rrperez wrote:
Thanks for the response David,
Now, I have solved the problem locally by putting an attribute in the
ldap.attrmap but then another problem appears through the wireless network,
MSCHAPv2 fails.
...
Is there a way for me to solve the mschapv2 error?
Store the passwords in a
Etienne Philip Pretorius wrote:
I need to make localhost select the correct virtual server based on a
custom attribute that is passed to Freeradius.
Virtual servers don't work that way.
I have three virtual servers, and I use scripts to inject radius
accounting packets into the radius
On 2010/08/09 11:14 PM, Alan DeKok wrote:
The accounting data is sent in the clear on a LAN. This shouldn't be
a problem.
If you're sending accounting data across the Internet, use IPSec.
Don't even pretend to use anything else. RADIUS (and TACACS+) security
is simply not as good as
Hi,
My thinking was to use radsecproxy-freeradius (my nas, coova, supports
radsec).
Any comments on ipsec vs radsec?
RADIUS with TLS over TCP (what some define as 'RADSec') is good. Can't wait
until all mainstream RADIUS servers support it natively. Until then,
RADSecproxy will do what
Thanks for the response Alan,
I just need to store the user passwords on my ldap server to be in the form
of clear-text or nt hash. I read some documentation that microsoft clients
only authenticate with MS-CHAP/v2. What if I use the EAP-GTC for my wireless
authentication, is that possible?
Thanks Alan,
At the moment we have restricted the accounting data to a layer 2 VPLS
segment however I'll investigate the use of IPSEC as well to let those that
worry about these things sleep better at night.
On Tue, Aug 10, 2010 at 3:53 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Thank you
Basically what I have done is this. I am wanting to use freeradius to be the
radius server for a few of my hotspots.
They use two different NAS devices. Now the problem I faced is that both
NASes use different VSAs for limiting users' bandwidth. So my perl script
will check the
Subject: Re: Freeradius accounting issues
From: a.cudba...@googlemail.com
Date: Fri, 6 Aug 2010 15:19:24 -0700
To: freeradius-users@lists.freeradius.org
On Aug 6, 2010, at 3:12 PM, Marinko Tarlac wrote:
Or you can simply make small changes in SQL queries for accounting and you
Hello,
We recently had an event during which our radius server lost connectivity to
our Active Directory server. All the network gear could contact radius so
none fell back to the backup authentication method (local), but because AD
was down we couldn't get into our devices. Is there a way to use
On 10.08.2010 at 16:54, Aqdas Muneer wrote:
Hello,
We recently had an event during which our radius server lost
connectivity to our Active Directory server. All the network gear
could contact radius so none fell back to the backup authentication
method (local), but because AD was down
So this is what I have in my users file. How can I make it so that the admin
account is only used if AD is inaccessible?
admin Huntgroup-Name == network-admin, Cleartext-Password :=
x
Service-Type := NAS-Prompt-User,
cisco-avpair :=
Hi Guys
I was wondering if there was any easy way to import the accounting packets
recorded in the flat files located at /var/log/freeradius/radacct into a
MySQL database...
My entries in the flat files look like this (entry stripped) :-
Wed Jul 7 22:37:39 2010
NAS-IP-Address =
Chun (Andrew) Xu wrote:
You will need EAP-MD5 to do authentication with Juniper EX switch as
authenticator. Enable eap in your authorize and authenticate
section. The default settings in eap.conf should work without any
tweaks.
Great. That worked smoothly. Thank you!
rad_recv: Access-Request packet from host 10.10.10.254 port 58798,
id=45, length=118
User-Name = aa7f9c90
NAS-Port = 119
EAP-Message = 0x021101616130303030376639633930
Message-Authenticator = 0x4ab3cccda64e92e76dfa2a97172cebca
Acct-Session-Id =
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi all,
Does freeradius support receiving Interim-Update with the accounting
info? meaning updating the radacct table with user usage / session
time at regular intervals?
Regards
Phil Mayers wrote:
You've enabled 802.1x, not MAC-based VLANs. You'll need to configure 802.1x
at the servers or configure MAC-based auth at the switch.
I thought I'd. Indeed authentication is working now, however the switch doesn't
assign clients to the VLAN the RADIUS server instructs to.
I hope someone can help me.
I have written in about this problem before so please forgive me, but it
is still plaguing me : )
Quickly, my problem is users cannot log in using usern...@domain but can
login fine with domain\username.
One person mentioned the realms module, but when I look at it
Access-Accept
[eap] Freeing handler
rlm_eap_ttls: Freeing handler for user john
++[eap] returns ok
+- entering group post-auth {...}
[reply_log] expand: /var/log/freeradius/radacct/%{Client-IP-
Address}/reply-detail-%Y%m%d - /var/log/freeradius/radacct/127.0.0.1/reply-
detail-20100810
Does freeradius support receiving Interim-Update with the accounting
info? meaning updating the radacct table with user usage / session
time at regular intervals?
Yes. You need to make sure that your NAS is configured to send the updates.
Tim
I really think the VLAN assignment problem is related to your EX4200 VC.
FreeRadius had done its job. You probably have to contact JTAC. BTW, which
version of JUNOS are you running on the EX4200 VC? The latest version JTAC
recommended is 10.0S6.1. Hope this will help.
-Original
I forgot to mention one thing. I am using VLAN name instead of VLAN ID to do
dynamic VLAN assignment. It works for me. You could try the following.
aa7f9c90 Auth-Type := EAP, Cleartext-Password == aa7f9c90
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
Currently I use 2.1.4. Is this functionality supported in the 2.14 release?
Regards
On Tue, Aug 10, 2010 at 6:54 PM, Tim Sylvester
tim.sylves...@networkradius.com wrote:
Does freeradius support receiving Interim-Update with the accounting
info? meaning updating the radacct table with user usage
Ok, I believe that I may have done this. In the dialup.conf file I edited
accounting_stop_query to update my attribute. It is the only place where I
saw anything happening on account-stop.
Hope that is correct.
On Tue, Aug 10, 2010 at 3:20 PM, Tyller D tyll...@gmail.com wrote:
Thank you
Hi,
I want to secure my WPA network with PEAP-MSCHAPv2 and EAP-TLS.
The first one already works (including LDAP server) but the second one
fails. This is the output of freeradius -X:
Ready to process requests.
rad_recv: Access-Request packet from host 192.168.200.151 port 2049,
id=0,
Lukas Haase wrote:
I searched a lot in the net and all I found was that the supplicant
should be broken because it should send a username along.
Yes. The supplicant is broken.
*Or* you somehow managed to get it to do 802.1X with an empty user name.
Well, I cannot imagine this because
Sallee, Stephen (Jake) wrote:
Quickly, my problem is users cannot log in using usern...@domain but can
login fine with domain\username.
So... what is different in the debug log between the two requests?
One person mentioned the realms module, but when I look at it the
default conf looks
Greetings,
Trying to get FreeRADIUS 2.1.8 to authenticate VPN users for PfSense's
PPTP server.
I am having an issue similar to the one in this old list post:
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40632.html.
When I try to log into the VPN from a Windows
Hello All,
There are quite a few components coming into play here so I'm not exactly
sure what's breaking where.
Let me start with explaining our setup:
We use cisco 1142 agn lightweight access points connected to a 4402
Wireless Lan Controller
This controller is doing radius
When joining from my Android, it comes across as:
Tue Aug 10 11:26:53 2010
User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because I get an IP address (in the
incorrect vlan)
Hi,
On 10.08.2010 at 22:20, Alan DeKok wrote:
Lukas Haase wrote:
I searched a lot in the net and all I found was that the supplicant
should be broken because it should send a username along.
Yes. The supplicant is broken.
Thank you. Seems so. Windows is broken! ARGH!
(Works with a
Hi,
I think I have a simple question: Today I upgraded from WPA-PSK to WPA
Enterprise and use PEAP-MSCHAPv2 for users (using logins) now and I want
to use EAP-TLS for machines.
How can I configure a WinXP machine such that login is *not* associated
to a user but to the machine? As such,
I have figured out where my mistake was. I needed to have the users file
being used in the authorize section, but I shouldn't have had Auth-Type :=
Accept at the end of each line for the Groups, otherwise if the Auth-Type
is set to Accept the authenticate section is never run through.
So now
Thomas Donnelly wrote:
When joining from my Android, it comes across as:
Tue Aug 10 11:26:53 2010
User-Name = 1fT6ESzC4Dbj9oIpiJjjfg==
Arg. Base-64 encoded?
(A few chars changed to prevent the username from being figured out)
This somehow is authenticating correctly because
Cory Johnson wrote:
When I try to log into the VPN from a Windows client, I get the error
message: Error 691: Access was denied because the user name and/or
password was invalid on the domain., but radius logs show
Access-Accept.
You misconfigured the server, and broke it.
My major
Antony King wrote:
The 'live' server is a centos5.5 box. I've tried with the standard
freeradius2
package (version 2.1.7) and a version compiled from SRPMS in case there was a
problem with ttls in that version. The configuration was copied over from the
test server, with new keys
Peter Lambrechtsen wrote:
I have figured out where my mistake was. I needed to have the users
file being used in the authorize section, but I shouldn't have had
Auth-Type := Accept at the end of each line for the Groups, otherwise
if the Auth-Type is set to Accept the authenticate section is
Jason Fenner wrote:
However, when I test PEAP using eapol_test authentication also works
fine, but the ldap group checking occurs only on the outer-tunnel
username. In this case, the outer tunnel is created using the username
anonymous. This user doesn't exist in AD, so a failure is the
Lukas Haase wrote:
I think I have a simple question: Today I upgraded from WPA-PSK to WPA
Enterprise and use PEAP-MSCHAPv2 for users (using logins) now and I want
to use EAP-TLS for machines.
..
I tried to add the client certificate for EAP-TLS to the computer
certificate store. But the
On Wed, Aug 11, 2010 at 12:40 PM, Alan DeKok al...@deployingradius.com wrote:
Peter Lambrechtsen wrote:
I have figured out where my mistake was. I needed to have the users
file being used in the authorize section, but I shouldn't have had
Auth-Type := Accept at the end of each line for the
Hi,
Thank you for your reply!
On 11.08.2010 at 02:46, Alan DeKok wrote:
Lukas Haase wrote:
[...]
This is really a Windows question.
Yes, I was not sure, that is why I set [OT?]...
This can't be true?! there must be a way to connect the whole machine
using a certificate (not just the
I have found a working solution for my environment and wanted to share
it with the list in case it may help someone else.
In my proxy.conf file I added the following
--
realm domainName1 {
}
realm domainName2 {
}
--
That fixed my realm problem, not sure why...
--On 10 August 2010 17:24 -0500 Thomas Donnelly tad1...@gmail.com wrote:
Hello All,
There are quite a few components coming into play here so I'm not exactly
sure what's breaking where.
Let me start with explaining our setup:
We use cisco 1142 agn lightweight access points connected to a