need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Klaus Laus
Hello, I have one question, is it possible to configure my freeradius server so that only clients with a ca certificate can login themselves with their username and password? I want to configure my freeradius server so that the users can only login after the successfully server certificate

Echo Effect Help

2010-09-15 Thread Deepak
Hi, I don't know how to explain this problem. Sounds completely crazy. I have a freeRADIUS 2.1.7 (in CentOS 5.5) setup with MySQL backend to be used with dd-wrt chilli. I have tested in three separate lines, exchanging the location of radius and chilli, but in one particular line I found out that

Re: detail logging not right with IPv6 clients

2010-09-15 Thread Alan DeKok
Alan Buxey wrote: [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct//auth-detail-20100914 [reply_log] /var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius/radacct//reply-detail-20100914

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Alan DeKok
Klaus Laus wrote: Hello, I have one question, is it possible to configure my freeradius server so that only clients with a ca certificate can login themselves with their username and password? I want to configure my freeradius server so that the users can only login after the successfully

Re: Echo Effect Help

2010-09-15 Thread Alan DeKok
Deepak wrote: When radius is put in that particular line, it doesn't respond to the request from chilli on one particular line of the other two lines. For Example: If radius is in Line 1, it processes the request from Line 2 but completely ignores from Line 3. By line I mean three separate DSL

Re: FreeRadius crashed on loading test.

2010-09-15 Thread Alan DeKok
Konstantin Chekushin wrote: Good day. I want to continue Dinh Pham Cong topic ((FreeRadius crashed on accounting load tests with 1000 concurrent clients - Tue, 10 Nov 2009 01:39:30 -0800 )) I use freeradius 2.1.9 Linux myhost 2.6.26-2-amd64 Some info from radiusd.conf : sigh This

unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS
Hi, We use freeradius to assign users to a vlan. The default settings reject users in case of a request from an unidentified user. Instead of this we would like to assign him to a specific vlan. I don't find information about how to do this. Any pointer or

Re: unidentified users and vlan assignment

2010-09-15 Thread Phil Mayers
On 15/09/10 10:02, Fabien COMBERNOUS wrote: Hi, We use freeradius to assign users to a vlan. The default settings reject users in case of a request from an unidentified user. Instead of this we would like to assign him to a specific vlan. I don't find information about how to do this.

Re: which samba version / patch for Active Directory 2008

2010-09-15 Thread Neil Prockter
Hello Alan, Thanks for that it does seem my setup works. I've added winbind use default domain = yes to my smb.conf which now reads [global] workgroup = DOMAIN realm = DOMAIN.AC.UK server string = Samba Server Version %v security = ADS password server =

Policy Based on NAS IP address

2010-09-15 Thread Nasser Heidari
Hi, Is it possible to apply special policy based on NAS IP Address, for example I want to check originating ip address for special NAS or set IP Address pool for the other NAS . Thanks in advance - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: detail logging not right with IPv6 clients

2010-09-15 Thread Alan Buxey
Hi, Use: %{%{Packet-Src-IP-Address}:-%{Packet-Src-IPv6-Address}} That should work. Or: %{%{client:ipaddr}:-%{client:ipv6addr}} thanks, I guess this change can be made to the 2.1.10 default config? this issue also affects the acct_unique module too: acct_unique {

Re: FreeRadius crashed on loading test.

2010-09-15 Thread Konstantin Chekushin
Quoting *Alan DeKok al...@deployingradius.com*: Konstantin Chekushin wrote: I've started ./radius -xxx -f radius? Not radiusd? And why not radiusd -X as documented *everywhere* ? -X = -sfxx -l stdout . But, I didn't wanted single mode for my loading test. So I used ./radiusd

Re: Echo Effect Help

2010-09-15 Thread Deepak
Blame the NAS. As I said before sounds crazy.. Most probably NAS is to blame. Thanks Deepak

Re: Policy Based on NAS IP address

2010-09-15 Thread Konstantin Chekushin
for example: server exampe_acct { listen { type = acct ipaddr = *

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS
Thank you Phil for your answer. On 15/09/2010 11:09, Phil Mayers wrote: Are you using 802.1x or macauth? If you are sending an access-reject, you can't assign a vlan. Reject means "give no service". You either need to send an accept

Re: which samba version / patch for Active Directory 2008

2010-09-15 Thread Alan Buxey
Hi, Thanks for that it does seem my setup works. I've added winbind use default domain = yes to my smb.conf which now reads [global] workgroup = DOMAIN realm = DOMAIN.AC.UK server string = Samba Server Version %v security = ADS password server =

Question about radiusclient

2010-09-15 Thread Ali Majdzadeh
Hello All, In the radiusclient configuration file there is an option called auth_order which accepts two values (local, radius). If we set this option as follows: auth_order radius,local doesn't it mean that if the authentication fails using RADIUS it should be performed using the /etc/passwd

Re: need help - force EAP-TTLS to validate the server certificate

2010-09-15 Thread Klaus Laus
Thanks a lot Alan DeKok, do I have any possibility to permit login only to persons with username/password and client certificate? All authentication methods work fine on my server, but I'll only permit login with username/password and client certificate. Which code do I need to set in

Re: unidentified users and vlan assignment

2010-09-15 Thread Phil Mayers
On 15/09/10 12:30, Fabien COMBERNOUS wrote: Thank you Phil for your answer. On 15/09/2010 11:09, Phil Mayers wrote: Are you using 802.1x or macauth? If you are sending an access-reject, you can't assign a vlan. Reject means give no service. You either need to send an accept with a vlan, or

NAS type with NAS defined in SQL (FR 2.1.6)

2010-09-15 Thread John Doppke
I've tried dozens of ways but I can't figure out how to get the NAS type for clients defined in MySQL. The column is populated, the query has the correct fields matching the source code for the module. The module appears to populate the address, shortname, nastype, secret and virtual server.

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS
My sql module (we use an sql backend) returns notfound. I tried to add the following at the end of the authorize section. On 15/09/2010 16:30, Phil Mayers wrote: if (notfound) { update reply { Tunnel-Private-Group-Id = 1234

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS
We use a sql backend. Just after my sql module (in the authorise section) I added the following block. if (notfound) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-ID := 42 }

Error: Discarding duplicate request...

2010-09-15 Thread Mike Diggins
Our students have returned this week, and I've noticed a couple new messages logged to my FreeRadius 2.1.3 server. When it happens, my controllers fail over to the secondary Radius server. This has happened a few times. My Radius servers are only lightly loaded, and only configured to do

Re: unidentified users and vlan assignment

2010-09-15 Thread Phil Mayers
On 15/09/10 16:13, Fabien COMBERNOUS wrote: We use a sql backend. Just after my sql module (in the authorise section) I added the following block. if (notfound) { update reply { Tunnel-Type := 13 Tunnel-Medium-Type := 6 Tunnel-Private-Group-ID := 42 } } When a user is unknown, the sql

Re: Error: Discarding duplicate request...

2010-09-15 Thread Phil Mayers
On 15/09/10 16:20, Mike Diggins wrote: Our students have returned this week, and I've noticed a couple new messages logged to my FreeRadius 2.1.3 server. When it happens, my controllers fail over to the secondary Radius server. This has happened a few times. My Radius servers are only lightly

Re: Error: Discarding duplicate request...

2010-09-15 Thread Alan Buxey
2.1.3 is very old now, 2.1.9 is current and has many fixes over that - check its changelog .. this error message suggests that you've got a slow backend somewhere - be that ldap, sql or even a bit of perl - Reply message - From: Mike Diggins mike.digg...@mcmaster.ca Date: Wed, Sep 15,

Re: NAS type with NAS defined in SQL (FR 2.1.6)

2010-09-15 Thread Alan DeKok
John Doppke wrote: I've tried dozens of ways but I can't figure out how to get the NAS type for clients defined in MySQL. The column is populated, the query has the correct fields matching the source code for the module. The module appears to populate the address, shortname, nastype,

Re: unidentified users and vlan assignment

2010-09-15 Thread Fabien COMBERNOUS
On 15/09/2010 17:29, Phil Mayers wrote: Please post the full debugging output. +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting 'Auth-Type := CHAP' ++[chap] returns ok ++[mschap] returns noop [suffix]

Re: unidentified users and vlan assignment

2010-09-15 Thread Phil Mayers
On 15/09/10 16:49, Fabien COMBERNOUS wrote: On 15/09/2010 17:29, Phil Mayers wrote: Please post the full debugging output. Sigh. This is not the full debugging output. You're making it hard to help you. +- entering group authorize {...} ++[preprocess] returns ok [chap] Setting

freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread schilling
Hi, We are thinking of authenticating users via 802.1x/mschapv2 with freeradius, samba and Active Directory. Is the following a good redundancy design? If not, which one is better? radius1 1.1.1.1, radius2 2.2.2.2 Active Directory Domain Controllers 3.3.3.3 4.4.4.4 put 1.1.1.1 and 2.2.2.2 as

Radiusd.conf

2010-09-15 Thread Samuel Isaias Barriga Perez
Hello, I have a question: I want to configure the radiusd.conf. Here is my problem: there are two radiusd.conf in different paths, /usr/local/etc/raddb/radiusd.conf and /root/freeradius-server-2.1.9/raddb/radiusd.conf. Which configuration file should I use... is there a manual to configure this

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread Kevin Ehlers
On 9/15/10 11:07 AM, schilling wrote: For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? Just a note on this, you can get a single certificate with SANs (Subject

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread Alan Buxey
Hi, seems okay For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? you can use the same server certificate - so that the clients recognise them as the same - important if there is to be any failover have

Re: Radiusd.conf

2010-09-15 Thread Alan Buxey
Hi, Hello, I have a question: I want to configure the radiusd.conf. Here is my problem: there are two radiusd.conf in different paths, /usr/local/etc/raddb/radiusd.conf and /root/freeradius-server-2.1.9/raddb/radiusd.conf. Which configuration file should I use... is there a manual to

Re: Radiusd.conf

2010-09-15 Thread Nicolas Goutte
On 15.09.2010 at 20:10, Samuel Isaias Barriga Perez wrote: Hello, I have a question: I want to configure the radiusd.conf. Here is my problem: there are two radiusd.conf in different paths, /usr/local/etc/raddb/radiusd.conf and /root/freeradius-server-2.1.9/raddb/radiusd.conf. Which

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread John Dennis
On 09/15/2010 02:07 PM, schilling wrote: For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? yes, certificates bind a subject to a public key, in this case the subject is the ip address of your radius server.

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread John Dennis
On 09/15/2010 02:21 PM, Alan Buxey wrote: Hi, seems okay For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? you can use the same server certificate - so that the clients recognise them as the same -

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread James J J Hooper
On 15/09/2010 19:43, John Dennis wrote: On 09/15/2010 02:21 PM, Alan Buxey wrote: Hi, seems okay For certificate, do we need a server certificate for both radius1 and radius2 if we want supplicant to verify the server certificate? you can use the same server certificate - so that the

Re: freeradius, samba, AD peap/mschap-v2 redundancy and Certificate

2010-09-15 Thread Alan Buxey
Hi, Depends upon how aggressive the client is about validating the cert. The libraries I'm familiar with will take the CN of the subject do a DNS lookup and see if it matches the ip address on the socket. In which case I wouldn't expect the above to work. ...tell me how exactly a host is

Connecting the dots.

2010-09-15 Thread Lance Haig
Hi, We have implemented a freeradius server on ubuntu 10.04 connecting to AD on windows 2003 to allow our users to auth against for wireless access. This morning it all broke. And we don’t know why. So I started looking to build a new server to fault find. I am trying to find some

Re: Connecting the dots.

2010-09-15 Thread Kenneth Marshall
Many times this is caused by a software update to the system. To figure out where the problem lies, you will need to follow the very well documented procedure for debugging freeradius if you do not have logs of what was updated on the system so you can rollback the update(s). Cheers, Ken On Wed,

Re: Connecting the dots.

2010-09-15 Thread C.J. Adams-Collier KF7BMP
I've found keeping config file history using RCS or git to be very useful. It's saved me a bunch of headaches with bind, apache, sendmail and freeradius. If you'd like some tips, I'm happy to oblige either on-list or off, depending on whether the regulars consider it OT. Cheers, C.J. On

Re: Connecting the dots.

2010-09-15 Thread Alan Buxey
Hi, We have implemented a freeradius server on ubuntu 10.04 connecting to AD on windows 2003 to allow our users to auth against for wireless access. This morning it all broke. And we don’t know why. okay. a not so wild stab in the dark. yesterday or day before a SAMBA security issue was

Re: problems with dynamic vlan assignment

2010-09-15 Thread Alan Buxey
Hi, vlan assignment based on vlan. here what i have in my users file DEFAULT User-Category == student Reply-Message = Your a member of the student Group, Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-Id = 902,

Re: problems with dynamic vlan assignment

2010-09-15 Thread Alexander Clouter
Eric Doutreleau eric.doutrel...@it-sudparis.eu wrote: i m using freeradius 2.1.9 and i have some problems with making dynamic vlan assignment based on vlan. here what i have in my users file DEFAULT User-Category == student Reply-Message = Your a member of the student Group,

RE: a lot of memory inuse

2010-09-15 Thread Strong, Mark
Hi Mark, * You haven't told us how much a lot of memory is. From top radiusd 16 0 218m 126m 1560 S 0.0 50.7 40:39.86 radiusd * Upgrade to 2.1.10 (release imminent) Going to give 2.1.9 a go * All I can offer is a comparison based on probably totally different

Certificates

2010-09-15 Thread freeradius
I'm tinkering with my VPN setup using FreeRadius and AD, and getting Not possible to verify the identity of the server. Some googling shows that message can be related to certificates. Some digging through the FreeRadius docs came up with: If FreeRADIUS was configured to use OpenSSL,