rlm_ldap : user not found
Hello,

I had a problem with freeradius and the rlm_ldap module: sometimes, and I don't know why, users couldn't authenticate on the ldap server. I had this message in radius.log:

    Auth: Login incorrect (rlm_ldap: User not found): [dupont]

and a few seconds later the authentication is OK with the same user:

    Auth: Login OK: [dupont]

Maybe a timeout problem with ldap? Should I modify timeout parameters in radiusd.conf or in slapd.conf? Maybe a number of connections? Should I increase the ldap_connections_number = parameter?

Thanks a lot

--
Nicolas Viers | Service Commun Informatique
E-mail: [EMAIL PROTECTED] | 123, avenue Albert Thomas | 87060 Limoges cedex
Tel: 05-55-45-77-09 | Fax: 05-55-45-75-95
http://www.unilim.fr/sci

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
restricting access for users
Hi there,

I'm a newbie here so forgive me if I ask obvious questions. I'm trying to set up, well actually I did set up FreeRADIUS Version 1.0.2 on a Linux Debian machine and it is working fine :)

But I need to achieve the following setup: We have # cisco routers and switches which are locally managed by on-site engineers. So these local engineers have to be able to log in to their devices and not be allowed to log in to devices on other sites. Next to these different site engineers there is a group called NOC. The NOC engineers need to access all devices on all sites.

I've tried several setups by using the huntgroups and using system as authentication method but I can't get the huntgroup validation to work. It looks like the huntgroups are just ignored. Everyone can just enter any device as soon as their username and password is matched on the system.

Did someone do a similar setup where users were restricted and with a general group that needs access everywhere, or can someone tell me how I should take this on? It should be fairly easy, I thought.

Thanks for your help, it is highly appreciated,
Martial
RE: restricting access for users
Yes, this is my experience as well. Running v 1.0.2, there was nothing in the change log for 1.0.3 to say this was fixed either. Just as a note, when I posted these findings nothing came back. I was using an ldap backend as well. It would be great to have a detailed explanation of this one and maybe confirmation that it is not working or whether it is syntax that causes the problem.

Alan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martial VdB
Sent: 13 June 2005 08:22
To: freeradius-users@lists.freeradius.org
Subject: restricting access for users
MAC+EAP authentication
Hi,

I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that?

Thanks.
Re: MAC+EAP authentication
On Mon, Jun 13, 2005, Jefri bin Dahari wrote:

> Hi, I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that?

I check the MAC address during the authorization using an external perl script, and it works well.

--
Alexandre Coninx
RE: restricting access for users
Hi Alan,

thank you for replying. This is how I tried this before; I will try to keep this as short as possible.

1) users:

    bob     Password == bob, Huntgroup-name == diegem
            Login-Service = 0,
            Vendor-Specific = 9,
            Reply-Message = Hello, bob,
            Cisco-AVpair = shell:priv-lvl=15,
            Service-Type = NAS-Prompt-User,

huntgroups:

    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    brussels    NAS-IP-Address == 10.2.x.x

I hoped that the nas ip addresses belonging to diegem were only accessible for users who had Huntgroup-name == diegem in their config. But this did not seem to make a difference.

2) users:

    DEFAULT Auth-Type = System
            Login-Service = 0,
            Vendor-Specific = 9,
            Service-Type = NAS-Prompt-User,
            Cisco-AVpair = shell:priv-lvl=15,

    $enab15$ bob bobke

huntgroups:

    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
                Group == NOC,
    brussels    NAS-IP-Address == 10.2.x.x

I made bob and bobke local users on my machine and added them to # groups, bob to NOC and bobke to brussels.

    bob:x:1005:1005::/home/bob:
    bobke:x:1006:1006::/home/bobke:

    NOC:x:1005:
    brussels:x:1006:

If the user was not a member of group NOC he would be refused on the NAS servers belonging to huntgroup diegem, because diegem is linked to group NOC (Group == NOC). This did not work either.

In both cases every user was allowed access as soon as the username and passwords checked out.

I also had problems with nas ip addresses belonging to more than 1 group. It looked like the groups are processed from top to bottom and as soon as it hits the first entry of that address freeradius allows access. But for my problem to be solved it should cache information like Group = NOC or for example user_pool = diegem, and compare this information against an entry in the users file like user_pool=diegem, or check if on the system bob's primary group is NOC.

I did several more combinations but I think one of these 2 should work. Perhaps I made a configuration error?

Big thank you in advance, only for reading and getting into this problem. If I was not clear enough please let me know.

Martial
RE: restricting access for users
I have a configuration similar to your no. one option. From reading the huntgroups how-to and the users how-to, this seems to be the most correct method to use.

I have a second issue with this in that the users file has a default reject if the group is not matched. This also is not being used correctly by freeradius. The user defaults into that if their group does not match but does not get rejected.

Please can someone confirm these findings.

Regards
alan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Martial VdB
Sent: 13 June 2005 13:06
To: freeradius-users@lists.freeradius.org
Subject: RE: restricting access for users
executing external program
Hello guys and girls,

While executing a script of mine in the radiusd.conf file I get a very strange error that worries me.

    radius_xlat: '/home/vicky/finalprog/compAttrs Access-Request'
    Exec-Program: /home/vicky/finalprog/compAttrs Access-Request
    MASTER: Child PID 28050 failed to catch signal 11: killing all active servers.

The script itself is tested aside and it works. What seems to be the problem? I've never seen anything like this before...

Thanks for all the suggestions!

--
Vicky
RE: restricting access for users
Try this.

huntgroups

    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    diegem      NAS-IP-Address == 10.5.x.x
    brussels    NAS-IP-Address == 10.2.x.x

users file

    #note: there is no default auth-type = system here

    DEFAULT Group == NOC, Auth-Type := System
            replyattrs = replyvalues

    bob     Huntgroup-Name == diegem, Auth-Type := System
            replyattrs = replyvalues...

    somebrusselluser    Huntgroup-Name == brussels, Auth-Type := System
            reply attrs

    DEFAULT Auth-Type := Reject

That means:

    If user is in group NOC, match here and authorize the user using system
    If user bob is coming from huntgroup diegem, match here and authorize user
    If user somebrusselluser is coming from huntgroup brussels, match
    If no matches on above, reject the user

I suspect that your DEFAULT Auth-Type = system entry is at the top of your users file. Then you have some matching rules. You have a user that comes in but won't match any of your matching rules, so it will default to the auth-type = system entry that it matched at first and simply authorize the user with system.

What I have above specifies to use system when it matches each user entry or the group entry. If there is no match, then it tells you to reject the user.
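The ordering effect described in the reply above, as an added example that is not part of the original post and is not FreeRADIUS code: a simplified Python model of top-to-bottom, first-match evaluation of a users file. The user names alice and carol, the NAS addresses and the group memberships are constructed for illustration; Fall-Through and the real operator semantics are not modelled, and the model shows the matching logic the reply describes, not the behaviour of any particular FreeRADIUS release.

```python
"""Simplified model of first-match evaluation of a FreeRADIUS-style users file.

Assumption: an entry matches when its name equals the user (or is DEFAULT)
and every check item holds; the first matching entry decides Auth-Type.
"System" means "go on to check the password against the system", not accept.
"""
from dataclasses import dataclass, field

# Constructed sample data (not from the original post).
HUNTGROUPS = {                      # huntgroup name -> NAS addresses
    "diegem": {"10.5.0.1", "10.5.0.2"},
    "brussels": {"10.2.0.1"},
}
UNIX_GROUPS = {"alice": {"NOC"}, "bob": {"diegem"}, "carol": {"brussels"}}


@dataclass
class Entry:
    name: str                       # user name or "DEFAULT"
    auth_type: str                  # "System" or "Reject"
    checks: dict = field(default_factory=dict)  # e.g. {"Group": "NOC"}


def huntgroups_of(nas_ip):
    """Names of all huntgroups that list this NAS address."""
    return {name for name, ips in HUNTGROUPS.items() if nas_ip in ips}


def matches(entry, user, nas_ip):
    """True when the entry applies to this user arriving via this NAS."""
    if entry.name not in ("DEFAULT", user):
        return False
    for attr, wanted in entry.checks.items():
        if attr == "Group":
            ok = wanted in UNIX_GROUPS.get(user, set())
        elif attr == "Huntgroup-Name":
            ok = wanted in huntgroups_of(nas_ip)
        else:
            ok = False              # unknown check item: fail closed
        if not ok:
            return False
    return True


def decide(entries, user, nas_ip):
    """Return (entry_number, auth_type) of the first matching entry."""
    for number, entry in enumerate(entries, start=1):
        if matches(entry, user, nas_ip):
            return number, entry.auth_type
    return None, None               # no entry matched at all


# Layout suspected in the thread: a catch-all DEFAULT sits above the rules,
# so every request stops at entry 1 and the restrictions are never reached.
CATCH_ALL_FIRST = [
    Entry("DEFAULT", "System"),
    Entry("bob", "System", {"Huntgroup-Name": "diegem"}),
    Entry("DEFAULT", "Reject"),
]

# Layout proposed in the reply: restricted rules first, reject last.
REJECT_LAST = [
    Entry("DEFAULT", "System", {"Group": "NOC"}),
    Entry("bob", "System", {"Huntgroup-Name": "diegem"}),
    Entry("carol", "System", {"Huntgroup-Name": "brussels"}),
    Entry("DEFAULT", "Reject"),
]

if __name__ == "__main__":
    requests = [("alice", "10.2.0.1"), ("bob", "10.5.0.1"),
                ("bob", "10.2.0.1"), ("carol", "10.5.0.2")]
    for label, entries in (("catch-all first", CATCH_ALL_FIRST),
                           ("reject last", REJECT_LAST)):
        for user, nas in requests:
            number, auth = decide(entries, user, nas)
            print(f"{label:16} {user:6} via {nas:9} -> entry {number}: {auth}")
```
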
RE: restricting access for users
> I have a second issue with this in that the users file has a default reject if the group is not matched. This also is not being used correctly by freeradius. The user defaults into that if their group does not match but does not get rejected.

I have never noticed any problems like that myself. I suspect you have something else in your users file that it is matching on. Perhaps a DEFAULT Auth-Type = something?

Please post your users file in its entirety (you can remove the # lines if you would like for easier reading). Then post your radiusd -X output showing this behavior. That way you can read the debug info and look for a line that says something like matched users file at 1.

Without seeing the users file and the actual debug here it's hard to say.
Re: Database connection failure and retry
Ming-Ching Tiew [EMAIL PROTECTED] wrote:

> With the current state of the drivers, they are not usable. Period.

Does this mean:

    a) you will do something about it?
or
    b) you expect someone else to do something about it?

Alan Dekok.
RE: restricting access for users
Dustin,

I get matches in my users files. But the huntgroup seems to just be bypassed. Could you PM me with a users file and huntgroups file in case it is a syntax issue.

Thanks

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dustin Doris
Sent: 13 June 2005 14:52
To: FreeRadius users mailing list
Subject: RE: restricting access for users
RE: Class attribute questions
>> I just wanted to make sure that I wasn't missing something, and that there isn't an easier way to get at the ASCII inside the octet stream.
>
> Edit the dictionary, and change octets to string?

I saw discussion in a previous thread (Handling of the 'Class' attribute, this post in particular, http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-July/021267.html) that implied this was frowned upon, at least when interacting with other RADIUS servers (which is what I'm using FreeRADIUS for), but also because the RFC recommends that it should be treated as undistinguished octets.

>> 2) The RFCs allow for more than one Class attribute (at least in Accounting-Request packets). How does FreeRADIUS treat references to %{Class} when this happens? i.e. Is there a syntax to refer to each instance of the Class attr or get a count of how many are in the packet?
>
> The CVS snapshots allow this. 1.0.x doesn't. See doc/variables.txt

I read through the current doc/variables.txt in CVS. Looks great. Is this a 1.1.x kind of feature or will it find its way into a later 1.0.x?

Thanks for the reply.
-Shawn
Multiple logins Freeradius/Mysql
We've set up Simultaneous-Use := 1 - and this seems fine.

However, I have my first user - who is really off the net and 'radzap' seems to do nothing (radwho still gives the user as being there).

What is the code... in sql.conf...

    simul_count_query = SELECT COUNT(*) FROM ${acct_table1} WHERE UserName='%{SQL-User-Name}' AND AcctStopTime = 0

...for

In our previous Radius - we used to simply provide a valid AcctStopTime time - and the user could then login again.

What do I need to do to change freeradius to do Simultaneous-Use control using mysql and not using radwho?? I've read doc/Simultaneous-Use - which doesn't use/mention [my]sql.

I'm guessing (looking at where radutmp is mentioned)... radiusd.conf has...

    session {
        radutmp
    }

Should this be changed to...

    session {
        sql
    }

???

--
Mark J Elkins, Cisco CCIE
Posix Systems - Sth Africa. e.164 VOIP ready
[EMAIL PROTECTED]
Tel: +27 12 807 0590 Cell: +27 82 601 0496
Re: Multiple logins Freeradius/Mysql
I'm having a similar problem. I'm using sql accounting. I've uncommented the simul_count_query query line. I've entered the Simultaneous-Use attribute in the radgroupcheck table with the := op. It's still trying to use checkrad (in the log) no matter what I do. I've read the doc file. Help?

--Aaron
Re: Problem with [microsoft] stuff not working
Upon further inspection I found it was sending 2 other attributes, defaults from my users file. I started testing it with radclient, using info one of the NAS's sent; radtest wasn't giving it this extra info I guess, and I ended up with these 2 extra attributes:

    Framed-MTU = 576
    Framed-Compression = Van-Jacobson-TCP-IP

I removed just the MTU and it still worked with the portmasters and started working perfectly fine on the TC1000's too. I'm not quite sure why it wasn't working with that attribute but it resolved the problem.

Scott

----- Original Message -----
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Wednesday, June 08, 2005 1:32 PM
Subject: Re: Problem with [microsoft] stuff not working

> Scott Gusler [EMAIL PROTECTED] wrote:
>> now i dunno what kinda voodoo magic is goin on but it's confusing me
>
> About the only thing I can suggest is to re-order the attributes in the FreeRADIUS config, so that they're in the same order as sent by SBR. If necessary, create a hard-coded config to do this for testing. If it works, it's worth your time to fix the rest of the config. And doing the test should take only 10 minutes.
>
> Alan DeKok.
Re: Free RADIUS for WLAN - Problems?
Hi Artur Hecker,

Many thanks for your help. I think you did a good job and hope you keep doing something like this. Thanks again.

Best Regards
Re: Class attribute questions
Shawn K. O'Shea [EMAIL PROTECTED] wrote:

> I saw discussion in a previous thread (Handling of the 'Class' attribute, this post in particular, http://lists.freeradius.org/mailman/htdig/freeradius-users/2003-July/021267.html) that implied this was frowned upon, at least when interacting with other RADIUS servers

Editing the FreeRADIUS dictionary files will have *zero* impact on other RADIUS servers.

> I read through the current doc/variables.txt in CVS. Looks great. Is this a 1.1.x kind of feature or will it find its way into a later 1.0.x?

1.1.x and following.

Alan DeKok.
Re: bogus session handling in radutmp?
Stefan Winter [EMAIL PROTECTED] wrote:

> Occasionally, this file gets corrupted: it contains a _plain text_ copy of an accounting packet (exactly as you see them in the detail files) as opposed to the binary format this file is usually in.

That sounds to me like file descriptors are being re-used between threads, when they're not supposed to be. It should go away if you stop using the detail module, but you might get something else in radutmp.

I've never seen this before, and I'm not sure there's much we can do to the application to fix it.

Alan DeKok.
Re: Qry:- How to assgin DNS server IP address to the client through RADIUS server
romel dutta [EMAIL PROTECTED] wrote:

> Here I am using freeradius-1.0.2 for AAA function... and pppoe-server as the client. Here I need to assign the DNS ip address to the pppoe-client through the radius server... pls tell me which attribute is there to assign DNS IP address

There is no standard attribute to do this. See the documentation for pppoe to see what it expects.

> Also tell me if it is possible to assign ip address through the freeradius-1.0.2

Yes.

Alan DeKok.
Re: PEAP + RADIUS + local-Auth + LDAP
Florian Prester [EMAIL PROTECTED] wrote:

> authorize: If I place the users-word before anything else, the authorization should take place by the users-file, which means if a user exists in the users-file it is authorized? correct?

It means that the users file is processed before anything else. You don't need to move it, though. The default configuration works.

> authenticate: If the password matches cleartext/crypt the user is authenticated? correct?

Yes.

> 2.) If I try to use PEAP and LDAP I need cleartext-passwords!? correct?

Or NT-Password.

> If I add ldap after the users-word in the authorize-section ldap should only be used, if the user cannot be found in the users-file?

No. See doc/configurable_failover

> If I add password_attribute = sn the user is authenticated, if the password-hash-challenge is matching the sn-hash-challenge, meaning the sn-attribute is taken as password? correct?

Yes.

> 3.) What means the Groupe-authenticate/authorize if I am using ldap?

I'm not sure what you mean by that.

Alan DeKok.
Re: restricting access for users
Martial VdB [EMAIL PROTECTED] wrote:

> I've tried several setups by using the huntgroups and using system as authentication method but I can't get the huntgroup validation to work. It looks like the huntgroups are just ignored. Everyone can just enter any device as soon as their username and password is matched on the system.

The huntgroups don't appear to work in 1.0.x

Alan DeKok.
Re: MAC+EAP authentication
Jefri bin Dahari [EMAIL PROTECTED] wrote:

> I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that?

It can do both. EAP is authentication, MAC checking isn't really authentication.

What are you seeing in RADIUS packets, and what do you want to happen?

Alan DeKok.
Generating freeradius 1.0.3
Hello,

Running Debian, I have done a

    $ fakeroot dpkg-buildpackage -b

on the freeradius 1.0.3 directory. I get a warning saying remember to run 'libtool --finish /usr/lib/freeradius', which I do when the process finishes, and three error messages:

    dpkg-shlibdeps: warning: could not find path for libeap-1.0.3.so
    dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so
    dpkg-shlibdeps: warning: could not find path for libradius-1.0.3.so

How can I get this done? What is the easiest way to install freeradius 1.0.3 in a Debian system?

Thanks.
Max
Link error (invalid ELF header) in freeradius 1.0.3
Hello,

I am getting the following error when running freeradius -X:

    radiusd.conf[2] Failed to link to module 'rlm_sqlcounter': /usr/lib/freeradius/rlm_sqlcounter.a: invalid ELF header

Thanks.
Max
Re: PROBLEM WITH THE CERTIFICATES
Georgina Noemi González Ceballos [EMAIL PROTECTED] wrote:

> I know that is a problem with the client certificate.. I imported the root and client certificate to windows.

It doesn't appear that the client is sending the certificate to the server. Either the client doesn't have a certificate, or that certificate is not signed by the server's certificate.

Alan DeKok.
Proxim AP-4000 MAC Auth w/multi VLAN assignment support
Hello,

I am looking at setting up a group of Proxim AP-4000 wireless gateways. I want to be able to authenticate via the MAC address of each user's laptop WiFi NIC. I am trying to find the raddb tags required to send / receive the information to make this work. Can someone point me in the right direction as far as this goes?

Much appreciated to all.
Matt
Re: MAC+EAP authentication
I personally think that it's completely useless. Implementing EAP or MAC authentication, meaning that one of both would work, is a huge security hole, and requiring both is useless since EAP authentication implicitly filters away everything unauthenticated...

(Even if I understand that might be necessary for current WiFi phones, etc., please be aware that under linux you can actually change the MAC address with one command...)

ciao
artur

On 6/13/05, Alan DeKok [EMAIL PROTECTED] wrote:

> Jefri bin Dahari [EMAIL PROTECTED] wrote:
>> I plan to implement simultaneous MAC+EAP authentication for my wireless users. From my observation, Freeradius can only do either MAC or EAP but not MAC and EAP authentication. Can somebody give me some hints on how to do that?
>
> It can do both. EAP is authentication, MAC checking isn't really authentication.
>
> What are you seeing in RADIUS packets, and what do you want to happen?
>
> Alan DeKok.