Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
so..somewhere along the line you are playing with the User-Name
attribute...something
which you cannot do with EAP - if you take a standard 2.1.6 install and
make the basic changes
to your eap.conf and clients.conf it will work.

which Linux distribution should I use? So far I tried debian-etchnhalf, or
CentOS, and in every HOWTO it's written that I have to compile it by myself.
This HOWTO didn't work anyway... so I will try what you suggest.
Bartosz.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Removing tunnel attributes only for specific NAS

2009-05-19 Thread liran tal
Hey Ignacio,
I need to get a Nomadix AG3100 gateway to do the same thing as you
have done - get it to authenticate
to FreeRADIUS and redirect to portal pages for a simple user/pass login.

I've exchanged a bunch of emails with their support team (which is awful)
and read their guides, but it's
terribly cumbersome and it seems that some kind of XML interface is required to
be implemented.

I was hoping to get some pointers from you on getting this working.


Thanks,
Liran.



On Mon, Jul 24, 2006 at 12:14 PM, Ignacio Siles ignacio.si...@libera.net wrote:



 Hello,

 I am trying to implement a Nomadix AG-5000 public NAS in a network
 with an existing FreeRADIUS server. The environment is as follows:

 -  The customer wants the Nomadix to do public authentication (with
 captive portal and PAP) for guest users, and for employees who can't use the
 protected wireless network working with WPA-Enterprise authentication.

 -  The employees' user names and passwords are stored in an LDAP
 structure.

 -  There is a freeRADIUS v 1.0.5 server which asks that LDAP
 structure for authentication.

 So the Nomadix is configured as a RADIUS client, connected to the FreeRADIUS
 server. I have tested the connection with test users stored in freeRADIUS'
 "users" file, and everything worked fine. The problem starts with the
 Access-Accept RADIUS message. This message includes some tunnel attributes
 stored in the LDAP, which are necessary for the other networks to work
 properly. But the Nomadix does not understand those attributes and drops the
 Access-Accept messages, resulting in a failed authentication.

 The solution I'm thinking about is to remove these tunnel attributes from the
 Access-Accept message should they be sent to the Nomadix. I've read about
 rlm_attr_filter, but I don't know how to configure it to remove tunnel
 attributes should the Nomadix be acting as the NAS.

 File /etc/raddb/attrs:

 DEFAULT
 	Packet-Type =* ANY,
 	EAP-Message =* ANY,
 	User-Name =* ANY,
 	Message-Authenticator =* ANY,
 	State =* ANY,
 	Tunnel-Type := VLAN,
 	Tunnel-Medium-Type := IEEE-802,
 	Tunnel-Private-Group-Id := "55"

 Thank you in advance,




Re: freeradius mysql apache2 for Wi Fi hotspotsetup

2009-05-19 Thread liran tal
Hey Jerome,
I need to get a Nomadix AG3100 gateway to do the same thing as you
have done - get it to authenticate
to FreeRADIUS and redirect to portal pages for a simple user/pass login.

I've exchanged a bunch of emails with their support team (which is awful)
and read their guides, but it's
terribly cumbersome and it seems that some kind of XML interface is required to
be implemented.

I was hoping to get some pointers from you on getting this working.


Thanks,
Liran.

On Thu, Mar 22, 2007 at 1:17 PM, Mini Jerome minijer...@gmail.com wrote:

 Hi,

 I have installed FreeRADIUS to work with MySQL on Ubuntu 6.0.6 with
 the RADIUS client Nomadix AG 2000 and it works fine.

 At present on the Nomadix, the internal web server is on and it gives the login
 and logout pages; whenever a MySQL database username and password are
 submitted, a session starts on the RADIUS server.

 I would like to serve the login/logout pages from an external web server
 instead of the internal web server of the Nomadix
 which is configured on the Nomadix, and force users to go to the login page
 whenever the WiFi customer has been assigned a dynamic IP from the
 Nomadix.

 Can anyone help?

 Mini Jerome


Re: RADIUS attributes: acctoutputoctects and acctinputoctect inmikrotik

2009-05-19 Thread liran tal
Hey Santiago,
I need to get a Nomadix AG3100 gateway to do the same thing as you
have done - get it to authenticate
to FreeRADIUS and redirect to portal pages for a simple user/pass login.

I've exchanged a bunch of emails with their support team (which is awful)
and read their guides, but it's
terribly cumbersome and it seems that some kind of XML interface is required to
be implemented.

I was hoping to get some pointers from you on getting this working.


Thanks,
Liran.

On Wed, Jul 25, 2007 at 9:57 AM, Santiago Balaguer García 
santiago...@hotmail.com wrote:

 However, I work with a Nomadix 2000 and Nomadix 2100, and I did the same 10
 MB download.

 So I did a test downloading the last MT firmware version: 2.9.44 (10.4 MB):

 Nomadix [Acct-Input-Octets]: 12533328
 Nomadix [Acct-Output-Octets]: 271598
 Mikrotik[Acct-Input-Octets]: 248630
 Mikrotik[Acct-Output-Octets]: 11441495

 Are you sure that it works fine?

 --
 From:  *t...@kalik.co.yu*
 Reply-To:  *FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org*
 To:  *FreeRadius users mailing list 
 freeradius-users@lists.freeradius.org*
 Subject:  *Re: RADIUS attributes: acctoutputoctects and acctinputoctect
 inmikrotik*
 Date:  *Tue, 24 Jul 2007 20:16:10 +0100*
 I have RouterOSv2.9 and input is input and output is output.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 
 On 24/7/2007, Santiago Balaguer García santiago...@hotmail.com
 wrote:
 
  Hi,
 
  I have been working with freeradius and mikrotik routers for two years.
  However, I have never realized that the radius attributes acctoutputoctets
  and acctinputoctets are interchanged in mikrotik.
 
  Does anyone know this mikrotik bug?
 
  Santiago
 

Long attribute name

2009-05-19 Thread Ming-Ching Tiew


I know it's almost trivial to go and alter the table column size, but for users' 
convenience, the SQL attribute length should be increased. Currently the 
schema.sql which comes with the distribution is varchar(32). One of the 
Motorola WiMAX attributes is 39 characters, 
Motorola-WiMAX-Maximum-Commit-Bandwidth, and I notice that MySQL silently 
truncates the inserted string.

Regards.






  


Re: question about windows users

2009-05-19 Thread A . L . M . Buxey
Hi,

 which Linux distribution should I use? So far I tried debian-etchnhalf, or
 CentOS, and in every HOWTO it's written that I have to compile it by myself.
 This HOWTO didn't work anyway... so I will try what you suggest.
 Bartosz.

there's nothing wrong with compiling it yourself - so long as you have the
right dev libraries installed so all the bits you want get compiled..

you can check what's not going to be built by parsing the configure output

eg

./configure --with-options-you-want | grep WARNING

ignore the WARNING entries for things you care not about and
fix the WARNING that you need (eap PEAP) by installing the
needed libraries, eg openssl-devel

some distros come with a more recent FreeRADIUS (or have RPM / PKG
available for them - eg Fedora Core 11)


the default config from the source build is pretty much ready for
anything you want after just editing a few lines in the config
(so long as the supporting code - eg EAP) has been compiled

alan


Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)

2009-05-19 Thread Fajar A. Nugraha
On Sun, May 17, 2009 at 11:33 PM, John Dennis jden...@redhat.com wrote:
 We expect to provide an official update to RHEL with a 2.x
 version of FreeRADIUS in the next update cycle which would be RHEL 5.5,

So how do you plan to provide seamless upgrade for RHEL 5 users?
Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a
clean install?

-- 
Fajar


RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Checkval with Calling-Station-Id works fine! And I also want to check the IP 
of the NAS to authenticate my user.

rlm_checkval: Item Name: Calling-Station-Id, Value: 192.168.0.80
rlm_checkval: Value Name: Calling-Station-Id, Value: 192.168.0.80
++[station-check] returns ok

NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

I tried with Client-IP-Address instead of NAS-IP-Address but it doesn't work:

rad_recv: Access-Request packet from host 192.168.0.50 port 1812, id=162, 
length=80
NAS-IP-Address = 192.168.0.50
NAS-Port = 1
NAS-Port-Type = Virtual
User-Name = fmehault
Calling-Station-Id = 192.168.0.80
User-Password = toto
+- entering group authorize {...}

[...]

rlm_checkval: Could not find item named Client-IP-Address in request
rlm_checkval: Could not find attribute named Client-IP-Address in check pairs
++[nas-check] returns notfound

My ldap:

dn: cn=Francois MEHAULT,ou=Utilisateurs,dc=netplus,dc=fr
givenName:: RnJhbsOnb2lz
sn: MEHAULT
uid: fmehault
cn: Francois MEHAULT
homeDirectory: /home/admins/fmehault
loginShell: /usr/local/bin/zsh
gidNumber: 1203
uidNumber: 1203
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: radiusprofile
objectClass: hostObject
radiusGroupName: stagiaire
userPassword: {MD5}9x2+UmKKP4OnerSUgXUlxg==
radiusNASIpAddress: 192.168.0.50
host: labobe1
radiusCheckItem: Client-IP-Address = 192.168.0.50
radiusCallingStationId: 192.168.0.80


My checkval module:

checkval station-check {
item-name = Calling-Station-Id
check-name = Calling-Station-Id
data-type = string
notfound-reject = yes
}

checkval nas-check {
item-name = Client-IP-Address
check-name = Client-IP-Address
data-type = ipaddr
notfound-reject = yes
}

Thanks Ivan Kalik for your first response

Regards,

François

-----Original Message-----
From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
On behalf of Ivan Kalik
Sent: Monday, 11 May 2009 13:29
To: FreeRadius users mailing list
Subject: Re: check-item NAS-IP-ADdress Calling-Station-ID with openldap

 I want to use FreeRadius to administer network equipment. I also use
 OpenLDAP to stock information about users. FreeRADIUS and OpenLDAP are
 installed on the same FreeBSD 7.0 server.
 I contact a network equipment (like a Cisco Catalyst 2950 v12.1) with putty
 (ssh/telnet).

 I have 2 questions :


 -  Why is my calling-station-id in the request an IP and not a MAC?

Because you are using telnet/ssh. The same applies to VPN. PPPoE (wired and
wireless) requests should have the MAC address in that field. Dial-up should
have the phone number.


 -  When I authenticate on the cisco 2950, I have in my log «
 rlm_checkval: Item Name: NAS-IP-Address, Value: À¨ » instead of
 192.168.0.50, what is the problem ???


NAS-IP-Address can be forged. Use Client-IP-Address. I am not sure why did
it come out like that in checkval when elsewhere in the debug it looks OK.

Ivan Kalik
Kalik Informatika ISP


R: R: Common error on sql_counter on Ver 2.1.5

2009-05-19 Thread Mauro Iorio - Smart Soft s.r.l.
 
 PS. You have either disabled group checking or removed group membership
 query.
 
 Ivan Kalik
 Kalik Informatika ISP
 
 

None of them. Group checking is enabled (read_groups = yes) and the query
(authorize_group_check_query = SELECT ... ) is defined in the sql module. But
the query simply isn't executed. Any ideas?

Now the attribute is Cleartext-Password and the op is := in radcheck ...

The output now is shorter (without any warnings) but still no counter.

Here it is:
--

Ready to process requests.
rad_recv: Access-Request packet from host 192.168.4.203 port 37145, id=67, length=76
User-Name = mauro
User-Password = flower
NAS-IP-Address = 127.0.0.1
NAS-Port = 1
Called-Station-Id = 00-03-9D-4A-0A-0A
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[sql]   expand: %{User-Name} -> mauro
[sql] sql_set_user escaped user --> 'mauro'
rlm_sql (sql): Reserving sql socket id: 4
[sql]   expand: SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = '%{SQL-User-Name}' AND MACADDWAN = '%{Called-Station-Id}' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate() -> SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate()
query:  SELECT id, UserName, Attribute, Value, op FROM UtentiAutorizzati WHERE UserName = 'mauro' AND MACADDWAN = '00-03-9D-4A-0A-0A' AND (CheckOnLine - UtentiConnessi) > 0 AND DataScadenza > GetDate()
[sql] User found in radcheck table
[sql]   expand: SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = '%{SQL-User-Name}' ORDER BY id -> SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mauro' ORDER BY id
query:  SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username = 'mauro' ORDER BY id
rlm_sql (sql): Released sql socket id: 4
++[sql] returns ok
rlm_sqlcounter: Entering module authorize code
rlm_sqlcounter: Could not find Check item value pair
++[sessioncounter] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request is correct.
+- entering group post-auth {...}
++[exec] returns noop
Sending Access-Accept of id 67 to 192.168.4.203 port 37145
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 0 ID 67 with timestamp +134
Ready to process requests.



Complete Configuration of freeRadius

2009-05-19 Thread Sanhenra Sinaga
Dear all,


I am a student, and I want to implement a wireless LAN with MAC-based 
authentication by using freeRadius.
I installed freeRadius on Fedora Core 6. I need a complete configuration of 
freeRadius.

Thank you



Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
Ok, I downloaded 2.1.6

# unp freeradius-server-2.1.6.tar.gz
# cd /usr/src/freeradius-server-2.1.6
# dpkg-buildpackage -rfakeroot -uc -us
# dpkg -i freeradius_2.1.6-0_i386.deb
- the installer creates the CA and server certs in the /etc/freeradius/certs directory
# cd /etc/freeradius/certs
# make client

next I made a copy of ca.der and client.p12 to the XP directory,
next I opened mmc and installed both of them into Trusted Root Certificate
Authorities and into Personal

exclamation mark on the client certificate:
windows does not have enough information to verify this certificate
you have a private key that corresponds to this certificate

http://w974.wrzuta.pl/obraz/powieksz/1RnZvXjxueu


changes in /etc/freeradius/eap.conf
only one line has been changed:
default_eap_type = peap

changes in /etc/freeradius/clients.conf
client 192.168.5.0/24 {
secret  = password
shortname   = private-network-2
}

log:

# /etc/init.d/freeradius stop
# freeradius -X
FreeRADIUS Version 2.1.6, for host i486-pc-linux-gnu, built on May 19 2009
at 09:45:44
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors.
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A
PARTICULAR PURPOSE.
You may redistribute copies of FreeRADIUS under the terms of the
GNU General Public License v2.
Starting - reading configuration files ...
including configuration file /etc/freeradius/radiusd.conf
including configuration file /etc/freeradius/proxy.conf
including configuration file /etc/freeradius/clients.conf
including files in directory /etc/freeradius/modules/
including configuration file /etc/freeradius/modules/pam
including configuration file /etc/freeradius/modules/pap
including configuration file /etc/freeradius/modules/otp
including configuration file /etc/freeradius/modules/chap
including configuration file /etc/freeradius/modules/echo
including configuration file /etc/freeradius/modules/exec
including configuration file /etc/freeradius/modules/expr
including configuration file /etc/freeradius/modules/ldap
including configuration file /etc/freeradius/modules/krb5
including configuration file /etc/freeradius/modules/perl
including configuration file /etc/freeradius/modules/unix
including configuration file /etc/freeradius/modules/inner-eap
including configuration file /etc/freeradius/modules/radutmp
including configuration file /etc/freeradius/modules/counter
including configuration file /etc/freeradius/modules/acct_unique
including configuration file /etc/freeradius/modules/files
including configuration file /etc/freeradius/modules/realm
including configuration file /etc/freeradius/modules/wimax
including configuration file /etc/freeradius/modules/mac2vlan
including configuration file /etc/freeradius/modules/linelog
including configuration file
/etc/freeradius/modules/sqlcounter_expire_on_login
including configuration file /etc/freeradius/modules/detail.example.com
including configuration file /etc/freeradius/modules/checkval
including configuration file /etc/freeradius/modules/logintime
including configuration file /etc/freeradius/modules/sql_log
including configuration file /etc/freeradius/modules/sradutmp
including configuration file /etc/freeradius/modules/always
including configuration file /etc/freeradius/modules/attr_rewrite
including configuration file /etc/freeradius/modules/detail
including configuration file /etc/freeradius/modules/digest
including configuration file /etc/freeradius/modules/ippool
including configuration file /etc/freeradius/modules/mac2ip
including configuration file /etc/freeradius/modules/mschap
including configuration file /etc/freeradius/modules/smbpasswd
including configuration file /etc/freeradius/modules/passwd
including configuration file /etc/freeradius/modules/policy
including configuration file /etc/freeradius/modules/smsotp
including configuration file /etc/freeradius/modules/etc_group
including configuration file /etc/freeradius/modules/preprocess
including configuration file /etc/freeradius/modules/attr_filter
including configuration file /etc/freeradius/modules/detail.log
including configuration file /etc/freeradius/modules/expiration
including configuration file /etc/freeradius/eap.conf
including configuration file /etc/freeradius/policy.conf
including files in directory /etc/freeradius/sites-enabled/
including configuration file /etc/freeradius/sites-enabled/default
including configuration file /etc/freeradius/sites-enabled/inner-tunnel
including configuration file /etc/freeradius/sites-enabled/control-socket
group = freerad
user = freerad
including dictionary file /etc/freeradius/dictionary
main {
prefix = /usr
localstatedir = /var
logdir = /var/log/freeradius
libdir = /usr/lib/freeradius
radacctdir = /var/log/freeradius/radacct
hostname_lookups = no
max_request_time = 30
cleanup_delay = 5
max_requests = 1024
allow_core_dumps = no
pidfile = /var/run/freeradius/freeradius.pid
  

Re: Complete Configuration of freeRadius

2009-05-19 Thread Ivan Kalik
 I am a students, and i want to implement wireless LAN with MAC based
 authentication by using freeRadius.
 I installed freeRadius on Fedora Core 6. I need complete configuration of
 freeRadius.


It's already configured. It will do that in default configuration.

Ivan Kalik
Kalik Informatika ISP



Re: R: R: Common error on sql_counter on Ver 2.1.5

2009-05-19 Thread Ivan Kalik

 PS. You have either disabled group checking or removed group membership
 query.

 Ivan Kalik
 Kalik Informatika ISP



 None of them. Group checking is enabled (read_groups = yes) and the query
 (authorize_group_check_query = SELECT ... ) is defined in the sql module.
 But the query simply isn't executed. Any ideas?


No, group *membership* query (when I write membership, I do mean
membership). Have you just copied queries from the old version without
looking if anything has changed?

If you are upgrading from an old version to a new one, which documentation
should you follow - old or new? You opted for old, and are now wondering
why things aren't working. It's no mystery to me. Use *new* documentation
(user entries, sql queries, etc.). Configuration is largely compatible but
things do change over the years.

Ivan Kalik
Kalik Informatika ISP



Freeradius 2.1.1 and SQLite database

2009-05-19 Thread Peter Lambrechtsen
Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as
the backend DB?

Working on a single-router solution with OpenWRT with FreeRadius
running PEAP and EAP-TLS auth.

Would love to have it working with SQLite as that is the smallest DB
footprint of all the supported databases for Free Radius.

Has anyone done work with the SQLite DB and can give me some pointers on
the database setup for SQLite? It looks like I need to create a file
called sqlite_radius_client_database but I'm not sure what the structure
should be... And Google isn't helping much either.

Any assistance would be great.

Many thanks

Peter


Re: question about windows users

2009-05-19 Thread Ivan Kalik
 # make client

 next I made a copy of ca.der and client.p12 to xp directory,
 next I opened mmc and install both of them to Trusted Root Certificate
 Authorities and to Personal

 exclamation mark on client certificate:
 windows does not have enough information to verify this certificate
 you have private key that corresponds to this certificate


This is explained in raddb/certs/README - Compatibility. You should try
altering make client command in Makefile so that client certificates are
signed by ca and not server certificate.

Ivan Kalik
Kalik Informatika ISP



Re: RADIUS attributes: acctoutputoctects and acctinputoctect inmikrotik

2009-05-19 Thread Brage Rønning Tukkensæter
On Tue, May 19, 2009 at 9:10 AM, liran tal liransgar...@gmail.com wrote:
 Hey Santiago,
 I need to get a Nomadix AG3100 gateway to do the same thing as you
 have done - get it to authenticate
 to FreeRADIUS and redirect to portal pages for a simple user/pass login.
 I've exchanged a bunch of emails with their support team (which is awful)
 and read their guides, but it's
 terribly cumbersome and it seems that some kind of XML interface is required to
 be implemented.
 I was hoping to get some pointers from you on getting this working.


We have implemented a solution with the Nomadix access gateway, using
an external web server and the XML Web Services interface.

If you just need a simple RADIUS login it is easiest to use the
internal web server (IWS), which can be configured without using the
XML web services. See the User Manual to understand how this works.

We have had no problems with Nomadix interacting with FreeRADIUS and
other RADIUS servers.

---
Best regards
Brage Rønning Tukkensæter
Trådløse Trondheim AS



Re: Freeradius 2.1.1 and SQLite database

2009-05-19 Thread Alan DeKok
Peter Lambrechtsen wrote:
 Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as
 the backend db.

  Nope.

 Would love to have it working with sqlite as that is the smallest DB
 footprint of all the supported databases for Free Radius.

  Write the code... submit it back.

 Has anyone done work with the sqlite db and give me some pointers on
 the database setup for sqlite, looks like I need to create a file
 called sqlite_radius_client_database but not sure what the structure
 should be... And google isn't helping much either.

  Apple uses it for their OS X Server system.  The clients go into
SQLite, so that their administration system doesn't have to deal with
MySQL, PostgreSQL, or flat-text files.

  The schema is just the normal NAS schema, as with the other SQL drivers.

  To have it use the radcheck, radreply, etc. tables, you'll have to
 define the schemas, create the DB, and define the queries.  It *should*
work, so long as you use the hard-coded DB file name.

  Alan DeKok.


Change of Authorization (RFC 3576 / 5176)

2009-05-19 Thread Alan DeKok
  I have just committed *full* support for CoA to the stable and
master branches on git.freeradius.org.  I'd like to thank the sponsor
of this work, who wishes to remain anonymous.

  In 2.1.6, the server could *originate* CoA packets. e.g. if the user's
bandwidth consumption is over a quota, send a packet to disconnect them.

  In the current git code, it can now *receive* CoA packets.  This
also means full proxying of CoA packets.

  It is now possible to implement functionality such as:

disconnect user bob

  This can be done by sending a CoA packet to the server, with User-Name
of bob.  The policies on the server can then look up in the accounting
database to see where that user has logged in, and fill in the rest of
the CoA packet with NAS IP, port, etc.  The resulting packet can then be
sent to the NAS.

  The only caveat is that none of these policies have been written.  The
functionality works, and has been tested with switches from at least one
major networking vendor.  We now need help to create the policies,
schemas, etc. to implement the required functionality.

  Alan DeKok.
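
The "disconnect user bob" flow described above only works safely if the side that receives the packet checks who sent it. The following is an added example, not FreeRADIUS code and not part of Alan's announcement: it encodes an RFC 5176 Disconnect-Request carrying User-Name, shows the authenticator check a server that accepts CoA/Disconnect packets must make before acting on them, and builds the matching Disconnect-ACK. The shared secret, identifier and user name are constructed values.

```python
"""RFC 5176 Disconnect-Request: encoding and receiver-side verification.

A Disconnect-Request (code 40) has the same 20-byte header as an
Access-Request, but its Request Authenticator is not random.  It is
    MD5(Code + Identifier + Length + 16 zero octets + Attributes + Secret)
so the receiver can recompute it and drop packets from anyone who does not
hold the shared secret.  The ACK/NAK (codes 41/42) carry the usual Response
Authenticator computed over the request's authenticator.
Added example, not FreeRADIUS code; secret and names are constructed.
"""
import hashlib
import hmac
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42
ATTR_USER_NAME = 1          # RFC 2865 attribute type numbers
ATTR_NAS_IP_ADDRESS = 4


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """One RADIUS TLV: type, total length (2 + value), value."""
    if not 0 <= len(value) <= 253:
        raise ValueError("attribute value must be 0..253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def parse_attrs(data: bytes) -> list:
    """Split the attribute area into (type, value) pairs, rejecting bad TLVs."""
    out = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        out.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def build_disconnect_request(identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """What a management tool sends to the server (or the server to the NAS)."""
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier & 0xFF, 20 + len(attrs))
    authenticator = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return header + authenticator + attrs


def verify_disconnect_request(packet: bytes, secret: bytes) -> bool:
    """Receiver side: sane length, right code, and the authenticator recomputed
    over the packet with the secret.  Anything else is silently dropped."""
    if len(packet) < 20:
        return False
    code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if code != DISCONNECT_REQUEST or length != len(packet):
        return False
    header, received_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + b"\x00" * 16 + attrs + secret).digest()
    return hmac.compare_digest(received_auth, expected)


def build_response(request: bytes, code: int, secret: bytes, attrs: bytes = b"") -> bytes:
    """Disconnect-ACK/NAK: Response Authenticator is MD5 over the reply header,
    the *request's* authenticator, the reply attributes and the secret."""
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    authenticator = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + authenticator + attrs


def verify_response(request: bytes, response: bytes, secret: bytes) -> bool:
    """Sender side: check that the ACK/NAK really answers our request."""
    if len(response) < 20 or response[1] != request[1]:
        return False
    header, attrs = response[:4], response[20:]
    expected = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return hmac.compare_digest(response[4:20], expected)


def demo() -> tuple:
    """'disconnect user bob' with a constructed secret: the genuine request is
    accepted, one built with another secret is rejected, the ACK verifies."""
    secret = b"constructed-secret"
    attrs = encode_attr(ATTR_USER_NAME, b"bob")
    request = build_disconnect_request(7, secret, attrs)
    accepted = verify_disconnect_request(request, secret)
    other = build_disconnect_request(7, b"some-other-secret", attrs)
    rejected = not verify_disconnect_request(other, secret)
    ack = build_response(request, DISCONNECT_ACK, secret)
    return accepted, rejected, verify_response(request, ack, secret)


if __name__ == "__main__":
    print(demo())
```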


communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand in my case, and I would like to know if the communication 
between my Cisco equipment and my FreeRadius is safe. I have a secret shared 
between both. I understand that the communication between freeradius and the 
RADIUS client uses the RADIUS protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone please confirm whether the communication is safe? Because I am afraid 
to see my password in clear text in the users file. Is it possible to use md5, 
ssha ... and how?

Thanks,

Regards,


François
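
For the question above (PAP from a Cisco ssh/telnet login, no EAP tunnel), the following is an added example, not part of the original post and not FreeRADIUS code: it implements the RFC 2865 User-Password hiding that the NAS and the server apply with the shared secret, then checks the recovered cleartext against the '{MD5}' userPassword value from the LDAP entry quoted earlier in this digest. The shared secret and the Request-Authenticator are constructed values.

```python
"""How PAP carries the password over RADIUS (RFC 2865 section 5.2).

With PAP there is no TLS tunnel, but the NAS does not send the password
as-is either: it NUL-pads it to 16-octet blocks and XORs the first block
with MD5(secret + Request-Authenticator) and every later block with
MD5(secret + previous ciphertext block).  The server undoes the same
steps, so it *does* end up with the cleartext and can compare it against
a hashed copy such as an LDAP '{MD5}<base64>' userPassword.  The only
thing protecting the password on the wire is the shared secret, which is
why that secret must be strong and the NAS-to-server path trusted.
Added example, not FreeRADIUS code; secret and authenticator are constructed.
"""
import base64
import hashlib
import hmac


def _pad16(data: bytes) -> bytes:
    """NUL-pad to a multiple of 16 octets, as the RFC requires."""
    return data + b"\x00" * (-len(data) % 16)


def _mask_blocks(data: bytes, secret: bytes, authenticator: bytes, decrypt: bool) -> bytes:
    """Shared chaining loop.  When hiding, the chain uses the block just
    produced (ciphertext); when unhiding, it uses the block just read."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 octets")
    if len(data) == 0 or len(data) % 16:
        raise ValueError("data must be a non-empty multiple of 16 octets")
    out, prev = bytearray(), authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        result = bytes(a ^ b for a, b in zip(block, mask))
        out += result
        prev = block if decrypt else result
    return bytes(out)


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """NAS side: cleartext -> User-Password attribute value (16..128 octets)."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    return _mask_blocks(_pad16(password), secret, authenticator, decrypt=False)


def unhide_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Server side: User-Password attribute value -> cleartext.  Trailing NULs
    are padding, so a password containing NUL is not representable."""
    return _mask_blocks(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")


def check_ldap_md5(cleartext: bytes, stored: str) -> bool:
    """What a PAP check against a '{MD5}' userPassword amounts to: hash the
    recovered cleartext and compare with the stored digest in constant time."""
    if not stored.startswith("{MD5}"):
        raise ValueError("only {MD5} values are handled here")
    return hmac.compare_digest(hashlib.md5(cleartext).digest(),
                               base64.b64decode(stored[5:]))


def demo() -> bool:
    """Round trip for the request shown in this digest: User-Password 'toto'
    checked against the userPassword of the LDAP entry.  A real NAS picks a
    fresh random 16-octet authenticator per request; this one is fixed."""
    secret = b"constructed-shared-secret"
    authenticator = bytes(range(16))
    on_the_wire = hide_password(b"toto", secret, authenticator)
    recovered = unhide_password(on_the_wire, secret, authenticator)
    return check_ldap_md5(recovered, "{MD5}9x2+UmKKP4OnerSUgXUlxg==")


if __name__ == "__main__":
    print(demo())
```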

Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
So in other words this script is for all clients except Microsoft-like ones?
You should try altering make client command in Makefile so that client
certificates are signed by ca and not server certificate.
do you have such an altered Makefile?



On Tue, May 19, 2009 at 1:35 PM, Ivan Kalik t...@kalik.net wrote:

  # make client
 
  next I made a copy of ca.der and client.p12 to xp directory,
  next I opened mmc and install both of them to Trusted Root Certificate
  Authorities and to Personal
 
  exclamation mark on client certificate:
  windows does not have enough information to verify this certificate
  you have private key that corresponds to this certificate
 

 This is explained in raddb/certs/README - Compatibility. You should try
 altering make client command in Makefile so that client certificates are
 signed by ca and not server certificate.

 Ivan Kalik
 Kalik Informatika ISP


Re: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Nicolas Goutte


On 19.05.2009 at 14:14, François Mehault wrote:


Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I
don't understand in my case, and I would like to know if the communication
between my Cisco equipment and my FreeRadius is safe. I have a secret shared
between both. I understand that the communication between freeradius and the
RADIUS client uses the RADIUS protocol. But in my case there is no PEAP,
EAP/TLS …

Can someone please confirm whether the communication is safe? Because I am
afraid to see my password in clear text in the users file. Is it possible to
use md5, ssha … and how?


For the compatibility, see http://deployingradius.com/documents/protocols/compatibility.html




Thanks,



Regards,





François




Have a nice day!

Nicolas Goutte






RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Well, I am using checkval to check the attribute NAS-IP-Address. What I want: 
I have several users and several NAS; some users are allowed to authenticate on some 
NAS, and others not. I use an OpenLDAP database. Each user has an attribute 
radiusCheckItem. I don't know if I am right, if it's the right way to do what 
I need, but I am a novice with freeRadius and OpenLDAP.

-----Original Message-----
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday, 19 May 2009 13:46
To: François Mehault
Subject: RE: check-item NAS-IP-ADdress Calling-Station-ID with openldap

 [...]

 rlm_checkval: Could not find item named Client-IP-Address in request
 rlm_checkval: Could not find attribute named Client-IP-Address in check
 pairs
 ++[nas-check] returns notfound

OK. It can't work since Client-IP-Address is not in the request. Can you
remind me: why are you using checkval? Multiple values for NAS IP? Your
user entry has only one.

Ivan Kalik
Kalik Informatika ISP



RE: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread François Mehault
OK, thanks. In fact, I want my RADIUS client to encrypt my password with md5 for 
example, and freeradius to check the MD5 hash. So I understand I have to use PAP? 
In my ldap module I think I have to put « password_attribute = userPassword ». 
But if I do, I have to put my password in clear in my ldap, otherwise it doesn't 
work. Also, I can comment out the « password_attribute = userPassword » in my ldap 
module and put my password in md5/ssha etc... in openldap and it works. But I 
don't know very well why?


modules {
 Module: Checking authenticate {...} for more modules to load
 Module: Linked to module rlm_pap
 Module: Instantiating pap
  pap {
encryption_scheme = auto
auto_header = no
  }
 Module: Linked to module rlm_chap
 Module: Instantiating chap
 Module: Linked to module rlm_mschap
 Module: Instantiating mschap
  mschap {
use_mppe = yes
require_encryption = no
require_strong = no
with_ntdomain_hack = no
  }
 Module: Linked to module rlm_unix
 Module: Instantiating unix
  unix {
radwtmp = /var/log/radwtmp
  }
 Module: Linked to module rlm_eap
 Module: Instantiating eap
  eap {
default_eap_type = md5
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = 2048
  }
 Module: Linked to sub-module rlm_eap_md5
 Module: Instantiating eap-md5
 Module: Linked to sub-module rlm_eap_leap
 Module: Instantiating eap-leap
 Module: Linked to sub-module rlm_eap_gtc
 Module: Instantiating eap-gtc
   gtc {
challenge = Password: 
auth_type = PAP
   }
 Module: Linked to sub-module rlm_eap_tls
 Module: Instantiating eap-tls
   tls {
rsa_key_exchange = no
dh_key_exchange = yes
rsa_key_length = 512
dh_key_length = 512
verify_depth = 0
pem_file_type = yes
private_key_file = /usr/local/etc/raddb/certs/server.pem
certificate_file = /usr/local/etc/raddb/certs/server.pem
CA_file = /usr/local/etc/raddb/certs/ca.pem
private_key_password = whatever
dh_file = /usr/local/etc/raddb/certs/dh
random_file = /usr/local/etc/raddb/certs/random
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = DEFAULT
make_cert_command = /usr/local/etc/raddb/certs/bootstrap
cache {
enable = no
lifetime = 24
max_entries = 255
}
   }
 Module: Linked to sub-module rlm_eap_ttls
 Module: Instantiating eap-ttls
   ttls {
default_eap_type = md5
copy_request_to_tunnel = no
use_tunneled_reply = no
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_peap
 Module: Instantiating eap-peap
   peap {
default_eap_type = mschapv2
copy_request_to_tunnel = no
use_tunneled_reply = no
proxy_tunneled_request_as_eap = yes
virtual_server = inner-tunnel
   }
 Module: Linked to sub-module rlm_eap_mschapv2
 Module: Instantiating eap-mschapv2
   mschapv2 {
with_ntdomain_hack = no
   }

From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org 
[mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org]
 On behalf of Nicolas Goutte
Sent: Tuesday, 19 May 2009 14:45
To: FreeRadius users mailing list
Subject: Re: communication safe ssh - NAS - FreeRADIUS ?


On 19.05.2009 at 14:14, François Mehault wrote:


Hi,

I authenticate on Cisco equipment via ssh/telnet. There is no supplicant, so I 
don't understand in my case, and I would like to know if the communication 
between my Cisco equipment and my FreeRadius is safe. I have a shared secret 
between both. I understand that the communication between freeradius and the 
radius client uses the Radius protocol. But in my case there is no PEAP, EAP/TLS 
...
Can someone confirm to me please whether the communication is safe? Because I am 
afraid to see my password in clear text in the users file. Is it possible to use md5, 
ssha ... and how?
For the compatibility, see 
http://deployingradius.com/documents/protocols/compatibility.html


Thanks,

Regards,


François

Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841





Re: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Ivan Kalik
 I authenticate on Cisco equipment via ssh/telnet. There is no supplicant,
 so I don't understand in my case, and I would like to know if the
 communication between my Cisco equipment and my FreeRadius is safe. I
 have a shared secret between both. I understand that the communication
 between freeradius and the radius client uses the Radius protocol. But in
 my case there is no PEAP, EAP/TLS ...
 Can someone confirm to me please whether the communication is safe? Because
 I am afraid to see my password in clear text in the users file. Is it
 possible to use md5, ssha ... and how?


The Radius protocol *uses* md5 to encrypt the password in the request.

http://www.ietf.org/rfc/rfc2865.txt

Ivan Kalik
Kalik Informatika ISP

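To make Ivan's answer concrete, the following Python is an added example written for this page (it is not FreeRADIUS code and not anything a poster supplied). It implements the RFC 2865 User-Password hiding a NAS applies before the packet leaves it, the server-side reversal, and the RFC 2869 Message-Authenticator that shows up as `Message-Authenticator = 0x...` in the debug output later in this thread and that `require_message_authenticator = yes` enforces. The shared secret `testing123`, the Request Authenticator and the user name are constructed sample values. The point for a defender is visible in `hide_user_password`: the "encryption" is an XOR with MD5(secret + authenticator), so anyone who can see the packet and knows (or guesses) the shared secret recovers the password; the secret between the Cisco device and FreeRADIUS is the only thing protecting a PAP password on the wire.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types used here (RFC 2865 / RFC 2869).
ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_MESSAGE_AUTHENTICATOR = 80


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Hide a PAP password the way a NAS does (RFC 2865 section 5.2).

    The password is NUL-padded to a multiple of 16 bytes; each 16-byte block is
    XORed with MD5(secret + previous ciphertext block), the first block using the
    16-byte Request Authenticator. Knowing the secret and the packet undoes it.
    """
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Undo hide_user_password, as the RADIUS server does before checking PAP."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out += bytes(c ^ k for c, k in zip(block, key))
        prev = block
    return bytes(out).rstrip(b"\x00")


def _attr(attr_type: int, value: bytes) -> bytes:
    """Encode one Type-Length-Value attribute; the length covers the 2-byte header."""
    if len(value) > 253:
        raise ValueError("attribute value too long for one RADIUS attribute")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, username: bytes, password: bytes,
                         secret: bytes, authenticator: bytes) -> bytes:
    """Build an Access-Request with User-Name, hidden User-Password and a
    Message-Authenticator (HMAC-MD5 over the packet with that value zeroed)."""
    attrs = _attr(ATTR_USER_NAME, username)
    attrs += _attr(ATTR_USER_PASSWORD, hide_user_password(password, secret, authenticator))
    attrs += _attr(ATTR_MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator
    mac = hmac.new(secret, header + attrs, hashlib.md5).digest()
    return header + attrs[:-16] + mac  # the zeroed value was the last 16 bytes


def verify_message_authenticator(packet: bytes, secret: bytes) -> bool:
    """Check the Message-Authenticator as a server with
    require_message_authenticator = yes would: recompute the HMAC over the
    packet with the attribute value zeroed and compare in constant time."""
    if len(packet) < 20 or struct.unpack("!H", packet[2:4])[0] != len(packet):
        return False
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            return False  # malformed attribute list
        if attr_type == ATTR_MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False  # no Message-Authenticator present at all


if __name__ == "__main__":
    # Constructed sample values; a real NAS picks a random Request Authenticator.
    secret = b"testing123"
    authenticator = bytes(range(16))
    packet = build_access_request(206, b"user@example.com", b"s3cret-pw", secret, authenticator)
    print("Access-Request:", packet.hex())
    print("Message-Authenticator valid:", verify_message_authenticator(packet, secret))
    print("wrong secret accepted:", verify_message_authenticator(packet, b"guess"))
```

Two things follow from running it: with the right secret the password round-trips and the Message-Authenticator verifies, while a wrong secret yields garbage from `reveal_user_password` and a failed HMAC check; and the HMAC, unlike the User-Password hiding, also detects tampering with the other attributes, which is why the proxy configuration later in this digest turns `require_message_authenticator` on.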


Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)

2009-05-19 Thread Alan DeKok
Fajar A. Nugraha wrote:
 So how do you plan to provide seamless upgrade for RHEL 5 users?

  Upgrades across a major version number of software require manual
changes to the configuration.

 Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a
 clean install?

  The configuration is *similar*, but not identical.  I would suggest a
clean install, followed by a manual migration of the configuration.

  It shouldn't take too long.  An hour to a day, at most.

  Alan DeKok.


RE: communication safe ssh - NAS - FreeRADIUS ?

2009-05-19 Thread Ivan Kalik
 Oki, thanks. In fact, I want my radius client to encrypt my password with
 md5 for example, and freeradius to check the MD5 hash. So I understand I
 have to use PAP? In my ldap module I think I have to put « password_attribute
 = userPassword ». But if I do, I have to put my password in clear text in my
 ldap, otherwise it doesn't work.

Store the password as {md5} followed by the encrypted value, and enable auto
header detection in the pap module (it's disabled by default):

   pap {
 encryption_scheme = auto
 auto_header = yes    # default is no; yes makes pap honour the {md5} header
   }

Ivan Kalik
Kalik Informatika ISP

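Here is an added example, written for this page rather than taken from rlm_pap or from any poster, of what Ivan's advice amounts to: the stored value carries a `{scheme}` header, the server detects the scheme from that header (what `auto_header = yes` lets pap do), hashes the cleartext it recovered from the PAP request with that scheme, and compares. It generates the `{md5}` and OpenLDAP-style `{ssha}` forms, falls back to a cleartext comparison when there is no header (the `password_attribute = userPassword` case François describes), and accepts either hex or base64 digests, which is this demo's choice. The sample passwords and the 8-byte salt are constructed. The trade-off the thread skirts is visible in the two generators: `{md5}` keeps the cleartext out of the directory but is unsalted and cheap to brute-force offline if the directory leaks, while `{ssha}` adds a per-entry salt; both only work with PAP, since CHAP and MS-CHAP need the cleartext or NT hash.

```python
import base64
import hashlib
import hmac
import os
import re

# Matches a "{scheme}value" password as stored in LDAP (case of scheme ignored).
_HEADER = re.compile(r"^\{([A-Za-z0-9-]+)\}(.*)$", re.S)


def make_md5_password(password: bytes) -> str:
    """Produce the {md5} form: header plus the base64 MD5 digest of the password."""
    return "{md5}" + base64.b64encode(hashlib.md5(password).digest()).decode("ascii")


def make_ssha_password(password: bytes, salt: bytes = None) -> str:
    """Produce the {ssha} form OpenLDAP uses: base64(sha1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return "{ssha}" + base64.b64encode(digest + salt).decode("ascii")


def _decode_digest(body: str, hex_len: int = None) -> bytes:
    """Accept a hex digest of exactly hex_len chars, otherwise treat as base64."""
    if hex_len and len(body) == hex_len and re.fullmatch(r"[0-9a-fA-F]+", body):
        return bytes.fromhex(body)
    return base64.b64decode(body)


def check_password(stored: str, candidate: bytes) -> bool:
    """Emulate header auto-detection: choose the scheme from the {...} prefix.

    A value with no header is compared as cleartext. Comparisons use
    hmac.compare_digest so timing does not leak how many bytes matched.
    """
    match = _HEADER.match(stored)
    if match is None:
        return hmac.compare_digest(stored.encode("utf-8"), candidate)
    scheme, body = match.group(1).lower(), match.group(2)
    if scheme == "clear":
        return hmac.compare_digest(body.encode("utf-8"), candidate)
    if scheme == "md5":
        return hmac.compare_digest(hashlib.md5(candidate).digest(), _decode_digest(body, 32))
    if scheme == "sha":
        return hmac.compare_digest(hashlib.sha1(candidate).digest(), _decode_digest(body, 40))
    if scheme == "ssha":
        raw = _decode_digest(body)          # salted SHA-1 is always base64 here
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes, rest is salt
        return hmac.compare_digest(hashlib.sha1(candidate + salt).digest(), digest)
    raise ValueError("unsupported password scheme {%s}" % scheme)


if __name__ == "__main__":
    # Constructed sample entries, as they might sit in userPassword.
    entries = {
        "alice": make_md5_password(b"hunter2"),
        "bob": make_ssha_password(b"hunter2", salt=b"12345678"),
        "carol": "hunter2",  # cleartext, no header
    }
    for user, stored in entries.items():
        print(user, stored, "->", check_password(stored, b"hunter2"), check_password(stored, b"wrong"))
```

Run as a script it prints each stored form and shows that the right password passes and a wrong one fails for all three schemes; the `{md5}` line is the one to compare against what Ivan describes storing in LDAP.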

Re: question about windows users

2009-05-19 Thread Bartosz Chodzinski
I created the certs once again by myself, giving the user cert the same
common name as in the example,
u...@example.com. I placed them on the XP client; both of them look OK.
Now something is happening (anyway, like Aragorn said: still not king):


Ready to process requests.
rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
length=147
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = u...@example.com
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x380489e7e9bb9568103d6ee3dccdfb15
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] Looking up realm example.com for User-Name = u...@example.com
[suffix] Found realm example.com
[suffix] Adding Stripped-User-Name = user
[suffix] Adding Realm = example.com
[suffix] Proxying request from user user to realm example.com
[suffix] Preparing to proxy authentication request to realm example.com
++[suffix] returns updated
[eap] Request is supposed to be proxied to Realm example.com.  Not doing
EAP.
++[eap] returns noop
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = user
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x
Proxy-State = 0x323036
Proxying request 0 to home server 127.0.0.1 port 1812
Sending Access-Request of id 14 to 127.0.0.1 port 1812
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = user
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x
Proxy-State = 0x323036
Going to the next request
Waking up in 0.9 seconds.
rad_recv: Access-Request packet from host 127.0.0.1 port 1814, id=14,
length=140
NAS-IP-Address = 192.168.5.206
NAS-Port = 50046
NAS-Port-Type = Ethernet
User-Name = user
Called-Station-Id = 00-0C-30-81-9B-EE
Calling-Station-Id = 00-0A-E4-13-1A-02
Service-Type = Framed-User
Framed-MTU = 1500
EAP-Message = 0x02150175736572406578616d706c652e636f6d
Message-Authenticator = 0x2fe31c62e81552bf7a752f0c4a4b1633
Proxy-State = 0x323036
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = user, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 0 length 21
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns updated
++[files] returns noop
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Identity does not match User-Name, setting from EAP Identity.
[eap] Failed in handler
++[eap] returns invalid
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - user
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 1 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 1
Sending Access-Reject of id 14 to 127.0.0.1 port 1814
Proxy-State = 0x323036
Waking up in 4.9 seconds.
rad_recv: Access-Reject packet from host 127.0.0.1 port 1812, id=14,
length=25
Proxy-State = 0x323036
+- entering group post-proxy {...}
[eap] No pre-existing handler found
++[eap] returns noop
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - u...@example.com
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Sending Access-Reject of id 206 to 192.168.5.206 port 1812
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 1 ID 14 with timestamp +43
Cleaning up request 0 ID 206 with timestamp +43
Ready to process requests.




On Tue, May 19, 2009 at 2:23 PM, Bartosz Chodzinski 

Re: RFE configure script report

2009-05-19 Thread Damjan
  Can the ./configure script be made to report at the end what modules it
  found it can build. The ./configure output does have this information
  but it's not easy to follow.
 
 i guess you are asking this after seeing similar feature in other
 software? 

yes, net-snmp, xine-lib and conky are the first that come to my mind 




-- 
damjan | дамјан
This is my jabber ID -- dam...@bagra.net.mk 
 -- not my mail address, it's a Jabber ID --^ :)

Re: question about windows users

2009-05-19 Thread Ivan Kalik
 I created once again certs by myself, giving common name for user cert the
 same like in example
 u...@example.com, I place them on xp client - both of them looks ok,
 now something is happening (anyway like Aragorn said: still not king):


 Ready to process requests.
 rad_recv: Access-Request packet from host 192.168.5.206 port 1812, id=206,
 length=147
...
 User-Name = u...@example.com
...
 [suffix] Found realm example.com
 [suffix] Adding Stripped-User-Name = user
 [suffix] Adding Realm = example.com
 [suffix] Proxying request from user user to realm example.com
 [suffix] Preparing to proxy authentication request to realm example.com
 ++[suffix] returns updated
...
 Sending Access-Request of id 14 to 127.0.0.1 port 1812
...
 User-Name = user
...
 Found Auth-Type = EAP
 +- entering group authenticate {...}
 [eap] Identity does not match User-Name, setting from EAP Identity.
...

Don't strip the username. Why do you proxy this anyway? Create it as a
local realm:

realm example.com {
}

Ivan Kalik
Kalik Informatika ISP



Re: Complete Configuration of freeRadius

2009-05-19 Thread John Dennis
Ivan Kalik wrote:
 I am a student, and I want to implement a wireless LAN with MAC based
 authentication by using freeRadius.
 I installed freeRadius on Fedora Core 6. I need a complete configuration of
 freeRadius.

 
 It's already configured. It will do that in default configuration.

Be careful, FC-6 (Fedora Core 6) is quite old in Fedora terms. The
current version of Fedora is 10 and next week FC-11 will be released.
The version of freeradius in FC-6 is the ancient 1.1.3. As of last night
FC-9 and FC-10 have the most current freeradius 2.1.6 RPM's available in
the testing repository.

I think it's fair to say that "it's already configured" is more a
property of the 2.x series than of the 1.x series.

-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/


Dynamic clients and NAS-Identifier

2009-05-19 Thread Johan Meiring

Hi Alan,

I realise I've asked for this before, and it is on your todo list, but 
I'd like to make a case again for maybe getting it moved up higher on 
the list.

The current clients structure identifies the NAS's by IP address.
While this is perfect for corporate environments, it is not so perfect 
for the hotspot environment in which we operate.

We have a central radius server for many different hotspot owners.
Hotspots are running chillispot.

We need to somehow authenticate the NAS, so someone cannot send rogue 
accounting info to radius.

The only way to currently identify a NAS is by IP address. You can then 
look up the NAS, and create a radius secret based on the IP address. 
This is done using the dynamic_clients virtual server.

The problem is that the hotspots can be anywhere.  They are mostly 
behind ADSL lines.  The source IP address of the radius packet is 
therefore not predictable.

The only other way I can think of is identifying the NAS by the 
NAS-Identifier.

To sum up:
Currently a NAS is authenticated by IP address/radius secret.
I feel that being able to authenticate a NAS by NAS-Identifier/radius 
secret would be a very good enhancement.

I'm sure that I'm not the only one that has NAS's behind dynamic IPs, 
and this would make radius traffic from such NAS's much more secure.

I'm prepared to do it myself, but my C skills really suck.  I can only 
do copy-and-paste type editing.

I've spent a few hours looking at the code, and it seems that (in 
listen.c) you need to create the value pairs somehow before sending 
the packet to module_authorize, but I have no clue how to even attempt 
this.

I'm fully prepared to try and contribute somehow, but this is way out of 
my league.

Anyway, end of long story.  I simply hope to get this maybe moved a bit 
higher up on the todo list.


Thanks!!!


--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782



RE: check-item NAS-IP-Address & Calling-Station-ID with openldap

2009-05-19 Thread François Mehault
Thanks Ivan!

With huntgroups it works perfectly. Now I am looking to manage my huntgroups 
with ldap, no longer with the huntgroups file.

Each user has the primitive radiusHuntgroupName, but I want to define my 
huntgroups in ldap. Do you think that is possible?

Regards,

Francois

-Original Message-
From: Ivan Kalik [mailto:t...@kalik.net]
Sent: Tuesday, 19 May 2009 15:09
To: François Mehault
Subject: RE: check-item NAS-IP-Address & Calling-Station-ID with openldap

 Well, I am using checkval to check the attribute NAS-IP-Address. What I
 want: I have several users and several NAS; some users are allowed to
 authenticate on some NAS, and others not. I use an openldap database. Each
 user has an attribute radiusCheckItem. I don't know if I am right, if
 it's the good way to do what I need, but I am a novice with freeRadius and
 OpenLDAP.

Well, if user is going to have only one value for NAS IP, then you don't
need checkval - just map appropriate attribute as check item in
raddb/ldap.attrmap. If he should be allowed on several devices it might be
better to use huntgroups/sqlhuntgroups - as long as there are not too many
combinations.

Same applies to mac address - if user can use only one there is no need to
use checkval.

Ivan Kalik
Kalik Informatika ISP



help me: proxying towards 2 different networks

2009-05-19 Thread Marco De Magistris
Hi all,

Thanks in advance for your help.

Here is our scenario, which is working now:

1.  The Radius client sends packets towards the Radius proxy (from
    192.168.1.2 to 192.168.1.3).
2.  The Radius proxy listens on 192.168.1.3 for authentication packets and
    forwards them towards two different networks (192.168.14.4 and
    192.168.24.4).

Can I configure this scenario using FreeRadius?

The current configuration is:

First configuration

Radiusd.conf

listen {
        ipaddr = 192.168.1.2
        port = 1812
        type = auth
        interface = eth18
}

proxy.conf

home_server Server1 {
        type = auth
        ipaddr = 192.168.14.4
        port = 1812
        secret = SECRET
        require_message_authenticator = yes
}

home_server Server2 {
        type = auth
        ipaddr = 192.168.24.4
        port = 1812
        secret = SECRET
        require_message_authenticator = yes
}

home_server_pool Serverpool1 {
        type = fail-over
        home_server = Server1
}

home_server_pool Serverpool2 {
        type = fail-over
        home_server = Server2
}

realm isp1.com {
        auth_pool = Serverpool1
}

realm isp2.com {
        auth_pool = Serverpool2
}

Results:

Expiration of the Timeout

Second configuration

Adding in radiusd.conf:

listen {
        ipaddr = 192.168.14.3
        port = 1812
        type = proxy
}

Results:

The packet is received correctly by Server1, but I can't send any packet
towards Server2.

Latest configuration

Adding in radiusd.conf:

listen {
        ipaddr = 192.168.14.3
        port = 1812
        type = proxy
}

listen {
        ipaddr = 192.168.24.3
        port = 1812
        type = proxy
}

Results:

Expiration of the Timeout

Re: help me: proxying towards 2 different networks

2009-05-19 Thread Alan DeKok
Marco De Magistris wrote:
1. Radius Client sends packets towards Radius Proxy (from 192.168.1.2
   to 192.168.1.3)
2. Radius proxy listen on 192.168.1.3 for authentication packet and
   forwarding them towards two different  network (192.168.14.4 and
   192.168.24.4)

 Can I configure this scenario using FreeRadius?

  No.  RADIUS doesn't work like that.

  Why do you want to do this?

  Alan DeKok.


Re: Freeradius 2.1.1 and SQLite database

2009-05-19 Thread Peter Lambrechtsen
On 20/05/2009, at 12:00 AM, Alan DeKok al...@deployingradius.com wrote:

 Peter Lambrechtsen wrote:
  Has anyone done any work with FreeRadius 2.1.1 or higher and SQLite as
  the backend db.

  Nope.

  Would love to have it working with sqlite as that is the smallest DB
  footprint of all the supported databases for Free Radius.

  Write the code... submit it back.

Will do

  Has anyone done work with the sqlite db and give me some pointers on
  the database setup for sqlite, looks like I need to create a file
  called sqlite_radius_client_database but not sure what the structure
  should be... And google isn't helping much either.

  Apple uses it for their OS X Server system.  The clients go into
 SQLite, so that their administration system doesn't have to deal with
 MySQL, PostgreSQL, or flat-text files.

  The schema is just the normal NAS schema, as with the other SQL
 drivers.

  To have it use the radcheck, radreply, etc. tables, you'll have to
 define the schemas, create the DB, and define the queries.  It *should*
 work, so long as you use the hard-coded DB file name.

Ok I will have a go and submit my results back to the users/devel
lists depending upon how I get along.

The final destination is a single wifi router such as an Asus 500p which
has a USB port that can take a stick for local storage to host the db with
captive portal and WPA for either PEAP or TLS logon SSIDs with a web
admin backend. All with OpenWrt.

Will let you know how I get along with the freeradius component.

  Alan DeKok.


Re: current RHEL/CentOS pre-built packages (Was: freeRADIUS)

2009-05-19 Thread John Dennis
Fajar A. Nugraha wrote:
 On Sun, May 17, 2009 at 11:33 PM, John Dennis jden...@redhat.com wrote:
 We expect to provide an official update to RHEL with a 2.x
 version of FreeRADIUS in the next update cycle which would be RHEL 5.5,
 
 So how do you plan to provide seamless upgrade for RHEL 5 users?
 Is freeradius 1.1.3 config compatible with 2.x? Or do we have to do a
 clean install?

Please note what Alan said about upgrades across major versions
requiring manual configuration.

Also, the package will have a different name: rather than freeradius it
will be named freeradius2. However (and this is critical) it will
conflict at the file level; in other words, freeradius and freeradius2
cannot both be installed simultaneously.


-- 
John Dennis jden...@redhat.com

Looking to carve out IT costs?
www.redhat.com/carveoutcosts/