Re: EAP-FAST

2010-01-19 Thread Maja Wolniewicz
On 19.01.2010 15:06, Alan DeKok wrote: Stefan Winter wrote: every now and then there's a mild interest on this list about enabling EAP-FAST. In our eduroam RD group, we are currently looking into EAP-FAST, which naturally includes FreeRADIUS support. Is it worthwhile posting our results

Re: EAP-FAST

2010-01-19 Thread Alan DeKok
Maja Wolniewicz wrote: A few changes in FreeRADIUS are needed to provide some configuration variables to the hostap EAP library. Could you send the changes as a patch? That way we can apply them to the server, and make it easier for everyone else. The biggest problem is that this solution

Re: EAP Session resumption reply attributes

2010-01-18 Thread Alan Buxey
Hi, In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth ensure the inner tunnel sets: reply:outer User-Name to request:inner User-Name

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
So I reverted to the default conf by copying the confs from the source package. I was forced to alter two lines. $diff eap.conf /etc/freeradius/eap.conf 155c155 private_key_file = ${certdir}/server.pem --- private_key_file = ${certdir}/server.key $diff users

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan Buxey
Hi, nostrip in the example.com in proxy.conf set the auth to LOCAL this will then get handled locally and the inner-tunnel will deal with the EAP properly. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
I edited proxy.conf to include: realm example.com { nostrip } and I edited users to read: user Auth-Type := Local but no beans, back to the 200+ Proxy-State attributes and a DoS. I also tried a few capitalizations of the word 'local' just in case it was sensitive to that,

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan DeKok
Huckle Berry wrote: I edited proxy.conf to include: realm example.com { nostrip } and I edited users to read: user Auth-Type := Local Delete that. You don't need it. but no beans, back to the 200+ Proxy-State attributes and a DoS. Sorry but

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Alan DeKok
Huckle Berry wrote: Maybe proxy to itself was a bad way to describe it, you can interpret the output yourself if you'd like. I took the last 4096 lines of output ... from an endless loop which repeats the same thing. Why not send the *top* of the output, before it starts to loop back to

Re: EAP-TLS User-Name not matching

2010-01-18 Thread Huckle Berry
For all I know, the top of the output could be 10,000 (or more) lines up. Funny thing about endless loops, they tend to go on for quite a while. If you want, I'll post my conf files, which should be the same as the top of the output, no? The example.com realm should be in proxy.conf if you want

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Alan DeKok
Huckle Berry wrote: First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful). I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Huckle Berry
At this point, I'm wondering if I should put eap.conf back to its original conf. Every tutorial I've seen has recommended those changes, but none of them were really for the 2.x.x version of freeradius. It's either that or the users file as those are the only two I've touched. Certainly most of

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Alan DeKok
Huckle Berry wrote: At this point, I'm wondering if I should put eap.conf back to its original conf. Every tutorial I've seen has recommended those changes, but none of them were really for the 2.x.x version of freeradius. The documentation for FreeRADIUS says explicitly: nearly every third

Re: EAP Session resumption reply attributes

2010-01-17 Thread Alexander Clouter
James J J Hooper jjj.hoo...@bristol.ac.uk wrote: In order to also return e.g. VLAN IDs (that could be computed from the inner User-Name in a non-session-resumption enabled config), I can move the config that sets the VLAN to the outer tunnel post-auth ensure the inner tunnel sets:

Re: EAP Session resumption reply attributes

2010-01-17 Thread Alan Buxey
Hi, One thing to remember, is for *your* users roaming at other universities to remember to remove the reply:User-Name attribute to protect the guilty. :) the best thing to do for this is to create a new virtual server - eg 'eduroam' - which is identical to your normal stuff EXCEPT that it

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Alan Buxey
Hi, First off, forgive me if this has been asked before on this list (I did do a search first, yet no results proved useful). I am on a fact finding mission to see whether freeradius is going to be feasible to deploy in my environment (~50 users over ~40 windows and linux desktops). On

Re: EAP Session resumption reply attributes

2010-01-17 Thread James J J Hooper
On 17/01/2010 20:22, Alan Buxey wrote: Hi, One thing to remember, is for *your* users roaming at other universities to remember to remove the reply:User-Name attribute to protect the guilty. :) the best thing to do for this is to create a new virtual server - eg 'eduroam' - which is

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Huckle Berry
On Sun, Jan 17, 2010 at 3:33 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: okay. EAP user-name doesn't match the original identity...and no user found either. 2 things you need to ensure 1) in proxy.conf you have 'nostrip' defined for example.com This was beginning to occur to me.

Re: EAP-TLS User-Name not matching

2010-01-17 Thread Alan DeKok
Huckle Berry wrote: This was beginning to occur to me. Initially I ignored proxy.conf because i figured I would never need to proxy anything, but I now see FR proxies to itself... It treats the inner tunnel session as a (largely) independent RADIUS request. This makes server design

Re: EAP-TTLS auth

2009-12-08 Thread Fernando Calvelo Vazquez
1.- Sorry for the HTML mail mess. 2.- Now I have signed the client certificate by using the Makefile v.2.1.8-pre (just to be sure that I generate correctly the certificates). So, client certificate: - subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailaddress=u...@example.com -

Re: EAP-TTLS auth

2009-12-05 Thread agalnx77
Hi Fernando, It is highly recommended that you turn off HTML capability on your e-mail client to post comments to this list. Many people on the list have chosen to use mail programs that aren't HTML capable and they can barely read your message -- it shows up as HTML junk. If you're using a

Re: EAP-TTLS auth

2009-12-04 Thread Fernando Calvelo Vazquez
Hi again: I have just tried with both CNs that I could find in my 'client certificate' subject=/C=FR/ST=Isere/O=ESRF/CN=swatzy01.esrf.fr/emailaddress=u...@example.com issuer=/C=FR/ST=Isere/L=Grenoble/O=ESRF/emailaddress=ad...@example.com/CN=radiusserv.esrf.fr So I have tested with: - Server

Re: EAP-TTLS auth

2009-12-04 Thread tnt
Hi again: I have just tried with both CNs that I could find in my 'client certificate'

Re: EAP-TTLS auth

2009-12-03 Thread Alan Buxey
Hi, ...and I guess it is not due to the Client Certificate because it was successfully authenticated in the previous tests. Probably it is because I am not sure what I should write in the box reserved for Server or Certificate Name (on Step 2 of 2 of the supplicant Windows software). Anyone

Re: EAP-TTLS auth

2009-12-03 Thread tnt
...and I guess it is not due to the Client Certificate because it was successfully authenticated in the previous tests. Probably it is because I am not sure what I should write in the box reserved for Server or Certificate Name (on Step 2 of 2 of the supplicant Windows software). Anyone knows what

Re: EAP-TTLS auth

2009-12-03 Thread Alan DeKok
t...@kalik.net wrote: Some Windows versions refuse to recognise the server certificate as an intermediate CA. Try altering certs/Makefile to sign client certificates with the ca certificate instead of the server certificate. This will be fixed in 2.1.8. Alan DeKok - List info/subscribe/unsubscribe?

Re: EAP advanced auth. methods problem

2009-11-29 Thread tnt
Permissions are now 600 for client.[pem|key] and [ca|server].pem (still using ca and also server certificate on client), but the result is similar. Does it still say unknown ca or something else? If it's something else you need to post a new debug. If it's still the same you need to go to

Re: EAP advanced auth. methods problem

2009-11-29 Thread Tomas Pelka
t...@kalik.net wrote: Permissions are now 600 for client.[pem|key] and [ca|server].pem (still using ca and also server certificate on client), but the result is similar. Does it still say unknown ca or something else? If it's something else you need to post a new debug. If it's still the

Re: EAP advanced auth. methods problem

2009-11-28 Thread Tomas Pelka
t...@kalik.net wrote: t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you have imported the certificate. Ivan Kalik -

Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you have imported the certificate. Ivan Kalik - List

Re: EAP advanced auth. methods problem

2009-11-23 Thread Paul Ryszka
On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote: t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you have

Re: EAP advanced auth. methods problem

2009-11-23 Thread Tomas Pelka
Paul Ryszka wrote: On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote: t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you

Re: EAP advanced auth. methods problem

2009-11-23 Thread tnt
t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you have imported the certificate. Ivan Kalik - List

Re: EAP advanced auth. methods problem

2009-11-23 Thread tnt
Paul Ryszka wrote: On Mon, 2009-11-23 at 20:37 +0100, Tomas Pelka wrote: t...@kalik.net wrote: Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where

Re: EAP advanced auth. methods problem

2009-11-23 Thread Alan Buxey
Hi, The problem is on the server side, isn't it? CA and server certs are now in the same dir as the whole RADIUS configuration; is it necessary to put certs into a trusted directory like /etc/ssl/certs? you can stick them wherever the server user can read them - but you must specify the path of the file

Re: EAP advanced auth. methods problem

2009-11-22 Thread Tomas Pelka
t...@kalik.net wrote: So the problem is in the certificate: [tls] TLS 1.0 Handshake [length 038d], Certificate -- verify error:num=20:unable to get local issuer certificate [tls] TLS 1.0 Alert [length 0002], fatal unknown_ca That means that you haven't imported the self-signed ca certificate

Re: EAP advanced auth. methods problem

2009-11-22 Thread tnt
Also tried modifying wpa_supplicant conf: - ca_cert=ca.pem + ca_cert=server.pem But with the same result. Because the path is wrong, i.e. the certificate is not there. Put the correct path to where you have imported the certificate. Ivan Kalik - List info/subscribe/unsubscribe? See

Re: EAP advanced auth. methods problem

2009-11-21 Thread Tomas Pelka
t...@kalik.net wrote: Alan DeKok wrote: Tomas Pelka wrote: I have a problem with advanced EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them advanced... Certs were created with the makefile included in freeradius sources. All my experiments

Re: EAP advanced auth. methods problem

2009-11-21 Thread Tomas Pelka
Tomas Pelka wrote: t...@kalik.net wrote: Alan DeKok wrote: Tomas Pelka wrote: I have a problem with advanced EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them advanced... Certs were created with the makefile included in freeradius sources. All

Re: EAP advanced auth. methods problem

2009-11-21 Thread tnt
So the problem is in the certificate: [tls] TLS 1.0 Handshake [length 038d], Certificate -- verify error:num=20:unable to get local issuer certificate [tls] TLS 1.0 Alert [length 0002], fatal unknown_ca That means that you haven't imported the self-signed ca certificate onto the client. #

Re: EAP advanced auth. methods problem

2009-11-20 Thread Alan DeKok
Tomas Pelka wrote: I have a problem with advanced EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them advanced... Certs were created with the makefile included in freeradius sources. All my experiments end with: decapsulated EAP packet (code=4

Re: EAP advanced auth. methods problem

2009-11-20 Thread Tomas Pelka
Alan DeKok wrote: Tomas Pelka wrote: I have a problem with advanced EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them advanced... Certs were created with the makefile included in freeradius sources. All my experiments end with:

Re: EAP advanced auth. methods problem

2009-11-20 Thread tnt
Alan DeKok wrote: Tomas Pelka wrote: I have a problem with advanced EAP authentication methods including PEAP, EAP-TLS, EAP-TTLS-MD5/MSCHAPV2. I wouldn't call them advanced... Certs were created with the makefile included in freeradius sources. All my experiments end with: decapsulated

Re: EAP + TLS + Unix passwords

2009-11-19 Thread John Dennis
On 11/19/2009 01:43 PM, Andy Theuninck wrote: I'm trying to set up freeradius to handle WPA authentication on my network. I've managed to get the AP radius servers talking to one another and the SSL certificates loaded and configured, but I can't figure out how to get the username passwords

Re: EAP + TLS + Unix passwords

2009-11-19 Thread tnt
Ideally, I'm looking for pointers on what I'm doing wrong 1.1.3 is not the latest available for CentOS: http://wiki.freeradius.org/Red_Hat_FAQ OR an indication that what I'm trying to pull off is impossible. You are using EAP-TTLS/MS-CHAP with system (crypted) passwords. It's impossible:

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Bjørn Mork
Andy Theuninck gohan...@gmail.com writes: I'm trying to set up freeradius to handle WPA authentication on my network. I've managed to get the AP radius servers talking to one another and the SSL certificates loaded and configured, but I can't figure out how to get the username passwords

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Andy Theuninck
1.1.3 is not the latest available for CentOS: http://wiki.freeradius.org/Red_Hat_FAQ Understood. I meant it was the latest version the package manager would grab for me. You are using EAP-TTLS/MS-CHAP with system (crypted) passwords. It's impossible:

Re: EAP + TLS + Unix passwords

2009-11-19 Thread tnt
1.1.3 is not the latest available for CentOS: http://wiki.freeradius.org/Red_Hat_FAQ Understood. I meant it was the latest version the package manager would grab for me. You are using EAP-TTLS/MS-CHAP with system (crypted) passwords. It's impossible:

RE: EAP + TLS + Unix passwords

2009-11-19 Thread Alan Buxey
Hi, In the meantime, I managed to make a new mess. I accidentally ran radiusd without the -X option and couldn't figure out how to properly stop it so I just killed the process. Now when I run radiusd -X, it claims to be listening on 1812 and 1813, but nmap says it isn't and I can't get a telnet

RE: EAP + TLS + Unix passwords

2009-11-19 Thread Alan Buxey
Hi, Apologies if the previous email appeared in nasty HTML format :-| Alan - List info/subscribe/unsubscribe? See

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Andy Theuninck
Nmap? Why scan ports when you can simply eg 'netstat -an | grep 1812' Lack of thinking on my part? No offense taken; my way was definitely roundabout. Anyhow, after killall restart, this is kind of odd: # netstat -anp | grep 1812 udp 0 0 0.0.0.0:1812 0.0.0.0:*

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Alan DeKok
Andy Theuninck wrote: It looks like radius is opening UDP 1812 (and 1813) but not the corresponding TCP ports anymore and that's why I suddenly can't connect to it - unless I'm misreading the services file and radiusd uses strictly UDP. RADIUS uses only UDP. At least, until my IETF RFC

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Andy Theuninck
RADIUS uses only UDP. Good to know. Thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Andy Theuninck
Apologies if it's bad form to reply to myself. radtest didn't have any connection problems, so I just rebooted the AP and that seemed to take care of it. I realized I had a perfectly serviceable smbpassword file mirroring /etc/shadow and that seems to work just fine with MS-CHAP. Now, my setup

Re: EAP + TLS + Unix passwords

2009-11-19 Thread tnt
I realized I had a perfectly serviceable smbpassword file mirroring /etc/shadow and that seems to work just fine with MS-CHAP. Now, my setup still doesn't *work*, but the debug output from radius sure looks like it's accepting the username password and sending back an OK. So I think I have

Re: EAP + TLS + Unix passwords

2009-11-19 Thread Andy Theuninck
Well, you are using 1.1.3. It's known not to work with Vista, XP SP3 and probably more supplicants. You should upgrade to current version (follow RedHat FAQ). Good to know. I'll have to look into that next. Sending Access-Accept of id 0 to 192.168.1.253 port 2048 MS-MPPE-Recv-Key =

Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini
Alan DeKok wrote: marco perugini wrote: hi list, I use freeradius [v 2.1.1] in a wimax context and since yesterday this message is driving me crazy: "EAP session matching the State variable". That's "NO eap session matching..." here's the use-case: I do

Re: EAP session matching the State variable

2009-11-02 Thread Alan DeKok
marco perugini wrote: is there a way to restart eap session? is there some script to run to have EAP restarted from scratch? Your supplicant needs to re-start the EAP session. This is a question for your local OS vendor. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: Re: EAP session matching the State variable

2009-11-02 Thread marco perugini
thanks a lot for your feedback alan! marco Alan DeKok wrote: marco perugini wrote: is there a way to restart eap session? is there some script to run to have EAP restarted from scratch? Your supplicant needs to re-start the EAP session. This is a question for

Re: EAP (RFC- 3579) under GPL with FreeRadius1.1.8?

2009-10-20 Thread Alan DeKok
Divyank Rastogi wrote: I was going through FreeRadius1.1.8 code when i saw that unlike the SRC code which is LGPL, EAP code is under GPL. You need to read the licenses to the source code you are using. In this case, you haven't read them carefully enough. The src/lib directory is LGPL.

Re: EAP session matching the State variable

2009-10-15 Thread Alan DeKok
marco perugini wrote: hi list, I use freeradius [v 2.1.1] in a wimax context and since yesterday this message is driving me crazy: EAP session matching the State variable. That's NO eap session matching... here's the use-case: I do auth and connection all right but if/when I lose my

Re: EAP-GTC supplicant for Windows XP

2009-10-08 Thread Fajar A. Nugraha
2009/10/8 Vincenzo Agosti vago...@unisa.it: Hello, can anyone suggest a free EAP-GTC supplicant for Windows XP? These are what I tested (with freeradius + LDAP + PEAP + GTC) and work on my setup: - http://www.securew2.com/ (a little confusing to set up for me, but it works) -

Re: EAP/TTLS + virtual_server woes

2009-10-02 Thread Alan DeKok
Alexander Clouter wrote: If you use the 'virtual_server' functionality in the ttls{} section of eap.conf, everything works great if you get an Access-Accept from the inner virtual server ('auth' for me). When I say works great, I mean the 'post-auth' section of the EAP calling ('auth-eap')

Re: EAP/TTLS + virtual_server woes

2009-10-02 Thread Alexander Clouter
Ivan Kalik t...@kalik.net wrote: Okay, I munched over the source code and I'm guessing I'm being a cretin, but I'm hoping you can tell me what I'm doing wrong. If you use the 'virtual_server' functionality in the ttls{} section of eap.conf, everything works great if you get an Access-Accept

Re: EAP/TTLS + virtual_server woes

2009-10-02 Thread Arran Cudbard-Bell
So you have two issues: 1) Post-Auth REJECT isn't processed in the inner tunnel 2) Authenticate-EAP does not process additional statements after EAP has rejected the user. Regarding 1: I've discussed this with Alan before. Not running Post-Auth in

Re: EAP/TTLS + virtual_server woes

2009-10-02 Thread Alexander Clouter
Hi, I was expecting a reply from you, what took you so long! :) Arran Cudbard-Bell a.cudbard-b...@sussex.ac.uk wrote: So you have two issues: 1) Post-Auth REJECT isn't processed in the inner tunnel 2) Authenticate-EAP does not process additional statements after EAP has rejected the

Re: EAP/TTLS + virtual_server woes

2009-10-01 Thread Ivan Kalik
Okay, I munched over the source code and I'm guessing I'm being a cretin, but I'm hoping you can tell me what I'm doing wrong. If you use the 'virtual_server' functionality in the ttls{} section of eap.conf, everything works great if you get an Access-Accept from the inner virtual server

Re: EAP with a non EAP Radius server

2009-09-29 Thread Jacques FOUCHER
The problem with openssl is solved after make clean and/or reboot, but my main problem about converting EAP-Response/Identity to a Radius Access-Request without an EAP message inside to my existing Radius server stays alive :-( This is the debug message : debian:~# radiusd -X FreeRADIUS Version

Re: EAP with a non EAP Radius server

2009-09-29 Thread Ivan Kalik
The problem with openssl is solved after make clean and/or reboot, but my main problem about converting EAP-Response/Identity to a Radius Access-Request without an EAP message inside to my existing Radius server stays alive :-( I was under the impression that I have told you what is the likely

Re: EAP with a non EAP Radius server

2009-09-27 Thread Jacques FOUCHER
Hi, is it possible that because of the configuration of proxy.conf (proxying to an external radius), I don't use the configuration in eap.conf (which would be used only for local authentication)? It would explain why I send EAP messages. 2009/9/26 Jacques FOUCHER jacques.fouc...@gmail.com

Re: EAP with a non EAP Radius server

2009-09-27 Thread Daniil Kharun
I copied proxy-inner-tunnel from sites-available to sites-enabled I declared proxy-inner-tunnel in eap.conf but unfortunately, EAP is still proxied *eap.conf* ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes (or no)

Re: EAP with a non EAP Radius server

2009-09-27 Thread Jacques FOUCHER
Hi everybody, thanks to Daniil and Yvan who helped me, but unfortunately, my problem is still alive. First, I want to explain again what I want to do, because maybe there is a misunderstanding. I have a wireless system which needs EAP and my users are already known in a Radius system (Radius n°2)

Re: EAP with a non EAP Radius server

2009-09-27 Thread Ivan Kalik
The idea is to use in between a freeradius (Radius n°1) which will convert EAP-Response/Identity from the Access Point and will forward a Radius Access-Request without an EAP message inside to my existing Radius server (Radius n°2). This weekend, I updated freeradius to the last version 2.1.7. I

Re: EAP with a non EAP Radius server

2009-09-27 Thread Jacques FOUCHER
thanks Yvan, looking at the debug, I saw: Ignoring EAP-Type/tls because we do not have OpenSSL support. Ignoring EAP-Type/ttls because we do not have OpenSSL support. Ignoring EAP-Type/peap because we do not have OpenSSL support. So I installed that: apt-get install openssl apt-get install

Re: EAP with a non EAP Radius server

2009-09-26 Thread Jacques FOUCHER
Hi, I copied proxy-inner-tunnel from sites-available to sites-enabled I declared proxy-inner-tunnel in eap.conf but unfortunately, EAP is still proxied *eap.conf* ttls { default_eap_type = mschapv2 copy_request_to_tunnel = yes (or no)

Re: EAP with a non EAP Radius server

2009-09-26 Thread Ivan Kalik
I want to use eap to authenticate Wireless users on a radius server which doesn't know the EAP protocol. It seems that it is possible to do that using a proxy freeradius. As the first radius I use freeradius Version 2.0.4 Use current version. See raddb/sites-available/proxy-inner-tunnel. Ivan

Re: EAP-TLS:Error: rlm_eap: Failed to store handler

2009-09-22 Thread Alan DeKok
leopold wrote: Just to confirm that the following scenario cannot cause the same problem: Client sends Access-Request and the server responds with Access-Challenge but the response never reaches the client. The client retransmits exact same packet again If that happens, then the duplicate

Re: EAP-TLS:Error: rlm_eap: Failed to store handler

2009-09-21 Thread leopold
Alan, thank you very much for your explanation. Just to confirm that the following scenario cannot cause the same problem: Client sends Access-Request and the server responds with Access-Challenge but the response never reaches the client. The client retransmits the exact same packet again and the

Re: EAP-TLS:Error: rlm_eap: Failed to store handler

2009-09-20 Thread Alan DeKok
leopold wrote: We are using 2.1.4 version and sometimes we see the following error Wed Sep 16 11:21:01 2009 : Error: rlm_eap: Failed to store handler That error means that the current EAP packet is *already* in the list of known EAP sessions. So trying to insert it twice is bad. This error

Re: EAP-TTLS with mschapv2 and edirectory

2009-09-08 Thread Alan DeKok
Michael Fischer wrote: I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory. Freeradius and eDirectory work like a charm when I use it for Cisco-VPN authentication. Which is likely PAP (i.e. clear-text password). rlm_ldap: Error

Re: EAP-TTLS with mschapv2 and edirectory

2009-09-08 Thread Peter Lambrechtsen
On 9/09/2009, at 2:43 AM, Alan DeKok al...@deployingradius.com wrote: Michael Fischer wrote: I'm trying to set up 802.1x authentication on my Enterasys AccessPoints using freeradius and eDirectory. Freeradius and eDirectory work like a charm when I use it for Cisco-VPN authentication.

Re: EAP errors in 2.1.1

2009-07-30 Thread Alan DeKok
Wegener, Norbert wrote: We are seeing an increasing number of eap error messages: Error: rlm_eap: No EAP session matching the State variable As mentioned in the Changelog, in later versions an eap error has been detected and fixed in 2.1.4 Fix EAP-TLS bug. Patch from Arnaud Ebalard Is

Re: EAP errors in 2.1.1

2009-07-30 Thread Alan Buxey
Hi, We are seeing an increasing number of eap error messages: Error: rlm_eap: No EAP session matching the State variable either your EAP stuff is being proxied to your server via different servers and therefore not matching (all the EAP session must go through the same proxy path), or the

Re: EAP+PEAP SQL + MAC AUTH?

2009-07-09 Thread Ivan Kalik
Hello guys! I was hoping you could help me with something; it's been troubling me for the last two days. I'm using freeradius to authenticate users in a WPA-Enterprise environment. What I would like to do now is to add another layer of security matching the MAC address of the user as well the

Re: EAP-TLS rekeying disconect issues

2009-07-04 Thread Alan DeKok
Harry Lachanas wrote: One issue that we observed was that after some idle time on the client, the client gets disconnected and it fails to auto-re-authorize. Then one has to disconnect manually and reauthorize ... ( nothing in the logs of freeradius indicates that .. ) If there is no RADIUS

Re: eap tls issues

2009-07-03 Thread Alan DeKok
le...@aecom.yu.edu wrote: I ran into some difficulties troubleshooting Freeradius. I turned on tls, with valid certificates and key file, and the debug output stops at this message, not going any further. The permissions on cert and key files are fine, I even tried setting the radiusd user to

Re: [eap] ERROR! Our request for tls was NAK'd with a request for tls. Skipping the requested type.

2009-06-29 Thread Alan DeKok
excel...@gmx.net wrote: Freeradius is 2.x on a Debian 5.0. My first attempt was with MD5, which works without any problem. Next step is TLS, which works at 50%. Well, the client authentication of TLS works, but when I configure to do a server authentication within the IP phone's setup, it

Re: [eap] ERROR! Our request for tls was NAK'd with a request for tls. Skipping the requested type.

2009-06-28 Thread excelsio
Hi, Are you using self-signed CA certificate? Did you install it on the phone? Of course, the certificate is a self-signed CA certificate and it is installed on the phone. The phone authenticates against the freeradius service without any problem. But when I want the phone to authenticate or

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Sorry, I just c/p that line from other link here is mine exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = /usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name}

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
In eap.conf, for eap-ttls there is a line virtual_server = inner-tunnel I put this part of your code in /etc/freeradius/sites-enabled/inner-tunnel and /etc/freeradius/sites-available/inner-tunnel files, like this Auth-Type PAP { pap } if(!control:Auth-Type) { update control {

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Ivan Kalik
Sorry, I just c/p that line from other link here is mine exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = /usr/bin/ntlm_auth --request-nt-key --domain=EXCHANGE --username=%{mschap:User-Name}

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Luis Azevedo
On Fri, Jun 26, 2009 at 9:57 AM, Petar Marinkovic hig...@gmail.com wrote: Sorry, I just c/p that line from other link here is mine exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape = yes output = none program = /usr/bin/ntlm_auth

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Similar error, again when the server is starting Module: Linked to module rlm_files Module: Instantiating files files { usersfile = /etc/freeradius/users acctusersfile = /etc/freeradius/acct_users preproxy_usersfile = /etc/freeradius/preproxy_users compat = no }

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Yes, I reverted authenticate part to Auth-Type PAP { pap } On Fri, Jun 26, 2009 at 11:26, Ivan Kalik t...@kalik.net wrote: Sorry, I just c/p that line from other link here is mine exec ntlm_auth_pap { wait = yes input_pairs = request shell_excape =

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Ah yes, now it started, thanks a lot. Will see if now EAP-TTLS with PAP works. Thanks a lot mate, you saved my life (for now :) Cheers, Petar On Fri, Jun 26, 2009 at 11:38, Ivan Kalik t...@kalik.net wrote: Similar error, again when the server is starting Module: Linked to module

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Ok, that works, many thanks for this :) What's left for me, I would like to authenticate users in domain with LEAP and TTLS-GTC. Also, what's needed to make EAP-TTLS with CHAP work? I know you can't use ntlm_auth for that, so what do I need to put inside users file? Will creating test user, for

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Hi Ivan, All of this is for testing purposes. So, I just need all of those methods to work; if it can't work with the domain, then cleartext password will be fine. Can you give me some more info about setting up TTLS-GTC, testing is being done on Windows XP. Also, for EAP-TTLS with chap, enabling user

RE: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-26 Thread Petar Marinkovic
Thing is that, a colleague has software, developed by his company, I cannot disclose which one, that can test eap-gtc, and that works. And the thing is, when he tries to connect to the freeradius server I set up, he cannot auth with domain username and pw. He can auth with EAP-TLS, EAP-TTLS with PAP,

Re: [eap] ERROR! Our request for tls was NAK'd with a request for tls. Skipping the requested type.

2009-06-26 Thread Ivan Kalik
Having a new VoIP PBX (OmniPCX Enterprise 9.0) from Alcatel-Lucent, I am now trying to set up 802.1x with the phones, an Alcatel-Lucent IP Touch 4028 EE. Freeradius is 2.x on a Debian 5.0. My first attempt was with MD5, which works without any problem. Next step is TLS, which works at 50%. Well,

Re: EAP-TTLS (PAP) with Win2K3 domain not working

2009-06-25 Thread A . L . M . Buxey
Hi, exec ntlm_auth_pap { wait = yes input_pairs = request shell_escape = yes output = none program = /path/to/ntlm_auth --username=%{User-Name} --domain=EXCHANGE --password=%{User-Password}
