Re: Controlling access to my Wireless network.
Hi,

> The document you gave is good, except for the client certificate part. I don't want to have to give certificates out to everyone on my wireless network. Is there a way to get around this?

Err, no. EAP-TLS uses client and server certificates. If you want to use just the server cert then EAP-PEAP or EAP-TTLS is your way.

alan

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Controlling access to my Wireless network.
Hi,

> network, mac xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as MSCHAPv2, then fail because of no NT/LM password. If I could use the password from my LDAP connection, which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that? Thanks a million

It wouldn't be in your eap.conf for a start - if you want to use PEAP against your LDAP then you'll most likely need to put the NT hash of their password into your LDAP directory and point to that instead in your LDAP checks. A lot (a LOT) of people do this and are present on this list.

If you want to use plain text password checks then EAP-TTLS with PAP inner is one of the only ways - but for that you'll need to install extra software on the WinXP machines.

alan
RE: EAP testing without AP?
Thanks for all advice. Result of testing using eapol_test is okay, except the error "OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0)" is found:

--- cut here ---
[snipped]
SSL: SSL_connect:SSLv3 read finished A
SSL: (where=0x20 ret=0x1)
SSL: (where=0x1002 ret=0x1)
SSL: 0 bytes pending from ssl_out
OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0)
SSL: No data to be sent out
EAP-TTLS: TLS done, proceed to Phase 2
[snipped]
--- cut here ---

However, the rest of the debug message seems to be normal. I've no idea about the cause of this message. Would anyone please help?

Besides, I only see RADIUS messages if tcpdump is used during testing. It seems TLS packets are encapsulated in EAP messages, which are encapsulated in RADIUS packets. Is it correct?

Thanks a lot.
/ST Wong

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Monday, September 17, 2007 7:46 PM
To: FreeRadius users mailing list
Subject: Re: EAP testing without AP?

ST Wong (ITSC) wrote:
> I'm new to EAP and want to set up freeradius with EAP-TTLS support. After some struggling with 802.1x docs and terms, the radiusd is up. However, as my testing AP is not ready now, I've no way to test my setup. I wonder if it's possible to test the authentication server-authenticator-supplicant setup under a 'simulated' environment without AP since I only want to test the authentication setting.

wpa_supplicant contains a program eapol_test, which does exactly this.

Alan DeKok.
RE: EAP testing without AP?
On Wed, 2007-09-19 at 16:40 +0800, ST Wong (ITSC) wrote:
> Thanks for all advice. Result of testing using eapol_test is okay, except the error "OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0)" is found:
>
> --- cut here ---
> [snipped]
> SSL: SSL_connect:SSLv3 read finished A
> SSL: (where=0x20 ret=0x1)
> SSL: (where=0x1002 ret=0x1)
> SSL: 0 bytes pending from ssl_out
> OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0)
> SSL: No data to be sent out
> EAP-TTLS: TLS done, proceed to Phase 2
> [snipped]
> --- cut here ---
>
> However, the rest of the debug message seems to be normal. I've no idea about the cause of this message. Would anyone please help?

The cause is OpenSSL is rubbish. Ignore it.

> Besides, I only see RADIUS messages if tcpdump is used during testing. It seems TLS packets are encapsulated in EAP messages, which are encapsulated in RADIUS packets. Is it correct?

Yes
Re: Denying user from authentication
That won't work with EAP-TLS. As you found out.

Ivan Kalik
Kalik Informatika ISP

On 19/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> HI
> Thank you for the response. But as per users file configuration it should deny the user if I include that user name-reject file. Do I need to do any config for this to work?
> Regards
> Anoop
>
> Message: 3
> Date: Tue, 18 Sep 2007 11:30:53 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: Denying user from authentication
> To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-2
>
> Revoke the certificate.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 18/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hi
>> I am using EAP_TLS authentication with FreeRADIUS 1.1.7. The authentication is a certificate based one. I want to reject one user. I have done config in users file:
>>
>> anoop07 Auth-Type := Reject
>>         Reply-Message = "Your account has been disabled."
>>
>> Still the user authenticates. How can I prevent a user like this?
>> Regards
>> Anoop
>
> Message: 4
> Date: Tue, 18 Sep 2007 14:12:50 +0200
> From: inverse [EMAIL PROTECTED]
> Subject: Re: Denying user from authentication
> To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-1
>
> and make sure to use check_crl = yes in eap.conf
>
> On 9/18/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Revoke the certificate.
Re: Limit users traffic quota via radius
This is not correct. You may use SNMP, or you may use a RADIUS Change of Authority/Packet of Disconnect request...

Regards
Peter

On Wed 19 Sep 2007, Willie Yeo wrote:
> You need SNMP to disconnect the link, not Radius. The only other way I can think of is that, if you can use an external program/script to check the quota from your accounting records, and then if that quota is reached, then the program sends SNMP to disconnect the user.
>
> On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:
>> I'm trying to close the connection of a pre-paid mobile user after he has reached a limited amount of traffic (i.e. 100 megabytes); the network device is a Cisco router. I've found many ways to rate-limit the traffic bandwidth but not one to do this. Is RADIUS the correct way to achieve this goal? Is it all about VSAs?

--
Peter Nixon
http://peternixon.net/
Re: Proxy server config with PAP or CHAP
Amit Jain wrote:
> Now the above configuration works when I have PAP as authentication method. Now I need to have EAP MD5 auth between user and free radius server and PAP or CHAP between free radius server and Radius server.

Converting EAP-MD5 to PAP is impossible. Converting EAP-MD5 to CHAP is possible. Write the code.

> Please let me know, what I need to configure.

There is no code to do this, so there is nothing to configure.

Alan DeKok.
Re: EAP testing without AP?
ST Wong (ITSC) wrote:
> Thanks for all advice. Result of testing using eapol_test is okay, except the error "OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0)" is found:
> ...
> However, the rest of the debug message seems to be normal. I've no idea about the cause of this message. Would anyone please help?

Don't use an old version of the server. Version 1.1.7 doesn't print this message.

Alan DeKok.
Re: Denying user from authentication
Hi
Please explain briefly about the certificate revocation process as I am new to it. I have used openssl for creating certificates,
Regards
Anoop

> Message: 3
> Date: Wed, 19 Sep 2007 10:36:18 +0100
> From: [EMAIL PROTECTED]
> Subject: Re: Denying user from authentication
> To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
> Message-ID: [EMAIL PROTECTED]
> Content-Type: text/plain; charset=ISO-8859-2
>
> That won't work with EAP-TLS. As you found out.
>
> Ivan Kalik
> Kalik Informatika ISP
>
> On 19/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> HI
>> Thank you for the response. But as per users file configuration it should deny the user if I include that user name-reject file. Do I need to do any config for this to work?
>> Regards
>> Anoop
>>
>> Message: 3
>> Date: Tue, 18 Sep 2007 11:30:53 +0100
>> From: [EMAIL PROTECTED]
>> Subject: Re: Denying user from authentication
>> To: "FreeRadius users mailing list" freeradius-users@lists.freeradius.org
>> Message-ID: [EMAIL PROTECTED]
>> Content-Type: text/plain; charset=ISO-8859-2
>>
>> Revoke the certificate.
>>
>> Ivan Kalik
>> Kalik Informatika ISP
>>
>> On 18/9/2007, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>>> Hi
>>> I am using EAP_TLS authentication with FreeRADIUS 1.1.7. The authentication is a certificate based one. I want to reject one user. I have done config in users file:
>>>
>>> anoop07 Auth-Type := Reject
>>>         Reply-Message = "Your account has been disabled."
>>>
>>> Still the user authenticates. How can I prevent a user like this?
>>> Regards
>>> Anoop
RFC 3579 and Access-Accepts
Hello,

it seems that FreeRADIUS is sending an EAP-Message fragment along with its Access-Accepts, as in:

Packet-Type = Access-Accept
Wed Sep 19 11:59:25 2007
MS-MPPE-Recv-Key = stuff
MS-MPPE-Send-Key = morestuff
EAP-Message = 0x03070004
Message-Authenticator = 0x593773a711f50bd8b4ce98434a7e1590
User-Name = [EMAIL PROTECTED]
Proxy-State = 0x323039

Whereas RFC 3579, chapter 2.6.5 says:

> An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an Access-Accept or Access-Reject packet.

This is now the second RADIUS implementation I see that behaves like that - is there a reason for the EAP-Message and something wrong with 3579, or is that SHOULD NOT just ignored by most?

Greetings,

Stefan Winter

--
Stefan WINTER
Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de la Recherche
Research and Development Engineer
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

E-Mail: [EMAIL PROTECTED]   Tel.: +352 424409-1
http://www.restena.lu       Fax: +352 422473
Re: Denying user from authentication
[EMAIL PROTECTED] wrote:
> Hi
> Please explain briefly about the certificate revocation process as I am new to it. I have used openssl for creating certificates,

Go read the OpenSSL pages. They document it quite nicely.

Alan DeKok.
odd user authenticated...
Hello,

Here is the run down on my set up. RHEL5 64bit - freeradius 1.1.6, samba 3.0.23c-2, using peap(ms-chapv2)/ntlm_auth for authentication and ldap for authorization.

So I have ntlm_auth configured and working correctly. Every time a specific user logs in, I see this directly after his login success:

80986-Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\USER/no User-Password attribute] (from client UNKNOWN-CLIENT port 0)
- user auth line.

80987:Tue Sep 18 17:10:37 2007 : Auth: Login OK: [RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 port 29 cli 00-1B-77-27-B2-48)
- freaky line

Now, that looks like extended unicode to me in the username... obviously we don't have a user named that, or even a domain named 'RUN'; moreover it doesn't seem like that username should even have been authorized through the ldap rules.

--
Joe Vieira
UNIX Systems Administrator
Clark University - ITS
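To spot log entries like the "freaky line" above automatically, the escaped username has to be turned back into bytes first: FreeRADIUS 1.x writes a backslash as `\\` and any non-printable byte as a three-digit octal escape, so `\305\355\277\255` is the four octets C5 ED BF AD, which are not valid UTF-8. The following scanner is an added example (not from the post or from FreeRADIUS); the two log lines are constructed from the ones Joe quoted, grep -n prefixes included.

```python
"""Flag 'Auth: Login OK' lines in radius.log whose User-Name does not
decode to a printable username. Added example; sample lines constructed."""
import re
from typing import List, Tuple

# Matches the FreeRADIUS 1.x 'Login OK: [name/password-info] (from client X port N' shape.
LOGIN_RE = re.compile(
    r"Auth: Login OK: \[(?P<name>.*?)/(?P<pw>[^\]]*)\] "
    r"\(from client (?P<client>\S+) port (?P<port>\d+)"
)

def unescape_radius_name(name: str) -> bytes:
    """Undo the log escaping: '\\\\' -> one backslash, '\\NNN' -> the raw
    octet with that octal value, everything else copied through."""
    out = bytearray()
    i = 0
    while i < len(name):
        ch = name[i]
        if ch == "\\" and i + 1 < len(name):
            if name[i + 1] == "\\":
                out.append(0x5C)
                i += 2
                continue
            m = re.match(r"[0-7]{3}", name[i + 1:i + 4])
            if m:
                out.append(int(m.group(0), 8))
                i += 4
                continue
        out.extend(ch.encode("utf-8"))
        i += 1
    return bytes(out)

def classify_name(raw: bytes) -> str:
    """'ok' for a printable username, otherwise the reason it is suspicious."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return "invalid UTF-8"
    if any(not c.isprintable() for c in text):
        return "non-printable characters"
    return "ok"

def scan(log: str) -> List[Tuple[str, bytes, str]]:
    """(client, raw user name bytes, verdict) for every Login OK line."""
    results = []
    for line in log.splitlines():
        m = LOGIN_RE.search(line)
        if not m:
            continue
        raw = unescape_radius_name(m.group("name"))
        results.append((m.group("client"), raw, classify_name(raw)))
    return results

# Constructed sample: the two lines from the post, prefixes kept.
SAMPLE_LOG = r"""80986-Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\USER/no User-Password attribute] (from client UNKNOWN-CLIENT port 0)
80987:Tue Sep 18 17:10:37 2007 : Auth: Login OK: [RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 port 29 cli 00-1B-77-27-B2-48)
"""

if __name__ == "__main__":
    for client, raw, verdict in scan(SAMPLE_LOG):
        if verdict != "ok":
            print(f"client {client}: user name {raw!r}: {verdict}")
```

The first line, from the virtual client "UNKNOWN-CLIENT port 0", is the inner (tunnelled) PEAP request, which is why a single login produces two Login OK entries.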
RE: RFC 3579 and Access-Accepts
Hi Stefan,

> Whereas RFC 3579, chapter 2.6.5 says:
>
>> An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an Access-Accept or Access-Reject packet.

I think this is a case of mis-reading the (confusing?) notation used by the RFC. What the RFC is saying is that you are not permitted to include a Notification within an EAP-Request within an EAP-Message within an Access-Accept. It's not saying you're not allowed to include an EAP-Message attribute _per se_.

FWIW, I don't think it would be possible to implement a compliant EAP method without including an EAP-Message in the Access-Accept; you need to return an EAP-Success or EAP-Failure, and IIRC you can't do that in an Access-Challenge.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxon OX11 0SG
RE: Proxy server config with PAP or CHAP
Thanks for the reply. But it was a surprise to me, as I thought when I forward the request to another radius server, I should be able to choose the authentication method. I thought something to configure by Auth-Type configuration ???

Regards,
Amit Jain

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, September 19, 2007 3:51 PM
To: FreeRadius users mailing list
Subject: Re: Proxy server config with PAP or CHAP

Amit Jain wrote:
> Now the above configuration works when I have PAP as authentication method. Now I need to have EAP MD5 auth between user and free radius server and PAP or CHAP between free radius server and Radius server.

Converting EAP-MD5 to PAP is impossible. Converting EAP-MD5 to CHAP is possible. Write the code.

> Please let me know, what I need to configure.

There is no code to do this, so there is nothing to configure.

Alan DeKok.
Re: Freeradius +MS Win XP (EAP) problems
2007/9/19, Alan DeKok [EMAIL PROTECTED]:
> Sergio Belkin wrote:
>> I want to configure freeradius (Linux) in order to authenticate and authorize MS Windows XP clients (people connect to a Linksys Access Point). I am using EAP-PEAP and MSCHAP from Windows. If I perform radtest from Linux clients (using wired network) I have no problem to access, but I cannot from Windows XP; these are the messages when I run radiusd -X:
>> ...
>> Sending Access-Challenge of id 66 to 10.30.1.151:1032
>>     EAP-Message = 0x010500061900
>>     Message-Authenticator = 0x
>>     State = 0x06bc31779a10f85cd934953e650bc051
>> Finished request 55
>> Going to the next request
>> Waking up in 6 seconds...
>> --- Walking the entire request list ---
>> Cleaning up request 52 ID 63 with timestamp 46f01fd7
>
> This is in the FAQ and comments in the eap.conf distributed with 1.1.7. Please read the existing documentation.
>
> Alan DeKok.

Thanks Alan for the advice, but please fix me if I'm wrong: if I'm using ttls (not tls), is a client certificate needed too?

Thanks in advance!

--
Sergio Belkin
Re: Limit users traffic quota via radius
Hi,

so basically all I need is an RFC 3576-compliant radius server and the correct VSA specific to the Cisco device?

What I do not understand is if:
- the radius server checks the quota (but how and how often?) and then pushes the disconnect to the device, or
- the device, once the user is authenticated, gets a profile and then checks the quota with an internal specific process (specified by a VSA), with the action after the threshold.

I'm a bit confused, as the snmp/script solution implies that a machine should login/check the virtual interface status and then issue a command like shutdown, correct? Is this the only way to accomplish a QoS task!?

Thanks for your help,
Massimiliano

Peter Nixon wrote:
> This is not correct. You may use SNMP, or you may use a RADIUS Change of Authority/Packet of Disconnect request...
>
> Regards
> Peter
>
> On Wed 19 Sep 2007, Willie Yeo wrote:
>> You need SNMP to disconnect the link, not Radius. The only other way I can think of is that, if you can use an external program/script to check the quota from your accounting records, and then if that quota is reached, then the program sends SNMP to disconnect the user.
>>
>> On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:
>>> I'm trying to close the connection of a pre-paid mobile user after he has reached a limited amount of traffic (i.e. 100 megabytes); the network device is a Cisco router. I've found many ways to rate-limit the traffic bandwidth but not one to do this. Is RADIUS the correct way to achieve this goal? Is it all about VSAs?
Re: Controlling access to my Wireless network
>> network, mac xp. I wouldn't mind using plain text passwords if that could be forced. The only configurations that get close to working get as far as MSCHAPv2, then fail because of no NT/LM password. If I could use the password from my LDAP connection, which seems to be working nicely, then I would be thrilled. Could you give me the eap.conf that would do that? Thanks a million
>
> It wouldn't be in your eap.conf for a start - if you want to use PEAP against your LDAP then you'll most likely need to put the NT hash of their password into your LDAP directory and point to that instead in your LDAP checks. A lot (a LOT) of people do this and are present on this list.
>
> If you want to use plain text password checks then EAP-TTLS with PAP inner is one of the only ways - but for that you'll need to install extra software on the WinXP machines.

securew2 is free and enables winxp to recognize ttls-pap packets.

arjuna
Re: Freeradius +MS Win XP (EAP) problems
Sergio Belkin wrote:
> Thanks Alan for the advice, but please fix me if I'm wrong: if I'm using ttls (not tls), is a client certificate needed too?

TTLS doesn't need client certificates.

Alan DeKok.
Re: RFC 3579 and Access-Accepts
Stefan Winter wrote:
> it seems that FreeRADIUS is sending an EAP-Message fragment along with its Access-Accepts, as in:
> ...
> Whereas RFC 3579, chapter 2.6.5 says:
>
>> An EAP-Message/EAP-Request/Notification SHOULD NOT be included within an Access-Accept or Access-Reject packet.

See Appendix A. They clearly show EAP-Success in an Access-Accept.

See also Section 2.6.3:

    Access-Accept packets SHOULD have only one EAP-Message attribute in them, containing EAP Success; similarly, Access-Reject packets SHOULD have only one EAP-Message attribute in them, containing EAP Failure.

> This is now the second RADIUS implementation I see that behaves like that - is there a reason for the EAP-Message and something wrong with 3579, or is that SHOULD NOT just ignored by most?

I'm curious as to which implementations *don't* send EAP-Success in Access-Accept. If they don't do that, then what the heck is in the Access-Accept?

Alan DeKok.
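The three RFC 3579 rules discussed in this thread (section 2.6.3: one EAP-Message carrying EAP Success or Failure; section 2.6.5: no EAP-Request/Notification inside it; section 3.2: Message-Authenticator whenever EAP-Message is present) can be checked mechanically against a radiusd -X attribute dump. The checker below is an added example, not code from the thread or from FreeRADIUS; its first sample dump mirrors Stefan's Access-Accept (EAP-Message = 0x03070004 decodes to Code 3 Success, Identifier 7, Length 4), the second is a constructed packet of the shape section 2.6.5 forbids.

```python
"""Validate the EAP-Message of an Access-Accept/Reject against RFC 3579.
Added example; attribute dumps constructed."""
import struct
from typing import Dict, List, Optional, Tuple

EAP_CODES = {1: "Request", 2: "Response", 3: "Success", 4: "Failure"}
EAP_TYPE_NOTIFICATION = 2

def parse_eap(raw: bytes) -> Dict[str, Optional[int]]:
    """Decode the EAP header (RFC 3748 section 4): Code, Identifier, Length,
    plus the Type byte that only Request/Response packets carry."""
    if len(raw) < 4:
        raise ValueError("EAP packet shorter than its 4-byte header")
    code, ident, length = struct.unpack("!BBH", raw[:4])
    if length != len(raw):
        raise ValueError(f"EAP Length {length} but {len(raw)} bytes present")
    eap_type = None
    if code in (1, 2):
        if length < 5:
            raise ValueError("EAP Request/Response needs a Type byte")
        eap_type = raw[4]
    elif code in (3, 4) and length != 4:
        raise ValueError("EAP Success/Failure must be exactly 4 bytes")
    return {"code": code, "id": ident, "length": length, "type": eap_type}

def parse_attr_dump(dump: str) -> List[Tuple[str, str]]:
    """'Name = value' lines as radiusd -X prints them; the timestamp line has
    no ' = ' and is skipped. Order matters: RFC 2869 concatenates consecutive
    EAP-Message attributes in the order they appear."""
    pairs = []
    for line in dump.splitlines():
        if " = " in line:
            name, value = line.split(" = ", 1)
            pairs.append((name.strip(), value.strip()))
    return pairs

def check_final_packet(dump: str) -> List[str]:
    """Findings for an Access-Accept/Reject; empty means it follows
    RFC 3579 sections 2.6.3, 2.6.5 and 3.2."""
    attrs = parse_attr_dump(dump)
    names = [n for n, _ in attrs]
    ptype = dict(attrs).get("Packet-Type")
    if ptype not in ("Access-Accept", "Access-Reject"):
        return [f"not a final packet: Packet-Type={ptype}"]
    findings = []
    count = names.count("EAP-Message")
    if count == 0:
        return [f"{ptype} carries no EAP-Message at all"]
    if count > 1:
        findings.append(f"{ptype} has {count} EAP-Message attributes; SHOULD be one")
    eap = parse_eap(b"".join(bytes.fromhex(v[2:]) for n, v in attrs if n == "EAP-Message"))
    want = 3 if ptype == "Access-Accept" else 4
    if eap["code"] != want:
        findings.append(f"{ptype} carries EAP {EAP_CODES.get(eap['code'], eap['code'])}, "
                        f"expected {EAP_CODES[want]}")
    if eap["code"] == 1 and eap["type"] == EAP_TYPE_NOTIFICATION:
        findings.append(f"{ptype} carries an EAP-Request/Notification (section 2.6.5)")
    if "Message-Authenticator" not in names:
        findings.append("EAP-Message without Message-Authenticator (section 3.2)")
    return findings

# Constructed dumps: the first mirrors the Access-Accept from the thread
# (key material replaced), the second is what section 2.6.5 forbids.
SAMPLE_ACCEPT = """\
Packet-Type = Access-Accept
Wed Sep 19 11:59:25 2007
MS-MPPE-Recv-Key = 0x00
MS-MPPE-Send-Key = 0x00
EAP-Message = 0x03070004
Message-Authenticator = 0x593773a711f50bd8b4ce98434a7e1590
User-Name = user@example.org
Proxy-State = 0x323039
"""
SAMPLE_NOTIFY = """\
Packet-Type = Access-Accept
EAP-Message = 0x010800060241
Message-Authenticator = 0x00000000000000000000000000000000
"""

if __name__ == "__main__":
    for label, dump in (("thread", SAMPLE_ACCEPT), ("notification", SAMPLE_NOTIFY)):
        print(label, check_final_packet(dump) or "conforms")
```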
Freeradius and Windows Vista
I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. Authentication from XP works flawlessly and, from what I have been able to tell, with these versions I should be able to have Vista do PEAP/MSChapv2 authentication via Freeradius. However, it still seems that Vista stops the authentication process before the ntlm_auth call is made. Am I missing something obvious here?

Thanks.
PAM authentication and groups
Hi,

I have freeradius configured to authenticate users with PAM, working fine. Now I want to add group membership checking. I have the following users entry:

DEFAULT Auth-type = PAM, Group-name == netadmin
        Service-Type = Login-User,
        Cisco-AVPair = shell:priv-lvl=15,
        Fall-Through = 0

That doesn't work. I tested with the Group attribute too. The user that I use in radtest is a member of the netadmin group.

One thing: the group membership must be queried via nsswitch (getgrnam()), because the users are not local, they are in an LDAP server (I can't use rlm_ldap now, we are in transition).

What am I missing?

regards,
diegows

--
---
Diego Woitasen
---
Re: Freeradius and Windows Vista
Neal Bullins wrote:
> I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. Authentication from XP works flawlessly and, from what I have been able to tell, with these versions I should be able to have Vista do PEAP/MSChapv2 authentication via Freeradius. However, it still seems that Vista stops the authentication process before the ntlm_auth call is made. Am I missing something obvious here?

Nope. Vista *should* work, other people have it working with similar configurations.

Alan DeKok.
New dictionary for huawei-3com
Hello, 3Com is now also using #25506 (H3C - huawei-3com) vendor attribute in a new firmware (3.3.0) for 3c5500G switches. This patch adds appropriate dictionary and also moves hp to be properly sorted. Best regards, Krzysztof Olędzki diff -Nur freeradius-1.1.7-orig/share/dictionary freeradius-1.1.7/share/dictionary --- freeradius-1.1.7-orig/share/dictionary 2007-04-08 16:42:06.0 +0200 +++ freeradius-1.1.7/share/dictionary 2007-09-19 18:11:17.0 +0200 @@ -111,6 +111,8 @@ $INCLUDE dictionary.foundry $INCLUDE dictionary.gandalf $INCLUDE dictionary.gemtek +$INCLUDE dictionary.h3c +$INCLUDE dictionary.hp $INCLUDE dictionary.issanni $INCLUDE dictionary.itk $INCLUDE dictionary.ipunplugged @@ -119,7 +121,6 @@ $INCLUDE dictionary.livingston $INCLUDE dictionary.localweb $INCLUDE dictionary.lucent -$INCLUDE dictionary.hp $INCLUDE dictionary.microsoft $INCLUDE dictionary.mikrotik $INCLUDE dictionary.navini diff -Nur freeradius-1.1.7-orig/share/dictionary.h3c freeradius-1.1.7/share/dictionary.h3c --- freeradius-1.1.7-orig/share/dictionary.h3c 1970-01-01 01:00:00.0 +0100 +++ freeradius-1.1.7/share/dictionary.h3c 2007-09-19 18:14:58.0 +0200 @@ -0,0 +1,18 @@ +# -*- text -*- +# +# Dictionary for Huawei-3Com +# http://www.h3c.com +# +# $Id: dictionary.h3c,v 0.1 2007/09/19 18:10:00 ole Exp $ +# + +VENDOR H3C 25506 + +BEGIN-VENDOR H3C + +ATTRIBUTE H3C-Connect_Id 26 integer +ATTRIBUTE H3C-NAS-Startup-Timestamp 59 integer +ATTRIBUTE H3C-Ip-Host-Addr60 string +ATTRIBUTE H3C-Product-ID 255 string + +END-VENDOR H3C - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
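Review bot: in the dictionary.h3c hunk the line `ATTRIBUTE H3C-Ip-Host-Addr60 string` has no separator between the attribute name and its number, unlike the three ATTRIBUTE lines around it; it should read `ATTRIBUTE H3C-Ip-Host-Addr 60 string`, otherwise the dictionary parser sees a name of `H3C-Ip-Host-Addr60` and no number. A smaller style point in the same hunk: `H3C-Connect_Id` mixes an underscore into names that otherwise use hyphens; `H3C-Connect-Id` would match the other three unless the vendor documentation spells it with the underscore.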
RE: Freeradius and Windows Vista
Make sure you're using a recent version of samba. Many distros still ship with older versions that won't work.

josh.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 19 September 2007 17:09
To: FreeRadius users mailing list
Subject: Re: Freeradius and Windows Vista

Neal Bullins wrote:
> I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. Authentication from XP works flawlessly and, from what I have been able to tell, with these versions I should be able to have Vista do PEAP/MSChapv2 authentication via Freeradius. However, it still seems that Vista stops the authentication process before the ntlm_auth call is made. Am I missing something obvious here?

Nope. Vista *should* work, other people have it working with similar configurations.

Alan DeKok.
Re: PAM authentication and groups
2007/9/19, Alan DeKok [EMAIL PROTECTED]:
> Diego Woitasen wrote:
>> ...
>> That doesn't work.
>
> And what do you mean by that? See the FAQ.
>
> Alan DeKok.

That entry/configuration. I read the FAQ and I can't see anything interesting. The question is, does radius use nsswitch to check group membership when using PAM authentication?

--
---
Diego Woitasen
---
Re: PAM authentication and groups
Diego Woitasen wrote:
> That entry/configuration. I read the FAQ and I can't see anything interesting. The question is, does radius use nsswitch to check group membership when using PAM authentication?

Q: Hi I tried to do stuff, but it didn't work. Why?
A: WTF?

It's difficult to help you if you don't say what you expected to happen, AND what actually happened. It's frustrating to have people post configurations and ask "why doesn't this work?"

The documentation and FAQ cover how to ask questions on the list, and what information we need to help you.

Alan DeKok.
Re: Configuring FreeRADIUS to use ntlm_auth
Alan:

Great ... you have reason ... My NAS was configured to send only PAP requests. I reconfigured it to accept MS-CHAP and my FreeRadius works well.

Best Regards.
Charles.

Alan DeKok [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
17/09/2007 16:28
Please reply to FreeRadius users mailing list

To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
cc:
bcc: Charles Alcantara Borba/COPEL
Subject: Re: Configuring FreeRADIUS to use ntlm_auth

[EMAIL PROTECTED] wrote:
> 3) Configuring FreeRADIUS to use ntlm_auth for MS-CHAP - It didn't work ... I don't know what is wrong ... My FreeRadius output presents the same messages as previously:

You're not sending it an MS-CHAP request. Perhaps that's part of the problem.

Alan DeKok.

This message and its attachments have been checked by anti-virus software. It is recommended that attachments of messages with doubtful content or sender not be opened and/or executed.
Re: PAM authentication and groups
2007/9/19, Alan DeKok [EMAIL PROTECTED]:
> Diego Woitasen wrote:
>> That entry/configuration. I read the FAQ and I can't see anything interesting. The question is, does radius use nsswitch to check group membership when using PAM authentication?
>
> Q: Hi I tried to do stuff, but it didn't work. Why?
> A: WTF?
>
> It's difficult to help you if you don't say what you expected to happen, AND what actually happened. It's frustrating to have people post configurations and ask "why doesn't this work?"
>
> The documentation and FAQ cover how to ask questions on the list, and what information we need to help you.
>
> Alan DeKok.

I think the question is too simple to give more detail. I rewrite the question: Can I use PAM for authentication and LDAP for group checking? Or PAM for authentication and group checking with nsswitch?

--
---
Diego Woitasen
---
RE: Limit users traffic quota via radius
You can tell the NAS to send accounting updates every so often (every hour, for example, with "aaa accounting update periodic 60" on Cisco) and calculate the amount of traffic each user has consumed with an SQL query in the Radius database. Another option is to query the NAS with SNMP.

Check this to reset the user's interface with packet of disconnect: http://wiki.freeradius.org/Packet_of_Disconnect

I wrote some articles about this on http://www.netexpertise.eu/en/FreeRadius/index.html

A small script in shell would do what you want...

David Rozé
http://www.netexpertise.eu

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Massimiliano Macrì
Sent: 19 September 2007 15:09
To: FreeRadius users mailing list
Subject: Re: Limit users traffic quota via radius

Hi,

so basically all I need is an RFC 3576-compliant radius server and the correct VSA specific to the Cisco device?

What I do not understand is if:
- the radius server checks the quota (but how and how often?) and then pushes the disconnect to the device, or
- the device, once the user is authenticated, gets a profile and then checks the quota with an internal specific process (specified by a VSA), with the action after the threshold.

I'm a bit confused, as the snmp/script solution implies that a machine should login/check the virtual interface status and then issue a command like shutdown, correct? Is this the only way to accomplish a QoS task!?

Thanks for your help,
Massimiliano

Peter Nixon wrote:
> This is not correct. You may use SNMP, or you may use a RADIUS Change of Authority/Packet of Disconnect request...
>
> Regards
> Peter
>
> On Wed 19 Sep 2007, Willie Yeo wrote:
>> You need SNMP to disconnect the link, not Radius. The only other way I can think of is that, if you can use an external program/script to check the quota from your accounting records, and then if that quota is reached, then the program sends SNMP to disconnect the user.
>>
>> On 18/09/2007, at 6:34 PM, Massimiliano Macrì wrote:
>>> I'm trying to close the connection of a pre-paid mobile user after he has reached a limited amount of traffic (i.e. 100 megabytes); the network device is a Cisco router. I've found many ways to rate-limit the traffic bandwidth but not one to do this. Is RADIUS the correct way to achieve this goal? Is it all about VSAs?
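The approach David describes has three steps: interim accounting updates keep radacct current, an SQL query sums each user's octets against the quota, and every open session of a user over quota is torn down with a Packet of Disconnect. The script below is an added example (not from the thread or from the linked articles) that carries those steps through on an in-memory SQLite copy of the FreeRADIUS radacct columns; the rows, the 100 MB quota and the radclient invocation mentioned in the comment are constructed or assumed, not taken from the page.

```python
"""Quota check over FreeRADIUS accounting rows, producing the attribute
lists a Disconnect-Request (RFC 3576) needs. Added example; data constructed."""
import sqlite3
from typing import Dict, List

QUOTA_BYTES = 100 * 1024 * 1024   # the "100 megabytes" from the question

SCHEMA = """
CREATE TABLE radacct (
    acctsessionid    TEXT,
    username         TEXT,
    nasipaddress     TEXT,
    framedipaddress  TEXT,
    acctinputoctets  INTEGER,
    acctoutputoctets INTEGER,
    acctstoptime     TEXT      -- NULL while the session is still open
);"""

# Constructed rows. An Interim-Update overwrites the counters of its open
# session, so each row holds the latest known total for that session.
SAMPLE_ROWS = [
    ("0001", "alice", "10.0.0.1", "192.168.1.10", 40_000_000, 70_000_000, None),
    ("0002", "bob",   "10.0.0.1", "192.168.1.11",  5_000_000,  8_000_000, None),
    ("0003", "alice", "10.0.0.1", "192.168.1.10",  1_000_000,  2_000_000, "2007-09-19 10:00:00"),
    ("0004", "carol", "10.0.0.2", "192.168.1.12", 60_000_000, 50_000_000, "2007-09-19 11:00:00"),
]

def load_sample() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO radacct VALUES (?,?,?,?,?,?,?)", SAMPLE_ROWS)
    return conn

def users_over_quota(conn: sqlite3.Connection, quota: int) -> Dict[str, int]:
    """Total octets per user over all sessions (a prepaid quota counts closed
    sessions too), restricted to users above the quota."""
    rows = conn.execute(
        "SELECT username, SUM(acctinputoctets + acctoutputoctets) "
        "FROM radacct GROUP BY username "
        "HAVING SUM(acctinputoctets + acctoutputoctets) > ?", (quota,))
    return {user: total for user, total in rows}

def open_sessions(conn: sqlite3.Connection, user: str) -> List[dict]:
    """Sessions without a Stop record: the only ones a disconnect can affect."""
    rows = conn.execute(
        "SELECT acctsessionid, nasipaddress, framedipaddress FROM radacct "
        "WHERE username = ? AND acctstoptime IS NULL", (user,))
    return [dict(zip(("session", "nas", "ip"), r)) for r in rows]

def pod_attributes(user: str, sess: dict) -> str:
    """Session-identification attributes for a Disconnect-Request (RFC 3576
    section 3) in the 'Name = value' form radclient reads from stdin."""
    return "\n".join([
        f'User-Name = "{user}"',
        f'Acct-Session-Id = "{sess["session"]}"',
        f'NAS-IP-Address = {sess["nas"]}',
        f'Framed-IP-Address = {sess["ip"]}',
    ])

def disconnect_plan(conn: sqlite3.Connection, quota: int) -> List[str]:
    """One attribute block per open session of every user over quota."""
    plan = []
    for user in users_over_quota(conn, quota):
        for sess in open_sessions(conn, user):
            plan.append(pod_attributes(user, sess))
    return plan

if __name__ == "__main__":
    conn = load_sample()
    for block in disconnect_plan(conn, QUOTA_BYTES):
        # Each block would be piped to something like
        #   radclient -x <nas-ip>:3799 disconnect <shared-secret>
        # (3799 is the RFC 3576 default port; the exact radclient command
        # line is an assumption about the local build, not from the thread).
        print(block, end="\n\n")
```

With the constructed data, alice (113 MB across an open and a closed session) is the only candidate; carol is also over quota but has no open session left to disconnect.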
FreeRADIUS and iODBC
You must use a DSN of 'radius' in odbc.ini when using the iodbc SQL module. You can't use any other name. I have this working against MSSQL.

josh.

JANET(UK) is a trading name of The JNT Association, a company limited by guarantee which is registered in England under No. 2881024 and whose Registered Office is at Lumen House, Library Avenue, Harwell Science and Innovation Campus, Didcot, Oxon OX11 0SG
Re: Freeradius and Windows Vista
> Hi, I am running FR version 1.1.7 along with OpenSSL 0.9.8c on Debian. Authentication from XP works flawlessly and from what I have been able to tell, with these versions I should be able to have Vista do PEAP/MSChapv2 authentication via Freeradius. However, it still seems that Vista stops the authentication process before the ntlm_auth call is made. Am I missing something obvious here?

1.1.7 works fine with Vista here - though as pointed out elsewhere there might be an issue with samba 3.0.23c and higher...

alan
Re: PAM authentication and groups
Groups are a part of authorization so there is no conflict with any authentication method. You can use ldap (Ldap-Group), sql (Sql-Group), unix (Group) ...

Ivan Kalik
Kalik Informatika ISP

On 19/9/2007, Diego Woitasen [EMAIL PROTECTED] wrote:
> 2007/9/19, Alan DeKok [EMAIL PROTECTED]:
> > Diego Woitasen wrote:
> > > That entry/configuration I read the FAQ and I can't see anything interesting. The question is, does radius use nsswitch to check group membership when using PAM authentication?
> >
> > Q: Hi I tried to do stuff, but it didn't work. Why?
> > A: WTF?
> >
> > It's difficult to help you if you don't say what you expected to happen, AND what actually happened. It's frustrating to have people post configurations and ask "why doesn't this work?" The documentation and FAQ cover how to ask questions on the list, and what information we need to help you.
> >
> > Alan DeKok.
>
> I think the question is too simple to give more detail. I rewrite the question: Can I use PAM for authentication and LDAP for group checking? Or PAM for authentication and group checking with nsswitch?
>
> --
> Diego Woitasen
RE: EAP testing without AP?
I'm running freeradius 1.1.7 and wpa_supplicant 0.5.8. Seems the message was printed by tls_openssl.c in wpa_supplicant. Thanks.

/ST

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, September 19, 2007 6:19 PM
To: FreeRadius users mailing list
Subject: Re: EAP testing without AP?

ST Wong (ITSC) wrote:
> Thanks for all advice. Result of testing using eapol_test is okay, except error OpenSSL: tls_connection_handshake - Failed to read possible Application Data error::lib(0):func(0):reason(0) is found:
> ...
> However, the rest of debug message seems to be normal. I've no idea about the cause of this message. Would anyone pls help?

Don't use an old version of the server. Version 1.1.7 doesn't print this message.

Alan DeKok.
Re: odd user authenticated...
Joe Vieira wrote:
> Hello, Here is the run down on my set up. RHEL5 64bit - freeradius 1.1.6, samba 3.0.23c-2, using peap(ms-chapv2)/ntlm_auth for authentication and ldap for authorization. So I have ntlm_auth configured and working correctly. Every time a specific user logs in, I see this directly after his login success.

Are you sure he's not trying to do anything nefarious?

> 80986-Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\USER/no User-Password attribute] (from client UNKNOWN-CLIENT port 0)
> - user auth line.
>
> 80987:Tue Sep 18 17:10:37 2007 : Auth: Login OK: [RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 port 29 cli 00-1B-77-27-B2-48)
> - freaky line
>
> now, that looks like extended unicode to me in the username... obviously we don't have a user named that, or even a domain named 'RUN'; moreover it doesn't seem like that username should even have been authorized thru the ldap rules

So... run in debugging mode to see what's going on.

Alan DeKok.
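A defender-side check for the kind of line Joe pasted (a "Login OK" whose User-Name carries octal-escaped non-printable bytes and a domain nobody recognizes), written here as an added example; it is not code from the thread or from FreeRADIUS. The log lines are constructed in the 1.x format quoted above, the escaping (a doubled backslash for a literal backslash, a three-digit octal escape for a raw byte) is assumed from those quoted lines, and the users, client names and MACs are fictional.

```python
import re

# Constructed Auth log lines in the format quoted in the thread (fictional users,
# client names and MACs). radiusd logs a backslash as \\ and a non-printable
# byte as a three-digit octal escape, so the raw string keeps them verbatim.
SAMPLE_LOG = r"""
Tue Sep 18 17:10:37 2007 : Auth: Login OK: [students\\jdoe/no User-Password attribute] (from client wism2 port 29 cli 00-00-5E-00-53-01)
Tue Sep 18 17:10:37 2007 : Auth: Login OK: [RUN\\\305\355\277\255/no User-Password attribute] (from client wism2 port 29 cli 00-00-5E-00-53-01)
Tue Sep 18 17:11:02 2007 : Auth: Login incorrect: [students\\asmith/<via Auth-Type = EAP>] (from client wism1 port 13 cli 00-00-5E-00-53-02)
Tue Sep 18 17:12:45 2007 : Auth: Login OK: [guest/no User-Password attribute] (from client wism1 port 7 cli 00-00-5E-00-53-03)
""".strip().splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<result>OK|incorrect): "
    r"\[(?P<user>[^/\]]*)/[^\]]*\] \(from client (?P<client>\S+) port \d+(?: cli (?P<cli>\S+))?\)$"
)
ESCAPE_RE = re.compile(r"\\([0-7]{3}|\\)")

def unescape(logged):
    """Undo the log escaping: a doubled backslash -> one backslash, \\NNN -> that raw byte."""
    out, pos = bytearray(), 0
    for m in ESCAPE_RE.finditer(logged):
        out += logged[pos:m.start()].encode()
        esc = m.group(1)
        out.append(0x5C if esc == "\\" else int(esc, 8))
        pos = m.end()
    out += logged[pos:].encode()
    return bytes(out)

def audit(lines, known_domains):
    """Return (cli, domain, user_bytes, reasons) for each accepted login whose
    User-Name contains non-printable bytes or a domain outside known_domains."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m.group("result") != "OK":
            continue
        raw = unescape(m.group("user"))
        domain, sep, user = raw.partition(b"\\")   # DOMAIN\user form as in the thread
        domain = domain.decode("latin-1") if sep else ""
        reasons = []
        if any(b < 0x20 or b > 0x7E for b in raw):
            reasons.append("non-printable bytes in User-Name")
        if domain and domain not in known_domains:
            reasons.append(f"unknown domain {domain!r}")
        if reasons:
            findings.append((m.group("cli"), domain, user if sep else raw, reasons))
    return findings
```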
Re: Proxy server config with PAP or CHAP
Amit Jain wrote:
> Thanks for the reply. But it was a surprise to me as I thought when I forward the request to another radius server, I should be able to choose the authentication method.

What gave you that idea?

> I thought something to configure by Auth-Type configuration ???

No, that tells the *current* server how to authenticate the user. The server can authenticate the user itself, OR proxy the request to another server. It CANNOT modify the authentication protocol as it is proxying.

Alan DeKok.
Do we like the same books?
I just joined Shelfari to connect with other book lovers. Come see the books I love and see if we have any in common. Then pick my next book so I can keep on reading.

Click below to join my group of friends on Shelfari!
http://www.shelfari.com/Register.aspx?ActivityId=16229756InvitationCode=dae2bf68-74e4-445c-a478-daa266b19077

voipexpert

Shelfari is a free site that lets you share book ratings and reviews with friends and meet people who have similar tastes in books. It also lets you build an online bookshelf, join book clubs, and get good book recommendations from friends. You should check it out.

You have received this email because voipexpert ([EMAIL PROTECTED]) directly invited you to join his/her community on Shelfari. It is against Shelfari's policies to invite people who you don't know directly. Follow this link (http://www.shelfari.com/actions/[EMAIL PROTECTED]activityid=16229756) to prevent future invitations to this address. If you believe you do not know this person, you may view (http://www.shelfari.com/voipexpert) his/her Shelfari page or report him/her in our feedback (http://www.shelfari.com/Feedback.aspx) section.

Shelfari, 616 1st Ave #300, Seattle, WA 98104