hi,
when I'm using the radtest command to test the server,
eg: radtest Mahalakshmi test localhost 0 testing123
I got Access-Accept packet from server.
but when I'm using radclient,
echo User-Name = Mahalakshmi | radclient localhost auth testing123
I got Access-Reject packet.
can anyone say what
of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
radius_xlat: '/var/log/freeradius/radacct/127.0.0.1/auth-detail-20070629'
rlm_detail: /var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log
Hi,
when I'm using the radtest command to test the server,
eg: radtest Mahalakshmi test localhost 0 testing123
I got Access-Accept packet from server.
but when I'm using radclient,
echo User-Name = Mahalakshmi | radclient localhost auth testing123
I got Access-Reject packet.
can anyone
Hi.
Eshun Benjamin wrote:
Well in my current configuration I have the RADIUS server certificate in
certificate_file and CA certificate in CA_file.
But with that configuration , the radius server is still sending the CA
certificate.
The CA_path folder is empty and the CA_file is commented
Does the switch have the IP address of the server?
Yes, the switch is setup in the same way as my wireless routers (which
work) and no errors are detected when I start radiusd in debug
mode...although if the switch isn't seeing the server then there
probably wouldn't be any errors, I'm
Hi Reimer,
How do you check if FreeRadius is actually sending the chain?
I find Wireshark useful for this. It re-assembles the fragmented TLS
handshake, which makes it much easier to understand...
josh.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Can you debug radius on the switch? It should have some kind of a log.
Ivan Kalik
Kalik Informatika ISP
On 29/6/2007, Darren Maden [EMAIL PROTECTED] wrote:
Does the switch have the IP address of the server?
Yes, the switch is setup in the same way as my wireless routers (which
work)
PS. If the supplicant gets authenticated and switch hasn't contacted
RADIUS server, then the authentication is set up to be local.
Ivan Kalik
Kalik Informatika ISP
On 29/6/2007, Darren Maden [EMAIL PROTECTED] wrote:
Does the switch have the IP address of the server?
Yes, the switch is
Can you debug radius on the switch? It should have some kind of a log.
No, after a quick look around the configs and a search of the manual for
words like log, logging and debug, I couldn't find anything, the
only thing I have is a sniffing port, which I used.
PS. If the supplicant
Hi,
Oh and by broken I mean windows XP type broken, as in will only attempt
TLS authentication broken... and sends the username and password a user
logged into the machine with by default broken... and so can never work
out of the box broken.
FWIW, an unconfigured Windows XP box will not
Hi,
Rafa Marín López wrote:
Reimer Karlsen-Masur, DFN-CERT wrote:
Hi Karlsen,
thanks for the answer, please see inline...
Argh, your misunderstanding is because of the inline
documentation/default setup of the eap config file.
*Trusted* CAs for client auth are stored in
CA_file
or
hi,
I've a proxy with freeradius 1.1.6 in load balancing with two back-end
radius 1.1.6
my proxy is configured like this
realm APPLI1 {
type= radius
authhost= xx.xx.xx.xx:1820
accthost= xx.xx.xx.xx:1821
ldflag = round_robin
Darren Maden wrote:
But why is the supplicant receiving success packets? Could the switch
be trying to authenticate it itself in some way?
Perhaps. But the success packets you talked about weren't EAPOL
packets. (Unless I really misunderstood your email)
If the client machine thinks
EXT / GFI REBOLJ Jean-Pierre wrote:
hi,
I've a proxy with freeradius 1.1.6 in load balancing with two back-end
radius 1.1.6
...
the problem is that I see the Authentication request and response then
Accounting start on the first back-end server and the accounting stop
on the second backend
On Thu, 2007-06-28 at 12:16 -0500, Hugh Messenger wrote:
Forgive me if meta-discussions are frowned upon.
I was just wondering what tools and utilities (not shipped with
freeradius) people find useful in day to day admin and testing.
eapol_client from the wpa_supplicant distro was
On 6/29/07, Alan DeKok [EMAIL PROTECTED] wrote:
Accounting start on the first back-end server and the accounting stop
on the second backend server.
is this a bug or a problem of configuration ?
It's the way load balancing works. It's documented as working this
way. Requests get
1) If the RADIUS server isn't receiving packets, blame the NAS
2) If the NAS isn't sending packets, it's because no one is logging in
3) If someone is trying to log in, and nothing happens, blame the NAS
I decided to blame the NAS...so I reset it to factory, ie no VLANs or
anything
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Phil Mayers
Sent: 29 June 2007 10:35
To: FreeRadius users mailing list
Subject: Re: [meta] admin tools and utilities
On Thu, 2007-06-28 at 12:16 -0500, Hugh Messenger wrote:
inverse wrote:
in my setup, log dirs live in a shared filesystem,
NFS mounted? Don't. If NFS goes away, any application using those
directories will lock, and be unkillable.
Alan DeKok.
Alan wrote:
NFS mounted? Don't. If NFS goes away, any application using those
directories will lock, and be unkillable.
it's part of a red hat cluster, and it's managed by that software
suite. If a machine dies a transparent switch occurs.
If it fails I'll get angry with red hat --so far
Peter Nixon [EMAIL PROTECTED] said:
On Thu 28 Jun 2007, Hugh Messenger wrote:
Peter Nixon [EMAIL PROTECTED] said:
On Thu 28 Jun 2007, Alan DeKok wrote:
Hugh Messenger wrote:
With my current configuration, if sqlippool cannot assign an IP,
the
authentication still succeeds.
EXT / GFI REBOLJ Jean-Pierre [EMAIL PROTECTED] said:
[snip]
ldflag = round_robin
[snip]
the problem is that I see the Authentication request and response then
Accounting start on the first back-end server and the accounting stop
on the second backend server.
That sounds like
Hi,
I'm using Freeradius 1.1.6 with PostgreSQL 8.1.
When I try to do #radtest joao senhasecreta 127.0.0.1:1812 0 testing123
The radiusd (in debug mode) returns:
#rad_recv: Access-Request packet from host 127.0.0.1:32779, id=220, length=56
#User-Name = joao
#User-Password =
Hi
I am compiling on FC5
radius 1.1.6
I am getting the following error
any help
s.lo proxy.lo radiusd.lo radius_snmp.lo request_list.lo session.lo smux.lo
threads.lo util.lo valuepair.lo version.lo timestr.lo xlat.lo \
-dlpreopen ../modules/rlm_python/rlm_python.la -lnsl -lresolv
I have an issue
My software issues the Ascend-Data-Filter as such to the users file
Ascend-Data-Filter = ip in forward tcp est,
Ascend-Data-Filter = ip in forward dstip a.a.a.a/32,
Ascend-Data-Filter = ip in forward dstip a.a.a.a/32,
Ascend-Data-Filter = ip in forward dstip a.a.a.a/32,
Are those filters different for every user? If they are the same (or
there are just a few combinations) make DEFAULT entry with them and
don't put them in every users configuration.
Ivan Kalik
Kalik Informatika ISP
On 29/6/2007, Jeff [EMAIL PROTECTED] wrote:
I have an issue
My software
suppose we could, but it does grow.
Be nice if one could have the file include another file for defaults
and call that file from the users file
_
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 17:36:57 -0400
Subject:
No need. You can create groups with rlm_password, make DEFAULT entry for
each group and add appropriate filters to users in those groups.
Ivan Kalik
Kalik Informatika ISP
On 29/6/2007, Jeff [EMAIL PROTECTED] wrote:
suppose we could, but it does grow.
Be nice if one could have the file
Hi,
You haven't pasted the whole log, but judging from the following lines:
Postgresql check_error: PGRES_FATAL_ERROR, returning
SQL_DOWN
I suspect that freeradius can't talk to the database. Have a look at
the beginning of the debug messages, you should be able to see the
lines referring to the
I'm trying to get Windows XP authenticating using logon username/password.
# freeradius -X
[...]
rad_recv: Access-Request packet from host 192.168.12.3:1048, id=0,
length=217
Message-Authenticator = 0xdbb...
Service-Type = Framed-User
User-Name = TELPERION\\heruan
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
What's in these entries in users file? Have you got Auth-Type:=EAP
somewhere?
Ivan Kalik
Kalik Informatika ISP
[EMAIL PROTECTED] wrote:
users: Matched entry DEFAULT at line 153
users: Matched entry DEFAULT at line 172
What's in these entries in users file?
My `user' file is the default coming with FreeRADIUS:
153: DEFAULT Auth-Type = System
Fall-Through = 1
172: DEFAULT Service-Type
Hi
I have a setup like this for most of the users in the users file:
rokky Huntgroup-Name == ADSL, Password == xyx
Framed-Protocol = PPP,
Framed-IP-Address = 203.173.162.107,
IHUG-Speed-Down = 5000,
Service-Type = Framed-User
I have never used that, where is the documentation on setting the up, ie using
filters, etc
_
From: [EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 19:29:10 -0400
Subject: Re: Ascend-Data-Filter Issues
No need. You can create
Never mind I found it, let my fingers do the walking
_
From: Jeff [mailto:[EMAIL PROTECTED]
To: FreeRadius users mailing list [mailto:[EMAIL PROTECTED]
Sent: Fri, 29 Jun 2007 20:37:25 -0400
Subject: Re: Ascend-Data-Filter Issues
I have never used that, where is the documentation
Yes. User specific check (password) in radcheck, group specific checks
(connection type) in radgroupcheck: group specific replies in
radgroupreply, user specific replies in radreply; assign users to groups
in usergroup.
And you can always combine sql with users file. Looking at your user
entries
Hi,
I would prefer to avoid user files altogether. Currently we have
over 100k customers (heaps of them have 'user-specific' setup, not
just static ips). Customers change connection properties through a
web-based interface and we need to speed up the propagation of those
changes (currently we
gmake[4]: Leaving directory `/usr/local/src/cdrtools/freeradius-1.1.6
/src/modules'
Making all in main...
gmake[4]: Entering directory `/usr/local/src/cdrtools/freeradius-1.1.6
/src/main'
/usr/local/src/cdrtools/freeradius-1.1.6/libtool --mode=link gcc
-export-dynamic -dlopen self \
-pie
Jeff wrote:
My software issues the Ascend-Data-Filter as such to the users file
As you've noted before. The answer won't change.
I have noticed to get the Ascend-Data-Filter to read the other filters to
the next line it needs the += or it stops on the 1st one.
The documentation