[RADIATOR] RejectReason Problem with AuthHANDLER

2010-06-28 Thread Alexander Hartmaier
Hi,

Radiator doesn't send the RejectReason when using AuthHANDLER but instead the 
hardcoded return string from AuthHANDLER.pm.

This is an excerpt of my config:


AuthByPolicyContinueUntilIgnore

# Show any rejection reason to the end user
RejectHasReason


AuthAttrDef memberof,GENERIC,request

# this populates Request:X-Identifier
PostSearchHook file:"%D/ldap_authselect_by_group.pl"



HandlerId %{Request:X-Identifier}





Identifier reject

# Show any rejection reason to the end user
RejectHasReason


AuthResult REJECT
RejectReason User isn't member of an OTP ldap group, rejecting



This is the level 4 log where the issue can be seen:

Mon Jun 28 08:20:06 2010: DEBUG: Handling with AuthINTERNAL:
Mon Jun 28 08:20:06 2010: DEBUG: AuthBy INTERNAL result: REJECT, User isn't 
member of an OTP ldap group, rejecting
Mon Jun 28 08:20:06 2010: DEBUG: AuthBy HANDLER result: REJECT, redirected by 
AuthHANDLER
Mon Jun 28 08:20:06 2010: INFO: Access rejected for test: redirected by 
AuthHANDLER
Mon Jun 28 08:20:06 2010: DEBUG: Packet dump:
*** Sending to 1.2.3.4 port 1025 
Code:   Access-Reject
Identifier: 1
Authentic:  <24>?N<127><151><193><229>Q<148><174>B!<1>^<233>*
Attributes:
Reply-Message = "redirected by AuthHANDLER"




--
Best regards, Alex





*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] RejectReason Problem with AuthHANDLER

2010-06-30 Thread Alexander Hartmaier
Hi Hugh,

I can confirm that the latest patchset fixes the problem.

Thanks for the quick-as-usual fix!

-- 
Best regards, Alex


On Tuesday, 29.06.2010, 05:47 +0200, Hugh Irvine wrote:
> Hello Alex -
> 
> Thanks for letting us know about this.
> 
> Should be fixed in the latest Radiator 4.6 patches.
> 
> regards
> 
> Hugh
> 
> 
> On 28 Jun 2010, at 18:35, Alexander Hartmaier wrote:
> 
> 
> 
> 
> NB: 
> 
> Have you read the reference manual ("doc/ref.html")?
> Have you searched the mailing list archive 
> (www.open.com.au/archives/radiator)?
> Have you had a quick look on Google (www.google.com)?
> Have you included a copy of your configuration file (no secrets), 
> together with a trace 4 debug showing what is happening?
> 



[RADIATOR] weird AuthBy Radius problem

2010-06-30 Thread Alexander Hartmaier
Hi,

I've been fighting a Radiator problem since today where Radiator sends the tacacs+ 
reply to the client 20 seconds after receiving a radius reply from another 
Radiator server.

That's our config:


Key foo
Port 49
AuthorizationTimeout 600
IdleTimeout 600

# Group attribute
GroupMemberAttr Class

PreHandlerHook file:"%D/tacacs_client_identifier.pl"

AuthorizeGroup bar  permit .*



Identifier tsa_radius

Host radius1.our-fqdn.org
Host radius2.our-fqdn.org
Secret radius-secret
AuthPort 1645
#AcctPort 1646
NoForwardAccounting
Retries 0
RetryTimeout 3



AuthByPolicy ContinueUntilAccept
# don't use a session database
SessionDatabase none

# no accounting should match that Handler


Filename %D/user_db/users.tacacs


AuthBy tsa_radius


Identifier tacacs_login
Filename %L/tacacs-login.authlog

SuccessFormat %l:%C:%U::OK
FailureFormat %l:%C:%U::FAIL

LogSuccess 1
LogFailure 1



# accounting

# don't use a session database
SessionDatabase none

# save accounting to file
AcctLogFileName %L/accounting/%c/%Y/%m/%Y-%m-%d-%c.log

# TBD
# AcctLogFileFormat %{Timestamp} %{User-Name}


The hook tacacs_client_identifier puts the tacacs client identifier in the 
OSC-Client-Identifier radius attribute for later use (from goodies).

This is a trace 4 log showing the problem:

Wed Jun 30 17:13:43 2010: DEBUG: New TacacsplusConnection created for 
172.16.1.1:49092
Wed Jun 30 17:13:43 2010: DEBUG: TacacsplusConnection request 192, 1, 1, 0, 
160897109, 33
Wed Jun 30 17:13:43 2010: DEBUG: TacacsplusConnection Authentication START 1, 
1, 1 for username, 593920, 192.168.1.1
Wed Jun 30 17:13:43 2010: DEBUG: TacacsplusConnection Authentication REPLY 5, 
1, Password: ,
Wed Jun 30 17:13:43 2010: DEBUG: TacacsplusConnection request 192, 1, 3, 0, 
160897109, 14
Wed Jun 30 17:13:43 2010: DEBUG: TacacsplusConnection Authentication CONTINUE 
0, **obscured**,
Wed Jun 30 17:13:43 2010: DEBUG: TACACSPLUS derived Radius request packet dump:
Code:   Access-Request
Identifier: UNDEF
Authentic:  
<202><192><17><134><158>A<163><229><154><225><234><1><171><169><211><29>
Attributes:
NAS-IP-Address = 172.16.1.1
NAS-Port-Id = "593920"
Calling-Station-Id = "192.168.1.1"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "username"
User-Password = **obscured**
OSC-Version-Identifier = "192"

Wed Jun 30 17:13:43 2010: DEBUG: Hook tacacs_client_identifier called
Wed Jun 30 17:13:43 2010: DEBUG: Hook tacacs_client_identifier searching for 
client <172.16.1.1>
Wed Jun 30 17:13:43 2010: DEBUG: Hook tacacs_client_identifier got client ident 

Wed Jun 30 17:13:43 2010: DEBUG: Handling request with Handler 
'OSC-Client-Identifier=tacacs_clients, Service-Type=Login-User', Identifier ''
Wed Jun 30 17:13:43 2010: DEBUG:  Deleting session for username, 172.16.1.1,
Wed Jun 30 17:13:43 2010: DEBUG: Handling with Radius::AuthFILE:
Wed Jun 30 17:13:43 2010: DEBUG: Radius::AuthFILE looks for match with username 
[username]
Wed Jun 30 17:13:43 2010: DEBUG: Radius::AuthFILE REJECT: No such user: 
username [username]
Wed Jun 30 17:13:43 2010: DEBUG: AuthBy FILE result: REJECT, No such user
Wed Jun 30 17:13:43 2010: DEBUG: Handling with Radius::AuthRADIUS
Wed Jun 30 17:13:43 2010: DEBUG: Packet dump:
*** Sending to 192.168.2.1 port 1645 
Code:   Access-Request
Identifier: 3
Authentic:  
<202><192><17><134><158>A<163><229><154><225><234><1><171><169><211><29>
Attributes:
NAS-IP-Address = 172.16.1.1
NAS-Port-Id = "593920"
Calling-Station-Id = "192.168.1.1"
Service-Type = Login-User
NAS-Identifier = "TACACS"
User-Name = "username"
User-Password = 8<181><210><234>cJ0<226><141><169><240><28>\<252><135><210>
OSC-Version-Identifier = "192"
OSC-Client-Identifier = "tacacs_clients"

Wed Jun 30 17:13:43 2010: DEBUG: AuthBy RADIUS result: IGNORE,
Wed Jun 30 17:13:43 2010: DEBUG: Received reply in AuthRADIUS for req 3 from 
192.168.2.1:1645
Wed Jun 30 17:13:43 2010: DEBUG: Packet dump:
*** Received from 192.168.2.1 port 1645 
Code:   Access-Accept
Identifier: 3
Authentic:  <247><184><242><205><231>U<177>F<167>6O)a<165>'<222>
Attributes:
Class = "bar"

Wed Jun 30 17:13:43 2010: DEBUG: Access accepted for username

### here is the 20 second delay ###

Wed Jun 30 17:14:03 2010: DEBUG: Packet dump:
*** Reply to TACACSPLUS request:
Code:   Access-Accept
Identifier: UNDEF
Authentic:  
<202><192><17><134><158>A<163><229><154><225><234><1><171><169><211><29>
Attributes:
Class = "bar"

Wed Jun 30 17:14:03 2010: DEBUG: TacacsplusConnection result Access-Accept
Wed Jun 30 17:14:03 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 
0, ,
Wed Jun 30 17:14:03 2010: DEBUG: TacacsplusConnection disconnected from 
172.16.1.1:49092




--
Best regards, Alex






Re: [RADIATOR] weird AuthBy Radius problem

2010-07-01 Thread Alexander Hartmaier
Hi Hugh,

thanks for your hint, you were totally right!
The DNS reverse lookup caused by the %C used for the AuthLog file does take
that much time on one of our bind DNS servers; we're investigating now
why.

I've replaced it with %c and the problem is gone.

Maybe the radiator internals should be changed so logging happens after
sending the reply to the client?

That's again a case where the blocking nature of radiator causes severe
problems...

-- 
Best regards, Alex


On Thursday, 01.07.2010, 07:33 +0200, Hugh Irvine wrote:
> Hello Alex -
> 
> I have not been able to reproduce this problem here.
> 
> The only thing I can think of is some DNS lookup (or similar) that is taking 
> a long time.
> 
> Is there any more information you can provide?
> 
> regards
> 
> Hugh
> 
> 
> On 1 Jul 2010, at 01:28, Alexander Hartmaier wrote:
> 

Re: [RADIATOR] Installation on OpenWRT

2010-08-19 Thread Alexander Hartmaier
Hi,

Radiator is written in Perl, so check line 14 of Makefile.PL and figure
out what's going wrong.
Maybe some of your Perl modules are too old.
32MB of memory is really not much!
Radiator takes 28MB on our prod server which isn't really a lot for a
Perl app.

--
Best regards, Alex


On Thursday, 19.08.2010, 17:16 +0200, Andrea Coppini (AIR Networks) wrote:
> Hi,
>
> I'm trying to install Radiator on an OpenWRT OS (www.openwrt.org).  I have
> 256Mb of disk and 32Mb of RAM allocated to OpenWRT, which should be plenty.
>
> I have installed all the Perl and Perlbase modules successfully, and
> unzipped Radiator-Locked-4.7 to the root.  I'm logged in as root, no
> password (this is a test system).
>
> When I run 'perl Makefile.PL', I get the following error:
> 
> ExtUtils/Install.pm did not return a true value at Makefile.PL line 14.
> BEGIN failed--compilation aborted at Makefile.PL line 14.
> 
> Any ideas what this might be? And how I could fix it?
>
>
> Regards
> Andrea
>
>




[RADIATOR] incorrect doc in 5.7.2 GetClientQuery?

2010-09-07 Thread Alexander Hartmaier
The 4.7 ref manual says on page 46:

A comma-separated list of flag names as field 25

But the code says:
    $client->set('ClientHook', $self->file_substitution($row[25]))
        if defined $row[25]; # Make sure it gets compiled

and:

    # Contributed by "Tony B" 
    # Last row can be a comma separated list of flag names
    map $client->{$_}++, split(/,/, $row[25]);

Is the 25th field the ClientHook or something else?
What are those 'flags' for?

--
Alexander Hartmaier 
T-Systems Austria GesmbH





Re: [RADIATOR] incorrect doc in 5.7.2 GetClientQuery?

2010-09-07 Thread Alexander Hartmaier
Thanks Hugh!

-- 
Best regards, Alex


On Tuesday, 07.09.2010, 15:30 +0200, Hugh Irvine wrote:
> Hello Alex -
> 
> Thanks - we'll check this for the next release.
> 
> regards
> 
> Hugh
> 
> 
> On 7 Sep 2010, at 03:56, Alexander Hartmaier wrote:
> 



Re: [RADIATOR] Multiple radiator instances on single server?

2010-10-08 Thread Alexander Hartmaier
We've written our own init scripts because the one installed by the rpm
stops all radiusd processes and not just the one you want.
Last week we were bugged by this because the rpm also overwrites the
init script without creating a .rpmsave file.

@Hugh: if you want to improve both the rpm spec file and the init script
I can mail you our files.

--
Regards, Alex


On Thursday, 07.10.2010, 16:42 +0200, Gregory Fuller wrote:
> I'd like to go through and separate out my authentication, accounting,
> and tacacsplus radiator configurations each into its own separate
> radiator instance on the same server.  One radiator process would run
> just the radius authentication, one process for radius accounting, and
> one process for all tacacsplus auth/accounting.  I'm running Radiator
> 4.5 under CentOS 5.4.
>
> I know I can start another process from the command line and pass my
> different config files into it without any problems.  Within the
> config files I have separated out the different parts of the config
> for each operation and made sure only the port #'s I want to listen on
> are listed in the configs.
>
> How are most places handling the running of multiple radiator
> instances on the same server using the standard RedHat/CentOS
> "services" functionality?  Did you copy and rename /etc/init.d/radiator
> for each one of the services and modify each service script to load
> different config files on startup?
>
> Just trying to figure out the best way to manage this.  I'd like to be
> able to do something like the following:
>
> For radius authentication:    service radiator start
> For radius accounting:        service radiator-acct start
> For tacacs auth/accounting:   service radiator-tacacs start
>
> Any sample RedHat/CentOS service config files for doing this would be
> appreciated also.  Thanks!
>
> --greg
>
>
> Gregory A. Fuller - CCNA
> Network Manager
> State University of New York at Oswego
> Phone: (315) 312-5750
> http://www.oswego.edu/~gfuller




Re: [RADIATOR] Mapping AD groups to TACAS+ groups

2010-10-08 Thread Alexander Hartmaier
We have the same need and I've written some hooks that do what you want.
We have multiple radiator instances proxying tacacs+ requests to our central 
instance with radius.
We use the OSC-Group-Identifier radius attribute for the tacacsgroup on the 
outer instances and build the ldap dn from it on the central instance and store 
it in an attribute not contained in the dictionary called 
OSC-Group-Identifier-LDAP.

Put this in your Handler which contains the AuthBy LDAP2:

PreAuthHook file:"%D/create-osc-group-identifier-ldap.pl"

This in your AuthBy LDAP2 section:
AuthAttrDef memberOf,OSC-Group-Identifier-LDAP,check

Create a file in your radiator directory called 
create-osc-group-identifier-ldap.pl with the following contents:

# transforms the OSC-Group-Identifier to the ldap format and stores it in
# another attribute
sub {
    my $p = ${$_[0]};

    my $group;

    if ($group = $p->get_attr('OSC-Group-Identifier')) {
        # that's the current ldap groupname:
        # CN=SUPPORT_OUR.GROUP.NAME,OU=_Groups,DC=our,DC=company,DC=at
        $group = "CN=SUPPORT_$group,OU=_Groups,DC=our,DC=company,DC=at";

        &main::log($main::LOG_DEBUG, "OSC-Group-Identifier-LDAP = $group");

        $p->change_attr('OSC-Group-Identifier-LDAP', $group);
    }

    return;
}

You can verify that the hook is ok by running perl -c $filename.

HTH



--
Regards, Alex




On Tuesday, 28.09.2010, 02:00 +0200, Hugh Irvine wrote:


Hello Waldemar -

If you already know the group from the SearchFilter query, you can just use an 
AddToReply like this:


###

Identifier ASA-Admin

Host w3kvm.adtest.corporate.net
HoldServerConnection

AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
AuthPassword X
BaseDN  dc=adtest,dc=corporate,dc=net
ServerChecksPassword
UsernameAttr sAMAccountName

SearchFilter 
(&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))

AddToReply tacacsgroup = ASAADMINS

Debug 255

###



regards

Hugh


On 27 Sep 2010, at 18:40, w.sieb...@t-systems.com wrote:

> Hello,
>
> I am trying to implement the mapping of AD groups to TACACS+ groups.
>
> With AuthAttrDef memberOf,tacacsgroup,reply the complete LDAP string is 
> delivered:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> My question: is it possible to strip all the unnecessary parts so that only 
> "ASAADMINS" is delivered to tacacsgroup?
>
> I read the manual and mailing list diligently, but was none the wiser.
>
> Thanks for your help
>
>
>
> Here an extract of my config:
> ###
> 
> Identifier ASA-Admin
>
> Host w3kvm.adtest.corporate.net
> HoldServerConnection
>
> AuthDN cn=radiator,cn=Users,dc=adtest,dc=corporate,dc=net
> AuthPassword X
> BaseDN  dc=adtest,dc=corporate,dc=net
> ServerChecksPassword
> UsernameAttr sAMAccountName
>
> SearchFilter 
> (&(%0=%1)(memberOf=CN=ASAADMINS,DC=adtest,DC=corporate,DC=net))
>
> AuthAttrDef memberOf,tacacsgroup,reply
>
> Debug 255
> 
> ###
> 
>  GroupMemberAttr tacacsgroup
>
> AuthorizeGroup ASAADMINS permit service=shell cmd=show 
> cmd-arg=.*
> AuthorizeGroup group1 deny .*
> .
> 
> ###
>
> Here an extract of my Log:
>
>
> Sun Sep 26 19:27:09 2010: DEBUG: AuthBy LDAP2 result: ACCEPT,
> Sun Sep 26 19:27:09 2010: DEBUG: Access accepted for aduser01
> Sun Sep 26 19:27:09 2010: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:   Access-Accept
> Identifier: UNDEF
> Authentic:  ,|C<229><152><134><142>p? U<154>qSk<191>
> Attributes:
> tacacsgroup = CN=ASAADMINS,DC=adtest,DC=corporate,DC=net
>
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection result Access-Accept
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection Authentication REPLY 1, 
> 0, ,
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsplusConnection request 193, 2, 2, 0, 
> 1234, 79
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request packet dump: 
> c102020004d2004f0e63dedad6576899fad69068509e9bc4dd7fe3edaab83f773ddf0d4679cdadcbca8cd54899138d3cf493fc776e476146108586b5ff3052adcca129fb3fc2b59ca16a8ef718f1f2753f2c136795f90b
> Sun Sep 26 19:27:09 2010: DEBUG: Decrypting TacacsPlus request
> Sun Sep 26 19:27:09 2010: DEBUG: TacacsPlus request decrypted body: 
> 0600020015030a030d080d61647573657230314061646d696e732e7265616c6d31323374657374636c69656e74736572766963653d7368
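
Waldemar's question above (handing only "ASAADMINS" to tacacsgroup instead of the whole DN) is the reverse of Alex's hook, which builds a DN from the group name. The stand-alone Perl script below is an added example, neither Alex's code nor part of Radiator: it does that reverse mapping as a PostAuthHook with an allow-list, so only known group names ever reach the NAS, and it generalizes the single-DN case on the page to multi-valued memberOf and RFC 4514 escapes. The PostAuthHook argument order, the allow-list names, the MockPacket stand-in and the Radiator globals it defines for the offline run are assumptions.

```perl
#!/usr/bin/perl
# Added example, not code from the list posts or from Radiator. Maps the LDAP
# group DN that "AuthAttrDef memberOf,tacacsgroup,reply" places in the reply
# (e.g. CN=ASAADMINS,DC=adtest,DC=corporate,DC=net) to the short name
# "ASAADMINS" that GroupMemberAttr/AuthorizeGroup expect, and turns the result
# into a REJECT when none of the user's groups is allow-listed, so an unexpected
# memberOf value can never reach the NAS as a TACACS+ group.
use strict;
use warnings;

# Group names that may be handed to the NAS as tacacsgroup (assumed names).
my %ALLOWED_GROUPS = map { $_ => 1 } qw(ASAADMINS NETOPS);

# CN value of the first RDN of an RFC 4514 DN, or undef when the DN does not
# start with CN=. Undoes "\," and "\2c" style escapes in a single pass.
sub cn_from_dn {
    my ($dn) = @_;
    return undef unless defined $dn;
    return undef unless $dn =~ /^\s*cn\s*=\s*((?:\\.|[^,\\])*)/i;
    my $value = $1;
    $value =~ s/\\([0-9a-fA-F]{2}|.)/length($1) == 2 ? chr(hex($1)) : $1/ge;
    $value =~ s/\s+$//;
    return $value;
}

# First allow-listed group among the given memberOf DNs (upper-cased), else undef.
sub tacacs_group_from_member_of {
    my (@dns) = @_;
    for my $dn (@dns) {
        my $cn = cn_from_dn($dn);
        return uc $cn if defined $cn && $ALLOWED_GROUPS{ uc $cn };
    }
    return undef;
}

# PostAuthHook for the Handler that holds the AuthBy LDAP2. Radiator passes
# references to the request, the reply and the result code (argument order
# assumed here; check PostAuthHook in doc/ref.html for your version). In a
# real hook file this anonymous sub is the only thing in the file.
my $post_auth_hook = sub {
    my ($p_ref, $rp_ref, $result_ref) = @_;
    my ($p, $rp) = ($$p_ref, $$rp_ref);
    return unless $$result_ref == $main::ACCEPT;   # nothing to map on a reject
    my @dns   = $rp->get_attr('tacacsgroup');      # list context: all values
    my $group = tacacs_group_from_member_of(@dns);
    $rp->delete_attr('tacacsgroup');               # never send raw DNs to the NAS
    if (defined $group) {
        $rp->change_attr('tacacsgroup', $group);
        &main::log($main::LOG_DEBUG, "tacacsgroup mapped to $group");
    } else {
        &main::log($main::LOG_INFO, 'no allow-listed group for '
                   . $p->get_attr('User-Name') . ', rejecting');
        $$result_ref = $main::REJECT;
    }
    return;
};

# ---- stand-alone self-test with constructed data; not part of the hook ----
package MockPacket;   # stand-in for Radius::Packet with only the methods used above
sub new { my ($class, @pairs) = @_; return bless { attrs => [@pairs] }, $class; }
sub get_attr {
    my ($self, $name) = @_;
    my @vals = map { $_->[1] } grep { $_->[0] eq $name } @{ $self->{attrs} };
    return wantarray ? @vals : $vals[0];
}
sub delete_attr {
    my ($self, $name) = @_;
    @{ $self->{attrs} } = grep { $_->[0] ne $name } @{ $self->{attrs} };
}
sub change_attr {
    my ($self, $name, $val) = @_;
    $self->delete_attr($name);
    push @{ $self->{attrs} }, [ $name, $val ];
}
package main;

# Radiator globals, defined here only so the script runs outside radiusd.
$main::ACCEPT //= 0;   $main::REJECT    //= 1;
$main::LOG_INFO //= 3; $main::LOG_DEBUG //= 4;
*main::log = sub { print STDERR "LOG $_[0]: $_[1]\n" } unless defined &main::log;

my $p = MockPacket->new([ 'User-Name' => 'aduser01' ]);
# Case 1: two groups, only the second is allow-listed.
my $rp = MockPacket->new(
    [ tacacsgroup => 'CN=Domain Users,CN=Users,DC=adtest,DC=corporate,DC=net' ],
    [ tacacsgroup => 'CN=ASAADMINS,DC=adtest,DC=corporate,DC=net' ],
);
my $result = $main::ACCEPT;
$post_auth_hook->(\$p, \$rp, \$result);
my @out = $rp->get_attr('tacacsgroup');
die "case 1 failed" unless $result == $main::ACCEPT && "@out" eq 'ASAADMINS';
# Case 2: no allow-listed group: reply attribute stripped, result becomes REJECT.
$rp = MockPacket->new([ tacacsgroup => 'CN=Guests,DC=adtest,DC=corporate,DC=net' ]);
$result = $main::ACCEPT;
$post_auth_hook->(\$p, \$rp, \$result);
die "case 2 failed" unless $result == $main::REJECT && !defined $rp->get_attr('tacacsgroup');
# Case 3: an escaped comma inside the CN is decoded, not split on.
die "case 3 failed" unless cn_from_dn('CN=Ops\, Team\2c EU,DC=x') eq 'Ops, Team, EU';
print "all cases ok\n";
```

Run it with perl to exercise the three cases; to deploy, copy only the anonymous sub into a hook file and reference it with PostAuthHook in the Handler, as Alex does with PreAuthHook above.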

Re: [RADIATOR] refresh time on clientlistsql

2010-10-08 Thread Alexander Hartmaier
Hi Hugh,

we started to use the ClientListSQL feature too but get an Oracle SQL
timeout error in the logs whenever Radiator tries to refresh the list;
it works on startup.

Any idea why and how we can debug this?

--
Best regards, Alex


On Wednesday, 22.09.2010, 00:25 +0200, Hugh Irvine wrote:
> Hello Alex -
>
> See section 5.7.3 in the Radiator 4.7 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 22 Sep 2010, at 05:01, Martin Burton wrote:
>
> > Hi Alex,
> >
> > You need to make sure that RefreshPeriod is set in your config file.  It
> > defaults to 0, which means the SQL query is performed only upon radiusd
> > start or when it's sent a SIGHUP.
> >
> > 
> > .
> > .
> > .
> > RefreshPeriod 300
> > .
> > .
> > .
> > 
> >
> > would cause the DB to be requeried every 5 minutes, for example.
> >
> > Hope that helps.
> >
> > Cheers,
> >
> > Martin.
> >
> > On 21/09/2010 19:41, Alex Sharaz wrote:
> >> Hi all,
> >>
> >> I've got a cluster of radius servers all configured to read NAS clients 
> >> from a db2 database. I thought that radiator was supposed to periodically 
> >> refresh its internal list of clients by rereading the database.
> >>
> >> Yesterday morning I added a number of clients to the database. By 16:00 
> >> today the radius servers still hadn't picked up the new clients.  A 
> >> reload caused radiator to reread the client list but it would have been 
> >> nice to have radiator pick up the new clients automagically.
> >>
> >> Anyone else seen problems with refreshing client lists?
> >>
> >> Rgds
> >> Alex
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >>
> >
> > --
> > Martin Burton
> > Senior Systems Administrator   \\\|||///
> > Special Projects Team \\  ^ ^  //
> > Wellcome Trust Sanger Institute(  6 6  )
> > -oOOo-(_)-oOOo---
> >
> >
>
>
>




Re: [RADIATOR] refresh time on clientlistsql

2010-10-11 Thread Alexander Hartmaier
Hi Mike,

4.7 rpm, without patches.

-- 
Best regards, Alex


On Saturday, 09.10.2010, 00:20 +0200, Mike McCauley wrote:
> Hello Alexander,
> 
> A recent patch caused a problem that probably would have affected timeouts in 
> ClientListSQL . A more recent patch has fixed that. What patch level are you 
> at?
> 
> Cheers.
> 
> On Saturday 09 October 2010 03:24:09 am Alexander Hartmaier wrote:
> > Hi Hugh,
> >
> > we started to use the ClientListSQL feature too but get an Oracle SQL
> > timeout error in the logs whenever Radiator tries to refresh the list,
> > works on startup.
> >
> > Any idea why and how we can debug this?
> >
> > --
> > Best regards, Alex
> >
> > Am Mittwoch, den 22.09.2010, 00:25 +0200 schrieb Hugh Irvine:
> > > Hello Alex -
> > >
> > > See section 5.7.3 in the Radiator 4.7 reference manual ("doc/ref.pdf").
> > >
> > > regards
> > >
> > > Hugh
> > >
> > > On 22 Sep 2010, at 05:01, Martin Burton wrote:
> > > > Hi Alex,
> > > >
> > > > You need to make sure that RefreshPeriod is set in your config file. 
> > > > It defaults to 0, which means the SQL query is performed only upon
> > > > radiusd start or when it's sent a SIGHUP.
> > > >
> > > > 
> > > > .
> > > > .
> > > > .
> > > > RefreshPeriod 300
> > > > .
> > > > .
> > > > .
> > > > 
> > > >
> > > > would cause the the DB to be requeried every 5 minutes for example.
> > > >
> > > > Hope that helps.
> > > >
> > > > Cheers,
> > > >
> > > > Martin.
> > > >
> > > > On 21/09/2010 19:41, Alex Sharaz wrote:
> > > >> Hi all,
> > > >>
> > > >> I've got a cluster of radius servers all configured to read NAS
> > > >> clients from a db2 database. I thought that radiator was supposed to
> > > >> periodically refresh its internal list of clients by rereading the
> > > >> database.
> > > >>
> > > >> Yesterday morning I dded a number of clients to the database. by 16:00
> > > >> today  the radius servers still hadn't picked up the new clients.  A
> > > >> reload caused radiator to reread the client list but it would have
> > > >> been nice to have radiator pic up the new clients automagically.
> > > >>
> > > >> Anyone else seen problems with refreshing client lists?
> > > >>
> > > >> Rgds
> > > >> Alex
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >>
> > > >> Checked by  Hu-fw-yhman
> > > >>
> > > >>
> > > >>
> > > >> ___
> > > >> radiator mailing list
> > > >> radiator@open.com.au
> > > >> http://www.open.com.au/mailman/listinfo/radiator
> > > >
> > > > --
> > > > Martin Burton
> > > > Senior Systems Administrator   \\\|||///
> > > > Special Projects Team \\  ^ ^  //
> > > > Wellcome Trust Sanger Institute(  6 6  )
> > > > -oOOo-(_)-oOOo---
> > > >
> > > >
> > > > ___
> > > > radiator mailing list
> > > > radiator@open.com.au
> > > > http://www.open.com.au/mailman/listinfo/radiator
> > >
> > > NB:
> > >
> > > Have you read the reference manual ("doc/ref.html")?
> > > Have you searched the mailing list archive
> > > (www.open.com.au/archives/radiator)? Have you had a quick look on Google
> > > (www.google.com)?
> > > Have you included a copy of your configuration file (no secrets),
> > > together with a trace 4 debug showing what is happening?
> >
> 
> 
> 
> -- 
> Mike McCauley   mi...@open.com.au
> Open System Consultants Pty. Ltd
> 9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
> Phone +61 7 5598-7474   Fax   +61 7 5598-7070
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.



Re: [RADIATOR] refresh time on clientlistsql

2010-10-14 Thread Alexander Hartmaier
Hi Mike,

the config section


DBSourcedbi:Oracle:NAC
DBUsername  foo
DBAuth  bar

ConnectionHook  sub { \
$_[1]->do("ALTER SESSION SET NLS_DATE_FORMAT = '-MM-DD HH24:MI:SS'"); \
$_[1]->do("ALTER SESSION SET CURRENT_SCHEMA  = nacadm"); \
}

# store the supportgroup from the CMDB in the OSC-Group-Identifier attribute
GetClientQuery SELECT device.ipaddr, 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5

# Reread the client list every hour
RefreshPeriod 3600



the error from the level 3 logfile:

Thu Oct 14 12:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr, 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout



--
Best regards, Alex




Am Montag, den 11.10.2010, 23:27 +0200 schrieb Mike McCauley:


Hello Alexander,

On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
> Hi Mike,
>
> 4.7 rpm, without patches.

OK, so we will need to see the config file and the log file showing the error
and what happens before.

Cheers.





Re: [RADIATOR] refresh time on clientlistsql

2010-10-20 Thread Alexander Hartmaier
Hi Mike,

I must have mistaken this server with another.
It runs 4.6 with some patches.
I've upgraded it now to 4.7 with the current patch set and will report
if this fixed the error message in the log.

-- 
Best regards, Alex


On Thu, 2010-10-14 at 13:21 +0200, Mike McCauley wrote:
> Hello Alex,
> 
> Thanks for the log.
> Can we pls see a bit more of the log, maybe a few hundred lines before the 
> error.
> Are you quite sure you don't have a 4.7 patch set installed?
> 
> Cheers.
> 
> On Thursday 14 October 2010 09:01:09 pm Alexander Hartmaier wrote:
> > Hi Mike,
> >
> > the config section
> >
> > 
> > DBSourcedbi:Oracle:NAC
> > DBUsername  foo
> > DBAuth  bar
> >
> > ConnectionHook  sub { \
> > $_[1]->do("ALTER SESSION SET NLS_DATE_FORMAT = '-MM-DD
> > HH24:MI:SS'"); \ $_[1]->do("ALTER SESSION SET CURRENT_SCHEMA  = nacadm"); \
> > }
> >
> > # store the supportgroup from the CMDB in the OSC-Group-Identifier
> > attribute GetClientQuery SELECT device.ipaddr, 'key', NULL, NULL, NULL,
> > NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL,
> > NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup
> > FROM device JOIN core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid)
> > WHERE device.fk_collector = 5
> >
> > # Reread the client list every hour
> > RefreshPeriod 3600
> > 
> >
> >
> > the error from the level 3 logfile:
> >
> > Thu Oct 14 12:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr,
> > 'key', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> > NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> > 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> > core.tblh...@pcmsat01 ON (device.hostid = tblhost.hostid) WHERE
> > device.fk_collector = 5': SQL Timeout
> >
> >
> >
> > --
> > Best regards, Alex
> >
> >
> >
> >
> > Am Montag, den 11.10.2010, 23:27 +0200 schrieb Mike McCauley:
> >
> >
> > Hello Alexander,
> >
> > On Tuesday 12 October 2010 03:07:16 am Alexander Hartmaier wrote:
> > > Hi Mike,
> > >
> > > 4.7 rpm, without patches.
> >
> > OK, so we will need to see the config file and the log file showing the
> > error and what happens before.
> >
> > Cheers.
> >
> >
> >
> >


Re: [RADIATOR] refresh time on clientlistsql

2010-10-28 Thread Alexander Hartmaier
Hi Mike,

I've encountered the problem on another server today which was running
4.7 without a patchset.
I've installed the same patchset as on the other server and upgraded DBI
and DBD::Oracle and hope this fixes it.

The error I've seen here is:
ORA-03113: end-of-file on communication channel
Process ID: 0
Session ID: 139 Serial number: 58899 (DBD ERROR:
OCIStmtExecute/Describe)

--
Best regards, Alex


On Wed, 2010-10-20 at 19:25 +0200, Hartmaier Alexander wrote:
> Hi Mike,
>
> I must have mistaken this server with another.
> It runs 4.6 with some patches.
> I've upgraded it now to 4.7 with the current patch set and will report
> if this fixed the error message in the log.
>




Re: [RADIATOR] refresh time on clientlistsql

2010-10-28 Thread Alexander Hartmaier
Still happens with newest DBI and DBD::Oracle.
I assume radiator doesn't close the db connection and a firewall removes
it from its state table which leads to dropped packets after an hour
when radiator tries to use the db connection again.

You might want to look into DBIx::Connector which handles some problems
automatically.

-- 
Best regards, Alex


On Thu, 2010-10-28 at 15:27 +0200, Hartmaier Alexander wrote:
> Hi Mike,
> 
> I've encountered the problem on another server today which was running
> 4.7 without a patchset.
> I've installed the same patchset as on the other server and upgraded DBI
> and DBD::Oracle and hope this fixes it.
> 
> The error I've seen here is:
> ORA-03113: end-of-file on communication channel
> Process ID: 0
> Session ID: 139 Serial number: 58899 (DBD ERROR:
> OCIStmtExecute/Describe)
> 
> --
> Best regards, Alex
> 
> 
> On Wed, 2010-10-20 at 19:25 +0200, Hartmaier Alexander wrote:
> > Hi Mike,
> >
> > I must have mistaken this server with another.
> > It runs 4.6 with some patches.
> > I've upgraded it now to 4.7 with the current patch set and will report
> > if this fixed the error message in the log.
> >
> 
> 


Re: [RADIATOR] refresh time on clientlistsql

2010-10-29 Thread Alexander Hartmaier
Hi Mike,

I've just done this as a workaround but still think Radiator should
close the database connection between refresh intervals.

Why don't you want to use CPAN modules?
You can ship known working versions bundled with Radiator.

--
Best regards, Alex


On Thu, 2010-10-28 at 23:31 +0200, Mike McCauley wrote:
> Hello Alexander,
>
> maybe you could reduce the RefreshPeriod in your ClientListSQL to less than an
> hour (or whatever the retain time in the firewall is) so the SQL session
> stays up?
>
> Cheers.
>
> On Friday 29 October 2010 12:36:02 am Alexander Hartmaier wrote:
> > Still happens with newest DBI and DBD::Oracle.
> > I assume radiator doesn't close the db connection and a firewall removes
> > it from its state table which leads to dropped packets after an hour
> > when radiator tries to use the db connection again.
> >
> > You might want to look into DBIx::Connector which handles some problems
> > automatically.
>
>
>


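The failure mode argued about in this thread (a RefreshPeriod longer than the firewall's idle timeout, so the next GetClientQuery runs on a session that is already gone and radiusd logs an ORA-03113 or ORA-03114 style error) can be modelled outside Radiator. The Python below is an added example and is not Radiator code or anything shipped by Open System Consultants: FakeDbConnection, ClientListRefresher and simulate are constructed names, and the two NAS rows are constructed sample data. It shows the behaviour asked for above: probe the handle before use, reconnect with a bounded number of attempts, and on persistent failure keep serving the last-known-good client list while flagging it stale, instead of exiting.

```python
"""Client-list refresh that survives an SQL session dropped by a firewall.

Added example, not Radiator code. FakeDbConnection, ClientListRefresher and
simulate are constructed names; the two NAS rows are constructed sample data.
"""
import logging

log = logging.getLogger("clientlist")


class ConnectionLost(Exception):
    """The database session is gone (the ORA-03113 / ORA-03114 situation)."""


class FakeDbConnection:
    """Constructed stand-in for a DBI handle behind a stateful firewall.

    idle_timeout plays the firewall's state-table timeout: once the handle has
    sat idle longer than that, every later call on it fails.
    """

    def __init__(self, rows, idle_timeout, created_at):
        self.rows = rows
        self.idle_timeout = idle_timeout
        self.last_used = created_at
        self.dead = False

    def _touch(self, now):
        if self.dead or now - self.last_used > self.idle_timeout:
            self.dead = True
            raise ConnectionLost("ORA-03113: end-of-file on communication channel")
        self.last_used = now

    def ping(self, now):
        """Cheap liveness probe, in the role of DBI's $dbh->ping."""
        try:
            self._touch(now)
            return True
        except ConnectionLost:
            return False

    def select_clients(self, now):
        """Stands in for GetClientQuery: (ipaddr, secret, group) rows."""
        self._touch(now)
        return list(self.rows)


class ClientListRefresher:
    """Rereads the NAS client table, reconnecting when the session is dead."""

    def __init__(self, connect, max_attempts=3):
        self.connect = connect      # callable(now) -> connection, or raises
        self.max_attempts = max_attempts
        self.conn = None
        self.clients = {}           # ipaddr -> (secret, group)
        self.connects = 0           # how often connect() was called

    def _connection(self, now):
        if self.conn is not None and self.conn.ping(now):
            return self.conn
        if self.conn is not None:
            log.warning("SQL session gone, reconnecting")
        self.connects += 1
        self.conn = self.connect(now)
        return self.conn

    def refresh(self, now):
        """Return (clients, stale); stale is True when every attempt failed."""
        for attempt in range(1, self.max_attempts + 1):
            try:
                rows = self._connection(now).select_clients(now)
            except ConnectionLost as err:
                log.error("refresh attempt %d failed: %s", attempt, err)
                self.conn = None
                continue
            self.clients = {ip: (secret, group) for ip, secret, group in rows}
            return self.clients, False
        # Every attempt failed: keep serving the last-known-good list rather
        # than exiting. Trade-off: a NAS deleted from the table, or one whose
        # secret changed, keeps its old entry until a refresh succeeds, so the
        # stale flag must reach monitoring instead of being swallowed.
        return self.clients, True


def simulate(firewall_idle_timeout=1800, refresh_period=3600, connect_fails_from=None):
    """Run three refreshes, RefreshPeriod apart, against the fake database.

    Returns {"outcomes": [(time, client_count, stale), ...], "connects": n}.
    connect_fails_from makes every (re)connect at or after that time fail.
    """
    rows = [  # constructed sample NAS rows, not real addresses or secrets
        ("192.0.2.10", "constructed-secret-1", "netops"),
        ("192.0.2.11", "constructed-secret-2", "wifi"),
    ]

    def connect(now):
        if connect_fails_from is not None and now >= connect_fails_from:
            raise ConnectionLost("connect failed (constructed)")
        return FakeDbConnection(rows, firewall_idle_timeout, now)

    refresher = ClientListRefresher(connect)
    outcomes = []
    for now in (0, refresh_period, 2 * refresh_period):
        clients, stale = refresher.refresh(now)
        outcomes.append((now, len(clients), stale))
    return {"outcomes": outcomes, "connects": refresher.connects}


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(levelname)s: %(message)s")
    print(simulate())                         # reconnects at 3600 and 7200
    print(simulate(refresh_period=900))       # refresh below idle timeout: no reconnect
    print(simulate(connect_fails_from=3600))  # stale list kept when reconnect fails
```

The stale flag is the part worth wiring into monitoring: the old list keeps RADIUS answering, but a NAS removed from the database, or one whose shared secret was changed, keeps its previous entry until a refresh succeeds. Mike's suggestion of a RefreshPeriod below the firewall's state timeout is the `refresh_period=900` case, in which no reconnect is ever needed.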


[RADIATOR] RHEL4 and the new init script

2011-01-24 Thread Alexander Hartmaier
Hi,
after updating our primary radius servers to Radiator 4.7 I've tried the
new linux init script which now supports starting and stopping multiple
radius processes.
I've found out that it doesn't work with RHEL4 because its killproc
function defined in /etc/init.d/functions doesn't support the -p
attribute and fails miserably in parsing the function call.

As a workaround we've copied the functions file from a RHEL5 box
to /etc/init.d/functions-rhel5 and changed the lines checking for the file
and the one loading it:

[root@radius1 init.d]# diff /etc/init.d/radiator /opt/Radiator-4.7/goodies/linux-radiator.init
48c48
< if [ -f /etc/init.d/functions-rhel5 ]; then
---
> if [ -f /etc/init.d/functions ]; then
50c50
< . /etc/init.d/functions-rhel5
---
> . /etc/init.d/functions
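Review bot: this is a normal-format diff with the edited file first, so the `<` lines are the workaround and the `>` lines are the shipped script; worth stating, because both conditions read naturally in either direction. Sourcing a complete RHEL5 /etc/init.d/functions on a RHEL4 box pulls in every helper the init script calls from it, not only the `killproc -p` variant that was missing, and the RHEL5 file may in turn expect RHEL5-only binaries or options; a narrower alternative is to keep the stock functions file and branch on the release (for example from /etc/redhat-release) before deciding how to stop radiusd.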

@Hugh: maybe you can add a note to the patches webpage and the init
script stating the minimum required version per dist.

--
Alexander Hartmaier 
T-Systems Austria GesmbH





Re: [RADIATOR] Windows Server 2008 R2

2011-05-09 Thread Alexander Hartmaier
Strawberry Perl is the Perl of choice on Windows these days:
http://strawberryperl.com

Best regards, Alex

Am 2011-04-07 00:13, schrieb Heikki Vatiainen:
> On 04/06/2011 05:09 PM, Remco van Noorloos wrote:
>
>> We are planning to install Radiator on a Windows Server 2008 R2
>> server. I checked the reference manual but only Windows Server 2003
>> is mentioned as supported. Is Windows Server 2008 supported or should
>> I use a Windows 2003 server?
> I have myself used Windows Server 2008. I do not see any reason why 2008
> R2 should not work too.
>
> The main thing is ActivePerl. If ActivePerl works well, then Radiator
> should not be a problem. If there are problems, then there is the option
> of going back to 2003.
>
> Best regards,
> Heikki
>



[RADIATOR] radiator exists on ClientSQL timeout

2011-05-16 Thread Alexander Hartmaier
Hi guys,
radiator exits when encountering a sql timeout:

Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr, 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE device.fk_collector = 5': SQL Timeout

I've already upgraded it from 4.7+patches to 4.8 but the problem persists.
We had problems with tcp connections closed by an intermediate firewall
in the past without a solution.
Which logs etc. do you need from our side to troubleshoot the bug?

Best regards, Alex

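From the detection side, the same thread gives enough material for a small log check. The Python below is an added example, not Radiator code: it parses Radiator-style log lines, classifies the SQL failures quoted in these messages (SQL Timeout, ORA-03113, ORA-03114), tests whether the failures recur one RefreshPeriod apart, which is what a session dropped by an idle timeout shorter than RefreshPeriod looks like, and redacts the echoed statement before a line is forwarded. SAMPLE_LOG is constructed from the log lines quoted in this thread with the statements shortened to `...`; the function and category names are this example's own.

```python
"""Spot SQL-session failures in a Radiator log and test for the idle-timeout pattern.

Added example, not Radiator code. SAMPLE_LOG is constructed from the messages
quoted in this thread, with each statement shortened to '...'.
"""
import re
from collections import Counter
from datetime import datetime

# Radiator writes "<ctime-style timestamp>: <LEVEL>: <message>" per line.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} [A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4}): "
    r"(?P<level>[A-Z]+): (?P<msg>.*)$"
)

# Failure texts quoted in the thread; the category names are constructed.
FAILURE_PATTERNS = (
    ("sql_timeout", re.compile(r"SQL Timeout")),
    ("session_dropped", re.compile(r"ORA-03113")),
    ("not_connected", re.compile(r"ORA-03114")),
)

# Radiator echoes the whole failed statement between the quotes.
STATEMENT_RE = re.compile(r"(Execute failed for ')(.*)('(?=: ))")

SAMPLE_LOG = [  # constructed, modelled on the thread's log lines
    "Thu Oct 14 12:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr, ... "
    "WHERE device.fk_collector = 5': SQL Timeout",
    "Thu Oct 14 13:05:10 2010: DEBUG: Handling with AuthINTERNAL:",
    "Thu Oct 14 13:57:43 2010: ERR: Execute failed for 'SELECT device.ipaddr, ... "
    "WHERE device.fk_collector = 5': ORA-03113: end-of-file on communication channel "
    "(DBD ERROR: OCIStmtExecute/Describe)",
    "Thu Oct 14 14:57:42 2010: ERR: Execute failed for 'SELECT device.ipaddr, ... "
    "WHERE device.fk_collector = 5': ORA-03114: not connected to ORACLE "
    "(DBD ERROR: OCIStmtExecute/Describe)",
    "Thu Oct 14 14:58:00 2010: INFO: Access rejected for test: redirected by AuthHANDLER",
]


def parse_line(line):
    """Split one log line into timestamp, level and message; None if it is not one."""
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
    return {"ts": ts, "level": m.group("level"), "msg": m.group("msg")}


def classify(msg):
    """Name the SQL failure in an ERR message, or None if it is not one."""
    if not msg.startswith("Execute failed for "):
        return None
    for name, pattern in FAILURE_PATTERNS:
        if pattern.search(msg):
            return name
    return "other_sql_error"


def scan(lines):
    """Return [(timestamp, category), ...] for every SQL failure in the log."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["level"] != "ERR":
            continue
        category = classify(rec["msg"])
        if category is not None:
            events.append((rec["ts"], category))
    return events


def summarize(events):
    """Count failures per category."""
    return Counter(category for _, category in events)


def idle_timeout_signature(events, refresh_period, tolerance=30):
    """True when failures recur one refresh period apart.

    A ClientListSQL refresh only touches the database every RefreshPeriod
    seconds, so a session dropped by an idle timeout shorter than that fails
    on every refresh: the gaps between failures line up with RefreshPeriod.
    Two or more such gaps are a strong hint; one failure proves nothing.
    """
    if len(events) < 2:
        return False
    gaps = [(later - earlier).total_seconds()
            for (earlier, _), (later, _) in zip(events, events[1:])]
    return all(abs(gap - refresh_period) <= tolerance for gap in gaps)


def redact_statement(line):
    """Drop the echoed statement before a line leaves the host."""
    return STATEMENT_RE.sub(r"\1<statement redacted>\3", line)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    print(summarize(found))
    print("idle-timeout pattern at RefreshPeriod 3600:", idle_timeout_signature(found, 3600))
    for line in SAMPLE_LOG:
        print(redact_statement(line))
```

The redaction is there because the ERR line reproduces the entire failed statement: any literal that GetClientQuery contains, such as the `'key'` / `'statickey'` value in the second column of the query above, is written to the log on every failure and travels with the line to whatever central collector receives it.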


Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-16 Thread Alexander Hartmaier
Hi Heikki,
this one runs on a debian 4 vm using the distro perl version 5.8.8.
DBI is version 1.616, DBD::Oracle version 1.28 with instantclient
11.2.0.2.0.
Do you have a suggestion what to add to the init script to redirect
those messages to a logfile?

Best regards, Alex

Am 2011-05-16 14:19, schrieb Heikki Vatiainen:
> On 05/16/2011 02:26 PM, Alexander Hartmaier wrote:
>
> Hello Alexander,
>
>> radiator exits when encountering a sql timeout:
>>
>> Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr,
>> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
>> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
>> device.fk_collector = 5': SQL Timeout
>>
>> I've already upgraded it from 4.7+patches to 4.8 but the problem persists.
>> We had problems with tcp connections closed by an intermediate firewall
>> in the past without a solution.
>> Which logs etc. do you need from our side to troubleshoot the bug?
> Thanks for the report.
>
> Please tell us your operating system, perl DBI and DBD module versions
> and which DBD you are currently using (mysql, Pg, Oracle, etc.).
>
> If you could run Radiator with -log_stdout and -foreground radiusd
> options (or config file LogStdout and Foreground) and keep it running on
> a console where you have access to, you may be able to see what
> additional debug information might come from DBI, DBD or some other
> component.
>
> Since the libraries Radiator uses do not know about Radiator's logfile,
> there is a chance their messages otherwise get lost.
>
> In many cases running with LogStdout and Foreground gives more
> information about the reason for exit.
>
> Thanks!
>



Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-16 Thread Alexander Hartmaier
My init file is from the goodies dir.
Because I'm running debian the command used is
/sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec $RADIUSD -- $RADIUSD_ARGS

where $RADIUSD_ARGS is the default of -config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS

I've now changed it to:
[ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"

The -foreground option isn't compatible with start-stop-daemon but I 
hope -log_stdout is compatible with -daemon too.

Best regards, Alex

Am 2011-05-16 17:58, schrieb Heikki Vatiainen:
> On 05/16/2011 06:21 PM, Alexander Hartmaier wrote:
>
>> this one runs on a debian 4 vm using the distro perl version 5.8.8.
>> DBI is version 1.616, DBD::Oracle version 1.28 with instantclient
>> 11.2.0.2.0.
>> Do you have a suggestion what to add to the init script to redirect
>> those messages to a logfile?
> The radiusd arguments are -log_stdout and -foreground.
>
> Note: normally radiusd will detach from the terminal and let the init script
> finish. With the -foreground option this may not happen (depends on the
> startup script) so you should not leave the options there when
> the system boots.
>
> I would use these options from a terminal that I can leave running
> especially if there's a test server available that can be used for
> troubleshooting.
>
> If you can not run Radiator from command line, you could try starting
> Radiator with something like this:
>
> radiusd  >  /var/log/radiator/stdout.log 2>
> /var/log/radiator/stderr.log&
>
> Here  would contain the normal radiusd options and include
> -log_stdout and -foreground. Both stdout and stderr are directed to a
> file and & puts radiusd in the background.
>
>> Best regards, Alex
>>
>> Am 2011-05-16 14:19, schrieb Heikki Vatiainen:
>>> On 05/16/2011 02:26 PM, Alexander Hartmaier wrote:
>>>
>>> Hello Alexander,
>>>
>>>> radiator exits when encountering a sql timeout:
>>>>
>>>> Sat May 14 18:28:12 2011: ERR: Execute failed for 'SELECT device.ipaddr,
>>>> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>>>> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>>>> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
>>>> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
>>>> device.fk_collector = 5': SQL Timeout
>>>>
>>>> I've already upgraded it from 4.7+patches to 4.8 but the problem
>>>> persists.
>>>> We had problems with tcp connections closed by an intermediate firewall
>>>> in the past without a solution.
>>>> Which logs etc. do you need from our side to troubleshoot the bug?
>>> Thanks for the report.
>>>
>>> Please tell us your operating system, perl DBI and DBD module versions
>>> and which DBD you are currently using (mysql, Pg, Oracle, etc.).
>>>
>>> If you could run Radiator with -log_stdout and -foreground radiusd
>>> options (or config file LogStdout and Foreground) and keep it running on
>>> a console where you have access to, you may be able to see what
>>> additional debug information might come from DBI, DBD or some other
>>> component.
>>>
>>> Since the libraries Radiator uses do not know about Radiator's logfile,
>>> there is a chance their messages to otherwise get lost.
>>>
>>> In many cases running with LogStdout and Foreground gives more
>>> information about the reason for exit.
>>>
>>> Thanks!
>>>


Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-16 Thread Alexander Hartmaier
I haven't configured forking so we should be safe.

Am 2011-05-16 19:05, schrieb Heikki Vatiainen:
> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>> My init file is from the goodies dir.
> Ok, then we have to work around Debian specific things a bit.
>
>> Because I'm running debian the command used is
>> /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec
>> $RADIUSD -- $RADIUSD_ARGS
>>
>> where $RADIUSD_ARGS is the default of -config_file $RADIATOR_CONFIG
>> -daemon $RADIATOR_ARGS
>>
>> I've now changed it to:
>> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG
>> -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log
>> 2>/var/log/radiator/stderr.log"
>>
>> The -foreground option isn't compatible with start-stop-daemon but I
>> hope -log_stdout is compatible with -daemon too.
> That may not work since -foreground keeps Radiator from forking and
> closing stdout. In other words, -foreground is needed for catching all
> messages. Would it be possible to do the following:
>
> 1. Start Radiator with unmodified start script
> 2. Observe what the actual command is (radiusd + all arguments)
> 3. Run radiusd from command line with the observed arguments plus
> -foreground and -log_stdout
>
> Thanks again!
>



Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-18 Thread Alexander Hartmaier
Hi,
I was referring to the MaxChildren config option which we don't use.

Adding the -b option to start-stop-daemon and replacing -daemon with 
-foreground did the trick.

It occurs approximately once per day, maybe a Monday-morning bug.

Best regards, Alex

Am 2011-05-16 23:02, schrieb Heikki Vatiainen:
> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
>> I haven't configured forking so we should be safe.
> Sorry, I may have been a bit unclear about which fork I was meaning.
> When Radiator is started without --foreground it will fork. If Fork has
> been configured for an AuthBy, Radiator will fork an additional copy to
> handle that authentication.
>
> What is important is that there are no forks, not even the initial fork
> when Radiator backgrounds itself.
>
> If possible, can you send your configuration file. If not possible, I
> would like to know if you are using.
>
> If you are, try creating another username that Log SQL uses for
> accessing the DB. This will give SQL logging another DB handle which may
> help. This is mentioned in 4.8 ref.pdf
>
>> Am 2011-05-16 19:05, schrieb Heikki Vatiainen:
>>> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>>>> My init file is from the goodies dir.
>>> Ok, then we have to work around Debian specific things a bit.
>>>
>>>> Because I'm running debian the command used is
>>>> /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec
>>>> $RADIUSD -- $RADIUSD_ARGS
>>>>
>>>> where $RADIUSD_ARGS is the default of -config_file $RADIATOR_CONFIG
>>>> -daemon $RADIATOR_ARGS
>>>>
>>>> I've now changed it to:
>>>> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG
>>>> -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log
>>>> 2>/var/log/radiator/stderr.log"
>>>>
>>>> The -foreground option isn't compatible with start-stop-daemon but I
>>>> hope -log_stdout is compatible with -daemon too.
>>> That may not work since -foreground keeps Radiator from forking and
>>> closing stdout. In other words, -foreground is needed for catching all
>>> messages. Would it be possible to do the following:
>>>
>>> 1. Start Radiator with unmodified start script
>>> 2. Observe what the actual command is (radiusd + all arguments)
>>> 3. Run radiusd from command line with the observed arguments plus
>>> -foreground and -log_stdout
>>>
>>> Thanks again!
>>>


Re: [RADIATOR] tacacs+ GroupMemberAttr per client

2011-05-18 Thread Alexander Hartmaier
Use different handlers for the tacacs clients.
You can use ClientListSQL or ClientListLDAP if you already have the
devices with their ips in a database or ldap directory.

BR Alex

Am 2011-05-17 23:28, schrieb James:
> Is there a way to set GroupMemberAttr per client?
>
> I want some devices to pull attributeX from an LDAP server, while
> another set of TACACS+ clients should pull attributeY.
>
> What's the best way to go about doing this without starting many, many
> different Radiator instances (one for each different group of
> devices)?
>
> -james



[RADIATOR] linux init script patch

2011-05-20 Thread Alexander Hartmaier
In my endless quest for a working init script to ease config for new
users here's a patch against Radiator-4.8 + patches from today (this
includes two patches to the linux init script).
This is to make it work on a Debian 6 box with Radiator installed with
perl Makefile.PL; make install which installs into /usr/local/bin and
not /usr/bin as the default init script points at.
I assume that the rpm installs a working init script so the one in the
goodies dir should work for people installing from the tar.gz.
Also as I pointed out before the pid file should be in the /var/run dir
to be LSB conform.
If you want to run radiator as non-root it has to go in a /var/run
subdir that is owned or at least writeable by the user.
Please also take a look at my mail from the 24th January!

I've also added an error message if the radiator binary can't be
executed, which occurred for me because it couldn't be found at all; maybe a -f
check should go in there before the -x.

Cheers, Alex

root@radiator:/etc/init.d# diff -u radiator /root/Radiator-4.8/goodies/linux-radiator.init
--- radiator2011-05-20 10:58:06.0 +0200
+++ /root/Radiator-4.8/goodies/linux-radiator.init2011-05-19
23:36:28.0 +0200
@@ -6,7 +6,7 @@
  # chkconfig: 2345 90 15
  # description: radiator is the radius daemon required for RAS AAA.
  # processname: /usr/bin/radiusd
-# pidfile: /var/run/radiator.pid
+# pidfile: /var/log/radius/radiusd.pid
  # config: /etc/radiator/radius.cfg
  # config: /etc/sysconfig/radiator
  #
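Review bot: the direction of this diff is inverted relative to the change being proposed: `diff -u radiator /root/Radiator-4.8/goodies/linux-radiator.init` puts the edited local copy first, so the `-` lines are the proposed content and the `+` lines are what goodies/linux-radiator.init currently ships; feeding it to `patch` against the goodies file would re-apply the old paths. Regenerate it with the goodies file as the first argument before it goes into a patch set. The change itself, moving the `# pidfile:` header from /var/log/radius/radiusd.pid to /var/run/radiator.pid, matches the LSB point made in the mail and the `RADIUSD_PIDFILE` default changed in the next hunk.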
@@ -41,9 +41,9 @@

  [ -f "${SYSCONFIG}" ] && . "${SYSCONFIG}"

-[ -z "${RADIUSD}" ] && RADIUSD=/usr/local/bin/radiusd
+[ -z "${RADIUSD}" ] && RADIUSD=/usr/bin/radiusd
  [ -z "${RADIATOR_CONFIG}" ] && RADIATOR_CONFIG=/etc/radiator/radius.cfg
-[ -z "${RADIUSD_PIDFILE}" ] && RADIUSD_PIDFILE="/var/run/radiator.pid"
+[ -z "${RADIUSD_PIDFILE}" ] &&
RADIUSD_PIDFILE="/var/log/radius/radiusd.pid"
  [ -z "${RADIATOR_ARGS}" ] && RADIATOR_ARGS=""
  [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-pid_file $RADIUSD_PIDFILE
-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"

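Review bot: `RADIUSD=/usr/local/bin/radiusd` only swaps one hard-coded default for the other, so the script still needs editing for whichever of the rpm (/usr/bin) and `make install` (/usr/local/bin) layouts it is not set for; since `${SYSCONFIG}` is already sourced two lines above, the portable fix is to probe both paths when RADIUSD is unset, e.g. `for p in /usr/local/bin/radiusd /usr/bin/radiusd; do [ -x "$p" ] && RADIUSD=$p && break; done`, or to document the override in /etc/sysconfig/radiator. The `# processname: /usr/bin/radiusd` header in the first hunk is left pointing at the old path and should follow the same default.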
@@ -60,10 +60,7 @@
  elif  [ -x /sbin/start-stop-daemon ]; then
  # Debian
  STARTPROC="/sbin/start-stop-daemon --start --pidfile
${RADIUSD_PIDFILE} --exec $RADIUSD -- $RADIUSD_ARGS"
-CHECKPROC=
-if [ -f ${RADIUSD_PIDFILE} ]; then
  CHECKPROC="ps -fp `cat ${RADIUSD_PIDFILE}`"
-fi
  KILLPROC="/sbin/start-stop-daemon --stop --pidfile ${RADIUSD_PIDFILE}"
  RELOADPROC="/sbin/start-stop-daemon --stop --signal HUP --pidfile
${RADIUSD_PIDFILE}"
  TRACEUPPROC="/sbin/start-stop-daemon --stop --signal USR1 --pidfile
${RADIUSD_PIDFILE}"
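Review bot: guarding CHECKPROC with `-f ${RADIUSD_PIDFILE}` is the right fix, since otherwise `cat` of a missing pidfile fails and `ps -fp` runs without a pid argument, but the pid read from the file is still used unvalidated, and the same pidfile drives the `--stop`, `--signal HUP` and `--signal USR1` invocations in this hunk, which the init script runs as root. Combined with the request in the mail to keep the pidfile in a directory the radiusd user can write to, that means the script will signal whichever pid happens to be in the file. Two cheap hardenings: validate the content, e.g. `pid=$(cat "${RADIUSD_PIDFILE}")` followed by `case $pid in ''|*[!0-9]*) pid= ;; esac`, and add `--exec $RADIUSD` (or `--name`) to the `--stop` invocations so start-stop-daemon refuses to signal a pid that is not a radiusd process. The backtick substitution in CHECKPROC should also be quoted.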
@@ -93,7 +90,6 @@
  fi

  if [ ! -x $RADIUSD ]; then
-echo Unable to find executable radiusd binary!
  exit 0
  fi

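Review bot: the added diagnostic is useful, but the `exit 0` that follows it still reports success to init and to anything polling the service, so a missing radiusd binary is silently accepted as a clean start. Send the message to stderr (`echo ... >&2`) and exit non-zero (LSB uses 5 for "program is not installed"). A separate `-f` test before `-x`, as the covering mail suggests, only changes the wording, since `-x` already fails for a file that does not exist; telling "not found" from "not executable" in the message is the actual gain.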




Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-24 Thread Alexander Hartmaier
Since changing the init script line 37 from:
[ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"
to:
[ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG $RADIATOR_ARGS -foreground -log_stdout > /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"

it doesn't crash any more but still hangs after log entries like:
Tue May 24 15:54:34 2011: ERR: Execute failed for 'SELECT device.ipaddr, 
'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 
NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 
'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN 
core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE 
device.fk_collector = 5': ORA-03114: not connected to ORACLE (DBD ERROR: 
OCIStmtExecute/Describe)

On 2011-05-18 10:45, Hartmaier Alexander wrote:
> Hi,
> I was referring to the MaxChildren config option which we don't use.
>
> Add the -b option to start-stop-daemon and replacing -daemon with
> -foreground did the trick.
>
> It occurs approximately once per day, maybe a Monday-morning bug.
>
> Best regards, Alex
>
> On 2011-05-16 23:02, Heikki Vatiainen wrote:
>> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
>>> I haven't configured forking so we should be safe.
>> Sorry, I may have been a bit unclear about which fork I was meaning.
>> When Radiator is started without --foreground it will fork. If Fork has
>> been configured for an AuthBy, Radiator will fork an additional copy to
>> handle that authentication.
>>
>> What is important is that there are no forks, not even the initial fork
>> when Radiator backgrounds itself.
>>
>> If possible, can you send your configuration file. If not possible, I
>> would like to know if you are using.
>>
>> If you are, try creating another username that Log SQL uses for
>> accessing the DB. This will give SQL logging another DB handle which may
>> help. This is mentioned in 4.8 ref.pdf
>>
>>> On 2011-05-16 19:05, Heikki Vatiainen wrote:
>>>> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>>>>> My init file is from the goodies dir.
>>>> Ok, then we have to work around Debian specific things a bit.
>>>>
>>>>> Because I'm running debian the command used is
>>>>> /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec
>>>>> $RADIUSD -- $RADIUSD_ARGS
>>>>>
>>>>> where $RADIUSD_ARGS is the default of -config_file $RADIATOR_CONFIG
>>>>> -daemon $RADIATOR_ARGS
>>>>>
>>>>> I've now changed it to:
>>>>> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG
>>>>> -daemon $RADIATOR_ARGS -log_stdout > /var/log/radiator/stdout.log
>>>>> 2>/var/log/radiator/stderr.log"
>>>>>
>>>>> The -foreground option isn't compatible with start-stop-daemon but I
>>>>> hope -log_stdout is compatible with -daemon too.
>>>> That may not work since -foreground keeps Radiator from forking and
>>>> closing stdout. In other words, -foreground is needed for catching all
>>>> messages. Would it be possible to do the following:
>>>>
>>>> 1. Start Radiator with unmodified start script
>>>> 2. Observe what the actual command is (radiusd + all arguments)
>>>> 3. Run radiusd from command line with the observed arguments plus
>>>> -foreground and -log_stdout
>>>>
>>>> Thanks again!
>>>>


Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-25 Thread Alexander Hartmaier
Hi Heikki,
no, this is only acting as tacacs+ server without any db logging.

# refresh the client list every hour
RefreshPeriod 3600

The intermediate firewalls will close the connection because the tcp 
connection is inactive for about an hour.
Can we enable tcp keepalives or add a check to radiator which detects 
broken connections?
DBIx::Connector was created from DBIx::Class code and would be the ideal 
solution for this problem.
You could include the newest version with every Radiator release if the 
license (same as Perl) allows it.

-Alex

On 2011-05-25 17:37, Heikki Vatiainen wrote:
> On 05/24/2011 05:06 PM, Alexander Hartmaier wrote:
>> Since changing the init script line 37 from:
>> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG -daemon $RADIATOR_ARGS"
>> to:
>> [ -z "${RADIUSD_ARGS}" ] && RADIUSD_ARGS="-config_file $RADIATOR_CONFIG $RADIATOR_ARGS -foreground -log_stdout > /var/log/radiator/stdout.log 2>/var/log/radiator/stderr.log"
>>
>> it doesn't crash any more but still hangs after log entries like:
>> Tue May 24 15:54:34 2011: ERR: Execute failed for 'SELECT device.ipaddr,
>> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
>> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
>> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
>> device.fk_collector = 5': ORA-03114: not connected to ORACLE (DBD ERROR:
>> OCIStmtExecute/Describe)
> Hmm, connection was lost. I previously asked if you do LogSQL. If you
> do, then change SQL log config so that LogSQL and ClientListSQL use
> different usernames (DBUsername) for DB access. When you do this,
> ClientListSQL and LogSQL will get their own handles and connections.
>
> What may happen now is ClientListSQL tries to log "Adding Clients ...",
> which is given to LogSQL which notices closed connection and destroys
> the handle.
>
> Then control returns to ClientListSQL and it continues and tries to read
> from the handle which was just killed by LogSQL.
>
> There is actually a comment on this now in 4.8 ref.pdf. See section
> 5.14.1. It was noticed that when LogSQL runs in parallel with other SQL users,
> it is possible that it closes DB handles when other DB users do not
> expect it.
>
> Please let us know if a separate LogSQL user solves the problem.
>
>
>> On 2011-05-18 10:45, Hartmaier Alexander wrote:
>>> Hi,
>>> I was referring to the MaxChildren config option which we don't use.
>>>
>>> Add the -b option to start-stop-daemon and replacing -daemon with
>>> -foreground did the trick.
>>>
>>> It occurs approximately once per day, maybe a Monday-morning bug.
>>>
>>> Best regards, Alex
>>>
>>> On 2011-05-16 23:02, Heikki Vatiainen wrote:
>>>> On 05/16/2011 08:33 PM, Alexander Hartmaier wrote:
>>>>> I haven't configured forking so we should be safe.
>>>> Sorry, I may have been a bit unclear about which fork I was meaning.
>>>> When Radiator is started without --foreground it will fork. If Fork has
>>>> been configured for an AuthBy, Radiator will fork an additional copy to
>>>> handle that authentication.
>>>>
>>>> What is important that there are no forks, not even the initial fork
>>>> when Radiator backgrounds itself.
>>>>
>>>> If possible, can you send your configuration file. If not possible, I
>>>> would like to know if you are using.
>>>>
>>>> If you are, try creating another username that Log SQL uses for
>>>> accessing the DB. This will give SQL logging another DB handle which may
>>>> help. This is mentioned in 4.8 ref.pdf
>>>>
>>>>> On 2011-05-16 19:05, Heikki Vatiainen wrote:
>>>>>> On 05/16/2011 07:58 PM, Alexander Hartmaier wrote:
>>>>>>> My init file is from the goodies dir.
>>>>>> Ok, then we have to work around Debian specific things a bit.
>>>>>>
>>>>>>> Because I'm running debian the command used is
>>>>>>> /sbin/start-stop-daemon --start --pidfile /var/run/radiusd.pid --exec
>>>>>>> $RADIUSD -- $RADIUSD_ARGS
>>>>>>>
>>>>>>> where $RADIUSD_ARGS is the default of -config_file $RADIATOR_CONFIG
>>>>>>> -daemon $RADIATOR_ARGS
>>>>>>>
>>>>>>> I've n

Re: [RADIATOR] Request rejecting from within PostSearchHook

2011-05-31 Thread Alexander Hartmaier

I have a NoReplyHook that always sends accepts:

NoReplyHook file:"%D/reply-accept.hook"

$ cat reply-accept.hook
sub {
    my $p  = ${$_[0]};   # the incoming request packet
    my $fp = ${$_[1]};   # the packet that was forwarded and got no reply
    my $rp = ${$_[2]};   # the reply packet being built for the client

    # turn the would-be timeout into an accept
    $rp->set_code('Access-Accept');

    # reply to the Client that sent the request
    $p->{Client}->replyTo($p);
    return;
}

Best regards, Alex

On 2011-05-31 10:34, Siebert Waldemar wrote:
Hello,


Is it possible to reject the request from within the PostSearchHook?

I have tried the following:

$_[2]->{RadiusResult} = $main::REJECT;

and

$_[5]->set_code('Access-Reject');

but none of them seems to work.

Thank you

Kind regards
Waldemar Siebert

T-Systems International GmbH



Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-05-31 Thread Alexander Hartmaier
Since running with the foreground option radiator doesn't die any more
and the log only contains lines like those:
Mon May 30 17:38:14 2011: ERR: Execute failed for 'SELECT device.ipaddr,
'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
device.fk_collector = 5': SQL Timeout
Mon May 30 19:40:14 2011: ERR: Execute failed for 'SELECT device.ipaddr,
'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
device.fk_collector = 5': SQL Timeout
Mon May 30 21:42:16 2011: ERR: Execute failed for 'SELECT device.ipaddr,
'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
device.fk_collector = 5': SQL Timeout
Mon May 30 23:44:18 2011: ERR: Execute failed for 'SELECT device.ipaddr,
'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
device.fk_collector = 5': SQL Timeout

Note that although the refresh interval is configured for 3600 which is
one hour, it only seems to try every two hours.

On 2011-05-30 14:02, Heikki Vatiainen wrote:
> On 05/25/2011 07:09 PM, Alexander Hartmaier wrote:
>
>> no, this is only acting as tacacs+ server without any db logging.
> Thanks for confirming this.
>
>> # refresh the client list every hour
>> RefreshPeriod 3600
>>
>> The intermediate firewalls will close the connection because the tcp
>> connection is inactive for about an hour.
>> Can we enable tcp keepalives or add a check to radiator which detects
>> broken connections?
> It already does check for broken connections. Just before it prints
> "Adding Clients from SQL database" it does reconnect when needed.
>
> So it does a reconnect that succeeds, tries to execute the select for
> getting the client list and then hits "Execute failed". Now I would be
> interested in seeing what else it logs before it dies or hangs completely.
>
> Can you pass me the logs? I would especially be interested in seeing if
> it is able to log "Automatic ClientListSQL refresh failed, keeping old list"
>
>> DBIx::Connector was created from DBIx::Class code and would be the ideal
>> solution for this problem.
>> You could include the newest version with every Radiator release if the
>> license (same as Perl) allows it.
> I can ask about this, but currently disconnects and reconnects should be
> handled already.
>
> But if you could provide the logs that show how far Radiator gets after
> "Adding Clients from SQL database" that would be very useful.
>
> Thanks!
>



[RADIATOR] 802.1x authentication questions

2011-06-01 Thread Alexander Hartmaier
Hi,
I'm currently implementing dot1x for our wired and wireless
infrastructure (various Cisco switches, mostly 4500 and Cisco 5508
Wireless LAN Controllers).
I've installed radiator in a Debian 6 VM with openssl 1.0.0d from
testing for CRL reloading support although I'm not sure if this is still
necessary as Radiator logs reloading CRL messages.

Everything is working well so far but for the case that a non-company
client has dot1x enabled on the interface I'd like to switch the port to
our guest lan.
This is working fine on the switch, but a Windows 7 client receives the
EAP auth failure from Radiator and doesn't try to send a dhcp request
although the switch port has already been set to the guest lan.

Is there a solution for this problem?

For the wireless part we're getting the following error on the WLC:
%DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
transition to state 0 failed; port status 0, key available 1, key tx
enabled 1

If someone encountered this error and knows a solution while we wait for
the Cisco TAC please respond!

Thanks!

--
Best regards, Alex




Re: [RADIATOR] 802.1x authentication questions

2011-06-03 Thread Alexander Hartmaier


On 2011-06-02 09:54, Heikki Vatiainen wrote:
> On 06/01/2011 07:17 PM, Alexander Hartmaier wrote:
>
>> Everything is working good so far but for the case that a non-company
>> client has dot1x enabled on the interface I'd like to switch the port to
>> our guest lan.
> What happens when you detect a non-company client? Have you configured
> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
Yes, the switch configures the guest-vlan on the port, but the client
gets an EAP auth failure through the EAP tunnel.
>> This is working fine on the switch, but a Windows 7 client receives the
>> EAP auth failure from Radiator and doesn't try to send a dhcp request
>> although the switch port has already been set to the guest lan.
> If the Windows 7 client is using PEAP/EAP-MSCHAP-V2 and Radiator returns
> Access-Accept without really having access to the user's password or
> NThash of the password, the client will notice that Radiator did not
> return a correct MS-CHAP-V2 response.
>
> The response needs to prove the server (Radiator) really has access to
> the user's credentials. In other words, the server must be able to
> authenticate itself too. That is the V2 part in the protocol.

We're using PEAP/EAP-TLS with machine certs.
>> Is there a solution for this problem?
>>
>> For the wireless part we're getting the following error on the WLC:
>> %DOT1X-3-AUTHKEY_TX_TRANS_ERR: 1x_kxsm.c:128 Authentication state
>> transition to state 0 failed; port status 0, key available 1, key tx
>> enabled 1
>>
>> If someone encountered this error and knows a solution while we wait for
>> the Cisco TAC please respond!
> If this is not a MS-CHAP-V2 problem I described above, and there is a
> way to do this, it would be very interesting to hear more.
Also same PEAP/EAP-TLS here.

> Thanks!
>



Re: [RADIATOR] 802.1x authentication questions

2011-06-06 Thread Alexander Hartmaier
On 2011-06-03 16:47, Heikki Vatiainen wrote:
> On 06/03/2011 11:35 AM, Alexander Hartmaier wrote:
>
>>> What happens when you detect a non-company client? Have you configured
>>> Radiator to return Access-Accept with appropriate attributes for guest VLAN?
>> Yes, the switch configures the guest-vlan on the port, but the client
>> gets an EAP auth failure through the EAP tunnel.
> Ok. The client would probably have to get an Access-Accept to continue.
> Just to check: is your plan to have the non-company users use a
> WPA-Enterprise secured network too?
The VLAN assignment is just for the wired network, for the wireless we
have different SSIDs.
>> We're using PEAP/EAP-TLS with machine certs.
> This sounds to me like a setup that might be easier to get working with
> two different WLANs. One SSID (wlan name) would be for company clients
> and another SSID (with different parameters) would be for non-company
> clients.
>
> Enterprise WLAN access points and controllers support multiple SSIDs and
> differently configured WLANs/VLANs so that should be possible to do. And
> then you would not need to modify company users' authentication settings
> to allow redirecting visitors to their VLAN.
See above.
> With EAP-TLS too the client wants to see server authentication. Also,
> the server does want to see a certificate from the client that it
> trusts. If you can assign certificates to non-company clients, you could
> use that information to do VLAN selection.
We've already got all necessary certificates and the client config in place.
I only want to improve the guest experience.
> What kind of non-company clients do you plan supporting? Visitors or
> possibly employees' own devices which could be considered more long term
> than just those who occasionally come to meetings etc.
Visitor devices that are not under our control.
>>>> If someone encountered this error and knows a solution while we wait for
>>>> the Cisco TAC please respond!
>>> If this is not a MS-CHAP-V2 problem I described above, and there is a
>>> way to do this, it would be very interesting to hear more.
>> Also same PEAP/EAP-TLS here.
> Please also let us know if you get something from TAC too.
>
> Thanks!
>



Re: [RADIATOR] BindAddress question

2011-06-14 Thread Alexander Hartmaier
Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
to not get v6 mapped v4 addresses?

On 2011-06-09 19:50, Heikki Vatiainen wrote:
> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>> Well, I installed a second instance on a dual stack host, and I tested
>> various combinations:
> Thanks for the summary.
>
>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>  I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients work
>>
>> BindAddress ipv6:::
>> IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: ignored)
> This should work if you specify your client like this:
>
> 
>
> Since the request arrived over IPv4 but was delivered to the application
> by IPv6 wildcard socket, the IPv4 address is presented as an IPv6
> address. See
>
> http://tools.ietf.org/html/rfc4291#section-2.5.5
>
> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
> is to let the application know whether the message was received over IPv6 or
> IPv4, since the socket can handle both protocols.
>
>
>> BindAddress 0.0.0.0
>>This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>> and worse, nothing is logged by radiator, no "request from unknown
>> client 2001:610:blah:blah"
>>
>> BindAddress ipv6:::,0.0.0.0
>>Startup gives some errors, and only IPv6 works:
>> Thu Jun  9 16:25:54 2011: DEBUG: Finished reading configuration file
>> '/etc/radiator/radius.cfg'
>> Thu Jun  9 16:25:54 2011: DEBUG: Reading dictionary file
>> '/etc/radiator/db/dictionary'
>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port ipv61812
>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port ipv61813
>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Jun  9 16:25:54 2011: ERR: Could not bind authentication socket:
>> Address already in use
>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Jun  9 16:25:54 2011: ERR: Could not bind accounting socket:
>> Address already in use
>> Thu Jun  9 16:25:54 2011: NOTICE: Server started: Radiator 4.8 on radius
>> Thu Jun  9 16:25:55 2011: NOTICE: Request from unknown client
>> 145.100.98.42: ignored
>>
>> BindAddress 0.0.0.0,ipv6:::
>>Also some errors, only IPv4 works, and also nothing logged when an
>> IPv6 client connects:
>> Thu Jun  9 16:27:42 2011: DEBUG: Finished reading configuration file
>> '/etc/radiator/radius.cfg'
>> Thu Jun  9 16:27:42 2011: DEBUG: Reading dictionary file
>> '/etc/radiator/db/dictionary'
>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port 0.0.0.0:1813
>> Thu Jun  9 16:27:42 2011: DEBUG: Creating authentication port ipv61812
>> Thu Jun  9 16:27:42 2011: ERR: Could not bind authentication socket:
>> Address already in use
>> Thu Jun  9 16:27:42 2011: DEBUG: Creating accounting port ipv61813
>> Thu Jun  9 16:27:42 2011: ERR: Could not bind accounting socket:
>> Address already in use
>> Thu Jun  9 16:27:42 2011: NOTICE: Server started: Radiator 4.8 on radius
>>
>>
>> So the only way I can get radiator to accept requests from both protocols
>> is to hardcode the interface addresses.
>>
>> Would it be possible to have radiator listen to 4+6 without hard coding?
>>
>> I think that option (whatever it looks like) should be the default.
>>
>> If possible, can the behavior of the current default ('BindAddress
>> 0.0.0.0') be changed so that it actually logs ignored incoming
>> requests?
>> I've spent quite some time figuring out what is going on, and only
>> tcpdump revealed that requests are actually reaching my box.
>>
>> Thanks :-)
>>
>



Re: [RADIATOR] BindAddress question

2011-06-14 Thread Alexander Hartmaier
Awesome reply Heikki, thanks!
I recommend you add an IPv6 section to the pdf documentation including this!

On 2011-06-14 15:21, Heikki Vatiainen wrote:
> On 06/14/2011 11:45 AM, Alexander Hartmaier wrote:
>> Does this mean that we can't bind to IPv4 and IPv6 separately on Linux
>> to not get v6 mapped v4 addresses?
> I think the mapped addresses are only seen when a wildcard IPv6 bind is
> done. If you bind to a non-wildcard IPv4 or IPv6 address, you should
> only see traffic that arrived over IPv4 or IPv6, respectively.
>
> To control the mapped addresses, there is IPV6_V6ONLY socket option, see
> http://tools.ietf.org/html/rfc3493#section-5.3 for more
>
> Linux also has this special file to control the system wide behaviour:
>
> /proc/sys/net/ipv6/bindv6only
>
> By default this seems to be 0. When it is 0, this will not work:
>
> BindAddress ipv6:::, 0.0.0.0
>
> The result in logs is this:
>
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port ipv61645
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port ipv61646
> Tue Jun 14 16:15:07 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:15:07 2011: ERR: Could not bind authentication socket:
> Address already in use
> Tue Jun 14 16:15:07 2011: DEBUG: Creating accounting port 0.0.0.0:1646
> Tue Jun 14 16:15:07 2011: ERR: Could not bind accounting socket: Address
> already in use
>
> If I do this to enable the option:
> echo 1 |sudo tee /proc/sys/net/ipv6/bindv6only
>
> the same configuration works:
>
> BindAddress ipv6:::, 0.0.0.0
>
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port ipv61645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port ipv61646
> Tue Jun 14 16:16:20 2011: DEBUG: Creating authentication port 0.0.0.0:1645
> Tue Jun 14 16:16:20 2011: DEBUG: Creating accounting port 0.0.0.0:1646
>
> When I used radpwtst to send requests to ipv6:::1 or 127.0.0.1 these
> Client clauses were matched, respectively:
>
> 
>  Identifier ipv6-loopback
>  Secret  mysecret
>  DupInterval 0
> 
> 
>  Identifier ipv4-loopback
>  Secret  mysecret
>  DupInterval 0
> 
>
> # Use this to check which Client clause matched
> 
>  
>  Filename%D/users-%{Client:Identifier}
>  
> 
>
> This may be useful for controlling IPv6 behaviour.
>
> Thanks!
> Heikki
>
>
>> On 2011-06-09 19:50, Heikki Vatiainen wrote:
>>> On 06/09/2011 05:37 PM, Dyonisius Visser wrote:
>>>> Well, I installed a second instance on a dual stack host, and I tested
>>>> various combinations:
>>> Thanks for the summary.
>>>
>>>> BindAddress 192.87.30.31,ipv6:2001:610:148:dead::31
>>>>   I.e. hardcoded addresses - this works, both IPv4 and IPv6 clients 
>>>> work
>>>>
>>>> BindAddress ipv6:::
>>>>  IPv4 blocked (NOTICE: Request from unknown client 192.87.30.32: 
>>>> ignored)
>>> This should work if you specify your client like this:
>>>
>>> 
>>>
>>> Since the request arrived over IPv4 but was delivered to the application
>>> by IPv6 wildcard socket, the IPv4 address is presented as an IPv6
>>> address. See
>>>
>>> http://tools.ietf.org/html/rfc4291#section-2.5.5
>>>
>>> section "2.5.5.2. IPv4-Mapped IPv6 Address". The purpose of this mapping
>>> is to let the application know whether the message was received over IPv6 or
>>> IPv4, since the socket can handle both protocols.
>>>
>>>
>>>> BindAddress 0.0.0.0
>>>> This is the default. IPv4 clients work. IPv6 clients DO NOT work,
>>>> and worse, nothing is logged by radiator, no "request from unknown
>>>> client 2001:610:blah:blah"
>>>>
>>>> BindAddress ipv6:::,0.0.0.0
>>>> Startup gives some errors, and only IPv6 works:
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Finished reading configuration file
>>>> '/etc/radiator/radius.cfg'
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Reading dictionary file
>>>> '/etc/radiator/db/dictionary'
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port ipv61812
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating accounting port ipv61813
>>>> Thu Jun  9 16:25:54 2011: DEBUG: Creating authentication port 0.0.0.0:1812
>>>> Thu Jun  9 16:25:54 2011: ERR: Could not bind authentication socket:
>>>> Address already in use
>>>> Thu Jun  9 1
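
Heikki's explanation above (an IPv4 peer showing up in IPv4-mapped form on a wildcard IPv6 socket, and bindv6only / IPV6_V6ONLY deciding whether a second 0.0.0.0 bind on the same port succeeds) can be reproduced with the following Python script; it is an added example, not part of the thread or of Radiator. probe_dual_stack() and normalize_peer() are the example's own names, it uses UDP loopback with a kernel-chosen port, and the Linux behaviour described in the thread is assumed.

```python
import ipaddress
import socket


def normalize_peer(addr: str) -> str:
    """Return the address a Client-list lookup should be keyed on.

    An IPv4-mapped IPv6 address (RFC 4291, section 2.5.5.2), which is how an
    IPv4 peer shows up on a wildcard IPv6 socket without IPV6_V6ONLY, is folded
    back to its IPv4 form; any other address is returned in canonical text form.
    """
    ip = ipaddress.ip_address(addr)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        return str(ip.ipv4_mapped)
    return str(ip)


def probe_dual_stack(v6only: bool):
    """Reproduce the two effects discussed in the thread for one setting of
    IPV6_V6ONLY: whether a second wildcard IPv4 bind on the same UDP port is
    possible, and what source address an IPv4 datagram carries when received.

    Returns a dict with 'ipv4_bind' ('ok' or the bind error text),
    'received_on' ('ipv4' or 'ipv6', the socket that got the datagram) and
    'peer' (the source address as that socket reported it), or None when the
    host has no usable IPv6 socket support (nothing to demonstrate then).
    """
    try:
        s6 = socket.socket(socket.AF_INET6, socket.SOCK_DGRAM)
        # Per-socket equivalent of the Linux-wide /proc/sys/net/ipv6/bindv6only.
        s6.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, int(v6only))
        s6.bind(("::", 0))  # wildcard IPv6 bind; the kernel picks a free port
    except OSError:
        return None
    port = s6.getsockname()[1]
    result = {"v6only": v6only}
    s4 = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        # With IPV6_V6ONLY off the IPv6 socket already owns the IPv4 side of
        # the port, so this bind fails with "Address already in use", the same
        # error the radiusd log shows for "BindAddress ipv6:::, 0.0.0.0".
        try:
            s4.bind(("0.0.0.0", port))
            result["ipv4_bind"] = "ok"
        except OSError as exc:
            result["ipv4_bind"] = exc.strerror
        # Constructed sample datagram from an IPv4-only sender on loopback.
        sender.sendto(b"constructed sample datagram", ("127.0.0.1", port))
        # Only one of the two sockets can own the IPv4 side of the port.
        receiver = s4 if result["ipv4_bind"] == "ok" else s6
        receiver.settimeout(2.0)
        try:
            _, peer = receiver.recvfrom(64)
            result["received_on"] = "ipv4" if receiver is s4 else "ipv6"
            result["peer"] = peer[0]  # '::ffff:127.0.0.1' on the IPv6 socket
        except socket.timeout:
            result["received_on"] = None
            result["peer"] = None
    finally:
        for sock in (s6, s4, sender):
            sock.close()
    return result


if __name__ == "__main__":
    for flag in (False, True):
        outcome = probe_dual_stack(flag)
        if outcome is None:
            print("no IPv6 socket support on this host")
            break
        seen = outcome["peer"]
        print(f"IPV6_V6ONLY={int(flag)}: IPv4 bind -> {outcome['ipv4_bind']}; "
              f"datagram on {outcome['received_on']} socket from {seen}"
              + (f" (client key {normalize_peer(seen)})" if seen else ""))
```

probe_dual_stack(False) mirrors the failing "BindAddress ipv6:::, 0.0.0.0" start with bindv6only=0, probe_dual_stack(True) the working one after `echo 1 > /proc/sys/net/ipv6/bindv6only`; a client list that only knows 192.87.30.32 needs the normalize_peer() step (or a Client clause for the mapped form) when the IPv6 socket is the one receiving IPv4 traffic.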

Re: [RADIATOR] radiator exists on ClientSQL timeout

2011-06-15 Thread Alexander Hartmaier
Hi Heikki,
can you please give me an update on that issue?!
We still have to restart radiator approximately once a day because it
either hangs or crashes.

Best regards, Alex

On 2011-05-31 11:38, Hartmaier Alexander wrote:
> Since running with the foreground option radiator doesn't die any more
> and the log only contains lines like those:
> Mon May 30 17:38:14 2011: ERR: Execute failed for 'SELECT device.ipaddr,
> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
> device.fk_collector = 5': SQL Timeout
> Mon May 30 19:40:14 2011: ERR: Execute failed for 'SELECT device.ipaddr,
> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
> device.fk_collector = 5': SQL Timeout
> Mon May 30 21:42:16 2011: ERR: Execute failed for 'SELECT device.ipaddr,
> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
> device.fk_collector = 5': SQL Timeout
> Mon May 30 23:44:18 2011: ERR: Execute failed for 'SELECT device.ipaddr,
> 'statickey', NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> NULL, NULL, device.hostid, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
> 'OSC-Group-Identifier=' || tblhost.hsup FROM device JOIN
> core.tblhost@PCMSAT01 ON (device.hostid = tblhost.hostid) WHERE
> device.fk_collector = 5': SQL Timeout
>
> Note that although the refresh interval is configured for 3600 which is
> one hour, it only seems to try every two hours.
>
> Am 2011-05-30 14:02, schrieb Heikki Vatiainen:
>> On 05/25/2011 07:09 PM, Alexander Hartmaier wrote:
>>
>>> no, this is only acting as tacacs+ server without any db logging.
>> Thanks for confirming this.
>>
>>> # refresh the client list every hour
>>> RefreshPeriod 3600
>>>
>>> The intermediate firewalls will close the connection because the tcp
>>> connection is inactive for about an hour.
>>> Can we enable tcp keepalives or add a check to radiator which detects
>>> broken connections?
>> It already does check for broken connections. Just before it prints
>> "Adding Clients from SQL database" it does reconnect when needed.
>>
>> So it does a reconnect that succeeds, tries to execute the select for
>> getting the client list and then hits "Execute failed". Now I would be
>> interested in seeing what else it logs before it dies or hangs completely.
>>
>> Can you pass me the logs? I would especially be interested in seeing if
>> it is able to log "Automatic ClientListSQL refresh failed, keeping old list"
>>
>>> DBIx::Connector was created from DBIx::Class code and would be the ideal
>>> solution for this problem.
>>> You could include the newest version with every Radiator release if the
>>> license (same as Perl) allows it.
>> I can ask about this, but currently disconnects and reconnects should be
>> handled already.
>>
>> But if you could provide the logs that show how far Radiator gets after
>> "Adding Clients from SQL database" that would be very useful.
>>
>> Thanks!
>>


[RADIATOR] Multiple user groups for tacacs authorization possible

2011-07-07 Thread Alexander Hartmaier
Hi,
we have the need to map users with membership in multiple groups into
tacacs groups to decide if the user is allowed to login (authentication)
and what the user is allowed to do (authorization).
We solved the authentication by multiple authby ldap2's  for the
different ldap groups in an authby group.
The first matched group populates the OSC-Group-Identifier attribute
which is used for the GroupMemberAttr.
Because some users are in multiple groups we're looking for a way to add
all of them to the GroupMemberAttr, is this possible?

--
Cheers, Alex



Re: [RADIATOR] Multiple user groups for tacacs authorization possible

2011-07-11 Thread Alexander Hartmaier
Hi Heikki and Mike,

@Mike: that sounds like what I'm currently doing and what I also wrote
to the list some month ago.
@Heikki: yes, I've also thought about that. A first match logic would be
the easiest to implement, like a firewall ruleset. So if the user is
member of two groups and there is no AuthorizeGroup statement for the
first group, the next is tried. That will at least make it possible to simply map
ldap groups to AuthorizeGroups even if not all of them are used.

How would one implement AuthorizeGroups per device groups?
We have multiple teams each mainly responsible for a group of devices
e.g. the switching team accessing switches. They should have admin
rights, some of the other teams limited access.
I already get the support group from a db using ClientListSQL and put it
into the OSC-Group-Identifier attribute.

Cheers, Alex

On 2011-07-09 01:02, Mike McCauley wrote:
> Hi Heikki,
>
> I did something similar to this at NBNCo (you have the configs I think).
> In that one we used the LDAP to get the groups the user is a member of, and
> used the device group the request came from to do a lookup in SQL. From
> there we get AuthorizeGroupAttr rules.
>
> Cheers.
>
> On Friday 08 July 2011 09:51:08 pm Heikki Vatiainen wrote:
>> On 07/07/2011 01:26 PM, Alexander Hartmaier wrote:
>>> we have the need to map users with membership in multiple groups into
>>> tacacs groups to decide if the user is allowed to login (authentication)
>>> and what the user is allowed to do (authorization).
>>> We solved the authentication by multiple authby ldap2's  for the
>>> different ldap groups in an authby group.
>>> The first matched group populates the OSC-Group-Identifier attribute
>>> which is used for the GroupMemberAttr.
>>> Because some users are in multiple groups we're looking for a way to add
>>> all of them to the GroupMemberAttr, is this possible?
>> This does not sound possible. Please see this example. Is this what you
>> are looking for?
>>
>> 
>>GroupMemberAttr OSC-Group-Identifier
>>AuthorizeGroup group1 ...
>># more rules for group1
>>AuthorizeGroup group2 ...
>># more rules for group2
>>
>> And the Access-Reply messages would look like these
>>
>> User a:
>>OSC-Group-Identifier = group1
>> User b:
>>OSC-Group-Identifier = group2
>> User c:
>>OSC-Group-Identifier = group1
>>OSC-Group-Identifier = group2
>>
>> The user c would be allowed (group1 + group2).
>>
>> The above is not currently possible since Radiator currently only picks
>> up one attribute and uses its value. The second will not be used.
>>
>> Also, there's the question if both group1 and group2 contain permit and
>> deny rules how they would relate to each other.
>>
>> If the above is not what you are after, please tell us more.
>>
>> Thanks!
>
>

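An added example for the two messages above (the question of 2011-07-07 and the reply of 2011-07-11): the first-match evaluation Alexander sketches, written out in Python so the semantics can be tried against a constructed policy. This is not Radiator code and the rule lines are not Radiator's AuthorizeGroup syntax, only a simplified stand-in; the group names, commands and rules are made up for the example.

```python
"""First-match authorization over several group memberships.

Added example, not Radiator code: it models the policy Alexander describes
(a user in several LDAP groups is checked against each group's rules in
order; the first matching rule wins; a group without rules is skipped) and
makes Heikki's permit/deny conflict question concrete.  The rule syntax is
a simplified stand-in for Radiator's AuthorizeGroup lines, not the real one.
"""
import fnmatch
import shlex
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Rule:
    action: str          # "permit" or "deny"
    service: str         # glob over the TACACS+ service, e.g. "shell"
    cmd: str             # glob over the command word, e.g. "show" or "*"
    args: str            # glob over the space-joined command arguments
    reply: dict = field(default_factory=dict)  # attributes returned on permit


def parse_rule(line):
    """Parse 'permit service=shell cmd=show args=run* {priv-lvl=15}'."""
    reply = {}
    body, brace, tail = line.partition("{")
    if brace:
        for kv in tail.rstrip().rstrip("}").split():
            k, _, v = kv.partition("=")
            reply[k] = v
    parts = shlex.split(body)
    if not parts or parts[0] not in ("permit", "deny"):
        raise ValueError("rule must start with permit or deny: %r" % line)
    fields = {}
    for part in parts[1:]:
        k, sep, v = part.partition("=")
        if not sep:
            raise ValueError("expected key=value, got %r in %r" % (part, line))
        fields[k] = v
    return Rule(parts[0], fields.get("service", "*"), fields.get("cmd", "*"),
                fields.get("args", "*"), reply)


def authorize(groups, policy, service, cmd, args=()):
    """Return (decision, group that decided, reply attributes).

    groups: the user's group names in the order they should be consulted.
    policy: {group: [Rule, ...]} built from the AuthorizeGroup-style lines.
    No matching rule in any group means an implicit deny.
    """
    joined = " ".join(args)
    for group in groups:
        for rule in policy.get(group, ()):      # unmapped group: try the next one
            if (fnmatch.fnmatchcase(service, rule.service)
                    and fnmatch.fnmatchcase(cmd, rule.cmd)
                    and fnmatch.fnmatchcase(joined, rule.args)):
                if rule.action == "permit":
                    return "permit", group, dict(rule.reply)
                return "deny", group, {}
    return "deny", None, {}


# Constructed policy: two teams, the way OSC-Group-Identifier values would map
POLICY = {
    "switching": [parse_rule("permit service=shell cmd=* {priv-lvl=15}")],
    "readonly": [
        parse_rule("deny service=shell cmd=configure"),
        parse_rule("permit service=shell cmd=show {priv-lvl=1}"),
    ],
}

if __name__ == "__main__":
    for groups, cmd, args in [(["switching"], "configure", ["terminal"]),
                              (["readonly"], "show", ["running-config"]),
                              (["unmapped", "readonly"], "show", []),
                              (["readonly", "switching"], "configure", ["terminal"]),
                              (["switching", "readonly"], "configure", ["terminal"])]:
        print(groups, cmd, "->", authorize(groups, POLICY, "shell", cmd, args))
```

The last two cases are the conflict Heikki raises: with readonly listed before switching the explicit deny wins, with the order reversed the permit wins. Whatever produces the group list (the LDAP search order, a fixed priority table) is therefore part of the policy and should be chosen deliberately; unmapped groups fall through, and a user who matches no rule in any group is denied.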


Re: [RADIATOR] CRL reload error

2011-08-02 Thread Alexander Hartmaier
Hi guys,
what's the status of crl reloading?
I've installed openssl 1.0.0 from Debian testing on a Debian stable
server but it still fails with
ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem':
error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already
in hash table

Cheers, Alex



Re: [RADIATOR] CRL reload error

2011-08-08 Thread Alexander Hartmaier
So a reload after every crl download is still the only solution?
Adding the crl download and refresh functionality to Radiator would be a
welcome addition!

Cheers, Alex

On 2011-08-08 09:41, Heikki Vatiainen wrote:
> On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
>
> Hello Alexander,
>
>> what's the status of crl reloading?
> CRL reloading support depends on OpenSSL. As you have found out, it
> appears the support is not in version 1.0.0. A quick check of 1.0.0
> series change log did not show anything related to this, so I guess the
> wait is still on.
>
>> I've installed openssl 1.0.0 from Debian testing on a Debian stable
>> server but it still fails with
>> ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem':
>> error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already
>> in hash table



Re: [RADIATOR] CRL reload error

2011-08-09 Thread Alexander Hartmaier
On 2011-08-09 10:35, Heikki Vatiainen wrote:
> On 08/08/2011 05:59 PM, Alexander Hartmaier wrote:
>> So a reload after every crl download is still the only solution?
> Unfortunately this seems to be currently the only solution.
>
>> Adding the crl download and refresh functionality to Radiator would be a
>> welcome addition!
> I agree this would be very useful. Then again implementing it in
> Radiator separately from OpenSSL would mean creating a lot of code that
> would have a short lifetime becoming obsolete once OpenSSL starts to
> fully support the functionality. The problem of course is it's not known
> how soon or late this happens.

I was referring to the feature to specify a url and let radiator handle
downloading of the crl instead of having to write a cronjob manually.
Having a config option that also reloads radiator instead of waiting
another five years for openssl to fix the issue would be welcome too.
I wonder why nobody stepped up to fix openssl a long time ago because
every product depending on it is affected.

> Thanks,
> Heikki
>
>> Cheers, Alex
>>
>> On 2011-08-08 09:41, Heikki Vatiainen wrote:
>>> On 08/02/2011 01:59 PM, Alexander Hartmaier wrote:
>>>
>>> Hello Alexander,
>>>
>>>> what's the status of crl reloading?
>>> CRL reloading support depends on OpenSSL. As you have found out, it
>>> appears the support is not in version 1.0.0. A quick check of 1.0.0
>>> series change log did not show anything related to this, so I guess the
>>> wait is still on.
>>>
>>>> I've installed openssl 1.0.0 from Debian testing on a Debian stable
>>>> server but it still fails with
>>>> ERR: Failed to add CRL file '/etc/radiator/certificates/foo.crl.pem':
>>>> error:0B07D065:x509 certificate routines:X509_STORE_add_crl:cert already
>>>> in hash table

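The cron job discussed in this thread, as an added example (it is not Radiator code and not a Radiator feature): download the CRL, install it only when it actually changed, and only then make Radiator reload. Two things in it are assumptions: that the Radiator in question rereads its configuration, CRL included, on SIGHUP (the reference manual for your version says what radiusd does on that signal), and the URL, file paths and pid file, which are placeholders. The validation step matters because a 404 page or a truncated download that replaced the working CRL would make Radiator fail to load it at the next reload.

```python
"""Fetch a CRL, install it only if it changed, then make Radiator reload it.

Added example, not Radiator code: the cron job described on the list, written
so that a failed or bogus download never replaces the working CRL and Radiator
is only restarted when the CRL really changed (a restart drops in-flight EAP
sessions, so doing it on every run is not free).  Assumption: radiusd rereads
its configuration, CRL included, on SIGHUP; URL, paths and pid file below are
placeholders.
"""
import hashlib
import os
import signal
import tempfile
import urllib.request

PEM_BEGIN = b"-----BEGIN X509 CRL-----"
PEM_END = b"-----END X509 CRL-----"


def looks_like_pem_crl(data):
    """Cheap structural check so a 404 page or a truncated download is rejected.
    OpenSSL verifies the CRL signature against the CA when Radiator loads it;
    run 'openssl crl -verify -CAfile ca.pem -in FILE -noout' here if you want
    that check before installing."""
    return data.startswith(PEM_BEGIN) and data.rstrip().endswith(PEM_END)


def fingerprint(data):
    return hashlib.sha256(data).hexdigest()


def install_if_changed(data, crl_path, state_path):
    """Atomically replace crl_path with data if its SHA-256 differs from the one
    recorded in state_path.  Returns True when a new CRL was installed."""
    if not looks_like_pem_crl(data):
        raise ValueError("download is not a PEM CRL; keeping the current file")
    new_fp = fingerprint(data)
    try:
        with open(state_path) as f:
            old_fp = f.read().strip()
    except FileNotFoundError:
        old_fp = None
    if old_fp == new_fp:
        return False
    # Write next to the target and rename: Radiator never sees a half-written file
    directory = os.path.dirname(os.path.abspath(crl_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-")
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(tmp, 0o644)          # a CRL is public; radiusd must be able to read it
    os.replace(tmp, crl_path)
    with open(state_path, "w") as f:
        f.write(new_fp + "\n")
    return True


def fetch(url, timeout=30.0):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def reload_radiator(pid_file, kill=os.kill):
    """SIGHUP the radiusd named in pid_file; returns the pid signalled."""
    with open(pid_file) as f:
        pid = int(f.read().strip())
    kill(pid, signal.SIGHUP)
    return pid


def refresh(url, crl_path, state_path, pid_file, fetch=fetch, kill=os.kill):
    """One cron run: download, install if changed, reload only in that case."""
    data = fetch(url)
    if not install_if_changed(data, crl_path, state_path):
        return False
    reload_radiator(pid_file, kill=kill)
    return True


if __name__ == "__main__":
    # Placeholder URL and paths (assumptions for this example)
    changed = refresh("http://ca.example.net/foo.crl.pem",
                      "/etc/radiator/certificates/foo.crl.pem",
                      "/var/lib/radiator/foo.crl.pem.sha256",
                      "/var/run/radiusd.pid")
    print("CRL updated and Radiator reloaded" if changed else "CRL unchanged")
```

Fetching over plain HTTP is normal for CRL distribution points because the CRL is signed; what the hash comparison does not catch is an attacker serving an older, still validly signed CRL. Comparing the CRL Number extension instead of the file hash closes that, but needs an ASN.1 parser (the cryptography package, or openssl crl -text) and is left out here.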


Re: [RADIATOR] 802.1x authentication questions

2011-09-13 Thread Alexander Hartmaier
I found out what is required to make 802.1x work with WPA2-Enterprise + AES:
the AuthBy of the outer handler needs AutoMPPEKeys configured so that
the Cisco WLC generates the PMK and starts the 4-way PTK handshake.

This graph shows the complete flow:
http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png

Please add this info to the reference manual AutoMPPEKeys section and
extend the goodies/eap_peap_tls.cfg description of the config option!

Best regards, Alex

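An added example, not Radiator code, for why AutoMPPEKeys is what makes the WLC start the 4-way handshake: the PMK reaches the controller as the MS-MPPE-Recv-Key attribute of the Access-Accept. EAP-TLS and PEAP export a 64-byte MSK from the TLS session; its first half becomes MS-MPPE-Recv-Key (the PMK) and its second half MS-MPPE-Send-Key, each wrapped with the RADIUS shared secret and the Request Authenticator as specified in RFC 2548. The code below implements that wrapping and unwrapping; the MSK, secret and Request Authenticator values are constructed inputs, not derived from a real TLS session.

```python
"""MS-MPPE key attributes: how the PMK reaches the WLC in the Access-Accept.

Added example, not Radiator code.  With AutoMPPEKeys Radiator puts the first
half of the 64-byte EAP-TLS/PEAP MSK into MS-MPPE-Recv-Key (the PMK the WLC
feeds into the 4-way handshake) and the second half into MS-MPPE-Send-Key,
each wrapped as in RFC 2548 with the RADIUS shared secret and the Request
Authenticator.  The wrap/unwrap below is that RFC 2548 algorithm; the MSK
used in __main__ is constructed test input.
"""
import hashlib
import os


def mppe_key_wrap(key, secret, request_authenticator, salt=None):
    """RFC 2548 section 2.4.2: salt (2 bytes, high bit set) + MD5-stream XOR of
    (length byte + key + zero padding to a 16-byte multiple)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if len(key) > 255:
        raise ValueError("key too long for the one-byte length field")
    if salt is None:
        r = os.urandom(2)
        salt = bytes([r[0] | 0x80, r[1]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = bytearray()
    prev = request_authenticator + salt       # b(1) = MD5(S + R + A)
    for i in range(0, len(plain), 16):
        block = hashlib.md5(secret + prev).digest()
        c = bytes(x ^ y for x, y in zip(plain[i:i + 16], block))
        out += c
        prev = c                              # b(i) = MD5(S + c(i-1))
    return salt + bytes(out)


def mppe_key_unwrap(attr_value, secret, request_authenticator):
    """Inverse of mppe_key_wrap; this is what the NAS/WLC does with the secret."""
    salt, cipher = attr_value[:2], attr_value[2:]
    if len(salt) != 2 or len(cipher) % 16 or not cipher:
        raise ValueError("malformed MS-MPPE key attribute")
    plain = bytearray()
    prev = request_authenticator + salt
    for i in range(0, len(cipher), 16):
        block = hashlib.md5(secret + prev).digest()
        plain += bytes(x ^ y for x, y in zip(cipher[i:i + 16], block))
        prev = cipher[i:i + 16]
    n = plain[0]
    if n == 0 or n > len(plain) - 1:
        raise ValueError("bad key length after unwrap: wrong shared secret?")
    return bytes(plain[1:1 + n])


def msk_to_mppe_keys(msk):
    """MSK[0:32] -> MS-MPPE-Recv-Key (the PMK), MSK[32:64] -> MS-MPPE-Send-Key."""
    if len(msk) < 64:
        raise ValueError("EAP-TLS/PEAP export a 64-byte MSK")
    return msk[:32], msk[32:64]


def access_accept_mppe_attrs(msk, secret, request_authenticator):
    """Wrapped attribute values as they would appear in the Access-Accept."""
    recv_key, send_key = msk_to_mppe_keys(msk)
    return {
        "MS-MPPE-Recv-Key": mppe_key_wrap(recv_key, secret, request_authenticator),
        "MS-MPPE-Send-Key": mppe_key_wrap(send_key, secret, request_authenticator),
    }


def pmk_from_access_accept(attrs, secret, request_authenticator):
    """What the WLC ends up with as PMK: the unwrapped MS-MPPE-Recv-Key."""
    return mppe_key_unwrap(attrs["MS-MPPE-Recv-Key"], secret, request_authenticator)


if __name__ == "__main__":
    msk = bytes(range(64))                    # constructed, stands in for the TLS-derived MSK
    secret = b"shared-secret-between-wlc-and-radiator"
    req_auth = os.urandom(16)                 # Request Authenticator of the last Access-Request
    attrs = access_accept_mppe_attrs(msk, secret, req_auth)
    assert pmk_from_access_accept(attrs, secret, req_auth) == msk[:32]
    print("PMK recovered by the WLC:", pmk_from_access_accept(attrs, secret, req_auth).hex())
```

The wrapping is an MD5 keystream seeded with the shared secret, so anyone who holds the secret and can see the RADIUS traffic between the WLC and Radiator recovers the PMK of every session. That is the reason to use a strong, per-NAS secret and, where the path is not trusted, RADIUS over TLS rather than plain UDP.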


Re: [RADIATOR] 802.1x authentication questions

2011-09-14 Thread Alexander Hartmaier
Hi Heikki,

On 2011-09-14 08:54, Heikki Vatiainen wrote:
> On 09/13/2011 03:38 PM, Alexander Hartmaier wrote:
>> I found out what is required to make 802.1x work with WPA2-Enterprise + AES:
>> the AuthBy of the outer handler needs AutoMPPEKeys configured so that
>> the Cisco WLC generates the PMK and starts the 4-way PTK handshake.
>>
>> This graph shows the complete flow:
>> http://kimiushida.com/bitsandpieces/articles/flow_diagram_wpa-enterprise/flow_wpa_enterprise.png
> Looks good. With e.g., PEAP there's also the possibility for a "fast
> reconnect" where the first full TLS negotiation is reused. This reduces
> the number of exchanged packets and processing time. I thought I'd add
> this so that in case you need to check logs you may notice not every
> authentication does the equal request exchange.
>
>> Please add this info the the reference manual AutoMPPEKeys section and
>> extend the the goodies/eap_peap_tls.cfg description of the config option!
> Hmm, true, looks like the description for AutoMPPEKeys describes the
> situation that was when dynamic WEP keys and such were in use. I'll make
> a note about upgrading the description. The option is these days
> required when you want to use EAP-PEAP, -TTLS, -TLS and such.
>
> Going back to original thread on June, did you get the guest access with
> PEAP working?
>
> At that time I thought there will be a problem with server failing to
> prove to the client it knows the client's credentials. This is needed
> with MS-CHAP-V2 and normally causes PEAP failure.
No, I haven't invested any more time into this.
Note that this was for the wired dot1x, now I was doing the same thing
for wireless.
We do PEAP-TLS for both and any Windows client we've tested (XP and 7)
doesn't try to get an ip address by dhcp when the EAP auth fails (which
is the case for guests that have PEAP-TLS for another CA configured or
PEAP-MS-CHAP-V2).
For those cases you would have to always send an EAP success message to
the client but a different reply to the switch on the radius level.
Can you force an EAP success?

>
> Thanks!
>



Re: [RADIATOR] Memory leak with Radiator?

2011-09-30 Thread Alexander Hartmaier
Note that Perl never frees memory back to the OS once it has allocated
it although it might be unused internally.

On 2011-09-30 14:41, Michael wrote:
> I noticed an increase of memory usage over time as well on radiusd. Quite a 
> long time though, but an increase non-the-less. 10% right now for example. 
> When I stop/start the service, it drops and remains at about 0.5% again.  I 
> have 4 identically synced config servers, where 2 are constantly used, and 2 
> are not (backups). The 2 constantly used are the ones that have the increase 
> of memory. The increase of memory is noticeable, but radiator does continue 
> to work very well.  Since this doesn't cause issues, it's not really 
> important to me at this time, but i just thought i would mention it.
>
> Using MySQL for user authentication data, and auth/accounting logs.
>
> The one thing i would think could cause this is the session db, which i do 
> not use.  I have:
> 
>   Identifier NULL
> 
> And then reference it by "SessionDatabase NULL" in all my Handler's.
>
> My config is quite long as I handle several different services, and multiple 
> ways of authenticating so I can't paste my config here.
>
>
>
> On 11-09-30 06:44 AM, Heikki Vatiainen wrote:
>> On 09/30/2011 10:35 AM, Elias wrote:
>>
>> Hello Elias,
>>
>>> We're running RADIATOR with Farms and have noticed that the RADIATOR
>>> processes eat up huge chunks of memory. Has anybody else experienced this?
>> Memory leaks are very rare but certainly possible. Can you reply with
>> your configuration (no secrets or passwords needed).
>>
>> The growing heap size hints this is a problem with dynamically allocated
>> memory. Seeing the configuration, the possible hooks and learning more
>> about what kind of traffic Radiator handles, would help diagnosing the
>> problem.
>>
>> The pmap output also indicates you are using DBD::Oracle. You may want to
>>
>> check http://search.cpan.org/~pythian/DBD-Oracle-1.30/
>>
>> and see if the memory leaks listed in the change log are relevant to
>> your configuration.
>>
>> Thanks!
>> Heikki
>>
>>
>>> last pid: 27248;  load avg:  3.88,  3.97,  3.98;   up
>>> 196+02:04:57
>>> 15:09:23
>>> 51 processes: 45 sleeping, 1 zombie, 5 on cpu
>>> CPU states: 73.9% idle, 24.1% user,  2.0% kernel,  0.0% iowait,  0.0% swap
>>> Memory: 8184M phys mem, 128M free mem, 10G swap, 4851M free swap
>>>
>>>  PID USERNAME LWP PRI NICE  SIZE   RES STATETIMECPU COMMAND
>>>16445 root   1  100 2410M *1393M* sleep  308.1H 84.69% radiusd
>>>16447 root   1  100 2410M *1281M* cpu307.4H 81.52% radiusd
>>>16443 root   1  100 2414M *1312M* cpu308.4H 80.92% radiusd
>>>16446 root   1  100 2398M *1236M* cpu306.9H 79.59% radiusd
>>>16444 root   1  100 2394M *1305M* cpu306.7H 75.31% radiusd
>>>
>>> The RADIUS services do not crash or anything, but its just that our low
>>> memory alert keeps on appearing every week or so. Restarting the
>>> RADIATOR daemon gets memory released again.
>>>
>>>
>>>
>>>
>>> root@radauth01 # pmap 16444
>>> 16444:  /usr/bin/perl /opt/radiator/radiusd -config_file
>>> /usr/local/etc/radius
>>> 0001 960K r-x--  /usr/local/bin/perl
>>> 0010E000  48K rwx--  /usr/local/bin/perl
>>> 0011A000  24K rwx--[ heap ]
>>> 00122944K rwx--[ heap ]
>>> *0040 2428928K rwx--[ heap ]*
>>> FDA01728K r-x--  /opt/oracle/lib32/libnnz10.so
>>> FDBB  56K r-x--  /opt/oracle/lib32/libnnz10.so
>>> FDBCC000  16K rwx--  /opt/oracle/lib32/libnnz10.so
>>> FDBD 128K rwx--  dev:32,13 ino:1539
>>> FDBF   8K rwx--  /opt/oracle/lib32/libnnz10.so
>>> FDC0   12288K r-x--  /opt/oracle/lib32/libclntsh.so.10.1
>>> FE802752K r-x--  dev:32,13 ino:1627
>>> FEAB  56K r-x--  /opt/oracle/lib32/libclntsh.so.10.1
>>> FEACC000  16K rwx--  /opt/oracle/lib32/libclntsh.so.10.1
>>> FEAD 448K rwx--  dev:32,13 ino:1627
>>> FEB4  16K rwx--  dev:32,13 ino:1627
>>> FEB44000  56K rwx--  /opt/oracle/lib32/libclntsh.so.10.1
>>> FEBF   8K rwx--[ anon ]
>>> FEC0  40K r-x--  /usr/local/lib/libgcc_s.so.1
>>> FEC18000   8K rwx--  /usr/local/lib/libgcc_s.so.1
>>> FEC2  48K r-x--  /usr/lib/libz.so.1
>>> FEC3A000  16K rwx--  /usr/lib/libz.so.1
>>> FEC5 192K r-x--  /usr/local/lib/mysql/libmysqlclient.so.14.0.0
>>> FEC8  32K r-x--  /usr/local/lib/mysql/libmysqlclient.so.14.0.0
>>> FEC96000  40K rwx--  /usr/local/lib/mysql/libmysqlclient.so.14.0.0
>>> FECA  64K rwx--  dev:32,11 ino:152615
>>> FECB  56K rwx--  /usr/local/lib/mysql/libmysqlclient.so.14.0.0
>>> FECD  64K r-x--
>>> /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/mysql/mysql.so
>>> FECE  32K r-x--
>>> /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/mysql/mysql.so
>>> FECF6000  24K rwx--
>>> /usr/local/lib/perl5/site_perl/5.8.7/sun4-solaris/auto/DBD/m

Re: [RADIATOR] EAPTLS_MaxFragmentSize settings

2011-10-11 Thread Alexander Hartmaier

I've tried a lot of different values and looked at the radius packets coming 
from our switches (for wired dot1x):
peap 1350, inner tls 1300
peap 1400, inner tls 1360
peap 1412, inner tls 1350

In the end I've used 1350/1300 because increasing it any further towards the 
limit didn't lower the number of packets so I preferred to have a little bit of 
safety margin left.

The EAP packet that is encapsulated inside one of the radius key/value pairs + 
all other radius attributes doesn't exceed one ethernet frame because EAP 
doesn't support fragmentation.
Depending on the number of other radius attributes your switches or wlan 
controllers send to the radius servers you can increase the EAP payload.
Decreasing the number of packets reduces the authentication time and lowers the 
load on both the radius client (switch, wlan controller) and radius server.

@Open guys: can you please add something like my description to the docs?

On 2011-10-11 13:16, Alex Sharaz wrote:
Hi,

For a long time I've had

=
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize.
   EAPTLS_MaxFragmentSize 1000

==

Set up in my Radiator radius.cfg file simply because it was there in the sample 
radius.cfg file I initially used. I'm now wondering if perhaps this is a bit 
small.

What are other people doing?
Is anyone explicitly setting this up or are people leaving it to the default 
value

Rgds
Alex




Time for another Macmillan Cancer Support event. This time its the 12 day 
Escape to Africa challenge
View route at 
http://maps.google.co.uk/maps/ms?ie=UTF8&hl=en&msa=0&msid=203779866436035016780.00049e867720273b73c39&z=8
Please sponsor me at http://www.justgiving.com/Alex-Sharaz

--
Cheers, Alex

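The arithmetic behind the values in the message above, as an added example (not Radiator code). EAPTLS_MaxFragmentSize bounds the TLS data Radiator puts into one EAP packet; that packet is carried in consecutive EAP-Message attributes of at most 253 bytes each, together with Message-Authenticator and State, inside one Access-Challenge, and the whole datagram has to stay under the path MTU or it gets fragmented at the IP layer (the supplicant's own fragment size for the other direction is set on the client, not here). The fixed header sizes are from the RADIUS and EAP-TLS specifications; the State attribute length is an assumption and should be taken from a real packet dump, as should any extra attributes your NAS adds.

```python
"""On-the-wire arithmetic behind EAPTLS_MaxFragmentSize.

Added example, not Radiator code.  It computes the size of the RADIUS
Access-Challenge that carries one TLS fragment, the largest fragment that
keeps that challenge inside one Ethernet frame, and the number of round
trips a TLS flight (e.g. the server certificate chain) needs.  Overheads
are the fixed RADIUS/EAP header sizes; the State attribute length is an
assumption (STATE_LEN) and should be read from a real packet dump.
"""
ETH_MTU = 1500          # Ethernet payload; also the usual IP MTU on the path
IP_UDP_HDR = 20 + 8     # IPv4 + UDP (use 40 + 8 for IPv6)
RADIUS_HDR = 20         # code, identifier, length, authenticator
ATTR_HDR = 2            # type, length
ATTR_MAX = 253          # largest value one RADIUS attribute can carry
MSG_AUTH_LEN = 18       # Message-Authenticator, mandatory alongside EAP-Message
EAP_HDR = 4             # code, identifier, length
EAPTLS_HDR = 2          # EAP type + EAP-TLS/PEAP flags
EAPTLS_LEN = 4          # TLS message length, present when the L flag is set
STATE_LEN = 16          # assumed value length of the State attribute


def ceil_div(a, b):
    return -(-a // b)


def eap_packet_len(fragment, with_length=True):
    """Bytes of the EAP packet carrying one TLS fragment (worst case: L flag set)."""
    return EAP_HDR + EAPTLS_HDR + (EAPTLS_LEN if with_length else 0) + fragment


def eap_message_bytes(eap_len):
    """The EAP packet is split over consecutive EAP-Message attributes of <= 253 bytes."""
    return eap_len + ceil_div(eap_len, ATTR_MAX) * ATTR_HDR


def challenge_datagram_len(fragment, other_attr_bytes=0, state_len=STATE_LEN):
    """Size of the IP datagram for an Access-Challenge carrying one TLS fragment."""
    radius = (RADIUS_HDR
              + eap_message_bytes(eap_packet_len(fragment))
              + MSG_AUTH_LEN
              + ATTR_HDR + state_len
              + other_attr_bytes)
    return IP_UDP_HDR + radius


def fits_in_frame(fragment, mtu=ETH_MTU, **kw):
    return challenge_datagram_len(fragment, **kw) <= mtu


def max_fragment_for_mtu(mtu=ETH_MTU, **kw):
    """Largest EAPTLS_MaxFragmentSize whose challenge avoids IP fragmentation."""
    best = 0
    for fragment in range(1, 4096):
        if challenge_datagram_len(fragment, **kw) > mtu:
            break
        best = fragment
    return best


def round_trips(tls_flight_bytes, fragment):
    """Access-Challenge/Access-Request pairs needed to deliver one TLS flight."""
    return ceil_div(tls_flight_bytes, fragment)


def inner_fragment_for(outer_fragment, record_overhead=5 + 16 + 20 + 16,
                       inner_hdr=EAP_HDR + EAPTLS_HDR + EAPTLS_LEN):
    """Largest inner (PEAP-tunnelled EAP-TLS) fragment whose encrypted TLS record
    still fits inside one outer PEAP fragment.  Assumes a TLS 1.1 CBC record:
    5-byte header, 16-byte IV, 20-byte SHA-1 MAC, up to 16 bytes of padding."""
    return outer_fragment - record_overhead - inner_hdr


if __name__ == "__main__":
    for f in (1000, 1350, 1394, 1412):
        print(f, challenge_datagram_len(f), fits_in_frame(f), round_trips(3000, f))
    print("max fragment for 1500 MTU:", max_fragment_for_mtu())
    print("inner fragment for outer 1350:", inner_fragment_for(1350))
```

With these assumptions a 1350-byte fragment gives a 1456-byte datagram and 1394 is the largest value that still fits a 1500-byte MTU, while 1412 already pushes the challenge over it. round_trips() also shows why the observation above holds: a 4000-byte certificate chain takes four exchanges at 1000 and three at 1350, but 1412 does not reduce it further, so the smaller value with margin costs nothing.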

Re: [RADIATOR] EAPTLS_MaxFragmentSize settings

2011-10-12 Thread Alexander Hartmaier
Thanks Mike!

On 2011-10-11 23:23, Mike McCauley wrote:
> Hello Alex,
>
> On Tuesday 11 October 2011 09:35:08 pm Alexander Hartmaier wrote:
>> I've tried a lot of different values and looked at the radius packets
>> coming from our switches (for wired dot1x): peap 1350, inner tls 1300
>> peap 1400, inner tls 1360
>> peap 1412, inner tls 1350
>>
>> In the end I've used 1350/1300 because increasing it any further towards
>> the limit didn't lower the number of packets so I preferred to have a
>> little bit of safety margin left.
>>
>> The EAP packet that is encapsulated inside one of the radius key/value
>> pairs + all other radius attributes doesn't exceed one ethernet frame
>> because EAP doesn't support fragmentation. Depending on the number of other
>> radius attributes your switches or wlan controllers send to the radius
>> servers you can increase the EAP payload. Decreasing the number of packets
>> reduces the authentication time and lowers to load on both the radius
>> client (switch, wlan controller) and radius server.
>>
>> @Open guys: can you please add something like my description to the docs?
> Done for the next release.
>
> Cheers.
>
>> On 2011-10-11 13:16, Alex Sharaz wrote:
>> Hi,
>>
>> For a long time I've had
>>
>> =
>> # EAPTLS_MaxFragmentSize sets the maximum TLS fragemt
>> # size that will be replied by Radiator. It must be small
>> # enough to fit in a single Radius request (ie less than 4096)
>> # and still leave enough space for other attributes
>> # Aironet APs seem to need a smaller MaxFragmentSize izes.
>>  EAPTLS_MaxFragmentSize 1000
>>
>> ==
>>
>> Set up in my Radiator radius.cfg file simply because it was there in the
>> sample radius.cfg file I initially used. I'm now wondering if perhaps this
>> is a bit small.
>>
>> What are other people doing?
>> Is anyone explicitly setting this up or are people leaving it to the
>> default value
>>
>> Rgds
>> Alex
>>
>>
>>
>>


Re: [RADIATOR] multiple hosts

2011-11-24 Thread Alexander Hartmaier

Synchronous will block the Radiator process until a reply is received or the 
configured timeout is exceeded.
During this time Radiator won't handle any other requests and will be marked as 
unreachable by the radius clients if their timeout*retry is lower than the 
combined timeout*retry of the AuthBy RADIUS clauses.

I strongly recommend to *NOT* use Synchronous, *EVER*.

Best regards, Alexander Hartmaier

On 2011-11-23 02:21, Martin Burton wrote:

Oops, forgot one important keyword in there.  You need to put the
Synchronous flag in the AuthBy RADIUS clause for host1.  If you don't
then Radiator will move onto the next AuthBy without waiting for a reply.



Secret 

Synchronous



Check the info in the Radiator manual about the implications of using
Synchronous though.

Cheers,

Martin.

On 23/11/2011 01:10, Martin Burton wrote:


You could probably achieve what you need using an AuthByPolicy, like:


   RewriteUsername s/^([^@]+).*/$1/
   AuthByPolicy ContinueWhileReject
   
   
   Secret 
   
   
   
   
   Secret x
   
   
   # Log accounting to the detail file in LogDir
   AcctLogFileName %L/detail


HTH.


On 23/11/2011 00:01, Judy Angel wrote:



Radius V4.2.
I am looking to authenticate on two servers. If the userid is not available
in host1 try host2. The config below works fine on host1 but if the return
fails as the userid does not exist it does not check for the userid in
host2. Should this be possible?



   RewriteUsername s/^([^@]+).*/$1/
   

   
   Secret 
   
   
   Secret x
   
   
 # Log accounting to the detail file in LogDir
   AcctLogFileName %L/detail


Thanks
Judy Angel
University of Hertfordshire














Re: [RADIATOR] multiple hosts

2011-11-25 Thread Alexander Hartmaier
I have one radiator that needs to ask two other radius servers one after 
another.
In the Handler i've configured the first radius server with an AuthBy 
RADIUS which includes a ReplyHook.

This is the hook script:

use strict;
use warnings;
use Data::Dumper;

# this hook copies the @proxied_attrs from the answer of the radius server
# to the request to the next radius server and dispatches another request
sub {
 my $p  = ${$_[0]};  # reply packet from remote radius server
 my $rp = ${$_[1]};  # reply packet to NAS
 my $op = ${$_[2]};  # original request packet
 my $sp = ${$_[3]};  # packet sent to remote radius server

 # Get the request code from the proxy reply.
 my $code = $p->code;
&main::log($main::LOG_DEBUG, "radius replied with $code");
 # default to reject
 $op->{RadiusResult} = $main::REJECT;

 # Only proxy if the current request was accepted
 if ($code eq 'Access-Accept') {
 # Set the correct reply code in the reply packet
 # or if the AuthBy is undefined set to Access-Reject.

 # Find the AuthBy clause with the same Identifier
 my $identifier = 'identifier-of-second-authby-radius';
 my $authby = Radius::AuthGeneric::find($identifier);
&main::log($main::LOG_DEBUG, "Found Handler with Identifier $identifier")
 if defined $authby;

 if (defined $authby) {
 # filter the attributes sent to the second radius server
 my @proxied_attrs = qw/
 Framed-IP-Address
 /;
 for my $attr (@proxied_attrs) {
 my $value = $p->get_attr($attr);
 $op->add_attr($attr, $value);
 }

&main::log($main::LOG_DEBUG, Dumper($rp->{Attributes}));

 # Call handle_request for this AuthBy HANDLER
 my ($rc, $reason) = $authby->handle_request($op, $rp);

 $op->{RadiusResult} = $main::IGNORE;
 }
 else {
&main::log($main::LOG_ERR, "No AuthBy with Identifier $identifier");
 $op->{RadiusResult} = $main::REJECT;
 }
 }
 # we don't need to forward the accounting response to the first 
radius server
 elsif ($code eq 'Accounting-Response') {
 }
 else {
&main::log($main::LOG_ERR, "radius server didn't accept the request");
 }
 return;
}

You configure the second radius server in your global radiator config 
with an AuthBy and give it the identifier used in the hook.
This AuthBy has a ReplyHook:

use strict;
use warnings;

# this is needed to respond to the original request from the radius client
sub {
    my $p  = ${$_[0]};  # proxy reply packet
    my $rp = ${$_[1]};  # reply packet to NAS
    my $op = ${$_[2]};  # original request packet
    my $sp = ${$_[3]};  # packet sent to proxy

    # Get the reply code from the proxy reply.
    my $code = $p->code;

    # Set the correct reply code in the reply packet
    if ($code eq 'Access-Accept') {
        $op->{RadiusResult} = $main::ACCEPT;
    }
    else {
        $op->{RadiusResult} = $main::REJECT;
    }
    return;
}

...and a NoReplyHook:

use strict;
use warnings;

sub {
    my $p  = ${$_[0]};  # original request packet from the NAS
    my $fp = ${$_[1]};  # packet that was forwarded to the second server
    my $rp = ${$_[2]};  # reply packet to NAS

    # no answer from the second server: send Access-Accept to the NAS
    # anyway, i.e. the second server is treated as non-critical
    $rp->set_code('Access-Accept');

    # reply to the Client that sent the request
    $p->{Client}->replyTo($p);
    return;
}

@list: please feel free to suggest improvements or simplification if 
possible!

Best regards, Alex

Am 2011-11-25 00:37, schrieb Judy Angel:
> Have you solved the multi hosts config in another way?
> Judy
>
> --On 24 November 2011 16:51 +0100 Alexander Hartmaier 
>  wrote:
>
>> Synchronous will block the Radiator process until a reply is received or
>> the configured timeout is exceeded. During this time Radiator won't
>> handle any other requests and will be marked as unreachable by the 
>> radius
>> clients if their timeout*retry is lower than the combined timeout*retry
>> of the AuthBy RADIUS clauses.
>>
>> I strongly recommend to *NOT* use Synchronous, *EVER*.
>>
>> Best regards, Alexander Hartmaier
>>
>> Am 2011-11-23 02:21, schrieb Martin Burton:
>>
>>
>> Oops, forgot one important keyword in there.  You need to put the
>> Synchronous flag in the AuthBy RADIUS clause for host1.  If you don't
>> then Radiator will move onto the next AuthBy without waiting for a 
>> reply.
>>
>> 
>> 
>>  Secret 
>> 
>>  Synchronous
>> 
>>
>>
>> Check the info in the Radiator manual about the implications of using
>> Synchronous though.
>>
>> Cheers,
>>
>> Martin.
>>
>> On 23/11/2011 01:10, M

Re: [RADIATOR] TACACS+ and CISCO ASA

2011-12-12 Thread Alexander Hartmaier

Yes, it's been working fine here for years. What problems are you encountering?

config:
AuthorizeGroup Admins  permit service=shell cmd\* {priv-lvl=15}

Best regards, Alex

Am 2011-12-12 17:34, schrieb Kim, Steve:
Has anyone tried Cisco ASA authentication with TACACS+?

I have TACACS+ working with Cisco routers and switches, but not on the ASA.
If anyone has this working, can you share what you did?

Thanks,
Steve.




___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidential and may be 
privileged.
If you are not the intended recipient, please notify the sender and then
delete this e-mail immediately.
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] TACACS+ and CISCO ASA

2011-12-12 Thread Alexander Hartmaier

Did you enable tacacs authentication and authorization on the ASA?

Am 2011-12-12 18:06, schrieb Kim, Steve:


Alex,

Thanks for the reply.

The issue I have is that the ASA prompts for another authentication.

I'm using the same config you listed, which works fine with routers and switches.

This is config that I'm using:

AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}

AuthorizeGroup netadmin permit .*

Is there anything that I need to do on ASA?

Thanks,

Steve.


Re: [RADIATOR] TACACS+ and CISCO ASA

2011-12-14 Thread Alexander Hartmaier

Our config is:

aaa-server tacacs protocol tacacs+
aaa-server tacacs (interface) host tacacs1.our.fqdn
key ***
aaa-server tacacs (interface) host tacacs2.our.fqdn
key ***

aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server

Did you enable trace level 5 in Radiator and check the logs?

Cheers, Alex

Am 2011-12-12 18:40, schrieb Connolly, Robert T.:


Hi Alex,

I work with Steve Kim.  This is what I am using on the ASA 
for authentication and authorization, where radiator-1 is the group 
name I use:


aaa authorization exec authentication-server

aaa authentication telnet console radiator-1 LOCAL

aaa authentication http console radiator-1 LOCAL

aaa authentication ssh console radiator-1 LOCAL

aaa authentication serial console radiator-1 LOCAL

Am I missing anything?

Thank you.

Robert

*Robert T. Connolly, *MBA**

Information Systems

Senior Network Specialist

Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017

212 450 6185   tel

robert.conno...@davispolk.com <mailto:robert.conno...@davispolk.com>

Davis Polk



Confidentiality Note: This email is intended only for the person or 
entity to which it is addressed and may contain information that is 
privileged, confidential or otherwise protected from disclosure. 
Unauthorized use, dissemination, distribution or copying of this email 
or the information herein or taking any action in reliance on the 
contents of this email or the information herein, by anyone other than 
the intended recipient, or an employee or agent responsible for 
delivering the message to the intended recipient, is strictly 
prohibited. If you have received this email in error, please notify 
the sender immediately and destroy the original message, any 
attachments thereto and all copies. Please refer to the firm's privacy 
policy (http://www.davispolk.com/files/uploads/davispolk.master.privacypolicy.sep10.pdf) 
located at www.davispolk.com for important information on this policy.



[RADIATOR] two factor authentication

2012-01-17 Thread Alexander Hartmaier
Hi list,
I'm trying to implement a two factor auth where the user has to enter
his Active Directory credentials.
Radiator checks those against the AD, if successful creates an OTP and
sends that to the mobile phone number fetched from the AD.
A challenge is returned to the NAS.
My problem is that I can't distinguish the initial request and the
challenge response which should skip the AD auth because this time the
password field holds the OTP response.

By looking at the radius packets with tcpdump I couldn't find a
difference in the radius attributes sent that let me write two different
handlers.

Ideas?

--
Best regards, Alexander Hartmaier




Re: [RADIATOR] two factor authentication

2012-01-18 Thread Alexander Hartmaier
Hi Heikki and Mike,
I'm already using AuthBy OTP with my own ChallengeHook.
I've read RFC2865 yesterday but missed the State attribute, thanks for
the great pointer!

That's the working config I came up with:


 Identifier tsa-otp-client-vpn

 Filename %L/tsa-otp-client-vpn.authlog
 LogSuccess 1
 LogFailure 1
# log the Handler Identifier to be able to distinguish between AD
and OTP auth failures
 SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
 FailureFormat
%l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL



 Identifier otp_sms_challenge

 AuthByPolicy ContinueUntilChallenge

 #StripFromRequest Password

 # clear the password to force AuthOTP to always generate an OTP
 PreAuthHook sub { \
 my $p = ${$_[0]}; \
 my $rp = ${$_[1]}; \
 $p->{DecodedPassword} = ''; \
 }
 AuthBy otp_sms
 #AddToReply State="otp-challenge"



 Identifier tsa-otp-client-vpn-otp

 AuthLog tsa-otp-client-vpn
 # Show any rejection reason to the end user
 RejectHasReason

 AuthBy otp_sms



 Identifier tsa-otp-client-vpn-ad

 AuthByPolicy ContinueUntilChallenge

 # Show any rejection reason to the end user
 RejectHasReason

 AuthLog tsa-otp-client-vpn


 # Save time by never looking for a default
 NoDefault

 Host ip1 ip2 ip3
 Port 389
 Version 3

 # request timeout in seconds
 Timeout 2

 # don't try to reach the ldap for this amount of seconds after
failure
 FailureBackoffTime 0

 UsernameAttr samaccountname
 # don't check the password, just for phone number lookup
 #PasswordAttr
 ServerChecksPassword

 # store the users mobile phone number in the Callback-Number
radius attribute
 AuthAttrDef mobile,Callback-Number,request



 HandlerId otp_sms_challenge



I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token
by using PreAuthHook to delete the DecodedPassword.
As you see I've tried StripFromRequest Password which didn't work.
I was looking for a way to clear the password between the AuthBy LDAP
and AuthBy OTP.
Is there a way to do this?

Cheers, Alex

Am 2012-01-17 21:12, schrieb Mike McCauley:
> Hi Heikki,
>
> I wonder if he should also look at  AuthBy OTP?
> Cheers.
>
> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>
>> Hello Alexander,
>>
>>> I'm trying to implement a two factor auth where the user has to enter
>>> his Active Directory credentials.
>>> Radiator checks those against the AD, if successful creates an OTP and
>>> sends that to the mobile phone number fetched from the AD.
>> Add State attribute to the challenge at this point.
>>
>>> A challenge is returned to the NAS.
>> See this for how NAS should react to challenge.
>> http://tools.ietf.org/html/rfc2865#section-5.24
>>
>>> My problem is that I can't distinguish the initial request and the
>>> challenge response which should skip the AD auth because this time the
>>> password field holds the OTP response.
>> State should be echoed back in the challenge response unless the NAS is
>> badly broken.
>>
>>> By looking at the radius packets with tcpdump I couldn't find a
>>> difference in the radius attributes sent that let me write two different
>>> handlers.
>>>
>>> Ideas?
>> Try something like this. Note that I have used a fixed value for
>> challenge, but you could make it generic to protect against replay
>> attacks or some other information that might be useful for selecting the
>> correct handler for verifying the challenge.
>>
>> 
>> # Check challenge here
>> 
>>
>> 
>> # Generate OTP here and send challenge
>> 
>># AD auth happens here
>>AddToReply State=whatever
>> 
>> 
>>
>>
>>
>> Please let us know how it goes.
>> Heikki



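The State-driven dispatch discussed in this thread, as an added example that is not part of the original message or of Radiator. It is plain Python modelling the protocol logic (Access-Requests are dicts of attributes rather than real packets, and the pending-OTP store is an in-memory dict; both are assumptions of the example) and follows Heikki's remark that a fixed State value gives no replay protection: the State issued with the Access-Challenge is bound to the user name and a deadline by an HMAC, is checked in constant time, and is consumed on first use, so an old State cannot be reused to skip the AD leg or to replay an OTP. SERVER_KEY, CHALLENGE_TTL and all function names are the example's own.

```python
"""Challenge/response State handling for a two-step RADIUS login.

Added example, not Radiator code. The NAS must echo the State attribute
from the Access-Challenge back in the next Access-Request (RFC 2865
section 5.24); this module decides which leg a request belongs to and
verifies the OTP answer only against a State it issued itself.
"""
import hashlib
import hmac
import secrets
import time

# Constructed demo key; a real deployment loads this from protected config.
SERVER_KEY = b"constructed-demo-key-not-for-production"
CHALLENGE_TTL = 120  # seconds an issued OTP challenge stays answerable

# nonce -> sha256 of the OTP that was sent by SMS (server side, single use)
_pending = {}


def _otp_digest(otp):
    return hashlib.sha256(otp.encode()).hexdigest()


def _mac(nonce, username, expires):
    # binds nonce, user and deadline together; the NAS cannot forge this
    msg = f"{nonce}|{username}|{expires}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def issue_challenge(username, otp, now=None):
    """First leg succeeded (AD password OK) and `otp` was sent by SMS.
    Returns the State value to carry in the Access-Challenge."""
    now = int(time.time() if now is None else now)
    nonce = secrets.token_hex(8)
    expires = now + CHALLENGE_TTL
    _pending[nonce] = _otp_digest(otp)
    return f"{nonce}:{expires}:{_mac(nonce, username, expires)}"


def check_state(username, state, now=None):
    """Validate an echoed State without looking at the OTP.
    Returns (nonce, None) on success or (None, reason) on failure."""
    now = int(time.time() if now is None else now)
    parts = state.split(":")
    if len(parts) != 3 or not parts[1].isdigit():
        return None, "malformed state"
    nonce, expires, mac = parts[0], int(parts[1]), parts[2]
    # constant-time compare against the MAC recomputed for *this* user
    if not hmac.compare_digest(mac, _mac(nonce, username, expires)):
        return None, "state not bound to this user"
    if now > expires:
        return None, "challenge expired"
    return nonce, None


def classify(request, now=None):
    """Which handler an Access-Request belongs to: 'ad' for the first leg
    (no State), 'otp' for a valid echoed State, 'reject' for a bad one.
    `request` is a dict of RADIUS attributes (constructed, not a packet)."""
    state = request.get("State")
    if state is None:
        return "ad"
    nonce, _reason = check_state(request.get("User-Name", ""), state, now)
    return "otp" if nonce else "reject"


def verify_response(username, state, password, now=None):
    """Second leg: the password field carries the OTP. Returns (ok, reason).
    The pending entry is popped before comparing, so each challenge can be
    answered exactly once; a wrong OTP needs a fresh challenge (and SMS)."""
    nonce, reason = check_state(username, state, now)
    if nonce is None:
        return False, reason
    expected = _pending.pop(nonce, None)
    if expected is None:
        return False, "replayed or unknown challenge"
    if not hmac.compare_digest(expected, _otp_digest(password)):
        return False, "wrong otp"
    return True, None
```

In a Radiator configuration the role of `classify` is played by the Handler selection on the State attribute, and `verify_response` is what the second leg's AuthBy has to do; the point of the example is what the State must carry for that selection to be safe.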

Re: [RADIATOR] Using Storable in a hook

2012-01-25 Thread Alexander Hartmaier
Serializing objects, references and regexes is no easy task.
What are you trying to achieve?
I suggest you switch to a different format like JSON and only serialize
a data structure you created from the request attributes by yourself.
The internal representation of a packet could change with every version
so you shouldn't rely on it or at least be able to fix your code easily
if that happens.

Best regards, Alex

Am 2012-01-25 04:44, schrieb Jared Watkins:
> I figured out that I have to call it directly like Storable::nfreeze(\%x) but 
> the error I was getting for other way was:
>
> Bizarre copy of HASH in refgen at
>
> Now.. I'm passing the value in as a bound parameter in the hook and according 
> to a length call on the variable.. it's going in with an average length of 
> 1450 bytes.  However.. when I fetch it from the database (postgres) I'm only 
> getting back 3 bytes.
>
> I'm using just the attributes list out of the $p variable by 
> $p->{'Attributes'}.
>
> I've done binary data through DBI before (to mysql) without a problem.. so 
> I'm not sure where it might be getting lost here.
>
> Thanks,
> Jared
>
>
> On Jan 24, 2012, at 5:59 PM, Heikki Vatiainen wrote:
>
>> On 01/24/2012 10:44 PM, Jared Watkins wrote:
>>
>>> I'm seeing some weird errors and behavior trying to use the freeze method 
>>> from Storable.  Is there a special trick to making it work in hook code?
>> I have not used Storable myself, but if you could reply with some
>> examples I can take a a look.
>>
>> Note that some of the data structures, such as radius requests ($p
>> usually) are very large. You could see e.g. with Data::Dumper to see
>> what they look like.
>>
>>> I saw a reference on the cpan page for special handling when used in a 
>>> 'Safe' compartment.. is that what's happening here?   For reference.. for 
>>> development/debugging I'm attempting to serialize and store (in db field) a 
>>> hash I'm creating with all the per packet name-value pairs.
>> Hard to tell. Examples would be useful :)
>>
>> Thanks!
>> Heikki
>>
>> --
>> Heikki Vatiainen
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator




Re: [RADIATOR] Using Storable in a hook

2012-01-26 Thread Alexander Hartmaier
Is it really binary data that you want to store?
I suggest you serialize to a variable and log it before guessing what's
happening.
Also enable DBI trace mode to see what queries get executed:
https://metacpan.org/module/DBI#TRACING

Best regards, Alex

Am 2012-01-25 18:15, schrieb Jared Watkins:
> I've tried storing the data a few different ways.. and I always end up with 
> the same 3 byte value stored in the database... which sounds like a memory 
> pointer rather than data.   I found a specific reference under DBD:Pg about 
> binary data.. and it suggests that you have to do an explicit bind and tell 
> it you are passing binary data like so:
>
> bind_param(1, $cdr, { pg_type =>  PG_BYTEA })
>
> You don't expose the DBI stuff directly though.. so it looks like that would 
> require a change or code addition to your sql module to allow separate calls 
> to prepare, bind, execute.
>
> I've not had time to setup a totally separate test to take Radiator out of 
> the equation.. but that's my best guess as to why it's not working at the 
> moment.
>
> J
>
>
> On Jan 25, 2012, at 8:01 AM, Heikki Vatiainen wrote:
>
>> On 01/25/2012 05:44 AM, Jared Watkins wrote:
>>
>>> I figured out that I have to call it directly like Storable::nfreeze(\%x) 
>>> but the error I was getting for other way was:
>>>
>>> Bizarre copy of HASH in refgen at
>>>
>>> Now.. I'm passing the value in as a bound parameter in the hook and 
>>> according to a length call on the variable.. it's going in with an average 
>>> length of 1450 bytes.  However.. when I fetch it from the database 
>>> (postgres) I'm only getting back 3 bytes.
>>>
>>> I'm using just the attributes list out of the $p variable by 
>>> $p->{'Attributes'}.
>> Try @{$p->{Attributes}} if you want to access the attribute array
>> instead of reference. Maybe you are already doing this, but I thought
>> I'd check. Also Data::Dumper has sometimes been quite helpful figuring
>> out how various items are composed.
>>
>>> I've done binary data through DBI before (to mysql) without a problem.. so 
>>> I'm not sure where it might be getting lost here.
>> Hard to tell. I have not tried this myself.
>>
>> Please keep us posted how it goes.
>>
>> Thanks!
>> Heikki
>>


Re: [RADIATOR] CRL reload error

2012-02-01 Thread Alexander Hartmaier
Hi,
I've encountered another problem.
I've written a bash script that downloads the CRL once a day at one
o'clock in the morning local time and restarts Radiator afterwards
because of the OpenSSL CRL caching.
The CRL lifetime ends about 30 minutes later and Radiator rejects all
auths after that time because the CRL isn't up to date any more.
Do you have a solution for downloading the CRL in sync with its lifetime?

Best regards, Alex



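One way to drive the download from the CRL's own validity window, as an added example that is not the author's script. It parses the output of `openssl crl -in <file> -noout -lastupdate -nextupdate` (the two sample lines below are constructed) and computes when the next download has to happen so that the file Radiator loads never reaches nextUpdate; the 30 minute safety margin, the 5 minute minimum interval and the helper names are assumptions of the example. Fetching the file, verifying its signature against the CA and restarting Radiator remain in the author's shell script; this only replaces the fixed cron hour, which is the part that cannot know when the CA's window ends.

```python
"""Schedule a CRL refresh from the CRL's own validity window."""
from datetime import datetime, timedelta, timezone

# Constructed sample of `openssl crl -in ca.crl -noout -lastupdate -nextupdate`
# output; a real CA's values differ, only the format matters here.
SAMPLE_OPENSSL_OUTPUT = """\
lastUpdate=Jan 31 01:00:00 2012 GMT
nextUpdate=Feb  1 01:30:00 2012 GMT
"""

SAFETY_MARGIN = timedelta(minutes=30)  # assumed: refresh this long before nextUpdate
MIN_INTERVAL = timedelta(minutes=5)    # assumed: never poll the CDP faster than this


def utc(text):
    """Helper for callers: 'YYYY-MM-DD HH:MM:SS' -> aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_crl_window(text):
    """Parse the openssl lines into (lastUpdate, nextUpdate) UTC datetimes.
    A CRL without nextUpdate is refused: there is nothing to schedule on."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            # openssl pads single-digit days ("Feb  1"); strptime tolerates that
            fields[key] = datetime.strptime(
                value.strip(), "%b %d %H:%M:%S %Y GMT"
            ).replace(tzinfo=timezone.utc)
    if "nextUpdate" not in fields:
        raise ValueError("CRL carries no nextUpdate, refusing to schedule")
    return fields.get("lastUpdate"), fields["nextUpdate"]


def crl_is_usable(next_update, now):
    """Past nextUpdate OpenSSL treats the CRL as stale and certificate
    verification fails, which is the 'rejects all auths' symptom above."""
    return now < next_update


def next_refresh(next_update, now):
    """Time of the next download: SAFETY_MARGIN before nextUpdate, but never
    sooner than MIN_INTERVAL from now so a short window cannot cause a busy loop."""
    return max(next_update - SAFETY_MARGIN, now + MIN_INTERVAL)


def seconds_to_sleep(text, now):
    """For a refresh loop: sleep this long, then download, verify the new
    file and restart Radiator, as the author's script already does."""
    _, nxt = parse_crl_window(text)
    return int((next_refresh(nxt, now) - now).total_seconds())
```

With the constructed sample the refresh lands at 01:00 GMT, i.e. exactly the hour the daily cron job fired, which is why that setup worked until the CA shifted its window; driving the schedule from nextUpdate keeps the margin no matter what the CA does.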

Re: [RADIATOR] two factor authentication

2012-02-01 Thread Alexander Hartmaier
Hi Hugh,
should I use an AuthHook within the AuthBy INTERNAL?
Documentation for the list of passed parameters for the hooks would be 
nice so you don't have to look in the source code, if you're a Perl 
developer :)

That's what replaced the AuthBy HANDLER:


<AuthBy INTERNAL>
    DefaultResult ACCEPT

    # clear the password to force AuthOTP to always generate an OTP
    AuthHook sub { \
        my $p = ${$_[0]}; \
        $p->{DecodedPassword} = ''; \
        return $main::ACCEPT; \
    }
</AuthBy>

AuthBy otp_sms

I hope the ACCEPT doesn't trigger a hidden security problem, the handler 
is configured with ContinueUntilChallenge.

Best regards, Alex

Am 2012-01-19 00:28, schrieb Hugh Irvine:
> Hello Alex -
>
> You can use an AuthBy INTERNAL between the other two clauses.
>
> See section 5.50 in the Radiator 4.9 reference manual ("doc/ref.pdf").
>
> regards
>
> Hugh
>
>
> On 18 Jan 2012, at 21:16, Alexander Hartmaier wrote:
>
>> Hi Heikki and Mike,
>> I'm already using AuthBy OTP with my own ChallengeHook.
>> I've read RFC2865 yesterday but missed the State attribute, thanks for
>> the great pointer!
>>
>> Thats the working config I came up with:
>>
>> 
>>  Identifier tsa-otp-client-vpn
>>
>>  Filename %L/tsa-otp-client-vpn.authlog
>>  LogSuccess 1
>>  LogFailure 1
>> # log the Handler Identifier to be able to distinguish between AD
>> and OTP auth failures
>>  SuccessFormat %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:OK
>>  FailureFormat
>> %l:%U:%{Request:Callback-Number}:%{Handler:Identifier}:FAIL
>> 
>>
>> 
>>  Identifier otp_sms_challenge
>>
>>  AuthByPolicyContinueUntilChallenge
>>
>>  #StripFromRequest Password
>>
>>  # clear the password to force AuthOTP to always generate a OTP
>>  PreAuthHook sub { \
>>  my $p = ${$_[0]}; \
>>  my $rp = ${$_[1]}; \
>>  $p->{DecodedPassword} = ''; \
>>  }
>>  AuthBy otp_sms
>>  #AddToReply State="otp-challenge"
>> 
>>
>> > Request-Type="Access-Request" State="otp-challenge">
>>  Identifier tsa-otp-client-vpn-otp
>>
>>  AuthLog tsa-otp-client-vpn
>>  # Show any rejection reason to the end user
>>  RejectHasReason
>>
>>  AuthBy otp_sms
>> 
>>
>> > Request-Type="Access-Request">
>>  Identifier tsa-otp-client-vpn-ad
>>
>>  AuthByPolicyContinueUntilChallenge
>>
>>  # Show any rejection reason to the end user
>>  RejectHasReason
>>
>>  AuthLog tsa-otp-client-vpn
>>
>> 
>>  # Save time by never looking for a default
>>  NoDefault
>>
>>  Host ip1 ip2 ip3
>>  Port 389
>>  Version 3
>>
>>  # request timeout in seconds
>>  Timeout 2
>>
>>  # don't try to reach the ldap for this amount of seconds after
>> failure
>>  FailureBackoffTime 0
>>
>>  UsernameAttr samaccountname
>>  # don't check the password, just for phone number lookup
>>  #PasswordAttr
>>  ServerChecksPassword
>>
>>  # store the users mobile phone number in the Callback-Number
>> radius attribute
>>  AuthAttrDef mobile,Callback-Number,request
>> 
>>
>> 
>>  HandlerId otp_sms_challenge
>> 
>> 
>>
>> I had to use AuthBy HANDLER for forcing AuthBy OTP to generate the token
>> by using PreAuthHook to delete the DecodedPassword.
>> As you see I've tried StripFromRequest Password which didn't work.
>> I was looking for a way to clear the password between the AuthBy LDAP
>> and AuthBy OTP.
>> Is there a way to do this?
>>
>> Cheers, Alex
>>
>> Am 2012-01-17 21:12, schrieb Mike McCauley:
>>> Hi Heikki,
>>>
>>> I wonder if he should also look at  AuthBy OTP?
>>> Cheers.
>>>
>>> On Tuesday, January 17, 2012 09:39:27 PM Heikki Vatiainen wrote:
>>>> On 01/17/2012 08:13 PM, Alexander Hartmaier wrote:
>>>>
>>>> Hello Alexander,
>>>>
>>>>> I'm trying to implement a two factor auth where the user has to enter
>>>>> his Active Directory credentials.
>>>>> Radiator checks those against the AD, if successful creates an OTP and
>>>>> sends th

Re: [RADIATOR] iOS5 and untrusted/not verified EAP certificates

2012-02-09 Thread Alexander Hartmaier
Hi Mike,

does iOS 5.1 finally support PEAP-TLS?

Best regards, Alex

Am 2012-02-09 14:08, schrieb Mike Puchol:
> Hi all,
>
> I'm testing EAP-PEAP with an iPad running iOS5.1, and even though I'm
> using an SSL certificate from Digicert, signed using SHA-1, and Digicert
> being on the list of trusted CAs by iOS (I even checked the serial
> number, which is good), I get the following on the iPad's debug console:
>
> Feb  9 14:02:08 Mikes-iPad kernel[0] :
> AppleBCMWLANCore::setCIPHER_KEY() [eapolclient]: type = CIPHER_PMK,
> index = 0, flags = 0x0, key lenght 0, key rsc lenght 0
> Feb  9 14:02:08 Mikes-iPad eapolclient[149] :
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:08 Mikes-iPad Preferences[93] :
> -[WiFiManager(Private) _enterpriseAssociationResult:withInfo:]: User
> Information required
> Feb  9 14:02:10 Mikes-iPad eapolclient[149] :
> peap_verify_server: server certificate not trusted, status 3 0
> Feb  9 14:02:16 Mikes-iPad eapolclient[149] :
> peap_verify_server: server certificate not trusted, status 3 0
>
> The iPad then shows up an "Add certificate" dialog, but with a big red
> button and the text "Not verified". My guess is that it's trying to
> check a CRL, but of course, being still offline, this cannot be done.
>
> Has anyone successfully connected an iOS5 device using EAP without "bad
> certificate" warnings? As clarification, I'm not using provisioning
> profiles, so the iPad doesn't "know" the network when it first connects
> to it.
>
> Cheers,
>
> Mike
>
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator




[RADIATOR] missing request attributes with TunnelledByPEAP

2012-02-15 Thread Alexander Hartmaier
Hi,
we're doing PEAP-TLS for our WLANs and need to have different settings
per SSID.
The outer PEAP packet includes the Called-Station-Id attribute in the
form of 01-23-45-67-89-0a:SSID which I match using:


The inner TLS packet is matched by

but in case we want to have multiple SSIDs using PEAP-something we can't
distinguish the inner request because the Called-Station-Id isn't
included in the inner request.

Is there an option which attributes get copied to the inner request packet?

Thanks!

--
Cheers, Alex




Re: [RADIATOR] missing request attributes with TunnelledByPEAP

2012-02-16 Thread Alexander Hartmaier
Hi Heikki,
I had to upgrade Radiator which was version 4.8 on this server so that
it knows PreHandlerHook.
It works when the PreHandlerHook is in the AuthBy but not when it is in
the Handler, and it doesn't warn about the PreHandlerHook in the Handler.
Are both supported for different usages?

What confused me is the fact that the copied attribute isn't visible in
the trace file but the dispatching still works:

Thu Feb 16 09:34:34 2012: DEBUG: EAP PEAP inner authentication request
for anonymous
Thu Feb 16 09:34:34 2012: DEBUG: PEAP Tunnelled request Packet dump:
Code:   Access-Request
Identifier: UNDEF
Authentic:  <30><142><221><130>g<220><185>cI<189><138>Z<234>6*~
Attributes:
EAP-Message = <2><12><0><2><13><0>
Message-Authenticator =
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
NAS-IP-Address = 10.1.2.3
NAS-Identifier = "nas.fqdn.net"
NAS-Port = 13
Calling-Station-Id = "00-21-6a-42-e8-46"
User-Name = "anonymous"

Thu Feb 16 09:34:34 2012: DEBUG: Handling request with Handler
'Client-Identifier="wlancontroller", Called-Station-Id=/:SSID$/,
TunnelledByPEAP=1', Identifier ''

Best regards, Alex

On 2012-02-15 19:40, Heikki Vatiainen wrote:
> On 02/15/2012 05:18 PM, Alexander Hartmaier wrote:
>
> Hello Alex,
>
>> The inner TLS packet is matched by
>> 
>> but in case we want to have multiple SSIDs using PEAP-something we can't
>> distinguish the inner request because the Called-Station-Id isn't
>> included in the inner request.
>>
>> Is there an option which attributes get copied to the inner request packet?
> You can use PreHandlerHook. It is now documented in 4.9 ref.pdf too:
>
>   5.20.65 PreHandlerHook
>   For EAP types that carry inner requests (such as PEAP, TTLS, FAST
>   etc), specifies a Perl hook to be called before the inner request
>   is redispatched to a matching Realm or Handler.
>
>
> In the outer Handler do something like this:
>
> PreHandlerHook sub { \
>   my $tp = ${$_[0]}; \
>   $tp->add_attr('Called-Station-Id', \
> $tp->{outerRequest}->get_attr('Called-Station-Id')); \
>   };
>
> tp stands for tunnelled packet. It can be manipulated with
> PreHandlerHook from the outer Handler.
>
> Thanks!
> Heikki
>
>

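To make the dispatch problem concrete, here is an added Python model of the Handler matching discussed in this thread. It is not Radiator code and not from Heikki or Alex: an outer request carrying Called-Station-Id, the tunnelled inner request that does not carry it (the trace above shows only NAS-*, Calling-Station-Id and User-Name inside the tunnel), and a hook that copies the attribute across before redispatch, generalised to a list of attribute names and skipping any the outer request lacks. Handler names, the attribute values and the set of attributes `build_inner` copies are constructed for the example; Radiator's real first-match Handler selection is Perl and this only mirrors the behaviour the log shows.

```python
"""Model of first-match Handler dispatch for PEAP inner requests.

Constructed illustration, not Radiator code: a request is a dict of
attributes and a Handler is a set of attribute predicates (exact string or
regex), tried in configuration order.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

Attrs = Dict[str, str]


class Handler:
    def __init__(self, name: str, checks: Dict[str, object]) -> None:
        self.name = name
        self.checks = checks  # attribute -> exact value or compiled regex

    def matches(self, req: Attrs) -> bool:
        for attr, want in self.checks.items():
            val = req.get(attr)
            if val is None:            # a missing attribute never matches
                return False
            if isinstance(want, re.Pattern):
                if not want.search(val):
                    return False
            elif val != want:
                return False
        return True


def dispatch(handlers: List[Handler], req: Attrs) -> Optional[str]:
    """First matching Handler wins; None models 'no Handler found'."""
    for h in handlers:
        if h.matches(req):
            return h.name
    return None


# Outer PEAP request from the WLAN controller (constructed sample values).
OUTER: Attrs = {
    "Client-Identifier": "wlancontroller",
    "Called-Station-Id": "01-23-45-67-89-0a:SSID",
    "Calling-Station-Id": "00-21-6a-42-e8-46",
    "User-Name": "anonymous",
}


def build_inner(outer: Attrs) -> Attrs:
    """The tunnelled request carries only what the EAP server puts there
    (assumed set, modelled on the trace above) plus the TunnelledByPEAP
    pseudo-attribute. Called-Station-Id is deliberately not among them."""
    inner = {k: outer[k] for k in ("Client-Identifier", "Calling-Station-Id", "User-Name")
             if k in outer}
    inner["TunnelledByPEAP"] = "1"
    return inner


def pre_handler_hook(inner: Attrs, outer: Attrs,
                     names: Iterable[str] = ("Called-Station-Id",)) -> Attrs:
    """What the PreHandlerHook in the thread does, for a list of attributes:
    copy each from the outer request into the inner one, skipping attributes
    the outer request does not carry so no empty values are added."""
    for name in names:
        if name in outer and name not in inner:
            inner[name] = outer[name]
    return inner


HANDLERS = [
    # The inner Handler from the log: Client, SSID suffix and tunnel flag.
    Handler("peap-inner-ssid", {
        "Client-Identifier": "wlancontroller",
        "Called-Station-Id": re.compile(r":SSID$"),
        "TunnelledByPEAP": "1",
    }),
    Handler("peap-inner-default", {"TunnelledByPEAP": "1"}),
    Handler("outer-ssid", {
        "Client-Identifier": "wlancontroller",
        "Called-Station-Id": re.compile(r":SSID$"),
    }),
]


def route(with_hook: bool) -> Tuple[Optional[str], Optional[str]]:
    """Return (Handler for the outer request, Handler for the inner request)."""
    outer_handler = dispatch(HANDLERS, OUTER)
    inner = build_inner(OUTER)
    if with_hook:
        inner = pre_handler_hook(inner, OUTER)
    return outer_handler, dispatch(HANDLERS, inner)


if __name__ == "__main__":
    print("without hook:", route(False))  # inner falls through to the default Handler
    print("with hook:   ", route(True))   # inner reaches the SSID-specific Handler
```

Without the hook the inner request can only ever reach the catch-all `TunnelledByPEAP=1` Handler, which is exactly why per-SSID settings cannot be applied inside the tunnel; with it, the SSID-specific Handler matches, as the trace at the top of this message shows.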



Re: [RADIATOR] CRL reload error

2012-03-21 Thread Alexander Hartmaier
Now that our dot1x and WLAN Radiator needs to check three different crls
I've looked into a better solution for refreshing them.
While reading Radius::TLS I've stumbled over the method reloadCrls which
claims to reload the crl if the timestamp changes. Has this ever worked?
In the contextInit method you've put a note # REVISIT: what if a CRL
changes while we are running?

I'm trying to restart Radiator as rarely as possible to not terminate an
ongoing EAP communication but the crls all have different expiration
dates (two have a lifetime of a day, the third of a week which will
probably also be changed to a day or less).

Best regards, Alex




Re: [RADIATOR] CRL reload error

2012-03-26 Thread Alexander Hartmaier
Hi Heikki,

On 2012-03-22 17:16, Heikki Vatiainen wrote:
> On 03/21/2012 12:11 PM, Alexander Hartmaier wrote:
>
>> Now that our dot1x and WLAN Radiator needs to check three different crls
>> I've looked into a better solution for refreshing them.
>> While reading Radius::TLS I've stumbled over the method reloadCrls which
>> claims to reload the crl if the timestamp changes. Has this ever worked?
> I asked about this, and this is the current situation: The code in
> Radiator works and is enabled (if so configured) by default. So the code
> for checking CRLs is there without modifications to Radiator sources.
>
> If the check really happens as expected depends on OpenSSL library.
> There is a patch for a 0.9.? version, but it doesn't work in 1.0. It
> could be that some distributions have applied the patch themselves, so
> the situation is not very clear. There are a couple of entries in
> OpenSSL request tracker, but it does not look like they have been processed.
>
> You could try to see if it works on your system.
I didn't find anything regarding autoloading of the crl in the openssl
changelog, so the patch must still not be mainline.
We're using Debian Squeeze (6) on the server with openssl from the
testing tree to get openssl 1.0.0 which is now at version 1.0.0h.
Is OCSP an option instead of a crl? Can Radiator use OCSP?
>
>> In the contextInit method you've put a note # REVISIT: what if a CRL
>> changes while we are running?
> Hmm, that might be a little older comment, I'll check that too.
>
>> I'm trying to restart Radiator as rarely as possible to not terminate an
>> ongoing EAP communication but the crls all have different expiration
>> dates (two have a lifetime of a day, the third of a week which will
>> probably also be changed to a day or less).
> That's very understandable.
>
> Heikki
>
>> Best regards, Alex
>>
>>

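The question in this thread is whether a CRL gets reloaded when its file timestamp changes. As an added Python illustration of that pattern (not Radiator's reloadCrls and not from this thread), the class below tracks the file's stat fingerprint and re-reads the file when it changes, but only counts a reload when the bytes actually differ, so a plain touch does not push an identical CRL to the TLS layer. The CRL is treated as opaque bytes so the example runs without an X.509 parser; the file name, the sample contents and the `on_reload` callback are constructed for the example.

```python
"""Timestamp-driven CRL reload, constructed example (not Radiator code).

A CRL file is re-read when its mtime or size changes; the TLS layer is
notified (via on_reload) only when the content digest actually changed.
"""
import hashlib
import os
import tempfile
from typing import Callable, Optional, Tuple


class CrlFile:
    def __init__(self, path: str,
                 on_reload: Optional[Callable[[bytes], None]] = None) -> None:
        self.path = path
        self.on_reload = on_reload          # hypothetical hook to hand bytes to TLS
        self.mtime_ns = -1
        self.size = -1
        self.digest = ""
        self.reloads = 0
        self.refresh()                      # initial load

    def _fingerprint(self) -> Tuple[int, int]:
        st = os.stat(self.path)
        # mtime alone misses a rewrite inside the same timestamp tick, so the
        # size is part of the cheap pre-check as well.
        return st.st_mtime_ns, st.st_size

    def refresh(self) -> bool:
        """Re-read the file if its fingerprint changed.
        Returns True only when a CRL with different content was loaded."""
        fp = self._fingerprint()
        if self.mtime_ns != -1 and fp == (self.mtime_ns, self.size):
            return False
        # Stat before read: if the file changes between the two calls the
        # stored fingerprint is stale and the next refresh() re-reads it.
        with open(self.path, "rb") as fh:
            data = fh.read()
        self.mtime_ns, self.size = fp
        new_digest = hashlib.sha256(data).hexdigest()
        if new_digest == self.digest:
            return False                    # touched, but identical content
        self.digest = new_digest
        self.reloads += 1
        if self.on_reload:
            self.on_reload(data)
        return True


def demo() -> Tuple[bool, bool, bool, int]:
    """Self-contained run on constructed data: load, refresh unchanged, touch
    without changing content, then replace the CRL. Returns what each
    refresh() decided plus the final reload count."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "ca.crl")
        with open(path, "wb") as fh:
            fh.write(b"constructed CRL v1")
        crl = CrlFile(path)
        unchanged = crl.refresh()
        # Same bytes, new mtime: a 'touch' must not count as a new CRL.
        os.utime(path, ns=(1_000_000_000_000_000_000, 1_000_000_000_000_000_000))
        touched = crl.refresh()
        with open(path, "wb") as fh:
            fh.write(b"constructed CRL v2, with more entries")
        os.utime(path, ns=(2_000_000_000_000_000_000, 2_000_000_000_000_000_000))
        replaced = crl.refresh()
        return unchanged, touched, replaced, crl.reloads


if __name__ == "__main__":
    print(demo())
```

A `refresh()` call belongs wherever the server is about to verify a client certificate (or on a timer shorter than the shortest CRL lifetime in play); the digest check keeps a periodic timer cheap when the CRL publisher rewrites an unchanged file.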

Re: [RADIATOR] Radiator

2012-04-02 Thread Alexander Hartmaier
Hi Sudhir,
please use meaningful subjects for your mails!
'Radiator' for a mail to the Radiator mailing list makes no sense and makes finding 
useful questions and answers later hard.

Thanks!

On 2012-03-31 14:28, Sudhir Harwalkar wrote:
Hi Heikki,

I want to verify the security feature PEAPv1, which uses GTC as inner 
authentication, but I haven't found a separate config file for PEAPv1.
So please tell me which config file I need to use for PEAPv1.

Thanks
Sudhir H



Re: [RADIATOR] Load balancing RADIATOR with Cisco ACE

2012-05-10 Thread Alexander Hartmaier
EAP and OTP also require pinning, which I personally would always use.

On 2012-05-10 16:56, James wrote:
> I've done it -- currently in production serving an environment with
> over 80,000 users. No issues.
>
> If you're load balancing TACACS+ you should enable stickiness so that
> the session remains pinned to one Radiator server. If load balancing
> simple RADIUS, just do a simple serverfarm and load balance with a
> "least connections" or round robin LB algorithm.
>
> Hope this helps.
>
> -james
>
> On Thu, May 10, 2012 at 5:15 AM, Janssen, G.H.C. (Gaston)
>  wrote:
>> Hi,
>>
>> We'd like to load balance RADIUS requests over several RADIATOR servers.
>> Therefore we will use an external hardware load balancer: a Cisco ACE 
>> (service module).
>> Is there anyone who has experience with this kind of combination, i.e. 
>> RADIATOR & Cisco ACE?
>>
>> Any (white) papers on this subject are welcome, as are any ACE 
>> configuration examples.
>>
>> We are particularly interested in field experiences with the combination Cisco 
>> ACE / RADIATOR.
>>
>>
>> (We have already taken notice of the Cisco configuration guide "Configuring 
>> RADIUS Load Balancing"
>> which in general describes it, but is not product specific (in this case 
>> RADIATOR)   :)
>>
>> Regards,
>> Gaston
>>
--
Cheers, Alex




Re: [RADIATOR] TLS Session Resumption does not work on Windows Server 2008 R2 64-bit.

2012-05-22 Thread Alexander Hartmaier
Note that Perl 5.12 is no longer supported because 5.16 came out yesterday.
The Perl community currently recommends using Strawberry Perl for
Windows: http://strawberryperl.com

Best regards, Alex


On 2012-05-21 20:08, Heikki Vatiainen wrote:
> On 05/18/2012 05:35 PM, Johnson, Neil M wrote:
>
>> We are using Active State Perl 5.12.2 Build 1202 (64-bit).
>>
>> We are using your build of Net-SSLeay (1.36.0.1)
>>
>> The client I'm testing with is a Dell Latitude D620 with Windows 7.
>>
>> For the Server that seems to be working is running Active State Perl
>> 5.12.2 (Build 1202) (32-bit) and Net-SSLeay 1.36.0.1 also.
>>
>> So it's either a Windows Server 2003 to 2008 issue or a 32-bit to 64-bit
>> issue.
> Ok, thanks for the information. I'll give 2008R2 with Perl 5.12.4 a try
> and see how it works with 32bit and 64bit Perl.
>
> Heikki
>
>




Re: [RADIATOR] Radiator evaluation - Authenticate, Authorize LDAP users through Radius server to Network Switch

2012-05-30 Thread Alexander Hartmaier



Hi Pramod,
check out the various ldap*.cfg config files in the goodies directory as a starting point.
Radiator connects on the first use, not on startup.
You can also use the radpwtst utility to test your Radiator config, to be sure it's OK before configuring the switch.
Also enable trace level 4 to see what radius attributes the switch sends.
Best regards, Alex

On 2012-05-30 08:35, Pramod Kulkarni wrote:
Hello,

1) I wanted to know how you authenticate and authorize LDAP server users through Radiator for a network switch.

2) How do you map Radiator attributes to the LDAP attributes?

- I tried configuring LDAP in the radius.config and tried to run the C:\perl\bin\radiusd to test whether Radiator is listening to the LDAP server; nothing is working for me.

- I have configured a VSA for Ruggedcom in the dictionary of C:\Radiator. How to map this attribute to Radiator and in turn to the LDAP server for authorization?

# VSAs for Ruggedcom 
VENDOR          Ruggedcom    15004 
VENDORATTR      15004      RuggedCom-Privilege-level       2         string

In the radius.cfg I have mapped LDAP attributes checkAttr and replyattr as below,

LDAP attributes and Radiator attributes (taken from radiator-ldap.schema)

AuthAttrDef   oscRadiusIdentifier,   RuggedCom-Privilege-level,reply

How and where to map the Radiator attributes to LDAP server attributes in the Radiator directory? How to restart the Radius server with the new configuration?

Let me know if I can configure the switch as mentioned above through Radiator; if possible provide a specific example.

Waiting for your inputs. 

Thanks and Regards, 

Pramod Kulkarni
ABB Global Industries and Services Limited
Whitefield Road
560048, Bangalore, Karnataka, INDIA
Phone: +91 80 67579950
Mobile: +919663733663
email: pramod.kulka...@in.abb.com


Re: [RADIATOR] Fwd: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for RADIUS

2012-05-30 Thread Alexander Hartmaier
Thanks for the info Mike!
Do you know which devices support it?
We're mainly interested in Cisco gear.

Best regards, Alex


On 2012-05-29 22:46, Mike McCauley wrote:
> RadSec is now an official RFC.
>
>
> --  Forwarded Message  --
>
> Subject: [radext] RFC 6614 on Transport Layer Security (TLS) Encryption for
> RADIUS
> Date: Tuesday, May 29, 2012, 09:38:40 AM
> From: rfc-edi...@rfc-editor.org
> To: ietf-annou...@ietf.org, rfc-d...@rfc-editor.org
> CC: rad...@ietf.org, rfc-edi...@rfc-editor.org
>
>
> A new Request for Comments is now available in online RFC libraries.
>
>
> RFC 6614
>
> Title:  Transport Layer Security (TLS) Encryption
> for RADIUS
> Author: S. Winter, M. McCauley,
> S. Venaas, K. Wierenga
> Status: Experimental
> Stream: IETF
> Date:   May 2012
> Mailbox:stefan.win...@restena.lu,
> mi...@open.com.au,
> s...@cisco.com,
> kl...@cisco.com
> Pages:  22
> Characters: 48004
> Updates/Obsoletes/SeeAlso:   None
>
> I-D Tag:draft-ietf-radext-radsec-12.txt
>
> URL:http://www.rfc-editor.org/rfc/rfc6614.txt
>
> This document specifies a transport profile for RADIUS using
> Transport Layer Security (TLS) over TCP as the transport protocol.
> This enables dynamic trust relationships between RADIUS servers.
> [STANDARDS-TRACK]
>
> This document is a product of the RADIUS EXTensions Working Group of the IETF.
>
>
> EXPERIMENTAL: This memo defines an Experimental Protocol for the
> Internet community.  It does not specify an Internet standard of any
> kind. Discussion and suggestions for improvement are requested.
> Distribution of this memo is unlimited.
>
> This announcement is sent to the IETF-Announce and rfc-dist lists.
> To subscribe or unsubscribe, see
>   http://www.ietf.org/mailman/listinfo/ietf-announce
>   http://mailman.rfc-editor.org/mailman/listinfo/rfc-dist
>
> For searching the RFC series, see http://www.rfc-editor.org/rfcsearch.html.
> For downloading RFCs, see http://www.rfc-editor.org/rfc.html.
>
> Requests for special distribution should be addressed to either the
> author of the RFC in question, or to rfc-edi...@rfc-editor.org.  Unless
> specifically noted otherwise on the RFC itself, all RFCs are for
> unlimited distribution.
>
>
> The RFC Editor Team
> Association Management Solutions, LLC
>
>
> ___
> radext mailing list
> rad...@ietf.org
> https://www.ietf.org/mailman/listinfo/radext
> -




[RADIATOR] RadSec -> RADIUS/TLS RFC

2012-05-31 Thread Alexander Hartmaier
Congratulations on getting RadSec into an RFC!
Radiator and its configuration is even mentioned in the appendix.

http://www.rfc-editor.org/rfc/rfc6614.txt
--
Cheers, Alex




Re: [RADIATOR] Digest::SHA

2012-06-18 Thread Alexander Hartmaier
Good move, thanks Mike!

BR Alex


On 2012-06-16 00:14, Mike McCauley wrote:
> Hi  All,
>
> Until now, Radiator and other products in the family used a mixture of
> Digest::SHA and Digest::SHA1, sometimes optionally and sometimes absolutely.
>
> We recently issued patches for Radiator and friends to always use Digest::SHA
> instead of Digest::SHA1. We think this will make installation easier for most
> implementers:
>
> Digest::SHA has more features, and is now included standard with modern Perl
> distros. By comparison, Digest::SHA1 is now not readily available for some
> Linux distros.
>
> So we have elected to use _only_ Digest::SHA, and it will now be an absolute
> prerequisite (not an optional one).
>
> These changes are in the latest patch set and will be in the next release
> 4.10, due out soon.
>




[RADIATOR] webserver serving tgz files as text/html

2012-07-02 Thread Alexander Hartmaier
Hi,
I have experienced that problem for years and finally took the time to look
into it.
Radiator-4.10.tgz and patches-4.10.tar.gz are both served with an
incorrect Content-Type, which leads to Firefox saving the file
decompressed due to the set Content-Encoding: gzip.
Radiator-4.10.tgz is served as text/html, patches-4.10.tar.gz as text/plain.
It seems the mime types for both extensions are missing or configured wrong.

--
Best regards, Alexander Hartmaier




[RADIATOR] LDAPS connection problem

2012-10-18 Thread Alexander Hartmaier
We're having problems with an LDAPS connection to two Windows domain
controllers.
An ldapsearch on the CLI works every time, the Radiator connection only
sometimes.

I've upgraded the radiator servers from 4.8 to 4.10 with current patches
in hope of a fix but it still shows the same behaviour:

Sometimes it works:
Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server
10.1.2.1 10.1.2.2:636

Sometimes it doesn't:
Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to
10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.

BTW the debug output is really puzzling when you configure more than one
server/ip-address and should be changed to only show the server/ip
that's used to try the connection!

That's our config:


# Save time by never looking for a default
NoDefault

Host 10.1.2.1 10.1.2.2
Port 636
Version 3

# request timeout in seconds
Timeout 3

# don't try to reach the ldap for this amount of seconds after
failure
FailureBackoffTime 5

# persistent connection doesn't work with M$ AD
# HoldServerConnection
UnbindAfterServerChecksPassword

## Enable SSL
UseSSL
## Enable TLS
# UseTLS
## Name of the client certificate file:
SSLCAClientCert %D/certificates/radius.fqdn.pem
## Name of the file containing the client private key
SSLCAClientKey %D/certificates/radius.fqdn.key
SSLCAFile %D/certificates/ad.pem
## Require ldap server certificate
#SSLVerify require

# LDAP access
AuthDN CN=foo,OU=bar,DC=fqdn,DC=at
AuthPassword foo

# Start looking here
BaseDN OU=bar,DC=fqdn,DC=at

# base, single, subtree
Scope subtree

UsernameAttr samaccountname
# don't check the password, just for phone number lookup
PasswordAttr

# store the users mobile phone number in the Callback-Number
radius attribute
AuthAttrDef mobile,Callback-Number,request
    

--
Best regards, Alexander Hartmaier




Re: [RADIATOR] LDAPS connection problem

2012-10-19 Thread Alexander Hartmaier
On 2012-10-19 11:01, Heikki Vatiainen wrote:
> On 10/18/2012 06:33 PM, Alexander Hartmaier wrote:
>
>> I've upgraded the radiator servers from 4.8 to 4.10 with current patches
>> in hope of a fix but it still shows the same behaviour:
>>
>> Sometimes it works:
>> Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>> Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server
>> 10.1.2.1 10.1.2.2:636
>>
>> Sometimes it doesn't:
>> Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>> Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to
>> 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
>>
>> BTW the debug output is really puzzling when you configure more than one
>> server/ip-address and should be changed to only show the server/ip
>> that's used to try the connection!
> The reference manual talks briefly about this:
>
>   ... Multiple space separated host names can be specified
>   and Net::LDAP will choose the first available one. ...
>
> What happens is radiusd passes all hosts to Net::LDAP which then uses
> its own methods for trying to contact the hosts. For this reason the log
> entry sort of makes sense. In other words, specifying multiple names or
> addresses for Host can be useful, but it takes some of the control away
> from radiusd.
>
> If you want full control for contacting LDAP servers, you can specify
> two AuthBy LDAP2 clauses both with just a single Host. When there's a
> connection or query problem, the AuthBy will return IGNORE and the
> default AuthByPolicy (ContinueWhileIgnore) will then switch to the next
> AuthBy.
>
> AuthBy LDAP2 also supports FailureBackoffTime. In case of error, the
> failed AuthBy LDAP2 clause will be left alone to recover for the
> specified time.
>
>> That's our config:
>>
>> 
>> # Save time by never looking for a default
>> NoDefault
>>
>> Host 10.1.2.1 10.1.2.2
>> Port 636
> Here Net::LDAP will take care of retrying, timeouts etc. until all hosts
> have been tried.
>
>
> Thanks,
> Heikki
>
Thanks for the explanation, can you add this to the manual in all places
where multiple servers can be configured?

In the meantime I've upgraded Net::SSLeay from version 1.32 to CPAN's
current 1.49 on this RHEL4 box which seems to have fixed the problem.
I'll get back to you if the problem occurs again.
--
Best regards, Alexander Hartmaier




Re: [RADIATOR] LDAPS connection problem

2012-10-23 Thread Alexander Hartmaier
On 2012-10-19 11:39, Alexander Hartmaier wrote:
> On 2012-10-19 11:01, Heikki Vatiainen wrote:
>> On 10/18/2012 06:33 PM, Alexander Hartmaier wrote:
>>
>>> I've upgraded the radiator servers from 4.8 to 4.10 with current patches
>>> in hope of a fix but it still shows the same behaviour:
>>>
>>> Sometimes it works:
>>> Thu Oct 18 12:41:42 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>>> Thu Oct 18 12:41:42 2012: INFO: Attempting to bind to LDAP server
>>> 10.1.2.1 10.1.2.2:636
>>>
>>> Sometimes it doesn't:
>>> Thu Oct 18 13:38:43 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
>>> Thu Oct 18 13:38:49 2012: ERR: Could not open LDAP connection to
>>> 10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
>>>
>>> BTW the debug output is really puzzling when you configure more than one
>>> server/ip-address and should be changed to only show the server/ip
>>> that's used to try the connection!
>> The reference manual talks briefly about this:
>>
>>   ... Multiple space separated host names can be specified
>>   and Net::LDAP will choose the first available one. ...
>>
>> What happens is radiusd passes all hosts to Net::LDAP which then uses
>> its own methods for trying to contact the hosts. For this reason the log
>> entry sort of makes sense. In other words, specifying multiple names or
>> addresses for Host can be useful, but it takes some of the control away
>> from radiusd.
>>
>> If you want full control for contacting LDAP servers, you can specify
>> two AuthBy LDAP2 clauses both with just a single Host. When there's a
>> connection or query problem, the AuthBy will return IGNORE and the
>> default AuthByPolicy (ContinueWhileIgnore) will then switch to the next
>> AuthBy.
>>
>> AuthBy LDAP2 also supports FailureBackoffTime. In case of error, the
>> failed AuthBy LDAP2 clause will be left alone to recover for the
>> specified time.
>>
>>> That's our config:
>>>
>>> 
>>> # Save time by never looking for a default
>>> NoDefault
>>>
>>> Host 10.1.2.1 10.1.2.2
>>> Port 636
>> Here Net::LDAP will take care of retrying, timeouts etc. until all hosts
>> have been tried.
>>
>>
>> Thanks,
>> Heikki
>>
> Thanks for the explanation, can you add this to the manual in all places
> where multiple servers can be configured?
>
> In the meantime I've upgraded Net::SSLeay from version 1.32 to CPAN's
> current 1.49 on this RHEL4 box which seems to have fixed the problem.
> I'll get back to you if the problem occurs again.
The problem still persists. Is such an issue known to you for RHEL4 maybe?

> --
> Best regards, Alexander Hartmaier
>
>
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> Notice: This e-mail contains information that is confidential and may be 
> privileged.
> If you are not the intended recipient, please notify the sender and then
> delete this e-mail immediately.
> *"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] LDAPS connection problem

2012-10-24 Thread Alexander Hartmaier
On 2012-10-23 23:11, Heikki Vatiainen wrote:
> On 10/23/2012 12:29 PM, Alexander Hartmaier wrote:
>
>>> In the meantime I've upgraded Net::SSLeay from version 1.32 to CPANs
>>> current 1.49 on this RHEL4 box which seems to have fixed the problem.
>>> I'll get back to you if the problem occurs again.
>> The problem still persists. Is such an issue known to you for RHEL4 maybe?
> I am not aware of connect timeout problems with any OS/LDAP module version.
>
> Also, I noticed you have upgraded Net::SSLeay but LDAPS uses
> IO::Socket::SSL too so you could consider upgrading it if you want to
> make sure all modules are up-to-date.
Thanks, I've upgraded IO::Socket::SSL from 1.13 to 1.77 and a bunch of
other modules and will test again.
>
> I took a look at what Net::LDAPS::new() does. It loops through all the
> hosts it is given and uses the Timeout value for each host individually.
> In other words, 'Timeout 3' applies per host as opposed to both hosts in
> your case.
>
> Are you still using a single AuthBy LDAP2 or are you experiencing
> connect problems when there's just one Host in AuthBy LDAP2?
I still use one AuthBy LDAP2 with two hosts.
When you look at the log lines it can't be a timeout issue:
Tue Oct 23 11:37:44 2012: INFO: Connecting to 10.1.2.1 10.1.2.2:636
Tue Oct 23 11:37:44 2012: ERR: Could not open LDAP connection to
10.1.2.1 10.1.2.2:636. Backing off for 5 seconds.
>
> Thanks,
> Heikki
>
>


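Heikki's two points in this thread, the earlier one that two AuthBy LDAP2 clauses with a single Host each let the default AuthByPolicy ContinueWhileIgnore and FailureBackoffTime handle failover under radiusd's control, and the one in this message that Net::LDAPS::new() tries the hosts of a multi-host clause one after another with the Timeout applied per host, are easiest to see with a small model. The Python below is an added example, not Radiator code and not from this thread: each clause owns one host and a backoff deadline, a connection failure returns IGNORE and starts the backoff, a successful connection returns ACCEPT or REJECT, and the chain stops at the first non-IGNORE result. The clock and the LDAP connections are injected so the run is deterministic; host addresses are the ones from the config above, the user database and outage window are constructed.

```python
"""Constructed model of AuthBy LDAP2 failover (not Radiator code).

Two single-host clauses, ContinueWhileIgnore, FailureBackoffTime per clause,
with clock and LDAP connectivity injected for an offline, repeatable trace.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, IGNORE = "ACCEPT", "REJECT", "IGNORE"

# connect(host) returns on success and raises ConnectionError on failure.
Connector = Callable[[str], None]


@dataclass
class AuthByLdap2:
    host: str
    connect: Connector
    failure_backoff_time: float = 5.0   # FailureBackoffTime in seconds
    backoff_until: float = 0.0
    attempts: int = 0                   # connection attempts actually made

    def authenticate(self, user: str, now: float, directory: Dict[str, str]) -> str:
        # While backing off, IGNORE immediately without touching the server.
        if now < self.backoff_until:
            return IGNORE
        self.attempts += 1
        try:
            self.connect(self.host)
        except ConnectionError:
            # "Could not open LDAP connection ... Backing off for 5 seconds."
            self.backoff_until = now + self.failure_backoff_time
            return IGNORE
        # Connected: an unknown user is a REJECT, not an IGNORE, so the
        # Handler stops here instead of asking the next clause.
        return ACCEPT if user in directory else REJECT


def continue_while_ignore(authbys: List[AuthByLdap2], user: str, now: float,
                          directory: Dict[str, str]) -> str:
    """AuthByPolicy ContinueWhileIgnore: move on only while clauses IGNORE."""
    result = IGNORE
    for ab in authbys:
        result = ab.authenticate(user, now, directory)
        if result != IGNORE:
            break
    return result


def multi_host_worst_case(timeout: float, hosts: List[str]) -> float:
    """With one clause listing several hosts, Net::LDAP applies Timeout to
    each host in turn, so the worst-case connect wait is the sum, not the
    single Timeout value from the config."""
    return timeout * len(hosts)


def make_connector(down_until: Dict[str, float], clock: List[float]) -> Connector:
    """Constructed server behaviour: a host refuses connections until a time."""
    def connect(host: str) -> None:
        if clock[0] < down_until.get(host, 0.0):
            raise ConnectionError(host)
    return connect


def scenario() -> List[Tuple[float, str, int, int]]:
    """Requests at t=0, 2 and 6 s with the first DC down until t=4 s.
    Returns (time, result, attempts on dc1, attempts on dc2) per request."""
    clock = [0.0]
    connect = make_connector({"10.1.2.1": 4.0}, clock)
    dc1 = AuthByLdap2("10.1.2.1", connect)
    dc2 = AuthByLdap2("10.1.2.2", connect)
    directory = {"alice": "constructed-entry"}
    out = []
    for t in (0.0, 2.0, 6.0):
        clock[0] = t
        result = continue_while_ignore([dc1, dc2], "alice", t, directory)
        out.append((t, result, dc1.attempts, dc2.attempts))
    return out


if __name__ == "__main__":
    for row in scenario():
        print(row)
    print("worst case, one clause with two hosts and Timeout 3:",
          multi_host_worst_case(3.0, ["10.1.2.1", "10.1.2.2"]))
```

In the run, the request at t=2 never touches the failed controller because its backoff is still active, and at t=6 it is tried again and serves the request. The REJECT branch is what makes the order of the clauses matter: a user that exists on neither server is rejected by the first reachable one, and a user known only to the second server would be rejected before it is consulted, so this layout fits replicas of one directory, which is the case for two domain controllers.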



Re: [RADIATOR] tacacs+ and command auth

2012-11-07 Thread Alexander Hartmaier



Hi Murat,
Yes, Radiator supports Tacacs and command authorization.
It converts all Tacacs requests to radius requests internally so you can handle them like radius requests.
The authorization is handled by an AuthGroup radius attribute that controls in which group a user is.
Look at the configuration options in the Radiator reference manual.
Best regards, Alexander Hartmaier

Network Security Engineer
T-Systems Austria GesmbH

On 2012-11-07 08:58, Murat Bilal wrote:



Hi all,
 
I wonder if Radiator supports the TACACS protocol and command authorization. If so, can I install this scenario on a 2-node Linux (Ubuntu) MySQL cluster?
 
Thanks
 
MURAT BİLAL
 
Services Engineer


Ericsson Turkey
CU Customer Support
Cyber Plaza C Blok Kat:1 No:146
Cyberpark 6800 Bilkent/Ankara
Mobile +90 554 898 98 43
murat.bi...@ericsson.com
www.ericsson.com 
 


  

This Communication is Confidential. We only send and receive email on the basis of the terms set out at
www.ericsson.com/email_disclaimer
 
 


 





Re: [RADIATOR] A few tips on performance and high availabilty

2012-12-03 Thread Alexander Hartmaier
Thanks for sharing those best practices with the list!

On 2012-12-03 17:17, Anders Bandholm wrote:
> Hi list!
>
> We have been running Radiator for several purposes for around 5 years,
> and I would like to share a few tricks that we have learned...
>
>
> Memcached
> -
>
> Memcached is a distributed cache with a simple Perl API. We run an instance
> of memcached on each Radius-server. We use it for several things:
>
>   * We use it in a PostAuthHook for rejecting users with too many login
> failures (to prevent brute-force password guessing)
>
>   * We cache certain SOAP-calls. Since Radiator is single-threaded, fast
> answers from backends are imperative as you probably know. We use
> memcached in a "defensive" way: We always make the SOAP-call first,
> but with a low timeout (0.1 sec). If the call times out, we use the
> cache - if not we save the result to the cache.
>
>   * we have started a service for our customers (Danish schools) where
> they get alerts by email when user up- or download exceeds certain
> thresholds. This is handled by summing up bytes from accounting
> records in a PostProcessingHook. The counters for each user are kept
> in memcached.
>
> It seems to me that memcached is a perfect companion for Radiator!
>
> Memcached is of course not a database, and if you shut down one of
> the memcached instances you will lose part of your cache. But for the
> purposes above it works very well.
>
> The Perl module is Cache::Memcached.
>
> If you run Linux memcached is probably packaged for you - on Debian/Ubuntu
> you need packages like these:
>
> memcached
> libcache-memcached-perl
> libmemcached-tools
>
>
> Two other tricks
> 
>
>  1) We have started using Gearman to make it possible for the main radii
> to offload certain slow things to other servers. As explained above
> our radii keep track of user up/downloads through acct-records, and
> when a certain limit is reached we send email alerts to the relevant
> admin. But we don't want Radiator itself to send the email - we submit
> a job through Gearman (Perl: Gearman::Client and Gearman::Worker)
> This is a very promising technology and I expect we will use it more
> in the future.
I'd use a local MTA for queuing the mails to simplify things.
>
>  2) Simple trick - probably used by many of you: We have the client list
> in an Oracle database, but since the database is sometimes down
> for maintenance, we generate static file-based client-lists every
> 10 minutes instead, and reload Radiator when they change. If Oracle
> is down, Radiator does not suffer. (The 10 minutes interval is
> overkill for most installations ;-)
The client list is fine from the Oracle database directly because it
isn't updated if the db query fails.

But for users (AuthBy SQL) we use a local SQLite database which is
created from the Oracle database via a Perl script every hour or manually.
That has the advantage of being able to switch between it and the Oracle
database without reconfiguring Radiator much, just the dsn.
Also reloading Radiator isn't required with SQLite.
>
>
> Cheers,
> Anders

--
Best regards, Alex



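The memcached-backed lockout Anders describes, as an added example rather than his or Radiator's code: the policy lives in a plain function, the Radiator glue assumes the PostAuthHook argument layout from goodies/hooks.txt (references to request, reply, result and reason) and the Radius::Radius get_attr method, and the MemStore package at the end is a constructed stand-in for Cache::Memcached so the file runs without a daemon.

```perl
package FailureLimiter;
# Added example (not Anders's or Radiator's code): a PostAuthHook that
# counts rejects per user in memcached and forces a REJECT once a user
# has failed too often within the current window.
use strict;
use warnings;

use constant MAX_FAILURES => 5;    # rejects allowed per window
use constant WINDOW       => 300;  # seconds; the memcached expiry resets it

# Core policy, independent of Radiator so it can run stand-alone.
# $store must offer get/add/incr/delete with Cache::Memcached semantics.
# Returns 1 when the user is locked out, 0 otherwise.
sub track {
    my ($store, $user, $was_rejected) = @_;
    my $key   = "authfail:$user";
    my $count = $store->get($key) || 0;

    # Already over the limit: stay locked until the key expires,
    # whatever the backend answered this time.
    return 1 if $count >= MAX_FAILURES;

    if (!$was_rejected) {
        $store->delete($key);      # a success resets the counter
        return 0;
    }

    # incr() returns undef when the key is absent; add() then creates it
    # with the expiry, so the window starts at the first failure.
    my $new = $store->incr($key, 1);
    if (!defined $new) {
        $store->add($key, 1, WINDOW);
        $new = 1;
    }
    return $new >= MAX_FAILURES ? 1 : 0;
}

# Radiator glue. Assumed argument layout (goodies/hooks.txt): references
# to the request, the reply, the result code and the reason string.
our $store;
sub post_auth_hook {
    my ($p_ref, $rp_ref, $result_ref, $reason_ref) = @_;
    $store ||= do {
        require Cache::Memcached;
        Cache::Memcached->new({ servers => ['127.0.0.1:11211'] });
    };
    my $user = $$p_ref->get_attr('User-Name');
    return unless defined $user && length $user;

    my $rejected = ($$result_ref == $main::REJECT) ? 1 : 0;
    if (track($store, $user, $rejected)) {
        $$result_ref = $main::REJECT;
        $$reason_ref = 'Too many failed logins, try again later';
    }
    return;
}
# radiusd.cfg:
#   StartupHook  sub { require "%D/FailureLimiter.pm"; }
#   PostAuthHook sub { FailureLimiter::post_auth_hook(@_); }

# Constructed in-memory stand-in for Cache::Memcached (get/add/incr/delete
# with expiry) so the policy can be exercised without a memcached daemon.
package MemStore;
sub new    { bless { d => {} }, shift }
sub _live  { my ($s, $k) = @_; my $e = $s->{d}{$k}; ($e && $e->[1] > time) ? $e : undef }
sub get    { my ($s, $k) = @_; my $e = $s->_live($k); $e ? $e->[0] : undef }
sub delete { CORE::delete $_[0]{d}{$_[1]}; 1 }
sub add    { my ($s, $k, $v, $ttl) = @_; return 0 if $s->_live($k); $s->{d}{$k} = [$v, time + $ttl]; 1 }
sub incr   { my ($s, $k, $n) = @_; my $e = $s->_live($k) or return undef; $e->[0] += $n }

package main;
unless (caller) {
    my $store = MemStore->new;
    for my $try (1 .. 6) {
        printf "reject %d -> locked=%d\n", $try, FailureLimiter::track($store, 'alice', 1);
    }
    # A correct password is not enough while the window is still open.
    print "accept while locked -> locked=", FailureLimiter::track($store, 'alice', 0), "\n";
}
1;
```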


[RADIATOR] OCSP support

2012-12-07 Thread Alexander Hartmaier
Hi guys,
does Radiator support OCSP?
It might be a better alternative to manually downloading CRLs and
restarting Radiator because openssl caches the CRL file.

--
Best regards, Alexander Hartmaier




Re: [RADIATOR] OCSP support

2012-12-12 Thread Alexander Hartmaier
On 2012-12-12 14:30, Heikki Vatiainen wrote:
> On 12/07/2012 11:02 AM, Alexander Hartmaier wrote:
>
>> does Radiator support OCSP?
>> It might be a better alternative to manually downloading CRLs and
>> restarting Radiator because openssl caches the CRL file.
> Hello Alexander. Radiator does not support OCSP. I checked about the
> reasons, and there are two main issues: first, Net-SSLeay does not have
> OCSP support. The second issue is the negative effect the latency and
> performance are likely to cause. This of course is site specific, but
> there's still the issue of missing support in the underlying modules.
>
> Thanks,
> Heikki
>
Thanks for the explanations Heikki!

--
Best regards, Alexander Hartmaier




[RADIATOR] F5 BigIP vendor specific attributes

2013-01-09 Thread Alexander Hartmaier
Hi guys,
please add those to the dictionary (taken from 
http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):

#
# F5 BigIP
#
VENDOR      F5      3375
VENDORATTR  3375    F5-LTM-User-Role            1   integer
VENDORATTR  3375    F5-LTM-User-Role-Universal  2   integer # enable/disable
VENDORATTR  3375    F5-LTM-User-Partition       3   string
VENDORATTR  3375    F5-LTM-User-Console         4   integer # enable/disable
VENDORATTR  3375    F5-LTM-User-Shell           5   string  # supported values are disable, tmsh, and bpsh
VENDORATTR  3375    F5-LTM-User-Context-1       10  integer
VENDORATTR  3375    F5-LTM-User-Context-2       11  integer
VENDORATTR  3375    F5-LTM-User-Info-1          12  string
VENDORATTR  3375    F5-LTM-User-Info-2          13  string

VALUE   F5-LTM-User-Role    Administrator   0
VALUE   F5-LTM-User-Role    Resource-Admin  20
VALUE   F5-LTM-User-Role    User-Manager    40
VALUE   F5-LTM-User-Role    Auditor         80
VALUE   F5-LTM-User-Role    Manager         100
VALUE   F5-LTM-User-Role    App-Editor      300
VALUE   F5-LTM-User-Role    Operator        400
VALUE   F5-LTM-User-Role    Guest           700
VALUE   F5-LTM-User-Role    Policy-Editor   800
VALUE   F5-LTM-User-Role    No-Access       900

VALUE   F5-LTM-User-Role-Universal  Disabled    0
VALUE   F5-LTM-User-Role-Universal  Enabled     1

VALUE   F5-LTM-User-Console Disabled    0
VALUE   F5-LTM-User-Console Enabled     1

--
Best regards, Alexander Hartmaier



Re: [RADIATOR] F5 BigIP vendor specific attributes

2013-01-10 Thread Alexander Hartmaier
Hi Mike,

On 2013-01-10 01:05, Mike McCauley wrote:
> Hello Alexander,
>
>
> Thanks added to the latest patch set.
> Question though:
> It appears like the values for F5-LTM-User-Role are a bit like HEX bitmasks, 
> but they are presented here as decimal. Any idea which is correct?
No, sorry. I've only copied them from the given vendor website and
transformed them to Radiator dictionary format.
>
>
> On Wednesday, January 09, 2013 05:08:51 PM Alexander Hartmaier wrote:
>> Hi guys,
>> please add those to the dictionary (taken from
>> http://support.f5.com/kb/en-us/solutions/public/11000/400/sol11431.html):
>>
>> #
>> # F5 BigIP
>> #
>> VENDOR      F5      3375
>> VENDORATTR  3375    F5-LTM-User-Role            1   integer
>> VENDORATTR  3375    F5-LTM-User-Role-Universal  2   integer # enable/disable
>> VENDORATTR  3375    F5-LTM-User-Partition       3   string
>> VENDORATTR  3375    F5-LTM-User-Console         4   integer # enable/disable
>> VENDORATTR  3375    F5-LTM-User-Shell           5   string  # supported values are disable, tmsh, and bpsh
>> VENDORATTR  3375    F5-LTM-User-Context-1       10  integer
>> VENDORATTR  3375    F5-LTM-User-Context-2       11  integer
>> VENDORATTR  3375    F5-LTM-User-Info-1          12  string
>> VENDORATTR  3375    F5-LTM-User-Info-2          13  string
>>
>> VALUE   F5-LTM-User-Role    Administrator   0
>> VALUE   F5-LTM-User-Role    Resource-Admin  20
>> VALUE   F5-LTM-User-Role    User-Manager    40
>> VALUE   F5-LTM-User-Role    Auditor         80
>> VALUE   F5-LTM-User-Role    Manager         100
>> VALUE   F5-LTM-User-Role    App-Editor      300
>> VALUE   F5-LTM-User-Role    Operator        400
>> VALUE   F5-LTM-User-Role    Guest           700
>> VALUE   F5-LTM-User-Role    Policy-Editor   800
>> VALUE   F5-LTM-User-Role    No-Access       900
>>
>> VALUE   F5-LTM-User-Role-Universal  Disabled    0
>> VALUE   F5-LTM-User-Role-Universal  Enabled     1
>>
>> VALUE   F5-LTM-User-Console Disabled    0
>> VALUE   F5-LTM-User-Console Enabled     1
>>
>> --
>> Best regards, Alexander Hartmaier
>>
>>

-- 
LG Alex



Re: [RADIATOR] run exe file after accounting stop

2013-01-17 Thread Alexander Hartmaier
Hi Thomas,

the hooks are just regular Perl code so look at perldoc, either on the cli or 
perldoc.perl.org.

You want system [1], but note that the Radiator process will wait for it to exit
before it continues processing, which might introduce a performance problem.

[1] http://perldoc.perl.org/functions/system.html

Best regards, Alex

On 2013-01-17 13:32, Thomas KCCG wrote:
Hello Guys,
What are the hook configuration lines required for running an
".exe file" after the radiator receives an accounting stop packet from the NAS 
(cisco ISG).

As there are no examples in the radiator documentations, goodies folder or 
mailing lists archives I really need your help on this.


Thanks & Best Regards,

Thomas Kurian









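Added example (not Thomas's or Radiator's code) of the hook Alex points at, written for a Unix host: the program is started with a list-form exec in a detached grandchild, so Radiator does not wait for it and attribute values never pass through a shell. Assumed: PostProcessingHook receives references to the request and the reply, Radius::Radius offers code and get_attr, and /usr/local/bin/acct-stop-handler is a placeholder path.

```perl
package AcctStopRunner;
# Added example, not Thomas's or Radiator's code. Runs an external program
# when an Accounting-Request with Acct-Status-Type = Stop arrives, without
# Radiator blocking on it (the problem noted in the reply above).
use strict;
use warnings;
use POSIX ();

my $program = '/usr/local/bin/acct-stop-handler';   # placeholder path

# Decide whether a packet is an accounting Stop. Takes the packet code and
# the Acct-Status-Type value so it can be tested without a Radius::Radius
# object.
sub is_acct_stop {
    my ($code, $status) = @_;
    return 0 unless defined $code && defined $status;
    return ($code eq 'Accounting-Request' && $status eq 'Stop') ? 1 : 0;
}

# Build the argument list. Attribute values become separate argv entries,
# never part of a shell command line, so a User-Name containing shell
# metacharacters is just a string handed to the program.
sub build_argv {
    my (%attr) = @_;
    return ($program,
            '--user',       $attr{'User-Name'}          // '',
            '--session',    $attr{'Acct-Session-Id'}    // '',
            '--octets-in',  $attr{'Acct-Input-Octets'}  // 0,
            '--octets-out', $attr{'Acct-Output-Octets'} // 0);
}

# Double fork: the child exits at once (so waitpid returns immediately and
# no zombie is left behind), the grandchild execs the program and is
# reparented to init.
sub spawn_detached {
    my @argv = @_;
    my $pid = fork;
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        my $gpid = fork;
        POSIX::_exit(1) unless defined $gpid;
        POSIX::_exit(0) if $gpid;          # intermediate child is done
        exec { $argv[0] } @argv;           # list form: no shell involved
        POSIX::_exit(127);                 # only reached if exec fails
    }
    waitpid($pid, 0);
    return 1;
}

# Radiator PostProcessingHook glue; assumed arguments are references to the
# request and the reply (check goodies/hooks.txt for your version).
sub post_processing_hook {
    my ($p_ref, $rp_ref) = @_;
    my $p = $$p_ref;
    return unless is_acct_stop($p->code, $p->get_attr('Acct-Status-Type'));
    my %attr = map { $_ => $p->get_attr($_) }
        qw(User-Name Acct-Session-Id Acct-Input-Octets Acct-Output-Octets);
    spawn_detached(build_argv(%attr));
    return;
}
# radiusd.cfg:  PostProcessingHook sub { AcctStopRunner::post_processing_hook(@_); }

package main;
unless (caller) {
    # Constructed sample: the argv the hook would build for a Stop record.
    my @argv = AcctStopRunner::build_argv(
        'User-Name' => 'alice', 'Acct-Session-Id' => '0001A2B3',
        'Acct-Input-Octets' => 12345, 'Acct-Output-Octets' => 67890);
    print join(' ', @argv), "\n";
    print "stop? ", AcctStopRunner::is_acct_stop('Accounting-Request', 'Start'), "\n";
}
1;
```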

Re: [RADIATOR] New Error messages

2013-01-17 Thread Alexander Hartmaier
On 2013-01-17 17:31, Michael Hulko wrote:
> Lately I've been seeing these errors daily which were not there prior to the 
> new year:
>
> Jan  8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3,  line 699827.
> Jan  8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3,  line 352731.
> Jan  8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3,  line 354206.
> Jan  8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3,  line 356467.
> Jan  8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3,  line 358402.
> Jan  9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3,  line 371473.
> [11:17:45 slogr] grep "Could not load EAP module Radius::EAP" console
> Jan  9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3,  line 532256.
>
> Can someone shed some light... we are running Radiator version 10.
First, there is no version 10, the latest version is 4.11.
The changelog for version 4.8 says:
- Fixed an issue where truncated EAP-Message requests would cause a log
message like "Could not load EAP module Radius::EAP_" . This is now
logged as invalid EAP type in EAP request and rejected. Reported by
Daniel Rocha.

So I guess you're running an older version than 4.8. Update and look if
the errors are still present.
>
> Thanks
>
> Michael Hulko
> Network Analyst
>
> Western University Canada
> Network Operations Centre
> Information Technology Services
> 1393 Western Road, SSB 3300CC
> London, Ontario  N6G 1G9
>
> tel: 519-661-2111 x81390
> e-mail: mihu...@uwo.ca <mailto:mihu...@uwo.ca>
>
>
>
>
>

Best regards, Alexander Hartmaier



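An added illustration (not Radiator's code) of the check the 4.8 changelog entry describes: validate the EAP header carried in EAP-Message before its type byte is turned into a module name, so a truncated or malformed request is rejected as an invalid EAP type instead of triggering a module load. The sample packets, including the unknown type 66, are constructed.

```perl
package EapCheck;
# Added example, not Radiator's code: validates the EAP header carried in an
# EAP-Message attribute before the type is used to select an EAP module.
use strict;
use warnings;

# EAP method numbers a server would dispatch on (IANA assignments); any
# other value is reported as unknown rather than turned into a module name.
our %KNOWN_TYPE = (1 => 'Identity', 2 => 'Notification', 3 => 'Nak',
                   4 => 'MD5-Challenge', 13 => 'TLS', 21 => 'TTLS',
                   25 => 'PEAP', 26 => 'MSCHAPv2');

# EAP header: Code(1) Identifier(1) Length(2), then Type(1) for
# Request/Response. Returns (type, undef) when the framing is sound,
# (undef, reason) when the message must be rejected.
sub eap_type {
    my ($msg) = @_;
    return (undef, 'EAP header truncated (need 4 bytes)') if length($msg) < 4;
    my ($code, $id, $len) = unpack 'C C n', $msg;
    return (undef, "EAP length $len exceeds " . length($msg) . ' bytes present')
        if $len > length($msg);
    return (undef, "EAP length $len below header size") if $len < 4;
    # Success (3) and Failure (4) carry no type byte; only codes 1 and 2 do.
    return (undef, "EAP code $code carries no type") unless $code == 1 || $code == 2;
    return (undef, 'EAP type byte missing') if $len < 5;
    my $type = unpack 'C', substr($msg, 4, 1);
    return (undef, "invalid EAP type $type in EAP request")
        unless exists $KNOWN_TYPE{$type};
    return ($type, undef);
}

package main;
unless (caller) {
    # Constructed samples: a complete Identity response, the same packet cut
    # after the length field, and a response claiming an unknown method.
    my $ok   = pack('C C n C a*', 2, 7, 10, 1, 'alice');
    my $cut  = substr($ok, 0, 4);
    my $junk = pack('C C n C', 2, 7, 5, 66);
    for my $m ($ok, $cut, $junk) {
        my ($t, $why) = EapCheck::eap_type($m);
        print defined $t ? "type $t ($EapCheck::KNOWN_TYPE{$t})\n" : "reject: $why\n";
    }
}
1;
```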


[RADIATOR] [RFC] configurable hooks

2013-01-31 Thread Alexander Hartmaier
Hi,
we'd need a way to pass config parameters to hooks to be able to use
them in multiple different handlers e.g. sending OTPs by SMS with
different accounts.
Is there already a way to do this which I've overlooked?
I'm currently abusing Radius attributes to get those static parameters
into the hooks but being able to pass options in the config would make
the config much clearer.

--
Best regards, Alexander Hartmaier




Re: [RADIATOR] [RFC] configurable hooks

2013-01-31 Thread Alexander Hartmaier
On 2013-01-31 15:31, Heikki Vatiainen wrote:
> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>
>> we'd need a way to pass config parameters to hooks to be able to use
>> them in multiple different handlers e.g. sending OTPs by SMS with
>> different accounts.
>> Is there already a way to do this which I've overlooked?
> How about this:
>
> # radiusd config file
>
> StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
> 
># AuthBys
>PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
> 
> 
># AuthBys
>PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
> 
>
> File MyHooks.pm would be something like this:
>
> # start of MyHooks.pm
> package MyHooks;
> use strict;
> use warnings;
> # PostAuthHook
> #
> sub sendSMS {
> my $p = ${$_[0]};  # Request packet
> my $rp = ${$_[1]}; # Response packet
> my $result = $_[2];# Verdict: success or not
> my $reason = $_[3];# String that tells reason for a reject
> my $account = $_[4];   # Account name
> my $param = $_[5]; # Some other param
>
> # code goes here
> }
>
> 1;
> # end of MyHooks.pm
>
>> I'm currently abusing Radius attributes to get those static parameters
>> into the hooks but being able to pass options in the config would make
>> the config much clearer.
> The above keeps the the existing PostAuthHook arguments as they are and
> adds the possibility for static arguments as additional options to
> existing PostAuthHook options.
>
> Would this work for you?
>
> Thanks,
> Heikki
>
I knew you guys have a solution, as always, awesome! That's good enough
for what I need and definitely better than putting parameters in Radius
attributes to fetch them in the handler.
Could you add that example to hooks.txt in the goodies dir?




Re: [RADIATOR] [RFC] configurable hooks

2013-01-31 Thread Alexander Hartmaier
On 2013-01-31 22:58, Hugh Irvine wrote:
> Hello Alex -
>
> You can also use GlobalVar's for static parameters.
>
> See section 5.6.23 in the Radiator 4.11 reference manual ("doc/ref.pdf").
>
> There is an example in "goodies/hooks.txt".
>
> regards
>
> Hugh
>
>
> On 1 Feb 2013, at 01:31, Heikki Vatiainen  wrote:
>
>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>
>>> we'd need a way to pass config parameters to hooks to be able to use
>>> them in multiple different handlers e.g. sending OTPs by SMS with
>>> different accounts.
>>> Is there already a way to do this which I've overlooked?
>> How about this:
>>
>> # radiusd config file
>>
>> StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>> 
>>   # AuthBys
>>   PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>> 
>> 
>>   # AuthBys
>>   PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>> 
>>
>> File MyHooks.pm would be something like this:
>>
>> # start of MyHooks.pm
>> package MyHooks;
>> use strict;
>> use warnings;
>> # PostAuthHook
>> #
>> sub sendSMS {
>>my $p = ${$_[0]};  # Request packet
>>my $rp = ${$_[1]}; # Response packet
>>my $result = $_[2];# Verdict: success or not
>>my $reason = $_[3];# String that tells reason for a reject
>>my $account = $_[4];   # Account name
>>my $param = $_[5]; # Some other param
>>
>># code goes here
>> }
>>
>> 1;
>> # end of MyHooks.pm
>>
>>> I'm currently abusing Radius attributes to get those static parameters
>>> into the hooks but being able to pass options in the config would make
>>> the config much clearer.
>> The above keeps the the existing PostAuthHook arguments as they are and
>> adds the possibility for static arguments as additional options to
>> existing PostAuthHook options.
>>
>> Would this work for you?
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen 
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>
Hi Hugh,
I haven't had time to reply to Heikki's post yesterday, his solution is
what I was looking for, thanks!
GlobalVars won't help there because I need to use the same handler
multiple times in a single Radiator instance with different params.




Re: [RADIATOR] [RFC] configurable hooks

2013-02-01 Thread Alexander Hartmaier
On 2013-02-01 10:08, Hugh Irvine wrote:
> Hello Alex -
>
> The way to do this with GlobalVar's is to use different Identifiers in the 
> Handlers thus:
>
> …..
>
> DefineFormattedGlobalVar  Handler1-param1  whatever
>
> DefineFormattedGlobalVar  Handler1-param2  whatever-else
>
> DefineFormattedGlobalVar  Handler2-param1  something
>
> DefineFormattedGlobalVar  Handler2-param2  something-else
>
> …..
>
> 
>
>   Identifier Handler1
>
>   ……
>
>   …… %{GlobalVar:%{Handler-Identifier}-param1} …..
>
>   …… %{GlobalVar:%{Handler-Identifier}-param2} …..
>
> 
>
> 
>
>   Identifier Handler2
>
>   ……
>
>   …… %{GlobalVar:%{Handler-Identifier}-param1} …..
>
>   …… %{GlobalVar:%{Handler-Identifier}-param2} …..
>
> 
>
> …..
>
> Here is an example:
>
> …..
>
> Radiator-4.11 hugh$ cat global.cfg 
>
> AuthPort 11645
> AcctPort 11646
>
> LogDir ./logs
> DbDir .
>
> Trace 4
>
> DefineFormattedGlobalVar  Handler1-param1  whatever
>
> DefineFormattedGlobalVar  Handler1-param2  whatever-else
>
> DefineFormattedGlobalVar  Handler2-param1  something
>
> DefineFormattedGlobalVar  Handler2-param2  something-else
>
> 
>   Secret mysecret
> 
>
> 
>   Identifier Handler1
>   
>   DefaultResult ACCEPT
>   AddToReply Reply-Message = 
> %{GlobalVar:%{Handler:Identifier}-param1}
>   
> 
>
> here is the result:
>
> Radiator-4.11 hugh$ perl radpwtst -auth_port 11645 -noacct -user hugh 
> -password hugh -trace 4
> Fri Feb  1 20:02:16 2013: DEBUG: Reading dictionary file './dictionary'
> sending Access-Request...
> Fri Feb  1 20:02:16 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 11645 
> Code:   Access-Request
> Identifier: 121
> Authentic:  <143><6><136>9o<141>% @<148><2>vO<15>/<212>
> Attributes:
>   User-Name = "hugh"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Identifier = "203.63.154.1"
>   NAS-Port = 1234
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   NAS-Port-Type = Async
>   User-Password = T<142><153>t<137>lv<193>$I1_<249><14><201><164>
>
> Fri Feb  1 20:02:16 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 51957 
> Code:   Access-Request
> Identifier: 121
> Authentic:  <143><6><136>9o<141>% @<148><2>vO<15>/<212>
> Attributes:
>   User-Name = "hugh"
>   Service-Type = Framed-User
>   NAS-IP-Address = 203.63.154.1
>   NAS-Identifier = "203.63.154.1"
>   NAS-Port = 1234
>   Called-Station-Id = "123456789"
>   Calling-Station-Id = "987654321"
>   NAS-Port-Type = Async
>   User-Password = T<142><153>t<137>lv<193>$I1_<249><14><201><164>
>
> Fri Feb  1 20:02:16 2013: DEBUG: Handling request with Handler '', Identifier 
> 'Handler1'
> Fri Feb  1 20:02:16 2013: DEBUG:  Deleting session for hugh, 203.63.154.1, 
> 1234
> Fri Feb  1 20:02:16 2013: DEBUG: Handling with AuthINTERNAL: 
> Fri Feb  1 20:02:16 2013: DEBUG: AuthBy INTERNAL result: ACCEPT, Fixed by 
> DefaultResult
> Fri Feb  1 20:02:16 2013: DEBUG: Access accepted for hugh
> Fri Feb  1 20:02:16 2013: DEBUG: Packet dump:
> *** Sending to 127.0.0.1 port 51957 
> Code:   Access-Accept
> Identifier: 121
> Authentic:  A<195>P<232><<2>z<217>Fmg<153><185><149><16>$
> Attributes:
>   Reply-Message = "whatever"
>
> Fri Feb  1 20:02:16 2013: DEBUG: Packet dump:
> *** Received from 127.0.0.1 port 11645 
> Code:   Access-Accept
> Identifier: 121
> Authentic:  A<195>P<232><<2>z<217>Fmg<153><185><149><16>$
> Attributes:
>   Reply-Message = "whatever"
>
> OK
>
> …..
>
>
> You can of course expand the GlobalVar's in your hook code too.
>
> regards
>
> Hugh
Ah, thanks! I haven't used GlobalVars at all so far.
I guess it makes sense if you need the same var more than once which is
not the case for me.

Best regards, Alex
>
>
> On 1 Feb 2013, at 18:46, Alexander Hartmaier 
>  wrote:
>
>> On 2013-01-31 22:58, Hugh Irvine wrote:
>>> Hello Alex -
>>>
>>> You can also use Globa

Re: [RADIATOR] [RFC] configurable hooks

2013-02-05 Thread Alexander Hartmaier
On 2013-01-31 15:31, Heikki Vatiainen wrote:
> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>
>> we'd need a way to pass config parameters to hooks to be able to use
>> them in multiple different handlers e.g. sending OTPs by SMS with
>> different accounts.
>> Is there already a way to do this which I've overlooked?
> How about this:
>
> # radiusd config file
>
> StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
> 
># AuthBys
>PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
> 
> 
># AuthBys
>PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
> 
>
> File MyHooks.pm would be something like this:
>
> # start of MyHooks.pm
> package MyHooks;
> use strict;
> use warnings;
> # PostAuthHook
> #
> sub sendSMS {
> my $p = ${$_[0]};  # Request packet
> my $rp = ${$_[1]}; # Response packet
> my $result = $_[2];# Verdict: success or not
> my $reason = $_[3];# String that tells reason for a reject
> my $account = $_[4];   # Account name
> my $param = $_[5]; # Some other param
>
> # code goes here
> }
>
> 1;
> # end of MyHooks.pm
>
>> I'm currently abusing Radius attributes to get those static parameters
>> into the hooks but being able to pass options in the config would make
>> the config much clearer.
> The above keeps the the existing PostAuthHook arguments as they are and
> adds the possibility for static arguments as additional options to
> existing PostAuthHook options.
>
> Would this work for you?
>
> Thanks,
> Heikki
>
I've looked into it today and have some questions:
- is it safe to assume that the list of arguments passed to the
ChallengeHook in my case is always ($self, $user, $p, $context)?
If one arg is missing my added arguments would shift and populate the
wrong variables. I was thinking about passing them by name in a hashref
as first instead of last argument instead.

- is it safe to die in hook code or will that tear down the Radiator
process? I'm asking because that's the preferred way of doing argument
validation, e.g.
die 'id missing'
unless defined $id;

Another note, I've used %D instead of the hardcoded path which works
just as well:

StartupHook sub { require "%D/MyHooks.pm"; }





Re: [RADIATOR] [RFC] configurable hooks

2013-02-05 Thread Alexander Hartmaier
On 2013-02-05 19:39, Alexander Hartmaier wrote:
> On 2013-01-31 15:31, Heikki Vatiainen wrote:
>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>
>>> we'd need a way to pass config parameters to hooks to be able to use
>>> them in multiple different handlers e.g. sending OTPs by SMS with
>>> different accounts.
>>> Is there already a way to do this which I've overlooked?
>> How about this:
>>
>> # radiusd config file
>>
>> StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>> 
>># AuthBys
>>PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>> 
>> 
>># AuthBys
>>PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>> 
>>
>> File MyHooks.pm would be something like this:
>>
>> # start of MyHooks.pm
>> package MyHooks;
>> use strict;
>> use warnings;
>> # PostAuthHook
>> #
>> sub sendSMS {
>> my $p = ${$_[0]};  # Request packet
>> my $rp = ${$_[1]}; # Response packet
>> my $result = $_[2];# Verdict: success or not
>> my $reason = $_[3];# String that tells reason for a reject
>> my $account = $_[4];   # Account name
>> my $param = $_[5]; # Some other param
>>
>> # code goes here
>> }
>>
>> 1;
>> # end of MyHooks.pm
>>
>>> I'm currently abusing Radius attributes to get those static parameters
>>> into the hooks but being able to pass options in the config would make
>>> the config much clearer.
>> The above keeps the existing PostAuthHook arguments as they are and
>> adds the possibility for static arguments as additional options to
>> existing PostAuthHook options.
>>
>> Would this work for you?
>>
>> Thanks,
>> Heikki
>>
> I've looked into it today and have some questions:
> - is it safe to assume that the list of arguments passed to the
> ChallengeHook in my case is always ($self, $user, $p, $context)?
> If one arg is missing my added arguments would shift and populate the
> wrong variables. I was thinking about passing them by name in a hashref
> as first instead of last argument.
>
> - is it safe to die in hook code or will that tear down the Radiator
> process? I'm asking because that's the preferred way of doing argument
> validation, e.g.
> die 'id missing'
> unless defined $id;
>
> Another note, I've used %D instead of the hardcoded path which works
> just as well:
>
> StartupHook sub { require "%D/MyHooks.pm"; }
>
>
>
>
I've tested it and found out that it doesn't work: Error in
ChallengeHook(): Undefined subroutine &Hooks::sendSMS called at (eval
233) line 1.
I've tested my modules with perl -e 'require "/etc/radiator/Hooks.pm";
Hooks::sendSMS();' which works fine. I've also tried replacing %D with
/etc/radiator but this also fails. Adding warns to several places
doesn't show up in the radiator log, not even at trace 4. How can I
debug that?




Re: [RADIATOR] [RFC] configurable hooks

2013-02-06 Thread Alexander Hartmaier
On 2013-02-05 20:01, Alexander Hartmaier wrote:
> On 2013-02-05 19:39, Alexander Hartmaier wrote:
>> On 2013-01-31 15:31, Heikki Vatiainen wrote:
>>> On 01/31/2013 02:01 PM, Alexander Hartmaier wrote:
>>>
>>>> we'd need a way to pass config parameters to hooks to be able to use
>>>> them in multiple different handlers e.g. sending OTPs by SMS with
>>>> different accounts.
>>>> Is there already a way to do this which I've overlooked?
>>> How about this:
>>>
>>> # radiusd config file
>>>
>>> StartupHook sub { require "/etc/radiator/MyHooks.pm"; }
>>> 
>>># AuthBys
>>>PostAuthHook sub { MyHooks::sendSMS(@_, 'account1', 'otherparam1'); }
>>> 
>>> 
>>># AuthBys
>>>PostAuthHook sub { MyHooks::sendSMS(@_, 'account2', 'otherparam2'); }
>>> 
>>>
>>> File MyHooks.pm would be something like this:
>>>
>>> # start of MyHooks.pm
>>> package MyHooks;
>>> use strict;
>>> use warnings;
>>> # PostAuthHook
>>> #
>>> sub sendSMS {
>>> my $p = ${$_[0]};  # Request packet
>>> my $rp = ${$_[1]}; # Response packet
>>> my $result = $_[2];# Verdict: success or not
>>> my $reason = $_[3];# String that tells reason for a reject
>>> my $account = $_[4];   # Account name
>>> my $param = $_[5]; # Some other param
>>>
>>> # code goes here
>>> }
>>>
>>> 1;
>>> # end of MyHooks.pm
>>>
>>>> I'm currently abusing Radius attributes to get those static parameters
>>>> into the hooks but being able to pass options in the config would make
>>>> the config much clearer.
>>> The above keeps the existing PostAuthHook arguments as they are and
>>> adds the possibility for static arguments as additional options to
>>> existing PostAuthHook options.
>>>
>>> Would this work for you?
>>>
>>> Thanks,
>>> Heikki
>>>
>> I've looked into it today and have some questions:
>> - is it safe to assume that the list of arguments passed to the
>> ChallengeHook in my case is always ($self, $user, $p, $context)?
>> If one arg is missing my added arguments would shift and populate the
>> wrong variables. I was thinking about passing them by name in a hashref
>> as first instead of last argument.
>>
>> - is it safe to die in hook code or will that tear down the Radiator
>> process? I'm asking because that's the preferred way of doing argument
>> validation, e.g.
>> die 'id missing'
>> unless defined $id;
>>
>> Another note, I've used %D instead of the hardcoded path which works
>> just as well:
>>
>> StartupHook sub { require "%D/MyHooks.pm"; }
>>
>>
>>
>>
> I've tested it and found out that it doesn't work: Error in
> ChallengeHook(): Undefined subroutine &Hooks::sendSMS called at (eval
> 233) line 1.
> I've tested my modules with perl -e 'require "/etc/radiator/Hooks.pm";
> Hooks::sendSMS();' which works fine. I've also tried replacing %D with
> /etc/radiator but this also fails. Adding warns to several places
> doesn't show up in the radiator log, not even at trace 4. How can I
> debug that?
Thanks to mst on #perl-help I quickly found out that my StartupHook
isn't run at all because I've changed it to multiline without
terminating each line with \.
Please make Radiator log such an error, currently it's silently ignored!


Re: [RADIATOR] [RFC] configurable hooks

2013-02-07 Thread Alexander Hartmaier
On 2013-02-07 16:13, Heikki Vatiainen wrote:
> On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
>
>> I've looked into it today and have some questions:
>> - is it safe to assume that the list of arguments passed to the
>> ChallengeHook in my case is always ($self, $user, $p, $context)?
>> If one arg is missing my added arguments would shift and populate the
>> wrong variables. I was thinking about passing them by name in a hashref
>> as first instead of last argument.
> Passing your arguments first would certainly work and would guard
> against the problems that might come if arguments were added or removed
> from ChallengeHook.
>
> I'd say it's a good idea to put your own arguments first.
Will do that, thanks!
>
>> - is it safe to die in hook code or will that tear down the Radiator
>> process? I'm asking because that's the preferred way of doing argument
>> validation, e.g.
>> die 'id missing'
>> unless defined $id;
> It should be safe since hooks are run within eval block and if there are
> errors, they are caught and ERR with 'Error in $hookname...' is logged.
Is that documented somewhere? Couldn't find it in the docs.
>
>> Another note, I've used %D instead of the hardcoded path which works
>> just as well:
>>
>> StartupHook sub { require "%D/MyHooks.pm"; }
> Based on your other messages, there were issues with this which were
> then solved. Is everything working for you now?
>
> Thanks,
> Heikki
>
%D doesn't work, but my problem arose when I changed the StartupHook
from a single line to multiple lines without terminating them with \.
Works now but it would be great if Radiator logged such an error.

Cheers, Alex


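As an added example (not Heikki's, Alex's or Radiator's own code), here is a hook module that takes its static options first in a hashref and validates them with die, together with a small stand-alone harness that mimics the eval wrapping Heikki describes above. The Handler names, the option keys and the assumption that the OTP sits in $context->{otp} are made up for the example.

```perl
#!/usr/bin/perl
# Added example, not Radiator's or Heikki's code.  Static per-Handler
# options travel FIRST, in a hashref; the hook's own arguments follow.
use strict;
use warnings;

package MyHooks;

# Called from the radiusd config on ONE line (or with every continued
# line ending in \, otherwise the hook is silently not run):
#   ChallengeHook sub { MyHooks::sendSMS({ account => 'acct1', from => '+43100' }, @_); }
# Everything after the hashref is exactly what Radiator passed to the hook,
# so if ChallengeHook's list ($self, $user, $p, $context) ever gains or
# loses an argument, our options cannot shift into the wrong variable.
sub sendSMS {
    my ($opts, $self, $user, $p, $context) = @_;

    # Validation by die: Radiator runs hooks inside eval and logs a caught
    # die as "ERR: Error in ChallengeHook(): ...", so radiusd keeps running.
    die "sendSMS: first argument must be a hashref of options\n"
        unless ref $opts eq 'HASH';
    for my $key (qw(account from transport)) {
        die "sendSMS: option '$key' missing\n"
            unless defined $opts->{$key};
    }
    # Assumption for this example: an earlier step stored the OTP in
    # $context->{otp}; the real location depends on your own hook code.
    die "sendSMS: no OTP in context\n"
        unless ref $context eq 'HASH' && defined $context->{otp};

    my $text = "Your one-time password is $context->{otp}";
    # 'transport' is a code ref so the example runs offline; a deployment
    # would call the SMS gateway's API here.  (A real MyHooks.pm ends in 1;)
    return $opts->{transport}->($opts->{account}, $opts->{from}, $user, $text);
}

# ---- stand-alone demo of how a hook gets invoked -------------------------
package main;

my @outbox;                         # constructed stand-in for an SMS gateway
my $transport = sub {
    my ($account, $from, $to, $text) = @_;
    push @outbox, "[$account] $from -> $to: $text";
    return 1;
};

# Two Handlers, two option sets; the second one forgets 'from'.
my %challenge_hook = (
    'Handler otp-staff' => sub {
        MyHooks::sendSMS({ account => 'acct1', from => '+43100',
                           transport => $transport }, @_);
    },
    'Handler otp-partner' => sub {      # 'from' missing: caught by the die
        MyHooks::sendSMS({ account => 'acct2', transport => $transport }, @_);
    },
);

# Mimics what the thread says Radiator does: call the hook inside eval and
# log an ERR line instead of letting the die take the server down.
sub run_hook {
    my ($name, $code, @hook_args) = @_;
    my $ret = eval { $code->(@hook_args) };
    if ($@) {
        print "ERR: Error in $name(): $@";
        return;
    }
    return $ret;
}

for my $handler (sort keys %challenge_hook) {
    # Positional ChallengeHook args as named in the thread; $self and $p are
    # undef placeholders because only $user and $context are used here.
    my $ok = run_hook('ChallengeHook', $challenge_hook{$handler},
                      undef, 'alice', undef, { otp => '482913' });
    print "$handler: ",
          ($ok ? 'SMS handed to gateway' : 'hook failed, radiusd keeps running'),
          "\n";
}
print "$_\n" for @outbox;
```

Running it shows one ERR line for the misconfigured Handler and one delivered message for the other, with the process still alive at the end.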


Re: [RADIATOR] [RFC] configurable hooks

2013-02-08 Thread Alexander Hartmaier
On 2013-02-07 22:19, Mike McCauley wrote:
> Hello,
>
> On Thursday, February 07, 2013 04:29:56 PM Alexander Hartmaier wrote:
>> On 2013-02-07 16:13, Heikki Vatiainen wrote:
>>> On 02/05/2013 08:39 PM, Alexander Hartmaier wrote:
>>>> I've looked into it today and have some questions:
>>>> - is it safe to assume that the list of arguments passed to the
>>>> ChallengeHook in my case is always ($self, $user, $p, $context)?
>>>> If one arg is missing my added arguments would shift and populate the
>>>> wrong variables. I was thinking about passing them by name in a hashref
>>>> as first instead of last argument.
>>> Passing your arguments first would certainly work and would guard
>>> against the problems that might come if arguments were added or removed
>>> from ChallengeHook.
>>>
>>> I'd say it's a good idea to put your own arguments first.
>> Will do that, thanks!
>>
>>>> - is it safe to die in hook code or will that tear down the Radiator
>>>> process? I'm asking because that's the preferred way of doing argument
>>>> validation, e.g.
>>>> die 'id missing'
>>>> unless defined $id;
>>> It should be safe since hooks are run within eval block and if there are
>>> errors, they are caught and ERR with 'Error in $hookname...' is logged.
>> Is that documented somewhere? Couldn't find it in the docs.
> The documentation of hook processing has been enlarged to cover this and
> other topics in the Reference manual for the next release.
>
> Thanks.
>
> Cheers.
Thanks Mike! Keep up your great work!

>
>>>> Another note, I've used %D instead of the hardcoded path which works
>>>> just as well:
>>>>
>>>> StartupHook sub { require "%D/MyHooks.pm"; }
>>> Based on your other messages, there were issues with this which were
>>> then solved. Is everything working for you now?
>>>
>>> Thanks,
>>> Heikki
>> %D doesn't work, but my problem arose when I changed the StartupHook
>> from a single line to multiple lines without terminating them with \.
>> Works now but it would be great if Radiator logged such an error.
>>
>> Cheers, Alex


Re: [RADIATOR] EAP iKev2 support in radiator 3.13

2013-02-26 Thread Alexander Hartmaier
That's because IKEv2 is not an EAP method but an IPSec phase 1 standard.

Best regards, Alex

On 2013-02-26 11:02, Arya, Manish Kumar wrote:
Hi,

  We are currently running Radiator 3.13. I want to confirm if we can use EAP 
iKev2 with this radius server.
if not then does the latest version of radiator support this authentication 
method ?

Regards,
-Manish




[RADIATOR] Fwd: Re: EAP iKev2 support in radiator 3.13

2013-02-26 Thread Alexander Hartmaier
Forgot to reply also to the list.

 Original Message 
Subject:Re: [RADIATOR] EAP iKev2 support in radiator 3.13
Date:   Tue, 26 Feb 2013 13:04:37 +0100
From:   Alexander Hartmaier 
Organization:   T-Systems Austria GesmbH
To: Arya, Manish Kumar 



Hi Manish,
I suggest you upgrade to the latest version. Radiator is very backward
compatible, I can't remember a software upgrade that broke our configs
and we've been running Radiator since before 2000.
Also check the patches if any of the fixes apply to you.
You can find the list of supported EAP types in the reference manual in
section 5.20.23 EAPType.

Best regards, Alex

On 2013-02-26 12:59, Arya, Manish Kumar wrote:
> Hi Alex,
>
>So Radiator 3.13 can support EAP ? or we should upgrade it ?
>
> Regards,
> -Manish
>
>
> --------
> *From:* Alexander Hartmaier 
> *To:* radiator@open.com.au
> *Sent:* Tuesday, February 26, 2013 3:56 PM
> *Subject:* Re: [RADIATOR] EAP iKev2 support in radiator 3.13
>
> That's because IKEv2 is not an EAP method but an IPSec phase 1 standard.
> Best regards, Alex
> On 2013-02-26 11:02, Arya, Manish Kumar wrote:
>> Hi,
>>
>>   We are currently running Radiator 3.13. I want to confirm if we can
>> use EAP iKev2 with this radius server.
>> if not then does the latest version of radiator support this
>> authentication method ?
>>
>> Regards,
>> -Manish
>>
>>

[RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000

2013-02-26 Thread Alexander Hartmaier
After some googling I've found the answer to this question [1] asked on
this list in 2003 [2].
Seems Cisco ASAs, which were called PIX before, were called Altiga
before [3].

The current dictionary that ships with Radiator has the attributes up to
number 137.
The names in the Cisco ASA doc have some common attributes but also
changed and new ones.
I'd replace all Altiga definitions with Cisco-ASA- attributes with their
names from the table in [2] and submit it to the list for replacement in
the default dictionary, does that sound sane after 13 years?

[1]
http://www.google.com/url?sa=t&rct=j&q=&esrc=s&source=web&cd=1&ved=0CDIQFjAA&url=http%3A%2F%2Fwww.open.com.au%2Fpipermail%2Fradiator%2F2003-October%2F008053.html&ei=LOksUebXOsvRsgaPpoDQCw&usg=AFQjCNGveQ6v-u4hYtw6RZA5hP8FD_TlUg&sig2=7pknyx-Cqi079pJBCP_SqA&bvm=bv.42965579,d.Yms&cad=rja
[2]
http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/ref_extserver.html#wp1753749
[3] http://www.networkworld.com/news/2000/0119cistiga.html

--
Best regards, Alex





Re: [RADIATOR] EAP-PEAP,EAP-TTLS to Radiator to LDAP

2013-02-27 Thread Alexander Hartmaier
We are using Radiator successfully for wired dot1x with PEAP-TLS and wireless 
PEAP-TLS and EAP-TLS for years.
You can find quite a lot of example configs in the goodies directory all 
starting with eap_.

Best regards, Alex

On 2013-02-27 14:34, benson, john wrote:
I used radiator years ago for a much simpler task than what I have in mind now. 
 We have a need to authenticate wired clients via Cisco switches using EAP-PEAP 
and EAP-TTLS to a radius server, where the radius server converts that 
authentication request into a secure LDAP authentication request to be passed 
on to our LDAP server which front-ends our Microsoft AD.  We currently use 
Juniper SBR for similar authentication tasks, however, we've hit a limitation 
with this particular requirement.  Can someone point me to some additional 
documentation that confirms or denies radiator's ability to do this?

Regards

John Benson





Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000

2013-02-27 Thread Alexander Hartmaier
On 2013-02-26 22:35, Heikki Vatiainen wrote:
> On 02/26/2013 07:04 PM, Alexander Hartmaier wrote:
>
>> After some googling I've found the answer to this question [1] asked on
>> this list in 2003 [2].
>> Seems Cisco ASAs, which were called PIX before, were called Altiga
>> before [3].
>>
>> The current dictionary that ships with Radiator has the attributes up to
>> number 137.
>> The names in the Cisco ASA doc have some common attributes but also
>> changed and new ones.
>> I'd replace all Altiga definitions with Cisco-ASA- attributes with their
>> names from the table in [2] and submit it to the list for replacement in
>> the default dictionary, does that sound sane after 13 years?
> Since the attributes are in use currently, the updated entries could be
> shipped at least as a separate dictionary file for those who need to use
> the latest definitions. I have also seen Altiga attributes used in
> current Cisco VPN deployments, so I think it would be a good idea to
> have the current definitions available too.
Yes, Cisco ASAs use the attributes defined in the document I've linked
which use the Altiga VSA (3076) and not the Cisco VSA (9).
I'd move the legacy Altiga VSAs into a separate dictionary file in the
goodies dir and put the current Cisco VSAs in the default dictionary file.
>
> If you have the entries, it would be good to see them and then consider
> what would be the best way to include them. If there are conflicting
> entries, then care would be needed when considering how to add them.
> Otherwise any users that may have equipment using them would have an
> unfortunate surprise.
>
> Thanks!
> Heikki
After an hour of typing I came up with this:

VENDORATTR  3076  Cisco-VPN-Access-Hours  1  string
VENDORATTR  3076  Cisco-VPN-Simultaneous-Logins  2  integer
VENDORATTR  3076  Cisco-VPN-Primary-DNS  5  ipaddr
VENDORATTR  3076  Cisco-VPN-Secondary-DNS  6  ipaddr
VENDORATTR  3076  Cisco-VPN-Primary-WINS  7  ipaddr
VENDORATTR  3076  Cisco-VPN-Secondary-WINS  8  ipaddr
VENDORATTR  3076  Cisco-VPN-SEP-Card-Assignment  9  integer
VENDORATTR  3076  Cisco-VPN-Tunneling-Protocols  11  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Sec-Association  12  string
VENDORATTR  3076  Cisco-VPN-IPsec-Authentication  13  string
VENDORATTR  3076  Cisco-VPN-Banner1  15  string
VENDORATTR  3076  Cisco-VPN-IPsec-Allow-Passwd-Store  16  integer
VENDORATTR  3076  Cisco-VPN-Use-Client-Address  17  integer
VENDORATTR  3076  Cisco-VPN-PPTP-Encryption  20  integer
VENDORATTR  3076  Cisco-VPN-L2TP-Encryption  21  integer
VENDORATTR  3076  Cisco-VPN-Group-Policy  25  string
VENDORATTR  3076  Cisco-VPN-IPsec-Split-Tunnel-List  27  string
VENDORATTR  3076  Cisco-VPN-IPsec-Default-Domain  28  string
VENDORATTR  3076  Cisco-VPN-IPsec-Split-DNS-Names  29  string
VENDORATTR  3076  Cisco-VPN-IPsec-Tunnel-Type  30  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Mode-Config  31  integer
VENDORATTR  3076  Cisco-VPN-IPsec-User-Group-Lock  33  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Over-UDP  34  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Over-UDP-Port  35  integer
VENDORATTR  3076  Cisco-VPN-Banner2  36  string
VENDORATTR  3076  Cisco-VPN-PPTP-MPPC-Compression  37  integer
VENDORATTR  3076  Cisco-VPN-L2TP-MPPC-Compression  38  integer
VENDORATTR  3076  Cisco-VPN-IPsec-IP-Compression  39  integer
VENDORATTR  3076  Cisco-VPN-IPsec-IKE-Peer-ID-Check  40  integer
VENDORATTR  3076  Cisco-VPN-IKE-Keep-Alives  41  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Auth-On-Rekey  42  integer
VENDORATTR  3076  Cisco-VPN-Required-Client-Firewall-Vendor-Code  45  integer
VENDORATTR  3076  Cisco-VPN-Required-Client-Firewall-Product-Code  46  integer
VENDORATTR  3076  Cisco-VPN-Required-Client-Firewall-Description  47  string
VENDORATTR  3076  Cisco-VPN-Require-HW-Client-Auth  48  integer
VENDORATTR  3076  Cisco-VPN-Required-Individual-User-Auth  49  integer
VENDORATTR  3076  Cisco-VPN-Authenticated-User-Idle-Timeout  50  integer
VENDORATTR  3076  Cisco-VPN-Cisco-IP-Phone-Bypass  51  integer
VENDORATTR  3076  Cisco-VPN-IPsec-Split-Tunneling-Policy  55

Re: [RADIATOR] laptop sending out wrong attribute

2013-02-28 Thread Alexander Hartmaier
On 2013-02-28 18:08, Bao Tran wrote:
> Hi everyone, I'm new to this forum and of course new to linux:).
>
> I have a number of laptops on the new domain but unable to associate to the 
> wireless network.
>
> When I try to connect my laptop to our wireless network by entering the 
> username e.g. jsmith, and the password.
> Looking at the radius log below, my understanding is that the laptop is unable to 
> authenticate because the laptop sent the User-Name attribute to the radius 
> server as "host/PC12.domainA.com.au" instead of the username "jsmith"
>
> Is it possible to change that on radius? or do I have to create a group policy 
> to change it on the laptop?
>
> Log messages:
> Thu Feb 28 17:22:42 2013: DEBUG: Radius::AuthLDAP2 looks for match with 
> host/PC12.domainA.com.au [host/PC12.domainA.com.auu]
> Thu Feb 28 17:22:42 2013: DEBUG: Radius::AuthLDAP2 REJECT: No such user: 
> host/PC12.domainA.com.auu [host/PC12.domainA.com.auu]
> Thu Feb 28 17:22:42 2013: INFO: Access rejected for host/PC12.domainA.com.au: 
> No such user
> Thu Feb 28 17:22:42 2013: DEBUG: Access challenged for 
> host/PC12.domainA.com.au: EAP PEAP inner authentication redispatched to a 
> Handler
> User-Name = "host/PC12.domainA.com.au"
> Thu Feb 28 17:22:42 2013: DEBUG:  Deleting session for 
> host/PC12.domainA.com.au, 192.168.1.1, 2
> Thu Feb 28 17:22:42 2013: INFO: Access rejected for host/PC12.domainA.com.au: 
> PEAP Authentication Failure
>
> Thanks everyone.
It looks like your wireless client is configured wrong when it sends the
hostname instead of the username. Which OS is running on the client? How
is the wireless and the client configured?

Best regards, Alex



Re: [RADIATOR] Radiator -> MSSQL 2008

2013-03-11 Thread Alexander Hartmaier
Hi Matt,
both DBD::Sybase and DBD::ODBC with FreeTDS were suggested on the
#dbix-class irc channel where some users connect to MSSQL successfully
from Linux.
DBD::ODBC requires the Linux ODBC library which is included in the
Debian package unixodbc if you run that.

Best regards, Alex

On 2013-03-05 14:55, Matt Brown wrote:
> Hello.  I need to log some accounting data direct into a windows 2008
> MSSQL server, what is available to do this?
>
> Reading the FAQ and searching the mailing list it looks like my options
> are either FreeTDS, though the version it lists is < September 2003, or
> "DBD::proxy together with DBD::OBDC on your windows host" - but
> installing 3rd party software on the windows server is not an option.
>
> Is anyone using freetds, and if so what version is stable?  Are there
> any alternative methods to connect to MSSQL that work and are more up to
> date?
>
> Thanks.
>
> Matt.


Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000

2013-03-26 Thread Alexander Hartmaier
So you prefer to include obsolete entries in the default dictionary
instead of making them available in a separate file for backward compat?
If someone upgrades Radiator this doesn't mean that he replaces his
dictionary file with the one from the installation tarball.

Cheers, Alex

On 2013-03-25 23:04, Hugh Irvine wrote:
> Agreed.
>
> On 26 Mar 2013, at 08:51, Heikki Vatiainen  wrote:
>
>> On 03/25/2013 11:21 PM, Hugh Irvine wrote:
>>
>>> I would probably add them to the Cisco-specific file in 
>>> "goodies/dictionary.cisco" for those people who want to use them.
>> Or maybe create a new file "goodies/dictionary.cisco-vpn"? The existing
>> "goodies/dictionary.cisco" has older definitions too that are no longer
>> in sync with IANA registry.
>>
>>> You really don't want to change what is in the standard dictionary as that 
>>> would undoubtedly break existing operations.
>> Yes, that could easily. But a file with just vendor 3076 attributes
>> could be easily used when the newer definitions are required.
>>
>> I'll ask this to be included. That was my idea anyway, but I had not
>> done it yet.
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen 
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
> --
>
> Hugh Irvine
> h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc.
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>





Re: [RADIATOR] Syntax for handler

2013-04-15 Thread Alexander Hartmaier
Hi Manish,
as you have to define the nas and its radius secret anyway I suggest that you 
configure a client-identifier for it and use that in your Handler(s), which makes 
future changes easier because you don't have to search the IP in your whole 
config.

Best regards, Alex

On 2013-04-15 12:56, Arya, Manish Kumar wrote:
Hi,

  I want to write a handler to entertain requests coming from an IP, is this the 
right syntax for this ?


AuthLog auth_log
RewriteUsername s/^([^@]+).*/$1/
AuthBy  alu_ldap


I had tried NAS-IP-Address=10.33.50.4 but it doesn't work

Regards,
-Manish




Re: [RADIATOR] Syntax for handler

2013-04-15 Thread Alexander Hartmaier
Create a separate Client block, before the network it's contained in if
you already have a Client block for the whole network as well, assign a
client-identifier to it and use it in the Handler instead of the
NAS-IP-Address.

BR Alex

On 2013-04-15 14:03, Arya, Manish Kumar wrote:
> Hi Alexander,
>
>   I have already added this IP in client list with secret. Usually
> we write handlers for networks which look like <Handler NAS-IP-Address=/10\.1\.233\..*/>
> but I am not sure what should be the syntax for a single IP like
> 10.33.50.4
>
> Regards,
> -Manish

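Worked configuration for the advice in this thread (an added example, not a config posted by either participant). It puts a Client clause for the single NAS in front of the network-wide one, labels it with Identifier, and keys the Handler on Client-Identifier rather than on NAS-IP-Address. The secrets, the 10.33.50.0/24 network, the label names and the 10.1.233.x network Handler are assumptions for illustration; only 10.33.50.4 and the auth_log / alu_ldap identifiers come from the thread, and those two are assumed to be the Identifiers of an AuthLog and an AuthBy LDAP2 clause defined elsewhere in the same file.

```apacheconf
# Added example; addresses, secrets and labels other than 10.33.50.4,
# auth_log and alu_ldap are assumptions.

# Most specific Client first. Radiator matches the packet's real source
# address and checks the shared secret before this label is assigned,
# so "alu-nas-1" is bound to the sender, not to anything in the packet.
<Client 10.33.50.4>
	Secret     changeme-nas-secret
	Identifier alu-nas-1
</Client>

# Network-wide Client for the rest of the management network, after the
# specific one so it does not shadow it.
<Client 10.33.50.0/24>
	Secret     changeme-net-secret
	Identifier mgmt-net
</Client>

# Handler keyed on the Client label. Handlers are tried in config order
# and the first whose check items match is used, so this sits above the
# broader network Handler.
<Handler Client-Identifier=alu-nas-1>
	AuthLog auth_log
	RewriteUsername s/^([^@]+).*/$1/
	AuthBy  alu_ldap
</Handler>

# Existing network-style Handler, unchanged, after the specific one.
<Handler NAS-IP-Address=/10\.1\.233\..*/>
	AuthLog auth_log
	AuthBy  alu_ldap
</Handler>
```

The reason to prefer Client-Identifier is not only tidiness. NAS-IP-Address is an attribute the NAS writes into the Access-Request itself, so any device that holds a valid shared secret can put whatever value it likes there; a Handler keyed on it trusts a claim in the packet. Client-Identifier is set by Radiator from the Client clause that actually matched the packet's source address and whose secret authenticated it, so the Handler selection is tied to where the request really came from. With a single secret shared by a whole /24, any host on that network can still pose as any other, so give the single NAS its own secret as well as its own Client clause.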
