On 1/28/2011 3:48 AM, Alan DeKok wrote:
Put the unlang in the authenticate section, after eap:
Auth-Type eap {
    eap
    if (...) {
        ...
    }
}
Thank you!! That did the trick. The entirety of my authenticate
section is
For years, we've been doing simple EAP-TLS with various versions of
FreeRADIUS. Now, a new requirement has come down to me such that radius
will have to reject certain valid client certs based on a string in the
Subject field of the client cert.
I've met this need (using 2.1.11 from git) with a
On 1/27/2011 1:14 PM, Alan Buxey wrote:
you are authenticating...and then rejecting in the post-auth
stage. you really need to break the process in the authentication
stage.
Thanks. That's actually my goal. But unlang isn't allowed in
authenticate{}, and my attempts to sneak it into the
On 1/27/2011 1:24 PM, Matt Garretson wrote:
Thanks. That's actually my goal. But unlang isn't allowed in
authenticate{}, and my attempts to sneak it into the authentication
phase via the tls{} section in eap.conf didn't seem to work.
Any other ways to do it?
Replying to myself here I
On 1/27/2011 3:41 PM, Matt Garretson wrote:
The XP client still tries three times (duh), but at least radius.log reflects
a failure:
Error: TLS_accept: error in SSLv3 read client certificate B
Error: rlm_eap: SSL error error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no
On 1/27/2011 3:03 PM, Phil Mayers wrote:
I've met this need (using 2.1.11 from git) with a simple bit of unlang
in post-auth{}:
if ( %{TLS-Client-Cert-Subject} =~ /OU=Evil/ ) {
    reject
}
Just put this in the authorize section? If it's early in the EAP
conversation, TLS-Client-*
Builds okay on Fedora 7 and Fedora 10:
./configure --with-system-libtool --prefix=/opt/radius --localstatedir=/var
make tests also passes on both, FWIW. But I won't be able
to actually install it for a week or two.
Alan, thanks for all of your hard work on FreeRADIUS!
-Matt
Alan DeKok wrote:
Slava wrote:
Could anyone tell me if there exists a solution to integrate FR with a
POP3 server
Look for patches to let cucipop do RADIUS authentication. If there
are none, maybe cucipop does PAM authentication. You could then use the
PAM RADIUS module.
FWIW, Qpopper
Sergio Belkin wrote:
I can't compile freeradius-2.0.2 on Centos 5.1 x86_64. It outputs:
/usr/lib/libltdl.so: could not read symbols: File in wrong format
collect2: ld returned 1 exit status
You might try using your system's own libtool. Try these
configure options:
Alan T DeKok wrote:
January 10, 2007 - Version 2.0.0 has been released.
Congratulations, and thanks for all your hard work on FreeRADIUS!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi...
Matt Ashfield wrote:
We're running FR to authenticate users on our wireless network. It appears
that radius is randomly stopping/crashing. I have checked logs, but have
been unable to locate the problem and am wondering if someone could point me
For what it's worth (probably not
Fred Zinsli wrote:
I am attempting to build an RPM from source on my FC5 box.
Try to get a more recent source RPM from a repository, and
then tweak the spec file to fit your needs. The Fedora builds will
support MySQL by default. It'd be easier than trying to write
your own spec file from
Fred Zinsli wrote:
I have got a copy of 1.1.7 source but my issue is that I don't know how
to enable mysql in the spec file.
The spec file that comes in the Fedora source RPM I suggested shows you
exactly how to do it. In fact, it's done for you. :)
Also, do I have to have mysql
Alan DeKok wrote:
That would seem to be the case, yes. But it's very weird. Doubly so
since there's no code in rlm_krb5 that depends on debug_flag = 2.
So... the culprit is likely elsewhere. Exactly where it is located is
difficult to say.
Thanks, Alan. Just a quick update...
This may be a Fedora/Kerberos issue rather than a Freeradius issue, but...
Has anyone experienced radiusd -X segfaulting when using rlm_krb5?
This is under Fedora 7 (x86_64), with freeradius 1.1.6 and 2.0.0-pre1
built from source tarballs. (I am trying to migrate to this environment
from a
Hi, I've had EAP-TLS working well for a few weeks now, but am
wondering about the most secure way to set up the dh and random
files. Initially I just created static files using commands
found in the list archives and/or the eap howto:
openssl dhparam -text -5 -out /opt/radius/etc/dh 512
dd
16 matches