Re: Proxying CoA Disconnect in freeRADIUS 2.1.10

2011-02-18 Thread Alan DeKok
Charles Price wrote: I'm having some trouble asking my freeRADIUS-2.1.10 server (Linux, x86_64) to correctly proxy CoA and Disconnect-Request packets. OK. The fix should be in 2.1.11, and in the v2.1.x branch on git.freeradius.org. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: Eduroam with a Local Radius Config?

2011-02-18 Thread Alan DeKok
Nathan McDavit-Van Fleet wrote: I won’t show the pool config for the “DEFAULT” realm. But suffice to say that’s working. Also, our legacy users who are authenticating with no realm are working as well. What isn’t working are local connections using our local realm (u...@concordia.ca) and

Re: Parallel running RADIUS servers

2011-02-18 Thread szymon roczniak
On Thu, Feb 17, 2011 at 02:37:58PM +, Brian Candler wrote: I wonder if anyone has implemented anything like the following, and if so, if they can share their experiences of how they did it. [..] Some of the existing logic I work with makes use of the source IP address of the packet (i.e.

Re: Parallel running RADIUS servers

2011-02-18 Thread Phil Mayers
On 17/02/11 14:37, Brian Candler wrote: I can think of a few ways of implementing this: * Using bpf (like radsniff) to capture the live requests and responses. Forward a copy of the request to a second process, which would somehow be jailed to a loopback interface, and then compare the

Re: SSH - No authenticate method (Auth-Type)

2011-02-18 Thread Phil Mayers
On 18/02/11 01:03, Jaikanth Krishnaswamy wrote: Hi All, I am a newbie to freeradius world. I am using freeradius 2.1.10 for authorization and authentication. My authorization works Sending Access-Request of id 58 to X.X.X.X port Y User-Name = test User-Password = test NAS-IP-Address = X.X.X.X

RE: Corrupted Secret with squid_radius_auth

2011-02-18 Thread Robert Dunkley
I managed to fix this, my mistake was downloading the Radius_Auth V1.10 helper separately. When I compiled the Radius_Auth included in the squid package, it worked perfectly. A related question, is there a way to put two radius servers in the config file or do I need to call the radius_auth

Re: Corrupted Secret with squid_radius_auth

2011-02-18 Thread Alan DeKok
Robert Dunkley wrote: A related question, is there a way to put two radius servers in the config file or do I need to call the radius_auth helper twice pointing to two different config files? Ask the squid people how to use their software. Alan DeKok.

Re: Parallel running RADIUS servers

2011-02-18 Thread Brian Candler
This is only going to work for the simpler authentication mechanisms - PAP and so forth. It won't work for EAP, because the server challenge state incorporates random numbers. Absolutely. This is for a broadband aggregation environment with CHAP. Honestly, I think you are better off

Inner-tunnel user name in interim-update

2011-02-18 Thread 1...@uniurb.it
Hello. I'm puzzled about eap ttls accounting, namely with interim-updates. My setup: freeradius 2.1.10 on debian squeeze, mikrotik RouterOs version 3.13 as NAS. On the NAS I enabled eap accounting; on the freeradius I set copy_request_to_tunnel = yes use_tunneled_reply = yes update

Re: Inner-tunnel user name in interim-update

2011-02-18 Thread Phil Mayers
On 18/02/11 11:46, 1...@uniurb.it wrote: Looks like the radius honours the request to send out the inner identity, but the NAS gets rid of it and continues to use ‘anonymous’. Is that a NAS problem, or maybe something I misconfigured on freeradius? It's a NAS problem, and a common

RE: Corrupted Secret with squid_radius_auth

2011-02-18 Thread Robert Dunkley
Sorry, I thought I was emailing the squid lists. Rob -Original Message- From: freeradius-users-bounces+robert=saq.co...@lists.freeradius.org [mailto:freeradius-users-bounces+robert=saq.co...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: 18 February 2011 11:43 To: FreeRadius

Re: mschap help

2011-02-18 Thread Raymond Norton
I configured both default and inner-tunnel during the tutorial. I will check into testing MS-CHAP. Just want to verify if this is how it should look in the enabled sites: Auth-Type NTLM_AUTH { ntlm_auth } On 02/18/2011 12:45 AM, Alan DeKok wrote: Raymond Norton

Re: pam_auth_radius

2011-02-18 Thread Marc Phillips
sigh *Another* PAM module has decided that the password is wrong, and has over-written it. This prevents any other PAM module from letting the user in. Or maybe it's SSH doing it. Yeah, figured that; just trying to figure out why. and yes, it's sshd: # strings /usr/sbin/sshd | grep

RE: Eduroam with a Local Radius Config?

2011-02-18 Thread Nathan McDavit-Van Fleet
Thanks to everyone for the pointers. I'm just wondering, but is there an issue for my local concordia.ca realm because sometimes it's local and sometimes it is coming from Eduroam? I've seen many configs where realms are given secrets, which seems somewhat strange to me because I imagined

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN within the pool, use a hashing function and select a VLAN. One concern I have is when is

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Phil Mayers
On 18/02/11 14:16, Dean, Barry wrote: I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN within the pool, use a hashing function and select a

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread schilling
Could you share your configuration and perl script? So I can learn from it? I am thinking of using ldap status to decide the pool, then hashing the mac address of the client to get different VLANs. This is actually similar to how some vendor VLAN pools work, except we are not trying to get the same result

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread schilling
What's your biggest subnet for the wireless? How do you deal with excessive broadcast protocols? Thanks, Schilling On Fri, Feb 18, 2011 at 9:26 AM, Phil Mayers p.may...@imperial.ac.uk wrote: On 18/02/11 14:16, Dean, Barry wrote: I have been asked to do just this and I am working on the

Re: Eduroam with a Local Radius Config?

2011-02-18 Thread Phil Mayers
On 18/02/11 14:02, Nathan McDavit-Van Fleet wrote: Thanks to everyone for the pointers. I'm just wondering, but is there an issue for my local concordia.ca realm because sometimes it's local and sometimes it is coming from Eduroam? Eduroam logically consists of two separate functions: 1.

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Phil Mayers
On 18/02/11 14:29, schilling wrote: Could you share your configuration and perl script? So I can learn from it? I am thinking of use ldap status to decide the pool, then hashing mac address of the client to get different VLAN. It seems like a lot of people are suddenly wanting to do this. Can

Re: mschap help

2011-02-18 Thread Raymond Norton
Just curious if the hyphen is supposed to be in front of the domain name on this line: ntlm_auth = */path/to/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*MYDOMAIN*} --challenge=%{mschap:Challenge:-00}

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Phil Mayers
On 18/02/11 14:34, schilling wrote: what's your biggest subnet for the wireless? Our entire wireless network is one /19, but our wireless system is a Cisco lightweight that does clever things with broadcast, DHCP and ARP traffic. However, we have lots of wired subnets which are /21, some

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Gary Gatten
Lol, probably. If these are large 802.11x nets, typically deployments of that scale use dumb WAPs and smart controllers that handle the load sharing. If they're wired nets, doesn't make any sense to me. - Original Message - From: Phil Mayers [mailto:p.may...@imperial.ac.uk] Sent:

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread schilling
I can explain my environment. We are migrating from traditional captive portal to new 802.1x WPA2-Enterprise, from fat AP to controller based wireless architecture; wireless mobility comes into play too. At the same time, how to maintain the traditional source-based IP ACL/Firewall? We already

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 02:16:25PM +, Dean, Barry wrote: I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN within the pool, use a

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Phil Mayers
On 18/02/11 14:52, schilling wrote: I can explain my environment. This is getting OT for the list, and will be my last post. We are migrating from traditional captive portal to new 802.1x WPA2-Enterprise, from fat AP to controller based wireless architecture, Wireless mobility comes into

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 02:36:55PM +, Phil Mayers wrote: On 18/02/11 14:29, schilling wrote: Could you share your configuration and perl script? So I can learn from it? I am thinking of use ldap status to decide the pool, then hashing mac address of the client to get different VLAN. It

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
On 18 Feb 2011, at 14:26, Phil Mayers wrote: On 18/02/11 14:16, Dean, Barry wrote: I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 03:00:48PM +, Phil Mayers wrote: On 18/02/11 14:52, schilling wrote: I can explain my environment. This is getting OT for the list, and will be my last post. We are migrating from traditional captive portal to new 802.1x WPA2-Enterprise, from fat AP to controller

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Kenneth Marshall
On Fri, Feb 18, 2011 at 03:02:49PM +, Dean, Barry wrote: On 18 Feb 2011, at 14:26, Phil Mayers wrote: On 18/02/11 14:16, Dean, Barry wrote: I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Phil Mayers
Yep, I was referring to the entries I see in my logs for Interim-Update, which is of course an Accounting record, and I had always assumed this went with an Auth as well, but have never looked in detail to see! So I am most likely talking rubbish! No, that's accounting, which is completely

Re: mschap help

2011-02-18 Thread Alan DeKok
Raymond Norton wrote: Just curious if the hyphen is supposed to be in front of the domain name on this line: Yes. man unlang. Look for :- ntlm_auth = */path/to/ntlm_auth* --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{%{mschap:NT-Domain}:-*MYDOMAIN*}

dhcp over freeradius with mysql

2011-02-18 Thread Ehart, Norbert
Hi, I would like to implement DHCP over RADIUS! Is there any MySQL support? My DHCP config looks like this! === snip == shared-network X { if substring(option vendor-class-identifier, 0, 2) = SN { next-server X.X.X.X; filename = concat(/inalp/, option vendor-class-identifier, _,

Re: mschap help

2011-02-18 Thread Raymond Norton
Got things working...yeah! Started with fresh user, ntlm_auth and mschap files, edited according to tutorial. I then got the following error: winbind client not authorized to use winbindd_pam_auth_crap I had already changed permissions yesterday, but did it again. I was able to login using

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Alexander Clouter
Phil Mayers p.may...@imperial.ac.uk wrote: How do you deal with excessive broadcast protocols? We do nothing. We used to be very worried about this, but in practice we've found it's a non-existent problem. The world isn't 10Mbit/half-duplex ethernet any more ;o) ...it supposedly nukes

Re: Proxying CoA Disconnect in freeRADIUS 2.1.10

2011-02-18 Thread Charles Price
OK. The fix should be in 2.1.11, and in the v2.1.x branch on git.freeradius.org. Many thanks, Alan. I checked out the latest version from git this afternoon - all works perfectly. Regards, Charlie

FR/AD integration

2011-02-18 Thread E Rossiter
NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d

Re: FR/AD integration

2011-02-18 Thread Gary Gatten
+- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log] /var/log/radius/radacct/%{Client-IP-Address}/auth

Re: FR/AD integration

2011-02-18 Thread E Rossiter
= somepass NAS-IP-Address = 64.126.127.208 NAS-Port = 0 +- entering group authorize {...} ++[preprocess] returns ok [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d - /var/log/radius/radacct/127.0.0.1/auth-detail-20110218 [auth_log