Hi,
I know this subject have been brought up but I'm kind of stuck and I hope
I can get a little help.
I am trying to assign vlans from freeradius to a cisco 3550 switch but its
not working.
I keep getting the following in the debug in the switch:
3w6d: RADIUS:
Hi Alan and thanks for your reply,
I changed it as you suggested and I still got the same behavior:
Users
wassim Cleartext-Password := wassim
Tunnel-Medium-Type = IEEE-802,
Tunnel-Type = VLAN,
Tunnel-Private-Group-Id = 100
Radiusd -X:
# Executing section post-auth from
On 04/25/2012 08:52 AM, Wassim Zaarour wrote:
Hi Alan and thanks for your reply,
I changed it as you suggested and I still got the same behavior:
You're sending the right replies; the problem is with the NAS. Suggest
you consult the Cisco docs.
The 3550 is an older switch; are you sure it
Hi Phil,
Look at this
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40162.html
The user says that it worked, I tried the attributes he used and still got
the same error.
On 4/25/12 11:10 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
On 04/25/2012 08:52 AM,
Hi all,
My PKI infrastructure is hierarchical, meaning that client certificate path
looks like below:
ROOT_CA-Sub1_CA-Sub2_CA-Client_Cert
Client_Cert Sub2_CA purposes are set correctly.
After I import client certificate (client.p12) into the Windows Cert Store
the following events occur:
-Root
As soon as I delete Sub2 CA (that is, the CA certificate of the certificate
authority which issued client's certificate) I am able to connect
successfully.
Does FR know this Sub2 CA? i.e: is CA certificate chain file referenced in
eap.conf?
If not, try to concatenate certificate authority
As I mentioned before CA_file in the eap.conf is set to
${cadir}/Sub2_CA_*entire_chain*.pem
Is there any difference between concatenated CA file and certificate chain?
Gabriel
Well, yes, there is. What I meant to say is, you need to set CA to a file
which has all the certificates of the chain: ROOT_CA, Sub1_CA and Sub2_CA.
When speaking to certificate files, I call the concatenated one
certificate chain file, but it's another concept:
I am seeing EAP in the messages. Have you enabled EAP in your inner-tunnel
or at all in your config?
Either way this seems pretty clear:
3w6d: RADIUS: no appropriate authorization type for user.
David
From:
Ok, to be sure that we understand each other...
My Sub2_CA_entire_chain.pem looks like this:
-BEGIN CERTIFICATE-
XX
-END CERTIFICATE-
-BEGIN CERTIFICATE-
Y
-END CERTIFICATE-
-BEGIN CERTIFICATE-
Hello everyone.
I have a very weird problem with my setup.
my clients.conf
client 127.0.0.1 {
secret = testing123
shortname = Localhost
}
client 20.20.20.20 {
secret = pfsense
shortname = pfsense
}
client 20.20.20.17 {
secret
On 25/04/12 09:28, Wassim Zaarour wrote:
Hi Phil,
Look at this
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40162.html
The user says that it worked, I tried the attributes he used and still got
the same error.
Then logically, the problem is at your end. Check the
On 25/04/12 10:39, jinx_20 wrote:
Is there any way to configure FreeRadius server to explicitly accept
intermediate CAs received from the client supplicant?
No, it should not be needed and should work; but there might be a logic
error in the various SSL verify options or callbacks; OpenSSL
Check that the firewall in front of your radius server accepts 1812 to
1814 tcp connections.
On Wednesday 25 April 2012 at 13:58 +0300, NorthPole wrote:
Hello everyone.
I have a very weird problem with my setup.
my clients.conf
client 127.0.0.1 {
secret = testing123
On 25/04/12 11:58, NorthPole wrote:
with this setup I can only connect through the pfsense's captive portal
when I try to use radtest in both localhost and the remote ubuntu I
get a nas not found response
You are running an external script, and it is giving the error. Fix the
external
2012/4/25 jinx_20 gabriel_skup...@o2.pl
Ok, to be sure that we understand each other...
My Sub2_CA_entire_chain.pem looks like this:
-BEGIN CERTIFICATE-
XX
-END CERTIFICATE-
-BEGIN CERTIFICATE-
Y
-END
Hi David,
Yes eap is enabled in both inner-tunnel and default configuration.
From: David Peterson dav...@wirelessconnections.net
Organization: Wireless Connections
Reply-To: dav...@wirelessconnections.net, FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Date:
Alexander Kulbiy wrote:
I'm trying to configure RADIUS server that would be used for
authentication of users in Wi-Fi network with WPA-enterprise encryption.
To do this I'm trying to use EAP + LDAP inside of freeradius.
The problem is that I see in log:
You edited the default configuration
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on
Feb 2 2012 at 15:38:19
OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you
really need it to help us I will set up a mirror testing PKI environment and
send you all
NorthPole wrote:
with this setup I can only connect through the pfsense's captive portal
when I try to use radtest in both localhost and the remote ubuntu I
get a nas not found response
That message is not part of the default configuration.
[pap] Found existing Auth-Type, not changing it.
Hi,
On Wed, Apr 25, 2012 at 01:47:09PM +0300, Alexander Kulbiy wrote:
Hello all,
I'm trying to configure RADIUS server that would be used for authentication
of users in Wi-Fi network with WPA-enterprise encryption. To do this I'm
trying to use EAP + LDAP inside of freeradius.
You're using
My worst fear came true...
Now I have to find why the custom(?) external script returns errors
and the guy who possibly wrote it quit ages ago.
I'll need coffee for this.
Thank you for the prompt and enlightening response. :-)
On Wed, Apr 25, 2012 at 2:20 PM, Phil Mayers p.may...@imperial.ac.uk
Hello all,
Thanks for your fast answers.
Matthew, as I understood from link you've posted I have to use TTLS/GTC to
be able to use MD5 passwords. Can you help me understand how can I do that?
I've tried to reset all configuration to default as Alan suggested but I
still see that MSCHAPv2 auth
Alexander Kulbiy wrote:
Matthew, as I understood from link you've posted I have to use TTLS/GTC
to be able to use MD5 passwords. Can you help me understand how can I do
that?
Edit the configuration on the client PC, to set TTLS/GTC.
I've tried to reset all configuration to default as Alan
Hi,
My worst fear came true...
Now I have to find why the custom(?) external script returns errors
and the guy who possibly wrote it quit ages ago.
I'll need coffee for this.
Read the script. It's likely that it has a list of NAS or queries a DB
for a list of NAS. You just need to ensure your
In the db the only relevant tables included my nas (ip 20.20.20.17)
In which conf file is the path of the external script defined?
On Wed, Apr 25, 2012 at 3:49 PM, alan buxey a.l.m.bu...@lboro.ac.uk wrote:
Hi,
My worst fear came true...
Now I have to find why the custom(?) external script
We are using the Cisco ACS 5.3 as a RADIUS for database authentication and
authorization. The purpose is to authenticate incoming users based on the
NAS-PORT-ID. The problem is that we cannot find any solution for the Service
Router (Alcatel 7750) to send the NAS-PORT-ID to act as USERNAME. The
Wassim Zaarour wrote:
Look at this
http://www.mail-archive.com/freeradius-users@lists.freeradius.org/msg40162.html
The user says that it worked, I tried the attributes he used and still got
the same error.
I don't even know how this was ever working for that user. On my wired switch
Hello Alan,
Finally I got it. I had to change client settings and now everything is
fine.
Thanks a lot,
Alexander
On Wed, Apr 25, 2012 at 3:45 PM, Alan DeKok al...@deployingradius.com wrote:
Alexander Kulbiy wrote:
Matthew, as I understood from link you've posted I have to use TTLS/GTC
to
Try configure your NAS to set the correct IP address in the
access-request packet for the NAS-IP-Address Attribute.
This is from your debug output:
rad_recv: Access-Request packet from host 20.20.20.17 port 55281,
id=56, length=67
User-Name = northpole
User-Password = 1234
Next time put something in subject so we can know something about your
problem... :)
On 25.4.2012 15:03, Xbert_badstuber wrote:
We are using the Cisco ACS 5.3 as a RADIUS for database authentication and
authorization. The purpose is to authenticate incoming users based on the
NAS-PORT-ID. The
I have a more of an abstract question as to proxy functionality. Can you do
the following:
b...@bob.com password test
bob.com - proxy to localhost
b...@bob.com - reply Access Deny
This would be the norm for that realm, just deny everyone.
Except for bob's boss:
b...@bob.com password
On Wed, Apr 25, 2012 at 09:19:58AM -0400, David Peterson wrote:
I have a more of an abstract question as to proxy functionality. Can you do
the following:
b...@bob.com password test
bob.com - proxy to localhost
b...@bob.com - reply Access Deny
This would be the norm for that realm,
On 25/04/12 12:42, jinx_20 wrote:
freeradius: FreeRADIUS Version 2.1.12, for host x86_64-pc-linux-gnu, built on
Feb 2 2012 at 15:38:19
OpenSSL 0.9.8o 01 Jun 2010
I wouldn't like to share our private production certificates but if you
really need it to help us I will set up a mirror testing PKI
Xbert_badstuber wrote:
The ACS requires a USERNAME and there is not a way to manipulate the
User-Name value once it is received.
Ugh. Use a real RADIUS server. :)
We heard that it could be possible to use the freeradius to act as a proxy
for the Cisco secure ACS.
This is what we
Awesome thanks! I will likely be in testing mode on this in the near future
so I will update the list when I get to that stage.
David
-Original Message-
From: Matthew Newton [mailto:m...@leicester.ac.uk]
Sent: Wednesday, April 25, 2012 9:57 AM
To: David Peterson-WirelessConnections;
Tobias you are absolutely right.
I managed to get the correct response :-)
now I only need to add functionality to parse for the source address :-)
thank you all
On Wed, Apr 25, 2012 at 4:11 PM, Tobias Hachmer li...@kokelnet.de wrote:
Try configure your NAS to set the correct IP address in the
Hello Axel,
Your German is good, but I'll answer in English.
You can download the daemon from the freeradius mailing list or the
attachment of this e-mail, I configured the following:
users:
DEFAULT Auth-Type := smsotp
sites-enabled/default:
authenticate {
Auth-Type smsotp {
Hehe, yes i know... :) That became a little bit wrong... ;)
Hello Axel,
Thanks a lot for your answer. Yet I see the complete process :-) If I
just want a normal PAP authent, It's just the same as your
configuration, but instead of ntlm_auth I let PAP, no?
yes, and use the following users entries:
Administrator Cleartext-Password := password,
Corey Jones wrote:
-- Forwarded message --
...
That's not nice. Is it really that difficult to post the *original*
message? Why forward a bounce?
I'm trying to get a freeradius server up and running but I'm having
trouble with the attributes I've included in the master
Hi Brian,
Thanks for your reply, where do I exactly need to put this configuration?
In the users file?
Do you have any experience with the 2960 switches?
Wassim
On 4/25/12 4:07 PM, Brian Julin bju...@clarku.edu wrote:
Wassim Zaarour wrote:
Look at this
Hi,
Thanks for your reply, where do I exactly need to put this configuration?
In the users file?
I can tell you right now that you don't need that hack to assign VLANs on cisco
switches (well, not if you are running reasonably up to date firmware on the
cisco devices anyway - i.e. something less
We are modifying the Wireless access to our LAN.
We are trying to use a Cisco WLC and our freeradius. We've been using this
same freeradius for authenticating users against the corporate LDAP. Now
we want WLC to talk to the radius server without losing any functionality
like user authentication
I have a working setup using FreeRadius 2.1.10 doing PEAP/MSCHAPv2 against a
2008 R2 Domain Controller via Samba 2.3.5.6 all running on Debian 6.0.4. My
clients are D-Link DWL3200 and D-Link DAP-2360 access points. I am using the
builtin Windows XP SP3 802.1x supplicant.
Currently FreeRadius
Alan Buxley wrote
I can tell you right now that you don't need that hack to assign VLANs on cisco
switches (well, not if you are running reasonably up to date firmware on the
cisco devices anyway - i.e. something less than 2 years old)
The latest public firmware for the 3550 is 3+ years old,
Hi,
On Wed, Apr 25, 2012 at 04:49:29PM -0300, Martin Silvero wrote:
Our main problem is that the vlan assignment is not working when
we use the WLC. The scenario with the APs talking to the radius
directly works fine, but when we use lightweight AP and the WLC
we can see that the vlan
On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote:
Currently FreeRadius will send back Access-Accepts for *both*
user and machine/host accounts (in the Active Directory context
of those terms). I would like to configure FreeRadius to ignore
or reject authentication requests using
Hi,
Currently FreeRadius will send back Access-Accepts for *both* user and
machine/host accounts (in the Active Directory context of those terms). I
would like to configure FreeRadius to ignore or reject authentication
requests using the user credentials. I spent the better part of
Hi,
Matthew, I would say the check is a little sparse and assumes
nothing else is in play... such as realms/proxying, for what if
my username was
host\u...@other.realm.com
It's quite likely that this user would get proxied back to their
home site. Hence better to ensure the regex pattern
Hi
On Wed, Apr 25, 2012 at 11:58:06PM +0100, alan buxey wrote:
Matthew, I would say the check is a little sparse and assumes
Yeah, good idea checking the RHS of the username - hadn't thought
of that (scuttles off to implement it :) )
Oh. Actually, yes, you should ignore that I said add it