Re: [RADIATOR] max reauthentication

2014-03-24 Thread Sami Keski-Kasari
Hello Judy,

I have one addition to Hugh's reply.
Not all NASes will do anything unless you also specify the
Termination-Action attribute.

The line below should do the trick with most NASes:
AddToReply Session-Timeout = nn, Termination-Action = 1

Termination-Action=1 means re-authentication.

Best Regards,
 Sami

On 03/22/2014 01:44 AM, Hugh Irvine wrote:
> 
> Hello Judy -
> 
> There is no default.
> 
> You can set the Session-Timeout value to whatever you wish in the RADIUS 
> Access-Accept.
> 
> Depending on what else you are doing, something like this:
> 
> …..
> 
>   # whatever AuthBy you are using
>   # add the number of seconds you wish for Session-Timeout
>   # where “nn” below is the number of seconds
> 
>   
> 
>   …..
> 
>   AddToReply Session-Timeout = nn
> 
>   
> 
> …..
> 
> See section 13.2.8 in the Radiator 4.12.1 reference manual (“doc/ref.pdf”).
> 
> regards
> 
> Hugh
> 
> 
> 
> On 22 Mar 2014, at 09:21, Judy Angel  wrote:
> 
>>
>> Please see the reply from the wireless controller vendor.
>>
>>> the re-auth timer can be set by the RADIUS server. It is the
>>> Session-Timeout attribute. It would be good to see what the RADIUS is
>>> presently configured for
>>
>> What is the default setting?
>> Thanks
>> Judy
>>
>> --On 19 March 2014 23:22 + Alan Buxey  wrote:
>>
>>> It's usually a function of your NAS (eg wireless controller). Check its
>>> settings for session-timeout ... which is usually an attribute that you
>>> can send back from your RADIATOR server in the access-accept packet too
>>> (though you may need to change your controller setting so that it honours
>>> that value)
>>>
>>> Alan
>>
>>
>>
>>
>> ___
>> radiator mailing list
>> radiator@open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> --
> 
> Hugh Irvine
> h...@open.com.au
> 
> Radiator: the most portable, flexible and configurable RADIUS server 
> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, 
> Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, 
> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
> DIAMETER etc. 
> Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
> 
> 


-- 
Sami Keski-Kasari 

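To show what the NAS actually receives when the AddToReply line above is used, here is an added example (not Radiator code and not from any poster) that builds a RADIUS Access-Accept carrying Session-Timeout (attribute 27) and Termination-Action (attribute 29) as RFC 2865 encodes them, computes the Response Authenticator, and parses the packet back the way a NAS would. The identifier, request authenticator and shared secret used are made-up test values; the reauthentication decision function only models the RFC text (Termination-Action 1 = RADIUS-Request), not any particular controller.

```python
"""Build and parse a RADIUS Access-Accept with Session-Timeout and
Termination-Action (RFC 2865). Added example; not Radiator's code."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
SESSION_TIMEOUT = 27      # RFC 2865 5.27: seconds of service before action
TERMINATION_ACTION = 29   # RFC 2865 5.29: 0 = Default, 1 = RADIUS-Request
RADIUS_REQUEST = 1


def encode_integer_attr(attr_type: int, value: int) -> bytes:
    """RADIUS integer attributes are TLVs: Type, Length=6, 32-bit big-endian value."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("RADIUS integer attribute must fit in 32 bits")
    return struct.pack("!BBI", attr_type, 6, value)


def build_access_accept(identifier: int, request_authenticator: bytes,
                        secret: bytes, session_timeout: int,
                        termination_action: int = RADIUS_REQUEST) -> bytes:
    """Return a complete Access-Accept replying to a request with the given
    identifier and Request Authenticator (16 bytes from the Access-Request)."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    attrs = (encode_integer_attr(SESSION_TIMEOUT, session_timeout)
             + encode_integer_attr(TERMINATION_ACTION, termination_action))
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # ResponseAuth = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response_authenticator(packet: bytes, request_authenticator: bytes,
                                  secret: bytes) -> bool:
    """What the NAS does before trusting the reply: recompute and compare."""
    expected = hashlib.md5(packet[:4] + request_authenticator
                           + packet[20:] + secret).digest()
    return hmac.compare_digest(expected, packet[4:20])


def parse_attributes(packet: bytes) -> dict:
    """Walk the attribute TLVs after the 20-byte header, rejecting bad lengths."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    attrs, pos = {}, 20
    while pos < len(packet):
        if pos + 2 > len(packet):
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > len(packet):
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + attr_len]
        if attr_type in (SESSION_TIMEOUT, TERMINATION_ACTION):
            if attr_len != 6:
                raise ValueError("integer attribute must be exactly 6 bytes")
            value = struct.unpack("!I", value)[0]
        attrs[attr_type] = value
        pos += attr_len
    return attrs


def nas_action_on_timeout(attrs: dict) -> str:
    """Model of RFC 2865: Session-Timeout alone ends the session; with
    Termination-Action = RADIUS-Request the NAS re-authenticates instead."""
    if SESSION_TIMEOUT not in attrs:
        return "no-timeout"
    if attrs.get(TERMINATION_ACTION) == RADIUS_REQUEST:
        return "reauthenticate"
    return "terminate"


if __name__ == "__main__":
    # Constructed test values, not from a real exchange.
    req_auth = bytes(range(16))
    pkt = build_access_accept(0x42, req_auth, b"testing123", 3600)
    parsed = parse_attributes(pkt)
    print(len(pkt), parsed, nas_action_on_timeout(parsed))
```

The attribute bytes are identical whatever server sends them; the point of the example is that without attribute 29 the NAS has nothing telling it to re-authenticate rather than drop the session, which is the distinction the reply above makes.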


[RADIATOR] Problems with radiator to radsecproxy TLS connections

2014-03-24 Thread Elmar Dreher
Hello all,

I am the system administrator for eduroam at the University of Konstanz.
We are using radiator and radsecproxy:
1. Radiator is hosted in an Application Zone
2. Radsecproxy is hosted in a DMZ and connected to the DFN for eduroam purposes
3. OS on both environments is Ubuntu 12.04

The setup is the following:
1. All connections (between radiator and radsecproxy) are implemented using 
TLS
2. On radiator the RADSEC implementation is used to realize TLS connections from 
and to radsecproxy
3. Radiator and radsecproxy are redundant (2 radiators and 2 radsecproxies) and 
are connected redundantly


Now the problem:
Sometimes it happens that the connection between radsecproxy <-> radiator is 
broken (experience has shown after 5 to 6 weeks):
In case of an eduroam login attempt, radsecproxy or radiator is logging that the 
remote peer isn't available.
Looking at the network connection with netstat -tapen, everything looks OK.

Does anybody have the same experience with this architecture, or have an 
idea or hint what could be the problem or how to solve the problem (we already 
have a weekly reboot of all radsecproxy and radiator services and everything 
works fine)?

 Many greetings from Konstanz, Elmar Dreher


[RADIATOR] test

2014-03-24 Thread Qiu, Dennis
Please disregard this email.

Dennis Qiu
Information Systems
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017
212 450 5651   tel
dennis@davispolk.com

Confidentiality Note: This email is intended only for the person or entity to 
which it is addressed and may contain information that is privileged, 
confidential or otherwise protected from disclosure. Unauthorized use, 
dissemination, distribution or copying of this email or the information herein 
or taking any action in reliance on the contents of this email or the 
information herein, by anyone other than the intended recipient, or an employee 
or agent responsible for delivering the message to the intended recipient, is 
strictly prohibited. If you have received this email in error, please notify 
the sender immediately and destroy the original message, any attachments 
thereto and all copies. Please refer to the firm's privacy policy located at 
www.davispolk.com for important information on this policy.



[RADIATOR] test

2014-03-24 Thread Qiu, Dennis
Please disregard this email. Sorry for the noise.


[RADIATOR] CRLs not working with EAP TLS

2014-03-24 Thread Markus Moeller
Hi 

I have set up EAP-TLS for wired 802.1x using CRLCheck, but I noticed that 
despite having the certificate serial number in the CRL, Radiator still accepts 
the presented certificate (I can also see Radiator re-read the CRL file). I 
was trying to verify that the serial numbers match using the 
EAPTLS_CertificateVerifyHook function but can't extract the certificate serial 
number. I tried with my $ai = &Net::SSLeay::X509_get_serialNumber($x509); 
which I read does not give the serial number but an ASN.1 encoded string. Does 
anybody have a tool which converts it into a serial number which I can compare 
to the CRL serial number?

Does anybody have CRL working for EAP-TLS?

Thank you 
Markus

Re: [RADIATOR] CRLs not working with EAP TLS

2014-03-24 Thread Markus Moeller
BTW I use  perl -MNet::SSLeay -E 'say Net::SSLeay::SSLeay_version()'
OpenSSL 1.0.1e 11 Feb 2013


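The conversion the question above asks for is a DER decode: X509_get_serialNumber returns the certificate's ASN.1 INTEGER, and a CRL lists revoked serials as hex. The following added example (not Radiator code, not from the poster, and not a Net::SSLeay call) decodes a DER INTEGER into an integer, normalises it to the upper-case hex that OpenSSL prints, and checks it against serials parsed from the text output of `openssl crl -text`. The DER byte strings and the CRL dump are constructed test data, not a real CRL; the decoder handles the two cases that most often make a naive hex comparison fail: the 0x00 pad byte DER prepends when the first value byte has its top bit set, and differing leading-zero conventions between tools.

```python
"""Decode a DER-encoded ASN.1 INTEGER (the raw form of an X.509 serial
number) and look it up in a set of revoked serials taken from a CRL dump.
Added example; not Radiator code. All inputs below are constructed."""
import re


def decode_der_integer(der: bytes) -> int:
    """Parse one DER INTEGER TLV (tag 0x02) and return its value.
    Handles short- and long-form lengths and the 0x00 pad byte DER adds
    when the top bit of the first content byte is set. Rejects negative
    values (RFC 5280 requires serials to be positive) and non-minimal
    encodings, so a padded or mangled serial cannot slip through."""
    if len(der) < 2 or der[0] != 0x02:
        raise ValueError("not a DER INTEGER")
    length, pos = der[1], 2
    if length & 0x80:                       # long form: low 7 bits = byte count
        n = length & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            raise ValueError("bad long-form length")
        length = int.from_bytes(der[2:2 + n], "big")
        pos = 2 + n
    content = der[pos:pos + length]
    if length == 0 or len(content) != length:
        raise ValueError("truncated INTEGER")
    if content[0] & 0x80:
        raise ValueError("negative serial number (non-conforming)")
    if length > 1 and content[0] == 0 and not (content[1] & 0x80):
        raise ValueError("non-minimal DER encoding")
    return int.from_bytes(content, "big")


def is_valid_serial(der: bytes) -> bool:
    """True if the bytes decode as a conforming positive serial number."""
    try:
        decode_der_integer(der)
        return True
    except ValueError:
        return False


def serial_hex(value: int) -> str:
    """Upper-case hex with an even digit count, as OpenSSL prints serials."""
    h = "%X" % value
    return h if len(h) % 2 == 0 else "0" + h


def revoked_serials_from_crl_text(text: str) -> set:
    """Collect the 'Serial Number:' entries of `openssl crl -text -noout`
    output into a set of integers, so comparison ignores hex formatting."""
    return {int(m.group(1), 16)
            for m in re.finditer(r"Serial Number:\s*([0-9A-Fa-f]+)", text)}


def is_revoked(serial_der: bytes, revoked: set) -> bool:
    """Decode the presented certificate's serial and test set membership."""
    return decode_der_integer(serial_der) in revoked


# Constructed CRL dump in the layout `openssl crl -text -noout` produces.
CRL_TEXT = """Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Example Lab CA
        Last Update: Mar 20 09:00:00 2014 GMT
        Next Update: Apr 20 09:00:00 2014 GMT
Revoked Certificates:
    Serial Number: 0A1B2C3D
        Revocation Date: Mar 20 10:00:00 2014 GMT
    Serial Number: DEADBEEF
        Revocation Date: Mar 21 11:30:00 2014 GMT
"""

# Constructed DER serials: a plain one and one that needs the 0x00 pad byte.
SERIAL_OK = b"\x02\x04\x0a\x1b\x2c\x3d"
SERIAL_PADDED = b"\x02\x05\x00\xde\xad\xbe\xef"

if __name__ == "__main__":
    revoked = revoked_serials_from_crl_text(CRL_TEXT)
    for der in (SERIAL_OK, SERIAL_PADDED, b"\x02\x01\x05"):
        print(serial_hex(decode_der_integer(der)), is_revoked(der, revoked))
```

Inside a Radiator Perl hook the same normalisation is available without writing a decoder: Net::SSLeay's P_ASN1_INTEGER_get_hex turns the ASN1_INTEGER pointer from X509_get_serialNumber into a hex string, which can then be compared case-insensitively, after stripping leading zeros, against the CRL's entries. Whatever the language, compare as integers or canonical hex rather than raw strings, or a serial such as DEADBEEF will never match the padded form of the same number.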