EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
Hello, I work on a WIFI authentication project, dealing with EAP/TLS on Freeradius. I already read a lot of docs on the net. The certificates are created with xpextensions and installed. I use freeradius. My config files are joined. Client: Windows XP Pro SP2. Here is the freeradius

Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote: The certificates are created with xpextensions and installed. I use freeradius. Ok. Did you install the CA (or root) cert on the Windows machine? I see no OK, and no 'not OK'. I don't understand why 'rlm_eap_tls: No SSL info available. Waiting for more SSL data.' I

Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
Alan DeKok wrote: Patrice Oliver wrote: The certificates are created with xpextensions and installed. I use freeradius. Ok. Did you install the CA (or root) cert on the Windows machine? Yes, and the client certificate too. I see no OK, and no 'not OK'. I don't understand

Problems With Radwho

2007-11-16 Thread Willem Gerber
Hi Guys/Gals, I have a problem where radwho only shows users logged in for two NASes. As well as only their accounting info goes into the radacct table. I can see the other users authenticating and I can log into them. So they must be dialing up. No idea why it's happening. I'm using radiusd:

Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
Problem is not with the server but with Windows XP. Have you imported the correct certificate? Is it in the correct store? What's Windows XP complaining about in Event Viewer? Ivan Kalik Kalik Informatika ISP On 16/11/2007, Patrice Oliver [EMAIL PROTECTED] wrote: Alan DeKok wrote: Patrice

Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote: ... Ok. Did you install the CA (or root) cert on the Windows machine? Yes, and the client certificate too. Then there isn't much else that can go wrong. Because the TLS method has not finished. The Windows machine received the server certificate, and decided

Re: Problems With Radwho

2007-11-16 Thread Willem Gerber
I'm seeing the authentication requests from the server and the reply packets. What would an accounting packet look like? Sorry for asking. The traffic looks right to me if I do radius -X Regards Willem Gerber [EMAIL PROTECTED] wrote: Are you getting accounting packets from those access

Re: Problems With Radwho

2007-11-16 Thread tnt
Are you getting accounting packets from those access servers? Or just authentication? If NAS is not sending ... Ivan Kalik Kalik Informatika ISP On 16/11/2007, Willem Gerber [EMAIL PROTECTED] wrote: Hi Guys/Gals, I have a problem where radwho only shows users logged in for two NASes. As well as

Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
Alan DeKok wrote: Patrice Oliver wrote: Ok. Did you install the CA (or root) cert on the Windows machine? Yes, and the client certificate too. Then there isn't much else that can go wrong. Because the TLS method has not finished. The Windows machine

Re: Problems With Radwho

2007-11-16 Thread tnt
It's not Access-Request but Accounting-Request. If you don't see them after the Access-Accept then your NAS is not sending accounting data. Ivan Kalik Kalik Informatika ISP On 16/11/2007, Willem Gerber [EMAIL PROTECTED] wrote: I'm seeing the authentication requests from the server and the

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
I self-generated my certificates, and created my own CA, not dependent on an official CA. Do you think it can be the origin of my problem? Best regards. [EMAIL PROTECTED] wrote: Problem is not with the server but with Windows XP. Have you imported the correct certificate? Is it in the

Re: freeradius auto-vlan 3com switch 4500G

2007-11-16 Thread pbreton
Hi Krzysztof, Thanks for sharing your experience. Please add here: vlan-assignment-mode string accounting optional A 3Com product engineer gave me the same instruction; unfortunately the 4500G does not support the vlan-assignment-mode and accounting does not take optional as argument. Maybe

Re: please help not allow the many connections from single user

2007-11-16 Thread tnt
how can we prevent it? Restrict the user to a single session. Have a look at the (check) attribute Simultaneous-Use. If you are using sql accounting you will need to make slight adjustments to radiusd.conf and sql.conf. Read instructions in them. Ivan Kalik Kalik Informatika ISP - List

Re: Any ideas on this compile error ??

2007-11-16 Thread Norbert Wegener
Maybe it would help to install libltdl3-dev or something like that? Norbert Wegener Willem Gerber wrote: Hey Guys, I can't get radius to compile :/ Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686 i686 i386 GNU/Linux

Any ideas on this compile error ??

2007-11-16 Thread Willem Gerber
Hey Guys, I can't get radius to compile :/ Linux vaughan 2.6.20-1.2307.fc5 #1 Sun Mar 18 20:44:48 EDT 2007 i686 i686 i386 GNU/Linux /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory In file included from rlm_sqlippool.c:37:

DEFAULT entry in users file (1.0.5--1.1.7)

2007-11-16 Thread Martin Pauly
Hi everybody, sorry to ask, but I don't get it. I'm still trying to upgrade from 1.0.5 to 1.1.7. Previously, my users file looked like this: [some static entries for special users] [some entries with Auth-Type=Reject for special conditions] DEFAULT Auth-Type = LDAP, Called-Station-Id ==

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
Alan DeKok wrote: Patrice Oliver wrote: If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file ? Reading it should determine a mistake ... No. It is not a problem with configuring FreeRADIUS. And please fix your mailer so it

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
And have a look at the Event Viewer. Is anything recorded when conversation stops? Ivan Kalik Kalik Informatika ISP On 16/11/2007, Patrice Oliver [EMAIL PROTECTED] wrote: [EMAIL PROTECTED] wrote: Sort of. Official CA is already in the store. You just have to add yours in there. Windows

Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Alan DeKok
Patrice Oliver wrote: If you refer to xpextensions, I used it to create the certificates. May I send you my eap.conf file ? Reading it should determine a mistake ... No. It is not a problem with configuring FreeRADIUS. And please fix your mailer so it doesn't add SPAM to every subject

Re: Freeradius doesn't work with ldap

2007-11-16 Thread Alan DeKok
Eduardo Lima wrote: So I'll have to unencrypt all the ldap passwords to use mschapv2??? Yes. See the web page for your options. What about the ldap database security?? The LDAP database has to be kept secure. Please go read the web page again. If you want to use MS-CHAP, your

Re: variables in 1.1.7

2007-11-16 Thread Alan DeKok
Norbert Wegener wrote: ... rlm_ldap: Adding mobile as Huntgroup-Name == VL-SBS-AD02-0001 You can't add the Huntgroup-Name attribute. It's like Group, which means Unix group, and do lookups in a unix group. Huntgroup-Name means do lookups in a huntgroup. Create and use another attribute

Re: Any ideas on this compile error ??

2007-11-16 Thread Alan DeKok
Willem Gerber wrote: I can't get radius to compile :/ ... /home/willem/freeradius-1.1.7/src/include/modpriv.h:7:18: error: ltdl.h: No such file or directory That file is included with FreeRADIUS. The build works if you use the recommended method of: $ ./configure $ make $ make install If

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread tnt
Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal. Ivan Kalik Kalik Informatika ISP Dana

Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
Alan DeKok wrote: Patrice Oliver wrote: The certificates are created with xpextensions and installed. I use freeradius. Ok. Did you install the CA (or root) cert on the Windows machine? I see no OK, and no 'not OK'. I don't understand why 'rlm_eap_tls: No SSL info available.

variables in 1.1.7

2007-11-16 Thread Norbert Wegener
With version 1.1.7 I want to achieve the following, which is probably easy in 2.0: In the authorize section I have an ldap module and an sql module sp1. group { ldap1 sp1 } I want to get an attribute from AD and use the value of that attribute in a later call to a database radiusd -AX

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread Patrice Oliver
[EMAIL PROTECTED] wrote: Sort of. Official CA is already in the store. You just have to add yours in there. Windows doesn't get on with .pem very well so import p12 version. Is your root certificate listed in Trusted Root CA store? Also your client cert should be in Personal. Yes for

Re: DEFAULT entry in users file (1.0.5--1.1.7)

2007-11-16 Thread tnt
So how do I direct the server to use LDAP without setting Auth-Type? Or is radtest somehow the wrong test tool in the new scenario?? Uncomment ldap in authorize and authenticate sections of radiusd.conf. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See

Re: Freeradius doesn't work with ldap

2007-11-16 Thread tnt
Ldap authentication works with radping (wired connection) but on the wireless, it keeps failing. I don't understand this: Processing the authenticate section of radiusd.conf modcall: entering group MS-CHAP for request 6 rlm_mschap: No User-Password configured. Cannot create LM-Password.

Re: Freeradius doesn't work with ldap

2007-11-16 Thread Eduardo Lima
So I'll have to unencrypt all the ldap passwords to use mschapv2??? What about the ldap database security?? [EMAIL PROTECTED] wrote: Ldap authentication works with radping (wired connection) but on the wireless, it keeps failing. I don't understand this: Processing the authenticate

please help not allow the many connections from single user

2007-11-16 Thread ann kok
Hi, we have a big problem with many connections from a single user in DSL clients. A single user can authenticate on the different LNS servers to use the internet connection. How can we prevent it? As our users are using dynamic IPs, the IP address is assigned by the LNS not the radius in this

Re: [SPAM] Re: [SPAM] Re: [SPAM] Re: EAP-TLS does not send an access OK.

2007-11-16 Thread OLIVER Patrice
Hello, I did inspect event viewer log -- nothing bad for me. About the root certificate, I used the .der file. Is there a problem with .der files? Regards, Patrice OLIVER Project Manager, Ville Hôpital; Network and Security Manager

DH and random

2007-11-16 Thread stefek143
Hi. When I've configured my freeradius I've seen 2 methods to create files DH and random: first: DH: openssl dhparam -check -text -5 512 -out dh Random: dd if=/dev/urandom of=random count=2 second: DH: date /etc/1x/DH Random date /etc/1x/random And I am wondering what is different in theory and

Mikrotik and PPPoE queue priorities

2007-11-16 Thread Matthew Neumark
Hello, I use PPPoE connections through freeradius and mikrotik. What I would like to do is setup the customer's dynamic queue that is setup through the radgroupreply table setup so that when the customers log in I can also assign that queue to a priority based upon the group the customer is

Re: Mikrotik and PPPoE queue priorities

2007-11-16 Thread tnt
Assign that priority to a queue for [an IP address | a subnet]. Assign the user [that static IP address | to the pool with addresses from that subnet]. Ivan Kalik Kalik Informatika ISP On 16/11/2007, Matthew Neumark [EMAIL PROTECTED] wrote: Hello, I use PPPoE connections through freeradius

RE: Mikrotik and PPPoE queue priorities

2007-11-16 Thread Matthew Neumark
Ivan, I wish that was an option, but the problem is all my customers already have IP addresses assigned to them. The IP addresses aren't done by the packet they order; it was done based upon when they signed up. Is there a way to do a dynamic priority on a per user basis? Like a group setting

1.17 compilation errors

2007-11-16 Thread Paul Bartell
Hello. When trying to compile freeradius under Ubuntu 7.10, I get the following error: gcc -g -O2 -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wall -D_GNU_SOURCE -DNDEBUG -I/home/paulb/build/freeradius-1.1.7/src/include -I/home/paulb/build/freeradius-1.1.7/src/modules/rlm_sql -c rlm_sqlippool.c

RE: Mikrotik and PPPoE queue priorities

2007-11-16 Thread tnt
That's not standard radius but VSA territory. You can dynamically assign filtering (firewall) type ACL on Mikrotik but not rate-limiting (shaping) ones. Queue definition will accept multiple source addresses (sort of an IP address list - it will take more than one, but how many ...). Ivan Kalik

Re: 1.17 compilation errors

2007-11-16 Thread Paul Bartell
Ah, thanks. Seems it hasn't been indexed by Google yet. Sorry for not searching the archives. On Nov 16, 2007 5:33 PM, [EMAIL PROTECTED] wrote: You had this answered yesterday: http://www.nabble.com/Any-ideas-on-this-compile-errortf4821396.html Ivan Kalik Kalik Informatika ISP - List

Re: 1.17 compilation errors

2007-11-16 Thread tnt
You had this answered yesterday: http://www.nabble.com/Any-ideas-on-this-compile-errortf4821396.html Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Radrelay Locking Issues

2007-11-16 Thread Brian De Wolf
Hello, I'm using freeradius 1.1.7 on a RHEL4 (built by pkgsrc, though) amd64 box as a logger/relay for accounting packets. Unfortunately, it looks like it's not relaying all the accounting packets it receives, since lines such as these appear in its logs: Fri Nov 16 17:12:31 2007 : Error: