Gong Cheng wrote:
Hi,
I wonder if there is a way
- not to include Session-Timeout value intended for Access-Accept in
Access-Challenge messages?
In 2.1.7, see raddb/sites-available/default. Look for
Access-Challenge. There is sample configuration.
- or to configure a different
Alexander Kubatkin wrote:
problem with build:
Ok... wait a bit, and then grab another copy of the source.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 7/7/09 17:01, Ivan Kalik wrote:
Yes.
if(((!reply:...) || (reply:... = )) Huntgroup-Name = whatever)
This works for those users that have the attribute set as a fallback
measure but how do I stop it from returning the attribute when it was
retrieved from LDAP, again I only want this
Hi All,
I am trying to configure the two wimax qos profiles for the single user as
one for uplink and another for downlink.
If I configure the same attributes two times, in the Access-Accept message
the first configured wimax attribute value only is sending but it's not
sending the same attribute
On Wednesday 08 July 2009 10:47:41 Alan DeKok wrote:
Alexander Kubatkin wrote:
problem with build:
Ok... wait a bit, and then grab another copy of the source.
Alan DeKok.
trying to build from:
freeradius-server-2.1.7.tar.bz2 08-Jul-2009 08:57 2.4M
without success...
Hi All,
I am sure i'm not the only person experiencing this problem. It seems
when using the python module to handle auth/acct.
If you include the MySQLdb module in the python script freeradius then
dies and is unable to load the python module.
I am using the latest stable freeradius
Alexander Kubatkin wrote:
trying to build from:
freeradius-server-2.1.7.tar.bz2 08-Jul-2009 08:57 2.4M
Yes... the fix wasn't in yet.
If you want the latest version, use git.
Alan DeKok.
Ivan Kalik wrote:
Ivan Kalik wrote:
One thing stands out though in the output of freeradius -X (only after
changing the order of suffix and ntdomain in sites-available/default
and
radiusd.conf:
++[mschap] returns noop
rlm_realm: Looking up realm IPSO0 for User-Name =
IPSO0\andrei.staicu
Andrei-Florian Staicu wrote:
Hello again. I've reached the output from here:
http://pastebin.com/d19f28a24 , and i still don't understand why it
doesn't call the ntlm_auth line
It looks like you are adding a Proxy-To-Realm := LOCAL.
...
PEAP: Sending tunneled request
EAP-Message
Hopefully someone has come across this before and can easily answer the
question I am attempting to get an Alvarion Breezemax basestation working
with FreeRadius for provisioning of services.
Best advice you are going to get here is: avoid Alvarion if possible.
Ivan Kalik
Kalik Informatika
On 7/7/09 17:01, Ivan Kalik wrote:
Yes.
if(((!reply:...) || (reply:... = )) Huntgroup-Name = whatever)
This works for those users that have the attribute set as a fallback
measure but how do I stop it from returning the attribute when it was
retrieved from LDAP, again I only want this
Unfortunately not possible - I am doing this on behalf of a customer who
has already had the network installed (albeit poorly) and I am trying to
give them some control over it.
I have quickly discovered that Alvarion on somewhat how is best to put it .
. unique . . in their Radius
Can you do radtest from the home server? Or that shows
wrong shared secret
too?
the home server isn't a freeradius server. it's a ncp radius
server
I checked the secret again. they are the same!
The error message is not my problem. The problem is: why
sends freeradius 2 requests to the home
I am sure i'm not the only person experiencing this problem. It seems
when using the python module to handle auth/acct.
If you include the MySQLdb module in the python script freeradius then
dies and is unable to load the python module.
I am using the latest stable freeradius version 2.1.6,
hi,
heres one for a wednesday morning.
we have a system that we've been done plain authorizations
via FreeRADIUS - the device sends the following RADIUS request
username: userid
password: userid
(ie the system sends the username and makes the password the same)
okay. fair enougha bit of
Can you do radtest from the home server? Or that shows
wrong shared secret
too?
the home server isn't a freeradius server. it's a ncp radius
server
I checked the secret again. they are the same!
The error message is not my problem. The problem is: why
sends freeradius 2 requests to the
Yeah sure does,
If I remove the line import MySQLdb it works fine.
It seems to definitely have an issue with this module. I've also tried
sqlobject as a module and I get the same problem.
Thanks,
Mike
Ivan Kalik wrote:
I am sure i'm not the only person experiencing this problem. It seems
Alan DeKok wrote:
Andrei-Florian Staicu wrote:
Hello again. I've reached the output from here:
http://pastebin.com/d19f28a24 , and i still don't understand why it
doesn't call the ntlm_auth line
It looks like you are adding a Proxy-To-Realm := LOCAL.
...
PEAP: Sending
On 8/7/09 10:19, a.l.m.bu...@lboro.ac.uk wrote:
hi,
heres one for a wednesday morning.
we have a system that we've been done plain authorizations
via FreeRADIUS - the device sends the following RADIUS request
username: userid
password: userid
(ie the system sends the username and makes the
we have a system that we've been done plain authorizations
via FreeRADIUS - the device sends the following RADIUS request
username: userid
password: userid
(ie the system sends the username and makes the password the same)
okay. fair enougha bit of unlang and a check that if the
I am trying to configure the two wimax qos profiles for the single user as
one for uplink and another for downlink.
If I configure the same attributes two times, in the Access-Accept message
the first configured wimax attribute value only is sending but it's not
sending the same attribute
Hello there!
Hope you can help.
I'm running freeradius 2.1.6 on sles 11 and do LDAP-Authentication on
Radius.
EAP/TTLS with cleartext-password against ldap works fine.
PEAP/MSCHAP with universal password retrieval works fine.
Ldap-Groups work fine.
Load-Balancing with multiple ldap-servers
Hi list,
I have been trying to configure FreeRADIUS 2.1.6 on Solaris 10 (sparc)
but I am having issues with the rlm_ldap module not being able to locate
libldap_r.
I have installed the OpenSSL and OpenLDAP packages + dependencies from
Sunfreeware.
When issuing the plain ./configure it returns
# ./configure
...
checking for ldap_init in -lldap_r... no
checking for ldap.h... yes
configure: WARNING: silently not building rlm_ldap.
configure: WARNING: FAILURE: rlm_ldap requires: libldap_r.
configure: creating ./config.status
config.status: creating Makefile
When manually
On 8/7/09 12:00, Ivan Kalik wrote:
Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
the correct path.
I have tried with the following set:
export LD_LIBRARY_PATH=/usr/local/lib
and I still get the same errors.
Steve
--
Steven Carr
Systems Development Officer
On 08.07.2009 at 13:07, Steven Carr wrote:
On 8/7/09 12:00, Ivan Kalik wrote:
Your linker is probably looking in /usr/lib but not in /usr/local/lib. Add
the correct path.
I have tried with the following set:
export LD_LIBRARY_PATH=/usr/local/lib
checking for ldap_init in -lldap_r...
\
NAS-IP-Address = 172.x.x.x
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
expand:
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
[auth_log]
/var/log/freeradius/radacct
On 8/7/09 12:12, Nicolas Goutte wrote:
checking for ldap_init in -lldap_r... no
-lldap means compile time linking. By using LD_LIBRARY_PATH you change
only runtime linking, which is not the same
I have found the error, looking in the config.log file I have the following:
Hi,
authorize {
if((User-Name == User-Password) %{ldap:etc...}){
update control {
Auth-Type := 'NULL'
}
}
else {
// Authentication modules
}
}
Auth-Type NULL {
ok
}
this is pretty much
On 8/7/09 12:39, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
authorize {
if((User-Name == User-Password) %{ldap:etc...}){
update control {
Auth-Type := 'NULL'
}
}
else {
// Authentication modules
}
Hey,
Matching an entry based on the NAS's IP Address value in the request is
doable
via DEFAULT NAS-IP-Address == 1.2.3.4 ...
How about if I wouldn't want to count on that attribute and I'd rather just
want to
match based on the NAS entry itself (which is read from mysql) or the
shortname
Hi,
Listen on multiple interfaces and use the packet destination IP attribute
with Unlang to determine policy? Then point the different services at the
different IP addresses ?
currently this is what we are looking at - a new virtual
server on a different port that does the authorisation
/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
-
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
[auth_log]
/var/log/freeradius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d
expands to
/var/log/freeradius/radacct/127.0.0.1/auth-detail-20090708
expand: %t - Wed Jul 8 13
Matching an entry based on the NAS's IP Address value in the request is
doable
via DEFAULT NAS-IP-Address == 1.2.3.4 ...
How about if I wouldn't want to count on that attribute and I'd rather
just
want to
match based on the NAS entry itself (which is read from mysql) or the
shortname
On 8/7/09 13:20, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Listen on multiple interfaces and use the packet destination IP attribute with
Unlang to determine policy? Then point the different services at the different
IP addresses ?
currently this is what we are looking at - a new virtual
server
On 8/7/09 08:18, Steven Carr wrote:
On 7/7/09 17:01, Ivan Kalik wrote:
Yes.
if(((!reply:...) || (reply:... = )) Huntgroup-Name = whatever)
This works for those users that have the attribute set as a fallback
measure but how do I stop it from returning the attribute when it was
retrieved
Arran Cudbard-Bell wrote:
On 8/7/09 13:20, a.l.m.bu...@lboro.ac.uk wrote:
Can't you bind the same virtual server to multiple IPs? Less duplication...
listen {
... # ip 1
virtual_server = foo
}
listen {
... # ip 2
virtual_server = foo
}
Alan DeKok.
Is it not possible to use something like...
if ((!Huntgroup-Name) || (Huntgroup-Name != ciscoswitches)) {
update reply {
Tunnel-Private-Group-ID -=
Tunnel-Type -=
Tunnel-Medium-Type -=
}
On 07/08/2009 04:16 AM, Michael da Silva Pereira wrote:
Hi All,
I am sure i'm not the only person experiencing this problem. It seems
when using the python module to handle auth/acct.
If you include the MySQLdb module in the python script freeradius then
dies and is unable to load the python
On 8/7/09 14:19, Ivan Kalik wrote:
Obviously not. There is no wildcard. If you want wildcard use attribute
filter instead of update reply.
Tried that too, but the attribute filter only seems to allow you to
filter on items that you want to be returned, rather than filter out
those that you
On 8/7/09 14:19, Ivan Kalik wrote:
Obviously not. There is no wildcard. If you want wildcard use attribute
filter instead of update reply.
Tried that too, but the attribute filter only seems to allow you to
filter on items that you want to be returned, rather than filter out
those that you
Hello,
I am configuring FreeRadius 2.1.6 to authenticate MS Vista user
using EAP-PEAP protocol.
The file users looks as follows:
csd-notebook\user_name Cleartext-Password := user_password
Where csd-notebook is notebook name.
This setting is working.
But I would like to make 2 improvements
On 8/7/09 14:36, Ivan Kalik wrote:
Well, reply attributes don't appear from nowhere - *you* configure them!
List what you want to leave in the packet (lets say Service-Type) - rest
will be deleted.
That is the issue, I do not know what attributes we do want, only what
we don't want.
We only
Martin,
The Internet Draft address what you described in web client/Apache
server and mail client and mail server applications. The TLS-EAp
extension is leveraging existing user credential and profile in AAA
server. In addition, you have flexibility to choose different
authentication method using
Steven Carr wrote:
That is the issue, I do not know what attributes we do want, only what
we don't want.
If you don't want the attributes, it would be simplest to not add them
in the first place.
We only want to send back the VLAN switching dot1x attributes if the
request comes from a
Alan,
They most certainly do!
I just debugged a case where the Cisco 1200 takes the 30s Session-Timeout
that the Microsoft IAS server sends and treats it as a response timeout. (It
then aborts the authentication, which I believe is wrong, but that's another
story)
When doing a
Hi all,
We setup proxy (on freeradius 2.1.3) by putting following lines in users
and acct_users:
DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == Univ
WiFi, Realm != localream.mydomain, Proxy-to-realm := remoteRealm
Authentication works properly while User-Name in accounting data,
On 8/7/09 15:07, Alan DeKok wrote:
You can map that VLAN number to a server-side attribute. Then, copy
it to the correct tunnel attribute when you want.
e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
if (... i want to send vlan) {
update reply {
We setup proxy (on freeradius 2.1.3) by putting following lines in users
and acct_users:
DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == Univ
WiFi, Realm != localream.mydomain, Proxy-to-realm := remoteRealm
Authentication works properly while User-Name in accounting data, the
e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
if (... i want to send vlan) {
update reply {
Tunnel-Private-Group-Id = %{Tmp-String-0}
reply:Tmp-String-0
Ivan Kalik
Kalik Informatika ISP
Hi,
csd-notebook\user_name Cleartext-Password := user_password
Where csd-notebook is notebook name.
This setting is working.
But I would like to make 2 improvements to current configuration.
1. to have an ability to specify only user name in users file in order to
not depend on user
On 8/7/09 16:21, Ivan Kalik wrote:
e.g. map it to Tmp-String-0, (ldap.attrmap), and then do:
if (... i want to send vlan) {
update reply {
Tunnel-Private-Group-Id = %{Tmp-String-0}
reply:Tmp-String-0
Pants! I was almost certain I'd tried that
Ivan Kalik wrote:
reply:Tmp-String-0
Whoops.. that's my typo.
Alan DeKok.
We setup proxy (on freeradius 2.1.3) by putting following lines in
users and acct_users:
DEFAULT Huntgroup-Name == Aruba, Aruba-Essid-Name == Univ
WiFi, Realm != localream.mydomain, Proxy-to-realm := remoteRealm
Authentication works properly while User-Name in accounting data,
Hi Alan, thanks for the answer. (and thanks to David too).
I can't seem to find 2.1.7 yet, but I will keep this in mind.
Just as an FYI, I do see commercial NAS code that implements this.
Alan DeKok-2 wrote:
Gong Cheng wrote:
Hi,
I wonder if there is a way
- not to include
Just checked hostapd and it seems to implement this too:
hostapd/ieee802_1x.c:
case RADIUS_CODE_ACCESS_CHALLENGE:
sm->eap_if->aaaEapReq = TRUE;
if (session_timeout_set) {
/* RFC 2869, Ch. 2.3.2; RFC 3580, Ch. 3.17 */
I try to authenticate on sshd through pam by the pam_radius_auth, my
platform is based on PowerPc(big endian). After changes in md5 file i
accepted authentication is ok on the radius server, but my side of sshd is
failed( i don't succeed to accept the session when i try to connect to sshd
) with
How to control a wpa_supplicant client request can only send to a hostapd
NAS?
My network struct was following:
RADIUS(freeradius)
|
Remove the trailing semicolon.
The documentation isn't very clear on that point, but the semicolon is only
needed as a separator if you are supplying multiple services to the BTS. It
should not be included as the trailing character.
The debug output for this was... unhelpful in earlier
Actually authorization in their hybrid 16d system that Steve is using is
very seamless. We've looked at many solutions and in most
configuration/service assignment revolves around some kind of custom NMS
that is a complete kludge or require service levels to be configured in each
MS individually.
How to control a wpa_supplicant client request can only send to a hostapd
NAS?
My network struct was following:
RADIUS(freeradius)
|
Thanks Ben,
Can you just clarify that it is the service is defined using the
Filter-ID attrib?
Yes the service is for Eth CS although I think it's 16e capable - but due
to a complete lack of response from Alvarion I do not exactly know!
On that note I am also trying to find out the
Hi Ben,
Right then now I'm getting somewhere! That does indeed work and what's
more annoying is I tried removing the semi colon yesterday - however what
I failed to notice was in my service profile string the c: for VLAN
classification for some reason I had entered a capital C - d'oh!!!
How to control a wpa_supplicant client request can only send to a hostapd
NAS?
My network struct was following:
RADIUS(freeradius)
|