[RADIATOR] RADIATOR, EAP-TLS

2012-04-18 Thread Sudhir Harwalkar
Hi Heikki,

How do I configure the client to trust the CA certificate?

What I did was convert the CA, Client and Client Pvt key to hex values, because 
in our code we give them as hex code.
Using this, I ran the RADIUS server with the TLS config file; it is continuously 
showing Challenge.

Regards
Sudhir H

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Monday, April 16, 2012 2:39 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] FW: FW: RADIATOR: EAP-FAST-MSCHAPv2

On 04/16/2012 11:12 AM, Sudhir Harwalkar wrote:

> 1. Please guide me how to keep PACs in memory, what are all the changes need 
> to make in config files.

You need to change the Handler for outer EAP-FAST authentication to use AuthBy 
SQL. See goodies/sql.cfg and look for CreateEAPFastPACQuery and 
GetEAPFastPACQuery.

For the definition of the single table that is needed, see goodies/mysqlCreate.sql. 
The table is EAPFAST_PAC.

MySQL is not required, it is just used for an example. You could try SQLite for 
a simple file based DB. http://www.sqlite.org/download.html

You can keep all EAPTLS_* settings the same as they are now when setting up 
AuthBy SQL.

> 2. I tried to authenticate with the EAP-TLS, as I was seen Access challenge 
> message only and I haven't found any error in that case, please find the log, 
> and config files for this.

The log shows two different messages:
1. EAP Identity from your client
2. EAP-TLS start from Radiator

The client then resends the identity. Check the client settings. It seems not 
to accept EAP-TLS or is otherwise incorrectly configured. Note that at some 
point you need to configure the client to trust the CA certificate in 
certificates/demoCA/cacert.pem

Thanks!
Heikki


> Regards
> Sudhir H
>
> -Original Message-
> From: radiator-boun...@open.com.au
> [mailto:radiator-boun...@open.com.au] On Behalf Of Heikki Vatiainen
> Sent: Friday, April 13, 2012 6:00 PM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>
> On 04/12/2012 04:14 PM, Sudhir Harwalkar wrote:
>
>> 1. Whenever I flash the new code to the device it's generating new PAC key 
>> at that time it's getting authenticate with the server,
>>  If PACs are gone after a restart, but our device generating the same 
>> and send to the server so it should authenticate, why that's not happening 
>> here.
>
> If the server has lost its PACs, the client PACs are useless. It is the server 
> that decides if the PAC is valid. If the server refuses the PAC the client sends, 
> then a new PAC needs to be provisioned to the client. That is my take on how 
> this should work.
>
>> 2. For EAP-TLS I took CA Certificate from 
>> C:\Radiator\Radiator-Locked-4.9\certificates\demoCA \cacert.pem and for 
>> Client I used C:\Radiator\Radiator-Locked-4.9\certificates\ cert-clt.pem is 
>> these are the correct files that I am using.
>
> Yes. See goodies/eap_tls.cfg for an example of EAP-TLS configuration.
>
> Heikki
>
>
>> Sudhir H
>>
>> -Original Message-
>> From: Heikki Vatiainen [mailto:h...@open.com.au]
>> Sent: Thursday, April 12, 2012 2:52 PM
>> To: Sudhir Harwalkar
>> Subject: Re: FW: [RADIATOR] FW: RADIATOR: EAP-FAST-MSCHAPv2
>>
>> On 04/12/2012 09:25 AM, Sudhir Harwalkar wrote:
>>
>>> Thanks for helping me Heikki, when I flash the new code, then start the 
>>> radius server it's working fine after that I restarted the radius server 
>>> and power on the device then it's not authenticated.
>>> Again I flash the code and verified working fine.
>>
>> Ok. Good to hear it works.
>>
>>> Problem arises only if I restart the radius server.
>>> This should not happen right.
>>
>> By default Radiator keeps PACs in memory and they are gone after a restart. 
>> There is a possibility to keep them in SQL so that they survive across 
>> reboots.
>>
>> Heikki
>>
>>
>>
>>
>> Larsen & Toubro Limited
>>
>> www.larsentoubro.com
>>
>> This Email may contain confidential or privileged information for the 
>> intended recipient (s) If you are not the intended recipient, please do not 
>> use or disseminate the information, notify the sender and delete it from 
>> your system.
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
>
>
> --
> Heikki Vatiainen 
>
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, 
> PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full 
> source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

Re: [RADIATOR] RADIATOR: EAP-FAST-MSCHAPv2

2012-04-18 Thread Heikki Vatiainen
On 04/18/2012 08:08 AM, Sudhir Harwalkar wrote:

> Still I am not clear about the working of EAP-FAST with MSCHAPv2.
> In this case:
> Whenever I flash the code to the device(client), its generating the new PAC 
> with this radius server and the client are authenticated successfully.

Yes. If the client does not present a PAC, the RADIUS server will create
and send (provision) it a PAC.

> If I restart the radius server means by pressing ctrl+c it stop the radius 
> sever and again I run the same config file, at that time PAC key is same and 
> authentication is failing.

The client can send a PAC, but if the RADIUS server does not recognize
it (e.g., the PAC is unknown or too old), it will provision a new PAC to the
client.

> As radius server is remembering the key so it's not authenticated is this 
> true?, if not when I restart the server it should authenticate right because 
> for radius server it's a new PAC key that's not happening here.

The log you sent earlier shows your client did not like the new PAC or
for some other reason refused to continue the authentication. It is the
RADIUS server that decides if the PAC is valid or not. The client must be
prepared for the case when the PAC it sends is not accepted or a new PAC
is provisioned.

> Note: My device(client) will generate new PAC whenever flash the code.

Is it prepared to accept a new PAC if the RADIUS server wants to
provision a new PAC? Also, the client cannot generate a PAC. It can
only accept and save a PAC from the RADIUS server.

Some examples:
Tue Apr 17 11:58:11 2012: DEBUG: EAP-FAST received PAC_OPAQUE
Tue Apr 17 11:58:11 2012: DEBUG: Query is: 'select PAC_LIFETIME, PAC_KEY
from EAPFAST_PAC where
PAC_OPAQUE='fdba49cd98ff8bc9788e5be77a6757e616801327461dac23b865a6e701d62b6e'
and PAC_LIFETIME >= 1334644091':
Tue Apr 17 11:58:11 2012: DEBUG: EAP-FAST requested PAC not found
Tue Apr 17 11:58:11 2012: DEBUG: EAP-FAST a new PAC will be provisioned

This is from the log you sent. Your client is sending a PAC, but
RADIATOR did not find it in the SQL db. So it will provision a new PAC.

The authentication then continues but the client does not want to continue.
A bit later your client sends an alert:

Tue Apr 17 11:58:11 2012: ERR: EAP-FAST TLS Handshake unsuccessful:
4924: 1 - error:140943F2:SSL routines:SSL3_READ_BYTES:sslv3 alert
unexpected message


If the PAC is not sent by the client, the log message is different but
still clearly tells what Radiator is doing.

So please check your client log and Radiator log for what is happening.
The presence and provisioning of PAC can be seen from the log.

Thanks!
Heikki


> Regards
> Sudhir H
> 
> -Original Message-
> From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
> Behalf Of Heikki Vatiainen
> Sent: Wednesday, April 18, 2012 3:08 AM
> To: radiator@open.com.au
> Subject: Re: [RADIATOR] RADIATOR: EAP-FAST-MSCHAPv2
> 
> On 04/17/2012 01:29 PM, Sudhir Harwalkar wrote:
>>
>> Because previously it was working fine without any modification from client 
>> side, does modification in EAP_43.pm is affecting for authentication?
>> From the client log its failing after username and Pw. See the screen shot 
>> of the client log.
> 
> The change in EAP_43.pm does one thing. If Server-Unauthenticated 
> provisioning is done, instead of requiring just one ciphersuite
> (TLS_DH_anon_WITH_AES_128_CBC_SHA) the mode is entered when this ciphersuite 
> is present with possible other suites. One such suite is 
> TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746.
> 
> If you want to go back to EAP_43.pm, just take it from Radiator distribution 
> and copy it over to any existing EAP_43.pm you have in your system.
> 
> The PAC provisioning is not affected and using SQL (SQLite in your case) for 
> storing the PAC does not change how it is generated and provisioned.
> 
> You should experiment with your client and see its logs for why it does not 
> work. The configuration I returned to you was working and tested fine here.
> 
> Thanks!
> Heikki
> 
> 


-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy
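
The server-side PAC decision discussed in this thread, as an added example that is not part of the original messages and is not Radiator's code. It models the logged lookup (PAC_OPAQUE match and PAC_LIFETIME >= now) against an in-memory store and an SQLite file across a restart; the table layout beyond the three logged columns, the lifetime value and all class and function names are assumptions.

```python
import os
import secrets
import sqlite3
import tempfile

NOW = 1334644091   # timestamp taken from the logged PAC_LIFETIME comparison
LIFETIME = 86400   # assumed PAC lifetime in seconds (constructed value)

# Only the three columns named in the logged query; the real table
# definition in goodies/mysqlCreate.sql is not reproduced here.
SCHEMA = """create table if not exists EAPFAST_PAC (
    PAC_OPAQUE   text primary key,
    PAC_LIFETIME integer not null,
    PAC_KEY      text not null)"""


class MemoryPacStore:
    """PACs kept in process memory: a new instance (a restart) starts empty."""

    def __init__(self):
        self._pacs = {}

    def create(self, opaque, key, lifetime):
        self._pacs[opaque] = (lifetime, key)

    def get(self, opaque, now):
        rec = self._pacs.get(opaque)
        return rec if rec is not None and rec[0] >= now else None

    def close(self):
        pass


class SqlPacStore:
    """PACs kept in a database file: a new instance sees earlier rows."""

    def __init__(self, path):
        self._db = sqlite3.connect(path)
        self._db.execute(SCHEMA)

    def create(self, opaque, key, lifetime):
        self._db.execute(
            "insert into EAPFAST_PAC (PAC_OPAQUE, PAC_LIFETIME, PAC_KEY) "
            "values (?, ?, ?)", (opaque, lifetime, key))
        self._db.commit()

    def get(self, opaque, now):
        # Same predicate as the logged query, with bound parameters.
        return self._db.execute(
            "select PAC_LIFETIME, PAC_KEY from EAPFAST_PAC "
            "where PAC_OPAQUE = ? and PAC_LIFETIME >= ?",
            (opaque, now)).fetchone()

    def close(self):
        self._db.close()


def decide(store, presented_opaque, now):
    """Server-side decision for one authentication attempt."""
    if presented_opaque is not None and store.get(presented_opaque, now):
        return "use-existing", presented_opaque
    # Unknown, expired or absent PAC: the server provisions a new one.
    new_opaque = secrets.token_hex(32)  # random stand-in, not a real PAC-Opaque
    store.create(new_opaque, secrets.token_hex(32), now + LIFETIME)
    return "provision-new", new_opaque


def run_scenario(make_store):
    """Provision a PAC, restart the server, then present the same PAC twice."""
    first = make_store()
    _, opaque = decide(first, None, NOW)       # client has no PAC yet
    first.close()
    second = make_store()                      # server restarted
    after_restart, _ = decide(second, opaque, NOW + 60)
    after_expiry, _ = decide(second, opaque, NOW + LIFETIME + 1)
    second.close()
    return after_restart, after_expiry


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "pac.sqlite")
        return {
            "memory": run_scenario(MemoryPacStore),
            "sql": run_scenario(lambda: SqlPacStore(path)),
        }


if __name__ == "__main__":
    print(demo())
```

In every "provision-new" case the client has to accept and store the PAC the server sends; continuing to present the old one repeats the same outcome.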

Re: [RADIATOR] RADIATOR, EAP-TLS

2012-04-18 Thread Heikki Vatiainen
On 04/18/2012 10:00 AM, Sudhir Harwalkar wrote:

> How do I configure the client to trust the CA certificate?

That depends on the client. What you wrote below sounds correct.

> What I did was convert the CA, Client and Client Pvt key to hex values, because 
> in our code we give them as hex code.

Ok.

> Using this, I ran the RADIUS server with the TLS config file; it is continuously 
> showing Challenge.

What does the client log show? The client log should show why it is not
responding to the Challenge Radiator sends.

Heikki



[RADIATOR] Tacacs Server and DefaultRealm

2012-04-18 Thread Patrik Forsberg
Hi,

Found another issue with the Tacacs Server.
It doesn't seem to honor DefaultRealm from the Client clause ?

This might be by-design ofc.. just noticed it tho :)

AddToRequestIfNotExist is honored tho!

The same configuration adds the realm if I use a radius client instead of 
tacacs so config wise nothing seems to be wrong.

Regards,
Patrik Forsberg



Re: [RADIATOR] Tacacs Server and DefaultRealm

2012-04-18 Thread Heikki Vatiainen
On 04/18/2012 11:26 AM, Patrik Forsberg wrote:

> Found another issue with the Tacacs Server.
> It doesn't seem to honor DefaultRealm from the Client clause ?

Just tried this with latest 4.9 and slightly edited
goodies/tacacasplusserver.cfg and got the same result. It works when
DefaultRealm is in the server clause, though.

> This might be by-design ofc.. just noticed it tho :)

I'll check if there's such history behind this. Thanks for notifying us.

> AddToRequestIfNotExist is honored tho!
> 
> The same configuration adds the realm if I use a radius client instead of 
> tacacs so config wise nothing seems to be wrong.

Ok.

Thanks!
Heikki

> Regards,
> Patrik Forsberg
> 


Re: [RADIATOR] RADIATOR, EAP-TLS

2012-04-18 Thread Heikki Vatiainen
On 04/18/2012 11:55 AM, Sudhir Harwalkar wrote:

> Please see the EAP-TLS Client log file, Radius log file and eap_tls.cfg file.

The Wireshark capture is not that useful; the same information is in the
Radiator logfile. If you can get a log from your client, not a Wireshark
capture, that would be more useful.

The Radiator log shows Radiator sends an EAP-TLS start message, but your client
never responds. It just keeps on sending EAP Identity.

Check your client. Why does it not react to EAP-TLS start?

Thanks!
Heikki
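
The stall described in this thread (Identity, EAP-TLS Start, Identity again) can be recognised directly from the EAP payloads. The following is an added example, not part of the original messages and not Radiator's code: it parses EAP headers per RFC 3748 and classifies what the client sends after an EAP-TLS Start. The sample packets, the identity "device1" and all function names are constructed for illustration.

```python
import struct

EAP_REQUEST, EAP_RESPONSE = 1, 2
TYPE_IDENTITY, TYPE_NAK, TYPE_TLS, TYPE_FAST = 1, 3, 13, 43
TLS_START = 0x20  # S bit of the EAP-TLS flags octet (RFC 5216)


def build_eap(code, ident, eap_type, body=b""):
    """Build a Request/Response EAP packet (used for the constructed samples)."""
    return struct.pack("!BBHB", code, ident, 5 + len(body), eap_type) + body


def parse_eap(data):
    """Parse the EAP header and reject truncated or inconsistent packets."""
    if len(data) < 4:
        raise ValueError("shorter than the 4-octet EAP header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < 4 or length > len(data):
        raise ValueError("Length field does not match the data")
    pkt = {"code": code, "id": ident, "type": None, "body": b""}
    if code in (EAP_REQUEST, EAP_RESPONSE):
        if length < 5:
            raise ValueError("Request/Response without a Type octet")
        pkt["type"] = data[4]
        pkt["body"] = data[5:length]
    return pkt


def is_tls_start(pkt):
    """True for an EAP-Request of type EAP-TLS with the Start bit set."""
    return (pkt["code"] == EAP_REQUEST and pkt["type"] == TYPE_TLS
            and len(pkt["body"]) >= 1 and bool(pkt["body"][0] & TLS_START))


def classify_next_client_packet(server_request, client_packet):
    """Describe how the client reacted to the server's EAP-TLS Start."""
    req, rsp = parse_eap(server_request), parse_eap(client_packet)
    if not is_tls_start(req):
        raise ValueError("server packet is not an EAP-TLS Start")
    if rsp["code"] != EAP_RESPONSE:
        return "not-a-response"
    if rsp["type"] == TYPE_IDENTITY:
        # The case in this thread: the Start was ignored and the client
        # began again from Identity. Look at the client's own log.
        return "identity-resent"
    if rsp["id"] != req["id"]:
        return "identifier-mismatch"
    if rsp["type"] == TYPE_TLS:
        return "tls-continues"      # handshake proceeds (ClientHello follows)
    if rsp["type"] == TYPE_NAK:
        # The client refuses EAP-TLS and lists the types it would accept.
        return "nak:" + ",".join(str(t) for t in rsp["body"])
    return "unexpected-type:%d" % rsp["type"]


# Constructed sample packets (not taken from the poster's capture).
START = build_eap(EAP_REQUEST, 2, TYPE_TLS, bytes([TLS_START]))
SAMPLES = {
    "stalled": build_eap(EAP_RESPONSE, 1, TYPE_IDENTITY, b"device1"),
    "hello": build_eap(EAP_RESPONSE, 2, TYPE_TLS, b"\x00\x16\x03\x01"),
    "nak": build_eap(EAP_RESPONSE, 2, TYPE_NAK, bytes([TYPE_FAST])),
}


def demo():
    return {name: classify_next_client_packet(START, pkt)
            for name, pkt in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(name, "->", verdict)
```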



Re: [RADIATOR] evaluation - Checkby syntax

2012-04-18 Thread Heikki Vatiainen
On 04/17/2012 03:45 PM, Robb Pfrank wrote:

Hello Robb,

> I have taken myself out of the "users" unix group and was still able to 
> login, shouldn't this setup that was suggested deny my logon?  At this point 
> of testing all we want to have is a user's logon ID and its group membership 
> be verified before granting access to the networking equipment.  What is 
> missing here to match these two objects?

I think this is where it goes wrong:

Tue Apr 17 08:36:08 2012: DEBUG: getpwnam got robert,
$1$uu9QEzhD$KJIBODnLV0WNWlGmBosLG1, 10026, 1, , , Robert Pfrank,
/home/robert, /bin/bash,

1 is your primary group ID in /etc/passwd

So if you run 'id' it should show you are still a member in users. It's
also likely that all other real users have their primary group set to
users, so you may want to create or use another group for RADIUS
authentication purposes.

Thanks!
Heikki


> ###robert is not present in etc/group
> users:x:1:brian,john,jason,clint
> 
> 
> sec-l-adm02 radiator # cat /etc/radiator/users
> # users
> #DEFAULT Auth-Type = SystemAuthentication, Group = netadm
> #
> DEFAULT Auth-Type = SystemAuthentication, Group = users
> 
> 
> SIMPLE.CFG
> Foreground
> LogStdout
> LogDir  .
> DbDir   .
> # Use a lower trace level in production systems:
> Trace   4
> 
> AuthPort 1812
> AcctPort 1813
> 
> Identifier NetworkEquipment
> Secret  mysecret
> DupInterval 0
> 
> 
> Identifier SystemAuthentication
> 
> 
> 
> Identifier GroupAuthentication
> Filename %D/users
> 
> 
> 
> Identifier RejectAuthAcceptAcct
> AuthResult REJECT
> AcctResult ACCEPT
> 
> 
> 
> AuthByPolicy ContinueUntilReject
> AuthBy GroupAuthentication
> #   AuthBy SystemAuthentication
> 
> 
> 
> AuthBy RejectAuthAcceptAcct
> 
> 
> 
> Port  8100
> DefaultPrivilegeLevel 15
> 
> 
> 
> 
> 
> Tue Apr 17 08:36:08 2012: DEBUG: Packet dump:
> *** Received from 10.2.120.150 port 44214 
> Code:   Access-Request
> Identifier: 194
> Authentic:  <171><226><236><178>$<236><18><156>>V<5>x<214><20><233>}
> Attributes:
> User-Name = "robert"
> User-Password = 
> <132>_<219><191>{<248><11><180><197><220><198><187>C<7><14><177>
> NAS-Port-Id = "ttyS0"
> Service-Type = NAS-Prompt-User
> NAS-Port = 0
> NAS-IP-Address = 10.2.120.150
> 
> Tue Apr 17 08:36:08 2012: DEBUG: Handling request with Handler 
> 'Client-Identifier = NetworkEquipment, Service-Type = NAS-Prompt-User', 
> Identifier ''
> Tue Apr 17 08:36:08 2012: DEBUG:  Deleting session for robert, 10.2.120.150, 0
> Tue Apr 17 08:36:08 2012: DEBUG: Handling with Radius::AuthFILE: 
> GroupAuthentication
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthFILE looks for match with robert 
> [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthFILE REJECT: No such user: 
> robert [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthFILE looks for match with 
> DEFAULT [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: Handling with Radius::AuthSYSTEM: 
> SystemAuthentication
> Tue Apr 17 08:36:08 2012: DEBUG: getpwnam got robert, 
> $1$uu9QEzhD$KJIBODnLV0WNWlGmBosLG1, 10026, 1, , , Robert Pfrank, 
> /home/robert, /bin/bash,
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthSYSTEM looks for match with 
> robert [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthSYSTEM ACCEPT: : robert [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: Radius::AuthFILE ACCEPT: : DEFAULT [robert]
> Tue Apr 17 08:36:08 2012: DEBUG: AuthBy FILE result: ACCEPT,
> Tue Apr 17 08:36:08 2012: DEBUG: Access accepted for robert
> Tue Apr 17 08:36:08 2012: DEBUG: Packet dump:
> *** Sending to 10.2.120.150 port 44214 
> Code:   Access-Accept
> Identifier: 194
> Authentic:  <183><18>5.qS|<217>E<17>S0<151><238><154><181>
> Attributes:
> 
> 
> Robb Pfrank
> Office +1 (312) 601-8647
> r...@headlandstech.com
> 
> 
> 
> -Original Message-
> From: Hugh Irvine [mailto:h...@open.com.au]
> Sent: Thursday, April 12, 2012 1:40 AM
> To: Robb Pfrank
> Cc: radiator@open.com.au List
> Subject: Re: [RADIATOR] evaluation - Checkby syntax
> 
> 
> Hello Robb -
> 
> No this won't work.
> 
> Handlers only do matches.
> 
> AuthBy's do checks.
> 
> regards
> 
> Hugh
> 
> 
> On 12 Apr 2012, at 02:29, Robb Pfrank wrote:
> 
>> Could I just add Group to the handler to require both the correct group, 
>> users, and the unix password from /etc/shadow to match?  I tried this out 
>> and got the below message.
>>
>>
>> > NAS-Prompt-User, Group = users>
>>AuthByPolicy ContinueUntilReject
>>AuthBy GroupAuthentication
>>AuthBy SystemAuthentication
>> 
>>
>> sec-l-adm02 radiator # /usr/local/bin/radiusd -config_file simple.cfg
>> Wed Apr 11 12:23:39 2012: DEBUG: Creating StreamServer tcp port 0.0.0.0:8100
>> Wed Apr 11 12:23:39 2012: DEBUG: Finished reading configuration file 'simple.cfg'
>> This Radiator license will exp
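
Why removing a user from the member list in /etc/group did not change the result: membership also comes from the primary GID in /etc/passwd. The following is an added example, not part of the original messages and not Radiator's code. It models that rule over constructed passwd and group text; the entry for brian, the netadm GID and the function names are assumptions, while robert's UID and GID and the users line follow the log and listing in this thread.

```python
# Constructed passwd/group content modelled on the thread.
PASSWD = """\
robert:x:10026:1::/home/robert:/bin/bash
brian:x:10027:1::/home/brian:/bin/bash
"""
GROUP = """\
users:x:1:brian,john,jason,clint
netadm:x:5001:brian
"""


def parse_passwd(text):
    """Map user name -> primary GID from passwd-format lines."""
    users = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 4 or not fields[3].isdigit():
            continue  # skip comments and malformed entries
        users[fields[0]] = int(fields[3])
    return users


def parse_group(text):
    """Map group name -> (GID, set of listed members) from group-format lines."""
    groups = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if line.lstrip().startswith("#") or len(fields) < 4 or not fields[2].isdigit():
            continue
        members = {m for m in fields[3].split(",") if m}
        groups[fields[0]] = (int(fields[2]), members)
    return groups


def membership(user, group_name, users, groups):
    """Return 'primary', 'supplementary' or None for user in group_name."""
    if user not in users or group_name not in groups:
        return None
    gid, members = groups[group_name]
    if users[user] == gid:
        return "primary"        # set in /etc/passwd, invisible in the member list
    if user in members:
        return "supplementary"  # listed in /etc/group
    return None


def who_passes(group_name, users, groups):
    """All known users that a check on group_name would accept, with the reason."""
    result = {}
    for user in sorted(users):
        reason = membership(user, group_name, users, groups)
        if reason is not None:
            result[user] = reason
    return result


def demo():
    users, groups = parse_passwd(PASSWD), parse_group(GROUP)
    return {
        "users": who_passes("users", users, groups),
        "netadm": who_passes("netadm", users, groups),
    }


if __name__ == "__main__":
    print(demo())
```

A group that is nobody's primary group, such as the netadm group in the commented-out line of the users file, only accepts the accounts listed in it.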

Re: [RADIATOR] Idle timeout issue

2012-04-18 Thread Jennings Tuala
Hi Mike,



I have tried again this time with laptop on continuously, not going to
sleep and it still cuts out the connection. I have pasted my radius.cfg for
your perusal.





LogDir   /var/log/radius
DbDir /etc/radiator
# Use a low trace level in production systems. Increase
# it to 4 or 5 for debugging, or use the -trace flag to radiusd
Trace 4

AuthPort 1812
AcctPort 1813

# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with

Secret   xxx
DupInterval 0

Secret  xxx
AuthPort 1182
AcctPort 1183
DupInterval 0

DBSource dbi:mysql:bluezone
DBUsername root
DBAuth xxxyyyzzz

AddQuery insert into SUBSCRIBERS (USERNAME, \
NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, \
FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, DNIS) \
values ('%n', '%N', \
%{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp}, \
'%{Framed-IP-Address}', '%{NAS-Port-Type}', \
'%{Service-Type}', '%{Called-Station-Id}')

DBSource dbi:mysql:bluezone
DBUsername root
DBAuth  xxxyyyzzz

# Only one Session per user at a time
DefaultSimultaneousUse 1

# Let the user IN if they have any time left, set
# the Session-Timeout to the time left
AuthSelect select PASSWORD, SESSIONTIMEOUT from SUBSCRIBERS where USERNAME=%0 and SESSIONTIMEOUT > 0
AuthColumnDef 0, User-Password, check
AuthColumnDef 1, Session-Timeout, reply

# Adjust the time left when they log out
AccountingStopsOnly
AcctSQLStatement update SUBSCRIBERS set SESSIONTIMEOUT=SESSIONTIMEOUT-0%{Acct-Session-Time} where USERNAME='%n'

AccountingTable SUBSCRIBERS









Thanks and look forward to your response.





Cheers,

Jennings



*From:* Mike Puchol [mailto:puc...@me.com]
*Sent:* Saturday, 14 April 2012 2:42 AM
*To:* Jennings Tuala
*Cc:* radiator@open.com.au
*Subject:* Re: [RADIATOR] Idle timeout issue



Acct terminate cause is User-Request, meaning the hotspot received a
session end instruction from the device, eg. logoff URL, or a
disassociation which the hotspot translates as User-Request (eg. laptop
going to sleep). There is no Session-Timeout or Idle-Timeout in the logs
that would correspond to what you describe.


On Apr 13, 2012, at 3:26 PM, Jennings Tuala  wrote:

Hi there,



I’m having some issues with idle timeouts in radiator. Users are suddenly
being disconnected after say 25 minutes of inactivity. This never used to
happen before so I attached a trace 4 debug for you to have a look at.
Would greatly appreciate your assistance please.



Thanks,

Jay





Tue Apr 10 15:48:32 2012: DEBUG: Packet dump:
*** Received from 110.5.112.85 port 32817
Code:   Access-Request
Identifier: 29
Authentic:  <137><202><239><165><163>W<22><229>Xfg<168>&<144><174><216>
Attributes:
User-Name = "6100510"
User-Password = @[<4>=<161><221><154>u<141><0><143><5><1><165>_<250>
NAS-IP-Address = 110.5.112.85
Service-Type = Login-User
Framed-IP-Address = 10.17.4.212
Called-Station-Id = "00:90:0B:05:6B:14"
Calling-Station-Id = "38:59:f9:80:c8:5d"
NAS-Identifier = "110.5.112.85"
Acct-Session-Id = "00:90:0B:05:6B:14:13341172017"
NAS-Port-Type = Wireless-IEEE-802-11

Tue Apr 10 15:48:32 2012: DEBUG: Handling request with Handler '',
Identifier ''
Tue Apr 10 15:48:32 2012: DEBUG:  Deleting session for 6100510,
110.5.112.85,
Tue Apr 10 15:48:32 2012: DEBUG: do query is: 'delete from RADONLINE where
NASIDENTIFIER='110.5.112.85' and NASPORT=0':
Tue Apr 10 15:48:32 2012: DEBUG: Handling with Radius::AuthSQL:
Tue Apr 10 15:48:32 2012: DEBUG: Handling with Radius::AuthSQL:
Tue Apr 10 15:48:32 2012: DEBUG: Query is: 'select PASSWORD, SESSIONTIMEOUT
from SUBSCRIBERS where USERNAME='6100510' and SESSIONTIMEOUT > 0':
Tue Apr 10 15:48:32 2012: DEBUG: Radius::AuthSQL looks for match with
6100510 [6100510]
Tue Apr 10 15:48:32 2012: DEBUG: Radius::AuthSQL ACCEPT: : 6100510 [6100510]
Tue Apr 10 15:48:32 2012: DEBUG: AuthBy SQL result: ACCEPT,
Tue Apr 10 15:48:32 2012: DEBUG: Access accepted for 6100510
Tue Apr 10 15:48:32 2012: DEBUG: Packet dump:
*** Sending to 110.5.112.85 port 32817
Code:   Access-Accept
Identifier: 29
Authentic:  <253>;<226>m<181>{}V<28><250><198><209><179><151><176><224>
Attributes:
Session-Timeout = 864

Re: [RADIATOR] Idle timeout issue

2012-04-18 Thread Michael
maybe need Idle-Timeout = 0 in your authentication accept reply packet?

eg. AddToReplyIfNotExist Idle-Timeout = 0


On 12-04-18 09:24 PM, Jennings Tuala wrote:
> Hi Mike,
>
> I have tried again this time with laptop on continuously, not going to sleep 
> and it still cuts out the connection. I have pasted my radius.cfg for your 
> perusal.
>
> LogDir   /var/log/radius
>
> DbDir /etc/radiator
>
> # Use a low trace level in production systems. Increase
>
> # it to 4 or 5 for debugging, or use the -trace flag to radiusd
>
> Trace 4
>
> AuthPort 1812
>
> AcctPort 1813
>
> # You will probably want to add other Clients to suit your site,
>
> # one for each NAS you want to work with
>
> 
>
>  Secret   xxx
>
>  DupInterval 0
>
> 
>
> 
>
>  Secret  xxx
>
>  AuthPort 1182
>
>  AcctPort 1183
>
>  DupInterval 0
>
> 
>
> 
>
>  DBSource dbi:mysql:bluezone
>
>  DBUsername root
>
>  DBAuth xxxyyyzzz
>
> AddQuery insert into SUBSCRIBERS (USERNAME, \
>
> NASIDENTIFIER, NASPORT, ACCTSESSIONID, TIME_STAMP, \
>
> FRAMEDIPADDRESS, NASPORTTYPE, SERVICETYPE, DNIS)
>
> values ('%n', '%N', \
>
> %{NAS-Port}, '%{Acct-Session-Id}', %{Timestamp},\
>
> '%{Framed-IP-Address}', '%{NAS-Port-Type}', \
>
> '%{Service-Type}', '%{Called-Station-Id}')
>
> 
>
> 
>
> 
>
>  DBSource dbi:mysql:bluezone
>
>  DBUsername root
>
>  DBAuth  xxxyyyzzz
>
>  # Only one Session per user at a time
>
>  DefaultSimultaneousUse 1
>
>  # Let the user IN if they have any time 
> left, set
>
>  # the Session-Timeout to the time left
>
>  AuthSelect select PASSWORD, SESSIONTIMEOUT 
> from SUBSCRIBERS where USERNAME=%0 and SESSIONTIMEOUT > 0
>
>  AuthColumnDef 0, User-Password, check
>
>  AuthColumnDef 1, Session-Timeout, reply
>
>  # Adjust the time left when they log out
>
>  AccountingStopsOnly
>
>  AcctSQLStatement update SUBSCRIBERS set 
> SESSIONTIMEOUT=SESSIONTIMEOUT-0%{Acct-Session-Time} where USERNAME='%n'
>
>  AccountingTable SUBSCRIBERS
>
> 
>
> 
>
> Thanks and look forward to your response.
>
> Cheers,
>
> Jennings
>
> *From:*Mike Puchol [mailto:puc...@me.com ]
> *Sent:* Saturday, 14 April 2012 2:42 AM
> *To:* Jennings Tuala
> *Cc:* radiator@open.com.au 
> *Subject:* Re: [RADIATOR] Idle timeout issue
>
> Acct terminate cause is User-Request, meaning the hotspot received a session 
> end instruction from the device, eg. logoff URL, or a disassociation which 
> the hotspot translates as User-Request (eg. laptop going to sleep). There is 
> no Session-Timeout or Idle-Timeout in the logs that would correspond to what 
> you describe.
>
>
> On Apr 13, 2012, at 3:26 PM, Jennings Tuala wrote:
>
> Hi there,
>
> I’m having some issues with idle timeouts in radiator. Users are suddenly 
> being disconnected after say 25 minutes of inactivity. This never used to 
> happen before so I attached a trace 4 debug for you to have a look at. Would 
> greatly appreciate your assistance please.
>
> Thanks,
>
> Jay
>
> Tue Apr 10 15:48:32 2012: DEBUG: Packet dump:
>
> *** Received from 110.5.112.85 port 32817 
>
> Code:   Access-Request
>
> Identifier: 29
>
> Authentic: <137><202><239><165><163>W<22><229>Xfg<168>&<144><174><216>
>
> Attributes:
>
>  User-Name = "6100510"
>
>  User-Password = 
> @[<4>=<161><221><154>u<141><0><143><5><1><165>_<250>
>
>  NAS-IP-Address = 110.5.112.85
>
>  Service-Type = Login-User
>
>  Framed-IP-Address = 10.17.4.212
>
>  Called-Station-Id = "00:90:0B:05:6B:14"
>
>  Calling-Station-Id = "38:59:f9:80:c8:5d"
>
>  NAS-Identifier = "110.5.112.85"
>
>  Acct-Session-Id = "00:90:0B:05:6B:14:13341172017"
>
>  NAS-Port-Type = Wireless-IEEE-802-11
>
> Tue Apr 10 15:48:32 2012: DEBUG: Handling request with Handler '', 
> Identifier ''
>
> Tue Apr 10 15:48:32 2012: DEBUG:  Deleting session for 6100510, 
> 110.5.112.85,
>
> Tue Apr 10 15:48:32 2012: DEBUG: do query is: 'delete from RADONLINE 
> where NASIDENTIFIER='110.5.112.85' and NASPORT=0':
>
> Tue Apr 10 15:48:32 2012: DEBUG: Handling with Radius::AuthSQL:
>
> Tue Apr 10 15:48:32 2012: DEBUG: Handling with Radius::AuthSQL:
>
> Tue Apr 10 15:48:32 2012: DEBUG: Query is: 'select PASSWORD, 
> SESSIONTIMEOUT from SUBSCR

Re: [RADIATOR] Idle timeout issue

2012-04-18 Thread Jennings Tuala
Thanks Michael, I will try that and see if it goes.

Cheers,
Jennings

-Original Message-
From: Michael [mailto:ri...@vianet.ca]
Sent: Thursday, 19 April 2012 2:57 PM
To: Jennings Tuala
Cc: Mike Puchol; radiator@open.com.au
Subject: Re: [RADIATOR] Idle timeout issue

maybe need Idle-Timeout = 0 in your authentication accept reply packet?

eg. AddToReplyIfNotExist Idle-Timeout = 0



[RADIATOR] FW: ] RADIATOR: EAP-FAST-MSCHAPv2

2012-04-18 Thread Sudhir Harwalkar
Can we generate the client log on the Radiator side? Is there any option?

-Regards
Sudhir H

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Sudhir Harwalkar
Sent: Wednesday, April 18, 2012 10:59 AM
To: Heikki Vatiainen (h...@open.com.au)
Cc: radiator@open.com.au
Subject: [RADIATOR] FW: ] RADIATOR: EAP-FAST-MSCHAPv2

Observing the same error after restarting the radius server and using the DB. So I 
think the Radius server is remembering the PAC, and for this reason it's not getting 
authenticated.

Regards
Sudhir H

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Sudhir Harwalkar
Sent: Wednesday, April 18, 2012 10:38 AM
To: Heikki Vatiainen
Cc: radiator@open.com.au
Subject: [RADIATOR] ] RADIATOR: EAP-FAST-MSCHAPv2

Hi Heikki,

I am still not clear about the working of EAP-FAST with MSCHAPv2.
In this case:
Whenever I flash the code to the device (client), it generates a new PAC 
with this radius server and the client is authenticated successfully.
If I restart the radius server, meaning I stop it by pressing ctrl+c and 
run the same config file again, the PAC key is the same and 
authentication fails.
Is it true that the radius server is remembering the key and so it's not 
authenticated? If not, when I restart the server it should authenticate, right, 
because for the radius server it's a new PAC key, but that's not happening here.

Note: My device (client) will generate a new PAC whenever I flash the code.

Regards
Sudhir H

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Wednesday, April 18, 2012 3:08 AM
To: radiator@open.com.au
Subject: Re: [RADIATOR] RADIATOR: EAP-FAST-MSCHAPv2

On 04/17/2012 01:29 PM, Sudhir Harwalkar wrote:
>
> Because previously it was working fine without any modification from the client 
> side, is the modification in EAP_43.pm affecting authentication?
> From the client log it's failing after username and Pw. See the screenshot of 
> the client log.

The change in EAP_43.pm does one thing. If Server-Unauthenticated provisioning 
is done, instead of requiring just one ciphersuite
(TLS_DH_anon_WITH_AES_128_CBC_SHA) the mode is entered when this ciphersuite is 
present with possible other suites. One such suite is 
TLS_EMPTY_RENEGOTIATION_INFO_SCSV from RFC 5746.

If you want to go back to EAP_43.pm, just take it from Radiator distribution 
and copy it over to any existing EAP_43.pm you have in your system.

The PAC provisioning is not affected and using SQL (SQLite in your case) for 
storing the PAC does not change how it is generated and provisioned.

You should experiment with your client and see its logs for why it does not 
work. The configuration I returned to you was working and tested fine here.

Thanks!
Heikki


--
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Larsen & Toubro Limited

www.larsentoubro.com

This Email may contain confidential or privileged information for the intended 
recipient (s) If you are not the intended recipient, please do not use or 
disseminate the information, notify the sender and delete it from your system.
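
The ciphersuite check Heikki describes for EAP_43.pm, sketched in Python as an added example (it is not Radiator's code and not from the thread): it parses the cipher_suites vector of a ClientHello and compares the "only this suite" test with the "suite present among others" test. The function names and the sample ClientHello are constructed for illustration; 0x0034 and 0x00FF are the IANA code points of the two suites named.

```python
import struct

# IANA code points for the two suites named in the message above.
TLS_DH_anon_WITH_AES_128_CBC_SHA = 0x0034
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # RFC 5746 signalling value, not a cipher

def client_hello_suites(handshake):
    """Return the cipher suite code points offered in a TLS ClientHello message."""
    if len(handshake) < 4 or handshake[0] != 1:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(handshake[1:4], "big")
    body = handshake[4:4 + body_len]
    if len(body) != body_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                          # skip client_version and random
    if pos >= len(body):
        raise ValueError("ClientHello too short")
    pos += 1 + body[pos]                  # skip session_id (1-byte length prefix)
    if pos + 2 > len(body):
        raise ValueError("ClientHello too short")
    (cs_len,) = struct.unpack_from("!H", body, pos)
    pos += 2
    if cs_len % 2 or pos + cs_len > len(body):
        raise ValueError("malformed cipher_suites vector")
    return [s for (s,) in struct.iter_unpack("!H", body[pos:pos + cs_len])]

def strict_unauth_provisioning(suites):
    """Earlier behaviour as described: the anon DH suite must be the only one offered."""
    return suites == [TLS_DH_anon_WITH_AES_128_CBC_SHA]

def relaxed_unauth_provisioning(suites):
    """Changed behaviour as described: the anon DH suite is present, others allowed."""
    return TLS_DH_anon_WITH_AES_128_CBC_SHA in suites

def build_client_hello(suites):
    """Constructed sample input: a minimal TLS 1.0 ClientHello offering `suites`."""
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body = (b"\x03\x01" + bytes(32) + b"\x00"
            + struct.pack("!H", len(cs)) + cs + b"\x01\x00")
    return b"\x01" + len(body).to_bytes(3, "big") + body

if __name__ == "__main__":
    for offered in ([0x0034], [0x0034, 0x00FF], [0x002F, 0x00FF]):
        suites = client_hello_suites(build_client_hello(offered))
        print([hex(s) for s in suites],
              strict_unauth_provisioning(suites), relaxed_unauth_provisioning(suites))
```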