On 28 Aug 2013, at 14:35, Martin Kraus lists...@wujiman.net wrote:
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
server inner-tunnel {
authorize {
eap
# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0]
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query for
PEAP?
What inner?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We're trying to put together a dictionary for the Cisco ASA VPN3000 box.
They have a list of attributes here:
http://www.cisco.com/en/US/docs/security/asa/asa90/configuration/guide/ref_extserver.html#wp1802187
In that list they have type 'boolean', but RADIUS can't encode attributes
smaller than
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query
for PEAP?
What inner?
MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2?
Arran Cudbard-Bell
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query
for PEAP?
What inner?
On 28/08/13 15:11, Arran Cudbard-Bell wrote:
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query for
PEAP?
What inner?
MSCHAPv2 - I thought PEAPv0
On 28 Aug 2013, at 15:26, Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 28, 2013 at 03:11:04PM +0100, Arran Cudbard-Bell wrote:
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration
Yes, Alan B had some comments about that IIRC...
I think Apple these days expect administrators to use the Apple iPhone
Configuration Utility to create a network profile and import that into your
802.1X settings.
Bizarre, but there you are.
Stefan
-Original Message-
Fine, yes,
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP
usually specifies PEAP with an MSCHAPv2 inner?
Windows 7 supports PEAP+TLS. Unlike Network Manager on linux distributions.
and wow did they get
On 28 Aug 2013, at 15:38, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 15:11, Arran Cudbard-Bell wrote:
On 28 Aug 2013, at 15:01, Phil Mayers p.may...@imperial.ac.uk wrote:
On 28/08/13 14:49, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a
Arran wrote:
and wow did they get rid of the 802.1X profile configuration GUI interface in
OSX 10.8? That sucks.
If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.
--
Brian S. Julin
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query
for PEAP?
The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup.
# When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we
On 28/08/13 15:46, Arran Cudbard-Bell wrote:
OK. Just wondering if you could really get it down to a single
lookup, IIRC you needed the 'known good' NT-Password data for a
couple of rounds of MSCHAPv2?
Nope, just one. The MSCHAP challenge response arrive at you, you
validate them and in turn
On 28/08/13 16:00, Martin Kraus wrote:
I found that if I nest ifs then default = return won't skip the authorize
section and putting the tests on multiple lines doesn't work so it is this
ugly:-)
Yeah, that's an annoyance of the configurable failover stuff.
However this really isn't
Hi Arran.
The cisco asa v9.0 and vpn 3000 aren't the same appliance ( different S.O.,
functions, etc..)
The correct guide with attributes:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.1/user/A_RADAtr.html#wp148379
Bye
-Original Message-
Arran Cudbard-Bell wrote:
In that list they have type 'boolean', but RADIUS can't encode attributes
smaller than a byte.
For boolean does anyone know if they really mean a standard 32bit integer
with the values 0/1, or
if they're wanting a single byte with the values 0/1, or whether it's
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
Apparently not; you can apparently run EAP-TLS inside PEAP,
which is a new one on me.
Has been running fine here for months. Only real benefit - SoH with
EAP-TLS.
For PEAP/MSCHAP, under 2.x the link someone posted to my
On Wed, Aug 28, 2013 at 03:13:12PM +, Brian Julin wrote:
Arran wrote:
and wow did they get rid of the 802.1X profile configuration GUI interface
in
OSX 10.8? That sucks.
If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig
On 28.08.2013 17:48, Alan DeKok wrote:
Arran Cudbard-Bell wrote:
In that list they have type 'boolean', but RADIUS can't encode attributes
smaller than a byte.
For boolean does anyone know if they really mean a standard 32bit integer
with the values 0/1, or
if they're wanting a single
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
OK. Just wondering if you could really get it down to a single lookup, IIRC
you needed the 'known good' NT-Password data for a couple of rounds of
MSCHAPv2?
with
if ( (EAP-Type == Identity) || (EAP-Type == NAK) ||
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote:
See the sites-available/check-eap-tls file in v3, and the
mods-available/eap file, option virtual_server in the tls
section.
I backported the patch I wrote to do this to v2 (which is what we
are running); I'm not sure if it
It's been a while since I've used it, but doesn't the iPhone Config Utility
generate mobileconfigs that work on OS X?
http://support.apple.com/kb/DL1465
Dave Aldwinckle
On 2013-08-28 11:13 AM, Brian Julin bju...@clarku.edu wrote:
Arran wrote:
and wow did they get rid of the 802.1X profile
Hi,
If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.
what, download the iPhone Configuration Utility? yes, quite horrible ;-)
alan
OK, fine since everyone seems to have done this more recently than
me, thanks all three of you for the update :-)
This is an improvement. Back when I was messing with it IIRC this was
only available for server 10.7.
The instructions for signing it are easier than I remember them being as well:
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,
Your reference is wrong/unknown which means that there's a noop. This means
no operation which means no fticks output
This brings me back to my earlier question: what values are available
where, and when,
via which
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,
Your reference is wrong/unknown which means that there's a noop. This means
no operation which means no fticks output
This brings me back to my earlier
Many thanks indeed. Are you saying I can just take out sim_files from the
authorise in the default file and it should work anyway?
If so, fantastic :)
On 26 August 2013 at 12:11 Iliya Peregoudov iperegu...@cboss.ru wrote:
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module
On 27.08.2013 10:57, ken.farrington wrote:
Many thanks indeed. Are you saying I can just take out sim_files from
the authorise in the default file and it should work anyway?
If so, fantastic :)
My raddb/sites-enabled/default:
authorize {
preprocess
auth_log
chap
mschap
suffix
eap
Fantastic and thanks. On it now :)
On 27 August 2013 at 08:54 Iliya Peregoudov iperegu...@cboss.ru wrote:
On 27.08.2013 10:57, ken.farrington wrote:
Many thanks indeed. Are you saying I can just take out sim_files from
the authorise in the default file and it should work anyway?
If so,
Hello Users --
I'm writing again to verify whether or not my initial question submitted to the
list was seen. Is there anyone on-list who is able and willing to assist in
troubleshooting a PostgreSQL integration with FreeRADIUS? If the initial
message was not received for whatever reason,
On Tue, Aug 27, 2013 at 8:04 PM, mdeche...@comcast.net wrote:
Hello Users --
( cc-ing you directly since it seems you have trouble receiving mails from
the list )
I'm writing again to verify whether or not my initial question submitted
to the list was seen. Is there anyone on-list who is
hi,
yes, it was received over a bank holiday weekend. not surprised
you didn't get an answer...we were all enjoying the break.
the DB seems to be loading up and being connected to (and you can
check this with logging on the pgsql server...) however, THIS bit
is your problem
rlm_sql (sql):
Hi,
I'm trying to find a way to log EAP requests and responses on an IdP in
such way that the inner and outer identity of a request end up on one
line; using linelog via f_ticks I managed to get a slightly more concise
logging going than the detail level in accounting messages. But I'd like
to
On 27 Aug 2013, at 17:59, Andrej andrej.gro...@gmail.com wrote:
Hi,
I'm trying to find a way to log EAP requests and responses on an IdP in such
way that the inner and outer identity of a request end up on one line; using
linelog via f_ticks I managed to get a slightly more concise
On 28 August 2013 05:09, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Hi Arran,
Is there a way to e.g. pass information from the outer processing on to the
inner so I can log both from there, rather than logging both identities
individually? While it's feasible to have both when
Andrej wrote:
Cool - I'll give that a go. Is there a comprehensive list anywhere of
which kind of values
is permissible in which context?
See the debug output. If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist. And you can't use it.
You can
Martin Kraus wrote:
I'm using TTLS+TLS.
Then what are you looking up in ldap?
I can see that the eap { ok = return } automagically skips to the
authentication section but the first two access-requests in the session cause
it to return updated status so the ldap lookups are executed.
I
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the
On 28 August 2013 09:09, Alan DeKok al...@deployingradius.com wrote:
See the debug output. If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist. And you can't use it.
You can always reference the outer tunnel from the inner one.
OK. So, I found
On 28.08.2013 00:20, Martin Kraus wrote:
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
Hi. I'm using groups to authorize users and pull radius profiles for
On 24/8/2013 12:00 μμ, Nikolaos Milas wrote:
...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
I tested this and it works. (Yet,
Hello,
sorry for the top quoting but i'm using a webmail for replying
which is really crap.
accordingly i'm posting here the debug log of a radtest.
the authentication gets rejected because the group matches in the
raddb/users with the following expression:
DEFAULT
Hi Matthew
2013/8/22 Matthew Ceroni matthewcer...@gmail.com
I read that for FreeRadius just combine the cert with the intermediate
cert into one file and then reference that in eap.conf:certificate_file.
I have done that but clients are still failing certificate validation.
Honestly I
On 24 Aug 2013, at 10:00, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 9:19 μμ, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
...where the three ldap instances above are identical except the filter which
is:
ldap_macauth:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
ldap_macauth_NAS_only:
filter =
On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote:
No. It's a really inefficient way of doing this.
Thanks Arran,
Yet, would it be logically/technically correct?
Use generic attribute maps or an update ldap schema to pull the necessary
values into control attributes,
and then do the
On 08/26/2013 12:10 AM, mdeche...@comcast.net wrote:
Dear Users --
This is my first posting to the FreeRADIUS users list, so please be patient :)
You're already doing pretty well - you actually posted a full debug,
which hardly anyone does first time!
Ok, so for the SQL case the server
On 08/26/2013 09:04 AM, Atomikramp wrote:
but it's not giving the same result, the check against sql is ignored
and the user is authed successfully.
Because:
[sql] User sogo1 not found
++[sql] returns notfound
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
rlm_eap_sim is compiled in.
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or
On 26 Aug 2013, at 11:39, Nikolaos Milas nmi...@noa.gr wrote:
On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote:
No. It's a really inefficient way of doing this.
Thanks Arran,
Yet, would it be logically/technically correct?
Sure.
Use generic attribute maps or an update ldap schema
On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
rlm_eap_sim is compiled in.
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files':
So, basically if i didn't understand incorrectly, the user must also exist
in the sql database for it to be checked against the radgroupcheck table and
for attributes in the radreply table to be sent back to the NAS.
a hybrid configuration cannot be done?
as my schema, being an active
On 26/8/2013 2:15 μμ, Arran Cudbard-Bell wrote:
Unless you are querying different DNs for the different Mac-Auth types then
doing this is the wrong way to approach this.
the presence of the attributes in the LDAP object to dictate what type of
authorisation you're doing.
Thanks Arran,
I
Hi.
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
thanks
martin
On 26 Aug 2013, at 14:33, Martin Kraus lists...@wujiman.net wrote:
Hi.
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
If you list the
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
If you list the ldap
Hello all,
I hope this email finds you all well and is my first post.
I think I have a small problem with my backtrack distro and I am trying to
load eap-sim onto my free radius server 2.1.11. I have followed the guide to
add the relevant parts of the config and when I put the
On 25/08/2013 12:03, ken.farrington wrote:
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory
Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or
it wasn't
Thanks so much I will try that. Much regards ken.farring...@802.co.uk
Phil Mayers p.may...@imperial.ac.uk wrote:
On 25/08/2013 12:03, ken.farrington wrote:
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file:
No
On 23/8/2013 9:19 μμ, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
ldap.attrmap or the freeradius schema. Shouldn't it (and other
On 24/8/2013 12:00 μμ, Nikolaos Milas wrote:
...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
...provided that I am storing
On 22 Aug 2013, at 23:02, Franks Andy (RLZ) IT Systems Engineer
andy.fra...@sath.nhs.uk wrote:
evluation
Well at least it'll evaluate instead of evluate now.
In the regex below it's not complaining about the lack of escaping.
It's complaining that _-+ or _-\ is not a valid range (I honestly
On 08/23/2013 09:35 AM, Arran Cudbard-Bell wrote:
Or if you shift that hyphen one to the right, it'll probably work OK too :)
Usually first in the range works:
[-.a-z0-9]
IIRC + doesn't need to be escaped inside a range, same as .
Yeh, I read that character classes don't need escaping in quite the same
way somewhere, then tried it without escaping but didn't realise it was
down to character position.
I'll give it a try.
Thanks guys.
evluation
Well at least it'll evaluate instead of evluate now.
:-P
-Original
Hello everyone,
i know this might be considered a bizarre situation but well... i was just
wondering if it's possible to do such a thing.
I'm in a situation now where i can successfully retrieve group membership of
users in the active directory LDAP tree using rlm_ldap, and check them
On 14/8/2013 2:39 μμ, Arran Cudbard-Bell wrote:
and in sites-enabled/default:
authorize {
preprocess
chap
mschap
digest
suffix
Do you need all these? Are you ever going to be doing chap/mschap/digest in the
outer server?
First, thanks for the reply.
1. Can we somehow limit a host to connect to only a particular port/NAS
device based on data stored in LDAP attributes (or, respectively, in
flat files) and reject it otherwise?
Yes. See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of
On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object in
a custom attribute.
If the query expands to something other than a zero length string, the
attribute
On 23 Aug 2013, at 18:30, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object
in a custom attribute.
If the query
Atomikramp wrote:
I'm in a situation now where i can successfully retrieve group
membership of users in the active directory LDAP tree using rlm_ldap,
and check them against files.
OK.
so if i have a user with memberOf attribute set to groupA
and i set in the raddb/users the following
On 23/08/2013 21:31, Alan DeKok wrote:
Post the debug output. And what do you have in SQL?
Hello,
thanks for your reply and apologizes for the mistake, unfortunately
(depending from the point of view) since it's weekend i won't be able to
post any debug log till monday as i didn't bring the
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.
I'm
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
On the assumption that your certificates are OK...
Have
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.
Huh, and I thought MS-PEAP specified only
On 21/08/13 23:44, Chris Parker wrote:
Okay, pardon my confusion then. I had been following a howto online
and it reported that the command when run manually will produce the
key.
Either way, I'm still having a failure in MSCHAP with radtest that
I'm not quite grasping.
Well, as I explained
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
alan
On 22/08/13 10:54, Alan Buxey wrote:
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
bare MSCHAP variant, because there's no spec for how to derive the
MSCHAP challenge from the TLS master secret.
The EAP
Phil Mayers wrote:
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
bare MSCHAP variant, because there's no spec for how to derive the
MSCHAP challenge from the TLS master secret.
FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP /
MS-CHAP inside the
Sokphak TOUCH wrote:
I have issue with configure radius. I have one Juniper MX80 for doing as
LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there
is successful connected log to radius but after around 1mn it connect
again and again. I have check in MX80 but has no any
Thank you for setting me on the right track; I have followed the directions on
http://deployingradius.com/documents/configuration/active_directory.html (the
bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per
those directions.
When I run the ntlm_auth command manually,
An interesting one for the list ...
We are installing a Palo Alto firewall and it has a way to pass Username/IP
mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by
the firewall.
The method employed is to use a Perl module (PAN::API), which has a simple API,
Sorry for the individual emails, but I got things working with MSCHAP (w/
ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching
and there's the potential that the freerad user did not have access to pipe
named: /var/run/samba/winbindd
That pipe
On 22/08/13 15:14, Chris Parker wrote:
Exec-Program output: Reading winbind reply failed! (0xc001)
Check the permissions on the winbind socket directory, specifically that
the freeradius daemon user can access it; this is usually at:
/var/cache/samba/winbindd_privileged
or
On 22/08/13 16:46, Dean, Barry wrote:
Anyone want to throw in 2 cents/pennies worth to this?
Yep, don't do it like this.
Instead, write the user/ip entries to a file using the linelog module,
and use a long-running perl process to tail the file (using File::Tail)
and post them to the PAN.
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure
Hi All,
Just a quick question - I've compiled FR3 with pcre regex libraries
and it's working ok. I just can't get it to escape plusses ( + ) though
I've tried between 0 and 6(!) backslashes but all result in:
ERROR: Failed compiling regular expression: bad range inside [] at
offset 10
(0)
On 08/21/2013 05:11 AM, Chris Parker wrote:
Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114,
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file
On 08/20/2013 02:27 PM, stefan.pae...@diamond.ac.uk wrote:
Hello all,
I'm currently attempting to use rlm_python to query LDAP (with
python-ldap) and then return an XML string in a VSA
(SAML-AAA-Assertion). However, when I try to load it, I get the
dreaded undefined symbol: PyExc_SystemError
12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was
Well... as Alan says, upgrade. Particularly if you know.
There is no 'out of the box' version for upgrade on Ubuntu 12 at this point
short of having to compile it ourselves, that is (situation is similar to
CentOS 6 where the last
On Wed, Aug 21, 2013 at 09:19:35AM +, stefan.pae...@diamond.ac.uk wrote:
Well... as Alan says, upgrade. Particularly if you know.
There is no 'out of the box' version for upgrade on Ubuntu 12 at
this point short of having to compile it ourselves, that is
Building your own packages on
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
WARNING: !!
WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
WARNING: !! Please read
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because the latter is unlikely to work; it's not a supported combo per
the PEAP
Building your own packages on Debian/Ubuntu is trivial. There's really
no excuse not to run the latest code.
Matthew, I agree with you, but not when the policy is to only use what is
published on vendor (i.e. Ubuntu) repositories.
But, like I say, that's not a discussion appropriate for the
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
On the assumption that your certificates are OK...
Have you updated the fragment_size so that the outer is larger
than the
Thank you Phil!
That resolved my first steps, and I figured there was something like that. I
have pored over deployingfreeradius.com, but for the life of me I could not
find anything of assistance for my set up.
I have enabled the ntlm_auth line in modules/mschap but no password is sent to
When I poke around and try to deconstruct the issue, I find that ntlm_auth when
run manually retrieve the NT key, it does not do anything. It just says
NT_STATUS_OK: Success (0x0)
If I run the --diagnostics flag this is what I get...
root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because the
On 21/08/2013 19:28, Chris Parker wrote:
So I doubt this issue is with FR, but more of that Samba is being
cranky. I can never get ntlm_auth to give me that NT key, which I
feel if I could resolve that, I could continue with FR.
No. NT_KEY is only generated by mschap, not by username/password
On 21/08/2013 13:55, Chris Parker wrote:
Thank you Phil! That resolved my first steps, and I figured there was
something like that. I have pored over deployingfreeradius.com, but
for the life of me I could not find anything of assistance for my set
up.
Yeah... to be honest, I think I've just
I am having an issue with intermediate SSL certificate and clients
failing to validate the certificate.
When using intermediate certs in for instance Apache there is a
separate directive where you specify the intermediate certs. Then as
part of the SSL handshake those certs are sent along to the