Hi,
What is the best way to maintain a very dynamic user list for freeradius
(on a Linux platform)?
I'm talking about a setup where every few minutes (sometimes every minute)
a user has to be added and/or removed, with in total up to about 200 users
in the user base at the same moment.
Ideally,
On Fri, 2007-11-02 at 09:00 +0100, Jos Vos wrote:
Hi,
What is the best way to maintain a very dynamic user list for freeradius
(on a Linux platform)?
I'm talking about a setup where every few minutes (sometimes every minute)
a user has to be added and/or removed, with in total up to about
of radiusd.conf
modcall: entering group accounting for request 32
radius_xlat: '/var/log/radius/radacct/192.168.1.6/detail-20071102'
rlm_detail: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d
expands to /var/log/radius/radacct/192.168.1.6/detail-20071102
modcall[accounting]: module
Wolfgang Burger wrote:
I'm trying to add support for EAP-TTLS and I want to proxy the username
and password of the inner TTLS session to another Radius-Server.
That should work.
Client doing TTLS -- FreeRADIUS -- 3rd-Party Backend-Server with
database of Users
Forwarding of the packets
Background: we use freeradius to provide AAA for our wireless hotspots. We
would also like to use radius authentication for our layer 3 switches. This
brings up the question of security.
Which is going to be more secure, md5 hashed passwords in MySQL, or storing
the passwords for the switch
Reject after first request means that remote server wasn't doing EAP.
Ivan Kalik
Kalik Informatika ISP
On 2/11/2007, Wolfgang Burger [EMAIL PROTECTED] wrote:
On 02.11.2007 at 14:58, Alan DeKok wrote:
Does the tunnel contain a clear-text password? Debug mode will show
this.
What do I
On 02.11.2007 at 14:58, Alan DeKok wrote:
Does the tunnel contain a clear-text password? Debug mode will show
this.
What do I have to change, to use the password transmitted in the
TTLS-Tunnel? Or do I have fundamental errors in my idea of how to do
this?
Run the server in
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
other_server
Ivan Kalik
Kalik Informatika ISP
On 2/11/2007, Wolfgang Burger [EMAIL PROTECTED] wrote:
Hi,
I have a working configuration of FreeRADIUS configured for EAP-TLS.
I'm trying to add support for EAP-TTLS and I want to
Mike O'Connor wrote:
I have a problem with my Cisco 7301's where I apply an address pool via a
Cisco-AVPair (for each wholesale ISP customer) and the wholesale ISP
supplies a Framed-IP-Address at the same time, the connection is kicked
by the cisco.
1.x should be able to filter out the
Adrian wrote:
Since both requests are addressed to domain.com how can I selectively allow
only certain responses to NAS A and others to NAS B?
Match on the Client-IP-Address, or on the NAS-IP-Address attribute.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Frank Winkler wrote:
On the old server, the users were authenticated by regular /etc/passwd
means. I got this working on the new server. As there are some new features
in the later versions, I'd prefer to move the RADIUS users to a separate
smbpasswd-like file but I can't get the
hacklberry wrote:
Here is what I'm trying to do:
use my module rlm_xxx to authenticate user bob
- if success i don't need anything else
- if failure i want to proxy the authentication
request to a 3rd party RADIUS server
This is difficult to do, because proxying *is* a kind
Ryan Melendez wrote:
I'm not positive that select is lying about data being available. It
could be that there is data when select is called, but _something_ out
of line grabs it before recvfrom() can get to it.
Like what? There is nothing else listening on that IP address/port.
The socket
Massimo Meregalli wrote:
If the server is started with radiusd -X or radiusd -s
all is fine and
the requests get answered correctly.
Because it doesn't change uid's.
If the server is started with radiusd -y it doesn't
startup
Hi evr,
I'm currently experimenting on freeradius 1.1.6 (on rhl3) my setup seems to be
working fine except a little bug !
I'm using a software to monitor freeradius from the outside this soft is called
(Whistle Blower running on a mac)
This soft attempt to validate a user called Whistle
Shawn Adams wrote:
I've noted that some wireless APs using MAC/MAC authentication send the
MAC in the form:
...
The last seems most prevalent.
For your systems. Others vary.
The RFC's suggest one format, but who follows standards?
Is there a method to configure $RADIUS/user.conf or
Hi,
I have a working configuration of FreeRADIUS configured for EAP-TLS.
I'm trying to add support for EAP-TTLS and I want to proxy the username
and password of the inner TTLS session to another Radius-Server.
Client doing TTLS -- FreeRADIUS -- 3rd-Party Backend-Server with
database of
Martin Pauly wrote:
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
So... did you run the command to set the DH parameters?
yeah, stupid me: I had looked for it in my own eap.conf,
not in the one provided with the 1.1.5 package.
No DH gets initialized, but the cert problem remains.
Is this compatible with Solaris 10
First time I tried with IP address only, and got the following error.
Oct 25 19:58:20 ada-delegate1 login: [ID 801593 auth.error] pam_radius_auth:
Failed looking up IP address for RADIUS server 10.213.31.186 (errcode=12)
Oct 25 19:58:20 ada-delegate1 login:
Hello all,
I want to make freeradius-2-0-pre2 on a Redhat 3.2.3-47 with
openssl-0.9.7a-33.23.
make gives this error:
/service/freeradius-cvs/radiusd/libtool --mode=compile gcc -g
-O2
-I/service/freeradius-cvs/radiusd/src
Multiple sql/ldap instances. Use one to authorize NAS A and another to
authorize NAS B.
Ivan Kalik
Kalik Informatika ISP
On 1/11/2007, Adrian [EMAIL PROTECTED] wrote:
Hello Everyone,
I need help setting up custom replies for each NAS in my organization. I.E
I have NAS A and NAS B
When NAS
Hi,
I'm trying to run a freeradius 1.1.7 with ldap as
authorize and
authenticate backend and I'm having trouble with freeradius
startup.
If the server is started with radiusd -X or radiusd -s
all is fine and
the
On Tuesday 30 October 2007 18:35, Alan DeKok wrote:
So... did you run the command to set the DH parameters?
yeah, stupid me: I had looked for it in my own eap.conf,
not in the one provided with the 1.1.5 package.
No DH gets initialized, but the cert problem remains.
Here's the debug output
On Fri 02 Nov 2007, Jos Vos wrote:
Hi,
What is the best way to maintain a very dynamic user list for freeradius
(on a Linux platform)?
I'm talking about a setup where every few minutes (sometimes every minute)
a user has to be added and/or removed, with in total up to about 200 users
in
]: module files returns noop for request 32
modcall: leaving group preacct (returns ok) for request 32
Processing the accounting section of radiusd.conf
modcall: entering group accounting for request 32
radius_xlat: '/var/log/radius/radacct/192.168.1.6/detail-20071102'
rlm_detail: /var/log/radius
You wrote earlier:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm :=
other_server
Does that mean that FreeRADIUS receives the EAP-Request, takes the
inner TTLS payload and forwards it to itself (localhost) by default?
And I can just redirect it to other_server?
Thanks for
On Fri, 2007-11-02 at 14:33 +0100, Alan DeKok wrote:
Ryan Melendez wrote:
I'm not positive that select is lying about data being available. It
could be that there is data when select is called, but _something_ out
of line grabs it before recvfrom() can get to it.
Like what? There is
Hi,
Hi evr,
I'm currently experimenting on freeradius 1.1.6 (on rhl3) my setup seems to
be working fine except a little bug !
I'm using a software to monitor freeradius from the outside this soft is
called (Whistle Blower running on a mac)
This soft attempt to validate a user
On Fri, Nov 02, 2007 at 11:11:17AM +, Phil Mayers wrote:
Use SQL or LDAP. Running a postgresql server for ~200 row table is very
little effort.
Is http://wiki.freeradius.org/SQL_HOWTO the best documentation on how
to populate / change the DB? Does this also apply to freeradius 1.0.1.
As
J-P Raymond wrote:
This soft attempt to validate a user called Whistle Blower and
freeradius must send a deny packet !
When I : radiusd -X start the process work fine
When I : radiusd start the process times out ???
Set reject_delay = 0.
It's fixed in 2.0-pre, but it should also be
Jos Vos wrote:
As the systems I'll be using for freeradius are currently running RHEL4,
I'm more or less forced to using freeradius 1.0.1 for now. If there are
any caveats, please let me know.
http://freeradius.org/security.html
You *can* manually upgrade to 1.1.7. It's not hard.
Ryan Melendez wrote:
I wish I knew. One thing I specifically mention is that the two radius
servers are bound to two different virtual interfaces with unique IPs.
That shouldn't matter...
So I'm now wondering if there is something fundamentally wrong with how
the kernel treats two udp
Ben Wiechman wrote:
Background: we use freeradius to provide AAA for our wireless hotspots.
We would also like to use radius authentication for our layer 3
switches. This brings up the question of security.
It brings up a question of limited choices.
Which is going to be more secure, md5
Wolfgang Burger wrote:
The output:
mac339:~ system$ sudo radiusd -X
FreeRADIUS Version 2.0.0-pre2, for host powerpc-apple-darwin8.10.0,
Hmm... grab the latest CVS version. It's now called 2.0.0-beta, and
it's much better than -pre2. See raddb/sites-available/, and eap.conf for
samples of
Hi Alan
Is there any way of adding or removing the ip_pool based on a rule ?
I don't know what you mean by that.
I still want the customer isp to be able to set a static ip address but
I have to remove the cisco-avp pair when these come through, or I want
to add the cisco-avp pair
35 matches