On 2013-10-18 13:07, Heikki Vatiainen wrote:
> On 10/18/2013 12:14 PM, Alexander Hartmaier wrote:
>
>> The requests are sent to two Radiator servers forming a failover pair
>> which both have the same TACACS key.
>> It only happens from time to time, the authentication and accounting
>> requests usua
This is a more human friendly output:
/$path/to/perl/used/by/radiator/perl -MNet::SSLeay -E 'say
Net::SSLeay::SSLeay_version()'
On 2013-10-30 23:25, Markus Moeller wrote:
> Hi Heikki,
>
> Thank you for that. Despite my attempts to use the latest static openssl
> library I used an old one :-(.
Yes, a Cisco IOS router configured to terminate IPSec IKEv1 client vpn
will send such an authorization request after the user auth to check if
the user is allowed to connect using this group.
On 2013-11-07 06:04, Hugh Irvine wrote:
> Hello Michael -
>
> This is configured on the Cisco box - you wi
some of the above, not sure which one
overrides the other
On 2013-11-07 15:22, Michael wrote:
> i don't understand it. The requests i'm speaking of all come before
> the user auth. not after. And, they of course are all being rejected
> because we don't even know what the
sfully where i'm looking at stopping them. I guess i could just
> reject all Service-Type="Outbound-User" but i was kinda just hoping to
> stop the requests all together. Thanks though. maybe i will just make
> a handler config to just reject them.
>
>
> On 07
me time they're not
> working. so how are they important?
>
>
>
> On 07/11/13 12:34 PM, Hartmaier Alexander wrote:
>> It seems you don't understand the importance of those *authorization*
>> requests: without them every user could authenticate against *every*
>&g
On 2013-11-26 10:47, Heikki Vatiainen wrote:
> On 11/25/2013 05:24 PM, Fabio Prina wrote:
>
>> In my TACACS trace 4 logs I see, not so few, rows like:
>>
>> Mon Nov 25 14:21:25 2013: ERR: Could not get peer name on
>> TacacsplusConnection socket: Transport endpoint is not connected
>> Mon Nov 25 14
On 2013-11-27 23:24, Heikki Vatiainen wrote:
> On 11/27/2013 01:30 PM, Hartmaier Alexander wrote:
>
>>> On 11/25/2013 05:24 PM, Fabio Prina wrote:
>>>> Mon Nov 25 14:21:25 2013: ERR: Could not get peer name on
>>>> TacacsplusConnection socket: Transport endpo
On 2013-08-23 10:35, Heikki Vatiainen wrote:
> On 08/22/2013 05:59 PM, Alexander Hartmaier wrote:
>
>> I hope the reference manual was updated to reflect this feature as well.
> Yes. The plan is to also have a separate section in the reference manual
> that talks about IPv6 in more detail. It will
Hi Markus,
you didn't configure NoDefault, see in section 5.21.12 NoDefault in the
Radiator Reference Manual for further details.
On 2013-12-20 11:30, Markus Moeller wrote:
Hi,
I have a switch configured to do EAP TLS authentication and when I made an
error in the config the following Access
d adding all users
> I need a DEFAULT don’t I ?
>
> Markus
>
>
> *From:* Hartmaier Alexander <mailto:alexander.hartma...@t-systems.at>
> *Sent:* Friday, December 20, 2013 10:52 AM
> *To:* radiator@open.com.au <mailto:radiator@open.com.au>
> *Subject:* R
On 2014-01-03 00:14, rohan.henry @cwjamaica.com wrote:
Hello,
How is a non default port specified when connecting to a remote Oracle server?
Thanks.
DBSource dbi:oracle:server
DBUsername
DBAuth
Rohan
The Oracle InstantClient configuration is in tnsnames.ora, there you specify
things like hos
Hi guys,
we had the issue that our Radiator process was running but the TACACS
socket on port 49 wasn't listening.
It turned out that a restart caused this because either Debian's
start-stop-daemon or the init script doesn't wait until the process is
really gone and Radiator is started while the old
On 2014-01-06 21:26, rohan.henry @cwjamaica.com wrote:
Thanks Alexander.
I am able to connect to the remote server via the Linux prompt using:
sqlplus user/passwd@server_IP/SID
But can't seem to get it right in Radiator.
Rohan
On Fri, Jan 3, 2014 at 5:24 AM, Hartmaier Alex
On 2014-01-07 13:43, Heikki Vatiainen wrote:
> On 01/03/2014 01:32 PM, Hartmaier Alexander wrote:
>
>> we had the issue that our Radiator process was running but the TACACS
>> socket on port 49 wasn't listening.
>> It turned out that a restart caused this because
From time to time I'm struggling with getting a new user account stored
in a file working.
As MD5 isn't recommended these days and we don't want to use some
vendor/product specific algorithm like the mysql or mssql ones I'm
looking for something like SHA256 or better.
Digest::SHA is a required mo
On 2014-01-13 17:17, Heikki Vatiainen wrote:
> On 01/10/2014 03:15 PM, Hartmaier Alexander wrote:
>
>> As MD5 isn't recommended these days and we don't want to use some
>> vendor/product specific algorithm like the mysql or mssql ones I'm
>> looking for som
On 2014-01-13 17:51, Heikki Vatiainen wrote:
> On 01/13/2014 06:26 PM, Hartmaier Alexander wrote:
>
>> Are they included in the reference manual and I missed them? The
>> section that describes the different available password hashes would
>> be a great place to ad
On 2014-01-29 14:38, Heikki Vatiainen wrote:
> On 01/13/2014 06:58 PM, Hartmaier Alexander wrote:
>
>> Patching is welcome! If you'd add those formats we would immediately
>> switch to using them.
> Hello Alexander,
>
> support for {SHA256}, {SSHA256} and the 384 an
Hi guys,
I'm trying to get a wired and wireless 802.1x config working where in
one building shared Cisco IOS switches and Cisco WLAN controllers are
used for multiple companies, each with its own CA.
My handler config is below and as you can see the EAPTLS settings share
the same radius server cert
I've added some more Huawei VSAs to the dictionary, please include them
in the standard dictionary file, thanks!
VENDORATTR 2011 Huawei-Requested-APN 168 string
VENDORATTR 2011 Huawei-GGSN-Vendor 232 string
VENDORATTR 2011 Huawei-GGSN-Vendor 233
Hi Heikki,
On 2014-02-03 17:10, Heikki Vatiainen wrote:
> On 01/31/2014 02:23 PM, Hartmaier Alexander wrote:
>
>> I'm trying to get a wired and wireless 802.1x config working where in
>> one building shared Cisco IOS switches and Cisco WLAN controllers are
>> used
On 2014-02-04 14:57, Heikki Vatiainen wrote:
> On 02/03/2014 02:27 PM, Hartmaier Alexander wrote:
>
>> I've added some more Huawei VSAs to the dictionary, please include them
>> in the standard dictionary file, thanks!
> Done. Thanks.
>
>> VENDORATTR 2011
That worked like a charm!
Thanks Heikki!
Is this because of historical reasons?
On 2014-02-04 14:54, Heikki Vatiainen wrote:
> On 02/03/2014 06:46 PM, Hartmaier Alexander wrote:
>
>>> You might be able to use EAPTLS_CertificateVerifyHook to check which CA
>>> matched. How
On 2013-11-30 22:40, Heikki Vatiainen wrote:
> On 11/29/2013 04:04 PM, Hartmaier Alexander wrote:
>
>> I've just read the IPv6 section in the 4.12.1 reference manual after
>> installing 4.12.1 on a new RHEL6 box which has IPv6 support disabled via
>> 'alias ipv
On 2014-02-06 23:11, Heikki Vatiainen wrote:
> On 10/11/2013 11:38 AM, Alexander Hartmaier wrote:
>
>> our switching guys reported that their Cisco Nexus switches running
>> NX-OS log that they can't reach the tacacs servers. This is what the
>> troubleshooting brought up:
>>
>> 2013 Oct 11 08:47:
On 2014-02-07 08:35, Hartmaier Alexander wrote:
> On 2014-02-06 23:11, Heikki Vatiainen wrote:
>> On 10/11/2013 11:38 AM, Alexander Hartmaier wrote:
>>
>>> our switching guys reported that their Cisco Nexus switches running
>>> NX-OS log that they can't reac
Hi Elmar,
On 2014-03-24 17:10, Elmar Dreher wrote:
> Hello all,
>
> i am systemadministrator for eduroam at the university of Konstanz.
> We are using radiator and radsecproxy:
> 1. Radiator is hosted in an Application Zone
> 2. Radsecproxy is hosted in a DMZ and connected to the DFN for eduroam
On 2014-03-26 18:40, Roberto Pantoja wrote:
I have a problem trying to assign dynamic VLANs to users on a WPA2-Enterprise
configuration. Users have successful authentication and if I don't send the
Radius Attribute "Tunnel-Private-Group-ID" The Wireless Controller connects me
to the default VLa
On 2013-09-20 12:15, Hartmaier Alexander wrote:
> On 2013-09-20 11:44, Heikki Vatiainen wrote:
>> On 09/20/2013 11:35 AM, Alexander Hartmaier wrote:
>>
>>> @Radiator guys: are you interested in supporting Message::Passing,
>>> Log::Log4perl or Log::Any?
>&g
On 2014-03-27 20:43, Heikki Vatiainen wrote:
> On 03/27/2014 05:22 PM, Hartmaier Alexander wrote:
>
>> Did you have time to work on this feature?
> We have worked on EAP-SIM, Diameter and other RADIUS functionality, but
> not this. It's still on the ideas to explore list, th
On 2014-03-28 09:02, Hartmaier Alexander wrote:
> On 2014-03-27 20:43, Heikki Vatiainen wrote:
>> On 03/27/2014 05:22 PM, Hartmaier Alexander wrote:
>>
>>> Did you have time to work on this feature?
>> We have worked on EAP-SIM, Diameter and other RADIUS functionalit
On 2014-04-02 20:57, Heikki Vatiainen wrote:
> On 04/01/2014 02:59 PM, Hartmaier Alexander wrote:
>
>> I think extending LogFormat is the right way to go because one might
>> want to log to a file or database in json or yaml as well.
>> What I still haven't f
Hi Heikki,
attached is what I just wrote, feedback welcome!
Feel free to include it in the Radiator dist with an extended copyright,
different name, ...
Best regards, Alex
On 2014-04-04 14:42, Heikki Vatiainen wrote:
> On 04/03/2014 12:28 PM, Hartmaier Alexander wrote:
>
>> I
On 2014-04-07 20:53, Jakob Schlyter wrote:
> This may be a Radiator-newbie-questions, but since I haven't resolved it many
> years of Radiatoring, I might as well drop it here.
>
> I'd like to log attributes sent in the outer EAP request together with the
> inner identity that I find in my PEAP h
On 2014-04-08 00:20, Johnson, Neil M wrote:
Just received notice from our security folks about this bug which may lead to
leaking of the private key used to sign SSL certs and encrypt traffic.
More info can be found here: http://heartbleed.com/
Are you guys aware of this and have plans to up
Hi,
the following new feature seems to not work as I'd expect it:
PEAP and EAP-TTLS now make maximum fragment size available for inner
authentication protocols. EAP-TLS was improved to use this information.
This allows PEAP/EAP-TLS and EAP-TTLS/EAP-TLS to work better with
environments with variable
On 2014-05-05 13:53, Heikki Vatiainen wrote:
> On 05/02/2014 03:24 PM, Hartmaier Alexander wrote:
>
>> I've configured the outer PEAP Handler with EAPTLS_MaxFragmentSize 1350
>> and removed the value 1250 (1300 which we use for wired dot1x seems to
>> be too large) fro
On 2014-05-05 15:02, Heikki Vatiainen wrote:
> On 05/05/2014 03:01 PM, Hartmaier Alexander wrote:
>
>>> The correct number in your case is something between 1250 and 1300 when
>>> you have outer fragment size 1350? That is, when you have 1350 as outer
>>> fragme
On 2014-05-05 15:39, Heikki Vatiainen wrote:
> On 05/05/2014 04:18 PM, Hartmaier Alexander wrote:
>
>>> Yes, the inner EAP-TLS creates fragments of size 1310 and based on your
>>> message, I understand when these are given to outer PEAP for TLS
>>> tunneling and t
Hi,
please change the log message 'None of the desired EAP types (@desired)
are available' in EAP.pm line 213 (version 4.13) to log the EAP type
name instead or in addition to its number, thanks!
BR Alex
On 2014-05-05 19:53, Alan Buxey wrote:
... but if the type is not available it might not even be known...and its
number is the only thing sensible to be printed.
EAP.pm contains a lookup hash from number to name and back. If the entry
doesn't exist the number is fine, but for all supported EAP t
On 2014-06-19 00:48, Michael Rodrigues wrote:
> Hi,
>
> I've been searching around the list and the Internet trying to figure
> out how a wireless client can verify the hostname of the SSL cert
> provided by Radiator through the NAS as an SMTP or HTTP client would,
> but I can't seem to find anythi
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
Handelsgericht Wien, FN 79340b
*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*"*
Notice: This e-mail contains information that is confidentia
Hi guys,
I'm trying to log the name of the AuthBy that accepted a request for a
Handler that has multiple AuthBys.
I've tried %{Auth-Type}, %{Request:Auth-Type} and %{Reply:Auth-Type}
because that's included in the dictionary and mentioned in the reference
manual for the AuthBy identifier but none
On 2014-10-24 13:20, Heikki Vatiainen wrote:
> On 23.10.2014 15.31, Hartmaier Alexander wrote:
>
>> I'm trying to log the name of the AuthBy that accepted a request for a
>> Handler that has multiple AuthBys.
>>
>> I've tried %{Auth-Type}, %{Request:Aut
On 2014-10-31 20:26, Heikki Vatiainen wrote:
> On 10/24/2014 04:32 PM, Hartmaier Alexander wrote:
>
>>> In other words, this would allow you to log %{AuthBy:Identifier} in the
>>> AuthLog and see which was the last AuthBy that was evaluated.
>>>
>>> Is t
You need to specify the cmd-arg multiple times, one for each space
separated argument:
authorizedgroup deny service=shell cmd=changeto
cmd-arg=context cmd-arg=system
authorizedgroup permit service=shell cmd=changeto
cmd-arg=context cmd-arg=
authorizedgroup deny .*
BR Alex
On 2015-01-05 15:2
Sure, just use a file with only usernames and no check items. Those are
on the same line as the username, look in the manual for the file format.
Cheers, Alex
On 2015-01-20 14:17, Jim Tyrrell wrote:
> Is it possible to have the AuthBy FILE check a file for the username but
> not check the passwor
You don't even need that if the file doesn't contain a password check item.
On 2015-01-21 12:02, Peter Havekes wrote:
5.21.58
NoCheckPassword
This optional parameter causes AuthBy not to check the password. This
means that any
password entered by the user will be accepted.
This parameter is use
What we've seen is that if a Windows client does EAP authentication,
regardless which one, and it fails it doesn't try to do a DHCP request
even if you reply a radius success and vlan attributes to the switch.
On 2015-02-24 12:12, Christian Kratzer wrote:
> Hi Sami,
>
> We made progress with our s
If you try to connect to an Oracle database install Oracle Instantclient
and DBD::Oracle.
On 2015-03-12 10:18, Mohammed Alhaj Ali wrote:
> Hi Hugh, but this lib file actually is there, and when I try to connect with
> other DBD ie. Oracle it also failed, how can I check if there any wrong with
>
Hi guys,
I wasn't able to find any information in the manual on subsecond
precision logging when you want to define your own timestamp format with
the placeholders shown in section 5.3.
LogMicroseconds in a block with LogFormatHook doesn't seem to
have an effect on %S and there is no placeholder f
Hi Heikki,
On 2015-04-03 17:57, Heikki Vatiainen wrote:
> On 04/03/2015 02:41 PM, Hartmaier Alexander wrote:
>
>> I wasn't able to find any information in the manual on subsecond
>> precision logging when you want to define your own timestamp format with
>> the plac
Usually this occurs if the EAPTLS_MaxFragmentSize is set too large in regards
to the smallest MTU of the path the Radius packets take.
1000 is a low value for an Ethernet infrastructure with a MTU of 1500 but you
might have tunnels or some other media with a smaller MTU in your path.
Another p
@Heikki: please read Tom Christiansen's great article about encoding:
http://stackoverflow.com/questions/6162484/why-does-modern-perl-avoid-utf-8-by-default/
Short summary: each input value has to be decoded, each output encoded,
everything else is useless!
BR Alex
On 2015-06-18 10:36, Heikki Vati
That is *great* news!
Especially the work on sharing state between instances, we had problems
with tacacs sessions from Cisco WLCs that authorize on a different
server than the authentication happened which led to non-working user
rights.
Regarding logging I'd love to see support for noSQL data
On 2015-06-19 09:16, Heikki Vatiainen wrote:
> On 06/18/2015 01:01 PM, Hartmaier Alexander wrote:
>
>> Especially the work on sharing state between instances, we had problems
>> with tacacs sessions from Cisco WLCs that authorize on a different
>> server than the authentica
Reduce the EAPTLS_MaxFragmentSize until the EAP Messages + Radius
attributes + all headers are smaller than your smallest path-MTU.
BR Alex
On 2015-07-06 15:46, Ullfig, Roberto Alfredo wrote:
> I just get a PEAP Failure. I snooped the packets and it's always the fourth
> challenge that fails. Wh
Hi Heikki,
that's a great release!
I couldn't find info about CEF and JSON logging in the reference manual,
should be included at least as keywords with a pointer to the
'logformat.cfg' goodies file although I'd prefer having it in the main docs.
Is there a way to log the used TLS version and cip
On 2015-07-16 15:07, Heikki Vatiainen wrote:
> On 16.7.2015 13.42, Hartmaier Alexander wrote:
>
>> I couldn't find info about CEF and JSON logging in the reference manual,
>> should be included at least as keywords with a pointer to the
>> 'logformat.cfg' goo
Hi guys,
when using the dictionary.cisco-vpn file we get the following warning on
startup:
WARNING: Attribute Cisco-VPN-WebVPN-HTML-Filter uses unknown type
'bitmap' on line 63
Please provide a fix in the patches, thanks!
Best regards, Alex
Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP and 3269 for LDAPS) you can't
specify a BaseDN, leave it empty!
Just
BaseDN
Best regards, Alex
On 2015-12-15 18:18, Joe
On Dec 17, 2015, at 9:06 AM, Hartmaier Alexander
<mailto:alexander.hartma...@t-systems.at>> wrote:
Hi,
sadly HoldServerConnection doesn't work for Active Directory for us.
Not sure if that's the source of your problem though.
If you search the Global Catalog (3268 for LDAP
be
excluded from the results.
As I've created this config years ago I don't remember the details but
it's still running fine.
Best regards, Alex
On 2015-12-22 22:08, Heikki Vatiainen wrote:
> On 12/20/2015 09:49 PM, Hartmaier Alexander wrote:
>
>> @Heikki: could you
Hi,
I'd say the client doesn't trust the radiator certificate and stops the
EAP conversation.
Best regards, Alex
On 2016-01-18 12:30, Christian Kratzer wrote:
> Hi Sami,
>
> On Mon, 18 Jan 2016, Sami Keski-Kasari wrote:
>> Hello Christian,
>>
>> Usually this kind of behaviour is due to MTU proble
Hi,
I'd like to add the time it took to craft a response for each request to
the logs.
In the reference manual I only found %E which is 'The elapsed time in
seconds since the packet was received. Can be used to log
processing time for proxied packets etc.'.
For this logging I'd need at least milli-
ly defines times in seconds.
>
> regards
>
> Hugh
>
>
>> On 23 Mar 2016, at 19:44, Hartmaier Alexander
>> wrote:
>>
>> Hi,
>> I'd like to add the time it took to craft a response for each request to
>> the logs.
>> In the reference manual I
Hi,
that's neat!
If you already calculate the response time can you please also expose it
via a special placeholder character?
I'd add this value to the AuthLog which goes via RabbitMQ to
Elasticsearch and can then be graphed in Kibana.
We only struggle with Radiator's logging in one place: the g
On 03/24/2016 01:18 PM, Hartmaier Alexander wrote:
If you already calculate the response time can you please also expose it
via a special placeholder character?
In the current patches there's the possibility to log RecvTime and
RecvTimeMicros which are the second and microsecond of the t
>> On 30 Mar 2016, at 20:57, Tuure Vartiainen wrote:
>>
>> Hi,
>>
>>> On 29 Mar 2016, at 11:53, Hartmaier Alexander
>>> wrote:
>>>
>>> I've copied the calculation code to my LogFormatHook code:
>>>
>>> $message-&
ar 2016, at 14:13, Hartmaier Alexander
>> wrote:
>>
>> yes this is the total auth time. Is one second a usual value for a
>> PEAP-TLS auth?
>>
> just out of curiosity, how do you calculate the total auth time?
>
> An EAP authentication takes around 4-10 r
Hi,
On 2016-03-30 15:10, Tuure Vartiainen wrote:
> Hi,
>
>> On 30 Mar 2016, at 14:55, Hartmaier Alexander
>> wrote:
>>
>> we use PEAP-TLS, EAP-PEAP as outer EAP type with EAP-TLS as inner.
>> Not sure if the outer EAP-PEAP adds any real security as the Radia
Hi,
I'm using 'Debug 12' inside of to troubleshoot TLS problems.
Have you set the port to 636 and UseSSL? UseTLS should really be named
UseSTARTTLS because it's quite irritating otherwise.
You also need to configure the root CA (not intermediate CA!) cert using
SSLCAFile.
I haven't the need t
Hi,
I've finished forwarding all logs from all our Radiator instances to
Elasticsearch through syslog-ng (no need to install custom software on
the Radiator Servers) and RabbitMQ.
The log messages emitted by ServerTACACSPLUS sadly lack all the standard
Radius attributes like Handler:Identifier, Us
On 2016-05-30 11:31, Heikki Vatiainen wrote:
> On 27.5.2016 16.04, Hartmaier Alexander wrote:
>
>> The log messages emitted by ServerTACACSPLUS sadly lack all the standard
>> Radius attributes like Handler:Identifier, User-Name, Client-Identifier etc.
>> Is there a way t
On 2016-05-31 15:24, Heikki Vatiainen wrote:
> On 31.5.2016 12.57, Hartmaier Alexander wrote:
>
>>>> - Could not get peer name on TacacsplusConnection socket: Transport
>>>> endpoint is not connected
>>> Hmm, that's happening very early within server t
Hi Heikki,
On 2016-06-10 09:39, Heikki Vatiainen wrote:
> On 8.6.2016 11.28, Hartmaier Alexander wrote:
>
>>> Hmm, do you get these often? Also, does your configuration have FarmSize
>>> enabled? This error occurs very early after the new connection has been
>>> a
Hi,
I've encountered some 'OTP Authentication failed: ()' logs and dug
deeper into where they're coming from.
In Radius/AuthOTP sub check_plain_password line 117 (4.16 with patches
1.1863):
else
{
my $result = $self->otp_verify($user, $submitted_pw, $p, $context);
return ($mai
On 2016-06-23 17:04, Heikki Vatiainen wrote:
> On 16.06.2016 17:55, Hartmaier Alexander wrote:
>
>> I've encountered some 'OTP Authentication failed: ()' logs and dug
>> deeper into where they're coming from.
>> Line 104 returns if $result is undefined, line
Hi Heikki,
On 2016-06-21 12:58, Heikki Vatiainen wrote:
> On 13.06.2016 10:27, Hartmaier Alexander wrote:
>
>>> I also noticed that we can get the peer IP and port from accept directly
>>> instead of calling getpeername(). What is done now is to check accept
>>>
On 2016-06-24 13:57, Heikki Vatiainen wrote:
> On 24.06.2016 14:08, Hartmaier Alexander wrote:
>
>>> We also thought about further improvements for unexpectedly closed
>>> connections so that they can be logged and handled more easily. However,
>>> this is th
Hi Julien,
I'd solve it by having two configurations, one for the static and one for the
dynamic address assignment.
The order is irrelevant, I'd put the one that's matching more often first.
Configure the AuthByPolicy of the Handler to ContinueUntilAccept so both cases
are checked until one ret
On 2016-06-29 13:32, Nadav Hod wrote:
> Hi,
>
> 2.1) I haven't dealt with OCSP in the context of RadSec, but rather as a
> scalable and faster alternative to CTL files in general when dealing with any
> certificate. Many of our applications already support OCSP, and it would be
> preferable to
Hi Heikki,
On 2016-06-29 12:41, Heikki Vatiainen wrote:
> On 28.6.2016 11.24, Hartmaier Alexander wrote:
>
>> Tue Jun 28 08:18:50 2016: DEBUG: ServerTACACSPLUS: New connection from
>> 1.2.3.4:11422
>> Tue Jun 28 08:18:50 2016: ERR: Could not get peer name on
>&g
On 2016-07-05 12:39, Heikki Vatiainen wrote:
> On 1.7.2016 21.43, Hartmaier Alexander wrote:
>
>> On 2016-06-29 13:32, Nadav Hod wrote:
> Hello Alexander, hello Nadav,
>
>>> 2.1) I haven't dealt with OCSP in the context of RadSec, but rather as a
>>> sca
As a general network design we try to stay away from multihomed servers
as much as possible as the server admins lack networking/routing
know-how which leads to failing connectivity all the time.
Direct server return has its own share of problems which is why we don't
use it anymore but this is pr
Hi Daniel,
we generate the Client config blocks using ClientListSQL from our NMS
database. The identifier is the hostname and we use the
OSC-Group-Identifier set to the support group name for further
distinguishment in the handlers.
We also add other metadata like OSC-Customer-Identifier for logg