Fwd: [suggestions] draft-mraihi-totp-timebased-06.txt

2010-10-17 Thread Mike McCauley
Hello Matthew,

thanks for your note and the response from the TOTP authors.

We find it very disappointing that the authors of the draft RFC 'imply' that 
some type of replay detection is required but don't actually specify how it 
is to be done.

We fully expected the authors to add details about replay detection to their 
draft before requesting an RFC.
We believe that this is sufficient cause to object to the RFC, and to require 
that the draft be improved. 

We think that for guaranteed interoperation between clients and authenticators 
(and therefore guaranteed correct operation of your system), this should be 
part of the specification.

Nevertheless, we have added replay detection to AuthBy SQLTOTP, according to 
our view of how it should be done. This has required
an additional column in the sample SQL database schema, and changes to the
default AuthSelect and UpdateQuery parameters. 

The new code is now available in the latest Radiator patch set.
Please let me know how you get on with this.

Cheers.


On Monday 18 October 2010 07:14:52 am Matthew Reeves-Hairs wrote:
> Hi,
>   Please see the email below from the authors of the above draft spec.
>
>   Can you say when this may be included into radiator?
>
> Regards
>
> Matthew
>
> Matthew Reeves-Hairs MBCS
> (CCNA, CCNP, CCDA)
> Director
>
> Willow ICT Limited
> 13 Willow Close
> Great Hormead
> Hertfordshire, SG9 0NW
> Mobile: +44 (0)7912 202627
> Fax: +44 (0)7092 361501
> matthew.reeves-ha...@willowict.com
> http://www.willowict.com
>
> Please consider the environment before printing this email.
>
> The content of this email and any attachment is private and may be
> privileged.  If you are not the intended recipient, any use, disclosure,
> copying or forwarding of this email and/or its attachments is unauthorised.
>  If you have received this email in error please notify the sender by email
> and delete this message and any attachments immediately.  Nothing in this
> email shall bind the Company in any contract or obligation, unless we have
> specifically agreed to be bound.
>
> Sent from my iPad
>
> Begin forwarded message:
> > From: "Bajaj, Siddharth" 
> > Date: 16 October 2010 01:13:02 GMT+01:00
> > To: 
> > Cc: "Pei, Mingliang" , "Johan Rydell"
> > , "Philip Hoyer" 
> > Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> >
> >
> > Hi Matthew,
> >
> > First of all let me apologize for not responding to your inquiry sooner.
> > Thanks for pointing out this gap in the TOTP specification.
> >
> > Even though this is not explicitly stated in the document - by
> > definition OTPs or one-time passwords are meant to be used only once.
> > This is also implied in the discussion in the last paragraph of section
> > 5.2 of the I-D.
> >
> > We are hoping that this I-D is approved as an RFC in next couple of
> > months. If we have an opportunity to add explicit clarifying language to
> > address your concern, we will definitely do that.
> >
> > In the interim, you can refer the vendor to my email and the spec
> > authors.
> >
> > We are also launching the OATH certification program that will require
> > any vendor who claims their product to be 'OATH certified' to be
> > compliant with the certification documents.
> >
> > Thanks,
> >
> > Siddharth
> >
> > -Original Message-
> > From: Jason Thompson [mailto:ja...@jdthompson.com]
> > Sent: Wednesday, September 22, 2010 4:49 PM
> > To: Bajaj, Siddharth
> > Subject: FW: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> >
> > -Original Message-
> > From: matthew.reeves-ha...@willowict.com
> > Sent: Monday, September 20, 2010 8:14 AM
> > To: suggesti...@openauthentication.org
> > Subject: [suggestions] draft-mraihi-totp-timebased-06.txt
> >
> > mreeves sent a message using the contact form at
> > http://www.openauthentication.org/contact.
> >
> > Can you advise if the above mentioned document will be amended to fall in
> > line with the certification document as published on this site?
> >
> > I have hit a problem where a supplier of a radius system accepts multiple
> > authentications using the same TOTP, they state that they conform to the
> > standard quoting the above doc, which makes no mention of only allowing a
> > TOTP to be used once, whereas the certification doc specifically mentions
> > this.
> >
> > Thanks
> >
> > Matthew Reeves-Hairs
> >
> >
> >
> >
> > --
> > This email was A
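Replay detection of the kind described in this message (and needed by the AuthSQLTOTP code from the earlier TOTP.pm message) as an added example; this is not Radiator's code. The verifier records the last accepted time step in the equivalent of the 'accessed' column and refuses a correct code for any step at or before it. The in-memory rows, MAX_BAD_LOGINS and that exact replay rule are assumptions; the HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238.

```python
"""Added example (not Radiator's code): TOTP verification with replay
detection, in the spirit of the AuthBy SQLTOTP change described above.
The in-memory 'totpkeys' rows, MAX_BAD_LOGINS and the rule 'never accept
a code for a time step at or before the last accepted one' are assumptions
for illustration; the HOTP/TOTP arithmetic follows RFC 4226 / RFC 6238
(HMAC-SHA1, 30-second steps)."""
import hashlib
import hmac
import struct

TIME_STEP = 30        # RFC 6238 default time step, seconds
WINDOW = 1            # accept steps T-1, T, T+1 to tolerate clock drift
MAX_BAD_LOGINS = 5    # assumed lockout policy, not a Radiator default


def totp_timestep(now, step=TIME_STEP):
    """Time step counter T = floor(now / step)."""
    return now // step


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then the low 'digits' decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, now, digits=6, step=TIME_STEP):
    """The code a token displays at epoch time 'now'."""
    return hotp(secret, totp_timestep(now, step), digits)


class TotpVerifier:
    """Stand-in for the totpkeys table: username -> row dict holding the
    columns the list's AuthSelect reads (secret, active, digits,
    bad_logins, accessed).  'accessed' is the epoch time of the last
    *accepted* login; the replay check is based on it."""

    def __init__(self, rows):
        self.rows = rows

    def check(self, username, otp, now):
        """Return (accepted, reason); mutating the row is the
        UpdateQuery equivalent."""
        row = self.rows.get(username)
        if row is None:
            return False, "No such user"
        if not row["active"]:
            return False, "Token inactive"
        if row["bad_logins"] >= MAX_BAD_LOGINS:
            return False, "Too many bad logins"

        last_step = totp_timestep(row["accessed"]) if row["accessed"] else -1
        current = totp_timestep(now)
        for delta in range(-WINDOW, WINDOW + 1):
            step = current + delta
            expected = hotp(row["secret"], step, row["digits"])
            if not hmac.compare_digest(expected.encode(), otp.encode()):
                continue
            if step <= last_step:
                # Correct code, but for a step already consumed: a replay.
                row["bad_logins"] += 1
                return False, "Replay of an already used OTP"
            row["accessed"] = step * TIME_STEP   # remember the accepted step
            row["bad_logins"] = 0
            return True, "OK"
        row["bad_logins"] += 1
        return False, "Bad OTP"


def sample_rows():
    """Constructed row using the RFC 6238 Appendix B SHA-1 test secret."""
    return {"steve": {"secret": b"12345678901234567890", "active": True,
                      "digits": 6, "bad_logins": 0, "accessed": None}}


def demo():
    """Accept a fresh code, then reject the very same code: (True, False)."""
    v = TotpVerifier(sample_rows())
    now = 1111111111                               # RFC 6238 test instant
    code = totp(b"12345678901234567890", now)      # what the token shows
    first, _ = v.check("steve", code, now)
    second, _ = v.check("steve", code, now)
    return first, second


if __name__ == "__main__":
    print(demo())   # (True, False)
```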

Re: [RADIATOR] ServerHTTP

2010-10-14 Thread Mike McCauley
nd_camc_hsi.crt
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the server's private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
> #EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randomness
> #   EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller sizes.
> EAPTLS_MaxFragmentSize 1000
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> #   EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has been revoked, the authentication will
> # fail with an error:
> #   SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> #  the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> #  openssl crl -in crl.pem -hash -noout
> # CRLs with this name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # A CRL file can be generated with openssl like this:
> #  openssl ca -gencrl -revoke cert-clt.pem
> #  openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you to specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If there is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identity
> # EAPAnonymous anonym...@some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session can be resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
>
> # You can control which version of the draft PEAP protocol to honour
> # with EAPTLS_PEAPVersion. Defaults to 1. Set 

Re: [RADIATOR] ServerHTTP

2010-10-14 Thread Mike McCauley
Hi Todd,


On Thursday 14 October 2010 07:15:51 am Smith, Todd wrote:
> The server is x86 32 bit Ubuntu 8.04 LTS running Linux kernel
> 2.6.24-28-server with Perl version 5.8.8 fully patched from standard Ubuntu
> sources.

We have tried, but haven't been able to reproduce this problem on that platform 
(or any other).

Looks like you have your ServerHTTP configured for UseSSL? And that the 
connection from your browser was an SSL connection.
How and where from did you install the perl Net::SSLeay module?
Have you updated or changed your openssl install?
What browser were you using?

I think I need to see your complete config file (no secrets)

Cheers.


>
> -Original Message-----
> From: Mike McCauley [mailto:mi...@open.com.au]
> Sent: Wednesday, October 13, 2010 17:07
> To: radiator@open.com.au
> Cc: Smith, Todd
> Subject: Re: [RADIATOR] ServerHTTP
>
> Hello Todd,
>
> That is perl crashing. It's very unusual.
>
> What platform, operating system and version of perl are you using?
>
> Cheers.
>
> Confidentiality Note: The information contained in this message
> may be privileged and confidential. If this e-mail contains
> protected health information, you are hereby notified that any
> dissemination, distribution or copying of this communication is
> strictly prohibited,except as permitted by law. If you have
> received this communication in error, please notify the sender
> immediately by replying to this message and deleting it from your
> computer.  Thank you.





Re: [RADIATOR] refresh time on clientlistsql

2010-10-14 Thread Mike McCauley
Hello Alex,

Thanks for the log.
Can we please see a bit more of the log, maybe a few hundred lines before the 
error.
Are you quite sure you don't have a 4.7 patch set installed?

Cheers.

On Thursday 14 October 2010 09:01:09 pm Alexander Hartmaier wrote:
> Hi Mike,
>
> the config section
>
> <ClientListSQL>
> DBSource dbi:Oracle:NAC
> DBUsername  foo
> DBAuth  bar
>
> ConnectionHook  sub { \
>     $_[1]->do("ALTER SESSION SET NLS_DATE_FORMAT = '-MM-DD HH24:MI:SS'"); \
>     $_[1]->do("ALTER SESSION SET CURRENT_SCHEMA  = nacadm"); \
> }
>
> # store the supportgroup from the CMDB in the OSC-Group-Identifier attribute
> GetClientQuery SELECT device.ipaddr, 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5
>
> # Reread the client list every hour
> RefreshPeriod 3600
> </ClientListSQL>
>
>
> the error from the level 3 logfile:
>
> Thu Oct 14 12:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr,
> 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE
> device.fk_collector = 5': SQL Timeout
>
>
>
> --
> Best regards, Alex
>
>
>
>
> On Monday, 11.10.2010, 23:27 +0200, Mike McCauley wrote:
>
>
> Hello Alexander,
>
> On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
> > Hi Mike,
> >
> > 4.7 rpm, without patches.
>
> OK, so we will need to see the config file and the log file showing the
> error and what happens before.
>
> Cheers.
>
>
>
>
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>"* Notice: This e-mail contains information that is confidential and may be
> privileged. If you are not the intended recipient, please notify the sender
> and then delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
>"*





Re: [RADIATOR] ServerHTTP

2010-10-13 Thread Mike McCauley
Hello Todd,

On Thursday 14 October 2010 05:48:10 am Smith, Todd wrote:
> Hello Mike,
>
>
> Wed Oct 13 15:08:18 2010: DEBUG: Stream sysread for 10.2.96.125:2446 failed: Connection reset by peer. Peer probably disconnected.
> Wed Oct 13 15:08:18 2010: DEBUG: Stream disconnected from 10.2.96.125:2446
> Wed Oct 13 15:08:23 2010: DEBUG: Stream sysread for 10.2.96.125:2447 failed: . Peer probably disconnected.
> Wed Oct 13 15:08:23 2010: DEBUG: Stream disconnected from 10.2.96.125:2447
> Wed Oct 13 15:08:23 2010: DEBUG: Stream connected to 10.2.96.125:2451
> Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS sessionInit for 10.2.96.125
> Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: -1, 2, 8720
> Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS Server Started for 10.2.96.125:2451
> Wed Oct 13 15:08:23 2010: DEBUG: New StreamServer Connection created for 10.2.96.125:2451
> Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: -1, 2, 8576
> Wed Oct 13 15:08:23 2010: DEBUG: StreamTLS SSL_accept result: 1, 0, 3
> Wed Oct 13 15:08:23 2010: DEBUG: ServerHTTP Connection GET /log
> Segmentation fault

That is perl crashing. It's very unusual.

What platform, operating system and version of perl are you using?

Cheers.

>
> I was just sitting on the webpage for a few seconds when it posted the
> above to std_out since I was running Radiator in foreground as well as
> log_stdout.  I haven't changed LogMaxLines so it is sitting at default and
> after I restarted Radiator with foreground and log_stdout; I was able to
> view the log without any issues.  It was only after just sitting at the
> page looking at the log that I chose to refresh it with the above result in
> stdout.
>
> Possible Perl issue maybe?  I had just installed the latest patches and
> reran make test and make install and restarted the process and nothing
> seemed to error or fail during compilation.
>
> >> If there is a limit to the logfile size, can you limit the size of a
> >> logfile being created?
> >
> >There are no features for rotating/changing log files based on size.
>
> This would seem to be a nice feature request since some other RADIUS
> servers can do this and some customers might have functionality based around
> size.  It is not a show-stopper for me since as long as I can read the file
> then it is good enough.
>
> Todd Smith





Re: [RADIATOR] ServerHTTP

2010-10-12 Thread Mike McCauley
Hi Todd,

On Wednesday 13 October 2010 12:12:47 am Smith, Todd wrote:
> I am working on replacing some elderly Steel-Belted RADIUS servers with
> Ubuntu 8.04LTS running Radiator and I am encountering some unusual
> situations.  I don't think that it is a true problem or I would have posted
> a config and trace but it is somewhat surprising.  I expect that you will
> see plenty of postings from me as I try understand and work the new servers
> into our environment.

We will try to help you.
I see you have an email support contract. You may wish to use the support 
alias for prompt, private responses.

>
> Using the <ServerHTTP> clause, is there a limit to the size of the file
> that can be viewed under the View Log link?  A logfile that is 903K can be
> read without any issue but a larger file, like a 10MB file, causes the
> entire perl process to stop.  It doesn't produce any core dump or any error
> message, it just drops out of process space and is not running under ps
> -ef.  If I restart the perl process and radiator, then the <ServerHTTP>
> function restarts and I can log back into the website.

View Log shows the last LogMaxLines messages in an internal ring buffer within 
the Radiator process. It doesn't show the contents of the Radiator log file.

The configuration includes LogMaxLines, which defaults to 500. Have you altered 
that?

In any case, it sounds like your Radiator is crashing.
You might consider running it in the foreground, or under restartWrapper, so 
you can see if there is an error message printed on stdout.

>
> If there is a limit to the logfile size, can you limit the size of a
> logfile being created?  

There are no features for rotating/changing log files based on size.


> I am currently rotating the logfile using the date 
> % macros in the LogFile directive but the file grows until the date
> changes.  I am still using Trace level 4 which as soon as I am comfortable
> that everything is setup and working correctly then I will reduce it back
> to 0 or 1.

Good idea.

Cheers.

>
> Thank you for your time.
>
> Todd Smith
>
>





Re: [RADIATOR] refresh time on clientlistsql

2010-10-11 Thread Mike McCauley
Hello Alexander,

On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
> Hi Mike,
>
> 4.7 rpm, without patches.

OK, so we will need to see the config file and the log file showing the error 
and what happens before.

Cheers.




Re: [RADIATOR] refresh time on clientlistsql

2010-10-08 Thread Mike McCauley
Hello Alexander,

A recent patch caused a problem that probably would have affected timeouts in 
ClientListSQL. A more recent patch has fixed that. What patch level are you 
at?

Cheers.

On Saturday 09 October 2010 03:24:09 am Alexander Hartmaier wrote:
> Hi Hugh,
>
> we started to use the ClientListSQL feature too but get an Oracle SQL
> timeout error in the logs whenever Radiator tries to refresh the list,
> works on startup.
>
> Any idea why and how we can debug this?
>
> --
> Best regards, Alex
>
> On Wednesday, 22.09.2010, 00:25 +0200, Hugh Irvine wrote:
> > Hello Alex -
> >
> > See section 5.7.3 in the Radiator 4.7 reference manual ("doc/ref.pdf").
> >
> > regards
> >
> > Hugh
> >
> > On 22 Sep 2010, at 05:01, Martin Burton wrote:
> > > Hi Alex,
> > >
> > > You need to make sure that RefreshPeriod is set in your config file.
> > > It defaults to 0, which means the SQL query is performed only upon
> > > radiusd start or when it's sent a SIGHUP.
> > >
> > > <ClientListSQL>
> > > .
> > > .
> > > .
> > > RefreshPeriod 300
> > > .
> > > .
> > > .
> > > </ClientListSQL>
> > >
> > > would cause the DB to be requeried every 5 minutes for example.
> > >
> > > Hope that helps.
> > >
> > > Cheers,
> > >
> > > Martin.
> > >
> > > On 21/09/2010 19:41, Alex Sharaz wrote:
> > >> Hi all,
> > >>
> > >> I've got a cluster of radius servers all configured to read NAS
> > >> clients from a db2 database. I thought that radiator was supposed to
> > >> periodically refresh its internal list of clients by rereading the
> > >> database.
> > >>
> > >> Yesterday morning I added a number of clients to the database. By 16:00
> > >> today the radius servers still hadn't picked up the new clients.  A
> > >> reload caused radiator to reread the client list but it would have
> > >> been nice to have radiator pick up the new clients automagically.
> > >>
> > >> Anyone else seen problems with refreshing client lists?
> > >>
> > >> Rgds
> > >> Alex
> > >>
> > >
> > > --
> > > Martin Burton
> > > Senior Systems Administrator   \\\|||///
> > > Special Projects Team \\  ^ ^  //
> > > Wellcome Trust Sanger Institute(  6 6  )
> > > -oOOo-(_)-oOOo---
> > >
> > >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive
> > (www.open.com.au/archives/radiator)? Have you had a quick look on Google
> > (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
>





Re: [RADIATOR] SqlDb Patch 1.39 breaks on AuthSQLTOTP and AuthSQLHOTP

2010-10-07 Thread Mike McCauley
Hello Steffen,

thanks for reporting this. There was indeed a problem with the initialisation 
of those modules, which we have fixed in the latest patch set.

We apologise for any inconvenience.

Cheers.

On Thursday 07 October 2010 09:50:20 pm Steffen Weinreich wrote:
> Hi!
>
> Today I have downloaded the latest patchset to play with AuthSQLTOTP
> and AuthSQLHOTP and had some headaches because all SQL queries in these
> modules fail with
>
> Thu Oct  7 11:27:13 2010: DEBUG: Query is: 'select secret, counter_high,
> counter_low, active, pin, digits, bad_logins, unix_timestamp(accessed)
> from hotpkeys where username='mikem'':
> Thu Oct  7 11:27:13 2010: DEBUG: Radius::AuthSQLHOTP IGNORE: Database
> failure: mikem [mikem]
>
> After doing some debugging on this, I saw that in SqlDb.pm the variable
> $self->{SQLRetries} does not get initialized in the context of
> AuthSQLTOTP and AuthSQLHOTP. According to the diffs between the Release
> 4.7 and the patchset this variable has been added between 1.37 and 1.39
> of SqlDb.pm.
>
> I think there are some calls to the SqlDb.pm initializing missing in (at
> least) AuthSQLTOTP and AuthSQLHOTP.
>
> cheerio
> Steve
>
> --
> Standing still is useless. It is one thing or the other,
> either progress or decline. -- Lord Robert Baden-Powell





Re: [RADIATOR] accessing ntlm_auth Authentication-Error attribute

2010-10-05 Thread Mike McCauley
Hi David,

thanks for raising this issue.
We have now updated AuthBy NTLM so that if an authentication fails, the 
Warning log message records the user name along with the Authentication-Error.

This fix is now in the latest patch set.

As for getting the error message text into the reply message, that would take 
some considerable modification of the code, which of course you may do if you 
wish.

Thanks again for the suggestions.
Cheers.

On Wednesday 06 October 2010 10:23:36 am David Zych wrote:
> Hi,
>
> I'm using AuthBy NTLM to authenticate Active Directory users from a linux
> Radiator instance.  When an authentication fails, ntlm_auth seems to give a
> useful error message in the "Authentication-Error" attribute which would be
> helpful for distinguishing different types of problems.  This attribute is
> clearly visible both in the DEBUG output and in a WARNING log message that
> is generated by the module, but I can't figure out how to reference it
> afterward to do other things with it (such as include it in my AuthLog
> FailureFormat, store it in a database where it can assist our help desk in
> troubleshooting, return it as the reject reason, etc).  Is there any way to
> get at this value short of modifying the module?
>
> Below are sample debug output snippets from two failed ntlm_auth login
> attempts.  In both cases the AuthBy NTLM reject reason is simply "AuthBy
> NTLM Password check failed" which is not nearly as helpful in
> troubleshooting as the Authentication-Error message ("Wrong Password" vs
> "No such user") would be.  Note also that unfortunately the WARNING message
> doesn't include the username, so even that wouldn't be terribly helpful in
> a production environment with lots of requests.
>
> Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM looks for match with dmrz [dmrz]
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute LANMAN-Challenge: 551ad887cef366ce
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Response: ef76db2128d03a9789133c333175ac5aaad6acedd8c17f44
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
> Tue Oct  5 18:55:09 2010: DEBUG: Passing attribute Username:: ZG1yeg==
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authenticated: No
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: Authentication-Error: Wrong Password
> Tue Oct  5 18:55:09 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:09 2010: WARNING: NTLM Could not authenticate user: Wrong Password
> Tue Oct  5 18:55:09 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: dmrz [dmrz]
> Tue Oct  5 18:55:09 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
> Tue Oct  5 18:55:09 2010: INFO: Access rejected for dmrz: AuthBy NTLM Password check failed
>
> vs
>
> Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM looks for match with bogususer [bogususer]
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute LANMAN-Challenge: f706118f18863992
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Response: 3667e0f1e6a08365d587d54f8a7889357f36e94da008e8cf
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute NT-Domain:: VUlVQw==
> Tue Oct  5 18:55:38 2010: DEBUG: Passing attribute Username:: Ym9ndXN1c2Vy
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authenticated: No
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: Authentication-Error: No such user
> Tue Oct  5 18:55:38 2010: DEBUG: Received attribute: .
> Tue Oct  5 18:55:38 2010: WARNING: NTLM Could not authenticate user: No such user
> Tue Oct  5 18:55:38 2010: DEBUG: Radius::AuthNTLM REJECT: AuthBy NTLM Password check failed: bogususer [bogususer]
> Tue Oct  5 18:55:38 2010: DEBUG: AuthBy GROUP result: REJECT, AuthBy NTLM Password check failed
> Tue Oct  5 18:55:38 2010: INFO: Access rejected for bogususer: AuthBy NTLM Password check failed
>
> Thanks,
> David
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator



-- 
Mike McCauley   mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax

Re: [RADIATOR] bind address LDAP queries

2010-10-05 Thread Mike McCauley
Hello Roel,

thanks for the suggestion.

We have now updated Ldap.pm with support for BindAddress in all Ldap derived 
clauses, allowing you to specify a local address for the client side of the 
LDAP connection with BindAddress, in the form hostname[:port]. Defaults to 
0.0.0.0.

The change is now in the latest patch set.

Hope that helps.
Cheers.


On Tuesday 05 October 2010 10:34:56 pm Roel Hoek wrote:
> Hi,
>
> We are in a process to transfer our radius services onto new hardware.
> On the old platform (SuSE with Radiator 3.17.1) the source address for
> LDAP-queries to an external host is the first bind-address listed in the
> 'BindAddress' in the config file, and this is the primary address of the
> host.
>
> On the new system (Ubuntu) Radiator (4.7) doesn't use a source-address
> listed in 'BindAddress' in the config file for LDAP-queries. In this
> case the source address is the last defined secondary address on the host.
> So I think it was just a coincidence that the source address for
> LDAP queries is listed in the config file?
>
> How does Radiator select a source address for LDAP queries? Is it
> possible to define it within the config? It is important for us that the
> source address is fixed because of firewall settings.
>
> Attributes LocalAddress or BindAddress are not supported within an
> AuthBy LDAP2 clause.




Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-30 Thread Mike McCauley
Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> No, I'm running it on a member server.
>
> Our AD administrators are very reluctant to run applications on PDC's and
> BDC's. I can ask but I don't think I will get permission.
>
> Will it work on a BDC ?
>
> If not, do I have any other options ? Currently I'm using Radiator to proxy
> 802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN
> attributes. I was kind of hoping to eliminate SBR in part to simplify
> support for Eduroam.

Tests here show that it works OK on any domain member provided that the user 
who is running the script is logged in to the domain.

Cheers.

>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: neil-john...@uiowa.edu
>
>
> -Original Message-
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On
> Behalf Of Mike McCauley Sent: Wednesday, September 29, 2010 9:22 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hello Neil,
>
> tests here show that your script (suitably modified) works provided you run
> it on the PDC as the administrator.
>
> Is that how you are testing?
>
> Cheers.
>
> On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > I whipped up a script based on what I could find in the source code to
> > test group membership and it doesn't seem to matter if the group is local
> > or global, it can't find it:
> >
> > #!c:\perl64\bin\perl.exe
> >
> > use strict;
> > use warnings;
> > use Win32::NetAdmin;
> >
> > my $User = "nmjoo";
> > my $Group = "ITS-WIRELESS";
> > my $Domain = "IOWA";
> > my $Server = "";
> >
> > # GetDomainController fills $Server with the name of a DC for $Domain
> > print "Getting Domain Controller\n";
> > Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> > print "Domain Controller for Domain $Domain is $Server\n";
> >
> > # Check global (domain) group membership first, then local group membership
> > print "Checking to see if user: $User is member of Group: $Group\n";
> > if (Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> >     || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> >     print "$User is Member of group $Group\n";
> > }
> > else {
> >     print "$User is not Member of group $Group\n";
> > }
> >
> > Output:
> >
> > C:\Program Files\Radiator>test2.pl
> > Getting Domain Controller
> > Domain Controller for Domain IOWA is \\IOWADC1
> > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > nmjoo is not Member of group ITS-WIRELESS
> > C:\Program Files\Radiator>





Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-29 Thread Mike McCauley
Hello Neil,

tests here show that your script (suitably modified) works provided you run it 
on the PDC as the administrator. 

Is that how you are testing?

Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> I whipped up a script based on what I could find in the source code to test
> group membership and it doesn't seem to matter if the group is local or
> global, it can't find it:
>
> #!c:\perl64\bin\perl.exe
>
> use strict;
> use warnings;
> use Win32::NetAdmin;
>
> my $User = "nmjoo";
> my $Group = "ITS-WIRELESS";
> my $Domain = "IOWA";
> my $Server = "";
>
> # GetDomainController fills $Server with the name of a DC for $Domain
> print "Getting Domain Controller\n";
> Win32::NetAdmin::GetDomainController("", $Domain, $Server);
> print "Domain Controller for Domain $Domain is $Server\n";
>
> # Check global (domain) group membership first, then local group membership
> print "Checking to see if user: $User is member of Group: $Group\n";
> if (Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
>     || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
>     print "$User is Member of group $Group\n";
> }
> else {
>     print "$User is not Member of group $Group\n";
> }
>
> Output:
>
> C:\Program Files\Radiator>test2.pl
> Getting Domain Controller
> Domain Controller for Domain IOWA is \\IOWADC1
> Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> nmjoo is not Member of group ITS-WIRELESS
> C:\Program Files\Radiator>





Re: [RADIATOR] Issues with AuthbyNTLM (LONG)

2010-09-25 Thread Mike McCauley
Hi All,

Yes, that looks like exactly the same problem.

Good to see it will be fixed in the next 3.4 release, and that there is a 
patch available from Samba.

Cheers.


On Saturday 25 September 2010 07:03:25 pm Klara Mall wrote:
> Hi all,
>
> On 09/22/2010 11:44 PM, Mike McCauley wrote:
> > we have also seen some similar behaviour to that reported by Heikki, ie
> > where ntlm_auth intermittently returns an incorrect User-Session-Key.
> > Restarting Samba would cause it to work correctly for a while, and then
> > it would start to send the wrong results again.
> >
> > Downgrading Samba and reporting the issue to the Samba team may be the
> > best solution.
>
> Same behaviour for me (still using winbind from Debian etch here for
> this reason), but I did not know that the User-Session-Key is the
> problem. But now I found the issue is reported and probably recently
> even resolved (see from comment 41):
> https://bugzilla.samba.org/show_bug.cgi?id=6563
>
> Regards
> Klara





Re: [RADIATOR] Issues with AuthbyNTLM (LONG)

2010-09-22 Thread Mike McCauley
> > Code:       Access-Request
> > Identifier: UNDEF
> > Authentic:  <232><180><135>ho<23><1><169><169><10><215>4<199><184><149>I
> > Attributes:
> > EAP-Message = <2><8><0>C<26><2><8><0>B1Wh<5>^<141><175><213><249><149><254>Wn"<180><27>U<0><0><0><0><0><0><0><0><218><235><166><31><10><133><229>AFD<<226><221><135><189>b<229>q<163><11><248>-"<4><0>CAMC\tssmith
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> > NAS-IP-Address = 10.2.96.19
> > NAS-Identifier = "Dover Standalone (Thick) AP"
> > NAS-Port = 16973824
> > Calling-Station-Id = "00-13-ce-69-43-2c"
> > User-Name = "anonymous"
> >
> > Wed Sep 22 12:05:59 2010: DEBUG: Handling request with Handler '', Identifier ''
> > Wed Sep 22 12:05:59 2010: DEBUG:  Deleting session for anonymous, 10.2.96.19, 16973824
> > Wed Sep 22 12:05:59 2010: DEBUG: Handling with Radius::AuthNTLM:
> > Wed Sep 22 12:05:59 2010: DEBUG: Handling with EAP: code 2, 8, 67, 26
> > Wed Sep 22 12:05:59 2010: DEBUG: Response type 26
> > Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM looks for match with CAMC\tssmith [anonymous]
> > Wed Sep 22 12:05:59 2010: DEBUG: Radius::AuthNTLM ACCEPT: : CAMC\tssmith [anonymous]
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-User-Session-Key: Yes
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Request-LanMan-Session-Key: Yes
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute LANMAN-Challenge: 179b1eda2032ef41
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Response: daeba61f0a85e54146443ce2dd87bd62e571a30bf82d2204
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute NT-Domain:: Q0FNQw==
> > Wed Sep 22 12:05:59 2010: DEBUG: Passing attribute Username:: dHNzbWl0aA==
> > Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: Authenticated: Yes
> > Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: LANMAN-Session-Key: 55FC5F8DFAA3A58D
> > Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: User-Session-Key: B48DFF252D4FAB7CBEA3207E1A5C51BE
>
> Everything looks good so far. ntlm_auth gets a success back from the
> Windows server and also the User-Session-Key it requested.
>
> If I have understood correctly the User-Session-Key should be an MD4 hash
> of the NTHash that the Windows server stores. In other words
> md4(md4(asciitounicode(password))), which with plain 7bit ascii is simply
> md4(md4(password))
>
> The broken ntlm_auth does not return this double hash of the password, but
> instead some other value. This value causes an incorrect "authenticator
> response" to be calculated and makes the client think that the server
> does not know the real password hash. In other words the server
> authentication to the client fails.
>
> What happens is that the client ends the authentication and no reply is ever
> received until a new try is initiated by the client. Just like below,
> the last message is the message to the client.
>
> Looking at the Radiator goodies directory, the simplest method to generate the
> User-Session-Key from a known password is this:
>
> % perl goodies/nthash.pl password
> {nthash}8846F7EAEE8FB117AD06BDD830B7586C
>
> % perl goodies/nthash.pl 8846F7EAEE8FB117AD06BDD830B7586C
> {nthash}0204D0612AF59BDABC236E5195648836
>
> The hex string 0204D0612AF59BDABC236E5195648836 is the User-Session-Key
> for the password 'password'.
>
> > Wed Sep 22 12:05:59 2010: DEBUG: Received attribute: .
> > Wed Sep 22 12:05:59 2010: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
> > Wed Sep 22 12:05:59 2010: DEBUG: AuthBy NTLM result: CHALLENGE, EAP MSCHAP V2 Challenge: Success
> > Wed Sep 22 12:05:59 2010: DEBUG: Access challenged for anonymous: EAP MSCHAP V2 Challenge: Success
> > Wed Sep 22 12:05:59 2010: DEBUG: Returned PEAP tunnelled packet dump:
> > Code:       Access-Challenge
> > Identifier: UNDEF
> > Authentic:  <232><180><135>ho<23><1><169><169><10><215>4<199><184><149>I
> > Attributes:
> > EAP-Message = <1><9><0>=<26><3><8><0>8S=AD59BE8E0A96165332AEEBF926A4002E2086
