On 18/04/12 16:24, Martin Silvero wrote:
Hi,
I use freeradius with cisco access point and vlans assignment, works fine
but now I try to use Cisco Wireless Controller and the vlan assignment
doesn't work.
Can you help me?
If you are sending the VLAN attributes, then FreeRADIUS is working.
Check th
On 18/04/12 15:30, Ivo Vastert wrote:
Hi,
I'm currently having an issue implementing a regular expression within the attrs
configuration file.
When I try to group entries within a regular expression the configuration is
rejected:
What does that mean? "Rejected" how?
For example:
This entr
On 18/04/12 13:16, Tobias Hachmer wrote:
Ok, I configure the same users, these are about 10-15 users, which
are stored in Active Directory, in the sql database. The sql database
should be used for authentication only if the ldap servers are not
available.
So the SQL server contains an "emerge
On 18/04/12 09:40, Tobias Hachmer wrote:
Hello list,
I'm using a sql database for authorization and ldap for authentication.
For fail-over reasons I want to authenticate against user-password
information stored in my sql database if my ldap servers are not
available (all ldap modules return fail
On 17/04/12 12:48, DaveA wrote:
Hello,
I would like to default reject users who have a "/" or "\" in their
username. Often users will misconfigure their machines and Windows will send
the host\username, which will never be a valid login here.
Do you mean thing like:
MY-PC\otherwisevaliduserna
On 04/15/2012 09:51 PM, Ali Majdzadeh wrote:
Hi
Thanks for your fast reply.
As I explained, I know that the format differs from the original
attributes. I want to know that:
If I want to run it from commandline, how can I convert the challenge and
response attributes to which they can be used in
>
>
>with radius –X , I saw that the challenge and response differ from
>that
>I got in auth_log in same session. So if I run ntlm_auth with new
>values,
>it’s OK! what’s wrong?
Freeradius processes the mschapv2 challenge into a different format required by
samba. There's nothing "wrong". Thi
On 13/04/12 16:04, Alan DeKok wrote:
Don't do that. That kind of a configuration on a firewall is bad.
To be fair, my experience has been that most firewalls will timeout
inactive connections. Some won't even let you turn it off.
TCP keepalive might be an option here?
-
List info/subscr
On 30/03/12 12:51, Heinrich, Sebastian wrote:
I apologize for bothering you. I thought that somewhere might be a how-to to
solve this.
Unfortunately there's nothing to "solve". This is just how PEAP/MSCHAP
works; there is a server cert, and for it to be secure, you must
validate it.
There
On 30/03/12 11:58, Morris, Andi wrote:
Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where
to turn next with this, especially as you are seeing the same issue
with different network hardware.
Well, you guys need to debug your network hardware (and Ricardo needs to
use a thread
On 30/03/12 10:54, Heinrich, Sebastian wrote:
Now I am totally confused. Fajar says that it is not so easy to crack
the passwords and Phil says the opposite. I am not a hacker. Can
anybody say that this would be easy to do or not:
I didn't say it was easy. I said it was *possible*.
And you're
On 30/03/12 10:38, Fajar A. Nugraha wrote:
How easy is it to crack
such a password? An authentification wouldn't have happened but the
attacker would have had the encrypted usernames and passwords.
They won't.
Not immediately. But MSCHAP is a complex (and old) algorithm, and it is
possible
On 30/03/12 10:18, Heinrich, Sebastian wrote:
We don't want to install certificates on the clients, but the problem
that is given in wikipedia is that anybody can install an access point
with the same ssid and a client that would connect with it would give
him his MSCHAP encrypted username and pa
On 29/03/12 13:24, Heinrich, Sebastian wrote:
Hello Everybody,
I have two questions for my understanding. I set up FreeRADIUS to
authenticate against our Active Directory. I read in the readme that
this couldn't be done with the ldap module, so I did it with SAMBA. It
works fine for MSCHAPv2. Bu
On 29/03/12 11:46, Heilz wrote:
Hi,
I'm fairly new to the topic but I got the assignment to find out if the fact
that the shared secrets for user logins are in plain-text could be a problem
security-wise.
Do you really mean "shared secrets"? This is a term normally applied to
the RADIUS secret
On 28/03/12 15:05, Sebastijan Šilec wrote:
I'm upgrading FreeRadius from version 1.x to 2.x and transferred the
configs.
I have a problem with defining authorize and authenticate sections.
I've defined 2 ldap modules (ldap and ldap1) connecting to same LDAP
servers but to different OU's
The old c
On 27/03/12 23:38, Brian De Wolf wrote:
On Mon, 26 Mar 2012 11:46:22 -0700
Scott McLane Gardner wrote:
If I can't use if statements in a load balance block, can anyone
suggest another way to go about accomplishing what I want to do here?
After reading this thread and realizing it affects my
On 27/03/12 16:17, Khapare Joshi wrote:
And in /var/log/radius/radius.log -- i get nothing
Tue Mar 27 13:29:13 2012 : Info: Loaded virtual server
Tue Mar 27 13:29:13 2012 : Info: Ready to process requests.
Tue Mar 27 14:23:53 2012 : Info: Exiting normally.
Tue Mar 27 14:23:53 2012 : Info: Load
On 27/03/12 15:07, Scott McLane Gardner wrote:
I'd be surprised if using Ldap-Group in the user's file
resulted in load balancing of the group membership
queries to the LDAP servers. Does it?
It does, actually. Or at least it appears to. The first time it used ldap2
and the second time it use
On 03/26/2012 10:01 AM, Glen Harris wrote:
Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
MD5 and PAP.
I'm trying to set up a simple
On 03/25/2012 12:09 PM, Fajar A. Nugraha wrote:
On Sun, Mar 25, 2012 at 4:47 PM, dhanushka ranasinghe
wrote:
Hi..
we changed Auth-Type := Accept to Auth-Type := PAP , then it starts to work
You shouldn't need to do that. A cleaner way would be to read
http://freeradius.org/radiusd/man/user
On 03/24/2012 10:26 PM, Brian Julin wrote:
Can you explain what threat model you think this addresses?
It limits the exposed fuzzable surface. Any vulnerabilities present or
introduced
in the low level RADIUS packet processing compromise only the external
server. The packets that reach the
On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
Hi guys,
I'm using freeradius with LDAP, and its authentication works fine when
I use the following configuration.
server = "ldap.home.com"
identity = "cn=admin,dc=home,dc=com"
password = home
basedn = "ou=users,
On 03/23/2012 11:07 PM, Javier Ruiz Escalante wrote:
I have realized that my radius system does not record the logging
information in my radius Data base, in radacct table, but nevertheless
creates a folder in /var/log/freeradius for every NAS which is called
“radacct” inside this folder there i
On 03/23/2012 04:16 PM, Javier Ruiz Escalante wrote:
Hello,
Despite that my user is authenticated, I don't get the data in RADACCT
table, my output is this one. Can anybody help me?
Your NAS didn't send any accounting packets. So no accounting packets
were logged to the database.
On 03/23/2012 04:02 PM, Brian Julin wrote:
Not sure, but you should consider running non-virtual instances
(not that hard to do) and using privilege separation such that
there is little potential for exposure of your internal authentication
structure or internally-utilized crypto material to an e
On 03/23/2012 02:12 PM, mark.le...@stfc.ac.uk wrote:
isn’t possible, do I have any other options? Would a solution be to make
the virtual servers listen on two different IP addresses, and configure
the NAS to use a different RADIUS server IP address for each SSID?
That is the common solution,
On 22/03/12 15:27, PENZ Robert wrote:
Hi!
Thx for the fast response!
But how do I execute the SQL authorize_reply_query query after I did
an EAP authentication? I don't do that currently in post-auth. I just
have the sql module activated in authorize.
Like this:
post-auth {
if (TLS-Client-C
On 21/03/12 10:49, Matthew Newton wrote:
On Wed, Mar 21, 2012 at 11:07:16AM +0100, Stefan Winter wrote:
The value should be new for every Access-Accept. I wonder how to
generate such a random value with unlang. Is there some {%rand} or
anything like that?
http://freeradius.org/press/index.html
On 21/03/12 10:07, Stefan Winter wrote:
Hi,
in some weird business case, I would like to generate a one-time use
token for later consumption in post-auth. So when the user is accepted,
trigger an
{sql:INSERT randomvalue INTO someplace}
The value should be new for every Access-Accept. I wonder
On 16/03/12 16:57, fulvio fabiani wrote:
Hi all,
I've a problem with concurrent accounting requests with free radius 2.1.11.
Upgrade to 2.1.12 and try again.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 16/03/12 16:14, pamela pomary wrote:
I read online, it is not possible to do md5 with MS-CHAP. I don't want to
This is correct.
save users passwords in clear text. How can I achieve encrypting user's
passwords in MySQL database. I have Freeradius2.1.12 installed. Please I
will be grateful
On 14/03/12 19:04, ryuukuu wrote:
Hello All,
I've got a question about the settings for limiting access/authenticating to
a specific LDAP group. I have setup a group on my OpenLDAP called "RADIUS"
and I want the users in there to be the only ones that have access. The
problem I am having is with
On 03/15/2012 12:36 PM, Altaf Husain wrote:
Hi,
We are using FreeRadius ver 2.1.12, I had a query regarding EAP-AKA
support in eap2 module, it's mentioned on the FreeRadius website that
"This module is experimental, and may not be ready for use in a
production environment", Is it sti
On 03/15/2012 09:11 PM, Aidan Rowe wrote:
Any possible updates on this? It seems at some point the man pages
changed from using INSERTs and UPDATEs to only using INSERTS.
I'm guessing here, but I suspect the problem with doing UPDATEs is that
they noop if the row isn't present. This can happe
On 03/15/2012 07:38 AM, Christiaan Rademan wrote:
Can you please advise me on anything I should watch out for or plan for?
I'm sure others will chip in, but basically: don't worry about
FreeRADIUS, worry about your SQL database.
FreeRADIUS itself can handle a truly enormous rate of authenti
On 13/03/12 09:50, Mohamed Lrhazi wrote:
Hello,
My LDAP server has the passwords stored in MD4 encoded format, which I
am suspecting is the same as NT format...
Is there a way to tell freeradius to treat {MD4} as if it was {NT} ?
You could change the source code. Or re-write the attribute:
a
On 03/13/2012 06:07 AM, Morteza Milani wrote:
Hi,
I don't know what's wrong with freeradius. It's running but does not
handle authentication requests. After restarting, it works fine but
after a while it goes to sleep;)
Which version are you running?
What sort of config do you have - do you
On 12/03/12 18:23, u...@3.am wrote:
...and you just hit on something that solved the problem. It seems that FR was
getting the group info from LDAP indirectly, through the PAM module, which was
Actually, probably not.
It probably gets the groups via nss_ldap, through nsswitch.
On 12/03/12 15:44, u...@3.am wrote:
DEFAULT Group == "FOO", Pool-Name :="FOO_pool"
"Group" is probably empty. I can't remember what module, if any, fills
it out.
What do you *think* "Group" will contain? It won't contain LDAP groups.
On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:
authorize {
preprocess
redundant LDAP{
ldap1
ldap2
}
# The ldap module will set Auth-Type to LDAP if it has not
# already
On 03/08/2012 05:09 PM, Andres Septer wrote:
Check the winbind log files,
Did that already. Nothing interesting there, only lines like
[2012/03/08 14:32:17.115991, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[25675]: request location of privileged pipe
[2012/03/08 14:32:17.11
On 03/08/2012 04:44 PM, Morris, Andi wrote:
I’m trying to trace an access attempt that occurred today so that I can
categorically say to a user that you were successfully connected to our
network, or not, whatever the case may be. However I'm struggling to
create a chain of events by going through
On 08/03/12 11:56, Andres Septer wrote:
--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind
reply failed! (0xc001)
Weird. It looks a bit like ntlm_auth failed completely here.
Check for permissions, SELinux s
On 03/06/2012 02:10 AM, u...@3.am wrote:
On 28/02/12 21:16, u...@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is
because we are still using all the original POSIX attributes and none of them
look
like good for mapping to the ones supplied by FreeR
>Mon Mar 5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
>client not authorized to use winbindd_pam_auth_crap. Ensure permissions
>on
>/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Did you spot this?
--
Sent from my phone. Please excuse brevity and typos.
On 03/05/2012 07:39 PM, Wenjuan Lin wrote:
Hello,
I just had a freeradius server (2.1.12, prebuilt for
x86_64-redhat-linux-gnu) setup for development testing purpose.
However I couldn’t configure this server for TCP connection. By the
email thread dated back 09/2009, freeradius should have TCP
t
On 03/05/2012 06:31 PM, Brian Gold wrote:
I've uploaded the radius -X output to http://pastebin.com/Fgr60hXr since it was
pretty long.
Weird; that all looks good to me. I guess the problem must be on the
Windows side, but I'm not super familiar with TTLS so am not sure what
it might be.
On 05/03/12 16:16, Morris, Andi wrote:
Hi all,
Apologies for being slightly off topic.
Does anyone else get a problem with Windows 7 clients prompting for the
radius credentials 2 or 3 times before finally accepting them? No errors
are shown on the radius side, and I’ve read that this is a prob
On 05/03/12 15:05, Brian Gold wrote:
We've been using SecureW2's client with our Freeradius server using
EAP-TTLS/PAP authentication. From doing some very preliminary testing
with the Windows 8 consumer preview, I've noticed that MS is now
including EAP-TTLS support directly in windows. Unfortuna
On 05/03/12 13:55, Javier Ruiz Escalante wrote:
Good afternoon,
I'm new in Radius and I have no clue what happens, can anybody help me?
from the server in the command line works fine, from the wireless client
get this one.
Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in t
On 05/03/12 12:56, Stefano Zanmarchi wrote:
Thanks a lot Phil for your kind answer.
Could you please tell me which is the weird part of the configuration?
Do you mean the use of ttls-pap with openldap or the fact that serverB
is there only
to proxy requests to serverA?
The latter. I'm sure you
On 05/03/12 09:38, Stefano Zanmarchi wrote:
Hi,
my first post here, a newbie question, thanks for your help.
I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5).
ServerB will be connected to an AP and I want it to proxy all EAP
requests to serverA (TTLS-PAP
will be the only method acc
On 01/03/12 18:25, whopeman wrote:
Hi,
I am fairly new to FreeRADIUS, so please bear with me a bit. I have
searched the forums and websites to find an implementation that allows me to
configure my server to process BOTH PEAP MSCHAP and PEAP/EAP-GTC (v0 and
v1). I have not found anyone tryin
On 01/03/12 10:16, Anto wrote:
Hello
In the coming days I will set up a freeradius server for access
control and accounting. I've been looking for information on
freeradius and high availability, since my idea is to have two servers
in case one fails, continue to operate with the other, but I ju
On 28/02/12 21:16, u...@3.am wrote:
Hi:
We've been running various versions of FreeRadius for years, currently 2.1.10 in
this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
Everything worked fine after the switch...POSIX attributes for group membership
correctly alloca
On 02/28/2012 07:54 AM, Mohit Aron wrote:
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
You have failed to setup the required certs on
On 02/24/2012 05:10 PM, Jesse Crayston wrote:
Trying to get my users to have the same password on a radius server, as
they do on the google apps domain.
That might be tricky.
Since you can't read the passwords from an apps domain, the only thing
you could possibly do is use it as an "oracle"
On 24/02/12 15:43, Jesse Crayston wrote:
Hello,
I'm wondering if I could get help, or find documentation (even just a
draft) on setting up Oauth2 on a freeradius server (omniauth?). I'm
looking to use my google apps domain user database, to manage users, and
control access through an Untangle capt
On 02/24/2012 07:38 AM, Alan DeKok wrote:
TTLS doesn't generate it. My guess is that Cisco has invented
something themselves which defines EAP-Key-Name. Find out what that is,
and we can implement it in FreeRADIUS.
FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant,
say
On 23/02/12 16:26, Matija Levec wrote:
What should be configured for radius to also send EAP-Key-Name AVP?
AFAIK that is not implemented yet.
I've only skimmed them, but AFAIK most AAA servers and EAP methods don't
generate EAP-Key-Name yet. I'm not sure what the correct value for this
att
On 02/21/2012 11:04 PM, Tim White wrote:
Following on from my previous email, I've checked an x86 machine as
well, and get the same behaviour.
I should hope so; SQL is not architecture specific!
Your original solution was correct as far as I could see; if there's any
chance a column might be
On 02/16/2012 09:35 AM, Morris, Andi wrote:
Hi all,
I’m trying to configure my freeradius server to prompt the user to
retype their credentials if they mistype the username or password so
that they can be authenticated via dot1x.
Does your NAS support this attribute? You are sending it just fi
On 14/02/12 11:18, justi...@mac.com wrote:
NAS are set up by partner companies all around the world. We can tell
them to fix the NAS but maybe it can take weeks and we don't want to
allow misconfigured NAS in the accounting at all.
Freeradius can perform arbitrary processing, to ignore or accep
On 14/02/12 10:59, justi...@mac.com wrote:
Thanks, I haven't used preacct before, in what module is this, can
you send detailed solution? Sorry, I am only a beginner in writing
customized things for freeradius.
This is a section in the standard virtual server config. If you look in
sites-enabl
On 14/02/12 10:27, justi...@mac.com wrote:
Hi all,
we are using freeradius with mysql.
Accounting works fine, but we discovered that the server is doing
accounting for users which don't exist at all in our system. They are
probably local users but accounting information is sent to our
servers.
On 02/10/2012 09:09 PM, NdK wrote:
Can't create "users" in AD. Just machine accounts. Maybe it's possible
to use the (or "a dedicated") *machine* account credentials?
rlm_ldap just needs a bind DN. Any ldap DN with permissions to bind to
the directory and execute the searches you need will su
On 02/10/2012 05:53 PM, Luis Písco wrote:
But the My-Group==2 is not evaluated.
It is not possible to assign a value to an item and use it later on the
users file?
No.
The example you show sets My-Group on the *reply*. The "users" file can
match on request items only.
It is possible get
On 02/10/2012 05:46 PM, Alan Buxey wrote:
Hmmm.
Don't update user-name. Set or update stripped-user-name instead and use
that in the mschap auth
The mschap module doesn't honour Stripped-User-Name anywhere. The only
place it would work would be in the ntlm_auth command line xlat, and
he's no
On 10/02/12 14:38, NdK wrote:
Hello all.
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
at join time?
This question does not make sense. Joining a domain doesn't "obtain a
kerberos ticket". It creates a machine account principal, and a shared
secret (password) that ca
On 10/02/12 14:36, Francois Gaudreault wrote:
Hi Phil,
Still no go. Now EAP complains :
[eap] Identity does not match User-Name, setting from EAP Identity.
Oh dear...
I'll need to test this, but I have a horrible feeling you're between a
rock & hard place here - EAP identity check is des
>I Cannot have two separate users file, the users file is common to both
>
>virtual servers.
>Is there a way to have a users file for each virtual server?
>I did not find it is possible from documentation.
>
>
>Ricdk
Yes you can. This is a core feature of the server. You need to look at the doc
On 10/02/12 11:33, Riccardo Veraldi wrote:
Hello,
I have a radius infrastructure with multiple ESSID.
In particular I have the eduroam ESSID and another local ESSID.
They are managed by my freeradius2 server with 2 virtual-server
instances, one for eduroam and the other for my local ESSID.
Both a
On 02/09/2012 11:56 PM, Rami AlZaid wrote:
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
I know nothing about EAP-SIM, but I don't think this message matters;
you see it all the time in debugs, and I think you can ignore it.
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error :
[mschapv2] # Executing group from file
/etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found NT-Password
[mschap] ERROR: User-Name (host/dti-da
On 09/02/12 15:49, Walter Gould wrote:
All,
I have FR vmps configured to query postgresql for a mac address and
return the vlan that is assigned to it. That is working well. However, I
would like to configure vmps to return a "fallback" or guest vlan for
cases when a mac address is not in the da
On 09/02/12 16:42, Alan DeKok wrote:
The issue could be somewhere else. From what I recall, host
authentication is... weird. The name in the MS-CHAP blob might *not* be
the same as the User-Name field. If that happens, the calculated
response using the User-Name will be wrong.
Looking
On 09/02/12 17:02, Phil Mayers wrote:
On 09/02/12 16:49, Francois Gaudreault wrote:
On 12-02-09 11:41 AM, Alan Buxey wrote:
hmm, with nt_domain_hack = yes and --username=%{%{mschap:User-Name}
used for
the auth attempt, things should work
By saying "--username=%{mshcap:user-name}"
On 09/02/12 16:49, Francois Gaudreault wrote:
On 12-02-09 11:41 AM, Alan Buxey wrote:
hmm, with nt_domain_hack = yes and --username=%{%{mschap:User-Name}
used for
the auth attempt, things should work
By saying "--username=%{mshcap:user-name}" you refer to the ntlm_auth
line in the mschap modul
On 02/09/2012 02:18 AM, Fajar A. Nugraha wrote:
On Thu, Feb 9, 2012 at 7:49 AM, Will Richmond
wrote:
Does there exist an "xlat:" that NT-hashes the new cleartext password,
deletes the change pass xtrl attribute in users file and then
writes the new pass there? or am I going about this the wrong way
On 08/02/12 15:56, John Doppke wrote:
Does someone know if freeradius can update an LDAP user attribute as part of
post processing?
As far as I'm aware, that's not currently possible via rlm_ldap.
You could use a wrapper script around "ldapmodify", called via the
"exec" module.
On Tue, Feb 07, 2012 at 08:27:38AM +0100, Alan DeKok wrote:
Will Richmond wrote:
Hi, does free radius support password change feature
No.
when authenticating cisco asa vpn users via the radius server? authentication
method doesn't matter, I am just wondering if it's possible to force a local
On 06/02/12 15:53, Cornelius Kölbel wrote:
... but it seems that the ldap_groupcmp does not support pattern matching?
Am I right or does anybody have another idea?
Ldap-Group isn't a "real" attribute. It is a virtual attribute, that
triggers a search in the directory when you compare to it.
On 02/03/2012 05:23 PM, NdK wrote:
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?
Sure. If the client uses the "right" values as input to the crypto hash,
t
On 02/03/2012 04:56 PM, NdK wrote:
There must be a misunderstanding. I'm not asking advice about the query
itself (that would be OT here).*Given* that the query should (and that
'should' is not FR-related) return a 4-rows answer that I must translate
to a single row, how do I translate it to a s
On 02/03/2012 02:08 PM, Dan Letkeman wrote:
Ok, so there are two problems with these scenarios in our environment.
We do not run AD, we run eEdirectory, and the computers are not
assigned to the users, they are all shared computer labs. This is why
Ah.
This has come up on the list before. I
On 02/03/2012 12:27 AM, Dan Letkeman wrote:
This would be a nightmare to manage. We have 2000+ clients. I see
the advantage, if the certificate was compromised that this would be
important, but how in the world would you manage this?
Use the Microsoft CA, and use machine auto-enrollment. It
On 02/02/2012 05:33 PM, NdK wrote:
On 02/02/2012 13:35, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
com
On 02/02/2012 04:19 PM, Gilmour, Scott wrote:
Hi,
I have a 2008 Server Certificate Authority. I want to use my 2008 Server
Certificates with my FreeRadius Server.
I have been searching online but haven't found anything that fully explains how
to accomplish this.
I know I will need to use opens
On 02/02/2012 02:45 PM, Gilmour, Scott wrote:
Hi,
I was able to figure out my clock skew issue. I had to go to regedit on my
2008 Server and go to:
HKEY_LOCAL_MACHINE>SYSTEM>Current Control Set>services>W32Time> Parameters
Then select NTP Server to change the server address ip and change the Ty
On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
We just finished a many-year span trying to get users to understand
and use DOM\user. They don't get it, at least not consistently. A
Not unreasonably. It's a failure of the IT Industry to solve
credentials. Most attention gets paid to passwo
On 02/01/2012 09:57 PM, McNutt, Justin M. wrote:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
complex policies OR mandate your users
On 01/31/2012 03:32 PM, Gilmour, Scott wrote:
Hi,
I am following the FreeRadius Beginners Guide book on how to
join a domain. I keep on getting this error when running the command.
root@FreeRadius:/etc# net ads join -U Administrator
Enter Administrator's password:
Using short domain name --
On 01/28/2012 09:57 AM, Morteza Milani wrote:
Hi,
Our company is using freeradius as a VPN authentication &
authorization system. In worse-case say we would have 1 Million users. Beside
scaling our market, we are going to develop an application to analyze
users with data mining algorithms.
Curre
On 01/27/2012 12:29 AM, Christ Schlacta wrote:
I've attached android, windows 7, macosx, and ubuntu linux to an
eap-tls network using wpa2-eap-tls, which requires client and CA certs.
It's no issue once you know what you're doing. The hardest part is the
nearly complete lack of documentation fo
On 01/26/2012 09:46 PM, Alan Buxey wrote:
Hi,
Everything works perfect except the conditional checking for
Client-Shortname. I tried using:
*if (Client-Shortname =~ /^localhost/) {*
that's wrong
Really? That's my fault then - I had the impression that
Client-Shortname was one of the virtua
On 01/26/2012 04:42 PM, Phil Mayers wrote:
3. Run the LDAP module, then compare the attribute. Note - because
you've mapped the item to check/control lists, you can't use a "users"
file - you must use unlang, like so:
Damn, sorry, this should be:
authorize {
...
l
On 01/26/2012 02:41 PM, suggestme wrote:
## I tried using Called-Station-Id to check the condition; which is ok for
now for testing ; but which I guess is not feasible if there are thousands
of NAS devices. I don't know what would be best test condition for this.
There are many options. You co
On 01/26/2012 09:36 AM, NdK wrote:
Since it seems I have to do EXACTLY the same mapping both in "default"
and "inner-tunnel" sites, I saved my "if" chain in unibo.map and used
$INCLUDE to insert it in both virtual servers, just after the opening
brace of authorize. Hope it's the correct thing to
On 01/26/2012 01:43 AM, Matthew Newton wrote:
Public CA - easier as you don't have to distribute the CA cert.
You're open to spoofing attacks where someone can get another cert
from the same CA and put it on a rogue RADIUS server. These days
it seems anyone can get a public-CA certificate for a