Freeradius and Alvarion

2009-06-12 Thread Jairos Jackson
Hi, I have a problem with MAC Authentication on an Alvarion Wimax base station. I use freeradius 1.1.7 with Radius Manager 3.6. Currently I am running pppoe authentication with a Mikrotik router at the backend of the Alvarion Wimax and it's working fine but I need to change to MAC authentication.

Re: refresh variable after exec module

2009-06-12 Thread bLn
Because I do an update into radgroupreply but now I'm doing a select and save the result into a variable, like this: REPLY_MESSAGE=$(mysql -Ns -h$HOST -u$USER -p$PASS -e "SELECT Value FROM radgroupreply WHERE Attribute='Reply-Message' AND GroupName='$GROUP_NAME'" $BD) But this variable I

Re: refresh variable after exec module

2009-06-12 Thread Alan DeKok
bLn wrote: Because I do an update into radgroupreply but now I'm doing a select and save the result into a variable, like this: REPLY_MESSAGE=$(mysql -Ns -h$HOST -u$USER -p$PASS -e "SELECT Value FROM radgroupreply WHERE Attribute='Reply-Message' AND GroupName='$GROUP_NAME'" $BD) That won't

my freeradius-2.1.6 is not auth with PIN only.

2009-06-12 Thread Goke M Aruna
I will be glad, if anyone can direct me to where The log below is the part of the debug for the new test freeradius server 2.1.6 am testing with. However, the hotspotlogin.cgi is able to pass the param username to the radius but when the query is run against the database the Tue Jun 9 14:59:48

Re: Authentication failure - PEAP - MS-CHAPv2

2009-06-12 Thread kissg
2009/6/11 Matthieu Lazaro matthieu.laz...@eservglobal.com ! eap profile Profile Name method mschapv2 ! I don't have the lines above in my config. Does this have any influence on the way the AP proxies radius packets? I think, this is only relevant if the AP authenticates using its own

Re: Freeradius and Alvarion

2009-06-12 Thread Ivan Kalik
I have a problem with MAC Authentication on an Alvarion Wimax base station. I use freeradius 1.1.7 with Radius Manager 3.6. Currently I am running pppoe authentication with a Mikrotik router at the backend of the Alvarion Wimax and it's working fine but I need to change to MAC authentication.

RE: Freeradius and Alvarion

2009-06-12 Thread Jairos Jackson
I have never done MAC authentication and I need to know if anyone has managed to do it. Is it possible to do MAC authentication on an Alvarion Base Station with freeradius 1.1.7 and if possible how do I set it up. Thanks in advance -Original Message- From:

Re: my freeradius-2.1.6 is not auth with PIN only.

2009-06-12 Thread Ivan Kalik
However, the hotspotlogin.cgi is able to pass the param username to the radius Sort of. rad_recv: Access-Request packet from host 127.0.0.1 port 44600, id=0, length=189 ChilliSpot-Max-Input-Octets = 0x32333435363738393031 ChilliSpot-Max-Output-Octets = 0

RE: Freeradius and Alvarion

2009-06-12 Thread Ivan Kalik
I have never done MAC authentication and I need to know if anyone has managed to do it. Is it possible to do MAC authentication on an Alvarion Base Station with freeradius 1.1.7 and if possible how do I set it up. Yes, mac auth is just a pap request where mac address is sent as username. Is it

Re: Freeradius and Alvarion

2009-06-12 Thread Kristoffer Milligan
Good luck doing that .. I've been working with alvarion equipment and trying to integrate with freeradius for several months now .. the alvarion support has been total sh.. uhh, poor. Let me know if you get anything working though .. I'd be interested.

multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Hi, I would like to have a profile administrator on my openldap which allows administrator to authenticate on cisco and foundry equipment and enters directly in Privileged EXEC level. So I read VSA attribute in dictionary.foundry and dictionary.cisco. I created my profile in OpenLDAP and I am

RE: Freeradius and Alvarion

2009-06-12 Thread Jairos Jackson
I got the below info from some guys who support Alvarion Wimax and they say all is ready on the Alvarion staff only left with changes on the radius server. I have to have the string below ready (still don't know how to come up with such a string). Yes, mac auth is just a pap request where mac

Re: multiple radiusVSA in ldap.attrmap

2009-06-12 Thread Ivan Kalik
I don't succeed to give good value for each attribute with OpenLDAP, ldapattrmap, radiusVSA ... In addition, I can't have two radiusVSA attributes with the same value in OpenLDAP. So I would like to know if it is possible to have just one profile with several attributes for different

Robust proxy accounting

2009-06-12 Thread Chris Howley
Fail {...} [detail.example.com]expand: /usr/local/var/log/radius/radacct/detail.example.com/detail-%Y%m%d:%H - /usr/local/var/log/radius/radacct/detail.example.com/detail-20090612:11 [detail.example.com] /usr/local/var/log/radius/radacct/detail.example.com/detail-%Y%m%d:%H expands to /usr

RE: Freeradius and Alvarion

2009-06-12 Thread Ivan Kalik
I got the below info from some guys who support Alvarion Wimax and they say all is ready on the Alvarion staff only left with changes on the radius server. I have to have the string below ready (still don't know how to come up with such a string). There is nothing to change on the radius

RE: Freeradius and Alvarion

2009-06-12 Thread Jairos Jackson
I do not have any Vlans, I am working with only one subnet for all my connections... . I got the below info from some guys who support Alvarion Wimax and they say all is ready on the

Re: multiple radiusVSA in ldap.attrmap

2009-06-12 Thread Alan DeKok
François Mehault wrote: + in ldap.attrmap I add replyItem Cisco-AVPair radiusVSA replyItem Foundry-Privilege-Level radiusVSA replyItem Foundry-INM-Privilege radiusVSA You can't do that.

Re: refresh variable after exec module

2009-06-12 Thread bLn
Ok. It's working...thanks a lot!! If I execute my script in wait-program-exec then all it's right and I can get out the variable but if I call an external script in exec module, no. Although I put the same sentence to get my goal...thanks for the lesson...curious :-) Alan DeKok wrote:

Re: my freeradius-2.1.6 is not auth with PIN only.

2009-06-12 Thread Goke M Aruna
Thanks Ivan, i have discovered that and i removed the chillispot dictionary that i included and after that i was able to do the authentication. however, it is now complaining about my check-item pair as not being okay. How will i create the check-item value pair? i have appended the ATTRIBUTE

Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread mikoi
Hello. I am trying to replace an old Cisco Secure ACS with Freeradius. My idea is to use PostgreSQL as a database where all information is added (users, nases etc), but instead of passwords i want Freeradius to ask a backend One-Time Password system (safeword) if a users profile contains a value.

RE: Freeradius and Alvarion

2009-06-12 Thread Ivan Kalik
I do not have any Vlans, I am working with only one subnet for all my connections... So? There is nothing to list and you should turn off all the features since you can't use any. Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See

Re: Robust proxy accounting

2009-06-12 Thread Alan DeKok
Chris Howley wrote: I doubled the value of cleanup delay in radiusd.conf. This change didn't fix the problem (see below). Grab a copy of the server from http://git.freeradius.org/pre/ I've added some debug messages which might help explain what's going on. Alan DeKok.

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread Alan DeKok
mikoi wrote: I am trying to replace an old Cisco Secure ACS with Freeradius. That's always a good idea. My idea is to use PostgreSQL as a database where all information is added (users, nases etc), but instead of passwords i want Freeradius to ask a backend One-Time Password system

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread mikoi
Hello. I'm still in the design phase of this and new to Freeradius. Freeradius and postgresql installed on the same box. Connection through sql.conf was my thought. Tables in the database: users usergroups Authentication-server (proxy-to server) naslist huntgroups (for combining aaa-clients) For

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread Ivan Kalik
I'm still in the design phase of this and new to Freeradius. Freeradius and postgresql installed on the same box. Connection through sql.conf was my thought. The question was how does freeradius talk to authentication database. What does it send to it and what does it get back? Ivan Kalik

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, Alan DeKok wrote: Charles Gregory wrote: But CentOS is supposedly still a 'supported' OS, so I think it's fair to ask simple 'how to' questions for that environment. Centos supports their OS. This list answers questions about FreeRADIUS. Quite right. CentOS supports

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Alan DeKok
Charles Gregory wrote: Why do you LET RedHat use the old version if it is so unsupported? There appears to be a fundamental misconception in that sentence: We don't control RedHat. So... RedHat does whatever the heck makes them happy. And it makes them happy to keep their

RE: multiple radiusVSA in ldap.attrmap

2009-06-12 Thread François Mehault
Thanks Alan Dekok and Ivan Kalik, I will try the two ways you sent me in my lab. -Original Message- From: freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org [mailto:freeradius-users-bounces+francois.mehault=netplus...@lists.freeradius.org] On Behalf Of Alan DeKok

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread John Dennis
On 06/12/2009 01:23 AM, Alan DeKok wrote: Charles Gregory wrote: But CentOS is supposedly still a 'supported' OS, so I think it's fair to ask simple 'how to' questions for that environment. Centos supports their OS. This list answers questions about FreeRADIUS. Let's clarify something,

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Alan DeKok
John Dennis wrote: Let's clarify something, calling CentOS a supported OS is a little misleading. The CentOS people answer questions about CentOS on the CentOS mailing list. That is the limit of their support. Similarly, the FreeRADIUS people answer questions about FreeRADIUS on the

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread mikoi
The question was how does freeradius talk to authentication database. What does it send to it and what does it get back? I'll do my best to explain. Access-Request packet from NAS/AAA-client contains: User-Name User-Password (One-Time-Password) NAS-IP-Address FreeRadius checks with SQL: Is

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread Alan DeKok
mikoi wrote: The question was how does freeradius talk to authentication database. What does it send to it and what does it get back? No. *Your* question was about using Safeword authentication with FreeRADIUS. When we asked you how FreeRADIUS talked to the Safeword system, you responded

Re: Freeradius, PostgreSQL and One-Time-Password backends

2009-06-12 Thread Ivan Kalik
The question was how does freeradius talk to authentication database. What does it send to it and what does it get back? I'll do my best to explain. Access-Request packet from NAS/AAA-client contains: User-Name User-Password (One-Time-Password) NAS-IP-Address FreeRadius checks with

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, John Dennis wrote: BTW, the philosophy of RHEL (why it's older), the philosophy of Fedora (why it's bleeding edge) and CentOS is explained on the FreeRadius FAQ under Red Hat (http://wiki.freeradius.org/Red_Hat_FAQ). It's incumbent upon you when selecting an OS to install

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Ivan Kalik
So if I have any legitimate complaint against the FreeRADIUS team it is only that with versions so 'close together' in time, there really should either be a repository of documents applying to 1.x Documentation is included with the server. Read comments in configuration files you are

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, Alan DeKok wrote: The CentOS people answer questions about CentOS on the CentOS mailing list. That is the limit of their support. Similarly, the FreeRADIUS people answer questions about FreeRADIUS on the freeradius-users list. What do you mean by people? What *I* mean

Re: Logical or not operator in users file?

2009-06-12 Thread Ivan Kalik
I have a check to verify that a user is allowed to use radius at all, simply by checking if they are in the radius group. DEFAULT Group != radius, Auth-Type == Reject Reply-Message == Not in radius group I would like to expand this to check against TWO groups. If

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Alan DeKok
Charles Gregory wrote: On Fri, 12 Jun 2009, Alan DeKok wrote: The CentOS people answer questions about CentOS on the CentOS mailing list. That is the limit of their support. Similarly, the FreeRADIUS people answer questions about FreeRADIUS on the freeradius-users list. What do you mean

Robust proxy accounting

2009-06-12 Thread Chris Howley
-Type server home.example.com { +- entering group Fail {...} [detail.example.com]expand: /usr/local/var/log/radius/radacct/detail.example.com/detail-%Y%m%d:%H - /usr/local/var/log/radius/radacct/detail.example.com/detail-20090612:17 [detail.example.com] /usr/local/var/log/radius/radacct

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Alan DeKok
Charles Gregory wrote: ...there really should either be a repository of documents applying to 1.x (similar to how Apache maintains its separate document trees for 1.x and 2x), Sure. Apache has 1000 times as many installations as FreeRADIUS, and probably 1000 times as much funding, and

Re: Logical or not operator in users file?

2009-06-12 Thread Alan DeKok
Donnelly, Michael (OFT) wrote: I would like to expand this to check against TWO groups. If user is in either one then pass , if user is in neither then generate the Reply-Message == Not in radius group(s) See man unlang in 2.x. It's trivial to do there. Alan DeKok.

Logical or not operator in users file?

2009-06-12 Thread Donnelly, Michael (OFT)
I have a check to verify that a user is allowed to use radius at all, simply by checking if they are in the radius group. DEFAULT Group != radius, Auth-Type == Reject Reply-Message == Not in radius group I would like to expand this to check against TWO groups. If user is

Re: MAC Authentication

2009-06-12 Thread Steve Wu
OK, it took a server reboot for FR to see the change in the users file. Case does count. Brain dead, thanks for giving me the nudge... it's all good now, onto MySQL and Daloradius... - Original Message - From: Kenneth Grady k...@lanl.gov To: FreeRadius users mailing list

RE: Logical or not operator in users file?

2009-06-12 Thread Donnelly, Michael (OFT)
Thank you Ivan and Alan for the excellent guidance. # DEFAULT Group != radius, Group != radius1, Auth-Type == Reject Reply-Message == Not in radius group

Re: [rad] Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Ivan Kalik
You better believe that if I 'work it out for myself' I will be coming back to this list with a howto and examples for any other 1.x user who runs into the same situation that I have. Work what out? Your problem has nothing to do with freeradius version. exec module hasn't changed in years.

SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread john
Hello All, I am not able to successfully get a port authorized via dot1x (wired connection). I am using SecureW2 suite as a client. I get the following message in the debug output of freeradius: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread Ivan Kalik
I am not able to successfully get a port authorized via dot1x (wired connection). I am using SecureW2 suite as a client. I get the following message in the debug output of freeradius: rlm_eap: SSL error error:140890C7:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:peer did not return a

SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, Ivan Kalik wrote: Work what out? Finally got my 1.x Session-Time script working (as an exec module). The really strange thing is that it is working *exactly* as I first thought I should be doing it!!! (see below) I can only guess that somewhere along the way I had a

Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
Sure. We'll wait. Alan DeKok. (smile) - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread john
On Fri, Jun 12, 2009 at 11:54 AM, Ivan Kalik t...@kalik.net wrote: I am not able to successfully get a port authorized via dot1x (wired connection). I am using SecureW2 suite as a client. I get the following message in the debug output of freeradius: rlm_eap: SSL error error:140890C7:SSL

XP Home SP3 WPA2 Enterprise oddity

2009-06-12 Thread Seann Clark
All, I know this is an old(ish) issue, but one I have been playing with a lot lately. I have a Vista Ultimate box that works perfectly, but an XP SP3 box that stopped working after SP3 was applied. What I am seeing is the initial challenge come in from the XP box, the freeRadius box

Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Alan DeKok
Charles Gregory wrote: I did try to follow the oft-quoted (almost shoved down my throat) example, right from the comments within the config file postauth { Session-Timeout := `%{exec:/usr/local/etc/timecalc %{User-Name}}` } No... that won't work. The examples given to you weren't

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread Alan DeKok
john wrote: I did that because I wanted the server to validate the client by certificate. Am I taking the wrong approach? Did you give the client a certificate? Apparently not. Alan DeKok.

Re: XP Home SP3 WPA2 Enterprise oddity

2009-06-12 Thread Alan DeKok
Seann Clark wrote: All, I know this is an old(ish) issue, but one I have been playing with a lot lately. I have a Vista Ultimate box that works perfectly, but an XP SP3 box that stopped working after SP3 was applied. Ah... IIRC, there were issues with XP SP3 that broke PEAP. I think

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
Well, keeping in mind that this is now a philosophical discussion... On Fri, 12 Jun 2009, Alan DeKok wrote: Charles Gregory wrote: I did try to follow the oft-quoted (almost shoved down my throat) example, right from the comments within the config file postauth { Session-Timeout :=

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Ivan Kalik
Well, firstly, no one *gave* me 'examples', Nothing to give. You already have it in scripts/exec-program-wait. It's included in the distribution. Should be in same place in your version too. they said just to look in my radiusd.conf, and secondly, yes, it's exactly 'like that': #

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread john
Thanks Ivan and Alan, The same problem happens when I use the native MS PEAP client on XP/sp2. I did indeed give the client a cert however it looks like I didn't manage to generate it correctly. When I look in the Control PanelInternet PropertiesCertificates Section I see that it has a red X

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread Ivan Kalik
The same problem happens when I use the native MS PEAP client on XP/sp2. I did indeed give the client a cert however it looks like I didn't manage to generate it correctly. When I look in the Control PanelInternet PropertiesCertificates Section I see that it has a red X next to it and it

Re: [rad] Re: SOLVED Re: pseudo-newbie exec scripts and session-time

2009-06-12 Thread Charles Gregory
On Fri, 12 Jun 2009, Ivan Kalik wrote: Nothing to give. You already have it in scripts/exec-program-wait. I do not have a directory named 'scripts'. And the only reference to 'exec-program-wait' is in the comments of 'experimental.conf' as something that a 'perl' rlm can 'replace'. I'm really

Re: SSL3_GET_CLIENT_CERTIFICATE:peer did not return a certificate

2009-06-12 Thread john
Hi Ivan, I used the Makefile to generate the certs. I then exported ca.der and client.p12 and installed them on the XP box. Did I get the wrong files? Thanks! John On 6/12/09, Ivan Kalik t...@kalik.net wrote: The same problem happens when I use the native MS PEAP client on XP/sp2. I did