Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote: As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't overwritten by the authorized_macs check... Add DEFAULT Auth-Type := Reject

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote: On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote: As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote: First of all, sorry if my email is very long, I am just trying not to leave any important details out. :) That's good. So far, I managed to do the dynamic VLAN assignment, but cannot seem to get it to work together with the MAC checking. The key thing to remember

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Fabrizio Vecchi
. Then, convert it to the configuration. Your system is using TTLS. OK... I'll ignore the question of *why* you're authenticating unknown MACs. That seems weird. What I am trying to achieve is the following: 1. Authenticate the users through LDAP 2. IF the user is using a device listed

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-12 Thread Alan DeKok
Fabrizio Vecchi wrote: I guess at the end of the day my question boils down to the following: where should I put the MAC check, so that the user gets assigned to the right VLAN? In post-auth. If I put it in the authorize part of sites-enabled/default, the VLAN update request will get

Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-11 Thread Fabrizio Vecchi
a list of MAC addresses. If the device is in the list, let the user authenticate through LDAP and get a VLAN depending on the user's group; if it's not present, authenticate the user against ldap, but assign the user to a public VLAN, which cannot reach our internal servers. This is basically
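
Alan's answer in this thread (do the MAC check in post-auth, where it runs once after the tunnelled authentication and can override the VLAN the LDAP lookup chose) worked through as an added example. This is not Fabrizio's configuration: it assumes FreeRADIUS 2.x, an rlm_files instance named authorized_macs reading a file of known MACs, Tmp-Integer-0 as the "known device" marker, EAP-TTLS with use_tunneled_reply = yes in eap.conf, and VLAN 99 as the public VLAN.

```unlang
# Added example, not the thread's configuration. Assumed: FreeRADIUS 2.x,
# EAP-TTLS with use_tunneled_reply = yes, a file of known MACs, VLAN 99 as
# the public VLAN, Tmp-Integer-0 as a "known device" marker.

# modules/authorized_macs: rlm_files instance keyed on the client MAC
files authorized_macs {
    # Calling-Station-Id must match the file's spelling; the stock
    # rewrite_calling_station_id policy normalises it to AA-BB-CC-DD-EE-FF.
    key = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
}

# ${confdir}/authorized_macs (constructed sample). A matching entry sets a
# control attribute; the VLAN is deliberately not decided here.
#   00-11-22-33-44-55   Tmp-Integer-0 := 1
#   66-77-88-99-AA-BB   Tmp-Integer-0 := 1

# sites-enabled/default (outer server)
authorize {
    preprocess
    rewrite_calling_station_id
    # "ok" when the MAC is listed, "notfound" otherwise; both fall through
    # to EAP. Any reply attributes set here would be replaced by the inner
    # tunnel's reply (the LDAP group -> VLAN result) when TTLS finishes.
    authorized_macs
    suffix
    eap {
        ok = return
    }
}

authenticate {
    eap
}

post-auth {
    # Runs once, after the inner tunnel has authenticated the user against
    # LDAP and its reply (Tunnel-Private-Group-Id from the group) has been
    # copied into the outer reply.
    if (control:Tmp-Integer-0 == 1) {
        # Known device: keep the group-based VLAN chosen in the inner tunnel.
        ok
    }
    else {
        # Unknown device: force the public VLAN; ":=" replaces whatever the
        # LDAP lookup put in the reply.
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "99"
        }
    }
    Post-Auth-Type REJECT {
        attr_filter.access_reject
    }
}
```

Run radiusd -X, authenticate once from a listed MAC and once from an unlisted one, and compare the Tunnel-Private-Group-Id in the two Access-Accepts; the debug output also shows the authorized_macs lookup returning ok or notfound on every packet of the session, which is why the decision has to wait for post-auth rather than being taken in authorize.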

LDAP password in log files

2013-09-30 Thread Matthew Ceroni
Is there any way to prevent FreeRadius from showing the password in logs (debug logs) when authentication is done via LDAP? Currently I see: rad_recv: Access-Request packet from host 192.168.100.2 port 31011, id=13, length=129 User-Name = username User-Password = XX NAS-IP-Address

Re: LDAP password in log files

2013-09-30 Thread John Dennis
On 09/30/2013 02:45 PM, Matthew Ceroni wrote: Is there any way to prevent FreeRadius from showing the password in logs (debug logs) when authentication is done via LDAP? Currently I see: rad_recv: Access-Request packet from host 192.168.100.2 port 31011, id=13, length=129 User-Name

Re: LDAP password in log files

2013-09-30 Thread A . L . M . Buxey
Hi, Is there any way to prevent FreeRadius from showing the password in logs (debug logs) when authentication is done via LDAP? Don't run in debug mode. Debug mode is there for a reason - to debug problems, verify if things like passwords are correct. Look at the mailing list archive

RE: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Beliars Fire
Hi, thanks for the help. Actually I decided to create a new VM and reinstall the complete server. I'm following the complete How-To, but I'm getting two different errors. The first one is this: it's under the first point, Configuring Authentication with Active Directory. I started the

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread Alan DeKok
Beliars Fire wrote: The next step, wbinfo -a user%password, works too, but I'm getting this error message: Could not authenticate user Username%Password with plaintext password / challenge/response password authentication succeeded. Is this normal? How can I fix it? The response seems to

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-16 Thread A . L . M . Buxey
Hi, Could not authenticate user Username%Password with plaintext password / challenge/response password authentication succeeded. That's okay. It means you couldn't do PAP and only MSCHAPv2 worked. Expected for that command. In this step, I must edit the following line with this text in

Re: Freeradius + 2 x LDAP + VLAN

2013-09-16 Thread Miroslav Lednicky
12.9.2013 19:36, Arran Cudbard-Bell wrote: On 12 Sep 2013, at 18:18, Miroslav Lednicky miroslav.ledni...@fnusa.cz wrote: Hello, I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04 authorize { ldap1 if (ok) { update reply

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-14 Thread Mathieu Simon
Hi While I generally chime in with Alan's later message, one important thing you should start reading about and differentiating is Authentication and Authorization (the later is Accounting of AAA with RADIUS). While you can do Authorization using LDAP with AD, you can't do the Authentication part
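
The split Mathieu describes above, with the authorization data read from AD over LDAP but the MSCHAPv2 authentication itself handled by ntlm_auth (AD does not hand out NT hashes over LDAP), as an added example. It is not the poster's configuration or the tutorial's: FreeRADIUS 2.1.x syntax, the controller names dc1/dc2.example.org, the bind account, the base DN, the NetBIOS domain EXAMPLE and a host already joined to the domain with winbind are all assumptions.

```unlang
# Added example, FreeRADIUS 2.1.x; not the poster's configuration.
# Assumed: dc1/dc2.example.org, the bind account, dc=example,dc=org, the
# NetBIOS domain EXAMPLE, and "net ads join" already done for winbind.

# modules/ldap: one instance per domain controller, identical apart from
# "server". Authorization data only (does the user exist, which groups,
# reply attributes); the password never comes from here.
ldap ldap_dc1 {
    server = "dc1.example.org"
    identity = "cn=radius,ou=service accounts,dc=example,dc=org"
    password = "radius-bind-password"
    basedn = "dc=example,dc=org"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    # never let this instance claim Auth-Type for itself
    set_auth_type = no
}
ldap ldap_dc2 {
    server = "dc2.example.org"
    identity = "cn=radius,ou=service accounts,dc=example,dc=org"
    password = "radius-bind-password"
    basedn = "dc=example,dc=org"
    filter = "(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}})"
    groupname_attribute = cn
    groupmembership_filter = "(&(objectClass=group)(member=%{Ldap-UserDn}))"
    set_auth_type = no
}

# modules/mschap: the challenge/response is validated by the domain via
# winbind, so no NT hash has to be stored or fetched anywhere.
mschap {
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{%{mschap:User-Name}:-None} --domain=%{%{mschap:NT-Domain}:-EXAMPLE} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}

# sites-enabled/inner-tunnel (PEAP/EAP-MSCHAPv2 or TTLS/MSCHAPv2 inside)
authorize {
    mschap
    suffix
    update control {
        Proxy-To-Realm := LOCAL
    }
    eap {
        ok = return
    }

    # Failover for the authorization lookup: "redundant" only moves on to
    # ldap_dc2 when ldap_dc1 returns "fail" (unreachable, timed out). A
    # "notfound" from dc1 is final, so a missing user is not retried.
    redundant {
        ldap_dc1
        ldap_dc2
    }
    if (notfound) {
        reject
    }
}

authenticate {
    # TTLS/MSCHAPv2: mschap validates the response through ntlm_auth.
    Auth-Type MS-CHAP {
        mschap
    }
    # PEAP/EAP-MSCHAPv2: rlm_eap's mschapv2 sub-module calls the same
    # mschap instance, so it goes through ntlm_auth as well.
    eap
}
```

Check it with radiusd -X: with dc1 unreachable the debug output shows ldap_dc1 returning fail and the lookup landing on ldap_dc2; a user that exists in neither is rejected after dc1's notfound without a second query; and the password check itself appears as the ntlm_auth exec, never as an LDAP bind.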

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-13 Thread Alan DeKok
Beliars Fire wrote: - I worked through this tutorial step by step. On the last two steps, I configured FreeRADIUS to use ntlm_auth. This was obviously wrong, because I want to implement LDAP servers. Please, don't think you're smarter than people with decades more experience than you. It's

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Arran Cudbard-Bell
Is it correct as above? Do I have to call ldap_dhcp separately in each section (i.e. twice)? Hopefully someone else will chime in who's actually used it, but this is what I believe the order of operations should be: * Receive DHCP-Discover - Call LDAP to get the IP assignment

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas
On 31/8/2013 12:03 πμ, Arran Cudbard-Bell wrote: 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? Yes. I am having a hard time trying to adapt the example at: http://wiki.freeradius.org/guide/dhcp-for-static-ip-allocation to work from ldap. We are starting from

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas
On 13/9/2013 8:40 μμ, Arran Cudbard-Bell wrote: If you do it the way I suggested I highly recommend you use V3.0.0 (release_branch_3.0.0 or master/HEAD) instead, as the list/attribute handling is much better. Thanks, I'll look into rlm_cache. I wonder if anyone in this list has created a

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Arran Cudbard-Bell
On 13 Sep 2013, at 19:47, Nikolaos Milas nmi...@noa.gr wrote: On 13/9/2013 9:35 μμ, Nikolaos Milas wrote: Where can I find the v3.0.0 source branch? Oh, I found it and it includes a spec file for redhat: https://github.com/FreeRADIUS/freeradius-server/tree/release_branch_3.0.0/redhat

Re: FreeRadius DHCP against LDAP

2013-09-13 Thread Nikolaos Milas
On 13/9/2013 9:35 μμ, Nikolaos Milas wrote: Where can I find the v3.0.0 source branch? Oh, I found it and it includes a spec file for redhat: https://github.com/FreeRADIUS/freeradius-server/tree/release_branch_3.0.0/redhat Is the spec file in a well-working condition? (I might test, but

Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas
is to build using custom ldap libraries, because we are using LTB OpenLDAP RPM packages (http://ltb-project.org/wiki/download#openldap). The libraries as installed by these RPM packages are in /usr/local/openldap/lib64/ and /usr/local/openldap/include/ In the src.rpm I see: BuildRequires

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Arran Cudbard-Bell
--with-rlm-ldap-lib-dir= --with-rlm-ldap-include-dir= Top level configure. Thanks, Nick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas
On 12/9/2013 11:47 πμ, Arran Cudbard-Bell wrote: --with-rlm-ldap-lib-dir= --with-rlm-ldap-include-dir= Top level configure. Thanks Arran, It worked! I have built and installed the new RPMs and things are working OK. Interestingly, trying to build with the default system libs was failing

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Arran Cudbard-Bell
On 12 Sep 2013, at 11:02, Nikolaos Milas nmi...@noa.gr wrote: On 12/9/2013 11:47 πμ, Arran Cudbard-Bell wrote: --with-rlm-ldap-lib-dir= --with-rlm-ldap-include-dir= Top level configure. Thanks Arran, It worked! I have built and installed the new RPMs and things are working OK

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Fajar A. Nugraha
On Thu, Sep 12, 2013 at 3:25 PM, Nikolaos Milas nmi...@noa.gr wrote: Hello, I am trying to use http://www.packetfence.org/downloads/PacketFence/freeradius/freeradius-2.2.0-2.el6.src.rpm to create

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Nikolaos Milas
On 12/9/2013 2:46 μμ, Arran Cudbard-Bell wrote: Your linker's search path doesn't include the directory the libraries are in. Hmm, it seems the path is included but the ldap libs therein are not used because there is an override in /etc/ld.so.conf: # ldconfig -v | grep -v ^$'\t' /usr/lib64

Re: Building FreeRadius with custom LDAP libraries

2013-09-12 Thread Alan DeKok
Nikolaos Milas wrote: ldconfig -v output does not list any *ldap* libraries in /usr/lib64 although they exist (while it lists *ldap* libs in /usr/local/openldap/lib64), obviously because: Well... this is a local OS issue. You'll need to consult your OS documentation to figure out what's

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell
On 12 Sep 2013, at 16:29, Arran Cudbard-Bell a.cudba...@freeradius.org wrote: It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere. Not true, they make these awesome little fold up bikes you can chuck in the back of the

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell
On 12 Sep 2013, at 15:47, Kevin Bigalke beliarsf...@outlook.com wrote: Hello, I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for failover. I'm

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Alan DeKok
Kevin Bigalke wrote: I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for failover. I'm following the tutorials to set up my FreeRADIUS server: Click http

Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Kevin Bigalke
Hello, I'm running a FreeRADIUS server 2.1.12 on an Ubuntu 13.04 VM. The login with 802.1 works perfectly. I'm using a Windows LDAP server for the login and want to add a second LDAP server for failover. I'm following the tutorials to set up my FreeRADIUS server: Click. I can't find

Freeradius + 2 x LDAP + VLAN

2013-09-12 Thread Miroslav Lednicky
Hello, I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04. I am using it for 802.1x users. I need to switch users from ldap1 to VLAN 1 and users from ldap2 to VLAN 2. I don't know how I can do it. My configuration: /etc/freeradius/modules/ldap: ldap ldap1

Re: Freeradius 2.1.12 Second LDAP Server

2013-09-12 Thread Arran Cudbard-Bell
It's like you're asking for flying lessons, and showing up with a bicycle. There's a bit of a disconnect somewhere. Not true, they make these awesome little fold up bikes you can chuck in the back of the plane. Arran Cudbard-Bell a.cudba...@freeradius.org FreeRADIUS Development Team -

Re: Freeradius + 2 x LDAP + VLAN

2013-09-12 Thread Arran Cudbard-Bell
On 12 Sep 2013, at 18:18, Miroslav Lednicky miroslav.ledni...@fnusa.cz wrote: Hello, I have Freeradius 2.1.10 with 2 LDAP servers (ldap1 + ldap2) and Ubuntu 12.04 authorize { ldap1 if (ok) { update reply { Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802
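
Miroslav's goal (users found in ldap1 onto VLAN 1, users found in ldap2 onto VLAN 2) as an added example; it is not his configuration or Arran's reply. It assumes FreeRADIUS 2.1.x, two rlm_ldap instances named ldap1 and ldap2 already defined in modules/ldap, 802.1X users authenticating in the inner tunnel, and that each directory stores a password attribute the pap or mschap module can use.

```unlang
# Added example, FreeRADIUS 2.1.x; not the poster's configuration. Assumed:
# rlm_ldap instances ldap1 and ldap2 exist in modules/ldap and both map a
# usable password attribute, and users authenticate in the inner tunnel.
server inner-tunnel {
    authorize {
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }
        eap {
            ok = return
        }

        # Look the user up in ldap1 first. "ok"/"updated" means the entry is
        # there; "notfound" means it is not, so try ldap2. Anything else
        # (fail, i.e. the server could not be queried) must not be treated
        # as "not in ldap1", or an ldap1 outage would move everyone to VLAN 2.
        ldap1
        if (ok || updated) {
            update reply {
                Tunnel-Type := VLAN
                Tunnel-Medium-Type := IEEE-802
                Tunnel-Private-Group-Id := "1"
            }
        }
        elsif (notfound) {
            ldap2
            if (ok || updated) {
                update reply {
                    Tunnel-Type := VLAN
                    Tunnel-Medium-Type := IEEE-802
                    Tunnel-Private-Group-Id := "2"
                }
            }
            else {
                # in neither directory, or ldap2 unreachable
                reject
            }
        }
        else {
            fail
        }

        # Sets Auth-Type from the password attributes the matching ldap
        # instance pulled into the control list.
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

The return-code tests are the whole point: in radiusd -X an ldap1 entry shows "ldap1 returns ok" followed by the VLAN 1 update, a user only in ldap2 shows "ldap1 returns notfound" and then "ldap2 returns ok", and an unreachable ldap1 shows "returns fail" and an Access-Reject rather than a silent VLAN 2.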

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas
On 31/8/2013 5:57 μμ, Nikolaos Milas wrote: I'll look into DHCP... Looking at the sites-available/dhcp example setup (on v2.2.0) I see that the DHCP code is not production-ready. Based on user feedback and on your involvement with next FreeRadius release(s) development, do you expect the

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell
On 11 Sep 2013, at 14:49, Nikolaos Milas nmi...@noa.gr wrote: On 31/8/2013 5:57 μμ, Nikolaos Milas wrote: I'll look into DHCP... Looking at the sites-available/dhcp example setup (on v2.2.0) I see that the DHCP code is not production-ready. Based on user feedback and on your

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Arran Cudbard-Bell
On 11 Sep 2013, at 15:37, Nikolaos Milas nmi...@noa.gr wrote: On 11/9/2013 5:05 μμ, Arran Cudbard-Bell wrote: Define production-ready... Production-ready DHCP Server: A DHCP Server that can be used as such in a real-life, mission-critical, organizational environment, i.e. in a network

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Nikolaos Milas
On 11/9/2013 5:05 μμ, Arran Cudbard-Bell wrote: Define production-ready... Production-ready DHCP Server: A DHCP Server that can be used as such in a real-life, mission-critical, organizational environment, i.e. in a network where clients (hosts) will only get an IP address if and only if

Re: FreeRadius DHCP against LDAP

2013-09-11 Thread Alan DeKok
Nikolaos Milas wrote: My understanding is that the term production system implies the definition above. It's just a warning. If it works for you, it works. Does the reference to code apply to the configuration file only (sites-available/dhcp) or to the DHCP FreeRadius module (as I have

ldap xlat, limiting number of returned items to 1

2013-09-05 Thread Martin Kraus
Hi. I'm assigning profiles from ldap to User-Profile and I have a corner case where a user can actually have multiple profiles, which returns more than one record, and nothing gets assigned to User-Profile. Is there a way to specify sizelimit for an ldap lookup to 1? thanks Martin

Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Hachmer, Tobias
Hello Alan, Hachmer, Tobias wrote: - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute. How can I do this and how magic could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more

Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Arran Cudbard-Bell
On 4 Sep 2013, at 06:54, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de wrote: Hello Alan, Hachmer, Tobias wrote: - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute. How can I do this and how magic could I rewrite the DN? The local

Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Hachmer, Tobias
How can I do this and how magic could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way to determine the DN in AD DIT again I think I can achieve this more easily using ntlm_auth

Re: differentiate authorization/authentication in separate ldap modules

2013-09-04 Thread Arran Cudbard-Bell
On 4 Sep 2013, at 13:10, Hachmer, Tobias tobias.hach...@stadt-frankfurt.de wrote: How can I do this and how magic could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is much more than rewrite the base DN. When there's no way

differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
responsibility) for User Authentication. I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like: LDAP Master

Re: differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Michael Schwartzkopff
(Apr 29 2013 07:47:08) Here we use Microsoft Active Directory (not in our responsibility) for User Authentication. I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like: LDAP Master

Re: differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
As far as I know it is not possible to use an ldap module to authenticate against AD. See this page for protocol compatibility: Thank you for the answer. But it is possible using simple bind via ldap. But that's not my problem. Regards, Tobias Hachmer

Re: differentiate authorization/authentication in separate ldap modules

2013-09-03 Thread Alan DeKok
Hachmer, Tobias wrote: - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute. Alan DeKok.

ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
Dear list members, I have the following setup: - Centos 6.4 - freeradius version: radiusd: FreeRADIUS Version 2.1.12, for host x86_64-redhat-linux-gnu, built on Oct 3 2012 at 01:22:51 - authorization and authentication in ldap (openldap) What I am trying to achieve

Re: ldap: multiple radius profiles

2013-09-02 Thread Arran Cudbard-Bell
I don’t know how to configure FreeRADIUS to read the “radiusGroupName” attribute and attach the configured return Items to the return list. *configured reply items to the reply list. Using unlang I am able to do this: if(Ldap-Group == cn=aosReadWrite,ou=groups,ou

Re: ldap: multiple radius profiles

2013-09-02 Thread Hachmer, Tobias
I don't know how to configure FreeRADIUS to read the radiusGroupName attribute and attach the configured return Items to the return list. *configured reply items to the reply list. Of course, sorry for inaccuracy. I want to manage these profiles also in ldap. Is this possible? Well yes
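
Profiles kept in the directory rather than in unlang, as an added example for the question above (it is not Tobias's configuration and not Arran's snippet). It uses rlm_ldap's profile_attribute, present in 2.1.x: the user entry names one or more profile DNs, and every listed profile's radiusReplyItem values are added to the reply, which is what "multiple radius profiles" needs. The base DN, the profiles OU, the structural object class of the profile entries and the sample reply items are assumptions; radiusProfileDn, radiusReplyItem and radiusprofile come from the FreeRADIUS LDAP schema.

```unlang
# Added example, FreeRADIUS 2.1.x; not the poster's setup. Assumed:
# dc=example,dc=org, an ou=profiles container, organizationalRole as the
# structural class of the profile entries (radiusprofile is auxiliary),
# constructed users and reply items.

# modules/ldap
ldap {
    server = "ldap.example.org"
    identity = "cn=radius,ou=services,dc=example,dc=org"
    password = "radius-bind-password"
    basedn = "dc=example,dc=org"
    filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Every value of this attribute on the user entry is a profile DN. Each
    # is fetched (it must match base_filter, i.e. objectclass=radiusprofile)
    # and its check/reply items are merged in, so several values give
    # several profiles at once.
    profile_attribute = "radiusProfileDn"
    # Used only when the user entry carries no radiusProfileDn at all.
    default_profile = "cn=default,ou=profiles,dc=example,dc=org"

    dictionary_mapping = ${confdir}/ldap.attrmap
}

# ldap.attrmap: the $GENERIC$ rows turn each radiusReplyItem/radiusCheckItem
# value, written as "Attribute op value", into a reply/control attribute.
#   checkItem   $GENERIC$                 radiusCheckItem
#   replyItem   $GENERIC$                 radiusReplyItem
#   replyItem   Tunnel-Private-Group-Id   radiusTunnelPrivateGroupId

# Constructed LDIF: two profiles and a user that gets both.
#   dn: cn=aosReadWrite,ou=profiles,dc=example,dc=org
#   objectClass: organizationalRole
#   objectClass: radiusprofile
#   cn: aosReadWrite
#   radiusReplyItem: Service-Type = Administrative-User
#
#   dn: cn=office-vlan,ou=profiles,dc=example,dc=org
#   objectClass: organizationalRole
#   objectClass: radiusprofile
#   cn: office-vlan
#   radiusReplyItem: Tunnel-Type = VLAN
#   radiusReplyItem: Tunnel-Medium-Type = IEEE-802
#   radiusTunnelPrivateGroupId: 40
#
#   dn: uid=jdoe,ou=people,dc=example,dc=org
#   objectClass: inetOrgPerson
#   objectClass: radiusprofile
#   uid: jdoe
#   radiusProfileDn: cn=aosReadWrite,ou=profiles,dc=example,dc=org
#   radiusProfileDn: cn=office-vlan,ou=profiles,dc=example,dc=org

# sites-enabled/inner-tunnel (or default), authorize: no extra unlang is
# needed, rlm_ldap assembles the reply from the user's profiles.
authorize {
    suffix
    eap {
        ok = return
    }
    ldap
    pap
}
```

In radiusd -X the ldap module logs one search for the user and then one per radiusProfileDn value; the Access-Accept for jdoe carries Service-Type from the first profile and the three VLAN attributes from the second. Because the mapping is data-driven, adding a profile to a user is an LDAP change with no server restart.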

Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Nikolaos Milas
On 31/8/2013 12:03 πμ, Arran Cudbard-Bell wrote: 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? Yes. 2. If so, is there a planned freeradius ldap schema change (in future versions) to include DHCP-* attributes? No. But you're welcome to submit a pull request

Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Alan DeKok
) host has already a (manually -or otherwise- preconfigured) static IP address, is there a way FreeRadius can know which that is, so it can reject the host during reauth if that IP Address is different than the one specified in the host's LDAP entry? Only if the NAS does Accounting packets

Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Arran Cudbard-Bell
On 31 Aug 2013, at 13:49, Nikolaos Milas nmi...@noa.gr wrote: On 31/8/2013 12:03 πμ, Arran Cudbard-Bell wrote: 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? Yes. 2. If so, is there a planned freeradius ldap schema change (in future versions) to include DHCP

Re: FreeRadius DHCP against LDAP

2013-08-31 Thread Nikolaos Milas
On 31/8/2013 5:27 μμ, Alan DeKok wrote: ... Thank you for your clear answers. I'll look into DHCP and see how I can instruct our Cisco switches to send the Framed-IP-Address attribute. Thanks again both for the clarifications and for providing FreeRadius to us. Regards, Nick

FreeRadius DHCP against LDAP

2013-08-30 Thread Nikolaos Milas
Hello, A couple of quick questions. 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? 2. If so, is there a planned freeradius ldap schema change (in future versions) to include DHCP-* attributes? Please advise. Thanks, Nick

Re: FreeRadius DHCP against LDAP

2013-08-30 Thread Arran Cudbard-Bell
On 30 Aug 2013, at 19:08, Nikolaos Milas nmi...@noa.gr wrote: Hello, A couple of quick questions. 1. Is DHCP functionality supported against an LDAP Server (in v2.2.0)? Yes. 2. If so, is there a planned freeradius ldap schema change (in future versions) to include DHCP-* attributes

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Iliya Peregoudov
On 28.08.2013 9:48, Olivier Beytrison wrote: On 28.08.2013 00:20, Martin Kraus wrote: Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius configuration offers. Why not just call rlm_ldap from inner-tunnel

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote: On 28.08.2013 9:48, Olivier Beytrison wrote: On 28.08.2013 00:20, Martin Kraus wrote: Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what the default freeradius

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote: I'm stuck with 2.1.10 on ubuntu:-( Without trying to come across as if I'm a stuck record... this is easy to solve. https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html Cheers, Matthew -- Matthew

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
or are the last message # the client sends at the end of TLS handshake signaling the server has been authenticated # # We would like to do ldap lookups only on the last empty EAP-Message - not really possible # But we can skip first few empty messages based on the Identifier field

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell
EAP-Messages are used to acknowledge EAP-Request fragments or are the last message # the client sends at the end of TLS handshake signaling the server has been authenticated # # We would like to do ldap lookups only on the last empty EAP-Message - not really possible # But we

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers
On 28/08/13 14:49, Arran Cudbard-Bell wrote: Does anyone have a configuration which gets it down to a single LDAP query for PEAP? What inner?

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote: On 28/08/13 14:49, Arran Cudbard-Bell wrote: Does anyone have a configuration which gets it down to a single LDAP query for PEAP? What inner? MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2? Arran Cudbard-Bell a.cudba

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote: On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote: On 28/08/13 14:49, Arran Cudbard-Bell wrote: Does anyone have a configuration which gets it down to a single LDAP query for PEAP? What inner

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers
On 28/08/13 15:11, Arran Cudbard-Bell wrote: On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote: On 28/08/13 14:49, Arran Cudbard-Bell wrote: Does anyone have a configuration which gets it down to a single LDAP query for PEAP? What inner? MSCHAPv2 - I thought PEAPv0

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell
which gets it down to a single LDAP query for PEAP? What inner? MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2? and TLS. Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner? and wow did they get rid of the 802.1X

RE: how to limit the repeating ldap lookups

2013-08-28 Thread stefan.paetow
Yes, Alan B had some comments about that IIRC... I think Apple these days expect administrators to use the Apple iPhone Configuration Utility to create a network profile and import that into your 802.1X settings. Bizarre, but there you are. Stefan -Original Message- Fine, yes,

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote: Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP usually specifies PEAP with an MSCHAPv2 inner? Windows 7 supports PEAP+TLS. Unlike Network Manager on linux distributions. and wow did they get

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Arran Cudbard-Bell
to a single LDAP query for PEAP? What inner? MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2? Apparently not; you can apparently run EAP-TLS inside PEAP, which is a new one on me. For PEAP/MSCHAP, under 2.x the link someone posted to my horrible hack works. Or under 3.x, eap { ok = return

(was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin
Arran wrote: and wow did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks. If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license. -- Brian S. Julin

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote: Does anyone have a configuration which gets it down to a single LDAP query for PEAP? The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup. # When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers
On 28/08/13 15:46, Arran Cudbard-Bell wrote: OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2? Nope, just one. The MSCHAP challenge response arrive at you, you validate them and in turn

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Phil Mayers
On 28/08/13 16:00, Martin Kraus wrote: I found that if I nest ifs then default = return won't skip the authorize section and putting the tests on multiple lines doesn't work so it is this ugly:-) Yeah, that's an annoyance of the configurable failover stuff. However this really isn't

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
horrible hack works. Or under 3.x, eap { ok = return } in the inner-tunnel also works. OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2? Using PEAP/EAP-TLS, we put the LDAP lookup

Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote: Arran wrote: and wow did they get rid of the 802.1X profile configuration GUI interface in OSX 10.8? That sucks. If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Martin Kraus
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote: OK. Just wondering if you could really get it down to a single lookup, IIRC you needed the 'known good' NT-Password data for a couple of rounds of MSCHAPv2? with if ( (EAP-Type == Identity) || (EAP-Type == NAK) ||
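
Arran's eap { ok = return } and Martin's EAP-Type test from this thread, put together as an added example (not either poster's configuration). It assumes the v3.0 inner-tunnel layout with a single rlm_ldap instance named ldap; the EAP-Type value names come from dictionary.freeradius.internal.

```unlang
# Added example, not taken from the thread. FreeRADIUS 3.0 inner-tunnel;
# the explicit EAP-Type test is kept so the same section also works on
# 2.1.x, where rlm_eap returns "updated" rather than "ok" for the first
# packets and "ok = return" alone does not stop the lookups.
server inner-tunnel {
    authorize {
        mschap
        suffix
        update control {
            Proxy-To-Realm := LOCAL
        }

        # v3: while EAP is still negotiating (Identity, NAK, method set-up)
        # rlm_eap returns "ok"; returning here means nothing below runs for
        # those packets, so the directory is not queried for them.
        eap {
            ok = return
        }

        # Belt and braces for v2: rlm_eap has set EAP-Type in the request.
        # Skip the directory until the inner method actually carries a
        # credential. No EAP-Type at all means a non-EAP inner (TTLS/PAP),
        # which needs the lookup on its single packet anyway.
        if (!EAP-Type || ((EAP-Type != Identity) && (EAP-Type != NAK))) {
            ldap
        }
        pap
    }

    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
        eap
    }
}
```

This removes the queries for the inner Identity and NAK packets, which is where most of the repeats come from with PEAP/MSCHAPv2. It does not help an EAP-TLS inner method, whose handshake fragments all carry EAP-Type = EAP-TLS; that is the case Matthew's check-eap-tls virtual server in v3 (run once, after the client certificate has verified) is for.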

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote: See the sites-available/check-eap-tls file in v3, and the mods-available/eap file, option virtual_server in the tls section. I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure if it

Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread David Aldwinckle
It's been a while since I've used it, but doesn't the iPhone Config Utility generate mobileconfigs that work on OS X? http://support.apple.com/kb/DL1465 Dave Aldwinckle On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote: Arran wrote: and wow did they get rid of the 802.1X profile

Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread A . L . M . Buxey
Hi, If you think that sucks, wait till you see the horrible things you have to do to generate a .mobileconfig without access to an OSX server license. what, download the iPhone Configuration Utility? yes, quite horrible ;-) alan

RE: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Brian Julin
Aldwinckle Sent: Wednesday, August 28, 2013 2:32 PM To: FreeRadius users mailing list Subject: Re: (was) RE: how to limit the repeating ldap lookups Its been a while since I'Ve used it, but doesn't the iPhone Config Utility generate mobileconfigs that work on OS X? http://support.apple.com/kb

Re: how to limit the repeating ldap lookups

2013-08-27 Thread Alan DeKok
Martin Kraus wrote: I'm using TTLS+TLS. Then what are you looking up in ldap? I can see that the eap { ok = return } automagically skips to the authentication section but the first two access-requests in the session cause it to return updated status so the ldap lookups are executed. I

Re: how to limit the repeating ldap lookups

2013-08-27 Thread Martin Kraus
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote: Again, look at the debug log to see what's happening. *WHY* are you doing LDAP lookups at all? Can you not delay them? Hi. I'm using groups to authorize users and pull radius profiles for the users. My config is similar to what

Re: how to limit the repeating ldap lookups

2013-08-27 Thread Olivier Beytrison
On 28.08.2013 00:20, Martin Kraus wrote: On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote: Again, look at the debug log to see what's happening. *WHY* are you doing LDAP lookups at all? Can you not delay them? Hi. I'm using groups to authorize users and pull radius profiles

Re: Mac Auth against LDAP

2013-08-26 Thread Nikolaos Milas
On 24/8/2013 12:00 μμ, Nikolaos Milas wrote: ...and then I could simply use my *exact current configuration* by simply changing the ldap filter to: filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port})) I tested this and it works. (Yet

Re: Mac Auth against LDAP

2013-08-26 Thread Arran Cudbard-Bell
On 24 Aug 2013, at 10:00, Nikolaos Milas nmi...@noa.gr wrote: On 23/8/2013 9:19 μμ, Arran Cudbard-Bell wrote: It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that information. Thanks Arran, It was NAS-Port indeed. Strangely enough, this is not included either in

Re: Mac Auth against LDAP

2013-08-26 Thread Arran Cudbard-Bell
...where the three ldap instances above are identical except the filter which is: ldap_macauth: filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port})) ldap_macauth_NAS_only: filter = (&(macAddress=%{Calling-Station-Id

Re: Mac Auth against LDAP

2013-08-26 Thread Nikolaos Milas
On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote: No. It's a really inefficient way of doing this. Thanks Arran, Yet, would it be logically/technically correct? Use generic attribute maps or an update ldap schema to pull the necessary values into control attributes, and then do

Re: Mac Auth against LDAP

2013-08-26 Thread Arran Cudbard-Bell
On 26 Aug 2013, at 11:39, Nikolaos Milas nmi...@noa.gr wrote: On 26/8/2013 12:15 PM, Arran Cudbard-Bell wrote: No. It's a really inefficient way of doing this. Thanks Arran, Yet, would it be logically/technically correct? Sure. Use generic attribute maps or an updated ldap schema

Re: Mac Auth against LDAP

2013-08-26 Thread Nikolaos Milas
On 26/8/2013 2:15 PM, Arran Cudbard-Bell wrote: Unless you are querying different DNs for the different Mac-Auth types then doing this is the wrong way to approach this. the presence of the attributes in the LDAP object to dictate what type of authorisation you're doing. Thanks Arran, I

how to limit the repeating ldap lookups

2013-08-26 Thread Martin Kraus
Hi. Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed? thanks martin - List info/subscribe/unsubscribe? See http://www.freeradius.org/list

Re: how to limit the repeating ldap lookups

2013-08-26 Thread Arran Cudbard-Bell
On 26 Aug 2013, at 14:33, Martin Kraus lists...@wujiman.net wrote: Hi. Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed? If you list

Re: how to limit the repeating ldap lookups

2013-08-26 Thread Martin Kraus
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote: Is it possible to limit the repeating ldap lookups that happen during mschap and tls negotiations? Like having an attribute that I could test for which would tell me that the negotiation is completed? If you list the ldap

Re: Mac Auth against LDAP

2013-08-24 Thread Nikolaos Milas
...and then I could simply use my *exact current configuration* by simply changing the ldap filter to: filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port})) ...provided that I am storing the NAS (Cisco switch) IP address

Re: Mac Auth against LDAP

2013-08-24 Thread Nikolaos Milas
On 24/8/2013 12:00 PM, Nikolaos Milas wrote: ...and then I could simply use my *exact current configuration* by simply changing the ldap filter to: filter = (&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port})) ...provided that I am storing

Re: Mac Auth against LDAP

2013-08-23 Thread Nikolaos Milas
exec attr_filter.accounting_response } session { } post-auth { } pre-proxy { } post-proxy { } } Tests went fine and I am able to run MAC-Auth successfully on a Cisco 2960 over FreeRadius with LDAP backend! Thanks FreeRadius people! I have 3 main virtual servers

Re: Mac Auth against LDAP

2013-08-23 Thread Arran Cudbard-Bell
1. Can we somehow limit a host to connect to only a particular port/NAS device based on data stored in LDAP attributes (or, respectively, in flat files) and reject it otherwise? Yes. See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap Use a query that searches for the value

Re: Mac Auth against LDAP

2013-08-23 Thread Nikolaos Milas
On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote: See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute. If the query expands to something other than a zero length string, the attribute

Re: Mac Auth against LDAP

2013-08-23 Thread Arran Cudbard-Bell
On 23 Aug 2013, at 18:30, Nikolaos Milas nmi...@noa.gr wrote: On 23/8/2013 7:25 PM, Arran Cudbard-Bell wrote: See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap Use a query that searches for the value of NAS-IP-Address in the user object in a custom attribute. If the query
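As an added example (not code from this thread or from FreeRADIUS itself), here is the authorisation logic Arran recommends, written out in Python: look the device up by MAC alone, then let the presence of radiusNASIpAddress and radiusHint on the returned object decide how tightly the device is bound, instead of encoding NAS-IP-Address and NAS-Port into three separate LDAP filters. The in-memory directory and the request dictionaries are constructed stand-ins for the LDAP server and the RADIUS packet; the attribute names are the ones used in the filters posted above. The RFC 4515 escape is shown because Calling-Station-Id arrives straight from the NAS (rlm_ldap escapes its own xlat expansions; the function here just makes that step visible), and the MAC normaliser covers the formats different switches send.

```python
"""Added example: MAC-auth authorisation with NAS/port binding decided by
which attributes the directory object carries.  The directory is a
constructed stand-in for LDAP, not a real server."""
import re

# Constructed stand-in for the LDAP directory, keyed by canonical MAC.
# Attribute names follow the filter in the thread (macAddress,
# radiusNASIpAddress, radiusHint).
DIRECTORY = {
    # bound to one port on one switch
    "00:11:22:33:44:55": {"radiusNASIpAddress": "192.0.2.10", "radiusHint": "10105"},
    # any port on one switch
    "00:11:22:33:44:66": {"radiusNASIpAddress": "192.0.2.10"},
    # any switch, any port
    "00:11:22:33:44:77": {},
}

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def canonical_mac(calling_station_id):
    """Normalise a NAS-supplied Calling-Station-Id (00-11-22-33-44-55,
    0011.2233.4455, 00:11:22:33:44:55 or 001122334455) to lower-case,
    colon-separated form.  Returns None if the value is not a MAC."""
    digits = re.sub(r"[:\-.]", "", calling_station_id.strip().lower())
    if not _HEX12.match(digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def ldap_filter_escape(value):
    """RFC 4515 escaping for a value interpolated into an LDAP filter, so
    a hostile Calling-Station-Id cannot add or widen filter terms."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mac_filter(mac):
    """Filter that matches the device by MAC only; the NAS and port
    restrictions are applied after the lookup, not inside the filter."""
    return "(macAddress=%s)" % ldap_filter_escape(mac)


def authorize(request, directory=DIRECTORY):
    """Return (accept, reason).  request maps RADIUS attribute names to
    their string values as the NAS sent them."""
    mac = canonical_mac(request.get("Calling-Station-Id", ""))
    if mac is None:
        return False, "Calling-Station-Id is not a MAC address"
    entry = directory.get(mac)
    if entry is None:
        return False, "unknown MAC %s" % mac
    # The attributes present on the object dictate how strict the check is:
    # no radiusNASIpAddress means any NAS, no radiusHint means any port.
    nas = entry.get("radiusNASIpAddress")
    if nas is not None and nas != request.get("NAS-IP-Address"):
        return False, "MAC %s not permitted on NAS %s" % (mac, request.get("NAS-IP-Address"))
    port = entry.get("radiusHint")
    if port is not None and port != request.get("NAS-Port"):
        return False, "MAC %s not permitted on port %s" % (mac, request.get("NAS-Port"))
    return True, "accept"


if __name__ == "__main__":
    req = {"Calling-Station-Id": "00-11-22-33-44-55",
           "NAS-IP-Address": "192.0.2.10", "NAS-Port": "10105"}
    print(mac_filter(canonical_mac(req["Calling-Station-Id"])))
    print(authorize(req))
```

One lookup per request replaces the three ldap instances, and moving a device from "one port" to "any port on this switch" is a matter of deleting one attribute from its object rather than editing the server configuration.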
