Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Specialist, Infrastructure Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list

Re: Dynamic VLAN assignment depending on LDAP user group and MAC address

2013-10-14 Thread Matthew Newton
On Mon, Oct 14, 2013 at 10:40:19AM +0100, Matthew Newton wrote: On Fri, Oct 11, 2013 at 05:41:07PM +0100, Fabrizio Vecchi wrote: As you can see, the device wasn't listed in the file, the authentication went fine, saying that the tunnel that I should get has ID 40, but that wasn't

Re: radwho not working

2013-10-04 Thread Matthew Newton
++[radutmp] returns ok ++[exec] returns noop From that, have you tried the following? radwho -F /var/log/radius/radutmp See also radwho(1). Matthew

Re: Cache for machine authentication

2013-10-04 Thread Matthew Newton
On Fri, Oct 04, 2013 at 09:54:29AM -0400, Garber, Neal wrote: Can someone tell me if it is possible in FR to cache in memory (for a short amount of time) Calling-Station-Id from successful rlm_cache ? http://wiki.freeradius.org/modules/Rlm_cache Matthew

Re: ubuntu postgresql unknown client

2013-09-19 Thread Matthew Newton
address * port 1814 Ready to process requests. Ignoring request to authentication address * port 1812 from unknown client 127.0.0.1 port 52834 ^^ Make sure there is an entry for 127.0.0.1 in your clients.conf. Matthew

Re: Freeradius authenticate against Active directory

2013-09-13 Thread Matthew Newton
Stripped-User-Name instead of User-Name, e.g. ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --domain=abc.ac.uk --username=%{Stripped-User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} Matthew

Re: [ANN] Version 3.0.0-rc1

2013-09-09 Thread Matthew Newton
'make install' on top of a working config on a server and trust the install to not touch any local changes. Even if I'm 99.99% sure it won't, I'd be too worried to do it when there's an easy alternative. But I guess some are just more adventurous than me! :) Cheers, Matthew

Re: Checking TLS-Cert-* and and accept/reject based on them

2013-08-29 Thread Matthew Newton
features, forget the paid support and ask here like you just did. If the support is worth anything, of course, then I'm sure they'll be delighted to build later packages for you that include the patch. :-) Cheers, Matthew

Re: range of mac addresses

2013-08-29 Thread Matthew Newton
for obvious reasons... If you're doing CHAP (or something that needs the full cleartext password) then you're probably limited anyway, as the only way you're going to get the right cleartext password from a username in a range when you don't list them all is to refer to said username. Matthew

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 12:20:12AM +0200, Martin Kraus wrote: I'm stuck with 2.1.10 on ubuntu:-( Without trying to come across as if I'm a stuck record... this is easy to solve. https://lists.freeradius.org/pipermail/freeradius-users/2013-August/067939.html Cheers, Matthew

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
? MSCHAPv2 - I thought PEAPv0 was only MSCHAPv2? and TLS. m.

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
in the tls section. I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure if it made it into the released 2.x code (I doubt it). It's an easy patch if anyone wants to do it themselves. Matthew

Re: (was) RE: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
without access to an OSX server license. http://support.apple.com/kb/DL1466 ? But this is getting a bit off-topic. m.

Re: how to limit the repeating ldap lookups

2013-08-28 Thread Matthew Newton
On Wed, Aug 28, 2013 at 04:49:42PM +0100, Matthew Newton wrote: See the sites-available/check-eap-tls file in v3, and the mods-available/eap file, option virtual_server in the tls section. I backported the patch I wrote to do this to v2 (which is what we are running); I'm not sure

Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-22 Thread Matthew Newton
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote: Matthew Newton m...@leicester.ac.uk wrote: On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote: well looking at man wpa_supplicant I can see EAP-PEAP/TLS I think that should be PEAP/EAP-TLS. Otherwise I'm not sure

Re: rlm_python

2013-08-21 Thread Matthew Newton
://notes.asd.me.uk/2012/01/27/compiling_freeradius_from_git_on_debian/ Note these both give you packages - so you can easily uninstall etc as required, or roll back to the distribution ones. Matthew

Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-21 Thread Matthew Newton
? I did a write-up on getting this to work (see http://q.asd.me.uk/pet ) - fragment_size was the biggest gotcha IIRC. Matthew

Re: debian, wpa_supplicant, TTLS/TLS working, PEAP/TLS fails

2013-08-21 Thread Matthew Newton
-TLS by doing PEAP/EAP-TLS - it's still certificate (machine auth) only. My advice would be to stick with PEAP/EAP-MSCHAPv2 and use deployment tools to get the devices configured correctly. Matthew

Re: Multiple policy files

2013-08-09 Thread Matthew Newton
in that directory (without the policy { } wrapper of course). That's how it is now done by default in version 3. Matthew

Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread Matthew Newton
: Debug: shortname = BTS111 Fri Aug 2 16:45:25 2013 : Debug: nastype = other Fri Aug 2 16:45:25 2013 : Debug: } You've also got two netblocks that clash there. I'm not sure it will hurt, but you probably want to remove one of them, or fix the netmask. Matthew

Re: OCSP http requests

2013-07-31 Thread Matthew Newton
could do it by hacking the openssl library I guess. Matthew

Re: Authorization failed in cisco switch

2013-07-22 Thread Matthew Newton
of id 70 to 172.31.61.224 port 1812 ... The RADIUS server sent an Access-Accept. That means that if you still can't get in, it's the switch that has the problem. Matthew

Re: Post Auth Configurations

2013-07-19 Thread Matthew Newton
the customized message. Is there a way to test the user/pw combo first and *then* perform unlang logic? That's what the post-auth section is for. Matthew

Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
messages or locations to print them, but the pull request will give the right starting pointers :-) Matthew

Re: Loading fails without reporting an error

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 11:24:54AM +0100, Matthew Newton wrote: On Fri, Jul 12, 2013 at 11:19:00AM +0200, Alan DeKok wrote: Lovaas,Steven wrote: I had a mismatch between the type of the home_server localhost (auth), and the attribute used in one of the realms pointing to the pool

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Matthew Newton
for that. Any suggestion?! This came up the other day; I don't think there was a resolution. It's not a FreeRADIUS issue - you're probably best off talking to Cisco TAC. Matthew

Re: freeradius using linux user passwd

2013-07-10 Thread Matthew Newton
Hi, On Tue, Jul 09, 2013 at 10:58:15AM -0700, Julian Macassey wrote: On 2013-07-09 at 10:18, Matthew Newton (m...@leicester.ac.uk) wrote: Try adding the following to the *top* of your users file: evergreen Cleartext-Password := pa55word, MS-CHAP-Use-NTLM-Auth := 0 When I use the users

Re: freeradius using linux user passwd

2013-07-09 Thread Matthew Newton
it can't authenticate the user. Given a cleartext password as above, you should be good to go. Matthew

Re: freeradius using linux user passwd

2013-07-08 Thread Matthew Newton
Access-Reject of id 73 to 10.1.1.211 port 35032 Waking up in 4.9 seconds.

Re: Problem with CISCO WIRELESS CONTROLLER and RADIUS Authentication

2013-07-04 Thread Matthew Newton
it? I would check that your WLANs are correctly configured with the RADIUS servers in the controller. You shouldn't need to configure the APs like this. You're better off asking on another mailing list, though. Matthew

Re: Mac-auth. authorized_macs file sintax

2013-06-21 Thread Matthew Newton
(this goes to the NAS) and will disconnect without an EAP Success. You probably want EAP-TLS if you want host (rather than user) based authentication on wireless. Matthew

Re: Mac-auth. authorized_macs file sintax

2013-06-21 Thread Matthew Newton
. You just can't authenticate based on the MAC address only if you're doing EAP. Matthew

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
- Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x. Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf Save yourself some LDAP lookups by removing ldap from the outer. Cheers Matthew

Re: Mysql xlat help

2013-06-14 Thread Matthew Newton
. If you can't or won't, then please find some commercial paid support for your problems and stop wasting people's time having to read e-mails that they can't help with. Matthew

Re: buffered-sql, radsqlrelay and fault resilience

2013-06-10 Thread Matthew Newton

Re: user from particular NAS-IP-Address

2013-05-26 Thread Matthew Newton
can be spoofed if you permit NASes not under your own control. Matthew

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
round trips, it will auth faster, too). Cheers Matthew

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-21 Thread Matthew Newton
? Same thing, but usually referred to as PEAP/EAP-TLS (or sometimes, probably incorrectly, EAP-PEAP/EAP-TLS). Matthew

Re: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread Matthew Newton
has: if (isdigit(l[1])) break; which stops looking for a module_name (e.g. md5) if the first character after the : is a digit. Fixed in 3.0 (see 4fd62ce9 22 August 2012). Matthew

Re: Proxy Treatment of PAP/Chap Auth Types

2013-05-03 Thread Matthew Newton
both servers so we can see what's happening. A small section doesn't help much. You should use Cleartext-Password in place of User-Password in the config. There is no difference, and User-Password is deprecated and going away in 3.0. Matthew

Re: Proxy Treatment of PAP/Chap Auth Types

2013-05-03 Thread Matthew Newton
impossible to tell much more. Matthew From: Matthew Newton m...@leicester.ac.uk To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Sent: Friday, 3 May 2013 6:21 PM Subject: Re: Proxy Treatment of PAP/Chap Auth Types On Fri, May 03, 2013

Re: get some invalid value in User-Name attribute

2013-04-23 Thread Matthew Newton
so, if it is a problem, that is where to fix it. It's nothing to do with FreeRADIUS. Matthew

Re: [Help] How to control the authentication session timeout

2013-04-23 Thread Matthew Newton
{ Session-Timeout : = 7200 } It should be: post-auth { update reply { Session-Timeout := 7200 } } (e.g. no space between : and =) HTH, Matthew

Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
to FreeRADIUS. Like already pointed out, if it's AD, this isn't likely to happen. Matthew

Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
-- comment out ntlm_auth } } Then it should take your User-Name and User-Password, check them using the ntlm_auth utility rather than the pap module (the ntlm_auth module is just an instantiation of exec). Matthew

Re: captive portal auth with freeradius

2013-04-19 Thread Matthew Newton
method for PAP. The PAP module can't do it for you, as it knows nothing about the ntlm_auth utility, so you have to call it yourself, using something like the config I gave you just now. Matthew On Fri, Apr 19, 2013 at 9:56 PM, Matthew Newton m...@leicester.ac.uk wrote: On Fri, Apr 19, 2013

Re: Sending a disconnect message when replying with an access reject.

2013-04-18 Thread Matthew Newton
-Type REJECT section in the inner-tunnel is never called. This is fixed in v2.x.x HEAD and master. Post-Auth-Type REJECT in the outer tunnel is fine. This might be your problem. Or perhaps I am just doing something wrong. You didn't send output from radiusd -X. Matthew

Re: captive portal auth with freeradius

2013-04-18 Thread Matthew Newton
at present to go digging to find out). Cheers, Matthew

Re: rlm_passwd help

2013-04-17 Thread Matthew Newton
/shouldn't/ need to do this - FR will generally work this out by itself - just make sure 'passwd' is above 'pap' in authorize. Setting this might cause you problems in the future. Cheers, Matthew

Re: Trimming character of variables within configuration files

2013-04-17 Thread Matthew Newton

Re: captive portal auth with freeradius

2013-04-17 Thread Matthew Newton
the entry to the users file, then try logging in with that username/password. To help further, we're going to need more information. Primarily, *complete* debugging output, generated by running in debug mode with radiusd -X Matthew

Re: Trimming character of variables within configuration files

2013-04-17 Thread Matthew Newton
attribute, so it will not change the attribute. Then look at the debug output to check that it actually did what you asked (e.g. the regex is right, etc). Matthew

Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
checked? Perhaps a regex thing? [preprocess]expand: %{NAS-IP-Address} - 192.168.0.15 ++[preprocess] returns ok huntgroups is definitely being read (it's read by preprocess), but the lines might not be being matched. Matthew

Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
Hi, On Wed, Apr 17, 2013 at 08:38:36PM +0100, Matthew Newton wrote: On Wed, Apr 17, 2013 at 12:32:32PM -0500, John Giordano wrote: So in huntgroups I have: ### RADIUS HUNTGROUP TEST - jg ### MSP7345 NAS-IP-Address =~ /^10\.99\.3\./ SNJ7000 NAS-IP-Address =~ /^10\.3\.99

Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-17 Thread Matthew Newton
bunch of entries in huntgroups... either manually or through a Perl script. :) Cheers! -jg

Re: Profile-Name attribute

2013-04-17 Thread Matthew Newton
in the Idle-Timeout thread :-) Matthew

Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread Matthew Newton
suggested. Note the above splits the config over two locations. If you want to keep it all in one place, use unlang like Alan said. If it doesn't look tidy, put it in the policy.conf file and then call the policy name instead. Matthew

Re: OCSP parsing in client certificate

2013-04-16 Thread Matthew Newton
anyway :-) Cheers, Matthew

Re: Setting different IDLE-TIMEOUTS based on IP Address

2013-04-16 Thread Matthew Newton
: update reply { Idle-Timeout := %{client:myidlevalue} } (may want an if{} around it if myidlevalue isn't defined for all clients) :) Matthew

Re: MAC Address Auth

2013-04-08 Thread Matthew Newton
, Ip_Address_Pool_Name = pool_128, Framed-Address = 255.255.255.254, Framed-Netmask = 255.255.255.255, Fall-Through = 0 Matthew

Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton

Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Matthew Newton
being set by something else beforehand, and needed the := to force it. But unlang is probably tidier than files here. Matthew

Re: Server switch

2013-03-26 Thread Matthew Newton
control { Proxy-To-Realm := wifiproxy } } ... } } This should work between different servers; I'm not sure if you'll hit the only one internal proxy limit on one server. Matthew

Re: Server switch

2013-03-26 Thread Matthew Newton
On Tue, Mar 26, 2013 at 02:20:40PM +0100, Emmanuel BILLOT wrote: How about hyphen SSID ? ex : WIFI-TEST I failed in writing regex for it... if (Calling-Station-Id =~ /^.*:([a-zA-Z-]+)$/) { Matthew

Re: Server switch

2013-03-26 Thread Matthew Newton

Re: Server switch

2013-03-26 Thread Matthew Newton
' { update control { Proxy-To-Realm := testproxy } } case 'WIFI' { update control { Proxy-To-Realm := wifiproxy } } } } Matthew

Re: post-auth not being entered in inner-tunnel

2013-03-14 Thread Matthew Newton
was skipped, so inner post-auth was only called for success. Some confirmation would be useful - I haven't got time to check right now. Cheers, Matthew

Re: Instantiating modules

2013-03-14 Thread Matthew Newton
it in the virtual server. Matthew

Re: Instantiating modules

2013-03-14 Thread Matthew Newton
On Thu, Mar 14, 2013 at 03:04:08PM +, Jonathan Gazeley wrote: On 14/03/13 14:26, Matthew Newton wrote: Just put it in the global instantiate section, as above, then use it in the virtual server. The point of my exercise is to make my FreeRADIUS config fully modular in preparation for my

Re: post-auth not being entered in inner-tunnel

2013-03-13 Thread Matthew Newton
, as it then won't call post-auth at all. I'd suggest that either a00c4432 needs backing out, or 00cadac7 and need backporting as well. Cheers, Matthew

Re: post-auth not being entered in inner-tunnel

2013-03-13 Thread Matthew Newton
, or 00cadac7 and need backporting as well. should have read: I'd suggest that either a00c4432 needs backing out, or 00cadac7 and c625bf173 need backporting as well. There are three commits in series that all go together. Cheers! Matthew

Re: Free Radius 2.1.1 showing clear text password at the debug mode

2013-02-21 Thread Matthew Newton
something different that can handle auth without plaintext passwords. Cheers Matthew

Re: simulate Point Access

2013-02-20 Thread Matthew Newton
can run eapol_test on a different machine than FreeRADIUS if you want to - just make sure you set up a client for the test machine in the FR config. Matthew

Re: Issues with Freeradius crashing after a sighup

2013-02-08 Thread Matthew Newton
of a reload. It's not likely to make much of a difference. Matthew

Re: freeradius accounting of cdr and quotes for string attributes

2013-02-06 Thread Matthew Newton
}\ ... } Matthew

Re: mac address format

2013-01-28 Thread Matthew Newton
based auth, it's not likely to go well... Sorry if this is a FAQ, of course I've not changed anything within my conf since 2009 ! You should upgrade. There have been security bugs fixed in 2.2.0. Matthew

Re: upgrading freeradius

2013-01-27 Thread Matthew Newton
is also likely to get you a lot of 'go away and upgrade' responses, rather than answers to your question... Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom - List info

Re: Log format

2013-01-22 Thread Matthew Newton
. Matthew

Re: computer authentication

2012-12-07 Thread Matthew Newton
. Cheers Matthew

Re: 802.1x Issue

2012-11-30 Thread Matthew Newton
Windows devices (especially as part of a windows domain), then EAP-TLS can also be another good option. Matthew

Re: SV: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Matthew Newton
compiled yourself, or own-built packages (from git?), or the standard Debian packages from their repo? Matthew

Re: files Authentication problem

2012-11-26 Thread Matthew Newton
Auth-Type := Local, Cleartext-Password := 00c51180d29c Alcatel-Lucent-Auth-Group = 4 As the debug log says, Remove Auth-Type := Local from the above. Matthew

Re: files Authentication problem

2012-11-26 Thread Matthew Newton
Auth-Type := Local, Cleartext-Password := 00c51180d29c Alcatel-Lucent-Auth-Group = 4 As the debug log says, Remove Auth-Type := Local from the above. Matthew

Re: problem with test aaa-server in ciscoasa

2012-11-23 Thread Matthew Newton
to get more help if you send the debug output from FreeRADIUS (radiusd -X). Matthew

Re: Git master branch Debian build

2012-11-22 Thread Matthew Newton
.mk files in that dir), remove @ characters at the beginning of the lines. Matthew

Re: files Authentication problem

2012-11-21 Thread Matthew Newton
On Wed, Nov 21, 2012 at 09:01:22AM +0100, alexdhel...@free.fr wrote: 00c51180d29c Auth-Type := Local, Cleartext-Password := 00c51180d29c Alcatel-Lucent-Auth-Group = 4 As the debug log says, Remove Auth-Type := Local from the above. Matthew

Re: Git master branch Debian build

2012-11-21 Thread Matthew Newton
/freeradius: error while loading shared libraries: build/lib/relink/.libs/rlm_acctlog.so: cannot open shared object file: No such file or directory No time to look right now - maybe tomorrow. Matthew

Re: FreeRADIUS + Mysql + xl2tpd and pptpd

2012-11-15 Thread Matthew Newton
--- Dmitry KORZHEVIN System Administrator STIDIA S.A. - Luxembourg e: dmitry.korzhe...@stidia.com m: +38 093 874 5453 w: http://www.stidia.com

Re: help:freeradius + ldap + cisco ap can not work

2012-11-09 Thread Matthew Newton
, is not clear text. You need clear text passwords or NTLM (NT-Password) for mschap to work. http://deployingradius.com/documents/protocols/compatibility.html Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester

Re: Cannot Authenticate Local User

2012-11-07 Thread Matthew Newton
requests. You've missed the rest of the log off that contains the actual authentication attempt, so we can't see what's broken. Try again with rtest Cleartext-Password := rtest at the top of the users file. Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks

Re: No EAP Start, assuming it's an on-going EAP conversation

2012-11-06 Thread Matthew Newton
a security vulnerability in anything older. Cheers Matthew [0] http://notes.asd.me.uk/2011/01/11/freeradius-and-ntlm_auth-reminder-from-a-silent-failure/ -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester

Re: rlm_eap_ttls: Cannot tunnel EAP-Type/ttls inside of TTLS

2012-10-31 Thread Matthew Newton
ttls ... Module: Linked to sub-module rlm_eap_ttls Module: Instantiating eap-ttls ttls { default_eap_type = ttls Try setting that to something other than ttls. For instance, mschapv2, to match your PEAP section. Cheers, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems

Re: LDAP attribute mapping

2012-10-30 Thread Matthew Newton
} Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org

Re: Regarding pam_radius_auth to be integrated with busybox

2012-10-29 Thread Matthew Newton
! Can you please suggest what might be the issue is? I am getting password Please read the debug output. It's telling you the answer. Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH

Re: No Realm in table radacct

2012-10-20 Thread Matthew Newton
in the Accounting-Request that was returned to the NAS in the Access-Accept, not the User-Name that they used in the Access-Request. Therefore the result from FreeRADIUS does directly affect what is sent for Accounting. Cheers, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect

Re: Indeterministic EAP error

2012-10-04 Thread Matthew Newton
, but it's nothing like as often as it used to be. In short, it's a client/NAS issue, as already stated. Hope that helps, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United

Re: getting rejected, please give me some light.

2012-10-04 Thread Matthew Newton
of the 'users' file. Move it to the top. (And add pap back in). Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk

Re: Identifying Virtual-Server from Inner-Tunnel

2012-10-04 Thread Matthew Newton
it. Personally unless functionality was a lot different (which it doesn't sound like it is), I'd probably do it all in one outer server and test based on request attribute or Packet-Dst-Port, but if it works then it's OK. Cheers Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect

Re: simple accounting proxy setup.

2012-10-02 Thread Matthew Newton
haven't enabled copy-acct-to-home-server correctly. You should then see that pick up packets and process them. Cheers, Matthew -- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United

Re: simple accounting proxy setup.

2012-10-02 Thread Matthew Newton
-- Matthew Newton, Ph.D. m...@le.ac.uk Systems Architect (UNIX and Networks), Network Services, I.T. Services, University of Leicester, Leicester LE1 7RH, United Kingdom For IT help contact helpdesk extn. 2253, ith...@le.ac.uk - List info/subscribe/unsubscribe? See http://www.freeradius.org/list
