How to get fractions of seconds?

2011-02-09 Thread Stefan A.
Good morning, for logging and monitoring purposes, I need to add the time spent for a particular Flow to a log file. Best would be to have something like '%l', but in a resolution of milliseconds. If I had the runtime variable of (e.g.) %t for timestamp.milliseconds I could try something

Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Jonathan Gazeley
I am asking about MySQL connections to a database *other than* the usual radius database. For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a query, destroys the handle, and returns the value to

Re: How to get fractions of seconds?

2011-02-09 Thread Alan DeKok
Stefan A. wrote: Best would be to have something like '%l', but in a resolution of milliseconds. This is impossible. The dates and elapsed times in RADIUS have a resolution down to one second, but no more. It's possible to fake adding milliseconds, but they will bear little relation to

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Alan DeKok
Jonathan Gazeley wrote: What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module? Use static variables in the Perl code. This is really a Perl question. Alan DeKok. - List

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Jonathan Gazeley
On 02/09/2011 10:38 AM, Alan DeKok wrote: Jonathan Gazeley wrote: What's the approved method for making radiusd open persistent connections to an arbitrary database, and then using these handles from a perl module? Use static variables in the Perl code. This is really a Perl question.

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Alan DeKok
Jonathan Gazeley wrote: I want radiusd to open the handles at startup, in the same way that it already opens its own handles. Read the example.pl file: # If you are using DBI and do some queries to DB, please be sure to # use the CLONE function to initialize the DBI connection to DB. Then

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Alexander Clouter
Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote: I am asking about MySQL connections to a database *other than* the usual radius database. For one of my wireless SSIDs, part of the authorization process invokes a perl script which opens a MySQL handle to a different database, does a

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Jonathan Gazeley
On 02/09/2011 10:33 AM, Alexander Clouter wrote: However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded). Please excuse the ignorance -

Re: How to get fractions of seconds?

2011-02-09 Thread Ramon J. Castillo
I see it useful too, when specifying for example response_window that instead of being 1 (one second) could be 1200 as in twelve hundred milliseconds. I have found some devices that time out in 3 seconds; in these cases you still want to retry at least once. Of course here the network delay is

Re: Persistent MySQL connections to arbitrary databases

2011-02-09 Thread Alexander Clouter
Jonathan Gazeley jonathan.gaze...@bristol.ac.uk wrote: However, why do you need to close the handle? Just when you open it, do your work, store it to the side in a hash and mark it available for use (remember to add locking as it sounds like your script is threaded). Please excuse the
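Alan DeKok's pointer to the CLONE note in example.pl and Alexander Clouter's advice to open the handle once and keep it to the side come together in the module below. It is an added example, not FreeRADIUS's example.pl and not Jonathan's script; the DSN, credentials, the wifi_users table and its columns, and the VLAN reply attributes are placeholders. rlm_perl clones the Perl interpreter for every server thread, so a file-scoped variable holds one handle per thread and CLONE runs once in each new thread; the handle is never shared between threads, which is why no locking is needed around it.

```perl
# Added example (not FreeRADIUS's example.pl): an rlm_perl module that keeps
# one persistent DBI handle per server thread for a database *other than*
# the RADIUS database. rlm_perl clones the interpreter per thread, so $dbh
# below is per-thread and CLONE is invoked once in every new thread.
use strict;
use warnings;
use DBI;

# Return codes, same values as FreeRADIUS 2.x example.pl.
use constant {
    RLM_MODULE_REJECT   => 0,
    RLM_MODULE_FAIL     => 1,
    RLM_MODULE_OK       => 2,
    RLM_MODULE_NOTFOUND => 6,
    RLM_MODULE_NOOP     => 7,
    RLM_MODULE_UPDATED  => 8,
};

# Assumed DSN, credentials, table and column names: placeholders only.
my $DSN  = 'DBI:mysql:database=wifi_acl;host=db.example.org';
my $USER = 'radius_ro';
my $PASS = 'change-me';

# Filled in by rlm_perl before each call.
our %RAD_REQUEST;
our %RAD_REPLY;

# One handle per interpreter (per thread). Never shared across threads.
my $dbh;

sub _connect {
    return DBI->connect($DSN, $USER, $PASS,
        { RaiseError => 1, PrintError => 0, AutoCommit => 1 });
}

# Called by Perl in every newly cloned thread: open that thread's own handle
# instead of reusing a handle inherited from the parent interpreter.
sub CLONE {
    $dbh = _connect();
}

# Return a live handle; reconnect if the server dropped it (wait_timeout)
# or if this is the first interpreter, where CLONE was never called.
sub _dbh {
    if (!$dbh || !$dbh->ping) {
        $dbh = _connect();
    }
    return $dbh;
}

sub authorize {
    my $user = $RAD_REQUEST{'User-Name'};
    return RLM_MODULE_NOOP unless defined $user;

    my $vlan = eval {
        my $sth = _dbh()->prepare_cached(
            'SELECT vlan_id FROM wifi_users WHERE username = ? AND enabled = 1');
        $sth->execute($user);     # bound parameter: no string interpolation
        my ($v) = $sth->fetchrow_array;
        $sth->finish;
        $v;
    };
    if ($@) {
        # 4 is L_ERR in radiusd.h
        &radiusd::radlog(4, "wifi_acl lookup failed for $user: $@");
        $dbh = undef;             # force a fresh connection on the next call
        return RLM_MODULE_FAIL;
    }
    return RLM_MODULE_NOTFOUND unless defined $vlan;

    $RAD_REPLY{'Tunnel-Type'}             = 'VLAN';
    $RAD_REPLY{'Tunnel-Medium-Type'}      = 'IEEE-802';
    $RAD_REPLY{'Tunnel-Private-Group-Id'} = $vlan;
    return RLM_MODULE_UPDATED;
}

1;
```

Load it with a perl module instance whose module setting points at this file and list that instance in the authorize section of the virtual server for the SSID. The handle is opened once per thread and reused; the ping check covers the case where MySQL closes an idle connection, and a failed query returns fail rather than reject so that a database outage does not silently deny users. Bind parameters are used so that a crafted User-Name cannot alter the query.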

Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Schaatsbergen, Chris
Greetings all, We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. I have been looking and found: http://wiki.freeradius.org/Cisco

Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Gary Gatten
If no one else jumps in I can help you out in a couple hours. - Original Message - From: Schaatsbergen, Chris [mailto:chris.schaatsber...@aleo-solar.de] Sent: Wednesday, February 09, 2011 09:24 AM To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject:

Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Hi Chris, We use TACACS+ to administer our switches here and I can tell you that I had to add extra stuff to the TACACS replies to allow authorization to manage the switches. So you may be able to login via radius but somewhere you are going to have to send information to the switch on

Re: How to get fractions of seconds?

2011-02-09 Thread Craig Campbell
, processing delays, etc. will all affect the results. Alan DeKok.

RE: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Gary Gatten
Authentication with ntlm-auth and require-membership-of works well for us. Right now we simply authenticate the login/vty session with AD, and the secret is authorized locally by the switch. So, each person gets the vty session with their own unique credentials validated via ntlm-auth and AD.

RE: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Yep, simple auth should be no problem, I was referring to pushing the authorization out to the switch. So for us, we login and are automatically at the enable level we defined in TACACS. When I was researching this, I believe it said you could get all the same stuff with Radius, the only real
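The setup Gary and Brett describe, vty login authenticated against AD through ntlm_auth with a group check and the privilege level pushed to the switch in the RADIUS reply, as an added configuration example. It is not from the thread and not FreeRADIUS's shipped config; the path to ntlm_auth, the domain EXAMPLE, the group switch-admins and the module name ntlm_auth_switch are assumptions.

```conf
# Added example, FreeRADIUS 2.x style. Placeholders: ntlm_auth path, domain
# EXAMPLE, AD group switch-admins, module name ntlm_auth_switch.

# raddb/modules/ntlm_auth_switch
# The switch sends the vty password as PAP, so the cleartext User-Password
# is available here. This does not work for EAP methods.
exec ntlm_auth_switch {
	wait = yes
	# An SID (wbinfo --name-to-sid) also works for --require-membership-of
	# and avoids quoting problems with group names that contain spaces.
	program = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=EXAMPLE\\switch-admins"
}

# raddb/sites-available/default (relevant parts only)
authorize {
	preprocess
	# Cisco IOS reports vty (SSH/telnet) sessions as NAS-Port-Type = Virtual.
	# Only those go to AD; wireless and other requests fall through unchanged.
	if (NAS-Port-Type == Virtual) {
		update control {
			Auth-Type := ntlm_auth_switch
		}
		# Exec authorization: the user lands at privilege 15 after login,
		# so no shared enable secret has to be known.
		update reply {
			Service-Type = NAS-Prompt-User
			Cisco-AVPair = "shell:priv-lvl=15"
		}
	}
	# ... the remaining authorize modules ...
}

authenticate {
	Auth-Type ntlm_auth_switch {
		ntlm_auth_switch
	}
	# ... pap, mschap, eap, etc. ...
}
```

On the IOS side (assumed commands) the switch needs aaa new-model, a radius-server host entry with the shared secret, aaa authentication login and aaa authorization exec both set to group radius with local as fallback, and those method lists applied to the vty lines; keep a local account so that a RADIUS outage does not lock you out. Run radiusd -X and log in once to confirm that the Access-Accept carries the two reply attributes. Two caveats a practitioner should keep in mind: RADIUS has no per-command authorization, so TACACS+ is still the only option if individual commands must be authorized, and in RADIUS only the User-Password attribute is obfuscated (with an MD5 keystream derived from the shared secret and Request Authenticator) while every other attribute travels in clear, so the switch-to-server path belongs on a management network or inside a tunnel.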

Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brian Candler
On Wed, Feb 09, 2011 at 04:24:05PM +0100, Schaatsbergen, Chris wrote: We have a couple of Cisco switches that we administer using SSH sessions. Now I have been asked if we can authenticate the SSH login on our Windows 2008 Active Directory using our Freeradius (2.1.10) installation. The

AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Schaatsbergen, Chris
Greetings Gary, Well, this does sound like what I would like to achieve, we only have 3 users to administer the Cisco switches, though all domain admins (7) could do it. We currently have one admin user account and all domain admins know the password. To go to priv level (enable) we will

Re: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Oliver Elliott
I had a look into this and as far as I could tell, the conversation between the switch and the radius server was not encrypted unless you use TACACS. Does anyone know if this conversation can be encrypted while using Freeradius, as otherwise the domain login details are presumably being sent

RE: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Gary Gatten
I *think* you are correct. Between FR and AD it may just be a one-way-hash of the pw, but not sure. FR can't support anything the NAS doesn't. Well, it could but what good would it do? I remember reading about a new / different flavor of RADIUS that includes encryption, but I forget what

RE: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Hey Oli, I think it is always a good idea to keep the switch management on a separate management vlan, regardless of whether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I don't think it does much else. Gary may be right that it just

Re: PEAP MSCHAPv2 error..

2011-02-09 Thread Mark Holmes
Thanks, Alan - got it fixed now. On 8 Feb 2011, at 21:15, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: Hi, Entered bob as username, testing123 as password I get No such realm 'NULL' So added - realm test { authhost = LOCAL accthost = LOCAL } realm LOCAL { }

Re: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brian Candler
On Wed, Feb 09, 2011 at 09:35:35AM -0800, Brett Littrell wrote: I think it is always a good idea to keep the switch management on a separate management vlan, regardless of whether you encrypt the info or not. Between Cisco and Radius servers it does encrypt the password but I

Re: AW: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Brett Littrell
Ya, you're right, I meant the CAM table. Flooding the CAM table with MAC addresses caused all the traffic to broadcast to all ports. My bad, but it is/was a fundamental flaw in the way switches work, I know Cisco had a fix out for it but it did not work with dot1x and DVlans. The moral of

Re: Authenticating SSH login on a Cisco IOS switch to AD

2011-02-09 Thread Alexander Clouter
Brian Candler b.cand...@pobox.com wrote: Incidentally, it's quite reasonable to use RADIUS for authentication and authorization, and TACACS for accounting (e.g. point your aaa accounting at an instance of tac_plus). Then you have a real-time log of individual commands run. I would say it

RE: Proxy Maintenance Process

2011-02-09 Thread Gary Gatten
Was reading (I know, scary) and came across this in the policy.conf: # # If you want the server to pretend that it is dead, # then use the do_not_respond policy. # do_not_respond { update control {

How to authorize login users using FreeRadius???

2011-02-09 Thread vijay s sheelavantar
Hello friends, I am running pam_radius_auth.so client on one machine and freeRadius server on the other machine. Authentication is happening fine for the user accounts. I want to give certain privilege levels to each user on client machine. For example network_admin, security_admin, guest

FreeRADIUS + Cygwin + Active Directory authentication?

2011-02-09 Thread Moe, John
I'm trying to set up a FreeRADIUS server in our organization, and the corporate preference is to run on Windows. I've got FreeRADIUS to compile and have successfully completed the PAP test (from http://deployingradius.com/documents/configuration/pap.html) to make sure it works. Now I'm looking

Re: FreeRADIUS + Cygwin + Active Directory authentication?

2011-02-09 Thread Paul Bartell
Frankly, running Free Radius on windows sounds like a bad idea, especially should you ever need to update it or have another person (maybe 5 years down the road) change it a bit. Generally, running a server process under Cygwin is a lot of extra work for not much convenience. I would suggest either