Alan DeKok wrote:
Patric wrote:
I just want to clarify, if I set the reject_delay to 0, and in my
external script the only thing I do is exit(1);, then freeradius will
return a reject response to the NAS?
It will send a reject to the NAS.
Thanks Alan, you're an absolute gem!
Patrick
Alan DeKok wrote:
Patric wrote:
I just want to clarify, if I set the reject_delay to 0, and in my
external script the only thing I do is exit(1);, then freeradius will
return a reject response to the NAS?
It will send a reject to the NAS.
Sorry if I'm flogging a dead horse here...
I
Alan is right,
under www.unix.gr you can find some stats phps I wrote for FR+mysql,
small reports are fine indeed, large multi table selects with MyISAM
tables lock the tables
and freeradius starts timing requests out.
The reports are nice though :-)
You see, I know
Can any one recommend a signed certificate provider whose certificates work
with the
Microsoft 802.1x client. I currently have a system that works fine with a self
signed certificate
but fails to work with a Digicert signed certificate, so we are looking to
Hi,
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
User-Password = TestUser
NAS-Port-Type = Virtual
NAS-Port = 1010101010
NAS-Port-Id = x/x/x/xx.xxx
Connect-Info = AutoShapedVC
Service-Type = Framed-User
Hi,
do you mean a RADIUS *Server* certificate?
Show us the
openssl x509 -noout -text -in your-cert.pem
output of your certificate that is currently not working and we can make a
guess why it might not be working.
From the vendor website I can't work out which keyusage extensions and/or
Netscape
We are starting with wireless soon, so I planned to adapt monthlycounter
sqlcounter:
query = SELECT SUM( AcctInputOctets + AcctOutputOctets) FROM radacct
WHERE UserName='%{%k}' AND AcctStartTime FROM_UNIXTIME('%b')
Remove reply-name, change check-name to Max-Monthly-Octets and check with:
I'm trying to use newsyslog on FreeBSD 6.2/freeradius-1.1.6 to rotate my log
files and ensure I will never exceed a certain logfile size. My
newsyslog.conf file says
/var/log/radius/radius.log barry:admin 640 101
*J/var/run/radiusd/radiusd.pid
yupes you are right... it can't stop user from going over the limit,
but I need to kick while the limit reached as time session...
Anybody had success with this? Please tell me how
2007/5/18, [EMAIL PROTECTED] [EMAIL PROTECTED]:
We are starting with wireless soon, so I planned to adapt
[EMAIL PROTECTED] wrote:
you have various other attributes in your real production system - perhaps
you have matching DEFAULT values (eg in users file) which are aiding the
access accept?
If that were the case, then wouldn't this eliminate the problem:
My radiusd.conf authorize section
Arjuna Scagnetto wrote:
can someone tell me a good tutorial about making freeradius work with
ldap and peap on an 802.1x architecture?
Get LDAP working with PAP authentication, but NOT using ldap bind.
Get PEAP working with passwords in the users file.
Try PEAP with a user
Appears virtual modules can't be used with dynamic expansion.
WARNING: Unknown module redundant_sql_clients in string expansion
%{redundant_sql_clients:SELECT
EXPORT_SET(master.nas_flags,'1','0','',20) FROM `master` WHERE ip1 =
'%{1}' AND ip2 = '%{2}' AND ip3 = '%{3}' AND ip4 = '%{4}' LIMIT
As per my ramblings below, I ran the server in debug level 3, and one
can see that it is the correct DEFAULT entry that it is picking up :
rad_recv: Access-Request packet from host xxx.xxx.xxx.xxx:1820, id=80,
length=139
Framed-Protocol = PPP
User-Name = [EMAIL PROTECTED]
Arran Cudbard-Bell wrote:
Appears virtual modules can't be used with dynamic expansion.
They can't. They're just used to avoid repetitive cut & paste,
nothing more.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
Arjuna Scagnetto wrote:
...
PEAP with user whose password is in LDAP
...
userPAssword: {SSHA}tymetcetcetc
This WILL NOT WORK. See:
http://deployingradius.com/documents/protocols/compatibility.html
use clear-text passwords in LDAP. If you can't put clear-text
passwords in LDAP, stop
nikitha george wrote:
I am seeing a very serious memory leak issue with freeradius-1.1.6. The
memory usage of freeradius went from 3386 bytes to 64MB when I was trying
to connect 16 clients with roaming interval of 1 second. More
Access-Requests are coming and we keep saving those requests until
Phil Brown wrote:
Can any one recommend a signed certificate provider whose certificates work
with the
Microsoft 802.1x client. I currently have a system that works fine with a
self signed certificate
but fails to work with a Digicert signed certificate, so we are looking to
purchase a
Angelos Karageorgiou wrote:
You see, I know FR, mysql, postgres, postfix and all the OSS incantations I
need a power point presentation
of all this knowledge, and no Peter I cannot hire you.
I'm writing the book for precisely this reason.
I'm up to about 150 pages right now, and getting
Angelos Karageorgiou wrote:
I have deployed freeradius with mysql backends in the past with great
success (100K users etc.)
but the current people being insecure prefer to fork out 50K euros /
year for oracle RAC licenses
instead of looking into an unsupported platform
That is FUD from
as a general rule of thumb, always use clear text in the ldap databases
where you are trying to offer enhanced password protection like
cram-md5 even chap etc.
You need the original data to calculate the hashes from.
Alan DeKok wrote:
Arjuna Scagnetto wrote:
...
PEAP with user
A good one for you,
when using an rlm_sql module if the sql server is down the module fails
to instantiate and FR does not start at all.
Is there a way to force instantiation of rlm_sql no matter the status of
the sql server.
Specifically I am trying to do
redundant {
sql
fastusers
barry steyn wrote:
Now in my particular case when newsyslog runs from cron it finds that
radius.log, sqltrace.sql and one of the radacct/*/* files have exceeded
their filesize, so it renames them (*.log.n), touches a new file, in the
case of radius.log sends a SIGHUP to radiusd and then
Alan DeKok wrote:
It's a bug in 1.1.x. It's fixed in 2.0.0
Ah great, at least that explains it! I see the latest public release is
1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable
enough to run in production yet? If not any ETA?
Otherwise can you suggest any
On 5/18/07, Alan DeKok [EMAIL PROTECTED] wrote:
Jack J Allen wrote:
Now in my particular case when newsyslog runs from cron it finds that
radius.log, sqltrace.sql and one of the radacct/*/* files have exceeded
their filesize, so it renames them (*.log.n), touches a new file, in the
case of
Ah great, at least that explains it! I see the latest public release is
1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable
enough to run in production yet? If not any ETA?
See the main web page? It's all there...
It seems to be in the news section on all the pages
Patric wrote:
Ah great, at least that explains it! I see the latest public release is
1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable
enough to run in production yet? If not any ETA?
See the main web page? It's all there...
Otherwise can you suggest any previous
Got the requested openssl output via pm.
PKIX extendedKeyUsage is set OK.
Additionally Netscape Cert Type is set accordingly to EKU.
But:
It is a wildcard certificate.
And the SubjectDN contained among commonly used RDNs (like C, ST, L, O, OU
and CN) a few RDNs that are rarely used in
Alan DeKok wrote:
Arjuna Scagnetto wrote:
...
PEAP with user whose password is in LDAP
...
userPAssword: {SSHA}tymetcetcetc
This WILL NOT WORK. See:
http://deployingradius.com/documents/protocols/compatibility.html
use clear-text passwords in LDAP. If
Angelos Karageorgiou wrote:
as a general rule of thumb, always use clear text in the ldap databases
where you are trying to offer enhanced password protection like
cram-md5 even chap etc.
You need the original data to calculate the hashes from.
Alan DeKok wrote:
Arjuna Scagnetto
Arran Cudbard-Bell wrote:
use clear-text passwords in LDAP. If you can't put clear-text
passwords in LDAP, stop trying to use PEAP.
NO! Calculate the damn NT Hashes... Never put users' clear-text
passwords in LDAP if you can avoid it.
Step 1: Get it to work.
Step 2: Get it to work
On Fri 18 May 2007, Patric wrote:
Alan DeKok wrote:
It's a bug in 1.1.x. It's fixed in 2.0.0
Ah great, at least that explains it! I see the latest public release is
1.1.6, is 2.0.0 available perhaps in the cvs? Would you say it is stable
enough to run in production yet? If not any ETA?
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
use clear-text passwords in LDAP. If you can't put clear-text
passwords in LDAP, stop trying to use PEAP.
NO! Calculate the damn NT Hashes... Never put users' clear-text
passwords in LDAP if you can avoid it.
Step 1: Get it to work.
Step
[EMAIL PROTECTED] wrote:
It seems to be in the news section on all the pages *except* the main one.
Your browser has cached the main page.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
-
List
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Appears virtual modules can't be used with dynamic expansion.
They can't. They're just used to avoid repetitive cut & paste,
nothing more.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
Another solution would be to perform logging via syslog(3), which
absolves radiusd from trapping and handling signals and file handlers.
Syslog-ng already does this very well -- why duplicate all of that code?
~BAS
On Fri, 2007-05-18 at 14:57 +0200, Jack J Allan wrote:
On 5/18/07, Alan DeKok
Alan DeKok wrote:
See the main web page? It's all there...
Read, and understood :] Out of curiosity I did compile the latest
snapshot, and I see that it is fixed, and even returns the correct
status based on what your external script returns (1 - rejected, 4 -
handled, 5 - invalid,
On 5/18/07, Brian A. Seklecki [EMAIL PROTECTED] wrote:
Another solution would be to perform logging via syslog(3), which
absolves radiusd from trapping and handling signals and file handlers.
Syslog-ng already does this very well -- why duplicate all of that code?
~BAS
I've certainly looked
Alan DeKok wrote:
[EMAIL PROTECTED] wrote:
It seems to be in the news section on all the pages *except* the main one.
Your browser has cached the main page.
Alan you're gonna give us all an inferiority complex if you continue to
be right all the time! ;]
Cheers
Brian A. Seklecki wrote:
Another solution would be to perform logging via syslog(3), which
absolves radiusd from trapping and handling signals and file handlers.
Syslog-ng already does this very well -- why duplicate all of that code?
As always, patches are welcome.
Alan DeKok.
--
So why is it happening in my case then? I can see all the requests get
cleaned up (log message was put) but still so much memory is consumed by
radiusd.
Do you want me to post the huge log file? I badly need this fix now.
Configuration-wise I am using the default configuration except users and
In trying to come up with our own solution to the same problem I
discovered the following previous patch proposal by Michael Joosten
from 2005.
Incorporating this functionality would be greatly appreciated:
configurable checking of user identity (i.e. what the supplicant
tells via EAP
On Fri, 2007-05-18 at 17:09 +0200, Jack J Allan wrote:
On 5/18/07, Brian A. Seklecki [EMAIL PROTECTED] wrote:
Another solution would be to perform logging via syslog(3),
which
absolves radiusd from trapping and handling signals and file
handlers.
nikitha george wrote:
So why is it happening in my case then? I can see all the requests get
cleaned up (log message was put) but still so much memory is consumed
by radiusd.
When the server caches the requests, it uses memory to do that. When
it frees the requests, the memory does *not*
Alan DeKok [EMAIL PROTECTED] said:
Try putting it in the hints section. I think the users file
doesn't do the proper translations, unfortunately.
DEFAULT Calling-Station-Id =~ ...
Pool-Name = ...
That might work.
Unfortunately not.
It does produce a slightly different
Keith Moores wrote:
In trying to come up with our own solution to the same problem I
discovered the following previous patch proposal by Michael Joosten
from 2005.
Incorporating this functionality would be greatly appreciated:
...
I couldn't find any comments on this (other than
Arran Cudbard-Bell wrote:
In that case it would be really useful to be able to use conditionals in
instantiate...
As always, patches are welcome.
i.e. there are higher priority items before 2.0.0 comes out. Maybe
for 2.0.1.
Alan DeKok.
--
http://deployingradius.com - The web
I think I understand the concern as to part 2 of Michael's patch
proposal, but would that apply to incorporating part 1, extending the
check_cert_cn functionality? Would it be useful to rework and submit
a patch that just addressed that? A first step?
-Keith
On May 18, 2007, at 1:17 PM,
Hi All,
Does freeradius support 802.16e? Specifically, does it have support for
MSK generation(with EAP-TLS / EAP-TTLS) using 802.16e-12 ?
If yes, could you please tell me the version that supports it? Latest
release?
Thanks
Santhosh
-
List info/subscribe/unsubscribe? See
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
In that case it would be really useful to be able to use conditionals in
instantiate...
As always, patches are welcome.
And there will be! Though that is dependent on me getting time to learn
C *properly*. Unfortunately most of my time at the
On Fri 18 May 2007, Guy Fraser wrote:
On Fri, 2007-05-18 at 17:09 +0200, Jack J Allan wrote:
On 5/18/07, Brian A. Seklecki [EMAIL PROTECTED] wrote:
Another solution would be to perform logging via syslog(3),
which
absolves radiusd from trapping and handling signals
nikitha george wrote:
So why is it happening in my case then? I can see all the requests get
cleaned up (log message was put) but still so much memory is consumed
by radiusd.
Memory usage under Linux is a tricky thing.
It depends if you're
Dear All
I am using freeradius and it is working fine, but now I want
to create per-user download and upload graphs. Is that possible with any
package?
$ cat ~/satish/url.txt
http://www.linuxbug.org
Santosh Thondupuri wrote:
Does freeradius support 802.16e? Specifically, does it have support for
MSK generation(with EAP-TLS / EAP-TTLS) using 802.16e-12 ?
EAP-TLS and EAP-TTLS specify how the keys are generated. 802.16 is
just a transport protocol.
Perhaps you could quote a section from
Keith Moores wrote:
I think I understand the concern as to part 2 of Michael's patch
proposal, but would that apply to incorporating part 1, extending the
check_cert_cn functionality? Would it be useful to rework and submit
a patch that just addressed that? A first step?
Yes. I prefer