Yes. Certificates created with xpextensions will work with Win2K3 clients
as well. But you need to import CA certificate to the trusted
certificate store on Windows clients (XP and 2K3; Win 2K can't be used).
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
by the book (if you have the latest server version):
John Cleartext-Password := hello
No Auth-Type. Cleartext password attribute will work with ANY auth method.
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, hao chen [EMAIL PROTECTED] wrote:
Hi,
I tried as you said. But it seems I still
Colleen C. Morrissey wrote:
Hi,
Why? If you have the clear-text password on the server, you can just
compare the two. There's no need to configure rlm_pap to do the NT hash.
I don't have the clear text password. Your original reply said this
would work with clear text
Abdul Qadir wrote:
I am using freeradius with SER and oracle. Currently I have one
domain for my SER. I want my SER to support another domain and separate
database for second domain. Is it possible to configure Radius server to
connect with two databases and perform queries based on URI or
vasanth kumar wrote:
Hi everybody,
This is sambu, I have configured FreeRadius-1.0.1-1
Why? Please install 1.1.6.
... My question is how to authenticate both Windows and Linux
servers and ssh,telnet,ftp,apache running on different machines with
Freeradius server. Is it possible to
Colleen C. Morrissey wrote:
I don't have the clear text password. Your original reply said this
would work with clear text password or nt hash. I have the NT hash
and/or I can get the SHA1 base 64 encoded password (which was working
with gtc by itself). Can I get pap/gtc to work with the
Use Cleartext-Password and operator :=
That listing seems to be from the attempt with NT-Password. That entry
should also use := as the operator.
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Matt Cobb [EMAIL PROTECTED] wrote:
I have freeradius 1.1.4 setup as a proxy to an upstream radius
Alexander Serkin wrote:
Hi,
Is the read_groups configuration parameter reading strings
intentionally removed from rlm_sql.c? Why?
I don't think it was ever added. I'm not sure the functionality is
even tested.
i.e. Does it work?
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Alan DeKok wrote:
Alexander Serkin wrote:
Hi,
Is the read_groups configuration parameter reading strings
intentionally removed from rlm_sql.c? Why?
I don't think it was ever added. I'm not sure the functionality is
even tested.
i.e. Does it work?
Alan DeKok.
[EMAIL PROTECTED] wrote:
If you are introducing a new attribute it has to be defined in the
dictionary.
Thanks Ivan - it was over three years ago when the Radius server was
first set up - so I had completely forgotten about the Dictionary part...
Added the 'dictionary.telkom', got this
Hi all,
Is there any way to configure free radius + eap-tls module to avoid sending
CA certificate during EAP-TLS negotiation? As Free Radius is sending it
right now EAP-TLS packets get fragmented and I would like to avoid it.
Thanks in advance.
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
your RADIUS server.
i.e. don't put ca certificates of the chain into that file.
I don't know how to prevent the client from sending CA
Is there any way to configure free radius + eap-tls module to avoid sending CA
certificate during EAP-TLS negotiation?
You may have to read the RFC :-). You need the certificates to do EAP-TLS
==
Benjamin K. Eshun
- Original message
Arran Cudbard-Bell wrote:
Alan DeKok wrote:
I don't think it was ever added. I'm not sure the functionality is
even tested.
i.e. Does it work?
Alan DeKok.
Read Groups in SQL ? Yes, very very well tested. It's horribly broken in
1.*.* though, or at least it was for me.
On Wed 20 Jun 2007, Jay Banks wrote:
I spent most of the day getting dialup_admin to work, and I did get it to
work. Not being an mysql expert, I have to say what a blessing Webmin
turned out to be on the project. It sure was nice to be able to easily
use Webmin to look at data in the
Slightly off-topic. Is anyone aware of a DHCP server with radius
support. Or even just with exec support? I'd like to setup a DHCP that
will ask a radius server for IP instead of assigning it itself
--
Kostas Kalevras - Network Operations Center
National Technical University of Athens
Hi,
Is there any way to configure free radius + eap-tls module to avoid sending
CA certificate during EAP-TLS negotiation? As Free Radius is sending it right
now EAP-TLS packets get fragmented and I would like to avoid it.
err, no. you need to handle those fragmented packets. where is it
Kostas Kalevras wrote:
Slightly off-topic. Is anyone aware of a DHCP server with radius
support. Or even just with exec support? I'd like to setup a DHCP that
will ask a radius server for IP instead of assigning it itself
Nope. I spent a while looking at adding RADIUS support to the ISC
Hi,
so who's breaking the RFCs with respect to ICMP and pmtu? ;-)
I've been hunting one such case recently. Just in case it helps: in our case
it was a BSD firewall that was misconfigured to only allow non-fragmented UDP
packets. I'm not into BSD at all, the guy said something about this
Alan DeKok wrote:
Mark J Elkins wrote:
Added the 'dictionary.telkom', got this $included in 'dictionary' - and
the Warning:.. message has gone. The value of the new variable is now
showing up.
Could you mail a copy here so that other people don't have to go
through this?
That worked. Thank you!
Alan DeKok wrote:
Colleen C. Morrissey wrote:
I don't have the clear text password. Your original reply said this
would work with clear text password or nt hash. I have the NT hash
and/or I can get the SHA1 base 64 encoded password (which was working
with gtc by
Hi Benjamin
2007/6/20, Eshun Benjamin [EMAIL PROTECTED]:
Is there any way to configure free radius + eap-tls module to avoid
sending CA certificate during EAP-TLS negotiation?
You may have to read the RFC :-). You need the certificates to do EAP-TLS
Yes that's clear to me that you need to
The README for 1.1.6 states...
New users of FreeRADIUS should prefer using Cleartext-Password over
User-Password. That is, if the documentation or a web page says to
configure User-Password in a database or server configuration file,
the documentation is likely out of date, and you should use
Hi Alan,
err, no. you need to handle those fragmented packets. where is it failing,
on your network or more remotely?
Actually, it is not failing. I got a successful authentication I was only
trying to avoid fragmentation if possible.
EAP-TLS places much larger demands on the packet sizes
Hi Karlsen,
2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]:
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
your RADIUS server.
I think this might work (after some tests i
Mark J Elkins wrote:
# Contents of file /usr/share/freeradius/dictionary.telkom
Added, thanks.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Andrew Long wrote:
I am wondering if the last line is supposed to read, use
Cleartext-Password instead.
Yes. Fixed, thanks.
Alan DeKok.
Rafa Marin wrote:
Hi Karlsen,
2007/6/20, Reimer Karlsen-Masur, DFN-CERT [EMAIL PROTECTED]
mailto:[EMAIL PROTECTED]:
Hi,
in the file referenced by the option variable certificate_file in the tls
section only put the server certificate (and optionally the private key) of
I am doing the following and have an issue
Issue is on the primary I get duplicate entry on accounting in mysql for a user
I don't use this accounting for nothing but users online listing, I have to use
accounting from the detail file for that.
Ok, here's the explanation
I use radrelay so each
Tried:
cobb Cleartext-Password:=secret
same result:
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for [EMAIL PROTECTED] with NT-Password
rlm_mschap:
Matt Cobb wrote:
Tried:
cobb Cleartext-Password:=secret
same result:
Please post the ENTIRE debug output. Trust me, MS-CHAP works in the
server. Put that entry at the TOP of the users file, and it should
work. Odds are you put it in the middle of the users file, and
there's an
Felipe Ceglia - PY1NB wrote:
When I run it thru users file, it is called, and works.
You put it in the reply list in the users file, and the check
table in the SQL database.
Put it in the reply table in the SQL database.
Alan DeKok.
Can you post the whole conversation from the request. From this snip it
looks like your realm isn't stripped. Try using [EMAIL PROTECTED] as username
in users file instead of cobb.
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Matt Cobb [EMAIL PROTECTED] wrote:
Tried:
cobb
I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := secret as below, I get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute Cleartext-password
Errors reading /etc/raddb-test/users
radiusd.conf[1052]: files:
Ryan Kramer wrote:
I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := secret as below, I get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute Cleartext-password
You're not using the dictionaries that
Hi,
I'm having the same problem on 1.1.6, but when I try the cobb
Cleartext-Password := secret as below, I get this when starting...
/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
attribute Cleartext-password
Errors reading /etc/raddb-test/users
radiusd.conf[1052]:
I'm trying to require a user to be a member of the wireless group in
ldap to be able to join the wireless. All users can currently join the
wireless. I can't find very much documentation on the groupmembers*
lines in the ldap section of radius.conf. Basically trying to figure out
what I need
Basically trying to figure out
what I need to add to these lines: groupname_attribute,
groupmembership_filter, and groupmembership_attribute. Also not sure if
I need to add something to users file like: DEFAULT LDAP-Group ==
wireless. Can anyone provide input on what I need to
Alan,
I believe you that it can work - I just want to know how to configure it
so it does :-)
Here is the output:
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /etc/raddb/proxy.conf
Config: including file: /etc/raddb/clients.conf
Hi Ivan,
Sorry I forgot to mention that I did import the cert-clt.p12 and cacert.pem
to the local machine certificate store.
I was reading a document that was saying that the USERS file is not
necessary for authenticating to Active Directory. Is that really true?
Here are my config files.
I know this is a little off topic, but would appreciate any help.
Following instructions at http://radiuswiki.suntel.com.tr/Build
I am getting...
[EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
error: Failed build dependencies:
libtool-ltdl-devel is needed by
Slightly off-topic. Is anyone aware of a DHCP server with radius
support. Or even just with exec support? I'd like to setup a DHCP that
will ask a radius server for IP instead of assigning it itself
A radius server assigning IPs ...that is not radius (!) . May be you mean
the radius
Eshun Benjamin wrote:
Slightly off-topic. Is anyone aware of a DHCP server with radius
support. Or even just with exec support? I'd like to setup a DHCP that
will ask a radius server for IP instead of assigning it itself
A radius server assigning IPs ...that is not radius (!) . May
ERROR: Failed to open socket:
check the port 1812 if it is being used. Or you can also run radius on the old
school port 1645 for testing.
==
Benjamin K. Eshun
- Original message
From: Debashis Prusty [EMAIL PROTECTED]
To: FreeRadius
On 6/20/07, Andrew Long [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
On Cent 4.4 there is no libtool-ltdl or devel package.
Edit .spec file and remove
Well in my current configuration I have the RADIUS server certificate in
certificate_file and CA certificate in CA_file.
But with that configuration , the radius server is still sending the CA
certificate.
The CA_path folder is empty and the CA_file is commented out. This should work
for you.
Alan DeKok already hit it head on, I had an old version of the radius
dictionary hanging around. -v doesn't list the version of the modules or
dictionary file unfortunately. Swapped in the new one and it works
Ryan
On 6/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
Hi,
I'm having the
On 6/20/07, Tomas Hoger [EMAIL PROTECTED] wrote:
On 6/20/07, Andrew Long [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
On Cent 4.4 there is no libtool-ltdl
On 6/20/07, Tomas Hoger [EMAIL PROTECTED] wrote:
On 6/20/07, Andrew Long [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] SPECS]# rpmbuild -bb freeradius.spec
error: Failed build dependencies:
libtool-ltdl-devel is needed by freeradius-1.1.6-0.i386
On Cent 4.4 there is no
On 6/16/07, Josh Howlett [EMAIL PROTECTED] wrote:
Ethan,
Have you got the freeradius-mysql RPM installed?
I don't know if I remembered to post a followup or not, but,
undefined constant messages aside (which are caused by a change to
how PHP requires single quotes), my real problems with
On 6/16/07, Josh Howlett [EMAIL PROTECTED] wrote:
Ethan,
Have you got the freeradius-mysql RPM installed?
I don't know if I remembered to post a followup or not, but,
undefined constant messages aside (which are caused by a
change to how PHP requires single quotes), my real problems
No. I have tried this. As I have mentioned earlier versions like 1.1.4 1.1.6
are working fine. Problem is with version 2.0.0, where the listen part is not
commented. Let's think of something else.
ERROR: Failed to open socket:
check the port 1812 if it is being used. Or you can also run
Is it permissible to use a hostname in clients.conf, as for
a host using dyndns?
Regards,
Andrew Long
Hi everyone,
I already configured my freeradius with eap-ttls pap with
authentication on mysql. I obtain authentication, but logs some lines:
Wed Jun 20 19:46:47 2007 : Error: Trying to look up name of unknown
client 127.0.0.1.
Wed Jun 20 19:46:47 2007 : Auth: Login OK: [teste/secret] (from
Debashis Prusty wrote:
No. I have tried this. As I have mentioned earlier versions like 1.1.4
1.1.6 are working fine. Problem is with version 2.0.0, where the listen part
is not commented. Let's think of something else.
As I said earlier , but will say again for clarity.
It *is* a bug in
Hi again...
I am now trying to authenticate a DHCPd request from a mikrotik box.
My freeradius server says that there is a problem with user's password.
How can I tell him (PAP) that this should be ok?
Something strange that I noticed is that the calling station id got
changed from the original
Hey!
I just added Auth-Type := Local for this group, and it worked.
Is there any clever/cleaner way to do it?
Thank you.
Felipe Ceglia - PY1NB wrote:
Hi again...
I am now trying to authenticate a DHCPd request from a mikrotik box.
My freeradius server says that there is a problem with
Just delete that User-Password entry from the radcheck table.
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Felipe Ceglia - PY1NB [EMAIL PROTECTED] wrote:
Hi again...
I am now trying to authenticate a DHCPd request from a mikrotik box.
My freeradius server says that there is a problem with
Andrew Long wrote:
Is it permissible to use a hostname in clients.conf, as for
a host using dyndns?
You can put hostnames in the clients.conf file, however I'm pretty sure
that FreeRADIUS resolves those names at startup and uses that initial
lookup until it is forced to reread the clients.conf
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Dennis Skinner
Sent: Wednesday, June 20, 2007 3:37 PM
To: FreeRadius users mailing list
Subject: Re: 1.1.6 name resolution
Andrew Long wrote:
Is it permissible to use a
Hi All,
I have noticed that in latest versions of rlm_digest the part with converting
of the attributes to something useful (DEBUG(rlm_digest: Converting
Digest-Attributes to something sane...)) was moved from authorize section to
authenticate section. There was even a discussion a while
OK. What does the Event Viewer on Win2K3 client say about failed login
attempts? Has it received Access-Challenge packet? There might be a
firewall problem.
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Bryant Marsh [EMAIL PROTECTED] wrote:
Hi Ivan,
Sorry I forgot to mention that I did
http://www.die.net/doc/linux/man/man5/rlm_attr_rewrite.5.html
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Ashraf Al-Basti [EMAIL PROTECTED] wrote:
Dear,
I need to add attributes in the proxy reply message, how can I do that
using attrib_rewrite?
DEFAULT LDAP-Group != "wireless", Auth-Type := Reject
        Reply-Message = "You are not allowed to connect"
Ivan Kalik
Kalik Informatika ISP
On 20/6/2007, Cody Jarrett [EMAIL PROTECTED] wrote:
So it will search and find the group, but I can still connect with my
user even though it isn't
Hi Ivan,
There are Event log errors in Application and System.
Event ID 1053 - Windows cannot determine the user or computer name. ().
Group Policy processing aborted. Or error: The specified user does not
exist.
Event ID 5719 - The system cannot log you on now because the domain name
is not
Alan DeKok wrote:
Hugh Messenger wrote:
So far the only errors I'm seeing are these:
==29820== Thread 2:
==29820== Invalid write of size 1
==29820==at 0x4819294: strNcpy (misc.c:187)
==29820==by 0x4CC43F3: sqlippool_postauth (rlm_sqlippool.c:527)
That's... fairly broken.
You don't need users file if all user/pass information is stored in AD.
Can you check if imported certificate is in Trusted Root and not
some other certificate folder. I can't think of any other reason why
the conversation wouldn't start with your network configuration.
Ivan Kalik
Kalik
Yes, the cert-clt.p12 is imported to the personal and the cacert.pem is in
the trusted root certificates.
I was looking at another document that was putting chmod 0444 on the
cert-clt.p12 and chmod 0400 on the cacert.pem.
Then, chown to radius:users on both.
Is that necessary?
Thanks,
Bryant.
By reading the wiki, it said FreeRadius runs on AIX. Any documentation about
how to install FreeRadius on AIX? Please let me know. Thanks.
Peter Nixonn wrote:
On Fri 15 Jun 2007, nguyenvinht wrote:
Thanks Arran.
How and where do I implement those codes in AIX RADIUS? Doable on AIX
Hi Arran and all,
In message [EMAIL PROTECTED], Arran Cudbard-Bell
[EMAIL PROTECTED] writes
Debashis Prusty wrote:
No. I have tried this. As I have mentioned earlier versions like
1.1.4 1.1.6 are working fine. Problem is with version 2.0.0, where
the listen part is not commented. Let's think