ID's internally some allow n to 1 and 1 to n
relationships, others like your d-links only allow a direct mapping.
Basically it sounds like you are limited by the constraints of your NAS.
Joe Vieira
UNIX Systems Administrator
Clark University
Joel MBA OYONE wrote:
Alan,
I possess a device from D-L
Hi,
this is a weird one for ya'll.
windows clients (xp sp2 and what not) can be configured to pass their
credentials along to wireless when they authenticate to the computer(to
the AD domain). that seems to work fine.
then randomly it seems to stop working and their login seems to be wrong.
Hi,
I currently have the server in debug and am waiting to see if it fails with an
actual error. In the mean time this is what i am seeing.
rhel5-64bit freeradius 1.1.7 after about a day and a half one of the threads
decides to use 100% of the CPU it's on, and nothing is logged in the normal
Sorry, i am running 1.1.6 not 7.
Joe
From: [EMAIL PROTECTED] [EMAIL PROTECTED] On Behalf Of Joe Vieira [EMAIL
PROTECTED]
Sent: Tuesday, November 06, 2007 6:22 AM
To: FreeRadius users mailing list
Subject: radius 1.1.7 hangs 100% cpu
Hi,
I currently
Joe Vieira wrote:
>> before this started happening i changed max request time up to 60 cleanup
>> delay to 6 max requests to 64 as well as increased the min number of
>> servers to 8. i thought those changes would be pretty harmless, should i
>> have been more care
before this started happening i changed max request time up to 60 cleanup delay
to 6 max requests to 64 as well as increased the min number of servers to
8. i thought those changes would be pretty harmless, should i have been more
careful with them
maybe max_requests is too high as wel
> It looks like a threading issue. Other than that, I haven't seen
>anyone else run into that with 1.1.7.
sorry i made a mistake originally (i sent a correction but it prolly got lost
in the mix of all the messages to this list) i am running 1.1.6. are there any
issues with 1.1.6 and threadi
file? could someone give me a
general example of how they would try to do it?
I was thinking in the ldap mapping file of adding a check item vpngroup
(or whatever) and then using the users file to match off of that to set
a reply of what i am looking for
Joe Vieira
UNIX Systems Adminis
0004
...
so i see it set the check item VPNGroupName to testing, but it never
matches in the users file, can anyone point to what i am doing wrong?
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I created the attribute, and i don't get any dictionary errors
[EMAIL PROTECTED] raddb]# cat dictionary | grep VPN
ATTRIBUTE VPNGroupName 3001 string
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
[EMAIL PROTECTED] wrote:
Attribute is most likely VPN-
...so clearly i am doing something VERY
wrong, is anyone able to send me in the right direction?
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
I created the attribute, and i don't get any dictionary errors
[EMAIL PROTECTED] raddb]# cat dictionary | grep
>I suggest you investigate the user of LDAP groups.
thanks for the suggestion, I did that last night and it worked well for me.
Joe
ap:User-Name} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
make sure you make a dictionary attribute for "domain" as well.
Joe Vieira
UNIX Systems Administrator
Clark University
On Tuesday 11 December 2007 9:29:46 am Dave Gibelli wrote:
> Hi
>
> I a
currently) i could actually imagine going an hour or
even two without any authentication attempts.
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
> Since we have no idea what the problem is, the answer is likely "no".
totally fair =)
> If malloc() is core dumping, then something else is going wrong. i.e.
>some other part of the server is over-writing memory.
when you say "the server" i assume you mean freeradius not another app.??
>
I've been trying to pin down a rather elusive segfault for over 2 months now.
and i finally got it to happen inside of gdb.
this is freeradius 1.1.6, on rhel5 x86-64
if this problem is fixed in 2.0 or 1.1.7 please let me know.
Starting program: /usr/sbin/radiusd -X
[Thread debugging using libt
no - i'd read that as some other part of your 64bit x86 box is trashing
the memory.
hmm, the box itself is totally stable, nothing else has been an issue...
hyperthreading on?
no they are true dualcore Xeon's w/ no hyperthreading.
Joe
that's why i sent my second email telling you to make sure $_incdir is
defined in your .rpmmacros file. =)
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Andrew Long wrote:
Well, not so lucky after all. Looks like the build gets 99% completed
and we get an error:
+ RADDB
also make sure $_incdir is defined in your .rpmmacros
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
you'll need to either rename everything in the spec file to be
"freeradius-server"
or just open the tar.gz rename the directory INSIDE IT
Andrew Long wrote:
OK, can you give me the explicit code here. Here is the file as it exists:
$ cat .rpmmacros
%_topdir %(echo $HOME)/rpmbuild
yea, add this line.
%_incdir /usr/include
or whatever directory you want ...
you'll need to either rename everything in the spec file to be
"freeradius-server"
or just open the tar.gz rename the directory INSIDE IT (which is also
freeradius-server) to freeradius-2.0.1... then zip it all back up and
run your spec again and it will work.
Joe Viei
session fails.
could someone help me figure out what that means exactly?
thanks,
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Joe Vieira wrote:
Wed Feb 6 10:43:44 2008 : Error: TLS Alert write:fatal:bad record mac
Wed Feb 6 10:43:44 2008 : Error: rlm_eap: SSL error error:1408F119:SSL
routines:SSL3_GET_RECORD:decryption failed or bad record mac
Wed Feb 6 10:43:44 2008 : Error: rlm_eap_tls: SSL_read failed in a
f78 in request_handler_thread (arg=out>) at threads.c:488
#6 0x003da1c062f7 in start_thread () from /lib64/libpthread.so.0
#7 0x003da0cce85d in clone () from /lib64/libc.so.6
(gdb) print vals
$1 = (char **) 0xffffb00020e0
(gdb) print vals[0]
Cannot access memory at address 0xfff
if that's the case, why do you think it seems to work fine single threaded?
I dunno...
=(
i am adding a ton of debugging stuff to the function so hopefully it
might give some more insight...
joe
1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid
memory location. (always 0xb00020e0)
Try running it without the LDAP module. If it works, then the ldap
module, or the LDAP libraries it uses aren't 64-bit clean.
if that's the case, why do you think
I am consistently getting a segfault (~every 45minutes or so) from line
1319 of rlm_ldap.c , gdb debugging shows me that vals[0] is not a valid
memory location. (always 0xb00020e0)
Try running it without the LDAP module. If it works, then the ldap
module, or the LDAP libraries
model name : Intel(R) Celeron(R) CPU 2.40GHz
Doesn't sound like a 64-bit machine. Dang...
they did make the "celeron d" line that had a 2.4 that was 64
bitlike around 2006 or so i think... so it could be still..
Norbert Wegener wrote:
The complete log is at http:// www.wegener-net.de/freeradius/ (url
destroyed)
In line 116518 a client gets a reject, in 119715 the same client an accept.
...
State = 0x00030d00
...
...
All I can guess is that the code generat
Joe Vieira wrote:
Joe Vieira wrote:
if that's the case, why do you think it seems to work fine single threaded?
I dunno...
so, even tho LDAP_DEPRECATED was set as a cflag in
rlm_ldap/configure.in, it never shows up as a gcc option during
compilation for some reason...
Joe Vieira wrote:
if that's the case, why do you think it seems to work fine single threaded?
I dunno...
So, more or less at this point threading seems to ruin this somehow.
which is really weird.
this same server was running freeradius 1.1.6, then i installed th
seemingly thus far...
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
[EMAIL PROTECTED] wrote:
Hi,
else you can get into a situation where the compiler assumed the function
(in this case ldap_get_values) returns an int (32bit), but it actually
returns a pointer (64bit on 64
Hey Alan,
is the LDAP_DEPRECATED stuff all fixed in 2.0.2? just wanna double
check before i compile it and don't pass that option myself...
Thanks,
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
Norbert Wegener wrote:
With 2.0.2 I tried a performance test wit
.
the rlm_ldap docs should be most of what you need...
In addition,
I'd like to know if anyone out there has this kind of configuration in
place, and working.
I have it working, I do authorization based on openLDAP ( with groups )
and i do authentication off active directories.
Joe Vieira
>> But there are multiple domains in active-directory. How to configure
>> freeRADIUS or samba can let it support multiple domains?
> FreeRADIUS just used Samba to do authentication with AD. The winbind
>&& ntlm_auth API used in Samba cannot authenticate to multiple domains.
that's not entirely
JUST my ldap authorization section, i don't
want to mess with it anywhere else...
--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
't want..
ideas?
Joe Vieira
UNIX Systems Administrator
Clark University
Alan DeKok wrote:
> joe vieira wrote:
>
>> i have eap-peap authentication working against our ad domain. peachy
>> keen. what i would like to be able to do is, in our openldap
>> environment, store attributes for retrieval by radius, cisco stuff/
>> etc.
Sam Schultz wrote:
> On Thu, 15 Mar 2007 10:57:29 -0500 joe vieira <[EMAIL PROTECTED]>
> wrote:
>
>> Alan DeKok wrote:
>>
>>> joe vieira wrote:
>>>
>>>
>>>> i have eap-peap authentication working against ou
Sam Schultz wrote:
>>> DEFAULT
>>> Autz-Type := ,
>>> Auth-Type :=
>>>
>
>
>> so i did what you recommended, which makes sense to do... i have
>> Autz-type := eap, and in debug mode i get this clearly an access-
>>
> reject
>
>> follows.
>>
>> auth
Erico Augusto wrote:
> Hi,
>
> I would like to send clear-text password at post-auth using eap-ttls.
> is there a way?
> I'm avoiding to write a lot of details about the question. Just using
> post-auth I got to send User-password attribute, but it's cyphered at
> destination(Yes, there is all t
Sérgio Kojima wrote:
> Hello all.
>
> My freeradius1.1.5 is configured to work with openldap and samba PDC,
> resume, it works fine when i login with username/password/domain, but
> this user already logon one time on domain, that is, the user is on
> cache in this windows machine (XP and W2kPR
Erico Augusto wrote:
> Hi,
>
> I'm using EAP-TTLS to supplicant authentication.
>
> to authenticate the users at freeradius, I'm using users file to match
> user's password:
>
> user User-Password == "test"
> Reply-Message = "success"
>
> Is there a way, using DEFAULT
Hey,
Weird question:
I am running freeradius 1.1.5, with samba 3.0.24. configured using
EAP-PEAP, works, when I use a windows XP client and DO NOT do
"automatically connect with my domain login name and password", it works
like a charm. However when i DO configure it to "auto login" i
Sérgio Kojima wrote:
> Hello all.
>
> My freeradius1.1.5 is configured to work with openldap and samba PDC,
> resume, it works fine when i login with username/password/domain, but
> this user already logon one time on domain, that is, the user is on
> cache in this windows machine (XP and W2kPR
A B wrote:
> I've installed freeradius 1.1.5 and am able to run radtest
> successfully on the machine that freeradius is installed on. However,
> when I try to run radtest (or NTRadPing or radius test client) it is
> unable to connect to the server. Does anyone have any ideas? I do have
> the
tion *:1812
> Listening on accounting *:1813
> Ready to process requests.
>
That doesn't mean that you can access those ports from off of the
box...did you check your firewall configuration to make sure those ports
are accessible?
easy test is to nmap -sU "whatever your freerad
Hi,
Using freeradius 1.1.5 samba 3.0.24...i have an interesting problem,
and was curious what methods other people would take to solve it.
I am setting up radius for our new wpa2 wireless network, which
means that windows machine auth should work so that people can LOGIN to
their lapto
>
> well, you can use regexp/attr_filter to look for these systems
> and then just chop off the activedirectorydomain.domain.domain. part
> thus allowing the AD REALM to be forced by yourselves.
>
>
I tried something similar i used attr_rewrite to replace the bad parts
of User-Name with the mo
ah! you really cannot play with User-Name - as you have found, the client
> doesnt like that to be changed. what you want to do is copy User-Name
> to Stripped-User-Name and then play with Stripped-User-Name - and
> use that in the rest of the stages.
>
how do i copy User-Name to something else?
. I've gone thru the same frustration, blame Microsoft.
Joe Vieira
UNIX Systems Administrator
Clark University
>no. if it worked with XP then the certs are fine - the server needs to be
>upgraded to support Vista.
I assumed since he was using the IBM supplicant stuff in XP, that worked around
the cert issues.
Joe
in my experience, i have seen the hosts PASS their name as
host/HOST$.domain.domain.domain what version of samba are you using?
Christian Hohmann wrote:
> Hi members,
>
> I have a problem with the name of hosts. Here is the situation:
> I have an LDAP Directory which is filled by samba-Daemon, f
Hi,
i've got freeradius 1.1.6 running on rhel5. when i goto do an ldap auth. i
get this
Listening on authentication 10.5.5.11:1812
Ready to process requests.
rad_recv: Access-Request packet from host 10.5.5.11:32769, id=76, length=59
User-Name = "jvieira"
User-Password = "te
attached is my gdb log, looks like something happens with the ldap_set_option()
function. thanks for having a lot
Joe
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan Dekok
Sent: Wed 6/13/2007 3:33 AM
To: FreeRadius users mailing list
Subject: Re: seg fault
Joe Vieira
Found the issue, i added -DLDAP_DEPRECATED to the CFLAGS.
Joe
Joe Vieira wrote:
> Hi,
>i've got freeradius 1.1.6 running on rhel5. when i goto do an ldap auth.
> i get this
...
> Segmentation fault
See doc/bugs
Alan DeKok.
--
http://deployingradius.com
You need to compile with ldap deprecated option.
Joe
-Original Message-
From: "Robert E. Toense" <[EMAIL PROTECTED]>
To: "freeradius-users@lists.freeradius.org"
Sent: 6/25/2007 6:03 PM
Subject: FreeRadius 1.1.6 Segmentation Fault with LDAP
I am attempting to setup FreeRadius 1.1.6 to d
ould you elaborate? Is this a "configure"
option to FreeRadius? If so, I don't see it.
Thanks,
Robert
Joe Vieira wrote:
> You need to compile with ldap deprecated option.
> Joe
>
> -Original Message-
> From: "Robert E. Toense" <[EMAIL P
Is it possible to have radius listen on multiple (but not all) ip's /
interfaces on a server?
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
508.793.7287
Joe Vieira wrote:
> Is it possible to have radius listen on multiple (but not all) ip's /
> interfaces on a server?
>> Yes. Use multiple "listen" directives.
thanks
Joe
Hello,
I am curious about the methodology for using one authorization module
for one type of service and another for a different type of service.
basically we have wireless and VPN that is being authorized and
authenticated through our radius box. i would like to be able to control
authorization t
Nevermind, i figured it out.
Joe Vieira wrote:
> Hello,
>
> I am curious about the methodology for using one authorization module
> for one type of service and another for a different type of service.
> basically we have wireless and VPN that is being authorized and
> authent
t it working via the command line
you'll have a MUCH better chance of it working in freeradius.
hints are kinit -> get that working also get wbinfo -u listing your
domain users
Joe Vieira
UNIX Systems Administrator
Clark University
-B2-48) <- freaky line
now, that looks like extended unicode to me in the username...obviously
we don't have a user named that, or even a domain named 'RUN', moreover
it doesn't seem like that "username" should even have been authorized
thru the ldap rules
--
Joe
64 matches