freerad...@corwyn.net wrote:
no it does not. FYI I believe 1813 is actually TCP (empirically working
through my firewalls that way).
1813 is RADIUS accounting. It's currently over UDP.
RADIUS over TCP is coming, too.
1814 only necessary if you're using proxy I think.
1814, *and* any
freerad...@corwyn.net wrote:
Having just followed all of those instructions to build out my
production systems, I have a few tweaks to fix all those little things
that drive one insane when following someone's instructions because they
never tested them.
Thanks. Here's a short review.
At 04:33 AM 12/4/2009, Alan DeKok wrote:
freerad...@corwyn.net wrote:
Note that the configuring of SAMBA, kerberos, and adding to the domain
should already be done as part of the default Linux install, see
h:\is\operating system\Linux\Guide_linux.doc
This file is... ?
Heh, part of our
freerad...@corwyn.net wrote:
Update max_requests to # users * 256
That isn't necessary. It should be no more than max request/s *
max_request_time.
Well the docs say:
# max_requests: The maximum number of requests which the server keeps
# track of. This should be 256 multiplied by
At 11:00 AM 12/4/2009, Alan DeKok wrote:
freerad...@corwyn.net wrote:
Update max_requests to # users * 256
That isn't necessary. It should be no more than max request/s *
max_request_time.
Well the docs say:
# max_requests: The maximum number of requests which the server keeps
#
Having just followed all of those instructions to
build out my production systems, I have a few
tweaks to fix all those little things that drive
one insane when following someone's instructions
because they never tested them.
Using FreeRADIUS2
Rick Steeves 091203
freeradi...@corwyn.net
Hi,
Install freeradius2:
yum clean all
yum install freeradius2 freeradius2-utils freeradius2-ldap
note, there are other packages should you need eg SQL support
Exec-Program output: winbind client not
authorized to use winbindd_pam_auth_crap. Ensure
permissions on
At 05:27 PM 12/3/2009, Alan Buxey wrote:
note, there are other packages should you need eg SQL support
Not if you're not using SQL support (which I'm not). You'd then also
need a lot of instructions on setting up SQL :-)
you didn't note if you were SELinux enabled and any issues that
might
On 12/01/2009 06:31 PM, freerad...@corwyn.net wrote:
Well, thanks to an inordinate amount of help, I've got my RADIUS server
up and running exactly how I want it to.
As part of my business process, I've got a detailed doc on how the
server is/was constructed. I'd like to contribute that to
At 02:39 AM 12/1/2009, Alan DeKok wrote:
Because you've forced the ntlm_auth module to be run. That module
ONLY checks clear-text passwords, and there is NO clear-text password in
the request.
Change the line having
... Auth-Type := ntlm_auth, ...
to
... Auth-Type =
DEFAULT Huntgroup-Name == VPN_Huntgroup, Auth-Type=ntlm_auth,
Ldap-Group == VPN_Users
It runs the LDAP group check, but still lets the user log in even
when he's not in the VPN_Users group:
Use unlang for better control of what happens:
if(Huntgroup-Name == VPN_Huntgroup) {
At 01:03 PM 12/1/2009, t...@kalik.net wrote:
Use unlang for better control of what happens:
if(Huntgroup-Name == VPN_Huntgroup) {
    if(Ldap-Group == VPN_Users) {
        if(!control:Auth-Type) {
            update control {
                Auth-Type = ntlm_auth
            }
If I understand correctly, I don't need to worry about ntlm_auth at
all in this case (because with MSCHAP I don't have a cleartext
password, and thus ntlm_auth won't do me any good), so I probably
don't need to update the Auth-Type?
If you are sure that all requests will be mschap. That if
At 01:29 PM 12/1/2009, t...@kalik.net wrote:
So I think what I need is:
if(Huntgroup-Name == VPN_Huntgroup) {
if(Ldap-Group == VPN_Users) {
Put just ok in there. It might not like empty brackets.
}
else {
reject
}
}
That did it! Thanks! I think that gets
Well, thanks to an inordinate amount of help,
I've got my RADIUS server up and running exactly how I want it to.
As part of my business process, I've got a
detailed doc on how the server is/was
constructed. I'd like to contribute that to the
wiki, but I don't see that I can create an
There's a piece of RADIUS that I'm not understanding.
If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
And another entry
DEFAULT Auth-Type:=Accept,Ldap-Group ==
=networkradius@lists.freeradius.org
[mailto:freeradius-users-
bounces+tim.sylvester=networkradius@lists.freeradius.org] On Behalf
Of freerad...@corwyn.net
Sent: Monday, November 30, 2009 11:54 AM
To: FreeRadius users mailing list
Subject: separating Users?
There's a piece of RADIUS
On 11/30/2009 02:54 PM, freerad...@corwyn.net wrote:
There's a piece of RADIUS that I'm not understanding.
If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
And another entry
DEFAULT
freerad...@corwyn.net wrote:
There's a piece of RADIUS that I'm not understanding.
If I have an entry in my ./users file
DEFAULT Auth-Type:=Accept,Ldap-Group == Group1
Service-Type=NAS-Prompt-User,cisco-avpair=shell:priv-lvl=15
And another entry
DEFAULT
At 03:27 PM 11/30/2009, David Mitchell wrote:
1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.
Sigh. Here I was all excited that I had everything working, and
On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
At 03:27 PM 11/30/2009, David Mitchell wrote:
1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.
Sigh. Here I
On 11/30/2009 05:07 PM, freerad...@corwyn.net wrote:
At 03:27 PM 11/30/2009, David Mitchell wrote:
1) Don't specify the Auth-Type. You still want to check the password I
assume. I think your config will let in any user who is in group
Group1 irrespective of the supplied password.
Sigh. Here
At 06:12 PM 11/30/2009, t...@kalik.net wrote:
You need to set fall-through so that you still do per user processing.
This is documented in the raddb/users file and you should also read
doc/processing_users_file
Or just add Auth-Type := ntlm_auth to the first line (ie. instead of
Accept).
What I think is my final problem. I'm now working to authenticate
VPN users in the same scenario, using the l2tp client in
windows. Looks like everything automatically picks up that it's a
MSCHAP request.
Using a similar logic:
DEFAULT Huntgroup-Name == VPN_Huntgroup, Ldap-Group
At 09:41 PM 11/30/2009, you wrote:
Yes, if that DEFAULT entry doesn't match - it will get ignored. If you
want authentication to fail if such conditions are not met you need to add
Auth-Type to it. If there is no Fall-Through to DEFAULT forcing ntlm_auth,
Auth-Type won't be set and
freerad...@corwyn.net wrote:
so if ./users:
DEFAULT Huntgroup-Name == Cisco_Huntgroup, Auth-Type:=ntlm_auth,
Ldap-Group == Infrastructure
Service-Type:=NAS-Prompt-User,cisco-avpair:=shell:priv-lvl=15,
DEFAULT Huntgroup-Name == VPN_Huntgroup,