From krasotinpa at gmail.com  Tue Dec  3 09:16:57 2024
From: krasotinpa at gmail.com (Pavel Krasotin)
Date: Tue, 3 Dec 2024 12:16:57 +0300
Subject: [RADIATOR] ClientList REST
Message-ID: <CALFqNpLnGb__-AePjDAAmkU7ezMFaOa0rYR=3qx+Gxgcoqw7GQ@mail.gmail.com>

Hi

We use NETBOX as SoT about the devices in our network.
I think it would be a good idea to store and then retrieve the list of
clients from there.

We want to write a module for RADIATOR for this, For example, ClientList
REST.

Hugh, Heikki,
can you advise me how best to write and what to pay attention to when
writing such a module?

Thank you in advance.

PS I'm not a Perl expert :)
--
Best wishes
Pavel
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20241203/77397796/attachment.html>

From hugh at radiatorsoftware.com  Tue Dec  3 20:55:57 2024
From: hugh at radiatorsoftware.com (Hugh Irvine)
Date: Wed, 4 Dec 2024 07:55:57 +1100
Subject: [RADIATOR] ClientList REST
In-Reply-To: <CALFqNpLnGb__-AePjDAAmkU7ezMFaOa0rYR=3qx+Gxgcoqw7GQ@mail.gmail.com>
References: <CALFqNpLnGb__-AePjDAAmkU7ezMFaOa0rYR=3qx+Gxgcoqw7GQ@mail.gmail.com>
Message-ID: <2e497cc3-b124-491a-8b74-45750c994d4e@radiatorsoftware.com>


Hello Pavel -

Take a look at ClientListSQL.pm and ClientListLDAP.pm in the Radius 
directory.

You should be able to copy one or the other as ClientListREST.pm and 
start from there.

There is also an AuthREST.pm module that might help you with the REST 
specific processing.

I'm sure Heikki has more suggestions.

cheers

Hugh


On 3/12/2024 20:16, Pavel Krasotin via radiator wrote:
> Hi
>
> We use NETBOX as SoT about the devices in our network.
> I think it would be a good idea to store and then retrieve the list of 
> clients from there.
>
> We want to write a module for RADIATOR for this, For example, 
> ClientList REST.
>
> Hugh,?Heikki,
> can you advise me how best to write and what to pay attention to when 
> writing such a module?
>
> Thank you in advance.
>
> PS I'm not a Perl expert :)
> --
> Best wishes
> Pavel
>
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20241204/e6616887/attachment.html>

From oss at eons.net  Tue Dec 17 22:42:26 2024
From: oss at eons.net (Stefan Paetow (OpenSource))
Date: Tue, 17 Dec 2024 22:42:26 +0000
Subject: [RADIATOR] Trying to use an AuthBy to try Radsec and RADIUS on the
	same host
Message-ID: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>

Hi,

We're trying to implement a mixed AuthBy where we try Radsec (RADIUS/TLS)
first on the host(s) defined for a specific realm, and when they time out,
retry on plain old RADIUS.

Can I do something like this, or will there be a clash between the two sets
of Host clauses?

    <AuthBy RADSEC>
        MaxFailedRequests 5
        FailureBackoffTime 180
        NoreplyTimeout 5

        TLS_Protocols TLSv1.3, TLSv1.2
        TLS_CAFile %D/cafile.crt
        TLS_CertificateFile %D/certfile.crt
        TLS_CertificateType PEM
        TLS_PrivateKeyFile %D/certfile.key
        TLS_PolicyOID [oid redacted]

        Secret radsec
        Port 2083
        ConnectOnDemand
        ProxyAlgorithm HashBalance
        Asynchronous

        Host fe80::44bc:f9ff:fea8:ab02
        Host fe80::44bc:f9ff:fea8:ab04
        <Host fe80::44bc:f9ff:fea8:ab02>
            Secret this_secret_329847247
            Port 1812
            UseTLS 0
        </Host>
        <Host fe80::44bc:f9ff:fea8:ab04>
            Secret this_secret_3298423657
            Port 1812
            UseTLS 0
        </Host>
    </AuthBy>

Based on the documentation (and one of the examples in the docs, not in the
goodies), this *should* be possible, but I thought I'd check first?

If this does not work, is it because the Host clauses clash?

Kind regards

Stefan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20241217/94c00d79/attachment.html>

From hugh at radiatorsoftware.com  Wed Dec 18 06:14:32 2024
From: hugh at radiatorsoftware.com (Hugh Irvine)
Date: Wed, 18 Dec 2024 17:14:32 +1100
Subject: [RADIATOR] Trying to use an AuthBy to try Radsec and RADIUS on
 the same host
In-Reply-To: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>
References: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>
Message-ID: <0e3a1005-ae77-4c3a-9ed0-7782cf498d77@radiatorsoftware.com>


Hello Stefan -

You will need to configure both an AuthBy RADSEC clause *and* an AuthBy 
RADIUS clause.

You can't do both in the AuthBy RADSEC clause.

regards

Hugh


On 18/12/2024 09:42, Stefan Paetow (OpenSource) via radiator wrote:
> Hi,
>
> We're trying to implement a mixed AuthBy where we try Radsec 
> (RADIUS/TLS) first on the host(s) defined for a specific realm, and 
> when they time out, retry on plain old RADIUS.
>
> Can I do something like this,?or will?there be a clash between the?two 
> sets of Host?clauses?
>
> ? ? <AuthBy RADSEC>
> ? ? ? ? MaxFailedRequests 5
> ? ? ? ? FailureBackoffTime 180
> ? ? ? ? NoreplyTimeout 5
>
> ? ? ? ? TLS_Protocols TLSv1.3, TLSv1.2
> ? ? ? ? TLS_CAFile %D/cafile.crt
> ? ? ? ? TLS_CertificateFile %D/certfile.crt
> ? ? ? ? TLS_CertificateType PEM
> ? ? ? ? TLS_PrivateKeyFile %D/certfile.key
> ? ? ? ? TLS_PolicyOID [oid redacted]
>
> ? ? ? ? Secret radsec
> ? ? ? ? Port 2083
> ? ? ? ? ConnectOnDemand
> ? ? ? ? ProxyAlgorithm HashBalance
> ? ? ? ? Asynchronous
>
> ? ? ? ? Host fe80::44bc:f9ff:fea8:ab02
> ? ? ? ? Host fe80::44bc:f9ff:fea8:ab04
> ? ? ? ? <Host fe80::44bc:f9ff:fea8:ab02>
> ? ? ? ? ? ? Secret this_secret_329847247
> ? ? ? ? ? ? Port 1812
> ? ? ? ? ? ? UseTLS 0
> ? ? ? ? </Host>
> ? ? ? ? <Host fe80::44bc:f9ff:fea8:ab04>
> ? ? ? ? ? ? Secret this_secret_3298423657
> ? ? ? ? ? ? Port 1812
> ? ? ? ? ? ? UseTLS 0
> ? ? ? ? </Host>
> ? ? </AuthBy>
>
> Based on the documentation (and one of the examples in the docs, not 
> in the goodies), this *should* be possible, but I thought I'd check 
> first?
>
> If this does not work, is it because the Host clauses clash?
>
> Kind regards
>
> Stefan
>
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator

From oss at eons.net  Wed Dec 18 09:50:43 2024
From: oss at eons.net (Stefan Paetow (OpenSource))
Date: Wed, 18 Dec 2024 09:50:43 +0000
Subject: [RADIATOR] Trying to use an AuthBy to try Radsec and RADIUS on
 the same host
In-Reply-To: <0e3a1005-ae77-4c3a-9ed0-7782cf498d77@radiatorsoftware.com>
References: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>
 <0e3a1005-ae77-4c3a-9ed0-7782cf498d77@radiatorsoftware.com>
Message-ID: <CAGmwA8pLUWUEuchZG9Wm2irqMpi6Sw8JqtZdmHYA5a0C3RTL1A@mail.gmail.com>

Hi Hugh,

Thank you for clarification! Also, does using 'Asynchronous' make sure that
AuthBy RADSEC gets executed first (and waits for a response) before falling
back to AuthBy RADIUS? The documentation implies so.

With kind regards

Stefan


On Wed, 18 Dec 2024 at 06:14, Hugh Irvine <hugh at radiatorsoftware.com> wrote:

>
> Hello Stefan -
>
> You will need to configure both an AuthBy RADSEC clause *and* an AuthBy
> RADIUS clause.
>
> You can't do both in the AuthBy RADSEC clause.
>
> regards
>
> Hugh
>
>
> On 18/12/2024 09:42, Stefan Paetow (OpenSource) via radiator wrote:
> > Hi,
> >
> > We're trying to implement a mixed AuthBy where we try Radsec
> > (RADIUS/TLS) first on the host(s) defined for a specific realm, and
> > when they time out, retry on plain old RADIUS.
> >
> > Can I do something like this, or will there be a clash between the two
> > sets of Host clauses?
> >
> >     <AuthBy RADSEC>
> >         MaxFailedRequests 5
> >         FailureBackoffTime 180
> >         NoreplyTimeout 5
> >
> >         TLS_Protocols TLSv1.3, TLSv1.2
> >         TLS_CAFile %D/cafile.crt
> >         TLS_CertificateFile %D/certfile.crt
> >         TLS_CertificateType PEM
> >         TLS_PrivateKeyFile %D/certfile.key
> >         TLS_PolicyOID [oid redacted]
> >
> >         Secret radsec
> >         Port 2083
> >         ConnectOnDemand
> >         ProxyAlgorithm HashBalance
> >         Asynchronous
> >
> >         Host fe80::44bc:f9ff:fea8:ab02
> >         Host fe80::44bc:f9ff:fea8:ab04
> >         <Host fe80::44bc:f9ff:fea8:ab02>
> >             Secret this_secret_329847247
> >             Port 1812
> >             UseTLS 0
> >         </Host>
> >         <Host fe80::44bc:f9ff:fea8:ab04>
> >             Secret this_secret_3298423657
> >             Port 1812
> >             UseTLS 0
> >         </Host>
> >     </AuthBy>
> >
> > Based on the documentation (and one of the examples in the docs, not
> > in the goodies), this *should* be possible, but I thought I'd check
> > first?
> >
> > If this does not work, is it because the Host clauses clash?
> >
> > Kind regards
> >
> > Stefan
> >
> >
> > _______________________________________________
> > radiator mailing list
> > radiator at lists.open.com.au
> > https://lists.open.com.au/mailman/listinfo/radiator
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20241218/6a6ed71e/attachment.html>

From hvn at open.com.au  Wed Dec 18 14:37:11 2024
From: hvn at open.com.au (Heikki Vatiainen)
Date: Wed, 18 Dec 2024 16:37:11 +0200
Subject: [RADIATOR] Trying to use an AuthBy to try Radsec and RADIUS on
 the same host
In-Reply-To: <CAGmwA8pLUWUEuchZG9Wm2irqMpi6Sw8JqtZdmHYA5a0C3RTL1A@mail.gmail.com>
References: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>
 <0e3a1005-ae77-4c3a-9ed0-7782cf498d77@radiatorsoftware.com>
 <CAGmwA8pLUWUEuchZG9Wm2irqMpi6Sw8JqtZdmHYA5a0C3RTL1A@mail.gmail.com>
Message-ID: <69ab1d39-0d1b-4067-b4c9-004719c8fe71@open.com.au>

On 18.12.2024 11.50, Stefan Paetow (OpenSource) via radiator wrote:

> Thank you for clarification! Also, does using 'Asynchronous' make sure 
> that AuthBy RADSEC gets executed first (and waits for a response) before 
> falling back to AuthBy RADIUS? The documentation implies so.

Yes, 'Asynchronous' is the easiest option for this. With this option the 
AuthBy works similar to the AuthBys, such as SQL and LDAP, which return 
IGNORE when they can't get a meaningful response from the DB or directory.

Something like this should do it:

<Handler ...>
     # This is the default policy, here as a reminder
     AuthByPolicy ContinueWhileIgnore

     <AuthBy RADSEC>
         # Parameters
         Asynchronous
         # More parameters
     <AuthBy RADSEC>

     <AuthBy RADIUS>
         # Parameters
         Asynchronous
         # More parameters
     </AuthBy>

     # More parameters
</Handler>

You can use Status-Server or timeout based alive detection as usual with 
the above clauses. For example:

https://files.radiatorsoftware.com/radiator/ref/AuthByRADSEC.html#Host_AuthByRADSEC-7

Thanks,
Heikki

-- 
Heikki Vatiainen
Radiator Software, makers of Radiator
Visit radiatorsoftware.com for Radiator AAA server software




From oss at eons.net  Wed Dec 18 18:58:31 2024
From: oss at eons.net (Stefan Paetow (OpenSource))
Date: Wed, 18 Dec 2024 18:58:31 +0000
Subject: [RADIATOR] Trying to use an AuthBy to try Radsec and RADIUS on
 the same host
In-Reply-To: <69ab1d39-0d1b-4067-b4c9-004719c8fe71@open.com.au>
References: <CAGmwA8o+zJaEKB+LfTk1q54vfYytqM=Kc26Z7tqxS+jKBRG0wA@mail.gmail.com>
 <0e3a1005-ae77-4c3a-9ed0-7782cf498d77@radiatorsoftware.com>
 <CAGmwA8pLUWUEuchZG9Wm2irqMpi6Sw8JqtZdmHYA5a0C3RTL1A@mail.gmail.com>
 <69ab1d39-0d1b-4067-b4c9-004719c8fe71@open.com.au>
Message-ID: <CAGmwA8pERmR4V6gwjVx=XtcAP6kQWxm8kL40GoZnZf1xqe4Bjg@mail.gmail.com>

Hi Heikki,

Thank you very much. That clarifies things and seems to have been the
missing link. :-)

With kind regards

Stefan


On Wed, 18 Dec 2024 at 14:38, Heikki Vatiainen via radiator <
radiator at lists.open.com.au> wrote:

> On 18.12.2024 11.50, Stefan Paetow (OpenSource) via radiator wrote:
>
> > Thank you for clarification! Also, does using 'Asynchronous' make sure
> > that AuthBy RADSEC gets executed first (and waits for a response) before
> > falling back to AuthBy RADIUS? The documentation implies so.
>
> Yes, 'Asynchronous' is the easiest option for this. With this option the
> AuthBy works similar to the AuthBys, such as SQL and LDAP, which return
> IGNORE when they can't get a meaningful response from the DB or directory.
>
> Something like this should do it:
>
> <Handler ...>
>      # This is the default policy, here as a reminder
>      AuthByPolicy ContinueWhileIgnore
>
>      <AuthBy RADSEC>
>          # Parameters
>          Asynchronous
>          # More parameters
>      <AuthBy RADSEC>
>
>      <AuthBy RADIUS>
>          # Parameters
>          Asynchronous
>          # More parameters
>      </AuthBy>
>
>      # More parameters
> </Handler>
>
> You can use Status-Server or timeout based alive detection as usual with
> the above clauses. For example:
>
>
> https://files.radiatorsoftware.com/radiator/ref/AuthByRADSEC.html#Host_AuthByRADSEC-7
>
> Thanks,
> Heikki
>
> --
> Heikki Vatiainen
> Radiator Software, makers of Radiator
> Visit radiatorsoftware.com for Radiator AAA server software
>
>
>
> _______________________________________________
> radiator mailing list
> radiator at lists.open.com.au
> https://lists.open.com.au/mailman/listinfo/radiator
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.open.com.au/pipermail/radiator/attachments/20241218/b8bafa67/attachment.html>