Re: the termination of Lost-Carrier
but this kind of termination makes him unable to login... but a day later, he can login again... have you met such a situation?

On Sat, Jul 3, 2010 at 6:43 PM, Alan Buxey wrote:
> Hi,
>
> > but what does lost-carrier means? I can't find in freeradius's wiki, but
> > I saw this status in Daloradius
> > and when will the termination be Lost-Carrier? and the user whose
> > termination is Lost-Carrier can't login the next day, the next next day,
> > he can login again, I don't know why? can somebody figure this out?
>
> the session went without proper goodbyes etc - eg phone line dropped or
> wifi link went.
> those are 2 quick and basic examples.
>
> alan

--
Spacelee

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
AW: mschap/peap question
I installed samba 3.4.8 and it produces the same errors as the previous version.
Should the only workaround really be downgrading back to samba/winbind 3.0.30 as suggested in https://bugzilla.samba.org/show_bug.cgi?id=6563 ?
It is hard to believe that the only way to use peap/mschap in this context requires that old versions of samba :-(

Norbert Wegener

...

Hi,

> Using the users file it works. So samba can be blamed even in the current
> version 3.4.7 :-(

I've had several reports that 3.4.8 works - which isn't even the latest version (that's 3.5.4!)
3.4.x is old but I personally have no experience of whether any 3.5.x works

alan
Re: freeradius2 with EAP-TLS and LDAP authorization
For starting it should be enough but what I am not able to do is to set up the correct sequence.
First I need to extract the CN field (which can be done and I already did and I can set up a list of allowed CN in the users file), and after I need to do an LDAP query to check for authorization.
How can I do the following in this exact order?
LDAP authorization is tried first then comes authentication or am I wrong?
What I'd need is to extract the CN and check it against LDAP attributes...
How might I do it?

thank you

Riccardo

Alan DeKok wrote:
> Edgar Fuß wrote:
> > I don't understand. rlm_eap's check_cert_cn must be able to extract the CN
> > from the user certificate in order to check it against User-Name (or
> > whatever).
>
> Yes...
>
> > Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name
> > for an extracted CN for whatever additional lookup you need.
>
> Yes.
>
> > Or am I getting it wrong?
>
> No. But there's no code to extract other fields from the cert.
>
> Alan DeKok.
Re: how to encrypting accounting?
Fabio Dive wrote:
> I am looking for a way to TLS encrypt accounting messages between
> Freeswitch and remote Freeradius,
> actually I can do only clear text accounting with simple shared key auth.

Install a VPN.

> Is there a way using configurations files to setup TLS accounting?

No.

> Do I need to code a bit with freeradius-client library?

You will need to add a *lot* of code.

Alan DeKok.
Re: freeradius2 with EAP-TLS and LDAP authorization
Edgar Fuß wrote:
> I don't understand. rlm_eap's check_cert_cn must be able to extract the CN
> from the user certificate in order to check it against User-Name (or
> whatever).

Yes...

> Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name
> for an extracted CN for whatever additional lookup you need.

Yes.

> Or am I getting it wrong?

No. But there's no code to extract other fields from the cert.

Alan DeKok.
Re: freeradius2 with EAP-TLS and LDAP authorization
RV> but if I wanted to extract the emailAddress or CN field from the
RV> X509 certificate and authorize it against my LDAP tree
AdK> The limitation isn't the users file.
AdK> It's that extracting the fields from the certificate is hard.

I don't understand. rlm_eap's check_cert_cn must be able to extract the CN from the user certificate in order to check it against User-Name (or whatever).
Or at least, with check_cert_cn = %{User-Name}, you can substitute User-Name for an extracted CN for whatever additional lookup you need.
Or am I getting it wrong?
how to encrypting accounting?
Hello,

yesterday I successfully installed freeswitch 1.0.6 with mod_radius_cdr accounting on a remote freeradius 2.1.9 server, freeswitch uses freeradius-client 1.1.6 library.

I am looking for a way to TLS encrypt accounting messages between Freeswitch and remote Freeradius, actually I can do only clear text accounting with simple shared key auth.

Is there a way using configurations files to setup TLS accounting?
Do I need to code a bit with freeradius-client library?

I keep trying, for the moment many thanks,
cheers,
Fabio
Re: Freeradius + AD + Cisco authetication
Jevos, Peter wrote:
> Thank you alan,
> yes i can check the man page ( to be honest, that was i afraid of : ),but i
> was looking for the examples

Please also edit your replies. There is no need to leave the original message at the top of your reply.

> As i wrote in my first email, cisco is configured and working well with the
> IAS radius server.
> I was solving the freeradius against the cisco. To be honest, i still cannot
> understand what should contain users file, and other files.
> One example how to configure the users file and other files would be enough

The "users" file contains documentation and *many* examples. There's no need for me to cut & paste those examples on this list. You already have them in front of you.

Alan DeKok.
Re: FreeRadius + AD + Realms
Matthew P wrote:
> I forgot to mention that I need the "user" portion of "u...@mydomain.com" for
> sql too.
> "u...@mydomain.com" only needs to be sent to the home server (in case the
> user doesn't have "@mydomain.com" or "@mydomain2.com"). In other words,
> both AD and DB contain usernames, without any realms.
> I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't
> seem to figure out how to make the logic - "take everything before @ as a
> username". So please help.

See "man regex" for the regex format.

> In a general regexp language, I guess that could be done with
> ([\w.-]+)(?...@.*).

Most regexes don't support \w, or (?... constructs. Keep it simple:

    if (User-Name =~ /^(.*)@(.*)$/) {
        # name = %{1}
        # realm = %{2}
    }

Alan DeKok.
Re: FreeRadius + AD + Realms
Thanks for your help Alan, it really makes a difference when learning about Freeradius configuration.

> So... decode the user-name using a regex. You can then use that in
> the LDAP configuration. The LDAP user search is configurable for a
> *reason*.

I forgot to mention that I need the "user" portion of "u...@mydomain.com" for sql too.
"u...@mydomain.com" only needs to be sent to the home server (in case the user doesn't have "@mydomain.com" or "@mydomain2.com"). In other words, both AD and DB contain usernames, without any realms.
I've been reading http://freeradius.org/radiusd/man/unlang.html, and can't seem to figure out how to make the logic - "take everything before @ as a username". So please help.
In a general regexp language, I guess that could be done with ([\w.-]+)(?...@.*).

> It's an option, but not the only way to do it.
>
> if (User-Name =~ /@mydomain.com/) {
>     ldap
> }
> elsif (User-Name =~ /@mydomain2.com/) {
>     sql
> }
> else {
>     update control {
>         Proxy-To-Realm := "other"
>     }
> }

Works nicely, thanks for this hint.

Matthew
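Added example, not part of either post above: a Python model of the realm routing quoted in this thread and of the `^(.*)@(.*)$` split from the reply, showing which User-Names the unanchored patterns send to a local backend and what name would then be looked up. The anchored patterns, the sample names and the function names are assumptions of this example; Python's `re` stands in for the server's regex engine.

```python
import re

# Realm tests as quoted in the thread: unanchored, '.' left unescaped.
THREAD_RULES = [(re.compile(r"@mydomain.com"), "ldap"),
                (re.compile(r"@mydomain2.com"), "sql")]

# Tightened variants (this example's assumption, not from the thread):
# anchored at both ends, literal dot, exactly one '@', non-empty user part.
STRICT_RULES = [(re.compile(r"^([^@]+)@mydomain\.com$"), "ldap"),
                (re.compile(r"^([^@]+)@mydomain2\.com$"), "sql")]

# The split regex from the reply: greedy, so %{1} runs up to the LAST '@'.
SPLIT = re.compile(r"^(.*)@(.*)$")


def route(user_name, rules):
    """Mimic the if/elsif/else chain: return (backend, name used for lookup)."""
    for pattern, backend in rules:
        match = pattern.search(user_name)
        if match:
            if pattern.groups:            # strict rule captured the user part
                return backend, match.group(1)
            return backend, SPLIT.match(user_name).group(1)
    return "proxy:other", user_name       # Proxy-To-Realm := "other"


def disagreements(names):
    """User-Names that the two rule sets send to different places."""
    return [n for n in names if route(n, THREAD_RULES) != route(n, STRICT_RULES)]


# Constructed sample User-Names (not taken from any real log).
SAMPLES = [
    "alice@mydomain.com",
    "bob@mydomain2.com",
    "carol@example.org",
    "dave@mydomainXcom",
    "erin@mydomain.com.example.net",
    "frank@example.net@mydomain.com",
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:32} thread={route(name, THREAD_RULES)} "
              f"strict={route(name, STRICT_RULES)}")
```

The last three samples are handled locally by the quoted patterns but fall through to the proxy branch once the patterns are anchored and the dot is escaped.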
Re: mschap/peap question
Hi,

> Using the users file it works. So samba can be blamed even in the current
> version 3.4.7 :-(

I've had several reports that 3.4.8 works - which isn't even the latest version (that's 3.5.4!)
3.4.x is old but I personally have no experience of whether any 3.5.x works

alan
Re: the termination of Lost-Carrier
Hi,

> but what does lost-carrier means? I can't find in freeradius's wiki, but I
> saw this status in Daloradius
> and when will the termination be Lost-Carrier? and the user whose termination
> is Lost-Carrier can't login the next day, the next next day, he can login
> again, I don't know why? can somebody figure this out?

the session went without proper goodbyes etc - eg phone line dropped or wifi link went.
those are 2 quick and basic examples.

alan
Re: Freeradius + AD + Cisco authetication
Jevos, Peter wrote:
> However I was not able to find in these links anything about the
> --require-membership-of

See the "man" page for ntlm_auth. It is just a Unix command that can be run, like anything else.

> and the vpn cisco client example
> (also find on these pages found nothing :)

That's a Cisco issue, for Cisco documentation.

Alan DeKok.
RE: Freeradius + AD + Cisco authetication
> Jevos, Peter wrote:
> > However I was not able to find in these links anything about the
> > --require-membership-of
>
> See the "man" page for ntlm_auth. It is just a Unix command that can be run, like anything else.
>
> > and the vpn cisco client example
> > (also find on these pages found nothing :)
>
> That's a Cisco issue, for Cisco documentation.
>
> Alan DeKok.

Thank you alan,
yes i can check the man page ( to be honest, that was i afraid of : ),but i was looking for the examples
As i wrote in my first email, cisco is configured and working well with the IAS radius server.
I was solving the freeradius against the cisco. To be honest, i still cannot understand what should contain users file, and other files.
One example how to configure the users file and other files would be enough
RE: Freeradius + AD + Cisco authetication
> Jevos, Peter wrote:
> > How should look like the ntlm_auth file ? How should look like mschap module ?
> > How should look like parameter --require-membership-of in these files ?
> >
> > How should look like users file ?
> > These answers I was not able to find in any documentation
>
> Read the URLs from the previous message. This *is* documented. If you can't find it, read the documentation again.
>
> Alan DeKok.

Thank you for your answer Alan
However I was not able to find in these links anything about the --require-membership-of and the vpn cisco client example (also find on these pages found nothing :)
Anyway I will follow your advice and read the documentation on these links again
Thank you
Re: freeradius2 with EAP-TLS and LDAP authorization ?
Riccardo Veraldi wrote:
> Hello,
> is it possible in some way to use EAP-TLS X509 authentication together
> with LDAP authorization in freeradius2 ?

Yes. You can look the username up in LDAP, and reject the request if the user doesn't exist.

> Actually freeradius2 allows EAP-TLS authentication, but if I wanted to
> extract the emailAddress or CN field
> from the X509 certificate and authorize it against my LDAP tree
> information to allow or disallow WiFi access,
> is it possible ??

Not really, no.

> Or the only way to authorize a EAP-TLS X509 user is only thru
> freeradius2 users file ?

The limitation isn't the users file. It's that extracting the fields from the certificate is hard.
Patches are welcome.

Alan DeKok.