Re: [RADIATOR] Serious Open SSL bug

2014-04-08 Thread Hartmaier Alexander
On 2014-04-08 00:20, Johnson, Neil M wrote:

> Just received notice from our security folks about this bug which may lead to
> leaking of the private key used to sign SSL certs and encrypt traffic.
>
> More info can be found here: http://heartbleed.com/
>
> Are you guys aware of this and have plans to update the PERL SSL module for
> RADIATOR?

The Perl Net::SSLeay module is just a binding for the underlying OpenSSL
library; if it is patched, the Perl apps aren't vulnerable either.


-Neil

--
Neil Johnson
Network Engineer
The University of Iowa
Phone: 319 384-0938
Fax: 319 335-2951
E-Mail: neil-john...@uiowa.edu

___
radiator mailing list
radiator@open.com.au
http://www.open.com.au/mailman/listinfo/radiator

--
Best regards, Alexander Hartmaier

T-Systems Austria GesmbH
TSS Security Services
Network Security & Monitoring Engineer

phone: +43(0)57057-4320
fax: +43(0)57057-954320




Re: [RADIATOR] Serious Open SSL bug

2014-04-08 Thread Heikki Vatiainen
On 04/08/2014 01:20 AM, Johnson, Neil M wrote:

> Just received notice from our security folks about this bug which may
> lead to leaking of the private key used to sign SSL certs and encrypt
> traffic.

Hello Neil,

thanks for the reminder. This looks like something that will keep people
busy for a while.

> More info can be found here: http://heartbleed.com/
> 
> Are you guys aware of this and have plans to update the PERL SSL module
> for RADIATOR ?

We became aware of this when it was revealed yesterday. The precompiled
Windows ppms available from OSC's web site use OpenSSL 0.9.8.
Fortunately the problematic TLS extension is not included in 0.9.8.

Radiator itself does not come with OpenSSL. It uses the OpenSSL that the
system Perl uses. When the system OpenSSL receives the patch, Radiator
needs to be restarted so that it will use the patched OpenSSL libraries.

In general, the current Windows and other Perl versions, such as 5.14
and 5.16, available from ActiveState, Strawberry Perl, Ubuntu and such,
have recent enough Net-SSLeay to support everything Radiator requires.
Previously patches were needed to get EAP-FAST working, but this is not
the case anymore.

Thanks,
Heikki

-- 
Heikki Vatiainen 

Radiator: the most portable, flexible and configurable RADIUS server
anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald,
Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS,
TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP,
DIAMETER etc. Full source on Unix, Windows, MacOSX, Solaris, VMS,
NetWare etc.


Re: [RADIATOR] logging inner/outer identities

2014-04-08 Thread Jakob Schlyter
On 7 apr 2014, at 22:25, Hartmaier Alexander wrote:

> I've just completed a very complex 802.1x setup and used
> %{OuterRequest:User-Name} in the AuthLog FILE or the inner PEAP-TLS handler.

Thanks, that fixes my logging problems!

jakob



Re: [RADIATOR] Preventing Computer/Machine Authentication in AuthBy NTLM

2014-04-08 Thread Michael Rodrigues
I tried building 4.12.1 and it builds fine without the patches.

When untarring the patches tarball patches-4.12.1-20140407.tar.gz in the 
Radiator directory and testing the build, test "1d" fails to pass. Am I 
applying the patches correctly? I read that there was information on the 
site where the patches are downloaded, but I don't have direct access to 
it as a colleague maintains the account.

I'm using:

Digest::MD5 2.53
Digest::MD4 1.9
Digest::SHA 5.70
Net::SSLeay 1.42

perl 5.14.2
linux 3.5
Ubuntu 12.04


I also need to rewrite the outer identity before my AuthBy FILE sections 
that check that the user is not on the blacklist. As configured, it will 
check their anonymous ID against the blacklist, which does me no good.

Thanks,
Michael

On 4/7/2014 7:24 AM, Heikki Vatiainen wrote:
> On 04/02/2014 09:49 PM, Heikki Vatiainen wrote:
>
>> PostAuthHook sub { my $rp = ${$_[1]};
>> $rp->changeUserName($rp->{inner_identity}); }
>>
>> PEAP and TTLS both export the inner EAP identity (or TTLS inner username
>> when EAP is not used). The inner identity is exported to outer reply
>> message and can be retrieved as above.
>> Note: I noticed that if EAP, for example EAP-MSCHAP-V2, is used for
>> inner TTLS, the export seems not to work currently. We'll need to check why.
> This is now fixed in the latest patches for 4.12.1. The EAP identity or
> User-Name from TTLS tunnelled message is now available with
> $rp->{inner_identity}.
>
> Thanks,
> Heikki
>
>

-- 
Michael Rodrigues
Technical Support Services Manager
Gevirtz Graduate School of Education
Education Building 4203
(805) 893-8031
h...@education.ucsb.edu
