Raj Patel wrote:
> Has anyone else been using it, I will be happy for some feedback
Honestly, I've never seen much use for Diameter. Not that I'm biased,
but I'd like to know what real-world problem it solves.
Most requirements for diameter are political or commercial, not technical.
Alan
Kevin J wrote:
> Does anybody know about iCHAP?
Nope.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi People
First thank you, I have been reading this mailing list for some time and I found
it a great source of help
I want to share some info with you and then ask a question
We are slowly moving here into Java and starting to have Diameter
requirements
I found OpenBloX Java Diameter a great sour
And that is good. Windows doesn't need to know who issued that
certificate, only radius server does.
Ivan Kalik
Kalik Informatika ISP
On 25/1/2008, "orion" <[EMAIL PROTECTED]> wrote:
>its not a problem that windows says about the client certificate :
>"the issuer of this certificate cannot be
Does anybody know about iCHAP?
Kevin,
On 25/01/2008, Alan DeKok <[EMAIL PROTECTED]> wrote:
> In this case, you didn't add the server certificate (or the CA
> certificate) into the root CA store. All of the documentation and
> howto's say you need to do this, so
>
> Alan DeKok.
the ca certificate is the first i import in roo
>Now that you mention it, the billing software _is_ getting replaced
>some time soon, but until then I have to hack radius as a workaround.
>
So alter groups and not passwords.
>Is it not possible to "Fall-Through" failed users to another section
>with its own pool and auth-type: accept?
>
Why? J
orion wrote:
> its not a problem that windows says about the client certificate :
> "the issuer of this certificate cannot be found " ?
Thank you for FINALLY posting the REAL error message. It helps to
post the REAL error message, because you can then get a REAL solution.
In this case, you d
orion wrote:
> but when i import the client.p12 certificate the linkage is
>
> CA certificate
> |- server certificate
> |- client certificate
>
> in that moment the server part tells ( it not allow to issue certificate
> for others).
There's no reason why the intermediate certi
>
>#1:
>
>rad_recv: Accounting-Request packet from host X.X.X.X:46641, id=184,
>length=302
> User-Name = "blah"
> NAS-Port = 2
> NAS-Port-Type = Wireless-802.11
> NAS-Identifier = "XX"
> NAS-IP-Address = X.X.X.X
> Acct-Status-Type = Stop
> Calling-Station-Id = "MAC"
its not a problem that windows says about the client certificate :
"the issuer of this certificate cannot be found " ?
can the certificate be used in this case ?
On 25/01/2008, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
>
> >2)or only ca certificate + client certificate ?
> >
> >the second case
>2)or only ca certificate + client certificate ?
>
>the second case the linkage between the ca and client doesnt exist ( as you
>said "is the server the issuer of the client`s certificate" ).
>
Link is not needed. Server checks the client certificate to see if it's
issued by the server (certificat
"Alan DeKok" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
Markus Moeller wrote:
That was the only way I could get it to work. If I use update control
anybody can login, whereas in my setup only a user who exists in ldap gets
Auth-Type set to LDAP all other users have an empty valu
I think you need to use Ldap-Group instead of myldap-Ldap-Group or do you use
do_xlat ?
Markus
"cxu" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
Background:
When a user associated with the ssid Guest, the user will authenticate
against a FreeRadius server. If he has
I'm using standard Windows MMC.
after import of the CA and Server certificates
the server certificate links to the ca certificate ok
CA certificate
|- server certificate
but when i import the client.p12 certificate the linkage is
CA certificate
|- server certificate
|- client
Have 2.0 running against a Postgresql database. The sql_log code looks
like it functions differently than the sql statements in the postgres
driver (stop packets are another insert instead of an update). Has
anyone already changed out the sql lines match the way it works without
sql_log, don't se
I see. I can, indeed, remove Auth-Type := LDAP from the users file and
it still works. Cool!
However, the behavior described in the documentation is not what I'm
seeing, and I'm still getting (contrary to what I said in my previous
email) authorization requests not being proxied, even though I
Now that you mention it, the billing software _is_ getting replaced
some time soon, but until then I have to hack radius as a workaround.
Is it not possible to "Fall-Through" failed users to another section
with its own pool and auth-type: accept?
Vlad
On Jan 25, 2008 12:16 PM, Andy Billingt
David - agreed. It's a workaround until the billing software can be
modified (or replaced); in combination with an expiry_due check and
also checking whether it's the billing system that made the change
though, it's not a bad short-term workaround. Needs to be both of those
checks though ;-)
Andy
On
A trigger on the password field is a workaround.
What about if he wants to change a user's password or when it changes back
to bring the connection back on?
Changing the password is not the right way to reject a connection and
everything possible should be done to change the software's behaviour.
Vlad,
are the passwords changed _by the billing system_ for any other
reason? You could use a trigger on the table to make a corresponding
change on the usergroup when the billing system changes the password.
Better though might just be to have a "Expiry Due?" column added to
the users, and then h
Yes, write to Peter Nixon and he will help you.
Ivan Kalik
Kalik Informatika ISP
On 25/1/2008, "Marinko Tarlac" <[EMAIL PROTECTED]> wrote:
>I would like to register too. Is there any chance for this?
>
>On Jan 25, 2008 5:37 PM, JB <[EMAIL PROTECTED]> wrote:
>
>>
>> Peter Nixon wrote:
>> > We h
That's a very valid point, however we do all the CPE configuration
ourselves. Customer, as a rule, does not have access to the PPPoE
settings.
I think the message they would get is going to say something like
"There is a problem with your internet connection. Please call
blahblahblah to resolve th
So, what would be the difference between a customer who was disconnected, and one who cannot remember his/her password (yeah, this never happens,
right?) There would be no differentiation, and customers who have simply forgotten their password may be upset when you tell them they are
disconnecte
Well, what I'm trying to do is accept the session whether the password
is correct or not, but if it's not correct, assign Framed-IP-Address
from a different IP pool, so our firewall downstream from the NAS can
redirect their HTTP traffic to a payment site.
Vlad
On Jan 25, 2008 11:27 AM, JB <[EM
If it's just a message you want to display, you could use the Reply-
Message attribute.
Of course, your access controller would have to know how to handle this
attribute.
JB
Marinko Tarlac wrote:
radius will reply whatever you need but you need to tell him what do
you want.
For example, if y
The only problem with this method is that our billing system is not
(currently) capable of changing the usergroup when the account is
suspended. All it does is change the password.
Vlad
On Jan 25, 2008 11:22 AM, Marinko Tarlac <[EMAIL PROTECTED]> wrote:
> radius will reply whatever you need bu
radius will reply whatever you need but you need to tell him what do you
want.
For example, if you're using mysql, when user account expires you can add
him to specific group and group attributes you can set in radgroupreply
table. (ip pool, tx, rx limit etc.)
On Jan 25, 2008 6:18 PM, Vlad Sedov
Hey folks.
Right now, we use freeradius to authenticate simple pap/chap PPP
clients. When a username/password is rejected, radius simply sends back
a reject message to the NAS.
Is it possible to change this behavior so that a failed auth attempt
gets accepted with an alternate IP pool instead of b
I would like to register too. Is there any chance for this?
On Jan 25, 2008 5:37 PM, JB <[EMAIL PROTECTED]> wrote:
>
> Peter Nixon wrote:
> > We have a wiki. You are welcome to contribute...
>
> Account creation/free editing seems to be deactivated...
>
> Bye,
> JB
>
Peter Nixon wrote:
We have a wiki. You are welcome to contribute...
Account creation/free editing seems to be deactivated...
Bye,
JB
Jean-Michel Caricand wrote:
> Well. I made a lot of tests without success. I'm not yet able to REJECT a
> request in a post_proxy function, but that works fine in an authorize
> function.
>
> Does someone have ideas ?
In 2.0, it looks like this isn't dealt with in src/main/event.c around
line
Suraj,
You're better off kerberizing your unix environment and join them with AD.
this way you can have a fully single sign on environment.
including samba file share without entering username and passwords.
This is what you need to do.
1) install SFU3.5 on all your DC's
2) install openldap and m
On Friday 25 January 2008 12:55, Boian Jordanov wrote:
> Try with RLM_MODULE_FAIL in post_proxy
>
>
> Best Regards,
> Boian Jordanov
> SNE
> Orbitel - Next Generation Telecom
> tel. +359 2 4004 723
> tel. +359 2 4004 002
>
> On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
> >> doesn'
Hi Alan,
Thanks for your answers, mine inline below:
Alan DeKok wrote:
Mother wrote:
I am seeing a strange situation. I receive an accounting-stop request
from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the
corresponding radacct record. However, the NAS is not receiving the ack,
and
--- Alan DeKok <[EMAIL PROTECTED]> wrote:
> Any solution would have exactly the same security
> issues.
Yes; I can understand and appreciate that. Thanks,
Alan.
Regards,
suraj.
suraj shankar wrote:
> I understand that pam_radius_auth 'encrypts' the
> password. But if a user has the privileges to change
> the /etc/raddb/server file (and point it to a
> freeradius server), wouldn't he/she be able to siphon
> off the credentials?
Yes.
> Our setup would disallow direct 'r
theSnail wrote:
> I have only this entry in users file:
>
> DEFAULT Auth-Type := Accept
>
> radiusd -X
>
> users: Matched entry DEFAULT at line 1
>
> but it still tries to authenticate against ldap. So the question is:
Why haven't you posted the entire output from "radiusd -X" ?
i.e. you
Mother wrote:
> I am seeing a strange situation. I receive an accounting-stop request
> from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the
> corresponding radacct record. However, the NAS is not receiving the ack,
> and thus re-sends the stop request. On the second request, FreeRADIUS
>
Wm. Josiah Erikson wrote:
># Setting "Auth-Type = LDAP" is ALMOST ALWAYS WRONG. We
># really can't emphasize this enough.
>
> Uh. OK. That's exactly what I'm doing, and it's working :)
Then it works. It's fine.
That message is for the majority of people who force LDAP to
Andrew D Kirch wrote:
> You might try putting it at the top of radiusd.conf
Done.
Alan DeKok.
--- [EMAIL PROTECTED] wrote:
> >Is there a better way, using radius?
> No. Once user is authenticated radius has nothing to
> do with them (you
> say that they can increase privileges after
> authentication). Can't you
> put them in jail.
Yeah, I would eventually do that, if there is no
'better
orion wrote:
> the import of client.p12 is ok but it doesnt have a valid link
> it is ca->server->client
What does that mean?
> and the details of the server certificate tells that "is not authorized
> to issue certificates" .
Where does it say that? Which certificate tool are you using to
>
>Is there a better way, using radius?
>
No. Once user is authenticated radius has nothing to do with them (you
say that they can increase privileges after authentication). Can't you
put them in jail.
Ivan Kalik
Kalik Informatika ISP
Hi;
For a long time now, I have been trying to unify the
login credentials, in a heterogeneous environment.
While I am aware of the few available options, I have
decided against them, for varied reasons.
In the last few days, I have been able to produce the
effect which I desired, using pam_radi
>
>users file and EAP-ttls + PAP schema can work together?
>
Yes. In 2.0.1 you can divert EAP requests to one virtual server, others
to a different virtual server that will be doing ldap auth, ...
Ivan Kalik
Kalik Informatika ISP
I have only this entry in users file:
DEFAULT Auth-Type := Accept
radiusd -X
users: Matched entry DEFAULT at line 1
but it still tries to authenticate against ldap. So the question is:
users file and EAP-ttls + PAP schema can work together?
thanks
Update to the problem: the accounting-stop alternate query is actually
an INSERT, not an UPDATE, by default, which actually surprises me, as in
case of a duplicate packet, an INSERT into a properly unique-indexed
table is doomed. I have now simply changed the -alt into an UPDATE
query, so it wo
Try with RLM_MODULE_FAIL in post_proxy
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
On Jan 25, 2008, at 12:35 PM, Jean-Michel Caricand wrote:
doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
need pre_proxy
Hi all,
I am seeing a strange situation. I receive an accounting-stop request
from a NAS, and FreeRADIUS (1.1.7 against Oracle) updates the
corresponding radacct record. However, the NAS is not receiving the ack,
and thus re-sends the stop request. On the second request, FreeRADIUS
tries to d
We have a wiki. You are welcome to contribute...
-Peter
On Fri 25 Jan 2008, Marinko Tarlac wrote:
> Ok. Forum sometimes isn't a best solution. WIKI is a good option because
> you'll find all you need without too much off topic.
>
> On Jan 25, 2008 10:18 AM, JB <[EMAIL PROTECTED]> wrote:
> > Nichol
> doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
> need pre_proxy ?
>
> From radius.conf file
>
> #
> # When the server decides to proxy a request to a home server,
> # the proxied request is first passed through the pre-proxy
> # stage. This stage can re-write the reque
1. Use Cleartext-Password with =: as stated in the server documentation.
2. Post the output of radiusd -X. It's likely that the format for the
MAC address is wrong. It can have : for delimiters or no delimiters at
all.
3. That's not how you end user sessions on any device, Cisco or
otherwise. Put
doesn't make sense to use RLM_MODULE_REJECT in post_proxy. Maybe you
need pre_proxy ?
From radius.conf file
#
# When the server decides to proxy a request to a home server,
# the proxied request is first passed through the pre-proxy
# stage. This stage can re-write the request, or decide
Ok. Forum sometimes isn't a best solution. WIKI is a good option because
you'll find all you need without too much off topic.
On Jan 25, 2008 10:18 AM, JB <[EMAIL PROTECTED]> wrote:
>
> Nicholas Hall wrote:
> > What's wrong with sharing your experiences with the list? Adding a
> > forum will be j
Hi,
I have a question on rlm_perl and RLM_MODULE_REJECT. If in a function
(post_proxy) I return RLM_MODULE_REJECT I can see this in log :
modcall[post-proxy]: module "perl1" returns reject for request 1
... but my request is still accepted : Access-Accept not Access-Reject !
How to do that ?
Nicholas Hall wrote:
What's wrong with sharing your experiences with the list? Adding a
forum will be just another place I'll have to check to get my
FreeRADIUS fix.
That's right, a forum wouldn't be a great idea.
But this list shouldn't be a replacement for the Wiki either. So
whenever
[EMAIL PROTECTED] wrote:
Hi,
There is a history of this mailing list, but searching something is a nightmare.
Imho forum would be great for that.
Sent from my BlackBerry® wireless device
forums suck imho
alan
Hi,
> There is a history of this mailing list, but searching something is a
> nightmare.
>
> Imho forum would be great for that.
> Sent from my BlackBerry® wireless device
forums suck imho
alan