On Tue, Feb 24, 2009 at 9:20 AM, Alan DeKok al...@deployingradius.com wrote:
No... they *do* support multiple round trips. But they have an upper
limit on too many round trips. For example, WPA supplicant (the most
widely used one) has a default limit of 50. This means it's *highly*
Jouni Malinen wrote:
The main (well, more or less, the only) reason for that limit on
number of round trips is to work around issues where the EAP peer and
server ended up in an infinite loop ACKing their messages. I would
prefer to change that to be based on whether any real progress has
Dear All,
I've been trying to authenticate a Wireless Access Point through a Radius
Server for the last 1 month, but things don't seem to be working for me.
The Radius Server is authenticating when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
On Tue, Feb 24, 2009 at 10:36 AM, Alan DeKok al...@deployingradius.com wrote:
Defining progress per EAP type may be difficult.
Indeed and that is why the hardcoded limit of round trips ended up
being there in the first place.. ;-) Anyway, the most common issue
case I've seen is where EAP
Ivan,
Hello
Thanks for your attention, but I have tested what you had suggested. The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?
Kind Regards
Ali Majdzadeh Kohbanani
2009/2/24 t...@kalik.net
I am using freeradius-1.1.7. In order to authenticate
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to do.
What we want to do:
When a
Mon Feb 23 19:54:36 2009 : Info: [files] expand:
(|((objectClass=GroupOfNames)(member=%{Ldap-UserDn}))((objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
->
(|((objectClass=GroupOfNames)(member=))((objectClass=GroupOfUniqueNames)(uniquemember=)))
Try %{control:Ldap-UserDn} in
The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?
Post the debug.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I've been trying to authenticate a Wireless Access Point through a Radius
Server for the last 1 month, but things don't seem to be working for me.
The Radius Server is authenticating when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
the Access
Ivan,
Hello
Problem solved. I have mentioned my solution below, but now comes another
question, sorry :)
How is it possible to authenticate CHAP clients using an external program
and not the rlm_chap module?
I made two instances of the rlm_exec module. One as the authorization
external program and
By the way, the authorization external program sets my customized Auth-Type
so that in the authentication section, I can use it to authenticate clients
using my authentication external program which is another instance of the
rlm_exec module (the second one).
Why?
The main problem is the way
What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...
The supplicant is NAT'ed behind 192.168.0.1 could that be causing an issue?
I have tried DMZ'ing the supplicant still with no success...
Any ideas? Thanks for the help
rad_recv:
Sandra H. wrote:
What's happening here? It's like the radius tries to send a request back
to the supplicant, but gives up...
The supplicant is NAT'ed behind 192.168.0.1 could that be causing an
issue? I have tried DMZ'ing the supplicant still with no success...
Any ideas? Thanks for the
What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...
No. Client gives up - it didn't send client certificate.
Ivan Kalik
Kalik Informatika ISP
Hi Alan,
Again, thanks for your great reply. If we wanted to pursue this
capability, what would be the process to get FreeRadius to support large
chains?
Regards,
Brian Smith
Ph. 602-436-6691
Honeywell
-Original Message-
From:
Ivan,
Hello
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.
As a mid-term solution we should try to respond to our
Alan,
Environment: SunOS 5.10 and FR 2.1.3 (stable)
I encountered the following problem when the server received an
Access-Challenge packet
from a proxy server. Any help in fixing this problem would be appreciated.
Thanks,
Chris
Waking up in 0.9 seconds.
rad_recv: Access-Challenge packet
Hi Jouni,
Thanks for your reply. I understand your concern on wasting time when in a
failure condition. I agree it would be ideal for the code to continue
transfers, based on progress. We will try to validate the use case before
taking this further.
Regards,
Brian Smith
Ph. 602-436-6691
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
That is why I tried to create the challenge with the help of the perl module.
Then I realized that freeradius.net unfortunately doesn't include
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.
So what would be the problem in sorting out your features in
Sorry for sending this message twice, but I forgot the debug output.
---
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
That is why I tried to create the challenge with the help of the perl
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
So what is client going to do with the challenge when it gets it?
That is why I tried to create the challenge with the help of the perl module
Ivan,
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.
Kind Regards
Ali Majdzadeh Kohbanani
The challenge is outputted to the user that triggered the challenge, expecting
that he can answer it. I have no idea if the productive system ever will send a
challenge and, if so, how it will look. I just wanted to test out client, if
it can handle it.
-Original Message-
From:
But the server doesn't send the reply to the client (Timeout at clientside)
rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
User-Name = radius
NAS-IP-Address = 10.0.1.131
CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
CHAP-Challenge =
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.
Immediate solution is *not* trying to invent a new kind of hole on the
flower pot. Don't use custom authentication script - use existing
server modules. Whatever additional checks you think
Hi,
I'm trying to figure out how to check to see if the auth type is
mschap in the users file. I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.
Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.
I have a default
I'm trying to figure out how to check to see if the auth type is
mschap in the users file. I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.
Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.
It's EAP-Type not
Ivan,
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?
Kind Regards
Ali Majdzadeh Kohbanani
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?
I do hang around. This is what you should plan for:
- checks that need to
Hi Ivan,
t...@kalik.net wrote:
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to
Yes. There is no problem in composing Cleartext-Password on the fly
from user's password and the token. It shouldn't be too difficult to
create a perl script that does that.
Excellent! So the username and tokencode/password is passed from the
NAS (ASA5500) to the FreeRADIUS server and we create
Hi Ivan,
Thanks a lot for the guidance. I rectified the problem. The debug mode
shows that it is receiving the request from the WAN IP of the IP
(192.168.104.xxx), while the NAS-IP appeared to be its LAN IP
(192.168.1.xxx). As a result, Radius Server was trying to send the
Hello,
My name is Shimon from the Open Univ. of Israel. I installed freeradius and I
want the
Users to authenticate with /etc/raddb/users file NOT /etc/passwd file.
Below is a printout of /usr/sbin/radius -X -y
--
rad_recv: Access-Request packet from host 127.0.0.1:54057,
Hi Shimon,
In the /usr/local/etc/raddb/sites-enabled/default file, comment out the unix
module.
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow
I have a wired 802.1x auth setup on cisco gear. I would like to
record the IP address of machines that connect and are authorized. Is
this possible?
I currently see NAS-IP-Address and Client-IP-Address as the IP of the
switch. The Calling-Station-Id is the correct mac address of the
authorized
I'm using Freeradius with a Postgresql backend. Every two or three days,
Freeradius dies. These are the last lines from the log file:
Tue Feb 24 21:15:31 2009 : Auth: Login OK: [] (from client port 3 cli
)
Tue Feb 24 21:16:34 2009 : Auth: Login OK: [] (from client port
Hi
I am facing a strange issue while running radtest from remote IP and
radiusd running on other IP but on the same network.
My Radius server is not listening to any other client except localhost.
I've added all clients entries in clients.conf file.
What could be the issue?
Pls advise.
-Thanks