Re: Question about forum

2008-01-25 Thread A . L . M . Buxey
Hi, There is a history of this mailing list, but searching something is a nightmare. Imho forum would be great for that. Sent from my BlackBerry® wireless device forums suck imho alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Question about forum

2008-01-25 Thread Arran Cudbard-Bell
[EMAIL PROTECTED] wrote: Hi, There is a history of this mailing list, but searching something is a nightmare. Imho forum would be great for that. Sent from my BlackBerry® wireless device forums suck imho alan

Re: Question about forum

2008-01-25 Thread JB
Nicholas Hall wrote: What's wrong with sharing your experiences with the list? Adding a forum will be just another place I'll have to check to get my FreeRADIUS fix. That's right, a forum wouldn't be a great idea. But this list shouldn't be a replacement for the Wiki either. So

rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
Hi, I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function (post_proxy) I return RLM_MODULE_REJECT I can see this in the log: modcall[post-proxy]: module perl1 returns reject for request 1 ... but my request is still accepted: Access-Accept, not Access-Reject! How to do that?

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Boian Jordanov
It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radius.conf file: # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or decide

Re: Question about forum

2008-01-25 Thread Marinko Tarlac
Ok. A forum sometimes isn't the best solution. A WIKI is a good option because you'll find all you need without too much off-topic. On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote: Nicholas Hall wrote: What's wrong with sharing your experiences with the list? Adding a forum will be just

Re: UserName, Password + MAC authentication using Cisco's BBSM 5.3

2008-01-25 Thread tnt
1. Use Cleartext-Password with =: as stated in the server documentation. 2. Post the output of radiusd -X. It's likely that the format for the MAC address is wrong. It can have : for delimiters or no delimiters at all. 3. That's not how you end user sessions on any device, Cisco or otherwise.

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need pre_proxy? From the radius.conf file: # # When the server decides to proxy a request to a home server, # the proxied request is first passed through the pre-proxy # stage. This stage can re-write the request, or

Re: Question about forum

2008-01-25 Thread Peter Nixon
We have a wiki. You are welcome to contribute... -Peter On Fri 25 Jan 2008, Marinko Tarlac wrote: Ok. A forum sometimes isn't the best solution. A WIKI is a good option because you'll find all you need without too much off-topic. On Jan 25, 2008 10:18 AM, JB [EMAIL PROTECTED] wrote: Nicholas Hall

Multiple accounting requests crash the server

2008-01-25 Thread Mother
Hi all, I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS tries to

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Boian Jordanov
Try with RLM_MODULE_FAIL in post_proxy. Best Regards, Boian Jordanov SNE Orbitel - Next Generation Telecom tel. +359 2 4004 723 tel. +359 2 4004 002 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote: It doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you need

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote: Try with RLM_MODULE_FAIL in post_proxy. Best Regards, Boian Jordanov SNE Orbitel - Next Generation Telecom tel. +359 2 4004 723 tel. +359 2 4004 002 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote: It doesn't make sense

SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar
Hi; For a long time now, I have been trying to unify the login credentials, in a heterogeneous environment. While I am aware of the few available options, I have decided against them, for varied reasons. In the last few days, I have been able to produce the effect which I desired, using

Re: eap and users file

2008-01-25 Thread tnt
users file and EAP-ttls + PAP schema can work together? Yes. In 2.0.1 you can divert EAP requests to one virtual server, others to a different virtual server that will be doing ldap auth, ... Ivan Kalik Kalik Informatika ISP

eap and users file

2008-01-25 Thread theSnail
I have only this entry in the users file: DEFAULT Auth-Type := Accept radiusd -X users: Matched entry DEFAULT at line 1 but it still tries to authenticate against ldap. So the question is: users file and EAP-ttls + PAP schema can work together? thanks

Re: Multiple accounting requests crash the server [update]

2008-01-25 Thread Mother
Update to the problem: the accounting-stop alternate query is actually an INSERT, not an UPDATE, by default, which actually surprises me, as in case of a duplicate packet, an INSERT into a properly unique-indexed table is doomed. I have now simply changed the -alt into an UPDATE query, so it

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
That's a very valid point, however we do all the CPE configuration ourselves. Customer, as a rule, does not have access to the PPPoE settings. I think the message they would get is going to say something like There is a problem with your internet connection. Please call blahblahblah to resolve

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread tnt
And that is good. Windows doesn't need to know who issued that certificate, only the radius server does. Ivan Kalik Kalik Informatika ISP On 25/1/2008, orion [EMAIL PROTECTED] writes: it's not a problem that Windows says about the client certificate: the issuer of this certificate cannot be found

Re: Thank you and Diameter question

2008-01-25 Thread Alan DeKok
Raj Patel wrote: has anyone else been using it? I will be happy for some feedback. Honestly, I've never seen much use for Diameter. Not that I'm biased, but I'd like to know what real-world problem it solves. Most requirements for diameter are political or commercial, not technical. Alan

Re: iCHAP?

2008-01-25 Thread Alan DeKok
Kevin J wrote: Does anybody know about iCHAP? Nope. Alan DeKok.

Thank you and Diameter question

2008-01-25 Thread Raj Patel
Hi People. First, thank you: I've been reading this mailing list for some time and I found it a great source of help. I want to share some info with you and then ask a question. We are slowly moving here into Java and starting to have Diameter requirements. I found OpenBloX Java Diameter a great

iCHAP?

2008-01-25 Thread Kevin J
Does anybody know about iCHAP? Kevin,

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread tnt
2) or only ca certificate + client certificate? In the second case the linkage between the ca and client doesn't exist (as you said, the server is the issuer of the client's certificate). Link is not needed. Server checks the client certificate to see if it's issued by the server (certificate).

Re: Force Auth-Type

2008-01-25 Thread Markus Moeller
Alan DeKok [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Markus Moeller wrote: That was the only way I could get it to work. If I use update control, anybody can login, whereas in my setup only a user who exists in ldap gets Auth-Type set to LDAP; all other users have an empty value

Re: one RADIUS server per realm setup

2008-01-25 Thread Wm. Josiah Erikson
I see. I can, indeed, remove Auth-Type := LDAP from the users file and it still works. Cool! However, the behavior described in the documentation is not what I'm seeing, and I'm still getting (contrary to what I said in my previous email) authorization requests not being proxied, even though

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
Now that you mention it, the billing software _is_ getting replaced some time soon, but until then I have to hack radius as a workaround. Is it not possible to Fall-Through failed users to another section with its own pool and auth-type: accept? Vlad On Jan 25, 2008 12:16 PM, Andy

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
Vlad, are the passwords changed _by the billing system_ for any other reason? You could use a trigger on the table to make a corresponding change on the usergroup when the billing system changes the password. Better though might just be to have an Expiry Due? column added to the users, and then

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread Donny Jekels
Suraj, You're better off kerberizing your unix environment and joining them with AD. This way you can have a fully single sign on environment, including samba file shares without entering usernames and passwords. This is what you need to do. 1) install SFU3.5 on all your DCs 2) install openldap and

Re: Multiple accounting requests crash the server

2008-01-25 Thread Mother
Hi Alan, Thanks for your answers, mine inline below: Alan DeKok wrote: Mother wrote: I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar
--- Alan DeKok [EMAIL PROTECTED] wrote: Any solution would have exactly the same security issues. Yes; I can understand and appreciate that. Thanks, Alan. Regards, suraj.

Re: IP Pool defined, but radius does not hand out an IP address.

2008-01-25 Thread Alan DeKok
Andrew D Kirch wrote: You might try putting it at the top of radiusd.conf Done. Alan DeKok.

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread tnt
Is there a better way, using radius? No. Once a user is authenticated, radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in a jail? Ivan Kalik Kalik Informatika ISP

Re: Multiple accounting requests crash the server

2008-01-25 Thread tnt
#1: rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184, length=302 User-Name = blah NAS-Port = 2 NAS-Port-Type = Wireless-802.11 NAS-Identifier = XX NAS-IP-Address = X.X.X.X Acct-Status-Type = Stop Calling-Station-Id = MAC

Re: simple Ldap-group search

2008-01-25 Thread Markus Moeller
I think you need to use Ldap-Group instead of myldap-Ldap-Group, or do you use do_xlat? Markus cxu [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED] Background: When a user is associated with the SSID Guest, the user will authenticate against a FreeRadius server. If he has a

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote: the import of client.p12 is ok but it doesn't have a valid link; it is ca-server-client. What does that mean? and the details of the server certificate tell that it is not authorized to issue certificates. Where does it say that? Which certificate tool are you using to look at

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread suraj shankar
--- [EMAIL PROTECTED] wrote: Is there a better way, using radius? No. Once a user is authenticated, radius has nothing to do with them (you say that they can increase privileges after authentication). Can't you put them in a jail? Yeah, I would eventually do that, if there is no 'better way'.

Re: one RADIUS server per realm setup

2008-01-25 Thread Alan DeKok
Wm. Josiah Erikson wrote: # Setting Auth-Type = LDAP is ALMOST ALWAYS WRONG. We # really can't emphasize this enough. Uh. OK. That's exactly what I'm doing, and it's working :) Then it works. It's fine. That message is for the majority of people who force LDAP to be

Sql_log against postgresql

2008-01-25 Thread Roy Walker
Have 2.0 running against a Postgresql database. The sql_log code looks like it functions differently than the sql statements in the postgres driver (stop packets are another insert instead of an update). Has anyone already changed out the sql lines to match the way it works without sql_log? don't

Re: Multiple accounting requests crash the server

2008-01-25 Thread Alan DeKok
Mother wrote: I am seeing a strange situation. I receive an accounting-stop request from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the corresponding radacct record. However, the NAS is not receiving the ack, and thus re-sends the stop request. On the second request, FreeRADIUS

Re: eap and users file

2008-01-25 Thread Alan DeKok
theSnail wrote: I have only this entry in the users file: DEFAULT Auth-Type := Accept radiusd -X users: Matched entry DEFAULT at line 1 but it still tries to authenticate against ldap. So the question is: Why haven't you posted the entire output from radiusd -X? i.e. you configured

Re: SSH-login authentication, using Active Directory credentials.

2008-01-25 Thread Alan DeKok
suraj shankar wrote: I understand that pam_radius_auth 'encrypts' the password. But if a user has the privileges to change the /etc/raddb/server file (and point it to a freeradius server), wouldn't he/she be able to siphon off the credentials? Yes. Our setup would disallow direct 'root'

Re: Question about forum

2008-01-25 Thread tnt
Yes, write to Peter Nixon and he will help you. Ivan Kalik Kalik Informatika ISP On 25/1/2008, Marinko Tarlac [EMAIL PROTECTED] writes: I would like to register too. Is there any chance for this? On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote: Peter Nixon wrote: We have a wiki. You

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Alex Moen
So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens, right?). There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell them they are

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
The only problem with this method is that our billing system is not (currently) capable of changing the usergroup when the account is suspended. All it does is change the password. Vlad On Jan 25, 2008 11:22 AM, Marinko Tarlac [EMAIL PROTECTED] wrote: radius will reply whatever you need but

Re: Question about forum

2008-01-25 Thread Marinko Tarlac
I would like to register too. Is there any chance for this? On Jan 25, 2008 5:37 PM, JB [EMAIL PROTECTED] wrote: Peter Nixon wrote: We have a wiki. You are welcome to contribute... Account creation/free editing seems to be deactivated... Bye, JB

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Alan DeKok
Jean-Michel Caricand wrote: Well. I made a lot of tests without success. I'm not yet able to REJECT a request in a post_proxy function, but that works fine in an authorize function. Does someone have ideas? In 2.0, it looks like this isn't dealt with in src/main/event.c around line

Re: rlm_perl and RLM_MODULE_REJECT

2008-01-25 Thread Jean-Michel Caricand
On Friday 25 January 2008 12:55, Boian Jordanov wrote: Try with RLM_MODULE_FAIL in post_proxy. Best Regards, Boian Jordanov SNE Orbitel - Next Generation Telecom tel. +359 2 4004 723 tel. +359 2 4004 002 On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote: It doesn't make sense

Re: Question about forum

2008-01-25 Thread JB
Peter Nixon wrote: We have a wiki. You are welcome to contribute... Account creation/free editing seems to be deactivated... Bye, JB

Hello, and a (hopefully) simple question

2008-01-25 Thread Vlad Sedov
Hey folks. Right now, we use freeradius to authenticate simple pap/chap PPP clients. When a username/password is rejected, radius simply sends back a reject message to the NAS. Is it possible to change this behavior so that a failed auth attempt gets accepted with an alternate IP pool instead of

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Marinko Tarlac
radius will reply whatever you need, but you need to tell it what you want. For example, if you're using mysql, when a user account expires you can add him to a specific group, and group attributes you can set in the radgroupreply table (ip pool, tx, rx limit etc.). On Jan 25, 2008 6:18 PM, Vlad Sedov

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread JB
If it's just a message you want to display, you could use the Reply-Message attribute. Of course, your access controller would have to know how to handle this attribute. JB Marinko Tarlac wrote: radius will reply whatever you need, but you need to tell it what you want. For example, if

RE: Hello, and a (hopefully) simple question

2008-01-25 Thread David Roze
A trigger on the password field is a workaround. What about if he wants to change a user's password or when it changes back to bring the connection back on? Changing the password is not the right way to reject a connection and everything possible should be done to change the software's behaviour.

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread Andy Billington
David - agreed. It's a workaround until the billing software can be modified (or replaced); in combination with an expiry_due check and also checking whether it's the billing system that made the change though, it's not a bad short-term workaround. Needs to be both of those checks though ;-) Andy

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread orion
I'm using the standard Windows mmc. After importing the CA and server certificates, the server certificate links to the CA certificate OK: CA certificate |- server certificate but when I import the client.p12 certificate the linkage is CA certificate |- server certificate |-

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread orion
Is it not a problem that Windows says about the client certificate: the issuer of this certificate cannot be found? Can the certificate be used in this case? On 25/01/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 2) or only ca certificate + client certificate? In the second case the

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote: but when I import the client.p12 certificate the linkage is CA certificate |- server certificate |- client certificate; at that moment the server part says (it is not allowed to issue certificates for others). There's no reason why the intermediate certificate

Re: certificates in FR 2.0.1 on windows doesnt works

2008-01-25 Thread Alan DeKok
orion wrote: Is it not a problem that Windows says about the client certificate: the issuer of this certificate cannot be found? Thank you for FINALLY posting the REAL error message. It helps to post the REAL error message, because you can then get a REAL solution. In this case, you

Re: Hello, and a (hopefully) simple question

2008-01-25 Thread tnt
Now that you mention it, the billing software _is_ getting replaced some time soon, but until then I have to hack radius as a workaround. So alter groups and not passwords. Is it not possible to Fall-Through failed users to another section with its own pool and auth-type: accept? Why? Just