restrict user for say eg - 10 days -- any options ???

2004-04-08 Thread Vasudevan.S
Hi List,

Is there any configurable parameter to restrict a user for say up to 10 
days and on the 11th day the user should be denied login.

Please help me in performing the above configuration and it will be 
great if someone can help me out in the below mentioned multiple radius 
server configurations.

Hoping against hope for help  :-(

Thanks,
Vasudevan.S


Hi,

Can someone respond to this issue? It's very critical for my project.

Please let me know if you (list users) need any additional information
on this.
Thanks,
Vasudevan.S




Hi,

Please find the output in the primary server log.

I don't understand why it tries to check with the system users when it
has to try with the secondary server.
rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2,
length=90
  Calling-Station-Id = "31"
  User-Name = "[EMAIL PROTECTED]"
  User-Password = "dummy"
  NAS-Identifier = "vasus.india.adventnet.com"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authorize for
request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module
"preprocess" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "chap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "eap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Looking up realm
"adventnet.com" for User-Name = "[EMAIL PROTECTED]"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding
Stripped-User-Name = "dummy"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from
user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is
LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "suffix"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "files"
returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "mschap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authorize returns ok
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type
System
Thu Apr  8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authenticate
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: calling
unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: returned
from unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authenticate]: module "unix"
returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authenticate returns
notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client
vasus.adventnet.com port 0 cli 31)
Thu Apr  8 12:34:28 2004 : Debug: Delaying request 0 for 1 seconds


Thanks,
Vasudevan.S


Hi,

Can anyone help me in configuring the proxy servers for fail over.
Please find the proxy configuration I have done in the primary and
secondary radius servers.
Primary Server (proxy.conf)

realm DEFAULT{
  type = radius
  authhost = wifi-test3.adventnet.com:1812
  accthost = wifi-test3.adventnet.com:1813
  secret = xydsudysdiu
  ldflag = fail_over
  }
Secondary server (proxy.conf)

realm DEFAULT{
  type = radius
  authhost = vasus.adventnet.com:1812
  accthost = va
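
The decision path in the debug log quoted above can be extracted mechanically. The following is an added example, not part of the original post and not FreeRADIUS code: it parses lines in that log format and reports which realm matched, which Auth-Type was selected and which authenticate module failed. The sample lines are constructed from the quoted log (re-joined, with a made-up user name and client host), and the function names are hypothetical.

```python
import re

# Constructed sample: lines in the format of the debug log quoted above,
# re-joined where the mail client wrapped them; user and client names are made up.
SAMPLE_LOG = """\
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authorize for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "preprocess" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "chap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "eap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Looking up realm "example.com" for User-Name = "dummy@example.com"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "suffix" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "files" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "mschap" returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authorize returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type System
Thu Apr  8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authenticate]: module "unix" returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authenticate returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client nas.example.com port 0 cli 31)
"""

MODULE = re.compile(r'modcall\[(\w+)\]: module "([^"]+)" returns (\w+)')
GROUP = re.compile(r'modcall: group (\w+) returns (\w+)')
REALM = re.compile(r'rlm_realm: Found realm "([^"]+)"')
USERS = re.compile(r'users: Matched (\S+) at (\d+)')
AUTH_TYPE = re.compile(r'Found Auth-Type (\S+)')
# Module return codes that mean failure inside the authenticate section.
FAIL_CODES = {"reject", "fail", "invalid", "userlock", "notfound"}


def summarize(log_text):
    """Collect the realm, users-file, Auth-Type and module results of one request."""
    out = {"modules": [], "groups": {}, "realm": None, "realm_local": False,
           "users_match": None, "auth_type": None, "rejected": False}
    for line in log_text.splitlines():
        if (m := MODULE.search(line)):
            out["modules"].append(m.groups())      # (section, module, code)
        elif (m := GROUP.search(line)):
            out["groups"][m.group(1)] = m.group(2)
        elif (m := REALM.search(line)):
            out["realm"] = m.group(1)
        elif "Authentication realm is LOCAL" in line:
            out["realm_local"] = True
        elif (m := USERS.search(line)):
            out["users_match"] = (m.group(1), int(m.group(2)))
        elif (m := AUTH_TYPE.search(line)):
            out["auth_type"] = m.group(1)
        elif "Login incorrect" in line or "Failed to validate the user" in line:
            out["rejected"] = True
    return out


def failing_modules(summary):
    """Modules that returned a failure code in the authenticate section."""
    return [(module, code) for section, module, code in summary["modules"]
            if section == "authenticate" and code in FAIL_CODES]


def report(summary):
    """Render the decision path as short findings, in log order."""
    lines = []
    if summary["realm"]:
        state = "marked LOCAL" if summary["realm_local"] else "not marked LOCAL"
        lines.append(f'realm "{summary["realm"]}" matched and was {state}')
    if summary["users_match"]:
        lines.append("users file entry %s at line %d matched" % summary["users_match"])
    if summary["auth_type"]:
        lines.append(f'Auth-Type {summary["auth_type"]} selected')
    for module, code in failing_modules(summary):
        lines.append(f'authenticate: module "{module}" returned {code}')
    if summary["rejected"]:
        lines.append("request rejected")
    return lines


if __name__ == "__main__":
    for finding in report(summarize(SAMPLE_LOG)):
        print(finding)
```
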

RE: PPPOE+Freeradius+FreeBsd

2004-04-08 Thread Jeremy Davis

> I have FreeBsd 5.1+Freeradius 0.93+Mysql installed. How do I get PPPOE'
> users to authenticate in FreeRadius and Band Limit for user's group?

Depends on what PPPoE access concentrator you use.  Generally they will
accept radius reply attributes of some sort.

Jeremy



- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


PPPOE+Freeradius+FreeBsd

2004-04-08 Thread Sérgio
I have FreeBsd 5.1+Freeradius 0.93+Mysql installed. How do I get PPPOE'
users to authenticate in FreeRadius and Band Limit for user's group?

> Hi Alan,
>
> I suspect that Aoun is using xsupplicant.  The format he's described is
> actually consistent with xsupplicant.conf for the latest CVS version.
>
> If I'm correct, then this configuration is actually on his laptop, not in
> radius.conf.  If it is in radius.conf, then I've no idea what he's doing ;-)
>
> Regards,
>
> Guy
>
> > -Original Message-
> > From: Alan DeKok [mailto:[EMAIL PROTECTED]
> > Sent: 07 April 2004 19:30
> > To: [EMAIL PROTECTED]
> > Subject: Re: 802.1x port authentication with Freeradius
> >
> >
> > Aoun Shah <[EMAIL PROTECTED]> wrote:
> > > on the raduis server I have this entries in radius.conf file
> > >
> > > eap {
> > >
> > >   md5 {
> > >     username = radiuser11
> > >     password = radiuser11
> >
> >   I don't see why you're putting a username & password into the md5
> > configuration.  Nothing in the server leads you to believe that does
> > anything.
> >
> > > with the above all given entries I am able to get the following result.
> > >
> > > 18:11:19.828169 129.69.1.50.radius > testserv.rus.uni-stuttgart.de.radius:  rad-access-req 104 [id 49] Attr[  NAS_ipaddr{129.69.1.50}  NAS_port_type{Async} User{radiuser11} Service_type{Framed} Framed_mtu{1500}(zero-length attribute)
> > >
> >
> >   TCPdump is useless for debugging the server's configuration.  See the
> > FAQ & README's for instructions on running in debugging mode.
> >
> >   Alan Dekok.
> >
>


RE: Support Needed

2004-04-08 Thread Dennis Skinner
On Thu, 2004-04-08 at 15:05, M.Bilal Fassy wrote:
> Yes I understand it's not a freeradius question. But has anyone done this
> before. This is because I'm using freeradius for h323 records.

Shouldn't top post.

This is a forum for FreeRADIUS.  If you know it is not a FreeRADIUS
question, why post it here?

Yes, I've done this before.  If you understand what cron is and how to
use mail on the command line (both of which are very basic unix
operations), then this question is obvious.  Hence "man cron", "man
sendmail" is what you need.  Hint, you will also need a pipe "|" (see
"man bash") unless you use the MAILTO option that someone else
mentioned.

oh hell...

0 0 * * * cat /path/filename | mail [EMAIL PROTECTED]

Now go read the docs so you know what everything does


-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com




RADIUS: ARAP Config

2004-04-08 Thread AG
Hi All,

I am trying to get ARAP working under RADIUS (freeradius).

If anyone could give an example of ARAP setup (preferably freeradius) 
or any reference link (not RFCs, actual config), I would really 
appreciate it.

Cheers,
Anshul


Re: PEAP w/MS-CHAPv2:: Wireless Authentication against WindowsAD as user profile storage

2004-04-08 Thread Michael Griego
Nice finds...  I didn't think to look under GSS. :)

--Mike


On Thu, 2004-04-08 at 04:29, Artur Hecker wrote:
> also this one:
> 
> http://www.drizzle.com/~aboba/IEEE/draft-ietf-cat-iakerb-09.txt
> 
> Artur Hecker wrote:
> 
> > 
> > hi :-)
> > 
> > 
> > this is called EAP-GSS and it does exist:
> > 
> > http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt
> > 
> > 
> > there have been some troubles with standard kerberos detected by Thomas 
> > Wu... they also become important when used over EAP due to the 
> > potentially high number of reauthentications. anyway, the attacks are 
> > referenced more precisely in the draft which should also provide work 
> > arounds.
> > 
> > 
> > ciao
> > artur
> > 
> > 
> > 
> > 
> > Tom Rixom wrote:
> > 
> >> Mike,
> >>
> >> I have been following the Kerberos discussion for a while and this was 
> >> exactly what I was thinking.
> >>
> >> But where to start? What is required for Kerberos authentication?
> >> Tom
> >>
> >>
> >>> -Original Message-
> >>> From: Michael Griego [mailto:[EMAIL PROTECTED]
> >>> Sent: Wednesday, April 07, 2004 8:02 PM
> >>> To: [EMAIL PROTECTED]
> >>> Subject: RE: PEAP w/MS-CHAPv2:: Wireless Authentication against
> >>> WindowsAD as user profile storage
> >>>
> >>>
> >>> On Wed, 2004-04-07 at 11:57, Steve OBrien wrote:
> >>>
> >>>> Does anyone know if you can use Kerberos for user authentication for
> >>>> PEAP?
> >>>
> >>>
> >>> Not unless there's an EAP-Kerberos (EAP-KRB?) to be used for the
> >>> inside-tunnel authentication.  I, however, never heard of any work being
> >>> done on an EAP-Kerberos method.  Perhaps you could start your own draft
> >>> with the IETF? :)
> >>>
> >>> -- 
> >>>
> >>> --Mike
> >>>
> >>> ---
> >>> Michael Griego
> >>> Wireless LAN Project Manager
> >>> The University of Texas at Dallas
> >>>
-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Authorizing failed logins with filter

2004-04-08 Thread Troy Settle


I have 2 radius servers, one is freeradius, which proxies out to the second.

When authentication fails, I'd like a way to have freeradius to authorize
users with a specific profile:

  DEFAULT Realm == "psknet.com", Auth-Type = 
Ascend-Data-Filter = "ip in drop dstip 63.171.251.9/32",
Ascend-Data-Filter += "ip in forward dstip 63.171.251.0/24",
Ascend-Data-Filter += "ip in drop",
Ascend-Maximum-Call-Duration = 10

Is there a way to accomplish this?  If custom code is required to make this
work, I may be willing to pay.

--
  Troy Settle
  Pulaski Networks
  http://www.psknet.com
  540.994.4254 ~ 866.477.5638
 




Re: EAP / external program

2004-04-08 Thread Alan DeKok
Gianfranco Ferrini <[EMAIL PROTECTED]> wrote:
> What I need is to port this mechanism into the authentication part of EAP: 
> I would like to pick up the cleartext password for EAP from an external 
> program.

  Not exactly: You need to set User-Password from an external program.
From there, any authentication mechanism can use it.  EAP, MS-CHAP,
etc.

> I have seen from the list that this is possible with LDAP, but I don't know 
> if  (and how) it is possible from an external program.

  Simple:

DEFAULT User-Password == `%{exec: /root/script-radius}`

  Sets the User-Password attribute to have whatever value is printed
by the external program.

  Alan DeKok.



Re: Support Needed

2004-04-08 Thread Alan Russell
 Hi
>
> I still not get any support for the question i asked today. Please help me
> with this .
>
> Hi,
>
> Could you tell me how I could use cron to send me a mail to me,
> automatically every day at 12 midnight with the
>
> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
>
>
> Thanks in advance.
>
>

Write a shell script that will cat the file you want to have mailed to you
eg.

#!/bin/bash

cat /tmp/filnamexxx

Then edit your crontab (crontab -e) to run the script nightly.  Check to
make sure that /etc/crontab has the MAILTO=   set.  If so any cronjob that
runs will be mailed to this address.

Alan Russell




Re: PEAP

2004-04-08 Thread Alan DeKok
Steve OBrien <[EMAIL PROTECTED]> wrote:
> Are the only user authentication methods available to PEAP local, as in 
> users typed into users file?  You can't use PAM or any external user 
> databases?

  To do PEAP (really EAP-MSCHAPv2) authentication, the server MUST
have access to the clear-text password, OR the NT-Password for a user.

  Where that password comes from is irrelevant.

  PAM doesn't supply a password, so you can't do PEAP with PAM.

  Alan DeKok.



FreeRadius+MySQL+prepaid

2004-04-08 Thread Milver S. Nisay
anyone here who can give advice on how to implement prepaid dial up internet
service..
currently running freeradius, with MySQL under Fedora Core 1...
any hints or advice would be greatly appreciated...thanks..

//milver





RE: Support Needed

2004-04-08 Thread Mike Ockenga

> The URL you had given below does not state anything.
> 

Yes, actually, it does.

-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 



RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Yes I understand it's not a freeradius question. But has anyone done this
before. This is because I'm using freeradius for h323 records.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Dennis
Skinner
Sent: Friday, April 09, 2004 12:59 AM
To: [EMAIL PROTECTED]
Subject: RE: Support Needed


On Thu, 2004-04-08 at 14:41, M.Bilal Fassy wrote:
> Hi
>
> I still not get any support for the question i asked today. Please help me
> with this .

Perhaps because this is not a FreeRADIUS question?

man cron
man sendmail
man bash

Any other work on your plate you need us to do for you?

> Hi,
>
> Could you tell me how I could use cron to send me a mail to me,
> automatically every day at 12 midnight with the
>
> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
>
>
> Thanks in advance.

--
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com




RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Dear Troy,

The URL you had given below does not state anything.


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Troy
Winemiller
Sent: Friday, April 09, 2004 12:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Support Needed


Not really a freeradius problem.

Give this a look.

http://www.linuxquestions.org/questions/showthread.php?s=&forumid=46&threadid=163805



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
M.Bilal Fassy
Sent: Thursday, April 08, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: Support Needed


Hi

I still not get any support for the question i asked today. Please help
me with this .

Hi,

Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the

/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


Thanks in advance.





if, then, else with ldap attributes

2004-04-08 Thread Alexander Lunyov
Hello freeradius-users,

  I need to differentiate users with their traffic limits, so i have
  common traffic limit digit in LDAP in
  cn=radprofile,dc=domain,dc=com, and for some users i have set their own
  traffic limits in their own entries (like uid=lan,ou=users,dc=domain,dc=com).

  So i need first of all look to user entry, and if there is no
  traffic limit attribute - get value of a common limit attribute in
  common entry.

  In 'variables.txt' i found this:

==
  2.  %{Foo:-%{Bar}}
When attribute Foo is set:  returns value of attribute Foo
When attribute Foo unset:   returns value of attribute Bar (if any)
==

  And i have this construction in 'users' file:

  Traffic-Limit := `%{expr: %{ldap:...} - %{sql:...}}`

  Can it work with ldap queries? I need something like this:

  `%{expr: %{ldap:...:-%{ldap:...}} - %{sql:...}}`

  or like this
  
  `%{expr: %{%{ldap:...}:-%{ldap:...}}} - %{sql:...}}`

  But with these constructions radiusd wont start:
  "Parse error (reply) for entry DEFAULT: Expected end of line or
  comma".

  Or how can i make it at all?
  
-- 
Best regards,
 Alexander  mailto:[EMAIL PROTECTED]




RE: Support Needed

2004-04-08 Thread Dennis Skinner
On Thu, 2004-04-08 at 14:41, M.Bilal Fassy wrote:
> Hi
> 
> I still not get any support for the question i asked today. Please help me
> with this .

Perhaps because this is not a FreeRADIUS question?

man cron
man sendmail
man bash

Any other work on your plate you need us to do for you?

> Hi,
> 
> Could you tell me how I could use cron to send me a mail to me,
> automatically every day at 12 midnight with the
> 
> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
> 
> 
> Thanks in advance.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com




RE: Support Needed

2004-04-08 Thread Troy Winemiller
Not really a freeradius problem.

Give this a look.

http://www.linuxquestions.org/questions/showthread.php?s=&forumid=46&threadid=163805



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
M.Bilal Fassy
Sent: Thursday, April 08, 2004 2:41 PM
To: [EMAIL PROTECTED]
Subject: RE: Support Needed


Hi

I still not get any support for the question i asked today. Please help
me with this .

Hi,

Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the

/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


Thanks in advance.





RE: Support Needed

2004-04-08 Thread Steinberger, Jacob
> Could you tell me how I could use cron to send me a mail to me,
> automatically every day at 12 midnight with the
> 
> /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x
>  file.
> 
> 
> Thanks in advance.
> 


That's not a question for the FreeRadius list as it isn't a problem with FreeRadius. 
You might try posting to a basic Unix Administration list.

Jacob



RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Hi

I still not get any support for the question i asked today. Please help me
with this .

Hi,

Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the

/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


Thanks in advance.





Re: PEAP

2004-04-08 Thread Michael Griego
On Thu, 2004-04-08 at 13:35, Steve OBrien wrote:
> Are the only user authentication methods available to PEAP local, as
> in users typed into users file?  You can't use PAM or any external
> user databases?

doc/aaa.txt.  Please read it and understand it.  It contains all the
information you need to answer this question (and many others you've
posted to this list).


-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





PEAP

2004-04-08 Thread Steve OBrien

Are the only user authentication methods
available to PEAP local, as in users typed into users file?  You can't
use PAM or any external user databases?

Steve

Re: EAP configurations

2004-04-08 Thread Julius Igugu
Could you post a copy of your radiusd.conf?

Aoun Shah <[EMAIL PROTECTED]> wrote:

Hi guys,
 
While running in the debugging mode I have the following output of the radius server.
I see only one message which say 
 
auth: Failed to validate the user. in this trace, I want to know why this message is coming. I hope that this is cause for rejection from radius server. Can any one tell by looking a the below traces what could be the reasons.
 
 
 
 
rad_recv: Access-Request packet from host 129.69.1.50:1812, id=2, length=104
    NAS-IP-Address = 129.69.1.50
    NAS-Port-Type = Async
    User-Name = "testuser"
    Service-Type = Framed-User
    Framed-MTU = 1500
    Calling-Station-Id = "00-e0-00-99-75-bd"
    EAP-Message = "\002\000\000\014\001radius1"
    Message-Authenticator = 0x0ba1ecf55dee6d6527f3b77fb9194de4
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched radius1 at 215
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
/***/
auth: type "EAP"
auth: Failed to validate the user.
/**/
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 129.69.1.50:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 407562ad
 
 
 
thanks in advance for ur help.
Aoun 
Stuttgart University.


Julius Igugu
SouthWork Co. Ltd.
234 (802) 320-7540

Re: New "listen" directive

2004-04-08 Thread Milver S. Nisay
hello. is there anyone here who knows the error from radius that says

user profile not found or deactive login name?

milver





Re: EAP configurations

2004-04-08 Thread Michael Griego
On Thu, 2004-04-08 at 09:42, Aoun Shah wrote:
> auth: Failed to validate the user. in this trace, I want to know why
> this message is coming. I hope that this is cause for rejection from
> radius server. Can any one tell by looking a the below traces what
> could be the reasons.

What does your radiusd.conf file look like?  Do you have "eap" listed in
the "authenticate" section (as it is by default) or did you comment it
out?


-- 

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas





Re: ARAP-Security-Data

2004-04-08 Thread Alan DeKok
AG <[EMAIL PROTECTED]> wrote:
>  From the output of the server it looks like the Access is granted but 
> the web client complains with the following messages,

  Then you've got to figure out why the client doesn't like the answer.

> I think the client-side script is looking for some additional 
> attribute. Is this configurable in freeradius?

  Yes.  Add a "ARAP-Security-Data" attribute to the reply packet.  See
http://www.freeradius.org/rfc/attributes.html for a definition of the
attribute, and what can be used as values for it.

  Alan DeKok.




EAP configurations

2004-04-08 Thread Aoun Shah
Hi guys,
 
While running in the debugging mode I have the following output of the radius server.
I see only one message which say 
 
auth: Failed to validate the user. in this trace, I want to know why this message is coming. I hope that this is cause for rejection from radius server. Can any one tell by looking a the below traces what could be the reasons.
 
 
 
 
rad_recv: Access-Request packet from host 129.69.1.50:1812, id=2, length=104
    NAS-IP-Address = 129.69.1.50
    NAS-Port-Type = Async
    User-Name = "testuser"
    Service-Type = Framed-User
    Framed-MTU = 1500
    Calling-Station-Id = "00-e0-00-99-75-bd"
    EAP-Message = "\002\000\000\014\001radius1"
    Message-Authenticator = 0x0ba1ecf55dee6d6527f3b77fb9194de4
modcall: entering group authorize
  modcall[authorize]: module "preprocess" returns ok
rlm_chap: Could not find proper Chap-Password attribute in request
  modcall[authorize]: module "chap" returns noop
  modcall[authorize]: module "mschap" returns notfound
  modcall[authorize]: module "eap" returns updated
    rlm_realm: No '@' in User-Name = "testuser", looking up realm NULL
    rlm_realm: No such realm NULL
  modcall[authorize]: module "suffix" returns noop
    users: Matched radius1 at 215
  modcall[authorize]: module "files" returns ok
modcall: group authorize returns updated
  rad_check_password:  Found Auth-Type EAP
/***/
auth: type "EAP"
auth: Failed to validate the user.
/**/
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Waking up in 1 seconds...
--- Walking the entire request list ---
Sending Access-Reject of id 2 to 129.69.1.50:1812
Waking up in 4 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 2 with timestamp 407562ad
 
 
 
thanks in advance for ur help.
Aoun 
Stuttgart University.

Re: New "listen" directive

2004-04-08 Thread Alan DeKok
Dennis Skinner <[EMAIL PROTECTED]> wrote:
> >   e.g. You can make the server listen on 2 IP's of a machine, but not
> > a third.
> 
> What address will it send the reply packet on?

  The one it came in on.

  The server opens a different socket for each "listen" directive.
Any request received on a socket has the response sent out the same
socket.

>  I've noticed that my
> servers tend to respond on eth0 when bind=* even if the request came in
> on eth0:1.

  That's what --with-udpfromto is for, when you set "bind_address=*"

  The new "listen" directive makes the --with-udpfromto less critical.

> Is there an option like Bind's (DNS) "query-source address"?

  Nope.  There's no need.

  Alan DeKok.
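
The socket-per-"listen" behaviour described above, shown with plain UDP sockets. This is an added example, not FreeRADIUS code and not part of the original post: it opens one socket per address, answers each request on the socket that received it, and compares that with a single wildcard socket. It assumes 127.0.0.2 can stand in for a second interface address (with a fallback to a second port on 127.0.0.1), and all function names are hypothetical.

```python
import select
import socket


def bind_udp(host, port=0):
    """Open a UDP socket on host:port (port 0 = any free port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock


def open_listeners():
    """One socket per address, as with one socket per "listen" entry.

    Assumption: 127.0.0.2 stands in for a second interface address. Hosts
    that do not accept it fall back to a second port on 127.0.0.1.
    """
    first = bind_udp("127.0.0.1")
    try:
        second = bind_udp("127.0.0.2")
    except OSError:
        second = bind_udp("127.0.0.1")
    return [first, second]


def serve_pending(sockets, timeout=2.0):
    """Answer each waiting datagram on the socket that received it."""
    ready, _, _ = select.select(sockets, [], [], timeout)
    for sock in ready:
        data, peer = sock.recvfrom(4096)
        sock.sendto(b"reply:" + data, peer)
    return [sock.getsockname() for sock in ready]


def exchange(client, target, server_sockets):
    """Send one request to target and return the address the reply came from."""
    client.sendto(b"request", target)
    serve_pending(server_sockets)
    _, source = client.recvfrom(4096)
    return source


def client_accepts(sent_to, reply_from):
    """Check applied by a client that validates the reply's source:
    it must be the address and port the request was sent to."""
    return sent_to == reply_from


def per_listener_demo():
    """Return (sent_to, reply_from) for one request to each listener."""
    listeners = open_listeners()
    client = bind_udp("127.0.0.1")
    client.settimeout(2.0)
    try:
        return [(s.getsockname(), exchange(client, s.getsockname(), listeners))
                for s in listeners]
    finally:
        for sock in listeners + [client]:
            sock.close()


def wildcard_demo():
    """Same exchange against a single socket bound to 0.0.0.0.

    The kernel picks the reply's source address by route lookup, so it need
    not be the address the request was sent to. Returns None when the host
    has no usable 127.0.0.2.
    """
    server = bind_udp("0.0.0.0")
    client = bind_udp("127.0.0.1")
    client.settimeout(2.0)
    target = ("127.0.0.2", server.getsockname()[1])
    try:
        return target, exchange(client, target, [server])
    except OSError:
        return None
    finally:
        server.close()
        client.close()


if __name__ == "__main__":
    for sent_to, reply_from in per_listener_demo():
        verdict = "accepted" if client_accepts(sent_to, reply_from) else "dropped"
        print("listen socket:", sent_to, "->", reply_from, verdict)
    result = wildcard_demo()
    if result:
        sent_to, reply_from = result
        verdict = "accepted" if client_accepts(sent_to, reply_from) else "dropped"
        print("wildcard socket:", sent_to, "->", reply_from, verdict)
```
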



Re: Radius Technical Support.

2004-04-08 Thread Alan DeKok
Navid Sheik <[EMAIL PROTECTED]> wrote:
> I apologize to the list for the commercial message I just sent, I sent
> it by mistake to the list instead of the user who had requested it.

  It was a question on a public list.

  Responding to that question with a company name is OK.  Posting ads
or marketing text isn't.

  Alan DeKok.




configure fail over -- docs please

2004-04-08 Thread Vasudevan.S
Hi,

Can someone respond to this issue? It's very critical for my project.

Please let me know if you (list users) need any additional information 
on this.

Thanks,
Vasudevan.S




Hi,

Please find the output in the primary server log.

I don't understand why it tries to check with the system users when it
has to try with the secondary server.
rad_recv: Access-Request packet from host 192.168.112.77:58298, id=2,
length=90
 Calling-Station-Id = "31"
 User-Name = "[EMAIL PROTECTED]"
 User-Password = "dummy"
 NAS-Identifier = "vasus.india.adventnet.com"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authorize for
request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
preprocess (rlm_preprocess) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module
"preprocess" returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling chap
(rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
chap (rlm_chap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "chap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling eap
(rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
eap (rlm_eap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "eap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling suffix
(rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Looking up realm
"adventnet.com" for User-Name = "[EMAIL PROTECTED]"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Found realm "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding
Stripped-User-Name = "dummy"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Proxying request from
user dummy to realm DEFAULT
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Adding Realm = "DEFAULT"
Thu Apr  8 12:34:28 2004 : Debug: rlm_realm: Authentication realm is
LOCAL.
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
suffix (rlm_realm) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "suffix"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling files
(rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug: users: Matched DEFAULT at 155
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
files (rlm_files) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "files"
returns ok for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: calling mschap
(rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authorize]: returned from
mschap (rlm_mschap) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authorize]: module "mschap"
returns noop for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authorize returns ok
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   rad_check_password:  Found Auth-Type
System
Thu Apr  8 12:34:28 2004 : Debug: auth: type "System"
Thu Apr  8 12:34:28 2004 : Debug: modcall: entering group authenticate
for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: calling
unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modsingle[authenticate]: returned
from unix (rlm_unix) for request 0
Thu Apr  8 12:34:28 2004 : Debug:   modcall[authenticate]: module "unix"
returns notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: modcall: group authenticate returns
notfound for request 0
Thu Apr  8 12:34:28 2004 : Debug: auth: Failed to validate the user.
Thu Apr  8 12:34:28 2004 : Auth: Login incorrect: [dummy] (from client
vasus.adventnet.com port 0 cli 31)
Thu Apr  8 12:34:28 2004 : Debug: Delaying request 0 for 1 seconds


Thanks,
Vasudevan.S


Hi,

Can anyone help me in configuring the proxy servers for fail over.
Please find the proxy configuration I have done in the primary and
secondary radius servers.
Primary Server (proxy.conf)

realm DEFAULT{
 type = radius
 authhost = wifi-test3.adventnet.com:1812
 accthost = wifi-test3.adventnet.com:1813
 secret = xydsudysdiu
 ldflag = fail_over
 }
Secondary server (proxy.conf)

realm DEFAULT{
 type = radius
 authhost = vasus.adventnet.com:1812
 accthost = vasus.adventnet.com:1813
 secret = xydsudysdiu
 ldflag = fail_over
 }
Both are Linux systems. I have added a user on the secondary server and
am trying to authenticate the user. But the primary server never sends the
request to the secondary server; it tries to authenticate on the primary
server itself and rejects the authentication request.

Re: freeradius snap EAP//TLS problem

2004-04-08 Thread Rinaldo Bergamini
Alan DeKok wrote:
>   The debug messages do tell you what's going wrong:
>
>>   rlm_eap_tls: Received unexpected tunneled data after successful
>>  handshake. rlm_eap: Handler failed in EAP/tls
>>   rlm_eap: Failed in EAP select
>>   modcall[authenticate]: module "eap" returns invalid for request 4
>
>   See the list archives for causes.  It's generally a certificate
> problem.

In fact it was a certificate problem on the winxp supplicant. The
certificates I had were not generated with the xpextensions, as I found on
the archives I made new certificates and now everything works fine.

Thanks a lot for the support Alan.




RE: PEAP w/MS-CHAPv2:: Wireless Authentication against WindowsAD as user profile storage

2004-04-08 Thread Tom Rixom
Has anyone developed a GSS module for Microsoft?

> -Original Message-
> From: Artur Hecker [mailto:[EMAIL PROTECTED]
> Sent: Thursday, April 08, 2004 11:19 AM
> To: [EMAIL PROTECTED]
> Subject: Re: PEAP w/MS-CHAPv2:: Wireless Authentication against
> WindowsAD as user profile storage
> 
> 
> 
> hi :-)
> 
> 
> this is called EAP-GSS and it does exist:
> 
> http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt
> 
> 
> there have been some troubles with standard kerberos detected 
> by Thomas 
> Wu... they also become important when used over EAP due to the 
> potentially high number of reauthentications. anyway, the attacks are 
> referenced more precisely in the draft which should also provide work 
> arounds.
> 
> 
> ciao
> artur
> 
> 
> 
> 
> Tom Rixom wrote:
> > Mike,
> > 
> > I have been following the Kerberos discussion for a while and 
> > this was exactly what I was thinking.
> > 
> > But where to start? What is required for Kerberos authentication? 
> > 
> > Tom
> > 
> > 
> >>-Original Message-
> >>From: Michael Griego [mailto:[EMAIL PROTECTED]
> >>Sent: Wednesday, April 07, 2004 8:02 PM
> >>To: [EMAIL PROTECTED]
> >>Subject: RE: PEAP w/MS-CHAPv2:: Wireless Authentication against
> >>WindowsAD as user profile storage
> >>
> >>
> >>On Wed, 2004-04-07 at 11:57, Steve OBrien wrote:
> >>
> >>>Does anyone know if you can use Kerberos for user 
> authentication for
> >>>PEAP?
> >>
> >>Not unless there's an EAP-Kerberos (EAP-KRB?) to be used for the
> >>inside-tunnel authentication.  I, however, never heard of any 
> >>work being
> >>done on an EAP-Kerberos method.  Perhaps you could start your 
> >>own draft
> >>with the IETF? :)
> >>
> >>-- 
> >>
> >>--Mike
> >>
> >>---
> >>Michael Griego
> >>Wireless LAN Project Manager
> >>The University of Texas at Dallas
> >>
> >>
> >>


Supported features

2004-04-08 Thread Bulent Sahin

Hi,

Does FreeRadius support all these features
explained below?

There are XP PC's connected to a Cisco
Based LAN with 6500 and 3550EI switches.

Users  will authenticate using
802.1x to access LAN.
Mac-address ; user-name verification...
Automatic VLAN assignment...
Automatic Access-Control List assignment.
User database will be received from
Windows Domain and will be kept up-to-date.

Thanks,
Have a nice day
Bulent

ARAP-Security-Data

2004-04-08 Thread AG
Hi All,

I am new to this group. Recently I have installed freeradius (0.9.3). I 
have changed users and client.conf and everything  else is default.

### clients.conf ###
client ip_addr_masked {
   secret = xxx    # same secret the client uses
   shortname = web-client
   login=xyz
   passwd=xyz123
}
### users ###
xyz  Auth-Type := Local, User-Password == "xyz123"
### OUTPUT ###

Here is what I get (radiusd -xxyz),


rad_recv: Access-Request packet from host :3745, 
id=252, length=65
Thread 2 assigned request 1
--- Walking the entire request list ---
Threads: total/active/spare threads = 5/1/4
Waking up in 5 seconds...
Thread 2 handling request 1, (1 handled so far)
NAS-Identifier = "localhost"
User-Name = "xyz"
User-Password = "xyz123"
Login-LAT-Node = "eDiylJbp"
modcall: entering group authorize for request 1
  modcall[authorize]: module "preprocess" returns ok for request 1
  modcall[authorize]: module "chap" returns noop for request 1
  modcall[authorize]: module "eap" returns noop for request 1
rlm_realm: No '@' in User-Name = "xyz", looking up realm NULL
rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 1
users: Matched jobs at 90
  modcall[authorize]: module "files" returns ok for request 1
  modcall[authorize]: module "mschap" returns noop for request 1
modcall: group authorize returns ok for request 1
  rad_check_password:  Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Sending Access-Accept of id 252 to :3745
Finished request 1
Going to the next request
Thread 2 waiting to be assigned a request
--

From the output of the server it looks like the Access is granted but 
the web client complains with the following messages,


A problem occurred in a Python script. Here is the sequence of function 
calls leading up to the error, in the order they occurred.

 /usr/local/scripts/radius/cgi-bin/authen.py
   27 reply=srv.SendPacket(req)
   28
   29 if reply['ARAP-Security-Data'][0] == randkey:
   30   print open('sentence').read()
   31
reply = {}, randkey = 'eDiylJbp'
 /usr/local/lib/python2.2/site-packages/pyrad/packet.py in 
__getitem__(self={}, key='ARAP-Security-Data')
  156 return self.data[key]
  157
  158 values=self.data[self._EncodeKey(key)]
  159 attr=self.dict.attributes[key]
  160 res=[]
values undefined, self = {}, self.data = {}, self._EncodeKey = , key = 'ARAP-Security-Data'

KeyError: 74
  __doc__ = 'Mapping key not found.'
  __getitem__ = >
  __init__ = >
  __module__ = 'exceptions'
  __str__ = >
  args = (74,)
--

###END OF OUTPUT###

I think the client-side script is looking for some additional 
attribute. Is this configurable in freeradius?

Any help would be greatly appreciated.

Cheers,
Anshul
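
The traceback above shows an Access-Accept that carried no attributes (`reply = {}`), so `reply['ARAP-Security-Data']` raises `KeyError: 74`; 74 is that attribute's number in RFC 2869. As an added example, not code from the original post or from pyrad: a standalone reply parser that verifies the Response Authenticator and reports a missing attribute 74 as its own result instead of crashing. The shared secret, authenticator bytes, function names and result labels are constructed for illustration.

```python
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ARAP_SECURITY_DATA = 74  # RFC 2869 number; the "KeyError: 74" in the traceback


def build_reply(code, ident, request_auth, secret, attrs=()):
    """Build a signed reply; stands in for the server (constructed input)."""
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    header = struct.pack("!BBH", code, ident, 20 + len(body))
    auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + auth + body


def parse_reply(packet, request_auth, secret):
    """Verify the Response Authenticator, return (code, {type: [values]})."""
    if len(packet) < 20:
        raise ValueError("short RADIUS packet")
    code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length < 20 or length > len(packet):
        raise ValueError("bad RADIUS length field")
    packet = packet[:length]
    body = packet[20:]
    expected = hashlib.md5(packet[:4] + request_auth + body + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        raise ValueError("Response Authenticator mismatch")
    attrs, pos = {}, 0
    while pos < len(body):
        if len(body) - pos < 2:
            raise ValueError("truncated attribute header")
        a_type, a_len = body[pos], body[pos + 1]
        if a_len < 2 or pos + a_len > len(body):
            raise ValueError("bad attribute length")
        attrs.setdefault(a_type, []).append(body[pos + 2:pos + a_len])
        pos += a_len
    return code, attrs


def check_login(packet, request_auth, secret, randkey):
    """Classify a reply instead of indexing the attribute unconditionally."""
    code, attrs = parse_reply(packet, request_auth, secret)
    if code != ACCESS_ACCEPT:
        return "rejected"
    values = attrs.get(ARAP_SECURITY_DATA, [])
    if not values:
        return "accepted-no-echo"  # the logged case: Access-Accept, no attributes
    if hmac.compare_digest(values[0], randkey):
        return "accepted-echo-ok"
    return "accepted-echo-mismatch"


# Constructed sample data, not captured traffic.
SECRET = b"testing123"
REQ_AUTH = bytes(range(16))
RANDKEY = b"eDiylJbp"
BARE_ACCEPT = build_reply(ACCESS_ACCEPT, 252, REQ_AUTH, SECRET)
ECHO_ACCEPT = build_reply(ACCESS_ACCEPT, 252, REQ_AUTH, SECRET,
                          [(ARAP_SECURITY_DATA, RANDKEY)])

if __name__ == "__main__":
    print(check_login(BARE_ACCEPT, REQ_AUTH, SECRET, RANDKEY))
    print(check_login(ECHO_ACCEPT, REQ_AUTH, SECRET, RANDKEY))
```

A caller that requires the echoed key should treat every result other than `accepted-echo-ok` as a failed login.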


mysql libraries

2004-04-08 Thread Santiago Balaguer García
Hi People,

 I have freeradius.9.3 running in a Mandrake Distribution.

 Can someone send me a precompiled drivers to mysql?

  I need the files of /usr/local/lib/rlm_sql_mysql.* .

 Thanks



Re: PEAP w/MS-CHAPv2:: Wireless Authentication against WindowsAD as user profile storage

2004-04-08 Thread Artur Hecker
also this one:

http://www.drizzle.com/~aboba/IEEE/draft-ietf-cat-iakerb-09.txt

Artur Hecker wrote:

hi :-)

this is called EAP-GSS and it does exist:

http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt

there have been some troubles with standard kerberos detected by Thomas 
Wu... they also become important when used over EAP due to the 
potentially high number of reauthentications. anyway, the attacks are 
referenced more precisely in the draft which should also provide work 
arounds.

ciao
artur


Tom Rixom wrote:

Mike,

I have been following the Kerberos discussion for a while and this was 
exactly what I was thinking.

But where to start? What is required for Kerberos authentication?
Tom

-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:02 PM
To: [EMAIL PROTECTED]
Subject: RE: PEAP w/MS-CHAPv2:: Wireless Authentication against
WindowsAD as user profile storage
On Wed, 2004-04-07 at 11:57, Steve OBrien wrote:

Does anyone know if you can use Kerberos for user authentication for
PEAP?


Not unless there's an EAP-Kerberos (EAP-KRB?) to be used for the
inside-tunnel authentication.  I, however, never heard of any work being
done on an EAP-Kerberos method.  Perhaps you could start your own draft
with the IETF? :)
--

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas



Re: PEAP w/MS-CHAPv2:: Wireless Authentication against WindowsAD as user profile storage

2004-04-08 Thread Artur Hecker
hi :-)

this is called EAP-GSS and it does exist:

http://www.drizzle.com/~aboba/IEEE/draft-aboba-pppext-eapgss-12.txt

there have been some troubles with standard kerberos detected by Thomas 
Wu... they also become important when used over EAP due to the 
potentially high number of reauthentications. anyway, the attacks are 
referenced more precisely in the draft which should also provide work 
arounds.

ciao
artur


Tom Rixom wrote:
Mike,

I have been following the Kerberos discussion for a while and 
this was exactly what I was thinking.

But where to start? What is required for Kerberos authentication? 

Tom


-Original Message-
From: Michael Griego [mailto:[EMAIL PROTECTED]
Sent: Wednesday, April 07, 2004 8:02 PM
To: [EMAIL PROTECTED]
Subject: RE: PEAP w/MS-CHAPv2:: Wireless Authentication against
WindowsAD as user profile storage
On Wed, 2004-04-07 at 11:57, Steve OBrien wrote:

Does anyone know if you can use Kerberos for user authentication for
PEAP?
Not unless there's an EAP-Kerberos (EAP-KRB?) to be used for the
inside-tunnel authentication.  I, however, never heard of any 
work being
done on an EAP-Kerberos method.  Perhaps you could start your 
own draft
with the IETF? :)

--

--Mike

---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas




Re:Support Needed

2004-04-08 Thread M.Bilal Fassy
Hi,

Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the

/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


Thanks in advance.





RE: 802.1x port authentication with Freeradius

2004-04-08 Thread Frederic . EVRARD
Hi all,

You are right Guy, Aoun confused supplicant and authenticator.
Yesterday I gave the EAP md5 conf for "xsupplicant.conf", which is the
config file of the user and not of the freeradius server. In freeradius, for
the simplest config you can leave radiusd.conf as default and just edit the
"users" file and the "clients.conf" file.
I give the conf one more time, and it works on my side:

Xsupplicant.conf, but I think all user soft need the same parameters
because the radius server waits for this information:

mynetwork {

  allow_types = eap_md5

  identity = login          # Identification

  eap-md5 {
    username = login        # Authentication
    password = password
  }
}

Now, you need to configure your Freeradius "users" file:

radiustestor    Auth-Type := EAP, User-Password == "password"
        Service-Type = Framed-User

Aoun, if your switch is well configured, it works perfectly. Don't forget
the secret key in the radius entry on your switch and in the clients.conf on
the radius server. If you have more questions, try to ask questions step by
step: user config / switch config / Freeradius server config.

Keep Hope

Fred


>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA1
>
> Hi Alan,
>
> I suspect that Aoun is using xsupplicant.  The format he's described is
> actually consistant with xsupplicant.conf for the latest CVS version.
>
> If I'm correct, then this configuration is actually on his laptop, not in
> radius.conf.  If it is in radius.conf, then I've no idea what he's doing
> ;-)
>
> Regards,
>
> Guy
>
>> -Original Message-
>> From: Alan DeKok [mailto:[EMAIL PROTECTED]
>> Sent: 07 April 2004 19:30
>> To: [EMAIL PROTECTED]
>> Subject: Re: 802.1x port authentication with Freeradius
>>
>>
>> Aoun Shah <[EMAIL PROTECTED]> wrote:
>> > on the raduis server I have this entries in radius.conf file
>> >
>> > eap {
>> >
>> >   md5 {
>> > username =
>> radiuser11
>> > password =  radiuser11
>>
>>   I don't see why you're putting a username & password into the md5
>> configuration.  Nothing in the server leads you to believe that does
>> anything.
>>
>> > with the above all given entries I am able to get the
>> following result.
>> >
>> > 18:11:19.828169 129.69.1.50.radius >
>> testserv.rus.uni-stuttgart.de.radius:  rad-access-req 104 [id
>> 49] Attr[  NAS_ipaddr{129.69.1.50}  NAS_port_type{Async}
>> User{radiuser11} Service_type{Framed}
>> Framed_mtu{1500}(zero-length attribute)
>> >
>>
>>   TCPdump is useless for debugging the servers configuration.  See the
>> FAQ & README's for instructions on running in debugging mode.
>>
>>   Alan Dekok.
>>
>
> -BEGIN PGP SIGNATURE-
> Version: PGP 8.0
>
> iQA/AwUBQHRSS43dwu/Ss2PCEQKKZQCg4tAJKd5abkFmOShSfrFZ0spUyx0An2zc
> 6+0gxWwIltqbSHDzeHjyWE6p
> =cpTE
> -END PGP SIGNATURE-
>


RE: PEAP w/MS-CHAPv2:: Wireless Authentication against WindowsAD as user profile storage

2004-04-08 Thread Tom Rixom
Mike,

I have been following the Kerberos discussion for a while and 
this was exactly what I was thinking.

But where to start? What is required for Kerberos authentication? 

Tom

> -Original Message-
> From: Michael Griego [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, April 07, 2004 8:02 PM
> To: [EMAIL PROTECTED]
> Subject: RE: PEAP w/MS-CHAPv2:: Wireless Authentication against
> WindowsAD as user profile storage
> 
> 
> On Wed, 2004-04-07 at 11:57, Steve OBrien wrote:
> > Does anyone know if you can use Kerberos for user authentication for
> > PEAP?
> 
> Not unless there's an EAP-Kerberos (EAP-KRB?) to be used for the
> inside-tunnel authentication.  I, however, never heard of any 
> work being
> done on an EAP-Kerberos method.  Perhaps you could start your 
> own draft
> with the IETF? :)
> 
> -- 
> 
> --Mike
> 
> ---
> Michael Griego
> Wireless LAN Project Manager
> The University of Texas at Dallas
> 
> 
> 