Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-25 Thread Roel Hoek

On 2013-03-22 20:02, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
> 
>> Question:
>> How to set the vlan-attribute for external authenticated users?
> 
> AddToReply
> 
>> I only can stripoff and add reply-items for all external users but not for a 
>> specific user depending on his MAC-address..
> 
> A Hook, specifically a PostAuthHook. fire off a PERL script in the PostAuth 
> that sets eg VLAN depending on the Calling-Station-Id of the client. the 
> authentication is happening remotely...but the person

Thanks, I will have a look at this. It is important for us that this script 
uses the same users-file as is used by the local authenticated users. I will 
have a look at the goodies directory.

> is local so this value won't be accidentally missing.   but what purpose is 
> this for? is this something that eg the eduroam 'CUI' requirement is for?

We make use of quarantainenet (quarantainenet.com). When an abnormality is 
detected, a host is isolated based on its MAC-address.

> 
> hooks.txt in the goodies directory for initial path to follow.
> 
> alan
> 


-- 
Kind Regards,

Roel Hoek
ICT Service Centre
University of Twente, P.O.Box 217, 7500 AE Enschede, The Netherlands
Telephone +31 53 489 4598, Fax +31 53 489 2383
r.h.h...@utwente.nl; http://www.utwente.nl/icts
___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator


Re: [RADIATOR] vlan change for EAP clients with external radiusserver

2013-03-25 Thread A . L . M . Buxey
Hi,

> We make use of quarantainenet (quarantainenet.com). When an abnormality is 
> detected, a host is isolated based on its MAC-address.

..in a way that is eduroam compliant. the isolation network allows them to
remediate their issues and prove/ask for 'allowance' back to the network?
what about language of the isolation network - visitors who cannot speak
English or Dutch are able to understand what is going on? :-)

alan


[RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread Vicaretti Vincenzo (Guest)
Hi all,
when I restart my radiator I have this error:

/etc/radiator# /etc/init.d/radiator restart
Shutting down Radiator:[  OK  ]
Starting Radiator: Mon Mar 25 11:48:29 2013 329304: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 222
Mon Mar 25 11:48:29 2013 330917: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 248
Mon Mar 25 11:48:29 2013 332568: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 273
Mon Mar 25 11:48:29 2013 335259: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 325
Mon Mar 25 11:48:29 2013 339210: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 344
Mon Mar 25 11:48:29 2013 341304: ERR: Unknown keyword 'AcctFailedLogFileName' in /etc/radiator/radius.cfg line 369

This is my handler configuration:


  
Retries 3
RetryTimeout 5
MaxFailedRequests 1
MaxFailedGraceTime 4
FailureBackoffTime 60
Secret XX
DisableMTUDiscovery

AuthPort 1812
AcctPort 1813


AuthPort 1812
AcctPort 1813

  
PreProcessingHook sub { ${$_[0]}->add_attr('EAPType', 'PEAP');}
AuthLog auth-nac
AcctLogFileName %L/accounting-test.log
AcctLogFileFormat %{Timestamp} %{Acct-Session-Id} %{Acct-Status-Type} %{Called-Station-Id} %{Calling-Station-Id} %{EAPType}
AcctFailedLogFileName %L/accounting-failed-test.log




__
Vincenzo Vicaretti

External Collaborator, IT.TS.SE Function
via degli Estensi 88 - 00164 - Roma

mob: +393384947829
mail: 
vincenzo.vicare...@guest.telecomitalia.it


Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread A . L . M . Buxey
hi,

you have "AcctFailedLogFileName" in your config - that's not a valid key word

alan


[RADIATOR] R: ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread Vicaretti Vincenzo (Guest)
But in Radiator's reference manual (5.32.31) it is indicated as a valid keyword:

AcctFailedLogFileName:
The name of a file used to log failed Accounting-Request messages in the
standard radius accounting log format. If no reply is ever received from any
of the remote hosts, the accounting message will be logged to the named file.
The log file format is described in Section 15.5 on page 346. If no
AcctFailedLogFileName is defined, failed accounting messages will not be
logged. The default is no logging. The file name can include special
formatting characters as described in Section 5.2 on page 20, which means that
using the %C, %c and %R specifiers, you can maintain separate accounting log
files for each Realm or Client or a combination. The AcctFailedLogFileName
file is always opened, written and closed for each failure, so you can safely
rotate it at any time.



-Original Message-
From: a.l.m.bu...@lboro.ac.uk [mailto:a.l.m.bu...@lboro.ac.uk] 
Sent: Monday 25 March 2013 12.02
To: Vicaretti Vincenzo (Guest)
Cc: radiator@open.com.au
Subject: Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

hi,

you have "AcctFailedLogFileName" in your config - that's not a valid key word

alan


Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread Heikki Vatiainen
On 03/25/2013 01:02 PM, a.l.m.bu...@lboro.ac.uk wrote:

> you have "AcctFailedLogFileName" in your config - that's not a valid key word

True, it's not a valid key word within a Handler. It should work inside
AuthBy SQL or AuthBy RADIUS. If you move it inside AuthBy RADIUS in your
example Handler, it should work.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.
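
Heikki's suggested fix applied to the Handler posted earlier in this thread, as an added example that is not part of the original messages. The clause tags are missing from the archived post, so the `<Handler>`, `<AuthBy RADIUS>` and `<Host>` lines, the realm and the host names below are assumed placeholders; the parameters are the ones from the post.

```conf
# Constructed example: the Handler condition and Host names are placeholders,
# because the clause tags did not survive in the archived message.
<Handler Realm=example.org>
    <AuthBy RADIUS>
        Retries 3
        RetryTimeout 5
        MaxFailedRequests 1
        MaxFailedGraceTime 4
        FailureBackoffTime 60
        Secret XX
        DisableMTUDiscovery

        # Moved here from the Handler level. Accounting requests that get
        # no reply from any remote host are written to this file.
        AcctFailedLogFileName %L/accounting-failed-test.log

        <Host radius1.example.org>
            AuthPort 1812
            AcctPort 1813
        </Host>
        <Host radius2.example.org>
            AuthPort 1812
            AcctPort 1813
        </Host>
    </AuthBy>

    # These stay at Handler level, as in the original post.
    PreProcessingHook sub { ${$_[0]}->add_attr('EAPType', 'PEAP');}
    AuthLog auth-nac
    AcctLogFileName %L/accounting-test.log
    AcctLogFileFormat %{Timestamp} %{Acct-Session-Id} %{Acct-Status-Type} %{Called-Station-Id} %{Calling-Station-Id} %{EAPType}
</Handler>
```

The restart output in the first message reports the keyword at six different lines of radius.cfg, so the same move applies at each of those places.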


[RADIATOR] R: ERR: Unknown keyword 'AcctFailedLogFileName'

2013-03-25 Thread Vicaretti Vincenzo (Guest)
Thanks

-Original Message-
From: radiator-boun...@open.com.au [mailto:radiator-boun...@open.com.au] On 
Behalf Of Heikki Vatiainen
Sent: Monday 25 March 2013 12.14
To: radiator@open.com.au
Subject: Re: [RADIATOR] ERR: Unknown keyword 'AcctFailedLogFileName'

On 03/25/2013 01:02 PM, a.l.m.bu...@lboro.ac.uk wrote:

> you have "AcctFailedLogFileName" in your config - that's not a valid 
> key word

True, it's not a valid key word within a Handler. It should work inside AuthBy 
SQL or AuthBy RADIUS. If you move it inside AuthBy RADIUS in your example 
Handler, it should work.

Thanks,
Heikki

--
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server anywhere. 
SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, 
TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, 
RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, 
Windows, MacOSX, Solaris, VMS, NetWare etc.


Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000

2013-03-25 Thread Heikki Vatiainen
On 03/25/2013 11:21 PM, Hugh Irvine wrote:

> I would probably add them to the Cisco-specific file in 
> "goodies/dictionary.cisco" for those people who want to use them.

Or maybe create a new file "goodies/dictionary.cisco-vpn"? The existing
"goodies/dictionary.cisco" has older definitions too that are no longer
in sync with IANA registry.

> You really don't want to change what is in the standard dictionary as that 
> would undoubtedly break existing operations.

Yes, that could easily. But a file with just vendor 3076 attributes
could be easily used when the newer definitions are required.

I'll ask this to be included. That was my idea anyway, but I had not
done it yet.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000

2013-03-25 Thread Hugh Irvine

Agreed.

On 26 Mar 2013, at 08:51, Heikki Vatiainen wrote:

> On 03/25/2013 11:21 PM, Hugh Irvine wrote:
> 
>> I would probably add them to the Cisco-specific file in 
>> "goodies/dictionary.cisco" for those people who want to use them.
> 
> Or maybe create a new file "goodies/dictionary.cisco-vpn"? The existing
> "goodies/dictionary.cisco" has older definitions too that are no longer
> in sync with IANA registry.
> 
>> You really don't want to change what is in the standard dictionary as that 
>> would undoubtedly break existing operations.
> 
> Yes, that could easily. But a file with just vendor 3076 attributes
> could be easily used when the newer definitions are required.
> 
> I'll ask this to be included. That was my idea anyway, but I had not
> done it yet.
> 
> Thanks,
> Heikki
> 
> -- 
> Heikki Vatiainen 
> 
> Radiator: the most portable, flexible and configurable RADIUS server
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
> NetWare etc.


--

Hugh Irvine
h...@open.com.au

Radiator: the most portable, flexible and configurable RADIUS server 
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
