Ivan Kalik wrote:
>>> Trying to set up machine authentication, I have been able to rewrite
>>> my user-name to match my requirements in my Open ldap: get rid of the
>>> host/ and add $ ( host/machinename --> machinename$) using hints.
>>> But it ends up with this error after ldap authorisation
Matthieu Lazaro wrote:
> Hello list,
>
> I have a little question about hints and EAP.
>
> Trying to set up machine authentication, I have been able to rewrite
> my user-name to match my requirements in my Open ldap: get rid of the
> host/ and add $ ( host/machinename --
Hello list,
I have a little question about hints and EAP.
Trying to set up machine authentication, I have been able to rewrite
my user-name to match my requirements in my Open ldap: get rid of the
host/ and add $ ( host/machinename --> machinename$) using hints.
But it ends up with this error a
Hello,
In your LDAP config in radius, groupmembership_attribute = should
correspond to the attribute name in your LDAP where you specify the
group "it".
And groupname_attribute should match in a standard config radiusGroupName.
This is how it works on my config.
Regards,
Matt
Michael March a écr
Ivan Kalik wrote:
>> I tried to put this in the users file:
>>
>
> Unlang goes into virtual server configuration, not users file.
>
>
>> if ( "%{User-Name}" =~ "00030BCA[0-9A-F]+" ) {
>>
> update control {
> Cleartext-Password == "%{User-Name}"
>
>
Hello list,
I need some help on some unlang portion (if this is the right solution).
Here is context: I need to do 802.1x on Ethernet switch for dynamic VLAN
assignment for PCs .
The problem is I have some phones connected between the PC and the switch.
I don't want the users to login 802.1X with
Hello,
Just to inform that I have solved the problem.
Some parts of the ldap were not indexed properly so it caused some
trouble with freeradius.
Matthew
Ivan Kalik wrote:
>> I fixed the SSL issue, restarted the server and the group check was
>> working until now:
Ivan Kalik wrote:
>> I stop the server and put it in debug mode: it works flawlessly!!!
>> I stop the debug and restart freeradius, it works a while, then it
>> starts failing again. And I have nothing more in the logs than:
>>
>> Error: TLS Alert read:fatal:access denied
>>
>
> Fix that
nied
Error: SSL: SSL_read failed inside of TLS (-1), TLS session fails.
I am a bit confused as I can't see the group membership errors in debug as
it doesn't occur. I guess the TLS alert is some client with a wrong CA.
Any help, suggestion will be really appreciated.
Matthew
Matthieu
Hello,
I'm still having the issue.
It all works ok when I restart freeradius or when I run the debug then
it starts failing a while later.
I tried to increase the timeout on ldap connections. This did nothing.
Any idea is welcome.
Thanks,
Matthew
Ivan Kalik wrote:
>
> I don't see anything w
Ivan Kalik wrote:
>> Ivan Kalik wrote:
>>
I am having an issue with the groups again.
WIFINAS-Identifier == "accessPoint-Manager"
Ldap-Group == wireless,
Ldap-Group == wireless2,
Ivan Kalik wrote:
>> I am having an issue with the groups again.
>>
>> WIFINAS-Identifier == "accessPoint-Manager"
>> Ldap-Group == wireless,
>> Ldap-Group == wireless2,
>>
>> When I have the attribute wireless it works without a flaw, if I have
Ivan Kalik wrote:
>> Content of my huntgroup file.
>> WIFINAS-Identifier == "accessPoint-Manager"
>> Ldap-Group == wireless,
>> Ldap-Group == wireless2,
>> REM NAS-IP-Address == 10.44.12.2
>> Ldap-Group == REM
>>
>>
>
kissg wrote:
>
>
> It really is an AP issue. Using another AP (SMC WEBT-G) with the same
> Radius config works... Both Windows XP and Ubuntu connects
> successfully, no matter if I set certificate validation on or off...
> Anyway, there are two EAP settings which are supported by the Cisco AP:
>
Any idea?
Logwatch's mailing list seems not very busy, so no answers yet...
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello forum,
Just wondering if someone found or had written perl scripts for logwatch
so that we can send the logs all tidy??
Asking this in case I missed something or if someone had this in their
drawer!
I'm going to post this as well to the logwatch mailing.
Best regards,
Matt
Ivan Kalik wrote:
>> I'm having an issue with the group check (ldap_groupcmp).
>>
>> Everything is fine until the request is tunnelled, and I can't find out
>> why my user is rejected there
>> It seems that he ends in this section during this phase:
>> DEFAULT Ldap-Group == BANNED , Auth-Typ
Hello list,
I'm having an issue with the group check (ldap_groupcmp).
Everything is fine until the request is tunnelled, and I can't find out
why my user is rejected there
It seems that he ends in this section during this phase:
DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
t...@kalik.net wrote:
>> I am now trying to figure how to have the replyItem in my accept-accept
>> message.
>>
>>
>
> Just map appropriate attributes in ldap.attrmap as replyItem. I can see
> tunnel attributes in default ldap.attrmap in stable branch now, so that
> will be there in future.
t...@kalik.net wrote:
>> I try to ask my questions more precisely:
>> * what are the radius ldap attributes meant for? Is only for accounting
>> or can we use them for something else?
>>
>
> They can be used for authorization as well. You put them in your
> Access-Accept packet (reply) and
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>> OK, so tell me where to implement complex policies?
>>
>
> I've been trying.
>
> You need to write down what you have (in RADIUS packets, LDAP, etc.).
> You need to write down what you want (conte
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>
>> rlm_ldap manual covers the options to use with the ldap module like
>> server , tls binding, basic filters, etc... not " how to use extended
>> ldap attributes based on the content of the RADIUS-LDAPv3.sch
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>> The thing is, it is just READING the ldap content and not comparing
>> to what the NAS is sending.
>>
>
> Yes.. because you (or the defaults) configured those LDAP attributes
> in ldap.attrmap as &q
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>
>> Here is the content of a packet received by radiusd:
>>
>
> Weird, but OK.
>
>
>> Furthermore, to reply to Alan about the radiusUserCategory, it is given
>> with the radius.sc
t...@kalik.net wrote:
>> Here is one policy that I wish to make work.
>>
>> 1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
>> configuration on the switch)
>> --> this client has some of the following LDAP attributes:
>> uid = bobalice
>> radiusTunnelP
Alan DeKok wrote:
> Your examples are pretty close to "do stuff when I see stuff". It's a
> grammatically correct English sentence, but nearly meaningless.
>
> Alan DeKok.
>
> -
>
Ok, So I will try to make myself clear.
Here is one policy that I wish to make work.
1- a client connects
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>> For example: filtering with more than one attribute in checkval ( MAC /
>> TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
>> user, etc...
>>
>
> Write down the policies, a
Alan DeKok wrote:
> Matthieu Lazaro wrote:
>
>> It all happens as if the "if () { ... } else { ... } " is completely
>> ignored
>> (and thus it defaults to check if the uid exists)
>>
>
> Yes.
>
>
>> (ie: neither filter1 no
Hello,
My freeRadius setup works very well using PEAP/TLS binding on the ldap
using only one filter.
Now I have two very different types of NAS and I need to filter users
that may have access to one NAS or the other or both.
My idea was to use the unlang in the ldap module to write my policy, but