Hi.
I have an endless proxy looping problem.
1. problem username format: use...@my-realm@other-realm
2. on the freeradius, I proxy (nostrip) suffix @other-realm to partner's
radiator radius server
3. on my partner then proxy back (nostrip) the same username based on @my-realm
to my freeradius
piston wrote:
I have an endless proxy looping problem.
You probably haven't had it for long. If it's been looping packets
for a long time, you would have noticed.
1. problem username format: use...@my-realm@other-realm
2. on the freeradius, I proxy (nostrip) suffix @other-realm to partner's
Alan DeKok wrote:
Markus Wernig wrote:
Could not find a place where to initialise the passwd module.
You list it in the authorize section.
This led to errors (from memory: no config found for passwd module).
I then used the etc_group module from the example, listed _that_ in
authorize
t...@kalik.net wrote:
Did you read rlm_passwd man page?
It's %{control:My-Group-Name}. Quotes, list and all.
Yes, that did it! Quotes were there, but the control list part wasn't.
Thank you for your help!
ps: It might be just me, but I was far from deducing that from the man
page:
Hello again
Following up on the previous thread, I am looking for a possibility to
assign different DNS servers and DNS suffixes to clients based on the
Unix group they are in.
I have found the MS-Primary-DNS-Server and MS-Secondary-DNS-Server
attribute, which I assume will control the
Augusto G. Andreollo wrote:
I must've been doing something wrong.. When I erased everything and
retyped it again, it's now returning OK as given.
Weird... OK
My problem now is that it only returns correctly when the module returns
OK. If the LDAP returns anything else (fail, rejected,
Arran Cudbard-Bell wrote:
Alan DeKok wrote:
A magical check box appeared in the XP SP3 and Vista supplicant
'Enable Quarantine Checks'. It'd be a huge win if FR could expose
these values so that they were usable for policy decisions.
Yup.
Hmm, could you sling it over my way as well. I'm
Piotr Janusz wrote:
I have used an outside certificate authority and have few clients that
have the certificates' subject similar to:
E = user-n...@domain.tld
CN = Some-constant-text
CN is constant on all certificates.
Freeradius gets the User-name attribute set to CN.
Any way to
Jason Frisvold wrote:
I recently set up a new freeradius installation for VPN authentication.
This is my first foray into using the LDAP module and, while I am
successfully authenticating, I want to make sure that my config is both
correct and streamlined. I am seeing a few failed
Josh Hiner wrote:
I want to make it so that users who use eap-peapv0 have to be in the
wireless group to logon. I have this set in the users file:
DEFAULT Called-Station-Id =~ CCISD-REMC1, Group != wireless,
Auth-Type := Reject
This works great buuut I have successfully setup
Are you using interim updates?
No. This is ordinary dial-up.
If yes, is there any special method to
make it more efficient? On a DSL environment where users are mostly
auto-connect (i.e. modem redials automatically when disconnected)
interim updates seem to contribute most load.
Do all updates
Markus Wernig wrote:
Following up on the previous thread, I am looking for a possibility to
assign different DNS servers and DNS suffixes to clients based on the
Unix group they are in.
A different question is: Will the NAS do anything with these attributes?
The usual answer is... no.
I
I spent 3 weeks trying to make FreeRadius work with PEAPv0 and WinXP SP3
native supplicant. I can authenticate using local flat file or ntlm_auth but
authentication from WinXP doesn't work.
++[mschap] returns ok
MSCHAP Success
++[eap] returns handled
} # server inner-tunnel
[peap] Got tunneled
Please link me to a resource on how to make FreeRadius work with postgreSQL
on Ubuntu 8.04 LTS?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Please link me to a resource on how to make FreeRadius work with
postgreSQL on Ubuntu 8.04 LTS?
You configure raddb/sql.conf. And create the database with scripts in
raddb/sql/postgresql/. Then uncomment sql where you need it (authorize,
accounting, session, ...) in
Please link me to a resource on how to make FreeRadius work with
postgreSQL on Ubuntu 8.04 LTS?
You configure raddb/sql.conf. And create the database with scripts in
raddb/sql/postgresql/. Then uncomment sql where you need it (authorize,
accounting, session, ...) in
On Tue, Mar 17, 2009 at 5:39 PM, t...@kalik.net wrote:
On a DSL environment where users are mostly
auto-connect (i.e. modem redials automatically when disconnected)
interim updates seem to contribute most load.
Do all updates come at the same time? Using buffered-sql or such virtual
servers
I am currently looking into testing freeradius and started reading a couple
of wiki/doc/man pages on the subject and ended on that SQL_HOWTO page. One
of the prerequisite is to already have the NAS configured. Do you have any
suggestion for a NAS running on a linux box ?
radtest is installed
Hi,
Please link me to a resource on how to make FreeRadius work with
postgreSQL on Ubuntu 8.04 LTS?
follow the usual MySQL/SQL stuff - just use postgres instead -
ie
1) install postgres
2) configure postgres
3) install FreeRADIUS with postgres support
4) configure FreeRADIUS
part 4
Hi,
but it does not show (for example) what happens when freeradius is
stopped and restarted before all entries in the detail file processed
: Does it re-process everything, or does it ignore everything and only
process new detail log.
if you run it, you'll see what it does and how it does
Please come back later and tell us your experience with postgre.. :)
On Tue, Mar 17, 2009 at 12:34 PM, t...@kalik.net wrote:
I am currently looking into testing freeradius and started reading a
couple
of wiki/doc/man pages on the subject and ended on that SQL_HOWTO page. One
of the
How does buffered-sql read the detail file? I see
filename = ${radacctdir}/detail
but it does not show (for example) what happens when freeradius is
stopped and restarted before all entries in the detail file processed
: Does it re-process everything, or does it ignore everything and only
Sorry for bothering but what if detail file is on daily basis ...
detail-20090101 for example...
On Tue, Mar 17, 2009 at 12:43 PM, t...@kalik.net wrote:
How does buffered-sql read the detail file? I see
filename = ${radacctdir}/detail
but it does not show (for example) what happens when
Sorry for bothering but what if detail file is on daily basis ...
detail-20090101 for example...
If you want to keep daily detail file then create two detail instances -
one that is rotated daily and one that writes to a file with constant
name. Point detail reader to one with the constant name.
Hi,
Sorry for bothering but what if detail file is on daily basis ...
detail-20090101 for example...
As Ivan says - if you are using buffered-sql and taking in that detail
file, then there will be nothing to rotate or deal with - everything
that is currently in the detail file gets slurped into
ntlm_auth authenticates the user but exchange can't complete after that.
This was noted previously on the list. Most people resolved this by
reverting to stable Samba version. Samba 3.2.x seems to be the problem.
Hi,
Downgrade to 3.0.28 helped!
Thanks,
Mateusz
Greetings list,
I have finally been able to upgrade my secondary freeradius server to
2.1.3 and I must commend everyone on their hard work, the changes are
great :)
I am having some trouble but would like to clarify my understanding
before posting all my problem details in case I have
Hi,
I have finally been able to upgrade my secondary freeradius server to
2.1.3 and I must commend everyone on their hard work, the changes are
great :)
any reason why not 2.1.4 ? :-)
Is my understanding in this correct, that server 1 will send the request
to server 2, and server 2
On Mar 17, 2009, at 5:37 AM, Alan DeKok wrote:
Likely because the LDAP connections time out, and are closed.
Yes... that little traffic will result in LDAP connection timeouts.
Hrm...Ok, I can accept that. Is there a way to force a keepalive
or something?
In our users file, we
I have finally been able to upgrade my secondary freeradius server to
2.1.3 and I must commend everyone on their hard work, the changes are
great :)
I am having some trouble but would like to clarify my understanding
before posting all my problem details in case I have misunderstood
something.
My
a.l.m.bu...@lboro.ac.uk wrote:
Hi,
I have finally been able to upgrade my secondary freeradius server to
2.1.3 and I must commend everyone on their hard work, the changes are
great :)
any reason why not 2.1.4 ? :-)
Because there isn't a valid 2.1.4 tar file? Which leads me to
Fantastic Ivan, that's exactly what I was heading towards :)
Let me try this and see if my root problem is resolved!
Thanks
Configure server 2 *not* to proxy requests coming from server 1 back to
it. And server 1 not to proxy requests coming from server 2 back to it.
There is no reason to send
John Dennis wrote:
Because there isn't a valid 2.1.4 tar file? Which leads me to the
question what's happening with it? The 2.1.4 file that's currently on
the download server has a VERSION file specifying 2.1.5. So we either
need a 2.1.5 tar file or a 2.1.4 tar file with a 2.1.4 VERSION
On Tue, 2009-03-17 at 10:11 +0100, Alan DeKok wrote:
My problem now is that it only returns correctly when the module returns
OK. If the LDAP returns anything else (fail, rejected, notfound), it
just completely skips over the IFs block and goes straight to Post-Auth.
Is that expected?
Hi all,
Since several months ago, I've been developing two new freeradius
modules, a non-eap module and an EAP module. I made my development in
Freeradius 2.0.2 and all work fine, today I've decided to migrate my
modules to the new Freeradius version 2.1.4, no problems with the
migration.
Dear All
I hope anyone can help me with these errors I have in the
radius.log file:
Error: rlm_sql_getvpdata: database query error
Error: rlm_sql (sql): SQL query error; rejecting user
Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record -
0
I am using freeradius
Fernando wrote:
After the installation, I run my modules but a strange error has appeared.
If I run my non-EAP module without loading my EAP module it works fine
but if I load my EAP module the non-EAP module crashes. Showing this
message:
Program received signal SIGSEGV, Segmentation
Augusto G. Andreollo wrote:
Hmm.. thing is, the post-auth sql query is already being processed, to
log the Access-Reject..
Yes.. I know. But the return code from the LDAP module in the
*authorize* section is lost by then.
Is there any other way I could extract the
rejection reason from
Dear All
I hope anyone can help me with these errors I have in the
radius.log file:
Error: rlm_sql_getvpdata: database query error
Error: rlm_sql (sql): SQL query error; rejecting user
Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record -
0
I am using freeradius
Alan DeKok wrote:
Fernando wrote:
After the installation, I run my modules but a strange error has appeared.
If I run my non-EAP module without loading my EAP module it works fine
but if I load my EAP module the non-EAP module crashes. Showing this
message:
Program received signal
I hope anyone can help me with these errors I have in the
radius.log file:
Error: rlm_sql_getvpdata: database query error
Error: rlm_sql (sql): SQL query error; rejecting user
Error: rlm_sql (sql): Couldn't update SQL accounting ALIVE record -
0
I am using freeradius 1.1.7 with
On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell
a.cudbard-b...@sussex.ac.uk wrote:
A magical check box appeared in the XP SP3 and Vista supplicant
'Enable Quarantine Checks'. It'd be a huge win if FR could expose
these values so that they were usable for policy decisions.
This requires
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
other machine,
Do you really want to accept these users without checking their
passwords? That's a *very* bad idea.
I agree. What am I missing? I thought the user passwords were
checked by the ldap module via the authentication section. Is that
not correct?
Remove those entries in users file. They are
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
other machine, but
Hi,
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb directory and copied it to the
On Tue, 17 Mar 2009, t...@kalik.net wrote:
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire /etc/raddb
On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
servers (RedHat V5), but MSCHAP fails on one of the two (see below). I
tried tar'ing up the entire
Hello,
I'm trying to conceal plain-text passwords from my radius.radcheck
database so that it'll be useless if it's stolen.
My config is FreeBSD 7.0 + FreeRadius1.1.7 + mpd4 + MySQL-5.0.67
(windowsXP and Vista Clients)
Well, I found a solution here
On 17/3/09 17:05, Mike Diggins mike.digg...@mcmaster.ca wrote:
On Tue, 17 Mar 2009, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
I've made no progress in finding a solution to my MSCHAP problem. To
summarize, Winbind and FreeRadius authenticate via PAP fine on both
[ ... ]
/etc/krb5.conf ?
I
On 17/3/09 16:26, Jouni Malinen wrote:
On Mon, Mar 16, 2009 at 11:56 PM, Arran Cudbard-Bell
a.cudbard-b...@sussex.ac.uk wrote:
A magical check box appeared in the XP SP3 and Vista supplicant
'Enable Quarantine Checks'. It'd be a huge win if FR could expose
these values so that they were usable
-Protocol = PPP
+- entering group authorize {...}
++[preprocess] returns ok
[auth_log] expand:
/var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radacct/10.1.1.1/auth-detail-20090317
[auth_log] /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to /var/log/radacct
I'm having trouble getting FreeRADIUS to run programs called by
Exec-Program-Wait in the newest version of FreeRADIUS (version 2.1.3).
I'm using a custom C script that used to work with all versions of
FreeRADIUS prior to version 2.
Read comments in exec module configuration file
Replying to myself... I missed uncommenting exec from the post-auth
section of default site. Everything is working now. Sorry for
wasting your valuable mailbox space.
Jeremiah
Is that possible to get hashed passwords together with MS_CHAP?
http://deployingradius.com/documents/protocols/compatibility.html
Ivan Kalik
Kalik Informatika ISP
Yuriy Grishin wrote:
Hello,
I'm trying to conceal plain-text passwords from my radius.radcheck
database so that it'll be useless if it's stolen.
That's admirable, but generally useless. And often counter-productive.
| 1 | user1| Password-With-Header | := |
t...@kalik.net wrote:
Is that possible to get hashed passwords together with MS_CHAP?
http://deployingradius.com/documents/protocols/compatibility.html
Thanks.
Hello all,
My other email to the list from last week appears to have disappeared into
the ether...probably too big with the whole config file.
Hopefully someone can offer advice on this issue. If I start up radiusd (on
SuSE/OES linux, install from Yast) with the standard script in init.d it
t...@kalik.net wrote:
Remove those entries in users file. They are bypassing password checking.
If you want to accept only some ldap groups use unlang. Something like:
if(Ldap-Group == something || Ldap-Group == something_else) {
ok
}
else {
update control {
Auth-Type
Alan DeKok wrote:
Yuriy Grishin wrote:
Hello,
I'm trying to conceal plain-text passwords from my radius.radcheck
database so that it'll be useless if it's stolen.
That's admirable, but generally useless. And often counter-productive.
You bet, I've spent all the day and
Remove those entries in users file. They are bypassing password checking.
If you want to accept only some ldap groups use unlang. Something like:
if (Ldap-Group == something || Ldap-Group == something_else) {
    ok
}
else {
    update control {
        Auth-Type := Reject
    }
}
On Tue, Mar 17, 2009 at 7:40 PM, Arran Cudbard-Bell
a.cudbard-b...@sussex.ac.uk wrote:
On 17/3/09 16:26, Jouni Malinen wrote:
There is specification available for all the needed functionality and
you should be able to find example code on how to do this in hostapd
Very interesting. Which
Maybe not perfect for this list, but I gotta think someone on here has
done this before.
We just got handed over 500 DSL subscribers. Old ISP is dead, no
records, no accounting data. Just the ATM PVC's are on our network.
I'm trying to figure out how to do a one time redirect so that they
sign
Hello, could someone with such experience provide a STEP BY STEP
procedure to configure the
eap2 module: which configuration files have to be updated and how?
Thanks in advance, Leonid.
Hi,
My other email to the list from last week appears to have disappeared into
the ether...probably too big with the whole config file.
Hopefully someone can offer advice on this issue. If I start up radiusd (on
SuSE/OES linux, install from Yast) with the standard script in init.d it