hi
just one comment.
On 30 Apr 2008, at 10:59, Arran Cudbard-Bell wrote:
Artur Hecker wrote:
Hi Arran
In my eyes, the fact that it is not confirmed is a minor issue.
It's probably a reasonable design choice: as you said, the
controlled port at the Auth may be in the authorized state
Hi Alan
On 30 Apr 2008, at 13:50, Alan DeKok wrote:
Artur Hecker wrote:
Imo, there are no dependencies between DHCP and dot1X.
That can be fixed. EAP methods can be leveraged to push keys to the
client, which can sign the DHCP packet (RFC 3118). This also lets the
client know it's
Hi
On 30 Apr 2008, at 14:08, Alan DeKok wrote:
Artur Hecker wrote:
Yes, as I said, the dependency in that sense might make sense. We
did it
in a student project, and I rather see the problem at the network
side:
the EAP-Server and the DHCP server almost never reside at the same
machine
Hi Arran
well, there is a big difference: the EAP-Success (unsigned, *sigh*)
is the confirmation necessary for supplicant to know if it proceeds
or not (DHCP, data comm, etc). (By the way, it's difficult to
compare: the EAP-Success is EAP, while EAPOL is dot1X). The EAPOL-
Logoff is not
Hi
That said, I agree with the underlying strategy. I would have
loved to
see DHCP integrated with 802.1X from the very beginning. Actually, I
would have gone farther and rather proposed a virtual and generic
signaling protocol for the session opening, where a client can
negotiate
all kinds
Hi
This is where it gets interesting. Just because the dot1x
controlled port is in the closed state, it does not mean that
another .1D bridge filter can't be open and allow traffic. HP et
al have introduced (or are attempting) to introduce two tiered
authentication, where the client is
Hi Arran
In my eyes, the fact that it is not confirmed is a minor issue. It's
probably a reasonable design choice: as you said, the controlled port
at the Auth may be in the authorized state, while the client might
think that is unauthorized, so what? This can happen at any time
anyway,
Hello Allan
On 14 Nov 2007, at 00:15, Allan Riordan Boll wrote:
Maybe I missed it, but what client do you use? Windows does not yet
support TTLS natively.
yes sorry, i forgot to say. I am already using SecureW2 of course.
And it does work, it's just very slow at authenticating... Also,
Allan,
Maybe I missed it, but what client do you use? Windows does not yet
support TTLS natively.
Artur
On 13 Nov 2007, at 16:23, Alan DeKok wrote:
Allan Riordan Boll wrote:
The problem is that authenticating takes around 20 seconds. While
running the server in a terminal with the -X
Hello
On 24 Sep 2007, at 09:58, Alan DeKok wrote:
Stefan Winter wrote:
I wonder what the sentence about MAX packet size on APs is about.
Is it their
maximum allowed length of a RADIUS packet? Frankly, that would be
quite
stupid because packets can legitimately be much larger than that.
David
Just one word on it: you are citing a RADIUS specific RFC. Thus, Acct-
Input-Octets is the value perceived by RADIUS instances. RADIUS RFCs
cannot possibly specify how terminals, wireless cards, GSM phones
etc. should or should not count packets, traffic, connections, etc.
It can
Stefan,
the message included seems to me an EAP Success message (Code 0x03)
and in no way an EAP Message/EAP Request/Notification (would be
0x01yy02). I do not see the problem at a first glance - am I
mistaken?
Artur
On 19 Sep 2007, at 13:11, Stefan Winter wrote:
Hello,
it
Hi George
I guess it is more a question of definition of the scope of the
authorization and authentication than of the actual mechanisms. I
would invite you to read the RADIUS RFCs since your conclusions sound
a little bit hasty.
In RADIUS and in freeradius in particular the
Regarding the subject, it's still much better than the following
headline: A startup dies on pre1 :-)))
Sorry, couldn't help thinking of it when reading the mail. Anyway, a
hale to the project that has already helped so many new companies to
construct their businesses...
On 28 Aug
Hello
In the default configuration, if a User-Password is defined for a
user, the user can be authenticated by all applicable authentication
types. That is the sense and the beauty of the default configuration :-)
However, in a practical deployment, a serious security policy is
likely to
Hi
On 23 Jul 2007, at 11:21, Phil Mayers wrote:
On Mon, 2007-07-23 at 10:20 +0200, Artur Hecker wrote:
Hello
In the default configuration, if a User-Password is defined for a
user, the user can be authenticated by all applicable authentication
types. That is the sense and the beauty
reported client wants to ttls, while we
require peap, rejecting the user (or vice versa).
Not sure it is the intended way, so I hope the behaviour won't change
in the next release. But it works.
Greetings and thanks
artur
On 23 Jul 2007, at 13:14, Artur Hecker wrote:
Hi
On 23 Jul 2007
hi
the following line seems to be principally correct (don't use
explicit Auth-Type):
a User-Password == a
the eap module fails in authentication because it can't find the User-
Password for the user. Make sure that the files module is used in
authorize i.e. that the users file
hi
I've installed freeradius 1.1.0 from cvs and I'm doing EAP-PEAP using
ntlm_auth for authentication. freeradius segfaults while sending the
access-accept packet.
In my first post someone instructed me to enable coredumps in
freeradius
and post the result.
just a thought - wouldn't it
hi Josh
sorry to catch up so late on this.
I mean EAP over RADIUS within a roaming consortium. A good example
of one, which I'm involved in, is eduroam (www.eduroam.org).
i took a look at this, it is mostly TERENA stuff for RADIUS... imho
it only concerns the provider-provider interface
hi Josh
i know it's a bit OT but i think that it might still be interesting
for some of us.
I'll try and keep this brief, because it's a bit OT. WPS doesn't
seem to offer anything particularly novel, besides a proprietary
mechanism for configuring the Windows supplicant.
imho it's as
hmmm.
i am not sure if the question is to be impressed. it is simply true
that some signaling is necessary to allow user to choose a network
(e.g. an operator). in usual hotspots you end up with a web page
which can present you all the information you need (e.g. prices,
names, available
hi
i don't want to tell nonsense, but as far as I know, LEAP is not a pure
EAP type. the AP has thus to support it. and the WRT54 does not.
do not blame the WRT, blame LEAP and its design. and it has nothing to
do with 802.1X - standard 802.1X protocols should work with WRT54.
ciao
artur
in
sql tables: if EAP-Type not this value, then add Auth-Type=...)
ciao
artur
Alan DeKok wrote:
Artur Hecker [EMAIL PROTECTED] wrote:
user_ttls EAP-Type != PEAP
that however only prohibits the usage of PEAP for user_ttls while i
would like to only enable TTLS for this specific user
.
could somebody explain me how I can translate it into an SQL config?
ciao
artur
Artur Hecker wrote:
hi Alan
hi Stefan
thanks for your help. I think I understand the idea. however my problems
are on the implementation level.
two things are still not clear to me.
1. we use 'sql
hi
J Zakhar wrote:
Having some trouble setting up PEAP with a windows XP workstation, a
Cisco 350 AP (upgraded to IOS version 12.2), I am using the default XP
Client to set things up. Many moons ago I had LEAP working great, the
hard drive on this linux machine failed and it was time to
hi Alan
context: on a Fedora Core 3 system (linux 2.6.9) I configured n=5
but FR would not start but one instance. also in the radiusd -X there
is no notice of thread-pool config being read.
FC4 uses a newer Linux kernel, which *correctly* shows only one
process via ps, even when
hi
we have a Wifi 802.1X network with both TTLS and PEAP users (TTLS/PAP
mostly for non-windows machines, PEAP/MSCHAPv2 for windows machines).
(we also have TLS users, but that's out of scope).
both work like a charm. however, we'd like to prevent PEAP accounts to
log in with TTLS and
hi
[EMAIL PROTECTED] wrote:
we naively try to specify EAP-Type == PEAP for user_peap
and == TTLS for
user_ttls but that breaks both methods (which seems
normal since this
EAP-Type definition is not correct for the internal EAP
method which
however uses the same user name).
Why not almost
hi Alan
ok, no i meant the daemon mode. sorry, my comment was a bit misleading.
it's just that i would expect FR to show every configuration token it
has read. and thread pool seems to be ignored in the debug.
It prints out the configuration it *uses*. It reads pretty much
anything from
hi guys
has anybody ever noticed any difficulties of FR to launch multiple
initial threads? (thread_pool: start_servers n)
context: on a Fedora Core 3 system (linux 2.6.9) I configured n=5 but FR
would not start but one instance. also in the radiusd -X there is no
notice of thread-pool
hi alan
sorry for the delay.
you might be right. yet i think that we might ignore some opportunities
which would be possible/supported by diameter.
Like... what?
well, from my perspective the main arguments would be:
- reliability (especially for accounting)
in every related
hi
just a small preamble: i perfectly understand your position and i do not
expect you to start a diameter implementation tomorrow :-) for me it's
merely a strategic discussion.
Alan DeKok wrote:
Artur Hecker [EMAIL PROTECTED] wrote:
well, from my perspective the main arguments would
apparently we do agree. thanks to Josh for his comment. just one thing:
Alan DeKok wrote:
Josh Howlett [EMAIL PROTECTED] wrote:
I think the point the original poster was making was that Diameter
allows arbitrary conversations between NASes and servers that are
initiated by either party, via
Alan DeKok wrote:
See wire diameter, from Taiwan. I recall it's a student project,
but it does give a minimal diameter server.
But again, can you think of *one* client implementation of diameter?
I can't.
well, that's not the point since diameter would be backwards compatible
to
by the client is indeed quite ridiculous.
the main problem with radius is IMHO its client-server nature. it
inherently lacks control. also TCP in diameter and defined TLS in proxy
mode might be advantageous.
ciao
artur
Alan DeKok wrote:
Artur Hecker [EMAIL PROTECTED] wrote:
well, that's
or simply put 'eap' as the last module in the authorize section. should
be the same.
Jefri bin Dahari wrote:
It works. Thank you very much Vladimir.
- Original Message - From: Vladimir Vuksan [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Alan,
well, unfortunately not really. and most importantly: it does not
assure the users use the known SOFTware to access the net.
imho, hardware has never ever represented a problem so far.
ciao
artur
On 6/14/05, Alan DeKok [EMAIL PROTECTED] wrote:
Artur Hecker [EMAIL PROTECTED] wrote
i personally think that it's completely useless.
implementing EAP or MAC authentication, meaning that one of both would
work, is a huge security hole and requiring both is useless since EAP
authentication implicitly filters away everything unauthenticated...
(even if i understand that might be
disconnect and reconnect, Instead I must enter my username and password,
It automatically
connect without a login prompt.
you mean with PEAP/MS-CHAPv2? yes, Windows XP stores the credentials in
the registry.
http://support.microsoft.com/default.aspx?scid=kb;en-us;823731
ciao
artur
--
Artur
would you mind writing down a small doc with your experiences?
i'm sure it would be nice to know for everyone.
Jim Seymour wrote:
Alan DeKok [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] (Jim Seymour) wrote:
Clarification: Giving the server ADMINNB\jseymour works. Giving it
just jseymour does not.
sorry for this response but the failure in that specific scenario is
very unlikely to be on the server.
the Session-Timeout value and the Accounting events have to be
respected/generated at the client. so, if you don't have the Accounting
Stop for a disconnected user, then the client is no
I think those are already included in the newest releases of freeradius,
aren't they? have a look around in the directory... don't know where.
ciao
artur
PhonTom wrote:
Dear readers!
I have Freeradius running on CentOS 4.0 and with my openssl I cannot
get any certificates created. Paths etc. I have
Nurul probably means client isolation.
Nurul, your issues are not really related to freeradius.
You can authenticate over whatever you want to freeradius. However,
that's not your point. For what you want to do, you need to setup the
access controller which is just another NAS in AAA slang. WLAN
host 10.0.1.3:21645, id=152, length=191
Sending Access-Reject of id 152 to 10.0.1.3:21645
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
--
___
Artur Hecker
http://www.enst.fr/~hecker
ENST Paris
hi
TKIP is the encryption method used on the wireless link. radius is
designed to be independent of the access technology used by the NAS.
in other words, TKIP is something which is not known to the radius
server - by design. the radius server will - if available - provide the
NAS (802.11
hi
i just looked in the doc directory, the source code and a bit on the web
and could not find any recent info on which version of EAP-PEAP is
supported by freeradius. from what i've found till now, only PEAPv0 with
MS-CHAPv2 is supported (this however dates back to June 2004). has it by
any
FYI: EAP-TLS vulnerability in cisco ACS
http://www.cisco.com/warp/public/707/cisco-sa-20041102-acs-eap-tls.shtml
ciao
artur
PS it's a bit out of topic, but well, they also have their problems :-)
hi
as far as I know, german 11 division has been using freeradius for
years for the access control of their xDSL users.
however, i'm not up to date...
ciao
artur
Henning,Rhiannon Michelle wrote:
Do you mind if I ask which radius server you were using before? How many
users are you currently
hi
Now take the EAP-Message:
0x 02 02 000d 01 74 65 73 74 75 73 65 72
hex code id length data (9 octets)
Splitting done right? If so, code, id, and length are consistent with
rlm_eap: EAP packet type response id 2 length 13
But why are there only 9 bytes of data -- I expect 13?
Is
patrick,
if i understand your problem correctly, you want to have a different EAP
type per SSID using the cisco APs of the 12 series.
there are basically two major possibilities to do so, independently of
what has been said before:
1. in AP 12 you can assign an authentication server per SSID.
hi
1. in AP 12 you can assign an authentication server per SSID.
from here on, you could have two different servers, one for
LEAP and the other for EAP/TLS.
Can loopbacks be used on a FreeRadius server so that it control the EAP
type allowed based on the targeted interface? Not needed if I can
add to it: forward the DHCPDISCOVER to the DS if no internal table entry
for this MAC is found. yapp, that would be even very easy to integrate.
but i don't think that _any_ AP does that.
ciao
artur
Damjan wrote:
just for the case: no, it is
NOT possible to assign IP addresses by 802.1X; you
hi
However, how to direct or tell the authenticated
Radius client/station go to get the IP address from
the DHCP server, in other words, is in the RADIUS
server where to indicate the DHCP server IP address
(or point to my DSL router 192.168.1.1).
no. radius is used till to the point when the
hi
Are there any instruction, step-by-step on how to
build the RADIUS server for WPA and WPA2
(802.11a/b/g).
yes, there are. today, it should work out of the box (well, there is
no box, but still).
the good news from the pov of the radius server is that all these things
you mentioned are
it's a function of your access point. freeradius delivers the necessary
keying data. your access point (authenticator) has to use it to produce
the wep keys. similarly, your wireless client (supplicant) produces its
keying data and the both latter can negotiate the wep keys together.
thus,
hi
When you say freeradius delivers the necessary keying data, do you
mean these two following keys?
MS-MPPE-Recv-Key =
0xc0eb6159c1ccc924b524d39c21f3c41588c60dd41945a1480b9119ef809c3060
MS-MPPE-Send-Key =
0xd9e5ca0d05d2430c4e8abea402d47d742bf80ff361945a76f0d0b14e6b84a656
that's exact.
the
ok, whatever a PEAP request means in the original mail :-)
it would be crazy to constantly deliver the same value, what would it be
good for? that's why it's called dynamic WEP...
ciao
artur
Alan DeKok wrote:
Artur Hecker [EMAIL PROTECTED] wrote:
the values in MS-MPPE-Recv-Key and MS-MPPE-Send
hi
But will PAP be supported by supplicants running on Windows and Mac OS-X ?
If you are going to use EAP-TTLS you must use the SecureW2 client since windows
do not support EAP-TTLS. SecureW2 supports PAP so you should be fine. I have no
idea about MacOS X though since it's a unix flavor maybe
hi
actually, the WISPr BP by the Wi-Fi Alliance is not a standard, it's
explicitly marked as non-normative of any kind and called best practice
for WISP roaming.
since Wi-Fi alliance still considers 802.1X as not wide-spread enough,
they did not include it in their current recommendations but
hi lars
I'm writing the HOWTO in DocBook XML, and can then later be converted
to html, pdf, ... - I don't believe docbook has support for inline
html.. overall I think images are better.
ok :-)
I'm a little uncertain here: xsupplicant claims to have support for
dynamic WEP (which I'll try later),
: Lars Strand [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Friday, July 23, 2004 8:02 PM
Subject: Re: 802.1X HOWTO (draft)
On Thu, 22 Jul 2004, Artur Hecker wrote:
1. the document needs a quick native speaker review. guys?
The tldp.org have a language review before it is published ;-)
2. remove
ah, nice.
i took a rapid look, it looks good.
just some details:
1. the document needs a quick native speaker review. guys?
2. remove the repetitions of the form how 802.1X works.
3. add links to XSupplicant and FreeRadius in the abstract.
4. Authenticator config: since the images you include are
hi
No. I was going to release it last Friday, but my wife released
Baby 1.0 first. That took priority, oddly enough.
Give me a few days to sleep...
Alan DeKok.
wow, really??? i can only hope then that this time the feature freeze
came early enough and that the involved developers did a
this feature is usually called reading emails in threads and it
probably exists since the creation of email in _every_ client i know.
i recommend you stop advertising for gmail here.
ciao
artur
Evan Stenmark wrote:
If you use email to search through the freeradius-users list, then I
recommend
hi
Epp, Ladd J wrote:
Turns out that the wireless adapter I was using wasn't working right
with EAP. I'm not sure why. I finally got a hold of a Cisco 350
PCMCIA card and it worked almost immediately using the XP supplicant.
well, that's surprising: my cisco 350 would not do dynamic WEP with
hi
Anyway I have tested even without any User-Password entry against XP's Administrator login. And surprisingly got same result (that Success message before client certificate verification). Am I doing something wrong?
well, imho, it should not behave in a wrong way even if there is a user...
i
hi
sorry, it was my fault, i misread your XP supplicant as xsupplicant. :-)
some kind if issue between the Cisco card and xsupplicant? I have
yes, indeed there is. xsupplicant does not seem to support the way the
newest drivers handle some packets.
Pardon my RADIUS newbie wording... all
hi
alan, please see the remark in text.
[EMAIL PROTECTED] wrote:
I am testing EAP-TLS with Windows XP(EAP-TLS supplicant) ,
Freeradius(running on Redhat 9) and Cisco Aironet 1100 series Access
Point. I have done all the required setup and EAP-TLS authentication
has been successful with that setup.
hi
Has anyone here had any experience with the Aironet 1200 / TLS-PEAP /
FreeRADIUS combination of hardware/software? For some reason, the
yes. it works.
Aironet is not trying to communicate with FreeRADIUS (radiusd XX shows
no communication attempts). I know this is leaning more towards a
hi
If I set up my access point as a Wireless Domain Service, it can
communicate with the FreeRADIUS server, no problem. So, there aren't any
communication blocks going on here. The odd things is that I've followed
well, i don't know what WDS is (if you have any further info on this, i'm
always
hi
WDS allows clients to roam between access points without having to
re-associate each time. It communicates with the RADIUS server for
authentication between access points. I have been successful in getting
that to authenticate.
ok, looks like a proprietary IAPP to me. IAPP uses TCP from client
try that. the certificates also need the corresponding extensions,
don't forget.
ciao
artur
--
Artur Hecker
artur[at]hecker.info
yes, who are neither in users nor in the SQL db.
ciao
artur
ro0ot wrote:
So, it will reject users that is not in the /etc/raddb/users file?
Regards,
ro0ot
NGUYEN Tuan Anh wrote:
It works!!
Thank you very much Artur!!
Ciao
Artur Hecker wrote:
hi
ok, that's a bit messy though. take a look
hi
Thx for your help Artur, but I forgot to say my authenticator is a Cisco
switch 3550, then not a wireless access-point. There's something I don't
understand, with PEAP or EAP-MD5, the windows 2000 supplicant answer to
identity request send by the switch but with EAP-TLS, it stay sleeping
hi Frederic
I think, they are well installed, like it's explained in most HOWTOs, but..
then i don't know.
What do you want to say is that win2K is going to take EAP-Identity value
in client certificate, before EAP-TLS challenge start ??
I don't think so, it doesn't work like that with
hi
strictly spoken, the server-to-client communication is not defined
within RADIUS protocol which follows the client-server comm. model.
this possibility does exist in DIAMETER (if you find an NAS which
understands it, please shout!)
practically, cisco does something like that in RADIUS (but
i think the problem is that you are trying to use WEP within your access
point but no WEP is configured within the 802.11 client on the terminal
(which is NOT included in Win2k).
use the external 802.11 client of your wireless network adapter and
activate WEP (whichever form of it). that will
yes, that's normal since the authentication works for ALL validly
certified clients.
you have to explicitly REJECT the users NOT in your data base.
ciao
artur
NGUYEN Tuan Anh wrote:
Hi, I'm trying to install a system with FreeRADIUS and MySQL and EAP-TLS
as authentication protocol. Everything
congratulations, your server works as it should.
Access Reject is NOT an error, it's what the server is supposed to do
for the unknown users.
ciao
artur
ps
[EMAIL PROTECTED]:~$ radtest --help
Usage: radtest user passwd radius-server[:port] nas-port-number secret
i don't think you have a user
: Artur Hecker [mailto:[EMAIL PROTECTED]
Sent: Monday, May 24, 2004 5:40 PM
To: [EMAIL PROTECTED]
Subject: Re: Dynamic VLAN assignment
i don't know, but i would say execute an external program which reads a
VLAN list file and attributes and marks as used the next unused VLAN.
but you will end up
budget if
anybody out there wants to help code it)
:-)
Thanks,
Dan.
ok, i've got it.
obviously, i thought you were talking about a new possibility. always
interested... :-)
thanks
artur
Alan DeKok wrote:
Artur Hecker [EMAIL PROTECTED] wrote:
well, theoretically, it needs a signing capacity (represented by an
included extension) to do this. anyway, in my config
where you want it to: there is an INCLUDE line in your radiusd.conf.
make it include YOUR file and it will work - provided that the server
has the rights to read it.
usually it's called 'eap.conf' and it is in the raddb dir.
ciao
artur
BLANCA FERRERO RODRIGUEZ wrote:
Could anyone tell me
in the current release version (0.9.3) - to my knowledge - there is no
eap.conf, the eap configuration is rather directly in the radiusd.conf file.
ciao
artur
BLANCA FERRERO RODRIGUEZ wrote:
usually it's called 'eap.conf' and it is in the raddb dir.
I have already searched in that dir but I
DeKok.
user into the EAP-Identity Response, he will be granted to
access the system.
to my knowledge, patches are needed to stop this (something has to check
whether the User-Name equals something (CN?) in the certificate).
ciao
artur
hi Alan
Yes. The users file is just one form of controlling user access.
You can store users in SQL, LDAP, or in signed certificates.
i have a silly question: which signed certificates? do you have more
info on this?
ciao
artur
not but what is it exactly good for?
ciao
artur
this is imho not a help service for cisco hardware. however, i'm sure
that by opening a web browser and connecting to your AP 1100 address you
will find all the answers you need, quasi automagically. just read the
web pages of the ap, it is self-explanatory.
ciao
artur
Aoun Shah wrote:
Hi,
hi
i need to know how the ip addresses in the eap-tls packets are modified in
order to allow proxying between two different domains.
eap/tls packets do not contain any IP addresses. no ip addresses are
ever modified.
My scenario is the following:
- two domains with an internal radius server
also this one:
http://www.drizzle.com/~aboba/IEEE/draft-ietf-cat-iakerb-09.txt
Artur Hecker wrote:
hi :-)
this is called EAP-GSS and it does exist:
http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt
there have been some troubles with standard kerberos detected by Thomas
Wu
Services Dept.
Brevard County Library System
-- Original Message --
From: Artur Hecker [EMAIL PROTECTED]
Reply-To: [EMAIL PROTECTED]
Date: Thu, 25 Mar 2004 09:34:17 +0100
hi list
now it's a bit out of scope but i am sure some of you have some
hi list
now it's a bit out of scope but i am sure some of you have some
experiences with xsupplicant. i'm doing EAP/TLS over cisco 350 card and
cisco 1200 or 350 APs to the 0.9.3 release of freeradius and it's
actually a bit funny since (one of the latest) xsupplicant doesn't stop
no, that's wrong. DON'T force the Auth-Type. do it as i said before.
ciao
artur
Mihai RUSU wrote:
Hi again
Sorry for the SPAM, I solved my problem after a while, the solution was to
have a line like this in users:
dizzy Auth-Type := EAP, User-Password = parola
On Mon, 22 Mar 2004, Mihai RUSU
hi
But caching is disabled (as in the default config, cache = no) and still
unix module fails to load on server startup or check config (the last
lines):
Module: Loaded Pam
pam: pam_auth = radiusd
Module: Instantiated pam (pam)
radiusd.conf[545] Failed to link to module 'rlm_unix': file not
hi
According to strace -s is not enough to execute with root rights, I had to
comment the user/group entries from radiusd.conf. Anyway, even running as
root it fails the same way :-/
hmm? if you execute it in debug mode as root, it runs as root. it reads
but should ignore the rights you set in
legitimate users and creating a DoS problem.
all issues you talk about are true: accounting without any changes is a
problem. as explained above, due to the quite different requirements
there is imho no such thing as a general solution.
ciao
artur
and the radius server can
be protected from listeners by other means: IPsec, dedicated VLANs, etc.
ciao
artur
to generate here.
look e.g. at eap_identity or username attribute? thread by Lars
Viklund, Tue, 19 Nov 2002 19:05:26 +0100.
ciao
artur