Just an FYI (sorry if this has already been covered):
If you update FR via yum in CentOS or RedHat, as is usual practice with RPMs, conf
files that have been modified are not overwritten, so the new version is installed
with an .rpmnew suffix.
This works great for most of the config files, but
On Sat, Mar 10, 2012 at 5:29 AM, u...@3.am wrote:
So to save lots of time and configuration problem: does your LDAP
store user passwords in clear text or any common hash (e.g. md5,
unix)? If yes, AND you know what the LDAP attribute is, you don't even
need an LDAP section in authenticate.
On 12/03/12 15:44, u...@3.am wrote:
DEFAULT Group == FOO, Pool-Name :=FOO_pool
Group is probably empty. I can't remember what module, if any, fills
it out.
What do you *think* Group will contain? It won't contain LDAP groups.
I was about to post about this... I just did a test with
Hi,
DEFAULT Group == FOO, Pool-Name :=FOO_pool
Group is probably empty. I can't remember what module, if any, fills
it out.
# The Group and Group-Name attributes are automatically created by
# the Unix module, and do checking against /etc/group automatically.
# This means
On Sat, Mar 10, 2012 at 10:47 AM, u...@3.am wrote:
Both hashes are supported, thanks for the link. I assume I need to define
something to map to, as well? Like this:
raddb/dictionary: ATTRIBUTE userPassword 3004 string
err... no.
raddb/ldap.attrmap: checkItem
Hi:
Trying to set up a new RADIUS 2.1.12 server with LDAP. It configured and built
all the modules I need, including rlm_ldap, once I installed the dependencies. I
took all of the same config files that I have working on servers running 2.1.9 and
2.1.10, but 2.1.12 rlm_ldap doesn't seem
u...@3.am wrote:
Trying to set up a new RADIUS 2.1.12 server with LDAP. It configured and built
all the modules I need, including rlm_ldap, once I installed the dependencies. I
took all of the same config files that I have working on servers running 2.1.9 and
2.1.10, but 2.1.12
On Sat, Mar 10, 2012 at 3:23 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:
authenticate {
#Auth-Type LDAP {
redundant LDAP{
ldap1
ldap2
}
Using ldap in the authenticate
On 03/06/2012 02:10 AM, u...@3.am wrote:
On 28/02/12 21:16, u...@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is
because we are still using all the original POSIX attributes and none of them look
like good for mapping to the ones supplied by
On Tue, Mar 6, 2012 at 9:20 PM, u...@3.am wrote:
++? if (control:Shadow-Current control:Shadow-Expires)
Failed parsing control:Shadow-Expires: Unknown value control:Shadow-Expires
for
attribute Shadow-Current
Try
if (control:Shadow-Current %{control:Shadow-Expires})
That did it!
On 28/02/12 21:16, u...@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is
because we are still using all the original POSIX attributes and none of them look
like good for mapping to the ones supplied by FreeRADIUS. I see: checkItem Expiration
u...@3.am wrote:
I didn't ignore any response. I have no reason to worry about whether Expiration
will work in users because A) I'm not using users, I'm using LDAP and B) expiry
worked fine using rlm_pam and /etc/shadow.
Once again, you completely misunderstand my point. This is rude.
u...@3.am wrote:
checkItem Expiration radiusExpiration
Did you check that the LDAP module is returning this attribute for the query?
No, I don't expect it to, since I don't have that attribute or anything that looks
like it might be a good substitute.
So...
On 28/02/12 21:16, u...@3.am wrote:
Hi:
We've been running various versions of FreeRadius for years, currently 2.1.10 in
this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
Everything worked fine after the switch...POSIX attributes for group membership
LDAP returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ldaptest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
[files] users: Matched entry DEFAULT
u...@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is
because we are still using all the original POSIX attributes and none of them look
like good for mapping to the ones supplied by FreeRADIUS. I see: checkItem Expiration
On Wed, Feb 29, 2012 at 4:16 AM, u...@3.am wrote:
Hi:
We've been running various versions of FreeRadius for years, currently 2.1.10 in
this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
Everything worked fine after the switch...POSIX attributes for group
Hello,
I would like to help with this:
I have Freeradius version 2.1.6
I have it running with SQL and DialupAdmin.
How do I give access to wifi users who authenticate with username pass over PEAP
only to a group of users?
I mean that authorised would be only users from group WIFI and not
[suffix] No '@' in User-Name = ldapuser, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
[ldap] performing user authorization for ldapuser
[ldap]expand
Just a gap of our users file, we have 18 default lines and additional 4 for a local/PAP user:
DEFAULT Auth-Type := LDAP, Huntgroup-Name == consoleserver, LDAP-Group == LDAP-GROUP-Team-a
Login-Service = Telnet
FWIW, since it's the LDAP-Group attribute that you're having trouble
I can tell that ldap failover config is a FAQ by the number of hits I found
searching for this, but it seems that many of the config examples are for
older versions of FreeRADIUS. In any case, this is what I've tried, but it's
not working:
In radiusd.conf:
ldap ldap1{
u...@3.am wrote:
I can tell that ldap failover config is a FAQ by the number of hits I found
searching for this, but it seems that many of the config examples are for
older versions of FreeRADIUS. In any case, this is what I've tried, but it's
not working:
See the FAQ for it doesn't
guest users. I can set
up a new FreeRADIUS server (I've done many of those) backend for this, but
am unfamiliar with 2 things that will be different here, which are:
1) A Web front end for a clerical type to enter in temporary accounts to
FreeRADIUS. I imagine there must be a simple php
On my client's wifi network, we are authenticating staff users via
FreeRADIUS against the corporate LDAP database.
I've created a new SSID/WLAN with an IP pool that I've restricted through
router ACLs that we want to deploy for temporary guest users. I can set
up a new FreeRADIUS server (I've
I've had FreeRadius 2.1.6 running ippools fine on one linux server and just
installed it on a new one. They run with --prefix=/usr on both servers, which
necessitated me putting /usr/lib in /etc/ld.so.conf to get rlm_ippool to load
on the new server.
I copied over the old raddb tree, but
Replying to myself...I'm a dope. I deleted all the db.*ippool* files and
let it create new ones and it's fine now.
On Thu, 27 Aug 2009, u...@3.am wrote:
I've had FreeRadius 2.1.6 running ippools fine on one linux server and just
installed it on a new one. They run with --prefix=/usr on
On Mon, 6 Jul 2009, Gilloteau Frederic wrote:
Hello,
I use freeradius 2.1.1-7 and a CISCO router (IOS 12.4(6)T9) to provide VPN
connections.
and the CISCO router gets it ...
.. but never assign it to remote users, the cisco router assigns an IP address
from its local pool.
The interesting
Hi Dogus:
In addition to the radiusd.conf and users file config that I assume you've
already figured out, you have to define the pool names in raddb/default if
you're going to use any pool name other than main_pool. ie:
# Return an address to the IP Pool when we see a stop record.
On Wed, 3 Jun 2009, Alan DeKok wrote:
Because you don't have the GDBM libraries or header files.
Ok, I installed those, and while I was at it, installed the latest
radiusd. The first error I got involved the experimental
raddb/sites-available/control-socket which was included in the old
Replying to myself... erm, never mind... I must have a fairly old
raddb/radiusd.conf...I found this by googling:
db_dir = $(raddbdir) ==
It should be:
db_dir = ${raddbdir} (brackets are wrong)
On Wed, 3 Jun 2009, u...@3.am wrote:
On Wed, 3 Jun 2009, Alan DeKok wrote:
Because you
Hi:
I am trying to configure a server-side IP pool for select pptp users to
bypass the NAS's internal pool. The documentation appears sparse, but
this is what I've done so far:
In raddb/radiusd.conf:
ippool users_pool {
range-start = 172.16.1.2
On Tue, 2 Jun 2009, Alan DeKok wrote:
u...@3.am wrote:
I am trying to configure a server-side IP pool for select pptp users to
bypass the NAS's internal pool. The documentation appears sparse, but
this is what I've done so far:
In raddb/radiusd.conf:
ippool users_pool {
The
FYI: Cisco TAC quickly found my config problem. I took out:
aaa authorization network default if-authenticated
and replaced it with:
aaa authorization network default group radius local
and that did it. Thanks for all of your suggestions! Next up is to start
defining pools
Hi:
I've used Livingston and Cistron radiusd's in the past with dialup ppp
users and Cisco/Lucent NASes and have been able to do this with no
problems.
Users are currently authenticating fine and getting assigned IPs from the
IP pool as defined in the Cisco NAS. However, I'd like to have
group authorize
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
rlm_realm: No '@' in User-Name = testuser, looking up realm NULL
rlm_realm: No such realm NULL
++[suffix] returns noop
rlm_eap: No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns updated
In any case, I really appreciate it if you can at least give my radiusd
config the thumbs up for this...I can open a ticket with Cisco TAC if so.
James Smallacombe PlantageNet, Inc. CEO and Janitor
u...@3.am http://3.am
Tue May 26 23:26:48 2009 : rcvd [IPCP ConfAck id=0x3 addr 172.16.30.9
ms-dns1
10.2.2.2]
Tue May 26 23:26:48 2009 : ipcp: up
Tue May 26 23:26:48 2009 : local IP address 172.16.30.9
Tue May 26 23:26:48 2009 : remote IP address 192.168.7.1
Tue May 26 23:26:48 2009 : primary DNS address 10.1.1.1
Tue
:
+- entering group post-auth
++[exec] returns noop
Framed-Protocol == PPP
Framed-IP-Address = 192.168.1.2 (The address I want)
Framed-IP-Netmask = 255.255.255.0
Framed-Compression = Van-Jacobson-TCP-IP
Finished request 1.
Going to the next request
Waking up in 4.9 seconds
On Wed, 7 Jan 2009, Jeff Crowe wrote:
I was running into this problem on my Redback. The issue was the Redback
wanted an IP address in the same subnet so I had to setup 192.168.1.1/24 as
a sub interface to allow subscribers to be assigned addresses in the
192.168.1.x/24 range. My Shasta was
Sorry for the top-post, but I'm replying to myself and I want to keep my
questions clear. I tried creating two different ippools in the
radiusd.conf using the different ranges I want to use, but the client
ignored it and went only to the pool that the Cisco has. I then changed
the Cisco
Hi:
In my years running a dialup ISP, I used Cistron Radius and Cisco and
Lucent NAS's. I am now using FreeRadius and a Cisco router to authenticate
pptp VPN users. The default IP address pool is defined in the Cisco like
this (parsed):
interface Virtual-Template1
peer default ip address
I understand that radius authenticating ppp (PPTP in this case)
connections against shadow passwords requires cleartext authentication
(PAP).
Does PAM allow you to work around this? From reading what I can find on
PAM, it would seem that FreeRADIUS would pass off the authentication