1st response On 8 Feb 2013, at 16:09, freeradius-users-requ...@lists.freeradius.org wrote:
> Today's Topics:
>
>    1. Re: Issues with Freeradius crashing after a sighup (Alan DeKok)
>    2. RE: [EAP/TLS] Authenfication through a certificate (vazoumana fofana)
>    3. Re: Session-Timeout anomalies (Bill Isaacs)
>    4. Re: Session-Timeout anomalies (Alan DeKok)
>    5. Any interoperability issues with Aruba and Freeradius (Alex Sharaz)
>    6. Re: MAc-Auth with EAP (Tunde Ogedengbe)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Fri, 08 Feb 2013 10:10:05 -0500
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Subject: Re: Issues with Freeradius crashing after a sighup
> Message-ID: <5115154d.5070...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Alex Sharaz wrote:
>> Firstly the 2.1 servers
>
> <shrug> Upgrade.
>
>> password files are updated every 15 mins and are followed by a "service
>> freeradius reload" command to bring them on line.
>
> See the changelog for 2.2.0. The "passwd" module had issues with
> older versions of the server.
>
> You can also reload individual modules. That will be less likely to
> have issues. i.e.
>
>     $ radmin -e "hup passwd"
>
>> Anyone else seen server crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough
> information to track it down and fix it, though.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 2
> Date: Fri, 8 Feb 2013 15:24:53 +0000
> From: vazoumana fofana <zoumlan...@hotmail.com>
> To: "freeradius-users@lists.freeradius.org"
>     <freeradius-users@lists.freeradius.org>
> Subject: RE: [EAP/TLS] Authenfication through a certificate
> Message-ID: <snt137-w406d40d7e02d3b5d51a487d2...@phx.gbl>
> Content-Type: text/plain; charset="iso-8859-1"
>
> i begin setting up configuration. but i got two problems :
>
> client with good certificate can be authenticated even if they're not in
> "users" file.
> I assume it's due to my code. Here is under authenticate section of default :
>
>     Auth-Type eap {
>         eap
>         if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxx\// ) {
>             if ( "%{TLS-Client-Cert-Subject}" =~ /\/xxxxxxxxxxx\// ) {
>                 ok
>             }
>             else {
>                 fail
>             }
>         }
>     }
>
> It's like when condition is checked, it bypassed "users" file.
>
> Maybe, i must move these lines under authorize ?
> anyone to confirm it ?
>
> cheers
>
>> Date: Mon, 4 Feb 2013 10:32:22 -0500
>> From: al...@deployingradius.com
>> To: freeradius-users@lists.freeradius.org
>> Subject: Re: [EAP/TLS] Authenfication through a certificate
>>
>> vazoumana fofana wrote:
>>> i've got question about EAP/TLS and authentication for a client
>>> through a certificate ?
>>> I succeed setting up. But , i notice that freeradius matches client
>>> login with certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME ?
>>
>> Yes.
>>
>> Read the eap.conf file, and the raddb/sites-available/default. This
>> is documented.
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>
> ------------------------------
>
> Message: 3
> Date: Fri, 08 Feb 2013 09:35:59 -0600
> From: Bill Isaacs <bill.isa...@island-wifi.com>
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151b5f.6060...@island-wifi.com>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
>
>> That is *entirely* the wrong question. It's why you haven't solved
>> the problem yet.
>>
>> Look at the *radius server* debug output. It's the one sending the
>> Session-Timeout. You should be able to figure out where the
>> session-timeout is coming from.
>>
>>> Where is
>>> "Session-Timeout" getting this information? Why is it only doing it on
>>> some accounts and not others?
>> Look at the debug output.
>>
>> Honestly.
>>
>> We say this DAILY on this list. There is no excuse for refusing to do
>> that.
>>
> Alan, take a deep breath. Of course I've looked at the debug output.
> Note my opening sentence, ol' pardner. ;)
>
> ------------------------------
>
> Message: 4
> Date: Fri, 08 Feb 2013 10:50:17 -0500
> From: Alan DeKok <al...@deployingradius.com>
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Subject: Re: Session-Timeout anomalies
> Message-ID: <51151eb9....@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bill Isaacs wrote:
>> Ok so the question then is: where the hell is radclient getting the
>> notion that the account has 2366393 seconds left?
>
> From the RADIUS server. This isn't magic. radclient doesn't invent
> attributes in reply packets. It receives them from the RADIUS server.
>
>> Alan, take a deep breath. Of course I've looked at the debug output.
>> Note my opening sentence, ol' pardner. ;)
>
> Well... your question about "where does radclient get that value from"
> is entirely missing the point. It gets it from the RADIUS server. I've
> said this. I have no idea how to convince you it's true.
>
> And the *only* way to debug the RADIUS server is to look at the debug
> output.
>
> And no, your original message did *not* say you had run the server in
> debugging mode. There's only a reference to creating an account for
> debugging purposes. There's no "radiusd -X" output.
>
> My frustration here is that the documentation and my messages cannot
> possibly be any more clear. Yet you're wandering around doing
> everything *but* what the documentation says, and then wondering why I'm
> getting annoyed.
>
> Run the server in debugging mode. Really. Do it. I mean it.
>
> If you want to track down the issue to a specific module, update the
> config to do:
>
>     update reply {
>         Reply-Message += "A %{reply:Session-Timeout}"
>     }
>
> Cut & paste that through various pieces of authorize, post-auth, etc.
> Change the "A" to "B", "C", etc. You should see 10-20 Reply-Messages
> in the Access-Accept. Each with a value for Session-Timeout. That lets
> you track *what* the value is, and *where* in the config the value is
> coming from.
>
> Then once you know it's a particular module, you can figure out how to
> fix that module.
>
> Right now, you're staring at the radclient output, wondering why the
> server isn't working. That's a mistake.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 5
> Date: Fri, 8 Feb 2013 16:08:22 +0000
> From: Alex Sharaz <alex.sha...@york.ac.uk>
> To: "freeradius-users@lists.freeradius.org"
>     <freeradius-users@lists.freeradius.org>
> Subject: Any interoperability issues with Aruba and Freeradius
> Message-ID: <33b79501-6775-4442-b14e-da574f637...@york.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> Hi All,
>
> I'm sure the answer to this is nope, but ...
>
> At a recent Aruba training course in amongst the documentation supplied to us
> were a couple of presentation slides showing different types of eap
> authentication against recommended RADIUS servers for use with Aruba
> equipment (Just to be sure the slide heading said Aruba RADIUS
> Compatibility).
>
> The surprising bit was the fact that there was a "No" against Freeradius/TTLS
> (MD5,TLS,PEAP,LEAP,FAST all were yes) and a comment that said Freeradius also
> supports TTLS.
>
> Now it may well be that the slide is a bit old and just hasn't been updated
> but it does beg the question have any people using Freeradius with Aruba kit
> experienced any funnies that needed a specific set of "tweaking" for Aruba? I
> really can't imagine that it would be the case, but just thought I'd check.
>
> Rgds
> Alex
>
> ------------------------------
>
> Message: 6
> Date: Fri, 8 Feb 2013 16:09:34 +0000
> From: Tunde Ogedengbe <tu...@xtracomonline.com>
> To: FreeRadius users mailing list
>     <freeradius-users@lists.freeradius.org>
> Subject: Re: MAc-Auth with EAP
> Message-ID:
>     <CACXXqacFDThXBDnzPbseQnZv=vygkq0pd6oxkxv+q_s3nkq...@mail.gmail.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Ok. Can you pls help with procedure for configuring pre-login on Windows
> for 802.1x? Windows is sending packets to RADIUS as
> host/machine-name.domain. I would like to have a dedicated userid/password
> configured on windows for pre-login machine authentication.
>
> 'Tunde Ogedengbe
> On 8 Feb 2013 13:18, "Phil Mayers" <p.may...@imperial.ac.uk> wrote:
>
>> On 08/02/13 12:52, Tunde Ogedengbe wrote:
>>
>>> see from the log that the MAC addresses is checked and OK. But there is
>>> an [eap] returns reject just after the mac address was successfully
>>> checked. I guess I need a way to get radius to force an EAP accept
>>> after successful checking of the MAC addresses.
>>>
>>
>> This doesn't work. You can't "force accept" of an EAP session. The
>> protocol is challenge/response and must complete correctly at both ends.
>>
>> Your approach won't work.
>>
>> Instead, you must configure pre-login 802.1x authentication correctly on the
>> Windows side, either using machine credentials or user creds.
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 94, Issue 19
> ************************************************
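
The marker technique described in Message 4, taken one step further as an added example (not code from the thread or from FreeRADIUS): a small Python helper that reads the lettered Reply-Message markers out of an Access-Accept and reports between which two markers Session-Timeout first appears or changes. The sample reply lines, the marker placement and the 3600 value are constructed; the `Reply-Message = "..."` line format, and an empty expansion while the attribute is still unset, are assumptions.

```python
import re

# Matches attribute lines such as:  Reply-Message = "B 3600"
# (line format assumed; adjust the pattern to what your client prints)
MARKER_RE = re.compile(r'Reply-Message\s*=\s*"([A-Z]) ?(\d*)"')


def parse_markers(text):
    """Return [(marker, value_or_None), ...] in the order they appear.

    value is None when %{reply:Session-Timeout} expanded to nothing,
    i.e. no module had set the attribute yet at that marker.
    """
    return [
        (m.group(1), int(m.group(2)) if m.group(2) else None)
        for m in MARKER_RE.finditer(text)
    ]


def find_changes(markers):
    """Return [(prev_marker, marker, old, new), ...] for each point where
    Session-Timeout differs from its value at the previous marker."""
    changes = []
    prev_marker, prev_value = "start", None
    for marker, value in markers:
        if value != prev_value:
            changes.append((prev_marker, marker, prev_value, value))
        prev_marker, prev_value = marker, value
    return changes


# Constructed sample: A and B placed in authorize, C and D in post-auth.
SAMPLE = '''\
\tReply-Message = "A "
\tReply-Message = "B 3600"
\tReply-Message = "C 3600"
\tReply-Message = "D 2366393"
\tSession-Timeout = 2366393
'''

if __name__ == "__main__":
    for prev, cur, old, new in find_changes(parse_markers(SAMPLE)):
        print(f"Session-Timeout {old} -> {new} between markers {prev} and {cur}")
```

Whatever module runs between the two reported markers is the one to inspect in the `radiusd -X` output.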