Re: Limit ADSL speed using radius?

2013-05-20 Thread Cooper, Tom
Hi,
by not working I mean that if I authenticate on a 4MB line but set the 
speed to 384k I still get 4MB. Thanks for all the other replies, though. 
I must admit that dealing with Telkom is a formidable task. I will try 
to get hold of their dictionary, though.



On 20/05/2013 14:03, Phil Mayers wrote:
> On 20/05/13 12:47, Cooper, Tom wrote:
>> Hi all,
>>
>> How can one limit the ADSL speed on a per customer basis using
>> freeradius? I have been trying a
>> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
>> recommend, but it does not look like it is working.
>
> Ok, and what does that mean. "It is not working" is too vague.
>
> Have you run under debug mode ("radiusd -X") and checked that the
> attribute is being returned? If not, have you read the debug to see why?
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>


Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks for the help.
>   Anecdotally, before I get into serious discovery, I've been running
> the freeradius process in extra debugging mode -xx. I'd read somewhere
> that -X makes it run single threaded, but along those lines of thinking
> I wondered if -xx and the extra debug was causing any performance
> issues. I may be off at completely the wrong tangent, but the problem is
> interesting and I like the odd tangent..

  Single-threaded versus multiple threads doesn't usually make a big
difference.

> Anyway, anecdotally as I said, with the server running in fresh from a
> reboot, no debugging, and upping the vm to 4 core instead of 1 (just
> playing), the problem seems vastly reduced. Nearly all clients are
> authenticated within 10 seconds,

  Any modern CPU should be able to do 100's of EAP sessions per second.
 If yours can't do that, it was under-provisioned.  That's why adding
more CPUs helped: you gave it more CPU power.

> the consistent off ones are some
> ancient mitel voip phones with pcs running off the back, which the
> switch simply doesn't "see" for ages. It just sits there and eventually
> just sends an auth request. In many cases the switch "sec" debug doesn't
> even report the mac address or any activity for this weird phone, but
> the FR linelog shows it authenticated fine. Really strange.

  Well, that's a switch problem.

> By the way, if I was to do chap, since I'm running ldap against AD - no
> available plaintext or other passwords, but I'm running mac-based auth,
> can I just use the authorize process to check for "notfound" and check
> the useraccountcontrol setting is correct from an attribute mapping (or
> just use the useraccountcontrol in an ldap filter and rely on not
> found), then just set the cleartext-password attribute to be
> %{username} using some more unlang , then do nothing special in the chap
> authentication bit, just let it "ok" with the plaintext password or is
> that just all wrong? I figure I don't *really* need a password for
> mac-based auth, since it's always going to be == to the username?

  That's one huge sentence.  I can't make heads or tails of it.

  Alan DeKok.


RE: Help with chap

2013-05-20 Thread Franks Andy (RLZ) IT Systems Engineer
Thanks for the help.
  Anecdotally, before I get into serious discovery, I've been running
the freeradius process in extra debugging mode -xx. I'd read somewhere
that -X makes it run single threaded, but along those lines of thinking
I wondered if -xx and the extra debug was causing any performance
issues. I may be off at completely the wrong tangent, but the problem is
interesting and I like the odd tangent..
Anyway, anecdotally as I said, with the server running in fresh from a
reboot, no debugging, and upping the vm to 4 core instead of 1 (just
playing), the problem seems vastly reduced. Nearly all clients are
authenticated within 10 seconds, the consistent off ones are some
ancient mitel voip phones with pcs running off the back, which the
switch simply doesn't "see" for ages. It just sits there and eventually
just sends an auth request. In many cases the switch "sec" debug doesn't
even report the mac address or any activity for this weird phone, but
the FR linelog shows it authenticated fine. Really strange.
Anyone else got any reports of the procurve switches just sitting there
waiting for something to happen?
The failure of the responses seemed previously to have kicked the switch
into waiting ages then retrying later (the retry is set to 30 seconds
but it was way longer). Anyway, the lack of debug seems to have helped
quite a bit.

By the way, if I was to do chap, since I'm running ldap against AD - no
available plaintext or other passwords, but I'm running mac-based auth,
can I just use the authorize process to check for "notfound" and check
the useraccountcontrol setting is correct from an attribute mapping (or
just use the useraccountcontrol in an ldap filter and rely on not
found), then just set the cleartext-password attribute to be
%{username} using some more unlang , then do nothing special in the chap
authentication bit, just let it "ok" with the plaintext password or is
that just all wrong? I figure I don't *really* need a password for
mac-based auth, since it's always going to be == to the username?

Thanks for the input
Andy

-Original Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradiu
s.org] On Behalf Of Alan DeKok
Sent: 20 May 2013 14:01
To: FreeRadius users mailing list
Subject: Re: Help with chap

Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks Alan,
>   It takes literally a second or so for a single client auth, but
> problems arise with multiple clients. I'll reset a card on the switch
> and capture the logs and see what's happening. Nothing as far as I
> remember pointed towards the ntlm_auth being the issue, it was the
> failure to complete the eap transaction that seemed to be the problem,
> but then I didn't scan each and every line to be honest.

  See http://deployingradius.com/

  It has instructions for testing PEAP via eapol_test.  That lets you do
some limited performance checks.

  An alternative is to configure a static user/password.  Do performance
checks using that user.  If it's a lot faster than ntlm_auth, then the
problem is likely ntlm_auth.

  Alan DeKok.


Re: Virtual server setup

2013-05-20 Thread Alan DeKok
Vincent Rusilowicz wrote:
> Hi, I am new to FreeRadius and am having some difficulty setting it up.

  Why?  The default configuration works.  You should be able to make
minor changes to it for things like IP assignment.

> My goal is to have requests from separate IP addresses authenticate to
> separate user files.

  That's possible, but probably not exactly what you want.  i.e. you're
talking about a *solution*.  You should instead be talking about the
*problem* you're trying to solve.

> I have read through documentation and see this is possible but I can not
> get it to work.

  Well... that isn't a useful statement.  You haven't said what you
tried to do, or what happened when you did tests.

>  Can anyone provide a list of steps or example to guide
> me through this.  I seem to be getting stuck at configuring the virtual
> server.  Thanks in advance.

  See raddb/sites-available/README.

  What *specific* questions do you have?

  And what's hard about configuring the virtual server?  Copy the
"default" one, and re-use it.  It's an example of a virtual server that
works.

  Alan DeKok.


Re: Radius vs Tacacs+

2013-05-20 Thread Alan DeKok
Roberto Carna wrote:
> Dear, my chief ask me to choose between Tacacs+ and Radius for switches
> and Linux SSH user authentication.

  Linux authentication doesn't really use TACACS+ or RADIUS.

> I see radius is universally supported for every device and OS, but I
> can't tell so much about Tacacs+ because I don't know very well.

  TACACS+ is Cisco only.

> Can you give me your opinion about the best choice between radius and
> tacacs+???

  If you want an industry standard protocol used by every switch vendor,
use RADIUS.  If you want Cisco, use TACACS+.

  Alan DeKok.


RE: Radius vs Tacacs+

2013-05-20 Thread Brian Julin

> Roberto Carna wrote:
> Sent: Monday, May 20, 2013 3:43 PM
> To: FreeRadius users mailing list
> Subject: Radius vs Tacacs+
> 
> Dear, my chief ask me to choose between Tacacs+ and Radius for switches
> and Linux SSH user authentication.

This depends primarily on your cryptographic needs, and secondarily on
your needs for a consolidated AAA environment.

While there are options to provide stronger cryptography for RADIUS,
those options are not generally implemented by vendors in switch RADIUS clients.
If you are passing your AAA sessions over networks which may leak data,
the basic RADIUS secret may not offer the level of protection you need.

However, if you feel secure that your control plane is protected, you may
want to consider RADIUS as it has better cross-vendor compatibility and
also because it can integrate multiple AAA scenarios quite easily, centralizing
your AAA services in one place without as much time invested for integration
between systems.
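
What the "basic RADIUS secret" does and does not cover, as an added example (not code from this thread; the secret, user, password and addresses are constructed sample values). It builds an Access-Request with the RFC 2865 section 5.2 User-Password hiding and then lists what is readable on the wire without the secret.

```python
import hashlib
import struct

USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 section 5.2: XOR the padded password with an MD5 keystream."""
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16
    hidden, previous = b"", authenticator
    for offset in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = bytes(p ^ k for p, k in zip(padded[offset:offset + 16], keystream))
        hidden += block
        previous = block  # the next block is keyed on this ciphertext block
    return hidden


def unhide_password(hidden, secret, authenticator):
    """Server side: reverse the hiding using the same shared secret."""
    plain, previous = b"", authenticator
    for offset in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + previous).digest()
        block = hidden[offset:offset + 16]
        plain += bytes(c ^ k for c, k in zip(block, keystream))
        previous = block
    return plain.rstrip(b"\x00")


def attribute(attr_type, value):
    """Encode one attribute as Type, Length, Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(identifier, authenticator, user, password, secret, nas_ip):
    """Build an Access-Request (code 1) with three attributes."""
    attrs = (attribute(USER_NAME, user)
             + attribute(USER_PASSWORD, hide_password(password, secret, authenticator))
             + attribute(NAS_IP_ADDRESS, bytes(nas_ip)))
    return struct.pack("!BBH", 1, identifier, 20 + len(attrs)) + authenticator + attrs


def parse_packet(packet):
    """Split a RADIUS packet into its authenticator and attributes. No secret needed."""
    if len(packet) < 20:
        raise ValueError("RADIUS packet shorter than its 20-byte header")
    _code, _identifier, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    authenticator, attrs, pos = packet[4:20], {}, 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        attr_type, attr_len = packet[pos], packet[pos + 1]
        if attr_len < 2 or pos + attr_len > length:
            raise ValueError("bad attribute length")
        attrs[attr_type] = packet[pos + 2:pos + attr_len]
        pos += attr_len
    return authenticator, attrs


def on_the_wire_view(packet):
    """Fields any host on the path can read from the request without the secret."""
    _, attrs = parse_packet(packet)
    return {
        "User-Name": attrs[USER_NAME].decode(),
        "NAS-IP-Address": ".".join(str(b) for b in attrs[NAS_IP_ADDRESS]),
        "User-Password (hidden bytes)": attrs[USER_PASSWORD].hex(),
    }


# Constructed sample values. A real client uses a random 16-byte authenticator;
# a fixed one is used here so the output is reproducible.
SECRET = b"constructed-shared-secret"
AUTHENTICATOR = bytes(range(16))
PACKET = build_access_request(1, AUTHENTICATOR, b"alice", b"correct horse battery",
                              SECRET, (192, 0, 2, 10))

if __name__ == "__main__":
    for name, value in on_the_wire_view(PACKET).items():
        print(name, "=", value)
    auth, attrs = parse_packet(PACKET)
    print("server recovers:", unhide_password(attrs[USER_PASSWORD], SECRET, auth))
```

Only the User-Password value depends on the shared secret; every other attribute is sent as-is, which is why the protection of the path between NAS and server matters.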




Re: using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz
Many thanks Phil, all sorted.

Wrapping the sql:" statement with an update control fixed the Unknown Action 
error. Haven't checked that I'm returning the correct stuff yet, but I'm past 
this particular problem

Rgds
Alex

On 20 May 2013, at 17:16, Phil Mayers wrote:

> On 20/05/13 16:55, Alex Sharaz wrote:
> 
>> In this case I've got
>> 
>>   Tmp-String-0 := "%{sql:call 
>> get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"
>> 
>> get_vlan_id accepts two varchar arguments.
>> 
>> Which, when I run radiusd -X -d /etc/freeradius  gives me
>> 
>> /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL 
>> get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.
> 
> Which version of FreeRADIUS is this?
> 
> From the source, the error "Unknown action" suggests you've got a syntax 
> error. Remember you need to wrap this in an "update" block, like so:
> 
> authorize {
>  ...
>  update control {
>Tmp-String-0 := "%{sql:}"
>  }
>  if (control:Tmp-String-0 =~ /.../) {
>  }
>  ...
> }


Re: using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz

On 20 May 2013, at 17:16, Phil Mayers wrote:

> On 20/05/13 16:55, Alex Sharaz wrote:
> 
>> In this case I've got
>> 
>>   Tmp-String-0 := "%{sql:call 
>> get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"
>> 
>> get_vlan_id accepts two varchar arguments.
>> 
>> Which, when I run radiusd -X -d /etc/freeradius  gives me
>> 
>> /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL 
>> get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.
> 
> Which version of FreeRADIUS is this?
2.2.0 source
> 
> From the source, the error "Unknown action" suggests you've got a syntax 
> error. Remember you need to wrap this in an "update" block, like so:
> 
> authorize {
>  ...
>  update control {
>Tmp-String-0 := "%{sql:}"
>  }
>  if (control:Tmp-String-0 =~ /.../) {
>  }
>  ...
> }
Ah!
o.k. fair enough
Rgds
Alex



Virtual server setup

2013-05-20 Thread Vincent Rusilowicz
Hi, I am new to FreeRadius and am having some difficulty setting it up.

My goal is to have requests from separate IP addresses authenticate to separate 
user files.

I have read through documentation and see this is possible but I can not get it 
to work.  Can anyone provide a list of steps or example to guide me through 
this.  I seem to be getting stuck at configuring the virtual server.  Thanks in 
advance.

Vincent Rusilowicz


RE: Limit ADSL speed using radius?

2013-05-20 Thread Brent Wilkinson
The reply should be Mikrotik-Rate-Limit += 512k/1024k. See
http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client for all options and
double check spelling.

Thanks
Brent

> 
> Hi all,
> 
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working. I have been surfing
> the freeradius wiki for days now but no luck. I am using freeradius2-
> 2.1.12-3.el5.
> 
> Regards,


Re: Authenticate SSH users against Freeradius

2013-05-20 Thread Matt Zagrabelny
On Mon, May 20, 2013 at 12:58 PM, Roberto Carna wrote:
> Dear, I have:
>
> (A) One Freeradius server on Debian 6: freeradius installation and
> client.conf configuration
> (B) Another Debian 6 box with sshd: libpam-radius-auth installation
> (C) Several Windows and Linux ssh clients
>
> In (A) freeradius server, can I define the ssh users in client.conf file
> only ???

clients.conf is for the FR clients - not the users.

computer1 running FR
computer2 running sshd

computer2 is the client and belongs in the clients.conf file.

> In (B) debian sshd box server, do I have to install a radius client in
> addition to libpam-radius-auth package ??? And do I have to define any ssh
> user here ??

FR is doing whatever you want it to do in the PAM stack. We only have
it perform the authentication, but you could also have it perform
authorization, IIRC.

You will (also) need to set up local users or a central user
repository (LDAP, SQL, etc.) Check libnss-* packages for anything
other than /etc/passwd:

% apt-cache search libnss
libnss-gw-name - nss module that names the current gateway’s IP address
libnss-cache - NSS module for using nsscache-generated files
libnss-db - NSS module for using Berkeley Databases as a naming service
libnss-extrausers - nss module to have an additional passwd, shadow
and group file
libnss-ldap - NSS module for using LDAP as a naming service
libnss-lwres - NSS module for using bind9's lwres as a naming service
libnss-myhostname - nss module providing fallback resolution for the
current hostname
libnss-mysql-bg - NSS module for using MySQL as a naming service
libnss-pgsql2 - NSS module for using PostgreSQL as a naming service
libpam-ccreds - Pam module to cache authentication credentials
libpam-ldap - Pluggable Authentication Module for LDAP
libnss3 - Network Security Service libraries
libnss3-1d - Network Security Service libraries - transitional package
libnss3-dbg - Debugging symbols for the Network Security Service libraries
libnss3-dev - Development files for the Network Security Service libraries
libnss3-tools - Network Security Service tools
libnss-mdns - NSS module for Multicast DNS name resolution
libnss-ldapd - NSS module for using LDAP as a naming service
nslcd - Daemon for NSS and PAM lookups using LDAP
nss-passwords - read passwords from a Mozilla keyring
nss-updatedb - Cache name service directories in DB format
nsscache - asynchronously synchronise local NSS databases with remote
directory services
libpathfinder-dev - Development files for pathfinder
libpathfinder-nss-1 - Pathfinder integration Library for LibNSS
libnss-rainbow2 - nss library for rainbow
libnss-winbind - Samba nameservice integration plugins
winbind - Samba nameservice integration server
libnss-sss - Nss library for the System Security Services Daemon
libnss-sshsock2 - NSS module using an ssh socket connection

>
> Please, I need a good howto because I'm lost.

You will need to read a lot to get up to speed.

-mz


Re: using unlang to call a stored procedure

2013-05-20 Thread Phil Mayers

On 20/05/13 16:55, Alex Sharaz wrote:


> In this case I've got
>
>    Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"
>
> get_vlan_id accepts two varchar arguments.
>
> Which, when I run radiusd -X -d /etc/freeradius  gives me
>
> /etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.


Which version of FreeRADIUS is this?

From the source, the error "Unknown action" suggests you've got a 
syntax error. Remember you need to wrap this in an "update" block, like so:


authorize {
  ...
  update control {
    Tmp-String-0 := "%{sql:}"
  }
  if (control:Tmp-String-0 =~ /.../) {
  }
  ...
}


using unlang to call a stored procedure

2013-05-20 Thread Alex Sharaz
Hi,

I've written a mysql stored procedure that accepts 2 arguments, the nas-ip 
address of one  of our (HP) switches and the calling station Id of a network 
client ( it's a MAC auth so the User-Name=Calling-Station-Id below). The 
procedure then queries various back end database tables  to figure out which 
vlan to drop the client into based upon where it is on the network and the type 
of client it is.

Once I've got the vlan back I can decide whether to use RFC 3580 or RFC 4675 
when creating the attributes to pass back in the access-accept packet.

Only problem is figuring out how to format the unlang statement.

Elsewhere in my sites-enable/default file I've got

 if ( "%{sql:SELECT count(*) from banned_macs where mac_address=UPPER(TRIM('%{Calling-Station-Id}'))}" > "0" ) {
     update control {
         Auth-Type := Reject
     }
     update reply {
         Reply-Message := "quarantined, contact ITSO"
     }
 }

which works just fine and I can block specific mac addresses from connecting to 
our wired network.

In this case I've got 

  Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}"

get_vlan_id accepts two varchar arguments.

Which, when I run radiusd -X -d /etc/freeradius  gives me

/etc/freeradius/sites-enabled/default[248]: Unknown action '%{sql:CALL get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}'.

I found a message on the list that says ………. call a stored procedure by using   
 "%{}"

Well, from a mysql cli I'd type call get_vlan_id(…….)  to run the stored 
procedure.

Rgds
Alex



Re: Unlang clarification

2013-05-20 Thread Nick Lowe
*You can of course mandate something like the outer identity must
equal the inner identity, or require anonymous@..., which would make
the identity spoofing issue one of anonymisation alone.


Re: Unlang clarification

2013-05-20 Thread Nick Lowe
When you are using a traditional EAP type, the identity seen in the
EAPOL exchange is authoritative and can be trusted.
(Returning a User-Name AVP in an Access-Accept is unnecessary in this
case unless it needs to be normalised or customised, and is optional
as part of the RADIUS RFCs.)

When you are using a modern tunnelled, TLS protected EAP type, such as
PEAP or TTLS, the identity seen in EAPOL is not authoritative.
Returning a User-Name AVP in an Access-Accept is therefore
semantically mandatory if the NAS is to accurately know the identity
of a connected client. If this is not a concern, it need not return
this. Sadly many NASs do not use the User-Name AVP if it is returned.

Any decisions that a NAS takes directly based on an identity or an
administrator makes looking at the active or historical session
information that a NAS, or its associated management system, presents
is subject to identity spoofing attacks and its associated
implications. The scope of this depends on the use case, of course.

If you have to drop the User-Name attribute in the Access-Accept for a
NAS to work, it is a bug in the NAS. If the NAS does not use the
User-Name AVP, it is a deficiency of the NAS.

RFC 2865 states in Section 5.1:

[The User-Name AVP] MAY be sent in an Access-Accept packet, in which
case the client SHOULD use the name returned in the Access-Accept
packet in all Accounting-Request packets for this session.

RFC 3579 states in Section 3:

The User-Name attribute within the Access-Accept packet need not be
the same as the User-Name attribute in the Access-Request.

Nick

On Mon, May 20, 2013 at 3:46 PM,   wrote:
> The real username in an EAP conversation is inside the encrypted EAP packets, 
> i.e. inside an EAP-TLS tunnel. The one in plain-text is a throw-away one 
> (often just @realm or anonymous@realm).
>
> I can only surmise that the update reply in this case wants to ensure that no 
> User-Name attribute exists in the reply (which is fair enough, the reply 
> shouldn't need to ship a username around in plain-text).
>
> Stefan
>
>
> -Original Message-
> From: 
> freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
> [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
>  On Behalf Of David Peterson
> Sent: 20 May 2013 15:30
> To: FreeRadius users mailing list
> Subject: RE: Unlang clarification
>
> Hmmm...strange.  Actually that code was in the post-auth reject sections and 
> this is in the post-auth section:
>
> update reply {
>     User-Name !* 0x00 # removes the User-name from the Access-accept
> }
>
> Any thoughts as to why they would add these?
>
> David
>
> -Original Message-
> From:
> freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius
> freeradius-users-bounces+.org
> [mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera
> dius.org] On Behalf Of Arran Cudbard-Bell
> Sent: Monday, May 20, 2013 9:59 AM
> To: FreeRadius users mailing list
> Subject: Re: Unlang clarification
>
>
> On 20 May 2013, at 09:34, "David Peterson" 
> wrote:
>
>> I am fighting a buggy NAS and was told to add to the
>> /sites-enabled/default file in the post-auth section this code:
>>
>>   EAP-Message = "0x04040004"
>>  User-Name !* 0x00
>>  Message-Authenticator = "%{Message-Authenticator}"
>>
>> Can someone clarify what this would actually do to the EAP response?
>
> You mean:
>
> update reply {
> EAP-Message = "0x04040004"
> ...
> }
>
> You'd be forcing the server to send an EAP-Failure message, with a static and 
> probably incorrect ID. Removing any instances of User-Name from the reply, 
> and setting an invalid value for the message authenticator which would be 
> overwritten anyway.
>
> -Arran
>
> Arran Cudbard-Bell  FreeRADIUS Development Team
>

RE: Limit ADSL speed using radius?

2013-05-20 Thread Parham Beheshti
Tom,
When you receive radius packets, you can pretty much tell what it is from the 
headers themselves.
Usually there are some hints in the attribute or the way they format stuff.
Can you post one of the packets with all attributes NAS is sending you? Maybe I 
can guess what it is.
But for sure mikrotik attributes will not work.
450k user is nothing for freeradius ...
Regards,
Parham



RE: Unlang clarification

2013-05-20 Thread stefan.paetow
The real username in an EAP conversation is inside the encrypted EAP packets, 
i.e. inside an EAP-TLS tunnel. The one in plain-text is a throw-away one (often 
just @realm or anonymous@realm).

I can only surmise that the update reply in this case wants to ensure that no 
User-Name attribute exists in the reply (which is fair enough, the reply 
shouldn't need to ship a username around in plain-text).

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of David Peterson
Sent: 20 May 2013 15:30
To: FreeRadius users mailing list
Subject: RE: Unlang clarification

Hmmm...strange.  Actually that code was in the post-auth reject sections and 
this is in the post-auth section:

update reply {
    User-Name !* 0x00 # removes the User-name from the Access-accept
}

Any thoughts as to why they would add these?

David

-Original Message-
From:
freeradius-users-bounces+davidp=wirelessconnections.net@lists.freeradius
freeradius-users-bounces+.org
[mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera
dius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, May 20, 2013 9:59 AM
To: FreeRadius users mailing list
Subject: Re: Unlang clarification


On 20 May 2013, at 09:34, "David Peterson" 
wrote:

> I am fighting a buggy NAS and was told to add to the
> /sites-enabled/default file in the post-auth section this code:
>
>   EAP-Message = "0x04040004"
>  User-Name !* 0x00
>  Message-Authenticator = "%{Message-Authenticator}"
>
> Can someone clarify what this would actually do to the EAP response?

You mean:

update reply {
EAP-Message = "0x04040004"
...
}

You'd be forcing the server to send an EAP-Failure message, with a static and 
probably incorrect ID. Removing any instances of User-Name from the reply, and 
setting an invalid value for the message authenticator which would be 
overwritten anyway.

-Arran

Arran Cudbard-Bell  FreeRADIUS Development Team



RE: Unlang clarification

2013-05-20 Thread David Peterson
Hmmm...strange.  Actually that code was in the post-auth reject sections and
this is in the post-auth section:

update reply {
    User-Name !* 0x00 # removes the User-name from the Access-accept
}

Any thoughts as to why they would add these?

David

-Original Message-
From:
freeradius-users-bounces+davidp=wirelessconnections@lists.freeradius.org
[mailto:freeradius-users-bounces+davidp=wirelessconnections.net@lists.freera
dius.org] On Behalf Of Arran Cudbard-Bell
Sent: Monday, May 20, 2013 9:59 AM
To: FreeRadius users mailing list
Subject: Re: Unlang clarification


On 20 May 2013, at 09:34, "David Peterson" 
wrote:

> I am fighting a buggy NAS and was told to add to the
> /sites-enabled/default file in the post-auth section this code:
>
>   EAP-Message = "0x04040004"
>  User-Name !* 0x00
>  Message-Authenticator = "%{Message-Authenticator}"
>
> Can someone clarify what this would actually do to the EAP response?

You mean:

update reply {
EAP-Message = "0x04040004"
...
}

You'd be forcing the server to send an EAP-Failure message, with a static
and probably incorrect ID. Removing any instances of User-Name from the
reply, and setting an invalid value for the message authenticator which
would be overwritten anyway.

-Arran

Arran Cudbard-Bell  FreeRADIUS Development Team



Re: Unlang clarification

2013-05-20 Thread Arran Cudbard-Bell

On 20 May 2013, at 09:34, "David Peterson"  
wrote:

> I am fighting a buggy NAS and was told to add to the /sites-enabled/default 
> file in the post-auth section this code:
>  
>   EAP-Message = "0x04040004"
>  User-Name !* 0x00
>  Message-Authenticator = "%{Message-Authenticator}"
>  
> Can someone clarify what this would actually do to the EAP response?

You mean:

update reply {
EAP-Message = "0x04040004"
...
}

You'd be forcing the server to send an EAP-Failure message, with a static and 
probably incorrect ID. Removing any instances of User-Name from the reply, and 
setting an invalid value for the message authenticator which would be 
overwritten anyway.

-Arran

Arran Cudbard-Bell 
FreeRADIUS Development Team
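
The reply above, decoded byte by byte, as an added example (not code from this thread; the helper names and the sample identity are constructed for illustration). It parses the EAP header in 0x04040004 and checks it against the supplicant's last EAP-Response, using the RFC 3748 section 4.2 rule that a Success or Failure must carry the Identifier of the Response it answers.

```python
import struct

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
# EAP result that agrees with each RADIUS reply type.
EXPECTED_RESULT = {"Access-Accept": "Success", "Access-Reject": "Failure"}


def parse_eap_header(value):
    """Decode the 4-byte EAP header (Code, Identifier, Length) from a hex string."""
    text = value[2:] if value.lower().startswith("0x") else value
    raw = bytes.fromhex(text)
    if len(raw) < 4:
        raise ValueError("EAP packet is shorter than its 4-byte header")
    code, identifier, length = struct.unpack("!BBH", raw[:4])
    if length < 4 or length > len(raw):
        raise ValueError("EAP length field %d does not fit %d bytes" % (length, len(raw)))
    return {"code": code, "name": EAP_CODES.get(code, "Unknown"),
            "id": identifier, "length": length}


def build_identity_response(identifier, identity):
    """Build an EAP-Response/Identity (Type 1), as a supplicant would send it."""
    body = b"\x01" + identity.encode("ascii")
    packet = struct.pack("!BBH", 2, identifier, 4 + len(body)) + body
    return "0x" + packet.hex()


def review_forced_reply(forced_hex, last_response_hex, radius_reply):
    """List the problems with sending forced_hex in reply to last_response_hex."""
    forced = parse_eap_header(forced_hex)
    last = parse_eap_header(last_response_hex)
    findings = []
    if last["name"] != "Response":
        findings.append("not-a-response: last packet from the supplicant is %s" % last["name"])
    if forced["name"] in ("Success", "Failure"):
        # A hard-coded Identifier only matches when the exchange happens to
        # end on that exact number.
        if forced["id"] != last["id"]:
            findings.append("id-mismatch: reply carries Identifier %d, supplicant sent %d"
                            % (forced["id"], last["id"]))
        if forced["length"] != 4:
            findings.append("bad-length: Success/Failure is exactly 4 bytes")
    expected = EXPECTED_RESULT.get(radius_reply)
    if expected and forced["name"] != expected:
        findings.append("result-conflict: EAP-%s inside %s" % (forced["name"], radius_reply))
    return findings


if __name__ == "__main__":
    print(parse_eap_header("0x04040004"))
    # Constructed sample: the supplicant's last packet used Identifier 7.
    last = build_identity_response(7, "anonymous@example.org")
    for reply_type in ("Access-Reject", "Access-Accept"):
        print(reply_type, review_forced_reply("0x04040004", last, reply_type))
```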



Unlang clarification

2013-05-20 Thread David Peterson
I am fighting a buggy NAS and was told to add to the /sites-enabled/default
file in the post-auth section this code:

  EAP-Message = "0x04040004"
  User-Name !* 0x00
  Message-Authenticator = "%{Message-Authenticator}"

Can someone clarify what this would actually do to the EAP response?

David


RE: Limit ADSL speed using radius?

2013-05-20 Thread stefan.paetow
Hi Tom,

Would it be useful to ask Telkom SA and Broadband Infraco for the models of the 
NASes they use and possibly their dictionaries? Although from what I understand 
from a GLUG post, that information is... well... difficult to get hold of (even 
when you're a big fish like Internet Solutions), so you may have some fun ahead 
at FR. I did see that Telkom intends to deploy (or has already deployed) Huawei 
equipment for UWB, so you might want to start with Huawei and the big names for 
NAS devices (Cisco for starters).

Regards

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Cooper, Tom
Sent: 20 May 2013 13:07
To: freeradius-users@lists.freeradius.org
Subject: Re: Limit ADSL speed using radius?

We are in South Africa and using the local telco company's NAS'es. They have a 
mixture of them. Problem is that we have in excess of 450 000 users.



On 20/05/2013 13:57, Jonathan Bastin wrote:
> What routers are you using for this.
>
> Regards,
>
>
> Jonathan Bastin
>
>
> - Reply message -
> From: "Cooper, Tom" 
> To: "freeradius-users@lists.freeradius.org"
> 
> Subject: Limit ADSL speed using radius?
> Date: Mon, May 20, 2013 12:50
>
>
>
> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working. I have been surfing
> the freeradius wiki for days now but no luck. I am using
> freeradius2-2.1.12-3.el5.
>
> Regards,
> --
> This email (including any attachments) is intended only for the
> recipient(s) named above. It may contain confidential or privileged
> information and should not be read, copied or otherwise used by any
> other person. If you are not the named recipient please contact the
> sender and delete the email from your system. The author's incumbent
> expressions, views and thoughts are their own and not necessarily
> representative of those of the Peer Point Internet Ltd or associated
> companies.

-- 
This e-mail and any attachments may contain confidential, copyright and or 
privileged material, and are for the use of the intended addressee only. If you 
are not the intended addressee or an authorised recipient of the addressee 
please notify us of receipt by returning the e-mail and do not use, copy, 
retain, distribute or disclose the information in or attached to the e-mail.
Any opinions expressed within this e-mail are those of the individual and not 
necessarily of Diamond Light Source Ltd. 
Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments 
are free from viruses and we cannot accept liability for any damage which you 
may sustain as a result of software viruses which may be transmitted in or with 
the message.
Diamond Light Source Limited (company no. 4375679). Registered in England and 
Wales with its registered office at Diamond House, Harwell Science and 
Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
 





Re: Help with chap

2013-05-20 Thread Alan DeKok
Franks Andy (RLZ) IT Systems Engineer wrote:
> Thanks Alan,
>   It takes literally a second or so for a single client auth, but
> problems arise with multiple clients. I'll reset a card on the switch
> and capture the logs and see what's happening. Nothing as far as I
> remember pointed towards the ntlm_auth being the issue, it was the
> failure to complete the eap transaction that seemed to be the problem,
> but then I didn't scan each and every line to be honest.

  See http://deployingradius.com/

  It has instructions for testing PEAP via eapol_test.  That lets you do
some limited performance checks.

  An alternative is to configure a static user/password.  Do performance
checks using that user.  If it's a lot faster than ntlm_auth, then the
problem is likely ntlm_auth.

  Alan DeKok.


Re: Limit ADSL speed using radius?

2013-05-20 Thread Kieran Murphy
Hi Tom,

You need to contact Telkom and ask them for their dictionaries.
They have some rather "unique" attributes.
On 20 May 2013 15:26, "Cooper, Tom"  wrote:

> We are in South Africa and using the local telco company's NAS'es. They
> have a mixture of them. Problem is that we have in excess of 450 000 users.
>
>
>
> On 20/05/2013 13:57, Jonathan Bastin wrote:
> > What routers are you using for this.
> >
> > Regards,
> >
> >
> > Jonathan Bastin
> >
> >
> > - Reply message -
> > From: "Cooper, Tom" 
> > To: "freeradius-users@lists.freeradius.org"
> > 
> > Subject: Limit ADSL speed using radius?
> > Date: Mon, May 20, 2013 12:50
> >
> >
> >
> > Hi all,
> >
> > How can one limit the ADSL speed on a per customer basis using
> > freeradius? I have been trying a
> > radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> > recommend, but it does not look like it is working. I have been surfing
> > the freeradius wiki for days now but no luck. I am using
> > freeradius2-2.1.12-3.el5.
> >
> > Regards,

Re: reference to check items using unlang

2013-05-20 Thread Alan DeKok
Nasser Heidari wrote:
> I've already tried and it doesn't work.

  That's a fairly useless response.

> for example I want to check for
> existence of a custom check-item in user profiles with unlang, I try this:
> 
> If(control:custom_check_item) {
> ...
> }
> 
> This always returns true in my case, doesn't matter if a user has
> custom_check_item in his profile or not.

  That's not how unlang works.  If an attribute doesn't exist, then
checking for it returns "false".

  And you're trying to look for *SQL* profiles via the above check?
That will work only if the SQL module was configured, was used, and then
returned the profile.

  You need to run the server in debugging mode in order to see what's
happening.  We tell people this in the FAQ, README, "man" page, web
pages, and daily on this list.

  There is *no* excuse for failing to look at the debug output.

  Alan DeKok.


Re: Limit ADSL speed using radius?

2013-05-20 Thread Richard Siddall

Cooper, Tom wrote:
> We are in South Africa and using the local telco company's NAS'es. They
> have a mixture of them. Problem is that we have in excess of 450 000 users.



Does the telco filter attributes you're sending back?  Some wholesalers 
protect their networks by limiting the attributes they'll accept.


Richard.




Re: Limit ADSL speed using radius?

2013-05-20 Thread Alan DeKok
Cooper, Tom wrote:
> We are in South Africa and using the local telco company's NAS'es. They 
> have a mixture of them.

  The rate-limiting attributes are vendor-specific.  And some vendors
have *no* rate-limiting attributes.

> Problem is that we have in excess of 450 000 users.

  That makes it more difficult.  But the real problem is you don't know
what attributes to use.

  Once you know that, using the attributes for 450K users is easy.

  Alan DeKok.
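
Added example, not from the thread: how a reply item like the one Tom is sending travels as a RADIUS Vendor-Specific attribute (type 26), and why a NAS from another vendor has nothing to act on. The vendor numbers are those in the FreeRADIUS dictionary files; the `understood_by` NAS model, the function names and the sample reply are assumptions made for illustration.

```python
import struct

VENDOR_SPECIFIC = 26       # RADIUS attribute type for VSAs (RFC 2865, section 5.26)
MIKROTIK = 14988           # vendor ID in FreeRADIUS dictionary.mikrotik
CISCO = 9                  # vendor ID in FreeRADIUS dictionary.cisco
MIKROTIK_RATE_LIMIT = 8    # Mikrotik-Rate-Limit (string) in dictionary.mikrotik


def encode_vsa(vendor_id, vendor_type, value):
    """Build one Vendor-Specific attribute holding a single sub-attribute."""
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + sub
    if 2 + len(body) > 255:
        raise ValueError("attribute exceeds the 255-byte RADIUS limit")
    return struct.pack("!BB", VENDOR_SPECIFIC, 2 + len(body)) + body


def split_tlvs(buf):
    """Split a run of type/length/value triples; length counts the 2 header bytes."""
    items, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 2:
            raise ValueError("truncated attribute header")
        kind, length = buf[pos], buf[pos + 1]
        if length < 2 or pos + length > len(buf):
            raise ValueError("bad attribute length")
        items.append((kind, buf[pos + 2:pos + length]))
        pos += length
    return items


def vsas_in_reply(attrs):
    """Return (vendor_id, vendor_type, value) for every VSA in the attribute bytes."""
    found = []
    for kind, value in split_tlvs(attrs):
        if kind != VENDOR_SPECIFIC:
            continue  # standard attributes are not vendor-scoped
        if len(value) < 4:
            raise ValueError("VSA shorter than its vendor ID")
        vendor_id = struct.unpack("!I", value[:4])[0]
        for vendor_type, data in split_tlvs(value[4:]):
            found.append((vendor_id, vendor_type, data))
    return found


def understood_by(attrs, nas_vendor_id):
    """Assumed NAS model: VSAs carrying any other vendor ID are silently ignored."""
    return [(t, v) for vid, t, v in vsas_in_reply(attrs) if vid == nas_vendor_id]


# Constructed Access-Accept attributes: Session-Timeout = 3600 plus the rate limit
# value from the thread, encoded under the Mikrotik vendor ID.
SESSION_TIMEOUT = struct.pack("!BBI", 27, 6, 3600)
REPLY = SESSION_TIMEOUT + encode_vsa(MIKROTIK, MIKROTIK_RATE_LIMIT, b"512k/1024k")

if __name__ == "__main__":
    print(REPLY.hex())
    print("Mikrotik NAS sees:", understood_by(REPLY, MIKROTIK))
    print("Cisco NAS sees:   ", understood_by(REPLY, CISCO))
```

With a mixed NAS estate, the same check against each vendor ID shows which devices would receive a rate-limit attribute they can interpret.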


RE: reference to check items using unlang

2013-05-20 Thread Nasser Heidari
I've already tried and it doesn't work. For example, I want to check for
existence of a custom check-item in user profiles with unlang, I try this:

If(control:custom_check_item) {
...
}

This always returns true in my case, doesn't matter if a user has
custom_check_item in his profile or not.

-Original Message-
From: freeradius-users-bounces+nasser=rasana@lists.freeradius.org
[mailto:freeradius-users-bounces+nasser=rasana@lists.freeradius.org] On
Behalf Of Arran Cudbard-Bell
Sent: Monday, May 20, 2013 4:02 PM
To: FreeRadius users mailing list
Subject: Re: reference to check items using unlang


On 20 May 2013, at 03:03, Nasser Heidari  wrote:

> Hi All,
> 
> How can I reference to check items using unlang? When I use perl
> script, simply reference it by $RAD_CHECK. For example I want to
> check if there is a check item in sql user profile, then do some
> actions using unlang and if not then ignore it.
> By the way I know that I can do that by querying sql in unlang but I
> am wondering if there is a better way for doing that.
> 

control:

Arran Cudbard-Bell  FreeRADIUS Development Team



Re: Limit ADSL speed using radius?

2013-05-20 Thread Jonathan Bastin
Issue is each NAS vendor needs different commands.

Cisco is av-pair rate limit
You already have Mikrotik, so you need to know what you are dealing with.

Regards,


Jonathan Bastin


- Reply message -
From: "Cooper, Tom" 
To: "freeradius-users@lists.freeradius.org" 

Subject: Limit ADSL speed using radius?
Date: Mon, May 20, 2013 13:24



We are in South Africa and using the local telco company's NAS'es. They
have a mixture of them. Problem is that we have in excess of 450 000 users.



On 20/05/2013 13:57, Jonathan Bastin wrote:
> What routers are you using for this.
>
> Regards,
>
>
> Jonathan Bastin
>
>
> - Reply message -
> From: "Cooper, Tom" 
> To: "freeradius-users@lists.freeradius.org"
> 
> Subject: Limit ADSL speed using radius?
> Date: Mon, May 20, 2013 12:50
>
>
>
> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working. I have been surfing
> the freeradius wiki for days now but no luck. I am using
> freeradius2-2.1.12-3.el5.
>
> Regards,

Re: Limit ADSL speed using radius?

2013-05-20 Thread Cooper, Tom
We are in South Africa and using the local telco company's NAS'es. They 
have a mixture of them. Problem is that we have in excess of 450 000 users.



On 20/05/2013 13:57, Jonathan Bastin wrote:
> What routers are you using for this.
>
> Regards,
>
>
> Jonathan Bastin
>
>
> - Reply message -
> From: "Cooper, Tom" 
> To: "freeradius-users@lists.freeradius.org"
> 
> Subject: Limit ADSL speed using radius?
> Date: Mon, May 20, 2013 12:50
>
>
>
> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working. I have been surfing
> the freeradius wiki for days now but no luck. I am using
> freeradius2-2.1.12-3.el5.
>
> Regards,


Re: Limit ADSL speed using radius?

2013-05-20 Thread Phil Mayers

On 20/05/13 12:47, Cooper, Tom wrote:

> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius? I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
> recommend, but it does not look like it is working.


Ok, and what does that mean. "It is not working" is too vague.

Have you run under debug mode ("radiusd -X") and checked that the 
attribute is being returned? If not, have you read the debug to see why?



Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote:

> Ahhh.
>
> According to this conversation:


That's a really old conversation. See instead the link I posted in my 
other email.




Re: Limit ADSL speed using radius?

2013-05-20 Thread Fajar A. Nugraha
On Mon, May 20, 2013 at 6:47 PM, Cooper, Tom  wrote:
> Hi all,
>
> How can one limit the ADSL speed on a per customer basis using
> freeradius?

Look at your NAS (i.e. BRAS hardware, rp-pppoe, whatever)
documentation (or ask the vendor) to see what attributes it recognizes
to limit speed.

> I have been trying a
> radiusReplyItem: Microtik-Rate-Limit += 512k/1024k,

That probably works for mikrotik NAS only. Are you using mikrotik?

-- 
Fajar


Re: Limit ADSL speed using radius?

2013-05-20 Thread Jonathan Bastin
What routers are you using for this?

Regards,


Jonathan Bastin


- Reply message -
From: "Cooper, Tom" 
To: "freeradius-users@lists.freeradius.org" 

Subject: Limit ADSL speed using radius?
Date: Mon, May 20, 2013 12:50



Hi all,

How can one limit the ADSL speed on a per customer basis using
freeradius? I have been trying a
radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people
recommend, but it does not look like it is working. I have been surfing
the freeradius wiki for days now but no luck. I am using
freeradius2-2.1.12-3.el5.

Regards,

Limit ADSL speed using radius?

2013-05-20 Thread Cooper, Tom
Hi all,

How can one limit the ADSL speed on a per customer basis using 
freeradius? I have been trying a
radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people 
recommend, but it does not look like it is working. I have been surfing 
the freeradius wiki for days now but no luck. I am using
freeradius2-2.1.12-3.el5.

Regards,


Re: reference to check items using unlang

2013-05-20 Thread Arran Cudbard-Bell

On 20 May 2013, at 03:03, Nasser Heidari  wrote:

> Hi All, 
> 
> How can I reference to check items using unlang? When I use perl script,
> simply reference it by $RAD_CHECK. For example I want to check if there is a
> check item in sql user profile, then do some actions using unlang and if
> not then ignore it.
> By the way I know that I can do that by querying sql in unlang but I
> am wondering if there is a better way for doing that.
> 

control:

Arran Cudbard-Bell 
FreeRADIUS Development Team



RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
Ahhh. 

According to this conversation: 
http://freeradius.1045715.n5.nabble.com/PEAP-EAP-TLS-with-client-and-server-certificate-td2760634.html
 - FR does support PEAP-EAP-TLS :-)

Stefan


-Original Message-
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Phil Mayers
Sent: 20 May 2013 10:49
To: freeradius-users@lists.freeradius.org
Subject: Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:
> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you 
> can configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if you can 
do PEAP with EAP-TLS as an inner.

The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there are 
any caveats.


Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 09:02, Robert wrote:

> Hi
>
> I use freeradius v2.1.10 in Debian Squeeze 6.0.1.
>
> I want to know if freeradius supports the following methods :


See here:

http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/


Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers

On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote:

> It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf – you can
> configure all supported options in there.

Not sure you've understood what he's asking there; he wants to know if 
you can do PEAP with EAP-TLS as an inner.


The main advantage to this is anonymous outer ID.

I *think* FR supports this, but I can't remember the details or if there 
are any caveats.



RE: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread stefan.paetow
It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf - you can 
configure all supported options in there.

Regards

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of Robert
Sent: 20 May 2013 09:03
To: freeradius-users@lists.freeradius.org
Subject: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods:

- EAP PEAP/TLS
- EAP PEAP/EAP-TLS
?

The client I use is wpa_supplicant v0.6.9.

Regards,
Robert




Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Robert
Hi

I use freeradius v2.1.10 in Debian Squeeze 6.0.1.

I want to know if freeradius supports the following methods:

- EAP PEAP/TLS
- EAP PEAP/EAP-TLS

?

The client I use is wpa_supplicant v0.6.9.

Regards,

Robert


reference to check items using unlang

2013-05-20 Thread Nasser Heidari
Hi All, 

How can I reference to check items using unlang? When I use perl script,
simply reference it by $RAD_CHECK. For example I want to check if there is a
check item in sql user profile, then do some actions using unlang and if
not then ignore it.
By the way I know that I can do that by querying sql in unlang but I
am wondering if there is a better way for doing that.


Could you please help me?

Regards,
Nasser 
