Re: [RADIATOR] AuthBy LDAP2 to AD

2016-01-04 Thread Hartmaier Alexander
Great, thanks!

Regarding GC: we have a customer who has trusts to other ADs and had the
requirement to authenticate against all of them, and it only worked when
using the Global Catalog and not specifying a BaseDN, maybe because it
is different for each of the trusted ADs and so the users would be
excluded from the results.

As I've created this config years ago I don't remember the details but
it's still running fine.

Best regards, Alex

On 2015-12-22 22:08, Heikki Vatiainen wrote:
> On 12/20/2015 09:49 PM, Hartmaier Alexander wrote:
>
>> @Heikki: could you add a section in the AuthBy LDAP2 which covers the
>> topic Microsoft Active Directory?
> I've made a ticket for this including these:
> - Global catalog ports
> - ServerChecksPassword - can't get user credentials from AD
> - AttrsWithBaseScope - for AD constructed attributes e.g., tokenGroups
> for getting group and nested group membership information
> - Differences with non-AD LDAP servers - anything else than the above?
>
> One thing I'd like to ask you about Global Catalog: If the Base DN is
> not empty, does it affect the search results? You wrote that it should
> be left empty; however, so far I have thought it's fine to specify a
> Base DN.
>
> See for example this doc, and search for 'non-instantiated'. As I
> understand it, it says base DN that is empty or anything else is fine.
>
> https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx
>
> Thanks,
> Heikki
>



*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Authby LDAP and Authby OTP

2015-12-28 Thread Joe Honnold
Good day Heikki.

I have completed testing based on your input for configuration changes and I now 
have a working config that meets the requirements.
Users have to enter their username and password and then the OTP received on 
their mobile device.
I will post a sanitized working config for reference in the near future.  More 
testing needs to be completed before it can be cleaned up and I am ready to 
call it good.

Thanks again for your input!
Joe.

> On Dec 22, 2015, at 8:38 AM, Joe Honnold  wrote:
> 
> Thanks for the reply.  I will give it a shot and see what happens.
> 
> Cheers!
> Joe.
> 
> 
> 
> 
> On 12/22/15, 8:31 AM, "[email protected] on behalf of Heikki 
> Vatiainen"  wrote:
> 
>> On 12/21/2015 05:23 AM, Joe Honnold wrote:
>> 
>>> I am working on a project for sending users OTP’s to gain access.  I
>>> would like to have users authenticate to AD and once accepted use Authby
>>> OTP to generate a token and send it to the user via SMS.   The user
>>> would then enter the OTP and gain access.
>>> I have done a bit of researching and found a config that I am using as a
>>> base.  http://www.van-sluis.nl/?p=345
>> 
>> There is one major difference between the example config you were using
>> and what you want to achieve: note that the example AuthBy LDAP2 had this:
>> 
>> # We don't do authentication. Authentication is done by OTP.
>> NoCheckPassword
>> 
>>> The Authby LDAP2 in my config is working as expected but the Authby OTP
>>> is not.  It is a bit confusing at this point as I am unsure how to debug
>>> the Authby OTP failure to find the exact issue.
>> 
>> I'd say the problem is that AuthBy OTP sees a password and thinks this
>> is the OTP.
>> 
>>> My expectation is that if the Authby OTP was working right a
>>> one-time password would be generated and then sent to the user's mobile number
>>> found in AD.
>>> 
>>> Any ideas where to start with this one?
>> 
>> I think the authentication flow needs to be changed with something like
>> this:
>> 
>> 
>> # Add this, otherwise unchanged
>> PostAuthHook sub {my $p = ${$_[0]}; $p->{DecodedPassword} = '';}
>> 
>> 
>> 
>>  # Add this, otherwise unchanged
>>  AddToReply State=otp-check
>> 
>> 
>> # New Handler goes here: Verify the OTP
>> 
>>  AuthBy SSLVPN_OTP
>> 
>> 
>> 
>> # Unchanged
>> 
>> 
>> 
>> The idea is this:
>> 1) Request first hits the current Handler
>> 2) Once AuthBy LDAP2 is done, it clears the password
>> 3) AuthBy OTP sees the empty passwords and generates the OTP
>> 4) AuthBy OTP adds State in the Access-Challenge
>> 5) The Access-Request with OTP will now contain 'State=otp-check'
>> request attribute
>> 6) The new Handler processes the request and does just the OTP verify
>> 
>> Please note the above is untested, but I'd say it should match how the
>> two phase authentication should go.
>> 
>> Please let us know if the above helps,
>> Heikki
>> 
>> -- 
>> Heikki Vatiainen 
>> 
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.

Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-22 Thread Heikki Vatiainen
On 12/20/2015 09:49 PM, Hartmaier Alexander wrote:

> @Heikki: could you add a section in the AuthBy LDAP2 which covers the
> topic Microsoft Active Directory?

I've made a ticket for this including these:
- Global catalog ports
- ServerChecksPassword - can't get user credentials from AD
- AttrsWithBaseScope - for AD constructed attributes e.g., tokenGroups
for getting group and nested group membership information
- Differences with non-AD LDAP servers - anything else than the above?

One thing I'd like to ask you about Global Catalog: If the Base DN is
not empty, does it affect the search results? You wrote that it should
be left empty; however, so far I have thought it's fine to specify a
Base DN.

See for example this doc, and search for 'non-instantiated'. As I
understand it, it says base DN that is empty or anything else is fine.

https://technet.microsoft.com/en-us/library/how-global-catalog-servers-work(v=ws.10).aspx

Thanks,
Heikki



Re: [RADIATOR] Authby LDAP and Authby OTP

2015-12-22 Thread Joe Honnold
Thanks for the reply.  I will give it a shot and see what happens.

Cheers!
Joe.




On 12/22/15, 8:31 AM, "[email protected] on behalf of Heikki 
Vatiainen"  wrote:

>On 12/21/2015 05:23 AM, Joe Honnold wrote:
>
>> I am working on a project for sending users OTP’s to gain access.  I
>> would like to have users authenticate to AD and once accepted use Authby
>> OTP to generate a token and send it to the user via SMS.   The user
>> would then enter the OTP and gain access.
>> I have done a bit of researching and found a config that I am using as a
>> base.  http://www.van-sluis.nl/?p=345
>
>There is one major difference between the example config you were using
>and what you want to achieve: note that the example AuthBy LDAP2 had this:
>
>  # We don't do authentication. Authentication is done by OTP.
>  NoCheckPassword
>
>> The Authby LDAP2 in my config is working as expected but the Authby OTP
>> is not.  It is a bit confusing at this point as I am unsure how to debug
>> the Authby OTP failure to find the exact issue.
>
>I'd say the problem is that AuthBy OTP sees a password and thinks this
>is the OTP.
>
>> My expectation is that if the Authby OTP was working right a
>> one-time password would be generated and then sent to the user's mobile number
>> found in AD.
>> 
>> Any ideas where to start with this one?
>
>I think the authentication flow needs to be changed with something like
>this:
>
>
>  # Add this, otherwise unchanged
>  PostAuthHook sub {my $p = ${$_[0]}; $p->{DecodedPassword} = '';}
>
>
>
>   # Add this, otherwise unchanged
>   AddToReply State=otp-check
>
>
># New Handler goes here: Verify the OTP
>
>   AuthBy SSLVPN_OTP
>
>
>
> # Unchanged
>
>
>
>The idea is this:
>1) Request first hits the current Handler
>2) Once AuthBy LDAP2 is done, it clears the password
>3) AuthBy OTP sees the empty passwords and generates the OTP
>4) AuthBy OTP adds State in the Access-Challenge
>5) The Access-Request with OTP will now contain 'State=otp-check'
>request attribute
>6) The new Handler processes the request and does just the OTP verify
>
>Please note the above is untested, but I'd say it should match how the
>two phase authentication should go.
>
>Please let us know if the above helps,
>Heikki
>

Re: [RADIATOR] Authby LDAP and Authby OTP

2015-12-22 Thread Heikki Vatiainen
On 12/21/2015 05:23 AM, Joe Honnold wrote:

> I am working on a project for sending users OTP’s to gain access.  I
> would like to have users authenticate to AD and once accepted use Authby
> OTP to generate a token and send it to the user via SMS.   The user
> would then enter the OTP and gain access.
> I have done a bit of researching and found a config that I am using as a
> base.  http://www.van-sluis.nl/?p=345

There is one major difference between the example config you were using
and what you want to achieve: note that the example AuthBy LDAP2 had this:

  # We don't do authentication. Authentication is done by OTP.
  NoCheckPassword

> The Authby LDAP2 in my config is working as expected but the Authby OTP
> is not.  It is a bit confusing at this point as I am unsure how to debug
> the Authby OTP failure to find the exact issue.

I'd say the problem is that AuthBy OTP sees a password and thinks this
is the OTP.

> My expectation is that if the Authby OTP was working right a
> one-time password would be generated and then sent to the user's mobile number
> found in AD.
> 
> Any ideas where to start with this one?

I think the authentication flow needs to be changed with something like
this:


  # Add this, otherwise unchanged
  PostAuthHook sub {my $p = ${$_[0]}; $p->{DecodedPassword} = '';}



   # Add this, otherwise unchanged
   AddToReply State=otp-check


# New Handler goes here: Verify the OTP

   AuthBy SSLVPN_OTP



 # Unchanged



The idea is this:
1) Request first hits the current Handler
2) Once AuthBy LDAP2 is done, it clears the password
3) AuthBy OTP sees the empty passwords and generates the OTP
4) AuthBy OTP adds State in the Access-Challenge
5) The Access-Request with OTP will now contain 'State=otp-check'
request attribute
6) The new Handler processes the request and does just the OTP verify

Please note the above is untested, but I'd say it should match how the
two phase authentication should go.

Please let us know if the above helps,
Heikki

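The two-phase flow Heikki sketches above, as an added simulation in Python (not Radiator code and not part of the thread): one class stands in for the two Handlers, a constructed dict stands in for AD, and a callback stands in for the SMS gateway. It shows why the password has to be cleared before AuthBy OTP runs, how the State attribute routes the second Access-Request to the verify-only Handler, and the failure cases a deployment has to handle (wrong code, expired challenge, replayed code, State with no outstanding challenge). The OTP lifetime and the single-use rule are assumptions of mine; the sketch does not specify them.

```python
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

CHALLENGE_STATE = b"otp-check"   # the State value the sketch sends in the Access-Challenge
OTP_TTL_SECONDS = 120            # assumption: how long an issued code stays valid


@dataclass
class Request:
    user_name: str
    user_password: str             # phase 1: the AD password; phase 2: the OTP
    state: Optional[bytes] = None  # echoed back by the NAS from the Access-Challenge


@dataclass
class Reply:
    code: str                      # "Access-Accept", "Access-Reject" or "Access-Challenge"
    attributes: Dict[str, object] = field(default_factory=dict)


class TwoPhaseServer:
    """Stand-in for the two Radiator Handlers in the sketch above."""

    def __init__(self, directory: Dict[str, Dict[str, str]],
                 send_sms: Callable[[str, str], None],
                 now: Callable[[], float] = time.time) -> None:
        self.directory = directory   # constructed AD stand-in: user -> {"password", "mobile"}
        self.send_sms = send_sms     # SMS gateway stand-in
        self.now = now
        self.pending: Dict[str, tuple] = {}   # user -> (otp, expiry time)

    def handle(self, req: Request) -> Reply:
        # Handler dispatch: a request carrying State=otp-check goes to the verify-only
        # handler, everything else to the LDAP + OTP-issue handler.
        if req.state == CHALLENGE_STATE:
            return self._verify_otp(req)
        return self._ldap_then_challenge(req)

    def _ldap_then_challenge(self, req: Request) -> Reply:
        # AuthBy LDAP2 with ServerChecksPassword: bind as the user with the supplied password.
        entry = self.directory.get(req.user_name)
        if entry is None or not hmac.compare_digest(entry["password"].encode(),
                                                    req.user_password.encode()):
            return Reply("Access-Reject")
        # PostAuthHook equivalent: wipe the password so AuthBy OTP cannot take it for the OTP.
        req.user_password = ""
        # AuthBy OTP on an empty password: issue a fresh code, deliver it, challenge with State.
        otp = f"{secrets.randbelow(10 ** 6):06d}"
        self.pending[req.user_name] = (otp, self.now() + OTP_TTL_SECONDS)
        self.send_sms(entry["mobile"], otp)
        return Reply("Access-Challenge",
                     {"State": CHALLENGE_STATE,
                      "Reply-Message": "Enter the code sent to your phone"})

    def _verify_otp(self, req: Request) -> Reply:
        # Second Access-Request: User-Password now carries the OTP. One attempt per challenge.
        pending = self.pending.pop(req.user_name, None)
        if pending is None:
            return Reply("Access-Reject")      # State without an outstanding challenge
        otp, expiry = pending
        if self.now() > expiry:
            return Reply("Access-Reject")      # challenge expired
        if not hmac.compare_digest(otp.encode(), req.user_password.encode()):
            return Reply("Access-Reject")      # wrong code; the challenge is consumed
        return Reply("Access-Accept")
```

A production version would also make the State value a random per-challenge token rather than the constant otp-check, and bind the pending challenge to the NAS it came from, so the second request can only complete the challenge it belongs to.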


Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-20 Thread Hartmaier Alexander
@Heikki: could you add a section in the AuthBy LDAP2 which covers the 
topic Microsoft Active Directory?


Thanks, Alex

On 2015-12-20 07:47, Joe Honnold wrote:
Got it all sorted.  Thanks for the pointers.  Here is what my working 
config for AD looks like.


Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646


Secret IMNOTTELLLING




Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN
PasswordAttr
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef MobileNumber,Callback-Number,request




On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander wrote:


Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) 
you can't specify a BaseDN, leave it empty!

Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:

Hi.

I am working towards a config that does AD authentication with the 
addition of OTP.  I have started the AD config and have hit an issue 
that I cannot seem to get around.

The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad
Encrypted password: UserJ [UserJ]

I have completed some research via the docs and internet searching 
but nothing has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this 
to work prior to adding the OTP settings to the config.


radius.cfg file
==
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.

Secret IMNOTTELLLING


# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.


Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check



==

Cleansed log dump
==
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', 
Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 
10.0.100.8,

Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 
10.0.50.82:3268

Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 
10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe 
User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match 
with UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad 
Encrypted password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad 
Encrypted password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad 
Encrypted password

Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  

Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-19 Thread Joe Honnold
Got it all sorted.  Thanks for the pointers.  Here is what my working config 
for AD looks like.

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace  4
#
AuthPort 1645
AcctPort 1646


Secret IMNOTTELLLING




Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN
PasswordAttr
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef MobileNumber,Callback-Number,request




On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander wrote:

Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't 
specify a BaseDN, leave it empty!
Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:
Hi.

I am working towards a config that does AD authentication with the addition of 
OTP.  I have started the AD config and have hit an issue that I cannot seem to 
get around.
The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing 
has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this to work 
prior to adding the OTP settings to the config.

radius.cfg file
==
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.

Secret IMNOTTELLLING


# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.


Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check



==

Cleansed log dump
==
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 
10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe 
User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ 
[UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Servic

Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-17 Thread Hartmaier Alexander

Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't 
specify a BaseDN, leave it empty!
Just
BaseDN

Best regards, Alex

On 2015-12-15 18:18, Joe Honnold wrote:
Hi.

I am working towards a config that does AD authentication with the addition of 
OTP.  I have started the AD config and have hit an issue that I cannot seem to 
get around.
The log file states:

Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]

I have completed some research via the docs and internet searching but nothing 
has pointed me in the right direction yet.
Any input towards a resolution would be appreciated as I need this to work 
prior to adding the OTP settings to the config.

radius.cfg file
==
# ad-ldap.cfg
#
# Example Radiator configuration file for authenticating from
# Active Directory via LDAP2, possibly from a Unix host.
#
# This very simple file will allow you to get started with
# a simple LDAP authentication system from AD.
#
# We suggest you start simple, prove to yourself that it
# works and then develop a more complicated configuration.
#
#
# You should consider this file to be a starting point only
# $Id: ad-ldap.cfg,v 1.4 2015/06/02 19:37:27 hvn Exp $

Foreground
LogStdout
LogDir /var/log/radius
DbDir /etc/radiator
# Use a lower trace level in production systems:
Trace 4
#
AuthPort 1645
AcctPort 1646

# You will probably want to add other Clients to suit your site.

Secret IMNOTTELLLING


# Authenticates users in the Organisational Unit called 'csx users'
# The user name coming from the NAS must match the sAMAccountName
# attribute of a user in that OU. Users that are not in 'csx users'
# will not be able to log in.


Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
# Microsoft AD also listens on port 3268, and
# requests received on that port are reported to be
# more compliant with standard LDAP, so you may want to use:
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check



==

Cleansed log dump
==
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:24 2015: DEBUG: Handling request with Handler '', Identifier ''
Tue Dec 15 10:34:24 2015: DEBUG:  Deleting session for UserJ, 10.0.100.8,
Tue Dec 15 10:34:24 2015: DEBUG: Handling with Radius::AuthLDAP2:
Tue Dec 15 10:34:24 2015: INFO: Connecting to 10.0.50.80:3268 10.0.50.82:3268
Tue Dec 15 10:34:24 2015: INFO: Connected to 10.0.50.80:3268
Tue Dec 15 10:34:24 2015: INFO: Attempting to bind to LDAP server 
10.0.50.80:3268
Tue Dec 15 10:34:24 2015: DEBUG: LDAP got result for CN=Joe 
User,OU=Unit1,OU=Unit2,DC=ms,DC=domain,DC=com
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 looks for match with UserJ 
[UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad Encrypted 
password: UserJ [UserJ]
Tue Dec 15 10:34:24 2015: DEBUG: AuthBy LDAP2 result: REJECT, Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: INFO: Access rejected for UserJ: Bad Encrypted 
password
Tue Dec 15 10:34:24 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:29 2015: INFO: Duplicate request id 188 received from 
10.0.100.8(58652): retransmit reply
Tue Dec 15 10:34:29 2015: DEBUG: Packet dump:
*** Sending to 10.0.100.8 port 58652 
Code:   Access-Reject
Identifier: 188
Authentic:  T<143>B*<10><203><165><29>6I<4>0<129><234><251>9
Attributes:
Reply-Message = "Request Denied"

Tue Dec 15 10:34:34 2015: DEBUG: Packet dump:
*** Received from 10.0.100.8 port 58652 
Code:   Access-Request
Identifier: 188
Authentic:  <220><190><27><254>r<234><233>@<187>CR<161><231>C<241><4>
Attributes:
User-Name = "UserJ"
User-Password = <214><134>.<29><11>4<137><178><135>z<148>B<31>ivJ
Service-Type = Login-User
NAS-IP-Address = 10.0.100.8

Tue Dec 15 10:34:34 2015: INFO: Duplicate request id 188 received from 
10.0.100.8(58652): ret
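
An added check (not from the thread and not Radiator code) over the two AuthBy LDAP2 clauses posted above, in Python: it parses the flat "Keyword value" lines and flags the combinations the thread discusses. The two clause texts are copied from the posts (the clause tags were lost in the archive and are skipped); the finding codes and messages are mine, and the Debug 255 note refers to the Net::LDAP debug dump that Radiator's Debug parameter turns on.

```python
import re
from typing import Dict, List, Tuple

GC_PORTS = {"3268", "3269"}   # Global Catalog LDAP / LDAPS ports named in the thread

# Copied from the "before" clause posted above (values as posted; tags omitted).
BEFORE = """
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN DC=MS, DC=DOMAIN, DC=com
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef logonHours,MS-Login-Hours,check
"""

# Copied from the working clause posted above.
AFTER = """
Debug 255
NoDefault
Host 10.0.50.80 10.0.50.82
Port 3268
AuthDN cn=ADAccount, OU=Unit3, DC=MS, DC=DOMAIN, DC=COM
AuthPassword PLAINTEXTPASSWORD
BaseDN
PasswordAttr
ServerChecksPassword
UsernameAttr sAMAccountName
HoldServerConnection
FailureBackoffTime 0
AuthAttrDef MobileNumber,Callback-Number,request
"""


def parse_clause(text: str) -> Dict[str, List[str]]:
    """'Keyword value' lines -> {keyword: [values]}; a bare keyword maps to ''.
    Comments, blank lines and any <clause> tags are skipped; repeated keywords
    such as AuthAttrDef accumulate."""
    params: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        parts = re.split(r"\s+", line, maxsplit=1)
        key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        params.setdefault(key, []).append(value)
    return params


def lint_ad_clause(params: Dict[str, List[str]]) -> List[Tuple[str, str]]:
    """Return (code, message) findings for an AuthBy LDAP2 clause aimed at AD."""
    findings: List[Tuple[str, str]] = []
    port = params.get("Port", [""])[0]
    base_dn = params.get("BaseDN", [""])[0]
    if port in GC_PORTS and base_dn:
        findings.append(("gc-basedn",
            f"BaseDN '{base_dn}' with Global Catalog port {port}: only objects under that DN "
            "are returned, so users from other domains in the forest are never found "
            "(thread advice: leave BaseDN empty)"))
    if "ServerChecksPassword" not in params:
        findings.append(("server-checks-password",
            "ServerChecksPassword missing: AD does not hand out user credentials, so the "
            "server must bind as the user to check the password"))
    if "HoldServerConnection" in params:
        findings.append(("hold-connection",
            "HoldServerConnection set: reported in the thread not to work against AD; "
            "confirm reconnect behaviour after the server drops the connection"))
    if params.get("Debug", ["0"])[0] == "255":
        findings.append(("ldap-debug",
            "Debug 255 dumps every LDAP packet, the simple bind with the password included, "
            "into the log; lower it in production"))
    return findings


def lint_text(text: str) -> List[str]:
    """Finding codes only, for quick comparison of two clauses."""
    return [code for code, _ in lint_ad_clause(parse_clause(text))]


if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        for code, msg in lint_ad_clause(parse_clause(cfg)):
            print(f"{name}: [{code}] {msg}")
```

The "before" clause trips the BaseDN-with-GC-port finding and the working one does not; both still carry the HoldServerConnection and Debug 255 points, which the thread leaves in the working config.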

Re: [RADIATOR] AuthBy LDAP2 to AD

2015-12-16 Thread Heikki Vatiainen
On 15.12.2015 19.18, Joe Honnold wrote:

> I am working towards a config that does AD authentication with the
> addition of OTP.  I have started the AD config and have hit an issue
> that I can not seem to get around.
> The log file states:
>
> Tue Dec 15 10:34:24 2015: DEBUG: Radius::AuthLDAP2 REJECT: Bad
> Encrypted password: UserJ [UserJ]

I would check the shared secret first. If the secret is incorrect, 
Radiator tries to bind with incorrectly decrypted password and this may 
be the reason why you see the above error.

Also, your test client is resending the authentication request. This can 
happen if it does not like the authenticator in the reply and discards 
the reply without processing it any further.

Thanks,
Heikki

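Heikki's two points above, that a wrong shared secret turns User-Password into junk before the LDAP bind and that the client then discards a reply whose authenticator it cannot verify, as an added Python example (not from the thread and not Radiator code). It implements the RFC 2865 User-Password hiding and the Response Authenticator with hashlib; the secret, the wrong secret, the password and the Request Authenticator are constructed values, while identifier 188 and the Reply-Message text come from the posted log.

```python
import hashlib
import secrets

# Constructed values for the demo (the post hides its real secret).
SHARED_SECRET = b"IMNOTTELLLING"     # secret the NAS used when hiding User-Password
WRONG_SECRET = b"imnottelling"       # a mistyped secret on the RADIUS server side
REQUEST_AUTH = bytes(range(16))      # constructed 16-octet Request Authenticator

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
REPLY_MESSAGE = 18                   # RADIUS attribute type of Reply-Message


def hide_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """RFC 2865 s5.2: null-pad to a multiple of 16 octets, then XOR each block with
    MD5(secret + previous ciphertext block), chaining from the Request Authenticator."""
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out += block
        prev = block
    return out


def reveal_password(hidden: bytes, secret: bytes, request_auth: bytes) -> bytes:
    """Inverse of hide_password. With the wrong secret the keystream is wrong and the
    result is junk: that junk is what the server then tries to bind to LDAP with."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(block, keystream))
        prev = block
    return out.rstrip(b"\x00")


def attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS attribute in Type-Length-Value form."""
    return bytes([attr_type, len(value) + 2]) + value


def build_reply(code: int, identifier: int, request_auth: bytes,
                attributes: bytes, secret: bytes) -> bytes:
    """RFC 2865 s3: Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attrs|Secret)."""
    length = 20 + len(attributes)
    header = bytes([code, identifier]) + length.to_bytes(2, "big")
    response_auth = hashlib.md5(header + request_auth + attributes + secret).digest()
    return header + response_auth + attributes


def client_accepts_reply(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the NAS does on receipt: recompute the Response Authenticator with its own
    secret and silently drop the packet on mismatch (it will then retransmit the request)."""
    if len(packet) < 20:
        return False
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        return False
    header, claimed, attributes = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attributes + secret).digest()
    return secrets.compare_digest(claimed, expected)


def demo() -> dict:
    """Walk the thread's failure: NAS hides the password with one secret, the server
    holds another, and its Access-Reject is thrown away by the NAS."""
    password = b"correct horse battery"
    hidden = hide_password(password, SHARED_SECRET, REQUEST_AUTH)
    reject = build_reply(ACCESS_REJECT, 188, REQUEST_AUTH,
                         attr(REPLY_MESSAGE, b"Request Denied"), WRONG_SECRET)
    return {
        "good_secret_decodes": reveal_password(hidden, SHARED_SECRET, REQUEST_AUTH) == password,
        "bad_secret_decodes": reveal_password(hidden, WRONG_SECRET, REQUEST_AUTH) == password,
        "nas_accepts_reject": client_accepts_reply(reject, REQUEST_AUTH, SHARED_SECRET),
    }
```

The repeated "Duplicate request id 188 received ... retransmit reply" lines in the posted log are the visible symptom of the last case: the same Identifier keeps arriving because the NAS never accepted the first reply.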


Re: [RADIATOR] AuthBy Syslog port

2015-02-05 Thread Heikki Vatiainen
On 5.2.2015 20.09, Michael wrote:
> Correct me if i'm wrong, but is it the non-radiator Syslog perl module
> that doesn't have an option to specify the port?

Yes, support for options depends on the Sys::Syslog version. The latest 
versions support port but, for example, Ubuntu 12.04 LTS is not recent 
enough. The problem is mostly with the API: the old versions do not 
provide the interface that is used to pass the port to the module.

> On 05/02/15 12:59 PM, [email protected] wrote:
>> We are experimenting with docker containers and running radiator in the most 
>> minimal footprint possible, which means we wanted to avoid an unnecessary 
>> install of rsyslog.  Will this option be available in future releases?

Sys::Syslog version 0.28 is the minimum version with the interface that 
supports specifying the port number. Version 0.30 has a fix for port 
handling which improves performance; that's useful if the log 
rate is high.

An option in Radiator is possible. The future release could use the new 
API for all options, including the port number, and revert back to the 
old API with older versions. I'll investigate this.

Meanwhile you could consider local modifications if your Sys::Syslog is 
recent enough.

Thanks,
Heikki



Re: [RADIATOR] AuthBy Syslog port

2015-02-05 Thread Michael
Correct me if I'm wrong, but is it the non-Radiator Syslog Perl module 
that doesn't have an option to specify the port?


On 05/02/15 12:59 PM, [email protected] wrote:
> We are experimenting with docker containers and running radiator in the most 
> minimal footprint possible, which means we wanted to avoid an unnecessary 
> install of rsyslog.  Will this option be available in future releases?
>
>
>
>> On Feb 5, 2015, at 7:22 AM, Heikki Vatiainen  wrote:
>>
>>> On 4.2.2015 1.30, List wrote:
>>> Is it possible to log AuthBy Syslog to an external server on a different
>>> port than 514?  Reading the documentation I don't see an option to
>>> specify the port of the remote syslog server.
>> You are correct, there is no option for setting the remote port.
>>
>> I recommend logging to the local syslog server and configuring it to
>> forward the requests to the remote syslog servers. In addition to more
>> flexibility with configuration, this will also offload handling the log
>> messages to a separate process which can use, for example, TCP/TLS and
>> whatever is required to make sure the log messages get to their destination.
>>
>> Thanks,
>> Heikki
>>


Re: [RADIATOR] AuthBy Syslog port

2015-02-05 Thread [email protected]
We are experimenting with docker containers and running radiator in the most 
minimal footprint possible, which means we wanted to avoid an unnecessary 
install of rsyslog.  Will this option be available in future releases?



> On Feb 5, 2015, at 7:22 AM, Heikki Vatiainen  wrote:
> 
>> On 4.2.2015 1.30, List wrote:
>> Is it possible to log AuthBy Syslog to an external server on a different
>> port than 514?  Reading the documentation I don't see an option to
>> specify the port of the remote syslog server.
> 
> You are correct, there is no option for setting the remote port.
> 
> I recommend logging to the local syslog server and configuring it to 
> forward the requests to the remote syslog servers. In addition to more 
> flexibility with configuration, this will also offload handling the log 
> messages to a separate process which can use, for example, TCP/TLS and 
> whatever is required to make sure the log messages get to their destination.
> 
> Thanks,
> Heikki
> 


Re: [RADIATOR] AuthBy Syslog port

2015-02-05 Thread Heikki Vatiainen
On 4.2.2015 1.30, List wrote:
> Is it possible to log AuthBy Syslog to an external server on a different
> port than 514?  Reading the documentation I don't see an option to
> specify the port of the remote syslog server.

You are correct, there is no option for setting the remote port.

I recommend logging to the local syslog server and configuring it to 
forward the requests to the remote syslog servers. In addition to more 
flexibility with configuration, this will also offload handling the log 
messages to a separate process which can use, for example, TCP/TLS and 
whatever is required to make sure the log messages get to their destination.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy FILE - Dont check password

2015-01-21 Thread Hartmaier Alexander

You don't even need that if the file doesn't contain a password check item.

On 2015-01-21 12:02, Peter Havekes wrote:
> 5.21.58 NoCheckPassword
>
> This optional parameter causes AuthBy not to check the password. This
> means that any password entered by the user will be accepted.
> This parameter is useful in conjunction with other authentication
> methods where the password check is done elsewhere.
>
> On 20-01-15 14:17, Jim Tyrrell wrote:
>> Is it possible to have the AuthBy FILE check a file for the username but
>> not check the password?
>>
>> I ideally want the AuthBy to just check for a username in a file of only
>> usernames, and if it matches generate the Reply, if it fails to match
>> the username then it will fall back to a 2nd AuthBy (via AuthByPolicy
>> ContinueWhileReject) that will respond with a different reply.
>>
>> The idea being that if a user is in a username list the session will be
>> tunneled to a certain endpoint, and if not the user will be tunneled to
>> a different IP.
>>
>> Thanks.
>>
>> Jim.










*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*

Re: [RADIATOR] AuthBy FILE - Dont check password

2015-01-21 Thread Peter Havekes
5.21.58 NoCheckPassword

This optional parameter causes AuthBy not to check the password. This
means that any password entered by the user will be accepted.
This parameter is useful in conjunction with other authentication
methods where the password check is done elsewhere.




On 20-01-15 14:17, Jim Tyrrell wrote:
> Is it possible to have the AuthBy FILE check a file for the username but
> not check the password?
>
> I ideally want the AuthBy to just check for a username in a file of only
> usernames, and if it matches generate the Reply, if it fails to match
> the username then it will fall back to a 2nd AuthBy (via AuthByPolicy
> ContinueWhileReject) that will respond with a different reply.
>
> The idea being that if a user is in a username list the session will be
> tunneled to a certain endpoint, and if not the user will be tunneled to
> a different IP.
>
> Thanks.
>
> Jim.
>

-- 
Peter Havekes

ICT-Ontwikkeling & CSIRT | Diensteenheid ICT en Facilitair
Avans Hogeschool | 0885256592 | Onderwijsboulevard 215 |
5223 DE 's-Hertogenbosch | http://www.avans.nl

Twitter: https://twitter.com/phavekes
Google+: https://plus.google.com/+PeterHavekes





Re: [RADIATOR] AuthBy FILE - Dont check password

2015-01-20 Thread Hartmaier Alexander
Sure, just use a file with only usernames and no check items. Those are
on the same line as the username, look in the manual for the file format.

Cheers, Alex

On 2015-01-20 14:17, Jim Tyrrell wrote:
> Is it possible to have the AuthBy FILE check a file for the username but
> not check the password?
>
> I ideally want the AuthBy to just check for a username in a file of only
> usernames, and if it matches generate the Reply, if it fails to match
> the username then it will fall back to a 2nd AuthBy (via AuthByPolicy
> ContinueWhileReject) that will respond with a different reply.
>
> The idea being that if a user is in a username list the session will be
> tunneled to a certain endpoint, and if not the user will be tunneled to
> a different IP.
>
> Thanks.
>
> Jim.
>



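The username-only file and the ContinueWhileReject fallback from this thread, as an added Python model (not Radiator's code): it parses a users file in the layout the manual describes (username plus optional check items on the first line, indented reply items after it) and shows that an entry without a Password check item accepts any password, while unlisted users drop through to the second AuthBy. The file contents, usernames and tunnel endpoints are constructed.

```python
"""Model of the two-AuthBy handler described in the thread: AuthBy FILE over a
users file that holds usernames with no check items, then a second AuthBy that
is reached only through AuthByPolicy ContinueWhileReject.

Illustrative code written for this page, not Radiator's own implementation.
It assumes the Radiator users-file layout: a line that starts with the username
followed by optional comma-separated check items, then indented lines of
comma-separated reply items."""

# Constructed sample users file: usernames only, no check items, so the
# password the user typed is never compared with anything.
USERS_FILE = """\
# users that get tunnelled to the first endpoint
alice
\tTunnel-Type = L2TP,
\tTunnel-Server-Endpoint = 192.0.2.50
bob
\tTunnel-Type = L2TP,
\tTunnel-Server-Endpoint = 192.0.2.50
"""


def _parse_items(text):
    """Turn 'A = x, B = y' into {'A': 'x', 'B': 'y'}; a trailing comma is allowed."""
    items = {}
    for piece in text.split(","):
        piece = piece.strip()
        if piece:
            name, _, value = piece.partition("=")
            items[name.strip()] = value.strip().strip('"')
    return items


def parse_users_file(text):
    """Return {username: (check_items, reply_items)} from users-file text."""
    entries = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t":
            # Indented continuation line: reply items for the current user.
            if current is None:
                raise ValueError("reply items before any username line")
            entries[current][1].update(_parse_items(raw))
        else:
            parts = raw.split(None, 1)
            current = parts[0]
            entries[current] = (_parse_items(parts[1]) if len(parts) > 1 else {}, {})
    return entries


def make_authby_file(entries):
    """AuthBy FILE: match on User-Name and compare the password only when the
    matching entry actually carries a Password check item."""
    def authenticate(request):
        entry = entries.get(request["User-Name"])
        if entry is None:
            return "REJECT", {}
        checks, replies = entry
        if "Password" in checks and checks["Password"] != request.get("User-Password"):
            return "REJECT", {}
        return "ACCEPT", dict(replies)
    return authenticate


def authby_fallback(request):
    """Second AuthBy: anyone not listed in the file is tunnelled to another endpoint."""
    return "ACCEPT", {"Tunnel-Type": "L2TP", "Tunnel-Server-Endpoint": "198.51.100.50"}


def continue_while_reject(authbys, request):
    """AuthByPolicy ContinueWhileReject: try the next AuthBy only after a REJECT;
    any other result (ACCEPT, IGNORE, CHALLENGE) ends the chain."""
    result, reply = "REJECT", {}
    for authby in authbys:
        result, reply = authby(request)
        if result != "REJECT":
            break
    return result, reply


def route(request, users_file=USERS_FILE):
    """Run the handler for one request and return (result, reply attributes)."""
    authbys = [make_authby_file(parse_users_file(users_file)), authby_fallback]
    return continue_while_reject(authbys, request)


if __name__ == "__main__":
    print(route({"User-Name": "alice", "User-Password": "anything-at-all"}))
    print(route({"User-Name": "carol", "User-Password": "x"}))
```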


Re: [RADIATOR] AuthBy LDAP difference between bind failure to LDAP service and unreachable LDAP service

2014-03-12 Thread Heikki Vatiainen
On 03/12/2014 08:22 AM, [email protected] wrote:

> Does anyone know if it is possible to handle the errors of an
> unreachable LDAP server vs not capable to bind differently within
> radiator? If so, please advise.

Try setting 'ServerChecksPassword' option. See the reference manual for
details.

I think the behaviour you describe below is correct since its purpose is
to return IGNORE to let AuthByPolicy and possibly the RADIUS client
know that it was not possible to get a definitive yes/no answer from the
LDAP server.

In other words, use anonymous bind + search followed by
ServerChecksPassword or set up a user that does the bind and search
followed by ServerChecksPassword if anonymous bind is not allowed.

> For an access service we use the bind feature to let the LDAP server
> check the password for that specific user object, and then retrieve the
> required attributes. But when the username/password combination is wrong
> the result is IGNORE and hence another authentication attempt is done
> towards the second LDAP server (which of course also results in a
> non-successful bind attempt).

Thanks,
Heikki


-- 
Heikki Vatiainen 

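The two LDAP flows Heikki contrasts above, as an added Python model (not Radiator's AuthBy LDAP): bind-as-user only, where a failed bind comes back as IGNORE, versus service bind + search followed by a ServerChecksPassword-style bind as the found DN, which separates "server unreachable" (IGNORE) from "wrong password or unknown user" (REJECT). The directory, DNs and passwords are constructed stand-ins.

```python
"""Model of the two AuthBy LDAP flows discussed in the thread. Illustrative
code written for this page, not Radiator's AuthBy LDAP; the directory is a
constructed stand-in and the result names follow Radiator's ACCEPT/REJECT/IGNORE."""

SERVICE_DN = "cn=radiator,ou=svc,dc=example,dc=org"   # constructed
SERVICE_PW = "service-secret"                          # constructed
BASE_DN = "ou=people,dc=example,dc=org"                # constructed


class LdapUnreachable(Exception):
    """Connection refused, timeout, TLS failure: no answer from the server."""


class InvalidCredentials(Exception):
    """LDAP resultCode 49: the server did answer, and the answer is no."""


class FakeDirectory:
    """Constructed stand-in for an LDAP server: uid -> (dn, password)."""

    def __init__(self, users, reachable=True):
        self.users = users
        self.reachable = reachable

    def bind(self, dn, password):
        if not self.reachable:
            raise LdapUnreachable(dn)
        expected = SERVICE_PW if dn == SERVICE_DN else next(
            (pw for user_dn, pw in self.users.values() if user_dn == dn), None)
        if expected is None or expected != password:
            raise InvalidCredentials(dn)

    def search(self, base, uid):
        if not self.reachable:
            raise LdapUnreachable(base)
        dn, _ = self.users.get(uid, (None, None))
        return dn if dn and dn.endswith(base) else None


def bind_as_user_only(directory, username, password):
    """The original setup: bind straight away as the user. As Heikki confirms,
    a failed bind here is reported as IGNORE (no definitive answer), so
    AuthByPolicy moves on to the next LDAP server even for a wrong password."""
    dn = f"uid={username},{BASE_DN}"
    try:
        directory.bind(dn, password)
    except (LdapUnreachable, InvalidCredentials):
        return "IGNORE"
    return "ACCEPT"


def server_checks_password(directory, username, password):
    """Service bind + search locates the user; a second bind as the user's DN
    lets the server verify the password. Only a server that cannot be asked
    yields IGNORE; an unknown user or a wrong password is a definitive REJECT."""
    try:
        directory.bind(SERVICE_DN, SERVICE_PW)
        user_dn = directory.search(BASE_DN, username)
    except LdapUnreachable:
        return "IGNORE"          # no answer at all: let the next server try
    except InvalidCredentials:
        return "IGNORE"          # our own service account is wrong, not the user
    if user_dn is None:
        return "REJECT"          # server answered: no such user
    try:
        directory.bind(user_dn, password)
    except LdapUnreachable:
        return "IGNORE"
    except InvalidCredentials:
        return "REJECT"          # server answered: wrong password
    return "ACCEPT"


def demo_directory(reachable=True):
    """Constructed directory holding a single user."""
    return FakeDirectory({"alice": (f"uid=alice,{BASE_DN}", "correct horse")}, reachable)


if __name__ == "__main__":
    d = demo_directory()
    print("bind only, wrong password:", bind_as_user_only(d, "alice", "wrong"))
    print("ServerChecksPassword, wrong password:", server_checks_password(d, "alice", "wrong"))
    print("ServerChecksPassword, server down:",
          server_checks_password(demo_directory(reachable=False), "alice", "correct horse"))
```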


Re: [RADIATOR] AuthBy SQL and database connections

2014-01-15 Thread Heikki Vatiainen
On 01/15/2014 10:00 AM, Vangelis Kyriakakis wrote:

>  If we have an AuthBy SQL clause and a SessionDatabase SQL one, both
> connecting to the same database with the same DBUsername, will Radiator
> create two separate connections (one for each clause) or just one for
> both clauses?

Hello Vangelis,

if DBSource, DBUsername and DBAuth (after expanding any % specials)
are the same, then the connection should be the same. By 'should' I mean
that Radiator calls DBI's connect() which hides the actual workings of
the underlying layers.

If you do for example, 'sudo netstat -t -p -n' you can check the TCP
connections and the processes that use them.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy XML HTTP POST?

2013-11-27 Thread Sami Keski-Kasari
Hello Michael,

We have already certified interface for Opera Hotel Property Management
System from Micros-Fidelio.

We can consider adding iTesso support to Radiator.
The model could be that you/your customer pay part of our
development costs and we add support for iTesso to the standard
Radiator distribution. After that we will be responsible for maintaining
the support module and you/your customer will get updates with the standard
Radiator support contract.

Would you like to continue with this model?

If yes, please send us the interface document so that we can give an
estimate of the costs.

Best Regards,
 Sami


On 11/26/2013 10:43 PM, Michael Newton wrote:
> We have an opportunity to provide authentication for a hotel client based
> on guest name and room number. The property management system they are
> using (iTesso) has an HTTP/XML-based server that would need to be
> authenticated against, queried for matching name/room number, and then have
> a charge posted (or not, based on the results of the response.)
> 
> We have access to the XML spec and a test interface and are looking to see
> if anyone in the Radiator community has experience with this sort of setup,
> and/or if anyone would be interested in providing us with a quote for
> implementing such a module. Perl is not a native language for anyone
> in-house, unfortunately.
> 
> Looking forward to your replies!
> 
> Mike
> 
> 
> 
> 


-- 
Sami Keski-Kasari 



Re: [RADIATOR] AuthBy INTERNAL not sending reply after several AuthBy RADIUS

2013-09-25 Thread Heikki Vatiainen
On 09/24/2013 05:47 PM, Tim Jones wrote:

> The debug output from the server shows the database being updated and
> returning ACCEPT, but then never sends out the Access-Accept response
> packet back to the NAS.

Hello Tim,

since you run this from ReplyHook, returning from the Hook will not wind
back to a Handler which would then make sure the reply is passed back to
NAS. Take a look at how handlerResult is used e.g., by AuthRADIUS.pm to
tell Handler that a reply was received.

> I have a feeling it is because of setting the $op to IGNORE when
> forwarding the request, but the RequestHook of AuthBy INTERNAL doesn't
> pass it as a parameter so I cannot modify its' RadiusResult.

When the forwarding was done IGNORE was returned to Handler. Now when
reply was received you'd need to invoke Handler to finish the processing.

> Am I trying to solve this problem the wrong way, or have I forgotten
> something?

I think this comes from the asynchronous processing of requests. If I
understood your configuration correctly, calling handlerResult should help.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy Stats

2013-08-21 Thread Heikki Vatiainen
On 08/21/2013 12:51 AM, Barry Ard wrote:

> I am trying to get stats that show which AuthBy clauses in a handler
> have an ACCEPT result but haven't found a way to do it. The StatsLog
> shows the counts for requests going through an AuthBy but only the
> ACCEPTS for the Handler.

Hello Barry,

can you give an example that shows the behaviour you see?

The stats are collected as follows. Using this config as an example:

<Handler>
   AuthByPolicy ContinueUntilAccept
   AuthBy authby1
   AuthBy authby2
   AuthBy authby3
</Handler>

Lets say there are 3 requests and each of the requests is accepted by a
different AuthBy. In this case the counts for accepts are:

Handler: 3
authby1: 3
authby2: 2
authby3: 1

To quote the reference manual:
   Radiator collects statistics for the server as a whole, as
   well as for each Client, Realm, Handler, AuthBy and Host that
   a packet passes through.

Since all requests must hit authby1, its count will be 3. Since each of
the AuthBys accepts 1 request, authby1 sees all 3 requests, authby2 sees
2 and authby3 sees only one request.

In other words, this is a stats trail. When a certain counter type, e.g.
accessAccepts, is incremented, it increments the counters for all
modules that the request visited.

Thanks,
Heikki


-- 
Heikki Vatiainen 

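Heikki's stats trail, as an added Python model (not Radiator's implementation) that reproduces the 3/3/2/1 accept counts above and also shows the reject case: a request rejected by every AuthBy increments accessRejects on the Handler and all three AuthBys. Module names follow the configuration above; the user names are constructed.

```python
"""Model of the stats trail described in the thread: every module a request
passes through is recorded, and once the final result is known the matching
counter is incremented on each module in the trail, not only on the module
that produced the result. Illustrative code for this page, not Radiator's."""
from collections import defaultdict


class StatsTrail:
    """Per-module counters plus the list of modules the current request visited."""

    def __init__(self):
        self.counters = defaultdict(lambda: defaultdict(int))
        self.visited = []

    def visit(self, module):
        self.visited.append(module)

    def commit(self, counter):
        """Final result known: bump `counter` on every visited module, reset trail."""
        for module in self.visited:
            self.counters[module][counter] += 1
        self.visited = []

    def snapshot(self):
        return {module: dict(counts) for module, counts in self.counters.items()}


def handle(stats, handler_name, authbys, request):
    """Handler with AuthByPolicy ContinueUntilAccept: AuthBys are tried in order
    until one accepts. `authbys` is a list of (name, set of accepted usernames)."""
    stats.visit(handler_name)
    result = "REJECT"
    for name, accepted_users in authbys:
        stats.visit(name)
        result = "ACCEPT" if request["User-Name"] in accepted_users else "REJECT"
        if result == "ACCEPT":
            break
    stats.commit("accessAccepts" if result == "ACCEPT" else "accessRejects")
    return result


# authby1..authby3 as in the configuration above; each accepts one constructed user.
AUTHBYS = [("authby1", {"u1"}), ("authby2", {"u2"}), ("authby3", {"u3"})]


def run_three_accepts():
    """Heikki's scenario: three requests, each accepted by a different AuthBy."""
    stats = StatsTrail()
    for user in ("u1", "u2", "u3"):
        handle(stats, "Handler", AUTHBYS, {"User-Name": user})
    return stats.snapshot()


if __name__ == "__main__":
    for module, counts in run_three_accepts().items():
        print(module, counts)
```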


Re: [RADIATOR] AuthBy RADIUS and LocalAddress

2013-08-19 Thread Heikki Vatiainen
On 08/19/2013 03:57 PM, Alexander Hartmaier wrote:

>> LocalAddress should default to BindAddress or 0.0.0.0 if LocalAddress is
>> not set explicitly as an option. It also tries to create a socket for
>> proxying the requests if no such socket exists already.
> And it seems creating that socket fails without an error message.

If you run it with DEBUG, you should see a message like this:

  DEBUG: AuthBy RADIUS creates new local socket '127.0.0.1:0' for
  sending requests

This is with the configuration you have attached. I think it also tells
what the problem is. The first IP is used for the source address for
proxying.

You could consider reordering BindAddress to have the desired outgoing
IP first, or maybe better, specify LocalAddress since you seem to have
special requirements.

> Assuming the radius server has the ip 192.0.2.2 on eth0 and 10.0.0.2 on
> eth1 and the virtual ips 192.0.2.10 and 10.0.0.10 as 'service' ips that
> should work:

Thanks for the configuration. As I mentioned above, I get 127.0.0.1 as
the source address if LocalAddress is commented out. This is the
intended behaviour, see e.g. LocalAddress in ref.pdf. Currently Radiator
always binds the local address when creating a socket for proxying.

> AuthPort 1812
> AcctPort 1813
> 
> BindAddress 127.0.0.1, 192.0.2.10, ipv6:2001:db8::10, 10.0.0.10

127.0.0.1 is the first address and thus the source address for AuthBy
RADIUS unless LocalAddress is defined.

> 
> <AuthBy RADIUS>
> Host 192.0.2.20
> Secret FooBar
> AuthPort 1645
> NoForwardAccounting
> LocalAddress 10.0.0.2 # without this line no radius packet is
> sent according to tcpdump
> </AuthBy>
> 


Thanks,
Heikki


-- 
Heikki Vatiainen 

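A configuration check built on the rule Heikki states above (no LocalAddress means the first BindAddress is the proxy source), written for this page rather than taken from Radiator. It parses the thread's key/value config layout and flags an AuthBy RADIUS whose source address would be loopback, or the wrong IP version, for its Host; it assumes Host is an IP address and skips hostnames.

```python
"""Lint for the AuthBy RADIUS source-address rule from the thread: LocalAddress
if set, otherwise the first BindAddress, otherwise the wildcard. Illustrative
code for this page, not Radiator's; it assumes the key/value config layout
shown in the thread and that Host is an IP literal."""
import ipaddress

# Constructed config mirroring the thread: loopback is the first BindAddress.
CONFIG = """\
AuthPort 1812
AcctPort 1813
BindAddress 127.0.0.1, 192.0.2.10, ipv6:2001:db8::10, 10.0.0.10

<Handler>
<AuthBy RADIUS>
    Host 192.0.2.20
    Secret FooBar
    AuthPort 1645
    NoForwardAccounting
</AuthBy>
</Handler>
"""


def parse_config(text):
    """Return (global BindAddress list, [AuthBy RADIUS parameter dicts])."""
    bind_addresses, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop trailing comments
        if not line:
            continue
        lowered = line.lower()
        if lowered.startswith("<authby radius"):
            current = {}
        elif lowered == "</authby>":
            if current is not None:
                blocks.append(current)
            current = None
        elif line.startswith("<"):
            continue                                # other clause markers
        else:
            key, _, value = line.partition(" ")
            if current is not None:
                current[key] = value.strip()
            elif key == "BindAddress":
                for addr in value.split(","):
                    addr = addr.strip()
                    bind_addresses.append(addr[5:] if addr.startswith("ipv6:") else addr)
    return bind_addresses, blocks


def effective_source(bind_addresses, block):
    """LocalAddress if set; else the first BindAddress; else the wildcard."""
    if "LocalAddress" in block:
        return block["LocalAddress"]
    return bind_addresses[0] if bind_addresses else "0.0.0.0"


def lint(text):
    """Flag AuthBy RADIUS blocks whose proxy source address cannot reach Host."""
    bind_addresses, blocks = parse_config(text)
    findings = []
    for block in blocks:
        try:
            src = ipaddress.ip_address(effective_source(bind_addresses, block))
            host = ipaddress.ip_address(block.get("Host", ""))
        except ValueError:
            continue                                # hostname or malformed: skip
        if src.is_loopback and not host.is_loopback:
            findings.append(f"source {src} is loopback but Host {host} is not; set LocalAddress")
        elif not src.is_unspecified and src.version != host.version:
            findings.append(f"source {src} is IPv{src.version} but Host {host} is IPv{host.version}")
    return findings


if __name__ == "__main__":
    for finding in lint(CONFIG):
        print("WARNING:", finding)
```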


Re: [RADIATOR] AuthBy RADIUS and LocalAddress

2013-08-19 Thread Alexander Hartmaier
Hi Heikki,

On 2013-08-19 14:22, Heikki Vatiainen wrote:
> On 08/16/2013 02:45 PM, Alexander Hartmaier wrote:
>
>> I've migrated our main Radiator installation to new servers and just
>> faced the problem that an AuthBy RADIUS didn't send a packet out
>> although a trace 4 showed a "Sending to ".
>> The Radiator process is bound to some virtual IPs using BindAddress
>> which is different from the old installation where it listened on 0.0.0.0.
> Hello Alexander,
>
> what do you mean by *virtual* IP address in this case. Is it an alias
> address or something else?
The server has two interfaces, both have additional, virtual ip
addresses on both interfaces (eth0:0, eth0:1, eth1:0 and eth1:1 for
IPv4, additional IPv6 addresses on eth0 and eth1).

>
> Also, is that unpatched or patched 4.11?
patched from 2013-06-18
>
>> Adding LocalAddress using the non-virtual IPv4 address of the interface
>> fixed it. Without that a tcpdump shows no packets on either of the two
>> interfaces.
> LocalAddress should default to BindAddress or 0.0.0.0 if LocalAddress is
> not set explicitly as an option. It also tries to create a socket for
> proxying the requests if no such socket exists already.
And it seems creating that socket fails without an error message.
>
>> Imho that's a bug because sending Radius requests as a Radius client
>> should be decoupled from being a Radius Server.
> Do you think you could provide a minimal configuration file that
> reproduces the problem you see? We would be interested in taking a
> further look at this.
Assuming the radius server has the ip 192.0.2.2 on eth0 and 10.0.0.2 on
eth1 and the virtual ips 192.0.2.10 and 10.0.0.10 as 'service' ips that
should work:

AuthPort 1812
AcctPort 1813

BindAddress 127.0.0.1, 192.0.2.10, ipv6:2001:db8::10, 10.0.0.10

<AuthBy RADIUS>
Host 192.0.2.20
Secret FooBar
AuthPort 1645
NoForwardAccounting
LocalAddress 10.0.0.2 # without this line no radius packet is
sent according to tcpdump
</AuthBy>

>
> Thanks,
> Heikki
>





Re: [RADIATOR] AuthBy RADIUS and LocalAddress

2013-08-19 Thread Heikki Vatiainen
On 08/16/2013 02:45 PM, Alexander Hartmaier wrote:

> I've migrated our main Radiator installation to new servers and just
> faced the problem that an AuthBy RADIUS didn't send a packet out
> although a trace 4 showed a "Sending to ".
> The Radiator process is bound to some virtual IPs using BindAddress
> which is different from the old installation where it listened on 0.0.0.0.

Hello Alexander,

what do you mean by *virtual* IP address in this case. Is it an alias
address or something else?

Also, is that unpatched or patched 4.11?

> Adding LocalAddress using the non-virtual IPv4 address of the interface
> fixed it. Without that a tcpdump shows no packets on either of the two
> interfaces.

LocalAddress should default to BindAddress or 0.0.0.0 if LocalAddress is
not set explicitly as an option. It also tries to create a socket for
proxying the requests if no such socket exists already.

> Imho that's a bug because sending Radius requests as a Radius client
> should be decoupled from being a Radius Server.

Do you think you could provide a minimal configuration file that
reproduces the problem you see? We would be interested in taking a
further look at this.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy DIAMETER

2013-08-14 Thread Sami Keski-Kasari
Hello Stefan,

On 08/05/2013 04:04 PM, Stefan Winter wrote:

>> We are now preparing initial release of Radius to Diameter translation
>> gateway for Radiator.  Currently we have implemented limited support for
>> DIAMETER base RFC 6377 and full support for NASREQ RFC 4005.
>
> You should probably not care about RFC4005 any more. Its successor is
> almost ready, and was specifically created to address major deficiencies
> in RFC4005. The deficiencies were to such an extent that common belief
> in the IETF is "nobody uses this".
>
> See here for the successor draft spec:
>
> http://datatracker.ietf.org/doc/draft-ietf-dime-rfc4005bis/

Thanks for pointer to that draft.

It appears there are people using 4005.

Almost all of our Diameter customers are using Diameter in 3GPP 
environments. Those specs use RFC 3588 and RFC4005 as their base.
The new Diameter Base RFC 6733 is good because it is backward compliant. 
If upcoming NASREQ RFC is not backward compliant then I think that we 
need to support 4005 for a long time.

>> Our implementation is ready for public beta testing and we are looking
>> for volunteers for testing our translation gateway.
>>
>> If you are willing to test our Radius to Diameter translation gateway,
>> please reply directly to me and tell me about your intended test
>> environment and test plans.
>
> Out of curiosity: one of the many problems of RFC4005 was that it was
> syntactically impossible to translate a Diameter attribute of length
> >253 Bytes into a RADIUS attribute; for obvious reasons.
>
> RADIUS has meanwhile specified "long" attributes, making this
> translation possible. Does your Diameter gateway already include support
> for extended RADIUS attributes? I'm speaking of RFC6929:

If you take a look at section 8 (Diameter Considerations), it seems not 
to agree with your view of using that RFC in Radius to Diameter 
translation :).

I think that problem with RFC6929 is that IANA has allocated only vendor 
specific attributes. So if we start using them we have to use it under 
vendor specific field and it will never be compliant with anybody. It is 
not a problem if you are processing things locally but it is problem if 
you need to proxy them.

So if the upcoming NASREQ RFC removes all radius<->diameter translation 
instructions I think that we will need a separate RFC addressing that. 
Otherwise all vendors start using their own solutions or we will continue to 
support RFC4005 instead of the newer RFC. If there is some group doing a 
translation RFC we will be happy to contribute.

I think we will add support for RFC6929 to Radiator in the near future
so that people can use it in local translations.


Best Regards,
  Sami

-- 
Sami Keski-Kasari 



Re: [RADIATOR] AuthBy FILE

2013-08-06 Thread Heikki Vatiainen
On 08/07/2013 12:11 AM, Dan Prill wrote:

> I'm trying to get authentication set up against eDirectory via LDAP, but
> wanted to start by seeing if I could get AuthBy FILE to work first. When
> I attempt to connect with a Windows 7 laptop, I see the following in the
> logfile. I'm using the eap_peap.cfg file and a Trapeze MX-200 as the
> authenticator. Any suggestions appreciated.

Looks like Radiator thinks you are using LEAP, EAP method 17.

Radiator has successfully read the file, found the entry for the user
and thinks the password is good. Now it's sending a challenge back to
the client and waits for the client to respond.

Since you mentioned PEAP and Radiator responds with LEAP, maybe there's
a configuration mismatch somewhere?

Thanks,
Heikki

> Tue Aug  6 15:39:07 2013: DEBUG: Packet dump:
> *** Received from 172.16.240.2 port 20009 
> Code:   Access-Request
> Identifier: 214
> Authentic:  an<4><249>@J<4>Zd<229>e1Z#<0>Y
> Attributes:
>  NAS-Port-Id = "AP10/1"
>  Calling-Station-Id = "64-80-99-1E-3F-FC"
>  Called-Station-Id = "00-0B-0E-B5-8A-44:NWHSU-Test"
>  Service-Type = Framed-User
>  User-Name = "dprill"
>  NAS-Port = 23410
>  EAP-Message =
> <2><6><0>&<17><1><0><24><232><209><188>2<242><218><148>`H<213><193><174><224><244><193><251><12>5<130><200><179>'<170><190>dprill
>  NAS-Port-Type = Wireless-IEEE-802-11
>  NAS-IP-Address = 172.16.240.2
>  NAS-Identifier = "Trapeze"
>  Message-Authenticator =
> 3<243><30><188>j<159><166><232><9><151><157>>2<170><194><237>
>  
> Tue Aug  6 15:39:07 2013: DEBUG: Handling request with Handler '',
> Identifier ''
> Tue Aug  6 15:39:07 2013: DEBUG:  Deleting session for dprill,
> 172.16.240.2, 23410
> Tue Aug  6 15:39:07 2013: DEBUG: Handling with Radius::AuthFILE:
> Tue Aug  6 15:39:07 2013: DEBUG: Handling with EAP: code 2, 6, 38, 17
> Tue Aug  6 15:39:07 2013: DEBUG: Response type 17
> Tue Aug  6 15:39:07 2013: DEBUG: Radius::AuthFILE looks for match with
> dprill [dprill]
> Tue Aug  6 15:39:07 2013: DEBUG: Radius::AuthFILE ACCEPT: : dprill [dprill]
> Tue Aug  6 15:39:07 2013: DEBUG: EAP result: 3, Wait for peer challenge
> Tue Aug  6 15:39:07 2013: DEBUG: AuthBy FILE result: CHALLENGE, Wait for
> peer challenge
> Tue Aug  6 15:39:07 2013: DEBUG: Access challenged for dprill: Wait for
> peer challenge
> Tue Aug  6 15:39:07 2013: DEBUG: Packet dump:
> *** Sending to 172.16.240.2 port 20009 
> Code:   Access-Challenge
> Identifier: 214
> Authentic:  b<28>8<12><25><31><137>D<141><130><150>%g<10>h<185>
> Attributes:
>  EAP-Message = <3><6><0><4>
>  Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>


-- 
Heikki Vatiainen 

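The EAP-Message from the quoted dump decoded, as an added Python helper (not Radiator code), so the LEAP type Heikki points at can be read straight from the log: it reverses Radiator's <n> rendering of non-printable bytes (assumed here to be decimal) and parses the EAP header, pulling the peer name out of a LEAP response. The EAP-Message bytes are copied from the log above.

```python
"""Decode an EAP-Message as printed in a Radiator packet dump and parse its
EAP header. Illustrative helper written for this page, not Radiator code; it
assumes Radiator prints non-printable bytes as <n> with n in decimal."""
import re

# Copied from the EAP-Message attribute in the quoted debug log.
EAP_MESSAGE_DUMP = (
    "<2><6><0>&<17><1><0><24><232><209><188>2<242><218><148>`H<213><193>"
    "<174><224><244><193><251><12>5<130><200><179>'<170><190>dprill"
)

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPES = {1: "Identity", 4: "MD5-Challenge", 13: "TLS", 17: "LEAP",
             21: "TTLS", 25: "PEAP", 26: "MSCHAPv2"}


def dump_to_bytes(text):
    """Reverse the dump rendering: '<n>' is byte n, any other char is its ASCII byte."""
    out = bytearray()
    for match in re.finditer(r"<(\d+)>|(.)", text, re.S):
        if match.group(1) is not None:
            out.append(int(match.group(1)))
        else:
            out.append(ord(match.group(2)))
    return bytes(out)


def parse_eap(packet):
    """Parse the EAP header (RFC 3748): code, identifier, length, then the type
    for Request/Response. For LEAP (type 17) also pull the peer name that
    follows the version/unused/count bytes and `count` bytes of challenge data."""
    if len(packet) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident = packet[0], packet[1]
    length = int.from_bytes(packet[2:4], "big")
    if length != len(packet):
        raise ValueError(f"EAP length field says {length}, got {len(packet)} bytes")
    info = {"code": code, "code_name": EAP_CODES.get(code, "unknown"),
            "id": ident, "length": length}
    if code in (1, 2) and length >= 5:
        eap_type = packet[4]
        info["type"] = eap_type
        info["type_name"] = EAP_TYPES.get(eap_type, "unknown")
        if eap_type == 17 and length >= 8:
            count = packet[7]
            info["peer_name"] = packet[8 + count:].decode("ascii", "replace")
    return info


if __name__ == "__main__":
    print(parse_eap(dump_to_bytes(EAP_MESSAGE_DUMP)))
    print(parse_eap(dump_to_bytes("<3><6><0><4>")))   # the Access-Challenge reply
```

The second call decodes the `<3><6><0><4>` EAP-Message from the Access-Challenge in the log: an EAP-Success for identifier 6, which is the step of LEAP where the server has accepted the client's response and waits for the peer's own challenge, matching the "Wait for peer challenge" lines.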


Re: [RADIATOR] AuthBy FILE

2013-08-06 Thread Alan Buxey
Hi

No response from the client.  What do you see on the client? Windows clients 
are fussy about their certificates (in that the cert needs to have particular 
attributes); does your cert match the requirements?


alan

Re: [RADIATOR] AuthBy DIAMETER

2013-08-05 Thread Stefan Winter
Hi,

> We are now preparing initial release of Radius to Diameter translation 
> gateway for Radiator.  Currently we have implemented limited support for 
> DIAMETER base RFC 6377 and full support for NASREQ RFC 4005.

You should probably not care about RFC4005 any more. Its successor is
almost ready, and was specifically created to address major deficiencies
in RFC4005. The deficiencies were to such an extent that common belief
in the IETF is "nobody uses this".

See here for the successor draft spec:

http://datatracker.ietf.org/doc/draft-ietf-dime-rfc4005bis/

> Our implementation is ready for public beta testing and we are looking 
> for volunteers for testing our translation gateway.
> 
> If you are willing to test our Radius to Diameter translation gateway, 
> please reply directly to me and tell me about your intended test 
> environment and test plans.

Out of curiosity: one of the many problems of RFC4005 was that it was
syntactically impossible to translate a Diameter attribute of length
>253 Bytes into a RADIUS attribute; for obvious reasons.

RADIUS has meanwhile specified "long" attributes, making this
translation possible. Does your Diameter gateway already include support
for extended RADIUS attributes? I'm speaking of RFC6929:

http://datatracker.ietf.org/doc/rfc6929/

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




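As an added example (not part of the thread, and not the gateway's code), here is how the RFC 6929 "Long Extended Type" attributes Stefan refers to carry a value longer than the classic 253-octet limit: the value is split into contiguous fragments chained with the M ("More") flag, and the receiver reassembles them. The 512-octet sample value is constructed for the example.

```python
"""Added example (not from the thread, not the gateway's code): RFC 6929
"Long Extended Type" attributes (Type 245/246) carry a value longer than
the classic 253-octet limit by splitting it into fragments that are
chained with the M ("More") flag and reassembled by the receiver."""

LONG_EXTENDED_TYPES = (245, 246)
CLASSIC_MAX_VALUE = 253      # Type + Length octets leave 253 for the value
FRAGMENT_MAX_VALUE = 251     # Type, Length, Extended-Type, Flags take 4 of 255
FLAG_MORE = 0x80             # M bit in the Flags octet; other bits reserved


def encode_long_extended(attr_type: int, ext_type: int, value: bytes) -> bytes:
    """Encode value as one or more contiguous Long Extended Type fragments."""
    if attr_type not in LONG_EXTENDED_TYPES:
        raise ValueError("attribute type %d is not a Long Extended Type" % attr_type)
    if not 1 <= ext_type <= 255:
        raise ValueError("Extended-Type must be 1..255")
    chunks = [value[i:i + FRAGMENT_MAX_VALUE]
              for i in range(0, len(value), FRAGMENT_MAX_VALUE)] or [b""]
    out = bytearray()
    for i, chunk in enumerate(chunks):
        flags = FLAG_MORE if i < len(chunks) - 1 else 0   # M set on all but the last
        out += bytes([attr_type, 4 + len(chunk), ext_type, flags]) + chunk
    return bytes(out)


def decode_attributes(data: bytes) -> list:
    """Walk a RADIUS attribute list, reassembling Long Extended Type fragments.

    Returns [(type, extended_type_or_None, value)]. Raises ValueError on a
    truncated header, a bad Length, a fragment chain interrupted by another
    attribute, or a chain that never ends (missing final fragment).
    """
    attrs, pos, partial = [], 0, None   # partial = (type, ext_type, bytearray)
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header at offset %d" % pos)
        attr_type, length = data[pos], data[pos + 1]
        if length < 2 or pos + length > len(data):
            raise ValueError("bad Length %d at offset %d" % (length, pos))
        body = data[pos + 2:pos + length]
        pos += length
        if attr_type in LONG_EXTENDED_TYPES:
            if length < 5:
                raise ValueError("Long Extended Type attribute shorter than 5 octets")
            ext_type, flags, chunk = body[0], body[1], body[2:]
            if partial is not None and partial[:2] != (attr_type, ext_type):
                raise ValueError("fragments of different attributes interleaved")
            if partial is None:
                partial = (attr_type, ext_type, bytearray())
            partial[2].extend(chunk)
            if not flags & FLAG_MORE:            # last fragment: emit the whole value
                attrs.append((attr_type, ext_type, bytes(partial[2])))
                partial = None
            continue
        if partial is not None:
            raise ValueError("fragment chain interrupted by attribute type %d" % attr_type)
        attrs.append((attr_type, None, body))
    if partial is not None:
        raise ValueError("missing final fragment (M flag still set)")
    return attrs


def fits_classic_attribute(value: bytes) -> bool:
    """True when the value fits a classic RADIUS attribute; anything longer
    (such as a 253+ octet Diameter AVP) needs RFC 6929 fragmentation."""
    return len(value) <= CLASSIC_MAX_VALUE
```
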
Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests

2013-07-14 Thread Karl Gaissmaier
Am 14.07.2013 11:35, schrieb Heikki Vatiainen:
> On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:
>
>> it's sunday, really I can wait for answers from your
>> team after weekend ;-)
>
> Heh, I thought I'd save you some work since I understood you were going
> to work on the debug log and PacketTrace patch.
>
> The Proxy-State mangling is a bit problematic, though. This attribute is
> the only identifier that currently maps responses to requests with
> RadSec. If the other proxies mangle it, it would be essential to find
> and fix them.

sure, but it's a problem to show the mangled/stripped attr if I can't
decode it. It's just a suspicion, but I have to prove it to force my
upstream proxy (German research network) to look into the config and
raise the debug level, sorry.

Maybe for debug traces in case of unknown replies, you could use 
heuristic mappings, since the last 8-Bits of the packet Identifier
should match a pending extended-id from a request.

And you know the host and port from the sender.

I don't know your datastructure in detail where you queue
pending requests, but maybe you can narrow this heuristically
for debugging.

Best Regards
Charly

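The matching problem discussed above, as an added example (not Radiator's code): the 8-bit RADIUS Identifier wraps after 256 outstanding requests, so the full extended id has to travel in Proxy-State, and once an upstream proxy strips or mangles that attribute, only the Identifier's low 8 bits plus the source host/port are left for the heuristic Karl suggests. The "xid:<decimal>" Proxy-State encoding is an assumption made for this example, not Radiator's wire format.

```python
"""Added example (not Radiator's code): how replies are mapped back to
requests when more than 256 are outstanding, and what is left to go on
when an upstream proxy strips or mangles the Proxy-State that carries
the extended id. The Proxy-State encoding below ("xid:<decimal>") is an
assumption made for this example, not Radiator's wire format."""
import logging
from dataclasses import dataclass, field

log = logging.getLogger("extended-ids")

PROXY_STATE_PREFIX = b"xid:"   # constructed encoding, see module docstring


@dataclass
class Pending:
    ext_id: int     # extended id; only ext_id & 0xFF fits the Identifier field
    host: str       # upstream server the request went to
    port: int


@dataclass
class ReplyMatcher:
    pending: dict = field(default_factory=dict)   # ext_id -> Pending
    next_id: int = 0

    def register(self, host: str, port: int) -> tuple:
        """Queue a proxied request; returns (Identifier, Proxy-State value)."""
        ext_id = self.next_id
        self.next_id += 1
        self.pending[ext_id] = Pending(ext_id, host, port)
        # The 8-bit Identifier wraps every 256 requests, so the full id
        # rides in Proxy-State, which RFC 2865 requires the upstream to echo.
        return ext_id & 0xFF, PROXY_STATE_PREFIX + str(ext_id).encode()

    def match(self, identifier: int, proxy_states: list, host: str, port: int) -> tuple:
        """Map a reply to its request.

        Returns ("proxy-state", Pending) on an exact match (and removes it
        from the queue), ("heuristic", [ext_ids]) when Proxy-State is missing
        or unusable and only Identifier plus source host/port remain, or
        ("unknown", []) when nothing fits.
        """
        for ps in proxy_states:
            if not ps.startswith(PROXY_STATE_PREFIX):
                continue                     # some other proxy's Proxy-State
            try:
                ext_id = int(ps[len(PROXY_STATE_PREFIX):])
            except ValueError:
                log.warning("mangled Proxy-State %r in reply from %s:%d", ps, host, port)
                continue
            p = self.pending.get(ext_id)
            if p and (p.host, p.port) == (host, port) and ext_id & 0xFF == identifier:
                return "proxy-state", self.pending.pop(ext_id)
        # Fallback: every pending request to this host/port whose extended id
        # has the same low 8 bits is a candidate. Once more than 256 are
        # outstanding this is ambiguous, so it only narrows a debug dump and
        # never consumes a pending request.
        candidates = sorted(
            p.ext_id for p in self.pending.values()
            if p.ext_id & 0xFF == identifier and (p.host, p.port) == (host, port)
        )
        if candidates:
            log.warning("Proxy-State stripped or mangled: reply id %d from %s:%d "
                        "could belong to extended ids %s", identifier, host, port, candidates)
            return "heuristic", candidates
        return "unknown", []
```
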

Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests

2013-07-14 Thread Karl Gaissmaier
Hi Heikki,

Am 14.07.2013 11:35, schrieb Heikki Vatiainen:
> On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:
>
>> it's sunday, really I can wait for answers from your
>> team after weekend ;-)
>
> Heh, I thought I'd save you some work since I understood you were going
> to work on the debug log and PacketTrace patch.

yep, you saved my (sun)day

>
> The Proxy-State mangling is a bit problematic, though. This attribute is
> the only identifier that currently maps responses to requests with
> RadSec. If the other proxies mangle it, it would be essential to find
> and fix them.

And with RADSEC it's important to dump unknown replies, since the 
packets are encrypted on wire and without the private-key of the
upstream proxy I can't decipher it. I need the dumps from Radiator
in the case of 'Unknown replies' even if the attr-values can't be
decoded.

Best Regards and thanks in advance
 Charly


Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests

2013-07-14 Thread Heikki Vatiainen
On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:

> it's sunday, really I can wait for answers from your
> team after weekend ;-)

Heh, I thought I'd save you some work since I understood you were going
to work on the debug log and PacketTrace patch.

The Proxy-State mangling is a bit problematic, though. This attribute is
the only identifier that currently maps responses to requests with
RadSec. If the other proxies mangle it, it would be essential to find
and fix them.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests

2013-07-14 Thread Karl Gaissmaier
Hi Heikki,

it's sunday, really I can wait for answers from your
team after weekend ;-)

Am 14.07.2013 10:54, schrieb Heikki Vatiainen:
> On 07/14/2013 11:30 AM, Karl Gaissmaier wrote:
>
>> Please fix this, if you UseExtendedIds in AuthBy RADIUS you should
>> always WARN if the Proxy-State is stripped or mangled.
>
> Good point. It's a good idea to make this separate from getting an unknown
> reply, which is currently logged for both cases.
>
>> And sure, we need better packet dumps in this case to see the
>> sent/missing/mangled attributes in the reply packet.
>
> We are actually working on this now. There will be two changes at least:
> - enable PacketTrace for requests received from AuthBy RADIUS and RADSEC
> - see that packet dump is called so that any Log ... within AuthBy etc.
> module will be called instead of the dump going just to the main log file

Thanks for Radiator and for this excellent service!


Best Regards
Charly

-- 
Karl Gaissmaier
Universität Ulm / Germany


Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests

2013-07-14 Thread Heikki Vatiainen
On 07/14/2013 11:30 AM, Karl Gaissmaier wrote:

> Please fix this, if you UseExtendedIds in AuthBy RADIUS you should
> always WARN if the Proxy-State is stripped or mangled.

Good point. It's a good idea to make this separate from getting an unknown
reply, which is currently logged for both cases.

> And sure, we need better packet dumps in this case to see the
> sent/missing/mangled attributes in the reply packet.

We are actually working on this now. There will be two changes at least:
- enable PacketTrace for requests received from AuthBy RADIUS and RADSEC
- see that packet dump is called so that any Log ... within AuthBy etc.
module will be called instead of the dump going just to the main log file

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-13 Thread Heikki Vatiainen
On 09/13/2012 10:24 PM, Craig Simons wrote:
> Gaah! You're right. In my mind I was referencing examples of querying AD
> via LDAP, which would obviously not apply in this case.

I thought I'd check this before you do too much work :)

> 1)  I would imagine it would only be an authby group where you'd query
> the user in AD and ContinueWhileAccept into an LDAP lookup that would
> look for the user in the tree. It would seem that each authentication
> event would require a lookup to 2 different servers, which in a busy
> production environment, I'm not sure it's worth the latency and
> complication. 

It might not be that bad. When thinking of e.g., PEAP and EAP-MSCHAP-V2,
you would get one LDAP lookup for each full PEAP authentication. There are
multiple messages for inner EAP-MSCHAP-V2, but you would only need to do
the LDAP lookup when the inner LSA returns accept. This could be handled with
ContinueWhileAccept.

Based on what you wrote about option 2, I gather what would be
sufficient is an LDAP lookup to check the user exists. The BaseDN would be
set to exclude projects and such. This would be easy to do with the
NoCheckPassword option.

> 2) Our AD environment, like many others, delegates permissions to
> multiple administrators who all have different areas of responsibility.
> In ours, administrators can create local accounts in their OUs for their
> own projects, etc. However, all of our students/staff/etc live in a more
> tightly controlled OU that is administered centrally. We'd like to
> contain Radius look ups to this container, but it would appear that we'd
> need to add everyone into a default group. I have no idea what the
> implications are for this, so I'm not sure if it's a non-starter or not.

So the user would have to be under the tightly controlled OU which would
be the BaseDN in AuthBy LDAP2. However, if there's already a group for
centrally administered users, maybe that could be used for LSA Group check.

> I'll have to go back and think about this some more.

Please let us know how this gets solved.

Thanks,
Heikki



-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-13 Thread Craig Simons
Gaah! You're right. In my mind I was referencing examples of querying AD via 
LDAP, which would obviously not apply in this case. I suppose there is no 
current functionality for doing this simply. As per your previous suggestions:

1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if
the user has a DN (location in the tree) with allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.

2. Create a new group and place all users that are not allowed to use
wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of blacklisted group,
access would not be allowed.

1) I would imagine it would only be an authby group where you'd query the user 
in AD and ContinueWhileAccept into an LDAP lookup that would look for the user 
in the tree. It would seem that each authentication event would require a 
lookup to 2 different servers, which in a busy production environment, I'm not 
sure it's worth the latency and complication. 


2) Our AD environment, like many others, delegates permissions to multiple 
administrators who all have different areas of responsibility . In ours, 
administrators can create local accounts in their OUs for their own projects, 
etc. However, all of our students/staff/etc live in a more tightly controlled 
OU that is administered centrally. We'd like to contain Radius look ups to this 
container, but it would appear that we'd need to add everyone into a default 
group. I have no idea what the implications are for this, so I'm not sure if 
it's a non-starter or not. 


I'll have to go back and think about this some more. 


Regards, 
Craig 

- Original Message -

From: "Heikki Vatiainen"  
To: "Craig Simons"  
Cc: [email protected] 
Sent: Thursday, 13 September, 2012 11:58:50 
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN 

On 09/13/2012 08:31 PM, Craig Simons wrote: 

> Thanks for the reply Heikki. I think in this case, it would probably be 
> easier to just migrate our Radiator deployment to Linux and use the NTLM 
> module. 

Before you start, can you tell how you were planning to configure AuthBy 
NTLM? You can give ntlm_auth some options, such as 
--require-membership-of but I'm not sure if that would be any different 
than using Group option with LSA. 

Thanks, 
Heikki 

-- 
Heikki Vatiainen  

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc. 


Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-13 Thread Heikki Vatiainen
On 09/13/2012 08:31 PM, Craig Simons wrote:

> Thanks for the reply Heikki. I think in this case, it would probably be
> easier to just migrate our Radiator deployment to Linux and use the NTLM
> module.

Before you start, can you tell how you were planning to configure AuthBy
NTLM? You can give ntlm_auth some options, such as
--require-membership-of but I'm not sure if that would be any different
than using Group option with LSA.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-13 Thread Craig Simons
Thanks for the reply Heikki. I think in this case, it would probably be easier 
to just migrate our Radiator deployment to Linux and use the NTLM module. 


- Craig 




SFU SIMON FRASER UNIVERSITY 
Network Services 

Craig Simons 
Network and Systems Administrator 

Phone: 778-782-8036 
Cell: 604-649-7977 
Email: [email protected] 
Twitter: simonscraig 

- Original Message -

From: "Heikki Vatiainen"  
To: "Craig Simons"  
Cc: [email protected] 
Sent: Thursday, 13 September, 2012 05:53:40 
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN 

On 09/12/2012 08:03 PM, Craig Simons wrote: 

> Basically, our AD permission structure is such that not all OU 
> containers are "trusted" enough to allow wireless authentication. So, I 
> only want to allow authentication based on user entries in a specific OU 
> as opposed to users who are members of a group (not quite the same thing 
> I'm led to believe). 

Yes, I think these are different things. The LDAP tree structure AD uses 
tells where the users can be found and the user then has e.g., group 
membership as attribute. 

> We (currently) run Radiator on Windows servers and therefore use the LSA 
> module for AD authentication. The manual doesn't have any specific 
> configuration options for this module that appear to be able to limit 
> searches. 

The AD directory tree structure is not visible via LSA API. We thought 
about two options: 
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if 
the user has a DN (location in the tree) with allowed OU component. This 
does require configuration work and maybe hooks too, but should be possible. 

2. Create a new group and place all users that are not allowed to use 
wireless LAN in that group. We could then add 'BlacklistGroup' 
functionality in AuthBy LSA. If a user is a member of blacklisted group, 
access would not be allowed. 

Do you think option 2 would solve your problem? 

Thanks, 
Heikki 

-- 
Heikki Vatiainen  

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc. 


Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-13 Thread Heikki Vatiainen
On 09/12/2012 08:03 PM, Craig Simons wrote:

> Basically, our AD permission structure is such that not all OU
> containers are "trusted" enough to allow wireless authentication. So, I
> only want to allow authentication based on user entries in a specific OU
> as opposed to users who are members of a group (not quite the same thing
> I'm led to believe).

Yes, I think these are different things. The LDAP tree structure AD uses
tells where the users can be found and the user then has e.g., group
membership as attribute.

> We (currently) run Radiator on Windows servers and therefore use the LSA
> module for AD authentication. The manual doesn't have any specific
> configuration options for this module that appear to be able to limit
> searches.

The AD directory tree structure is not visible via LSA API. We thought
about two options:
1. Use AuthBy LDAP2 and AuthBy LSA. LDAP check is done first to see if
the user has a DN (location in the tree) with allowed OU component. This
does require configuration work and maybe hooks too, but should be possible.

2. Create a new group and place all users that are not allowed to use
wireless LAN in that group. We could then add 'BlacklistGroup'
functionality in AuthBy LSA. If a user is a member of blacklisted group,
access would not be allowed.

Do you think option 2 would solve your problem?

Thanks,
Heikki

-- 
Heikki Vatiainen 


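As an added illustration of option 1 above (checking that the user's DN lies under the allowed OU), and of the BaseDN-limited existence check Heikki describes later in the thread: this is the DN comparison such a hook would need. It is not Radiator's code or anyone's from the thread, and the DNs are constructed for the example. It resolves RFC 4514 escaping and compares RDN by RDN, so case, spacing and an escaped comma inside a CN do not fool the check, and an OU that a delegated admin happened to name "Central" somewhere under Projects is not mistaken for the centrally administered one.

```python
"""Added example, not from the thread or Radiator: deciding whether a user
sits under an allowed OU by comparing the user's DN against the allowed
base DN component by component. All DN values are constructed."""

_SPECIALS = set('",=+<>;\\# ')
_HEX = set("0123456789abcdefABCDEF")


def split_rdns(dn: str) -> list:
    """Split a DN string into its RDN strings on unescaped commas (RFC 4514).

    Backslash escapes (\\, and \\2C style hex pairs) are resolved so that a
    comma inside a CN value does not start a new component. Multi-valued RDNs
    (joined with '+') are kept as one string.
    """
    parts, cur, i = [], [], 0
    while i < len(dn):
        c = dn[i]
        if c == "\\":
            nxt = dn[i + 1:i + 2]
            if nxt and nxt in _SPECIALS:
                cur.append(nxt)
                i += 2
                continue
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                cur.append(chr(int(pair, 16)))   # single-byte hex escape only
                i += 3
                continue
            raise ValueError("dangling backslash in DN")
        if c == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    parts.append("".join(cur))
    return parts


def parse_dn(dn: str) -> list:
    """Return [(attribute_type, value)] from the leaf RDN outward, with types
    lower-cased and values case-folded, since AD matches DNs case-insensitively."""
    rdns = []
    for rdn in split_rdns(dn):
        if "=" not in rdn:
            raise ValueError("RDN without '=': %r" % rdn)
        t, v = rdn.split("=", 1)
        rdns.append((t.strip().lower(), v.strip().casefold()))
    if any(not t for t, _ in rdns):
        raise ValueError("empty attribute type in DN")
    return rdns


def is_under(dn: str, base_dn: str) -> bool:
    """True when dn is strictly below base_dn: the base's RDNs must be the
    trailing RDNs of the user's DN, matched one component at a time, so a
    substring match elsewhere in the DN does not count."""
    user, base = parse_dn(dn), parse_dn(base_dn)
    return len(user) > len(base) and user[-len(base):] == base
```
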

Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-12 Thread Craig Simons
Unfortunately, my knowledge of the intricacies of AD is limited, so I hope I 
can properly explain what I want to achieve. 


Basically, our AD permission structure is such that not all OU containers are 
"trusted" enough to allow wireless authentication. So, I only want to allow 
authentication based on user entries in a specific OU as opposed to users who 
are members of a group (not quite the same thing I'm led to believe). 


We (currently) run Radiator on Windows servers and therefore use the LSA module 
for AD authentication. The manual doesn't have any specific configuration 
options for this module that appear to be able to limit searches. 


Regards, 
Craig 




- Original Message -

From: "Heikki Vatiainen"  
To: [email protected] 
Sent: Wednesday, 12 September, 2012 06:17:19 
Subject: Re: [RADIATOR] AuthBy LSA and BaseDN 

On 09/12/2012 03:16 AM, Craig Simons wrote: 

> The AuthBy LSA module section of the manual does not specify the 
> ability to limit searches to a particular OU, only groups. The NTLM 
> module appears to allow and BaseDN parameter. Is there a way the 
> AuthBy LSA modules could do the same thing? 

Do you want to limit the searches to subtrees like BaseDN does? This 
would likely be good for performance and easier for authentication 
related AD searches. Part of your message is missing something so I'm 
guessing a little here. 

Thanks, 
Heikki 

-- 
Heikki Vatiainen  

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, 
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc. 
___ 
radiator mailing list 
[email protected] 
http://www.open.com.au/mailman/listinfo/radiator 


Re: [RADIATOR] AuthBy LSA and BaseDN

2012-09-12 Thread Heikki Vatiainen
On 09/12/2012 03:16 AM, Craig Simons wrote:

> The AuthBy LSA module section of the manual does not specify the
> ability to limit searches to a particular OU, only groups. The NTLM
> module appears to allow and BaseDN parameter. Is there a way the
> AuthBy LSA modules could do the same thing?

Do you want to limit the searches to subtrees like BaseDN does? This
would likely be good for performance and easier for authentication
related AD searches. Part of your message is missing something so I'm
guessing a little here.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy SQLTOTP doc bugs

2012-08-23 Thread Mike McCauley
Hi Roy,


On Wednesday, August 22, 2012 04:26:34 PM Roy Badami wrote:
> While playing with the AuthBy SQLTOTP module, I came across a couple of
> errors in the documentation of the AuthSelect parameter (section 5.82.2
> of the reference manual).
> 
> * The description and default query are missing field 6
> (last_timestep).  This is particularly unfortunate, because if you use
> the query from the documentation,  or a similar query based on it that
> omits field 6, then you lose replay protection.  (The actual default
> query in AuthSQLTOTP.pm is correct, however.)

Fixed for the next release.

> 
> * The documentation describes field 0 as the HEX encoded AES secret.  In
> fact, TOTP does not use AES, it uses HMAC-SHA1.

Fixed for the next release.

> 
> The SQLHOTP doc contains the same error re AES - I haven't verified the
> query in the doc as I've not played with that module.

Fixed for the next release.
Also updated the examples in goodies in the latest patch set.

Thanks for reporting these.

Cheers.

> 
> Regards
> 
> roy
-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070



Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

2012-06-27 Thread Michael
You could use GENERIC as Heikki suggested, but still have separate rows in 
your SQL table and use SQL to join all the results and apply the attribute names.  
For MySQL, GROUP_CONCAT:



mysql> select * from temp;
+----+------------+-------------+
| id | Server     | Password    |
+----+------------+-------------+
|  5 | 172.16.1.1 | tunnelpass1 |
|  6 | 172.16.1.2 | tunnelpass2 |
|  7 | 172.16.1.3 | tunnelpass3 |
+----+------------+-------------+
3 rows in set (0.00 sec)

mysql> select GROUP_CONCAT(CONCAT('Tunnel-Server-Endpoint=', Server) ORDER BY id) AS Servers,
    ->        GROUP_CONCAT(CONCAT('Tunnel-Password=', Password) ORDER BY id) AS Passwords
    -> from temp;
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
| Servers                                                                                               | Passwords                                                                           |
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
| Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2,Tunnel-Server-Endpoint=172.16.1.3 | Tunnel-Password=tunnelpass1,Tunnel-Password=tunnelpass2,Tunnel-Password=tunnelpass3 |
+-------------------------------------------------------------------------------------------------------+-------------------------------------------------------------------------------------+
1 row in set (0.00 sec)


Michael





On 12-06-26 07:33 AM, Heikki Vatiainen wrote:
> On 06/26/2012 12:28 PM, Jim Tyrrell wrote:
>> At the moment I just have a single very simple table that I am testing
>> with, 2 columns 'Endpoint'&  'Password' with 2 rows in the table for 2
>> different Tunnel endpoints.
>
> How about changing the config to use GENERIC:
>
> AuthColumnDef   0,GENERIC,reply
> AuthColumnDef   1,GENERIC,reply
>
> The DB would then have Endpoint and Password columns with values like these:
>
> Endpoint column for row n:
> Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2
> Password column for row n:
> Tunnel-Password="tunnelpass1",Tunnel-Password="tunnelpass2"
>
> With GENERIC you could actually put all reply attributes into the same
> column but that would likely make maintaining the values harder.
>
> With Hugh's solution you could get rid of repeating the attribute names
> and storing just the values.
>
> Heikki
>
>
>> I could have multiple columns for the multiple tunnels, but then if I
>> wanted to add or remove tunnels I would need to update the Radiator
>> query each time to add/remove the extra AuthAttrDefs, but I'd like the
>> flexibility to just add/remove entries to the SQL table without having
>> to change the Radiator config.
>>
>> ie - if I have one tunnel in the table then the handler needs to return:
>>
>> Code:   Access-Accept
>> Tunnel-Server-Endpoint = 172.16.1.1
>> Tunnel-Password = "tunnelpass"
>>
>> And if an extra entry is added to the table then return the following
>> format:
>>
>> Code:   Access-Accept
>> Tunnel-Server-Endpoint = 172.16.1.1
>> Tunnel-Password = "tunnelpass"
>> Tunnel-Server-Endpoint = 172.16.1.2
>> Tunnel-Password = "tunnelpass2"
>>
>>
>> If I was able to use LDAP I could just have an object such as:
>>
>> uid=TunnelEndPoints
>> tunnelip=172.16.0.1
>> tunnelip=172.16.0.2
>> tunnelpass=blah1
>> tunnelpass=blah2
>>
>> And then use an AuthBy LDAP including the following:
>>
>>   AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
>>   AuthAttrDef tunnelpass,Tunnel-Password,reply
>>
>>
>> Is there not an equivalent of this for MySQL authentication?  How do
>> people store multiple attributes such as Framed-Route in MySQL and then
>> return multiple instances of this when they exist? (The examples above
>> would actually be returned as tagged attributes but I can worry about
>> that later).
>>
>> Thanks.
>>
>> Jim.
>>
>>
>> On 25/06/2012 18:05, Michael wrote:
>>>
>>> I seem to remember reading somewhere in the Radiator manual that it
>>> will only process the first sql row received therefore I don't think
>>> it will process multiple row results.  I can't seem to find in the
>>> manual where i read that though. On the other hand, you could have all
>>> reply values on the same row in the table, or create an sql statement
>>> that returns them all on one row.
>>>
>>> What is your sql table structure?  multiple tables?
>>>
>>> mike
>>>
>>>
>>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
 Hi,

 Is it possible for AuthBy SQL to return multiple attributes if the query
 returns multiple rows?


Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

2012-06-26 Thread Heikki Vatiainen
On 06/26/2012 12:28 PM, Jim Tyrrell wrote:
> At the moment I just have a single very simple table that I am testing 
> with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
> different Tunnel endpoints.

How about changing the config to use GENERIC:

   AuthColumnDef   0,GENERIC,reply
   AuthColumnDef   1,GENERIC,reply

The DB would then have Endpoint and Password columns with values like these:

Endpoint column for row n:
Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Server-Endpoint=172.16.1.2
Password column for row n:
Tunnel-Password="tunnelpass1",Tunnel-Password="tunnelpass2"

With GENERIC you could actually put all reply attributes into the same
column but that would likely make maintaining the values harder.

With Hugh's solution you could get rid of repeating the attribute names
and storing just the values.

Heikki


> I could have multiple columns for the multiple tunnels, but then if I 
> wanted to add or remove tunnels I would need to update the Radiator 
> query each time to add/remove the extra AuthAttrDefs, but I'd like the 
> flexibility to just add/remove entries to the SQL table without having 
> to change the Radiator config.
> 
> ie - if I have one tunnel in the table then the handler needs to return:
> 
> Code:   Access-Accept
>Tunnel-Server-Endpoint = 172.16.1.1
>Tunnel-Password = "tunnelpass"
> 
> And if an extra entry is added to the table then return the following 
> format:
> 
> Code:   Access-Accept
>Tunnel-Server-Endpoint = 172.16.1.1
>Tunnel-Password = "tunnelpass"
>Tunnel-Server-Endpoint = 172.16.1.2
>Tunnel-Password = "tunnelpass2"
> 
> 
> If I was able to use LDAP I could just have an object such as:
> 
> uid=TunnelEndPoints
> tunnelip=172.16.0.1
> tunnelip=172.16.0.2
> tunnelpass=blah1
> tunnelpass=blah2
> 
> And then use an AuthBy LDAP including the following:
> 
>  AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
>  AuthAttrDef tunnelpass,Tunnel-Password,reply
> 
> 
> Is there not an equivalent of this for MySQL authentication?  How do 
> people store multiple attributes such as Framed-Route in MySQL and then 
> return multiple instances of this when they exist? (The examples above 
> would actually be returned as tagged attributes but I can worry about 
> that later).
> 
> Thanks.
> 
> Jim.
> 
> 
> On 25/06/2012 18:05, Michael wrote:
>>
>> I seem to remember reading somewhere in the Radiator manual that it 
>> will only process the first sql row received therefore I don't think 
>> it will process multiple row results.  I can't seem to find in the 
>> manual where i read that though. On the other hand, you could have all 
>> reply values on the same row in the table, or create an sql statement 
>> that returns them all on one row.
>>
>> What is your sql table structure?  multiple tables?
>>
>> mike
>>
>>
>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>>> Hi,
>>>
>>> Is it possible for AuthBy SQL to return multiple attributes if the query
>>> returns multiple rows?
>>>
>>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>>> with the following simplified config:
>>>
>>> <AuthBy SQL>
>>>   DBSource dbi:mysql:databasename:192.168.10.3
>>>   DBUsername  DBuser
>>>   DBAuth  DBPass
>>>   AuthSelect SELECT Endpoint, Password FROM endpoints
>>>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>>   AuthColumnDef   1,Tunnel-Password,reply
>>> </AuthBy>
>>>
>>> This works fine at the moment as I only have 1 row in the table which
>>> represents 1 endpoint.  But I now want to return multiple endpoints so
>>> the Access-Accept would be something along the lines of:
>>>
>>> Code:   Access-Accept
>>> Attributes:
>>>   Tunnel-Server-Endpoint = 172.16.1.1
>>>   Tunnel-Password = "tunnelpass"
>>>   Tunnel-Server-Endpoint = 172.16.1.2
>>>   Tunnel-Password = "tunnelpass2"
>>>
>>> I had hoped to just add a 2nd row to the table, but the handler just
>>> returns the values from the 1st row of the result.  I'd like to be able
>>> to return additional attributes for each row returned so I can easily
>>> add/remove more endpoints to the table as and when I need to.
>>>
>>> Thanks.
>>>
>>> Jim.
>>> ___
>>> radiator mailing list
>>> [email protected]
>>> http://www.open.com.au/mailman/listinfo/radiator
>>>
>>>
> 
> 
> ___
> radiator mailing list
> [email protected]
> http://www.open.com.au/mailman/listinfo/radiator


-- 
Heikki Vatiainen 


Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

2012-06-26 Thread Hugh Irvine

Hello Jim -

I generally do this sort of thing in a hook, using a "dummy" AuthBy SQL clause 
to operate against.

Doing it this way allows you to use all of the normal Radiator code to do most 
of the heavy lifting.

There are a number of examples doing similar things in "goodies/hooks.txt" that 
should give you the general idea.

regards

Hugh


On 26 Jun 2012, at 19:28, Jim Tyrrell wrote:

> At the moment I just have a single very simple table that I am testing 
> with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
> different Tunnel endpoints.
> 
> I could have multiple columns for the multiple tunnels, but then if I 
> wanted to add or remove tunnels I would need to update the Radiator 
> query each time to add/remove the extra AuthAttrDefs, but I'd like the 
> flexibility to just add/remove entries to the SQL table without having 
> to change the Radiator config.
> 
> ie - if I have one tunnel in the table then the handler needs to return:
> 
> Code:   Access-Accept
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
> 
> And if an extra entry is added to the table then return the following 
> format:
> 
> Code:   Access-Accept
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
>   Tunnel-Server-Endpoint = 172.16.1.2
>   Tunnel-Password = "tunnelpass2"
> 
> 
> If I was able to use LDAP I could just have an object such as:
> 
> uid=TunnelEndPoints
> tunnelip=172.16.0.1
> tunnelip=172.16.0.2
> tunnelpass=blah1
> tunnelpass=blah2
> 
> And then use an AuthBy LDAP including the following:
> 
> AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
> AuthAttrDef tunnelpass,Tunnel-Password,reply
> 
> 
> Is there not an equivalent of this for MySQL authentication?  How do 
> people store multiple attributes such as Framed-Route in MySQL and then 
> return multiple instances of this when they exist? (The examples above 
> would actually be returned as tagged attributes but I can worry about 
> that later).
> 
> Thanks.
> 
> Jim.
> 
> 
> On 25/06/2012 18:05, Michael wrote:
>> 
>> I seem to remember reading somewhere in the Radiator manual that it 
>> will only process the first sql row received therefore I don't think 
>> it will process multiple row results.  I can't seem to find in the 
>> manual where I read that though. On the other hand, you could have all 
>> reply values on the same row in the table, or create an sql statement 
>> that returns them all on one row.
>> 
>> What is your sql table structure?  multiple tables?
>> 
>> mike
>> 
>> 
>> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>>> Hi,
>>> 
>>> Is it possible for AuthBy SQL to return multiple attributes if the query
>>> returns multiple rows?
>>> 
>>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>>> with the following simplified config:
>>> 
>>> 
>>>  DBSource dbi:mysql:databasename:192.168.10.3
>>>  DBUsername  DBuser
>>>  DBAuth  DBPass
>>>  AuthSelect SELECT Endpoint, Password FROM endpoints
>>>  AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>>  AuthColumnDef   1,Tunnel-Password,reply
>>> 
>>> 
>>> This works fine at the moment as I only have 1 row in the table which
>>> represents 1 endpoint.  But I now want to return multiple endpoints so
>>> the Access-Accept would be something along the lines of:
>>> 
>>> Code:   Access-Accept
>>> Attributes:
>>>  Tunnel-Server-Endpoint = 172.16.1.1
>>>  Tunnel-Password = "tunnelpass"
>>>  Tunnel-Server-Endpoint = 172.16.1.2
>>>  Tunnel-Password = "tunnelpass2"
>>> 
>>> I had hoped to just add a 2nd row to the table, but the handler just
>>> returns the values from the 1st row of the result.  I'd like to be able
>>> to return additional attributes for each row returned so I can easily
>>> add/remove more endpoints to the table as and when I need to.
>>> 
>>> Thanks.
>>> 
>>> Jim.
>>> 
>>> 
> 
> 


--

Hugh Irvine
[email protected]




Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

2012-06-26 Thread Jim Tyrrell
At the moment I just have a single very simple table that I am testing 
with, 2 columns 'Endpoint' & 'Password' with 2 rows in the table for 2 
different Tunnel endpoints.

I could have multiple columns for the multiple tunnels, but then if I 
wanted to add or remove tunnels I would need to update the Radiator 
query each time to add/remove the extra AuthAttrDefs, but I'd like the 
flexibility to just add/remove entries to the SQL table without having 
to change the Radiator config.

i.e. if I have one tunnel in the table then the handler needs to return:

Code:   Access-Accept
   Tunnel-Server-Endpoint = 172.16.1.1
   Tunnel-Password = "tunnelpass"

And if an extra entry is added to the table then return the following 
format:

Code:   Access-Accept
   Tunnel-Server-Endpoint = 172.16.1.1
   Tunnel-Password = "tunnelpass"
   Tunnel-Server-Endpoint = 172.16.1.2
   Tunnel-Password = "tunnelpass2"


If I was able to use LDAP I could just have an object such as:

uid=TunnelEndPoints
tunnelip=172.16.0.1
tunnelip=172.16.0.2
tunnelpass=blah1
tunnelpass=blah2

And then use an AuthBy LDAP including the following:

 AuthAttrDef tunnelip,Tunnel-Server-Endpoint,reply
 AuthAttrDef tunnelpass,Tunnel-Password,reply


Is there not an equivalent of this for MySQL authentication?  How do 
people store multiple attributes such as Framed-Route in MySQL and then 
return multiple instances of this when they exist? (The examples above 
would actually be returned as tagged attributes but I can worry about 
that later).

Thanks.

Jim.


On 25/06/2012 18:05, Michael wrote:
>
> I seem to remember reading somewhere in the Radiator manual that it 
> will only process the first sql row received therefore I don't think 
> it will process multiple row results.  I can't seem to find in the 
> manual where I read that though. On the other hand, you could have all 
> reply values on the same row in the table, or create an sql statement 
> that returns them all on one row.
>
> What is your sql table structure?  multiple tables?
>
> mike
>
>
> On 12-06-25 08:52 AM, Jim Tyrrell wrote:
>> Hi,
>>
>> Is it possible for AuthBy SQL to return multiple attributes if the query
>> returns multiple rows?
>>
>> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
>> with the following simplified config:
>>
>> 
>>   DBSource dbi:mysql:databasename:192.168.10.3
>>   DBUsername  DBuser
>>   DBAuth  DBPass
>>   AuthSelect SELECT Endpoint, Password FROM endpoints
>>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>>   AuthColumnDef   1,Tunnel-Password,reply
>> 
>>
>> This works fine at the moment as I only have 1 row in the table which
>> represents 1 endpoint.  But I now want to return multiple endpoints so
>> the Access-Accept would be something along the lines of:
>>
>> Code:   Access-Accept
>> Attributes:
>>   Tunnel-Server-Endpoint = 172.16.1.1
>>   Tunnel-Password = "tunnelpass"
>>   Tunnel-Server-Endpoint = 172.16.1.2
>>   Tunnel-Password = "tunnelpass2"
>>
>> I had hoped to just add a 2nd row to the table, but the handler just
>> returns the values from the 1st row of the result.  I'd like to be able
>> to return additional attributes for each row returned so I can easily
>> add/remove more endpoints to the table as and when I need to.
>>
>> Thanks.
>>
>> Jim.
>>
>>




Re: [RADIATOR] AuthBy SQL - multiple rows/attributes

2012-06-25 Thread Michael

I seem to remember reading somewhere in the Radiator manual that it will only 
process the first sql row received therefore I don't think it will process 
multiple row results.  I can't seem to find in the manual where I read that 
though. On the other hand, you could have all reply values on the same row in 
the table, or create an sql statement that returns them all on one row.

What is your sql table structure?  multiple tables?

mike


On 12-06-25 08:52 AM, Jim Tyrrell wrote:
> Hi,
>
> Is it possible for AuthBy SQL to return multiple attributes if the query
> returns multiple rows?
>
> I am currently using AuthBy SQL to return a Tunnel-Endpoint to a LAC
> with the following simplified config:
>
> 
>   DBSource dbi:mysql:databasename:192.168.10.3
>   DBUsername  DBuser
>   DBAuth  DBPass
>   AuthSelect SELECT Endpoint, Password FROM endpoints
>   AuthColumnDef   0,Tunnel-Server-Endpoint,reply
>   AuthColumnDef   1,Tunnel-Password,reply
> 
>
> This works fine at the moment as I only have 1 row in the table which
> represents 1 endpoint.  But I now want to return multiple endpoints so
> the Access-Accept would be something along the lines of:
>
> Code:   Access-Accept
> Attributes:
>   Tunnel-Server-Endpoint = 172.16.1.1
>   Tunnel-Password = "tunnelpass"
>   Tunnel-Server-Endpoint = 172.16.1.2
>   Tunnel-Password = "tunnelpass2"
>
> I had hoped to just add a 2nd row to the table, but the handler just
> returns the values from the 1st row of the result.  I'd like to be able
> to return additional attributes for each row returned so I can easily
> add/remove more endpoints to the table as and when I need to.
>
> Thanks.
>
> Jim.
>
>
___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
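As an added example (not code from the thread, from Radiator or from its goodies), here is one way to carry out Michael's "all on one row" suggestion in MySQL: every endpoint row is folded into a single GENERIC reply column, which Radiator reads as a comma-separated list of attribute=value pairs. The `endpoints` table and its `Endpoint`/`Password` columns are Jim's; the `Enabled` column, the sample rows and the Radiator lines in the trailing comment are assumptions.

```sql
-- Constructed schema: Jim's table plus an Enabled flag (assumption).
CREATE TABLE endpoints (
    Endpoint VARCHAR(45) NOT NULL,            -- becomes Tunnel-Server-Endpoint
    Password VARCHAR(64) NOT NULL,            -- becomes Tunnel-Password
    Enabled  TINYINT(1)  NOT NULL DEFAULT 1,
    PRIMARY KEY (Endpoint)
);

-- Constructed sample rows matching the Access-Accept Jim wants.
INSERT INTO endpoints (Endpoint, Password) VALUES
    ('172.16.1.1', 'tunnelpass'),
    ('172.16.1.2', 'tunnelpass2');

-- GROUP_CONCAT truncates silently at group_concat_max_len (1024 bytes by
-- default). For Radiator's connection set it in my.cnf or globally, since
-- AuthSelect runs a single statement; the SET here only covers this session.
SET SESSION group_concat_max_len = 8192;

-- One result row however many endpoints are enabled. Every row is folded
-- into one string of attribute=value pairs, e.g.
--   Tunnel-Server-Endpoint=172.16.1.1,Tunnel-Password=tunnelpass,
--   Tunnel-Server-Endpoint=172.16.1.2,Tunnel-Password=tunnelpass2
-- which AuthColumnDef 0,GENERIC,reply turns into repeated reply attributes.
-- Keep the values free of commas: the GENERIC list is split on them.
-- With no enabled endpoint GROUP_CONCAT yields NULL; HAVING drops that row,
-- so Radiator sees "no match" and rejects instead of accepting with an
-- empty tunnel list.
SELECT GROUP_CONCAT(
           CONCAT('Tunnel-Server-Endpoint=', Endpoint,
                  ',Tunnel-Password=', Password)
           ORDER BY Endpoint SEPARATOR ',') AS reply_attrs
FROM endpoints
WHERE Enabled = 1
HAVING reply_attrs IS NOT NULL;

-- Radiator side (assumed; replaces Jim's two AuthColumnDef lines):
--   AuthSelect SELECT GROUP_CONCAT(CONCAT('Tunnel-Server-Endpoint=', Endpoint, \
--       ',Tunnel-Password=', Password) ORDER BY Endpoint SEPARATOR ',') \
--       AS reply_attrs FROM endpoints WHERE Enabled = 1 \
--       HAVING reply_attrs IS NOT NULL
--   AuthColumnDef 0, GENERIC, reply
```

Adding or removing an endpoint is then a row insert or delete with no change to the Radiator configuration, which is what Jim asked for.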


Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

2012-02-09 Thread Heikki Vatiainen
On 02/09/2012 01:43 PM, Michael wrote:

> I use a reject column in my user database, and SELECT it like this:
> SELECT username, crypt, CONCAT('Reject:',reject), 
> 
> and:
> AuthColumnDef   2, Auth-Type, check

Yes, this is a very good method to do it.

> so, if the reject column is NULL, CONCAT returns NULL and it passed, but if 
> the reject column has text in it, CONCAT returns 'Reject:reject reason', and 
> the user is rejected.

Also, if the SQL call returns 'Accept', the password check must still
succeed. So Auth-Type by itself does not accept the user if the
password is wrong.

A slight difference between this method and using hooks is the
Reply-Message returned with a bad password. The above method returns
"Bad password", while with hooks it is possible to return a message from
the SQL call.

Thanks!
Heikki

> 
> 
> On 12-02-08 12:40 PM, Lee Solway wrote:
>> Is there a way I can set an access Accept or Reject in the MySQL results
>> generated by AuthBy SQL?
>>
>> Currently I have a stored procedure that I call in the following.. I
>> would like the SP to be able to reject the Access-Request with an error
>> message also if possible..
>>
>>  AuthSelect CALL get_reply_attr('%U')
>>  AuthColumnDef 0, GENERIC, reply
>>  AuthColumnDef 1, User-Password, check
>>
>> Thanks,
>> Lee
>>
>>


-- 
Heikki Vatiainen 



Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

2012-02-09 Thread Michael
I use a reject column in my user database, and SELECT it like this:
SELECT username, crypt, CONCAT('Reject:',reject), 

and:
AuthColumnDef   2, Auth-Type, check

so, if the reject column is NULL, CONCAT returns NULL and it passed, but if the 
reject column has text in it, CONCAT returns 'Reject:reject reason', and the 
user is rejected.




On 12-02-08 12:40 PM, Lee Solway wrote:
> Is there a way I can set an access Accept or Reject in the MySQL results
> generated by AuthBy SQL?
>
> Currently I have a stored procedure that I call in the following.. I
> would like the SP to be able to reject the Access-Request with an error
> message also if possible..
>
>  AuthSelect CALL get_reply_attr('%U')
>  AuthColumnDef 0, GENERIC, reply
>  AuthColumnDef 1, User-Password, check
>
> Thanks,
> Lee
>
>


Re: [RADIATOR] AuthBy SQL Reject or Accept in the SQL results

2012-02-09 Thread Heikki Vatiainen
On 02/08/2012 07:40 PM, Lee Solway wrote:

Hello Lee,

> Is there a way I can set an access Accept or Reject in the MySQL results 
> generated by AuthBy SQL?

Please see below for one method.

> Currently I have a stored procedure that I call in the following.. I 
> would like the SP to be able to reject the Access-Request with an error 
> message also if possible..
> 
> AuthSelect CALL get_reply_attr('%U')
> AuthColumnDef 0, GENERIC, reply
> AuthColumnDef 1, User-Password, check

You could do both (control accept/reject and return reason) with
something like this. First change get_reply_attr to return 'true' or
'false' to control Accept or Reject. Also add another return value which
is the Reply-Message that is returned with Access-Reject.

 AuthColumnDef 2,X-Accepted-By-Sql,check
 AuthColumnDef 3,X-Reject-Msg,request

In the Handler or Realm clause prime X-Accepted-By-Sql like this:

AddToRequest X-Accepted-By-Sql=true

In the same Handler or Realm add RejectHasReason and a PostAuthHook to
replace reason with the value from SQL call.

RejectHasReason
PostAuthHook sub { my $p = ${$_[0]}; my $rp = ${$_[1]}; \
   my $result = $_[2]; my $reason = $_[3]; \
   return unless $$result == $main::REJECT; \
   $$reason = $p->get_attr('X-Reject-Msg'); \
}

Putting this together, if the third value returned by the SQL call is
anything other than 'true' the request will be rejected. The hook will
then set the returned Reply-Message based on X-Reject-Msg, which comes
from the SQL call.

For more about the hook parameters, please see the reference manual.

Thanks!
Heikki

-- 
Heikki Vatiainen 

___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator
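As an added example (not from the thread or from Radiator), a constructed MySQL table and a `get_reply_attr` procedure whose result columns line up with Heikki's four AuthColumnDef lines, followed by Michael's CONCAT('Reject:',...) variant for the Auth-Type check item. Only the procedure name comes from Lee's config; the `subscribers` table, its columns and the sample rows are assumptions.

```sql
-- Constructed table; names are assumptions, not Lee's or Michael's schema.
CREATE TABLE subscribers (
    username     VARCHAR(64)  NOT NULL PRIMARY KEY,
    crypt_pw     VARCHAR(128) NOT NULL,   -- value compared by the User-Password check
    reply_attrs  VARCHAR(512) NULL,       -- GENERIC: attr=value,attr=value
    status       ENUM('active','suspended','expired') NOT NULL DEFAULT 'active',
    reject_text  VARCHAR(128) NULL        -- optional operator-written reason
);

-- Constructed sample rows; '<crypt hash placeholder>' stands in for a real hash.
INSERT INTO subscribers VALUES
    ('alice', '<crypt hash placeholder>', 'Framed-IP-Address=10.0.0.5', 'active', NULL),
    ('bob',   '<crypt hash placeholder>', NULL, 'suspended', 'Account suspended, contact support');

DELIMITER //
-- Column order is what Heikki's AuthColumnDef lines index:
--   0 reply_attrs -> GENERIC, reply
--   1 crypt_pw    -> User-Password, check
--   2 accepted    -> X-Accepted-By-Sql, check ('true' matches the AddToRequest value)
--   3 reject_msg  -> X-Reject-Msg, request (read by the PostAuthHook on REJECT)
CREATE PROCEDURE get_reply_attr(IN p_user VARCHAR(64))
BEGIN
    SELECT
        s.reply_attrs,
        s.crypt_pw,
        IF(s.status = 'active', 'true', 'false') AS accepted,
        CASE
            -- An active account can only be rejected by the password (or another
            -- check item), so hand the hook a generic text instead of NULL;
            -- otherwise $p->get_attr('X-Reject-Msg') leaves the reason empty.
            WHEN s.status = 'active' THEN 'Authentication failed'
            ELSE COALESCE(s.reject_text, CONCAT('Account ', s.status))
        END AS reject_msg
    FROM subscribers AS s
    WHERE s.username = p_user;
END //
DELIMITER ;

-- Michael's variant for a plain AuthSelect with
--   AuthColumnDef 2, Auth-Type, check
-- CONCAT with a NULL argument is NULL, so an active user gets no Auth-Type
-- check item at all and only the password decides; anyone else gets
-- Auth-Type=Reject:<text> and is rejected before the password is looked at.
-- '%U' is Lee's Radiator macro: Radiator substitutes the User-Name into the
-- statement text before MySQL parses it, so neither this SELECT nor the
-- stored procedure above protects against a crafted User-Name; prefer the
-- bound-parameter mechanism where the installed Radiator version offers one.
SELECT s.username,
       s.crypt_pw,
       CASE
           WHEN s.status <> 'active'
               THEN CONCAT('Reject:', COALESCE(s.reject_text, s.status))
       END AS auth_type
FROM subscribers AS s
WHERE s.username = '%U';
```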


Re: [RADIATOR] AuthBy-File cannot match user

2011-08-05 Thread Heikki Vatiainen
On 08/03/2011 06:22 PM, Roel Hoek wrote:

Hello Roel,

> I changed the Handler Realm match as specified and changed EAPAnonymous to 
> %0. Now the right handler handles the request and the
> username/identity is found by AuthBy FILE. (after stripping off the realm). 
> So it works now!
> I also added an extra Handler to handle PEAP when no identity is known yet.

Good to hear it works.

About the extra handler: if someone leaves out the @realm part and uses
just the username for the inner identity, then the whole authentication
is done using the extra Handler. I did not try the code but I'd say this
is what would happen.

The default Filename is %D/users, so you may want to check if the extra
Handler does what you expect with realmless identities.

Thanks!

> Thanks for your help!
> 
>  Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> 
> Identifier PEAP-inner-without-realm
> EAPType MSCHAP-V2
> NoCheckPassword
> 
> 
>  Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueWhileAccept
> RewriteUsername s/^([^@]+).*/$1/
> RewriteUsername s/^\s*//
> RewriteUsername s/\s*$//
> 
> 
> Identifier PEAP-inner-productieoid-peap
> EAPType MSCHAP-V2
> # Rest of the config
> 
> 
> Identifier add-vlan-attributes
> Filename %D/users-wlan-peap_v3
> NoCheckPassword
> NoEAP
> 
> 
> 
> --
> 
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <232><174><210><229>+M<192> <152>L<148><31>.o!T
> Attributes:
> EAP-Message = <2><0><0><27><1>[email protected]
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = ""
> 
> Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=/^$/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier ''
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: 
> PEAP-inner-without-realm
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 0, 27, 1
> Wed Aug  3 17:15:24 2011: DEBUG: Response type 1
> Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 
> Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for : EAP MSCHAP-V2 
> Challenge
> Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Challenge
> .
> .
> .
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <150><207><169><232>HP-<233><201><25><185><247>E<129><207>"
> Attributes:
> EAP-Message =
> <2><1><0>Q<26><2><1><0>L1qwo<236><185><7><241>b@p<169><10><221><136>r<186><0><0><0><0><0><0><0><0><248><150>m<239><163><133>L!<219>G'<199><240>Vt<131><21><251><193>S<245><18><224><155><0>[email protected]
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
> 
> Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier 'PEAP-inner-utwente-test2'
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> productieoid-peap
> Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
> Wed Aug  3 17:15:24 2011: INFO: Connecting to oid.utwente.nl:389
> Wed Aug  3 17:15:24 2011: INFO: Attempting to bind to LDAP server <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got result for uid=d3126217, <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got chappassword: <.>
> Wed Aug  3 17:15:24 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
> d3126217 [[email protected]]
> Wed Aug  3 17:15:24 2011: DEB

Re: [RADIATOR] AuthBy-File cannot match user

2011-08-03 Thread Roel Hoek

Hello Heikki,

I changed the Handler Realm match as specified and changed EAPAnonymous to %0. 
Now the right handler handles the request and the
username/identity is found by AuthBy FILE. (after stripping off the realm). So 
it works now!
I also added an extra Handler to handle PEAP when no identity is known yet.

Thanks for your help!



Identifier PEAP-inner-without-realm
EAPType MSCHAP-V2
NoCheckPassword



AuthByPolicy ContinueWhileAccept
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/^\s*//
RewriteUsername s/\s*$//


Identifier PEAP-inner-productieoid-peap
EAPType MSCHAP-V2
# Rest of the config


Identifier add-vlan-attributes
Filename %D/users-wlan-peap_v3
NoCheckPassword
NoEAP



--

Code:   Access-Request
Identifier: UNDEF
Authentic:  <232><174><210><229>+M<192> <152>L<148><31>.o!T
Attributes:
EAP-Message = <2><0><0><27><1>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = ""

Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 'Realm=/^$/,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 
''
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthFILE: 
PEAP-inner-without-realm
Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 0, 27, 1
Wed Aug  3 17:15:24 2011: DEBUG: Response type 1
Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP-V2 Challenge
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP MSCHAP-V2 
Challenge
Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for : EAP MSCHAP-V2 Challenge
Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:   Access-Challenge
.
.
.
Code:   Access-Request
Identifier: UNDEF
Authentic:  <150><207><169><232>HP-<233><201><25><185><247>E<129><207>"
Attributes:
EAP-Message =
<2><1><0>Q<26><2><1><0>L1qwo<236><185><7><241>b@p<169><10><221><136>r<186><0><0><0><0><0><0><0><0><248><150>m<239><163><133>L!<219>G'<199><240>Vt<131><21><251><193>S<245><18><224><155><0>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "[email protected]"

Wed Aug  3 17:15:24 2011: DEBUG: Handling request with Handler 
'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 
'PEAP-inner-utwente-test2'
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote user name to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Handling with Radius::AuthLDAP2: 
productieoid-peap
Wed Aug  3 17:15:24 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Wed Aug  3 17:15:24 2011: DEBUG: Response type 26
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: DEBUG: Rewrote identity to d3126217
Wed Aug  3 17:15:24 2011: INFO: Connecting to oid.utwente.nl:389
Wed Aug  3 17:15:24 2011: INFO: Attempting to bind to LDAP server <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got result for uid=d3126217, <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got chappassword: <.>
Wed Aug  3 17:15:24 2011: DEBUG: LDAP got orclisenabled: ENABLED
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
d3126217 [[email protected]]
Wed Aug  3 17:15:24 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
[[email protected]]
Wed Aug  3 17:15:24 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 
Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: Access challenged for d3126217: EAP MSCHAP V2 
Challenge: Success
Wed Aug  3 17:15:24 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:   Access-Challenge
.
.
.
Code:   Access-Request
Identifier: UNDEF
Authentic:  <30>B<132><240>:<19>6<159><187><31>Zo\T<175>*
Attributes:
EAP-Message = <2><2><0><6><26><3>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
 

Re: [RADIATOR] AuthBy-File cannot match user

2011-08-02 Thread Heikki Vatiainen
On 08/02/2011 01:39 PM, Roel Hoek wrote:

Hello Roel,

> I changed the config as proposed. The  is handled with success, 
> but the second handler,  fails again.
> (AuthFILE REJECT: No such user: [email protected] [[email protected]])
> EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and 
> no handler can be found.

Can you do the following:
o EAPAnonymous %0
o Change the PEAP inner Handler to this:



The change is to allow both an empty realm and utwente.test2.

Since the first EAP request establishes the identity, the first inner
request will be empty. After that, when the identity is known, the realm
can be looked up from the identity.

If you do not want to allow an empty realm, you can add an inner Handler
that allows an empty realm and has a (possibly dummy) AuthBy that is
willing to do EAP. That will match the identity exchange and your
current handler can then take care of the actual authentication.

Please let us know if this works.

Thanks!

> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier 'PEAP-inner-utwente-test2'
> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> productieoid-peap
> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
> Tue Aug  2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
> Tue Aug  2 11:41:05 2011: INFO: Attempting to bind to LDAP server 
> oid.utwente.nl:389
> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
> Tue Aug  2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
> d3126217 [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
> [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: 
> Success
> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP 
> V2 Challenge: Success
> Tue Aug  2 11:41:05 2011: DEBUG: Access challenged for [email protected]: 
> EAP MSCHAP V2 Challenge: Success
> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Challenge
> .
> .
> .
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
> Attributes:
> EAP-Message = <2><2><0><6><26><3>
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
> 
> Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier 'PEAP-inner-utwente-test2'
> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> productieoid-peap
> Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
> Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
> Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 0,
> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: 
> add-vlan-attributes
> Tue Aug  2 11:41:05 2011: DEBUG: Reading users file 
> /etc/radiator//users-wlan-peap_v3
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with 
> [email protected] [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: 
> [email protected] [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT 
> [[email protected]]
> Tue Aug  2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Aug  2 11:41:05 2011: DEBUG: Access accepted for [email protected]
> Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Accept
> 
> 
> -
> # WLAN (utwente.test2) inner authentication (PEAP)
> #
>  Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
> AuthByPolicy ContinueWhileAccept
> AddToRequest 
> Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
> 
> Identifier productieoid-peap
> EAPType MSCHAP-V2
> # Rest

Re: [RADIATOR] AuthBy-File cannot match user

2011-08-02 Thread Roel Hoek

Hello Heikki,

I changed the config as proposed. The  is handled with success, 
but the second handler,  fails again.
(AuthFILE REJECT: No such user: [email protected] [[email protected]])
EAPAnonymous in the EAP-outer handler is %u. With %0 the Username is "" and no 
handler can be found.


Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 
'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 
'PEAP-inner-utwente-test2'
Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: 
productieoid-peap
Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug  2 11:41:05 2011: DEBUG: Rewrote identity to d3126217
Tue Aug  2 11:41:05 2011: INFO: Connecting to oid.utwente.nl:389
Tue Aug  2 11:41:05 2011: INFO: Attempting to bind to LDAP server 
oid.utwente.nl:389
Tue Aug  2 11:41:05 2011: DEBUG: LDAP got result for uid=d3126217,<...>
Tue Aug  2 11:41:05 2011: DEBUG: LDAP got chappassword: {rcrypt}blablabla
Tue Aug  2 11:41:05 2011: DEBUG: LDAP got orclisenabled: ENABLED
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
d3126217 [[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
[[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: CHALLENGE, EAP MSCHAP V2 
Challenge: Success
Tue Aug  2 11:41:05 2011: DEBUG: Access challenged for [email protected]: 
EAP MSCHAP V2 Challenge: Success
Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:   Access-Challenge
.
.
.
Code:   Access-Request
Identifier: UNDEF
Authentic:  N<162><150>qf<254><242>:<4>'<14>n<245><251><191><147>
Attributes:
EAP-Message = <2><2><0><6><26><3>
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "[email protected]"

Tue Aug  2 11:41:05 2011: DEBUG: Handling request with Handler 
'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 
'PEAP-inner-utwente-test2'
Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthLDAP2: 
productieoid-peap
Tue Aug  2 11:41:05 2011: DEBUG: Handling with EAP: code 2, 2, 6, 26
Tue Aug  2 11:41:05 2011: DEBUG: Response type 26
Tue Aug  2 11:41:05 2011: DEBUG: EAP result: 0,
Tue Aug  2 11:41:05 2011: DEBUG: AuthBy LDAP2 result: ACCEPT,
Tue Aug  2 11:41:05 2011: DEBUG: Handling with Radius::AuthFILE: 
add-vlan-attributes
Tue Aug  2 11:41:05 2011: DEBUG: Reading users file 
/etc/radiator//users-wlan-peap_v3
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with 
[email protected] [[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE REJECT: No such user: 
[email protected] [[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE looks for match with DEFAULT 
[[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT 
[[email protected]]
Tue Aug  2 11:41:05 2011: DEBUG: AuthBy FILE result: ACCEPT,
Tue Aug  2 11:41:05 2011: DEBUG: Access accepted for [email protected]
Tue Aug  2 11:41:05 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:   Access-Accept


-
# WLAN (utwente.test2) inner authentication (PEAP)
#

AuthByPolicy ContinueWhileAccept
AddToRequest 
Calling-Station-Id=%{OuterRequest:Calling-Station-Id}

Identifier productieoid-peap
EAPType MSCHAP-V2
# Rest of the config
Version 2
Host <.>
BindAddress <.>
FailureBackoffTime 10
AuthDN <.>
AuthPassword <.>
BaseDN <.>
RcryptKey <.>
RewriteUsername s/^([^@]+).*/$1/
RewriteUsername s/^\s*//
RewriteUsername s/\s*$//
UsernameAttr <.>
PasswordAttr <.>
AuthAttrDef orclisenabled, OIDactive, request



Identifier add-vlan-attributes
Filename %D/users-wlan-peap_v3
NoCheckPassword
NoEAP

AuthLog authloggin

Re: [RADIATOR] AuthBy-File cannot match user

2011-08-01 Thread Heikki Vatiainen
On 08/01/2011 02:44 PM, Roel Hoek wrote:

Hello Roel,

> EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
> Now, indeed, the user-name/identity is found in the users-file, and is found 
> in the LDAP-server, but now failed on EAP MSCHAP V2 (no
> such user???)

Hmm, I was able to recreate this with two simple AuthBy FILEs too.
However, I did not dig deeper to see why it fails.

> This has, I think, something to do that mschapv2 needs for challange and 
> responce the whole username including the realm. This works
> with 'NoEAP', but not with EAPType MSCHAP-V2.

Can you restructure your configuration a little? The restructure would
put two AuthBys into the PEAP inner Handler. The first does EAP and is
the LDAP check, while the second gets the attributes from the file after a
successful LDAP check.

Something like this should do it:

# WLAN (utwente.test2) inner authentication (PEAP)
#
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
   AuthByPolicy ContinueWhileAccept

   <AuthBy LDAP2>
      Identifier productieoid-peap
      EAPType MSCHAP-V2
      # Rest of the config
   </AuthBy>

   <AuthBy FILE>
      Identifier add-vlan-attributes
      Filename %D/users-wlan-peap
      NoCheckPassword
      NoEAP
   </AuthBy>

   # Rest of the Handler
</Handler>

The file users-wlan-peap would be the same as currently but without the
Auth-Type check items:

d3126217
 Tunnel-Type = 1:VLAN,
 Tunnel-Medium-Type = 1:Ether_802,
 Tunnel-Private-Group-ID = 1:131,
 Login-LAT-Group = "qnet"

# Rest of users-wlan-peap

This should still collect the user-specific VLAN attributes but
otherwise do the authentication the same for all users.

Please let us know how this works.

Thanks!
Heikki


> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
> Attributes:
> EAP-Message = 
> <2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
> <16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>[email protected]
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
> 
> Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier 'PEAP-inner-utwente-test2'
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Reading users file 
> /etc/radiator//users-wlan-peap
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with 
> d3126217 [[email protected]]
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> productieoid-peap
> Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
> Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
> Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server 
> oid.utwente.nl:389
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, 
> ou=Employees, cn=Users, o=university of twente,c=nl
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
> Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
> d3126217 [[email protected]]
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
> [[email protected]]
> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: 
> Success
> Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 
> Challenge: Success: d3126217 [[email protected]]
> Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
> user d3126217
> Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 
> failed: no such user d3126217
> Mon Aug  1 12:15:31 2011: INFO: Access rejected for [email protected]: 
> EAP MSCHAP V2 failed: no such user d3126217
> Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Reject
> 
> 
> On 2011-07-30 08:19, Heikki Vatiainen wrote:
>> On 07/29/2011 04:12 PM, Roel Hoek wrote:
> 
>>> Thanks for your comment. Although it did not work.
>>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be 
>>> found.
> 
>> Unfortunat

Re: [RADIATOR] AuthBy-File cannot match user

2011-08-01 Thread Roel Hoek

Hi Heikki,

EAPAnonymous is set back to %u and EAPType is set to MSCHAP-V2
Now, indeed, the user-name/identity is found in the users-file, and is found in 
the LDAP-server, but now failed on EAP MSCHAP V2 (no
such user???)
This has, I think, something to do with the fact that MSCHAPv2 needs the whole
username including the realm for the challenge and response. This works
with 'NoEAP', but not with EAPType MSCHAP-V2.


Code:   Access-Request
Identifier: UNDEF
Authentic:  <239>d<146>I.<193>%#<14><13><189><176><200>.<182>Y
Attributes:
EAP-Message = 
<2><1><0>Q<26><2><1><0>L1<162>VxN6pv<15>|<129><140>Y<241>`<200><166><0><0><0><0><0><0><0><0>
<16><2>I<201>wr7<205><216><230>n<172><8>\<229>0{<219><160>@9<176>"<0>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = "[email protected]"

Mon Aug  1 12:15:31 2011: DEBUG: Handling request with Handler 
'Realm=utwente.test2,
Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', Identifier 
'PEAP-inner-utwente-test2'
Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Reading users file 
/etc/radiator//users-wlan-peap
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE looks for match with d3126217 
[[email protected]]
Mon Aug  1 12:15:31 2011: DEBUG: Handling with Radius::AuthLDAP2: 
productieoid-peap
Mon Aug  1 12:15:31 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
Mon Aug  1 12:15:31 2011: DEBUG: Response type 26
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: DEBUG: Rewrote identity to d3126217
Mon Aug  1 12:15:31 2011: INFO: Connecting to oid.utwente.nl:389
Mon Aug  1 12:15:31 2011: INFO: Attempting to bind to LDAP server 
oid.utwente.nl:389
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got result for uid=d3126217, 
ou=Employees, cn=Users, o=university of twente,c=nl
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got chappassword: {rcrypt}bla bla bla
Mon Aug  1 12:15:31 2011: DEBUG: LDAP got orclisenabled: ENABLED
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
d3126217 [[email protected]]
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
[[email protected]]
Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: Success
Mon Aug  1 12:15:31 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 
Challenge: Success: d3126217 [[email protected]]
Mon Aug  1 12:15:31 2011: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such 
user d3126217
Mon Aug  1 12:15:31 2011: DEBUG: AuthBy FILE result: REJECT, EAP MSCHAP V2 
failed: no such user d3126217
Mon Aug  1 12:15:31 2011: INFO: Access rejected for [email protected]: EAP 
MSCHAP V2 failed: no such user d3126217
Mon Aug  1 12:15:32 2011: DEBUG: Returned PEAP tunnelled packet dump:
Code:   Access-Reject


On 2011-07-30 08:19, Heikki Vatiainen wrote:
> On 07/29/2011 04:12 PM, Roel Hoek wrote:
> 
>> Thanks for your comment. Although it did not work.
>> I changed EAPAnonymous to %0. But now Username is "" and no handler can be 
>> found.
> 
> Unfortunately that's true. Taking another look at the configuration, the
> reason for this is the NoEAP option. Since EAP is not run for the inner
> authentication, the EAP identity will not be available.
> 
> Going back to your original configuration, would replacing "NoEAP" with
> "EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.
> 
> Thanks!
> Heikki
> 
> 
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 
>> 'Realm=/utwente.test|utwente.test2/,
>> Client-Identifier=/^WLANATUT-ID$|^LOCALH
>> OST-ID$/', Identifier 'WLAN-OUTER-TEST'
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
>> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
>> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
>> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
>> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
>> Code:   Access-Request
>> Identifier: UNDEF
>> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
>> Attributes:
>> EAP-Message = <2><0><0><27><1>[email protected]
>> Message-Authenticator = 
>> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
>> NAS-IP-Address = 172.31.178.10
>> NAS-Identifier = "wlc-1"
>> NAS-Port = 13
>>  

Re: [RADIATOR] AuthBy-File cannot match user

2011-07-29 Thread Heikki Vatiainen
On 07/29/2011 04:12 PM, Roel Hoek wrote:

> Thanks for your comment. Although it did not work.
> I changed EAPAnonymous to %0. But now Username is "" and no handler can be 
> found.

Unfortunately that's true. Taking another look at the configuration, the
reason for this is the NoEAP option. Since EAP is not run for the inner
authentication, the EAP identity will not be available.

Going back to your original configuration, would replacing "NoEAP" with
"EAPType MSCHAP-V2" work? EAP MSCHAP-V2 will work fine with AuthBy FILE.

Thanks!
Heikki


> Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 
> 'Realm=/utwente.test|utwente.test2/,
> Client-Identifier=/^WLANATUT-ID$|^LOCALH
> OST-ID$/', Identifier 'WLAN-OUTER-TEST'
> Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
> Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
> Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
> Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
> Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
> Attributes:
> EAP-Message = <2><0><0><27><1>[email protected]
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = ""
> Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner 
> authentication
> Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for 
> PEAP inner authentication
> Fri Jul 29 13:32:06 2011: INFO: Access rejected for [email protected]: No 
> Handler for PEAP inner authentication
> Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
> *** Sending to 172.31.178.10 port 32770 
> Code:   Access-Reject
> 
> ---
> <Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
>     AuthByPolicy ContinueWhileReject
>     AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}
> 
>     <AuthBy FILE>
>         RewriteUsername s/^([^@]+).*/$1/
>         RewriteUsername s/^\s*//
>         RewriteUsername s/\s*$//
>         Filename %D/users-wlan-peap
>         NoEAP
>     </AuthBy>
>     AuthLog authlogging-wlan-peap
>     Identifier PEAP-inner-utwente-test2
>     Description WLAN
>     AuthLog authlogging-tent
> </Handler>
> 
> <Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
>     <AuthBy FILE>
>         EAPType TTLS,PEAP
>         EAPTLS_CAFile
>         EAPTLS_CertificateFile
>         EAPTLS_CertificateType PEM
>         EAPTLS_PrivateKeyFile
>         EAPTLS_PrivateKeyPassword
>         EAPTLS_MaxFragmentSize 1024
>         EAPTLS_SessionResumption 0
>         AutoMPPEKeys
>         EAPTLS_PEAPBrokenV1Label
>         EAPTTLS_NoAckRequired
>         # %U (and %u (with realm)) are the inner-auth username for PEAP
>         #EAPAnonymous %u
>         EAPAnonymous %0
>     </AuthBy>
>     AuthLog authlogging-wlan
>     Identifier WLAN-OUTER-TEST
>     Description WLAN
>     AuthLog authlogging-tent
> </Handler>
> 
>> On 07/26/2011 06:14 PM, Roel Hoek wrote:
> 
>> Hello Roel,
> 
>>> We experience a problem with a handler for authenticating wireless-lan 
>>> users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>>> the outer and inner identity are not equal (normal situation).
>>> It looks like the userfile is searched by the outer-identity, although the 
>>> inner-identity is used for authentication via LDAP.
> 
>> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
>> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
> 
>> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
>> use User-Name attribute instead of EAP Identity to do the authentication.
> 
>> With EAPAnonymous you can set the inner request User-Name the same as
>> the EAP Identity is.
> 
>> Please let us know if this works for you.
> 
>> Thanks!
>> Heikki
> 
> 
___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.

Re: [RADIATOR] AuthBy-File cannot match user

2011-07-29 Thread Roel Hoek

Hi Heikki,

Thanks for your comment. Although it did not work.
I changed EAPAnonymous to %0. But now Username is "" and no handler can be 
found.


Fri Jul 29 13:32:06 2011: DEBUG: Handling request with Handler 
'Realm=/utwente.test|utwente.test2/,
Client-Identifier=/^WLANATUT-ID$|^LOCALH
OST-ID$/', Identifier 'WLAN-OUTER-TEST'
Fri Jul 29 13:32:06 2011: DEBUG: Handling with Radius::AuthFILE:
Fri Jul 29 13:32:06 2011: DEBUG: Handling with EAP: code 2, 9, 112, 25
Fri Jul 29 13:32:06 2011: DEBUG: Response type 25
Fri Jul 29 13:32:06 2011: DEBUG: EAP PEAP inner authentication request for
Fri Jul 29 13:32:06 2011: DEBUG: PEAP Tunnelled request Packet dump:
Code:   Access-Request
Identifier: UNDEF
Authentic:  <177>6<209>Wz<163><198><243><230>M<179><134><155><15><207><163>
Attributes:
EAP-Message = <2><0><0><27><1>[email protected]
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 172.31.178.10
NAS-Identifier = "wlc-1"
NAS-Port = 13
Calling-Station-Id = "00271026a434"
User-Name = ""
Fri Jul 29 13:32:06 2011: DEBUG: EAP result: 1, No Handler for PEAP inner 
authentication
Fri Jul 29 13:32:06 2011: DEBUG: AuthBy FILE result: REJECT, No Handler for 
PEAP inner authentication
Fri Jul 29 13:32:06 2011: INFO: Access rejected for [email protected]: No 
Handler for PEAP inner authentication
Fri Jul 29 13:32:06 2011: DEBUG: Packet dump:
*** Sending to 172.31.178.10 port 32770 
Code:   Access-Reject

---
<Handler Realm=utwente.test2, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1>
    AuthByPolicy ContinueWhileReject
    AddToRequest Calling-Station-Id=%{OuterRequest:Calling-Station-Id}

    <AuthBy FILE>
        RewriteUsername s/^([^@]+).*/$1/
        RewriteUsername s/^\s*//
        RewriteUsername s/\s*$//
        Filename %D/users-wlan-peap
        NoEAP
    </AuthBy>
    AuthLog authlogging-wlan-peap
    Identifier PEAP-inner-utwente-test2
    Description WLAN
    AuthLog authlogging-tent
</Handler>

<Handler Realm=/utwente.test|utwente.test2/, Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/>
    <AuthBy FILE>
        EAPType TTLS,PEAP
        EAPTLS_CAFile
        EAPTLS_CertificateFile
        EAPTLS_CertificateType PEM
        EAPTLS_PrivateKeyFile
        EAPTLS_PrivateKeyPassword
        EAPTLS_MaxFragmentSize 1024
        EAPTLS_SessionResumption 0
        AutoMPPEKeys
        EAPTLS_PEAPBrokenV1Label
        EAPTTLS_NoAckRequired
        # %U (and %u (with realm)) are the inner-auth username for PEAP
        #EAPAnonymous %u
        EAPAnonymous %0
    </AuthBy>
    AuthLog authlogging-wlan
    Identifier WLAN-OUTER-TEST
    Description WLAN
    AuthLog authlogging-tent
</Handler>

> On 07/26/2011 06:14 PM, Roel Hoek wrote:
> 
> Hello Roel,
> 
>> We experience a problem with a handler for authenticating wireless-lan 
>> users. AuthBy-File for a PEAP-mschapV2 cannot match a user if
>> the outer and inner identity are not equal (normal situation).
>> It looks like the userfile is searched by the outer-identity, although the 
>> inner-identity is used for authentication via LDAP.
> 
> Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
> "5.19.24 EAPAnonymous" for more info about EAPAnonymous.
> 
> Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
> use User-Name attribute instead of EAP Identity to do the authentication.
> 
> With EAPAnonymous you can set the inner request User-Name the same as
> the EAP Identity is.
> 
> Please let us know if this works for you.
> 
> Thanks!
> Heikki
> 

-- 

Regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
[email protected]; http://www.utwente.nl/icts


Re: [RADIATOR] AuthBy-File cannot match user

2011-07-27 Thread Heikki Vatiainen
On 07/26/2011 06:14 PM, Roel Hoek wrote:

Hello Roel,

> We experience a problem with a handler for authenticating wireless-lan users. 
> AuthBy-File for a PEAP-mschapV2 cannot match a user if
> the outer and inner identity are not equal (normal situation).
> It looks like the userfile is searched by the outer-identity, although the 
> inner-identity is used for authentication via LDAP.

Try changing "EAPAnonymous %u" to "EAPAnonymous %0". See section
"5.19.24 EAPAnonymous" for more info about EAPAnonymous.

Your inner Handler has AuthBy FILE clause with NoEAP. Radiator will then
use User-Name attribute instead of EAP Identity to do the authentication.

With EAPAnonymous you can set the inner request User-Name the same as
the EAP Identity is.

Please let us know if this works for you.

Thanks!
Heikki


> We want for certain users a different reply-item (Tunnel-Private-Group-ID = 
> 1:131). Default users get "Tunnel-Private-Group-ID = 1:125".
> 
> 
> Is this a bug or a configuration error?
> 
> 
> 
> -
> part of logging:
> 
> Tue Jul 26 16:36:46 2011: DEBUG: PEAP Tunnelled request Packet dump:
> Code:   Access-Request
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
> EAP-Message =
> <2><1><0>Q<26><2><1><0>L1:0<228><135><228><157>!<158>(-oL<26><178><213><199><0><0><0><0><0><0><0><0>>_<251>woZ;<156>-<13>r<204>DZ<173>,~<240>L<188><139><0>[email protected]
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> NAS-IP-Address = 172.31.178.10
> NAS-Identifier = "wlc-1"
> NAS-Port = 13
> Calling-Station-Id = "00271026a434"
> User-Name = "[email protected]"
> 
> Tue Jul 26 16:36:46 2011: DEBUG: Handling request with Handler 
> 'Realm=utwente.test2,
> Client-Identifier=/^WLANATUT-ID$|^LOCALHOST-ID$/,TunnelledByPEAP=1', 
> Identifier 'PEAP-inner-utwente-test2'
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthGROUP:
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthFILE:
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with 
> [email protected] [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE REJECT: No such user: 
> [email protected] [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with Radius::AuthLDAP2: 
> productieoid-peap
> Tue Jul 26 16:36:46 2011: DEBUG: Handling with EAP: code 2, 1, 81, 26
> Tue Jul 26 16:36:46 2011: DEBUG: Response type 26
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: DEBUG: Rewrote identity to d3126217
> Tue Jul 26 16:36:46 2011: INFO: Connecting to oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: INFO: Attempting to bind to LDAP server 
> oid.utwente.nl:389
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got result for uid=d3126217, 
> ou=Employees, bla bla bla
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got chappassword: {rcrypt}<-->
> Tue Jul 26 16:36:46 2011: DEBUG: LDAP got orclisenabled: ENABLED
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 looks for match with 
> d3126217 [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthLDAP2 ACCEPT: : d3126217 
> [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP MSCHAP V2 Challenge: 
> Success
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthFILE CHALLENGE: EAP MSCHAP V2 
> Challenge: Success: DEFAULT [[email protected]]
> Tue Jul 26 16:36:46 2011: DEBUG: Radius::AuthGROUP:  result: CHALLENGE, EAP 
> MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy GROUP result: CHALLENGE, EAP MSCHAP 
> V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for [email protected]: 
> EAP MSCHAP V2 Challenge: Success
> Tue Jul 26 16:36:46 2011: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Challenge
> Identifier: UNDEF
> Authentic:  1<229>E<203><131>N'<132><236><210><232>)$<237>O<189>
> Attributes:
> EAP-Message = 
> <1><2><0>=<26><3><1><0>8S=9B980A90DF101E2389BFC05B92F3DE116CBEEF18 M=success
> Message-Authenticator = 
> <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> Tunnel-Type = 1:VLAN
> Tunnel-Medium-Type = 1:Ether_802
> Tunnel-Private-Group-ID = 1:125
> 
> Tue Jul 26 16:36:46 2011: DEBUG: EAP result: 3, EAP PEAP inner authentication 
> redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: AuthBy FILE result: CHALLENGE, EAP PEAP 
> inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Access challenged for [email protected]: 
> EAP PEAP inner authentication redispatched to a Handler
> Tue Jul 26 16:36:46 2011: DEBUG: Packet dump:
> *** Se

Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-12 Thread Karl Gaissmaier
Hi Heikki,

On 12.04.2011 14:09, Heikki Vatiainen wrote:
> On 04/11/2011 12:26 PM, Karl Gaissmaier wrote:
>
>>>> this is strange as Radiator-4.x has explicit support for reconnecting
>>>> to ldap servers after an idle timeout.
>>>
>>> Indeed. The function that has "ldap search for ..." error message does
>>> LDAP reconnect as the first thing. Reconnect should notice the closed
>>> connection and then connect again.
>>
>> but not with HoldServerConnection, or? I don't see a reconnect,
>> not under Trace 4 and even not on the wire with wireshark.
>
> With HoldServerConnection, yes.
>
> When HoldServerConnection is defined and there should be an active LDAP
> handle, the code checks if the socket is still ok or if the socket
> indicates that there is something available. If this something is
> LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a
> reconnect.

really strange. I didn't see this. After the LDAP
upgrade I'll come back to this problem and keep you informed.

Best Regards
Charly
-- 
Karl Gaissmaier
Kommunikations und Informationszentrum kiz
der Universität Ulm
Abteilung Infrastruktur
SG Netzwerk und Telekommunikation
89069 Ulm
Tel.: 49(0)731/50-22499 Fax : 49(0)731/50-1222499


Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-12 Thread Heikki Vatiainen
On 04/11/2011 12:26 PM, Karl Gaissmaier wrote:

>>> this is strange as Radiator-4.x has explicit support for reconnecting
>>> to ldap servers after an idle timeout.
>>
>> Indeed. The function that has "ldap search for ..." error message does
>> LDAP reconnect as the first thing. Reconnect should notice the closed
>> connection and then connect again.
> 
> but not with HoldServerConnection, or? I don't see a reconnect,
> not under Trace 4 and even not on the wire with wireshark.

With HoldServerConnection, yes.

When HoldServerConnection is defined and there should be an active LDAP
handle, the code checks if the socket is still ok or if the socket
indicates that there is something available. If this something is
LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a
reconnect.

Before this check, the code checks if the socket is still connected.
This should take care of, e.g., timeouts caused by firewalls.


Thanks,
Heikki

-- 
Heikki Vatiainen 
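To make the reconnect logic described in this reply concrete, here is an added Python model (written for this page, not Radiator source) of a held LDAP handle: before each search it checks whether the socket is still connected and reconnects when it is not, and after a failed search it applies a FailureBackoffTime during which the AuthBy answers IGNORE, which is the "User database access error" result in Karl's log. The slapd stand-in, its 600 s idle timeout and the request timings are constructed, the virtual clock replaces real time so the scenario runs offline, and the check_before_use switch contrasts the behaviour described here with the failure reported in the thread.

```python
# Added example, not Radiator source: a client-side model of
# HoldServerConnection with a liveness check before each search, plus the
# FailureBackoffTime behaviour. The LDAP server is a constructed stand-in and
# time is a virtual clock so the idle timeout can be simulated offline.


class LdapServerDown(Exception):
    """Connect failed: the server is unreachable (LDAP_SERVER_DOWN in the log)."""


class UnexpectedEOF(Exception):
    """The peer closed the held socket, e.g. slapd's idle timeout fired."""


class FakeLdapTransport:
    """Constructed stand-in for slapd that closes connections idle longer than idle_timeout."""

    def __init__(self, idle_timeout, reachable=True):
        self.idle_timeout = idle_timeout
        self.reachable = reachable
        self.connects = 0
        self.last_used = None

    def connect(self, now):
        if not self.reachable:
            raise LdapServerDown("connect refused")
        self.connects += 1
        self.last_used = now

    def is_alive(self, now):
        """What a 'still connected' check on the socket would observe."""
        return self.last_used is not None and now - self.last_used < self.idle_timeout

    def search(self, filt, now):
        if not self.is_alive(now):
            raise UnexpectedEOF("peer closed the connection")
        self.last_used = now
        return [f"entry matching {filt}"]


class HeldLdapConnection:
    """Keeps one LDAP handle open across requests (HoldServerConnection).

    With check_before_use the handle is tested before each search and silently
    reconnected when dead. Without it, the first request after the idle timeout
    hits the closed socket, the AuthBy returns IGNORE and, with
    FailureBackoffTime > 0, keeps returning IGNORE until the backoff elapses."""

    def __init__(self, transport, failure_backoff_time, clock, check_before_use=True):
        self.transport = transport
        self.failure_backoff_time = failure_backoff_time
        self.clock = clock
        self.check_before_use = check_before_use
        self.connected = False
        self.backoff_until = 0.0

    def search(self, filt):
        now = self.clock()
        if now < self.backoff_until:
            return "IGNORE", "User database access error (in failure backoff)"
        try:
            if self.connected and self.check_before_use and not self.transport.is_alive(now):
                self.connected = False  # stale handle: drop it and reconnect below
            if not self.connected:
                self.transport.connect(now)
                self.connected = True
            return "OK", self.transport.search(filt, now)
        except (UnexpectedEOF, LdapServerDown) as err:
            # Disconnect, and do not retry this server until the backoff has passed.
            self.connected = False
            self.backoff_until = now + self.failure_backoff_time
            return "IGNORE", f"User database access error ({type(err).__name__})"


def run_scenario(check_before_use, failure_backoff_time):
    """Requests at t=0, 700, 701 and 704 s against a server with a 600 s idle timeout.

    Returns the per-request results and how many connects were made."""
    clock = {"t": 0.0}
    transport = FakeLdapTransport(idle_timeout=600)
    conn = HeldLdapConnection(transport, failure_backoff_time,
                              lambda: clock["t"], check_before_use)
    results = []
    for t in (0, 700, 701, 704):
        clock["t"] = t
        results.append(conn.search("(|(mail=bar)(uid=bar))")[0])
    return results, transport.connects


if __name__ == "__main__":
    print(run_scenario(check_before_use=True, failure_backoff_time=3))   # all OK, 2 connects
    print(run_scenario(check_before_use=False, failure_backoff_time=3))  # two IGNOREs
    print(run_scenario(check_before_use=False, failure_backoff_time=0))  # one IGNORE
```

The third scenario is Christian's suggestion: with FailureBackoffTime 0 the request after the failed one reconnects immediately instead of being ignored for the backoff period, but the request that first hits the dead socket is still lost unless the handle is checked before use.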


Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-11 Thread Karl Gaissmaier
Hello,

thanks for your reply!

On 06.04.2011 23:44, Heikki Vatiainen wrote:
> On 04/06/2011 03:39 PM, Christian Kratzer wrote:
>
>>> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) 
>>> failed with error LDAP_SERVER_DOWN.
>>> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server 
>>> foo.uni-ulm.de:636).
>>> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database 
>>> access error
>>
>> this is strange as Radiator-4.x has explicit support for reconnecting
>> to ldap servers after an idle timeout.
>
> Indeed. The function that has "ldap search for ..." error message does
> LDAP reconnect as the first thing. Reconnect should notice the closed
> connection and then connect again.

but not with HoldServerConnection, or? I don't see a reconnect,
not under Trace 4 and even not on the wire with wireshark.

>
> It might be a good idea to upgrade since the newer versions might do a
> better job of sending notices about the disconnect.

The LDAP Server isn't under my management domain. But I'll suggest
an upgrade.

>
> If upgrade is not possible, then commenting out HoldServerConnection
> will probably help too.

done, yep this helps but it's not the best solution under heavy load.


..
>>
>> Perhaps, as you only have one LDAP server to forward to, you should set
>> FailureBackoffTime to 0 to allow Radiator to immediately reconnect.

This didn't help.

Best Regards
Charly
-- 
Karl Gaissmaier
Kommunikations und Informationszentrum kiz
der Universität Ulm
Abteilung Infrastruktur
SG Netzwerk und Telekommunikation
89069 Ulm
Tel.: 49(0)731/50-22499 Fax : 49(0)731/50-1222499


Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-06 Thread Heikki Vatiainen
On 04/06/2011 03:39 PM, Christian Kratzer wrote:

>> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed 
>> with error LDAP_SERVER_DOWN.
>> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server 
>> foo.uni-ulm.de:636).
>> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database 
>> access error
> 
> this is strange as Radiator-4.x has explicit support for reconnecting
> to ldap servers after an idle timeout.

Indeed. The function that has "ldap search for ..." error message does
LDAP reconnect as the first thing. Reconnect should notice the closed
connection and then connect again.

It might be a good idea to upgrade since the newer versions might do a
better job of sending notices about the disconnect.

If upgrade is not possible, then commenting out HoldServerConnection
will probably help too.

>> See the config part below:
>>
>> <AuthBy LDAP2>
>>     PacketTrace
>>     HoldServerConnection
>>     NoDefault
>>
>>     Host                foo.uni-ulm.de
>>     Version             3
>>     FailureBackoffTime  3
>>
>>     UseSSL
>>     SSLVerify           require
>>     SSLCAFile           %D/certificates/ca-bundle.crt
>>
>>     AuthDN              cn=secret
>>     AuthPassword        more-secret
>>
>>     BaseDN              ou=bar,dc=uni-ulm,dc=de
>>     Scope               one
>>
>>     # username or e-mail
>>     SearchFilter        (|(mail=%1)(uid=%1))
>>     PasswordAttr        userPassword
>> </AuthBy>
> 
> Perhaps, as you only have one LDAP server to forward to, you should set
> FailureBackoffTime to 0 to allow Radiator to immediately reconnect.
> 
> Casual reading of the source code makes me think this might be the problem.
> 
> 
>> HINTS:
>>
>> I didn't see this problem with RADIATOR 3.11.
>> Sigh, I can't go back to 3.11 to verify it definitely.
>> Sigh, I know, it's a big step from 3.11 to 4.7.
>>
>> The LDAP server didn't change during the RADIATOR upgrade.
>> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.
> 
> As a side note and nothing to do with your current problem.
> 
> Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
> should consider updating for anything but a trivial directory setup.
> There have been lots of fixes since openldap 2.3.
> 
> Greetings
> Christian
> 


-- 
Heikki Vatiainen 


Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-06 Thread Christian Kratzer
Hi,

On Wed, 6 Apr 2011, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> I've got a problem with Version 4.7 and AuthBy LDAP2. The LDAP server terminates
> the connection after 10 min of client idle time, as configured in slapd.conf.
>
> Seems that the RADIATOR doesn't recognize this, and the first ACCESS-REQUEST
> after this termination gets the following error:
>
> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed 
> with error LDAP_SERVER_DOWN.
> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server 
> foo.uni-ulm.de:636).
> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database 
> access error

this is strange as Radiator-4.x has explicit support for reconnecting
to ldap servers after an idle timeout.

> See the config part below:
>
> <AuthBy LDAP2>
>     PacketTrace
>     HoldServerConnection
>     NoDefault
>
>     Host                foo.uni-ulm.de
>     Version             3
>     FailureBackoffTime  3
>
>     UseSSL
>     SSLVerify           require
>     SSLCAFile           %D/certificates/ca-bundle.crt
>
>     AuthDN              cn=secret
>     AuthPassword        more-secret
>
>     BaseDN              ou=bar,dc=uni-ulm,dc=de
>     Scope               one
>
>     # username or e-mail
>     SearchFilter        (|(mail=%1)(uid=%1))
>     PasswordAttr        userPassword
> </AuthBy>

Perhaps, as you only have one LDAP server to forward to, you should set
FailureBackoffTime to 0 to allow Radiator to immediately reconnect.

Casual reading of the source code makes me think this might be the problem.


> HINTS:
>
> I didn't see this problem with RADIATOR 3.11.
> Sigh, I can't go back to 3.11 to verify it definitely.
> Sigh, I know, it's a big step from 3.11 to 4.7.
>
> The LDAP server didn't change during the RADIATOR upgrade.
> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.

As a side note and nothing to do with your current problem.

Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
should consider updating for anything but a trivial directory setup.
There have been lots of fixes since openldap 2.3.

Greetings
Christian

-- 
Christian Kratzer  CK Software GmbH
Email:   [email protected]  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0  D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9  HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] AuthBy SQL results

2011-03-03 Thread Heikki Vatiainen
On 03/03/2011 04:49 PM, Vangelis Kyriakakis wrote:

>   I would like to know what happens when AuthSelect query in AuthBy 
> SQL returns two or more rows. Which one is used? The first or the last?
>   Example:
> 
> Username | Reply_item
> ---
> user  |  reply1
> user  |  reply2
> 
> AuthSelect select Reply_item from table where Username='user'
> AuthColumnDef   0,GENERIC,reply
> 
> Which reply_item is going to be used?

Hello Vangelis,

the answer is reply1. Even if the select returns multiple rows, only the
first row is used. The rest of the rows are not saved or used later.

Thanks!
Heikki

-- 
Heikki Vatiainen 
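To make the first-row rule concrete, here is an added example (Python with sqlite3; it is not Radiator code) that builds the two-row table from the question and models what AuthBy SQL does with the AuthSelect result: it reads the first row and never touches the rest. The table, the Priority column and the ORDER BY variant are constructed for the example. The point of the ordered variant is that without an ORDER BY the database decides which row comes first, so the reply attribute a user receives is whatever the scan order happens to be.

```python
"""Model of how AuthBy SQL treats a multi-row AuthSelect result.
Added example (Python + sqlite3), not Radiator code."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed table reproducing the two-row case from the question,
    plus a Priority column the ordered query can sort on."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE subscribers (Username TEXT, Reply_item TEXT, Priority INTEGER);
        INSERT INTO subscribers VALUES ('user', 'reply1', 20);
        INSERT INTO subscribers VALUES ('user', 'reply2', 10);
        """
    )
    return con


# Module-level connection so the helpers below can be called directly.
DB = make_db()

# The AuthSelect from the question (parameterised instead of %0 interpolation).
AUTH_SELECT = "SELECT Reply_item FROM subscribers WHERE Username = ?"
# Same query with an explicit order, so the row that is kept is chosen by design.
AUTH_SELECT_ORDERED = AUTH_SELECT + " ORDER BY Priority ASC"


def rows_returned(username: str, con: sqlite3.Connection = DB) -> int:
    """How many rows the AuthSelect actually produces for this user."""
    return len(con.execute(AUTH_SELECT, (username,)).fetchall())


def reply_item(username: str, deterministic: bool = False,
               con: sqlite3.Connection = DB):
    """Model of AuthBy SQL: keep only the first row, discard the rest.
    With deterministic=False the database's scan order picks the row;
    with deterministic=True the ORDER BY picks it."""
    sql = AUTH_SELECT_ORDERED if deterministic else AUTH_SELECT
    first = con.execute(sql, (username,)).fetchone()  # later rows are never read
    return first[0] if first else None


if __name__ == "__main__":
    print("rows for 'user':", rows_returned("user"))
    print("unordered pick:", reply_item("user"))
    print("ordered pick:  ", reply_item("user", deterministic=True))
```

With deterministic=False the result is whichever row sqlite scans first; adding the ORDER BY makes the kept row a deliberate choice rather than an accident of storage order, which matters when the reply item is something like a VLAN assignment.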



Re: [RADIATOR] AuthBy multiple files

2010-12-22 Thread Ricardo Freitas
The AuthByPolicy worked like a charm.

Thank you guys!!

Ricardo

On 22-12-2010 17:00, Martin Burton wrote:
> Hi Ricardo,
>
> You need to use one of the "ContinueUntil..." AuthByPolicy statements in
> your handler.
>
> e.g.
>
> <Handler>
>         AuthByPolicy ContinueUntilReject
>         <AuthBy RADIUS>
>                 ...
>         </AuthBy>
>         <AuthBy SQL>
>                 ...
>         </AuthBy>
> </Handler>
>
> Hope that helps.
>
> Regards,
>
> Martin.
>
>
> On 22/12/2010 16:03, Ricardo Freitas wrote:
>> Hey guys
>>
>> How can I successfully use two different AuthBy types?
>>
>> For instance, I would like to use AuthBy radius and AuthBy SQL.
>>
>> My main issue is if I "join" both configurations under one handler they
>> don't work and if I separate them into two different handlers, the first
>> handler is acknowledged and the second one ignored.
>>
>> How can I achieve this? Thank you very much, guys!
>>
>> Ricardo
>>


Re: [RADIATOR] AuthBy multiple files

2010-12-22 Thread Martin Burton
Hi Ricardo,

You need to use one of the "ContinueUntil..." AuthByPolicy statements in
your handler.

e.g.

<Handler>
        AuthByPolicy ContinueUntilReject
        <AuthBy RADIUS>
                ...
        </AuthBy>
        <AuthBy SQL>
                ...
        </AuthBy>
</Handler>

Hope that helps.

Regards,

Martin.


On 22/12/2010 16:03, Ricardo Freitas wrote:
> Hey guys
> 
> How can I successfully use two different AuthBy types?
> 
> For instance, I would like to use AuthBy radius and AuthBy SQL.
> 
> My main issue is if I "join" both configurations under one handler they 
> don't work and if I separate them into two different handlers, the first 
> handler is acknowledged and the second one ignored.
> 
> How can I achieve this? Thank you very much, guys!
> 
> Ricardo
> 

-- 
Martin Burton
Senior Systems Administrator   \\\|||///
Special Projects Team \\  ^ ^  //
Wellcome Trust Sanger Institute(  6 6  )
-oOOo-(_)-oOOo---
  http://www.sanger.ac.uk




Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-20 Thread Garry Peirce
Seeing this thread, I was reminded that I had once submitted a desired patch, 
but not sure it was ever implemented (?).  
http://www.open.com.au/pipermail/radiator/2007-June/014065.html

It was to resolve my issue with Clients (routers) with multiple A records and 
the fact that Client's addresses were resolved once at Radiator start-up and 
used only the first address returned by DNS.

My clients are routers and therefore may have a number of addresses which might 
be valid.
By sending the FQDN from the client as the NAS_ID, I modified Client::find to 
make use of it.
I can then define clients by FQDN, not by IP address.
This has worked well, but I have to remember to modify this module when 
upgrading.
Reading that this behavior may still exist, might this patch be added to the 
source?



> On 12/17/2010 11:29 PM, Christian Kratzer wrote:
> 
> >> one more quick question.  What is the behavior of AuthBy LDAP2 with
> a
> >> round-robin DNS entry (multiple A records for the RR)?  If I'd like
> >> failover behavior, will a single Host declaration with a round-robin
> >> record be enough, or do I need to list out each individual LDAP
> >> server?
> >
> > you should explicitly list all servers as Dns will get resolved once
> > on load of config.
> 
> That is true with e.g. Clients, 
> ...



Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-18 Thread Andrew D. Clark
 On Saturday, December 18, 2010 03:18:19 am Christian Kratzer wrote:
> Hi,
> 
> On Fri, 17 Dec 2010, Leigh Porter wrote:
> > I tried these methods and none of them really worked effectively against
> > a defective LDAP server. The best solution I found was a decent load
> > balancer with LDAP server availability testing.
> 
> we have a customer setup that successfully uses AuthBy LDAP for HA failover
> as follows:
> 
>   AuthByPolicy ContinueWhileIgnore
>   AuthBy ldap1
>   AuthBy ldap2
>   AuthBy ldap3
> 
> Radiator notices failed ldap servers usually when it gets a socket error
> from a dead server and moves on to the next server.
> 
> I believe there are still situations when the specific request which runs
> into an error situation is dropped but radius resends should handle those
> cases.
> 
> Greetings
> Christian

Thanks all - I'll list them individually as I'm doing for other round-robin 
hosts.  It isn't the most convenient, but it seems to be the most predictable 
and useful way of doing it when you have one out of three hosts fall out of 
service.  We generally pull a failed host's A record out of the DNS at that 
time as well, but in either case, I'm still sending a HUP to Radiator.  
Putting a load balancer in front of those servers would solve the problem as 
well.

Musings ahead:

What would we all think of something like a MultiHost or RRHost configuration 
parameter that turned a round-robin resource record into multiple Host 
parameters?  That sounds convenient from a configuration perspective but could 
hold surprises when your host order changes.  The same result could be 
realized without any patches by using a pipe to another program in the 
configuration that generated the right stuff.

Going a little farther out on a limb now and into quite a bit more 
programming, perhaps with a RefreshTime parameter (based on the TTL by 
default) that would re-resolve the record periodically?  I can see quite a few 
failure cases that would need to be handled for that sort of thing to be 
robust in the face of DNS failure - and it certainly couldn't be robust in the 
case of DNS operator error.

--
Andrew Clark
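The "pipe to another program that generates the right stuff" idea from the post above, as an added example (Python; it is not part of Radiator and not the author's code): it resolves a round-robin name once, at config generation time, and emits an explicit Host list so the running server never depends on what the resolver answered at start-up. The names and addresses in fake_resolver are constructed; the real resolver uses socket.getaddrinfo. The sort is deliberate: a rotated RR answer would otherwise reorder the failover sequence every time the config is regenerated, and an empty answer (the DNS operator error case) is refused rather than silently turned into a Host-less clause.

```python
"""Expand a round-robin DNS name into an explicit AuthBy LDAP2 Host list.
Added example; not part of Radiator. Run with a hostname argument to print
the Host line, e.g.  python expand_hosts.py ldap.example.net"""
import ipaddress
import socket
import sys
from typing import Callable, Iterable, List

Resolver = Callable[[str], Iterable[str]]


def resolve_all(name: str) -> List[str]:
    """Every A/AAAA address behind `name`, in the order the resolver returned them."""
    return [sockaddr[0] for *_, sockaddr in
            socket.getaddrinfo(name, 636, type=socket.SOCK_STREAM)]


# Constructed answers for offline use: the first name has a duplicate and a
# rotated order, as a real RR answer might; the second has been removed from DNS.
FAKE_ANSWERS = {
    "ldap.example.net": ["10.0.0.3", "10.0.0.1", "10.0.0.3", "2001:db8::1"],
    "gone.example.net": [],
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS[name]


def _ip_key(addr: str):
    """Sort IPv4 before IPv6, then numerically, so the order is stable across runs."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on a non-address string
    return (ip.version, int(ip))


def expand_hosts(name: str, resolver: Resolver = resolve_all) -> List[str]:
    """Unique addresses for `name` in a fixed order."""
    addrs = list(dict.fromkeys(resolver(name)))  # de-duplicate, keep first-seen order
    if not addrs:
        # An empty answer means the name is gone or DNS is broken; do not emit a
        # config with no Host at all, fail loudly so the old config stays in place.
        raise RuntimeError(f"{name} resolved to no addresses")
    return sorted(addrs, key=_ip_key)


def host_line(name: str, resolver: Resolver = resolve_all) -> str:
    """One Host parameter with space-separated addresses, the form the manual quotes."""
    return "Host " + " ".join(expand_hosts(name, resolver))


if __name__ == "__main__":
    print(host_line(sys.argv[1]))
```

Dropping the generated line into the AuthBy LDAP2 clause (or one clause per address, as Christian does) keeps the failover order explicit and reviewable; the script itself is the only thing that needs DNS.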
 


Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-18 Thread Christian Kratzer
Hi,

On Fri, 17 Dec 2010, Leigh Porter wrote:

> I tried these methods and none of them really worked effectively against a 
> defective LDAP server. The best solution I found was a decent load balancer 
> with LDAP server availability testing.

we have a customer setup that successfully uses AuthBy LDAP for HA failover as 
follows:

AuthByPolicy ContinueWhileIgnore
AuthBy ldap1
AuthBy ldap2
AuthBy ldap3

Radiator notices failed ldap servers usually when it gets a socket error
from a dead server and moves on to the next server.

I believe there are still situations when the specific request which runs into
an error situation is dropped but radius resends should handle those
cases.

Greetings
Christian

-- 
Christian Kratzer  CK Software GmbH
Email:   [email protected]  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0  D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9  HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer


Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-17 Thread Leigh Porter

I tried these methods and none of them really worked effectively against a 
defective LDAP server. The best solution I found was a decent load balancer 
with LDAP server availability testing.

--
Leigh


On 17 Dec 2010, at 22:24, Heikki Vatiainen wrote:

> On 12/17/2010 11:29 PM, Christian Kratzer wrote:
> 
>>> one more quick question.  What is the behavior of AuthBy LDAP2 with a
>>> round-robin DNS entry (multiple A records for the RR)?  If I'd like
>>> failover behavior, will a single Host declaration with a round-robin
>>> record be enough, or do I need to list out each individual LDAP
>>> server?
>> 
>> you should explicitly list all servers as Dns will get resolved once
>> on load of config.
> 
> That is true with e.g. Clients, but from the manual it looks like AuthBy
> LDAP2 behaves a bit differently. Quote:
> 
>  Multiple space separated host names can be specified
>  and Net::LDAP will choose the first available one.
> 
> A quick check shows that the host name(s) are passed to Net::LDAP which
> takes care of resolving names to addresses. Note also how the doc below
> says hosts are tried until there is success.
> 
> http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAP.pod#new
> 
> Radiator seems to create a new Net::LDAP for each (re)connect so it
> might be that DNS is queried when there was a disconnect and a reconnect
> needs to be done.
> 
> So listing the hosts, like Christian writes, seems to be easier than
> trying to follow Net::LDAP's method of resolution.
> 

Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-17 Thread Heikki Vatiainen
On 12/17/2010 11:29 PM, Christian Kratzer wrote:

>> one more quick question.  What is the behavior of AuthBy LDAP2 with a
>> round-robin DNS entry (multiple A records for the RR)?  If I'd like
>> failover behavior, will a single Host declaration with a round-robin
>> record be enough, or do I need to list out each individual LDAP
>> server?
> 
> you should explicitly list all servers as Dns will get resolved once
> on load of config.

That is true with e.g. Clients, but from the manual it looks like AuthBy
LDAP2 behaves a bit differently. Quote:

  Multiple space separated host names can be specified
  and Net::LDAP will choose the first available one.

A quick check shows that the host name(s) are passed to Net::LDAP which
takes care of resolving names to addresses. Note also how the doc below
says hosts are tried until there is success.

http://search.cpan.org/~gbarr/perl-ldap-0.4001/lib/Net/LDAP.pod#new

Radiator seems to create a new Net::LDAP for each (re)connect so it
might be that DNS is queried when there was a disconnect and a reconnect
needs to be done.

So listing the hosts, like Christian writes, seems to be easier than
trying to follow Net::LDAP's method of resolution.

-- 
Heikki Vatiainen 


Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-17 Thread Christian Kratzer
Hi,

On Fri, 17 Dec 2010, Andrew Clark wrote:

> Hi,
>
> one more quick question.  What is the behavior of AuthBy LDAP2 with a
> round-robin DNS entry (multiple A records for the RR)?  If I'd like
> failover behavior, will a single Host declaration with a round-robin
> record be enough, or do I need to list out each individual LDAP
> server?

you should explicitly list all servers as Dns will get resolved once
on load of config.
>
> Load-balancing isn't required, though I've seen Hugh's advice for how
> to do that in an email from May 14th, 2008.

Greetings
Christian



Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
In summary,

- User "nmjoo" is member of the group "ITS-WIRELESS-IOWA".
- Group "ITS-WIRELESS-IOWA" is a member of the group "ITS-WIRELESS"
- User "spong" is member of the group "ITS-WIRELESS"

Then

Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "spong") and AuthByLSA Succeeds
Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS-IOWA", "nmjoo") and AuthByLSA Succeeds
Win32::NetAdmin::GroupIsMember("", "ITS-WIRELESS", "nmjoo") and AuthByLSA Fails

I created a bug (#61838) for the Win32::NetAdmin module on CPAN, but it could 
be tricky because you could create a loop with nested groups.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]
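The summary above is exactly the difference between a one-level and a transitive group check, and the remark about loops is the reason a transitive check needs a visited set. Added example (Python), not Win32::NetAdmin or Radiator code: DIRECTORY is a constructed stand-in for the group tree in the summary (a real deployment would fetch it from the directory), and CYCLIC is a constructed loop of the kind the bug report warns about.

```python
"""Direct versus nested (transitive) group membership, with loop protection.
Added example; not Win32::NetAdmin or Radiator code."""
from typing import Dict, Set

GroupTree = Dict[str, Set[str]]  # group -> direct members (users or other groups)

# Constructed from the thread's summary: nmjoo is in ITS-WIRELESS-IOWA, which is
# itself a member of ITS-WIRELESS; spong is a direct member of ITS-WIRELESS.
DIRECTORY: GroupTree = {
    "ITS-WIRELESS": {"spong", "ITS-WIRELESS-IOWA"},
    "ITS-WIRELESS-IOWA": {"nmjoo"},
}

# Constructed cycle: A contains B, B contains A. A naive recursive check never ends.
CYCLIC: GroupTree = {"A": {"B"}, "B": {"A"}}


def direct_member(tree: GroupTree, group: str, user: str) -> bool:
    """One-level check, the behaviour observed from GroupIsMember in the thread."""
    return user in tree.get(group, set())


def is_member(tree: GroupTree, group: str, user: str, max_depth: int = 32) -> bool:
    """Transitive check: descend into nested groups, never revisiting a group.
    `seen` breaks cycles; `max_depth` bounds pathological nesting chains."""
    seen: Set[str] = set()
    stack = [(group, 0)]
    while stack:
        g, depth = stack.pop()
        if g in seen or depth > max_depth:
            continue
        seen.add(g)
        members = tree.get(g, set())
        if user in members:
            return True
        # Only names that are themselves groups are descended into.
        stack.extend((m, depth + 1) for m in members if m in tree)
    return False


def groups_of(tree: GroupTree, user: str) -> Set[str]:
    """Every group the user belongs to, directly or through nesting (reverse walk).
    Groups already collected are not expanded again, so cycles terminate."""
    result: Set[str] = set()
    frontier = {user}
    while frontier:
        newly = {g for g, members in tree.items()
                 if g not in result and members & frontier}
        result |= newly
        frontier = newly
    return result


if __name__ == "__main__":
    for grp, usr in (("ITS-WIRELESS", "spong"), ("ITS-WIRELESS-IOWA", "nmjoo"),
                     ("ITS-WIRELESS", "nmjoo")):
        print(f"{usr:6} in {grp:18} direct={direct_member(DIRECTORY, grp, usr)!s:5} "
              f"nested={is_member(DIRECTORY, grp, usr)}")
    print("groups of nmjoo:", sorted(groups_of(DIRECTORY, "nmjoo")))
```

The three direct_member calls reproduce the succeed/succeed/fail pattern in the summary; is_member is what a Group directive has to compute when VLAN assignment depends on a parent group, and the cycle test shows why the visited set is not optional.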


> -Original Message-
> From: Johnson, Neil M
> Sent: Friday, October 01, 2010 12:42 PM
> To: Johnson, Neil M; Mike McCauley
> Cc: [email protected]
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Actually it's because we have nested groups in the Universal group.
> 
> If I use an account that is in the base group list, it works, but if
> I use an account that is in a group that is in the Universal group,
> it doesn't work.
> 
> Still, the solution looks to be having to do LDAP lookup(s).
> 
> -Neil
> 
> 
> 
> > -Original Message-
> > From: Johnson, Neil M
> > Sent: Friday, October 01, 2010 10:02 AM
> > To: Johnson, Neil M; Mike McCauley
> > Cc: [email protected]
> > Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Okay,
> >
> > I think I may have found the issue.
> >
> > The group I'm trying to query is an Active Directory "Universal" Group.
> > If I query a "Global" group it works.
> >
> > It appears that Win32::NetAdmin does not support "Universal" Groups and
> > that the only solution is to perform an LDAP or ADSI query.
> >
> > -Neil
> >
> >
> >
> >
> > > -Original Message-
> > > From: [email protected] [mailto:radiator-
> > > [email protected]] On Behalf Of Johnson, Neil M
> > > Sent: Friday, October 01, 2010 8:46 AM
> > > To: Mike McCauley
> > > Cc: [email protected]
> > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > >
> > > Mike,
> > >
> > > I'm running with my domain account (which has Administrator
> > privileges)
> > > on the server with the "Act as part of the operating system" flag
> > set.
> > >
> > > Authentication works as long as I don't use a "Group" Directive.
> > >
> > > I'm not sure how to proceed in debugging this.
> > >
> > > -Neil
> > >
> > >
> > >
> > >
> > > > -Original Message-
> > > > From: Mike McCauley [mailto:[email protected]]
> > > > Sent: Thursday, September 30, 2010 7:03 PM
> > > > To: Johnson, Neil M
> > > > Cc: [email protected]
> > > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > > >
> > > > Hello Neil,
> > > >
> > > > On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > > > > No, I'm running it on a member server.
> > > > >
> > > > > Our AD administrators are very reluctant to run applications on
> > > PDC's
> > > > and
> > > > > BDC's. I can ask but I don't think I will get permission.
> > > > >
> > > > > Will it work on a BDC ?
> > > > >
> >

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Actually it's because we have nested groups in the Universal group.

If I use an account that is in the base group list, it works, but if I use 
an account that is in a group that is in the Universal group, it doesn't 
work.

Still, the solution looks to be having to do LDAP lookup(s).

-Neil



> -Original Message-
> From: Johnson, Neil M
> Sent: Friday, October 01, 2010 10:02 AM
> To: Johnson, Neil M; Mike McCauley
> Cc: [email protected]
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Okay,
> 
> I think I may have found the issue.
> 
> The group I'm trying to query is an Active Directory "Universal" Group.
> If I query a "Global" group it works.
> 
> It appears that Win32::NetAdmin does not support "Universal" Groups and
> that the only solution is to perform an LDAP or ADSI query.
> 
> -Neil
> 
> 
> 
> 
> > -Original Message-
> > From: [email protected] [mailto:radiator-
> > [email protected]] On Behalf Of Johnson, Neil M
> > Sent: Friday, October 01, 2010 8:46 AM
> > To: Mike McCauley
> > Cc: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Mike,
> >
> > I'm running with my domain account (which has Administrator
> privileges)
> > on the server with the "Act as part of the operating system" flag
> set.
> >
> > Authentication works as long as I don't use a "Group" Directive.
> >
> > I'm not sure how to proceed in debugging this.
> >
> > -Neil
> >
> >
> >
> >
> > > -Original Message-
> > > From: Mike McCauley [mailto:[email protected]]
> > > Sent: Thursday, September 30, 2010 7:03 PM
> > > To: Johnson, Neil M
> > > Cc: [email protected]
> > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > >
> > > Hello Neil,
> > >
> > > On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > > > No, I'm running it on a member server.
> > > >
> > > > Our AD administrators are very reluctant to run applications on
> > PDC's
> > > and
> > > > BDC's. I can ask but I don't think I will get permission.
> > > >
> > > > Will it work on a BDC ?
> > > >
> > > > If not, do I have any other options ? Currently I'm using
> Radiator
> > to
> > > proxy
> > > > 802.1X requests to Juniper Steel-Belted Radius in order to re-
> write
> > > VLAN
> > > > attributes. I was kind of hoping to eliminate SBR in part to
> > simplify
> > > > support for Eduroam.
> > >
> > > Tests here show that it works OK on any domain member provided that
> > the
> > > user
> > > who is running the script is logged in to the domain.
> > >
> > > Cheers.
> > >
> > > >
> > > > Thanks.
> > > >
> > > > -Neil
> > > >
> > > >
> > > >
> > > > -Original Message-
> > > > From: [email protected] [mailto:radiator-
> > > [email protected]] On
> > > > Behalf Of Mike McCauley Sent: Wednesday, September 29, 2010 9:22
> PM
> > > > To: [email protected]
> > > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > > >
> > > > Hello Neil,
> > > >
> > > > tests here show that your script (suitably modified) works
> 

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Okay,

I think I may have found the issue.

The group I'm trying to query is an Active Directory "Universal" Group. If I 
query a "Global" group it works.

It appears that Win32::NetAdmin does not support "Universal" Groups and that 
the only solution is to perform an LDAP or ADSI query.

-Neil




> -Original Message-
> From: [email protected] [mailto:radiator-
> [email protected]] On Behalf Of Johnson, Neil M
> Sent: Friday, October 01, 2010 8:46 AM
> To: Mike McCauley
> Cc: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Mike,
> 
> I'm running with my domain account (which has Administrator privileges)
> on the server with the "Act as part of the operating system" flag set.
> 
> Authentication works as long as I don't use a "Group" Directive.
> 
> I'm not sure how to proceed in debugging this.
> 
> -Neil
> 
> 
> 
> 
> > -Original Message-----
> > From: Mike McCauley [mailto:[email protected]]
> > Sent: Thursday, September 30, 2010 7:03 PM
> > To: Johnson, Neil M
> > Cc: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Hello Neil,
> >
> > On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > > No, I'm running it on a member server.
> > >
> > > Our AD administrators are very reluctant to run applications on
> PDC's
> > and
> > > BDC's. I can ask but I don't think I will get permission.
> > >
> > > Will it work on a BDC ?
> > >
> > > If not, do I have any other options ? Currently I'm using Radiator
> to
> > proxy
> > > 802.1X requests to Juniper Steel-Belted Radius in order to re-write
> > VLAN
> > > attributes. I was kind of hoping to eliminate SBR in part to
> simplify
> > > support for Eduroam.
> >
> > Tests here show that it works OK on any domain member provided that
> the
> > user
> > who is running the script is logged in to the domain.
> >
> > Cheers.
> >
> > >
> > > Thanks.
> > >
> > > -Neil
> > >
> > >
> > >
> > > -Original Message-
> > > From: [email protected] [mailto:radiator-
> > [email protected]] On
> > > Behalf Of Mike McCauley Sent: Wednesday, September 29, 2010 9:22 PM
> > > To: [email protected]
> > > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> > >
> > > Hello Neil,
> > >
> > > tests here show that your script (suitably modified) works provided
> > you run
> > > it on the PDC as the administrator.
> > >
> > > Is that how you are testing?
> > >
> > > Cheers.
> > >
> > > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > > I whipped up a script based on what I could find in the source
> code
> > to
> > > > test group membership and it doesn't seem to matter if the group
> is
> > local
> > > > or global, it can't find it:
> > > >
> > > > #!c:\perl64\bin\perl.exe
> > > >
> > > > use strict;
> > > > use Win32::NetAdmin;
> > > >
> > > > my $User = "nmjoo";
> > > > my $Group = "ITS-WIRELESS";
> > > > my $Domain = "IOWA";
> > > > my $Server = "";
> > > >
> > > > print "Getting Domain Controller\n";
> > > > Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> > > > print "Domain Controller for Domain $Domain is $Server\n";
> > > >
> > > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > > if ( Win32::NetAdmin::Gr

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Mike,

I'm running with my domain account (which has Administrator privileges) on the 
server with the "Act as part of the operating system" flag set.

Authentication works as long as I don't use a "Group" Directive.

I'm not sure how to proceed in debugging this.

-Neil




> -Original Message-
> From: Mike McCauley [mailto:[email protected]]
> Sent: Thursday, September 30, 2010 7:03 PM
> To: Johnson, Neil M
> Cc: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Hello Neil,
> 
> On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > No, I'm running it on a member server.
> >
> > Our AD administrators are very reluctant to run applications on PDC's
> and
> > BDC's. I can ask but I don't think I will get permission.
> >
> > Will it work on a BDC ?
> >
> > If not, do I have any other options ? Currently I'm using Radiator to
> proxy
> > 802.1X requests to Juniper Steel-Belted Radius in order to re-write
> VLAN
> > attributes. I was kind of hoping to eliminate SBR in part to simplify
> > support for Eduroam.
> 
> Tests here show that it works OK on any domain member provided that the
> user
> who is running the script is logged in to the domain.
> 
> Cheers.
> 
> >
> > Thanks.
> >
> > -Neil
> >
> >
> >
> > -Original Message-
> > From: [email protected] [mailto:radiator-
> [email protected]] On
> > Behalf Of Mike McCauley Sent: Wednesday, September 29, 2010 9:22 PM
> > To: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Hello Neil,
> >
> > tests here show that your script (suitably modified) works provided
> you run
> > it on the PDC as the administrator.
> >
> > Is that how you are testing?
> >
> > Cheers.
> >
> > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > I whipped up a script based on what I could find in the source code
> to
> > > test group membership and it doesn't seem to matter if the group is
> local
> > > or global, it can't find it:
> > >
> > > #!c:\perl64\bin\perl.exe
> > >
> > > use strict;
> > > use Win32::NetAdmin;
> > >
> > > my $User = "nmjoo";
> > > my $Group = "ITS-WIRELESS";
> > > my $Domain = "IOWA";
> > > my $Server = "";
> > >
> > > print "Getting Domain Controller\n";
> > > Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> > > print "Domain Controller for Domain $Domain is $Server\n";
> > >
> > > print "Checking to see if user: $User is member of Group: $Group\n";
> > > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> > >  || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> > >
> > > print "$User is Member of group $Group";
> > > }
> > > else {
> > > print "$User is not Member of group $Group";
> > > }
> > >
> > > Output:
> > >
> > > C:\Program Files\Radiator>test2.pl
> > > Getting Domain Controller
> > > Domain Controller for Domain IOWA is \\IOWADC1
> > > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > > nmjoo is not Member of group ITS-WIRELESS
> > > C:\Program Files\Radiator>
> 
> 
> 
> --
> Mike McCauley   [email protected]
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
> http://www.open.com.au
> Phone +61 7 5598-7474   Fax   +61 7 5598-7070
> 


Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Johnson, Neil M
Mark,

Thanks for the tip, I can get AuthbyLSA to work for me unless I try to test for 
Group Membership which I need to do in order to assign users to a specific VLAN.

-Neil




> -Original Message-
> From: Pearson, Mark [mailto:[email protected]]
> Sent: Friday, October 01, 2010 4:13 AM
> To: Mike McCauley; Johnson, Neil M
> Cc: [email protected]
> Subject: RE: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Hi, I have it working by running Radiator on a server in the domain.
> Note that you need 4.7 to use the magic bit
> UsernameMatchesWithoutRealm.
> Nothing is needed on the actual DCs regarding Radiator in our case.
> 
> 
>  
> ### The next line strips the @realm portion to allow AD to authenticate
> against it
>   UsernameMatchesWithoutRealm
>   EAPType MSCHAP-V2
>  
> 
> 
> ### This is the outer request where [email protected] are captured
> 
> 
>  
>   Filename %D/users
> 
> ### This tells the PEAP client what types of inner EAP requests we will
> honour
>   EAPType PEAP, TTLS
>   EAPTLS_CAFile %D/certificates/terenasslca.pem
>   EAPTLS_CertificateFile %D/certificates/final-cert.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
>   EAPTLS_PrivateKeyPassword
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>   SSLeayTrace 4
>   EAPTLS_PEAPVersion 0
> 
> ### Added EAPAnonymous %{User-Name} to the outer AuthBy
> ### This will send the outer username  as the inner username
> ### (instead of "anonymous")
> 
>   EAPAnonymous %{User-Name}
> 
>  
> 
> 
> 
> regards
> Mark Pearson
> Senior Technical Support Analyst
> Information Systems
> Nottingham Trent University
> 
> tel: 0115 8488287
> 
> -Original Message-
> From: [email protected] [mailto:radiator-
> [email protected]]
> On Behalf Of Mike McCauley
> Sent: 01 October 2010 01:03
> To: Johnson, Neil M
> Cc: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> 
> Hello Neil,
> 
> On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> > No, I'm running it on a member server.
> >
> > Our AD administrators are very reluctant to run applications on PDCs
> > and BDCs. I can ask but I don't think I will get permission.
> >
> > Will it work on a BDC?
> >
> > If not, do I have any other options? Currently I'm using Radiator to
> > proxy 802.1X requests to Juniper Steel-Belted Radius in order to
> > re-write VLAN attributes. I was kind of hoping to eliminate SBR in
> > part to simplify support for Eduroam.
> 
> Tests here show that it works OK on any domain member provided that the
> user who is running the script is logged in to the domain.
> 
> Cheers.
> 
> >
> > Thanks.
> >
> > -Neil
> >
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: [email protected]
> >
> >
> > -Original Message-
> > From: [email protected]
> > [mailto:[email protected]] On Behalf Of Mike McCauley
> > Sent: Wednesday, September 29, 2010 9:22 PM
> > To: [email protected]
> > Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
> >
> > Hello Neil,
> >
> > tests here show that your script (suitably modified) works provided
> > you run it on the PDC as the administrator.
> >
> > Is that how you are testing?
> >
> > Cheers.
> >
> > On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > > I whipped up a script based on what I could find in the source code
> > > to test group membership and it doesn't seem to matter if the group
> > > is local or global, it can't find it:
> > >
> > > #!c:\perl64\bin\perl.exe
> > >
> > > use strict;
> > > use Win32::NetAdmin;
> > >
> > > my $User = "nmjoo";
> > > my $Group = "ITS-WIRELESS";
> > > my $Domain = "IOWA";
> > > my $Server = "";
> > >
> > > print "Getting Domain Controller\n";
> > > Win32::NetAdmin::GetDomainController ("", $Domain, $Server); print
> > > "Domain Controller for Domain $Dom

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-10-01 Thread Pearson, Mark
Hi, I have it working by running Radiator on a server in the domain.
Note that you need 4.7 to use the magic bit UsernameMatchesWithoutRealm.
Nothing is needed on the actual DCs regarding Radiator in our case.


 
### The next line strips the @realm portion to allow AD to authenticate
### against it
  UsernameMatchesWithoutRealm
  EAPType MSCHAP-V2
 


### This is the outer request where [email protected] are captured
 

 
  Filename %D/users
  
### This tells the PEAP client what types of inner EAP requests we will
### honour
  EAPType PEAP, TTLS
  EAPTLS_CAFile %D/certificates/terenasslca.pem
  EAPTLS_CertificateFile %D/certificates/final-cert.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile %D/certificates/mykey.pem
  EAPTLS_PrivateKeyPassword
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
  SSLeayTrace 4
  EAPTLS_PEAPVersion 0
  
### Added EAPAnonymous %{User-Name} to the outer AuthBy 
### This will send the outer username  as the inner username 
### (instead of "anonymous")

  EAPAnonymous %{User-Name}

 
 


regards
Mark Pearson
Senior Technical Support Analyst
Information Systems
Nottingham Trent University

tel: 0115 8488287

-Original Message-
From: [email protected] [mailto:[email protected]]
On Behalf Of Mike McCauley
Sent: 01 October 2010 01:03
To: Johnson, Neil M
Cc: [email protected]
Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)

Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> No, I'm running it on a member server.
>
> Our AD administrators are very reluctant to run applications on PDCs 
> and BDCs. I can ask but I don't think I will get permission.
>
> Will it work on a BDC?
>
> If not, do I have any other options? Currently I'm using Radiator to 
> proxy 802.1X requests to Juniper Steel-Belted Radius in order to 
> re-write VLAN attributes. I was kind of hoping to eliminate SBR in 
> part to simplify support for Eduroam.

Tests here show that it works OK on any domain member provided that the
user who is running the script is logged in to the domain.

Cheers.

>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: [email protected]
>
>
> -Original Message-
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Mike McCauley
> Sent: Wednesday, September 29, 2010 9:22 PM
> To: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hello Neil,
>
> tests here show that your script (suitably modified) works provided 
> you run it on the PDC as the administrator.
>
> Is that how you are testing?
>
> Cheers.
>
> On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > I whipped up a script based on what I could find in the source code 
> > to test group membership and it doesn't seem to matter if the group 
> > is local or global, it can't find it:
> >
> > #!c:\perl64\bin\perl.exe
> >
> > use strict;
> > use Win32::NetAdmin;
> >
> > my $User = "nmjoo";
> > my $Group = "ITS-WIRELESS";
> > my $Domain = "IOWA";
> > my $Server = "";
> >
> > print "Getting Domain Controller\n";
> > Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> > print "Domain Controller for Domain $Domain is $Server\n";
> >
> > print "Checking to see if user: $User is member of Group: $Group\n";
> > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> >      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> >     print "$User is Member of group $Group";
> > }
> > else {
> >     print "$User is not Member of group $Group";
> > }
> >
> > Output:
> >
> > C:\Program Files\Radiator>test2.pl
> > Getting Domain Controller
> > Domain Controller for Domain IOWA is \\IOWADC1
> > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > nmjoo is not Member of group ITS-WIRELESS
> > C:\Program Files\Radiator>
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: [email protected]



-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.

Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-30 Thread Mike McCauley
Hello Neil,

On Friday 01 October 2010 12:15:43 am Johnson, Neil M wrote:
> No, I'm running it on a member server.
>
> Our AD administrators are very reluctant to run applications on PDCs and
> BDCs. I can ask but I don't think I will get permission.
>
> Will it work on a BDC?
>
> If not, do I have any other options? Currently I'm using Radiator to proxy
> 802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN
> attributes. I was kind of hoping to eliminate SBR in part to simplify
> support for Eduroam.

Tests here show that it works OK on any domain member provided that the user 
who is running the script is logged in to the domain.

Cheers.

>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: [email protected]
>
>
> -Original Message-
> From: [email protected] [mailto:[email protected]] On
> Behalf Of Mike McCauley Sent: Wednesday, September 29, 2010 9:22 PM
> To: [email protected]
> Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)
>
> Hello Neil,
>
> tests here show that your script (suitably modified) works provided you run
> it on the PDC as the administrator.
>
> Is that how you are testing?
>
> Cheers.
>
> On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> > I whipped up a script based on what I could find in the source code to
> > test group membership and it doesn't seem to matter if the group is local
> > or global, it can't find it:
> >
> > #!c:\perl64\bin\perl.exe
> >
> > use strict;
> > use Win32::NetAdmin;
> >
> > my $User = "nmjoo";
> > my $Group = "ITS-WIRELESS";
> > my $Domain = "IOWA";
> > my $Server = "";
> >
> > print "Getting Domain Controller\n";
> > Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> > print "Domain Controller for Domain $Domain is $Server\n";
> >
> > print "Checking to see if user: $User is member of Group: $Group\n";
> > if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
> >      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
> >     print "$User is Member of group $Group";
> > }
> > else {
> >     print "$User is not Member of group $Group";
> > }
> >
> > Output:
> >
> > C:\Program Files\Radiator>test2.pl
> > Getting Domain Controller
> > Domain Controller for Domain IOWA is \\IOWADC1
> > Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> > nmjoo is not Member of group ITS-WIRELESS
> > C:\Program Files\Radiator>
> > --
> > Neil Johnson
> > Network Engineer
> > Information Technology Services
> > The University of Iowa
> > Work: 319 384-0938
> > Mobile: 319 540-2081
> > Fax: 319 355-2618
> > E-mail: [email protected]



-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070



Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-30 Thread Johnson, Neil M

No, I'm running it on a member server.

Our AD administrators are very reluctant to run applications on PDCs and 
BDCs. I can ask but I don't think I will get permission.

Will it work on a BDC?

If not, do I have any other options? Currently I'm using Radiator to proxy 
802.1X requests to Juniper Steel-Belted Radius in order to re-write VLAN 
attributes. I was kind of hoping to eliminate SBR in part to simplify support 
for Eduroam.

Thanks.

-Neil

-- 
Neil Johnson
Network Engineer
Information Technology Services
The University of Iowa
Work: 319 384-0938
Mobile: 319 540-2081
Fax: 319 355-2618
E-mail: [email protected]


-Original Message-
From: [email protected] [mailto:[email protected]] On 
Behalf Of Mike McCauley
Sent: Wednesday, September 29, 2010 9:22 PM
To: [email protected]
Subject: Re: [RADIATOR] Authby LSA and groups not working (redux)

Hello Neil,

tests here show that your script (suitably modified) works provided you run it 
on the PDC as the administrator. 

Is that how you are testing?

Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> I whipped up a script based on what I could find in the source code to test
> group membership and it doesn't seem to matter if the group is local or
> global, it can't find it:
>
> #!c:\perl64\bin\perl.exe
>
> use strict;
> use Win32::NetAdmin;
>
> my $User = "nmjoo";
> my $Group = "ITS-WIRELESS";
> my $Domain = "IOWA";
> my $Server = "";
>
> print "Getting Domain Controller\n";
> Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> print "Domain Controller for Domain $Domain is $Server\n";
>
> print "Checking to see if user: $User is member of Group: $Group\n";
> if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
>      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
>     print "$User is Member of group $Group";
> }
> else {
>     print "$User is not Member of group $Group";
> }
>
> Output:
>
> C:\Program Files\Radiator>test2.pl
> Getting Domain Controller
> Domain Controller for Domain IOWA is \\IOWADC1
> Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> nmjoo is not Member of group ITS-WIRELESS
> C:\Program Files\Radiator>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: [email protected]



-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070



Re: [RADIATOR] Authby LSA and groups not working (redux)

2010-09-29 Thread Mike McCauley
Hello Neil,

tests here show that your script (suitably modified) works provided you run it 
on the PDC as the administrator. 

Is that how you are testing?

Cheers.

On Thursday 30 September 2010 03:18:24 am Johnson, Neil M wrote:
> I whipped up a script based on what I could find in the source code to test
> group membership and it doesn't seem to matter if the group is local or
> global, it can't find it:
>
> #!c:\perl64\bin\perl.exe
>
> use strict;
> use Win32::NetAdmin;
>
> my $User = "nmjoo";
> my $Group = "ITS-WIRELESS";
> my $Domain = "IOWA";
> my $Server = "";
>
> print "Getting Domain Controller\n";
> Win32::NetAdmin::GetDomainController ("", $Domain, $Server);
> print "Domain Controller for Domain $Domain is $Server\n";
>
> print "Checking to see if user: $User is member of Group: $Group\n";
> if ( Win32::NetAdmin::GroupIsMember($Server, $Group, $User)
>      || Win32::NetAdmin::LocalGroupIsMember($Server, $Group, $User)) {
>     print "$User is Member of group $Group";
> }
> else {
>     print "$User is not Member of group $Group";
> }
>
> Output:
>
> C:\Program Files\Radiator>test2.pl
> Getting Domain Controller
> Domain Controller for Domain IOWA is \\IOWADC1
> Checking to see if user: nmjoo is member of Group: ITS-WIRELESS
> nmjoo is not Member of group ITS-WIRELESS
> C:\Program Files\Radiator>
> --
> Neil Johnson
> Network Engineer
> Information Technology Services
> The University of Iowa
> Work: 319 384-0938
> Mobile: 319 540-2081
> Fax: 319 355-2618
> E-mail: [email protected]



-- 
Mike McCauley   [email protected]
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

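An added diagnostic script, not Neil's code and not part of Radiator, that extends the group test quoted above. Neil's script prints "not a member" whether the lookup failed or the user is genuinely absent; this version captures the Win32 error after each Win32::NetAdmin call so the two cases can be told apart, and it enumerates the group's direct members so the operator can see whether the group or the user is what the DC cannot find. The domain, group and user names are constructed placeholders, and the script assumes Win32::NetAdmin leaves the failing NetAPI status retrievable through Win32::GetLastError(). As Mike notes, it has to run as a domain user on a domain member.

```perl
#!/usr/bin/perl
# Added example: AD group-membership diagnostic for an AuthBy LSA deployment.
# Checks global and local group lookups separately, reports the Win32 error
# code for each failed lookup and lists the group's direct members.
use strict;
use warnings;
use Win32;
use Win32::NetAdmin;

# Constructed sample values; replace with your own domain, group and user.
my $Domain = 'EXAMPLE';
my $Group  = 'WIRELESS-USERS';
my $User   = 'jdoe';

# Locate a domain controller for the domain. An empty server argument asks
# the local machine, which must therefore be a domain member (or a DC).
sub find_dc {
    my ($domain) = @_;
    my $dc = '';
    Win32::NetAdmin::GetDomainController('', $domain, $dc)
        or die sprintf("GetDomainController(%s) failed: %d %s\n",
                       $domain, Win32::GetLastError(),
                       Win32::FormatMessage(Win32::GetLastError()));
    return $dc;
}

# Query each group type separately and record the error for each failure,
# because a false return covers both "not a member" and "lookup failed"
# (access denied, group not found, RPC unreachable, ...).
# Assumption: the NetAPI status is available via Win32::GetLastError().
sub check_membership {
    my ($server, $group, $user) = @_;
    my %result;
    for my $kind (['global', \&Win32::NetAdmin::GroupIsMember],
                  ['local',  \&Win32::NetAdmin::LocalGroupIsMember]) {
        my ($name, $fn) = @$kind;
        my $ok = $fn->($server, $group, $user);
        $result{$name} = {
            member => $ok ? 1 : 0,
            error  => $ok ? 0 : Win32::GetLastError(),
        };
    }
    return \%result;
}

# Enumerate the group's direct members so a "not a member" result can be
# explained: either the user is missing, or the group itself is not found.
sub list_members {
    my ($server, $group) = @_;
    my @members;
    if (Win32::NetAdmin::GroupGetMembers($server, $group, \@members)) {
        return ('global', @members);
    }
    if (Win32::NetAdmin::LocalGroupGetMembers($server, $group, \@members)) {
        return ('local', @members);
    }
    return ('none');
}

my $dc = find_dc($Domain);
print "Domain controller for $Domain: $dc\n";

my $res = check_membership($dc, $Group, $User);
for my $kind (sort keys %$res) {
    my $r = $res->{$kind};
    printf "%-6s group check: %s%s\n", $kind,
        $r->{member} ? 'MEMBER' : 'not a member',
        $r->{error}
            ? sprintf(' (error %d: %s)', $r->{error},
                      Win32::FormatMessage($r->{error}))
            : '';
}

my ($scope, @members) = list_members($dc, $Group);
if ($scope eq 'none') {
    print "Group $Group was not found on $dc as a global or local group\n";
} else {
    print "Direct members of $scope group $Group: @members\n";
}
```

A lookup that fails with an access-denied status rather than returning an empty member list is the symptom to look for when the script runs under an account that is not logged in to the domain; a successful enumeration that simply lacks the user points at the group scope or at nested membership, which these direct-member calls do not expand.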


Re: [RADIATOR] Authby LSA help

2010-08-24 Thread Hugh Irvine

Hello Mark -

Could you please try the following configuration file?

…..

# This is where we authenticate a PEAP inner request, which will be an EAP
# request. The username of the inner request will be anonymous, although
# the identity of the EAP request will be the real username we are
# trying to authenticate.

# Added EAPAnonymous %{User-Name} to the outer AuthBy
# This will send the outer username  as the inner username 
# (instead of "anonymous")
 

 
 Domain ADS
 UsernameMatchesWithoutRealm 
 EAPType MSCHAP-V2
 

 
# The original PEAP request from a NAS will be sent to a matching
# Realm or Handler in the usual way, where it will be unpacked and 
# the inner authentication extracted.
# The inner authentication request will be sent again to a matching
# Realm or Handler. The special check item TunnelledByPEAP=1 can be used
# to select a specific handler, or else you can use EAPAnonymous to set
# a username and realm which can be used to select a Realm clause for
# the inner request.
# This allows you to select an inner authentication method based on
# Realm, and/or the fact that they were tunnelled. You can therefore act
# just as a PEAP server, or also act as the AAA/H home server, and
# authenticate PEAP requests locally or proxy them to another remote
# server based on the realm of the inner authentication request.
# In this basic example, both the inner and outer authentication are
# authenticated from a file by AuthBy FILE
 

 
  Filename %D/users
  # This tells the PEAP client what types of inner EAP requests
  # we will honour
  EAPType PEAP, TTLS
  EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
  EAPTLS_CertificateFile %D/certificates/cert-srv.pem
  EAPTLS_CertificateType PEM
  EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
  EAPTLS_PrivateKeyPassword whatever
  EAPTLS_MaxFragmentSize 1000
  AutoMPPEKeys
  SSLeayTrace 4
  EAPTLS_PEAPVersion 0
  EAPAnonymous %{User-Name}
 

 
…..

 
thanks and regards

Hugh


On 25 Aug 2010, at 00:58, Pearson, Mark wrote:

> Hugh, I have simplified the config a little and fixed a few things but
> now get the errors as seen in log2.txt. I have added the Domain ADS as
> the radiator server is not in the ADS domain where the accounts live.
> Does this need to be the FQDN? In other words, how does the Radiator
> server know where to send the LDAP requests?
> 
> I notice that Michael Harlow was getting similar errors so I added
> UsernameMatchesWithoutRealm but it's made no difference. 
> 
> 
> regards
> Mark Pearson
> Senior Technical Support Analyst
> Information Systems
> Nottingham Trent University
> 
> tel: 0115 8488287
> 
> -Original Message-
> From: Hugh Irvine [mailto:[email protected]] 
> Sent: 24 August 2010 01:13
> To: Pearson, Mark
> Cc: [email protected]
> Subject: Re: [RADIATOR] Authby LSA help
> 
> 
> Hello Mark -
> 
> Can you please send me a copy of the full configuration file and a trace
> 4 debug showing the startup messages and a more complete log showing the
> whole sequence?
> 
> thanks and regards
> 
> Hugh
> 
> 
> On 21 Aug 2010, at 01:10, Pearson, Mark wrote:
> 
>> Hi, I currently have Radiator for Windows 4.3.1 and I want to
>> authenticate clients against Windows AD 2003. I am assuming that I use
>> Authby LSA to do this. I want to use PEAP as the authentication type.
>> The config below comes after all the client stuff etc and I have a user
>> Anonymous in the %D/users database. I have included a section of log
>> that includes the error. Any help on correct configuration will be
>> appreciated.
>> 
>> 
>> 
>> # Authenticate with Windows LSA
>> 
>>  UsernameMatchesWithoutRealm
>>  # This tells the PEAP client what types of inner EAP requests
>>  # we will honour
>> EAPType MSCHAP-V2
>> 
>> 
>> 
>> 
>> # The original PEAP request from a NAS will be sent to a matching
>> # Realm or Handler in the usual way, where it will be unpacked and the
>> # inner authentication extracted.
>> # The inner authentication request will be sent again to a matching
>> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
>> # to select a specific handler, or else you can use EAPAnonymous to
>> # set a username and realm which can be used to select a Realm clause
>> # for the inner request.
>> # This allows you to select an inner authentication method based on
>> # Realm, and/or the fact that they were tunnelled. You can therefore
>> # act just as a PEAP server, or also act as the AAA/H home server, and
>> # authenticate PEAP requests locally or proxy them to another remote
>> # server based on the realm of the inner authentication request.
>> # In this basic example, both the inner and outer authentication ar

Re: [RADIATOR] Authby LSA help

2010-08-23 Thread Hugh Irvine

Hello Mark -

Can you please send me a copy of the full configuration file and a trace 4 
debug showing the startup messages and a more complete log showing the whole 
sequence?

thanks and regards

Hugh


On 21 Aug 2010, at 01:10, Pearson, Mark wrote:

> Hi, I currently have Radiator for Windows 4.3.1 and I want to authenticate 
> clients against Windows AD 2003. I am assuming that I use Authby LSA to do 
> this. I want to use PEAP as the authentication type. The config below 
> comes after all the client stuff etc and I have a user Anonymous in the 
> %D/users database. I have included a section of log that includes the error. 
> Any help on correct configuration will be appreciated.
>  
>  
> 
>  # Authenticate with Windows LSA
>  
>   UsernameMatchesWithoutRealm
>   # This tells the PEAP client what types of inner EAP requests
>   # we will honour
>  EAPType MSCHAP-V2
>  
> 
>  
> 
> # The original PEAP request from a NAS will be sent to a matching
> # Realm or Handler in the usual way, where it will be unpacked and the
> # inner authentication extracted.
> # The inner authentication request will be sent again to a matching
> # Realm or Handler. The special check item TunnelledByPEAP=1 can be used
> # to select a specific handler, or else you can use EAPAnonymous to set
> # a username and realm which can be used to select a Realm clause for
> # the inner request.
> # This allows you to select an inner authentication method based on
> # Realm, and/or the fact that they were tunnelled. You can therefore act
> # just as a PEAP server, or also act as the AAA/H home server, and
> # authenticate PEAP requests locally or proxy them to another remote
> # server based on the realm of the inner authentication request.
> # In this basic example, both the inner and outer authentication are
> # authenticated from a file by AuthBy FILE
>  
> 
>  
>   # The username of the outer authentication
>   #  must be in this file to get anywhere. In this example,
>   # it requires an entry for 'anonymous' which is the standard username 
>   # in the outer requests, and it also requires an entry for the
>   # actual user name who is trying to connect (ie the 'Login name' entered
>   # in the Funk Odyssey 'Edit Profile Properties' page
>   Filename %D/users
>  
>   # EAPType sets the EAP type(s) that Radiator will honour.
>   # Options are: MD5-Challenge, One-Time-Password
>   # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
>   # Multiple types can be comma separated. With the default (most
>   # preferred) type given first
>   EAPType PEAP
>  
>   EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>   EAPTLS_CertificateFile %D/certificates/cert-srv.pem
>   EAPTLS_CertificateType PEM
>   EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
>   EAPTLS_PrivateKeyPassword whatever
>   EAPTLS_MaxFragmentSize 1000
>   AutoMPPEKeys
>   SSLeayTrace 4
>   EAPTLS_PEAPVersion 1
>   EAPTLS_PEAPBrokenV1Label
>  
> 
>  
>  
> Section of log where error occurs
>  
> Thu Aug 19 16:37:40 2010: DEBUG: Handling request with Handler 
> 'TunnelledByPEAP=1'
> Thu Aug 19 16:37:40 2010: DEBUG:  Deleting session for anonymous, 
> 10.15.100.4, 29
> Thu Aug 19 16:37:40 2010: DEBUG: Handling with Radius::AuthLSA: 
> Thu Aug 19 16:37:40 2010: DEBUG: Handling with EAP: code 2, 8, 80, 26
> Thu Aug 19 16:37:40 2010: DEBUG: Response type 26
> Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA looks for match with 
> com3pearsmw [anonymous]
> Thu Aug 19 16:37:40 2010: DEBUG: Radius::AuthLSA ACCEPT: : com3pearsmw 
> [anonymous]
> Thu Aug 19 16:37:40 2010: WARNING: Could not LogonUserNetworkMSCHAP (V2): 
> 3221225508, 2228600, The handle is invalid.
>  
> 
> Thu Aug 19 16:37:40 2010: DEBUG: EAP result: 1, EAP MSCHAP-V2 Authentication 
> failure
> Thu Aug 19 16:37:40 2010: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP-V2 
> Authentication failure
> Thu Aug 19 16:37:40 2010: INFO: Access rejected for anonymous: EAP MSCHAP-V2 
> Authentication failure
> Thu Aug 19 16:37:40 2010: DEBUG: Returned PEAP tunnelled packet dump:
> Code:   Access-Reject
> regards 
> Mark Pearson 
> Senior Technical Support Analyst 
> Information Systems 
> Nottingham Trent University
> 
> tel: 0115 8488287
> 
>  
> regards 
> Mark Pearson 
> Senior Technical Support Analyst 
> Information Systems 
> Nottingham Trent University
> 
> tel: 0115 8488287
> 
>  



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS t

Re: [RADIATOR] AuthBy NTLM busted under 4.7?

2010-08-11 Thread Robert Blayzor
On Aug 11, 2010, at 5:50 PM, Hugh Irvine wrote:
> Can you please send me a copy of the configuration file and a complete trace 
> 4 debug from a terminal session like this:
> 
>   cd /your/Radiator-4.7/source
> 
>   perl radiusd -foreground -log_stdout -trace 4 -config_file 
> /your/Radiator/configuration
> 
>   ….
> 
> Use your local pathnames in the above.
> 
> many thanks


Hugh, it's a compile time error in perl, so it doesn't get too far, but it shows 
the problem.

I didn't have the MD4 perl module installed, which wasn't required before; it 
appears to be now.  I installed it, and it's running now under 4.7.


[qix:/usr/local/radius/Radiator-4.7] perl radiusd -foreground -log_stdout 
-trace 4 -config_file /usr/local/radius/radius.cfg 
Wed Aug 11 23:53:14 2010: ERR: Could not load AuthBy module Radius::AuthNTLM: 
Can't locate Digest/MD4.pm in @INC (@INC contains: . 
/usr/local/lib/perl5/5.8.9/BSDPAN /usr/local/lib/perl5/site_perl/5.8.9/mach 
/usr/local/lib/perl5/site_perl/5.8.9 /usr/local/lib/perl5/5.8.9/mach 
/usr/local/lib/perl5/5.8.9 .) at Radius/MSCHAP.pm line 47,  line 129.
BEGIN failed--compilation aborted at Radius/MSCHAP.pm line 47,  line 
129.
Compilation failed in require at Radius/AuthNTLM.pm line 20,  line 129.
BEGIN failed--compilation aborted at Radius/AuthNTLM.pm line 20,  line 
129.
Compilation failed in require at (eval 48) line 3,  line 129.

Wed Aug 11 23:53:14 2010: ERR: Unknown object 'AuthBy' in 
/usr/local/radius/radius.cfg line 129
Can't locate object method "new" via package "Radius::AuthNTLM" at 
Radius/Configurable.pm line 450,  line 136.



-- 
Robert Blayzor
INOC, LLC
[email protected]
http://www.inoc.net/~rblayzor/






Re: [RADIATOR] AuthBy NTLM busted under 4.7?

2010-08-11 Thread Hugh Irvine

Hello Robert -

Can you please send me a copy of the configuration file and a complete trace 4 
debug from a terminal session like this:

cd /your/Radiator-4.7/source

perl radiusd -foreground -log_stdout -trace 4 -config_file 
/your/Radiator/configuration

….

Use your local pathnames in the above.

many thanks

Hugh


On 11 Aug 2010, at 22:25, Robert Blayzor wrote:

> Installed 4.7 today and upon launching it, I get:
> 
> Can't locate object method "new" via package "Radius::AuthNTLM" at 
> Radius/Configurable.pm line 450,  line 136.
> 
> 
> This worked fine under 4.2... so I simply rolled back to 4.2 and all is fine 
> again.
> 
> 
> This is perl, v5.8.9 built for i386-freebsd-64int
> 
> -- 
> Robert Blayzor
> INOC, LLC
> [email protected]
> http://www.inoc.net/~rblayzor/
> 
> 
> 
> 





Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

2010-06-25 Thread Hugh Irvine

Hello Adam -

The -I parameter to perl indicates where to find the Radiator modules.

Here is the help for perl:


Radiator-4.6 hugh$ perl -h

Usage: perl [switches] [--] [programfile] [arguments]
  -0[octal]         specify record separator (\0, if no argument)
  -a                autosplit mode with -n or -p (splits $_ into @F)
  -C[number/list]   enables the listed Unicode features
  -c                check syntax only (runs BEGIN and CHECK blocks)
  -d[:debugger]     run program under debugger
  -D[number/list]   set debugging flags (argument is a bit mask or alphabets)
  -e program        one line of program (several -e's allowed, omit programfile)
  -E program        like -e, but enables all optional features
  -f                don't do $sitelib/sitecustomize.pl at startup
  -F/pattern/       split() pattern for -a switch (//'s are optional)
  -i[extension]     edit <> files in place (makes backup if extension supplied)
  -Idirectory       specify @INC/#include directory (several -I's allowed)
  -l[octal]         enable line ending processing, specifies line terminator
  -[mM][-]module    execute "use/no module..." before executing program
  -n                assume "while (<>) { ... }" loop around program
  -p                assume loop like -n but print line also, like sed
  -P                run program through C preprocessor before compilation
  -s                enable rudimentary parsing for switches after programfile
  -S                look for programfile using PATH environment variable
  -t                enable tainting warnings
  -T                enable tainting checks
  -u                dump core after parsing program
  -U                allow unsafe operations
  -v                print version, subversion (includes VERY IMPORTANT perl info)
  -V[:variable]     print configuration summary (or a single Config.pm variable)
  -w                enable many useful warnings (RECOMMENDED)
  -W                enable all warnings
  -x[directory]     strip off text before #!perl line and perhaps cd to directory
  -X                disable all warnings


regards

Hugh


On 26 Jun 2010, at 00:16, Adam Gerson wrote:

> That worked. Thank you. What did -i do?
> 
> Adam
> 

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

2010-06-25 Thread Adam Gerson
That worked. Thank you. What did -i do?

Adam


-- 
Adam Gerson
Assistant Director of Technology
Columbia Grammar and Prep School
phone. 212-749-6200 ex. 321
fax.  212-428-6806
[email protected]
http://www.cgps.org

On 6/24/10 5:10 AM, Hugh Irvine wrote:
>
> Hello Adam -
>
> Try this:
>
>
>   /opt/local/bin/perl -I /usr/local/src/Radiator/Radiator-Locked-4.6 
> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

2010-06-24 Thread Hugh Irvine

Hello Adam -

Try this:


/opt/local/bin/perl -I /usr/local/src/Radiator/Radiator-Locked-4.6 /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid


regards

Hugh


On 24 Jun 2010, at 03:46, Adam Gerson wrote:

> I have figured out that MacPorts installs its own copy of perl into 
> /opt/local/bin
> 
> I need to use that perl, which includes the mysql packages. When I call that 
> perl explicitly I get this error:
> 
> sidekick:~ sadmin$ /opt/local/bin/perl 
> /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
> /etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid
> 
> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
> /opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
> /opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
> /opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
> /opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
> /opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) at 
> (eval 8) line 20, <_> line 575.
> BEGIN failed--compilation aborted at (eval 8) line 20, <_> line 575.
>   ...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
> 2, <_> line 575.
> 

Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

2010-06-23 Thread Adam Gerson
I have figured out that MacPorts installs its own copy of perl into 
/opt/local/bin

I need to use that perl, which includes the mysql packages. When I call 
that perl explicitly I get this error:

sidekick:~ sadmin$ /opt/local/bin/perl 
/usr/local/src/Radiator/Radiator-Locked-4.6/radiusd -config_file 
/etc/radiator/radius.cfg -pid_file /var/run/radiusd.pid

Can't locate Radius/ServerConfig.pm in @INC (@INC contains: . 
/opt/local/lib/perl5/site_perl/5.8.9/darwin-2level 
/opt/local/lib/perl5/site_perl/5.8.9 /opt/local/lib/perl5/site_perl 
/opt/local/lib/perl5/vendor_perl/5.8.9/darwin-2level 
/opt/local/lib/perl5/vendor_perl/5.8.9 /opt/local/lib/perl5/vendor_perl 
/opt/local/lib/perl5/5.8.9/darwin-2level /opt/local/lib/perl5/5.8.9 .) 
at (eval 8) line 20, <_> line 575.
BEGIN failed--compilation aborted at (eval 8) line 20, <_> line 575.
...caught at /usr/local/src/Radiator/Radiator-Locked-4.6/radiusd line 
2, <_> line 575.





On 6/22/10 3:21 PM, Hugh Irvine wrote:
>
> Hello Adam -
>
> The error message you show below indicates your database is not running (or 
> is unreachable for some reason).
>
> regards
>
> Hugh
>
>


Re: [RADIATOR] AuthBy SQL result: IGNORE, User database access error

2010-06-22 Thread Hugh Irvine

Hello Adam -

The error message you show below indicates your database is not running (or is 
unreachable for some reason).

regards

Hugh


On 22 Jun 2010, at 15:03, Adam Gerson wrote:

> Well, nothing has changed in my config file and my database is still up 
> and working. I have not used Radiator for a week or two. I started it 
> today to test it and now it cannot contact the database. I got an email 
> saying my trail had experienced, but at startup Radiator reports its 
> good until 2011 or 1000 connections.
> 
> 
> 
> 
> 
> Tue Jun 22 14:59:47 2010: DEBUG: Finished reading configuration file 
> '/etc/radiator/radius.cfg'
> This Radiator license will expire on 2011-02-01
> This Radiator license will stop operating after 1000 requests
> To purchase an unlimited full source version of Radiator, see
> http://www.open.com.au/ordering.html
> To extend your license period, contact [email protected]
> 
> Tue Jun 22 14:59:47 2010: DEBUG: Reading dictionary file 
> '/etc/radiator/dictionary'
> Tue Jun 22 14:59:47 2010: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 22 14:59:47 2010: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Jun 22 14:59:47 2010: NOTICE: Server started: Radiator 4.6 on 
> sidekick.cgps.org (LOCKED)
> Tue Jun 22 14:59:54 2010: DEBUG: Packet dump:
> *** Received from 192.168.1.92 port 52380 
> Code:   Access-Request
> Identifier: 144
> Authentic:  -e<204><0><155>W<174><163>g<227><181><149><134>sP<148>
> Attributes:
>   User-Name = "adam"
>   User-Password = <175><244>t<214>bP0<25>+6c?<237><196><137>K
>   NAS-IP-Address = 192.168.1.92
>   Service-Type = Login-User
>   Framed-IP-Address = 10.93.3.23
>   Called-Station-Id = "00:19:92:02:B4:3A"
>   Calling-Station-Id = ""
>   NAS-Identifier = "Bluesocket"
>   Acct-Session-Id = "00:19:92:02:B4:3A:1277233194"
>   NAS-Port-Type = Wireless-IEEE-802-11
> 
> Tue Jun 22 14:59:54 2010: DEBUG: Handling request with Handler 
> 'Realm=DEFAULT'
> Tue Jun 22 14:59:54 2010: DEBUG:  Deleting session for adam, 192.168.1.92,
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with 
> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database. 
> Request is ignored. Backing off for 600 seconds
> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User 
> database access error
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: DEBUG: Handling with Radius::AuthSQL:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to SQL database with 
> DBI->connect dbi:mysql:jamfsoftware:127.0.0.1, jamfsoftware, ***:
> Tue Jun 22 14:59:54 2010: ERR: Could not connect to any SQL database. 
> Request is ignored. Backing off for 600 seconds
> Tue Jun 22 14:59:54 2010: DEBUG: AuthBy SQL result: IGNORE, User 
> database access error
> ^C



NB: 

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets), 
together with a trace 4 debug showing what is happening?

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.



___
radiator mailing list
[email protected]
http://www.open.com.au/mailman/listinfo/radiator


Re: (RADIATOR) AuthBy accept all authentication

2003-10-16 Thread Hugh Irvine
Hello Steve -

The usual way to do this is with an AuthBy GROUP:

<Handler .....>
	AuthByPolicy ContinueAlways

	<AuthBy SQL>
		.....
		# disable authentication
		AuthSelect
		# deal with accounting
		AccountingTable ACCOUNTING
		AcctColumnDef .....
		.....
	</AuthBy>

	# use an AuthBy GROUP for authentication
	# with a different AuthByPolicy
	<AuthBy GROUP>
		AuthByPolicy ContinueWhileAccept

		<AuthBy .....>
			.....
		</AuthBy>

		<AuthBy .....>
			.....
		</AuthBy>
	</AuthBy>
</Handler>

You can also use different Handlers for authentication and accounting:

# deal with accounting
<Handler .....>
	<AuthBy SQL>
		.....
	</AuthBy>
</Handler>

# deal with authentication
<Handler .....>
	<AuthBy .....>
		.....
	</AuthBy>
</Handler>

regards

Hugh

On Friday, Oct 17, 2003, at 03:06 Australia/Melbourne, Steven Saner  
wrote:

Hi:

Is there an easy trick to making an <AuthBy>, specifically an <AuthBy SQL>,
clause always return an authentication accept? I can't seem to
find a built-in configuration parameter to do this. I need something
sort of like "IgnoreAuthentication", but accept instead of ignore.
I want to create an <AuthBy SQL> that only does stuff for accounting
requests, but I can't use "IgnoreAuthentication" because I need to
have the AuthByPolicy in the handlers set to "ContinueWhileAccept".
I am using Radiator 3.6.

Thanks for any advice.

Steve

-- 
Steven Saner <[EMAIL PROTECTED]>
===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with
'unsubscribe radiator' in the body of the message.


NB: have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
--
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.


Re: (RADIATOR) AuthBy accept all authentication

2003-10-16 Thread DUFOUR Geoffrey
Hello Steven,

Try to add : 

AuthColumnDef 0, User-Password, check
AuthSelect select NULL

to your <AuthBy SQL> clause.

Regards.

Geoffrey



Re: (RADIATOR) AuthBy SQL problem

2003-10-15 Thread Hugh Irvine
Hello Adam -

All you really need to do is use a RewriteUsername and a 
CaseInsensitivePasswords with a single AuthBy SQL.

regards

Hugh

On Thursday, Oct 16, 2003, at 00:27 Australia/Melbourne, Adam 
Pogorzelski wrote:

Hello,
I have such a problem. I have users in a MySQL database, and a few so-called
multilogin users. These multilogins have simple passwords created from the
username, for example ppp/ppp. The problem is that I need to authenticate
these combinations as the same user:
ppp/ppp, PPP/PPP, ppp/PPP, PPP/ppp.
For now I am including in one Handler two AuthBy config files,
one with a normal AuthSelect, and a second with AuthSelect 'select
ucase(PASSWORD)'.
Because I have many Handlers, and for each Handler there are two configs, I
want to minimize all the configuration.
So my question is: is it possible to put two AuthSelects in an AuthBy
clause? Similar to AuthByPolicy?

Btw, for each failed Radius::AuthSQL I have one insert into the database with
info about it, and if I have four login/pass combinations, I can have
three inserts into the database with fail info.

ps. I may be wrong, but isn't Radiator SQL-injection aware?
Sat Oct 11 06:51:57 2003: ERR: do failed for 'insert into radauthlog
values (1065847917,'~}#','[EMAIL PROTECTED]'} }4',1,'No such
user','DNIS','CLID')': You have an error in your SQL syntax near '}
}4',1,'No such user','DNIS','CLID')' at line 1
S
--
"For proper viewing, take red pill now"
   Futurama
AdamP.


Re: (RADIATOR) AuthBy SQL problem

2003-10-15 Thread Robert Blayzor
On 10/15/03 10:27 AM, "Adam Pogorzelski" <[EMAIL PROTECTED]> wrote:

> I have such a problem. I have users in mysql database, and few so called
> multilogin users. These multilogins have simple passwords created by
> username, for example ppp/ppp. Problem is, that i need to authenticate
> these combination as the same user:
> ppp/ppp, PPP/PPP, ppp/PPP, PPP/ppp.
> For now i am including to one Handler two authby's config files,
> one with normal AuthSelect, and second with Authselect 'select
> ucase(PASSWORD)'.

Seems like it's more work than it's worth.  You have some options...

Add the directive in Radiator to ignore the case of passwords, so that
"PaSSwoRD" would match "PASSWORD". You can also rewrite the username with a
regex to force the username to lowercase before handling it in an AuthBy.

> Because i have many Handlers, and for each Handler is two configs, i want
> to minimize all configuration.
> So my question is: is it possible to put in AuthBy clause two AuthSelect's ?
> Similiar to AuthByPolicy ?

For what reason if you just "IgnoreCase" on the password... ?

> ps. I may be wrong, but does Radiator isn't sql injection aware ?
> Sat Oct 11 06:51:57 2003: ERR: do failed for 'insert into radauthlog
> values (1065847917,'~}#','[EMAIL PROTECTED]'} }4',1,'No such
> user','DNIS','CLID')': You have an error in your SQL syntax near '}
> }4',1,'No such user','DNIS','CLID')' at line 1
> S

Tell Radiator what characters are valid in Usernames and you won't see
this...

ie:  UsernameCharset [EMAIL PROTECTED]

Or you could do something like:

RewriteUsername s/[EMAIL PROTECTED]/\?/g

which strips out any bogus characters we don't accept and replaces them with
a "?", which should be SQL friendly...

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Mac OS X. Because making Unix user-friendly is easier than debugging
Windows.
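As an added example (not code from the thread or from Radiator), here is the statement failure in Adam's log beside the two defences the replies point at. Reading the ERR line, the literal that breaks is the third value, the logged password, not the User-Name; Robert's UsernameCharset / RewriteUsername advice bounds what can reach the username column, while bind parameters keep every attribute value out of the SQL text. The script assumes sqlite3 as a stand-in for MySQL, constructed sample logins, and a hypothetical allow-list regex, since the archive redacted the exact character set in Robert's post.

```python
"""Added example (not from the Radiator list posts or from Radiator itself):
the radauthlog INSERT failure in Adam's log, reproduced with sqlite3 as a
stand-in for MySQL, beside the two defences the replies point at.
"""
import re
import sqlite3
import time

# Constructed (User-Name, User-Password) pairs. The second pair imitates the
# garbled values in the log (not their exact bytes): the username carries
# brace characters, the password carries an embedded single quote, which
# is what terminated the third literal of the logged statement early.
SAMPLE_LOGINS = [("adam", "secret"), ("~}#", "x'} }4"), ("user@example.com", "pw")]

# Hypothetical allow-list modelled on Robert's UsernameCharset advice; the
# exact character set in his post was redacted by the list archive.
DISALLOWED = re.compile(r"[^a-zA-Z0-9_.@-]")


def is_clean_username(name):
    """UsernameCharset-style check: True when every character is allowed."""
    return DISALLOWED.search(name) is None


def sanitise_username(name):
    """RewriteUsername-style fallback: replace each disallowed char with '?'."""
    return DISALLOWED.sub("?", name)


def make_db():
    """In-memory table with the same seven columns as the thread's INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE radauthlog (time_stamp INTEGER, username TEXT, "
        "password TEXT, status INTEGER, reason TEXT, dnis TEXT, clid TEXT)"
    )
    return conn


def unsafe_insert(conn, username, password):
    """The failure mode in the log: attribute values spliced into SQL text.

    A quote inside either value ends its literal early and the engine
    rejects the whole statement (the 'error in your SQL syntax' in the
    log), so the failed login is never recorded. Returns True when the row
    was stored, False when the statement was rejected.
    """
    sql = ("insert into radauthlog values (%d,'%s','%s',1,'No such user',"
           "'DNIS','CLID')" % (int(time.time()), username, password))
    try:
        conn.execute(sql)
        return True
    except sqlite3.Error:
        return False


def safe_insert(conn, username, password):
    """Bind parameters: the driver passes both values as data, never as SQL
    text, so they are stored verbatim and cannot alter the statement."""
    conn.execute(
        "insert into radauthlog values (?,?,?,1,'No such user','DNIS','CLID')",
        (int(time.time()), username, password),
    )
    return True


def stored_logins(conn):
    """(username, password) pairs recorded so far, in insertion order."""
    return list(conn.execute(
        "select username, password from radauthlog order by rowid"))


if __name__ == "__main__":
    db = make_db()
    for user, pw in SAMPLE_LOGINS:
        print("%-18r clean=%-5s unsafe_insert=%-5s rewritten=%r" % (
            user, is_clean_username(user), unsafe_insert(db, user, pw),
            sanitise_username(user)))
        safe_insert(db, user, pw)
    print("stored:", stored_logins(db))
```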




Re: (RADIATOR) authby radius

2003-09-10 Thread tracker
Yup thanks.


--
jaws
---
Computer system security is a journey, not a destination




Re: (RADIATOR) authby radius

2003-09-10 Thread Robert Blayzor
On 9/11/03 2:42 PM, "tracker" <[EMAIL PROTECTED]> wrote:

> Using this method, how do you enforce that only Accounting Stop records
> will be stored locally?

Add the "AccountingStopsOnly" directive in your AuthBy SQL section.

--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Calm down -- it's only ones and zeroes.




Re: (RADIATOR) authby radius

2003-09-10 Thread tracker
Using this method, how do you enforce that only Accounting Stop records 
will be stored locally?



Re: (RADIATOR) authby radius

2003-09-10 Thread tracker
Got it. AuthBy GROUP is more useful to use.

Thanks.

Dave Birkbeck wrote:

This is how I do it and it works great. The <AuthBy RADIUS> in the realm
handler will continue to forward the acct packets to the end-point
Radius server after it writes to our local database. The AuthBy
GlobalAcct is the identifier for the <AuthBy SQL> that handles the local
database insert.

   Identifier GlobalAcct
   IgnoreAuthentication
   DBSource dbi:Sybase:server=***
   DBUsername ***
   DBAuth ***
  
  

  
 
 AuthByPolicy ContinueAlways
 AuthBy GlobalAcct

   
   Host 202.202.202.9
   Secret   secret
   AuthPort 812
   AcctPort 813
   Retries  2
   
  

Dave

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of tracker
Sent: Wednesday, September 10, 2003 8:49 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) authby radius
Hi all,

Is it possible to store the accounting record of a user if my server 
just acts as proxy? If so, how?
Example, below is my config for the realm domain.com

# Section tags reconstructed from context; they were lost in the archive.
<Realm domain.com>
    <AuthBy RADIUS>
        Host 202.202.202.9
        Secret secret
        AuthPort 812
        AcctPort 813
        Retries 2
    </AuthBy>
</Realm>

I want to have a copy of the accounting of users for domain.com and i 
will store it in mysql.

Thanks.

 

--
jaws
---
Computer system security is a journey, not a destination




Re: (RADIATOR) authby radius

2003-09-10 Thread Robert Blayzor
On 9/10/03 10:49 PM, "tracker" <[EMAIL PROTECTED]> wrote:

> Is it possible to store the accounting record of a user if my server
> just acts as proxy? If so, how?
> Example, below is my config for the realm domain.com

# Section tags were lost when this message was archived. <Realm domain.com>,
# <AuthBy RADIUS> and <AuthBy SQL> are reconstructed from the parameters each
# block contains; the address inside <Host ...> is not in the archived post.
<Realm domain.com>
    AuthByPolicy ContinueAlways
    AuthBy Proxy-Acct
    AuthBy Proxy-Auth
</Realm>

<AuthBy RADIUS>
    Identifier Proxy-Auth
    <Host ...>
        Secret mysecret
        AuthPort 1812
        AcctPort 1813
    </Host>
    Retries 2
</AuthBy>

<AuthBy SQL>
    Identifier Proxy-Acct
    DBSource dbi:MySQL:server=BLAH
    DBUsername radius
    DBAuth foo
    AuthSelect
    AccountingTable
    AcctSQLStatement INSERT INTO blah ...
</AuthBy>

At least that's what's worked for me ...


--
Robert Blayzor, BOFH
INOC, LLC
[EMAIL PROTECTED]
PGP: http://www.inoc.net/~dev/
Key fingerprint = A445 7D1E 3D4F A4EF 6875  21BB 1BAA 10FE 5748 CFE9

Life would be much easier if I had the source code.





RE: (RADIATOR) authby radius

2003-09-10 Thread Dave Birkbeck
This is how I do it and it works great. The <AuthBy RADIUS> in the realm
handler will continue to forward the acct packets to the end-point
Radius server after it writes to our local database. The AuthBy
GlobalAcct is the identifier for the <AuthBy SQL> that handles the local
database insert.

# Section tags were lost when this message was archived. <AuthBy SQL>,
# <Realm domain.com> and <AuthBy RADIUS> are reconstructed from the
# parameters each block contains.
<AuthBy SQL>
    Identifier GlobalAcct
    IgnoreAuthentication
    DBSource dbi:Sybase:server=***
    DBUsername ***
    DBAuth ***
</AuthBy>

<Realm domain.com>
    AuthByPolicy ContinueAlways
    AuthBy GlobalAcct
    <AuthBy RADIUS>
        Host 202.202.202.9
        Secret secret
        AuthPort 812
        AcctPort 813
        Retries 2
    </AuthBy>
</Realm>


Dave


-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of tracker
Sent: Wednesday, September 10, 2003 8:49 PM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) authby radius

Hi all,

Is it possible to store the accounting record of a user if my server 
just acts as proxy? If so, how?
Example, below is my config for the realm domain.com

# Section tags reconstructed from context; they were lost in the archive.
<Realm domain.com>
    <AuthBy RADIUS>
        Host 202.202.202.9
        Secret secret
        AuthPort 812
        AcctPort 813
        Retries 2
    </AuthBy>
</Realm>

I want to have a copy of the accounting of users for domain.com and i 
will store it in mysql.

Thanks.

-- 
jaws
---
Computer system security is a journey, not a destination


