Compiling rlm_perl on Solaris 10

2010-04-19 Thread Dean, Barry
I have been having problems compiling rlm_perl on Solaris 10 Intel and have spent days googling for an answer. Most answers say: use --without-rlm_perl, which is not much use when you actually *need* it! Here is what I did to solve it, hopefully this will save someone some pain: Firstly, my

When to ldap?

2010-05-12 Thread Dean, Barry
I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity. I have moved to 2.1.8 with the inner-tunnel virtual host enabled. I have an authorise section for the relevant virtual server that has: authorize {

Re: When to ldap?

2010-05-13 Thread Dean, Barry
On 13 May 2010, at 06:54, Alan DeKok wrote: Dean, Barry wrote: I am working on a new radius config and have been trying to avoid the lookup in LDAP I have been seeing for the outer identity. I have moved to 2.1.8 with the inner-tunnel virtual host enabled. I have an authorise section

Re: When to ldap?

2010-05-13 Thread Dean, Barry
On 13 May 2010, at 10:15, Alan DeKok wrote: Dean, Barry wrote: ... [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with filter (sAMAccountName=user) [ldap] looking for check items in directory... [ldap] looking for reply items in directory... WARNING: No known good

unlang?

2008-01-18 Thread Dean, Barry
I am testing my current 1.1.7 config with version 2.0.0. I have 2 bits of config that are not quite right on 2.0.0 1) I have the line: filter = (cn=%{Stripped-User-Name:-%{User-Name}}) I am not sure why, I inherited this setup and I am still trying to understand it. The LDAP server is

RE: unlang? - reject unknown?

2008-01-24 Thread Dean, Barry
man unlang. Look for case-insensitive. In this case, you would delete that users file entry, and use unlang authorize { ... if (%{User-Name} =~ /special/i) { update reply { Reply-Message = Cannot use this user account

ClearText-Password?

2008-03-03 Thread Dean, Barry
I am migrating my RADIUS from: a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups. to b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc. I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the mschap module, changed the users file DEFAULT entry from LDAP to

RE: ClearText-Password?

2008-03-03 Thread Dean, Barry
Debug: == rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = user User-Password = passwd NAS-IP-Address = 138.253.XXX.XXX +- entering group authorize ++[preprocess] returns ok ++? if (%{User-Name} =~

RE: ClearText-Password?

2008-03-05 Thread Dean, Barry
Hi, rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195, length=49 User-Name = user User-Password = passwd NAS-IP-Address = 138.253.XXX.XXX There. No MS-CHAP-Challenge. You are not supposed to process this packet with the rlm_mschap module. Why

ntlm_auth

2008-03-17 Thread Dean, Barry
I know this is not strictly a FreeRADIUS problem, but I am betting someone on this list has been here and got the tee shirt! I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, winbindd 3.0.25a) to our AD domain with the net join command. This worked (eventually!). Now when

RE: Freeradius and Active directory (An aside)

2008-05-20 Thread Dean, Barry
Alan DeKok said: It is impossible to use CHAP to authenticate to AD. You MUST use MS-CHAP, or PAP. When testing my Radius server with AD and XSupplicant I found that EAP-TTLS with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all failed. So you have explained why

1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
I have a problem with a realm configuration that used to work with FR 1.1.7, but does not work at all with 2.0.2 and virtual servers. I have a virtual server defined in sites-available/janet-roaming thus: server jrsradius { listen { ipaddr = jrsradius2.liv.ac.uk

RE: 1.1.7 to 2.0.2 config for Realms problem

2008-06-05 Thread Dean, Barry
Of Alan DeKok Sent: 05 June 2008 12:17 To: FreeRadius users mailing list Subject: Re: 1.1.7 to 2.0.2 config for Realms problem Dean, Barry wrote: I have a problem with a realm configuration that used to work with FR 1.1.7, but does not work at all with 2.0.2 and virtual servers. I have a virtual

Realms and proxying

2008-08-19 Thread Dean, Barry
I currently have a realm defined: realm liv.ac.uk { type= radius authhost= LOCAL accthost= LOCAL } I now have one of my departments, which for various complex reasons, has been allowed to have its own user accounts. They have the subdomain

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN within the pool, use a hashing function and select a VLAN. One concern I have is when is

Re: Hash username or mac address to assign user to different vlan

2011-02-18 Thread Dean, Barry
On 18 Feb 2011, at 14:26, Phil Mayers wrote: On 18/02/11 14:16, Dean, Barry wrote: I have been asked to do just this and I am working on the solution now. We wanted to use multiple pools of VLANs/Subnets and assign Staff to one pool and Students# to the other. Then to select a VLAN

Re: global hash variable perl

2011-02-28 Thread Dean, Barry
Yes. Do something like this: { my %static_global_hash = (); sub post_auth { ... } ... } static_global_hash will then be available on each call to the subs so you can store some kind of state between requests that you handle. The trick is placing the whole lot into a {} block. Perl can be odd

Some users can't login after upgrade!

2007-11-08 Thread Dean, Barry
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE) authenticating to Novell eDirectory using LDAP. All was fine... I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found they can no longer login to the Cisco VPN3000 which uses this RADIUS. The

RE: Some users can't login after upgrade!

2007-11-09 Thread Dean, Barry
On Behalf Of Alan DeKok Sent: 08 November 2007 16:21 To: FreeRadius users mailing list Subject: Re: Some users can't login after upgrade! Dean, Barry wrote: We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked the user to login using that, failed with 1.1.7 RADIUS

RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok Sent: 09 November 2007 15:11 To: FreeRadius users mailing list Subject: Re: Some users can't login after upgrade! Dean, Barry wrote: The debug output (private data masked) can be picked up from

RE: Some users can't login after upgrade!

2007-11-13 Thread Dean, Barry
This fixed the problem for these users. Thanks to the list, and special thanks to Alan for solving this. --- Barry Dean Networks Team -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean, Barry Sent: 13 November 2007 09:31 To: FreeRadius

RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
I am somewhat confused. My RADIUS server forgot about some clients, all by itself, honest! Users stopped being able to authenticate (I say users, we had one!), using eduroam from Portugal, turns out that some time after September 5th, the RADIUS server stopped recognising the JANET roaming

RE: RADIUSD amnesia!

2008-09-23 Thread Dean, Barry
On Behalf Of Alan DeKok Sent: 23 September 2008 14:59 To: FreeRadius users mailing list Subject: Re: RADIUSD amnesia! Dean, Barry wrote: My RADIUS server forgot about some clients, all by itself, honest! Nope. You have clients listed as *hostnames* rather

Using multiple certificates

2009-09-07 Thread Dean, Barry
I have been asked if it is possible to run two SSIDs on our wireless, let's call them A and B, that authorise against a FreeRADIUS server running as two virtual servers radiusA and radiusB. What we want is to have radiusA use a different server certificate from radiusB. However, as I see it,

To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
I currently run two virtual servers, one for our local secure wireless and one for eduroam customers. The local one receives RADIUS packets from Bradford Campus Manager, which is responsible for Network Access Control and stamps Auth-OK replies with the VLAN for the user. What I want to do

Re: To proxy, or not to proxy, that is the question ...

2009-10-15 Thread Dean, Barry
Thanks for this, and thanks to Bob Franklin too. I have something working now by selecting on client name and re-writing the User-Name to append bcm, then proxying that alone to the NAC servers. This leaves all the config I had before for my existing domains alone. I might try the other

rlm_perl issue

2013-08-22 Thread Dean, Barry
An interesting one for the list ... We are installing a Palo Alto firewall and it has a way to pass Username/IP mappings from FreeRADIUS to a Windows User ID Agent, which is then queried by the firewall. The method employed is to use a Perl module (PAN::API), which has a simple API,

Username format

2013-10-14 Thread Dean, Barry
I think I know the answer to this question but I wanted to check with the Gurus! Does FreeRADIUS give a fig about what the username is? If it were all numeric, say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS? If there was to be an issue, it would be the back end