Jason Alderfer wrote:
Well, the example above is really just a test case. For the decision I
actually need to make based on Ldap-Group unlang is so much better.
Well... yes.
So I
made a hack which solves my problem but I don't think it will work for all
compare functions. I attached it
Hello List,
I have asked this before
(http://readlist.com/lists/lists.freeradius.org/freeradius-users/1/7788.html)
and Alan DeKok did say that I should place those accounting packets in a
different Acct-Type, but that was when I did not wish to log the
information but I now need to log the
Hey Tuc,
Regarding your issue, check the radiusd.conf file, in the modules{} section
for
the pap module settings, you probably have it set to encryption_scheme =
crypt, if so, change it to clear.
Also, daloRADIUS was built to be an SQL-based platform for managing
everything
though it is roughly
Etienne Pretorius wrote:
I need to know why the radrelay application stops replication when it
comes across a 0 session length packet.
Because the RADIUS server says that the accounting packet was not
processed, so radrelay tries to send it again. This is what a NAS does
when it does not
Hi,
Hello List,
I have asked this before
(http://readlist.com/lists/lists.freeradius.org/freeradius-users/1/7788.html)
and Alan DeKok did say that I should place those accounting packets in a
different Acct-Type, but that was when I did not wish to log the
information but I now need to
Hi Alex,
I used JRadius around a year ago, and it is the way to go, JRadius only
builds a layer on top of FreeRadius though, it is not a standalone
RADIUS server, as is FreeRadius for example. It will allow you to
create handlers written in java using the existing JRadius packages to
deal
Hi!
Is it possible to run freeradius in debug mode to have all
debug (clients request) information in log file. It is not usable to have
open console with freeradius -Xf command.
Thanks
Alexey
-
List info/subscribe/unsubscribe? See
Alan DeKok wrote:
Etienne Pretorius wrote:
I need to know why the radrelay application stops replication when it
comes across a 0 session length packet.
Because the RADIUS server says that the accounting packet was not
processed, so radrelay tries to send it again. This is what a
hi kalik,
After a long pause, I've successfully done my authorization of
my radius server by using digest and perl authentication in mixed mode, as
per your advice I put the digest entry first before the perl authentication
in the default file, and after that I've put a line of perl
Hello!
I'm using a FreeRadius setup (V 1.1.3-3 from Debian etch) with the MySQL
Backend for authorize and accounting. RADIUS packets are coming from
another company, which /probably/ has a Proxy for their delivery
front-end servers.
This setup usually works fine, but on some days I see spikes
Hi,
Hi!
Is it possible to run freeradius in debug mode to have all
debug (clients request) information in log file. It is not usable to have
open console with freeradius -Xf command.
redirect the output to a log file instead then...
eg
radiusd -X
Hi,
I'm using a FreeRadius setup (V 1.1.3-3 from Debian etch) with the MySQL
Backend for authorize and accounting. RADIUS packets are coming from
another company, which /probably/ has a Proxy for their delivery front-end
servers.
This setup usually works fine, but on some days I see
hi,
recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS
and now the radius.log doesn't get populated with any
OK or FAIL messages when users log in.
config log{} section as per the standard distro and unchanged
from the 2.0.4 - which logged these things
auth = yes in the log{} section
[EMAIL PROTECTED] wrote:
hi,
recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS
and now the radius.log doesn't get populated with any
OK or FAIL messages when users log in.
config log{} section as per the standard distro and unchanged
from the 2.0.4 - which logged these things
auth =
[EMAIL PROTECTED] wrote:
recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS
and now the radius.log doesn't get populated with any
OK or FAIL messages when users log in.
Which messages?
config log{} section as per the standard distro and unchanged
from the 2.0.4 - which logged these
Hi,
Which messages?
the old classic:
Thu May 1 05:23:50 2008 : Auth: Login incorrect (rlm_pap: CLEAR TEXT password
check failed): [nagios-2] (from client server1 port 0)
Thu May 1 08:12:52 2008 : Auth: Login OK: [nagiostest] (from client amon port
0)
Thu May 1 08:15:51 2008 : Auth:
hi,
further to last message, users would choose to log the auths in radius.log
but don't want to log good passwords or bad passwords... have submitted
a 'bug' to handle the DIFF
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I don't want the module saneusername to be executed, when the username
either
contains HOST or ends with .net or contains @.
Therefore in 2.0.4 I have this code in sites-available/default:
authorize {
if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/ ||
%{User-Name} =~ /@/ ))
Hey Tuc,
Regarding your issue, check the radiusd.conf file, in the modules{} section
for
the pap module settings, you probably have it set to encryption_scheme =
crypt, if so, change it to clear.
No, it's the standard:
pap {
auto_header = no
}
Nope, no wireless involved.
Good thought though! :)
//anders
- Original Message -
From: Marinko Tarlac [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Sunday, May 11, 2008 4:01:57 PM GMT +00:00 GMT Britain, Ireland, Portugal
Subject: Re:
Hi,
Hey Tuc,
Regarding your issue, check the radiusd.conf file, in the modules{}
section
for
the pap module settings, you probably have it set to encryption_scheme =
crypt, if so, change it to clear.
No, it's the standard:
pap {
Tuc at T-B-O-H.NET wrote:
No, it's the standard:
pap {
auto_header = no
}
It looks like you have something else in the system adding a
Crypt-Password for the user... before the SQL module is called. Check
the unix module. It WILL say
Hi,
Hey Tuc,
Regarding your issue, check the radiusd.conf file, in the modules{} section
for
the pap module settings, you probably have it set to encryption_scheme =
crypt, if so, change it to clear.
No, it's the standard:
pap {
auto_header = no
Tuc at T-B-O-H.NET wrote:
No, it's the standard:
pap {
auto_header = no
}
It looks like you have something else in the system adding a
Crypt-Password for the user... before the SQL module is called. Check
the unix module. It WILL say something in
Hi,
Nope, no wireless involved.
Good thought though! :)
it's not doing DNS lookups each time, is it?
alan
Norbert Wegener wrote:
I don't want the module saneusername to be executed, when the username
either
contains HOST or ends with .net or contains @.
Therefore in 2.0.4 I have this code in sites-available/default:
authorize {
if (!( %{User-Name} =~ /HOST/ || %{User-Name} =~ /.net/
Hello everyone,
I am using freeradius to have my wifi network use my LDAP credentials for
authentication. However, Windows has this glorious default setting that
automatically passes the domain username and password to the radius server
to authenticate for wifi access. While I can easily
I'm trying to use an external php script to authenticate users connecting to an
Access Point.
Protocol used is EAP-TTLS with PAP as inner authentication protocol.
The relevant parts of the config file I use are:
** radiusd.conf *
modules {
pap {
Hi,
Hello everyone,
I am using freeradius to have my wifi network use my LDAP credentials for
authentication. However, Windows has this glorious default setting that
automatically passes the domain username and password to the radius server
to authenticate for wifi access. While I
Hi,
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
Hi,
you're not authorising the user. there's nothing to allow them access in
the authorise section.
modcall: entering group authorize for request 9
modcall[authorize]: module preprocess returns ok for request 9
rlm_realm: No '@' in User-Name = testa, looking up realm NULL
rlm_realm:
Hi,
+- entering group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = tuc, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing
Isn't pap in authorize section there to do the job?
How can I authorize ANY user so that they will be authenticated by the php
script?
Bye
Dario Maccari
Hi,
you're not authorising the user. there's nothing to allow them access in
the authorise section.
Hmm.. I *am* referencing the radius server with FQDN ... Lemme flip that switch
and see what I get to play with ...
Good catch .. It's letting me ship some more packets through per second.. no
final figures yet, but starting to hit 5k pkts/sec, though the radius server is
still not sweating
- Original Message -
From: [EMAIL PROTECTED]
Sent: 11:10 am
To: FreeRadius users mailing list
Subject: Re: stripping domain from username (for wifi authentication on
Windows XP)
Hi,
Hello everyone,
I am using freeradius to have my wifi network use my LDAP
Doug Hardie [EMAIL PROTECTED] wrote:
Why? What's so problematic about the Access-Rejects?
Because the NAS will not switch over to the alternate radius server
which is probably working properly.
Ok... so does the proxying server mark *all* home servers as dead?
The problem is that
Hi,
Hmm.. I *am* referencing the radius server with FQDN ... Lemme flip that
switch and see what I get to play with ...
Good catch .. It's letting me ship some more packets through per second.. no
final figures yet, but starting to hit 5k pkts/sec, though the radius server
is still not
Hi Everyone,
I installed the Freeradius 2.0.4 as Mr. Alan DeKok had suggested
I browse www.freeradius.org and run below command.
#cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
nothing happen and return to #
#cvs -d :pserver:[EMAIL PROTECTED]:/source checkout radiusd
then
Hi,
I installed the Freeradius 2.0.4 as Mr. Alan DeKok had suggested
I browse www.freeradius.org and run below command.
#cvs -d :pserver:[EMAIL PROTECTED]:/source login
CVS password: anoncvs
nothing happen and return to #
'nothing' should happen as all you've done is log into a CVS session
Hi,
I think that I have a similar problem when freeradius has to send
Access-Accept with multiple Cisco-AVPair=ssid=... entries. Do you think it
will be fixed in the near future ?
Thanks.
Konstantin
_
Konstantin KABASSANOV
FreeRadius users mailing list freeradius-users@lists.freeradius.org
writes:
I must be missing something here, likely due to my limited experience
with
FreeRADIUS.
No, all you have to do is to be able to read. With care and understanding.
OK, I'll Re-read again.
After re-reading the
Terry Pelley wrote:
As I said before, the only example of using a huntgroup I can see in the
users file does not list a password attribute at all.
Because the huntgroups file isn't about setting the password. i.e.
it doesn't *do* that. It's not *supposed* to do that.
Is the use of a
Joakim Bentholm wrote:
Anyone who knows if and where the patch mentioned above can be. I found
this discussion thread, but I do not know where and how to find the
patch, if available. This would solve our problem with an unresponsive
user resource management server accessed through a
Kwok Sianbin wrote:
...
got some errors
btool: install: error: cannot install rlm_acctlog.la to a directory
not ending in /usr/local/lib/lib
In 10 years of fighting libtool, I have *never* seen this error. I
have no idea what this means.
Alan DeKok.
Ryan Pugatch wrote:
...
Thanks for the response. I'm using 1.1.x. Currently, I have ldap
filter defined as:
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
I have enabled with_ntdomain_hack on preprocess.
Don't.
Use: filter =
- Original Message -
From: Alan DeKok
Sent: 02:32 pm
To: FreeRadius users mailing list
Subject: Re: stripping domain from username (for wifi authentication on
Windows XP)
Ryan Pugatch wrote:
...
Thanks for the response. I'm using 1.1.x. Currently, I have ldap
filter
If you have generated SSL certificates on Debian or Ubuntu since 2006,
you should seriously consider re-creating them.
http://lists.debian.org/debian-security-announce/2008/msg00152.html
https://lists.ubuntu.com/archives/ubuntu-security-announce/2008-May/000705.html
This applies to SSH
How difficult can it be to follow clearly written instructions?
As I said before, the only example of using a huntgroup I can see in the
users file does not list a password attribute at all. so assuming that I
should set the attribute to either CHAP-Password ==password or
Cleartext-Password ==
Hi,
Kwok Sianbin wrote:
...
got some errors
btool: install: error: cannot install rlm_acctlog.la to a directory
not ending in /usr/local/lib/lib
In 10 years of fighting libtool, I have *never* seen this error. I
have no idea what this means.
hi,
thank you Alan for your responsible reporting of this issue,
as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL
anyone on any platform with a weak key method needs to know
this issue.
I note that various OpenSSL-using tools are being updated to detect
such weak keys - eg
[EMAIL PROTECTED] wrote:
thank you Alan for your responsible reporting of this issue,
as anyone using FreeRADIUS with EAP-TLS etc will be using OpenSSL
anyone on any platform with a weak key method needs to know
this issue.
I've updated the main web page, too.
I note that various
Hi,
I have a setup with freeradius where it is launching an external script to
authenticate users.
When doing PAP authentication against the radius server I receive the
%{User-Password} and pass it to my script.
However when using a cisco wireless lan controller it seems not to pass
Hello,
Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if
there is a way to allow all users in the authorize section of radiusd.conf
(without doing ldap requests) and make the ldap request only in the
authenticate section. It is useful for instance to avoid multiple ldap
I'm attempting to have multiple realms use individual mysql tables in order to
separate the usernames. I've read how to get multiple sql instances going, but
how do I tell which realm to use which sql instance?
hi,
incorrect shared secret between FR server and WLC?
alan
thanks alan, much appreciated.
I think you may be right. It's just strange the FR server doesn't mention
this - or would it not know and only the radius client know this?
thanks again,
On Tue, May 13, 2008 at 10:02 PM, [EMAIL PROTECTED] wrote:
hi,
incorrect shared secret between FR server and
Hello
Fedora core 5
rpm -Uvh freeradius-client-1.1.6-0.i386.rpm
/var/tmp/rpm-tmp.72946: line 1: fg: no job control
error: %post(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1
rpm -e freeradius-client
/var/tmp/rpm-tmp.45576: line 1: fg: no job control
error:
There is an Unprintable characters ... warning about the potential
shared secret mismatch in the debug.
Ivan Kalik
Kalik Informatika ISP
On 13/5/2008, niall el-assaad [EMAIL PROTECTED] writes:
thanks alan, much appreciated.
I think you may be right. It's just strange the FR server doesn't
Thanks Ivan,
I don't have this message in the debug output, is this possibly because I'm
running an external script? Or is there a chance that it's not a mismatched
secret?
thanks,
2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
There is an Unprintable characters ... warning about the potential
shared
Create multiple sql instances. Create Autz-Type entry for each in
authorize section. Then add something like this in users file.
DEFAULT Realm == whatever, Autz-Type = sqlwhatever
This is much simpler with unlang in 2.0 (no Autz-Type entries needed,
just a switch block in authorize).
Ivan
Yes. List ldap only in inner-tunnel.
Ivan Kalik
Kalik Informatika ISP
On 13/5/2008, Konstantin KABASSANOV [EMAIL PROTECTED]
writes:
Hello,
Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if
there is a way to allow all users in the authorize section of radiusd.conf
Are you using -X (capital X) or something else?
Ivan Kalik
Kalik Informatika ISP
On 13/5/2008, niall el-assaad [EMAIL PROTECTED] writes:
Thanks Ivan,
I don't have this message in the debug output, is this possibly because I'm
running an external script? Or is there a chance that it's not a
Yes capital X as in -X
thanks,
2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
Are you using -X (capital X) or something else?
Ivan Kalik
Kalik Informatika ISP
On 13/5/2008, niall el-assaad [EMAIL PROTECTED] writes:
Thanks Ivan,
I don't have this message in the debug output, is this possibly
freeradius version?
Ivan Kalik
Kalik Informatika ISP
On 14/5/2008, niall el-assaad [EMAIL PROTECTED] writes:
Yes capital X as in -X
thanks,
2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
Are you using -X (capital X) or something else?
Ivan Kalik
Kalik Informatika ISP
On 13/5/2008, niall
It's 1.1.7 (actually 1.1.7-3.1.fc6)
thanks,
2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
freeradius version?
Ivan Kalik
Kalik Informatika ISP
On 14/5/2008, niall el-assaad [EMAIL PROTECTED] writes:
Yes capital X as in -X
thanks,
2008/5/14 Ivan Kalik [EMAIL PROTECTED]:
Are you using -X
Hello
Fedora core 5
rpm -Uvh freeradius-client-1.1.6-0.i386.rpm
/var/tmp/rpm-tmp.72946: line 1: fg: no job control
error: %post(freeradius-client-1.1.6-0.i386) scriptlet failed, exit status 1
rpm -e freeradius-client
/var/tmp/rpm-tmp.45576: line 1: fg: no job control
error:
Konstantin KABASSANOV wrote:
Using PEAP/mschapv2 with openldap through freeradius, I'd like to know if
there is a way to allow all users in the authorize section of radiusd.conf
(without doing ldap requests) and make the ldap request only in the
authenticate section. It is useful for instance
Brad Furst wrote:
I'm attempting to have multiple realms use individual mysql tables in
order to separate the usernames. I've read how to get multiple sql
instances going, but how do I tell which realm to use which sql instance?
I'm actually doing this in 2.0 without using multiple SQL
Hi all,
I am trying to do MAC insertion during post authentication section
with the help of freeradius. Like during authentication section it will
check in mysql database for MAC use option. If MAC use= 1 then if the
user is login for the first time then grab the mac address from the
login