Re: [RADIATOR] 100% load 1 cpu core

2016-02-04 Thread Christian Kratzer
Hi

On Tue, 2 Feb 2016, SinTeZ Wh1te wrote:

> Hello List!
>
> After installing Radiator on the test server, I got a problem with the 100%
> load 1 CPU core but the others are unused.
>
> Screenshot
> http://i.imgur.com/eQjK5k8.png
>


There are various ways to distribute load over multiple cores on radiator by 
fanning processes out to multiple radiator instances.

But before getting into that we need to understand a lot more of your setup.

You seem to have a quite simple proxy radius configuration.

I have had setups with high load where a single frontend radiator process has 
distributed eap radius requests to multiple backends for cpu intensive eap 
processing with the Farming feature.  In those cases the frontend has had no 
trouble at all to keep up with the load.

I do see though that your radiator process seems to have high memory 
consumption, over 100MB in your screenshot.

That makes me wonder how responsive the backend is that you are proxying to.

Radiator needs to keep track of all the requests it has proxied to the other 
host, so if that host cannot keep up with the load a queue will build up on the 
frontend and it will start resending, which will cause even more load on the 
backend.  So generally if the backend cannot keep up things might go downhill 
quite fast.

Not sure if this is your issue. That would need further investigation.

Please tell us more about:

1. the type of requests you are handling
2. the type of the backend you are proxying to


Greetings
Christian


-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] EAP-TLS not getting client cert

2016-02-01 Thread Christian Kratzer
Hi,

On Mon, 1 Feb 2016, Hartmaier Alexander wrote:
> Hi,
> I'd say the client doesn't trust the radiator certificate and stops the
> EAP conversation.

the same client worked when on site.  It failed when offsite and the requests 
were coming over the vpn.

It turned out to be a firewall with a huge MTU on the inside interface that was 
sending jumbograms that got dropped on the radius.

Greetings
Christian

>
> Best regards, Alex
>
> On 2016-01-18 12:30, Christian Kratzer wrote:
>> Hi Sami,
>>
>> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>>> Hello Christian,
>>>
>>> Usually this kind of behaviour is due to MTU problems.
>>> There can be differences between different vendors for example how they
>>> do tunnelling and how it affects to MTUs etc.
>>>
>>> Please try to adjust maximum TLS fragment size to see if it helps.
>>>
>>> Please see more at page 92
>>> 5.21.39 EAPTLS_MaxFragmentSize
>>> in ref.pdf.
>> yes we already have that set to 500.
>>
>> Just for understanding, EAPTLS_MaxFragmentSize would only affect what 
>> radiator sends.  There is no way to limit the size of the fragments coming 
>> from the ap.
>>
>> The trace4 logs stop exactly at the point radiator has completed sending of 
>> its certificate to the client.
>>
>> I would assume that I would at least see the first of the packets with the 
>> client certificates.  If not this could perhaps also be an issue with the 
>> network dropping incoming udp fragments and the os never being able to 
>> reassemble incomplete packets.  I will have the customer check into that as 
>> well.
>>
>> Greetings
>> Christian



Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi,

On Tue, 26 Jan 2016, Hugo Veiga wrote:

> In my original message I have by mistake a AuthBy INTERNAL in the outter
> authentication it's actually a AuthBy SQL clause.

which is exactly why I made you test your 4.9 case.


AuthBy SQL supports EAP.
AuthBy FILE also supports EAP.

and as Heikki said before: AuthBy INTERNAL does not.
>
>
> This is trace from radiator 4.9.
>
> Tue Jan 26 15:01:15 2016: DEBUG: Handling request with Handler
> 'Realm=/^convidado$/i', Identifier ''
> Tue Jan 26 15:01:15 2016: DEBUG:  Deleting session for 1745@convidado,
> 10.240.1.1, 54482
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL:
> SQLAccounting
> Tue Jan 26 15:01:15 2016: DEBUG: AuthBy SQL result: IGNORE, Ignored due to
> IgnoreAuthentication
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO
> Tue Jan 26 15:01:15 2016: DEBUG: Handling with Radius::AuthSQL: PEAP_CONVIDADO

this is proof that the first packet is going into an AuthSQL.  In your
4.16 example it was going into your AuthBy INTERNAL handler.

Your old configuration from 4.9 should run on 4.16.  Just do not
swap your AuthBy FILE or AuthBy SQL for an AuthBy INTERNAL.

Greetings
Christian



Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi,

On Tue, 26 Jan 2016, Hugo Veiga wrote:
> Hi Alan,
>
> I have the same config on radiator 4.9 and it works perfectly.
>
> About the stuff order ;) , I use the Authby as "functions" and usually I
> put them before the handlers, this is very practical to reuse code.
>
> As you suggested I tried to put them after the handlers and I have the same
> exact result.

try getting a trace 4 log from the authentication on your 4.9 radiator
so we can see the difference.

Greetings
Christian


>
> Best regards,
> Hugo Veiga
>
>
> 2016-01-25 19:09 GMT+00:00 Alan Buxey :
>
>> Try putting your stuff into order - your inner stuff , handlers et al ,
>> AFTER the realm check (where you are then asking for a particular handler).
>>
>> The goodies directory provides ready to go starting recipes for this stuff
>> (so you can see how handlers/inner work)
>>
>> alan
>



Re: [RADIATOR] EAP-TLS not getting client cert

2016-01-18 Thread Christian Kratzer
Hi Sami,

On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
> Hello Christian,
>
> Usually this kind of behaviour is due to MTU problems.
> There can be differences between different vendors for example how they
> do tunnelling and how it affects to MTUs etc.
>
> Please try to adjust maximum TLS fragment size to see if it helps.
>
> Please see more at page 92
> 5.21.39 EAPTLS_MaxFragmentSize
> in ref.pdf.

yes we already have that set to 500.

Just for understanding, EAPTLS_MaxFragmentSize would only affect what radiator 
sends.  There is no way to limit the size of the fragments coming from the ap.

The trace4 logs stop exactly at the point radiator has completed sending of 
its certificate to the client.

I would assume that I would at least see the first of the packets with the 
client certificates.  If not this could perhaps also be an issue with the 
network dropping incoming udp fragments and the os never being able to 
reassemble incomplete packets.  I will have the customer check into that as 
well.

Greetings
Christian




[RADIATOR] EAP-TLS not getting client cert

2016-01-18 Thread Christian Kratzer
Hi,

a customer of mine has a WLAN EAP-TLS setup where there is an issue that some
clients don't complete the EAP handshake.

When comparing the traces the issue with the failing clients seems to be
that after receiving the certificate from the radius server the clients
never send their client certificate.

The failing clients are all coming from another site which uses cisco 
instead of hp access points.

They claim they can connect fine at the site with hp access points.

I'm arguing that the access points are irrelevant here and the clients
not sending their certificate is most probably because of certificate
issues on the client.

Would you all agree with this?

I cannot think of any other reason but client misconfiguration when TLS
authentication would stop after sending of the server certificate.

Greetings
Christian



Re: [RADIATOR] FarmChildHook to rotate AuthPort, AcctPort and DBSource

2015-12-01 Thread Christian Kratzer
Hi Heikki,

sorry about the delay in answering this.

On Wed, 4 Nov 2015, Heikki Vatiainen wrote:
> On 13.10.2015 15.45, Christian Kratzer wrote:
>
>> 3. Also note the rather high number of MaxFailedRequests in HASHBALANCE.  I 
>> saw the backends get marked bad instantly when activating this in a high 
>> load environment with a low number of MaxFailedRequests.  I never quite found 
>> out why but assume this was due to interfering with in-progress EAP 
>> transactions.  A value of 10 keeps the hashbalance happy until the backend 
>> really dies.  YMMV of course.
>
> That's possible. See EAPErrorReject configuration parameter for more
> info, but the default is to drop many EAP related requests when there's
> an error.
>
>>   # walk over all AuthBy and Hash database credentials by farmInstance
>>   foreach my $auth (@{$main::config->{AuthBy}}) {
>>  my $id = $auth->{Identifier};
>
> You could also fetch the AuthBy handle directly with something like this:
>
> my $id = 'SQLauth';
> my $auth = Radius::AuthGeneric::find($id);
>
> Then continue as below (maybe add error check if $auth is not found)

that is also a valid point and should perhaps go in additionally.

We use this in multiple different configs so I intentionally put in the
loop over all AuthBy so it would reach all the various database
connections.

It really depends a lot on how people want to use this and goodies is
the first place I look when I try to find ways to do things. That is
before I go into the sources.

>
>>  foreach my $key (qw(DBSource DBUsername DBAuth)) {
>>  if ($auth->{$key}) {
>>  my $database_count = @{$auth->{$key}};
>>  $auth->{$key} = [ $auth->{$key}[ ($main::farmInstance-1)%$database_count ] ];
>>  &main::log($main::LOG_INFO, "farmchild.hook: AuthBy: $id, $key: ".$auth->{$key}[0] );
>>  }
>>  }
>
> Remove one } here too.
>
>>
>>   return;
>> }
>
> Please let me know if the original should go into goodies or if there's
> anything you'd like change before it gets added.


if it is ok with you just let it go in as it is.

That's the way I currently use it.  If I change something I would need
to retest and I do not currently have the time.

But please feel free to change or add anything you consider worthwhile.

Greetings
Christian



[RADIATOR] FarmChildHook to rotate AuthPort, AcctPort and DBSource

2015-10-13 Thread Christian Kratzer
Hi,

I would like to contribute the following snippet I use as FarmChildHook in EAP 
environments where I have a backend radius behind HASHBALANCE or similar.

The hook shows how to accomplish the following:

1. Add farmInstance to AcctPort and AuthPort of the base config and reopen 
ports.

This is nice for setting up a backend with multiple ports to point 
HASHBALANCE at.

2. Walk over all AuthBy in the config and hash the list of db credentials.

This way you can configure multiple databases in the main config and the hook 
picks a different database for each child.

The code could easily be modified to rotate the list of databases by the child 
number for a similar effect whilst keeping failover capability to the other 
databases.

3. Also note the rather high number of MaxFailedRequests in HASHBALANCE.  I saw 
the backends get marked bad instantly when activating this in a high load 
environment with a low number of MaxFailedRequests.  I never quite found out why 
but assume this was due to interfering with in-progress EAP transactions.  A 
value of 10 keeps the hashbalance happy until the backend really dies.  YMMV of 
course.

Feel free to add this to the radiator goodies directory.

Greetings and have fun
Christian Kratzer
CK Software GmbH


How to use in the frontend:
--

 

FailureBackoffTime 60
Secret mysecret
MaxFailedRequests 10
Retries 0


AuthPort 10001
AcctPort 20001


AuthPort 10002
AcctPort 20002


AuthPort 10003
AcctPort 20003

...

 

How to use in the backend:
--

 AuthPort  1
 AcctPort 2
 FarmSize  4
 FarmChildHook file:"%D/hooks/farmchild.hook"

 
Identifier  SQLauth

DBSourcedb1
DBUsername  user
DBAuth  pass

DBSourcedb2
DBUsername  user
DBAuth  pass

...
 

 
AuthBy  SQLauth
 


hooks/farmchild.hook:
-


# 
# FarmChildHook
# close and reopen AuthPort and AcctPort in farm children and add
# farmInstance to the port number
# this also works correctly when farmInstance is >=10, where AuthPort
# 100%O fails.
#
# AuthPort  1
# AcctPort
# FarmSize  4
# FarmChildHook file:"%D/hooks/farmchild.hook"
#
sub
{
    my $radius_server = $main::config->{radius_server};

    # add farmInstance to AuthPort
    my $authport = Radius::Util::format_special($main::config->{AuthPort});
    if ($authport) {
        $authport = $authport + $main::farmInstance;
        &main::log($main::LOG_INFO, "farmchild.hook: AuthPort: $authport");
        $radius_server->{'AuthPort'} = $authport;
    }

    # add farmInstance to AcctPort
    my $acctport = Radius::Util::format_special($main::config->{AcctPort});
    if ($acctport) {
        $acctport = $acctport + $main::farmInstance;
        &main::log($main::LOG_INFO, "farmchild.hook: AcctPort: $acctport");
        $radius_server->{'AcctPort'} = $acctport;
    }

    # reopen auth and acct ports if needed
    if ($authport || $acctport) {
        &main::log($main::LOG_INFO, "farmchild.hook: reopen ports");
        $radius_server->close_sockets();
        $radius_server->create_ports();
    }

    # walk over all AuthBy and hash database credentials by farmInstance
    foreach my $auth (@{$main::config->{AuthBy}}) {
        my $id = $auth->{Identifier};
        foreach my $key (qw(DBSource DBUsername DBAuth)) {
            if ($auth->{$key}) {
                # keep exactly one entry per child: index (farmInstance-1) mod count
                my $database_count = @{$auth->{$key}};
                $auth->{$key} = [ $auth->{$key}[ ($main::farmInstance-1) % $database_count ] ];
                &main::log($main::LOG_INFO, "farmchild.hook: AuthBy: $id, $key: " . $auth->{$key}[0]);
            }
        }
    }

    return;
}


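The following is an added example and is not Christian Kratzer's hook or anything from the Radiator goodies directory. It re-implements the hook's arithmetic in plain Python so the port offsets and the per-child credential selection can be checked outside Radiator: farm_child_ports, select_credentials and apply_to_authby are this example's own names, Radiator's $main::farmInstance and $main::config are modelled as plain arguments, and the base ports 10000/20000 are assumed values chosen so that the resulting child ports match the 10001.. / 20001.. hosts in the frontend config above. select_credentials also covers the rotation variant the post mentions (each child prefers a different database but keeps the others for failover), and apply_to_authby adds a length check across the three parallel lists that the hook itself does not perform.

```python
# Added example; not part of the posted farmchild.hook or Radiator itself.
# Models the hook's port and credential arithmetic so it can be checked
# without running Radiator. All function names are this example's own.
from typing import Any, Dict, List, Sequence


def farm_child_ports(base_auth_port: int, base_acct_port: int,
                     farm_size: int) -> List[Dict[str, int]]:
    """Ports each farm child listens on after the hook: base + farmInstance.

    Radiator numbers farm children from 1, so an assumed base of 10000/20000
    with FarmSize 4 gives 10001..10004 and 20001..20004, i.e. one <Host>
    clause per child in the frontend HASHBALANCE.
    """
    if farm_size < 1:
        raise ValueError("FarmSize must be >= 1")
    return [{"instance": i,
             "auth_port": base_auth_port + i,
             "acct_port": base_acct_port + i}
            for i in range(1, farm_size + 1)]


def select_credentials(values: Sequence[str], farm_instance: int,
                       rotate: bool = False) -> List[str]:
    """Pick the database entries one child will use.

    rotate=False mirrors the posted hook: keep only the entry at index
    (farmInstance - 1) mod count, so children spread over the databases but
    each child loses failover to the other entries.
    rotate=True is the variant the post suggests: rotate the list by the
    child number, so each child prefers a different database but keeps the
    remaining entries as failover targets.
    """
    if not values:
        raise ValueError("no entries configured")
    if farm_instance < 1:
        raise ValueError("farm instances are numbered from 1")
    offset = (farm_instance - 1) % len(values)
    if rotate:
        return list(values[offset:]) + list(values[:offset])
    return [values[offset]]


def apply_to_authby(authby: Dict[str, Any], farm_instance: int,
                    rotate: bool = False) -> Dict[str, Any]:
    """Model of the hook's loop over DBSource/DBUsername/DBAuth.

    The hook computes the offset per key from that key's own list length.
    The three lists are parallel (entry n of each belongs to database n), so
    this model insists they have equal length; otherwise a child could pair
    DBSource db2 with the password meant for db1. The length check is an
    addition of this example, not something the hook does.
    """
    keys = ("DBSource", "DBUsername", "DBAuth")
    lengths = {len(authby[k]) for k in keys if authby.get(k)}
    if len(lengths) > 1:
        raise ValueError("DBSource/DBUsername/DBAuth lists differ in length")
    out = dict(authby)
    for key in keys:
        if authby.get(key):
            out[key] = select_credentials(authby[key], farm_instance, rotate)
    return out


if __name__ == "__main__":
    # Constructed sample mirroring the backend config in the post.
    sqlauth = {"Identifier": "SQLauth",
               "DBSource": ["db1", "db2"],
               "DBUsername": ["user", "user"],
               "DBAuth": ["pass", "pass"]}
    for child in farm_child_ports(10000, 20000, 4):
        cfg = apply_to_authby(sqlauth, child["instance"])
        print(child, "->", cfg["DBSource"][0])
```

With two databases and four children the hashed form assigns db1 to children 1 and 3 and db2 to children 2 and 4; the rotated form gives every child both, in a different preferred order.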


Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-03 Thread Christian Kratzer
Hi,

On Fri, 2 Oct 2015, Nadav Hod wrote:
> Yes but as I mentioned in the original post, I suggested to access these 
> stores over a network share. These really shouldn't be local, afterall the 
> certificates can be loaded into memory and passwords can also be loaded into 
> memory. The share can be secured behind firewall (including different 
> security modules) and domain-level security. Most SMB's and enterprises 
> already have these in place. Keeping things local is bad practice for several 
> reasons.
>
you are free to implement this any way you like, as Tuure pointed out a couple 
of posts back, if you think it adds value in your specific setup.

This thread is going nowhere.

Can we please end it here.

Greetings
Christian


> 
> From: Nick Lowe [nick.l...@lugatech.com]
> Sent: Friday, October 02, 2015 5:52 PM
> To: Nadav Hod
> Cc: Tuure Vartiainen; radiator@open.com.au
> Subject: Re: [RADIATOR] Password/certificate security seems next to none on 
> Radiator server
>
> Nadav,
>
> You're just obfuscating by doing this as the RADIUS server still has
> to get access to those things. Security through obscurity really
> doesn't exist. It is a complete waste of time in my opinion.
>
> You have to rely on encryption of the backing storage and OS security
> primitives with administrative best practice to do this properly.
> There is no other way.
>
> Once somebody owns a box, all bets are off.
>
> Regards,
>
> Nick
>



Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-03 Thread Christian Kratzer
Hi,

On Fri, 2 Oct 2015, Nadav Hod wrote:
> Hi Tuure,
>
> Moving the secrets from one cleartext file to another isn't secure, it's just 
> a way to break the code between more files.

you still clearly do not understand that there is no way to solve this in 
software.

Not in radiator or in any other software.

Radiator or any other radius server needs to keep in plaintext:
- credentials it needs to connect to backend databases
- possible certificate private keys or passphrases to unlock those when needed
- radius secrets
- ...

> I'm interested in a secure way to access credentials which are kept both 
> encrypted and only accessed when authenticated by a keyfile or something 
> equally strong.

If credentials are kept encrypted and are decrypted on demand that is equally 
just obfuscation.

You asked for it and were shown a way how to accomplish this but rejected it.

> As far as I can tell this doesn't exist today in Radiator, I'm asking this 
> members in this mailing list whether or not they think there is added value 
> in implementing some form of sustainable security for these credentials.

Radiator is following best practices already.

Greetings
Christian





Re: [RADIATOR] Best way to strip leading DOMAIN\ with PEAP

2015-06-24 Thread Christian Kratzer
Hi,

On Wed, 24 Jun 2015, Tuure Vartiainen wrote:
> Hi,
>
>> On 24 Jun 2015, at 10:00, Christian Kratzer  wrote:
>>
>> I have a couple of windows users that send a DOMAIN\ prefix to their 
>> username.
>>
>> What would be the best way to strip these things when using PEAP with AuthBy 
>> SQL.
>>
>> We are currently passing %X (eap identity) as the username with PEAP and %w 
>> (orig username) in the TTLS case.
>>
>
> by using RewriteUsername I would say. E.g.
>
> RewriteUsername s/^([^\\]*)\\(.*)/$2/

and this would not interfere with EAP handling in PEAP or TTLS?

Greetings
Christian

>
>
> BR
>

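As an added example (not Radiator code and not part of the thread), the RewriteUsername pattern Tuure suggested, s/^([^\\]*)\\(.*)/$2/, applied in Python so its edge cases are visible: [^\\]* stops at the first backslash, so only the leading DOMAIN\ is removed and anything after it, including an @realm suffix or further backslashes, is kept verbatim. strip_domain_prefix and split_domain are this example's own names; split_domain keeps the domain and the original name available separately, which matters in the plain MSCHAPv2 case discussed elsewhere on this page, where the name the client used goes into the response calculation and should not be rewritten before the password check.

```python
# Added example; not Radiator code. Python equivalent of the suggested
# RewriteUsername s/^([^\\]*)\\(.*)/$2/ plus a splitter that keeps the
# original pieces. Function names are this example's own.
import re
from typing import Optional, Tuple

# Same regex as the RewriteUsername: group 1 is everything before the FIRST
# backslash (the domain), group 2 is the remainder, kept unchanged.
_DOMAIN_PREFIX = re.compile(r"^([^\\]*)\\(.*)")


def strip_domain_prefix(username: str) -> str:
    r"""Equivalent of RewriteUsername s/^([^\\]*)\\(.*)/$2/.

    A name without a backslash is returned unchanged, exactly as the Perl
    substitution would leave it.
    """
    return _DOMAIN_PREFIX.sub(r"\2", username)


def split_domain(username: str) -> Tuple[Optional[str], str]:
    """Return (domain, user) without discarding anything.

    domain is None when the name carries no backslash, and the empty string
    for a name that starts with one (e.g. "\\alice"). Use the stripped user
    for the database lookup and keep the untouched username for anything
    that computes over the name the client actually sent.
    """
    m = _DOMAIN_PREFIX.match(username)
    if not m:
        return None, username
    return m.group(1), m.group(2)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real log.
    for name in ("CORP\\alice", "alice", "CORP\\alice@example.org", "a\\b\\c"):
        print(repr(name), "->", repr(strip_domain_prefix(name)), split_domain(name))
```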


[RADIATOR] Best way to strip leading DOMAIN\ with PEAP

2015-06-24 Thread Christian Kratzer
Hi,

I have a couple of Windows users that send a DOMAIN\ prefix to their username.

What would be the best way to strip these things when using PEAP with AuthBy 
SQL?

We are currently passing %X (eap identity) as the username with PEAP and %w 
(orig username) in the TTLS case.

Greetings
Christian



Re: [RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

2015-06-09 Thread Christian Kratzer
Hi,

On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.18, Christian Kratzer wrote:
>
>> yes that would help separate the cases but I would still need to solve
>> the non eap case, i.E how to ignore SQLauthorize while SQLauthenticate
>> is challenging the client.  Would something like this work for plain
>> MSCHAPv2 ?
>>
>>  ContinueUntilChallenge
>>  AuthBy SQLauthenticate
>>  AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )
>
> Hmm, going back to your earlier message, I'd say 'AuthByPolicy
> ContinueWhileAccept' should be good for both EAP and non-EAP case.
>
> With plain (non-EAP) MSCHAPv2, there is no need to challenge the client.
> When EAP authentication is done, it does use challenge, but non-EAP does
> not. Radiator can immediately respond with accept or reject.
>
> If the client does not want to continue in the non-EAP case, then it may
> not like the response Radiator sends. This could happen when, for
> example, the response Radiator calculates is incorrect.
>
> If you switch to EAP-TTLS/PAP for testing, it should work similarly with
> one request and immediate accept/reject from Radiator.


Good tip.  It seems that some attributes added by SQLauthorize are
interfering. We added an AllowInReply clause to the handler for non-EAP
cases and it seems to be working as planned.

Still testing though.

Greetings
Christian



Re: [RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

2015-06-09 Thread Christian Kratzer
Hi,

On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
> On 9.6.2015 15.05, Christian Kratzer wrote:
>
>> On Tue, 9 Jun 2015, Heikki Vatiainen wrote:
>> 
>>> It should now return accept or reject, not a challenge. If it accepts,
>>> it will tunnel MS-CHAP2-Success back to the client with the accept.
>>
>> this seems to lead to the problem in our setup.
>>
>> We have following structure in the inner handler with a cascaded a
>> second AuthSQL after the authenticating sql for authorisation:
>>
>>
>>    Identifier    TunnelledByTTLS
>>    AuthByPolicy  ContinueWhileAccept
>>    AuthBy        SQLauthenticate
>>    AuthBy        SQLauthorize ( uses NoEAP and NoCheckPassword )
>>
>>
>> In the EAP-MSCHAPv2 case radiator does not proceed to SQLauthorize when
>> SQLauthenticate has produced a challenge:
>
> How about adding a Handler for EAP:
>
> 
># Policies etc. to work with EAP
> 
>
> 
># Policies to work with non-EAP requests
> 

yes that would help separate the cases but I would still need to solve the non-EAP 
case, i.e. how to ignore SQLauthorize while SQLauthenticate is challenging 
the client.  Would something like this work for plain MSCHAPv2?

ContinueUntilChallenge
AuthBy SQLauthenticate
AuthBy SQLauthorize ( uses NoEAP and NoCheckPassword )

Greetings
Christian



Re: [RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

2015-06-09 Thread Christian Kratzer
received value with what it expects. The value
> it expects depends on the response the server calculates. The username
> and password are included in the calculated response. The server can not
> just say "yes" without knowing the password, that's the v2 part. Also,
> the username must be the same the client uses when it calculates its
> expected value. You should not rewrite it for plain MSCHAPv2.
>
> Thanks,
> Heikki
>
>



[RADIATOR] TTLS with inner MSCHAPv2 vs. inner EAP-MSCHAPv2

2015-06-09 Thread Christian Kratzer
Hi,

we are having an issue with authenticating TTLS when the supplicant uses
plain MSCHAPv2 instead of EAP-MSCHAPv2.

1. Testing with eapol_test and the following config in eapol_test:
-

 eap=TTLS
 phase2="auth=MSCHAPV2"

produces following request when the request is reinjected into the inner 
handler:

 Code:   Access-Request
 Identifier: UNDEF
 Authentic:  <238>g<236>Z<18>2<187>dmM$<242><223><30><209>4
 Attributes:
User-Name = ""
MS-CHAP-Challenge = 
<25><208><7><142>6Q<145>|`<157>P<251><194><203><233><156>
MS-CHAP2-Response = ^<0><0><2><0>x<173><6><0> 
<0><0><0>;<0><0><0>h<0><0><0><0><0><0><0><0><214><233><146>R<152><167><214>xg<181><254><255>BS<175>@<204><29>=<1><225>|N<248>

This fails to provide a challenge.

 Tue Jun  9 09:32:25 2015 986798: DEBUG: Radius::AuthSQL looks for match 
with X [X]
 Tue Jun  9 09:32:25 2015 987631: DEBUG: Radius::AuthSQL ACCEPT: : X 
[X]

And subsequently fails.

2. Testing with eapol_test and the following config in eapol_test:
-

 eap=TTLS
 phase2="autheap=MSCHAPV2"

produces following request when the request is reinjected into the inner 
handler:

 Code:   Access-Request
 Identifier: UNDEF
 Authentic:  <137>'H<220><247><247><152>z<186><145><230><133>i<216>?<227>
 Attributes:
EAP-Message = 
<2><1><0>B<26><2><1><0>=1<3>A2<127><165><224>7<193><148><163>s<223><251><182><146><231><0><0><0><0><0><0><0><0>C<194><27>vv1<20><29>]h$/<149><17><159><202>I<6><128><204><246>"<186><189><0>radperf
Message-Authenticator = 
<0><0><0><0><0><0><0><0><0><0><0><0><0><0><0><0>
User-Name = "anonymous"

Here we get a challenge:

 Tue Jun  9 10:57:58 2015 642003: DEBUG: Radius::AuthSQL ACCEPT: : xx 
[anonymous]
 Tue Jun  9 10:57:58 2015 642696: DEBUG: EAP result: 3, EAP MSCHAP V2 
Challenge: Success

Any tips where to start searching?  We will try next to see if we can 
successfully authenticate TTLS/PAP in order to rule out any challenge issues.

Greetings
Christian



[RADIATOR] rcrypt implementation in java ?

2015-03-01 Thread Christian Kratzer
Hi,

before we whip up something, does anybody know of an rcrypt implementation in 
java?

It's under 10 lines of perl in Radius/Rcrypt.pm to port for encryption, but if 
anybody already has something I would rather not dive into java. ;)


Greetings
Christian



Re: [RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

2015-02-24 Thread Christian Kratzer
Hi Sami,

On Tue, 24 Feb 2015, Sami Keski-Kasari wrote:

> Hello Christian,
>
> MSCHAPv2 is a mutual authentication protocol where the client requires a
> response from the server. If the server doesn't send the correct response the
> client will terminate the connection.
> So the server cannot just decide to accept authentication like in the PAP case.
> I think that it is not possible to build a walled garden solution with
> that protocol.

Thanks.  That makes sense.  I forgot about the mutuality in CHAP.

Greetings
Christian

> If you use for example PEAP/GTC or EAP-TTLS/PAP you can use AuthBy GROUP
> to group sequences and use different policy inside them.
>
> for example like this:
>
> 
> Identifier TunnelledByPEAP=1
> AuthByPolicy ContinueWhileAccept
>
> AuthByPolicy ContinueWhileReject
> AuthBy SQLauthenticate
>
>   AuthHook sub {my $p = $_[0];\
>   $p->add_attr('X-OSC-Auth-Status', 'Rejected');\
>   return $main::ACCEPT}
> 
> 
> AuthBy INTERNALextractFunnyStuffFromRequest
> AuthBy SQLauthorize
> 
>
> In this example the inner AuthBy INTERNAL will change reject to accept
> and mark it with vendor specific attribute that you can use in later
> INTERNAL to determine if authentication was successful or not.
>
> Best Regards,
> Sami
>
> On 02/24/2015 01:12 PM, Christian Kratzer wrote:
>> Hi Sami,
>>
>> We made progress with our setup thanks to your previous tips.
>>
>> We now have the following setup, simplified a bit:
>>
>> 
>> Identifier TunnelledByPEAP=1
>> AuthByPolicy ContinueWhileAccept
>> AuthBy SQLauthenticate
>> AuthBy INTERNALextractFunnyStuffFromRequest
>> AuthBy SQLauthorize
>> 
>>
>> 
>> Identifier Outer
>> AuthBy FILE
>> 
>>
>> the issue we are currently chasing is that the customer also wants
>> failed authentications to proceed into SQLauthorize so he can possibly
>> put people into a walled garden with specific reply attributes.
>>
>> The issue seems to be that when MS-CHAP2 fails in TunneledByPeap it
>> seems to kill the EAP session and authentication terminates.
>>
>> Subsequent packets are not forwarded to the tunneled handler by the
>> outer handler.
>>
>> Do you have a suggestion on how to accomplish authorization after a failed
>> CHAP authentication?
>>
>> Regards
>> Christian
>>

-- 
Christian Kratzer   CK Software GmbH
Email:   c...@cksoft.de   Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0   D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9   HRB 245288, Amtsgericht Stuttgart
Mobile:  +49 171 1947 843   Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

2015-02-24 Thread Christian Kratzer
Hi Sami,

We made progress with our setup thanks to your previous tips.

We now have the following setup, simplified a bit:

 
Identifier TunnelledByPEAP=1
AuthByPolicy ContinueWhileAccept
AuthBy SQLauthenticate
AuthBy INTERNALextractFunnyStuffFromRequest
AuthBy SQLauthorize
 

 
Identifier Outer
AuthBy FILE
 

The issue we are currently chasing is that the customer also wants
failed authentications to proceed into SQLauthorize so he can possibly
put people into a walled garden with specific reply attributes.

The issue seems to be that when MS-CHAP2 fails in TunnelledByPEAP it
seems to kill the EAP session and authentication terminates.

Subsequent packets are not forwarded to the tunneled handler by the
outer handler.

Do you have a suggestion on how to accomplish authorization after a failed
CHAP authentication?

Regards
Christian



Re: [RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

2015-02-19 Thread Christian Kratzer
Hi Sami,

On Thu, 19 Feb 2015, Sami Keski-Kasari wrote:

> Hello Christian,
>
> Answer to first question:
> 
>
> We have used AuthBy INTERNAL between actual AuthBys to modify request
> message (for example in OTP cases that is very often needed to separate
> first and second factor). In AuthBy INTERNAL you can have for example
> AuthHook.

Thanks. That looks much simpler and fits nicely into the setup.

> Your TLS case could be something like this:
>
> Answer to second question:
>
>
> There are special characters %x and %X that include user's EAP-Identity.
> %x is The EAP Identity for PEAP and TTLS inner requests.
> %X is the EAP identity, with any trailing @realm stripped off.

Thanks again.  Did not see those options.

> I hope this helps.

Yes it does a lot.  I will proceed with building the setup.

Thanks and regards
Christian



[RADIATOR] Extracting certificates info for EAP PEAP,TTLS,TLS

2015-02-18 Thread Christian Kratzer
Hi,

I would like some advice on how to balance my options with a customer
setup I have been building.

This setup has both tunneled EAP PEAP and TTLS and non tunneled TLS
based host authentication.

There is an MS-CHAP based EAP authentication followed by an SQL based
authorisation clause.

The basic structure is as follows:

 
Identifier SQLauthenticate
# mschap2 authentication
 

 
Identifier SQLauthorize
# sql based authorisation
NoEAP
 

 
Identifier  PEAP
AuthByPolicyContinueWhileAccept
AuthBy  SQLauthenticate
AuthBy  SQLauthorize
 

 
Identifier  TTLS
AuthByPolicyContinueWhileAccept
AuthBy  SQLauthenticate
AuthBy  SQLauthorize
 

 # EAP TLS based host authentication
 
Identifier  TLS
AuthBy  FILE
AuthBy  SQLauthorize
 

 
Identifier  Outer
AuthBy  EAPouterHandler
 

First question:
---

The fun starts as the customer needs various data from the client
certificates that we can extract in various hooks.

We have used the Handler PostAuthHook to access the peer certificate
in the EAP context and subsequently extract the issuer name and
certificate policy from it and stick the data into the request.

The dilemma is that PostAuthHook is too late to use the extracted
data in the SQLauthorize clause.

We would also not like to delegate the authorisation logic to
the PostAuthHook.  The authorisation is basically a psql stored
procedure that encapsulates all the business logic.  I would like to
keep it visible in the configuration and not hidden in a hook.

We were successful in extracting the certificate in the inner handler's
PreAuthHook as the certificate has been extracted in the outer handler
and is available at this point.

This does not work for EAP TLS though as TLS is not tunneled.

I could probably use one of the hooks in EAP_13 (TLS) like perhaps
EAPTLS_CertificateVerifyHook to handle the TLS case and the
PreHandlerHook for the tunneled methods.

On the other hand I could probably patch the EAP PEAP, TTLS and TLS handlers
and provide a generic way to map certificate data into the request.

Do you have any advice on how to best handle this?

Second question:
---

We would also need the user and realm from the inner EAP identity in
the above authorisation clauses.  How could those best be accessed?  The
authorisation clauses use NoEAP in order to not interfere with the
EAP challenge authentication, so the usual variables seem to have the
outer identity.

Greetings
Christian



Re: [RADIATOR] AuthAttrDef for multi-value Radius attribute check

2013-09-18 Thread Christian Kratzer
>> This will allow OSC-AVPAIR to be either attrname1=value1 or
>> attrname2=value2
>>
>> If you still think space can be used, please provide an example. I'm
>> interested to see if I have missed something :)
>>
>> Thanks,
>> Heikki
>>
>> --
>> Heikki Vatiainen 
>>
>> Radiator: the most portable, flexible and configurable RADIUS server 
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.



Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread Christian Kratzer
Hi,

just verified your minimal configuration with a clean Radiator-4.11 plus 
patches installation:

   [root@test-centos64 Radiator-4.11]# cat /tmp/radius.cfg
   Foreground
   LogStdout
   LogDir  .
   DbDir   .
   Trace   4

   
  Identifier myinternal
  AuthResult REJECT
   

   
  Secret  mysecret
   

   
  AuthBy myinternal
   
   [root@test-centos64 Radiator-4.11]# radiusd -config_file /tmp/radius.cfg -trace 5
   Fri Jul  5 23:07:02 2013: DEBUG: Finished reading configuration file '/tmp/radius.cfg'
   Fri Jul  5 23:07:02 2013: DEBUG: Reading dictionary file './dictionary'
   Fri Jul  5 23:07:02 2013: DEBUG: Creating authentication port 0.0.0.0:1645
   Fri Jul  5 23:07:02 2013: DEBUG: Creating accounting port 0.0.0.0:1646
   Fri Jul  5 23:07:02 2013: NOTICE: Server started: Radiator 4.11 on test-centos64.cksoft.de

there must be something wrong in your installation or even your config.

> # radiusd -c -log_stdout -trace 5 -config_file /tmp/radiator-config
> Fri Jul  5 18:30:30 2013: WARNING: Could not find AuthBy clause with Identifier myinternal
> Fri Jul  5 18:30:30 2013: DEBUG: Finished reading configuration file '/tmp/radiator-config'

You might want to reverify the minimal configuration.

I typoed Identifier myself a couple of days ago.

Is the above also the error message you get from your full configuration?

Greetings
Christian

On Fri, 5 Jul 2013, Karl Gaissmaier wrote:

> Hi Christian, RADIATOR team and listeners,
>
> Am 05.07.2013 18:57, schrieb Christian Kratzer:
> ...
>
>> just saw that you start with:
>>
>>  
>>
>> and close with:
>>
>>  
>
> uups, sorry but in my original cfg there isn't such a typo
> and if I correct this stupid error it's the same problem
> as before.
>
>> sounds fishy.   How did you perform the update ?
>
> It's solaris, I use an own perl installation only for RADIATOR in order
> not to depend on the system /usr/bin/perl with the needed CPAN
> modules for RADIATOR.
>
> The perl installation is the same for Radiator-4.9 and 4.11.
> I install it via:
>
> untar the 4.11 tgz to /radiator/build-4.11
> cd /radiator/build-4.11
> untar the 4.11 patches
>
> # /special/perl-path/bin/perl Makefile.PL PREFIX=/radiator/install-4.11
> # make
> # make test
> # make install
> # make clean
>
> and then to test the new installation with this special perl and
> with this special INCLUDE path:
>
>> /special/perl-path/bin/perl -I /radiator/install-4.11/lib/site_perl/ 
>> /radiator/install-4.11/bin/radiusd -c -log_stdout -trace 5 -config_file 
>> /tmp/radiator-config
>
> Did it again, checked the files and rights and still the same error.
> BTW, it's not the first time that I update it in this way.
>
> Sounds really fishy, just wondering if someone else sees the same problem.
>
>>
>> Above configuration should most certainly work.
>>
>> Could be you have a strange mix of old, new and partially installed Radius 
>> modules
>> and perhaps multiple versions of radiusd on your system.
>>
>> What does following show:
>>
>> find / -name Radius.pm
>> find / -name AuthINTERNAL.pm
>> find / -name radiusd
>
> foobar# find /radiator/ -name Radius.pm
> /radiator/build/Radiator-4.9/Radius/Radius.pm
> /radiator/build/Radiator-4.11/Radius/Radius.pm
> /radiator/install-4.9/lib/site_perl/5.12.4/Radius/Radius.pm
> /radiator/install-4.11/lib/site_perl/5.12.4/Radius/Radius.pm
>
> foobar# find /radiator/ -name radiusd
> /radiator/build/Radiator-4.9/radiusd
> /radiator/build/Radiator-4.11/radiusd
> /radiator/install-4.9/bin/radiusd
> /radiator/install-4.11/bin/radiusd
>
> foobar# find /radiator/ -name AuthINTERNAL.pm
> /radiator/build/Radiator-4.9/Radius/AuthINTERNAL.pm
> /radiator/build/Radiator-4.11/Radius/AuthINTERNAL.pm
> /radiator/install-4.9/lib/site_perl/5.12.4/Radius/AuthINTERNAL.pm
> /radiator/install-4.11/lib/site_perl/5.12.4/Radius/AuthINTERNAL.pm
>
> Everything as expected and often done during the last 10++ years
>
> Thanks for your help and hints so far
>Charly



Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread Christian Kratzer
Hi,

On Fri, 5 Jul 2013, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> I tried to upgrade from 4.9 to 4.11 (up to date patches applied) and I'm
> no longer able to parse my old cfg file.
>
> >>> Identifiers are no longer recognized. <<<
>
> I stripped it down to the bare minimum:
>
>> Foreground
>> LogStdout
>> LogDir  .
>> DbDir   .
>> Trace   4
>>
>> 
>> Identifier  myinternal
>> AuthResult  REJECT
>> 
>>
>> 
>> Secret  mysecret
>> 
>>
>> 
>> AuthBy  myinternal
>> 

just saw that you start with:



and close with:



try the following instead


AuthBy  myinternal


If you are still having problems post the output of the commands from my 
previous mail.

Greetings
Christian

>
> and I get still the following WARNING:
>
>> # radiusd -c -log_stdout -trace 5 -config_file /tmp/radiator-config
>> Fri Jul  5 18:30:30 2013: WARNING: Could not find AuthBy clause with 
>> Identifier myinternal
>> Fri Jul  5 18:30:30 2013: DEBUG: Finished reading configuration file 
>> '/tmp/radiator-config'
>
> Please check if it's a current bug or if it's my fault.
>
>> OS:     SunOS foobar 5.11 11.1 sun4v sparc SUNW,Sun-Fire-T200
>> perl -v:perl 5, version 12, subversion 4 (v5.12.4) built for sun4-solaris
>> radiusd -v: This is Radiator 4.11 on foobar
>
>
>
> Best Regards
>Charly



Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread Christian Kratzer
Hi,

On Fri, 5 Jul 2013, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> I tried to upgrade from 4.9 to 4.11 (up to date patches applied) and I'm
> no longer able to parse my old cfg file.
>
> >>> Identifiers are no longer recognized. <<<
>
> I stripped it down to the bare minimum:
>
>> Foreground
>> LogStdout
>> LogDir  .
>> DbDir   .
>> Trace   4
>>
>> 
>> Identifier  myinternal
>> AuthResult  REJECT
>> 
>>
>> 
>> Secret  mysecret
>> 
>>
>> 
>> AuthBy  myinternal
>> 
>
> and I get still the following WARNING:
>
>> # radiusd -c -log_stdout -trace 5 -config_file /tmp/radiator-config
>> Fri Jul  5 18:30:30 2013: WARNING: Could not find AuthBy clause with 
>> Identifier myinternal
>> Fri Jul  5 18:30:30 2013: DEBUG: Finished reading configuration file 
>> '/tmp/radiator-config'

Sounds fishy.  How did you perform the update?

The above configuration should most certainly work.

Could be you have a strange mix of old, new and partially installed Radius
modules and perhaps multiple versions of radiusd on your system.

What does the following show:

find / -name Radius.pm
find / -name AuthINTERNAL.pm
find / -name radiusd

Greetings
Christian



Re: [RADIATOR] Radiator & Debian Wheezy = memory problem?

2013-06-19 Thread Christian Kratzer
Hi,

On Wed, 19 Jun 2013, Michael wrote:

>
> 4 radius servers. identical config.  the last in the list is not used as 
> much.  lower usage seems to mean lower memory usage.

Even without any additional modules in use Radiator will of course use
some memory. Features like the session database will gradually build up
memory usage until a level that matches your workload is reached.

Restarting Radiator will of course free up all of the memory.

This would not be a memory leak but legitimate usage that you have to
account for to match your workload or number of concurrent sessions in
the case of the session DB.

If you have a memory leak the process size would grow without ever
reaching a saturation point.  To find out if it is so you need to watch
memory consumption with a graphing tool (mrtg/cacti/observium).

If you see a graph that slowly saturates all is fine. If you see steady
growth investigate further.

Greetings
Christian

>
> since May 7, up to 22% memory usage.  restarting it, drops down to 4%.  It 
> will sit there for a while and slowly creep up over a couple months.
> -apr25 16.1%, 2.7 after restart
> -may7 18.4%, 4.7 after restart
> -may17 8.5%, 3.0 after restart
>
> ===
> root@:/l# ps u |grep radiusd
> root  9404  4.6 22.1 263120 112584 pts/0   SMay07 2859:09 
> /usr/bin/perl radiusd
> root@:/# radiator stop
> Shutting down Radiator:
> root@:/# radiator start
> Starting Radiator:
> root@:/var/lib/mysql# ps u |grep radiusd
> root  3490  2.5  4.1  91124 21224 pts/0S11:20   0:00 
> /usr/bin/perl radiusd
> ===
> root@:/# ps u |grep radiusd
> root 25157  2.5 16.1 274228 123864 pts/3   SApr25 1994:48 
> /usr/bin/perl radiusd
> root@:/# radiator stop
> Shutting down Radiator:
> root@:/# radiator start
> Starting Radiator:
> root@:/# ps u |grep radiusd
> root 21310  6.0  2.7  92972 20744 pts/0S11:24   0:00 
> /usr/bin/perl radiusd
> ===
> root@:# ps u |grep radiusd
> root 20050  2.1 18.4 242708 93992 pts/1SMay07 1354:18 
> /usr/bin/perl radiusd
> root@:# radiator stop
> Shutting down Radiator:
> root@:# radiator start
> Starting Radiator:
> root@:# ps u |grep radiusd
> root  3133  5.1  4.7  93896 24116 pts/1S11:27   0:00 
> /usr/bin/perl radiusd
> ===
> root@:# ps u |grep radiusd
> root 14703  0.6  8.5 211892 65432 pts/0SMay17 306:39 
> /usr/bin/perl radiusd
> root@:# radiator stop
> Shutting down Radiator:
> root@:# radiator start
> Starting Radiator:
> root 22218  0.7  3.0  93524 23488 pts/0S11:30   0:00 
> /usr/bin/perl radiusd
> ===
>
> On 19/06/13 11:10 AM, Michael wrote:
>> I have this problem too.  Radiator slowly consumes more and more memory as 
>> the weeks go by.  Restarting it brings it back down.  I have asked this 
>> question to, but also got the same answers you did.  Not a radiator 
>> problem.
>> 
>> 
>> On 19/06/13 05:04 AM, Kurt Bauer wrote:
>>> Hi,
>>> 
>>> since upgrading one of our radius-servers to Debain 7 (Wheezy) we 
>>> expierence serious memory problems, namely Radiator eating up all the 
>>> available memory over time (see attached graph). We have a few Radiator 
>>> installations running and the ones on Debian Squeeze behave fine.
>>> Radiator 4.11 plus latest patches
>>> Perl v5.14.2 (as packaged in Wheezy)
>>> 
>>> Any similar experiences or hints why this could be? Restarting Radiator 
>>> every few days rectifies the situation but is not the way we want to run 
>>> the service ;-)
>>> 
>>> Thanks for your help,
>>> best regards,
>>> Kurt
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>>> -- 
>>> Kurt Bauer 
>>> Vienna University Computer Center - ACOnet - VIX
>>> Universitaetsstrasse 7, A-1010 Vienna, Austria, Europe
>>> Tel: ++43 1 4277 - 14070 (Fax: - 814070)  KB1970-RIPE
>>> 
>>> 
>>> 

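The saturating-versus-growing distinction in the reply above is easy to get wrong by eyeballing a graph. As an added example that is not part of the thread or of Radiator, the following Python takes a series of RSS samples (for instance the RSS column of `ps u`, as quoted in the thread, collected once an hour) and reports whether the process has settled or is still growing at the same rate. The sample series are constructed, not measured.

```python
"""Added example (not from the thread or from Radiator): decide whether a
daemon's memory is saturating (warm-up of session DB, caches) or growing
without bound (a leak) from a series of RSS samples, e.g. taken from `ps u`
once an hour.  The sample numbers below are constructed, not measured."""
from dataclasses import dataclass


@dataclass
class Trend:
    first_half_kb_per_sample: float
    second_half_kb_per_sample: float
    verdict: str  # "flat", "saturating" or "growing"


def rss_kb_from_ps_line(line):
    """Extract the RSS column (KB) from one `ps u` output line.
    Columns: USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND."""
    fields = line.split()
    if len(fields) < 6:
        raise ValueError("not a `ps u` line: %r" % line)
    return int(fields[5])


def _slope(samples):
    """Least-squares slope of the samples against their index (KB per sample)."""
    n = len(samples)
    if n < 2:
        return 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(samples) / n
    num = sum((i - mean_x) * (y - mean_y) for i, y in enumerate(samples))
    den = sum((i - mean_x) ** 2 for i in range(n))
    return num / den


def classify(rss_kb, settle_ratio=0.25):
    """Compare the growth rate of the second half of the window with the
    first half.  A process filling a bounded structure grows fast at first
    and then flattens, so the second-half slope drops well below the first;
    a leak keeps growing at roughly the same rate."""
    if len(rss_kb) < 4:
        raise ValueError("need at least four samples")
    half = len(rss_kb) // 2
    s1 = _slope(rss_kb[:half])
    s2 = _slope(rss_kb[half:])
    if s1 <= 0 and s2 <= 0:
        verdict = "flat"
    elif s2 <= max(s1, 0) * settle_ratio:
        verdict = "saturating"
    else:
        verdict = "growing"
    return Trend(s1, s2, verdict)


# Constructed hourly RSS series (KB) after a restart, not real measurements.
SATURATING = [20744, 40000, 55000, 65000, 70000, 72000, 73000, 73500, 73800, 74000]
GROWING = [20744, 30000, 40000, 50000, 60000, 70000, 80000, 90000, 100000, 110000]

if __name__ == "__main__":
    for name, series in (("saturating", SATURATING), ("growing", GROWING)):
        t = classify(series)
        print(name, t.verdict, round(t.first_half_kb_per_sample),
              round(t.second_half_kb_per_sample))
```

Feed it a window long enough to cover the session database reaching its working size (days, not hours, on a busy server); on a short window a still-filling session DB looks like a leak.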


Re: [RADIATOR] Radiator & Debian Wheezy = memory problem?

2013-06-19 Thread Christian Kratzer
Hi,

On Wed, 19 Jun 2013, Michael wrote:
> I have this problem too.  Radiator slowly consumes more and more memory as 
> the weeks go by.  Restarting it brings it back down.  I have asked this 
> question to, but also got the same answers you did.  Not a radiator problem.

Then please show us your configuration and perhaps some logs and we
might be able to hint you in the right direction.

Without any insight into how you are using Radiator we cannot help.

Greetings
Christian


>
>
> On 19/06/13 05:04 AM, Kurt Bauer wrote:
>> Hi,
>> 
>> since upgrading one of our radius-servers to Debain 7 (Wheezy) we 
>> expierence serious memory problems, namely Radiator eating up all the 
>> available memory over time (see attached graph). We have a few Radiator 
>> installations running and the ones on Debian Squeeze behave fine.
>> Radiator 4.11 plus latest patches
>> Perl v5.14.2 (as packaged in Wheezy)
>> 
>> Any similar experiences or hints why this could be? Restarting Radiator 
>> every few days rectifies the situation but is not the way we want to run 
>> the service ;-)
>> 
>> Thanks for your help,
>> best regards,
>> Kurt



Re: [RADIATOR] Radiator & Debian Wheezy = memory problem?

2013-06-19 Thread Christian Kratzer
Hi,

On Wed, 19 Jun 2013, Kurt Bauer wrote:

> Hi,
>
> since upgrading one of our radius-servers to Debain 7 (Wheezy) we
> expierence serious memory problems, namely Radiator eating up all the
> available memory over time (see attached graph). We have a few Radiator
> installations running and the ones on Debian Squeeze behave fine.
> Radiator 4.11 plus latest patches
> Perl v5.14.2 (as packaged in Wheezy)
>
> Any similar experiences or hints why this could be? Restarting Radiator
> every few days rectifies the situation but is not the way we want to run
> the service ;-)

Yes, as others have said, this is most likely a problem in one of the
modules you are using.  Plain Radiator generally does not crash or leak
memory.

Greetings
Christian



Re: [RADIATOR] Accounting records are not written to database

2012-11-05 Thread Christian Kratzer
11/12 05:07 PM, rohan.he...@cwjamaica.com wrote:
>>>>>>> Hugh,
>>>>>>>
>>>>>>> Config and logs attached.
>>>>>>>
>>>>>>> And the application crashed when testing Simultaneous-Use for both
>>>>>>> configurations below.
>>>>>>>
>>>>>>> In my AuthBy config:
>>>>>>> "DefaultSimultaneousUse 1" With "AuthAttrDef
>>>>>>> Simultaneous-Use,Simultaneous-Use,check"
>>>>>>>
>>>>>>> Or
>>>>>>>
>>>>>>> In my Handler:
>>>>>>> MaxSessions 1
>>>>>>>
>>>>>>> On Fri, 2 Nov 2012 07:19:09 +1100
>>>>>>> Hugh Irvine  wrote:
>>>>>>>> Hello Rohan -
>>>>>>>>
>>>>>>>> We will need to see the configuration file (no secrets) together with
>>>>>>>> a trace 4 debug showing what is happening.
>>>>>>>>
>>>>>>>> regards
>>>>>>>>
>>>>>>>> Hugh
>>>>>>>>
>>>>>>>> On 2 Nov 2012, at 05:53,  wrote:
>>>>>>>>
>>>>>>>>> Hello,
>>>>>>>>>
>>>>>>>>> Why doesn't the following work?
>>>>>>>>>
>>>>>>>>> Identifier SQLAccounting
>>>>>>>>> DBSource dbi:mysql:inetdb_test
>>>>>>>>> DBUsername inet
>>>>>>>>> DBAuth inet@inetdb
>>>>>>>>> #Disable SQL authentication
>>>>>>>>> AuthSelect
>>>>>>>>> HandleAcctStatusTypes Start,Stop
>>>>>>>>> AccountingTable ARCH_ACCOUNTING
>>>>>>>>> AcctColumnDef USER_NAME,User-Name
>>>>>>>>> AcctColumnDef ACCT_START_TIME,Timestamp,integer
>>>>>>>>> AcctColumnDef ACCT_STOP_TIME,Timestamp,integer
>>>>>>>>> AcctColumnDef ACCT_STATUS_TYPE,Acct-Status-Type,integer
>>>>>>>>> AcctColumnDef ACCT_DELAY_TIME,Acct-Delay-Time,integer
>>>>>>>>> AcctColumnDef ACCT_INPUT_OCTETS,Acct-Input-Octets,integer
>>>>>>>>> AcctColumnDef ACCT_OUTPUT_OCTETS,Acct-Output-Octets,integer
>>>>>>>>> AcctColumnDef ACCT_SESSION_ID,Acct-Session-Id
>>>>>>>>> AcctColumnDef ACCT_SESSION_TIME,Acct-Session-Time,integer
>>>>>>>>> AcctColumnDef ACCT_TERMINATE_CAUSE,Acct-Terminate-Cause,integer
>>>>>>>>> AcctColumnDef FRAMED_IP_ADDRESS,Framed-IP-Address
>>>>>>>>> AcctColumnDef NAS_IDENTIFIER,NAS-Identifier
>>>>>>>>> AcctColumnDef NAS_PORT,NAS-Port,integer
>>>>>>>>> AcctColumnDef CALLED_STATION_ID,Called-Station-Id
>>>>>>>>> AcctColumnDef CALLING_STATION_ID,Calling-Station-Id
>>>>>>>>> SQLRecoveryFile %L/sqlaccounting.sql
>>>>>>>>>
>>>>>>>>> Specifying the following in my Handler does not work. I don't even
>>>>>>>>> see any trace in my logs set at level 4 or 5.
>>>>>>>>> AuthBy SQLAccounting
>>>>>>>>>
>>>>>>>>> However my sessions database works with the following.
>>>>>>>>> SessionDatabase SQLSDB
>>>>>>>>>
>>>>>>>>> Thanks much.
>>>>>>>>>
>>>>>>>>> Regards,
>>>>>>>>> Rohan
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>> Hugh Irvine
>>>>>>>> h...@open.com.au
>>>>>>>>
>>>>>>>> Radiator: the most portable, flexible and configurable RADIUS server
>>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>>>>>>>> DIAMETER etc.
>>>>>>>> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>>
>>>>>>> Rohan Henry
>>>>>>> Server Administrator
>>>>>>> LIME
>>>>>>> Phone (876) 936-4819
>>>>>>> Mobile (876) 997-0729



Re: [RADIATOR] Some Authentication Not Getting Logged

2012-08-06 Thread Christian Kratzer
Hi,

On Mon, 6 Aug 2012, Joseph A. Lanager wrote:
> Hello,
>
> We've been running Radiator for almost 10 years now and never had any trouble 
> retrieving any user authentication log information until just recently.  At 
> least twice in the last few weeks we've found that there are no start and 
> stop times logged for some users.  However, the system otherwise appears to 
> be functioning normally.  We see no general system errors and other user 
> authentication is still being logged at those same times.  Nothing has 
> changed with the handler configuration on the current Linux RADIUS server for 
> several years now and the only changes to the system are the regular Red Hat 
> updates that come out.  Has anyone seen this behavior before or have any 
> ideas where to start looking for a possible cause?
>

As authentication and accounting are two separate things it is possible that 
accounting packets are getting firewalled or not generated in the first place.

You might want to check if the missing start/stop records are all from a 
specific NAS or specific group of NAS. Might be the configuration has been 
changed on those devices or a firewall configuration change is dropping 
accounting packets from those devices.

Something similar to the above scenario seems much more likely than Radiator 
selectively dropping accounting for random users.

Greetings
Christian Kratzer
CK Software GmbH


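To check the per-NAS hypothesis from the reply above without guessing, here is an added example in Python that is not part of the thread or of Radiator. It correlates accepted authentications with the Accounting Start records that should follow them and reports, per NAS, the share of logins that never produced accounting; a NAS at or near 100% points at the device or the path from it rather than at the RADIUS server. The records, addresses and user names are constructed.

```python
"""Added example (not from the thread or from Radiator): correlate
Access-Accepts with Accounting Start records per NAS to see whether missing
accounting is confined to particular devices.  All records are constructed."""
from collections import Counter, defaultdict

# (timestamp, user, nas_ip): accepted authentications, as an auth log would show
AUTH_ACCEPTS = [
    (1000, "alice", "10.0.0.1"),
    (1100, "bob", "10.0.0.1"),
    (1200, "carol", "10.0.0.1"),
    (1050, "dave", "10.0.0.2"),
    (1150, "erin", "10.0.0.2"),
    (1250, "frank", "10.0.0.2"),
    (1300, "grace", "10.0.0.3"),
    (1400, "heidi", "10.0.0.3"),
]

# (timestamp, user, nas_ip, acct_session_id): Accounting-Request Start records
ACCT_STARTS = [
    (1002, "alice", "10.0.0.1", "a1"),
    (1103, "bob", "10.0.0.1", "b1"),
    (1201, "carol", "10.0.0.1", "c1"),
    (1305, "grace", "10.0.0.3", "g1"),
    # nothing at all from 10.0.0.2, and heidi on 10.0.0.3 has no Start
]


def unmatched_accepts(auth_accepts, acct_starts, window=60):
    """Accepts that no Start from the same NAS for the same user followed
    within `window` seconds."""
    starts = defaultdict(list)
    for ts, user, nas, _sid in acct_starts:
        starts[(user, nas)].append(ts)
    return [
        (ts, user, nas)
        for ts, user, nas in auth_accepts
        if not any(ts <= s <= ts + window for s in starts[(user, nas)])
    ]


def missing_ratio_per_nas(auth_accepts, acct_starts, window=60):
    """Fraction of accepted logins per NAS that produced no Accounting Start."""
    total = Counter(nas for _, _, nas in auth_accepts)
    missing = Counter(
        nas for _, _, nas in unmatched_accepts(auth_accepts, acct_starts, window)
    )
    return {nas: missing[nas] / total[nas] for nas in total}


def suspect_nas(ratios, threshold=0.9):
    """NAS addresses where (nearly) every login lacks accounting: the usual
    sign of a device-side config change or a firewall dropping the accounting
    port from that device, rather than the RADIUS server misbehaving."""
    return sorted(nas for nas, r in ratios.items() if r >= threshold)


if __name__ == "__main__":
    ratios = missing_ratio_per_nas(AUTH_ACCEPTS, ACCT_STARTS)
    for nas, r in sorted(ratios.items()):
        print("%-10s %3.0f%% of accepts without a Start" % (nas, 100 * r))
    print("suspect:", suspect_nas(ratios))
```

A NAS with a partial ratio (10.0.0.3 in the sample) deserves a second look too: intermittent loss on the path, or a NAS that only sends accounting for some port types, produces exactly that pattern.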


Re: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party Vendor: Not all Attributes proxied

2012-02-08 Thread Christian Kratzer
Hi,

On Wed, 8 Feb 2012, Traiano Welcome wrote:

>> I would consider spooling the radius requests into a separate file and
>> use a script to send the spooled requests to the other radius from a
>> separate process. This would isolate any issues you have with forwarding
>> from you production setup.
>
>
> This sounds very much like FreeRADIUS' "radrelay" concept, which is
> essentially the same thing. Does Radiator come with a standard script that
> does this, or would I have to write my own?

Not that I am aware of.  It is not that hard though, considering that if you 
use Perl you can use all the RADIUS parsing, encoding and sending logic from 
Radiator.

radpwtest would be a good starting point for seeing how to get all this working 
together.

Greetings
Christian



Re: [RADIATOR] Proxying RADIUS Accounting Packets to Third Party Vendor: Not all Attributes proxied

2012-02-07 Thread Christian Kratzer
Hi,

On Tue, 7 Feb 2012, Traiano Welcome wrote:

> Thanks, Alan! This seems to have worked. I've just had an idea though, for
> "mirroring" radius accounting packets to an upstream radius system, which
> might be easier than using radiator as a proxy, as follows: (On
> FreeBSD), using packet mirroring functionality (e.g. the pf mirroring
> feature) to make a copy of the incoming radius accounting packets and
> mirror them to an upstream radius server which requires a feed.
>
> Would this be an advisable alternative way of sending a radius packet feed
> to a third party, in this case? What would be the gotchas?

You would have to decode the packets with the secret they were encoded
with and re-encode them with the secret required by your other radius
server.

You would also have to weed out duplicates resulting from resends to
your first radius server and you would need to handle resends for
packets that got dropped and not acked by your destination radius
server.

All this makes a packet capture solution a whole lot harder than
just using radius.

Under high request load having a further radius to forward to and having
to handle resends and acks for that other target might cause issues.

I would consider spooling the radius requests into a separate file and
use a script to send the spooled requests to the other radius from a
separate process. This would isolate any issues you have with forwarding
from your production setup.

Greetings
Christian Kratzer
CK Software GmbH


>
> Many Thanks,
> Traiano
>
>
>
> On 2012/02/06 6:02 PM, "Alan Buxey"  wrote:
>
>> Hi,
>>
>>> WARNING: Bad authenticator received in reply to ID 153
>>
>> incorrect shared secret or badly munged UDP packets, or packets
>> received after your local RADIUS server has already decided to forget
>> about them (timeout)
>>
>>> I've confirmed the secret is the same between the proxying radius
>>> servers
>>> and the destination radius server, so this doesn't look like the issue.
>>
>> Secret "whatever the secret is"
>>
>>
>> ..then you never get undone by trailing spaces etc
>>
>>>   Vendor Specific Attribute (26), length: 8 (bogus, goes past
>>> end
>>> of packet)
>>>   Vendor Specific Attribute (26), length: 12 (bogus, goes past
>>> end
>>> of packet)
>>
>> big big packets - larger than the MTU - change the size of your RADIUS
>> packets
>> to eg 1280 or so - the default in RADIATOR is big ...too big.  then the
>> RADIUS
>> will break the packets up nicely.
>>
>> hmm, theres EAPTLS_MaxFragmentSize to deal with EAP - not sure about what
>> you tweak
>> with plain RADIUS accounting packets that are big. maybe change the host
>> MTU size?
>>
>> alan
>
>

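The two gotchas Christian names above, decoding with the NAS secret and re-encoding with the upstream secret, and weeding out NAS retransmissions, as an added Python example (not Radiator code and not from the thread). It builds a constructed Accounting-Request, verifies its RFC 2866 Request Authenticator against the NAS secret, re-signs it for the upstream server, and drops retransmissions by (source, Identifier, Request Authenticator). The secrets, user name and source address are made-up sample values; a packet carrying a Message-Authenticator attribute is refused rather than re-signed, because that HMAC would have to be recomputed with the new secret as well.

```python
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4
ATTR_USER_NAME = 1
ATTR_ACCT_STATUS_TYPE = 40
ATTR_MESSAGE_AUTHENTICATOR = 80


def attr(attr_type: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_acct_request(ident: int, attrs: bytes, secret: bytes) -> bytes:
    """Build an Accounting-Request. Per RFC 2866 the Request Authenticator is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret),
    which binds the packet to the shared secret it was sent with."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_acct_request(pkt: bytes, secret: bytes) -> bool:
    """Check that the Request Authenticator was computed with this secret."""
    if len(pkt) < 20:
        return False
    code, _ident, length = struct.unpack("!BBH", pkt[:4])
    if code != ACCOUNTING_REQUEST or length != len(pkt):
        return False
    expected = hashlib.md5(pkt[:4] + b"\x00" * 16 + pkt[20:] + secret).digest()
    return hmac.compare_digest(expected, pkt[4:20])


def has_message_authenticator(pkt: bytes) -> bool:
    """Walk the attribute list looking for Message-Authenticator (80)."""
    pos = 20
    while pos + 2 <= len(pkt):
        attr_type, attr_len = pkt[pos], pkt[pos + 1]
        if attr_len < 2:
            return False  # malformed attribute; stop walking
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            return True
        pos += attr_len
    return False


def resign_for_upstream(pkt: bytes, nas_secret: bytes, upstream_secret: bytes) -> bytes:
    """Re-encode a captured Accounting-Request for a second RADIUS server:
    verify it with the NAS secret, then rebuild the authenticator with the
    upstream secret. Identifier and attributes are carried over unchanged."""
    if not verify_acct_request(pkt, nas_secret):
        raise ValueError("Request Authenticator does not verify with the NAS secret")
    if has_message_authenticator(pkt):
        raise ValueError("Message-Authenticator present; it must be recomputed too")
    return build_acct_request(pkt[1], pkt[20:], upstream_secret)


class RetransmitFilter:
    """Drop NAS retransmissions. A resend of a request that got no
    Accounting-Response carries the same source, Identifier and Request
    Authenticator, so that triple identifies a duplicate."""

    def __init__(self) -> None:
        self.seen = set()

    def is_duplicate(self, src: str, pkt: bytes) -> bool:
        key = (src, pkt[1], pkt[4:20])
        if key in self.seen:
            return True
        self.seen.add(key)
        return False


# Constructed sample: one Accounting-Request "Start" (status type 1) for user
# alice, signed with a made-up NAS secret.
NAS_SECRET = b"nas-secret"
UPSTREAM_SECRET = b"vendor-secret"
SAMPLE_ATTRS = attr(ATTR_USER_NAME, b"alice") + attr(ATTR_ACCT_STATUS_TYPE, struct.pack("!I", 1))
SAMPLE_REQUEST = build_acct_request(153, SAMPLE_ATTRS, NAS_SECRET)


def demo() -> bool:
    """Mirror the sample request once and drop its retransmission."""
    filt = RetransmitFilter()
    forwarded = []
    for _ in range(2):  # the NAS sends the same packet twice
        if filt.is_duplicate("192.0.2.10", SAMPLE_REQUEST):
            continue
        forwarded.append(resign_for_upstream(SAMPLE_REQUEST, NAS_SECRET, UPSTREAM_SECRET))
    return len(forwarded) == 1 and verify_acct_request(forwarded[0], UPSTREAM_SECRET)


if __name__ == "__main__":
    print("mirrored once and verified with upstream secret:", demo())
```

What the filter does not do is the other half of the job: tracking which re-signed packets the upstream server acknowledged and resending the ones it did not, which is the state a real relay (or Radiator itself as a proxy) has to keep.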


Re: [RADIATOR] LDAP_OPERATIONS_ERROR

2011-12-13 Thread Christian Kratzer
Hi,

On Tue, 13 Dec 2011, Jim Tyrrell wrote:
> Hi,
>
> Can someone shed light on what the error message "LDAP_OPERATIONS_ERROR"
> actually means?  I am seeing this quite frequently in the logs of our
> Radius servers that connect to a load balanced cluster of LDAP servers.
> I had suspected the connection being dropped/timed out on firewalls or
> the load balancer, but Radiator is reporting this immediately after
> attempting the lookup:
>
>
> Tue Dec 13 10:04:49 2011: DEBUG: Rewrote user name to user...@domain.com
> Tue Dec 13 10:04:49 2011: DEBUG: Packet dump:
> *** Received from 1.2.3.4 1645 
> Tue Dec 13 10:04:49 2011: DEBUG: Handling request with Handler
> 'Called-Station-Id = //'
> Tue Dec 13 10:04:49 2011: DEBUG: Rewrote user name to user...@domain.com
> Tue Dec 13 10:04:49 2011: DEBUG: Handling with Radius::AuthLDAP2:
> Tue Dec 13 10:04:49 2011: ERR: ldap search for
> (&(uid=user...@domain.com)(objectstatus=enable)(rasstatus=enable))
> failed with error LDAP_OPERATIONS_ERROR.
> Tue Dec 13 10:04:49 2011: ERR: Disconnecting from LDAP server (server
> ldap-cluster:389).
> Tue Dec 13 10:04:49 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User
> database access error
>
> I can't see any obvious errors on the LDAP servers.  I assume as the
> error message is instant after the lookup then it is getting some sort
> of response from LDAP but doesn't like it for some reason?

we used to get this a lot when the ldap servers were closing idle connections 
after a certain timeout.

Radiator noticed the socket was gone when it tried to perform the next query on 
it and then logged an LDAP_OPERATIONS_ERROR.

This happened quite often on certain ldap servers that did not get a steady 
query load and thus had a chance to run into their idle timeout.

You might want to confirm this is the case by running a packet capture of 
traffic between your radius and your ldap servers.

Recent versions of AuthBy LDAP2 in Radiator automatically reconnect in these 
cases so you do not lose an auth request and get no operations error.

Greetings
Christian Kratzer
CK Software GmbH


>
> Thanks.
>
> Jim.
>



Re: [RADIATOR] Access-accept response too big.

2011-06-29 Thread Christian Kratzer

Hi,

On Wed, 29 Jun 2011, Ronald Pérez wrote:

> Hi all,
>
> I'm testing this.
>
> After radius receives an access-request, it responds with an access-accept and
> a bunch of attributes (include file); when this file is too big the
> response doesn't reach the client, I think maybe it is an MTU problem.


if the response does not fit into a single udp packet your network
stack will split it up into multiple udp fragments.  A networking problem
of some sorts is quite possible.

I would use tcpdump to sniff traffic on both ends into two files and then
use wireshark to compare if all packets get through.  Should not be too
hard as radius is not that many packets.

Greetings
Christian


Re: [RADIATOR] Radiator clustering on linux

2011-06-22 Thread Christian Kratzer

Hi,

On Wed, 22 Jun 2011, Félix Enrique Llorente Pastora wrote:


> Hi,
>
> We are running radiator in two linux boxes with a software round
> robin load balancer in front of it.
>
> When we do proxy from Access and Acct message looks like we are
> losing messages.


this will not work if you expect the reply to the load balancer and it
will randomly distribute it to a server without keeping state.

You could consider sending the proxy request from the radius server's
own address so the reply would go to the correct server.

But even this would probably break for more complex authentication
like chap or most eap variants that exchange multiple packets between
nas and radius for a single request.


> Looking at the code looks like you have a hashmap which stores info
> about where to respond to the proxy messages.
>
> Is there a way to have this table shared between the two radiator
> instances (we have tried with the mysql SessionDatabase but it doesn't work)


not at the moment.  You would either have to dispose of the load
balancer or use one that understands radius and keeps state.

Personally I wouldn't use a load balancer for two radius servers but
would simply configure both servers in all clients. Failover comes
naturally with radius.

Greetings
Christian Kratzer
CK Software GmbH



> BR
>
> Quique.




Re: [RADIATOR] Radiator clustering on linux

2011-06-22 Thread Christian Kratzer

Hi,

On Wed, 22 Jun 2011, Félix Enrique Llorente Pastora wrote:


> Another issue,
>
> If radiator process always sends the same source port when forwarding messages 
> to the AAA server, I understand the only field to match queries and answers is 
> packet-id. But this field has 8 bits (only 256 values). What exactly would 
> happen if radiator has more than 256 pending requests from AAA server? Does it 
> create any misbehaviour?


yes that is a very real possibility that effectively limits your request/time 
rate to 256 / time_for_backend_to_answer_a_request.
So if your backend is far away you have to account for network delay which 
further reduces your requests/s.

See section 5.30.20 in the manual on UseExtendedIds on how to fix this for most 
modern radius servers that support the Proxy-State Attribute.

Greetings
Christian



> Thanks and regards
>
>
> On 06/22/2011 12:04 PM, Félix Enrique Llorente Pastora wrote:
>
>> Hi,
>>
>> We are running radiator in two linux boxes with a software round
>> robin load balancer in front of it.
>>
>> When we do proxy from Access and Acct message looks like we are
>> losing messages.
>>
>> Looking at the code looks like you have a hashmap which stores info
>> about where to respond to the proxy messages.
>>
>> Is there a way to have this table shared between the two radiator
>> instances (we have tried with the mysql SessionDatabase but it doesn't work)
>>
>> BR
>>
>> Quique.



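The 8-bit Identifier ceiling and the Proxy-State based way around it from the reply above, as an added Python model (not Radiator's implementation). The plain pending table refuses a 257th outstanding request on one source socket; the extended-id table tags every request with a Proxy-State value imitating the OSC-Extended-Id=N value that a Radiator log elsewhere on this page shows, and matches replies on that tag instead of on the Identifier. This only works when the backend returns Proxy-State unchanged, as RFC 2865 requires. The request objects and the tag format are constructed for the example; the real wire encoding is Radiator's.

```python
class IdentifierExhausted(Exception):
    """All 256 RADIUS Identifier values on this source port are in flight."""


class ProxyTable:
    """Pending-request table of a RADIUS proxy forwarding from one socket.
    Without extended ids the only handle on a reply is the 8-bit Identifier;
    with them each request carries a Proxy-State tag and the reply is matched
    on that tag, so two in-flight requests may share an Identifier."""

    def __init__(self, use_extended_ids: bool = False) -> None:
        self.use_extended_ids = use_extended_ids
        self.pending = {}      # key -> forwarded request (opaque here)
        self.next_ident = 0    # next Identifier to try (plain mode)
        self.next_ext_id = 1   # next extended id (extended mode)

    def forward(self, request):
        """Register a request; return (Identifier, Proxy-State value or None)."""
        if self.use_extended_ids:
            ext_id = self.next_ext_id
            self.next_ext_id += 1
            # Constructed imitation of the "OSC-Extended-Id=N" value seen in
            # the Radiator log quoted on this page.
            proxy_state = f"OSC-Extended-Id={ext_id}".encode()
            self.pending[ext_id] = request
            return ext_id % 256, proxy_state
        if len(self.pending) >= 256:
            raise IdentifierExhausted("256 requests outstanding on this socket")
        while self.next_ident in self.pending:  # find a free Identifier
            self.next_ident = (self.next_ident + 1) % 256
        ident = self.next_ident
        self.next_ident = (ident + 1) % 256
        self.pending[ident] = request
        return ident, None

    def match_reply(self, ident: int, proxy_state):
        """Pop and return the request a reply belongs to, or None if unknown."""
        if self.use_extended_ids:
            if proxy_state is None or not proxy_state.startswith(b"OSC-Extended-Id="):
                return None  # backend did not echo our Proxy-State: unmatchable
            key = int(proxy_state.split(b"=", 1)[1])
        else:
            key = ident
        return self.pending.pop(key, None)


def max_requests_per_second(backend_answer_time_seconds: float) -> float:
    """The ceiling from the reply: 256 ids per backend answer time."""
    return 256 / backend_answer_time_seconds


def demo() -> tuple:
    """Exhaust the plain table, then show the extended table disambiguating
    two requests that share Identifier 1 (extended ids 1 and 257)."""
    plain = ProxyTable()
    for n in range(256):
        plain.forward(("req", n))
    try:
        plain.forward(("req", 256))
        exhausted = False
    except IdentifierExhausted:
        exhausted = True

    ext = ProxyTable(use_extended_ids=True)
    tags = [ext.forward(("req", n)) for n in range(300)]
    ident, state = tags[256]
    matched = ext.match_reply(ident, state)
    return exhausted, ident, matched


if __name__ == "__main__":
    print(demo())
    print("ceiling at 0.5 s backend answer time:", max_requests_per_second(0.5), "req/s")
```

The `match_reply` branch that returns None when the tag is missing is the case to watch in production: a backend that strips Proxy-State silently turns every reply into an unmatched packet, which looks exactly like the backend timing out.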

Re: [RADIATOR] AuthBy LDAP2, HoldServerConnection and missing Retry parameter

2011-04-06 Thread Christian Kratzer
Hi,

On Wed, 6 Apr 2011, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> I've got a problem with Version 4.7 and AuthBy LDAP2. The LDAP server 
> terminates
> the connection after 10min of client idle as configured in slapd.conf.
>
> Seems that the RADIATOR doesn't recognize this, and the first ACCESS-REQUEST
> after this termination gets the following error:
>
> Wed Apr  6 00:32:34 2011: ERR: ldap search for (|(mail=foo)(uid=bar)) failed 
> with error LDAP_SERVER_DOWN.
> Wed Apr  6 00:32:34 2011: ERR: Disconnecting from LDAP server (server 
> foo.uni-ulm.de:636).
> Wed Apr  6 00:32:34 2011: DEBUG: AuthBy LDAP2 result: IGNORE, User database 
> access error

this is strange as Radiator-4.x has explicit support for reconnecting
to ldap servers after an idle timeout.

> See the config part below:
>
> 
> PacketTrace
> HoldServerConnection
> NoDefault
>
> Hostfoo.uni-ulm.de
> Version 3
> FailureBackoffTime  3
>
> UseSSL
> SSLVerify   require
> SSLCAFile   %D/certificates/ca-bundle.crt
>
> AuthDN  cn=secret
> AuthPasswordmore-secret
>
> BaseDN  ou=bar,dc=uni-ulm,dc=de
> Scope   one
>
> # username oder e-mail
> SearchFilter(|(mail=%1)(uid=%1))
> PasswordAttruserPassword
> 

Perhaps as you only have one ldap server to forward to you should set
FailureBackoffTime to 0 to allow radiator to immediately reconnect.

Casual reading of the source code makes me think this might be the problem.


> HINTS:
>
> I didn't see this problem with RADIATOR 3.11.
> Sigh, I can't go back to 3.11 to verify it definitely.
> Sigh, I know, it's a big step from 3.11 to 4.7.
>
> The LDAP server didn't change during the RADIATOR upgrade.
> We are using an openldap-2.3.35 under SunOS 5.10 and openssl-0.9.8-latest.

As a side note and nothing to do with your current problem.

Latest stable is openldap-2.4.23 and latest released is 2.4.25. You
should consider updating for anything but a trivial directory setup.
There have been lots of fixes since openldap 2.3.

Greetings
Christian



Re: [RADIATOR] Problem with pam_radius

2011-03-30 Thread Christian Kratzer

Hi,

On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:


> Hi,
>
> My SQL connection is OK; for other reasons the connection between the SQL 
> server and Radiator has not been used for 20 seconds, so the SQL server drops it 
> down.
>
> On the other hand, I have stated before that the secret is not the problem; the 
> config of the secret at radius:


let me summarize:

1. The password in a radius request from pam_radius shows up garbled
in the trace 4 log of your radius server.

2. The password in a radius request from radpwtst on the same server
as above gets through fine in the trace 4 log of your radius server.

That means you have no problem in your radiator config and there is
nothing to fix on the radius server.

You need to look into why pam_radius is incorrectly encrypting the
password.  This is most certainly a secret issue.  Search for the
problem on the pam_radius side.

As a next step you might want to use tcpdump to capture the radius requests
from pam_radius and from radpwtst and compare them in wireshark.

You can have wireshark decode udp/1940 traffic as radius and you can
specify your specific secret so wireshark can decode the password.

This will allow you to verify if pam_radius is doing what it is supposed to.

Greetings
Christian






>    Secret laboratorio
>    Identifier BBDD_Labo
>
> The config at the server:
>
> 10.0.124.52:1940 laboratorio
>
> They are the same, and the password is correctly configured at the database, 
> because I can test it from the radpwtst utility and it is ok. The config of the 
> authby SQL:
>
>    Identifier SERVERS
>    DBSource dbi:mysql:auth_oss:127.0.0.1:3306
>    DBUsername  root
>    DBAuth root
>    NoDefault
>    NoDefaultIfFound
>    Timeout 10
>    FailureBackoffTime 20
>    AuthSelect SELECT password FROM usuarios WHERE username='%{User-Name}'
>    AuthColumnDef 0, Password, check
>    AccountingTable
>
> The radpwtst command is being sent from the server I'm also trying to connect to 
> using pam_radius, and that is not the radius server.
>
> Any ideas?
> -----Original Message-----
> From: Christian Kratzer [mailto:ck-li...@cksoft.de]
> Sent: Wednesday, 30 March 2011 9:23
> To: Francisco Rodrigo Cortinas Maseda
> CC: radiator@open.com.au
> Subject: Re: [RADIATOR] Problem with pam_radius
>
> Hi,
>
> On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:
>
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 
>> 'NAS-Identifier="sshd"'
>> Tue Mar 22 09:19:00 2011: DEBUG:  Deleting session for frcm, 127.0.0.1, 26576
>> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
>> uVf<204><1>w<227>-<190>V..<15>
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
>> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
>> Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios WHERE 
>> username='frcm'':
>> Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM 
>> usuarios WHERE username='frcm'': Lost connection to MySQL server during query
>
> you have a problem with the connection to your sql server.
>
>> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm 
>> [frcm]
>> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
>> uVf<204><1>w<227>-<190>V..<15>
>
> this still looks a lot like a mismatched secret.
>
>> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm 
>> [frcm]
>> Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
>> Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
>> Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
>> *** Sending to 10.0.124.53 port 27601 
>> Code:   Access-Reject
>> Identifier: 108
>> Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
>> Attributes:
>>    Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
>>    Reply-Message = "Bad Password"
>>
>> If I use the radpwtst utility on the server where I am trying to authenticate 
>> from using pam_radius, the password is correctly decoded and is showed up 
>> correctly on the trace4.
>
> your secret is ok for the Client from 127.0.0.1 but mismatched for the Client 
> clause that the server with pam_radius is using.
>
> Greetings
> Christian

Re: [RADIATOR] Problem with pam_radius

2011-03-30 Thread Christian Kratzer
Hi,

On Wed, 30 Mar 2011, Francisco Rodrigo Cortinas Maseda wrote:

> Tue Mar 22 09:19:00 2011: DEBUG: Handling request with Handler 
> 'NAS-Identifier="sshd"'
> Tue Mar 22 09:19:00 2011: DEBUG:  Deleting session for frcm, 127.0.0.1, 26576
> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
> uVf<204><1>w<227>-<190>V..<15>
> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL
> Tue Mar 22 09:19:00 2011: DEBUG: Handling with Radius::AuthSQL: SERVERS
> Tue Mar 22 09:19:00 2011: DEBUG: Query is: 'SELECT password FROM usuarios 
> WHERE username='frcm'':
> Tue Mar 22 09:19:00 2011: ERR: Execute failed for 'SELECT password FROM 
> usuarios WHERE username='frcm'': Lost connection to MySQL server during query

you have a problem with the connection to your sql server.


> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL looks for match with frcm 
> [frcm]
> Tue Mar 22 09:19:00 2011: DEBUG: Decoded password is <198>* 
> uVf<204><1>w<227>-<190>V..<15>

this still looks a lot like a mismatched secret.

> Tue Mar 22 09:19:00 2011: DEBUG: Radius::AuthSQL REJECT: Bad Password: frcm 
> [frcm]
> Tue Mar 22 09:19:00 2011: DEBUG: AuthBy SQL result: REJECT, Bad Password
> Tue Mar 22 09:19:00 2011: INFO: Access rejected for frcm: Bad Password
> Tue Mar 22 09:19:00 2011: DEBUG: Packet dump:
> *** Sending to 10.0.124.53 port 27601 
> Code:   Access-Reject
> Identifier: 108
> Authentic:  7<22><216>m<171>zD<191><238>@<181>[zl=<253>
> Attributes:
>Called-Station-Id = "<198>* uVf<204><1>w<227>-<190>V..<15>"
>Reply-Message = "Bad Password"
>
> If I use the radpwtst utility on the server where I am trying to authenticate 
> from using pam_radius, the password is correctly decoded and is showed up 
> correctly on the trace4.

your secret is ok for the Client from 127.0.0.1 but mismatched for the Client 
clause that the server with pam_radius is using.

Greetings
Christian

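Why a mismatched shared secret shows up in the trace 4 log as a garbled password rather than as an error, the diagnosis in both pam_radius replies above, as an added Python example (not Radiator code). It implements the RFC 2865 section 5.2 User-Password hiding, decodes a constructed sample with the right and with a wrong secret, and, given the secrets of several configured Client clauses, reports which one the sender actually used. The Request Authenticator, password and clause names are made-up sample values; the secret "laboratorio" is the one in the quoted config.

```python
import hashlib


def hide_user_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad the password to a multiple of 16 octets, then
    XOR each block with MD5(secret + previous ciphertext block); the first
    block uses the Request Authenticator in place of a previous block."""
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse of hide_user_password. There is no integrity check: a wrong
    secret yields the wrong keystream and therefore garbage, not an error,
    which is exactly what the Decoded password line in the trace shows."""
    out = bytearray()
    prev = request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return bytes(out).rstrip(b"\x00")


def looks_garbled(decoded: bytes) -> bool:
    """The symptom visible in the log: bytes outside printable ASCII."""
    return any(b < 0x20 or b > 0x7E for b in decoded)


def classify_client(hidden: bytes, request_authenticator: bytes, candidate_secrets: dict) -> str:
    """Given the secrets of several Client clauses, name the one that decodes
    the hidden password to printable text, or 'none' if no candidate does.
    Useful when a request lands on a Client clause other than the intended one."""
    for name, secret in candidate_secrets.items():
        if not looks_garbled(reveal_user_password(hidden, secret, request_authenticator)):
            return name
    return "none"


# Constructed sample: a host hides its password with the secret "laboratorio"
# (from the quoted config); the Request Authenticator is a fixed dummy value,
# a real one is 16 random octets chosen per request.
SAMPLE_AUTHENTICATOR = bytes(range(16))
SAMPLE_PASSWORD = b"correct horse battery"
SAMPLE_HIDDEN = hide_user_password(SAMPLE_PASSWORD, b"laboratorio", SAMPLE_AUTHENTICATOR)


def demo() -> dict:
    """Decode the sample with the right and a wrong secret."""
    return {
        "right": reveal_user_password(SAMPLE_HIDDEN, b"laboratorio", SAMPLE_AUTHENTICATOR),
        "wrong": reveal_user_password(SAMPLE_HIDDEN, b"other-secret", SAMPLE_AUTHENTICATOR),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:5s} secret -> {value!r} garbled={looks_garbled(value)}")
```

The comparison Christian suggests, radpwtst versus pam_radius captured with tcpdump and decoded in wireshark with the secret, is this same computation done by wireshark; the request from the host whose decode is garbage is the one using a secret the server does not have in the Client clause it matched.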


Re: [RADIATOR] Client MAC:xx-xx-xx-xx-xx-xx

2011-03-28 Thread Christian Kratzer
Hi Heikki,

On Mon, 28 Mar 2011, Heikki Vatiainen wrote:

> On 03/28/2011 01:30 PM, Adam Bishop wrote:
>
>> Which attribute does radiator use for comparison when using
>> MAC-filtering on a client block?  Trying to pin down why one of our
>> clients isn't being picked up by the client block we have set:
>
> The attribute is Calling-Station-Id. Its format is like what you have
> below with hyphens being optional.

I just had a look at the code myself. It seems like it uses Called-Station-Id:

Function find in Client.pm

    #
    # Find a Client with the packed Host same as the RecvFrom host
    # If not found, try to find one with the MAC address given in
    # Called-Station-Id
    # If not found, try to find one for DEFAULT
    # REVISIT: Should probably add regexp matching too?
    sub find
    {
        my ($p) = @_;

        my ($client_port, $client_addr) =
            Radius::Util::unpack_sockaddr_in($p->{RecvFrom});
        my $ret = $Radius::Client::clients{$client_addr};
        # Look for a IPV4 CIDR match.
        $ret = findCidrAddress($client_addr)
            unless defined $ret;
        if (!defined $ret)
        {
            # Try to deduce a MAC address from Called-Station-Id
            no warnings "uninitialized";
>>>         my $mac = $p->getAttrByNum($Radius::Radius::CALLED_STATION_ID);
            $ret = $Radius::Client::clients{'MAC:' . $mac}
                if ($mac =~ /^[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}$/);

            # Still nothing, fall back to the default
            $ret = $Radius::Client::clients{DEFAULT}
                unless defined $ret;
        }
        return $ret;
    }

This is most probably the access point's MAC address on the air which is
not necessarily the same as the MAC address seen on the ethernet.

Greetings
Christian

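The lookup order of the Client.pm excerpt above, as an added Python model (not Radiator code): exact source address, then IPv4 CIDR, then 'MAC:' plus the Called-Station-Id taken verbatim when the whole attribute is a bare MAC, then DEFAULT. The client table is constructed. The model makes two consequences of the anchored regex and the verbatim key visible: a Called-Station-Id that carries an SSID suffix (the "xx:Prueba" form a WLAN controller sends in a log further down this page) never matches a MAC client, and the hyphenation in the Client clause has to be exactly what the NAS sends, since no normalisation happens before the hash lookup.

```python
import ipaddress
import re

# Same pattern as the Perl excerpt: six hex pairs, hyphens optional, anchored
# at both ends, so anything after the MAC makes the whole match fail.
MAC_RE = re.compile(r"^[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?"
                    r"[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}-?[0-9a-fA-F]{2}$")


def is_bare_mac(called_station_id) -> bool:
    """True only when the entire attribute value is a MAC address."""
    return called_station_id is not None and MAC_RE.match(called_station_id) is not None


def find_client(clients: dict, src_addr: str, called_station_id):
    """Return the key of the Client clause the request would be handled by,
    following the order of the Perl find(): host, IPv4 CIDR, MAC, DEFAULT.
    Returns None when nothing matches and no DEFAULT exists."""
    # 1. exact match on the packed source address
    if src_addr in clients:
        return src_addr
    # 2. IPv4 CIDR clients (keys written as network/prefix)
    try:
        addr = ipaddress.ip_address(src_addr)
    except ValueError:
        addr = None
    if addr is not None:
        for key in clients:
            if "/" in key and addr in ipaddress.ip_network(key, strict=False):
                return key
    # 3. 'MAC:' + Called-Station-Id, verbatim, only for a bare MAC
    if is_bare_mac(called_station_id):
        key = "MAC:" + called_station_id
        if key in clients:
            return key
    # 4. catch-all
    return "DEFAULT" if "DEFAULT" in clients else None


# Constructed Client table, keyed the way the Perl hash is.
SAMPLE_CLIENTS = {
    "192.0.2.10": "nas-1",
    "198.51.100.0/24": "campus-nas-range",
    "MAC:00-11-22-33-44-55": "ap-by-mac",
    "DEFAULT": "catch-all",
}


def demo() -> dict:
    """Show which clause each of a few constructed requests lands on."""
    cases = {
        "known host": ("192.0.2.10", None),
        "host in cidr": ("198.51.100.7", None),
        "ap mac, hyphenated": ("203.0.113.5", "00-11-22-33-44-55"),
        "ap mac, no hyphens": ("203.0.113.5", "001122334455"),
        "ap mac with ssid": ("203.0.113.5", "00-11-22-33-44-55:Prueba"),
    }
    return {name: find_client(SAMPLE_CLIENTS, src, csid) for name, (src, csid) in cases.items()}


if __name__ == "__main__":
    for name, key in demo().items():
        print(f"{name:22s} -> {key}")
```

A Client clause selected by MAC inherits the secret and permissions of that clause from a value the NAS itself supplies, which is why the exact-address and CIDR matches come first and a DEFAULT clause should carry the narrowest configuration you can live with.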


Re: [RADIATOR] radpwtest for EAP/TTL, EAP/TTLS and PEAP

2011-03-21 Thread Christian Kratzer
Hi,

On Mon, 21 Mar 2011, Karl Gaissmaier wrote:

> Hi RADIATOR team,
>
> is it possible with radpwtest to check a radiator config for EAP/TTLS-PAP?
> Maybe I just don't find the proper parameters for radpwtest, any hint welcome.
>
> If not already coded, please see this as a feature request.
>
> EAP/TTLS, EAP/TLS or PEAP configurations are heavily used in eduroaming
> institutions. Would be very helpful if we could monitor our federation config
> via cron with the help of a scriptable radius checker.

EAP support is a bit limited in radpwtst but you can use eapol_test from
the wpa_supplicant package to test most EAP methods.

Greetings
Christian



Re: [RADIATOR] RadSec and Local DBM Users

2011-02-17 Thread Christian Kratzer
ce-Type = Login-User
>NAS-Identifier = "TACACS"
>User-Name = "someuser"
>User-Password = ""
>cisco-avpair = "action=1"
>cisco-avpair = "authen_type=1"
>cisco-avpair = "priv-lvl=1"
>cisco-avpair = "service=1"
>OSC-Version-Identifier = "192"
>Proxy-State = OSC-Extended-Id=1
>
> Thu Feb 17 10:45:56 2011: DEBUG: AuthBy RADSEC result: IGNORE,
> Thu Feb 17 10:45:56 2011: DEBUG: Handling with Radius::AuthDBFILE: 
> AuthenticateLocal
> Thu Feb 17 10:45:56 2011: DEBUG: Radius::AuthDBFILE looks for match with 
> someuser [someuser]
> Thu Feb 17 10:45:56 2011: DEBUG: Radius::AuthDBFILE REJECT: No such user: 
> someuser [someuser]
> Thu Feb 17 10:45:56 2011: DEBUG: AuthBy DBFILE result: REJECT, No such user
> Thu Feb 17 10:45:56 2011: INFO: Access rejected for someuser: No such user
> Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:   Access-Reject
> Identifier: UNDEF
> Authentic:  @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
> Attributes:
>Reply-Message = "No such user"
>
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection result Access-Reject
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication REPLY 2, 
> 0, No such user,
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 
> 192.0.2.124:60130
> Thu Feb 17 10:45:56 2011: DEBUG: Received reply in AuthRADSEC for req 1 from 
> 192.0.2.131:2083
> Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
> *** Received from 192.0.2.131 port 2083 
> Code:   Access-Accept
> Identifier: 1
> Authentic:  )-<164><24> <198><143><220><229><11>^<187><213><210>1<155>
> Attributes:
>Service-Type = Administrative-User
>Mikrotik-Group = "full"
>Tacacs-AuthGroup = "manager"
>cisco-avpair = "priv-lvl=15"
>Management-Policy-Id = "15"
>Extreme-EPICenter-Role = "Administrator"
>Proxy-State = OSC-Extended-Id=1
>
> Thu Feb 17 10:45:56 2011: DEBUG: Access accepted for someuser
> Thu Feb 17 10:45:56 2011: DEBUG: Packet dump:
> *** Reply to TACACSPLUS request:
> Code:   Access-Accept
> Identifier: UNDEF
> Authentic:  @vg<173><181><209><149><211>O<140><28><133>,<160><173>~
> Attributes:
>Reply-Message = "No such user"
>Service-Type = Administrative-User
>Mikrotik-Group = "full"
>Tacacs-AuthGroup = "manager"
>cisco-avpair = "priv-lvl=15"
>Management-Policy-Id = "15"
>Extreme-EPICenter-Role = "Administrator"
>
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection result Access-Accept
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection Authentication REPLY 1, 
> 0, ,
> Thu Feb 17 10:45:56 2011: ERR: TacacsplusConnection write error, 
> disconnecting: Bad file descriptor
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 
> 192.0.2.124:60130
> Thu Feb 17 10:45:56 2011: DEBUG: TacacsplusConnection disconnected from 
> 192.0.2.124:60130
> 
>
> Is this a "bug" or is it working "as-intended" ?
>
> The server has the following setup
> Radiator Version: 4.7 - latest patches as of today(20110217)
> FreeBSD: 7.2-RELEASE-p7
> Perl Modules: Digest::HMAC 1.02, Digest::MD5 2.38, Digest::SHA1 2.12, 
> Net::SSLeay 1.36
>
> Thanks,
> Patrik
>
>



Re: [RADIATOR] AcctInsertQuery for Authby RADIUS

2011-02-16 Thread Christian Kratzer
Hi,

On Wed, 16 Feb 2011, Jeffrey Lee wrote:

> I tried adding  after  but as soon as
>  is executed,  will not be executed.

 will always return an ignore as it dispatches the
radius request and processes the answer asynchronously.

> Can you actually place  within a ?

You can place both AuthBy below each other inside the handler
and set the appropriate AuthByPolicy (Manual Section 5.24.1) to do
what you want.

You will not need an AuthBy GROUP for a simple case as a Handler already
implements the same functionality as an AuthBy GROUP.

> What I'm trying to achieve is to log the RADIUS accounting records
> locally (start, stop & alive) for realms that need to be authenticated
> by another RADIUS server. How can I achieve that?

something like this should do the trick:


AuthByPolicy ContinueWhileIgnore


...



IgnoreAuthentication
...




The  will always proxy your requests and will return ignore.

The AuthBy SQL will be called but will only handle accounting as you have 
configured IgnoreAuthentication.

There are many possible variations but I think above is the simplest.

Greetings
Christian



Re: [RADIATOR] PEAP Unknow Problem

2011-02-16 Thread Christian Kratzer

Hi,

On Wed, 16 Feb 2011, Raúl Tejeda Calero wrote:


> Hi,
>
> I'm still having problems with my PEAP-MSCHAP-V2 configuration.
>
> But the problem seems more complex this time and I'm not sure I understand the 
> process.
>
> The log shows this:
>
> Schema:
> 1) EAPChallenge for mikem
> 2) Access challenged for anonymous: EAP PEAP Challenge
> 3) Access challenged for mikem: EAP PEAP inner authentication redispatched to a 
> Handler
> 4) EAP PEAP inner authentication request for anonymous
> 5) Access challenged for anonymous: EAP MSCHAP-V2 Challenge
> 6) Access challenged for mikem: EAP PEAP inner authentication redispatched to 
> a Handler
> 7) Radius::AuthFILE looks for match with mikem [anonymous]
>    Radius::AuthFILE ACCEPT: : mikem [anonymous]
>    EAP result: 1, EAP MSCHAP-V2 Authentication failure
>
> Thanks for the help.
> Raúl Tejeda
>
> ** Details: **
>
> Radius.cfg:
> ##
> ##
>
> # Basic radius configuration #
>
> # outer auth with just PEAP
>
>
> EAPType PEAP, MSCHAP-V2
> Filename %D/users-eap
>    EAPTLS_CAFile %D/certificados/CAxxx.pem
>    EAPTLS_CAPath %D/certificados
>    EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>    EAPTLS_CertificateType PEM
>    EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>    EAPTLS_MaxFragmentSize 500
>
>
>
> # inner auth with MS-CHAP-V2
>
>
> RewriteUsername s/(.*)\\(.*)/$2/
> EAPType MSCHAP-V2
> Filename %D/users
>    EAPTLS_CAFile %D/certificados/CAxxx.pem
>    EAPTLS_CertificateFile %D/certificados/serverxxx.pem
>    EAPTLS_CertificateType PEM
>    EAPTLS_PrivateKeyFile %D/certificados/serverxxx.key
>    EAPTLS_MaxFragmentSize 500

you might want to do the following:

1. Swap the order of the two handlers so that the more specific TunneledByPEAP
   handler is checked first.  From looking at your logs it seems all requests go
   into your outer auth handler and thus into the wrong AuthBy FILE.

2. Drop the MSCHAP-V2 from your EAPType list in your outer auth handler.
   It is of no use there as there is no MSCHAP in the outer authentication.

3. Drop all the EAPTLS options from your inner auth as they are of no use for
   MSCHAP.

4. Add identifiers to both handlers so you can more easily identify them in
   your logs.  Something like this for the outer handler

       Identifier EAP-PEAP

   and this for the inner

       Identifier EAP-MSCHAP-V2

This should get you a bit further. If it still does not work post the
new config and the appropriate log and we should see what is happening.

Greetings
Christian Kratzer
CK Software GmbH


Re: [RADIATOR] PEAP problem: EAP result: 1, EAP authentication is not permitted

2011-02-07 Thread Christian Kratzer

Hi,

On Mon, 7 Feb 2011, Raúl Tejeda Calero wrote:


Hi everyone,

I have another trouble with my radiator configuration.

I'm trying to connect my WinXP client with PEAP (without "validate server
certificate"). I have entered one valid user (mikem-fred, for example) and the log
shows:

Mon Feb  7 15:28:39 2011: DEBUG: Packet dump:
*** Received from port 32768 
Code:   Access-Request
Identifier: 74
Authentic:  <175><136><30><157>sd<241><177><223><155><160>$s<228>o<129>
Attributes:
User-Name = "mikem"
Calling-Station-Id = "xx"
Called-Station-Id = "xx:Prueba"
NAS-Port = 13
NAS-IP-Address = xxx.yyy.zzz.www
NAS-Identifier = "WLC-1"
Airespace-WLAN-Id = 4
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-IEEE-802-11
Tunnel-Type = 0:VLAN
Tunnel-Medium-Type = 0:802
Tunnel-Private-Group-ID = 509
EAP-Message = <2><2><0><10><1>mikem
Message-Authenticator = 
l<218>k<160><31><206><177><4>E<208><234><171>f<195><137>"

Mon Feb  7 15:28:39 2011: DEBUG: Handling request with Handler 
'NAS-IP-Address=xxx.yyy.zzz.www', Identifier ''
Mon Feb  7 15:28:39 2011: DEBUG: Rewrote user name to mikem
Mon Feb  7 15:28:39 2011: DEBUG:  Deleting session for mikem, , 13
Mon Feb  7 15:28:39 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Feb  7 15:28:39 2011: DEBUG: Handling with EAP: code 2, 2, 10, 1
Mon Feb  7 15:28:39 2011: DEBUG: Response type 1
Mon Feb  7 15:28:39 2011: DEBUG: EAP result: 1, EAP authentication is not 
permitted.
Mon Feb  7 15:28:39 2011: DEBUG: AuthBy FILE result: REJECT, EAP authentication 
is not permitted.
Mon Feb  7 15:28:39 2011: INFO: Access rejected for mikem: EAP authentication 
is not permitted.
Mon Feb  7 15:28:39 2011: DEBUG: Packet dump:
*** Sending to 10.223.0.4 port 32768 
Code:   Access-Reject
Identifier: 74
Authentic:  <2>N<9>4<26><237><212>A<231><249><15>T$<129><152>[
Attributes:
Reply-Message = "Request Denied"



you need to have a dummy user anonymous in your users file for the first stage
of outer authentication for any tunnelled eap method to work.

The sample radiator users file has this:

# For testing various EAP protocols. The Password can never be matched
anonymous Encrypted-Password=nevermatch

I like to use a simple

anonymous

in a separate users-file used only for the outer authentication.


My running config is something like this:



#


RewriteUsername s/(.*)\\(.*)/$2/





Filename %D/users

EAPType MSCHAP-V2, PEAP
#   EAPTLS_CAFile %D/certificados/ca.pem
#   EAPTLS_CertificateFile %D/certificados/serv.pem
#   EAPTLS_CertificateType PEM
#   EAPTLS_PrivateKeyFile %D/certificados/serv.key
#   EAPTLS_MaxFragmentSize 500



Another problem (or the same, I don't know) is the following:






If I use the handler "tunneledByPEAP=1", radiator says: Mon Feb  7 15:25:56 
2011: WARNING: Could not find a handler for mikem: request is ignored


you cannot have just a single handler with tunneledByPEAP=1.  Either you
combine inner and outer auth into a single handler like you have now
or you split them up into two handlers like for example:


-- radius.cfg --
# inner auth with MS-CHAP-V2


RewriteUsername s/(.*)\\(.*)/$2/
EAPType MSCHAP-V2
Filename %D/users



# outer auth with just PEAP


EAPType PEAP
Filename %D/users-eap


-- radius.cfg --


-- users-eap --
anonymous

-- users-eap --


Also notice that I have put the RewriteUsername inside the AuthBy FILE with the 
MSCHAP-V2.

As all chap variants include the username in calculating the challenge,
any rewrites can break your chap.  I believe EAP-MSCHAP has special code
to leave the identity intact despite rewriting the username for the
lookup.  Not sure that it works under all conditions though.

You might want to leave out rewriting at least until you get the config
to work first.


Thus, my access-request seems not tunneled by PEAP, perhaps I have configured
PEAP in my WLAN and client.


the trace shows that your client is attempting eap.

Greetings
Christian




Thanks for your help,

Regards,
Raúl Tejeda




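To see why the caution above about rewriting the username matters, here is an added example (not Radiator code and not part of the thread) that emulates the RewriteUsername directive from the config in Python and feeds the result into the ChallengeHash step of RFC 2759, the step in which the user name enters the MS-CHAPv2 computation. It assumes the peer follows RFC 2759 and hashes its name without any prepended domain; the challenges and identities are constructed, and the NT-Response itself (MD4 plus DES) is not reproduced.

```python
import hashlib
import re

# Constructed 16-byte challenges standing in for the PeerChallenge and
# AuthenticatorChallenge exchanged during EAP-MSCHAP-V2.
PEER_CHALLENGE = bytes(range(16))
AUTH_CHALLENGE = bytes(range(16, 32))


def rewrite_username(name: str) -> str:
    # Python equivalent of the thread's Perl directive
    #   RewriteUsername s/(.*)\\(.*)/$2/
    # which keeps only what follows the last backslash and leaves names
    # without a backslash untouched.
    return re.sub(r"(.*)\\(.*)", r"\2", name)


def peer_hash_name(identity: str) -> str:
    # RFC 2759 section 8.2: only the user name as presented by the peer,
    # excluding any prepended domain name, goes into the hash. A client
    # logging in as CORP\mikem therefore hashes "mikem".
    return identity.rpartition("\\")[2]


def challenge_hash(peer_challenge: bytes, auth_challenge: bytes, user_name: str) -> bytes:
    """ChallengeHash() of RFC 2759 section 8.2: the first 8 octets of
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)."""
    data = peer_challenge + auth_challenge + user_name.encode("utf-8")
    return hashlib.sha1(data).digest()[:8]


def server_reproduces_challenge(presented_identity: str, lookup_name: str) -> bool:
    """True when a server that hashes with lookup_name (the name after any
    rewrite) obtains the same 8-byte challenge the peer used. If this is
    False the NT-Response can never verify, however correct the password."""
    peer_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE,
                               peer_hash_name(presented_identity))
    server_side = challenge_hash(PEER_CHALLENGE, AUTH_CHALLENGE, lookup_name)
    return peer_side == server_side


def check_rewrites() -> dict:
    """Run constructed identities through the thread's rewrite and through two
    other common rewrites; returns identity -> whether MS-CHAPv2 can still pass."""
    cases = {
        # The thread's directive strips a prepended domain, which is exactly
        # what the peer leaves out of its hash, so the challenges agree.
        "CORP\\mikem": rewrite_username("CORP\\mikem"),
        # Rewrites of other kinds, shown for contrast: the peer hashes the
        # full realm-qualified or mixed-case name, the server does not.
        "mikem@example.org": "mikem",
        "Mikem": "mikem",
    }
    return {identity: server_reproduces_challenge(identity, lookup)
            for identity, lookup in cases.items()}


if __name__ == "__main__":
    for identity, ok in check_rewrites().items():
        print(f"{identity:20} {'verifies' if ok else 'challenge mismatch'}")
```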

Re: [RADIATOR] Assigning IP's directly from the Radius server

2011-02-07 Thread Christian Kratzer
Hi Gerard,

On Mon, 7 Feb 2011, Gerard Alcorlo Bofill wrote:

> Thanks Christian,
>
> but the IP address is not in my Accounting-request. May be I need to do
> some changes to the AP configuration...
>
> That's the log I get from the Radius when the AP sends an Start and a
> Stop accounting-requests. If I could get the IP from the
> accounting-request it would one easy and clean solution but I don't know
> how to do it.

Ok. I did not pay attention to the access point part. ;(

There is no ip address in the accounting as the access points do not
assign the ip address.  That is also why radius cannot control the
assignment of an ip address.

The dhcp server that assigns the ip has no link to the Wireless session
on the access-point.

As Heikki wrote in his first mail you might get lucky if you use
the dhcp server integrated into the access-point.  I am not sure
if that would scale over multiple access points though.

Apart from that your only solution is probably to regularly parse
the dhcp server's logs or somehow hook into the dhcp server's
assignment process and match the clients by MAC address.

Greetings
Christian


>
>
> *** Received from 192.168.50.9 port 1646 
> Code:   Accounting-Request
> Identifier: 200
> Authentic:  <14><192>d<210><169><24><165><15><242>:3<25>H<189>iW
> Attributes:
>   Acct-Session-Id = "3186"
>   Called-Station-Id = "000e380d04a1"
>   Calling-Station-Id = "c417fe53f792"
>   cisco-avpair = "ssid=eduroam"
>   cisco-avpair = "vlan-id=54"
>   cisco-avpair = "nas-location=unspecified"
>   User-Name = "galco...@cesca.cat"
>   cisco-avpair = "connect-progress=Call Up"
>   Acct-Authentic = RADIUS
>   Acct-Status-Type = Start
>   NAS-Port-Type = Wireless-IEEE-802-11
>   Cisco-NAS-Port = "1127"
>   NAS-Port = 1127
>   Service-Type = Framed-User
>   NAS-IP-Address = 192.168.50.9
>   Acct-Delay-Time = 0
>
>
>
>
> *** Received from 192.168.50.9 port 1646 
> Code:   Accounting-Request
> Identifier: 207
> Authentic:  J<192>]<142><20><149><196><164><165>P<227><169><218><147>]<171>
> Attributes:
>   Acct-Session-Id = "3186"
>   Called-Station-Id = "000e380d04a1"
>   Calling-Station-Id = "c417fe53f792"
>   cisco-avpair = "ssid=eduroam-"
>   cisco-avpair = "vlan-id=54"
>   cisco-avpair = "nas-location=unspecified"
>   cisco-avpair = "auth-algo-type=eap-peap"
>   User-Name = "galco...@cesca.cat"
>   Acct-Authentic = RADIUS
>   cisco-avpair = "connect-progress=Call Up"
>   Acct-Session-Time = 282
>   Acct-Input-Octets = 95290
>       Acct-Output-Octets = 1349850
>   Acct-Input-Packets = 806
>   Acct-Output-Packets = 962
>   Acct-Terminate-Cause = Lost-Carrier
>   cisco-avpair = "disc-cause-ext=No Reason"
>   Acct-Status-Type = Stop
>   NAS-Port-Type = Wireless-IEEE-802-11
>   Cisco-NAS-Port = "1127"
>   NAS-Port = 1127
>   Service-Type = Framed-User
>   NAS-IP-Address = 192.168.50.9
>   Acct-Delay-Time = 0
>
>
> --
> Gerard
>
> Al 07/02/11 11:39, En/na Christian Kratzer ha escrit:
>> Dear Gerard,
>>
>> On Mon, 7 Feb 2011, Gerard Alcorlo Bofill wrote:
>>
>>> Heikki, you did understand my problem.
>>> And you confirmed my suspicions: Framed-* attributes are ONLY for
>>> connections such as PPP or PPPoE.
>>>
>>> I wanted to do all this work to have all logs centralized to radius and
>>> to be able to run the radwho.cgi script to see which IP addresses were being
>>> used in real time.
>>>
>>> At this moment radwho.cgi is not showing the assigned IP address because
>>> radius doesn't know the IP assigned by the DHCP server. The problem is
>>> that if I want to trace a connection I need to match the MAC address at
>>> the DHCP server and the Radiator server.
>>>
>>> Do you think trying to pass the IP using SNMP traps from the AP would
>>> be a good option or is there an easier solution?
>>
>> The usual way to get the assigned ip would be to process radius
>> accounting. Accounting records would also fill your session database
>> which radwho.cgi could then query.
>>
>> Accounting would get you start, stop and interim records which all
>> include the actual assigned ip.
>>
>> This would also let you have the nas assign the ips which is also much
>> more stable in the long run.
>>
>> Greetings
>> Christian
>>
>

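Added example (not part of the thread and not Radiator code) of the DHCP-log matching suggested above: it correlates an accounting Start/Stop pair with dhcpd DHCPACK syslog lines by MAC address, normalising the separator-free form of Calling-Station-Id that the access point sends. The accounting records and log lines are constructed from the attributes in the dump above with a placeholder user name, and the ISC dhcpd syslog line format is assumed.

```python
import re
from datetime import datetime, timedelta

# Constructed accounting records as Radiator would hold them (only the
# attributes this example needs). Values follow the Start/Stop dump in the
# thread; the user name is a placeholder. The AP sends the MAC in
# Calling-Station-Id without separators.
START = datetime(2011, 2, 7, 11, 20, 0)
ACCOUNTING = [
    {"Acct-Status-Type": "Start", "Acct-Session-Id": "3186",
     "NAS-IP-Address": "192.168.50.9", "User-Name": "user1@example.org",
     "Calling-Station-Id": "c417fe53f792", "Timestamp": START},
    {"Acct-Status-Type": "Stop", "Acct-Session-Id": "3186",
     "NAS-IP-Address": "192.168.50.9", "User-Name": "user1@example.org",
     "Calling-Station-Id": "c417fe53f792",
     "Timestamp": START + timedelta(seconds=282)},   # Acct-Session-Time = 282
]

# Constructed ISC dhcpd syslog lines. The third has the MAC in upper case,
# the fourth is a lease handed out after the session ended.
DHCP_LOG = """\
Feb  7 11:19:58 dhcp1 dhcpd: DHCPACK on 10.54.0.23 to c4:17:fe:53:f7:92 (laptop) via eth0.54
Feb  7 11:20:03 dhcp1 dhcpd[2210]: DHCPACK on 10.54.0.24 to 00:11:22:33:44:55 via eth0.54
Feb  7 11:21:40 dhcp1 dhcpd: DHCPACK on 10.54.0.23 to C4:17:FE:53:F7:92 (laptop) via eth0.54
Feb  7 12:01:00 dhcp1 dhcpd: DHCPACK on 10.54.0.99 to c4:17:fe:53:f7:92 (laptop) via eth0.54
"""

DHCPACK_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ "
    r"dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to (?P<mac>[0-9A-Fa-f:]{17})")


def normalize_mac(mac: str) -> str:
    """c4:17:fe:53:f7:92, C4-17-FE-53-F7-92 and c417fe53f792 all become c417fe53f792."""
    return re.sub(r"[:.\-]", "", mac).lower()


def parse_dhcpacks(log_text: str, year: int) -> list:
    """Return (time, mac, ip) for every DHCPACK line; syslog omits the year,
    so the caller supplies it (here: the year of the accounting records)."""
    leases = []
    for line in log_text.splitlines():
        m = DHCPACK_RE.match(line)
        if not m:
            continue
        when = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                 "%Y %b %d %H:%M:%S")
        leases.append((when, normalize_mac(m["mac"]), m["ip"]))
    return leases


def sessions_from_accounting(records: list) -> dict:
    """Group Start/Stop records into sessions keyed by (NAS, Acct-Session-Id)."""
    sessions = {}
    for rec in records:
        key = (rec["NAS-IP-Address"], rec["Acct-Session-Id"])
        s = sessions.setdefault(key, {"user": rec["User-Name"],
                                      "mac": normalize_mac(rec["Calling-Station-Id"]),
                                      "start": None, "stop": None})
        if rec["Acct-Status-Type"] == "Start":
            s["start"] = rec["Timestamp"]
        elif rec["Acct-Status-Type"] == "Stop":
            s["stop"] = rec["Timestamp"]
    return sessions


def ips_for_session(session: dict, leases: list, grace=timedelta(seconds=30)) -> list:
    """IPs acknowledged to the session's MAC between Start (minus a grace
    period for clock skew and Acct-Delay-Time) and Stop; a session without
    a Stop record yet accepts any later lease."""
    window_start = (session["start"] or session["stop"]) - grace
    window_end = session["stop"] or datetime.max
    return sorted({ip for when, mac, ip in leases
                   if mac == session["mac"] and window_start <= when <= window_end})


def correlate(records: list, log_text: str, year: int) -> dict:
    """(NAS, session id) -> (user, [ips]) for every accounting session."""
    leases = parse_dhcpacks(log_text, year)
    return {key: (s["user"], ips_for_session(s, leases))
            for key, s in sessions_from_accounting(records).items()}


if __name__ == "__main__":
    for (nas, sid), (user, ips) in correlate(ACCOUNTING, DHCP_LOG, START.year).items():
        print(f"{nas} session {sid}: {user} -> {', '.join(ips) or 'no lease found'}")
```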


Re: [RADIATOR] RV: Can't locate object method "response_identity"

2011-02-07 Thread Christian Kratzer

Hi,

On Mon, 7 Feb 2011, Raúl Tejeda Calero wrote:

Hello,

I'm having trouble handling EAP requests with Radiator 4.7. I have installed
all the perl modules (Net_SSLeay1.25, Digest_HMAC, Digest_SHA1, Digest_MD4, MD5,
openssl 1.0.0beta5?) but the log shows this:

Mon Feb  7 10:05:20 2011: DEBUG: Handling request with Handler 
'NAS-IP-Address=x.x.x.x?, Identifier ''
Mon Feb  7 10:05:20 2011: DEBUG: Rewrote user name to xxx.xxx
Mon Feb  7 10:05:20 2011: DEBUG:  Deleting session for xxx.xxx, x.x.x.x, 13
Mon Feb  7 10:05:20 2011: DEBUG: Handling with Radius::AuthFILE:
Mon Feb  7 10:05:20 2011: DEBUG: Handling with EAP: code 2, 2, 16, 1
Mon Feb  7 10:05:20 2011: DEBUG: Response type 1
Mon Feb  7 10:05:20 2011: ERR: Could not handle an EAP request: Can't locate object method 
"response_identity" via package "Radius::EAP_26" at 
/usr/lib/perl5/site_perl/Radius/EAP.pm line 158.

Mon Feb  7 10:05:20 2011: DEBUG: AuthBy FILE result: REJECT, Could not handle 
an EAP request
Mon Feb  7 10:05:20 2011: INFO: Access rejected for x.x.x.x: Could not handle 
an EAP request
Mon Feb  7 10:05:20 2011: DEBUG: Packet dump:
*** Sending to 10.223.0.4 port 32768 
Code:   Access-Reject
Identifier: 39
Authentic:  
<245><221><137><232><247><132><242><223>m<179><130><223>|<158><242><234>
Attributes:
  Reply-Message = "Request Denied"

I read an older mail with the same error but I can't find the problem's
solution.


most probably you are still missing some prerequisites.

Try starting radiator from the command line with the foreground option to see if
it logs more errors from missing modules.

Greetings
Christian


Re: [RADIATOR] Assigning IP's directly from the Radius server

2011-02-07 Thread Christian Kratzer
Dear Gerard,

On Mon, 7 Feb 2011, Gerard Alcorlo Bofill wrote:

> Heikki, you did understand my problem.
> And you confirmed my suspicions: Framed-* attributes are ONLY for
> connections such as PPP or PPPoE.
>
> I wanted to do all this work to have all logs centralized to radius and
> to be able to run the radwho.cgi script to see which IP addresses were being
> used in real time.
>
> At this moment radwho.cgi is not showing the assigned IP address because
> radius doesn't know the IP assigned by the DHCP server. The problem is
> that if I want to trace a connection I need to match the MAC address at
> the DHCP server and the Radiator server.
>
> Do you think trying to pass the IP using SNMP traps from the AP would
> be a good option or is there an easier solution?

The usual way to get the assigned ip would be to process radius accounting. 
Accounting records would also fill your session database which radwho.cgi could 
then query.

Accounting would get you start, stop and interim records which all include the
actual assigned ip.

This would also let you have the nas assign the ips which is also much more 
stable in the long run.

Greetings
Christian



Re: [RADIATOR] RHEL6 install - Can't locate Radius/ServerConfig.pm

2011-02-04 Thread Christian Kratzer
Hi,

On Fri, 4 Feb 2011, Jim Tyrrell wrote:

> This is a fresh RHEL6 install so should have been a straight perl install
> and no upgrades.  The following RPM's are installed:
>
> perl-5.10.1-115.el6.x86_64
> Radiator-4.7-3.noarch

ok.

Your problem seems to be that the rpm uses different paths from your perl
installation. Perhaps because you have a 64-bit system and the rpm is built
for a 32-bit perl installation.

>
> The perl paths are:
> # perl -e 'print join("\n",@INC);'
> /usr/local/lib64/perl5
> /usr/local/share/perl5
> /usr/lib64/perl5/vendor_perl
> /usr/share/perl5/vendor_perl
> /usr/lib64/perl5
> /usr/share/perl5
>
> The missing file is located:
> /usr/lib/perl5/site_perl/5.10.0/Radius/ServerConfig.pm

>
> Where should I be adding a symlink to what, or where and what perl
> library path should I be adding?  Perl isn't my strong point and I don't
> want to add something in the wrong place which will cause other problems
> further down the line.

I would suggest that you remove the rpm and install from the tarball.
The Makefile will automatically find the best path to match your setup.

Greetings
Christian



>
> Thanks.
>
> Jim.
>
>
> Christian Kratzer wrote:
>> Hi,
>>
>> On Fri, 4 Feb 2011, Jim Tyrrell wrote:
>>
>>> Hi,
>>>
>>> I have built a fresh RHEL 6.0 x86_64 server, installed perl and other
>>> prerequisites and installed Radiator 4.7-3 from RPM but when I try and
>>> start radiusd I get the following error messages:
>>>
>>> /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -foreground
>>> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: .
>>> /usr/local/lib64/perl5 /usr/local/share/perl5
>>> /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl
>>> /usr/lib64/perl5 /usr/share/perl5 .) at /usr/bin/radiusd line 25.
>>> BEGIN failed--compilation aborted at /usr/bin/radiusd line 25.
>>>
>>> The file does exist:
>>>
>>> locate Radius/ServerConfig.pm
>>> /usr/lib/perl5/site_perl/5.10.0/Radius/ServerConfig.pm
>>>
>>> Am I missing a symlink or library path from somewhere?
>>
>> run the following
>>
>> perl -e 'print join("\n",@INC);'
>>
>> to see if /usr/lib/perl5/site_perl/5.10.0 is in the perl include path.
>>
>> There should be a symlink from 5.10 to 5.10.0 in case 5.10.0 is your
>> latest 5.10 perl.  Possibly something went wrong with a perl upgrade.
>> I do not know how perl packages are handled in Red Hat.
>>
>> Greetings
>> Christian
>>
>>>
>>> Thanks.
>>>
>>> Jim.
>>>
>>
>
>



Re: [RADIATOR] RHEL6 install - Can't locate Radius/ServerConfig.pm

2011-02-04 Thread Christian Kratzer
Hi,

On Fri, 4 Feb 2011, Jim Tyrrell wrote:

> Hi,
>
> I have built a fresh RHEL 6.0 x86_64 server, installed perl and other
> prerequisites and installed Radiator 4.7-3 from RPM but when I try and
> start radiusd I get the following error messages:
>
> /usr/bin/radiusd -config_file /etc/radiator/radius.cfg -foreground
> Can't locate Radius/ServerConfig.pm in @INC (@INC contains: .
> /usr/local/lib64/perl5 /usr/local/share/perl5
> /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl
> /usr/lib64/perl5 /usr/share/perl5 .) at /usr/bin/radiusd line 25.
> BEGIN failed--compilation aborted at /usr/bin/radiusd line 25.
>
> The file does exist:
>
> locate Radius/ServerConfig.pm
> /usr/lib/perl5/site_perl/5.10.0/Radius/ServerConfig.pm
>
> Am I missing a symlink or library path from somewhere?

run the following

perl -e 'print join("\n",@INC);'

to see if /usr/lib/perl5/site_perl/5.10.0 is in the perl include path.

There should be a symlink from 5.10 to 5.10.0 in case 5.10.0 is your
latest 5.10 perl.  Possibly something went wrong with a perl upgrade.
I do not know how perl packages are handled in Red Hat.

Greetings
Christian

>
> Thanks.
>
> Jim.
>



Re: [RADIATOR] Accounting process dying

2011-01-28 Thread Christian Kratzer
Hi Jim,

On Fri, 28 Jan 2011, Jim wrote:

> Thanks, that was very useful.  I have done some more debugging and it's
> apparent that whenever the process dies the last thing it was doing was a SQL
> update to a MS-SQL server.  Doing some digging, it looks like we are
> connecting to MS-SQL via FreeTDS.
>
> Radiator connection:
>   Identifier  MSSQL-SessionDB
>   DBSourcedbi:Sybase:MSDBServerX
>   DBUsername  dbuser
>   DBAuth  dbpassword
>   Timeout 5
>
> /usr/local/freetds/etc/freetds.conf:
>   [MSDBServerX]
>   host = x.x.x.x
>   port = 1433
>   tds version = 7.0
>
> I think the FreeTDS version we have may be too recent as it's newer than the FAQ
> recommends - although the FAQ says "As of September 2003..".  What is the
> best way, if there is one, to connect to a Windows MS-SQL 2008 server?

I have no idea how well maintained FreeTDS is these days. Last time I
saw it 10 years ago it had lots of issues.  I also do not know if they
have kept up with MS-SQL and its development.

As an alternative you might want to try DBD::Proxy together with DBD::ODBC on
your Windows Server.

Greetings
Christian



Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-18 Thread Christian Kratzer
Hi,

On Fri, 17 Dec 2010, Leigh Porter wrote:

> I tried these methods and none of them really worked effectively against a 
> defective LDAP server. The best solution I found was a decent load balancer 
> with LDAP server availability testing..

we have a customer setup that successfully uses AuthBy LDAP for HA failover as
follows:

AuthByPolicy ContinueWhileIgnore
AuthBy ldap1
AuthBy ldap2
AuthBy ldap3

Radiator notices failed ldap servers usually when it gets a socket error
from a dead server and moves on to the next server.

I believe there are still situations when the specific request which runs into
an error situation is dropped but radius resends should handle those
cases.

Greetings
Christian



Re: [RADIATOR] AuthBy LDAP2 failover with round-robin DNS?

2010-12-17 Thread Christian Kratzer
Hi,

On Fri, 17 Dec 2010, Andrew Clark wrote:

> Hi,
>
> one more quick question.  What is the behavior of AuthBy LDAP2 with a
> round-robin DNS entry (multiple A records for the RR)?  If I'd like
> failover behavior, will a single Host declaration with a round-robin
> record be enough, or do I need to list out each individual LDAP
> server?

you should explicitly list all servers as DNS will get resolved once
on load of config.
>
> Load-balancing isn't required, though I've seen Hugh's advice for how
> to do that in an email from May 14th, 2008.

Greetings
Christian



Re: [RADIATOR] Can't Insert into database - fresh radiator install

2010-12-10 Thread Christian Kratzer
Hi,

On Fri, 10 Dec 2010, Ricardo Freitas wrote:

> Hello everyone.
>
> I just installed Radiator 4.7. Have perl 5.12 and Mysql 5.1.8x.
>
> I had a running configuration of Radiator 2.19 that worked fine and upon
> any call, it would register the info on my database.
>
> Currently, I'm trying to "authenticate" some calls using "radpwtsd" but
> despite the fact I'm able to authenticate and account for each call,
> those calls aren't inserted into the database - bear in mind that they
> are logged and saved into the radius log directory.

as you quoted "authenticate" above: are you aware that accounting is a separate
process, and that if you have given -noacct or similar options to radpwtst it will
not generate any accounting?

> I would also like to know how I can configure such logs since I'm trying
> to log different perl files (so I can find out what is happening with
> some variables) but I'm unable to do so. Thought a simple printf would
> suffice if I was running the --config-file with debug on.


For starters raise the loglevel to 4 and make sure you have specified a logfile 
file using the LogFile directive.

Alternatively just start radiator from the command line using -log_stdout 
-trace 4 -foreground options.

You should watch for mysql connection errors and for errors from perl in case 
it cannot load modules such as DBI or DBD::mysql.

You of course need to install DBI and DBD::mysql for mysql connections to work 
from any perl application.

> I can't manage to get the calls into the database and on the mysql logs
> I haven't got any error (error log and general query log). I've tried to
> access and insert a record into the database using the mysql/radius user
> file and was able to.
>
> Can you guys give me some tips on where to start looking for problems? I
> mean from 2.19 to 4.7 is an huge leap.

For more detailed help you might want to post your config file stripped of all 
secrets.

Greetings
Christian



Re: [RADIATOR] Updated Radiator - error Can't locate object method "readConfig"

2010-12-08 Thread Christian Kratzer
Hi Ricardo,

On Wed, 8 Dec 2010, Ricardo Freitas wrote:

> Hello, everyone.
>
> Just upgraded Radiator to the latest version and have Perl 5.8.8 also
> running.
>
> When trying to run "radiusd --config_file
> /my_radius_config_file_instance" I get the following error:
>
>
> "Can't locate object method "readConfig" via package
> "Radius::ServerConfig" at /usr/bin/radiusd", on line 181
>
>
> Could this be an error due too some obsolete configuration on the config
> file? I fear it could be a Radiator error, since the file radiusd is the
> one reporting the error.
>
> I had the radiator version 2.1.9 (yeah, really old..)
>
> Thanks guys, appreciate any help you can provide.

did you install the radiator perl modules ?

The radiusd script needs to match the perl modules.  One or the other
might be from the really old radiator.

Greetings
Christian



Re: [RADIATOR] Handlers with different identifiers

2010-12-03 Thread Christian Kratzer
Dear Ricardo,

On Fri, 3 Dec 2010, Ricardo Freitas wrote:

> Dear Sirs
>
> I would like to know if there is any significant importance between two 
> different identifiers associated with a same number.
>
> Let me place here the code:
>
>
>  User-Name=/(username-with-calledNumber)\...@quiz$/>
> *Identifier  Identifier1 (example)*
> 
>
>{ configuration info }
>
> 
> 
>
>
>  User-Name=/(username-with-calledNumber)\...@quiz$/>
> * Identifier  Identifier2 (another example)*
>AccountingHandled
>AcctLogFileName  %L/%Y%m%d_log
> 
>
>{ configuration info }
>
> 
> 
>
>
>
> As you can see, I have a handler regarding the Access Request and another 
> one regarding Accounting-Request. Both have different identifiers. Does this, 
> in any way, alter the correct work flow of the calls? I thought this was more 
> like an info/label thing than a real configuration parameter.

no, it won't alter your flow of requests in radiator as it is not something you 
are matching on.

Identifiers are a great way to label any parts of the radiator config, not only 
handlers but also clients and AuthBys. You will find the respective identifiers in 
all kinds of logs and stats.

Greetings
Christian



Re: [RADIATOR] Certificate issues with intermediate certificates.

2010-11-19 Thread Christian Kratzer
Hi,

On Fri, 19 Nov 2010, Smith, Todd wrote:

> In working with Radiator and Apple devices, I am having problems with the 
> RADIUS server certificate being verified by the client.  In discussion with 
> DigiCert, they suggest that Radiator is not correctly giving out the 
> intermediate certificates to the client.  I am able to authenticate other 
> devices so I don't think that is a problem but something is keeping the Apple 
> devices from correctly authenticating.
>
> The syntax that I am using in Radiator is as follows:
>
> EAPType PEAP
># CAChain contains 2 intermediate certificates and the root 
> certificate concatenated like this Inter1->Inter2->Root
>EAPTLS_CAFile %D/certificates/DigiCert/CAChain.crt
>   EAPTLS_CertificateFile 
> %D/certificates/DigiCert/weiland_camc_hsi.crt
>   EAPTLS_CertificateType PEM
>EAPTLS_PrivateKeyFile %D/certificates/DigiCert/weiland_camc_hsi.key
>
>   EAPTLS_MaxFragmentSize 1000
>
> DigiCert has suggested to test for the intermediate certificates by the 
> method quoted below using OpenSSL.  When I tested it using port 1812 or 443 
> all I received was the error message Connection refused:errno 29  Would you 
> be able to test a certificate chain in this way?  Would you need a 802.1x 
> client to handshake before the X.509 certificate would be transmitted?  Trace 
> 4 shows Radiator handing out the certificate but even though the Apple 
> clients have the appropriate root certificate, they can't verify the server 
> certificate and there doesn't seem to be any problem with the server 
> certificate since other devices don't seem to complain about it.
>
> Any suggestions as to what else I can look at?

a couple of short points:

If you used openssl s_client to test, be aware that s_client uses TCP for a 
TLS/SSL connection.  RADIUS runs on UDP and is a totally different protocol.  
This cannot work and connection refused is what you will get in such a case.

If you have a certificate and several intermediates you should use 
EAPTLS_CertificateChainFile instead of EAPTLS_CertificateFile.  Also be sure to 
put the server certificate first and then follow up with the intermediate 
certificates.

A good test client for EAP/PEAP is eapol_test from the wpa_supplicant project. 
This will do actual radius queries with EAP/PEAP and MSCHAP or whatever.  You 
will have to manually compile eapol_test from the wpa_supplicant sources though.

A quick google for eapol_test brings up following: 
http://deployingradius.com/scripts/eapol_test/

Greetings
Christian



Re: [RADIATOR] Hello guys - losing some "calls" when I get some peaks (per second)

2010-11-08 Thread Christian Kratzer
Hi Ricardo,

On Mon, 8 Nov 2010, Ricardo Freitas wrote:

> Hey guys
>
> I have been using Radiator for the past years (from 2006) and it is
> mainly used to get calls, validating them and then saving them in a
> database.
>
> The whole system has been working smoothly until now, where we have more
> calls than ever.
>
> The main problem isn't with the number of calls in a whole, but in the
> time frame they are received. From what I could learn, I think we manage
> to successfully account for, more or less, 130 calls in a certain second
> where the rest of the incoming calls are either lost or, and this is
> where my doubt is, saved in a temporary cache.
>
> I don't know where or how to configure this but I would like to know if
> it is possible to increase this cache size or, at least, know how is it
> configure.
>
> Let me refrain that ALL calls appear on the radius server in the log
> files with all their specific info (msisdn, alias, date of call, etc)
> but not on the database, somehow they are not getting sent to the database.
>
> Let me just explain with an example.
>
> Imagine a certain second or seconds where you have 100, 60, 70 and 50
> calls on four consecutive seconds. All calls are saved in the database
> (well, you can lose one or two).
>
> Now lets step it up a notch. Imagine you have 4 consecutive seconds with
> 130, 180, 200, 170 calls. This time, and despite ALL the calls are saved
> in the radius log servers, some of them are not passed through the mysql
> database server, to be more specific in this case we generally lose 1/3
> or so of the calls (higher the number, higher the loss - we guess the
> "safe" mark is 130 - above that all hell breaks loose).
>
> Do you guys have any idea how to solve this?
>
> Current configuration - at least what I can tell you now - we have 6
> routers connected to our radius server, with four different instances on
> the server - my guess, this was to distribute the load of the routers in
> a more shared way.
>
> First things first: is there a place where I can check the so called
> cache? I mean, when we have lower load seconds, the database sometimes
> has MORE calls than the radius itself which makes me believe it's
> somehow dumping the cached calls..
>
> Thanks a lot, this is getting very problematic.

sounds like your database is not managing to keep up although it's hard to say 
exactly where your calls are getting lost from your description.

You say all calls reach your radius server.  From what logs are you determining 
this? Might be interesting to know how far they get in.  It is possible your 
database inserts are taking too long and the queued requests are getting 
dropped.

If I understand you correctly you just need to save off accounting to a 
database without any authentication taking place.  An extremely scalable 
strategy for this kind of situation might be to decouple the receiving of the 
requests and the insertion in the database.

That is, set up radiator to write the accounting to a logfile in the filesystem 
and set up a batch process to process completed logfiles every couple of 
minutes.  Radiator will have no trouble writing 200 calls/sec into an ascii 
line by line log.  I would guess the limit will be even higher.  The separate 
process can insert the records into the database without danger of timeouts 
occurring.


Greetings
Christian

-- 
Christian Kratzer  CK Software GmbH
Email:   c...@cksoft.de  Wildberger Weg 24/2
Phone:   +49 7032 893 997 - 0  D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9  HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
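Christian's decoupling suggestion worked through as an added example (not Radiator's own code and not the poster's): a separate process parses a Radiator accounting detail file (the layout Radiator writes when a Handler has AcctLogFileName set; the two records below are constructed in that layout) and inserts each file as one batch into SQLite. The table, its columns and the unique key are assumptions of this example; the points it shows are that the database is written once per batch rather than once per request, and that replaying a file that was already loaded inserts nothing, which matters because a retried partial load is one way to end up with more rows in the database than calls in the log.

```python
import re
import sqlite3

# Attribute line in a Radiator detail file: indented 'Name = value', value optionally quoted.
ATTR_RE = re.compile(r'^\s+([\w-]+)\s*=\s*"?(.*?)"?\s*$')

# Constructed sample: Start and Stop of one session in the detail-file layout.
SAMPLE_DETAIL = (
    "Mon Nov  8 10:15:01 2010\n"
    '\tUser-Name = "351912345678"\n'
    "\tAcct-Status-Type = Start\n"
    '\tAcct-Session-Id = "8E7A0001"\n\n'
    "Mon Nov  8 10:15:03 2010\n"
    '\tUser-Name = "351912345678"\n'
    "\tAcct-Status-Type = Stop\n"
    '\tAcct-Session-Id = "8E7A0001"\n'
    "\tAcct-Session-Time = 2\n\n"
)

def parse_detail(text):
    """Return one dict per record; a non-indented line (the timestamp) starts a record."""
    records, current = [], None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = m.group(2)
        elif line.strip() and not line[0].isspace():
            if current:
                records.append(current)
            current = {"_timestamp": line.strip()}
    if current:
        records.append(current)
    return records

def open_db(path=":memory:"):
    """Open the target database; the schema is our own assumption, not Radiator's."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE IF NOT EXISTS acct (ts TEXT, username TEXT, status TEXT,"
                 " session_id TEXT, session_time INTEGER, UNIQUE(session_id, status, ts))")
    return conn

def load_batch(conn, records):
    """Insert a whole file in one transaction; replaying a loaded file inserts 0 (OR IGNORE + UNIQUE)."""
    rows = [(r["_timestamp"], r.get("User-Name"), r.get("Acct-Status-Type"),
             r.get("Acct-Session-Id"), int(r.get("Acct-Session-Time", 0)))
            for r in records]
    before = conn.total_changes
    with conn:  # one commit per batch, not one per request
        conn.executemany("INSERT OR IGNORE INTO acct VALUES (?,?,?,?,?)", rows)
    return conn.total_changes - before
```

In production the loader would run from cron over files Radiator has already rotated away from, so the RADIUS process and the loader never touch the same file.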


Re: [RADIATOR] Remove Attribute from Reply

2010-10-26 Thread Christian Kratzer
Hi,

On Tue, 26 Oct 2010, Ian Mordey wrote:

> Hi there
>
> Is there a way of removing an attribute from a reply? I have a radiator
> box sending:
>
>cisco-avpair = "ip:dns-servers=XXX"
>
> in the response. I'd like to stop it sending this as I have it covered
> in a PostAuthSelectHook file. I've seen the AddToReply. Is there an
> opposite of this?

there is StripFromReply so you could use

StripFromReply cisco-avpair

This will remove any cisco-avpair though, so if you need to keep
some cisco-avpairs or need to strip ip:dns-server possibly embedded
in a longer cisco-avpair you will probably have to use a hook and
operate on the string.

Greetings
Christian
>
>
>
> Thanks
>
> Ian
>
>



Re: [RADIATOR] refresh time on clientlistsql

2010-10-08 Thread Christian Kratzer
Hi,

On Fri, 8 Oct 2010, Alexander Hartmaier wrote:

> Hi Hugh,
>
> we started to use the ClientListSQL feature too but get an Oracle SQL
> timeout error in the logs whenever Radiator tries to refresh the list,
> works on startup.

just a wild guess but does your oracle time out idle connections
after a specific time?

We had a similar situation with LDAP some time ago where we were getting
LDAP_OPERATIONS_ERRORs when a connection was reused after a while of
inactivity.

The ldap server had closed the socket after a timeout and radiator
only noticed when it tried to write a query to the socket.

We contributed a fix to AuthbyLDAP2 that reattempts the connect on
errors.  This has since been included in radiator.

What you are describing (SQL connection and query work the first time but
fail a while later) sounds awfully similar.

Just a wild guess though.

Greetings
Christian

>
> Any idea why and how we can debug this?
>
> --
> Best regards, Alex
>
>
> On Wednesday, 22.09.2010, 00:25 +0200, Hugh Irvine wrote:
>> Hello Alex -
>>
>> See section 5.7.3 in the Radiator 4.7 reference manual ("doc/ref.pdf").
>>
>> regards
>>
>> Hugh
>>
>>
>> On 22 Sep 2010, at 05:01, Martin Burton wrote:
>>
>>> Hi Alex,
>>>
>>> You need to make sure that RefreshPeriod is set in your config file.  It
>>> defaults to 0, which means the SQL query is performed only upon radiusd
>>> start or when it's sent a SIGHUP.
>>>
>>> 
>>> .
>>> .
>>> .
>>> RefreshPeriod 300
>>> .
>>> .
>>> .
>>> 
>>>
>>> would cause the DB to be requeried every 5 minutes for example.
>>>
>>> Hope that helps.
>>>
>>> Cheers,
>>>
>>> Martin.
>>>
>>> On 21/09/2010 19:41, Alex Sharaz wrote:
>>>> Hi all,
>>>>
>>>> I've got a cluster of radius servers all configured to read NAS clients 
>>>> from a db2 database. I thought that radiator was supposed to periodically 
>>>> refresh its internal list of clients by rereading the database.
>>>>
>>>> Yesterday morning I added a number of clients to the database. by 16:00 
>>>> today  the radius servers still hadn't picked up the new clients.  A 
>>>> reload caused radiator to reread the client list but it would have been 
>>>> nice to have radiator pick up the new clients automagically.
>>>>
>>>> Anyone else seen problems with refreshing client lists?
>>>>
>>>> Rgds
>>>> Alex
>>>>
>>>
>>> --
>>> Martin Burton
>>> Senior Systems Administrator   \\\|||///
>>> Special Projects Team \\  ^ ^  //
>>> Wellcome Trust Sanger Institute(  6 6  )
>>> -oOOo-(_)-oOOo---
>>>
>>
>>
>>
>> NB:
>>
>> Have you read the reference manual ("doc/ref.html")?
>> Have you searched the mailing list archive 
>> (www.open.com.au/archives/radiator)?
>> Have you had a quick look on Google (www.google.com)?
>> Have you included a copy of your configuration file (no secrets),
>> together with a trace 4 debug showing what is happening?
>>
>
>

-- 
Christian Kratzer  CK Software GmbH
Email:   c...@cksoft.de  Schwarzwaldstr. 31
Phone:   +49 7452 889 135  D-71131 Jettingen
Fax: +49 7452 889 136  HRB 245288, Amtsgericht Stuttgart
Web: http://www.cksoft.de/ Geschaeftsfuehrer: Christian Kratzer


Re: [RADIATOR] Radiator performance problem with specific hardware

2010-09-01 Thread Christian Kratzer
Hi,

On Wed, 1 Sep 2010, Kukas Damjan wrote:

> Hello,
>
> We are having problems with Radiator performance while using specific 
> hardware and software.
> The hardware we're using is:
> CPU: Sun SPARC T5140 - having 2 x SunSparc 1.2Ghz CPU, each CPU having 8 
> cores, and each core simulates 8 virtual processors, so system has 128 
> virtual (logical) processors
>
> The software we're using:
> OS: Solaris 10
> Radiator 4.5.1.
>
> The performance problem appears when using more than 64 workers defined in 
> FarmSize parameter. If we use more than 64 workers, number of requests per 
> second drops drastically (measured values: with 64 workers- 5400 
> requests/second, 128 workers - 1200 requests/second). By doing some specific 
> tests we've come to the conclusion that the problem lies somewhere in the
> simultaneous multiple read/write to socket (UDP queue) mechanism.

from your description this does sound a lot like you are hitting a lock 
contention issue in the operating system (Solaris).

If you have enough requests to saturate that many cores you might try splitting 
the radiator into, for example, 4 instances on separate ports, with each instance 
having a farm of 32 workers.

That would give you 4 separate udp queues to 4 separate farms and might
perhaps get you around your operating system issue.

Of course you would have to distribute the load to the 4 instances
either directly from your radius clients or via other means. I do not know 
if this is an option in your situation.

Greetings
Christian Kratzer
CK Software GmbH
