All,
Seems that the return code priority is behaving differently in 3.0 -
specifically the following config:
authorize {
updated
files
if (noop) {
...
}
}
...gives:
(0) authorize {
(0) [updated] = updated
(0) [files] = noop
(0) ? if (noop)
(0) ? if (noop) - FALSE
i.e.
On 14/10/13 16:01, Jonathan Gazeley wrote:
On 10/10/13 15:03, a.l.m.bu...@lboro.ac.uk wrote:
Samba 4 is lurvely... apparently 100% compatible with existing AD
installations, although, as always, it's a bit finicky and info is a
bit thin on the ground (and I've not written up a guide when I set
On 14/10/13 16:18, Phil Mayers wrote:
i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.
Have I missed the change, or is this not intentional?
Looks like this happened in the modcall.c rewrite (d0aa96709cea
On 14/10/13 17:15, Phil Mayers wrote:
On 14/10/13 16:18, Phil Mayers wrote:
i.e. the noop from the files module is ignored. This is a change from
2.x where the most recent module return code can be checked.
Have I missed the change, or is this not intentional?
Looks like this happened
All,
We're seeing bursts of:
Thu Oct 10 11:52:14 2013 : Info: WARNING: Child is hung for request
47516341 in component authenticate module peap.
Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
unblocked for request 47516341
...since the return of our students this year.
I
On 10/10/13 12:56, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
unblocked for request 47516341
...since the return of our students this year.
I am 99% sure this is ntlm_auth being slow, and I have a strong
suspicion this is related to
On 09/10/13 19:09, Alan DeKok wrote:
That is *exactly* what the server does for TCP.
...in which case my comment is entirely redundant, please disregard!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 10/10/13 17:16, Brian Julin wrote:
You might be able to run FR under gdb (or attach/resume a running FR),
and set breakpoints with commands that resume after running the GDB
commands.
That's an inventive one, but I'm not *that* desperate yet!
I've just ported our config to 3.0 and I'm seeing a few error messages;
they don't seem to be critical but are concerning me.
Specifically I'm seeing:
ERROR: Conditional evaluation failed due to internal sanity check.
...whenever I try to compare against absent attributes. What's the
correct
On 10/10/13 18:32, Phil Mayers wrote:
I've just ported our config to 3.0 and I'm seeing a few error messages;
they don't seem to be critical but are concerning me.
Specifically I'm seeing:
We're also getting:
Info: Invalid operator for item Sql-Group: reverting to '=='
...which is logged
On 10/10/13 18:51, Arran Cudbard-Bell wrote:
possibly if (outer.request
Hmm, no same thing, and worse it's squashing Module-Failure-Message :o(
On 09/10/13 16:36, Arran Cudbard-Bell wrote:
On 9 Oct 2013, at 15:47, Alan DeKok al...@deployingradius.com wrote:
Adam Bishop wrote:
It appears the debugging switches don't work quite as I'd expect in FreeRADIUS
3 when RadSec is configured.
Yes. Because of OpenSSL limitations, the
On 08/10/13 17:01, Rok Kosir wrote:
authentication to mysql), when i run freeradius -X, i get Segmentation
Fault when it reaches dhcp listener.
See doc/bugs.
On 08/10/13 17:40, Mulindwa wrote:
Dear pple,
I have looked for this and failed to get it, i have users with set
volume limits and they get knocked off once they hit the limit, however
; i want to have this taken to the next level, i.e once the limit is
hit, the user's profile be changed and
On 10/07/2013 08:40 AM, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
if (Service-Type == NAS-Prompt-User) {
if (NAS-IP-Address =~ /^172\.17\.107\./) {
if (User-Name =~ /^wisms\-testing/) {
update control {
Auth-Type := Accept
}
ouch do you realise how dangerous that is? there
On 10/04/2013 07:02 AM, Shameek Bhattacharya wrote:
Hello,
I am facing issue with MS CHAP authentication in Ubuntu 13.04 .
Also NTLM Authentication takes place when putting 'wait = no' in
/etc/freeradius/modules/ntlm_auth
ie
exec ntlm_auth {
wait = no
wait = no is wrong here.
On 02/10/13 17:14, JB wrote:
Hi!
We're proxying auth requests to another RADIUS service and encounter the
following problem:
The password seems to get changed somewhere along the way.
In our case, a 9 character password arrives as 16 character garbage at the home
server, which then -of
On 02/10/13 17:30, JB wrote:
Yes, we double checked the secret.
Well, you missed something.
There is no other reasonable explanation for the behaviour you're
seeing. In *theory* it could be broken MD5 libraries at one end, but
that's so unlikely that the possibility can be discarded.
You
On 24/09/13 12:25, JB wrote:
At first glance, this seems to work but I wanted to know if there's a
better or more common way to achieve this. Or is this completely
stupid after all? (Why?)
Looks fine to me; you're conditionally executing the rest of your policy
based on earlier results.
On 24/09/13 17:58, María Teresa Mondragón Reyes wrote:
rad_recv: Accounting-Request packet from host 192.168.4.224 port 32769,
id=157, length=285
Invalid packet code 4 sent to a proxy port from home server
192.168.4.224 port 32769 - ID 157 : IGNORED
Ready to process requests.
This should be
On 23/09/13 17:33, paul trader wrote:
am i doing something glaringly wrong, or just going plain crazy?
It's difficult to say, because the debug you sent has all the useful
bits trimmed out - like the original packet, and the full module
processing chain.
Send a full debug, and odds are
On 23/09/2013 18:19, paul trader wrote:
hi phil - ok, here's the full debug for a successful request:
[files] users: Matched entry test at line 1
Versus
and here's the full output of a failed request:
[files] users: Matched entry DEFAULT at line 172
The two request look very similar,
On 22/09/2013 15:12, WorkingMan wrote:
I am wondering is it possible to configure one server using a single IP to
handle PPTP/IPSEC --- freeradius? Does it make sense (or possible) to create
a virtual servers against PPTP and IPSEC separately? I am just wondering
what's the best practice. I
On 11/09/13 12:05, stefan.pae...@diamond.ac.uk wrote:
The alternative is getting your users to install something like
SecureW2 (which I believe requires a license now), and using
EAP-TTLS- PAP which submits the users password in plaintext, or I
believe more recent flavours of Windows support
On 09/09/13 14:04, Stefan Winter wrote:
Hi,
mv raddb raddb-noinst
mkdir raddb
touch raddb/all.mk
make install
do 'mkdir raddb/mods-config'
you've 'messed around' with the configuration directory which assumes
that mods-config exists... i guess that could be fixed to make dir
directory first
On 29/08/13 13:21, Axel Thimm wrote:
The reason I'm not simply applying the patch is that this system is
covered by support by Red Hat and replacing the vendor shipped
freeradius (2.1.12) with a self-compiled one voids the support. So any
other solution that would allow me to keep the system
On 29/08/13 14:25, Axel Thimm wrote:
On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
Otherwise, you could look at the verify { } stanza of the tls {
} block in eap.conf; this allows you to run an external script once
you've got the client cert, and there you can write any code you
On 29/08/13 14:35, Robert Roll wrote:
I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.
I'm getting an EAP error response from the other server about it not liking
On 29/08/13 15:09, Matthew Newton wrote:
On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
Or you could abandon the prejudice against upgrading because it's
supported (support you're not taking advantage of, I might add,
since you're asking here) and upgrade to 2.2.0 which, IIRC, has
On 29/08/13 15:49, stefan.pae...@diamond.ac.uk wrote:
That said, I commiserate with the original poster that yes, when the
policy is that you're only allowed to use vendor packages, you're
limited in what you can and cannot do.
Failing to direct these queries towards your paid support option
On 29/08/13 15:56, Robert Roll wrote:
I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier maybe not ? Is there a different
EAP response identifier ?
Yes, in the EAP-Message attribute (EAP packet)
I actually have been running with debug radius -X.
On 29/08/13 17:01, Robert Roll wrote:
Ok, Below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy..
The problem here is pretty straightforward, but not obvious from the
debugs since FR is just proxying.
Basically, the client sends the inner
On 29/08/13 18:16, Alan DeKok wrote:
Phil Mayers wrote:
[peap] Got tunneled request
EAP-Message = 0x02090006031a
0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)
That's EAP-MSCHAP-v2.
Doh, yes, brain fade. TBH this page could be clearer:
http://www.iana.org/assignments/eap
On 29/08/13 18:16, Alan DeKok wrote:
i.e. set proxy_tunneled_request_as_eap = no
Although IIRC that *definitely* had issues in 2.1.10, right?
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query for
PEAP?
What inner?
On 28/08/13 15:11, Arran Cudbard-Bell wrote:
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query for
PEAP?
What inner?
MSCHAPv2 - I thought PEAPv0
On 28/08/13 15:46, Arran Cudbard-Bell wrote:
OK. Just wondering if you could really get it down to a single
lookup, IIRC you needed the 'known good' NT-Password data for a
couple of rounds of MSCHAPv2?
Nope, just one. The MSCHAP challenge response arrive at you, you
validate them and in turn
On 28/08/13 16:00, Martin Kraus wrote:
I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)
Yeah, that's an annoyance of the configurable failover stuff.
However this really isn't
On 08/26/2013 12:10 AM, mdeche...@comcast.net wrote:
Dear Users --
This is my first posting to the FreeRADIUS users list, so please be patient :)
You're already doing pretty well - you actually posted a full debug,
which hardly anyone does first time!
Ok, so for the SQL case the server
On 08/26/2013 09:04 AM, Atomikramp wrote:
but it's not giving the same result, the check against sql is ignored
and the user is authed successfully.
Because:
[sql] User sogo1 not found
++[sql] returns notfound
On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
rlm_eap_sim is compiled in.
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files':
On 25/08/2013 12:03, ken.farrington wrote:
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory
Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or
it wasn't
On 08/23/2013 09:35 AM, Arran Cudbard-Bell wrote:
Or if you shift that hyphen one to the right, it'll probably work OK too :)
Usually first in the range works:
[-.a-z0-9]
IIRC + doesn't need to be escaped inside a range, same as .
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.
Huh, and I thought MS-PEAP specified only
On 21/08/13 23:44, Chris Parker wrote:
Okay, pardon my confusion then. I had been following a howto online
and it reported that the command when run manually will produce the
key.
Either way, I'm still having a failure in MSCHAP with radtest that
I'm not quite grasping.
Well, as I explained
On 22/08/13 10:54, Alan Buxey wrote:
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
bare MSCHAP variant, because there's no spec for how to derive the
MSCHAP challenge from the TLS master secret.
The EAP
On 22/08/13 15:14, Chris Parker wrote:
Exec-Program output: Reading winbind reply failed! (0xc001)
Check the permissions on the winbind socket directory, specifically that
the freeradius daemon user can access it; this is usually at:
/var/cache/samba/winbindd_privileged
or
On 22/08/13 16:46, Dean, Barry wrote:
Anyone want to throw in 2 cents/pennies worth to this?
Yep, don't do it like this.
Instead, write the user/ip entries to a file using the linelog module,
and use a long-running perl process to tail the file (using File::Tail)
and post them to the PAN.
On 08/21/2013 05:11 AM, Chris Parker wrote:
Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114,
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file
On 08/20/2013 02:27 PM, stefan.pae...@diamond.ac.uk wrote:
Hello all,
I'm currently attempting to use rlm_python to query LDAP (with
python-ldap) and then return an XML string in a VSA
(SAML-AAA-Assertion). However, when I try to load it, I get the
dreaded undefined symbol: PyExc_SystemError
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because the latter is unlikely to work; it's not a supported combo per
the PEAP
On 21/08/2013 19:28, Chris Parker wrote:
So I doubt this issue is with FR, but more of that Samba is being
cranky. I can never get ntlm_auth to give me that NT key, which I
feel if I could resolve that, I could continue with FR.
No. NT_KEY is only generated by mschap, not by username/password
On 21/08/2013 13:55, Chris Parker wrote:
Thank you Phil! That resolved my first steps, and I figured there was
something like that. I have pored over deployingfreeradius.com, but
for the life of me I could not find anything of assistance for my set
up.
Yeah... to be honest, I think I've just
Matthias Nagel matthias.h.na...@gmail.com wrote:
Hello,
if I do a smbencrypt ä then the output for the NT hash is
B5CF5E386433C7CB69E43ED774717792 but the correct hash would be
3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It
is a small a with two dots, unicode code point
On 08/16/2013 08:24 AM, nicolas@ricoh-industrie.fr wrote:
Hi list,
I'm searching the best way to configure a policy to split the domain
and the prefix ' /host' when it is a computer connection.
You probably don't want to do this.
Instead, you probably want to use the expansion:
On 08/14/2013 09:25 PM, McNutt, Justin M. wrote:
One other thing with multiple interfaces: RHEL 6 comes with some
anti-spoofing features in the kernel enabled by default. I'm afraid
As I noted elsewhere in the thread, the terms to google for this are
martians and rp filter, and you are
On 15/08/13 14:30, Darlington, Andrew wrote:
Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module files
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load
On 14/08/13 15:07, Kurt Hillig wrote:
But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 -
tcpdump shows it coming in, but radiusd -X shows no indication of
this traffic (but is reporting all of the traffic on eth0).
If radiusd -X isn't reporting *anything*, then it's not
On 14/08/13 15:55, Roberto Carna wrote:
I tried with Android device and it use CHAP authentication as Apple devices.
Ok, there is some confusion here.
You are using a captive portal, so it's actually your captive portal
web-based login that is doing CHAP - the Apple/Android devices are just
On 08/08/13 11:07, Shaw, Colin M. wrote:
difference. Lastly, for testing purposes, if I insert the required
attributes into the default post-auth then it all works and the wired
client is assigned the correct vlan, so again the switch side must be ok
and I also therefore presume all the
On 08/08/13 16:16, Shaw, Colin M. wrote:
Thanks for the reply Phil.
difference. Lastly, for testing purposes, if I insert the required
attributes into the default post-auth then it all works and the wired
client is assigned the correct vlan, so again the switch side must be
ok and I also
On 06/08/13 16:04, Horatiu Nimigean wrote:
i have pptpd on a centos 6 box configured to use radius for auth.
radius in turn checks credentials in ldap.
the user in ldap has a samba extension and a configured password (i used
ldap account manager to set it up) it also has a sambaNTPassword field
On 05/08/13 16:34, Fabrizio wrote:
Hi to all,
i'm using FreeRADIUS Version 2.1.10 with rp-pppoe-3.11 as NAS.
I would like to configure this system to be able to limit the user
internet bandwidth ( this is possible by WISPr-Bandwidth-Max-Down and
WISPr-Bandwidth-Max-Up attributes ) but at the
On 08/01/2013 08:51 AM, Gab Quidilla wrote:
Good day,
We have several branches configured for RADIUS. We are using freeradius
2.1.12 from CentOS 6.4 repo, plus daloradius 0.9.9, and MySQL. The
problem is that accounting packets are not received here in our head
office when accessing other
On 08/01/2013 09:35 AM, Gab Quidilla wrote:
office, it would not pass through the firewall. Accessing the branches
passes through the firewall, but the fw WAN link is configured for
accepting all packets
Yeah... sorry, but we hear that a lot on this mailing list, and quite
often the
On 01/08/13 10:02, Gab Quidilla wrote:
Hi,
I ran radsniff. I had someone at our branch login to the switches, and
still no accounting packets, while when I log into our switches, the
accounting packet is received. This is somewhat network-related yes?
Entirely. If the accounting packets don't
On 29/07/13 12:55, Marcel Kraan wrote:
Yes i want to use PAP (?) but where do i change that?
into my Wifi router ? or in the Freeradius config?
On the client.
On 25/07/13 10:43, stefan.pae...@diamond.ac.uk wrote:
Alan,
https://confluence.terena.org/display/H2eduroam/freeradius-sp implies that after v2.1.9,
%{Realm} would contain DEFAULT, not whatever the realm extracted from
User-Name was, when used in logging... Hence my question.
Of course, if
a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Feel free to add your own feature requests :)
number of UDP packets - i.e. is/was the datagram fragmented?
alan
If it's re-assembling fragments then I'm impressed...
--
Sent
a.l.m.bu...@lboro.ac.uk wrote:
Hi,
My guess is dual-stack NAS-RADIUS is going to be rare.
ummm. take a hold on that assertion. the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 -
and as part of that, you need to ensure that you're using both
On 23/07/13 17:19, Franks Andy (RLZ) IT Systems Engineer wrote:
This will probably be obvious, but I can’t see it!
Looks like a bug - the code here:
https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_ldap/groups.c#L495
...passes NULL for the result argument to
On 22/07/13 13:47, Arran Cudbard-Bell wrote:
It'd be nice to get some feedback from people though... do you think
you'll ever need to record both your NAS IPv4 and IPv6 addresses?
I'm guessing for dual stacking it'd be nice to record
Framed-IP-Address and Framed-IPv6-Prefix, should they both
On 22/07/13 14:32, Arran Cudbard-Bell wrote:
On 22 Jul 2013, at 14:15, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 22/07/13 13:47, Arran Cudbard-Bell wrote:
It'd be nice to get some feedback from people though... do you
think you'll ever need to record both your NAS IPv4 and IPv6
On 12/07/13 11:17, Eugene Grosbein wrote:
Please help. We need at least 1000 concurrent threads to deal with the load
here.
1000 threads is a crazy number. Can you explain why you think you need
that many? Are you doing very slow logic/lookups or something?
Anyway, the problem is almost
On 12/07/13 11:55, Eugene Grosbein wrote:
On 12.07.2013 17:38, Phil Mayers wrote:
On 12/07/13 11:17, Eugene Grosbein wrote:
Please help. We need at least 1000 concurrent threads to deal with the load
here.
1000 threads is a crazy number. Can you explain why you think you need
that many
On 11/07/13 09:39, sebastian buettrich wrote:
is this expected behaviour, the way anonymous identities are
implemented,
Yes. The outer EAP virtual server only sees the anonymous identity. The
inner EAP virtual server can see the real identity.
On 10/07/13 15:43, Arran Cudbard-Bell wrote:
Update sections may now also return fail.
Can you clarify - AIUI, sql xlat can now also distinguish between empty
and fail, so if I do this:
update {
request:Tmp-String-0 := %{sql:...}
}
...and the SQL server is down, the xlat will fail and
On 08/07/13 14:59, Lovaas,Steven wrote:
Exec-Program output: Reading winbind reply failed! (0xc001)
Check the permissions on the winbind socket, which usually lives in
either /var/cache/samba/winbindd_privileged or
/var/lib/samba/winbindd_privileged
On 07/04/2013 04:35 AM, Patrick Gawthorne wrote:
update request {
Class = "%{Ldap-Group}"
}
You can't do that, because Ldap-Group is not a real attribute with a
value; it's a virtual attribute, which you compare against (think about
it - you can be in 1 group)
You would
On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
I’m experimenting with a system involving an access-challenge to a
NAS. It works fine with FR so far on, say, the cisco ipsec vpn client,
which waits a long time until timing out waiting for user input. I’d
like to also
On 04/07/13 14:34, David Mitton wrote:
Quoting Phil Mayers p.may...@imperial.ac.uk:
On 04/07/13 11:00, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi,
Session-timeout and Idle-timeout are attributes mentioned by the cisco
docs but neither of these seem to be what I'm after
On 03/07/13 15:29, Bruce Bauman wrote:
Right now we have freeradius configured so that EAP and non-EAP are
handled by separate virtual servers which are listening on separate
virtual ports.
We'd like to simplify our configuration and use the same port for both.
I've looked through the
On 03/07/13 16:24, Júlíus Þór Bess Ríkharðsson wrote:
Hi,
For some reason I cannot get Stripped-User-Name attribute to get
populated when using nostrip for a realm. Is this normal behaviour or am
I missing something?
Normal. nostrip means don't populate Stripped-User-Name
I need the
On 03/07/13 17:34, Martin Kraus wrote:
Now my setup stopped working because suddenly ldap-eduroam was checking for
groups when matching Ldap-Group. I was under the impression that when not
specified with ldap-eduroam-Ldap-Group the default ldap entry would be used.
No. Most recently
On 07/02/2013 02:30 AM, Matt Zagrabelny wrote:
If a user is not in the secret group, then their login should fail if
the Vendor-3076-Attr-146 = 0x554d44 pair is in the request.
This is pretty easy:
authorize {
...
if (Vendor-3076-Attr-146 == 0x554d44) {
if (SQL-Group == secret) {
On 07/02/2013 07:56 AM, Ming-Ching Tiew wrote:
So this [^@]*@wlan.mncX.mccY.3gppnetwork.org is unique ? All the SIMs
from the same mobile operator will have the same string and it will be
different from another mobile operator ?
Yes, though be aware the pattern given isn't exactly valid; X
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which uses
direct DICT_ATTR pointer comparisons in some places (instead of
comparing vendor/attribute number).
So... what *can* you do with Vendor-X-Attr-Y?
On 02/07/13 11:37, Arran Cudbard-Bell wrote:
On 2 Jul 2013, at 08:53, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 07/02/2013 07:52 AM, Arran Cudbard-Bell wrote:
This may work for 2.x.x but definitely won't work for 3.0 which
uses direct DICT_ATTR pointer comparisons in some places
On 28/06/13 08:14, Mathieu Simon wrote:
Second, I can't remember if mschap checks the acct control flags in authorize
or authenticate. If the latter you'll need to move away from using LDAP bind
for auth
Hmm, I guess that would require me studying the code :-\
I've just taken a look - sure
On 28/06/13 14:03, Arran Cudbard-Bell wrote:
On 28 Jun 2013, at 11:50, Phil Mayers p.may...@imperial.ac.uk
wrote:
On 28/06/13 08:14, Mathieu Simon wrote:
Second, I can't remember if mschap checks the acct control
flags in authorize or authenticate. If the latter you'll
need to move away
On 28/06/13 17:31, Mathieu Simon wrote:
The result was same when using radtest with -t mschap if that's what
you're pointing out.
Interesting. I would not have expected that.
On 26/06/13 12:54, Omer Faruk SEN wrote:
User Authentication for UserPassword
That's not a type of authentication.
For example, are you using EAP for 802.1x/Wi-Fi, and if so, which EAP
outer and inner methods?
Couple of things:
IIRC the account control flags are checked by the mschap module, which I see
is running before the LDAP lookup - try moving mschap after LDAP in authorise
Second, I can't remember if mschap checks the acct control flags in authorize
or authenticate. If the latter you'll need
On 24/06/13 12:47, nicolas@ricoh-industrie.fr wrote:
Hi list,
I'm searching the best way to configure an authorization based on
both Host + Username ( mschapv2 + /usr/bin/ntlm_auth) but not Host
*or* Username.
Is it possible to verify host with mschapv2 and if the module
On 24/06/13 14:09, nicolas@ricoh-industrie.fr wrote:
Thanks for your help.
We want two authorization in the same times, for example, to ensure that
user not used his iPhone with his DOMAIN/UserName account.
Sorry, but that's not currently possible. No EAP method supports it. In
theory
On 19/06/13 13:11, Marco Streich wrote:
When I run radtest from my laptop, the authentication is successful:
radtest does not send eap. Download the wpa_supplicant sources and
compile eapol_test to test EAP.
WARNING: No known good password was found in LDAP. Are you sure that the
user
On 19/06/13 13:28, adrian.p.sm...@bt.com wrote:
What I really need to do is proxy the inner message to another Radius
server which will do the authentication but I cannot get this to work.
Whatever I try, I always see an EAP-Message avp heading off to the
remote server. I have looked at the
On 19/06/13 14:54, adrian.p.sm...@bt.com wrote:
What I really need to do is proxy the inner message to another
Radius server which will do the authentication but I cannot get
this to work. Whatever I try, I always see an EAP-Message avp
heading off to the remote server. I have looked at the
On 19/06/13 15:32, Olivier Beytrison wrote:
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Some other comments -
Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
2.2.x.
Save yourself some round trip packets by setting default_eap_type
= ttls in eap.conf
Save yourself
On 06/14/2013 07:39 AM, Franks Andy (RLZ) IT Systems Engineer wrote:
Hi
Do I need to file a bug report or something?
No, the issue was raised on -devel
You can revert:
https://github.com/FreeRADIUS/freeradius-server/commit/4c3030db2743e682c58a0fba30b43d066f22beb0
...until a proper fix is
1 - 100 of 1979 matches