Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)
Mike McCauley wrote:

Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:

Mike McCauley wrote:

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:

Mike McCauley wrote:

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 with 802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied), wireless card Orinoco Silver and/or builtin Intel Pro/WirelessLAN 2100 3A

After all known install and config issues I meet (described in FAQ, archive and UtahGeeks) I moved to status where user is authenticated OK and radius send "Access-Accept". But its last info from radius log, no real connection follows, no accounting on log. Especially basic UtahGeeks config of Access point is pretty close to our config, but unfortunately there are not published Radiator configuration so here maybe I have a problem. Or problem is in using different wifi client? Please help me somebody where is a problem?

That sounds a lot like the client is not configured to expect a dynamic WEP key, but your Radiator is configured to send them to the AP.

Check the 'WEP key will be provided for me' option in your client configuration.

of course, as I have written below in Windows XP client config:

"- Key is provided for me automatically ON"

yesterday i also turn on eap tracing in WinXP, see log below, interesting is last line:

"We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth."

...i dont know what it means.

That is very curious, since the last thing sent by Radiator is clearly an EAP Success. Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support dynamic WEP?

Cheers.

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and windows xp client configuration and client connected ok! So there should be no general problem with client and radius configuration, problem is likely in Avaya or its configuration. Or in EAP compatibility of Avaya?

Sounds like the problem is there. We found when we tested the Orinoco AP-2000 here that you had to have the _latest_ firmware installed else it would not work properly. See the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html

We have seen several problems with EAP-PEAP using the Proxim/Avaya AP2000 product. Now that we have EAP-TTLS completely deployed we are working on enabling PEAP for those users that absolutely refuse to use a real 802.1x client. We will post all our EAP-TTLS and EAP-PEAP configs on the utahgeeks.sourceforge.net site. We have also compiled a lengthy list of cards that work and do not work with 802.1x; we will be adding that to the site as well.

On another note, we have recently found a bug in the 2.2.2/2.2.4 code for the AP-2000 that causes it not to send Accounting records to Radiator correctly. The problem deals with, of all things, the order that you enable radius accounting on the AP and not a problem with Radiator. I will be updating the AP configs to reflect the changes.

Bret

I noted that I must set a "IgnoreAcctSignature" option to "yes" for Avaya or I get "Bad EAP Message-Authenticator" warnings in log and auth failed. Signamax works ok both with or without this option, maybe there is a start of problems?

Sounds like there is a shared secret problem between Radiator and the Avaya?

Are there some AddToReply which I would try to add to reply for Avaya? Have Avaya AP-2000 working with 802.1x somebody to help me with configuration? Article in FAQ about it does not help me, I dont know where is mistake so exact AP configure dump of real working device welcomed.

Cheers.

Pavel

Pavel

Cheers.

My configuration:

-- users --
wifitest User-Password=wifi
Session-Timeout=60

-- radius.cfg --
AuthPort 1812
AcctPort 1813

LogStdout
LogDir /var/log/radius
DbDir /etc/radiator

Trace 5

Secret X
Identifier wifi-testnet
IgnoreAcctSignature yes

# now core config from eap_peap.cfg example:

AcctLogFileName %L/detail

Filename %D/users
EAPType MSCHAP-V2

Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
# i did try also
#AddToReply MS-MPPE-Encryption-Policy = E
(RADIATOR) Access controllers
Hi all,

Has anyone used Radiator with Nomadix, Transat WAIN Server, ezXcess or IntelliGate access controllers?

Access Controllers typically provide a web-based login page.

Cheers.

--
Mike McCauley [EMAIL PROTECTED]
Open System Consultants Pty. Ltd
Unix, Perl, Motif, C++, WWW
24 Bateman St Hampton, VIC 3188 Australia
http://www.open.com.au
Phone +61 3 9598-0985 Fax +61 3 9598-0955
Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP etc on Unix, Windows, MacOS etc.

===
Archive at http://www.open.com.au/archives/radiator/
Announcements on [EMAIL PROTECTED]
To unsubscribe, email '[EMAIL PROTECTED]' with 'unsubscribe radiator' in the body of the message.
Re: (RADIATOR) Dynamic Vars
Hello Miko -

In answer to your question, no you don't need "pseudo-attributes" to be defined in your dictionary when you add attributes to the request.

The dictionary is only used to decode the request off the wire and to encode the reply just before it is sent. Once the request is in memory you can use it as a scratch-pad area for whatever you require and it will simply be discarded after processing so you don't have to worry about it.

regards

Hugh

On Saturday, Aug 23, 2003, at 00:37 Australia/Melbourne, [EMAIL PROTECTED] wrote:

You can use AddToRequest (6.5.21) in your to add an attribute to the request as well. I use this in my current configuration, however I also added the attribute to the dictionary as well. I am not sure if this is required or not in this instance.

regards,

Miko

--- Original Message ---
From: "Hugh Irvine" <[EMAIL PROTECTED]>
To: Nick Rogness <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Fri, 22 Aug 2003 16:55:09 +1000
Subject: Re: (RADIATOR) Dynamic Vars

Hello Nick -

The only thing I can think of is to write your own custom versions of those modules so they do what you require.

The source modules are in the "Radius" directory of the Radiator distribution.

regards

Hugh

On Friday, Aug 22, 2003, at 09:37 Australia/Melbourne, Nick Rogness wrote:
>
> In my radius config file I have:
>
> .
> .
> PreHandlerHook file:"/etc/raddb/prehandler.radhook"
>
> In /etc/raddb/prehandler.radhook I have:
>
> .
> .
> $p->add_attr('CCC-DB',"testdb");
> .
>
> For my SessionDB I try to reference my %{CCC-DB} variable:
>
> Identifier SDB
> DBSource dbi:mysql:%{CCC-DB}:db1.domain.com
> .
> .
>
> But it appears I can't reference it as it comes up with an error:
>
> Wed Aug 20 19:28:01 2003: ERR: do failed for 'delete from RADONLINE
> where NASIDENTIFIER='203.63.154.1' and NASPORT=01234': No Database
> Selected
>
> So I'm assuming that you can only reference certain %{attr} in certain
> cases. I want to be able to use the same sessionDB "template" and have it
> reference different databases as determined by the PreHandlerHook. I
> don't want to build 50 different statements for all of our customers
> (since they all have different DBs). How can I accomplish this?
>
> Same problem exists for DBSource directives. I want the Prehandler to
> choose the database to connect to. Any pointers?
>
> Thanks,
>
> Nick Rogness

NB: have you included a copy of your configuration file (no secrets), together with a trace 4 debug showing what is happening?

--
Radiator: the most portable, flexible and configurable RADIUS server anywhere. Available on *NIX, *BSD, Windows 95/98/2000, NT, MacOS X.
- Nets: internetwork inventory and management - graphical, extensible, flexible with hardware, software, platform and database independence.
Re: (RADIATOR) RADAR Segmentation Fault
Hello German -

We have had some reports of problems with Perl 5.8 so I suggest you go back to Perl 5.6.1 and let us know what you discover.

I have copied this mail to Mike as he may have other comments.

regards

Hugh

On Saturday, Aug 23, 2003, at 00:48 Australia/Melbourne, GermanG wrote:

Hello

We're trying to put to work Radar, program starts normally, but when trying to "Monitor new Radiator server", it segfaults. Radiator is localhost:9048, just for testing. We followed the "Radar Installation" guide. Any help?

The command line shows this:

$ radar -d
Thu Aug 21 12:15:13 2003: Sending to localhost:9048: BINARY
Segmentation Fault (core dumped)

Radiator log shows the following:

Wed Aug 20 19:53:04 2003: DEBUG: New MonitorConnection created for 127.0.0.1:33236
Wed Aug 20 19:53:07 2003: DEBUG: MonitorConnection disconnected from 127.0.0.1:33236

Radiator config file (relevant lines):

#Foreground
#LogStdout
LogDir /var/log/metav
LogFile /var/log/metav/radiator.log
# DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 5

Username mikem
Password fred

Secret xx
NasType Cisco

HW & SW:
- Sun Enterprise 250 (2 x Ultra SPARC 400 MHz) with 1GB Memory
- Solaris 8 4/01 (Assembled 01 March 2001)
- Perl v5.8.0
- Radiator 3.6
- Radar 1.3

Thanks & Regards,

German Gatica
Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x (continue)
Hello Pavel,

On Sat, 23 Aug 2003 01:01 am, Pavel Paprok wrote:
> Mike McCauley wrote:
> >Hello Pavel,
> >
> >On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:
> >>Mike McCauley wrote:
> >>>On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:
> Hallo,
>
> I am trying to get work wifi access point Orinoco/Proxim AP-2000 with
> 802.1x EAP/PEAP user auth by Radiator:
> - Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP
> with demo certificates.
> - Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
> - Test client is notebook Dell with Win XP (all patches applied),
> wireless card Orinoco Silver and/or builtin Intel Pro/WirelessLAN 2100 3A
>
> After all known install and config issues I meet (described in FAQ,
> archive and UtahGeeks) I moved to status where user is authenticated OK
> and radius send "Access-Accept". But its last info from radius log, no
> real connection follows, no accounting on log. Especially basic UtahGeeks
> config of Access point is pretty close to our config, but unfortunately
> there are not published Radiator configuration so here maybe I have a
> problem. Or problem is in using different wifi client? Please help me
> somebody where is a problem?
> >>>
> >>>That sounds a lot like the client is not configured to expect a dynamic
> >>>WEP key, but your Radiator is configured to send them to the AP.
> >>>
> >>>Check the 'WEP key will be provided for me' option in your client
> >>>configuration.
> >>
> >>of course, as I have written below in Windows XP client config:
> >>
> >>"- Key is provided for me automatically ON"
> >>yesterday i also turn on eap tracing in WinXP, see log below, interesting
> >>is last line:
> >>
> >>"We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth."
> >>
> >>...i dont know what it means.
> >
> >That is very curious, since the last thing sent by Radiator is clearly an
> >EAP Success.
> >Perhaps the EAP Failure is being sent by the AP?
> >
> >I wonder if your AP needs some configuration so that it will support
> >dynamic WEP?
> >
> >Cheers.
>
> I just try to use AP Signamax 22Mbps in 802.1x with same radiator and
> windows xp client configuration and client connected ok! So there should
> be no general problem with client and radius configuration, problem is
> likely in Avaya or its configuration. Or in EAP compatibility of Avaya?

Sounds like the problem is there. We found when we tested the Orinoco AP-2000 here that you had to have the _latest_ firmware installed else it would not work properly. See the Radiator FAQ for more details.
http://www.open.com.au/radiator/faq.html

> I noted that I must set a "IgnoreAcctSignature" option to "yes" for
> Avaya or I get "Bad EAP Message-Authenticator" warnings in log and auth
> failed. Signamax works ok both with or without this option, maybe
> there is a start of problems?

Sounds like there is a shared secret problem between Radiator and the Avaya?

> Are there some AddToReply which I would try to add to reply for Avaya?
> Have Avaya AP-2000 working with 802.1x somebody to help me with
> configuration? Article in FAQ about it does not help me, I dont know
> where is mistake so exact AP configure dump of real working device
> welcomed.

Cheers.

> Pavel
>
> >>Pavel
> >>
> >>>Cheers.
> >>>
> My configuration:
>
> -- users --
> wifitest User-Password=wifi
> Session-Timeout=60
>
> -- radius.cfg --
> AuthPort 1812
> AcctPort 1813
>
> LogStdout
> LogDir /var/log/radius
> DbDir /etc/radiator
>
> Trace 5
>
> Secret X
> Identifier wifi-testnet
> IgnoreAcctSignature yes
>
> # now core config from eap_peap.cfg example:
>
> AcctLogFileName %L/detail
>
> Filename %D/users
> EAPType MSCHAP-V2
>
> Filename %D/users
> EAPType PEAP
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
> EAPTLS_MaxFragmentSize 1024
> AutoMPPEKeys
> # i did try also
> #AddToReply MS-MPPE-Encryption-Policy = Encryption-Allowed,\
> # MS-MPPE-Encryption-Types = Encryption-Any
> SSLeayTrace 4
>
> -- WinXP client configuration --
>
> - Data encryption (WEP enabled) ON
> - Network Authentication (Shared mode) OFF
> - Key
(RADIATOR) Hang on EAP-PEAP
Hi all,

I recently have a service call for my laptop running XP, but the configuration of the system remains. I also replace the router NATing the traffic between the wireless AP (Cisco 350) and the radius because it busted during the NYC blackout last week. Since the Cisco AP will only take the dynamic IP when the DHCP is on, I have done a few reconfigurations. After the reconfiguration, MAC add auth, EAP-TLS etc all seem to work fine on all APs. I can also get connected via the Cisco AP with EAP-TLS.

The problem I encountered is that when I ask for EAP-PEAP, it hung (between the radius and the XP) at the point for "message authenticator". After it hung, the radius stops working to authenticate all devices.

Below is the dump. I would appreciate if anyone may have any insight why this happened and how to fix it.

Many thanks in advance!

Bon

Fri Aug 22 17:44:45 2003: DEBUG: Packet dump:
*** Received from 192.168.2.27 port 1096
Code: Access-Request
Identifier: 65
Authentic: <186><164><215>K<151>.<220><172>d<167><21><239><174><203><20><142>
Attributes:
User-Name = "TSMACH246\bon"
cisco-avpair = "ssid=qcwireless"
NAS-IP-Address = 192.168.2.27
Called-Station-Id = "004096563106"
Calling-Station-Id = "00022d1d364e"
NAS-Identifier = "AP350-563106"
NAS-Port = 37
Framed-MTU = 1400
NAS-Port-Type = Wireless-IEEE-802-11
Service-Type = Login-User
EAP-Message = <2>Y<0>)<25><0><23><3><1><0><30>w.F<179><219><189><156>q<129><135><167><140><170>p&<180>y+<157><250>h<3><207>1<253><210>
Message-Authenticator = <218><154>,+#<228>j<2>~?ge<143>8<231><142>

Fri Aug 22 17:44:45 2003: DEBUG: Handling request with Handler 'NAS-IP-Address = 192.168.2.27, Request-Type=Access-Request'
Fri Aug 22 17:44:45 2003: DEBUG: Deleting session for TSMACH246\bon, 192.168.2.27, 37
Fri Aug 22 17:44:45 2003: DEBUG: Handling with Radius::AuthSQL
Fri Aug 22 17:44:45 2003: DEBUG: Handling with Radius::AuthSQL:
Fri Aug 22 17:44:45 2003: DEBUG: Handling with EAP: code 2, 89, 41
Fri Aug 22 17:44:45 2003: DEBUG: Response type 25
Fri Aug 22 17:44:45 2003: DEBUG: EAP PEAP inner authentication request for anonymous
Fri Aug 22 17:44:45 2003: DEBUG: PEAP Tunnelled request Packet dump:
Code: Access-Request
Identifier: UNDEF
Authentic: <252>',<213><141><5>#<254>Q<219><23>`<7><253>-<179>
Attributes:
EAP-Message = <2>Y<0><14><1>TSMACH246\bon
User-Name = "anonymous"
NAS-IP-Address = 192.168.2.27
NAS-Identifier = "AP350-563106"
NAS-Port = 37
Calling-Station-Id = "00022d1d364e"

Fri Aug 22 17:44:45 2003: DEBUG: Handling request with Handler 'TunnelledByPEAP=1'
Fri Aug 22 17:44:45 2003: DEBUG: Deleting session for , 192.168.2.27, 37
Fri Aug 22 17:44:45 2003: DEBUG: Handling with Radius::AuthSQL
Fri Aug 22 17:44:45 2003: DEBUG: Handling with Radius::AuthSQL:
Fri Aug 22 17:44:45 2003: DEBUG: Handling with EAP: code 2, 89, 14
Fri Aug 22 17:44:45 2003: DEBUG: Response type 1
Fri Aug 22 17:44:45 2003: DEBUG: Access challenged for anonymous: EAP MSCHAP-V2 Challenge
Fri Aug 22 17:44:45 2003: DEBUG: Access challenged for TSMACH246\bon: EAP PEAP inner authentication redespatched to a Handler
Fri Aug 22 17:44:45 2003: DEBUG: Packet dump:
*** Sending to 192.168.2.27 port 1096
Code: Access-Challenge
Identifier: 65
Authentic: <186><164><215>K<151>.<220><172>d<167><21><239><174><203><20><142>
Attributes:
EAP-Message = <1>Z<0>9<25><0><23><3><1><0>.<180>Z<190><250><22><192><8>6~J<192><220><172>{2<19><253><184>(<149><150><185>\<12><236><237>R<237><28><200><197><16>A<159><149>^b\<191><211><241><137>F<173><244>t
Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
RE: (RADIATOR) MAx TNT & MSBlast
This problem is actually caused by the "good" blaster worm Nachi.

Nachi pings a host before it tries to spread so it doesn't waste its time on non-existent hosts. The problem is that each one of those pings generates an ARP request, and with such a high number of pings MAX TNT boxes can't handle the high number of ARP requests and lock up or reboot.

The ping has a specific signature, 92 bytes all AA as the content, that you can create a policy map for.

Cisco has an article on how to block Nachi ICMP traffic on your inbound router interface:
http://www.cisco.com/warp/public/707/cisco-sn-20030820-nachi.shtml

Hope that helps

Thanks,

Tony B, CCNA, Network+
Systems Administration
GO Concepts, Inc. / www.go-concepts.com
Are you on the GO yet? What about those you know, are they on the GO?
513.934.2800
1.888.ON.GO.YET

-----Original Message-----
From: Sean Watkins (northrock) [mailto:[EMAIL PROTECTED]
Sent: Friday, August 22, 2003 11:41 AM
To: [EMAIL PROTECTED]
Subject: (RADIATOR) MAx TNT & MSBlast

Hi,

I know this isn't the place, but any MAX TNT users out there seeing weird card failures beginning with the onslaught of MSBlast? I saw a news.com article about it... however I can't find any more info.

Anyone know of any active ascend / lucent tnt mailing lists?

Sean

Article Text:

In addition, network administrators reported on a newsgroup that telecommunications equipment maker Lucent Technologies' TNT MAX network gateway crashed due to some interaction with traffic created by the MSBlast worms. A representative for the company confirmed that Lucent was investigating the issue, but couldn't supply details.
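The signature Tony describes, an ICMP echo request of 92 bytes whose content is all AA, can also be watched for on a capture feed rather than only blocked at the router. The Python below is an added example, not code from the Cisco article or from anyone in the thread: it parses raw IPv4/ICMP packets, matches that signature, and counts matches per source address so one host sweeping a range stands out. The sample packets are constructed inside the block (one host sweeping ten addresses plus one ordinary ping); the 64-byte 0xAA payload is sized so the IP total length comes to 92 bytes, and checksums are left at zero since the parser does not verify them.

```python
import struct
from collections import Counter

IP_PROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
NACHI_IP_TOTAL_LENGTH = 92   # 92-byte ICMP echo, as described in the post
NACHI_FILL_BYTE = 0xAA       # content is all AA


def parse_icmp_echo(ip_packet):
    """Return (src, ip_total_len, icmp_payload) for an IPv4 ICMP echo request, else None."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4:
        return None
    ihl = (ip_packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip_packet[2:4])[0]
    if ip_packet[9] != IP_PROTO_ICMP or len(ip_packet) < ihl + 8 or total_len > len(ip_packet):
        return None
    src = ".".join(str(b) for b in ip_packet[12:16])
    icmp = ip_packet[ihl:total_len]
    if icmp[0] != ICMP_ECHO_REQUEST:
        return None
    return src, total_len, icmp[8:]   # skip type, code, checksum, id, seq


def is_nachi_ping(ip_packet):
    """Match the signature from the post: 92-byte echo request whose payload is all 0xAA."""
    parsed = parse_icmp_echo(ip_packet)
    if parsed is None:
        return False
    _, total_len, payload = parsed
    return (total_len == NACHI_IP_TOTAL_LENGTH and len(payload) > 0
            and all(b == NACHI_FILL_BYTE for b in payload))


def build_ipv4_icmp_echo(src, dst, payload, ident=0x1234, seq=1):
    """Build a minimal IPv4 + ICMP echo request for test input (checksums left zero)."""
    icmp = struct.pack("!BBHHH", ICMP_ECHO_REQUEST, 0, 0, ident, seq) + payload
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                         IP_PROTO_ICMP, 0, src_b, dst_b)
    return ip_hdr + icmp


def scan_capture(packets, threshold=5):
    """Count signature hits per source; return {src: count} for sources at or above threshold."""
    hits = Counter()
    for pkt in packets:
        if is_nachi_ping(pkt):
            hits[parse_icmp_echo(pkt)[0]] += 1
    return {src: n for src, n in hits.items() if n >= threshold}


# Constructed sample capture: 10.0.0.7 sweeps ten hosts with the signature ping,
# 10.0.0.9 sends one ordinary 56-byte-payload ping.
SAMPLE_PACKETS = (
    [build_ipv4_icmp_echo("10.0.0.7", "10.0.1.%d" % i, bytes([NACHI_FILL_BYTE]) * 64)
     for i in range(1, 11)]
    + [build_ipv4_icmp_echo("10.0.0.9", "10.0.1.1", bytes(range(56)))]
)

if __name__ == "__main__":
    print(scan_capture(SAMPLE_PACKETS))   # {'10.0.0.7': 10}
```

The per-source threshold is what separates a sweep from a stray packet that happens to carry the fill pattern; in a real feed the packets would come from a pcap reader instead of the constructed list.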
(RADIATOR) MAx TNT & MSBlast
Hi,

I know this isn't the place, but any MAX TNT users out there seeing weird card failures beginning with the onslaught of MSBlast? I saw a news.com article about it... however I can't find any more info.

Anyone know of any active ascend / lucent tnt mailing lists?

Sean

Article Text:

In addition, network administrators reported on a newsgroup that telecommunications equipment maker Lucent Technologies' TNT MAX network gateway crashed due to some interaction with traffic created by the MSBlast worms. A representative for the company confirmed that Lucent was investigating the issue, but couldn't supply details.
Re: (RADIATOR) Re: cant connect Win XP to Orinoco AP-2000 via 802.1x(continue)
Mike McCauley wrote:

Hello Pavel,

On Thu, 21 Aug 2003 10:40 pm, Pavel Paprok wrote:

Mike McCauley wrote:

On Wed, 20 Aug 2003 08:42 pm, Pavel Paprok wrote:

Hallo,

I am trying to get work wifi access point Orinoco/Proxim AP-2000 with 802.1x EAP/PEAP user auth by Radiator:
- Radiator 3.6 eval version RPM on RedHat 9, configured for EAP/PEAP with demo certificates.
- Orinoco/Proxim AP-2000 (latest firmware 2.1.3)
- Test client is notebook Dell with Win XP (all patches applied), wireless card Orinoco Silver and/or builtin Intel Pro/WirelessLAN 2100 3A

After all known install and config issues I meet (described in FAQ, archive and UtahGeeks) I moved to status where user is authenticated OK and radius send "Access-Accept". But its last info from radius log, no real connection follows, no accounting on log. Especially basic UtahGeeks config of Access point is pretty close to our config, but unfortunately there are not published Radiator configuration so here maybe I have a problem. Or problem is in using different wifi client? Please help me somebody where is a problem?

That sounds a lot like the client is not configured to expect a dynamic WEP key, but your Radiator is configured to send them to the AP.

Check the 'WEP key will be provided for me' option in your client configuration.

of course, as I have written below in Windows XP client config:

"- Key is provided for me automatically ON"

yesterday i also turn on eap tracing in WinXP, see log below, interesting is last line:

"We got a EAP_failure after we got a PEAP_SUCCESS. Failing auth."

...i dont know what it means.

That is very curious, since the last thing sent by Radiator is clearly an EAP Success. Perhaps the EAP Failure is being sent by the AP?

I wonder if your AP needs some configuration so that it will support dynamic WEP?

Cheers.

I just try to use AP Signamax 22Mbps in 802.1x with same radiator and windows xp client configuration and client connected ok! So there should be no general problem with client and radius configuration, problem is likely in Avaya or its configuration. Or in EAP compatibility of Avaya?

I noted that I must set a "IgnoreAcctSignature" option to "yes" for Avaya or I get "Bad EAP Message-Authenticator" warnings in log and auth failed. Signamax works ok both with or without this option, maybe there is a start of problems?

Are there some AddToReply which I would try to add to reply for Avaya? Have Avaya AP-2000 working with 802.1x somebody to help me with configuration? Article in FAQ about it does not help me, I dont know where is mistake so exact AP configure dump of real working device welcomed.

Pavel

Pavel

Cheers.

My configuration:

-- users --
wifitest User-Password=wifi
Session-Timeout=60

-- radius.cfg --
AuthPort 1812
AcctPort 1813

LogStdout
LogDir /var/log/radius
DbDir /etc/radiator

Trace 5

Secret X
Identifier wifi-testnet
IgnoreAcctSignature yes

# now core config from eap_peap.cfg example:

AcctLogFileName %L/detail

Filename %D/users
EAPType MSCHAP-V2

Filename %D/users
EAPType PEAP
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
EAPTLS_MaxFragmentSize 1024
AutoMPPEKeys
# i did try also
#AddToReply MS-MPPE-Encryption-Policy = Encryption-Allowed,\
# MS-MPPE-Encryption-Types = Encryption-Any
SSLeayTrace 4

-- WinXP client configuration --

- Data encryption (WEP enabled) ON
- Network Authentication (Shared mode) OFF
- Key is provided for me automatically ON
- Adhoc network OFF
- Enable 802.1x auth ON
- EAP type: PEAP
- Authenticate as computer OFF
- Authenticate as guest OFF
- Validate server certificate OFF
- Authentication method: EAP-MSCHAP v2 (automatically use Windows logon name OFF)
- Enable fast reconnect OFF

-- something from Orinoco-2000 config --

- Operational Mode
Wireless A: 802.11bg physical iface 802.11g OFDM / DSSS 2.4 GHz, enable auto channel select ON, transmit rate: auto fallback, dtim period: 1, rts/cts medium reservation: 2347, enable closed system: OFF
Wireless B: 802.11b only physical iface 802.11b DSSS 2.4 GHz, enable auto channel select ON, mcast rate: 2mbit, dtim period: 1, rts/cts medium reservation: 2347, dist AP: large, enable closed system: OFF, enable load balancing: ON, enable medium density distribution: ON
MAC access control: OFF
Authentication:
wireless slot A: mode 802.1x, rekeying interval: 900, encr key length: 64bits
wireless slot B: mode 802.1x, rekeying
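Two checks in this thread hang off the same value: the "Bad EAP Message-Authenticator" warning and the accounting signature that IgnoreAcctSignature tells Radiator to stop checking are both computed from the shared secret, which is why Mike points at a secret mismatch. The Python below is an added illustration, not code from Radiator or from anyone in the thread: it builds an Accounting-Request (RFC 2866 Request Authenticator) and an EAP Access-Request (RFC 3579 Message-Authenticator) the way a NAS would, then verifies both the way the server would, so the effect of a mismatched secret on each check is visible. User name, identifiers, attribute values and secrets are constructed sample data, and the Access-Request's Request Authenticator is a fixed value instead of the random one a real NAS would pick, so the run is reproducible.

```python
import hashlib
import hmac
import struct

# RADIUS codes (RFC 2865/2866) and the attribute types this example uses
CODE_ACCESS_REQUEST = 1
CODE_ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_NAS_IDENTIFIER = 32
ATTR_ACCT_STATUS_TYPE = 40
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80


def encode_attr(attr_type, value):
    """One attribute as Type (1 octet), Length (1 octet, header included), Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_packet(code, identifier, authenticator, attrs):
    """20-octet header (Code, Identifier, Length, Authenticator) followed by attributes."""
    body = b"".join(attrs)
    return struct.pack("!BBH", code, identifier, 20 + len(body)) + authenticator + body


def accounting_request_authenticator(identifier, attrs, secret):
    """RFC 2866 s3: MD5(Code + ID + Length + 16 zero octets + Attributes + Secret).
    This is the accounting 'signature' that IgnoreAcctSignature skips checking."""
    zeroed = build_packet(CODE_ACCOUNTING_REQUEST, identifier, b"\x00" * 16, attrs)
    return hashlib.md5(zeroed + secret).digest()


def message_authenticator(code, identifier, request_authenticator, attrs, secret):
    """RFC 3579 s3.2: HMAC-MD5 keyed with the secret over the whole packet, with the
    Message-Authenticator value itself set to 16 zero octets. Required on EAP requests."""
    placeholder = encode_attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    zeroed = build_packet(code, identifier, request_authenticator, attrs + [placeholder])
    return hmac.new(secret, zeroed, hashlib.md5).digest()


def verify_accounting_request(packet, secret):
    """Server side: recompute the Request Authenticator with our copy of the secret."""
    length = struct.unpack("!H", packet[2:4])[0]
    zeroed = packet[:4] + b"\x00" * 16 + packet[20:length]
    expected = hashlib.md5(zeroed + secret).digest()
    return hmac.compare_digest(packet[4:20], expected)


def verify_message_authenticator(packet, secret):
    """Server side: locate type 80, zero its value, recompute the HMAC, compare.
    Absent or malformed attribute counts as failure."""
    length = struct.unpack("!H", packet[2:4])[0]
    pos = 20
    while pos + 2 <= length:
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and attr_len == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:length]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(packet[pos + 2:pos + 18], expected)
        pos += attr_len
    return False


def exchange(nas_secret, server_secret):
    """Build both request types with nas_secret (the AP's copy) and verify them with
    server_secret (Radiator's copy). Returns which of the two checks pass."""
    acct_attrs = [
        encode_attr(ATTR_USER_NAME, b"wifitest"),
        encode_attr(ATTR_NAS_IDENTIFIER, b"ap-2000-lab"),      # constructed value
        encode_attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # Start
    ]
    acct_auth = accounting_request_authenticator(7, acct_attrs, nas_secret)
    acct_packet = build_packet(CODE_ACCOUNTING_REQUEST, 7, acct_auth, acct_attrs)

    req_auth = bytes(range(0x10, 0x20))   # fixed stand-in for the NAS's random value
    eap_identity = bytes([2, 1, 0, 13, 1]) + b"wifitest"   # EAP Response/Identity
    access_attrs = [
        encode_attr(ATTR_USER_NAME, b"wifitest"),
        encode_attr(ATTR_EAP_MESSAGE, eap_identity),
    ]
    mac = message_authenticator(CODE_ACCESS_REQUEST, 9, req_auth, access_attrs, nas_secret)
    access_packet = build_packet(CODE_ACCESS_REQUEST, 9, req_auth,
                                 access_attrs + [encode_attr(ATTR_MESSAGE_AUTHENTICATOR, mac)])

    return {
        "accounting_signature_ok": verify_accounting_request(acct_packet, server_secret),
        "message_authenticator_ok": verify_message_authenticator(access_packet, server_secret),
    }

if __name__ == "__main__":
    print(exchange(b"s3cret", b"s3cret"))   # both True
    print(exchange(b"s3cret", b"wrong"))    # both False
```

With matching secrets both checks pass; with different copies on the AP and on Radiator both fail together. IgnoreAcctSignature yes only stops the first check from being applied, so needing it to make one AP work is a sign that its secret differs from the one in the Client clause, and correcting the secret on one side removes the Message-Authenticator warnings as well.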
(RADIATOR) RADAR Segmentation Fault
Hello

We're trying to put to work Radar, program starts normally, but when trying to "Monitor new Radiator server", it segfaults. Radiator is localhost:9048, just for testing. We followed the "Radar Installation" guide. Any help?

The command line shows this:

$ radar -d
Thu Aug 21 12:15:13 2003: Sending to localhost:9048: BINARY
Segmentation Fault (core dumped)

Radiator log shows the following:

Wed Aug 20 19:53:04 2003: DEBUG: New MonitorConnection created for 127.0.0.1:33236
Wed Aug 20 19:53:07 2003: DEBUG: MonitorConnection disconnected from 127.0.0.1:33236

Radiator config file (relevant lines):

#Foreground
#LogStdout
LogDir /var/log/metav
LogFile /var/log/metav/radiator.log
# DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 5

Username mikem
Password fred

Secret xx
NasType Cisco

HW & SW:
- Sun Enterprise 250 (2 x Ultra SPARC 400 MHz) with 1GB Memory
- Solaris 8 4/01 (Assembled 01 March 2001)
- Perl v5.8.0
- Radiator 3.6
- Radar 1.3

Thanks & Regards,

German Gatica
Re: (RADIATOR) Dynamic Vars
You can use AddToRequest (6.5.21) in your to add an attribute to the request as well. I use this in my current configuration, however I also added the attribute to the dictionary as well. I am not sure if this is required or not in this instance.

regards,

Miko

> --- Original Message ---
> From: "Hugh Irvine" <[EMAIL PROTECTED]>
> To: Nick Rogness <[EMAIL PROTECTED]>
> Cc: <[EMAIL PROTECTED]>
> Sent: Fri, 22 Aug 2003 16:55:09 +1000
> Subject: Re: (RADIATOR) Dynamic Vars
>
> Hello Nick -
>
> The only thing I can think of is to write your own custom versions of
> those modules so they do what you require.
>
> The source modules are in the "Radius" directory of the Radiator
> distribution.
>
> regards
>
> Hugh
>
> On Friday, Aug 22, 2003, at 09:37 Australia/Melbourne, Nick Rogness
> wrote:
> >
> > In my radius config file I have:
> >
> > .
> > .
> > PreHandlerHook file:"/etc/raddb/prehandler.radhook"
> >
> > In /etc/raddb/prehandler.radhook I have:
> >
> > .
> > .
> > $p->add_attr('CCC-DB',"testdb");
> > .
> >
> > For my SessionDB I try to reference my %{CCC-DB} variable:
> >
> > Identifier SDB
> > DBSource dbi:mysql:%{CCC-DB}:db1.domain.com
> > .
> > .
> >
> > But it appears I can't reference it as it comes up with an error:
> >
> > Wed Aug 20 19:28:01 2003: ERR: do failed for 'delete from RADONLINE
> > where NASIDENTIFIER='203.63.154.1' and NASPORT=01234': No Database
> > Selected
> >
> > So I'm assuming that you can only reference certain %{attr} in certain
> > cases. I want to be able to use the same sessionDB "template" and have it
> > reference different databases as determined by the PreHandlerHook. I
> > don't want to build 50 different statements for all of our customers
> > (since they all have different DBs). How can I accomplish this?
> >
> > Same problem exists for DBSource directives. I want the Prehandler to
> > choose the database to connect to. Any pointers?
> >
> > Thanks,
> >
> > Nick Rogness
Re: (RADIATOR) Radius 99.9% (fwd)
Hello Wesley -

The only way we can help you is by looking at a copy of your configuration file (no secrets) together with a trace 4 debug from Radiator showing what is happening.

regards

Hugh

On Friday, Aug 22, 2003, at 19:33 Australia/Melbourne, Wesley Hof wrote:

Hi,

First of all my apologies to disturb u guys again.

I have a problem, my radius doesn't always react on accounting, I also see that radiusd keeps almost 99% cpu in use. The machine has 1G ram and has 2 pIII 800 procs. Here is a paste from a top. When I restart radiator, accounting goes well for about 2 minutes, then radiusd starts taking 99% cpu and accounting goes wrong.

22599 root 15 0 11772 11M 3496 R 0 98.8 2.2 219:07 radiusd

I don't see the problem, anyone had this problem before?

Real thanks in advance.

W.

--
(o_   Wesley Hof
//\   UNIX System Engineer
V_/_  UNInet ))) A Scarlet Company
(RADIATOR) Radius 99.9% (fwd)
Hi,

First of all my apologies to disturb u guys again.

I have a problem, my radius doesn't always react on accounting, I also see that radiusd keeps almost 99% cpu in use. The machine has 1G ram and has 2 pIII 800 procs. Here is a paste from a top. When I restart radiator, accounting goes well for about 2 minutes, then radiusd starts taking 99% cpu and accounting goes wrong.

  22599 root 15 0 11772 11M 3496 R 0 98.8 2.2 219:07 radiusd

I don't see the problem, anyone had this problem before?

Real thanks in advance.

W.

--
(o_  Wesley Hof
//\  UNIX System Engineer
V_/_ UNInet
)))  A Scarlet Company
Re: (RADIATOR) AuthSQL and NULL passwords
I did wonder if I was editing the correct file, I think I was.

I installed Radiator with Perl 5.8.0 (from Sun Freeware) which installs in /usr/local. The Radius distribution seems to install in /usr/local/lib/perl5/site_perl/5.8.0/Radius/ and the binary in /usr/local/bin.

Thanks for the advice.

Richard
Re: (RADIATOR) AuthSQL and NULL passwords
Hello Richard -

BTW - we have had reports of problems with Perl 5.8, so you might want to consider Perl 5.6.1.

regards

Hugh

On Friday, Aug 22, 2003, at 17:55 Australia/Melbourne, Richard Grantham wrote:

I did wonder if I was editing the correct file, I think I was.

I installed Radiator with Perl 5.8.0 (from Sun Freeware) which installs in /usr/local. The Radius distribution seems to install in /usr/local/lib/perl5/site_perl/5.8.0/Radius/ and the binary in /usr/local/bin.

Thanks for the advice.

Richard
Re: (RADIATOR) AuthSQL and NULL passwords
Hello Richard -

The first thing to do is make sure that you are editing the correct copy of the file. If you have done a "make install" then the copy of "Radius/AuthSQL.pm" that is being executed is in the Perl file hierarchy.

It is generally *much* easier to edit the file in "Radius/AuthSQL.pm" in the distribution directory, add whatever "print" statements you need for debugging, then execute "radiusd" from the distribution directory like this:

  # this assumes that the source tarball has been unpacked in "/usr/local/src"
  cd /usr/local/src/Radiator/Radiator-3.6
  perl radiusd -foreground -log_stdout -trace 4 -config_file .

This will pick up the local files in preference to the ones in the Perl file hierarchy.

regards

Hugh

On Thursday, Aug 21, 2003, at 23:33 Australia/Melbourne, Richard Grantham wrote:

Hi list,

A while ago I asked about configuring Radiator to reject authentications without NULL passwords when the password is NULL in the database. Two solutions were suggested at the time - decoding the password and using it in the SELECT statement or changing the Radiator code.

I don't think I could change the SQL statement to decode passwords - plus our authentication statements are long enough already! I want to change the source code to do what we want. We want to make this change for security reasons that are a little convoluted to go into in too much detail!

I'm assuming that this is the code in AuthSQL.pm that needs to be changed:

  # Add a *-Password check item unless the correct password
  # was NULL in the database. This means that if
  # the password column for a user is NULL,
  # then any password is accepted for that user.
  $user->get_check->add_attr
      (defined $self->{EncryptedPassword} ? 'Encrypted-Password' : 'User-Password',
       $password)
      if defined $password;

I've been playing with it a bit but to no avail. I'm afraid my 'l33t perl sk1llz' are not up to much because I can't seem to change Radiator's behaviour.

For instance, the first thing I did was remove that 'if defined $password':

  $user->get_check->add_attr
      (defined $self->{EncryptedPassword} ? 'Encrypted-Password' : 'User-Password',
       $password);

This didn't do anything. Can anyone point me in the right direction? Have I missed something incredibly obvious?

TIA

Richard
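An added example, not Radiator's own code: a hardened form of the check-item snippet Richard quotes, written as a helper that findUser in Radius/AuthSQL.pm would call where that statement now sits. It assumes $self, $user and $password mean what they do in AuthSQL.pm, that $name holds the user name being looked up, and that findUser returning undef makes Radiator treat the user as not found (a reject).

```perl
# Added example, not Radiator's code. In findUser (Radius/AuthSQL.pm),
# replace the $user->get_check->add_attr(...) if defined $password
# statement with:
#     return undef unless add_password_check($self, $user, $name, $password);
# Assumed: $self, $user, $password as in AuthSQL.pm; $name is the user
# name being looked up; findUser returning undef means "no such user".

sub add_password_check {
    my ($self, $user, $name, $password) = @_;

    # Stock behaviour: a NULL password column adds no check item, so *any*
    # password is accepted for that user. Here NULL (undef) rejects the
    # user instead, and the reason is logged so the row can be fixed.
    unless (defined $password) {
        &main::log($main::LOG_WARNING,
            "AuthSQL: NULL password for user '$name' in database, rejecting");
        return 0;
    }

    # An empty string '' is defined, so it still becomes a check item:
    # the user must then present an empty password, not an arbitrary one.
    $user->get_check->add_attr(
        defined $self->{EncryptedPassword} ? 'Encrypted-Password'
                                           : 'User-Password',
        $password);
    return 1;
}
```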
Re: (RADIATOR) Resolved problem tracking actual userid and MAC address with EAP.
Hello John -

Thanks for the update.

BTW - you can also use the incoming request packet as a temporary scratch-pad area, which avoids you having to worry about undefined attributes in the reply packet (as the packet is just deleted after processing).

regards

Hugh

On Friday, Aug 22, 2003, at 00:56 Australia/Melbourne, John McFadden wrote:

There may be better ways but the good news is I did get around my authentication sql logging issue.

I was able to get around the mac to userid tracking problem by adding temp attributes to the reply in the inner authentication then using them in the outer authentication to do the actual logging.

ie: The inner authentication (postauth code) sets an action attribute to tell the outer authentication to put out a log, plus a couple of attributes to populate the log. The outer authentication (postauth code) checks the action attribute and if set to log gets the other attributes and does the sql insert. In either case it deletes the temp attributes.

Therefore the final pass through the outer authentication which has the mac can do the log with all the required attributes.

Regards

John McFadden
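An added example (not John's or Radiator's code) of the scheme he describes: an inner PostAuthHook stashes the real identity in its reply, the final outer pass logs user name plus MAC with a parameterised INSERT and then strips the scratch attributes so they never reach the NAS. It assumes hooks receive ${$_[0]} as the request, ${$_[1]} as the reply and ${$_[2]} as the result, and the X-Log-* attribute names, DSN, credentials and AUTHLOG table are made up for the example.

```perl
# Added example, not from the original poster or Radiator. Assumed hook
# arguments: ${$_[0]} request, ${$_[1]} reply, ${$_[2]} result.
# X-Log-* attribute names, DSN, credentials and table are constructed.

# ---- /etc/raddb/inner-postauth.radhook  (PostAuthHook of the inner Handler)
sub {
    my ($p, $rp, $result) = (${$_[0]}, ${$_[1]}, ${$_[2]});
    return unless $result == $main::ACCEPT;
    # Tell the outer pass to log, and carry the inner (real) user name.
    $rp->add_attr('X-Log-Action', 'log');
    $rp->add_attr('X-Log-User',   $p->get_attr('User-Name'));
}

# ---- /etc/raddb/outer-postauth.radhook  (PostAuthHook of the outer Handler)
sub {
    my ($p, $rp, $result) = (${$_[0]}, ${$_[1]}, ${$_[2]});
    my $action = $rp->get_attr('X-Log-Action');
    return unless defined $action;        # ordinary outer round, nothing to do

    if ($result == $main::ACCEPT && $action eq 'log') {
        my $user = $rp->get_attr('X-Log-User');
        my $mac  = $p->get_attr('Calling-Station-Id');  # only the outer request has it
        eval {
            require DBI;
            my $dbh = DBI->connect('dbi:mysql:radius:localhost', 'radlog',
                                   '<db-password>', { RaiseError => 1, PrintError => 0 });
            # Both values come from the network: bind them, never interpolate
            # them into the SQL text.
            $dbh->do('INSERT INTO AUTHLOG (TIME_STAMP, USERNAME, MAC) VALUES (?, ?, ?)',
                     undef, time(), $user, $mac);
            $dbh->disconnect;
        };
        &main::log($main::LOG_ERR, "AUTHLOG insert failed: $@") if $@;
    }
    # Always remove the scratch attributes, whatever the result, so they are
    # not sent back to the NAS.
    $rp->delete_attr('X-Log-Action');
    $rp->delete_attr('X-Log-User');
}
```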
Re: (RADIATOR) Question about splitting the NAS-IP-ADDRESS for SQL use
Hello Troy -

I suggest you write a PreClientHook that will add the pseudo-attributes shown below to the incoming request packet. There is an example that does something quite similar for Cisco pseudo-attributes in the file "goodies/hooks.txt".

regards

Hugh

On Friday, Aug 22, 2003, at 06:49 Australia/Melbourne, Troy Holder wrote:

We have a DB table with all of our network equipment in it and plan to use that to determine what Authby to use for different types of equipment (got to love how Cisco wants different reply values to allow a user into enable mode). I plan to have a Handler call an AuthBy SQL to do a query for the Auth-Type the device needs use and then run that AuthBy clause.

The problem that I am running into is that we have the equipment's IP address broken up into the octets. I know that I can use %N in the SQL in the config, but how can I get %IP1.%IP2.%IP3.%IP4 (as in %N = %IP1.%IP2.%IP3.%IP4) instead?

--
---
| Troy Holder                    [EMAIL PROTECTED] |
| Senior Network Engineer                          |
| Communication Technologies                       |
| North Carolina State University                  |
---
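An added example, not the one in goodies/hooks.txt: a PreClientHook that splits NAS-IP-Address into four pseudo-attributes an AuthBy SQL can match against octet columns, refusing anything that is not a strict dotted quad before it is interpolated into SQL. It assumes the hook receives ${$_[0]} as the request; the NAS-IP-Octet1..4 names and the column names in the closing comment are made up for the example.

```perl
# Added example, not from goodies/hooks.txt. Assumed: ${$_[0]} is the
# request; NAS-IP-Octet1..4 and the SQL column names are constructed.
# Load with:  PreClientHook file:"/etc/raddb/splitnasip.radhook"

sub {
    my $p  = ${$_[0]};
    my $ip = $p->get_attr('NAS-IP-Address');
    unless (defined $ip) {
        &main::log($main::LOG_WARNING, 'splitnasip: request has no NAS-IP-Address');
        return;
    }
    # Only a strict dotted quad (each octet 0-255) is accepted. The octets
    # end up inside SQL text through %{...}, so anything else is refused
    # rather than passed through.
    my @oct = ($ip =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/);
    if (@oct != 4 || grep { $_ > 255 } @oct) {
        &main::log($main::LOG_WARNING, "splitnasip: malformed NAS-IP-Address '$ip'");
        return;
    }
    for my $i (1 .. 4) {
        $p->add_attr("NAS-IP-Octet$i", $oct[$i - 1] + 0);   # +0 drops leading zeros
    }
    &main::log($main::LOG_DEBUG, "splitnasip: $ip -> @oct");
}

# The AuthBy SQL can then select on the pieces (column names assumed):
#   AuthSelect select AUTHTYPE from EQUIPMENT where OCT1=%{NAS-IP-Octet1} and OCT2=%{NAS-IP-Octet2} and OCT3=%{NAS-IP-Octet3} and OCT4=%{NAS-IP-Octet4}
```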
Re: (RADIATOR) Dynamic Vars
Hello Nick -

The only thing I can think of is to write your own custom versions of those modules so they do what you require. The source modules are in the "Radius" directory of the Radiator distribution.

regards

Hugh

On Friday, Aug 22, 2003, at 09:37 Australia/Melbourne, Nick Rogness wrote:

In my radius config file I have:

  .
  .
  PreHandlerHook file:"/etc/raddb/prehandler.radhook"

In /etc/raddb/prehandler.radhook I have:

  .
  .
  $p->add_attr('CCC-DB',"testdb");
  .

For my SessionDB I try to reference my %{CCC-DB} variable:

  Identifier SDB
  DBSource dbi:mysql:%{CCC-DB}:db1.domain.com
  .
  .

But it appears I can't reference it as it comes up with an error:

  Wed Aug 20 19:28:01 2003: ERR: do failed for 'delete from RADONLINE where NASIDENTIFIER='203.63.154.1' and NASPORT=01234': No Database Selected

So I'm assuming that you can only reference certain %{attr} in certain cases. I want to be able to use the same sessionDB "template" and have it reference different databases as determined by the PreHandlerHook. I don't want to build 50 different statements for all of our customers (since they all have different DBs). How can I accomplish this?

Same problem exists for DBSource directives. I want the Prehandler to choose the database to connect to.

Any pointers?

Thanks,

Nick Rogness