Re: Event-Timestamp attribute

2005-05-19 Thread Alexander Serkin
Alan DeKok wrote: Alexander Serkin <[EMAIL PROTECTED]> wrote: No. It takes the time that the packet was received. The Event-Timestamp attribute MAY be a lie. oops. When and why? Have not seen a lie from cisco NASes yet. Set the time wrong on the Cisco box, then look at Event-Timestamp. Set t

ADMIN: lists being moved to a new server

2005-05-19 Thread Miquel van Smoorenburg
In the next few days we will be moving the freeradius-users and freeradius-devel lists to a different server. It will still be mailman, and nobody should notice (famous last words). This is because Cistron Broadband has been sold to XS4ALL Internet at the end of last year, and we've been busy movi

Re: Incorrect User-Name in details accounting records

2005-05-19 Thread Alan DeKok
"CHui" <[EMAIL PROTECTED]> wrote: > Since the Radius accounting start-stop are sent by the access point, does it > mean that the AP (Radius client) uses the "outer identity" for Radius > accounting records? Yes. The inner identity is inside of a TLS tunnel, and the NAS can't see it. > Could

Re: Expiration time of users.

2005-05-19 Thread Julius Igugu
You'll need to run a script to set the 'expiration' when the user first logs in. --- Marcin Jessa <[EMAIL PROTECTED]> wrote: > Hi. > > I set up FreeRadius with MySQL backend and sqlcounter to be able to limit > session time of a user. > It works great but I miss one thing. > I'd like a user to b

Incorrect User-Name in details accounting records

2005-05-19 Thread CHui
I have observed that some of the accounting records in the detail-mmdd file contain “User-Name” value that does not match the ldap user name that was used in the 802.1x authentication.  The details entries corresponding to Mac clients were correct.  But the Windows users running SecureW2 w

Re: (no subject)

2005-05-19 Thread Alan DeKok
"John Riggs" <[EMAIL PROTECTED]> wrote: > The connect type is a PPP connection. I hope this is enough info > this is my first time configuring a radius server. Thanks Run the server in debugging mode, as suggested in the README, INSTALL, and FAQ. Alan DeKok. - List info/subscribe/unsubscri

Re: Freeradius-Users digest, Vol 1 #4631 - 12 msgs

2005-05-19 Thread Matt McFarlane
> > You can't use PEAP unless you have plaintext passwords stored in the > LDAP or NT/LM password hashes. To use LDAP bind to authenticate you will > need to use TTLS with PAP as inner tunnel authentication. This is how > you can configure your clients to use TTLS+PAP > The passwords are reve

RE: ldap huntgroups and groups

2005-05-19 Thread alan walters
>Please post radiusd -X output. Specifically the part on ldap searches and >where the USERS file is matched. Relevant part of radius -X (auth is successful and group correct) rad_recv: Access-Request packet from host 10.250.3.1:56020, id=246, length=188 NAS-Identifier = "radiowavetest.

(no subject)

2005-05-19 Thread John Riggs
The test user “bob” seems to work fine on the box with radtest however it will not work dialing in. The user name and password  will not authenticate the user. We want to use the linux passwd file for user and password authentication. I use “P%username” and Password to log into the working

Re: Noob - Freeradius, wireless access point authentication

2005-05-19 Thread Marcin Jessa
What does radius say when you run it in debug mode? On Thu, 19 May 2005 16:20:35 -0400 Joseph Abadi <[EMAIL PROTECTED]> wrote: > hey, > > I recently installed freeradius 1.0.2 on Ubuntu Warty (kernel 2.6.8). > The idea is to use the radius server with a mysql database to > authenticate users in

RE: Noob - Freeradius, wireless access point authentication

2005-05-19 Thread King, Michael
> -Original Message- > On Behalf Of Joseph Abadi > I then configured the access point, but., when I > try to join the wireless network on a win xp client, it hangs > ... no authentication happens, it never prompts me for a > username or a password. It simply hangs stating that "win

Noob - Freeradius, wireless access point authentication

2005-05-19 Thread Joseph Abadi
hey, I recently installed freeradius 1.0.2 on Ubuntu Warty (kernel 2.6.8). The idea is to use the radius server with a mysql database to authenticate users into a wireless network, using a 3com access point. The configuration seems straightforward (uncomment sql in the authorize and accounting sec

Expiration time of users.

2005-05-19 Thread Marcin Jessa
Hi. I set up FreeRadius with MySQL backend and sqlcounter to be able to limit session time of a user. It works great but I miss one thing. I'd like a user to be able to login for say 12 hours but the user account itself would expire after one day after his first login, even if the 12 hours tim

Re: Proxying on Realm and NAS?

2005-05-19 Thread Alan DeKok
"Palmer J.D.F." <[EMAIL PROTECTED]> wrote: > Could someone tell me if it's possible to use Freeradius to proxy radius > requests to different radius servers depending on a combination of a user's > realm and the originating NAS-IP-Address; or any other distinguishable NAS > variable for that matter

Re: Event-Timestamp attribute

2005-05-19 Thread Alan DeKok
Alexander Serkin <[EMAIL PROTECTED]> wrote: > > No. It takes the time that the packet was received. The > > Event-Timestamp attribute MAY be a lie. > > oops. When and why? Have not seen a lie from cisco NASes yet. Set the time wrong on the Cisco box, then look at Event-Timestamp. It happ

Re: Using a shell script for authentication

2005-05-19 Thread Alan DeKok
Thomas Boutell <[EMAIL PROTECTED]> wrote: > Okay, but how do I pass the good or bad news back to radius at the > end of my script? Exit status? Standard output? And how would I > hook this into authorization? A really useful example would > be great, scripts/exec-program-wait Alan DeKok. -

RE: x99 token authentication

2005-05-19 Thread Guy Davies
Yes. Their demo tokens *are* software tokens. You must install the EUS to be able to enter your PIN associated with their tokens and obtain an OTP from the token. You can then enter the OTP as your password in response to the challenge from the RADIUS server. Some applications also have plugins

Re: WinXP 802.1X/Radius/eDir (LDAP)

2005-05-19 Thread Vladimir Vuksan
Matt McFarlane wrote: Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from wireless user behind HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However when using the 802.1X supplicant I get th

Re: Event-Timestamp attribute

2005-05-19 Thread Alan DeKok
Alexander Serkin <[EMAIL PROTECTED]> wrote: > And finally i can modify the timezone presentation by Solaris zone > info compiler so that it would be +0400, but radiusd modifies it > into =2B0400, and that confuses oracle completely: Look for "safe" in sql.conf. Alan DeKok. - List info/subsc

Re: x99 token authentication

2005-05-19 Thread Maqbool Hashim
Thanks. Is there no way that you can get away from installing their software? I suppose you have to install the software if you want to initialize the tokens, right? Guy Davies wrote: Hi Maqbool, It's easier to use PAP and simply proxy the requests to the (very trivial) RADIUS frontend on the

Re: Using a shell script for authentication

2005-05-19 Thread Dustin Doris
On Thu, 19 May 2005, Thomas Boutell wrote: > Dustin Doris wrote: > > > Check out exec echo in radiusd.conf. That is an example using exec to run > > a script. > > > > Read variables.txt in doc/ > > > > For your first script, make it this. > > #!/bin/sh > > printenv > /tmp/example > > > > It passe

RE: x99 token authentication

2005-05-19 Thread Guy Davies
Hi Maqbool, It's easier to use PAP and simply proxy the requests to the (very trivial) RADIUS frontend on the CRYPTOCard server. I've got that working with EAP-TTLS/PAP. The inner PAP auth carries the username/otp generated from the CRYPTOCard EUS. Rgds, Guy > -Original Message- > Fro

Re: Using a shell script for authentication

2005-05-19 Thread Thomas Boutell
Dustin Doris wrote: Check out exec echo in radiusd.conf. That is an example using exec to run a script. Read variables.txt in doc/ For your first script, make it this. #!/bin/sh printenv > /tmp/example It passes all the variables to your script as environmental variables. This will show you. Okay,

x99 token authentication

2005-05-19 Thread Maqbool Hashim
Hi, I have downloaded a trial version of the Cryptocard software from the website. This comes with 10 software tokens. I am trying to get these tokens to work with the x99 module in freeradius. Anyone have any ideas on how to extract the key for the Software tokens? The cryptocard software g

Proxying on Realm and NAS?

2005-05-19 Thread Palmer J.D.F.
Hi, Could someone tell me if it's possible to use Freeradius to proxy radius requests to different radius servers depending on a combination of a user's realm and the originating NAS-IP-Address; or any other distinguishable NAS variable for that matter. I have two types of NAS and what I'm trying

RE: ldap huntgroups and groups

2005-05-19 Thread Dustin Doris
On Thu, 19 May 2005, alan walters wrote: > I am attempting to work this out. I have the following set in my modules in > ldap of the radiusd.conf > > groupname_attribute = cn > groupmembership_attribute = radiusGroupName > > I have this in my users file. > > DEFAULT Ldap-Group == lisdoonvar

Re: Using a shell script for authentication

2005-05-19 Thread Dustin Doris
On Thu, 19 May 2005, Thomas Boutell wrote: > Alan DeKok wrote: > > > You can always have a shell script do the authentication for you. > > It can run ntlm_auth, and if that returns "notfound", it can then run > > "radclient" to send the request to another RADIUS server. It's ugly, > > but it wi

RE: ldap huntgroups and groups

2005-05-19 Thread alan walters
I am attempting to work this out. I have the following set in my modules in ldap of the radiusd.conf groupname_attribute = cn groupmembership_attribute = radiusGroupName I have this in my users file. DEFAULT Ldap-Group == lisdoonvarna Huntgroup-Name == internet, User-Profile :=

RE: HuntGroups & MySql

2005-05-19 Thread Danny Stewart
> Sent: Tuesday, May 17, 2005 3:50 PM > FreeRADIUS' use of groups in the sql module is not the same as > using Unix groups in the users file. You cannot create > separate check conditions in separate SQL groups and then > send only the reply elements from that same group. Mike: Thanks for

RE: reading reply-message with cisco

2005-05-19 Thread Lucas Aimaretto
> The function infotag get aaa_avpair x returns the value > of the x attribute from the radius' reply attributes, you > can use it for any attribute of the radius' reply string, > they're defined by the tcl/ivr standard api from cisco, i > mean, it's included in the IOS of the NAS, this

Using a shell script for authentication

2005-05-19 Thread Thomas Boutell
Alan DeKok wrote: You can always have a shell script do the authentication for you. It can run ntlm_auth, and if that returns "notfound", it can then run "radclient" to send the request to another RADIUS server. It's ugly, but it will work. Actually that would be very straightforward for me. But

Re: Certificate Revocation List (EAP/TLS)

2005-05-19 Thread freeradius
it doesn't work with these options. without "check_crl = yes" it works fine. the tls section looks like that: tls { private_key_password = ** private_key_file = ${raddbdir}/certs/[EMAIL PROTECTED] certific

Re: Multiple Ldap servers

2005-05-19 Thread Kostas Kalevras
On Wed, 18 May 2005, Matthew Hunter wrote: How do I get freeradius to check both ldap servers for a user. I have ldap configured already for redundancy but I want it to look at the first ldap server and if the user is not found then check the second ldap server. Yes. See doc/configurable_failover

Counter for bandwidth?

2005-05-19 Thread J.F
Hi all I'd like to set up monthly bandwidth limits per user. I've seen a few questions about this, but few answers and there doesn't seem to be any documentation on it. I'm assuming this could be done by modifying the counter module to use bandwidth instead of time values? Has anyone got a working

How to setup 'any attribute' in attr_filter

2005-05-19 Thread David Manchado
Hello, I would like to perform some control over the attributes returned post-proxy in a realm but let any attribute return for the other realms. my ${confdir}/attrs is: realm1 Service-Type == Framed-User, Login-Service =* ANY, Login-TCP-Port =* ANY, Framed-IP-Address

Openssl problem

2005-05-19 Thread Jefri bin Dahari
Hi guys,   I try to implement EAP-TLS for wireless users. My server is Redhat 7.3. I use Freeradius 1.0.0 and Openssl 0.9.7b. I have been trying and reading Freeradius archive e-mails for a couple of months but my system still isn't up. I compile with ./configure --with-openssl-includes=/us

Accounting With Nocat Failed

2005-05-19 Thread zack musa
Hi all. I'm using Linux RedHat 8, installed with NoCAT authentication server and gateway operating in ONE machine. I'm using Mysql as Accounting server and database. RADIUS server and MySQL server operates within the same machine (but separate machine from NOCAT). We are using Sun Sparc 5 with sola