Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Thanks Ivan. Not sure in which file I should add the update reply. Getting familiar with unlang so pardon my dumb questions. I added in ldap.attrmap. update reply { rEntitlements -= entitlements } replyItem rEntitlements entitlements += is that right? Also you men

EAP MSK: how is it transported between server and authenticator

2008-10-09 Thread Richard Chan
Hi all, After an EAP authentication which supports key derivation (MSK) how does freeradius transport the MSK to a NAS (authenticator)? I.e., what kind of attribute is used? (I am assuming that the EAP Server (freeradius) is a separate entity to the NAS; NAS talks to freeradius using RADIUS and ac

Re: Error in the negotiations

2008-10-09 Thread tnt
That's it. Ivan Kalik Kalik Informatika ISP On 9/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> writes: >Is this the issue that you say?: >Re: CA.all and CA.certs in Freeradius 2.x - List info/subsc

Cisco VPN Radius with expiry & Windows domain password expiration

2008-10-09 Thread kesm0724
Hello All, I have a cisco vpn concentrator and in the past have had it pointed to a Windows IAS Server. I have now switched to Freeradius and have discovered that when a user needs to "Change password on next logon" the cisco vpn client does not prompt for a password change. Prior to moving to

Error in the negotiations

2008-10-09 Thread Martin Silvero
Is this the issue that you say?: Re: CA.all and CA.certs in Freeradius 2.x

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread A . L . M . Buxey
Hi, > This will happen. There is sufficient buy-in from large telcos that > it's necessary. cool. it wasn't just me toking on the crack pipe too many times 8-) Stefan, you hearing this? and you be thinking I crazy :-) alan

Re: Error in the negotiations

2008-10-09 Thread tnt
You should read the list. I gave the workable solution to somebody else yesterday. Ivan Kalik Kalik Informatika ISP On 9/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> writes: >Any suggestions for this topic guys? >thanks!!!

Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
>is there any way I can change the rlm_ldap.c? > >I am not proficient in c, so might need additional help. > >Or there are any other options. > Well, before resorting to source code alterations try using unlang. Have a look at update reply with -= operator. You can't use regex with that operator s

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote: >> But there is no RADIUS "routing protocol"[1]. So that's that. > > s'funny that you should mention that - what with a hierarchical system. > I thought it would be neat if a downstream system could notify the upstream > about what realms it could deal with and - via a

Error in the negotiations

2008-10-09 Thread Martin Silvero
Any suggestions for this topic guys? thanks!!!

RE: Ldap group

2008-10-09 Thread Bert Beaudin
Hello all I have made the change uniquemember=%{control:Ldap-UserDn} But I still have the issue. Any other ideas or other information I can provide. Any configs I could look at. Thanks, Bert -Original Message- From: [EMAIL PROTECTED] .org [mailto:[EMAIL PROTECTED] eeradius.org] On B

Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Ivan, I told the management but looks like no go. Is there any way I can change the rlm_ldap.c? I am not proficient in c, so might need additional help. Or there are any other options. Let me know. Thanks in advance. --- On Thu, 10/9/08, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: From: [E

Re: Ldap group

2008-10-09 Thread tnt
> groupmembership_filter = >"(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))" It should also be control:Ldap-UserDn for uniquemember. Hope that helps. Ivan Kalik Kalik Informatika ISP

Ldap group

2008-10-09 Thread Bert Beaudin
Hello I have ldap working to authenticate users to a cisco switch. I now want to limit it to group membership. Any help would be great. Here is what I have in my ldap config for the groups. # Group membership checking. Disabled by default. # groupname_attribute = "cn"

Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
> I agree with you. But I am reading those attributes from LDAP. In LDAP >"entitlements" attribute is defined as Multivalue (array). Which is of no use to you. >I can't change the existing LDAP structure. > Are you a developer or not? If you are, then you say what LDAP structure should lo

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread A . L . M . Buxey
Hi, > This still means that requests will be sent to that home server, even > if they're for an upstream realm that's dead. If there are multiple > paths to the upstream realm, then those other paths won't be discovered. > > But there is no RADIUS "routing protocol"[1]. So that's that. s'fu

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Arran Cudbard-Bell wrote: > That'd work. So when a server is marked as a Zombie Access-Requests > still sent to it until the Zombie period has expired? Yes. I also noticed that the current code doesn't send Status-Server packets until "check_interval" time AFTER it's marked "dead". So we have

Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan, I agree with you. But I am reading those attributes from LDAP. In LDAP "entitlements" attribute is defined as Multivalue (array). I can't change the existing LDAP structure. I am mapping "entitlements" attribute from LDAP with the radius attribute rEntitlements in the ldap.attrm

Re: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote: > There are too many pages to check. Maybe I should go read the pages, and point you to specific ones? > Perhaps you can give me a specific link? This isn't a Samba help list. We are not Samba experts. I suggest asking on the Samba list how to configure Samba for

Re: Radius reply multivalue VSA question.

2008-10-09 Thread tnt
> Thanks for the reply. After changing the operator += I am still seeing all >the VARRAY in the reply. It should reply back only >Sending Access-Accept of id 65 to 216.121.193.1 port 49266 > rEntitlements += "WIFILOC1" > rAttribute1 = "1" > rCidx = "1" >and n

Re: AW: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
You have misunderstood what this list is about. This is a support list for Freeradius users. You will be provided the details of basic configuration for other projects/devices (Open Source/Cisco/Microsoft etc.) which will enable the server to cooperate with them in some common applications. If you need

Re: Radius reply multivalue VSA question.

2008-10-09 Thread Eric Martell
Hi Ivan, Thanks for the reply. After changing the operator += I am still seeing all the VARRAY in the reply. It should reply back only Sending Access-Accept of id 65 to 216.121.193.1 port 49266 rEntitlements += "WIFILOC1" rAttribute1 = "1" rCidx = "1" and not

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Arran Cudbard-Bell wrote: >> Really in a system of chained proxy servers like EDUROAM you only want >> to be testing first hop connectivity. > > Exactly. > >> Alan, do you think it might be a good idea to provide an option to >

AW: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
I didn't mean that. I thought you would know a link or site for this but if no one knows I will ask the Samba people. Thanks. Frederik Niedernolte -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED] Sent: Thursday, 9 October

Re: AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
Oh, you would like us to read the documentation for you!?! Sorry, no can do! Samba also has a support list. Ask there. Ivan Kalik Kalik Informatika ISP On 9/10/2008, "[EMAIL PROTECTED]" <[EMAIL PROTECTED]> writes: >There are too many pages to check. >Perhaps you can give me a specific link? >I

Re: Proxy when database value is set

2008-10-09 Thread tnt
>What I cannot achieve is: >- Freeradius must proxy the request to a token server but only when it >authenticated the user successfully. > No. Your client should send another request to the token server once it gets Access-Accept from the radius server. Ivan Kalik Kalik Informatika ISP

AW: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
There are too many pages to check. Perhaps you can give me a specific link? I want to do it on my own but with no information it is impossible. F. Niedernolte -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok Sent: Thursday, 9 Oct

Re: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Stephen Bowman
On Thu, Oct 9, 2008 at 10:46 AM, Alan DeKok <[EMAIL PROTECTED]> wrote: > [EMAIL PROTECTED] wrote: > > And how can I do that? > > I cannot find something like that via Google :( > Ask the Samba people?

Re: AW: Problem with ntlm_auth Solved and SURPRISED ME !!

2008-10-09 Thread luis a
HEY PAL CHECK THIS OUT thanks to everyone in the list o yes!! in user file i added users Auth-Type := ntlm_auth and also DEFAULT Auth-Type := ntlm_auth and restart freeradius and in the output Listening on authentication address * port 1812 Listening on accounting address * port 1813

Re: AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote: > And how can I do that? > I cannot find something like that via Google :( See the Samba documentation? Alan DeKok.

AW: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
And how can I do that? I cannot find something like that via Google :( -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Alan DeKok Sent: Thursday, 9 October 2008 14:59 To: FreeRadius users mailing list Subject: Re: AW: AW: AW: Problem with n

Proxy when database value is set

2008-10-09 Thread Laar, Johan van de
I've achieved the following: - A user with a username which contains a realm logs in. - Freeradius checks some radius request values like calling-station-id etc. - Freeradius will give a reject or accept depending on the above query. What I cannot achieve is: -

Re: AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Alan DeKok
[EMAIL PROTECTED] wrote: > Is it possible to use only one freeRADIUS server (the just configured one) > for a bunch of different domains > in my active directory network? Configure Samba to join all of the domains. Point FreeRADIUS at Samba, via ntlm_auth. Alan DeKok.

AW: AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
Is it possible to use only one freeRADIUS server (the just configured one) for a bunch of different domains in my active directory network? How? F. Niedernolte -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of [EMAIL PROTECTED] Sent: Thursd

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Peter Eriksson wrote: > I wonder how low I can set things to lessen this issue. Perhaps set > zombie_period and check_interval to one second... That's not a good idea. It means that the server will be marked dead MORE quickly. >>> Best would probably be if FreeRadius kept a >>> separate timeou

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Alan DeKok
Arran Cudbard-Bell wrote: > Really in a system of chained proxy servers like EDUROAM you only want > to be testing first hop connectivity. Exactly. > Alan, do you think it might be a good idea to provide an option to > disregard failures from standard authentication requests, and instead > use

Re: AW: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>OK, thanks. >Now it works. >Is this the way it should look right? > Yes, that's OK. .. >[files] users: Matched entry DEFAULT at line 2 >++[files] returns ok Entry setting Auth-Type. .. >[pap] WARNING! No "known good" password found for the user. Authentication >may fail because of this. Tha

AW: AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
OK, thanks. Now it works. Is this the way it should look right? Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=97, length=59 User-Name = "MyUser" User-Password = "MyPassword" NAS-IP-Address = IP.ADDRESS.OF.SERVER NAS-Po

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
That was an example; to check with different users, DEFAULT should be used, as rightly said by Ivan. On Thu, Oct 9, 2008 at 1:22 PM, <[EMAIL PROTECTED]> wrote: > So to understand you right: > > Every user that should be authenticated has to be an entry in the users > file? > > Isn't it possible to ad

Re: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>Every user that should be authenticated has to be an entry in the users file? > >Isn't it possible to add a forwarding for every user so that all requests are >just forwarded and checked? > >If not I must add all users from the AD to the users file, mustn't I? > DEFAULT Auth-Type := ntlm_auth

Re: AW: Problem with ntlm_auth

2008-10-09 Thread tnt
>OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" >and this is what the server gave back: > .. > >++[files] returns noop > So, where is the user file entry setting Auth-Type ntlm_auth? It didn't match. Something is wrong with it. Ivan Kalik Kalik Informatika ISP

AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
So to understand you right: Every user that should be authenticated has to be an entry in the users file? Isn't it possible to add a forwarding for every user so that all requests are just forwarded and checked? If not I must add all users from the AD to the users file, mustn't I? From:

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
And also don't remove ntlm_auth from the authenticate section of both default and inner-tunnel files. On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan <[EMAIL PROTECTED]> wrote: > Ok, Where are USER CREDENTIALS stored, the one described in the Manual is > Bind as User. That is User Entry is added i

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Ok, Where are USER CREDENTIALS stored, the one described in the Manual is Bind as User. That is User Entry is added in Users file and after using ntlm_auth, it is checked against an Active Directory or LDAP server backend using NT Lan Manager Authentication Protocol. For example: Users file: User

AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
OK, I have tested it with "radtest MyUser MyPassword localhost 0 testing123" and this is what the server gave back: Ready to process requests. rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58 User-Name = "MyUser" User-Password = "MyPassword"

RE: EAP-TLS & computer account(not user)

2008-10-09 Thread tnt
You (or whoever makes these certificates) have set up certificate creation that way. Change it so that CN is equal to User-Name. Ivan Kalik Kalik Informatika ISP On 9/10/2008, "Guk Victor" <[EMAIL PROTECTED]> writes: > I use eap-tls for the registration record of computer.

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi, You can use the radtest tool to check with the server. The server will return an Access-Accept message. Other tools include JRadius Simulator as Ivan told, but I have not used it. Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP requests to use ntlm_auth with Active Directory or L

AW: Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
Thanks, now it works :) Now the last step: How can I test it? What tool/program etc. can/should I use to test it? "The radclient cannot currently be used to send this request, unfortunately, which makes testing a little difficult If everything goes well, you should see the server returning

Re: Startdate for sessions in FreeRadius with MySql?

2008-10-09 Thread tnt
You can always add your own. http://freeradius.org/radiusd/man/dictionary.html Ivan Kalik Kalik Informatika ISP On 9/10/2008, "Bladan2000" <[EMAIL PROTECTED]> writes: >Yeah. That's kind of my "rescue" solution. To create a queue that is processed >on a daily basis. But I thought that since ther

Re: Problem with ntlm_auth

2008-10-09 Thread Syed Anwarul Hasan
Hi Frederik, 1) Put User entry on *TOP* of users file. 2) In default file, in authenticate section, add *ntlm_auth*. Don't set using Auth-Type. 3) Also in sites-enabled/inner-tunnel which is Virtual Server Inner Tunnel. Add *ntlm_auth* in Authenticate Section. I hope it will solve your problem. S

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Arran Cudbard-Bell
Peter Eriksson wrote: > Alan DeKok wrote: >> Peter Eriksson wrote: >>> The default setting seems to be less than optimal since if a remote site >>> have problems with their home RADIUS servers then we risk having our >>> local servers mark the upstr

Problem with ntlm_auth

2008-10-09 Thread Frederik.Niedernolte
I have finished all steps till "user Auth-Type := ntlm_auth" from http://deployingradius.com/documents/configuration/active_directory.html . With this command I get this error message at the end of "/usr/sbin/freeradius -X": /etc/freeradius/users[1]: Parse error (check) for entry MyUser: U

Re: FreeRADIUS and EDUROAM timeout issues

2008-10-09 Thread Peter Eriksson
Alan DeKok wrote: > Peter Eriksson wrote: >> The default setting seems to be less than optimal since if a remote site >> have problems with their home RADIUS servers then we risk having our >> local servers mark the upstream servers as "dead" since it's not >> receiving answers for a specific 're

Re: Startdate for sessions in FreeRadius with MySql?

2008-10-09 Thread Marinko Tarlac
Or create all you need and add Auth Type Reject in radcheck table for that user and delete this entry on start date with cron script On Thu, Oct 9, 2008 at 8:06 AM, Bladan2000 <[EMAIL PROTECTED]> wrote: > > Yeah. That's kind of my "rescue" solution. To create a queue that is > processed > on a dail