[RADIATOR] Radiator mailing list migration

2016-11-02 Thread Heikki Vatiainen
Hello list members, Radiator mailing lists and list archives are migrating to a new server soon. This requires no action from you. A message will be posted through the migrated list when the operation has finished. This should happen later today. The current mailing list address,

[RADIATOR] Radiator Version 4.17 released - enhancements, new features, security and other fixes

2016-09-21 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.17. This version contains enhancements, new features, security and other fixes described below. As usual, the new version is available to current licensees and evaluators from: https://www.open.com.au/radiator/downloads.html Licensees

Re: [RADIATOR] Radiator and Load Balancer

2016-08-01 Thread Robert Blayzor
This may be the case now, but pretty sure we went down this road YEARS ago and even with BindAddress, packets were still being sourced from the main IP address. In the mailing list archives this argument may exist. I vaguely remember being told by Hugh that it was not possible in Perl at the

Re: [RADIATOR] Radiator and Load Balancer

2016-08-01 Thread Robert Blayzor
In my experience this is not the case. It will LISTEN on those addresses for sure. But its return packets are always sourced from the primary IP address of the outgoing interface. DSR will work, but the clients will receive a response from an IP address that is not of the configured RADIUS

Re: [RADIATOR] Radiator and Load Balancer

2016-07-29 Thread Heikki Vatiainen
On 27.07.2016 21:32, Robert Blayzor wrote: > The problem with this I think is that Radiator responds with a source > address of where the packet leaves. (at least that’s been my > experience). Yes, this happens by default when BindAddress is not configured. The default is to bind the RADIUS

Re: [RADIATOR] Radiator and Load Balancer

2016-07-29 Thread Hartmaier Alexander
As a general network design we try to stay away from multihomed servers as much as possible as the server admins lack networking/routing know-how which leads to failing connectivity all the time. Direct server return has its own share of problems which is why we don't use it anymore but this is

Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread xcorpse
On 27/07/16 19:32, Robert Blayzor wrote: > DSR load balancing assumes the real servers know about the load balanced VIP > and is generally configured on a loopback. > > The problem with this I think is that Radiator responds with a source address > of where the packet leaves. (at least that’s

Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Robert Blayzor
DSR load balancing assumes the real servers know about the load balanced VIP and is generally configured on a loopback. The problem with this I think is that Radiator responds with a source address of where the packet leaves. (at least that’s been my experience). Most clients will probably

Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Barry Ard
Thanks Shaun. This is good reading. Barry On Wed, Jul 27, 2016 at 11:38 AM, shaun gibson wrote: > On 27/07/2016 18:14, Barry Ard wrote: > > > We are running into some challenges configuring a new environment for > > Eduroam. > > > > Recently we have moved away from 2 servers

Re: [RADIATOR] Radiator and Load Balancer

2016-07-27 Thread shaun gibson
On 27/07/2016 18:14, Barry Ard wrote: > We are running into some challenges configuring a new environment for > Eduroam. > > Recently we have moved away from 2 servers running multiple radiator > processes to multiple VMs behind an F5 load balancer. This has been > working well for our

[RADIATOR] Radiator and Load Balancer

2016-07-27 Thread Barry Ard
We are running into some challenges configuring a new environment for Eduroam. Recently we have moved away from 2 servers running multiple radiator processes to multiple VMs behind an F5 load balancer. This has been working well for our wireless infrastructure but has been posing challenges as

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugo Veiga
*** Sending to 10.240.1.1 port 20004 * There are multiple retransmits back and forth and the authentication does not proceed. I would check the Wi-Fi controller logs and make sure it is receiving the responses from Radiator.

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-02-01 Thread Hugh Irvine
; > > > 10.240.1.1(20004): retransmit reply > > > > Tue Jan 26 15:54:57 2016: DEBUG: Packet dump: > > > > *** Sending to 10.240.1.1 port 20004 > > > There are multiple retransmits back and forth and the authentication > does not proceed. >

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-28 Thread Heikki Vatiainen
On 01/26/2016 06:05 PM, Hugo Veiga wrote: > Also tried another certificate but it's doing the same, it gets stuck > and never reaches the inner handler. I don't think this is a certificate or handler problem now. Previously AuthBy INTERNAL was dropping the request, but now when you changed the

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-27 Thread Hugo Veiga
Hi, I'm sorry Heikki I don't know why but I didn't receive your email (but a friend of mine in this list has sent me yesterday). So this is what I've tested/checked so far: 1 - Perl modules: In this list are the ones mentioned in the goodies file for PEAP/MSCHAPv2 (# Requires Net_SSLeay.pm-1.21

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi, On Tue, 26 Jan 2016, Hugo Veiga wrote: > Hi Alan, > > I have the same config on radiator 4.9 and it works perfectly. > > About the stuff order ;) , I use the Authby as "functions" and usually I > put them before the handlers, this is very practical to reuse code. > > As you suggested I tried

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
Hi Alan, I have the same config on radiator 4.9 and it works perfectly. About the stuff order ;) , I use the Authby as "functions" and usually I put them before the handlers, this is very practical to reuse code. As you suggested I tried to put them after the handlers and I have the same exact

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Christian Kratzer
Hi, On Tue, 26 Jan 2016, Hugo Veiga wrote: > In my original message I have by mistake an AuthBy INTERNAL in the outer > authentication it's actually an AuthBy SQL clause. which is exactly why I made you test your 4.9 case. AuthBy SQL supports EAP. AuthBy FILE also supports EAP. and as Heikki

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
In my original message I have by mistake an AuthBy INTERNAL in the outer authentication it's actually an AuthBy SQL clause. This is trace from radiator 4.9. Tue Jan 26 15:01:15 2016: DEBUG: Handling request with Handler 'Realm=/^convidado$/i', Identifier '' Tue Jan 26 15:01:15 2016: DEBUG:

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-26 Thread Hugo Veiga
Sorry for the waste of your time, and thanks for your point (I was trying all possible things that I could remember and this went to the list by mistake). Also tried another certificate but it's doing the same, it gets stuck and never reaches the inner handler. Here is a trace from 4.16 with

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-25 Thread Alan Buxey
Try putting your stuff into order - your inner stuff, handlers et al., AFTER the realm check (where you are then asking for a particular handler). The goodies directory provides ready to go starting recipes for this stuff (so you can see how handlers/inner work)

Re: [RADIATOR] radiator never gets to the 2nd authentication phase in PEAP - MSCHAPv2

2016-01-25 Thread Heikki Vatiainen
On 01/25/2016 07:57 PM, Hugo Veiga wrote: > I'm upgrading from 4.9 to radiator 4.16 and I'm stuck because I can't > get radiator to get to the inner authentication phase. AuthBy INTERNAL does not work with EAP (PEAP in this case). It just ignores the request by default. If you had problems with

Re: [RADIATOR] RADIATOR 4.16 clause checks...

2015-11-17 Thread Heikki Vatiainen
On 16.11.2015 13.32, a.l.m.bu...@lboro.ac.uk wrote: > seems fussy about the upper/lower case eg I'll see that this gets changed. I'd say case insensitive check is enough here. Thanks for reporting this! Heikki -- Heikki Vatiainen Radiator: the most portable, flexible and

[RADIATOR] RADIATOR 4.16 clause checks...

2015-11-16 Thread A . L . M . Buxey
hi, seems fussy about the upper/lower case eg WARNING: Clause Authby closed in /etc/radiator/radius.cfg line 121 does not match currently open clause AuthBy from /etc/radiator/radius.cfg line 118 # Local test realm # Strip realm RewriteUsername s/^([^@]+).*/$1/

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Heikki Vatiainen
On 11/03/2015 10:25 PM, Ullfig, Roberto Alfredo wrote: > Ah, the Android 6 support is in base 4.16 then - my mistake. Thanks! Yes. 4.16 should do the right thing no matter what the OpenSSL and Net::SSLeay versions are. It will also log during the startup about the versions it finds and what they

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Heikki Vatiainen
On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote: > Also, is it typical for patches to not be released in RPMs? Yes, the patches work best with the .tgz package: - untar the release .tgz - untar the patches on top of this - then proceed with 'perl Makefile.PL' as described in the

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
2:22 PM To: radiator@open.com.au Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features On 11/03/2015 09:54 PM, Ullfig, Roberto Alfredo wrote: > Also, is it typical for patches to not be released in RPMs? Yes, the patches work best with the .

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
:48 PM To: radiator@open.com.au Subject: Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features We installed the previous version from RPM. Should we remove that RPM before installing this version plus patches? --- Roberto Ullfig – rull...@uic.edu ACCC

Re: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-11-03 Thread Ullfig, Roberto Alfredo
Of Heikki Vatiainen Sent: Tuesday, October 27, 2015 4:57 AM To: radiator@open.com.au Subject: [RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features We are pleased to announce the release of Radiator version 4.16. This version contains two important security fixes

[RADIATOR] Radiator Version 4.16 released - security fixes, enhancements and new features

2015-10-27 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.16. This version contains two important security fixes. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-02 for more information: https://www.open.com.au/OSC-SEC-2015-02.html As usual, the new version is

Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread A . L . M . Buxey
Hi, >Oh man! > >In other words it's a waste of good money to pay for a signed certificate. for your own internal 802.1X (where you are only directly authenticating your own users (and that includes eg eduroam) - yes. best practice is to use a self-signed CA (you have the same issues

Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-02 Thread Jesper Skou Jensen
Skou Jensen Cc: radiator@open.com.au Subject: Re: [RADIATOR] Radiator, WPA2, certificates and untrusted Hi Jesper, I think this is normal behavior. In eduroam we install the CA's root-certificate in the client/supplicant. (The 'eduroam CAT' crafted installer does so). The client's certificate store

Re: [RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-01 Thread Ole Frendved Hansen
Hi Jesper, I think this is normal behavior. In eduroam we install the CA's root-certificate in the client/supplicant. (The 'eduroam CAT' crafted installer does so). The client's certificate store is the responsibility of the browser (in a laptop). So, in a web context your server-certificate is

[RADIATOR] Radiator, WPA2, certificates and untrusted

2015-09-01 Thread Jesper Skou Jensen
Hello people, I'm in the process of renewing a certificate for our Radiator setup and I've run into a bit of a problem. The problem is that I can't get clients to trust the WPA2 certificate when connecting to the network. Eg. Windows 7, an iPhone and probably other clients too. On the iOS I

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-17 Thread Heikki Vatiainen
On 16.7.2015 18.10, Hartmaier Alexander wrote: On 2015-07-16 15:07, Heikki Vatiainen wrote: There's also an example of how to use a custom module, possibly modified from Radius/LogFormat.pm, to change the formatting or add new formats. I know because I was the one who requested the feature

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-17 Thread Heikki Vatiainen
On 16.7.2015 17.04, Nick Lowe wrote: In conjunction with https://tools.ietf.org/html/rfc7465 , it is probably time for RADIUS servers to comply with this by default unless explicitly configured otherwise: Thanks for the RC4 reminder Nick. This configuration is now possible with Radiator.

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-16 Thread Hartmaier Alexander
Hi Heikki, that's a great release! I couldn't find info about CEF and JSON logging in the reference manual, should be included at least as keywords with a pointer to the 'logformat.cfg' goodies file although I'd prefer having it in the main docs. Is there a way to log the used TLS version and

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-16 Thread Heikki Vatiainen
On 16.7.2015 13.42, Hartmaier Alexander wrote: I couldn't find info about CEF and JSON logging in the reference manual, should be included at least as keywords with a pointer to the 'logformat.cfg' goodies file although I'd prefer having it in the main docs. Good point. I'll see that CEF and

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-16 Thread Nick Lowe
RC4 is particularly broken now: https://www.rc4nomore.com https://www.rc4nomore.com/vanhoef-usenix2015.pdf In conjunction with https://tools.ietf.org/html/rfc7465 , it is probably time for RADIUS servers to comply with this by default unless explicitly configured otherwise: o TLS servers MUST

Re: [RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-16 Thread Hartmaier Alexander
On 2015-07-16 15:07, Heikki Vatiainen wrote: On 16.7.2015 13.42, Hartmaier Alexander wrote: I couldn't find info about CEF and JSON logging in the reference manual, should be included at least as keywords with a pointer to the 'logformat.cfg' goodies file although I'd prefer having it in the

[RADIATOR] Radiator Version 4.15 released - security fixes and enhancements

2015-07-15 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.15. This version contains fixes for an EAP-MSCHAP-V2 and EAP-pwd vulnerability. Upgrade is recommended. Please review OSC security advisory OSC-SEC-2015-01 for more information: https://www.open.com.au/OSC-SEC-2015-01.html As usual, the

Re: [RADIATOR] [Radiator] Error connecting to readonly RADMIN Mysql DB

2015-04-03 Thread Heikki Vatiainen
On 03/19/2015 02:49 PM, Heikki Vatiainen wrote: On 03/19/2015 12:18 PM, Laurent Duru wrote: Thu Mar 19 11:11:11 2015: ERR: Execute failed for 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME=‘X'': Can't call

[RADIATOR] [Radiator] Error connecting to readonly RADMIN Mysql DB

2015-03-19 Thread Laurent Duru
Hello, My configuration as is : Blue server : Radiator + Radmin + Mysql Master Red Server : Mysql Slave There is a Master-Slave Replication between blue and red, I need to avoid Radiator writes on Red. In my Radiator config I use a Read/Write account to connect to Blue and a Read Only

Re: [RADIATOR] [Radiator] Error connecting to readonly RADMIN Mysql DB

2015-03-19 Thread Heikki Vatiainen
On 03/19/2015 12:18 PM, Laurent Duru wrote: Thu Mar 19 11:11:11 2015: ERR: Execute failed for 'select PASS_WORD, STATICADDRESS, TIMELEFT, MAXLOGINS, SERVICENAME, BADLOGINS, VALIDFROM, VALIDTO from RADUSERS where USERNAME=‘X'': Can't call method prepare on an undefined value at

[RADIATOR] Radiator Load Balancing

2015-03-04 Thread Ullfig, Roberto Alfredo
Hello, Right now we are using Radiator's own load balancer. Would using an F5 Load Balancer to load balance make any sense and would it work? Their product is here: https://f5.com We use it for other services but they are all tcp based. Thanks! --- Roberto Ullfig - rull...@uic.edu ACCC

Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread sergio
hello It is possible to create a package for the Mikrotik? MikrotikSessionMIB.pm -Original Message- From: nath...@fsr.com Sent: Mon, 8 Dec 2014 05:30:26 -0800 To: m.abdelsa...@wimd.com.kw, radiator@open.com.au Subject: Re: [RADIATOR] Radiator+Mikrotik On Monday, December 08

Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread Nathan Anderson
@open.com.au Subject: Re: [RADIATOR] Radiator+Mikrotik On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote: Hello all, As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request, the hook script will send Disconnect-Request to Mikrotik once the session exceeds the quota

Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread Hugh Irvine
-Original Message- From: nath...@fsr.com Sent: Mon, 8 Dec 2014 05:30:26 -0800 To: m.abdelsa...@wimd.com.kw, radiator@open.com.au Subject: Re: [RADIATOR] Radiator+Mikrotik On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote: Hello all, As Mikrotik doesn't support COA

Re: [RADIATOR] Radiator+Mikrotik

2015-01-22 Thread Nathan Anderson
It is possible to create a package for the Mikrotik? MikrotikSessionMIB.pm -Original Message- From: nath...@fsr.com Sent: Mon, 8 Dec 2014 05:30:26 -0800 To: m.abdelsa...@wimd.com.kw, radiator@open.com.au Subject: Re: [RADIATOR] Radiator+Mikrotik On Monday, December 08, 2014 12:16 AM, Mahmoud

Re: [RADIATOR] Radiator does not allow LEFT OUTER JOIN in SQL statement? - Solved - config typo

2015-01-22 Thread karel.vandervelden
Sorry, Just a typo in the radius config file... Sorry to cause this trouble. With kind regards, Karel van der Velden

Re: [RADIATOR] Radiator Authorization Cisco ASA

2015-01-07 Thread Hartmaier Alexander
You need to specify the cmd-arg multiple times, one for each space separated argument: authorizedgroup readonly group deny service=shell cmd=changeto cmd-arg=context cmd-arg=system authorizedgroup readonly group permit service=shell cmd=changeto cmd-arg=context cmd-arg=other context name

[RADIATOR] Radiator Authorization Cisco ASA

2015-01-05 Thread Steve Normoyle
I have a Cisco ASA with multiple context. I am trying to deny the use of the command changeto context system, but allow authorized group to be able to change to any of the other context. When user types in the command they get denied. I have entered authorizedgroup readonly group permit

Re: [RADIATOR] Radiator Authorization Cisco ASA

2015-01-05 Thread Heikki Vatiainen
On 5.1.2015 15.34, Steve Normoyle wrote: I have a Cisco ASA with multiple context. I am trying to deny the use of the command changeto context system, but allow authorized group to be able to change to any of the other context. When user types in the command they get denied. Hello Steve,

[RADIATOR] Radiator+Mikrotik

2014-12-08 Thread Mahmoud Abdelsalam
Hello all, As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request, the hook script will send Disconnect-Request to Mikrotik once the session exceeds the quota, here is how I send Disconnect-Request: my @coa_attrs = (User-Name=$user_name, Acct-Session-Id=$sess_id,

Re: [RADIATOR] Radiator+Mikrotik

2014-12-08 Thread Nathan Anderson
On Monday, December 08, 2014 12:16 AM, Mahmoud Abdelsalam wrote: Hello all, As Mikrotik doesn't support COA for PPPoE, so I used Disconnect-Request, the hook script will send Disconnect-Request to Mikrotik once the session exceeds the quota, here is how I send Disconnect-Request: [snip]

[RADIATOR] Radiator Version 4.14 released - includes a fix for EAP authentication vulnerability

2014-12-04 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.14. This version contains a fix for an EAP authentication vulnerability. Upgrade is strongly recommended. Please review OSC security advisory OSC-SEC-2014-01 for more information: https://www.open.com.au/OSC-SEC-2014-01.html As usual,

[RADIATOR] Radiator evaluation - now available as virtual machine

2014-11-04 Thread Heikki Vatiainen
We are pleased to announce the availability of the first release of preconfigured Radiator and RAdmin evaluation virtual machine. The virtual machine image is available from the usual location: http://www.open.com.au/radiator/ The virtual machine is configured to respond to RADIUS, TACACS+ and

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-23 Thread Imanol Fuidio
Hi Heikki, The same problems with the certificates :( Thanks for this suggestion, Imanol On Thu, Jun 19, 2014 at 9:17 PM, Heikki Vatiainen h...@open.com.au wrote: On 06/19/2014 12:46 AM, Imanol Fuidio wrote: I have repeated the test on an iphone with IOS7 configuring a TLS profile

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-19 Thread Heikki Vatiainen
On 06/19/2014 12:46 AM, Imanol Fuidio wrote: I have repeated the test on an iphone with IOS7 configuring a TLS profile with the CA in der format. The same problem. The log is also in https://gist.github.com/ifdm001/57c03984282f33406aec Maybe you could try with the certificates that come with

[RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Imanol Fuidio
Hi everyone, In the company we have performed some tests on EAP TLS. We are using Radiator-4.13 with the goodie eap_tls.cfg. We have created self-signed certificates through the script: script.sh (You can find the script, as well as the certificates in

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Heikki Vatiainen
On 06/18/2014 02:04 PM, Imanol Fuidio wrote: The WiFi configuration is: EAP method TLS, Phase 2 PAP, User certificate, Identity user Phase 2 PAP looks odd. This would make sense with EAP-TTLS, but I am not sure what it could mean with EAP-TLS. Wed Jun 18 11:49:35 2014: ERR: EAP TLS error: -1,

Re: [RADIATOR] Radiator / Radmin - EAP TLS certificates on Android phone

2014-06-18 Thread Imanol Fuidio
Hi Heikki, The same test repeated with Second Phase as none and the same problem. As you have said, this should have nothing to do with EAP TLS. I have repeated the test on an iphone with IOS7 configuring a TLS profile with the CA in der format. The same problem. The log is also in

Re: [RADIATOR] Radiator / Radmin - bulk add users

2014-06-15 Thread Michael Bellears
Excellent - Thanks Hugh. -Original Message- From: Hugh Irvine [mailto:h...@open.com.au] Sent: Thursday, 12 June 2014 4:05 PM To: Michael Bellears Cc: radiator@open.com.au Subject: Re: [RADIATOR] Radiator / Radmin - bulk add users Hello Michael - See buildsql in the main Radiator

Re: [RADIATOR] Radiator / Radmin - bulk add users

2014-06-12 Thread Hugh Irvine
Hello Michael - See buildsql in the main Radiator distribution directory. See also section 10.0 in the Radiator 4.13 reference manual (“doc/ref.pdf”). Here is the help for buildsql: Radiator-4.13 hugh$ perl buildsql -h usage: buildsql [-h] -dbsource dbi:drivername:option [-dbusername

[RADIATOR] Radiator / Radmin - bulk add users

2014-06-11 Thread Michael Bellears
Hi, We have a need to add ~150 users to Radmin - Doing this via the (Radmin) web interface would be tedious/error-prone - Is anyone aware of a script to bulk add users? Cheers.

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Heikki Vatiainen
On 05/02/2014 03:24 PM, Hartmaier Alexander wrote: I've configured the outer PEAP Handler with EAPTLS_MaxFragmentSize 1350 and removed the value 1250 (1300 which we use for wired dot1x seems to be too large) from the inner TLS handler which makes it fail the same way as when configuring 1300.

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Hartmaier Alexander
On 2014-05-05 13:53, Heikki Vatiainen wrote: On 05/02/2014 03:24 PM, Hartmaier Alexander wrote: I've configured the outer PEAP Handler with EAPTLS_MaxFragmentSize 1350 and removed the value 1250 (1300 which we use for wired dot1x seems to be too large) from the inner TLS handler which makes

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Heikki Vatiainen
On 05/05/2014 03:01 PM, Hartmaier Alexander wrote: The correct number in your case is something between 1250 and 1300 when you have outer fragment size 1350? That is, when you have 1350 as outer fragment size, 1250 works but 1300 does not. So what you're saying is that 1350 for the outer

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Hartmaier Alexander
On 2014-05-05 15:02, Heikki Vatiainen wrote: On 05/05/2014 03:01 PM, Hartmaier Alexander wrote: The correct number in your case is something between 1250 and 1300 when you have outer fragment size 1350? That is, when you have 1350 as outer fragment size, 1250 works but 1300 does not. So what

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Heikki Vatiainen
On 05/05/2014 04:18 PM, Hartmaier Alexander wrote: Yes, the inner EAP-TLS creates fragments of size 1310 and based on your message, I understand when these are given to outer PEAP for TLS tunneling and transport, the result is too large: it does not fit in 1350. Can you add a critical

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-05 Thread Hartmaier Alexander
On 2014-05-05 15:39, Heikki Vatiainen wrote: On 05/05/2014 04:18 PM, Hartmaier Alexander wrote: Yes, the inner EAP-TLS creates fragments of size 1310 and based on your message, I understand when these are given to outer PEAP for TLS tunneling and transport, the result is too large: it does

Re: [RADIATOR] Radiator Version 4.13 released

2014-05-02 Thread Hartmaier Alexander
Hi, the following new feature seems to not work as I'd expect it: PEAP and EAP-TTLS now make maximum fragment size available for inner authentication protocols. EAP-TLS was improved to use this information. This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with environments with

[RADIATOR] Radiator Version 4.13 released

2014-04-16 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.13. This version contains one new module for authenticating against YubiKey validation server and YubiHSM, some significant new features and bug fixes. As usual, the new version is available to current licensees from:

[RADIATOR] Radiator SIM support version 1.42 with SIM cards for EAP-SIM, EAP-AKA and EAP-AKA' released

2014-04-16 Thread Heikki Vatiainen
Hello Everyone, Radiator SIM support version 1.42 is now released. This version supports Radiator 4.13 and provides small updates to the recently released version 1.41. We are also pleased to announce the availability of SIM cards for those who evaluate Radiator SIM support. We can provide mini,

Re: [RADIATOR] Radiator/AuthWimax.pm BS ID Questions

2014-04-14 Thread Heikki Vatiainen
On 04/14/2014 07:07 AM, Adam O'Reilly wrote: Just wanting to find out the reasoning behind this: 200 my $bsid = $p->get_attr('WiMAX-BS-ID'); 201 ($napid, $bsid) = unpack('a3 a3', $bsid) The reason is we are seeing WiMAX-BS-ID come in like this WiMAX-BS-ID = 000XXXX001

[RADIATOR] Radiator/AuthWimax.pm BS ID Questions

2014-04-13 Thread Adam O'Reilly
Hello Everyone, Just wanting to find out the reasoning behind this: 22 # $Id: AuthWIMAX.pm,v 1.21 2012/12/13 20:19:47 mikem Exp $ . 200 my $bsid = $p->get_attr('WiMAX-BS-ID'); 201 ($napid, $bsid) = unpack('a3 a3', $bsid) 202 if (defined $bsid); The reason is we are

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Hartmaier Alexander
On 2014-03-26 18:40, Roberto Pantoja wrote: I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise configuration. Users have successful authentication and if I don't send the Radius Attribute Tunnel-Private-Group-ID The Wireless Controller connects me to the default VLan

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Klara Mall
Hi, On 03/26/2014 06:40 PM, Roberto Pantoja wrote: I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise configuration. Users have successful authentication and if I don't send the Radius Attribute Tunnel-Private-Group-ID The Wireless Controller connects me to the

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja
Thank you for your prompt answer, but I have the same effect if I put the VLAN name or numeric ID. Do you have any other idea that can help me to resolve this problem? Best regards. On 03/26/2014 11:37 AM, Hartmaier Alexander wrote: On 2014-03-26 18:40, Roberto Pantoja wrote: I have a

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Sami Keski-Kasari

Re: [RADIATOR] Radiator using WPA2-Enterprise and dynamic VLAN Assignment (Part 1)

2014-03-26 Thread Roberto Pantoja

[RADIATOR] Radiator sotp to respond to request : stuck in a script : I/O error Interrupted

2014-01-16 Thread Pascal Beauregard
Hi, yesterday we have experienced twice a situation where Radiator stops to respond to requests apparently because the server was stuck in the execution of a script. Here is what we saw in the logfile : Tue Jan 14 13:13:56 2014: DEBUG: Deleting session for demk2801, 10.40.0.130, 1 Tue Jan 14

Re: [RADIATOR] Radiator on Linux using LDAP2, MS Active Directory, MSCHAP-V2

2013-10-16 Thread Heikki Vatiainen
On 10/15/2013 10:41 PM, Sevilla, Norman A wrote: The only function that we are unable to migrate successfully is 802.1x wireless authentication. The Windows-based version used Authby LSA so the MSCHAP-V2 challenge worked successfully. On the Linux-based system, Authby LDAP2 is finding my

[RADIATOR] RADIATOR issue with particular attribute (NAS-IPv6-Address)

2013-10-03 Thread A . L . M . Buxey
hi, RADIATOR has a definition for the NAS-IPv6-Address attribute in its dictionary file. ATTRIBUTE NAS-IPv6-Address 95 ipaddrv6 however, it appears that this attribute type (ipaddrv6) has some interplay problem with the server. i.e. if you have a RADIUS packet going

[RADIATOR] Radiator Version 4.12.1 released

2013-09-17 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.12.1. This version contains one bug fix and one enhancement. A bug in AuthBy SQL prevented it from loading with certain configurations. As usual, the new version is available to current licensees from:

Re: [RADIATOR] Radiator LoadBalancing Optimization

2013-09-13 Thread Sami Keski-Kasari
Hello Michael, CachePasswords doesn't work with EAP, it works only with PAP authentication. So it won't help you in this situation. My advice is that you should add more hosts for authentication or if you have a lot of accounting traffic then it might be a good solution if you have separate

Re: [RADIATOR] Radiator LoadBalancing Optimization

2013-09-13 Thread Michael Hulko
Thanks for the response, too bad though. Unfortunately, we can only have one radius server instance per NAS (and a backup), but this particular NAS supports the radius proxy clients which are the problem. M On 2013-09-13, at 6:39 AM, Sami Keski-Kasari wrote: Hello Michael,

[RADIATOR] Radiator LoadBalancing Optimization

2013-09-12 Thread Michael Hulko
In a previous discussion regarding Loadbalancing radius requests, we instituted the AuthBy EAPBALANCE method to proxy requests to departmental radius servers. We have been running this method for close to 6 months and have been pretty satisfied with the result. Of late, however, the client

[RADIATOR] Radiator Version 4.12 released

2013-09-06 Thread Heikki Vatiainen
We are pleased to announce the release of Radiator version 4.12. This version contains two new modules, AuthBy DUO and AuthBy DIAMETER, some significant new features and bug fixes. As usual, the new version is available to current licensees from: http://www.open.com.au/radiator/downloads/ and to

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi, 1272017248108...@wlan.mnc001.mcc262.3gppnetwork.org 3gppnetwork realms are invalid. ..just like hotmail, gmail, yahoo etc - until a notice comes from eduroam stating that these realms now have agreed relationship, they are public realms and not within the private scheme of eduroam. RFC

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread Stefan Winter
Hi, status-server mustn't be proxied - it's only for the first-hop check of a remote proxy and not the end target - but that surely isn't the issue? a Status-Server message is easy to deal with - you just send something back to show you are alive - RADIATOR has been sending a basic stats page

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread Karl Gaissmaier
Hi, On 15.07.2013 09:15, a.l.m.bu...@lboro.ac.uk wrote: Hi, 1272017248108...@wlan.mnc001.mcc262.3gppnetwork.org 3gppnetwork realms are invalid. ..just like hotmail, gmail, yahoo etc - until a notice comes from eduroam stating that these realms now have agreed relationship, they are

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-15 Thread A . L . M . Buxey
Hi, 1.) Radiator has to fix AuthRADSEC. The user has to choose to use extended-Ids in the Proxy-State Attribute if the upstream proxy will handle this. By default it should use 8 Bit Identifiers. 2.) radsecproxy has to fix the self generated Access-Rejects. If a

[RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-14 Thread Karl Gaissmaier
Hi radiator team, now I proved my suspicion, that the upstream radsecproxy is stripping the radiator proxy-state, at least in status-server requests. I used monkey patching in AuthBy RADSEC, just quick and dirty to get the result (you know, it's Sunday): Sun Jul 14 16:56:43 2013 009313: DEBUG:

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-14 Thread Karl Gaissmaier
On 14.07.2013 17:28, Karl Gaissmaier wrote: ... Worse, it seems that buggy clients with unroutable @Realms trigger answers with proxy-state stripped. So I get NoreplyTimeouts for any buggy client request and my upstream connections break away. Seems that all German @Realms in eduroam using

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-14 Thread Alan Buxey
Hi As an end site you really shouldn't be sending invalid realms to your national proxy... but there does seem to be something odd going on here... their system should be just sending back a straight access reject. If radsecproxy doesn't like extended proxy id (or the config doesn't allow it)

Re: [RADIATOR] Radiator and radsecproxy, status-server and failover algo, one step forward

2013-07-14 Thread Karl Gaissmaier
Hi Alex, hi radiator team, On 14.07.2013 19:48, Alan Buxey wrote: Hi As an end site you really shouldn't be sending invalid realms to your national proxy... but there does seem to be something odd going on here. I sent it to test this situation. As an eduroam ServiceProvider I don't know if

Re: [RADIATOR] Radiator + libtnc + tpm platform authentication IMC

2013-07-12 Thread Heikki Vatiainen
On 07/11/2013 07:31 PM, Florian Kabus wrote: We would like to authenticate Win 7 endpoints with certificates stored on the TPM and thus based on the identity deny or permit access to the enterprise network. Hello Florian, this sounds like a normal EAP-TLS setup from the RADIUS/EAP server's

Re: [RADIATOR] Radiator + libtnc + tpm platform authentication IMC

2013-07-12 Thread Florian Kabus
On 12.07.2013 11:28, Heikki Vatiainen wrote: this sounds like a normal EAP-TLS setup from the RADIUS/EAP server's perspective. Please see goodies/eap_tls.cfg for EAP-TLS examples. I do not think it matters to the server side whether the private key is stored in a TPM chip or in a file.

[RADIATOR] Radiator + libtnc + tpm platform authentication IMC

2013-07-11 Thread Florian Kabus
Hello, I know this is maybe not the right place to ask, but as my last hope: Are there any experiences, resources, hints regarding implementation of a TPM platform authentication on Windows clients in conjunction with radiator? classic scenario: We would like to authenticate Win 7 endpoints
