(RADIATOR) Support for Microsoft groups with AuthBy LSA
Hugh Irvine
hugh at open.com.au
Mon Aug 7 16:59:22 CDT 2006
Hello John -
You will need to use two Handlers to split up the processing into the
"outer" and "inner" component parts.
Something like this:
LogDir c:\Program Files\Radiator
DbDir c:\Program Files\Radiator
AuthPort 1812
AcctPort 1813
# Use a lower trace level in production systems:
Trace 4
# You will probably want to add other Clients to suit your site,
# one for each NAS you want to work with
<Client DEFAULT>
Secret xxxxxxxx
DupInterval 0
</Client>
# This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
# handles the outer and inner requests for TTLS and PEAP. You can use
# it to authenticate almost anything against Microsoft Active Directory
# process "inner" request
<Handler TunnelledByPEAP = 1>
<AuthBy LSA>
# Specifies which Windows Domain is ALWAYS to be used to authenticate
# users (even if they specify a different domain in their username).
# Empty string means the local machine only
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#Domain OPEN
# Specifies the Windows Domain to use if the user does not
# specify a domain in their username.
# Special characters are supported. Can be an Active
# directory domain or a Windows NT domain controller
# domain name
# Empty string (the default) means the local machine
#DefaultDomain OPEN
# You can check whether each user is the member of a windows group
# with the Group parameter. If more than one Group is specified, then the
# user must be a member of at least one of them. Requires Win32::NetAdmin
# (which is installed by default with ActivePerl). If no Group
# parameters are specified, then Group checks will not be performed.
Group Administrators
Group Domain Users
# You can specify which domain controller will be used to check group
# membership with the DomainController parameter. If no Group parameters
# are specified, DomainController will not be used. Defaults to
# empty string, meaning the default controller of the host where this
# instance of Radiator is running.
#DomainController zulu
</AuthBy>
</Handler>
# process "outer" requests
<Handler>
<AuthBy FILE>
# this file only needs "anonymous"
Filename %D/users.anonymous
# EAPType sets the EAP type(s) that Radiator will honour.
# Options are: MD5-Challenge, One-Time-Password
# Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
# Multiple types can be comma separated. With the default (most
# preferred) type given first
EAPType PEAP, TTLS, MSCHAP-V2
# EAPTLS_CAFile is the name of a file of CA certificates
# in PEM format. The file can contain several CA certificates
# Radiator will first look in EAPTLS_CAFile then in
# EAPTLS_CAPath, so there usually is no need to set both
EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
# EAPTLS_CAPath is the name of a directory containing CA
# certificates in PEM format. The files each contain one
# CA certificate. The files are looked up by the CA
# subject name hash value
# EAPTLS_CAPath
# EAPTLS_CertificateFile is the name of a file containing
# the servers certificate. EAPTLS_CertificateType
# specifies the type of the file. Can be PEM or ASN1
# defaults to ASN1
EAPTLS_CertificateFile %D/certificates/cert-srv.pem
EAPTLS_CertificateType PEM
# EAPTLS_PrivateKeyFile is the name of the file containing
# the servers private key. It is sometimes in the same file
# as the server certificate (EAPTLS_CertificateFile)
# If the private key is encrypted (usually the case)
# then EAPTLS_PrivateKeyPassword is the key to decrypt it
EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
EAPTLS_PrivateKeyPassword whatever
# EAPTLS_RandomFile is an optional file containing
# randomness
# EAPTLS_RandomFile %D/certificates/random
# EAPTLS_MaxFragmentSize sets the maximum TLS fragment
# size that will be replied by Radiator. It must be small
# enough to fit in a single Radius request (ie less than 4096)
# and still leave enough space for other attributes
# Aironet APs seem to need a smaller MaxFragmentSize
# (eg 1024) than the default of 2048. Others need even smaller sizes.
EAPTLS_MaxFragmentSize 1000
# EAPTLS_DHFile if set specifies the DH group file. It
# may be required if you need to use ephemeral DH keys.
# EAPTLS_DHFile %D/certificates/cert/dh
# If EAPTLS_CRLCheck is set and the client presents a certificate
# then Radiator will look for a certificate revocation list (CRL)
# for the certificate issuer
# when authenticating each client. If a CRL file is not found, or
# if the CRL says the certificate has been revoked, the authentication will
# fail with an error:
# SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
# One or more CRLs can be named with the EAPTLS_CRLFile parameter.
# Alternatively, CRLs may follow a file naming convention:
# the hash of the issuer subject name
# and a suffix that depends on the serial number.
# eg ab1331b2.r0, ab1331b2.r1 etc.
# You can find out the hash of the issuer name in a CRL with
# openssl crl -in crl.pem -hash -noout
# CRLs with this name convention
# will be searched in EAPTLS_CAPath, else in the openssl
# certificates directory typically /usr/local/openssl/certs/
# CRLs are expected to be in PEM format.
# A CRL file can be generated with openssl like this:
# openssl ca -gencrl -revoke cert-clt.pem
# openssl ca -gencrl -out crl.pem
# Use of these flags requires Net_SSLeay-1.21 or later
#EAPTLS_CRLCheck
#EAPTLS_CRLFile %D/certificates/crl.pem
#EAPTLS_CRLFile %D/certificates/revocations.pem
# Some clients, depending on their configuration, may require you to specify
# MPPE send and receive keys. This _will_ be required if you select
# 'Keys will be generated automatically for data privacy' in the Funk Odyssey
# client Network Properties dialog.
# Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
# in the final Access-Accept
AutoMPPEKeys
# You can enable some warning messages from the Net::SSLeay
# module by setting SSLeayTrace to an integer from 1 to 4
# 1=ciphers, 2=trace, 3=dump data
SSLeayTrace 4
# You can configure the User-Name that will be used for the inner
# authentication. Defaults to 'anonymous'. This can be useful
# when proxying the inner authentication. If there is a realm, it can
# be used to choose a local Realm to handle the inner authentication.
# %0 is replaced with the EAP identity
EAPAnonymous %0
# You can enable or disable support for TTLS Session Resumption and
# PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
# Default is enabled
#EAPTLS_SessionResumption 0
# You can limit how long after the initial session that a session can be resumed
# with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
# (12 hours)
#EAPTLS_SessionResumptionLimit 10
EAPTLS_PEAPVersion 1
EAPTLS_PEAPBrokenV1Label
</AuthBy>
</Handler>
Note the use of "EAPAnonymous %0" in the AuthBy FILE above.
The "users.anonymous" file above just needs something like this:
# users.anonymous
anonymous Password = this.will.never.match.any.password
hope that helps
regards
Hugh
On 8 Aug 2006, at 05:08, romanjoh at msnotes.wustl.edu wrote:
> Thanks for the patch. However, I have tested it out and I have
> still not been able to authenticate using AuthBy LSA and groups.
> The problem (as I understand it to be) is that the attempts to
> check if a user is a member of a group always uses the username of
> anonymous. I have put in a bit of debugging code and sniffed the
> connection between the RADIUS server and the domain controllers and
> the evidence is consistent. Details below for those interested.
>
> The question then is how does one get the real username to pass to
> the GroupIsMember call?
>
> ---
> Evidence from the tests:
>
> I made changes to two routines in AuthLSA.pm:
>
> #####################################################################
> # Check if the user is in the global group
> sub userIsInGroup
> {
> my ($self, $user, $group) = @_;
>
> require Win32::NetAdmin;
> import Win32::NetAdmin;
>
> my ($domain, $username) = $self->crack_name($user);
> # Find the controller to use
> my $controller = $self->{DomainController};
> if (!defined $controller)
> {
> $controller = $self->{controllers}{$domain};
> if (!defined $controller)
> {
> &Win32::NetAdmin::GetDomainController(undef, $domain, $controller);
> $self->{controllers}{$domain} = $controller;
> }
> }
> ---> $self->log($main::LOG_DEBUG, "Group: $group Controller $controller User $user Username $username");
> return &Win32::NetAdmin::GroupIsMember($controller, $group, $username)
> || &Win32::NetAdmin::LocalGroupIsMember($controller, $group, $username);
> }
>
> #####################################################################
> # We subclass this to do special checks: there are no check items
> # except the password, and only if its not an EAP
> sub checkUserAttributes
> {
> my ($self, $user, $p) = @_;
>
> my $userName = $p->getUserName();
>
> # Check for required group membership
> if (defined $self->{Group})
> {
> my $ismember;
> foreach (@{$self->{Group}})
> {
> $ismember++, last if $self->userIsInGroup($userName, $_);
> }
> --> return ($main::REJECT, "AuthBy LSA LUser $user $userName is not a member of any Group")
> unless $ismember;
> }
>
> # Short circuit authentication in EAP requests ?
> return ($main::ACCEPT)
> if $p->getAttrByNum($Radius::Radius::EAP_MESSAGE);
>
> return ($main::ACCEPT) if $self->check_password($p, $p->decodedPassword(), $userName);
> return ($main::REJECT, 'AuthBy LSA Password check failed');
> }
>
> (the lines I changed/added are marked -->; the extra capital el is
> a slip of the finger)
>
> Here are the appropriate log snippets. The debug line in
> userIsInGroup produces the lines that indicate the Groups
> (Administrators, Domain Users) but the username is anonymous rather
> than romanjoh as needed.
>
> Mon Aug 7 13:45:58 2006: DEBUG: Handling request with Handler ''
> Mon Aug 7 13:45:58 2006: DEBUG: Deleting session for anonymous, 10.39.151.231, 877
> Mon Aug 7 13:45:58 2006: DEBUG: Handling with Radius::AuthLSA:
> Mon Aug 7 13:45:58 2006: DEBUG: Handling with EAP: code 2, 9, 71
> Mon Aug 7 13:45:58 2006: DEBUG: Response type 26
> Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA looks for match with MEDPRIV\romanjoh [anonymous]
> Mon Aug 7 13:45:58 2006: DEBUG: Group: Administrators Controller \\MEDPRIVDC2 User anonymous Username anonymous
> Mon Aug 7 13:45:58 2006: DEBUG: Group: Domain Users Controller \\MEDPRIVDC2 User anonymous Username anonymous
> Mon Aug 7 13:45:58 2006: DEBUG: Radius::AuthLSA REJECT: AuthBy LSA LUser Radius::User=HASH(0x1c48ba4) anonymous is not a member of any Group: MEDPRIV\romanjoh [anonymous]
> Mon Aug 7 13:45:58 2006: DEBUG: EAP result: 1, EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: DEBUG: AuthBy LSA result: REJECT, EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: INFO: Access rejected for anonymous: EAP MSCHAP V2 failed: no such user MEDPRIV\romanjoh
> Mon Aug 7 13:45:58 2006: DEBUG: Returned PEAP tunnelled packet dump:
>
> Here is the complete config file (renamed to radius.cfg, since we
> are installed and running as a Windows service)
>
> # lsa_eap_multi.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # PAP, EAP-TTLS and EAP-PEAP authentication as used by Windows XP
> # (starting with SP1) using AuthBy LSA and Microsoft Active Directory.
> #
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example will authenticate Wireless PEAP users from a Windows LSA, which
> # permits authentication against any Windows Active Directory Domain
> # or NT Domain.
> # It will accept requests from any client and try to handle request
> # for any realm.
> # To use this LSA, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled.
> # Note: AuthBy LSA is _only_ available on Windows 2000, 2003 and XP (not Home edition).
> #
> # To use this example, Radiator must be run on Windows as Administrator,
> # or as a user that has the 'Act as part of the operating system' security policy
> # enabled. This is not possible with Windows XP Home edition.
> #
> # Requires the Win32-Lsa perl module from Open System Consultants.
> # Install the Win32-Lsa perl module using PPM and ActivePerl 5.6.1 like this:
> # ppm install http://www.open.com.au/radiator/free-downloads/Win32-Lsa.ppd
> #
> # Users will only be authenticated if they have the 'Access this computer from the network'
> # security policy enabled. Their other account restrictions will also be checked
> # CHAP passwords can only be authenticated if the user has their
> # 'Store password using reversible encryption' option enabled in their Account
> #
> # In order to test this, you can use the sample test certificates
> # supplied with Radiator. For production, you
> # WILL need to install a real valid server certificate and
> # key for Radiator to use. Runs with openssl on Unix and Windows.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # Requires openssl and Net_SSLeay.
> #
> # You should consider this file to be a starting point only
> # $Id: lsa_eap_multi.cfg,v 1.2 2006/01/16 00:07:32 mikem Exp $
>
> LogDir c:\Program Files\Radiator
> DbDir c:\Program Files\Radiator
> AuthPort 1812
> AcctPort 1813
> # Use a lower trace level in production systems:
> Trace 4
>
> # You will probably want to add other Clients to suit your site,
> # one for each NAS you want to work with
> <Client DEFAULT>
> Secret xxxxxxxx
> DupInterval 0
> </Client>
>
> # This clause handles Radius PAP, CHAP, MSCHAP and MSCHAPV2 and also
> # handles the outer and inner requests for TTLS and PEAP. You can use
> # it to authenticate almost anything against Microsoft Active Directory
> <Handler>
> <AuthBy LSA>
> # Specifies which Windows Domain is ALWAYS to be used to authenticate
> # users (even if they specify a different domain in their username).
> # Empty string means the local machine only
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #Domain OPEN
>
> # Specifies the Windows Domain to use if the user does not
> # specify a domain in their username.
> # Special characters are supported. Can be an Active
> # directory domain or a Windows NT domain controller
> # domain name
> # Empty string (the default) means the local machine
> #DefaultDomain OPEN
>
> # You can check whether each user is the member of a windows group
> # with the Group parameter. If more than one Group is specified, then the
> # user must be a member of at least one of them. Requires Win32::NetAdmin
> # (which is installed by default with ActivePerl). If no Group
> # parameters are specified, then Group checks will not be performed.
> Group Administrators
> Group Domain Users
>
> # You can specify which domain controller will be used to check group
> # membership with the DomainController parameter. If no Group parameters
> # are specified, DomainController will not be used. Defaults to
> # empty string, meaning the default controller of the host where this
> # instance of Radiator is running.
> #DomainController zulu
>
>
> # EAPType sets the EAP type(s) that Radiator will honour.
> # Options are: MD5-Challenge, One-Time-Password
> # Generic-Token, TLS, TTLS, PEAP, MSCHAP-V2
> # Multiple types can be comma separated. With the default (most
> # preferred) type given first
> EAPType PEAP, TTLS, MSCHAP-V2
>
> # EAPTLS_CAFile is the name of a file of CA certificates
> # in PEM format. The file can contain several CA certificates
> # Radiator will first look in EAPTLS_CAFile then in
> # EAPTLS_CAPath, so there usually is no need to set both
> EAPTLS_CAFile %D/certificates/demoCA/cacert.pem
>
> # EAPTLS_CAPath is the name of a directory containing CA
> # certificates in PEM format. The files each contain one
> # CA certificate. The files are looked up by the CA
> # subject name hash value
> # EAPTLS_CAPath
>
> # EAPTLS_CertificateFile is the name of a file containing
> # the servers certificate. EAPTLS_CertificateType
> # specifies the type of the file. Can be PEM or ASN1
> # defaults to ASN1
> EAPTLS_CertificateFile %D/certificates/cert-srv.pem
> EAPTLS_CertificateType PEM
>
> # EAPTLS_PrivateKeyFile is the name of the file containing
> # the servers private key. It is sometimes in the same file
> # as the server certificate (EAPTLS_CertificateFile)
> # If the private key is encrypted (usually the case)
> # then EAPTLS_PrivateKeyPassword is the key to decrypt it
> EAPTLS_PrivateKeyFile %D/certificates/cert-srv.pem
> EAPTLS_PrivateKeyPassword whatever
>
> # EAPTLS_RandomFile is an optional file containing
> # randomness
> # EAPTLS_RandomFile %D/certificates/random
>
> # EAPTLS_MaxFragmentSize sets the maximum TLS fragment
> # size that will be replied by Radiator. It must be small
> # enough to fit in a single Radius request (ie less than 4096)
> # and still leave enough space for other attributes
> # Aironet APs seem to need a smaller MaxFragmentSize
> # (eg 1024) than the default of 2048. Others need even smaller sizes.
> EAPTLS_MaxFragmentSize 1000
>
> # EAPTLS_DHFile if set specifies the DH group file. It
> # may be required if you need to use ephemeral DH keys.
> # EAPTLS_DHFile %D/certificates/cert/dh
>
>
> # If EAPTLS_CRLCheck is set and the client presents a certificate
> # then Radiator will look for a certificate revocation list (CRL)
> # for the certificate issuer
> # when authenticating each client. If a CRL file is not found, or
> # if the CRL says the certificate has been revoked, the authentication will
> # fail with an error:
> # SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
> # One or more CRLs can be named with the EAPTLS_CRLFile parameter.
> # Alternatively, CRLs may follow a file naming convention:
> # the hash of the issuer subject name
> # and a suffix that depends on the serial number.
> # eg ab1331b2.r0, ab1331b2.r1 etc.
> # You can find out the hash of the issuer name in a CRL with
> # openssl crl -in crl.pem -hash -noout
> # CRLs with this name convention
> # will be searched in EAPTLS_CAPath, else in the openssl
> # certificates directory typically /usr/local/openssl/certs/
> # CRLs are expected to be in PEM format.
> # A CRL file can be generated with openssl like this:
> # openssl ca -gencrl -revoke cert-clt.pem
> # openssl ca -gencrl -out crl.pem
> # Use of these flags requires Net_SSLeay-1.21 or later
> #EAPTLS_CRLCheck
> #EAPTLS_CRLFile %D/certificates/crl.pem
> #EAPTLS_CRLFile %D/certificates/revocations.pem
>
> # Some clients, depending on their configuration, may require you to specify
> # MPPE send and receive keys. This _will_ be required if you select
> # 'Keys will be generated automatically for data privacy' in the Funk Odyssey
> # client Network Properties dialog.
> # Automatically sets MS-MPPE-Send-Key and MS-MPPE-Recv-Key
> # in the final Access-Accept
> AutoMPPEKeys
>
> # You can enable some warning messages from the Net::SSLeay
> # module by setting SSLeayTrace to an integer from 1 to 4
> # 1=ciphers, 2=trace, 3=dump data
> SSLeayTrace 4
>
> # You can configure the User-Name that will be used for the inner
> # authentication. Defaults to 'anonymous'. This can be useful
> # when proxying the inner authentication. If there is a realm, it can
> # be used to choose a local Realm to handle the inner authentication.
> # %0 is replaced with the EAP identity
> # EAPAnonymous anonymous at some.other.realm
>
> # You can enable or disable support for TTLS Session Resumption and
> # PEAP Fast Reconnect with the EAPTLS_SessionResumption flag.
> # Default is enabled
> #EAPTLS_SessionResumption 0
>
> # You can limit how long after the initial session that a session can be resumed
> # with EAPTLS_SessionResumptionLimit (time in seconds). Defaults to 43200
> # (12 hours)
> #EAPTLS_SessionResumptionLimit 10
> EAPTLS_PEAPVersion 1
> EAPTLS_PEAPBrokenV1Label
> </AuthBy>
> </Handler>
>
> Hugh Irvine <hugh at open.com.au>
> Sent by: owner-radiator at open.com.au
> 08/02/2006 06:28 PM
> To: romanjoh at msnotes.wustl.edu
> cc: radiator at open.com.au
> Subject: Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
>
>
> Hello John -
>
> We have just added some additional group checking in AuthBy LSA -
> perhaps you could test it for us?
>
> The patches are available in the Radiator 3.15 patch set.
>
> thanks and regards
>
> Hugh
>
>
> On 2 Aug 2006, at 23:25, romanjoh at msnotes.wustl.edu wrote:
>
> > Here is a link that explains the three types of group:
> >
> > http://technet2.microsoft.com/WindowsServer/en/library/79d93e46-ecab-4165-8001-7adc3c9f804e1033.mspx?mfr=true
> >
> > The highlights: "There are three group scopes: universal, global,
> > and domain local.
> >
> > Members of universal groups can include other groups and accounts
> > from any domain in the domain tree or forest and can be assigned
> > permissions in any domain in the domain tree or forest.
> >
> > Members of global groups can include other groups and accounts only
> > from the domain in which the group is defined and can be assigned
> > permissions in any domain in the forest.
> >
> > Members of domain local groups can include other groups and
> > accounts from Windows Server 2003, Windows 2000, or Windows NT
> > domains and can be assigned permissions only within a domain."
> >
> >
> > Here is another link:
> > http://www.samspublishing.com/articles/article.asp?p=98126&seqNum=2&rl=1
> >
> > Our need is to permit wireless access to members of a group. The
> > group is in one domain (the forest root domain) and the users are
> > in subdomains in that forest. This requires the use of universal
> > groups rather than global groups. I have just exhausted my
> > understanding of things Microsoft since I come from the networking
> > side, but if you have more questions let me know. I do wonder what
> > is the difference between global and universal groups that they are
> > treated differently in the system call below.
> >
> > Many thanks,
> >
> > john
> >
> > Hugh Irvine <hugh at open.com.au>
> > 08/02/2006 03:41 AM
> > To: romanjoh at msnotes.wustl.edu
> > cc: radiator at open.com.au
> > Subject: Re: (RADIATOR) Support for Microsoft groups with AuthBy LSA
> >
> >
> >
> > Hello John -
> >
> > At the moment Radiator only supports Global groups - but can you
> > point us to some description of Universal groups?
> >
> > regards
> >
> > Hugh
> >
> >
> > On 2 Aug 2006, at 02:42, romanjoh at msnotes.wustl.edu wrote:
> >
> > > We are evaluating Radiator to replace another Radius server, and
> > > our need is to be able to authenticate users by Microsoft groups.
> > > Specifically, we need support for universal groups. Three types of
> > > Microsoft groups: Domain Local Groups, Global Groups, and Universal
> > > Groups.
> > >
> > > The documentation indicates in 5.51.7 that "Only Global groups are
> > > supported" for Groups in AuthBy LSA. The Perl code is:
> > > Win32::NetAdmin::GroupIsMember($controller, $group, $username) in
> > > AuthLSA.pm. I have not been able to tell from the ActiveState/
> > > Win32::NetAdmin documentation which types of groups are supported.
> > >
> > > Does this mean (as it appears) that Universal Groups are not
> > > supported? Does anyone have any experience or knowledge?
> > >
> > >
> > > John Roman
> > >
> > > jroman at wustl.edu
> > > Manager, Network Services
> > > Washington University
> > > Box 8132
> > > 660 S Euclid Avenue
> > > Saint Louis, MO 63110
> > > 314-362-7334
> >
> >
> >
> > NB:
> >
> > Have you read the reference manual ("doc/ref.html")?
> > Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
> > Have you had a quick look on Google (www.google.com)?
> > Have you included a copy of your configuration file (no secrets),
> > together with a trace 4 debug showing what is happening?
> >
> > --
> > Radiator: the most portable, flexible and configurable RADIUS server
> > anywhere. Available on *NIX, *BSD, Windows, MacOS X.
> > Includes support for reliable RADIUS transport (RadSec),
> > and DIAMETER translation agent.
> > -
> > Nets: internetwork inventory and management - graphical, extensible,
> > flexible with hardware, software, platform and database independence.
> > -
> > CATool: Private Certificate Authority for Unix and Unix-like systems.
> >
> >
> >
>
>
>
>
>
> --
> Archive at http://www.open.com.au/archives/radiator/
> Announcements on radiator-announce at open.com.au
> To unsubscribe, email 'majordomo at open.com.au' with
> 'unsubscribe radiator' in the body of the message.
>
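Added example (not part of the original thread and not Radiator code): a small Python check that reads a Radiator-style configuration and reports the two conditions behind the rejected group check in the quoted log, namely an inner request whose User-Name is not the EAP identity and a Group check living in the clause that also terminates the tunnel. The parser, function names and trimmed sample configs are constructed for illustration; only Handler, AuthBy, Group, EAPType, EAPAnonymous and TunnelledByPEAP come from the thread.

```python
import re

TUNNEL_TYPES = {"PEAP", "TTLS"}  # EAP types that carry an inner request

# Constructed sample: the single-Handler layout from the quoted message, trimmed.
SINGLE_HANDLER = """\
<Handler>
  <AuthBy LSA>
    Group Administrators
    Group Domain Users
    EAPType PEAP, TTLS, MSCHAP-V2
  </AuthBy>
</Handler>
"""

# Constructed sample: the two-Handler layout from the reply, trimmed.
SPLIT_HANDLERS = """\
<Handler TunnelledByPEAP = 1>
  <AuthBy LSA>
    Group Administrators
    Group Domain Users
  </AuthBy>
</Handler>
<Handler>
  <AuthBy FILE>
    Filename %D/users.anonymous
    EAPType PEAP, TTLS, MSCHAP-V2
    EAPAnonymous %0
  </AuthBy>
</Handler>
"""


def inner_user_name(eap_identity, eap_anonymous="anonymous"):
    """User-Name given to the inner request: %0 becomes the EAP identity."""
    return eap_anonymous.replace("%0", eap_identity)


def parse_handlers(text):
    """Parse <Handler>/<AuthBy> clauses into dicts (comments and blanks skipped)."""
    handlers, handler, authby = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if m := re.match(r"<Handler\s*(.*?)>$", line):
            handler = {"check": m.group(1).strip(), "authbys": []}
            handlers.append(handler)
        elif handler is not None and (m := re.match(r"<AuthBy\s+(\S+)>$", line)):
            authby = {"type": m.group(1), "params": []}
            handler["authbys"].append(authby)
        elif line == "</AuthBy>":
            authby = None
        elif line == "</Handler>":
            handler = None
        elif authby is not None:
            parts = line.split(None, 1)
            authby["params"].append((parts[0], parts[1] if len(parts) > 1 else ""))
    return handlers


def audit(text):
    """Return (AuthBy type, finding) pairs for the two points the reply makes."""
    findings = []
    for h in parse_handlers(text):
        inner_only = re.search(r"TunnelledByPEAP\s*=\s*1", h["check"]) is not None
        for a in h["authbys"]:
            params = a["params"]
            has_group = any(n == "Group" for n, _ in params)
            eap_types = {t.strip() for n, v in params if n == "EAPType"
                         for t in v.split(",")}
            anon = [v for n, v in params if n == "EAPAnonymous"]
            if not (eap_types & TUNNEL_TYPES):
                continue  # this clause does not terminate a PEAP/TTLS tunnel
            if not any("%0" in v for v in anon):
                findings.append((a["type"], "inner User-Name is not the EAP identity"))
            if has_group and not inner_only:
                findings.append((a["type"], "Group check in the clause that terminates the tunnel"))
    return findings


if __name__ == "__main__":
    print(audit(SINGLE_HANDLER))
    print(audit(SPLIT_HANDLERS))
```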