Re: problem with rlm_ldap
On Wed, 02-04-2003 at 17:55, Alan DeKok wrote:
> Kuba Leszewski <[EMAIL PROTECTED]> wrote:
> > I try to use OpenLDAP to store user information.
> > Everything used to work, but now after few installations/deinstallations
> > :-) I have the following problem:
> ...
> > radiusd: relocation error: /usr/local/lib/rlm_ldap-0.8.1.so: undefined
> > symbol: ldap_enable_cache
>
> This was discussed on this list just a few days ago.
>
> Upgrade to the latest CVS snapshot.

Thanks a lot. It works now.
Sorry I didn't check the archive first. It won't happen again :-)

Regards
Kuba

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
rlm_ippool in 0.8.1
Umm, rlm_ippool is marked as really buggy in 0.8.1, but it doesn't seem to have changed significantly in last night's snapshot (apart from adding the netmask attribute insertion).

What exactly is wrong with it? It looks fine on a first glance, but I'm sure there are non-obvious problems.

(I've grabbed the ippool tool already and if the problem's something like 'missed accounting stops will leave IPs in limbo' then I can understand that and welcome suggestions for an automated way of noticing that... I don't think I can use checkrad{,.pl} sadly, but my dial-in provider apparently will limit simultaneous-use on all but one account for me, so that's not an issue for accounting.)

--
Paul "TBBle" Hampson
Network Architect, Videohost Pty Ltd
[EMAIL PROTECTED]

--Nick Moffitt
A: No.
Q: Should I include quotations after my reply?

Random signature generator 3.0 by Paul "TBBle" Hampson
freeRADIUS-0.5 exit on signal 11
I used freeRADIUS-0.5 with multi-thread mode on Linux, handling 10 requests per second. It ran for about 1 hour, then crashed. The "/usr/local/var/log/radius/radius.log" shows:

    Error: CHILD: exit on signal (11)

When I use it on Solaris 7, the same thing happened, but this time the log shows:

    Error: MASTER: exit on signal (11)

But when I ran it as "radiusd -X", it worked fine, and never crashed.

I searched the source tree, in src/main/radiusd.c line 2229:

    radlog(L_ERR, "%s exit on signal (%d)", me, sig);

I think this line wrote the log information above. Why?

Thanks.
Re: check item problem
Hi Alan,

Thx for your help, but although I use radiusCheckItem: NAS-IP-Address == 202.14.68.51, it still has the problem.

Brian

----- Original Message -----
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, April 02, 2003 11:53 PM
Subject: Re: check item problem

> "Brian Leung" <[EMAIL PROTECTED]> wrote:
> > i don't know whether it have a bug or not?
> > when i used checkval module and radiusCalledStationid, it is prefer.
> > But, when i used radiusCheckItem: NAS-IP-Address := 202.14.68.51
>
> See the 'man' page for the 'users' file. That last line tells me
> you're doing something wrong.
>
> Alan DeKok.
Radius, DHCP, and Imagestreams
I need to set up 9 bandwidth rates on an Imagestream. I can only do it based on IP address or subnet. So, I decided to assign rate groups to subnets. Then I come up with the problem of sending the customer to the correct subnet when they authenticate.

After reading much Radius documentation and numerous RFC documents, I have concluded that there must be some way for Radius to do what I want. Specifically, there is a section in the FAQ for freeRADIUS that talks about Framed-Filter-Id and ACLs with a CISCO router.

Is there some Radius-based way that this (or something like it) can be used to tell a DHCP server (either under Linux or on the Imagestream router) what subnet to put the user into? Or is there some way that the Framed-IP-Address and Framed-IP-Netmask can be used to specify what subnet a DHCP server should put the user into?

We don't want to use static IP addresses, even though that would make this part of the implementation of the network much easier for us to set up. We are trying to make it easier on the end-user.

And while I'm asking, does anyone know how to make sure that the user does NOT get access via a different subnet? We are setting up nine 21-bit networks. One for each level of service. We don't want them to have the ability to manually specify an IP address, gateway, and subnet mask in a different GoS subnet and have it actually work.

Thanks in advance.

Eliot Gable
Great Lakes Internet Technical Support
[EMAIL PROTECTED]
1-810-679-3395
Re: freeradius 0.8.1 crash with EAP-TLS bad packets
Frank Higgens <[EMAIL PROTECTED]> wrote:
> I am running some EAP-TLS tests against our AP using
> freeradius 0.8.1 as the authentication server.
>
> I ran into a crash running a EAP DoS attack that sent
> a EAP TLS packet with flags 'c0' and with no TLS
> message length or TLS message data. The tests are
> part of qacafe's cdrouter test suite.

Ok... do you have the values of the variables in the core dump? Knowing where it core dumped is nice, but to fix it, we need to know what it received, and why it did something wrong.

> #0 0x4207c46c in memcpy () from /lib/i686/libc.so.6
> #1 0x400cbda4 in eaptls_extract (eap_ds=0x4213158c,
> status=135226888) at eap_tls.c:474

So something goes wrong in memcpy, but since we don't have the arguments to memcpy, or the internal variables in eaptls_extract(), it's difficult to know how to fix the problem.

Alan DeKok.
freeradius 0.8.1 crash with EAP-TLS bad packets
I am running some EAP-TLS tests against our AP using freeradius 0.8.1 as the authentication server.

I ran into a crash running a EAP DoS attack that sent a EAP TLS packet with flags 'c0' and with no TLS message length or TLS message data. The tests are part of qacafe's cdrouter test suite.

    modcall: group authorize returns updated
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    modcall: entering group authenticate
    rlm_eap: Request found, released from the list
    rlm_eap: EAP_TYPE - tls
    rlm_eap: processing type tls
    rlm_eap_tls: More Fragments with length included

    Program received signal SIGSEGV, Segmentation fault.
    [Switching to Thread 8192 (LWP 19876)]
    0x4207c46c in memcpy () from /lib/i686/libc.so.6
    (gdb) where
    #0 0x4207c46c in memcpy () from /lib/i686/libc.so.6
    #1 0x400cbda4 in eaptls_extract (eap_ds=0x4213158c, status=135226888) at eap_tls.c:474
    #2 0x400cb66b in eaptls_authenticate (arg=0x80c32b0, handler=0x80f6608) at rlm_eap_tls.c:198
    #3 0x400c2f30 in eaptype_call (eap_type=13, action=INITIATE, type_list=0x80b9e30, handler=0x80f6608) at eap.c:205
    #4 0x400c3063 in eaptype_select (type_list=0x80b9e30, handler=0x80f6608, conftype=0x80b8060 "tls") at eap.c:280
    #5 0x400c29f8 in eap_authenticate (instance=0x80c5910, request=0x80f5878) at rlm_eap.c:200

Frank.
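The packet described in this thread (flags 'c0', so the L and M bits are set, but no TLS Message Length and no data) run through a length-checked parser. This is an added example, not code from the post or from FreeRADIUS: the function names, return codes, the 65536-byte cap and the sample packets are constructed for illustration, and the field layout follows the EAP-TLS packet format in RFC 2716.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define EAP_HDR_LEN      4       /* code, identifier, 16-bit length */
#define EAP_TYPE_TLS     13
#define TLS_FLAG_LENGTH  0x80    /* L: 4-byte TLS Message Length follows the flags */
#define TLS_FLAG_MORE    0x40    /* M: more fragments follow */
#define TLS_MAX_MESSAGE  65536u  /* assumption: cap on one reassembled TLS message */

enum eaptls_rc {
    EAPTLS_OK = 0,
    EAPTLS_TRUNCATED,      /* fewer bytes than the header or flags promise */
    EAPTLS_BAD_LENGTH,     /* EAP Length field too small or beyond the bytes received */
    EAPTLS_NOT_TLS,        /* EAP type is not 13 */
    EAPTLS_BAD_TLS_LENGTH  /* declared TLS length is 0, over the cap, or below the fragment size */
};

struct eaptls_frag {
    uint8_t        flags;
    uint32_t       tls_msg_len;  /* 0 when the L flag is absent */
    const uint8_t *data;         /* points into the caller's packet */
    size_t         data_len;
};

/* Validate one EAP-TLS packet; *out is filled only when EAPTLS_OK is returned. */
enum eaptls_rc eaptls_parse(const uint8_t *pkt, size_t pkt_len, struct eaptls_frag *out)
{
    size_t eap_len, off = EAP_HDR_LEN + 2;   /* header + type + flags */
    uint32_t tls_len = 0;
    uint8_t flags;

    memset(out, 0, sizeof(*out));
    if (pkt_len < off)
        return EAPTLS_TRUNCATED;
    eap_len = ((size_t)pkt[2] << 8) | pkt[3];
    if (eap_len < off || eap_len > pkt_len)
        return EAPTLS_BAD_LENGTH;
    if (pkt[4] != EAP_TYPE_TLS)
        return EAPTLS_NOT_TLS;

    flags = pkt[5];
    if (flags & TLS_FLAG_LENGTH) {
        /* The flag is only a claim: check that the four bytes are really there. */
        if (eap_len - off < 4)
            return EAPTLS_TRUNCATED;
        tls_len = ((uint32_t)pkt[off] << 24) | ((uint32_t)pkt[off + 1] << 16) |
                  ((uint32_t)pkt[off + 2] << 8) | (uint32_t)pkt[off + 3];
        off += 4;
        if (tls_len == 0 || tls_len > TLS_MAX_MESSAGE || eap_len - off > tls_len)
            return EAPTLS_BAD_TLS_LENGTH;
    }
    /* M promises a fragment; an empty one carries nothing to reassemble. */
    if ((flags & TLS_FLAG_MORE) && eap_len == off)
        return EAPTLS_TRUNCATED;

    out->flags = flags;
    out->tls_msg_len = tls_len;
    out->data = pkt + off;
    out->data_len = eap_len - off;
    return EAPTLS_OK;
}

/* Copy a validated fragment into a reassembly buffer; returns bytes copied, or -1. */
long eaptls_append(uint8_t *buf, size_t cap, size_t used, const struct eaptls_frag *f)
{
    if (used > cap || f->data_len > cap - used)
        return -1;
    if (f->data_len)
        memcpy(buf + used, f->data, f->data_len);
    return (long)f->data_len;
}

/* Constructed sample packets (not captured traffic). */
static const uint8_t SAMPLE_BAD_C0[]  = {0x02, 0x05, 0x00, 0x06, 0x0d, 0xc0};
static const uint8_t SAMPLE_LEN_LIE[] = {0x02, 0x05, 0x00, 0x20, 0x0d, 0xc0};
static const uint8_t SAMPLE_OVER[]    = {0x02, 0x05, 0x00, 0x0d, 0x0d, 0xc0,
                                         0x00, 0x00, 0x00, 0x02, 0x16, 0x03, 0x01};
static const uint8_t SAMPLE_ACK[]     = {0x02, 0x06, 0x00, 0x06, 0x0d, 0x00};
static const uint8_t SAMPLE_FIRST[]   = {0x02, 0x05, 0x00, 0x0d, 0x0d, 0xc0,
                                         0x00, 0x00, 0x00, 0x10, 0x16, 0x03, 0x01};

int main(void)
{
    struct eaptls_frag f;
    uint8_t buf[64];

    printf("flags c0, no length:   rc=%d\n", (int)eaptls_parse(SAMPLE_BAD_C0, sizeof SAMPLE_BAD_C0, &f));
    printf("EAP length > received: rc=%d\n", (int)eaptls_parse(SAMPLE_LEN_LIE, sizeof SAMPLE_LEN_LIE, &f));
    printf("TLS length < fragment: rc=%d\n", (int)eaptls_parse(SAMPLE_OVER, sizeof SAMPLE_OVER, &f));
    printf("fragment ACK:          rc=%d\n", (int)eaptls_parse(SAMPLE_ACK, sizeof SAMPLE_ACK, &f));
    if (eaptls_parse(SAMPLE_FIRST, sizeof SAMPLE_FIRST, &f) == EAPTLS_OK)
        printf("first fragment: declared=%u copied=%ld\n",
               (unsigned)f.tls_msg_len, eaptls_append(buf, sizeof buf, 0, &f));
    return 0;
}
```

Every length that reaches memcpy here has been compared against the bytes actually received, so a header that promises more than the packet carries is rejected before any copy.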
Re: -OSX MySQL and freeRADIUS-
mark winkler <[EMAIL PROTECTED]> wrote:
> What are the correct parameters for compiling MySQL along with
> --disable-shared?

You must have statically linked MySQL libraries, too.

> I've been able to successfully compile on Mac OSX 10.2
> server, but am still unable to use the MySQL module. We are currently
> running snapshot 20030131 and have also successfully compiled (sans MySQL)
> ver 0.8.1..thanks to the list archive.

The snapshot should be mostly OK for MACOSX.

You *must* carefully read the output of './configure' and 'make'. If there are warning messages, they will be printed. Ignoring them means you may have been told why it won't work.

Alan DeKok.
Re: FreeBSD 4.7 stable + freeradius + sybase
On Wed, 2 Apr 2003, Vasili G. Yanov wrote:
> It's possible to compile rlm_sql_sybase on FreeBSD without Linux
> emulation?

If you're trying to do AAA to a MSSQL server, you may want to try using rlm_sql_unixodbc. I've had a lot of success with it.

I'll try to duplicate your problem with rlm_sql_sybase on one of my 4.7-STABLE servers and see what I can find.

Franklin

--
Franklin Trumpy, NFA, MNGS, GSc | The wound of peace is surety,
Sr. UNIX Systems Administrator  | Surety secure; but modest doubt is called
Lighthouse Communications       | The beacon of the wise, the tent that searches
[EMAIL PROTECTED]               | To th' bottom of the worst.
(515)244-1115 | (888)953-3278   |     William Shakespeare
http://www.lh.net               |     Troilus and Cressida (II, ii)
Re: -OSX MySQL and freeRADIUS-
> If the MySQL module wasn't built into the server, then you've got to
> re-build it, to use MySQL.
> Alan DeKok.

What are the correct parameters for compiling MySQL along with --disable-shared? I've been able to successfully compile on Mac OSX 10.2 server, but am still unable to use the MySQL module. We are currently running snapshot 20030131 and have also successfully compiled (sans MySQL) ver 0.8.1..thanks to the list archive.

Thanks,
_Mark
Re: FreeRADIUS + PEAP
> hi
>
> ok, now i know what was the problem with MD5. Windows XP after SP1 does
> not support MD5 for wireless devices. however, i ask myself how you
> could activate it because it is not available as a type for wireless
> devices.

I've activated EAP-MD5 in a Windows XP PC (without SP1). This supplicant supports EAP-MD5.

I have two different clients with Windows XP. The first has Windows XP with SP1, and the second has Windows XP without SP1.

> answering to your question: no, PEAP is not yet implemented in
> freeradius.

OK.

> ciao
> artur
>
> > Windows XP 802.1x supplicant seems to support only EAP-TLS and PEAP(-MSCHAP)
> > authentication methods.
> >
> > EAP-TLS is built in FreeRADIUS, and I've tested and it works fine.
> >
> > But, how about PEAP? It's supported by FreeRADIUS?
> >
> > If not, it's supported by another 'free' RADIUS system?
>
> --
> Artur Hecker
> artur[at]hecker.info
Re: FreeRADIUS + EAP-MD5 +WindowsXP supplicant ERROR!
> hi
>
> summarizing:
>
> - freeradius authenticates the user
> - windows XP "thinks that it is authenticated", so it has received the
> EAP Success message
>
> right? then, except your AP implementation is broken or some
> incompatible L2 features are activated on the two ends of your L2-link,
> your L2 link should be established. thus, any further problems should be
> L3 problems: incorrect address, dead DHCP, wrong routes, i don't know
> what.

But the client configuration is the same one that works with EAP-TLS... only the XP supplicant configuration is different (MD5, not certificates).

> anyway, make sure the above assumptions are true. windows sometimes
> shows "connected" symbol although it DOES NOT "think" that it is
> authenticated correctly. the status of the authentication can be found
> in your Network device list.
>
> if the assumptions are true, then let me put it this way:
> - EITHER your AP is broken or your link improperly configured
> - OR your network/windows XP are not IP-configured correctly
>
> choose one...

The AP is a PC with Linux + HostAP, and it has FreeRADIUS + OpenSSL + OpenLDAP too. It works fine without EAP and with EAP-TLS. The logs seem to be correct too...

> for troubleshooting: can you connect without problems when no EAP is
> activated? deactivate EAP on your access point *without touching
> anything else* and see if you can connect with your windows. if not you
> have identified your problem.

I can connect when I use EAP-TLS and when I don't use EAP at all. And the IP, routing, etc, configuration is the same in all cases.

> it is difficult to deduce more from what we know so far...
>
> ciao
> artur
>
> Israel Cardenas Romero wrote:
> >
> > Hi,
> >
> > i'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP.
> > I've configured it to work with EAP-TLS and it work's fine with the Windows
> > XP supplicant.
> > But if I configure it to work with EAP-MD5, it seems not to work:
> > - the Windows XP client is configured with EAP-MD5
> > - it takes login and password from user
> > - FreeRADIUS seems to validate him correctly (here is the log):
> >
> > rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3,
> > length=231
> > User-Name = "Nombre2 Apellido2"
> > NAS-IP-Address = 192.168.49.222
> > NAS-Port = 1
> > Called-Station-Id = "00-50-C2-10-92-82:SecureAP"
> > Calling-Station-Id = "00-0B-46-26-1B-E2"
> > Framed-MTU = 2304
> > NAS-Port-Type = Wireless-802.11
> > Connect-Info = "CONNECT 11Mbps 802.11b"
> > EAP-Message =
> > "\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2
> > Apellido2"
> > State =
> > 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
> > Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
> > modcall: entering group authorize
> > modcall[authorize]: module "preprocess" returns ok
> > rlm_ldap: - authorize
> > rlm_ldap: performing user authorization for Nombre2 Apellido2
> > radius_xlat: '(uid=Nombre2 Apellido2)'
> > radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
> > ldap_get_conn: Got Id: 0
> > rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
> > (uid=Nombre2 Apellido2)
> > rlm_ldap: Added password izadisan in check items
> > rlm_ldap: looking for check items in directory...
> > rlm_ldap: Adding radiusExpiration as Expiration, value 11 & op=21
> > rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
> > rlm_ldap: looking for reply items in directory...
> > rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
> > ldap_release_conn: Release Id: 0
> > modcall[authorize]: module "ldap" returns ok
> > modcall: group authorize returns ok
> > rad_check_password: Found Auth-Type EAP
> > auth: type "EAP"
> > modcall: entering group authenticate
> > rlm_eap: Request found, released from the list
> > rlm_eap: EAP_TYPE - md5
> > rlm_eap: processing type md5
> > modcall[authenticate]: module "eap" returns ok
> > modcall: group authenticate returns ok
> > Sending Access-Accept of id 3 to 192.168.49.222:1029
> > EAP-Message = "\003\004\000\004"
> > Message-Authenticator = 0x
> > Finished request 30
> > Going to the next request
> > Waking up in 6 seconds...
> >
> > - Windows XP client thinks itself it's authenticated, because don't try to
> > login more
> > - but the network is not accessible for the client...
>
> --
> Artur Hecker
> artur[at]hecker.info
Re: FreeRADIUS + PEAP
hi

ok, now i know what was the problem with MD5. Windows XP after SP1 does not support MD5 for wireless devices. however, i ask myself how you could activate it because it is not available as a type for wireless devices.

answering to your question: no, PEAP is not yet implemented in freeradius.

ciao
artur

> Windows XP 802.1x supplicant seems to support only EAP-TLS and PEAP(-MSCHAP)
> authentication methods.
>
> EAP-TLS is built in FreeRADIUS, and I've tested and it works fine.
>
> But, how about PEAP? It's supported by FreeRADIUS?
>
> If not, it's supported by another 'free' RADIUS system?

--
Artur Hecker
artur[at]hecker.info
Re: FreeRADIUS + EAP-MD5 +WindowsXP supplicant ERROR!
hi

summarizing:

- freeradius authenticates the user
- windows XP "thinks that it is authenticated", so it has received the EAP Success message

right? then, except your AP implementation is broken or some incompatible L2 features are activated on the two ends of your L2-link, your L2 link should be established. thus, any further problems should be L3 problems: incorrect address, dead DHCP, wrong routes, i don't know what.

anyway, make sure the above assumptions are true. windows sometimes shows "connected" symbol although it DOES NOT "think" that it is authenticated correctly. the status of the authentication can be found in your Network device list.

if the assumptions are true, then let me put it this way:
- EITHER your AP is broken or your link improperly configured
- OR your network/windows XP are not IP-configured correctly

choose one...

for troubleshooting: can you connect without problems when no EAP is activated? deactivate EAP on your access point *without touching anything else* and see if you can connect with your windows. if not you have identified your problem.

it is difficult to deduce more from what we know so far...

ciao
artur

Israel Cardenas Romero wrote:
>
> Hi,
>
> i'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP.
> I've configured it to work with EAP-TLS and it work's fine with the Windows
> XP supplicant.
> But if I configure it to work with EAP-MD5, it seems not to work:
> - the Windows XP client is configured with EAP-MD5
> - it takes login and password from user
> - FreeRADIUS seems to validate him correctly (here is the log):
>
> rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3,
> length=231
> User-Name = "Nombre2 Apellido2"
> NAS-IP-Address = 192.168.49.222
> NAS-Port = 1
> Called-Station-Id = "00-50-C2-10-92-82:SecureAP"
> Calling-Station-Id = "00-0B-46-26-1B-E2"
> Framed-MTU = 2304
> NAS-Port-Type = Wireless-802.11
> Connect-Info = "CONNECT 11Mbps 802.11b"
> EAP-Message =
> "\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2
> Apellido2"
> State =
> 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
> Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
> modcall: entering group authorize
> modcall[authorize]: module "preprocess" returns ok
> rlm_ldap: - authorize
> rlm_ldap: performing user authorization for Nombre2 Apellido2
> radius_xlat: '(uid=Nombre2 Apellido2)'
> radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
> ldap_get_conn: Got Id: 0
> rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter
> (uid=Nombre2 Apellido2)
> rlm_ldap: Added password izadisan in check items
> rlm_ldap: looking for check items in directory...
> rlm_ldap: Adding radiusExpiration as Expiration, value 11 & op=21
> rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
> rlm_ldap: looking for reply items in directory...
> rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
> ldap_release_conn: Release Id: 0
> modcall[authorize]: module "ldap" returns ok
> modcall: group authorize returns ok
> rad_check_password: Found Auth-Type EAP
> auth: type "EAP"
> modcall: entering group authenticate
> rlm_eap: Request found, released from the list
> rlm_eap: EAP_TYPE - md5
> rlm_eap: processing type md5
> modcall[authenticate]: module "eap" returns ok
> modcall: group authenticate returns ok
> Sending Access-Accept of id 3 to 192.168.49.222:1029
> EAP-Message = "\003\004\000\004"
> Message-Authenticator = 0x
> Finished request 30
> Going to the next request
> Waking up in 6 seconds...
>
> - Windows XP client thinks itself it's authenticated, because don't try to
> login more
> - but the network is not accessible for the client...

--
Artur Hecker
artur[at]hecker.info
Re: FreeRADIUS + PEAP
"Israel Cardenas Romero" <[EMAIL PROTECTED]> wrote:
> EAP-TLS is built in FreeRADIUS, and I've tested and it works fine.
>
> But, how about PEAP? It's supported by FreeRADIUS?

No.

> If not, it's supported by another 'free' RADIUS system?

The other 'free' RADIUS systems don't even have EAP, from what I've seen. It would be easier to add PEAP to FreeRADIUS than to add EAP, and then PEAP to another server.

Alan DeKok.
Re: WPA w/ RADIUS for WinXP
Artur Hecker <[EMAIL PROTECTED]> wrote:
> :-) why is it crazy?

It defines new attributes, which have encrypted values, and when the value is decrypted, you're supposed to unpack a series of *other* attributes from it. That's ugly as sin.

It probably means that 802.11f support will be done in a module specifically for 802.11f, which will do all of that crazy packing/unpacking, so that the rest of the server can access the attributes in a sane manner.

> i didn't take a look yet, but it seems to me that it's not the first
> time you mention it :-)

It scares me.

Alan DeKok.
Re: WPA w/ RADIUS for WinXP
:-) why is it crazy?

i didn't take a look yet, but it seems to me that it's not the first time you mention it :-)

regards,
artur

Alan DeKok wrote:
>
> "Ian Pritchard" <[EMAIL PROTECTED]> wrote:
> > Either way, it's good news for freeradius, right? If both WPA modes are on
> > all APs, then you will be able to point any Wi-Fi certified AP at Freeradius
> > and use EAP to authenticate.
>
> There's also 802.11f, which allows roaming between AP's, and
> re-authentication. It's crazy, and it'll be painful to implement,
> because of that.
>
> Alan DeKok.

--
Artur Hecker
artur[at]hecker.info
Re: WPA w/ RADIUS for WinXP
hi Ian

> 1. Wi-Fi Alliance certified Access Points will very shortly be required to
> be WPA-capable.

yes, it's intended to include WPA in the verification process.

> 2. You will be able to turn WPA on or off (at least initially).

yes, plus mixed mode.

> 3. When WPA is turned on, there will be two modes available:
> i) Pre-Shared Key (PSK) mode for Home/Soho use with no RADIUS server.
> ii) RADIUS mode with EAP.
>
> I can't see from the literature if being able to do *both* of these modes is
> mandatory, or if there will be APs shipping with just the first one for the
> SoHo market. What's your impression?

well, the second comprises the first, so the real question is, will there be any hardware with SoHo only? i would say yes, since they can hardly dictate the implementation of RADIUS clients on all APs and, let's be honest, it's far too complicated for a home user... so, i think they will perhaps write something like "SoHo" under the logo or i don't know what.

in the case of doubt, such hardware will be available without the WiFi logo... there is nothing to verify anyway: today, all 802.11 hardware is based above the same bunch of chipsets (3 or 4) which cooperate quite well.

> Either way, it's good news for freeradius, right? If both WPA modes are on
> all APs, then you will be able to point any Wi-Fi certified AP at Freeradius
> and use EAP to authenticate.

well, it improves the security. additionally, TKIP and all other WPA methods are implemented by some manufacturers since some time now... so, it's perhaps logical to define it and to test those one against another. i only hope, that it won't produce too much disorder (WEP/WPA/802.1X/802.11i - puhhh - you don't need to study in order to run a two nodes network, right?)

for the corporate market though i think that 802.11i is still necessary. 802.11i is often seen as a too big deal but we shouldn't forget that the per packet usage of a stream cipher over unreliable media (RC4 in WEP) was probably one of the most misunderstood cryptographic proposals ever... it has to go away, sooner or later.

ciao
artur

--
Artur Hecker
artur[at]hecker.info
FreeBSD 4.7 stable + freeradius + sybase
It's possible to compile rlm_sql_sybase on FreeBSD without Linux emulation?

In the process of compilation I get error:

    /usr/libexec/elf/ld: cannot find -lnsl

Thanks in advance.
Vasili.
FreeRADIUS + PEAP
Hi,

Windows XP 802.1x supplicant seems to support only EAP-TLS and PEAP(-MSCHAP) authentication methods.

EAP-TLS is built in FreeRADIUS, and I've tested and it works fine.

But, how about PEAP? It's supported by FreeRADIUS?

If not, it's supported by another 'free' RADIUS system?

Thanks,
Israel Cárdenas Romero
Re: WPA w/ RADIUS for WinXP
"Ian Pritchard" <[EMAIL PROTECTED]> wrote:
> Either way, it's good news for freeradius, right? If both WPA modes are on
> all APs, then you will be able to point any Wi-Fi certified AP at Freeradius
> and use EAP to authenticate.

There's also 802.11f, which allows roaming between AP's, and re-authentication. It's crazy, and it'll be painful to implement, because of that.

Alan DeKok.
Re: WPA w/ RADIUS for WinXP
Hi Artur,

Thanks for taking the time to put these replies together and for trawling through the documentation as well.

So, as I understand it:

1. Wi-Fi Alliance certified Access Points will very shortly be required to be WPA-capable.
2. You will be able to turn WPA on or off (at least initially).
3. When WPA is turned on, there will be two modes available:
   i) Pre-Shared Key (PSK) mode for Home/Soho use with no RADIUS server.
   ii) RADIUS mode with EAP.

I can't see from the literature if being able to do *both* of these modes is mandatory, or if there will be APs shipping with just the first one for the SoHo market. What's your impression?

Either way, it's good news for freeradius, right? If both WPA modes are on all APs, then you will be able to point any Wi-Fi certified AP at Freeradius and use EAP to authenticate.

Thanks,
Ian

From: Artur Hecker <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: WPA w/ RADIUS for WinXP
Date: Wed, 02 Apr 2003 16:48:57 +0200

[snipped for resource conservation]
FreeRADIUS + EAP-MD5 +WindowsXP supplicant ERROR!
Hi,

i'm trying FreeRADIUS with HostAP and OpenLDAP to build a 'secure' AP. I've configured it to work with EAP-TLS and it works fine with the Windows XP supplicant.

But if I configure it to work with EAP-MD5, it seems not to work:
- the Windows XP client is configured with EAP-MD5
- it takes login and password from user
- FreeRADIUS seems to validate him correctly (here is the log):

    rad_recv: Access-Request packet from host 192.168.49.222:1029, id=3, length=231
        User-Name = "Nombre2 Apellido2"
        NAS-IP-Address = 192.168.49.222
        NAS-Port = 1
        Called-Station-Id = "00-50-C2-10-92-82:SecureAP"
        Calling-Station-Id = "00-0B-46-26-1B-E2"
        Framed-MTU = 2304
        NAS-Port-Type = Wireless-802.11
        Connect-Info = "CONNECT 11Mbps 802.11b"
        EAP-Message = "\002\004\000'\004\020\226f\026\271\\\235\202\247\206~^\367\026pV\242Nombre2 Apellido2"
        State = 0x548fc174e88138adeecadde08ef4263f2e078b3ee6798cd2f2fd877659244ef7889a108c
        Message-Authenticator = 0x3da5ed71acd933e4d3f404747dae12ee
    modcall: entering group authorize
    modcall[authorize]: module "preprocess" returns ok
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for Nombre2 Apellido2
    radius_xlat: '(uid=Nombre2 Apellido2)'
    radius_xlat: 'ou=Wireless,dc=sgi,dc=es'
    ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in ou=Wireless,dc=sgi,dc=es, with filter (uid=Nombre2 Apellido2)
    rlm_ldap: Added password izadisan in check items
    rlm_ldap: looking for check items in directory...
    rlm_ldap: Adding radiusExpiration as Expiration, value 11 & op=21
    rlm_ldap: Adding radiusAuthType as Auth-Type, value EAP & op=21
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user Nombre2 Apellido2 authorized to use remote access
    ldap_release_conn: Release Id: 0
    modcall[authorize]: module "ldap" returns ok
    modcall: group authorize returns ok
    rad_check_password: Found Auth-Type EAP
    auth: type "EAP"
    modcall: entering group authenticate
    rlm_eap: Request found, released from the list
    rlm_eap: EAP_TYPE - md5
    rlm_eap: processing type md5
    modcall[authenticate]: module "eap" returns ok
    modcall: group authenticate returns ok
    Sending Access-Accept of id 3 to 192.168.49.222:1029
        EAP-Message = "\003\004\000\004"
        Message-Authenticator = 0x
    Finished request 30
    Going to the next request
    Waking up in 6 seconds...

- Windows XP client thinks itself it's authenticated, because it doesn't try to login any more
- but the network is not accessible for the client...

What could be the problem?

Israel Cárdenas Romero
RE: problem with rlm_ldap
My guess is you've just upgraded to openldap-2.1.16 and you're running your radius server on the same machine as your new ldap server or you've just upgraded your ldap libraries on the radius machine. If this is the case, then you should be able to download the new CVS version of freeradius which should have the ldap_enable_cache code removed, according to Kostas Kalevras.

Mike

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Kuba Leszewski
Sent: Wednesday, April 02, 2003 6:08 AM
To: [EMAIL PROTECTED]
Subject: problem with rlm_ldap

Hi,

I try to use OpenLDAP to store user information. Everything used to work, but now after few installations/deinstallations :-) I have the following problem:

I run radiusd -X
It dumps a lot of logs...
Matches a user...
Connects to openldap, and then

    radiusd: relocation error: /usr/local/lib/rlm_ldap-0.8.1.so: undefined symbol: ldap_enable_cache

    ldd /usr/local/lib/rlm_ldap-0.8.1.so
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40017000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400e7000)
        liblber.so.2 => /usr/local/lib/liblber.so.2 (0x40115000)
        libldap_r.so.2 => /usr/local/lib/libldap_r.so.2 (0x40123000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40164000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4017a000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x4018b000)
        libc.so.6 => /lib/libc.so.6 (0x401a1000)
        libdl.so.2 => /lib/libdl.so.2 (0x402c9000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x402cd000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

All of these files exist.

One more thing. When I run radiusd -X the radiusd quits when this error appears. When I run without -X, then radiusd keeps running (doesn't work anyway ;-)

Regards
Kuba
Re: problem with rlm_ldap
Kuba Leszewski <[EMAIL PROTECTED]> wrote:
> I try to use OpenLDAP to store user information.
> Everything used to work, but now after few installations/deinstallations
> :-) I have the following problem:
...
> radiusd: relocation error: /usr/local/lib/rlm_ldap-0.8.1.so: undefined
> symbol: ldap_enable_cache

This was discussed on this list just a few days ago.

Upgrade to the latest CVS snapshot.

Alan DeKok.
Re: check item problem
"Brian Leung" <[EMAIL PROTECTED]> wrote:
> i don't know whether it have a bug or not?
> when i used checkval module and radiusCalledStationid, it is prefer.
> But, when i used radiusCheckItem: NAS-IP-Address := 202.14.68.51

See the 'man' page for the 'users' file. That last line tells me you're doing something wrong.

Alan DeKok.
Re: Status to client...
"Mike Cisar" <[EMAIL PROTECTED]> wrote:
> Does anybody know if there are any "replacement" diallers or TCP/IP
> stacks for windows that actually report back the error code output
> by freeradius when a connection is denied.

Not that I've heard of.

> We've got a few customers that are becoming an increasing hassle
> support-wise, who we could easily silence if there was a way we
> could show them the "you've exceeded your time limit", etc. error
> message when they are trying to dial in and get rejected.

It may be easier to allow them in, and then point them to a web page with the appropriate text on it. (And filter out traffic to everywhere but that web page.) How this is done depends on your NAS.

One generic alternative might be to give them a private IP (10.x), in a subnet which isn't routed anywhere. Put a transparent HTTP proxy on that subnet, and return a stock web page for all HTTP requests. It'll be annoying, but it might get the point across.

Alan DeKok.
Re: Regarding your StockOptions and 401K-Plan
...to be forwarded appreciated... ___ ___ While our fellow citizens fight in Iraq for the good, a consistent but accelerating danger lurks in the shadow, ready to overtake and turn upside down our values: Protect your privacy against false values, manifested continuously and accelerating through a form of reverse psychology, ravaging our collective consciousness and preparing a new way for us to jail our own minds and let us be ruled by tyrannists, dis-personified by a global bureaucratization, whose leading players are the corporations. Those corporations are the vehicle for the mass-mind-gaming, fear-and horror-producers of previous fascist regimes ! -- Regards Patty Crazon http://www.geocities.com/pattycrazon001
Re: WPA w/ RADIUS for WinXP
hi - replying to myself...

i mentioned the whitepaper before but didn't say where it can be found. shame on me! so, update here.

and another thing to think about: WPA defines a new "mixed mode", meaning that WEP and WPA can be used at the same AP simultaneously. please be conscious that in such case ALL hardware will run in the less secure classic WEP mode if only ONE device demands WEP. so, you have to upgrade EVERYTHING if you want to use WPA reasonably.

so, here is the "whitepaper":

http://www.wifialliance.com/OpenSection/pdf/Wi-Fi_Protected_Access_Overview.pdf

it's a little bit commercial and sometimes even wrong but it's official :-)

wrong is for example that:

  Enterprise-level User Authentication via 802.1x and EAP

  WEP has almost no user authentication mechanism. To strengthen user authentication, Wi-Fi Protected Access implements 802.1x and the Extensible Authentication Protocol (EAP). Together, these implementations provide a framework for strong user authentication. This framework utilizes a central authentication server, such as RADIUS, to authenticate each user on the network before they join it, and also employs mutual authentication so that the wireless user doesn't accidentally join a rogue network that might steal its network credentials.

the 802.1X framework DOES NOT employ mutual authentication. on the contrary, EAP methods *can* provide mutual authentication (like EAP/TLS does), but 802.1X itself is one-sided (client is authenticated) and has been much criticized for (client never sends Requests, only Responses).

but well, be it... anyway, most important citation:

  Wi-Fi Protected Access and IEEE 802.11i Comparison

  Wi-Fi Protected Access will be forward-compatible with the IEEE 802.11i security specification currently under development by the IEEE. Wi-Fi Protected Access is a subset of the current 802.11i draft, taking certain pieces of the 802.11i draft that are ready to bring to market today, such as its implementation of 802.1x and TKIP. These features can also be enabled on most existing Wi-Fi CERTIFIED products as a software upgrade. The main pieces of the 802.11i draft that are not included in Wi-Fi Protected Access are secure IBSS, secure fast handoff, secure de-authentication and disassociation, as well as enhanced encryption protocols such as AES-CCMP. These features are either not yet ready for market or will require hardware upgrades to implement. The IEEE 802.11i specification is expected to be published at the end of 2003.

so, as I said: no AES (despite what has been said on the list).

more information can be found at http://www.wifialliance.com/OpenSection/secure.asp#resources

ciao
artur

--
Artur Hecker
artur[at]hecker.info
Re: db2 and freeradius
On 1:53pm, Isnel Cantarelo wrote:

> It seems (because of settings) that's working in multithreaded mode
> I don't know if it's necessary to use that mode in my installation, I'll
> test it running radiusd in one single process
> By the way, how can I recognize which is the function that originate the main
> thread? (to fix that situation in case I really need to use multithreaded
> mode)

main is always main :) I meant 'main thread' a thread which started with "main()" function. I've heard the 2.5 kernel got a normal pthread... Because existing is not thread at all.

So - if it is a case, all connections to db2 has to be created in a thread which started with 'main()', then that stupid architecture let other 'child' thread inherit them... absolutely as a parent process and children processes, and file descriptors (man fork)...

in solaris I do a thread creation each time I need to get a new connection for any thread, and a thread can do something until a new connection will be ready, it is like ibm suggested - n connections by m threads.

Gregory G. V.
---
Any opinions in this posting are my own and not those of my present or previous employers.

According Isham Research's Devil's IT Dictionary mainframe is: "an obsolete device still used by thousands of obsolete companies serving billions of obsolete customers and making huge obsolete profits for their obsolete shareholders. And this year's run twice as fast as last year's."
problem with rlm_ldap
Hi,

I try to use OpenLDAP to store user information.
Everything used to work, but now after few installations/deinstallations :-) I have the following problem:

I run radiusd -X
It dumps a lot of logs...
Matches a user...
Connects to openldap, and then

radiusd: relocation error: /usr/local/lib/rlm_ldap-0.8.1.so: undefined symbol: ldap_enable_cache

ldd /usr/local/lib/rlm_ldap-0.8.1.so
        libcrypto.so.0.9.6 => /usr/lib/libcrypto.so.0.9.6 (0x40017000)
        libssl.so.0.9.6 => /usr/lib/libssl.so.0.9.6 (0x400e7000)
        liblber.so.2 => /usr/local/lib/liblber.so.2 (0x40115000)
        libldap_r.so.2 => /usr/local/lib/libldap_r.so.2 (0x40123000)
        libnsl.so.1 => /lib/libnsl.so.1 (0x40164000)
        libresolv.so.2 => /lib/libresolv.so.2 (0x4017a000)
        libpthread.so.0 => /lib/libpthread.so.0 (0x4018b000)
        libc.so.6 => /lib/libc.so.6 (0x401a1000)
        libdl.so.2 => /lib/libdl.so.2 (0x402c9000)
        libsasl2.so.2 => /usr/local/lib/libsasl2.so.2 (0x402cd000)
        /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x8000)

All of these files exist.

One more thing. When I run radiusd -X the radiusd quits when this error appears. When I run without -X, then radiusd keeps running (doesn't work anyway ;-)

Regards
Kuba
Re: db2 and freeradius
It seems (because of settings) that's working in multithreaded mode. I don't know if it's necessary to use that mode in my installation, I'll test it running radiusd in one single process.

By the way, how can I recognize which is the function that originate the main thread? (to fix that situation in case I really need to use multithreaded mode).

Thanks a lot.
Isnel.

From: "Gregory G. V." <[EMAIL PROTECTED]>
Reply-To: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Subject: Re: db2 and freeradius
Date: Wed, 2 Apr 2003 16:23:39 +0300 (EEST)

On 1:15pm, Isnel Cantarelo wrote:

>
> Hi everybody
>
> I'm running freeradius version 7 and db2 version 7.1 under linux, everything
> works fine while I'm debugging the code, but when I try to run radiusd in
> daemon mode it connects to database well but at first intent to run a sql
> statement against database I always receive SQLERROR error code, and my
> session get disconnected

does freeradius work in multithread mode? does it create connection in a 'main' thread?

I had a problem with linux in multithread program, if a connection was not created in a 'main' thread other threads could not use it. It's understandable if to remember that the 'threads' in linux is not 'threads'...

if you don't use multithreading, it is not your case.

Gregory G. V.
---
Any opinions in this posting are my own and not those of my present or previous employers.

According Isham Research's Devil's IT Dictionary mainframe is: "an obsolete device still used by thousands of obsolete companies serving billions of obsolete customers and making huge obsolete profits for their obsolete shareholders. And this year's run twice as fast as last year's."
Re: WPA w/ RADIUS for WinXP
hi ian

WPA is a standard of the wifi consortium, trying to improve 802.11 security without hardware modifications. so, first of all, WEP is replaced by something slightly different but based on the same cryptographic bricks (so, answering to one of your questions: no, no AES so far). then, they added signed message integrity code (MIC) and 802.1X authentication (instead of WEP based authentication called SKA) and perhaps some other things i don't remember right now (you need to go to the consortium site and download the whitepaper, if interested).

all that WPA stuff is a considerable improvement compared to the raw 802.11 methods and can be achieved in the most hardware on the market (and already sold out) by simple firmware updates. that's the deal. the "real" upgrade (including AES) is expected for the late summer 2003 and is called 802.11i.

now, answering to the remaining questions: 802.1X doesn't prescribe any special EAP procedure, why should WPA - which simply integrates 802.1X - do so in your opinion? to give you one argument for this choice: just think that even EAP/MD5 is actually better than unhappy SKA... and if you want dynamic keys you will naturally need something different. in fact, the whole idea of 802.1X is based upon the assumption that it remains extensible by using EAP and does not imply the usage of whatsoever real auth method.

the real and simple reason however is that the 802.1X-authentication does not need to be implemented in the WiFi hardware - i.e. neither in the wi-fi cards nor in the wifi access points, so it is completely out of scope of the WPA specification.

hope this helps.

greetings
artur

Ian Pritchard wrote:
>
> Hi,
>
> I saw the following announcement that Windows XP has a patch that will allow
> it to support WPA:
>
> http://support.microsoft.com/?kbid=815485
>
> As far as I understand it, WPA includes 802.1x. The document states:
>
> "For environments with a RADIUS infrastructure, Extensible Authentication
> Protocol (EAP) and RADIUS is supported."
>
> It also says:
>
> "802.1x authentication is required in WPA"
>
> However, I can't find anything there or in the WPA documentation which
> specifies which EAP flavours are required. Will EAP-TLS be mandatory, or
> TTLS, MD5 or one of the other flavours? What about AES?
>
> Thanks,
>
> Ian

--
Artur Hecker
artur[at]hecker.info
Re: how to authenticate any user and any password with freeradius
I found the solution to my report in the mailing-list:

DEFAULT Auth-Type := Accept
        Service-Type = Framed-User,
        Framed-Protocol = PPP

Christian

CS> I need to setup a radius server that authenticates any
CS> user regardless of the login and password the user
CS> has entered.
CS> On an old commercial radius server I used a users
CS> file with the following entry for this type of service:
CS> DEFAULT Password = "ANY"
CS>         User-Service = Framed-User,
CS>         Framed-Protocol = PPP,
CS>         Framed-Netmask = 255.255.255.255,
CS>         Framed-MTU = 1500,
CS> How can a setup like this be done with freeradius?
CS> I am running freeradius 0.8.1
CS> thanks,
CS> Christian
Re: db2 and freeradius
On 1:15pm, Isnel Cantarelo wrote:

>
> Hi everybody
>
> I'm running freeradius version 7 and db2 version 7.1 under linux, everything
> works fine while I'm debugging the code, but when I try to run radiusd in
> daemon mode it connects to database well but at first intent to run a sql
> statement against database I always receive SQLERROR error code, and my
> session get disconnected

does freeradius work in multithread mode? does it create connection in a 'main' thread?

I had a problem with linux in multithread program, if a connection was not created in a 'main' thread other threads could not use it. It's understandable if to remember that the 'threads' in linux is not 'threads'...

if you don't use multithreading, it is not your case.

Gregory G. V.
---
Any opinions in this posting are my own and not those of my present or previous employers.

According Isham Research's Devil's IT Dictionary mainframe is: "an obsolete device still used by thousands of obsolete companies serving billions of obsolete customers and making huge obsolete profits for their obsolete shareholders. And this year's run twice as fast as last year's."
db2 and freeradius
Hi everybody.

I'm running freeradius version 7 and db2 version 7.1 under linux, everything works fine while I'm debugging the code, but when I try to run radiusd in daemon mode it connects to database well but at first intent to run a sql statement against database I always receive SQLERROR error code, and my session get disconnected.

Thanks in advance.
Isnel.
how to authenticate any user and any password with freeradius
I need to setup a radius server that authenticates any user regardless of the login and password the user has entered.

On an old commercial radius server I used a users file with the following entry for this type of service:

DEFAULT Password = "ANY"
        User-Service = Framed-User,
        Framed-Protocol = PPP,
        Framed-Netmask = 255.255.255.255,
        Framed-MTU = 1500,

How can a setup like this be done with freeradius?
I am running freeradius 0.8.1

thanks,
Christian
Re: Something strange about logging
Alan DeKok wrote:

Degrande_Samuel <[EMAIL PROTECTED]> wrote:

Everything is working in debug mode (radiusd -X). but it coredumps in 'normal mode'.
...
So at this point, radlog_dest is always RADLOG_FILES, and then it executes log.vradlog:94 fopen(mainconfig.log_file, "a")
mainconfig has not yet been filled, so mainconfig.log_file = 0 and the fprintf() on line 95 coredumps.

Hmm... that's bad. I'll commit a fix today, so the CVS snapshot tomorrow should be OK.

I guess that Solaris's fprintf() in libc doesn't like getting NULL's passed to it..

That's not the only problem. You call fopen() with an empty file name, which returns an error on Solaris (that sounds reasonable to me). So I wonder how it could ever have worked on Solaris... Does it mean that I'm the only one trying to use freeradius on Solaris? :-(

By the way, freeradius is a good job. thank you a lot.

Alan DeKok.
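The failure discussed in this message, as an added example that is not FreeRADIUS code and not part of the original posts: a logger that tolerates an unset or empty log path and a failed fopen() by falling back to stderr. The names main_config, config, safe_log and the sample path are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>

/* Hypothetical stand-ins, not FreeRADIUS's own definitions. The struct is
 * zero-initialised, so log_file is NULL until the config file is parsed. */
struct main_config { const char *log_file; };
static struct main_config config;

enum log_result { LOGGED_FILE = 0, LOGGED_STDERR = 1 };

/* Failing pattern described in the thread (shown as a comment only):
 *     fp = fopen(config.log_file, "a");   // path still NULL or empty
 *     fprintf(fp, ...);                   // fp is NULL: crash
 */

/* Pick the output stream; *fell_back is set to 1 when stderr is used. */
static FILE *open_log_stream(int *fell_back)
{
    FILE *fp = NULL;

    /* Guard 1: never hand a NULL or empty path to fopen(). */
    if (config.log_file != NULL && config.log_file[0] != '\0')
        fp = fopen(config.log_file, "a");

    /* Guard 2: fopen() can still fail (missing directory, permissions). */
    *fell_back = (fp == NULL);
    return fp != NULL ? fp : stderr;
}

/* Write one formatted line and report where it went. */
int safe_log(const char *fmt, ...)
{
    va_list ap;
    int fell_back;
    FILE *fp = open_log_stream(&fell_back);

    va_start(ap, fmt);
    vfprintf(fp, fmt, ap);
    va_end(ap);
    fputc('\n', fp);

    if (fell_back)
        fflush(fp);          /* stderr stays open for later messages */
    else
        fclose(fp);          /* the file is reopened in "a" mode per message */
    return fell_back ? LOGGED_STDERR : LOGGED_FILE;
}

int main(void)
{
    /* Before the configuration is parsed: must not crash. */
    safe_log("early startup message %d", 1);

    /* Constructed sample path, set once "parsing" is done. */
    config.log_file = "/tmp/radlog_example.log";
    return safe_log("configuration loaded") == LOGGED_FILE ? 0 : 1;
}
```

In daemon mode stderr is usually redirected or closed, so a production logger would more likely fall back to syslog than to stderr.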
FreeRADIUS and presence databases
Hello,

I'm looking for information about implementing a presence database when using FreeRadius for accounting purposes in an access network. Actually I need to have access to the mapping between the framed-IP address and some other vendor specific attributes when a user is connected to the NAS.

I thought about accessing the Radius log files, but on the long term I need to ensure the mapping information integrity. Ideally, I'd like to use an Oracle database or an LDAP server to store the mapping info.

If anyone knows about such a development or some related project, I would be happy to be informed.

Thanks,
Alexandre
Re: WPA w/ RADIUS for WinXP
Hello Ian:

Yes, WPA supports 802.1x standard along with its own Information Element (IE) sent in the probe requests. The supplicant (client) and the Radius (authentication server) generate a master key during the authentication process. I'm sure EAP-TLS is one of the possibilities to achieve that but am unsure if that's the only one supported. AES is included in WPA, hence the Microsoft patch should include it as well...

Regards,
Nikhil.

Ian Pritchard <[EMAIL PROTECTED]> wrote:

Hi,

I saw the following announcement that Windows XP has a patch that will allow it to support WPA:

http://support.microsoft.com/?kbid=815485

As far as I understand it, WPA includes 802.1x. The document states:

"For environments with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS is supported."

It also says:

"802.1x authentication is required in WPA"

However, I can't find anything there or in the WPA documentation which specifies which EAP flavours are required. Will EAP-TLS be mandatory, or TTLS, MD5 or one of the other flavours? What about AES?

Thanks,
Ian
WPA w/ RADIUS for WinXP
Hi,

I saw the following announcement that Windows XP has a patch that will allow it to support WPA:

http://support.microsoft.com/?kbid=815485

As far as I understand it, WPA includes 802.1x. The document states:

"For environments with a RADIUS infrastructure, Extensible Authentication Protocol (EAP) and RADIUS is supported."

It also says:

"802.1x authentication is required in WPA"

However, I can't find anything there or in the WPA documentation which specifies which EAP flavours are required. Will EAP-TLS be mandatory, or TTLS, MD5 or one of the other flavours? What about AES?

Thanks,
Ian