Re: Username with spaces (MySQL)

2013-04-18 Thread Wilco Baan Hofman
On Wed, 2013-04-17 at 22:03 -0500, Andres Gomez Ruiz wrote: So I have many users using the same username putting one, two, three, ...etc., spaces after the username. How can I solve this situation? Maybe with a SQL query that ignores the spaces in the username? (talking about the

Re: Username with spaces (MySQL)

2013-04-18 Thread Marinko Tarlać
You can add if (%{User-Name} =~ / /) { reject } at the start of the authorize section. This rule will reject user(s) in case they add blank spaces before or after the username... On 18.4.2013 9:47, Wilco Baan Hofman wrote: On Wed, 2013-04-17 at 22:03 -0500, Andres Gomez Ruiz

Re: Username with spaces (MySQL)

2013-04-18 Thread A . L . M . Buxey
Hi, You can add if (%{User-Name} =~ / /) { reject } at the start of the authorize section. This rule will reject user(s) in case they add blank spaces before or after the username... invoke a policy. there are examples and usable methods already in policy.conf (2.x) and
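
As an added example (not code from this thread or from the FreeRADIUS distribution), this is what the policy the replies point to can look like in FreeRADIUS 2.x unlang. The policy name reject_whitespace_username is an assumption; it lives in policy.conf and is invoked at the top of the authorize section in sites-enabled/default, before the sql module, so a padded User-Name never reaches the database query. It matches any whitespace, not only a single space:

```unlang
#  policy.conf (FreeRADIUS 2.x) -- added example; the policy name is hypothetical
reject_whitespace_username {
        #  Leading, trailing or embedded whitespace of any kind in User-Name
        #  gets an explanatory Reply-Message and an Access-Reject.
        if (User-Name =~ /[[:space:]]/) {
                update reply {
                        Reply-Message := "User-Name must not contain whitespace"
                }
                reject
        }
}

#  sites-enabled/default -- run the policy before any lookup touches the database
authorize {
        reject_whitespace_username
        preprocess
        suffix
        eap
        sql
        pap
}
```

Rejecting rather than trimming is deliberate: silently stripping spaces would let "user" and "user " authenticate as the same account while the accounting and SQL rows still differ, which is the situation the original poster describes.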

Re: captive portal auth with freeradius

2013-04-18 Thread Chitrang Srivastava
What I found from the wiki is that we don't need to set Auth-Type; freeradius will determine it from the request automatically, so I removed DEFAULT Auth-Type = Reject from the users file, is that OK? With this at least radtest starts working but still the request from the captive portal didn't work. What I found

pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Alberto Aldrigo
Hi everybody, I'm having some problems with freeradius and ldap authentication. I need to authenticate a user connecting in vpn to my pptpd daemon, which will ask permission to freeradius. I installed freeradius and configured it to use ldap in this way (I stripped comments to shorten the

Re: pptpd+freeradius+ldap ERROR: No authenticate method (Auth-Type) found for the request: Rejecting the user

2013-04-18 Thread Adam Bishop
On 18 Apr 2013, at 11:43, Alberto Aldrigo aaldr...@ca-tron.com wrote: rad_recv: Access-Request packet from host 10.1.98.52 port 45105, id=139, length=77 Service-Type = Framed-User Framed-Protocol = PPP User-Name = user Calling-Station-Id = 10.1.0.136 NAS-IP-Address =

Re: Sending a disconnect message when replying with an access reject.

2013-04-18 Thread Matthew Newton
On Thu, Apr 18, 2013 at 05:52:16PM +1200, Peter Lambrechtsen wrote: When I setup the post-auth policy to send a update disconnect it works fine if the response is an access accept. But if I update the control to access reject the disconnect module gives me a noop. As a guess: The

Re: Username with spaces (MySQL)

2013-04-18 Thread Tony Peña
Hi, I had the same trouble in version 1.x of radius and had to do queries like the above with regex... but luckily in the new version 2.x you just have to enable the policy.conf in the authorization module and your problem will be solved. Regards. 2013/4/18 a.l.m.bu...@lboro.ac.uk Hi, You

Re: captive portal auth with freeradius

2013-04-18 Thread Alan DeKok
Chitrang Srivastava wrote: What I found from the wiki is that we don't need to set Auth-Type; freeradius will determine it from the request automatically, so I removed DEFAULT Auth-Type = Reject from the users file, is that OK? With this at least radtest starts working but still the request from the captive

Re: captive portal auth with freeradius

2013-04-18 Thread Chitrang Srivastava
debug logs are attached in the earlier reply, please see. On Thu, Apr 18, 2013 at 6:49 PM, Alan DeKok al...@deployingradius.com wrote: Chitrang Srivastava wrote: What I found from the wiki is that we don't need to set Auth-Type; freeradius will determine it from the request automatically, so I removed

Re: Profile-Name attribute

2013-04-18 Thread John Center
Hi Alan, On 04/17/2013 05:50 PM, Alan DeKok wrote: John Center wrote: I see this isn't defined in the v2.2 FreeRADIUS internal dictionary, though there is a gap in the numbering where it would be. If I understand it correctly, it looks like one could have a profiles file with individual

Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
Dear All, I am curious if it is possible today with FreeRADIUS to normalise the identity that is returned in the User-Name AVP in an Access-Accept? Hypothetically, let's say that a client uses the PEAP EAP type and logs in successfully using an inner-identity of its choosing in a valid format.

Re: captive portal auth with freeradius

2013-04-18 Thread Alan DeKok
Chitrang Srivastava wrote: debug logs are attached in the earlier reply, please see. No, they're not. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Alan DeKok
Nick Lowe wrote: I am curious if it is possible today with FreeRADIUS to normalise the identity that is returned in the User-Name AVP in an Access-Accept? Yes. You can do pretty much anything you want. RFC 2865 states in Section 5.1: [The User-Name AVP] MAY be sent in an Access-Accept

Re: Profile-Name attribute

2013-04-18 Thread John Center
Hi Matthew, On 04/17/2013 05:53 PM, Matthew Newton wrote: On Wed, Apr 17, 2013 at 05:04:11PM -0400, John Center wrote: it correctly, it looks like one could have a profiles file with individual named profiles defined containing NAS-specific text that would be sent back to the NAS as is upon

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
Thanks, Alan! I have got a feature request with Aerohive, our wireless vendor, to support treating the User-Name AVP as being authoritative which they are being pretty receptive and responsive to. (I think RADIUS clients need to stop treating the outer identity as being authoritative if and

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:06, Nick Lowe wrote: Thanks, Alan! I have got a feature request with Aerohive, our wireless vendor, to support treating the User-Name AVP as being authoritative which they are being pretty receptive and responsive to. (I think RADIUS clients need to stop treating the outer

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Alan DeKok
Nick Lowe wrote: It would be great if, rather than manually having to create mappings and rewrite the identity, having successfully performed authentication FreeRADIUS were able to inherently spit out the identity in a normalised form knowing the username and the realm. (Perhaps I am not

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
I would have thought that it is perfectly reasonable to return the identity back in the case you have roaming federations as long as it was an agreed requirement beforehand. I am of the opinion that this -should- be mandated as part of Eduroam, for example.

RE: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Brian Julin
Nick Lowe wrote: So, a compliant NAS that is able to treat the User-Name AVP as being authoritative would get to see the real, inner identity and in a normalised form. As an aside to the mechanics of this, if you do this, test your NAS under simulated user load. We found that our Cisco WLC

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
I would default the behaviour to not send the User-Name attribute in the Access-Accept but give the ability to have it trivially enabled with a toggle. And where it is enabled, by default, send it in the normalised user@realm format unless configured otherwise. (That would be the general case as

RE: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Brian Julin
Nick Lowe wrote: I would have thought that it is perfectly reasonable to return the identity back in the case you have roaming federations as long as it was an agreed requirement beforehand. I am of the opinion that this -should- be mandated as part of Eduroam, for example. I'd have to

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Alex Sharaz
What I'm doing at the moment: for our outward facing radius servers, with any inbound auth requests from york users elsewhere, I normalise the username in the Access-Accept packet to have the york.ac.uk realm appended if it's not there. A On 18 Apr 2013, at 16:43, Nick Lowe nick.l...@gmail.com
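
The rewrite described in this post, as an added example in FreeRADIUS 2.x unlang (not code from the poster or from the FreeRADIUS distribution). It goes in the post-auth section of sites-enabled/inner-tunnel, where User-Name is the authenticated inner TTLS/PEAP identity rather than the possibly anonymous outer one, and writes the canonical user@realm form into the outer Access-Accept via the outer.reply list. Assumptions: the tolower xlat from rlm_expr is available, york.ac.uk is the realm taken from the post and must be replaced with your own, and a realm-less inner identity belongs to that home realm. The thread's caveat stands: only do this where the NAS or visited site is entitled to see the real identity; for roaming federations CUI is the safer answer.

```unlang
#  sites-enabled/inner-tunnel, post-auth section (FreeRADIUS 2.x) -- added example
#  Runs after the inner identity has authenticated, so User-Name here is the
#  inner identity, never the outer (possibly "anonymous@realm") one.
post-auth {
        if (User-Name =~ /^([^@[:space:]]+)@([^@[:space:]]+)$/) {
                #  Inner identity already carries a realm: canonicalise case only.
                update outer.reply {
                        User-Name := "%{tolower:%{1}}@%{tolower:%{2}}"
                }
        }
        else {
                #  Bare inner identity: append the home realm (york.ac.uk is the
                #  realm from the post; substitute your own).
                update outer.reply {
                        User-Name := "%{tolower:%{User-Name}}@york.ac.uk"
                }
        }
}
```

Setting the attribute from the inner tunnel avoids depending on use_tunneled_reply to copy it outward, and the regex deliberately refuses identities with more than one @ or with whitespace, so those fall through to the else branch only if they have no @ at all; anything else keeps the NAS from seeing a malformed User-Name.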

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:29, Nick Lowe wrote: I would have thought that it is perfectly reasonable to return the identity back in the case you have roaming federations as long as it was an agreed requirement beforehand. Maybe, maybe not. If the home site were in a jurisdiction with data protection

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
As an aside to the mechanics of this, if you do this, test your NAS under simulated user load. We found that our Cisco WLC equipment didn't like that and leaked internal resources, which eventually ran out. We were adding some additional information to the username, so we had many more

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
That's a very fair point. A problem with anonymous identities though also comes where you have features at the edge that 'do things' based on the identity. Often you will just want an anonymised unique identity for each discrete user, but not necessarily their real identity. Food for thought...

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Alex Sharaz
So which id are you talking about? if it's the outer and the user has configured the machine correctly, all you're going to see is @realm - not much use other than it's that institution if it's the inner then o.k. you've got a realm from the outer user-name and a userid from the inner but any

Re: captive portal auth with freeradius

2013-04-18 Thread Chitrang Srivastava
Attaching Auth Type is MSCHAPv2 (TTLS) Data source is on LDAP radtest is working wifi authentication is also working ( configured the access point to use TTLS-MSCHAPv2) open wifi with captive portal (lighttpd) is *not* working What I found is captive portal server is sending a non-EAP message

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
I honestly don't see what the problem is with writing it yourself - it's not rocket science - but OTOH a set of examples in the default config would be a good thing too. No problem at all, rather, I would have simply thought that it lowers the barrier to entry, requiring less conscious thought

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Arran Cudbard-Bell
Agreed, the main concern for me would be leakage via wireless. I see the main purpose of identity privacy with PKI EAPs being to protect the identity from being trivially snooped by an outsider. With federations, I think it would be perfectly reasonable to expect and require the real

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:59, Nick Lowe wrote: That's a very fair point. A problem with anonymous identities though also comes where you have features at the edge that 'do things' based on the identity. Often you will just want an anonymised unique identity for each discrete user, but not necessarily their

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
So which id are you talking about? if it's the outer and the user has configured the machine correctly, all you're going to see is @realm - not much use other than it's that institution if it's the inner then o.k. you've got a realm from the outer user-name and a userid from the inner but

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Nick Lowe
Eduroam visited ORPS and home server ORPS should support CUI. Where the NAS at the visited site lacks support for CUI, and the NAS supports setting values for attributes associated with a session, a globally and temporarily unique identifier should be set (via Access-Accept/COA/SNMP) and

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread A . L . M . Buxey
Hi, in latest 2.x and 3.x code check out the canonicalisation policy - this sorts out the MAC format. you could do the same for the User-Name. note that there are data protection issues in play - for example, if a user has chosen (and is allowed) to use anonymous outerid, then why are you

Comware 3 Switches (3Com 4500, 5500, 5500G - H3C S3600, S5600) - EAPOL v2 and v3 being dropped.

2013-04-18 Thread Nick Lowe
Dear All, If anybody still uses any Comware v3 switches anywhere with 802.1X, they had a bug until recently where they would drop and not respond to all EAPOL v2 and v3 in flagrant violation of the 802.1X-2001 specification. These are switches such as: 3Com 4500, 5500 or 5500G series H3C S3600,

Re: Comware 3 Switches (3Com 4500, 5500, 5500G - H3C S3600, S5600) - EAPOL v2 and v3 being dropped.

2013-04-18 Thread Nick Lowe
In response to a private email I had asking for clarification, sorry, I meant the 10/100 4210s which run Comware v3, not 4210Gs which run Comware v5... The actual error you will see on such switches with terminal debugging enabled along with debugging dot1x all you'll see on afflicted devices is:

Re: Comware 3 Switches (3Com 4500, 5500, 5500G - H3C S3600, S5600) - EAPOL v2 and v3 being dropped.

2013-04-18 Thread Nick Lowe
Great, hit send by accident with a sentence half constructed. Hopefully you'll get the gist!

Re: Sending a disconnect message when replying with an access reject.

2013-04-18 Thread Peter Lambrechtsen
On Thu, Apr 18, 2013 at 11:35 PM, Matthew Newton m...@leicester.ac.uk wrote: On Thu, Apr 18, 2013 at 05:52:16PM +1200, Peter Lambrechtsen wrote: When I setup the post-auth policy to send a update disconnect it works fine if the response is an access accept. But if I update the control to access

Re: Comware 3 Switches (3Com 4500, 5500, 5500G - H3C S3600, S5600) - EAPOL v2 and v3 being dropped.

2013-04-18 Thread Paul Marchbank
Thanks for the heads up on this. We use some of these with dot1x. For reference to others, if you still have any 5500-SIs, that were discontinued years back, they do today run 5500-EI code with all features. Many folks still run these with old software because they do not know that this is the

Re: captive portal auth with freeradius

2013-04-18 Thread Matthew Newton
On Thu, Apr 18, 2013 at 09:37:06PM +0530, Chitrang Srivastava wrote: radtest is working wifi authentication is also working ( configured the access point to use TTLS-MSCHAPv2) ok. open wifi with captive portal (lightttpd) is *not * working right. What I found is captive portal server is