RE: configure freeradius to use UPN instead of samaccountname

2013-10-14 Thread stefan.paetow
You might want to do an LDAP lookup first on your UPN to find the samAccountName, then use that with ntlm_auth. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf

RE: clone break freeradius

2013-10-11 Thread stefan.paetow
) account for the original machine from Active Directory. Then retry the net join command for both machines. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of trevor

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
authentications (as Microsoft call it) - but I'm also looking at samba4 - as it has a new option that will balance ntlm_auth against all known boxes rather than the first box it latches onto - to spread the load. Samba 4 is lurvely... apparently 100% compatible with existing AD

RE: Generating timing stats for ntlm_auth

2013-10-10 Thread stefan.paetow
it can also BE an AD master etc. anyway, you don't know how tempting it was to yum install samba4 on our production system ;-) Indeed. That's exactly what I'm using it for. :-) I'd certainly like to see some samba3.x versus samba4 benchmarks in this sort of context Yes, versus Windows 2008

RE: Version 3.0.0 has been released

2013-10-08 Thread stefan.paetow
Congratulations! Thank you again for all of the countless hours you spend on improving the best and most flexible RADIUS server. One question though - is there a typo in the V2 upgrade link below? When I click on it I get a 404 error.. Upgrading instructions are available here:

RE: What does FR 2.2.2 fix?

2013-10-04 Thread stefan.paetow
Yep, those are the ones. :-) Stefan Hmm like these then? Fri Oct 4 11:24:12 2013 : Info: WARNING: Child is hung for request 17630 in component core module thread. Fri Oct 4 11:24:13 2013 : Info: WARNING: Child is hung for request 17635 in component core module thread. Fri Oct 4

RE: Running RADIUS in permanent debug mode with rotating log

2013-10-03 Thread stefan.paetow
How can we run radiusd -x logname such that we have different logname for each day? Clement, may I suggest a cron job? At midnight, move the log, kill and restart the radius server with a new log in the name? Of course you run the risk of possibly killing any authentication attempts that

RE: Active Directory Group Membership filtering query

2013-10-01 Thread stefan.paetow
Simon, Did you enable the 'ldap' entry in the authorize section(s) of your default and inner-tunnel servers? It is commented out by default. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
In the eap section, the default is md5, set it to ttls And Roberto, you've emailed the entire FreeRADIUS mailing list. :-) Stefan -Original Message- From: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users- bounces+stefan.paetow

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
supports other methods (like EAP-TLS and PEAP with EAP-MSCHAPv2). Stefan -Original Message- From: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Roberto Carna

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
But in the EAP-TLS section from eap.conf file, I don't see any reference to MSCHAPv2... and remember the NTLM authentication query is set up in the MSCHAPv2 module EAP-TLS does not use MSCHAPv2. It uses certificates. I quote Alan DeKok's response to your question on September 18:

RE: Active Directory authentication question

2013-09-24 Thread stefan.paetow
You need the following items on your Debian system to build eapol_test: libssl-dev, libnl1, libnl-dev :-) Stefan -Original Message- From: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users- bounces+stefan.paetow=diamond.ac

RE: Active Directory authentication question

2013-09-19 Thread stefan.paetow
What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work... and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication... is it OK??? Roberto, you don't have to remove EAP-TLS to support

RE: free radius setup

2013-09-11 Thread stefan.paetow
The alternative is getting your users to install something like SecureW2 (which I believe requires a license now), and using EAP-TTLS-PAP which submits the user's password in plaintext, or I believe more recent flavours of Windows support EAP-TTLS too. If I remember correctly, when using

RE: free radius setup

2013-09-11 Thread stefan.paetow
That's because EAP-TTLS/PAP doesn't use EAP on the inner tunnel. Just PAP. So default_eap_type is irrelevant. You support EAP-TTLS/PAP by ensuring PAP is working in the inner tunnel - by populating a cleartext or hashed password and calling the pap module in the authorize/authenticate

RE: [ANN] Version 3.0.0-rc1

2013-09-06 Thread stefan.paetow
I shall try a RHEL6/CentOS6 compatible build tomorrow or Monday. Shouldn't be a problem. John D, I'll update my tag, you guys will probably do the same. Regards Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

RE: Checking TLS-Cert-* and accept/reject based on them

2013-08-29 Thread stefan.paetow
Agreed on the support contract thing. If something is apparently unsupported when it's broken, just run the supported version on a test system, reproduce the problem, and go from there. If you know the problem is to do with the newer features, forget the paid support and ask here like you

RE: how to limit the repeating ldap lookups

2013-08-28 Thread stefan.paetow
Yes, Alan B had some comments about that IIRC... I think Apple these days expect administrators to use the Apple iPhone Configuration Utility to create a network profile and import that into your 802.1X settings. Bizarre, but there you are. Stefan -Original Message- Fine, yes,

RE: rlm_python

2013-08-21 Thread stefan.paetow
12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was Well... as Alan says, upgrade. Particularly if you know. There is no 'out of the box' version for upgrade on Ubuntu 12 at this point short of having to compile it ourselves, that is (situation is similar to CentOS 6 where the last

RE: rlm_python

2013-08-21 Thread stefan.paetow
Building your own packages on Debian/Ubuntu is trivial. There's really no excuse not to run the latest code. Matthew, I agree with you, but not when the policy is to only use what is published on vendor (i.e. Ubuntu) repositories. But, like I say, that's not a discussion appropriate for the

rlm_python

2013-08-20 Thread stefan.paetow
Hello all, I'm currently attempting to use rlm_python to query LDAP (with python-ldap) and then return an XML string in a VSA (SAML-AAA-Assertion). However, when I try to load it, I get the dreaded undefined symbol: PyExc_SystemError error. This is on Ubuntu 12 with, I know, I know, FreeRADIUS

RE: Realm attribute population

2013-07-25 Thread stefan.paetow
: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 25 July 2013 01:47 To: FreeRadius users mailing list Subject: Re: Realm attribute population stefan.pae

Realm attribute population

2013-07-24 Thread stefan.paetow
Hi, After FreeRADIUS 2.10, we had to replace the DEFAULT {} stanza with the below in proxy.conf to ensure that the Realm attribute was correctly populated: realm ~.+$ { authhost = host to deal with other realms : : } Is that still necessary for FR 3.0? I'm just updating

RE: [ANN] Version 3.0.0-rc0

2013-07-23 Thread stefan.paetow
Thanks, John. I'll use that SPEC as base for CentOS 6.x packages :-) Regards Stefan -Original Message- From: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf

RE: certificate expiration problem

2013-07-19 Thread stefan.paetow
Have you opened the certificates you believe to be the latest in something else (like Windows perhaps) and checked that the expiry dates of these certificates is correct? And have you checked that your server's time is correct too? Stefan From: freeradius-users-bounces+stefan.paetow

RE: [ANN] Version 3.0.0-rc0

2013-07-17 Thread stefan.paetow
Sorry John, But you do have a tools package. It's called freeradius-utils. :-) I'd guess radattr probably fits nicely into that. Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [freeradius-users-bounces

RE: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread stefan.paetow
the mschap and ntlm modules as per standard FreeRADIUS wiki articles on AD authentication should be sufficient to be able to authenticate the users in your LDS. :-) Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow

RE: [ANN] Version 3.0.0-rc0

2013-07-11 Thread stefan.paetow
Did you mean https://github.com/FreeRADIUS/freeradius-server/archive/release_3_0_0_rc0.tar.gz ? I'm afraid I'm getting a build error (from fresh): HEADER src/include/features.h HEADER src/include/missing.h HEADER src/include/tls.h CC jlibtool.c CC src/lib/dict.c CC src/lib/filters.c CC

RE: [ANN] Version 3.0.0-rc0

2013-07-11 Thread stefan.paetow
Hi Arran, thanks, that's built now. All, CentOS-compatible RPMS, SRPM and .tar.bz2 are at: https://www.dropbox.com/sh/sbqyy7gvzrd3egt/rCKE7aMnku/FreeRADIUS Regards Stefan -Original Message- From: freeradius-users- bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

RE: Building RPMS from main branch 3.x release

2013-06-25 Thread stefan.paetow
. :-) Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Divyesh Raithatha Sent: 21 June 2013 20:19 To: FreeRadius users mailing list Subject: Building RPMS from main

RE: Log auth message

2013-06-21 Thread stefan.paetow
Answer is simple, I don't know how :) ( I don't have proper skills ) http://beej.us/guide/bggdb/ Thanks for that Arran, It'll come in handy for Moonshot testing here. :-) Stefan -- This e-mail and any attachments may contain confidential, copyright and or privileged material, and

Freeradius 3.0 build process different from 2.0?

2013-06-14 Thread stefan.paetow
Hi, I have more a development question for Arran/Alan D about the build process for FR 3.0... has it changed significantly compared to v2.2.0? The reason I ask is that I would like to get started on a 3.0 build spec for CentOS (since the last version for CentOS 6.4 is v2.1.12, and 2.2.0 is

RE: module-failure-message in exec module

2013-06-07 Thread stefan.paetow
-Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Franks Andy (RLZ) IT Systems Engineer Sent: 07 June 2013 13:47 To: FreeRadius users mailing list

Quick question about $ variables

2013-05-28 Thread stefan.paetow
Hi all, I've been looking at using ${...} variables wherever I can and so far it's been relatively successful. The only place where I am stuck is using some comparisons, e.g. if (%{Attribute} == ${variable}) { ... } The Attribute portion expands, the $-variable part does not (although it is

RE: Quick question about $ variables

2013-05-28 Thread stefan.paetow
Thank you very much for the quick answer, Alan. :-) Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 28 May 2013

RE: Limit ADSL speed using radius?

2013-05-21 Thread stefan.paetow
Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Cooper, Tom Sent: 21 May 2013 11:34 To: FreeRadius users mailing list Subject: Re

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can configure all supported options in there. Regards Stefan From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. According to this conversation: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html - FR does support PEAP-EAP-TLS :-) Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

RE: Limit ADSL speed using radius?

2013-05-20 Thread stefan.paetow
-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Cooper, Tom Sent: 20 May 2013 13:07 To: freeradius-users@lists.freeradius.org Subject: Re: Limit ADSL speed using radius? We are in South Africa

RE: Unlang clarification

2013-05-20 Thread stefan.paetow
exists in the reply (which is fair enough, the reply shouldn't need to ship a username around in plain-text). Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac

RE: Bug in CUI generation? Is this a known issue?

2013-05-14 Thread stefan.paetow
Thank you, Alan. :-) Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 13 May 2013 17:28 To: FreeRadius users mailing

Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
I'm playing around with CUI generation with FreeRADIUS 2.2.0 and discovered something odd. In policy.conf I've set cui_require_operator_name = 1 and cui_hash_key = 4c2982f2f3b1dc4804994cf386db8c0a34d4ab2a. As you can see it's a 32-character string and it looks like a hash. In radiusd -X

RE: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
in cui_hash_key work or would it still cause the expand: portion to give me an empty value? Regards Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org

RE: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread stefan.paetow
Thank you :-) Regards Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Matthew Newton Sent: 10 May 2013 12:13 To: FreeRadius users

RE: rlm_ippool vs rlm_sqlippool

2013-04-30 Thread stefan.paetow
: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of George Chelidze Sent: 30 April 2013 10:57 To: FreeRadius users mailing list Subject: rlm_ippool vs rlm_sqlippool Greetings

Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Hi, We're trying to put together an EAP-TTLS authentication solution with another open-source authentication server (Jasig CAS). We've found that only the first authentication process succeeds, but everything else after fails. In order for us to pinpoint whether this is a problem in the CAS

RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
in question. Regards Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 29 April 2013 14:08 To: FreeRadius users mailing

RE: Question about EAP-TTLS session resumption

2013-04-29 Thread stefan.paetow
Thanks again for the confirmation, Alan. :-) Stefan -Original Message- From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 29 April 2013 15:35