Re: [RADIATOR] FarmChildHook to rotate AuthPort, AcctPort and DBSource

2015-11-03 Thread Heikki Vatiainen
On 13.10.2015 15.45, Christian Kratzer wrote:

> 3. Also note the rather high number of MaxFailedRequests in HASHBALANCE.  I 
> saw the backends get marked bad instantly when activating this in a high load 
> environment with a low number of MaxFailedRequests.  I never quite found out 
> why but assume this was due to interfering with in progress EAP transactions. 
>  A value of 10 keeps the hashbalance happy until the backend really dies.  
> YMMV of course.

That's possible. See EAPErrorReject configuration parameter for more 
info, but the default is to drop many EAP related requests when there's 
an error.

>   # walk over all AuthBy and Hash database credentials by farmInstance
>   foreach my $auth (@{$main::config->{AuthBy}}) {
>  my $id = $auth->{Identifier};

You could also fetch the AuthBy handle directly with something like this:

my $id = 'SQLauth';
my $auth = Radius::AuthGeneric::find($id);

Then continue as below (maybe add error check if $auth is not found)

>  foreach my $key (qw(DBSource DBUsername DBAuth)) {
>  if ($auth->{$key}) {
>  my $database_count = @{$auth->{$key}};
>  $auth->{$key} = [ $auth->{$key}[ 
> ($main::farmInstance-1)%$database_count ] ];
>  &main::log($main::LOG_INFO, "farmchild.hook: AuthBy: $id, 
> $key: ".$auth->{$key}[0] );
>  }
>  }

Remove one } here too.

>
>   return;
> }

Please let me know if the original should go into goodies or if there's 
anything you'd like to change before it gets added.

Thanks!
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, 
NetWare etc.
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
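
The rotation discussed in this message, as an added example that is not part of the thread or of the Radiator distribution: it picks the DBSource, DBUsername and DBAuth entry for one farm instance, handles an AuthBy that is not found, and keeps the DBAuth value out of the log line. It runs stand-alone: %configured and find_authby() are hypothetical stand-ins for the loaded configuration and Radius::AuthGeneric::find(), the loop variable stands in for $main::farmInstance, and the host names, user names and passwords are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Keys whose values are secrets and must not be written to the log.
my %SECRET_KEY = (DBAuth => 1);

# Return the list entry for this farm instance (numbered from 1), wrapping
# around when there are fewer entries than instances.
sub pick_for_instance {
    my ($values, $farm_instance) = @_;
    die "farm instance must be a positive integer\n"
        unless defined $farm_instance && $farm_instance =~ /^[1-9]\d*$/;
    die "empty value list\n" unless @$values;
    return $values->[ ($farm_instance - 1) % scalar @$values ];
}

# Reduce DBSource, DBUsername and DBAuth of one AuthBy to the single entry
# for this instance. Returns the log lines, with secrets obscured.
sub rotate_authby {
    my ($auth, $farm_instance) = @_;
    my $id = defined $auth->{Identifier} ? $auth->{Identifier} : '(no Identifier)';
    my @log;
    foreach my $key (qw(DBSource DBUsername DBAuth)) {
        my $values = $auth->{$key};
        next unless ref($values) eq 'ARRAY' && @$values;
        my $chosen = pick_for_instance($values, $farm_instance);
        $auth->{$key} = [$chosen];
        my $shown = $SECRET_KEY{$key} ? '**obscured**' : $chosen;
        push @log, "farmchild.hook: AuthBy: $id, $key: $shown";
    }
    return @log;
}

# Constructed stand-in for the configured AuthBy clauses. Inside Radiator the
# object would come from Radius::AuthGeneric::find($id) instead.
my %configured = (
    SQLauth => {
        Identifier => 'SQLauth',
        DBSource   => [ 'dbi:mysql:radius:db1.example.net',
                        'dbi:mysql:radius:db2.example.net' ],
        DBUsername => [ 'radius_a', 'radius_b' ],
        DBAuth     => [ 'constructed-secret-a', 'constructed-secret-b' ],
    },
);

# Hypothetical lookup: returns a private copy of the clause, or nothing when
# no clause has that Identifier (each farm child has its own configuration).
sub find_authby {
    my ($id) = @_;
    my $src = $configured{$id} or return;
    my %copy;
    foreach my $k (keys %$src) {
        my $v = $src->{$k};
        $copy{$k} = ref($v) eq 'ARRAY' ? [@$v] : $v;
    }
    return \%copy;
}

# Three simulated farm children; the third wraps back to the first database.
foreach my $farm_instance (1 .. 3) {
    foreach my $id (qw(SQLauth NoSuchAuthBy)) {
        my $auth = find_authby($id);
        unless ($auth) {
            print "instance $farm_instance: AuthBy $id not found, nothing rotated\n";
            next;
        }
        # In a real hook these lines would go to &main::log($main::LOG_INFO, ...).
        print "instance $farm_instance: $_\n" for rotate_authby($auth, $farm_instance);
    }
}
```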


Re: [RADIATOR] Authlog FILE - file location

2015-11-03 Thread Michael Bellears
Ah - Legendary! - Thank you Hugh.


-Original Message-
From: Hugh Irvine [mailto:h...@open.com.au] 
Sent: Wednesday, 4 November 2015 4:47 PM
To: Michael Bellears
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Authlog FILE - file location


Hello Michael -

Yes - set the LogDir parameter to whatever you wish:

…..

# set LogDir 

LogDir /var/log/radius

…..


<AuthLog FILE>
   Identifier myauthlogger3
   Filename %L/authlog_dsl_cust_a
</AuthLog>
 
 …..

You can also use any of the special characters listed in section 5.2 of the 
Radiator 4.15 reference manual (“doc/ref.pdf”).

regards

Hugh


> On 4 Nov 2015, at 17:18, Michael Bellears  wrote:
> 
> Hi,
>  
> Hopefully a quick question, I've had a read of the manual, but can't seem to 
> find if it is possible to set a path for each logfile?
>  
> i.e. 
>  
> <AuthLog FILE>
>    Identifier myauthlogger3
>    Filename authlog_dsl_cust_a
> </AuthLog>
>  
> Will log to file authlog_dsl_cust_a in the dir that radiator was started from 
> – Is there any way to add a “path” to where the file will be located?
>  
>  
> Cheers.


--

Hugh Irvine
h...@open.com.au


Re: [RADIATOR] Authlog FILE - file location

2015-11-03 Thread Hugh Irvine

Hello Michael -

Yes - set the LogDir parameter to whatever you wish:

…..

# set LogDir 

LogDir /var/log/radius

…..


<AuthLog FILE>
   Identifier myauthlogger3
   Filename %L/authlog_dsl_cust_a
</AuthLog>
 
 …..

You can also use any of the special characters listed in section 5.2 of the 
Radiator 4.15 reference manual (“doc/ref.pdf”).

regards

Hugh


> On 4 Nov 2015, at 17:18, Michael Bellears  wrote:
> 
> Hi,
>  
> Hopefully a quick question, I've had a read of the manual, but can't seem to 
> find if it is possible to set a path for each logfile?
>  
> i.e. 
>  
> <AuthLog FILE>
>    Identifier myauthlogger3
>    Filename authlog_dsl_cust_a
> </AuthLog>
>  
> Will log to file authlog_dsl_cust_a in the dir that radiator was started from 
> – Is there any way to add a “path” to where the file will be located?
>  
>  
> Cheers.


--

Hugh Irvine
h...@open.com.au


[RADIATOR] Authlog FILE - file location

2015-11-03 Thread Michael Bellears
Hi,

Hopefully a quick question, I've had a read of the manual, but can't seem to find 
if it is possible to set a path for each logfile?

i.e.

<AuthLog FILE>
   Identifier myauthlogger3
   Filename authlog_dsl_cust_a
</AuthLog>


Will log to file authlog_dsl_cust_a in the dir that radiator was started from - 
Is there any way to add a "path" to where the file will be located?


Cheers.

Re: [RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Michael Bellears
I think I may have found the problem.

"older" version of SQL used:

'TYPE=MyISAM'

"new" version of SQL uses: 

ENGINE=MYISAM

On the "new" server, it complained about our old radmin dbase dump file, as it 
uses "TYPE" - So, I did a find/replace of "TYPE" -> "ENGINE" - Unaware there were 
"other" lines that had "Type"... hence NASTYPE was changed by the find/replace 
to NASENGINE... I'm just in the process of reimporting (Post a more "accurate" 
find/replace)... fingers crossed all works ok :)

 



-Original Message-
From: Heikki Vatiainen [mailto:h...@open.com.au] 
Sent: Wednesday, 4 November 2015 7:55 AM
To: Michael Bellears; radiator@open.com.au
Subject: Re: [RADIATOR] Migrating a Radiator+Radmin server

On 11/03/2015 11:13 PM, Michael Bellears wrote:
> Thanks - absolutely no mods here... the migration page does mention quite a 
> few mods to tables etc... perhaps it was in an older upgrade?

I took a look at the older Radmin releases too and there's no NASENGINE there. 
Also, the latest version does not have NASENGINE either. Engine does remind me 
a bit of MySQL DB engines, though.

When upgrading you should step upgrade. Currently, AuthRADMIN.pm in Radiator 
and Radmin goodies directory are the same, so there's no need to copy them.

> What would your suggestion be?

I would try doing step upgrade from 1.10. There appears to be no DB step 
between versions 1.13 and 1.14.

> Ie: It has an "other" version section:
> 
> Other versions
> In order to upgrade between any other versions, you will need to dump your 
> current database, install the new software and then reload your old data:

I would not do this yet but try the steps first.

Thanks,
Heikki

--
Heikki Vatiainen 
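
A narrower rewrite than the blanket find/replace described in this message, shown next to it for comparison, as an added example (not code from the thread or from Radmin). It assumes the table options sit on the line that begins with ")", as in mysqldump output; the function names, column types and sample row are constructed, and only the column names come from the failing query in the thread.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Rewrite the legacy table option TYPE=<engine> to ENGINE=<engine>, but only on
# the line that closes a CREATE TABLE statement. Column names such as NASTYPE
# and the data in INSERT statements are left alone.
sub fix_table_option {
    my ($line) = @_;
    return $line unless $line =~ /^\s*\)/;    # table options follow the ")"
    (my $fixed = $line) =~ s/\bTYPE\s*=\s*(\w+)/ENGINE=$1/i;
    return $fixed;
}

# The blanket find/replace described in the message, kept for comparison.
sub naive_replace {
    my ($line) = @_;
    (my $changed = $line) =~ s/TYPE/ENGINE/g;
    return $changed;
}

# Constructed dump fragment (column types and the row are made up).
my @dump = split /^/, <<'SQL';
CREATE TABLE RADCLIENTLIST (
  NASIDENTIFIER varchar(50) NOT NULL,
  SECRET varchar(50),
  DEFAULTREALM varchar(50),
  NASTYPE varchar(20),
  DUPINTERVAL int
) TYPE=MyISAM;
INSERT INTO RADCLIENTLIST VALUES ('nas1.example.net','constructed-secret','example.net','unknown',2);
SQL

# Apply a rewrite to every line and return [line number, before, after] for
# each line it changed, so the edit can be reviewed before importing.
sub changed_lines {
    my ($rewrite, @lines) = @_;
    my @changes;
    for my $i (0 .. $#lines) {
        my $after = $rewrite->($lines[$i]);
        push @changes, [ $i + 1, $lines[$i], $after ] if $after ne $lines[$i];
    }
    return @changes;
}

for my $case ([ 'blanket TYPE -> ENGINE', \&naive_replace ],
              [ 'anchored table option',  \&fix_table_option ]) {
    my ($label, $rewrite) = @$case;
    print "== $label ==\n";
    for my $c (changed_lines($rewrite, @dump)) {
        my ($n, $before, $after) = @$c;
        chomp($before, $after);
        print "line $n:\n  - $before\n  + $after\n";
    }
}
```

The blanket pass reports two changed lines, one of them the NASTYPE column definition; the anchored pass reports only the table option line.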



Re: [RADIATOR] Feature request - Different encryption methods in AuthBy UNIX

2015-11-03 Thread Johnson, Neil M
Yes it does.

Hmm. I must have mistyped a password somewhere.

Sorry.

-Neil


-- 
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu



> On Nov 2, 2015, at 2:08 PM, varti...@open.com.au wrote:
> 
> Hi
> 
> On Monday, 2 November, 2015 20:09, "Johnson, Neil M"  
> said:
> 
>> Radiator 4.16 on the test box and Radiator 4.13 in production.
>> 
>> It appears the password is in SHA-512 format ($6$ prefix), but it didn’t
>> work on the test box until I ran a python script that uses the following line to
>> encrypt the password:
>> 
>> encrypted_password = crypt.crypt(raw_passwd1, salt=crypt.METHOD_SHA512)
>> 
>> And then manually copied it into the /etc/shadow file.
>> 
>> Here is the password entry for a dummy account I created on the test box:
>> 
>> $6$rMzuK3lt$OTG.nVZjYW6E4jWjQJ3DVQgpEPoSSy6p6b34p1nx5w3b7NKfTAWKKF0xvUGPeiM9PLSc3z83uD8JcKzzjU6951
>> 
>> password is “fredsmed”
>> 
> 
> I'm unable to reproduce the problem with Radiator 4.16 on Ubuntu 14.04 box 
> using AuthBy UNIX or FILE 
> with the SHA-512 hash above.
> 
> Does the following Perl script print the same hash twice on the test box?
> 
> use strict;
> use warnings;
> 
> my $pw = 
> '$6$rMzuK3lt$OTG.nVZjYW6E4jWjQJ3DVQgpEPoSSy6p6b34p1nx5w3b7NKfTAWKKF0xvUGPeiM9PLSc3z83uD8JcKzzjU6951';
> my $submitted_pw = "fredsmed";
> 
> if ($pw =~ /^\$[56]\$.+\$/) {
>     print $pw . "\n";
>     print crypt($submitted_pw, $pw) . "\n";
> }
> 
> 
> BR
> -- 
> Tuure Vartiainen 
> 

Re: [RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Heikki Vatiainen
On 11/03/2015 11:13 PM, Michael Bellears wrote:
> Thanks - absolutely no mods here... the migration page does mention quite a 
> few mods to tables etc... perhaps it was in an older upgrade?

I took a look at the older Radmin releases too and there's no NASENGINE
there. Also, the latest version does not have NASENGINE either. Engine
does remind me a bit of MySQL DB engines, though.

When upgrading you should step upgrade. Currently, AuthRADMIN.pm in
Radiator and Radmin goodies directory are the same, so there's no need
to copy them.

> What would your suggestion be?

I would try doing step upgrade from 1.10. There appears to be no DB step
between versions 1.13 and 1.14.

> Ie: It has an "other" version section:
> 
> Other versions
> In order to upgrade between any other versions, you will need to dump your 
> current database, install the new software and then reload your old data:

I would not do this yet but try the steps first.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Heikki Vatiainen
On 11/03/2015 10:25 PM, Ullfig, Roberto Alfredo wrote:
> Ah, the Android 6 support is in base 4.16 then - my mistake. Thanks!

Yes. 4.16 should do the right thing no matter what the OpenSSL and
Net::SSLeay versions are. It will also log during the startup about the
versions it finds and what they can be done with (if TLS 1.2 is supported
and can be enabled etc.).

Besides Android 6, some of the recent Linux distributions ship with
wpa_supplicant that will try to use TLS 1.2, just like Android 6 does.
The working TLS 1.2 support should keep these users happy too.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Michael Bellears
Thanks - absolutely no mods here... the migration page does mention quite a few 
mods to tables etc... perhaps it was in an older upgrade?

What would your suggestion be?

Ie: It has an "other" version section:

Other versions
In order to upgrade between any other versions, you will need to dump your 
current database, install the new software and then reload your old data:

cd to distribution directory of your current version
perl createdb.pl -dump >/tmp/radmin.dat
cd to distribution directory of your new version
follow full installation instructions for your new version
perl createdb.pl /tmp/radmin.dat
copy goodies/AuthRADMIN.pm to your Radiator installation


Do I need to step upgrade?  i.e 1.10 ->1.11, then 1.11->1.12 etc?

Thanks

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Tuesday, 3 November 2015 9:31 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Migrating a Radiator+Radmin server

On 3.11.2015 11.13, Michael Bellears wrote:

> Ah - Just found one difference - NASTYPE appears to have been changed 
> to NASENGINE in RADCLIENTLIST?

Hmm, are you sure this is not a local modification? I took a look at 
Radmin/Schema.pm and the only changes in RADCLIENTLIST seem to be related to 
lengths of some of the varchar type fields.

The migration instructions are here, but the changes are for different tokens 
and their management:

http://www.open.com.au/radmin/migration.html

Thanks,
Heikki

--
Heikki Vatiainen 



Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
Ah, the Android 6 support is in base 4.16 then - my mistake. Thanks!

---
Roberto Ullfig - rull...@uic.edu
ACCC Research Programmer


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Tuesday, November 03, 2015 2:22 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, 
enhancements and new features

On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote:
> Also, is it typical for patches to not be released in RPMs?

Yes, the patches work best with the .tgz package:
- untar the release .tgz
- untar the patches on top of this
- then proceed with 'perl Makefile.PL' as described in the installation manual 
for the .tgz package.

While it's possible to replace files that were installed with rpm, I'd do it 
only when there's a specific need for it.

> We installed the previous version from RPM. Should we remove that RPM before 
> installing this version plus patches?

'rpm -Uvh Radiator-4.16-1.noarch.rpm' should be enough to upgrade if you do not 
need patches and want to stay with rpm packaging. If there's something in the 
patches you do need, then you could consider switching to .tgz + patches.

I'd say the current patches are not worth switching from rpm unless you want to 
try the RadSec Gossip features.

Thanks,
Heikki

--
Heikki Vatiainen 



Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Heikki Vatiainen
On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote:
> Also, is it typical for patches to not be released in RPMs?

Yes, the patches work best with the .tgz package:
- untar the release .tgz
- untar the patches on top of this
- then proceed with 'perl Makefile.PL' as described in the installation
manual for the .tgz package.

While it's possible to replace files that were installed with rpm, I'd
do it only when there's a specific need for it.

> We installed the previous version from RPM. Should we remove that RPM before 
> installing this version plus patches?

'rpm -Uvh Radiator-4.16-1.noarch.rpm' should be enough to upgrade if you
do not need patches and want to stay with rpm packaging. If there's
something in the patches you do need, then you could consider switching
to .tgz + patches.

I'd say the current patches are not worth switching from rpm unless you
want to try the RadSec Gossip features.

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
Also, is it typical for patches to not be released in RPMs?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Ullfig, Roberto Alfredo
Sent: Tuesday, November 03, 2015 1:48 PM
To: radiator@open.com.au
Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, 
enhancements and new features

We installed the previous version from RPM. Should we remove that RPM before 
installing this version plus patches?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Tuesday, October 27, 2015 4:57 AM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, 
enhancements and new features

We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. 
Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-

Revision 4.16 (2015-10-27)

   Selected bug fixes, compatibility notes, new features and enhancements

Compatibility update for EAP-based TLS methods for clients that support TLS 
1.2. Examples are the future Apple iOS and OS X releases and Android
6 Marshmallow.

Two important security fixes. OSC recommends all users to review OSC security 
advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html

TLS session resumption may not currently work with all Windows clients. 
A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or 
wait for the client to retry the authentication.

Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address 
allocation and prefix delegation



   Detailed changes


Created separate directory for PPM files compiled for ActivePerl. Moved files 
from ppm to ppm/activeperl/ and updated the meta file contents.
Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up to Perl 
5.20: 64bit and 32bit with 64bit integer.
Created separate directory for PPM files compiled for Strawberry Perl.
Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl
5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.

Radiator now logs the Net::SSLeay and SSL/TLS library version during the 
radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it can not 
be determined that the MPPE keys can be correctly calculated. 
These changes enhance compatibility with future Apple iOS, OS X and Android 6 
Marshmallow. If all TLS versions are not available, details of what can be used 
is logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 or later is required to 
fully utilise all TLS versions for TLS based EAP methods. Thanks to radiator 
mailing list members for comments and suggestions.

AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration 
parameter. This parameter requires Sys::Syslog version 0.28 or later. 
Suggested by Michael and Kilian Krause.

LDAP modules now support BindFailedHook which is called when LDAP bind 
operation fails. The default is to log the failure. Bind password is no longer 
logged. To log the password, configure the hook to log it or configure the LDAP 
clause with the Debug configuration parameter and see the console output. With 
the kind help of Scott Bertilson.

AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is enabled. 
Binary attribute values are now logged in text format similarly to RADIUS 
attributes. To debug the password, use the Debug configuration parameter and 
see the console output or configure PasswordLogFileName for the Handler.

Resolver for AuthBy DNSROAM now uses eval to catch exceptions from Net::DNS. 
The Net::DNS API had been changed around version 0.72 to raise exceptions when 
errors occurred. Uncaught exceptions could cause Radiator to crash. Reports and 
help with patches from Bjoern A. Zeeb and Paul Dekkers.

Updated error levels for Resolver log messages. Most of the log messages are 
now using WARNING instead of ERR. These messages are logged for example for DNS 
failures or badly formatted DNS domains.

ServerHTTP authentication now creates a request that can be correctly proxied 
to a remote server. Previously the proxied authentication would always fail.

AuthBy RADIUS and its derived modules still required 'ipv6:' prefix for 
LocalAddress parameter. Reported by Claudio

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
We installed the previous version from RPM. Should we remove that RPM before 
installing this version plus patches?

---
Roberto Ullfig – rull...@uic.edu
ACCC Research Programmer


-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Tuesday, October 27, 2015 4:57 AM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, 
enhancements and new features

We are pleased to announce the release of Radiator version 4.16

This version contains two important security fixes. Upgrade is recommended. 
Please review OSC security advisory OSC-SEC-2015-02 for more information:
https://www.open.com.au/OSC-SEC-2015-02.html

As usual, the new version is available to current licensees from:
https://www.open.com.au/radiator/downloads/

and to current evaluators from:
https://www.open.com.au/radiator/demo-downloads

Licensees with expired access contracts can renew at:
https://www.open.com.au/renewal.html

An extract from the history file
https://www.open.com.au/radiator/history.html is below:

-

Revision 4.16 (2015-10-27)

   Selected bug fixes, compatibility notes, new features and enhancements

Compatibility update for EAP-based TLS methods for clients that support TLS 
1.2. Examples are the future Apple iOS and OS X releases and Android
6 Marshmallow.

Two important security fixes. OSC recommends all users to review OSC security 
advisory OSC-SEC-2015-02 https://www.open.com.au/OSC-SEC-2015-02.html

TLS session resumption may not currently work with all Windows clients. 
A workaround is to configure the EAPTLS_SessionResumption parameter to 0 or 
wait for the client to retry the authentication.

Radiator now supports new module AddressAllocator DHCPv6 for IPv6 address 
allocation and prefix delegation



   Detailed changes


Created separate directory for PPM files compiled for ActivePerl. Moved 
files from ppm to ppm/activeperl/ and updated the meta file contents.
Win32-Lsa is now compiled for both ActivePerl 5.18 and 5.20 flavours up 
to Perl 5.20: 64bit and 32bit with 64bit integer.
Created separate directory for PPM files compiled for Strawberry Perl.
Win32-Lsa is now compiled for all Strawberry Perl flavours up to Perl 
5.22: 64bit, 32bit with 32bit integers and 32bit with 64bit integers.

Radiator now logs the Net::SSLeay and SSL/TLS library version during the 
radiusd startup. TLS v1.2 for TLS based EAP methods is not used if it 
can not be determined that the MPPE keys can be correctly calculated. 
These changes enhance compatibility with future Apple iOS, OS X and 
Android 6 Marshmallow. If all TLS versions are not available, details of 
what can be used is logged. Net::SSLeay 1.53 or later and OpenSSL 1.0.1 
or later is required to fully utilise all TLS versions for TLS based EAP 
methods. Thanks to radiator mailing list members for comments and 
suggestions.

AuthLog SYSLOG and Log SYSLOG clauses now support LogPort configuration 
parameter. This parameter requires Sys::Syslog version 0.28 or later. 
Suggested by Michael and Kilian Krause.

LDAP modules now support BindFailedHook which is called when LDAP bind 
operation fails. The default is to log the failure. Bind password is no 
longer logged. To log the password, configure the hook to log it or 
configure the LDAP clause with the Debug configuration parameter and see 
the console output. With the kind help of Scott Bertilson.

AuthBy LDAP2 now logs PasswordAttr as **obscured** when debugging is 
enabled. Binary attribute values are now logged in text format similarly 
to RADIUS attributes. To debug the password, use the Debug configuration 
parameter and see the console output or configure PasswordLogFileName 
for the Handler.

Resolver for AuthBy DNSROAM now uses eval to catch exceptions from 
Net::DNS. The Net::DNS API had been changed around version 0.72 to raise 
exceptions when errors occurred. Uncaught exceptions could cause 
Radiator to crash. Reports and help with patches from Bjoern A. Zeeb and 
Paul Dekkers.

Updated error levels for Resolver log messages. Most of the log messages 
are now using WARNING instead of ERR. These messages are logged for 
example for DNS failures or badly formatted DNS domains.

ServerHTTP authentication now creates a request that can be correctly 
proxied to a remote server. Previously the proxied authentication would 
always fail.

AuthBy RADIUS and its derived modules still required 'ipv6:' prefix for 
LocalAddress parameter. Reported by Claudio Ramirez. Correct address is 
now logged if binding to LocalAddress fails.

Huawei-DNS-Server-IPv6-Address, Huawei-Framed-IPv6-Address, 
Alc-Ipv6-Address, Alc-Ipv6-Primary-Dns and Alc-Ipv6-Secondary-Dns had 
incorrect type ipv6addr. The correct type is ipaddrv6 for IPv6 addresses.

SqlDb now initialises the DBD::ODBC odbc_query_timeout attribute with 
the Timeout configuration parameter value. This attribute is valid only 
fo

Re: [RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Heikki Vatiainen
On 3.11.2015 11.13, Michael Bellears wrote:

> Ah – Just found one difference – NASTYPE appears to have been changed to
> NASENGINE in RADCLIENTLIST?

Hmm, are you sure this is not a local modification? I took a look at 
Radmin/Schema.pm and the only changes in RADCLIENTLIST seem to be 
related to lengths of some of the varchar type fields.

The migration instructions are here, but the changes are for different 
tokens and their management:

http://www.open.com.au/radmin/migration.html

Thanks,
Heikki

-- 
Heikki Vatiainen 



Re: [RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Michael Bellears
Ah - Just found one difference - NASTYPE appears to have been changed to 
NASENGINE in RADCLIENTLIST?

Found after running the error I received:

mysql> select NASIDENTIFIER,SECRET,DEFAULTREALM,NASTYPE,DUPINTERVAL from 
RADCLIENTLIST;
ERROR 1054 (42S22): Unknown column 'NASTYPE' in 'field list'





From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Michael Bellears
Sent: Tuesday, 3 November 2015 7:06 PM
To: 'radiator@open.com.au'
Subject: [RADIATOR] Migrating a Radiator+Radmin server

Hi Everyone,

Migrating an old server -> New, and are having some issues with Radmin - Dump 
of the original mysql dbase, then import on the new server(After radiator and 
radmin install), Radmin works to an extent, but in some sections throws the 
following error:

A serious error has occurred:
Could not prepare and execute select 
NASIDENTIFIER,SECRET,DEFAULTREALM,NASTYPE,DUPINTERVAL from RADCLIENTLIST

But I can list all users, list service profiles etc - The "old" radmin version 
was 1.10, the new is 1.15 - Hoping there is a "simple" fix :)  (As I have 
looked at the table structure of RADCLIENTLIST on both the 1.10 ver and the 
1.15 version, and they "appear" the same.)


Cheers

[RADIATOR] Migrating a Radiator+Radmin server

2015-11-03 Thread Michael Bellears
Hi Everyone,

Migrating an old server -> New, and are having some issues with Radmin - Dump 
of the original mysql dbase, then import on the new server(After radiator and 
radmin install), Radmin works to an extent, but in some sections throws the 
following error:

A serious error has occurred:
Could not prepare and execute select 
NASIDENTIFIER,SECRET,DEFAULTREALM,NASTYPE,DUPINTERVAL from RADCLIENTLIST

But I can list all users, list service profiles etc - The "old" radmin version 
was 1.10, the new is 1.15 - Hoping there is a "simple" fix :)  (As I have 
looked at the table structure of RADCLIENTLIST on both the 1.10 ver and the 
1.15 version, and they "appear" the same.)



Cheers