So what you're saying is that even though the users are using an anonymous outer
ID and want anonymity, you want to release their ID to the site they are at?
--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
List info/subscribe/unsubscribe? See
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256
Why are you so keen for the 2.2.2 release? The delay is down to an issue which
needs identifying and testing. People who download the HEAD of 2.2.x and test
help at this point.
alan
Hi.
Wondering what authentication method you are using, as maybe you're looking at the
wrong ntlm. Check the mschap module for its ntlm_auth incantation. Also, if you
have doubts about the AD account used to bind them, follow that up. Get it
bound in
Using EAP? Use the EAP cache and populate the entry with whatever is needed.
Some things started acting differently in 2.2.1 compared to previous releases
of 2.x.
2.2.2 should revert that so things behave the same. So far that seems to be
true, but we are still seeing "stalled module in core" messages that we did not
see
I really wouldn't recommend running in full debug mode on a production server
full time... it's only single threaded, so if you have to service lots of
requests you have an immediate bottleneck.
What sort of weird problems are you facing? You know
Hi,
Pretty definitive: incorrect shared secret. Are you SURE that you haven't got
any white spaces
etc. lurking around? Keep the shared secret in quotes if in doubt.
alan
Well. There's no such thing as EAP-TLS/MSCHAPv2. So I'd guess that your
Android device is just doing PEAPv0/EAP-MSCHAPv2 or such and your config allows
it to. If you ran in full debug mode when connecting with the Android device
you'd see exactly what's happening.
alan
As the msg says. Your preacct {} and accounting {} sections in your server are
not configured to do anything. Add active modules to them, e.g. a database call,
and things will be different.
alan
Or ask your distribution provider why they still provide wpa_supplicant package
without eapol_test tool ;)
alan
No problem with radiusd at this point. It's not received a single packet.
You've got a problem with your local network environment on the host. Care to
share /etc/hosts?
alan
The default install comes with a few accounting virtual servers that you can
use. I'd strongly advise one of the out-of-band asynchronous ones.
If you use UDP, syslog is not blocking... it is fire and forget... so you
might lose packets if you have congested links or a disruption between
But if you'd installed the debian/Ubuntu package version then it is
'freeradius' ;)
alan
Your reference is wrong/unknown, which means that there's a noop. This means no
operation, which means no fticks output.
alan
TLS in PEAP. Yes I've seen it. And EAP-MSCHAPV2 in PEAP
alan
Think about the login time... If you create an account for the future, then if
it has a start validity date...
alan
If your NAS can't send accounting then there's nothing you can do at the
freeradius end to make it do accounting
alan
Hi
That's just an authentication request; accounting packets are what you need.
Is your kit configured to send accounting to this RADIUS server?
alan
Hi
How are you generating the certs and what format are they in?
alan
I assume that's the freeradius2 package rather than freeradius, as 1.x doesn't
have unlang.
alan
Now I can log on to the switch, but I can with all USERS.
Yes. Because that's how you have configured it. You've set the DEFAULT to
have those abilities. I would recommend reading freeradius resources and buying a
book to discover/understand policies, groups etc.
alan
Freeradius does not build from source.
Yes. It does. But you are compiling some random external flavour. Download
the source from freeradius.org and report what happens
alan
I'm sure there were some late-in-the-day IOS updates for the 1130 series AP; this
stuff works with CAPWAP/LWAPP on the 1131 anyway. If MBSSID is not supported with
dynamic VLAN assignment, don't use MBSSID, use guest mode instead.
alan
Hi
Don't you have freeradius-utils already... which contains radtest etc., which is
very useful for admins?
alan
Hi
Store the passwords in NT-hash format. Use guest usernames with a particular
format so that you can use some simple unlang to select the right type of
authentication rather than hitting each method and causing unnecessary load and
delay.
alan
Look at the requests coming from your AP in debug mode. You should see
information there that can be used, e.g. Called-Station-Id with the SSID appended, or a
VSA with the SSID name or number in it. Use that with your policy.
alan
Use a deployment tool, as then things like CN checks are done.
alan
Read the compatibility matrix. Check what EAP method your clients are using
versus the password storage method you are using.
alan
What's the hurry? Are you actually using the pre-release? I ask because we may
find some other hitherto unknown bug.
alan
Original message
From: David Peterson dav...@wirelessconnections.net
Date: 09/07/2013 16:33 (GMT+00:00)
To: FreeRadius users mailing list
Yes, issues can appear in new code as well as get fixed. Known problems in
2.2.0 will be solved in 2.2.1 which is near/ready for release
alan
Those are VSAs that you are getting from the NAS. Your WiFi kit is centrally
managed, so config is pushed from the controller.
alan
Hi
I'll see if I can send through some dictionary file entries later today
Alan
This smartphone uses eduroam which gives me free WiFi around the world. Now
that's what I call smart!
Don't do such authorization checks on the outer id.
If EAP, don't run ldap in the outer; the current default config is set up in
such a way
alan
Original message
From: val john valjohn1...@gmail.com
Date: 27/06/2013 04:58 (GMT+00:00)
To: FreeRadius users mailing list
Hi
Always start simple. Run radtest on the RADIUS server box using 127.0.0.1...
THEN move to running against it from other systems once you've verified all
authentication etc. is working.
Note that it is port 1812 UDP.
alan
The security depends on the configuration of your clients and the certificate
chosen for your radius server
alan
For switches, ensure that you are sending accounting and ensure on the RADIUS
server that you are recording such packets... but what switches are you
running? As e.g. Cisco switches use TACACS+ for sending details of all commands
run...
alan
Compiled without the required SSL environment being present? The debug output will
have printed more information regarding the error.
alan
Looks like a client with incorrect settings. Why would you want to add that CA
to your server? Your RADIUS server isn't signed by it.
alan
Show us the radius server debug
alan
Original message
From: Matthew Melbourne m...@melbourne.org.uk
Date: 24/05/2013 17:10 (GMT+00:00)
To:
Controlled by the NAS and/or the RADIUS server depending on NAS settings. I.e.
you should be able to set Session-Timeout on the NAS and then override/update
the value on the RADIUS server depending on your chosen policies... e.g. for
particular users/clients etc.... and if proxying you may have
...have a little test/dev server. Copy your current config onto it and run the
new version in full debug mode, see what it might complain about
Alternatively, compare your config against vanilla config and then just start
from vanilla making required changes...this can really help to clean up
Do your NAS send Connect-Info? Do your other RADIUS servers even note or use
it? FreeRADIUS is more verbose, so you will notice this, and the provided SQL
schemas are very generic; one size won't fit all, so you may find that you have
to edit the config files for your purpose.
Are you using the
Use any one of the clients.conf methods that were mentioned yesterday with some
unlang and this would be working already. I seem to recall that huntgroups
might be going the way of the dodo(?) It doesn't do regex methods because it's
older... pre-1.0 code.
alan
If your NAS can take such a value then it can be assigned. Either via e.g. the users
file and huntgroups, or via e.g. unlang:
    if (NAS-IP-Address == 192.168.1.1) {
        update reply {
            Attribute = XYZ
        }
    }
'man unlang' for more info.
alan
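Two of the replies above turn on the same idea: pick reply attributes from what the NAS tells you, whether that is its NAS-IP-Address or the SSID your AP appends to Called-Station-Id. The following FreeRADIUS 2.x fragment is an added example written for this page, not config from the list or from the FreeRADIUS project. It assumes a switch at 192.168.1.1 that honours the Tunnel-* VLAN attributes, an AP that appends ":<SSID>" to Called-Station-Id (check your own kit's format in `radiusd -X` first), and constructed VLAN ids 100 and 200; none of those values come from the list.

```unlang
# ---- sites-enabled/default, post-auth section (added example) ----
# Assign a VLAN reply based on which NAS sent the request, or on the SSID
# carried in Called-Station-Id. Any request that matches neither rule gets
# no Tunnel-* attributes, so the NAS falls back to its own default VLAN.
post-auth {
    # Rule 1: requests from the switch at 192.168.1.1 (assumed address).
    if (NAS-IP-Address == 192.168.1.1) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "100"    # constructed sample VLAN
        }
    }
    # Rule 2: wireless requests whose Called-Station-Id ends in ":guest",
    # i.e. the AP appended the SSID (assumed format; verify in debug output).
    elsif (Called-Station-Id =~ /:guest$/) {
        update reply {
            Tunnel-Type := VLAN
            Tunnel-Medium-Type := IEEE-802
            Tunnel-Private-Group-Id := "200"    # constructed sample VLAN
        }
    }
}

# ---- users file equivalent of rule 1 (same effect, no unlang) ----
# DEFAULT NAS-IP-Address == 192.168.1.1
#         Tunnel-Type = VLAN,
#         Tunnel-Medium-Type = IEEE-802,
#         Tunnel-Private-Group-Id = "100"
```

The unlang form belongs in post-auth rather than authorize so that a failed authentication never carries a VLAN assignment in its reply; the users-file form is shown commented out because it lives in a different file (raddb/users) and would be read by the files module in authorize instead.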
A self-signed cert is real. It's just that you are the CA... which actually gives you
greater security and keeps your authentication destiny under your own control.
If you believe that having a RADIUS server signed by a CA that is in the OS of
your clients is the way you want to go, then simply go
What you are doing is actually okay (it's one of those exceptions where
Auth-Type needs to be present, as the server has no idea to use krb5). I wonder
if your server has been built with Kerberos support?
alan
All that stuff is on by default to ensure that people who want more than a
really dumb and minimal server can get up and running without having to try to
find what combination of stuff needs to be enabled.
So, e.g. proxying is enabled... what's the issue? Unless you have actually edited
proxy.conf
Blah blah. But you don't say what the issue is with the documentation... in fact
your issue was with the default config and your requirements... which are
actually both fully documented in the config. I don't see why you've dropped in
from nowhere, thrown your ego around and then claim to be
Do you need RPM? Can you not just build and install from the source?
alan
This is the freeradius list, not the jradius list. If you want help and advice
then use the appropriate list
Many thanks
alan
As Fajar says, some distros split up the functions into separate packages (so
you don't need to install loads of things just to have a basic server). Use your
package manager to find/install the sub-packages.
alan
This is the freeradius list, not the jradius list. If you want help and advice
then use the appropriate list
Which bit wasn't clear?
Have you tried the latest 2.2 GIT release? Many code updates.
alan
2. Check fig.9 and fig-10 .. looks like there is an option to cache user
information and to 'not prompt user to ...' that I think (cmiiw) will give
proper solution.
It will stop pop-ups for future connections but not remove pop-ups for the initial
connection... which is what the requester wants.
Do YOU need a primary key?
alan
If the request is from UCS then reply with the required UCS reply attribute, else
send back your old reply attribute.
This can be done by either using the client identifier attribute and unlang, or
by using a new virtual-server instance... well, it can actually be done in at
least another 3 ways.
Escape quotes around the CA path? \
alan
or use a local symlink that doesn't have spaces in it ;)
alan
Read the docs. Really, start from the beginning! In this case, this is the
second hurdle... getting another device to talk to your server.
Add that system to your clients.conf file with a correct/matching shared
secret. This isn't rocket science, but you must read the documentation in the
first
First, check that CentOS doesn't have the security issue backported.
For the upgrade, back up your current configuration directory, e.g.
    cp -R /etc/raddb /etc/raddb.backup
Then install the new version.
2.1.10 and 2.2.0 are config compatible apart from one single option which isn't
set by default (check
As already said, post output of radiusd -X
(that will clearly show the logic taken)
alan
Huh? How are the 2 related? What have you done to get into this state?
alan
? It's all on disk.
And if that's changed since the server was run then radiusd -X won't help. You
know you can run a check/verify instance...? And that using radmin you can
check the configuration of particular modules in the current running instance?
alan
Really? Hmm, the rest of eduroam are using Operator-Name. Will check about the
prevalence of the WISPr attribute.
alan
So you went from a working system and then changed everything for the switch
authentication. Why? Why didn't you just keep the same AAA backend?
Either way, if you want to use 2 different certs and CAs then you'll need 2
instances, or proxy the other ones off to e.g. a Microsoft NPS server... but
Yes. You could do it simply with the users file, use unlang in post-auth, or add it
to LDAP, as 3 places to start with (just one way is enough!). And you'll need to
ensure your NAS kit follows/honours the value you provide. If you are proxying a
la eduroam then the remote site providing the service
Forget the user-password. You are not using it, you are trying to kludge it.
Just use the variable you have, or the facsimile you are making.
This is freeradius, there are at least a dozen ways of doing what you want,
Alan has given you a fine method
alan
...and then you did comment. And added more. It's open source and the
documentation and Wikipedia are there for everyone to contribute to. Don't like
it? Feel free to show the world how you think it should look, or add the
missing bits you have discovered.
Unfortunately, what we get is
Switch config issue? Ensure your switch is configured to authorize over RADIUS
as well as to authenticate over RADIUS.
(Sounds like it's doing the latter but not the former.)
alan
The certs resulting from a make install and initial run of 'radiusd -X' are
valid and will work.
alan
Hi,
Are you running as root?
alan
Ummm, if you are using those scripts then you have local certs which are
different on each server... and thus the client wouldn't match. If you require
both servers to be used by the same client then you need to use the same CA on
both server installs. Likewise, only one server/CA should be
That's just your/redhat view of the structure. Some might also say /opt is the
place for things if only there was a standard that wasn't LSB ;)
alan
This fails without fail every Sunday? In that case check what happens... e.g. if
that HUP'ing of freeradius is a weekly crontab then investigate what else
is going on at that time... e.g. there appear to be MySQL errors. Are you using
MySQL? If so, it's not good having errors with that module.
Use Expiration. Once a user has logged in for the first time then set the
expiration for that account to the required value, or set it when the counter
is reached. Et voila, next time they try to login they can't (then you can do
fancy extra stuff like telling them that their account has
Hmm, having run FR with AD authentication using winbindd and samba for many,
many years, I am interested in what problems with those daemons you were having
... why the need for the frequent restarts etc. eduroam certainly wouldn't have had
the high take-up we've seen in e.g. Europe if all sites had to
Hi,
Seems that the first thing you need to fix is your routing and access ACLs to
Google ;)
how to read Berkeley DB files
Is pretty much a Google-whack. Might want to check out the db-utils package eg
http://amath.colorado.edu/computing/spamtrack/bdb/
alan
Yes. All clients will have a place where the shared secret is configured, EVEN
if the target is localhost (that doesn't change the spec!). Check the Seagull
docs and XML profile.
Alan
You can sort out the host key file if you want. PAP gives a warning because it
hasn't been given a plain text password to test/verify... that's okay, as you
don't need it... and it does tell you things MAY fail.
Alan
Hi,
In perl, I could write some new attributes in RAD_CHECK?? Then
authenticate() will access them.
In python, attributes are read only, so I cannot use them to pass information
to authenticate().
A simple database, like redis, could be a solution by adding info with the id
of the
Hi,
I wanted to ping the Eduroam people about EAP over WAN links. Are there
considerations that can cause connectivity issues that I should be
examining?
Depends on how fast your authentication backend is and what your NAS timers are
set to.
If your backend takes around 1 second
Hi,
I am using all of the defaults from a freeradius install. [1]example.com
Phil's point was that a computer/machine authentication won't be sent with a
realm;
it will be of the form host/name.domain, where name is the hostname of the
computer
and domain will be its AD domain...
alan
Hi,
[eap] Identity does not match User-Name, setting from EAP Identity.
EAP doesn't like the User-Name being played around with... ensure that you
'nostrip'
in your proxy.conf for the realm you are handling... or use 'Stripped-User-Name'
for the checks/handlers.
alan
Hi,
I have added 'nostrip' to the realm [1]example.com and it looks like it
has problems with that. Possibly some sort of loop?
Looks like it. Just
    realm example.com {
        nostrip
    }
should do, i.e. take this request locally/directly.
alan
Hi,
This looks like something I should be doing but I have no idea where
to insert this section. Is it in proxy.conf or somewhere else? And
In the authorize section of your virtual server, straight after the
preprocess/suffix/realm
module calls (i.e. before any real authorization action).
With
Hi,
SOLVED. Modified my proxy.conf file as per another list post. You cannot
just add the 'nostrip' option to the realm. You must remove the
home_server and home_server_pool, but keep the options from the
home_server and put them under the realm.
or do as I said in my post
Hi,
You probably want to set peap as your default EAP type in eap.conf to save a
couple of packets and a NAK.
I don't see ntlm_auth being called. Have you edited the mschap module?
The host name is rather short... are you sure this host is bound into an AD?
alan
Hi,
I have a valid current subscription and yum reports no updates for
my freeradius install, so I'm assuming it's okay. I didn't want to
dwell on the version though as I just upgraded from a much older
release which didn't help with my problem.
2.1.12-4 appears to have the required TLS fix
Hi,
    home_server_pool EDUROAM-FTLR {
        type = fail-over
        home_server = proxy1
        home_server = proxy2
    }
I would use:
    type = client-port-balance
to balance between the 2. (That method ensures the EAP goes to one remote
server.)
In the first instance, upgrade. There is a major security problem with the 2.1.x
release. Get 2.2.x onto your system asap.
What are your NAS (Cisco controllers) timeouts? Is this box a pure proxy or
does it do authentication too? Have you enabled Cisco's status-check system so
it knows the RADIUS
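The nostrip thread earlier and the pool advice just above both end up in proxy.conf, so here is one FreeRADIUS 2.x proxy.conf fragment that puts them together. It is an added example written for this page, not the poster's config or the FreeRADIUS project's own; the home server addresses, secrets and pool name are constructed placeholders, and example.com stands in for whichever realm you handle locally.

```unlang
# ---- proxy.conf fragment (added example; all values are placeholders) ----

# Two upstream proxies. status_check lets this server notice a dead peer
# instead of waiting for every request to time out against it.
home_server proxy1 {
    type = auth
    ipaddr = 192.0.2.10            # constructed address
    port = 1812
    secret = "REPLACE-ME-proxy1"   # placeholder shared secret
    status_check = status-server
}
home_server proxy2 {
    type = auth
    ipaddr = 192.0.2.11            # constructed address
    port = 1812
    secret = "REPLACE-ME-proxy2"   # placeholder shared secret
    status_check = status-server
}

# client-port-balance hashes on the NAS address and source port, so every
# packet of one EAP conversation lands on the same home server. A plain
# fail-over or load-balance pool can split a conversation across peers,
# which breaks the EAP state machine on the remote side.
home_server_pool EDUROAM-FTLR {
    type = client-port-balance
    home_server = proxy1
    home_server = proxy2
}

# Realm for everything you do not own: forward to the pool. nostrip keeps
# the full user@realm in User-Name, as the remote EAP server expects.
realm DEFAULT {
    auth_pool = EDUROAM-FTLR
    nostrip
}

# Your own realm: no pool, so the realm module handles it locally (the
# request never goes to a home server, which is what removes the loop
# the poster hit). nostrip again leaves User-Name untouched so the inner
# and outer EAP identities still match.
realm example.com {
    nostrip
}
```

Realm lookup is by name, so the exact example.com entry wins over DEFAULT regardless of the order in the file. After changing proxy.conf, run `radiusd -X` and send a test request for each realm; the debug output shows which realm matched and whether the request was proxied or handled locally.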
Hi,
I wonder if a better option wouldn't be something like
rlm_unixsocket which passes the request down a unix socket in a
standard format, and takes the reply in the same way. Then the
various interpreters could run out-of-process.
I was thinking about the same thing the other day after the
Hi,
This is the RedHat RPM which I believe is maintained by RedHat.
Hopefully they've backported any major security issues!
Got the changelog for the 2.1.12 RPM release you are running?
It does both authentication and proxy and I do have status-check
enabled. On the controller I increased
You were already given an answer. The AP shouldn't be sending a RADIUS
Access-Accept to the server. Either a misconfiguration, software bug or
misreading of the issue.
alan
Hi,
Found Auth-Type = Accept
Auth-Type = Accept, accepting the user
RADIUS all okay
I followed the plain MAC auth guide to get this far, and the system sort
of works, but not quite. So the configs must be out of whack somehow, but
since radius doesn't give any debug info
Hi,
I want a pony, and a cessna and to eat sushi off a cute mexican girl dressed
in a combination pikachu/nurses outfit.
...I want a way of wiping that reply from my memory...the images, the images!
;-)
alan
Hi,
Have you guys heard about SecureW2?
People from Cloudpath Networks said they can make it work with MD5 hashed
passwords on 802.1X with TTLS-PAP.
They said I can make it work as well with EAP-TLS via certificates and PKI.
Is that correct? Has anyone tested that before?
I'll
Hi,
So would you recommend? Your opinion above looks like you wouldn't do
that, since it may not work. Kinda complicated, since we are a
university, and need to work with everyone.
We are a university and we avoid using any extra programs/utils to perform such
duties
(especially as
Hi,
Most times you will be able to get the native supplicant working given enough
prodding, but prodding on a large scale is unfeasible without some kind of
automated tool, because students are really, really bad at following
instructions.
Oh yes, I agree with that - configuration
Hi,
But when using this method through a proxy, where is the data encryption?
The TLS tunnel is set up with the remote server, the traffic being passed
through all the interim proxies. So the client only trusts the remote server (i.e.
the server they authenticate against); all the traffic is
Hi,
Well, let's say it's not possible... since we are a university, with
something about 600 connections every night, with lots of O.S. working (70%
We are a university with around 6500 concurrent wireless users and 5000
concurrent
wired connections in the student residential network.