Radius+LDAP for TACACS alternative
Hi People,

I am a newbie to Radius, picking up slowly with Radius. Can I use Radius for TACACS replacement? We have users/groups and Tacacs server provides authentication/authorization for router cmds to these user/groups. Can I achieve this using Radius, if yes, please send some links to start.

Regards,
-Manish

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
proxy + rlm_perl question
Hi list,

I have 2 questions:

1/ I'll have to proxy auth requests to a client's home radius. He is just allowed to check the user's username/password. I know how to filter attributes using attrs and the post-proxy section of radiusd.conf. But I don't know how to ADD attributes, like Framed-IP-Address for example. User-Name isn't sent back from the home radius to the proxy radius in the Access-Accept, thus I can't make any sql query (I use mysql backend) based on the username to get the Framed-IP-Address I want to assign to the users. I could do a sql query in the pre-proxy section (don't know if it's ok, because you can't use the sql module in post-proxy) but I don't want to send anything else than UserName and Password to the client's home radius. Any idea how I could do that?

2/ When I try to use example.pl in the post-proxy section I get the following error:

Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
at /usr/lib/perl/5.8/Data/Dumper.pm line 27
Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line 31.

Doesn't look that there's any problem with the perl script (the script doesn't do anything actually, it's just for testing purpose):

[EMAIL PROTECTED] :/etc/freeradius#/usr/local/libexec/post-proxy.pl
[EMAIL PROTECTED] :/etc/freeradius#

I'm a real *dick* at perl programming, I guess the problem might be a pebcak, but maybe it's not. I'm using FR 1.1.2 with Debian Sarge.

Thanks for any hint.

regards,
Fox.
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
>> I'm not sure that how will RADIUS server know to check password against LDAP server while EAP is in place?
>
> It doesn't.

Does this mean that EAP plugin only checks users file to authenticate users with their passwords?

Mustafa
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
> It's not so much EAP in general, but the PEAP (i.e. MSCHAPv2 part). However search this list's archive, see documentation etc. and the pertinent parts of the server's debug output you still chose not to provide here.
>
> regards
> K. Hoercher

Is there a way to get clear password after PEAP plugin has processed EAP message and gained password to check against users file?

Mustafa
Re: Radius+LDAP for TACACS alternative
Arya, Manish Kumar wrote:
> Hi People,
>
> I am a newbie to Radius, picking up slowly with Radius. Can I use Radius for TACACS replacement? We have users/groups and Tacacs server provides authentication/authorization for router cmds to these user/groups. Can I achieve this using Radius, if yes, please send some links to start.
>
> Regards,
> -Manish

Hi Manish,

I believe http://www-128.ibm.com/developerworks/linux/library/l-radius/ should cover most of your questions. Note however that you cannot perform command-level audit logging with RADIUS as with TACACS. If this is not important to you, then you're pretty much all set.

Cheers,

--
James Wakefield, Unix Administrator, Information Technology Services Division
Deakin University, Geelong, Victoria 3217 Australia.
Phone: 03 5227 8690 International: +61 3 5227 8690
Fax: 03 5227 8866 International: +61 3 5227 8866
E-mail: [EMAIL PROTECTED]
Website: http://www.deakin.edu.au
RE: EAP and accounting
On Fri, 20-10-2006 at 09:24 -0400, King, Michael wrote:
> Yes. It's possible.
>
> Look in eap.conf
>
> In each EAP section (TTLS and PEAP) this code snippet exists
>
> # The reply attributes sent to the NAS are
> # usually based on the name of the user
> # 'outside' of the tunnel (usually
> # 'anonymous'). If you want to send the
> # reply attributes based on the user name
> # inside of the tunnel, then set this
> # configuration entry to 'yes', and the reply
> # to the NAS will be taken from the reply to
> # the tunneled request.
> #
> # allowed values: {no, yes}
> use_tunneled_reply = no

Hello,

I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based on the user inside the EAP tunnel, but the accounting logs are still registered with username anonymous instead of the username inside the tunneled request.

--
Angel L. Mateo Martínez
Sección de Telemática
Área de Tecnologías de la Información y las Comunicaciones Aplicadas (ATICA)
http://www.um.es/atica
Tel: 968367590
Fax: 968398337
RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD
I use Squid and RADIUS. Squid uses Squid_radius_authenticator to authenticate a client and write a log in which there is the username and the http request.

THE PROBLEM IS:
In the radcheck table I put a value: AUTH-TYPE and set MS-CHAP for the user. His password is stored in NT-HASH format. When the authenticator tries to authenticate the user, this is the output...

rad_check_password: Found Auth-Type MS-CHAP
auth: type MS-CHAP
Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: Found NT-Password
rlm_mschap: No MS-CHAP-Challenge in the request
modcall[authenticate]: module mschap returns reject for request 6
modcall: leaving group MS-CHAP (returns reject) for request 6
auth: Failed to validate the user.
Login incorrect:[username/password]

Can anybody help me? Please.
Re: RADIUS AUTHENTICATOR---need HELP using MSCHAP and NTPASSWORD
This pretty much sums up the problem:

rlm_mschap: No MS-CHAP-Challenge in the request

This is not a valid MS-CHAP request. You might want to look at the actual attributes passed to see if this is really an MS-CHAP request. It will contain Microsoft VSAs containing a MS-CHAP-Challenge and a MS-CHAP-Response.

ego seek wrote:
> I use Squid and RADIUS. Squid uses Squid_radius_authenticator to authenticate a client and write a log in which there is the username and the http request.
>
> THE PROBLEM IS:
> In the radcheck table I put a value: AUTH-TYPE and set MS-CHAP for the user. His password is stored in NT-HASH format. When the authenticator tries to authenticate the user, this is the output ...
>
> rad_check_password: Found Auth-Type MS-CHAP
> auth: type MS-CHAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group MS-CHAP for request 6
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: Found NT-Password
> rlm_mschap: No MS-CHAP-Challenge in the request
> modcall[authenticate]: module mschap returns reject for request 6
> modcall: leaving group MS-CHAP (returns reject) for request 6
> auth: Failed to validate the user.
> Login incorrect:[username/password]
>
> Can anybody help me? Please.
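
Added example (not part of the thread, and not FreeRADIUS or Squid code): the reply above says a real MS-CHAP request carries Microsoft VSAs with MS-CHAP-Challenge and MS-CHAP-Response. The Python below parses the attributes of an Access-Request and reports which method the packet actually carries, so a forced Auth-Type can be compared with what the client sends. Attribute numbers are from RFC 2865 and RFC 2548; both sample packets are constructed with all-zero fields, and the PAP one is an assumption about what a helper holding the cleartext password would send.

```python
import struct

# Attribute numbers from RFC 2865 / RFC 3579; Microsoft VSAs from RFC 2548.
USER_PASSWORD, CHAP_PASSWORD, VENDOR_SPECIFIC, EAP_MESSAGE = 2, 3, 26, 79
MICROSOFT = 311
MS_CHAP_RESPONSE, MS_CHAP_CHALLENGE, MS_CHAP2_RESPONSE = 1, 11, 25


def parse_vendor(vendor, data):
    """Split the body of a Vendor-Specific attribute into its sub-attributes."""
    out = []
    while data:
        if len(data) < 2 or not 2 <= data[1] <= len(data):
            raise ValueError("bad vendor sub-attribute length")
        out.append((vendor, data[0], data[2:data[1]]))
        data = data[data[1]:]
    return out


def parse_attributes(packet):
    """Return [(vendor_id_or_None, attr_type, value), ...] for one RADIUS packet."""
    if len(packet) < 20:
        raise ValueError("shorter than the 20-byte RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if not 20 <= length <= len(packet):
        raise ValueError("Length field does not match packet size")
    attrs, pos = [], 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        pos += alen
        if atype == VENDOR_SPECIFIC and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            attrs.extend(parse_vendor(vendor, value[4:]))
        else:
            attrs.append((None, atype, value))
    return attrs


def classify_auth(packet):
    """Name the authentication method an Access-Request actually carries."""
    seen = {(vendor, atype) for vendor, atype, _ in parse_attributes(packet)}
    challenge = (MICROSOFT, MS_CHAP_CHALLENGE) in seen
    if (MICROSOFT, MS_CHAP2_RESPONSE) in seen:
        return "MS-CHAPv2" if challenge else "MS-CHAPv2 without challenge"
    if (MICROSOFT, MS_CHAP_RESPONSE) in seen:
        return "MS-CHAP" if challenge else "MS-CHAP without challenge"
    if (None, EAP_MESSAGE) in seen:
        return "EAP"
    if (None, CHAP_PASSWORD) in seen:
        return "CHAP"
    if (None, USER_PASSWORD) in seen:
        return "PAP"
    return "unknown"


# --- helpers that build the constructed sample packets (not captured traffic) ---
def attr(atype, value):
    return bytes([atype, len(value) + 2]) + value


def ms_vsa(vtype, value):
    return attr(VENDOR_SPECIFIC, struct.pack("!I", MICROSOFT) + attr(vtype, value))


def access_request(*attrs):
    body = b"".join(attrs)
    # Code 1 = Access-Request, constructed id 6, zeroed Request Authenticator.
    return struct.pack("!BBH", 1, 6, 20 + len(body)) + bytes(16) + body


USER = attr(1, b"alice")  # User-Name, constructed
PAP_REQUEST = access_request(USER, attr(USER_PASSWORD, bytes(16)))
MSCHAP_REQUEST = access_request(
    USER,
    ms_vsa(MS_CHAP_CHALLENGE, bytes(8)),
    ms_vsa(MS_CHAP_RESPONSE, bytes(50)),
)

if __name__ == "__main__":
    for name, pkt in (("PAP_REQUEST", PAP_REQUEST), ("MSCHAP_REQUEST", MSCHAP_REQUEST)):
        print(name, "->", classify_auth(pkt))
```

A packet classified as PAP cannot satisfy Auth-Type MS-CHAP, which matches the "No MS-CHAP-Challenge in the request" line in the debug output above.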
Want to test against variable-value
Hello helpful friends,

I am using freeradius 1.1.3. I want to accept users only if they are members of a sql-Group which name equals the Huntgroup-Name.

I try:

DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name}

this gives the error (radiusd -X):

module: Loaded files
files: usersfile = /usr/local/etc/raddb/users
files: acctusersfile = /usr/local/etc/raddb/acct_users
files: preproxy_usersfile = /usr/local/etc/raddb/preproxy_users
files: compat = no
/usr/local/etc/raddb/users[161]: Parse error (check) for entry DEFAULT: Expected end of line or comma
Errors reading /usr/local/etc/raddb/users
radiusd.conf[398]: files: Module instantiation failed.
radiusd.conf[828] Unknown module files.
radiusd.conf[742] Failed to parse authorize section.

Thank you for any hint.

Regards
Hans-Peter Fuchs

Hans-Peter Fuchs - RRZK Room 20
Zentrum für angewandte Informatik - Universitätsweiter Service RRZK
Universität zu Köln - Tel: 0221-470-6972
Re: Want to test against variable-value
Hans-Peter Fuchs [EMAIL PROTECTED] wrote:
> DEFAULT Auth-Type := Accept, Sql-Group == MAC, Sql-Group == %{Huntgroup-Name}
>
> this gives the error (radiusd -X):

You need to use back-ticks.

SQL-Group == `%{...}`

Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: proxy + rlm_perl question
On Monday 30 October 2006 12:52, Francois-Xavier GAILLARD wrote:
> Hi list,
>
> I have 2 questions:
>
> 1/ I'll have to proxy auth requests to a client's home radius. He is just allowed to check the user's username/password. I know how to filter attributes using attrs and the post-proxy section of radiusd.conf. But I don't know how to ADD attributes, like Framed-IP-Address for example.

To add attribute you have to put it in hash %RAD_REQUEST_PROXY_REPLY, for example to return IP address say

$RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'} = '10.10.10.1';

> User-Name isn't sent back from the home radius to the proxy radius in the Access-Accept, thus I can't make any sql query (I use mysql backend) based on the username to get the Framed-IP-Address I want to assign to the users. I could do a sql query in the pre-proxy section (don't know if it's ok, because you can't use the sql module in post-proxy) but I don't want to send anything else than UserName and Password to the client's home radius. Any idea how I could do that?
>
> 2/ When I try to use example.pl in the post-proxy section I get the following error:
>
> Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
> at /usr/lib/perl/5.8/Data/Dumper.pm line 27
> Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
> BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line 31.

Look at here http://bugs.freeradius.org/show_bug.cgi?id=236

> Doesn't look that there's any problem with the perl script (the script doesn't do anything actually, it's just for testing purpose):
>
> [EMAIL PROTECTED] :/etc/freeradius#/usr/local/libexec/post-proxy.pl
> [EMAIL PROTECTED] :/etc/freeradius#
>
> I'm a real *dick* at perl programming, I guess the problem might be a pebcak, but maybe it's not. I'm using FR 1.1.2 with Debian Sarge.
>
> Thanks for any hint.
>
> regards,
> Fox.

--
Best Regards,
Boian Jordanov
SNE Orbitel - Next Generation Telecom
tel. +359 2 4004 723
tel. +359 2 4004 002
Re: Proxy Realm Error or Realm dead ??
Rio Yang [EMAIL PROTECTED] wrote:
> Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm (default) ???

Yes. See radius.log, it will contain messages about abc.com being dead.

Alan DeKok.
Re: Cisco AP, FreeRADIUS and Fedora Directory Server
Mustafa Şenay [EMAIL PROTECTED] wrote:
> Does this mean that EAP plugin only checks users file to authenticate users with their passwords?

No. It means that EAP doesn't supply a password, so it doesn't exist, and can't be checked against LDAP.

Alan DeKok.
Re: Radius+LDAP for TACACS alternative
James Wakefield [EMAIL PROTECTED] wrote:
> Note however that you cannot perform command-level audit logging with RADIUS as with TACACS. If this is not important to you, then you're pretty much all set.

There's a preliminary tacacs to radius gateway on bugs.freeradius.org. It should really be extended to do authorization/authentication, and added to the server source.

Alan DeKok.
Re: EAP and accounting
Angel L. Mateo [EMAIL PROTECTED] wrote:
> I have this attribute set to yes. With this, the reply my freeradius server sent to the client is based on the user inside the EAP tunnel, but the accounting logs are still registered with username anonymous instead of the username inside the tunneled request.

Because that's the only user name that the NAS sees. Use the Class attribute to set a per-session ID for the user.

Alan DeKok.
Re: proxy + rlm_perl question
On Mon, Oct 30, 2006 at 03:00:08PM +0200, Boian Jordanov wrote:
> On Monday 30 October 2006 12:52, Francois-Xavier GAILLARD wrote:
>> Hi list,
>>
>> I have 2 questions:
>>
>> 1/ I'll have to proxy auth requests to a client's home radius. He is just allowed to check the user's username/password. I know how to filter attributes using attrs and the post-proxy section of radiusd.conf. But I don't know how to ADD attributes, like Framed-IP-Address for example.
>
> To add attribute you have to put it in hash %RAD_REQUEST_PROXY_REPLY, for example to return IP address say
>
> $RAD_REQUEST_PROXY_REPLY{'Framed-IP-Address'} = '10.10.10.1';

This is for static values. I need to execute an SQL query based on the User-Name attribute. In fact I just discovered post_proxy_authorize in proxy.conf and it should do the job.

>> Can't load '/usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so' for module Data::Dumper: /usr/lib/perl/5.8/auto/Data/Dumper/Dumper.so: undefined symbol: Perl_sv_cmp at /usr/lib/perl/5.8/XSLoader.pm line 68.
>> at /usr/lib/perl/5.8/Data/Dumper.pm line 27
>> Compilation failed in require at /usr/local/libexec/post-proxy.pl line 31.
>> BEGIN failed--compilation aborted at /usr/local/libexec/post-proxy.pl line 31.
>
> Look at here http://bugs.freeradius.org/show_bug.cgi?id=236

Great, thanks a lot for this information.

Regards,
Fox.
AP and radius attributes
Hello all,

does anybody know if the linksys wrt54g AP supports any radius attribute, such as Session-Timeout?

Anyway, can anybody tell me which APs apply the radius attributes sent by the freeradius server after a successful authentication?

Thanks in advance.

--
Manuel Sanchez Cuenca
Departamento de Ingenieria de la Informacion y las Comunicaciones
Facultad de Informatica. Universidad de Murcia
Campus de Espinardo - 30080 Murcia (SPAIN)
Tel.: +34-968-364644 Fax: +34-968-364151
email: [EMAIL PROTECTED] | [EMAIL PROTECTED]
url: http://libra.inf.um.es/~lolo
EAP and NIS
Is there a way to use NIS to authenticate users with their passwords when I am using EAP-TLS?

Thanks,
Pedro Mazzoni
Re: Wiki
Quoting King, Michael [EMAIL PROTECTED]:
> Anyone else having trouble getting to the Wiki right now?

yes, does not work here ... (munich ;-)

markus

--
Markus Krause
email: [EMAIL PROTECTED]
Mogli-Soft: Support for Mac OS X, Webmail/Horde, LDAP, RADIUS
by order of the Computing Center of the Max-Planck-Institute of Biochemistry
Tel.: 089 - 89 40 85 99
Fax.: 089 - 89 40 85 98
Survey Results are in.
It's been a few weeks since the survey was started. Thanks to everyone who entered their data. The results are still coming in at about 25 per day, so I expect that these numbers will change over time.

So far, we have a bit over 500 responses, which makes the data very useful. I won't get into a detailed explanation of the results, but I will highlight the numbers. I'll see if I can put some graphs on freeradius.org in a few days, too.

We have the most interesting result first:

== Total number of users who are authenticated via FreeRADIUS: 100,000,000

That's impressive. The top 30 sites alone have over 75 million users who are using RADIUS for authentication. With those numbers, it looks like 10% or more of people on the net are authenticated via FreeRADIUS. If we assume that a number of large sites haven't entered their data on the survey, then the percentage is probably much higher, like 25%.

FreeRADIUS looks like it's the server of choice for the Internet. Maybe we'll make that the new slogan...

== Total number of RADIUS servers

Many sites (70%) only have 1-2, with 95% of sites having 10 or fewer servers. About 1% has 50-100 servers, though, which is impressive.

== Databases

MySQL is the clear winner at 30%. Next comes the users file at 10%, OpenLDAP at 17%, and Active Directory at 14%.

== Password hashes

40% of passwords are stored as cleartext, 25% as Crypt, 20% as MD5, and 13% as NT hash.

== Authentication Protocols

PAP and CHAP are paired at about 20%. But PEAP, EAP-TLS, and TTLS are each about 10%, too.

== Configuration updates

75% of sites change their configuration monthly to never. That statistic goes a long way to explaining why so few people need official support. :)

== Other RADIUS servers

ACS and IAS are tied at about 25% each. Cistron and OpenRADIUS are at about 10%, and Funk Radiator are just under 10%.

It looks like FreeRADIUS isn't in the top 5 of RADIUS servers, it's in the top 3, and maybe is even number one! And a large number of people have *never* used a server other than FreeRADIUS. I'm glad to see it's well received.

== Why FreeRADIUS?

Open source, cost, and feature set all came in at about 20% each.

== What do you need most from FreeRADIUS?

Something called documentation beat out the next nearest response by nearly 2:1. We'll see if we can work on that.

Anyways, thanks for all of the response. We'll use the information to target development for future releases.

Alan DeKok.
Re: Machine Accounts against AD
I'm not sure 1.0.4 had that fix in the rlm_mschap module. If you need to use 1.0.4 for some reason, you may have to backport the patch from a later version of the module.

--Mike

On Oct 30, 2006, at 5:10 PM, King, Michael wrote:
> I had this working before, and I can't figure out what I'm missing to get it working on this server.
>
> Samba Version 3.0.23b
> FreeRADIUS version 1.0.4
>
> Users successfully authenticate with the domain, Machine accounts do not however.
>
> My ntlm_auth line is:
>
> ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} --nt-response=%{mschap:NT-Response}
>
> I have:
>
> with_ntdomain_hack = yes
>
> in the mschap section.
>
> The debug is below.
>
> The only thing that looks different than last time is it looks like the host/ isn't getting stripped off. Should it?
>
> rad_recv: Access-Request packet from host 10.0.1.22:32769, id=171, length=324
> User-Name = host/boytel2883.campus.bridgew.edu
> Calling-Station-Id = 00-90-96-F4-2A-BB
> Called-Station-Id = 00-0B-85-5B-55-A0:test
> NAS-Port = 29
> NAS-IP-Address = 10.0.1.22
> NAS-Identifier = BUWISM2-2
> Vendor-14179-Attr-1 = 0x0007
> Service-Type = Framed-User
> Framed-MTU = 1300
> NAS-Port-Type = Wireless-802.11
> Tunnel-Type:0 = VLAN
> Tunnel-Medium-Type:0 = IEEE-802
> Tunnel-Private-Group-Id:0 = 4000
> EAP-Message = 0x0207007419001703010069fad4edfbbed6d8fb51dcf6cb01ead274ca25439081be39 55bfd614a066335309bfcc72d0f20a0891d43fd085e948c3a635622fcd52658bdc8179 70b87e859a66ec970d7433349e6cbd2d19184182eb762ea246e13202349e8c32c8acd5 e5c322df88f7fd45aa24e13f
> State = 0xdfdc87766140b541e2ac318d7ce82e0f
> Message-Authenticator = 0x42318a374d505be3af9ffa7af0c39484
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
> modcall[authorize]: module preprocess returns ok for request 19
> modcall[authorize]: module chap returns noop for request 19
> modcall[authorize]: module mschap returns noop for request 19
> rlm_realm: No '@' in User-Name = host/boytel2883.campus.bridgew.edu, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 19
> rlm_eap: EAP packet type response id 7 length 116
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 19
> users: Matched entry DEFAULT at line 152
> users: Matched entry DEFAULT at line 171
> modcall[authorize]: module files returns ok for request 19
> modcall: group authorize returns updated for request 19
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/peap
> rlm_eap: processing type peap
> rlm_eap_peap: Authenticate
> rlm_eap_tls: processing TLS
> eaptls_verify returned 7
> rlm_eap_tls: Done initial handshake
> eaptls_process returned 7
> rlm_eap_peap: EAPTLS_OK
> rlm_eap_peap: Session established. Decoding tunneled attributes.
> rlm_eap_peap: EAP type mschapv2
> rlm_eap_peap: Tunneled data is valid.
> PEAP: Setting User-Name to host/boytel2883.campus.bridgew.edu
> PEAP: Adding old state with f4 4b
> Processing the authorize section of radiusd.conf
> modcall: entering group authorize for request 19
> modcall[authorize]: module preprocess returns ok for request 19
> modcall[authorize]: module chap returns noop for request 19
> modcall[authorize]: module mschap returns noop for request 19
> rlm_realm: No '@' in User-Name = host/boytel2883.campus.bridgew.edu, looking up realm NULL
> rlm_realm: No such realm NULL
> modcall[authorize]: module suffix returns noop for request 19
> rlm_eap: EAP packet type response id 7 length 93
> rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
> modcall[authorize]: module eap returns updated for request 19
> users: Matched entry DEFAULT at line 152
> modcall[authorize]: module files returns ok for request 19
> modcall: group authorize returns updated for request 19
> rad_check_password: Found Auth-Type EAP
> auth: type EAP
> Processing the authenticate section of radiusd.conf
> modcall: entering group authenticate for request 19
> rlm_eap: Request found, released from the list
> rlm_eap: EAP/mschapv2
> rlm_eap: processing type mschapv2
> Processing the authenticate section of radiusd.conf
> modcall: entering group Auth-Type for request 19
> rlm_mschap: No User-Password configured. Cannot create LM-Password.
> rlm_mschap: No User-Password configured. Cannot create NT-Password.
> rlm_mschap: Told to do MS-CHAPv2 for host/boytel2883.campus.bridgew.edu with NT-Password
> radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
> radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
Re: Wiki
On Mon 30 Oct 2006 21:14, Markus Krause wrote:
> Quoting King, Michael [EMAIL PROTECTED]:
>> Anyone else having trouble getting to the Wiki right now?
>
> yes, does not work here ... (munich ;-)

It has moved to a new server and we are still waiting for the DNS host to update it. In the meantime you can get it at http://radiuswiki.suntel.com.tr

Sorry for the inconvenience :-(

--
Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc
Re: AP and radius attributes
On Mon 30 Oct 2006 19:32, Manuel Sánchez Cuenca wrote:
> Hello all,
>
> does anybody know if the linksys wrt54g AP supports any radius attribute, such as Session-Timeout?
>
> Anyway, can anybody tell me which APs apply the radius attributes sent by the freeradius server after a successful authentication?

You need to check your AP's documentation for this. If you wish you can start a list in the wiki.

Cheers

--
Peter Nixon
Re: Proxy Realm Error or Realm dead ??
Hi Alan,

Do you mean if the realm abc.com have been marked dead by freeradius, then the following packets that proxy to abc.com will use the default realm???

Thanks.
Rio

2006/10/30, Alan DeKok [EMAIL PROTECTED]:
> Rio Yang [EMAIL PROTECTED] wrote:
>> Or abc.com deaded and the freeradius assign [EMAIL PROTECTED] to new realm (default) ???
>
> Yes. See radius.log, it will contain messages about abc.com being dead.
>
> Alan DeKok.
Re: Proxy Realm Error or Realm dead ??
Rio Yang [EMAIL PROTECTED] wrote:
> Do you mean if the realm abc.com have been marked dead by freeradius, then the following packets that proxy to abc.com will use the default realm???

Yes.

Alan DeKok.
Freeradius with Comindico
I'm configuring freeradius 1.0.4-1.FC4.1 for the first time in an attempt to interface with Comindico's system. Comindico are totally unhelpful these days with most support issues other than suggesting I buy a copy of radiator as that's all they apparently know.

Anyway I have configured freeradius to use mysql for authentication and accounting. Has anyone done a step by step config or able to assist me in understanding this process better? NTRadping confirms authentication and accounting packets are functional but I cannot find any information to support Comindico's process. I have most of my dialup services through Comindico.

Thanks in advance
Cory
FreeRadius slower than SBR
Hi,

I'm proposing a FreeRadius solution for 802.1x authentication of Wired client based on Client certificates, a CRL lookup, and vlan association from Active Directory.

The IT department, who usually buy Steel Belted Radius from Juniper, are saying FreeRadius is just too slow, and could not handle the traffic. The SBR: http://www.juniper.net/products/aaa/sbr/

Now, I don't see the basis for these assertions and I would imagine the bottleneck being the CRL lookups and AD requests. I estimate the number of authentications per sec to reach about 60 to 100 for this project.

However I'd like to humbly ask the list what they think of such assertions, is there something in SBR that would make them much more scalable or faster? Where would the bottlenecks be? How many client cert auths/sec could FR handle, on say an entry level single CPU server HW?

Thanks in advance,
Sean
Re: Freeradius with Comindico
Cory Robson wrote:
> I’m configuring freeradius 1.0.4-1.FC4.1 for the first time in an attempt to interface with Comindico’s system. Comindico are totally unhelpful these days with most support issues other than suggesting I buy a copy of radiator as that’s all they apparently know.
>
> Anyway I have configured freeradius to use mysql for authentication and accounting. Has anyone done a step by step config or able to assist me in understanding this process better? NTRadping confirms authentication and accounting packets are functional but I cannot find any information to support Comindico’s process. I have most of my dialup services through Comindico.

G'day Cory,

If Comindico can give you a dictionary of attributes they send and expect to receive, the authentication protocols they support, timeouts, UDP port numbers, and NAS/RADIUS proxy IPs, that should be all you need. If you really have to, ask for their suggested Radiator config, then transpose to freeradius, which I'm willing to give you a hand with if you like.

You may also find it useful to subscribe and post to the AusNOG (http://www.ausnog.net/mailman/listinfo/ausnog) and isp-australia (mailto:[EMAIL PROTECTED]) in the hope that your posting is brought to the attention of clueful Comindico people.

Cheers,

--
James Wakefield