Hi all,
I have installed freeradius on a debian machine and it work well. In the log
I see that freeradius record failed and accepted authentication, reporting
the user, the password and the user client station, but not the device wich
someone has tried to make access.
For example: from my
Vidar Hatlemark wrote:
I see, so no extra config is needed to route the accounting info from
the file it now uses into the mysql radacct table?
As I said, the sql module is referenced in
raddb/sites-available/default. You need to READ it, and uncomment all
of the references to SQL. This
nf-vale wrote:
I'm also suffering from this Vista disease. But in my case I can
authenticate users using PEAP, from XP SP2 and SP3 clients, even with
Validating Server Certificate checked.
The problem is only with Vista. I've all the windows updates available
installed but I can't get it to
Danilo Molini wrote:
For example: from my pc I try to connect to a router without the correct
credentials. Freeradius log that my PC with IP address 1.1.1.1
has tried to make access with the user admin and
password admin, but do not report the address of the router to wich
someone has tried
UNCLASSIFIED
Running version 2.0.5, with LDAP backend for
authentication/authorization.
Needed functionality: A single user account needs a different
ldap/radius profile depending on which huntgroup the request is coming
in on... the reason is that each user has a different Framed-IP-Address
I try to explain better what I want.
My freeradius server is 10.0.0.1 and the router that use the radius service
is 192.168.0.1 and I try to connecto to the router from my pc with ip
address 172.16.0.1
The log report this information:
Auth: Login OK: [test] (from client myhomenetwork-network
Hi,
how to use (a remote) pop3 server with (a local) freeradius to authenticate
users?
thanks
v.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Am Mittwoch, 23. Juli 2008 09:44 schrieb Vittore Zen:
Hi,
how to use (a remote) pop3 server with (a local) freeradius to authenticate
users?
thanks
v.
What POP3 server?
What methods is this using to authenticate (sasl, unix, pam, ...)?
If PAM, see:
http://freeradius.org/pam_radius_auth/
Vittore Zen wrote:
how to use (a remote) pop3 server with (a local) freeradius to
authenticate users?
What do you want to do? Authenticate pop3 users via RADIUS, or have
FreeRADIUS check the pop3 server for valid users?
If (1), see the pop3 documentation for any RADIUS and/or PAM
Danilo Molini wrote:
I try to explain better what I want.
My freeradius server is 10.0.0.1 and the router that
use the radius service is 192.168.0.1 and I try to
connecto to the router from my pc with ip address 172.16.0.1
'connect... how? Administrator login on the router? Please be
splintered thoughts wrote:
I've trying to get ntlm_auth to authenticate several supplicants using
freeradius 1.1.6,
Upgrade.
Is there a way to use regular expressions or otherwise to inspect the
Stripped-User-Name to adjust which radius attribute is used in the
ntlm_auth command, in
Lech Karol Pawłaszek wrote:
I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work with Windows Vista
Right. The log lists short name from clients.conf which is a descriptive
name that you give to your routers (so you can tell them apart easier
than with IPs). So, login attempt was onto the router you called
myhomenetwork-network.
Ivan Kalik
Kalik Informatika ISP
Dana 23/7/2008, Danilo Molini
rlm_pap: No clear-text password in the request. Not performing PAP.
++[pap] returns noop
auth: No User-Password or CHAP-Password attribute in the request
auth: Failed to validate the user.
Are you sure your supplicant is set to use PAP inside TTLS? You have
disabled chap and mschap on the server
I'm sorry! I try to connect in telnet...
Moreover, probably I solved my problem with your suggestion.
In the clients.conf I create a specific client for each host on my network,
like this:
client 192.168.0.1/32 {
secret = secret
shortname = router
}
Gurus,
normally, I would do a short check, but currently I've no connection to one
of my running FR, but have to plan some extensions.
Has someone of you done something like the following?
Regarding 'hints' - file: Would it be possible to use
- $INCLUDE /path/file?
- Fall-Trough?
- temp A/V
Gurus,
For my Application, I have to build a central error file, which will be
parsed by the HP Openview agents for monitoring.
I'd like to write major errors raised by FR also into this file. It would be
enough to have the DB errors in there.
How can I configure FR, that these Messages are
Gurus,
Would it be possible to BCD decode a VSA value coming from the NAS?
I'm working in 3GPP environment.
Some of my older GGSNs are sending the 3GPP-IMEISV as it will be delivered
to them by the SGSN, which is BCD encoded. They just put the information
into the 3GPP VSA. Times ago, it was not
Hi,
I am using freeradius 2.0.5 with MySQL, I am very new to Radius and
FreRadius so please pardon my ignorance
I need to reject user if his NAS-IP-Address input attribute does not match
check attributes defined for his group.
For example radgroupcheck
| 1 | GROUP1 | NAS-IP-Address | == |
leopold wrote:
If user is coming from NAS-IP-Address x.x.x.1 or x.x.x.2 or x.x.x.3 the user
should be accepted and reply attributes are sent back
If however if user is coming from NAS-IP-Address y.y.y.1 he should be
rejected (even in the case he provide a valid password and NAS y.y.y.1 is
Hello
We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (ie, staff, student, faculty, etc..):
groupmembership_attribute = eduPersonPrimaryAffiliation, (where
Stefan A. wrote:
Gurus,
normally, I would do a short check, but currently I've no connection to one
of my running FR, but have to plan some extensions.
Has someone of you done something like the following?
Regarding 'hints' - file: Would it be possible to use
- $INCLUDE /path/file?
Alan DeKok wrote:
Lech Karol Pawłaszek wrote:
I've tested my configuration with eapol_test command (as suggested at
this site[1]) and it works fine. I've tested it against MacOsX 10.4 and
MacOsX 10.5 and it works fine. I even tested it against Windows XP SP2
and it works fine. It doesn't work
Thank you !
Cristian NOVAC
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Lech Karol Pawłaszek wrote:
Vista and XP3 are broken. Microsoft does this deliberately.
Is there any way to un-break it?
Ask Microsoft. I'll ask some of the people who may be (partially)
responsible next week.
I know this is not the place to ask such questions however is there any
Hi,
I'm a new user in freeRADIUS.
I'd like to do a solution like token authentication.
Firts step.
User is authorized by user/password.
Secound step:
For the authentication from LDAP is taken further informations (like UID, date
of birth) and user is asked about it.
I think it is something
Thank you!!!
Cristian Novac.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
The problem is that all the users are valid and SQL module returns OK
replyattribute list is empty, so I need somehow reject the user
I did some dirty workaround
if (!reply:Service-Type) {
# reply list does not contain Service-Type
reject
}
See in debug
Alan DeKok wrote:
Lech Karol Pawłaszek wrote:
Vista and XP3 are broken. Microsoft does this deliberately.
Is there any way to un-break it?
Ask Microsoft. I'll ask some of the people who may be (partially)
responsible next week.
I know this is not the place to ask such questions
Sergio escribió:
HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
freeradius tell me this:
rlm_eap_tls: TLS 1.0 Handshake [length
Firts step.
User is authorized by user/password.
That would be radius.
Secound step:
For the authentication from LDAP is taken further informations (like UID, date
of birth) and user is asked about it.
That would be web or some other application that you will need to write.
You sould probably
See in debug output a valid user with valid password comes from wrong
NAS-IP-Address which does not belong to check attributes of the user's group
++[sql] returns ok
That is wrong. If group check fails sql should return notfound. Check
your sql entries again. Have you altered default sql queries
Ivan,
Even with default SQL query it returns OK, because user is defined properly,
it is just check attributes of group do not match
I went to the code and I saw that rlm_sql_process_groups function causes the
whole module to return OK even though NAS-IP-Address attribute does not
match
Note it
http://msdn.microsoft.com/en-us/library/aa813696(VS.85).aspx
To enable logging do the following:
- Netsh wlan set tra yes
- netsh ras set tr * en
- Reproduce your problem
- netsh ras set tr * dis
- Netsh wlan set tra no
If you go to the %windir%\tracing\wireless\ directory you will a load of
Dnia 2008-07-23, śro o godzinie 16:28 +0100, Ivan Kalik pisze:
Firts step.
User is authorized by user/password.
That would be radius.
Secound step:
For the authentication from LDAP is taken further informations (like UID,
date of birth) and user is asked about it.
That would be web
It seems that rlm_sql_process_groups in rlm_sql.c does not handle this
situation
1. If paircompare fails in rlm_sql_process_groups it should not return
found=1
2. rlm_sql_authorize should handle return code of rlm_sql_process_groups so
that if it is not found it should actually return not found
krzychk2 wrote:
I'd like to do a solution like token authentication.
Token authentication is usually done as part of an existing
authentication protocol.
Which authentication protocol do you plan on using?
Firts step.
User is authorized by user/password.
Secound step:
For the
Dnia 2008-07-23, śro o godzinie 21:06 +0200, Alan DeKok pisze:
krzychk2 wrote:
I'd like to do a solution like token authentication.
Token authentication is usually done as part of an existing
authentication protocol.
Which authentication protocol do you plan on using?
Alan DeKok.
Sergio escribió:
Sergio escribió:
HI,
continuing with Reveal MAP problem with unknown ca's under eap-tls
using default configuration
private_key_file = ${certdir}/server.pem
certificate_file = ${certdir}/server.pem
CA_file = ${cadir}/ca.pem
freeradius tell me this:
rlm_eap_tls: TLS 1.0
No, it should return notfound.
I can confirm this. If check is put in radcheck table user will be
rejected but if check (that should fail) is put in radgroupcheck table
user is authenticated. That is not how things should work. It should
return notfound if there is no match in radgroupcheck too.
40 matches
Mail list logo
