Guillaume Chartrand wrote:
Hi, I want to configure my freeradius to authorize my user with an sql
database or if the user isn’t present it would check in AD.
To be clear: get the password from LDAP, or ask AD about the
*authentication*.
authorize {
sql
if (notfound)
Hi.
We have changed the query authorize_check_query to control the nas ip
From where the client try to connect (AP Cisco).
But in peap messages in radius log we have:
PEAP: Sending tunneled request
EAP-Message =
Ramm-Ericson, Johannes wrote:
OK. However, access requests from that particular NAS are in effect not
processed the way I expect because of the lacking NAS-Port which still
leaves me with a problem I need to understand and fix.
There is likely nothing that you can do. This is the reality of
Hi Ivan Kalik
When I set EAP turned on using 802.1x authentication I don't seem to get users
authenticated to the RADIUS Radcheck account table.
How do I enable EAP using 802.1x and allow users to get authenticated to the
RADIUS Server radcheck table which has the user name and login details
Hi
I want Free Radius to authenticate user in my Radcheck table using EAP-TLS
via 802.1x authentication.
Currently it is authenticating users in users.conf file
Regards
Devinder
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
OK. I can see it instantiated. But you would need unlang to call it as
there is nothing to set the Auth-Type.
There is another way in dealing with pap requests to AD avoiding
ntlm_auth. Uncomment Auth-Type {ldap} in authenticate section and change:
set_auth_type = no
to yes in ldap
eap.conf peap section
copy_request_to_tunnel = no
change it to yes.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, Enrico Fanti [EMAIL PROTECTED] wrote:
Hi.
We have changed the query authorize_check_query to control the nas ip
From where the client try to connect (AP Cisco).
But in
Hi,
Hi Alan.
In old version I don't to create SSL certificates. Just to configure file
radius.conf, eap.conf, users, clients.conf and when I run the program it
work fine.
With a new versions I make same configurations but not work.
¿I think that the SSL certificates can be create alone
Hi,
I have a problem configuring wireless 802.1x authentication with FR and a
Windows client. I use version FR 2.0.3 and think I configured everything
quite well.
FR sends out the Access-Challenge but my windows client does not answer it. I
recreated the default certificates to be sure that
Which EAP? TLS, PEAP, something else? Have you uncommented sql in
authorize section? Debug would help.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, Devinder Singh [EMAIL PROTECTED] wrote:
Hi Ivan Kalik
When I set EAP turned on using 802.1x authentication I don't seem to get users
I tried.
Now my eap.conf peap section is:
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
}
It works now.
Thank you
enrico
Ivan Kalik wrote:
eap.conf
Hi Ivan
I'm using EAP-TLS authentication.
Could you tell me the sql configuration to allow EAP-TLS to read radcheck
table instead of users.conf file
Thanks
-Devinder
On 04/04/2008, Ivan Kalik [EMAIL PROTECTED] wrote:
Which EAP? TLS, PEAP, something else? Have you uncommented sql in
Good afternoon!
After upgrade 1.1.7 to 2.0.3+ freeradius
I have noticed, that that is brought in the table
has ceased to be processed
Select * from radgroupcheck where groupname='blackholed';
1 181 blackholed Auth-Type := Reject
2 182 blackholed Fall-Through = No
select * from usergroup
rlm_sql (sqlauth): User found in group mppc
He is a member of another group that has higher priority.
Ivan Kalik
Kalik Informatika ISP
radcheck? EAP-TLS is certificate based authentication. What is it reading
from users file? Reply attributes? They should be in radreply table.
This would be so much easier if you would provide relevant information:
user file entry that you want to store in sql; sql data for that user;
radiusd -X
Hmm... And why:
select * from usergroup where
username='[EMAIL PROTECTED]';
1 17652 [EMAIL PROTECTED] blackholed
10
rad_recv: Access-Request packet from host 127.0.0.1 port 23905, id=127,
length=81
User-Name = [EMAIL PROTECTED]
User-Password =
Hi,
WARNING: Found User-Password ==
WARNING: Are you sure you don't mean Cleartext-Password?
WARNING: See man rlm_pap for more information.
lets start getting rid of your errors and warnings. update your 1.1.x
data so that operator is := and attribute is Cleartext-Password, not
Alan DeKok wrote:
Ramm-Ericson, Johannes wrote:
OK. However, access requests from that particular NAS are in effect
not processed the way I expect because of the lacking NAS-Port which
still leaves me with a problem I need to understand and fix.
There is likely nothing that you can do.
1. That entry wasn't there when the server looked.
2. You are not looking into the same database as the server.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, Dmitry A. Sysoev [EMAIL PROTECTED] wrote:
Hmm... And why:
select * from usergroup where
username='[EMAIL PROTECTED]';
1 17652
Yes, I do it. But my problem is still present.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2008 2:20 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Why my schema is not working?
Hi,
WARNING: Found
When you do sample manually sql chooses all correctly. Why the radius does
not fulfil it? Why it does not find, what auth-type is reject?
In 1.1.7 all works fine.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008
3. blackholed in radgroupcheck and blackholed in usergroup are not the
same. There is space or some character in that field in usergroup table
so GroupName.radgroupcheck doesn't match GroupName.usergroup. Copy the
radgroupcheck statement from the debug and see if that returns anything.
Ivan Kalik
I just and did by debug.
It seems to me, that there is any mistake in processing these
queries in source codes freeradius.
Sql.conf is _not_ changing in upgrade freeradius and
the database is _not_ changing too.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Or you haven't restarted the server after making configuration changes?
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, Dmitry A. Sysoev [EMAIL PROTECTED] wrote:
I just and did by debug.
It seems to me, that there is any mistake in processing these
queries in source codes freeradius.
Sql.conf
:)) no, I'm restarted service :)
Upgrade was 28.03.2008 and from this date
My blackholed group is not working :(
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008 4:00 PM
To: freeradius-users@lists.freeradius.org
What happens when you copy and paste the query from the debug? Can you
post the result?
I would doubt that the code is allergic to that particular group and
works for others. blackholed doesn't look like a reserved word.
Queries are executed by mysql not radius server.
Ivan Kalik
Kalik
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1 4732[EMAIL PROTECTED] Cleartext-Password
EBLAImXtaUidLnSa:=
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1
And the warning about using User-Password is now gone from the debug?
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, Dmitry A. Sysoev [EMAIL PROTECTED] wrote:
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1 4732[EMAIL PROTECTED]
Yes, I fixed it.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008 4:57 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Why my schema is not working?
And the warning about using User-Password is now gone
Hi,
Yes, I do it. But my problem is still present.
have you tried running exactly the same query that FreeRADIUS
runs - as seen in your log - manually? do you get to see
the same happy result?
alan
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1 4732[EMAIL PROTECTED] Cleartext-Password
EBLAImXtaUidLnSa:=
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1
If in the radius.conf mschap section module I insert the same ntlm_auth
line of the exec. The sql don’t work but AD work. If I put nothing in
mschap section. The SQL works but not AD. So what I did make wrong
1) Do not create your own ntlm_auth module.
2) configure ntlm_auth in the mschap
Hi all, I'm pretty new to Freeradius,
We want to centralize authentication in our environment.
I have searched on Google but I didn't find any how-to about the
configuration of FreeRadius server vs Nortel Baystack switches. Can someone
point me in a good direction for documentation to set this up?
Basically, this works in hints:
DEFAULT NAS-Port-Id =~ (.+):(.+), NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ (.+):(.+)
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Nortel:
http://www116.nortel.com/docs/bvdoc/ene_tech_pubs/2008_03_26_Authentication_Authorization_and_Accounting_for_ERS_and_ES_TCG_NN48500558.pdf
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, FRANCIS PROVENCHER [EMAIL PROTECTED]
wrote:
Hi all, I'm pretty new to Freeradius,
We want to
Hi All,
The University of Sussex recently completed a case study for JANET UK
focusing on implementing the eduroam service using FreeRADIUS. It's not
quite at the same level as the official eduroam cook book, but should
provide FreeRADIUS 2 users wishing to implement eduroam (visited / home)
I've read through the list archives about people's problems with Vista
and FreeRadius, including the recent messages on this list in January,
and a couple of exchanges back in 2006 and 2007. I am running
FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius
SRPM. According to the
Hi,
While bypassing password Authentication based on the
Calling-Station-Id, is there a way to still the Authentication to be
handled by rlm_pap and rlm_chap ?
When Exec-Program-Wait is used, PAP/CHAP based authentication can
still be performed by an external perl script. But that is not what
Quoting Phil Mayers:
Basically, this works in hints:
DEFAULT NAS-Port-Id =~ (.+):(.+), NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ (.+):(.+)
NAS-Port = `%{expr:1000*%{1} +
Alan, the certificates that i need to take from my old version are the
/certs/*.* ?
Thanks.
--
Message: 3
Date: Fri, 4 Apr 2008 09:13:47 +0100
From: [EMAIL PROTECTED]
Subject: Re: Users cant connect Freeradius 2.0.2
To: FreeRadius users mailing list
Jakob Hirsch wrote:
Quoting Phil Mayers:
Basically, this works in hints:
DEFAULT NAS-Port-Id =~ (.+):(.+), NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ (.+):(.+)
NAS-Port =
Hi,
Alan, the certificates that i need to take from my old version are the
/certs/*.* ?
yes. and then make sure they are called correctly in eap.conf
alan
Hi all,
I don't know why I can't log in to the switch from Unix local user,
Here is the log from radius server... (The auth seems to be successful,
like the log tells.)
rad_recv: Access-Request packet from host 192.168.1.210 port 2048,
id=13, length=59
NAS-IP-Address = 192.168.1.210
Hi.
I have to take the /certs/*.* from old version and put this in new version,
but, I have same problem.
I have made all. For example, I have copied the radius.conf and eap.conf,
and clients.conf, and users from old version to new version, but I have the
same problem.
My clients can't connect.
2008/4/4 Ivan Kalik [EMAIL PROTECTED]:
OK. I can see it instantiated. But you would need unlang to call it as
there is nothing to set the Auth-Type.
There is another way in dealing with pap requests to AD avoiding
ntlm_auth. Uncomment Auth-Type {ldap} in authenticate section and change:
Hi all,
I'm sorry if I'm double posting (I'm not sure if the first message was
sent correctly. Sorry if it's the second time you received this
message.)
When I connect with unix/localuser via telnet on my baystack switch I
received message (Access Denied from Radius server)
I take a look on
Hi again,
I want to know what I making wrong. I have an MSSQL database and it's
working great. Now I want to tweak my setup with including some
attribute in group. But it's seems that rlm_sql didn't go see groupcheck
or groupreply. I also put read_groups = yes in mssql.conf
Here is my
FRANCIS PROVENCHER wrote:
When I connect with unix/localuser via telnet on my baystack switch I
received message (Access Denied from Radius server)
Because the Access-Accept is empty. The switch likely needs some
attributes in the Access-Accept in order to allow access. See the
switch
You need Service-Type = Administrative-User in reply as well. Add that to
user entry.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, FRANCIS PROVENCHER [EMAIL PROTECTED]
wrote:
Hi all,
I'm sorry if I'm double posting (I'm not sure if the first message was
sent correctly. Sorry if it's the
Arran Cudbard-Bell wrote:
Comments, suggestions and corrections welcome.
http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf
Very nice. It's always interesting to see what people do with the server.
I'll also be around at Networkshop 36, so hope to see
DEFAULT Calling-Station-Id == whatever, Auth-Type := Accept
Put that in users file. You don't need exec program.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, rsg [EMAIL PROTECTED] wrote:
Hi,
While bypassing password Authentication based on the
Calling-Station-Id, is there a way to still
It works well!
Thanks all for your answer!
Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tél: 1 418 646-3258
BlackBery; 1 418 473 6419
Courriel: [EMAIL PROTECTED]
CEH - Certified Ethical Hackers
When trying to compile freebsd port of 2.0.3 on 6.3 with the
postgresql83 library (also from ports), I get the following:
.libs/exec.o(.text+0x536): In function `radius_exec_program':
: undefined reference to `closefrom'
.libs/session.o(.text+0x4fa): In function `rad_check_ts':
: undefined
Hi,
When I connect with unix/localuser via telnet on my baystack switch I
received message (Access Denied from Radius server)
you are getting an authenticate...and access accept...but what
about an authorization. what return attributes must you return
to your kit for a successful telnet into
Alan DeKok wrote:
Ramm-Ericson, Johannes wrote:
From what I understand the current Freeradius code interprets the RFC
statement so that if the NAS-Port attribute is not sent then the
access
request is not processed and subsequently denied (in rlm_radutmp.c -
line 404).
No.
The *radutmp*
Hi,
I am using 2.0.3 version. When I generate certificate using those
files ca.cnf, server.cnf, client.cnf xpextensions Makefile which are
in the directory ../raddb/certs/. Then I use make server.vrfy verify
the server certificate, is OK. make client.vrfy also ok.
I use EAP-TLS
Hi again,
I want to know what I making wrong. I have an MSSQL database and it's
working great. Now I want to tweak my setup with including some
attribute in group. But it's seems that rlm_sql didn't go see groupcheck
or groupreply. I also put read_groups = yes in mssql.conf
Hi! At us
57 matches