Re: need help - force EAP-TTLS to validate the server certificate
I tried to login from another client, but it's the same problem.

TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.

Sorry that I ask again but I want to be sure that I didn't understand anything wrong. Is it not generally possible to configure the freeradius server so that only clients with username/password and client certificate can login successfully? For example only users who choose PEAP with the right username and password and having a client certificate can login successfully. Or is the problem with the error in reading client certificate a problem in the clients?

Thanks a lot!

-------- Original Message --------
Date: Fri, 17 Sep 2010 11:26:56 -0400
From: John Dennis jden...@redhat.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
CC: Klaus Laus superkla...@gmx.de
Subject: Re: need help - force EAP-TTLS to validate the server certificate

> On 09/17/2010 11:00 AM, Klaus Laus wrote:
> > thanks a lot for your answer.
> > > Either move the files module before eap, or use unlang to set it:
> > >
> > > authorize {
> > >     ...
> > >     update control {
> > >         EAP-TLS-Require-Client-Cert = yes
> > >     }
> > >     eap
> > >     ...
> > > }
> >
> > I did the changes in the authorize section, and freeradius seems to require the client certificate. But the server is not accepting my certificate. I don't think that the certificate is bad because I can login any client with the same certificate when I use TLS instead of PEAP.
> >
> > This is my way to login with PEAP on a windows xp client, maybe I do anything wrong?: I import the pkcs12 certificate from the freeradius server in the windows xp certificate management. When I type certmgr.msc under run I can see that the certificate is successfully imported. Then I scan for the wireless networks and connect to wifix, I use PEAP with MSCHAP v.2 and type in testuser as user with the correct password.
> >
> > Here you can see the debug output (freeradius did not find my certificate):
>
> That's right, the server didn't get your cert, it's right in the debug. As Alan said this isn't a server issue, it's a client issue, figure out why your client is not returning a cert.
>
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
>
> --
> John Dennis jden...@redhat.com

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I tried to login from another client, but it's the same problem.
>
> TLS Alert write:fatal:handshake failure
> TLS_accept:error in SSLv3 read client certificate B
> rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> SSL: SSL_read failed in a system call (-1), TLS session fails.

That message should be clear. The supplicant didn't send a client certificate.

Did you create a client certificate? If so, did you copy it to the client?

Alan DeKok.
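The debug lines quoted in this thread, decoded as an added example (not part of the original messages and not FreeRADIUS code): it splits the OpenSSL error string into its fields, unpacks the numeric code using the pre-3.0 OpenSSL layout, and reports which side to investigate. The function names and the `SAMPLE_DEBUG` text are constructed for illustration.

```python
import re

# Constructed sample: the four debug lines quoted in the thread, one per line.
SAMPLE_DEBUG = """\
TLS Alert write:fatal:handshake failure
TLS_accept:error in SSLv3 read client certificate B
rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
SSL: SSL_read failed in a system call (-1), TLS session fails.
"""

# OpenSSL error strings: error:<hex code>:<library>:<function>:<reason>
ERR_RE = re.compile(r"error:([0-9A-Fa-f]{8}):([^:]*):([^:]*):(.*)$")
# Alert lines as they appear in the quoted debug output.
ALERT_RE = re.compile(r"TLS Alert (read|write):(\w+):(.+)$")


def parse_openssl_error(line):
    """Split one error string and unpack its code (OpenSSL < 3.0 packing)."""
    m = ERR_RE.search(line)
    if m is None:
        return None
    code = int(m.group(1), 16)
    return {
        "lib": (code >> 24) & 0xFF,     # 0x14 (20) is the SSL library
        "func": (code >> 12) & 0xFFF,   # function that raised the error
        "reason_code": code & 0xFFF,    # numeric reason
        "library": m.group(2),
        "function": m.group(3),
        "reason": m.group(4).strip(),
    }


def triage(debug_text):
    """Return a summary of the first alert and first SSL error, or None."""
    alert_sent_by = None
    error = None
    for line in debug_text.splitlines():
        alert = ALERT_RE.search(line)
        if alert and alert_sent_by is None:
            # "write" means this end (the RADIUS server) sent the alert.
            alert_sent_by = "server" if alert.group(1) == "write" else "peer"
        parsed = parse_openssl_error(line)
        if parsed and error is None:
            error = parsed
    if error is None:
        return None
    # The server asked for a client certificate and the supplicant sent none:
    # the fix is in the supplicant configuration, not in the server.
    missing_cert = (
        error["function"] == "SSL3_GET_CLIENT_CERTIFICATE"
        and error["reason"] == "peer did not return a certificate"
    )
    return {
        "alert_sent_by": alert_sent_by,
        "investigate": "client" if missing_cert else "unknown",
        "error": error,
    }


if __name__ == "__main__":
    print(triage(SAMPLE_DEBUG))
```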
Re: which samba version / patch for Active Directory 2008
Neil Prockter wrote:
> Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with named pipe disconnected and now ntlm --username and wbinfo -a no longer work.

That's a Samba problem, unfortunately...

Alan DeKok.
Re: which samba version / patch for Active Directory 2008
On 21/09/10 08:57, Alan DeKok wrote:
> Neil Prockter wrote:
> > Well things have taken a turn for the worse. At the weekend we upgraded the last AD Domain controller to 2008r2 (still in AD2003 mode) and the radius servers instantly stopped working with named pipe disconnected and now ntlm --username and wbinfo -a no longer work.
>
> That's a Samba problem, unfortunately...
>
> Alan DeKok.

Thanks to all for your help.

I applied the patch from https://bugzilla.samba.org/show_bug.cgi?id=7568 to samba 3.5.5. and all is well. This patch is to be included in next 3.4 and 3.5 releases so hopefully no one else will suffer the same head banging against wall confusion.

Neil
Re: need help - force EAP-TTLS to validate the server certificate
The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.

Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?

I want to allow only PEAP logins (or username/password logins) with client certificate.

-------- Original Message --------
Date: Tue, 21 Sep 2010 09:33:29 +0200
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > I tried to login from another client, but it's the same problem.
> >
> > TLS Alert write:fatal:handshake failure
> > TLS_accept:error in SSLv3 read client certificate B
> > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > SSL: SSL_read failed in a system call (-1), TLS session fails.
>
> That message should be clear. The supplicant didn't send a client certificate.
>
> Did you create a client certificate? If so, did you copy it to the client?
>
> Alan DeKok.
RE: Newbie
++[files] returns noop

Was the key I was editing the wrong users file... all is well now...

Thanks tons!

-----Original Message-----
From: freeradius-users-bounces+curtis.h.schwartz=nasa@lists.freeradius.org [mailto:freeradius-users-bounces+curtis.h.schwartz=nasa@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Monday, September 20, 2010 4:21 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: Newbie

> On 09/20/2010 08:45 PM, Schwartz, Curtis H. (GSFC-443.0)[SGT, INC] wrote:
> > Edit the users file, and add the following line of text at the top, before anything else:
> >
> > testing Cleartext-Password := password
>
> You say this, but then:
>
> > ++[files] returns noop
>
> Are you sure you edited the right file?
Question about sending VLAN attributes to Access Points
Hello,

is it possible to send attributes based on the used SSID?

Setup: SSID_X - Access Point - Freeradius - ntlm_auth - Active Directory

So, if a user enters SSID_X, Freeradius puts him into VLAN1234. If the same person enters SSID_Y, he shall stay in the default VLAN1000. (Both SSIDs use 802.1X against the same Freeradius Server. There has to be only one radius server.)

I also discovered a hack to get a similar behavior. For example:

DOMAIN\user Auth-Type = ntlm_auth
    Tunnel-Type = 13,
    Tunnel-Medium-Type = 6,
    Tunnel-Private-Group-ID = 1234

If the user uses DOMAIN\user as username, he enters VLAN1234. Using domain\user makes him stay within the default VLAN1000, because domain\user does not match the users configuration. The Active Directory does not care about big and small letters and allows both usernames.

But still, is it possible to send attributes based on the used SSID?

So long,
Aiko
--
:wq
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.

So... the issue is that you haven't configured the client to use the client certificate.

> Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?

Ask Microsoft how their software works.

It's annoying to have you ask a question here when you *already* know that you haven't configured the client certificate for PEAP. It means that you *know* it's not sending a client certificate. You *know* you haven't configured one on the client. And you *still* post the FreeRADIUS debug output, asking us to debug the *server* to see why the client certificate isn't being used.

Microsoft has documentation for Windows. Read it.

Alan DeKok.
RE: need help - force EAP-TTLS to validate the server certificate
EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to verify it but it does not use a client certificate. That's why there is no option to pick the client cert when setting up PEAP.

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 5:17 AM
To: FreeRadius users mailing list
Subject: Re: need help - force EAP-TTLS to validate the server certificate

> The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.
>
> Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?
>
> I want to allow only PEAP logins (or username/password logins) with client certificate.
>
> -------- Original Message --------
> Date: Tue, 21 Sep 2010 09:33:29 +0200
> From: Alan DeKok al...@deployingradius.com
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> > Klaus Laus wrote:
> > > I tried to login from another client, but it's the same problem.
> > >
> > > TLS Alert write:fatal:handshake failure
> > > TLS_accept:error in SSLv3 read client certificate B
> > > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> >
> > That message should be clear. The supplicant didn't send a client certificate.
> >
> > Did you create a client certificate? If so, did you copy it to the client?
> >
> > Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
I *only* want to know all the time if it's possible to login on a client with user/userpassword and client certificate. I pleased you *only* to say *no* or *yes* and maybe one sentence more. I know you're a freeradius expert not a M$ expert but I thought when you know how to set up a server you just know how to configure any clients. When you don't want to answer me that question it's ok, I can search on M$ websites, you're right. But I think if you wanted you could simply answer my question.

Nevertheless thank you for the great help with the configuration of the server.

Greetings
misterklaus

-------- Original Message --------
Date: Tue, 21 Sep 2010 14:21:26 +0200
From: Alan DeKok al...@deployingradius.com
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: need help - force EAP-TTLS to validate the server certificate

> Klaus Laus wrote:
> > The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.
>
> So... the issue is that you haven't configured the client to use the client certificate.
>
> > Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?
>
> Ask Microsoft how their software works.
>
> It's annoying to have you ask a question here when you *already* know that you haven't configured the client certificate for PEAP. It means that you *know* it's not sending a client certificate. You *know* you haven't configured one on the client. And you *still* post the FreeRADIUS debug output, asking us to debug the *server* to see why the client certificate isn't being used.
>
> Microsoft has documentation for Windows. Read it.
>
> Alan DeKok.
Re: need help - force EAP-TTLS to validate the server certificate
Klaus Laus wrote:
> I *only* want to know all the time if it's possible to login on a client with user/userpassword and client certificate. I pleased you *only* to say *no* or *yes* and maybe one sentence more. I know you're a freeradius expert not a M$ expert but I thought when you know how to set up a server you just know how to configure any clients. When you don't want to answer me that question it's ok, I can search on M$ websites, you're right. But I think if you wanted you could simply answer my question.

Honestly, I haven't configured a Windows system for EAP in 3-4 years.

And my frustration wasn't about asking a Microsoft question. It's that you were *hiding* information. The information you hid from us was *exactly* the information needed to solve the problem.

That was not nice.

Alan DeKok.
Several perl instances
Hi!

How can I create several perl instances for several virtual hosts (DHCP, AAA etc)?

--
Sergey V. Sokolov
nic-hdl: SVS141-RIPE
X-NCC-RegID: ru.gorizont
JRadius need FreeRadius?
Hi,

To install JRadius server, must I install freeRadius server?

Thanks
Re: RE: need help - force EAP-TTLS to validate the server certificate
A lot of thanks for your answer Mearl Danner,

I read the pages of M$ but I didn't find any possibilities to configure the clients so that the client uses a username/password and certificate. Do you know how I can do these settings or if it's generally not possible?

thanks again

-------- Original Message --------
Date: Tue, 21 Sep 2010 08:02:27 -0500
From: Danner, Mearl jmdan...@samford.edu
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: RE: need help - force EAP-TTLS to validate the server certificate

> EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to verify it but it does not use a client certificate. That's why there is no option to pick the client cert when setting up PEAP.
>
> -----Original Message-----
> From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
> Sent: Tuesday, September 21, 2010 5:17 AM
> To: FreeRadius users mailing list
> Subject: Re: need help - force EAP-TTLS to validate the server certificate
>
> > The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.
> >
> > Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?
> >
> > I want to allow only PEAP logins (or username/password logins) with client certificate.
> >
> > -------- Original Message --------
> > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > From: Alan DeKok al...@deployingradius.com
> > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> >
> > > Klaus Laus wrote:
> > > > I tried to login from another client, but it's the same problem.
> > > >
> > > > TLS Alert write:fatal:handshake failure
> > > > TLS_accept:error in SSLv3 read client certificate B
> > > > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> > >
> > > That message should be clear. The supplicant didn't send a client certificate.
> > >
> > > Did you create a client certificate? If so, did you copy it to the client?
> > >
> > > Alan DeKok.
RE: RE: need help - force EAP-TTLS to validate the server certificate
Not possible with the Microsoft supplicant as far as I know. PEAP encapsulation doesn't support client certificates. Probably what you want is EAP-TTLS which is not supported by Microsoft. You'll need a third party supplicant for it.

Might look at this for reference: http://en.wikipedia.org/wiki/Extensible_Authentication_Protocol

-----Original Message-----
From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
Sent: Tuesday, September 21, 2010 10:30 AM
To: FreeRadius users mailing list
Subject: Re: RE: need help - force EAP-TTLS to validate the server certificate

> A lot of thanks for your answer Mearl Danner,
>
> I read the pages of M$ but I didn't find any possibilities to configure the clients so that the client uses a username/password and certificate. Do you know how I can do these settings or if it's generally not possible?
>
> thanks again
>
> -------- Original Message --------
> Date: Tue, 21 Sep 2010 08:02:27 -0500
> From: Danner, Mearl jmdan...@samford.edu
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> Subject: RE: need help - force EAP-TTLS to validate the server certificate
>
> > EAP/PEAP requires a server certificate. You can opt for the M$ supplicant to verify it but it does not use a client certificate. That's why there is no option to pick the client cert when setting up PEAP.
> >
> > -----Original Message-----
> > From: freeradius-users-bounces+jmdanner=samford@lists.freeradius.org [mailto:freeradius-users-bounces+jmdanner=samford@lists.freeradius.org] On Behalf Of Klaus Laus
> > Sent: Tuesday, September 21, 2010 5:17 AM
> > To: FreeRadius users mailing list
> > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> >
> > > The message is clear. Yes I created a client certificate and imported it into the client. When I use TLS to connect to the freeradius server I can choose the client certificate in the TLS dialog and the client can login successfully. When I use PEAP to login I have to type in my username and password in the PEAP dialog from windows but I can not select a client certificate, the certificate is imported successfully in the windows certificate manager.
> > >
> > > Should I be able to choose a client certificate in the PEAP dialog or should it work when the certificate is saved in the windows certificate manager and I only have to type in my username and password in the PEAP dialog?
> > >
> > > I want to allow only PEAP logins (or username/password logins) with client certificate.
> > >
> > > -------- Original Message --------
> > > Date: Tue, 21 Sep 2010 09:33:29 +0200
> > > From: Alan DeKok al...@deployingradius.com
> > > To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> > > Subject: Re: need help - force EAP-TTLS to validate the server certificate
> > >
> > > > Klaus Laus wrote:
> > > > > I tried to login from another client, but it's the same problem.
> > > > >
> > > > > TLS Alert write:fatal:handshake failure
> > > > > TLS_accept:error in SSLv3 read client certificate B
> > > > > rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate
> > > > > SSL: SSL_read failed in a system call (-1), TLS session fails.
> > > >
> > > > That message should be clear. The supplicant didn't send a client certificate.
> > > >
> > > > Did you create a client certificate? If so, did you copy it to the client?
> > > >
> > > > Alan DeKok.
Re: Several perl instances
Hi,

> How i can create several perl instances for several virtual hosts (DHCP, AAA etc)?

give them names and identities...then call them that from the virtual host etc

eg

perl dhcp-perl {
    stuff here
}

perl main-code {
    stuff here
}

where 'stuff here' is taken from the current supplied perl {} code but modified for your own purpose.

note, this can be used for all modules, eg sql stuff too

alan
users match list criteria and vendor identification
Hi

I am trying to find a list of the criteria you can use in the users file on the match line, I came across a lengthy list/table earlier but can't seem to find it again.

I have looked at the attributes RFC, but I'm looking more for something that will list things like Group-Name, Auth-Type, and more importantly the other possible criteria I can include there.

One of the things I am curious to see is if there is a Vendor-ID attribute, does anyone know if there is?

Any help is greatly appreciated.

Cheers
Cam.

--
We are all in the gutter, but some of us are looking at the stars. - Oscar Wilde
Originate COA home_server
Hi,

I've configured originate COA using the originate-coa as an example.

My (relevant/edited for privacy) configuration looks like this:

client 11.22.33.44 {
    secret = verysecret
    shortname = test
    nastype = other
    virtual_server = my_virtual_server
    coa_server = my-coa
}

home_server my-coa {
    type = coa
    ipaddr = 11.22.33.44
    port = 3799
    secret = blah
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}

home_server_pool blah {
    type = fail-over
    home_server = my-coa
}

This works perfectly.

The home_server_pool seems unnecessary though, but if I leave it out, freeradius -X complains that the home_server does not exist.

/etc/freeradius/sites-enabled/my-config[1]: No such home_server or home_server_pool my-coa

It almost seems that the home_server_pool is necessary to instantiate the home_server.

Reading proxy.conf and the originate-coa example, it seems that a home_server_pool is only necessary if you want to actually fail-over/round-robin, etc.

I'm sure I can leave the config as is, as the home_server_pool is never actually referenced.

Am I completely confused?

--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Core with 64Bit pam_radius_auth on Solaris 9
Hello

I've managed to compile pam_radius-1.3.17 both 32Bit and 64Bit. I had to add -lsocket as part of linking to get it to work and modified the make file to have -m64 to compile on 64bit.

When I compile it for 64Bit this is my make output:

gcc -Wall -fPIC -m64 -c pam_radius_auth.c -o pam_radius_auth.o
pam_radius_auth.c: In function `ipstr2long':
pam_radius_auth.c:185: warning: subscript has type `char'
pam_radius_auth.c: In function `good_ipaddr':
pam_radius_auth.c:221: warning: subscript has type `char'
pam_radius_auth.c: In function `host2server':
pam_radius_auth.c:277: warning: subscript has type `char'
pam_radius_auth.c: In function `rad_converse':
pam_radius_auth.c:1027: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1030: warning: passing arg 2 of pointer to function from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_authenticate':
pam_radius_auth.c:1081: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1097: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1102: warning: assignment from incompatible pointer type
pam_radius_auth.c:1121: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1135: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1168: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_private_session':
pam_radius_auth.c:1300: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1321: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c: In function `pam_sm_chauthtok':
pam_radius_auth.c:1407: warning: passing arg 2 of `pam_get_user' from incompatible pointer type
pam_radius_auth.c:1428: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1437: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
pam_radius_auth.c:1442: warning: passing arg 3 of `pam_get_item' from incompatible pointer type
gcc -Wall -fPIC -m64 -m64 -I/usr/local/include -R/usr/local/lib/sparcv9 -c md5.c
gcc -R/usr/local/lib/sparcv9 -m64 -shared pam_radius_auth.o md5.o -lpam -lsocket -lc -o pam_radius_auth.so

Which is all well and good. But when I try and use the 64Bit version of pamtester it core dumps. The 32Bit version compiles fine, and 32bit version of pamtester also works fine.

./pamtester jpam peter authenticate
Password:
Bus Error (core dumped)

In /var/adm/messages I get:

Sep 22 13:51:46 sf2428 genunix: [ID 603404 kern.notice] NOTICE: core_log: pamtester[13662] core dumped: /var/core/core_sol9_pamtester_0_0_1285120305_13662

Any suggestions on what to do with gdb or to debug this problem??

I've seen a number of posts such as this one: http://networking.itags.org/networking-tech/58575/

Talking about changing the typedef for md5.h -#define uint32 u_int32_t +#define uint32 uint32_t

However 1.3.17 already seems to have this patch.

struct MD5Context {
    uint32_t buf[4];
    uint32_t bits[2];
    unsigned char in[64];
};

I'm no C developer so not sure where to go to from here. Any suggestions would be gratefully accepted.

Cheers
Peter
Re: users match list criteria and vendor identification
Cameron Wood wrote:
> Hi
> I am trying to find a list of the criteria you can use in the users file on the match line, I came across a lengthy list/table earlier but can't seem to find it again.

$ man users

?

> I have looked at the attributes RFC, but I'm looking more for something that will list things like Group-Name, Auth-Type, and more importantly the other possible criteria I can include there.

That isn't documented, unfortunately. We welcome additional documentation, however.

> One of the things I am curious to see is if there is a Vendor-ID attribute, does anyone know if there is?

I have no idea what that means.

The server comes with many vendor-specific dictionaries. You can read them to find out which VSAs are defined.

Alan DeKok.
Re: instantiating attr filter.access reject
shawky skaff wrote:
> Hi,
> It seem to have radiusd running ok, but when I run radiusd -X in the debug tool, the following lines are highlighted red and I'm not sure what they mean or how to fix it.

Don't worry about it. It's fine.

Alan DeKok.