[RADIATOR] Documentation Update? Sources for SNMP_Session

2012-02-24 Thread Traiano Welcome
Hi Radiator Developers!

 I see in the Radiator reference manual section (Radiator version 4.9) on
SNMP Monitoring for radiator:

---
5.15 
.
.
.
SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
---

However it appears this URL is no longer valid on the www.switch.ch site.
Simon Leinen, who hosted it on his staff website says that SWITCH is no
longer supporting personal staff pages and so he's moved the home page for
SNMP_Session to: 

 https://code.google.com/p/snmp-session/

You might want to update the documentation with this.

Kind Regards,
Traiano Welcome





___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


[RADIATOR] MacSec (802.1AE) possible with Radiator?

2012-02-24 Thread Andreas Bader
Sorry, the mail got scrubbed ... here again in plain

-

Hi,

I am actually trying to get a testbed ready for Cisco MacSec with 
Radiator as RADIUS server, but I don't know if this is even possible.
Does Radiator have the needed features? (see links below)
Did anyone try that already? (I didn't find anything on Google or on 
the mailing list about Radiator and MacSec).

The main problem is that Cisco uses some new EAP arguments for MacSec 
and these seem to require EAP-FAST and EAP-FASTv2.
When you try first without any special config, you will get something 
like "Zero length EAP Session ID" from MKA.
It seems that MacSec needs some attributes like MS-MPPE-Send-Key, 
MS-MPPE-Recv-Key and EAP-Key-Name. If you define those with some values, 
the error changes to:
*Mar  1 02:06:56.704: MKA-EVENT: MKPDU Validation - CA entry was NOT found for Rx CKN    .
*Mar  1 02:10:07.906: MKA-EVENT: MKPDU Validation failed (error: INVALID_PARAM).

The problem is that the CKN (some kind of key) is generated with 
EAP-Session ID, EAP-Key-Name, etc. But these values are normally 
calculated by the EAP functions and so I don't know how to specify them 
myself. The problem is that the CKN is wrong; there are no problems with 
the certs (they are correctly imported at the client machine, etc.).

Everything works with 802.1x without MacSec (802.1AE)!

Here is the actual testbed:
We got 1 x Cisco 3750-X, 1 x Cisco 3750.
There we have basically two machines plugged in: an Ubuntu 11.10 machine, 
which is DHCP, BIND and RADIUS server (Radiator).
(Kernel is 3.0.0.15-generic, Ubuntu 11.10). Radiator version is 4.9.
The other machine is the "client" plugged into the 3750-X with Windows 7 
Professional N and Cisco Anyconnect Secure Mobility Client 3.0.5080.

I also tried FreeRADIUS, but it cannot really do EAP-FAST, so it does 
not even work when you define some EAP-Key-Name value. (You don't get 
further than the "zero length session id" error mentioned above).

I post you some links below for more information. I don't know if I am 
allowed to post links to Cisco and FreeRADIUS on the mailing list here, 
sorry. If it is not allowed, please delete the links then.

Hopefully somebody knows the right settings for getting this to work. If 
not, is it planned to be implemented in future versions of Radiator?

Some of my configs, mainly standard configs:
/etc/radiator/users:
[...]
testuser User-Password = "xxx"
 MS-MPPE-Send-Key = "xxx",
 MS-MPPE-Recv-Key = "xxx",
 EAP-Key-Name = "xxx"
[...]

/etc/radiator/radius.cfg
[...]

 Secret xxx
 NasType Cisco



 Secret xxx
 NasType Cisco

[...]

 RewriteUsername s/(.*)\\(.*)/$2/

 Filename %D/users
 EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
 EAPTLS_CertificateType PEM
 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
 EAPTLS_PrivateKeyPassword whatever
 EAPTLS_MaxFragmentSize 500




 Filename %D/users
 EAPType MSCHAP-V2,MD5,TLS
 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
 EAPTLS_CertificateType PEM
 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
 EAPTLS_PrivateKeyPassword whatever





Filename %D/users
EAPType MSCHAP-V2,Generic-Token
AutoMPPEKeys




 Filename %D/users
 EAPType FAST,MSCHAP-V2,TTLS,TLS
 EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
 EAPTLS_CertificateFile %D/certificates/cert-srv.pem
 EAPTLS_CertificateType PEM
 EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
 EAPTLS_PrivateKeyPassword whatever
 EAPTLS_MaxFragmentSize 1000.
 AutoMPPEKeys
 EAPTLS_PEAPVersion 0
 EAPTLS_PEAPBrokenV1Label
 EAPTLS_DHFile %D/certificates/dh2048.pem

PreProcessingHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
PostAuthHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
AcctLogFileName %D/detail


[...]

 always some self chosen strings, containing numbers and characters.

Links for more information:
http://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-td5508545.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1316521
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

Best Regards

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
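
Added example (not part of the original post, and not Radiator or Cisco code), relating to the MacSec question above: a sketch of why MS-MPPE-Send-Key, MS-MPPE-Recv-Key and the EAP Session-ID are outputs of each EAP conversation rather than values that can be set per user. It assumes EAP-TLS over TLS 1.2 (RFC 5216 key derivation with the RFC 5246 PRF) as a simpler stand-in for EAP-FAST; the function names and the random handshake secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

EAP_TYPE_TLS = 0x0D  # EAP method type code for EAP-TLS


def p_sha256(secret: bytes, seed: bytes, length: int) -> bytes:
    """TLS 1.2 P_hash expansion (RFC 5246, section 5) with HMAC-SHA256."""
    out, a = b"", seed
    while len(out) < length:
        a = hmac.new(secret, a, hashlib.sha256).digest()
        out += hmac.new(secret, a + seed, hashlib.sha256).digest()
    return out[:length]


def eap_tls_session_keys(master_secret: bytes, client_random: bytes,
                         server_random: bytes) -> dict:
    """Derive the per-session values an EAP-TLS server hands to the NAS."""
    # RFC 5216: Key_Material = TLS-PRF-128(master_secret,
    #           "client EAP encryption", client.random || server.random)
    seed = b"client EAP encryption" + client_random + server_random
    key_material = p_sha256(master_secret, seed, 128)
    msk = key_material[:64]  # bytes 64..127 are the EMSK, unused here
    return {
        "msk": msk,
        "ms_mppe_recv_key": msk[:32],    # sent to the NAS in Access-Accept
        "ms_mppe_send_key": msk[32:64],
        # RFC 5247: Session-Id = Type-Code || client.random || server.random
        "session_id": bytes([EAP_TYPE_TLS]) + client_random + server_random,
    }


def new_constructed_session() -> dict:
    """Constructed handshake secrets; a real TLS stack would supply these."""
    return eap_tls_session_keys(os.urandom(48), os.urandom(32), os.urandom(32))


if __name__ == "__main__":
    first, second = new_constructed_session(), new_constructed_session()
    static_value = b"xxx"  # placeholder, as in the posted users file
    for name in ("ms_mppe_recv_key", "ms_mppe_send_key", "session_id"):
        # Each authentication yields different values; a fixed string
        # cannot equal what the supplicant derives on its side.
        print(name, first[name].hex()[:16], second[name].hex()[:16],
              "static match:", static_value in (first[name], second[name]))
```

The supplicant runs the same derivation from the same handshake, which is how both ends arrive at matching keys without the values ever being configured.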


Re: [RADIATOR] Documentation Update? Sources for SNMP_Session

2012-02-24 Thread Mike McCauley
Hi,

Thanks for reporting this.
It will be fixed in the next release of Radiator and has already been updated 
in the FAQ.

Thanks again.

Cheers.

On Friday, February 24, 2012 03:49:11 PM Traiano Welcome wrote:
> Hi Radiator Developers!
> 
>  I see in the Radiator reference manual section (Radiator version 4.9) on
> SNMP Monitoring for radiator:
> 
> ---
> 5.15 
> .
> .
> .
> SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
> http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
> ---
> 
> However it appears this URL is no longer valid on the www.switch.ch site.
> Simon Leinen, who hosted it on his staff website says that SWITCH is no
> longer supporting personal staff pages and so he's moved the home page for
> SNMP_Session to:
> 
>  https://code.google.com/p/snmp-session/
> 
> You might want to update the documentation with this.
> 
> Kind Regards,
> Traiano Welcome
-- 
Mike McCauley   mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia   http://www.open.com.au
Phone +61 7 5598-7474   Fax   +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
