Re: [RADIATOR] Duplicate packets

2016-07-18 Thread A . L . M . Buxey
Hi, > I am not handling start packets so they are ignored, as you may have noticed at least acknowledge them. if you don't handle them and ignore them then any decent NAS will resend them and/or mark your server as down/dead :( alan ___ radiator mailing l

Re: [RADIATOR] Questions regarding new release and current roadmap

2016-06-29 Thread A . L . M . Buxey
Hi, > 2.5) A method of synchronizing configuration files (apart from certain > variables) across multiple servers. If all Radiator servers have very similar > configuration and are distributed for load balancing and redundancy, it's a > shame that the configuration needs to be managed and confi

Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread A . L . M . Buxey
Hi, >Are all the challenges independent of each other? I can't find anything in >the debug log that ties the incoming packets together. all separate UDP packets - but with a known state - the RADIUS server recognises the conversation (up to 256 from each NAS usually) with latest patch

Re: [RADIATOR] EAP PEAP Challenges

2016-04-12 Thread A . L . M . Buxey
Hi, >Is there a paper somewhere which discusses EAP PEAP Challenges? I'm >debugging a new controller's access to radiator and finding that a working >auth requires 11 udp packets each way and I don't understand why. What >info is being passed? documented in the RFC and on resource

Re: [RADIATOR] Performance logging

2016-04-04 Thread A . L . M . Buxey
Hi, > Somewhat yes, I get the idea of anonymizing user’s identity with PEAP, but > for example with demo test certificates bundled with Radiator, PEAP-TLS > takes 15 rounds for a single EAP authentication. well, PEAP itself takes around 12-14 rounds - the EAP-TLS part is short. however, unless

[RADIATOR] RADIATOR 4.16 clause checks...

2015-11-16 Thread A . L . M . Buxey
hi, seems fussy about the upper/lower case eg WARNING: Clause Authby closed in /etc/radiator/radius.cfg line 121 does not match currently open clause AuthBy from /etc/radiator/radius.cfg line 118 # Local test realm # Strip realm RewriteUsername s/^([^@]+).*/$1/

Re: [RADIATOR] Suggestion: Support of TLS Session Resumption based on tickets and not just session IDs

2015-10-27 Thread A . L . M . Buxey
Hi, > RFC 5077 (Session Tickets based TLS Session resumption, aka TLS Session > Resumption without Server-Side State) is implemented as of Windows 8.1 and > Windows Server 2012R2. So along with Windows 10, that's 16% of the desktop > market share according to: > https://www.netmarketshare.com/o

[RADIATOR] problem with latest patchset

2015-10-20 Thread A . L . M . Buxey
hi, after installing 19/oct/2015 patchset with 4.15 syntax error at /usr/local/share/perl5/Radius/Util.pm line 483, near "s@%{@{@rgs" syntax error at /usr/local/share/perl5/Radius/Util.pm line 492, near "s@%{@{@rgs" Compilation failed in require at /usr/local/share/perl5/Radius/Configurable.pm

Re: [RADIATOR] dictionary.cisco-vpn bitmap type warning

2015-10-14 Thread A . L . M . Buxey
Hi, > when using the dictionary.cisco-vpn file we get the following warning on > startup: > WARNING: Attribute Cisco-VPN-WebVPN-HTML-Filter uses unknown type > 'bitmap' on line 63 4.15 ? do you use that attribute? you could delete if you don't but if I recall correctly, that value should be

Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-06 Thread A . L . M . Buxey
Hi, > Would using Microsoft EFS on the Radiator folder (which contains all NAS > credentials) and limiting access be a stronger solution than using an > encrypted database? Would this cause a noticeable performance hit for an SMB? ah..you're using RADIATOR on a windows box? now I see why you w

Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-02 Thread A . L . M . Buxey
Hi, > In this case the private key wasn't necessary to authenticate the phones. > ACS, Cisco's AAA server, also doesn't require the CAPF private key but rather > the CAPF public key to authenticate phones. what you need depends on your implementation. if using another CA - eg a public one, th

Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi, > These passwords are the ones I think should be protected since they are > usually long-term and sensitive. Migrating every NAS to Active Directory > defeats the separation of system administration from network administration, > each time a new NAS has to be configured you would have a sys

Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi, > Specific hardware for securing files on your server shouldn't be necessary > for the use cases I'm suggesting. I've just integrated Radiator for the first > time and I was shocked that for each NAS I had to keep the password in > plaintext. yes... but who can use that password? just the

Re: [RADIATOR] Password/certificate security seems next to none on Radiator server

2015-10-01 Thread A . L . M . Buxey
Hi, > I would like to discuss the issue of securing passwords and certificates on > the Radiator server. From looking over the documentation and asking a member > of support on the matter, it looks as if there is no option for encrypting > passwords in the configuration. Moreover there seems as

Re: [RADIATOR] Use FarmSize parameter

2015-09-25 Thread A . L . M . Buxey
Hi, >So what happens to the EAP/PEAP requests if one enables FarmSize? Do they >simply get processed by the parent, or do they break completely? the issue is to ensure that the same child deals with them. if you are running 4.15 + patches then there is a whole nice new Gossip framework w

Re: [RADIATOR] VM or physical

2015-09-18 Thread A . L . M . Buxey
Hi, >We are in process of virtualising our physical radius servers (to vmware) >and wanted to get a general feel from users in the community here to see >what is the preferred option, keep running on physical servers or move to >vm... Obviously each option has its own benefits and

Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread A . L . M . Buxey
Hi, >Oh man! > >In other words it's a waste of good money to pay for a signed certificate. for your own internal 802.1X (where you are only directly authenticating your own users (and that includes eg eduroam) - yes. best practice is to use a self-signed CA (you have the same issues

Re: [RADIATOR] OpenSSL version.

2015-08-18 Thread A . L . M . Buxey
Hi, > I double checked to see if Win32::Lsa got installed: that's Win32::Lsa and not RADIUS::LSA alan ___ radiator mailing list radiator@open.com.au http://www.open.com.au/mailman/listinfo/radiator

Re: [RADIATOR] Apple iOS 9 and OS X El Capitan

2015-07-30 Thread A . L . M . Buxey
Hi, > Not tested, but I suspect that we will find that 1.53 is the version > at which this starts to work and, if so, it should become the minimum > version that should be used. based on other changes etc I would say just go for the current latest release - 1.70 - why opt for something older? (e

Re: [RADIATOR] Apple iOS 9 and OS X El Capitan (radiator Digest, Vol 74, Issue 10)

2015-07-30 Thread A . L . M . Buxey
Hi, > I definitely agree with your suggestion. Now that we all know that > this is an issue, we can take steps to raise awareness and inform. For > Eduroam in particular, I feel that notices should be put out to > participating institutions. actually, as a specific vendor problem, I would hope th

Re: [RADIATOR] Running Radiator under SELinux?

2015-07-28 Thread A . L . M . Buxey
Hi, > > is it possible to run Radiator (newest version) on Linux (CentOS 7) > > with SELinux enabled? Are there any special configurations or other > > advices to consider? Or should we better disable SELinux? > > I'd say it is worth trying with SELinux enabled first. We have not > looked through

Re: [RADIATOR] Apple iOS 9 and OS X El Capitan

2015-07-25 Thread A . L . M . Buxey
Hi, > These warnings led me to discover that the RHEL6-provided version of > perl-Net-SSLeay I had been using was positively ancient: > $ perl -e 'use Net::SSLeay; print $Net::SSLeay::VERSION."\n"' > 1.35 > so I installed the latest Net::SSLeay 1.70 from cpan and successfully > got rid of the wa

Re: [RADIATOR] Odd PEAP Reconnection Failures

2015-07-02 Thread A . L . M . Buxey
Hi, >I have a laptop running Windows 7. It's not connected to Active Directory. >I can login to the wireless network fine the first time but if I >disconnect and try to reconnect I get a PEAP failure in the radiator log. >If I wait a while I can connect again. The radiator server is

Re: [RADIATOR] eduroam request with EAP Nak desires type 26

2015-03-13 Thread A . L . M . Buxey
Hi, >I have local users working fine, goes to an outer PEAPhandle, then inner >ms-chap handle. >all works fine. EAP type 26 is MS-EAP-Authentication (EAP/MS-CHAPv2) - which is different to the one you are handling - type 25 PEAP, Protected EAP alan

Re: [RADIATOR] Radiator Load Balancing

2015-03-04 Thread A . L . M . Buxey
Hi, F5 load balancers have been used successfully for RADIUS load balancing for years (it's essential for the load balancer to be RADIUS protocol aware and ensure the same session goes to the same backend) alan

Re: [RADIATOR] Cisco 5508 passing mac for mac auth

2015-02-18 Thread A . L . M . Buxey
Hi, >When using a Cisco Wireless controller I have mac delimiters and 3 modes >of operation: >- Other - (In the Radius Access Request with Mac Authentication Password >is NOT sent.) >- Free Radius - (In the Radius Access Request with Mac Authentication >Password is controll

Re: [RADIATOR] strip attributes from access-reject

2014-12-15 Thread A . L . M . Buxey
Hi, > Is there a way to not include radius attributes, when sending a RADIUS > access-reject? StripFromReply ? alan

Re: [RADIATOR] AuthWIRELESS.pm, AuthSUSPEND.pm?

2014-12-03 Thread A . L . M . Buxey
Hi, >Sorry was wrong, only SUSPEND and WIRELESS are missing from both RPMS: >4.10-1 and 4.14-1. some local code you've added/created? the official releases don't have such .pm files in the Radius directory - what file has got "use Radius::AuthSUSPEND" in it? might be you just copy the req

Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi, > Also getting these: > > WARNING: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after > failover > > Which is odd since we're using PEAP not EAP. all EAP requests must go to same remote RADIUS box. there is an EAPHASHBALANCE method...but if doing ANY remote stuff then don't

Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi, > Also getting these: > > WARNING: ProxyAlgorithm HASHBALANCE declines to break up an EAP stream after > failover > > Which is odd since we're using PEAP not EAP. PEAP is EAP... alan

Re: [RADIATOR] AuthRADIUS : Could not find a working host to forward messages

2014-09-05 Thread A . L . M . Buxey
Hi, > OK, well we're also seeing lots of these messages on the backend: > > INFO: Duplicate request id 147 received from 128.248.155.31(41004): > retransmit reply duplicates mean that a request wasn't answered quickly enough - usually caused by a slowness in the backend authentication systems..

Re: [RADIATOR] Problems with Secret and SQLClientList

2014-09-02 Thread A . L . M . Buxey
Hi, > > AFAIK most switching devices (including Cisco, commonly used here) does not > > support the message-authenticator attribute. However the solution above > > works now, thanks again! ? we use Cisco and have Message Authenticator enforcement turned on. alan

Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

2014-06-28 Thread A . L . M . Buxey
Hi, > Even in the absence of client side configuration, some of the clients > (notably OS X) present some details about the cert to the user that they > can verify manually (name, fingerprint, expiry date). yep...and most users will click okay/accept without checking a single thing or even read

Re: [RADIATOR] Wireless client verification of Radiator's SSL cert EAP/PEAP

2014-06-21 Thread A . L . M . Buxey
Hi, > I've been searching around the list and the Internet trying to figure > out how a wireless client can verify the hostname of the SSL cert > provided by Radiator through the NAS as an SMTP or HTTP client would, > but I can't seem to find anything insightful. I'm not concerned with how > t

Re: [RADIATOR] Trying to get Radiator to work with EAP-TTLS auth

2014-06-04 Thread A . L . M . Buxey
Hi, >Ok I copied straight from the goodies (eap_misc I think..) and even used >certificates and still getting that error ..and the trace 5 output looks like?? it sounds like one of the PERL prerequisites might not be installed... the install guide lists the required PERL modules... Acti

Re: [RADIATOR] Status-Server changes in patches for Radiator 4.11

2014-05-12 Thread A . L . M . Buxey
Hi, > Status-Server based failure detection needs two options specified in > AuthBy RADIUS or Host within AuthBy RADIUS: > - Flag: UseStatusServerForFailureDetect > - Integer: KeepaliveTimeout numsec what is the interplay/interaction with RADSEC for this StatusServer method? cheers alan

Re: [RADIATOR] EAP TLS issues "routines:SSL3_READ_BYTES:tlsv1 alert access denied"

2014-02-20 Thread A . L . M . Buxey
Hi, > To make sure I'm on the same page with you, I'm guessing by "supplicant" >you mean the wireless client (in this case a Windows 7 laptop)? There's no >configuration that pops up immediately on that one. I tell it to connect >to the network and it pops up a username / passwor

Re: [RADIATOR] Trace level

2014-01-03 Thread A . L . M . Buxey
Hi, > I like the output of Trace 4, it makes it easy to check user inquiries as > it captures the username, IP, MAC, but the log files get very big due to > the verbose output from the EAP traffic. At the moment I just rotate the > log file a few times a day but is there a better way around th

Re: [RADIATOR] Remote RADIUS servers (proxying)

2013-11-29 Thread A . L . M . Buxey
Hi, how did you restart the server? it's likely the parent didn't die and the new config isn't actually being used. alan

Re: [RADIATOR] Missing info from error message

2013-11-27 Thread A . L . M . Buxey
Hi, > It does appear that there are issues cascading RADIATOR servers that are > all using because the RADIUS "State" attribute used to > track the EAP conversations gets mangled as the message progresses through > the chain of servers. interesting...I don't think that this has been discussed in

[RADIATOR] RADIATOR issue with particular attribute (NAS-IPv6-Address)

2013-10-03 Thread A . L . M . Buxey
hi, RADIATOR has a definition for the NAS-IPv6-Address attribute in its dictionary file. ATTRIBUTE NAS-IPv6-Address 95 ipaddrv6 however, it appears that this attribute type (ipaddrv6) has some interplay problem with the server. ie If you have a RADIUS packet going thro

Re: [RADIATOR] Attribute Error Vendor 20942

2013-09-19 Thread A . L . M . Buxey
Hi, > We are getting an attribute error below in our debug log. > ERR: Attribute number 100 (vendor 20942) is not defined in your > dictionary i've got a few such errors...would be nice to get these vendors added to the dictionary file - i think some of the ones i see have already been mention

Re: [RADIATOR] Easy 802.1X

2013-08-13 Thread A . L . M . Buxey
Hi, >We're working with HP MSM wireless controllers, which can do EAP-TLS, >EAP-TTLS, EAP-PEAP, LEAP, EAP-SIM, EAP-AKA, EAP-FAST, and EAP-GTC. > >I'm looking for the easiest way to allow WPA to use a RADIUS-based >username/password for a public-access network. So no client certifi

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi, > 1.)Radiator has to fix AuthRADSEC. The user has to choose to use >extended-Ids in the Proxy-State Attribute if the upstream proxy >will handle this. By default it should use 8 Bit Identifiers. > > 2.)radsecproxy has to fix the self generated Access-Rejects. >I

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi, > 1272017248108...@wlan.mnc001.mcc262.3gppnetwork.org 3gppnetwork realms are invalid. ..just like hotmail, gmail, yahoo etc - until a notice comes from eduroam stating that these realms now have agreed relationship, they are public realms and not within the private scheme of eduroam. > RF

Re: [RADIATOR] Tacacs password issue

2013-07-10 Thread A . L . M . Buxey
Hi, >We have a strange password issue on radiator tacacs. We setup password >length to 8. When user enter 7 character password access rejected, that is >ok. But when a user enters more than 8 characters (like 9, 10 etc) He can >login to the related device. What can be the problem? if it

[RADIATOR] RADSEC error on Solaris

2013-07-08 Thread A . L . M . Buxey
hi, Mon Jul 8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket for connection to host2.domain.org:2083: Invalid argument Mon Jul 8 15:11:21 2013: ERR: Stream write error, disconnecting: Broken pipe Mon Jul 8 15:11:21 2013: ERR: Stream could not setsockopt SO_KEEPALIVE socket

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, > yep, found in Configurable.pm > > ># > ># Load a particular class module and construct and return an instance > ># return undef if it didnt work > >sub load > >{ > >my ($file, $class, @args) = @_; > > > >my $ret; >

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, 2013-04-30 Configurable.pm Configuration file check no longer activates clauses which could cause spurious error messages. Requested by Garry Shtern. ? could it just be that the configuration checker has a b0rkeness as the server runs okay when NOT using '-c' ? alan

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, > safeword.cfg fails here too but the reason is missing module. Also, > there's no Identifier or Handler in my goodies/safeword.cfg, it uses > Handler DEFAULT. Is that really goodies/safeword.cfg or something else? the version that comes with 4.11 but running radiator 4.11 with patches howe

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, > > I just tried goodies/minimal.cfg with freshly installed Solaris 11.1, > > September 2012. Perl is 5.12.4 that comes with the system. Radiator is > > unpatched 4.11. > > but in the goodies/simple.cfg is no 'Identifier' used. > Please add an Identifier and try it again. goodies/safeword.cf

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, to confirm this via my own tests: on Solaris: Sat Jul 6 13:01:00 2013: WARNING: Could not find AuthBy clause with Identifier myinternal Sat Jul 6 13:01:00 2013: DEBUG: Finished reading configuration file 'test.cfg' on Linux: Sat Jul 6 12:59:22 2013: DEBUG: Finished reading configurati

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-06 Thread A . L . M . Buxey
Hi, > The next test on monday is a fresh, newer perl installation. > What perl version do you have on solaris? perl 5, version 12, subversion 2 (v5.12.2) alan

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread A . L . M . Buxey
Hi, > there must be something wrong in your installation or even your config. check the config doesn't have weird characters in it I guess... 'cat -v /tmp/radiator-config' there were some changes as the move to 4.11 occurred to deal with the config strings in better ways - alan

Re: [RADIATOR] Radiator 4.11: WARNING: Could not find AuthBy clause with Identifier ...

2013-07-05 Thread A . L . M . Buxey
Hi, > Sounds really fishy, just wondering if someone else sees the same problem. no. have updated through 4.9m 4.10 and 4.11 by just getting latest version, applying patches and then 'make install' - that's on Solaris as on Linux. the only thing that I can think of is some required library isn't

Re: [RADIATOR] AccountingTable Database Very big

2013-07-01 Thread A . L . M . Buxey
Hi, > are you saying postgresql is really that much better with regards to > performance, and worth switching to? really depends on what you are doing and how your database is structured. IMHO the answer is yes..(or even YES!) in many use cases. of course, you may get the speed benefits but its

Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-07-01 Thread A . L . M . Buxey
Hi, > When you enable IPv6 for a service updating OS and Software is often > required. Having minimum requirements for IPv6 the docs would help depends on how old your OS/software is. given that I was running IPv6 services on servers at the beginning of the last decade (IPv6 isn't something new...

Re: [RADIATOR] AccountingTable Database Very big

2013-07-01 Thread A . L . M . Buxey
Hi, > I use mysql database and my AccountingTable has more than 40 million records > per month. Does anyone here have any policy purge? I have an extract of CGI > access for my users and is very slow because the bank is getting too big. > Does anyone have any recommendation what I should do to

Re: [RADIATOR] ipv6::: bind results in no match on IPv4 client

2013-06-27 Thread A . L . M . Buxey
Hi, > Quick summary again, when using ipv6::: and bindv6only set to 0: > * Both IPv4 and IPv6 traffic gets to Radiator > * IPv6 works with everything I have tried > * IPv4 clients will not match on the proper client stanza, only the DEFAULT > client stanza I have the following: BindAddress 0.0.

Re: [RADIATOR] EAP PEAP Authentication Failing

2013-06-25 Thread A . L . M . Buxey
Hi, > > > I have EAPTLS_MaxFragmentSize set to 1400 bytes. The Server should have > the same firewall configuration as the other eight servers that are > working. > > Our server support staff think its a library that got corrupted while > installing the Anti-Virus software and recommend that I

Re: [RADIATOR] Accounting logs in mysql or oracle db

2013-06-19 Thread A . L . M . Buxey
Hi, > Can some one please help us to configure radiator to push Radius >accounting logs into mysql or oracle databases ? >some sample configs may help us. have you read the ref.pdf RADIATOR reference guide from the OSC site? if so, what configuration have you currently got so that w

Re: [RADIATOR] IPv6 Warning Message

2013-04-29 Thread A . L . M . Buxey
Hi, >I'm seeing the following messages in my RADIATOR log files. >Mon Apr 29 14:05:06 2013 223814: WARNING: Need Socket6 to handle IPV6 >addresses in inet_ntop you need Socket6 for IPv6 and RADIATOR (though that's obvious from that message) >I tried a "ppm install Socket6" and rec

Re: [RADIATOR] eduroam question

2013-04-29 Thread A . L . M . Buxey
Hi, >Is there a way in RADIATOR I can log the IP address of the RADIUS server >that originates a request through the eduroam hierarchy? nope. all you can get/see is what is provided by the originating site. as you say, you'll find lots of NAS-Identifiers and NAS-IP-Address etc but they'll

Re: [RADIATOR] Radiator TCP listening

2013-04-04 Thread A . L . M . Buxey
Hi, >I can put radiator in listening on a TCP port for a simple PAP >authentication? RADIUS - UDP RADSEC - TCP for a simple PAP test, just ensure you have the basic RADIUS port config on your server... eg "AuthPort 1812" in your main config alan

Re: [RADIATOR] 802.1x , EAP error

2013-03-30 Thread A . L . M . Buxey
Hi, >If I'm trying to relay an 802.1x authentication to another proxy AAA >server, can I just proxy without processing EAP request (to find the inner >EAP request info?) yes... eg Secret topsecret

Re: [RADIATOR] eduroam and radius servers

2013-03-27 Thread A . L . M . Buxey
Hi, > I'm trying to understand the traffic flow between an eduroam user and their > home institution radius server. I've been googling for a while but still don't > fully understand the flow between the user and the radius server. Please shed > some lights into my understanding: > > 1. User ente

Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread A . L . M . Buxey
hi, you have "AcctFailedLogFileName" in your config - that's not a valid key word alan

Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-25 Thread A . L . M . Buxey
Hi, > We make use of quarantainenet (quarantainenet.com). When an abnormality is > detected, a host is isolated based on its MAC-address. ..in a way that is eduroam compliant. the isolation network allows them to remediate their issues and prove/ask for 'allowance' back to the network? what abou

Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-22 Thread A . L . M . Buxey
Hi, > Question: > How to set the vlan-attribute for external authenticated users? AddToReply > I only can stripoff and add reply-items for all external users but not for a > specific user depending on his MAC-address.. Ar Hook, specifically a PostAuthHook. fire off a PERL script in the Pos

Re: [RADIATOR] FW: userid:ntu.ac.uk - Question on dropping part of the username

2013-02-06 Thread A . L . M . Buxey
Hi, >Hi, I am trying to pass a AD username to AD for authentication using >AuthBy LSA. It works if the username is just username or username@realm as >I have the UsernameMatchesWithoutRealm parameter in. > > > >What isn't working is if the username is domain\username. Is the

Re: [RADIATOR] Ideas on Radiator setup with OpenLDAP and Kerberos serving Windows and Ubuntu Clients

2013-01-30 Thread A . L . M . Buxey
Hi, > >From what I understood the choice between PEAP and EAP-TLS is mainly > dependent on the compatibility with our current user/password store. If > I got it correctly, it's mandatory to have passwords stored in cleartext > to allow PEAP/MSCHAPv2 to work, which is not our case since we hash the

Re: [RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

2013-01-28 Thread A . L . M . Buxey
Hi, > With our current RADIUS configuration (which includes some custom hooks > with database calls) it seems that even on a 16-core box we start to have > RADIUS timeout issues when we push above 100 total requests per second > when running a single instance of RADIATOR. are you using the Farm m

Re: [RADIATOR] Proxy'ing Client-Identifier to "slave" RADIUS processes

2013-01-28 Thread A . L . M . Buxey
Hi, >Is there a way to pass the "Client-Identifier" to another RADIATOR process >? Perhaps as an RADIUS Attribute ? create your own private RADIUS attribute...add it to the dictionary files...then set that attribute to the value you want using the addtorequest. alan

Re: [RADIATOR] Radiator monitor port

2013-01-03 Thread A . L . M . Buxey
Hi, >i use this configuration > > >ROCommunity RaD1us >Port %{GlobalVar:snmp_port} > > >and in the init.d script i add snmp_port=9071 you aren't clear if this now works for you... what does simply adding Port 9071 into the section give you? have you installed the re