Re: Trouble with matching LDAP group membership in authorize
> In any case, if you carefully read the text you quoted, you'll see a solution that doesn't require patches: List ALL ldap modules in the instantiate section, and list ldap_enable last.
>
> Alan DeKok.

Yes, that's what I ended up doing. However, I lose the ability to do load-balance and redundancy constructs.

rlm_ldap indicates that I can list multiple LDAP servers for the host in radius.conf. How exactly does that work compared to redundancy or load-balance? Does it try the first, then the second, etc. every time? Does it round-robin?

Thanks,
-richard

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Trouble with matching LDAP group membership in authorize
Richard Hesse wrote:
> Yes, that's what I ended up doing. However, I lose the ability to do load-balance and redundancy constructs.

Why?

> rlm_ldap indicates that I can list multiple LDAP servers for the host in radius.conf. How exactly does that work compared to redundancy or load-balance? Does it try the first, then the second, etc. every time? Does it round-robin?

doc/configurable_failover
doc/load-balance.txt

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Trouble with matching LDAP group membership in authorize
Richard Hesse wrote:
> Nevermind, I found the problem. There's a limitation in ldap_groupcmp() such that only the last LDAP module instantiated is actually checked -- ignoring whatever you specify. I found this info at http://lists.cistron.nl/pipermail/freeradius-users/2004-June/033220.html.

That's for the attribute Ldap-Group. The module-name-prefixed version, ldap_enable-Ldap-Group, should work fine.

Your original mail listed:

> Hint file:
> DEFAULT NAS-Port-Type == Virtual, Service-Type == NAS-Prompt-User, ldap_enable-Ldap-Group := operations, Autz-Type := ldap_enable, Auth-Type := LDAP

You are using := to compare ldap_enable-Ldap-Group - use ==

Try setting the Autz-Type in the users file.
Disconnect user in radius
Dear ALL,

I am using freeradius with Microsoft MSSQL. Now my question is: how do I disconnect a user from freeradius? For example, user xyz is online and I want to disconnect the user from radius, so what is the option for this task? Is there any script or any option to integrate with the web page of dialupadmin?

Satish Patel
RLM_OTP question about time based security tokens
Dear all,

does the rlm_otp module also support time based OTPs without challenge response?

Background: actually I have a cell phone that generates a time based OTP. Now I want to do the authentication process with the help of the rlm_otp module. Is it possible, or do I have to write my own tool and then execute it via exec-wait?

thanks and greetings
peter
failed login accounting with dialup admin
I have a small accounting problem with freeradius and dialup admin which I can't find a way to solve. I've set freeradius to authenticate EAP-TLS. I want to log people who failed to authenticate to MySQL with rlm_sql, which will show in the dialup admin failed login page. I put the sql module in the radiusd.conf post-auth section:

Post-Auth-Type REJECT {
    #insert-module-name-here
    sql
}

The post-auth query in sql.conf:

postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"

The sql query runs well; it puts the failed login into the radpostauth table, but the dialup admin failed login page searches the radacct table for the failed user, which it will never find there. Am I doing it the right way by putting the sql module inside post-auth, or should I put it in another section? I don't want to change the postauth_query, but is there any way to add another query to put the data into the radacct table?

thanks in advance
sql - Replacing User-Password in config items with Cleartext-Password
Hi!

I am using the mysql module as the authorization module and I get the following warning:

!!! Replacing User-Password in config items with Cleartext-Password.
!!! Please update your configuration so that the known good
!!! clear text password is in Cleartext-Password, and not in User-Password.

How can I force the sql module to put the password value taken from the database into Cleartext-Password instead of User-Password?

And one more question, about the digest module: will it work if I use the sql module in the authorize section and then digest in the authentication?

Thank you for any help.

Bests
-Tomasz
Re: sql - Replacing User-Password in config items with Cleartext-Password
tzieleniewski wrote:
> I am using the mysql module as the authorization module and I get the following warning:
>
> !!! Replacing User-Password in config items with Cleartext-Password.
> !!! Please update your configuration so that the known good
> !!! clear text password is in Cleartext-Password, and not in User-Password.
>
> How can I force the sql module to put the password value taken from the database into Cleartext-Password instead of User-Password?

Update the data in the SQL database? You have the string User-Password. Change it to Cleartext-Password.

> And one more question, about the digest module: will it work if I use the sql module in the authorize section and then digest in the authentication?

Yes. You should list digest in the authorize section, too, as the example config file shows.

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: Why Freeradius and Mysql don't work?
yao guoxian wrote:
> input command: ./bin/mysql -u root
> output results: Welcome to the MySQL monitor. Commands end with ; or \g.
> Your MySQL connection id is 2 to server version: 5.0.20-standard-log

*sigh*

You installed MySQL but did none of the security things that it probably told you to do during the install (that it definitely tells you to do in the manual). Please go read the docs for MySQL. You are not having FreeRADIUS problems, you are having MySQL problems, the largest of which is that you haven't read the manual.

Here's a hint: you didn't need to reset the root password, you never set one in the first place!

Now, go read.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Disconnect user in radius
satish patel wrote:
> I am using freeradius with Microsoft MSSQL. Now my question is: how do I disconnect a user from freeradius? For example, user xyz is online and I want to disconnect the user from radius, so what is the option for this task? Is there any script or any option to integrate with the web page of dialupadmin?

You need to change your thinking. The user is not connected to RADIUS. Never was. That isn't what RADIUS does. The user is connected to your NAS. Check the NAS docs for disconnecting a user.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Re: Disconnect user in radius
You can send a Disconnect-Message from the RADIUS server to the client to disconnect them if the NAS supports DM/COA. The DM will cause the NAS to drop the connection, effectively disconnecting them from any services they were using.

Dennis Skinner wrote:
> satish patel wrote:
>> I am using freeradius with Microsoft MSSQL. Now my question is: how do I disconnect a user from freeradius? For example, user xyz is online and I want to disconnect the user from radius, so what is the option for this task? Is there any script or any option to integrate with the web page of dialupadmin?
>
> You need to change your thinking. The user is not connected to RADIUS. Never was. That isn't what RADIUS does. The user is connected to your NAS. Check the NAS docs for disconnecting a user.
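An added example, not from this thread and not FreeRADIUS code, showing what the Disconnect-Message exchange described above looks like on the wire per RFC 3576: the server builds a Disconnect-Request that names the session to drop, and it must check that the NAS's Disconnect-ACK or Disconnect-NAK is authentic (computed over the shared secret and the original Request Authenticator) before acting on it. The shared secret, NAS address and session values below are constructed for the demo; the only page value reused is the Acct-Session-Id format.

```python
import hashlib
import hmac
import struct

# RFC 3576 packet codes (Dynamic Authorization Extensions to RADIUS).
DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
# Standard RADIUS attribute types used to identify the session on the NAS.
ATTR_USER_NAME, ATTR_NAS_IP_ADDRESS, ATTR_ACCT_SESSION_ID = 1, 4, 44


def encode_attrs(attrs):
    """Encode (type, bytes) pairs as RADIUS TLVs: type(1) length(1) value."""
    out = b""
    for atype, value in attrs:
        if not 0 < len(value) <= 253:
            raise ValueError("attribute value length out of range")
        out += struct.pack("!BB", atype, len(value) + 2) + value
    return out


def build_disconnect_request(secret, identifier, attrs):
    """RFC 3576 section 2.3: Request Authenticator =
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(body))
    authenticator = hashlib.md5(header + bytes(16) + body + secret).digest()
    return header + authenticator + body


def verify_response(secret, request, response):
    """Check the NAS reply: Response Authenticator =
    MD5(Code + Identifier + Length + RequestAuth + Attributes + Secret).
    Returns 'ack', 'nak', or None when the reply is not authentic or does not
    belong to this request (wrong identifier, bad length, wrong secret)."""
    if len(response) < 20:
        return None
    code, identifier, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or identifier != request[1]:
        return None
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    if not hmac.compare_digest(expected, response[4:20]):
        return None
    return {DISCONNECT_ACK: "ack", DISCONNECT_NAK: "nak"}.get(code)


def make_response(secret, request, code, attrs=()):
    """What a NAS would send back; constructed here to exercise verify_response."""
    body = encode_attrs(attrs)
    header = struct.pack("!BBH", code, request[1], 20 + len(body))
    auth = hashlib.md5(header + request[4:20] + body + secret).digest()
    return header + auth + body


if __name__ == "__main__":
    secret = b"testing123"  # constructed shared secret for the demo
    req = build_disconnect_request(secret, identifier=5, attrs=[
        (ATTR_USER_NAME, b"xyz"),
        (ATTR_ACCT_SESSION_ID, b"45aec9a9"),
        (ATTR_NAS_IP_ADDRESS, bytes([192, 0, 2, 10])),  # constructed NAS address
    ])
    print("Disconnect-Request:", req.hex())
    print("NAS reply:", verify_response(secret, req, make_response(secret, req, DISCONNECT_ACK)))
```

The request is sent over UDP to the NAS's CoA/DM port (3799 by default) using the same shared secret as the NAS's RADIUS client entry; a reply that fails verify_response should be logged and ignored rather than treated as a disconnect confirmation.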
Re: sql - Replacing User-Password in config items with Cleartext-Password
Alan DeKok wrote:
> tzieleniewski wrote:
>> I am using the mysql module as the authorization module and I get the following warning:
>>
>> !!! Replacing User-Password in config items with Cleartext-Password.
>> !!! Please update your configuration so that the "known good"
>> !!! clear text password is in Cleartext-Password, and not in User-Password.
>>
>> How can I force the sql module to put the password value taken from the database into Cleartext-Password instead of User-Password?
>
> Update the data in the SQL database? You have the string "User-Password". Change it to "Cleartext-Password".
>
>> And one more question, about the digest module: will it work if I use the sql module in the authorize section and then digest in the authentication?
>
> Yes. You should list "digest" in the authorize section, too, as the example config file shows.

Thanks for your answer. Please answer one more question so I will be sure I understand matters right.

The authorize section is the section which defines procedures responsible for granting a user access to a specific type of service. For instance, if we use the sql or files module in the authorize section we can intuitively imagine that they do some checks about user data. For instance, check if the data are present in the users file or in the database. And then in the authentication section they, for instance, authenticate with the pap module, which makes the verification between the data received from the access packet and those taken from the users file or database.

But there is another situation, a little bit confusing, when we for instance call the chap, mschap or ldap modules in the authorize section and then in the authenticate section. Does it work this way, that somehow those modules know that they are invoked in different phases (authorize, authenticate) and perform different operations according to the needs? Or, for instance, the digest module: what does the authorize section really do? Does it take any data from the users file? Or does it just check the data format and stuff?

for instance

authorize {
    preprocess
    chap
    mschap
}
authenticate {
    authtype PAP {
        pap
    }
    authtype CHAP {
        chap
    }
    authtype MS-CHAP {
        mschap
    }
}

I can really get the feeling of those authtype declarations in the authenticate section. I'm sure that a few words of explanation will make me understand everything.

Thanks for any help
Tomasz

> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: The EAP Saga continues.
Alright, I'm going to step back and talk conceptually.

The issue is that the laptops use a combination of LDAP and Kerberos to authenticate to the Domain Controllers (OpenLDAP and a Kerberos KDC) to authorize and authenticate Humans. So you get a Chicken/Egg issue. You can't authenticate Humans until you authenticate nodes, but a Human could not enter MS-CHAPv2 passwords without logging in.

I want to be able to assign a Certificate to a Host; as long as the Host carries the certificate, it can talk on the network. The Cert should be individualized to each host. So, I'd like to be able to give a host a cert, and then let them use the network so they can login with User/Password.

I have a working CA now.
FR not honoring AutzType
I've been trying to set up FR in a realm-based configuration using only LOCAL realms that are passed to different MySQL tables via different instances. This setup, like several previous questions posted to this list for similar setups, requires conditional branching. The solution as suggested in those posts was to use an Autz-Type block within the authorize block, and an Auth-Type block within the authenticate block, to use the appropriate module instances for the given realm.

The problem I am having is that no matter what I set Autz-Type to, or where I set it, FR doesn't seem to honor it. I've tried putting it in hints entries, user entries, and realm entries; all suggestions that had been posted in response to similar issues. Another problem that compounds this one is that different posters refer to Autz-Type differently: autztype, AutzType, Autz-Type. Is the difference significant, or is this one of those cases where they ALL are valid, but do exactly the same thing?

I would have thought there would be some way to use the Realm variable that rlm_realm strips from the User-Name attribute directly within the Authorize/Authenticate blocks, but it appears the most straightforward way of using a block like 'realm bogus {}' causes FR to confuse the block for another module instance definition.

Any insights anyone may have on this would be appreciated.

Following are the relevant configuration output segments:

radiusd.conf, authorize block:

Autz-Type SQL-BOGUS {
    sql-bogus
}

radiusd.conf, authenticate block:

Auth-Type SQL-BOGUS {
    sql-bogus
}

hints:

DEFAULT Prefix == BOGUS\, Strip-User-Name = Yes
    Hint = MIE Login,
    Service-Type = Framed-User,
    Autz-Type := SQL-BOGUS,
    Auth-Type := SQL-BOGUS

users:

DEFAULT Realm == bogus, Autz-Type := SQL-BOGUS

mysql bogus realm's radcheck table:

+----+----------+---------------+----+----------+
| id | UserName | Attribute     | op | Value    |
+----+----------+---------------+----+----------+
|  6 | user     | User-Password | == | password |
|  7 | user     | Auth-Type     | := | Local    |
+----+----------+---------------+----+----------+

radiusd -X -A (snippet 1, module instantiation):

rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
rlm_sql (sql-bogus): Attempting to connect to [EMAIL PROTECTED]:/radius
rlm_sql (sql-bogus): starting 0
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
rlm_sql (sql-bogus): Connected new DB handle, #0
rlm_sql (sql-bogus): starting 1
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
rlm_sql (sql-bogus): Connected new DB handle, #1
rlm_sql (sql-bogus): starting 2
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
rlm_sql (sql-bogus): Connected new DB handle, #2
rlm_sql (sql-bogus): starting 3
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
rlm_sql (sql-bogus): Connected new DB handle, #3
rlm_sql (sql-bogus): starting 4
rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
rlm_sql (sql-bogus): Connected new DB handle, #4
Module: Instantiated sql (sql-bogus)

radiusd -X -A (snippet 2, module *NOT* getting used):

modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
rlm_realm: Looking up realm bogus for User-Name = bogus\user
rlm_realm: Found realm bogus
rlm_realm: Adding Stripped-User-Name = user
rlm_realm: Proxying request from user user to realm bogus
rlm_realm: Adding Realm = bogus
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module ntdomain returns noop for request 0
rlm_eap: EAP packet type response id 0 length 15
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
modcall[authorize]: module eap returns updated for request 0
modcall[authorize]: module chap returns noop for request 0
modcall[authorize]: module mschap returns noop for request 0
modcall: leaving group authorize (returns updated) for request 0

NOTE: My module order, and the fact that radius found the bogus realm, means that there should be SQL auth lines appearing immediately after the mschap returns noop line. They don't show up, which means FR either wasn't seeing Autz-Type at that point, or some other module changed it.
Re: Disconnect user in radius
Michael Lecuyer wrote:
> You can send a Disconnect-Message from the RADIUS server to the client to disconnect them if the NAS supports DM/COA. The DM will cause the NAS to drop the connection, effectively disconnecting them from any services they were using.

Yes, in other words: Check the NAS docs for disconnecting a user.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com
Removing characters from usernames
Is there a way to parse the input of a username and password before it is passed to the back end database? I'm doing MAC address authentication and some devices are passing the MAC address with dashes, where I need to have no separation between the octets. I basically need to strip out these dashes from the input.

Thanks
Andy Zirkel
return-codes on reject
Hello list,

I'm using freeradius-1.1.2 with MS-SQL. I'm having serious problems with return-codes on reject messages. All was working fine with the previous version of freeradius. I was reading something about return-codes not being allowed on reject, but I think it is wrong because most return-codes go on reject messages. Only return-code = 0 (authorization succeeded) goes on access-accept. The rest, for example 2 (invalid pin), 9 (destination number blocked), 12 (insufficient balance), etc., are return-codes that go on reject.

Please, I need to solve this ASAP.

Regards,
Guido
Re: sql - Replacing User-Password in config items with Cleartext-Password
TZieleniewski wrote:
> The authorize section is the section which defines procedures responsible for granting a user access to a specific type of service. For instance, if we use the sql or files module in the authorize section we can intuitively imagine that they do some checks about user data. For instance, check if the data are present in the users file or in the database.

yes

> And then in the authentication section they, for instance, authenticate with the pap module, which makes the verification between the data received from the access packet and those taken from the users file or database.

yes

> But there is another situation, a little bit confusing, when we for instance call the chap, mschap or ldap modules in the authorize section and then in the authenticate section. Does it work this way, that somehow those modules know that they are invoked in different phases (authorize, authenticate)

Yes. Taking e.g. mschap as an example - during the authorize phase, the module looks at the request and does this:

* IF the ms-chap-challenge and ms-chap-response attributes exist
* THEN set Auth-Type = MS-CHAP

During the authenticate phase it says:

* Get ms-chap-challenge
* Get User-Password from config items
* Compute correct response
* If correct == ms-chap-response: ...

> and perform different operations according to the needs? Or, for instance, the digest module: what does the authorize section really do? Does it take any data from the users file? Or does it just check the data format and stuff?
>
> for instance
>
> authorize {
>     preprocess
>     chap
>     mschap
> }
> authenticate {
>     authtype PAP {
>         pap
>     }
>     authtype CHAP {
>         chap
>     }
>     authtype MS-CHAP {
>         mschap
>     }
> }
>
> I can really get the feeling of those authtype declarations in the authenticate section. I'm sure that a few words of explanation will make me understand everything.

Basically, the *algorithm* modules just check to see if they're applicable to a request during authorize. If they are applicable they arrange to run themselves again during authenticate, *after* data for authentication has been added to the request.

Hope that helps
Re: FR not honoring AutzType
Sam Schultz wrote:
> radiusd.conf, authorize block:
>
> Autz-Type SQL-BOGUS {
>     sql-bogus
> }
>
> radiusd.conf, authenticate block:
>
> Auth-Type SQL-BOGUS {
>     sql-bogus
> }

Both of these are incomplete. The latter is almost certainly not valid - rlm_sql doesn't have an authenticate handler, so it can't sensibly run during the authenticate block. You need to add config items, e.g. User-Password, to the request and run a different module, e.g. PAP or mschap, to run the authentication.

> hints:
>
> DEFAULT Prefix == BOGUS\, Strip-User-Name = Yes
>     Hint = MIE Login,
>     Service-Type = Framed-User,
>     Autz-Type := SQL-BOGUS,
>     Auth-Type := SQL-BOGUS

Both wrong. Autz-Type and Auth-Type are config items and therefore get set on the first line of a users entry. Since this is a hints file you've added them to the request items here (which is meaningless). You also shouldn't set Auth-Type (and anyway are setting it to a meaningless value, see above).

> users:
>
> DEFAULT Realm == bogus, Autz-Type := SQL-BOGUS

This should work, but you've removed files from your authorize section so it's not running - hence it breaks.

> mysql bogus realm's radcheck table:
>
> +----+----------+---------------+----+----------+
> | id | UserName | Attribute     | op | Value    |
> +----+----------+---------------+----+----------+
> |  6 | user     | User-Password | == | password |
> |  7 | user     | Auth-Type     | := | Local    |
> +----+----------+---------------+----+----------+

Don't use == for User-Password. Use :=

> radiusd -X -A (snippet 1, module instantiation):
>
> rlm_sql (sql-bogus): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked
> rlm_sql (sql-bogus): Attempting to connect to [EMAIL PROTECTED]:/radius
> rlm_sql (sql-bogus): starting 0
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #0
> rlm_sql (sql-bogus): Connected new DB handle, #0
> rlm_sql (sql-bogus): starting 1
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #1
> rlm_sql (sql-bogus): Connected new DB handle, #1
> rlm_sql (sql-bogus): starting 2
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #2
> rlm_sql (sql-bogus): Connected new DB handle, #2
> rlm_sql (sql-bogus): starting 3
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #3
> rlm_sql (sql-bogus): Connected new DB handle, #3
> rlm_sql (sql-bogus): starting 4
> rlm_sql (sql-bogus): Attempting to connect rlm_sql_mysql #4
> rlm_sql (sql-bogus): Connected new DB handle, #4
> Module: Instantiated sql (sql-bogus)
>
> radiusd -X -A (snippet 2, module *NOT* getting used):
>
> modcall: entering group authorize for request 0
> modcall[authorize]: module preprocess returns ok for request 0
> rlm_realm: Looking up realm bogus for User-Name = bogus\user
> rlm_realm: Found realm bogus
> rlm_realm: Adding Stripped-User-Name = user
> rlm_realm: Proxying request from user user to realm bogus
> rlm_realm: Adding Realm = bogus
> rlm_realm: Authentication realm is LOCAL.
> modcall[authorize]: module ntdomain returns noop for request 0
> rlm_eap: EAP packet type response id 0 length 15
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 0
> modcall[authorize]: module chap returns noop for request 0
> modcall[authorize]: module mschap returns noop for request 0
> modcall: leaving group authorize (returns updated) for request 0

Note, no:

    module files ...

hence your entry in the users file is not being processed, and as discussed your entry in the hints file is formatted wrong.

> NOTE: My module order, and the fact that radius found the bogus realm, means that there should be SQL auth lines appearing immediately after the mschap returns noop line. They don't show up, which means FR either wasn't seeing Autz-Type at that point, or some other module changed it.

I disagree. I think you've broken your configuration. The details you've posted above are clearly incomplete so I can only guess. Please post your actual, full configs - not extracts - and your actual full debug output - not extracts.
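An added example, not from either reply and not FreeRADIUS code, that models the two-phase behaviour described in the earlier "Re: sql - Replacing User-Password" reply (algorithm modules only decide applicability in authorize and set Auth-Type; they do the real check in authenticate) together with the point made above that a data module such as rlm_sql has no authenticate handler and must instead add config items in authorize for an algorithm module to consume. The CHAP check is the real RFC 1994 computation (MD5 of identifier, secret and challenge), so the model also reproduces the failure mode where nothing in authorize supplied a Cleartext-Password and rlm_chap can only return invalid. The module names mirror FreeRADIUS; the user, password and challenge values are constructed.

```python
import hashlib
import os

# Constructed test data: the "known good" password a data module (rlm_sql,
# files) would add to the config items as Cleartext-Password.
KNOWN_GOOD = {"administrator": "s3cret"}


def chap_response(ident, password, challenge):
    """RFC 1994 CHAP response: MD5(Identifier || secret || challenge)."""
    return hashlib.md5(bytes([ident]) + password.encode() + challenge).digest()


# --- algorithm modules: authorize only decides whether they apply -------------

def chap_authorize(request, config):
    if "CHAP-Password" in request and "CHAP-Challenge" in request:
        config.setdefault("Auth-Type", "CHAP")   # rlm_chap: Setting 'Auth-Type := CHAP'
        return "ok"
    return "noop"


def chap_authenticate(request, config):
    if "Cleartext-Password" not in config:
        return "invalid"   # "Could not find clear text password for user ..."
    ident, response = request["CHAP-Password"][0], request["CHAP-Password"][1:]
    expected = chap_response(ident, config["Cleartext-Password"], request["CHAP-Challenge"])
    return "ok" if expected == response else "reject"


def pap_authorize(request, config):
    if "User-Password" in request:
        config.setdefault("Auth-Type", "PAP")
        return "ok"
    return "noop"


def pap_authenticate(request, config):
    if "Cleartext-Password" not in config:
        return "invalid"
    return "ok" if request["User-Password"] == config["Cleartext-Password"] else "reject"


# --- data module: authorize adds the known-good password; no authenticate ----

def sql_authorize(request, config):
    password = KNOWN_GOOD.get(request.get("User-Name"))
    if password is None:
        return "notfound"
    config["Cleartext-Password"] = password
    return "ok"


AUTHENTICATE = {"CHAP": chap_authenticate, "PAP": pap_authenticate}


def process(request, authorize_modules):
    """Run the authorize list, then the Auth-Type sub-section it selected.
    Returns (outcome, Auth-Type, per-module trace of return codes)."""
    config, trace = {}, []
    for name, module in authorize_modules:
        trace.append((name, module(request, config)))
    auth_type = config.get("Auth-Type")
    if auth_type is None:
        return "reject", None, trace   # no module claimed the request
    rcode = AUTHENTICATE[auth_type](request, config)
    trace.append((auth_type.lower(), rcode))
    return ("accept" if rcode == "ok" else "reject"), auth_type, trace


def make_chap_request(user, password, ident=0, challenge=None):
    """Build what a NAS sends for a CHAP login (constructed for the demo)."""
    challenge = challenge or os.urandom(16)
    return {"User-Name": user,
            "CHAP-Challenge": challenge,
            "CHAP-Password": bytes([ident]) + chap_response(ident, password, challenge)}


if __name__ == "__main__":
    req = make_chap_request("administrator", "s3cret")
    # Working order: sql runs in authorize and supplies Cleartext-Password first.
    print(process(req, [("chap", chap_authorize), ("pap", pap_authorize), ("sql", sql_authorize)]))
    # Broken config: no data module, so chap has nothing to compare against.
    print(process(req, [("chap", chap_authorize), ("pap", pap_authorize)]))
```

The second run ends with the chap module returning invalid rather than reject: the request was well formed, but the server had no known-good password, which is the distinction a debug log makes between a wrong password and a mis-configured authorize section.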
RE: a freeradious/wireless solution for a school
Hi Michael,

I have set up chillispot+freeRadius+Win2k3AD for my wireless network. Everything is working but the AD authentication. Apparently the reason it is not working is because AD does not like the CHAP authentication and AD likes MS-CHAP. I do not know how, and where, to configure my Linux box to use MS-CHAP instead of CHAP. Have you done this before? If you have, would you please teach me how to rectify this problem.

Please see the following output from $ Radius -X when a wireless client uses the administrator logon on the chillispot web logon page:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
        User-Name = administrator
        CHAP-Challenge = 0xa784482e8ac92fd573e87bbbad9ca58f
        CHAP-Password = 0x00f54cc04e288eec67feff0b13e9448bd2
        NAS-IP-Address = 0.0.0.0
        Service-Type = Login-User
        Framed-IP-Address = 192.168.182.5
        Calling-Station-Id = 00-16-6F-79-91-F4
        Called-Station-Id = 00-05-5D-9E-0F-94
        NAS-Identifier = nas01
        Acct-Session-Id = 45aec9a9
        NAS-Port-Type = Wireless-802.11
        NAS-Port = 0
        Message-Authenticator = 0x97668bae73249b0dd4755ab03d364f34
        WISPr-Logoff-URL = http://192.168.182.1:3990/logoff
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module preprocess returns ok for request 0
  rlm_chap: Setting 'Auth-Type := CHAP'
  modcall[authorize]: module chap returns ok for request 0
  modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = administrator, looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 0
  rlm_eap: No EAP-Message, not doing EAP
  modcall[authorize]: module eap returns noop for request 0
    users: Matched DEFAULT at 153
  modcall[authorize]: module files returns ok for request 0
modcall: group authorize returns ok for request 0
  rad_check_password: Found Auth-Type CHAP
auth: type CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 0
  rlm_chap: login attempt by administrator with CHAP password
  rlm_chap: Could not find clear text password for user administrator
  modcall[authenticate]: module chap returns invalid for request 0
modcall: group Auth-Type returns invalid for request 0
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32772, id=0, length=223
Sending Access-Reject of id 0 to 127.0.0.1:32772
--- Walking the entire request list ---
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 0 with timestamp 45aecedc
Nothing to do. Sleeping until we see a request.

Many thanks in advance.

John Wan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of gkalinec
Sent: Friday, 26 January 2007 2:06 AM
To: freeradius-users@lists.freeradius.org
Subject: RE: a freeradious/wireless solution for a school

The database is not a problem, since we have a huge one in place, one stored in Active Directory (for which I can use the freeradius LDAP module) or a MySQL one. The database is really our main strength, since we have tons of information about every student, staff and parent in it (it's what my main job responsibility entails). A quick question, however: would this be just as easy to set up on a Macintosh? (since many of my supplicants will be Macs..)

German Kalinec

King, Michael wrote:
> Without being too subtle, you've misunderstood much of the research you've read. Don't worry about it, there is quite a bit of contradictory information out there. There's quite a bit of background information, so it'll be a little bit before I mention FreeRADIUS.
>
> First. It's WPA, not WAP. (Different fields of technology.) Forget much of what you've read.
>
> First, this is what you have been doing. It's called MAC filtering. The AP will only talk to MACs that it has in its table. In short, this is useless, since if I wanted to get on, I'd just fire up a packet sniffer. (They're free and easy to get. http://www.wireshark.org/ for example.) Copy some poor soul's MAC address, and I'm on. It's an administrative nightmare. You should not do this.
>
> A second form of this is to load all the MAC addresses into a radius server; then the AP will interrogate Radius to find out if it's on its allow list. This is as useless as the way you're doing it now, because I can still easily copy your MAC address. You should not do this either.
>
> Second: You mention