Re: Certificate Compatibility - RESOLVED

2011-03-31 Thread Ben Wiechman
Configuring the default_eap_type = mschapv2 in the ttls section allowed the EAP authentication to succeed. It had been at the default setting of md5. On Wed, Mar 30, 2011 at 12:49 PM, Jim Rice jmrice6...@yahoo.com wrote: Hi Ben, I really appreciate you taking the time to help me with this.  

Re: Certificate Compatibility

2011-03-30 Thread Ben Wiechman
You still don't have the certificates set up correctly. Find the ca certificate you have configured in eap.conf. # openssl x509 -text -in {ca certificate from step 1} Now compare that to the certificates on your SM. They don't match. You either are using the wrong certificate on the server, or

Re: Certificate Compatibility

2011-03-30 Thread Ben Wiechman
If you are getting this error: WARNING: !! WARNING: !! EAP session for state 0xf2937007f695654f did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility WARNING:

Re: Certificate Compatibility

2011-03-29 Thread Ben Wiechman
You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots. You might also be running into an issue with the issue date on the certificate if the AP doesn't

Re: Certificate Compatibility

2011-03-29 Thread Ben Wiechman
of this...) --- On Tue, 3/29/11, Ben Wiechman wiechman.li...@gmail.com wrote: You don't have the right CA certificate installed on the SM. Check the certificates listed under the Security tab in the SM and make sure that YOUR CA cert is shown in one of the two available slots. - List info/subscribe

Re: Certificate Compatibility

2011-03-29 Thread Ben Wiechman
We were aware of the vlan problem with 11.0. (Of course, no one uses those ;-) If only... lol Ben - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Certificate Compatibility

2011-03-29 Thread Ben Wiechman
Note that time might be an issue if the AP pushes the auth request through after a reboot before it has received a response from the NTP server and correctly configured the time. I'm not sure how much danger there is that this will happen. I haven't seen it in production that I am aware of,

Re: Change session on the fly

2011-03-25 Thread Ben Wiechman
http://www.ietf.org/rfc/rfc5176.txt google is your friend... On Thu, Mar 24, 2011 at 7:56 AM, Euler Thomas Garcia euler.gar...@pocos-net.com.br wrote: Hi sorry, I do not know if this issue was discussed earlier. Wonder if it is possible to change parameters of the session on the fly eg

Re: Status of 2.1.11/OSCP Implementation

2011-03-15 Thread Ben Wiechman
heh On Wed, Mar 9, 2011 at 3:29 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: Hi, in the QA department.  *You* are the QA department. I was under the general impression that QA is no longer done for commercial software either... ha! yes, i agree  :-) alan - List

RE: Question on Virtual Servers and inner-tunnel

2011-01-25 Thread Ben Wiechman
The inner tunnel virtual server can be specified in the eap configuration. By default it is the inner tunnel virtual server. :) See the ttls/peap/etc sections of eap.conf Ben From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org

RE: The decoded content is not same as command in CoA

2011-01-13 Thread Ben Wiechman
Look at the WiMAX dictionary. You are telling it to send the string 0. You either want to send an int, or use the values for WiMAX-DM-Action-Code defined in the WiMAX dictionary. Personally I feel the second method is preferred if you are generating policy as it is obvious what the intended

RE: Sub-TLV's

2011-01-12 Thread Ben Wiechman
specific. As I can't release details, is required to be in a dictionary file in order to work properly? David -Original Message- From: Ben Wiechman [mailto:wiechman.li...@gmail.com] Sent: Tuesday, January 11, 2011 10:36 AM To: David Peterson-WirelessConnections; FreeRadius users

RE: Sub-TLV's

2011-01-11 Thread Ben Wiechman
Quick SQL dump: INSERT INTO `radgroupreply` (`id`, `groupname`, `attribute`, `op`, `value`) VALUES (208, 'WiMAX_Test3', 'WiMAX-QoS-Id', ':=', '101'), (209, 'WiMAX_Test3', 'WiMAX-Service-Class-Name', ':=', 'DATA'), (210, 'WiMAX_Test3', 'WiMAX-Schedule-Type', ':=', 'Best-Effort'), (211,

Re: 2.1.10 Certificate Compatibility Warning

2011-01-06 Thread Ben Wiechman
On Thu, Jan 6, 2011 at 4:18 AM, Alan DeKok al...@deployingradius.com wrote: Ben Wiechman wrote: I've been testing EAP-TTLS/MSCHAPv2 authentication with a network device. FreeRADIUS keeps complaining about EAP sessions not finishing with the link to the certificate compatibility wiki link

2.1.10 Certificate Compatibility Warning

2011-01-05 Thread Ben Wiechman
I've been testing EAP-TTLS/MSCHAPv2 authentication with a network device. FreeRADIUS keeps complaining about EAP sessions not finishing with the link to the certificate compatibility wiki link, however the authentication process completes successfully. Looking at the packet exchanges more

Re: Alvarion BS Service Provision

2010-12-20 Thread Ben Wiechman
I believe you can only use the actual vid and not a vlan name (i.e. VLAN_200) in the vlan and access lists. At least under the older TDD builds this is the case, so I presume the same limitations apply to the 16e services. Ben On Tue, Dec 14, 2010 at 6:59 AM, Wilson, Stuart swils...@harris.com

RE: Automatically Generating Expiration - Freeradius 2.1.9 / mysql 5.1 / dialup admin

2010-11-24 Thread Ben Wiechman
I don't know of a way to do that in dialup_admin, but you could potentially look at using a trigger on insert in MySQL. That might be problematic however if you have some users that you don't want to automatically assign this Expiration to. Otherwise if the services assigned are simple it might

Mikrotik Dictionaries [Answered]

2010-11-10 Thread Ben Wiechman
] On Behalf Of Alan DeKok Sent: Wednesday, November 10, 2010 7:01 AM To: FreeRadius users mailing list Subject: Re: Mikrotik Dictionaries Ben Wiechman wrote: It appears that the Mikrotik dictionary was removed from /usr/share/dictionary in commit 38cee089d7f88a4e517d when the Motorola

Mikrotik Dictionaries

2010-11-09 Thread Ben Wiechman
It appears that the Mikrotik dictionary was removed from /usr/share/dictionary in commit 38cee089d7f88a4e517d when the Motorola WiMAX dictionaries were added. Was this intentional or an oversight? Ben

RE: Disconnect-Request

2010-10-12 Thread Ben Wiechman
Try the following: update disconnect { User-Name = %{User-Name} Calling-Station-Id = %{Calling-Station-Id} WiMAX-AAA-Session-Id = %{WiMAX-AAA-Session-Id} (same as that returned during network entry) WiMAX-DM-Action-Code = Deregister-MS } I know this works. I see

RE: WiMax VSA Support

2010-10-07 Thread Ben Wiechman
I don't have access to an Alvarion ASN-GW so I can't specifically test this all. Looking back over the service assignment again I see I didn't grab everything. I did grab the QOS descriptors, but missed the packet flow descriptor. This is the corrected full sample service that provisions services

RE: WiMax VSA Support

2010-10-06 Thread Ben Wiechman
That service profile does not look at all correct. It's a mixed bag of pre-provisioned services and AAA provisioned services. Here is a sample service definition that works with our ASN-GW: WiMAX-QoS-Id:= 101 WiMAX-Service-Class-Name:= DATA WiMAX-Schedule-Type :=

RE: ask for help on WiMAX + Freeradius + Disconnect

2010-09-01 Thread Ben Wiechman
Step 1: Read the wimax dictionary file. It will help you understand what types of data you need to be putting into each attribute. update disconnect { User-Name = %{User-Name} Calling-Station-Id = %{Calling-Station-Id} WiMAX-AAA-Session-Id = %{WiMAX-AAA-Session-Id}

RE: Is Mikrotik-Rate-Limit used to limit users speed

2010-08-12 Thread Ben Wiechman
We use this every day for wifi hotspots off a Mikrotik. It works without issues. From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Spacelee Sent: Thursday, August 12,

RE: Accounting and SQL

2010-07-09 Thread Ben Wiechman
Are you by chance testing the FreeRADIUS ready version of Alvarion's BTS firmware? -Original Message- From: freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of David

RE: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-07-02 Thread Ben Wiechman
Dennis Sent: Wednesday, June 30, 2010 2:32 PM To: FreeRadius users mailing list Subject: Re: Failed disabling Core Dumps on RHEL - SELinux Updates On 06/30/2010 03:06 PM, Ben Wiechman wrote: Despite the fact that this was against 2.1.9, not the freeradius2 rpm that is available with RHEL

RE: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-07-01 Thread Ben Wiechman
To: FreeRadius users mailing list Subject: Re: Failed disabling Core Dumps on RHEL - SELinux Updates On 06/30/2010 03:06 PM, Ben Wiechman wrote: Despite the fact that this was against 2.1.9, not the freeradius2 rpm that is available with RHEL? Yes. It's a policy problem and it needs

RE: originate-coa virtual server

2010-06-30 Thread Ben Wiechman
Is the lack of information in the Response-Packet-Type attribute expected in a response to a coa or disconnect request and the switch should be updated to use %{proxy-reply:Packet-Type} (this does work) or should the Response-Packet-Type attribute be populated for a response to a coa or

Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Ben Wiechman
modifications to the default SELinux policy # cat freeradius2.te module freeradius2 1.0; require { type radiusd_t; class process setrlimit; } #= radiusd_t == allow radiusd_t self:process setrlimit; This allowed the daemon to properly disable core dumps. Ben

RE: Failed disabling Core Dumps on RHEL - SELinux Updates

2010-06-30 Thread Ben Wiechman
] On Behalf Of John Dennis Sent: Wednesday, June 30, 2010 9:56 AM To: FreeRadius users mailing list Subject: Re: Failed disabling Core Dumps on RHEL - SELinux Updates On 06/30/2010 10:29 AM, Ben Wiechman wrote: A note for those that may run into this as well. When updating FR to 2.1.9

RE: Re: Invalid Attributes

2010-06-28 Thread Ben Wiechman
The dictionary that is displayed by Wichorus in their documentation is for their own internal MIG product and the syntax has been modified from that typically used by FreeRADIUS. Wichorus uses a mix of attributes from NWG release 1.2, 1.3, and beyond. Attached is a sample WiMAX dictionary that

RE: Some questions about freeradius for WiMAX

2010-06-14 Thread Ben Wiechman
Since I see this from time to time I've attached a fairly functional virtual server and policy for use with a WiMAX ASN-GW. Some notes: - You may want to merge some of the configuration files (dictionary/policy.conf/etc) to avoid overwriting any site local updates that already exist. - We use

RE: radtest with MS-CHAPv2?

2010-06-10 Thread Ben Wiechman
Ntradping http://www.novell.com/coolsolutions/tools/14377.html I believe this is the tool you are looking for. Ben -Original Message- From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org

RHEL Freeradius Packages v2.1.7

2010-02-11 Thread Ben Wiechman
Does anyone have version 2.1.7 of the RHEL freeradius 2 rpms that John graciously provided? Thanks Ben

FreeRADIUS Dictionary attribute types

2010-01-27 Thread Ben Wiechman
Is the integer type in the dictionaries signed or unsigned? It appears from the release notes for 2.1.8 that it is, but this is not noted in the dictionary file that I have seen so would like to confirm. Ben

Server Certificate Signing Request Question

2010-01-14 Thread Ben Wiechman
I am generating a CSR for Verisign (WiMAX) to support EAP-TTLS. Some of the examples I see use the -nodes switch when generating the CSR, and others do not. Is the use of nodes CA specific, or why would I want to or not want to use -nodes. I see that when it is used the private key will not be

RE: Calling-Station-Id

2010-01-07 Thread Ben Wiechman
This time I used: |298|t...@internet.quimefa.cu|MD5-Password | := | password |313|t...@internet.quimefa.cu|Calling-Station-Id | =~ | 6480342|55 and it still accepts the user from regardless of the phone number it's using. this is what comes up in the debug. [..]

RE: Accounting : Alvarion WiMax Base Station as NAS

2009-11-17 Thread Ben Wiechman
Alvarion does not support Interim updates, nor do they provide any of the other information you are looking for. Ben -Original Message- From: freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-

RE: Accounting : Alvarion WiMax Base Station as NAS

2009-11-17 Thread Ben Wiechman
with DynDNS (? ?) 3. RE: SSID based authentication (Garber, Neal) 4. RE: Accounting : Alvarion WiMax Base Station as NAS (Ben Wiechman) 5. Re: Authenticate Many Sites on dynamic IPs through One Freeradius Server (Charles (KOL) Goma) 6. Re: Book About Free-Radius

Re: Filter Access-Challenge Attributes

2009-10-30 Thread Ben Wiechman
Thanks On Fri, Oct 30, 2009 at 6:42 AM, Alan DeKok al...@deployingradius.com wrote: Ben Wiechman wrote: Is the following stub for filtering Access-Challenge attributes from sites-available/default for future use? There are some typos that are fixed in the git stable branch. Alan DeKok

Re: Database Problem

2009-10-30 Thread Ben Wiechman
Or NTRadPing for Windows. On Fri, Oct 30, 2009 at 7:59 AM, Ana Gallardo ana.gallardo...@gmail.com wrote: Can you tell me if there is a tool that I can use to test mschap authentication rather than use local radtest it can be linux or windows app.

Filter Access-Challenge Attributes

2009-10-29 Thread Ben Wiechman
Is the following stub for filtering Access-Challenge attributes from sites-available/default for future use? # Auth-Type eap { # eap { # handled = 1 # } # if (handled (Response-Packet-Type == Access-Challenge)) { #

RE: unable to connection freeradius with mysql

2009-08-05 Thread Ben Wiechman
http://lmgtfy.com/?q=does+not+support+authentication+protocol+requested+by%20server+consider+upgrading+MySQL+client -Original Message- From: freeradius-users- bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-

RE: new to freeRADIUS - Help

2009-08-04 Thread Ben Wiechman
Another question I have, When I spoke briefly to the folks at Network RADIUS, they told me that freeRadius includes the required db schema for mySQL. When I installed mySQL 5.1, there was a db in there that I didn't recognize, called information_schema, comprised of 28 tables. Is this it,

RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-09 Thread Ben Wiechman
Attribs for the IPCS mode - of which there is absolutely no details of in the Alvarion manuals! Cheers Steve On Thu, 09 Jul 2009 09:05:30 +0700, Ben Wiechman wiechman.li...@gmail.com wrote: Remove the trailing semicolon. The documentation isn't very clear on that point

RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-09 Thread Ben Wiechman
in advance Steve On Thu, 09 Jul 2009 09:17:32 +0700, Ben Wiechman wiechman.li...@gmail.com wrote: Actually authorization in their hybrid 16d system that Steve is using is very seamless. We've looked at many solutions and in most configuration/service assignment revolves around some kind

RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-09 Thread Ben Wiechman
At this point, it's difficult to recommend Alvarion for anything. Even ignoring the interop issues, they've made it clear that they're not interested in supporting the customers who purchased their equipment. Oh they'll support it... it's called turn-key professional services. :) Ben -

RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Ben Wiechman
Remove the trailing semicolon. The documentation isn't very clear on that point, but the semicolon is only needed as a separator if you are supplying multiple services to the BTS. It should not be included as the trailing character. The debug output for this was... unhelpful in earlier

RE: Alvarion BreezeMax BTS - Service provisioning?

2009-07-08 Thread Ben Wiechman
Actually authorization in their hybrid 16d system that Steve is using is very seamless. We've looked at many solutions and in most configuration/service assignment revolves around some kind of custom NMS that is a complete kludge or require service levels to be configured in each MS individually.

RE: Access Req from HA rejected

2009-06-26 Thread Ben Wiechman
If you are not generating the original keying material (i.e. you are the V-AAA) I would think you would need to proxy this request to the H-AAA as well as the required keys are going to be available there. You are not receiving the WiMAX-vHA-IP-MIP4 which would indicate that the V-AAA is capable

RE: Freeradius and Alvarion

2009-06-15 Thread Ben Wiechman
It looks like you're using the non-802.16e release. If you are using 802.16e someone sent you the wrong information. The service configuration is different under Eth CS and IP CS. Which are you using? Ben -Original Message- From: freeradius-users-

Re: failover and load balancing POSTGRESQL

2009-04-22 Thread Ben Wiechman
If you require synchronous replication and your queries are conducive to it there is MySQL Cluster. You might get some of the functionality you want with DRBD (but write performance hits) and MySQL, which is supported officially by MySQL, or through the use of circular replication with a pair of

RE: Production servers num_sql_socks

2009-03-05 Thread Ben Wiechman
We set num_sql_socks to 25. We had them set to 10 but ran into issues when massive numbers of subscribers were attempting to enter the network at once - for example when we would power cycle a base station with 400 subscribers on it for maintenance. Ben Wiechman From: freeradius-users

RE: Handing out duplicate IP addresses

2009-01-15 Thread Ben Wiechman
in the case that the address was offered to multiple clients. Ben Wiechman From: freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org [mailto:freeradius-users-bounces+ben=wisper-wireless@lists.freeradius.org] On Behalf Of Padam J Singh Sent: Thursday, January 15, 2009

Freeradius and WiMAX ASN-GW

2008-12-08 Thread Ben Wiechman
Can anyone who is using FR to authenticate a 802.16e WiMAX network speak a bit about which ASN-GW they are using and any issues they are encountering? Of particular interest is the ASN-GW offered by Cisco. Ben Wiechman Network Admin Wisper High Speed Internet - List info/subscribe

RE: external radius for Motorola Canopy

2008-04-24 Thread Ben Wiechman
Working on that right now actually. I have the basic framework set up in my Prizm config and in the radius database, plan on testing some stuff next week. Ben Wiechman Network Admin Wisper High Speed Internet [EMAIL PROTECTED] -Original Message- From: freeradius-users-bounces+ben

Timeouts

2008-04-18 Thread Ben Wiechman
. This is strange to me however as my primary server has nearly no timeouts with the same config, same hardware, same OS, same network path. Any tips on tracking down where the issue might be? Ben Wiechman

RE: Timeouts

2008-04-18 Thread Ben Wiechman
Just a wild guess: could it be that the server is in some power saving mode and therefore needs too much time either to process the request or to wake-up fully before processing the request? Ben Wiechman Have a nice day! Nicolas Goutte extragroup GmbH - Karlsruhe Waldstr

RE: RPM Build Errors

2008-04-07 Thread Ben Wiechman
-Original Message- From: freeradius-users-bounces+ben=wisper- [EMAIL PROTECTED] [mailto:freeradius-users- [EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Sunday, April 06, 2008 12:15 PM To: FreeRadius users mailing list Subject: Re: RPM Build Errors Hi, On Sun, Apr 06,

RE: Rule for don't log specific user session.

2008-03-12 Thread Ben Wiechman
Also, will this take care of both accounting log info and authentication log info? No. See doc/Post-Auth-Type and the post-auth section. Thanks, I'll look there. I'm not much concerned with the accounting info. Our wimax base stations send a keepalive auth request at rather frequent

RE: Rule for don't log specific user session.

2008-03-11 Thread Ben Wiechman
Is there an equivalent way to do this using sql? Ie radreply/radgroupreply? Also, will this take care of both accounting log info and authentication log info? Ben Wiechman Network Admin Wisper High Speed Internet [EMAIL PROTECTED] -Original Message- From: freeradius-users-bounces+ben=wisper

RE: Security of sql md5 vs unix auth

2007-11-06 Thread Ben Wiechman
I had to do a little digging, but I got md5 auth set up and working. Thanks for the help. I was more comfortable doing that than changing permissions on the /etc/shadow and dealing with modifying SELinux attributes. Thanks for the help. Ben Wiechman -Original Message- From: [EMAIL

RE: Security of sql md5 vs unix auth

2007-11-05 Thread Ben Wiechman
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: Friday, November 02, 2007 6:42 PM To: FreeRadius users mailing list Subject: Re: Security of sql md5 vs unix auth Ben Wiechman wrote: Background: we use freeradius to provide AAA for our

Security of sql md5 vs unix auth

2007-11-02 Thread Ben Wiechman
accounts in the /etc/shadow file (I had to set the file to world readable to allow the radiusd process to read the file.). Or is there another, better alternative that I just don't know about? Ben Wiechman Wisper High Speed Internet Office: 866.394.7737 Direct: 320.256.0184 Cell: 320.247.3224