So for Session-Type and for Post-Auth-Type, they should all go into
acct_users as well?
What is Session-Type? Do you mean Service-Type?
No, things relevant to authenticating and authorizing users go into users
file. Users file will be used when processing Access-Request packets.
Things relevant
Thanks for the response. My original email was very lengthy, but at the bottom
you can see a wireshark capture showing the packet arrival. (My understanding
is wireshark is a pretty GUI based on tcpdump)
Yes, it arrived but can't get through the firewall. You say you are
using default
Something may be wacky with the network configuration on the 10.10.10.10
machine. The packet capture shows that the NAS-IP-Address attribute is set
to 127.0.0.2 but it should be 10.10.10.10.
I second that. Who knows what's going on with .11 as well.
Since 127.0.0.2 is not in
clients.conf, the
I am using a passwd module to authorize users.
No, you are using passwd module to store passwords.
First passwd module
checks
It doesn't check anything - it returns the password stored for that user.
cisco_users file (format = *User-Name:Cleartext-Password) and
then passwd module must check
Condition:
1. I have a local realm (suffix), xyz.com. I'm using freeradius 2.1.3+mysql.
2. My own user's username in mysql radcheck table is stored in usern...@xyz.com
format
3. A person wants me to proxy his prefix ABC/his-customer-usern...@myrealm to
his radius server, i.e:
Ok! Then I have a question about moving Accounting packets through
my network:
When I log in to cisco on log server (radius server) I receive a:
tcpdump port 1813
15:48:00.281073 IP 192.168.255.10.radacct carlogg.radacct: RADIUS,
Accounting Request (4), id: 0x67 length: 93
15:48:00.281727 IP
Regarding realms handled in the local server (mysql) and accounting...
I have defined realms in the users file such as:
DEFAULT Realm == example.com, Autz-Type := SQL_EXAMPLE
and in radiusd.conf I add in authorize { }
Autz-Type SQL_EXAMPLE {
Now I present fully situation on a trouble process
I don't see a problem.
1) User connect to the cisco
1.1) radiusd -X
Authentication works, accounting Start works.
2.) User run some command
2.1) radiusd -X
(nothing)
Of course. Radius doesn't do command accounting. That's TACACS.
3)
but cisco log about accounting every time sends a message like this
Mar 6 08:57:48 192.168.255.10 210: 000207: Mar 6 08:57:48 MSK:
%RADIUS-3-NOACCOUNTINGRESPONS
Stop for session 0074 failed to receive Accounting Response.
You are wondering about accounting on your radius server -
Now, this is still not working:
having it as User-Name := '%{reply:User-Name}' still gives me an
Access-Accept with text instead of variable value.
Also, using double quotes yields the exact same result.
Sending Access-Accept of id 127 to xx.xx.xx.xx port 32785
User-Name =
Is there any way to do what I want without upgrading?
You can try users file:
DEFAULT Ldap-Group == staff
some reply
DEFAULT Ldap-Group == student
some other reply
DEFAULT Auth-Type := Reject
That should be at the end of the users file (ie. anything
++[detail] returns ok
rlm_counter: We only run on Accounting-Stop packets.
++[daily] returns noop
++[unix] returns fail
Finished request 5.
unix module is failing. If you are not using it comment it out from the
accounting section.
Ivan Kalik
Kalik Informatika ISP
OK, I comment all unix section in site-enable/default, but result is the
same!
In the picture below I turned on debug on cisco about accounting, therefore
cisco works correctly, but radius server does not receive Accounting-Request? Why?
001534: Mar 6 22:38:57: tty2 AAA/AUTHOR/EXEC (3942780195):
If you mean when I type a some command on cisco shell, in the cisco
console already I show you (much more), else you mean a radius server
then I must disappoint you there is a silent, nothing to do!
If you consider for important all debug information on radius when user
login-run some
I tried to get coopa chilli running, but I have problems with radius and
mysql. Radius works with users from files, but not with mysql. I can
only see on startup some mysql messages (connect) but no queries at all.
..
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql
(rlm_sql)
3. Send all of the debug output from the radius server. The useful
information is missing from this section of the debug output:
Wed Mar 4 20:00:03 2009 : Debug: ++[unix] returns notfound
Wed Mar 4 20:00:03 2009 : Debug: modsingle[authorize]: calling sql
(rlm_sql) for request 1
Wed Mar 4
Thanks Phil,
I have tried that but regrettably it does not work.
According to my logs eap returns updated every round when doing authorize.
(During the authenticate stage eap returns handled except the last round
where it returns ok)
The comment preceding eap in the default config says:
#
I have tested updated = return and it behaves as expected.
That is authorize always returns without reading the database so the
attributes are never set.
Remember that eap returns updated every round including the last one where
the database should be consulted.
I need a test that returns true
I am running FreeRADIUS 2.1.3 on a machine that is also a NIS client.
Using radtest, I find that local user accounts are accepted, but NIS
accounts are rejected.
Well, yes. How is freeradius supposed to talk to NIS? Perhaps PAM? Or is
there some ntlm_auth type script?
I have not changed anything
Any hint please?! Can I modify the value of reply attributes?
Are you using server version that is years out of date? This works in
current version.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've been trying unsuccessfully to get this setup to work, but unfortunately
haven't been able so far.
My need is to return the contents of three LDAP fields as replies on the
Access-Accept package.
The setup is for EAP/TTLS, mostly following eduRoam's setup guide (EduROAM
Cookbook -- DJ
There's cisco debug:
And this is freeradius list. Feel free to send this to your friendly
Cisco support people.
Ivan Kalik
Kalik Informatika ISP
Hmm, that gives me a policy problem, my company *does not* use Linux.
And they are in Internet business? Not for long.
Are there any Windows ports out there?
freeradius.net (this is support for versions from freeradius.org). Not a
real port but it works. It has support for mysql, but not for
Oh, this is Windows. Uninstall the whole thing. You can download that
version in default configuration from freeradius.net. Do fresh install.
Just edit clients.conf and users file.
Windows version supports mysql but not much more. You are far better off
with current (Linux) version.
Ivan Kalik
This kind of handling of rejected users should be handled by your NAS.
Radius server is supposed to reject users with bad passwords. You can
make policy on your NAS to place them in a restricted VLAN instead of
dropping the connection.
Ivan Kalik
Kalik Informatika ISP
On 4/3/2009, Jack D.
Is there room for a newbie question here? This is my first Radius server.
I get the message No known good password when trying to authenticate users
The users are coming from one of two possible VPN tunnels. I assume
clients.conf is correctly configured.
Any help is highly appreciated.
Best
The version is 1.1.7-r0.0.2.
I assume -X means debug mode (I really *am* a newbie)
Being a newbie, what prompted you to remove files from authorize? You are
storing the password in users file, yet you have removed files from the
configuration???
I'll try Cleartext-Password instead of
Ooops, I took over for a 3. party consultant who gave up.
Luckily, I still have the original clients.conf. I'll try that one.
It's in radiusd.conf in 1.1.7.
Ivan Kalik
Kalik Informatika ISP
I've got a problem with my eap-tls configuration : the server is accepting
the device ( rad_check_password: Auth-Type = Accept, accepting the user),
but it doesn't connect to the access-point (HP Procurve).
You broke EAP trying to force Auth-Type Accept.
Ivan Kalik
Kalik Informatika ISP
-
Thanks for your response, what should I set as Auth-Type, as 'Auth-Type :=
eap' is not recommended (cf. comment in eap.conf) ?
You don't set anything. Server will set what it needs. It just works.
Ivan Kalik
Kalik Informatika ISP
We got 2 problems when setting up a virtual server (testing.mydomain) to
handle requests for realm @testing.mydomain:
1. we defined a new ldap server in modules/ldap and want to use it for
authorization/authentication of realm @testing.mydomain, but have no
idea how to use it since the ldap
I am working with FR some years ago, and I have implemented a prepaid card
system. I want to get an account which are not valid until some date. I am
looking for some freeradius attribute which means 'account invalid until 15th
march 2009'.
No ready-made attribute. You can define your
I am running a Freeradius server which queries a MySQL database (Vexim)
for authentication of dial-up users. I would like to create two classes
of dial-up users, Internet users and email-only users. The Internet
users have full Internet access while the email-only users can only
access SMTP, POP
I take it that means EAP-PEAP (as well as EAP-TTLS) provides
protected tunnel already, and as such when used in PEAP-GTC, it may be
used to provide support for cleartext password. Is my interpretation
correct?
Yes. But you (ie. server) don't have a password (clear or encrypted) for
matching.
So in short if I want to do bind as user in PEAP-GTC, I can't
combine it with other authentication methods (like pam)? Too bad.
Why is it too bad? Just don't use bind as user. You should avoid
using methods where Auth-Type is forced. They are very difficult to
combine with other methods.
Ivan
So I think what will happen is this:
- username/tokencode-password is passed from the Cisco ASA device
- this data is passed in cleartext to the script
- script splits the username/tokencode and username/password
- script proxies the u/tc via RADIUS to SecurID
- script uses PAP to pass
Executing this script during last 24h (with nohup), from the radius machine, I
got always latencies below 1 second
Below 1 second or below 1/100th of a second? Near 1 second for such a
simple query is *very* slow. Have in mind that insert into radacct is
going to take some 100 times
I have this entry in my users file
DEFAULT Called-Station-Id =~ .*MMP
Auth-Type := Reject
Should be:
DEFAULT Called-Station-Id =~ .*MMP, Auth-Type := Reject
Ivan Kalik
Kalik Informatika ISP
The LDAP server I'm authenticating against is Lotus Domino, which
stores user password in a Lotus-specific encryption. The only way to
use freeradius to authenticate against it is with bind as user.
Talk about painting yourself into a corner.
The thing that I don't get yet is why on normal
I finally figured out how to compile the module. It's actually quite
simple once you figure out the new structure. The problem I still
have is how to incorporate that into the new conf file. There used to
be authorize and accounting sections that listed the modules. I can't
find where that has
Great! It works perfectly.
Other than enabling ldap in authorize and authenticate in
inner-tunnel, I also had to change eap.conf's gtc section to auth_type
= LDAP.
This works, but it brings up another problem. Setting auth_type to
PAP, Local, or commented out on gtc section does not work for
I have MySQL 5.0.67 and PostgreSQL 8.3.6 and freeRADIUS 2.17 installed on
GNU/Linux Fedora 10 distribution. I have identical radius databases on both
MySQL and PostgreSQL. When I use the PostgreSQL, the groupname field in the
radacct table gets filled in but when I change the database to MySQL,
Can you show some examples please? I try to do like this:
noresetBytecounter
if (reject) {
update reply {
Reply-Message := Traffic limit exceeded.
}
}
but if noresetBytecounter returns reject freeradius immediately returns
reject
to user and do not
Thanks for your reply. I have got some questions to ask. We have different
types of clients (Or, connections) in our system; Dial-Up, ADSL, VoIP, CHAP,
MS-CHAP, MS-CHAPv2 and ... . Each of these clients need different
authorization method. Now, where should our authorization code reside? Shall
we
Thanks for your reply. Sorry if my question is elementary, but this is the
last one. What is the difference between creating a customized module to do
Authorization/Post-Authentication and using external programs as instances
of rlm_exec module to the so-called functionalities?
Module is much
Sorry, I read mans and comments in config and tried to do like you say but
it's not working as I need. I have sqlcounter:
sqlcounter noresetBytecounter {
counter-name = Total-Max-Octets
check-name = Max-Octets
reply-name = ChilliSpot-Max-Total-Octets
sqlmod-inst =
is it possible to call only a simple Stored Procedure (SP) on the
MySQL-Server to
do the Accounting Job, like the sql-log module (rlm_sql_log(5)), but
do not log in file,
instead of this, call the SP:
I can't find more Information for such configuration.
unlang supports only SELECT statements.
I can do like this:
if (!reply:ChilliSpot-Max-Total-Octets) {
update reply {
Reply-Message := Traffic limit exceeded.
}
}
but if user enter wrong password Traffic limit exceeded. error message
will be displayed.
I had a look at the
Thank you. I see this solution in the internet, but i need configurable
Reply-Message, because I want to limit not only traffic, but session time
too.
Actually, I can recall that sqlcounter had configurable Reply-Message in
early days (I had 1.0.5 where it was configurable). Download 1.0.5 and
1) can I access all accounting related information from the perl
module like in the sql-module?
You said that you want to call a stored procedure. Yes, your database
does have access to all the information stored in it.
Are any examples out there?
$query = CALL your_procedure;
If you need
rad_recv: Access-Request packet from host 127.0.0.1:54057, id=172, length=59
User-Name = monitor
User-Password =
NAS-IP-Address = 255.255.255.255
NAS-Port = 1812
Processing the authorize section of radiusd.conf
modcall: entering group authorize for
Tnx for the quick answer. In the meantime I figured out my problem.
In 'users' file I commented out:
-
# First setup all accounts to be checked against the UNIX /etc/passwd.
# (Unless a password was already given earlier in this file).
#
#DEFAULT Auth-Type = System
# Fall-Through
I have a wired 802.1x auth setup on cisco gear. I would like to
record the IP address of machines that connect and are authorized. Is
this possible?
I currently see NAS-IP-Address and Client-IP-Address as the IP of the
switch. The Calling-Station-Id is the correct mac address of the
authorized
I am facing strange issue while running radtest from remote IP and
radiusd running on other IP but on the same network.
My Radius server is not listening to any other client except localhost.
I've added all clients entries in clients.conf file.
What could be the issue?
clients.conf file doesn't
I installed freeradius and have noticed that all while other fields are
filled in on the radacct table some are not. Of particular importance to me
is the groupname field. I need this field because I need to know which group
the customer is from so that I charge them accordingly. A person may
I configured my freeradius 1.1.7 + oracle + cisco 3750 switch to do 802.1x
authentication for wired client. I configured it with EAP/MD5 method and it
works well. Now I want to use peap/mschap-v2 method,but I didn't configure
LDAP in radiusd.conf,and when the server start it report some
I went through a document in the Internet that says EAP does not support
MD5 hashes, only EAP-GTC and PAP does.
Can someone suggest a solution for getting users authenticated through
AP with their passwords stored in MD5??
You can't use PEAP. Install SecureW2 on all the clients and use EAP
but using LDAP user with auth_type = PAP in gtc section does not work
#==
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/gtc
[eap] processing type gtc
[gtc] +- entering group PAP {...}
I have accounting turned on, but I don't see the authed machines IP on
that of the NAS.
Post the debug of accounting packet. Start might not but stop should have
it.
Ivan Kalik
Kalik Informatika ISP
Here's a complete debug log from radius startup tested with wifi client,
same user and password, same config files. Somehow in this config LDAP
never got to bind as my user.
http://pastebin.com/f37aaf2b2
Ah, bind as user works only for pap requests not eap. This is
documented in ldap module
I am facing this problem with my Freeradius 2.1.3, and I don't know how to solve
it :(
My NAS is sending only accounting registers to my freeradius server. My
freeradius server, is configured to store these registers into a MySQL server.
I have configured max_request_time = 120, in the case of MySQL
I tried editing the dialup.conf and added groupname with a value of
'%{SQL-Group}' but still it writes nothing for the groupname in the radacct
table. Can you help me as to how exactly I have to edit the dialup.conf ?
That is fine, only the attribute is wrong. AFAIK Class is the only
attribute
and do you know if the accounting registers are lost? or another child retries
the insert into the database?
They usually are - there are no handles to write to the database as the
whole server gets blocked. I haven't seen the case where single handle
would die and the rest of them would continue
I have a little problem with freeradius. And I can't find any solution for it..
We have logged failed login attempts with the following statement: (It's taken
from Freeradius Wiki)
Post-Auth-Type REJECT {
# Login failed: log to SQL database.
sql
}
However when we use rlm_sqlcounter this
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.
What we want to do:
When a
Mon Feb 23 19:54:36 2009 : Info: [files] expand:
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
-
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
Try %{control:Ldap-UserDn} in
The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?
Post the debug.
Ivan Kalik
Kalik Informatika ISP
I've been trying to authenticate a Wireless Access Point through a Radius
Server for last 1 month, but things don't seem to be working for me.
The Radius Server is authenticating when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
the Access
By the way, the authorization external program sets my customized Auth-Type
so that in the authentication section, I can use it to authenticate clients
using my authentication external program which is another instance of the
rlm_exec module (the second one).
Why?
The main problem is the way
What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...
No. Client gives up - it didn't send client certificate.
Ivan Kalik
Kalik Informatika ISP
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.
So what would be the problem in sorting out your features in
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
So what is client going to do with the challenge when it gets it?
That is why I tried to create the challenge with the help of the perl module
But the server doesn't send the reply to the client (Timeout at clientside)
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
User-Name = radius
NAS-IP-Address = 10.0.1.131
CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
CHAP-Challenge =
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.
Immediate solution is *not* trying to invent a new kind of hole on the
flower pot. Don't use custom authentication script - use existing
server modules. Whatever additional checks you think
I'm trying to figure out how to check to see if the auth type is
mschap in the users file. I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.
Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.
It's EAP-Type not
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?
I do hang around. This is what you should plan for:
- checks that need to
Yes. There is no problem in composing Cleartext-Password on the fly
from users password and the token.It shouldn't be too difficult to
create a perl script that does that.
Excellent! So the username and tokencode/password is passed from the
NAS (ASA5500) to the FreeRADIUS server and we create
Does freeradius support SHA hashed passwords (on ldap backend)?
Yes. This is documented in doc/rlm_ldap included with the server.
Ivan Kalik
Kalik Informatika ISP
Well I am new to this, I found a package in Ubuntu for it so the installation
was ok but there is one thing I went to the site I want a normal
configuration. I am trying to test that the radius is working after the
installation. Then I want to add a perl script that will handle my Authblock
I
I presume this expression would do the magic for me. But if for SQL
authentication how do I enforce that from the SQL tables?
Put Calling-Station-Id, expression and =~ as operator for that user in
radcheck. But regex is not working well in 2.1.3. Better wait a few days
for 2.1.4.
Ivan Kalik
and then Page text matches.
tnt-4 wrote:
Well I am new to this, I found a package in Ubuntu for it so the
installation
was ok but there is one thing I went to the site I want a normal
configuration. I am trying to test that the radius is working after the
installation. Then I want to add a perl script
I want to test a radius client with the freeradius server. Access
Requests and Replies works fine, but although I searched this mailing
list and several websites I still have no idea how to trigger an Access
Challenge. It would be very nice, if somebody could tell me how I have
to configure
Yes, I did but didn't get it, but I will do it again.
I will try to understand it as much as I can.
Hm, so you have trouble following simple instructions with ready-made
examples. Yet you are planning a perl application accessing data via
stored procedures in Oracle. Well, good luck with that.
I am using freeradius-1.1.7. In order to authenticate users using an
external program, I have created an instance of the rlm_exec module which
contains the properties of the external program. In the radiusd.conf, I have
called the instance in the authentication section. Now, as I want to
So there is no way at all to get the client to pick up the cert chain
without directly installing the intermediate cert on it?
No.
Is this
actually a client issue of it refusing to use chains for this then,
rather than a FreeRADIUS issue of it not passing the chain?
Yes.
Thanks very much for
# Can freeradius talk to the ldap box using TLS/SSL (ldaps)
Yes. See tls section in ldap module.
# Can freeradius read hashed credentials from the LDAP store and then
actually use them???
Yes. You will have to enable auto-headers in pap module if you are
storing them with headers in
I didn't force any authentication, I left the users file by default, when I
tried to login I got this:
..
++[files] returns noop
OK. Files are empty now. But ...
expand: %{User-Name} - juanpal
rlm_sql (sql): sql_set_user escaped user -- 'juanpal'
rlm_sql (sql): Reserving sql socket id:
rlm_pap: Normalizing MD5-Password from hex encoding
++[pap] returns updated
Try with Cleartext-Password first. And use := not == as operator.
Ivan Kalik
Kalik Informatika ISP
Is this normal or can I configure the radiusd to return all values
from the multivalued
LDAP attribute?
+=
http://wiki.freeradius.org/Operators
Ivan Kalik
Kalik Informatika ISP
I change the password user from md5 to User-Password and can login.
I don't know if that was the suggestion, but thanks a lot
Try with Cleartext-Password first. And use := not == as operator.
No. I meant what I wrote. User-Password shouldn't be used. Use
Cleartext-Password.
Ivan Kalik
Kalik
I believe I did all I had to enable my freeradius server to chat to
windows AD
I did changes to my FreeRADIUS configuration according
http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
I have news for you - you haven't done any of this:
I didn't change anything in the config file which we used on the 1.1.3
version of freeradius. I guess something goes wrong with the empty expand
message in debug mode.
While searching for this error I found something about the groupchecktable
which we never used. In the config this option is
My question now is, how do I login to AD using a new user that has never
logged on to the box before? I'm getting an error saying domain AD
unavailable, but if I use username that I used to login before 802.1x
enforcement all is looking good...
I am not sure what the problem is from your
I was incorrect about us doing EAP-TLS. We're doing EAP-PEAP, which does
not require a client certificate. My understanding however is that for
passing of the server certificate to validate our server to the clients
the options with the tls subsection of the eap.conf file are still used.
For
Now I use 3-4 different LDAP.
I want to run scripts depending on access or reject, not every time.
How can I configure it?
Unlang in post-auth / Post-Auth-Type REJECT sections.
Ivan Kalik
Kalik Informatika ISP
My problem is that my windows box has no way of communicating with AD
server to verify user credentials for initial login screen (reason for
that is because switch port state is uncontrolled and no other but EAPOL
traffic can pass through)
Is there any way setting my windows box so that user gets
Googling suggested that simply catting the 2 certs (server and
intermediate) into a single file (server at top, intermediate at bottom)
and listing that in the config as the certificate_file should work
No, that's not going to work. Client machine will still look for the
intermediate CA in its
Freeradius doesn't authenticate with mysql, so it uses other ways like EAP,
PAP and others.
I had edited the users file in the attribute auth-type with various
values: Local, EAP, PAP, System...
Why? All the freeradius documentation says that you *shouldn't* force
the Auth-Type.
As you
My goal is to assign vlans from some Organizational Units in AD.
So do it. You don't need to force any Auth or Autz types. Set up the
group membership filter in ldap module. It will give you Ldap-Group
which you can use to assign vlans:
DEFAULT Ldap-Group == something
some
I am trying to configure free radius to work with our 28 NASs.
These NASs are split into two groups, at different locations (equal
split 14-14).
All NASs report NAS-IP-Address correctly (ie uniquely)
Any device requesting authentication randomly connects to any one of the
28 NASs.
All devices are
401 - 500 of 2007 matches