Re: dialup_admin php notice errors

2011-01-14 Thread mikal

Todd,

I did a setup with FR 2.1.9, Apache 2.2.15, MySQL 5.1 on OpenSUSE (11.2 or
11.3) recently.  Can't recall the specific PHP 5 version offhand.  It did
take a bit of tweaking, but in the end it all worked (or at least the parts
that I was interested in which had more to do with administering user
accounts than Radius servers).  My notes aren't very good or detailed, so
I'd need to take a look at the installation to try and document the list of
configuration changes that I made.

If you're still trying to get this to work then I can try and get access to
that server this weekend.
-- 
View this message in context: 
http://freeradius.1045715.n5.nabble.com/dialup-admin-php-notice-errors-tp3327906p3341747.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Attribute not passing to NAS?

2010-12-07 Thread mikal

Yep, that's the file I meant.  You're welcome.


Re: Attribute not passing to NAS?

2010-12-07 Thread mikal

Rob,

I'm doing PEAP here, and I'm assuming that your clients are also?

Maybe post the output from a client connection attempt from radiusd -X.


Re: Attribute not passing to NAS?

2010-12-07 Thread mikal

Rob,

In your eap.conf set "use_tunneled_reply = yes".  Assuming that it's
currently set to "no".  Working here now after that change.
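
The setting named in the message above can be checked mechanically. This is an added example, not part of the original post and not FreeRADIUS code: it scans eap.conf text and reports which tunneled methods keep inner-tunnel reply items such as Filter-Id out of the outer Access-Accept. The sample config and the function names are constructed, and an absent setting is assumed to behave like "no".

```python
import re

# Constructed sample in FreeRADIUS 2.x eap.conf syntax (not taken from the thread).
SAMPLE_EAP_CONF = """
eap {
    default_eap_type = peap
    tls {
        private_key_file = ${certdir}/server.pem
    }
    ttls {
        default_eap_type = md5
        use_tunneled_reply = yes
    }
    peap {
        default_eap_type = mschapv2
        # inner-tunnel reply items are not copied to the outer Access-Accept
        use_tunneled_reply = no
    }
}
"""

def parse_sections(conf_text):
    """Return (section paths seen, {section path: use_tunneled_reply value})."""
    stack, seen, values = [], set(), {}
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and padding
        if not line:
            continue
        opened = re.fullmatch(r"([\w-]+)(?:\s+[\w-]+)?\s*\{", line)
        if opened:                                # "name {" or "name instance {"
            stack.append(opened.group(1))
            seen.add(".".join(stack))
        elif line == "}":
            if stack:
                stack.pop()
        else:
            item = re.fullmatch(r'use_tunneled_reply\s*=\s*"?(\w+)"?', line)
            if item:
                values[".".join(stack)] = item.group(1).lower()
    return seen, values

def methods_dropping_inner_reply(conf_text, methods=("eap.peap", "eap.ttls")):
    """Tunneled methods whose inner reply items (e.g. Filter-Id) stay in the tunnel."""
    seen, values = parse_sections(conf_text)
    # Assumption: an absent setting behaves like "no".
    return sorted(m for m in methods if m in seen and values.get(m, "no") != "yes")

if __name__ == "__main__":
    print(methods_dropping_inner_reply(SAMPLE_EAP_CONF))
```

Run it against the real eap.conf text by reading the file and passing its contents to methods_dropping_inner_reply().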


Re: Attribute not passing to NAS?

2010-12-06 Thread mikal

Hi Rob,

Nope, no EAP with a Captive Portal.  But I just configured a VNS with EAP,
so I see what you're talking about.  But I think that the problem is that
the Filter-ID isn't being sent in the Access-Accept, and I'm pretty sure
that that's where it should be.  I didn't play with my radius configuration
yet, but I suspect that you (we?) need to modify your config so that the
Filter-ID attribute is sent with the Access-Accept.  All of the packets that
you see between the first Access-Request and the Access-Accept have to do
with setting up the tunnels, certificate validation, etc.

So yep, I see what you're seeing, but I think it's simply a small config
change on the Freeradius side to get it working correctly.  I just don't
know off-hand what needs to be changed, hopefully get a chance to poke
around tomorrow. 


Rob Yamry wrote:
>
> Hey Mikkal-
> I'm not sure if my last few emails went through the list... I got a msg
> stating they were pending approval since they were too long.  I kept digging
> into this and I came across the eapol_test utility:
> http://deployingradius.com/scripts/eapol_test/  I tried running that to take
> the client and NAS out of the process.  As far as I can tell, it all looks
> fine.  Even with a default install of 2.1.10 (and another test using
> new certs with the required OIDs for XP clients:
> http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5),
> I still get those 9 requests.  Are you using EAP?
>
> Is anybody else following this that can test/verify that they get the same
> responses as I do?
>
> Thanks-
> Rob



Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Also, check your radius server configuration on the controller.  Check the
timeout and retry settings (might even try changing the retry value to 1). 
I'm set to retries = 3, timeout = 5 for this server.


Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

"Yes, I have done a packet trace.  The Filter-Id attribute is sent on the 2nd
packet of the authentication attempt, during the first access-challenge.
After that, Filter-Id isn't mentioned again until after the Access-Accept
packet on the Accounting-Request.  However, on the Accounting-Request packet
it's shown as Students, not Faculty.  The whole authentication process is 20
packets, excluding the accounting packets.  The only thing I noticed that
may be out of the ordinary is that there are 10 access-request packets, with
9 of them being duplicates to the first request.  The Filter-Id attribute is
only sent on the first challenge response. I'm not sure if this is normal or
not as I don't have anything to compare to.

Do you see something similar with your configuration?"

Nope, one Access-Request, one Access-Accept.  I just turned off accounting
to keep it as clean and simple as possible, so just a request and an accept.

Sounds like this may be the heart of the issue, it sounds as though you
would be fine if you just had 1 Request/Accept since that first Accept
contains the Filter-Id.  It seems as though that is being lost/overwritten
when the second, etc. Accept is received.


Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Rob,

You shouldn't need to check the "restrict policy" option.  My setup is
actually using a Captive Portal for the users to enter credentials.  So I
start them off with a non-auth policy that uses a "Routed" topology and then
once authenticated uses a "Bridge at AP" topology.

So the controller is serving up the CP page, and then I'm using freeradius
with a MySQL backend.

Did you capture a trace from the controller interface just to ensure that
the attribute/value pair is appearing at the controller interface correctly? 
Wireless Controller->Utilities->Wireless Controller TCP Dump Management.

So my VNS setup looks like:

VNS Name: SMFC
WLAN Service: SMFC
Non-Auth policy: SMFC NonAuth
Auth Policy: SMFC Auth   (support is correct, this will be
overwritten if the radius-accept contains a Filter-Id value that matches a
configured policy)
Restrict policy set unchecked
Enable checked

Under VNS Configuration->Policies I have a policy: named Policy
Name:NewmanN.

I throw a row in my MySQL radreply table to use a Filter-Id value of NewmanN
for a particular user (test.user11 in this case) and I'm off and running. 
If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
then I get the default policy applied to test.user11.  The same behavior
that you're seeing.

"ktest   Cleartext-Password := "password"
        Filter-Id = "Faculty"

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
from VNS [TEST] with username [ktest] has been successfully authenticated.
Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as
well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students   (support told me this doesn't matter what
it's set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty
topology (which sets the tagged vlan).

How does this compare to your setup?  Do I need the restrict policy set
option checked and config'd?"



Re: Attribute not passing to NAS?

2010-12-02 Thread mikal

Rob,

You need to ensure that the value of Filter-Id maps exactly to the value of
the policy that you're trying to apply.  So you need to have a policy
defined on the controller named "Faculty", not "faculty" or "facultY", but
"Faculty".

For instance, if I have a policy named "NewmanN" and I pass a
Filter-Id="NewmanN" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
from VNS [SMFC] with username [test.user11] with mu session timer [52549]
has been successfully authenticated. Policy [NewmanN] is applied.

The desired policy is applied.

If I pass a Filter-Id="Newmann" then I get:

Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
from VNS [SMFC] with username [test.user11] with mu session timer [52201]
has been successfully authenticated. Policy [SMFC Auth] is applied.

The default policy for that VNS is applied because there was no policy
matching "Newmann".


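
The exact-match behaviour described in the message above means a one-character case slip in a reply row falls back to the VNS default policy without any error. As an added example (not part of the original post), this audit compares Filter-Id values exported from radreply against the policy names configured on the controller; the rows, the extra usernames and the three-column row shape are constructed assumptions.

```python
# Added example: audit radreply Filter-Id values against controller policy names.

def audit_filter_ids(radreply_rows, controller_policies):
    """Classify each Filter-Id reply value.

    Returns (username, value, status, suggestion) tuples. status is 'exact',
    'case-mismatch' (a policy exists only under different casing, so the
    controller would apply the VNS default policy) or 'unknown'.
    """
    exact = set(controller_policies)
    by_folded = {}
    for name in controller_policies:
        by_folded.setdefault(name.casefold(), []).append(name)

    findings = []
    for username, attribute, value in radreply_rows:
        if attribute != "Filter-Id":
            continue                      # other reply attributes are not policy names
        if value in exact:
            findings.append((username, value, "exact", None))
        elif value.casefold() in by_folded:
            hint = by_folded[value.casefold()][0]
            findings.append((username, value, "case-mismatch", hint))
        else:
            findings.append((username, value, "unknown", None))
    return findings

# Constructed sample data using the policy names mentioned in the thread.
SAMPLE_POLICIES = ["SMFC NonAuth", "SMFC Auth", "NewmanN", "Faculty", "Students"]
SAMPLE_RADREPLY = [                       # (username, attribute, value)
    ("test.user11", "Filter-Id", "NewmanN"),
    ("test.user12", "Filter-Id", "Newmann"),
    ("test.user13", "Filter-Id", "newmanN"),
    ("ktest", "Filter-Id", "Faculty"),
    ("guest01", "Filter-Id", "Contractors"),
    ("guest01", "Session-Timeout", "3600"),
]

if __name__ == "__main__":
    for user, value, status, hint in audit_filter_ids(SAMPLE_RADREPLY, SAMPLE_POLICIES):
        note = f" (did you mean {hint!r}?)" if hint else ""
        print(f"{user:12} Filter-Id={value!r:14} {status}{note}")
```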


Re: Dialup Admin and HTTP Authentication

2010-11-30 Thread mikal

OK, so to get this working I modified the Dialup Admin functions.php3 file to
use $_SERVER instead of $HTTP_SERVER_VARS and to use "REMOTE_USER" instead
of "PHP_AUTH_USER".  PHP_AUTH_USER wasn't being populated, but REMOTE_USER
was so I just used that.  Not sure if that's good, bad or indifferent, but
it does work.


Dialup Admin and HTTP Authentication

2010-11-29 Thread mikal

Hi,

I'm trying to set up Dialup Admin to use HTTP authentication credentials to
connect to a mysql database.  The HTTP authentication works, but the
PHP_AUTH_USER and PHP_AUTH_PW don't seem to be getting set, when trying to
connect to the DB I get "DEBUG(SQL,MYSQL DRIVER): Connect: User=,Password= 
Could not connect to SQL database" (with SQL Debug enabled for Dialup Admin
and after setting "sql_use_http_credentials = yes" in my admin.conf).

This is with Apache2 2.2 and mod_php5 5.33.  The mysql/functions.php3 file
is using the $HTTP_SERVER_VARS array, is that going to work with php5?  Or
is there something else that I need to configure? 

Thanks in advance!


Automatically Generating "Expiration" - Freeradius 2.1.9 / mysql 5.1 / dialup admin

2010-11-23 Thread mikal

What I'm trying to do is enable a non-technical person to create temporary,
"guest like" accounts using the dialup admin interface.  The accounts will
be created as needed, they need to expire within a predetermined time
frame(s) and I'm trying to avoid asking the person creating the accounts to
be entering "Expiration".  

So how would I approach having the "Expiration" field auto populated based
on the account creation date/time and a predetermined account lifetime?  For
instance, creation date/time + 12-hours, or date + 1-day.  

Thanks in advance for any guidance.


Re: Does Dlink DWL-900+ work directly with FreeRadius?

2003-12-23 Thread mikal
Quoting Guy Fraser <[EMAIL PROTECTED]>:

> Go look at the specs at :
>
> http://www.dlink.com/products/?model=DWL-900AP%2b
>
> There is no indication that that AP supports authentication.
>

Since late 2002, the firmware for the DWL-900AP+ does support 802.1x auth, good
luck getting it to work correctly, though.  If you look on D-Link's support
webpage, you will see a firmware emulator on the DWL-900AP+ page.  In this
emulator it does show that the AP will do 802.1x.  Hope this helps.

Michael Brown

<-->
  mikro network solutions   *http://mikro-net.com/

