Re: [RADIATOR] Radiator Logging to an External Syslog Server
On 04/12/2011 07:25 PM, Carter, Ronald wrote: > My company is running Radiator on a Windows Platform. I would like to > export the Radiator logs to and external Syslog server. According to the > manual this can be done with the command, but this only > works on a Unix platform. Has anyone or does anyone know of a way that I > can export the logs when using on a Windows platform. What I am really > interested in logging and exporting are the results of authentication > attempts, e.g.; request, failure, success, etc Try this: 1) Install syslog module ppm install Sys::Syslog 2) Configure Radiator like this LogHost ip.addr.of.remotehost LogSock inet This should work with Windows and the logs should be sent to the remote host port 514 UDP. For authentication log you should configure with respective settings as above and the AuthLog specific settings you require. > Any help that you can provide will be greatly appreciated. I hope the above helps. Please let me and this list know how it works. Best regards, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Loading configuration dynamically from SQL database
On 04/12/2011 04:00 PM, Remco van Noorloos wrote:
> That's a possibility indeed. Aren't there any plans to improve this
> mechanism to make the configuration even more dynamically than it is
> right now?
None are planned. The current code is quite efficient in keeping the
binding active and holding server connections between requests which is
good for performance especially when LDAPS is used.
> Perhaps it is something I can change easily myself in the Perl code?
Depends on how you define easy :)
What you would need to do is to create instances of AuthLDAP2 class for
every new set of LDAP server, port, AuthDN and possible other items that
define a LDAP session. I think it would need a fairly good amount of work.
> The Acct-Session-Id attribute is needed and is send by our Cisco
> routers in an Access-Request to be able to combine multiple
> Access-Requests based on that session ID.
Ok, the Acct-Session-Id already comes during authentication. Then it has
no problems working.
> The snippet below is from the log when I try to 'access' the
> %{CONNECTION_ID}. Strange thing is that it works in one AuthBy but
> doesn't work in the next one.
It should work. Are you sure EXEC spGetAuthenticationSource does return
a value for CONNECTION_ID?
It is also good to note that if you already have a CONNECTION_ID added
to request, adding a second CONNECTION_ID will not replace the existing.
You seem to be adding a CONNECTION_ID in AUTH_USER_realmSQL
> The 'EXEC spPasswdSelect , ''' should include the CONNECTION_ID as
> first parameter (the second one is indeed Acct-Session-Id, it doesn't
> matter whether it's empty or not). When looking at the log below the
> CONNECTION_ID is empty though.
> What am I doing wrong?
Hard to say. Maybe you should check EXEC spGetAuthenticationSource does
return something.
Thanks!
Heikki
> ---
>
> *** Received from 127.0.0.1 port 1739
> Code: Access-Request
> Identifier: 141
> Authentic: <229><20>~<138>k<128>?&:<131><246><147><184>/<27><236>
> Attributes:
> User-Name = "prox1-a...@dsl.proxsys.net"
> Service-Type = Framed-User
> NAS-IP-Address = 203.63.154.1
> NAS-Identifier = "203.63.154.1"
> NAS-Port = 1234
> Called-Station-Id = "123456789"
> Calling-Station-Id = "987654321"
> NAS-Port-Type = Token-Ring
> User-Password =
> <160><177>P<175>qDe<19>f<169><18><180><159><144><230><13>
>
> Tue Apr 12 14:53:36 2011: DEBUG: Handling request with Handler '', Identifier
> 'DefaultHandler'
> Tue Apr 12 14:53:36 2011: DEBUG: Deleting session for
> prox1-a...@dsl.proxsys.net, 203.63.154.1, 1234
> Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
> DETERMINE_AUTH_BACKEND
> Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
> DETERMINE_AUTH_BACKEND
> Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spGetAuthenticationSource
> 'prox1-a...@dsl.proxsys.net', 'Token-Ring', 'Framed-User', ''':
> Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL looks for match with
> prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
> Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL ACCEPT: :
> prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
> Tue Apr 12 14:53:36 2011: DEBUG: AuthBy SQL result: ACCEPT,
> Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthHANDLER:
> Tue Apr 12 14:53:36 2011: DEBUG: AuthBy HANDLER is redirecting to Handler
> 'AUTH_USER_realmSQL'
> Tue Apr 12 14:53:36 2011: DEBUG: Handling request with Handler '', Identifier
> 'AUTH_USER_realmSQL'
> Tue Apr 12 14:53:36 2011: DEBUG: Deleting session for
> prox1-a...@dsl.proxsys.net, 203.63.154.1, 1234
> Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
> Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
> Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spPasswdSelect , ''':
> Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
> [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
> (SQL-42000)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
> prepared. (SQL-42000)
> Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
> [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
> (SQL-42000)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
> prepared. (SQL-42000)
> Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL looks for match with
> prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
> Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL REJECT: No such user:
> prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
> Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spPasswdSelect , ''':
> Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
> [Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
> (SQL-42000)
> [Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
> prepar
Re: [RADIATOR] [Radiator] EAP TTLS with EAP Inner Method
On 04/11/2011 03:55 PM, Aman Arneja wrote: > As you might have gathered from my previous mails, i am writing an EAP > TTLS Method. We are facing problems with using EAP Inner Methods. Non > Eap Inner methods are working fine. I am attaching 2 log files : > > 1.) radiatornoproxy : Config File = eap_ttls.cfg. > Topology : > Client - Wireless supplicant configured to authenticate using our TTLS + > EAP MsChapv2 > Radiator - AuthByLsa > > 2.) eapttlsradiator : Config File = eap_ttls_proxy.txtTopology : > Client - Wireless supplicant configured to authenticate using our TTLS + > EAP MsChapv2 > Radiator - AuthByRadius, with authentication terminating on Microsoft NPS > > In Both Cases Radiator is rejecting the AVP sent by client after server > sends access challenge. >From the log it looks like Radiator sends access challenge inside the tunnel as you say: EAP-Message = <1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1 This seems to be a well formed EAP-MSCHAP-V2 challange according to http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02 But when the response comes, Radiator does not even get to process it as an AVP but the underlying TLS processing indicates there is a "wrong version number" as seen below. In other words, it looks like after the client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the tunnelling TLS thinks the received TLS record is faulty. A quick check shows that "wrong version number" could mean a mismatch between expected and received SSL 3.0 and TLS 1.x version. However, for me it looks like the version is alwasy <3><1> which is TLS 1.0. So it looks like SSL/TLS library Radiator uses sees something it does not like. > Can some1 pls help us with this? Let me know if any more information is > required. Seems to be an issue with the reading of the EAP Message from > the AVP. I would say it is a TLS problem. Though I am not sure what exactly. Best regards, Heikki > Snipped of issue is as follows > : > Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '', > Identifier '' > > Mon Apr 11 04:34:01 2011: DEBUG: Deleting session for > DVM-AMARNE-DC\anonymous, 192.168.10.3, 0 > > Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE: > > Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21 > > Mon Apr 11 04:34:01 2011: DEBUG: Response type 21 > > Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6 > > Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed: > 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number > > Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS > read failed: 1168: 1 - error:1408F10B:SSL > routines:SSL3_GET_RECORD:wrong version number > > Mon Apr 11 04:34:01 2011: INFO: Access rejected for > DVM-AMARNE-DC\anonymous: EAP TTLS read failed: 1168: 1 - > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number > > Mon Apr 11 04:34:01 2011: DEBUG: Packet dump: > > *** Sending to 192.168.10.3 port 65529 > > Code: Access-Reject > > Identifier: 6 > > Authentic: > <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209> > > Attributes: > > EAP-Message = <4><7><0><4> > > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0> > > Reply-Message = "Request Denied" > > Thanx > > > > Aman Arneja > > > > > > ___ > radiator mailing list > radiator@open.com.au > http://www.open.com.au/mailman/listinfo/radiator -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] Radiator Logging to an External Syslog Server
My company is running Radiator on a Windows Platform. I would like to export the Radiator logs to and external Syslog server. According to the manual this can be done with the command, but this only works on a Unix platform. Has anyone or does anyone know of a way that I can export the logs when using on a Windows platform. What I am really interested in logging and exporting are the results of authentication attempts, e.g.; request, failure, success, etc Any help that you can provide will be greatly appreciated. Thanks. Ron Carter, CISSP, CISM Sr. Information Assurance Specialist PPL Services Corporation 2 North 9th Street MS: GENGA2 Allentown, PA 18101 Phone: (610) 774-2502 The information contained in this message is intended only for the personal and confidential use of the recipient(s) named above. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that you have received this document in error and that any review, dissemination, distribution, or copying of this message is strictly prohibited. If you have received this communication in error, please notify us immediately, and delete the original message. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
Hi Heikki, Am 12.04.2011 14:09, schrieb Heikki Vatiainen: > On 04/11/2011 12:26 PM, Karl Gaissmaier wrote: > this is strange as Radiator-4.x has explicit support for reconnecting to ldap servers after an idle timeout. >>> >>> Indeed. The function that has "ldap search for ..." error message does >>> LDAP reconnect as the first thing. Reconnect should notice the closed >>> connection and then connect again. >> >> but not with HoldSeverConnection, or? I don't see a reconnect, >> not under Trace 4 and even not on the wire with wireshark. > > With HoldServerConnection, yes. > > When HoldServerConnection is defined and there should be an active ldap > handle, the code checks if the socket is still ok or it the socket > indicates that there is something available. If this something is > LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a > reconnect. really strange. I didn't see this. After the LDAP upgrade I'll come back to this problem and keep you informed. Best Regards Charly -- Karl Gaissmaier Kommunikations und Informationszentrum kiz der Universität Ulm Abteilung Infrastruktur SG Netzwerk und Telekommunikation 89069 Ulm Tel.: 49(0)731/50-22499 Fax : 49(0)731/50-1222499 ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Loading configuration dynamically from SQL database
Hi Heikki,
Thanks again for you answer.
That's a possibility indeed. Aren't there any plans to improve this mechanism
to make the configuration even more dynamically than it is right now?
Perhaps it is something I can change easily myself in the Perl code?
The Acct-Session-Id attribute is needed and is send by our Cisco routers in an
Access-Request to be able to combine multiple Access-Requests based on that
session ID.
The snippet below is from the log when I try to 'access' the %{CONNECTION_ID}.
Strange thing is that it works in one AuthBy but doesn't work in the next one.
The 'EXEC spPasswdSelect , ''' should include the CONNECTION_ID as first
parameter (the second one is indeed Acct-Session-Id, it doesn't matter whether
it's empty or not). When looking at the log below the CONNECTION_ID is empty
though.
What am I doing wrong?
---
*** Received from 127.0.0.1 port 1739
Code: Access-Request
Identifier: 141
Authentic: <229><20>~<138>k<128>?&:<131><246><147><184>/<27><236>
Attributes:
User-Name = "prox1-a...@dsl.proxsys.net"
Service-Type = Framed-User
NAS-IP-Address = 203.63.154.1
NAS-Identifier = "203.63.154.1"
NAS-Port = 1234
Called-Station-Id = "123456789"
Calling-Station-Id = "987654321"
NAS-Port-Type = Token-Ring
User-Password =
<160><177>P<175>qDe<19>f<169><18><180><159><144><230><13>
Tue Apr 12 14:53:36 2011: DEBUG: Handling request with Handler '', Identifier
'DefaultHandler'
Tue Apr 12 14:53:36 2011: DEBUG: Deleting session for
prox1-a...@dsl.proxsys.net, 203.63.154.1, 1234
Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
DETERMINE_AUTH_BACKEND
Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
DETERMINE_AUTH_BACKEND
Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spGetAuthenticationSource
'prox1-a...@dsl.proxsys.net', 'Token-Ring', 'Framed-User', ''':
Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL looks for match with
prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL ACCEPT: :
prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
Tue Apr 12 14:53:36 2011: DEBUG: AuthBy SQL result: ACCEPT,
Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthHANDLER:
Tue Apr 12 14:53:36 2011: DEBUG: AuthBy HANDLER is redirecting to Handler
'AUTH_USER_realmSQL'
Tue Apr 12 14:53:36 2011: DEBUG: Handling request with Handler '', Identifier
'AUTH_USER_realmSQL'
Tue Apr 12 14:53:36 2011: DEBUG: Deleting session for
prox1-a...@dsl.proxsys.net, 203.63.154.1, 1234
Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
Tue Apr 12 14:53:36 2011: DEBUG: Handling with Radius::AuthSQL:
Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spPasswdSelect , ''':
Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
(SQL-42000)
[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
prepared. (SQL-42000)
Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
(SQL-42000)
[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
prepared. (SQL-42000)
Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL looks for match with
prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
Tue Apr 12 14:53:36 2011: DEBUG: Radius::AuthSQL REJECT: No such user:
prox1-a...@dsl.proxsys.net [prox1-a...@dsl.proxsys.net]
Tue Apr 12 14:53:36 2011: DEBUG: Query is: 'EXEC spPasswdSelect , ''':
Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
(SQL-42000)
[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
prepared. (SQL-42000)
Tue Apr 12 14:53:36 2011: ERR: Execute failed for 'EXEC spPasswdSelect , ''':
[Microsoft][ODBC SQL Server Driver][SQL Server]Incorrect syntax near ','.
(SQL-42000)
[Microsoft][ODBC SQL Server Driver][SQL Server]Statement(s) could not be
prepared. (SQL-42000)
Tue Apr 12 14:53:36 2011: DEBUG: AuthBy SQL result: REJECT, No such user
Tue Apr 12 14:53:36 2011: DEBUG: AuthBy HANDLER result: REJECT, No such user
Tue Apr 12 14:53:36 2011: INFO: Access rejected for prox1-a...@dsl.proxsys.net:
No such user
Tue Apr 12 14:53:36 2011: DEBUG: Packet dump:
*** Sending to 127.0.0.1 port 1739
Code: Access-Reject
Identifier: 141
Authentic: e<252><160><164><169>q(<223>lm<221>0<142>p<135><31>
Attributes:
Reply-Message = "Request Denied"
-Oorspronkelijk bericht-
Van: Heikki Vatiainen [mailto:h...@open.com.au]
Verzonden: dinsdag 12 april 2011 14:43
Aan: Remco van Noorloos
CC: radiator@open.com.au
Onderwerp: Re: [RADIATOR] Loading configuration dynamically from SQL database
On 04/11/2011 05:13 PM, Remco van Noorloos wrote:
> Currently we have 100+ LDAP
Re: [RADIATOR] Loading configuration dynamically from SQL database
On 04/11/2011 05:13 PM, Remco van Noorloos wrote:
> Currently we have 100+ LDAP servers we're authenticating with. So if
> we have to edit the config file in order to make a change that
> wouldn't be manageable for us and is a situation we really like to
> avoid.
That is very understandable.
One way to do this would be to generate automatically all the AuthBys
and then use Include to pull them in Radiator configuration.
> From what I understand the implementation isn't really uniform? Since
> some parameters can be set dynamically and others not?
Most things can be set dynamically so it is uniform in that sense. What
is not uniform is what the lifetime (for the better word) of various
parameters is.
The userid in search parameter varies from request to request, naturally.
AuthDN can be initialised when the first request arrives, but within one
AuthBy LDAP2, the AuthDN stays the same between request so that there is
not a separate bind operation for each request.
Host parameter can be set from a global variable, but that is when
Radiator starts or is reinitialised.
> In addition, when I use the following Handler the same problem
> occurs. In this snippet the 'CONNECTION_ID' is empty, this attribute
> is set in the ' DETERMINE_AUTH_BACKEND' AuthBy as included in my last
> mail.
Try Acct-Session-Id - notice the spelling.
Also, you are using AuthSelect with DETERMINE_AUTH_BACKEND and using
Acct-Session-Id as a part of AuthSelect. Since this select runs by
default for authentication requests, does it have access to
Acct-Session-Id parameter?
You should see from the log what happens. AuthSelect should be formatted
for each request, so %{CONNECTION_ID} should contain the value from the
request.
>
> Identifier AUTH_USER_realmSQL
>
> #
> # Perform SQL authentication
> #
>
> DBSourcedbi:ODBC:DRIVER={SQL
> Server};SERVER={%{GlobalVar:DB_PMS_SERVER}};DATABASE=%{GlobalVar:DB_PMS_NAME}
> DBUsername %{GlobalVar:DB_PMS_USER}
> DBAuth %{GlobalVar:DB_PMS_PASSWORD}
>
> AuthSelect EXEC spPasswdSelect %{CONNECTION_ID},
> %{Quote:%{Acct-Session-ID}}
> AuthColumnDef 0, User-Password, check
> AuthColumnDef 1, CONNECTION_ID, request
>
>
>
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter
On 04/11/2011 12:26 PM, Karl Gaissmaier wrote: >>> this is strange as Radiator-4.x has explicit support for reconnecting >>> to ldap servers after an idle timeout. >> >> Indeed. The function that has "ldap search for ..." error message does >> LDAP reconnect as the first thing. Reconnect should notice the closed >> connection and then connect again. > > but not with HoldSeverConnection, or? I don't see a reconnect, > not under Trace 4 and even not on the wire with wireshark. With HoldServerConnection, yes. When HoldServerConnection is defined and there should be an active ldap handle, the code checks if the socket is still ok or it the socket indicates that there is something available. If this something is LDAP_OPERATIONS_ERROR with "Unexpected EOF" then there should be a reconnect. Before this check, the the code checks if the socket is still connected. This should take care of e.g., timeouts caused by firewalls. Thanks, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Status of Status-Server
On 04/09/2011 01:26 AM, Alan Buxey wrote: > just wondering what the current status or implementation level > of Status-Server in RADIATOR for remote proxy AuthBy handlers? It is implemented for Client side only. For example, AuthBy RADIUS clause does not contain code to send Status-Server requests to the next hop. > I know the server can send stuff back to a Client (which may use Status-Server > to detect if the RADIATOR is alive rather than just relying on a > response to a packet sent to determine if server is okay or not..) > but wondering if there are any methods/hooks for the server to throw > a status-server to the AuthBy RADIUS/RADSEC remote proxy to see if its > alive rather than rely on timers and reply timeouts for the behaviour - I am not aware of any hooks that have already been written to handle this. I think it could be possible to create a hook that does it. Maybe a pair of NoReplyHook and ReplyHook. If a request times out, the NoReplyHook could send out Status-Server and ReplyHook could then process it. I have not checked the details, but that might be one way to send a Status-Server. > we have a multi tier proxy architecture and it just takes one random > badly configured site in the scheme for all sorts of nasty things to > start occuring to a proxy in the middle of it. I guess its RADIATOR > dealing with Status-Server s a client rather than dealing with it > FROM clients :-) Have you checked DeadRealmMarking? http://www.eduroam.cz/dead-realm/docs/dead-realm.html It's been very helpful for making sure one unresponsive endsite or proxy does not kill the perfectly functioning next hop radius server. Yours, Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc. ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator
