Re: [RADIATOR] Duplicate packets

2016-07-18 Thread A . L . M . Buxey
Hi,

> I am not handling start packets so they are ignored, as you may have noticed 

at least acknowledge them. if you don't handle them and ignore them then any decent NAS will resend them and/or mark your server as down/dead  :(

alan
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Questions regarding new release and current roadmap

2016-06-29 Thread A . L . M . Buxey
Hi,

> 2.5) A method of synchronizing configuration files (apart from certain 
> variables) across multiple servers. If all Radiator servers have very similar 
> configuration and are distributed for load balancing and redundancy, it's a 
> shame that the configuration needs to be managed and configured separately 
> for each server. There are differences between servers, but the bulk of the 
> configuration can remain the same. 
> 
> There is 3rd party software such as rsync for synchronizing files, but the 
> variables for each Radiator configuration file have to be within the file 
> itself (as far as I can tell). If the variables could be configured outside 
> of each configuration file, such as a header file, this would allow for 
> synchronizing the configuration files effectively across all servers while 
> still taking into account the differences between each server.

eh???  we do multi-server configuration syncing already - you know that you can just include different files for each server...using...a header file as you say - our radius.cfg contains all local requirements and then pulls in the local config file for the server.  (in our case we use a database to hold all details, generate the required new configs for each server then push out to each server)

> 2.6) A more secure method for storing credentials, at the moment they can 
> only be stored locally on the Radiator servers. Perhaps integration with 
> popular 3rd party solutions (such as CyberArk) if their API permits it.

read discussions on the list - if stored elsewhere there are still security issues. what are you hoping to fix/resolve? you can store configs on a remote DB if there are basic local issues (though anyone with admin access could still read the DB credentials and then connect to the DB to get hold of config). 

alan


Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread A . L . M . Buxey
Hi,
>Are all the challenges independent of each other? I can't find anything in
>the debug log that ties the incoming packets together.

all separate UDP packets - but with a known state - the RADIUS server recognises the conversation (up to 256 from each NAS usually)

with latest patchset for 4.16 you can see more details to help track a conversation in debug

alan


Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread A . L . M . Buxey
Hi,

>Is there a paper somewhere which discusses EAP PEAP Challenges? I'm
>debugging a new controller's access to radiator and finding that a working
>auth requires 11 udp packets each way and I don't understand why. What
>info is being passed?

documented in the RFC and on resources such as packetlife

identity request/response
set up of EAP - transfer of the server cert (and intermediates)
(that bit can be a couple more packets)
negotiation for PEAP
PEAP tunnel creation
MSCHAPv2 challenge-response
accept

it's a lot of stuff going on, over UDP, with possible interesting RADIUS interactions.

if you want something with less chat, EAP-TLS or EAP-PWD ...or even EAP-FAST are the way to go.

alan


Re: [RADIATOR] Performance logging

2016-04-04 Thread A . L . M . Buxey
Hi,

> Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but 
> for example with demo test certificates bundled with Radiator, PEAP-TLS 
> takes 15 rounds for a single EAP authentication.

well, PEAP itself takes around 12-14 rounds - the EAP-TLS part is short. however, unless the client is correctly configured it will do the PEAP part with any RADIUS server that has a CA the client knows (hello any of those public CAs) - and thus will provide that server with the client's public-component TLS cert

alan

[RADIATOR] RADIATOR 4.16 clause checks...

2015-11-16 Thread A . L . M . Buxey
hi,

seems fussy about the upper/lower case, eg

WARNING: Clause Authby closed in /etc/radiator/radius.cfg line 121 does not 
match currently open clause AuthBy from /etc/radiator/radius.cfg line 118


# Local test realm

# Strip realm
RewriteUsername s/^([^@]+).*/$1/

# Users file for testing purposes
Filename /etc/radiator/testusers

so,

is it supposed to be this fussy?  :-)

alan

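As an added illustration of why the 4.16 check fires (this is not the list post's file nor Radiator's own parser): a small checker that pairs clause open and close tags case-sensitively and reports mismatches in the shape of the warning quoted above. The sample config is constructed, and the rule that a mismatched close still consumes the innermost open clause is an assumption made for the illustration.

```python
import re
from typing import List, Tuple

# Constructed sample config, not the poster's file: the clause is opened as
# "AuthBy" on line 6 but closed as "Authby" on line 8.
SAMPLE_CFG = """\
# Local test realm
<Handler Realm=test.example>
    # Strip realm
    RewriteUsername s/^([^@]+).*/$1/
    # Users file for testing purposes
    <AuthBy FILE>
        Filename /etc/radiator/testusers
    </Authby>
</Handler>
"""

# <Name> or <Name args...> on a line of its own opens a clause; </Name> closes it.
OPEN_RE = re.compile(r"^\s*<([A-Za-z][A-Za-z0-9_]*)(?:\s+[^>]*)?>\s*$")
CLOSE_RE = re.compile(r"^\s*</([A-Za-z][A-Za-z0-9_]*)\s*>\s*$")


def check_clauses(text: str, path: str = "radius.cfg",
                  case_sensitive: bool = True) -> List[str]:
    """Pair every </X> with the innermost open <X> and report mismatches.

    Warnings mimic the wording of the 4.16 message. With case_sensitive=False
    the comparison is relaxed, which is how a laxer parser would accept the
    same file without complaint.
    """
    stack: List[Tuple[str, int]] = []  # (clause name as written, line number)
    warnings: List[str] = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue  # blank or comment line
        m = OPEN_RE.match(raw)
        if m:
            stack.append((m.group(1), lineno))
            continue
        m = CLOSE_RE.match(raw)
        if not m:
            continue  # ordinary parameter line such as Filename or RewriteUsername
        closed = m.group(1)
        if not stack:
            warnings.append(f"WARNING: Clause {closed} closed in {path} line {lineno} "
                            "has no currently open clause")
            continue
        opened, open_line = stack[-1]
        same = (opened == closed) if case_sensitive else (opened.lower() == closed.lower())
        if not same:
            warnings.append(f"WARNING: Clause {closed} closed in {path} line {lineno} "
                            f"does not match currently open clause {opened} "
                            f"from {path} line {open_line}")
        # Assumption: a close tag always consumes the innermost open clause,
        # so one typo does not cascade into a warning for every outer clause.
        stack.pop()
    for opened, open_line in stack:
        warnings.append(f"WARNING: Clause {opened} opened in {path} line {open_line} "
                        "is never closed")
    return warnings


if __name__ == "__main__":
    for w in check_clauses(SAMPLE_CFG, "/etc/radiator/radius.cfg"):
        print(w)
```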


Re: [RADIATOR] Suggestion: Support of TLS Session Resumption based on tickets and not just session IDs

2015-10-27 Thread A . L . M . Buxey
Hi,

> RFC 5077 (Session Tickets based TLS Session resumption, aka TLS Session 
> Resumption without Server-Side State) is implemented as of Windows 8.1 and 
> Windows Server 2012R2. So along with Windows 10, that's 16% of the desktop 
> market share according to:
> https://www.netmarketshare.com/operating-system-market-share.aspx?qprid=10&qpcustomd=0

well, depends if they use this for 802.1X...


and if stuff is being done to support this then PLEASE let it be fully tested and verified by the requester/suggester and other people before being let loose. the TLS 1.2 issues we've recently had were the result of the feature being requested but not then being tested thoroughly :/

alan


[RADIATOR] problem with latest patchset

2015-10-20 Thread A . L . M . Buxey
hi,

after installing 19/oct/2015 patchset with 4.15


syntax error at /usr/local/share/perl5/Radius/Util.pm line 483, near 
"s@%{@{@rgs"
syntax error at /usr/local/share/perl5/Radius/Util.pm line 492, near 
"s@%{@{@rgs"
Compilation failed in require at /usr/local/share/perl5/Radius/Configurable.pm 
line 16.
BEGIN failed--compilation aborted at 
/usr/local/share/perl5/Radius/Configurable.pm line 16.
Compilation failed in require at /usr/local/share/perl5/Radius/ServerConfig.pm 
line 11.
BEGIN failed--compilation aborted at 
/usr/local/share/perl5/Radius/ServerConfig.pm line 11.
Compilation failed in require at /usr/local/bin/radiusd line 34.
BEGIN failed--compilation aborted at /usr/local/bin/radiusd line 34.



alan


Re: [RADIATOR] dictionary.cisco-vpn bitmap type warning

2015-10-14 Thread A . L . M . Buxey
Hi,

> when using the dictionary.cisco-vpn file we get the following warning on
> startup:
> WARNING: Attribute Cisco-VPN-WebVPN-HTML-Filter uses unknown type
> 'bitmap' on line 63

4.15 ?

do you use that attribute?  you could delete it if you don't, but if I recall correctly that value should be an 'integer8' 


alan


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-06 Thread A . L . M . Buxey
Hi,

> Would using Microsoft EFS on the Radiator folder (which contains all NAS 
> credentials) and limiting access be a stronger solution than using an 
> encrypted database? Would this cause a noticeable performance hit for an SMB?

ah..you're using RADIATOR on a windows box?  now I see why you worry about things being readable! ;-)

okay...use EFS...but once the volume is decrypted it can be read.   put strings into memory and they can be read. performance hit = no - as the config is only read at startup or restart... only entries in databases are checked dynamically.  you can store your stuff securely elsewhere eg a database that is read by the RADIATOR server..but that's just obfuscation as they'll still have to be read by the server..stored in memory..and if the database isn't secured then that's more of an attack vector (also, admins on the server with DB read access could still read the password...)

alan


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-02 Thread A . L . M . Buxey
Hi,

> In this case the private key wasn't necessary to authenticate the phones. 
> ACS, Cisco's AAA server, also doesn't require the CAPF private key but rather 
> the CAPF public key to authenticate phones. 

what you need depends on your implementation. if using another CA - eg a public one, then you just need the CA to be trusted/known. 

alan


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi,

> These passwords are the ones I think should be protected since they are 
> usually long-term and sensitive. Migrating every NAS to Active Directory 
> defeats the separation of system administration from network administration, 
> each time a new NAS has to be configured you would have a system admin create 
> it for you under the correct OU and he would be the one to manage it in the 
> future. If you want to have a AAA server for network admins only, you'd have 
> to keep the passwords in cleartext.

..so...you're talking about the shared secret password?  how people deploy their RADIUS server is down to them - but in most cases it's the network team that run the RADIUS server (from what I've seen) with the system admin looking after the OS. as for 'defeating the separation' - hello?  it's 2015 - we're all supposed to be working together and avoiding living in silos...all unified and not a tribal thing (indeed, virtualisation systems such as VMware and HyperV are defeating you too - the system admins now look after their network)

> Assuming you kept all NAS credentials on the server (unencrypted), you would 
> in fact be providing any user with local admin on the server permission to 
> access credentials which shouldn't concern them. I'd imagine in this day and 
> age that big companies would want something like that mitigated. 

don't let people onto the system who shouldn't be on there. the people going on there know the shared secret anyway.

> I'm interested in hearing if other users feel that these security measures 
> are a worthy enhancement for future versions. At the very least it would help 
> to be less dependent on existing system architecture for securing credentials.

if other servers didn't do the same thing, I would think RADIATOR was wrong.  but FreeRADIUS and radsecproxy both do too.  they expect the admin to be running secure servers (maybe ones not used for ANY other purpose as a minimum)

alan


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi,

> Specific hardware for securing files on your server shouldn't be necessary 
> for the use cases I'm suggesting. I've just integrated Radiator for the first 
> time and I was shocked that for each NAS I had to keep the password in 
> plaintext. 

yes... but who can use that password? just the NAS. if you try using that password (shared secret) on another NAS it won't work as the IP address of the client is different. oh, unless you've defined your client as 0.0.0.0/0 but that would be stupidity

> Radiator is installed on servers worldwide whether physical or VM, I believe 
> that each of them (regardless of hardware) should be provided with at least 
> the same security as NPS which knows how to accept user passwords in 
> plaintext and then obfuscate them (whether encrypted, hashed or otherwise).  

NPS stores its NAS shared secrets simply too.  user passwords can be stored in many secure ways...even kept in their original location in the AD and use LSA or ntlm_auth to authenticate the user via AD through RADIATOR

alan


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi,

> I would like to discuss the issue of securing passwords and certificates on 
> the Radiator server. From looking over the documentation and asking a member 
> of support on the matter, it looks as if there is no option for encrypting 
> passwords in the configuration. Moreover there seems as if there is no option 
> to secure the certificates. I researched this for a bit and herein is one 
> possible solution, I'm sure there are others which may be more suitable.
> 
> 
> I believe that OSC should look into KeePass, specifically kpcli which is a 
> perl distribution which allows storing passwords in a highly encrypted manner 
> whilst allowing access via master password or a keyfile. You can even make a 
> composite password which requires both a key file and a password (so that 
> even if the keyfile or master password is compromised, your passwords 
> aren't). Two-factor authentication and encryption is much better than no 
> authentication and encryption at all. The key file should be allowed to be 
> accessible from a remote network share.

at some point, the server needs to read passwords... if you have to have a master key, IT needs to be in the config somewhere. and if someone malicious has control of your server then they could read that key and, using the very PERL libraries you are talking about, extract the keys. basically, a server doing RADIUS needs to be secure.

> It's true that the master password would have to appear in the configuration, 
> but the keyfile solution sounds promising if you ensure that the user running 
> the radiusd process is a domain user who has access only to the necessary 
> files and shares. Another option for the master password would be to prompt 
> the Radiator administrator for the master password when radiusd is run 
> (preferably via CLI so that it can be automated). 

that's really good for when the server restarts after a power cut, outage etc.  almost all people using apache strip the key from their server cert for exactly this same reason - you want the server to start up without a human being around

> How about a way to store the certificates in a keystore such as pkcs12 which 
> is already available via OpenSSL? 
> In this way each certificate in the keystore can be addressed by alias, 
> whilst they are encrypted and safe, without having to keep individual 
> passwords in cleartext. 
> The passwords retrieved from kpcli could include the password for the 
> keystore as well as certificates within the file, thus providing 
> authentication and encryption to all certificates which Radiator must access.
> Anyone who doesn't wish to encrypt their passwords or secure their 
> certificates could continue to work with Radiator the same as before, these 
> are only suggested enhancements.

what passwords are you talking about?   user passwords should never be stored in plain text format anyway...as for the certs, ALL RADIUS servers work in the same way as RADIATOR - ALL of them have a certificate that needs to be read and someone has access to. 


alan


Re: [RADIATOR] Use FarmSize parameter

2015-09-25 Thread A . L . M . Buxey
Hi,

>So what happens to the EAP/PEAP requests if one enables FarmSize?  Do they
>simply get processed by the parent, or do they break completely?

the issue is to ensure that the same child deals with them. if you are running 4.15 + patches then there is a whole nice new Gossip framework which is very easy to get up and running to share the state between all children and ensure the request gets dealt with correctly.

try it (in a test/lab/bench environment), that's really the best way.


alan


Re: [RADIATOR] VM or physical

2015-09-18 Thread A . L . M . Buxey
Hi,

>We are in process of virtualising our physical radius servers (to vmware)
>and wanted to get a general feel from users in the community here to see
>what is the preferred option, keep running on physical servers or move to
>vm... Obviously each option has its own benefits and limitations, but as
>far as Radiator itself, any word of advise on what is the better platform?
>Anyone had any issues with running under vm worth mentioning?
>Current Radiator servers setup in an active/active configuration with each
>of those servers processing around 1200 packets/min of dot1x auth for
>wireless networks and VPN with a number of handlers with pre/post hooks
>etc...

I'd advise that you benchmark your requirements to ensure the platform can deal with the requirements... your 1200 isn't much though. there are documents and various articles showing poorer UDP performance with virtual platforms - we certainly had an issue and had to keep a physical box 

alan


Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread A . L . M . Buxey
Hi,

>Oh man!
> 
>In other words it's a waste of good money to pay for a signed certificate.

for your own internal 802.1X (where you are only directly authenticating your own users (and that includes eg eduroam)) - yes.  best practice is to use a self-signed CA (you have the same issues in getting the Root CA onto the clients but there are tools, some free, for that anyway).


for a public 802.1X system where any person wants to join then there are 2 arguments - ease of use (go for well known public CA) or security - use a self-signed CA.   I'd hope such a public 802.1X system (and there are some out there now and increasing due to eg HS2.0/passpoint/802.11u) would have some configuration system/tool and they should use a self-signed CA - any $0.01 script kiddie can get a cert from a well known CA for some $$ and fake your AP/network  :/


alan


Re: [RADIATOR] OpenSSL version.

2015-08-18 Thread A . L . M . Buxey
Hi,
> I double checked to see of Win32::Lsa got installed:

that's Win32::Lsa and not RADIUS::LSA


alan


Re: [RADIATOR] Apple iOS 9 and OS X El Capitan

2015-07-30 Thread A . L . M . Buxey
Hi,

> Not tested, but I suspect that we will find that 1.53 is the version
> at which this starts to work and, if so, it should become the minimum
> version that should be used.

based on other changes etc I would say just go for the current latest
release -  1.70 - why opt for something older? (especially regarding
the 1.0.2 openssl fixes in 1.68 and 1.69) - and anyone with creaky old
systems might find they are running PERL < 5.8.8 - which is also sorted
in 1.66...

alan


Re: [RADIATOR] Apple iOS 9 and OS X El Capitan (radiator Digest, Vol 74, Issue 10)

2015-07-30 Thread A . L . M . Buxey
Hi,

> I definitely agree with your suggestion. Now that we all know that
> this is an issue, we can take steps to raise awareness and inform. For
> Eduroam in particular, I feel that notices should be put out to
> participating institutions.

actually, as a specific vendor problem, I would hope that OSC would communicate
to their commercial customers about this - inform their customers of this
requirement anyway.


alan


Re: [RADIATOR] Running Radiator under SELinux?

2015-07-28 Thread A . L . M . Buxey
Hi,

> > is it possible to run Radiator (newest version) on Linux (CentOS 7)
> > with SELinux enabled? Are there any special configurations or other
> > advices to consider? Or should we better disable SELinux?
> 
> I'd say it is worth trying with SELinux enabled first. We have not
> looked thoroughly at this yet, but basic configuration seems to work. If
> you check radiusd_selinux(8) man page, many things apply to Radiator too.

$ getenforce 
Enforcing


works fine here.

you will need to look at eg auditd and use tools such as audit2why etc to verify when things fail. 

I can't recall anything in particular that we had to do to get it working with SELinux... we call some pre/post handler scripts, we call SSL code (RADSEC and dynamic server discovery stuff)... if you are using an SQL system you MIGHT have further games or if you use the web interface admin method you might have something to deal with there..

alan


Re: [RADIATOR] Apple iOS 9 and OS X El Capitan

2015-07-25 Thread A . L . M . Buxey
Hi,

> These warnings led me to discover that the RHEL6-provided version of 
> perl-Net-SSLeay I had been using was positively ancient:
> $ perl -e 'use Net::SSLeay; print $Net::SSLeay::VERSION."\n"'
> 1.35
> so I installed the latest Net::SSLeay 1.70 from cpan and successfully 
> got rid of the warnings.

ouch. if you read the release notes for RADIATOR you'll see that they've been advising to use versions >> 1.39 for some time now - even 4.12 had much improvements if using 1.52 and later... the heartbleed fix requires something like 1.69 (now I really hope that RedHat have at least backported the fixes to their old version!!!) ...at least 1.35 gave you SHA256 ability...


alan


Re: [RADIATOR] Odd PEAP Reconnection Failures

2015-07-02 Thread A . L . M . Buxey
Hi,
>I have a laptop running Windows 7. It's not connected to Active Directory.
>I can login to the wireless network fine the first time but if I
>disconnect and try to reconnect I get a PEAP failure in the radiator log.
>If I wait a while I can connect again. The radiator server is a
>development server and not under any load. The problem does NOT occur if I
>am on a laptop that is in Active Directory - in that case I can
>connect/reconnect over and over again with no issues.

what do you see on the server when you are running trace level 5 for this 
client?

alan


Re: [RADIATOR] eduroam request with EAP Nak desires type 26

2015-03-13 Thread A . L . M . Buxey
Hi,

>I have local users working fine, goes to an outer PEAP handle, then inner
>ms-chap handle.
>all works fine.

EAP type 26 is MS-EAP-Authentication (EAP/MS-CHAPv2) - which is different to
the one you are handling - type 25 PEAP, Protected EAP

alan


Re: [RADIATOR] Radiator Load Balancing

2015-03-04 Thread A . L . M . Buxey
Hi,

F5 load balancers have been used successfully for RADIUS load balancing for years (it's essential for the load balancer to be RADIUS protocol aware and ensure the same session goes to the same backend)

alan


Re: [RADIATOR] Cisco 5508 passing mac for mac auth

2015-02-18 Thread A . L . M . Buxey
Hi,

>When using a Cisco Wireless controller I have mac delimiters and 3 modes
>of operation:
>- Other - (In the Radius Access Request with Mac Authentication Password
>is NOT sent.)
>- Free Radius - (In the Radius Access Request with Mac Authentication
>Password is controller's shared secret with radius server.)

huh?  FreeRADIUS quite happily takes Mac address with the MAC address as password... in fact, you'd have to do quite a bit of work and ignore some key WIKI docs to make that description above work! :/

> - Cisco ACS - (In the Radius Access Request with Mac Authentication
>password is client's MAC address.)

this one is what you want to use with RADIATOR (and FreeRADIUS ;-)) , then just list the MAC addresses as username and as password in your "Users" file for that method (I assume you'll have a separate policy so call in this particular MAC list Users file for a handler for that service.)

alan


Re: [RADIATOR] strip attributes from access-reject

2014-12-15 Thread A . L . M . Buxey
Hi,

> Is there a way to not include radius attributes, when sending a RADIUS 
> access-reject?

StripFromReply ?

alan


Re: [RADIATOR] AuthWIRELESS.pm, AuthSUSPEND.pm?

2014-12-03 Thread A . L . M . Buxey
Hi,
>Sorry was wrong, only SUSPEND and WIRELESS are missing from both RPMS:
>4.10-1 and 4.14-1.

some local code you've added/created?  the official releases don't have such .pm files in the Radius directory - what file has got "use Radius::AuthSUSPEND" in it? might be you just copy the required stuff from your old server (once you've worked out what it is and why it's there.)

alan


Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi,
> Also getting these:
> 
> WARNING: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after 
> failover
> 
> Which is odd since we're using PEAP not EAP.

all EAP requests must go to the same remote RADIUS box. there is an EAPHASHBALANCE method but if doing ANY remote stuff then don't use it - the docs clearly state the issue when using such systems in eg federated systems such as eduroam as you have no control over remote proxies and any of them can alter/remove/play with the required proxy-state attribute

alan


Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi,
> Also getting these:
> 
> WARNING: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after 
> failover
> 
> Which is odd since we're using PEAP not EAP.

PEAP is EAP...

alan


Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi,

> OK, well we're also seeing lots of these messages on the backend:
> 
> INFO: Duplicate request id 147 received from 128.248.155.31(41004): 
> retransmit reply

duplicates mean that a request wasn't answered quickly enough - usually caused by a slowness in the backend authentication systems. the NAS has resent a request as it didn't get a reply (so if requests are being silently dropped that can happen too)

alan
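Added example (not Radiator's code, nor anything from the posts above) of what the "Duplicate request id ... retransmit reply" message corresponds to, and of why the accounting Start packets in the earlier "Duplicate packets" thread keep coming back when they are ignored: a NAS that gets no reply resends, and a server that keeps a short-lived cache of answered requests can replay the reply instead of hitting the slow backend again. Packet layout and authenticators follow RFC 2865/2866; the cache key, TTL, the simulated backend and all addresses and secrets are constructed assumptions.

```python
import hashlib
import struct
from typing import Callable, Dict, List, Tuple

ACCOUNTING_REQUEST, ACCOUNTING_RESPONSE = 4, 5
USER_NAME, ACCT_STATUS_TYPE, ACCT_SESSION_ID = 1, 40, 44
ACCT_START = 1
SECRET = b"constructed-shared-secret"  # constructed value, not a real secret

Attrs = List[Tuple[int, bytes]]


def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def accounting_request(ident: int, attrs: Attrs, secret: bytes) -> bytes:
    """RFC 2866: Request Authenticator = MD5(packet with zeroed authenticator + secret)."""
    pkt = build_packet(ACCOUNTING_REQUEST, ident, bytes(16), attrs)
    return pkt[:4] + hashlib.md5(pkt + secret).digest() + pkt[20:]


def reply_to(request: bytes, code: int, secret: bytes, attrs: Attrs = ()) -> bytes:
    """RFC 2865: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+secret)."""
    unsigned = build_packet(code, request[1], request[4:20], list(attrs))
    return unsigned[:4] + hashlib.md5(unsigned + secret).digest() + unsigned[20:]


def verify_reply(request: bytes, reply: bytes, secret: bytes) -> bool:
    """What the NAS does before trusting a reply: recompute the Response Authenticator."""
    expected = hashlib.md5(reply[:4] + request[4:20] + reply[20:] + secret).digest()
    return expected == reply[4:20]


class DuplicateCache:
    """Answer retransmits of an already-processed request with the cached reply.

    Keyed on source address, Identifier and Request Authenticator (assumption:
    the usual key, in the spirit of RFC 5080). A NAS that later reuses
    Identifier 147 for a new request has a new authenticator, so it is not
    treated as a duplicate.
    """

    def __init__(self, ttl: float = 30.0) -> None:
        self.ttl = ttl
        self._cache: Dict[tuple, Tuple[float, bytes]] = {}
        self.log: List[str] = []

    def handle(self, src: Tuple[str, int], request: bytes, now: float,
               process: Callable[[bytes], bytes]) -> bytes:
        key = (src, request[1], request[4:20])
        hit = self._cache.get(key)
        if hit and hit[0] > now:
            self.log.append(f"INFO: Duplicate request id {request[1]} received "
                            f"from {src[0]}({src[1]}): retransmit reply")
            return hit[1]
        reply = process(request)
        self._cache[key] = (now + self.ttl, reply)
        return reply


def demo() -> Dict[str, object]:
    """A NAS sends Accounting-Start, hears nothing within its timeout, and resends."""
    backend_calls = 0

    def slow_backend(request: bytes) -> bytes:
        nonlocal backend_calls
        backend_calls += 1  # e.g. an SQL insert that took too long the first time
        return reply_to(request, ACCOUNTING_RESPONSE, SECRET)

    nas = ("192.0.2.10", 41004)  # constructed NAS address
    start = [(USER_NAME, b"alice"), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
             (ACCT_SESSION_ID, b"0000001A")]
    req = accounting_request(147, start, SECRET)
    cache = DuplicateCache(ttl=30.0)
    first = cache.handle(nas, req, now=0.0, process=slow_backend)
    second = cache.handle(nas, req, now=3.0, process=slow_backend)  # NAS retransmit
    # Same Identifier reused for a different session: different authenticator.
    later = [(USER_NAME, b"bob"), (ACCT_STATUS_TYPE, struct.pack("!I", ACCT_START)),
             (ACCT_SESSION_ID, b"0000001B")]
    cache.handle(nas, accounting_request(147, later, SECRET), now=5.0, process=slow_backend)
    return {"backend_calls": backend_calls, "retransmit_identical": first == second,
            "reply_verified": verify_reply(req, first, SECRET), "log": list(cache.log)}
```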


Re: [RADIATOR] Problems with Secret and SQLClientList

2014-09-02 Thread A . L . M . Buxey
Hi,

> > AFAIK most switching devices (including Cisco, commonly used here) do not 
> > support the message-authenticator attribute. However the solution above 
> > works now, thanks again!

? we use Cisco and have Message Authenticator enforcement turned on.

alan
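Added example (not Radiator's code) of what "Message Authenticator enforcement" actually checks: the HMAC-MD5 of RFC 2869 computed over the Access-Request with the attribute's 16 value octets zeroed, and a verifier that rejects a tampered packet, a wrong secret, or, when enforcing, a packet that omits the attribute altogether. Attribute values, the secret and the identifiers are constructed.

```python
import hashlib
import hmac
import os
import struct
from typing import Dict, Iterator, List, Tuple

ACCESS_REQUEST = 1
USER_NAME, NAS_IP_ADDRESS, MESSAGE_AUTHENTICATOR = 1, 4, 80
SECRET = b"constructed-shared-secret"  # constructed, not a real secret

Attrs = List[Tuple[int, bytes]]


def build_packet(code: int, ident: int, authenticator: bytes, attrs: Attrs) -> bytes:
    """Code(1) Identifier(1) Length(2) Authenticator(16) then TLV attributes."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body


def iter_attrs(pkt: bytes) -> Iterator[Tuple[int, int, bytes]]:
    """Yield (type, offset of value, value) for each attribute after the header."""
    off = 20
    while off + 2 <= len(pkt):
        t, length = pkt[off], pkt[off + 1]
        if length < 2 or off + length > len(pkt):
            break  # malformed length: stop rather than read past the packet
        yield t, off + 2, pkt[off + 2:off + length]
        off += length


def sign_access_request(ident: int, attrs: Attrs, secret: bytes) -> bytes:
    """RFC 2869 5.14: Message-Authenticator = HMAC-MD5(secret, packet), computed
    with the attribute present but holding 16 zero octets; the Request
    Authenticator is the random value the NAS chose."""
    request_auth = os.urandom(16)
    pkt = build_packet(ACCESS_REQUEST, ident, request_auth,
                       attrs + [(MESSAGE_AUTHENTICATOR, bytes(16))])
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    return pkt[:-16] + mac  # placeholder is the last attribute; swap in the MAC


def verify_message_authenticator(pkt: bytes, secret: bytes, enforce: bool = True) -> bool:
    """Server side. enforce=True rejects packets without the attribute, which is
    what RFC 3579 requires for any Access-Request carrying EAP-Message."""
    for t, off, value in iter_attrs(pkt):
        if t != MESSAGE_AUTHENTICATOR:
            continue
        if len(value) != 16:
            return False
        zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
        expected = hmac.new(secret, zeroed, hashlib.md5).digest()
        return hmac.compare_digest(expected, value)  # constant-time compare
    return not enforce


def demo() -> Dict[str, bool]:
    attrs = [(USER_NAME, b"alice"), (NAS_IP_ADDRESS, bytes([192, 0, 2, 10]))]
    signed = sign_access_request(7, attrs, SECRET)
    tampered = bytearray(signed)
    tampered[22] ^= 0x01  # flip one bit inside the User-Name value
    unsigned = build_packet(ACCESS_REQUEST, 8, os.urandom(16), attrs)
    return {
        "valid": verify_message_authenticator(signed, SECRET),
        "tampered": verify_message_authenticator(bytes(tampered), SECRET),
        "wrong_secret": verify_message_authenticator(signed, b"other-secret"),
        "missing_enforced": verify_message_authenticator(unsigned, SECRET, enforce=True),
        "missing_lenient": verify_message_authenticator(unsigned, SECRET, enforce=False),
    }
```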


Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

2014-06-28 Thread A . L . M . Buxey
Hi,

> Even in the absence of client side configuration, some of the clients 
> (notably OS X) present some details about the cert to the user that they 
> can verify manually (name, fingerprint, expiry date).

yep...and most users will click okay/accept without checking a single thing or even reading the wording. other clients may just silently fail if it's a CA that the OS just doesn't know.

alan


Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

2014-06-21 Thread A . L . M . Buxey
Hi,

> I've been searching around the list and the Internet trying to figure 
> out how a wireless client can verify the hostname of the SSL cert 
> provided by Radiator through the NAS as an SMTP or HTTP client would, 
> but I can't seem to find anything insightful. I'm not concerned with how 
> the client uses the SSL chain and its included CAs to verify the cert 
> cryptographically.
> 
> For one, the client doesn't have Internet to make a reverse lookup until 
> they accept the cert.

correct. there are no reverse lookups etc.

the client is configured to trust a CA (and the RADIUS cert is signed by that CA - either directly or with intermediates that the client either knows or is passed through to it via the 802.1X certificate phase) and the client is configured to trust a CN

that CN is given to the RADIUS certificate. 

ie client configured to trust a CA and given the CN of a certificate it should trust. the RADIUS server presents a certificate signed by that trusted CA and has a name that the client is configured to trust.  you'll realise by now that you don't want to use a public CA as many clients cannot be configured to trust a specific CN and anyone could get a cert signed by eg verisign  ;-)

alan


Re: [RADIATOR] Trying to get Radiator to work with EAP-TTLS auth

2014-06-04 Thread A . L . M . Buxey
Hi,

>Ok I copied straight from the goodies (eap_misc I think..) and even used
>certificates and still getting that error

..and the trace 5 output looks like??

it sounds like one of the PERL prerequisites might not be installed... the install guide lists the required PERL modules... ActiveState PERL has binary modules to install, Strawberry PERL will compile to install them.

alan


Re: [RADIATOR] Status-Server changes in patches for Radiator 4.11

2014-05-12 Thread A . L . M . Buxey
Hi,

> Status-Server based failure detection needs two options specified in
> AuthBy RADIUS or Host within AuthBy RADIUS:
> - Flag: UseStatusServerForFailureDetect
> - Integer: KeepaliveTimeout numsec

what is the interplay/interaction with RADSEC for this StatusServer method?

cheers

alan


Re: [RADIATOR] EAP TLS issues "routines:SSL3_READ_BYTES:tlsv1 alert access denied"

2014-02-20 Thread A . L . M . Buxey
Hi,

>  To make sure I'm on the same page with you, I'm guessing by "supplicant"
>you mean the wireless client (in this case a Windows 7 laptop)? There's no
>configuration that pops up immediately on that one.  I tell it to connect
>to the network and it pops up a username / password dialog no other
>options to set.  

yes, supplicant is the term used for the OS component that deals with the 802.1X
before dropping back to the main TCP/IP stack

you will be finding, as many '802.1X pioneers' before you - such as the eduroam
folk - how many varied clients and behaviours there are in the world. 

Windows 8 and Windows Phone devices, for example, also require the CRLDP field
to be present in the certificate chain (either in the server cert, or the CA,
or both - doesn't matter... why??? why, when there is no way it can validate that
cert until after it's actually connected to the network? no-one knows... and no-one,
as far as I'm aware, from Microsoft has explained or cleared the issue).

it could be that, by default, your chosen CA is not in the default known CA
list in Windows 7 - use the mmc snap-in, check the certs present in Trusted Root
etc to see if it's there... some 'common' CAs only make it via eg Windows Update
patches


alan


Re: [RADIATOR] Trace level

2014-01-03 Thread A . L . M . Buxey
Hi,

> I like the output of Trace 4, it makes it easy to check user inquiries as 
> it captures the username, IP, MAC, but the log files get very big due to 
> the verbose output from the EAP traffic. At the moment I just rotate the 
> log file a few times a day but is there a better way around that?

Trace 3 doesn't provide the required info? 

You could edit the Perl source to stop the logging of the EAP messages

alan


Re: [RADIATOR] Remote RADIUS servers (proxying)

2013-11-29 Thread A . L . M . Buxey
Hi,

how did you restart the server? it's likely the parent didn't die
and the new config isn't actually being used.

alan


Re: [RADIATOR] Missing info from error message

2013-11-27 Thread A . L . M . Buxey
Hi,

> It does appear that there are issues cascading RADIATOR servers that are
> all using  because the RADIUS "State" attribute used to
> track the EAP conversations gets mangled as the message progresses through
> the chain of servers.

interesting... I don't think that this has been discussed in eduroam (well, certainly
not recently) - and if all servers did this then nothing would work in a proxy system

> To make things work with the US NTLRS servers they graciously stopped
> using EAPBALANCE to load balance between our servers and moved to a
> traditional primary/backup model, but obviously I can't ask everyone to do
> that :-).

;-)   in the UK we did trials with EAPBALANCE and it didn't work well with many
of the connecting servers; we use primary/secondary/tertiary (I'm now wondering
if the US found our doc ;-) )

> The RADIATOR folks recommended I try HASHBALANCE instead, but I like the
> extra assurance that EAP conversations don't get broken up.

yes. the conversation cannot get broken up - both end destinations and middle
boxes don't like that - especially since another middle box could choose a different
destination

alan


[RADIATOR] RADIATOR issue with particular attribute (NAS-IPv6-Address)

2013-10-03 Thread A . L . M . Buxey
hi,

RADIATOR has a definition for the NAS-IPv6-Address attribute in
its dictionary file: 

ATTRIBUTE	NAS-IPv6-Address	95	ipaddrv6

however, it appears that this attribute type (ipaddrv6) has
some interplay problem with the server, ie if you have a RADIUS packet
going through RADIATOR on a host that isn't doing IPv6 - ie it doesn't have
the PERL Socket6 library installed - then the 18-byte attribute is mangled
to 2 bytes. the result of that? other servers such as NPS will just silently 
drop the packet (well, it logs a malformed RADIUS packet, but remote servers
think the server is dead). in a highly federated environment (eg eduroam)
this leads to quite elongated/obtuse issues. May I ask that this 
handling of the packet be separated from IPv6 functionality (standard
IPv4 servers should just pass known packets through as is) - 
perhaps as simple as changing the type of that attribute?

many thanks

alan
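As an added illustration of the length problem described in this post (example code, not Radiator's own): a small Python checker that walks the attribute list of a RADIUS packet and flags attributes whose value size does not match their dictionary type. NAS-IPv6-Address (95, ipaddrv6) must carry 16 value bytes, 18 bytes including the type/length header; the 2-byte form is what a strict peer rejects as malformed. The dictionary entries other than 95, the function names and the sample packets are constructed for this example.

```python
"""Check RADIUS attribute lengths against a (tiny) dictionary.

Added example, not Radiator code. A walker over the attribute list that
flags attributes whose value size disagrees with the fixed size of their
dictionary type. NAS-IPv6-Address (95, type ipaddrv6) must be 2 header
bytes + 16 value bytes = 18 bytes on the wire; the 2-byte form described in
the post (header only, value gone) is what a strict peer treats as malformed.
"""
import ipaddress
import struct

# Attribute number -> (name, data type). Entry 95 is the Radiator dictionary
# line quoted in the post; the others are standard RFC 2865 attributes added
# here for illustration.
DICTIONARY = {
    1: ("User-Name", "string"),
    4: ("NAS-IP-Address", "ipaddr"),
    32: ("NAS-Identifier", "string"),
    95: ("NAS-IPv6-Address", "ipaddrv6"),
}

# Value sizes in bytes for the fixed-width types; strings are variable.
FIXED_SIZES = {"ipaddr": 4, "ipaddrv6": 16, "integer": 4, "date": 4}

HEADER_LEN = 20  # Code, Identifier, Length, 16-byte Authenticator


def parse_attributes(packet):
    """Yield (type, value) pairs; raise ValueError on broken framing."""
    if len(packet) < HEADER_LEN:
        raise ValueError("packet shorter than the RADIUS header")
    declared = struct.unpack("!H", packet[2:4])[0]
    if declared != len(packet):
        raise ValueError(f"Length field {declared} != {len(packet)} bytes received")
    pos = HEADER_LEN
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        # RFC 2865: Length counts the 2 header bytes, so it is never < 2;
        # a smaller value would make this loop spin or run off the buffer.
        if alen < 2 or pos + alen > len(packet):
            raise ValueError(f"attribute {atype} has invalid length {alen}")
        yield atype, packet[pos + 2:pos + alen]
        pos += alen


def is_well_formed(packet):
    """True when the packet frames cleanly (no length errors at all)."""
    try:
        list(parse_attributes(packet))
        return True
    except ValueError:
        return False


def check_packet(packet):
    """Return a list of problems for known fixed-size attributes; [] means clean."""
    problems = []
    for atype, value in parse_attributes(packet):
        if atype not in DICTIONARY:
            continue  # unknown attributes are passed through untouched
        name, dtype = DICTIONARY[atype]
        expected = FIXED_SIZES.get(dtype)
        if expected is not None and len(value) != expected:
            problems.append(f"{name} ({atype}) has {len(value)} value bytes, expected {expected}")
    return problems


def build_packet(code, ident, attrs):
    """Assemble a packet with a zeroed Authenticator (sufficient for framing tests)."""
    body = b"".join(bytes([t, 2 + len(v)]) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + bytes(16) + body


# Constructed samples: a correct 18-byte NAS-IPv6-Address, the 2-byte mangled
# form, and a packet whose attribute Length field is below the legal minimum.
GOOD = build_packet(1, 7, [(1, b"user@example.org"),
                           (95, ipaddress.IPv6Address("2001:db8::1").packed)])
MANGLED = build_packet(1, 7, [(1, b"user@example.org"), (95, b"")])
BAD_LENGTH = struct.pack("!BBH", 1, 7, HEADER_LEN + 2) + bytes(16) + bytes([95, 1])

if __name__ == "__main__":
    print("good:   ", check_packet(GOOD))          # []
    print("mangled:", check_packet(MANGLED))       # NAS-IPv6-Address length complaint
    print("framing:", is_well_formed(BAD_LENGTH))  # False
```

Running a check like this on a proxy's outbound packets gives an early, local warning for exactly the situation in the post: the far end drops the packet and the local server only sees what looks like a dead peer.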


Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread A . L . M . Buxey
Hi,

> We are getting an attribute error below in our debug log.
>   ERR: Attribute number 100 (vendor 20942) is not defined in your 
> dictionary

I've got a few such errors... would be nice to get these vendors added
to the dictionary file - I think some of the ones I see have already been
mentioned in the past (come up on mailing list history) eg

(sorted through uniq)

 Attribute number 12 (vendor 14823) is not defined in your dictionary 
 Attribute number 141 (vendor 2011) is not defined in your dictionary 
 Attribute number 1 (vendor 27262) is not defined in your dictionary 
 Attribute number 1 (vendor 6139) is not defined in your dictionary 
 Attribute number 2 (vendor 3385) is not defined in your dictionary 
 Attribute number 3 (vendor 3385) is not defined in your dictionary 
 Attribute number 3 (vendor 9967) is not defined in your dictionary 
 Attribute number 4 (vendor 2) is not defined in your dictionary 
 Attribute number 4 (vendor 3385) is not defined in your dictionary 
 Attribute number 5 (vendor 2) is not defined in your dictionary 
 Attribute number 5 (vendor 23735) is not defined in your dictionary 
 Attribute number 5 (vendor 3385) is not defined in your dictionary 
 Attribute number 6 (vendor 23735) is not defined in your dictionary 
 Attribute number 6 (vendor 26928) is not defined in your dictionary 

about 10% of logs filled with these...

alan


Re: [RADIATOR] Easy 802.1X

2013-08-13 Thread A . L . M . Buxey
Hi,

>We're working with HP MSM wireless controllers, which can do EAP-TLS,
>EAP-TTLS, EAP-PEAP, LEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC.
> 
>I'm looking for the easiest way to allow WPA to use a RADIUS-based
>username/password for a public-access network. So no client certificates
>or supplicant software, and supporting a wide range of client devices.
>Security is not a concern -- currently authentication is done through
>HTTP, and credentials are not personally identifying information. This is
>strictly about convenience, to avoid use of the HTML login.

firstly I hope you mean WPA2/AES and not just old WPA/TKIP.

secondly, yes, this is fairly easy - you just need your RADIUS server
to have a certificate signed by a root CA that is common in the OS
platform. The client will then, in most cases, be happy with the cert
and just ask the user for their username/password... which will then
be cached on the device for future auths to your system (and that could
be a problem more than anything else) - this will be with EAP-PEAP (PEAPv0)

obviously, without proper configuration 802.1X is open to abuse - ie someone
else could get a cert signed by that same CA and then spoof being one
of your APs and start harvesting credentials... as the clients, if
not set to trust only a particular CN provided, will open up EAP and
pass credentials through - whilst the common EAP is PEAP/MSCHAPv2, once
the EAP part is done (which it would be), you just collect the MSCHAPv2
challenge... send to a cloud cracker et voila... but as you said,
security isn't too much here - if you already have open wireless with
just http auth then that's true.

personally I think moving into this arena, EAP/802.1X is the way to go
for convenience (if you use EAP-TTLS then you would also be ready
to use hotspot2.0 for automatic association of mobile devices - particularly
if you have agreements etc with carriers).

alan


Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi,

> 1.)Radiator has to fix AuthRADSEC. The user has to choose to use
>extended-Ids in the Proxy-State Attribut if the upstream proxy
>will handle this. By default it should use 8 Bit Identifiers.
> 
> 2.)radsecproxy has to fix the self generated Access-Rejects.
>If a Proxy-State Attribut was present in the Access-Request, the
>generated Access-Reject must copy this attribut and send it back.

I agree with both points. both servers are doing something wrong..and
the interop causes issues. 

alan


Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi,

> 1272017248108...@wlan.mnc001.mcc262.3gppnetwork.org

3gppnetwork realms are invalid. ..just like hotmail, gmail, yahoo etc -
until a notice comes from eduroam stating that these realms now have agreed 
relationship, they are public realms and not within the private scheme of 
eduroam.


> RFC 5997, saying that Status-Server MUST NOT be proxied and therefore
> the Proxy-State attribut isn't allowed.

status-server mustn't be proxied... it's only for the first-hop check of
a remote proxy and not the end target - but that surely isn't the issue?
a Status-Server message is easy to deal with - you just send something back
to show you are alive - RADIATOR has been sending a basic stats page back
for status-server queries to it for years.

alan
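Both sides of a Status-Server probe, as an added example (not Radiator or radsecproxy code), covering the failure-detection question raised about the 4.11 Status-Server patches and the point above that a Status-Server is answered by the first hop and never proxied onward. Per RFC 5997 the probe is code 12 and must carry a Message-Authenticator (attribute 80, HMAC-MD5 keyed with the shared secret); the reply is an Access-Accept whose Response Authenticator the prober verifies. The function names, the Reply-Message text and the secrets are assumptions made here.

```python
"""Status-Server keepalive: both sides of the exchange, per RFC 5997.

Added example, not Radiator code. The client (a proxy checking its next hop)
sends code 12 (Status-Server) carrying a Message-Authenticator (attribute 80,
HMAC-MD5 keyed with the shared secret, computed with that attribute's value
zeroed). The first hop answers with an Access-Accept whose Response
Authenticator is MD5(Code + ID + Length + RequestAuth + Attributes + Secret);
Status-Server is never proxied further.
"""
import hashlib
import hmac
import os
import struct

STATUS_SERVER = 12
ACCESS_ACCEPT = 2
REPLY_MESSAGE = 18
MESSAGE_AUTHENTICATOR = 80
HEADER_LEN = 20


def _find_attr(pkt, wanted):
    """Return (offset of value, value) for the first attribute of type `wanted`, or None."""
    pos = HEADER_LEN
    while pos + 2 <= len(pkt):
        atype, alen = pkt[pos], pkt[pos + 1]
        if alen < 2 or pos + alen > len(pkt):
            return None  # malformed attribute list
        if atype == wanted:
            return pos + 2, pkt[pos + 2:pos + alen]
        pos += alen
    return None


def build_status_server(ident, secret, request_auth=None):
    """Client side. The Request Authenticator is random; the Message-Authenticator
    is the HMAC-MD5 of the whole packet with its own value set to 16 zero bytes."""
    request_auth = request_auth or os.urandom(16)
    attrs = bytes([MESSAGE_AUTHENTICATOR, 18]) + bytes(16)
    pkt = struct.pack("!BBH", STATUS_SERVER, ident, HEADER_LEN + len(attrs)) + request_auth + attrs
    mac = hmac.new(secret, pkt, hashlib.md5).digest()
    off = _find_attr(pkt, MESSAGE_AUTHENTICATOR)[0]
    return pkt[:off] + mac + pkt[off + 16:]


def verify_message_authenticator(pkt, secret):
    """Recompute the HMAC over the packet with the attribute value zeroed."""
    found = _find_attr(pkt, MESSAGE_AUTHENTICATOR)
    if found is None or len(found[1]) != 16:
        return False
    off, mac = found
    zeroed = pkt[:off] + bytes(16) + pkt[off + 16:]
    expected = hmac.new(secret, zeroed, hashlib.md5).digest()
    return hmac.compare_digest(expected, mac)


def answer_status_server(request, secret, reply_text=b"alive"):
    """Server side. A Status-Server whose Message-Authenticator does not verify
    is silently discarded (None), like an Access-Request with a bad secret;
    otherwise reply with an Access-Accept carrying a short Reply-Message."""
    if len(request) < HEADER_LEN or request[0] != STATUS_SERVER:
        return None
    if not verify_message_authenticator(request, secret):
        return None
    attrs = bytes([REPLY_MESSAGE, 2 + len(reply_text)]) + reply_text
    head = struct.pack("!BBH", ACCESS_ACCEPT, request[1], HEADER_LEN + len(attrs))
    resp_auth = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return head + resp_auth + attrs


def verify_response(request, response, secret):
    """Client side: the reply must echo our identifier and carry a Response
    Authenticator derived from our Request Authenticator and the shared secret."""
    if len(response) < HEADER_LEN or response[1] != request[1]:
        return False
    head, attrs = response[:4], response[HEADER_LEN:]
    expected = hashlib.md5(head + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def keepalive(secret, server_secret=None, ident=1):
    """One probe round trip; True only if the peer answered with a valid reply."""
    server_secret = server_secret if server_secret is not None else secret
    request = build_status_server(ident, secret)
    response = answer_status_server(request, server_secret)
    return response is not None and verify_response(request, response, secret)


if __name__ == "__main__":
    print("matching secret:  ", keepalive(b"testing123"))           # True
    print("mismatched secret:", keepalive(b"testing123", b"nope"))  # False
```

The mismatched-secret case is the one worth noticing operationally: a peer with the wrong secret never answers, so from the prober's side it is indistinguishable from a dead host, and KeepaliveTimeout-style logic will mark it down.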


Re: [RADIATOR] Tacacs password issue

2013-07-10 Thread A . L . M . Buxey
Hi,

>We have a strange password issue on radiator tacacs. We set up the password
>length to 8. When a user enters a 7 character password access is rejected, that is
>ok. But when a user enters more than 8 characters (like 9, 10 etc) he can
>login to the related device. What can be the problem?

if it's standard DES then anything beyond the 8th char is ignored.

alan


[RADIATOR] RADSEC error on Solaris

2013-07-08 Thread A . L . M . Buxey
hi,

Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to host2.domain.org:2083: Invalid argument
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to ipv6:host1.domain.org:2083: Invalid argument
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to host2.domain.org:2083: Invalid argument
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to host1.domain.org:2083: Invalid argument
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to ipv6:host1.domain.org:2083: Invalid argument
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe
Mon Jul  8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to host1.domain.org:2083: Invalid argument


this is on Solaris - the connections appear to be open after running but I'm
thinking not optimally..

does the server need more admin rights to access the socket option... or does
Solaris require different code (Invalid argument)

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,

> yep, found in Configurable.pm
> 
> >#
> ># Load a particular class module and construct and return an instance
> ># return undef if it didnt work
> >sub load
> >{
> >my ($file, $class, @args) = @_;
> >
> >my $ret;
> >return unless eval("require $class") && ($ret = $class->new($file, 
> > @args));
> >$ret->activate() unless $ret->isCheckingConfiguration();
> >return $ret;
> >}
> 
> The object does no longer get activated if we are in check config
> mode, and the WARNING comes from findAndUse() later on.

confirmed. adjusting to older format:

$ret->activate();

the server passes the '-c' check with this config again.  

so... what's the issue with having 'activate' in config checking mode? what does
this reversion expose us to? :-)

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,


2013-04-30 Configurable.pm
   Configuration file check no longer activates clauses which could cause spurious error messages.
   Requested by Garry Shtern.

?

could it just be that the configuration checker has a b0rkeness
as the server runs okay when NOT using '-c' ?

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,

> safeword.cfg fails here too but the reason is missing module. Also,
> there's no Identifier or Handler in my goodies/safeword.cfg, it uses
> Handler DEFAULT. Is that really goodies/safeword.cfg or something else?

the version that comes with 4.11 but running radiator 4.11 with patches


however, I've now updated the Linux box with the patches-4.11 and
it now fails too:

Sat Jul  6 14:43:05 2013: WARNING: Could not find AuthBy clause with Identifier myinternal
Sat Jul  6 14:43:05 2013: DEBUG: Finished reading configuration file '/tmp/test.cfg'

the previous patchfile I had installed was from January

-rw-r--r-- 1 root root 146903 Jan 14 13:28 patches-4.11.tar.gz

looking at that patchset,

# tar -tvf patches-4.11.tar.gz 
-rw-r--r-- mikem/users     219 2013-01-13 05:59:43 patches/PATCHFILES
-rw-r--r-- mikem/users   18990 2013-01-13 05:59:44 patches/index.html
-rw-r--r-- mikem/users    3322 2013-01-13 05:59:44 Radius/EAP_4.pm
-rw-r--r-- mikem/users  420251 2013-01-13 05:59:45 dictionary
-rw-r--r-- mikem/users   11774 2013-01-13 05:59:45 Radius/AuthACE.pm
-rw-r--r-- mikem/users   92825 2013-01-13 05:59:45 Radius/AuthGeneric.pm
-rw-r--r-- mikem/users   27026 2013-01-13 05:59:45 Radius/AuthSQL.pm
-rw-r--r-- mikem/users    8050 2013-01-13 05:59:45 goodies/sql.cfg
-rw-r--r-- mikem/users    4840 2013-01-13 05:59:45 Radius/AuthLogSYSLOG.pm
-rw-r--r-- mikem/users   48085 2013-01-13 05:59:45 Radius/AuthRADIUS.pm
-rw-r--r-- mikem/users   32279 2013-01-13 05:59:45 Radius/AuthRADSEC.pm
-rw-r--r-- mikem/users   25124 2013-01-13 05:59:45 Radius/TLS.pm

This is patch set $Revision: 1.1500 $


so, something since then appears to have made something interesting happen

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,

> > I just tried goodies/minimal.cfg with freshly installed Solaris 11.1,
> > September 2012. Perl is 5.12.4 that comes with the system. Radiator is
> > unpatched 4.11.
> 
> but in the goodies/simple.cfg is no 'Identifier' used.
> Please add an Identifier and try it again.

goodies/safeword.cfg

that fails in the same way (it's a naked Handler statement instead of a 
Realm statement - but still has an identifier that is not recognised)

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,

to confirm this via my own tests:

on Solaris:

Sat Jul  6 13:01:00 2013: WARNING: Could not find AuthBy clause with Identifier myinternal
Sat Jul  6 13:01:00 2013: DEBUG: Finished reading configuration file 'test.cfg'


on Linux:

Sat Jul  6 12:59:22 2013: DEBUG: Finished reading configuration file '/tmp/test.cfg'


curious.

alan



Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi,

> The next test on monday is a fresh, newer perl installation.
> What perl version do you have on solaris?

perl 5, version 12, subversion 2 (v5.12.2)

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread A . L . M . Buxey
Hi,

> there must be something wrong in your installation or even your config.

check the config doesn't have weird characters in it I guess... 'cat -v /tmp/radiator-config'

there were some changes as the move to 4.11 occurred to deal with the config strings
in better ways - 

alan


Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread A . L . M . Buxey
Hi,

> Sounds really fishy, just wondering if someone else sees the same problem.

no. have updated through 4.9, 4.10 and 4.11 by just getting the latest version, applying
patches and then 'make install' - that's on Solaris as on Linux.  the only thing that
I can think of is some required library isn't present and is causing issues in a weird
way - this shouldn't be the case... there are libraries you only need if doing certain
things - eg IPv6 or RADSEC 

alan


Re: [RADIATOR] AccountingTable Database Very big

2013-07-01 Thread A . L . M . Buxey
Hi,

> are you saying postgresql is really that much better with regards to 
> performance, and worth switching to?

really depends on what you are doing and how your database is structured. IMHO
the answer is yes..(or even YES!) in many use cases. of course, you may get the
speed benefits but it's a new thing to learn and people will need to get a little
reskilled (and you need the latest release to have native replication)

alan


Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-07-01 Thread A . L . M . Buxey
Hi,

> When you enable IPv6 for a service updating OS and Software is often
> required. Having minimum requirements for IPv6 the docs would help

depends on how old your OS/software is. given that I was running IPv6 services
on servers at the beginning of the last decade (IPv6 isn't something new... it's
been around longer than the average age of some mailing lists I'm on! ;-) )
I would HOPE that you wouldn't have to update any recently installed OS.
indeed, you shouldn't be running any OS that is older than around 5 years.. 8-)

alan



Re: [RADIATOR] AccountingTable Database Very big

2013-07-01 Thread A . L . M . Buxey
Hi,

> I use mysql database and my AccountingTable has more than 40 million records 
> per month. Does anyone here have any policy purge? I have an extract of CGI 
> access for my users and is very slow because the bank is getting too big. 
> Does anyone have any recommendation what I should do to have a page extract 
> access working well with a huge amount of data like this?

firstly use InnoDB rather than MyISAM (InnoDB has been in MySQL for ages now... no default
install should be without InnoDB support... and no tools should want to slap MyISAM tables
into the DB.. should be InnoDB by default)

secondly, edit the my.cnf to fully utilise your host... there are plenty of docs
for each InnoDB option... but.. like MyISAM... there are also quite a few tools that will
give you a fairly good start on the way down the path eg http://mysqltuner.com/

thirdly, look at what your tool is doing (in this case RADIATOR) with the DB to find
out if there are any local query bottlenecks eg use the EXPLAIN command to find out
what the queries are doing and where it cannot find quick answers. then look at adding
required INDEXes to the tables

finally, move from MySQL to PostgreSQL - psql doesn't have so many nasty locking events
on each row/column - MySQL will cause limits whenever an update/insert is occurring
(from experience, default install speed of psql is similar to that of MySQL after
you've spent some time optimising the MySQL environment! - and THEN you can tweak
psql even further )

alan


Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-06-27 Thread A . L . M . Buxey
Hi,

> Quick summary again, when using ipv6::: and bindv6only set to 0:
> * Both IPv4 and IPv6 traffic gets to Radiator
> * IPv6 works with everything I have tried
> * IPv4 clients will not match on the proper client stanza, only the DEFAULT 
> client stanza

I have the following:

BindAddress 0.0.0.0,IPV6:::

and on Linux systems I have to have this tweak to let the binding work correctly:

net.ipv6.bindv6only = 1

(in /etc/sysctl.conf)


alan


Re: [RADIATOR] EAP PEAP Authentication Failing

2013-06-25 Thread A . L . M . Buxey
Hi,
> 
> 
> I have EAPTLS_MaxFragmentSize set to 1400 bytes.  The Server should have
> the same firewall configuration as the other eight servers that are
> working.
> 
> Our server support staff think its a library that got corrupted while
> installing the Anti-Virus software and recommend that I delete and
> re-install RADIATOR first.

possible.. but more likely that the server firewall settings aren't
the same or the TCP/IP stack got blatted by its removal.

any chance of running it on a Linux box instead? ;-)

alan


Re: [RADIATOR] Accounting logs in mysql or oracle db

2013-06-19 Thread A . L . M . Buxey
Hi,

>   Can some one please help us to configure radiator to push Radius
>accounting logs into mysql or oracle databases ?
>some sample configs may help us.

have you read the ref.pdf RADIATOR reference guide from the OSC site?
if so, what configuration have you currently got so that we can see
where you're not on track ?

alan


Re: [RADIATOR] IPv6 Warning Message

2013-04-29 Thread A . L . M . Buxey
Hi,

>I'm seeing the following messages in my RADIATOR log files.
>Mon Apr 29 14:05:06 2013 223814: WARNING: Need Socket6 to handle IPV6
>addresses in inet_ntop

you need Socket6 for IPv6 and RADIATOR (though thats obvious from that message)

>I tried a "ppm install Socket6" and received a "ppm install failed: Can't
>find any package that provides IO:Socket6" Error.
>I suspect that I I've got something wrong in my config, or I need to
>upgrade my PERL installation.

the joys of PERL on Windows. not sure if StrawberryPERL isn't the way to go... however,
the PERL module you want is Socket6 - it lurks on UMEMOTO/Socket6-0.23.tar.gz 
according to CPAN - I just 'yum install perl-socket6' - but that's the joy of
RADIATOR on a Linux box where PERL is more friendly :-)

but the win6.jp guys arent too bad - http://win6.jp/ActivePerl/index.html

alan


Re: [RADIATOR] eduroam question

2013-04-29 Thread A . L . M . Buxey
Hi,

>Is there a way in RADIATOR I can log the IP address of the RADIUS server
>that originates a request through the eduroam hierarchy?

nope. all you can get/see is what is provided by the originating site. as you say,
you'll find lots of NAS-Identifiers and NAS-IP-Address etc but they'll all
be local things (RFC1918 addresses or local names for the APs or switches).
I'm not sure where the US is in terms of global policy and advice - you really
ought to be setting the Operator-Name attribute - you'll then have the realm/domain
the request came from.

alan


Re: [RADIATOR] Radiator TCP listening

2013-04-04 Thread A . L . M . Buxey
Hi,

>I can  put radiator in listening on a TCP port for a simple PAP
>authentication?

RADIUS - UDP

RADSEC - TCP


for a simple PAP test, just ensure you have the basic RADIUS port config on your server...
eg "AuthPort 1812" in your main config

alan


Re: [RADIATOR] 802.1x , EAP error

2013-03-30 Thread A . L . M . Buxey
Hi,

>If I'm trying to relay an 802.1x authentication to another proxy AAA
>server, can I just proxy without processing EAP request (to find the inner
>EAP request info?)

yes... eg 




Secret topsecret


Secret youllnever know





or just a plain

 wrapper


read proxy.cfg and proxyalgorithm.cfg in goodies

alan


Re: [RADIATOR] eduroam and radius servers

2013-03-27 Thread A . L . M . Buxey
Hi,

> I'm trying to understand the traffic flow between an eduroam user and their 
> home institution radius server. Ive been googling for a while but still dont 
> fully understand the flow between the user and the radius server. Please shed 
> some lights into my understanding:
> 
> 1. User enter the username and password  to access eduroam.
> 2. the credentials pass to the wireless access point and pass to the visitor 
> home institution radius server - On this step, the log on the radius server 
> shows 'Access-Request'
> 3. The visitor institution radius server then pass the credentials to the 
> user home radius server for authentication.
> 4. If the credentials are correct, then home radius server reply with an 
> Access-Accept code.
> 5. If the user enter the wrong credentials, then the home radius server 
> respond with either Access-Challenge or Access-Reject messages

there are sites and courses that explain this...but, basically,


EAPOL from AP, client sends an identity (outerID = so eg anonymous@realm); if @realm
isn't local, then the request will be forwarded to the national proxies... and onto the
home site. via a few more exchanges (of RADIUS cert/CA) an EAP tunnel is established between
the AP and the home RADIUS server - using the proxied route. the client's real username
(InnerID) eg 'username' is then passed through that tunnel... now, depending on mechanism
various things could happen... but if it's PEAP/MSCHAPv2, an MSCHAPv2 challenge response
is then passed through the EAP tunnel.  finally the Access-Accept packet (if all is okay)
is passed back to the AP - along with keying material for the local WPA2/AES etc cipher
mechanism, and other things can be added to this accept by the local RADIUS server
such as VLAN/bandwidth etc etc. 

the client NEVER needs to trust the visited site RADIUS server (so their home server can be
eg self-signed and trusted, and the visited site can have self-signed and trusted
by THEIR users); the credentials are never passed in such fashion to the AP or the visited
RADIUS server.

that's a quick/brief summary - and due to the brevity there's a few oversights and
vast assumptions

alan
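An added example (not Radiator code) of the routing decision a visited-site or national proxy makes from the outer identity described above, combined with two points from the July 2013 radsecproxy thread: public realms such as 3gppnetwork.org, hotmail, gmail or yahoo are rejected rather than forwarded, and a locally generated Access-Reject copies every Proxy-State attribute from the request back unchanged and in order (RFC 2865 requires this of proxies, which is why the missing copy broke interop there). The realm list, the sub-realm matching rule and the handling of a realm-less identity are assumptions made here; attributes are represented as (type, value) pairs rather than wire bytes.

```python
"""Routing decision for a federated (eduroam-style) RADIUS proxy.

Added example, not Radiator code. Only the outer identity (User-Name, e.g.
anonymous@realm) is used for routing: the inner identity and credentials stay
inside the EAP tunnel and never reach the visited site. Three outcomes:
  - realm is ours            -> handle locally
  - realm is a public realm  -> generate the Access-Reject at this hop
  - anything else            -> forward to the national proxy
A locally generated Access-Reject copies every Proxy-State attribute from the
request unchanged and in order (RFC 2865), or upstream proxies cannot match it.
"""
USER_NAME = 1
REPLY_MESSAGE = 18
PROXY_STATE = 33

# Constructed policy: realms the posts name as public / outside the federation.
PUBLIC_REALMS = ("hotmail.com", "gmail.com", "yahoo.com", "3gppnetwork.org")


def split_nai(identity):
    """Split an NAI into (user, realm); the realm is the part after the last '@'."""
    if "@" not in identity:
        return identity, None
    user, realm = identity.rsplit("@", 1)
    return user, (realm.lower() or None)


def realm_under(realm, parent):
    """True if realm equals parent or is a sub-realm of it.
    Assumption for this example: sub-realms route with their parent."""
    return realm == parent or realm.endswith("." + parent)


def local_reject(request_attrs, reason):
    """Attribute list for an Access-Reject generated at this hop: Proxy-State
    attributes first, in the order received, then a Reply-Message."""
    proxy_states = [(t, v) for t, v in request_attrs if t == PROXY_STATE]
    return proxy_states + [(REPLY_MESSAGE, reason)]


def route(request_attrs, local_realms, national_proxy):
    """request_attrs: list of (type, value bytes) in wire order.
    Returns ('local', realm), ('forward', national_proxy) or ('reject', reply_attrs)."""
    user_name = next((v for t, v in request_attrs if t == USER_NAME), b"")
    _, realm = split_nai(user_name.decode("utf-8", "replace"))
    if realm is None:
        # No realm cannot be routed anywhere; treating it as local is a policy
        # assumption made for this example.
        return "local", None
    if any(realm_under(realm, r) for r in local_realms):
        return "local", realm
    if any(realm_under(realm, p) for p in PUBLIC_REALMS):
        return "reject", local_reject(request_attrs, b"realm is not part of the federation")
    return "forward", national_proxy


if __name__ == "__main__":
    # Constructed request: outer identity plus two Proxy-State hops already added upstream.
    request = [(USER_NAME, b"x@wlan.mnc001.mcc262.3gppnetwork.org"),
               (PROXY_STATE, b"hop-a"), (PROXY_STATE, b"hop-b")]
    print(route(request, ["example.ac.uk"], "national-proxy.example"))
    # ('reject', [(33, b'hop-a'), (33, b'hop-b'), (18, b'realm is not part of the federation')])
```

Rejecting public realms at the first hop that recognises them keeps junk out of the national proxies' logs and, because the Proxy-State is echoed, the downstream proxies can still pair the reject with the request they forwarded.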


Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread A . L . M . Buxey
hi,

you have "AcctFailedLogFileName" in your config - that's not a valid keyword

alan


Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-25 Thread A . L . M . Buxey
Hi,

> We make use of quarantainenet (quarantainenet.com). When an abnormality is 
> detected, a host is isolated based on its MAC-address.

..in a way that is eduroam compliant. the isolation network allows them to remediate
their issues and prove/ask for 'allowance' back to the network? what about the language of
the isolation network - visitors who cannot speak English or Dutch are able to understand
what is going on? :-)

alan


Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-22 Thread A . L . M . Buxey
Hi,

> Question:
> How to set the vlan-attribute for external authenticated users?

AddToReply

> I only can stripoff and add reply-items for all external users but not for a 
> specific user depending on his MAC-address..

A Hook, specifically a PostAuthHook. fire off a PERL script in the PostAuth
that sets eg VLAN depending on the Calling-Station-Id of the client. the
authentication is happening remotely... but the person is local so this value
won't be accidentally missing.   but what purpose is this for? is this
something that eg the eduroam 'CUI' requirement is for?

hooks.txt in the goodies directory for the initial path to follow.

alan


Re: [RADIATOR] FW: userid:ntu.ac.uk - Question on dropping part of the username

2013-02-06 Thread A . L . M . Buxey
Hi,

>Hi, I am trying to pass a AD username to AD for authentication using
>AuthBy LSA. It works if the username is just username or username@realm as
>I have the UsernameMatchesWithoutRealm parameter in.
> 
> 
> 
>What isn't working is if the username is domain\username. Is there a way
>to strip off the domain\ portion before it gets passed to AD ?

can you overwrite what is passed through - eg use 'Domain' or 'DomainFormat' to change
what is actually sent? 

maybe it's easier for user education and documentation - (ie only let things work for the user
if they do things as documented rather than take all junk sent to you? )

alan


Re: [RADIATOR] Ideas on Radiator setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

2013-01-30 Thread A . L . M . Buxey
Hi,

> >From what I understood the choice between PEAP and EAP-TLS is mainly
> dependent on the compatibility with our current user/password store. If
> I got it correctly, it's mandatory to have passwords stored in cleartext
> to allow PEAP/MSCHAPv2 to work, which is not our case since we hash the
> passwords. Authenticating to Kerberos is also apparently not possible
> because we're not using digest!

shame

> Even if this setup worked I assume we would still need the user to
> reconfigure the supplicant every 90 days (we enforce a password change)
> which is kinda annoying for them.

you can send 'enter new password' requests during the PEAP auth phase... so they don't
need to reconfigure their supplicant.. just update the profile

> At this point EAP-TLS would be the way to go! A question arises tough:
> are the EAP-TLS certs generated specifically for the user or for the
> machine? The former would be preferred since we could then extract the
> username and proceed with an LDAP query, subsequently obtaining the
> aforementioned "gid" value to map the right switch port... but then, how
> would the user be provided her/his first cert on linux when logging in
> for the first time? Argh... this is not really a Radiator issue, I know :)

EAP-TLS opens the can of worms that is PKI and full PKI management. you probably
also don't want them to be able to just download their cert and slap it onto anything..
or give it to someone else. using some guest network (cisco switches, for example,
give you an 802.1X fail or guest VLAN option...) the guest vlan could be a walled
garden giving them access to the required boot-strap/setup environment

alan


Re: [RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

2013-01-28 Thread A . L . M . Buxey
Hi,

> With our current RADIUS configuration (which includes some custom hooks
> with database calls) it seems that even on a 16-core box we start to have
> RADIUS timeout issues when we push above 100 total requests per second
> when running a single instance of RADIATOR.

are you using the Farm method?  one parent with multiple children?  are you
running in a high debug level?  wonder why you are stuck at such a low
performance level

alan


Re: [RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

2013-01-28 Thread A . L . M . Buxey
Hi,

>Is there a way to pass the "Client-Identifier" to another RADIATOR process
>? Perhaps as an RADIUS Attribute ?

create your own private RADIUS attribute... add it to the dictionary files... then
set that attribute to the value you want using AddToRequest. 

alan


Re: [RADIATOR] Radiator monitor port

2013-01-03 Thread A . L . M . Buxey
Hi,

>i use this configuration
> 
>
>ROCommunity RaD1us
>Port %{GlobalVar:snmp_port}
>
> 
>and in the init.d script i add snmp_port=9071

you aren't clear if this now works for you...

what does simply adding

Port 9071 

into the  section give you?

have you installed the required SNMP_Session PERL module?

alan