RADIUS and Vendor-Specific attributes

Greg Palumbo

Oct 29, 2009, 4:43:41 PM
Hi,

I'm trying to add a vendor specific attribute (Cisco AV Pair) to BMAS
(NMAS 3.1.2 on NetWare 6.5 SP6). I can add any generic attribute I
want, but any of the vendor-specific attributes are not sent back in the
radius access-accept packet. Is there some configuration change I need
to make to support vendor specific attributes? They all show up in
ConsoleOne, I can add them, and they are saved when I hit OK.

Thanks for any suggestions!

Greg

Craig Johnson

Oct 30, 2009, 1:15:26 PM
In article <18nGm.986$cC1...@kovat.provo.novell.com>, Greg Palumbo
wrote:
> Thanks for any suggestions!
>
BMAS? Hmm - hard to even remember using that. Any chance you could
set up a test BM 3.8 system and see if the NMAS version will support
your change?

Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to http://www.craigjconsulting.com ***


Greg Palumbo

Oct 30, 2009, 5:17:55 PM
Thanks Craig,

Actually, as I was trying to compose the original post, I was having
trouble remembering what version I was even running! I checked my notes
and it looks like this install consists of the following:

NetWare 6.5.SP6
NMAS 2.2 from the BorderManager 3.8 CD
SECUPD6A.TGZ
NMAS235.TGZ
NMAS 2.3.5
RADIUS.NLM 4.15 (comes with 6.5 SP6).

So I think I actually have BM 3.8... Any other ideas?

Thanks again!
Greg

Craig Johnson

Oct 31, 2009, 4:29:57 PM
In article <7KIGm.1140$cC1...@kovat.provo.novell.com>, Greg Palumbo
wrote:

> So I think I actually have BM 3.8... Any other ideas?
>
Ok - at least you have the latest NetWare-based RADIUS.

A warning - it appears that if you apply SP8, it will break management
of the DAS object in ConsoleOne. I'm trying to track down the exact
issue.

In terms of the attributes - I don't have much of a clue if the NMAS
version doesn't work. You probably want to consider setting up
FreeRadius on a SLES server.

Greg Palumbo

Oct 31, 2009, 7:01:36 PM
Thanks Craig,

I figured there weren't many people using the Vendor specific attributes
in NetWare RADIUS...the product is now pretty old. So is FreeRADIUS the
supported path going forward? Does it back-end against eDir?

I would appreciate any update you could give on the SP8 issue, as I plan
on applying that eventually.

Best regards,
Greg

Craig Johnson

Nov 2, 2009, 2:34:05 PM
In article <kl3Hm.1212$cC1...@kovat.provo.novell.com>, Greg Palumbo wrote:
> I figured there weren't many people using the Vendor specific attributes
> in NetWare RADIUS...the product is now pretty old. So is FreeRADIUS the
> supported path going forward? Does it back-end against eDir?

FreeRadius is the supported method. (Though I'm not quite clear what sort
of support is offered. There is, at least, an iManager plugin for it). It
does authenticate to eDir, and when I get time I plan to update my RADIUS
guide with an example using it.


>
> I would appreciate any update you could give on the SP8 issue, as I plan
> on applying that eventually.
>

I will post. I think somewhere a file gets updated that needs to be
backrevved, but finding it is a problem. My suspicion is a
consoleone-related file in the public directory, but not under the 1.2
directory.

Greg Palumbo

Nov 6, 2009, 6:54:28 PM

I read the other two recent threads on this, it does sort of sound like
a snapin issue, but those are usually under the 1.2\snapins directory I
thought. What about installing a fresh copy of C1 on the C:\ drive from
the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
WinMerge could flag all the changed files easily...

Craig Johnson

Nov 10, 2009, 7:45:12 PM
In article <UG2Jm.1195$K62....@kovat.provo.novell.com>, Greg Palumbo
wrote:

> I read the other two recent threads on this, it does sort of sound like
> a snapin issue, but those are usually under the 1.2\snapins directory I
> thought. What about installing a fresh copy of C1 on the C:\ drive from
> the BMAS CD or from NW65SP7? Also, wouldn't all the replaced sys/public
> files be in SYS/SYSTEM:\BACKSP7? Maybe something like Beyond Compare or
> WinMerge could flag all the changed files easily...
>
My latest thinking is that this is related to security. The failing
attribute contains an encryption of the DAS client password. I'm assuming
that ConsoleOne relies on some background process to do the encryption, and
that between SP7 and SP8, it changed. The new attributes are longer than
the old ones, so the snapin-related issue may simply be that it cannot read
what was stored.

I don't know if there is a particular security-related component that can
be reversed to allow changes to the DAS object, then updated again to put
things back to SP8.