reference to check items using unlang

2013-05-20 Thread Nasser Heidari
Hi All, How can I reference check items using unlang? When I use a perl script, I simply reference it by $RAD_CHECK. For example I want to check if there is a check item in the sql user profile, then do some actions using unlang and if not then ignore it. By the way I know that I can do that by

Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Robert
Hi, I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods: EAP PEAP/TLS, EAP PEAP/EAP-TLS? The client I use is wpa_supplicant v0.6.9. Regards, Robert - List info/subscribe/unsubscribe? See

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
It supports EAP with TTLS, TLS and PEAP, yes. Look at eap.conf - you can configure all supported options in there. Regards Stefan

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote: It supports EAP with TTLS, TLS and PEAP, yes. Look at eap.conf - you can configure all supported options in there. Not sure you've understood what he's asking there; he wants to know if you can do PEAP with EAP-TLS as an inner. The main

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 09:02, Robert wrote: Hi, I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods: See here: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/

RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. According to this conversation: http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html - FR does support PEAP-EAP-TLS :-) Stefan

Re: reference to check items using unlang

2013-05-20 Thread Arran Cudbard-Bell
On 20 May 2013, at 03:03, Nasser Heidari nas...@rasana.net wrote: Hi All, How can I reference check items using unlang? When I use a perl script, I simply reference it by $RAD_CHECK. For example I want to check if there is a check item in the sql user profile, then do some actions using

Limit ADSL speed using radius?

2013-05-20 Thread Cooper, Tom
Hi all, How can one limit the ADSL speed on a per customer basis using freeradius? I have been trying a radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people recommend, but it does not look like it is working. I have been surfing the freeradius wiki for days now but no luck. I am

Re: Limit ADSL speed using radius?

2013-05-20 Thread Jonathan Bastin
What routers are you using for this? Regards, Jonathan Bastin - Reply message - From: Cooper, Tom tcoo...@fnb.co.za Subject: Limit ADSL speed using radius? Date: Mon, May 20, 2013 12:50 Hi all, How

Re: Limit ADSL speed using radius?

2013-05-20 Thread Fajar A. Nugraha
On Mon, May 20, 2013 at 6:47 PM, Cooper, Tom tcoo...@fnb.co.za wrote: Hi all, How can one limit the ADSL speed on a per customer basis using freeradius? Look at your NAS (i.e. BRAS hardware, rp-pppoe, whatever) documentation (or ask the vendor) to see what attributes it recognizes to limit

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote: Ahhh. According to this conversation: That's a really old conversation. See instead the link I posted in my other email.

Re: Limit ADSL speed using radius?

2013-05-20 Thread Phil Mayers
On 20/05/13 12:47, Cooper, Tom wrote: Hi all, How can one limit the ADSL speed on a per customer basis using freeradius? I have been trying a radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people recommend, but it does not look like it is working. Ok, and what does that mean. It is

Re: Limit ADSL speed using radius?

2013-05-20 Thread Cooper, Tom
We are in South Africa and using the local telco company's NAS'es. They have a mixture of them. Problem is that we have in excess of 450 000 users. On 20/05/2013 13:57, Jonathan Bastin wrote: What routers are you using for this? Regards, Jonathan Bastin

Re: Limit ADSL speed using radius?

2013-05-20 Thread Jonathan Bastin
Issue is each NAS vendor needs different commands. Cisco is av-pair rate limit. You already have Mikrotik so you need to know what you are dealing with. Regards, Jonathan Bastin - Reply message - From: Cooper, Tom tcoo...@fnb.co.za

RE: reference to check items using unlang

2013-05-20 Thread Nasser Heidari
I've already tried and it doesn't work. For example, I want to check for existence of a custom check-item in user profiles with unlang, I try this: If(control:custom_check_item) { ... } This always returns true in my case, doesn't matter if a user has custom_check_item in his profile or not.

Re: Limit ADSL speed using radius?

2013-05-20 Thread Alan DeKok
Cooper, Tom wrote: We are in South Africa and using the local telco company's NAS'es. They have a mixture of them. The rate-limiting attributes are vendor-specific. And some vendors have *no* rate-limiting attributes. Problem is that we have in excess of 450 000 users. That makes it

Re: Limit ADSL speed using radius?

2013-05-20 Thread Richard Siddall
Cooper, Tom wrote: We are in South Africa and using the local telco company's NAS'es. They have a mixture of them. Problem is that we have in excess of 450 000 users. Does the telco filter attributes you're sending back? Some wholesalers protect their networks by limiting the attributes

Re: reference to check items using unlang

2013-05-20 Thread Alan DeKok
Nasser Heidari wrote: I've already tried and it doesn't work. That's a fairly useless response. For example, I want to check for existence of a custom check-item in user profiles with unlang, I try this: If(control:custom_check_item) { ... } This always returns true in my case,

Re: Limit ADSL speed using radius?

2013-05-20 Thread Kieran Murphy
Hi Tom, You need to contact Telkom and ask them for their dictionaries. They have some rather unique attributes. On 20 May 2013 15:26, Cooper, Tom tcoo...@fnb.co.za wrote: We are in South Africa and using the local telco company's NAS'es. They have a mixture of them. Problem is that we have in

Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote: Thanks Alan, It takes literally a second or so for a single client auth, but problems arise with multiple clients. I'll reset a card on the switch and capture the logs and see what's happening. Nothing as far as I remember pointed towards the

RE: Limit ADSL speed using radius?

2013-05-20 Thread stefan.paetow
Hi Tom, Would it be useful to ask Telkom SA and Broadband Infraco for the models of the NASes they use and possibly their dictionaries? Although from what I understand from a GLUG post, that information is... well... difficult to get hold of (even when you're a big fish like Internet

Unlang clarification

2013-05-20 Thread David Peterson
I am fighting a buggy NAS and was told to add to the /sites-enabled/default file in the post-auth section this code: EAP-Message = 0x04040004 User-Name !* 0x00 Message-Authenticator = %{Message-Authenticator} Can

Re: Unlang clarification

2013-05-20 Thread Arran Cudbard-Bell
On 20 May 2013, at 09:34, David Peterson dav...@wirelessconnections.net wrote: I am fighting a buggy NAS and was told to add to the /sites-enabled/default file in the post-auth section this code: EAP-Message = 0x04040004 User-Name !* 0x00

RE: Unlang clarification

2013-05-20 Thread David Peterson
Hmmm...strange. Actually that code was in the post-auth reject section and this is in the post-auth section: update reply { User-Name !* 0x00 #removes the User-Name from the Access-Accept } Any thoughts as to why they would add these? David

RE: Unlang clarification

2013-05-20 Thread stefan.paetow
The real username in an EAP conversation is inside the encrypted EAP packets, i.e. inside an EAP-TLS tunnel. The one in plain-text is a throw-away one (often just @realm or anonymous@realm). I can only surmise that the update reply in this case wants to ensure that no User-Name attribute

RE: Limit ADSL speed using radius?

2013-05-20 Thread Parham Beheshti
Tom, When you receive radius packets, you can pretty much tell what it is from the headers themselves. Usually there are some hints in the attribute or the way they format stuff. Can you post one of the packets with all attributes the NAS is sending you? Maybe I can guess what it is. But for sure

Re: Unlang clarification

2013-05-20 Thread Nick Lowe
When you are using a traditional EAP type, the identity seen in the EAPOL exchange is authoritative and can be trusted. (Returning a User-Name AVP in an Access-Accept is unnecessary in this case unless it needs to be normalised or customised, and is optional as part of the RADIUS RFCs.) When you

Re: Unlang clarification

2013-05-20 Thread Nick Lowe
*You can of course mandate something like the outer identity must equal the inner identity, or require anonymous@..., which would make the identity spoofing issue one of anonymisation alone.

using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz
Hi, I've written a mysql stored procedure that accepts 2 arguments, the NAS-IP-Address of one of our (HP) switches and the Calling-Station-Id of a network client (it's a MAC auth so the User-Name=Calling-Station-Id below). The procedure then queries various back end database tables to

Re: using unlang to call a stored procedure

2013-05-20 Thread Phil Mayers
On 20/05/13 16:55, Alex Sharaz wrote: In this case I've got Tmp-String-0 := %{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')} get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius gives me /etc/freeradius/sites-enabled/default[248]:

Re: Authenticate SSH users against Freeradius

2013-05-20 Thread Matt Zagrabelny
On Mon, May 20, 2013 at 12:58 PM, Roberto Carna robertocarn...@gmail.com wrote: Dear, I have: (A) One Freeradius server on Debian 6: freeradius installation and client.conf configuration (B) Another Debian 6 box with sshd: libpam-radius-auth installation (C) Several Windows and Linux ssh

RE: Limit ADSL speed using radius?

2013-05-20 Thread Brent Wilkinson
The reply should be Mikrotik-Rate-Limit += 512k/1024k. See http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client for all options and double check spelling. Thanks Brent Hi all, How can one limit the ADSL speed on a per customer basis using freeradius? I have been trying a radiusReplyItem:

Virtual server setup

2013-05-20 Thread Vincent Rusilowicz
Hi, I am new to FreeRadius and am having some difficulty setting it up. My goal is to have requests from separate IP addresses authenticate to separate user files. I have read through the documentation and see this is possible but I can not get it to work. Can anyone provide a list of steps or

Re: using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz
On 20 May 2013, at 17:16, Phil Mayers wrote: On 20/05/13 16:55, Alex Sharaz wrote: In this case I've got Tmp-String-0 := %{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')} get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius

Re: using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz
Many thanks Phil, all sorted. Wrapping the sql: statement with an update control fixed the Unknown Action error. Haven't checked that I'm returning the correct stuff yet, but I'm past this particular problem Rgds Alex On 20 May 2013, at 17:16, Phil Mayers wrote: On 20/05/13 16:55, Alex

RE: Radius vs Tacacs+

2013-05-20 Thread Brian Julin
Roberto Carna wrote: Dear, my chief asks me to choose between Tacacs+ and Radius for switches and Linux SSH user authentication. This depends primarily on your cryptographic needs, and

Re: Radius vs Tacacs+

2013-05-20 Thread Alan DeKok
Roberto Carna wrote: Dear, my chief asks me to choose between Tacacs+ and Radius for switches and Linux SSH user authentication. Linux authentication doesn't really use TACACS+ or RADIUS. I see radius is universally supported for every device and OS, but I can't tell so much about Tacacs+

Re: Virtual server setup

2013-05-20 Thread Alan DeKok
Vincent Rusilowicz wrote: Hi, I am new to FreeRadius and am having some difficulty setting it up. Why? The default configuration works. You should be able to make minor changes to it for things like IP assignment. My goal is to have requests from separate IP addresses authenticate to

RE: Help with chap

2013-05-20 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks for the help. Anecdotally, before I get into serious discovery, I've been running the freeradius process in extra debugging mode -xx. I'd read somewhere that -X makes it run single threaded, but along those lines of thinking I wondered if -xx and the extra debug was causing any

Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote: Thanks for the help. Anecdotally, before I get into serious discovery, I've been running the freeradius process in extra debugging mode -xx. I'd read somewhere that -X makes it run single threaded, but along those lines of thinking I wondered if