Re: [RADIATOR] SessionDatabase SQL

2011-04-13 Thread Michael

copy and paste from the manual:
If DeleteQuery is defined as an empty string,
then the query will not be executed.

The manual is quite informative, and organised quite well.  I know manuals suck
to read sometimes, but the Radiator manual is one of the best organized manuals
I've seen.  Of course, that's a personal opinion.


Michael

On Wed, 13 Apr 2011, Eddie Stassen wrote:

> Hi,
>
> Could someone please explain the rationale behind calling DeleteQuery
> on the session database when an authentication packet is received?  It
> makes no sense to me since the mere reception of an
> Authentication-Request is no indication that a session has ended.  It
> also means it is potentially very easy for users to bypass
> simultaneous login limitations by simply faking a second PPP
> session with a bad password (or spoofing an Authentication-Request),
> which will cause their existing radonline entry to be deleted and
> allow the account to be used from anywhere else.
>
> Is there any way to disable this behaviour without hacking the code?
>
> Eddie
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Radiator Logging to an External Syslog Server

2011-04-13 Thread Michael Hulko
Our Windows server admin team uses a product called “Epilog for Windows” by
Intersect Alliance.  Interesting product.

http://www.intersectalliance.com/

Cheers

MH

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Carter, Ronald
Sent: Tuesday, April 12, 2011 12:26 PM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Logging to an External Syslog Server

 

My company is running Radiator on a Windows platform. I would like to export
the Radiator logs to an external Syslog server. According to the manual this
can be done with the  command, but this only works on a Unix
platform. Does anyone know of a way that I can export the logs when running on
a Windows platform? What I am really interested in logging and exporting are
the results of authentication attempts, e.g. request, failure, success, etc.

 

Any help that you can provide will be greatly appreciated.

Thanks.

Ron Carter, CISSP, CISM 
Sr. Information Assurance Specialist 
PPL Services Corporation
2 North 9th Street 
MS: GENGA2 
Allentown, PA 18101 
Phone: (610) 774-2502 

 

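As an added example (Python, not part of Radiator or of any product named in this thread), the script below does what Ron asks for on a platform that has no native syslog facility: it parses Radiator's log-line format, keeps only the authentication outcome lines, and ships them to a collector as RFC 3164 UDP syslog messages. The collector address, the hostname tag and the "Access accepted for" sample line are assumptions; the reject line in the sample is copied from the log quoted in the EAP-TTLS thread on this page.

```python
import re
import socket
from datetime import datetime

# Radiator writes one event per line as "<ctime stamp>: <LEVEL>: <message>".
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$")

SYSLOG_FACILITY_AUTH = 4  # RFC 3164 facility 4: security/authorization messages
LEVEL_TO_SEVERITY = {"ERR": 3, "WARNING": 4, "INFO": 6, "DEBUG": 7}


def parse_radiator_line(line):
    """Return {'time', 'level', 'message'} for a Radiator log line, or None."""
    m = LINE_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    stamp = re.sub(r" +", " ", m.group("ts"))  # ctime pads single-digit days with a space
    return {
        "time": datetime.strptime(stamp, "%a %b %d %H:%M:%S %Y"),
        "level": m.group("level"),
        "message": m.group("msg"),
    }


def is_auth_result(event):
    """True for the accept/reject outcome lines worth exporting."""
    return event["message"].startswith(("Access accepted for", "Access rejected for"))


def to_syslog(event, hostname="radiator-host", tag="radiator"):
    """Format one event as an RFC 3164 message: <PRI>Mmm dd hh:mm:ss host tag: text."""
    severity = LEVEL_TO_SEVERITY.get(event["level"], 6)
    pri = SYSLOG_FACILITY_AUTH * 8 + severity
    t = event["time"]
    stamp = f"{t:%b} {t.day:2d} {t:%H:%M:%S}"  # day is space-padded, per RFC 3164
    return f"<{pri}>{stamp} {hostname} {tag}: {event['message']}"


def forward_auth_results(lines, server, port=514, hostname="radiator-host"):
    """Send every authentication-result line to server:port over UDP.
    Returns the syslog messages that were sent."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sent = []
    try:
        for line in lines:
            event = parse_radiator_line(line)
            if event and is_auth_result(event):
                msg = to_syslog(event, hostname)
                sock.sendto(msg.encode("utf-8"), (server, port))
                sent.append(msg)
    finally:
        sock.close()
    return sent


# Constructed sample: the reject line is taken from the log quoted in the
# EAP-TTLS thread on this page; the debug and accept lines are made up.
SAMPLE_LINES = [
    "Mon Apr 11 04:34:01 2011: DEBUG: Response type 21",
    "Mon Apr 11 04:34:01 2011: INFO: Access rejected for DVM-AMARNE-DC\\anonymous: "
    "EAP TTLS read failed:  1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number",
    "Mon Apr 11 04:35:12 2011: INFO: Access accepted for alice",
]

if __name__ == "__main__":
    # 127.0.0.1:5514 is a placeholder; point it at the real syslog collector.
    for msg in forward_auth_results(SAMPLE_LINES, "127.0.0.1", 5514):
        print(msg)
```

Run it as a scheduled task or a service that tails the Radiator log file and feeds new lines to `forward_auth_results`. The hand-built sender is there to make the PRI and timestamp rules visible; the standard library's `logging.handlers.SysLogHandler` can replace it once the format is agreed with the collector. If the collector needs reliable delivery, switch the socket to TCP and add RFC 6587 framing, since UDP syslog drops silently.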

[RADIATOR] Renew Radiator configuration

2011-04-13 Thread Remco van Noorloos
Dear all,

Currently I have to restart Radiator to enable config changes. Since I'm using 
it in a test environment at the moment this is no big deal. I'd like to use it 
in a production environment and I don't want Radiator to become offline (not 
even a couple of seconds), so I was trying to figure out how to reload the 
configuration in runtime.

In the documentation there's something about a SIGHUP signal which can be sent
to make Radiator reload the configuration. There's a problem though: I'm using
Radiator on a Windows platform which doesn't support SIGHUP signals (or any 
signal at all) as far as I know.

Is there another way to make Radiator reload its config at runtime?

Thanks,

Best regards,

PROXSYS*
Remco van Noorloos

[RADIATOR] SessionDatabase SQL

2011-04-13 Thread Eddie Stassen
Hi,

Could someone please explain the rationale behind calling DeleteQuery
on the session database when an authentication packet is received?  It
makes no sense to me since the mere reception of an
Authentication-Request is no indication that a session has ended.  It
also means it is potentially very easy for users to bypass
simultaneous login limitations by simply faking a second PPP
session with a bad password (or spoofing an Authentication-Request),
which will cause their existing radonline entry to be deleted and
allow the account to be used from anywhere else.

Is there any way to disable this behaviour without hacking the code?

Eddie
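To make the difference between the two deletion policies concrete, here is an added example (Python, a constructed model rather than Radiator's SessionDatabase code) that keeps a session store with a Simultaneous-Use limit and runs the scenario Eddie describes under both policies: entries removed as soon as an Access-Request for the same user, NAS and port arrives, versus entries removed only by an Accounting-Stop carrying the matching Acct-Session-Id. The usernames, NAS addresses, ports and session ids are made up; Michael's reply in this thread quotes the manual's switch (an empty DeleteQuery) for turning the query off.

```python
from dataclasses import dataclass, field

# Constructed model of a RADIUS session store used to enforce Simultaneous-Use.
# It is not Radiator's SessionDatabase code; it only reproduces the two policies
# under discussion so their effect on the session count can be compared.


@dataclass
class Session:
    username: str
    nas_ip: str
    nas_port: int
    acct_session_id: str


@dataclass
class SessionStore:
    # True models the behaviour questioned in the thread: the entry for the
    # same user/NAS/port is removed as soon as an Access-Request arrives.
    delete_on_access_request: bool
    sessions: dict = field(default_factory=dict)  # username -> list[Session]

    def count(self, username):
        return len(self.sessions.get(username, []))

    def accounting_start(self, username, nas_ip, nas_port, acct_session_id):
        self.sessions.setdefault(username, []).append(
            Session(username, nas_ip, nas_port, acct_session_id))

    def accounting_stop(self, username, nas_ip, acct_session_id):
        # Remove only the entry whose NAS and Acct-Session-Id match the Stop record.
        live = self.sessions.get(username, [])
        self.sessions[username] = [
            s for s in live
            if not (s.nas_ip == nas_ip and s.acct_session_id == acct_session_id)]

    def access_request(self, username, nas_ip, nas_port, password_ok, max_sessions):
        """Return 'ACCEPT' or 'REJECT' for one authentication attempt."""
        if self.delete_on_access_request:
            # Clearing happens before the password is checked, so a failed
            # request still empties the matching entry.
            live = self.sessions.get(username, [])
            self.sessions[username] = [
                s for s in live
                if not (s.nas_ip == nas_ip and s.nas_port == nas_port)]
        if not password_ok:
            return "REJECT"
        if self.count(username) >= max_sessions:
            return "REJECT"  # Simultaneous-Use limit enforced from the store
        return "ACCEPT"


def simultaneous_use_outcome(delete_on_access_request):
    """Scenario from the thread: alice has one live session and a limit of 1.
    A request with a bad password arrives naming her NAS and port, then a
    request with the correct password arrives from a different NAS.
    Returns (first result, second result, sessions left in the store)."""
    store = SessionStore(delete_on_access_request)
    store.accounting_start("alice", "10.0.0.1", 7, "sess-0001")  # constructed values
    first = store.access_request("alice", "10.0.0.1", 7, password_ok=False, max_sessions=1)
    second = store.access_request("alice", "10.0.0.2", 3, password_ok=True, max_sessions=1)
    return first, second, store.count("alice")


if __name__ == "__main__":
    print("delete on Access-Request:", simultaneous_use_outcome(True))    # ('REJECT', 'ACCEPT', 0)
    print("delete on Accounting-Stop:", simultaneous_use_outcome(False))  # ('REJECT', 'REJECT', 1)
```

With deletion tied to Access-Request the failed attempt empties the store and the next login is accepted; with deletion tied to Accounting-Stop the live session still counts and the limit holds. Before emptying DeleteQuery in a real deployment, check in the manual which events run that query: if Accounting-Stop relies on the same query, entries would never be removed, and stale entries left by a NAS that reboots without sending Stop then need another path, such as the Accounting-On/Off handling, to clear them.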


Re: [RADIATOR] [Radiator] EAP TTLS with EAP Inner Method

2011-04-13 Thread Aman Arneja
This turned out to be an issue with the MsChapV2 AVP and the trailer bits.
This is now resolved.

Thanx

Aman Arneja

On Wed, Apr 13, 2011 at 12:18 AM, Heikki Vatiainen  wrote:

> On 04/11/2011 03:55 PM, Aman Arneja wrote:
>
> > As you might have gathered from my previous mails, I am writing an EAP
> > TTLS Method. We are facing problems with using EAP Inner Methods. Non-EAP
> > Inner methods are working fine. I am attaching 2 log files:
> >
> > 1.) radiatornoproxy : Config File = eap_ttls.cfg.
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByLsa
> >
> > 2.) eapttlsradiator : Config File = eap_ttls_proxy.txt
> > Topology :
> > Client - Wireless supplicant configured to authenticate using our TTLS +
> > EAP MsChapv2
> > Radiator - AuthByRadius, with authentication terminating on Microsoft NPS
> >
> > In Both Cases Radiator is rejecting the AVP sent by client after server
> > sends access challenge.
>
> From the log it looks like Radiator sends access challenge inside the
> tunnel as you say:
>
> EAP-Message =
>
> <1><7><0>)<26><1><7><0>$<16><23><206>c<129><234><225>n<214><201><243>f<208><248><184><20><219>RadiatorServer1
>
> This seems to be a well formed EAP-MSCHAP-V2 challenge according to
> http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-02
>
> But when the response comes, Radiator does not even get to process it as
> an AVP but the underlying TLS processing indicates there is a "wrong
> version number" as seen below. In other words, it looks like after the
> client receives Radiator's tunnelled EAP-MSCHAP-V2 challenge, the
> tunnelling TLS thinks the received TLS record is faulty.
>
> A quick check shows that "wrong version number" could mean a mismatch
> between expected and received SSL 3.0 and TLS 1.x version. However, for
> me it looks like the version is always <3><1> which is TLS 1.0.
>
> So it looks like SSL/TLS library Radiator uses sees something it does
> not like.
>
> > Can some1 pls help us with this? Let me know if any more information is
> > required. Seems to be an issue with the reading of the EAP Message from
> > the AVP.
>
> I would say it is a TLS problem. Though I am not sure what exactly.
>
> Best regards,
> Heikki
>
>
> > Snippet of issue is as follows:
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling request with Handler '',
> > Identifier ''
> >
> > Mon Apr 11 04:34:01 2011: DEBUG:  Deleting session for
> > DVM-AMARNE-DC\anonymous, 192.168.10.3, 0
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with Radius::AuthFILE:
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Handling with EAP: code 2, 7, 139, 21
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Response type 21
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP TTLS data, 3, 7, 6
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: EAP result: 1, EAP TTLS read failed:
> > 1168: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version
> number
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: AuthBy FILE result: REJECT, EAP TTLS
> > read failed:  1168: 1 - error:1408F10B:SSL
> > routines:SSL3_GET_RECORD:wrong version number
> >
> > Mon Apr 11 04:34:01 2011: INFO: Access rejected for
> > DVM-AMARNE-DC\anonymous: EAP TTLS read failed:  1168: 1 -
> > error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
> >
> > Mon Apr 11 04:34:01 2011: DEBUG: Packet dump:
> >
> > *** Sending to 192.168.10.3 port 65529 
> >
> > Code:   Access-Reject
> >
> > Identifier: 6
> >
> > Authentic:
> > <179>~<25><150><242><188><191><189>_<127><180><130>O<26><21><209>
> >
> > Attributes:
> >
> > EAP-Message = <4><7><0><4>
> >
> > Message-Authenticator = <0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
> >
> > Reply-Message = "Request Denied"
> >
> > Thanx
> >
> >
> >
> > Aman Arneja
> >
> >
> >
> >
> >
>
>
> --
> Heikki Vatiainen 
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.
>
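Heikki's diagnosis above comes down to reading the TLS record header inside the tunnelled data. The parser below is an added example (Python; not Radiator's code and not the SSL library's) that walks a reassembled TLS byte stream, reports each record's type, version and length, and flags records whose version bytes differ from the negotiated version, which is the condition OpenSSL reports as "wrong version number". The sample bytes are constructed to mimic a good TLS 1.0 application-data record followed by stray trailer bytes; they are not taken from the logs in this thread.

```python
import struct

# TLS record header: content type (1 byte), version major/minor (2), length (2).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert", 22: "handshake", 23: "application_data"}
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


def parse_tls_records(data, expected_version=(3, 1)):
    """Walk the record layer of `data` and describe each record.

    expected_version is the version negotiated for the connection (TLS 1.0,
    <3><1>, in the log above). A record whose version bytes differ is marked
    version_ok=False; that mismatch is what OpenSSL reports as 'wrong version
    number'. Leftover bytes that do not form a whole record are reported as
    truncated.
    """
    records = []
    offset = 0
    while offset < len(data):
        if len(data) - offset < 5:
            records.append({"offset": offset, "error": "truncated header",
                            "trailing_bytes": data[offset:].hex()})
            break
        ctype, major, minor, length = struct.unpack("!BBBH", data[offset:offset + 5])
        body = data[offset + 5:offset + 5 + length]
        record = {
            "offset": offset,
            "type": CONTENT_TYPES.get(ctype, f"unknown({ctype})"),
            "version": VERSIONS.get((major, minor), f"unknown({major}.{minor})"),
            "length": length,
            "version_ok": (major, minor) == expected_version,
            "complete": len(body) == length,
        }
        records.append(record)
        if not record["complete"]:
            record["error"] = "truncated body"
            break
        offset += 5 + length
    return records


def first_problem(records):
    """Return the first record the record layer would reject, or None."""
    for r in records:
        if "error" in r or not r["version_ok"]:
            return r
    return None


# Constructed input, not bytes from the thread: one well-formed TLS 1.0
# application_data record (standing in for the tunnelled AVP payload),
# followed by stray trailer bytes that get read as the next record header.
GOOD_RECORD = b"\x17\x03\x01\x00\x05" + b"AVP01"
TRAILER = b"\x17\x00\x00\x00\x01\x00"  # parses as a record claiming version 0.0
SAMPLE_STREAM = GOOD_RECORD + TRAILER

if __name__ == "__main__":
    for r in parse_tls_records(SAMPLE_STREAM):
        print(r)
    print("first problem:", first_problem(parse_tls_records(SAMPLE_STREAM)))
```

In EAP-TTLS the TLS records arrive fragmented across EAP-Message attributes, so feed the parser the reassembled stream for one direction. When the first record parses cleanly and the next one fails the version check at an offset equal to the first record's length plus five, the inner payload was padded or framed wrongly, which matches the AVP trailer problem Aman found.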