[RADIATOR] Documentation Update? Sources for SNMP_Session
Hi Radiator Developers!

I see in the Radiator reference manual section (Radiator version 4.9) on SNMP Monitoring for radiator:

---
5.15
.
.
.
SNMPAgent requires SNMP_Session-0.92.tar.gz or later from http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
---

However it appears this URL is no longer valid on the www.switch.ch site. Simon Leinen, who hosted it on his staff website says that SWITCH is no longer supporting personal staff pages and so he's moved the home page for SNMP_Session to:

https://code.google.com/p/snmp-session/

You might want to update the documentation with this.

Kind Regards,
Traiano Welcome

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] MacSec (802.1AE) possible with Radiator?
Sorry, the mail got scrubbed ... here again in plain -

Hi,

I am actually trying to get a testbed ready for Cisco MacSec with Radiator as radius server, but I don't know if this is even possible. Does Radiator have the needed features? (see links below) Has anyone tried that already? (I didn't find anything on google or on the mailing list about radiator and macsec).

The main problem is that Cisco uses some new EAP arguments for macsec and these seem to require EAP-FAST and EAP-FASTv2. When you try first without any special config, you will get something like "Zero length EAP Session ID" from MKA. It seems that Macsec needs some attributes like MS-MPPE-Send-Key, MS-MPPE-Recv-Key and EAP-Key-Name. If you define those with some values, the error changes to:

*Mar 1 02:06:56.704: MKA-EVENT: MKPDU Validation - CA entry was NOT found for Rx CKN .
*Mar 1 02:10:07.906: MKA-EVENT: MKPDU Validation failed (error: INVALID_PARAM).

The problem is that the CKN (some kind of key) is generated with EAP-Session ID, EAP-Key-Name, etc. But these values are normally calculated by the EAP functions and so I don't know how to specify them myself. The problem is that the CKN is wrong, there are no problems with the certs (they are correctly imported at the client machine, etc.). Everything works with 802.1x without MacSec (802.1AE)!

Here is the actual testbed: We got 1 x Cisco 3750-X, 1 x Cisco 3750. There we have basically two machines plugged in: An Ubuntu 11.10 machine, which is dhcp, bind and radius server (Radiator). (Kernel is 3.0.0.15-generic, Ubuntu 11.10). Radiator version is 4.9. The other machine is the "client" plugged into the 3750-X with Windows 7 Professional N and Cisco Anyconnect Secure Mobility Client 3.0.5080.

I also tried freeradius, but it cannot really do EAP-FAST, so it does not even work when you define some EAP-Key-Name value. (You don't get further than the "zero length session id" error mentioned above).

I post you some links below for more information. I don't know if I am allowed to post links to Cisco and Freeradius on the mailing list here, sorry. If it is not allowed, please delete the links then.

Hopefully somebody knows the right settings for getting this to work. If not, is it planned to be implemented in future versions of radiator?

Some of my configs, mainly standard configs:

/etc/radiator/users:

    [...]
    testuser User-Password = "xxx"
        MS-MPPE-Send-Key = "xxx",
        MS-MPPE-Recv-Key = "xxx",
        EAP-Key-Name = "xxx"
    [...]

/etc/radiator/radius.cfg

    [...]
    Secret xxx
    NasType Cisco
    Secret xxx
    NasType Cisco
    [...]
    RewriteUsername s/(.*)\\(.*)/$2/
    Filename %D/users
    EAPType MSCHAP-V2,TTLS,TLS,MD5-Challenge,Generic-Token
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 500
    Filename %D/users
    EAPType MSCHAP-V2,MD5,TLS
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    Filename %D/users
    EAPType MSCHAP-V2,Generic-Token
    AutoMPPEKeys
    Filename %D/users
    EAPType FAST,MSCHAP-V2,TTLS,TLS
    EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
    EAPTLS_CertificateFile %D/certificates/cert-srv.pem
    EAPTLS_CertificateType PEM
    EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
    EAPTLS_PrivateKeyPassword whatever
    EAPTLS_MaxFragmentSize 1000.
    AutoMPPEKeys
    EAPTLS_PEAPVersion 0
    EAPTLS_PEAPBrokenV1Label
    EAPTLS_DHFile %D/certificates/dh2048.pem
    PreProcessingHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
    PostAuthHook file:"/etc/radiator/goodies/eap_anon_hook.pl"
    AcctLogFileName %D/detail
    [...]

always some self chosen strings, containing numbers and characters.

Links for more information:

http://freeradius.1045715.n5.nabble.com/Configuring-freeradius-for-MACsec-td5508545.html
http://www.cisco.com/en/US/docs/switches/lan/catalyst3750x_3560x/software/release/12.2_55_se/configuration/guide/sw8021x.html#wp1316521
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.html

Best Regards
Re: [RADIATOR] Documentation Update? Sources for SNMP_Session
Hi,

Thanks for reporting this. It will be fixed in the next release of Radiator and has already been updated in the FAQ.

Thanks again.

Cheers.

On Friday, February 24, 2012 03:49:11 PM Traiano Welcome wrote:
> Hi Radiator Developers!
>
> I see in the Radiator reference manual section (Radiator version 4.9) on
> SNMP Monitoring for radiator:
>
> ---
> 5.15
> .
> .
> .
> SNMPAgent requires SNMP_Session-0.92.tar.gz or later from
> http://www.switch.ch/misc/leinen/snmp/perl/dist/ to be installed first.
> ---
>
> However it appears this URL is no longer valid on the www.switch.ch site.
> Simon Leinen, who hosted it on his staff website says that SWITCH is no
> longer supporting personal staff pages and so he's moved the home page for
> SNMP_Session to:
>
> https://code.google.com/p/snmp-session/
>
> You might want to update the documentation with this.
>
> Kind Regards,
> Traiano Welcome

--
Mike McCauley mi...@open.com.au
Open System Consultants Pty. Ltd
9 Bulbul Place Currumbin Waters QLD 4223 Australia
http://www.open.com.au
Phone +61 7 5598-7474 Fax +61 7 5598-7070

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.