Re: 802.1x dynamic vlan, using AD information

2008-11-28 Thread tnt
I use this combination: cisco 2950 sw as NAS freeRadius 2.1.1 as authenticator, Active Directory as the database, and the win xp client. It works fine. I want one more thing, which is dynamic vlan assignment. How can I implement it? My idea is enlarge the AD schema with vlanids and get it with

Re: SOS FreeRADIUS

2008-11-27 Thread tnt
Must i use Listen options and add the real address? that is 192.168.1.14? No. What about clients.conf file? Must i add also the NAS address Yes. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-SIM

2008-11-27 Thread tnt
You have eap-sim examples in /src/tests. Ivan Kalik Kalik Informatika ISP On 27/11/2008, Fernando [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: So, I don't know how to configure EAP-SIM in freeradius as default EAP method. Don't bother. Whatever is the default method, it will get

RE: Centos 5.2 How To

2008-11-27 Thread tnt
I managed to get it started, When i do a radcheck i now get the following error... .. users: Matched entry DEFAULT at line 152 .. rlm_sql (sql): sql_set_user escaped user -- 'radius' radius_xlat: 'SELECT id, UserName, Attribute, Value, op FROM radcheck WHERE Username =

Re: PPTP + FreeRadius + LDAP

2008-11-27 Thread tnt
i force in Windows Client to use only mschap2, but the problem continue: - Module: Instantiated radutmp (radutmp) Listening on authentication *:1812 Listening on accounting *:1813 Ready to process requests. rad_recv: Access-Request packet from host 150.162.67.254:32858, id=109, length=53

Re: new to radius: wireless ap with radius: TLS problem ?

2008-11-27 Thread tnt
Are you going to post the end of this message? Ivan Kalik Kalik Informatika ISP On 27/11/2008, Jerome Blomart [EMAIL PROTECTED] wrote: Hello, i am new to freeradius. Have set up a radius server for a linksys ap. - debian server: compiled a freeradius with eap/tls support - mysql db: -

Re: How to test whether EAP-PEAP works?

2008-11-27 Thread tnt
And the only thing I found is this: http://wiki.eduroam.cz/rad_eap_test/ wpa_supplicant's eapol_test, JRadius Simulator But I'm confused about this script cause I just can't see any 'chalange' or etc in # freeradius -X when $ rad_eap_test It's nothing to do with the testing tool. rad_recv:

Re: Is it possible to recognize clients not by their IP addresses?

2008-11-27 Thread tnt
And what if I'd like to have a pool of NASes each using unique secret but not to specify their IP or domain names to the freeradius config files? Is it possible to do so? It might be in the future. dynamic-clients virtual server works just with Packet-Src-IP-Address now. There are plans to make

Re: ippool per NAS

2008-11-27 Thread tnt
file: users # default ippools per NAS $INCLUDE users.ippools It looks like include doesn't work in users (? any more). file: users.ippools # Addresspool for ll-us DEFAULT NAS-IP-Address == 172.16.30.2, Pool-Name := ll-us_pool Fall-Through = Yes Just copy the content of users.ippools

RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2008-11-26 Thread tnt
If I don't have the new entry ldapuser, so how can I add the new entries ? Do you actually know how to use ldap? Ivan Kalik Kalik informatika ISP

Re: MAC based auth

2008-11-26 Thread tnt
Do they support Mac-Based Auth + 802.1X on the same port? In a (very) weird way. It's not mac auth + 802.1x but mac auth *in* 802.1x (mac address is sent as user/pass - requires registry hacking on XP). And then you can re-authenticate with username/pass. There is also something called mac

Re: MAC based auth

2008-11-26 Thread tnt
now imho cisco switches don't support mac based authentication with freeRadius. They most certainly do. And when you study for your CCNA you will learn how. Ivan Kalik Kalik Informatika ISP

Re: Read radius client from database

2008-11-26 Thread tnt
sql is commented out in radiusd.conf by default. Enable it somewhere. This is the old server version. Use the latest one. Even for testing. It's so much better. Ivan Kalik Kalik Informatika ISP On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote: Debug Trace: Starting - reading

Re: Read radius client from database

2008-11-26 Thread tnt
1.1.3 doesn't use Cleartext-Password. That came in 1.1.4. Read the users file. It should be User-Password. Ivan Kalik Kalik Informatika ISP On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote: Thanks for ur help setting sql in authorize section of radiusd.conf solved the problem

Re: Read radius client from database

2008-11-26 Thread tnt
Post the debug of the server startup. Ivan Kalik Kalik Informatika ISP On 26/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote: Hi all, I am having problem to configure Radius to read client information from mysql database table nas. I found an option at last line of sql.conf readclients =

Re: MAC based auth

2008-11-26 Thread tnt
Yes that's how I thought it worked. I guess that's ok in some situations but it's really inflexible in others. HP ProCurve switches allow you to enable both methods of authentication together on the same port. It's a little weird how it operates, but it seems to work very well in most situations.

Re: Read radius client from database

2008-11-26 Thread tnt
First freeradius goes to sql and check for the user record... regardless of result of sql , request is also fwd to jradius. and jradius also checks for the same username in another database over another server (as im using jradius for having connectivity to another server)... i want freeradius to

Re: My error:

2008-11-26 Thread tnt
Ask Intel where does that thing write logs and then read them. Answer is with the supplicant. Looking at the radius server won't help. Ivan Kalik Kalik Informatika ISP On 26/11/2008, Martin Silvero [EMAIL PROTECTED] wrote: rad_recv: Access-Request packet from host 10.0.16.4 port 1645, id=6,

Re: PPTP + FreeRadius + LDAP

2008-11-26 Thread tnt
if I try mschapv2 in Windows client: -- rad_recv: Access-Request packet from host 150.162.67.254:32839, id=46, length=52 Service-Type = Framed-User Framed-Protocol = PPP User-Name = nobody NAS-IP-Address = 1.1.1.1 NAS-Port = 0 This is not an mschap request.

Re: Group Authorization with FreeRadius

2008-11-26 Thread tnt
Look at perl and sql modules and unlang. You can probably do this using groups in sql tables without any programming. If you need to impose some simple policies unlang should be the answer. If you want to do some complex checks then use perl. Ivan Kalik Kalik Informatika ISP On 26/11/2008,

Re: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2008-11-25 Thread tnt
rlm_ldap: performing search in dc=mydomain,dc=com, with filter (uid=ldapuser) rlm_ldap: object not found or got ambiguous search result [ldap] search failed Either you don't have ldapuser or the user is not unique (there are several users with that username). Do ldapsearch and see what it

Re: Linksys WAP54G

2008-11-25 Thread tnt
Nothing will go through the switch if mac filtering is enabled. You need to see if packets are leaving the AP. How can I check that? Does the WAP54G have the option to check that? As far as I can see, I can only check if any data gets to the FreeRadius-server. Connect it directly to the AP (no

Re: Linksys WAP54G

2008-11-25 Thread tnt
According to this thread, the problem occurs as soon as one of the requests of the WAP54G is unsuccessful (a package is lost): http://www.linksysinfo.org/forums/archive/index.php?t-36702.html So what is the situation? Does the AP start working when you switch it off and on again? Or not? Can

Re: attr_filter issue

2008-11-25 Thread tnt
debug? It could be that they just haven't been copied from inner to outer reply. Ivan Kalik Kalik Informatika ISP On 25/11/2008, Mustapha Bouikhif [EMAIL PROTECTED] wrote: Hi Folk, I have activated attr_filter for a realm (dr4.cnrs.fr) and want users from that realm to have 2 possible

Re: Linksys WAP54G

2008-11-25 Thread tnt
I have 1 WAP54G that works sometimes. Read the thread in the links I included for more details. I used tcpdump to see if any data got through. Nothing will go through the switch if mac filtering is enabled. You need to see if packets are leaving the AP. Ivan Kalik Kalik Informatika ISP

RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2008-11-25 Thread tnt
When I use ldapsearch (ldapsearch -x -b 'dc=mydomain,dc=com' '(objectclass=*)'),return as follows : Do the same search freeradius does: rlm_ldap: performing search in dc=mydomain,dc=com, with filter (uid=ldapuser) Ivan Kalik Kalik Informatika ISP

RE: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

2008-11-25 Thread tnt
# extended LDIF # # LDAPv3 # base dc=mydomain,dc=com,uid=ldapuser with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object So you don't have a user entries (uid, userPassword etc.) for ldapuser. Ivan Kalik Kalik Informatika ISP -

Re: Linksys WAP54G

2008-11-25 Thread tnt
Right now I have 1 FreeRadius-server and 3 WAP54G AccessPoints. When I configure the AP's with WPA-Enterprise and point them to the FreeRadius-server, the FreeRadius-server doesn't get any data from the AP's. I have one WAP54G that works most of the time OK. One other has worked once. The third

Re: last hurdle...windows clients

2008-11-25 Thread tnt
Am I in the right place? No. You are looking at the radius server for something configured on the supplicant. Ivan Kalik Kalik Informatika ISP

Re: MAC based auth

2008-11-25 Thread tnt
This is my problem, what can you suggest to me : I want use 802.1x port auth, although the machines are servers, and users logging in rarely. the machines will automatically do the authentication(this is the goal), What is the Authenticator (NAS)? You should find in its documentation how to set

Re: LDAP login failed: check identity, password settings in ldap section of radiusd.conf, (re)connection attempt failed

2008-11-24 Thread tnt
ldap { server = localhost identity = cn=ManagerĄAdc=nchcĄAdc=orgĄAdc=tw password = hsuan .. rlm_ldap: bind as cn=Manager??dc=nchc??dc=org??dc=tw/hsuan to localhost:389 rlm_ldap: waiting for bind result ... rlm_ldap: LDAP login failed: check identity, password

Re: Could not link driver rlm_sql_oracle: libclntsh.so.10.1

2008-11-24 Thread tnt
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F Example is for mysql, but it applies to all such messages. Ivan Kalik Kalik Informatika ISP On 24/11/2008, Ilya [EMAIL PROTECTED] wrote: hello, i've got Linux 2.6.9-22

Re: Problems in TLS

2008-11-24 Thread tnt
What do these lines?: rlm_realm: No '@' in User-Name = cert, looking up realm NULL rlm_realm: No such realm NULL You haven't configured NULL domain (in proxy.conf) for users without the domain. Like most people. It's not a problem. Ivan Kalik Kalik Informatika ISP

Re: Capture the MAC address of VPN connecting devices in FreeRadius

2008-11-24 Thread tnt
In the Calling-Station-Id i get the device IP Address and not the MAC! luckily you don't get a phone number instead ;-) (RFC 2865) I'm wondering if there's a set in stone standard for Calling-Station-ID ie should it be a MAC or IP address? or am I being very hopeful? Don't know about it being

Re: certificates confusion

2008-11-24 Thread tnt
my radius server though is running on server1 and I think that my failure is related to the fact that I'm generating the certificates and signing them with server2. Yes. Same CA has to be used for server and client certificates. So my questions... 1. Do I set up server1 to be its own CA or do

Re: Linksys WAP54G

2008-11-24 Thread tnt
I have setup a FreeRadius-server and try to get it operational with a Linksys WAP54G AccessPoint. This seems to work highly unreliable. I posted a question about this on the Linksys support forums, but no luck so far:

Re: certificates confusion

2008-11-24 Thread tnt
There is also an unrelated problem that causes the CA to only last 30 days. See here http://bugs.freeradius.org/show_bug.cgi?id=615 Hm, I was under the impression that this was sorted: http://lists.freeradius.org/pipermail/freeradius-users/2008-September/msg00653.html That solution works.

Re: last hurdle...windows clients

2008-11-23 Thread tnt
OK - that quiets the notification but I still can't figure out the issue where I can authenticate RRAS, Macintosh and iPod clients against radius via LDAP using mschapv2 but even with the certificates on Windows XP clients, with the 'xpextensions' they always try to authenticate as 'uid=anonymous'

RE: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

2008-11-23 Thread tnt
I am sorry ! I don't know what are you talking about ? Can you make it clear for me ? thank you very much ! You have more than one freeradius installation. Freeradius instance that you are running is not using the configuration files you are changing. There is probably a default installation

Re: last hurdle...windows clients

2008-11-22 Thread tnt
I don't understand the message about unknown_ca in the log below either because I am acting as my own CA and this same cacert.pem seems to be happy on the Windows system I imported it on and I've been using it for a bunch of other daemons. It probably wants cacert.der. Ivan Kalik Kalik

RE: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

2008-11-22 Thread tnt
I have check the file (in raddb/modules/ldap), the config file is set the ldap section as follows : ldap { server = localhost identity = cn=ManagerĄAdc=exampleĄAdc=orgĄAdc=tw password = hsuan basedn = dc= exampleĄAdc=orgĄAdc=tw filter =

Re: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

2008-11-21 Thread tnt
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf Slightly misleading - should say: rlm_ldap: LDAP login failed: check identity, password settings in ldap module configuration - raddb/modules/ldap You haven't configured ldap module. Debug is

Re: moving from Freeradius 1.1.7 to freeradius 2.1.0

2008-11-21 Thread tnt
My question is - is there any reasoning to the above behavior or I have completely misunderstood how Freeradius conf works. Yes. Password attribute was wrong. This was changed in 1.1.4 but 1.1.x continued to tolerate it. It's no longer tolerated in 2.x. You should also remove Auth-Type EAP

Re: moving from Freeradius 1.1.7 to freeradius 2.1.0

2008-11-21 Thread tnt
Now we discovered that our EAP-MD5 clients were no more authenticated!!! I went through the settings to no avail- then by fluke I discovered(by fluke of course!!) that if I change ... [EMAIL PROTECTED] Auth-Type :=EAP, User-Password := bar to [EMAIL PROTECTED] Auth-Type :=EAP,

Re: unlang (was: switch/case in radiusd.conf)

2008-11-21 Thread tnt
Would be nice if this was documented somewhere on the Website. Or am I simply too stupid to find the documentation? http://freeradius.org/radiusd/man/unlang.html Ivan Kalik Kalik Informatika ISP

RE: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

2008-11-21 Thread tnt
I have set the radius.conf about ldap as follows : ldap { server = localhost identity = cn=ManagerĄAdc=exampleĄAdc=orgĄAdc=tw password = hsuan basedn = dc= exampleĄAdc=orgĄAdc=tw filter = ((!(objectClass=alias))(uid=%{Stripped-User-Name:-%{User-Name}}))

Re: Problem in setting up radius database in sql

2008-11-20 Thread tnt
http://wiki.freeradius.org/index.php/FreeRADIUS_Wiki:FAQ#It_says_.22Could_not_link_..._file_not_found.22.2C_what_do_I_do.3F Ivan Kalik Kalik Informatika ISP On 20/11/2008, Saeed Akhtar [EMAIL PROTECTED] wrote: I'm sorry but how to compile/install it using mysql extensions rlm_sql_mysql... can

Re:Re: Fail to disable the Simultanous-use, somebody help me.

2008-11-20 Thread tnt
Sending Access-Accept of id 148 to 10.249.59.188 port 2155 .. rad_recv: Accounting-Request packet from host 10.249.59.188 port 2155, id=149, length=78 Acct-Status-Type = Start Acct-Session-Id = NS-004a NAS-IP-Address = 10.249.59.188 NAS-Port = 74

Re: New entry for Interim packet

2008-11-20 Thread tnt
Except when it comes to working out the usage stats for each user at the end of each month. It's easy to do with all sessions that started in the previous month and have a Stop status. But it's difficult when a session rolled over to the next month because the status is Alive. We're trying to

Re: EAP-SIM

2008-11-20 Thread tnt
So, I don't know how to configure EAP-SIM in freeradius as default EAP method. Don't bother. Whatever is the default method, it will get changed to sim during the negotiation. AFAIK EAP-SIM is supported by default. Add: sim { } to eap.conf supported eap types (like entries for md5 and leap).

RE: New entry for Interim packet

2008-11-20 Thread tnt
If you are such a nasty provider that won't allow users to roll over unused allowance into the next period even during the existing session - simply disconnect them at the time the counter resets (use Login-Time on users connecting on the last day for instance). Be nasty to the end! It's not

Re: oracle stored procédure

2008-11-20 Thread tnt
Try fixing obvious errors: to_char('Cleartest-Password') as attributes, Cleartext-Password to_char(password) as value, to_char('==') as operator should be := FROM dual union SELECT to_number('2') as

Re: FreeRADIUS + Cisco Aironet WAP

2008-11-20 Thread tnt
See: http://wiki.freeradius.org/index.php/Cisco#IOS_12.x It's for wired but shouldn't be far off. Ivan Kalik Kalik Informatika ISP On 20/11/2008, Tim Gustafson [EMAIL PROTECTED] wrote: Hey, I know this is a bit off-topic, but I was wondering if anyone on the list might be able to help with

Re: Help needed --- urgent

2008-11-19 Thread tnt
I'm new to freeradius and i want to configure and test my server... I have installed server from cvs now when i run radiusd -X its output is like this: FreeRADIUS Version 2.0.6, for host i686-pc-linux-gnu, built on Nov 19 2008 at 17:00:09 Copyright (C) 1999-2008 The FreeRADIUS server

Re: attribute filter

2008-11-19 Thread tnt
Ok. But in which section of radiusd.conf or sites-available/file should I use unlang ? in post-proxy section ? Yes, just like attribute filter. Shall i use switch again to the corresponding realms ? man unlang says: -= Remove all matching attributes from the list I don't want to remove

Re: ssh cleartext-password ? INCORRECT ([EMAIL PROTECTED])

2008-11-19 Thread tnt
and here is my /etc/pam_radius_auth.conf (i've tried space / tab delimited ) # server[:port] shared_secret timeout (s) 127.0.0.1 testing123 2 localhost testing123 1 So they are identical from what i can see. Also keep in mind that radtest works using the secret; testing123. Sorry if I'm missing

Re: ldap (sambaNtPassword) + peap-mschapV2 + freeradius : step by step question

2008-11-19 Thread tnt
I am trying to add a Wifi AP (aironet 1250). I am trying to use PEAP/MSCHAPV2 and SAMBA SambaNTpassword (LDAP Back-end). .. I know that I need to enable ldap somewhere but ... where :D Authorize section of /etc/raddb/sites-enabled/inner-tunnel. Ivan Kalik Kalik Informatika ISP

Re: free RADIUS server + return class attribute

2008-11-18 Thread tnt
I want to configure the freeRADIUS server to return the CLASS attribute in the ACCESS-ACCEPT message,. I tried adding the attribute for a user in users file : vinay Auth-type:=CHAP,User-Password=vinay,Class=Admin The attribute is parsed. But when i try to connect with a RADIUS client, the

Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-18 Thread tnt
I am a little confused with this... tnt-4 wrote: ntlm_auth in mschap module works only for - mschap requests. It will not work for pap requests. Normally, ntlm_auth is set in the MSCHAP module. Authentication requests from logging into the system, like SSH, uses PAP? Is there anyway that I

Re: PEAP-EAP-MD5 failure with freeradius-2.1.1

2008-11-18 Thread tnt
Hi Alan, Thanks for your reply. Basically i have wireless adapter which has a utility supporting peap-eapmd5 on Windows XP service pack 2. Is there any way to Know whether the supplicant is the problem in case of peap-eap-md5, as with the utility peap-eap-mschapv2 works. Yes. By doing what you

Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread tnt
when I use the with-ntdomain-hack=no the result is : Where is that line? You should enable it in mschap module. It shouldn't have any effect on EAP Identity. [peap] Had sent TLV failure. User was rejected earlier in this session. Debug you posted is useless. You have deleted the important

Re: Test Radius Client supporting PEAP-EAP MD5

2008-11-18 Thread tnt
wpa_supplicant eapol_test. Ivan Kalik Kalik Informatika ISP On 18/11/2008, Queenie de Melo [EMAIL PROTECTED] wrote: Hi, Can anyone suggest a test radius client supporting PEAP with EAP MD5 ? I have tried JRadius Simulator , RadiusTest n others but could not get the option of PEAP with EAP

Re: attribute filter

2008-11-18 Thread tnt
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted. Use unlang and -=. Ivan Kalik Kalik Informatika ISP

Re: attribute filter

2008-11-18 Thread tnt
Let's say for realm dr4.cnrs.fr I would like that only VLAN1 and VLAN2 are permitted. Use unlang and -=. excuse me Ivan, I don't understand. can you explain more... thanks. You say attr.filter is not working (and provide no debug) for you. Use unlang instead. Read man unlang and

RE: authenticating to an Windows AD

2008-11-18 Thread tnt
Updated manual: http://deployingradius.com/documents/configuration/active_directory.html Ivan Kalik Kalik Informatika ISP On 18/11/2008, Danner, Mearl [EMAIL PROTECTED] wrote: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO worked for me. -Original Message-

Re: ssh cleartext-password ? INCORRECT

2008-11-18 Thread tnt
And the matching shared secret for the server and pam_radius_auth.conf .. Using 'ssh [EMAIL PROTECTED]' password: testing rad_recv: Access-Request packet from host 127.0.0.1 port 26561, id=106, length=83 User-Name = steve User-Password = \010\n\r\177INCORRECT ..

Re: again: 802.1x auto login with win login/pass

2008-11-18 Thread tnt
User-Name = ROUTER\\Hege Create (local) realm ROUTER { } in proxy.conf. ++[preprocess] returns ok ++[chap] returns noop ++[mschap] returns noop [suffix] No '@' in User-Name = ROUTER\Hege, looking up realm NULL [suffix] No such realm NULL ++[suffix] returns noop [eap] EAP packet type

RE: authenticating to an Windows AD

2008-11-18 Thread tnt
Thanks very much for the pointer. That looks like what I want, however, after following those instructions, when I run radiusd -X, I get this error: /usr/local/etc/raddb/users[50]: Parse error (check) for entry user: Unknown value ntlm_auth for attribute Auth-Type Errors reading

Re: EAP and server certificate

2008-11-17 Thread tnt
Does EAP-GTC work only with Username n Password? Yes. Is there anything additional needed? No. What abt EAP-TTLS with EAP-GTC? Would certificates or anything additional to username and password be required at the client/server side? You need also a server certificate and to import CA

Re: FreeRADIUS 2 server + FreeRADIUS client - something like POD (packet of disconnect)

2008-11-17 Thread tnt
On 17/11/2008, NiTr0 [EMAIL PROTECTED] wrote: I use FreeRADIUS v2.0.1 on server side and FreeRADIUS client library v1.1.6 with pptpd/pppd on client side. Is there something like Mpd-drop-user attribute for MPD5? Or I must hangup sessions only by unusual way with 3rd-party

Re: how to enable mutliple authentication types in freeradius server

2008-11-17 Thread tnt
hi..i am trying the authentication with eap-aka i want to know is there any option to use sim,eap,peap and other authentication types at the same time. Yes. Don't change anything and they will work. You should generate production certificates for peap once you ensure that it works with default

Re: [main_pool] Could not find Pool-Name attribute

2008-11-17 Thread tnt
tnt-4 wrote: You have not enabled the module which is supposed to provide Pool-Name from the configuration in inner-tunnel. But forget that. AP is going to use DHCP to assign IP address and will ignore Framed-IP-Address. Ivan Kalik Kalik Informatika ISP On 14/11/2008, robbe [EMAIL

Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-17 Thread tnt
I followed the manual by removing the entry that was added in users file... But after testing, I noticed that it did not hit the ntlm_auth command. You removed it! ntlm_auth in mschap module works only for - mschap requests. It will not work for pap requests. Ivan Kalik Kalik Informatika ISP -

Re: ldap backend and Realm

2008-11-17 Thread tnt
My radius server is used to authenticate users from different realms (lets say 8) against one ldap server. My ldap server has 8 different basedn which holds users from the realms. I want to use unlang to configure radiusd to use a specific ldap module configuration based on the realm of the

Re: ldap backend and Realm

2008-11-17 Thread tnt
I use unlang, here is my configuration radiusd.conf: modules { ... ldap switch %{Realm} { case dr4.cnrs.fr { 1. What version is this? Unlang works only in 2.x? ldap is not in radiusd.conf in that version any more. 2. unlang works in server not module

Re: ldap backend and Realm

2008-11-17 Thread tnt
In my /etc/raddb/dictionary file: ATTRIBUTE My-BaseDN 10 string radiusd.conf configured like you said (module ldap, authorize section) radiusd starts and logs says: freeradius version? May be cause the ldap module is called before authorize section where My-BaseDN is defined ?? Why? In

Re: krb Authenication ldap Authorization

2008-11-17 Thread tnt
I need to use radius to AUTHENTICATE users and then once they are authenticated have it pass it over to and LDAP server for Authorization, I believe this is possible with radius but if anyone has any experience with this or good links for setting it up I would appreciate it. Thanks, LB

Re: ldap backend and Realm

2008-11-17 Thread tnt
radiusd: FreeRADIUS Version 2.1.1, for host i686-pc-linux-gnu Then ldap is not in radiusd.conf. ldap is now in raddb/modules/ldap. authorize is not in radiusd.conf either. It's in raddb/sites-enabled/default. Are you trying to use new version with a copy of old radiusd.conf? Post the whole

Re: ldap backend and Realm

2008-11-17 Thread tnt
Do you mean 10 . the number picked should be between 3000 and 4000 ? Yes. Ivan Kalik Kalik Informatika ISP

Re: again: 802.1x auto login with win login/pass

2008-11-17 Thread tnt
Hi all, I have a problem, can't authenticate my user with win login user/pass. I use: - 802.1x - newest freeradius, and ubuntu 8.4 - eap-tls - win xp sp2 client, use automatic win logon and pass When Automatically use my Windows login name and password is unchecked on the windows, i type

Re: ldap backend and Realm

2008-11-17 Thread tnt
Here is the debug of radiusd (attached file) You are playing a dangerous game by reusing an old radiusd.conf. [ldap] expand: %{control:My-BaseDN} - ou\3dpeople\2cdc\3ddr4\2cdc\3dcnrs\2cdc\3dfr basedn expansion went well. rlm_ldap: bind as uid=Manager,%{control:My-BaseDN}/sirc2 to

Re: Just wondering - are you using several groups for a user?

2008-11-17 Thread tnt
You can assign different attributes to a user when he dials in than when he logs in via ssh for instance. Ivan Kalik Kalik Informatika ISP On 17/11/2008, liran tal [EMAIL PROTECTED] wrote: Hey everyone, It's obvious that the structure of the tables allows to assign a user to several groups

Re: FreeRADIUS client + PAM integration

2008-11-16 Thread tnt
http://freeradius.org/pam_radius_auth/ Ivan Kalik Kalik Informatika ISP On 16/11/2008, Vinay [EMAIL PROTECTED] wrote: hi there, We are planning to use FreeRadius Client with PAM. Could you please give me the document/Links/FAQ explaining the integration of FreeRADIUS client with PAM? Thanks

Re: Service-Type based on Unix group of the user

2008-11-14 Thread tnt
Then move reply attributes to a different DEFAULT entry: DEFAULT Auth-Type = System Fall-Through = yes DEFAULT Group = whatever Service-Type = whatever Ivan Kalik Kalik Informatika ISP On 14/11/2008, Artur Rodrigues [EMAIL PROTECTED] wrote: Hi, I am

Re: [main_pool] Could not find Pool-Name attribute

2008-11-14 Thread tnt
You have not enabled the module which is supposed to provide Pool-Name from the configuration in inner-tunnel. But forget that. AP is going to use DHCP to assign IP address and will ignore Framed-IP-Address. Ivan Kalik Kalik Informatika ISP On 14/11/2008, robbe [EMAIL PROTECTED] wrote: Hello

Re: Referencing a redundant-load-balance set within users file

2008-11-14 Thread tnt
Change use_tunneled_reply to yes in peap section of eap.conf. Ivan Kalik Kalik Informatika ISP On 14/11/2008, Tod A. Sandman [EMAIL PROTECTED] wrote: Ivan Kalik wrote: Why don't you map that in ldap.attrmap? Thanks so much. I removed all LDAP settings from users, and I have TTLS-PAP

Re: Freeradius and old ACC/Ericsson Tigris

2008-11-14 Thread tnt
I am upgrading an old machine to a newer version of FreeRadius and i am having a few problems. on old system the user file was similar to: user1 Password=whatever user2 Password=kdkdkd etc I have tried to copy this idea over to the new version along with the old

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
I'm running FreeRADIUS on a shiny-new CentOS 5.2 machine. I'm trying to figure out how to configure FreeRADIUS to authenticate against an OpenLDAP server using MSCHAPv2. I Googled a lot of different phrases, and came up with some things that were mildly helpful. Right now, I have FreeRADIUS

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
There is nothing to do. It's already active in default configuration. Really? Because the default config seems to want to use ntlm_auth to authenticate mschapv2 users, which is a samba helper designed to authenticate a user against a samba server, not an OpenLDAP server. ntlm_auth line is

Re: FreeRADIUS + OpenLDAP + MSCHAPv2

2008-11-14 Thread tnt
ntlm_auth line is commented out by default. Ok, I see that. From what I understand, MSCHAPv2 needs access to the unencrypted user password, and OpenLDAP doesn't offer that. I'm guessing I'll have to add an unencrypted password field to the LDAP server to make this work, but that's not been

Re: Error in initializing EAP module

2008-11-13 Thread tnt
Are there two freeradius installations and you are running the wrong (unpatched) one? Ivan Kalik Kalik Informatika ISP On 13/11/2008, Alan DeKok [EMAIL PROTECTED] wrote: Nayan Gjain wrote: yes i hav configured aka module in eap.conf like this: Ok... are you SURE that the rlm_eap_aka

Re: Error in initializing EAP module

2008-11-13 Thread tnt
I am trying to run freeradius server on linux2.4 version I am able to ./configure, make, make install successfully. But when i am running this with -X(debugging), I am getting the following error message on server: rlm_eap:Failed to link EAP-Type/aka:file not found

Re: hostapd + freeradius + windows users problem

2008-11-13 Thread tnt
Could you please point me to a specification that requires User-Name to remain same for the session? http://freeradius.org/rfc/rfc2865.html#User-Name It MAY be sent in an Access-Accept packet, in which case the client SHOULD use the name returned in the Access-Accept packet in all

Re: hostapd + freeradius + windows users problem

2008-11-13 Thread tnt
It looks like what is happening here is a re-authentication using machine credentials within the same IEEE 802.11 association. If the client would have re-associated, hostapd should have started a new session and in this case, there would have been start/stop acct with goa and then start/stop

Re: hostapd + freeradius + windows users problem

2008-11-13 Thread tnt
And which Access-Accept would this be referring to? The problem here is that there can be multiple authentication runs (re-authentication based on supplicant request or authenticator policy) and should the supplicant change its identity, the second Access-Accept is likely to have a different

Re: hostapd + freeradius + windows users problem

2008-11-13 Thread tnt
The following RFC 3580 Chapter 2.1 text is one reason for hostapd behavior: Within [IEEE80211], periodic re-authentication may be useful in preventing reuse of an initialization vector with a given key. Since successful re-authentication does not result in termination of the session,

Re: Freeradius 2.0 with Activedirectory Integration Failed

2008-11-12 Thread tnt
Thanks again! I amended it and it works. But that is only for testing... Yes. Now you go on with the manual. Can I use the MSCHAP method? Or I have to create a module of my own for users to authenticate? No, you configure the ntlm_auth line in raddb/modules/mschap. Ivan Kalik Kalik

Re: LDAP MSCHAP errors

2008-11-12 Thread tnt
pap against LDAP works fine chap against LDAP works fine (With ntradping) They used different password. Do you mean chap and MSCHAPv2 require passwords in different formats or something? No. There is a clear text password stored somewhere. I can auth CHAP, but with the same username and

RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread tnt
I think the problem is the protocol I use : PAP. I'm not sure that FreeRadius use PAP protocol to communicate with Radius Server. And is it normal that I can't see any password when I use a sniffer? No, the protocol you (or should I say the user) are using is eap not pap. Freeradius received

RE: FreeRadius working as a ProxyRadius using PAP protocol

2008-11-12 Thread tnt
My radius server (which is not freeradius) rejects my authentication ... So why are you asking the questions here? Freeradius proxy has nothing to do with this. Ivan Kalik Kalik Informatika ISP
