to be sent prior to completion of an EAP authentication method).
Sending it after EAP-Success or EAP-Failure would look like an attempt
to initiate another authentication exchange.
It may be possible to send it before the EAP-Success/EAP-Failure message for
some EAP methods, but chances are not all
. In newer firmware releases this
has been fixed.
It may be possible to send it before the EAP-Success/EAP-Failure message for
some EAP methods, but chances are not all supplicants will like it, and most
probably won't display anything.
EAP-Notification is not really supported in general
.
Their 802.1X implementation was pre RFC3579. In newer firmware
releases this has been fixed.
It may be possible to send it before the EAP-Success/EAP-Failure
message for some EAP methods, but chances are not all supplicants
will like it, and most probably won't display anything.
EAP
-Failure would look like an attempt
to initiate another authentication exchange.
Their 802.1X implementation was pre RFC3579. In newer firmware releases
this has been fixed.
It may be possible to send it before the EAP-Success/EAP-Failure message
for some EAP methods, but chances are not all
}
Possible to have that reject command to return some code that Windows
client can understand like No MAC address etc?
Thanks in advance
Danny
--
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
or not
if(!control:Calling-Station-Id){
reject
}
Possible to have that reject command to return some code that Windows
client can understand like No MAC address etc?
Thanks in advance
Danny
you could send back a reply-message.
But it is forbidden if you are doing EAP
hi,
we would all love to be able to send a relevant error message to our
clients if they fail to authenticate (either locally or remotely).
but we can't. :-(
alan
Thanks a lot :)
Well i guess we just have to live with it :)
-Danny
On Tue, Mar 19, 2013 at 12:07 AM, a.l.m.bu...@lboro.ac.uk wrote:
hi,
we would all love to be able to send a relevant error message to our
clients if they fail to authenticate (either locally or remotely).
but we can't. :-(
-Notification
and send it after the EAP-Success or EAP-Failure.
The native OSX supplicant used to log this even though it never displayed it to
the user.
The Windows supplicant ignored it completely.
WPA_Supplicant restarted authentication and went into an infinite
authentication loop.
It may be possible
On 03/04/2013 11:03 PM, Phil Mayers wrote:
There are a bunch of subtleties in this whole area - some devices
offer knobs to control giaddr in the case of multinettings, and some
devices offer knobs to control srcip - but, in my experience, you are
asking for trouble if giaddr is not valid
On 03/01/2013 04:12 PM, Alan DeKok wrote:
Can you supply the debug output?
When set that freeradius sends IP, NETMASK, DNS... *WITHOUT DEFAULT
GATEWAY*:
*This packet is sent to RELAY_IP*
*$RAD_REPLY{'DHCP-Gateway-IP-Address'} NOT SENT*
Igor Smitran wrote:
On 03/01/2013 04:12 PM, Alan DeKok wrote:
Can you supply the debug output?
When set that freeradius sends IP, NETMASK, DNS... *WITHOUT DEFAULT
GATEWAY*:
The point of asking for debug output is to see what the server is doing.
I'm not sure what the rest of your message
On 03/04/2013 04:54 PM, Alan DeKok wrote:
The point of asking for debug output is to see what the server is doing.
I'm not sure what the rest of your message means. The server defaults
to copying the giaddr from the request to the reply. This is so that
the reply can use the giaddr as
Igor Smitran wrote:
As you can see CMTS will relay all requests from CM's and CPE's over
primary interface address (private_ip/255.255.192.0)
radius will get all requests from that IP. all offers need to go back to
that same ip, no matter what giaddr is sent to client.
Ah, OK.
As always:
On 03/04/2013 07:05 PM, Igor Smitran wrote:
As you can see CMTS will relay all requests from CM's and CPE's over
primary interface address (private_ip/255.255.192.0)
radius will get all requests from that IP. all offers need to go back to
that same ip, no matter what giaddr is sent to client.
Phil Mayers wrote:
Second, reply to giaddr is mandated in the DHCP spec; are you *sure*
you have other DHCP servers which reply to source ip? Which servers?
The issue is that giaddr serves two purposes. In the request, it
indicates that the server MUST send the reply to that IP.
In the
On 03/04/2013 08:59 PM, Alan DeKok wrote:
Phil Mayers wrote:
Second, reply to giaddr is mandated in the DHCP spec; are you *sure*
you have other DHCP servers which reply to source ip? Which servers?
The issue is that giaddr serves two purposes. In the request, it
indicates that the server
Phil Mayers wrote:
Perhaps I've misunderstood, but this doesn't reflect the DHCP behaviour
I've seen on normal clients.
It's possible.
As far as I know, it goes (starting from INIT, as opposed to INIT-REBOOT
which effectively starts from step 4):
1. Client sends DISCOVER to broadcast
In case when freeradius is talking to a DHCP relay it should *always*
send answers to an initiating relay IP. But, it doesn't.
Cisco CMTS is using 10.10.10.1 as his giaddr for all requests made by
CM's, MTA's and CPE's.
All replies should go to 10.10.10.1.
But, currently, if CPE gets public
Igor Smitran wrote:
In case when freeradius is talking to a DHCP relay it should *always*
send answers to an initiating relay IP. But, it doesn't.
Can you supply the debug output?
Cisco CMTS is using 10.10.10.1 as his giaddr for all requests made by
CM's, MTA's and CPE's.
All replies
Hello All,
Is it possible to display the running config of freeradius without having
to capture the output of radiusd -X?
Best regards,
Bertalan
? It's all on disk.
And if that's changed since the server was run then radiusd -X won't help. You
know you can run a check/verify instance...? And that using radmin you can
check the configuration of particular modules in the current running instance?
alan
Joshua Paye wrote:
Hello,
Would like to get the value of request:EAP-Type after the authorize
section of the site config has been processed, and have it returned in
the debug output or logged, so I can look at it. Is there a way to do this?
$ man unlang
This is documented.
Alan
:
Placed in site config: %{request:EAP-Type}
Corresponding debug output: expand: %{request:EAP-Type} - Identity
Thanks,
Joshua
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Possible-to-display-capture-values-of-variables-attributes-at-various-points-in-the-RADIUS
Hello,
Would like to get the value of request:EAP-Type after the authorize
section of the site config has been processed, and have it returned in the
debug output or logged, so I can look at it. Is there a way to do this?
Thanks,
Joshua
I recently set up a banned mac address database to reject authentication
from proved compromised clients.
I'd like to have a significant record in freeradius logfile for
connection debugging reasons.
Ways I use to implement this results in ambiguous Invalid user or
Login incorrect misleading
Daniele Albrizio wrote:
Ways I use to implement this results in ambiguous Invalid user or
Login incorrect misleading messages in radius.log .
Well, rejecting users means that something is invalid or incorrect.
Users are in effect valid and correct, but their equipment is not.
Does
On 11/05/12 20:25, Mike wrote:
Phil,
I meant to say proxy-request, not proxy-reply.
Ah, ok.
Secondly, why would you need a log file to show an attribute
expanding to nothing? I just told you it is expanding to nothing aka
it has no assigned value once reaching the pre-proxy stage.
Hello,
Is it possible store and access an ldap attribute in pre-proxy?
1. Attribute defined in dictionary
2. Attribute mapped in ldap.attrmap
2. Trying to access using:
pre-proxy {
If (%{reply:attributename} == cookies {
update proxy-reply {
Whatever = cookies
}}
}
the problem is the attribute
On 11/05/12 16:39, Mike wrote:
Hello,
Is it possible store and access an ldap attribute in pre-proxy? 1.
Attribute defined in dictionary 2. Attribute mapped in ldap.attrmap
2. Trying to access using:
pre-proxy { If (%{reply:attributename} == cookies { update
proxy-reply { Whatever = cookies
+0100
From: Phil Mayers p.may...@imperial.ac.uk
To: freeradius-users@lists.freeradius.org
Subject: Re: Ldap attribute in pre-proxy possible?
On 11/05/12 16:39, Mike wrote:
Hello
Hi,
Secondly, why would you need a log file to show an attribute expanding to
nothing? I just told you it is expanding to nothing aka it has no assigned
value once reaching the pre-proxy stage.
as per the mailing list information, no radiusd -X, no help
alan
the Radius Server located in my company rather
than the traditional wpa/wpa2 ways.
Honestly, I am new to freeRadius, I am not even really sure if it is a
possible project?
The radius server could have a static WAN ip address, but all the APs could
only get a LAN ip address like 192.168.*.*, when I
am not even really sure if it is a
possible project?
The radius server could have a static WAN ip address, but all the APs could
only get a LAN ip address like 192.168.*.*, when I set up the freeRadius+Mysql
system, how could I distinguish different APs?
Depends on the AP, some will send the NAS
need to get authentication through the Radius Server located in my
company rather than the traditional wpa/wpa2 ways.
Honestly, I am new to freeRadius, I am not even really sure if it is a
possible project?
The radius server could have a static WAN ip address, but all the APs
could only get
be absent/null, coalesce or nullif are required. I
don't use rlm_sqlcounter so can't say whether absent/null values are
expected or a peculiarity of your setup, but a mix of both is possible.
Debug logs follow, the first being the initial login for the day,
showing sqlcounter not finding
Following on from my previous email, I've checked an x86 machine as
well, and get the same behaviour.
Debug logs follow, the first being the initial login for the day,
showing sqlcounter not finding an integer and hence returning noop. The
second being after an initial login where a correct
Hi All.
I am using the following SQL in sqlcounter for a MySQL database in the
Grase Hotspot project, as part of daily/hourly/monthly counters.
query = SELECT SUM(acctsessiontime - \
GREATEST((%b - UNIX_TIMESTAMP(acctstarttime)), 0)) \
FROM radacct
I would like to just have freeRadius authenticate against my active
directory in windows using only the user name and password in Active
Directory for authentication. Is this possible to do? I don't want to
have to mess with installing certificates on the user machines or the
server
McSparin, Joe wrote:
I would like to just have freeRadius authenticate against my active
directory in windows using only the user name and password in Active
Directory for authentication. Is this possible to do? I don't want to
have to mess with installing certificates on the user machines
On Tue, Dec 27, 2011 at 3:42 AM, McSparin, Joe
jmcspa...@hillcountrymemorial.org wrote:
I would like to just have freeRadius authenticate against my active
directory in windows using only the user name and password in Active
Directory for authentication. Is this possible to do? I don't want
Did my last mail make it?
- Last Mail: -
Phil, you got it working!
All of what you wrote was right:
- added Cleartext-Password2 to
/usr/share/freeradius/dictionary.freeradius.internal
- created user file like this:
user Cleartext-Password := 1, Cleartext-Password2 += 2
- updated
Hi,
I am trying to set up something very basic (at least from my point of view):
I would like to have a User with multiple passwords (two actually). How
would I do this? I tried the following:
*alice Auth-Type=Local, Cleartext-Password := test1
alice Auth-Type=Local, Cleartext-Password := test2*
-Type=Local, Cleartext-Password := test2/
Do not set Auth-Type. It's almost always wrong, and is certainly wrong
in this case.
It might be possible to have 1 password; but it will probably only work
for PAP requests, unless you play carefully with module failover.
It also probably won't work
/default[62]: Errors parsing authorize section.
Any idea what might cause the trouble? Line 154 is the if
(User-Password line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers p.may...@imperial.ac.uk
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying
cause the trouble? Line 154 is the if
(User-Password line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers p.may...@imperial.ac.uk
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying to set up something very basic (at least from my point
On Thu, Jul 7, 2011 at 7:18 PM, Equin Nix equin@googlemail.com wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunately your radius-skills seem to
be far far from mine, but I think I get the point.
I tried to add the following to sites-enabled/default (in authorize
section)
idea what might cause the trouble? Line 154 is the if
(User-Password line.
BTW: It is not possible with RegEx?
Best regards from Germany
2011/7/7 Phil Mayers p.may...@imperial.ac.uk
On 07/07/11 09:51, Equin Nix wrote:
Hi,
I am trying to set up something very basic (at least
On 07/07/11 13:18, Equin Nix wrote:
Hi Phil,
thanks a lot for the fast answer! Unfortunately your radius-skills seem
to be far far from mine, but I think I get the point.
I tried to add the following to /sites-enabled/default/ (in authorize
section) (It's not a full copy of your text, I
).
This is the error:
[...]
/etc/freeradius/sites-enabled/default[154]: Subsection of module instance
call not allowed
/etc/freeradius/sites-enabled/default[62]: Errors parsing authorize
section.
Any idea what might cause the trouble? Line 154 is the if
(User-Password line.
BTW: It is not possible
= 1812
secret =
}
home_server_pool IAS {
type = client-port-balance
home_server = IAS
}
realm IAS {
auth_pool = IAS
}
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Two-phase-pass-thru-authentication-possible-tp4492840p4492840.html
Sent from the FreeRadius
I've got an interesting problem to try to solve and was curious if such a
concept is even possible with FreeRadius.
I've got to implement mac address filtering to a Cisco WiFi (WLC plus
numerous LWAPPs) system that also requires Active Directory authentication
of the Windows credentials
On 03/05/11 21:41, Alexander Clouter wrote:
Daniele Albrizio albri...@univ.trieste.it wrote:
I suspect the cacertfile attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new ldaps connection.
Without a doubt the
On 04/05/11 09:37, Daniele Albrizio wrote:
On 03/05/11 21:41, Alexander Clouter wrote:
Daniele Albrizioalbri...@univ.trieste.it wrote:
I suspect the cacertfile attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new
Hi all
Is there anybody who can tell me why my mikrotik ppp user sometimes fails to
authenticate on free radius?
How to fix it?
After a few mins it will be OK...
On 05/04/2011 08:46 PM, Tanjil Ahmed wrote:
Hi all
Is there anybody who can tell me why my mikrotik ppp user sometimes
fails to authenticate on free radius?
Please don't hijack an existing thread. Start a new one.
How to fix it?
After a few mins it will be OK...
You need to give us more
I've two ldaps backends instantiated like:
authorize {
...
Autz-Type OPENLDAP {
openldap
}
Autz-Type ADLDAP {
adldap
}
...
}
authenticate {
...
Auth-Type OPENLDAP {
openldap
}
Auth-Type ADLDAP
On 03/05/11 19:00, Daniele Albrizio wrote:
I've two ldaps backends instantiated like:
Forgot...
Using compiled freeradius-server-2.1.10 on Debian GNU/Linux 6.0
--
Daniele ALBRIZIO - albri...@univ.trieste.it
Tel. +39-040.558.3319
UNIVERSITY OF TRIESTE - Network Services
Daniele Albrizio albri...@univ.trieste.it wrote:
I suspect the cacertfile attribute is not correctly re-instantiated
and only the value of the first request is used to check against when
instantiating a new ldaps connection.
Without a doubt the chaining is not working on your LDAP servers.
Dear All,
I know a little about dynamic client, it may be used in virtual server;
But just as the mentioned subject,
is it possible to write client information into database other than
clients.conf in default virtual server?
thx all
WeiJingPeng
many thx
WeiJingPeng
魏景鹏 wrote:
is it possible to write client information into database other than
clients.conf in default virtual server?
Yes. Read raddb/sql.conf. Look for client. And see the NAS schema
shipped with the server.
Alan DeKok.
魏景鹏 wrote:
many thx
It's not possible.
Alan DeKok.
魏景鹏 wrote:
One side auth with pap method, but the other side needs chap auth
method, so I have to do some translating work.
chap-string = Packet-Id + Cleartext-Password + authenticator
chap-password = packet-id + md5(chap-string)
Is it possible to get packet id in pre-proxy section
with
DefaultGateway, NetworkMask and DNS server.
It's possible... but not really easy to do right now. Peter Nixon
apparently has some updates to the sql ippool module which makes this work.
Alan DeKok.
--
Este
Hello guys,
One side auth with pap method, but the other side needs chap auth
method, so I have to do some translating work.
chap-string = Packet-Id + Cleartext-Password + authenticator
chap-password = packet-id + md5(chap-string)
Is it possible to get packet id in pre-proxy section?
how can i
Rogelio Sevilla Fernandez wrote:
So, if the clients auth from AP1, I need freeradius to send DHCP data to
my client using one dynamic IP pool like 192.168.1.0/24 with
DefaultGateway, NetworkMask and DNS server.
It's possible... but not really easy to do right now. Peter Nixon
apparently has
auths from AP2, send DHCP data to the client using
another dynamic IP pool like 192.168.2.0/24 with DefaultGW, Netmask
and DNS server.
Is it possible to do that?
I'm working with DaloRadius...
--
Ing. Rogelio C. Sevilla Fernandez
Direccion de Desarrollo Telematico / Secretaria de Administracion
Hi experts,
I want to try another way to authenticate devices by their MAC addresses. I
don't really care about the security and just try to make the configuration
easy. Here is my configuration:
hints =
DEFAULT User-Name =~ 001422.*
Hint = STB
= users =
DEFAULT Hint
On 03/03/11 16:10, Difan Zhao wrote:
Hi experts,
I want to try another way to authenticate devices by their MAC
addresses. I don’t really care about the security and just try to make
the configuration easy. Here is my configuration:
hints =
DEFAULT User-Name =~ 001422.*
Hint = STB
@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: March-03-11 9:16 AM
To: FreeRadius users mailing list
Subject: Re: Cleartext-Password := %{User-Name} in the users file. Possible?
On 03/03/11 16:10, Difan Zhao wrote:
Hi experts,
I want to try another way to authenticate devices by their MAC
addresses. I
On 03/03/11 18:11, Difan Zhao wrote:
Thanks Phil! It works! It definitely fits what I need! However just be curious,
why my setting won't work?
I'm not sure. It should work; it seems like the expansion:
Cleartext-Password := %{User-Name}
...wasn't being acted on. Are you sure you didn't
Phil Mayers wrote:
I'm not sure. It should work; it seems like the expansion:
Cleartext-Password := %{User-Name}
...wasn't being acted on. Are you sure you didn't have a typo somewhere?
The control items aren't expanded in the hints or users file.
Use unlang.
Alan DeKok.
Bjørn Mork wrote:
DHCP-Keep=Alive-Garbage
^
I believe Alexander refers to this '=', which does look a tiny bit
suspicious
Ah... I'll go fix that. Blame it on small font or bad eyes.
Alan DeKok.
Hello,
if you take a look at line 358 of share/dictionary.dhcp you may notice '=':
VALUE DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
VALUE DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
Is it a possible typo?
--
MINO-RIPE
Alexander Shikoff wrote:
if you take a look at line 358 of share/dictionary.dhcp you may notice '=':
VALUE DHCP-Parameter-Request-List DHCP-Keep-Alive-Interval 38
VALUE DHCP-Parameter-Request-List DHCP-Keep=Alive-Garbage 39
Is it a possible typo?
I have no idea what you mean
Is it a possible typo?
I have no idea what you mean.
DHCP-Keep=Alive-Garbage
^
I believe Alexander refers to this '=', which does look a tiny bit
suspicious
Bjørn
Hi experts,
I'm wondering if it's possible for the radius.log file to show the NAS IP
instead of the client name (which is IP range in my case).
Currently the log looks like:
Thu Jan 27 11:53:15 2011 : Auth: Login incorrect: [08000f513f60/08000f513f60]
(from client 10.143.115.0/24 port 50303
Difan Zhao wrote:
I’m wondering if it’s possible for the radius.log file to show the NAS
IP instead of the “client” name (which is IP range in my case).
Read radiusd.conf, look for msg_goodpass
Alan DeKok.
I noticed something in rlm_sql.c function rlm_sql_process_groups().
group_list is allocated at the top of the function, but
sql_grouplist_free(group_list) is only called at the end. All the various
error exits don't call it.
ISTM that's going to leak memory in event of errors, but perhaps I
Brian Candler wrote:
I noticed something in rlm_sql.c function rlm_sql_process_groups().
group_list is allocated at the top of the function, but
sql_grouplist_free(group_list) is only called at the end. All the various
error exits don't call it.
ISTM that's going to leak memory in event
Got the whole setup working. So basically if users sign on with
usern...@foo.edu with eap, they will be sent to ldap w/ ntpassword
authorization. If users sign on with username only with eap, they will
be sent to active directory w/ ntlm authentication.
configuration changes are the following:
We got ntlm_auth against AD working for PEAP, we also got separate
server for PEAP against ldap ntPassword hash.
in latest etc/raddb/modules/mschap
# The module can perform authentication itself, OR
# use a Windows Domain Controller. This configuration
# directive tells
schilling wrote:
We got ntlm_auth against AD working for PEAP, we also got separate
server for PEAP against ldap ntPassword hash.
...
Is there any way to have a virtual server(1812/1813) for
mschapv2-ntlm_auth-AD and another virtual server(1814/1815) for
mschapv2-ldap ntPassword hash?
Hi Alan,
Thanks for the hint.
Just to be sure. Both user(username and usern...@foo.edu) will use
eap, mschapv2 to authenticate. But there is only one mschap module in
etc/raddb/modules/?
Regards,
Schilling
On Tue, Dec 7, 2010 at 3:41 PM, Alan DeKok al...@deployingradius.com wrote:
schilling
schilling wrote:
Just to be sure. Both user(username and usern...@foo.edu) will use
eap, mschapv2 to authenticate. But there is only one mschap module in
etc/raddb/modules/?
So... configure another mschap module.
See raddb/modules/files for examples of configuring two instances of
the
James J J Hooper wrote:
The date (Time-Of-Death) seems a little odd. I poked around in the code
and got as far as the below, which looks possibly wrong, but I don't
understand C enough to work out what to do with it from the surrounding
code:
You're right. It's a pretty simple typo.
Hi Alan et al,
{Running FR from GIT upto commit b42665d4475835f38fe71ef749e39cd22587bcfa,
Sat Oct 9 17:52}
Doing:
/bin/echo Message-Authenticator = 0x00, FreeRADIUS-Statistics-Type = 131,
FreeRADIUS-Stats-Server-IP-Address = ., FreeRADIUS-Stats-Server-Port
= 1812 |
Difan Zhao wrote:
So I guess my first question is that, is it possible to have wildcard
(e.g. “*”) in the realm name?
Read raddb/proxy.conf. Look for regex
realm *~*.gtcorp.com* {
That isn't the correct syntax.
Go back and read the example in proxy.conf again.
Alan DeKok.
@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradi
us.org] On Behalf Of Alan DeKok
Sent: September-09-10 4:16 AM
To: FreeRadius users mailing list
Subject: Re: Wildcard in realm name? possible??
Difan Zhao wrote:
So I guess my first question
the username looks like when the Windows PC is doing PEAP
with use of the PC's name instead of the actual user's username. Don't
know why but seems to be strange!
So I guess my first question is that, is it possible to have wildcard
(e.g. *) in the realm name?
I did read all the docs I could possibly
Hi
at one auth request happen then
FR Act as like
{ first check remote1 radius Server
if fail
second check remote 2 radius Server
if fail
third check local DB of file
fi
fi
}
is't a another multi auth check method?
Thanks!
ziyen wrote:
Hi
at one auth request happen then
FR Act as like
{ first check remote1 radius Server
if fail
second check remote 2 radius Server
See fail-over. This works only if the server is down.
You *cannot* re-proxy a request if the first server returned reject.
Alan
Pere Hospital wrote:
I have gone again through the SQL wiki. What I am not able to
find anywhere (and think that it is what we exactly need) is how to
emulate this behaviour of check/reply items that you can get via the
users file. i.e. from users file:
The SQL schema is intended to
-Identifier
= Z then return (via radreply) Framed-IP-Address=W --- otherwise
don't return a Framed-IP-Address
Is this possible somehow ?
Yes.
We are using SQL module in freeradius.
See the Wiki for how the SQL module works.
Though since these rules are NAS based and not user based, I
...). --- If NAS-Identifier = X
then return (via radreply) Framed-IP-Address=Y --- If
NAS-Identifier = Z then return (via radreply) Framed-IP-Address=W
--- otherwise don't return a Framed-IP-Address
Is this possible somehow ?
Yes.
We are using SQL module in freeradius.
See the Wiki
) Framed-IP-Address=Y --- If NAS-Identifier
= Z then return (via radreply) Framed-IP-Address=W --- otherwise
don't return a Framed-IP-Address
Is this possible somehow ?
We are using SQL module in freeradius.
Details :
Debian 5.0.4
freeradius 2.0.4+dfsg-6
Regards,
Pere
--
Pere Hospital, CISSP
to Radius Client.
Is it possible to reply attributes from LDAP using ntlm_auth ?
Best Regards
Pawel.
that AD integration works before going on to the next step.
The same page describes using ntlm_auth instead, but I cannot find how to
pass attributes from LDAP Database using ntlm_auth to Radius Client.
Is it possible to reply attributes from LDAP using ntlm_auth ?
No.
For PAP
On 2/17/10 9:24 PM, John L. Singleton wrote:
Hi All,
I am trying to set up a centralized SSH authentication server that allows
authentication via public keys. I can't find anything on the web about if
this is possible with FR. Is it? Basically all I need is for FR to allow
authentication