Hello everyone, I've installed freeradius2-2.1.7-7.el5 by yum but I can't find the ldap directory under /etc/raddb/. Do I have to create it, or install some other package?
Thanks!

2011/3/5 <freeradius-users-requ...@lists.freeradius.org>

> Today's Topics:
>
>    1. Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2) (Phil Mayers)
>    2. Re: Freeraidus 2 (Gary Gatten)
>    3. Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2) (James J J Hooper)
>    4. RE: mschap with ntlm_auth and Active Directory (McNutt, Justin M.)
>    5. Re: MS-CHAP-V2 with no retry (Alan DeKok)
>    6. Re: Hopefully quick question: conditional processing sneaking in and setting Auth-Type (Alan DeKok)
>    7. Re: Freeraidus 2 (Alan Buxey)
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Sat, 05 Mar 2011 00:45:43 +0000
> From: Phil Mayers <p.may...@imperial.ac.uk>
> Subject: Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
> To: freeradius-users@lists.freeradius.org
> Message-ID: <4d7187b7.5000...@imperial.ac.uk>
>
> On 03/05/2011 12:21 AM, Gary Gatten wrote:
> > I kinda like your caching idea, but not sure of any security
> > implications.
>
> It's not a workable idea. MSCHAP responses are specific to the 8-byte
> random challenge, which is different every time. You can't cache them.
>
> > I have (2) FR servers (each pointing to different DC) and my NAS's
> > are configured to use both. But, iirc if AD is down on the backend
> > FR still replies (with something) so the NAS never rolls over to the
> > other FR server.
>
> Yes, this is a bad idea.
>
> Just configure samba to autodiscover the AD controllers. Winbind will
> cache connections and open new ones when the old ones go away.
>
> > So, I thought about some script that would use ntlm_auth every...n
> > seconds, if it fails kill FR process (or use FR policy to act dead).
> > When it starts working again, restart FR. This should make the NAS
> > roll to the next FR server.
>
> That might work, but it seems like a sledgehammer to crack a nut.
>
> > What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> > the winblows/AD? I've never tried this but assume it's doable.
>
> It's not possible. AD controllers will only sync to other AD controllers.
>
> At some point in the future, Samba 4 might be able to slave the LDAP
> database of an AD controller, but it's purely theoretical at the moment
> I think.
>
> ------------------------------
>
> Message: 2
> Date: Fri, 4 Mar 2011 18:54:44 -0600
> From: Gary Gatten <ggat...@waddell.com>
> Subject: Re: Freeraidus 2
> To: "'freeradius-users@lists.freeradius.org'" <freeradius-users@lists.freeradius.org>
> Message-ID: <27487_1299286485_4d7189d5_27487_3768_1_d9b37353831173459fdaa836d3b43499bd354...@wadpmbxv0.waddell.com>
>
> Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel,
> - I think...
>
> From: Paulo Maia [mailto:phc.m...@gmail.com]
> Sent: Friday, March 04, 2011 06:43 PM
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Subject: Re: Freeraidus 2
>
> Did you compile it or install it via yum? It is usually in $RADIUSDIR/modules/ldap
>
> Regards,
>
> 2011/3/4 Usuário do Sistema <maico...@ig.com.br<mailto:maico...@ig.com.br>>
>
> Hello everyone, I'm Maicon from Brazil.
>
> I'm in a project with Freeradius. I want to deploy certificate-based
> authentication for my wireless users (EAP-TLS) but I'm finding it difficult.
> Is there a good how-to for version 2? I started with version 1.x but
> decided to change to version 2, and I can't find where I set the LDAP
> connection. In the older version it was inside radiusd.conf. Can anybody
> help me?
>
> Thanks!
>
> ------------------------------
>
> Message: 3
> Date: Sat, 05 Mar 2011 01:17:54 +0000
> From: James J J Hooper <jjj.hoo...@bristol.ac.uk>
> Subject: Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <403FF343B2CCD5B162F64B80@[172.16.13.237]>
>
> --On 04 March 2011 12:34 -0500 John Douglass <john.dougl...@oit.gatech.edu> wrote:
>
> > Group,
> >
> > Recently, my AD servers were patched by another support group and this
> > caused a (small but noticeable) service outage for our WPA radius
> > services (Radius 2.1.9)
>
> I can think of two things to investigate:
>
> * Recent Samba can do winbind credential caching IIRC - I haven't
> experimented with this so I'm not sure if it will work for this
> application.
>
> * Enable Fast Session Resumption:
> <https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312>
>
> ... We dropped the hits on our DCs by > 40% by doing this. N.B. Resumed
> sessions will not touch your inner-tunnel config, so you have to make sure
> that you pay attention when (re-)assigning VLANs / other returned
> attributes based on username.
>
> -James
>
> --
> James J J Hooper
> Network Specialist, University of Bristol
> http://www.wireless.bristol.ac.uk
> --
>
> ------------------------------
>
> Message: 4
> Date: Fri, 4 Mar 2011 21:05:46 -0600
> From: "McNutt, Justin M." <mcnu...@missouri.edu>
> Subject: RE: mschap with ntlm_auth and Active Directory
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <0a99e1da688c7a4796a68b3bc4f74b793ce60e7...@um-email04.um.umsystem.edu>
>
> > > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > > --password=Pa$$w0rd
> > > NT_STATUS_OK: Success (0x0)
> > >
> > > The password Pa$$w0rd is set in the Wireless Controller, if
> > > that's what you mean by mschap client?
>
> May I suggest two things:
>
> 1) I'm assuming that the password is not actually 'Pa$$w0rd', but that
> string reminds me that certain special characters - the dollar sign is a
> notable one - are not always handled correctly in password strings. Even if
> FreeRADIUS is handling it correctly, AD may not, and the wireless controller
> may not. I suggest setting the password to something simpler. If your
> password policy requires special characters, use dash, equals, underscore,
> or dot. I have used passwords with these characters successfully when
> authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2
> to AD via ntlm_auth. (Same chain as you.)
>
> 2) Even if you are confident that your real password's characters are not
> a problem, re-enter it on the wireless controller, MANUALLY. You may have
> accidentally entered an unprintable character or a space or some similar
> thing that causes the password to APPEAR to be correct, when in fact it
> doesn't match.
>
> --J
>
> ------------------------------
>
> Message: 5
> Date: Sat, 05 Mar 2011 07:23:54 +0100
> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: MS-CHAP-V2 with no retry
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4d71d6fa.7030...@deployingradius.com>
>
> john.hayw...@wheaton.edu wrote:
> > 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
> > a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
> > a response sent back to the client but there was no message in the
> > response.
>
> It's more complicated. The server would send EAP-Failure, and nothing
> else.
>
> > 2) The patch given resolves that problem - giving the message
> > of the rlm_mschap.c module of E=691 R=1
>
> On closer inspection, the patch doesn't resolve anything. It still
> sends an EAP-Failure. It should instead send an EAP-Response with
> EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the
> client has ACKed that, it should *then* send EAP-Failure.
>
> i.e. fixing it is likely a fair bit more work.
>
> > 3) It is possible to configure in radius.conf the message on failure by:
>
> No. That sends back an MS-CHAP-Error. The code has to package that
> MS-CHAP-Error into an EAP sub-type, and send it back to the client in an
> *additional* request/response round trip, before finally sending
> EAP-Failure.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 6
> Date: Sat, 05 Mar 2011 07:38:15 +0100
> From: Alan DeKok <al...@deployingradius.com>
> Subject: Re: Hopefully quick question: conditional processing sneaking in and setting Auth-Type
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <4d71da57.5080...@deployingradius.com>
>
> Gary Gatten wrote:
> > I can't find where this conditional processing is happening. I have two
> > FR servers with "nearly" the same config. Auth works on one, but not
> > the other:
>
> Posting 2-3 lines of debug output doesn't help.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 7
> Date: Sat, 5 Mar 2011 09:44:15 +0000
> From: Alan Buxey <a.l.m.bu...@lboro.ac.uk>
> Subject: Re: Freeraidus 2
> To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org>
> Message-ID: <20110305094415.ga20...@lboro.ac.uk>
>
> hi,
>
> the details for your LDAP in 2.x go into $RADDB/modules/ldap
>
> in 2.x most of the stuff was broken out of radiusd.conf
> and put into either modules/* or sites-available/*
>
> if you want a particular feature, then configure the
> module file, configure the sites-available file,
>
> module files are pulled in by default, but to activate a 'site'
> you need to ensure it's in the sites-enabled/ directory
> (a few 'sites' files are symlinked there by default... eg
> default, inner-tunnel .....)
>
> alan
>
> ------------------------------
>
> End of Freeradius-Users Digest, Vol 71, Issue 32
> ************************************************
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
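Where the LDAP settings live in a 2.x tree, as an added example (not posted by anyone in the thread, and not the stock file shipped with the package): a trimmed modules/ldap with placeholder server, bind DN and password, and the authorize section of sites-enabled/default with the ldap module uncommented. Hostnames, DNs and the password are assumed values.

```text
# /etc/raddb/modules/ldap  (FreeRADIUS 2.x; every value below is a placeholder)
ldap {
        server = "ldap.example.com"
        identity = "cn=radius,ou=services,dc=example,dc=com"
        password = "CHANGE-ME"
        basedn = "ou=people,dc=example,dc=com"
        # look the user up by login name, stripped of any realm suffix
        filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
        tls {
                start_tls = no
        }
        dictionary_mapping = ${confdir}/ldap.attrmap
        edir_account_policy_check = no
}

# /etc/raddb/sites-enabled/default  (a symlink to ../sites-available/default)
# A module file under modules/ is loaded automatically, but the module only
# runs when a section of an enabled site lists it.  For PEAP/TTLS the outer
# authorize never sees the inner identity, so list ldap in
# sites-enabled/inner-tunnel instead.  Do not set "Auth-Type LDAP" for EAP:
# an LDAP bind can only check a clear-text password, not an EAP-TLS
# certificate or an MSCHAPv2 response.
authorize {
        preprocess
        chap
        mschap
        suffix
        eap {
                ok = return
        }
        files
        ldap
        expiration
        logintime
        pap
}
```

Start the server with `radiusd -X` after editing: the debug output shows the ldap module being instantiated at startup and, for each request, the bind and search it performs.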