Re: [RADIATOR] AuthByLSA group issue if DC controller is unavailable.
Rereading the code, I see what you're talking about. Although, after looking at the Win32::NetAdmin module, I don't see any direct support for DC failover, or even detecting when a DC is unavailable -- while I do see where you could use Win32::NetAdmin::GetServers to list the PDC and BDC -- I don't see how you would have it inform the code to retry against the second server. Sadly the MSDN pages for the GetDomainController method do not seem to shed any light on this either. The only thing I've found about reliably testing the availability of a DC is to make a DNS SRV and LDAP query outside of the Win32 hierarchy.

What comes to mind is you could try commenting out the second if block and the references to $self->{controllers}{$domain} to force it to call GetAnyDomainController each time. Two real issues with that approach... The first is that since I can't find the documentation for the underlying C library, I don't know if that search would include inactive DCs or not, and I don't have an AD environment to test it on directly. The second issue is that it obviously pushes the processing time per request up; although hopefully not by much.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/3/2015 11:34 AM, Johnson, Neil M wrote:
> No, I do not have it set. We have multiple DCs for redundancy and scaling and
> I didn't want to be tied to one particular DC.
>
> However the last two nights when our Server Team performed some DC hardware
> migrations, users could not authenticate to the Wireless Service while a
> particular DC was unavailable.
>
> The error in the log was "User Not Found".
>
> -Neil
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
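For the retry Neil asks about, here is an added example of the cache-and-invalidate pattern, written to run without Windows. It is not code from Radiator's AuthByLSA.pm or from anyone in the thread. The resolver and membership query are passed in as code references; how they would map onto Win32::NetAdmin::GetAnyDomainController and GroupIsMember (a false return counted as a transport failure only when Win32::GetLastError() is non-zero) is an assumption to confirm against a test DC, and the controller names and users below are constructed.

```perl
#!/usr/bin/perl
# Added example, not Radiator's AuthByLSA.pm: cache one controller per domain,
# but drop the cached entry and re-resolve once when the query fails with a
# transport error, so a DC that disappears mid-migration is not used for every
# request until the next restart.
use strict;
use warnings;

# $resolve->($domain) returns a controller name or undef.
# $query->($controller, $group, $user) returns ($is_member, undef) for a
# definite answer and (undef, $error) when the controller could not be reached.
# Assumed mapping: GetAnyDomainController() for $resolve, GroupIsMember() /
# LocalGroupIsMember() for $query with Win32::GetLastError() deciding whether
# a false return is "not a member" or "DC unreachable".
sub user_is_in_group {
    my ($cache, $domain, $group, $user, $resolve, $query) = @_;
    my $last_error;

    for my $attempt (1, 2) {
        my $controller = $cache->{$domain};
        if (!defined $controller) {
            $controller = $resolve->($domain);
            return (undef, "no controller found for domain $domain")
                unless defined $controller;
            $cache->{$domain} = $controller;
        }

        my ($member, $error) = $query->($controller, $group, $user);
        # A definite yes/no is final: a plain "no" must not trigger a retry,
        # or every non-member lookup would cost two round trips.
        return ($member ? 1 : 0, undef) unless defined $error;

        # Transport failure: forget this controller so the second pass
        # resolves a fresh one instead of hitting the dead DC again.
        delete $cache->{$domain};
        $last_error = "$controller: $error";
    }
    # Both attempts failed: report an error, not "not a member", so the
    # caller can reject with a message that is distinguishable from
    # "User Not Found".
    return (undef, $last_error);
}

# Constructed simulation of the outage: DC1 is unreachable, DC2 is fine,
# and the resolver happens to hand out DC1 first.
my @controllers = ('\\\\DC1', '\\\\DC2');
my %unreachable = ('\\\\DC1' => 1);
my $resolve = sub { shift @controllers };
my $query   = sub {
    my ($dc, $group, $user) = @_;
    return (undef, 'RPC server is unavailable') if $unreachable{$dc};
    return (($user eq 'alice' && $group eq 'WirelessUsers') ? 1 : 0, undef);
};

my %cache;
for my $user (qw(alice bob)) {
    my ($member, $error) = user_is_in_group(\%cache, 'EXAMPLE', 'WirelessUsers',
                                            $user, $resolve, $query);
    printf "%-6s %s (cached controller now %s)\n", $user,
        defined $error ? "ERROR $error" : ($member ? 'member' : 'not a member'),
        $cache{EXAMPLE} // 'none';
}
```

The point of separating the two failure modes is the "User Not Found" symptom Neil saw: GroupIsMember returns false both when the user is not a member and when the controller cannot be reached, so an unchecked false is logged as a membership failure and the dead controller stays cached. Whether the Win32 error code is set on the second case is the assumption above; verify it with Trace 4 against a deliberately stopped DC before relying on it.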
Re: [RADIATOR] AuthByLSA group issue if DC controller is unavailable.
Neil:

Would you please clarify, do you have the DomainController variable set? The way I'm reading this code, it should call GetAnyDomainController each time the subroutine is called unless that variable is set.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/3/2015 9:17 AM, Johnson, Neil M wrote:
> We are having issues with Authentication failures using AuthByLSA when the
> workstation fails over to another Domain Controller.
>
> The issue is that we do a group membership check in our AuthByLSA Handler.
>
> It appears from the code below that if you don't specify a DC it picks one
> the first time it checks for group membership and keeps using it even if the
> DC becomes unavailable.
>
> Code is from the method "userIsInGroup" in AuthByLSA.pm.
>
>     # Find the controller to use
>     my $controller = $self->{DomainController};
>     if (!defined $controller)
>     {
>         $controller = $self->{controllers}{$domain};
>         if (!defined $controller)
>         {
>             &Win32::NetAdmin::GetAnyDomainController(undef, $domain, $controller);
>             $self->{controllers}{$domain} = $controller;
>         }
>     }
>     $self->log($main::LOG_DEBUG, "Checking LSA Group membership for $controller, $group, $username");
>     return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
>         || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
>
> Is it possible to add code to check for a DC failure and then repeat the call
> to "Win32::NetAdmin::GetAnyDomainController" in this subroutine?
>
> Thanks.
>
> -Neil
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] strip attributes from access-reject
You can do this with a PostAuthHook. Check out the goodies/hooks.txt file -- the first four examples cover this, in fact -- the fourth example is specifically removing specific reply items based on the Client Identifier.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 12/15/2014 9:47 AM, Mueller, Jason C wrote:
> Is there a way to not include radius attributes, when sending a RADIUS
> access-reject?
>
> I have AddToReply attributes in the client stanza. I need to send different
> attributes based on the device type that is being authenticated against,
> which is why the AddToReply config is in the client stanza.
>
> Here is a sanitized version of the client stanza:
>
>     IdenticalClients 192.168.2.1/32
>     Secret areallygoodsecret
>     DupInterval 0
>     AddToReply Session-Timeout=0,Juniper-Local-User-Name=some_name
>
> However, some devices don't like getting attributes in an access-reject,
> including Juniper MX's.
>
> Is there a way to strip out all the defined AddToReply attributes, as well as
> the RADIUS reply-message (attribute 18), when sending an access-reject?
>
> Thanks.
>
> -Jason
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
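As an added illustration of the approach (this is not one of the goodies/hooks.txt examples), a PostAuthHook that strips the AddToReply attributes from Jason's stanza plus Reply-Message, but only from Access-Reject and only for one Client Identifier. It assumes the documented PostAuthHook arguments (references to the request, the reply, the result and the reason), the $main::REJECT constant, and the delete_attr() method on the reply packet; the Client Identifier 'juniper-mx' is a constructed name, and the hook goes in the Handler or AuthBy clause that serves those clients.

```perl
# Added example, not from goodies/hooks.txt. Radiator joins lines that end
# in a backslash, so the hook may be laid out over several lines.
PostAuthHook sub { \
    my ($p, $rp, $result) = (${$_[0]}, ${$_[1]}, ${$_[2]}); \
    return unless $result == $main::REJECT; \
    my $client = $p->{Client} ? ($p->{Client}->{Identifier} || '') : ''; \
    return unless $client eq 'juniper-mx'; \
    foreach my $attr (qw(Session-Timeout Juniper-Local-User-Name Reply-Message)) { \
        $rp->delete_attr($attr); \
    } \
    &main::log($main::LOG_DEBUG, "Stripped reject attributes for client $client"); \
}
```

Checking the result first matters: the same hook runs for Access-Accept, where Session-Timeout must survive. Dropping Reply-Message from rejects is also a small information-disclosure win, since that attribute often carries the failure reason to an unauthenticated client; confirm with Trace 4 that the reply leaves with only the Proxy-State and Message-Authenticator attributes Radiator adds after the hook.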
Re: [RADIATOR] LDAP shadowExpire
You could accomplish this in a PostSearchHook. The documentation includes an example for adding a reply item based off a multiplied value, so guessing something like:

PostSearchHook sub { my $shadowExpire = $_[4]->get('shadowExpire'); \
    $_[3]->get_check->add_attr("Expiration", $shadowExpire * 86400); }

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 2/4/2014 10:11 AM, Fabio Prina wrote:
> Hi All,
>
> I'm using posixAccount/shadowAccount users in an LDAP and I would like to use
> the shadowExpire attribute to check the Expiration ... but the value is
> expressed in days since 01/01/1970 and not seconds
>
> Maybe it is a stupid question but is there a way to use this attribute? Like
> multiply by 86400 before the check
>
> Thanks
> --
> Fabio
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
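An added example (not the manual's and not Robert's guess above) of the same hook with the edge cases a practitioner would want handled. It assumes the manual's PostSearchHook argument order, with $_[3] the Radius::User being built and $_[4] the Net::LDAP::Entry, and uses get_value(), the current Net::LDAP::Entry accessor. Per shadow(5) an empty shadowExpire means the account never expires (some tools write -1 for the same meaning), and 0 is expiry on 1970-01-01, which is treated here as already expired. The date is written in the "Mmm DD YYYY" form Radiator documents for the Expiration check item, so the hook does not depend on Radiator accepting a raw second count.

```perl
# Added example, not from the Radiator manual. Lines end in a backslash so
# Radiator reads the hook as one sub.
PostSearchHook sub { \
    my ($user, $entry) = ($_[3], $_[4]); \
    my $days = $entry->get_value('shadowExpire'); \
    return unless defined $days && $days =~ /^\d+$/; \
    my @t = gmtime($days * 86400); \
    my @mon = qw(Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec); \
    my $expires = sprintf('%s %02d %04d', $mon[$t[4]], $t[3], $t[5] + 1900); \
    $user->get_check->add_attr('Expiration', $expires); \
    &main::log($main::LOG_DEBUG, "shadowExpire $days mapped to Expiration $expires"); \
}
```

The regex is the important line: an empty or negative value silently skips the check item, whereas multiplying it by 86400 would produce 0 or a negative number and reject every such account. The day is converted in UTC, which is how shadowExpire is defined; Radiator compares the string in the server's local time, so the cut-over can differ from the directory's by up to one day.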
Re: [RADIATOR] on Windows Server ?
Jason:

I have a similar need, and when I first looked at Syslog -- even the ActiveState forums said not to expect Sys::Syslog to work on Windows. Thankfully, that's changed -- and I did some testing first with a simple script then finally in one of my Radiator instances. I only specified an AuthLog and I'm using a different facility -- but I can at least verify that AuthLog SYSLOG works in my case with the following stanza on Windows 2003 SP2 (i386/32 bit processor) running Radiator 4.11, ActiveState Perl 5.16.3, with Sys::Syslog 0.32.

<AuthLog SYSLOG>
    Identifier    authsyslog
    LogSuccess    1
    LogFailure    1
    SuccessFormat %l:%N:%u:%U:%P:%1:OK
    FailureFormat %l:%N:%u:%U:%P:%1:FAIL
    LogHost       IP_OF_SYSLOG_SERVER
    LogSock       udp
    LogIdent      radius
    Facility      auth
</AuthLog>

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 11/1/2013 1:58 PM, Mueller, Jason C wrote:
> Heikki,
>
> I created a Perl script independent of Radiator that called Sys::Syslog and
> sent a message to the remote host. That worked using UDP.
>
> Here are the stanzas I created in the Radiator config file:
>
>     <Log SYSLOG>
>         Identifier syslog
>         LogSock udp
>         LogHost IP_ADDRESS_OF_REMOTE_HOST
>         Facility local5
>     </Log>
>
>     <AuthLog SYSLOG>
>         Identifier authsyslog
>         LogSock udp
>         LogHost IP_ADDRESS_OF_REMOTE_HOST
>         Facility local5
>         SuccessFormat %H:%M:%S | %{Calling-Station-Id} | %u | OK | NAS-IP %N
>         FailureFormat %H:%M:%S | %{Calling-Station-Id} | %u | FAIL: %1 | NAS-IP %N
>     </AuthLog>
>
> As Neil indicated, the inet option did not work. I really don't want to use
> the "inet" option, since it tries TCP first, and we are not using TCP. The
> RADIUS servers are under relatively heavy load, so I do not want to consume
> the time or cycles sending a message with no possible means of success in a
> single threaded application.
>
> I did not have the LogSuccess and LogFailure options set in the <AuthLog SYSLOG>
> clause. I have added those, but no success.
>
> I should note that when I had invalid attributes in the section
> that Radiator actually sent information to the syslog server indicating that
> I had invalid attributes. After they were removed and I restarted, Radiator
> did not send any logs. I would have expected to get the general log info, but
> that did not happen.
>
> Any help is appreciated. We might try upgrading Perl and upgrading Radiator
> (one at a time to see which makes a difference).
>
> -Jason
>
> On Oct 30, 2013, at 8:54 AM, Heikki Vatiainen wrote:
>
>> On 10/29/2013 07:56 PM, Johnson, Neil M wrote:
>>> Tried the LogSock inet, did not work.
>>>
>>> We are running ActiveState PERL 5.12.2 and Sys::Syslog version 0.33
>>
>> I tried with ActivePerl 5.14.4 and Sys::Syslog 0.33 using this
>> configuration:
>>
>>     <AuthLog SYSLOG>
>>         Identifier myauthlogger
>>         LogHost 172.16.172.14
>>         LogSock inet
>>         LogSuccess 1
>>         LogFailure 1
>>     </AuthLog>
>>
>> I had tcpdump running on 172.16.172.14 and there was traffic to syslog
>> port 514. The configuration was goodies/authlog.cfg modified to use
>> SYSLOG as shown above.
>>
>> Maybe you could try a simple config to see if it works with something
>> very basic?
>>
>> I could not try with ActivePerl 5.12.2 since PPM complained about
>> requiring authentication to upgrade to 0.33. Seeing how to get this
>> solved may take a bit longer, but I thought I'd confirm syslog on
>> Windows should work.
>>
>> --
>> Heikki Vatiainen
>>
>> Radiator: the most portable, flexible and configurable RADIUS server
>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
>> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
>> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
>> NetWare etc.
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
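The stand-alone check Jason and Robert both describe, as an added example (not either poster's script): it forces the UDP socket type rather than "inet", uses the same ident and facility as the AuthLog stanza above so the collector's filters treat the test line like production ones, and reports a failure to bind the socket instead of silently doing nothing. The collector address is a placeholder.

```perl
#!/usr/bin/perl
# Added example: one syslog line over UDP with Sys::Syslog, run on the
# Radiator host before touching the Radiator config.
use strict;
use warnings;
use Sys::Syslog qw(:standard :macros);

# Assumed values; replace with the real collector address and port.
my $syslog_host = '192.0.2.10';
my $syslog_port = 514;

# "udp" only. The "inet" type tries TCP before UDP, which is the stall the
# thread wants to avoid in a single-threaded server under load.
setlogsock({ type => 'udp', host => $syslog_host, port => $syslog_port })
    or die "setlogsock(udp) failed: $!\n";

# Match the AuthLog SYSLOG stanza: LogIdent radius, Facility auth.
openlog('radius', 'ndelay,pid', LOG_AUTH);
syslog(LOG_INFO, 'Sys::Syslog UDP test from %s', $ENV{COMPUTERNAME} // 'unknown-host');
closelog();

print "sent one test message to $syslog_host:$syslog_port/udp\n";
```

Because UDP has no delivery feedback, "sent" here only means the datagram left the socket; watch the collector (or tcpdump on it, as Heikki did) for the line. If this script produces a packet and Radiator does not, the difference is in the Radiator clause, not in Sys::Syslog.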
Re: [RADIATOR] on Windows Server ?
As I recall, the problem was with the Windows implementation of Sys::Syslog, which at least started as simply a Perl wrapper to the Unix syslog() library calls. Both modules inherit from Sys::Syslog, so any issues experienced with one will be seen by the other. Though, as ActiveState now includes Sys::Syslog in their win32 and win64 distros, it might be possible to get this to work; although, the "rules of syslog" say to avoid the setlogsock() call, which is conditionally called in both of these modules as well, so... It's worth a test to see if the documentation can be updated.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 10/28/2013 11:54 AM, Johnson, Neil M wrote:
> Can you use on Windows ?
>
> According to the Manual only works on UNIX systems, but nothing is
> mentioned in the section of the manual for .
>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: +1 319 384-0938
> Fax: +1 319 335-2951
> E-Mail: neil-john...@uiowa.edu
> Lync: neil-john...@uiowa.edu
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] ActiveState Win32 and FailureBackoffTime
OK... Upgraded from ActivePerl 5.8 to 5.16, as well as making sure all the relevant packages were updated, and updated Radiator from 3.14 to 4.11 -- but I'm still not seeing a reconnect attempt if the service loses connectivity. So apparently I missed something -- can someone spot what that might be?

Here's a cleaned up snippet from a Trace 3 log (far too much traffic to sit with Trace 4) and the relevant parts of my config. As you can see, I'm defining the FailureBackoffTime in my ClientListSQL and in the AuthBy clause (AuthBy Sitestar is essentially a customized AuthBy EMERALD module which still inherits the DB connection parameters from AuthBy SQL... I also use some AuthBy SQL clauses with the same parameters as well) -- and then in addition to defining the FailureBackoffTime -- I also define the RefreshPeriod of the ClientListSQL -- but the log shows 'backing off for 0 seconds' and never indicates an attempt to reconnect.

Tue Jul 30 13:50:59 2013: ERR: Could not connect to SQL database with DBI->connect dbi:ODBC:RADIUSDB, raduser, raddbpass: [Microsoft][ODBC SQL Server Driver]Timeout expired (SQL-HYT00)
Tue Jul 30 13:50:59 2013: ERR: Could not connect to any SQL database. Request is ignored. Backing off for 0 seconds
Tue Jul 30 13:51:00 2013: NOTICE: Server started: Radiator 4.11 on freedom

# Let's define several variables.
DefineGlobalVar SUBSCRIBER_DB    dbi:ODBC:RADIUSDB
DefineGlobalVar ACCOUNTING_DB    dbi:ODBC:RadiusAcct
DefineGlobalVar PROPELACCT_DB    dbi:ODBC:RadiusAcct
DefineGlobalVar databaseuser     raduser
DefineGlobalVar databasepass     raddbpass
DefineGlobalVar databackofftime  300

<ClientListSQL>
    DBSource           %{GlobalVar:SUBSCRIBER_DB}
    DBUsername         %{GlobalVar:databaseuser}
    DBAuth             %{GlobalVar:databasepass}
    FailureBackoffTime %{GlobalVar:databackofftime}
    # Re-read Servers table every 15 minutes.
    RefreshPeriod      900
    GetClientQuery     SELECT \
        IPAddress AS NASIdentifier, \
        Secret, \
        NULL AS IgnoreAcctSignature, \
        DupInterval, \
        DefaultRealm, \
        NasType, \
        Community AS SNMPCommunity, \
        NULL AS LivingstonOffs, \
        NULL AS LivingstonHole, \
        NULL AS FramedGroupBaseAddress, \
        NULL AS FramedGroupMaxPortsPerClassC, \
        RewriteUsername, \
        NoIgnoreDuplicates, \
        NULL AS PreHandlerHook, \
        Comments AS Identifier, \
        DefaultReply, \
        NULL AS FramedGroup, \
        StripFromReply, \
        AllowInReply, \
        AddToReply, \
        AddToReplyIfNotExist, \
        DynamicReply, \
        AddToRequest, \
        StripFromRequest, \
        AddToRequestIfNotExist, \
        Flags \
        FROM Servers
</ClientListSQL>

<AuthLog FILE>
    Identifier    sitestar-log
    Filename      %L/rad-auth-%Y-%m.log
    LogSuccess    1
    LogFailure    1
    SuccessFormat %l:%c:%N:%u:%U:%P:%1:OK
    FailureFormat %l:%c:%N:%u:%U:%P:%1:FAIL
</AuthLog>

<AuthBy Sitestar>
    Identifier         SitestarAuth
    DBSource           %{GlobalVar:SUBSCRIBER_DB}
    DBUsername         %{GlobalVar:databaseuser}
    DBAuth             %{GlobalVar:databasepass}
    FailureBackoffTime %{GlobalVar:databackofftime}
    AuthSelect         RadUserLookup '%U', '%R', '%{Request:Called-Station-Id}'
    # Empty AccountingTable turns off Accounting.
    IgnoreAccounting
    AccountingTable
    CaseInsensitivePasswords
    AddATDefaults
    AuthLog sitestar-log
</AuthBy>

AuthBy SitestarAuth

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 7/23/2013 9:01 AM, Robert Fisher wrote:
> Hrmm -- Don't have a trace 4 log, but did see where the logs have a
> backing off for 0 seconds, and my ClientListSQL clause has a refresh of
> 900 -- but it's still not triggering a reconnect, though I do notice I'm
> running a rather old version of 3.14 -- so going to try updating Perl
> and Radiator before continuing to tweak settings.
>
> Robert Fisher
> Systems Administrator
> Sitestar Internet Services
>
> On 7/23/2013 5:43 AM, Sami Keski-Kasari wrote:
>> Hello Robert,
>>
>> On 07/22/2013 05:59 PM, Robert Fisher wrote:
>>
>>> Even though I have the FailureBackoffTime defined to 300 or 5 minutes,
>>> it seems to be ignored.
>>
>> It is supported on Windows. FailureBackoffTime applies when none of
>> the configured DBs can be connected. The next connection attempt is
>> done when the FailureBackoffTime has elapsed.
>>
>> Can you see "Backing off for a seconds messages" in the log?
>>
>> Could you reply with trace 4 logfile from this event?
>>
>>> The documentation does state the optional Timeout
>>> parameter is ignored on ActiveState Win32, and I suspe
Re: [RADIATOR] ActiveState Win32 and FailureBackoffTime
Hrmm -- Don't have a trace 4 log, but did see where the logs have a backing off for 0 seconds, and my ClientListSQL clause has a refresh of 900 -- but it's still not triggering a reconnect, though I do notice I'm running a rather old version of 3.14 -- so going to try updating Perl and Radiator before continuing to tweak settings.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 7/23/2013 5:43 AM, Sami Keski-Kasari wrote:
> Hello Robert,
>
> On 07/22/2013 05:59 PM, Robert Fisher wrote:
>
>> Even though I have the FailureBackoffTime defined to 300 or 5 minutes,
>> it seems to be ignored.
>
> It is supported on Windows. FailureBackoffTime applies when none of
> the configured DBs can be connected. The next connection attempt is
> done when the FailureBackoffTime has elapsed.
>
> Can you see "Backing off for a seconds messages" in the log?
>
> Could you reply with trace 4 logfile from this event?
>
>> The documentation does state the optional Timeout
>> parameter is ignored on ActiveState Win32, and I suspect that has more
>> to do with the level of control of TCP sockets in Win32 more than
>> anything else.
>
> True, Timeout is ignored and the command runs as long as it returns
> for some reason. The reason it is ignored has to do with how signals
> are implemented in Win32 perl.
>
>> What I don't understand is why the FailureBackoffTime doesn't cause
>> Radiator to attempt a reconnect, and can see there's no second attempt
>> to reconnect because nothing new about the connection makes it into
>> the logs 5 - 10 - 15 minutes or even hours after the event until the
>> service/daemon is restarted.
>
> If there is activity that requires DB access and there is currently no
> connection to the DB, it should reconnect. Note that if you have e.g.,
> ClientListSQL with no refresh, there is only one attempt to fetch the
> client list. If that fails, then no retries are done. You can
> configure a refresh interval that should make periodic connections.
>
>> So my questions are:
>>
>> 1) Is some extra step required to use FailureBackoffTime in Windows?
>
> No
>
>> 2) Alternatively, is there any way to hook into the connection lost
>> as an event so I can kill the radiator instance -- since that would at
>> least be able to signal to Windows that the service has "died" and
>> can then use the MS tools to try and restart the service and thus
>> resynch the connection.
>
> There is currently an undocumented hook that is called when no databases
> can be connected to. Currently the hook just logs the above "Backing
> off..." message and does nothing else:
> ConnectionAttemptFailedHook (see SqlDb.pm).
>
> Best Regards,
> Sami
>
>> Thanks in advance,
>
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
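An added example, not from SqlDb.pm or from either poster, of using the hook Sami names to do what Robert's second question asks for: after three failed connection attempts within ten minutes the process exits, so the Windows service manager can start a clean instance. The hook's arguments were undocumented at the time, so $_[0] is assumed to be the SqlDb object that failed and is used only for its Identifier in the log line; the service name in the recovery command is a placeholder.

```perl
# Added example. Put this line in each SQL clause (ClientListSQL, AuthBy SQL
# and derived clauses) whose loss should trigger a restart. Lines ending in
# a backslash are joined by Radiator.
ConnectionAttemptFailedHook sub { \
    my $db = $_[0]; \
    my $name = (ref $db && $db->{Identifier}) ? $db->{Identifier} : 'SqlDb'; \
    my $now = time; \
    push @main::sql_connect_failures, $now; \
    @main::sql_connect_failures = grep { $_ > $now - 600 } @main::sql_connect_failures; \
    my $count = scalar @main::sql_connect_failures; \
    &main::log($main::LOG_ERR, "SQL connect failure $count within 600s ($name)"); \
    return if $count < 3; \
    &main::log($main::LOG_ERR, "Exiting after $count SQL connect failures so the service manager can restart radiusd"); \
    exit 3; \
}

# Windows side, run once from an elevated prompt (service name assumed):
#   sc failure Radiator reset= 86400 actions= restart/60000/restart/60000/restart/60000
```

The sliding window is there because the hook has no success counterpart: a plain counter would never reset after the database came back and a single later hiccup would take the server down. Keep FailureBackoffTime non-zero alongside this, otherwise every request during an outage counts as a separate failure and the limit is reached within a second. Note that exit discards whatever requests are in flight, which is the trade-off Robert accepts in preference to a server that answers nothing for hours.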
[RADIATOR] ActiveState Win32 and FailureBackoffTime
I'm running on Windows 2000 and Windows 2003 with ActiveState Perl, using DBD::ODBC to connect to local SQL Server instances. However, I notice sometimes the service either starts before the DB is ready (despite having it defined in Windows as dependent on both the SQL Server and SQL Server Agent services)... or that under higher load a connection might time out.

Even though I have the FailureBackoffTime defined to 300 or 5 minutes, it seems to be ignored. The documentation does state the optional Timeout parameter is ignored on ActiveState Win32, and I suspect that has more to do with the level of control of TCP sockets in Win32 more than anything else.

What I don't understand is why the FailureBackoffTime doesn't cause Radiator to attempt a reconnect, and I can see there's no second attempt to reconnect because nothing new about the connection makes it into the logs 5 - 10 - 15 minutes or even hours after the event until the service/daemon is restarted.

So my questions are:

1) Is some extra step required to use FailureBackoffTime in Windows?

2) Alternatively, is there any way to hook into the connection lost as an event so I can kill the radiator instance -- since that would at least be able to signal to Windows that the service has "died" and can then use the MS tools to try and restart the service and thus resynch the connection.

Thanks in advance,

--
Robert Fisher
Systems Administrator
Sitestar Internet Services
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] eduroam question
There are the %c and %C substitutions for the IP, or the reverse lookup of the IP, of the client making the connection to your server; that is the closest there is. Of course, if you've only configured to interact with the top level client -- that might not be as much help, although one would assume the top level realm and proxy configuration might be better managed than organizations still in their testing stages.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/29/2013 1:34 PM, Johnson, Neil M wrote:
> Is there a way in RADIATOR I can log the IP address of the RADIUS server
> that originates a request through the eduroam hierarchy?
>
> I'm currently logging the NAS-IP attribute, but in many cases that is an
> RFC1918 address.
>
> What I want is the IP address of the first RADIUS server sending the
> request. It would be helpful for debugging purposes.
>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes
You could build a custom vendor attribute by adding it to your dictionary on an unused vendor id and then in the handler or client clause use an AddToRequest to tack on the value. It would mean reconfiguring the slave or downstream instances so those handlers matched on the new vendor attribute rather than Client-Identifier.

Alternatively, the NAS-Identifier would be preserved, but I imagine you're using Client-Identifier to group similar clients together.

On 1/28/2013 11:42 AM, Johnson, Neil M wrote:
> I'm playing with running multiple instances of RADIATOR on the same windows
> box to improve RADIATOR performance.
>
> I have a "Master" instance of RADIATOR that proxies incoming requests from
> my NAS boxes (wireless controllers) to one of four "slave" instances.
>
> However, I need to use different Handlers based on the incoming NAS box.
> Using a single instance of RADIATOR I would just use the "Identifier" keyword
> in the configuration clause and pick a Handler using the "Client-Identifier"
> selector in the clause.
>
> Is there a way to pass the "Client-Identifier" to another RADIATOR process?
> Perhaps as a RADIUS Attribute?
>
> Thanks.
>
> -Neil
>
> --
> Neil Johnson
> Network Engineer
> The University of Iowa
> Phone: 319 384-0938
> Fax: 319 335-2951
> Mobile: 319 540-2081
> E-Mail: neil-john...@uiowa.edu
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
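The custom-attribute route spelled out, as an added configuration example that is not Neil's or Robert's config. The vendor id 65001, the attribute name X-Client-Identifier, the client address and the Identifier value are all placeholders; use a vendor id that does not already appear in your dictionary.

```text
# dictionary additions, the same file on the master and every slave
VENDOR      SiteLocal   65001
VENDORATTR  65001 X-Client-Identifier 1 string

# master: tag each request with the Client clause that received it.
# Strip any copy a NAS might send first, so the value the slaves see is
# always the master's own (assumes StripFromRequest is applied before
# AddToRequest in the Client clause; confirm with a Trace 4 log).
<Client 192.0.2.11>
    Identifier        controller-a
    Secret            changeme
    StripFromRequest  X-Client-Identifier
    AddToRequest      X-Client-Identifier=%{Client:Identifier}
</Client>

# slave: select the Handler on the forwarded attribute instead of the
# local Client-Identifier, which on the slave would only ever name the
# master.
<Handler X-Client-Identifier=controller-a>
    ...
</Handler>
```

The AuthBy RADIUS on the master forwards request attributes as they are, so nothing else is needed to carry the value. The strip on the master is the security-relevant line: without it a NAS that knows the attribute number could choose its own Handler on the slaves. The slave's own Client clause for the master should also be the only one that accepts requests carrying this attribute.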
Re: [RADIATOR] Radiator User Traffic Accounting from Smart Switch
This doesn't seem like a question about Radiator or even RADIUS. In order to gather RADIUS accounting data from the switch -- RADIUS accounting has to be supported in the switch's firmware. I don't know of any switch that supports this.

However, if all you're interested in is a count of octets-in versus octets-out on a port by port basis, you're probably better off investigating a solution with SNMP or RMON as both protocols are commonly available on managed switches and there are many monitoring packages that can be used to not only check on the status of the switch and the various ports but also to record the traffic data.

On 7/20/2012 10:49 AM, Jeff Kaminski wrote:
> We at Urban Networks have Radiator up and running on CentOS, as well as the
> built in ServerHTTP.
>
> In particular, we are interested in traffic accounting for users on Urban's
> network that do not need Radius authentication. We just need to collect their
> traffic usage for billing.
>
> I am currently setting up the /etc/radiator/radius.cfg file and can create
> users. What I now need to know is how to collect IP traffic accounting
> information for a particular user that is on a particular port on a smart
> switch. This Radius accounting information then needs to be forwarded on to a
> Platypus 7 server that handles user account billing.
>
> To summarize, the user is already attached to Urban's network and has full
> Internet access. We just want to track their traffic usage. Something like
> the number of Megabytes in and out of the port on the switch that they are
> on per hour - or something like that? So Radiator needs to map the user to
> the switch and port, and then track port statistics.
>
> Jeff
>
> ___
> radiator mailing list
> radiator@open.com.au
> http://www.open.com.au/mailman/listinfo/radiator