ilAcceptOrChallenge set.
>>
>> I need to do this to check membership in multiple AD groups.
>>
>> That could explain why I always get messages for the user not being
>> found.
>>
>> -Neil
>>
>>
>
--
Heikki Vatiainen
Radiator: the most por
assword without using a higher logging level so our security office
> can identify attack attempts.
I'm not sure if LSA will tell if the username or password was incorrect.
If LSA is used with e.g., AuthBy LDAP2, then the information should be
more easily available as LDAP search result.
eds to e.g., proxy the requests then the
replies from proxy and possible retransmissions by the server make
things a bit harder if the targeted debugging needed to cover those
cases too.
Thanks,
Heikki
> Thanks.
>
> -Original Message-
> From: radiator-boun...@open.com.au [m
acacsplustest does not support IPv6 for testing yet, but the
server side should work.
> Please add this info.
The documentation regarding Socket6.pm not required for recent enough
Perls will be in the next release's documentation. We can also mention
TACACS+ too.
Thanks,
Heikki
--
Heikki V
not cause it. In
other words, a quick disconnect before getpeername did not make
getpeername fail so it might be caused by something that happens during
accept.
Do you have FarmSize enabled? I see accept is called a bit differently
for ServerTACACSPLUS than for the other TCP stream servers.
Thanks,
ly with your Radiator configuration (no secrets or passwords
required) and tell what is the Radiator version.
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypu
itting
the maximum length of value. If there is no room left, then things would
get tricky (as if they already were not :).
Thanks,
Heikki
--
Heikki Vatiainen
On 11/15/2013 09:15 PM, Heikki Vatiainen wrote:
> On 11/14/2013 11:41 PM, David Zych wrote:
>
>> My problem with PacketTrace as currently implemented is that it adds packet
>> dumps to _every_ global logger, whereas I'd really like to control where
>> they go and
er systems may have a larger number of Hosts configured? If
the problem persists, can you switch on debugging to see what triggers
the above.
Thanks,
Heikki
--
Heikki Vatiainen
g that is done for the new incoming TCP connection.
Do you have IPv6 connections coming in? What else could cause the listen
socket to indicate incoming connection? Which Radiator version, Perl
version and operating system are you using?
Thanks,
Heikki
--
Heikki Vatiainen
ssword or non-existing user.
> It would help us track down users with misconfigured wireless devices.
Please let us know if the above helps. It may depend on the Windows
environment, so I cannot tell for sure what the status codes will tell.
Thanks,
Heikki
--
Heikki Vatiainen
On 11/12/2013 10:43 PM, Heikki Vatiainen wrote:
> Global option would be possible at least. Let's see what it would take to
> have it as a per Handler option. Value for per Handler option should
> probably default to the global option so it can be overridden easily.
The patches now hav
*$/
>
> which is working for me now.
>
> Is this a bug in the parsing of the regex, or have I misunderstood the
> formatting for variable-length repeating characters?
I think it works as intended and with the double quotes you can make it
work as you originally thought. The r
> Now he did understand it. :)
> It's a bug in Net::LDAP:
> https://rt.cpan.org/Public/Bug/Display.html?id=90459
Hello Klara,
thanks for keeping us informed about this. I think we'll have a note in
the documentation about this too. I'll keep an eye on the ticket to see
w
n other words, the number does not affect what the option does. It is
only used for organising the web gui.
This new option will likely be added soon with the debug level
enhancement for rejected requests.
Thanks,
Heikki
--
Heikki Vatiainen
hould be very similar to AuthLog
SYSLOG too.
I'll see what we can do.
Thanks,
Heikki
--
Heikki Vatiainen
ntainers.
> BTW: I just verified: with libnet-ldap-perl from Debian squeeze it
> works. As it seems the reason is that the part of the
> IO::Socket::SSL code with the identity is not used (no DEBUG
> output for this).
This should narrow down the work to find the change that caused the
as a per-Handler config option, so that I
> could set it to DEBUG for this one Handler but leave it alone for others)
Global option would be possible at least. Let's see what it would take to
have it as a per Handler option. Value for per Handler option should
probably default to the global opt
',
> localaddr => '',
> multihomed => 1,
> version => 3,
> inet6 => 0,
> timeout => 3,
> cafile =>
> '/etc/ra
t log messages and
miss some useful INFO messages while doing it.
There are quite likely people who use the INFO level reject messages for
monitoring their service, so the default would be to use INFO but it
would be possible to switch it to e.g., DEBUG and just use AuthLogs to
see all rejects
b %%
>>> %% University of Minnesota%% +1 (612) 625-1809%%
>>>
>>> ___
>>> radiator mailing list
>>> radiator@open.com.au
>>> http://www.open.com.au/mailman/listinfo/radiator
>>
>> --
ost IP_ADDRESS_OF_REMOTE_HOST
>>> Facility local5
>>> SuccessFormat %H:%M:%S | %{Calling-Station-Id} | %u | OK | NAS-IP %N
>>> FailureFormat %H:%M:%S | %{Calling-Station-Id} | %u | FAIL: %1 | NAS-IP
>>> %N
>>>
--
Heikki Vatiainen
' and the
facility is 'user'. Messages with this facility and severity level may
not get logged by default.
Thanks,
Heikki
--
Heikki Vatiainen
sent information to the syslog server indicating that
> I had invalid attributes. After they were removed and I restarted, Radiator
> did not send any logs. I would have expected to get the general log info, but
> that did not happen.
>
> Any help is appreciated. We might try upgr
uses the same components as the perl that runs Radiator.
Thanks,
Heikki
--
Heikki Vatiainen
em/Net-SSLeay-1.55/lib/Net/SSLeay.pod#Low_level_API:_Version_related_functions
Thanks,
Heikki
> Markus
>
> -Original Message- From: Heikki Vatiainen
> Sent: Wednesday, October 30, 2013 5:11 PM
> To: Markus Moeller ; radiator@open.com.au
> Subject: Re: [RADIATOR] CRL reload
returned
>
> # ls -al User_CA_2.pem
> -rwxrwxrwx 1 root root 70699 Oct 28 21:55 User_CA_2.pem
>
> # /usr/sfw/bin/openssl crl -in User_CA_2.pem -noout -lastupdate -nextupdate
> lastUpdate=Oct 28 19:26:37 2013 GMT
> nextUpdate=Nov 11 19:26:37 2013 GMT
>
>
On 10/11/2013 04:50 PM, Heikki Vatiainen wrote:
> Great, I'll get back to you when we have something to test.
Hello David,
EAP_25.pm in the current patches now sets $context->{inner_identity} as
soon as the inner EAP figures it out.
If you have time to test this, please let us know
orks with something
very basic?
I could not try with ActivePerl 5.12.2 since PPM complained about
requiring authentication to upgrade to 0.33. Seeing how to get this
solved may take a bit longer, but I thought I'd confirm syslog on
Windows should work.
--
Heikki Vatiainen
the former in the manual
Hello Francesc,
try this:
${$_[0]}->change_attr('Session-Timeout', -1)
Note that the attribute is Session-Timeout, not Session-Time.
Thanks,
Heikki
--
Heikki Vatiainen
ock' does not work.
Thanks,
Heikki
--
Heikki Vatiainen
My dictionary file has all the Aruba VSA's defined..
>
> other testing shows that it works with Some VSA's but not all...
Maybe the ones that did not work are handlers for inner requests?
Thanks,
Heikki
--
Heikki Vatiainen
STOP
> Accounting Records in ~1% from 100.000.
When it retries you should first see an ERR message about execute
failing and then the normal DEBUG level message starting with 'Query to
...'. The DEBUG message is from the retry.
Thanks,
Heikki
--
Heikki Vatiainen
me lookup
uses the static name to ip definitions? The cisco docs do not say if all
name lookups use the local definitions.
I do not know if it does or not, since I have usually seen and used 'no ip
domain-lookup' when working with IOS. I guess this is not an option at
this point? Maybe in a lab?
T
deas
> how to investigate this problem with more details.
>
> Thanks, Eike
>
>
>
>
>
>
>
--
Heikki
d-vlan}
That would still give some hint that User-Vlan value is something special.
Thanks,
Heikki
--
Heikki Vatiainen
led) (we're
> running 4.11 + patches), should I try to disable it? Can this be done
> for some clients only too?
It's a server level flag but you can specify it on the client side. On
IOS something like this should do it:
tacacs-server host ... single-connection
Thanks,
Heikki
ssion option? This sets the
TAC_PLUS_SINGLE_CONNECT_FLAG flag as described in
http://tools.ietf.org/html/draft-grant-tacacs-02
Thanks,
Heikki
--
Heikki Vatiainen
ems Alexander sees, could it be possible that
accounting requests are sent to different Radiators than authentication
or authorization requests?
If so, then there might be a different shared key configured on the
NX-OS than on Radiator? In this case Radiator logs should show errors
hinting about
, you could then use AuthBy
LDAP2 for authorization (checking group memberships etc.).
Thanks,
Heikki
--
Heikki Vatiainen
consider e.g., a PostAuthHook to
see if Session-Timeout is going to be 0 and then switch the result to
reject. Might even be a good time to reject sessions that have only a
few seconds left?
Thanks,
Heikki
--
Heikki Vatiainen
omatic and if it fails or the server is configured not to support it,
the fallback is full authentication. There is no requirement it is
supported by either side.
Thanks,
Heikki
--
Heikki Vatiainen
thought the type could be handled when this
was not true. There will be patches soon that update this and remove the
mandatory Socket6 dependency if the system has Socket that is current
enough.
Thanks for pointing this out.
Heikki
--
Heikki Vatiainen
The error User and password is 691 how to spawn another COD error for Locked
> User?
Please provide more details and Radiator debug (Trace 4) log showing
what currently happens. Then we would need a better description of what
Radiator needs to reply.
Thanks,
Heikki
--
Heikki Vatiainen
If no, then my plan is sound, but
> setting it in EAP_25 would be even better and save me a PostAuthHook.
> :)
I think the plan could be to introduce {inner_auth_success} and leave
{inner_identity} just for logging and other such purposes.
Would you be interested in testing this?
Tha
$obj->data.crl = $crl;
>$cert_store->data[i] = $obj;
>break
>}
> }
>
> in TLS.pm. I haven’t tried it yet as I haven’t got a dev setup ready,
> but wonder if that looks sensible.
--
Heikki Vatiainen
are now reserved. Any attribute
names starting with Unknown are ignored when loading dictionaries and a
warning is logged.
Please let us know how it goes,
Heikki
--
Heikki Vatiainen
his problem the wrong way, or have I forgotten
> something?
I think this comes from the asynchronous processing of requests. If I
understood your configuration correctly, calling handlerResult should help.
Thanks,
Heikki
--
Heikki Vatiainen
t
invalid formats are detected and logged. I'll see that this gets fixed.
Thanks,
Heikki
--
Heikki Vatiainen
ile-Attribute. However, there's a conflict
with one source and current dictionary. Not added, at least yet.
> about 10% of logs filled with these...
This should not be a problem once the patch mentioned above is committed.
Thanks,
Heikki
--
Heikki Vatiainen
rrect.
Please let us know if this helps.
Thanks,
Heikki
--
Heikki Vatiainen
is
instantiated which means it does not have to do it for each proxied
packet. This should save a couple of cycles since there is no need to
use e.g., the currently proxied request to resolve the destination port.
The file: chomp is likely to appear in the patches soon but it's not
there yet.
first, or
do you see a need for passing other information through these too?
As always, any additional ideas and comments from the list members would
be appreciated too.
--
Heikki Vatiainen
ded a note about GENERIC attributes too.
Thanks for spotting this.
Heikki
--
Heikki Vatiainen
ype Post-Paid 1
VALUE CNCTC-Charging-Type Pre-Paid 2
VALUE CNCTC-Charging-Type Post-Paid-And-Pre-Paid 3
--
Heikki Vatiainen
ove
files in goodies should get you started.
Thanks,
Heikki
--
Heikki Vatiainen
> VALUE CNCTC-Charging-Type 2 Pre-Paid
> VALUE CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
>
>
>
> regards
>
> Hugh
>
>
> On 19 Sep 2013, at 18:44, Heikki Vatiainen wrote:
>
>> On 09/19/2013 11:30 AM, Hugh Irvine wrote:
>>
>>>
pe 100 integer
CNCTC-Served-MDN 101 string
VALUE CNCTC-Charging-Type 1 Post-Paid
VALUE CNCTC-Charging-Type 2 Pre-Paid
VALUE CNCTC-Charging-Type 3 Post-Paid-And-Pre-Paid
Thanks,
Heikki
--
Heikki Vatiainen
R = "attrname1=value1"
with a user file like this:
mikem User-Password=fred, OSC-AVPAIR="attrname1=value1|attrname2=value2"
This will allow OSC-AVPAIR to be either attrname1=value1 or attrname2=value2
If you still think space can be used, please provide an example. I
On 09/18/2013 01:14 PM, Heikki Vatiainen wrote:
> Thanks, noted. Also noted Garry's message. Something like
> %{RequestOr:attributename} should be quite straight forward to do and
> understand. However, %{RequestAnd:attributename} requires a bit more.
>
>
> Synat
uired values (e.g., 1.2.3.4 and 2.3.4.5)
could come from a multivalued LDAP attribute.
If there are examples how the above would be put in use, please let us know.
Thanks,
Heikki
--
Heikki Vatiainen
not load EAP module Radius::EAP_16'.
EAP method 16 does not look like anything that is currently used. This
may also be caused by a message that is not part of any existing session
the process was handling.
Thanks,
Heikki
--
Heikki Vatiainen
ibutes, you could have something like this (flat
file format):
mikem User-Password=fred, %{RequestOr:Framed-IP-Address}=1.2.3.4
This would pass if any of the 4 Framed-IP-Address attributes is 1.2.3.4.
Any comments about how useful you or the others would see this is
appreciated.
Thanks,
Hei
signed 32 bit and 64 bit types instead of
Signed32 and Signed64.
--
Heikki Vatiainen
Operations
> Academic Information and Communication Technologies (AICT)
> University of Alberta
> Edmonton, Alberta Canada
>
>
ientList
refresh.
Testing with Strawberry Perl on Windows. Updated installation
documentation and reference manual to include Strawberry Perl on
Windows.
--
Heikki Vatiainen
andlers, you could use
those to see which Handler was selected for the current request.
Thanks,
Heikki
--
Heikki Vatiainen
ypt.
If you want to pass the password to MySQL function, use %P to get
decoded User-Password.
Thanks,
Heikki
> Thanks,
> Jeff
>
>
> Sent from my iPhone
>
> On 30/08/2013, at 7:06 PM, Heikki Vatiainen wrote:
>
>> On 08/30/2013 10:46 AM, Jeffrey Lee wrote:
PHP's crypt with salt) before comparing against database.
A better way to do this is to let Radiator know what the DB has. In this
case you need to tell it the DB has MySQL hashes.
> Does anyone have a solution to this?
Please let us know if the above helps.
Thanks,
Heikki
--
Heik
ess binding, IPv6 related attributes, IPv6 CIDR
clients, required modules, RFCs, etc. - all gathered in one place.
Thanks,
Heikki
--
Heikki Vatiainen
, CIDR notation is now supported for IPv6 clients:
...
...
Any comments and test reports are appreciated.
Thanks,
Heikki
--
Heikki Vatiainen
If needed, we can also provide customisation help.
Thanks,
Heikki
--
Heikki Vatiainen
ents the counters for all
modules that the request visited.
Thanks,
Heikki
--
Heikki Vatiainen
DIUS unless LocalAddress is defined.
>
>
> Host 192.0.2.20
> Secret FooBar
> AuthPort 1645
> NoForwardAccounting
> LocalAddress 10.0.0.2 # without this line no radius packet is
> sent according to tcpdump
>
>
Thanks,
H
ested in taking a
further look at this.
Thanks,
Heikki
--
Heikki Vatiainen
ilable in the latest Radiator patch set for Radiator 4.11.
Thanks,
Heikki
--
Heikki Vatiainen
separately. This
allows checking the configuration without activating the modules and
causing error messages related to e.g., binding to ports.
Those who have their custom modules may want to see e.g. AuthTEST for an
example how to apply the changes to their own modules.
Thanks,
Heikki
--
Heikki
with
> dprill [dprill]
> Tue Aug 6 15:39:07 2013: DEBUG: Radius::AuthFILE ACCEPT: : dprill [dprill]
> Tue Aug 6 15:39:07 2013: DEBUG: EAP result: 3, Wait for peer challenge
> Tue Aug 6 15:39:07 2013: DEBUG: AuthBy FILE result: CHALLENGE, Wait for
> peer challenge
> Tue Aug
in the latest 4.11 patches. It's a new module that does
asynchronous communication.
Thanks,
Heikki
--
Heikki Vatiainen
s. An example of
reply attributes, or reply items, is inside the braces {}.
For quick testing you could also try goodies/tacacsplustest. Something
like this should match the above AuthorizeGroup:
perl goodies/tacacsplustest -port 4949 -trace 4 -noacct -user heinzdb
-author_args service=shell,cmd
reclaims all addresses that have
exceeded their expiry time.
> Does anybody have any pointers please?
Please see ReclaimQuery and AddressAllocator SQL and DHCP in the
reference manual. The goodies directory also contains examples, see
goodies/addressallocator*
Thanks,
Heikki
--
Heikki
US so it's not a problem of
using a proxy.
Thanks,
Heikki
--
Heikki Vatiainen
ed fine? I'm thinking of the alternatives at hand: sticking with
Proxy-State extended IDs (using one TCP connection) or using the port
numbers (multiple TCP connections) for ID space extension?
Thanks for your input!
Heikki
--
Heikki Vatiainen
vides.
For UDP extended identifier space can also be useful. For example, when
there are strict firewall rules that restrict what the source ports can be.
Thanks,
Heikki
--
Heikki Vatiainen
there is no Accounting-Reject message type to send back.
About the conversion: are you doing the conversion so that you can log
the various RFC 5176 replies? Would a separate log file type à la
AuthLog be the way to solve this?
Thanks,
Heikki
--
Heikki Vatiainen
but it will be proxied back
just like an ACKed reply.
However, rejected accounting messages are dropped. The RADIUS spec does
not specify how to reject accounting messages, so there's no
Accounting-Rejected message type to send back. You get drops instead.
Thanks,
Heikki
--
Heikki Vatiain
On 07/15/2013 05:18 PM, Karl Gaissmaier wrote:
> there is a missing whitespace in the documentation:
Hello Charly,
this will be fixed in the next ref.pdf.
> > DefineFormattedGlobalVar system mysystem
Thanks,
Heikki
--
Heikki Vatiainen
Radiator: the most portable, fle
own for memberof?
Most likely because the memberof LDAP attribute value is in CN=...
format. When attribute is added in the request, CN is taken as the
attribute name and the rest (...) as the value.
Thanks,
Heikki
--
Heikki Vatiainen
bit problematic, though. This attribute is
the only identifier that currently maps responses to requests with
RadSec. If the other proxies mangle it, it would be essential to find
and fix them.
Thanks,
Heikki
--
Heikki Vatiainen
On 07/10/2013 12:50 PM, Karl Gaissmaier wrote:
> a SIGHUP to a running radiator (Version 4.11) opens an additional socket
> for AuthByRADSEC:
Fixed in the latest patches.
Thanks for reporting this,
Heikki
--
Heikki Vatiainen
rything not otherwise specified
> DefaultResultACCEPT
>
> Must be:
>
> DefaultResult ACCEPT
--
Heikki Vatiainen
et dump is called so that any Log ... within AuthBy etc.
module will be called instead of the dump going just to the main log file
Thanks,
Heikki
--
Heikki Vatiainen
Not-Found
The INFO line is logged by Handler which forwards the request back to
radpwtst even if the request type was not added to the ACCEPTed request
types.
I wonder if you have a (very) old Radiator or more likely, a
configuration that causes NAKed messages to be rejected.
Thanks,
Heikki
ng if there are
other similar fixes needed. Meanwhile you can do a restart if you need
to reconfigure. A HUP already tears down and reinitializes everything,
so the overall effect is the same.
Thanks,
Heikki
--
Heikki Vatiainen
ADIUS/EAP server's
perspective. Please see goodies/eap_tls.cfg for EAP-TLS examples. I do
not think it matters to the server side whether the private key is
stored in a TPM chip or in a file.
Thanks,
Heikki
--
Heikki Vatiainen
is now an official IETF RFC 6614. RFC 6614 is now
included in the distribution. In accordance with RFC 6614,
the default shared secret for RadSec has been changed to
'radsec', UseTLS is enabled by default, and
TLS_RequireClientCert is enabled in Server RADSEC by default.
T
ks for me now. The NAKed request now gets forwarded to the original
> requester (radpwtst).
Thanks for reporting the results. If nothing special comes up the
additional messages types will be in patches soon.
Thanks,
Heikki
--
Heikki Vatiainen
n are you currently running? We have a
couple of versions installed with perlbrew and at least 5.12.5 and
5.14.4 do not complain about setsockopt.
Thanks,
Heikki
--
Heikki Vatiainen
Making this automatic is once again problematic: there is no
standard way to enumerate the interfaces to find out all addresses the
system has.
However, if there are supported ways to do all or some of the above, I
would be interested to hear more.
Thanks,
Heikki
--
Heikki Vatiainen
was
thrown off a bit since I was under the impression it fails with stock
4.11. That's not the case but the change is in the 4.11 patches. It's
also not specific to Solaris either.
We'll see what can be done for this. Thanks again to everyone.
Heikki
--
Heikki Vatiainen