Re: freeradius query on password encryption and decryption

2012-12-20 Thread Phil Mayers
On 20/12/12 11:50, Yashaswini Sathyanarayana wrote: WARNING: Unprintable characters in the password. Double-check the shared secret on the server and the NAS! This message is accurate. You have a typo, or the NAS is buggy. Re-set the shared secret to something VERY SIMPLE e.g. abc123 - no

Re: Problem with proxying request

2012-12-18 Thread Phil Mayers
On 18/12/12 15:29, BALSIANOK, Peter wrote: No iptables, ipfw, pf, etc. When I use radclient and send an accounting request (from the server where freeradius is placed) to the 3rd-party radius I get the correct answer. Then use ordinary system diagnostic tools (strace, etc.) to determine why the packet isn

Re: Problem with proxying request

2012-12-18 Thread Phil Mayers
On 18/12/12 13:11, BALSIANOK, Peter wrote: Hi, I try to send a proxy request via freeradius-2.2.0, but as I can see in the debug output, freeradius didn't process the Accounting Response (tcpdump shows that the server got the response). Firewall (iptables, ipfw, pf, etc.) - List info/subscribe/unsubscribe

Re: Auth-Type already set?

2012-12-14 Thread Phil Mayers
You've trimmed the debug, but based on what you did give, the client isn't sending pap - it is sending chap. The client chooses the auth method - you can't force it at the server Lorenzo Milesi wrote: >I'm having a problem with FR2.1.10 and MD5 Passwords with MySQL. > >When I try to enable PA

Re: EAP

2012-12-13 Thread Phil Mayers
On 13/12/12 15:55, David Peterson wrote: I am troubleshooting potential issues on a WiMax system. Typically we have the FR server on a LAN link but some customers have WAN links. My thought is disconnects on a re-auth session causing outages. I guess it might be WAN RTT. To an extent, it dep

Re: EAP

2012-12-13 Thread Phil Mayers
On 13/12/12 15:43, David Peterson wrote: Hmm so if say the wireless inserted 55-65ms of latency and we have another 50ms of WAN latency it could cause some real issues with EAP. It shouldn't cause issues - but you will observe the latency (as well clients when authenticating). Most EAP timer

Re: EAP

2012-12-13 Thread Phil Mayers
On 13/12/12 15:22, David Peterson wrote: I wanted to ping the Eduroam people about EAP over WAN links. Are there considerations that can cause connectivity issues that I should be examining? Well... maybe. EAP is lockstep, so round-trip time is a factor - if your RTT is 100ms and your EAP ex

Re: share information between authorize and authenticate sections (rlm_perl & rlm_python)

2012-12-13 Thread Phil Mayers
On 12/12/12 22:04, laurent.fe...@free.fr wrote: Hello, If someone can advise me... How to share information between the authorize() function and the authenticate() function within a perl or python script ? Just set an attribute: authorize { update request { Tmp-String-0 := "%{some:expa

Re: refowarding the radius request when authentication fails

2012-12-13 Thread Phil Mayers
On 12/12/12 22:14, laurent.fe...@free.fr wrote: Hello, in the authentication step, I try several authentications against an OTP server, but if all have failed or the user is not known, I would like to re-forward the radius request to another radius server. The server can't do that, because it doesn'

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers
On 10/12/12 20:00, PENZ Robert wrote: @PhilMayers: Did you get the Mail with the full logfile? do you need more? Ok, your NAS is buggy I'm afraid. In some small percentage of cases, it is not handling the wrapping of EAP id values from 255 to 0. The following sequence of (redacted) packets s

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-11 Thread Phil Mayers
On 12/10/2012 08:00 PM, PENZ Robert wrote: @PhilMayers: Did you get the Mail with the full logfile? do you need more? I did, but honestly I prioritise personal "help" emails lower than ones to the list, sorry. I'll see if I have time to look today.

Re: computer authentication

2012-12-10 Thread Phil Mayers
On 12/09/2012 08:18 PM, Dan Letkeman wrote: SOLVED. Modified my proxy.conf file as per another list post. You cannot just add the 'nostrip' option to the realm. You must remove the home_server and home_server_pool, but keep the options from the home_server and put them under the realm. This

Re: computer authentication

2012-12-07 Thread Phil Mayers
On 07/12/12 16:34, Dan Letkeman wrote: [mschapv2] # Executing group from file /etc/raddb/sites-enabled/inner-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Cannot create NT-Passw

Re: ldap eDir support in master branch

2012-12-06 Thread Phil Mayers
On 06/12/12 16:45, Olivier Beytrison wrote: Hi, Now that I have my packages, I've started deploying FR3 for our eduroam federation. And I just saw that the eDir support is gone. Now my question is: 1. is it abandoned? 2. is it not yet ported to the new rlm_ldap code? No-one who has eDir fo

Re: Eduroam & FreeRadius not working so well

2012-12-06 Thread Phil Mayers
On 12/06/2012 10:16 AM, Alan Buxey wrote: Hi, home_server_pool EDUROAM-FTLR { type = fail-over home_server = proxy1 home_server = proxy2 } I would use: type = client-port-balance to balance between the 2. (that method en

Re: Python access to attribute lists

2012-12-05 Thread Phil Mayers
On 12/05/2012 05:59 PM, laurent.fe...@free.fr wrote: Moreover, the request list is a read only list. I wanted to modify the user-name in the authorization function in python, but you cannot, only rlm_perl is able to do that. Yes, if someone could enhance the rlm_python it will be great. I looked

Re: Define New Attribute

2012-12-05 Thread Phil Mayers
On 12/05/2012 12:53 PM, Alexandre J. Correa (Onda) wrote: Finished request 0. Going to the next request Waking up in 4.9 seconds. rad_recv: Accounting-Request packet from host 192.168.2.200 port 55834, id=129, length=149 Service-Type = Framed-User Framed-Protocol = PPP As you

Re: AW: AW: EAP-TLS Failed in handler question

2012-12-04 Thread Phil Mayers
On 12/04/2012 03:59 PM, PENZ Robert wrote: There is no other packet between these two and only 5 seconds, server has not been restarted. Weird. But we need the *full* debug please!

Re: FreeRadius authentication problems

2012-12-04 Thread Phil Mayers
On 12/04/2012 07:32 AM, Taneli Virtanen wrote: User[client mac address] fails authentication too many times in a row when joining WLAN[opetus-x/opetusx] at AP[ap1 ]. User[client mac address] is temporarily blocked from the system for [3

Re: 802.1x Issue

2012-12-03 Thread Phil Mayers
On 03/12/12 16:04, Brekler Custodio wrote: Have you guys heard about SecureW2? Yes. It's a supplicant (or plugin? I can't remember) with support for EAP-TTLS/PAP on older versions of windows. People from Cloudpath Networks said they can make it work with MD5 hash passwords on 802.1x with TTLS-PA

Re: 802.1X PEAP / MSCHAPv2 (with nt-password)

2012-11-30 Thread Phil Mayers
On 30/11/12 16:39, Thomas Dupas wrote: Dear, at the risk of falling in a known trap. I've read enough statements that one can't do mschapv2 with openldap, unless you store the passwords in clear-text. I know that That's not true. You need the NT hash to perform mschapv2. Therefore, you either

Re: 802.1x Issue

2012-11-30 Thread Phil Mayers
On 11/29/2012 10:44 PM, Brekler Custodio wrote: rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql_getvpdata: database query error This should be clear. You've mangled the SQL queries or, more likely, not setup the SQL database right.

Re: Detail file

2012-11-28 Thread Phil Mayers
On 28/11/12 14:57, BALSIANOK, Peter wrote: Last question. Is writing to the detail file serialized (can parallel threads write data at the same time to one file)? Yes. The detail writer (and reader) use locking.

Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Phil Mayers
On 28/11/12 10:52, Johan Meiring wrote: On 2012/11/28 11:50 AM, Phil Mayers wrote: root@itop0-db0:/scripts# LD_PRELOAD=/usr/lib/libperl.so.5.10 Why are you fiddling with LD_PRELOAD? On my debian boxes FR cannot run without preload. Yuck. It's probably some libtool horror in 2.

Re: Regarding Proxy sockets

2012-11-28 Thread Phil Mayers
On 11/28/2012 09:27 AM, ramakrishna wrote: Hi, I have been using freeradius 2.2 for a while now. When I start the radius server in debug mode, I observed the server creating proxy sockets. Please find the log below. * ... adding new socket proxy address * port 61412 ... adding new socket proxy a

Re: Freeradius several segfaults at heavy load and startup ?

2012-11-28 Thread Phil Mayers
On 11/28/2012 04:28 AM, Alexander Silveröhrt wrote: Hello, Wondered if anyone has any idea about the below. If started with flag -X everything starts up ok, but without -X it crashes with these messages in the log (at least most of the time; if one is persistent then it may well start up properly

Re: matching entry in users file

2012-11-27 Thread Phil Mayers
On 27/11/12 17:42, vazoumana fofana wrote: napoleon SMD5-Password :="yyy" napoleon : NT-Password := "xx" This is wrong. Read the "man users" page for info on the correct syntax. Either of the following two works: napoleon SMD5-Password := "xx", NT-Password :=

Re: Newbie question about rlm_exec usage

2012-11-24 Thread Phil Mayers
On 11/24/2012 08:40 PM, Hoggins! wrote: I don't know if I understand the process correctly : as far as I understand, an authentication request is handled successively by the listed modules in the authorize {} section, right ? So, now that I figured that I have to use PAP as phase2, I can have th

Re: Debian (Squeeze) FreeRadius package missing config files

2012-11-21 Thread Phil Mayers
On 21/11/12 15:18, David Gethings wrote: Hi All, It appears that the Debian package for freeradius 2.1.10 does not install the configuration files. At least that is what is happening on my system. As I try to resolve this is it possible to get a copy of the config files from some other location?

Re: AW: EAP-TLS Failed in handler question

2012-11-21 Thread Phil Mayers
On 21/11/12 12:00, PENZ Robert wrote: With first packet I meant the first packet the radius server saw in some time ... the switch forces a reauthentication every 2h A re-auth is a fresh EAP session. So even on a re-auth, the first packet would not have a "State" attribute, absent software bug

Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers
On 20/11/12 17:50, Panagiotis Georgopoulos wrote: 91 0d 501 03 4848 15 7540 01 35801 19 So, about 75% PEAP, 10% TTLS, 15% identity packets, less than 0.2% TLS. Thanks a lot for these specific results. Essentially you are proving my point :-) At first you said that 9

Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers
On 20/11/12 14:19, Panagiotis Georgopoulos wrote: Yeap, I understand this but telling people that you are doing EAP-TLS, or EAP-TTLS, or PEAP, or whatever does not really expose your network. Many companies have this information on the web already in "how-to-connect-to-our-wifi" guides. It seem

Re: freeradius retransmit of EAP-TTLS start packet with incorrect packet id

2012-11-20 Thread Phil Mayers
On 19/11/12 16:27, Alan DeKok wrote: There are patches going into 3.0 which will detect RADIUS retransmits over multiple proxy hops. That is a rare case, but more likely in the case of eduroam. Fixing it is good. Ooh, really? What solution did you hit on?

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers
On 20/11/12 12:38, Swaraj wrote: Tue Nov 20 16:48:05 2012 : Error: rlm_eap: SSL error error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01 That's very odd. It looks like a problem with OpenSSL - maybe endian-ness or something? I created certificates with the fo

Re: EAP-TLS error: RSA_padding_check_PKCS1_type_1:block type is not 01

2012-11-20 Thread Phil Mayers
On 20/11/12 13:26, Alan DeKok wrote: Swaraj wrote: I'm using Freeradius server 2.1.12 on x86 fedora14. My client is using (armel ubuntu 10.04 lucid) IMX53 board. When I try connecting to radius server I am receiving the following errors. The client is broken. It's not doing SSL correctly.

Re: Statistics on EAP methods widely used

2012-11-20 Thread Phil Mayers
On 20/11/12 12:53, Panagiotis Georgopoulos wrote: Hello all, I apologize for the “spam” but I thought that you would be able to give me a couple of pointers on the following. I am trying to find some statistics on what is the most commonly deployed/used EAP met

Re: Novice Question

2012-11-20 Thread Phil Mayers
On 11/20/2012 10:23 AM, Tzvika Gelber wrote: radius1 Cleartext-Password := "radius1" Tunnel-Type = "VLAN" Tunnel-Medium-Type = "IEEE-802" Tunnel-Private-Group-Id = "1" This is wrong; see "man users" and the other examples in this file. You can't have a blank line betwee

Re: Proxying PEAP/MSCHAPv2 to NPS errors

2012-11-19 Thread Phil Mayers
On 19/11/12 17:42, Seth Lampman wrote: I've been to that site and looked around before as well as countless Google searches. The only thing remotely close to my issue is the certificate and No, this issue is a crash. Totally different. doc/bugs basically describes running the server under "gd

Re: Personalizing ldap filters from users file

2012-11-19 Thread Phil Mayers
On 11/19/2012 09:48 AM, Angel L. Mateo wrote: ldap { ... filter = "(&(mail=%{User-Name})(schacUserStatus=: %{X-Atica-Service}:enabled))" ... } DEFAULT X-Actica-Service = 'vpn', Auth-Type = LDAP, Realm == um.es User-Name := `%{User-Name}`, Fall-Through = No But this

Re: EAP-TLS Failed in handler question

2012-11-19 Thread Phil Mayers
On 11/19/2012 08:23 AM, PENZ Robert wrote: My first question is, how can I decode a EAP-Message from the debug log to check if the request is itself ok. Wireshark, or read the EAP RFC and decode it manually (see below). Here is first packet from No, this is *not* the first packet, because i

Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Phil Mayers
On 16/11/12 14:08, Carlos Velasco wrote: On 16/11/12 11:43, Carlos Velasco wrote: I don't see LM hashes allowed in the Radius attributes for password change. Don't seem Cisco using them. Sorry yes ignore me; I'm being dumb. Ok. After further findings... it is a bug in Cisco IOS router vers

Re: poptop pptpd + freeradius

2012-11-16 Thread Phil Mayers
On 16/11/12 11:20, Dmitry Korzhevin wrote: Guys, Same server, I am trying to configure pptpd with radius, please give advice why it is not working. Radius auth is successful. RADIUS is fine, this isn't a question for the FR list. /etc/ppp/options.pptpd http://dpaste.com/832026/ I think

Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Phil Mayers
On 16/11/12 11:43, Carlos Velasco wrote: I don't see LM hashes allowed in the Radius attributes for password change. Don't seem Cisco using them. Sorry yes ignore me; I'm being dumb.

Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Phil Mayers
On 11/16/2012 11:27 AM, Carlos Velasco wrote: According to RFC2548, after 0x0701 should be the "Encrypted-Hash" 16 octets, but they are all 00. I am trying to find out why, seems a bug in Cisco part. But I think this works fine with Cisco ACS radius. :S The CPW packet lets you send the NT a

Re: building "master" under mock buildroot

2012-11-16 Thread Phil Mayers
On 11/16/2012 10:55 AM, Arran Cudbard-Bell wrote: Done. Yeah there were some pretty poor typos, looks like no one's actually tried to build that code in a while. We really need to get an automated build system setup again. Even if the server is almost completely devoid of unit tests and functio

Re: MS-CHAPv2 change password not working in master

2012-11-16 Thread Phil Mayers
On 11/16/2012 10:00 AM, Carlos Velasco wrote: windows popup in Cisco VPN client, but the change password process fails: ntlm_auth said: Password-Change: No Password-Change-Error: Wrong Password . . Hmm. Winbind logs also shows: NT_STATUS_WRONG_PASSWORD Looking into code I suppose the probl

Re: building "master" under mock buildroot

2012-11-15 Thread Phil Mayers
On 15/11/12 17:20, Arran Cudbard-Bell wrote: Regarding the patches: * grep works fine if you stick with BREs Sure, whatever works. * PCAP_NETMASK_UNKNOWN is actually defined as: #define PCAP_NETMASK_UNKNOWN0x I was basing that off here: http://seclists.org/wireshark/2010/Jul/1

Re: EAP-SIM authentication failed

2012-11-15 Thread Phil Mayers
On 15/11/12 16:46, Yann R. Moupinda wrote: Has anyone an idea why the MAC not matches although Client and Server are using the same algorithm version (Version 1 mentioned in AT_VERSION_LIST from Server and in AT_SELECTED_VERSION from client) ? It's probably a bug somewhere. Very likely, the wr

Re: building "master" under mock buildroot

2012-11-15 Thread Phil Mayers
On 15/11/12 15:27, Phil Mayers wrote: On 15/11/12 13:37, Phil Mayers wrote: On 15/11/12 13:15, Alan DeKok wrote: Phil Mayers wrote: Making all in src/include... gmake[4]: *** [features.h] Error 1 Ah. I had fixed that for the new make, but not the old system. I've pushed a fix. T

Re: building "master" under mock buildroot

2012-11-15 Thread Phil Mayers
On 15/11/12 13:37, Phil Mayers wrote: On 15/11/12 13:15, Alan DeKok wrote: Phil Mayers wrote: Making all in src/include... gmake[4]: *** [features.h] Error 1 Ah. I had fixed that for the new make, but not the old system. I've pushed a fix. That's not it sadly :o( Ok, I

Re: building "master" under mock buildroot

2012-11-15 Thread Phil Mayers
On 15/11/12 13:15, Alan DeKok wrote: Phil Mayers wrote: Making all in src/include... gmake[4]: *** [features.h] Error 1 Ah. I had fixed that for the new make, but not the old system. I've pushed a fix. That's not it sadly :o( More annoying, if I "mock shell"

building "master" under mock buildroot

2012-11-15 Thread Phil Mayers
All, I'm preparing a FreeRADIUS 3 RPM, in the hope we can move to a pre-release of the "master" branch, for a bit of soak testing but also because I'm tired of backporting stuff to our local 2.x branch ;o) Sadly, the source builds fine in the "native" OS, but doesn't build under "mock" (and

Re: AcctSessionId UNIQUE

2012-11-15 Thread Phil Mayers
On 15/11/12 11:51, Lorenzo Milesi wrote: Is there any contraindication in marking the radacct.AcctSessionId column UNIQUE? Yes. It's not guaranteed to be unique. At most, you might want to make the combination (nasipaddress, acctsessionid) unique, but only if you KNOW your NAS won't ever gen

Re: Complex eduroam radius design

2012-11-15 Thread Phil Mayers
On 11/14/2012 06:54 PM, Brian Julin wrote: Phil Mayers wrote: Yes. However, buying separate certs might not be a good idea as it will complicate the client setup - they'll all have to come from the same CA and share the same CN (or you'll have to rely on wildcard CN matching on t

Re: Complex eduroam radius design

2012-11-13 Thread Phil Mayers
On 13/11/12 16:38, Olivier Beytrison wrote: Well not really a solution here. The central LDAP system is one of the Fair enough. To summarize, if I proxy the outer tunnel, there will be more load on the central server, and I'll add the custom attributes to the outer reply in order for the loc

Re: Complex eduroam radius design

2012-11-13 Thread Phil Mayers
On 13/11/12 14:45, Olivier Beytrison wrote: Hello, We're planning to deploy eduroam centrally for all the university of applied science of west-switzerland. (consists of ~27 schools and 25'000 people). On one side, we will have the central radius servers, connected to the central ldap backend w

Re: ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2012-11-10 Thread Phil Mayers
On 11/10/2012 03:54 AM, Shravan S G wrote: Hi all, I am trying to configure FreeRadius 2.2.0. I am trying to test with the radtest utility. However, when I run radtest, on my radiusd server, I get the following error - "ERROR: No authenticate method (Auth-Type) found for the request: Rejecting t

Re: Aliased IPs

2012-11-09 Thread Phil Mayers
James Devine wrote: >I have a freeradius server which has multiple IPs aliased on the same >interface. This works if I specify each IP explicitly in its own >listen { >} section but if I try to listen on * all responses are sent from the >same >IP regardless of which IP the request was received

Re: Concatenating/inserting strings with backslashes

2012-11-09 Thread Phil Mayers
On 09/11/12 15:39, Brian Candler wrote: Here's something weird. I'm trying to concatenate some strings which contain (i.e. not a newline). Uh oh... here be dragons! In a normal string literal, I have to enter four backslashes: update reply { Reply-Message := "anb" } ("\\n" gives

Re: EAP / MSCHAP / Certificate Troubles

2012-11-08 Thread Phil Mayers
On 11/08/2012 06:45 PM, Jordan Dohms wrote: EAP-MSCHAPV2: Invalid authenticator response in success request This suggests the problem isn't certs, since you're inside the PEAP tunnel at this point. Check that samba/winbind are working ok, patched to the same level, etc. - it looks like the

Re: Wireless EAP-TLS Login from Notebook with User and PASSWORD

2012-11-07 Thread Phil Mayers
On 11/07/2012 08:33 AM, sierramailp...@gmx.de wrote: Hey there, I've set up a freeradius Server and am using EAP-TLS, and would need some help from you. The users file contains the username and the password being allowed to connect after the TLS Connection has been established, and this is working

Re: EAP-SIM authentication failed

2012-11-06 Thread Phil Mayers
On 06/11/12 13:34, Francois Gaudreault wrote: Hi, -what should I configure to get more than 2 Access-Request You don't. The client is stopping because it thinks something is wrong. Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug on the client. You need to al

Re: EAP-SIM authentication failed

2012-11-06 Thread Phil Mayers
On 06/11/12 10:55, Yann R. Moupinda wrote: Hi guys, for my thesis I need to realize an EAP-SIM Authentication testbed. I'm using a Nokia E52 with EAP-SIM, a MIKROTIK router as access point and FreeRADIUS 2.1.10 as Radius server. I have added the necessary commands Upgrade. Some fixes for EAP-SI

Re: rlm_perl and threads

2012-11-05 Thread Phil Mayers
On 05/11/12 13:36, Edgar Fuß wrote: Yes. Likely, even. Thanks. So will these then be two distinct Perl interpreters or two instances of the same Perl interpreter? From the Perl script's point of view, what will the two instances share? Can you hint me to any documentation covering this? I'm no

Re: rlm_perl and threads

2012-11-05 Thread Phil Mayers
On 05/11/12 12:34, Edgar Fuß wrote: Sorry if this sounds like a stupid question with an obvious answer, but I could not easily find this documented. If I have an rlm_perl script, is it possible that multiple instances of it are running concurrently due to FreeRADIUS' threading? Yes. Likely, ev

Re: Issue with MSCHAP

2012-11-04 Thread Phil Mayers
Your only choices are outlined at the url you were given I'm afraid - store the cleartext or nt hash of the password, which will entail a password change (or capture); or switch to eap-ttls/pap. This is a property of the cryptographic aspects of the algorithms in question and can't be worked ar

Re: No luck connecting from a ZyXEL NWA3160-N AP

2012-11-02 Thread Phil Mayers
On 02/11/12 14:56, Erich Titl wrote: authenticating against a MySQL database appears to work fine using radtest This is not really a good test. radtest is sending "pap". Download the "wpa_supplicant" sources and compile "eapol_test". I connected a ZyXEL NWA 3160-N (latest Firmware), generat

Re: 2.2.0 config files

2012-11-02 Thread Phil Mayers
On 11/02/2012 08:35 AM, Fajar A. Nugraha wrote: On Fri, Nov 2, 2012 at 3:28 PM, Brian Candler wrote: A colleague was upgrading some boxes from (I think) 2.1.10 to 2.2.0, and says that expansions of the form %{Foo:-0} stopped working, and had to be replaced with %{%{Foo}:-0} Is that expected? I

Re: User-Name (machine\user) is not the same as MS-CHAP Name (user) from EAP-MSCHAPv2 error

2012-11-01 Thread Phil Mayers
On 01/11/12 11:22, Gokhan Gunyol wrote: Hi; We upgraded our radius to Freeradius 2.1.10 version on Ubuntu 32bit from an old version Which old version? Our problem is windows xp clients can't log in to wireless and radius has "User-Name (machine\user) is not the same as MS-CHAP Name (user) fr

Re: LDAP attribute mapping

2012-10-30 Thread Phil Mayers
+1 Personally I'd rather the latter format everywhere, even unlang: update { request:foo = 1 } John Dennis wrote: > >What I'd like to see is the individual modules converging on common >behavior so there is a consistent model. > >I suspect a number of the modules were written independently

Re: ChilliSpot-UAM-Allowed on witch mysql table ?

2012-10-27 Thread Phil Mayers
On 10/27/2012 05:03 PM, yzy-oui-fi wrote: Hi, I just wonder if this parameter should be set on Raddact or radreply or what ever. Attributes you want to send go in radreply or radgroupreply, if you're using groups. Attributes never go in radacct; radacct stores accounting info.

Re: Ignoring too-frequent accounting packets from buggy NAS

2012-10-26 Thread Phil Mayers
On 26/10/12 15:03, Arran Cudbard-Bell wrote: On 26 Oct 2012, at 14:51, Phil Mayers wrote: On 26/10/12 14:20, Arran Cudbard-Bell wrote: It can, see wiki :) http://wiki.freeradius.org/modules/Rlm_cache In fact it documents your *exact* use case with config examples and everything

Re: Ignoring too-frequent accounting packets from buggy NAS

2012-10-26 Thread Phil Mayers
On 26/10/12 14:20, Arran Cudbard-Bell wrote: It can, see wiki :) http://wiki.freeradius.org/modules/Rlm_cache In fact it documents your *exact* use case with config examples and everything. *twilight zone music* Ha spooky! N.B. I note the module comments might confuse people, since it does

Ignoring too-frequent accounting packets from buggy NAS

2012-10-26 Thread Phil Mayers
All, We are having a problem with our Cisco lightweight wireless since a recent firmware upgrade. I am delving into it, and will probably open a TAC case, but in the meantime I need a solution. The specific issue is that the NAS is sending interim accounting very, very frequently, in violati

Re: sqlippool - duplicated ip address after freeradius restart

2012-10-23 Thread Phil Mayers
On 23/10/12 11:52, Antonio Modesto wrote: Hi, I use radius sqlippool to assign IP address to my users, yesterday, after a restart on radius service, it started to assign IP address that were already in use to the users. I'm almost crazy here, I don't know what can be causing this, we have been u

Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers
On 23/10/12 10:52, Daniel Ekman wrote: the send_error was added to version 2.1.11 as a bug fix "Allow EAP-MSCHAPv2 to send error message to client. This change allows some clients to prompt the user for a new password. See raddb/eap.conf, mschapv2 section, "send_error"." I know that. I mean "l

Re: MS-CHAP-V2 allow_retry on ldap authentification

2012-10-23 Thread Phil Mayers
On 10/22/2012 09:13 AM, Daniel Ekman wrote: Hi list, I have a fairly large user base doing WPA2-enterprise from various OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is authenticating via LDAP and things are running pretty well, only snag I have currently with this is when peopl

Re: mysql ip pool guide or documentation

2012-10-19 Thread Phil Mayers
Sebastien Boucher wrote: >hello, > >Sorry for asking a question that was probably asked and answered before >but >i could not find anything. > >Can anyone direct me to a guide or some sort of documentation on how to >configure ip pool for freeradius using a mysql database ? > >thank you for your

Re: ntlm_auth - No logon workstation trust account

2012-10-19 Thread Phil Mayers
Bryce Mackintosh wrote: >The problem isn't specific to one machine - All the machines I test >cause >the same ntlm_auth result. They are all correctly joined to the domain. > > >On 19 October 2012 13:28, Chitrang Srivastava >> wrote: > >> Did the machine joined the AD domain before ntlm_auth (use

Re: Tacacs+ Super-User issue.

2012-10-19 Thread Phil Mayers
This isn't a freeradius problem -- Sent from my phone. Please excuse brevity and typos.

Re: Compliance testing of Free Radius Client

2012-10-17 Thread Phil Mayers
On 10/17/2012 08:26 AM, Arpit Jain wrote: Does it mean that freeradius client is just a dummy client and there is no point in performing compliance testing on it? radclient and radeapclient are not NASes. They don't provide service to users, and they don't run as daemons. They're for server

Re: FreeRADIUS Issue -

2012-10-16 Thread Phil Mayers
On 10/16/2012 08:09 AM, Nandkumar Palkar wrote: Found Auth-Type = MSCHAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group MS-CHAP {...} [mschap] No Cleartext-Password configured. Cannot create LM-Password. [mschap] No Cleartext-Password configured. Canno

Re: Query help

2012-10-15 Thread Phil Mayers
On 10/12/2012 09:16 AM, Jonathan Bastin wrote: Issue with doing it that way is you would get decimal values returned which freeradius can't deal with. As others have pointed out - that's trivially dealt with. Hell, use right-shift if you want: select limit >> 10 select quota >> 10 ...it does

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 12/10/12 13:59, Alexandros Gougousoudis wrote: Hi David, David Mitton wrote: If the OP is observing such behavior, he needs to figure out why (what turned it on, is it consistent or the same for all users) and work with that. It is consistent for all machines in the network. To figure ou

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 12/10/12 13:48, David Mitton wrote: The behavior _is_ configurable, but as you have observed for your particular network, the default is not to attempt machine auth. It is configurable on a per-network connection basis, I'm getting fuzzy on if it's adapter or SSID based. No, you've misunde

Re: rlm_sql: can I avoid queries on radcheck?

2012-10-12 Thread Phil Mayers
On 12/10/12 12:15, Stefano Zanmarchi wrote: Hi, we're using rlm_sql to perform authorization based on a couple of sql tables ('eduroam_diritto_uso' and 'eduroam_mac_registrati') , it's working fine. Now mysql logs show that radiusd is still performing queries on radcheck, radgroupcheck. Can I av

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 10/12/2012 09:59 AM, Alexandros Gougousoudis wrote: Hi Phil, Phil Mayers wrote: I don't understand - you're saying that, for windows clients: 1. On wi-fi they send host/name.domain.com 2. On LAN, they send... something else? Are you sure? We don't see that. Exactl

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-12 Thread Phil Mayers
On 10/12/2012 09:55 AM, Alexandros Gougousoudis wrote: Hi Alan, Alan DeKok wrote: Freeradius. Using Linux I can send whatever I want as the loginname. If you know you can change the client, then change the client. This is exactly what I want to do! Change the loginname the clients send

Re: customized format of log file

2012-10-12 Thread Phil Mayers
On 10/12/2012 09:46 AM, Chuang Okis wrote: It can output the first column "Packet-Type" of my customized authlog correctly, but what if I need to output other columns in the same file? Add them to the format. I don't think you have understood how the linelog module works. Please read the sa

Re: EAP-PEAP with NT-Password stored in mysql database

2012-10-11 Thread Phil Mayers
On 11/10/12 16:23, Hocine M wrote: Hi, First, apologies for my English, I'm French. No problem. I don't use the default virtual server, I only use one filel3_wifi_peap (where I use sql_auth for auth and sql_acct for accounting) Your config is broken: +- entering group authorize {...} ++[p

Re: Sending null BaseDN

2012-10-11 Thread Phil Mayers
On 11/10/12 15:13, Walter Huf wrote: For a certain use-case of mine, I need to connect to the Active Directory Global Catalog port of 3268 and do a search with a BaseDN of "". What is the correct way to do this with FreeRADIUS? Why doesn't it work if you just use an empty string? From the code,

Re: EAP-TLS Machine-Auth Windows: difference between LAN and WiFi

2012-10-11 Thread Phil Mayers
On 11/10/12 12:43, Alexandros Gougousoudis wrote: Hi, we're using FR 2.0 for our machine authentication for XP to Win7 with EAP-TLS. Everything is working so far, but I noticed a difference between authenticating via WLAN and LAN, which starts to be a problem for us now. If I make an auth via LAN

Re: Restricting users to AD domain computers

2012-10-11 Thread Phil Mayers
On 11/10/12 12:55, Bryce Mackintosh wrote: Okay, ignoring how I currently have things setup, how would other people go about controlling the users and devices on a wifi network by means of 802.1x, freeradius using AD for authentication and Win XP Pro SP3 We don't bother. It's not obvious why

Re: SV: SV: EXEC Access-challenge

2012-10-11 Thread Phil Mayers
On 11/10/12 11:53, Thomas Raabo - Zitcom A/S wrote: How do you change the order, Phil? You type things in the right order. As per my original email, do this: authorize { ... YOUR_EXEC_MODULE if (updated) { ... } ... } - List info/subscribe/unsubscribe? See http://www.freeradius.org/

Re: Restricting users to AD domain computers

2012-10-11 Thread Phil Mayers
On 11/10/12 11:03, Bryce Mackintosh wrote: Hi, I'm currently using FreeRadius to control access to our wifi network with PEAP-TLS, and authenticating users against their AD accounts. I now need to somehow additionally restrict the users' wifi access to only the machines that are joined to the Win

Re: SV: EXEC Access-challenge

2012-10-11 Thread Phil Mayers
On 11/10/12 10:57, Thomas Raabo - Zitcom A/S wrote: That seems like a way to go. But you're right... It's very hard to find documentation on this topic. Sure. The assumption is that Access-Challenge methods are generated by auth method code in "rlm". It's a testament to how flexible the server

Re: EXEC Access-challenge

2012-10-11 Thread Phil Mayers
On 10/11/2012 09:23 AM, Thomas Raabo - Zitcom A/S wrote: I'm trying to create a php OTP script with challenge response. echo "Reply-Message += \"Enter SMS\",\n"; echo "State += \"$random\",\n"; echo "Response-Packet-Type = \"Access-Challenge\",\n"; I think that needs to be a control item, no
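The two exec-module replies above (the authorize ordering in the "SV: SV: EXEC Access-challenge" thread and the "needs to be a control item" point here) describe a two-round SMS OTP exchange driven from an external script. The following is an added example, not code from the thread or from FreeRADIUS, modelling what such a script must do: on a request with no State, mint a challenge bound to a fresh State token and ask for Access-Challenge via a control item; on the follow-up, consume the State exactly once, enforce a time limit, and compare the typed OTP in constant time. The attribute-to-environment mapping, the in-memory state store, the OTP length, the TTL and the stdout pair syntax in format_pairs are all assumptions of this example.

```python
"""Model of a challenge/response OTP script for an exec-style module.

Added example (not the thread's PHP nor FreeRADIUS code). A real exec
script is a fresh process per request, so _pending would have to live in a
file or database shared between invocations; a dict is used here so the
logic runs stand-alone. OTP delivery (the SMS itself) is out of scope.
"""
import hmac
import secrets
import time

OTP_DIGITS = 6        # assumption: length of the numeric OTP sent by SMS
STATE_TTL = 120       # assumption: seconds a challenge stays valid

# State token -> (otp, user, issued_at). Assumption: in-process store.
_pending = {}


def _new_otp():
    """Cryptographically random, zero-padded numeric OTP."""
    return "%0*d" % (OTP_DIGITS, secrets.randbelow(10 ** OTP_DIGITS))


def handle_request(attrs, now=None, otp_source=_new_otp):
    """Process one Access-Request.

    attrs: dict of request attributes (User-Name, User-Password, State).
    Returns (reply_attrs, control_attrs, packet_type).
    Round one: no State present -> issue challenge.
    Round two: State present -> verify the OTP bound to it.
    """
    now = time.time() if now is None else now
    user = attrs.get("User-Name", "")
    state = attrs.get("State")

    if not state:
        otp = otp_source()              # would be sent to the user by SMS
        token = secrets.token_hex(16)   # unguessable State value
        _pending[token] = (otp, user, now)
        # The OTP itself must never be returned to the NAS; only the
        # prompt and the opaque State go in the reply.
        reply = {"Reply-Message": "Enter SMS", "State": token}
        # Response-Packet-Type is a control item, as the reply above says.
        control = {"Response-Packet-Type": "Access-Challenge"}
        return reply, control, "Access-Challenge"

    # Consume the State on first use so a captured token cannot be replayed.
    entry = _pending.pop(state, None)
    if entry is None:
        return {"Reply-Message": "Unknown or reused State"}, {}, "Access-Reject"
    otp, bound_user, issued = entry
    if now - issued > STATE_TTL:
        return {"Reply-Message": "Challenge expired"}, {}, "Access-Reject"
    if bound_user != user:
        # State was minted for a different User-Name; do not let one
        # user's challenge satisfy another's login.
        return {"Reply-Message": "State/user mismatch"}, {}, "Access-Reject"
    typed = attrs.get("User-Password", "")
    if hmac.compare_digest(otp, typed):   # constant-time comparison
        return {}, {}, "Access-Accept"
    return {"Reply-Message": "Bad OTP"}, {}, "Access-Reject"


def format_pairs(reply, control):
    """Render the result as attribute/value lines for the module's stdout.

    Assumption: the users-file style shown in the thread, with a
    'control:' list prefix for control items. Check the exec module's
    documentation for the exact syntax your server version accepts.
    """
    lines = ['%s = "%s"' % (k, v) for k, v in reply.items()]
    lines += ["control:%s := %s" % (k, v) for k, v in control.items()]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample exchange for a user "bob".
    r1, c1, t1 = handle_request({"User-Name": "bob"})
    print(t1)
    print(format_pairs(r1, c1))
    sent_otp = _pending[r1["State"]][0]   # what the SMS would carry
    r2, c2, t2 = handle_request(
        {"User-Name": "bob", "State": r1["State"], "User-Password": sent_otp})
    print(t2)
```

The example deliberately rejects a reused State and a State minted for a different User-Name; both are the cases a naive "echo the attributes" script gets wrong.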

Re: your mail

2012-10-10 Thread Phil Mayers
On 10/10/12 18:30, Andrew Precht wrote: Found Auth-Type = perl # Executing group from file /etc/raddb/sites-enabled/default +- entering group perl {...} rlm_perl: perl_embed:: module = /etc/raddb/sjpl.pl , func = authenticate exit status= Undefined subroutine &main::get called at /etc/raddb/sjpl

Re: your mail

2012-10-10 Thread Phil Mayers
On 09/10/12 23:32, Andrew Precht wrote: to: module = /etc/raddb/sjpl.pl Also, in the perl file I have uncommented the line: func_authenticate = authenticate Next, in /etc/raddb/sites-enabled/default I added perl to the authenticate {} section. Your problem is that the script is just wrong.

Re: Query help

2012-10-10 Thread Phil Mayers
On 10/10/12 15:25, Jonathan Bastin wrote: To me it looks like the value is wrapping. Is this because even the interpreter in the site config file is 32-bit only? If this is the case I presume my only resort is perl. If this is the case could someone help me convert this? You could divide b
