Re: Class attribute, RFC Specified usage of ...

2008-03-04 Thread Arran Cudbard-Bell
Phil Mayers wrote: Was there an RFC that went on to define the proper usage of the Class attribute, or is its usage still ambiguous? Ambiguous how? The RFC seems pretty specific to me; the field is NOT to be interpreted by the NAS, is generated in the Access-Accept and sent in

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 07:33:09AM +0100, Alan DeKok wrote: Mike Richardson wrote: I've been making changes for 8 hours a day for over a week so it might differ from the original. Which is a bit of a problem in and of itself. I posted the configs in the original email - was there

Re: Class attribute, RFC Specified usage of ...

2008-03-04 Thread Alan DeKok
Arran Cudbard-Bell wrote: Yes the RFC describes how parties should process the attribute, but it doesn't explicitly define an intended use. Yup. Stuff happens with Class. Cool stuff! Honest! Welcome to the RADIUS RFCs. Hence RFC 5080, and others. Alan DeKok. - List

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: I posted the configs in the original email - was there anything in there which looked completely out of place? No idea. Honestly, I rarely look at configurations. There's just too much stuff there. I look at debug logs. And if the configuration has big problems,

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
Looks like something odd is going on. I've removed freeradius and reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines, see config. Definitely uncommented: Auth-Type LDAP { uni_ldap } This line still there: rlm_ldap: Over-riding

Cisco AVpairs again.

2008-03-04 Thread David Bell
Hi folks, same David Bell, different email address :) Well I now have RADIUS and Cisco working pretty much as I want. However it seems to be passing the AVPair stuff back, but the Cisco doesn't seem to recognise it. Where have I gone wrong? My Users file has the following DEFAULT Ldap-Group ==

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: Looks like something odd is going on. I've removed freeradius and reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines, see config. You did a bit more than that. That additional effort is where the problem is coming from. Definitely

Re: Cisco AVpairs again.

2008-03-04 Thread Ivan Kalik
Have you configured that priv level? Only 1 and 15 are configured by default. Ivan Kalik Kalik Informatika ISP On 4/3/2008, David Bell [EMAIL PROTECTED] wrote: Hi folks, same David Bell, different email address :) Well I now have RADIUS and Cisco working pretty much as I want. However it

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Ivan Kalik
I don't know anything about eDirectory, but could this be a problem for retrieving password and other attributes: rlm_ldap: No default NMAS login sequence Ivan Kalik Kalik Informatika ISP

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 10:45:37AM +0100, Alan DeKok wrote: Um... no. When I said uncomment and configure the ldap module, it did NOT mean re-name the existing ldap module, and add a new one with a different name. The extra work you're doing is breaking the server. Stop it. Just

RE: Cisco AVpairs again.

2008-03-04 Thread David Bell
Thanks for the reply Ivan - sorry to keep dragging this up. I have another user configured as lvl 15 - here's the output from freeRADIUS Login OK: [tom/pass1] (from client 212.95.252.0/24 port 0) Sending Access-Accept of id 13 to 212.95.252.25 port 43419 Reply-Message = You now have level

RE: Cisco AVpairs again.

2008-03-04 Thread Ivan Kalik
Ah, there is no Service-Type in your reply. It should be Service-Type = NAS-Prompt-User. Service type should be in the request too, so make sure it is this one. Ivan Kalik Kalik Informatika ISP On 4/3/2008, David Bell [EMAIL PROTECTED] wrote: Thanks for the reply Ivan - sorry to keep dragging

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Phil Mayers
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. modcall[authorize]: module pap returns noop for request 0 The ldap module didn't find a

RE: Cisco AVpairs again.

2008-03-04 Thread David Bell
Added that, no difference. How do I put it in the request too? Thanks David -Original Message- From: Ivan Kalik [mailto:[EMAIL PROTECTED] Sent: 04 March 2008 10:35 To: FreeRadius users mailing list Subject: RE: Cisco AVpairs again. Ah, there is no Service-Type in your reply. It

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: ... rlm_ldap: performing search in c=uk, with filter (uid=raduser1) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... That needs to be fixed. See Novell's documentation for how. rad_check_password: Found Auth-Type System

RE: Cisco AVpairs again.

2008-03-04 Thread Ivan Kalik
It should be in the request. Post the whole debug with the request. Ivan Kalik Kalik Informatika ISP On 4/3/2008, David Bell [EMAIL PROTECTED] wrote: Added that, no difference. How do I put it in the request too? Thanks David -Original Message- From: Ivan Kalik [mailto:[EMAIL

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote: rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this. modcall[authorize]:

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 11:48:41AM +0100, Alan DeKok wrote: Mike Richardson wrote: ... rlm_ldap: performing search in c=uk, with filter (uid=raduser1) rlm_ldap: No default NMAS login sequence rlm_ldap: looking for check items in directory... That needs to be fixed. See Novell's

how to disable rlm_sql module

2008-03-04 Thread johnson elangbam
Hi, do I need to disable the rlm_sql module if I am using a Perl script to fetch data from the database? If so, then how do I disable the rlm_sql module?

RE: Cisco AVpairs again.

2008-03-04 Thread David Bell
Not sure if you mean the Server or the router - so here's both - router 1st Username: tom Password: You now have level 15 access as part of the SMC Group Switch 17:47:10: RADIUS: Pick NAS IP for u=0x3C8D630 tableid=0 cfg_addr=0.0.0.0 17:47:10: RADIUS: ustruct sharecount=1 17:47:10: Radius:

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Phil Mayers
Mike Richardson wrote: On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote: rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module ldap returns ok for request 0 rlm_pap: WARNING! No known good password found for the user. Authentication may fail because of this.

RE: Cisco AVpairs again.

2008-03-04 Thread Ivan Kalik
rad_recv: Access-Request packet from host 212.95.252.25 port 49365, id=20, length=73 NAS-IP-Address = 10.10.11.78 NAS-Port = 0 Cisco-NAS-Port = tty0 NAS-Port-Type = Async User-Name = tom User-Password = pass1 This is a dialin not login request.

Re: how to disable rlm_sql module

2008-03-04 Thread Ivan Kalik
You comment out sql entries in radiusd.conf. Ivan Kalik Kalik Informatika ISP On 4/3/2008, johnson elangbam [EMAIL PROTECTED] wrote: Hi, do I need to disable the rlm_sql module if I am using a Perl script to fetch data from the database? If so, then how do I disable the rlm_sql module? -

RE: Cisco AVpairs again.

2008-03-04 Thread David Bell
Ahh, so something very fundamental then. How do I change the request type? -Original Message- From: Ivan Kalik [mailto:[EMAIL PROTECTED] Sent: 04 March 2008 11:32 To: FreeRadius users mailing list Subject: RE: Cisco AVpairs again. rad_recv: Access-Request packet from host 212.95.252.25

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: Any idea what it means? I get the same message when using openldap: Ask Novell. Unfortunately, no one else knows... rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter ((uid=example)(objectclass=radiusprofile)) rlm_ldap: No default

RE: Cisco AVpairs again.

2008-03-04 Thread Ivan Kalik
Cisco documentation. It will say how to log into the device. Ivan Kalik Kalik Informatika ISP On 4/3/2008, David Bell [EMAIL PROTECTED] wrote: Ahh, so something very fundamental then. How do I change the request type? -Original Message- From: Ivan Kalik [mailto:[EMAIL PROTECTED] Sent:

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 01:13:49PM +0100, Alan DeKok wrote: Mike Richardson wrote: Any idea what it means? I get the same message when using openldap: Ask Novell. Unfortunately, no one else knows... rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with filter

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 11:18:49AM +, Phil Mayers wrote: How does the PAP module attempt to do the authentication? Does it do an authenticated bind as the user or does it get the password variable and compare it to something stored? The latter. Basically rlm_pap takes the

Re: Problems with 1.0.6-2.0.1 connecting to OpenLDAP 2.3.33

2008-03-04 Thread Zach Lowry
On Mar 4, 2008, at 12:08 AM, Alan DeKok wrote: Zach Lowry wrote: Sorry to reply to my own post, just curious if anyone had a chance to take a glance at this. I'm still stumped and starting to suspect that my OpenLDAP is borked somehow, due to the numerous revisions of Freeradius I've

how much is the rlm_perl's performance?

2008-03-04 Thread Dongheping
Who can give some data on performance?

RE: Cisco AVpairs again.

2008-03-04 Thread David Bell
Actually there was nothing wrong with that part of the config. Had a look at this from a sideways perspective and tried to telnet to it rather than use the Console. Works perfectly. So it looks like I just need to tell the Cisco how to behave properly when the request is not via a telnet session.

Re: how much is the rlm_perl's performance?

2008-03-04 Thread A.L.M. Buxey
Hi, Who can give some data on performance? What, exactly, are you after - requests per second etc? It all depends on what you DO in the PERL module. If you make calls to a DB in the PERL then that would be the bottleneck. Personally we use rlm_perl and I believe it should have been taken out of

RE: 802.1x, EAP and LDAP

2008-03-04 Thread Danner, Mearl
The binddn configured in freeradius needs to have admin privileges to extract a password. It then binds with the userdn and extracted password. That gets a positive authentication. You also need radius specific ldap attributes to pass the authorization phase. We used the freeradius/eDirectory

Re: CHAP with perl module

2008-03-04 Thread Jeremy Kusnetz
Why would you want access to it in the Perl module? The chap module already does this. * Any thoughts on how to support the RFC? * Use the code that's already in the server? Your Perl module should supply a Cleartext-Password to the server, and the server will Just Do the Right Thing.

Re: CHAP with perl module

2008-03-04 Thread Alan DeKok
Jeremy Kusnetz wrote: It seems like I need to do all the authentication and set the RAD_REPLY attributes. No. The module *can* be listed in the authenticate section, but it doesn't *have* to be listed there. That does work except for my problem case, but what you are saying is all I

LDAP configuration in radiusd.conf

2008-03-04 Thread debug afone
Hello, I'd like to know if it's possible to use 2 different basedn in one ldap { section in radius.conf. In my LDAP database, I've got 2 entries : ou=phones, cn=. ou=users,cn=. I want to authenticate devices from phones and from users. Actually, I configured 2 ldap sections in

NTLM in MSCHAP

2008-03-04 Thread David Hláčik
Hi, I have a working configuration of PPTPD (Windows VPN) through Radius to LDAP stored users. The thing is that it accepts only plain text stored passwords in ldap because of the very well known NT-Password for MSCHAPv2. I figured out there is an option to make it work with ntlm_auth in mschap

Re: Reject user from SQL-DB

2008-03-04 Thread JB
Phil Mayers (29.02.2008): JB wrote: Phil Mayers: JB wrote: I'm sorry, I have to ask again. Have you found a way to let the reply query know that the user has already been rejected in the check-query? I'm trying to avoid executing the same queries twice and also to avoid using temporary

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: The suggestions made so far have been to uncomment this authenticate entry. Once working should I be looking at commenting it out again and getting EAP to work without the above bind? No. If you're using TTLS + PAP, it's fine. For PEAP, it's impossible... Ah,