Hi Alan,
Alan DeKok wrote:
Freeradius. Using Linux I can send whatever I want as the loginname.
If you know you can change the client, then change the client.
This is exactly what I want to do! Change the loginname, the client
sends to the Authenticator. It's a Windows 802.1x
Hi Phil,
Phil Mayers wrote:
I don't understand - you're saying that, for windows clients:
1. On wi-fi they send host/name.domain.com
2. On LAN, they send... something else?
Are you sure? We don't see that.
Exactly. On wifi they send
hostname
on LAN they send:
host/hostname
hostname
Hi,
Phil Mayers wrote:
We don't see that behaviour. We consistently see host/. Check you
aren't mangling the hostnames in your FreeRADIUS config.
Strange, but thanks for watching. We're not mangling anything in FR.
That's what I see, running FR in Debug-Mode. Maybe because we're running
Hi David,
David Mitton wrote:
If the OP is observing such behavior, he needs to figure out why (what
turned it on, is it consistent or the same for all users) and work
with that.
It is consistent for all machines in the network. To figure out why this
happened, is exactly what I want to
Phil Mayers wrote:
Is it possible your wireless networking equipment is mangling the
hostnames? Which vendor are you using?
Mhh, I can check that again, it's an old Linksys-AP. I'll see if that
happens also with the other more professional hardware we have.
Have you verified that you really
Hi,
we're using FR 2.0 for our machine authentication for XP to Win7 with
EAP-TLS. Everything is working so far, but I noticed a difference
between authenticating via WLAN and LAN, which starts to be a problem
for us now. If I make an auth via LAN the provided username is
hostname, if I do
Hi Alan,
thanks for your reply!
Alan DeKok wrote:
host/ as a realm for our Radsecproxy, I'd like to change the
behaviour for the authentication via LAN and add a string to the
hostname
Don't. You will break EAP.
That's not clear. Why would that break EAP if the workstations
Hi,
if I'm transmitting VLAN Information back to the supplicant, after an
Access-Accept (see below), who uses this information? Is it an
information for the Switch, working as an Authenticator, to put the
switchport into VLAN 22 or is it for the Supplicant/Client to enable
VLAN tagging and
Hi Alan,
thanks for the quick answer!
It seems, the Linksys SRW switches support VLAN and RADIUS, but not a
dynamic assignment of VLAN via RADIUS.
That's all frustrating, why didn't I run a pedal boats shop on a Greek
beach... :-)
bye
Alex
The switch. Maybe. It is free to ignore the
Hi,
I tried to change the ldap-searchfilter in the ldap module, to search
for a username user and user$ in LDAP, if user is given. This is
necessary to authenticate my workstations and users via LDAP.
This is my filter definition in the ldap module:
filter =
Hi Phil,
filter =
(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}\$))
Don't do that. Instead try:
filter = (uid=%{mschap:User-Name})
Hm, this is not working. I also don't get the point, why the username in
mschap is mangled to have a $ or not?
The
Hi,
I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation.
What I want to do is:
A host-based authentication for my workstations. All the names of the
workstations are in LDAP, the authentication itself should be done
with EAP-TLS. I would like to have a hint, how to
Hi Phil,
Phil Mayers wrote:
You've broken the default configs by adding in modules you don't need
and don't understand.
Go back to the default configs. Then *just* configure LDAP, and things
will work.
That's what I did right now, EAP starts (Ubuntu 10.04, with working cert
on FR 1.1)
Hi Alan,
Alan DeKok wrote:
You're forcing Auth-Type, and using ntlm_auth for EAP-TLS. This is wrong.
Don't force Auth-Type.
I didn't want that, now after kicking out ntlm_auth things work, even
the cert has been accepted. I assume the problem I had was, that the
time of the
Hi,
just one other question, how is it possible to have (or control) more
than one filter in the ldap module? I use our LDAP to have access via
PEAP or EAP-TLS, this works, thanks to this list.
The problem now is, that workstations are stored as WORKSTATIONNAME$
(with a $ at the end,
Hi Folks,
the question makes sense, I think I didn't write it understandably enough.
1. What I already do is:
1.1. Authenticating via EAP-TLS Computers/Workstations against my Switches
1.2. Users are authenticated with PEAP and Cleartext-Passwords in
$RADDB/users
2. What I want to do is:
2.1.
Hi Phil,
Phil Mayers wrote:
Ah, good. If you have NT-Password, PEAP/MS-CHAP should work.
Great!
Yes. There are lots of ways to do this, depending on what key you want
to use for the lookup (machine account name, mac address, TLS cert
subject)
Thanks, I'll start to do this. Machine
Hi,
with my FR 1.x installation I'm authenticating via EAP-TLS Computers
against my Switches. Users are authenticated with PEAP, all are held in
the users-textfile in $RADDB/users
But with rising number of PCs and Users the edit of the users file is a
bit uncomfortable. I want to upgrade
Alexandros Gougousoudis wrote:
(after I went into the xmas holidays) the Radius-Auth stopped working.
I changed nothing at the Freeradius-Server. I suspect an MS-Update,
major-security updates are rolled out automatically here. But I don't
know which one.
Thanks for all replies
Hi,
I had a working FreeRadius 1.1.6 installation and running XP Pro SP3
with EAP/TLS on an Ethernet-Port. I use Linksys switches as
authenticators. I think since end December (after I went into the xmas
holidays) the Radius-Auth stopped working. I changed nothing at the
Freeradius-Server. I
Alan DeKok wrote:
See if your certificate has expired.
Nope, that was the first I've checked. Server and client-cert are still
valid. It seems, that no XP client (even some old SP2 clients) can logon
anymore, Ubuntu can.
Is there some possibility to force a Login OK as a
Hi Phil,
Phil Mayers wrote:
To be clear, all windows clients fail? But other clients succeed?
Exactly, Ubuntu can authenticate, all XP not.
It is possible a windows update has removed the intermediate
certificate from the client(s). IIRC Microsoft have done this in the
past, expecting the
Hi JDL,
that's a good point, I didn't think about that. But it's not my problem,
I have 4096 keylength. It should be ok.
thx
Alex
JDL wrote:
December. My understanding was that this was only to affect new certificates,
however, since certificates are involved in the EAP process, you
Hi,
just to give an update on my efforts to make XP SP3 work with EAP-TLS.
Machine based EAP-TLS authentication works for WIRED connections fine,
as I wrote in the last mail. BUT that doesn't mean that it works for
wireless connections. :-) Before SP3 there wasn't a problem with that,
with
Hi Ivan,
Try signing client certificates with the ca certificate. I have included
modified Makefile for 2.1.3. I have added make caclient.pem to
produce client certificates and cleanca to remove them. Try
importing caclient.p12 created this way onto the user machine (along
with ca.der) and see
Hi Thiebault,
you saved me. AGAIN! :-) That was the clue, not including the Email in
the DN, just saying no in TinyCA was the first step to the solution. XP
SP3 took then the cert for auth.
@Ivan: Thanks for your reply, but it's not a TinyCA issue.
Second step was, that 2000/XP = SP2
Hi Ivan,
t...@kalik.net wrote:
You should upgrade to the latest version. If that doesn't cure it, try
making client certificate signed by the CA and not server certificate.
I had 2.1.3 running a week ago, but it didn't work also. But I wasn't
sure about the configs. Unfortunately the
Hi Alan,
a.l.m.bu...@lboro.ac.uk wrote:
if you had a working 1.1.0 system then you could upgrade quickly
to 1.1.7 - same config etc etc - and then spend 'offline-time' getting
I thought it's working, but it isn't. I upgraded to 1.1.6 from 1.1.0,
same setup, but XP SP3 doesn't authenticate
Hi,
I tried to compile the 1.1.7 OpenSUSE 10.1. But I get the following
error at the end:
Processing files: freeradius-dialupadmin-1.1.7-0.suse1010
Processing files: freeradius-devel-1.1.7-0.suse1010
Checking for unpackaged file(s): /usr/lib/rpm/check-files
/var/tmp/freeradius-1.1.7-build
Hi
solved it. Must be a bug in 1.1.7. I used 1.1.6 and all works fine
(incl. XP SP3).
cu
Alex
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I have a lot of problems doing an EAP-TLS authentication with
Freeradius 2.1.3. We're doing a machine-based authentication with
certs, using EAP-TLS with 802.1x capable Linksys switches (cable based).
We had NO problems at all with Freeradius 1.1.0 and Windows 2000 SP4 and
XP SP2
Hi,
I'm having trouble authenticating my linux workstations with
wpa_supplicant to Freeradius (1.1). The Windows Stations are working
fine, but linux is making trouble. The AP is a Linksys WLAN Accesspoint,
as said WPA Radius works, because all Windows Notebooks can login.
I'm doing a WPA
Hi,
sorry for the repost, I simply wanted to add, that I'm doing an
EAP-TLS conversation and have all certs installed.
TIA
Alex
Hi me,
Alexandros Gougousoudis wrote:
But there are two W2K clients which don't want to register over
radius, the radius server doesn't even get a request.
It seems the problem was, that the netbios name of the PC was too long
(16 characters). I took a short one and it worked immediately
have now
only the problem of one W2K Machine, not even asking the Radius-Server.
I assume it's some kind of incompatibility of drivers or NIC.
Thanks for your help:
Have that for your trouble: http://www.engelbraeu.de/images/bierkiste.gif
cu
Alex
--
ServiceCenter IT - Alexandros Gougousoudis
(like a WLAN-AP) and endanger our net.
cu
Alex
--
ServiceCenter IT - Alexandros Gougousoudis (Leiter)
Gemeinsame Einrichtung der Kunsthochschule Berlin-Weissensee, Hochschule
für Musik Hanns Eisler und der Hochschule für Schauspielkunst Ernst
Busch.
Tel.: 030 / 477 05 - 444 * Fax.: 030
not, although I did the same procedure.
Thanks for your help
Alex
--
a W2K client connecting without problems
and one with problems.
cu
Alex
--
) I can get
an Access-Accept Message. On the server I get the Access-Requests, create
an Access-Challenge and that's all. There's nothing coming back from the
client.
Please help
Alex
--
drivers, no effect. Put in an
older 3com NIC, no effect. It's like the AP doesn't forward the request
to the Freeradius server. With other W2K no problem, with XP no problem
with this AP.
Something I could do, beside throw the pc out of the window?
TIA
Alex
--
. Don't like Suse...
Thanks
Alex
--
Hi Alan,
Alan DeKok wrote:
They (and the main web page) point to EAP howto's on the main web
site, which include screenshots for configuring Windows for wireless,
That's true, but as a beginner it is not clear what is important to set
up. Most people simply want to connect their notebook
that break the cert?
TIA
Alex
--
only these clients, which
are in our domain.
Thanks for help
Alex
--
of the server. The
CN of the PC is the netbios-name. Both certs have their extension
(Webserver and Client). Maybe it's something else?
TIA
Alex
--
how to
handle or shorten this. Maybe somebody has a good idea to handle that.
TIA Alex
--
with timestamp 44cbfc94
Nothing to do. Sleeping until we see a request.
--
this before?
thanks in advance
Alex
--
51 matches