Hi,
If you think that sucks, wait till you see the horrible things you have to do
to generate a .mobileconfig without access to an OSX server license.
what, download the iPhone Configuration Utility? yes, quite horrible ;-)
alan
-
List info/subscribe/unsubscribe? See
Aldwinckle
Sent: Wednesday, August 28, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: (was) RE: how to limit the repeating ldap lookups
It's been a while since I've used it, but doesn't the iPhone Config Utility
generate mobileconfigs that work on OS X?
http://support.apple.com/kb
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,
Your reference is wrong/unknown which means that there's a noop. This means
no operation which means no fticks output
This brings me back to my earlier question: what values are available
where, and when,
via which
On Thu, Aug 29, 2013 at 10:39:50AM +1200, Andrej wrote:
On 28 August 2013 18:49, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
Thanks Alan,
Your reference is wrong/unknown which means that there's a noop. This means
no operation which means no fticks output
This brings me back to my earlier
Many thanks indeed. Are you saying I can just take out sim_files from the
authorise in the default file and it should work anyway?
If so, fantastic :)
On 26 August 2013 at 12:11 Iliya Peregoudov iperegu...@cboss.ru wrote:
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module
On 27.08.2013 10:57, ken.farrington wrote:
Many thanks indeed. Are you saying I can just take out sim_files from
the authorise in the default file and it should work anyway?
If so, fantastic :)
My raddb/sites-enabled/default:
authorize {
preprocess
auth_log
chap
mschap
suffix
eap
Fantastic and thanks. On it now :)
On 27 August 2013 at 08:54 Iliya Peregoudov iperegu...@cboss.ru wrote:
On 27.08.2013 10:57, ken.farrington wrote:
Many thanks indeed. Are you saying I can just take out sim_files from
the authorise in the default file and it should work anyway?
If so,
On Tue, Aug 27, 2013 at 8:04 PM, mdeche...@comcast.net wrote:
Hello Users --
( cc-ing you directly since it seems you have trouble receiving mails from
the list )
I'm writing again to verify whether or not my initial question submitted
to the list was seen. Is there anyone on-list who is
hi,
yes, it was received over a bank holiday weekend. not surprised
you didn't get an answer...we were all enjoying the break.
the DB seems to be loading up and being connected to (and you can
check this with logging on the pgsql server...) however, THIS bit
is your problem
rlm_sql (sql):
On 27 Aug 2013, at 17:59, Andrej andrej.gro...@gmail.com wrote:
Hi,
I'm trying to find a way to log EAP requests and responses on an IdP in such
way that the inner and outer identity of a request end up on one line; using
linelog via f_ticks I managed to get a slightly more concise
On 28 August 2013 05:09, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:
Hi Arran,
Is there a way to e.g. pass information from the outer processing on to the
inner so I can log both from there, rather than logging both identities
individually? While it's feasible to have both when
Andrej wrote:
Cool - I'll give that a go. Is there a comprehensive list anywhere of
which kind of values
is permissible in which context?
See the debug output. If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist. And you can't use it.
You can
Martin Kraus wrote:
I'm using TTLS+TLS.
Then what are you looking up in ldap?
I can see that the eap { ok = return } automagically skips to the
authentication section but the first two access-requests in the session cause
it to return updated status so the ldap lookups are executed.
I
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
Hi. I'm using groups to authorize users and pull radius profiles for the users.
My config is similar to what the
On 28 August 2013 09:09, Alan DeKok al...@deployingradius.com wrote:
See the debug output. If it's in the debug output, you can use it.
If it's not in the debug output, it doesn't exist. And you can't use it.
You can always reference the outer tunnel from the inner one.
OK. So, I found
On 28.08.2013 00:20, Martin Kraus wrote:
On Tue, Aug 27, 2013 at 05:20:32PM -0400, Alan DeKok wrote:
Again, look at the debug log to see what's happening. *WHY* are you
doing LDAP lookups at all? Can you not delay them?
Hi. I'm using groups to authorize users and pull radius profiles for
On 24/8/2013 12:00 μμ, Nikolaos Milas wrote:
...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
I tested this and it works. (Yet,
To: FreeRadius users mailing list
<freeradius-users@lists.freeradius.org>
Subject: Re: Groups in active directory and checks in MySQL
Date: 23/08/13 21:32
Atomikramp wrote:
> I'm in a situation now where i can successfully retrieve group
> membership of users in the active
Hi Matthew
2013/8/22 Matthew Ceroni matthewcer...@gmail.com
I read that for FreeRadius just combine the cert with the intermediate
cert into one file and then reference that in eap.conf:certificate_file.
I have done that but clients are still failing certificate validation.
Honestly I
On 24 Aug 2013, at 10:00, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 9:19 μμ, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
...where the three ldap instances above are identical except the filter which
is:
ldap_macauth:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
ldap_macauth_NAS_only:
filter =
On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote:
No. It's a really inefficient way of doing this.
Thanks Arran,
Yet, would it be logically/technically correct?
Use generic attribute maps or an update ldap schema to pull the necessary
values into control attributes,
and then do the
On 08/26/2013 12:10 AM, mdeche...@comcast.net wrote:
Dear Users --
This is my first posting to the FreeRADIUS users list, so please be patient :)
You're already doing pretty well - you actually posted a full debug,
which hardly anyone does first time!
Ok, so for the SQL case the server
On 08/26/2013 09:04 AM, Atomikramp wrote:
but it's not giving the same result, the check against sql is ignored
and the user is authed successfully.
Because:
[sql] User sogo1 not found
++[sql] returns notfound
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
rlm_eap_sim is compiled in.
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or
On 26 Aug 2013, at 11:39, Nikolaos Milas nmi...@noa.gr wrote:
On 26/8/2013 12:15 μμ, Arran Cudbard-Bell wrote:
No. It's a really inefficient way of doing this.
Thanks Arran,
Yet, would it be logically/technically correct?
Sure.
Use generic attribute maps or an update ldap schema
On 08/26/2013 12:11 PM, Iliya Peregoudov wrote:
On 25.08.2013 15:03, ken.farrington wrote:
Module: Linked to sub-module rlm_eap_sim
Module: Instantiating eap-sim
rlm_eap_sim is compiled in.
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files':
<freeradius-users@lists.freeradius.org>
Subject: Re: Groups in active directory and checks in MySQL
Date: 26/08/13 13:22
On 08/26/2013 09:04 AM, Atomikramp wrote:
> but it's not giving the same result, the check against sql is ignored
> and the user is authed successfully
On 26/8/2013 2:15 μμ, Arran Cudbard-Bell wrote:
Unless you are querying different DNs for the different Mac-Auth types then
doing this is the wrong way to approach this.
the presence of the attributes in the LDAP object to dictate what type of
authorisation you're doing.
Thanks Arran,
I
On 26 Aug 2013, at 14:33, Martin Kraus lists...@wujiman.net wrote:
Hi.
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
If you list the
On Mon, Aug 26, 2013 at 02:45:29PM +0100, Arran Cudbard-Bell wrote:
Is it possible to limit the repeating ldap lookups that happen during mschap
and tls negotiations? Like having an attribute that I could test for which
would tell me that the negotiation is completed?
If you list the ldap
Hello all,
I hope this email finds you all well and is my first post.
I think I have a small problem with my backtrack distro and I am trying to
load eap-sim onto my free radius server 2.1.11. I have followed the guide to
add the relevant parts of the config and when I put the
On 25/08/2013 12:03, ken.farrington wrote:
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file: No
such file or directory
Your version of FreeRADIUS wasn't compiled with rlm_eap_sim enabled, or
it wasn't
Thanks so much I will try that. Much regards ken.farring...@802.co.uk
Phil Mayers p.may...@imperial.ac.uk wrote:
On 25/08/2013 12:03, ken.farrington wrote:
/usr/local/etc/raddb/modules/sim_files[1]: Failed to link to module
'rlm_sim_files': rlm_sim_files.so: cannot open shared object file:
No
On 23/8/2013 9:19 μμ, Arran Cudbard-Bell wrote:
It'll either be in NAS-Port or NAS-Port-ID if the NAS is providing that
information.
Thanks Arran,
It was NAS-Port indeed. Strangely enough, this is not included either in
ldap.attrmap or the freeradius schema. Shouldn't it (and other
On 24/8/2013 12:00 μμ, Nikolaos Milas wrote:
...and then I could simply use my *exact current configuration* by
simply changing the ldap filter to:
filter =
(&(macAddress=%{Calling-Station-Id})(radiusNASIpAddress=%{NAS-IP-Address})(radiusHint=%{NAS-Port}))
...provided that I am storing
On 22 Aug 2013, at 23:02, Franks Andy (RLZ) IT Systems Engineer
andy.fra...@sath.nhs.uk wrote:
evluation
Well at least it'll evaluate instead of evluate now.
In the regex below it's not complaining about the lack of escaping.
It's complaining that _-+ or _-\ is not a valid range (I honestly
On 08/23/2013 09:35 AM, Arran Cudbard-Bell wrote:
Or if you shift that hyphen one to the right, it'll probably work OK too :)
Usually first in the range works:
[-.a-z0-9]
IIRC + doesn't need to be escaped inside a range, same as .
Message-
From:
freeradius-users-bounces+andy.franks=sath.nhs...@lists.freeradius.org
[mailto:freeradius-users-bounces+andy.franks=sath.nhs.uk@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: 23 August 2013 09:52
To: freeradius-users@lists.freeradius.org
Subject: Re: Escaping regex + character
On 14/8/2013 2:39 μμ, Arran Cudbard-Bell wrote:
and in sites-enabled/default:
authorize {
preprocess
chap
mschap
digest
suffix
Do you need all these? Are you ever going to be doing chap/mschap/digest in the
outer server?
First, thanks for the reply.
1. Can we somehow limit a host to connect to only a particular port/NAS
device based on data stored in LDAP attributes (or, respectively, in
flat files) and reject it otherwise?
Yes. See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of
On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object in
a custom attribute.
If the query expands to something other than a zero length string, the
attribute
On 23 Aug 2013, at 18:30, Nikolaos Milas nmi...@noa.gr wrote:
On 23/8/2013 7:25 μμ, Arran Cudbard-Bell wrote:
See ldap_xlat http://wiki.freeradius.org/modules/Rlm_ldap
Use a query that searches for the value of NAS-IP-Address in the user object
in a custom attribute.
If the query
Atomikramp wrote:
I'm in a situation now where i can successfully retrieve group
membership of users in the active directory LDAP tree using rlm_ldap,
and check them against files.
OK.
so if i have a user with memberOf attribute set to groupA
and i set in the raddb/users the following
On 23/08/2013 21:31, Alan DeKok wrote:
Post the debug output. And what do you have in SQL?
Hello,
thanks for your reply and apologies for the mistake, unfortunately
(depending from the point of view) since it's weekend i won't be able to
post any debug log till monday as i didn't bring the
On Wed, Aug 21, 2013 at 11:45:11PM +0100, Matthew Newton wrote:
If that's all you're doing, forget about PEAP and just go for
straight EAP-TLS. All PEAP really gives you on top is the SoH
support, and may cause problems with other non-Windows clients.
EAP-TLS should work on more devices.
I'm
On Wed, Aug 21, 2013 at 01:28:08PM +0100, Matthew Newton wrote:
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
On the assumption that your certificates are OK...
Have
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.
Huh, and I thought MS-PEAP specified only
On 21/08/13 23:44, Chris Parker wrote:
Okay, pardon my confusion then. I had been following a howto online
and it reported that the command when run manually will produce the
key.
Either way, I'm still having a failure in MSCHAP with radtest that
I'm not quite grasping.
Well, as I explained
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 22/08/13 10:54, Alan Buxey wrote:
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
bare MSCHAP variant, because there's no spec for how to derive the
MSCHAP challenge from the TLS master secret.
The EAP
Phil Mayers wrote:
PEAP/MSCHAP is *always* PEAP/EAP-MSCHAPv2 IIRC. Unlike TTLS there's no
bare MSCHAP variant, because there's no spec for how to derive the
MSCHAP challenge from the TLS master secret.
FWIW: PEAP is TLS + inner EAP. That's why there's no PAP / CHAP /
MS-CHAP inside the
Sokphak TOUCH wrote:
I have an issue with configuring radius. I have one Juniper MX80 for doing as
LNS in my lab and FreeRADIUS Version 2.1.12 installed. I can see there
is a successful connected log to radius but after around 1mn it connects
again and again. I have checked in MX80 but has no any
Thank you for setting me on the right track; I have followed the directions on
http://deployingradius.com/documents/configuration/active_directory.html (the
bottom section on MSCHAP) and have ntlm_auth in the authenticate {} - as per
those directions.
When I run the ntlm_auth command manually,
Sorry for the individual emails, but I got things working with MSCHAP (w/
ntlm_auth) and WPA-EAP.
My issue was that when I got the two winbind errors, I did some more searching
and there's the potential that the freerad user did not have access to pipe
named: /var/run/samba/winbindd
That pipe
On 22/08/13 15:14, Chris Parker wrote:
Exec-Program output: Reading winbind reply failed! (0xc001)
Check the permissions on the winbind socket directory, specifically that
the freeradius daemon user can access it; this is usually at:
/var/cache/samba/winbindd_privileged
or
On 22/08/13 16:46, Dean, Barry wrote:
Anyone want to throw in 2 cents/pennies worth to this?
Yep, don't do it like this.
Instead, write the user/ip entries to a file using the linelog module,
and use a long-running perl process to tail the file (using File::Tail)
and post them to the PAN.
On Thu, Aug 22, 2013 at 10:30:54AM +0100, Phil Mayers wrote:
Matthew Newton m...@leicester.ac.uk wrote:
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure
On 08/21/2013 05:11 AM, Chris Parker wrote:
Log output:
rad_recv: Access-Request packet from host 127.0.0.1 port 35826, id=114,
length=57
User-Name = wyse1
User-Password = K503D
NAS-IP-Address = 127.0.1.1
NAS-Port = 1812
# Executing section authorize from file
On 08/20/2013 02:27 PM, stefan.pae...@diamond.ac.uk wrote:
Hello all,
I'm currently attempting to use rlm_python to query LDAP (with
python-ldap) and then return an XML string in a VSA
(SAML-AAA-Assertion). However, when I try to load it, I get the
dreaded undefined symbol: PyExc_SystemError
12 with, I know, I know, FreeRADIUS 2.1.10. Python-LDAP was
Well... as Alan says, upgrade. Particularly if you know.
There is no 'out of the box' version for upgrade on Ubuntu 12 at this point
short of having to compile it ourselves, that is (situation is similar to
CentOS 6 where the last
On Wed, Aug 21, 2013 at 09:19:35AM +, stefan.pae...@diamond.ac.uk wrote:
Well... as Alan says, upgrade. Particularly if you know.
There is no 'out of the box' version for upgrade on Ubuntu 12 at
this point short of having to compile it ourselves, that is
Building your own packages on
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because the latter is unlikely to work; it's not a supported combo per
the PEAP
Building your own packages on Debian/Ubuntu is trivial. There's really
no excuse not to run the latest code.
Matthew, I agree with you, but not when the policy is to only use what is
published on vendor (i.e. Ubuntu) repositories.
But, like I say, that's not a discussion appropriate for the
On Wed, Aug 21, 2013 at 01:17:02PM +0200, Martin Kraus wrote:
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
TLS tunnel is established:
On the assumption that your certificates are OK...
Have you updated the fragment_size so that the outer is larger
than the
Thank you Phil!
That resolved my first steps, and I figured there was something like that. I
have pored over deployingfreeradius.com, but for the life of me I could not
find anything of assistance for my set up.
I have enabled the ntlm_auth line in modules/mschap but no password is sent to
When I poke around and try to deconstruct the issue, I find that ntlm_auth when
run manually retrieve the NT key, it does not do anything. It just says
NT_STATUS_OK: Success (0x0)
If I run the --diagnostics flag this is what I get...
root@leopard:/etc/freeradius# ntlm_auth --domain=WONKY
On Wed, Aug 21, 2013 at 01:13:57PM +0100, Phil Mayers wrote:
On 21/08/2013 12:17, Martin Kraus wrote:
Hi.
I managed to get EAP-TTLS/TLS working but EAP-PEAP/TLS fails after the outer
Is this really what you mean? TTLS outer and TLS inner, versus PEAP
outer and TLS inner?
Because the
On 21/08/2013 19:28, Chris Parker wrote:
So I doubt this issue is with FR, but more of that Samba is being
cranky. I can never get ntlm_auth to give me that NT key, which I
feel if I could resolve that, I could continue with FR.
No. NT_KEY is only generated by mschap, not by username/password
as-is; it's a
sample config for people to build on if they have advanced knowledge of
the server.
Re-read the stuff on deployingradius.com - if you're trying to do
WPA-Enterprise (aka 802.1x) then it is definitive. If you're trying to
do something else, describe what, and show a *full* debug of a client
Okay, pardon my confusion then. I had been following a howto online and it
reported that the command when run manually will produce the key.
Either way, I'm still having a failure in MSCHAP with radtest that I'm not
quite grasping.
On Aug 21, 2013, at 17:49, Phil Mayers
On Wed, Aug 21, 2013 at 09:52:14PM +0200, Martin Kraus wrote:
well looking at man wpa_supplicant I can see
EAP-PEAP/TLS
I think that should be PEAP/EAP-TLS. Otherwise I'm not sure what
it's talking about.
also from my google searches it might be possible that windows supports
PEAP/TLS as
noted. tks
On Tue, Aug 20, 2013 at 9:43 PM, Alan DeKok al...@deployingradius.com wrote:
ultaman khoo wrote:
Thanks alan, i already on it right now, anything from the RFC that you
aware of can challenge the back the changes of NAS ip is wrong? Thanks
All of the RADIUS RFCs assume that
Think about the login time ... If you create an account for the future then if
it has a start validity date. ..
alan
Thanks alan, i already on it right now, anything from the RFC that you
aware of can challenge the back the changes of NAS ip is wrong? Thanks
On Fri, Aug 16, 2013 at 10:41 AM, Alan DeKok al...@deployingradius.com wrote:
ultaman khoo wrote:
btw the nas ip changes is due to NAS system
ultaman khoo wrote:
Thanks alan, i already on it right now, anything from the RFC that you
aware of can challenge the back the changes of NAS ip is wrong? Thanks
All of the RADIUS RFCs assume that a client has one IP, and only one IP.
Alan DeKok.
stefan.pae...@diamond.ac.uk wrote:
Hello all,
I'm currently attempting to use rlm_python to query LDAP (with python-ldap)
and then return an XML string in a VSA (SAML-AAA-Assertion). However, when I
try to load it, I get the dreaded undefined symbol: PyExc_SystemError
error. This is on
mr. s wrote:
From the logs I interpret, the error is incorrect password for the user.
Is this correct interpretation?
No.
[pap] Using clear text password **-User-Not-Allowed-To-Use-This-NAS-**
This is not in the default configuration.
You're supposed to understand the configuration
Understood, however I am not the one who set this up or created the
non-default configuration. Any other guidance is greatly appreciated.
Thanks-
On Tue, Aug 20, 2013 at 8:30 PM, Alan DeKok al...@deployingradius.com wrote:
mr. s wrote:
From the logs I interpret, the error is incorrect
mr. s wrote:
Understood, however I am not the one who set this up or created the
non-default configuration. Any other guidance is greatly appreciated.
Ask the people who created this configuration. We didn't create it,
and we don't have access to your system to debug it.
The data is in
And that's the rub, thanks very very much. It is a stored query in our sql.
Easy once you know where it's at.
On Tue, Aug 20, 2013 at 9:54 PM, Alan DeKok al...@deployingradius.com wrote:
mr. s wrote:
Understood, however I am not the one who set this up or created the
non-default
Matthias Nagel matthias.h.na...@gmail.com wrote:
Hello,
if I do a smbencrypt ä then the output for the NT hash is
B5CF5E386433C7CB69E43ED774717792 but the correct hash would be
3104EAB484D59EFABCEA2C44B07F41D3. (If you do not see the letter: It
is a small a with two dots, unicode code point
Hi Phil,
Probably a fairly trivial patch if you feel like it ;o)
I had a quick glance at the source code and I found two files named
smbencrypt.c. If you give me a hint, which is the correct file to start with,
I will browse the source code from that point and see what I can do. But
probably not
On 08/16/2013 08:24 AM, nicolas@ricoh-industrie.fr wrote:
Hi list,
I'm searching the best way to configure a policy to split the domain
and the prefix ' /host' when it is a computer connection.
You probably don't want to do this.
Instead, you probably want to use the expansion:
Nice, thanks
But in this case, how to tell Freeradius to use this variable when it's a host
connection ?
Because, I had already split User-Name variable into Stripped-User-name and use
that into post-auth
section to log correct syntax user.
So if I tell Freeradius to used variable
On 08/14/2013 09:25 PM, McNutt, Justin M. wrote:
One other thing with multiple interfaces: RHEL 6 comes with some
anti-spoofing features in the kernel enabled by default. I'm afraid
As I noted elsewhere in the thread, the terms to google for this are
martians and rp filter, and you are
From: Phil Mayers p.may...@imperial.ac.uk
If radiusd -X isn't reporting *anything*, then it's not reaching
FreeRADIUS, which means some part of the network stack is dropping it.
If you're sure your iptables are correct, google linux log martians and
linux rp filter. RHEL6 has different
ultaman khoo wrote:
I have faced an issue with NAS IP Changes
RADIUS assumes that NAS IPs don't change. If they do, you are running
a VERY unusual system.
causes radius accounting insert
instead of update, this has causes an issue with the reporting whenever
the NAS IP changes, for example
Darlington, Andrew wrote:
I’m trying to setup a very basic test server using FreeRADIUS (running
on Ubuntu 12.04) that uses PEAP with the example certificates generated
by FreeRADIUS.
See http://deployingradius.com It has a detailed guide for EAP / PEAP.
Couldn't open
Hi Alan,
Thanks for your response.
Initially FreeRadius would not start and I did get an error indicating
that the remote_secret_reject module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.
Now I can get FreeRadius to start. I still seem
Sigh. I broke the cardinal rule of the list _again_.
I'll grab a full debug log now.
Sorry for the spam.
Dave Aldwinckle
On 2013-08-13 11:22 AM, Alan DeKok al...@deployingradius.com wrote:
David Aldwinckle wrote:
Is there a way that I can deny a specific realm when an access request
is
David Aldwinckle wrote:
Initially FreeRadius would not start and I did get an error indicating
that the remote_secret_reject module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.
Now I can get FreeRadius to start. I still seem to be
Thanks for the fast reply.
See http://deployingradius.com It has a detailed guide for EAP / PEAP.
I'm actually following that one, it's very helpful, however I keep running into
problems that aren't covered.
You're running it as a normal user, and the file is owned by root (or
another
Hi,
I'm trying to setup a very basic test server using FreeRADIUS (running on
Ubuntu 12.04) that uses PEAP with the example certificates generated by
FreeRADIUS.
out of the box, freeRADIUS works - you just need, for testing
to add your user/pass to the 'users' file and your NAS to
Hi,
Initially FreeRadius would not start and I did get an error indicating
that the remote_secret_reject module failed to load. There was no reason
given even with -XXX. I found since then that I was missing a brace.
Now I can get FreeRadius to start. I still seem to be missing something
hi,
check permissions/owner etc of /etc/freeradius and the contents
alan
On 15/08/13 14:30, Darlington, Andrew wrote:
Couldn't open /etc/freeradius/acct_users for reading: Permission denied
Errors reading /etc/freeradius/acct_users
/etc/freeradius/modules/files[7]: Instantiation failed for module files
/etc/freeradius/sites-enabled/inner-tunnel[124]: Failed to load
Hi
Thanks for all the replies!
Going through all the permissions of the various files freeradius complained
about fixed it like Phil Mayers and Alan said.
I also fixed the radtest problem. This just need to have freeradius restarted
normally.
I'm now working on PEAP with an Ubuntu client
ultaman khoo wrote:
I have faced an issue with NAS IP Changes
RADIUS assumes that NAS IPs don't change. If they do, you are running
a VERY unusual system.
Do you mean it doesn't conform to the radius acct RFC standard in this case?
if I get it right the FR3.0 should have take care of the NAS
btw the nas ip changes is due to NAS system supplying the radius acct
has failover to the backup unit, radius acct is then supply from there. so
it get change
On Fri, Aug 16, 2013 at 7:39 AM, ultaman khoo ultaman.k...@gmail.com wrote:
ultaman khoo wrote:
I have faced an issue with NAS IP