Re: Pre-release of 2.1.7
It's been a while since 2.1.6, and it's getting close to time for 2.1.7. In order to ensure the stability of the software, we need your help. Please download the pre-release of 2.1.7 from: http://git.freeradius.org/pre/ Build it, install it, and see if there are issues. The directory also includes Debian packages for Ubuntu 8.0.4.

Would these packages work on Debian Lenny?

-- damjan | дамјан This is my jabber ID -- dam...@bagra.net.mk -- not my mail address, it's a Jabber ID --^ :) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Freeradius and CouchDB
Has anyone tried to run Freeradius with all the data stored in CouchDB? CouchDB uses an HTTP interface, so maybe the only thing needed is HTTP client support in unlang?
Re: set absolute lifetimes
Use Expiration attribute.

And where? radcheck? What should I check? If Expiration is... what is CurrentTime as Value in SQL?

It's a check item; FreeRadius will use it to allow or deny access and to set Session-Timeout if needed.
Re: RFE configure script report
Can the ./configure script be made to report at the end what modules it found it can build. The ./configure output does have this information but it's not easy to follow.

I guess you are asking this after seeing a similar feature in other software?

Yes, net-snmp, xine-lib and conky are the first that come to mind.
RFE configure script report
Can the ./configure script be made to report at the end what modules it found it can build? The ./configure output does have this information, but it's not easy to follow.
Re: Building rlm_sql_oracle
Has anybody successfully built freeradius 2.1.4 with instant client? I have installed oracle instant client basic 10.2.0.4 + sqlplus + sdk for linux x86_64, everything from rpm. I can successfully connect with sqlplus64, paths are correct but when I execute configure in rlm_sql_oracle I am getting

Have you tried/checked the ORACLE_HOME environment variable? I installed instant-client from Debian packages, and it didn't set this env var by default.
Re: ldap filter depending on NAS
I try to ask my questions more precisely: * what are the radius ldap attributes meant for? Is only for accounting or can we use them for something else?

Nothing in any of my messages said anything about the LDAP attributes being used only for accounting. Yet here you are... ignoring all of my comments about what those attributes do, and inventing that they are only for accounting. This is known as being rude. You might disagree, but the reality is you've gone out of your way to ignore, distort, and misinterpret what I've said.

There's a proverb: "Don't attribute to malice what can be explained by incompetence." Maybe his English skills are just not so great, so he misrepresented what he was trying to do.
linking gdbm_compat in rlm_dbm
I've noticed that the check that the ./configure script does in order to find out if gdbm is used only tries to link with gdbm_compat. But the man page of gdbm says:

If you wish to use the dbm or ndbm compatibility routines, you must link in the gdbm_compat library as well. For example: gcc -o prog proc.c -lgdbm -lgdbm_compat

and indeed on any vanilla system this is the case. Debian, OTOH, has patched their libgdbm_compat.
Fall-Through attribute, reply or configure item?
I'm reading the documentation of freeradius 2.1.3 (I've not gone through it all yet) and I find that Fall-Through = Yes is always specified as a reply attribute. But it isn't a real reply attribute, is it? It's more of a configure attribute like Cleartext-Password, right? So it should be used in a check line with := (or the radcheck DB table). I understand that changing this will probably mean too much work for FR administrators; I'm only asking to make things clearer to me.

PS. Is there a list of the special configure attributes that freeradius works with?
Re: Fall-Through attribute, reply or configure item?
But it isn't a real reply attribute, is it? It's more of a configure attribute like Cleartext-Password, right? So it should be used in a check line with := (or the radcheck DB table).

Theoretically, yes. Practically, no. There are 100,000 deployments on the server using the existing functionality of Fall-Through, along with lots of documentation. Changing it for the sake of purity is a waste of time.

Of course, I understand that. I will be explaining Freeradius to some coworkers, including why we have to use Cleartext-Password and about the := operator in check lines, and somehow I came to Fall-Through, which seemed like a configuration item. I had to know exactly what's going on, so I can prepare better. Thanks.
Re: Limit access of a SSID to a certain LDAP group
I need to have different WLANs for different users who are in LDAP groups. The user of group A should be able to use WLAN A but not WLAN B and so on. How on earth do I configure this?

Where is SSID in the request? Called-Station-Id? NAS-Identifier?

DEFAULT Ldap-Group == whatever, regex check on the attribute which holds SSID
DEFAULT Ldap-Group == another, same for second SSID etc.
DEFAULT Auth-Type := Reject (force reject on those that don't match)

Interesting, I have a similar situation, except that I want to authorize users from one SSID with Active Directory, and from the other SSID with a local MySQL. How would I do that?
EAP and server certificate
Just to be sure, all EAP types require the radius server to have a certificate, right? And this certificate, i.e. its parent, needs to be installed in the supplicants, right?
Re: PopToP VPN + FreeRadius
Find out in documentation if PopTop supports Session-Timeout radius attribute. Or simply send it and see if the user gets disconnected after set time. If it does then counters/sqlcounters will work.

pppd (its radius plugin) supports Session-Timeout (and Session-Octets-Limit), so if PopTop uses pppd to establish and authorize the ppp session (and I see no reason not to) it will support that.
Re: error after updating to freeradius 2.0.1
Check that nothing is listening on port 1812, even for IPv6.

Nothing listening except for ssh.

Since ssh is TCP, you know that radius is UDP and you need to check with netstat -ulnp

ERROR: Failed to open socket: /etc/freeradius/radiusd.conf[182]: Error binding to port for 0.0.0.0 port 1812

BTW, if you are using some virtualization or similar software, I've heard some of them don't support binding to 0.0.0.0, so you'll have to bind to the specific IP address.
Re: Freeradius-client in pppd
I need the feature to specify the local IP address for the radius requests in pppd and I see that freeradius-client-1.1.5 has that feature. Is there any patch to make pppd use this radius client instead of its own copy of the old radiusclient?

No comments on this???
Re: Freeradius-client in pppd
Is there any patch to make pppd use this radius client instead of its own copy of the old radiusclient? No comments on this???

Maybe if you ask this question on a pppd mailing list, chances of getting a response are higher.

I don't think there is a pppd mailing list. That's why I ask here. Also, because freeradius-client is an offspring of libradiusclient that was used in pppd, I thought that freeradius people might know what the changes were from that old version to today.
Freeradius-client in pppd
I need the feature to specify the local IP address for the radius requests in pppd and I see that freeradius-client-1.1.5 has that feature. Is there any patch to make pppd use this radius client instead of its own copy of the old radiusclient?
make install R=... and integrated libtool problem (and solution)
I've tried to make an ArchLinux package of freeradius 1.1.2, but although the compile would go fine and compile all the modules, when I would do 'make install R=/tmp/pkg-fr' it would not install any of the *.so files for the modules in /usr/lib/freeradius. I've noticed in the output of make install that when libtool tries to relink the libraries it looks for libradius.so in /usr/lib/freeradius and not in /tmp/pkg-fr/usr/lib/freeradius/. The solution for me was to use the system installed libtool (1.5.22 in ArchLinux) instead of the freeradius internal libtool (version 1.4.2). Maybe the freeradius source needs to update the included libtool?
Re: freeradius 1.1.0 with rp-pppoe 3.8 pppoe-server
Below is the output from the /var/run/radattr.ppp0:

Idle-Timeout 300

Below is the output from radiusd -X:

Sending Access-Accept of id 74 to 127.0.0.1 port 32797
Idle-Timeout = 300
RP-Upstream-Speed-Limit = 64
RP-Downstream-Speed-Limit = 128
Finished request 8

I don't see any RP-Upstream-Speed-Limit or RP-Downstream-Speed-Limit... why?

You need to have the dictionary with RP-Upstream-Speed-Limit and RP-Downstream-Speed-Limit installed in /etc/radiusclient/ and /etc/radiusclient/radiusclient.conf.
Re: freeradius 1.1.0 with rp-pppoe 3.8 pppoe-server
I have a Red Hat 9.0 system with the following software: ppp 2.4.4b1, rp-pppoe 3.8, freeradius 1.1.0. I saw the following in /usr/local/share/freeradius/dictionary.roaringpenguin: RP-Upstream-Speed-Limit, RP-Downstream-Speed-Limit. I did perform a download speed test and the download speed is not correct. I can't get 128kbits but I get the full speed of 1Mbps, why?

rp-pppoe + pppd don't support those Radius attributes. To limit the user you'll need to create an /etc/ppp/ip-up script that will parse /var/run/radattr.ppp0 for those attributes, and then you can apply tc rules to limit the traffic.
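The ip-up hook described in the reply above, as an added example (not code from the thread, rp-pppoe or FreeRADIUS): it parses the radattr.pppN file that pppd's radattr plugin writes (the sample content is constructed to match the output quoted earlier in the thread) and builds the tc rules. Assumptions of this example: the RP-*-Speed-Limit values are in kbit/s, the burst and latency figures are arbitrary, and the downstream limit is applied as an egress tbf shaper on the ppp interface while the upstream limit is applied as an ingress policer.

```python
import re
import shlex
import subprocess
from typing import Dict, List, Optional

# Constructed sample of what pppd's radattr plugin writes to /var/run/radattr.pppN:
# one "Attribute-Name value" pair per line (same shape as the output quoted in the thread).
SAMPLE_RADATTR = """Idle-Timeout 300
RP-Upstream-Speed-Limit 64
RP-Downstream-Speed-Limit 128
"""

# Units for the RP-*-Speed-Limit values are an assumption of this example: kbit/s.
# The burst and latency figures are likewise example values, not taken from the page.
TBF_BURST = "10k"
TBF_LATENCY = "50ms"


def parse_radattr(text: str) -> Dict[str, str]:
    """Parse radattr.pppN into {attribute: value}; a repeated attribute keeps its last value."""
    attrs: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        attrs[name] = value.strip()
    return attrs


def _positive_int(value: Optional[str]) -> Optional[int]:
    """Return the value as int when it is a positive number; 0 or absent means no limit."""
    if value is None or not value.isdigit():
        return None
    n = int(value)
    return n if n > 0 else None


def tc_commands(iface: str, attrs: Dict[str, str]) -> List[str]:
    """Build the tc commands enforcing the RP speed limits on one ppp interface.

    On the PPPoE server, traffic *to* the subscriber leaves through pppN (egress),
    so the downstream limit becomes a tbf shaper on the root qdisc; traffic *from*
    the subscriber arrives on pppN (ingress), so the upstream limit becomes an
    ingress policer.  Returns [] when neither attribute asks for a limit.
    """
    if not re.fullmatch(r"ppp\d+", iface):
        raise ValueError(f"unexpected interface name: {iface!r}")
    down = _positive_int(attrs.get("RP-Downstream-Speed-Limit"))
    up = _positive_int(attrs.get("RP-Upstream-Speed-Limit"))
    if down is None and up is None:
        return []
    # Drop whatever a previous session left behind; the error tc prints when
    # nothing is attached is harmless.
    cmds = [f"tc qdisc del dev {iface} root", f"tc qdisc del dev {iface} ingress"]
    if down is not None:
        cmds.append(f"tc qdisc add dev {iface} root tbf rate {down}kbit "
                    f"burst {TBF_BURST} latency {TBF_LATENCY}")
    if up is not None:
        cmds.append(f"tc qdisc add dev {iface} handle ffff: ingress")
        cmds.append(f"tc filter add dev {iface} parent ffff: protocol ip u32 match u32 0 0 "
                    f"police rate {up}kbit burst {TBF_BURST} drop flowid :1")
    return cmds


def apply_limits(iface: str, radattr_path: Optional[str] = None, dry_run: bool = True) -> List[str]:
    """Read /var/run/radattr.<iface> (or the given path) and run, or just return, the tc commands."""
    path = radattr_path or f"/var/run/radattr.{iface}"
    with open(path, encoding="ascii", errors="replace") as fh:
        cmds = tc_commands(iface, parse_radattr(fh.read()))
    if not dry_run:
        for cmd in cmds:
            # No shell involved and the values were validated as plain digits above,
            # so attribute contents cannot inject extra commands.
            subprocess.run(shlex.split(cmd), check=False)
    return cmds


if __name__ == "__main__":
    # pppd invokes /etc/ppp/ip-up as: ip-up IFNAME TTY SPEED LOCAL-IP REMOTE-IP IPPARAM
    import sys
    for cmd in apply_limits(sys.argv[1] if len(sys.argv) > 1 else "ppp0", dry_run=True):
        print(cmd)
```

Installed as /etc/ppp/ip-up (executable, run by pppd as root) it would call apply_limits with dry_run=False; the main block above only prints the commands so it can be tried safely first. The ingress policer drops rather than queues, so the upstream figure is a hard ceiling, while the tbf shaper queues downstream traffic up to its latency budget before dropping.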
Re: Client authenticated but no internet connection
The clients can login (through chillispot login page) and authenticate via the radius server and mysqldb. So they have an IP like 192.168.182.5. But even if they get authenticated they still cannot connect to the internet. And I have no idea why.

This looks to me like a question for the chillispot mailing list. But, just a wild guess, did you enable NAT on the router (the one with chillispot)?
Re: Can I set Autz-Type in hints file?
and looking at the source of rlm_files.c, check_pairs is config_items. It's a bit confusing to use different words for the same thing.

So submit patches. This isn't a commercial product where people get paid money to do copy editing, so you have to expect some level of problems. And I'll be honest, people who complain about free software really *do* have the choice of paying for commercial software, with fancy copy-edited documentation. No one here is getting paid to listen to complaints about how crappy the product is.

I didn't complain, and I'm willing to submit patches to the documentation (actually I've done some simple editing in the wiki). Of course I don't have the knowledge you have about freeradius, so I still have to ask you (or some other of the knowledgeable people here) :) Anyway, freeradius is great software (never said it was crappy), keep up the good work.
Re: Can I set Autz-Type in hints file?
I have this in the hints file: DEFAULT Called-Station-Id == 987654321, Autz-Type := DialUp

I don't think that will do what you want. I suggest using the users file.

Yep, I tried it and it doesn't work when in the hints file... It works when I set that DEFAULT entry in the users file. Can you explain what the difference is? Reading the Freeradius documentation I supposed that in the preprocess module the Autz-Type config value is set up, and then the authorize would consider that and branch appropriately?
Re: patch for sqlcounter, please test!
query = SELECT TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime)) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

this actually works very well, a user logs in and is allowed to access the network until the date changes, e.g. the second time if he is allowed access for two days. But as I am saving the days as days in the mysql database, I run into trouble with Session-Timeout because rlm_sqlcounter assumes that the query returns seconds and the user gets a session timeout of the remaining days as seconds (a value between 1 and 7!). Putting the day limit as seconds into the database does (in my case/opinion) not make any sense here.

Hmm.. this is the first time I see your question, but you could've modified your query like so:

query = SELECT 86400 * (TO_DAYS(NOW()) - MIN(TO_DAYS(AcctStartTime))) FROM radacct WHERE UserName = '%{%k}' LIMIT 1;

Alternatively, you could use the Expire attribute: you just put a date in it, and Freeradius will calculate the Session-Timeout.
Re: [FREERADIUS] Re: patch for sqlcounter, please test!
Hello. I'm also interested in this. What Expire attribute?

The attribute name is actually Expiration. You set it in rad(group)check to something like Expiration == 24 Dec 2005 14:00:00, and if the user connects at 13:48, he'll get 12 minutes of Session-Timeout.

Can't find any reference of that attribute in the dictionaries.

It is in the dictionary; unfortunately it seems it's not documented anywhere.
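The Expiration behaviour described in this reply and in the "set absolute lifetimes" thread above, worked through as an added example (this is not FreeRADIUS code): given the date stored in rad(group)check and the time of the Access-Request, it decides between reject and a Session-Timeout. The date format is the one FreeRADIUS accepts for Expiration; the clamp against a Session-Timeout already in the reply, the use of ':=' as the radcheck operator and the radcheck_row helper are this example's choices.

```python
from datetime import datetime
from typing import Optional, Tuple

# Date format of the Expiration check item as FreeRADIUS accepts it, e.g. "24 Dec 2005 14:00:00".
EXPIRATION_FORMAT = "%d %b %Y %H:%M:%S"


def parse_radius_date(value: str) -> datetime:
    """Parse a date in the Expiration format (naive, i.e. the server's local time)."""
    return datetime.strptime(value.strip().strip('"'), EXPIRATION_FORMAT)


def expiration_decision(expiration: str, now: str,
                        reply_session_timeout: Optional[int] = None) -> Optional[int]:
    """Mirror what the server does with an Expiration check item at authorization time.

    Returns the Session-Timeout (seconds) the Access-Accept should carry, or None
    when the account has already expired (Access-Reject).  `now` is given in the
    same date format so the function is easy to exercise with fixed timestamps.
    The clamp against a Session-Timeout already present in the reply is this
    example's choice: the stricter of the two limits wins.
    """
    remaining = int((parse_radius_date(expiration) - parse_radius_date(now)).total_seconds())
    if remaining <= 0:
        return None  # past the date: deny access
    if reply_session_timeout is not None and reply_session_timeout < remaining:
        return reply_session_timeout  # another module already asked for less
    return remaining


def radcheck_row(username: str, expiration: str) -> Tuple[str, str, str, str]:
    """Row (UserName, Attribute, op, Value) to insert into radcheck.

    The value is the date string itself, not a computed number; rlm_sql hands it to
    the server as a check item and the server does the arithmetic above per request.
    """
    parse_radius_date(expiration)  # fail early on a malformed date instead of at login time
    return (username, "Expiration", ":=", expiration)
```

With the example from the reply, a user whose Expiration is "24 Dec 2005 14:00:00" and who connects at 13:48 gets a Session-Timeout of 720 seconds; connecting at or after 14:00 is rejected. Keep the server clock and the radcheck dates in the same timezone, since the comparison is done in naive local time.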
Re: Can I set Autz-Type in hints file?
Yep, I tried it and it doesn't work when in the hints file... It works when I set that DEFAULT entry in the users file. Can you explain what the difference is?

Read the documentation for the differences between the users file and the hints file. Those are the differences.

Well, I must say the documentation for freeradius is a bit of a mess... I'm guessing from the comments in the hints file that the preprocess module doesn't set the config items, it only modifies the request items (or adds to them)... quick searching through the source implies this. Well, while on the documentation... the aaa.txt file says:

"During authorization and authentication processes, there are 3 lists of RADIUS attributes supported by FreeRADIUS: request items, config items and reply items."

but the processing_users_file says:

"A request has initially an empty check list and an empty reply list attached to it. So each request has 3 A/V pairlists associated with it - the request list (as originated from the terminal server) - the check list (initially empty) - the reply list (initially empty)"

and looking at the source of rlm_files.c, check_pairs is config_items. It's a bit confusing to use different words for the same thing.
Can I set Autz-Type in hints file?
I have this in the hints file:

DEFAULT Called-Station-Id == 987654321, Autz-Type := DialUp

And this in radiusd.conf:

files dunfiles {
  usersfile = ${confdir}/users.dun
  acctusersfile = ${confdir}/acct_users
  preproxy_usersfile = ${confdir}/preproxy_users
  compat = no
}
...
authorize {
  Autz-Type DialUp {
    dunfiles
  }

I don't have much more in the authorize section: preprocess, chap, mschap, suffix.

But when I make a request with Called-Station-Id = 987654321, I get this:

modcall: entering group authorize for request 1
hints: Matched DEFAULT at 78
modcall[authorize]: module preprocess returns ok for request 1
...
modcall: group authorize returns ok for request 1
auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
auth: Failed to validate the user.

I don't see anywhere that the dunfiles instance is used?
Re: rlm_sqlcounter and something else than Session-Timeout
I really don't know why everybody is telling that such config would be impossible.

It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch/enforce their limit on the next login.

It is possible, but that depends on your NAS equipment. Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how many octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends.
Re: rlm_sqlcounter and something else than Session-Timeout
It's impossible to enforce traffic limiting *during* a user's session. So if a user is a tiny bit below their limit and logs in again, they can go over their limit. The server will only catch/enforce their limit on the next login.

It is possible, but that depends on your NAS equipment. Chillispot will use the radius reply attribute ChilliSpot-Max-Total-Octets to specify how many octets the user is allowed to transfer. Once the user passes the limit he is deauthenticated and his session ends.

BTW, Chillispot (free software) also supports the ChilliSpot-Max-Input-Octets and ChilliSpot-Max-Output-Octets attributes, if you want to limit the traffic separately. All the radius attributes Chillispot supports are documented here: http://www.chillispot.org/features.html#mozTocId36714
rlm_sqlcounter and something else than Session-Timeout
Currently rlm_sqlcounter sums all the session time used by a user, via a MySQL query (summing all the AcctSessionTime) and returns a corresponding Session-Timeout reply to the NAS. Now, in my application, I limit users by bytes transferred, so I need to sum AcctInputOctets and AcctOutputOctets, compare that sum to a check attribute (let's call it Max-All-Transfer) and return a corresponding ChilliSpot-Max-Total-Octets. I believe this is not configurable in rlm_sqlcounter? I could try to make a patch if someone is willing to help me and guide me a bit.
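The octet counter this post and the two replies above it describe, as an added example (not rlm_sqlcounter or ChilliSpot code): the accounting query sums AcctInputOctets + AcctOutputOctets from radacct, compares the result with a Max-All-Transfer check item (a hypothetical attribute, as in the post) from radcheck, and either rejects or returns the remaining allowance as ChilliSpot-Max-Total-Octets. The tables are an in-memory SQLite stand-in with the same column names, and the rows are constructed sample data.

```python
import sqlite3
from typing import Dict, Optional, Tuple

# RADIUS "integer" attributes are 32-bit unsigned, so a remaining allowance above this
# cannot be carried in ChilliSpot-Max-Total-Octets and is clamped to the maximum.
RADIUS_INT_MAX = 2**32 - 1

# Constructed rows standing in for radacct (one row per recorded session) and radcheck.
SAMPLE_RADACCT = [
    ("alice", 10_000_000, 40_000_000),
    ("alice", 5_000_000, 15_000_000),
    ("bob", 900_000_000, 2_000_000_000),
]
SAMPLE_RADCHECK = [
    # Max-All-Transfer is the hypothetical check attribute from the post; value in octets.
    ("alice", "Max-All-Transfer", ":=", "100000000"),
    ("bob", "Max-All-Transfer", ":=", "2500000000"),
]


def build_sample_db() -> sqlite3.Connection:
    """In-memory stand-in for the MySQL tables, using the FreeRADIUS column names."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE radacct (UserName TEXT, AcctInputOctets INTEGER, AcctOutputOctets INTEGER)")
    db.execute("CREATE TABLE radcheck (UserName TEXT, Attribute TEXT, op TEXT, Value TEXT)")
    db.executemany("INSERT INTO radacct VALUES (?, ?, ?)", SAMPLE_RADACCT)
    db.executemany("INSERT INTO radcheck VALUES (?, ?, ?, ?)", SAMPLE_RADCHECK)
    db.commit()
    return db


def octets_used(db: sqlite3.Connection, username: str) -> int:
    """The counter query: total octets in both directions over the user's recorded sessions."""
    row = db.execute(
        "SELECT COALESCE(SUM(AcctInputOctets + AcctOutputOctets), 0) FROM radacct WHERE UserName = ?",
        (username,),
    ).fetchone()
    return int(row[0])


def transfer_limit(db: sqlite3.Connection, username: str) -> Optional[int]:
    """The check item, if the user has one."""
    row = db.execute(
        "SELECT Value FROM radcheck WHERE UserName = ? AND Attribute = 'Max-All-Transfer'",
        (username,),
    ).fetchone()
    return int(row[0]) if row else None


def authorize(db: sqlite3.Connection, username: str) -> Tuple[str, Dict[str, object]]:
    """Counter logic in the style of rlm_sqlcounter, but counting octets instead of seconds.

    Returns ("noop", {}) when the user has no limit, ("reject", {...}) when the
    allowance is used up, or ("ok", {reply attribute: remaining}) otherwise.
    """
    limit = transfer_limit(db, username)
    if limit is None:
        return ("noop", {})
    used = octets_used(db, username)
    if used >= limit:
        return ("reject", {"Reply-Message": "Transfer allowance exhausted"})
    remaining = min(limit - used, RADIUS_INT_MAX)
    return ("ok", {"ChilliSpot-Max-Total-Octets": remaining})
```

As the thread notes, the sum only covers what accounting has already written, so a session in progress counts only once its Stop (or Interim-Update) record is in radacct; the reply attribute is what makes the NAS cut the session off at the boundary rather than one login later. Parameterised queries are used throughout so a username chosen by the client cannot alter the SQL.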
Re: Freeradius and LDAP : to be continued
rather confusing.

I have to admit, I have never used chillispot, but I've just visited their website and in the FAQ I found "Why should I use CHAP-Challenge and CHAP-Password?" so this makes me think that Chillispot uses CHAP authorization. And when you use CHAP, you do NOT need LDAP as authorisation, but as a password storage.

Okay - great.. what now?

You can set up chillispot to use PAP too. See the documentation about uamsecret.
Re: More than one sentence in accounting_stop_query
I want to make 2 SQL consultations in the accounting_stop_query field (in sql.conf).

Define a new section like that sql {...} in sql.conf (for example call it postacctsql), and then invoke it in radiusd.conf in the accounting { ... } section:

accounting {
  detail
  sql
  postacctsql
}

You see, all of those methods will be invoked for all accounting packets.
Re: Freeradius .. EAP/PEAP ... no accounting
DAMN !!! freeradius doesn't log the accounting and I can't find what the problem is.. all the config in radiusd.conf about auth and accounting seems to be ok..

First of all, are you sure your access point sends accounting?
Re: Accounting and anonymous outer identity in EAP-TTLS
Shouldn't the := operator in users replace the User-Name = anonymous, or doesn't it because files is before sql in the authorize section, and my users are in the MySQL database?

Yes, and it shouldn't matter that the users are in SQL. I suspect that something else is adding the anonymous username in the reply. The EAP module does this, but it checks to see if a User-Name already exists. If so, it doesn't copy it.

I changed User-Name := "testtest" in users and this is what I got:

Sending Access-Accept of id 88 to 217.16.68.220:2640
User-Name := testtest
User-Name := testtest
Idle-Timeout := 300

Which, I guess, means it's the files module that adds the User-Name twice.. or not?? Anyway, the Accounting-Request I got still had User-Name = anonymous, so I'll need to solve that first, I guess..
Accounting and anonymous outer identity in EAP-TTLS
I've been searching the mail list about this, but haven't found a definitive solution. The scenario: I'm using WPA2 access points, they are set up to authorize users against my freeradius server. The freeradius server is set up to use a MySQL database, and eap-ttls is configured (and that works ok). My Windows clients connect with the SecureW2 (1) supplicant. The problem is that radius accounting requests have the User-Name = anonymous attribute/value, so I can't separate accounting from different users. I've tried to replace the User-Name in the Access-Accept reply, with this configuration:

I have this in the users file:

DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1
        User-Name := "%{User-Name}", Fall-Through = Yes

BTW I've tried User-Name = "%{User-Name}" too. And this is the authorize section in radiusd.conf:

authorize {
  preprocess
  chap
  mschap
  suffix
  eap
  files
  sql
}

The problem is that the Access-Accept reply from freeradius has two User-Name AV pairs, like this:

User-Name := anonymous
User-Name := damjan

And the accounting packet has the User-Name = anonymous AV pair. Shouldn't the := operator in users replace the User-Name = anonymous, or doesn't it because files is before sql in the authorize section, and my users are in the MySQL database?... and if I put sql before files, that DEFAULT entry will not be triggered, am I right? Can I just remove UserName from the authorize_reply_query SELECT in sql.conf? Note however that the same radius instance is used for non-EAP clients too; those clients authenticate through chillispot and use plain and simple PAP. My platform is: slackware linux 10.1, openssl-0.9.7e, freeradius-1.0.2 (I'd update if that's a solution, but this system has several radius instances (ports) in production use).

(1) http://www.securew2.com/
Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings
add to it: forward the DHCPDISCOVER to the DS if no internal table entry for this MAC is found.

Yep, that would be even very easy to integrate. But I don't think that _any_ AP does that.

Well, an AP that does 802.1x + chillispot is all you need :) You get the accounting, bandwidth shaping and traffic limits for free.

just for the case: no, it is NOT possible to assign IP addresses by 802.1X; you have to do DHCP after the authentication (yes, it is strange).

A clever AP could support this:
1. Serving DHCP to the wireless network only
2. Getting the Framed-IP-Address from the radius Access-Accept, and putting it in an internal table (MAC - IP)
3. Serving that exact IP via DHCP when the subscriber asks for a lease.
I don't know of an AP that does that, though.
Re: FreeRADIUS - 802.1x WPA-TKIP, WPA2-AES settings
just for the case: no, it is NOT possible to assign IP addresses by 802.1X; you have to do DHCP after the authentication (yes, it is strange).

A clever AP could support this:
1. Serving DHCP to the wireless network only
2. Getting the Framed-IP-Address from the radius Access-Accept, and putting it in an internal table (MAC - IP)
3. Serving that exact IP via DHCP when the subscriber asks for a lease.
I don't know of an AP that does that, though.
Re: radwtmp 2GB file size limit
Apache also dies when it hits the 2GB limit for a log file, so maybe it is an unwritten FS limit?

No, your Apache is not compiled with large files support (LSB). If you compile your own Apache, ./configure it like this (if I remember correctly):

CFLAGS='-D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64' ./configure ...

If you use a packaged Apache, complain to your source of packages.
Re: ldap sha1 mschap peap pap
TTLS uses different tunneled authentication methods. Check those to see what's possible.

TTLS + PAP should work, doesn't it?
Re: FreeRADIUS 1.0.0-pre1 released
3. Is there a way to put the rlm_ modules in /usr/lib/freeradius while the main libraries stay in {prefix}/lib?

Which main libraries?

Well, I was under the impression that libradius.so and perhaps libeap.so could be used by other programs as well ... I guess I was wrong... compiling with:

./configure --with-experimental-modules --prefix=/usr \
  --sysconfdir=/etc --localstatedir=/var --libdir=/usr/lib/freeradius

now. Thanks.
Re: FreeRADIUS 1.0.0-pre1 released
We are proud to announce that the 1.0.0 release cycle for FreeRADIUS is entering its final stages. The first pre-release wide-area-test tarball is on the FreeRADIUS website: http://www.freeradius.org/

Congratulations, I have several questions:
1. Why is the option --with-large-files no by default? Are there any shortcomings?
2. Why is the option --with-udpfromto no by default? The way I understand it, this should be on.
3. Is there a way to put the rlm_ modules in /usr/lib/freeradius while the main libraries stay in {prefix}/lib?
Re: MS-CHAP/PEAP
PEAP requires a certificate for the server, but not for the clients.

What are the differences between PEAP and EAP-TTLS? Which one is more secure? Which one has broader support in supplicants? Can I use both eap-ttls and peap?
Re: [Q]: Assigning VLANs and restricting logins?
Would it be right to say that a RADIUS server in 802.1X authentication allows a client to be authenticated but can not unauthenticate an authenticated client and let the AP (NAS) know about this unauthentication. I guess it comes down to: RADIUS server responds to clients but does not initiate talking to clients.

That's true, the radius server just responds to the NAS equipment (be that a wireless access point or a dial-up access server or a VPN access server etc...).

So, if I log on with my XP laptop through 802.1X successfully and then a few minutes later, the system admin logged off all users (including me) with the intent to force reauthentications. But, my laptop thinks it's still authenticated and logged in.

Well, if the admin instructs the NAS equipment to log off all the users, your laptop should know immediately that it's disassociated from the wifi AP. When your laptop tries to log on again, and makes that request to the AP, the AP will contact the radius server again.
Re: [Q]: Assigning VLANs and restricting logins?
Admin can/would log off the logged in clients on the domain that the RADIUS server resides. That's not a problem. But how does one tell NAS equipment about it? In my case, what would be the protocol to ask NAS equipment to disassociate certain clients?

Obviously that depends from NAS to NAS; for ex. I can telnet into my dial-up access server and kick a user by his ID. BTW, if you don't tell the NAS equipment that a user should be logged off, you've done nothing by "Admin can/would log off the logged in clients on the domain that the RADIUS server resides." What would that accomplish? (I don't even understand how you think that will work?!?)