[RADIATOR] How to increase session time

Qiu, Dennis dennis.qiu at davispolk.com
Wed May 7 22:18:57 CDT 2014


Thank you very much. I will give it a try tomorrow.

Dennis Qiu
Information Systems
Davis Polk & Wardwell LLP
450 Lexington Avenue
New York, NY 10017
212 450 5651   tel
dennis.qiu at davispolk.com


________________________________________________________________________________
Confidentiality Note: This email is intended only for the person or entity to which it is addressed and may contain information that is privileged, confidential or otherwise protected from disclosure. Unauthorized use, dissemination, distribution or copying of this email or the information herein or taking any action in reliance on the contents of this email or the information herein, by anyone other than the intended recipient, or an employee or agent responsible for delivering the message to the intended recipient, is strictly prohibited. If you have received this email in error, please notify the sender immediately and destroy the original message, any attachments thereto and all copies. Please refer to the firm's privacy policy located at www.davispolk.com for important information on this policy.

-----Original Message-----
From: Hugh Irvine [mailto:hugh at open.com.au] 
Sent: Wednesday, May 07, 2014 10:55 PM
To: Qiu, Dennis
Cc: radiator at open.com.au
Subject: Re: [RADIATOR] How to increase session time


Hello Dennis -

If you want different values for your different user groups, you would put something like this in your AuthBy LSA clauses:

	.....

	# Session-Timeout = nnn 
	# where nnn is the number of seconds

	# netadmin
	<AuthBy LSA>
		AddToReply Session-Timeout = nnn
		.....
	</AuthBy>

	# users
	<AuthBy LSA>
		AddToReply Session-Timeout = nnn
		.....
	</AuthBy>

	.....

Otherwise if you want the same one for both groups you can do this instead:

	.....

	<AuthBy GROUP>
		AddToReply Session-Timeout = nnn
		.....
	</AuthBy>

	.....

BTW - I am located in Australia, so no need to send your email twice.

regards

Hugh


On 8 May 2014, at 06:35, Qiu, Dennis <dennis.qiu at davispolk.com> wrote:

> Hugh,
> 
> Can you let me know where I can put Session-Timeout attribute in my radius.cfg file?
> 
> Thank you
> 
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651   tel
> dennis.qiu at davispolk.com
> 
> 
> 
> 
> -----Original Message-----
> From: Qiu, Dennis
> Sent: Tuesday, May 06, 2014 9:15 PM
> To: 'Hugh Irvine'
> Cc: radiator at open.com.au
> Subject: RE: [RADIATOR] How to increase session time
> 
> Hugh,
> 
> I only see sessiontime in my HTTP session. That session is not used by the network devices.
> 
> I do not see such an attribute as "Session-Timeout". Do I need to add this attribute to the radius.cfg file? If I need to add it, where should I add it?
> 
> Following is my radius.cfg. Can you advise?
> 
> Thank you
> 
> ######################################################################
> # windows.cfg
> #
> # Example Radiator configuration file.
> # This very simple file will allow you to get started with
> # a simple system on Windows. You can then add and change features.
> # We suggest you start simple, prove to yourself that it
> # works and then develop a more complicated configuration.
> #
> # This example is expected to be installed in
> #   c:\Program Files\Radiator\radius.cfg
> # It will authenticate from a standard users file in
> #   c:\Program Files\Radiator\users
> # it will log debug and other messages to
> #   c:\Program Files\Radiator\logfile
> # and log accounting to a file in
> #   c:\Program Files\Radiator\detail
> # (of course you can change all these by editing this config file if you wish)
> #
> # It will accept requests from any client and try to handle requests
> # for any realm.
> # And it will print out what it's doing in great detail to the log file.
> #
> # See radius.cfg for more complete examples of features and
> # syntax, and refer to the reference manual for a complete description
> # of all the features and syntax.
> #
> # You should consider this file to be a starting point only
> # $Id: windows.cfg,v 1.1 2003/03/27 09:41:28 mikem Exp $
> 
> AcctPort 1646,1813
> AuthPort 1645,1812
> BindAddress 144.211.2.97
> #BindAddress 0.0.0.0
> DbDir c:/Program Files/Radiator
> DictionaryFile %D/dictionary
> Foreground 1
> LogDir c:/Program Files/Radiator/Logs
> #LogFile logfile
> LogStdout 1
> 
> MaxChildren 0
> PidFile %L/radiusd.pid
> PmwhoProg /usr/local/sbin/pmwho
> SnmpNASErrorTimeout 60
> SnmpgetProg /usr/bin/snmpget
> SnmpsetProg /usr/bin/snmpset
> SnmpwalkProg /usr/bin/snmpwalk
> Trace 4
> 
> <Client DEFAULT>
> 	DupInterval 0
> 	FramedGroupMaxPortsPerClassC 255
> 	LivingstonHole 2
> 	LivingstonOffs 29
> 	NasType unknown
> 	SNMPCommunity 450dpw$
> 	Secret mysecret
> </Client>
> 
> <Handler NAS-Identifier=TACACS>
> 	AuthByPolicy ContinueWhileIgnore
> 
> 	<AuthBy GROUP>
> 		AuthByPolicy ContinueUntilAccept
> 		CachePasswordExpiry 86400
> 		EAPAnonymous anonymous
> 		EAPContextTimeout 1000
> 		EAPFAST_PAC_Lifetime 7776000
> 		EAPFAST_PAC_Reprovision 2592000
> 		EAPTLS_MaxFragmentSize 2048
> 		EAPTLS_PEAPVersion 0
> 		EAPTLS_SessionResumption 1
> 		EAPTLS_SessionResumptionLimit 43200
> 		EAPTLS_VerifyDepth 1
> 		Identifier GetUser
> 		PasswordPrompt password
> 		SIPDigestRealm DefaultSipRealm
> 
> 		<AuthBy LSA>
> 			AddToReply tacacsgroup = netadmin
> 			CachePasswordExpiry 86400
> 			Domain ad.dpw.com
> 			DomainController server1
> 			EAPAnonymous anonymous
> 			EAPContextTimeout 1000
> 			EAPFAST_PAC_Lifetime 7776000
> 			EAPFAST_PAC_Reprovision 2592000
> 			EAPTLS_MaxFragmentSize 2048
> 			EAPTLS_PEAPVersion 0
> 			EAPTLS_SessionResumption 1
> 			EAPTLS_SessionResumptionLimit 43200
> 			EAPTLS_VerifyDepth 1
> 			EAPType MSCHAP-V2
> 			Group networking_staff
> 			NoDefault 1
> 			Origin Radiator
> 			PasswordPrompt password
> 			ProcessName IAS
> 			SIPDigestRealm DefaultSipRealm
> 			Source Radiator
> 			UsernameMatchesWithoutRealm 1
> 			Workstation 
> 		</AuthBy>
> 
> 		<AuthBy LSA>
> 			AddToReply tacacsgroup = users
> 			CachePasswordExpiry 86400
> 			Domain ad.dpw.com
> 			DomainController dcny003
> 			EAPAnonymous anonymous
> 			EAPContextTimeout 1000
> 			EAPFAST_PAC_Lifetime 7776000
> 			EAPFAST_PAC_Reprovision 2592000
> 			EAPTLS_MaxFragmentSize 2048
> 			EAPTLS_PEAPVersion 0
> 			EAPTLS_SessionResumption 1
> 			EAPTLS_SessionResumptionLimit 43200
> 			EAPTLS_VerifyDepth 1
> 			EAPType MSCHAP-V2
> 			Group networking_guest
> 			NoDefault 1
> 			Origin Radiator
> 			PasswordPrompt password
> 			ProcessName IAS
> 			SIPDigestRealm DefaultSipRealm
> 			Source Radiator
> 			UsernameMatchesWithoutRealm 1
> 			Workstation 
> 		</AuthBy>
> 	</AuthBy>
> </Handler>
> 
> <ServerHTTP >
> 	AuditTrail %D/audit.txt
> 	AuthByPolicy ContinueWhileIgnore
> 	BindAddress 144.211.2.97
> 	DefaultPrivilegeLevel 15
> 	LogMaxLines 500
> 	MaxBufferSize 10000000
> 	Password xxxxxxxxxx
> 	Port 9048
> 	Protocol tcp
> 	SessionTimeout 3600
> 	TLS_ExpectedPeerName .+
> 	Trace 3
> 	Username administrator
> 
> 	<AuthLog FILE>
> 		FailureFormat %l:%U:%P:FAIL
> 		Filename %L/weblog
> 		LogFailure 1
> 		LogSuccess 0
> 		SuccessFormat %l:%U:%P:OK
> 	</AuthLog>
> </ServerHTTP>
> 
> <Realm DEFAULT>
> 	PreProcessingHook file:"c:\program files\radiator\createavpairs.pl"
> 	#<AuthBy INTERNAL>
> 	#	DefaultResult REJECT
> 	#	AcctResult ACCEPT
> 	#</AuthBy>
> 	#	AcctLogFileName accounting-log
> 	AcctLogFileName %L/%d%m%Ylogfile
> 	AcctLogFileFormat %l:%{User-Name}:%{cisco-cmd}
> 
> 	#AddToRequest Request-Type=Accounting-Request
> 	#AcctLogFileName %D/acct.log
> 	AuthByPolicy ContinueWhileIgnore
> 	AuthBy GetUser
> 
> 	<AuthBy FILE>
> 		CachePasswordExpiry 86400
> 		EAPAnonymous anonymous
> 		EAPContextTimeout 1000
> 		EAPFAST_PAC_Lifetime 7776000
> 		EAPFAST_PAC_Reprovision 2592000
> 		EAPTLS_MaxFragmentSize 2048
> 		EAPTLS_PEAPVersion 0
> 		EAPTLS_SessionResumption 1
> 		EAPTLS_SessionResumptionLimit 43200
> 		EAPTLS_VerifyDepth 1
> 		Filename %D/users
> 		PasswordPrompt password
> 		SIPDigestRealm DefaultSipRealm
> 	</AuthBy>
> </Realm>
> 
> <ServerTACACSPLUS >
> 	AddToRequest NAS-Identifier=TACACS
> 	AuthorizationTimeout 1200
> 	AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
> 	AuthorizeGroup netadmin permit .*
> 	AuthorizeGroup users permit service=shell cmd\* {priv-lvl=1}
> 	AuthorizeGroup users permit .*
> 	AuthorizeGroup guest permit service=shell cmd\* {priv-lvl=0}
> 	AuthorizeGroup DEFAULT  deny .*
> 	BindAddress 144.211.2.97
> 	GroupCacheFile %L/radiator-tacacs-usergroup.cache
> 	GroupMemberAttr tacacsgroup
> 	IdleTimeout 1200
> 	MaxBufferSize 100000
> 	PasswordPrompt Password:
> 	Port 49
> 	SingleSession 1
> 	UsernamePrompt Username:
> 	
> 	<Log FILE>
> 		
> 		Filename %L/tacacs.log
> 		Trace 4
> 	</Log>
> </ServerTACACSPLUS>
> 
> 
> 
> Dennis Qiu
> Information Systems
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 5651   tel
> dennis.qiu at davispolk.com
> 
> 
> 
> 
> -----Original Message-----
> From: Hugh Irvine [mailto:hugh at open.com.au]
> Sent: Tuesday, May 06, 2014 9:05 PM
> To: Qiu, Dennis
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] How to increase session time
> 
> 
> Hello Dennis -
> 
> The attribute you want is "Session-Timeout", although you will need to do some testing to verify that your network devices support it.
> 
> regards
> 
> Hugh
> 
> 
> On 7 May 2014, at 08:02, Qiu, Dennis <dennis.qiu at davispolk.com> wrote:
> 
>> Support,
>> 
>> Our networking devices use Radiator for authentication. Many times, guys are working on the network devices and they are prompted to authenticate again. It becomes very annoying.
>> 
>> I am wondering what the values are of the variables I can adjust to increase the session time.
>> 
>> Thank you
>> 
>> Dennis Qiu
>> Information Systems
>> Davis Polk & Wardwell LLP
>> 450 Lexington Avenue
>> New York, NY 10017
>> 212 450 5651   tel
>> dennis.qiu at davispolk.com
>> 
>> 
>> _______________________________________________
>> radiator mailing list
>> radiator at open.com.au
>> http://www.open.com.au/mailman/listinfo/radiator
> 
> 
> 


--

Hugh Irvine
hugh at open.com.au

Radiator: the most portable, flexible and configurable RADIUS server anywhere. SQL, proxy, DBM, files, LDAP, NIS+, password, NT, Emerald, Platypus, Freeside, TACACS+, PAM, external, Active Directory, EAP, TLS, TTLS, PEAP, TNC, WiMAX, RSA, Vasco, Yubikey, MOTP, HOTP, TOTP, DIAMETER etc. 
Full source on Unix, Windows, MacOSX, Solaris, VMS, NetWare etc.
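Hugh's AddToReply suggestion placed into the two AuthBy LSA clauses of Dennis's own radius.cfg, as an added example written for this page (not Hugh's or Radiator's text). The Session-Timeout values are illustrative assumptions, the "....." marks settings already in the posted file that are left unchanged, and the comma-separated AddToReply form is Radiator's documented syntax for several reply attributes on one line.

```conf
# Added example (not from the thread): Session-Timeout set per group inside
# Dennis's existing <Handler NAS-Identifier=TACACS> / <AuthBy GROUP> tree.
# Only the lines that matter for the change are shown; "....." stands for
# the settings already present in the posted radius.cfg.
# Timeout values are assumptions chosen for illustration, not from the thread.
<Handler NAS-Identifier=TACACS>
	AuthByPolicy ContinueWhileIgnore

	<AuthBy GROUP>
		AuthByPolicy ContinueUntilAccept
		Identifier GetUser
		.....

		# netadmin group (priv-lvl 15 in ServerTACACSPLUS): the privileged
		# group gets the shorter lifetime, 1 hour = 3600 seconds (assumed).
		# The group tag and the timeout ride in the same Access-Accept.
		<AuthBy LSA>
			AddToReply tacacsgroup = netadmin, Session-Timeout = 3600
			Domain ad.dpw.com
			Group networking_staff
			.....
		</AuthBy>

		# users group (priv-lvl 1): longer lifetime, 8 hours = 28800 seconds (assumed).
		<AuthBy LSA>
			AddToReply tacacsgroup = users, Session-Timeout = 28800
			Domain ad.dpw.com
			Group networking_guest
			.....
		</AuthBy>
	</AuthBy>
</Handler>

# Check: the posted file already runs with Trace 4, which dumps each reply
# packet to the log, so Session-Timeout should appear in the Access-Accept
# dump after the change. As Hugh notes, whether the network devices honour
# the attribute still has to be confirmed by testing against them.
```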


