[EMAIL PROTECTED] wrote:
pki-chain.pem contains the concatenation of our 3 level pki hierarchy
( cat itClass1.crt pki-chain.pem ; cat itClass2.crt pki-chain.pem ;
cat itClass3.crt pki-chain.pem )
Did you find somewhere in openssl documentation that you can mix .pem and
crt formats
Jehan PROCACCIA wrote:
what about that CA_path directive ? why is it generating a segmentation
fault when starting radiusd ?
See doc/bugs
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Alan DeKok wrote:
Jehan PROCACCIA wrote:
what about that CA_path directive ? why is it generating a segmentation
fault when starting radiusd ?
See doc/bugs
Alan DeKok.
a link would be greatly
Jehan PROCACCIA wrote:
See doc/bugs
a link would be greatly appreciated.
Ummm... this file ships with the server. If you can't find it in the
tar file, it's usually in /usr/share/doc/something/, depending on your
local installation.
See also the main web site. There's a link on EVERY
Alan DeKok wrote:
Jehan PROCACCIA wrote:
See doc/bugs
a link would be greatly appreciated.
Ummm... this file ships with the server. If you can't find it in the
tar file, it's usually in /usr/share/doc/something/, depending on your
local installation.
See also the
My initial question is: how to configure eap.conf tls section to load a
multi-level certificate hierarchy (CA bundle) ?
The same as for a single CA. You have configured that properly.
You said that server worked with a single CA but segfaulted when you
replaced it with that bundle. I would
Jehan PROCACCIA wrote:
Actually I wasn't suggesting that it is a bug,
A core dump is a bug. The files I suggested you read contain
instructions that help us fix the bug.
my initial question is how
one can use that CA_path directive
and what the CA_path should contain .
If it's a bug,
The problem is that PAM is never used. This seems to be an artifact of
the fact that rlm_ldap is supposed to fetch a known good password, but
I don't have passwords in the LDAP database. rlm_ldap is indeed
successful in authorizing, but there is no Auth-Type set to handle the
authentication.
If
Erik Karlsson wrote:
I am trying to set up a simple Wlan-authentication using EAP-TTLS to
avoid client certificates and PAM to use the server system
authentication scheme. PAM doesn't know about users, and the users are
situated in a LDAP database, which I think makes it logical to use
Alan DeKok wrote:
Why not also get the passwords from ldap? Why use PAM at all?
Because LDAP isn't a very good solution for handling passwords, IMO. I
prefer Kerberos in its simplicity.
If you want to use PAM, you have to force it via Auth-Type.
Thank you, the problem for me is that
Hi,
Hi,
I've seen that Windows XP does not support EAP-TTLS out of the box. I
know there is at least one package (from SecureW2) that adds this to
windows.
Could somebody suggest me which other packages do the same? Or should I
use the one from SecureW2?
open1x.sf.net, Funk Odyssey,
[EMAIL PROTECTED] wrote:
Hi,
Hi,
I've seen that Windows XP does not support EAP-TTLS out of the box. I
know there is at least one package (from SecureW2) that adds this to
windows.
Could somebody suggest me which other packages do the same? Or should I
use the one from SecureW2?
rgreiner wrote:
Ok, then I got something wrong. Is there any link where I could get more
details about ms-chapv2 inside PEAP, more exactly concerning this
details about password? As far as I knew, ms-chapv2 would always require
cleartext passwords in the database.
No.
Hi
2008/8/20 Alan DeKok [EMAIL PROTECTED]:
Martin Schneider wrote:
- I read in wikipedia, that the spring 2008 release of FreeRadius has
experimental EAP-TNC support. I couldn't find any information on the
FreeRadius homepage or wiki, that this information is correct. Has FreeRadius
EAP-TNC
Martin Schneider wrote:
Does anybody know about a patch or something for FreeRadius that adds
more stable EAP-TNC processing? I heard about a patch from FH Hannover
(http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
don't know how good this one works. Did maybe anybody of you
Message: 3
Date: Thu, 21 Aug 2008 08:36:07 +0200
From: Martin Schneider [EMAIL PROTECTED]
Subject: Re: EAP-TNC supported?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1
Hi
Hi Ingo and others
Does anybody know about a patch or something for FreeRadius that adds
more stable EAP-TNC processing? I heard about a patch from FH Hannover
(http://tnc.inform.fh-hannover.de/wiki/index.php/Main_Page) but I
don't know how good this one works. Did maybe anybody of you guys
Message: 4
Date: Thu, 21 Aug 2008 14:39:48 +0200
From: Martin Schneider [EMAIL PROTECTED]
Subject: Re: EAP-TNC supported?
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1
Hi
Martin Schneider wrote:
- I read in wikipedia, that the spring 2008 release of FreeRadius has
experimental EAP-TNC support. I couldn't find any information on the
FreeRadius homepage or wiki, that this information is correct. Has FreeRadius
EAP-TNC support? And how experimental is the EAP-TNC
I am trying to test the fast re-authentication using the freeradius. From
the email below it looks like free radius supports fast re-authentication.
I am using the freeradius 2.0.5 version. I successfully tested EAP-SIM and
EAP-AKA.
Can someone help me with the radius configuration to test the
indira kolli wrote:
I am trying to test the fast re-authentication using the freeradius.
From the email below it looks like free radius supports fast
re-authentication.
With the eap2 module.
I am using the freeradius 2.0.5 version. I successfully tested EAP-SIM
and EAP-AKA.
Can someone
Garber, Neal wrote:
Is it possible to use PEAP/EAP-MSChapV2 (e.g., from a WinXP supplicant)
and authenticate with a local user (i.e., defined in the users file
with a Cleartext-Password). I'm thinking this isn't supported, but I
thought I'd ask to be sure.. Thanks..
Huh? It's supported.
On Wed, Jul 30, 2008 at 04:42:45PM -0300, Davi Baldin wrote:
List,
I was finished with successful FreeRadius 2 with EAP configuration and
MSCHAP2. Everything OK, but when the Access-Accept package is sent back
to client, we are missing some attributes mapped from LDAP user account.
I need to
by:
[EMAIL PROTECTED]
31/07/2008 05:13
Please reply to
FreeRadius users mailing list freeradius-users@lists.freeradius.org
To
FreeRadius users mailing list freeradius-users@lists.freeradius.org
cc
Subject
Re: EAP Autentication OK but missing some user attributes to client
[EMAIL PROTECTED
Huh? It's supported. There's no problem.
See my web site for EAP howto's that do exactly this.
Yeah, well I guess I'll blame too many late nights. I jumped the gun in
sending the question as I had it working shortly thereafter. Thanks
anyway for responding Alan and I hope things are
with winbind. and EAP-TLS
runs Ok
thank you
- Original message
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, 19 July 2008, 19:05:33
Subject: Re: Re : Re : Re : Re : EAP-TLS OK - EAP-PEAP KO!! why
Geoffroy Arnoud wrote:
Currently, my SIM card can be authenticated using a Cisco supplicant
(eap-sim-draft-v5) with a Cisco Access Registrar RADIUS server
(eap-sim-draft-v5) that gets SIM triplets from an ITP and a HLR simulator.
I'm not sure this is compatible with draft-12 ...
I would
: Re : Re : Re : Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that?
Hello Alan (and all the others too)
I am sorry about the delay!
here is the entire log: http://tinypaste.com/5b99b
EAP PEAP still doesn't work without giving an error message understandable by me!
hope it will be clearer for you!
I
Hi,
so my question is, if the certificate (with server extension) is missing on
the client, could it interfere in EAP-PEAP authentication success?
yes.
you need a RADIUS cert with the extensions...and if doing proper
PEAP, you need the CA installed on the client too - with 'validate
server
alone. thank you for your explanation and your time!
- Original message
From: Ivan Kalik [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Friday, 18 July 2008, 20:00:31
Subject: Re: Re : EAP-TLS OK - EAP-PEAP KO!! why
Reveal MAP wrote:
does someone find it normal that EAP-TLS authentication works and not EAP-PEAP?
It depends on how you configure the system.
I called a SSID TLS where security is WPA Enterprise. it expects users
to be authenticated via FREERADIUS to be allowed on the network.
so i use a
Re hello:
Now i am trying to authenticate via PEAP a user existing on my sql database:
the output is too long, mailing list parameters won't accept it. i post part of
the output that seems to give the point of misconfiguration. if it is not
sufficient, please let me know, and i will find a way
Reveal MAP wrote:
Now i am trying to authenticate via PEAP a user existing on my sql database:
The debug log doesn't show that.
the output is too long, mailing list parameters won't accept it. i post
part of the output that seems to give the point of misconfiguration. if
it is not
@lists.freeradius.org
Sent: Saturday, 19 July 2008, 17:19:58
Subject: Re: Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that?
Reveal MAP wrote:
Now i am trying to authenticate via PEAP a user existing on my sql database:
The debug log doesn't show that.
the output is too long, mailing list parameters
Reveal MAP wrote:
user=maman
passwd= maman
is a sql based user.
trying peap with sql based user gives an error message,
Which... is what? Is it a secret?
but trying it with
Ad_based user gives no error message, it just doesn't connect...
FreeRADIUS gives no error message? Or the client?
: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Saturday, 19 July 2008, 18:07:43
Subject: Re: Re : Re : Re : EAP-TLS OK - EAP-PEAP KO!! why that?
Reveal MAP wrote:
user=maman
passwd= maman
is a sql based user.
trying peap
rlm_mschap: Told to do MS-CHAPv2 for glouglou with NT-Password
expand: --username=%{mschap:User-Name} - --username=glouglou
mschap2: 14
expand: --challenge=%{mschap:Challenge:-00} -
--challenge=91426d1805c9df8e
expand: --nt-response=%{mschap:NT-Response:-00} -
true!
there was a great problem with winbind, which didn't want to run. I had to rename
winbindd_priviledged to make it work.
so now, the previous error:
---
rlm_mschap: No Cleartext-Password configured. Cannot create LM-Password.
rlm_mschap: No
Hi,
on your command line
locate winbindd_privileged
it'll usually be /var/cache/samba/
cd /var/cache/samba/
chgrp radiusd winbindd_privileged (if you run radius as group radiusd)
restart freeradius
i don't see how the error/debug output could be any clearer
alan
Module: Instantiating eap-mschapv2
mschapv2 {
with_ntdomain_hack = no//i set yes in /etc/raddb/module/mschap
for this
but still stay on no
}
Because this is from eap.conf.
Ivan Kalik
Kalik Informatika ISP
rlm_eap_peap: Session established. Decoding tunneled attributes.
rlm_eap_peap: Received EAP-TLV response.
rlm_eap_peap: Had sent TLV failure. User was rejected earlier in
this session.
Read the *whole* debug output; somewhere further up will be the reason
the user was rejected.
-
well...
i am not sure, but it might be: the fact that peap needs user/password and i
just sent username...
or that realm is null...
i read the entire output and am still not sure. anyway, i'll check it as soon as
i will be in front of the machine again!
thank you
-
- Message
i am not sure, but it might be: the fact that peap needs user/password and i
just sent username...
No. Password is in the EAP-Message.
or that realm is null...
Not very likely to be a problem.
i read the entire output and am still not sure. anyway, i'll check it as soon
as i will be in
Kwok Sianbin wrote:
Thanks for the tips.
If the certificates are fine then
the only problem here is the radius server.
XP can not authenticate the client can't get connected.
here the output
Ready to process requests.
User-Name = MarsNet_Client
NAS-IP-Address = 0.0.0.0
++[eap] returns handled
EAP-Message = 0x010300060d20
Message-Authenticator = 0x
State = 0x7382effe7381e2540240fd45d4418b28
Finished request 4.
Going to the next request
Waking up in 4.9 seconds.
Cleaning up request 4 ID 1 with
Hey guys, sorry for the delay.
Yeah after reading your advice, I agree that I misread.
I will use EAP-TTLS with EAP method PAP encapsulated in it.
Thanks Sergio for the link for Windows users : in my case with an
intel wifi card, Intel was kind enough to provide the same kind of
utilities. But
Geoffroy Arnoud wrote:
I have a question about EAP-SIM and EAP-AKA authentication.
Is fast-reauthentication supported (in eap or eap2 module)?
Fast re-authentication is supported only in the eap2 module, so far as
I know.
We should add the EAP-AKA patches to rlm_eap at some point. I've
2008/7/8 joris [EMAIL PROTECTED]:
Hello,
After reading the configuration file radiusd.conf, it explicitly says
that one can't use LDAP as the authentication backend when you use EAP
(in my case, i'm interested in EAP-TTLS).
Nonetheless, I can read elsewhere on the web that some people seem
joris wrote:
After reading the configuration file radiusd.conf, it explicitly says
that one can't use LDAP as the authentication backend when you use EAP
I don't think it says that.
What part of the configuration file leads you to think it's impossible?
Nonetheless, I can read elsewhere
# THIS WILL NOT WORK FOR CHAP, MS-CHAP, or 802.1x (EAP).
That relates to ldap bind as user authentication, not using ldap to
store user information.
Ivan Kalik
Kalik Informatika ISP
On 8/7/2008, joris [EMAIL PROTECTED] wrote:
Hello,
After reading the configuration file radiusd.conf, it
That's because it's doing EAP mschapv2 not plain mschap. It's normal
to get a couple more Challenge-Requests before process is over.
Ivan Kalik
Kalik Informatika ISP
On 7/7/2008, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hello,
I have some problems with freeradius 2.0.5 and ntlm_auth:
freeradius-users@lists.freeradius.org
Subject: Re: EAP/peap: MSCHAP Success
That's because it's doing EAP mschapv2 not plain mschap. It's normal
to get a couple more Challenge-Requests before process is over.
Ivan Kalik
Kalik Informatika ISP
On 7/7/2008, [EMAIL PROTECTED] [EMAIL
freeradius-users@lists.freeradius.org,
freeradius-users@lists.freeradius.org
Subject: Re: EAP/peap: MSCHAP Success
Hmm, it is in fact doing many access-challenges, but the one I have sent
is the last one... There is no access-accept (and no reject).
Dietmar
Original message
]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: EAP/peap: MSCHAP Success
That's because it's doing EAP mschapv2 not plain mschap. It's normal
to get a couple more Challenge-Requests before process is over.
Ivan Kalik
Kalik Informatika ISP
On 7/7/2008
Please, any idea?
Still I have log filenames such as:
auth-detail-20080630 and say nothing about eap method
and contains something like:
Mon Jun 30 08:32:26 2008
Packet-Type = Access-Request
User-Name = anonymous
NAS-IP-Address = 10.128.255.84
Called-Station-Id
Jonathan Gazeley wrote:
I have attached the relevant section of my yum.log to show which
packages were updated. The Radius server was tested once every minute
by authenticating with a test account. This was first reported to fail
at 10:48
Sorry - please read that as 13:48, i.e. halfway
And what does your Freeradius server tell? (i.e. the classical email
of this mailing list: What is the output of radiusd -X ?)
Have a nice day!
On 26.06.2008 at 11:41, Jonathan Gazeley wrote:
Hello,
Until a couple of days ago, my FreeRadius setup was working
perfectly normally - running
Exec-Program-Wait: plaintext: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set correctly. (0xc022)
Fix that and it will work.
Ivan Kalik
Kalik Informatika ISP
Jonathan Gazeley wrote:
Yes of course, the output of radiusd -X is attached to this email.
This is the reason we ask for debug output:
...
Exec-Program output: winbind client not authorized to use
winbindd_pam_auth_crap. Ensure permissions on
/var/cache/samba/winbindd_privileged are set
Hi Ivan,
This worked perfectly - thanks very much. I guess you have sharper eyes
than me because I missed those lines in the debug output.
Cheers,
Jonathan
Jonathan Gazeley
Systems Support Specialist
ResNet | Wireless VPN Team
Information Services
University of
2008/6/25 Alan DeKok [EMAIL PROTECTED]:
Sergio Belkin wrote:
I use freeradius 2.0.2, and people can use either ttls or peap as they
want (or can). I'd want to know if it's possible to see what EAP
method are using users through radius logs...
The EAP type is available in the EAP-Type
Sergio Belkin wrote:
Alan, Do I need to use rlm_perl anyway?
No. The EAP-Type attribute is added by the EAP module. Once the
attribute is there, it can be used, edited, updated, etc. just like
User-Name, or NAS-IP-Address.
Alan DeKok.
2008/6/26 Alan DeKok [EMAIL PROTECTED]:
Sergio Belkin wrote:
Alan, Do I need to use rlm_perl anyway?
No. The EAP-Type attribute is added by the EAP module. Once the
attribute is there, it can be used, edited, updated, etc. just like
User-Name, or NAS-IP-Address.
Alan DeKok.
I edited
Sergio Belkin wrote:
I edited so radiusd.conf:
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}
and added EAP-Message =* ANY to attrs file, but I see no difference
(any file with a new name wasn't created)
What am I doing wrong?
You are running auth_log
2008/6/26 Alan DeKok [EMAIL PROTECTED]:
Sergio Belkin wrote:
I edited so radiusd.conf:
detailfile = ${radacctdir}/%{Client-IP-Address}/auth-detail-%Y%m%d%{EAP-Type}
and added EAP-Message =* ANY to attrs file, but I see no difference
(any file with a new name wasn't created)
What am I
Sergio Belkin wrote:
What am I doing wrong?
You are running auth_log BEFORE eap?
Alan DeKok.
I have the following in sites-enabled/default :
Which has auth_log BEFORE eap, which is WRONG.
How do you expect to log the EAP type when the EAP module hasn't been
run yet?
Alan DeKok.
-
2008/6/26 Alan DeKok [EMAIL PROTECTED]:
Sergio Belkin wrote:
What am I doing wrong?
You are running auth_log BEFORE eap?
Alan DeKok.
I have the following in sites-enabled/default :
Which has auth_log BEFORE eap, which is WRONG.
How do you expect to log the EAP type when the EAP
Sergio Belkin wrote:
I use freeradius 2.0.2, and people can use either ttls or peap as they
want (or can). I'd want to know if it's possible to see what EAP
method are using users through radius logs...
The EAP type is available in the EAP-Type attribute. You can use it
just like
You can log EAP-Type attribute with rlm_perl.
Ivan Kalik
Kalik Informatika ISP
On 24/6/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
Hi,
I use freeradius 2.0.2, and people can use either ttls or peap as they
want (or can). I'd want to know if it's possible to see what EAP
method are using
I have no idea about how to use rlm_perl, would you recommend me some
documentation or usage example?
Thanks in advance!
2008/6/24 Ivan Kalik [EMAIL PROTECTED]:
You can log EAP-Type attribute with rlm_perl.
Ivan Kalik
Kalik Informatika ISP
On 24/6/2008, Sergio Belkin [EMAIL PROTECTED]
2008/6/24 Sergio Belkin [EMAIL PROTECTED]:
I have no idea about how to use rlm_perl, would you recommend me some
documentation or usage example?
Thanks in advance!
2008/6/24 Ivan Kalik [EMAIL PROTECTED]:
You can log EAP-Type attribute with rlm_perl.
Ivan Kalik
Kalik Informatika ISP
You can find information about rlm_perl using Google, wiki on freeradius
website or file search on the computer where freeradius is installed.
Ivan Kalik
Kalik Informatika ISP
On 24/6/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
I have no idea about how to use rlm_perl, would you recommend me
So, you should probably create a new certificate with a certified CA or a
correct own CA. Install openssl and follow a howto on creating new
certificates. Make sure you match Common Name to server.domainname
Furthermore change certificate options (like password) in eap.conf.
gr, jelle
Oh, and when using TLS, install client certificate on client.
2008/6/15 Jelle Langbroek [EMAIL PROTECTED]:
So, you should probably create a new certificate with a certified CA or a
correct own CA. Install openssl and follow a howto on creating new
certificates. Make sure you match Common Name
Alan DeKok wrote:
Frank Sweetser wrote:
The usernames currently don't have a domain portion. Would it be possible for
me to set a default domain for a given username? (The list is small, so would
be manageable for me.) And if so, could you give me at least a rough example
of how I would set
Frank Sweetser wrote:
The usernames currently don't have a domain portion. Would it be possible for
me to set a default domain for a given username? (The list is small, so would
be manageable for me.) And if so, could you give me at least a rough example
of how I would set this up?
You
Alan DeKok wrote:
Frank Sweetser wrote:
The usernames currently don't have a domain portion. Would it be possible
for
me to set a default domain for a given username? (The list is small, so
would
be manageable for me.) And if so, could you give me at least a rough example
of how I
Frank,
It is not really a configuration issue, but more an Identity Management
issue.
It is not common to have a CA per user, but a CA per domain. And per domain
you have users.
So:
User X from domain A has CA 1.
User Y from domain B has CA 2.
If this is what you are trying to achieve you can
In our company, we do have certificates signed by multiple Certificate
Authorities...but there is a hierarchy. So, some users come in from Domain
A (root CA) some come in from Domain B (intermediate CA). So then it's
easy, just maintain the CA_path containing the root and any necessary
I'm happy to be wrong about this, but in my experience, this parameter:
-CApath ca.pem
Needs to be an actual path, not a PEM CA file, where you have performed
these steps:
download certificate authority cert in PEM format
run c_rehash . (openssl script)
On Thu, May 15, 2008 at 10:37 AM,
SecureW2 (List) wrote:
Frank,
It is not really a configuration issue, but more an Identity Management
issue.
It is not common to have a CA per user, but a CA per domain. And per domain
you have users.
In general, I certainly agree. The catch is that I'm attempting to handle
certs and
Read FAQ. It describes this problem regarding PEAP.
Ivan Kalik
Kalik Informatika ISP
On 29/5/2008, sriram [EMAIL PROTECTED] wrote:
Hi All,
I am facing problem using the FreeRadius version 1.1.7 for
EAP-TTLS/MSCHAPv2. Always I keep seeing the access-challenge on the radius
log. I have attached
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }:
update control {
Auth-Type := PAP
}
does indeed make pap work, but breaks anything else (like eap-mschap).
I also tried:
if
= not :=. Or check if Auth-Type already exists.
Ivan Kalik
Kalik Informatika ISP
On 29/5/2008, Bram Matthys (Syzop) [EMAIL PROTECTED] wrote:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }:
update control {
Bram Matthys (Syzop) wrote:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }:
update control {
Auth-Type := PAP
}
does indeed make pap work, but breaks anything else (like eap-mschap).
Ok... I took Alan's advice of taking it out of pap, my config is now:
authenticate {
..
ntlm_auth_pap
and
authorize {
..(near the end)..
ntlm_auth_pap
I then tried the following statements right before ntlm_auth_pap in
authorize (you said to check if Auth-Type exists, this is the correct way
Bram Matthys (Syzop) wrote:
You don't. You've managed to put the ntlm_auth_pap program into the
pap Auth-Type, for reasons I don't understand. Why not just call it
ntlm_auth_pap? After all, they're *different*. They do NOT do the same
thing.
That's what I did first, because it makes
Hi Alan,
Alan DeKok wrote:
Bram Matthys (Syzop) wrote:
Thanks for the hint. What would be the best place and way to do this?
Putting this before pap in authorize { }:
update control {
Auth-Type := PAP
}
does indeed make pap work, but breaks anything
I then tried the following statements right before ntlm_auth_pap in
authorize (you said to check if Auth-Type exists, this is the correct way to
do that, right?):
if (!Control:Auth-Type) {
update control {
Auth-Type = ntlm_auth_pap
Alan DeKok wrote:
I don't think you got my point. If you want to AUTHENTICATE using
ntlm_auth_pap... then call it in the AUTHENTICATION section. Calling it
in the AUTHORIZATION section is not AUTHENTICATION.
You need to:
a) set Auth-Type = ntlm_auth_pap in the authorize{} section
Use unlang to set Auth-Type PAP even if pap returns noop.
Ivan Kalik
Kalik Informatika ISP
On 28/5/2008, Bram Matthys (Syzop) [EMAIL PROTECTED] wrote:
While I've EAP-TTLS w/EAP-MSCHAPv2 working now with ntlm_auth, I'd also like
to have EAP-TTLS w/PAP working with ntlm_auth (mostly because the
[EMAIL PROTECTED] wrote:
how can i deny access to a user (a certificate)?
Set Auth-Type := Reject
Is a CRL (with the CA_path and c_rehash stuff) the only possibility to
deny access or is it possible to have a *whitelist* (like the CA_path
and c_rehash stuff but as a whitelist) with certs
Kwok Sianbin wrote:
...
#radtest MarsNet Mars123 localhost 0 testing123
User-Name = MarsNet
...
if I change the configuration in radiusd.conf to bind to particular IP
address (eth0) then about radtest failed to Accept.
Because you're sending packets to localhost? Do you know what
Hi Alan,
Please help..Here I have problem that I can't figure out what went wrong!
#radtest MarsNet Mars123 localhost 0 testing123
User-Name = MarsNet
User-Password = Mars123
NAS-IP-Address = 192.168.1.5
NAS-Port = 0
Reply-Message = Hello, MarsNet
if
Joel MBA OYONE wrote:
You'll also need a raddb/sites-enabled/inner-tunnel file. It's not
installed in 2.0.3. This was fixed in 2.0.4.
what is inner-tunnel file intended for??
Read the comments in the file.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Hi,
You'll also need a raddb/sites-enabled/inner-tunnel file. It's not
installed in 2.0.3. This was fixed in 2.0.4.
what is inner-tunnel file intended for??
it is a virtual server whose only purpose is to look at the stuff
inside an EAP tunnel - be that PEAP or EAP-TTLS etc etc. using
Thanks Alan, for all your answers and hints.
Upgrading to 2.0.4 did the trick, everything seems to work fine now.
Alan DeKok wrote:
...
ttls {
default_eap_type = mschapv2
Are you using EAP-MSCHAPv2, or MS-CHAPv2? See the comments above this
Hi All
An update: I tried using OpenSSL version 9.8c,
but got exact same issues.
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: Done initial handshake
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: TLS 1.0 Handshake
[length 038d], Certificate
Wed May 21 19:31:19 2008 : *Error: -- verify
Naunidh S Chadha wrote:
...
Wed May 21 19:31:19 2008 : *Error: -- verify error:num=20:unable to get
local issuer certificate*
Wed May 21 19:31:19 2008 : Debug: rlm_eap_tls: TLS 1.0 Alert [length
0002], fatal unknown_ca
The certificate supplied by the client was not signed by a CA that