Re: [RADIATOR] random EAP authentication errors since 4.17
Hi Heikki, just read the patches changelog, the EAP related things sound good! I'll get back to you when I got a change to update our 802.1x Radius servers to it. Thanks, Alex On 2017-04-20 10:26, Heikki Vatiainen wrote: On 24.1.2017 14.58, Hartmaier Alexander wrote: On 2017-01-24 12:57, Heikki Vatiainen wrote: I think we'll need to think about an interface for this. This discussion has been useful to understanding the custom use cases, so rather than moving it, I' say it's better to provide a documented call or similar to do this. That would be great! Can you name a timeframe how soon you would have a patch for us to decide if we implement the current solution or wait for the documented one? Getting back to this: The current Radiator 4.17 patch set includes eaptls_resume_post_auth_hook.pl in goodies that shows how to customise authentication results. What the sample hook shows should be more simple and better way to do what we discussed earlier. It also does away the need to know about how internals that could change in the future. The example shows how to work with non-resumed and resumed TLS sessions. There's no need to call any of the Net::SSLeay methods since the context now has the necessary information about how and if the resumption was done. Thanks, Heikki *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 24.1.2017 14.58, Hartmaier Alexander wrote: On 2017-01-24 12:57, Heikki Vatiainen wrote: I think we'll need to think about an interface for this. This discussion has been useful to understanding the custom use cases, so rather than moving it, I' say it's better to provide a documented call or similar to do this. That would be great! Can you name a timeframe how soon you would have a patch for us to decide if we implement the current solution or wait for the documented one? Getting back to this: The current Radiator 4.17 patch set includes eaptls_resume_post_auth_hook.pl in goodies that shows how to customise authentication results. What the sample hook shows should be more simple and better way to do what we discussed earlier. It also does away the need to know about how internals that could change in the future. The example shows how to work with non-resumed and resumed TLS sessions. There's no need to call any of the Net::SSLeay methods since the context now has the necessary information about how and if the resumption was done. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2017-01-24 12:57, Heikki Vatiainen wrote: On 24.1.2017 13.39, Hartmaier Alexander wrote: Could you move the storage of reply attributes into the resume context to a point after PostAuthHook is called so this isn't required? I think we'll need to think about an interface for this. This discussion has been useful to understanding the custom use cases, so rather than moving it, I' say it's better to provide a documented call or similar to do this. That would be great! Can you name a timeframe how soon you would have a patch for us to decide if we implement the current solution or wait for the documented one? The latter is EAP-TTLS and the problem is PEAP/EAP-TLS? We don't use EAP-TTLS, only PEAP-TLS and EAP-TLS. EAP-TLS works, also resumption, PEAP-TLS doesn't. Ah, sorry, I read EAP-TLS twice. What kind of logs do you need? I could mail you the packet capture as a starting point, but we haven't had debugging enabled at that time, just log level 3 where no sign of the mentioned request with id 57 can be seen. I trace 4 log would be best. If you create one, just send it to me directly since the list does now allow large attachments. We had no duplicate error since about four hours, but I'll enable debug logging to file so we have it next time it occurs. That's a possibility since the adjustment is 40 which seems to be too little since you need 50. We probably need to update this value. I see, please document this value in ref.pdf. Which formula can be used to calculate this value? It's not calculated but an estimate that was based on watching how it worked with different certificate chains. It's a good idea to get this documented. Note that the difference between PEAP max fragment size (1300) and inner EAP-TLS max fragment size (1200) is 100, not 50. Would you suggest to decrease the inner value even more or keep the difference of 100 and decrease both? What happens when Radiator builds a reply packet with 1300 bytes EAP-Message and some other radius reply attributes and the udp packets gets larger than the server interface MTU (1500 in our case)? Is it possible that it gets silently dropped? Thanks, Heikki Is anyone else on the list using PEAP-TLS anywhere and can share her/his findings? Thanks, Alex *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 24.1.2017 13.39, Hartmaier Alexander wrote: Could you move the storage of reply attributes into the resume context to a point after PostAuthHook is called so this isn't required? I think we'll need to think about an interface for this. This discussion has been useful to understanding the custom use cases, so rather than moving it, I' say it's better to provide a documented call or similar to do this. The latter is EAP-TTLS and the problem is PEAP/EAP-TLS? We don't use EAP-TTLS, only PEAP-TLS and EAP-TLS. EAP-TLS works, also resumption, PEAP-TLS doesn't. Ah, sorry, I read EAP-TLS twice. What kind of logs do you need? I could mail you the packet capture as a starting point, but we haven't had debugging enabled at that time, just log level 3 where no sign of the mentioned request with id 57 can be seen. I trace 4 log would be best. If you create one, just send it to me directly since the list does now allow large attachments. That's a possibility since the adjustment is 40 which seems to be too little since you need 50. We probably need to update this value. I see, please document this value in ref.pdf. Which formula can be used to calculate this value? It's not calculated but an estimate that was based on watching how it worked with different certificate chains. It's a good idea to get this documented. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2017-01-24 12:11, Heikki Vatiainen wrote:
On 24.1.2017 12.18, Hartmaier Alexander wrote:
Yes, that's correct. The information saved for resume has the same
lifetime. Also, if it happens that a session is resumed by TLS layer
but Radiator has no information about the resumed session, the
authentication will fail.
I can't confirm that behaviour. For us the (by OpenSSL) successfully
resumed session was accepted without any reply attributes leading to
clients not getting in the correct vlan. That's why I've assumed that
the resume context wasn't saved or restored correctly.
I think I might know why you are not seeing the your reply attributes,
please see below.
That explains why my change from $p->{EAPContext}->{hvn_test} to
$p->{EAPContext}->{eap_resume_context}->{hvn_test} in
EAPTLS_CertificateVerifyHook didn't work at all, Radiator overwrote
->{eap_resume_context} without checking that it's already there assuming
noone fiddled with it in a hook.
Correct. It only goes and fetches the information needed across
resumes when TLS handshake has completed. The hook runs before that.
To summarize, your suggested solution is:
- store custom variables in $p->{EAPContext} in
EAPTLS_CertificateVerifyHook
Yes. The context is available at that point. The saved resume
information has not been fetched yet.
- move them from $p->{EAPContext} to
$p->{EAPContext}->{eap_resume_context} in a PostAuthHook which can be
both in the EAP enabled AuthBy or the Handler for full authentications
(non-resumed). This is something I've never tried.
Yes, when you do this after full TLS handshake, the values will be
available when resume happens.
- access the stored variables in $p->{EAPContext}->{eap_resume_context}
when resuming. Is there a need to copy them to $p->{EAPContext} if I
only need their values in the PostAuthHook?
There's no need to copy them if it's ok for you to access them from
eap_resume_context.
- set the reply attributes based on the variables. Here I'd unsure if I
only need to set them for full authentications, because Radiator
persists them $p->{EAPContext}->{eap_resume_context} automatically or if
I need to do that myself because PostAuthHook is after Radiator has done
that already?
I think this might be the reason why you are not seeing the reply
attributes. The attributes (last_reply_attrs) in resume context are
not automatically updated if you add your own custom attributes in the
reply, for example, in PostAuthHook.
The attributes, last_reply_attrs, in resume context are the ones that
the inner authentication returned during the full authentication. If
you update those attributes with your custom reply attributes during
the full authentication in PostAuthHook, then your custom attributes
should be automatically added during resumption.
The radius reply attribute handling for session resumption is clear now,
thanks!
Could you move the storage of reply attributes into the resume context
to a point after PostAuthHook is called so this isn't required?
Our findings from Friday and yesterday where that only PEAP-TLS fails,
EAP-TLS works fine.
The latter is EAP-TTLS and the problem is PEAP/EAP-TLS?
We don't use EAP-TTLS, only PEAP-TLS and EAP-TLS. EAP-TLS works, also
resumption, PEAP-TLS doesn't.
We've disabled session resumption for all PEAP-TLS authentications, both
wired and wireless to work around the missing reply attributes on
resumption which lead to duplicate request errors.
I did a packet capture on the radius server and saw that the first
packet after the (PEAP) TLS tunnel establishment never gets replied by
radiator (radius packet id 57 in our capture) but it's retransmission by
the Cisco WLC after 5 seconds still gets logged as 'Duplicate request id
57 received from ...'. Do you have any idea why this could be happening?
Can't really say without logs. However, if it's related to fragment
sizes, then the adjustment in Radiator does seems not to be enough. It
uses value of 40 but as you wrote, you seem to be needing adjustment
of 50.
What kind of logs do you need? I could mail you the packet capture as a
starting point, but we haven't had debugging enabled at that time, just
log level 3 where no sign of the mentioned request with id 57 can be seen.
Further as Radiator 4.13 changelog states that it handles
EAPTLS_MaxFragmentSize of the inner EAP method automatically we've
commented our inner EAPTLS_MaxFragmentSize 1200 which lead to a non
working auth for certificates from two of our three CAs.
We had issues when we onboarded that CA and had to reduce both the outer
PEAP as well as the inner EAP-TLS EAPTLS_MaxFragmentSize by 50 to get it
working.
May there be an edge case that some auths hang because of a too large
packet (for which no error is logged by Radiator) which leads to not
replied requests which IDs are still remembered as already received by
Radiator?
That's a possibility since the adjustment is 40 which seems to be too
little since you need 50. We pro
Re: [RADIATOR] random EAP authentication errors since 4.17
On 24.1.2017 12.18, Hartmaier Alexander wrote:
Yes, that's correct. The information saved for resume has the same
lifetime. Also, if it happens that a session is resumed by TLS layer
but Radiator has no information about the resumed session, the
authentication will fail.
I can't confirm that behaviour. For us the (by OpenSSL) successfully
resumed session was accepted without any reply attributes leading to
clients not getting in the correct vlan. That's why I've assumed that
the resume context wasn't saved or restored correctly.
I think I might know why you are not seeing the your reply attributes,
please see below.
That explains why my change from $p->{EAPContext}->{hvn_test} to
$p->{EAPContext}->{eap_resume_context}->{hvn_test} in
EAPTLS_CertificateVerifyHook didn't work at all, Radiator overwrote
->{eap_resume_context} without checking that it's already there assuming
noone fiddled with it in a hook.
Correct. It only goes and fetches the information needed across resumes
when TLS handshake has completed. The hook runs before that.
To summarize, your suggested solution is:
- store custom variables in $p->{EAPContext} in
EAPTLS_CertificateVerifyHook
Yes. The context is available at that point. The saved resume
information has not been fetched yet.
- move them from $p->{EAPContext} to
$p->{EAPContext}->{eap_resume_context} in a PostAuthHook which can be
both in the EAP enabled AuthBy or the Handler for full authentications
(non-resumed). This is something I've never tried.
Yes, when you do this after full TLS handshake, the values will be
available when resume happens.
- access the stored variables in $p->{EAPContext}->{eap_resume_context}
when resuming. Is there a need to copy them to $p->{EAPContext} if I
only need their values in the PostAuthHook?
There's no need to copy them if it's ok for you to access them from
eap_resume_context.
- set the reply attributes based on the variables. Here I'd unsure if I
only need to set them for full authentications, because Radiator
persists them $p->{EAPContext}->{eap_resume_context} automatically or if
I need to do that myself because PostAuthHook is after Radiator has done
that already?
I think this might be the reason why you are not seeing the reply
attributes. The attributes (last_reply_attrs) in resume context are not
automatically updated if you add your own custom attributes in the
reply, for example, in PostAuthHook.
The attributes, last_reply_attrs, in resume context are the ones that
the inner authentication returned during the full authentication. If you
update those attributes with your custom reply attributes during the
full authentication in PostAuthHook, then your custom attributes should
be automatically added during resumption.
Our findings from Friday and yesterday where that only PEAP-TLS fails,
EAP-TLS works fine.
The latter is EAP-TTLS and the problem is PEAP/EAP-TLS?
We've disabled session resumption for all PEAP-TLS authentications, both
wired and wireless to work around the missing reply attributes on
resumption which lead to duplicate request errors.
I did a packet capture on the radius server and saw that the first
packet after the (PEAP) TLS tunnel establishment never gets replied by
radiator (radius packet id 57 in our capture) but it's retransmission by
the Cisco WLC after 5 seconds still gets logged as 'Duplicate request id
57 received from ...'. Do you have any idea why this could be happening?
Can't really say without logs. However, if it's related to fragment
sizes, then the adjustment in Radiator does seems not to be enough. It
uses value of 40 but as you wrote, you seem to be needing adjustment of 50.
Further as Radiator 4.13 changelog states that it handles
EAPTLS_MaxFragmentSize of the inner EAP method automatically we've
commented our inner EAPTLS_MaxFragmentSize 1200 which lead to a non
working auth for certificates from two of our three CAs.
We had issues when we onboarded that CA and had to reduce both the outer
PEAP as well as the inner EAP-TLS EAPTLS_MaxFragmentSize by 50 to get it
working.
May there be an edge case that some auths hang because of a too large
packet (for which no error is logged by Radiator) which leads to not
replied requests which IDs are still remembered as already received by
Radiator?
That's a possibility since the adjustment is 40 which seems to be too
little since you need 50. We probably need to update this value.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi Heikki,
On 2017-01-23 14:35, Heikki Vatiainen wrote:
On 20.1.2017 11.33, Hartmaier Alexander wrote:
Can you confirm that Radiator stores the information saved by
eap_save_resume_context for the same duration as OpenSSL is told to
do so?
In Radius/TLS.pm line 818 it looks like EAPTLS_SessionResumptionLimit is
used to set this timeout too.
Yes, that's correct. The information saved for resume has the same
lifetime. Also, if it happens that a session is resumed by TLS layer
but Radiator has no information about the resumed session, the
authentication will fail.
I can't confirm that behaviour. For us the (by OpenSSL) successfully
resumed session was accepted without any reply attributes leading to
clients not getting in the correct vlan. That's why I've assumed that
the resume context wasn't saved or restored correctly.
Can you please write up how we should persist our custom data set in the
EAPTLS_CertificateVerifyHook and retrieve it in the PostAuth hook?
I suggest defining and documenting one key that is persisted and
restored by eap_save_resume_context / eap_recover_resume_context which
can then be used by hooks to store data in.
I have attached a short PostAuthHook that does this. During the full
auth, the hook stores a custom value from EAPContext so that it is
available when TLS resume is done. When a TLS resume is done, it
copies the value from resume data to EAPContext. This allows you to
always access your custom value when the hook has run. You may want to
add more error checks, etc. but it should work as a sample.
The hook can be configured as PostAuthHook for an AuthBy or a Handler.
In addition to this, for a demo, use this for
EAPTLS_CertificateVerifyHook:
EAPTLS_CertificateVerifyHook sub {my $p = $_[5]; \
$p->{EAPContext}->{hvn_test} = 'hvn_test set in
CertificateVerifyHook. Time: '. time(); \
return $_[0];}
The verify hook sets a custom value that the PostAuthHook stores and
restores as needed. The timestamp is there to show how the value stays
the same once it's set during the full authentication.
Is $p->{EAPContext}->{eap_resume_context} already available in a
EAPTLS_CertificateVerifyHook or will data I'll write into it be
overwritten?
No, the resume context is created only when TLS has accepted a new
session. You need to store the values in EAPContext as you are already
doing.
That explains why my change from $p->{EAPContext}->{hvn_test} to
$p->{EAPContext}->{eap_resume_context}->{hvn_test} in
EAPTLS_CertificateVerifyHook didn't work at all, Radiator overwrote
->{eap_resume_context} without checking that it's already there assuming
noone fiddled with it in a hook.
Also in a PostAuth hook when a session has been resumed?
Yes, as seen in the attached hook.
I've tried using $p->{EAPContext}->{eap_resume_context} instead of
$p->{EAPContext} for all custom variables but the reply attributes set
by our PostAuth hook aren't restored from the resume context as it
seems.
Is eap_save_resume_context called before the PostAuth hook is called?
It is, but you may want to see the hook to see if it works better in
your case.
What about my suggestion to add a warning to Radius::Context::get if a
context can't be found?
Does this make sense as Radiator has one per-auth context and one
per-resumeable session?
I'd say get() does what it's now expected. In other words, it will
return the existing value or create a new context. Note that there is
also find() that returns the existing value, if any, and does not
reset the timeout. But in any case, the caller needs to see if it got
anything and act accordingly.
To summarize, your suggested solution is:
- store custom variables in $p->{EAPContext} in EAPTLS_CertificateVerifyHook
- move them from $p->{EAPContext} to
$p->{EAPContext}->{eap_resume_context} in a PostAuthHook which can be
both in the EAP enabled AuthBy or the Handler for full authentications
(non-resumed). This is something I've never tried.
- access the stored variables in $p->{EAPContext}->{eap_resume_context}
when resuming. Is there a need to copy them to $p->{EAPContext} if I
only need their values in the PostAuthHook?
- set the reply attributes based on the variables. Here I'd unsure if I
only need to set them for full authentications, because Radiator
persists them $p->{EAPContext}->{eap_resume_context} automatically or if
I need to do that myself because PostAuthHook is after Radiator has done
that already?
Just saw that the last paragraph in 4.22.77. PostAuthHook is duplicate.
I have made a ticket about this, thanks!
Heikki
Our findings from Friday and yesterday where that only PEAP-TLS fails,
EAP-TLS works fine.
We've disabled session resumption for all PEAP-TLS authentications, both
wired and wireless to work around the missing reply attributes on
resumption which lead to duplicate request errors.
I did a packet capture on the radius server and saw that the first
packet after the (PEAP) TLS tunnel establishment never gets replied by
radiator (
Re: [RADIATOR] random EAP authentication errors since 4.17
On 20.1.2017 11.33, Hartmaier Alexander wrote:
Can you confirm that Radiator stores the information saved by
eap_save_resume_context for the same duration as OpenSSL is told to do so?
In Radius/TLS.pm line 818 it looks like EAPTLS_SessionResumptionLimit is
used to set this timeout too.
Yes, that's correct. The information saved for resume has the same
lifetime. Also, if it happens that a session is resumed by TLS layer but
Radiator has no information about the resumed session, the
authentication will fail.
Can you please write up how we should persist our custom data set in the
EAPTLS_CertificateVerifyHook and retrieve it in the PostAuth hook?
I suggest defining and documenting one key that is persisted and
restored by eap_save_resume_context / eap_recover_resume_context which
can then be used by hooks to store data in.
I have attached a short PostAuthHook that does this. During the full
auth, the hook stores a custom value from EAPContext so that it is
available when TLS resume is done. When a TLS resume is done, it copies
the value from resume data to EAPContext. This allows you to always
access your custom value when the hook has run. You may want to add more
error checks, etc. but it should work as a sample.
The hook can be configured as PostAuthHook for an AuthBy or a Handler.
In addition to this, for a demo, use this for EAPTLS_CertificateVerifyHook:
EAPTLS_CertificateVerifyHook sub {my $p = $_[5]; \
$p->{EAPContext}->{hvn_test} = 'hvn_test set in
CertificateVerifyHook. Time: '. time(); \
return $_[0];}
The verify hook sets a custom value that the PostAuthHook stores and
restores as needed. The timestamp is there to show how the value stays
the same once it's set during the full authentication.
Is $p->{EAPContext}->{eap_resume_context} already available in a
EAPTLS_CertificateVerifyHook or will data I'll write into it be
overwritten?
No, the resume context is created only when TLS has accepted a new
session. You need to store the values in EAPContext as you are already
doing.
Also in a PostAuth hook when a session has been resumed?
Yes, as seen in the attached hook.
I've tried using $p->{EAPContext}->{eap_resume_context} instead of
$p->{EAPContext} for all custom variables but the reply attributes set
by our PostAuth hook aren't restored from the resume context as it seems.
Is eap_save_resume_context called before the PostAuth hook is called?
It is, but you may want to see the hook to see if it works better in
your case.
What about my suggestion to add a warning to Radius::Context::get if a
context can't be found?
Does this make sense as Radiator has one per-auth context and one
per-resumeable session?
I'd say get() does what it's now expected. In other words, it will
return the existing value or create a new context. Note that there is
also find() that returns the existing value, if any, and does not reset
the timeout. But in any case, the caller needs to see if it got anything
and act accordingly.
Just saw that the last paragraph in 4.22.77. PostAuthHook is duplicate.
I have made a ticket about this, thanks!
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
sub {
my $p = ${$_[0]};
my $result = ${$_[2]};
my $context = $p->{EAPContext};
return unless ($result == $main::ACCEPT &&
$context->{ssl});
unless ($context->{eap_resume_context})
{
# Should not happen
main::log($main::LOG_ERR, "PostAuthHook: No eap_resume_context", $p);
return;
}
my $custom_val;
my $reused = Net::SSLeay::session_reused($context->{ssl});
if ($reused)
{
# TLS session resumed. Get our custom value from the
# previously saved resume data and store it in EAP context
$custom_val = $context->{eap_resume_context}->{hvn_test};
$context->{hvn_test} = $custom_val;
}
else
{
# Full authentication. Need to store the custom value for
# later. Get it from EAP context where it was saved by
# EAPTLS_CertificateVerifyHook
$custom_val = $context->{hvn_test};
$context->{eap_resume_context}->{hvn_test} = $custom_val;
}
# The custom value always present in EAP context
main::log($main::LOG_DEBUG, "PostAuthHook: reused: $reused custom_val: $context->{hvn_test}", $p);
return;
}
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2017-01-19 16:30, Heikki Vatiainen wrote:
On 19.1.2017 13.00, Hartmaier Alexander wrote:
we still have an issue with session resumption where the EAP context
doesn't contain the custom variables we've stored in the
EAPTLS_CertificateVerifyHook of the initial, non-resumed,
authentication.
I hope I can clarify this. Please note that EAP context is aimed at
for short term storage only, as described below.
How does EAPContextTimeout, which has been reduced from 1000 to 120
seconds in version 4.17, interact with EAPTLS_SessionResumptionLimit
which defaults to 43200 seconds (12 hours) which we have explictly
configured to this value?
EAPContextTimeout is for EAP authentication only. It sets the timeout
for the client to respond and continue the ongoing EAP authentication.
EAPTLS_SessionResumptionLimit is for OpenSSL as you have correctly
understood below.
If I've interpreted the code and OpenSSL docs correctly, OpenSSL would
keep the data required for a successful session resumption for
EAPTLS_SessionResumptionLimit (12 hours).
Yes.
If a client sends a session id it would look up the session and find it
if < EAPTLS_SessionResumptionLimit but Radiator would have thrown away
its context because of > EAPContextTimeout and not return any reply
attributes in the accept reply.
Correct partly. Radiator can throw away the EAP current context once
the authentication has finished. However, it will store information
required for session resumption. This information is stored and
retrieved by the functions in EAP.pm. For example, the reply
attributes, among other information, is stored by
eap_save_resume_context().
In other words, the information required across resumed sessions has
its own storage that is separate from the EAP authentication context.
When a session is resumed successfully, the saved information is
copied in EAP context so that hooks etc. can continue to use it as
they have done with earlier releases.
Can you confirm that Radiator stores the information saved by
eap_save_resume_context for the same duration as OpenSSL is told to do so?
In Radius/TLS.pm line 818 it looks like EAPTLS_SessionResumptionLimit is
used to set this timeout too.
We've increased EAPContextTimeout to the same 43200 seconds as
EAPTLS_SessionResumptionLimit which seems to have fixed the issue.
This will keep the EAP context around so that the custom values you
save in EAP context are always available. This works even if you don't
save the custom values to resume storage similar to how EAP.pm
eap_save_resume_context() does. What you are doing is much like how
things were working before the separate storage saved by
eap_save_resume_context() was introduced.
What Radiator saves by default with the above function is the
information it needs. This includes, for example, the reply attributes
and information about inner authentication user names for PEAP and
such. It does not include any custom information since it's now known
what it might be.
What you would need to save and recover from the resume_context is
your custom information. As was discussed in the previous messages,
there's no interface to do it yet, but I can see that it is needed.
Although both timeouts are now identical we still have issues with a
much lower amount of clients than before where the OpenSSL session
resumption works, but $p->{EAPContext} in the PostAuth hook doesn't
contain any of the custom variables.
As previously asked it should be sufficient to skip any PostAuth
processing at the beginning of a PostAuth hook using this code as
Radiator has saved the reply attributes from the initial full
authentication ifself:
return
if exists $context->{ssl} &&
Net::SSLeay::session_reused($context->{ssl});
exists $context->{ssl} is required because SSL_session_reused in OpenSSL
1.0.2 segfaults when given an invalid pointer (undefined at the Perl level).
This would however lose the custom variables used for logging.
Can you please write up how we should persist our custom data set in the
EAPTLS_CertificateVerifyHook and retrieve it in the PostAuth hook?
I suggest defining and documenting one key that is persisted and
restored by eap_save_resume_context / eap_recover_resume_context which
can then be used by hooks to store data in.
Is $p->{EAPContext}->{eap_resume_context} already available in a
EAPTLS_CertificateVerifyHook or will data I'll write into it be overwritten?
Also in a PostAuth hook when a session has been resumed?
I've tried using $p->{EAPContext}->{eap_resume_context} instead of
$p->{EAPContext} for all custom variables but the reply attributes set
by our PostAuth hook aren't restored from the resume context as it seems.
Is eap_save_resume_context called before the PostAuth hook is called?
If you can confirm that our analysis is correct please add something
like this to the docs of EAPContextTimeout:
I think we need to include information that describes how to save
custom information in case, for example, customisati
Re: [RADIATOR] random EAP authentication errors since 4.17
On 19.1.2017 13.00, Hartmaier Alexander wrote: we still have an issue with session resumption where the EAP context doesn't contain the custom variables we've stored in the EAPTLS_CertificateVerifyHook of the initial, non-resumed, authentication. I hope I can clarify this. Please note that EAP context is aimed at for short term storage only, as described below. How does EAPContextTimeout, which has been reduced from 1000 to 120 seconds in version 4.17, interact with EAPTLS_SessionResumptionLimit which defaults to 43200 seconds (12 hours) which we have explictly configured to this value? EAPContextTimeout is for EAP authentication only. It sets the timeout for the client to respond and continue the ongoing EAP authentication. EAPTLS_SessionResumptionLimit is for OpenSSL as you have correctly understood below. If I've interpreted the code and OpenSSL docs correctly, OpenSSL would keep the data required for a successful session resumption for EAPTLS_SessionResumptionLimit (12 hours). Yes. If a client sends a session id it would look up the session and find it if < EAPTLS_SessionResumptionLimit but Radiator would have thrown away its context because of > EAPContextTimeout and not return any reply attributes in the accept reply. Correct partly. Radiator can throw away the EAP current context once the authentication has finished. However, it will store information required for session resumption. This information is stored and retrieved by the functions in EAP.pm. For example, the reply attributes, among other information, is stored by eap_save_resume_context(). In other words, the information required across resumed sessions has its own storage that is separate from the EAP authentication context. When a session is resumed successfully, the saved information is copied in EAP context so that hooks etc. can continue to use it as they have done with earlier releases. We've increased EAPContextTimeout to the same 43200 seconds as EAPTLS_SessionResumptionLimit which seems to have fixed the issue. This will keep the EAP context around so that the custom values you save in EAP context are always available. This works even if you don't save the custom values to resume storage similar to how EAP.pm eap_save_resume_context() does. What you are doing is much like how things were working before the separate storage saved by eap_save_resume_context() was introduced. What Radiator saves by default with the above function is the information it needs. This includes, for example, the reply attributes and information about inner authentication user names for PEAP and such. It does not include any custom information since it's now known what it might be. What you would need to save and recover from the resume_context is your custom information. As was discussed in the previous messages, there's no interface to do it yet, but I can see that it is needed. If you can confirm that our analysis is correct please add something like this to the docs of EAPContextTimeout: I think we need to include information that describes how to save custom information in case, for example, customisation done by hooks requires it. That is, document the interface that needs to be implemented for saving the custom data. What you have described below would be for cases when EAP_UseState is not enabled. Even then the resumption is not allowed if Radiator does not know about the first full authentication. When State attribute use is enabled, then the context lookup will also depend on the State attribute that is created for each EAP authentication exchange. If the Radiator context timeout for the EAP session is shorter than the OpenSSL session timeout (EAPTLS_SessionResumptionLimit) a session resumption will succeed at the OpenSSL level but Radiator will create a new context which doesn't include any custom data nor the initial Radius reply attributes. Thanks again for your input on this. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi,
we still have an issue with session resumption where the EAP context
doesn't contain the custom variables we've stored in the
EAPTLS_CertificateVerifyHook of the initial, non-resumed, authentication.
How does EAPContextTimeout, which has been reduced from 1000 to 120
seconds in version 4.17, interact with EAPTLS_SessionResumptionLimit
which defaults to 43200 seconds (12 hours) which we have explictly
configured to this value?
If I've interpreted the code and OpenSSL docs correctly, OpenSSL would
keep the data required for a successful session resumption for
EAPTLS_SessionResumptionLimit (12 hours).
If a client sends a session id it would look up the session and find it
if < EAPTLS_SessionResumptionLimit but Radiator would have thrown away
its context because of > EAPContextTimeout and not return any reply
attributes in the accept reply.
We've increased EAPContextTimeout to the same 43200 seconds as
EAPTLS_SessionResumptionLimit which seems to have fixed the issue.
If you can confirm that our analysis is correct please add something
like this to the docs of EAPContextTimeout:
If the Radiator context timeout for the EAP session is shorter than the
OpenSSL session timeout (EAPTLS_SessionResumptionLimit) a session
resumption will succeed at the OpenSSL level but Radiator will create a
new context which doesn't include any custom data nor the initial Radius
reply attributes.
I'd also suggest to add a warning log message to Radius::Context::get if
a context can't be found and a new one is returned.
Thanks, Alex
On 2016-12-19 10:23, Hartmaier Alexander wrote:
On 2016-12-16 12:40, Heikki Vatiainen wrote:
On 16.12.2016 11.46, Hartmaier Alexander wrote:
Sadly the sh** didn't stop there, OpenSSL segfaults when
Net::SSLeay::session_reused gets passed an undefined value:
For Net::SSLeay this is just a pass through call to OpenSSL's
respective function. I think the caller is responsible for not handing
undef/NULL as the argument.
For this reason I'd say this is not a candiate for a ticket against
Net::SSLeay and is not something that neither Net::SSLeay or OpenSSL
needs to handle.
I agree with your view regarding Net::SSLeay but not on OpenSSL,
function args should always be validated.
Is Mike (author of Net::SSLeay) still working for you? I haven't opened
a RT for the module as I'm not sure if this should be handled at the
Perl XS layer or in OpenSSL.
Mike is still maintainer for Net::SSLeay, but he is not with us
anymore. About the ticket, as I mentioned above, I think we need to do
the null check inside Radiator hook.
As a workaround I'll check for exists $p->{EAPContext} && exists
$p->{EAPContext}->{ssl} before calling the function. This was enough
for
MAC bypass auths (non-EAP) but expired certs crashed Radiator again
today.
I'd add && $p->{EAPContext}->{ssl} to the checks too. What likely
happens now is that the hash key 'ssl' exists but the value for the
key is undef. I'd say this is caused by the code that runs when the
expiration was noticed.
Already done that last week ;) Seems to be stable so far.
Would you advise to use Radius::TLS::contextSessionCheckReuse
instead of
Net::SSLeay::session_reused directly?
I think what could be done in this function is to set something like
$context->{eap_tls_session_resumed} to the value returned by
Net::SSLeay::session_reused or implement the resume counter which I
mentioned earlier. I would not call this function from a hook since
its purpose is to check if the session was resumed or not and do
what's appropriate based on resumption and configured resumption
settings.
We'd prefer to have a special variable we can use for logging instead of
having to do the determination ourselves.
Please advise a safe way of determining and logging EAP session
resumption, we seem to stumble from one pitfall to another ourselves.
I'd say the above extra check allow session_reused() to work for now
until we add the extras/helpers mentioned above and the earlier
messages.
Ok, thanks!
Thanks for your patience,
Heikki
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may
be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2016-12-16 12:40, Heikki Vatiainen wrote:
On 16.12.2016 11.46, Hartmaier Alexander wrote:
Sadly the sh** didn't stop there, OpenSSL segfaults when
Net::SSLeay::session_reused gets passed an undefined value:
For Net::SSLeay this is just a pass through call to OpenSSL's
respective function. I think the caller is responsible for not handing
undef/NULL as the argument.
For this reason I'd say this is not a candiate for a ticket against
Net::SSLeay and is not something that neither Net::SSLeay or OpenSSL
needs to handle.
I agree with your view regarding Net::SSLeay but not on OpenSSL,
function args should always be validated.
Is Mike (author of Net::SSLeay) still working for you? I haven't opened
a RT for the module as I'm not sure if this should be handled at the
Perl XS layer or in OpenSSL.
Mike is still maintainer for Net::SSLeay, but he is not with us
anymore. About the ticket, as I mentioned above, I think we need to do
the null check inside Radiator hook.
As a workaround I'll check for exists $p->{EAPContext} && exists
$p->{EAPContext}->{ssl} before calling the function. This was enough for
MAC bypass auths (non-EAP) but expired certs crashed Radiator again
today.
I'd add && $p->{EAPContext}->{ssl} to the checks too. What likely
happens now is that the hash key 'ssl' exists but the value for the
key is undef. I'd say this is caused by the code that runs when the
expiration was noticed.
Already done that last week ;) Seems to be stable so far.
Would you advise to use Radius::TLS::contextSessionCheckReuse instead of
Net::SSLeay::session_reused directly?
I think what could be done in this function is to set something like
$context->{eap_tls_session_resumed} to the value returned by
Net::SSLeay::session_reused or implement the resume counter which I
mentioned earlier. I would not call this function from a hook since
its purpose is to check if the session was resumed or not and do
what's appropriate based on resumption and configured resumption
settings.
We'd prefer to have a special variable we can use for logging instead of
having to do the determination ourselves.
Please advise a safe way of determining and logging EAP session
resumption, we seem to stumble from one pitfall to another ourselves.
I'd say the above extra check allow session_reused() to work for now
until we add the extras/helpers mentioned above and the earlier messages.
Ok, thanks!
Thanks for your patience,
Heikki
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 16.12.2016 11.46, Hartmaier Alexander wrote:
Sadly the sh** didn't stop there, OpenSSL segfaults when
Net::SSLeay::session_reused gets passed an undefined value:
For Net::SSLeay this is just a pass through call to OpenSSL's respective
function. I think the caller is responsible for not handing undef/NULL
as the argument.
For this reason I'd say this is not a candiate for a ticket against
Net::SSLeay and is not something that neither Net::SSLeay or OpenSSL
needs to handle.
Is Mike (author of Net::SSLeay) still working for you? I haven't opened
a RT for the module as I'm not sure if this should be handled at the
Perl XS layer or in OpenSSL.
Mike is still maintainer for Net::SSLeay, but he is not with us anymore.
About the ticket, as I mentioned above, I think we need to do the null
check inside Radiator hook.
As a workaround I'll check for exists $p->{EAPContext} && exists
$p->{EAPContext}->{ssl} before calling the function. This was enough for
MAC bypass auths (non-EAP) but expired certs crashed Radiator again today.
I'd add && $p->{EAPContext}->{ssl} to the checks too. What likely
happens now is that the hash key 'ssl' exists but the value for the key
is undef. I'd say this is caused by the code that runs when the
expiration was noticed.
Would you advise to use Radius::TLS::contextSessionCheckReuse instead of
Net::SSLeay::session_reused directly?
I think what could be done in this function is to set something like
$context->{eap_tls_session_resumed} to the value returned by
Net::SSLeay::session_reused or implement the resume counter which I
mentioned earlier. I would not call this function from a hook since its
purpose is to check if the session was resumed or not and do what's
appropriate based on resumption and configured resumption settings.
Please advise a safe way of determining and logging EAP session
resumption, we seem to stumble from one pitfall to another ourselves.
I'd say the above extra check allow session_reused() to work for now
until we add the extras/helpers mentioned above and the earlier messages.
Thanks for your patience,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2016-12-15 13:46, Heikki Vatiainen wrote:
On 15.12.2016 14.04, Hartmaier Alexander wrote:
If you get context from $p, it does not matter if, for example,
EAP_UseState was enabled or note. It's easier and more reliable to get
it from $p.
I've removed EAP_UseState from our config since everything works as
before. Can the nested auth of PEAP-TLS cause this in conjunction with
the state ID generation?
I'd say in your case the call to get EAP worked fine because it simply
returned the context that was retrieved earlier. In other words, it
did the same as getting the context with $p->{EAPContext}.
Our PostAuthHook already has this at the very top since the beginning.
Is this the correct way to check?
my $p = ${$_[0]};
my $rp = ${$_[1]};
my $result = $_[2];
my $reason = $_[3];
return
unless $$result == $main::ACCEPT;
Yes. This looks fine. The reason you are given a reference to result
is that you can also change it in case you need to modify the result
with your hook.
Yes, we already have several $$reason assignments ;)
Yes, but it only points to EAP.pm which didn't change much since 4.16.
How should they be persisted after writing to $context?
I hope this is clarified below. Now when I look at the notes, I can
see that a mentioned of eap_save_resume_context and
eap_recover_resume_context could have been included.
So basically write to and read from
$context->{eap_resume_context}->{foo} instead of $context->{foo}?
As this doesn't use an accessor method I'd like it at least documented
somewhere so we can be sure it doesn't break without notice on one of
the next updates.
Yes, that's correct. eap_resume_context points to the context that is
saved across resumed sessions. You are correct that there are no
accessors yet. These would be among the helpers for hooks that I wrote
about earlier.
Sadly the sh** didn't stop there, OpenSSL segfaults when
Net::SSLeay::session_reused gets passed an undefined value:
gdb --args perl -E 'use Net::SSLeay; my $foo = {foo => bar};
Net::SSLeay::session_reused($foo->{EAPContext}->{ssl});'
Is Mike (author of Net::SSLeay) still working for you? I haven't opened
a RT for the module as I'm not sure if this should be handled at the
Perl XS layer or in OpenSSL.
BTW this happens on Debian stable (8) 64bit with all packages updated,
OpenSSL 1.0.1t-1+deb8u5.
As a workaround I'll check for exists $p->{EAPContext} && exists
$p->{EAPContext}->{ssl} before calling the function. This was enough for
MAC bypass auths (non-EAP) but expired certs crashed Radiator again today.
Would you advise to use Radius::TLS::contextSessionCheckReuse instead of
Net::SSLeay::session_reused directly?
EAP_25.pm line 219 is the only place where Net::SSLeay::session_reused
is called directly outside of Radius::TLS::contextSessionCheckReuse.
Please advise a safe way of determining and logging EAP session
resumption, we seem to stumble from one pitfall to another ourselves.
Thanks, Alex
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 15.12.2016 14.04, Hartmaier Alexander wrote:
If you get context from $p, it does not matter if, for example,
EAP_UseState was enabled or note. It's easier and more reliable to get
it from $p.
I've removed EAP_UseState from our config since everything works as
before. Can the nested auth of PEAP-TLS cause this in conjunction with
the state ID generation?
I'd say in your case the call to get EAP worked fine because it simply
returned the context that was retrieved earlier. In other words, it did
the same as getting the context with $p->{EAPContext}.
Our PostAuthHook already has this at the very top since the beginning.
Is this the correct way to check?
my $p = ${$_[0]};
my $rp = ${$_[1]};
my $result = $_[2];
my $reason = $_[3];
return
unless $$result == $main::ACCEPT;
Yes. This looks fine. The reason you are given a reference to result is
that you can also change it in case you need to modify the result with
your hook.
Yes, but it only points to EAP.pm which didn't change much since 4.16.
How should they be persisted after writing to $context?
I hope this is clarified below. Now when I look at the notes, I can see
that a mentioned of eap_save_resume_context and
eap_recover_resume_context could have been included.
So basically write to and read from
$context->{eap_resume_context}->{foo} instead of $context->{foo}?
As this doesn't use an accessor method I'd like it at least documented
somewhere so we can be sure it doesn't break without notice on one of
the next updates.
Yes, that's correct. eap_resume_context points to the context that is
saved across resumed sessions. You are correct that there are no
accessors yet. These would be among the helpers for hooks that I wrote
about earlier.
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2016-12-13 14:45, Heikki Vatiainen wrote:
On 13.12.2016 12.32, Hartmaier Alexander wrote:
I strongly advice to get context like this:
my $context = $p->{EAPContext};
Ok, I've changed our hooks to use this again like before, seems to not
make a difference both ways.
If you get context from $p, it does not matter if, for example,
EAP_UseState was enabled or note. It's easier and more reliable to get
it from $p.
I've removed EAP_UseState from our config since everything works as
before. Can the nested auth of PEAP-TLS cause this in conjunction with
the state ID generation?
Can you please add this to the reference guide?
Good idea. I think this discussion means we need to create an example
how to keep custom data that persists across resumed authentications.
Thanks!
The session_reused() call will tell this.
I've added logging and all resumed sessions are missing the reply
attributes we're adding with our hooks (mainly vlan id).
Does this check signal a successful resume or just the attempt to do so?
I am not sure if this has been strictly defined by the OpenSSL API. To
be sure, I would only check this after the TLS session has been
accepted. I'd check first that, for example, PostAuthHook result is
ACCEPT before continuing. Radiator only does this check for TLS
sessions that have been successfully established.
Our PostAuthHook already has this at the very top since the beginning.
Is this the correct way to check?
my $p = ${$_[0]};
my $rp = ${$_[1]};
my $result = $_[2];
my $reason = $_[3];
return
unless $$result == $main::ACCEPT;
It seems the reply attributes added by the hook code for the first,
non-resumed authentication aren't stored in the EAP context.
Please advise if it is required to do that manually or if this is a bug
in 4.17.
You need to do it manually. This is why it got a special mention in
the release history.
Yes, but it only points to EAP.pm which didn't change much since 4.16.
How should they be persisted after writing to $context?
What you could do is to write your custom attributes in the
resume_context when the authentication was successfully and
session_reused() indicates it was not a resumed. See
eap_save_resume_context in EAP.pm for an example.
The next time around when session_reused() indicates TLS did resume,
you can once again get the resume_context like above, but now just
verify the values are there and then use them.
So basically write to and read from
$context->{eap_resume_context}->{foo} instead of $context->{foo}?
As this doesn't use an accessor method I'd like it at least documented
somewhere so we can be sure it doesn't break without notice on one of
the next updates.
When the next Radiator release is done, see the change history for the
possible helpers that you could consider using in your hooks instead.
One of the helpers could be the resume count I wrote about earlier.
For now I'd use the session_reused() check with the Hook.
This works, but we're not sure if it means the resumption was successful
or attempted, see above.
As I mentioned above, I would only check this if the result indicates
authentication success.
What comes to reliably saving state information across server restarts
and reloads, that is not currently supported. Saving the resume
context required by Radiator is doable. SQL, Redis and similar could
be used for this. Storing and and reloading TLS library's TLS sessions
seems to be possible, from a quick look at the openssl docs. As a
downside, doing this would not still help with FarmSize without more
work there.
If you need to split load, maybe you could consider a front end proxy
that uses, for example, AuthBy HASHBALANCE to forward messages to a
number of workers where each worker is bound to its own port, as
opposed one port with FarmSize.
Thanks,
Heikki
Cheers, Alex
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 13.12.2016 12.32, Hartmaier Alexander wrote:
I strongly advice to get context like this:
my $context = $p->{EAPContext};
Ok, I've changed our hooks to use this again like before, seems to not
make a difference both ways.
If you get context from $p, it does not matter if, for example,
EAP_UseState was enabled or note. It's easier and more reliable to get
it from $p.
Can you please add this to the reference guide?
Good idea. I think this discussion means we need to create an example
how to keep custom data that persists across resumed authentications.
The session_reused() call will tell this.
I've added logging and all resumed sessions are missing the reply
attributes we're adding with our hooks (mainly vlan id).
Does this check signal a successful resume or just the attempt to do so?
I am not sure if this has been strictly defined by the OpenSSL API. To
be sure, I would only check this after the TLS session has been
accepted. I'd check first that, for example, PostAuthHook result is
ACCEPT before continuing. Radiator only does this check for TLS sessions
that have been successfully established.
It seems the reply attributes added by the hook code for the first,
non-resumed authentication aren't stored in the EAP context.
Please advise if it is required to do that manually or if this is a bug
in 4.17.
You need to do it manually. This is why it got a special mention in the
release history.
What you could do is to write your custom attributes in the
resume_context when the authentication was successfully and
session_reused() indicates it was not a resumed. See
eap_save_resume_context in EAP.pm for an example.
The next time around when session_reused() indicates TLS did resume, you
can once again get the resume_context like above, but now just verify
the values are there and then use them.
When the next Radiator release is done, see the change history for the
possible helpers that you could consider using in your hooks instead.
One of the helpers could be the resume count I wrote about earlier.
For now I'd use the session_reused() check with the Hook.
This works, but we're not sure if it means the resumption was successful
or attempted, see above.
As I mentioned above, I would only check this if the result indicates
authentication success.
What comes to reliably saving state information across server restarts
and reloads, that is not currently supported. Saving the resume context
required by Radiator is doable. SQL, Redis and similar could be used for
this. Storing and and reloading TLS library's TLS sessions seems to be
possible, from a quick look at the openssl docs. As a downside, doing
this would not still help with FarmSize without more work there.
If you need to split load, maybe you could consider a front end proxy
that uses, for example, AuthBy HASHBALANCE to forward messages to a
number of workers where each worker is bound to its own port, as opposed
one port with FarmSize.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Answers below
On 2016-12-13 07:59, Heikki Vatiainen wrote:
On 1.12.2016 17.02, Hartmaier Alexander wrote:
We're fighting duplicate requests due to slow responses because of
PEAP-TLS many exchanged packets.
Is FarmSize still unusable when enabling EAP_UseState because the EAP
context data isn't shared between the forked childs?
This has not changed. EAP_UseState does not change this. Even if EAP
context data kept by Radiator could be shared between children,
there's still the TLS state that lives within the TLS library that can
not be easily shared.
Can Gossip be used to share this state between the childs or the State
attribute to balance all requests of one EAP session always to the same
child?
Gossip, or some other method, could be used for sharing EAP context.
However, the problem with TLS based EAP methods is the TLS state.
I've added this line to all PostAuthHooks and everything seems to work
as it should:
my $self = $p->{AuthBy};
my $context = $self->getEAPContext($p);
I strongly advice to get context like this:
my $context = $p->{EAPContext};
Ok, I've changed our hooks to use this again like before, seems to not
make a difference both ways.
Can you please add this to the reference guide?
return
if Net::SSLeay::session_reused($context->{ssl});
As I currently don't log if an auth was an EAP auth or a session
resumption I can't tell if the session resumption works.
The session_reused() call will tell this.
I've added logging and all resumed sessions are missing the reply
attributes we're adding with our hooks (mainly vlan id).
Does this check signal a successful resume or just the attempt to do so?
It seems the reply attributes added by the hook code for the first,
non-resumed authentication aren't stored in the EAP context.
Please advise if it is required to do that manually or if this is a bug
in 4.17.
Please note that as I wrote earlier, I'd consider EAP authentication
that uses TLS session resumption as EAP authentication too.
Of course, just a different way.
Can you please advice how to log session resumption?
For now I'd use the session_reused() check with the Hook.
This works, but we're not sure if it means the resumption was successful
or attempted, see above.
For help with hooks, I have thought about the following: Add a resume
counter in EAP context. If resume support is off, the counter would
always have undefined value. When resume support is enabled, the
counter would be initialised to 0 and incremented for each resume.
This would allow you to simply check 'if
($context->{eap_tls_resume_count})' to see if a TLS resume was done.
This counter could also be used to enforce policies, for example, an
upper for how many times (not just for how long) a session can be
resumed. This could also be something that can be logged in
authentication log for example for statistics.
When the resume happens and information that needs to be kept over
resumed sessions is recovered, a hook can be added to do any local
processing that might be required to recover custom information used
by the current configuration. In addition to this, a user specific
opaque value (could be a simple scalar or reference, for example) can
be copied over by the code. The user hooks could then use this as they
wish.
In short: we can enhance the support for storing configuration
specific data in the resume information and can add a counter that can
be used to detect resumption with hooks.
As far as I've understood I'd need to save and resume any additional
data I'm adding to the EAP context, how to do that?
Is it possible to persist that through server restarts or are reloads
the only workaround?
SystemD doesn't support reload as far as I know, can this be accomplised
by sending a signal to the radiator process in a user friendly way?
Thanks,
Heikki
Thanks, Alex
On 2016-11-30 18:09, Hartmaier Alexander wrote:
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to au
Re: [RADIATOR] random EAP authentication errors since 4.17
On 1.12.2016 17.02, Hartmaier Alexander wrote:
We're fighting duplicate requests due to slow responses because of
PEAP-TLS many exchanged packets.
Is FarmSize still unusable when enabling EAP_UseState because the EAP
context data isn't shared between the forked childs?
This has not changed. EAP_UseState does not change this. Even if EAP
context data kept by Radiator could be shared between children, there's
still the TLS state that lives within the TLS library that can not be
easily shared.
Can Gossip be used to share this state between the childs or the State
attribute to balance all requests of one EAP session always to the same
child?
Gossip, or some other method, could be used for sharing EAP context.
However, the problem with TLS based EAP methods is the TLS state.
I've added this line to all PostAuthHooks and everything seems to work
as it should:
my $self = $p->{AuthBy};
my $context = $self->getEAPContext($p);
I strongly advice to get context like this:
my $context = $p->{EAPContext};
return
if Net::SSLeay::session_reused($context->{ssl});
As I currently don't log if an auth was an EAP auth or a session
resumption I can't tell if the session resumption works.
The session_reused() call will tell this.
Please note that as I wrote earlier, I'd consider EAP authentication
that uses TLS session resumption as EAP authentication too.
Can you please advice how to log session resumption?
For now I'd use the session_reused() check with the Hook.
For help with hooks, I have thought about the following: Add a resume
counter in EAP context. If resume support is off, the counter would
always have undefined value. When resume support is enabled, the counter
would be initialised to 0 and incremented for each resume. This would
allow you to simply check 'if ($context->{eap_tls_resume_count})' to see
if a TLS resume was done.
This counter could also be used to enforce policies, for example, an
upper for how many times (not just for how long) a session can be
resumed. This could also be something that can be logged in
authentication log for example for statistics.
When the resume happens and information that needs to be kept over
resumed sessions is recovered, a hook can be added to do any local
processing that might be required to recover custom information used by
the current configuration. In addition to this, a user specific opaque
value (could be a simple scalar or reference, for example) can be copied
over by the code. The user hooks could then use this as they wish.
In short: we can enhance the support for storing configuration specific
data in the resume information and can add a counter that can be used to
detect resumption with hooks.
Thanks,
Heikki
Thanks, Alex
On 2016-11-30 18:09, Hartmaier Alexander wrote:
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to automatically save suitably named context
variables, for example $context->{custom_info} would be automatically
saved and restored.
The reason for this change was to allow the user of State attribute
with EAP authentication and more clearly separate information that is
needed during one EAP authentication dialog from information that
needs to be kept across resumed authentications.
Thanks,
Heikki
Correct me if I'm wrong but can a resumed session every be not accepted?
As it means that a successful auth has happened before.
Should a PostAuth hook, or some of the other hooks, be run at all in
this case?
It might make sense to differenciate between an authentication and a
resumption.
As the 'last_reply_attrs' are already stored in the context it might be
the easiest option to either use a different hook instead of PostAuth,
continue using PostAuth if you decide to not call PostAuth for resumed
'auths' or detect the resumption in the Hook and just bail out of it at
the very beginning.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99
Re: [RADIATOR] random EAP authentication errors since 4.17
On 30.11.2016 19.09, Hartmaier Alexander wrote: Correct me if I'm wrong but can a resumed session every be not accepted? It's possible. EAP-TLS can check if the user is still available in the user database or has their account been, for example, removed. PEAP requires the server and client to share a single handshake over the resumed TLS tunnel before the PEAP authentication is fully accepted by the both peers. This could be thought of one sort of authentication. In other words, TLS resume tells that the peers can resume a previously created session. On the EAP and Radius layer I'd consider a TLS resumed EAP-TLS, PEAP, etc. just a quicker way to authenticate where some things were skipped since they were already done, for example inner authentication, certificate checks. As it means that a successful auth has happened before. Should a PostAuth hook, or some of the other hooks, be run at all in this case? I think the hooks and other processing should be called the same as with non-resumed authentication. There could be, for example, an AuthBy GROUP where PEAP authby runs first and then another authby does possibly authorisation. This next authby may not care if PEAP did a full or resumed authentication but it needs to run always. It might make sense to differenciate between an authentication and a resumption. This can be made available for hooks. What you can already do is to check Net::SSLeay::session_reused(). More about this in another reply. As the 'last_reply_attrs' are already stored in the context it might be the easiest option to either use a different hook instead of PostAuth, continue using PostAuth if you decide to not call PostAuth for resumed 'auths' or detect the resumption in the Hook and just bail out of it at the very beginning. Detecting resumption in a Hook could be the best option here. If the hook needs to behave differently, then it can do so. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 12.12.2016 17.45, Hartmaier Alexander wrote:
please respond how to:
Hello Alex, I'll reply to your previous messages about these, but I'll
add quick notes below. Sometimes time just flies, I'm sorry for the slow
response.
- log auth vs. session resumption
- handle session resumption in PostAuthHooks
For these, you can currently check
Net::SSLeay::session_reused($context->{ssl}); are you wrote before. I'll
have an alternative too I have thought for this.
- if the last_reply_attrs don't include the attributes added by a
PostAuthHook
More about this in its own message. These attributes are from tunnelled
EAP's inner authentication. If you need to add, for example, VLAN
attributes with a Hook, we can see how to do that.
- usability of FarmSize with PEAP-TLS when enabling EAP_UseState
EAP_UseState does not change this. It's the TLS state that lives within
the SSL library that ties one TLS based EAP authentication session to
one instance making it problematic with FarmSize (multiple instances).
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi,
please respond how to:
- log auth vs. session resumption
- handle session resumption in PostAuthHooks
- if the last_reply_attrs don't include the attributes added by a
PostAuthHook
- usability of FarmSize with PEAP-TLS when enabling EAP_UseState
Thanks, Alex
On 2016-12-01 16:02, Hartmaier Alexander wrote:
Hi,
We're fighting duplicate requests due to slow responses because of
PEAP-TLS many exchanged packets.
Is FarmSize still unusable when enabling EAP_UseState because the EAP
context data isn't shared between the forked childs?
Can Gossip be used to share this state between the childs or the State
attribute to balance all requests of one EAP session always to the
same child?
I've added this line to all PostAuthHooks and everything seems to work
as it should:
my $self = $p->{AuthBy};
my $context = $self->getEAPContext($p);
return
if Net::SSLeay::session_reused($context->{ssl});
As I currently don't log if an auth was an EAP auth or a session
resumption I can't tell if the session resumption works.
Can you please advice how to log session resumption?
Thanks, Alex
On 2016-11-30 18:09, Hartmaier Alexander wrote:
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to automatically save suitably named context
variables, for example $context->{custom_info} would be automatically
saved and restored.
The reason for this change was to allow the user of State attribute
with EAP authentication and more clearly separate information that is
needed during one EAP authentication dialog from information that
needs to be kept across resumed authentications.
Thanks,
Heikki
Correct me if I'm wrong but can a resumed session every be not accepted?
As it means that a successful auth has happened before.
Should a PostAuth hook, or some of the other hooks, be run at all in
this case?
It might make sense to differenciate between an authentication and a
resumption.
As the 'last_reply_attrs' are already stored in the context it might be
the easiest option to either use a different hook instead of PostAuth,
continue using PostAuth if you decide to not call PostAuth for resumed
'auths' or detect the resumption in the Hook and just bail out of it at
the very beginning.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may
be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi,
We're fighting duplicate requests due to slow responses because of
PEAP-TLS many exchanged packets.
Is FarmSize still unusable when enabling EAP_UseState because the EAP
context data isn't shared between the forked childs?
Can Gossip be used to share this state between the childs or the State
attribute to balance all requests of one EAP session always to the same
child?
I've added this line to all PostAuthHooks and everything seems to work
as it should:
my $self = $p->{AuthBy};
my $context = $self->getEAPContext($p);
return
if Net::SSLeay::session_reused($context->{ssl});
As I currently don't log if an auth was an EAP auth or a session
resumption I can't tell if the session resumption works.
Can you please advice how to log session resumption?
Thanks, Alex
On 2016-11-30 18:09, Hartmaier Alexander wrote:
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to automatically save suitably named context
variables, for example $context->{custom_info} would be automatically
saved and restored.
The reason for this change was to allow the user of State attribute
with EAP authentication and more clearly separate information that is
needed during one EAP authentication dialog from information that
needs to be kept across resumed authentications.
Thanks,
Heikki
Correct me if I'm wrong but can a resumed session every be not accepted?
As it means that a successful auth has happened before.
Should a PostAuth hook, or some of the other hooks, be run at all in
this case?
It might make sense to differenciate between an authentication and a
resumption.
As the 'last_reply_attrs' are already stored in the context it might be
the easiest option to either use a different hook instead of PostAuth,
continue using PostAuth if you decide to not call PostAuth for resumed
'auths' or detect the resumption in the Hook and just bail out of it at
the very beginning.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may
be privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 30.11.2016 16.34, Petr Adamec wrote: I have probably the same problem. It sounds like https://lists.open.com.au/pipermail/radiator/2015-August/020360.html My solution is to downgrade to 4.16 Hello Petr, can you see if 'EAPTLS_SessionContextId %u%1' parameter I wrote about yesterday would help with the errors you see? If you can do that, please let us know if it helps. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2016-11-30 17:45, Heikki Vatiainen wrote:
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across
resumed authentications. For more about what is saved now, see EAP.pm
and eap_save_resume_context and its counterpart just below. When
thinking about possible options would a hook work for you? Another
possibly might be to automatically save suitably named context
variables, for example $context->{custom_info} would be automatically
saved and restored.
The reason for this change was to allow the user of State attribute
with EAP authentication and more clearly separate information that is
needed during one EAP authentication dialog from information that
needs to be kept across resumed authentications.
Thanks,
Heikki
Correct me if I'm wrong but can a resumed session every be not accepted?
As it means that a successful auth has happened before.
Should a PostAuth hook, or some of the other hooks, be run at all in
this case?
It might make sense to differenciate between an authentication and a
resumption.
As the 'last_reply_attrs' are already stored in the context it might be
the easiest option to either use a different hook instead of PostAuth,
continue using PostAuth if you decide to not call PostAuth for resumed
'auths' or detect the resumption in the Hook and just bail out of it at
the very beginning.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 30.11.2016 18.02, Hartmaier Alexander wrote:
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
[cut]
Thanks, this clarifies the situation. You need to save information
across resumed authentications.
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Correct. Certificate verification runs only during full TLS handshake.
Handler's PostAuthHook runs always when Handler is finishing its work.
It does not matter if the TLS handshake within an AuthBy was full or
resumed.
I'll get back to you about how to save custom information across resumed
authentications. For more about what is saved now, see EAP.pm and
eap_save_resume_context and its counterpart just below. When thinking
about possible options would a hook work for you? Another possibly might
be to automatically save suitably named context variables, for example
$context->{custom_info} would be automatically saved and restored.
The reason for this change was to allow the user of State attribute with
EAP authentication and more clearly separate information that is needed
during one EAP authentication dialog from information that needs to be
kept across resumed authentications.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 2016-11-30 16:35, Heikki Vatiainen wrote:
On 30.11.2016 17.21, Hartmaier Alexander wrote:
we only do machine cert authentication. Can I log the SessionContextId
for debugging purposes to really make sure it's not the issue?
This defaults to Handler. In other words, if a full authentication was
processed by Handler A, the resumption will only work with Handler A.
If Handler B is selected, full authentication is done. If this
happens, it is not an error but a normal full authentication.
I do understand the inner workings, thanks.
This also happens for smartphones, mainly Apple and Android.
Do you have log messages about errors?
Let me clarify our setup:
EAPTLS_CertificateVerifyHook parses the cert issuer and subject and
populates
$context->{customer} = $customer;
$context->{ca_name} = $ca_name;
$context->{cert_usage} = $cert_usage;
$context->{cert_subject} = $subject; # for logging only
$context->{cert_issuer} = $cert_issuer; # for loggin only
PostAuthHooks use $context->{customer} and $context->{cert_usage} to
allow/deny wired/wireless access assign VLAN ID/restrict SSIDs.
The error messages that started getting logged after the 4.17 update are
our custom reject reasons:
$$reason = "certificate usage '$cert_usage' not for DIRECT, subject: "
. $context->{cert_subject} . ", issuer: " . $context->{cert_issuer};
I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might
cause this when roaming from access-point to access-point?
This should only matter when it takes more than 120 seconds for the
client to respond after Radiator sends RADIUS Access-Challenge to get
the client to continue the ongoing EAP authentication. Once the
authentication has finished, this context is not required any longer.
The information required for resume is kept longer. See
EAPTLS_SessionResumptionLimit that defaults of 12 hours.
https://www.open.com.au/radiator/ref/EAPTLS_SessionResumptionLimit.html
I assume that the PostAuthHook is also run for resumed sessions but
EAPTLS_CertificateVerifyHook isn't which leads to the lack of the
$context contents and thus the failure of the PostAuthHook.
Thanks,
Heikki
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 30.11.2016 17.21, Hartmaier Alexander wrote: we only do machine cert authentication. Can I log the SessionContextId for debugging purposes to really make sure it's not the issue? This defaults to Handler. In other words, if a full authentication was processed by Handler A, the resumption will only work with Handler A. If Handler B is selected, full authentication is done. If this happens, it is not an error but a normal full authentication. This also happens for smartphones, mainly Apple and Android. Do you have log messages about errors? I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might cause this when roaming from access-point to access-point? This should only matter when it takes more than 120 seconds for the client to respond after Radiator sends RADIUS Access-Challenge to get the client to continue the ongoing EAP authentication. Once the authentication has finished, this context is not required any longer. The information required for resume is kept longer. See EAPTLS_SessionResumptionLimit that defaults of 12 hours. https://www.open.com.au/radiator/ref/EAPTLS_SessionResumptionLimit.html Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi Heikki, we only do machine cert authentication. Can I log the SessionContextId for debugging purposes to really make sure it's not the issue? This also happens for smartphones, mainly Apple and Android. I wonder if the reduced EAPContextTimeout from 1000 to 120 seconds might cause this when roaming from access-point to access-point? Best regards, Alex On 2016-11-30 16:12, Heikki Vatiainen wrote: On 30.11.2016 16.27, Hartmaier Alexander wrote: we have random EAP authentication errors since the upgrade to 4.17. I figured it might have something to do with the EAP session resumption changes in 4.17. For tweaking resumption behaviour, can you try adding the parameter shown below to EAPTLS_ settings? I have been looking at this, and my suspicion is that when Windows has been configured to try both machine and username authentication, it uses the same TLS session for the both. This may cause confusion for it when a session resumption succeeds as machine while the session was first successful for username authentication. What Radiator sees is a successful resumption and proceeds as usually. In 4.17 you can further restrict the context for which the resumption is considered. So please add the original username to the context to use host/ prefix for creating a separate context for machine vs username authentication. EAPTLS_SessionContextId %u%1 The above adds original User-Name to the resumption context which will create separate resumption context when the username changes. This parameter goes to AuthBy that handles the outer EAP authentication (certicates, etc.). For more: https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxx.html Thanks, Heikki *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien Handelsgericht Wien, FN 79340b *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* Notice: This e-mail contains information that is confidential and may be privileged. If you are not the intended recipient, please notify the sender and then delete this e-mail immediately. *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"* ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi Petr,
not sure was the problem only started after upgrading to 4.17 which
hasn't been release in 2015 when you reported your issue.
Best regards, Alex
On 2016-11-30 15:34, Petr Adamec wrote:
Hi,
I have probably the same problem. It sounds like
https://lists.open.com.au/pipermail/radiator/2015-August/020360.html
My solution is to downgrade to 4.16
Best regards
Petr Adamec
Dne 30.11.2016 v 15:27 Hartmaier Alexander napsal(a):
Hi,
we have random EAP authentication errors since the upgrade to 4.17.
I figured it might have something to do with the EAP session resumption
changes in 4.17.
The release notes only mentions to look at EAP.pm regarding required
hook code changes. I guess one should now use $self->getEAPContext($p)
instead of $p->{EAPContext} directly.
The problem is that $self isn't passed to any hook!
I couldn't find an example in the goodies either.
Please advice how to resolve this.
Thanks, Alex
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
On 30.11.2016 16.27, Hartmaier Alexander wrote: we have random EAP authentication errors since the upgrade to 4.17. I figured it might have something to do with the EAP session resumption changes in 4.17. For tweaking resumption behaviour, can you try adding the parameter shown below to EAPTLS_ settings? I have been looking at this, and my suspicion is that when Windows has been configured to try both machine and username authentication, it uses the same TLS session for the both. This may cause confusion for it when a session resumption succeeds as machine while the session was first successful for username authentication. What Radiator sees is a successful resumption and proceeds as usually. In 4.17 you can further restrict the context for which the resumption is considered. So please add the original username to the context to use host/ prefix for creating a separate context for machine vs username authentication. EAPTLS_SessionContextId %u%1 The above adds original User-Name to the resumption context which will create separate resumption context when the username changes. This parameter goes to AuthBy that handles the outer EAP authentication (certicates, etc.). For more: https://open.com.au/radiator/ref/EAPTLS_SessionContextId_AuthByxx.html Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@lists.open.com.au http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi,
thanks for the quick response!
In the meantime I tried the new EAP_UseState, didn't fix the problem
but also didn't have any negative effect. Do you recommend to already
use it?
Disabling EAP session resumption seems to have fixed the issue
(EAPTLS_SessionResumption 0).
On 2016-11-30 15:38, Tuure Vartiainen wrote:
Hello,
On 30 Nov 2016, at 16:27, Hartmaier Alexander
wrote:
we have random EAP authentication errors since the upgrade to 4.17.
I figured it might have something to do with the EAP session resumption
changes in 4.17.
interesting, could you please send a trace 5 debug log for few authentication
errors?
I would have to force the errors again by reenabling EAP session
resumption which I'd rather like not to do.
The release notes only mentions to look at EAP.pm regarding required
hook code changes. I guess one should now use $self->getEAPContext($p)
instead of $p->{EAPContext} directly.
The problem is that $self isn't passed to any hook!
I couldn't find an example in the goodies either.
Please advice how to resolve this.
you can call it
$p->{AuthBy}->getEAPContext($p)
but the function is only available when processing $p which has EAP-Message AVP.
So it should be safe to use it in EAP specific hooks like
EAPTLS_CertificateVerifyHook and PostAuthHook in Handler that check for
TunnelledByPEAP=1?
I've changed:
my $context = $p->{EAPContext};
to:
my $self = $p->{AuthBy};
my $context = ($main::config->{EAP_UseState})
? $self->getEAPContextState($p, $code, $type)
: $self->getEAPContext($p);
as seen in EAP.pm. Should I always call getEAPContext instead? If the
above is required I'd advice to add a method doing that to EAP.pm.
The problem with getEAPContextState is that I don't have $code and $type
in my hook.
BR
Best regards, Alex
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hello,
> On 30 Nov 2016, at 16:27, Hartmaier Alexander
> wrote:
>
> we have random EAP authentication errors since the upgrade to 4.17.
> I figured it might have something to do with the EAP session resumption
> changes in 4.17.
>
interesting, could you please send a trace 5 debug log for few authentication
errors?
> The release notes only mentions to look at EAP.pm regarding required
> hook code changes. I guess one should now use $self->getEAPContext($p)
> instead of $p->{EAPContext} directly.
>
> The problem is that $self isn't passed to any hook!
>
> I couldn't find an example in the goodies either.
>
> Please advice how to resolve this.
>
you can call it
$p->{AuthBy}->getEAPContext($p)
but the function is only available when processing $p which has EAP-Message AVP.
BR
--
Tuure Vartiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] random EAP authentication errors since 4.17
Hi,
I have probably the same problem. It sounds like
https://lists.open.com.au/pipermail/radiator/2015-August/020360.html
My solution is to downgrade to 4.16
Best regards
Petr Adamec
Dne 30.11.2016 v 15:27 Hartmaier Alexander napsal(a):
> Hi,
> we have random EAP authentication errors since the upgrade to 4.17.
> I figured it might have something to do with the EAP session resumption
> changes in 4.17.
>
> The release notes only mentions to look at EAP.pm regarding required
> hook code changes. I guess one should now use $self->getEAPContext($p)
> instead of $p->{EAPContext} directly.
>
> The problem is that $self isn't passed to any hook!
>
> I couldn't find an example in the goodies either.
>
> Please advice how to resolve this.
>
> Thanks, Alex
>
>
>
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be
> privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> ___
> radiator mailing list
> radiator@lists.open.com.au
> http://lists.open.com.au/mailman/listinfo/radiator
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
[RADIATOR] random EAP authentication errors since 4.17
Hi,
we have random EAP authentication errors since the upgrade to 4.17.
I figured it might have something to do with the EAP session resumption
changes in 4.17.
The release notes only mentions to look at EAP.pm regarding required
hook code changes. I guess one should now use $self->getEAPContext($p)
instead of $p->{EAPContext} directly.
The problem is that $self isn't passed to any hook!
I couldn't find an example in the goodies either.
Please advice how to resolve this.
Thanks, Alex
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@lists.open.com.au
http://lists.open.com.au/mailman/listinfo/radiator
