On Tue, Sep 17, 2013 at 07:54:12AM +0100, John Carter wrote:
I've got a Windows 7 machine attempting to connect to FreeRADIUS 2.2.0.
EAP-TLS with a client certificate works fine, but with PEAP/EAP-TLS it
doesn't.
Hi.
make fragment_size in modules/inner-eap smaller than fragment_size in
Hi.
I'm assigning profiles from ldap to User-Profile and I have a corner case
where a user can actually have multiple profiles which returns more than one
record and nothing gets assigned to User-Profile. Is there a way to specify
sizelimit for a ldap lookup to 1?
thanks
Martin
On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
I'm getting an EAP error response from the other server about it not liking the
id number
Supplicant sent unmatched EAP response packet identifier
EAP Response identifier sent by the client has to match EAP Request
On Thu, Aug 29, 2013 at 02:56:44PM +, Robert Roll wrote:
I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier maybe not ? Is there a different
EAP response identifier ?
That is the id of the radius packet. EAP lives inside radius packet AVPs called
On Wed, Aug 28, 2013 at 10:10:32AM +0400, Iliya Peregoudov wrote:
On 28.08.2013 9:48, Olivier Beytrison wrote:
On 28.08.2013 00:20, Martin Kraus wrote:
Hi. I'm using groups to authorize users and pull radius profiles for the
users.
My config is similar to what the default freeradius
On Wed, Aug 28, 2013 at 07:48:38AM +0200, Olivier Beytrison wrote:
server inner-tunnel {
authorize {
eap
# stop processing authorize on eap identity or mschap success/fail
if ((EAP-Type == 1) || (EAP-Message[0] =~ /^0x02..00061a..$/)) {
noop
}
else {
#
On Wed, Aug 28, 2013 at 03:42:08PM +0100, Arran Cudbard-Bell wrote:
Fine, yes, also TLS. But in the wonderful world of Microsoft supplicants PEAP
usually specifies PEAP with an MSCHAPv2 inner?
Windows 7 supports PEAP+TLS. Unlike Network Manager on linux distributions.
and wow did they get
On Wed, Aug 28, 2013 at 02:49:32PM +0100, Arran Cudbard-Bell wrote:
Does anyone have a configuration which gets it down to a single LDAP query
for PEAP?
The following is for EAP-TTLS/EAP-TLS and PEAP/EAP-TLS on my setup.
# When EAP-TLS runs in EAP-TTLS tunnel the id starts at 0x00 and we
On Wed, Aug 28, 2013 at 03:46:53PM +0100, Arran Cudbard-Bell wrote:
OK. Just wondering if you could really get it down to a single lookup, IIRC
you needed the 'known good' NT-Password data for a couple of rounds of
MSCHAPv2?
with
if ( (EAP-Type == Identity) || (EAP-Type == NAK) ||
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,
Your reference is wrong/unknown which means that there's a noop. This means
no operation which means no fticks output
This brings me back to my earlier
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the
Hi.
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
thanks
martin
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
If you list the ldap
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.
I'm
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
On the assumption that your certificates are OK...
Have
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
WARNING: !!
WARNING: !! EAP session for state 0x992158e5992955e0 did not finish!
WARNING: !! Please read
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because
On Mon, Jul 22, 2013 at 04:27:30PM +0200, Marco Aresu wrote:
i am getting some problem with authorization in free radius
i configured the users file as below :
DEFAULT Auth-Type := System
cisco Auth-Type := System
Service-Type = NAS-Prompt-User
On Tue, Jul 23, 2013 at 03:12:33PM +0200, Marco Aresu wrote:
now i can logon into the switch but i can with all USERS. Where i can
specify who can access to the switch?
I add a row in the USERS file user Auth-Type := Reject but nothing
change.
The first match wins in users file unless the
On Fri, Jul 19, 2013 at 06:03:31PM +0200, Dario Palmisano wrote:
•RADIUS-assigned VLANs are not supported when you enable multiple BSSIDs.
So it seems not to be related to the IOS version, is it?
Is there any way to overcome this somehow, if not...
Do you actually need multiple bssids?
On Fri, Jul 19, 2013 at 04:20:51PM +0200, Dario Palmisano wrote:
is this a 'fat/autonomous' AP? if so, then only latest firmware can handle
multiple VLANS per 802.1X SSID with multiple BSSIDs present.
This could be the problem, I found something in the Cisco documentation but
was unsure
On Thu, Jul 04, 2013 at 07:05:09PM +0100, Arran Cudbard-Bell wrote:
Don't try and use the users file for complex stuff like this.
In your profile objects add an attribute for preferredNetwork.
Use ldap xlat to search in the directory for a profile object with a
preferredNetwork attribute
Hi.
I'd like to give users an option to specify which network to connect to
using something like
helpdesk\username@realm
admins\username@realm
I was thinking of stripping the network part in hints and saving it in a
variable say Preferred-Network and then match on it in users
DEFAULT
Hi.
Out of curiosity, which objects does the ldap module check for checkitems and
replyitems? Only the object that identifies the user and the object pointed to
by User-Profile?
I mapped a seeAlso attribute in ldap.attrmap but I don't see it being pulled
from a group object the user is matched
Hi.
I had to create 3 instances for the ldap module. One is the default
ldap {
}
and then I got two named
ldap ldap-eduroam {
}
ldap ldap-netdefault {
}
I'm using the two named for doing attribute pulling in post-proxy.
Now my setup stopped working because suddenly ldap-eduroam was
On Sun, Jun 16, 2013 at 01:15:06PM -0400, Alan DeKok wrote:
Martin Kraus wrote:
Yes I did that before posting. However the only thing that would allow
something like a standard password plus otp is using google authenticator with
the forward password option through rlm_pam again. I
On Sun, Jun 16, 2013 at 10:46:51AM +0100, Phil Mayers wrote:
There are various ways of doing OTP with FreeRADIUS. Read the
docs/wiki and sample configs, and search the archives of the list.
Yes I did that before posting. However the only thing that would allow
something like a standard password
Hi.
I'd like to have freeradius authenticate users using their password (for
simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to
use freeradius to centralize this. PAM looked like the easiest way.
I'm using freeradius 2.1.12 from debian wheezy.
PAM configuration is
28 matches