Re: rlm_realm module, Realm attr value
On Mon, Jan 24, 2011 at 03:15:46PM +, Phil Mayers wrote:

> > If the configured realm value is DEFAULT, the realm as entered by the user could be used to feed the Realm attribute value.
>
> I don't think this is a good change. For example:
>
>     authorize {
>         suffix
>         if (Realm == DEFAULT) {
>             # not a local realm; do some stuff
>             attr_filter.eduroam
>         }
>     }
>
> ...if you change the value of the Realm variable, it's never possible to compare against it. We rely on this in a number of places.

Thanks for your comments. Being able to differentiate a path the request is about to take is a real need. I've had an impression %{control:Proxy-To-Realm} can be referenced to get this particular information. Please, correct me in case I need to pick up on the intended attribute content and its use.

> Since as you point out, you can already accomplish this with unlang or regexp realms, I don't think it's necessary to change the behaviour of the existing module.

I admit, the ability to do comparisons against the matched proxy realm value is a feature I'd like to keep.

Martin

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
schilling schilling2...@gmail.com wrote:

> Thanks a lot. More questions.
>
> > If you want to lower the load (and authentication latency) on your AD servers then you might want to look at the following too:
> >
> > http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg65781.html

First things first, did you get it all working? If not, start there.

When I say 'lower the load', all it does is reduce the number of EAP packets from about 12 to 4 that are needed for a session resumption; but it also means you only need two LDAP lookups rather than 12. So your AD load will go from 0.01 to 0.01 or something. I am bigging up the numbers more than it is worth (although the latency bit is possibly handy for roaming devices).

> I am trying to follow your comment on this. I now realized we used to run eDir and now converted to iPlanet directory. Anyway, do I still need to enable the compilation --with-edir option as stated below? My guess is yes since otherwise, I could not call ldap in the post-auth section in auth virtual server for eap.
>
>     ##etc/raddb/modules/ldap
>     # Un-comment the following to disable Novell
>     # eDirectory account policy check and intruder
>     # detection. This will work *only if* FreeRADIUS is
>     # configured to build with --with-edir option.
>     #
>     #edir_account_policy_check = no
>
> What I want to do is just to check some attribute in our ldap server, our structure is like the following:
>
>     # extended LDIF
>     #
>     # LDAPv3
>     # base ou=people,dc=foo,dc=edu with scope subtree
>     # filter: uid=sding
>     # requesting: ALL
>     #
>
>     # sding, People, foo.edu
>     dn: uid=sding,ou=People,dc=foo,dc=edu
>     ntPassword: 123F0AE5D10B5CCD1A7366E8DEABCDE
>     fooEduPSHRdeptName: Information Technology Service (ITS)
>     fooEduPSHRDepartmentNumber: 123456
>     fooEduEmployeeStatus: Active
>     employeeStatus: Active
>     uid: sding

The eDir bits are probably not needed as you are using mschap with those 'ntPassword' attributes. eDir has 'universal password' which is a sales monkey's way of saying the password is available in plaintext if required.

Sounds to me like you do not currently have FreeRADIUS set up working the way you want it to?

> I would like to cache the following attribute/value in your example cache_ldap-userdn.pm, so I can use these values as logic to assign users to different VLANs. Can I do that in your pm?
>
>     fooEduPSHRdeptName: Information Technology Service (ITS)
>     fooEduPSHRDepartmentNumber: 123456
>     fooEduEmployeeStatus: Active
>     employeeStatus: Active

Looks like 'employeeStatus' should go in as part of your user filter, but to do the others I would need to generalise my Perl module. Easily done, but I'm not going to do it before I know you actually have it already working. :)

/me pats sigmonster and gives it a cookie

Cheers

-- 
Alexander Clouter
.sigmonster says: Success is a journey, not a destination.
2-factor-authentication with freeradius
Hi,

I'm trying to develop a two-factor authentication with freeradius (if there isn't something comparable). For this I want to use first pap-authentication from freeradius. After that I want radius to ask for a second password and call a script which sends an otp over an sms-gateway to the user's phone. You can imagine the second factor as a kind of mobile TAN. The sms-gateway works so far and isn't part of my question.

I've found nothing like this in any howto or tutorial so far, apart from eap. Any ideas how to get it to work? Is the part where radius asks for the second question possible with a request-challenge or is it something completely different? Where could I get further information about the syntax used in the users file and the client.conf file to include scripts? Is the way over the files above a possible solution or should I use pam files? Any ideas where to get more information?

Any kind of hints are welcome

MM
Re: 2-factor-authentication with freeradius
Marius.Meisner wrote:

> I'm trying to develop a two-factor-authentication with freeradius (if there isn't something comparable).

src/modules/rlm_otp

> For this I want to use first pap-authentication from freeradius. After that I want radius to ask for a second password and call a script which is sending an otp over an sms-gateway to the user's phone. You can imagine the second factor as kind of mobile TAN. The sms-gateway works so far and isn't part of my question. I've found nothing like this in any howto or tutorial so far, instead of eap.

src/modules/rlm_example. It does *exactly* this.

> Where could I get further information about syntax used in users-file and client.conf -file to include scripts?

The documentation?

> Is the way over the files above a possible solution or should I use pam-files?

No idea.

Alan DeKok.
Re: rlm_realm module, Realm attr value
Hello,

> Thanks for your comments. Being able to differentiate a path the request is about to take is a real need. I've had an impression %{control:Proxy-To-Realm} can be referenced to get this particular information. Please, correct me in case I need to pick up on the intended attribute content and its use.

Seems like the term Realm is used in an overloaded manner: on the one hand, it's the user-supplied character string, on the other hand it's a named instance of the realm module. Looks like up until 2.1.8, the AVP Realm was always created with Realm-the-character-string as it came from the request, but with 2.1.9, this changed to Realm-the-instance-name.

Problem is, both of these can be valuable somehow, and need to be addressable. In a rlm_linelog, I care about logging the actual input; at other places, I may want to check which path the packet will take. In short, I think there should be two attributes: one to contain the instance name, one with the string. Using unlang is of course possible, but clumsy - it worked without before.

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473
Re: rlm_realm module, Realm attr value
On 01/25/2011 08:36 AM, Martin Stanislav wrote:

> Thanks for your comments. Being able to differentiate a path the request is about to take is a real need. I've had an impression %{control:Proxy-To-Realm} can be referenced to get this particular information. Please, correct me in case I need to pick up on the intended attribute content and its use.

That's a good point. It's up to others (Alan) really if he wants to change the behaviour. I suspect it would be best to wait for 2.2 for a behaviour change, if so.
Increasing the timeout of LDAP
Hello,

We're working with FreeRADIUS Version 2.1.8, for host sparc-sun-solaris2.10, with PAP authentication against LDAP. It works fine but... from time to time the following error appears in 'radius.log':

    Error: [ldap] ldap_search() failed: Timed out while waiting for server to respond. Please increase the timeout.

We've tried to increase the value of 'timeout' in modules/ldap, to 10 or 20 (as it appears to be the default). But looking at the debugger's output (radiusd -X) it always says that timeout = 4, and the errors continue appearing.

How can we increase the timeout?

Best regards.
Re: Increasing the timeout of LDAP
JAVIER MAGAZ FERNANDEZ wrote:

> We've tried to increase the value of 'timeout' in modules/ldap, to 10 or 20 (as it appears to be the default). But looking at the debugger's output (radiusd -X) it always says that timeout = 4, and the errors continue appearing. How can we increase the timeout?

Edit the configuration file that the server is reading. The radiusd -X output shows what's in the config file. If it says '4', it's because the config file says 4.

Alan DeKok.
Re: rlm_realm module, Realm attr value
Stefan Winter wrote:

> Seems like the term Realm is used in an overloaded manner: on the one hand, it's the user-supplied character string, on the other hand it's a named instance of the realm module.

Not quite... a user-supplied character string, and a named realm in the proxy.conf file. The named realms are used by the realms module to find a matching name.

> Looks like up until 2.1.8, the AVP Realm was always created with Realm-the-character-string as it came from the request, but with 2.1.9, this changed to Realm-the-instance-name.

Hmm... I think it's the other way around. In 2.1.9, a regex realm results in Realm = match, instead of Realm = regex.

> Problem is, both of these can be valuable somehow, and need to be addressable. In a rlm_linelog, I care about logging the actual input; at other places, I may want to check which path the packet will take. In short, I think there should be two attributes: one to contain the instance name, one with the string. Using unlang is of course possible, but clumsy - it worked without before.

There's utility creating two attributes, I think.

Alan DeKok.
Re: EAP TTLS: Getting the EMSK key?
Hi again,

I have installed a clean new freeRadius 2.1.10 and set it up. It is working fine, and I am also receiving the MSK key (without doing any modifications to the code). How come I can get the MSK key, but not the EMSK? I would expect freeradius either to export both of them, or not to export either of them (for security reasons as you said).

Thanks again,
Daniel.
Re: rlm_realm module, Realm attr value
On Tue, Jan 25, 2011 at 01:52:21PM +0100, Alan DeKok wrote:

> The named realms are used by the realms module to find a matching name.
>
> > Looks like up until 2.1.8, the AVP Realm was always created with Realm-the-character-string as it came from the request, but with 2.1.9, this changed to Realm-the-instance-name.
>
> Hmm... I think it's the other way around. In 2.1.9, a regex realm results in Realm = match, instead of Realm = regex.

Correct.

> > Problem is, both of these can be valuable somehow, and need to be addressable. In a rlm_linelog, I care about logging the actual input; at other places, I may want to check which path the packet will take. In short, I think there should be two attributes: one to contain the instance name, one with the string. Using unlang is of course possible, but clumsy - it worked without before.
>
> There's utility creating two attributes, I think.

CPU cycles are burned within the rlm_realm to extract both, the realm as entered by the user and the matched proxy.conf realm entry. The Proxy-To-Realm attribute holds the latter value (realm_authorize/realm_preacct function calls). The Realm attribute is set to the same value except when it holds a regex; it's set to the former value in such a case. In other words, the DEFAULT proxy.conf entry is the only case when the Realm attribute doesn't exactly match (string, case insensitive) the realm as entered by the user.

Martin
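Added example, not from the thread and not rlm_realm's own code: a Python model of the lookup and of the two attribute values as Martin and Alan describe them for 2.1.9, with a flag for the older regex behaviour. The REALMS list, the user names and the pre_2_1_9 flag are constructed assumptions; the point is that Phil's policy `if (Realm == DEFAULT)` only fires because Realm carries the entry name for a DEFAULT match, while control:Proxy-To-Realm always carries the matched entry.

```python
import re
from typing import Optional

# Constructed stand-in for the realm entries of a proxy.conf (not a real
# config). A name beginning with "~" is a regex realm, as in proxy.conf.
REALMS = ["example.com", "~.*\\.edu$", "DEFAULT"]


def split_suffix(user_name: str):
    """Split user@realm the way the default 'suffix' realm instance does.
    Returns (user, None) when the name carries no realm."""
    if "@" not in user_name:
        return user_name, None
    user, realm = user_name.rsplit("@", 1)
    return user, realm


def match_realm(entered: str, realms=REALMS) -> Optional[str]:
    """Return the proxy.conf entry matching the entered realm string.
    Lookup order modelled here: named realms (case-insensitive), then regex
    realms, then DEFAULT if one is configured."""
    for name in realms:
        if not name.startswith("~") and name != "DEFAULT":
            if name.lower() == entered.lower():
                return name
    for name in realms:
        if name.startswith("~") and re.search(name[1:], entered, re.IGNORECASE):
            return name
    return "DEFAULT" if "DEFAULT" in realms else None


def realm_attrs(user_name: str, realms=REALMS, pre_2_1_9: bool = False) -> dict:
    """Attributes rlm_realm leaves on the request, per the thread:
    Proxy-To-Realm (control) always holds the matched entry; Realm holds the
    same value except for a regex entry, where 2.1.9 stores the entered
    string (pre-2.1.9 stored the regex itself, per Alan's description)."""
    user, entered = split_suffix(user_name)
    if entered is None:
        return {}                       # no realm in the name: module is a noop
    entry = match_realm(entered, realms)
    if entry is None:
        return {}                       # no match and no DEFAULT entry
    attrs = {"Stripped-User-Name": user, "Proxy-To-Realm": entry}
    if entry.startswith("~"):
        attrs["Realm"] = entry if pre_2_1_9 else entered
    else:
        attrs["Realm"] = entry
    return attrs


def is_foreign_realm(attrs: dict) -> bool:
    """Phil's check, `if (Realm == DEFAULT)`: true only while Realm carries
    the entry name for a DEFAULT match rather than the entered string, so
    attr_filter.eduroam would silently stop running if that changed."""
    return attrs.get("Realm") == "DEFAULT"


def routed_to(attrs: dict) -> Optional[str]:
    """Martin's alternative: read control:Proxy-To-Realm for the path taken."""
    return attrs.get("Proxy-To-Realm")
```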
Re: EAP TTLS: Getting the EMSK key?
Daniel wrote:

> I have installed a clean new freeRadius 2.1.10 and set it up. It is working fine, and I am also receiving the MSK key (without doing any modifications to the code).

As expected.

> How come I can get the MSK key, but not the EMSK?

Because that's how it works.

> I would expect freeradius either to export both of them, or to not export both of them (for security reasons as you said).

No. Go read the specifications. The EMSK is the master key. The MSK is a derived key. You can export derived keys, with minimal security problems. Exporting the master key is a major problem.

In any case, this has nothing to do with FreeRADIUS. Go read the specs to see how the MSK and EMSK work. It's what *we* did.

Alan DeKok.
Re: dynamic VLAN assignment w/ mschapv2 against AD and LDAP
I believe I resolved this. I used eapol_test to get all the wanted results, and will try on a real NAS later on. The following is what I did.

Basically I followed Alexander's example: modified the peap section in eap.conf to use another virtual server, auth, instead of the inner-tunnel virtual server. I almost blindly copied Alexander's example in the auth server except I removed the reject for the realm checks. The ldap cache pm is not needed in my case since I do not query Windows AD via LDAP to get their attributes. If I want to do ldap after ntlm against AD, then Alexander's pm might be needed.

Then I want to map certain attributes like employeeStatus from our iPlanet ldap server to some radius attribute, so I can manipulate it in the post-auth section. I put the following line in etc/raddb/dictionary

    ATTRIBUTE My-Local-employeeStatus 3000 string

and the following line in etc/raddb/ldap.attrmap

    #FOO specific attributes
    replyItem My-Local-employeeStatus employeeStatus

Without these two line additions, radius will complain about an unknown attribute. Then in the post-auth section

    # default will have no Tunnel attribute/value; instead, they will be configured on
    # the NAS to go to student VLANs.
    # this will cover my ldap ntPassword authentication/authorization
    # facstaff have employeeStatus set while student does not
    # (the "&&" joining the two tests was lost in the list archive and is restored here)
    if ( "%{User-Name}" =~ /@/ && "%{reply:My-Local-employeeStatus}" ) {
        update reply {
            Service-Type = Framed-User
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = facstaff
        }
    }
    # this will cover my AD ntlm auth, People in AD are all facstaff
    if ( "%{User-Name}" !~ /@/ ) {
        update reply {
            Service-Type = Framed-User
            Tunnel-Type = VLAN
            Tunnel-Medium-Type = IEEE-802
            Tunnel-Private-Group-Id = facstaff
        }
    }

In this way, people can map arbitrary attributes from ldap to radius; if not in dictionary/ldap.attrmap, then just define your own. Then you have the flexibility of using these attribute/values in your logic at the post-auth section. Thanks all for the hints and help!
Schilling
Parse error after Freeradius Migration (Ascend binary attribute)
Hello,

I am working on migrating from freeradius 1.1.0 (manually compiled) to 2.1.8 (from Ubuntu repository). Right now I am stuck with the parsing of the configuration files. The files are working flawlessly on the old server but lead to a parsing error on startup on the new one. I tried delving into the source code but didn't have the time to really understand all called functions. I'm not sure where the error is, because the formatting of the filter looks quite right to me. I'm pasting the error and the relevant portion of the configuration file, in hope someone sees where my problem is.

    # cat /var/log/freeradius/radius.log
    Error: users.smart[11]: Parse error (reply) for entry user: failed to parse Ascend binary attribute: failed to parse Ascend binary attribute:

    # cat users.smart
    user User-Password := password
        Service-Type = Framed-User,
        Framed-Protocol = PPP,
        Ascend-Assign-IP-Pool = 1,
        Framed-Netmask = 255.255.255.255,
        Ascend-Metric = 1,
        Framed-Routing = None,
        Ascend-Idle-Limit = 3600,
        Ascend-Route-IP = Route-IP-Yes,
        Ascend-Data-Filter = ip in drop udp dstport = 9,
        Ascend-Data-Filter = generic in forward 0 0 0

Regards,
Tobias
Re: Parse error after Freeradius Migration (Ascend binary attribute)
Hi,

> # cat /var/log/freeradius/radius.log
> Error: users.smart[11]: Parse error (reply) for entry user: failed to parse Ascend binary attribute: failed to parse Ascend binary attribute:
>
> # cat users.smart
> user User-Password := password

I probably won't be the first person to tell you that this line should be

    user Cleartext-Password := password

> Ascend-Data-Filter = ip in drop udp dstport = 9,
> Ascend-Data-Filter = generic in forward 0 0 0

the error is related to one/both of these binary entries. the dictionary file has pretty good docs: read dictionary.ascend

perhaps you haven't got the dictionary included? if you've stripped the 2.x config or just dumped the 1.x config into place things just won't work

alan
Re: Parse error after Freeradius Migration (Ascend binary attribute)
Alan Buxey wrote:

> [...]

Thank you for the quick reply. Didn't know about the Cleartext-Password/User-Password; after reading a little, I think we will change our configuration file export accordingly.

I checked about the dictionaries, all default dictionary files are included, including dictionary.ascend. The error is generated by the last line in the example (the generic filter), I confirmed this by swapping/deleting lines.

I didn't just take all existing files from our 1.x installation and copy them over. In fact I started with the 2.x example configuration, including VirtualHosts and all the split files, and modified it to use our existing export files for the user configuration.

Thanks for your suggestions,
Tobias
Re: Parse error after Freeradius Migration (Ascend binary attribute)
tobias.gruenewald wrote:

> ...
> Ascend-Data-Filter = generic in forward 0 0 0

The mask and value are hexadecimal numbers. Try using 00 rather than 0.

Alan DeKok.
Re: Parse error after Freeradius Migration (Ascend binary attribute)
hi,

radiusd -X output is always very nice... as per the docs, so we don't have to take wild guesses.

how about just

    Ascend-Data-Filter = generic in forward

alan
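As an added example (not from the thread and not FreeRADIUS's own parser), a Python lint for the text form of Ascend-Data-Filter that reports the defect discussed above before a restart: the mask and value of a generic filter are hexadecimal byte strings, so a lone `0` is an odd digit count and cannot be encoded, while `00` can. The grammar is the one documented in dictionary.ascend; the ip form here is modelled without dstip/srcip/est, the match-all reading of a bare `generic in forward` is an assumption, and USERS_SMART is a constructed copy of the migrated entry.

```python
import re

# Text form of Ascend-Data-Filter in the users file (dictionary.ascend):
#   ip dir action [dstip a.b.c.d/nn] [srcip a.b.c.d/nn] [proto [dstport cmp n] [srcport cmp n] [est]]
#   generic dir action offset mask value [== | !=] [more]
# This model covers the generic form fully and the ip form without dstip/srcip/est.
DIRECTIONS = {"in", "out"}
ACTIONS = {"forward", "drop"}
PROTOS = {"tcp", "udp", "icmp", "ospf"}
CMPS = {"<", "=", ">", "!="}
GENERIC_MAX_BYTES = 6  # width of the mask and value fields in the binary form

class FilterError(ValueError):
    """A filter string the binary encoder would refuse."""

def _hex_field(token, what):
    # mask and value are hex byte strings, two digits per byte.  A lone '0' is one
    # digit and cannot become a byte: the migrated "generic in forward 0 0 0" fails here.
    if len(token) % 2:
        raise FilterError(f"{what} '{token}': needs an even number of hex digits (00, not 0)")
    try:
        return bytes.fromhex(token)
    except ValueError:
        raise FilterError(f"{what} '{token}': not hexadecimal") from None

def parse_generic(argv):
    if not argv:  # bare "generic in forward": treated as match-all here (assumption)
        return {"offset": 0, "mask": b"", "value": b"", "compneq": False, "more": False}
    if len(argv) < 3 or not argv[0].isdigit():
        raise FilterError("generic filter needs '<decimal offset> <hex mask> <hex value>'")
    mask, value = _hex_field(argv[1], "mask"), _hex_field(argv[2], "value")
    if len(mask) != len(value) or len(mask) > GENERIC_MAX_BYTES:
        raise FilterError(f"mask and value must be equal length, at most {GENERIC_MAX_BYTES} bytes")
    flags = {"compneq": False, "more": False}
    for tok in argv[3:]:
        if tok in ("==", "!="):
            flags["compneq"] = tok == "!="
        elif tok == "more":
            flags["more"] = True
        else:
            raise FilterError(f"unexpected token '{tok}' in generic filter")
    return {"offset": int(argv[0]), "mask": mask, "value": value, **flags}

def parse_ip(argv):
    out = {}
    if argv:
        if argv[0] not in PROTOS and not argv[0].isdigit():
            raise FilterError(f"unknown protocol '{argv[0]}'")
        out["proto"] = argv[0]
    i = 1
    while i < len(argv):  # port tests: dstport/srcport <cmp> <number>
        tok = argv[i]
        if tok not in ("dstport", "srcport"):
            raise FilterError(f"unexpected token '{tok}' in ip filter")
        if i + 2 >= len(argv) or argv[i + 1] not in CMPS or not argv[i + 2].isdigit():
            raise FilterError(f"{tok} needs '<cmp> <port>'")
        if out["proto"] not in ("tcp", "udp"):
            raise FilterError(f"{tok} is only valid with tcp or udp")
        out[tok] = (argv[i + 1], int(argv[i + 2]))
        i += 3
    return out

def parse_filter(text):
    argv = text.split()
    if len(argv) < 3 or argv[1] not in DIRECTIONS or argv[2] not in ACTIONS:
        raise FilterError("filter must start with '<ip|generic> <in|out> <forward|drop>'")
    if argv[0] == "generic":
        body = parse_generic(argv[3:])
    elif argv[0] == "ip":
        body = parse_ip(argv[3:])
    else:
        raise FilterError(f"unknown filter type '{argv[0]}'")
    return {"type": argv[0], "direction": argv[1], "action": argv[2], **body}

def filter_error(text):
    """The parse error for one filter string, or None when it is accepted."""
    try:
        parse_filter(text)
    except FilterError as e:
        return str(e)
    return None

def check_users_entry(entry):
    """Lint every Ascend-Data-Filter reply item of a users-file entry before a
    restart; returns (line_no, filter_text, error) for each item that fails."""
    bad = []
    for line_no, line in enumerate(entry.splitlines(), 1):
        m = re.match(r'\s*Ascend-Data-Filter\s*=\s*"?([^",]*)"?', line)
        if m and (err := filter_error(m.group(1).strip())):
            bad.append((line_no, m.group(1).strip(), err))
    return bad

# Constructed copy of the migrated entry from the thread, credential redacted.
USERS_SMART = '''user Cleartext-Password := "REDACTED"
\tService-Type = Framed-User,
\tAscend-Data-Filter = "ip in drop udp dstport = 9",
\tAscend-Data-Filter = "generic in forward 0 0 0"
'''
```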
SQL issue
I am having a strange issue with the latest upgrade to the Stable version. It appears as though FreeRADIUS is using a username of radius instead of the root user I have configured in sql.conf. Is there another area I should be looking for user name and password configuration? The only changes I made were to the dictionary.wimax and re-compile to move to the newer version.

Debug:

    Tue Jan 25 11:53:38 2011 : Error: rlm_sql_mysql: Couldn't connect socket to MySQL server radius@localhost:radius
    Tue Jan 25 11:53:38 2011 : Error: rlm_sql_mysql: Mysql error 'Access denied for user 'radius'@'localhost' (using password: YES)'

David
RE: SQL issue
To answer my own question: The configuration is now in /usr/local/etc/raddb/modules/sql whereas it was in /usr/local/etc/raddb/sql.conf in my older configuration. DOH!

David
Re: SQL issue
hi,

radius -X output. have you checked that the file you are editing is the file that the server is actually using? so many times we see eg /etc/raddb/sql.conf being edited but the server is reading /usr/local/etc/raddb.sql.conf (or more interesting, the file being edited is the /usr/src/radiusd/raddb/* file - ie the source file rather than the resulting installed file!)

alan
RE: New to the lists
Thanks again to everyone and their input. I was able to get the server to run after importing the database. The database itself has been in production for some time; I was very skeptical about changing the DB so I decided to edit the calls that FreeRADIUS runs on the DB itself, which worked out very well indeed. One thing I noticed in the change in the DB was the name itself (truncated from freeradius to just radius) and id in some tables was changed to priority? So far so good either way, it's working well and radius -X returns no errors :-)

-Tim

-----Original Message-----
From: freeradius-users-bounces+tim=velociter@lists.freeradius.org On Behalf Of Tom Samplonius
Sent: Friday, January 21, 2011 7:27 PM
To: FreeRadius users mailing list
Subject: Re: New to the lists

> I have a curious question though. Since the current version is substantially older than what we're moving to, how will this affect the sql database? Will I be able to install the newest version of FreeRADIUS and just perform a mysql dump from the old server to the new one?

It will depend on your current schema. The queries used by FreeRADIUS could have been customized. Even if they haven't been customized, it is possible the default changed between versions. If they are different, you will need to move the queries from the config of your old server, and incorporate them into the config of the new FreeRADIUS install. If the queries are the same, then you can just copy the database.

> Thanks in advance,
> -Tim

Tom
Question on Virtual Servers and inner-tunnel
Hi All,

Hope this is not too stupid of a question but I have been checking out the inner-tunnel virtual server under sites-enabled. I read up a little on virtual servers and it looks like the inner-tunnel virtual server is just a regular old virtual server yet in the comments it says it specifically handles inner tunnel requests. I went through the default config for the inner-tunnel and did not see any commands that were un-commented that seemed to specify that the server exclusively dealt with inner-tunnel requests. So my question is whether naming the server inner-tunnel causes it to exclusively handle inner-tunnel requests, in other words is inner-tunnel a hard coded name that has to be used for handling inner-tunnel requests?

Brett Littrell
Network Manager
MUSD
CISSP, CCSP, CCVP, MCNE
Re: Question on Virtual Servers and inner-tunnel
That's a stupid question for someone with so many certs! ;) jus givn ya $hit.

AFAIK it's not hard coded. In a config file somewhere is probably something like: if request type is 'x' then server inner-tunnel. It's been some time since I looked at the conf files so I can't say for sure which one and where.

From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
To: freeradius-users@lists.freeradius.org
Sent: Tue Jan 25 17:18:57 2011
Subject: Question on Virtual Servers and inner-tunnel

> [...]
Re: Question on Virtual Servers and inner-tunnel
You could define new ones, change the existing one, both, etc. Generally speaking the default config just works unless you're doing something interesting. I can't say how/what you should do without knowing more about it. And then I prolly still can't, but others could.

Since you're so self motivated, perhaps you could draft curriculum and tests for an FR cert?

> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
> To: 'freeradius-users@lists.freeradius.org'
> Sent: Tue Jan 25 17:50:53 2011
> Subject: Re: Question on Virtual Servers and inner-tunnel
>
> So I guess the follow up question is then: if I want to create multiple virtual servers, am I going to have to find this config file if I want those servers to deal with the inner-tunnel requests, or are you supposed to just define another server in the inner-tunnel file if you want a second virtual server that deals with inner-tunnel requests?
>
> That was a lot of certs? I have a lot more, those are just the most recent. HeHe... I would attempt a cert in freeradius so I can pick it up faster, but I never heard of a class for it, much less a certification or training materials...
>
> Thanks for the fast response.
>
> Brett Littrell
> Network Manager MUSD
> CISSP, CCSP, CCVP, MCNE
>
> On Tuesday, January 25, 2011 at 3:40 PM, in message 13923_1295998812_4d3f5f5c_13923_216_1_d9b37353831173459fdaa836d3b43499ae519...@wadpmbxv0.waddell.com, Gary Gatten ggat...@waddell.com wrote:
RE: Question on Virtual Servers and inner-tunnel
The inner tunnel virtual server can be specified in the eap configuration. By default it is the inner tunnel virtual server. See the ttls/peap/etc sections of eap.conf.

Ben

> From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail.com@lists.freeradius.org] On Behalf Of Brett Littrell
> Sent: Tuesday, January 25, 2011 5:51 PM
> To: 'freeradius-users@lists.freeradius.org'
> Subject: Re: Question on Virtual Servers and inner-tunnel
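Ben's pointer to eap.conf and Brett's follow-up about running a second inner server, shown concretely. This is an added example written for this archive, not configuration from the thread or the shipped FreeRADIUS files; the `virtual_server`, `default_eap_type`, `copy_request_to_tunnel` and `use_tunneled_reply` directives exist in the 2.x eap.conf, while the second server name `inner-tunnel-peap` and its file are hypothetical.

```conf
# --- raddb/eap.conf (fragment; added example, not the shipped file) ---
eap {
        default_eap_type = peap

        ttls {
                default_eap_type = md5
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # The name here is what routes the decrypted inner request
                # to a server { } block in sites-enabled. "inner-tunnel" is
                # only the default value of this directive, not a reserved
                # name; rename the server and this line together.
                virtual_server = "inner-tunnel"
        }

        peap {
                default_eap_type = mschapv2
                copy_request_to_tunnel = no
                use_tunneled_reply = no
                # A second inner server (hypothetical name, defined below)
                # so PEAP and TTLS can be policed independently.
                virtual_server = "inner-tunnel-peap"
        }
}

# --- raddb/sites-available/inner-tunnel-peap (hypothetical second file) ---
# enable with:
#   ln -s ../sites-available/inner-tunnel-peap raddb/sites-enabled/
server inner-tunnel-peap {
        # Deliberately no listen { } block: this server is reached only
        # through the TLS tunnel of the outer EAP session, never from
        # the network. If you copy the stock inner-tunnel file, drop its
        # 127.0.0.1:18120 test listener here, since two servers cannot
        # bind the same port.

        authorize {
                mschap
                suffix
                # inner requests are authenticated locally, never proxied
                update control {
                        Proxy-To-Realm := LOCAL
                }
                eap {
                        ok = return
                }
                files
        }

        authenticate {
                Auth-Type MS-CHAP {
                        mschap
                }
                eap
        }

        post-auth {
                # strip everything but the reply-message from rejects so
                # the outer tunnel does not leak backend detail
                Post-Auth-Type REJECT {
                        attr_filter.access_reject
                }
        }
}
```

The outer server in sites-enabled/default only ever sees the outer (often anonymous) identity and the TLS handshake; the real User-Name and password arrive in whichever server the `virtual_server` directive names, so that server is where the password store lookup and any per-user policy must live. Whatever name you pick has to match a `server { }` block in sites-enabled, and `radiusd -XC` will refuse the configuration if it does not.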
Re: Question on Virtual Servers and inner-tunnel
Gary Gatten ggat...@waddell.com wrote:

[-- multipart/alternative, encoding 7bit, 1 lines --]
[-- text/plain, encoding base64, charset: utf-8, 38 lines --]
> That's a stupid question for someone with so many certs! ;) jus givn ya $hit.
>
> [snipped]
>
> This email is intended to be reviewed by only the intended recipient and may contain information that is privileged and/or confidential. If you are not the intended recipient, you are hereby notified that any review, use, dissemination, disclosure or copying of this email and its attachments, if any, is strictly prohibited. If you have received this email in error, please immediately notify the sender by return email and delete this email from your system.
[-- text/html, encoding base64, charset: utf-8, 48 lines --]
[-- text/plain, encoding 7bit, charset: us-ascii, 2 lines --]

...says the guy sending HTML emails with a retarded 'disclaimer' attached to all outbound email. Before you pick on someone, please learn how to use your email client, it otherwise leaves you looking like a puppy curling one out on the carpet.

Cheers

--
Alexander Clouter
.sigmonster says: Beam me up, Scotty! It ate my phaser!
Re: Question on Virtual Servers and inner-tunnel
Did you read the part where I said I was just giving him $hit? OP did, and he got it. And I don't have control over what our half dozen email processors do to my email after I send it. But, just for you I'll see what I can do. Thanks.

- Original Message -
> From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
> To: freeradius-users@lists.freeradius.org
> Sent: Wed Jan 26 00:49:27 2011
> Subject: Re: Question on Virtual Servers and inner-tunnel