Re: question about freeradius
Hi, I am just wondering if I can use freeradius for hotspot and dial up accounts on same box or does it have to be separate box for hotspot and dial up accounts? that would depend on how you configured it and had each function isolated when not needing same resources etc. we use ours for 802.1X federated access, local 802.1X, captive portal, router/switch admin login, VLAN allocations via VMPS, VPN login etc - each function is undertaken by seperate virtual server definitions in sites-enabled (with different policies applied) and seperate module calls when different requirements for authentications are needed. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question about freeradius
Hey Guys I am just wondering if I can use freeradius for hotspot and dial up accounts on same box or does it have to be separate box for hotspot and dial up accounts? Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius
El abr 28, 2013 10:13 p.m., Tim Reichhart t...@nwohiobb.com escribió: Hey Guys I am just wondering if I can use freeradius for hotspot and dial up accounts on same box or does it have to be separate box for hotspot and dial up accounts? Tim - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html In same box, with virtual seves. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: I have a question about freeradius-client-1.1.6.
Bryant wrote:1.6/src/radexample.c or run radlogin. #login:test #passoword:test This don't authorize successfully. When I see the server's display ,I find the password is encryped. What should I do? Read the debug output of the server. It is TELLING YOU what the problem is, and HOW TO FIX IT. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have a question about freeradius-client-1.1.6.
Hi, I download freeradius-client-1.1.6 from your website.Now,I have installed and configured the freeradius server 2.1.8 and freeradius-client-1.1.6 successfully. I use the mysql to store the user and I create a user whose username is test,Auth_Type is Local,Cleartext-Password is test. Then I run the command: #radtest test test lcoalhost 0 testing123 This can authorize successfully. But when I compile freeradius-client-1.1.6/src/radexample.c or run radlogin. #login:test #passoword:test This don't authorize successfully. When I see the server's display ,I find the password is encryped. What should I do? Thanks! - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Major noob question about freeradius
Hi everyone maybe you can help me. I have a small network of about 10 windows XP machines. I need to set these machines up so that my users can log into any of these machines. For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. I was told that a Radius server could accomplish the same thing for me. Is this true? Basically I just need a way for my users to sit down at any of the windows XP workstations and log into it. I don't need anything special like roaming profiles and such. All I need is for a way for a windows user to sit down at any computer and type in a user name and password in order to gain access to use the computer. I saw the tutorials online but I don't think this is what I need. Something about setting up a VPN and adding certs and such. I need freeRadius to control access to user the computer not to gain access to a network resource. I have installed freeRadius and got it up and running on openSUSE but I am not really sure how to configure it according to what I need (if it can be done at all). Am I making sense or am I way off base? Does someone have a document I can follow that will tell me how to configure freeradius so that my windows users can authenticate against it? thanks _ Hotmail: Trusted email with powerful SPAM protection. http://clk.atdmt.com/GBL/go/196390707/direct/01/- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 11:51:28AM -0700, Bryan Boone wrote: I have a small network of about 10 windows XP machines. I need to set these machines up so that my users can log into any of these machines. I was told that a Radius server could accomplish the same thing for me. Is this true? Basically I just need a way for my users to sit down at any of the windows XP workstations and log into it. I don't need anything special like roaming profiles and such. Yes, google for pGina -- 2. That which causes joy or happiness. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone bryan-bo...@msn.com wrote: I have a small network of about 10 windows XP machines. I need to set these machines up so that my users can log into any of these machines. For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. I was told that a Radius server could accomplish the same thing for me. Is this true? Bryan: I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is a poor solution for this, if indeed a solution at all. If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about. Check out http://samba.org/ for details on Samba. And for what it's worth I would lean toward using CentOS as the core platform (of course opinions vary on this point). The book Samba-3 by Example gives an excellent guide to the setup if you need one. It's available online at http://www.samba.org/samba/docs/man/Samba-Guide/ Good luck! E. -- Eric Swanson, swan...@technologypartnerds.com Director of Marketing Sales / Senior Technical Staff Technology Partnerds 888-NERDS-55 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
At 02:01 PM 1/18/2010, Eric Swanson wrote: On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone mailto:bryan-bo...@msn.combryan-bo...@msn.com wrote: For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about. If there's a corporate restriction on installing a windows server, setting up a linux server to behave just like a windows server might also be a problem. and indeed if it's one the same network, you'll really need to get things right so that it doesn't screw anything up (such as becoming the master browser). Just be sure first :-) rick - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
On Mon, Jan 18, 2010 at 11:29 AM, freerad...@corwyn.net wrote: At 02:01 PM 1/18/2010, Eric Swanson wrote: On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone mailto: bryan-bo...@msn.combryan-bo...@msn.com wrote: For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about. If there's a corporate restriction on installing a windows server, setting up a linux server to behave just like a windows server might also be a problem. and indeed if it's one the same network, you'll really need to get things right so that it doesn't screw anything up (such as becoming the master browser). Indeed. Just for the sake of clarity let me break it down one more notch: - If the policy that prevents you from installing a Windows server is something like a company-wide prohibition on using closed-source software, or on spending licensing money with Microsoft, and if your network stands on its own -- then Samba is probably a great approach. Good luck. - If, as Rick suggests, the policy comes from something like a central IT department that requires you to stay out of their realm of authority, then you've got a whole mess of constraints to navigate. Good luck. Speaking for myself, I'd say the pGina approach noted above by Josip makes sense only if you've already got RADIUS infrastructure. If you're building something from scratch, Samba is a much better fit, but if pGina lets you use existing RADIUS-centric stuff you just might be well-advised to go that way. Just be sure first :-) Indeed. Also, note that this is off-topic for the list. E. -- Eric Swanson, swan...@technologypartnerds.com Director of Marketing Sales / Senior Technical Staff Technology Partnerds 888-NERDS-55 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Major noob question about freeradius
Hi guys thanks for the info. The restrictions are licensing with a windows server. I didn't realize you could setup Samba to be a domain controller. thanks for the help. I think I will try the Samba route. thanks again. Date: Mon, 18 Jan 2010 11:39:00 -0800 Subject: Re: Major noob question about freeradius From: swan...@technologypartnerds.com To: freeradius-users@lists.freeradius.org On Mon, Jan 18, 2010 at 11:29 AM, freerad...@corwyn.net wrote: At 02:01 PM 1/18/2010, Eric Swanson wrote: On Mon, Jan 18, 2010 at 10:51 AM, Bryan Boone mailto:bryan-bo...@msn.combryan-bo...@msn.com wrote: For me the simplest solution to solve this would be a windows 2003 server domain controller. Unfortunately due to some corporate restrictions I cannot install a windows server. If you can't set up a Windows server to do this job, the best way to meet this need is to run Samba on a Linux machine. If you run it in domain control mode, it'll act very much like a Windows server for the purposes you're talking about. If there's a corporate restriction on installing a windows server, setting up a linux server to behave just like a windows server might also be a problem. and indeed if it's one the same network, you'll really need to get things right so that it doesn't screw anything up (such as becoming the master browser). Indeed. Just for the sake of clarity let me break it down one more notch: - If the policy that prevents you from installing a Windows server is something like a company-wide prohibition on using closed-source software, or on spending licensing money with Microsoft, and if your network stands on its own -- then Samba is probably a great approach. Good luck. - If, as Rick suggests, the policy comes from something like a central IT department that requires you to stay out of their realm of authority, then you've got a whole mess of constraints to navigate. Good luck. Speaking for myself, I'd say the pGina approach noted above by Josip makes sense only if you've already got RADIUS infrastructure. If you're building something from scratch, Samba is a much better fit, but if pGina lets you use existing RADIUS-centric stuff you just might be well-advised to go that way. Just be sure first :-) Indeed. Also, note that this is off-topic for the list. E. -- Eric Swanson, swan...@technologypartnerds.com Director of Marketing Sales / Senior Technical Staff Technology Partnerds 888-NERDS-55 _ Your E-mail and More On-the-Go. Get Windows Live Hotmail Free. http://clk.atdmt.com/GBL/go/196390709/direct/01/- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Major noob question about freeradius
Hi, I'm not the ultimate FreeRADIUS authority, but I think you'll find RADIUS is a poor solution for this, if indeed a solution at all. I'd say the same thing - SAMBA on a Linux box will easily do this in the 'windows way'. to use FreeRADIUS to control windows login (ie system login) you need to install extra Gina things - and pGina is the best of these (though no longer developed IIRC) FreeRADIUS is the main King when it comes to network login - either 802.1X on wired, wireless (WPA/WPA2 enterprise) or even backend system for captive portal alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius vs AA(ldap) and A(mysql)
My question is how can i change the usergroup, radgroupcheck, radgroupreply, tables into Ldap to authorization-authentication step, with more options to check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc etc??? Place user into a group in ldap and use Ldap-Group to check membership. You need users file/unlang entry for checking and replying with group specific attributes. And in the schema of freeradius into Ldap, i load scheme but when i try to add new attribute to user like (option in the radiusd.conf) access_attr = dialupAccess what i type in the value?? true/false Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question about freeradius vs AA(ldap) and A(mysql)
hi, i have freeradius server over Debian Etch version FreeRADIUS Version 1.1.3 and making Accounting with MySQL radius DB. I want to make new form to authenticate my users to not have 2 password databases separated... so.. need auth ldap and account into mysql.. I test to make authorization + authentication with Ldap and keep going making Accounting into MySQL... and works but just basic mode. My question is how can i change the usergroup, radgroupcheck, radgroupreply, tables into Ldap to authorization-authentication step, with more options to check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc etc??? And in the schema of freeradius into Ldap, i load scheme but when i try to add new attribute to user like (option in the radiusd.conf) access_attr = dialupAccess what i type in the value?? .. just know string by the scheme explain but don't know that string exactly it is can help me any one..??? thanxs and regards and sorry by my english Tony signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius vs AA(ldap) and A(mysql)
ok i found this http://freeradius.org/radiusd/doc/ldap_howto.txt i guess to have many stuff to read and try my problem any way i can read more solutions to can make my trouble in fast way and short time. Regards again. Tony Tony P. escribió: hi, i have freeradius server over Debian Etch version FreeRADIUS Version 1.1.3 and making Accounting with MySQL radius DB. I want to make new form to authenticate my users to not have 2 password databases separated... so.. need auth ldap and account into mysql.. I test to make authorization + authentication with Ldap and keep going making Accounting into MySQL... and works but just basic mode. My question is how can i change the usergroup, radgroupcheck, radgroupreply, tables into Ldap to authorization-authentication step, with more options to check like Calling-Station-Id, Called-Station-Id, Hint, Groupnames, etc etc??? And in the schema of freeradius into Ldap, i load scheme but when i try to add new attribute to user like (option in the radiusd.conf) access_attr = dialupAccess what i type in the value?? .. just know string by the scheme explain but don't know that string exactly it is can help me any one..??? thanxs and regards and sorry by my english Tony - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html signature.asc Description: OpenPGP digital signature - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
question about freeradius, 802.1x with peap, auth via LDAP
Hi, I need help/advise with te following scenario: 1. I have a freeradius server, this server is not part of Active Directory Domain, server is able to perform ldapsearch for user account. 2. the workstation is a windows 2000 pc, need to be authenticated thru Cisco catalyst switch to the freeradius server with user's LAN username and password transparently (peap) my question is: what is the requirement for radius server, does the server needs to be part of the Active Directory Domain?, can you direct me to a how to link?, I have made several configurations but none were successful, please help, thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius, 802.1x with peap, auth via LDAP
Windows 2000 is not supported, only windows XP On 4/4/07, wenny wang [EMAIL PROTECTED] wrote: Hi, I need help/advise with te following scenario: 1. I have a freeradius server, this server is not part of Active Directory Domain, server is able to perform ldapsearch for user account. 2. the workstation is a windows 2000 pc, need to be authenticated thru Cisco catalyst switch to the freeradius server with user's LAN username and password transparently (peap) my question is: what is the requirement for radius server, does the server needs to be part of the Active Directory Domain?, can you direct me to a how to link?, I have made several configurations but none were successful, please help, thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: question about freeradius, 802.1x with peap, auth via LDAP
1) Microsoft LDAP isn't like normal ldap, you don't get access to the password. To have freeradius touch the password at any point, it needs to be on the domain and do a ntlm_auth instead of ldap. On 4/4/07, wenny wang [EMAIL PROTECTED] wrote: Hi, I need help/advise with te following scenario: 1. I have a freeradius server, this server is not part of Active Directory Domain, server is able to perform ldapsearch for user account. 2. the workstation is a windows 2000 pc, need to be authenticated thru Cisco catalyst switch to the freeradius server with user's LAN username and password transparently (peap) my question is: what is the requirement for radius server, does the server needs to be part of the Active Directory Domain?, can you direct me to a how to link?, I have made several configurations but none were successful, please help, thanks. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about freeradius and Cisco VoIP router
Hello AllI am writing a C program as an external program for freeradius to handle authentication requests recieved from a Cisco VoIP router.How can I pack attribute-value pairs and send them to the router? I can determine the attribute-value pairs transmitted by the router through environment variables, but I don't know how to send the attribute-value pairs which the router expects to recieve. Best RegardsAli - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about freeradius and Cisco VoIP router
Ali Majdzadeh [EMAIL PROTECTED] wrote: I am writing a C program as an external program for freeradius to handle authentication requests recieved from a Cisco VoIP router. How can I pack attribute-value pairs and send them to the router? scripts/exec-program-wait Just print the attributes to stdout. Alan DeKok. -- http://deployingradius.com - The web site of the book http://deployingradius.com/blog/ - The blog - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius for mobile device authentication
Alan, Thanks for your reply and sorry for my sluggishness in getting back to you with more info... Alan DeKok [EMAIL PROTECTED] wrote: Yes. The server allows you nearly unlimited control over what to look for, and what to do when it finds data of interest. That is good to know :) Your description is useful, but still a little vague. You describe what you want, but not how the data is seen by the RADIUS server (i.e. attributes). Ok.. lets give this an other shot.. the setup I'm building is to authenticate/authorize and account mobile users. The user will specify his username (User-Name), his password (User-Password) and the NAS is also configured to send the MS-ISDN to the radius server which I'm told is send using Calling-Station-ID. Now the way I want this to work is that as soon as a request comes in from the NAS the radius server will check Calling-Station-ID against a list of known values and if no match is found it denies the request. If a match is found it will go on to check for a valid username and password combination. If none is found it should reject the session. If a match is found it should reply with the proper attributes. In an ideal situation I'd like to use realms and bind a group of known Calling-Station-ID's to a specific realm. If this is not possible than a generic list of Calling-Station-ID's for all users will also work but is the less preferred solution. So if I go thru the steps I get.. 1. Check realm a) no realm - reject b) realm found go to 2 2. Check Calling-Station-ID a) no match found for this realm - reject b) match - go to 3 3. Check user+pass a) no match - reject b) match - return attribs for user So in this situation: realm test1: - known cli's ,1112,1113 - known users [EMAIL PROTECTED] w/ pass moo realm test2: - known cli's ,2223,2224 - known users [EMAIL PROTECTED] w/ pass bla If [EMAIL PROTECTED] tries to login with pass of moo coming from cli -1113 he is allow - any other cli will not be allowed. I was the rlm_checkval module.. is this what I would use for this? A sample configuration and users file entry would be really appreciated. I hope this helps to clarify the issue, Thanks, - Jasper - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about Freeradius for mobile device authentication
Hi, I've been asked to setup a platform for mobile device authentication. I'm looking into setting up Freeradius with a MySQL backend for this. The request that has been been is to verify users on three items: - msisdn - username - password My question is - can this authentication be done in different ways for different groups of users. Say group A wants the unique combination of msisdn, username, password to grant them access - however group B wants a pool of msisdns that are valid for all of their username + password combinations. If someone could be so kind as to maybe give an example of how to do this it would be greatly appreciated. Thanks, - Jasper - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius for mobile device authentication
Jasper Jans [EMAIL PROTECTED] wrote: My question is - can this authentication be done in different ways for different groups of users. Yes. The server allows you nearly unlimited control over what to look for, and what to do when it finds data of interest. If someone could be so kind as to maybe give an example of how to do this it would be greatly appreciated. Your description is useful, but still a little vague. You describe what you want, but not how the data is seen by the RADIUS server (i.e. attributes). Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius and LDAP
On Wed, 7 Jul 2004, Arthur EBEL wrote: Hi everybody, My freeradius operate very well with an openldap directory All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give an access to all my tree dc=utt,dc=fr How can I set up the LDAP module to do this ? Here is my radiusd.conf about ldap ldap { server = server.utt.fr basedn = ou=people,ou=personnels,dc=utt,dc=fr filter = (uid=%{Stripped-User-Name:-%{User-Name}}) start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_header = {crypt} password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } Thx Use two ldap module instances. Arthur EBEL - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -- Kostas Kalevras Network Operations Center [EMAIL PROTECTED] National Technical University of Athens, Greece Work Phone: +30 210 7721861 'Go back to the shadow' Gandalf - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Question about Freeradius and LDAP
Hi everybody, My freeradius operate very well with an openldap directory All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give an access to all my tree dc=utt,dc=fr How can I set up the LDAP module to do this ? Here is my radiusd.conf about ldap ldap { server = server.utt.fr basedn = ou=people,ou=personnels,dc=utt,dc=fr filter = (uid=%{Stripped-User-Name:-%{User-Name}}) start_tls = no dictionary_mapping = ${raddbdir}/ldap.attrmap ldap_connections_number = 5 password_header = {crypt} password_attribute = userPassword timeout = 4 timelimit = 3 net_timeout = 1 } Thx Arthur EBEL - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius and LDAP
On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote: Hi everybody, My freeradius operate very well with an openldap directory All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give an access to all my tree dc=utt,dc=fr How can I set up the LDAP module to do this ? AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr): access to dn ou=people,ou=personnels,dc=utt,dc=fr ... by dn=cn=radius,ou=robots,dc=utt,dc=fr read access to dn ou=students,ou=personnels,dc=utt,dc=fr ... by dn=cn=radius,ou=robots,dc=utt,dc=fr read access to * by dn=cn=radius,ou=robots,dc=utt,dc=fr none (I'm not sure this is totally correct so you should test it yourself.) Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Question about Freeradius and LDAP
how about setting up 2 ldap modules? ldap people { ... } ldap students { ... } Not sure if this would do it, just a suggestion. On Wed, 7 Jul 2004, Alexander M. Pravking wrote: On Wed, Jul 07, 2004 at 09:00:00PM +0200, Arthur EBEL wrote: Hi everybody, My freeradius operate very well with an openldap directory All ldap users stored in my basedn=ou=people,ou=personnels,dc=utt,dc=fr can be authenticated. I would like to add another basedn=ou=students,ou=personnels,dc=utt,dc=fr BUT I don't want to give an access to all my tree dc=utt,dc=fr How can I set up the LDAP module to do this ? AFAIK, rlm_ldap cannot work with multiple basedn's. However, you can use OpenLDAP own ACLs. E.g. in slapd.conf (assuming you have identity=cn=radius,ou=robots,dc=utt,dc=fr): access to dn ou=people,ou=personnels,dc=utt,dc=fr ... by dn=cn=radius,ou=robots,dc=utt,dc=fr read access to dn ou=students,ou=personnels,dc=utt,dc=fr ... by dn=cn=radius,ou=robots,dc=utt,dc=fr read access to * by dn=cn=radius,ou=robots,dc=utt,dc=fr none (I'm not sure this is totally correct so you should test it yourself.) Then you can safely use basedn=ou=personnels,dc=utt,dc=fr for radius. -- Fduch M. Pravking - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html -Mike == Network Engineer Pathway Internet Services 616.774.3131 - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html