how to set max reauthentication parameter

2004-06-23 Thread ankan
Hi Mark,
Thanks for your answers. It really works for me. Now one more question.
How can I force the FastEthernet port (the trusted one) to the Authorized state? I mean, without 
any EAP authentication, how can I set the AP so that it forwards data through the 
Ethernet port?

Regards
Ankan


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


how to set max reauthentication parameter

2004-06-22 Thread ankan
Hi All,
I am using a CISCO Aironet 1100 AP and a FreeRADIUS server for EAP authentication. Now I 
want to set the max reauthentication (reAuthMax) parameter in the AP to a specific value. 
So please, can anyone help me with how to set this parameter inside the AP? 

I know it's a little bit of a deviation from the topics the freeradius mailing list discusses. 
But I am really in trouble with this matter and desperately need someone's help in 
this regard. And also, please can anybody tell me an alternative place where I should 
post this kind of question?

Regards
Ankan




how to set max reauthentication parameter

2004-06-22 Thread ankan
Hi Mark,

Actually, I want to know how to set the total number of authentication/reauthentication 
params inside the CISCO 1100 AP. It means I want to set the maximum number of 
authentication attempts after which the trusted port in the AP will finally be 
unauthorized. Also, how can I force the AP to start reauthentication? It seems to me 
that I can set the reauthentication interval inside the AP, but I am not able to force 
reauthentication at any time (independent of the interval) inside the AP. 

Regards
Ankan




Re: Problem regarding WinXP+Freeradius+EAP-TLS packet sequence

2004-06-08 Thread ankan
Hi Alan and Artur,

I am really new to FreeRADIUS. So I missed the FAQ/README section and posted the 
Ethereal capture without giving the debugging output. I have no intention to show that 
FreeRADIUS implements a protocol incorrectly. I was just curious about the EAP-TLS 
packet sequence and got a doubtful sequence. I am just trying to understand whether 
it's my EAP-TLS setup error, or, if it is a bug in FreeRADIUS, then the developer 
community should be informed about it.

Anyway, I have tested even without any User-Password entry against XP's Administrator 
login, and surprisingly got the same result (the Success message before client 
certificate verification). Am I doing something wrong?

Also, the server log is attached below...

Regards
Ankan
[EMAIL PROTECTED] root]# radiusd -s -X
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = yes
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec
 exec: wait = yes
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: authtype = MS-CHAP
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = (null)
 unix: shadow = (null)
 unix: group = (null)
 unix: radwtmp = /usr/local/var/log/radius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = tls
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = (null)
 tls: pem_file_type = yes
 tls: private_key_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: certificate_file = /usr/local/etc/raddb/certs/cert-srv.pem
 tls: CA_file = /usr/local/etc/raddb/certs/demoCA/cacert.pem
 tls: private_key_password = whatever
 tls: dh_file = /usr/local/etc/raddb/certs/dh
 tls: random_file = /usr/local/etc/raddb/certs/random
 tls: fragment_size = 1024
 tls: include_length = yes
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
 mschapv2: with_ntdomain_hack = no
preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
[/usr/local/etc/raddb/users]:152 WARNING! Changing 'User-Password =' to 'User-Password
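
The `radiusd -X` start-up output above is exactly the kind of log a reviewer scans for weak EAP-TLS and privilege settings (note that it prints `private_key_password` verbatim, so a pasted log discloses it). The following Python is an added example, not code from this thread or from the FreeRADIUS project: it assumes the ` section: key = value` line format seen above, embeds a constructed sample modelled on those lines, and applies its own review thresholds (the 2048-bit DH minimum is this example's choice, not a project default).

```python
"""Scan FreeRADIUS 1.x `radiusd -X` start-up output for settings a reviewer would flag.

Added example (not FreeRADIUS code). Assumed input format: lines of the form
" section: key = value", as printed at start-up; other lines are ignored.
"""
import re
from typing import Dict, List, Tuple

# Matches " tls: check_crl = no", "main: debug_level = 0", etc.; the lazy group
# plus the trailing \s*$ strips whitespace such as the one after "Password:".
_CONFIG_LINE = re.compile(r"^\s*(\w+):\s+(\w+)\s*=\s*(.*?)\s*$")

# Constructed sample, modelled on the debug output quoted in the thread.
SAMPLE_DEBUG_OUTPUT = """\
Starting - reading configuration files ...
 main: user = (null)
 main: group = (null)
 main: log_auth = no
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: private_key_password = whatever
 tls: check_crl = no
 tls: check_cert_cn = (null)
rlm_eap: Loaded and initialized type tls
"""


def parse_debug_config(text: str) -> Dict[str, Dict[str, str]]:
    """Return {section: {key: value}} for every config line in the output.

    Module-load messages, warnings and other free-form lines are skipped.
    """
    config: Dict[str, Dict[str, str]] = {}
    for line in text.splitlines():
        match = _CONFIG_LINE.match(line)
        if not match:
            continue
        section, key, value = match.groups()
        config.setdefault(section, {})[key] = value
    return config


def _as_int(value: str) -> int:
    """Parse a numeric setting; "(null)" and other non-numbers count as 0."""
    return int(value) if value.isdigit() else 0


def audit_config(config: Dict[str, Dict[str, str]],
                 min_dh_bits: int = 2048) -> List[Tuple[str, str]]:
    """Return (severity, message) findings, most severe first."""
    findings: List[Tuple[str, str]] = []
    tls = config.get("tls", {})
    main = config.get("main", {})

    # The debug output echoes the private key passphrase, so sharing the log
    # (as in this thread) discloses it.
    if tls.get("private_key_password") not in (None, "", "(null)"):
        findings.append(("high", "private_key_password appears in the debug "
                                 "output; rotate it if the log was shared"))

    # Ephemeral DH parameters shorter than the threshold are weak.
    if tls.get("dh_key_exchange") == "yes":
        bits = _as_int(tls.get("dh_key_length", "0"))
        if bits < min_dh_bits:
            findings.append(("high", f"dh_key_length = {bits} is below "
                                     f"{min_dh_bits} bits"))

    # Without CRL checking a revoked client certificate is still accepted.
    if tls.get("check_crl") == "no":
        findings.append(("medium", "check_crl = no: revoked client "
                                   "certificates are not rejected"))

    # No user/group means the daemon keeps the privileges it started with
    # (root, judging by the shell prompt in the thread).
    if main.get("user") == "(null)" and main.get("group") == "(null)":
        findings.append(("medium", "no user/group configured: radiusd does "
                                   "not drop privileges"))

    # Authentication logging off leaves nothing to investigate later.
    if main.get("log_auth") == "no":
        findings.append(("low", "log_auth = no: authentication attempts are "
                                "not logged"))
    return findings


if __name__ == "__main__":
    for severity, message in audit_config(parse_debug_config(SAMPLE_DEBUG_OUTPUT)):
        print(f"[{severity}] {message}")
```

Feed it the saved output of `radiusd -X` (for example via `parse_debug_config(open("radiusd.log").read())`); the parser keeps every section, so further checks on `eap:` or `proxy:` settings can be added to `audit_config` without touching the parsing.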

Problem regarding WinXP+Freeradius+EAP-TLS packet sequence

2004-06-07 Thread ankan
.
#

#
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
ankan Auth-Type := EAP, User-Password=ankan
Administrator Auth-Type := EAP, User-Password=ixia
#   Fall-Through = 1
#Auth-Type := System, User-Password = Hello

#
# Set up different IP address pools for the terminal servers.
# Note that the + behind the IP address means that this is the base
# IP address. The Port-Id (S0, S1 etc) will be added to it.
#
#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == alphen
#   Framed-IP-Address = 192.168.1.32+,
#   Fall-Through = Yes

#DEFAULT	Service-Type == Framed-User, Huntgroup-Name == delft
#   Framed-IP-Address = 192.168.2.32+,
#   Fall-Through = Yes

#
# Defaults for all framed connections.
#
#DEFAULT	Service-Type == Framed-User
#   Framed-IP-Address = 255.255.255.254,
#   Framed-MTU = 576,
#   Service-Type = Framed-User,
#   Fall-Through = Yes

#
# Default for PPP: dynamic IP address, PPP mode, VJ-compression.
# NOTE: we do not use Hint = PPP, since PPP might also be auto-detected
#   by the terminal server in which case there may not be a P suffix.
#   The terminal server sends Framed-Protocol = PPP for auto PPP.
#
#DEFAULT	Framed-Protocol == PPP
#   Framed-Protocol = PPP,
#   Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for CSLIP: dynamic IP address, SLIP mode, VJ-compression.
#
#DEFAULT	Hint == CSLIP
#   Framed-Protocol = SLIP,
#   Framed-Compression = Van-Jacobson-TCP-IP

#
# Default for SLIP: dynamic IP address, SLIP mode.
#
#DEFAULT	Hint == SLIP
#   Framed-Protocol = SLIP

#
# Last default: rlogin to our main server.
#
#DEFAULT
#   Service-Type = Login-User,
#   Login-Service = Rlogin,
#   Login-IP-Host = shellbox.ispdomain.com

# #
# # Last default: shell on the local terminal server.
# #
# DEFAULT
#   Service-Type = Shell-User

# On no match, the user is denied access.
avi Auth-Type := EAP, User-Password=whatever