Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-19 Thread pramod kulkarni
Thanks for the reply.

I am new to FreeRadius and doing analysis on how to remove the identity
and password attributes of the LDAP module in radiusd.config and still be
able to authenticate and authorize LDAP users.

Is there any other option/configuration to avoid usernames and plain
text passwords in the ldap module of radiusd.conf for authenticating and
authorizing users of the LDAP database?

I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as
the database for the EAP-TLS method, as one of the forum answers is no:

http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

 I would like to use a certificate (admin) to bind to the LDAP database
using FreeRadius because admin has the authority to traverse the LDAP tree.

 After binding using the certificate I would like to authenticate different
users of LDAP using radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
127.0.0.1 auth testing1

If, as per the replies, only LDAP simple bind is possible, how do I compile
OpenLDAP+SASL+FreeRadius on Windows only through cygwin? Or is there any other
option?

 Please advise me if I am wrong.
Waiting for your inputs.

Regards,
Pramod






On Wed, Apr 10, 2013 at 8:34 PM, Arran Cudbard-Bell 
a.cudba...@freeradius.org wrote:

  There are other ways to establish the trust between radiusd and LDAP
 beside simple binds which do not involve passwords. All of these use SASL
 in some form. Unfortunately rlm_ldap does not support them. I know Alan
 rewrote rlm_ldap recently for the upcoming 3.0 version,
  I don't know if SASL support was added or not. In any event this is an
 open source project and if you want this functionality then the usual
 mantra Patches Welcome applies.

 No it wasn't.

 -Arran



 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html


Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-19 Thread Olivier Beytrison
On 19.04.2013 10:35, pramod kulkarni wrote:
 Thanks for the reply.
  
 I am new to FreeRadius and doing analysis on how to remove the
 identity and password attributes of the LDAP module in
 radiusd.config and still be able to authenticate and authorize LDAP users.

Is that really an issue for you? Set restrictive permissions on the file
so that only root and freeradius can read the admin credentials for the
LDAP server. And do not let people log in as root. Everyone does that. It
works fine.

 Is there any other option/configuration to avoid usernames and plain
 text passwords in the ldap module of radiusd.conf for authenticating and
 authorizing users of the LDAP database?

AFAIK, no.

 I tried the EAP-TLS method but didn't get a proper result. Can I use LDAP as
 the database for the EAP-TLS method, as one of the forum answers is no:
  http://freeradius.1045715.n5.nabble.com/EAP-TLS-LDAP-tt2750042.html#a2750045

That's something else. EAP-TLS is how the user authenticates to the
RADIUS server, not how the RADIUS server binds to the LDAP server.

BUT you could do EAP-TLS without user/password (for the user) and check
the validity of the certificate against an LDAP server that allows you to
retrieve that information anonymously (removing the need to have
credentials written in the ldap module). But then it's your LDAP server
that can leak information.

  I would like to use a certificate (admin) to bind to the LDAP database
 using FreeRadius because admin has the authority to traverse the LDAP tree.

Not supported at the moment.

  After binding using the certificate I would like to authenticate different
 users of LDAP using radclient.exe -d ..\etc\raddb -f radtest.txt -x -s
 127.0.0.1 auth testing1

This will work with radclient, which does PAP. This won't work with
wireless clients, who do EAP.

 If, as per the replies, only LDAP simple bind is possible, how do I compile
 OpenLDAP+SASL+FreeRadius on Windows only through cygwin? Or is there any other
 option?

If you do PAP and want to authenticate against your LDAP, the only
option is simple-bind at the moment. As usual, Patches Welcome.
As for compiling on cygwin, I can't tell you whether that's supported or
working.

On a final note, people have been using LDAP with credentials in a file
for ages. It's down to the security of the server and the filesystem
permissions to ensure that only authorized users can access this file.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
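Olivier's advice above (a plaintext bind password in the ldap module is acceptable when the file is readable only by root and the radiusd user) is easy to check mechanically. The following is an added example, not code from the thread or from FreeRADIUS: it writes a constructed copy of an rlm_ldap fragment (server, DN and secret are invented), then audits the file's mode bits the way an operator would on a real raddb. The real file path depends on the version (raddb/modules/ldap in 2.x, raddb/mods-available/ldap in 3.x) and is not assumed here.

```python
import os
import re
import stat
import tempfile

# Constructed sample of the rlm_ldap fragment the thread is about; the
# 'identity' and 'password' lines hold the bind DN and its plaintext secret.
SAMPLE_LDAP_MODULE = """\
ldap {
    server = "ldap.example.org"
    identity = "cn=admin,dc=example,dc=org"
    password = "example-bind-secret"
    basedn = "dc=example,dc=org"
}
"""


def has_plaintext_bind_password(text):
    """True when an uncommented 'password = <non-empty>' line is present."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing/whole-line comments
        m = re.match(r'password\s*=\s*"?([^"]*)"?\s*$', line)
        if m and m.group(1):
            return True
    return False


def audit_secret_file(path, expect_uid=0):
    """Findings for a config file that carries a bind secret.

    Acceptable: owned by expect_uid (root on a real server), not readable
    by 'other', not writable by group or other. Group membership decides
    who else may read it; that is the radiusd group on a real install.
    """
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IROTH:
        findings.append("world-readable")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("writable by group or others")
    if st.st_uid != expect_uid:
        findings.append("unexpected owner uid %d" % st.st_uid)
    return findings


def write_sample(tmpdir, mode):
    """Write the constructed fragment with the given mode; returns its path."""
    path = os.path.join(tmpdir, "ldap")
    with open(path, "w") as f:
        f.write(SAMPLE_LDAP_MODULE)
    os.chmod(path, mode)
    return path


def demo(modes=(0o644, 0o666, 0o640)):
    """Audit the sample under several modes; returns {mode: findings}."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        path = write_sample(d, 0o600)
        for mode in modes:
            os.chmod(path, mode)
            # expect_uid is the current user here because the temp file is ours
            results[mode] = audit_secret_file(path, expect_uid=os.getuid())
    return results


if __name__ == "__main__":
    for mode, findings in demo().items():
        print("%04o -> %s" % (mode, findings or "ok"))
```

Only 0640 (or 0600) comes back clean; the same check applied to the whole raddb directory is a cheap addition to a configuration-drift monitor.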


Re: How to configure RADIUS +LDAP using SASL/Certificate based binding instead of usernames and passwords

2013-04-10 Thread Arran Cudbard-Bell
 There are other ways to establish the trust between radiusd and LDAP beside 
 simple binds which do not involve passwords. All of these use SASL in some 
 form. Unfortunately rlm_ldap does not support them. I know Alan rewrote 
 rlm_ldap recently for the upcoming 3.0 version,
 I don't know if SASL support was added or not. In any event this is an open 
 source project and if you want this functionality then the usual mantra 
 Patches Welcome applies.

No it wasn't.

-Arran





Re: How to configure Solaris 10 Radius Authentication client.

2012-06-04 Thread Alan DeKok
Alek Barsky wrote:
 There is one problem – the only way I can receive a login shell on this
 box is if the user already exists.

  That's how PAM works.

  It makes PAM rather a lot less useful.  But that's PAM for you.

  Alan DeKok.

Re: How to configure Solaris 10 Radius Authentication client.

2012-06-04 Thread Michael Hocke


On Jun 4, 2012, at 2:06 PM, Alek Barsky wrote:

 I need to configure a bunch of Solaris servers to use RADIUS PAM for
 Authentication/Authorization.

PAM only does authentication. After all, it stands for Pluggable Authentication 
Modules.

 I followed the instructions in http://freeradius.org/pam_radius_auth/ and was
 able to configure the Authentication portion of this task.
 There is one problem – the only way I can receive a login shell on this box –
 if the user already exists.

That's because in addition to PAM you still need some kind of directory to hold 
all the other user information like user id, group id, home directory, gecos 
field and preferred shell. /etc/nsswitch.conf determines where that information 
can be retrieved from (files, NIS, LDAP, DNS, etc.). I am not aware of a 
solution that lets you use RADIUS as a directory service for Solaris.

- - Michael




Re: How to configure COA in freeRadius

2012-04-06 Thread Alan DeKok
ulislam.raihan wrote:
 If the NAS and FreeRADIUS server are on the same PC, then on which port will
 freeradius send the CoA request to the NAS?

  This is documented.  You were told which file to read.

  Alan DeKok.


Re: How to configure COA in freeRadius

2012-04-06 Thread ulislam.raihan
Hi Alan ,
The document says:
/The default destination of a CoA packet is the NAS (or client)
#  that sent the original Access-Request or Accounting-Request./

So in the Access-Request it is mentioned as shown below:

rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1,
length=59 
User-Name = testing 
NAS-IP-Address = 127.0.0.1 
NAS-Port = 4200 
User-Password = password 

But then why is it showing Unknown destination? The log from radiusd
is shown below.
Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200
for CoA request. 
Thu Apr  5 13:49:52 2012 : Info: Do CoA Fail handler here 

I have checked with the netstat command in the OS that a java program is
listening on port 4200.

Do I have to configure the NAS client IP and port in the home_server section of
the originate-coa file?

Thanks for your patience
Best regards
Raihan

Alan DeKok-2 wrote
 
 ulislam.raihan wrote:
 If the NAS and FreeRADIUS server are on the same PC, then on which port will
 freeradius send the CoA
 request to the NAS?
 
   This is documented.  You were told which file to read.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 


Re: How to configure COA in freeRadius

2012-04-06 Thread ulislam.raihan
Hi Alan ,

Just want to add that the current configuration in the originate-coa file is below. It
is the default configuration; I did not change it.

home_server localhost-coa {
type = coa

#
#  Note that a home server of type coa MUST be a real NAS,
#  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
#  server.
#
ipaddr = 127.0.0.1
port = 3799

#  This secret SHOULD NOT be the same as the shared
#  secret in a client section.
secret = testing1234

#  CoA specific parameters.  See raddb/proxy.conf for details.
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

And in clients.conf I did not enable the # coa_server = coa line, because I
did not want the freeradius server to receive the CoA Request. I hope my
understanding is right.

Thanks for your patience
Best regards
Raihan



Re: How to configure COA in freeRadius

2012-04-06 Thread Alan DeKok
ulislam.raihan wrote:
 Hi Alan ,
 The document says:
 /The default destination of a CoA packet is the NAS (or client)
 #  that sent the original Access-Request or Accounting-Request./

  Yes.  To the *IP* of the NAS.  But which port?

 So in the Access-Request it is mentioned as shown below:
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1,
 length=59 
 User-Name = testing 
 NAS-IP-Address = 127.0.0.1 
 NAS-Port = 4200 

  The NAS-Port is *not* the CoA port.

 User-Password = password 
 
 But then why is it showing Unknown destination? The log from radiusd
 is shown below.
 Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination 127.0.0.1:4200
 for CoA request. 

  Yes... because you didn't configure the shared secret for CoA.

 I have checked with the netstat command in the OS that a java program is
 listening on port 4200.

  That doesn't matter.

 Do I have to configure the NAS client IP and port in the home_server section of
 the originate-coa file?

  That's what the documentation says.

  Alan DeKok.


Re: How to configure COA in freeRadius

2012-04-06 Thread ulislam.raihan

Alan DeKok-2 wrote
 
 ulislam.raihan wrote:
 Hi Alan ,
 The document says 
 /The default destination of a CoA packet is the NAS (or client)
 #  the sent the original Access-Request or Accounting-Request./
 
   Yes.  To the *IP* of the NAS.  But which port?
 To Alan: That was my question in my previous mail. So I have to mention the
 CoA port in the home_server section of the originate-coa file, if my
 understanding is right.
 
 So in the Access-Request it is mentioned as shown in below
 
 rad_recv: Access-Request packet from host 127.0.0.1 port 57378, id=1,
 length=59 
 User-Name = testing 
 NAS-IP-Address = 127.0.0.1 
 NAS-Port = 4200 
 
   The NAS-Port is *not* the CoA port.
 
 User-Password = password 
 
 But then why it is showing Unknown destination.  The log from the 
 radiusd
 shows below.
 Thu Apr  5 13:49:52 2012 : Info: WARNING: Unknown destination
 127.0.0.1:4200
 for CoA request. 
 
   Yes... because you didn't configure the shared secret for CoA.
 To Alan: where do I configure the secret for CoA? I hope in clients.conf.
 Then it will look like this:
 client 127.0.0.1 {
   secret  = testing123-2
   shortname   = private-network-2
   coa_server = localhost-coa
 }
 
 and in originate-coa the configuration will be:
 home_server localhost-coa {
   type = coa
 
   #
   #  Note that a home server of type coa MUST be a real NAS,
   #  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
   #  server.
   #
   ipaddr = 127.0.0.1
   port = 4200
 
   #  This secret SHOULD NOT be the same as the shared
   #  secret in a client section.
   secret = testing1234
 
   #  CoA specific parameters.  See raddb/proxy.conf for details.
   coa {
   irt = 2
   mrt = 16
   mrc = 5
   mrd = 30
   }
 }
 
 I have check with the netstat command in the OS  that a java program is
 listening to the port 4200.
 
   That doesn't matter.
 
 Do i have to configure the NAS client IP and port in home_server section
 of
 originate-coa file ?
 
   That's what the documentation says.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 


Re: How to configure COA in freeRadius

2012-04-06 Thread ulislam.raihan
Hi Alan ,

That was my question in my second post. So I have to mention the CoA port in
the home_server section of the originate-coa file, if my understanding is right.

Where do I configure the secret for CoA? I hope in clients.conf. Then it will
look like this:
client 127.0.0.1 {
secret  = testing123-2
shortname   = private-network-2
coa_server = localhost-coa
}

and in originate-coa the configuration will be:
home_server localhost-coa {
type = coa

#
#  Note that a home server of type coa MUST be a real NAS,
#  with an ipaddr or ipv6addr.  It CANNOT point to a virtual
#  server.
#
ipaddr = 127.0.0.1
port = 4200

#  This secret SHOULD NOT be the same as the shared
#  secret in a client section.
secret = testing1234

#  CoA specific parameters.  See raddb/proxy.conf for details.
coa {
irt = 2
mrt = 16
mrc = 5
mrd = 30
}
}

Thanks again..

Best regards 
Raihan



Re: How to configure COA in freeRadius

2012-04-06 Thread Alan DeKok
ulislam.raihan wrote:
 Quoted from: 
 http://freeradius.1045715.n5.nabble.com/How-to-configure-COA-in-freeRadius-tp5620185p5622396.html

  If you're going to insist on being obtuse, you can be unsubscribed and
banned.

  You either didn't read the configuration you posted, or you didn't
understand it.

  You're sending packets to port 4200, but the default configuration
uses 3799.  Perhaps this could be a problem?

  What *additional* documentation do we need to write so that you will
understand destination port means destination port, and not magical
thing I'm supposed to not touch?

  Alan DeKok.
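The point Alan keeps making in this thread is that the CoA destination (address, port and shared secret) comes from the home_server block, not from the NAS-Port of the Access-Request. The following is an added example, not code from the thread or from FreeRADIUS: it parses a constructed copy of the home_server block quoted above, builds a CoA-Request with the Request Authenticator defined in RFC 5176 section 3 (MD5 over code, identifier, length, sixteen zero octets, attributes and the shared secret), and verifies it. The attribute values and the "sess-0001" session id are constructed; nothing is sent on the network.

```python
import hashlib
import hmac
import re
import struct

# Constructed copy of the default home_server block quoted in this thread.
HOME_SERVER_CONF = """
home_server localhost-coa {
    type = coa
    ipaddr = 127.0.0.1
    port = 3799            # the NAS's CoA listener, not its NAS-Port value
    secret = testing1234   # must match the NAS's CoA secret
    coa {
        irt = 2
        mrt = 16
        mrc = 5
        mrd = 30
    }
}
"""

COA_REQUEST = 43          # RADIUS packet code for CoA-Request (RFC 5176)
ATTR_USER_NAME = 1
ATTR_ACCT_SESSION_ID = 44


def parse_home_server(text):
    """Return the top-level key/value pairs of a home_server block as a dict."""
    m = re.search(r"home_server\s+(\S+)\s*\{(.*)\}", text, re.S)
    body = re.sub(r"coa\s*\{.*?\}", "", m.group(2), flags=re.S)  # drop retry sub-block
    conf = {"name": m.group(1)}
    for line in body.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            conf[key] = value
    return conf


def coa_destination(conf):
    """(address, port) the CoA goes to: the home_server's, regardless of NAS-Port."""
    if conf.get("type") != "coa":
        raise ValueError("home_server is not of type coa")
    return conf["ipaddr"], int(conf["port"])


def encode_attribute(attr_type, value):
    """RADIUS TLV: type (1 byte), length (1 byte, header included), value."""
    if not 0 < len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_coa_request(identifier, secret, attributes):
    """Build a CoA-Request; Request Authenticator as in RFC 5176 section 3."""
    payload = b"".join(encode_attribute(t, v) for t, v in attributes)
    header = struct.pack("!BBH", COA_REQUEST, identifier, 20 + len(payload))
    authenticator = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return header + authenticator + payload


def verify_coa_request(packet, secret):
    """Recompute the Request Authenticator; False on wrong secret or bad length."""
    if len(packet) < 20:
        return False
    header, received, payload = packet[:4], packet[4:20], packet[20:]
    code, _ident, length = struct.unpack("!BBH", header)
    if code != COA_REQUEST or length != len(packet):
        return False
    expected = hashlib.md5(header + bytes(16) + payload + secret).digest()
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    conf = parse_home_server(HOME_SERVER_CONF)
    print("CoA destination:", coa_destination(conf))
    pkt = build_coa_request(1, conf["secret"].encode(),
                            [(ATTR_USER_NAME, b"testing"),
                             (ATTR_ACCT_SESSION_ID, b"sess-0001")])
    print("packet length:", len(pkt), "valid:", verify_coa_request(pkt, b"testing1234"))
    # The clients.conf secret from the thread is a different string, so it fails:
    print("with clients.conf secret:", verify_coa_request(pkt, b"testing123-2"))
```

The last line is the mechanical reason for the "This secret SHOULD NOT be the same as the shared secret in a client section" comment in the quoted config: the NAS validates the CoA authenticator with whatever secret it has for CoA, and a listener on port 4200 that was never given that secret cannot accept the packet.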


Re: How to configure COA in freeRadius

2012-04-06 Thread ulislam.raihan
Hi Alan,

Thanks for your advice. I was actually confused with the home server. Does it
refer to the virtual server or the NAS?
It's now clear and I have solved the problem: I added the originate-coa in
radiusd.conf. Now freeradius is sending the request to the port.

Thanks
Raihan



Re: How to configure COA in freeRadius

2012-04-05 Thread Alan DeKok
ulislam.raihan wrote:
 I have put the following CoA list in the authorization section of the default file.
 The default file is in /etc/freeradius/sites-available, to enable the CoA
 request.
 update coa {
   User-Name = %{User-Name}
   Acct-Session-Id = %{Acct-Session-Id}
   NAS-IP-Address = %{NAS-IP-Address}
   Packet-Dst-Port = 4200
 }
 
 I am sending an Access-Request from my java program and listening on port 4200.
 I am getting a successful Access-Accept, but I am not getting any CoA request;
 instead I have seen the following error: Info: WARNING: Unknown destination
 127.0.0.1:4200 for CoA request.

  read raddb/sites-available/originate-coa

  This is documented.

  Alan DeKok.


Re: How to configure COA in freeRadius

2012-04-05 Thread ulislam.raihan
Hi Alan,

I must be very dumb... I have read that document several times. But can you
clarify one thing for me: for freeradius to send a CoA request to another client,
does one need to configure a virtual server?

Thanks
raihan




Re: How to configure COA in freeRadius

2012-04-05 Thread Alan DeKok
ulislam.raihan wrote:
 I must be very dumb... I have read that document several times. But can you
 clarify one thing for me: for freeradius to send a CoA request to another client,
 does one need to configure a virtual server?

  If you're going to use CoA, it would be a good idea to follow the
existing examples.

  Perhaps you could try using the originate-coa example, rather than
ignoring it?

  Alan DeKok.


Re: How to configure COA in freeRadius

2012-04-05 Thread ulislam.raihan
If the NAS and FreeRADIUS server are on the same PC, then on which port will
freeradius send the CoA request to the NAS?

Thanks
Raihan





Re: How to configure FreeRadius as Captive Portal

2012-03-14 Thread Tim White

On 13/03/12 21:41, Fabricio Flores wrote:
Hello... I have a question... Which captive portal is the best? I
tried to configure coovachilli in CentOS and it is very hard to install
and configure... Is Grase Hotspot easier?


Grase Hotspot uses Coova Chilli internally, but does the work of setting 
everything up for you. It uses Debian/Ubuntu based distributions as it 
makes use of packaging features to do all the hard configuration work. 
The admin interface is (in my biased opinion) nice and easy to use.


Tim


Re: How to configure FreeRadius as Captive Portal

2012-03-13 Thread ulislam.raihan
Hi Tim

Thanks for your advice. I will try Grase Hotspot. It seems very
interesting.

Thanks
Raihan




Re: How to configure FreeRadius as Captive Portal

2012-03-13 Thread Fabricio Flores
Hello... I have a question... Which captive portal is the best? I tried to
configure coovachilli in CentOS and it is very hard to install and
configure... Is Grase Hotspot easier?

On 13 March 2012 at 03:42, ulislam.raihan raihan1...@gmail.com wrote:

 Hi Tim

 Thanks for your advice. I will try Grase Hotspot. It seems very
 interesting.

 Thanks
 Raihan






-- 
Fabricio A. Flores G.
Graduate in Systems Engineering

MSN: fabri_flor...@hotmail.com
Google: fabriflor...@gmail.com
Twitter: fabricioflores
Skype: fabriciofloresgallardo

Personal Blog http://fabricioflores.wordpress.com/

Re: How to configure FreeRadius as Captive Portal

2012-03-12 Thread Alan Buxey
Hi,

 I am a new person using freeRadius server. I have a wireless access point
 with a WPA authentication option. It does not have any support for 802.1x or
 configuring a Radius server. But I want to implement some central security
 using a Radius server. Is it possible to configure the FreeRadius server in
 such a way that I can set up a captive portal? Any suggestion will be
 highly appreciated.

yes - but you say you want some central security - and security doesn't go with
a captive portal
so I suggest you change the AP to one that can do 802.1X

alan


Re: How to configure FreeRadius as Captive Portal

2012-03-12 Thread ulislam.raihan
Hi Alan,

Thanks for your advice. Is it possible to configure the DHCP module in
freeRadius in such a way that at first the DHCP will give an IP address
from one subnet like 192.168.1.X and afterwards, once authentication is done,
the DHCP will force a change of the IP address to a different IP subnet like
192.168.2.X? I am planning to write a small module in Java. When a device
attaches to the Access Point it will get an IP from 192.168.1.X and all the
requests from this IP range will go to the Java program. It will get the
user name and password from the user and then do the authentication with the
Radius server. After authentication is done the DHCP server will
change the IP address of that device.

Maybe I am making it more complex.
Thanks
Raihan



Re: How to configure FreeRadius as Captive Portal

2012-03-12 Thread Tim White

On 13/03/12 07:33, ulislam.raihan wrote:

192.168.2.X? I am planning to write a small module in Java. When a device
attaches to the Access Point it will get an IP from 192.168.1.X and all the
requests from this IP range will go to the Java program. It will get the
user name and password from the user and then do the authentication with the
Radius server. After authentication is done the DHCP server will
change the IP address of that device.

Hi Raihan.

I suggest you look at something like Coova Chilli. It uses a Radius 
server to authenticate users, but does the captive portal. You can use 
any access point with it, and it'll run fine on the same machine as 
Freeradius. I don't suggest reinventing the wheel if you can avoid it.
If you are totally new to radius/captive portals etc, I suggest checking 
out the Grase Hotspot project, all you need is a machine with 2 network 
cards, install a base debian or ubuntu distro, and then install the 
Grase Hotspot packages on top. It'll setup the Freeradius for you, with 
Coova Chilli and a nice admin interface.


Tim

Disclaimer: The Grase Hotspot is my project; there are other hotspot 
systems out there with Freeradius and Coova Chilli, but some are hard to 
set up.



Re: How to configure redundant radius?

2011-12-30 Thread Alan DeKok
Christ Schlacta wrote:
 I've got a number of devices all of which only have the option for one
 radius IP address (not hostname!) to be configured.  How can I configure
 this type of device for failover (and optionally balance)?  is there
 some PROPER way to do this? or am I limited to only being able to have
 one fr server configured for these particular devices?

  If the devices only allow one IP for the RADIUS server, you can only
have one RADIUS server.

  You need to make sure the server is running.  See various HA systems
for redundancy.  But if you have less than 10K users, it's probably not
worth it.  Just monitor the system to be sure it doesn't go down.

  Alan DeKok.


Re: How to configure redundant radius?

2011-12-30 Thread Christ Schlacta
I have about 8 users, with on average 2.2 systems per user, for a total of 
about 20 clients, but I'm setting up redundancy because I've got 
basically two systems, both of which have fairly low uptime by 
enterprise standards, and downtime is met with much headache and 
griping.  Is there no other way to coerce these single-IP devices to 
work with a pair or more of radius servers, or no other way to configure 
reliable failover?


On 12/30/2011 11:37, Alan DeKok wrote:

Christ Schlacta wrote:

I've got a number of devices all of which only have the option for one
radius IP address (not hostname!) to be configured.  How can I configure
this type of device for failover (and optionally balance)?  is there
some PROPER way to do this? or am I limited to only being able to have
one fr server configured for these particular devices?

   If the devices only allow one IP for the RADIUS server, you can only
have one RADIUS server.

   You need to make sure the server is running.  See various HA systems
for redundancy.  But if you have less than 10K users, it's probably not
worth it.  Just monitor the system to be sure it doesn't go down.

   Alan DeKok.


Re: How to configure redundant radius?

2011-12-30 Thread Толик Шавловский
hi,

You can build an Oracle Solaris cluster (two servers in a cluster with the same IP),
or you can use a brodhop device to use one IP for two different servers.

anatolii


30 December 2011, 23:02, from Christ Schlacta li...@aarcane.org:
 I've got a number of devices all of which only have the option for one
 radius IP address (not hostname!) to be configured.  How can I configure
 this type of device for failover (and optionally balance)?  is there
 some PROPER way to do this? or am I limited to only being able to have
 one fr server configured for these particular devices?


Re: How to configure redundant radius?

2011-12-30 Thread Alan DeKok
Christ Schlacta wrote:
 I have about 8 users, with on average 2.2 systems per user, for a total of
 about 20 clients, but I'm setting up redundancy because I've got
 basically two systems, both of which have fairly low uptime by
 enterprise standards, and downtime is met with much headache and
 griping.

  Maybe you should concentrate on fixing those systems rather than
trying to add complexity.

  Is there no other way to coerce these single-IP devices to
 work with a pair or more of radius servers, or no other way to configure
 reliable failover?

  Magic.

  Alan DeKok.


Re: How to configure proxy server to send a copy of acct to remote/home server

2011-10-27 Thread tonimanel
Have you got this configuration working? How have you done it? I can't get
accounting data synced to the remote server with the same set of information
(acctstarttime and acctstoptime have different times; I think this is because
the servers take their local time at the moment they receive the packets).

Any idea?



Re: How to configure radius based on the isakmp group profile

2011-07-27 Thread Arran Cudbard-Bell
You're assuming FreeRADIUS will magically strip off the 'isakmp-group-id=' part 
of the value... AVPairs are Cisco's own invention; they are not part of the 
RADIUS standard.

It's difficult to do because the order of AVPairs sometimes changes and the == 
operator will only check the first instance of the attribute.

If you care about it being reliable between Cisco NAS upgrades, upgrade to 3.0x and I'll 
send you some unlang policies that deal with Cisco-AVPairs properly. If you 
don't, you can use the following...

authorize {
# Comment out files
# files
# Insert at the end of the authorize section
update request {
Auth-Type := %{control:Auth-Type}
}
}

post-auth {
# Add 
files.authorize
}

In the users file change

Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair ==  
CiscoGroup 

to

Auth-Type == ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == 
isakmp-group-id=CiscoGroup

-Arran

On 27 Jul 2011, at 09:52, Jevos, Peter wrote:

 Hi ,
 My cisco sends to radius its IP address, and isakmp-group-id (or profile 
 name)
 Debug from radius –X:
  
 Cisco-AVPair = isakmp-group-id=CiscoGroup
  Acct-Session-Id = 61286
 User-Name = domain\\user
 Cisco-AVPair = connect-progress=No Progress
 Acct-Authentic = Local
 Acct-Status-Type = Start
 NAS-Port-Type = Virtual
 NAS-Port = 20
 NAS-IP-Address = 10.1.1.1
  
 How should I configure freeradius to accept requests for this group 
 (isakmp-group-id=CiscoGroup) only for users that are authenticated against 
 Auth-Type := ntlm_auth_vpn_osw (already used and working)?
 However other groups (or profiles) should be authenticated against 
 Auth-Type := vpn_auth_name
 I tried these settings in the users file but it doesn't work
  
 DEFAULT  Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, 
 Cisco-AVPair ==  CiscoGroup 
 Service-Type = Framed-User,
Framed-Protocol = PPP,
  
 DEFAULT  Auth-Type := vpn_auth_name
Service-Type = Framed-User,
   Framed-Protocol = PPP,
  
 Thanks
  
 pet

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter

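Arran's two caveats (AVPairs arrive in varying order, and a users-file `==` check only looks at the first instance of a multi-valued attribute) are easy to see with a small model of the request. The following is an added example, not code from the thread or from FreeRADIUS: the attribute list is constructed from the radiusd -X output Peter quoted, the matching is done by key prefix across every Cisco-AVPair instance, and a naive first-instance comparison is kept alongside to show exactly where `Cisco-AVPair == ...` breaks when the NAS reorders the pairs. The policy rule itself (CiscoGroup on 10.1.1.1 gets ntlm_auth_vpn_osw, everything else vpn_auth_name) is the one the thread describes.

```python
# Constructed request modelled on the radiusd -X output quoted in the thread.
# Attributes are kept as an ordered list because RADIUS allows repeated attributes.
REQUEST = [
    ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
    ("Acct-Session-Id", "61286"),
    ("User-Name", "domain\\user"),
    ("Cisco-AVPair", "connect-progress=No Progress"),
    ("Acct-Authentic", "Local"),
    ("NAS-Port", "20"),
    ("NAS-IP-Address", "10.1.1.1"),
]


def first_value(attrs, name):
    """First instance of a plain attribute, or None if absent."""
    for attr_name, value in attrs:
        if attr_name == name:
            return value
    return None


def avpair_value(attrs, key):
    """Value of the Cisco-AVPair 'key=value' entry, whichever instance holds it."""
    prefix = key + "="
    for attr_name, value in attrs:
        if attr_name == "Cisco-AVPair" and value.startswith(prefix):
            return value[len(prefix):]
    return None


def first_instance_equals(attrs, name, wanted):
    """Mimics a users-file 'Attr == value' check: only the first instance is seen."""
    value = first_value(attrs, name)
    return value is not None and value == wanted


def choose_auth_type(attrs):
    """Policy from the thread: CiscoGroup on 10.1.1.1 -> ntlm_auth_vpn_osw, else vpn_auth_name."""
    group = avpair_value(attrs, "isakmp-group-id")
    if first_value(attrs, "NAS-IP-Address") == "10.1.1.1" and group == "CiscoGroup":
        return "ntlm_auth_vpn_osw"
    return "vpn_auth_name"


def with_avpairs_swapped(attrs):
    """Same request with the two Cisco-AVPair instances exchanged, as a NAS may send them."""
    positions = [i for i, (n, _) in enumerate(attrs) if n == "Cisco-AVPair"]
    out = list(attrs)
    out[positions[0]], out[positions[1]] = out[positions[1]], out[positions[0]]
    return out


if __name__ == "__main__":
    swapped = with_avpairs_swapped(REQUEST)
    for label, req in (("original order", REQUEST), ("swapped order", swapped)):
        print(label,
              "| prefix match:", avpair_value(req, "isakmp-group-id"),
              "| first-instance ==:", first_instance_equals(req, "Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
              "| Auth-Type:", choose_auth_type(req))
```

The first-instance comparison passes in the original order and fails once the pairs are swapped, while the prefix search returns CiscoGroup both times; that asymmetry is why the thread recommends a policy that walks every instance rather than a single `==` line in the users file.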

Re: How to configure freeradius client?

2011-05-06 Thread Alan DeKok
Meyer Jerome wrote:
 # radiusd -v

  What about radiusd -X, as suggested in the FAQ, README, man page,
web pages, and daily on this list?

 radclient: no response from server for ID 120 socket 3
 
 1)  I don’t know what’s the NAS-IP-Address?
 
 2)  I don’t find any right document about „how to configure the client“?

  See raddb/clients.conf.

 3)  How should I configure the client? Should some daemon be started?

  This is documented.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to configure freeradius client?

2011-05-06 Thread YvesDM
On Fri, May 6, 2011 at 5:01 PM, Meyer Jerome jerome.me...@iwbtelekom.ch wrote:


 Thanks for reply!



 Meyer Jerome wrote:
  # radiusd -v

   What about radiusd -X, as suggested in the FAQ, README, man page,
 web pages, and daily on this list?

 Should the client start the radiusd daemon too?

  radclient: no response from server for ID 120 socket 3
 
  1)  I don’t know what’s the NAS-IP-Address?
 
  2)  I don’t find any right document about „how to configure the
 client“?

   See raddb/clients.conf.

 This file is on the server to check which clients will be connected! Is
 it on the client too?
 Because the client should connect to the server and not the reverse!

  3)  How should I configure the client? Should some daemon be
 started?

   This is documented.

 You mean on the man pages?

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html

 Jérôme Meyer



Jérome,

Please, before Alan freaks out :-), read the documentation. (the wiki is a
nice place to start)
The things you're saying clearly show that you don't understand the concept
at all.

Kind regards
Y
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to configure freeradius client?

2011-05-06 Thread Fajar A. Nugraha
On Fri, May 6, 2011 at 10:01 PM, Meyer Jerome
jerome.me...@iwbtelekom.ch wrote:

 Should the client start the radiusd daemon too?

  radclient: no response from server for ID 120 socket 3
 
  1)      I don’t know what’s the NAS-IP-Address?
 
  2)      I don’t find any right document about „how to configure the 
  client“?

   See raddb/clients.conf.

 This file is on the server to check which clients will be connected! Is it 
 on the client too?
 Because the client should connect to the server and not the reverse!


Let's try a different approach, to see if you can understand this better.

You said you use freeradius to authenticate some Network Equipment,
like routers, switches, etc. and all run well!. So I assume you KNOW
what to do when you need to add a new router/switch/whatever to use
radius authentication, right?  Part of the process is configuring
freeradius to recognize the new switch/whatever as a valid radius
client (i.e. NAS).

From freeradius's perspective, the radtest program (or whatever
mechanism your nagios will use to test radius functionality) is just
another NAS. And you need to configure the server to recognize the new
NAS just like you usually do if you add another switch/whatever.

Does this make sense so far?

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure proxy server to send a copy of acct to remote/home server

2010-09-17 Thread Alan DeKok
Difan Zhao wrote:
 I configured my switch to send accounting information to the proxy
 server. The proxy server is using MySQL to store the acct info. This
 part works fine too.  
 
 However I’m requested to also send a copy of the acct info to the remote
 server…

  Configure the proxy to proxy the accounting packets.  Also configure
it to store packets locally.

 I’m still checking my switch (Cisco) and see if it can send two copies
 of acct info to two different servers at the same time. However, is it
 possible to make FreeRadius to automatically forward a copy to the
 remote server??

  Yes.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: how to configure a proxy radius server but the username doesn't have any realm ?

2010-08-09 Thread Alan DeKok
freddychu wrote:
 Hi,
 I want to configure a proxy radius server and the username doesn't have
 any realm, just like 'tom'.
 So I configured the realm NULL section in the proxy.conf file, but it doesn't
 work. The error message in the radiusd terminal when the radius server received the
 accounting message: 
 Proxying request 0 to home server 218.83.175.155 port 1813
 The message can't be proxied to myProxyPool_1, I don't understand why the
 home server became 218.83.175.155. 

  The server does not invent random IP addresses for home servers.

  If that IP address shows up, it is because you put it into a
configuration file.  Go find that address, and fix the configuration.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: how to configure Cisco vpn clients againts freeradius

2010-07-16 Thread Jevos, Peter
 
 ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512

  Err... no.  That won't work.

 But the vpn cisco clients are authenticated through
domainname\username
 and password

  Then you don't need to edit the mschap configuration.

 
 Is this ntlm_auth2 in the mschap ok ? or should I remove
 --domain=%{%{mschap:NT-Domain}:} ?

  Delete the ntlm_auth2 line from the mschap config.  It does nothing.

 I also changed users to :
 
 DEFAULT  Auth-Type := ntlm_auth2,Huntgroup-Name == vpn

  That should work.

  Alan DeKok.

Hello Alan, 
One more question. Why should I delete the ntlm_auth2 line from the
mschap file ?
I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2
file ( with the different commands ), but only one command ntlm_auth in
the mschap file.
What is the connection between the command in the modules/ntlm_authx file
and the command ntlm_auth in the mschap?
Thanks

pet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to configure Cisco vpn clients againts freeradius

2010-07-16 Thread Alan DeKok
Jevos, Peter wrote:
 One more question. Why should I delete the ntlm_auth2 line from the
 mschap file ?

  Does the mschap module documentation/comments say it will understand
an ntlm_auth2 line?

 I thought that it is necessary. I have an ntlm_auth file and an ntlm_auth2
 file ( with the different commands ), but only one command ntlm_auth in
 the mschap file

  Did you read my previous message explaining why you didn't need an
ntlm_auth2 configuration for mschap?

 What is the connection between command in the modules/ntlm_authx file,
 and the command ntlm_auth in the mschap.

  Nothing.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: how to configure Cisco vpn clients againts freeradius

2010-07-15 Thread Jevos, Peter
Jevos, Peter wrote:
 Thank you for your answer, but I don't understand

  The documentation & debug mode is clear.  Do you have a *specific*
question?

 I took it from the mailing list:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February
 /msg00046.html

  I see.  You'll believe some random post on the list, but not the
documentation, debug mode, or the main author?

 I'd like to authenticate all cisco vpn clients that match the proper
 domain name and password. I already have the ntlm_auth command, but I
 don't know how the users file should look

  You were told what the users file should look like.  The Auth-Type
text goes on the FIRST line of the entry.  See man users, and the
examples in the default users file.  NONE of the examples in the
default users file have Auth-Type on the second line of an entry.

  Alan DeKok.
-
Dear Alan, thank you for your answer

Actually debug says : Unknown value ntlm_auth2 for attribute Auth-Type

I've changed it as you advised and I put the Auth-Type in the first
place. However in the man page there is no example of how to use Auth-Type
and Huntgroup together.
So my config is:

ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:-MYDOMAIN}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}

ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{%{mschap:NT-Domain}:}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
--require-membership-of='DOMAIN+vpn users'

And the user file is:

user   Auth-Type := ntlm_auth
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15

DEFAULT  Auth-Type := ntlm_auth2
 Huntgroup-Name == vpn

Of course, I would prefer a direct post of how it should look, because
the documentation lacks examples and the only source is examples
from the mailing list.

Please, does anybody have an example of how to combine two ntlm_auth ?
Thanks a lot

pet 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to configure Cisco vpn clients againts freeradius

2010-07-15 Thread Alan DeKok
Jevos, Peter wrote:
 Actually debug says : Unknown value ntlm_auth2 for attribute Auth-Type

  Which means you didn't list ntlm_auth2 in the authenticate section.

 I've changed it as you advised and I put the Auth-Type in the first
 place. However in the man page there is no example of how to use Auth-Type
 and Huntgroup together.

  No.  There's no documentation on how to use Filter-Id and User-Name
together, either.  Documenting all possible combinations of all
attributes would require thousands of pages of text.

  Instead, the *concepts* are documented, and it is expected that people
understand, and apply those concepts.

 DEFAULT  Auth-Type := ntlm_auth2
  Huntgroup-Name == vpn

  Were you told to move the Huntgroup-Name line?

  No.

  So why did you move it?

 Of course, I would prefer a direct post of how it should look, because
 the documentation lacks examples and the only source is examples
 from the mailing list.

  No.  It doesn't help anyone to give you the exact solution.  Doing
that would mean that you don't need to think for yourself.

 Please, does anybody have an example of how to combine two ntlm_auth ?

  Configure ntlm_auth.  Then, duplicate & edit the configuration,
including all references to ntlm_auth, for the ntlm_auth2 module.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: how to configure Cisco vpn clients againts freeradius

2010-07-15 Thread Jevos, Peter
  Dear Alan, thank you , I'm moving slowly forward : )

So now, I have created second ntlm_auth2 file in the modules directory,
with this command:
exec ntlm_auth2 {
wait = yes
   program = /usr/bin/ntlm_auth --request-nt-key
--domain=MYDOMAIN --username=%{mschap:User-Name}
--password=%{User-Password}
--require-membership-of=S-1-5-21-853024553-185696384-3473746203-512
}

I also added new authentication method ntlm_auth2 into
sites-available/inner-tunnel and default

I tested with radtest USER PASSWORD localhost 0 testing123 and the
test passed : )

So I have created another line in the modules/mschap that looks like:

ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
--domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512

But the vpn cisco clients are authenticated through domainname\username
and password


Is this ntlm_auth2 in the mschap ok ? or should I remove
--domain=%{%{mschap:NT-Domain}:} ?

I also changed users to :

DEFAULT  Auth-Type := ntlm_auth2,Huntgroup-Name == vpn

Thanks

pet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to configure Cisco vpn clients againts freeradius

2010-07-15 Thread Alan DeKok
Jevos, Peter wrote:
 So now, I have created second ntlm_auth2 file in the modules directory,
 with this command:

  Good.

 I also added new authentication method ntlm_auth2 into
 sites-available/inner-tunnel and default

  Good.

 I tested with radtest USER PASSWORD localhost 0 testing123 and the
 test passed : )

  Very good!

 So I have created another line in the modules/mschap that looks like:
 
 ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
 --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name}
 --challenge=%{mschap:Challenge:-00}
 --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512

  Err... no.  That won't work.

 But the vpn cisco clients are authenticated through domainname\username
 and password

  Then you don't need to edit the mschap configuration.

 
 Is this ntlm_auth2 in the mschap ok ? or should I remove
 --domain=%{%{mschap:NT-Domain}:} ?

  Delete the ntlm_auth2 line from the mschap config.  It does nothing.

 I also changed users to :
 
 DEFAULT  Auth-Type := ntlm_auth2,Huntgroup-Name == vpn

  That should work.

  Alan DeKok.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: how to configure Cisco vpn clients againts freeradius

2010-07-15 Thread Jevos, Peter

  Err... no.  That won't work.

 But the vpn cisco clients are authenticated through
domainname\username
 and password

  Then you don't need to edit the mschap configuration.

 
 Is this ntlm_auth2 in the mschap ok ? or should I remove
 --domain=%{%{mschap:NT-Domain}:} ?

  Delete the ntlm_auth2 line from the mschap config.  It does nothing.

 I also changed users to :
 
 DEFAULT  Auth-Type := ntlm_auth2,Huntgroup-Name == vpn

  That should work.

  Dear Alan

Yes, it's working, but I had to change the users file, because it always
fell into ntlm_auth2 when I wanted to authenticate with my
username.
Now it looks like:

DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == vpn
Fall-Through = Yes

username   Auth-Type := ntlm_auth
   Service-Type = NAS-Prompt-User,
   cisco-avpair = shell:priv-lvl=15

And this works, but only with one domain. I need to check how it works
with more domains

Bye for now, thanks a lot, I will let you know

Pet

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
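The users-file mechanics this thread turns on (Auth-Type and the other check items on an entry's first line, reply items below it, Fall-Through deciding whether a later entry such as the named user's is still consulted, and, from Arran's isakmp-group-id correction earlier on this page, a Cisco-AVPair check item needing the whole string the router sends) as a small Python model, added here and not FreeRADIUS code or anything posted in the thread. It assumes huntgroup resolution has already happened, so Huntgroup-Name is passed as an ordinary request attribute; the functions (parse_users, match, validate, auth_type_for) and the sample entries and request are constructed for this example.

```python
"""Simplified model of how the FreeRADIUS users file is read and matched.
Constructed example, not FreeRADIUS code: check items on an entry's first
line, reply items on the indented lines after it, DEFAULT entries,
Fall-Through, and whole-string matching of a Cisco-AVPair value."""
import re
from collections import namedtuple

Entry = namedtuple("Entry", "name check reply")   # check/reply: [(attr, op, value)]
PAIR_RE = re.compile(r"^\s*([\w-]+)\s*(:=|==|!=|=)\s*(.*?)\s*$")
# Split on commas outside double quotes (an even number of quotes must follow).
COMMA_RE = re.compile(r',(?=(?:[^"]*"[^"]*")*[^"]*$)')

def parse_pair(text):
    m = PAIR_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse pair: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')

def parse_pairs(text):
    return [parse_pair(p) for p in COMMA_RE.split(text) if p.strip()]

def parse_users(text):
    """Parse users-file text; Auth-Type on a reply line is rejected."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if not raw[0].isspace():                  # new entry: name + check items
            parts = re.split(r"\s+", raw.strip(), maxsplit=1) + [""]
            entries.append(Entry(parts[0], parse_pairs(parts[1]), []))
            continue
        if not entries:
            raise ValueError("reply line before any entry")
        for pair in parse_pairs(raw):             # indented line: reply items
            if pair[0] == "Auth-Type":
                raise ValueError(f"entry {entries[-1].name!r}: Auth-Type is a "
                                 "check item and belongs on the entry's first line")
            entries[-1].reply.append(pair)
    return entries

def match(entries, request):
    """Walk entries in file order; request is a list of (attr, value) pairs.
    Returns (control items set by := and =, reply items)."""
    vals = lambda attr: [v for a, v in request if a == attr]
    control, reply = {}, []
    for e in entries:
        if e.name != "DEFAULT" and e.name not in vals("User-Name"):
            continue
        # == must find the value in the request, != must not; otherwise skip entry
        if any((op == "==") != (v in vals(a))
               for a, op, v in e.check if op in ("==", "!=")):
            continue
        for a, op, v in e.check:                  # := always sets, = only if unset
            if op == ":=" or (op == "=" and a not in control):
                control[a] = v
        fall_through = False
        for a, _, v in e.reply:
            if a == "Fall-Through":
                fall_through = v.lower() == "yes"
            else:
                reply.append((a, v))
        if not fall_through:                      # first match wins unless told otherwise
            break
    return control, reply

def validate(text):
    """None if the file parses, else the parser's complaint."""
    try:
        parse_users(text)
    except ValueError as err:
        return str(err)

def auth_type_for(text, request):
    return match(parse_users(text), request)[0].get("Auth-Type")

# Constructed from the thread: the rejected layout, Auth-Type on the second line.
BROKEN_USERS = """\
DEFAULT Huntgroup-Name == vpn
        Auth-Type := ntlm_auth2
"""
# The layout that worked: Fall-Through lets the named user's entry override.
WORKING_USERS = """\
DEFAULT Auth-Type := ntlm_auth2,Huntgroup-Name == vpn
        Fall-Through = Yes

username   Auth-Type := ntlm_auth
        Service-Type = NAS-Prompt-User,
        cisco-avpair = shell:priv-lvl=15
"""
# The isakmp-group-id case: the check value is the whole string the router sends.
AVPAIR_USERS = """\
DEFAULT Auth-Type := ntlm_auth_vpn_osw, NAS-IP-Address == 10.1.1.1, Cisco-AVPair == "isakmp-group-id=CiscoGroup"
        Service-Type = Framed-User, Framed-Protocol = PPP
DEFAULT Auth-Type := vpn_auth_name
        Service-Type = Framed-User, Framed-Protocol = PPP
"""
VPN_REQUEST = [("User-Name", "domain\\user"), ("NAS-IP-Address", "10.1.1.1"),
               ("Cisco-AVPair", "isakmp-group-id=CiscoGroup"),
               ("Cisco-AVPair", "connect-progress=No Progress")]
```

Replacing the quoted Cisco-AVPair value with just CiscoGroup makes the first DEFAULT miss and the request fall to the vpn_auth_name entry, which is the behaviour Peter saw before Arran's correction.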


Re: how to configure Cisco vpn clients againts freeradius

2010-07-14 Thread Alan DeKok
Jevos, Peter wrote:
 user   Auth-Type := ntlm_auth
 Service-Type = NAS-Prompt-User,
 cisco-avpair = shell:priv-lvl=15
...
 And I added this lines into users file:
 DEFAULT Huntgroup-Name == vpn
 Auth-Type := ntlm_auth2

  What is Auth-Type on the first line for user, and on the second
for DEFAULT?

  See man users

  Run the server in debugging mode.  It WILL complain about the
Auth-Type being on the second line.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: how to configure Cisco vpn clients againts freeradius

2010-07-14 Thread Jevos, Peter

Jevos, Peter wrote:
 user   Auth-Type := ntlm_auth
 Service-Type = NAS-Prompt-User,
 cisco-avpair = shell:priv-lvl=15
...
 And I added this lines into users file:
 DEFAULT Huntgroup-Name == vpn
 Auth-Type := ntlm_auth2

  What is Auth-Type on the first line for user, and on the second
for DEFAULT?

  See man users

  Run the server in debugging mode.  It WILL complain about the
Auth-Type being on the second line.

  Alan DeKok.
-
Hi Alan

Thank you for your answer, but I don't understand

I took it from the mailing list:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February
/msg00046.html

I'd like to authenticate all cisco vpn clients that match the proper
domain name and password. I already have the ntlm_auth command, but I
don't know how the users file should look

My ntlm_auth is:
ntlm_auth2 = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain:}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
--require-membership-of='SOMEDOMAIN+domain users'

I'm using ntlm_auth2 because ntlm_auth is already used ( for the router
access )

Thanks

pet 

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to configure Cisco vpn clients againts freeradius

2010-07-14 Thread Alan DeKok
Jevos, Peter wrote:
 Thank you for your answer, but I don't understand

  The documentation & debug mode is clear.  Do you have a *specific*
question?

 I took it from the mailing list:
 http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February
 /msg00046.html

  I see.  You'll believe some random post on the list, but not the
documentation, debug mode, or the main author?

 I'd like to authenticate all cisco vpn clients that match the proper
 domain name and password. I already have the ntlm_auth command, but I
 don't know how the users file should look

  You were told what the users file should look like.  The Auth-Type
text goes on the FIRST line of the entry.  See man users, and the
examples in the default users file.  NONE of the examples in the
default users file have Auth-Type on the second line of an entry.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure radius for EAP-AKA authentication

2010-04-15 Thread Alan DeKok
you_shunxing wrote:
 I would like to test EAP-AKA authentication. So, how to configure radius
 server for EAP-AKA authentication?

  If you look at the configuration, you will see it doesn't support AKA.

  There's a patch somewhere for this functionality, but it's based on an
old version of the server.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10 Ubuntu linux 9.04

2010-02-17 Thread Alan DeKok
Dilip Patel wrote:
 I am using FreeRADIUS Version 2.1.0 in Ubuntu linux 9.04.

  Don't.  Install 2.1.8.  See:

http://wiki.freeradius.org/Build#Building_Debian_packages

 How do I configure Free Radius to use EAP PEAPv0/EAP-MSCHAPv2?

  Install 2.1.8.  Add a user/password in the users file.

Then, as root do:

$ freeradiusd -X

  (or radiusd -X)

  Try PEAP.  It will work.

  See also my web site: http://deployingradius.com/ for more detailed
instructions on getting EAP methods to work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10,

2010-02-17 Thread Dilip Patel
Thanks Alan for your suggestion. I tried to install freeradius 2.1.8, but 
ran into the following error:


patel...@pateldil-desktop:~/freeradius-server-2.1.8[17:00:07]$ sudo dpkg 
-i ../freeradius_2.1.8+git_amd64.deb

Selecting previously deselected package freeradius.
(Reading database ... 179982 files and directories currently installed.)
Unpacking freeradius (from .../freeradius_2.1.8+git_amd64.deb) ...
dpkg: dependency problems prevent configuration of freeradius:
freeradius depends on libfreeradius2 (= 2.1.8+git); however:
 Version of libfreeradius2 on system is 2.1.0+dfsg-0ubuntu4.1.
dpkg: error processing freeradius (--install):
dependency problems - leaving unconfigured
Errors were encountered while processing:
freeradius


Can't figure out an easy way to install libfreeradius2 (= 2.1.8+git.).

Anyways, thanks for your suggestion.


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: How to configure EAP PEAPv0/EAP-MSCHAPv2 in freeradius 2.10,

2010-02-17 Thread Fajar A. Nugraha
On Thu, Feb 18, 2010 at 5:04 AM, Dilip Patel dilip.pa...@hp.com wrote:
 patel...@pateldil-desktop:~/freeradius-server-2.1.8[17:00:07]$ sudo dpkg -i
 ../freeradius_2.1.8+git_amd64.deb

 dpkg: dependency problems prevent configuration of freeradius:
  freeradius depends on libfreeradius2 (= 2.1.8+git); however:
   Version of libfreeradius2 on system is 2.1.0+dfsg-0ubuntu4.1.

 Can't figure out an easy way to install libfreeradius2 (= 2.1.8+git.).

The error pretty much speaks for itself. Update libfreeradius2 as
well. It should be available from wherever you got
freeradius_2.1.8+git_amd64.deb from.

-- 
Fajar

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: how to configure realm in freeradius

2009-11-19 Thread tnt
 sample configurations for realm in freeradius 2.1.6

See proxy.conf.

Ivan Kalik

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure Wrong Message-Authenticator in Free-radius server response

2009-10-19 Thread Alan DeKok
Venseen wrote:
 Hi, I have to insert cooked Message-authenticator in Free-radius server
 Message,

  You will need to edit the source code to do this.  FreeRADIUS does
*not* generate invalid Message-Authenticators.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure 2 wimax qos profiles for the user in users file

2009-07-08 Thread Ivan Kalik
 I am trying to configure the two wimax qos profiles for the single user as
 one for uplink and another for downlink.
 If I configure the same attributes two times, in the Access-Accept message
 only the first configured wimax attribute value is sent, but it's not
 sending the same attribute again with a different value. Is there any
 way to do this and make it work?

http://wiki.freeradius.org/Operators

+=

Ivan Kalik
Kalik Informatika ISP

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure RADIUS on 2 IP address Server

2008-12-11 Thread Alan DeKok
Pongsak Tawankanjanachot wrote:
I started installing, setting, running ./radiusd -X with default
 configuration.

  No.  You've configured the server to proxy requests to itself.  This
is wrong.

 Sending Access-Accept of id 102 to 192.168.2.45
 port 36272
 Framed-MTU = 1400
 NAS-IP-Address = 192.168.25.77 
 NAS-Port = 15
 Finished request 5.
 Going to the next request
 Waking up in 4.9 seconds.
 rad_recv: Access-Accept packet from host 192.168.2.45
  port 1812, id=102, length=38

  You have configured it to proxy requests to itself.  Don't do that.

 My question is why the Access-Accept is to 192.168.2.45
  (It should be 192.168.25.254?

  Because:

  1) you have 2 interfaces
  2) you haven't used the listen type = proxy configuration to set
 the proxying IP address
  3) You haven't enabled UDPFROMTO in configure
  4) The OS picks a source IP address

  and, you've configured the server to proxy requests to itself.  Don't
do that.

 radiusd:  Opening IP addresses and Ports 
 Listening on authentication address 192.168.25.254
 port 1812
 Listening on accounting address 192.168.25.254
 port 1813
 Listening on proxy address 192.168.25.254 port 1814
 Ready to process requests.

 Seems like RADIUS is listening on 192.168.25.254. :D

  Yes...

 ==
   On Server terminal, I test with radtest test test localhost 0 testing123

 Sending Access-Request of id 103 to 127.0.0.1  port 1812
 User-Name = test
 User-Password = test
 NAS-IP-Address = 127.0.1.1
 NAS-Port = 0

 There is no response at all

  Do you understand what IP addresses are?  The server is listening on
192.168.25.254, while you're sending packets to 127.0.0.1.  And you're
*surprised* that the server doesn't respond?  Why?

  It replies!! Seems like it is listening at eth0 192.168.25.254
 BUT when I use RTRadPing Test Utility from local computer-WinXP SP3
 (192.168.25.142 ) asking Authentication Request
 to 192.168.25.254 
 RTRadPing says no response from server, timeout.

  Look at the DEBUG output of the SERVER, not the client.

 What should I do next??
 Can somebody advise me?
 I think this is just the first step, then I need to install OpenSSL and
 test... a long way to go..

  I would stop trying to configure the server, and start by
understanding how networks work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread Alan DeKok
DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without the
 need to change anything on client PCs (because we have so many clients that
 this would be too much work).
 Is that possible?

  No.

  It's like asking how do I make the PC be a web server... but I don't
want to install a web server.

  You have to configure WLAN authentication on the clients in order for
WLAN authentication to work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread DaSilva


Alan DeKok-4 wrote:
 
 DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without the
 need to change anything on client PCs (because we have so many clients that
 this would be too much work).
 Is that possible?
 
   No.
 
   It's like asking how do I make the PC be a web server... but I don't
 want to install a web server.
 
   You have to configure WLAN authentication on the clients in order for
 WLAN authentication to work.
 
   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html
 
 

And is it possible to do this automatically via remote or something else?
-- 
View this message in context: 
http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-have-to-be-changed--tp18482025p18483881.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread Alan DeKok
DaSilva wrote:
 And is it possible to do this automatically via remote or something else?

  Is it possible to remotely install programs, and edit registry entries
on the PC?

  In some cases, yes.  But this has nothing to do with FreeRADIUS.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread Paul Bartell
I take it that you mean, is it possible to make it transparent to the
user, in which case the answer is yes. Depending on your access points,
you may be able to do MAC address authentication, which anyone will
tell you is insanely insecure, but it prevents people from driving up
and accessing your network (unless they are technically inclined to
use a packet capturing program and spoof a MAC address). So insecure,
yes. But practical so long as you don't have a bunch of crackers living
around wherever you are setting up authentication. Mac OS X as well as
many Linux distros have 802.1x authentication/WPA enterprise built in,
so it is not much of a problem. I'm not sure about the current state of
windows in this department (haven't used it in a while... could someone
chime in)

On Wed, Jul 16, 2008 at 12:37 PM, DaSilva
[EMAIL PROTECTED] wrote:


 Alan DeKok-4 wrote:

 DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without the
 need to change anything on client PCs (because we have so many clients that
 this would be too much work).
 Is that possible?

   No.

   It's like asking how do I make the PC be a web server... but I don't
 want to install a web server.

   You have to configure WLAN authentication on the clients in order for
 WLAN authentication to work.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 And is it possible to do this automatically via remote or something else?
 --
 View this message in context: 
 http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-have-to-be-changed--tp18482025p18483881.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.

 -
 List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html




-- 
Random quote of the week/month/whenever i get to updating it: Like an
unchecked cancer, hate corrodes the personality and eats away its
vital unity. Hate destroys a man's sense of values and his
objectivity. It causes him to describe the beautiful as ugly and the
ugly as beautiful, and to confuse the true with the false and the
false with the true. - Martin Luther King Jr.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread DaSilva

On Wed, Jul 16, 2008 at 12:37 PM, DaSilva
[EMAIL PROTECTED] wrote:


 Alan DeKok-4 wrote:

 DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without the
 need to change anything on client PCs (because we have so many clients that
 this would be too much work).
 Is that possible?

   No.

   It's like asking how do I make the PC be a web server... but I don't
 want to install a web server.

   You have to configure WLAN authentication on the clients in order for
 WLAN authentication to work.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 And is it possible to do this automatically via remote or something else?
 --
 View this message in context:
 http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-have-to-be-changed--tp18482025p18483881.html



I believe you misunderstood me. We have many APs which all have their own
access list, MAC addresses etc. and we want to use a RADIUS server to do
this for all APs. So that we have a global station where we can change
something for all APs in our AD. I don't mean authentication via WPA and
TLS or something like this. So how can I do this or where can I find a
tutorial / howto for this?
-- 
View this message in context: 
http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-have-to-be-changed--tp18482025p18485110.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: How to configure FreeRadius so that clients don't have to bechanged?

2008-07-16 Thread Jester
On Wed, Jul 16, 2008 at 12:37 PM, DaSilva
[EMAIL PROTECTED] wrote:


 Alan DeKok-4 wrote:

 DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without the
 need to change anything on client PCs (because we have so many clients that
 this would be too much work).
 Is that possible?

   No.

   It's like asking how do I make the PC be a web server... but I don't
 want to install a web server.

   You have to configure WLAN authentication on the clients in order for
 WLAN authentication to work.

   Alan DeKok.
 -
 List info/subscribe/unsubscribe? See
 http://www.freeradius.org/list/users.html



 And is it possible to do this automatically via remote or something else?
 --
 View this message in context:

http://www.nabble.com/How-to-configure-FreeRadius-so-that-clients-don%27t-have-to-be-changed--tp18482025p18483881.html



I believe you misunderstood me. We have many APs which all have their own
access list, MAC addresses etc. and we want to use a RADIUS server to do
this for all APs. So that we have a global station where we can change
something for all APs in our AD. I don't mean authentication via WPA and
TLS or something like this. So how can I do this or where can I find a
tutorial / howto for this?
-- 

Just another option, and this may be a useless suggestion, but I'll throw it
out there anyway.  Some APs support a walled garden feature which ignores
the original request and forces the client to a login page (like
at airports, $tarbucks etc).  Once the client goes there and enters their
credentials, RADIUS is used to authenticate them, and they are allowed or
denied at that time.  It allows you to deploy one configuration to all your
points, and use a RADIUS backend (and AD, mysql, text files whatever you use
to drive that) to centralize configuration at that point.  The glitch is,
you have to have APs that support walled garden, but if you do, it's handy.

That said, it sounds like you are already using access lists with MAC
addresses for authentication, so the security problems that Alan Dekok noted
are already present in your system and MAC authentication might be what you
want after all.



Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread Ivan Kalik
In your AP user manual.

You will still need to set up radius secret, switch local to radius
authentication etc. on every AP. It can be done remotely (telnet, ssh,
some even have web control panels).

Ivan Kalik
Kalik Informatika ISP

On 16/7/2008, DaSilva [EMAIL PROTECTED] wrote:


On Wed, Jul 16, 2008 at 12:37 PM, DaSilva
[EMAIL PROTECTED] wrote:


 Alan DeKok-4 wrote:

 DaSilva wrote:
 I want to set up a FreeRadius server for WLAN authentication without
 the need to change anything on client PCs (because we have so many
 clients that this would be too much work).
 Is that possible?

   No.

   It's like asking how do I make the PC be a web server... but I don't
 want to install a web server.

   You have to configure WLAN authentication on the clients in order for
 WLAN authentication to work.

   Alan DeKok.



 And is it possible to do this automatically via remote or something else?
 --



I believe you misunderstood me. We have many APs which all have their own
access list, MAC addresses etc. and we want to use a RADIUS server to do
this for all APs. So that we have a global station where we can change
something for all APs in our AD. I don't mean authentication via WPA and
TLS or something like this. So how can I do this or where can I find a
tutorial / howto for this?
--






Re: How to configure FreeRadius so that clients don't have to be changed?

2008-07-16 Thread Alan DeKok
DaSilva wrote:
 I believe you misunderstood me. We have many APs which all have their own
 access list, MAC addresses etc. and we want to use a RADIUS server to do
 this for all APs.

  This is called MAC address authentication, not WLAN authentication.

 So that we have a global station where we can change
 something for all APs in our AD. I don't mean authentification via WPA and
 TLS or something like this. So how can I do this or where can I find a
 tutorial / howto for this?

  Put the MAC addresses into a database, just like user names and
passwords.  There's no need for a howto.

  Alan DeKok.


Re: How to configure radius server

2008-07-15 Thread Nicolas Goutte


On 15.07.2008 at 08:37, Sandeep wrote:


Hi, all members of free radius..

I installed fras on Fedora 9 and want to make a radius server, but I am new
in this field; is there anybody to help me do this? First of all, please
provide me step-by-step tutorials so that I can read them and install and
configure my server, with testing.


I am not sure that step-by-step tutorials exist, especially as you do  
not state in which context you want to use freeradius.


See the general documentation at http://wiki.freeradius.org . See the  
comments in the default configuration files, especially radiusd.conf




PLEASE HELP ME


You do not need to shout; it will not bring you more help.




Sandeep rohilla



Have a nice day!

Nicolas Goutte


extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany

Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Court of registration: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841




Re: How to configure radius server

2008-07-15 Thread Maciej Drobniuch

http://wiki.freeradius.org/HOWTO
http://www.google.com

It also depends on what you want to bind with freeradius and what auth.
mechanism you want to use.
Just use uncle google ;]

On 15 Jul 2008 06:37:18 -, Sandeep 
[EMAIL PROTECTED] wrote:
 Hi, all members of free radius.. I installed fras on Fedora 9 and want to make
 a radius server, but I am new in this field; is there anybody to help me do
 this? First of all, please provide me step-by-step tutorials so that I can read
 them and install and configure my server, with testing. PLEASE HELP ME. Sandeep
 rohilla
-- 

Maciej Drobniuch



Re: How to configure radius server

2008-07-15 Thread Ivan Kalik
Start by reading the README files included with the server. There is one
for every module. Installation:

http://wiki.freeradius.org/Build

Ivan Kalik
Kalik Informatika ISP


On 15/7/2008, Sandeep [EMAIL PROTECTED] wrote:

Hi, all members of free radius.. I installed fras on Fedora 9 and want to make a
radius server, but I am new in this field; is there anybody to help me do this?
First of all, please provide me step-by-step tutorials so that I can read them
and install and configure my server, with testing. PLEASE HELP ME. Sandeep rohilla




Re: How to configure RADIUS server to test EAP-SIM

2007-12-20 Thread Raghavendra. S
Hi,

 I have gone through the document that you sent and understood a few things;
still one doubt remains.

In my above mail, in the users file I have the following line:

eapsim Auth-Type := EAP, EAP-Type := SIM

Will you please tell me what this eapsim stands for? I mean, in my
case, should I use the IMSI number or something else instead of
eapsim?

-Raghu.

On 12/11/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
 http://wiki.freeradius.org/index.php/Rlm_eap

 Configure clients.conf and users file. EAP-SIM will work with default
 radiusd and eap settings.

 Ivan Kalik
 Kalik Informatika ISP


 On 11/12/2007, Raghavendra. S [EMAIL PROTECTED] wrote:

 Hi All,
 
    I want to use a RADIUS server to test EAP-SIM. I would like to know how to
  configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM.
  Also please let me know if I have to configure some more files.
  
    Actually I want to test wpa supplicant for EAP-SIM. So I need to configure
  a RADIUS server. I am working on a snapshot of freeradius, that is *
  freeradius-snapshot-20051130*. radiusd(after) version-1.1.0.
 
 --
  Regards & Thanks
 Raghavendra. S
 
 




-- 
Regards & Thanks
Raghavendra. S



Re: How to configure RADIUS server to test EAP-SIM

2007-12-18 Thread Raghavendra. S
Hi,

   I added the following lines in eap.conf inside the eap block.
   sim {
   }


   I added the following lines to the users file.

eapsim Auth-Type := EAP, EAP-Type := SIM
    EAP-Sim-Rand1 = 0xabcd1234abcd1234abcd1234abcd1234,
    EAP-Sim-SRES1 = 0x1234abcd,
    EAP-Sim-KC1 = 0x0011223344556677,
    EAP-Sim-Rand2 = 0xbcd1234abcd1234abcd1234abcd1234a,
    EAP-Sim-SRES2 = 0x234abcd1,
    EAP-Sim-KC2 = 0x1021324354657687,
    EAP-Sim-Rand3 = 0xcd1234abcd1234abcd1234abcd1234ab,
    EAP-Sim-SRES3 = 0x34abcd12,
    EAP-Sim-KC3 = 0x30415263748596a7


In src/tests/eapsim-03 there is one extra parameter, Autz-Type:=EAP,
for which I am getting some error while enabling radiusd. So I removed
Autz-Type:=EAP from the first line. Is that OK?

 I want to know how to get the above hex values.


On 12/11/07, Alan DeKok [EMAIL PROTECTED] wrote:
 Raghavendra. S wrote:
  I want to use a RADIUS server to test EAP-SIM. I would like to know how
  to configure eap.conf, users, radiusd.conf and clients.conf to support
  EAP-SIM. Also please let me know if I have to configure some more files.

  Look in src/tests/eapsim*

Actually I want to test wpa supplicant for EAP-SIM. So I need to
  configure RADIUS server. I am working on snapshot of freeradius, that is
  *freeradius-snapshot-20051130*. radiusd(after) version-1.1.0 .

  Why would you ever use a version of the server that is more than two
 years old?

  Alan DeKok.




-- 
Regards & Thanks
Raghavendra. S


Re: How to configure freeradius to support, EAP-TTLS, CHAP/PAP

2007-12-17 Thread Alan DeKok
Raghavendra. S wrote:
   I was able to get authenticated using the radius server for
 EAP-TTLS/EAP-MD5, by having the following configuration
...
 Modified users file as below
 
 raghu User-Password == whatever

  Use Clear-text-Password := ...

  It's in the FAQ.

 Modified clients.conf as
 
 10.89.49.1 {

  That won't work.  It's not the documented format.

 Can anybody tell me how to support, EAP-TTLS, CHAP/PAP... I mean
 second level protocol inside TTLS should be chap/pap/mschap/mschapv2.

  Nothing more needs to be done.  All you have to do is test it, and it
will work.

  Alan DeKok.
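Added example, not from the thread or the FreeRADIUS code base: a simplified model of why a `User-Password ==` check item can never decide an EAP-MD5 request (including EAP-MD5 inside EAP-TTLS) while `Clear-text-Password :=` can. The MD5-Challenge arithmetic is the real one from RFC 3748 section 5.4; `parse_users_entry`, `decide` and `make_request` are hypothetical helpers and the request dicts are constructed.

```python
"""Why EAP-MD5 needs Clear-text-Password in the users file.

Added example with hypothetical helpers; not FreeRADIUS code.  Only the
response computation is the real protocol (RFC 3748 section 5.4):
    Response = MD5(Identifier || password || Challenge)
"""
import hashlib
import hmac
import os


def eap_md5_response(identifier, password, challenge):
    """Compute the MD5-Challenge response value the peer sends back."""
    return hashlib.md5(bytes([identifier]) + password + challenge).digest()


def parse_users_entry(line):
    """Split 'name Attr op value, Attr op value' into (name, [(attr, op, value)])."""
    name, _, rest = line.strip().partition(" ")
    items = []
    for item in rest.split(","):
        attr, op, value = item.strip().split(None, 2)
        items.append((attr, op, value.strip('"')))
    return name, items


def decide(users_line, request):
    """Return 'accept' or 'reject' for one request under one users entry.

    request is a constructed dict with 'User-Name', optionally 'User-Password'
    (only a PAP request carries it) and optionally
    'EAP' = (identifier, challenge, response) for an EAP-MD5 request.
    """
    name, items = parse_users_entry(users_line)
    if name != request.get("User-Name"):
        return "reject"
    known_password = None
    for attr, op, value in items:
        if attr == "User-Password" and op == "==":
            # A check item compares against the attribute in the *request*.
            # An EAP-MD5 request carries EAP-Message, not User-Password,
            # so this comparison can never succeed for it.
            if request.get("User-Password") != value:
                return "reject"
        elif attr == "Clear-text-Password" and op == ":=":
            # A control item: the server now knows the password and can
            # recompute the expected MD5-Challenge response itself.
            known_password = value.encode()
    if "EAP" in request:
        if known_password is None:
            return "reject"                    # nothing to compute from
        identifier, challenge, response = request["EAP"]
        expected = eap_md5_response(identifier, known_password, challenge)
        return "accept" if hmac.compare_digest(expected, response) else "reject"
    if known_password is not None:             # PAP: compare the cleartext
        return "accept" if request.get("User-Password", "").encode() == known_password else "reject"
    return "accept"                            # only check items, all matched


def make_request(user, password, identifier=1):
    """Constructed EAP-MD5 Access-Request from a peer that knows `password`."""
    challenge = os.urandom(16)
    response = eap_md5_response(identifier, password.encode(), challenge)
    return {"User-Name": user, "EAP": (identifier, challenge, response)}


if __name__ == "__main__":
    req = make_request("raghu", "whatever")
    print(decide('raghu User-Password == "whatever"', req))       # reject
    print(decide('raghu Clear-text-Password := "whatever"', req))  # accept
```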


Re: How to configure RADIUS server to test EAP-SIM

2007-12-11 Thread Alan DeKok
Raghavendra. S wrote:
I want to use a RADIUS server to test EAP-SIM. I would like to know how
 to configure eap.conf, users, radiusd.conf and clients.conf to support
 EAP-SIM. Also please let me know if I have to configure some more files.

  Look in src/tests/eapsim*

   Actually I want to test wpa supplicant for EAP-SIM. So I need to
 configure RADIUS server. I am working on snapshot of freeradius, that is
 *freeradius-snapshot-20051130*. radiusd(after) version-1.1.0 .

  Why would you ever use a version of the server that is more than two
years old?

  Alan DeKok.



Re: How to configure RADIUS server to test EAP-SIM

2007-12-11 Thread tnt
http://wiki.freeradius.org/index.php/Rlm_eap

Configure clients.conf and users file. EAP-SIM will work with default
radiusd and eap settings.

Ivan Kalik
Kalik Informatika ISP


On 11/12/2007, Raghavendra. S [EMAIL PROTECTED] wrote:

Hi All,

   I want to use a RADIUS server to test EAP-SIM. I would like to know how to
configure eap.conf, users, radiusd.conf and clients.conf to support EAP-SIM.
Also please let me know if I have to configure some more files.

  Actually I want to test wpa supplicant for EAP-SIM. So I need to configure
RADIUS server. I am working on snapshot of freeradius, that is *
freeradius-snapshot-20051130*. radiusd(after) version-1.1.0.

--
Regards & Thanks
Raghavendra. S





Re: How to configure EAP Identity in 1.1.3

2007-07-17 Thread Alan DeKok
Govardhana K N wrote:
 If that is the case, how can I add WiMAX support in FreeRADIUS?

  Send a patch, or pay someone to do the work.

 What are the changes I should make in order to have WiMAX support?

  Read the WiMAX specifications, and read the code to FreeRADIUS.  Do
the work to figure out what has to be done.

  So far, no one has done that, so there's no WiMAX support.

  Alan DeKok.


Re: How to configure EAP Identity in 1.1.3

2007-07-17 Thread tnt
rlm_eap_md5: Issuing Challenge
  modcall[authenticate]: module eap returns handled for request 1
modcall: leaving group authenticate (returns handled) for request 1
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
CUI = jrccui
Class = 0x6a7263636c617373
State = 0x6a72637374617465
Framed-MTU = 1400
Framed-IP-Address = 1.2.3.4
Service-Type = Framed-User
Session-Timeout = 30
MS-MPPE-Send-Key = 0x6a72636d736b
MS-MPPE-Recv-Key = 0x6a7263726563766d736b
AAA-Session-Id = jrcmultisessionid
HA-IP-MIP4 = 1.1.1.1
DHCPv4-Server = 2.2.2.2
MN-HA-MIP4-KEY = jrcmipkey
MN-HA-MIP4-SPI = jrcmipspi
DHCP-RK = jrcdhcprk
DHCP-RK-KEY-ID = jrcdhcpkey
DHCP-RK-LIFETIME = 20
EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
Message-Authenticator = 0x
State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
User-Name = jrc
User-Password = jrc
NAS-Identifier = jrcnas
NAS-Port-Type = Ethernet
CUI = 0
Service-Type = Framed-User
Framed-MTU = 1400
Calling-Station-Id = 1:1:1:1:1:1
Message-Authenticator = 0x8dc52d59961b5eb7d8789f7cb4dbea5a
State = 0x6a72637374617465
State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db

Something is wrong with your client. There are two State entries in this
reply. The one that doesn't match the Challenge is breaking the EAP
conversation.

Ivan Kalik
Kalik Informatika ISP
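The duplicate-State problem Ivan points out can be checked mechanically from radiusd -X output. As an added illustration (not from the thread), the script below parses constructed, abridged copies of the Access-Challenge and Access-Request quoted above, flags a request that carries more than one State, and reports any State the server never issued; `parse_attrs`, `hex_to_text` and `check_state` are hypothetical helpers.

```python
"""Check radiusd -X output for State attribute misuse in an EAP exchange.

Added example, not from the thread.  The two packet dumps are constructed,
abridged copies of the Access-Challenge and Access-Request quoted above.
"""
import re

CHALLENGE_LOG = """\
Sending Access-Challenge of id 60 to 127.0.0.1 port 32825
EAP-Message = 0x01d300160410e0ccb378852f7a673815379d2f819db1
State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
Finished request 1
"""

REQUEST_LOG = """\
rad_recv: Access-Request packet from host 127.0.0.1:32825, id=61, length=155
User-Name = jrc
NAS-Identifier = jrcnas
State = 0x6a72637374617465
State = 0x8343fbb52835fa0fb7fb84cab7f7a0db
EAP-Message = 0x02d300160410d3ab9cde585da0c10b343d38433fa0db
"""

# One "Attribute = value" line as radiusd prints it inside a packet dump.
ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*?)\s*$")


def parse_attrs(log):
    """Return the (attribute, value) pairs printed for one packet, in order."""
    pairs = []
    for line in log.splitlines():
        m = ATTR_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs


def hex_to_text(value):
    """Decode a 0x... value as ASCII, or return None if it is not plain text.

    A State that decodes to readable text is a strong hint that the client
    inserted a hard-coded value instead of echoing the server's.
    """
    if not value.startswith("0x"):
        return None
    try:
        return bytes.fromhex(value[2:]).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None


def check_state(challenge_log, request_log):
    """List what is wrong with the State attribute(s) in the request."""
    issued = {v for k, v in parse_attrs(challenge_log) if k == "State"}
    echoed = [v for k, v in parse_attrs(request_log) if k == "State"]
    problems = []
    if len(echoed) > 1:
        # RFC 2865 section 5.24: a packet must have zero or one State.
        problems.append("request carries %d State attributes; RFC 2865 allows one"
                        % len(echoed))
    if not echoed:
        problems.append("request carries no State; the challenge cannot be matched")
    for value in echoed:
        if value not in issued:
            text = hex_to_text(value)
            problems.append("State %s was never issued by the server%s"
                            % (value, " (decodes to %r)" % text if text else ""))
    return problems


if __name__ == "__main__":
    for problem in check_state(CHALLENGE_LOG, REQUEST_LOG):
        print(problem)
```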



Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Eshun Benjamin
You have misconfigured the Nas-Identifier.

 govardhana  Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas
==
Benjamin K. Eshun

- Original Message
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 12:24:09
Subject: How to configure EAP Identity in 1.1.3

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an EAP
message, and Message-Authenticator attributes in Access-Request. When I tried
sending an Access-Request with EAP-Message, I got the following error: rlm_eap:
Identity Unknown, authentication failed.

How to configure the Identity for EAP?

debug log from server:
-
Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /etc/freeradius/proxy.conf
Config:   including file: /etc/freeradius/clients.conf
Config:   including file: /etc/freeradius/snmp.conf
Config:   including file: /etc/freeradius/eap.conf
Config:   including file: /etc/freeradius/sql.conf
 main: prefix = /usr
 main: localstatedir = /var
 main: logdir = /var/log/freeradius
 main: libdir = /usr/lib/freeradius
 main: radacctdir = /var/log/freeradius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 1812
 main: allow_core_dumps = no
 main: log_stripped_names = yes
 main: log_file = /var/log/freeradius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /var/run/freeradius/freeradius.pid
 main: bind_address = 127.0.0.1 IP address [127.0.0.1]
 main: user = freerad
 main: group = freerad
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/sbin/checkrad
 main: proxy_requests = no
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
Using deprecated naslist file.  Support for this will go away soon.
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/lib/freeradius
Module: Loaded exec
 exec: wait = no
 exec: program = (null)
 exec: input_pairs = request
 exec: output_pairs = (null)
 exec: packet_type = (null)
Module: Instantiated exec (exec)
Module: Loaded expr
Module: Instantiated expr (expr)
Module: Loaded PAP
 pap: encryption_scheme = crypt
Module: Instantiated pap (pap)
Module: Loaded CHAP
Module: Instantiated chap (chap)
Module: Loaded MS-CHAP
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = (null)
 mschap: ntlm_auth = (null)
Module: Instantiated mschap (mschap)
Module: Loaded System
 unix: cache = no
 unix: passwd = /etc/passwd
 unix: shadow = /etc/shadow
 unix: group = /etc/group
 unix: radwtmp = /var/log/freeradius/radwtmp
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix)
Module: Loaded eap
 eap: default_eap_type = md5
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = Password: 
 gtc: auth_type = PAP
rlm_eap: Loaded and initialized type gtc
 mschapv2: with_ntdomain_hack = no
rlm_eap: Loaded and initialized type mschapv2
Module: Instantiated eap (eap)
Module: Loaded preprocess
 preprocess: huntgroups = /etc/freeradius/huntgroups
 preprocess: hints = /etc/freeradius/hints
 preprocess: with_ascend_hack = no
 preprocess: ascend_channels_per_line = 23
 preprocess: with_ntdomain_hack = no
 preprocess: with_specialix_jetstream_hack = no
 preprocess: with_cisco_vsa_hack = no
 preprocess: with_alvarion_vsa_hack = no
Module: Instantiated preprocess (preprocess)
Module: Loaded realm
 realm: format = suffix
 realm: delimiter = @
 realm: ignore_default = no
 realm: ignore_null = no
Module: Instantiated realm (suffix)
Module: Loaded files
 files: usersfile = /etc/freeradius/users
 files: acctusersfile = /etc/freeradius/acct_users
 files: preproxy_usersfile = /etc/freeradius/preproxy_users
 files: compat = no
Module: Instantiated files (files)
Module: Loaded Acct-Unique-Session-Id
 acct_unique: key = User-Name, Acct-Session-Id, NAS-IP-Address, Client-IP-Address, NAS-Port
Module: Instantiated acct_unique (acct_unique)
Module: Loaded detail


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread tnt
Add EAP-Type-Identity to radeapclient attributes.

Ivan Kalik
Kalik Informatika ISP


On 16/7/2007, Govardhana K N [EMAIL PROTECTED] wrote:

Hi,

I was trying to configure FreeRadius server with EAP authentication. As
mentioned in eap.conf, I didn't change the Auth-Type, but I was sending an
EAP message, and Message-Authenticator attributes in Access-Request. When I
tried sending an Access-Request with EAP-Message, I got the following error:
rlm_eap: Identity Unknown, authentication failed.

How to configure the Identity for EAP?


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Eshun Benjamin
Check on your AP, client.conf and naslist.
 
== 
Benjamin K. Eshun

- Original Message
From: Govardhana K N [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Monday, 16 July 2007, 13:28:28
Subject: How to configure EAP Identity in 1.1.3

I changed it but the same error is still coming.


On 7/16/07, Eshun Benjamin [EMAIL PROTECTED] wrote:


You have misconfigured the Nas-Identifier.

 govardhana  Nas-Identifier == nas, Nas-Port-Type == 15

You have NAS-Identifier = jrcnas
==
Benjamin K. Eshun


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Alan DeKok
Govardhana K N wrote:
 I have got an Access-Challenge response from the server, and the
 Access-Request sent in response to this challenge is failing
 (Access-Reject is sent by the server). Below I have given the debug log
 from the server,

  Are you writing an 802.1x supplicant?  It looks like it.

  Also, note that the server does NOT support WiMAX attributes.  You can
create a WiMAX dictionary, but the attributes in the packet will NOT be
in the WiMAX format.  Also, many of the WiMAX attributes have
sub-attributes, and those are definitely not supported.

  Alan DeKok.


Re: How to configure EAP Identity in 1.1.3

2007-07-16 Thread Govardhana K N

If that is the case, how can I add WiMAX support in FreeRADIUS? What
are the changes I should make in order to have WiMAX support?

On 7/17/07, Alan DeKok [EMAIL PROTECTED] wrote:


Govardhana K N wrote:
 I have got an Access-Challenge response from the server, and the
 Access-Request sent in response to this challenge is failing
 (Access-Reject is sent by the server). Below I have given the debug log
 from the server,

Are you writing an 802.1x supplicant?  It looks like it.

Also, note that the server does NOT support WiMAX attributes.  You can
create a WiMAX dictionary, but the attributes in the packet will NOT be
in the WiMAX format.  Also, many of the WiMAX attributes have
sub-attributes, and those are definitely not supported.

Alan DeKok.





--
With Regards,
Govardhana K N

Re: How to configure multiple LDAPs with different DN's ?

2007-05-08 Thread Eric Martell
I would really appreciate it if someone pointed me in
the right direction or to an archive of the thread.

Thanks in advance.
Regards.





Re: How to configure multiple LDAPs with different DN's ?

2007-05-08 Thread Jacob Jarick
It will be postauth that you need. Unfortunately I'm still learning
that part myself (when I have spare time).

On 5/8/07, Eric Martell [EMAIL PROTECTED] wrote:
 I would really appreciate it if someone pointed me in
 the right direction or to an archive of the thread.

 Thanks in advance.
 Regards.






Re: how to configure

2007-04-19 Thread Stefan Winter
 I need to configure my freeradius server as a proxy server to use it with
 Windows IAS! I want the configuration of the files of freeradius which can
 permit me to do that!

We all want lots of things. Asking a bit more politely might help.

 my last configuration of these files is:

 radiusd.conf
 proxy_requests = yes

 proxy.conf
 realm gie.local {
     type = radius
     authhost = LOCAL
     accthost = LOCAL
 }

 realm DEFAULT {
     type = radius
     authhost = araignee.gie.local:1812
     accthost = araignee.gie.local:1813
     secret = parfait
     nostrip
 }

 Clients.conf
 client 192.168.0.2 {
     secret = parfait
     shortname = araignee.gie.local
 }

This snippet of config looks good, under the assumption that 
araignee.gie.local is resolvable on your DNS server and resolves to IP 
192.168.0.2.

Now, configure your FreeRADIUS server as a client on the IAS box so that IAS 
accepts the proxied requests, and, if applicable, open the required firewall 
ports.

BTW: do you actually have a _problem_? Nothing in your mail tells us where 
things don't work. The general, several-years-old and well-documented rule 
here is: post the debug output of radiusd -X if you hae a problem. It will 
help people here figure out the problem.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



Re: how to configure

2007-04-19 Thread parfait nda

It's true! I had configured my FreeRADIUS server as a client on the IAS box, 
but my FreeRADIUS server, which I need to be a proxy server, doesn't transmit 
the requests of my switch. When I learned FreeRADIUS, I began by 
configuring it with the users file, and after that with a MySQL database. Then I want 
to configure it as a proxy server which can retransmit requests to IAS on 
Windows Server 2003.
I don't want my FreeRADIUS to do authentication, I want it to be a proxy server.
I have found some information on that which is not true. For the command radiusd 
-X it wrote "ready to process requests", and when I do my test my FreeRADIUS 
rejects the packets.
I need configuration files (radiusd.conf, proxy.conf, clients.conf ...) to 
transform it into a proxy server.
I use FreeRADIUS with EAP-MD5, a Cisco Catalyst 2950 switch, and Windows 
Server 2003.
Thanks for your help!



Re: how to configure

2007-04-19 Thread tnt
You already have those files. What you need to do (if you really want
help on this list) is to paste the output from radiusd -X so people can
see what has gone wrong and tell you how to fix it. "freeradius rejects
the packets" can mean loads of things.

Ivan Kalik
Kalik Informatika ISP


On 19/4/2007, parfait nda [EMAIL PROTECTED] writes:


 It's true! I had configured my FreeRADIUS server as a client on the IAS box, 
 but my FreeRADIUS server, which I need to be a proxy server, doesn't transmit 
 the requests of my switch. When I learned FreeRADIUS, I began by 
 configuring it with the users file, and after that with a MySQL database. Then I want 
 to configure it as a proxy server which can retransmit requests to IAS on 
 Windows Server 2003.
 I don't want my FreeRADIUS to do authentication, I want it to be a proxy server.
 I have found some information on that which is not true. For the command radiusd 
 -X it wrote "ready to process requests", and when I do my test my FreeRADIUS 
 rejects the packets.
 I need configuration files (radiusd.conf, proxy.conf, clients.conf ...) to 
 transform it into a proxy server.
 I use FreeRADIUS with EAP-MD5, a Cisco Catalyst 2950 switch, and Windows 
 Server 2003.
 Thanks for your help!






Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-11-01 Thread richard Bai
Hi Alan,

I changed Group to Ldap-Group in the users file; however, FreeRADIUS cannot find the group name I specify in the users file. I think the reason is that the basedn
(ou=people,dc=richard,dc=com) I set in radiusd.conf is for users only; the groups are bound to a different basedn (ou=group,dc=richard,dc=com). So ldap_groupcmp() cannot find the group in the
basedn (ou=people,dc=richard,dc=com). Since I don't want to authenticate the group membership, just want to get the name of the group to which the user belongs, I don't think I need to configure any group authentication for LDAP.

The result is that the user is authenticated, but the Tunnel-Private-Group-ID is not assigned in the Access-Accept message because no group name matches.
When I changed it back, it works fine. I am not sure what Group represents in FreeRADIUS. I only configured group 1 and group 10 in LDAP. I did the following test.
I changed the name of group 10 to group 20 in LDAP and kept all other configurations. When the user who was in group 10 before and is in group 20 now tried to authenticate, it was successful except that no
Tunnel-Private-Group-ID was assigned, since there is no group 20 in the users file. So I assume Group does have something to do with the LDAP group.
I am using SuSE Enterprise Server 10 and the OpenLDAP integrated with it. Do you think the groups configured in LDAP have some relationship with the Unix group you mentioned?

Richard
On 10/31/06, Alan DeKok [EMAIL PROTECTED] wrote:
 Richard [EMAIL PROTECTED] wrote:
  Right now the situation is the RADIUS can authenticate the user in
  LDAP. But the group attribute does work.

   As I said before, Group is for Unix groups.  If you want to check
 LDAP groups, you should use the LDAP-Group attribute.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog

Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-10-31 Thread Richard
Hi, Alan,

Thanks for reply.

Right now the situation is the RADIUS can authenticate the user in LDAP. But 
the group attribute does work. So, the VLAN ID cannot be assigned. Could you 
tell me what the correct configuration in the users file should be?

Richard
- Original Message - 
From: Alan DeKok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Tuesday, October 31, 2006 6:19 PM
Subject: Re: How to configure USERS file to assign the VLAN ID according to LDAP 
group name? 


 richard Bai [EMAIL PROTECTED] wrote:
 This is my *users* file configuration:
 *DEFAULT  Group == 1*
 
  Why put asterisks around every line?
 
 * Auth-Type = LDAP,*
 
  1) Auth-Type belongs on the first line, radiusd -X will tell you that
  2) Setting Auth-Type = LDAP is probably wrong.
 
 Now, it works fine except I have to add more lines manually once I add one
 more group in LDAP.
 
  Except the Group attribute is for Unix groups, not LDAP groups.
 
  Either your system *doesn't* work at all, or the users file
 entries you included above are *not* what you're using.
 
 Such as programming:
*Tunnel-Private-Group-ID = Group *
 
  See doc/variables.txt.  It explains how to copy the contents of one
 attribute to another attribute.
 
  Alan DeKok.
 --
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



Re: How to configure USERS file to assign the VLAN ID according to LDAP group name?

2006-10-31 Thread Alan DeKok
Richard [EMAIL PROTECTED] wrote:
 Right now the situation is the RADIUS can authenticate the user in
 LDAP. But the group attribute does work.

  As I said before, Group is for Unix groups.  If you want to check
LDAP groups, you should use the LDAP-Group attribute.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
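As an added illustration of Alan's point, not any poster's configuration: a users-file fragment that keys the VLAN on Ldap-Group instead of the Unix Group attribute, together with the rlm_ldap settings the group check depends on. The server name, bind account, basedn, group names and VLAN numbers are assumed values modelled on Richard's description.

```conf
# radiusd.conf, rlm_ldap instance.  ldap_groupcmp() looks groups up under
# this basedn, so it has to cover both ou=people and ou=group (Richard's
# groups live outside ou=people); dc=richard,dc=com is an assumed value.
ldap {
        server = "ldap.richard.com"                 # assumed hostname
        identity = "cn=radius,dc=richard,dc=com"    # assumed read-only bind account, not the directory admin
        password = "ASSUMED-BIND-PASSWORD"
        basedn = "dc=richard,dc=com"
        filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        # Group lookup: the group entry's cn is what Ldap-Group is compared
        # against, and membership is tested with the filter below (these are
        # the stock 1.x defaults, repeated here so the dependency is visible).
        groupname_attribute = cn
        groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
}

# radiusd.conf, authorize: run ldap before files so Ldap-UserDn is already
# known when the Ldap-Group check items in users are evaluated.
authorize {
        preprocess
        ldap
        files
}

# users: Ldap-Group is a check item answered by rlm_ldap, so one entry per
# LDAP group is all that is needed.  No Auth-Type is set here; rlm_ldap
# chooses it during authorize (Alan's point 2 above).
DEFAULT Ldap-Group == "group1"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "1"

DEFAULT Ldap-Group == "group10"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-ID = "10"

# A user in none of the listed groups (Richard's renamed "group 20") is
# rejected, instead of being accepted with no VLAN attributes and landing
# in whatever default VLAN the switch port falls back to.
DEFAULT
        Auth-Type := Reject
```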


Re: How to configure/store NAS clients in LDAP instead of clients.conf

2006-10-27 Thread Alan DeKok
Lenir Santiago [EMAIL PROTECTED] wrote:
 I've been looking for the past two days all over the web regarding
 this subject. Sorry if this question has been posted before. With
 rlm_sql im able to store NAS clients on a SQL table. I want to do
 the same but with ldap.

  It's not possible.  If it was possible, it would have been documented.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: How to configure multi nas

2006-10-18 Thread Peter Nixon
On Wed 18 Oct 2006 12:19, Enkhbat.N wrote:
 Hi All



 I have those problems. Please help to solve the problems



 1.How to configure many NASes on one RADIUS?
 2.How to setting user's connection NAS.

 Example Special users are connected on Primary NAS and other users are
 connected on Secondary NAS.

Please read the documentation (http://wiki.freeradius.org/ is a good place to 
start). If you still can't figure it out yourself then ask for help on the 
users list, NOT this list.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: How to configure free radius to make it listen to different udp ports?

2006-08-30 Thread James Wakefield
On Thu, 2006-08-31 at 10:34 +0530, Shankar Ganesh C wrote:
 Hi,
  
 How can i make freeradius listen to different UDP ports? 
  
 Thanks and regards
 Shankar ganesh

http://wiki.freeradius.org/index.php/Radiusd.conf

look for the listen { } section.

-- 
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au



RE: How to configure free radius to make it listen to different udp ports?

2006-08-30 Thread Mike Mitchell
Shankar Ganesh wrote:

   How can i make freeradius listen to different UDP ports? 
 

Hi Shankar,
 
This is very clearly explained in the radiusd.conf configuration file.
Search for listen
 
regards,
Mike



Re: how to configure NAI realms routing table

2006-06-22 Thread Stefan Winter
 Any links to documentation on
 how to achieve this with freeradius
 would be appreciated.

? Have you taken a look at proxy.conf? Should all be there...

Stefan

-- 
Stefan WINTER

Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche - Ingénieur de recherche

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg




Re: how to configure my scenario

2006-02-23 Thread Peter Manckok

 --- Phil Mayers [EMAIL PROTECTED] wrote:

 Peter Manckok wrote:
  
  authenticate {
 ..
 Auth-Type LDAP1 {
  interface1
 }
 Auth-Type LDAP2 {
  interface2
 }
 Auth-Type LDAP3 {
  interface3
 }
 
  }
  
  In my authorize section I have:
  authorize{
  
  files
  ...
  }
  
  In my users file I have:
  DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type
 :=LDAP1
  DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type
  :=LDAP2
  DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type
  :=LDAP3
  
 
 
 Provided there's nothing after the files in
 authorize that might be 
 (re)setting Auth-Type, that should work. 

Thanks for the warning

 Don't snip
 bits out - what is 
 the full contents of the authorize and authenticate
 sections? What does 
 the radius server say when you run it in debug mode
 (with -X)?
 - 

Hi Phil,

My problem is how to select the correct authorize
method of an instance depending on the NAS-IP-Address
of the Access-Request packet. For example, if the
NAS-IP-Address is a.b.c.d I would like to use the
authorize method of interface1 (and NOT the authorize
method of interface2 or interface3) 

I haven't tested it yet, I am not in my company now 

In the authorize section I have:

authorize{
   preprocess
   suffix
   files
   ??? --- how can I discriminate between the
different authorize methods of interface1,
interface2, interface3 depending on the source
NAS-IP-Address?
}

In the authenticate section:

authenticate {

Auth-Type LDAP1 {
 interface1
}
  Auth-Type LDAP2 {
interface2
   }
   Auth-Type LDAP3 {
   interface3
   }
  unix
}


Thanks again

Any hint is very appreciated

Peter

 






Re: how to configure my scenario

2006-02-23 Thread Rafael Roldán

- Original Message - 
From: Peter Manckok [EMAIL PROTECTED]
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Sent: Thursday, February 23, 2006 11:52 AM
Subject: Re: how to configure my scenario




Use Autz-Type to select between authorization methods






Re: how to configure my scenario

2006-02-23 Thread Stefan Winter
Hi,

 My problem is how to select the correct authorize
 method of an instance depending on the NAS-IP-Address
 of the Access-Request packet. For example, if the
 NAS-IP-Address is a.b.c.d I would like to use the
 authorize method of interface1 (and NOT the authorize
 method of interface2 or interface3)


to separate within the authorize section, you have to set Autz-Type as well. That 
would be

DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type :=LDAP2, Autz-Type := LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type :=LDAP3, Autz-Type := LDAP3

(just always make sure that files is before the interfaceX bits, to ensure 
that Autz-Type is already set.) You can then do

 authorize{
preprocess
suffix
files
Autz-Type LDAP1 {
   interface1
   }
   Autz-Type LDAP2 {
   interface2
   }
   Autz-Type LDAP3 {
   interface3
   }
 }

That should work, I did a very similar thing just last week :-)

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473

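Putting the thread's pieces together, as an added example and not any poster's configuration: three rlm_ldap instances (from Peter's modules section), the users file that selects Autz-Type and Auth-Type per NAS, and the authorize and authenticate sections with files ahead of the Autz-Type blocks as Stefan describes. Server addresses, basedns, NAS addresses and the stock module name ldap (Peter wrote ldap2) are assumptions.

```conf
# radiusd.conf, modules section: one rlm_ldap instance per directory.
# Addresses and basedns are placeholders (the thread has 10.x.y.a etc.);
# Peter's config called the module "ldap2", the stock "ldap" is assumed here.
modules {
        ldap interface1 {
                server = "10.0.0.1"
                basedn = "ou=gprs,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        }
        ldap interface2 {
                server = "10.0.0.2"
                basedn = "ou=callback,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        }
        ldap interface3 {
                server = "10.0.0.3"
                basedn = "ou=dialin,dc=example,dc=com"
                filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
        }
}

# users: one DEFAULT entry per NAS selects the instance for both phases.
# NAS-IP-Address is an attribute the NAS itself puts in the packet; the
# server only verifies the packet against the shared secret of the client
# it arrived from, so these addresses should match the clients.conf entries
# rather than anything a NAS could choose to send.
DEFAULT NAS-IP-Address == 192.0.2.1, Auth-Type := LDAP1, Autz-Type := LDAP1
DEFAULT NAS-IP-Address == 192.0.2.2, Auth-Type := LDAP2, Autz-Type := LDAP2
DEFAULT NAS-IP-Address == 192.0.2.3, Auth-Type := LDAP3, Autz-Type := LDAP3
# A request from any other NAS matches nothing: no Autz-Type block runs and,
# with no Auth-Type set, the server rejects it.

# radiusd.conf, authorize: files must run before the Autz-Type blocks so that
# Autz-Type is already set when they are evaluated (the alternative Stefan
# mentions is setting Autz-Type during preprocess, in which case files may
# come after them).
authorize {
        preprocess
        suffix
        files
        Autz-Type LDAP1 {
                interface1
        }
        Autz-Type LDAP2 {
                interface2
        }
        Autz-Type LDAP3 {
                interface3
        }
}

# radiusd.conf, authenticate: the instance chosen above checks the password.
authenticate {
        Auth-Type LDAP1 {
                interface1
        }
        Auth-Type LDAP2 {
                interface2
        }
        Auth-Type LDAP3 {
                interface3
        }
}
```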


Re: how to configure my scenario

2006-02-23 Thread Peter Manckok

 --- Stefan Winter [EMAIL PROTECTED] wrote:

 Hi,
 
  My problem is how to select the correct authorize
  method of an instance depending on the
 NAS-IP-Address
  of the Access-Request packet. For example, if the
  NAS-IP-Address is a.b.c.d I would like to use the
  authorize method of interface1 (and NOT the
 authorize
  method of interface2 or interface3)
 
 
 to separate within the authorize section, you have
 to set Autz-Type as well. That 
 would be
 
 DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type
 :=LDAP1, Autz-Type := LDAP1
 DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type
 :=LDAP2, Autz-Type := LDAP2
 DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type
 :=LDAP3, Autz-Type := LDAP3
 
 (just always make sure that files is before the
 interfaceX bits, to ensure 
 that Autz-Type is already set.) You can then do
 
  authorize{
 preprocess
 suffix
 files
 Autz-Type LDAP1 {
  interface1
}
Autz-Type LDAP2 {
  interface2
}
Autz-Type LDAP3 {
  interface3
}
  }



One question Stefan, in the Autz-Type file I read that
the order should look like that:

authorize{
preprocess
suffix
Autz-Type LDAP1 {
   interface1
}
Autz-Type LDAP2 {
   interface2
 }
Autz-Type LDAP3 {
   interface3
 }
 files
 }


files is before or after Autz-Type lines in the
authorize section?

Thank you very much
Peter


 






Re: how to configure my scenario

2006-02-23 Thread Stefan Winter
Hi,

 One question Stefan, in the Autz-Type file I read that
 the order should look like that:

 authorize{
 preprocess
 suffix
 Autz-Type LDAP1 {
  interface1
 }
 Autz-Type LDAP2 {
  interface2
  }
 Autz-Type LDAP3 {
  interface3
  }
  files
  }


 files is before or after Autz-Type lines in the
 authorize section?

Now that I think of it... I think I set Autz-Type already during preprocess, 
so files could be behind the Autz-Type stanzas. But it should work the other 
way around as well.

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de 
la Recherche
Ingenieur Forschung & Entwicklung

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]     Tel.:     +352 424409-1
http://www.restena.lu                Fax:      +352 422473



RE: how to configure my scenario

2006-02-22 Thread Peter Manckok
I will try to explain it better

In my modules section I have:
modules {
...

   ldap2  interface1 {
  server = 10.x.y.a
   ...
   }

   ldap2   interface2 {
 server = 10.x.y.b
  ...
   }

   ldap2   interface3 {
 server = 10.x.y.c
  ...
   }

...
}


In the authenticate section I have:

authenticate {
   ..
   Auth-Type LDAP1 {
interface1
   }
   Auth-Type LDAP2 {
interface2
   }
   Auth-Type LDAP3 {
interface3
   }
   
}

In my authorize section I have:
authorize{

files
...
}

In my users file I have:
DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type
:=LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type
:=LDAP3

How can I say to FreeRadius in the authorize section
(after processing files module) which authorize method
to use(depending on the NAS-IP-Address of the
Access-Request packet)? 
For example, in my case, if the NAS-IP-Address is
a.b.c.d I would like to use the authorize method of
the interface1 module. If the NAS-IP-Address is
a2.b2.c2.d2 I would like to use the authorize method
of the interface2 module...

Thanks a lot :-)

 --- Peter Manckok [EMAIL PROTECTED] wrote:

 Hi all,
 
 I am not sure how to configure my scenario.
 
 I explain it to you:
 
 We have 3 LDAP servers running. We authenticate
 against one or other depending the type of access
 (GPRS, Callback...).
 
 I am going to create three instances of the ldap
 module. But I don't know how and where to say which
 is
 the instance to use for the authorization and
 authentication in each case.
 For example, if I have a GPRS access I would like to
 authenticate against my first LDAP server (instance
 ldap1). How can I say to the FreeRadius server to
 use
 the authenticate method of the l1 instance?
 
 Thanks
 Regards,
 Peter
 
 
   
 








Re: how to configure my scenario

2006-02-22 Thread Alan DeKok
Peter Manckok [EMAIL PROTECTED] wrote:
 For example, if I have a GPRS access I would like to
 authenticate against my first LDAP server (instance
 ldap1). How can I say to the FreeRadius server to use
 the authenticate method of the l1 instance?

  In 1.1.0, once you select an LDAP module during the authorization
phase, it will cause itself to be run during the authenticate phase,
too.

  Alan DeKok.


Re: how to configure my scenario

2006-02-22 Thread Phil Mayers

Peter Manckok wrote:


authenticate {
   ..
   Auth-Type LDAP1 {
interface1
   }
   Auth-Type LDAP2 {
interface2
   }
   Auth-Type LDAP3 {
interface3
   }
   
}

In my authorize section I have:
authorize{

files
...
}

In my users file I have:
DEFAULT NAS-IP-Address == a.b.c.d, Auth-Type :=LDAP1
DEFAULT NAS-IP-Address == a2.b2.c2.d2, Auth-Type
:=LDAP2
DEFAULT NAS-IP-Address == a3.b3.c3.d3, Auth-Type
:=LDAP3




Provided there's nothing after the files in authorize that might be 
(re)setting Auth-Type, that should work. Don't snip bits out - what is 
the full contents of the authorize and authenticate sections? What does 
the radius server say when you run it in debug mode (with -X)?


Re: how to configure my scenario

2006-02-22 Thread George C. Kaplan
Alan DeKok wrote:
 Peter Manckok [EMAIL PROTECTED] wrote:
 
For example, if I have a GPRS access I would like to
authenticate against my first LDAP server (instance
ldap1). How can I say to the FreeRadius server to use
the authenticate method of the l1 instance?
 
 
   In 1.1.0, once you select an LDAP module during the authorization
 phase, it will cause itself to be run during the authenticate phase,
 too.

I assume we can still override this (for example, to authorize with LDAP,
but authenticate with kerberos) as we're doing with 1.0.5.

Is this correct?

-- 
George C. Kaplan                    [EMAIL PROTECTED]
Communication & Network Services    510-643-0496
University of California at Berkeley


Re: how to configure my scenario

2006-02-22 Thread Alan DeKok
George C. Kaplan [EMAIL PROTECTED] wrote:
 I assume we can still override this (for example, to authorize with LDAP,
 but authenticate with kerberos) as we're doing with 1.0.5.

  Yes.

  Alan DeKok.


Re: How to configure FreeRadius to proxy out a PoD packet to a NAS

2006-01-14 Thread Alan DeKok
Suparna Kumar [EMAIL PROTECTED] wrote:
 2. Sending the PoD Packets to FreeRadius (which port should I send it
 to, port 1812 reports Unknown packet code 40 )

  FreeRADIUS doesn't support proxying this packet.

  Alan DeKok.


Re: How to configure freeradius to answer on two IP addresses

2005-08-30 Thread Nicolas Baradakis
Stefan A. wrote:

 How may I advise freeradius to bind to two IP addresses?
 I tried the Listen option and the bind_address by separating my IP addresses
 with a whitespace, a colon or a semicolon...

Delete bind_address and port from radiusd.conf, and use multiple
listen {} stanzas for each IP address.

-- 
Nicolas Baradakis


