Joao Miguel Ferreira wrote:
Hello all,
I'm a bit confused here.
1)
is it possible for a freeradius setup,
running on a NAS system, via some authentication module,
determine the
Phil Mayers wrote:
We're bringing a Cisco (formerly Airespace) lightweight wireless system
online, and I'm seeing some odd things in the accounting.
Specifically, the usernames can change in the accounting packets. This
causes the default SQL queries (at least, the ones for Postgres under
Bill Farina wrote:
Here's the scenario, I have a Linksys WRT54GS running DD-WRT RC5 which
is fully configured for Radius. I have a small FreeBSD server running
FreeRadius-1.1.7_2. HTTPD (or Apache) has not been installed on the
system and in its current configuration would be difficult to
So when the user logs in I have two queries inserting similar data with different
sessions ids:
47B7691A2F4300 and 47B7691A2F4301
I would really appreciate some guidance from this point on as I'm pretty much
out of ideas.
Your NAS is broken / misbehaving. It sends the Acct-Session-Id and it's
Santiago Balaguer García wrote:
The answer is not totally correct. Because micro-cuts in the
connectivity of the hotspot cause the hotspot to re-send the acct request.
No, because then the Acct-Session-Id would remain the same.
In that case, you have to deactivate:
- accounting_start_query_alt
Kartik CDS wrote:
Thanks for the response Alan.
But can you please let me know whether it is mentioned in the radius rfc
that the client should validate the source address?
The wording may not be explicit, but aside from radius secrets being
bound to a server IP port, the client-generated
Gong Cheng wrote:
Hi folks,
I am working on an issue like this:
In my users file, I have
user1
attribute1=val1
user2
attribute2=val2
DEFAULT
attribute1=def_val1
attribute2=def_val2
My intention is that
- for individual users, like user1 and user2, I will get
Ivan Kalik wrote:
The phones need to be in a tagged vlan instead of an untagged.
Are you sure about that? You tag VLANs on a trunk port. And that port
will be connected to the upstream device, not your phone.
No, it's quite common for VoIP hardphones to have a passthrough port -
effectively
Agent Smith wrote:
No love man.
Changed the huntgroup definition and also changed the
sites-enabled/SERVER-1760 file to read.
authorize {
files
#auth_log
pap
}
authenticate {
files # I also tried it without files here.
pap
}
You've massively
Alexey Eronko wrote:
Thanks for your reply.
According to this link:
http://deployingradius.com/documents/protocols/compatibility.html.
I need EAP-GTC. I'm not sure that my Proxim AP700 supports this kind of EAP.
APs should not care. All EAP types (that generate crypto keys) should work
Is
ldap a {
add the set_auth_type = yes option to all 3 ldap modules, and probably
call them something more descriptive for reasons which will become clear
below e.g.
modules {
ldap ldap-a {
..
set_auth_type = yes
}
}
authorize {
You can probably do this:
authorize {
All,
I'm moving our legacy switches over to the VMPS support in FreeRadius 2
and I'm aware there are others on the list who have done this.
I'm seeing several different formats of VMPS request. The easy ones
are from older switches e.g. cisco 1900s:
VMPS-Packet-Type = VMPS-Join-Request
Phil Mayers wrote:
All,
I'm moving our legacy switches over to the VMPS support in FreeRadius 2
and I'm aware there are others on the list who have done this.
I'm seeing several different formats of VMPS request. The easy ones
are from older switches e.g. cisco 1900s:
VMPS-Packet-Type
Russell D. Mitchell wrote:
OK, so I changed the line in my users file to the following:
bob Auth-Type := Accept, Cleartext-Password := hello
And it now works, but I don't think this is the right thing to do.
Besides, it was supposed to 'just work'.
/Russ
Russell D. Mitchell wrote:
Phil Mayers wrote:
Russell D. Mitchell wrote:
OK, so I changed the line in my users file to the following:
bob Auth-Type := Accept, Cleartext-Password := hello
And it now works, but I don't think this is the right thing to do.
Besides, it was supposed to 'just work'.
/Russ
Russell D
Russell D. Mitchell wrote:
Well, the tarball is named freeradius-server-2.0.2.tar, and it untars
into a directory named freeradius-server-2.0.2.
As per my other email, I think you have an older version on the system
(probably in /usr/sbin, from an RPM) and need to remove it.
Ivan Kalik wrote:
A: I have a set of master tunnel attributes that I always have to send to
this Telco.
i.e. Service-type, Tunnel-Type, Tunnel-Preference, Tunnel-password,
Tunnel-Server-Endpoint..etc
The way this Telco obtains these attributes is by sending the
Username/Password combination my
Dave wrote:
I cant seem to find the relative documentation or examples, but I want
to have an IP pool pool2 with multiple range-start and range-stop IP
ranges in it, but I'm not sure how to put together the config for it.
Can't be done. You'd need to use sqlippool for that.
Something like
Alan DeKok wrote:
Phil Mayers wrote:
The value of VQP-Error-Code may make a difference; the code in OpenVMPS
seems to work like this:
Do you have some sample unlang config we can add to the server examples?
We're currently using something almost identical to this (minor edits to
remove
Could you please correct me about mac authorization.
In my debug log I see mac authorization request :
rad_recv: Access-Request packet from host 10.10.10.139:6001, id=7,
length=115
User-Name = 00-18-de-4e-8f-1d
User-Password = secret
NAS-IP-Address = x.x.x.139
JB wrote:
I'm sorry, I have to ask again. Have you found a way to let the reply
query know that the user has already been rejected in the check-query?
I'm trying to avoid executing the same queries twice and also to avoid
using temporary tables.
I thought I'd answered this?
What you could
JB wrote:
Phil Mayers:
JB wrote:
I'm sorry, I have to ask again. Have you found a way to let the reply
query know that the user has already been rejected in the
check-query? I'm trying to avoid executing the same queries twice and
also to avoid using temporary tables.
I thought I'd
Was there an RFC that went on to define the proper usage of the Class
attribute, or is its usage still ambiguous?
Ambiguous how? The RFC seems pretty specific to me; the field is NOT to
be interpreted by the NAS, is generated in the Access-Accept and sent in
Accounting-Request - i.e. it's
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user. Authentication
may fail because of this.
modcall[authorize]: module pap returns noop for request 0
The ldap module didn't find a
Mike Richardson wrote:
On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote:
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns ok for request 0
rlm_pap: WARNING! No known good password found for the user.
Authentication may fail because
I was going to knock out a quick concept patch but I see it's not a
trivial patch; before I make the effort to code it I thought I'd check:
It seems useful for the sql module to set the return code to
RLM_MODULE_REJECT if the Auth-Type gets set to reject - the specific use
case I have is an
I've put perl in the authorization section in the
sites-enabled/default directory
I've put Auth-Type perl
{
perl
}
in the authenticate section
And I've put a section of perl module in the modules section in the
William Bulley wrote:
For Windows supplicants, we will use PEAPv0/MS-CHAPv2.
For non-Windows supplicants, we would use EAP/TTLS and
MD5 as the inner method.
I am confused as to how to configure FreeRADIUS 2.0.1
to accomplish this simultaneous behaviour. What causes
me to be confused is this
Vincent Magnin wrote:
Hello Rafael,
It should be possible in Freeradius 2 and using unlang language:
if (User-Name != test-user) {
sql_log
}
In previous versions, you can use Acct-Type:
preacct {
files
}
accounting {
Acct-Type SQL-LOG {
sqllog
}
}
...then in acct_users:
Rashmi Bajaj wrote:
Hi,
I am using the freeradius to receive radius acct logs from another
remote radius server. The purpose is to use the radwho output.
How do I make the radwho output to show all the attributes that it
receives?
Currently the output shows: Login, Name, What, TTY, When, From
Ben Wiechman wrote:
With this it wouldn't be that hard to separate the information for a
specific subscriber or group into a separate log file would it.
Correct.
Assuming that the two log options are appropriately configured:
Fr 2.x
if (User-Name != test-user) {
# will (Group-Name !=
Also the index 'acctsessiontime' is missing for the radacct table in the
default schema; makes the Accounting-On / Accounting-Off queries very
slow doing a table scan on 1.4 million rows... Is this intentional or an
oversight ?
In the postgres schema, there's a conditional compound index
[EMAIL PROTECTED] wrote:
Hi,
Quite. I believe you'll probably run into problems with MyISAM if you've
got a loaded RADIUS server. It's taken around 6 months for serious issues
to occur. We switched over to some new more 'chatty' firmware on our access
points, and that seemed to push it over
++[eap] returns noop
++[expiration] returns noop
++[logintime] returns noop
You've removed the PAP module from the sites-available/default
authorize stanza, so this happens:
auth: No authenticate method (Auth-Type) configuration found for the
Put the pap module back where it was.
[EMAIL PROTECTED] wrote:
Hi,
I am using the following configuration:
O/S: rhel4_u5_i386
Freeradius 1.1.7
Client to test: NTRadPing 1.5
Steps undertaken:
- Installed a fresh system with rhel4_u5_i386
- Build and compile freeradius 1.1.7 on it.
- Update the clients.conf
Alan DeKok wrote:
Phil Mayers wrote:
If your NAS supply Message-Authenticator, you could refuse packets
without one:
Edit the client section and set require_message_authenticator = yes.
Ah thanks - I didn't know about that
The recommendations of RFC 5080 have been implemented
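The check that require_message_authenticator turns on, as an added example in Python (not code from this thread or from FreeRADIUS): it builds an Access-Request with the RFC 2865 User-Password obfuscation and an RFC 2869 Message-Authenticator, then verifies the HMAC-MD5 the way a server must, with the attribute value zeroed. It also shows why the switch matters: without the HMAC, the Request Authenticator is random and unkeyed, so an on-path party can strip the attribute or alter other attributes without anything in the packet detecting it; the shared secret bound to the client address is the only thing tying the request to the NAS. The shared secret, User-Name, NAS-IP-Address and identifier below are constructed values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS code and attribute types used below (RFC 2865 / RFC 2869)
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_MESSAGE_AUTHENTICATOR = 80


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; Length covers the 2-byte header."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 5.2: pad to a 16-byte multiple and XOR each block with
    MD5(secret + previous ciphertext block), seeded with the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block
    return out


def decode_user_password(encoded: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of encode_user_password; the key chain runs over the ciphertext blocks."""
    out, prev = b"", authenticator
    for i in range(0, len(encoded), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(encoded[i:i + 16], key))
        prev = encoded[i:i + 16]
    return out.rstrip(b"\x00")


def iter_attributes(packet: bytes):
    """Yield (type, offset_of_attribute, value) for each attribute after the 20-byte header."""
    pos = 20
    while pos < len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute at offset %d" % pos)
        yield attr_type, pos, packet[pos + 2:pos + length]
        pos += length


def build_access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                         nas_ip: bytes = bytes([192, 0, 2, 10]), authenticator=None) -> bytes:
    """Access-Request with User-Name, User-Password, NAS-IP-Address and a Message-Authenticator:
    HMAC-MD5 keyed with the shared secret over the whole packet with the attribute
    value set to 16 zero octets (RFC 2869 5.14)."""
    if authenticator is None:
        authenticator = os.urandom(16)  # Request Authenticator: random, not keyed
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, encode_user_password(password, secret, authenticator))
             + _attr(ATTR_NAS_IP_ADDRESS, nas_ip)
             + _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16))
    packet = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs)) + authenticator + attrs
    mac = hmac.new(secret, packet, hashlib.md5).digest()
    return packet[:-16] + mac  # Message-Authenticator is the last attribute, so overwrite its value


def verify_message_authenticator(packet: bytes, secret: bytes):
    """True if present and correct, False if present and wrong, None if absent."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        raise ValueError("bad RADIUS length")
    for attr_type, pos, value in iter_attributes(packet):
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if len(value) != 16:
                return False
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, value)
    return None


def accept_request(packet: bytes, secret: bytes, require_message_authenticator: bool) -> bool:
    """The per-client switch: with it off, a request lacking the attribute is still
    processed; with it on, such a request is dropped (a bad HMAC is always dropped)."""
    result = verify_message_authenticator(packet, secret)
    if result is None:
        return not require_message_authenticator
    return result


def strip_message_authenticator(packet: bytes) -> bytes:
    """What an on-path party can do when the HMAC is not required: remove the
    attribute and fix up Length. Nothing else in an Access-Request is keyed."""
    body = b"".join(packet[pos:pos + 2 + len(value)]
                    for attr_type, pos, value in iter_attributes(packet)
                    if attr_type != ATTR_MESSAGE_AUTHENTICATOR)
    header = packet[:20]
    return header[:2] + struct.pack("!H", 20 + len(body)) + header[4:] + body
```

Run against a request built with build_access_request: the HMAC verifies with the right secret, fails for a wrong secret or for any flipped bit elsewhere in the packet, and a stripped copy is accepted only when require_message_authenticator is off. EAP requests always carry the attribute (RFC 3579 requires it), so the setting costs nothing for 802.1X clients and only needs care for older PAP/CHAP-only NAS equipment.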
Arran Cudbard-Bell wrote:
Hi All,
I know this isn't strictly a FreeRADIUS issue but many of the users of
the list are involved in academia and so may have come across this with
their linux users.
wpa_Supplicant appears to work fine on wireless networks, but on wired
networks it attempts to
Somebody please tell me where I should be looking to make this work
correctly.
It doesn't work because the PAP module isn't doing anything. The PAP
module *should* be taking the crypt'd password, and doing something
useful with it. (See man rlm_pap)
I don't have a copy of 2.0.3 handy,
First things first - can I clarify that your goal is to have users,
using EAP TTLS/PAP, authenticating against LDAP entries. The LDAP
entries are of the form:
dn: cn=j_doe,ou=...
cn: j_doe
userPassword: {SSHA}bhjqewhtqothethwe==
Correct?
Looking at the first LDAP debug you show, we see:
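What rlm_pap needs from the LDAP entry above, as an added example in Python (not code from this thread or from FreeRADIUS): the ldap module has to copy userPassword into the request's control items and pap then needs a hash scheme it understands, otherwise it logs "No known good password found" and returns noop, which is the debug output quoted earlier on this page. The block verifies a cleartext candidate (what EAP-TTLS/PAP delivers inside the tunnel) against the RFC 2307-style {SSHA}, {SMD5}, {SHA}, {MD5} and plain schemes. The dn, cn and salts are constructed; the real rlm_pap also handles crypt, NT and LM hashes. Note that none of these LDAP hashes can serve MS-CHAPv2 (PEAPv0), which needs an NT-Password, so a site mixing PEAP and TTLS/PAP clients needs both representations stored.

```python
import base64
import hashlib
import hmac
import os


def make_userpassword(password: bytes, scheme: str = "SSHA", salt=None) -> str:
    """Produce an LDAP userPassword value in one of the common {SCHEME}base64 forms."""
    scheme = scheme.upper()
    if salt is None:
        salt = os.urandom(8)
    if scheme == "SSHA":
        return "{SSHA}" + base64.b64encode(hashlib.sha1(password + salt).digest() + salt).decode()
    if scheme == "SMD5":
        return "{SMD5}" + base64.b64encode(hashlib.md5(password + salt).digest() + salt).decode()
    if scheme == "SHA":
        return "{SHA}" + base64.b64encode(hashlib.sha1(password).digest()).decode()
    if scheme == "MD5":
        return "{MD5}" + base64.b64encode(hashlib.md5(password).digest()).decode()
    raise ValueError("unsupported scheme %s" % scheme)


def check_userpassword(stored: str, candidate: bytes):
    """Compare a cleartext candidate with a stored userPassword.
    True/False when the scheme is understood; None when it is not, which is
    the analogue of rlm_pap's 'No known good password found' warning."""
    if not stored.startswith("{"):
        return hmac.compare_digest(stored.encode(), candidate)  # cleartext userPassword
    scheme, sep, data = stored[1:].partition("}")
    if not sep:
        return None
    scheme = scheme.upper()
    try:
        raw = base64.b64decode(data, validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    if scheme in ("SSHA", "SMD5"):
        h = hashlib.sha1 if scheme == "SSHA" else hashlib.md5
        size = h().digest_size
        digest, salt = raw[:size], raw[size:]   # salt is appended after the digest
        return hmac.compare_digest(h(candidate + salt).digest(), digest)
    if scheme in ("SHA", "MD5"):
        h = hashlib.sha1 if scheme == "SHA" else hashlib.md5
        return hmac.compare_digest(h(candidate).digest(), raw)
    return None  # {CRYPT}, {PBKDF2}, ... would need their own handlers


def pap_authenticate(ldap_entry: dict, candidate: bytes) -> str:
    """Mirror of the authorize/authenticate split for TTLS/PAP against LDAP:
    returns 'accept', 'reject', or 'noop' when pap has nothing usable to compare."""
    stored = ldap_entry.get("userPassword")
    if stored is None:
        return "noop"  # ldap returned ok but supplied no password: pap can do nothing
    result = check_userpassword(stored, candidate)
    if result is None:
        return "noop"
    return "accept" if result else "reject"
```

The noop path is the one to watch in debug output: ldap returning ok tells you only that the bind and search worked, not that a usable password reached pap.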
[EMAIL PROTECTED] wrote:
My setup is as follows and I am trying to do WPA2 EAP-TLS authentication
on an Apple Airport WLAN:
Fedora 8
Freeradius (192.168.1.26)
Airport Express (192.168.1.23) - WPA2
No it is not:
I do not seem to be seeing eap messages in debug mode. Would
appreciate
rsg wrote:
Hi,
SQLIPPOOL requires, maintenance of an IP address table carrying individual IPs
Is there a way to handle IP prefixes (prefix/range format) so that
large networks having many different networks could maintain and utilize
this effectively?
Sure; write an allocate-find SQL query
bmccorkle wrote:
Ok, that info helped me out but not all the way. I created another virtual
server 'vmps' in the sites available folder and linked the file to
sites-enabled. I got this code off of another post here that uses a sql
db...
vmps {
# the mac address can be in several places...
rsg wrote:
Hi,
Can you provide me with some more info to proceed with this?
There's no need to email me directly; I read the list.
I'm not quite sure of how to do it with allocate-find.
Neither am I. It was a general suggestion.
Personally I wouldn't do it that way; I'd just insert the
server vmps {
... stuff
vmps {
... stuff
mac2vlan.authorize
If (!ok) {
update reply {
VMPS-VLAN-Name = Public
}
}
}
}
If is wrong - it should be if
Marco Gaiarin wrote:
[i'm not subscribed to this list, so, please, put me on CC]
I've just setup a 'test installation' of freeradius in a debian etch
box (using freeradius with 1.1.3 recompiled by me to support EAP-TLS).
Upgrade to 1.1.7 at least
In my environments there's always an LDAP
On users file, last line say:
# On no match, the user is denied access.
In the default config, that's correct, since the default config says:
authorize {
preprocess
chap
mschap
suffix
eap
files
pap
}
i.e. files is the only
Basically, this works in hints:
DEFAULT NAS-Port-Id =~ (.+):(.+), NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ (.+):(.+)
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Jakob Hirsch wrote:
Quoting Phil Mayers:
Basically, this works in hints:
DEFAULT NAS-Port-Id =~ (.+):(.+), NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ (.+):(.+)
NAS-Port
Jos Vos wrote:
On Sun, Apr 06, 2008 at 08:06:40PM +0100, Phil Mayers wrote:
I can see two options, neither very pleasant :o(
1. For the short term distributions (Fedora, Ubuntu), volunteer to be
a packager. In principle I could do this for Fedora; in practice I have
no time or patience
Lemaster, Rob wrote:
Does FreeRADIUS have a functionality that allows the administrator to debug
RADIUS requests and responses? Something that will show the request and
response with attributes, etc..
This is well documented, please read the docs before asking basic questions.
e.g. man
Lemaster, Rob wrote:
Can FreeRADIUS be integrated into Windows Active Directory for user
Yes. A google search for freeradius active directory shows many results.
credentials and privelige based on Active Directory group? What is
the best way to integrate FreeRADIUS into Windows Active
Charlie B wrote:
Has no one else experienced this issue where reset password confuses
WinXP? I really don't want to use IAS. Anyone ideas?
Let me get this straight: You have machines in the domain, users doing
domain logins, and wired 802.1x using the domain credentials. When you
change a
[EMAIL PROTECTED] wrote:
We'd like to setup the following:
A workstation is booted, the supplicant asks for the credentials, the cisco
switch passes the credentials to a freeradius server, freeradius authenticates the user to an
edirectory ldap server, freeradius decides which
Andrew Hood wrote:
Alan DeKok wrote:
Andrew Hood wrote:
I know good style says newbies should lurk before posting, but anyway:
Is freeradius supposed to be C89?
It's supposed to be as portable as possible.
src/modules/rlm_eap/types/rlm_eap_tnc/eap_tnc.c
Is full of C++ comments and
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping and crypt-passwd:
mysql-db
unzinn| NT-Password| := | 7C53CFA5EA7D0F9B3B968AA0FB51A3F5
unzinn| crypt-password | == |
Hans Bornemann wrote:
Hi,
did you mean the operator for the huntgroups?
No. Crypt-Password
hans
On Thu, 2008-04-10 at 10:29 +0100, Phil Mayers wrote:
Hans Bornemann wrote:
Hi,
I have a problem with huntgroups and wpa2. It concerns the following:
First, huntgroups works with ntradping
Cristian Novac wrote:
Could someone please take a look at the attached log file and give me a
hint about how to solve the problem.
The log file tells you how to solve the problem:
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man
Shane McKinley wrote:
No one has any ideas or suggestions? If I can solve this issue I will
have a 'perfect' freeradius installation. And FYI I upgraded my server
to a dual core with 2GB of RAM and still the same issue resides.
If the radius server doesn't receive the packets, it doesn't matter
sub wrote:
Hello everybody,
I simply and correctly setup my ubuntu linux box to use freeradius
authentication; actually the problem is that I'm not able to use
radius accounting.
I think that I correctly setup my radius server to use sql as
accounting mode but the radius server neither receives
Jeremiah Millay wrote:
Hi,
I'm seeing some odd behavior running freeradius-1.1.7 in a freebsd 6.3
environment. I see a lot of these in the radius log:
Tue Apr 22 09:27:44 2008 : Error: Discarding duplicate request from
client arc3.wnskvtao.sover.net:1645 - ID: 208 due to unfinished request
Are you using wtmp i.e. radlast. Don't. It's slow.
Here are some more snippets related to wtmp (from what I can tell):
unix {
cache = no
cache_reload = 600
radwtmp = ${logdir}/radwtmp
}
accounting {
detail
unix
radutmp
}
session {
radutmp
}
I'm guessing it won't
All,
We're rolling out a password-expiry policy here, and it's been suggested
that it would be helpful for the VPN to prompt a user to change their
password, rather than just lock them out.
The VPN is poptop on Linux, authing to FreeRadius, which current talks
to winbind and then to our
Robert Haskins wrote:
I'm trying to compile freeradius.org version 2.0.3 on Red Hat 7.3, and
I'm getting the following error:
Wow. That's a seriously OLD os install. Please consider upgrading.
/usr/local/src/radius/freeradius-server-2.0.3/src/freeradius-devel/rad_assert.h:26:
warning:
Alan DeKok wrote:
Phil Mayers wrote:
Could you point me towards the place in the FR2 source code that does
the RFC cleaning? I can't seem to find it.
raddb/attrs.access_reject seems to be the place.
Ahh. The light dawns - I assumed it was hard-coded in like the
rfc_clean() function
Mike Perdide wrote:
Hello,
I'm working on VLAN assignment with FreeRadius, with windows XP users.
The FreeRadius server is using openLdap, and works over EAP-TTLS.
The goal of my work is for the users to be on different Vlans depending on
their status.
The radius part is working fine,
Mike Perdide wrote:
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so
Sergio Belkin wrote:
Hi,
I had been using EAP-TTLS, but I've commented in an earlier post, I
have no luck with securew2 and Vista. So I am planning to use a
secondary password for radius in clear-text. But I'd want to know if
TTLS and PEAP can live together, my current eap.conf is as follow:
Julien MIOTTE wrote:
1. Using the windows native supplicant and machine account
authentication. Basically the process is this:
* machine powers on - no-one logged in
* machine uses its own domain account to login host/$machinename
* user presses ctrl+alt+del
* machine
Sturgis, Grant wrote:
Greetings list,
Brand new freeradius user here, I will try not to be too obnoxious with
silly questions.
My goal is to replace the Cisco ACS solution with Freeradius, including:
1. Shell (telnet/ssh) access to network switches/routers/firewalls
2. EAP-TLS to the
Alan DeKok wrote:
rsg wrote:
They are not on the same LAN. This delay is induced by SQL based IP assignment.
Specially when around 30 concurrent Auth queries are made, the
accounting response (Start) takes about 30 seconds (Delayed by New
Auth requests) to reach NAS leading to the ultimate
Lemaster, Rob wrote:
Lemaster, Rob wrote:
I recently upgraded to 2.0.4, and now I'm seeing the following error
when I start FreeRADIUS:
...
Sat May 3 20:21:39 2008 : Error: ERROR: Failed to open socket:
Sat May 3 20:21:39 2008 : Error:
/opt/freeradius-2.0.4/etc/raddb/radiusd.conf[210]:
rad_recv: Access-Request packet from host 192.168.1.227 port 33361, id=96, length=252
User-Name = [EMAIL PROTECTED]
X-Ascend-Netware-timeout = 1785686126
X-Ascend-Send-Secret = 0x3139322e3136382e312e323237
Alan DeKok wrote:
Khaiti, Issam (ext) wrote:
I need a procedure to convert usernames from upper to lower letters. The
entries in the fastuser files are all in lower letters. When an
access-request comes where the username is in uppercase it has to be
converted to lowercase otherwise the
Phil Mayers wrote:
Alan DeKok wrote:
Khaiti, Issam (ext) wrote:
I need a procedure to convert usernames from upper to lower letters. The
entries in the fastuser files are all in lower letters. When an
access-request comes where the username is in uppercase it has to be
converted to lowercase
Rob VanDusen wrote:
I'm very new to both Linux and FreeRadius, so please excuse me if
this is too easy a question. After a couple weeks of fighting,
reading, testing and reconfiguring - I finally managed to get
FreeRadius 2.x working with my Novell eDirectory. Right now my eDir
tree is made up
Rob VanDusen wrote:
Yes Phil, that is the unfortunate configuration I have inherited with
the job. This is a school district, they really want to keep each
school building as its own top-level O. I work in the ESB building,
Ok.
so that was the baseDN I used for testing. I'd rather not have
[EMAIL PROTECTED] wrote:
hi,
recently upgraded a 2.0.4 CVS system to the 2.0.5 CVS
and now the radius.log doesn't get populated with any
OK or FAIL messages when users log in.
config log{} section as per the standard distro and unchanged
from the 2.0.4 - which logged these things
auth =
Dubreuil, Gilles wrote:
All,
Is someone being able to run version 2 on Red Hat 5.x?
Yes
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brad Furst wrote:
Ivan Kalik wrote:
Create multiple sql instances. Create Autz-Type entry for each in
authorize section. Then add something like this in users file.
DEFAULT Real == whatever, Autz-Type = sqlwhatever
This is much simpler with unlang in 2.0 (no Autz-Type entries needed,
Alan DeKok wrote:
Michael Griego wrote:
I did a little looking into this this evening. This assessment looks to
be correct as it looks to be related to compiler optimizations. With
the optimizations disabled in Make.inc, FreeRADIUS will start up on the
correct port. For the fr_socket
Tuc at T-B-O-H.NET wrote:
I seem to have some sort of anomaly that sqltrace is active in my server
even though it's not in debug mode. That's not a big deal.
no. that'll be right. sqltrace is nothing directly to do with server
debug mode - it's a debug mode of the sql module - it's enabled
post-auth {
# rejected requests
Post-Auth-Type REJECT {
log_reject
}
# accepted requests
log_accept
}
But unfortunately, post-auth seems to be entered twice, and the log
looks like this:
2008-05-21 15:18:51 REJECT radius.test
Nicolas Goutte wrote:
Am 27.05.2008 um 18:20 schrieb Giovanni Lovato:
Alan DeKok wrote:
Giovanni Lovato wrote:
I compiled deb packages from 2.0.4 sources. I would use rlm_sqlippool
but I get this message:
symbol lookup error: /usr/lib/freeradius/rlm_sqlippool-2.0.4.so:
undefined symbol:
[EMAIL PROTECTED] wrote:
Hi,
Please note, this bug only seems to be present in the F-9 (recently
released version 9 of Fedora).
For the time being I will build the F-9 FreeRADIUS packages without
optimization until this is resolved.
is it a case of this bug doing OTHER things to the
Graham Marsh wrote:
Hi
Have set up freeradius on a SLES10SP1 box in order to do 802.1X
authentication. All is fine if the client submits a request using just
the user name e.g. test05 in the case below:
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate
[EMAIL PROTECTED] wrote:
hi,
you need to remove the domain suffix but you cannot
play with the User-Name attribute or the response will
be wrong - use the 'stripped-user-name' attribute
for the authenticate step - and ensure that if you
are querying an LDAP or AD etc. in that stage that DOMAIN
Phil Mayers wrote:
[EMAIL PROTECTED] wrote:
hi,
you need to remove the domain suffix but you cannot
play with the User-Name attribute or the response will
be wrong - use the 'stripped-user-name' attribute
for the authenticate step - and ensure that if you
are querying an LDAP or AD etc. in
On Tue, Jun 10, 2008 at 07:32:45PM -0700, Newall, Bryce wrote:
login credentials each time. The Use Windows login credentials (or
whatever it's called; can't remember off the top of my head) option is
checked. In fact, if I un-check it and have Windows prompt me for the
credentials, then the
On Sat, Jun 14, 2008 at 10:12:20AM -0400, Richard Siddall wrote:
Pete Kay wrote:
I am working on deploying 2 load balancing freeradius in a HA environment.
Could someone suggest the best way to do it? I am comfortable with using
ldirector as the load balancer, but I am not sure how to do the
This:
rad_recv: Access-Request packet from host 192.48.19.111:49154, id=0, length=108
User-Name = [EMAIL PROTECTED]
User-Password = toto
Cisco-AVPair = shell:priv-lvl=1
NAS-IP-Address = 192.48.19.111
...is not an MS-CHAP request, as the later debug tells you:
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in
this session.
Read the *whole* debug output; somewhere further up will be the reason
the user was rejected.
Stefan A. wrote:
Gurus,
normally, I would do a short check, but currently I've no connection to one
of my running FR, but have to plan some extensions.
Has someone of you done something like the following?
Regarding 'hints' - file: Would it be possible to use
- $INCLUDE /path/file?
Alan DeKok wrote:
Lech Karol Pawłaszek wrote:
Vista and XP3 are broken. Microsoft does this deliberately.
Is there any way to un-break it?
Ask Microsoft. I'll ask some of the people who may be (partially)
responsible next week.
I know this is not the place to ask such questions
Lech Karol Pawłaszek wrote:
SecureW2 (List) wrote:
http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
Nice article. However I don't understand a few things. What's pdb
pdbpath? I'm not good at Windows.
Good lord... they've made the EAP logging *worse*. I didn't think that
was
ok :) I provide certificate files and eap.conf in a tar ball so as not to
post a mail too long.
If I print [EMAIL PROTECTED] in text form I see how radius is the
issuer of the certificate. This is the default PKI and I don't know what
I'm doing wrong.
Thanks for your attention.
I get the
Yeah!! Then you agree with me. I've been explaining (trying) in this
forum that the client cert must be signed by the ca cert. The bootstrap command signs the
client cert with server.key and this does not work. The solution is to
replace the signing in certs/Makefile (-key server.key -cert server.pem
should be
Khalukhin Alexander wrote:
Hi all! I'm using 'sql' module in accounting to log all the radius
packets from remote radius client (cisco 2600). I've found that
accounting packets are received in the right order (Start then Stop),
but put into the DB log table in the wrong order (Stop then Start).
On Thu, Jul 24, 2008 at 09:14:54PM +0200, Alan DeKok wrote:
Phil Mayers wrote:
Alan - it does look to my untrained eye as if the client.crt Makefile
target in /etc/raddb/certs is signing the client key with the server
key. Is this intentional, or a bug?
It's intentional. It's a perfectly
see the logf there: http://tinypaste.com/5b99b
Your problem is nothing to do with certificates. The PEAP tunnel gets
setup correctly, the MS-CHAP client-server auth succeeds, but the final
server-client (mutual) auth appears to fail.
This could be for a number of reasons, but it's a