Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi


CVS builds support TTLS and MSCHAPv2, but there's no documentation on
this.  Does eap-mschapv2 work as PEAP?  What's the status with this?
(Or should I be using TTLS, and is there a good free XP client for
that?)
no, PEAP is a different protocol. you could use TTLS with whatever EAP 
method tunneled in it.


The EAP-TLS seems to work regardless of what I put in the users file.
If the client certificates match against the server one, it gives
access.  How do you give finer control than that?  I don't think we'll
do that in our environment, but I'm curious.  (ie: the User-Name
supplied in the client certificate wasn't even in my users file, but
access was still allowed.)
you still have DEFAULT values in your users file, right? if you 
explicitly reject the user, he will NOT be authenticated.

however, it's true that the User-Name content, the certified name AND 
the EAP-Identity information are not checked for consistency by the 
server. (EAP-Identity should equal User-Name - that's the function of 
the AP, which is something you have a trust relationship with; however, both of 
these compared to the certified name in the certificate could NOT match and 
the certificate would still be accepted. the question here is: do they 
have to match as strings, or what is the right metric? perhaps a 
configurable comparison handler?)


The AP is configured with TKIP + WEP 128bit cipher encryption, with open
authentication (with EAP) and network EAP support.  There is no
Authentication Key Management (WPA optional/mandatory was an option
here, but if I enabled it XP couldn't connect.  I thought XP had WPA
i haven't tried WPA yet, but do you have the XP WPA patches? i suppose you 
do *sigh*, and perhaps also the newest firmware for the 1200.


support...)  My question is, if I just use one client certificate and
distributed it to everyone in our group, will the individual connections
still be secure?  (ie: is the per-session encryption tied to the
certificates involved, or some session-specific bit of randomness even
when authenticated with the same cert?)  Or do I really need to generate
each users own certificate?
the per-session keys (PMKs sent to the APs and the TKIP keys derived from them) 
will be different, since they are derived from the TLS master secret, which is 
based upon random numbers chosen by the peers during the authentication 
process, and so is different for every session with high probability.

however, to you it would effectively all be one person, i.e. every user 
connecting is one and the same - which is normal, since you have ONE 
certified identity. unless you want to use the bug in the server 
described above (User-Name/EAP-Id don't have to match the CN) by activating 
the XP option 'use a different user name on connection' and typing in 
the desired name. however, be assured that then every user could type 
ANYTHING he wants, and probably he would. so, i wouldn't call it secure, 
unless you have full trust in your co-workers :-) but it will still be 
difficult to break your links from outside, almost as difficult as when 
you use different certificates - thanks to TLS.

ciao
artur


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
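Artur's point about per-session keys can be checked against the derivation EAP-TLS actually uses (the TLS 1.0 PRF of RFC 2246 section 5, applied as RFC 2716 prescribes): the master secret is PRF(pre_master_secret, "master secret", client.random + server.random), and the key material handed to the AP is PRF(master_secret, "client EAP encryption", client.random + server.random), whose first 32 octets are what the RADIUS server ships as MS-MPPE-Recv-Key and 802.11i uses as the PMK. The block below is an added example, not code from FreeRADIUS or from anyone on the list. The pre-master secret and the nonces are constructed values; the pre-master is deliberately held constant across the two simulated sessions to show that the nonces alone already separate the keys (with an RSA handshake the client also picks a fresh pre-master every time).

```python
import hmac
import os


def p_hash(digest, secret, seed, length):
    """P_hash from RFC 2246 section 5:
    HMAC(secret, A(1) + seed) || HMAC(secret, A(2) + seed) || ...
    with A(0) = seed and A(i) = HMAC(secret, A(i-1)), cut to `length` octets."""
    out = b""
    a = seed
    while len(out) < length:
        a = hmac.new(secret, a, digest).digest()
        out += hmac.new(secret, a + seed, digest).digest()
    return out[:length]


def tls10_prf(secret, label, seed, length):
    """TLS 1.0 PRF: P_MD5 over the first half of the secret XORed with P_SHA1
    over the second half (the halves share the middle octet for odd lengths)."""
    half = (len(secret) + 1) // 2
    s1, s2 = secret[:half], secret[len(secret) - half:]
    md5_stream = p_hash("md5", s1, label + seed, length)
    sha1_stream = p_hash("sha1", s2, label + seed, length)
    return bytes(x ^ y for x, y in zip(md5_stream, sha1_stream))


def derive_eap_tls_keys(pre_master_secret, client_random, server_random):
    """Master secret per RFC 2246 section 8.1, then EAP-TLS key material per
    RFC 2716. Returns (master_secret, pmk); the PMK is the first 32 octets of
    the key material, i.e. the MS-MPPE-Recv-Key the server sends to the AP."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("TLS client/server randoms are 32 octets each")
    randoms = client_random + server_random
    master_secret = tls10_prf(pre_master_secret, b"master secret", randoms, 48)
    key_material = tls10_prf(master_secret, b"client EAP encryption", randoms, 128)
    return master_secret, key_material[:32]


def two_sessions_same_certificate():
    """Two 802.1X sessions by users holding one and the same client certificate.
    The pre-master secret is a constructed constant so that only the nonces
    differ between the sessions; real RSA handshakes randomise it as well."""
    shared_pre_master = bytes(48)  # constructed; fixed on purpose
    _, pmk_a = derive_eap_tls_keys(shared_pre_master, os.urandom(32), os.urandom(32))
    _, pmk_b = derive_eap_tls_keys(shared_pre_master, os.urandom(32), os.urandom(32))
    return pmk_a, pmk_b


if __name__ == "__main__":
    a, b = two_sessions_same_certificate()
    print("PMK session A:", a.hex())
    print("PMK session B:", b.hex())
    print("identical:", a == b)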


EAP-TTLS.

2003-10-09 Thread Raj Jadhav
Hi
Has anybody implemented EAP-TTLS, or does anyone have more details on how to implement EAP-TTLS
with PAP?
I am facing a problem with an ISP that has an old legacy platform with Merit RADIUS
and IBM LDAP; I tried to test with FreeRADIUS and IBM LDAP.
IBM LDAP responds nicely to FreeRADIUS with the crypt password of the user. When I
enter my username and password through an 802.1x Ethernet switch from an XP client
with MD5 challenge, the FreeRADIUS debug says MD5 challenge failure.
It means my FreeRADIUS server is not understanding the passwords of users.
How can I convert the crypt passwords in IBM LDAP to MD5 passwords?
Or can the same thing be used with EAP-TTLS?
I am confused.
Thanks in advance
Raj Jadhav





How does FreeRadius work with NAI of Mobile IP ???

2003-10-09 Thread Mai Thanh Bui
 Hi,
 I have installed a Dynamic HUT Mobile IP system on my private network, and it
 works fine:
   192.168.1.0          192.168.2.0
 MN -------- FA -------- HA -------- CN
 1.3        1.1        2.1        2.5
 
 
 AAA server ?           AAA server ?
 
 Now I want to install FreeRadius on the Home Agent to
 authenticate the access of mobile nodes using the NAI (Network Access
 Identifier), but I don't understand how AAA works together with the NAI of
 Mobile IP.
 Does it work only with PPP (modem dial-in)? Or could it work with a VPN
 gateway (maybe Free/SWAN)?
 Do I have to install a RADIUS client/server on the FA?
 
 Thanks
 



Re: EAP with XP supplicant

2003-10-09 Thread Paul Dekkers
Dave,

Dave Mussulman wrote:

(Or should I be using TTLS, and is there a good free XP client for
that?)
 

You can find a free windows 2000 and XP client for TTLS at 
http://www.alfa-ariss.com/ (the SecureW2 client)

Regards,
Paul




RE: Problems with proxy if TTLS is used

2003-10-09 Thread Roman Janos
Actually the question is a different one. Are there any plans to implement (or is it
already implemented?) proxying functionality for EAP-TTLS tunneled
authentication methods (e.g. EAP-MD5, PAP, ...)?

If not, the TTLS implementation makes no sense. I am speaking about the bindings
between the old authentication methods that can be deployed on whatever
legacy RADIUS server, and the use of FreeRADIUS as a proxy to take advantage
of security in shared-media environments.

Please comment.

Regards

Roman

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of Alan DeKok
 Sent: 8 October 2003 19:06
 To: [EMAIL PROTECTED]
 Subject: Re: Problems with proxy if TTLS is used


 fastbyte [EMAIL PROTECTED] wrote:
  Is there any plans to implement proxying for EAP/TTLS in near future?

   No.

   Alan DeKok.



about EAP over RADIUS in pppd

2003-10-09 Thread Ji-Young Kong
Hi. I am a newcomer to this mailing list.

I am testing the EAP features of ppp-2.4.2b3.
But it (ppp-2.4.2b3) seems not to support EAP over RADIUS.
I didn't find any patch for EAP over RADIUS for ppp-2.4.2b3.
Is there any patch for it? If so, please let me know where it is.

Alternatively, I tried to build the EAP-Message attribute and Message-Authenticator
attribute myself.
But I don't understand how to compute the Message-Authenticator for an
Access-Request.
RFC 2869 says:

Message-Authenticator = HMAC-MD5 (Type, Identifier, Length,
                                  Request Authenticator, Attributes)

I don't know what the "Request Authenticator" is and what exactly (which
part) "Attributes" means.
Please help me.
Thank you in advance.
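In the RFC 2869 formula quoted above, the "Request Authenticator" is the 16 random octets at offset 4 of the Access-Request header, and "Attributes" is every attribute in the packet, in order, with the 16-octet value of the Message-Authenticator itself set to zero while the HMAC-MD5 is computed (RFC 2869 section 5.14). The block below is an added example, not code from pppd or FreeRADIUS: it builds an Access-Request carrying an EAP-Response/Identity, fills in the Message-Authenticator, and verifies it the way a server would. The shared secret, identity, and Request Authenticator are constructed values; a real client draws the authenticator from a CSPRNG.

```python
import hmac
import struct

ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_EAP_MESSAGE = 79
ATTR_MESSAGE_AUTHENTICATOR = 80
EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def eap_identity_response(eap_id, identity):
    """EAP-Response/Identity (RFC 3748): Code=2, Identifier, Length, Type=1, identity."""
    return struct.pack("!BBHB", EAP_RESPONSE, eap_id, 5 + len(identity), EAP_TYPE_IDENTITY) + identity


def radius_attr(attr_type, value):
    """Type, Length (including the 2-octet header), Value. Values are capped at 253 octets."""
    if len(value) > 253:
        raise ValueError("RADIUS attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def build_access_request(secret, identifier, request_authenticator, attributes):
    """Assemble Code/Identifier/Length/Request-Authenticator plus attributes, then
    HMAC-MD5 the whole packet with the Message-Authenticator value zeroed and
    write the result into that attribute."""
    if len(request_authenticator) != 16:
        raise ValueError("Request Authenticator is 16 octets")
    body = b"".join(radius_attr(t, v) for t, v in attributes)
    body += radius_attr(ATTR_MESSAGE_AUTHENTICATOR, bytes(16))  # zeroed placeholder
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(body)) + request_authenticator
    mac = hmac.new(secret, header + body, "md5").digest()
    return header + body[:-16] + mac


def verify_message_authenticator(secret, packet):
    """Server-side check of an Access-Request. Walks the attribute list, zeroes the
    received Message-Authenticator, recomputes the HMAC and compares in constant
    time. For a response packet one would first copy the matching request's
    Request Authenticator into octets 4..19; that case is not handled here."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    pos, ma_pos = 20, None
    while pos < length:
        if pos + 2 > length:
            return False
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            return False
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR:
            if attr_len != 18 or ma_pos is not None:
                return False
            ma_pos = pos
        pos += attr_len
    if ma_pos is None:
        return False  # EAP-Message without Message-Authenticator must be rejected
    received = packet[ma_pos + 2:ma_pos + 18]
    zeroed = packet[:ma_pos + 2] + bytes(16) + packet[ma_pos + 18:]
    expected = hmac.new(secret, zeroed, "md5").digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    secret = b"testing123"        # constructed shared secret
    req_auth = bytes(range(16))   # constructed; use os.urandom(16) in a real client
    pkt = build_access_request(secret, 7, req_auth, [
        (ATTR_USER_NAME, b"bob"),
        (ATTR_EAP_MESSAGE, eap_identity_response(1, b"bob")),
    ])
    print(pkt.hex())
    print("valid:", verify_message_authenticator(secret, pkt))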


freeradius-snapshot-20031007 RedHat 7.1

2003-10-09 Thread Picher, Cedric


Hello people,

I am actually having a problem with freeradius-snapshot-20031007 on RedHat
7.1; I get some errors running make.
With freeradius-0.9.1.tar.gz I didn't meet any problems.
Am I missing something, or is there a way to install
freeradius-snapshot-20031007 on RH 7.1?
I collected some messages:
Thanks in advance for any help.


./configure
make



rlm_eap_tls.c:231: for each function it appears in.)
rlm_eap_tls.c: In function `eaptls_authenticate':
rlm_eap_tls.c:462: warning: unused parameter `arg'
gmake[10]: *** [rlm_eap_tls.o] Error 1
gmake[10]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules/rlm_eap/types/rlm_eap_tls'
gmake[9]: *** [common] Error 1
gmake[9]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules/rlm_eap/types'
gmake[8]: *** [static] Error 2
gmake[8]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules/rlm_eap/types'
gmake[7]: *** [common] Error 1
gmake[7]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules/rlm_eap'
gmake[6]: *** [static] Error 2
gmake[6]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules/rlm_eap'
gmake[5]: *** [common] Error 1
gmake[5]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules'
gmake[4]: *** [all] Error 2
gmake[4]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src/modules'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory
`/home/invite/freeradius-snapshot-20031007/src'
gmake[1]: *** [common] Error 1
gmake[1]: Leaving directory
`/home/invite/freeradius-snapshot-20031007'
make: *** [all] Error 2



Re: Weird username proxying bug?

2003-10-09 Thread Josh Howlett
On Wed, 2003-10-08 at 17:55, Chris Parker wrote:
 At 10:45 AM 10/8/2003, Josh Howlett wrote:
 I am using freeradius (0.9) to proxy RADIUS packets.
 
 I have run into a possible bug. A username with a Windows domain
 prepended to the user in the format CC\\username gets proxied in the
 format C\\username; because the domain is CC the authentication
 fails:
snip
 
 You haven't removed some of the defaults from the server.  IE,
 the 'hints' file.  Try editing the hints file ( or commenting
 it out of your config from 'radiusd.conf' ).

Thanks, that fixed it.

josh.






Freeradius and Wi-fi networks

2003-10-09 Thread Robert P. McKenzie
I have been trying to get Freeradius set up for use with my wi-fi network but I 
just can't seem to get the configuration working.

My network consists of:

Linux server (hard wired)
D-Link DWL-6000AP (802.1x enabled)
several laptops with DWL-650ab cards
If anyone can help I would be deeply grateful, please reply here or via 
private email if possible.

Cheers!!!

--
Robert P. McKenzie |   GammaRay Technical Services LLC
[EMAIL PROTECTED] | [EMAIL PROTECTED]
http://www.uk-experience.com   |  http://www.gammaray-tech.com


Re: Freeradius and Wi-fi networks

2003-10-09 Thread Sancho2k.net Lists
Not a lot of details that tell anyone where to start with your problem. 
Provide details about what you're trying to set up, what you expect to 
happen, and how it is failing.

Robert P. McKenzie wrote:

I have been trying to get Freeradius set up for use with my wi-fi network 
but I just can't seem to get the configuration working.

My network consists of:

Linux server (hard wired)
D-Link DWL-6000AP (802.1x enabled)
several laptops with DWL-650ab cards
If anyone can help I would be deeply grateful, please reply here or via 
private email if possible.

Cheers!!!





Re: EAP-TTLS.

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Raj Jadhav wrote:

 Hi
 Has anybody implemented EAP-TTLS, or does anyone have more details on how to implement EAP-TTLS
 with PAP?
 I am facing a problem with an ISP that has an old legacy platform with Merit RADIUS
 and IBM LDAP; I tried to test with FreeRADIUS and IBM LDAP.
 IBM LDAP responds nicely to FreeRADIUS with the crypt password of the user. When I
 enter my username and password through an 802.1x Ethernet switch from an XP client
 with MD5 challenge, the FreeRADIUS debug says MD5 challenge failure.
 It means my FreeRADIUS server is not understanding the passwords of users.
 How can I convert the crypt passwords in IBM LDAP to MD5 passwords?

You can't. EAP-MD5 is the same as CHAP. See:

http://www.freeradius.org/faq/#4.4
http://www.freeradius.org/faq/#5.11

 Or same thing can be used with EAP-TTLS??
 I am confused
 Thanks in advance
 Raj Jadhav





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf

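Kostas's answer rests on how EAP-MD5 is verified: the supplicant returns MD5(Identifier || password || challenge), exactly as CHAP does (RFC 1994; RFC 3748 section 5.4), so the server can only check it by computing the same MD5 over the cleartext password. A crypt(3) string from LDAP is not that password, and feeding it in produces precisely the mismatch that surfaces as "MD5 challenge failure". The block below is an added example, not FreeRADIUS code: it builds an EAP-Response/MD5-Challenge packet, verifies it with the cleartext, and shows the failure when only a stored hash is available. The password, challenge, name and hash string are constructed values.

```python
import hashlib
import hmac
import struct

EAP_RESPONSE = 2
EAP_TYPE_MD5_CHALLENGE = 4


def chap_response(identifier, cleartext_password, challenge):
    """CHAP / EAP-MD5 response value: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + cleartext_password + challenge).digest()


def build_md5_challenge_response(identifier, cleartext_password, challenge, name):
    """EAP-Response/MD5-Challenge: Code=2, Identifier, Length, Type=4,
    Value-Size, Value (16 octets), Name."""
    value = chap_response(identifier, cleartext_password, challenge)
    type_data = bytes([EAP_TYPE_MD5_CHALLENGE, len(value)]) + value + name
    return struct.pack("!BBH", EAP_RESPONSE, identifier, 4 + len(type_data)) + type_data


def verify_md5_challenge_response(eap_packet, challenge, server_copy_of_password):
    """What the server must do: recompute the MD5 over ITS copy of the password.
    Returns (ok, name), or None when the packet is malformed. If the server only
    holds a crypt(3) hash, there is nothing it can pass as the password that
    makes this succeed, which is why EAP-MD5 needs cleartext credentials."""
    if len(eap_packet) < 6:
        return None
    code, identifier, length = struct.unpack("!BBH", eap_packet[:4])
    if code != EAP_RESPONSE or length != len(eap_packet):
        return None
    if eap_packet[4] != EAP_TYPE_MD5_CHALLENGE:
        return None
    value_size = eap_packet[5]
    if value_size != 16 or 6 + value_size > length:
        return None
    value = eap_packet[6:6 + value_size]
    name = eap_packet[6 + value_size:]
    expected = chap_response(identifier, server_copy_of_password, challenge)
    return hmac.compare_digest(value, expected), name


if __name__ == "__main__":
    challenge = bytes(range(16))              # constructed; a real server uses a random nonce
    pkt = build_md5_challenge_response(9, b"s3cret", challenge, b"raj")
    print("with cleartext :", verify_md5_challenge_response(pkt, challenge, b"s3cret"))
    # Constructed crypt(3)-style string standing in for what LDAP returns:
    stored_hash = b"$1$saltsalt$abcdefghijklmnopqrstuv"
    print("with crypt hash:", verify_md5_challenge_response(pkt, challenge, stored_hash))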


Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 however, it's true that the User-Name content, the certified name AND
 the EAP-Identity information is not checked for consistency by the
 server. (EAP-Identity should be equal User-Name - that's the function of
 the AP, that is something you have a trust with; however, these both
 compared to the certified name in the certificate could NOT match and
 the certificate would still be accepted. the question here is: do they
 have to match as strings or which is the good metrics? perhaps a
 configurable comparison handler?)

One thing we could do (this is what iPlanet does for certificate authentication)
is get the user's certificate from LDAP and check it against the one the user
supplied. If they match then we can be pretty sure we are dealing with the right
user. This should not be too difficult to do using ldap_xlat. Maybe it would
require some code changes to ldap_xlat since the usercertificate attribute is
of binary type, base64 encoded, but I think it's doable.

--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



SQL queries being executed twice

2003-10-09 Thread Das, Anindya Kishore

Hi All,

I am trying to configure accounting on my MySQL server and everything
seems to be working fine... except for the fact that there are two
INSERT queries executed for every user logging in. Excerpt from the
radiusd -x command is below:

--CUT-
rad_recv: Accounting-Request packet from host 202.183.67.218:34980,
id=109, length=149
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Identifier = MikroTik
NAS-Port = 19071
NAS-Port-Type = Ethernet
User-Name = aakashshah
Calling-Station-Id = 00:80:AD:83:B3:41
Called-Station-Id = Blaze-World.net
NAS-Port-Id = PPPoe
Acct-Session-Id = 81903a63
Framed-IP-Address = 203.115.66.241
Acct-Authentic = RADIUS
Acct-Status-Type = Start
NAS-IP-Address = 202.183.67.218
Acct-Delay-Time = 0
modcall: entering group preacct
  modcall[preacct]: module preprocess returns noop
rlm_realm: No '@' in User-Name = aakashshah, looking up realm NULL
rlm_realm: No such realm NULL
  modcall[preacct]: module suffix returns noop
  modcall[preacct]: module files returns noop
modcall: group preacct returns noop
modcall: entering group accounting
rlm_acct_unique: Hashing 'NAS-Port-Id = PPPoe,Client-IP-Address =
202.183.67.218,NAS-IP-Address = 202.183.67.218,Acct-Sessio
n-Id = 81903a63,User-Name = aakashshah'
rlm_acct_unique: Acct-Unique-Session-ID = 1d2f299d28c64497.
  modcall[accounting]: module acct_unique returns ok
radius_xlat:
'/usr/local/var/log/radius/radacct/202.183.67.218/detail-20031009'
rlm_detail:
/usr/local/var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /usr/local/var/log/radius/radacct/
202.183.67.218/detail-20031009
  modcall[accounting]: module detail returns ok
  modcall[accounting]: module unix returns ok
radius_xlat:  'aakashshah'
rlm_sql (sql): sql_set_user escaped user -- 'aakashshah'
radius_xlat:  'INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId, NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '',
'202.183.67.218', '19071', 'Ethernet', '2003-10-09 23:46:21', '0', '0',
'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '',
'Framed-User', 'PPP', '203.115.66.241', '0', '0')'
radius_xlat:  '/usr/local/var/log/radius/sqltrace.sql'
rlm_sql (sql): Reserving sql socket id: 4
rlm_sql_mysql: query:  INSERT into radacct (RadAcctId, AcctSessionId,
AcctUniqueId, UserName, Realm, NASIPAddress, NASPortId,NASPortType,
AcctStartTime, AcctStopTime, AcctSessionTime, AcctAuthentic,
ConnectInfo_start, ConnectInfo_stop, AcctInputOctets, AcctOutputOctets,
CalledStationId, CallingStationId, AcctTerminateCause, ServiceType,
FramedProtocol, FramedIPAddress, AcctStartDelay, AcctStopDelay)
values('', '81903a63', '1d2f299d28c64497', 'aakashshah', '',
'202.183.67.218', '19071', 'Ethernet','2003-10-09 23:46:21', '0', '0',
'RADIUS', '', '', '0', '0', 'Blaze-World.net', '00:80:AD:83:B3:41', '',
'Framed-User', 'PPP', '203.115.66.241', '0', '0')
rlm_sql (sql): Released sql socket id: 4
  modcall[accounting]: module sql returns ok
--CUT-

Is there anything that I am missing, or something that I need to check?

Thanks for your time..

Best regards,
Anindya



Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi kostas

yes, that would be a possibility.

in any case we shouldn't be too strict in the comparison. the example 
i'm thinking about, is the following:

given that the certificates are usually issued to real persons, the CN 
could be e.g. smith. however, with nomadicity he is still smith but 
he is likely to use something like [EMAIL PROTECTED] which is NOT his 
CN. i think there are more similar examples in the case of proxying. 
perhaps we should also allow the usage of other (critical) certified 
fields instead of the CN - the email address is for example a good 
choice, since it can directly be used as a fully qualified global user 
name - since it is by default unique.

that's why i am talking about some freely definable handler for 
comparison, like a function boolean compare(string, string).

ciao
artur
Kostas Kalevras wrote:

On Thu, 9 Oct 2003, Artur Hecker wrote:


however, it's true that the User-Name content, the certified name AND
the EAP-Identity information is not checked for consistency by the
server. (EAP-Identity should be equal User-Name - that's the function of
the AP, that is something you have a trust with; however, these both
compared to the certified name in the certificate could NOT match and
the certificate would still be accepted. the question here is: do they
have to match as strings or which is the good metrics? perhaps a
configurable comparison handler?)


One thing we could do (this is what iplanet does for certificate authentication)
is get the user certificate of the user from ldap and check it with the user
supplied. If they match then we can be pretty sure we are dealing with the right
user. This should not be too difficult to do using ldap_xlat. Maybe it would
require some code changes to ldap_xlat since the usercertificate attribute is
of binary type, base64 encoded but i think it's doable.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 hi kostas


 yes, that would be a possibility.

 in any case we shouldn't be too strict in the comparison. the example
 i'm thinking about, is the following:

 given that the certificates are usually issued to real persons, the CN
 could be e.g. smith. however, with nomadicity he is still smith but
 he is likely to use something like [EMAIL PROTECTED] which is NOT his
 CN. i think there are more similar examples in the case of proxying.
 perhaps we should also allow the usage of other (critical) certified
 fields instead of the CN - the email address is for example a good
 choice, since it can directly be used as a fully qualified global user
 name - since it is by default unique.

 that's why i am talking about some freely definable handler for
 comparison, like a function boolean compare(string, string).

I am not talking about checking specific attributes of the certificate but
rather checking the certificate as a whole. If the certificate was issued to
user jim then the usercertificate;binary in ldap and the certificate passed
through eap should be exactly the same.



 ciao
 artur


 Kostas Kalevras wrote:

  On Thu, 9 Oct 2003, Artur Hecker wrote:
 
 
 however, it's true that the User-Name content, the certified name AND
 the EAP-Identity information is not checked for consistency by the
 server. (EAP-Identity should be equal User-Name - that's the function of
 the AP, that is something you have a trust with; however, these both
 compared to the certified name in the certificate could NOT match and
 the certificate would still be accepted. the question here is: do they
 have to match as strings or which is the good metrics? perhaps a
 configurable comparison handler?)
 
 
  One thing we could do (this is what iplanet does for certificate authentication)
  is get the user certificate of the user from ldap and check it with the user
  supplied. If they match then we can be pretty sure we are dealing with the right
  user. This should not be too difficult to do using ldap_xlat. Maybe it would
  require some code changes to ldap_xlat since the usercertificate attribute is
  of binary type, base64 encoded but i think it's doable.
 
  --
  Kostas Kalevras Network Operations Center
  [EMAIL PROTECTED]   National Technical University of Athens, Greece
  Work Phone: +30 210 7721861
  'Go back to the shadow' Gandalf
 


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf




Active Directory - rlm_ldap

2003-10-09 Thread seth666 666
Hi
I want to authenticate users with username/password stored in an Active 
Directory server.
I can access the Active Directory from my FreeRADIUS server via the rlm_ldap 
module; I can search and find users in Active Directory, but I can't 
access the password (even in crypt form).
Here is the error message:
rlm_ldap: Attribute User-Password is required for authentication

1/ Which attribute stores users' passwords in Active Directory?
2/ With which algorithm is the password encrypted?
3/ How do I tell rlm_ldap to check not the User-Password attribute but another 
attribute?
4/ How can I access this attribute (if possible)?
5/ If not possible, how can I tell rlm_ldap to try to bind with the 
user/password pair I want to authenticate and, if the bind is successful, to 
grant access to the user?
6/ I don't want to use rlm_smb, and if possible not PAM (leaks 
memory) with Kerberos.
7/ I don't want to proxy to an IAS server :)

Thank you a lot

P.S.: I have read other mails about this problem but I can't find a way that 
works.



Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
i understand, but if you do that, you can't proxy requests anymore.

AND: this does not solve the problem of the User-Name NOT being the same as the 
certificate. e.g. if you and I both have the complete certificate 
(you in the LDAP), I could still use some other User-Name, thus faking 
the accounting.

ciao
artur
Kostas Kalevras wrote:

On Thu, 9 Oct 2003, Artur Hecker wrote:


hi kostas

yes, that would be a possibility.

in any case we shouldn't be too strict in the comparison. the example
i'm thinking about, is the following:
given that the certificates are usually issued to real persons, the CN
could be e.g. smith. however, with nomadicity he is still smith but
he is likely to use something like [EMAIL PROTECTED] which is NOT his
CN. i think there are more similar examples in the case of proxying.
perhaps we should also allow the usage of other (critical) certified
fields instead of the CN - the email address is for example a good
choice, since it can directly be used as a fully qualified global user
name - since it is by default unique.
that's why i am talking about some freely definable handler for
comparison, like a function boolean compare(string, string).


I am not talking about checking specific attributes of the certificate but
rather checking the certificate as a whole. If the certificate was issued to
user jim then the usercertificate;binary in ldap and the certificate passed
through eap should be exactly the same.

ciao
artur
Kostas Kalevras wrote:


On Thu, 9 Oct 2003, Artur Hecker wrote:



however, it's true that the User-Name content, the certified name AND
the EAP-Identity information is not checked for consistency by the
server. (EAP-Identity should be equal User-Name - that's the function of
the AP, that is something you have a trust with; however, these both
compared to the certified name in the certificate could NOT match and
the certificate would still be accepted. the question here is: do they
have to match as strings or which is the good metrics? perhaps a
configurable comparison handler?)


One thing we could do (this is what iplanet does for certificate authentication)
is get the user certificate of the user from ldap and check it with the user
supplied. If they match then we can be pretty sure we are dealing with the right
user. This should not be too difficult to do using ldap_xlat. Maybe it would
require some code changes to ldap_xlat since the usercertificate attribute is
of binary type, base64 encoded but i think it's doable.
--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf


RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Nixon, Anthony S.
Ok, I have tried all I can to get TTLS and PAP working.  TTLS and MD5 work
great.  Where do I specify pap as the authenticator with ttls?  I continue
to get:

/etc/rc.d/rc.radius: line 67: 9985 Segmentation fault  $RADIUSD $ARGS
radiusd

I know it is a configuration error on my part, but I cannot figure where?  I
do have 

Auth-Type PAP {
pap
}

set in authentication and default_eap_type = pap under ttls.  What am I
missing?


Thanks - Shon

-Original Message-
From: Nixon, Anthony S. [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 10:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Alfa and Ariss client with FreeRADIUS


So I take it that you used default_eap_type = pap under ttls?

-Original Message-
From: Antonia Kujundzic [mailto:[EMAIL PROTECTED]
Sent: Friday, October 03, 2003 9:40 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS


Hello!

 I have noticed a post to this list which suggested the Alfa & Ariss
 client for use as a TTLS client for Win2k.  Has anyone actually got this
 to work?

Yes, I had. 
Do not forget to include 802.1x patch for Win2k.


 The Alfa & Ariss client only supports TTLS w/ PAP.  The FUNK
 Odyssey 2.22 client works very well.  Are there other clients available at
 a respectable price, or will this Alfa & Ariss client work with FreeRADIUS?

I use the Alfa & Ariss client with FreeRADIUS, and it's working OK.

Antonia



RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Roman Janos
Hi,

I have downloaded the Alfa and Ariss client yesterday and there was only
TTLS(PAP) support. How do you get working TTLS (EAP-MD5) with this client?

regards

Roman

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of Nixon,
 Anthony S.
 Sent: 9 October 2003 16:03
 To: '[EMAIL PROTECTED]'
 Subject: RE: Alfa and Ariss client with FreeRADIUS


 Ok, I have tried all I can to get TTLS and PAP working.  TTLS and MD5 work
 great.  Where do I specify pap as the authenticator with ttls?  I continue
 to get:

 /etc/rc.d/rc.radius: line 67: 9985 Segmentation fault  $RADIUSD $ARGS
 radiusd

 I know it is a configuration error on my part, but I cannot
 figure where?  I
 do have

 Auth-Type PAP {
   pap
   }

 set in authentication and default_eap_type = pap under ttls.  What am I
 missing?


 Thanks - Shon

 -Original Message-
 From: Nixon, Anthony S. [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 03, 2003 10:49 AM
 To: '[EMAIL PROTECTED]'
 Subject: RE: Alfa and Ariss client with FreeRADIUS


 So I take it that you used default_eap_type = pap under ttls?

 -Original Message-
 From: Antonia Kujundzic [mailto:[EMAIL PROTECTED]
 Sent: Friday, October 03, 2003 9:40 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Alfa and Ariss client with FreeRADIUS


 Hello!

  I have noticed a post to this list which suggested the Alfa & Ariss
  client for use as a TTLS client for Win2k. Has anyone actually got this
  to work?

 Yes, I had.
 Do not forget to include 802.1x patch for Win2k.


  The Alfa & Ariss client only supports TTLS w/ PAP. The FUNK
  Odyssey 2.22 client works very well. Are there other clients
  available at a respectable price, or will this Alfa & Ariss client
  work with FreeRADIUS?

 I use the Alfa & Ariss client with FreeRADIUS, and it's working OK.

 Antonia



RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Roman Janos

 
 set in authentication and default_eap_type = pap under ttls.  What am I
 missing?

Actually, PAP is not an EAP type. Change it to MD5.


Roman




RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Nixon, Anthony S.
You cannot - Funk supports it quite well in the 2.22 client.

-Original Message-
From: Roman Janos [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS


Hi,

I have downloaded the Alfa and Ariss client yesterday and there was only
TTLS(PAP) support. How do you get working TTLS (EAP-MD5) with this client?

regards

Roman



Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 i understand, but if you do that, you can't proxy requests anymore.

I don't need to authenticate requests that I am just proxying.
The certificate check will be done after checking that the certificate is valid.


 AND: this does not solve the problem of user-name being NOT the same as
 certificate. e.g. if you me and i we both have the complete certificate
 (you in the LDAP), i could still use some other User-Name thus faking
 the accounting.

But I use the username in the access-request to find the certificate in LDAP. So
you can't use a fake username...



 ciao
 artur


 Kostas Kalevras wrote:

  On Thu, 9 Oct 2003, Artur Hecker wrote:
 
 
 hi kostas
 
 
 yes, that would be a possibility.
 
 in any case we shouldn't be too strict in the comparison. the example
 i'm thinking about, is the following:
 
 given that the certificates are usually issued to real persons, the CN
 could be e.g. smith. however, with nomadicity he is still smith but
 he is likely to use something like [EMAIL PROTECTED] which is NOT his
 CN. i think there are more similar examples in the case of proxying.
 perhaps we should also allow the usage of other (critical) certified
 fields instead of the CN - the email address is for example a good
 choice, since it can directly be used as a fully qualified global user
 name - since it is by default unique.
 
 that's why i am talking about some freely definable handler for
 comparison, like a function boolean compare(string, string).
 
 
  I am not talking about checking specific attributes of the certificate but
  rather checking the certificate as a whole. If the certificate was issued to
  user jim then the usercertificate;binary in ldap and the certificate passed
  through eap should be exactly the same.
 
 
 
 ciao
 artur
 
 
 Kostas Kalevras wrote:
 
 
 On Thu, 9 Oct 2003, Artur Hecker wrote:
 
 
 
 however, it's true that the User-Name content, the certified name AND
 the EAP-Identity information is not checked for consistency by the
 server. (EAP-Identity should be equal User-Name - that's the function of
 the AP, that is something you have a trust with; however, these both
 compared to the certified name in the certificate could NOT match and
 the certificate would still be accepted. the question here is: do they
 have to match as strings or which is the good metrics? perhaps a
 configurable comparison handler?)
 
 
 One thing we could do (this is what iplanet does for certificate authentication)
 is get the user certificate of the user from ldap and check it with the user
 supplied. If they match then we can be pretty sure we are dealing with the right
 user. This should not be too difficult to do using ldap_xlat. Maybe it would
 require some code changes to ldap_xlat since the usercertificate attribute is
 of binary type, base64 encoded but i think it's doable.
 


--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf



RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Nixon, Anthony S.
I understand this, but exactly where do I specify PAP with TTLS?

-Original Message-
From: Roman Janos [mailto:[EMAIL PROTECTED]
Sent: Thursday, October 09, 2003 10:12 AM
To: [EMAIL PROTECTED]
Subject: RE: Alfa and Ariss client with FreeRADIUS



 
 set in authentication and default_eap_type = pap under ttls.  What am I
 missing?

Actually, PAP is not an EAP type. Change it to MD5.


Roman




Re: EAP with XP supplicant

2003-10-09 Thread Artur Hecker
hi kostas

ok, now i get it :-) but with your approach you have to put the user
certificate into the server's LDAP (which it doesn't necessarily have),
i.e. you have to put all certificates on the server AND on the clients. it's
a bit more difficult, especially if you don't run any kind of
certificate repository.


 I don't need to authenticate requests that i am just proxying.
 The certificate check will be after checking that the certificate is valid.

well, you are right.

(however, we have a more complicated thing here: we check locally and
then proxy only the authorization, i.e. is this user still valid to
the remote host. with this, we don't need to proxy complete TLS exchanges
(quite a big auth delay), we do not need CRLs or other central
depositories ... and we do not need user certificates in _all_ visited
domains... but i suppose it's not quite usual, though perfectly legal.)


 But i use the username in the access-request to find the certificate in ldap. So
 you can't use a fake username...

ok, with the limitations mentioned above. sorry, i didn't get it at first.
still, i would prefer a more traditional method: why would the server
need to have all user certs installed?

it should be quite simple to compare the User-Name to the configured
field in the certificate by using regular expressions and similar.

ciao
artur




RE: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Roman Janos
The difference is in TTLS phase 2: with EAP, an EAP-Response/Identity is sent
to the RADIUS server, and the RADIUS server, based on the user name, sends a
challenge with the appropriate EAP type. With PAP, the User-Name and PAP password
are sent, and from this information the RADIUS server knows that PAP should be used.

If I am wrong please correct me.

Regards

Roman

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED] on behalf of Nixon,
 Anthony S.
 Sent: 9 October 2003 16:14
 To: '[EMAIL PROTECTED]'
 Subject: RE: Alfa and Ariss client with FreeRADIUS


 I understand this, but exactly where do I specify PAP with TTLS?

 -Original Message-
 From: Roman Janos [mailto:[EMAIL PROTECTED]
 Sent: Thursday, October 09, 2003 10:12 AM
 To: [EMAIL PROTECTED]
 Subject: RE: Alfa and Ariss client with FreeRADIUS



 
  set in authentication and default_eap_type = pap under ttls.  What am I
  missing?

 Actually, PAP is not an EAP type. Change it to MD5.


 Roman




Re: EAP with XP supplicant

2003-10-09 Thread Kostas Kalevras
On Thu, 9 Oct 2003, Artur Hecker wrote:

 it should be quite simple to compare the User-Name to the configured
 field in the certificate by using regular expressions and similar.

Sure. Both could be just configurable options. If you maintain a CA and an ldap
to store user certificates you can enable certificate verification. If not you
can just do a regex on the certificate attributes and verify it that way.

The only thing left now, is for someone to write these checks :-)



 ciao
 artur





--
Kostas Kalevras Network Operations Center
[EMAIL PROTECTED]   National Technical University of Athens, Greece
Work Phone: +30 210 7721861
'Go back to the shadow' Gandalf
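An added sketch of the configurable comparison handler Artur and Kostas discuss above (it is not FreeRADIUS code and nobody in the thread wrote it): a regular expression extracts the identity part of the RADIUS User-Name (for instance dropping a realm), which must then equal a chosen certified field of the client certificate's subject such as CN or emailAddress. Subject strings in RFC 4514 form, the user names and the example.org addresses are constructed for the demonstration.

```python
import re


def parse_subject(dn):
    """Split an RFC 4514 subject string (as OpenSSL prints it) into
    {attribute: [values]}. Backslash-escaped separators are honoured;
    multi-valued RDNs joined with '+' are kept as one value."""
    fields = {}
    buf, key, escaped = "", None, False
    for ch in dn + ",":
        if escaped:
            buf += ch
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == "=" and key is None:
            key = buf.strip().lower()
            buf = ""
        elif ch == ",":
            if key is None:
                raise ValueError("RDN without '=': %r" % buf)
            fields.setdefault(key, []).append(buf.strip())
            buf, key = "", None
        else:
            buf += ch
    return fields


def make_compare(field, pattern=r"^(?P<id>.+)$", ignore_case=True):
    """Build a compare(user_name, subject_dn) -> bool handler.

    `pattern` is applied to the User-Name and must define a named group
    'id'; that group has to equal one value of `field` in the certificate
    subject. A User-Name that does not match the pattern, a subject that
    lacks the field, or an unparsable subject all fail closed."""
    regex = re.compile(pattern)
    key = field.lower()

    def compare(user_name, subject_dn):
        m = regex.match(user_name)
        if not m:
            return False
        wanted = m.group("id")
        try:
            values = parse_subject(subject_dn).get(key, [])
        except ValueError:
            return False
        if ignore_case:
            wanted = wanted.lower()
            values = [v.lower() for v in values]
        return wanted in values

    return compare


# Policy 1 (Artur's 'smith' vs 'smith@realm' case): the local part of the
# User-Name, with any realm stripped, must equal the certified CN.
cn_matches_local_part = make_compare("CN", r"^(?P<id>[^@]+)(@[^@]+)?$")

# Policy 2: the whole User-Name must equal the certified e-mail address,
# which is already a globally unique identifier.
email_matches = make_compare("emailAddress")

# Constructed sample subject; example.org is a placeholder domain.
SMITH = "CN=smith,emailAddress=smith@example.org,O=Example,C=DE"
```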



Active Directory - rlm_ldap

2003-10-09 Thread seth666 666
Thank You for your answers.
But I can't understand why rlm_ldap asks me for the User-Password attribute. What
do I have to do so that rlm_ldap doesn't stop the authentication process because
it doesn't have a User-Password attribute?

In my case, rlm_ldap doesn't only do an LDAP bind with the user/password entered
by the supplicant. It does:

  FreeRADIUS                                      Active Directory
    LDAP (Bind: User=admin, password=xxx)     ->
                                              <-  LDAP (Bind successful)
    LDAP (Search: cn=usertoauthenticate
          + list of radius attributes)        ->
                                              <-  LDAP (Success: msNPAllowDialin=True)

Then rlm_ldap produces the error message: Needs Attribute User-Password to
authenticate

I think rlm_ldap would like the Active Directory to return a User-Password
attribute in the last LDAP packet.
Why?
Why not only try to make an LDAP bind with the user/password of the user to
authenticate?
Or how can I switch rlm_ldap to this mode (if there is more than one mode in
rlm_ldap)?

Thank you again



Re: challenge-response with mod_auth_radius-1.5.7

2003-10-09 Thread Alan DeKok
Bruce Pennypacker [EMAIL PROTECTED] wrote:
 The README file for mod_auth_radius-1.5.7 mentions that challenge-response
 works on Netscape 3.x and 4.x but not IE.  Does anybody have a more up to
 date list of web browsers that should work?  Does Mozilla or Firebird?  In
 particular are there any linux based browsers that will work?

  The Linux ones should work.

 On a related note, does anybody know of any linux based RADIUS client test
 apps?

  See FreeRADIUS.

  Alan DeKok.



Re: Freeradius Authorization

2003-10-09 Thread Alan DeKok
Salavat Yalalov [EMAIL PROTECTED] wrote:
 And when sql authorization failed it never fall-through to rlm_files 
 authorization module.
 
 What's wrong?

  doc/configurable_failover

  Alan DeKok.



Re: Problems with proxy if TTLS is used

2003-10-09 Thread Alan DeKok
Roman Janos [EMAIL PROTECTED] wrote:
 Actually the question is other. Are there any plans to implement (or
 it is already implemented?) proxying functionality for EAP-TTLS
 tunneled authentication method (e.g. EAP-MD5,PAP,…) ?

  No.

 If not the TTLS implementation makes no sense.

  I disagree.

  If you care so much, then submit a patch to implement it.  If you're
not willing to submit a patch, or to pay someone else to write a
patch, then I guess you'll just have to wait for a patch.

  Alan DeKok.



Re: freeradius-snapshot-20031007 RedHat 7.1

2003-10-09 Thread Alan DeKok
Picher, Cedric [EMAIL PROTECTED] wrote:
 I am actually having a problem with freeradius-snapshot-20031007 on RedHat
 7, I get some errors running make
...
   rlm_eap_tls.c:462: warning: unused parameter `arg'
   gmake[10]: *** [rlm_eap_tls.o] Error 1

  I seriously doubt that.  You've edited the output to delete a number
of lines of text, inside of which is the actual error message.

  Alan DeKok.



Re: Alfa and Ariss client with FreeRADIUS

2003-10-09 Thread Alan DeKok
Nixon, Anthony S. [EMAIL PROTECTED] wrote:
 Ok, I have tried all I can to get TTLS and PAP working.  TTLS and MD5 work
 great.  Where do I specify pap as the authenticator with ttls?

  You don't.  It just works.

 ... and default_eap_type = pap under ttls.

  Which is wrong.  Did you read the comments in radiusd.conf, just
above that configuration entry?  Is PAP a valid EAP type?

  Alan DeKok.
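An added illustration, not from the thread and not FreeRADIUS code, of the point Roman and Alan make about TTLS: inside the tunnel the inner authentication is carried as Diameter-style AVPs (RFC 5281 section 10). PAP shows up as User-Name and User-Password AVPs, while a tunnelled EAP method starts with an EAP-Message AVP carrying an EAP-Response/Identity, so default_eap_type only selects among EAP types and PAP needs no entry there. The user name and password are constructed samples.

```python
import struct

# Diameter/RADIUS attribute codes carried as TTLS AVPs.
AVP_USER_NAME = 1
AVP_USER_PASSWORD = 2
AVP_EAP_MESSAGE = 79
AVP_FLAG_VENDOR = 0x80      # V bit: a 4-byte Vendor-ID follows the length
AVP_FLAG_MANDATORY = 0x40   # M bit: receiver must understand this AVP

EAP_RESPONSE = 2
EAP_TYPE_IDENTITY = 1


def encode_avp(code, data, mandatory=True):
    """One AVP: 4-byte code, 1-byte flags, 3-byte length (header + data,
    padding excluded), the data, then zero padding to a 4-byte boundary."""
    flags = AVP_FLAG_MANDATORY if mandatory else 0
    length = 8 + len(data)
    header = struct.pack("!IB", code, flags) + length.to_bytes(3, "big")
    padding = b"\x00" * ((4 - length % 4) % 4)
    return header + data + padding


def decode_avps(blob):
    """Parse a phase-2 payload into [(code, flags, data)]. Truncated AVPs
    and vendor-specific AVPs (not expected from these clients) are rejected
    rather than silently skipped."""
    avps = []
    pos = 0
    while pos < len(blob):
        if len(blob) - pos < 8:
            raise ValueError("truncated AVP header")
        code, flags = struct.unpack("!IB", blob[pos:pos + 5])
        length = int.from_bytes(blob[pos + 5:pos + 8], "big")
        if flags & AVP_FLAG_VENDOR:
            raise ValueError("vendor-specific AVP not supported")
        if length < 8 or pos + length > len(blob):
            raise ValueError("bad AVP length")
        avps.append((code, flags, blob[pos + 8:pos + length]))
        pos += length + (4 - length % 4) % 4
    return avps


def is_well_formed(blob):
    try:
        decode_avps(blob)
        return True
    except ValueError:
        return False


def ttls_pap_inner(user_name, password):
    """Phase-2 payload for TTLS/PAP: the password travels in the clear
    inside the TLS tunnel; the server runs no EAP at all, it just checks
    User-Password with whatever backend knows the password."""
    return (encode_avp(AVP_USER_NAME, user_name.encode())
            + encode_avp(AVP_USER_PASSWORD, password.encode()))


def ttls_eap_identity_inner(identity, eap_id):
    """Phase-2 payload when an EAP method is tunnelled: an
    EAP-Response/Identity (code, id, length, type, identity) wrapped in an
    EAP-Message AVP; the server replies with a challenge of the inner EAP
    type it is configured for, e.g. MD5."""
    eap = struct.pack("!BBHB", EAP_RESPONSE, eap_id,
                      5 + len(identity), EAP_TYPE_IDENTITY)
    return encode_avp(AVP_EAP_MESSAGE, eap + identity.encode())


def classify_inner(blob):
    """The server-side decision the thread is about: does this payload ask
    for a tunnelled EAP method or for plain PAP?"""
    codes = {code for code, _, _ in decode_avps(blob)}
    if AVP_EAP_MESSAGE in codes:
        return "eap"
    if AVP_USER_NAME in codes and AVP_USER_PASSWORD in codes:
        return "pap"
    return "unknown"
```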



Re: Active Directory - rlm_ldap

2003-10-09 Thread Michael Brown


On Thu, 9 Oct 2003, seth666 666 wrote:

 1/ Which is the attribut that store users password in Active Directory ?

This is 'unicodePwd.'  It is a Base64 encoded/unicoded password.

 
 4/ How to access this attribute (if possible) ?
 
To my understanding, this attribute can only be written to and not read.  This
can only be done through a LDAP-SSL connection on port 636/tcp or 3269/tcp
(Global Catalog SSL).
 
 5/ If not possible, how can i say to rlm_ldap to try to bind with the
 user/password pair i want to authenticate and if the bind is successful,
 to
 grant access to the user ?
 
I have used the methods you _don't_want_ to use-- kerberos/pam_ldap/pam_krb5.


Michael Brown



 mikro network solutions  *  http://www.mikro-net.com




Problem with running.

2003-10-09 Thread Alex Radetsky

 Dear Colleagues! 

 Now I write my first message to this list. I can be wrong. ;) 

 I have been using freeradius since version 0.4.x. When I was studying the radius
protocol and the freeradius config files I found that one of many solutions
for my dialup system would be the development of my own module.
 My module was developed by me and works fine from my first version 
of freeradius up to 0.7.1, where it lives now. 
 But when I tried to compile with 0.9.1 on the latest gentoo-linux
 I found some errors in my module. I fixed them. 
 When I run 'radiusd -X', radius gets signal 11 (segmentation fault). 
 Look: (my module is rlm_xisp AKA xisp) 
 
 Please tell me what changes were made in the module interfaces from 
 0.7.1 to 0.9.1. 
 What may be the problem with my module? 

 Thank you. 

  radius -X run log  

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/radius/etc/raddb/proxy.conf
Config:   including file: /usr/local/radius/etc/raddb/clients.conf
Config:   including file: /usr/local/radius/etc/raddb/snmp.conf
 main: prefix = /usr/local/radius
 main: localstatedir = /usr/local/radius/var
 main: logdir = /usr/local/radius/var/log/radius
 main: libdir = /usr/local/radius/lib
 main: radacctdir = /usr/local/radius/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 60
 main: cleanup_delay = 10
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /usr/local/radius/var/log/radius/radius.log
 main: log_auth = yes
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/radius/var/run/radiusd.pid
 main: user = root
 main: group = root
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/radius/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = no
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
Using deprecated clients file.  Support for this will go away soon.
read_config_files:  reading realms
Using deprecated realms file.  Support for this will go away soon.
radiusd:  entering modules setup
Module: Library search path is /usr/local/radius/lib
Module: Loaded xisp 
Segmentation fault
  radius -X run log end  


-- 
Alex Radetsky   
AR2657-RIPE
RAD-UANIC




rlm_sqlcounter ( Monthly Limit)

2003-10-09 Thread apellido jr., wilfredo p
Hello guys, why is it that I get this error when I'm trying
to run radius -xx?

rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module sql returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
  modcall[authorize]: module monthlycounter returns
noop


I just added sqlcounter.conf in /etc/raddb and added
monthlycounter in radius.conf under authorization. The
user can authenticate but the Login-Time doesn't work.
They can still log in even though they are not in the
time span. What am I missing here? Thanks


=
[ apellido jr., wilfredo p. ]
+63 034 4880-449

If you can't hear me, it's because i'm in parentheses.



FR and Orinoco AP-2000 Problem

2003-10-09 Thread Joe Antkowiak
Hi,

I'm stumped.

We have a few Orinoco AP-2000's that we're trying to set up mac-address
control through radius.

The authentication works fine.  The shared secrets are correct,
everything's configured right, etc...

Accounting, however, doesn't.  When freeradius 0.9.1 (and 0.9.0) receives
an accounting request from any AP2000, it complains that the shared secret
is not the same, and rejects it.

Now, I've read all the e-mails I could find about this, and I've tried all
kinds of things, and I still can't get it to work, with freeradius.

On an off chance, I tried it with cistron radius instead, with basically the
same exact configuration, and voila, everything works!

This is the account record that the AP sends back to radius (as recorded
by cistron):
Thu Oct  9 14:06:52 2003
User-Name = 00-0c-41-0c-f3-ea
Acct-Session-Id = 00-0c-41-0c-f3-ea
NAS-Identifier = wolfe-ap1
NAS-IP-Address = 66.92.46.190
NAS-Port = 2
NAS-Port-Type = 19
Acct-Authentic = RADIUS
Acct-Status-Type = Start
Client-IP-Address = 66.92.46.190
Timestamp = 1065722812
Request-Authenticator = Unverified


I did however notice the following statistics on the orinoco:

Primary Authentication Server
Access Requests 1
Access Accepts 1
Access Retransmissions 3
Access Rejects 0
Access Challenges 0
Malformed Access Responses 0
Authentication Bad Authenticators 1 ?
Timeouts 3

Primary Accounting Server
Accounting Requests 1
Accounting Retransmissions 0
Accounting Responses 1
Accounting Bad Authenticators 1 ?


And any password being passed to radius comes back in a jumbled string of
letters and numbers, about 50 characters long.


This is my freeradius config:

clients:
66.92.46.190   ss

clients.conf:
client 66.92.46.190 {
secret  = ss
nastype = portslave
shortname   = wolfe1-ap1
}

naslist:
66.92.46.190wolfe1-ap1  portslave



Anyone have any ideas?  I'd really like to use freeradius, I want mysql.

Thanks in advance.
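An added example, not from the thread and not FreeRADIUS or cistron code, of the check that is failing here: FreeRADIUS verifies the Request Authenticator of every Accounting-Request against the shared secret (RFC 2866 section 3), whereas the cistron record above shows it as "Unverified". The packet below is built from the attributes in that record, with the page's placeholder secret ss; a secret that differs on either side fails verification, which the server reports as a shared-secret mismatch and the NAS counts as a Bad Authenticator.

```python
import hashlib
import hmac
import socket
import struct

ACCOUNTING_REQUEST = 4
ACCOUNTING_RESPONSE = 5

# Standard attribute codes and their wire encoding (RFC 2865 / RFC 2866).
ATTRIBUTES = {
    "User-Name": (1, "string"),
    "NAS-IP-Address": (4, "ipaddr"),
    "NAS-Port": (5, "integer"),
    "NAS-Identifier": (32, "string"),
    "Acct-Status-Type": (40, "integer"),
    "Acct-Session-Id": (44, "string"),
    "Acct-Authentic": (45, "integer"),
    "NAS-Port-Type": (61, "integer"),
}

# Constructed from the accounting record in the thread; Start = 1 and
# Acct-Authentic RADIUS = 1 are the standard enumerated values.
SAMPLE_ATTRS = [
    ("User-Name", "00-0c-41-0c-f3-ea"),
    ("Acct-Session-Id", "00-0c-41-0c-f3-ea"),
    ("NAS-Identifier", "wolfe-ap1"),
    ("NAS-IP-Address", "66.92.46.190"),
    ("NAS-Port", 2),
    ("NAS-Port-Type", 19),
    ("Acct-Authentic", 1),
    ("Acct-Status-Type", 1),
]


def encode_attributes(attrs):
    """Serialise (name, value) pairs as RADIUS type-length-value attributes."""
    out = b""
    for name, value in attrs:
        code, kind = ATTRIBUTES[name]
        if kind == "integer":
            data = struct.pack("!I", value)
        elif kind == "ipaddr":
            data = socket.inet_aton(value)
        else:
            data = value.encode("utf-8")
        out += struct.pack("!BB", code, 2 + len(data)) + data
    return out


def request_authenticator(code, identifier, attrs, secret):
    """Accounting-Request authenticator: MD5 over the header with the
    authenticator field zeroed, the attributes, and the shared secret."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + bytes(16) + attrs + secret).digest()


def response_authenticator(code, identifier, req_auth, attrs, secret):
    """Response authenticator: same construction, with the request's
    authenticator in place of the 16 zero bytes."""
    header = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def build_accounting_request(identifier, attrs, secret):
    body = encode_attributes(attrs)
    auth = request_authenticator(ACCOUNTING_REQUEST, identifier, body, secret)
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(body))
    return header + auth + body


def build_accounting_response(request, secret):
    """Minimal Accounting-Response (no attributes) for a verified request."""
    identifier = request[1]
    auth = response_authenticator(ACCOUNTING_RESPONSE, identifier,
                                  request[4:20], b"", secret)
    return struct.pack("!BBH", ACCOUNTING_RESPONSE, identifier, 20) + auth


def verify_accounting_request(packet, secret):
    """The server-side check: recompute the authenticator from the received
    bytes and the configured secret and compare in constant time."""
    if len(packet) < 20:
        return False
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(code, identifier, packet[20:], secret)
    return hmac.compare_digest(packet[4:20], expected)


def verify_accounting_response(response, request, secret):
    """The NAS-side check; it needs the original request's authenticator,
    so a response cannot be verified on its own."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if code != ACCOUNTING_RESPONSE or length != len(response):
        return False
    expected = response_authenticator(code, identifier, request[4:20],
                                      response[20:], secret)
    return hmac.compare_digest(response[4:20], expected)


if __name__ == "__main__":
    req = build_accounting_request(7, SAMPLE_ATTRS, b"ss")
    print("request verifies with 'ss':", verify_accounting_request(req, b"ss"))
    print("request verifies with 'SS':", verify_accounting_request(req, b"SS"))
    resp = build_accounting_response(req, b"ss")
    print("response verifies:", verify_accounting_response(resp, req, b"ss"))
```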



Re: EAP with XP supplicant

2003-10-09 Thread Alan DeKok
Dave Mussulman [EMAIL PROTECTED] wrote:
 Do people commonly tunnel MD5 over TTLS?  Or something else --
 password auth?

  Yes, and yes.  TTLS can support any authentication method supported
by RADIUS.

  What software supports this?

  See the list archives (or posts earlier today) for pointers to a
free client for XP.

 Is anyone working on PEAP support native in FreeRADIUS?

  There was a patch posted to the freeradius-devel list a few days
ago.  It may work.


 I still think PEAP is a better route, without having to put any
 certificate on the user machine, but I guess that's not an option right
 now.

  XP comes with a PEAP client.  That is the *only* reason to prefer
PEAP over TTLS.  In all other aspects, TTLS is light-years better.

  Alan DeKok.



Re: Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Jay DeSotel
Maybe try changing your NAS type to other?

--
AA7C EF9F 451F E4AF EB1E 7212 BA37 2882 E813 5B02
--
Jay DeSotel
Systems Administrator
InterLink L.C.
[EMAIL PROTECTED]

On Thu, 9 Oct 2003, Joe Antkowiak wrote:

 Ok, so I read a little more, and it looks like there is a problem with my
 shared secret, on the orinoco side.

 I've entered and re-entered the shared secret on the orinoco AP to no
 avail.  Just to make sure it works, I tried this exact config with a cisco
 AP and it works fine.

 Is there something special I have to do when getting an Orinoco AP to talk
 to freeradius, ie to/for the shared key?  What NAS type should I use?
 (Would that have anything to do with this?)

 It only authenticates because I have Auth-Type := Accept set on every mac
 address user.

 -Joe



Re: FR and Orinoco AP-2000 Problem

2003-10-09 Thread Michael Griego
Upgrade to firmware version 2.3.1.  It sounds like you're using firmware
version 2.2.2 which had the problem you describe.

--Mike


On Thu, 2003-10-09 at 13:16, Joe Antkowiak wrote:
 Hi,
 
 I'm stumped.
 
 We have a few orinico AP-2000's that we're trying to set up mac-address
 control through radius.
 
 The authentication works fine.  The shared secrets are correct,
 everything's configured right, etc...
 
 Accounting, however, doesn't.  When freeradius 0.9.1 (and 0.9.0) receives
 an accounting request from any AP2000, it complains that the shared secret
 is not the same, and rejects it.
 
 Now, I've read all the e-mails I could find about this, and I've tried all
 kinds of things, and I still can't get it to work, with freeradius.
 
 On an off chance, I tried it with cistron radius instead, with basically the
 same exact configuration, and voilà, everything works!
 
 This is the account record that the AP sends back to radius (as recorded
 by cistron):
 Thu Oct  9 14:06:52 2003
 User-Name = 00-0c-41-0c-f3-ea
 Acct-Session-Id = 00-0c-41-0c-f3-ea
 NAS-Identifier = wolfe-ap1
 NAS-IP-Address = 66.92.46.190
 NAS-Port = 2
 NAS-Port-Type = 19
 Acct-Authentic = RADIUS
 Acct-Status-Type = Start
 Client-IP-Address = 66.92.46.190
 Timestamp = 1065722812
 Request-Authenticator = Unverified
 
 
 I did however notice the following statistics on the orinoco:
 
 Primary Authentication Server
 Access Requests 1
 Access Accepts 1
 Access Retransmissions 3
 Access Rejects 0
 Access Challenges 0
 Malformed Access Responses 0
 Authentication Bad Authenticators 1 ?
 Timeouts 3
 
 Primary Accounting Server
 Accounting Requests 1
 Accounting Retransmissions 0
 Accounting Responses 1
 Accounting Bad Authenticators 1 ?
 
 
 And any password being passed to radius comes back in a jumbled string of
 letters and numbers, about 50 characters long.
 
 
 This is my freeradius config:
 
 clients:
 66.92.46.190   ss
 
 clients.conf:
 client 66.92.46.190 {
 secret  = ss
 nastype = portslave
 shortname   = wolfe1-ap1
 }
 
 naslist:
 66.92.46.190wolfe1-ap1  portslave
 
 
 
 Anyone have any ideas?  I'd really like to use freeradius, I want mysql.
 
 Thanks in advance.
 
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



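The accounting failure in this thread is the server recomputing the Request Authenticator and getting a different value, which is what the AP's "Accounting Bad Authenticators" counter and FreeRADIUS's shared-secret complaint both report (cistron logged the same record as Request-Authenticator = Unverified, i.e. without checking it). As an added example, not code from the thread or from FreeRADIUS, this Python rebuilds the captured Acct-Start record, signs it under the thread's secret "ss" and verifies it the way a checking server does; the packet identifier and the mistyped secret are constructed values, the attribute type codes are those of RFC 2865/2866.

```python
"""RADIUS Accounting-Request authenticator check (RFC 2866, section 3).

Added example, not code from the thread or from FreeRADIUS. It rebuilds the
Acct-Start record captured in the thread, computes the Request Authenticator
the NAS must send, and verifies it as a checking server does. A packet built
under one secret fails under any other secret, which is what the AP's
"Bad Authenticators" counter and the FreeRADIUS reject both report.
"""
import hashlib
import hmac
import struct

ACCOUNTING_REQUEST = 4  # RADIUS Code for Accounting-Request

# Attribute type codes (RFC 2865 / RFC 2866) for the fields in the captured record.
USER_NAME = 1
NAS_IP_ADDRESS = 4
NAS_PORT = 5
NAS_IDENTIFIER = 32
ACCT_STATUS_TYPE = 40
ACCT_SESSION_ID = 44
ACCT_AUTHENTIC = 45
NAS_PORT_TYPE = 61


def attr(type_code: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute (Length covers the 2-byte header)."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return bytes([type_code, len(value) + 2]) + value


def wolfe_ap1_start_record() -> bytes:
    """Attributes of the Acct-Start record the AP sent, values as captured in the thread."""
    return b"".join([
        attr(USER_NAME, b"00-0c-41-0c-f3-ea"),
        attr(ACCT_SESSION_ID, b"00-0c-41-0c-f3-ea"),
        attr(NAS_IDENTIFIER, b"wolfe-ap1"),
        attr(NAS_IP_ADDRESS, bytes([66, 92, 46, 190])),
        attr(NAS_PORT, struct.pack("!I", 2)),
        attr(NAS_PORT_TYPE, struct.pack("!I", 19)),    # 19 = Wireless-802.11
        attr(ACCT_AUTHENTIC, struct.pack("!I", 1)),    # 1 = RADIUS
        attr(ACCT_STATUS_TYPE, struct.pack("!I", 1)),  # 1 = Start
    ])


def request_authenticator(header: bytes, attributes: bytes, secret: bytes) -> bytes:
    """MD5(Code + Identifier + Length + 16 zero octets + attributes + shared secret)."""
    return hashlib.md5(header + bytes(16) + attributes + secret).digest()


def build_accounting_request(identifier: int, attributes: bytes, secret: bytes) -> bytes:
    """Build the on-the-wire Accounting-Request exactly as the NAS does."""
    header = struct.pack("!BBH", ACCOUNTING_REQUEST, identifier, 20 + len(attributes))
    return header + request_authenticator(header, attributes, secret) + attributes


def verify_accounting_request(packet: bytes, secret: bytes) -> bool:
    """True iff the packet is a well-formed Accounting-Request whose authenticator
    matches under `secret`. A server that checks this rejects anything else."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != ACCOUNTING_REQUEST or length != len(packet):
        return False
    expected = request_authenticator(packet[:4], packet[20:], secret)
    # Constant-time compare so the check does not leak how many bytes matched.
    return hmac.compare_digest(packet[4:20], expected)


def demo() -> dict:
    """The same packet checked under the configured secret, a mistyped secret,
    and after one attribute bit has been changed in transit."""
    attributes = wolfe_ap1_start_record()
    # Identifier 7 is a constructed value; "ss" is the secret from the thread's clients.conf.
    packet = build_accounting_request(7, attributes, b"ss")
    tampered = packet[:-1] + bytes([packet[-1] ^ 0x01])  # flips a bit of Acct-Status-Type
    return {
        "same_secret": verify_accounting_request(packet, b"ss"),
        "secret_with_trailing_space": verify_accounting_request(packet, b"ss "),  # constructed mismatch
        "tampered_attribute": verify_accounting_request(tampered, b"ss"),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case:28s} {'accepted' if ok else 'rejected (Bad Authenticator)'}")
```

Only the first case is accepted; a secret that differs by a single byte, or a single changed attribute bit, produces the same reject the thread describes, so the authenticator alone cannot tell a wrong secret from a modified packet.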


Re: FR and Orinoco AP-2000 Problem

2003-10-09 Thread Michael Griego
You do have your ssecret set the same in *both* the radacctable and
radiustbl, right?

--Mike


On Thu, 2003-10-09 at 14:24, Joe Antkowiak wrote:
 I am using 2.3.1 =(
 
 AP-2000 v2.3.1(554)   Do I need a new 2.3.1 build?
 
  Upgrade to firmware version 2.3.1.  It sounds like you're using firmware
  version 2.2.2 which had the problem you describe.
 
  --Mike
 
 
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Joe Antkowiak
Ok, so I read a little more, and it looks like there is a problem with my
shared secret, on the orinoco side.

I've entered and re-entered the shared secret on the orinoco AP to no
avail.  Just to make sure it works, I tried this exact config with a cisco
AP and it works fine.

Is there something special I have to do when getting an Orinoco AP to talk
to freeradius, ie to/for the shared key?  What NAS type should I use?
(Would that have anything to do with this?)

It only authenticates because I have Auth-Type := Accept set on every mac
address user.

-Joe



Re: FR and Orinoco AP-2000 Problem

2003-10-09 Thread Joe Antkowiak
I'm not using mysql yet...

I have the same ssecret set the same in clients, clients.conf, and
naspasswd.  I also tried just setting it in clients.conf.

 You do have your ssecret set the same in *both* the radacctable and
 radiustbl, right?

 --Mike


 On Thu, 2003-10-09 at 14:24, Joe Antkowiak wrote:
 I am using 2.3.1 =(

 AP-2000 v2.3.1(554)   Do I need a new 2.3.1 build?



Re: Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Joe Antkowiak
Tried that too...  is there another one I need to use maybe?  Orinoco uses
Lucent gear...  But would that cause this kind of problem?  What exactly
does the NAS-type make radius do differently?


 Maybe try changing your NAS type to other?

 --
 AA7C EF9F 451F E4AF EB1E 7212 BA37 2882 E813 5B02
 --
 Jay DeSotel
 Systems Administrator
 InterLink L.C.
 [EMAIL PROTECTED]



Re: Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Jay DeSotel
It uses it to figure out how to detect double logins, I think.

--
AA7C EF9F 451F E4AF EB1E 7212 BA37 2882 E813 5B02
--
Jay DeSotel
Systems Administrator
InterLink L.C.
[EMAIL PROTECTED]

On Thu, 9 Oct 2003, Joe Antkowiak wrote:

 Tried that too...  is there another one I need to use maybe?  Orinoco uses
 Lucent gear...  But would that cause this kind of problem?  What exactly
 does the NAS-type make radius do differently?




Disable Simultaneous-Use for proxied users only?

2003-10-09 Thread Kristina Pfaff-Harris

I've run into an interesting dilemma. We've been using Simultaneous-Use 
checking on our users, and it's worked great. Unfortunately, we're now 
also offering dialup in other cities through MegaPOP, and since those
aren't our servers, obviously we can't snmp or finger-check to see if 
users are really logged on. We've got several users who are having line or 
modem problems so they lose their connection un-gracefully and end up with 
a session stuck in the radacct table. We have to then clear out the 
session manually so they can log on.

I've tried all sorts of combinations of huntgroups, attrs, and users
configurations, but I can't seem to come up with a simple configuration
that says something like "If the user is dialing into these NASes (meaning
our own personal ones), check for simultaneous use; otherwise, don't."

I'm sure I'm probably making this way too complicated, but I've been over
and over the docs on proxy, simultaneous use, huntgroups, users etc, and
I'm not getting anywhere. The closest I came was disabling simultaneous
use for non-proxied users while leaving it enabled for proxied users,
which is the exact opposite. :-) I tried flipping some things around, but
no go.

Anyone have any ideas on this, or can maybe tell me which doc(s) to go 
back to again? Does it sound like this is even possible?

Thanks! :-)

Kristina





RE: Freeradius on OpenBSD (Part X ;))

2003-10-09 Thread S Murthy Kambhampaty
On OpenBSD 3.4 (-snapshot), both freeradius 0.9.1 and
the freeradius snapshot (the one I tried from Sep 28th
or so, anyway) compile and run fine with the process
described at:

http://www.cs.umd.edu/~arunesh/bsd/freeradius.html

(there are some rejects when applying the patch, but
these can be ignored).

I've compiled freeradius 0.9.1 with gcc-3.2.3 on
OpenBSD 3.4, and have EAP/TLS working fine.

Took a bit more doing than I anticipated, but now I
can put ugly boxes all around the house and be
connected from them. Yippee. ;-)





Re: Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Peggy Townsend
I had to enter the macs in this format 00022d-xx.  After that it 
worked.
Peggy

Subject:Re: Orinoco Shared Key Problem - RE: FR 
and Orinoco AP2000
From:   Joe Antkowiak [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Send reply to:  [EMAIL PROTECTED]
Date sent:  Thu, 9 Oct 2003 15:36:47 -0400 (EDT)

 Tried that too...  is there another one I need to use maybe?  Orinoco uses
 Lucent gear...  But would that cause this kind of problem?  What exactly
 does the NAS-type make radius do differently?
 
 



Re: Orinoco Shared Key Problem - RE: FR and Orinoco AP2000

2003-10-09 Thread Joe Antkowiak
What NAS-type did you specify though?

 I had to enter the macs in this format 00022d-xx.  After that it
 worked.
 Peggy



dialup_admin

2003-10-09 Thread apellido jr., wilfredo p
Good day guys, I tried to add another group using
dialup_admin, then I tried to show groups; the one that
I've created doesn't appear in the report. When I check
my db (mysql) it appears that the group I've created is
already inserted. Here's my output

mysql> select * from radgroupreply;
+----+-------------------+--------------------+----+---------------------+------+
| id | GroupName         | Attribute          | op | Value               | prio |
+----+-------------------+--------------------+----+---------------------+------+
|  1 | admin             | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
|  2 | admin             | Framed-Protocol    | =  | PPP                 |    0 |
|  3 | admin             | Service-Type       | =  | Framed-User         |    0 |
|  4 | admin             | Auth-Type          | =  | System              |    0 |
|  5 | admin             | Framed-MTU         | =  | 1500                |    0 |
|  6 | Night-Owl Prepaid | Framed-Protocol    | =  | PPP                 |    0 |
|  7 | Night-Owl Prepaid | Framed-MTU         | =  | 1500                |    0 |
|  8 | Night-Owl Prepaid | Framed-Compression | =  | Van-Jacobsen-TCP-IP |    0 |
|  9 | Night-Owl Prepaid | Service-Type       | =  | Framed-User         |    0 |
+----+-------------------+--------------------+----+---------------------+------+


The Night-Owl Prepaid group is the one I've inserted
through dialup_admin, and the admin group I've inserted
manually. I'm using the dialup_admin included in the
freeradius-0.9.0 package. Thanks


=
[ apellido jr., wilfredo p. ]
+63 034 4880-449

If you can't hear me, it's because i'm in parentheses.
