Re: Access-Challenge authentication via both LDAP and SecurID

2009-01-28 Thread Alan DeKok
Amy Hawke wrote: Both the LDAP authentication and proxying to RSA are working properly. To get the two working together I have tried changing the response for the LDAP auth from Access-Accept to Access-Challenge if the request comes from the correct NAS-IP. That won't work. Can you

Re: [ Re: eap-ttls failing]

2009-01-28 Thread Alan DeKok
Craig White wrote: I was complaining about it a few weeks ago (all my systems have been upgraded to SP3) and I was made to feel that it was just me. The first reporter of an issue often gets told it works for everyone else... If this is a wide-spread problem with XP SP3, then we'll have to

Re: sql insert via unlang

2009-01-28 Thread Alan DeKok
Anton Borisov wrote: So, I try to INSERT (unlang) data into my sql table; This isn't supported. Oh, I am really very interested in INSERT sql. Please, tell me, Is this right? Can I insert or update any data into my DB? Can I use another way for INSERT sql data when I do not use sql

Re: sql insert via unlang

2009-01-28 Thread Evgeniy Kozhuhovskiy
Anton Borisov wrote: Also, maybe try to do a commit, or check that autocommit is set. I try to add a prepaid system to my equipment. In this case when quota is reached, the equipment sends an Access-Request with the quota consumed and I need to store this data in SQL. But. Unfortunately, I must think

Re: Copying Attributes Between Proxy-Reply and Reply Messages

2009-01-28 Thread Alan DeKok
Mike Loosbrock wrote: Authentication works fine, but reply attributes created by B are not being returned to radtest unless I configure the following in A: Hmm.. it *should* work. Maybe it's a bug in 2.0.4? My understanding is that without any attribute filters in place, the proxy-reply

Re: sql insert via unlang

2009-01-28 Thread tnt
I try to add a prepaid system to my equipment. In this case when quota is reached, the equipment sends an Access-Request with the quota consumed and I need to store this data in SQL. But. Unfortunately, I must think about how many on-line customers send quota to SQL at the same time. Yes, I can write a perl script

RE: Access-Challenge authentication via both LDAP and SecurID

2009-01-28 Thread tnt
Both the LDAP authentication and proxying to RSA are working properly. To get the two working together .. you need a two factor authentication manager. Freeradius isn't one. I don't know of any open source ones. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See

Re: rlm_sql ignoring fall-through attribute in radreply

2009-01-28 Thread tnt
Fall-Through (yes and Yes work; checked just in case). Ivan Kalik Kalik Informatika ISP On 28/1/2009, Mark Jones mjo...@mnsi.net writes: Ok, at least I know it does work. I will post the debug tomorrow. But in the meantime can you confirm what the exact attribute you have in your radreply

Re: Inner identity in accounting logs

2009-01-28 Thread Jonathan Gazeley
Alan DeKok wrote: Update the reply. In the inner-tunnel server, post-auth section, add: ... update outer.reply { User-Name = %{User-Name} } ... Done this, doesn't seem to work. I guess the NAS doesn't accept it. Tell the NAS which

Re: Inner identity in accounting logs

2009-01-28 Thread tnt
Update the reply. In the inner-tunnel server, post-auth section, add: ... update outer.reply { User-Name = %{User-Name} } ... Done this, doesn't seem to work. I guess the NAS doesn't accept it. Post the debug. Lets see what name is in the Access-Accept
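
The change the two replies above describe, written out as a FreeRADIUS 2.x configuration fragment. This is an added example, not configuration posted in the thread; it assumes the stock inner-tunnel virtual server layout and that the NAS honours RFC 2865 section 5.1 (a NAS SHOULD use the User-Name returned in an Access-Accept in the session's Accounting-Requests, but nothing forces it to).

```conf
# sites-available/inner-tunnel  (added example, FreeRADIUS 2.x syntax)
#
# PEAP/TTLS send an anonymous or outer identity in the clear and the real
# identity only inside the TLS tunnel.  The NAS never sees the inner name,
# so its Accounting-Requests carry the outer one unless the server hands
# the inner name back in the Access-Accept.
post-auth {
	# "request" here is the *inner* request (real User-Name).
	# "outer.reply" is the Access-Accept that will go back to the NAS.
	# ":=" overwrites any User-Name the outer phase may already have set.
	update outer.reply {
		User-Name := "%{request:User-Name}"
	}
}
```

Verify it with `radiusd -X`: the final "Sending Access-Accept" block at the end of the EAP conversation should list the inner `User-Name`; if it does and the accounting records still show the outer identity, the NAS is ignoring the attribute and the fix has to be on the NAS side. Note the trade-off: returning the inner identity in the outer reply exposes the real username on the wire between NAS and server, which is exactly what the tunnel was hiding; Chargeable-User-Identity (RFC 4372) is the alternative when that matters.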

Re: [ Re: eap-ttls failing]

2009-01-28 Thread tnt
list. I would think that what I am doing is fairly popular? Why are more people not complaining? This is too bad and if true, very poor. Can you post the eapol.log and wzctrace.log for the same attempt. I'll dig through that and see if I can find what is going on. Ivan Kalik Kalik Informatika

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread Sebastian Heil
/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.98.6.33/auth-detail-20090128 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.98.6.33/auth-detail-20090128 [auth_log] expand: %t -> Wed Jan 28 13:10:04 2009

Re: Rules in policy.conf

2009-01-28 Thread Martin Silvero
for example, in the policy file type: permit_only_eap { if (Calling-Station-Id==001f.3c22.674a) { ... } here, depending on the MAC, the user is assigned a VLAN. This would be after the authentication for PEAP-MSCHAPv2 with

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread tnt
it seems, as if this is working... But there seems to be another problem or even a bug: What does this errormessage mean? rlm_sql_mysql: MYSQL check_error: 1064 received sqlippool_command: database query error in: 'UPDATE radippool SET nasipaddress = '',

Re: 802.1x machine authentication ads peap domainname

2009-01-28 Thread orzeh
I know about this expand, but it's expanding to only the first section of the domain (e.g. domain.com mschap expand gives only domain). I'm wondering whether it is possible to get the expand to work correctly, because sometimes radius must authorize users from other trusted domains. Thanks for the answer! 2009/1/27

calling-station-id replace and md5 problem

2009-01-28 Thread hege
Hi, I have a problem: 1. The ldap doesn't replace (expand) the calling-station-id to the mac address, just one time (first) first time: [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) ->

Re: 802.1x machine authentication ads peap domainname

2009-01-28 Thread tnt
I know about this expand, but it's expanding to only the first section of the domain (e.g. domain.com mschap expand gives only domain). I'm wondering whether it is possible to get the expand to work correctly, because sometimes radius must authorize users from other trusted domains. Can you post an example? If you are

Re: Rules in policy.conf

2009-01-28 Thread tnt
the idea is to authenticate users with LDAP, but once authenticated check the Calling-Station-Id, and depending on the MAC assign a specified VLAN - Why don't you do this in the authorize section where this is normally done? Why do you want to do it in post-auth? You don't need policy.conf; unlang
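
The VLAN-by-MAC check from the two messages above (Martin's policy.conf sketch and the advice to do it in authorize), as an added FreeRADIUS 2.x unlang example that is not configuration from the thread. It assumes PEAP-MSCHAPv2 against LDAP in the stock inner-tunnel virtual server, `copy_request_to_tunnel = yes` in eap.conf so that Calling-Station-Id is visible inside the tunnel, the `rewrite_calling_station_id` policy shipped in 2.x policy.conf, and VLAN numbers 10 and 99 chosen for illustration.

```conf
# sites-available/inner-tunnel, authorize section  (added example)
#
# Reply attributes set in authorize are only sent if authentication later
# succeeds, so there is no need for a post-auth policy: an unknown password
# is rejected before any VLAN assignment reaches the NAS.
authorize {
	# other authorize entries (preprocess, eap, ...) omitted for brevity
	ldap

	# NASes send the MAC in several forms (001f.3c22.674a, 00:1f:3c:22:67:4a,
	# 00-1F-3C-22-67-4A ...).  The stock policy rewrites it to
	# 00-1f-3c-22-67-4a style so the string comparison below is reliable.
	rewrite_calling_station_id

	# switch/case is an exact string match in 2.x; use
	#   if (Calling-Station-Id =~ /^00-1f-3c-22-67-4a$/i)
	# instead if the NAS does not preserve lower case.
	switch "%{Calling-Station-Id}" {
		case "00-1f-3c-22-67-4a" {
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "10"
			}
		}
		case {
			# Unknown MAC: default (restricted) VLAN rather than no VLAN,
			# so a switch with a permissive fallback does not land the
			# user on the management network.
			update reply {
				Tunnel-Type := VLAN
				Tunnel-Medium-Type := IEEE-802
				Tunnel-Private-Group-Id := "99"
			}
		}
	}
}
```

For the reply attributes to reach the NAS the `peap` sub-section of eap.conf needs `use_tunneled_reply = yes`; otherwise the inner reply is discarded when the outer Access-Accept is built. Treat the MAC as an authorization hint, not a second factor: Calling-Station-Id is whatever the NAS reports, and a client MAC is trivially spoofed, so the LDAP credential is still the only thing actually authenticating the user.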

Re: calling-station-id replace and md5 problem

2009-01-28 Thread Alan DeKok
hege wrote: 1. The ldap doesn't replace (expand) the calling-station-id to the mac address, just one time (first). No. *Outside* of the TLS tunnel, the Calling-Station-Id exists. *Inside*, it doesn't. Set copy_request_to_tunnel = yes in eap.conf, peap sub-section. This is documented.
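
The eap.conf setting named in the reply above, shown in context as an added FreeRADIUS 2.x example (not configuration from the thread). It assumes the default `inner-tunnel` virtual server and the LDAP filter quoted earlier in this thread; the module defaults for the two copy options are `no`, which is why the filter expands correctly on the first (outer) pass and to an empty MAC on the inner pass.

```conf
# eap.conf, "peap" sub-section  (added example)
peap {
	default_eap_type = mschapv2

	# Copy attributes from the outer Access-Request (Calling-Station-Id,
	# NAS-IP-Address, NAS-Port ...) into the tunneled request.  Without
	# this, %{Calling-Station-Id} is empty inside the tunnel and an LDAP
	# filter such as
	#   (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id}))
	# matches nothing on the inner request.
	copy_request_to_tunnel = yes

	# Copy attributes from the inner reply into the outer Access-Accept,
	# otherwise VLAN or other reply attributes set in inner-tunnel are lost.
	use_tunneled_reply = yes

	virtual_server = "inner-tunnel"
}
```

Check it in `radiusd -X`: after the "server inner-tunnel" line, the `[ldap] expand:` output should now show the MAC in `macAddress=`, where before it showed `macAddress=)`. The same two options exist in the `ttls` sub-section for EAP-TTLS.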

Re: calling-station-id replace and md5 problem

2009-01-28 Thread tnt
Hi, I have a problem: 1. The ldap doesn't replace (expand) the calling-station-id to the mac address, just one time (first) first time: [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) ->

Re: sql insert via unlang

2009-01-28 Thread Anton Borisov
Good day! We have made an Oracle SQL function. This function inserts data into an SQL table, but we call this function as select myfunction ('aaa','bb') from dual and it returns OK: Quota consumed. And... this is working!! In unlang we added: if (%{sqlauth: select myfunction ('...','...')

Re: sql insert via unlang

2009-01-28 Thread Arran Cudbard-Bell
Alan DeKok wrote: Flamur Rogova wrote: in my authorize section, I have this, ... check_password if(notfound) { # log notfound to sql, the line below gives error... %{sql: INSERT INTO test.logs SET test.logs.user='%{User-Name}',
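
The "line below gives error" pattern from the message above, and the prepaid quota write discussed earlier in this thread, as an added FreeRADIUS 2.x unlang example that is not configuration posted by anyone in the thread. Two assumptions: the release in use has an rlm_sql xlat that accepts INSERT/UPDATE and returns the number of affected rows (earlier in this thread it is stated that INSERT via unlang is not supported, so check the changelog for the version you run), and `Quota-Consumed` is a hypothetical vendor attribute standing in for whatever the equipment actually sends; it must be defined in a dictionary for the config to load.

```conf
# sites-available/default, authorize section  (added example)
authorize {
	# other authorize entries omitted for brevity
	sql

	# A bare "%{sql: INSERT ...}" line is not valid unlang: an xlat has to
	# sit in an assignment or an expression.  Assign its result (the row
	# count) to a temporary attribute instead.
	#
	# Attributes expanded inside %{sql:...} are run through rlm_sql's
	# escape function, so a User-Name like  x' OR '1'='1  cannot break out
	# of the quoted literal.  Keep every value quoted: an unquoted
	# %{Quota-Consumed} would still be a syntax error, not an injection.
	if (Quota-Consumed) {
		update request {
			Tmp-Integer-0 := "%{sql:INSERT INTO quota_log (username, nasipaddress, consumed) VALUES ('%{User-Name}', '%{NAS-IP-Address}', '%{Quota-Consumed}')}"
		}

		# Fail closed.  For a prepaid service, a quota report that was
		# never recorded is free service; rejecting makes the NAS retry
		# rather than silently losing the update.
		if (Tmp-Integer-0 == 0) {
			reject
		}
	}
}
```

On the concurrency worry raised earlier in the thread: each `%{sql:...}` holds one connection from the sql module's pool for the duration of the query, so `num_sql_socks` in sql.conf is the ceiling on simultaneous writes; the Oracle function wrapped in a SELECT that was reported working is a way to get the same INSERT through on releases whose xlat only accepts SELECT.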

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread Sebastian Heil
}/auth-detail-%Y%m%d -> /var/log/radius/radacct/10.98.6.33/auth-detail-20090128 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius/radacct/10.98.6.33/auth-detail-20090128 [auth_log] expand: %t -> Wed Jan 28 14:27:45 2009 ++[auth_log] returns ok

Re: [ Re: eap-ttls failing]

2009-01-28 Thread Craig White
On Wed, 2009-01-28 at 09:27 +0100, Alan DeKok wrote: Craig White wrote: I was complaining about it a few weeks ago (all my systems have been upgraded to SP3) and I was made to feel that it was just me. The first reporter of an issue often gets told it works for everyone else... If

Re: IP-Assignment with sqlippool based on nas-ip-address

2009-01-28 Thread tnt
But there seems to be a problem with this statement now: - SELECT framedipaddress FROM radippool WHERE pool_name = 'poolDE' AND expiry_time < NOW() ORDER BY (username <> 'peter2'), (callingstationid <> ''), expiry_time LIMIT 1 FOR UPDATE This statement should receive

Re: calling-station-id replace and md5 problem

2009-01-28 Thread hege
t...@kalik.net wrote: Hi, I have a problem: 1. The ldap doesn't replace (expand) the calling-station-id to the mac address, just one time (first) first time: [ldap] expand: (&(employeeType=TRUE)(cn=%{Stripped-User-Name:-%{User-Name}})(macAddress=%{Calling-Station-Id})) ->

Re: rlm_sql ignoring fall-through attribute in radreply

2009-01-28 Thread Mark Jones
Ok, lo and behold, it works this morning. Just to clarify that I am understanding things correctly: if you have read_groups = no you can override it with the fall-through attribute; if you have read_groups = yes you can not override it with the fall-through attribute. - Original

Is it possible to have eap-peapv0 connect before xp shows logon box?

2009-01-28 Thread Josh Hiner
So, I was going to use eap-tls to have the windows xp workstations sign into the wireless network before the user logs on (by assigning a cert to the machine account) but tls is not working for users or machines and I would like to have a backup. I have eap-peapv0 and eap-ttls working fine

Re: calling-station-id replace and md5 problem

2009-01-28 Thread Alan DeKok
hege wrote: I have to use the dictionary.cisco.vpn3000, but if I uncomment it I get this error msg: Attribute number 10 supposed to be type integer, not ipaddr. I've fixed it in the revision control system. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: rlm_sql ignoring fall-through attribute in radreply

2009-01-28 Thread tnt
Just to clarify that I am understanding things correctly: if you have read_groups = no you can override it with the fall-through attribute. Yes. If you have read_groups = yes you can not override it with the fall-through attribute. It will have no effect. Ivan Kalik Kalik Informatika ISP -

AUTO: Freitag, Thoralf is out of the office. (returning 02.02.2009)

2009-01-28 Thread Thoralf Freitag
I am out of the office until 02.02.2009. In urgent cases contact HSS via e-mail ad...@ews.biotronik.de, or via telephone -4616. Note: This is an automated response to your message Re: rlm_sql ignoring fall-through attribute in radreply sent on 1/28/09 19:37:05. This is the only notification

Re: Calling-Station-Id Check Erroring

2009-01-28 Thread tnt
When I try to do MAC auth, it shows No User, though it works fine when I remove the Calling-Station-Id check item from MySQL. Debug shows quotes around MAC. I put MAC in database with and without quotes and still errors. No quotes. Any ideas? Log into your database and post here the result of

Re: [ Re: eap-ttls failing]

2009-01-28 Thread Josh Hiner
t...@kalik.net wrote: list. I would think that what I am doing is fairly popular? Why are more people not complaining? This is too bad and if true, very poor. Can you post the eapol.log and wzctrace.log for the same attempt. I'll dig through that and see if I can find what is going on.

RE: Access-Challenge authentication via both LDAP and SecurID

2009-01-28 Thread Amy Hawke
Can you say what you're trying to do? What NAS equipment are you using? We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code. The RSA product is unable to connect to our current directories, so

RE: Calling-Station-Id Check Erroring

2009-01-28 Thread Eric Geier
When I try to do MAC auth, it shows No User, though it works fine when I remove the Calling-Station-Id check item from MySQL. Debug shows quotes around MAC. I put MAC in database with and without quotes and still errors. No quotes. Any ideas? Log into your database and post here

Re: Access-Challenge authentication via both LDAP and SecurID

2009-01-28 Thread Alan DeKok
Amy Hawke wrote: We would like to get two factor authentication working using the username/password from our current LDAP directories and then username/RSA token code. That will likely *not* work. The NAS has to support this behavior, and usually doesn't. The RSA product is unable to