WiSPr

[Luke Hammond]

Hey al, iread that i can rate limit on a per user basis with the 
WISPr-Bandwidth-Max-Down and Up.. correct?


Can someone please tell me how i can do this?  I have freeradius running 
on Ubuntu server, with mysql atabase and daloradius for web management.


My users connect to the freeradius through the captive portal on my 
pfSense firewall.


Thanks in advance
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: WiSPr

[Luke Hammond]

By NAS i assume you men my pfsense. There isnt anywhere within 
Freeradius to traffic shape? are you saying it has to be done on the 
router and not in freeradius?



On 14/09/2011 12:11 PM, Suman Dash wrote:
Bandwidth Limit greatly depends on NAS. If yous NAS supports it then 
it can be done !


On Wed, Sep 14, 2011 at 7:29 PM, Luke Hammond l...@dezignbrasil.com 
mailto:l...@dezignbrasil.com wrote:


Hey al, iread that i can rate limit on a per user basis with the
WISPr-Bandwidth-Max-Down and Up.. correct?

Can someone please tell me how i can do this?  I have freeradius
running on Ubuntu server, with mysql atabase and daloradius for
web management.

My users connect to the freeradius through the captive portal on
my pfSense firewall.

Thanks in advance

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: WiSPr

[Luke Hammond]

Thanks Suman. WIll take a look.

On 14/09/2011 1:11 PM, Suman Dash wrote:
WISPr-Bandwidth-Max-Down / UP is indeed the Attribute which you are 
looking. But you need search the mailing lists and find out how to add 
those into radreply/radgroup reply.


Hint : Read http://wiki.freeradius.org/Rlm_sql

Regards
Suman

On Wed, Sep 14, 2011 at 9:34 PM, Suman Dash sumand...@gmail.com 
mailto:sumand...@gmail.com wrote:


Exactly ! Traffic Shaping has nothing to do with RADIUS. RADIUS
will send values as configured to NAS. If NAS understands then NAS
can use those attributes and do much more than just Traffic Shaping.

Check the RADIUS dictionary of pfsense and you can find the
attributes which will be used to control traffic.

Once you get the attributes, use the same as Reply-Items and it
will work like a charm.

Read the basic documentation of RADIUS to understand how it works.
There is already a lot of discussion regarding *lazy peoples*

Regards
Suman


On Wed, Sep 14, 2011 at 9:18 PM, Luke Hammond
l...@dezignbrasil.com mailto:l...@dezignbrasil.com wrote:

By NAS i assume you men my pfsense. There isnt anywhere within
Freeradius to traffic shape? are you saying it has to be done
on the router and not in freeradius?


On 14/09/2011 12:11 PM, Suman Dash wrote:

Bandwidth Limit greatly depends on NAS. If yous NAS supports
it then it can be done !

On Wed, Sep 14, 2011 at 7:29 PM, Luke Hammond
l...@dezignbrasil.com mailto:l...@dezignbrasil.com wrote:

Hey al, iread that i can rate limit on a per user basis
with the WISPr-Bandwidth-Max-Down and Up.. correct?

Can someone please tell me how i can do this?  I have
freeradius running on Ubuntu server, with mysql atabase
and daloradius for web management.

My users connect to the freeradius through the captive
portal on my pfSense firewall.

Thanks in advance

-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html




-
List info/subscribe/unsubscribe? 
Seehttp://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html





-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Unique Identifier

[Luke Hammond]

Can someone please let me know if FreeRADIUS can assign a certain unique 
ID per client added to the database?  I want my client numbers to 
automatically increment as i add them. i am guessing this is possible?



-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Default tables

[Luke Hammond]

Thanks Alan, i have another question regarding this. I have inported the 
schema.sql and i get 7 tables in the database.  Am i to assume that this 
is all working? Just that i remeber a while ago i followed a tutorial 
for using Freeradius2 with daloRADIUS for management, and i had around 
20 tables, many to do with Biling and userinfo.. What am i doing wrong here?




On 30/06/2011 3:08 AM, Alan DeKok wrote:

Luke Hammond wrote:

Sorry if this question is deemed as bein g silly, but i cant find a
straight answer for this anywhere..

What are the default tables that are installed with FreeRADIUS when i
use MySQL for the database?

   None.  You need to install them manually.

   See raddb/sql/mysql/

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Default tables

[Luke Hammond]

Ah ok, thanks for the reply Alan. I was trying a tutorial that used 
daloradius for administration, and that had a sql schema file that 
inmported some tables, it just that it didn't have a whole bunch of 
billing tables that i got from a previous install so wasnt sure what was 
going wrong.




On 30/06/2011 3:08 AM, Alan DeKok wrote:

Luke Hammond wrote:

Sorry if this question is deemed as bein g silly, but i cant find a
straight answer for this anywhere..

What are the default tables that are installed with FreeRADIUS when i
use MySQL for the database?

   None.  You need to install them manually.

   See raddb/sql/mysql/

   Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Default tables

[Luke Hammond]

Sorry if this question is deemed as bein g silly, but i cant find a 
straight answer for this anywhere..


What are the default tables that are installed with FreeRADIUS when i 
use MySQL for the database?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

How to test raduis is working.. can't find radtest

[Luke Hammond]

I have just installed FreeRADIUS 2.07 i think it is.. anyways. i 
followed a tutorial on how to install in with MySQL on Centos 5 and when 
i get to the part about testing the database using radtest.. it doesnt 
work. radtest is not where it should be, have looked on google to try 
and work out where esactly this 'radtest' lives, but all the locations 
it i supposed to be.. it isnt!


So, where should it be and why isnt it there? do i have to install it 
separately?  Also, how do i test that my radius is working and accepting 
logins without it?

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to test raduis is working.. can't find radtest

[Luke Hammond]

Thanks for the reply, i installed it from the Package Manager in Gnome, 
centos 5.6.


Ill try what you suggested, thankyou.


On 25/05/2011 6:28 PM, Phil Mayers wrote:

On 05/25/2011 10:06 PM, Luke Hammond wrote:

I have just installed FreeRADIUS 2.07 i think it is.. anyways. i
followed a tutorial on how to install in with MySQL on Centos 5 and when
i get to the part about testing the database using radtest.. it doesnt
work. radtest is not where it should be, have looked on google to try
and work out where esactly this 'radtest' lives, but all the locations
it i supposed to be.. it isnt!

So, where should it be and why isnt it there? do i have to install it
separately? Also, how do i test that my radius is working and accepting
logins without it?


This isn't really a FreeRADIUS question; it's either a basic unix 
question, or one specific to the distribution of Linux you're using.


Anyway: How did you install FreeRADIUS. If you installed it from the 
RPM, are you sure you installed all the RPMs you needed? Perhaps the 
server and client tools are split into separate RPMs? I see Fedora has 
freeradius-utils RPM - maybe Centos has that too?


If you installed it from source - have you looked into the directory 
you installed it into (/usr/local usually)


Try: locate radtest
Or : find / | fgrep radtest

Try: yum provides '*/radtest'
-
List info/subscribe/unsubscribe? See 
http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Using Freeradius2

[Luke Hammond]

Hey all, is there any good resources on how to actually use Freeradius2 
once its installed?


I have it running along with CoovaChilli as my captive portal, and 
daloRADIUS for the GUI (As i wil have people inputting users that have 
no idea about how to use command..).


My problem is this: we have clients that are people in teh ir houses 
that connect to our wireless network, COoca login page appears and they 
login with the username and password that i input into daloRADIUS. I 
have a few clients that are small Lan Houses that want to use our 
system, but i am unsure if i can have them not need to login through the 
CoovaChilli portal, and they just get authenticated via MAC address of 
their Antenna? I can't find any good documentation on how to do anything 
with Freeradius.


Thanks in Advance
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Using Freeradius2

[Luke Hammond]

Hey thanks for the reply.. Probably should have mentioned that i know 
pretty much nothing about Linux, apart from using with a GUI..


Yes what you said is right, would like some people login with 
username/password, and some qith MAC.


Ill take a look at some of those things you mentioned. Thanks.


On 18/03/2011 9:19 PM, Gary Gatten wrote:

Dude, you are SO gonna get flamed - put your flame suit on! Hopefully Mr. DeKok 
is in a good mood! ;-)

So you want some users to auth with username/passwd; and others with MAC or 
some other means?

There's been numerous posts about similar requirements, plus:

Man unlang, man radiusd, etc.  Also, some good info and examples embedded in 
the various config files and samples in the various dirs.  Also wiki's... And I 
think. www.supportingradius.org?  Not sure on the url.

Dig around a bit and you'll find a $hit load of doc, and probably some good 
examples of others that did exactly what you want.



- Original Message -
From: Luke Hammond [mailto:l...@dezignbrasil.com]
Sent: Friday, March 18, 2011 03:24 PM
To: FreeRadius users mailing listfreeradius-users@lists.freeradius.org
Subject: Using Freeradius2

Hey all, is there any good resources on how to actually use Freeradius2
once its installed?

I have it running along with CoovaChilli as my captive portal, and
daloRADIUS for the GUI (As i wil have people inputting users that have
no idea about how to use command..).

My problem is this: we have clients that are people in teh ir houses
that connect to our wireless network, COoca login page appears and they
login with the username and password that i input into daloRADIUS. I
have a few clients that are small Lan Houses that want to use our
system, but i am unsure if i can have them not need to login through the
CoovaChilli portal, and they just get authenticated via MAC address of
their Antenna? I can't find any good documentation on how to do anything
with Freeradius.

Thanks in Advance
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





font size=1
div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'
/div
This email is intended to be reviewed by only the intended recipient
  and may contain information that is privileged and/or confidential.
  If you are not the intended recipient, you are hereby notified that
  any review, use, dissemination, disclosure or copying of this email
  and its attachments, if any, is strictly prohibited.  If you have
  received this email in error, please immediately notify the sender by
  return email and delete this email from your system.
/font


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius2 and OSX clients no TLS

[Luke Hammond]

Just a side question, how did you get Freedradius to give you a login 
window? i tried this and couldn't see how to get it to work.. so had to 
use another portal for this.



On 5/03/2011 2:10 PM, Gary Gatten wrote:

FR just does what its told. I think the settings need to be changed on your 
wireless gear.

- Original Message -
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.orgfreeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and 
I have it basically working.  my iPhone/iPad are able to authenticate and 
connect via the base station.  However my Mac (OSX 10.6 Snow leopard) Laptops 
are having issues.

I do not want to push out Client certificates to the laptops. I also do not 
want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with 
username/password. This is fine.  However without playing with the network 
settings (802.1x settings).  I'm not able to join the network because I do not 
have a client Cert:

Sat Mar  5 16:21:28 2011 : Error: --  verify error:num=19:self signed 
certificate in certificate chain
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar  5 16:21:28 2011 : Error: TLS_accept:error in SSLv3 read client 
certificate B
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), 
TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/via Auth-Type = EAP] 
(from client extreme port 0 cli 00-19-E3-E1-BA-C5)


However if I do change the 802.1x settings on the mac to not try and to TLS 
then I'm able to connect just fine.  either by PEAP, or TTLS..

So finally my question... How can I reconfigure Radius to not try and offer TLS 
or if it does offer TLS to not die if a cert is not presented??

I have tried some suggestions such as commenting out the CA in the eap.conf 
file, but still I fail to pass the TLS.

Thanks

- ---Guy
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

iEYEARECAAYFAk1yaQcACgkQDc8ue1+sfKEcAQCfYRVtzNb1UcRa9hf+PM3ipToT
zCgAn2TGSTOAjigyWLYwTm4HDcy12l9L
=JyX7
-END PGP SIGNATURE-

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





font size=1
div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'
/div
This email is intended to be reviewed by only the intended recipient
  and may contain information that is privileged and/or confidential.
  If you are not the intended recipient, you are hereby notified that
  any review, use, dissemination, disclosure or copying of this email
  and its attachments, if any, is strictly prohibited.  If you have
  received this email in error, please immediately notify the sender by
  return email and delete this email from your system.
/font


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius2 and OSX clients no TLS

[Luke Hammond]

Ahh ok. thanks. THought you were talking about a captive portal.

On 5/03/2011 2:39 PM, Guy wrote:

it wasn't Freeradius providing the login window, it was OSX... trying to logon 
to the WiFi Network

--Guy

On 5 Mar 2011, at 17:26, Luke Hammond wrote:


Just a side question, how did you get Freedradius to give you a login window? i 
tried this and couldn't see how to get it to work.. so had to use another 
portal for this.


On 5/03/2011 2:10 PM, Gary Gatten wrote:

FR just does what its told. I think the settings need to be changed on your 
wireless gear.

- Original Message -
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.orgfreeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and 
I have it basically working.  my iPhone/iPad are able to authenticate and 
connect via the base station.  However my Mac (OSX 10.6 Snow leopard) Laptops 
are having issues.

I do not want to push out Client certificates to the laptops. I also do not 
want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with 
username/password. This is fine.  However without playing with the network 
settings (802.1x settings).  I'm not able to join the network because I do not 
have a client Cert:

Sat Mar  5 16:21:28 2011 : Error: --   verify error:num=19:self signed 
certificate in certificate chain
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar  5 16:21:28 2011 : Error: TLS_accept:error in SSLv3 read client 
certificate B
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), 
TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/via Auth-Type = EAP] 
(from client extreme port 0 cli 00-19-E3-E1-BA-C5)


However if I do change the 802.1x settings on the mac to not try and to TLS 
then I'm able to connect just fine.  either by PEAP, or TTLS..

So finally my question... How can I reconfigure Radius to not try and offer TLS 
or if it does offer TLS to not die if a cert is not presented??

I have tried some suggestions such as commenting out the CA in the eap.conf 
file, but still I fail to pass the TLS.

Thanks

- ---Guy
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

iEYEARECAAYFAk1yaQcACgkQDc8ue1+sfKEcAQCfYRVtzNb1UcRa9hf+PM3ipToT
zCgAn2TGSTOAjigyWLYwTm4HDcy12l9L
=JyX7
-END PGP SIGNATURE-

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





font size=1
div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'
/div
This email is intended to be reviewed by only the intended recipient
  and may contain information that is privileged and/or confidential.
  If you are not the intended recipient, you are hereby notified that
  any review, use, dissemination, disclosure or copying of this email
  and its attachments, if any, is strictly prohibited.  If you have
  received this email in error, please immediately notify the sender by
  return email and delete this email from your system.
/font


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius2 and OSX clients no TLS

[Luke Hammond]

Cool, well if you need that part, i have Coovachilli running quite 
nicely..  I thought that Freeradius had its own captive portal, but 
couldnt see any way to get it working


On 5/03/2011 3:08 PM, Guy wrote:

That comes later! :)

--Guy

On 5 Mar 2011, at 17:56, Luke Hammond wrote:


Ahh ok. thanks. THought you were talking about a captive portal.

On 5/03/2011 2:39 PM, Guy wrote:

it wasn't Freeradius providing the login window, it was OSX... trying to logon 
to the WiFi Network

--Guy

On 5 Mar 2011, at 17:26, Luke Hammond wrote:


Just a side question, how did you get Freedradius to give you a login window? i 
tried this and couldn't see how to get it to work.. so had to use another 
portal for this.


On 5/03/2011 2:10 PM, Gary Gatten wrote:

FR just does what its told. I think the settings need to be changed on your 
wireless gear.

- Original Message -
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.orgfreeradius-users@lists.freeradius.org
Subject: Freeradius2 and OSX clients no TLS

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Hi,

I'm setting up Freeradius2 (FreeRADIUS Version 2.1.7) for WPA Enterprise 2, and 
I have it basically working.  my iPhone/iPad are able to authenticate and 
connect via the base station.  However my Mac (OSX 10.6 Snow leopard) Laptops 
are having issues.

I do not want to push out Client certificates to the laptops. I also do not 
want people to have to perform any customisations on the clients.

When the laptop attempts to join the network I get a nice login window, with 
username/password. This is fine.  However without playing with the network 
settings (802.1x settings).  I'm not able to join the network because I do not 
have a client Cert:

Sat Mar  5 16:21:28 2011 : Error: --verify error:num=19:self signed 
certificate in certificate chain
Sat Mar  5 16:21:28 2011 : Error: TLS Alert write:fatal:unknown CA
Sat Mar  5 16:21:28 2011 : Error: TLS_accept:error in SSLv3 read client 
certificate B
Sat Mar  5 16:21:28 2011 : Error: rlm_eap: SSL error error:140890B2:SSL 
routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sat Mar  5 16:21:28 2011 : Error: SSL: SSL_read failed in a system call (-1), 
TLS session fails.
Sat Mar  5 16:21:28 2011 : Auth: Login incorrect: [guy/via Auth-Type = EAP] 
(from client extreme port 0 cli 00-19-E3-E1-BA-C5)


However if I do change the 802.1x settings on the mac to not try and to TLS 
then I'm able to connect just fine.  either by PEAP, or TTLS..

So finally my question... How can I reconfigure Radius to not try and offer TLS 
or if it does offer TLS to not die if a cert is not presented??

I have tried some suggestions such as commenting out the CA in the eap.conf 
file, but still I fail to pass the TLS.

Thanks

- ---Guy
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)

iEYEARECAAYFAk1yaQcACgkQDc8ue1+sfKEcAQCfYRVtzNb1UcRa9hf+PM3ipToT
zCgAn2TGSTOAjigyWLYwTm4HDcy12l9L
=JyX7
-END PGP SIGNATURE-

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html





font size=1
div style='border:none;border-bottom:double windowtext 2.25pt;padding:0in 0in 
1.0pt 0in'
/div
This email is intended to be reviewed by only the intended recipient
  and may contain information that is privileged and/or confidential.
  If you are not the intended recipient, you are hereby notified that
  any review, use, dissemination, disclosure or copying of this email
  and its attachments, if any, is strictly prohibited.  If you have
  received this email in error, please immediately notify the sender by
  return email and delete this email from your system.
/font


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help needed with user authentication

[Luke Hammond]

Thanks for that... I dounf coovachilli and installed it, now my 
freeradius wont start.. when i type: radiusd -X i get a whole lot of 
errors, any ideas where i could have gone wrong?


We have a cisco 2800 or 2850 on its way from the company we have 
purchased our internet link from, so i am not sure if that can do the 
captive portal thing?




On 19/01/2011 4:24 AM, Fajar A. Nugraha wrote:
On Wed, Jan 19, 2011 at 1:52 PM, Johan Meiring 
jmeir...@pcservices.co.za mailto:jmeir...@pcservices.co.za wrote:


On 2011/01/19 04:24 AM, Luke Hammond wrote:

I want to have a wireless network, that will be
open, and when a user connects and tries to browse they get
redirected to a
page where they have to login


It's called captive portal
http://en.wikipedia.org/wiki/Captive_portal

Try
coova.org/CoovaChilli http://coova.org/CoovaChilli


What we usually do:
- get a wireless AP which has captive portal feature. I find it easier 
than having to install a captive portal manually on a server.
For example, if you're willing to use third-party firmware, dd-wrt 
support these devices: 
http://www.dd-wrt.com/wiki/index.php/Supported_Devices

- get a radius server (you already have that)
- get a login page. Something like 
http://net-mai.net/files/hotspotlogin.php.txt

- adjust settings as required

--
Fajar


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Help needed with user authentication

[Luke Hammond]

Hey, i am new so sorry that i know nothing about Freeradius.

Basically, i found a tutorial and followed it to get Freeradius2, Mysql 
and Daloradius working together.. that part is ok.


But i am confused with this:  I want to have a wireless network, that 
will be open, and when a user connects and tries to browse they get 
redirected to a page where they have to login, and that will talk to 
freeradius to make sure the user is authorised, then it will accept them 
and continue to where they were trying to browse to.. Thats basically 
what i need, but how does Freeradius do that? Where is that page so i 
can edit it with my logo or whatever?  Or do i need more software to 
have that login page?


Please assist, am desperate here to get this working.. thanks in advance!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

auth type as check item in users file

[Luke]

Hi,

I'm trying to figure out how to check to see if the auth type is
mschap in the users file.  I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.

Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.
I have a default (meaning, no other checks performed) users entry to
assign anyone who authenticates but doesn't match a group entry
further up the file into a specific vlan.

However, if I'm going to add in certificate based authentication,
these will also hit that default setting, and I don't want it to... I
want the certificate based authenticators to not have a vlan assigned
to them by 802.1x.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: rlm_ldap and Stripped-User-Name

[Luke]

Finally found that {mschap:User-Name} will work for me.
Thanks anyway :)

On Mon, Nov 3, 2008 at 5:27 PM, Luke [EMAIL PROTECTED] wrote:
 I'm trying to use rlm_ldap to do group lookups for dynamic vlan assignment.

 I've got freeradius (version 2.1.1) to connect to my ldap server, but
 when it tries searching, it's not working correctly.

 I'm not getting a Stripped-User-Name, and the non-stripped user name
 is coming across as domain\5cusername.

 I've been looking around for a couple of hours now, and have yet to
 find out how to make it either
 a) give me a stripped user name or
 b) figure out some way to strip the username myself.

 I was trying to use something I had found before where someone was
 using attr_rewrite to manually create the Stripped-User-Name, but it
 wasn't working at all.

 The first part was copying User-Name into Stripped-User-Name, and
 since the original username happens to have the string \t in it, it
 was interpreting that as a tab, instead of straight copying the text.
 Then when I tried to do regex replacement on it, the string was in
 this crazy state where it had a bunch of extra spaces in it due to the
 \t being interpreted as a tab.

 Can someone help me out with this?  I'm not sure what I'm doing wrong
 that's preventing the Stripped-User-Name from working in the first
 place, or how to work around the fact that the attr_rewrite is not
 directly copying the text into my variable, and is instead
 interpreting it.

 Thanks,
 Luke

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

rlm_ldap and Stripped-User-Name

[Luke]

I'm trying to use rlm_ldap to do group lookups for dynamic vlan assignment.

I've got freeradius (version 2.1.1) to connect to my ldap server, but
when it tries searching, it's not working correctly.

I'm not getting a Stripped-User-Name, and the non-stripped user name
is coming across as domain\5cusername.

I've been looking around for a couple of hours now, and have yet to
find out how to make it either
a) give me a stripped user name or
b) figure out some way to strip the username myself.

I was trying to use something I had found before where someone was
using attr_rewrite to manually create the Stripped-User-Name, but it
wasn't working at all.

The first part was copying User-Name into Stripped-User-Name, and
since the original username happens to have the string \t in it, it
was interpreting that as a tab, instead of straight copying the text.
Then when I tried to do regex replacement on it, the string was in
this crazy state where it had a bunch of extra spaces in it due to the
\t being interpreted as a tab.

Can someone help me out with this?  I'm not sure what I'm doing wrong
that's preventing the Stripped-User-Name from working in the first
place, or how to work around the fact that the attr_rewrite is not
directly copying the text into my variable, and is instead
interpreting it.

Thanks,
Luke
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Dell 6248 and Dynamic VLAN Assignment

[Luke]

Hi :)

I'm trying to get dynamic VLAN assignment to work with my Dell 6248,
which they officially support as of firmware revision 2.1.0.13.

I'm using freeradius version 2.1.1

I think I'm sending the information the correct way from freeradius, to wit:

DEFAULT Auth-Type == MS-CHAP
Tunnel-Type = VLAN,
Tunnel-Medium-Type = 802,
Tunnel-Private-Group-ID = 3

(this is in my users file)

When watching the debug output from radiusd -X, I can see it sending
these messages back to the Dell switch.  However, the dell switch is
not correctly assigning the VLAN.

The information from the release notes from Dell is as follows:

802.1x Option 81
The Tunnel Attribute indicates the tunneling protocol to be used or
the tunneling protocol in use at the Authenticator. In particular, it
may be desirable to allow a supplicant (MAC based) or port (Port
Based) to be placed into a particular Virtual LAN (VLAN) based on the
result of the authentication. To achieve the distribution of the VLAN
id to the supplicant, the tunnel attribute can be used.
For use in VLAN assignment, the following tunnel attributes are used:
Tunnel-Type=VLAN (13)
Tunnel-Medium-Type=802
Tunnel-Private-Group-ID=VLANID, where VLANID is 12-bits, taking a
value between 1 and 4093.
The NAS-IP Attribute indicates the identifying IP Address of the NAS
(Switch or Access Point) which is requesting authentication of the
user, and should be unique to the NAS within the scope of the RADIUS
server. NAS-IP-Address is only used in Access-Request packets. Either
NAS-IP-Address or NAS-Identifier must be present in an Access-Request
packet.

I can see from my Dell switch that this stuff is enabled, but for some
reason it's still not setting the VLAN.

Does anyone have any suggestions?

Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: CHAP and Windows 2003 AD LDAP

[Luke]

Alan DeKok wrote:

Luke [EMAIL PROTECTED] wrote:
  

Unfortunately I need to support CHAP because it is used by an external
global Dial-Up provider which the freeradius machine is authenticating for.


  If the passwords are in AD your ONLY choice is to use IAS, and even
then, only if ALL of the passwords are stored via what they call
using reversible encryption.
  

Thanks Alan - looks like it is not possible (we do not want to use IAS
and store passwords using reversible encryption - which would also mean
resetting every user's password).

I'm going to need to talk to our global dial-up provider to see if they
can send the radius request using anything other than CHAP if possible.

Thanks again,

Luke

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

CHAP and Windows 2003 AD LDAP

[Luke]

Hi,

I'm trying to get a freeradius server (v1.0.1) to work with CHAP and
querying a Windows 2003 Active Directory server using LDAP.

I've got LDAP working for PAP queries, but CHAP comes back with the
rlm_chap: Could not find clear text password.

Now I've read the FAQ and followed those notes, but I'm not sure what
the values should be for the password_header, password_attribute and
password_radius_attribute?

Any help would be much appreciated,

Thanks,

Luke

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: CHAP and Windows 2003 AD LDAP

[Luke]

Stefan Winter wrote:

I've got LDAP working for PAP queries, but CHAP comes back with the
rlm_chap: Could not find clear text password.



AD and LDAP-mode don't work together. The AD server will not give away the 
user's attribute. If you want CHAP to work, you will need to use ntlm_auth. 
  

Thanks for the responses guys.

Unfortunately I need to support CHAP because it is used by an external
global Dial-Up provider which the freeradius machine is authenticating for.

The whole idea of using LDAP was because the machine was in the DMZ, and
LDAP would allow us to lock it down more by only allowing the bind user
access to certain parts of the AD tree. If I use ntlm_auth, the box will
have to be joined to the domain (from my understanding) - wouldn't this
represent quite a big security risk? Will ntlm_auth also do PAP (used by
another provider authenticating against the server) where the password
is in clear-text?

 There's also a great tutorial on the topic, which is 
referenced here quite often by Charles Schwartz, see the archives for that 
one as well.
  

It's at
http://homepages.lu/charlesschwartz/radius/freeRadius_AD_tutorial.pdf I
believe (for anyone else which wants to have a look).

Thanks,

Luke
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

accounting question

[luke]

Hi,

I have a question about radius,
Is there anyone on this list that can help?
I'm sure this is a very common request.

I have a situation where radius accounting is logged to a mysql database.
I'd like to find a way to show the accurate number of users that are currently
online.

Up till now this has been done by querying the database to find entries in the
radacct table that have value 0 for AccountStopTime.
However there are quite a number of entries in this 'radacct' table that have
the 0 as AccountStopTime but are not active sessions.

What would be a way to get just the sessions that are active?


kind regards,
Luke
-- 
._
:|  .| |.|/.|_
:|__.|_|.|\.|_
:0421 276 282.

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html