We are getting unexpected behavior from FreeRADIUS 2.2.x (built from current
git).
We want to check if a user is BLOCKED first, and only then do we want to
perform some other checks.
Our current config looks like this:
authorize {
#auth_log # uncomment for debugging
Bruce Bauman wrote:
We want to stop executing the BUNCH OF UNLANG CODE in the first two
cases (infected and tempsus), effectively doing something like a return.
There is a return code. See doc/configurable_failover.rst:
ok {
ok = return
}
That may work. The issue is that
We want to stop executing the BUNCH OF UNLANG CODE in the first two cases
(infected and tempsus), effectively doing something like a return.
Where you have ok in the case stanzas, put
ok {
ok = return
}
-Arran
Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
Hi,
A simple thing:
infected case
update control {
Tmp-String-0 := stop
}
...
if (Tmp-String-0 != stop) {
BUNCH OF UNLANG CODE
}
That should work. Ugly, but functional.
this is pretty much what I was
On 2 Oct 2013, at 22:57, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
A simple thing:
infected case
update control {
Tmp-String-0 := stop
}
...
if (Tmp-String-0 != stop) {
BUNCH OF UNLANG CODE
}
That should work. Ugly,
to 2.2.X
you can build your own debian package from source
http://wiki.freeradius.org/building/Build#Building-Debian-packages
After the OS update and FreeRADIUS updates, freeradius is now seg faulting
after trying to process the authorize section when a wireless client attempts
to connect via
Hi,
in perl, i could write some new attributes in RAD_CHECK ??, then
authenticate() will access them.
in python, attributes are read only, so i cannot use them to pass information
to authenticate().
A simple database, like redis, could be a solution by adding info with the id
of the
On 12/12/12 22:04, laurent.fe...@free.fr wrote:
Hello,
If someone can advise me...
How to share information between the authorize() function and the
authenticate() function within a perl or python script ?
Just set an attribute:
authorize {
update request {
Tmp-String-0
Yes, just found this attribute. Thanks. Works well with Perl :), but not with
Python :(
- Original message -
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Sent: Thursday 13 December 2012 13:05:23
Subject: Re: share information between authorize
Hello,
If someone can advise me...
How to share information between the authorize() function and the
authenticate() function within a perl or python script ?
For example, i get some information from a database in authorize() that will
reuse it in authenticate()?
I could resubmit the sql request
shell_escape = yes
}
and my sites-enabled/switch its this:
authorize {
exec
expiration
chap
}
authenticate {
chap
}
post-auth {
exec
}
When i wired with my PC Log Says following:
# Executing section authorize from file /etc/freeradius/sites-enabled
Hello,
I'm using FreeRADIUS in Version 2.1.10.
I would configure my Switch-Ports Mac-Based. When a Computer wired a
Perl-Script should check the Username and gives VLAN back.
Why so complicated?
FreeRADIUS can do this out of the box, provided the NAS (switch) can do this.
--
Dr.
We use more than two VLANs.
The PCs authorize with the MAC-Address. So i would check the Database for this
MAC and read the defined VLAN.
On 30.10.2012 at 14:55, Michael Schwartzkopff mi...@schwartzkopff.org wrote:
Hello,
I'm using FreeRADIUS in Version 2.1.10.
I would configure my
Is it possible to do authentication and then authorization on the SQL db?
Best regards
Thomas Raabo
Senior Network Engineer CCIE #33466
Thomas Raabo - Zitcom A/S wrote:
Is it possible to do authentication and then authorization on the SQL db?
post-auth {
...
sql.authorize
...
}
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
if user is in SQL.
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
Auth-Type zotp {
ZOTP
}
unix
eap
}
authorize
Hi list,
I'm trying to set authorize section in my default sites file.
I need to allow traffic users in terms of time and bandwidth.
So, my attempts were like these:
authorize{
dailycounter
if (Auth-Type == Reject) { #I tried also if(!ok) or
if (reject
On 22/08/12 12:28, Ilaria De Marinis wrote:
Hi list,
I'm trying to set authorize section in my default sites file.
I need to allow traffic users in terms of time and bandwidth.
So, my attempts were like these:
authorize{
dailycounter
if (Auth-Type == Reject) { #I
Ilaria De Marinis wrote:
authorize{
dailycounter
if (Auth-Type == Reject) { #I tried also if(!ok) or
if (reject)
That doesn't work. If the module returns reject, then the
authorize section stops immediately. You can't catch a reject.
Alan DeKok.
Thank you
I want to allow user to surf for 1 hour and for 300MB.
If you exceed both limits, you'll be not anymore authorized to access
Internet.
Regards
Ilaria
On 22/08/12 13:47, Phil Mayers wrote:
On 22/08/12 12:28, Ilaria De Marinis wrote:
Hi list,
I'm trying to set authorize
On Wed, Aug 22, 2012 at 7:39 PM, Ilaria De Marinis
ilaria.demari...@caspur.it wrote:
Thank you
I want to allow user to surf for 1 hour and for 300MB.
AND there as in if a user have been online for 1 hour but total
traffic is only 100 MB, allow him/her to go online again with maximum
traffic
On 22/08/12 13:39, Ilaria De Marinis wrote:
Thank you
I want to allow user to surf for 1 hour and for 300MB.
If you exceed both limits, you'll be not anymore authorized to access
Internet.
See doc/configurable_failover. There are examples of this. You will need
to use a group {} block
Thank you everybody
this setting works
group {
dailybandwidthcounter {
ok = 2
reject = 1
}
dailycounter {
ok = 2
reject = 1
}
}
regards
Ilaria
On 22/08/12 15:27, Phil Mayers
ajay shekhar wrote:
Does setting Service-Type AVP to Authorize-Only in a RADIUS REQUEST make
FreeRADIUS do only the authorization part?
No. You still need to set 'Auth-Type := Accept' in order to return an
Access-Accept.
I do not know much about of how freeRADIUS works, but I am looking
Hi,
Does setting Service-Type AVP to Authorize-Only in a RADIUS REQUEST make
FreeRADIUS do only the authorization part?
I am using FreeRADIUS Version 2.1.12.
I do not know much about of how freeRADIUS works, but I am looking to get
either of these scenarios working -
Case 1:
authenticate
/active_directory.html)
which works great.
I understand that I cannot authorize using ntlm_auth so I want to set
up the ldap module for authorization, e.g. perform checks on group
memberships.
The ldap bind with the builtin Administrator and also the ldap search
in the basedn for the builtin account
)
which works great.
I understand that I cannot authorize using ntlm_auth so I want to set
up the ldap module for authorization, e.g. perform checks on group
memberships.
I (sort of) solved exactly the same problem. I will post my solution in
MSSCHAP auth + LDAP authorization shortly. Stay
On 04.04.2012 12:30, Andres Septer wrote:
I (sort of) solved exactly the same problem. I will post my solution
in
MSSCHAP auth + LDAP authorization shortly. Stay tuned.
# Note to Andres Septer:
Thanks for your reply, but I fixed my problem by now without giving the
ldap bind user any
Thanks a lot, works like a charm.
On 06.03.2012 at 18:42, Alan DeKok wrote:
Christoph Litauer wrote:
... I don't think this is what I need.
Yes, it is.
I want some kind of requests (the ones including Colubris-AVPair =
ssid:tsunami) to _only_ be handled by dbm, successful or not. I
Dear freeradius users,
maybe you can help me with a - probably simple - problem in authorizing wlan
users. I am using freeradius 1.1.7 (on SLES 10sp4).
My working configuration is able to authorize users with modules dbm and ldap.
Dbm is used for mac-authentication, ldap for 802.1x
Christoph Litauer wrote:
maybe you can help me with a - probably simple - problem in authorizing wlan
users. I am using freeradius 1.1.7 (on SLES 10sp4).
Upgrade to 2.1.12.
My working configuration is able to authorize users with modules dbm and
ldap. Dbm is used for mac-authentication
that, but ...
My working configuration is able to authorize users with modules dbm and
ldap. Dbm is used for mac-authentication, ldap for 802.1x-authentication.
For some reason I need to reduce the number of requests our ldap server(s)
gets. The actual configuration checks a mac address against
Christoph Litauer wrote:
... I don't think this is what I need.
Yes, it is.
I want some kind of requests (the ones including Colubris-AVPair =
ssid:tsunami) to _only_ be handled by dbm, successful or not. I read your
suggestion as check against dbm. If successful return, if not check
= no
}
Module: Checking authorize {...} for more modules to load
Module: Linked to module rlm_realm
Module: Instantiating module suffix from file
/etc/freeradius/modules/realm
realm suffix {
format = suffix
delimiter = @
ignore_default = no
ignore_null
nothing, only adding the attribute in
radgroupcheck is sufficient. In FreeRADIUS 1.1.7, my job partner doesn't
need to do extra configuration.
Thanks again.
Regards,
Toni.
Hi all,
I notice that when rlm_eap_tls checks the user's certificate, it does so in the
authenticate section instead of the authorize section, and in the process none
of the fields in the certificate are available to other modules until post_auth.
Would there be any ill effects
Graham Leggett wrote:
I notice that when rlm_eap_tls checks the user's certificate, it does so in
the authenticate section instead of the authorize section,
It does it when it decodes the EAP packet, and does the SSL stuff.
This is due to how the EAP module is designed.
and in the process
On 10 Jan 2012, at 2:27 PM, Alan DeKok wrote:
Would there be any ill effects if the rlm_eap_tls certificate parsing was
moved from the authenticate section to the authorize section?
Likely not. But the difficulty is doing that *only* for the EAP-TLS
code. The EAP modules currently do
I am confused, as to the layout of the users file. I have a simple:
DEFAULT Auth-Type = System
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-MTU = 1500
yet, when I start radius (in debug), and attempt a dial-in, it nags the
following:
WARNING: Empty authorize
the
following:
WARNING: Empty authorize section. Using default return values.
You edited the default configuration and broke it. Don't do that.
ERROR: No authenticate method (Auth-Type) founf for the request:
Rejecting the user
Again, this comes only if you edit the configuration and break it.
So
radiusd -X
Default install will work. Ensure you have at least 'default' virtual server in
sites-enabled
alan
--
Message may be brief as it has been sent from my mobile
), and attempt a dial-in, it nags the
following:
WARNING: Empty authorize section. Using default return values.
You edited the default configuration and broke it. Don't do that.
Actually, I loaded the freeradius from the freebsd ports system, and IT
never placed any of the raddb folders sub
Jim Pazarena wrote:
Actually, I loaded the freeradius from the freebsd ports system, and IT
never placed any of the raddb folders sub folders OR CONTENTS in
place.
Well... that's broken.
I didn't know that; so I started commenting out the sections in the
radiusd.conf which would not
Hi all,
I apologize in advance if this question has been answered previously
but I have searched extensively and cannot find discussion of this
particular topic.
What I am wanting to setup, at least initially, is a WPA2 enterprise
(802.11i) wireless access point that will authorize ANY user
point that will authorize ANY user (accept
all credentials/username-password combinations) and thereby provide
encrypted wireless access as well as confirmation of the access
point's identity, but not restrict which users can connect.
Your body doesn't mention PEAP, but your subject does. If you have
Fred fred.mai...@gmail.com wrote:
If I want to test those values, I used to do something like :
if ( Ldap-Group == AdminRW ) { do something }
This makes a new ldap access to be done by the server for an array
attribute which has already been retrieved by server.
Is there any other way to
Hi all,
When using ldap with freeradius, radiusGroupName attributes can be
retrieved during execution of ldap module.
groupname_attribute = radiusGroupName
groupmembership_filter =
((uid=%{%{Stripped-User-Name}:-%{User-Name}})(objectclass=radiusProfile))
trying to do mac authorization as per
http://wiki.freeradius.org/Mac-Auth#Mac-Auth+authorisation+by+SSID+SQL
In fact my attempt is much simpler as I just have a very simple table
containing the mac address of system to accept. My conf looks like that:
authorize {
...
# newer authorized
Here is the module:
sql sql_local {
database = mysql
driver = rlm_sql_${database}
server = localhost
login = radius
password =
radius_db = radius-MAB
read_groups = no
sqltrace = yes
Of course!
Didn't instantiate it properly!
Thanks!
On Fri, Aug 26, 2011 at 9:31 AM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
Here is the module:
sql sql_local {
database = mysql
driver = rlm_sql_${database}
server = localhost
login =
Hi,
I am trying to do mac authorization as per
http://wiki.freeradius.org/Mac-Auth#Mac-Auth+authorisation+by+SSID+SQL
In fact my attempt is much simpler as I just have a very simple table
containing the mac address of system to accept. My conf looks like that:
authorize {
...
# newer
#Mac-Auth+authorisation+by+SSID+SQL
In fact my attempt is much simpler as I just have a very simple table
containing the mac address of system to accept. My conf looks like that:
authorize {
...
# newer authorized macs
if(%{sql_local:SELECT COUNT(mac) FROM authorized_macs
Hi,
I'm currently trying to implement an authorization process only, between a
Cisco GGSN and Freeradius.
My idea is for the freeradius to authenticate regardless of the MS (IMSI)
and after authentication it Queries a Postgresql Database based upon IMSI to
get the IP Pool that he will be used.
On 26/05/11 12:06, Pedro Costa wrote:
But my issue is that i'm not able to authenticate (regardless of the
IMSI - No database query is required for this) and execute the SQL XLAT
being (the SQL SELECT that will get the IP Pool name for the specific IMSI).
Why not? Be specific. Tell us what
Hello friends,
I am running pam_radius_auth.so client on one machine and freeRadius
server on the other machine.
Authentication is happening fine for the user accounts. I want to give certain
privilege levels to each user on client machine.
For example network_admin, security_admin, guest
On Tue, Feb 01, 2011 at 02:33:33PM -0800, Brett Littrell wrote:
The authenticate section is used to just verify that you are who
you are, via certs, username/password, token etc. The authorize
section is where you define the sources for all the information you
want FR
Hey Brian,
Very interesting, I would have thought Authenticate came first then
Authorize since you need to authenticate in order to be authorized. If that is
the case and say you pull the vlan ids from ldap, or some other directory, how
would Freeradius know what those values are prior
Authenticate came first then
Authorize since you need to authenticate in order to be authorized. If that
is the case and say you pull the vlan ids from ldap, or some other
directory, how would Freeradius know what those values are prior to knowing
who you are? Or are you saying that the way
On Wed, Feb 02, 2011 at 07:23:39AM -0800, Brett Littrell wrote:
Very interesting, I would have thought Authenticate came first then
Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is
both
would have thought Authenticate came first then
Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is
both a request for authentication and authorization. An Access-Reject could
mean either that you weren't
, Brett Littrell wrote:
Very interesting, I would have thought Authenticate came first
then
Authorize since you need to authenticate in order to be authorized.
The RADIUS protocol kind of fuzzes the two concepts: an Accept-Request is
both a request for authentication
Hi All,
I'm trying to find out what to use (if anything) in the authorize
section when authenticating clients via MSCHAP-v2 and AD credentials.
The how-to at deployingradius.com only speaks to the authentication
section.
If I only want to ensure that the username/password credentials are
valid
Hi,
I'm trying to find out what to use (if anything) in the authorize
section when authenticating clients via MSCHAP-v2 and AD credentials.
The how-to at deployingradius.com only speaks to the authentication
section.
If I only want to ensure that the username/password credentials
Right, I do understand the distinction which is why I asked the
question.
I didn't know if the tutorial just assumed everyone was authorized and
then granted access as long as the userid/password matched AD or if
there's something missing that should be addressed in authorize.
Cheers,
Harry
Hi Harry,
So this is the way I understand it.
The authenticate section is used to just verify that you are who you are,
via certs, username/password, token etc. The authorize section is where you
define the sources for all the information you want FR to respond to. So to
just
Thank you very much for your responses.
Conversely, you could comment out/remove the use Data::Dumper line
since you're not using it. It's mainly for debugging and easily
printing the entire contents of an object/array/hash/etc.
Ok, Kevin, I don't use Data::Dumper and I can run Freeradius
Hello,
I have a string attribute named Relaciones in my ldap.
This attribute can have more than one value. Actually I return those values
in the reply:
Sending Access-Accept of id 229 to X.X.X.X port 32796
Relaciones += -11
Relaciones += 03
Relaciones += -01
I want to authorize
to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in authorize module to
check all the attributes Relaciones with a regex, but I don't know how can
I check all the attributes, and how can I stop processing the attributes if I
found
Ana Gallardo wrote:
I want to authorize the access only if there is one attribute Relaciones
with a positive value. So I would like to use unlang in authorize
module to check all the attributes Relaciones with a regex, but I
don't know how can I check all the attributes, and how can I stop
constant RLM_MODULE_REJECT => 0; # /* immediately reject the request */
use constant RLM_MODULE_OK => 2; # /* the module is OK, continue */
sub authorize {
my $attr;
my $valor;
while (($attr,$valor)= each(%RAD_REPLY{'Relaciones'}){
if ($valor =~ /^([0-9]{2
On 22/10/10 13:16, Ana Gallardo wrote:
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
at /usr/lib/perl/5.10/Data/Dumper.pm line 36
You
On 10/22/10 6:25 AM, Jonathan Gazeley wrote:
On 22/10/10 13:16, Ana Gallardo wrote:
Can't load '/usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so' for module
Data::Dumper: /usr/lib/perl/5.10/auto/Data/Dumper/Dumper.so: undefined
symbol: Perl_sv_cmp at /usr/lib/perl/5.10/XSLoader.pm line 64.
at
return fail
username/password are rejected directly.
Except that the files module never returns fail. See the source code.
This is not what I want. I want that if files fail then check ldap.
How I can configure radius to implement this functionality?
authorize {
...
files
is the right way.
server dialup {
authorize {
preprocess
expiration
logintime
if (Called-Station-Id == 11) {
sql_dialup
pap
}
elsif (Called-Station-Id == 12 %{sql_dialup: SELECT
SUM(acctsessiontime) FROM
t...@kalik.net writes:
What's the difference?
Tbh, I don't even understand the what group queries are. Documentation
seems to be kind of lacking. Not your fault I know, but I don't want you
to
think I haven't tried finding this out for myself!
It's not kind of lacking! You have
.
Anyway, I still have the problem that I'm not having attributes returned.
It's because my two stored procedures are not being run.
I have groupcheck_sp and groupreply_sp which used to get executed in my
old
1.1.x setup in the authorize section but now that doesn't seem to happen.
I
Hi,
I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
I've been making little changes to the config as suggested in the doc and I
managed to get my setup connecting to my mssql backend. However, when I try
and authorize with a user/pass, I get an error - actually more
Hi,
managed to get my setup connecting to my mssql backend. However, when I try
and authorize with a user/pass, I get an error - actually more of a warning.
I've Googled about but although others have had this error I haven't really
seen a good explanation of why it occurs let alone how
Robert White rwh...@globalgossip.net writes:
I'm trying to upgrade my setup from freeradius 1 to freeradius 2.
I've been making little changes to the config as suggested in the doc and I
managed to get my setup connecting to my mssql backend. However, when I try
and authorize with a user
Hi, guys,
I have successfully set up FreeRADIUS server to use Active Directory to
authenticate LAN users.
My authorize{} and authenticate{} section configuration in radiusd.conf
file looks like this:
authorize {
preprocess
eap
mschap
}
authenticate {
Auth-Type
bastardinho69 wrote:
I have successfully set up FreeRADIUS server to use Active Directory to
authenticate LAN users.
My authorize{} and authenticate{} section configuration in radiusd.conf
file looks like this:
If you're using AD for authentication, those sections do *not* look
like
Hi,
I have freeradius 2.0.5 configured to use pam (using kerb) for
user authentication. I am trying to find out if it is possible to
limit access based on ldap groups. I've checked the list archive as
well as the web and am not able to find a solution.
I'd appreciate it very much
Zahid Mehmood wrote:
I have freeradius 2.0.5 configured to use pam (using kerb) for user
authentication. I am trying to find out if it is possible to limit
access based on ldap groups. I've checked the list archive as well as
the web and am not able to find a solution.
Yes. The
@kesm0724
FreeRadius version is?
On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED] wrote:
kesm0724 wrote:
Does the Unresponsive Child in module files component authorize allude
to
something I have misconfigured in the virtual server or a process that is
hung?
The server
in component authorize
@kesm0724
FreeRadius version is?
On Wed, Oct 8, 2008 at 4:22 AM, Alan DeKok [EMAIL PROTECTED]
wrote:
kesm0724 wrote:
Does the Unresponsive Child in module files component authorize
allude to
something I have misconfigured in the virtual server or a process
Does the Unresponsive Child in module files component authorize allude to
something I have misconfigured in the virtual server or a process that is
hung? I can certainly post the debug if it is necessary to troubleshoot
this issue...
Tue Oct 7 12:14:26 2008 : Error: Discarding duplicate
kesm0724 wrote:
Does the Unresponsive Child in module files component authorize allude to
something I have misconfigured in the virtual server or a process that is
hung?
The server is blocked somewhere.
Tue Oct 7 12:14:43 2008 : Error: WARNING: Unresponsive child (id
3054615440
Hi,
I am using freeradius (rlm_perl) for a VoIP system for a long time now
and today I tried to use it for routing purposes as well.
In my authorize function of my perl script I am assigning the routing info
to $RAD_REPLY :
...
my @final_routing
Guillaume Chartrand wrote:
Hi, I want to configure my freeradius to authorize my user with an sql
database or if the user isn’t present it would check in AD.
To be clear: get the password from LDAP, or ask AD about the
*authentication*.
authorize {
sql
if (notfound
Hi
I want Free Radius to authenticate user in my Radcheck table using EAP-TLS
via 802.1x authentication.
Currently it is authenticating users in users.conf file
Regards
Devinder
module
4) test that AD authentication works (ignoring SQL for now)
3) update the authorize section to look like this:
authorize {
preprocess
sql
if (ok) {
update control {
MS-CHAP-Use-NTLM-Auth
works, and (2) if they admitted it was
that easy, their howto pages would be 4 lines long.
You have to change the reference to ldap in sites-available/default.
to the instance name. e.g. ldap_wireless.
In the authorize stanza, then? So I replace
Yes. You replace ldap with ldap_authorize
Chris wrote:
What is the proper way to call a specific LDAP module based on
NAS-IP-Address (or huntgroup, probably)?
authorize {
...
if (NAS-IP-Address == 1.2.3.4) {
ldap_1
}
elsif (NAS-IP-Address == 3.4.5.6) {
ldap_2
to a different message:
What is the proper way to call a specific LDAP module based on
NAS-IP-Address (or huntgroup, probably)?
authorize {
...
if (NAS-IP-Address == 1.2.3.4) {
ldap_1
}
elsif (NAS-IP-Address == 3.4.5.6) {
ldap_2
Sylvain Robitaille wrote:
On the one hand, OH!!! I think I'm starting to understand, but on the
other hand, I appear to still not be doing it quite right. I put into
the authorize section of sites-available/default:
...
However, then the request carries on to the inner-tunnel of the TTLS
... In that case the inner-tunnel isn't printing to debug output
the request as it is received at that point?
Ok, I think I see it now. The debug output from the inner-tunnel starts
here then?
...
rlm_eap_ttls: Session established. Proceeding to decode tunneled attributes.
+- entering group authorize
Sylvain Robitaille wrote:
I apologize if I'm seeming dense, or leaving the impression that I
haven't read documentation that you've already pointed me at. I *have*
read that documentation, but I think the problem is that I'm struggling
to wrap my head around the details, perhaps because it
Hi, I want to configure my freeradius to authorize my user with an sql
database or if the user isn't present it would check in AD.
Here is my conf for now.
authorize {
preprocess
sql
if (notfound) {
ntlm_auth
}
eap
expiration
.
What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query. The users are in various groups, which can be
checked by supplying an LDAP query filter that checks the memberOf
attribute; Users in group
who
think it's hard... because they butcher the default configs.)
What I'm aiming to accomplish, however, is that the FreeRADIUS server
will authorize users for different services based on a slightly
different LDAP query. The users are in various groups, which can be
checked by supplying