Arran Cudbard-Bell a.cudba...@freeradius.org writes:
The wiki does NOT require you to login to view content, that's the
whole point of the new wiki. You're trying to access a page that
doesn't exist. If you had even bothered to read the URL you'd have
seen that it contained the word create,
Mr Dash Four wrote:
In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
If you're going to be an idiot, you can be unsubscribed from this list.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Mr Dash Four wrote:
Networks, no matter how secure, can be compromised. As I pointed out
previously - one can never be too careful.
You're not smart if you regurgitate trite phrases.
You're smart if you spend the time to understand what you're talking
about.
You haven't done that.
of this in the default configs in recent 2.1.x versions - see
raddb/modules/inner-eap. Once you've done that, use the 2nd module
inside your inner-tunnel, like so:
eap {
    tls {
        ... cert setup
    }
    ttls {
        ...
        virtual-server = inner-tunne
    }
}
eap eap-inner {
    tls {
        ... 2nd ca setup
Phil Mayers wrote:
Thanks for the public service announcement. Do you seriously think
And we stop there.
He didn't.
Alan DeKok.
On 11/26/2011 11:49 PM, Mr Dash Four wrote:
so it is, you can only protect your AP client with the shared secret
key.
Not necessarily. If the switch to which the WAP is connected supports
802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS.
By WAP I take it you mean
On 27 Nov 2011, at 00:40, Mr Dash Four wrote:
In other words, EAP-TTLS/EAP-TLS isn't actually supported in
freeRADIUS?
It is. I believe you misunderstood how RADIUS works.
Maybe, considering I've been reading about RADIUS for just over 2 days...
Why don't you try reading about
Hi,
Firstly, all radius packets carrying EAP MUST carry a
snip
thanks Phil for this concise overview..however
Is the shared secret ideal? No. Is RADSEC better? Yes. Do any NAS
vendors support it? No. Can we afford to stop using RADIUS? No.
LANCOM do
eg
Am 27.11.2011 10:17, schrieb Phil Mayers:
On 11/27/2011 12:51 AM, Mr Dash Four wrote:
No, the shared secret is not transmitted over the wire.
For additional information see RFC2865, §2:
When a password is present, it is hidden using a method based on the
RSA Message Digest Algorithm MD5.
Andreas Rudat wrote:
but do I understand it correctly that the shared_secret is just used as a
trusted AP password?
No.
Read the RFCs to understand what the shared secret does. Or read the
RADIUS Wikipedia page.
It's what we did.
Alan DeKok.
In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
If you're going to be an idiot, you can be unsubscribed from this list.
It takes one to know one. I'd stop acting DeCock if I were you though.
Networks, no matter how secure, can be compromised. As I pointed out
previously - one can never be too careful.
You're not smart if you regurgitate trite phrases.
And you are not smart either when you start throwing insults around.
You're smart if you spend the time to
MD5 is broken.
Thanks for the public service announcement.
Pleasure!
Do you seriously think the IETF, and the people responsible for RADIUS
protocol evolution, aren't aware of this?
Seriously, what would you like us to do exactly? Travel back in time
to the mid 1990s and re-do the first
No. WAP == Wireless Access Point.
Noted, thanks.
indeed the case - the client will be a Linux-based device with
wpa_supplicant and a driver which supports nl80211/cfg80211, so I can
configure - at least on the client's part - EAP-TTLS/EAP-TLS
authentication. My aim is to do the same on AP
.
You think the RADSEC guys are going to mess with it just because it's used for
transporting RADIUS packets?
Where did I say or imply that? Touche!
OK, my understanding of EAP-TTLS/EAP-TLS is that the authentication happens in
two distinct stages: the first stage (EAP-TTLS) is the outer
Mr Dash Four wrote:
It takes one to know one. I'd stop acting DeCock if I were you though.
Congratulations. You've been unsubscribed.
Alan DeKok.
actual on-topic
results - on page one. Microsoft Technet unfortunately, but better than
nothing.
Now to get more down to the topic. You mention that security is
paramount, which is correct. When you are using EAP-TLS or EAP-TTLS,
security of your transmitted credentials comes by virtue of the TLS
Stefan Winter wrote:
I think what Alan was trying to point out is that
He's been unsubscribed from the list.
It's OK to not understand RADIUS. It's OK to ask questions. It's OK
to ask for help. That's what the list is for.
It's *not* OK to say I've only been doing RADIUS for 2 days,
-MD5, EAP-TLS). (line 78). Is that so?
As for the actual EAP-TTLS/EAP-TLS authentication process I have another
query - my understanding of the theory behind this method is that the
authentication/authorisation process is done in two distinct phases -
outer and inner authentication. This also
) distributed with the source code (I
am using 2.1.12) states that Currently Freeradius supports only 2
EAP-Types (EAP-MD5, EAP-TLS). (line 78). Is that so?
As for the actual EAP-TTLS/EAP-TLS authentication process I have
another query - my understanding of the theory behind this method
of password or shared secret specified.
so it is, you can only protect your AP client with the shared secret key.
In other words, EAP-TTLS/EAP-TLS isn't actually supported in freeRADIUS?
) - it seems that
freeRADIUS always needs some sort of password or shared secret
specified.
so it is, you can only protect your AP client with the shared secret
key.
In other words, EAP-TTLS/EAP-TLS isn't actually supported in
freeRADIUS?
It is. I believe you misunderstood how RADIUS works
Sven Hartge s...@svenhartge.de wrote:
Yes, this is kind of weak. And because of this weakness a protocol like
RADsec has been developed, which is essentially
RADIUS-with-SSL-over-TCP, thus providing strong encryption of the whole
RADIUS session.
Addition: The first FreeRADIUS version to
On 11/26/2011 04:32 PM, Andreas Rudat wrote:
so it is, you can only protect your AP client with the shared secret key.
Not necessarily. If the switch to which the WAP is connected supports
802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS
In other words, EAP-TTLS/EAP-TLS isn't actually supported in
freeRADIUS?
It is. I believe you misunderstood how RADIUS works.
Maybe, considering I've been reading about RADIUS for just over 2 days...
The connection between the AP (called NAS in RADIUS) and the
RADIUS-Server is only
Addition: The first FreeRADIUS version to include native RADsec support
will be 3.0. To use it with a version below that, you usually proxy your
normal RADIUS request through a software like radsecproxy.
Very interesting indeed. How about tunnelling (via ssh for example) - is
that a similar
so it is, you can only protect your AP client with the shared secret key.
Not necessarily. If the switch to which the WAP is connected supports
802.1x, it could act as a NAS and authenticate the WAP with EAP/TLS.
By WAP I take it you mean the wireless client, right? If so
Mr Dash Four mr.dash.f...@googlemail.com wrote:
In other words, EAP-TTLS/EAP-TLS isn't actually supported in
freeRADIUS?
It is. I believe you misunderstood how RADIUS works.
Maybe, considering I've been reading about RADIUS for just over 2 days...
The connection between the AP (called
Mr Dash Four mr.dash.f...@googlemail.com wrote:
Addition: The first FreeRADIUS version to include native RADsec
support will be 3.0. To use it with a version below that, you usually
proxy your normal RADIUS request through a software like radsecproxy.
Very interesting indeed. How about
/key
(fetched/presented on request if I configure this on the client side).
For the second phase (EAP-TLS) - there is, again, the CA certificate,
the client certificate/key (which is used to actually authenticate the
client) and the server certificate/key. For this second phase the CA,
server
Well, if you cannot trust your own internal network, then you have other
problems than securing your RADIUS authentication.
Networks, no matter how secure, can be compromised. As I pointed out
previously - one can never be too careful.
examining the TLS-Client-Cert-Subject variable in a FreeRADIUS
unlang policy, and possibly use this to query your LDAP server via LDAP xlat.
For example:
authorize {
    ...
    eap
    if (TLS-Client-Cert-Subject) {
        # we've done enough EAP-TLS to know the client cert
        update request
On Oct 15, 2011, at 12:41 PM, Alan DeKok wrote:
subcon wrote:
Imagine I want to store x509 certificate data (specifically a client
certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
That's outside of the scope of FreeRADIUS.
Obviously. I had not actually said
with eap+tls:
Follow the EAP-TLS guide on the web site. It *will* work.
Here's my error output:
*[peap] TLS 1.0 Alert [length 0002], fatal unknown_ca
TLS Alert read:fatal:unknown CA
TLS_accept: failed in SSLv3 read client certificate A
That is relatively clear: the client certificate
On Fri, Nov 18, 2011 at 3:02 AM, Enrique Llanos Vargas
ellan...@gmail.com wrote:
I
don't find a way to make it work with eap+tls:
I don't really want to use TLS, so if you help me to disable TLS, it'll be
fine for me.
You want to make it work with eap+tls, but you don't really want to
use
On 11/16/2011 11:36 PM, Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an
external source to my VPN client that is made available to JRADIUS
via FreeRADIUS. I need this data to be available for the
authorization phase because it will be used by JRADIUS
Houston-III, Lester L wrote:
Basically, I want to provide some data that's obtained from an external
source to my VPN client that is made available to JRADIUS via FreeRADIUS. I
need this data to be available for the authorization phase because it will be
used by JRADIUS for determining
@lists.freeradius.org
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Thursday, November 17, 2011 5:15 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TLS Attributes
Houston-III, Lester L wrote:
Basically, I want to provide
-
From:
freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Thursday, November 17, 2011 5:15 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TLS
Hi guys,
I've just installed a freeradius+mysql on a debian 6.0.3, first test from
localhost with radtest and mysql user auth (radcheck table) worked well,
2nd test with radeaptest with mysql and md5 eap method worked well too, but
I don't find a way to make it work with eap+tls:
Here's my error
Hi guys,
I've just installed a freeradius+mysql on a debian 6.0.3, first test from
localhost with radtest and mysql user auth (radcheck table) worked well, 2nd
test with radeaptest with mysql and md5 eap method worked well too, but I
don't find a way to make it work with eap+tls:
Here's my error
is StrongSwan. FreeRADIUS is
using LDAP for authorization and I have JRADIUS connected for performing post
authorization. Currently, I'm using EAP-TLS for connectivity from the
StrongSwan VPN client down to JRADIUS and this is working well.
What I want to do now is have the StrongSwan VPN client inject
On 11/16/2011 09:53 PM, Houston-III, Lester L wrote:
What I want to do now is have the StrongSwan VPN client inject some
custom data into the EAP message so that data can be propagated through
to JRADIUS for use in the post authorization method. Maybe something
like creating my own attribute or
Basically, I want to provide some data that's obtained from an external source
to my VPN client that is made available to JRADIUS via FreeRADIUS. I need this
data to be available for the authorization phase because it will be used by
JRADIUS for determining whether a user is authorized for
Hi all,
problem has been on my side. I miss to add another one CRL into certs directory.
Thank you for all your help!
Best regards,
—
Martin Čmelík
2011/11/14 Martin Čmelík martin.cme...@gmail.com:
Hi Alan,
I did, there is nothing about it.
Only this:
# Check the Certificate
Houston-III, Lester L wrote:
I’m trying to configure my FreeRADIUS server to support EAP-TLS but it
keeps reporting that there is no OpenSSL support.
You need to install the openssl-dev package. It includes the OpenSSL
header files.
This is probably on the Wiki, under building it yourself
I have installed the openssl-dev package, but FR still thinks openssl is not
installed.
You need to install the openssl-dev package. It includes the OpenSSL
header files.
This is probably on the Wiki, under building it yourself.
Alan DeKok.
@lists.freeradius.org
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 3:25 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL
Houston-III, Lester L wrote:
I’m trying to configure
Houston-III, Lester L wrote:
I finally got FR to recognize the openssl install. Not sure what I did to
fix it, but I installed some additional packages that required openssl such
as Kerberos and that seemed to fix things.
For the record, installing Kerberos won't fix OpenSSL issues.
@lists.freeradius.org
[mailto:freeradius-users-bounces+lester.l.houston-iii=boeing@lists.freeradius.org]
On Behalf Of Alan DeKok
Sent: Tuesday, November 15, 2011 11:44 AM
To: FreeRadius users mailing list
Subject: Re: Issues with EAP-TLS and OpenSSL
Houston-III, Lester L wrote:
I finally got
Houston-III, Lester L wrote:
The rlm_eap_tls was built and I think it was installed, but I'm still getting
the following errors when running the server. The last line is probably
shown because the tls section of eap.conf is ignored, but I'm not sure why
I'm getting the other lines when I
Hi,
nobody knows how setup freeradius to check new CRL lists? Should I
provide more information (it is not easy to take output from radiusd
-X, but if it is essential I can try it)?
Thank you for any suggestion
—
Martin Čmelík
2011/11/10 Martin Čmelík martin.cme...@gmail.com:
Hi,
I
Martin Čmelík wrote:
nobody knows how setup freeradius to check new CRL lists?
FreeRADIUS uses OpenSSL for CRLs (and everything SSL). OpenSSL does
not support dynamically adding CRLs at run time.
See the ocsp support in 2.1.12.
Alan DeKok.
Hi,
maybe that I explain it wrong.
We have now 4 CAs and 4 CRL lists where checking against them working
fine. I must add two new CAs (into ca.pam as others), but Freeradius
can't compare User certificate against correct crl list (crl5.pam,
crl6.pam).
Question is: When Freeradius receive user
Martin Čmelík wrote:
Question is: When Freeradius receive user certificate how daemon find
correct CRL list in certs directory?
Read raddb/eap.conf. This is documented.
Alan DeKok.
Hi,
Question is: When Freeradius receive user certificate how daemon find
correct CRL list in certs directory?
The CRL needs to be in the same directory as the CAs, and needs to be
hashed with c_rehash just like the CA certs. CRLs automatically get the
hash suffix .r0 instead of .0.
You will
Hi Alan,
I did, there is nothing about it.
Only this:
# Check the Certificate Revocation List
#
# 1) Copy CA certificates and CRLs to same directory.
# 2) Execute 'c_rehash <CA certs&CRLs Directory>'.
#    'c_rehash' is OpenSSL's command.
# 3) uncomment the line below.
# 5) Restart radiusd
#
I'm trying to configure my FreeRADIUS server to support EAP-TLS but it keeps
reporting that there is no OpenSSL support. I'm currently using FreeRADIUS
version 2.1.12 on Centos 6. I built the server from source because I needed to
include the JRADIUS plugin. I have been able to get things
Hi,
I downloaded current stable freeradius version 2.1.12 and import
configuration from old server (rewrite etc/raddb).
Everything seems to be OK, but I must now add another two trusted CAs
into ca.pem and also enable checking against CRL files as for other.
Lets say that eap.conf is setup by
Hello all,
I have a policy in my post-auth that calculates a hash function
based on
the real-identify of the user. The idea is that if the request is EAP-TTLS then
I want to
use the User-Name property of the inner tunnel, whereas if the request is for
EAP-TLS I
want to use
is for EAP-TLS I want to use the BUF-Name (if
I’ve got it correctly).
BUF-Name is not a standard attribute.
How do I determine in my policy whether we are doing EAP-TLS or
EAP-TTLS? Can anyone help with that ‘if’ I am looking for?
I'm not clear on exactly what you want. Perhaps you could
to use the User-Name property of the inner
tunnel, whereas if the request is for EAP-TLS I want to use the
BUF-Name (if I've got it correctly).
BUF-Name is not a standard attribute.
You are right, I just grabbed that from the debug output. I guess
TLS-Client-Cert-CN is far more appropriate
Hello all,
I want to get my FR configuration to allow only EAP-TLS based
authentications.
Am I right in thinking that if I leave enabled only the EAP-TLS, the
EAP-TTLS and PEAP parts in my eap.conf file, I would basically achieve what
I want? In other words, essentially
Panagiotis Georgopoulos wrote:
Am I right in thinking that if I leave enabled only the EAP-TLS, the
EAP-TTLS and PEAP parts in my eap.conf file, I would basically achieve
what I want? In other words, essentially disable md5, leap, gtc,
mschapv2 in the eap.conf.
To allow only EAP-TLS, simply
Panagiotis Georgopoulos wrote:
Am I right in thinking that if I leave enabled only the EAP-TLS, the
EAP-TTLS and PEAP parts in my eap.conf file, I would basically achieve
what I want? In other words, essentially disable md5, leap, gtc,
mschapv2 in the eap.conf.
To allow only EAP-TLS
,
if I configure only EAP-TLS, TTLS and PEAP in eap.conf, I should be ok,
right?
Yes.
Alan DeKok.
server via LDAP xlat. For example:
authorize {
    ...
    eap
    if (TLS-Client-Cert-Subject) {
        # we've done enough EAP-TLS to know the client cert
        update request {
            Tmp-String-0 :=
            %{ldap:ldap:///basedn?cn?sub?certsubject=%{TLS-Client-Cert-Subject}};
        }
        if (Tmp
subcon wrote:
Imagine I want to store x509 certificate data (specifically a client
certificate) in an attribute in LDAP (perhaps as a binary attribute, etc).
That's outside of the scope of FreeRADIUS.
I would like FreeRADIUS, should it be passed a client certificate INSTEAD of
a
...@ibs.dn.ua) [11.04.10 12:11] wrote:
Hi,
may somebody advise, please
i have:
uname
FreeBSD 8.1-RELEASE amd64
radiusd -v
radiusd: FreeRADIUS Version 2.1.10, for host amd64-portbld-freebsd8.1,
built on Apr 4 2011 at 22:44:15
radiusd configured with EAP-TLS only and works fine with xNIX
a user and password).
Is this possible? Does this make sense to you? Let me know if I need to
re-explain anything.
Thank you,
subcon
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/FreeRADIUS-EAP-TLS-Lookup-Client-Cert-From-LDAP-DIT-tp4904006p4904006.html
Sent from
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, September 01, 2011 8:48 PM
Subject: Re: EAP-TLS/PEAP authentication problem(can not reply
correct attribute)
gary wrote:
I do not define my private attribute while I follow the WISPr such as
Bandwidth-Max-Up
user login it can not reply correct
attribute that I configure in the radgroupreply table.
Can anyone give some idea?
BR//Gary
- Original Message -
From: Arran Cudbard-Bell
To: FreeRadius users mailing list
Sent: Wednesday, August 31, 2011 2:21 PM
Subject: Re: EAP-TLS/PEAP
gary wrote:
I do not define my private attribute while I follow the WISPr such as
Bandwidth-Max-Up and Bandwidth-Max-Down.
It is no problem that I use UAM method(user login with login page by
user name/password) and freeradius can reply correct attribute.
But when I use PEAP
On 31 Aug 2011, at 04:37, gary wrote:
Hi All
I have NAS client which support WISPr standard working with freeradius
2.1.10+MySQL 5.5 install on Fedora OS.
I create my test certificate and configure EAP-TLS/PEAP authentication well
in my setup.
I am using WINDOWS XP as client pc it can
On 31 Aug 2011, at 08:11, Arran Cudbard-Bell wrote:
On 31 Aug 2011, at 04:37, gary wrote:
Hi All
I have NAS client which support WISPr standard working with freeradius
2.1.10+MySQL 5.5 install on Fedora OS.
I create my test certificate and configure EAP-TLS/PEAP authentication well
Hi All
I have NAS client which support WISPr standard working with freeradius
2.1.10+MySQL 5.5 install on Fedora OS.
I create my test certificate and configure EAP-TLS/PEAP authentication well in
my setup.
I am using WINDOWS XP as client pc it can pass authentication but freeradius
can
Christ Schlacta wrote:
I always thought it was odd that the default makefile tried to sign the
client certificate with the server certificate without the server
certificate being signed with CA properties of any sort.
Yes, well...
I thought it
was some advanced chained root thing, but I
On Wed, 29 Jun 2011 15:03:33 +0200, Alan DeKok al...@deployingradius.com
wrote:
I thought it was some advanced chained root thing, but I never got it
to
work even once, so I wrote my own, but it sucks. I think it may be a
bug,
and you just reminded me of that. someone who knows what they're
Hi folks,
I have a problem in my freeradius setup and I'm looking for some hints
about that.
Scenario:
1) GNU/Linux client w/ WPA supplicant configured to request access through
EAP-TLS using a certificate (in order to achieve 802.1x ethernet
authentication)
2) 802.1x enabled switch where
Marco Londero wrote:
Freeradius debug log of the issue is here:
The certificate produced by the client is unknown to the server.
Any tips? Thank you!
Use the correct certificates.
Alan DeKok.
On 06/28/2011 08:41 AM, Marco Londero wrote:
Hi folks,
I have a problem in my freeradius setup and I'm looking for some hints
about that.
Scenario:
1) GNU/Linux client w/ WPA supplicant configured to request access through
EAP-TLS using a certificate (in order to achieve 802.1x ethernet
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok al...@deployingradius.com
wrote:
Use the correct certificates.
I re-generated client certificate and signed it w/ CA one instead of
server (default Makefile conf) and worked.
Sorry for the noise.
--
mandi, Marco
On 6/28/2011 01:52, Marco Londero wrote:
On Tue, 28 Jun 2011 10:28:45 +0200, Alan DeKok al...@deployingradius.com
wrote:
Use the correct certificates.
I re-generated client certificate and signed it w/ CA one instead of
server (default Makefile conf) and worked.
Sorry for the noise.
I
Alexandros Gougousoudis wrote:
Phil, I also understand a lot of things and I can read, but the
documentation of FR is not ideal. I've googled around, looked examples
and had more questions than before. Where are all these features
documented, like the if then-things in the conf, all the
Gary Gatten wrote:
Good point about configuring multiple things at once - but that is a recipe
- right? Several ingredients that make a tasty cake?
Yes. It should be done as a recipe with multiple steps. See
http://deployingradius.com for examples.
I think it would be a pretty common
On 16/05/11 20:26, Alan DeKok wrote:
My $0.02 is that we should use github. They now support git-backed
Wikis, which use markdown. It's close enough, and has a lot of benefits.
I quite like Markdown.
We have some internal introduction to radius and introduction to
FreeRADIUS documents.
Hi,
I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation.
What I want to do is:
A host-based authentication for my workstations. All the names of the
workstations are in LDAP, the authentication itself should be done
with EAP-TLS. I would like to have a hint, how
with EAP-TLS. I would like to have a hint, how to start EAP when the
LDAP-Query was successful. The LDAP-Query works I think, FR says:
[ldap] user scit-beerchen authorized to use remote access, but then it
tries to make some kind of password authentication (I have no password
for workstations in LDAP
Alexandros Gougousoudis wrote:
A host-based authentication for my workstations. All the names of the
workstations are in LDAP, the authentication itself should be done
with EAP-TLS. I would like to have a hint, how to start EAP when the
LDAP-Query was successful.
You don't.
Instead
) - FALSE
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns noop
Found Auth-Type = EAP
# Executing group from file /etc/freeradius/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/tls
[eap] processing type tls
[tls
Hi Alan,
Alan DeKok schrieb:
You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong.
Don't force Auth-Type.
I didn't want that, now after kicking out ntlm_auth things work, even
the cert has been accepted. I assume the problem I had was, that the
time of the radius
On 05/16/2011 10:13 AM, Alexandros Gougousoudis wrote:
Phil, I also understand a lot of things and I can read, but the
documentation of FR is not ideal. I've googled around, looked examples
and had more questions than before. Where are all these features
documented, like the if then-things in
Hi John,
Just to chime in, I find all of the comments in radiusd.conf, etc.
distracting and overwhelming. I strip out the comments from the files I'm
using - usually to find out how simple the configuration really is.
When I'm missing something, I refer back to the original files and look up
the
John,
I believe Alan started a project to try and improve documentation in May last
year. A few documents were converted RST format, but I don't think it was ever
completed.
I'm going to suggest the same thing I did back then. Add RST support to the
Wiki, setup a well defined documentation
On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote:
John,
I believe Alan started a project to try and improve documentation in
May last year. A few documents were converted RST format, but I don't
think it was ever completed.
I'm going to suggest the same thing I did back then. Add RST support
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of John Dennis
Sent: Monday, May 16, 2011 1:52 PM
To: FreeRadius users mailing list
Subject: Re: documentation and project organization (Was: Using LDAP with
EAP-TLS)
On 05/16/2011 02:20 PM, Arran Cudbard-Bell wrote
Arran Cudbard-Bell wrote:
I believe Alan started a project to try and improve documentation in May last
year. A few documents were converted RST format, but I don't think it was
ever completed.
I received a number of patches from one person, a few from another one
or two, and nothing else.
John Dennis wrote:
Sounds like a fine plan to me. I do recall the documentation effort from
last year. But the various promises of documentation seem to wither on
the vine, the effort you cite is a perfect example. Maybe Alan's book is
the answer, but that's been promised for a long time too.
Gary Gatten wrote:
I will step up to the plate and offer up a standard format for a Recipe. I
will pick an easy deployment scenario - such as: How do I configure FR to
authenticate VTY access to my Cisco gear using AD on the backend, and users
must be a member of GroupX
That's
John Center wrote:
Just to chime in, I find all of the comments in radiusd.conf, etc.
distracting and overwhelming. I strip out the comments from the files I'm
using - usually to find out how simple the configuration really is. When
I'm missing something, I refer back to the original files and look
201 - 300 of 1808 matches