Re: Blocked user not disconnected for 12+ hours

2012-02-09 Thread Christ Schlacta
That's actually what ended up happening. The AP's kick functionality does NOT properly clear the PMKSA cache entry, as I discovered through empirical testing, and summarily filed a bug report. On 2/9/2012 06:04, Jouni Malinen wrote: On Feb 9, 2012 8:03 AM, Christ Schlacta li...@aarcane.org

Re: Blocked user not disconnected for 12+ hours

2012-02-09 Thread Christ Schlacta
In fact it's the Ubiquiti PicoStation M2. I'd suspect all their AirOS V products exhibit similar behavior, but this is a mostly homogeneous environment, and I can't confirm my suspicions. On 2/9/2012 13:31, Arran Cudbard-Bell wrote: On 9 Feb 2012, at 22:02, Christ Schlacta wrote: That's

Sample Radius Accounting Data

2012-02-08 Thread Christ Schlacta
I'm trying to find some sample accounting data from freeradius, preferably in a mysql database to run some test analyses on. I'm considering using Freeradius + Mysql accounting in my environment, and don't have the infrastructure to generate test data, and would like to analyze some to see

Blocked user not disconnected for 12+ hours

2012-02-08 Thread Christ Schlacta
I'm using WPA2-EAP-TLS to verify certificates, and matching certificates to accounts in LDAP to verify accounts are in good standing. This morning around 7AM local time I blocked an offending user from the wifi network by adding their account to the disabled-users group in the ldap directory.

Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
Self-signed provides stronger security in most cases. I'm using self-signed here, and distributing a certificate to unmanaged user devices is as easy as placing a p12 file on a USB drive and requiring users to stop by ops before getting on wireless. If you're using a public CA to sign certs,

Re: self-signed root CA

2012-01-26 Thread Christ Schlacta
I've attached android, windows 7, macosx, and ubuntu linux to an eap-tls network using wpa2-eap-tls, which requires client and CA certs. it's no issue once you know what you're doing. the hardest part is the nearly complete lack of documentation for any OS except linux. you're limited to

Re: How to use Classic CRL?

2012-01-11 Thread Christ Schlacta
/2012 08:31 PM, Christ Schlacta wrote: Is it possible yet to configure freeradius TLS to use a classic CRL, as in a single file that's downloaded from the authority every once in a while that is a.. well, CRL, rather than a directory with hashed stuff in it? I'm not in front of my fr right now, so I

How to use Classic CRL?

2012-01-10 Thread Christ Schlacta
Is it possible yet to configure freeradius TLS to use a classic CRL, as in a single file that's downloaded from the authority every once in a while that is a.. well, CRL, rather than a directory with hashed stuff in it? I'm not in front of my fr right now, so I don't know the exact

Re: Accounting not working

2012-01-03 Thread Christ Schlacta
are the clients also properly configured? On 1/3/2012 11:18, John Corps wrote: Doing an nmap scan on the server it does show both 1812 and 1813 open UDP. The auth is working fine on 1812 so i don't understand why accounting isn't working. On Tue, Jan 3, 2012 at 2:09 PM, YvesDMydm...@gmail.com

How to configure redundant radius?

2011-12-30 Thread Christ Schlacta
I've got a number of devices all of which only have the option for one radius IP address (not hostname!) to be configured. How can I configure this type of device for failover (and optionally balance)? is there some PROPER way to do this? or am I limited to only being able to have one fr

Re: How to configure redundant radius?

2011-12-30 Thread Christ Schlacta
to coerce these single-ip devices to work with a pair or more of radius servers, or no other way to configure reliable failover ? On 12/30/2011 11:37, Alan DeKok wrote: Christ Schlacta wrote: I've got a number of devices all of which only have the option for one radius IP address

Re: Windows (7) Machine Certificates (Half Domain).

2011-10-19 Thread Christ Schlacta
On 10/15/2011 2:46, Phil Mayers wrote: On 10/15/2011 03:17 AM, Christ Schlacta wrote: I've got a handful of windows clients. I'm most concerned about the Windows 7 machines, but there are a few Vista, and even an XP client. I want to deploy Machine account certificates for wifi authentication

Windows (7) Machine Certificates (Half Domain).

2011-10-14 Thread Christ Schlacta
I've got a handful of windows clients. I'm most concerned about the Windows 7 machines, but there are a few Vista, and even an XP client. I want to deploy Machine account certificates for wifi authentication, so machines will be able to connect to the network BEFORE the user logs on (mainly

Re: Need help to store user details

2011-09-20 Thread Christ Schlacta
Store them how, where, and for what purposes? On 9/19/2011 23:07, Rajkumar balaji wrote: Hi All, I just want to store user details like, The user name is ABC and the user belongs to XYZ group and PQR group. Thanks Regards Rajkumar Balaji -- View this message in context:

Re: Freeradius + Fedora-DS + EAP-MSCHAPv2 for WIFI/AP authentication

2011-09-20 Thread Christ Schlacta
have access to the un-encrypted password payload (NT, cleartext), which is a severe security compromise. That's why you (should) always use an internal Certificate Authority, where you control which certs are signed and distributed. On 9/20/2011 00:31, Alan DeKok wrote: Christ Schlacta wrote

Re: User + X Authentication

2011-09-20 Thread Christ Schlacta
If you've got sufficient control over CPE and CPE is all sufficiently capable, you should be doing EAP-TLS authentication anyway. if CPE is compromised, you can simply reflash, replace the credentials, and revoke the old ones. On 9/20/2011 04:18, Raz Muhammad wrote: Hi, We are

Re: Test

2011-09-15 Thread Christ Schlacta
List is down. On 9/15/2011 07:49, Alan DeKok wrote: Is the list down, or are people quiet? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: OT: Written communication (Was: Re: Quick enable/disable user account.)

2011-09-14 Thread Christ Schlacta
On 9/14/2011 8:46, Alan DeKok wrote: rauch.hol...@googlemail.com wrote: Like I mentioned in my response to Arran, the OP didn't mention whether he had tried anything by himself before posting to this list. Maybe he tried it but he couldn't figure out what the example was telling him (but then

Re: Custom function to update Session-Timeout

2011-09-13 Thread Christ Schlacta
Have you tried setting the proper timeout from the auth section? Session-Timeout := `/script/that/returns/minimum/of/1-hour/or/remaining-time` ? On 9/12/2011 20:52, denzx wrote: Hi, I am new in this mailing list. I have similar situation too, I need counting something before decide to send

Re: Best Practices - maximum NAS entries in clients.conf

2011-09-13 Thread Christ Schlacta
On 9/13/2011 00:59, Fajar A. Nugraha wrote: On Tue, Sep 13, 2011 at 2:43 PM, Phil Mayersp.may...@imperial.ac.uk wrote: On 09/12/2011 10:42 PM, Fajar A. Nugraha wrote: If I understand raddb/sites-available/dynamic-clients correctly, the only way to store (well, to retrieve actually) dynamic

Re: Quick enable/disable user account.

2011-09-13 Thread Christ Schlacta
On 9/13/2011 08:32, 2394263740 wrote: Hello, I'm using free radius server 2.1.11 on Linux Enterprise Server 6.1. OS: Linux Enterprise Server 6.1 Radius: free radius server 2.1.11 Database: Mysql Sometime, I need disable a user account in mysql database. And then enable it later on after some

Re: Quick enable/disable user account.

2011-09-13 Thread Christ Schlacta
On 9/13/2011 12:09, Arran Cudbard-Bell wrote: On 13 Sep 2011, at 20:29, rauch.hol...@googlemail.com wrote: Hi to everybody, On Tue, 13 Sep 2011, Alan DeKok wrote: 2394263740 wrote: Sometime, I need disable a user account in mysql database. And then enable it later on after some check

Re: Quick enable/disable user account.

2011-09-13 Thread Christ Schlacta
entries in clients.conf (Christ Schlacta) 4. Re: Quick enable/disable user account. (Christ Schlacta) 5. Re: Best Practices - maximum NAS entries in clients.conf (Arran Cudbard-Bell) -- Message: 1 Date: Tue, 13 Sep

Re: Best Practices - maximum NAS entries in clients.conf

2011-09-12 Thread Christ Schlacta
On 9/12/2011 07:21, Arran Cudbard-Bell wrote: On 12 Sep 2011, at 16:04, Sallee, Stephen (Jake) wrote: @ everyone We have about 100 NAS entries in our clients.conf file, it makes the file a bear to deal with but the server seems to handle it fine. We will be expanding our infrastructure

Re: Best Practices - maximum NAS entries in clients.conf

2011-09-12 Thread Christ Schlacta
On 9/12/2011 12:41, Arran Cudbard-Bell wrote: Last I heard, you could NOT dynamically add NASs without restarting clients.conf as NAS entries are only read once on startup. Has this changed? Yes, FreeRADIUS will now load clients dynamically from clients or from a database, or an LDAP

Re: Rating usage

2011-08-31 Thread Christ Schlacta
rlm_programming language here can do that. On 8/31/2011 10:23 AM, Shreya Shah wrote: Is it possible to rate users based on their data usage and reject authentication to those users exceeding the limit ? I think I can achieve rating using counter.conf and reading the usage from radacct but

Re: [SOLVED] 802.1x auth EAP-TLS problem

2011-06-28 Thread Christ Schlacta
On 6/28/2011 01:52, Marco Londero wrote: On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKokal...@deployingradius.com wrote: Use the correct certificates. I re-generated client certificate and signed it w/ CA one instead of server (default Makefile conf) and worked. Sorry for the noise. I

Send response to client

2011-06-26 Thread Christ Schlacta
is it at all possible to send a message to a windows 7 or windows vista client that the client is guaranteed to see when authentication is rejected? more details: wireless WPA2-EAP-TLS on a Ubiquiti PicoStation 2 firmware 5.3.2 (I believe it includes some form of hostapd, but I'm not sure which

Re: MAC Address and Username Binding on FreeRADIUS

2011-04-12 Thread Christ Schlacta
So far as I know, there is no good way to automatically add a mac address to a user entry, or a user entry to a mac80211 entry on first connect. the UNLANG to ensure that the mac address matches for a validated account is simple however, and you should have no issue figuring that out. see

Re: unsubscribe

2011-02-26 Thread Christ Schlacta
On 2/26/2011 13:10, Josh Richard wrote: - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html it doesn't work like that, you're supposed to click the link at the bottom of any given post. - List info/subscribe/unsubscribe? See

Re: Multiple authentication methods at the same time?

2011-02-16 Thread Christ Schlacta
On 2/16/2011 15:02, Alexander Clouter wrote: Thomas A. Finef...@head.cfa.harvard.edu wrote: I thought this would be easy but now I'm wondering if it will be possible at all. We are transitioning to a DMZ for all ssh logins. During phase one, people will use a standard (but different than

Re: Windows 7 EAP-TLS Wired Auth

2011-02-14 Thread Christ Schlacta
On 2/14/2011 01:07, Phil Mayers wrote: On 02/13/2011 10:37 PM, Christ Schlacta wrote: it seems to get to the same point (Finished request xxx.) and then repeats the entire process four times (the same number of times specified in my switch config) then fails to connect. I'm not sure if I'm

help with proper responses?

2011-02-13 Thread Christ Schlacta
so uh.. I locked myself out of my radius enabled switch (for some stupid reason the switch thinks it's a good idea to use radius for the admin user as well...) and now I can sign in to my switch, but can't change anything, because I don't know what radius responses to send. if anyone knows

Windows 7 EAP-TLS Wired Auth

2011-02-13 Thread Christ Schlacta
I'm trying to authenticate a wired client (Switch supports radius) and I'm getting the following output (or similar): rad_recv: Access-Request packet from host 10.0.0.13 port 1024, id=161, length=136 User-Name = izanami Called-Station-Id = 30-46-9a-16-00-bc

Re: reset sql counter every 30 minute

2011-01-27 Thread Christ Schlacta
On 1/26/2011 23:49, piston wrote: Hi Is it possible to reset the sql counter every 30 minutes? Basically, I need to give the user free access of 20 minutes, after 20 minutes NAS will logout the user. And the user is allowed to login again after 30 minutes. Thanks - List

Re: Generating a Microsoft compatible CSR for FreeRADIUS

2011-01-20 Thread Christ Schlacta
2 issues 1) is there a listing somewhere of all OIDs and what they all mean to windows (XP) ? 2) Issuing client certs isn't that difficult. with windows vista/7, installing a cert is a simple double-click operation, so if they have a usb flash, you can use linux to zip a copy of their private

Re: modules directory

2011-01-18 Thread Christ Schlacta
that does help. can the first instance be named as well, or must there always be an unnamed instance? On 1/17/2011 22:06, Johan Meiring wrote: On 2011/01/17 10:37 PM, Christ Schlacta wrote: one more question: can there be multiples of ANY module specified? for example, can I use two

cleaning house on radius server?

2011-01-17 Thread Christ Schlacta
I've got a radius server up and running, and I want to clean up my configuration as much as possible. is it a safe assumption that if I remove a file (actually move it out of the way) and attempt to authenticate a client that if the client can successfully authenticate that everything is

modules directory

2011-01-17 Thread Christ Schlacta
I've found something odd in regard to the modules directory. I ended up needing to use checkval module for ldap authentication to work properly for me. the documentation I found said to place the following in config files: checkval { item-name = Calling-Station-Id check-name

Re: cleaning house on radius server?

2011-01-17 Thread Christ Schlacta
I have everyone set up to use tls authentication, with authorization via ldap check on the hostname and the mac address. that's the ONLY path. On 1/17/2011 13:28, John Dennis wrote: On 01/17/2011 03:36 PM, Christ Schlacta wrote: I've got a radius server up and running, and I want to clean

Re: Deleting stale session automatically with unlang

2011-01-14 Thread Christ Schlacta
try appending the following snippet to the end of the SQL statement: ; SELECT COUNT(*) col FROM dual WHERE 1=1; the result is that a numeric 1 is returned, and the requirement that something must be returned is satisfied. I believe there may be some other statement you can append instead to query the

Re: Freeradius GUI Interfaces Available?

2011-01-13 Thread Christ Schlacta
I use phpldapadmin and ldap-account-administrator for different purposes. On 1/13/2011 13:33, David Peterson wrote: I personally use and like Daloradius. http://daloradius.com/ David -Original Message- From: freeradius-users-bounces+david.peterson=acc-corp@lists.freeradius.org

Re: multiple DNs in check_cert_issuer?

2011-01-06 Thread Christ Schlacta
On 1/6/2011 06:36, Hendl Stephan wrote: Hi list, we have a freeradius server with enabled tls and our own CA. We prove the validity of the cert issuer like it is outlined in the example below. check_cert_issuer = /C=DE/ST=somewhere/L=someplace/O=AnyCompany Now we want to change our CA and

Re: Verify certificate - mac mapping in openldap..

2010-12-21 Thread Christ Schlacta
are all common, but every device is missing one or more of them :( I can't think of any other way to ensure that a user is found On 12/21/2010 01:37, Alan DeKok wrote: Christ Schlacta wrote: so I've done some research, looking at how freeradius works now, it manages to identify hostnames from

Verify certificate - mac mapping in openldap..

2010-12-20 Thread Christ Schlacta
so I've done some research, looking at how freeradius works now, it manages to identify hostnames from certificates which are issued to a given host, blah blah blah. suffice it to say when lain authenticates, it knows it's lain. I want to make sure that lain's MAC address matches what I know

Crosspost [hostap, freeradius] Can I send temporary failure or wpa tls has failed, so shove them on a vlan ?

2010-12-06 Thread Christ Schlacta
I want an option to do some sort of "your authentication is pending administrative approval. a message has been sent to the administrators, please try again in a few minutes." AND an option to say "your authentication has failed completely, I'm sending you to a separate vlan" namely, the

Re: Crosspost [hostap, freeradius] Can I send temporary failure or wpa tls has failed, so shove them on a vlan ?

2010-12-06 Thread Christ Schlacta
On 12/6/2010 6:31 PM, Alan DeKok wrote: Christ Schlacta wrote: 1) the user has bad or no credentials in this case the user should be sent to a captive vlan where all they can do is connect to the registration webpage to acquire a certificate and bind it to their wifi MAC address. You want

Re: Again: clients.conf storage in ldap

2010-12-03 Thread Christ Schlacta
I had it set up in mysql using the ability to manually specify queries. if the ldap module has that exact same functionality, it should be absolutely possible. Unless you have frequently changing clients, or an overabundance of clients, it's not worth it. it's a nightmare to maintain On

Re: How to filter MAC addresses within Freeradius?

2010-11-29 Thread Christ Schlacta
mac filtering should happen at the AP level. On Mon, Nov 29, 2010 at 7:23 PM, Viirydiianah Robles hello.viryt...@hotmail.com wrote: Hi I have ubuntu 10.4 with freeradius-server-2.1.10 my question is, where to add the Mac address? in users or clients.conf file, I have to change any line of

Re: Problem with FreeRADIUS + PPPoE + Mikrotik

2010-11-23 Thread Christ Schlacta
Replace the broken mikrotik Sent from my iPhone On Nov 23, 2010, at 13:25, Pableus pablodi...@hotmail.com wrote: Hello, I have a FreeRADIUS server doing authentication and accounting with ADSL and with wireless users. The wireless users are connected to a MikroTik which is running a

want to set up something a little more complex, not sure how to start. (hosts authenticated against openldap server)

2010-11-17 Thread Christ Schlacta
I've currently got a single host configured to have a certificate, the certificate is issued on a per-host basis. I want to somehow link a specific machine to a specific ssl certificate. it's my understanding that openldap or mysql can do this. I'd prefer not to use mysql as the mysql