Hi,
this is a weird one for y'all.
windows clients (xp sp2 and what not) can be configured to pass their
credentials along to wireless when they authenticate to the computer (to
the AD domain). that seems to work fine.
then randomly it seems to stop working and their login seems to be
relationships, others like your d-links only allow a direct mapping.
Basically it sounds like you are limited by the constraints of your NAS.
Joe Vieira
UNIX Systems Administrator
Clark University
Joel MBA OYONE wrote:
Alan,
I possess a device from D-Link (DWS-3024). it is a wireless switch
controller
for JUST my ldap authorization section, i don't
want to mess with it anywhere else...
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
But there are multiple domains in active-directory. How to configure
freeRADIUS or samba can let it support multiple domains?
FreeRADIUS just used Samba to do authentication with AD. The winbind
ntlm_auth API used in Samba cannot authenticate to multiple domains.
that's not entirely true,
this.
the rlm_ldap docs should be most of what you need...
In addition,
I'd like to know if anyone out there has this kind of configuration in
place, and working.
I have it working, I do authorization based on openLDAP ( with groups )
and i do authentication off active directories.
Joe Vieira
UNIX
Hey Alan,
is the LDAP_DEPRECATED stuff all fixed in 2.0.2? just wanna double
check before i compile it and don't pass that option myself...
Thanks,
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Norbert Wegener wrote:
With 2.0.2 I tried a performance test with eap
*) 0x2aaab0002710
(gdb) print conn-ld
Cannot access memory at address 0x0
(gdb) print conn
$6 = value optimized out
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Alan DeKok wrote:
Joe Vieira wrote:
So, i just attached gdb to the running server and ended with this seg
fault
if that's the case, why do you think it seems to work fine single threaded?
shrug I dunno...
=(
i am adding a ton of debugging stuff to the function so hopefully it
might give some more insight...
joe
1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid
memory location. (always 0xb00020e0)
Try running it without the LDAP module. If it works, then the ldap
module, or the LDAP libraries it uses aren't 64-bit clean.
if that's the case, why do you think
I am consistently getting a segfault (~every 45minutes or so) from line
1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid
memory location. (always 0xb00020e0)
Try running it without the LDAP module. If it works, then the ldap
module, or the LDAP
model name : Intel(R) Celeron(R) CPU 2.40GHz
Doesn't sound like a 64-bit machine. Dang...
they did make the celeron d line that had a 2.4 that was 64
bit like around 2006 or so i think... so it could be still..
Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url
destroyed)
In line 116518 a client gets a reject, in 119715 the same client an accept.
...
State = 0x00030d00
...
...
All I can guess is that the code
Joe Vieira wrote:
Joe Vieira wrote:
if that's the case, why do you think it seems to work fine single threaded?
shrug I dunno...
so, even tho LDAP_DEPRECATED was set as a cflag in
rlm_ldap/configure.in, it never shows up as a gcc option during
compilation for some reason
Joe Vieira wrote:
if that's the case, why do you think it seems to work fine single threaded?
shrug I dunno...
So, more or less at this point threading seems to ruin this somehow.
which is really weird.
this same server was running freeradius 1.1.6, then i installed the new
seemingly thus far...
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
[EMAIL PROTECTED] wrote:
Hi,
else you can get into a situation where the compiler assumed the function
(in this case ldap_get_values) returns an int (32bit), but it actually
returns a pointer (64bit on 64
session fails.
could someone help me figure out what that means exactly?
thanks,
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
Wed Feb 6 10:43:44 2008 : Error: TLS Alert write:fatal:bad record mac
Wed Feb 6 10:43:44 2008 : Error: rlm_eap: SSL error error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Feb 6 10:43:44 2008 : Error: rlm_eap_tls: SSL_read failed
also make sure $_incdir is defined in your .rpmmacros
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
you'll need to either rename everything in the spec file to be
freeradius-server
or just open the tar.gz rename the directory INSIDE IT (which is also
Andrew Long wrote:
OK, can you give me the explicit code here. Here is the file as it exists:
$ cat .rpmmacros
%_topdir %(echo $HOME)/rpmbuild
yea, add this line.
%_incdir /usr/include
or whatever directory you want ...
you'll need to either rename everything in the spec file to be
freeradius-server
or just open the tar.gz rename the directory INSIDE IT (which is also
freeradius-server) to freeradius-2.0.1... then zip it all back up and
run your spec again and it will work.
Joe Vieira
UNIX Systems
Since we have no idea what the problem is, the answer is likely no.
totally fair =)
If malloc() is core dumping, then something else is going wrong. i.e.
some other part of the server is over-writing memory.
when you say the server i assume you mean freeradius not another app.??
I
I've been trying to pin down a rather elusive segfault for over 2 months now.
and i finally got it to happen inside of gdb.
this is freeradius 1.1.6, on rhel5 x86-64
if this problem is fixed in 2.0 or 1.1.7 please let me know.
Starting program: /usr/sbin/radiusd -X
[Thread debugging using
no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.
hmm, the box itself is totally stable, nothing else has been an issue...
hyperthreading on?
no they are true dualcore Xeon's w/ no hyperthreading.
Joe
are currently) i could actually imagine going an hour or
even two without any authentication attempts.
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
:-00}
--nt-response=%{mschap:NT-Response:-00}
make sure you make a dictionary attribute for domain as well.
Joe Vieira
UNIX Systems Administrator
Clark University
On Tuesday 11 December 2007 9:29:46 am Dave Gibelli wrote:
Hi
I am testing Freeradius within an 802.1x environment.
I want
I suggest you investigate the use of LDAP groups.
thanks for the suggestion, I did that last night and it worked well for me.
Joe
, but it never
matches in the users file, can anyone point to what i am doing wrong?
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
I created the attribute, and i don't get any dictionary errors
[EMAIL PROTECTED] raddb]# cat dictionary | grep VPN
ATTRIBUTE VPNGroupName 3001 string
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
[EMAIL PROTECTED] wrote:
Attribute is most likely VPN-Group
in the right direction?
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
I created the attribute, and i don't get any dictionary errors
[EMAIL PROTECTED] raddb]# cat dictionary | grep VPN
ATTRIBUTE VPNGroupName 3001 string
Joe Vieira
UNIX Systems
someone give me a
general example of how they would try to do it?
I was thinking in the ldap mapping file of adding a check item vpngroup
(or whatever) and then using the users file to match off of that to set
a reply of what i am looking for
Joe Vieira
UNIX Systems Administrator
Clark University
before this started happening i changed max request time up to 60 cleanup delay
to 6 max requests to 64 as well as increased the min number of servers to
8. i thought those changes would be pretty harmless, should i have been more
careful with them
maybe max_requests is too high as
It looks like a threading issue. Other than that, I haven't seen
anyone else run into that with 1.1.7.
sorry i made a mistake originally (i sent a correction but it prolly got lost
in the mix of all the messages to this list) i am running 1.1.6. are there any
issues with 1.1.6 and
Hi,
I currently have the server in debug and am waiting to see if it fails with an
actual error. In the mean time this is what i am seeing.
rhel5-64bit freeradius 1.1.7 after about a day and a half one of the threads
decides to use 100% of the CPU it's on, and nothing is logged in the normal
Sorry, i am running 1.1.6 not 7.
Joe
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Joe Vieira [EMAIL
PROTECTED]
Sent: Tuesday, November 06, 2007 6:22 AM
To: FreeRadius users mailing list
Subject: radius 1.1.7 hangs 100% cpu
Hi,
I currently
Joe Vieira wrote:
before this started happening i changed max request time up to 60 cleanup
delay to 6 max requests to 64 as well as increased the min number of
servers to 8. i thought those changes would be pretty harmless, should i
have been more careful with them?
Leave
cli 00-1B-77-27-B2-48) - freaky line
now, that looks like extended unicode to me in the username...obviously
we don't have a user named that, or even a domain named 'RUN', moreover
it doesn't seem like that username should even have been authorized
thru the ldap rules
--
Joe Vieira
UNIX
the command line
you'll have a MUCH better chance of it working in freeradius.
hints are kinit - get that working also get wbinfo -u listing your
domain users
Joe Vieira
UNIX Systems Administrator
Clark University
Hello,
I am curious about the methodology for using one authorization module
for one type of service and another for a different type of service.
basically we have wireless and VPN that is being authorized and
authenticated through our radius box. i would like to be able to control
authorization
Never mind, i figured it out.
Joe Vieira wrote:
Hello,
I am curious about the methodology for using one authorization module
for one type of service and another for a different type of service.
basically we have wireless and VPN that is being authorized and
authenticated through our radius
Is it possible to have radius listen on multiple (but not all) ip's /
interfaces on a server?
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
508.793.7287
Joe Vieira wrote:
Is it possible to have radius listen on multiple (but not all) ip's /
interfaces on a server?
Yes. Use multiple listen directives.
thanks
Joe
You need to compile with ldap deprecated option.
Joe
-Original Message-
From: Robert E. Toense [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Sent: 6/25/2007 6:03 PM
Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP
I am
? Is this a configure
option to FreeRadius? If so, I don't see it.
Thanks,
Robert
Joe Vieira wrote:
You need to compile with ldap deprecated option.
Joe
-Original Message-
From: Robert E. Toense [EMAIL PROTECTED]
To: freeradius-users@lists.freeradius.org
freeradius-users
attached is my gdb log, looks like something happens with the ldap_set_option()
function. thanks for having a lot
Joe
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan Dekok
Sent: Wed 6/13/2007 3:33 AM
To: FreeRadius users mailing list
Subject: Re: seg fault
Joe Vieira
Found the issue, i added -DLDAP_DEPRECATED to the CFLAGS.
Joe
Joe Vieira wrote:
Hi,
i've got freeradius 1.1.6 running on rhel5. when i go to do an ldap auth.
i get this
...
Segmentation fault
See doc/bugs
Alan DeKok.
--
http://deployingradius.com - The web site
Hi,
i've got freeradius 1.1.6 running on rhel5. when i go to do an ldap auth. i
get this
Listening on authentication 10.5.5.11:1812
Ready to process requests.
rad_recv: Access-Request packet from host 10.5.5.11:32769, id=76, length=59
User-Name = jvieira
User-Password = test
in my experience, i have seen the hosts PASS their name as
host/HOST$.domain.domain.domain what version of samba are you using?
Christian Hohmann wrote:
Hi members,
I have a problem with the name of hosts. Here is the situation:
I have an LDAP Directory which is filled by samba-Daemon, for
thru the same frustration, blame Microsoft.
Joe Vieira
UNIX Systems Administrator
Clark University
no. if it worked with XP then the certs are fine - the server needs to be
upgraded to support Vista.
I assumed since he was using the IBM supplicant stuff in XP, that worked around
the cert issues.
Joe
Hi,
Using freeradius 1.1.5 samba 3.0.24...i have an interesting problem,
and was curious what methods other people would take to solve it.
I am setting up radius for our new wpa2 wireless network, which
means that windows machine auth should work so that people can LOGIN to
their
well, you can use regexp/attr_filter to look for these systems
and then just chop off the activedirectorydomain.domain.domain. part
thus allowing the AD REALM to be forced by yourselves.
I tried something similar i used attr_rewrite to replace the bad parts
of User-Name with the
ah! you really cannot play with User-Name - as you have found, the client
doesn't like that to be changed. what you want to do is copy User-Name
to Stripped-User-Name and then play with Stripped-User-Name - and
use that in the rest of the stages.
how do i copy User-Name to something else?
A B wrote:
I've installed freeradius 1.1.5 and am able to run radtest
successfully on the machine that freeradius is installed on. However,
when I try to run radtest (or NTRadPing or radius test client) it is
unable to connect to the server. Does anyone have any ideas? I do have
the
on accounting *:1813
Ready to process requests.
That doesn't mean that you can access those ports from off of the
box...did you check your firewall configuration to make sure those ports
are accessible?
easy test is to nmap -sU whatever your freeradius box's ip is
On 4/3/07, *joe vieira* [EMAIL
Hey,
Weird question:
I am running freeradius 1.1.5, with samba 3.0.24. configured using
EAP-PEAP, works, when I use a windows XP client and DO NOT do
automatically connect with my domain login name and password, it works
like a charm. However when i DO configure it to auto login it
Sérgio Kojima wrote:
Hello all.
My freeradius1.1.5 is configured to work with openldap and samba PDC,
resume, it works fine when i login with username/password/domain, but
this user already logon one time on domain, that is, the user is on
cache in this windows machine (XP and W2kPRO).
Erico Augusto wrote:
Hi,
I'm using EAP-TTLS to supplicant authentication.
to authenticate the users at freeradius, I'm using users file to match
user's password:
user User-Password == test
Reply-Message = success
Is there a way, using DEFAULT, for example,
Erico Augusto wrote:
Hi,
I would like to send clear-text password at post-auth using eap-ttls.
is there a way?
I'm avoiding to write a lot of details about the question. Just using
post-auth I got to send User-password attribute, but it's cyphered at
destination(Yes, there is all the TLS
Sam Schultz wrote:
On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira [EMAIL PROTECTED]
wrote:
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain.
peachy
keen. what i would like to be able to do is, in our
Sam Schultz wrote:
DEFAULT check_items (ex: Realm == 'your_domain')
Autz-Type := your_ldap_instance (ex: ldap),
Auth-Type := module_instance_for_authentication
so i did what you recommended, which makes sense to do... i have
Autz-type := eap, and in
?
Joe Vieira
UNIX Systems Administrator
Clark University
Alan DeKok wrote:
joe vieira wrote:
i have eap-peap authentication working against our ad domain. peachy
keen. what i would like to be able to do is, in our openldap
environment, store attributes for retrieval by radius, cisco stuff/
etc... i assume the way to do this would