Re: [RADIATOR] Idle timeout issue
On 04/13/2012 05:04 PM, Jennings Tuala wrote:
> This never used to happen before. Prior to this issue, all sessions would run continuously for the entire provisioned time (which was what we wanted). E.g. a 2 hour pass would have a 2 hour continuous session until it ran out, regardless of whether the laptop went into sleep mode/shutdown/rebooted…etc.

I think when the above happens, the NAS (WLAN controller/hotspot or other device) will in practice always disconnect the user and send an Accounting-Request with Acct-Status-Type = Stop.

> This issue just cropped up recently. I read somewhere that the mysql database might be sending a kill switch but I'm not sure as I'm a mysql novice. I have however checked my database and can't see anything regarding idle timeout or session timeout, but then again, I could be looking in the wrong place.

There is a possibility to disconnect a user with RADIUS, see http://tools.ietf.org/html/rfc5176 for more. However, this must be configured and done with radpwtst (or a similar tool) or from a Hook from Radiator. So you would definitely know if this is happening. In my opinion the Accounting Stops you see are what normally happens when a user leaves the network (client shutdown, reboot, sleep, etc.).

> Really appreciate your help and response as this is an issue I would love to solve before we launch our hotspot service.

See goodies/blocktime.txt for an option. The idea is to use accounting Stops to subtract from the time available for the user. When the user logs in again, the returned Session-Timeout reflects what's currently left.

Note: if you want to try this, add 'HandleAcctStatusTypes Stop' to the AuthBy to make sure possible accounting Alives are not processed here.

Thanks!
Heikki

-- 
Heikki Vatiainen h...@open.com.au
Radiator: the most portable, flexible and configurable RADIUS server anywhere.
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
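The block-time scheme in Heikki's reply, as an added Python model that is not part of the post, of Radiator, or of goodies/blocktime.txt: the user name, the 7200 second pass and the accounting packets are constructed sample data, and the model also shows why accounting Alives must be kept out of the subtraction.

```python
"""Added example (not Radiator code and not goodies/blocktime.txt itself):
a model of the block-time idea from the post.  A user is provisioned a fixed
allowance of seconds; every accounting Stop subtracts its Acct-Session-Time
from that allowance, and each later login returns Session-Timeout equal to
what is left.  It also shows why 'HandleAcctStatusTypes Stop' matters: an
Interim-Update (Alive) carries the cumulative Acct-Session-Time of the
session, so letting the same AuthBy process Alives double-counts the usage.
User names, packets and the 7200 second pass are constructed sample data."""

from dataclasses import dataclass, field


@dataclass
class BlockTimeStore:
    # user -> seconds of allowance still unused (a 2 hour pass starts at 7200)
    remaining: dict = field(default_factory=dict)
    # Acct-Status-Type values this AuthBy processes; the post's advice,
    # HandleAcctStatusTypes Stop, is modelled as the set {"Stop"}
    handled_status_types: frozenset = frozenset({"Stop"})

    def provision(self, user, seconds):
        """Give the user a fresh allowance, e.g. a newly sold 2 hour pass."""
        self.remaining[user] = seconds

    def access_request(self, user):
        """Answer an Access-Request: accept with Session-Timeout = time left,
        or reject once the allowance is used up."""
        left = self.remaining.get(user, 0)
        if left <= 0:
            return "Access-Reject", {}
        return "Access-Accept", {"Session-Timeout": left}

    def accounting_request(self, packet):
        """Apply an Accounting-Request.  Only handled status types change
        the allowance; everything else is left for another AuthBy."""
        if packet["Acct-Status-Type"] not in self.handled_status_types:
            return "ignored"
        user = packet["User-Name"]
        used = int(packet.get("Acct-Session-Time", 0))
        self.remaining[user] = max(0, self.remaining.get(user, 0) - used)
        return "processed"


def two_hour_pass(handle_alives=False):
    """Walk a 2 hour pass through login, two Alives and a Stop, then log in
    again.  Returns (first_session_timeout, second_session_timeout)."""
    types = frozenset({"Stop", "Alive"}) if handle_alives else frozenset({"Stop"})
    store = BlockTimeStore(handled_status_types=types)
    store.provision("hotspot-user", 7200)
    first = store.access_request("hotspot-user")[1]["Session-Timeout"]
    # Constructed NAS traffic: Acct-Session-Time is cumulative, so the Alives
    # at 10 and 20 minutes are already included in the 30 minute Stop.
    for status, secs in (("Alive", 600), ("Alive", 1200), ("Stop", 1800)):
        store.accounting_request({"User-Name": "hotspot-user",
                                  "Acct-Status-Type": status,
                                  "Acct-Session-Time": secs})
    second = store.access_request("hotspot-user")[1]["Session-Timeout"]
    return first, second


def exhausted_pass():
    """Once the Stops add up to the whole allowance, the next login is rejected."""
    store = BlockTimeStore()
    store.provision("hotspot-user", 7200)
    store.accounting_request({"User-Name": "hotspot-user",
                              "Acct-Status-Type": "Stop",
                              "Acct-Session-Time": 7200})
    return store.access_request("hotspot-user")[0]


if __name__ == "__main__":
    print("Stop only:", two_hour_pass())            # (7200, 5400)
    print("Stop and Alive:", two_hour_pass(True))   # (7200, 3600)
    print("Exhausted:", exhausted_pass())           # Access-Reject
```

With Alives processed as well, the 30 minute session costs the user 60 minutes of allowance, which is the over-deduction the HandleAcctStatusTypes note guards against.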
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
On 04/16/2012 08:25 AM, Sudhir Harwalkar wrote:
> When the radius server gets restarted, our device is sending the same PAC details; it should authenticate, right? Because for the radius server it's a new key when it gets restarted, it has to authenticate if the radius server is not remembering the previous key info. Please correct me if I have understood wrong.

Currently Radiator will provision a new PAC if the PAC is unknown or too old. The behaviour should be the same as when the client sends no PAC at all. You should check the client you are using to see how it reacts when the PAC it sends is not accepted and a new PAC is provisioned.

Thanks!
Heikki
[RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
1. Please guide me how to keep PACs in memory, what are all the changes that need to be made in the config files.

2. I tried to authenticate with EAP-TLS; I was seeing Access-Challenge messages only and I haven't found any error in that case. Please find the log and config files for this.

Regards
Sudhir H

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
Sent: Friday, April 13, 2012 6:00 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2

> On 04/12/2012 04:14 PM, Sudhir Harwalkar wrote:
>> 1. Whenever I flash the new code to the device it's generating a new PAC key; at that time it's getting authenticated with the server. If PACs are gone after a restart, but our device generates the same and sends it to the server, it should authenticate; why is that not happening here?
>
> If the server has lost its PACs, the client PACs are useless. It is the server that decides if the PAC is valid. If the server refuses the PAC the client sends, then a new PAC needs to be provisioned to the client. That is my take on how this should work.
>
>> 2. For EAP-TLS I took the CA Certificate from C:\Radiator\Radiator-Locked-4.9\certificates\demoCA\cacert.pem and for the Client I used C:\Radiator\Radiator-Locked-4.9\certificates\cert-clt.pem. Are these the correct files that I am using?
>
> Yes. See goodies/eap_tls.cfg for an example of EAP-TLS configuration.
>
> Heikki
>
>> Sudhir H
>>
>> -----Original Message-----
>> From: Heikki Vatiainen [mailto:h...@open.com.au]
>> Sent: Thursday, April 12, 2012 2:52 PM
>> To: Sudhir Harwalkar
>> Subject: Re: FW: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>
>>> On 04/12/2012 09:25 AM, Sudhir Harwalkar wrote:
>>>> Thanks for helping me Heikki. When I flash the new code, then start the radius server, it's working fine; after that I restarted the radius server and powered on the device, then it's not authenticated. Again I flashed the code and verified it working fine.
>>>
>>> Ok. Good to hear it works.
>>>
>>>> Problem arises only if I restart the radius server. This should not happen, right?
>>>
>>> By default Radiator keeps PACs in memory and they are gone after a restart. There is a possibility to keep them in SQL so that they survive across reboots.
>>>
>>> Heikki
>>
>> Larsen Toubro Limited
>> www.larsentoubro.com
>> This Email may contain confidential or privileged information for the intended recipient(s). If you are not the intended recipient, please do not use or disseminate the information, notify the sender and delete it from your system.

Attachments: eap_tls.cfg, logfile
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
On 04/16/2012 11:12 AM, Sudhir Harwalkar wrote:
> 1. Please guide me how to keep PACs in memory, what are all the changes that need to be made in the config files.

You need to change the Handler for outer EAP-FAST authentication to use AuthBy SQL. See goodies/sql.cfg and look for CreateEAPFastPACQuery and GetEAPFastPACQuery. For the definition of the single table that is needed, see goodies/mysqlCreate.sql. The table is EAPFAST_PAC.

MySQL is not required, it is just used for an example. You could try SQLite for a simple file based DB. http://www.sqlite.org/download.html

You can keep all EAPTLS_* settings the same as they are now when setting up AuthBy SQL.

> 2. I tried to authenticate with EAP-TLS; I was seeing Access-Challenge messages only and I haven't found any error in that case. Please find the log and config files for this.

The log shows two different messages:
1. EAP Identity from your client
2. EAP-TLS start from Radiator

The client then resends the identity. Check the client settings. It seems not to accept EAP-TLS or is otherwise incorrectly configured.

Note that at some point you need to configure the client to trust the CA certificate in certificates/demoCA/cacert.pem

Thanks!
Heikki
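The difference between Radiator's default in-memory PAC store and a SQL-backed one, as an added Python model that is not Radiator code: the EAPFAST_PAC column names, the PAC_LIFETIME value and the stand-in PAC contents are assumptions of this example, not the definitions in goodies/mysqlCreate.sql.

```python
"""Added example (not Radiator code): why EAP-FAST PACs kept only in server
memory stop working after a restart, and how a SQL-backed store survives one.
The table is shaped after the EAPFAST_PAC table the post points to in
goodies/mysqlCreate.sql, but its column names and the lifetime value are this
example's assumptions, and the PAC itself is stood in for by a random opaque
handle plus a random key rather than real PAC-Opaque/PAC-Key contents."""

import os
import secrets
import sqlite3
import tempfile
import time

PAC_LIFETIME = 7 * 24 * 3600  # assumed PAC validity in seconds


class MemoryPacStore:
    """The default: PACs live in the process and vanish with it."""

    def __init__(self):
        self.pacs = {}

    def create(self, opaque, key, expires):
        self.pacs[opaque] = (key, expires)

    def get(self, opaque):
        return self.pacs.get(opaque)


class SqlPacStore:
    """What AuthBy SQL with CreateEAPFastPACQuery / GetEAPFastPACQuery gives
    you: the PAC outlives the radiusd process because it is in a db file."""

    def __init__(self, path):
        self.db = sqlite3.connect(path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS EAPFAST_PAC ("
            "PAC_OPAQUE TEXT PRIMARY KEY, PAC_KEY TEXT NOT NULL, "
            "PAC_LIFETIME INTEGER NOT NULL)")
        self.db.commit()

    def create(self, opaque, key, expires):
        self.db.execute("INSERT OR REPLACE INTO EAPFAST_PAC VALUES (?, ?, ?)",
                        (opaque, key, expires))
        self.db.commit()

    def get(self, opaque):
        row = self.db.execute(
            "SELECT PAC_KEY, PAC_LIFETIME FROM EAPFAST_PAC WHERE PAC_OPAQUE = ?",
            (opaque,)).fetchone()
        return None if row is None else (row[0], row[1])

    def close(self):
        self.db.close()


class EapFastServer:
    def __init__(self, store, now=time.time):
        self.store = store
        self.now = now

    def provision(self):
        """Hand the client a new PAC and remember it server side."""
        opaque, key = secrets.token_hex(16), secrets.token_hex(32)
        self.store.create(opaque, key, int(self.now()) + PAC_LIFETIME)
        return opaque, key

    def handle_pac(self, opaque):
        """The rule from the post: a PAC that is unknown or too old is not
        accepted and a new one is provisioned instead."""
        row = self.store.get(opaque)
        if row is None or row[1] < self.now():
            new_opaque, _ = self.provision()
            return "provisioned", new_opaque
        return "accepted", row[0]


def restart_scenario(persistent):
    """Provision a PAC, restart the server, present the same PAC again.
    Returns the outcome of that second authentication."""
    if persistent:
        path = os.path.join(tempfile.mkdtemp(), "pacdb.sqlite")
        store = SqlPacStore(path)
        opaque, _ = EapFastServer(store).provision()
        store.close()                                  # radiusd stops...
        server = EapFastServer(SqlPacStore(path))      # ...and starts again
    else:
        opaque, _ = EapFastServer(MemoryPacStore()).provision()
        server = EapFastServer(MemoryPacStore())       # fresh, empty memory
    return server.handle_pac(opaque)[0]


def expiry_scenario():
    """Even without a restart, a PAC past PAC_LIFETIME is refused and replaced."""
    clock = [1_000_000]
    server = EapFastServer(MemoryPacStore(), now=lambda: clock[0])
    opaque, _ = server.provision()
    clock[0] += PAC_LIFETIME + 1
    return server.handle_pac(opaque)[0]


if __name__ == "__main__":
    print("in-memory store after restart:", restart_scenario(False))  # provisioned
    print("SQL store after restart:", restart_scenario(True))         # accepted
    print("expired PAC:", expiry_scenario())                          # provisioned
```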
Re: [RADIATOR] Tacacs Authentication to survive reloads ?
To follow this up.. I tried downgrading to 4.7, with patches, and it seems to have the exact same issue..

Regards,
Patrik Forsberg

-----Original Message-----
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Patrik Forsberg
Sent: Friday, April 13, 2012 3:52 PM
To: Heikki Vatiainen; radiator@open.com.au
Subject: Re: [RADIATOR] Tacacs Authentication to survive reloads ?

>> The patterns received with AuthorizeGroupAttr are stored in the context and override the patterns in the config file. Now when the context is gone with the reload, the possible overrides are gone too. I think this is the reason why it refuses to process authorization. The authorization patterns may no longer be correct without the overrides.
>
> So.. downgrade to pre-4.8? or any way to re-instate the context(s) after a reload in some way? or is there something in the configuration I can change to make it better for the tacacs server?
>
> Regards,
> Patrik Forsberg
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
As per your comment, I made changes for EAP-FAST MSCHAPv2. If I enable AuthBy SQL, it's giving me an error for the user Filename:

    ERR: Unknown keyword 'Filename' in c:\Radiator\Radiator-Locked-4.9\goodies\eap_fast.cfg line 51.

Please see the config file and sql.cfg file.

Regards
Sudhir H
Re: [RADIATOR] Tacacs Authentication to survive reloads ?
Did another downgrade to 4.6 this time and here the issue seems to be gone.. I can reload/restart and the commands get authorized as they should..

Another issue that seems to be gone with 4.6 is that the first request to a Radiator 4.9 tacacs server fails; second and onwards work as they should.

Regards,
Patrik Forsberg
Re: [RADIATOR] Tacacs Authentication to survive reloads ?
On 04/16/2012 02:13 PM, Patrik Forsberg wrote:
> Did another downgrade to 4.6 this time and here the issue seems to be gone.. I can reload/restart and the commands get authorized as they should..

With version 4.7 + patches you tried, the patches may have included AuthorizeGroupAttr so that's why it did not work. It was between 4.7 and 4.8 when this became available.

> Another issue that seems to be gone with 4.6 is that the first request to a Radiator 4.9 tacacs server fails; second and onwards work as they should.

There are a number of changes between 4.6 and 4.8/4.9 and one of them may have fixed the problem you are seeing.

Is there anything else you do not like in the current version apart from authorization info (context) not being saved across reloads?

Heikki
Re: [RADIATOR] Tacacs Authentication to survive reloads ?
>> Did another downgrade to 4.6 this time and here the issue seems to be gone.. I can reload/restart and the commands get authorized as they should..
>
> With version 4.7 + patches you tried, the patches may have included AuthorizeGroupAttr so that's why it did not work. It was between 4.7 and 4.8 when this became available.

I see.. I'll try 4.7 without patches..

>> Another issue that seems to be gone with 4.6 is that the first request to a Radiator 4.9 tacacs server fails; second and onwards work as they should.
>
> There are a number of changes between 4.6 and 4.8/4.9 and one of them may have fixed the problem you are seeing.

Actually the issue arises in 4.9 at least; this specific issue is so small that I didn't try it on 4.8 and 4.7..

> Is there anything else you do not like in the current version apart from authorization info (context) not being saved across reloads?

No, the only real issue I see is that authentications don't survive a reload.. secondary is the first request failing; other than that I think it all works as I expect it :)

//Patrik
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
On 04/16/2012 02:02 PM, Sudhir Harwalkar wrote:
> As per your comment, I made changes for EAP-FAST MSCHAPv2. If I enable AuthBy SQL, it's giving me an error for the user Filename:
>
>     ERR: Unknown keyword 'Filename' in c:\Radiator\Radiator-Locked-4.9\goodies\eap_fast.cfg line 51.

Filename is not meaningful with AuthBy SQL. Instead you need to set up the SQL settings. If you use SQLite, you need something like this:

    DBSource dbi:SQLite:dbname=/path/to/pacdb.sqlite

With other databases you need more. For example with MySQL:

    DBSource dbi:mysql:radius
    DBUsername mikem
    DBAuth fred

Also, you need to install the Perl DBI driver for your chosen database. With Windows use the ppm utility to search for and install it.

Also make sure you have CreateEAPFastPACQuery and GetEAPFastPACQuery set in eap_fast.cfg within AuthBy SQL.

Heikki

> Please see the config file and sql.cfg file.
>
> Regards
> Sudhir H
Re: [RADIATOR] Tacacs Authentication to survive reloads ?
Sorry for not chiming in earlier... I'm also dealing with the same problem -- TACACS+ reload results in dozens of network device authentications getting lost. I suppose this becomes problematic when you have a network of my size (2500+ devices). Would it be possible to reinstate functionality that would allow the TACACS+ server to survive a reload? That would be very, very helpful!

-james

On Mon, Apr 16, 2012 at 07:28, Patrik Forsberg <patrik.forsb...@ip-only.se> wrote:
>>> Did another downgrade to 4.6 this time and here the issue seems to be gone.. I can reload/restart and the commands get authorized as they should..
>>
>> With version 4.7 + patches you tried, the patches may have included AuthorizeGroupAttr so that's why it did not work. It was between 4.7 and 4.8 when this became available.
>
> I see.. I'll try 4.7 without patches..
>
>>> Another issue that seems to be gone with 4.6 is that the first request to a Radiator 4.9 tacacs server fails; second and onwards work as they should.
>>
>> There are a number of changes between 4.6 and 4.8/4.9 and one of them may have fixed the problem you are seeing.
>
> Actually the issue arises in 4.9 at least; this specific issue is so small that I didn't try it on 4.8 and 4.7..
>
>> Is there anything else you do not like in the current version apart from authorization info (context) not being saved across reloads?
>
> No, the only real issue I see is that authentications don't survive a reload.. secondary is the first request failing; other than that I think it all works as I expect it :)
>
> //Patrik
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
Please check whether the modification in the config (eap_fast.cfg) file is correct or not, because it's still not authenticated. DBI drivers are already installed.

Regards
Sudhir H
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
On 04/16/2012 06:02 PM, Sudhir Harwalkar wrote:

Please check the modification in the config (eap_fast.cfg) file is correct or not? Because still not authenticated. DBI drivers are already installed.

Try with the attached configuration file. The changes are:

- Enabled Handler TunnelledByFAST=1 so that you can keep the users in a file while keeping PACs in SQL
- Changed SQLite db file location to c:/Program Files/Radiator/pacdb.sqlite

You need to create c:/Program Files/Radiator/pacdb.sqlite with the following command:

sqlite3.exe -init pac.sql c:/Program Files/Radiator/pacdb.sqlite

This will create an empty db file with the appropriate structure for EAP-FAST. When you test with the client the log will show how Radiator creates the PAC and reads it from the db file. You can now stop radiusd without losing PAC information.

Thanks!
Heikki
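The step above creates the PAC store that AuthBy SQL will open through CreateEAPFastPACQuery and GetEAPFastPACQuery, and the follow-up in this thread ("still not authenticated", a DB file attached) is exactly the situation where one wants to know whether that file was actually populated before looking at the EAP exchange. The following check is an added example, not Radiator code and not one of the attachments exchanged here: it opens the SQLite file, confirms the EAPFAST_PAC table is there (the table name comes from goodies/mysqlCreate.sql), lists its columns and counts stored PACs, and names the usual failure modes (file missing because a path containing spaces such as c:/Program Files/... was passed to sqlite3.exe unquoted, a 0-byte file because the -init script was not found in the current directory, or a text file opened by mistake). The column names in make_demo_db() are a hypothetical stand-in for the self-test; the real column list is in goodies/mysqlCreate.sql.

```python
"""Check the SQLite PAC store after `sqlite3.exe -init pac.sql <file>`.

Added example, not Radiator code. It reports whether the file Radiator's
AuthBy SQL will open has the EAPFAST_PAC table and how many PACs it holds,
so that "client still not authenticated" can be separated from "the PAC
store was never populated".
"""
import os
import sqlite3
import tempfile

PAC_TABLE = "EAPFAST_PAC"  # table name used by Radiator (goodies/mysqlCreate.sql)


def inspect_pac_db(path: str) -> dict:
    """Return a report dict; `problem` is None when the store looks usable."""
    report = {"exists": False, "size": 0, "table_present": False,
              "columns": [], "pac_count": 0, "problem": None}
    if not os.path.isfile(path):
        # Typical cause: a path with spaces (c:/Program Files/...) given to
        # sqlite3.exe unquoted, so the db was created under another name.
        report["problem"] = "db file not found"
        return report
    report["exists"] = True
    report["size"] = os.path.getsize(path)
    if report["size"] == 0:
        # sqlite3 leaves a 0-byte file when the -init script did nothing,
        # e.g. pac.sql was not in the directory the command was run from.
        report["problem"] = "db file is empty: -init script did not run"
        return report
    conn = sqlite3.connect(path)
    try:
        row = conn.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table' "
            "AND name = ? COLLATE NOCASE", (PAC_TABLE,)).fetchone()
        if row is None:
            report["problem"] = f"table {PAC_TABLE} missing"
            return report
        table = row[0]
        report["table_present"] = True
        report["columns"] = [col[1] for col in conn.execute(f'PRAGMA table_info("{table}")')]
        report["pac_count"] = conn.execute(f'SELECT COUNT(*) FROM "{table}"').fetchone()[0]
    except sqlite3.DatabaseError as exc:
        # e.g. pac.sql itself was opened instead of the db: "file is not a database"
        report["problem"] = f"not a usable SQLite file: {exc}"
    finally:
        conn.close()
    return report


def make_demo_db(path: str, pacs: int) -> None:
    """Constructed stand-in for `sqlite3.exe -init pac.sql`: the column names
    are HYPOTHETICAL, not Radiator's real schema from goodies/mysqlCreate.sql."""
    conn = sqlite3.connect(path)
    with conn:
        conn.execute(f"CREATE TABLE {PAC_TABLE} "
                     "(PAC_OPAQUE TEXT PRIMARY KEY, PAC_LIFETIME INTEGER, PAC_KEY TEXT)")
        conn.executemany(f"INSERT INTO {PAC_TABLE} VALUES (?, ?, ?)",
                         [(f"opaque-{i}", 1700000000 + i, f"key-{i}") for i in range(pacs)])
    conn.close()


def demo():
    """Run the check against constructed files: missing, empty, populated, text."""
    with tempfile.TemporaryDirectory() as d:
        missing = inspect_pac_db(os.path.join(d, "absent.sqlite"))
        empty_path = os.path.join(d, "empty.sqlite")
        open(empty_path, "wb").close()
        empty = inspect_pac_db(empty_path)
        good_path = os.path.join(d, "pacdb.sqlite")
        make_demo_db(good_path, pacs=2)
        good = inspect_pac_db(good_path)
        text_path = os.path.join(d, "pac.sql")
        with open(text_path, "w") as fh:  # an SQL script opened instead of the db
            fh.write("-- constructed stand-in for pac.sql, not Radiator's file\n" * 4)
        not_db = inspect_pac_db(text_path)
    return missing, empty, good, not_db


if __name__ == "__main__":
    for r in demo():
        print(r)
```

Run it against the real file with `inspect_pac_db("c:/Program Files/Radiator/pacdb.sqlite")`; a report with `problem` set points at the db creation step, while a populated table with `pac_count` still 0 after a client test points at the EAP-FAST exchange itself.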
Re: [RADIATOR] MySQL deadlocks using Galera
I'd check what is happening in MySQL land first (do a show engine innodb status;). A lock often occurs when a transaction is not able to complete within the deadlock timeout. Are you doing updates on a column (rows are locked on indexes during those updates etc)?

On Thu, Apr 12, 2012 at 10:57 PM, Ian Mordey ian.mor...@allurian.com wrote:

Hi there

I'm attempting to use radiator backing off to a MySQL cluster running Galera replication. I have three radiator boxes and transactions are getting written to the DB but I'm getting lots of these errors:

Deadlock found when trying to get lock; try restarting transaction

Any ideas how I can stop this happening so much?

Thanks
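The error text in the question is MySQL error 1213 (ER_LOCK_DEADLOCK); InnoDB has already rolled the transaction back when the client sees it, and Galera reports a certification conflict between nodes with the same error, so with three writers going through a cluster some of these are expected and the client side has to restart the whole transaction rather than treat it as fatal. The following is an added example, not Radiator code, of that client-side handling: a bounded retry with randomised backoff, a non-lock error propagating immediately, and a constructed FlakyConn test double standing in for a real MySQL connection so it runs offline (the table and statement in write_accounting_stop are constructed, not Radiator's schema).

```python
"""Retry a MySQL/InnoDB transaction that aborts with a deadlock.

Added example, not Radiator code. MySQL error 1213 ("Deadlock found when
trying to get lock; try restarting transaction") means the server has
already rolled the transaction back; the correct recovery is to run the
whole transaction again, a bounded number of times, with randomised backoff.
"""
import random
import time
from typing import Callable

# MySQL error numbers after which the whole transaction must be redone:
# 1213 = ER_LOCK_DEADLOCK, 1205 = ER_LOCK_WAIT_TIMEOUT.
RETRYABLE_ERRNOS = {1213, 1205}


class DBError(Exception):
    """Stand-in for a driver's OperationalError. Real MySQL drivers
    (MySQLdb, PyMySQL, mysql-connector) put the errno in args[0]."""

    def __init__(self, errno: int, msg: str) -> None:
        super().__init__(errno, msg)
        self.errno = errno


def is_retryable(exc: BaseException) -> bool:
    """True for the lock errors that InnoDB asks the client to retry."""
    errno = getattr(exc, "errno", None)
    if errno is None and exc.args:
        errno = exc.args[0]
    return errno in RETRYABLE_ERRNOS


def run_with_deadlock_retry(conn, txn: Callable, max_attempts: int = 5,
                            base_delay: float = 0.05, sleep=time.sleep):
    """Run txn(conn) as one transaction, retrying on deadlock.

    Retries restart the *whole* transaction, never a single statement.
    The backoff is randomised so that writers that deadlocked against each
    other do not retry in lockstep and collide again.
    """
    for attempt in range(1, max_attempts + 1):
        try:
            result = txn(conn)
            conn.commit()
            return result
        except DBError as exc:
            conn.rollback()  # harmless if the server already rolled back
            if not is_retryable(exc) or attempt == max_attempts:
                raise
            delay = base_delay * (2 ** (attempt - 1)) * (0.5 + random.random())
            sleep(delay)
    raise RuntimeError("unreachable: the loop always returns or raises")


def run_and_report(conn, txn: Callable, **kwargs):
    """('ok', result) on success; ('error', errno) when retries are exhausted
    or the error is not a lock error."""
    try:
        return ("ok", run_with_deadlock_retry(conn, txn, **kwargs))
    except DBError as exc:
        return ("error", exc.errno)


# --- constructed test double so the example runs without a MySQL server ---
class FlakyConn:
    """Fails the first `fail_times` statements with `errno`, then succeeds."""

    def __init__(self, fail_times: int, errno: int = 1213) -> None:
        self.fail_times = fail_times
        self.errno = errno
        self.calls = self.commits = self.rollbacks = 0

    def execute(self, sql: str, params=()) -> None:
        self.calls += 1
        if self.calls <= self.fail_times:
            raise DBError(self.errno,
                          "Deadlock found when trying to get lock; try restarting transaction")

    def commit(self) -> None:
        self.commits += 1

    def rollback(self) -> None:
        self.rollbacks += 1


def write_accounting_stop(conn) -> str:
    """Constructed stand-in for the update an accounting Stop produces."""
    conn.execute("UPDATE sessions SET stopped = 1 WHERE session_id = ?", ("sess-1",))
    return "stop recorded"


if __name__ == "__main__":
    c = FlakyConn(fail_times=2)
    print(run_and_report(c, write_accounting_stop), c.calls, c.rollbacks, c.commits)
```

Retrying only hides the symptom; keeping the transactions short and touching rows in a consistent order (and, as the reply suggests, reading `show engine innodb status` for the latest detected deadlock) is what reduces how often they happen.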
Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2
After creating the DB and using the config files, I am getting an error as:

ERR: EAP-FAST TLS Handshake unsuccessful: 1248: 1 - error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert unexpected message

See the DB file attached with this.

Regards
Sudhir H