Re: Radius packet ID

2010-01-25 Thread Arran Cudbard-Bell
On 1/23/2010 2:07 AM, Alan DeKok wrote: Padam J Singh wrote: Hi, The RADIUS packet has a 8 bit ID field. This ID field is used to track the requests both in the NAS and the RADIUS server. The question is, does the ID need to be unique between the NAS and RADIUS Server for all packet types

Re: EAP Session resumption && reply attributes

2010-01-20 Thread Arran Cudbard-Bell
On 1/17/2010 8:37 AM, Alexander Clouter wrote: James J J Hooper wrote: In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth&& ensure the inn

Re: A special user to match on all usernames

2010-01-15 Thread Arran Cudbard-Bell
On 15/01/2010 20:31, pang_jiacai wrote: > Hi, all: > I want to know how to configure a special user to match all > usernames. I just want to authorize successfully even though the > username doesn't exist. This is for emergency while my database is > destroyed, I will let all users pass through with

Re: FR 2.1.8 Issue - Unjustified(?) Access-Rejects.

2010-01-12 Thread Arran Cudbard-Bell
Random info: PEAP/SoH in fact *does* send traffic inside the tunnel on session resumption - the spec has the SoH exchanged even when resumed, adding a round trip, but it doesn't re-run the inner mschap auth. Weird. The authentication state hasn't changed if the session can be re-established

Re: Multiple Realms per NAS

2010-01-06 Thread Arran Cudbard-Bell
On 1/6/2010 12:13 PM, Nalin Mistry wrote: We have just installed FreeRADIUS and have basic functionality working for ISP and Hotspot applications. For the ISP application, we would like to specify the realms supported on a NAS basis. Is this feasible and how would one go about configuring it.

Re: Reject Calling-Station-Id

2010-01-05 Thread Arran Cudbard-Bell
On 1/5/2010 5:58 AM, EasyHorpak.com wrote: Charles wrote: I am also facing the same problem - Need to blacklist range of IPs - Original Message - *From:* Neville *To:* freeradius-users@lists.freeradius.org

Re: OT: MS do I hate thee?

2009-12-30 Thread Arran Cudbard-Bell
On 30/12/2009 17:12, Alexander Clouter wrote: > Difan Zhao wrote: > >> So I assume that none of you guys use MS Exchange server then... Do you >> guys all hate MS and support open source?? I am a windows guy but I am >> on your side!! >> >> > I would not say 'hate', just find it completely

Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-30 Thread Arran Cudbard-Bell
dius-users@lists.freeradius.org > Subject: Re: Recall: MAC authentication bypass > --- How am I supposed to edit the users file to include multiple > MAC addresses?? > > Arran Cudbard-Bell wrote: > >> On 29/12/2009 14:45, Difan Zhao wrote: >> >>> Difan Zh

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Arran Cudbard-Bell
Should be: if(request:User-Password == "%{request:User-Name}") { > > However when I try to run Radius I keep getting this error: > > > > Expected regular expression at: request:User-Password) > > /etc/raddb/sites-enabled/default[308]: Failed to parse "if" subsection. > > Errors initializing modu

Re: Recall: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-29 Thread Arran Cudbard-Bell
On 29/12/2009 14:45, Difan Zhao wrote: > > Difan Zhao would like to recall the message, "MAC authentication > bypass --- How am I supposed to edit the users file to include multiple > MAC addresses??". > > > - > List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html I've often w

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Arran Cudbard-Bell
after a reject. e.g. Authenticate { eap { reject = 1 } if(reject){ do more stuff... } } -Arran > > > On Sat, Dec 26, 2009 at 1:16 PM, Arran Cudbard-Bell > mailto:a.cudbard-b...@sussex.ac.uk>> wrote: > > On 26/12/2009 10:11, Alex M wrot

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Arran Cudbard-Bell
On 26/12/2009 10:11, Alex M wrote: > As suggested I just tried to replace operator = with := and even with > == but reply message is not getting outputted :( > Maybe I'm missing something? Try moving the reject to after the update stanza. I think a return code of reject stops the server processing

Re: Rejecting User By their Calling-Station-Id (Mac Address)

2009-12-26 Thread Arran Cudbard-Bell
On 26/12/2009 08:05, Alex M wrote: > Ok I still having trouble with this. Here is my code: > > > if (Calling-Station-Id == "%{sql: SELECT mac FROM `lrc_banlist` > WHERE mac='%{Calling-Station-Id}'}") { >

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-24 Thread Arran Cudbard-Bell
Difan Zhao wrote: Hey guys, So I finally started configuring this *MAC auth bypass* thing... I am editing the *raddb/policy.conf* to include the "*rewrite_calling_station_id*" function/module however when I am trying to run the *radiusd –X* I got this error: "/etc/raddb/policy.conf[72]: Pa

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-21 Thread Arran Cudbard-Bell
On 21/12/2009 09:05, Alexander Clouter wrote: > Arran Cudbard-Bell wrote: > >>> >>> the real answer is to get the vendors to sort their cheap shoddy kit out ;-) >>> >> >> Ahem *Vendor :P - - Sorry I have to do it or they beat me :( &

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-21 Thread Arran Cudbard-Bell
On 21/12/2009 09:15, Alan Buxey wrote: > Hi, > > >>> yep - but a user could just as easily log in with the user-name of >>> 00:11:22:33:44:55 ;-) >>> >>> >> Not when you say !EAP-Message too :) >> > ...and how does that stop, lets just say for example, some user coming > along with

Re: MAC authentication bypass --- How am I supposed to edit the users file to include multiple MAC addresses??

2009-12-20 Thread Arran Cudbard-Bell
On 20/12/2009 22:44, Alan Buxey wrote: > Hi, > > >> some would say that is a controversial MAC address regexp, but I >> guess you just do things differently 'up north' eh? :) >> > hey, it was a quick hackup example to deal with the question. > > >> 'cheese112233xxyyzzTASTY' would e

Re: evaluated result is wrong

2009-12-20 Thread Arran Cudbard-Bell
On 20/12/2009 17:46, Alan DeKok wrote: > Stephan Kirsten wrote: > >> I have a question regarding this debug log output. I'm a bit confused >> about this logic operations and the boolean result: >> > "signed 32-bit integer" > > >> Sun Dec 20 15:44:46 2009 : Info:expand: %{contro

Re: evaluated result is wrong

2009-12-20 Thread Arran Cudbard-Bell
On 20/12/2009 17:40, Stephan Kirsten wrote: > Arran Cudbard-Bell wrote: >>> I have a question regarding this debug log output. I'm a bit confused >>> about this logic operations and the boolean result: >>> >>> Sun Dec 20 15:44:46 2

Re: evaluated result is wrong

2009-12-20 Thread Arran Cudbard-Bell
> I have a question regarding this debug log output. I'm a bit confused > about this logic operations and the boolean result: > > Sun Dec 20 15:44:46 2009 : Info: ++? if ("%{control:Tmp-Integer-4}" >= > "%{control:Tmp-Integer-5}") > Sun Dec 20 15:44:46 2009 : Info:expand: > %{control:Tmp-I

Re: Accounting question

2009-12-17 Thread Arran Cudbard-Bell
sessionid` = %{request:Class} LIMIT 1}" } if(Tmp-String-0){ update request { User-Name := "%{request:Tmp-String-0}" } } } The good option is also nice as it allows you to link postauth and accounting re

Re: unlang after chap returns reject

2009-12-16 Thread Arran Cudbard-Bell
www.EasyHorpak.com - Directory of dormitories, apartments, mansions, condos and hotels > http://www.EasyZoneCorp.net - High-quality internet management software: Hotspot and PPPoE, Anti NetCut, Mac spoof > http://www.thai-school.net - Ready-made school and alumni websites > EasyZone SuperLink <http:

Re: Accounting question

2009-12-15 Thread Arran Cudbard-Bell
unting packets. -Arran David -----Original Message- From: Arran Cudbard-Bell [mailto:a.cudbard-b...@sussex.ac.uk] Sent: Tuesday, December 15, 2009 10:56 AM To: David Peterson-WirelessConnections; FreeRadius users mailing list Subject: Re: Accounting question David Peterson wrote: Here is the acco

Re: Accounting question

2009-12-15 Thread Arran Cudbard-Bell
David Peterson wrote: Here is the accounting packet information I am getting: rad_recv: Accounting-Request packet from host 172.16.4.2 port 1813, id=5, length=239 Acct-Status-Type = Start WiMAX-Beginning-Of-Session = 1 WiMAX-IP-Technology = Reserved-0 Acct-Session-

Re: Handling proxied accounting updates that have been delayed

2009-12-07 Thread Arran Cudbard-Bell
Ignore me...

Re: Handling proxied accounting updates that have been delayed

2009-12-07 Thread Arran Cudbard-Bell
>> Any advise or experiences would be much appreciated! >> > Fix the SQL queries so that the right information goes into the DB. > > Note that the calculated times may be off by a second or two, due to > limited time resolution. > > It may be worth updating the server to create a "Acct-

Re: Pre-release of Version 2.1.8

2009-12-06 Thread Arran Cudbard-Bell
Did you check the XLAT fixes in? I saw commits for a couple of fixes but not the modified code in xlat.c... > i guess this version also solved "ASSERT FAILED event.c[2682]: request->ev != > NULL" issue? > > > > - Original Message > From: Bjørn Mork > To: FreeRadius users mailing list

Re: Windows client MS-chap auto-reauthentication

2009-10-18 Thread Arran Cudbard-Bell
> The windows supplicant should remove cached credentials if you return an > EAP-Failure before the > EAP type is negotiated. > * EAP Method

Re: Windows client MS-chap auto-reauthentication

2009-10-18 Thread Arran Cudbard-Bell
Alan Buxey wrote: > hi, > > XP caches successful connections - Vista does too IIRC so I'm not > sure why you are seeing different behaviour.. anyhow..you can clear > the credentials by blatting a registry on eg logout or login. > the RADIUS server wont see the difference between std login and > cac

Re: wpa/wpa2 on logs

2009-10-15 Thread Arran Cudbard-Bell
npatched clients out there, who'll connect to your network and select WPA/TKIP even though the hardware is capable of better. Until you actually make the switch over, you won't know how many clients really really can't support WPA2. - - We bit the bullet and turned off TKIP support o

Re: wpa/wpa2 on logs

2009-10-14 Thread Arran Cudbard-Bell
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 On 14/10/2009 13:34, Sergio Belkin wrote: > 2009/10/14 Arran Cudbard-Bell : >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 13/10/2009 18:53, Sergio Belkin wrote: >>> Hi, >>> >>> Is

Re: wpa/wpa2 on logs

2009-10-14 Thread Arran Cudbard-Bell
ntication attempts. - -- Arran Cudbard-Bell , Systems Administrator (AAA), Infrastructure Services (IT Services), E1-1-08, Engineering 1, University Of Sussex, Brighton, BN1 9QT DDI+FAX: +44 1273 873900 | INT: 3900 GPG: 86FF A285 1AA1 EE40 D228 7C2E 71A9 25BB 1E68 54A2 -BEGIN PGP SIGNATURE- Ver

Re: Proxying accounting to create a 'tee'

2009-10-07 Thread Arran Cudbard-Bell
> I settled on something similar to this. The outer server (processing > requests from the NAS) uses redundant-load-balance to write round-robin > across several (currently 5) detail files. > > Five detail listeners (one for each detail file) then feed data to their > final destinations (remote pr

Re: EAP/TTLS + virtual_server woes

2009-10-02 Thread Arran Cudbard-Bell
a fix in a later versions. Arran

Re: First steps towards RadSec support

2009-09-18 Thread Arran Cudbard-Bell
at TCP is mature and implemented properly in most modern operating systems...

Re: Using Attributes to differentiate between different EAP types

2009-09-15 Thread Arran Cudbard-Bell
"EAP-Type","outer.EAP-Type".) >>> but >>>> freeradius does not even parse the configuration. I've tried %{} and >>> just >>>> the bare variables (which works for "outer.NAS-IP-Address"). >>> >>> It's th

Re: Pre-release of 2.1.7

2009-09-09 Thread Arran Cudbard-Bell
On 09/09/2009 13:07, Thor Spruyt wrote: > >> - Original message - >> From > : Arran Cudbard-Bell [mailto:a.cudbard-b...@sussex.ac.uk] >> Sent > : Wednesday > , September > 9, 2009 01:31 PM >>

Re: Pre-release of 2.1.7

2009-09-09 Thread Arran Cudbard-Bell
On 09/09/2009 11:18, nf-vale wrote: > On Tuesday 08 September 2009 21:17:07 Arran Cudbard-Bell wrote: >> Alan DeKok wrote: >>> Thor Spruyt wrote: >>>> I've been away from FR evolution for a while... I must say I'

Re: Pre-release of 2.1.7

2009-09-09 Thread Arran Cudbard-Bell
On 09/09/2009 10:40, Alexander Clouter wrote: > Arran Cudbard-Bell wrote: >> >> I'm sad whenever I see someone using a PC, why can't they have an OS >> like a Mac Book. >> >> *ducks and covers* >> &g

Re: Pre-release of 2.1.7

2009-09-08 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Thor Spruyt wrote: > >> I've been away from FR evolution for a while... I must say I'm really >> surprised what's possible now with 2.1.7 compared to 1.1.7 (still running in >> production), nice job! >> > > 2.1.x is amazing compared to 1.1.x. > > I'm sad every time

Re: Pre-release of 2.1.7

2009-09-08 Thread Arran Cudbard-Bell
On 08/09/2009 17:11, Arran Cudbard-Bell wrote: > On 08/09/2009 16:45, Garber, Neal wrote: >>> It won't make 2.1.8. Please submit a bug report and attach the patch. >>> My preference for the patch is to split it into 2-

Re: Pre-release of 2.1.7

2009-09-08 Thread Arran Cudbard-Bell
before it > is included in a release to get additional confirmation that it doesn't break > anything. > What functionality does the patch add? Thanks, Arran

Re: What problem does the FreeRADIUS wiki have?

2009-09-07 Thread Arran Cudbard-Bell
On 07/09/2009 17:51, Arran Cudbard-Bell wrote: > As per title. > > -Arran Whatever it was seems to have resolved itself.

What problem does the FreeRADIUS wiki have?

2009-09-07 Thread Arran Cudbard-Bell
As per title. -Arran

Re: Pre-release of 2.1.7

2009-09-03 Thread Arran Cudbard-Bell
On 03/09/2009 14:16, Alan DeKok wrote: > Arran Cudbard-Bell wrote: > ... >> gcc .libs/radiusdS.o -o .libs/radiusd .libs/acct.o .libs/auth.o >> .libs/client.o .libs/conffile.o .libs/crypt.o .libs/exec.o .libs/ >> .lib

Re: Pre-release of 2.1.7

2009-09-03 Thread Arran Cudbard-Bell
> Will try OSX build shortly... > Builds fine with OSX Server 10.5.7: ./configure --prefix=/usr/local/freeradius-2.1.7 --with-dhcp --with-vmps=no --with-openssl --without-rlm_perl --enable-ltdl-install=no

Re: Pre-release of 2.1.7

2009-09-03 Thread Arran Cudbard-Bell
make[4]: *** [radiusd] Error 1 make[4]: Leaving directory `/usr/local/src/freeradius-server-2.1.7/src/main' make[3]: *** [common] Error 2 make[3]: Leaving directory `/usr/local/src/freeradius-server-2.1.7/src' make[2]: *** [all] Error 2 make[2]: Leaving directory `/usr/local/src/freerad

Re: freeradius2.1.6| buffered-sql | acctstoptime problems

2009-09-02 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Ivan Kalik wrote: > >> Counter? Write detail.work.counter onto the disk, increment it every time >> packet is processed and return to zero when detail.work is deleted. It >> will say how many packets to skip when radiusd is restarted. >> > > Hmm... OK. Or slightly dif

Re: Proxying accounting to create a 'tee'

2009-08-29 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Arran Cudbard-Bell wrote: > >> Sure, want me to open one for the unlang rcode inheritance bug too? >> > > Yes, thanks. > > Done. >> Also you need to add the CSS files back in for the bug tracking system. >> Curr

Re: Proxying accounting to create a 'tee'

2009-08-29 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Arran Cudbard-Bell wrote: > >> Ideally there'd be a mechanism to remove Accounting-Requests after X number >> of attempts at proxying. At the moment were using a request expiry time >> based on the length of the period between the >>

Re: Setting FreeRadius and Ldap. - Getting Educated Now

2009-08-28 Thread Arran Cudbard-Bell
e PMK. We're mandating WPA2-AES for this academic year.

Re: unlang: matching for 'Access-Accept'

2009-08-28 Thread Arran Cudbard-Bell
; FALSE > . > > Could version 2.1.4 have a bug in this area ? No. Wrong list. I think it's something like Proxy-Reply:Packet-Type, check man unlang for details. You didn't specify you were wanting to match a Proxied Accept in your original post. - -Arran - -- Ar

Re: Proxying accounting to create a 'tee'

2009-08-25 Thread Arran Cudbard-Bell
On 24/08/2009 13:56, Alan DeKok wrote: > Arran Cudbard-Bell wrote: >> No, that'll get you the timestamp of when the packet was read back into the >> server. The only way to calculate the original received timestamp is to >&g

Re: Proxying accounting to create a 'tee'

2009-08-25 Thread Arran Cudbard-Bell
On 24/08/2009 16:46, John Morrissey wrote: > On Sat, Aug 22, 2009 at 01:59:00AM +0100, Arran Cudbard-Bell wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> On 21/08/2009 21:15, John Morrissey wrote: >&g

Re: Proxying accounting to create a 'tee'

2009-08-24 Thread Arran Cudbard-Bell
On 23/08/2009 18:17, Fajar A. Nugraha wrote: > On Sun, Aug 23, 2009 at 11:54 PM, Ivan Kalik wrote: >>> On Sat, Aug 22, 2009 at 5:53 PM, Arran >>> Cudbard-Bell wrote: >>>> Fajar A. Nugraha wrote: >>>>>

Re: Proxying accounting to create a 'tee'

2009-08-22 Thread Arran Cudbard-Bell
Fajar A. Nugraha wrote: > On Sat, Aug 22, 2009 at 7:59 AM, Arran > Cudbard-Bell wrote: > >> On 21/08/2009 21:15, John Morrissey wrote: >> > > >>> Is decoupled-accounting (writing all detail to disk and replaying it >>> serialized with

Re: Proxying accounting to create a 'tee'

2009-08-21 Thread Arran Cudbard-Bell
1 20:10:39 2009 > rlm_detail: Freeradius-Proxied-To = 66.133.129.108 > ++[detail.dpi-proxy-tee] returns ok > } > Finished request 0. > Cleaning up request 0 ID 24 with timestamp +2 > Going to the next request > WARNING: Marking home server 66.133.129.108 port 1813 as zombie (it loo

Re: segfault with regex and hint

2009-08-19 Thread Arran Cudbard-Bell
Hi, Long time no see. Indeed. Arran Cudbard-Bell wrote: You using ProCurve NAS then? Or have other people started using Service-Type = 'Call-Check' to hint at Mac-Auth? Cisco always have from what I can tell, well since they introduced mac auth back roughly two or so years

Re: segfault with regex and hint

2009-08-18 Thread Arran Cudbard-Bell
Hello! You using ProCurve NAS then? Or have other people started using Service-Type = 'Call-Check' to hint at Mac-Auth? -Arran > > Alan Buxey wrote: > >>> It's that time of year to overhaul the cesspool that makes up my >>> FreeRADIUS config files. >>> >>> I am running FreeRADIUS from git[1]

Re: Proxying accounting to create a 'tee'

2009-08-17 Thread Arran Cudbard-Bell
vol...@ufamts.ru wrote: > Alan DeKok wrote: > >> What do you mean "duplicate records"? >> >> Alan DeKok. >> > > If home server does not respond, FR does not respond too -> NAS repeats > request -> FR writes request data to SQL again. > > So we got two problems: > 1) repeating requests > 2)

Re: Proxying accounting to create a 'tee'

2009-08-14 Thread Arran Cudbard-Bell
e and the next request is processed. This also has the advantage of buffering requests in case of the remote server goes down. For additional Tees into other DBs,Remote server just create additional detail writer/reader pairs. Regards, Arran

Re: PEAP / mschapv2 Error Messages

2009-08-14 Thread Arran Cudbard-Bell
themselves, then it'd be pretty easy to write a small web app to look through the failure codes and convert them into something humanly readable. Arran

Re: Problem with MAC authorization..(again)

2009-08-14 Thread Arran Cudbard-Bell
MD5 and EAP-TTLS-PAP. But not with methods such as EAP-TTLS-MSCHAPv2 or EAP-PEAP. Regards, Arran

Re: freeradius2.1.6 module errors

2009-08-12 Thread Arran Cudbard-Bell
It used to get angry when you did that -- On 12 Aug 2009, at 20:49, Alan Buxey wrote: Hi, default { accounting { if(Acct-Status-Type = 'stop'){ sql or edit the required dialup.conf for the chosen SQL solution and only have the STOP insert command there? alan - Li

Re: freeradius2.1.6 module errors

2009-08-12 Thread Arran Cudbard-Bell
To: FreeRadius users mailing list mailto:freeradius-users@lists.freeradius.org>> Message-ID: <4a828b19.7070...@deployingradius.com <mailto:4a828b19.7070...@deployingradius.com>> Content-Type: text/plain; charset=ISO-8859-1 David Jansen wrote: > Although passwords are filtered in radius log i do still see unencrypted > p

Re: convert redius request to soap request

2009-08-10 Thread Arran Cudbard-Bell
shivashankar wrote: > hi , > > > give me assistence > > i new to freeradius > > how to convert radius request to SOAP request. > > is there any way to do this... > > Yes using rlm_perl or rlm_python, but there are no standard scripts to do this. In my experience Web Service APIs can be

Re: Mac based authentication

2009-08-10 Thread Arran Cudbard-Bell
filtering mac address (calling-station-id) as username and password, so that client can authenticate directly. Please help me to configure freeradius so that i can implement that i explain before. Sure, see here http://wiki.freeradius.org/Mac-Auth Regards, Arran

Re: AW: EAP errors in 2.1.1

2009-08-06 Thread Arran Cudbard-Bell
the EAP stanza? Arran

Re: White papers: Scaling FreeRADIUS & MySQL

2009-07-20 Thread Arran Cudbard-Bell
ling users to quickly and simply replicate the solution in their own environment. Read the guide, posted here: http://www.mysql.com/why-mysql/white-papers/mysql_wp_deploying_FreeRADIUS.php

Re: make install without messing with previous configuration?

2009-07-15 Thread Arran Cudbard-Bell
Leighton Man wrote: > Hi, > I tar the entire raddb directory (from the level above), reinstall, and untar > the original config over the top of the new one. That way I can keep multiple > configs whilst experimenting and switch between them. > Just move the raddb directory to /etc/raddb and ch

Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell
on a different port that does the authorisation job only. its a little natty but seems the best way :-| Can't you bind the same virtual server to multiple IPs? Less duplication... Arran

Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell
addresses ? Arran

Re: want to authorise but not authenticate

2009-07-08 Thread Arran Cudbard-Bell
at the system can send a username=password for authorization AND a proper authentication can happen WITHOUT (hers a gotcha) the user doing something cute like putting their username in as their password! ;-) Slightly confused as to what you want... Try again without the caffeine ? Arran

Re: Old password 'grace period'

2009-06-30 Thread Arran Cudbard-Bell
[JK] This works beautifully.I want to thank Arran and others for the quick response. Very much appreciated. Excellent. Glad to hear :) Thanks, Arran -- Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructure Services (IT

Re: Intermediate Certs in EAP-TLS - Confirmed Client-side Problem?

2009-06-27 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Aaron Mahler wrote: > >> It is issued by GoDaddy and does trace back to a valid root cert that >> I've found exists by default on my OS X systems. >> > > This isn't a good idea for RADIUS systems. It means that the 802.1X > clients will happily hand their credential

Re: Definitive Word on FreeRadius/LDAP/EAP Requirements

2009-06-26 Thread Arran Cudbard-Bell
can't use passwords stored on Ldap server. It can with EAP-TTLS-PAP or anything else that provides a cleartext password.

Re: Definitive Word on FreeRadius/LDAP/EAP Requirements

2009-06-26 Thread Arran Cudbard-Bell
On 26/6/09 15:19, Aaron Mahler wrote: On Jun 26, 2009, at 10:00 AM, Arran Cudbard-Bell wrote: - Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner What EAP method are you using... The dif

Re: Definitive Word on FreeRadius/LDAP/EAP Requirements

2009-06-26 Thread Arran Cudbard-Bell
- Some have said EAP and LDAP can't be combined because LDAP requires plain text passwords here and EAP doesn't play ball in that manner What EAP method are you using... The different EAP methods have different requirements.

Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell
On 25/6/09 14:53, Arran Cudbard-Bell wrote: On 25/6/09 12:01, a.l.m.bu...@lboro.ac.uk wrote: Hi, I leave you guys alone for 5 minutes 8-) as i said, theres probably a way of doing it *sigh* the Coffee excuse doesn't work past lunch time does it... (missed out some curly b

Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell
d hashes created on first call to rlm_mschap update control { NT-Password -= "%{control:NT-Password}" LM-Password -= "%{control:LM-Password}" } mschap } } Arran

Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell
"%{sql_old:SELECT}" } mschap } } } Arran

Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell
Original Message Subject: Re: Old password 'grace period' Date: Thu, 25 Jun 2009 12:11:07 +0100 From: Arran Cudbard-Bell Organization: University of Sussex To: t...@kalik.net [snip] I have tested something like this yesterday - it doesn't. You can't ju

Re: Old password 'grace period'

2009-06-25 Thread Arran Cudbard-Bell
... If this doesn't work, post the debug output. There are some issues with rcode priority assignments and unlang, but they're possible to work around. Arran

Re: Old password 'grace period'

2009-06-19 Thread Arran Cudbard-Bell
John Kane wrote: > I've been asked to implement freeradius on a proprietary system that > uses the concept of a password 'grace period', a brief time period > during which both the old and new passwords should be allowed. Is this > possible with freeradius? > > The system uses pptp client access (M

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-15 Thread Arran Cudbard-Bell
the Authentication protocol used in 802.1X (WPA-Enterprise etc...). [snip] That's what I hope for. That people who mean to help really do help. I have my answer. My problem is solved. I can jsut walk away. But that doesn't help the next person who falls over the same shortfall in the

Re: Sleep before a response?

2009-06-10 Thread Arran Cudbard-Bell
Stephen Bowman wrote: > I have a broken NAS with a bad race condition, and need to delay > responses to it (like "sleep 1;"). Is there an easy method (maybe via > unlang?) to do this? > Simple solution would be to use the exec module with "sleep 1;" Arran

Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell
On 9/6/09 14:20, Karl Auer wrote: On Tue, 2009-06-09 at 14:07 +0100, Arran Cudbard-Bell wrote: See earlier messages in this thread. I (a) found a theoretical issue with the protocol, and (b) demonstrated it in a live system. I missed it. What was it again? When we tried it back in 2007

Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell
stances of ISC DHCPD started handing out duplicate leases completely arbitrarily. We scrapped the second instance and went down to a single one. Haven't tried it again since. It didn't work then... it may do now. Arran

Re: New name to reflect new functionality (was RE: DHCP code in 2.0.4+)

2009-06-09 Thread Arran Cudbard-Bell
SyNC - Synergous/Synchronous Network Control, also reads as (Sync) SyNAC - Synergous/Synchronous Network Access Control Arran

Re: DHCP code in 2.0.4+

2009-06-09 Thread Arran Cudbard-Bell
a.l.m.bu...@lboro.ac.uk wrote: > Hi, > > >> It's not a good sign that we bicker about terminology. Suffice it to say >> > > whilst it was interesting that FreeRADIUS got DHCP support - certainly > for those that want to ensure policy actually works - I never thought we'd > get to have such

Re: DHCP code in 2.0.4+

2009-06-08 Thread Arran Cudbard-Bell
Ok i'm going to try and draw this back into a central thread. On 7/6/09 17:57, Karl Auer wrote: On Sun, 2009-06-07 at 17:20 +0100, Arran Cudbard-Bell wrote: For purposes of resilience there is absolutely no requirement for DHCP servers to communicate with each other directly. They just n

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
ion messages on XP. On Vista, an EAPHost API method can get them if they ask. A RasEap API method is SOL, because they are discarded and not responded to, breaking the protocol. (Ask me how I know ;^} ) Look for a forthcoming patch for Vista. Arran

Re: eap-peap username/password problem

2009-06-08 Thread Arran Cudbard-Bell
tokens. Arran

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
and it seems like a sensible feature so I'm sure Cisco et al will have implemented it too. Arran

Re: Reply-message and supplicant

2009-06-08 Thread Arran Cudbard-Bell
> > # > # Make Reply-Message RFC3748 2.6.5 compliant > # * # # Make Reply-Message RFC3579 2.6.5 compliant # Odd that the mime encoded GPG sig validates ok, but the in-line one doesn't... I wonder what's going on there.

Re: Reply-message and supplicant

2009-06-07 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Arran Cudbard-Bell wrote: > >> There's no reason why you couldn't tunnel IPv4 so long as the packets >> had a valid EAP header prepended to them. Send your EAP start, send the >> identity response... then you can pretty much do whatever you

Re: DHCP code in 2.0.4+

2009-06-07 Thread Arran Cudbard-Bell
Alexander Clouter wrote: > Fajar A. Nugraha wrote: > >> On Sun, Jun 7, 2009 at 8:09 PM, Arran >> Cudbard-Bell wrote: >> >>> Karl Auer wrote: >>> >>>> On Sun, 2009-06-07 at 12:22 +0100, Alexander Clouter wrote: >>>>

Re: DHCP code in 2.0.4+

2009-06-07 Thread Arran Cudbard-Bell
Alexander Clouter wrote: > Karl Auer wrote: > >> On Sun, 2009-06-07 at 14:09 +0100, Arran Cudbard-Bell wrote: >> >>> Karl Auer wrote: >>> >>>> DHCP failover and load-balancing are not simple *at all*. >>>> >&

Re: DHCP code in 2.0.4+

2009-06-07 Thread Arran Cudbard-Bell
Fajar A. Nugraha wrote: > On Sun, Jun 7, 2009 at 8:09 PM, Arran > Cudbard-Bell wrote: > >> Karl Auer wrote: >> >>> On Sun, 2009-06-07 at 12:22 +0100, Alexander Clouter wrote: >>> >>> >>>> I have been using DHCP with a L

Re: DHCP code in 2.0.4+

2009-06-07 Thread Arran Cudbard-Bell
Karl Auer wrote: > On Sun, 2009-06-07 at 14:09 +0100, Arran Cudbard-Bell wrote: > >> Karl Auer wrote: >> >>> DHCP failover and load-balancing are not simple *at all*. >>> >>> >> They're trivial once you're storing
