Pshem Kowalczyk wrote:
Are the packets read from detail file sent sequentially, waiting for
each individual response before sending next packet, or are the
packets sent in groups, and then potentially the re-try occurs for
those that didn't receive the reply?
Yes.
Studying the packet
Now I'm trying to return different reply attributes
depending on Active Directory group membership and restrict
which groups can authenticate. Ldap lookups against the
active directory root fail with operation error.
Reconfiguring Active Directory is not a viable option so I
have to
Leighton Man wrote:
I've upgraded to 2.1.3 but, sorry, I'm really struggling with the concepts.
I can't do if Ldap-Group because there is no container in Active Directory
above staff and student to query.
What I think I need is:
if ldap_staff returns ok {
update reply{
Hi List,
I have quite an interesting problem. And I don't think it's
freeRADIUS-related, but I hope somebody else already had the same issue and
can give me a hint. Also a hint where to dig / ask would be very nice...
Okay, the setup:
I'm using freeRADIUS as 802.1x/PEAP authenticator for our
This version comes 3 months after 2.1.3, which is a bit more of a
delay than we would like. However, it includes a number of minor bug
fixes, and some interesting new features.
The best new feature is one that has been needed for a long time. The
(easy) ability to see debugging output from
For those who are interested in setting up PEAP/MSCHAP under Freeradius
2.14, I wrote a simple how-to.
I hope it could help someone. :)
INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
===
OS :
===
- Ubuntu Server 8.10
==
SWITCH:
==
- HP 2600
==
Pre-requires :
This is great, Alan! This is the exact answer I wished to hear.
Thanks again for your help.
Alan DeKok-2 wrote:
leopold wrote:
I want to keep NAS table replicated in redundant SQL servers for failover
reasons, is this fair?
Yes.
How do you propose solving SQL NAS table replication
hi,
nice - a good compendium of other resources to make a complete task.
one small quirk though, you say it's for FR 2.14 - in fact, it's for
FR 2.1.3 - (2.1.4 isn't yet released)
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
A.L.M.Buxey wrote:
one small quirk though, you say it's for FR 2.14 - in fact, it's for
FR 2.1.3 - (2.1.4 isn't yet released)
modified :) thx!
Hi,
one small quirk though, you say it's for FR 2.14 - in fact, it's for
FR 2.1.3 - (2.1.4 isn't yet released)
correction - 2.1.4 is out - I've finally caught up with today's
email - but your guide references 2.1.3 and downloads 2.1.3
- hope that helps! :-)
alan
On Sun, 4 Jan 2009, Alan DeKok wrote:
Mike Diggins wrote:
How do I stop it from sending the same Reply message when the user
enters an incorrect password. Right now the Reject responds like this:
Sending Access-Reject of id 22 to 192.168.2.2 port 1025
Reply-Message = Group=NetWorkers
I would like to have an ldap group that is another instance of ldap
(selected by departmentNumber), but I don't see how to add it into the
configuration (users file).
ldap everyonePlusMacs {
server = ldap
basedn = dc=example,dc=com
filter =
Hi,
Can anyone tell me when the next freeradius release is due?
Regards,
Clare Scally.
Today :)
On Tue, Mar 10, 2009 at 3:28 PM, Clare Scally clare.sca...@eircom.net wrote:
Hi,
Can anyone tell me when the next freeradius release is due?
Regards,
Clare Scally.
Hi Leosi,
For those who are interested in setting up PEAP/MSCHAP under Freeradius
2.14, I wrote a simple how-to.
I hope it could help someone. :)
INSTALLATION PROCESS: FREERADIUS 2.14 (PEAP – MSCHAP)
===
OS :
===
- Ubuntu Server
On 10.03.2009 at 15:28, Clare Scally wrote:
Hi,
Can anyone tell me when the next freeradius release is due?
If you mean 2.1.4, it has been released today.
Regards,
Clare Scally.
Nicolas
On 10.03.2009 at 13:17, Alan DeKok wrote:
This version comes 3 months after 2.1.3, which is a bit more of a
delay than we would like. However, it includes a number of minor bug
fixes, and some interesting new features.
The best new feature is one that has been needed for a long
time.
see man unlang. The syntax and examples are documented.
Read it many times. The problem is not the documentation, which is great, but
my understanding which isn't!
I'm working on it but finding it heavy going.
...
ldap_staff
if (ok) {
update reply {
...
Hi,
I'm looking for the best way of configuring freeradius (either version
1.1.3 or version 2.1.1) with two separate LDAP configurations.
The reason for this, is we've got two different NAS' (VPN client and
WIFI) both querying freeradius with LDAP backend for authentication and
authorization,
Nicolas Goutte wrote:
FreeRADIUS 2.1.4 Thu Dec 25 17:40:00 CEST 2008; , urgency=medium
Just a nitpick: the date above is probably the one of 2.1.3 (around three
months ago) and not the date of today.
Whoops.. missed that. Oh well. It's not critical.
Alan DeKok.
Hi,
I couldn't reach bug.freeradius.org, so I'm reporting this here. There
is a typo in src/freeradius.devel/rad_assert.h:
#elsif !defined(FR_SCAN_BUILD)
should be
#elif !defined(FR_SCAN_BUILD)
HTH
-John
Alan DeKok wrote:
This version comes 3 months after 2.1.3, which is a
In 2.1.3 you can use unlang and not need huntgroups at all. Read man
unlang on freeradius site.
Thank you for answer Ivan. I'm thinking about upgrading of 2.1.3 or
2.1.4 but I'm not really sure how to transform my huntgroups and users
configuration in unlang. I read the documentation but I
Alan DeKok wrote:
This version comes 3 months after 2.1.3, which is a bit more of a
delay than we would like. However, it includes a number of minor bug
fixes, and some interesting new features.
Thank you Alan and everyone else for the new release, your community
efforts are very much
On Tuesday, 10 March 2009 16:32:32, John Center wrote:
Hi,
I couldn't reach bug.freeradius.org, so I'm reporting this here. There
is a typo in src/freeradius.devel/rad_assert.h:
#elsif !defined(FR_SCAN_BUILD)
should be
#elif !defined(FR_SCAN_BUILD)
HTH
-John
Alan DeKok
Michael Schwartzkopff wrote:
I reported a bug in the create-users.pl create users script. Since
bugs.freeradius.org was not reachable I reported the bug here in the list.
But the solution is not included in the new version.
That fix is pending based on other changes to create-users.pl.
John Dennis wrote:
I noticed a couple of small problems in building the new release. There
was an incorrect #elif in radassert.h which causes the compile to fail
(it was a typo #elsif). The Makefile in etc/raddb contained a dangling
reference otp.conf which is no longer present. I've included
hi,
thanks for the rad_assert pointers etc. still coming a cropper
on another part of the build process:
gmake[6]: Entering directory
`/usr/src/freeradius-server-2.1.4/src/modules/rlm_smsotp'
gmake[7]: Entering directory
`/usr/src/freeradius-server-2.1.4/src/modules/rlm_smsotp'
gmake[7]: ***
a.l.m.bu...@lboro.ac.uk wrote:
thanks for the rad_assert pointers etc. still coming a cropper
on another part of the build process:
Arg. I don't usually build with experimental modules, so I didn't
catch that.
suggest that some of us are called in (like cattle? ;-) ) when the release
is
Hi,
I'll re-spin 2.1.4, unless there are objections.
for reference, i did the old classic 'rm -rf src/modules/rlm_smsotp'
and 'make install' then worked (it was the install part failing with that
message, not the main make process). it built. it runs fine (after
blowing away the old
a.l.m.bu...@lboro.ac.uk wrote:
hi,
thanks for the rad_assert pointers etc. still coming a cropper
on another part of the build process:
gmake[6]: Entering directory
`/usr/src/freeradius-server-2.1.4/src/modules/rlm_smsotp'
gmake[7]:
I'm just getting back to this problem. I'm lost as to how to implement
either of these solutions. To summarise, I want to either remove, or just
not send, any Reply-Message when the user fails authentication. Where
would I put this attr_filter to delete it, and what does the attr_filter
look like?
Alan DeKok wrote:
It's about time we have a formal testing process. I have some hosted
machines with spare cycles.
I'll install CruiseControl...
Nope.
After a quick review of continuous integration systems:
- few integrate with git
- most integrate with other build systems (Ant,
On Tue, 10 Mar 2009, t...@kalik.net wrote:
I'm just getting back to this problem. I'm lost as to how to implement
either of these solutions. To summarise, I want to either remove, or just
not send, any Reply-Message when the user fails authentication. Where
would I put this attr_filter to
Hi,
Is CPPFLAGS used? I see it defined in Make.inc, but I don't see it
actually used. I've been adding it to CFLAGS to make sure it gets included.
Thanks.
-John
Alan DeKok wrote:
This version comes 3 months after 2.1.3, which is a bit more of a
delay than we would like.
John Center wrote:
Is CPPFLAGS used? I see it defined in Make.inc, but I don't see it
actually used. I've been adding it to CFLAGS to make sure it gets
included.
It's not used anywhere.
Alan DeKok.
Leighton Man wrote:
Logic now working correctly - Many thanks
Final problem is to return reply attributes in the access accept message. As
a test I added Reply-Message := User is staff in the update reply section
and the server duly added it to the next access challenge message. I assume I
Thanks to Alan, we are now running freeRADIUS 2.1.3 on our
embedded network controller.
The problem is that now it is less stable than the 1.1.7
version we had been using.
Again, I am sure our config is screwed up.
For example, the 'radius.log' file contains dozens of files
saying:
Error:
Sorry, it's %{reply:User-Name}. From man unlang about strings:
Double-quoted strings are expanded by inserting the value of any
variables (see VARIABLES, below) before being evaluated. If the result
is a number it is evaluated in a numerical context.
..
Single-quoted strings are
Chhaya, Harshal wrote:
For example, the 'radius.log' file contains dozens of files
saying:
Error: Discarding duplicate request from client test-net
port - ID: XX due to unfinished request YYY
So... find out what's blocking the server, and why.
The config uses a flat file with
Is that possible that I keep my huntgroups for all clients with
IP-Addresses and write a conditions only for network masks?
That would probably be the best. You might benefit from using sql
huntgroup implementation (pull IP's from the database):
http://wiki.freeradius.org/SQL_Huntgroup_HOWTO
I have quite an interesting problem. And I don't think it's
freeRADIUS-related
You are correct. It's an AD problem. Something is wrong with the schema
for those imported accounts. SAM-Account-Name should be of the type
ADSTYPE_OCTET_STRING (case insensitive unicode string).
Ivan Kalik
Kalik
I'm looking for the best way of configuring freeradius (either version
1.1.3 or version 2.1.1) with two separate LDAP configurations.
Create multiple ldap instances:
ldap wifi {
..
}
ldap vpn {
..
}
That works for any module.
Ivan Kalik
Kalik Informatika ISP
I would like to have an ldap group that is another instance of ldap
(selected by departmentNumber), but I don't see how to add it into the
configuration (users file).
This is documented:
http://wiki.freeradius.org/Rlm_ldap#Group_Support
Ivan Kalik
Kalik Informatika ISP
I've read that, I just can't seem to make it work, I'm missing
something, but can't figure it out.
instantiate {
ldap NIE {
server = ldap
basedn = dc=lanl,dc=gov
filter = ((departmentNumber=NIE-2)(uid=%{User-Name}))
...
}
Alan,
Find out which module is blocking the server, and why.
Okay, here is a newbie question: How do I do this?
The embedded network controller should be able to
support up to 50 concurrent wireless clients using WPA2-PEAP.
Here is my config:
(One thing that struck me as I was copying
Hi Alan,
Another thing I noticed, if you set WITH_VMPS=no, it isn't consistent:
listen.c, line 1795: undefined symbol: RAD_LISTEN_VQP
cc: acomp failed for listen.c
gmake[4]: *** [listen.lo] Error 1
This code is not surrounded with #defines:
if (this->type ==
Hi,
2009/3/10 Alan DeKok al...@deployingradius.com
The best new feature is one that has been needed for a long time. The
(easy) ability to see debugging output from a live server. You can
now do this via the raddebug command.
Brilliant feature - however I needed to mod the shell
Ivan/Alan,
Other than killing radiusd are there any other solutions to force radius to
drop request if all databases cannot be reached ?
With the latest release 2.1.4 my failover works fine, but still if there is
a network issue connecting to ALL Databases I do not see any practical
reason
Hi Alan,
Compiling for 64-bit Solaris 10 (SPARC) using Sun Studio 12, see the
following warnings (with appropriate lines):
ttls.c, line 78: warning: integer overflow detected: op "<<"
if ((length & (1 << 31)) != 0) {
ttls.c, line 217: warning: integer overflow detected: op "<<"
I've read that, I just can't seem to make it work, I'm missing
something, but can't figure it out.
instantiate {
ldap NIE {
server = ldap
basedn = dc=lanl,dc=gov
filter = ((departmentNumber=NIE-2)(uid=%{User-Name}))
...
}
Find out which module is blocking the server, and why.
Okay, here is a newbie question: How do I do this?
Run server in debug mode (radiusd -X).
Ivan Kalik
Kalik Informatika ISP
Did anyone ever find out if the samba guys fixed the problem with ntlm_auth
returning the NT_KEY that was causing XP's 802.1x client to barf?
Thomas E. Casartello, Jr.
Staff Assistant - Wireless Technician/Linux Administrator
Information Technology
Wilson 105A
Westfield State College
Rupert Finnigan wrote:
Brilliant feature - however I needed to mod the shell script. Path to
radmin was set to
/Users/alandekok/git/2_1_x.git.freeradius.org/src/main/
http://2_1_x.git.freeradius.org/src/main/. Hardly the end of the
world, but thought I'd mention it.
Damn it... that makes
leopold wrote:
For my situation since radiusd keeps everything in DB and if ALL databases
cannot be contacted the radiusd should not respond at all.
Is there any way to force radiusd to drop request and not to respond with
Access-Reject?
Try something like this:
authorize {
...
Chhaya, Harshal wrote:
Alan,
Find out which module is blocking the server, and why.
Okay, here is a newbie question: How do I do this?
As suggested, debug mode is a start.
The embedded network controller should be able to
support up to 50 concurrent wireless clients using WPA2-PEAP.
John Center wrote:
Hi Alan,
Another thing I noticed, if you set WITH_VMPS=no, it isn't consistent:
listen.c, line 1795: undefined symbol: RAD_LISTEN_VQP
cc: acomp failed for listen.c
gmake[4]: *** [listen.lo] Error 1
OK. I'll fix that. It shouldn't affect anything else, though.
John Center wrote:
Hi Alan,
Compiling for 64-bit Solaris 10 (SPARC) using Sun Studio 12, see the
following warnings (with appropriate lines):
ttls.c, line 78: warning: integer overflow detected: op "<<"
if ((length & (1 << 31)) != 0) {
Hmm... un-typed numbers are int, but that
This is a new installation using openssl0.98j and freeradius 2.1.3.
I get this error when running in debug mode: radiusd: symbol lookup error:
/usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol: SSL_CTX_set_info_callback
prior to running in debug mode, I ran ./bootstrap under freeradius/certs