[RADIATOR] (RADIATOR) Patch to hide user password when using tacacs+ and trace 4, 5

Hugh Irvine hugh at open.com.au
Wed Jun 10 17:32:46 CDT 2009


Hello Peter -

I replied to this yesterday.

Trace 4 (and 5) are meant for debugging purposes, and hence display as  
much information as possible.

For normal production you would normally run Trace 3.

regards

Hugh


On 10 Jun 2009, at 01:08, Peter Havekes wrote:

> When using EAP-TTLS + PAP the cleartext passwords are also being  
> logged at trace level 5. Is this a feature or a bug?
>
> See example logging (xxxxxxx's are the password):
>
> Code:       Access-Request
> Identifier: 151
> Authentic:  <0><167>v<251>rtY<18>4<131><231>r?<208><8>M
> Attributes:
>         NAS-Port-Id = "AP11/1"
>         Calling-Station-Id = "00-02-78-DF-B5-E5"
>         Called-Station-Id = "00-0B-0E-29-51-C2:eduroam"
>         Service-Type = Framed-User
>         User-Name = "anonymous at avans.nl"
>         NAS-Port = 46947
>         EAP-Message = <2><9><0>S<21><0><23><3><1><0>Hf<151><149><163><15><152><249><31><141><168><161>Uc3? K<133><203><241>\V<195>=:<3>C<139>ik<245>#.<133><1
>         NAS-Port-Type = 19
>         NAS-IP-Address = 145.48.82.51
>         NAS-Identifier = "Trapeze"
>         Message-Authenticator = <149><175>Sq@<156><248><128>- 
> <142><143><198><236><170><153><165>
>
> Tue Jun  9 10:51:49 2009: DEBUG: Handling request with Handler 'Called-Station-Id=/.*eduroam.*/,Realm=avans.nl,User-Name=/@/'
> Tue Jun  9 10:51:49 2009: DEBUG:  Deleting session for anonymous at avans.nl, 145.48.82.51, 46947
> Tue Jun  9 10:51:49 2009: DEBUG: Handling with Radius::AuthFILE:
> Tue Jun  9 10:51:49 2009: DEBUG: Handling with EAP: code 2, 9, 83, 21
> Tue Jun  9 10:51:49 2009: DEBUG: Response type 21
> Tue Jun  9 10:51:49 2009: DEBUG: EAP TTLS data, 3, 9, 8
> Tue Jun  9 10:51:49 2009: DEBUG: TTLS Tunnelled Diameter Packet dump:
> Code:       UNDEF
> Identifier: UNDEF
> Authentic:  UNDEF
> Attributes:
>         User-Name = "phavekes at avans.nl"
>         User-Password = "xxxxxxxxxxxxxxxxx"
>
> Mike McCauley wrote:
>>
>> Hello Markus,
>>
>> On Monday 08 June 2009 08:43:10 pm Markus Moeller wrote:
>>
>>> Hi Mike,
>>>
>>>    I can't see what has changed. Can you point me to which file  
>>> has changed
>>> please ?
>>>
>>
>> ServerTACACSPLUS.pm, about line 682.
>>
>> Cheers.
>>
>>
>>> Thank you
>>> Markus
>>> ----- Original Message -----
>>> From: "Mike McCauley" <mikem at open.com.au>
>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>> Cc: <radiator at open.com.au>
>>> Sent: Friday, June 05, 2009 11:26 PM
>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>> whenusingtacacs+ and trace 4, 5
>>>
>>>
>>>> Hello Markus,
>>>>
>>>> thanks for your note.
>>>> Our analysis shows that the fix required was different to the one  
>>>> you
>>>> sent.
>>>> However, we have made the appropriate fix, and it is now  
>>>> available in the
>>>> latest patch set.
>>>> We apologise for any inconvenience.
>>>>
>>>> Please let me know how you get on.
>>>> Cheers.
>>>>
>>>> On Saturday 06 June 2009 05:54:14 am Markus Moeller wrote:
>>>>
>>>>> Sorry it seems I overlooked another place where the TACACS  
>>>>> password is
>>>>> logged in clear.
>>>>>
>>>>> Would it be possible to change in line 573 in  
>>>>> ServerTACACSPLUS.pm  the
>>>>> following:
>>>>>
>>>>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $tp->dump)
>>>>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>>
>>>>> to (or similar):
>>>>>
>>>>>     my $dump = $tp->dump;
>>>>>     $dump =~ s/User-Password = .*\n/User-Password = XXX\n/g;
>>>>>     $dump =~ s/User-Password = .*$/User-Password = XXX/g;
>>>>>     &main::log($main::LOG_DEBUG, "TACACSPLUS derived Radius request packet dump:\n" . $dump)
>>>>>         if (&main::willLog($main::LOG_DEBUG, $self->{parent}));
>>>>>
>>>>> Thank you
>>>>> Markus
>>>>>
>>>>>
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>> To: "Mike McCauley" <mikem at open.com.au>; <radiator at open.com.au>
>>>>> Sent: Sunday, January 25, 2009 12:25 PM
>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>>> whenusingtacacs+ and trace 4, 5
>>>>>
>>>>>
>>>>>> Thank you
>>>>>> Markus
>>>>>>
>>>>>> ----- Original Message -----
>>>>>> From: "Mike McCauley" <mikem at open.com.au>
>>>>>> To: <radiator at open.com.au>
>>>>>> Cc: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>> Sent: Saturday, January 24, 2009 11:37 PM
>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password  
>>>>>> when
>>>>>> usingtacacs+ and trace 4, 5
>>>>>>
>>>>>>
>>>>>>> Hello Markus,
>>>>>>>
>>>>>>> On Thursday 22 January 2009 07:34:43 am Markus Moeller wrote:
>>>>>>>
>>>>>>>> Sorry, but what are your thoughts on this now ?
>>>>>>>>
>>>>>>> We have now made changes to Tacacs+ authentication so that the
>>>>>>> plaintext
>>>>>>> password is not logged, even at DEBUG level.
>>>>>>>
>>>>>>> The change is now in the latest patch set.
>>>>>>>
>>>>>>> Thanks for your suggestion.
>>>>>>>
>>>>>>> Cheers.
>>>>>>>
>>>>>>>
>>>>>>>> Thank you
>>>>>>>> Markus
>>>>>>>>
>>>>>>>> ----- Original Message -----
>>>>>>>> From: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>>> To: "Hugh Irvine" <hugh at open.com.au>
>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>> Sent: Thursday, January 15, 2009 8:30 PM
>>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user  
>>>>>>>> password when
>>>>>>>> usingtacacs+ and trace 4, 5
>>>>>>>>
>>>>>>>>
>>>>>>>>> Hugh,
>>>>>>>>>
>>>>>>>>> I am a bit surprised about your answer.  One of the differences
>>>>>>>>> between Tacacs+ and Radius is that Tacacs+ encrypts the whole
>>>>>>>>> communication between the NAS device and the Tacacs server and
>>>>>>>>> sends
>>>>>>>>> all AV pairs in clear through the encrypted "tunnel" (The  
>>>>>>>>> same way
>>>>>>>>> as
>>>>>>>>> EAP-TLS does), whereas Radius uses clear text communication  
>>>>>>>>> with
>>>>>>>>> an encrypted password
>>>>>>>>> in the password AV pair. So when you dump the AV pairs for  
>>>>>>>>> Tacacs+
>>>>>>>>> (and
>>>>>>>>> EAP-TLS) it is after decrypting the tunnel, so it is all  
>>>>>>>>> visible.
>>>>>>>>> When you dump the AV pairs with Radius you have still the
>>>>>>>>> encrypted password.
>>>>>>>>>
>>>>>>>>> Here is a trace 4 output, where XXX is the password.
>>>>>>>>>
>>>>>>>>> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
>>>>>>>>> Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
>>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
>>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, XXX,
>>>>>>>>> Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
>>>>>>>>> Code:       Access-Request
>>>>>>>>> Identifier: UNDEF
>>>>>>>>> Authentic:  N<244>d]<242><195><216><219>X<176><253>
>>>>>>>>> <19><127><137><183>
>>>>>>>>> Attributes:
>>>>>>>>>        NAS-IP-Address = 10.1.3.1
>>>>>>>>>        NAS-Port-Id = "tty18"
>>>>>>>>>        Calling-Station-Id = "10.2.5.2"
>>>>>>>>>        Service-Type = Login-User
>>>>>>>>>        AuthType = tacacs
>>>>>>>>>        User-Name = "markus"
>>>>>>>>>        User-Password = XXX
>>>>>>>>>        DeviceType = generic
>>>>>>>>>        DeviceGroup = global
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Regards
>>>>>>>>> Markus
>>>>>>>>>
>>>>>>>>> ----- Original Message -----
>>>>>>>>> From: "Hugh Irvine" <hugh at open.com.au>
>>>>>>>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>>> Sent: Thursday, January 15, 2009 1:06 AM
>>>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user password
>>>>>>>>> when using
>>>>>>>>> tacacs+ and trace 4, 5
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>> Hello Markus -
>>>>>>>>>>
>>>>>>>>>> Can we first of all determine whether or not Radiator logs
>>>>>>>>>> cleartext
>>>>>>>>>> passwords?
>>>>>>>>>>
>>>>>>>>>> We don't think it does, but if we are wrong please correct  
>>>>>>>>>> us.
>>>>>>>>>>
>>>>>>>>>> Our reluctance has to do with the fact that a simple protocol
>>>>>>>>>> sniffer will show you exactly the same thing as is shown by
>>>>>>>>>> Radiator
>>>>>>>>>> - ie. obfuscated passwords.
>>>>>>>>>>
>>>>>>>>>> Our reluctance is also due to the fact that a debug is  
>>>>>>>>>> meant to
>>>>>>>>>> provide
>>>>>>>>>> all of the information needed to fix problems - and the   
>>>>>>>>>> biggest
>>>>>>>>>> problem
>>>>>>>>>> tends to be with passwords.
>>>>>>>>>>
>>>>>>>>>> If you can show us that Radiator is logging cleartext  
>>>>>>>>>> passwords
>>>>>>>>>> we will
>>>>>>>>>> look at fixing it.
>>>>>>>>>>
>>>>>>>>>> If Radiator is logging the same packet data as shown by a
>>>>>>>>>> sniffer, then
>>>>>>>>>> we probably won't change anything.
>>>>>>>>>>
>>>>>>>>>> regards
>>>>>>>>>>
>>>>>>>>>> Hugh
>>>>>>>>>>
>>>>>>>>>> On 15 Jan 2009, at 08:38, Markus Moeller wrote:
>>>>>>>>>>
>>>>>>>>>>> Sorry to be persistent, but I don't understand your
>>>>>>>>>>> unwillingness to hide the password during trace. Let me  
>>>>>>>>>>> try to
>>>>>>>>>>> explain again why
>>>>>>>>>>> I need
>>>>>>>>>>> it.
>>>>>>>>>>>
>>>>>>>>>>> We want to use Radiator as main  Radius and Tacacs
>>>>>>>>>>> authentication server which forwards the requests to our  
>>>>>>>>>>> central
>>>>>>>>>>> Active Directory
>>>>>>>>>>> for
>>>>>>>>>>> password verification.  The server will be maintained by an
>>>>>>>>>>> operations
>>>>>>>>>>> team of several people, who from time to time need to add
>>>>>>>>>>> devices
>>>>>>>>>>> and
>>>>>>>>>>> troubleshoot issues. They are not always skilled enough   
>>>>>>>>>>> to know
>>>>>>>>>>> what
>>>>>>>>>>> trace level to use (e.g. 3,4 or higher (usually  highest  
>>>>>>>>>>> is best
>>>>>>>>>>> for them)), so they would see during troubleshooting  user
>>>>>>>>>>> passwords which
>>>>>>>>>>> possibly go into log files. Our internal audit  would not  
>>>>>>>>>>> accept
>>>>>>>>>>> such a
>>>>>>>>>>> solution. They are saying "You don't leave  your cash  
>>>>>>>>>>> openly on
>>>>>>>>>>> your desk in the office. You will put it in the  drawer  
>>>>>>>>>>> even if
>>>>>>>>>>> it
>>>>>>>>>>> is unlocked to avoid any temptation."  It is not  against
>>>>>>>>>>> malicious
>>>>>>>>>>> users
>>>>>>>>>>> as we know there are always ways to get  around for  
>>>>>>>>>>> privileged
>>>>>>>>>>> users,
>>>>>>>>>>> but they have to actively break rules  to get to passwords.
>>>>>>>>>>>
>>>>>>>>>>> A custom solution is also not acceptable as any patch needs to be
>>>>>>>>>>> verified against the changes etc....
>>>>>>>>>>>
>>>>>>>>>>> Could you reconsider your answer ?
>>>>>>>>>>>
>>>>>>>>>>> Thank you
>>>>>>>>>>> Markus
>>>>>>>>>>>
>>>>>>>>>>> ----- Original Message ----- From: "Hugh Irvine"
>>>>>>>>>>> <hugh at open.com.au>
>>>>>>>>>>> To: "Markus Moeller" <huaraz at moeller.plus.com>
>>>>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>>>>> Sent: Wednesday, January 14, 2009 7:02 AM
>>>>>>>>>>> Subject: Re: [RADIATOR] (RADIATOR) Patch to hide user  
>>>>>>>>>>> password
>>>>>>>>>>> when
>>>>>>>>>>> using tacacs+ and trace 4, 5
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>> Hello Markus -
>>>>>>>>>>>>
>>>>>>>>>>>> All I can suggest is your own custom code.
>>>>>>>>>>>>
>>>>>>>>>>>> regards
>>>>>>>>>>>>
>>>>>>>>>>>> Hugh
>>>>>>>>>>>>
>>>>>>>>>>>> On 14 Jan 2009, at 10:57, Markus Moeller wrote:
>>>>>>>>>>>>
>>>>>>>>>>>>> I still would like to see the password hidden during  
>>>>>>>>>>>>> debug.
>>>>>>>>>>>>> What
>>>>>>>>>>>>> would convince you to include it ?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>> Markus
>>>>>>>>>>>>>
>>>>>>>>>>>>> ----- Original Message ----- From: "Markus Moeller"
>>>>>>>>>>>>> <huaraz at moeller.plus.com
>>>>>>>>>>>>>
>>>>>>>>>>>>> To: "Bjoern A. Zeeb" <bz-lists at cksoft.de>
>>>>>>>>>>>>> Cc: <radiator at open.com.au>
>>>>>>>>>>>>> Sent: Monday, March 10, 2008 1:11 AM
>>>>>>>>>>>>> Subject: Re: (RADIATOR) Patch to hide user password when  
>>>>>>>>>>>>> using
>>>>>>>>>>>>> tacacs + and trace 4,5
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>>> On Sun, 9 Mar 2008, Markus Moeller wrote:
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Hi,
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> The User-Password attribute is encoded when Radius is  
>>>>>>>>>>>>>>>> used
>>>>>>>>>>>>>>>> and
>>>>>>>>>>>>>>>> the logging with trace 4 or 5 does not reveal the  
>>>>>>>>>>>>>>>> password.
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You mean the password is not revealed because it is
>>>>>>>>>>>>>>> "mangled/obfuscated"?
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Yes
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> You know the authenticator, you know the secret thus you
>>>>>>>>>>>>>>> know the
>>>>>>>>>>>>>>> plaintext password when looking at your tracelevel 4  
>>>>>>>>>>>>>>> logs.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I also forward messages with syslog to a central syslog
>>>>>>>>>>>>>> server for
>>>>>>>>>>>>>> monitoring (although usually not with trace 4,5 but can
>>>>>>>>>>>>>> happen
>>>>>>>>>>>>>> when debugging)
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> If you say, but if joe random on that machine sees the  
>>>>>>>>>>>>>>> logs
>>>>>>>>>>>>>>> he
>>>>>>>>>>>>>>> doesn't
>>>>>>>>>>>>>>> know the secret, then it's a matter of the
>>>>>>>>>>>>>>> ownership/permissions of your logfiles as it would be of
>>>>>>>>>>>>>>> your radius configuration.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I may have logfiles readable for operators but not the
>>>>>>>>>>>>>> clients file
>>>>>>>>>>>>>> with the secrets
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> A tracelevel > 3 is there for aiding in debugging and  
>>>>>>>>>>>>>>> it's
>>>>>>>>>>>>>>> pretty
>>>>>>>>>>>>>>> obvious that you can get a lot of information that way  
>>>>>>>>>>>>>>> to
>>>>>>>>>>>>>>> find
>>>>>>>>>>>>>>> a problem.  That's how the system is designed to work.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> True, but for example the radius code has also a section
>>>>>>>>>>>>>> commented
>>>>>>>>>>>>>> to not log the cleartext password.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> just my 2cts.
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Thank you
>>>>>>>>>>>>>> Markus
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>> Dipl. Ing. (BA) Bjoern A. Zeeb          Research &
>>>>>>>>>>>>>>> Development
>>>>>>>>>>>>>>> CK Software GmbH
>>>>>>>>>>>>>>> http://www.cksoft.de/ Schwarzwaldstr. 31
>>>>>>>>>>>>>>>  Phone: +49 7452 889 135
>>>>>>>>>>>>>>> D-71131 Jettingen                       Fax: +49 7452  
>>>>>>>>>>>>>>> 889
>>>>>>>>>>>>>>> 136 HRB245288, Amtsgericht Stuttgart
>>>>>>>>>>>>>>> Geschaeftsfuehrer: Christian Kratzer
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --
>>>>>>>>>>>>>> Archive at http://www.open.com.au/archives/radiator/
>>>>>>>>>>>>>> Announcements on radiator-announce at open.com.au
>>>>>>>>>>>>>> To unsubscribe, email 'majordomo at open.com.au' with
>>>>>>>>>>>>>> 'unsubscribe radiator' in the body of the message.
>>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> radiator mailing list
>>>>>>>>>>>>> radiator at open.com.au
>>>>>>>>>>>>> http://www.open.com.au/mailman/listinfo/radiator
>>>>>>>>>>>>>
>>>>>>>>>>>> NB:
>>>>>>>>>>>>
>>>>>>>>>>>> Have you read the reference manual ("doc/ref.html")?
>>>>>>>>>>>> Have you searched the mailing list archive
>>>>>>>>>>>> (www.open.com.au/archives/radiator)?
>>>>>>>>>>>> Have you had a quick look on Google (www.google.com)?
>>>>>>>>>>>> Have you included a copy of your configuration file (no
>>>>>>>>>>>> secrets),
>>>>>>>>>>>> together with a trace 4 debug showing what is happening?
>>>>>>>>>>>> Have you checked the RadiusExpert wiki:
>>>>>>>>>>>> http://www.open.com.au/wiki/index.php/Main_Page
>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>> Radiator: the most portable, flexible and configurable  
>>>>>>>>>>>> RADIUS
>>>>>>>>>>>> server
>>>>>>>>>>>> anywhere. Available on *NIX, *BSD, Windows, MacOS X.
>>>>>>>>>>>> Includes support for reliable RADIUS transport (RadSec),
>>>>>>>>>>>> and DIAMETER translation agent.
>>>>>>>>>>>> -
>>>>>>>>>>>> Nets: internetwork inventory and management - graphical,
>>>>>>>>>>>> extensible,
>>>>>>>>>>>> flexible with hardware, software, platform and database
>>>>>>>>>>>> independence.
>>>>>>>>>>>> -
>>>>>>>>>>>> CATool: Private Certificate Authority for Unix and Unix- 
>>>>>>>>>>>> like
>>>>>>>>>>>> systems.
>>>>>>>>>>>>
>>>>>>>>
>>>>>>> --
>>>>>>> Mike McCauley                               mikem at open.com.au
>>>>>>> Open System Consultants Pty. Ltd
>>>>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>>>>> http://www.open.com.au Phone +61 7 5598-7474
>>>>>>> Fax +61 7 5598-7070
>>>>>>>
>>>>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>>>>> server
>>>>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,  
>>>>>>> Emerald,
>>>>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory,  
>>>>>>> EAP,
>>>>>>> TLS,
>>>>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, DIAMETER etc. Full source
>>>>>>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>>>>
>>>> --
>>>> Mike McCauley                               mikem at open.com.au
>>>> Open System Consultants Pty. Ltd
>>>> 9 Bulbul Place Currumbin Waters QLD 4223 Australia
>>>> http://www.open.com.au
>>>> Phone +61 7 5598-7474                       Fax   +61 7 5598-7070
>>>>
>>>> Radiator: the most portable, flexible and configurable RADIUS  
>>>> server
>>>> anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT,  
>>>> Emerald,
>>>> Platypus, Freeside, TACACS+, PAM, external, Active Directory,  
>>>> EAP, TLS,
>>>> TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, DIAMETER etc. Full  
>>>> source
>>>> on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
>>>>
>>
>>
>>
>>
>



NB:

Have you read the reference manual ("doc/ref.html")?
Have you searched the mailing list archive (www.open.com.au/archives/radiator)?
Have you had a quick look on Google (www.google.com)?
Have you included a copy of your configuration file (no secrets),
together with a trace 4 debug showing what is happening?
Have you checked the RadiusExpert wiki:
http://www.open.com.au/wiki/index.php/Main_Page

-- 
Radiator: the most portable, flexible and configurable RADIUS server
anywhere. Available on *NIX, *BSD, Windows, MacOS X.
Includes support for reliable RADIUS transport (RadSec),
and DIAMETER translation agent.
-
Nets: internetwork inventory and management - graphical, extensible,
flexible with hardware, software, platform and database independence.
-
CATool: Private Certificate Authority for Unix and Unix-like systems.
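
The masking discussed in this thread, as an added example (not Radiator code and not written by any poster): a Python filter that scrubs trace 4/5 output before it is forwarded, for instance to the central syslog server mentioned above. The field order of the TacacsplusConnection lines is an assumption inferred from the trace quoted in the thread, and the sample lines and the password in them are constructed.

```python
import re

REDACTED = "<redacted>"

# Packet dumps print 'User-Password = "secret"' (TTLS inner request) or
# 'User-Password = secret' (TACACS+-derived request): keep the name, drop the value.
ATTR_RE = re.compile(r"(User-Password\s*=\s*).*$")

# Assumed field order, inferred from the trace quoted in the thread:
#   "... TacacsplusConnection Authentication REPLY <status>, <flags>, <prompt>,"
#   "... TacacsplusConnection Authentication CONTINUE <flags>, <user_msg>,"
REPLY_RE = re.compile(r"TacacsplusConnection Authentication REPLY (\d+), (\d+),")
CONTINUE_RE = re.compile(r"^(.*TacacsplusConnection Authentication CONTINUE \d+, ).*$")

GETPASS = 5     # TAC_PLUS_AUTHEN_STATUS_GETPASS (RFC 8907)
NOECHO = 0x01   # TAC_PLUS_REPLY_FLAG_NOECHO (RFC 8907)


def scrub(lines):
    """Yield trace lines with password material replaced by REDACTED."""
    secret_expected = False          # True after the server asked for a password
    for line in lines:
        line = line.rstrip("\n")
        reply = REPLY_RE.search(line)
        if reply:
            status, flags = int(reply.group(1)), int(reply.group(2))
            secret_expected = status == GETPASS or bool(flags & NOECHO)
            yield line
            continue
        cont = CONTINUE_RE.match(line)
        if cont:
            if secret_expected:
                # Drop the whole remainder: a password may itself contain commas.
                line = cont.group(1) + REDACTED
                secret_expected = False
            yield line
            continue
        yield ATTR_RE.sub(lambda m: m.group(1) + REDACTED, line)


# Constructed sample: line formats follow the thread, the password is made up.
SAMPLE = """\
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, markus,
Thu Jan 15 10:41:41 2009: DEBUG: TacacsplusConnection Authentication REPLY 5, 1, Password: ,
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection request 192, 1, 5, 0, 3401247729, 14
Thu Jan 15 10:41:43 2009: DEBUG: TacacsplusConnection Authentication CONTINUE 0, Tr0ub4dor,3,
Thu Jan 15 10:41:43 2009: DEBUG: TACACSPLUS derived Radius request packet dump:
Attributes:
        User-Name = "markus"
        User-Password = Tr0ub4dor,3
        User-Password = "Tr0ub4dor,3"
"""

if __name__ == "__main__":
    for scrubbed in scrub(SAMPLE.splitlines()):
        print(scrubbed)
```

The Authentication lines in the quoted trace carry no session identifier, so with interleaved TACACS+ sessions this single-flag state can pair a REPLY with the wrong CONTINUE; masking where the line is written, as the thread asks for, does not have that problem.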



