Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
On 07/14/2013 11:30 AM, Karl Gaissmaier wrote:

> Please fix this, if you UseExtendedIds in AuthBy RADIUS you should
> always WARN if the Proxy-State is stripped or mangled.

Good point. It's a good idea to make this separate from getting an unknown reply, which is currently logged for both cases.

> And sure, we need better packet dumps in this case to see the
> sent/missing/mangled attributes in the reply packet.

We are actually working on this now. There will be two changes at least:
- enable PacketTrace for requests received from AuthBy RADIUS and RADSEC
- see that packet dump is called so that any Log ... within AuthBy etc. module will be called instead of the dump going just to the main log file

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
Hi Heikki,

it's Sunday, really I can wait for answers from your team after the weekend ;-)

On 14.07.2013 10:54, Heikki Vatiainen wrote:
> On 07/14/2013 11:30 AM, Karl Gaissmaier wrote:
>
>> Please fix this, if you UseExtendedIds in AuthBy RADIUS you should
>> always WARN if the Proxy-State is stripped or mangled.
>
> Good point. It's a good idea to make this separate from getting an unknown
> reply, which is currently logged for both cases.
>
>> And sure, we need better packet dumps in this case to see the
>> sent/missing/mangled attributes in the reply packet.
>
> We are actually working on this now. There will be two changes at least:
> - enable PacketTrace for requests received from AuthBy RADIUS and RADSEC
> - see that packet dump is called so that any Log ... within AuthBy etc.
>   module will be called instead of the dump going just to the main log file

Thanks for Radiator and for this excellent service!

Best Regards
Charly

--
Karl Gaissmaier
Universität Ulm / Germany
Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:

> it's Sunday, really I can wait for answers from your
> team after the weekend ;-)

Heh, I thought I'd save you some work since I understood you were going to work on the debug log and PacketTrace patch.

The Proxy-State mangling is a bit problematic, though. This attribute is the only identifier that currently maps responses to requests with RadSec. If the other proxies mangle it, it would be essential to find and fix them.

Thanks,
Heikki

--
Heikki Vatiainen
Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
Hi Heikki,

On 14.07.2013 11:35, Heikki Vatiainen wrote:
> On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:
>
>> it's Sunday, really I can wait for answers from your
>> team after the weekend ;-)
>
> Heh, I thought I'd save you some work since I understood you were going
> to work on the debug log and PacketTrace patch.

yep, you saved my (sun)day

> The Proxy-State mangling is a bit problematic, though. This attribute is
> the only identifier that currently maps responses to requests with
> RadSec. If the other proxies mangle it, it would be essential to find
> and fix them.

And with RADSEC it's important to dump unknown replies, since the packets are encrypted on the wire and without the private key of the upstream proxy I can't decipher them. I need the dumps from Radiator in the case of 'Unknown replies' even if the attr-values can't be decoded.

Best Regards and thanks in advance
Charly
Re: [RADIATOR] AuthBy RADIUS and UseExtendedIds, stripped Proxy-State and strange behavior after 256 requests
On 14.07.2013 11:35, Heikki Vatiainen wrote:
> On 07/14/2013 12:17 PM, Karl Gaissmaier wrote:
>
>> it's Sunday, really I can wait for answers from your
>> team after the weekend ;-)
>
> Heh, I thought I'd save you some work since I understood you were going
> to work on the debug log and PacketTrace patch.
>
> The Proxy-State mangling is a bit problematic, though. This attribute is
> the only identifier that currently maps responses to requests with
> RadSec. If the other proxies mangle it, it would be essential to find
> and fix them.

sure, but it's a problem to show the mangled/stripped attr if I can't decode it. It's just a suspicion, but I have to prove it to force my upstream proxy (German research network) to look into the config and raise the debug level, sorry.

Maybe for debug traces in case of unknown replies, you could use heuristic mappings, since the last 8 bits of the packet Identifier should match a pending extended-id from a request. And you know the host and port of the sender.

I don't know your data structure in detail where you queue pending requests, but maybe you can narrow this heuristically for debugging.

Best Regards
Charly
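
The heuristic suggested in the last message, sketched as an added example that is not part of the thread and is not Radiator's code: replies are matched on an extended id carried in Proxy-State, and when that attribute is stripped or mangled the pending requests are narrowed by sender host/port and the low 8 bits of the extended id. The `ext-id=` Proxy-State format, the class and the status names are assumptions made for illustration.

```python
import logging

log = logging.getLogger("proxy-correlation")

class PendingRequests:
    """Pending proxied requests, keyed by an extended id carried in Proxy-State."""

    PREFIX = b"ext-id="  # constructed Proxy-State format, not Radiator's own

    def __init__(self):
        self.next_id = 0
        self.pending = {}  # ext_id -> (peer, request context)

    def send(self, peer, context):
        """Register a request; return (8-bit Identifier, Proxy-State value)."""
        ext_id = self.next_id
        self.next_id += 1
        self.pending[ext_id] = (peer, context)
        return ext_id & 0xFF, self.PREFIX + str(ext_id).encode()

    def candidates(self, peer, identifier):
        """Heuristic: pending ids for this peer whose low 8 bits match."""
        return sorted(e for e, (p, _) in self.pending.items()
                      if p == peer and e & 0xFF == identifier)

    def receive(self, peer, identifier, proxy_states):
        """Return (status, context, candidate extended ids) for a reply."""
        ours = [v for v in proxy_states if v.startswith(self.PREFIX)]
        if not ours:  # no value with our prefix came back
            status = "proxy-state-stripped"
        else:
            digits = ours[-1][len(self.PREFIX):]
            ext_id = int(digits) if digits.isdigit() else None
            entry = self.pending.get(ext_id)
            if entry and entry[0] == peer and ext_id & 0xFF == identifier:
                del self.pending[ext_id]
                return "matched", entry[1], [ext_id]
            status = "proxy-state-mangled" if ext_id is None else "unknown-reply"
        cands = self.candidates(peer, identifier)
        # Separate warning per failure kind, with the narrowed candidates.
        log.warning("%s from %s:%s id=%d, candidate extended ids: %s",
                    status, peer[0], peer[1], identifier, cands)
        return status, None, cands
```

With more than 256 requests pending towards one peer, a reply without a usable Proxy-State maps to several candidates, which is why the heuristic is only good for debug traces and not for delivering the reply.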