Cisco IOS and Chap

2004-03-03 Thread Christoph Galuschka
Hello, if I'm not wrong, Dial-In CHAP Authentication with Cisco IOS 11.2 and freeradius did not work well together. Does anybody know if this problem is solved on the side of freeradius, or which Cisco IOS has to be used to make it work? thanks and regards Christoph Galuschka

Re: What is needed to compile FreeRadius ?

2004-03-03 Thread Paul Hampson
On Tue, Mar 02, 2004 at 02:28:16PM -0800, Aime wrote: I installed the libc6-dev and could go further. In fact as i was having problem compiling , i use Paul's debian package at www.tbble.com/freeradius but could not find rlm_sqlcounter that i would like to try. Now how can i compile only a

Session-Timeout and Cisco

2004-03-03 Thread Andrew E. Guly
FreeRadius 0.9.0, Cisco 3640 as client. I'm using freeradius to authenticate dialup users. An external perl script checks the user's account in the database, calculates the $acct_session_timeout variable and outputs a text string with this: print "Session-Timeout = ".$acct_session_timeout."\n"; But Cisco doesn't drop

Re: Freeradius/Cisco and EAP?

2004-03-03 Thread Pierluigi Frullani
I'm trying to get EAP/TLS working, and not having a lot of luck. Anyone have any pointers? Here's what I've got so far: Installed freeradius-0.9.3.tar.gz Figured out how to get it to compile the EAP TLS libs In 0.9.3 there is a bug that would not let eap/tls work. Download a fresh cvs

RE: Session-Timeout and Cisco

2004-03-03 Thread Mustafa N. Deeb
Seems like a Cisco Authorization Problem. Make sure you send Service-Type := Framed-User as a reply item also. Otherwise the Cisco will not like it. Cheers ~~ Mustafa N. Deeb Technical Director Palnet Communications Ltd. Tel: +970-2-2403434 Fax: +970-2-2403430

RE: Session-Timeout and Cisco

2004-03-03 Thread Truong Manh Cuong
Hi Mustafa I've added Service-Type:= Framed-User in radreply table. But nothing changed. I use cisco 3660 router. I think it must have the reason that Session-Timeout was defined in radreply table. But I can not use this option. Can you explain to me? I change Session-Timeout = 100, and after

RE: Session-Timeout and Cisco

2004-03-03 Thread Mustafa N. Deeb
Hi. First, you need to make sure that you get the correct Radreply Items using Radtest. 2nd, debug aaa authorization.. while you connect, and if you see errors there, you need to consult the cisco Documentation. Cheers ~~ Mustafa N. Deeb Technical Director Palnet

RE: Session-Timeout and Cisco

2004-03-03 Thread Truong Manh Cuong
Hi, I use radtest: radtest [EMAIL PROTECTED] abcd local 0 testing123. AAA debug: Sending Access-Accept of id 126 to 127.0.0.1:32842 Session-Timeout := 6324 Service-Type := Framed-User Framed-Protocol := PPP .. the same result in radtest. Could you please give me some advice. Thanks and

RE: Session-Timeout and Cisco

2004-03-03 Thread Mustafa N. Deeb
Did your cisco complain? ~~ Mustafa N. Deeb Technical Director Palnet Communications Ltd. Tel: +970-2-2403434 Fax: +970-2-2403430 www.palsms.com www.paltime.net www.palnet.com

RE: SSL problem

2004-03-03 Thread Tom Rixom
Ok, I installed openssl-0.9.7c on a clean system (no previous openssl installed) and set the directories in the configure command, but it seems it cannot find certain files and/or attributes in files. When checking for files it for example says that it can find the openssl.h file but cannot find

RE: multiple repliItems from ldap

2004-03-03 Thread Tariq Rashid
thank you for the reply - but where do these additional operators go? also - does this mean that the number of values that an ldap attribute has can not be variable? using the example given (value1 .. value3) we can't cope with a 7 valued ldap attribute? tariq

RE: multiple repliItems from ldap

2004-03-03 Thread Tariq Rashid
as a diagnostic note - the debugging output from radiusd -x does show that all the attributes are read from the ldap server and the code itself ( modules/rlm_ldap/rlm_ldap.c ) suggests that all of these should be added to the packet data structure... i'm now trying to find the point between this

FreeRadius + Cisco VPN3000 Concentrator + LDAP directory

2004-03-03 Thread Patrice P.
Anybody do/did this? especially, how to send back Radius attribute 25 (user group) from a specific LDAP attribute to the Cisco VPN 3k through FreeRadius? My conf: 1. clients.conf: client 10.0.0.0/8 { secret = test shortname = my-network } 2. dictionary: ATTRIBUTE

Re: SSL problem

2004-03-03 Thread Rok Papez
Hello Tom! Tom Rixom wrote: I installed openssl-0.9.7c on a clean system (no previous openssl installed) and set the directories in the configure command, but it seems it cannot find certain files and/or attributes in files. When checking for files it for example says that it can find the

RE: SSL problem

2004-03-03 Thread Tom Rixom
Hi Rok, Thanks, but I have done exactly the same... but I get the following: ./configure --with-openssl-libraries=/usr/local/ssl/lib/ --with-openssl-includes=/usr/local/ssl/include/ checking for openssl/ssl.h... yes checking for openssl/err.h... no checking for openssl/crypto.h... no checking

freeradius capable of using NTLM authentication?

2004-03-03 Thread Gerry Gysbers
A vendor has expressed interest in providing dial-up access for our institution. They would provide their own proxy-radius server, which would then talk to our radius server (not installed yet), for authentication. Our radius server would need to cut log records (session times) and

Cisco EXEC authentication

2004-03-03 Thread Jay_Kreiss
Hi, I am running freeradius-0.9.3 on RedHat 9.0. I have found your documentation and faq page very helpful, however I cannot find an answer to one question. Can Radius pass a privilege level back to a Cisco switch so that users are automatically enabled into EXEC mode? I have been trying to

what is State Attribute Proxy-State Attribute

2004-03-03 Thread amekrani
Hi ALL, We are in the process of the initial SRS phase for implementation of a RADIUS server through RFC 2865. Please can anybody let me know what is the purpose of the State attribute and Proxy-State attribute. The example in RFC 2865 confuses me, as it is taken for magic cookies. One more query in mind is

DynDNS name in clients.conf IP cache problem

2004-03-03 Thread John Eckert
Hello freeradius-users, I have a DynDNS name in my clients.conf file for my AP2500. This is necessary because I get a new ip every night. The problem is that my freeradius works perfectly as long as the ip behind the DynDNS name is the same as it was when I started the freeradius

Re: Customizing accounting KeepAlive Responses

2004-03-03 Thread Alan DeKok
kiel hedjam [EMAIL PROTECTED] wrote: the debugging mode didn't say nothing I doubt that very much. In the meantime I looked up the source code (very easy to read and well commented) and saw that this spec was implemented thanks to the rfc_check() function, called just after the building

Re: Freeradius/Cisco and EAP?

2004-03-03 Thread Alan DeKok
Shawn Laemmrich [EMAIL PROTECTED] wrote: Radius starts ok, and the computer associates with the AP, then I get EAP retry limit reached for Station [MY-IP] MY-MAC-ADDRESS watching the radius logs scroll by, I don't really see any thing that looks like an eap request. You should see

Re: 802.1x WEP keys

2004-03-03 Thread Alan DeKok
Vincent Chen [EMAIL PROTECTED] wrote: Is there any way that I can see the current WEP key so I can confirm both devices are using the new WEP key after timeout? No. They do renegotiate a new WEP key after session timeout happens, do they? Yes. Alan DeKok.

Re: Cisco IOS and Chap

2004-03-03 Thread Alan DeKok
Christoph Galuschka [EMAIL PROTECTED] wrote: if I'm not wrong, Dial-In CHAP Authentication with Cisco IOS 11.2 and freeradius did not work well together. Why? Lots of people are using it without a problem, so far as I know. Alan DeKok.

RE: SSL problem

2004-03-03 Thread Tom Rixom
Ok, I think I have just tried every version of openssl there is and still no luck. If I manually override the Makefile of course everything works... but why is my openssl config messing up the configure script? If I comment out all the checks for SSL_new in the configuration file, again it works...

Re: SSL problem

2004-03-03 Thread Alan DeKok
Tom Rixom [EMAIL PROTECTED] wrote: When checking for files it for example says that it can find the openssl.h file but cannot find the files crypto.h, engine.h and so forth. But if I look, the files are there... Look in the 'config.log' file, to see what it was doing, and what

Re: freeradius capable of using NTLM authentication?

2004-03-03 Thread Alan DeKok
Gerry Gysbers [EMAIL PROTECTED] wrote: A vendor has expressed interest in providing dial-up access for our institution. They would provide their own proxy-radius server, which would then talk to our radius server (not installed yet), for authentication. Our radius server would need to

Re: DynDNS name in clients.conf IP cache problem

2004-03-03 Thread Alan DeKok
John Eckert [EMAIL PROTECTED] wrote: My assumption is that when freeradius starts it checks the ip for the DynDNS name in clients.conf and caches it. There is no renew during runtime. Is that correct? Anybody having the same problem and a solution. Yes. You can work around it

RE: Cisco EXEC authentication

2004-03-03 Thread Stadler Karel
You should use Cisco AV-Pairs, which are covered in dictionary.cisco. Example:

steve Auth-Type := Local, User-Password == "testing"
      Service-Type = Shell-User,
      Cisco-AVPair = "shell:priv-lvl=15"

This will put user steve immediately in enable mode. Have fun ... rgds Karel Stadler

Re: Session-Timeout and Cisco

2004-03-03 Thread Guy Fraser
Try Session-Timeout = 1234. If the debug info from the cisco is correct, then the data sent to the cisco shouldn't work. To the best of my knowledge cisco doesn't understand the := operator. := is a rlm_sql operator and should not be sent in a radius response. By the time the data is ready to

Framed-IP-Netmask attribute with rlm_sql

2004-03-03 Thread Mike Bartling
Hello, I'm using rlm_sql with FreeRADIUS 0.9.3, everything is working well except that the following attribute and value seem to be added automatically to the authorization reply: Framed-IP-Netmask = 255.255.255.255 I have not got this entry in the tables specified by either

Re: freeradius capable of using NTLM authentication?

2004-03-03 Thread 3APA3A
Dear Gerry Gysbers, There are 2 different things: NTLM authentication of remote access (it's, in fact, MS-CHAP) and authentication against Windows NT domain. FreeRADIUS supports each one, but not together. --Wednesday, March 3, 2004, 6:00:43 PM, you wrote to [EMAIL PROTECTED]: GG A

Re: Session-Timeout and Cisco

2004-03-03 Thread Alan DeKok
Guy Fraser [EMAIL PROTECTED] wrote: To the best of my knowledge cisco doesn't understand the := operator. := is a rlm_sql operator and should not be sent in a radius response. It isn't sent in the packet, so it's irrelevant. By the time the data is ready to send the radius response the :=

Re: Framed-IP-Netmask attribute with rlm_sql

2004-03-03 Thread Alan DeKok
Mike Bartling [EMAIL PROTECTED] wrote: I'm using rlm_sql with FreeRADIUS 0.9.3, everything is working well except that the following attribute and value seem to be added automatically to the authorization reply: Framed-IP-Netmask = 255.255.255.255 Nothing in the standard configuration

ldap group authorization...HELP!!!

2004-03-03 Thread Tre Johnston
I am having problems with radius grabbing the group memberUid attribute from ldap and deny initial access to routers users based on the group they are in. Below is a copy of the ldap configuration I have in my radiusd.conf file, also I have enabled ldap in the auth section. Any help would be

RE: ldap group authorization...HELP!!!

2004-03-03 Thread Tre Johnston
Added note: my config file is not referencing the users file for anything. Tre

RE: multiple repliItems from ldap

2004-03-03 Thread Kostas Kalevras
On Wed, 3 Mar 2004, Tariq Rashid wrote: thank you for the reply - but where do these additional operators go? also - does this mean that the number of values that an ldap attribute has can not be variable? using the example given (value1 .. value3) we can't cope with a 7 valued ldap

Re: peap + freeradius093 + Windows XP : module eap returns handled

2004-03-03 Thread Marcin Kucharczyk
Hello Wilfried, You wrote: WQ ... WQ Module: Loaded eap WQ eap: default_eap_type = mschapv2 WQ eap: timer_expire = 60 WQ eap: ignore_unknown_eap_types = no WQ rlm_eap: Loaded and initialized type md5 WQ ... I think it should be: eap: default_eap_type = peap btw: As I know FreeRADIUS

RE: ldap group authorization...HELP!!!

2004-03-03 Thread Tre Johnston
I am going through that three times, but the radius server isn't referencing my huntgroups file to see which groups have access and which do not. I have it watching for whether something is in the radiusGroupNames dn for the user, but I either want it to look there for the huntgroup, or reference the

Re: Missing /usr/lib/rlm_sql_mysql.so file in Fedora Linux YARROW release

2004-03-03 Thread Patrick McShane
Sorry about the freeradius MySQL question. I should have checked the package list at one of the Redhat Fedora Linux mirror sites before asking. The additional packages for freeradius include MySQL support. They simply need to be added from the included rpms on the YARROW CD set. One of the

RE: Session-Timeout and Cisco

2004-03-03 Thread Truong Manh Cuong
Yes, it has rlm_sqlcounter. And I am trying to read document about it, because I don't know how to use rlm_sqlcounter. Thanks for your response. Manh Cuong. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Guy Fraser Sent: Wednesday, March 03, 2004

RE: ldap auth: requiring group membership

2004-03-03 Thread Sam Silvester
It's been a while since I was working on this, and I've made some further progress but FreeRADIUS is still not doing what I'm after. It is successfully sending back an Access-Accept packet or Access-Reject packet as I would like, but none of the reply attributes that correspond to the group that

FaQ question?

2004-03-03 Thread ask
Hi all, I checked the FAQ 1.4 and section 2.1: "The freeradius is in beta and not for public use". Is it old information? I would like to have this radius server for DSL authentication as a production server. Thank you

Re: Special users only allowed to login to certain ras ports

2004-03-03 Thread JAMIE CRAWFORD
Ok. I got the presidentlogin working for certain port numbers. Works great. One more question though, what if I also wanted the vicepresidentlogin to be able to login to those nas port numbers. For example: #NAS PORT 3 = 1800xxx DEFAULT Nas-Port == 3, User-Name != presidentlogin, Auth-Type

RE: FaQ question?

2004-03-03 Thread Sam Silvester
I think you'll find there are plenty of examples of it being used in a production environment - I think that is just more of a "Don't blame us if something goes wrong" clause :D