Hi All
We are using FR 2.1.5 for authenticating wireless users against our LDAP
database. Recently, our student wireless vlan is getting too large, and we
wish to subdivide it.
Currently we place users in the appropriate vlan based on the user type
returned via the
Hi,
I'm running FreeRADIUS Version 2.1.5. We are trying to do system
authentication for some users. Doing this by creating huntgroups based on
NAS-IP-Address, and then telling that huntgroup to use System for
authentication.
The problem is that although the Access-Request packet is shown
I just figured that out via a sniff. Thanks for the note. I'll go after the
requesting software now.
From: Garber, Neal [mailto:neal.gar...@energyeast.com]
Sent: November 25, 2009 2:27 PM
To: 'm...@unb.ca'; 'FreeRadius users mailing list'
Subject: RE: showing NAS-IP of 127.0.01 instead of
PROTECTED]
Sent: Friday, August 01, 2008 8:27 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment
Matt Ashfield wrote:
Hmmm...well I was hoping for another way to assign vlans based on ldap
attributes, but I don't figure on rewriting rlm_ldap
Is there a way to regexp checking on the group_membership field instead?
Thanks
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re
That's what I was afraid of. Any suggestions to getting around this?
Thanks
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: Monday, July 28, 2008 3:23 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re
]; FreeRadius users mailing list
Subject: Re: groupmembership and vlan assignment
Matt Ashfield wrote:
That's what I was afraid of. Any suggestions to getting around this?
Edit the source code to rlm_ldap to implement regex checks.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http
=~ .*staff1, Autz-Type := Ldap1, Auth-Type := Ldap1
Where unbldap-Ldap-Group gets set via
groupmembership_attribute = eduPersonPrimaryAffiliation
and eduPersonEntitlement: urn:mace:uni.ca:wireless?vlan=staff1 in LDAP
Thanks
Matt Ashfield
[EMAIL PROTECTED]
From: [EMAIL PROTECTED
Hello
We have been using the groupmembership attribute in radius.conf to assign
users to the appropriate vlans. Up until now we've done it based on the type
of LDAP user they are (ie, staff, student, faculty, etc..):
groupmembership_attribute = eduPersonPrimaryAffiliation, (where
will
# add MS-CHAP-MPPE-Keys for MS-CHAPv1 and
# MS-MPPE-Recv-Key/MS-MPPE-Send-Key for MS-CHAPv2
#
#use_mppe = no
use_mppe = no
Thoughts?
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED
wpa_supplicant
JRadius Simulator
Ivan Kalik
Kalik Informatika ISP
On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:
I'd like to test this with PEAP/MSCHAP requests if possible. Is there a
howto? Clearly I'm down the wrong path here.
Matt
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL
]
-Original Message-
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: Monday, May 26, 2008 11:00 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: FR and PEAP question
Matt Ashfield wrote:
Hi,
We're looking into using PEAP with MSChapV2, instead of PAP (don
-users@lists.freeradius.org
Subject: RE: FR and PEAP question
FreeRADIUS-Proxied-To == 127.0.0.1 will match only for eap requests. You
can't test for it with pap requests (radtest).
Ivan Kalik
Kalik Informatika ISP
On 10/6/2008, Matt Ashfield [EMAIL PROTECTED] wrote:
I thought it would get
I can't seem to get to deployingradius.com website. Anyone know if this is
down?
Matt
[EMAIL PROTECTED]
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
We have two FR servers (running 1.1.15) on Red Hat machines.
We are using it to authenticate wireless users against an LDAP directory.
Occasionally, one of the FR servers (it happens to each, just not at the
same time), stops working. The service remains up, but it's like the
conversation
What kind of error messages are you getting in your log when it blows up?
Quoting Phil Mayers [EMAIL PROTECTED]:
On Mon, 2007-09-24 at 15:39 -0400, Nathan Hay wrote:
I am a newbie, running 3 (for redundancy) FreeRadius servers (1.1.7)
on SUSE 10 SP1 (32-bit) to authenticate our wireless
client
hh2380:20006 - ID: 133 due to unfinished request 922
After the error it crashed. Not sure why I'm seeing this. Any thoughts are
welcome!?
thanks
Matt
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Ashfield
Sent: Tuesday
version of FR? modules or backend auth system used?
Using FR 1.1.5 and using mod_auth_ldap for auth
Hi,
We're running FR to authenticate users on our wireless network. It appears
that radius is randomly stopping/crashing. I have checked logs, but have
been unable to locate the problem and am wondering if someone could point me
in a good location to look for reasons for the failure.
I've
Hi
I'm trying to do PEAP authentication against a user listed in my users file
instead of an AD or LDAP. I'm just doing this initially for some proof of
concept stuff.
I'm wondering how I need to set up the user in the users file? Currently my
entry looks like:
testuser User-Password ==
-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Matt Ashfield
Sent: May 2, 2007 11:29 AM
To: 'FreeRadius users mailing list'
Subject: Force Inner=Outer identity
Hi All
Using EAP-TTLS PAP with FR authenticated against LDAP. In looking at our
monitoring software, it displays
. Makes
user tracking quite difficult.
Is there any way to force a user's outer identity to equal their inner
identity?
Thanks
Matt Ashfield
[EMAIL PROTECTED]
on a workaround?
Thanks for any advice.
Cheers
Matt Ashfield
[EMAIL PROTECTED]
users mailing list
Subject: Re: NAS not accepting the Access-Accept?
Matt Ashfield wrote:
Hi,
I have a network switch that I'm trying to configure to allow Console port
authentication via RADIUS.
In the documentation of the switch it says:
To provide each user with appropriate levels
Hi, I realize this was a thread from over a month ago, but thought I'd ask
anyway. I have my original post, followed by your reply, followed by my new
question.
First off, my original post:
We're using FreeRadius to authenticate our wireless users (whose
credentials are stored in LDAP). But
Hi,
We'd like to use FR to assign users on our wired network to one of 30
different vlans on campus, based on an LDAP field. Currently, we are doing
this with huntgroups. Namely, we create a huntgroup for the NAS (in our
case, a network switch), and then in the users file, we put the following:
your ldap schema and add a field for the vlan a user should
belong to.
then all you would need is to query that field and propagate the variable.
Tunnel-Private-Group-Id=`%{private-vlan}`
On 4/19/07, Matt Ashfield [EMAIL PROTECTED] wrote:
Hi,
We'd like to use FR to assign users on our wired
to
the edge.
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]
-Original Message-
From: robinson santos [mailto:[EMAIL PROTECTED]
Sent: April 19, 2007 12:31 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Hi all,
We're using FR authenticating against LDAP to implement our wireless
solution. Basically, we are looking at the LDAP field of record type and
determining if it is a staff or a student, and assigning a vlan based on
that. Pretty simple and it works. However, there are two issues with this:
Hi All
We are seeing the following error:
Error: rlm_ldap: ldap_search() failed: Timed out while waiting for server to
respond. Please increase the timeout.
Our radius server talks to our LDAP server through a firewall. I'm wondering
if this has to do with the session lifetime setting on the
Hi,
We're using FreeRadius to authenticate our wireless users (whose
credentials are stored in LDAP). But we'd also like to use it to
authenticate a select few users who need access to our networking gear. Our
networking gear is setup to do this, but I'm not sure how to set this up in
[EMAIL PROTECTED]
-Original Message-
From: Alan DeKok [mailto:[EMAIL PROTECTED]
Sent: March 14, 2007 3:50 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: restricting users access to clients?
Matt Ashfield wrote:
We're using FreeRadius to authenticate our wireless
Hi,
We've been working on having a setup that can authenticate users against
LDAP via EAP (Chap) as well as System users.
We can get it to do one or the other, but not both. Is it possible to do
both? If so, how?
Thanks
Matt
[EMAIL PROTECTED]
11:21 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP and System users?
Matt Ashfield wrote:
We've been working on having a setup that can authenticate users against
LDAP via EAP (Chap) as well as System users.
http://deployingradius.com/documents/protocols
users mailing list
Subject: Re: guest acces?
Matt Ashfield wrote:
Now I know Alan does not recommend DEFAULT Auth-Type, but for here, I
think
it might be necessary. So in my users file, I added the following:
DEFAULT Auth-Type := System
Fall-Through = Yes
Don't use :=, use
Hi,
I'm using EAP-TTLS-PAP against LDAP, however I want to provide guest access
to users without adding these users to the LDAP directory.
I know I could add them as local users to the /etc/raddb/users file, but
that would involve a SIGHUP, and I'd prefer to avoid that if I could.
Instead, what
Hi,
I'm trying to set up a restricted users group to deny access to users so I
don't have to create an entry for each one in the users file.
Based on the WIKI FAQ, I found:
The following entry denies access to a group of users. The same restrictions
as above on location in the raddb/users file
I'm poring through the alphabet soup of all of this and have a few
questions that keep popping up.
During a pap conversation, the radius server ends up with the
username/password passed to it from the client. It then encrypts the
password to match the encryption of the stored password in ldap
PROTECTED]; FreeRadius users mailing list
Subject: Re: EAP-PEAP/MS-ChapV2 password storing options
Matt Ashfield wrote:
We're trying to implement username/password authentication and so far are
using EAP-PAP (with secureW2 client) because our passwords are stored in
LDAP in a 1-way encrypted hash
Hi All,
I'm sure this is a simple question, and I thought I'd pose it here in hopes
of a quick response.
We're trying to implement username/password authentication and so far are
using EAP-PAP (with secureW2 client) because our passwords are stored in
LDAP in a 1-way encrypted hash.
We're
Hi All
We're in the process of setting up our wireless system to use radius
authentication against our usernames/passwords which are stored in LDAP.
We have come across an issue in testing the radius server. We are using
Freeradius.
The way we have this setup is quite standard (I hope). The
Hi all,
This is probably a bit newbie-ish, but I thought I'd try anyway. We are
trying to authenticate users based on the username/password given AND the
vlan they are authenticating from. Is this possible?
A quick overview of our scenario is as follows:
- Wireless service offering an SSID/VLAN
Ok, Well that might be what I'm looking for. How do you get Radius to check
for username,password and vlan/ssid? Can you do a quick cut/paste job of
what I need to place in my conf files?
Also what AP's are you using that allow you to get them to send the
ssid/vlan to Radius? Just curious
I'm a bit confused on this one.
I want my users vlan'd based on their affiliation (ie, staff, student) In my
radiusd.conf file, under ldap, I've put:
groupmembership_attribute = eduPersonPrimaryAffiliation
Do I need to do more in my radiusd.conf file than that?
I assume this means assign them
My ldap section from radiusd.conf looks like:
ldap {
server = ldapserver.net.org
identity = uid=name,dc=net,dc=org
password = password
basedn = ou=stuffdc=net,dc=org
filter = (uid=%{Stripped-User-Name:-%{User-Name}})
Hi All,
I'm trying to add a user to a vlan based on an ldap attribute. I've checked
out: http://vuksan.com/linux/dot1x/802-1x-LDAP.html and saw the following
would have to be added to the user's ldap record:
radiusTunnelMediumType: IEEE-802
radiusTunnelType: VLAN
radiusTunnelPrivateGroupId: 2
by the authenticator to the ssha-1 password
stored in ldap?
Thanks
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 17, 2006 7:51 PM
To: [EMAIL
{
encryption_scheme = sha1
}
Cheers
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Phil Mayers
Sent: July 15, 2006 8:09 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TTLS-PAP-LDAP
Rohaizam Abu Bakar wrote:
Thanks
CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
unix
# Auth-Type LDAP {
# ldap
# }
eap
}
The first line in my users file for my Access Point is:
DEFAULT Auth-Type = ldap
Fall-Through = 1
Matt
Hi All
I'm trying to do 802.1x authentication using freeradius against an LDAP
directory which stores the userPassword in an ssha-1 hash. My question is,
is this possible? If so, how do I configure mschap for ssha-1 passwords?
Thanks for your time/advice,
Cheers
Matt
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 17, 2006 4:00 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re
Hi All
I'm trying to do EAP-PEAP (with MSCHAPv2) radius authentication against an
LDAP database with my passwords stored in clear text on the directory. I'm
thinking my issues right now are with certificates.
Can someone give me a quick explanation of what certificate requirements I
need to
.
Thanks
Matt
[EMAIL PROTECTED]
-Original Message-
From: Zoltan Ori [mailto:[EMAIL PROTECTED]
Sent: July 11, 2006 12:33 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject: Re: an infamous LDAP-FreeRadius question
On Tuesday 11 July 2006 10:10, Matt Ashfield wrote:
When I
seen quite a bit of threads concerning this but as mentioned in my initial
email, they can be tough to follow.
Thanks
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: July 10, 2006 4:51 PM
To: [EMAIL PROTECTED]; FreeRadius users
Actually, I only have the ldap -to- radius authentication when doing a
radtest. There's no eap involved at that point. I think my issue of adding
the EAP/802.1x stuff is where I'm hitting the snag.
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447
Hi All,
I know this has been discussed at length on this list, but it's kinda
confusing reading through the archive and making sense of all the threaded
discussions. What I didn't see (and I apologize if it's there) is if anyone
has a HowTo or something similar on how to configure Freeradius for