[RADIATOR] Limits on EAPTLS_PrivateKeyPassword
We have just renewed our certificates on our servers, and Windows clients are unable to authenticate.

Without having to select "Validate server certificate" in a wireless profile, Windows usually presents a security box informing you that the certificate may not be trusted and/or is not bound as the root anchor. From there you can continue and access is granted. However, since implementing our new certificates, Windows 7 is not presenting any warnings; the Radiator log files continue with challenges and requests continually. Windows 8 just rejects the authentication outright:

Thu Jun 12 11:05:43 2014: ERR: EAP PEAP TLS read failed: 19984: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied
Thu Jun 12 11:05:43 2014: ERR: EAP PEAP TLS read failed: 19984: 1 - error:14094419:SSL routines:SSL3_READ_BYTES:tlsv1 alert access denied

If I take our original certificate that DOES work with Windows 7 / 8, and I remove the PrivateKeyPassword or change it, I get the same behaviour on both OSs.

So.. two things are likely the culprit: either the private key provided to create the cert is wrong... or Radiator limits what characters can be used for the private key.

Any assistance would be grateful

Michael Hulko
Network Analyst
Western University Canada
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Proxy server variable
We have a custom PostAuthHook script which writes out some log details that is appended to syslog, so that is the first place I would like to try. We proxy to a dept on campus and the information they feel may be relevant to them is the initial server (host) the proxied radius request is sent to per client. Your example below references the final host. I am not sure that my explanation makes sense, I appreciate your suggestion...

Thanks
M

On 2014-03-21, at 4:07 PM, Heikki Vatiainen wrote:

> On 03/20/2014 05:23 PM, Michael Hulko wrote:
>> I would like to log the server that a client is proxied to for authentication.
>
> Hello Michael, which log are you thinking of? Authentication log or something else? Please see below for some ideas but in short, it depends on at which point during the processing you want to log information.
>
>> I have searched through the Radius packets for some form of Attribute without any luck. I have also read through the Radius reference and cannot find anything useful there either. There must be a variable for when an external server times out as seen in the output of the log:
>>
>> No reply after 20 seconds and 3 retransmissions to 129.100.160.144:1645 for casecomp.gu...@ivey.ca (69)
>
> The above tells 129.100.160.144 did not respond after retransmissions. If there are other Hosts, these will be tried next. Finally, when it fails to get a response from any Host, NoReplyHook will run and you should be able to get the details of the final Host from the second argument with $fp->{ThisHost} where $fp is the second Hook argument (${$_[1]}).
>
>> any assistance would be appreciated.
>
> In other words, the object for the forwarded request has a pointer to Host. You could then check $host->{Address} to get the address.
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen h...@open.com.au
>
> Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
[RADIATOR] Proxy server variable
I would like to log the server that a client is proxied to for authentication.

I have searched through the Radius packets for some form of Attribute without any luck. I have also read through the Radius reference and cannot find anything useful there either. There must be a variable for when an external server times out as seen in the output of the log:

No reply after 20 seconds and 3 retransmissions to 129.100.160.144:1645 for casecomp.gu...@ivey.ca (69)

any assistance would be appreciated.

Michael Hulko
Re: [RADIATOR] Log messages
I think we figured it out... one of our admins restarted the radiator process under a different identity and did not have all the correct rights to the environment. Once we purged the process, the errors seem to stop.

Thanks
M

On 2014-02-07, at 3:41 PM, Heikki Vatiainen wrote:

> On 02/06/2014 07:13 PM, Michael Hulko wrote:
>> We're seeing the following, not quite so frequently in our logs. Not every server is reporting this. Can anyone confirm that this is simply a client trying to authenticate with an unsupported EAP type?
>
> The EAP type is 0 in this case and it's clearly not any real type. It might be a misbehaving client or the server might be receiving a RADIUS request where the first EAP-Message attribute looks like an EAP request or response for EAP type 0. Some intermediate system may have, for example, stripped the first attribute away, leaving the remainder to look like an EAP request or response.
>
> There are likely to be multiple reasons why you get these messages. They might originate as incorrect or get mangled during the transport.
>
> Thanks,
> Heikki
>
>> Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP_0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
>> Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP_0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
[RADIATOR] Log messages
We're seeing the following, not quite so frequently in our logs. Not every server is reporting this. Can anyone confirm that this is simply a client trying to authenticate with an unsupported EAP type?

Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP_0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.
Feb 5 11:32:53 riptide-6.vm.its.uwo.pri /usr/bin/radiusd[14112]: Could not load EAP module Radius::EAP_0: Can't locate Radius/EAP_0.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 11750293) line 3, GEN3 line 2747056.

Thanks

Michael Hulko
Re: [RADIATOR] Perl expressions
Thanks for the clarification... I was able to do as suggested.

However, I am finding that evaluating check items in Handlers using Vendor VSAs is hit or miss. I have in my config...

<Handler Client-Identifier = ONCAMPUS, Aruba-Port-Identifier = controller-address:0/11>   - This works fine!

<Handler TunnelledByPeap=1, Client-Identifier=ONCAMPUS, Realm=uwo.ca>   This works fine!

<Handler TunnelledByPeap=1, Client-Identifier=ONCAMPUS, Realm=uwo.ca, Aruba-Essid-Name=ssid of choice>   --- FAILS!!!

My dictionary file has all the Aruba VSAs defined.. other testing shows that it works with some VSAs but not all... I am running tests on a Windows server w/ Radiator ver. 4.51 and a Linux server w/ Radiator ver 4.12.

Any thoughts???

Thanks
M

On 2013-10-21, at 2:54 PM, Heikki Vatiainen wrote:

> On 10/21/2013 06:44 PM, Michael Hulko wrote:
>> Sorry for the noob type question...but is it possible to evaluate a perl expression WITHOUT wrapping the perl code in a Hook?
>
> Hello Michael, I do not think there is support for evaluate.
>
>> such as for example:
>>
>> <Handler TunnelledByPEAP=1>
>>     Identifier
>>     Authby NTLM
>>     PostAuthHook file:%D/xxx.hook
>>     AddToReply User-Vlan = $vlan = 620+int(rand(9));
>> </Handler>
>
> For this particular example, I would calculate $vlan with PostAuthHook, add it to $p (request) as e.g. X-rand-vlan and then do something like:
>
> AddToReply User-Vlan=%{X-rand-vlan}
>
> That would still give some hint that the User-Vlan value is something special.
>
> Thanks,
> Heikki
[RADIATOR] Perl expressions
Sorry for the noob type question...but is it possible to evaluate a perl expression WITHOUT wrapping the perl code in a Hook?

such as for example:

<Handler TunnelledByPEAP=1>
    Identifier
    Authby NTLM
    PostAuthHook file:%D/xxx.hook
    AddToReply User-Vlan = $vlan = 620+int(rand(9));
</Handler>

Thanks

Michael Hulko
Re: [RADIATOR] Radiator LoadBalancing Optimization
Thanks for the response, too bad though. Unfortunately, we can only have one radius server instance per NAS (and a backup), but this particular NAS supports the radius proxy clients which are the problem.

M

On 2013-09-13, at 6:39 AM, Sami Keski-Kasari wrote:

> Hello Michael,
>
> CachePasswords doesn't work with EAP, it works only with PAP authentication. So it won't help you in this situation.
>
> My advice is that you should add more hosts for authentication or, if you have a lot of accounting traffic, then it might be a good solution if you have separate instances for accounting and authentication.
>
> Best Regards,
> Sami
>
> On 09/12/2013 05:37 PM, Michael Hulko wrote:
>> In a previous discussion regarding loadbalancing radius requests, we instituted the AuthBy EAPBALANCE method to proxy requests to departmental radius servers. We have been running this method for close to 6 months and have been pretty satisfied with the result.
>>
>> Of late, however, the client traffic has increased, and the time for an authentication to complete is a tad longer than the users are willing to accept. My reading of the documentation provided by OSC suggests the use of CachePasswords, CacheOnNoReply and CachePasswordExpiry would assist in the performance. I understand that the trade-off of implementing these features is memory.
>>
>> So to that end, first, is anyone using these parameters? What is the number of clients supported and related memory usage? I anticipate approx. 3-4K simultaneous users for the particular AuthBy clause. What would the recommended Password expiry timer be?
>>
>> Any info would be appreciated. Below is the current config snippet of the AuthBy we are using. User connections are retried after a 45 min. period.
>>
>> #IVEY
>> # Proxies auth requests to the IVEY IAS radius servers using a loadbalance algorithm.
>> <AuthBy EAPBALANCE>
>>     Identifier IVEY
>>     Retries 3
>>     RetryTimeout 5
>>     FailureBackoffTime 20
>>     AuthPort 1645
>>     AcctPort 1646
>>     Secret x
>>     LocalAddress xx
>>     #
>>     <Host xxx>
>>     </Host>
>>     #
>>     <Host>
>>     </Host>
>>     #
>>     <Host>
>>     </Host>
>> </AuthBy>
>>
>> The last server is the slower of the 3 hosts available which I believe is the bottleneck.
>>
>> Thanks
>> Michael Hulko
>
> --
> Sami Keski-Kasari sam...@open.com.au
[RADIATOR] Radiator LoadBalancing Optimization
In a previous discussion regarding loadbalancing radius requests, we instituted the AuthBy EAPBALANCE method to proxy requests to departmental radius servers. We have been running this method for close to 6 months and have been pretty satisfied with the result.

Of late, however, the client traffic has increased, and the time for an authentication to complete is a tad longer than the users are willing to accept. My reading of the documentation provided by OSC suggests the use of CachePasswords, CacheOnNoReply and CachePasswordExpiry would assist in the performance. I understand that the trade-off of implementing these features is memory.

So to that end, first, is anyone using these parameters? What is the number of clients supported and related memory usage? I anticipate approx. 3-4K simultaneous users for the particular AuthBy clause. What would the recommended Password expiry timer be?

Any info would be appreciated. Below is the current config snippet of the AuthBy we are using. User connections are retried after a 45 min. period.

#IVEY
# Proxies auth requests to the IVEY IAS radius servers using a loadbalance algorithm.
<AuthBy EAPBALANCE>
    Identifier IVEY
    Retries 3
    RetryTimeout 5
    FailureBackoffTime 20
    AuthPort 1645
    AcctPort 1646
    Secret x
    LocalAddress xx
    #
    <Host xxx>
    </Host>
    #
    <Host>
    </Host>
    #
    <Host>
    </Host>
</AuthBy>

The last server is the slower of the 3 hosts available which I believe is the bottleneck.

Thanks

Michael Hulko
Re: [RADIATOR] Additonal Aruba (14823) dictionary attributes
Sorry... cut off the last line... should be:

VENDORATTR 14823 Aruba-AirGroup-Shared-Role 26 string

MH

On 2013-05-17, at 9:04 AM, Michael Hulko wrote:

> FYI... in case you have not already included these in the latest dictionary file, I have found new attributes by Aruba's new version of OS which may cause log messages to appear.
>
> VENDORATTR 14823 Aruba-Device-Type 12 string
> VENDORATTR 14823 Aruba-Mdps-Device-Imei 16 string
> VENDORATTR 14823 Aruba-AirGroup-Shared-Ro 26 string
>
> It might be worthwhile to maybe have a separate download for the dictionary file on the website without having to always upgrade the Radiator software or unpack the latest release to extract the dictionary file. Just a thought.
>
> Thanks
> Michael Hulko
Re: [RADIATOR] Loadbalancing requests from Proxy
Thanks for the input, I will look at the trace 4 messages for errors and states. I am not sure that this is the same type of situation that Neil is describing from Eduroam as this is an internal proxy setup for a dept who looks after their own AD etc...

MH

On 2013-05-17, at 12:50 PM, Christopher Bongaarts wrote:

> IIRC, this is the symptom we saw when our wireless controllers weren't returning all of the State attributes (see the thread from Neil at Iowa). For diagnosis, bump your Trace level up to 4 for a while, and observe the State attributes being sent and returned.
>
> On 5/17/2013 7:12 AM, Michael Hulko wrote:
>> One note after implementing EAPBALANCE. I am getting this in the logs with a specific user at the moment.
>>
>> May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
>> May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
>> May 17 07:52:14 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
>> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward asnow...@ivey.ca (79) after 20 seconds. Ignoring
>> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward asnow...@ivey.ca (79) after 20 seconds. Ignoring
>> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.133:1645 for asnow...@ivey.ca (64)
>> May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.133:1645 for asnow...@ivey.ca (64)
>>
>> Here is the config snippet I have included.
>>
>> <AuthBy EAPBALANCE>
>>     Log errorLogger
>>     Log western_syslog
>>     Identifier IVEY
>>     Retries 3
>>     RetryTimeout 5
>>     FailureBackoffTime 20
>>     AuthPort 1645
>>     AcctPort 1646
>>     Secret x
>>     LocalAddress xx
>>     <Host 129.100.160.144>
>>     </Host>
>>     <Host 129.100.160.97>
>>     </Host>
>>     <Host 129.100.160.133>
>>     </Host>
>> </AuthBy>
>>
>> My interpretation of these messages is that the server the EAPBALANCE is trying to send the authentication packets to does not respond in the appropriate amount of time, the EAPBALANCE hash does not want to break the authentication stream, but never times out long enough to move to another server?
>>
>> Any input would be helpful. My thought is to lower the values for Retries etc.
>>
>> MH
>>
>> On 2013-05-10, at 11:41 AM, Michael Hulko wrote:
>>> Thanks for the suggestion.. this seems to alleviate the timeouts that I had noticed previously. (Log file was sent separately).
>>>
>>> MH
>>>
>>> On 2013-05-10, at 5:26 AM, Heikki Vatiainen wrote:
>>>> On 05/09/2013 11:09 PM, Michael Hulko wrote:
>>>>> We have been requested to try and loadbalance requests to a Campus department with their own Radius (IAS) server for their wireless users.
>>>>
>>>> Hello Michael, you mentioned campus and wireless LAN which makes me think there is EAP, such as PEAP or TTLS, involved. If so, you would need to use AuthBy EAPBALANCE to make sure the EAP authentication sessions are always handled by the same IAS server. Otherwise you will see failures and timeouts when the IAS servers receive requests they are not expecting.
>>>>
>>>> The Trace 4 log was not included, but I'd first check how it works with EAPBALANCE.
>>>>
>>>> Thanks,
>>>> Heikki
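A defender-side way to pull the per-host detail asked about in the "Proxy server variable" thread above straight out of messages like the ones quoted in this thread, as an added example that is not Radiator code and was not posted to the list: it parses constructed sample syslog lines modelled on the "No reply", "HASHBALANCE declines", "Could not find a working host" and "Could not load EAP module" messages, drops the duplicate copies that two <Log> clauses produce, and summarises which proxy hosts deserve a look. The sample lines, user names and the `threshold` parameter are constructed for the demonstration.

```python
"""Summarise Radiator proxy and EAP failure messages from syslog lines."""
import re
from collections import Counter
from dataclasses import dataclass, field

# Constructed sample input modelled on the lines quoted in this thread.
# The first message appears twice on purpose: Radiator with two <Log>
# clauses writes each message once per logger.
SAMPLE_LOG = """\
May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
May 17 07:52:09 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after failover from 129.100.160.133:1645:1646 to 129.100.160.144:1645:1646
May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: Could not find a working host to forward user1@example.invalid (79) after 20 seconds. Ignoring
May 17 08:07:39 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.133:1645 for user1@example.invalid (64)
May 17 08:07:40 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: AuthRADIUS IVEY: No reply after 20 seconds and 3 retransmissions to 129.100.160.144:1645 for user3@example.invalid (65)
May 17 08:09:01 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC
May 17 08:10:00 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23274]: Access accepted for user2@example.invalid
"""

# syslog prefix: "Mon DD HH:MM:SS host program[pid]: message"
SYSLOG_RE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<srv>\S+) \S+\[\d+\]: (?P<msg>.*)$")
NO_REPLY_RE = re.compile(r"No reply after (?P<secs>\d+) seconds and (?P<retries>\d+) "
                         r"retransmissions to (?P<host>[\d.]+):\d+ for (?P<user>\S+) \(\d+\)")
STUCK_RE = re.compile(r"ProxyAlgorithm (?P<alg>\w+) declines to break up an EAP stream "
                      r"after failover from (?P<src>[\d.]+):\d+:\d+ to (?P<dst>[\d.]+):\d+:\d+")
NO_HOST_RE = re.compile(r"Could not find a working host to forward (?P<user>\S+) \(\d+\)")
EAP_MOD_RE = re.compile(r"Could not load EAP module Radius::EAP_(?P<etype>\d+)")


@dataclass
class ProxySummary:
    no_reply_by_host: Counter = field(default_factory=Counter)     # host -> timeouts
    stuck_streams: Counter = field(default_factory=Counter)        # (src, dst) -> count
    unforwardable_users: Counter = field(default_factory=Counter)  # user -> dropped requests
    bad_eap_types: Counter = field(default_factory=Counter)        # EAP type -> count
    duplicates_dropped: int = 0
    unmatched: int = 0

    def suspect_hosts(self, threshold: int = 1) -> list:
        """Hosts that stopped answering, plus any host an EAP stream was pinned to."""
        hosts = {h for h, n in self.no_reply_by_host.items() if n >= threshold}
        hosts |= {src for (src, _dst) in self.stuck_streams}
        return sorted(hosts)


def summarize(lines) -> ProxySummary:
    s = ProxySummary()
    prev = None
    for raw in lines:
        line = raw.rstrip("\n")
        if not line:
            continue
        if line == prev:                 # same message written by a second logger
            s.duplicates_dropped += 1
            continue
        prev = line
        m = SYSLOG_RE.match(line)
        msg = m.group("msg") if m else line   # tolerate lines without a syslog prefix
        if (r := NO_REPLY_RE.search(msg)):
            s.no_reply_by_host[r["host"]] += 1
        elif (r := STUCK_RE.search(msg)):
            s.stuck_streams[(r["src"], r["dst"])] += 1
        elif (r := NO_HOST_RE.search(msg)):
            s.unforwardable_users[r["user"]] += 1
        elif (r := EAP_MOD_RE.search(msg)):
            s.bad_eap_types[int(r["etype"])] += 1
        else:
            s.unmatched += 1
    return s


def report(s: ProxySummary) -> str:
    out = ["proxy hosts with no reply: "
           + ", ".join(f"{h} x{n}" for h, n in s.no_reply_by_host.most_common())]
    out += [f"EAP stream kept on {src} instead of failing over to {dst}: x{n}"
            for (src, dst), n in s.stuck_streams.items()]
    out.append(f"requests dropped (no working host): {sum(s.unforwardable_users.values())}")
    out += [f"EAP type {t} has no module (truncated or bogus EAP-Message?): x{n}"
            for t, n in s.bad_eap_types.items()]
    out.append(f"hosts to investigate: {', '.join(s.suspect_hosts()) or 'none'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(summarize(SAMPLE_LOG.splitlines())))
```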
Re: [RADIATOR] Loadbalancing requests from Proxy
Thanks for the suggestion.. this seems to alleviate the timeouts that I had noticed previously. (Log file was sent separately).

MH

On 2013-05-10, at 5:26 AM, Heikki Vatiainen wrote:

> On 05/09/2013 11:09 PM, Michael Hulko wrote:
>> We have been requested to try and loadbalance requests to a Campus department with their own Radius (IAS) server for their wireless users.
>
> Hello Michael, you mentioned campus and wireless LAN which makes me think there is EAP, such as PEAP or TTLS, involved. If so, you would need to use AuthBy EAPBALANCE to make sure the EAP authentication sessions are always handled by the same IAS server. Otherwise you will see failures and timeouts when the IAS servers receive requests they are not expecting.
>
> The Trace 4 log was not included, but I'd first check how it works with EAPBALANCE.
>
> Thanks,
> Heikki
[RADIATOR] Loadbalancing requests from Proxy
We have been requested to try and loadbalance requests to a Campus department with their own Radius (IAS) server for their wireless users. We currently proxy to them from our Radiator server(s) for their users, however, their current server cannot handle the load. They have added 2 new servers to their environment and we have configured a test server to test the AuthBy VOLUMEBALANCE and ROUNDROBIN features of Radiator.

We are experiencing what appears to be excessive delays in responses from their servers in this configuration. We have tested each server individually while configured as AuthBy Radius with multiple host clauses, and although the response times are immediate, there is no guarantee, that I can find from the documentation, that a failed/timed-out request will go to the next host listed in the AuthBy clause.

Attached is the trace 4 log of the AuthBy VOLUMEBALANCE attempt. Any assistance or recommendations are greatly appreciated.

here is the portion of the config used:

# Dept identifier
<Client 129.100.160.133>
    IdenticalClients 129.100.160.144
    IdenticalClients 129.100.160.97
    Secret
    DupInterval 0
    IgnoreAcctSignature
    Identifier ONCAMPUS
</Client>

# Proxies auth requests to the IVEY IAS radius servers using a loadbalance algorithm (BogoMips)
<AuthBy VOLUMEBALANCE>
    Log errorLogger
    Log western_syslog
    Identifier Dept
    Retries 3
    RetryTimeout 5
    FailureBackoffTime 20
    AuthPort 1645
    AcctPort 1646
    Secret xx
    LocalAddress 172.18.58.210
    # biz-core1
    <Host 129.100.160.144>
        BogoMips 2
    </Host>
    # biz-core2
    <Host 129.100.160.197>
        BogoMips 2
    </Host>
    # biz-support
    <Host 129.100.160.133>
        BogoMips 1
    </Host>
</AuthBy>

Thanks for any assistance.

Michael Hulko
Re: [RADIATOR] New Error messages
The changelog for version 4.8 says:

- Fixed an issue where truncated EAP-Message requests would cause a log message like Could not load EAP module Radius::EAP_ . This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha.

Has this crept back into version 4.10 ??

MH

On 2013-01-17, at 12:31 PM, Alexander Hartmaier wrote:

> On 2013-01-17 17:31, Michael Hulko wrote:
>> Lately I've been seeing these errors daily which were not there prior to the new year:
>>
>> Jan 8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3, GEN1 line 699827.
>> Jan 8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3, GEN1 line 352731.
>> Jan 8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3, GEN1 line 354206.
>> Jan 8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3, GEN1 line 356467.
>> Jan 8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3, GEN1 line 358402.
>> Jan 9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3, GEN1 line 371473.
>>
>> [11:17:45 slogr] grep Could not load EAP module Radius::EAP console
>>
>> Jan 9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3, GEN1 line 532256.
>>
>> can someone shed some light... we are running Radiator version 10
>
> First, there is no version 10, the latest version is 4.11.
>
> The changelog for version 4.8 says:
>
> - Fixed an issue where truncated EAP-Message requests would cause a log message like Could not load EAP module Radius::EAP_ . This is now logged as invalid EAP type in EAP request and rejected. Reported by Daniel Rocha.
>
> So I guess you're running an older version than 4.8. Update and look if the errors are still present.
>
>> Thanks
>> Michael Hulko
>
> Best regards,
> Alexander Hartmaier
> T-Systems Austria GesmbH
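The failure mode behind these messages and the "Radius::EAP_0" ones in the "Log messages" thread above (a RADIUS request whose EAP-Message data is truncated, or whose first fragment was stripped, so the byte in the EAP type position is arbitrary payload and gets turned into a module name), as an added example that is not Radiator's code and does not reproduce its internals: it reassembles the EAP-Message attributes of a constructed RADIUS payload and validates the EAP header and method type before anything is dispatched by type, which is the kind of check the 4.8 changelog entry describes. `KNOWN_TYPES` and all sample packets are constructed for the demonstration.

```python
"""Validate the EAP payload carried in a RADIUS request before dispatching on its type."""
import struct

EAP_MESSAGE = 79                     # RADIUS attribute type for EAP-Message (RFC 2869)
EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# Method types this (constructed) deployment expects, from the IANA EAP registry.
# Anything else is rejected up front instead of being resolved to a module name.
KNOWN_TYPES = {1: "Identity", 2: "Notification", 3: "Nak", 4: "MD5-Challenge",
               13: "TLS", 21: "TTLS", 25: "PEAP", 26: "MSCHAP-V2"}


def radius_attrs(payload: bytes):
    """Yield (type, value) pairs from RADIUS attribute TLVs; raise on malformed framing."""
    i = 0
    while i < len(payload):
        if i + 2 > len(payload):
            raise ValueError("truncated attribute header")
        atype, alen = payload[i], payload[i + 1]
        if alen < 2 or i + alen > len(payload):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        yield atype, payload[i + 2:i + alen]
        i += alen


def reassemble_eap(payload: bytes) -> bytes:
    """EAP-Message fragments are concatenated in order before parsing (RFC 3579)."""
    return b"".join(v for t, v in radius_attrs(payload) if t == EAP_MESSAGE)


def classify_eap(eap: bytes) -> dict:
    """Check the EAP header and type; report the module name a type-based dispatch would use."""
    if len(eap) < 4:
        return {"verdict": "reject", "reason": f"EAP header needs 4 bytes, got {len(eap)}"}
    code, ident, length = struct.unpack("!BBH", eap[:4])
    if code not in EAP_CODES:
        return {"verdict": "reject", "reason": f"unknown EAP code {code}"}
    if length != len(eap):
        return {"verdict": "reject",
                "reason": f"length field {length} != {len(eap)} bytes reassembled"}
    if code in (3, 4):                                  # Success/Failure carry no type
        return {"verdict": "ok", "code": EAP_CODES[code], "id": ident}
    if len(eap) < 5:
        return {"verdict": "reject", "reason": "Request/Response without a type byte"}
    etype = eap[4]
    if etype == 0:
        return {"verdict": "reject", "reason": "EAP type 0 is not a valid method type"}
    result = {"code": EAP_CODES[code], "id": ident, "type": etype,
              "module": f"Radius::EAP_{etype}"}
    result["verdict"] = "ok" if etype in KNOWN_TYPES else "reject"
    result["reason"] = KNOWN_TYPES.get(etype, "no EAP module for this type; not dispatching")
    return result


def inspect_request(payload: bytes) -> dict:
    try:
        return classify_eap(reassemble_eap(payload))
    except ValueError as e:                             # framing errors are rejects too
        return {"verdict": "reject", "reason": str(e)}


def attr(atype: int, value: bytes) -> bytes:
    """Encode one RADIUS attribute TLV."""
    return bytes([atype, len(value) + 2]) + value


# --- constructed samples ---------------------------------------------------
# 1. Well-formed EAP-Response/Identity for "bob": code 2, id 1, length 8, type 1.
GOOD = attr(1, b"bob") + attr(EAP_MESSAGE, struct.pack("!BBH", 2, 1, 8) + b"\x01bob")

# 2. A 212-byte EAP-Response/PEAP split into two EAP-Message attributes, with
#    the first attribute dropped in transit. The 12 leftover bytes of "TLS" data
#    are chosen so they parse as a plausible header whose type byte is 66.
_tls = b"\x00" * 195 + bytes([2, 9, 0, 12, 66]) + b"\x00" * 7
_peap = struct.pack("!BBH", 2, 7, 5 + len(_tls)) + b"\x19" + _tls
STRIPPED = attr(1, b"bob") + attr(EAP_MESSAGE, _peap[200:])   # _peap[:200] was lost

# 3. Explicit type 0 in a Response, matching the "Radius::EAP_0" log lines.
TYPE0 = attr(EAP_MESSAGE, struct.pack("!BBH", 2, 3, 5) + b"\x00")

# 4. EAP-Message attribute whose length field claims more bytes than are present.
TRUNC = bytes([EAP_MESSAGE, 10, 2, 1, 0, 8])


if __name__ == "__main__":
    for name, pkt in [("GOOD", GOOD), ("STRIPPED", STRIPPED), ("TYPE0", TYPE0), ("TRUNC", TRUNC)]:
        print(name, inspect_request(pkt))
```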
[RADIATOR] New Error messages
Lately I've been seeing these errors daily which were not there prior to the new year:

Jan 8 20:18:36 riptide-2.vm.its.uwo.pri /usr/bin/radiusd[23692]: Could not load EAP module Radius::EAP_66: Can't locate Radius/EAP_66.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 3683243) line 3, GEN1 line 699827.
Jan 8 21:35:18 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_155: Can't locate Radius/EAP_155.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1968782) line 3, GEN1 line 352731.
Jan 8 21:47:05 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_180: Can't locate Radius/EAP_180.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1977214) line 3, GEN1 line 354206.
Jan 8 22:04:02 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_29: Can't locate Radius/EAP_29.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 1989895) line 3, GEN1 line 356467.
Jan 8 22:19:46 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_232: Can't locate Radius/EAP_232.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2000990) line 3, GEN1 line 358402.
Jan 9 00:02:52 riptide-5.vm.its.uwo.pri /usr/bin/radiusd[622]: Could not load EAP module Radius::EAP_239: Can't locate Radius/EAP_239.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2074832) line 3, GEN1 line 371473.

[11:17:45 slogr] grep Could not load EAP module Radius::EAP console

Jan 9 10:26:05 riptide-3.vm.its.uwo.pri /usr/bin/radiusd[27250]: Could not load EAP module Radius::EAP_57: Can't locate Radius/EAP_57.pm in @INC (@INC contains: . /usr/local/lib64/perl5 /usr/local/share/perl5 /usr/lib64/perl5/vendor_perl /usr/share/perl5/vendor_perl /usr/lib64/perl5 /usr/share/perl5 .) at (eval 2742617) line 3, GEN1 line 532256.

can someone shed some light... we are running Radiator version 10

Thanks

Michael Hulko
Re: [RADIATOR] Monitor commands
Thanks everyone for the input.

MH :)

On 2012-12-05, at 10:57 PM, Hugh Irvine wrote:

Hi Michael -

Sure - telnet or whatever to the Monitor port.

regards

Hugh

On 6 Dec 2012, at 12:00, Michael Hulko mihu...@uwo.ca wrote:

That's where I was headed with the original question. Whether the commands can be run locally against the server itself. Make the call to itself essentially..

Thoughts

MH

On 2012-12-05, at 5:31 PM, Hugh Irvine wrote:

Hi Michael -

In that case I would probably just write a little Perl script to run whatever command(s) you wish against the Monitor port. You don't need to use Radar - you can use anything to connect to the Monitor port.

regards

Hugh

On 6 Dec 2012, at 09:24, Michael Hulko mihu...@uwo.ca wrote:

Hugh..

Thought of that, but the StatsLog records ALL statistics, not just from the server but all the Realms, Clients, AuthBy's etc. Not that it is large in our case... after testing this, we are left with approx. 10 entries plus the header per interval cycle. However, since the log is appended, we would need to write something a little more sophisticated to grep the values we want and to ensure the timing between the StatsLog interval and the SNMP call for the data is synchronized so as not to cause problems, which is why we were looking into the Monitor language to execute on demand and respond only with the server-level information. Unless I missed something in the docs related to the StatsLog that weeds out the additional details. We are contemplating just programmatically removing the Statistics file after each call just to keep it pruned.

What would be best is to be able to have RADAR write these values as they are monitored into an RRD-type flat file/database for reading by other systems from a historical perspective.

Thanks anyway, I thought I would just ask. Is there anything that would prevent us from adjusting the RADAR code to facilitate our needs by our developers?

regards;

MH :)

On 2012-12-05, at 5:05 PM, Hugh Irvine wrote:

Hello Michael -

Why don't you just use the StatsLog clause? See sections 5.94 and 5.95 in the manual (doc/ref.pdf).

regards

Hugh

On 6 Dec 2012, at 03:29, Michael Hulko mihu...@uwo.ca wrote:

It describes the command language from an external source point of view (if I read correctly).. not from the Radiator server itself.

What the challenge is: we want to monitor the Radius servers from another source such as Nagios, WhatsUp Gold etc. We were looking at Radar and, as impressive as it is, it does not store the data historically, which is what our requirements are. The SNMP side of the monitoring does not give us the complete picture, as there is no OID for the Response Time value that Radar - Monitor - StatsLog provides, unless I am missing something. So, what we have done in the past is created a local custom SNMP variable through various means for us to monitor and collect stats from other systems. We could parse through the StatsLog; however, this requires a fair bit of logic and programming, not to mention timing. Having tested the Monitor command language running the command STATS ., we find we can parse the values simply. In order for us to define a custom SNMP OID variable we need to be able to run this locally on the server itself.

If there is a way that Radar could provide historical and/or write the values into a log file for extraction, it would be easier.

Any other suggestions would be appreciated.

Thanks for your time and input

MH

On 2012-12-04, at 4:19 PM, Heikki Vatiainen wrote:

On 12/04/2012 09:43 PM, Michael Hulko wrote:

Just wondering if there is a way to execute the Monitor command language local to the Radiator server?

Does section 25 Monitor command language in doc/ref.pdf describe what you are looking for?

--
Heikki Vatiainen h...@open.com.au
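Following Hugh's suggestion of a small script against the Monitor port, here is an added example (not Radar's code and not part of Radiator) of what a collector or an SNMP extend script on the same host could run: connect to the Monitor port on localhost, send STATS ., keep the numeric name:value pairs from the reply, and append them with a timestamp to a history file that other systems can read later. It assumes the port number (9048), that a LOGIN line is required before other commands, and that the reply is made of name:value pairs; none of those details come from this thread, so check section 25 of doc/ref.pdf for your version and adjust the marked places. The reply used for the self-check is constructed.

```perl
#!/usr/bin/perl
# Added example (not Radar, not part of Radiator): poll the Monitor port
# from the same host, run one "STATS ." and append the numeric values to a
# history file that an SNMP extend script or a graphing tool can read.
#
# Assumptions, none of them from the thread: port 9048 as the Monitor
# port, a "LOGIN user password" line before other commands, and a reply
# made of name:value pairs. Check section 25 of doc/ref.pdf for your
# version and adjust the places marked ASSUMED.
use strict;
use warnings;
use IO::Socket::INET;
use IO::Select;

my $host    = '127.0.0.1';                    # the Monitor port is a management interface: talk to it on localhost only
my $port    = 9048;                            # ASSUMED default Monitor port
my $user    = $ENV{RADIATOR_MON_USER} // '';   # credentials come from the environment,
my $pass    = $ENV{RADIATOR_MON_PASS} // '';   # never from the script or the command line
my $history = '/var/log/radiator/stats-history.tsv';  # placeholder path

# Keep only name:value pairs whose value is numeric: those are what a
# custom SNMP OID or an RRD can carry. Works whether the reply puts the
# pairs one per line or space-separated on one line (ASSUMED format).
sub parse_stats {
    my ($text) = @_;
    my %stats;
    while ($text =~ /(?<!\S)([A-Za-z_][\w.]*):(-?\d+(?:\.\d+)?)(?!\S)/g) {
        $stats{$1} = $2;
    }
    return \%stats;
}

# Read until the server has been quiet for $idle seconds, so the script
# cannot hang on a reply whose terminator it does not know.
sub read_reply {
    my ($sock, $idle) = @_;
    my $sel = IO::Select->new($sock);
    my $buf = '';
    while (my @ready = $sel->can_read($idle)) {
        my $n = sysread($sock, my $chunk, 4096);
        last unless $n;                       # EOF or error
        $buf .= $chunk;
    }
    return $buf;
}

sub collect {
    my $sock = IO::Socket::INET->new(
        PeerAddr => $host, PeerPort => $port, Proto => 'tcp', Timeout => 5,
    ) or die "cannot connect to $host:$port: $!\n";
    if (length $user) {
        print $sock "LOGIN $user $pass\n";    # ASSUMED command syntax
        read_reply($sock, 1);
    }
    print $sock "STATS .\n";                   # the command tested in the thread
    my $reply = read_reply($sock, 1);
    close $sock;
    return parse_stats($reply);
}

# One row per value, with a UNIX timestamp, so later samples append cleanly.
sub append_history {
    my ($stats, $file) = @_;
    open my $fh, '>>', $file or die "cannot append to $file: $!\n";
    my $now = time;
    print {$fh} join("\t", $now, $_, $stats->{$_}), "\n" for sort keys %$stats;
    close $fh;
}

# Self-check on a constructed reply (names invented for the example) so
# the parser can be verified before the script touches a live server.
my $sample = "STATS .\nrequests:1234\naccessAccepts:1100\nresponseTime:0.023\nserverName:riptide\n";
my $parsed = parse_stats($sample);
die "parser self-check failed\n"
    unless $parsed->{requests} == 1234
        && $parsed->{responseTime} == 0.023
        && !exists $parsed->{serverName};

append_history(collect(), $history) if @ARGV && $ARGV[0] eq '--live';
```

Run it without arguments to exercise the parser only; add --live to poll the server and append to the history file. Keeping the connection on 127.0.0.1 and the credentials out of the script matters because the Monitor port accepts administrative commands: it should not be reachable from the network the SNMP poller sits on, only from this local collector.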
Re: [RADIATOR] Monitor commands
It describes the command language from an external source point of view (if I read correctly).. not from the Radiator server itself.

What the challenge is: we want to monitor the Radius servers from another source such as Nagios, WhatsUp Gold etc. We were looking at Radar and, as impressive as it is, it does not store the data historically, which is what our requirements are. The SNMP side of the monitoring does not give us the complete picture, as there is no OID for the Response Time value that Radar - Monitor - StatsLog provides, unless I am missing something. So, what we have done in the past is created a local custom SNMP variable through various means for us to monitor and collect stats from other systems. We could parse through the StatsLog; however, this requires a fair bit of logic and programming, not to mention timing. Having tested the Monitor command language running the command STATS ., we find we can parse the values simply. In order for us to define a custom SNMP OID variable we need to be able to run this locally on the server itself.

If there is a way that Radar could provide historical and/or write the values into a log file for extraction, it would be easier.

Any other suggestions would be appreciated.

Thanks for your time and input

MH
Re: [RADIATOR] Monitor commands
Hugh..

Thought of that, but the StatsLog records ALL statistics, not just from the server but all the Realms, Clients, AuthBy's etc. Not that it is large in our case... after testing this, we are left with approx. 10 entries plus the header per interval cycle. However, since the log is appended, we would need to write something a little more sophisticated to grep the values we want and to ensure the timing between the StatsLog interval and the SNMP call for the data is synchronized so as not to cause problems, which is why we were looking into the Monitor language to execute on demand and respond only with the server-level information. Unless I missed something in the docs related to the StatsLog that weeds out the additional details. We are contemplating just programmatically removing the Statistics file after each call just to keep it pruned.

What would be best is to be able to have RADAR write these values as they are monitored into an RRD-type flat file/database for reading by other systems from a historical perspective.

Thanks anyway, I thought I would just ask. Is there anything that would prevent us from adjusting the RADAR code to facilitate our needs by our developers?

regards;

MH :)
Re: [RADIATOR] Monitor commands
That's where I was headed with the original question. Whether the commands can be run locally against the server itself. Make the call to itself essentially..

Thoughts

MH
[RADIATOR] Monitor commands
Just wondering if there is a way to execute the Monitor command language local to the Radiator server?

Michael Hulko
[RADIATOR] Password Variable not passed
I am not able to determine why, when using the %P variable, it does not pass the user password into the LDAP authentication. We are attempting to terminate the PEAP/EAP on our wireless controllers (Aruba) and pass the username and password to Radiator for authentication, as this only requires a single common certificate to be presented to the clients, unless Radiator does not have an issue reusing certs on different servers? When I set the password in the config file statically, I receive an access-accept reply; however, when I attempt to use the %P parameter, the password is never included in the authentication.

Suggestions would be appreciated. I have stripped the config down for testing purposes.

(logfile attached)

#Tubuluar.vm.its.uwo.ca
#
# eap_multi.cfg
#
# This config supports EAP-TTLS and EAP-PEAP proxied from an external Radius server
#
Foreground 1
#LogStdout 1
LogDir c:/program files/radiator
DbDir c:/program files/radiator
AuthPort 1645,1812
AcctPort 1646,1813

# Use a lower trace level in production systems:
#Trace 3
Trace 7

# IMPORTANT = convert user name to lower case to ensure match on uwo.ca realm in handler match criteria
UsernameCharset a-zA-Z0-9\._@-
RewriteUsername tr/A-Z/a-z/

# UwoLDAP is used to authenticate the inner TTLS credentials and outer PEAP credentials against LDAP
# Note requires TTLS and PEAP support
# Both userid and password are checked for inner TTLS requests
# Only the userid is checked for outer PEAP requests
<AuthBy LDAP2>
	Log errorLogger
	Identifier UwoLDAP-LB
	EAPType MSCHAP-V2
	NoDefault
	# Tell Radiator how to talk to the LDAP server
	Host auth.uwo.ca
	AuthDN uid=%U,ou=people,o=uwo.ca,dc=its
	AuthPassword %P
	# Add role from LDAP to the request via the AuthAttrDef
	AuthAttrDef description,Role,request
	AuthAttrDef loginShell,Shell,request
	AuthAttrDef uwoid,Uid,request
	BaseDN o=uwo.ca,dc=its
	UsernameAttr uid
	PasswordAttr
	AddToReply Reply-Message=STF
	Timeout 10
</AuthBy>

# Handlers are processed sequentially - and first match applies
<Handler Request-Type = Accounting-Request>
	Log errorLogger
	AuthBy AccountingResponse
	PostAuthHook file:%D/accounting.hook
</Handler>

#
# Test Handler
# Handles both authentication checks and logging as mac is available.
#
<Handler>
	AuthBy UwoLDAP
</Handler>

Thanks

MH
Re: [RADIATOR] Upgrade Challenges to 4.9
Yes... ppm install did give me version 0.44; however, upon further investigation, we have a hook that calls "use Net::LDAP qw(:all)". The qw(:all) is what is causing the issue with this version of Net::LDAP. There are several threads regarding this particular issue. One workaround is to import only the constants that are required. Will have to engage a programmer to help with that.

Thanks for the heads-up on the PeapVersion. Again, I only inherited the responsibility of the Radius service a while ago and I have no idea of the thought process the previous individual may have had with the configuration. The whole configuration looks a little convoluted to me, but that may have been due to limitations present in previous versions of Radiator.

MH

On 2012-05-09, at 3:03 PM, Heikki Vatiainen wrote:

On 05/09/2012 09:11 PM, Michael Hulko wrote:

It would appear that I have missed the Net-LDAP module that one of our hooks calls. Not sure why this is not part of the standard packages... Is there a specific package I should use?

I think ppm install perl-ldap should give you version 0.44 which is the current version too.

I took a quick look at the configuration too. I suggest the following:

# DupInterval 0
EAPTLS_PEAPVersion 0

Unless there's a good reason, you should not accept duplicates. Also, PEAP version 0 works better with e.g. Macs and iOS devices. It's also the default in version 4.9.

Heikki

MH

On 2012-05-09, at 1:36 PM, Michael Hulko wrote:

I am attempting to upgrade our radius from 4.5.1 to the latest version 4.9. In addition to upgrading Radiator itself, I am also upgrading the version of ActivePerl from 5.6.x to 5.12.x. Stepping through the installation instructions and pointing the repository to open.au.com for the Win32-LSA.pm module, it would appear that everything was in order. However, two problems arose...

First, when attempting to run the radiusd daemon from the command line prior to running the test script, I receive an error:

'all' is not defined in %NET::LDAP::Constant::EXPORT_TAGS at (eval 62) line 191.

When I run the test.pl script, everything checks out. Not quite sure about what I am missing?

Second... after I create a service and copy the original files and certs into the directory, I get the following message when I start the service in the logfile:

ERR: Compilation error in PostAuthHook: Can't continue after import errors at (eval 68) line 191
BEGIN failed--compilation aborted at (eval 68) line 191

I have tested authentication to the server, and it appears to work; however, I am concerned that something will break later. This is a Windows Server 2003 box. Any suggestions/comments would be greatly appreciated. Attached is the original radius config I inherited. (please do not critique the config)

radius.cfg (attached; all passwords/secrets have been removed)

Thanks

MH

--
Heikki Vatiainen h...@open.com.au
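The workaround Michael describes, importing only the constants a hook needs rather than qw(:all), looks like the following. This is an added example and not the hook from the thread (that hook is not on the list): a standalone bind check that a hook or a monitoring probe could reuse, with the constants taken from Net::LDAP::Constant by name. The hostname and DN in the usage line are placeholders, not values from the thread.

```perl
#!/usr/bin/perl
# Added example, not the hook discussed in the thread. It shows the
# workaround mentioned above: import only the Net::LDAP constants the
# code uses, by name from Net::LDAP::Constant, instead of
# "use Net::LDAP qw(:all)", which the newer module rejects.
#
# Usage (hostname and DN are placeholders, not values from the thread):
#   LDAP_BIND_PASSWORD=... perl ldap-bind-check.pl ldap.example.com \
#       'uid=someone,ou=people,dc=example,dc=com'
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS LDAP_INVALID_CREDENTIALS);

# Bind as $dn and classify the outcome so a caller can tell "wrong
# password" from "directory problem"; the two deserve different alerts.
sub ldap_bind_result {
    my ($host, $dn, $password) = @_;
    my $ldap = Net::LDAP->new($host, timeout => 10)
        or return "connect-failed: $@";
    my $mesg = $ldap->bind($dn, password => $password);
    my $code = $mesg->code;
    my $text = $mesg->error;
    $ldap->unbind;
    return 'ok'              if $code == LDAP_SUCCESS;
    return 'bad-credentials' if $code == LDAP_INVALID_CREDENTIALS;
    return "error: $code $text";   # anything else is an operational problem
}

my ($host, $dn) = @ARGV;
die "usage: $0 host bind-dn (password in LDAP_BIND_PASSWORD)\n"
    unless defined $dn;
# The password comes from the environment so it never appears in the
# process list or the shell history.
my $password = $ENV{LDAP_BIND_PASSWORD}
    // die "set LDAP_BIND_PASSWORD in the environment, not on the command line\n";
print ldap_bind_result($host, $dn, $password), "\n";
```

The two use lines at the top are the part that goes into the hook file: a plain use Net::LDAP; provides the client class, and each constant the hook compares against is named explicitly in the Net::LDAP::Constant import, which also documents what the hook depends on.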
[RADIATOR] Upgrade Challenges to 4.9
I am attempting to upgrade our radius from 4.5.1 to the latest version 4.9. In addition to upgrading Radiator itself, I am also upgrading the version of ActivePerl from 5.6.x to 5.12.x. Stepping through the installation instructions and pointing the repository to open.au.com for the Win32-LSA.pm module, it would appear that everything was in order. However, two problems arose...

First, when attempting to run the radiusd daemon from the command line prior to running the test script, I receive an error:

'all' is not defined in %NET::LDAP::Constant::EXPORT_TAGS at (eval 62) line 191.

When I run the test.pl script, everything checks out. Not quite sure about what I am missing?

Second... after I create a service and copy the original files and certs into the directory, I get the following message when I start the service in the logfile:

ERR: Compilation error in PostAuthHook: Can't continue after import errors at (eval 68) line 191
BEGIN failed--compilation aborted at (eval 68) line 191

I have tested authentication to the server, and it appears to work; however, I am concerned that something will break later. This is a Windows Server 2003 box. Any suggestions/comments would be greatly appreciated. Attached is the original radius config I inherited. (please do not critique the config)

radius.cfg (attached; all passwords/secrets have been removed)

Thanks

MH
Re: [RADIATOR] Upgrade Challenges to 4.9
It would appear that I have missed the Net-LDAP module that one of our hooks calls. Not sure why this is not part of the standard packages... Is there a specific package I should use?

MH
[RADIATOR] Simple question regarding PEAP termination
I may already know this answer, but would like to get confirmation. Can we terminate PEAP sessions on Radiator running on a *nix server? My understanding is that this can only be done from a Windows server.

Thanks in advance

Michael Hulko
Re: [RADIATOR] Unknown SSL errors
Thanks for the response and clarity. The upgraded cert itself did not increase in size, but the key increased. We are using EAPTLS_MaxFragmentSize 1000 in our configurations. The indications that corruption is taking place somewhere along the path will need to be further investigated.

Although it appears that these errors are more indicative of client communication errors and not necessarily server or certificate issues, would it be best to move to the latest version of Radiator?

I am sure this is already documented somewhere, but I will ask in an effort to expedite an assumption: is Radiator multi-threaded, or can it support multi-threading?

Respectfully

Michael Hulko

-----Original Message-----
From: Heikki Vatiainen [mailto:h...@open.com.au]
Sent: Friday, September 02, 2011 5:12 AM
To: Michael Hulko
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] Unknown SSL errors

On 09/02/2011 12:09 AM, Michael Hulko wrote:

We are currently running 2 Radiator servers ver4.5.1. We have recently upgraded our certs to Thawte 2048 bit. I have noticed an increase in the number of these messages:

EAP TLS error: -1, 1, 8576, 9408: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

Likely a corrupted packet. This comes from the SSL libraries Radiator uses. The library is telling it did not like the SSL version when it did not find TLS1.0 or later but some corrupted values instead.

ERR: EAP PEAP TLS Handshake unsuccessful: 9408: 1 - error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version

Alert comes from the client. The client probably received a corrupted packet.

ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record

Likely caused by a corrupted packet too. The corruption was detected by the TLS layer.

I am unsure of what these are indicative of. Are these client machine errors or server process errors?

These look like corrupted messages. Maybe caused by a weak wireless reception where the client is just barely able to transmit and receive. Since you mentioned you had upgraded to a new cert, did the certificate size grow? This would mean there's more to transfer correctly during the authentication.

You could also try this:

EAPTLS_MaxFragmentSize 1000

This may help with devices that are unable to handle large messages. See the reference manual for more.

Thanks!
Heikki

--
Heikki Vatiainen h...@open.com.au
[RADIATOR] Unknown SSL errors
We are currently running 2 Radiator servers ver4.5.1. We have recently upgraded our certs to Thawte 2048 bit. I have noticed an increase in the number of these messages:

EAP TLS error: -1, 1, 8576, 9408: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
ERR: EAP PEAP TLS Handshake unsuccessful: 9408: 1 - error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record

I am unsure of what these are indicative of. Are these client machine errors or server process errors?

Thanks for any input.

Michael Hulko
Re: [RADIATOR] Radiator Logging to an External Syslog Server
Our Windows server admin team uses a product called "Epilog for Windows" by Intersect Alliance. Interesting product. http://www.intersectalliance.com/

Cheers
MH

From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On Behalf Of Carter, Ronald
Sent: Tuesday, April 12, 2011 12:26 PM
To: radiator@open.com.au
Subject: [RADIATOR] Radiator Logging to an External Syslog Server

My company is running Radiator on a Windows Platform. I would like to export the Radiator logs to an external Syslog server. According to the manual this can be done with the Log Syslog command, but this only works on a Unix platform. Has anyone, or does anyone know of, a way that I can export the logs when using a Windows platform? What I am really interested in logging and exporting are the results of authentication attempts, e.g. request, failure, success, etc.

Any help that you can provide will be greatly appreciated. Thanks.

Ron Carter, CISSP, CISM
Sr. Information Assurance Specialist
PPL Services Corporation
2 North 9th Street MS: GENGA2
Allentown, PA 18101
Phone: (610) 774-2502
[RADIATOR] Unknown SSL errors
I have noticed an increase in the following log messages. Are these user based issues or is this a server based issue? We are currently running version 4.5 and recently upgraded the certificates on the server to 2048 bits from Thawte. Attached is the config with secrets removed. Please advise if I should be concerned or if this is normal.

ERR: EAP PEAP TLS Handshake unsuccessful: 5928: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
ERR: EAP PEAP TLS read failed: 5928: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
ERR: EAP PEAP TLS read failed: 5928: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong

Much appreciated.

Michael Hulko
Network Analyst
University of Western Ontario
Network Operations Centre
Information Technology Services
1393 Western Road, SSB 3300CC
London, Ontario N6G 1G9
tel: 519-661-2111 x81390
e-mail: mihu...@uwo.ca
Re: [RADIATOR] Unknown SSL errors
Yes... most clients are working. We are struggling a little bit with the clients having duplicate Thawte root options (mostly Vista users), but overall it appears to be small in number.

Thanks
MH

-----Original Message-----
From: Sami Keski-Kasari [mailto:sam...@archred.com]
Sent: Tuesday, November 02, 2010 11:00 AM
To: Michael Hulko; radiator@open.com.au
Subject: Re: [RADIATOR] Unknown SSL errors

Hi Michael,

Is PEAP working at all? If it is working for some clients, I think that some user agents are configured to use the wrong ca certificate.

--
Sami

Michael Hulko mihu...@uwo.ca wrote:

> I have noticed an increase in the following log messages. Are these user based issues or is this a server based issue? We are currently running version 4.5 and recently upgraded the certificates on the server to 2048 bits from Thawte. Attached is the config with secrets removed. Please advise if I should be concerned or if this is normal.
>
> ERR: EAP PEAP TLS Handshake unsuccessful: 5928: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
> ERR: EAP PEAP TLS read failed: 5928: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
> ERR: EAP PEAP TLS read failed: 5928: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
>
> Much appreciated.
>
> Michael Hulko
> Network Analyst
> University of Western Ontario
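Both "Unknown SSL errors" threads above turn on the same distinction: an OpenSSL reason string beginning "tlsv1 alert" is an alert the client sent back (protocol version, unknown ca), while "wrong version number", "decryption failed or bad record mac" and "block cipher pad is wrong" are failures Radiator's TLS layer detected locally, which Heikki reads as corrupted packets. The script below is an added example, not code from the thread or from Radiator: it parses the error:XXXXXXXX:lib:func:reason strings out of Radiator ERR lines and tallies them by origin, so an admin can see at a glance whether the bulk of failures are client trust problems or transport corruption. The sample log lines are constructed to match the format quoted in the thread.

```python
import re
from collections import Counter

# Constructed sample lines in the Radiator log format quoted in the thread.
SAMPLE_LOG = """\
Fri Sep  2 00:09:11 2011: ERR: EAP TLS error: -1, 1, 8576, 9408: 1 - error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
Fri Sep  2 00:09:12 2011: ERR: EAP PEAP TLS Handshake unsuccessful: 9408: 1 - error:1409442E:SSL routines:SSL3_READ_BYTES:tlsv1 alert protocol version
Fri Sep  2 00:09:15 2011: ERR: EAP PEAP TLS read failed: 3888: 1 - error:1408F455:SSL routines:SSL3_GET_RECORD:decryption failed or bad record mac
Fri Sep  2 00:09:20 2011: ERR: EAP PEAP TLS Handshake unsuccessful: 5928: 1 - error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert unknown ca
Fri Sep  2 00:09:22 2011: ERR: EAP PEAP TLS read failed: 5928: 1 - error:140D2081:SSL routines:TLS1_ENC:block cipher pad is wrong
Fri Sep  2 00:09:25 2011: INFO: Access accepted for user alice
"""

# OpenSSL error string layout: error:<8 hex digits>:<library>:<function>:<reason>
OSSL_RE = re.compile(r"error:([0-9A-F]{8}):([^:]+):([^:]+):(.*)$")

# Record-layer reasons the thread attributes to corrupted or mis-fragmented packets.
LOCAL_CORRUPTION = {
    "wrong version number",
    "decryption failed or bad record mac",
    "block cipher pad is wrong",
}

def classify(reason):
    """Map an OpenSSL reason string to where the failure most likely originated."""
    if reason.startswith("tlsv1 alert"):
        # Alerts are sent by the peer; here the peer is the supplicant.
        if "unknown ca" in reason:
            return "client rejected server cert (CA trust on client)"
        return "client-sent alert (client received a bad message)"
    if reason in LOCAL_CORRUPTION:
        return "local record-layer failure (likely corrupted packet)"
    return "other"

def summarize(log_text):
    """Count ERR lines carrying an OpenSSL error, keyed by (reason, origin)."""
    counts = Counter()
    for line in log_text.splitlines():
        if ": ERR: " not in line:
            continue
        m = OSSL_RE.search(line)
        if m:
            reason = m.group(4).strip()
            counts[(reason, classify(reason))] += 1
    return counts

if __name__ == "__main__":
    for (reason, origin), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {reason:40s}  {origin}")
```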