Re: [RADIATOR] ERR: Attribute number 146 (vendor 3076) is not defined in your dictionary aka Cisco bought Altiga in 2000
Thanks Heikki!

Best regards, Alex

On 2013-04-26 16:21, Heikki Vatiainen wrote:
> On 04/23/2013 10:57 AM, Alexander Hartmaier wrote:
>
>> will you include the dictionary in the goodies dir? I don't see it in
>> the 4.11 patch tarball.
> Hello Alexander,
>
> the dictionary is now in the top level Radiator distribution. There's
> also a note in the main dictionary to see the new file for a more
> current set of Cisco/Altiga attributes.
>
>> Are the names I've used ok for you?
> We did not touch the names. I think they are fine.
>
> Thanks for your help,
> Heikki

T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator
[RADIATOR] eduroam question
Is there a way in RADIATOR I can log the IP address of the RADIUS server that originates a request through the eduroam hierarchy?

I'm currently logging the NAS-IP attribute, but in many cases that is an RFC1918 address. What I want is the IP address of the first RADIUS server sending the request. It would be helpful for debugging purposes.

Thanks.

-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
Mobile: 319 540-2081
E-Mail: neil-john...@uiowa.edu
[RADIATOR] IPv6 Warning Message
I'm seeing the following messages in my RADIATOR log files.

Mon Apr 29 14:05:06 2013 223814: WARNING: Need Socket6 to handle IPV6 addresses in inet_ntop

I'm running RADIATOR 4.11 on Windows Server 20008 R2 with ActiveState PERL 5.12.2. And yes, our net and the server are IPv6 enabled.

I tried a "ppm install Socket6" and received a "ppm install failed: Can't find any package that provides IO:Socket6" error.

I suspect that I've got something wrong in my config, or I need to upgrade my PERL installation.

Thanks.

-Neil
Re: [RADIATOR] eduroam question
Hi,

>Is there a way in RADIATOR I can log the IP address of the RADIUS server
>that originates a request through the eduroam hierarchy?

nope. all you can get/see is what is provided by the originating site. as you say, you'll find lots of NAS-Identifiers and NAS-IP-Address etc but they'll all be local things (RFC1918 addresses or local names for the APs or switches).

I'm not sure where the US is in terms of global policy and advice - you really ought to be setting the Operator-Name attribute - you'll then have the realm/domain the request came from.

alan
Re: [RADIATOR] IPv6 Warning Message
Hi,

>I'm seeing the following messages in my RADIATOR log files.
>Mon Apr 29 14:05:06 2013 223814: WARNING: Need Socket6 to handle IPV6
>addresses in inet_ntop

you need Socket6 for IPv6 and RADIATOR (though that's obvious from that message)

>I tried a "ppm install Socket6" and received a "ppm install failed: Can't
>find any package that provides IO:Socket6" Error.
>I suspect that I I've got something wrong in my config, or I need to
>upgrade my PERL installation.

the joys of PERL on Windows. not sure if StrawberryPERL isn't the way to go... however, the PERL module you want is Socket6 - it lurks on UMEMOTO/Socket6-0.23.tar.gz according to CPAN - I just 'yum install perl-socket6' - but that's the joy of RADIATOR on a Linux box where PERL is more friendly :-)

but the win6.jp guys aren't too bad - http://win6.jp/ActivePerl/index.html

alan
Re: [RADIATOR] IPv6 Warning Message
On 04/29/2013 10:32 PM, Johnson, Neil M wrote:

> I'm seeing the following messages in my RADIATOR log files.
>
> Mon Apr 29 14:05:06 2013 223814: WARNING: Need Socket6 to handle IPV6
> addresses in inet_ntop

Most likely you have a NAS that is sending requests which have attributes carrying IPv6 addresses or prefixes.

> I'm running RADIATOR 4.11 on Windows Server 20008 R2 with ActiveState
> PERL 5.12.2, And yes, our net and the server are IPv6 enabled.
>
> I tried a "ppm install Socket6" and received a "ppm install failed:
> Can't find any package that provides IO:Socket6" Error.

Try this:

ppm install http://www.open.com.au/radiator/free-downloads/Socket6.ppd

This should install Socket6 that matches your Perl version. AS automatic build infrastructure seems not to have built Socket6 for Perl 5.12.

> I suspect that I I've got something wrong in my config, or I need to
> upgrade my PERL installation.

I think you only need Socket6 and this is not a configuration problem nor a problem with the Perl installation.

Thanks,
Heikki

--
Heikki Vatiainen

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
Re: [RADIATOR] IPv6 Warning Message
Thanks, I will try it out.

-Neil
Re: [RADIATOR] eduroam question
The %c and %C substitutions, for the IP or reverse lookup of the IP of the client making the connection to your server, are the closest there is.

Of course, if you've only configured to interact with the top level client -- that might not be as much help, although one would assume the top level realm and proxy configuration might be better managed than organizations still in their testing stages.

Robert Fisher
Systems Administrator
Sitestar Internet Services

On 4/29/2013 1:34 PM, Johnson, Neil M wrote:

> Is there a way in RADIATOR I can log the IP address of the RADIUS server
> that originates a request through the eduroam hierarchy?
>
> I'm currently logging the NAS-IP attribute, but in many cases that is a
> RFC1918 address. What I want is the IP address of the first RADIUS server
> sending the request. It would be helpful for debugging purposes.
>
> Thanks.
>
> -Neil
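The point made in this thread (NAS-IP-Address is often a private address, while Operator-Name carries the originating realm), as an added example that is not code from the thread or from Radiator. It assumes Operator-Name is RADIUS attribute 126 with a one-character namespace prefix as defined in RFC 5580 ("1" for a realm); the function names and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

NAS_IP_ADDRESS = 4    # RFC 2865
OPERATOR_NAME = 126   # RFC 5580
NAMESPACES = {"0": "TADIG", "1": "REALM", "2": "E212", "3": "ICC"}

def parse_attributes(packet: bytes) -> dict:
    """Return {type: [value, ...]} for a raw RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad length field")
    attrs, pos = {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        attrs.setdefault(atype, []).append(packet[pos + 2:pos + alen])
        pos += alen
    return attrs

def origin_summary(packet: bytes) -> dict:
    """Report NAS-IP-Address (and whether it is private) plus Operator-Name."""
    attrs = parse_attributes(packet)
    out = {"nas_ip": None, "nas_ip_private": None, "operator": None}
    for raw in attrs.get(NAS_IP_ADDRESS, []):
        if len(raw) == 4:
            ip = ipaddress.IPv4Address(raw)
            out["nas_ip"], out["nas_ip_private"] = str(ip), ip.is_private
    for raw in attrs.get(OPERATOR_NAME, []):
        if len(raw) >= 2:
            ns = NAMESPACES.get(chr(raw[0]), "unknown")
            out["operator"] = (ns, raw[1:].decode("utf-8", "replace"))
    return out

def build_sample(operator=b"1visited.example") -> bytes:
    """Constructed Access-Request for the demo (not a captured packet)."""
    body = bytes([1, 7]) + b"alice"                       # User-Name
    body += bytes([NAS_IP_ADDRESS, 6, 10, 20, 30, 40])    # 10.20.30.40
    if operator:
        body += bytes([OPERATOR_NAME, 2 + len(operator)]) + operator
    return struct.pack("!BBH", 1, 42, 20 + len(body)) + bytes(16) + body

if __name__ == "__main__":
    print(origin_summary(build_sample()))
    print(origin_summary(build_sample(operator=b"")))
```

A request with no Operator-Name leaves only the private NAS-IP-Address to go on, which is the situation described in the original question.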
[RADIATOR] Radiator evaluation-Authenticate and Authorize LDAP users using SASL EXTERNAL bind to network switch
Hello,

I wanted to know how do you do SASL EXTERNAL binding for LDAP server through radiator for a network switch

I have added the SSLclient certificate and SSLCA certificate in radiator path.

Below are the further details of the radiator configurations

radius.cfg

Secret mysecret
DupInterval 0

# Authenticate all realms with this
# Authenticate all realms with this

# Tell Radiator how to talk to the LDAP server
Host localhost

# Tell the LDAP server to authenticate the LDAP bind
# with SASL:
UseSASL

# When you are using SASL authentication to connect to
# the LDAP server, Radiator will
# use AuthDN and AuthPassword to authenticate using
# SASL instead of the default simple authentication.
# In this example, we have
# configured a SASL user called mikem into the SASL
# user database using saslpasswd2. In order for
# openldap to map the SASL user 'mikem' to the same
# privileges as the LDAP manager (and hence have
# access to protected password fields etc), you would need
# something like this in your OpenLDAP configuration
# (typically /etc/openldap/slapd.conf):
#AuthDN uid=admin,ou=Users,dc=vmbox,dc=int
#AuthPassword admin

# You can also control which SASL mechanisms are
# acceptable for SASL authentication. SASLMechanism is
# a space separated list of mechanism names supported
# by Authen::SASL, such as ANONYMOUS CRAM-MD5
# DIGEST-MD5 EXTERNAL LOGIN PLAIN.
# Defaults to DIGEST-MD5. If you change this you may
# need to change your SASL->LDAP user mapping
SASLMechanism EXTERNAL

# This the top of the search tree where users
# will be found. It should match the configuration
# of your server, see /etc/openldap/slapd.conf
BaseDN dc=vmbox, dc=int

# This is the LDAP attribute to match the radius user name
UsernameAttr cn

# If you don't specify ServerChecksPassword, you
# need to tell Radiator which attribute in the LDAP
# database contains
# the users correct password. It can be plaintext or encrypted
PasswordAttr userPassword

# This tells AuthBy LDAP2 not to check the users password,
# ie that LDAP is just used to store check or reply items
# and the authentication happens elsewhere
# Requires latest patches to Radiator 3.11
#NoCheckPassword

# On some (most?) LDAP servers, you can tell AuthBy
# LDAP to keep the connection to the server up for as
# long as possible, and not close it after each
# authentication. This can improve performance,
# especially where UseTLS or UseSSL are in
# operation. Not all servers can support this, so if you
# enable it and things don't work right: disable it
# again.
HoldServerConnection

# You can use CheckAttr, ReplyAttr and AuthAttrDef
# to specify check and reply attributes in the LDAP
# database. See the reference manual for more
# information
#AuthAttrDef ipaddress,Framed-IP-Address,reply

# These are the classic things to add to each users
# reply to allow a PPP dialup session. It may be
# different for your NAS. This will add some
# reply items to everyone's reply
AddToReply Framed-Protocol = PPP,\
    Framed-IP-Netmask = 255.255.255.255,\
    Framed-Routing = None,\
    Framed-MTU = 1500,\
    Framed-Compression = Van-Jacobson-TCP-IP

# You can enable debugging of the Net::LDAP
# module with this, which will dump LDAP requests
# sent to and from the LDAP server
Debug 255

# With LDAP2 and perl-ldap 0.22 and better on Unix/Linux, you can enable SSL or TLS.
# See http://www.openldap.org/pub/ksoper/OpenLDAP_TLS_howto.html
# for assistance on how to generate certificates and
# configure openldap for SSL and/or TLS
# To use SSL, set these
#UseSSL
#SSLCAClientCert C:/Program Files/Radiator/ldapcertificates/admin.pem
#SSLCAClientKey C:/Program Files/Radiator/ldap