, you may want to be running
from the 3.0.0 release, or the v3.0.x branch.
There are NO new features in master (3.1.0) over 3.0.0. Our plan
for 3.1.0 is to finish the conversion to talloc, which may introduce
instabilities.
In contrast, 2.2.x and 3.0.x will have minimal changes.
Alan DeKok
=test.local --username=tu...@pub.com
Can you please let us know what needs to be configured to support the UPN?
ntlm_auth is from Samba. It's not part of FreeRADIUS. Ask the Samba
people how it works.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
to master. I've just done
that now.
Alan DeKok.
user
In your case, I'd say return to a default configuration. Then, get
the MAC address filtering working in post-auth. Once that's working,
add VLAN assignment.
Alan DeKok.
, it runs the
post-auth processing. Which doesn't read the users file... as the
users file is done only in the authorize section.
You should be able to put authorized_macs.authorize in the post-auth
section. That will make it process the users file, and do what you want.
Alan DeKok.
not support eaps. Can
Free Radius handle both encrypted and unencrypted connections at the
same time? If it can, can someone lead me down the correct path?
Yes. And there's nothing to do. Just configure a user with a
password. *All* authentication types will work.
Alan DeKok.
. Instrumentation is hard.
Alan DeKok.
... look up. You're not lost.
Alan DeKok.
, or reworded.
...whenever I try to compare against absent attributes. What's the
correct syntax for this now - do I need:
if ((Attr) (Attr op RHS)) {
...or can I ignore the message?
Yes.
Alan DeKok.
the Session-Timeout manually.
Alan DeKok.
to logoff user? then it should
work.
Read the debug output. You'll see the server receiving
Accounting-Request packets, with the users traffic over quota. THAT is
when FreeRADIUS can do something.
Alan DeKok.
Franks Andy (RLZ) IT Systems Engineer wrote:
Trying version #d166290 results in
Which is old. The bug has already been fixed.
Alan DeKok.
for debian (possibly RHEL too) trigger the latter one, as it
runs a config check on restart (which bails out due to the error above).
The -C code should be changed to remove its setting of -f. We'll
fix that for 3.0.1.
Alan DeKok.
/originate-coa for examples of originating a
disconnect message.
Alan DeKok.
John Dennis wrote:
3.0 is not on the download page http://freeradius.org/download.html nor
is there a download link on the above announcement page.
The announcement says: Version 3.0.0 (sig) has been released...
The 3.0.0 is a link.
I've added a link on the download page.
Alan DeKok
of OpenSSL.
Having threads means that each thread can wait without blocking
anything else.
It can probably be fixed, but it's hard.
Alan DeKok.
, dispatch packet
That is *exactly* what the server does for TCP.
Alan DeKok.
be nice to be able to debug the exact state for that, but the
fix should be simple. I'll push something to git later today.
Alan DeKok.
is smaller, more secure, and easier to maintain.
We'd like to add a special thanks to the Samba project, for the talloc
library. Many of the new features were made possible by talloc. We
expect more features in the future.
Alan DeKok.
FreeRADIUS Project Leader
.
I've learned to deal with it, but that doesn't mean I have to like it.
Alan DeKok.
Brian Julin wrote:
You guys are truly obsessed. I get exhausted just reading your commit logs.
:-)
It's what I do.
I spend a fair amount of time on other things, too. But pushing
FreeRADIUS ahead is a high priority.
Alan DeKok.
.
Alan DeKok.
More debug output would help. The last patch came from output sent by
Stefan. The patch seems to help. But there's an underlying issue which is
harder to debug. It looks like a Linux specific IPv6 problem. I don't see any
issue with v4.
Alan DeKok.
On 2013-10-04, at 9:41 AM, a.l.m.bu
not a database,
so we recommend using one where necessary.
Alan DeKok.
Usuário do Sistema wrote:
how to deny access by group ? if user is member of the group it's able
login in otherwise the user is deny
See the FAQ. Put this at the top of the users file:
DEFAULT LDAP-Group != allowed, Auth-Type := Reject
Alan DeKok.
the NAS never sends an
Accounting-Request. Go fix the NAS.
Alan DeKok.
I've pushed a fix for the proxy issue into the v2.x.x branch. If
people can test it, that would be appreciated.
We'll then release 2.2.2 and 3.0.0 on Monday.
Alan DeKok.
?
It should.
Alan DeKok.
-Accept. Then, put those attributes into the reply.
In the users file, you can do:
bob Cleartext-Password := password
vlan attributes = ...
Alan DeKok.
but there is failure of connection
on the JMS and http with the error message below when RADIUS is used.
That error has nothing to do with FreeRADIUS. See the documentation
for the other software. It should tell you how to use it with RADIUS.
Alan DeKok.
what's going on, and why.
Alan DeKok.
and once it is authenticated it only runs through the default
(which is understandable)
So... *nothing* else in the debug output is useful to you.
I guess you've read it as carefully as you've read the documentation.
Alan DeKok.
Clint Petty wrote:
How can I change the radius default testing123 password? Is there a
command I need to run to do this?
Edit raddb/clients.conf. Look for testing123.
Alan DeKok.
is
simple. It's not necessary, and a security risk.
There have been a number of requests to include rlm_raw, and the
answer has been (and will always be) no. There are alternatives which
are more secure, and generally better.
Alan DeKok.
will be unsubscribed and permanently banned from this list. Such
behavior is anti-social, rude, and will NOT be tolerated.
Alan DeKok.
and as long as the password
is correct the user will auth.
That seems to be doing what you want.
Am I attempting something impossible or doing it incorrectly?
I'm not entirely sure what you're doing, so I can't really answer that.
Alan DeKok.
? That should
tell you *exactly* what's going on.
Alan DeKok.
.
Alan DeKok.
) {
BUNCH OF UNLANG CODE
}
That should work. Ugly, but functional.
Alan DeKok.
in the FAQ, man page, web pages,
and daily on this list.
Alan DeKok.
the issue.
Alan DeKok.
Don wrote:
I tried one of these inside gtc sub-section of eap.conf, that don't
seem to work:
auth_type = ntlm_auth
Setting that *should* be one step of a working configuration.
or
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{User-Name}
. Doing anything else is rude.
You've been very careful to say as little as possible about what
you're doing. You've also been careful to NOT follow the documentation
or examples.
That explains why you're having issues making it work.
Alan DeKok.
. Is it possible to send subsequent GTC challenge in addition to
default Password challenge? If possible, how do I configure the
subsequent GTC challenge?
No. EAP-GTC is only challenge-response. It doesn't do multiple
challenges.
Alan DeKok.
* explanation. It's wrong and misleading.
It also contradicts your previous messages. You claimed you put the
users file entry at line one of the file. But now you talk about a
$INCLUDE statement.
So... which is it?
Alan DeKok.
I've followed all the steps to use this tool, but I can't make it.
What can be the problem ???
You do realize that eapol_test isn't part of FreeRADIUS, right?
Please ask the eapol_test authors how to fix it.
Alan DeKok.
shorewall rules
That isn't useful here.
What information did you put into the client? Server IP, port,
secret, etc.? You likely entered the wrong information.
Alan DeKok.
.
Given your other misstatements, I think you're wrong here, too. When
you follow the documentation and instructions here, it WILL WORK. Doing
random other things will make it NOT WORK.
I have no idea what you're doing, or what you changed to make it work.
And likely neither do you.
Alan
it.
If you're not going to follow instructions, you will have a VERY hard
time solving the problem.
Alan DeKok.
that the people logging in have accounts in ldap.
Alan DeKok.
paul trader wrote:
i used a default v2 install and only changed the users and clients.conf
files. everything else was left alone.
Well, there's no magic. If the users file entry doesn't match, it's
because the User-Name isn't test.
Alan DeKok.
. It contains a lot of
documentation on virtual servers, clients, and how they work together.
I am just wondering
what's the best practice. I don't want to increase number of hardware so
things can be segregated either.
Uh... virtual servers don't require additional hardware.
Alan DeKok.
questions, it would help to read the config
files. They're documented in exhaustive detail.
Alan DeKok.
indicates
VPN/RADIUS are talking to each other.
If it works, it works.
Alan DeKok.
it (or what to look for). I have been trying different settings for a
week now without success.
Because EAP is designed to make this impossible.
Alan DeKok.
Mehdi Ravanbakhsh wrote:
*i can not find any detailed document on this.*
doc/rlm_sql. It's on the Wiki, and distributed with the server tar
file.
Alan DeKok.
/ server cert which the iPad doesn't
like. Much of SSL is magic...
Try it with the test certificates created by the server. If the
problem doesn't happen, then the problem really is the certificates.
Alan DeKok.
,
FR does not support dynamic IP address allocation) on a private IP
address range, with limited access.
In 2.2.1, it can handle dynamic IP allocation. See
raddb/sites-available/dhcp. Look for pool.
Alan DeKok.
Nikolaos Milas wrote:
Thanks. I guess it is supported in 3.0.0 as well ?
Yes.
Alan DeKok.
people world-wide for years. :)
Alan DeKok.
installed
freeradius and configured it to use postgres.
Really? If you configure sql.conf, then that *isn't* enough. Read
raddb/sites-available/default, and look for sql.
Alan DeKok.
a solution.
Because I don't know so much about Windows world, I need to know if I
have to use NTLM, LDAP or Kerberos in order to authenticate against
the remote AD.
For MS-CHAP and PEAP, you use ntlm. You don't have any other choice.
For EAP-TLS, you don't use AD or MySQL.
Alan DeKok
user information.
They don't authenticate users.
FreeRADIUS is an authentication server. Where necessary, it pulls
user information from a database. It also returns user profiles to a
WiFi AP. e.g. VLAN, etc.
Alan DeKok.
is as follows:
Alan DeKok
FreeRADIUS Project Leader
-
Feature improvements
* Updated dictionaries for alcatel, broadsoft, bskyb, dlink, meru,
telkom, trapeze, proxim, zeus, rfc6677, 6911, and rfc6930.
* Added %{randstr:..} support. Creates random strings in a
controllable format.
* Added
Unless there are any objections, we'll release 2.2.1 tomorrow.
The list of changes is large:
https://github.com/FreeRADIUS/freeradius-server/blob/v2.x.x/doc/ChangeLog
Alan DeKok.
page, web pages, and daily on this list. Do NOT look at the
client output. It's unimportant.
Alan DeKok.
from what I've seen.
Alan DeKok.
in the radreply table ?
Yes. The IP Pool module will notice there's already a
Framed-IP-Address, and won't add another one.
or any other settings need to be changed ?
No.
Alan DeKok.
and then have the perl module access these
parameters?
No.
Why is it a problem to read a configuration file?
Alan DeKok.
Romeo Mihalcea wrote:
unsubscribe
Is it really that difficult?
.
Anyone who knows how to use a text editor can follow them.
The point of documentation is so non-experts can get things done. If
you're going to ignore the documentation, then you're on your own.
Alan DeKok.
going on.
We're just RADIUS people. We come close, but we don't know
*everything*. :)
Alan DeKok.
, and showing up with a
bicycle. There's a bit of a disconnect somewhere.
Alan DeKok.
probably misunderstood)?
code means code, not configuration files
Alan DeKok.
Maxim Shoustin wrote:
Can I configure to give OK to any sim based on provider only, like
Orange, for example?
No. The design of EAP-SIM makes that impossible.
Alan DeKok.
that the installation is... a
default one. The customization is done via the paths at the top of the
Make.inc file. If you want to change *internal* paths, then all bets
are off. My only answer is Good luck!
Alan DeKok.
, instead of freeradius
Check radiusd -v. If it's not 2.x, then remove the RPM, and install
a version 2 RPM.
Alan DeKok.
will
depend on the character set... which is largely secret.
This makes it very difficult to create the *correct* NT hash.
Alan DeKok.
.
Alan DeKok.
reverted to original config for this.
You're changing the server configuration. You need to fix your DNS.
Alan DeKok.
Hachmer, Tobias wrote:
- Rewrite DN?
You can rewrite the DN. That's why it's editable, as the LDAP-UserDn
attribute.
Alan DeKok.
to be server-side library code, or is it also for
client applications?
Yes. It's a fully-featured LGPL'd RADIUS library. It handles
everything related to RADIUS. Sockets, encoding, decoding,
dictionaries, etc.
Alan DeKok.
Daniel Pocock wrote:
The FTP masters just accepted the new freeradius-client package, it
should be available to install now using apt-get
I've opened a bug request for removal of the radiusclient-ng package
from the Debian archive
Thanks.
Alan DeKok.
is happen to PAP , CHAP module ?
They're not called.
and what is the relation of all module in authenticate section ?
Read the comments before the authenticate section. And doc/aaa.rst.
This is documented.
Alan DeKok.
which contain the
Framed-IP-Address attribute.
Alan DeKok.
* to the SQL database. Without the SQL
module, you can't access your stored procedures.
So can i transfer all SQL module Task to SQL function in my database ?
Programming. Read the Postgres documentation to see how to use its
embedded language.
Alan DeKok.
, looking for a magic solution. This isn't the best
approach.
Read doc/aaa.rst. Read man unlang. Read the debug output. Read
the default linelog configuration.
Alan DeKok.
Proxy-State = 0x313232
EAP-Message = 0x04090004
So the solution is simple - if you're going to proxy the inner auth,
ensure the client inner auth method and upstream proxy auth method are
mutually compatible.
i.e. set proxy_tunneled_request_as_eap = no
Alan DeKok.
if using
proxy_tunneled_request_as_eap = no
Does it actually need to NOT be there for
proxy_tunneled_request_as_eap = no
No.
See my reply to Phil. You need to set:
proxy_tunneled_request_as_eap = no
in eap.conf, peap{} subsection.
Alan DeKok.
)
Alan DeKok.
Phil Mayers wrote:
On 29/08/13 18:16, Alan DeKok wrote:
i.e. set proxy_tunneled_request_as_eap = no
Although IIRC that *definitely* had issues in 2.1.10, right?
I don't recall... that was a long time ago, and I'm trying to get 3.0
out the door.
Alan DeKok.
some
other cisco craziness?
My guess is that it's a single byte. In v2.2.x, that's byte type.
Alan DeKok.
always reference the outer tunnel from the inner one.
Alan DeKok.
told it to do. The server is pretty dumb that
way.
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
And rlm_cache should help a lot, too.
Alan DeKok.
, and web pages ALL say to post
the debug output. We really don't care about the configuration. It
doesn't show what happens when the server receives a request.
Alan DeKok.
.
Alan DeKok.
attributes it needs in
the Access-Accept.
Alan DeKok.
ultaman khoo wrote:
Thanks alan, i already on it right now, anything from the RFC that you
aware of can challenge the back the changes of NAS ip is wrong? Thanks
All of the RADIUS RFCs assume that a client has one IP, and only one IP.
Alan DeKok.
versions have fixes.
Alan DeKok.