On 27/05/2010 10:46, Marco Jaraiz wrote:
hello,
i want to use expiration module to validate user account, but i need check
the expiration between two dates, init and finish date.
somebody help me.
As you already may know the expiration module only works for expiration
date.
When I
On 11/05/2010 10:09, htt thanh wrote:
Hi, I don't know why the user-password is encrypted, how can I make a
cleartext secret...;((
The problem is with your client shared secret: the secret you set in
/etc/raddb/clients.conf and in your NAS configuration.
It seems that you haven't set the same
freeradius-users@lists.freeradius.org
On Monday 19 April 2010 07:16:52 pm Thibault Le Meur wrote:
Please can you explain why you think it is obsolete ?
It addresses the configuration in single-file format rather than the
distributed file format that the current packaging (for Debian at least)
uses
Jonathan Hutchins wrote:
On Tuesday 20 April 2010 01:00:42 pm John Dennis wrote:
[pap] WARNING! No known good password found for the user. Authentication
may fail because of this.
[mschap] No Cleartext-Password configured. Cannot create LM-Password.
You have to either have a Cleartext
Is it possible to set up a new account on the wiki, or does that require an
administrator?
I wanted to mark the page http://wiki.freeradius.org/PopTop as obsolete and
applying only to the 1.x versions of freeradius. These are the instructions
I was originally following, and they distinctly do
Hi All,
I just wanted to mark this thread as resolved.
Alan DeKok wrote:
Yes. Others use multiple certs multiple EAP modules.
Thanks for this answer, this confirms that I'm on the right way.
Indeed it works now ;-)
I'll make more tests and will triple check my setup now I know
Hi Alan,
Thank you for your prompt answer.
Alan DeKok wrote:
Yes. Others use multiple certs multiple EAP modules.
Thanks for this answer, this confirms that I'm on the right way.
A quick look at FR debug logs confirms, as far as I can read them, that
the client is refusing the
Hi,
I'm about to change the CA of my radius server certificate. At the same
time I've installed a new wifi network and plan to change the SSID as
well (authentication is EAP-TTLS or EAP-PEAP).
In order to avoid a complete breakout when I change the certificate of
my radius server (because a
Hi,
I recently came up with a small issue concerning modules instances name
(especially when they set Auth-Type).
* I defined my own pap module with the name 'pap-myorg' and expected it
to set Auth-Type to PAP-MYORG, but in fact it wasn't setting the
Auth-Type at all (moreover I saw no
Hegedus Gabor wrote:
HI!
Can you help me,
I don't know how can i send back the client ip address to the openvpn
client.
The cisco vpn 3000 works correctly with cvpn3000 directory.
Are there any directory for openvpn?
or which return attrib name I can use?
This is a little off-topic for
Jack D. Martin Jr. wrote:
I wasn't questioning your skills - trust me. I have read many of your
responses on the list, you helped me deploy my server without ever talking
to me. I am just looking for a solution. Basically what I have is a
billing solution that automatically suspends
Peter Param wrote:
Hi all,
I'm trying to authenticate to a LDAPS backend but failing. Any suggestions?
Is it an LDAP server answering on LDAPS connections (LDAP+SSL on port
636) or an LDAP server answering on LDAP connections that are then
secured by Start-TLS (LDAP on port 389 +
Peter Param wrote:
it is an LDAP server answering on LDAPS connections (LDAP+SSL on port 636)
...but it also supports the latter even tho an acl is set to not allow port 389
use start_tls=no fails also,
Maybe but keep it to no
it seems to have a problem with the cert and/or cert
Alexandros Gougousoudis wrote:
Hi Ivan,
Try signing client certificates with the ca certificate. I have included
modified Makefile for 2.1.3. I have added make caclient.pem to
produce client certificates and cleanca to remove them. Try
importing caclient.p12 created this way onto the user
Michael Poser wrote:
Hello,
native wired xp 802.1X client with PEAP (mschapv2) tries to authenticate via
freeradius against openldap with an md4 encoded utf-16e password hash.
This is just not possible.
PEAP (mschapv2) requires you can read the user password either as a
cleartext password
Hi John,
Nice to meet you ;-)
John Dennis wrote:
John Dennis wrote:
Thibault Le Meur wrote:
T
I've searched and finally found out what occurred. I'm using Fedora
Core 9 and after the FR package update here is what occurred: a lot
of files including module files from the new RPM package
Hi Gurus,
I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some
authentications stop working.
For these specific authentications the ldap module is used to retrieve
the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is
used to compare the passwords (auto_header is
Thanks a lot for your answer,
[EMAIL PROTECTED] wrote:
I've just (auto)updated my FR from 2.0.5 to 2.1.1 and some
authentications stop working.
For these specific authentications the ldap module is used to retrieve
the password from LDAP (hashed with MD5 or CRYPT, ...), and then PAP is
used
Sending Access-Accept of id 177 to 127.0.0.1
port 51289
Finished request 0
Going to the next request
Great, then you've been authenticated by the LDAP server and the RADIUS
server is sending an Access-Accept message to your VPN server.
As far as FreeRadius
Sascha Kiefer wrote:
Hi,
Thanks to http://wiki.freeradius.org/PopTop i can authenticate my vpn
users
using a remote radius server using MS-CHAPv2
You're welcome ;-)
Passwords are stored in clear in the mysql database.
PopTop is responsible for the remoteip.
Everything works.
Now, is it
Alan DeKok wrote:
What am I doing wrong? Below I've copypasted config files of pptpd
radius and their debug logs.
sigh Do NOT post the FreeRADIUS dictionaries to this list. There
is nothing wrong with the dictionaries.
DO configure pptpd to point to the RADIUS dictionaries it
Hi,
hadi golestani wrote:
Hi,
I wana use freeradius to dynamically assign ip to my vpn clients.
so I defined an ip pool with the range of 10.3.3.1
to 10.3.3.255,
with the radtest command, I'm getting the ip in answer but while
trying to connect from
Terry Pelley wrote:
FreeRADIUS Version 1.1.7 on Novell SLES10
The question is simple but I can't seem to find the answer to it so I
will apologize in advance.
Can some one tell me the format for entering the date in the
Expiration attribute?
I'm using the users file to authenticate
Hi,
I currently have a IPSEC/L2TP setup that uses FreeRadius (for
Active Directory auth). Radius is handing out the IP
addresses to the clients. Is there a way to have it update my
DNS server so it can create reverse-dns entries for them?
Yes it is.
In acct_users make a rule that run
Hi,
Hi,
i would make this architecture:
- authentication EAP/PEAP with MS-CHAPv2 with users in LDAP
database. Better with encrypted password, but not necessary.
Either:
* use Clear-text passwords in the userpassword attribute
* OR add an Ldap attribute that will hold the NTLM hash
Basically trying to
figure out
what I need to add to these lines: groupname_attribute,
groupmembership_filter, and groupmembership_attribute. Also
not sure if
I need to add something to users file like: DEFAULT LDAP-Group ==
wireless. Can anyone provide input on what I need to
Hi Danny,
Let me correct just some things... can you confirm ?
After a lot of help from Thibault I was able to connect from xp client.
the causes for the problem was :
1.missing raddattr plug-in to option.pptpd
raddattr.so # after radius.so
2.un update dictionary (Microsoft
Hello everyone,
FreeRadius 1.0.1 from RHEL 4.
I get the following error (only shown in debug mode) after
1-2 weeks of
server working fine, without any issues:
rlm_ippool: Searching for an entry for nas/port:
172.25.254.218/9931392
rlm_ippool: No available ip addresses in pool.
# netstat -tunelup Aktive
Internetverbindungen (Nur Server) Proto Recv-Q Send-Q Local
Address Foreign Address
State Benutzer Inode PID/Program name
[...]
udp 0 0 192.168.100.207:1812 0.0.0.0:*
0
Thibault Le Meur wrote:
I've patched the radiusplugin to add Framed-IP-Address to
the re-auth
request but rlm_ippool still allocates a new IP Address
(I'm using FR
1.1.4).
Ok. It seems like rlm_ippool should be updated to look for
Framed-IP-Address in the request
What's the output of 'ps auxf' on your box?
Netstat will tell you what's using which port.
Do instead:
# netstat -tnp | grep 1812
example output:
tcp        0      0 192.168.30.107:49182    192.168.30.1:5222       ESTABLISHED 5938/gaim
And better if you have the lsof binary installed,
But the output now is:
rad_recv: Access-Request packet from host 127.0.0.1:1030,
id=65, length=54
Service-Type = Framed-User
Framed-Protocol = PPP
User-Name = peppeska
NAS-IP-Address = 127.0.0.1
NAS-Port = 0
authentication ?
If your pppoe server is a linux box, have you checked that the radiusclient
library contains the microsoft dictionary as I described in my previous
email ?
Regards,
Thibault Le Meur
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Very strange I didn't get this email ?
See my comments below:
Thibault Le Meur wrote:
But the output now is:
rad_recv: Access-Request packet from host
127.0.0.1:1030, id=65,
length=54
Service-Type = Framed-User
Framed-Protocol = PPP
Hi Alan,
I'd like to patch the openvpn-radiusplugin so that an extra
attribute
is sent in the Access-Accept packets so that FR will be able to
differentiate Initial and Renegotiation Access-Accept
requests and
only assign new IP address from the pool on Initial Access-Accept
and in the dictionary file:
$INCLUDE /etc/radiusclient/dictionary.microsoft
$INCLUDE /etc/radiusclient/dictionary.ascend
$INCLUDE /etc/radiusclient/dictionary.compat
$INCLUDE /etc/radiusclient/dictionary.merit
$INCLUDE /usr/share/freeradius/dictionary
Don't write $INCLUDE but
MMM damn! why freeradius don't want work with me?
It's not a Freeradius issue, but a ppp/radiusclient issue ;-)
P.S.
without the Default Auth-Type in the users file...it's the
same... If I put $INCLUDE instead INCLUDE... work like before...
Very strange I've got several
quote
I've been using OpenVPN + Ralf's Radiusplugin for several months and
recently moved away from server-side IP assignment. However, while I did use
it, I found that in my configuration FreeRADIUS only assigned new IPs when
the accounting for that user had stopped (ie, if it received a STOP
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of peppeska
Sent: Wednesday 21 March 2007 18:36
To: FreeRadius users mailing list
Subject: Re: RE : RE : RE : freeradius, ldap error - HELP ME!
-BEGIN PGP
but plog:
[EMAIL PROTECTED]:/home/peppeska# plog
Mar 21 19:21:18 applejack pppd[18527]: Plugin rp-pppoe.so loaded.
Mar 21 19:21:18 applejack pppd[18529]: pppd 2.4.4 started by root, uid 0
Mar 21 19:21:19 applejack pppd[18529]: PPP session is 6
Mar 21 19:21:19 applejack pppd[18529]: Using
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of peppeska
Sent: Tuesday 20 March 2007 10:34
To: FreeRadius users mailing list
Subject: freeradius, ldap error - HELP ME!
-BEGIN PGP SIGNED MESSAGE-
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to localhost:389, authentication 0
rlm_ldap: bind as cn=admin,dc=example/root to localhost:389
rlm_ldap: waiting for bind result ...
rlm_ldap:
Hi,
I'm using a system (openvpn) with 'radiusplugin' to let FR authenticate
users and manage IP Pools.
Openvpn sometimes needs to renegotiate the connections and thus sends
authentication requests while the connection is still active (with an
already assigned IP address): this causes FR to
Thanks for your reply,
Thibault Le Meur wrote:
Openvpn sometimes needs to renegotiate the connections and
thus sends
authentication requests while the connection is still
active (with an
already assigned IP address): this causes FR to assign a new IP
address from the pool (which
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Sam Schultz
Sent: Wednesday 14 March 2007 17:13
To: freeradius-users@lists.freeradius.org
Subject: Re: EAP-TTLS outer identity accounting
On Tue, 13 Mar
Hi,
I have 4 NAS-IP-Addresses.
My users are split into 6 groups (some are in multiple
groups): public, faculty, staff, student, vpn, and admin.
I would like the users to get access to the NAS by virtue of
being in a group.
192.168.1.1
admin
192.168.1.2
vpn
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On behalf of Marc Hultquist
Sent: Tuesday 20 February 2007 10:38
To: freeradius-users@lists.freeradius.org
Subject: New to FreeRadius, having a small issue
Hey Everyone, I am new to freeradius, and when
I didn't mean a mistake, but was wondering if my radiusclient had a
wrong mapping, that requests NT-password instead of
User-password (as an
example)
Here is the output from the radius server:
Ready to process requests.
rad_recv: Access-Request packet from host
Alan,
Thanks for your response.
We have tried to configure ttls as you suggested in your mail.
Unfortunately we have not succeeded.
To make things easier, we have tried to set up a completely new
configuration, with just one local user called test. Our Windows XP
client is using
At this time, I did a radiusd -X and saw the debug information scroll across
the screen, sitting at ready to process requests...
However, no requests are coming in. I am attempting this by connecting from
You say it yourself: no request reaches the Radius server.
I propose to check if the
2. Radius does not understand some attributes from client.
a) Jan 14 12:37:14 shata pppd[25046]: rc_avpair_gen: received
unknown attribute 25 of length 30:
0x333B0427013700010A1701C735C490B2116B014C
b) Jan 11 22:29:02 shata pppd[19185]: RADIUS: wrong service
type 4 for
It seems no mistakes in dictionary file. It is standard one
from RH distribution. BTW, freeradius use $INCLUDE, not
INCLUDE as you advised. With INCLUDE you will see something like
--
Wed Jan 17 14:48:41 2007 : Error: Errors reading dictionary:
dict_init:
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Marxy
Sent: Wednesday 17 January 2007 14:39
To: freeradius-users@lists.freeradius.org
Subject: Re: A couple of questions PoPToP+FreeRadius+IAS
Alan
Hi, i have one question:
Why when i try auth. by laptop-wifi over linksys then it's send that
request:
rad_recv: Access-Request packet from host 192.168.1.245:3072,
id=0, length=119
User-Name = rka
NAS-IP-Address = 192.168.1.245
Called-Station-Id =
Could you post this file ?
I have only:
eap {
default_eap_type = tls
tls {
tls_cacertfile = /etc/freeradius/cert/ca.pem
tls_certfile = /etc/freeradius/cert/radius.crt
tls_keyfile = /etc/freeradius/cert/radius.key
But, I don't completely understand PEAP, and how it relates
to MS-CHAP v2.
PEAP first establishes a TLS tunnel (and thus uses the freeradius eap 'tls'
module).
Then a new Request is sent protected by this TLS tunnel. This inner request
can be based on ms-chapv2 or another EAP method.
I want
authorize (returns ok) for request 2 Mon Jan 15 13:39:00 2007
: Debug: auth: No authenticate method
(Auth-Type) configuration found for the request: Rejecting
Is 'eap' listed in our authorize section? It should be since this is an EAP
request and Freeradius needs a way to set Auth-Type to
The issue is, I've done everything, a semi-competent Linux user with
Critical thinking skills should do, I've been methodical and
disciplined and persistent. Yet still, I cannot succeed at this. This
will make my University Career look bad. I just think I could use
another pair of eyes, maybe I
- Message from [EMAIL PROTECTED] -
Date: Sat, 13 Jan 2007 16:55:50 -0500
From: Evan Vittitow [EMAIL PROTECTED]
Reply-To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Subject: Re: FreeRadius IRC...
To: FreeRadius users mailing list
Working Dictionaries requested. Anyone with known working dictionaries?
Please stop changing the thread, it's hard to follow.
About your PPPd+Radius+MS-CHAP issue:
* On the freeradius server, get back to the standard dictionaries
files (in case you have modified them).
*On the VPN
Hi,
The issue with the VPNs is that even though Client Side PPP uses
MS-CHAP, FreeRadius is causing pppd to think its authenticating normal CHAP.
Jan 9 03:09:00 kurama pppd[12373]: Peer User failed CHAP authentication
rlm_mschap: Found LM-Password
rlm_mschap: Found NT-Password
rlm_mschap: No
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On behalf of Ackbar Joolia
Sent: Monday 8 January 2007 14:07
To: freeradius-users@lists.freeradius.org
Subject: MySql and calling-station-id help please
Dear all,
I want to do authentication based on
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On behalf of Tamba Ben-Jusu
Sent: Monday 8 January 2007 15:01
To: Freeradius-Users@lists.freeradius.org
Subject: Authomated Access Accept/Deny
Hi All,
I am running the freeradius server on an ubuntu
Marco Stuhl
Hello,
Is there a way to insert password in radacct table?
Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting
Request.
How do you want FR to know the User-Password attribute then ?
Thibault
-
Is there a way to insert password in radacct table?
Changing SQL query to insert %{User-Password} has no effect.
I don't think your NAS sends a User-Password attribute in the Accounting
Request. How do you want FR to know the User-Password attribute then ?
I agree on that one; still no
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On behalf of Marco Stuhl
Sent: Friday 15 December 2006 13:47
To: FreeRadius users mailing list
Subject: Re: RE : RE : rlm_sql: Password in Accounting Packet
Here's the scenario.
I'd like to make one
proposal
Thibault Le Meur wrote:
Enhancement proposal
Why not implement the NotBefore part in the FR server code as it is
already done for Expiration ?
Or, add a Date attribute, that will compare against the
current date. You can then use configurations
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Felipe Neuwald
Sent: Tuesday 12 December 2006 18:06
To: freeradius-users@lists.freeradius.org
Subject: MySQL: don't logging to radacct
Hi Folks,
I'm using
I post here a cleaner solution to my need, and propose the opportunity to
have an even better way to code this (but requires a patch).
The Goal
I wanted to be able to manage temporary accounts for guests:
* these accounts are created in advance, but mustn't be valid before a given
date
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Rafał Kamiński
Sent: Monday 4 December 2006 13:28
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius + Ldap + TLS/SSL
When i saw that error, i
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Erling Paulsen
Sent: Monday 4 December 2006 15:11
To: FreeRadius users mailing list
Subject: Problem cheking multivalued attributes in LDAP schemas.
I try to
-Original Message-
From: ganesh subramonian [mailto:[EMAIL PROTECTED]
Sent: Friday 1 December 2006 05:41
To: FreeRadius users mailing list
Cc: [EMAIL PROTECTED]
Subject: Re: RE : return user group information to radius client
hi
does that mean that sending/receiving of
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Sundaram Divya-QDIVYA1
Sent: Thursday 30 November 2006 23:51
To: freeradius-users@lists.freeradius.org
Subject: FreeRadius and LDAP
We don't use openldap or
-Original Message-
From:
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
.org] On behalf of [EMAIL PROTECTED]
Sent: Friday 1 December 2006 17:16
To: freeradius-users@lists.freeradius.org
Subject: differentiating radius attribute
Hi everybody,
I'm using freeradius to authenticate
Also, I am under the understanding that EAP-TLS does NOT
require a client side cert, and EAP-TTLS DOES require a
EAP-TLS requires both server-side and client-side certs.
EAP-TTLS requires only a server-side cert. The client-side authentication is
performed through an inner TLS tunnel and is
Is there some standard way of telling the
client that this user belongs to this group.If so how
do i set this on the radius server.
Several NASes support the Login-LAT-Group reply attribute for this purpose:
check with your NAS doc.
HTH,
Thibault
-Original Message-
From:
[EMAIL PROTECTED]
radius.org
[mailto:[EMAIL PROTECTED]
sts.freeradius.org] On behalf of Sean
Sent: Tuesday 28 November 2006 13:22
To: freeradius-users@lists.freeradius.org
Subject: Expiration
Hi,
Just a quick question. Is expiration := Never
I have a question with regard to expiration. I'd like to update the
expiration to a new date once a user logs in for the first
time. I've tried to add a query to the sql conf file where
the radacct table
gets updated when a user logs in, but I can't seem to add a
new query that is
I'm replying to myself because I found a very ugly solution to cope with my
needs: Have an account not available before a given date.
I post this here in case this could be useful to someone, and to get
feedback if others have found better way to achieve this.
At least the following checks
The inner request will magically show up after the tunnel has
been decoded. It
is a new request, and will have its own User-Name attribute.
Could you be more specific as:
* when did this feature appear ?
* how does this differ from previous versions ?
Indeed, I found out that with the
into an Access Accept reply? Why on earth would I want
this? Well, I
would like to i.e. give a guest-net Vlan back to users that actually
fail authentication, so that when they try to access the web
they will
instead get connected to a redirected guest-information webpage.
I haven't
Thibault Le Meur [EMAIL PROTECTED] wrote:
Indeed, I found out that with the latest release of FR, the debug
isn't the
same: previously (FR 1.0.1), I was able to read the
Tunneled inner-request
and attributes (with inner user name and password...) and
the complete
process
And, lastly, did you set copy_request_to_tunnel in eap.conf?
Don't, because
then your real inner user name gets overwritten by the outer one.
Strange... I've set copy_request_to_tunnel and I haven't seen my inner
User-Name be overwritten !
Are you sure it would overwrite the inner User-Name
Thibault Le Meur [EMAIL PROTECTED] wrote:
Strange... I've set copy_request_to_tunnel and I haven't seen my inner
User-Name be overwritten !
Doing that would be wrong. FreeRADIUS doesn't do that.
I know, It would have broken my setup ;-)
And, lastly, did you set
Why the command radiusd -A work fine and not
/etc/init.d/raduisd start ???
When you run 'radiusd -A' (I suppose you're root), you are running the
radius Server as Root.
When you run /etc/init.d/radiusd start, it switches to the 'radiusd' user
identity (in FC5).
So it is possible that you
freeRadius than calls accounting_stop_query located in
sql.conf and UPDATES the radacct table and its attributes
with all these new values.
What I'd like to do now is to execute a personalised sql
query right after this default accounting_stop_query so that
I could save/modify all
However you can instantiate a new sql module in sql.conf:
sql my-sql-acct {
...
Accounting_stop_query = MY Customized SQL query
}
Then in your radiusd.conf accounting section:
accounting {
sql
my-sql-acct
}
I tried this and freeRadius hangs at startup and says my-sql-acct: Unknown
Module.
My actual problem relates to the following errors, pulled
from radiusd -X:
[/etc/raddb/users]:214 WARNING! Check item Pool-Name found
in reply item list for user DEFAULT. This attribute MUST
go on the first line with the other check items
The offending rules are in users:
As you
I'm a bit confused on this one.
I want my users vlan'd based on their affiliation (ie, staff,
student) In my radiusd.conf file, under ldap, I've put:
groupmembership_attribute = eduPersonPrimaryAffiliation
That's a good start, but sending the whole ldap configuration section would
My ldap section from radiusd.conf looks like:
ldap {
server = ldapserver.net.org
identity = uid=name,dc=net,dc=org
password = password
basedn = ou=stuffdc=net,dc=org
filter =
I think part of my problem is that I do not have the vlans defined in the
Access Point. I incorrectly assumed that the AP would receive the vlan info
from the Radius server, and tag all outgoing packets from the wireless
client with that tag. However, I'm starting to think that that is
I have noticed in my log's this error and do not know what it
means, or
where to look to start fixing it..
rlm_eap_tls: Length Included
Mon Sep 25 08:58:16 2006 : Error: TLS_accept:error in SSLv3 read
client certificate A
I suppose you are using the EAP-TLS module to proceed
Thibault Le Meur [EMAIL PROTECTED] wrote:
* the inner PAP authentication is processed by the ldap module in
which I don't need to define which password hashing method is used (I
use at least CRYPT _and_ MD5 in the same directory for historical
reasons)
Version 2.0 has fixes that make
On Fri 22 Sep 2006 10:52, Thibault Le Meur wrote:
Thibault Le Meur [EMAIL PROTECTED] wrote:
* the inner PAP authentication is processed by the ldap module in
which I don't need to define which password hashing method is used (I
use at least CRYPT _and_ MD5 in the same directory
Thanks, in fact I know that by using the development version I could
have a test at the 2.0 branch, but I'm a little frightened
to test it
in my production environment...
I just want to correct my words because I don't want users on the list to
misunderstand my meaning: I think the CVS
I don't know if my chiming in will make a difference or not.
But windows can authenticate with a machine certificate or a user
certificate
If you're doing the machine certificates, please say so, I'm a little
confused as to what exactly you are doing now.
I don't know if you're asking
Hi,
it works now. Thanks Thibault, you saved my day, again! :-)
You're welcome
- the extension SubjectAltName must contain the Netbios name of the
PC (I think)
This had no meaning in my tests. Anyway, there must be chosen a type
of that field. Did you take DNS-Name, Email or Raw?
I use