Re: Service radiusd Start vs radiusd

2012-01-25 Thread eric.chang
After disabling SELinux, everything works fine. Thank you

DHCP testing, v2.1.x

2012-01-25 Thread Fajar A. Nugraha
(changed subject to better match content) On Tue, Jan 24, 2012 at 10:00 PM, Fajar A. Nugraha l...@fajar.net wrote: 2012/1/24 Marinko Tarlać mangi...@gmail.com: I'm using CentOS so I'll try with the latest 2.1.x from git The problem which bothers me is that I need more than classic ip-mac

Authentication with multiple AD

2012-01-25 Thread Pavel Klochan
Hi. I need advice/help with my problem. I'm trying to authenticate with 2 LDAP-servers from freeradius, but without success. I have two AD with different domains (e.g. domain1 and domain2, and they are not linked). I'm trying to authenticate by UPN (username@domainX). I thought it would be

Changing domain for ntlm_auth

2012-01-25 Thread NdK
Hi all. To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. So I added to proxy.conf: realm PERSONALE { } realm STUDENTI { } realm ~^studio\\.unibo\\.it { Realm := STUDENTI } realm ~^studio\\.unibo\\.it { Realm := PERSONALE } realm

Re: Authentication with multiple AD

2012-01-25 Thread NdK
Il 25/01/2012 11:19, Pavel Klochan ha scritto: Hi. I need advice/help with my problem. I'm trying to authenticate with 2 LDAP-servers from freeradius, but without success. I'm just a newbie, but have you tried proxying requests to two different local servers? BYtE, Diego.

Re: Changing domain for ntlm_auth

2012-01-25 Thread Alan DeKok
NdK wrote: To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. I'm not sure why. So I added to proxy.conf: ... realm ~^studio\\.unibo\\.it { Realm := STUDENTI } Huh? NOTHING in the documentation or examples says that should

Re: Service radiusd Start vs radiusd

2012-01-25 Thread Phil Mayers
On 01/25/2012 08:27 AM, eric.chang wrote: After disabling SELinux, everything works fine. Did you: 1. Disable SELinux for freeradius 2. Disable SELinux entirely If you did number 2. I would STRONGLY advise against it. Instead, if you must, do this: setsebool -P radiusd_disable_trans=1 -

Re: Changing domain for ntlm_auth

2012-01-25 Thread Phil Mayers
On 01/25/2012 10:37 AM, NdK wrote: Hi all. To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. Why do you think this is true? (*) Just 'most' users since I couldn't yet find a way to use the UPN, so users whose UPN have been changed

Re: Service radiusd Start vs radiusd

2012-01-25 Thread Alan Buxey
Hi, Did you: 1. Disable SELinux for freeradius 2. Disable SELinux entirely ...well, I'd say read up on SELinux and use the tools to make the correct policy for FreeRADIUS to work on your system WITH SELinux running alan

Re: Service radiusd Start vs radiusd

2012-01-25 Thread Phil Mayers
On 01/25/2012 12:38 PM, Alan Buxey wrote: Hi, Did you: 1. Disable SELinux for freeradius 2. Disable SELinux entirely ...well, I'd say read up on SELinux and use the tools to make the correct policy for FreeRADIUS to work on your system WITH SELinux running That's certainly what *I*

RE: request tracking

2012-01-25 Thread Travis Dimmig
I assume this ID is generated by the device generating radius, and not something that is calculated by freeRadius? Is this ID a radius attribute, such as either Acct-Session-Id or Acct-Unique-Session-Id? Is there a standard method used to derive this ID for devices that output RADIUS? I am

Re: request tracking

2012-01-25 Thread Alan DeKok
Travis Dimmig wrote: I assume this ID is generated by the device generating radius, and not something that is calculated by freeRadius? See Wikipedia. That's what it's for. Is this ID a radius attribute, such as either Acct-Session-Id or Acct-Unique-Session-Id? Again, see Wikipedia.

Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 13:32, Phil Mayers ha scritto: To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. Why do you think this is true? 'cause ntlm_auth won't authenticate user.n...@unibo.it or user.name@PERSONALE. It returns no such user. It

Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 12:48, Alan DeKok ha scritto: To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. I'm not sure why. Because KRB5-domain and DNS-domain are different in my setup. And I can't change it. So I added to proxy.conf: ...

Re: Service radiusd Start vs radiusd

2012-01-25 Thread John Dennis
On 01/25/2012 03:27 AM, eric.chang wrote: After disabling SELinux, everything works fine. What distribution are you using? FreeRADIUS + SELinux is supposed to be a supported combination (with distribution provided packages). It's important to note that SELinux handles transitions for

Re: Changing domain for ntlm_auth

2012-01-25 Thread Alan Buxey
Hi, Il 25/01/2012 13:32, Phil Mayers ha scritto: To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. Why do you think this is true? 'cause ntlm_auth won't authenticate user.n...@unibo.it or user.name@PERSONALE. It returns no such

Re: Changing domain for ntlm_auth

2012-01-25 Thread Phil Mayers
On 01/25/2012 02:30 PM, NdK wrote: Il 25/01/2012 13:32, Phil Mayers ha scritto: To let (most (*)) users login with their e-mail address, I'd need to translate the realm part to a domain. Why do you think this is true? 'cause ntlm_auth won't authenticate user.n...@unibo.it or

Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 18:24, Phil Mayers ha scritto: There are many ways to do this. The simplest is something like follows: modules/mschap: ... ntlm_auth = .. \ --username=%{%{Stripped-User-Name}:-%{mschap:User-Name}} \ --nt-domain=YOUR-DOMAIN That's not doable. If mail is in unibo.it,

Re: Changing domain for ntlm_auth

2012-01-25 Thread NdK
Il 25/01/2012 15:58, Alan Buxey ha scritto: use Stripped-User-Name in the ntlm_auth line and NT-Domain for domain (enable ntdomain in authorize) - see the example ntlm_auth provided with server... Already tried and discarded. I think the definitive solution is the one highlighted by Phil.

Re: Changing domain for ntlm_auth

2012-01-25 Thread Phil Mayers
On 01/25/2012 07:21 PM, NdK wrote: That's not doable. If mail is in unibo.it, domain is not unibo.it but PERSONALE. Same if mail is in esterni.unibo.it. But for studio.unibo.it domain is STUDENTI. Ok, so you've got >1 AD domain. Not terribly common, but it ought to work with mapping as per

Re: Juniper Questions (MX/ERX)

2012-01-25 Thread Bjørn Mork
Paul Stewart p...@paulstewart.org writes: I'm trying to get an understanding on a FreeRadius installation how to enable the unisphere.dictionary. There are specific attributes in that file that we need such as Unisphere-Ingress-Policy-Name. By default, this dictionary file is commented out

How to Restrict All Users from Certain APs

2012-01-25 Thread White III, Joe
I'm running Freeradius 1.0.1 using MySQL as the database backend. I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users file, but I can't find any examples to work

Re: How to Restrict All Users from Certain APs

2012-01-25 Thread James J J Hooper
On 25/01/2012 20:35, White III, Joe wrote: I'm running Freeradius 1.0.1 using MySQL as the database backend. I need to configure the server so that all users are restricted from using certain access points (i.e. guest network). It appears I need to use a DEFAULT user definition in the users

RE: How to Restrict All Users from Certain APs

2012-01-25 Thread White III, Joe
Generally, you can only do this if the requests from those certain APs have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject. If I have three access points I don't want users to access, can I do something like

Re: Changing domain for ntlm_auth

2012-01-25 Thread Alan Buxey
Hi, Il 25/01/2012 15:58, Alan Buxey ha scritto: use Stripped-User-Name in the ntlm_auth line and NT-Domain for domain (enable ntdomain in authorize) - see the example ntlm_auth provided with server... Already tried and discarded. I think the definitive solution is the one

Re: How to Restrict All Users from Certain APs

2012-01-25 Thread Fajar A. Nugraha
On Thu, Jan 26, 2012 at 4:37 AM, White III, Joe joe.wh...@arvatousa.com wrote: Generally, you can only do this if the requests from those certain APs have something which distinguishes them. Then you can match on this in the users file [using 'DEFAULT'] and set Auth-Type to Reject. If I

self-signed root CA

2012-01-25 Thread McNutt, Justin M.
So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than that. If you AREN'T using a self-signed

Re: self-signed root CA

2012-01-25 Thread Matthew Newton
Hi, On Thu, Jan 26, 2012 at 12:08:34AM +0000, McNutt, Justin M. wrote: long story short, I was asked to find out what other people were doing. Self-signed CA. And just to be clear, is the consensus still that a self-signed CA is the way to go, Self-signed CA - you have to distribute the CA

Re: self-signed root CA

2012-01-25 Thread Alan DeKok
McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. Self-signed CA. *Always*. And just to be clear, is the consensus