Radius+LDAP for TACACS alternative

2006-10-30 Thread Arya, Manish Kumar
Hi People,

   I am a newbie to Radius, picking up slowly with
Radius.

   Can I use Radius for TACACS replacement ?
We have users/groups and Tacacs server provides
authentication/authorization for router cmds to these
user/groups.
   Can I achieve this using Radius, if yes, please send
some links to start.

Regards,
-Manish


 

- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


proxy + rlm_perl question

2006-10-30 Thread Francois-Xavier GAILLARD

Hi list,

I have 2 questions:

1/ I'll have to proxy auth requests to a client's home radius. He is just
allowed to check the user's username/password.
 I know how to filter attributes using attrs and the post-proxy section of
radiusd.conf. But I don't know how to ADD attributes, like
Framed-IP-Address for example.
 User-Name isn't sent back from the home radius to the proxy radius in
the Access-Accept, thus I can't make any sql query (I use mysql backend)
based on the username to get the Framed-IP-Address I want to assign to
the users.
 I could do a sql query in the pre-proxy section (don't know if it's ok,
because you can't use the sql module in post-proxy) but I don't want to
send anything else than UserName and Password to the client's home
radius.

Any idea how I could do that ?

2/ when I try to use example.pl in the post-proxy section I get the
following error:

Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module 
Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: 
Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
at /usr/lib/perl/5.8/Data/Dumper.pm line 27
Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line 31.

Doesn't look that there's any problem with the perl script (the script doesn't
do anything actually, it's just for testing purpose):

[EMAIL PROTECTED] :/etc/freeradius#/usr/local/libexec/post-proxy.pl
[EMAIL PROTECTED] :/etc/freeradius#

I'm a real *dick* a perl programming, I guess the problem might be a
pebcak, but maybe it's not.

I'm using FR 1.1.2 with Debian Sarge.

Thanks for any hint.

regards,
Fox.



Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Mustafa Şenay


 I'm not sure that how will RADIUS server know to check password
 against LDAP server while EAP is in place?

  It doesn't.



Does this mean that EAP plugin only checks users file to
authenticate users with their passwords?

Mustafa


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Mustafa Şenay

It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part).
However search this list's archive, see documentation etc. and the
pertinent parts of the server's debug output you still chose not to
provide here.

regards
K. Hoercher



Is there a way to get clear password after PEAP plugin has processed
EAP message and gained password to check against users file?

Mustafa


Re: Radius+LDAP for TACACS alternative

2006-10-30 Thread James Wakefield

Arya, Manish Kumar wrote:

Hi People,

   I am a newbie to Radius, picking up slowly with
Radius.

   Can I use Radius for TACACS replacement ?
We have users/groups and Tacacs server provides
authentication/authorization for router cmds to these
user/groups.
   Can I achieve this using Radius, if yes, please send
some links to start.

Regards,
-Manish



Hi Manish,

I believe http://www-128.ibm.com/developerworks/linux/library/l-radius/ 
should cover most of your questions.


Note however that you cannot perform command-level audit logging with 
RADIUS as with TACACS.  If this is not important to you, then you're 
pretty much all set.


Cheers,

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au


RE: EAP and accounting

2006-10-30 Thread Angel L. Mateo
On Fri, 20-10-2006 at 09:24 -0400, King, Michael wrote:
 Yes.  It's possible.
 
 Look in eap.conf  In each EAP section (TTLS and PEAP) this code snippet exists
 
 #  The reply attributes sent to the NAS are
 #  usually based on the name of the user
 #  'outside' of the tunnel (usually
 #  'anonymous').  If you want to send the
 #  reply attributes based on the user name
 #  inside of the tunnel, then set this
 #  configuration entry to 'yes', and the reply
 #  to the NAS will be taken from the reply to
 #  the tunneled request.
 #
 # allowed values: {no, yes}
 use_tunneled_reply = no 
 
Hello,

I have this attribute set to yes. With this, the reply my freeradius
server sent to the client is based in the user inside the EAP tunnel,
but the accounting logs are still registered with username anonymous
instead the username inside the tunneled request.

-- 
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información   _o)
y las Comunicaciones Aplicadas (ATICA)  / \
http://www.um.es/atica                 _(___V
Tfo: 968367590
Fax: 968398337




RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD

2006-10-30 Thread ego seek
I use Squid and RADIUS.

Squid use Squid_radius_authenticator to authenticate a client and write a log in which there is the username and the http request.

THE PROBLEM IS:
In the radcheck table i put a value: AUTH-TYPE and set MS-CHAP for the user. his password is stored in NT-HASH format.

when the authenticator try to authenticate the user, this is the output

...
rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect:[username/password]

can anybody help me? please.

Re: RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD

2006-10-30 Thread Michael Lecuyer

This pretty much sums up the problem:

   rlm_mschap: No MS-CHAP-Challenge in the request

This is not a valid MS-CHAP request. You might want to look at the 
actual attributes passed to see if this is really an MS-CHAP request. It 
will contain Microsoft VSAs containing a MS-CHAP-Challenge and a 
MS-CHAP-Response.


ego seek wrote:

I use Squid and RADIUS.

Squid use Squid_radius_authenticator to authenticate a client and write 
a log in which there is the username and the http request.


THE PROBLEM IS:
In the radcheck table i put a value: AUTH-TYPE and set MS-CHAP for 
the user. his password is stored in NT-HASH format.

when the authenticator try to authenticate the user, this is the output


...
rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: Found NT-Password
  rlm_mschap: No MS-CHAP-Challenge in the request
  modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect:[username/password]


can anybody help me?
please.





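A way to run the check Michael Lecuyer describes, as an added example that is not part of the original thread or of FreeRADIUS: the Python code below parses a raw Access-Request and reports which credential type it actually carries, so that a forced Auth-Type of MS-CHAP can be compared with the request. Attribute numbers follow RFC 2865 and RFC 2548; the sample packets are constructed, and the PAP-style one is an assumption about what a basic-auth helper sends.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 2869; Microsoft VSA types from RFC 2548.
USER_NAME, USER_PASSWORD, CHAP_PASSWORD = 1, 2, 3
VENDOR_SPECIFIC, EAP_MESSAGE = 26, 79
MICROSOFT = 311
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25


def parse_attributes(packet):
    """Return [(type, value)] for the top-level attributes of a RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("length field does not match the datagram")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("attribute %d has a bad length" % atype)
        attrs.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return attrs


def microsoft_subtypes(value):
    """Return the Microsoft vendor types carried in one Vendor-Specific value."""
    if len(value) < 6 or struct.unpack("!I", value[:4])[0] != MICROSOFT:
        return set()
    found, pos = set(), 4
    while pos + 2 <= len(value):
        vtype, vlen = value[pos], value[pos + 1]
        if vlen < 2 or pos + vlen > len(value):
            raise ValueError("Microsoft VSA %d has a bad length" % vtype)
        found.add(vtype)
        pos += vlen
    return found


def credential_kind(packet):
    """Name the authentication method the Access-Request actually carries."""
    types, ms = set(), set()
    for atype, value in parse_attributes(packet):
        types.add(atype)
        if atype == VENDOR_SPECIFIC:
            ms |= microsoft_subtypes(value)
    if EAP_MESSAGE in types:
        return "EAP"
    response = ms & {MS_CHAP_RESPONSE, MS_CHAP2_RESPONSE}
    if MS_CHAP_CHALLENGE in ms and response:
        return "MS-CHAP"
    if MS_CHAP_CHALLENGE in ms or response:
        return "incomplete MS-CHAP"
    if CHAP_PASSWORD in types:
        return "CHAP"
    if USER_PASSWORD in types:
        return "PAP"
    return "none"


def check_forced_auth_type(packet, forced):
    """Explain whether a per-user Auth-Type override fits the request."""
    kind = credential_kind(packet)
    if kind == forced:
        return "ok: request carries %s credentials" % kind
    return "mismatch: Auth-Type %s forced, but request carries %s" % (forced, kind)


# --- constructed sample packets (not captured traffic) ---
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def ms_vsa(vtype, data):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + attr(vtype, data))


def access_request(attrs):
    body = b"".join(attrs)
    return struct.pack("!BBH", 1, 6, 20 + len(body)) + bytes(16) + body


# Assumption: a basic-auth helper sends User-Name plus User-Password (PAP).
PAP_REQUEST = access_request([attr(USER_NAME, b"alice"),
                              attr(USER_PASSWORD, bytes(16))])
MSCHAP_REQUEST = access_request([attr(USER_NAME, b"alice"),
                                 ms_vsa(MS_CHAP_CHALLENGE, bytes(8)),
                                 ms_vsa(MS_CHAP_RESPONSE, bytes(50))])

if __name__ == "__main__":
    print(check_forced_auth_type(PAP_REQUEST, "MS-CHAP"))
    print(check_forced_auth_type(MSCHAP_REQUEST, "MS-CHAP"))
```

A "mismatch" result for a request like the first one corresponds to the `No MS-CHAP-Challenge in the request` line in the debug output above.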


Want to test against variable-value

2006-10-30 Thread Hans-Peter Fuchs
Hello helpful friends,

I am using freeradius 1.1.3

I want to accept users only if they are members of a sql-Group which name
equals the Huntgroup-Name.
I try:

DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name}

this gives the error (radiusd -X):

module: Loaded files
 files: usersfile = /usr/local/etc/raddb/users
 files: acctusersfile = /usr/local/etc/raddb/acct_users
 files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
 files: compat = no
/usr/local/etc/raddb/users[161]: Parse error (check) for entry DEFAULT: Expected end of line or comma
Errors reading /usr/local/etc/raddb/users
radiusd.conf[398]: files: Module instantiation failed.
radiusd.conf[828] Unknown module files.
radiusd.conf[742] Failed to parse authorize section.

Thank you for any hint.

Regards

Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Zimmer 20
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972





Re: Want to test against variable-value

2006-10-30 Thread Alan DeKok
Hans-Peter Fuchs [EMAIL PROTECTED] wrote:
 DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name}
 
 this gives the error (radiusd -X):

  You need to use back-ticks.  SQL-Group == `%{...}`

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: proxy + rlm_perl question

2006-10-30 Thread Boian Jordanov
On Monday 30 October 2006 12:52, Francois-Xavier GAILLARD wrote:
 Hi list,

 I have 2 questions:

 1/ I'll have to proxy auth requests to a client's home radius. He is just
 allowed to check the user's username/password.
  I know how to filter attributes using attrs and the post-proxy section of
 radiusd.conf. But I don't know how to ADD attributes, like
 Framed-IP-Address for example.

To add an attribute you have to put it in the hash %RAD_REQUEST_PROXY_REPLY,
for example to return an IP address, say
$RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'} = '10.10.10.1';

  User-Name isn't sent back from the home radius to the proxy radius in
 the Access-Accept, thus I can't make any sql query (I use mysql backend)
 based on the username to get the Framed-IP-Address I want to assign to
 the users.
  I could do a sql query in the pre-proxy section (don't know if it's ok,
 because you can't use the sql module in post-proxy) but I don't want to
 send anything else than UserName and Password to the client's home
 radius.

 Any idea how I could do that ?

 2/ when I try to use example.pl in the post-proxy section I get the
 following error:

 Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module
 Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined
 symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68. at
 /usr/lib/perl/5.8/Data/Dumper.pm line 27
 Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
 BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line
 31.


Look at here http://bugs.freeradius.org/show_bug.cgi?id=236 

 Doesn't look that there's any problem with the perl script (the script
 doesn't do anything actually, it's just for testing purpose):

 [EMAIL PROTECTED] :/etc/freeradius#/usr/local/libexec/post-proxy.pl
 [EMAIL PROTECTED] :/etc/freeradius#

 I'm a real *dick* a perl programming, I guess the problem might be a
 pebcak, but maybe it's not.

 I'm using FR 1.1.2 with Debian Sarge.

 Thanks for any hint.

 regards,
 Fox.

-- 
Best Regards,
Boian Jordanov
SNE
Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002


Re: Proxy Realm Error or Realm dead ??

2006-10-30 Thread Alan DeKok
Rio Yang [EMAIL PROTECTED] wrote:
 Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm
 (default) ???

  Yes.  See radius.log, it will contain messages about abc.com being dead.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Cisco AP, FreeRADIUS and Fedora Directory Server

2006-10-30 Thread Alan DeKok
Mustafa Şenay [EMAIL PROTECTED] wrote:
 Does this mean that EAP plugin only checks users file to
 authenticate users with their passwords?

  No.  It means that EAP doesn't supply a password, so it doesn't
exist, and can't be checked against LDAP.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Radius+LDAP for TACACS alternative

2006-10-30 Thread Alan DeKok
James Wakefield [EMAIL PROTECTED] wrote:
 Note however that you cannot perform command-level audit logging with 
 RADIUS as with TACACS.  If this is not important to you, then you're 
 pretty much all set.

  There's a preliminary tacacs to radius gateway on
bugs.freeradius.org.  It should really be extended to do
authorization/authentication, and added to the server source.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: EAP and accounting

2006-10-30 Thread Alan DeKok
Angel L. Mateo [EMAIL PROTECTED] wrote:
   I have this attribute set to yes. With this, the reply my freeradius
 server sent to the client is based in the user inside the EAP tunnel,
 but the accounting logs are still registered with username anonymous
 instead the username inside the tunneled request.

  Because that's the only user name that the NAS sees.

  Use the Class attribute to set a per-session ID for the user.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: proxy + rlm_perl question

2006-10-30 Thread Francois-Xavier GAILLARD
On Mon, Oct 30, 2006 at 03:00:08PM +0200, Boian Jordanov wrote:
 On Monday 30 October 2006 12:52, Francois-Xavier GAILLARD wrote:
  Hi list,
 
  I have 2 questions:
 
  1/ I'll have to proxy auth requests to a client's home radius. He is just
  allowed to check the user's username/password.
   I know how to filter attributes using attrs and the post-proxy section of
  radiusd.conf. But I don't know how to ADD attributes, like
  Framed-IP-Address for example.
 
 To add an attribute you have to put it in the hash %RAD_REQUEST_PROXY_REPLY,
 for example to return an IP address, say
 $RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'} = '10.10.10.1';

This is for static values. I need to execute an SQL query based on the
User-Name attribute. In fact I just discovered post_proxy_authorize in
proxy.conf and it should do the job.

  Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module
  Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined
  symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68. at
  /usr/lib/perl/5.8/Data/Dumper.pm line 27
  Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
  BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line
  31.
 
 
 Look at here http://bugs.freeradius.org/show_bug.cgi?id=236 

Great, thanks a lot for this information.


Regards,
Fox.



AP and radius attributes

2006-10-30 Thread Manuel Sánchez Cuenca

Hello all,

does anybody knows if the linksys wrt54g AP support any radius 
attribute, such as Session-Timeout. Anyway, can anybody tell me which 
APs applies the radius attributes sent by the freeradius server after a 
successful authentication?


Thanks in advance.

--
-
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644  Fax: +34-968-364151
email: [EMAIL PROTECTED]  |  [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo



EAP and NIS

2006-10-30 Thread Pedro Henrique Morsch Mazzoni

Is there a way to use NIS to authenticate users with their passwords
when I am using EAP-TLS?

Thanks,
Pedro Mazzoni


Re: Wiki

2006-10-30 Thread Markus Krause

Quoting King, Michael [EMAIL PROTECTED]:

Anyone else having trouble getting to the Wiki right now?


yes, does not work here ... (munich ;-)

 markus

--
Markus Krause   email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99 Fax.: 089 - 89 40 85 98




Survey Results are in.

2006-10-30 Thread Alan DeKok
  It's been a few weeks since the survey was started.  Thanks to
everyone who entered their data.  The results are still coming in at
about 25 per day, so I expect that these numbers will change over
time.  So far, we have a bit over 500 responses, which makes the data
very useful.

  I won't get into a detailed explanation of the results, but I will
highlight the numbers.  I'll see if I can put some graphs on
freeradius.org in a few days, too.  We have the most interesting
result first:

== Total number of users who are authenticated via FreeRADIUS: 100,000,000

  That's impressive.  The top 30 sites alone have over 75 million
  users who are using RADIUS for authentication.  With those numbers,
  it looks like 10% or more of people on the net are authenticated via
  FreeRADIUS.  If we assume that a number of large sites haven't
  entered their data on the survey, then the percentage is probably
  much higher, like 25%.

  FreeRADIUS looks like it's the server of choice for the Internet.
  Maybe we'll make that the new slogan...

== Total number of RADIUS servers

  Many sites (70%) only have 1-2, with 95% of sites having 10 or fewer
servers.  About 1% has 50-100 servers, though, which is impressive.

== Databases

  MySQL is the clear winner at 30%.  Next comes the users file at
  10%, OpenLDAP at 17%, and Active Directory at 14%.

== Password hashes

  40% of passwords are stored as cleartext, 25% as Crypt, 20% as MD5,
  and 13% as NT hash.

== Authentication Protocols

  PAP and CHAP are paired at about 20%.  But PEAP, EAP-TLS, and TTLS
  are each about 10%, too.

== Configuration updates

  75% of sites change their configuration monthly to never.  That
  statistic goes a long way to explaining why so few people need
  official support. :)

== Other RADIUS servers

  ACS and IAS are tied at about 25% each.  Cistron and OpenRADIUS are
  at about 10%, and Funk & Radiator are just under 10%.

  It looks like FreeRADIUS isn't in the top 5 of RADIUS servers, it's
  in the top 3, and maybe is even number one!

  And a large number of people have *never* used a server other than
  FreeRADIUS.  I'm glad to see it's well received.

== Why FreeRADIUS?

  Open source, cost, and feature set all came in at about 20% each.

== What do you need most from FreeRADIUS?

  Something called documentation beat out the next nearest response
  by nearly 2:1.  We'll see if we can work on that.


  Anyways, thanks for all of the response.  We'll use the information
to target development for future releases.

  Alan DeKok.


Re: Machine Accounts against AD

2006-10-30 Thread Michael Griego
I'm not sure 1.0.4 had that fix in the rlm_mschap module.  If you  
need to use 1.0.4 for some reason, you may have to backport the patch  
from a later version of the module.


--Mike


On Oct 30, 2006, at 5:10 PM, King, Michael wrote:

I had this working before, and I can't figure out what I'm missing  
to get it working on this server.


Samba Version 3.0.23b
FreeRADIUS version 1.0.4

Users successfully authenticate with the domain, Machine accounts  
do not however.


My ntlm_auth line is:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}


I have:
with_ntdomain_hack = yes
in the mschap section.

The debug is below

The only thing that looks different than last time is it looks like  
the host/ isn't getting stripped off.  Should it?




rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171, length=324

User-Name = host/boytel2883.campus.bridgew.edu
Calling-Station-Id = 00-90-96-F4-2A-BB
Called-Station-Id = 00-0B-85-5B-55-A0:test
NAS-Port = 29
NAS-IP-Address = 10.0.1.22
NAS-Identifier = BUWISM2-2
Vendor-14179-Attr-1 = 0x0007
Service-Type = Framed-User
Framed-MTU = 1300
NAS-Port-Type = Wireless-802.11
Tunnel-Type:0 = VLAN
Tunnel-Medium-Type:0 = IEEE-802
Tunnel-Private-Group-Id:0 = 4000
EAP-Message =  
0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be39 
55bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc8179 
70b87e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5 
e5c322df88f7fd45aa24e13f

State = 0xdfdc87766140b541e2ac318d7ce82e0f
Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
rlm_realm: No '@' in User-Name = host/boytel2883.campus.bridgew.edu, looking up realm NULL

rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: EAP packet type response id 7 length 116
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
users: Matched entry DEFAULT at line 152
users: Matched entry DEFAULT at line 171
  modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established.  Decoding tunneled attributes.
  rlm_eap_peap: EAP type mschapv2
  rlm_eap_peap: Tunneled data is valid.
  PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu
  PEAP: Adding old state with f4 4b
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 19
  modcall[authorize]: module preprocess returns ok for request 19
  modcall[authorize]: module chap returns noop for request 19
  modcall[authorize]: module mschap returns noop for request 19
rlm_realm: No '@' in User-Name = host/boytel2883.campus.bridgew.edu, looking up realm NULL

rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 19
  rlm_eap: EAP packet type response id 7 length 93
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 19
users: Matched entry DEFAULT at line 152
  modcall[authorize]: module files returns ok for request 19
modcall: group authorize returns updated for request 19
  rad_check_password:  Found Auth-Type EAP
auth: type EAP
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 19
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  Processing the authenticate section of radiusd.conf
modcall: entering group Auth-Type for request 19
  rlm_mschap: No User-Password configured.  Cannot create LM-Password.
  rlm_mschap: No User-Password configured.  Cannot create NT-Password.
  rlm_mschap: Told to do MS-CHAPv2 for host/boytel2883.campus.bridgew.edu with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'

Re: Wiki

2006-10-30 Thread Peter Nixon
On Mon 30 Oct 2006 21:14, Markus Krause wrote:
 Quoting King, Michael [EMAIL PROTECTED]:
  Anyone else having trouble getting to the Wiki right now?

 yes, does not work here ... (munich ;-)

It has moved to a new server and we are still waiting for the DNS host to 
update it. In the mean time you can get it at http://radiuswiki.suntel.com.tr

Sorry for the inconvenience :-(

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: AP and radius attributes

2006-10-30 Thread Peter Nixon
On Mon 30 Oct 2006 19:32, Manuel Sánchez Cuenca wrote:
 Hello all,

 does anybody knows if the linksys wrt54g AP support any radius
 attribute, such as Session-Timeout. Anyway, can anybody tell me which
 APs applies the radius attributes sent by the freeradius server after a
 successful authentication?

You need to check your APs documentation for this. If you wish you can start a 
list in the wiki.

Cheers
-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Re: Proxy Realm Error or Realm dead ??

2006-10-30 Thread Rio Yang
Hi Alan,

Do you mean if the realm abc.com have been marked dead by freeradius, then the following packets that proxy to abc.com will use the default realm???

Thanks.
Rio

2006/10/30, Alan DeKok [EMAIL PROTECTED]:
 Rio Yang [EMAIL PROTECTED] wrote:
  Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm (default) ???

 Yes.  See radius.log, it will contain messages about abc.com being dead.

 Alan DeKok.
 --
 http://deployingradius.com - The web site of the book
 http://deployingradius.com/blog/ - The blog

Re: Proxy Realm Error or Realm dead ??

2006-10-30 Thread Alan DeKok
Rio Yang [EMAIL PROTECTED] wrote:
 Do you mean if the realm abc.com have been marked dead by freeradius,
 then the following packets that proxy to abc.com will use the default
 realm???

  Yes.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Freeradius with Comindico

2006-10-30 Thread Cory Robson








I'm configuring freeradius 1.0.4-1.FC4.1 for the first time in an attempt to
interface with Comindico's system.

Comindico are totally unhelpful these days with most support issues
other than suggesting I buy a copy of radiator as that's all they
apparently know.

Anyway I have configured freeradius to use mysql for authentication and
accounting.

Has anyone done a step by step config or able to assist me in
understanding this process better.

NTRadping confirms authentication and accounting packets are functional
but I cannot find any information to support Comindico's process

I have most of my dialup services through comindico.

Thanks in advance

Cory







FreeRadius slower than SBR

2006-10-30 Thread Sean.Boran
Hi,

I'm proposing a FreeRadius solution for 802.1x authentication of Wired
client based on Client certificates, a CRL lookup, and vlan association
from Active Directory.

The IT department, who usually buy Steel Belted Radius from Juniper, are
saying FreeRadius is just too slow, and could not handle the traffic.
The SBR:
http://www.juniper.net/products/aaa/sbr/

Now, I don't see the basis for these assertions and I would imagine the
bottleneck being the CRL lookups and AD requests.
I estimate the number of authentications per sec to reach about 60 to
100 for this project.

However I'd like to humbly ask the list what they think of such
assertions, is there something in SBR that would make them much more
scalable or faster?

Where would the bottlenecks be?
How many client cert auths/sec could FR handle, on say an entry level
single CPU server HW?

Thanks in advance,

Sean




Re: Freeradius with Comindico

2006-10-30 Thread James Wakefield

Cory Robson wrote:
I’m configuring freeradius 1.0.4-1.FC4.1 for the first time in an 
attempt to interface with Comindico’s system.


 

Comindico are totally unhelpful these days with most support issues other 
than suggesting I buy a copy of radiator as that’s all they apparently know.


Anyway I have configured freeradius to use mysql for authentication and 
accounting.


 

Has anyone done a step by step config or able to assist me in 
understanding this process better.


 

NTRadping confirms authentication and accounting packets are functional 
but I cannot find any information to support commindico’s process


I have most of my dialup services through comindico.



G'day Cory,

If Comindico can give you a dictionary of attributes they send and 
expect to receive, the authentication protocols they support, timeouts, 
UDP port numbers, and NAS/RADIUS proxy IPs, that should be all you need. 
 If you really have to, ask for their suggested Radiator config, then 
transpose to freeradius, which I'm willing to give you a hand with if 
you like.


You may also find it useful to subscribe and post to the AusNOG 
(http://www.ausnog.net/mailman/listinfo/ausnog) and isp-australia 
(mailto:[EMAIL PROTECTED]) in the hope that your 
posting is brought to the attention of clueful Comindico people.


Cheers,

--
James Wakefield,
Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.

Phone: 03 5227 8690 International: +61 3 5227 8690
Fax:   03 5227 8866 International: +61 3 5227 8866
E-mail:   [EMAIL PROTECTED]
Website:  http://www.deakin.edu.au