Radius proxy append reply message - radius

we have a radius proxy server which will receive request from different realm and forward to different radius server to process authentication and accounting stuff. Normally the reply message is sent out by the target radius server, we are now facing a problem that one of the target radius server cannot reply session timeout message.
So we are wondering if it is possible to append a session timeout message and together with the reply message sent out by the target radius server to requester?
we are using free radius.
Many thanks.

In the authorize section (sites-available/default) use the 'update' unlang stanza.
update reply {
Session-Timeout := "<timeout>"
}
If you want to make it conditional on the upstream proxy sending you messages:
if ("%{client:Shortname}" == '<client name>') {
<update>
}

Related

Can google apps script time-based trigger cause this problem: "554 5.4.6 Too many hops 53 (50 max):"?

Hello I have a google docs document where I installed a simple emailing code on as follows:
function sendMail() {
var file = DriveApp.getFileById('XXXXXXXX');
var recipients = "mymail#group1.com" + "mymail#group2.com" + "mymail#group3.com";
MailApp.sendEmail(recipients, 'Daily Notes', 'Please see file Attached.', {
name: file.getName(),
attachments: [file.getAs(MimeType.PDF)]
});
}
The code works fine it sends the email to multiple group emails which I want it to send. It has done this for a month now. But until recently, I keep receiving this Mail Delivery Subsystem after 20 minutes or 1 hour from the original email which is sent out and inside the error message email it says:
"The following addresses had permanent fatal errors"
and it points to only one of the emails I send daily mails to. It also says something like this: (reason: 554 5.4.6 Too many hops). and then this:
554 5.4.6 Too many hops 53 (50 max).
The Good Doc's file has Google's time-driven trigger as you can see in the image below. I wonder if somehow the trigger is running twice in the time interval I gave to it. Could it be why this is happening?
In almost all cases 554 5.4.6 Too many hops 53 (50 max) means loop along email delivery path e.g. server A forwards to server B, server B forwards to server A, server A forwards to sever B, …. It is detected by counting Received: headers in message passing via give SMTP/email server.
Suggested fixing procedure:
Inspect Reveived: headers in email bounce message to locate server(s) responsible for the loop.
contact the relevant postmaster
In many years I have seen just one "real life" case when bounce message/email like that was not caused by email delivery loop.

HTTP Sender and REST conventions

I'm writing a C# Web API server application, and will send JSON to it via a Mirth HTTP Sender destination. This post is about how to handle error conditions. Specifically, there are three scenarios I want to handle:
Sometimes we take the C# application server offline for a short period for system upgrade or maintenance, and Mirth is unable to connect at all. I want Mirth to queue all messages in order, and when the server is available, process them in the order they were received.
The server receives the request, but rejects it due to a problem with the content of the request, e.g., missing a required field. In accordance with REST conventions, the server will return a 400-level HTTP response. This message would be rejected every time it's submitted, so it should not be re-sent; just log the failure and move on to the next message.
The server receives the request, but something goes wrong on the server, and the server returns an HTTP 500 Server Error response. This would be the appropriate response, for example, when something in the server environment has gone wrong. One real-world example was the time the Web API server was running, but somebody rebooted the database server. REST conventions would suggest we continue to resend the message until the transient problem has been resolved.
For #1, initially I had it queue on failure/always, but it appears the response transformer never runs for messages that were queued (at least, the debug statements never showed in the log). I have turned queueing off, and set it to retry every ten seconds for an hour, and that seems to give the desired behavior. Am I on the right track here, or missing something?
For #2 and #3, returning any HTTP 400 or 500 error invokes the 1-hour retries. What I want is to apply the 1-hour retries for the 500 errors, but not the 400 errors. I’ve tried responseStatus = SENT in the response transformer, but the response transformer only runs once, after the hour has expired, and not for each retry.
This seems like a common problem, yet I’m not finding a solution. How are the rest of you handling this?
You're close!
So by default, the response transformer will only run if there's a response payload to transform. For connection problems, or possibly for 4xx/5xx responses that contain no payload, the response transformer won't execute.
However, if you set your response data types (From the Summary -> Set Data Types dialog, or from the Destinations -> Edit Response, Message Templates tab) to Raw, then the response transformer will execute all the time. The reason being that the Raw data type considers even an empty payload to be "transformable".
So turn queuing back on, and set your response data types to Raw. Then in the response transformer, if you look at the Reference tab there's a category for HTTP Sender:
You'll want the "response status line", that's the "HTTP/1.1 200 OK" line of the response that contains the response code. Here's a response transformer script that forces 4xx responses to error:
if (responseStatus == QUEUED) {
var statusLine = $('responseStatusLine');
if (statusLine) {
var parts = statusLine.split(' ');
if (parts.length >= 2) {
var responseCode = parseInt(parts[1], 10);
// Force 4xx responses to error
if (responseCode >= 400 && responseCode < 500) {
responseStatus = ERROR;
responseStatusMessage = statusLine;
}
}
}
}

Test RADIUS configuration method

I'm developing a product that need to integrate with RADIUS server as an authentication method.
When configuring the RADIUS server (IP Address, Port, Shared Secret) I would like to do a "test" in order to check that the configuration is valid - The server is available and it is indeed a RADIUS server, Shared secret is OK.
I did some research on how to do it,
My options are:
Send Access-Request message with fictional user name and password to the RADIUS server
Send Status-Server message to the RADIUS server
RFC 5997 introduces the use of Status-Server Packets in the RADIUS protocol.
This packet extension enabling clients to query the status of a RADIUS server.
The Status-Server is marked as experimental and as Informational RFC rather than as a Standards-Track RFC
My questions are:
Which are the most common \ in use RADIUS server vendors ? MS NPS, FreeRADIUS, Other?
Are these vendors supporting Status-Server request - Do they implementing this packet type ?
If i will use Access-Request, I will receive "Access-Reject" with a failure message in "Reply-Message" attribute. Can i understand the reason for the refusal from that text message? Is there any list of error codes\messages that are part of the Standard ?
Thanks a lot,
Yossi Zrahia
Ad 1) Exact (or even estimate) numbers are hard to come by, but you should expect to encounter FreeRADIUS, Microsoft NPS, Radiator and maybe Cisco ACS/ISE.
Ad 2) FreeRADIUS, Radiator support it. Microsoft NPS and Cisco ACS/ISE do not. If your "test" is used once (upon configuring) I would use option 1 with the Access-Request. If you wish to periodically check the availability and configuration of a RADIUS server, I would suggest implementing both options and allow for configuration of the check as part of the RADIUS configuration:
IP: 1.2.3.4
Port: 1812
Shared Secret: U7tr453cur3
Servercheck: [x] Status-Server
[ ] Access-Request
Ad 3) From RFC2865, section 5.18 (Reply-Message):
"[...] This Attribute indicates text which MAY be displayed to the user. [...] When used in an Access-Reject, it is the failure message. It MAY indicate a dialog message to prompt the user before another Access-Request attempt. [...] The Text field is one or more octets, and its contents are implementation dependent. It is intended to be human readable, and MUST NOT affect operation of the protocol. It is recommended that the message contain UTF-8 encoded 10646 [7] characters."
There apparently are no standard messages specified; however if IP, Port or Shared Secret are configured incorrectly you should not get a response at all, because RFC 2865 specifies:
"A request from a client for which the RADIUS server does not have a shared secret MUST be silently discarded."

NETTY 4.1.4: TCP Socket Server which replies back towards clients after processing requests

i'm new to Netty and intend to create a tcp socket server which reads the info of each client and replies back towards client before processing requests immediately ,i.e. sort of an acknowledgement towards client as and when the message enters overriden channelRead method of ChannelInboundHandlerAdapter class.
Please guide me in the above specified objective.
i'm currently trying the basic netty 4.1.4 echo server example however i wanted server to send back acknowledgement to the client so i updated channelread method as follows :
#Override
public void channelRead(ChannelHandlerContext ctx, Object msg) {
ctx.write(msg);
ChannelFuture cf = ctx.channel().write("FROM SERVER");
System.out.println("Channelfuture is "+cf);
}
and the output obtained was as follows:
Channelfuture is DefaultChannelPromise#3f4ee9dd(failure: java.lang.UnsupportedOperationException: unsupported message type: String (expected: ByteBuf, FileRegion))
I understand the error that it is expecting bytebuf but how do i achieve it? also, whether this method would be able to send out acknowledgement towards client
You can use String.getBytes(Charset) and Unpooled.wrappedBuffer(byte[]) to convert to ByteBuf.
ChannelFuture cf = ctx.channel()
.write(Unpooled.wrappedBuffer("FROM SERVER".getBytes(CharsetUtil.UTF_8)));
Also note that ctx.channel().write(...); may not be what you want. Consider ctx.write(...); instead. The difference is that if your handler is a ChannelDuplexHandler it would receive a write event when you do channel().write(). Using ctx instead of channel will send the write out from your handlers point in the pipeline instead of from the end of the pipeline, which is usually what you want.

Send XMPP (Smack) Message

Ok, the problem should be trivial but I can't get to the bottom of it.
I have two users A & B
Their JID's for this example will be A#123 and B#123 where 123 is the IP of the server.
I'm sending a message from A->B using the following code:
chat = chatmanager.createChat(username,
new MessageListener() {
public void processMessage(Chat chat, Message message) {}});
String sendUsername = username + "#123";
Message msgObj = new Message(sendUsername, Message.Type.chat);
msgObj.setBody(message);
chat.sendMessage(msgObj);
I've hardcoded the IP so that I'm 100% sure that I attach the "#123" at the end of the nickname so there are no incorrect JIDs.
So A#123 sends msgObj to B#123. This is how I understood XMPP messaging to work. That you can't send from A->B but it must be A#123 -> B#123.
However, my server seems to think otherwise. It continuously informs me of the following error:
2010.12.27 19:02:52 [org.jivesoftware.openfire.session.LocalOutgoingServerSession
.createOutgoingSession(LocalOutgoingServerSession.java:258)] Error trying to
connect to remote server: A(DNS lookup: A:5269)
java.net.UnknownHostException: A
In both A and B's roster on the Openfire server, they have each other as a contact with the proper JIDs (username#123).
Can anyone provide some insight? I'm lost.
Edit
I'm trying to use Wireshark to catch the XML sent to and from the Openfire server to determine if the recipient of the message is named properly (A#123 instead of A).
Upon using Wireshark, I received this as the XML being transferred:
\302\3469\223\341\3429\000\000\000\000\377\377
I have disabled SSL, I have connected un-securely. I'm not sure why I'm getting SSL type XML, is that what it is?
Turns out the answer to this problem was something that was just overlooked.
In the first line of code:
chat = chatmanager.createChat(username, new MessageListener() {
public void processMessage(Chat chat, Message message) {}
});
I didn't make the variable "username" have the proper IP extension. So it was merely "A" instead of "A#123"
Moving "sendUsername" to the top and Changing "username" to "sendUsername" makes everything work great :)
Silly mistake.
Using IP addresses is almost always more confusing than you think it is.
There's a good chance you have OpenFire misconfigured, so that the IP address isn't a valid hostname. Go into the admin console, under "System Properties", and make sure that the xmpp.domain property is set to your IP address.