RE: PEAP Inner-tunnel can't match a user in the users file with some check attributes

2011-11-21 Thread Difan Zhao
-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok Sent: November-19-11 1:37 AM To: FreeRadius users mailing list Subject: Re: PEAP Inner-tunnel can't match a user in the users file with some check attributes Difan Zhao wrote: I have an issue that whenever I have check

RE: Can I group users in the users file like in the SQL database?

2011-03-04 Thread Difan Zhao
Sent: March-04-11 2:00 AM To: FreeRadius users mailing list Subject: Re: Can I group users in the users file like in the SQL database? Difan Zhao wrote: Another quick question: Can I group users in the users file and assign the group reply attributes instead of to each individual user? No. See

FW: Use Hint file to proxy

2011-03-04 Thread Difan Zhao
-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao Sent: March-02-11 9:01 AM To: FreeRadius users mailing list Subject: Use Hint file to proxy Hi experts, Long time no talk! I have another dilemma. For some reasons I want to try to use the hints file to do Proxy

Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
up in 0.9 seconds. Sending delayed reject for request 0 Sending Access-Reject of id 123 to 127.0.0.1 port 16011 Waking up in 4.9 seconds. Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer T: 403-509-1010 ext 3048 | M: 403-689-7514 | F: 403.509.1011 difan.z

RE: Cleartext-Password := %{User-Name} in the users file. Possible?

2011-03-03 Thread Difan Zhao
@lists.freeradius.org] On Behalf Of Phil Mayers Sent: March-03-11 9:16 AM To: FreeRadius users mailing list Subject: Re: Cleartext-Password := %{User-Name} in the users file. Possible? On 03/03/11 16:10, Difan Zhao wrote: Hi experts, I want to try another way to authenticate devices by their MAC addresses. I

Can I group users in the users file like in the SQL database?

2011-03-03 Thread Difan Zhao
-Through = yes abc Tunnel-Type:0 = VLAN Tunnel-Medium-Type:0 = IEEE-802 Tunnel-Private-Group-Id:0 = 851 Tunnel-Preference:0 = 0 Thanks! Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer T: 403-509-1010 ext 3048 | M: 403-689-7514

How to add attributes on the reply from the home server

2011-03-03 Thread Difan Zhao
to achieve the same result? Right now my server just forwards the Access-accept to the switch and ignores all the VLAN attributes associated with the username set in my users file... Please help! Thanks! Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer T

Use Hint file to proxy

2011-03-02 Thread Difan Zhao
a lot! Difan Zhao M.Eng | CCNA CCNP CCSP | Network Engineer T: 403-509-1010 ext 3048 | M: 403-689-7514 | F: 403.509.1011 difan.z...@guest-tek.com | www.guest-tek.com The contents of this email

radius.log records individual client IP. Possible??

2011-01-27 Thread Difan Zhao
cli 08-00-0F-51-3F-60) It'd be ideal if it can show the IP of the NAS where the request is coming from. I know I could configure the client file to have individual IP for each client instead of entire subnet. However just wondering if there is easy switch to turn it on lol Thanks! Difan Zhao

How to configure proxy server to send a copy of acct to remote/home server

2010-09-16 Thread Difan Zhao
FreeRadius to automatically forward a copy to the remote server?? Thanks! Difan Zhao, M.Eng Network Engineer Guest-Tek Interactive Entertainment Inc. Email: difan.z...@guest-tek.com Office: +1 (403) 509 1010 ext 3048 Cell: +1 (403) 689 7514 www.guest-tek.com INTERNET | MEDIA

RE: After server rebuild the PEAP against Windows AD is not working any more!

2010-09-12 Thread Difan Zhao
Hi Alan, Thank you for the info! I downgraded the samba to 3.0.33 and it works fine now! Thanks, Difan Zhao, M.Eng Network Engineer Guest-Tek Interactive Entertainment Inc. www.guest-tek.com Email: difan.z...@guest-tek.com Office: +1 (403) 509 1010 ext 3048 Cell: +1 (403) 689 7514 http

After server rebuild the PEAP against Windows AD is not working any more!

2010-09-10 Thread Difan Zhao
account... The debug output is attached. Please help!! Thanks!!! Difan Zhao, M.Eng Network Engineer Guest-Tek Interactive Entertainment Inc. Email: difan.z...@guest-tek.com Office: +1 (403) 509 1010 ext 3048 Cell: +1 (403) 689 7514 www.guest-tek.com INTERNET | MEDIA | VOICE

RE: Wildcard in realm name? possible??

2010-09-09 Thread Difan Zhao
$ { /etc/raddb/proxy.conf[33]: Invalid regex in realm ~*\.gtcorp\.com$ } # realm ~*\.gtcorp\.com$ I tried many other syntax and I found that I can't put ~ and * together and if I did the process won't start... I guess my problem is solved! This is just FYI! Thanks again for your help! Difan Zhao

Wildcard in realm name? possible??

2010-09-08 Thread Difan Zhao
== ... authorize { preprocess chap mschap GTCORP Suffix ... } Thanks!! Difan Zhao, M.Eng Network Engineer Guest-Tek Interactive Entertainment Inc. Email: difan.z...@guest-tek.com Office: +1 (403) 509 1010 ext 3048 Cell: +1 (403) 689 7514

Freeradius 2.1.6: \ in %{SQL-User-Name}

2010-05-10 Thread Difan Zhao
the following query in PostSQL and it found the original entry successfully... select * from radcheck where username = 'GTCORP\\dzhao' I am wondering if there is a setting to automatically add another \ in the %{SQL-User-Name} if there is already a \ in it?? Thanks! Difan Zhao, M.Eng Network

RE: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

2010-05-06 Thread Difan Zhao
\\dzhao' I am wondering if there is a setting to automatically add another \ in the %{SQL-User-Name} if there is already a \ in it?? Thanks! Difan Zhao, M.Eng Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message

RE: Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

2010-05-05 Thread Difan Zhao
list: safe-characters = \...@abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.-_: / Any ideas? Thank you! Difan Zhao, M.Eng Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message- From: freeradius-users

Freeradius 2.1.6: Store Cisco device enable password in Postgresql DB

2010-05-04 Thread Difan Zhao
WHERE Username = '=24enab15=24' ORDER BY id Then I changed the username to this =24enab15=24 and now it works. I am just curious how freeradius or %{SQL-User-Name} treats special characters in username... Is there a way to treat them AS-IS? Thank you! Difan Zhao, M.Eng Network Engineer Guest

RE: VLAN Attribute ?

2010-04-21 Thread Difan Zhao
a question for you. It has a :0 following the Tunnel-Type. What is it for? I just removed it and it still works. However in the Radius -X debug it still has the :0 appending the attribute name. Any idea?? Thanks, Difan Zhao M.Eng Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office

RE: VLAN Attribute ?

2010-04-20 Thread Difan Zhao
-Group-Id:0 = 3, Tunnel-Preference = 0x00 Other switch vendor may use different attributes. I add these attributes in the users file. I am not using SQL. Don't know how to pull the attributes via sql... Hope it helps, Difan Zhao M.Eng Network Engineer difan.z...@guest-tek.com

RE: Authenticate computers with their hostnames

2010-04-19 Thread Difan Zhao
. Thanks again! Difan Zhao Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message- From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek

Authenticate computers with their hostnames

2010-04-16 Thread Difan Zhao
attributes? Anyway to work around this problem? Alan, I think you told me once that it's not easy to fool the NAS to accept all requests... Is this one of the cases we are talking about?? Thank you and have a good weekend! Difan Zhao Network Engineer difan.z...@guest-tek.com www.guest

Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
{ # attr_filter.access_reject Auth-Type := Accept } } And obviously it's not working... Any ideas how I should configure it? Thank you! Difan Zhao Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 - List

RE: Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
they don't like to see failed on their laptops. It's kind of important... I will really appreciate if you can come up with a solution for it... Thank you! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message- From

RE: Question: How do I forcibly accept all rest requests??

2010-03-30 Thread Difan Zhao
and I like it a lot! Your support is also very much appreciated! Thanks a lot Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message- From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org

mschap2 over peap, how to use cleartext password defined on the freeradius server instead of using Windows AD?

2010-01-07 Thread Difan Zhao
. Enseo_stb Cleartext-Password := password Any advice?? Thank you!! Difan Zhao Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 rad_recv: Access-Request packet from host

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2010-01-04 Thread Difan Zhao
-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Difan Zhao Sent: Wednesday, December 30, 2009 12:19 PM To: FreeRadius users mailing list Subject: RE: MAC authentication bypass --- How am I supposed to

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2010-01-04 Thread Difan Zhao
but nothing is shown whether the value has been successfully updated or not... Is this about right or it's actually showing at somewhere else and I am looking at the wrong place?? Thank you! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell

RE: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-30 Thread Difan Zhao
So I assume that none of you guys use MS Exchange server then... Do you guys all hate MS and support open source?? I am a windows guy but I am on your side!! Arran, you found the problem! Now it works! Thank you! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-30 Thread Difan Zhao
-Password}) { ok } else{ reject } } } Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 rad_recv: Access-Request

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
? Thank you! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 rad_recv: Access-Request packet from host 172.17.254.100 port 1645, id=45, length=157 User-Name = 00a0080806bd User-Password = 00a0080806bd

Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
Difan Zhao would like to recall the message, MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Difan Zhao
, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org [mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-24 Thread Difan Zhao
to be the same as the User-Name. Am I doing it right? How can I convert it to lower cases or do I need to do it at all?? PS the MAC addresses will all start with 00-A0-08. Thank you and merry Christmas!! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-24 Thread Difan Zhao
Lol Thank you Arran... You found the problem! Now it's good. Thanks again! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 -Original Message- From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org

NTLM, Kerberos 5 or LDAP

2009-12-22 Thread Difan Zhao
of. I am a Cisco guy and I have some Linux experience but no programming experience. Can any of you recommend me a book about how to use FreeRadius? I think that will stop me asking stupid questions... Thank you! Difan Zhao Network Engineer difan.z...@guest-tek.com www.guest-tek.com

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-22 Thread Difan Zhao
So..., Alan suggested using unlang. I am actually reading un-language (5). If I use it, where or what file do I put your script in? =Script that Alan wrote authorise { if(%{User-Name} =~ /[0-9a-z]{12}/i

RE: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-19 Thread Difan Zhao
Hi Alan, Thank you very much for quick response! Actually you are right. The password is in MD5 hash, not in clear text! I may not be able to use the guest VLAN (the vlan the device will be put in after failed or timeout 802.1x request) because I need to use this vlan for some other

RE: Dynamic VLAN assignment works on EAP-MD5, but not EAP-PEAP!!!

2009-12-18 Thread Difan Zhao
Hey Ivan, Thank you very much for your help! Now it works beautifully! My next step is to integrate FreeRadius with my Windows domain to use Windows AD for authentication. I am sure I will have more questions for you guys! Thank you! Guest-tek, Difan Zhao difan.z...@guest-tek.com www.guest

MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-18 Thread Difan Zhao
Cleartext-Password := 00a0080806bd I appreciate any advice!! Thank you guys!! Difan Zhao, CCNP Network Engineer difan.z...@guest-tek.com www.guest-tek.com Office: 403-509-1010 ext 3048 Cell: 403-689-7514 rad_recv: Accounting-Request