RE: wpa2 freeradius peap rlm_perl

2011-12-09 Thread Ray Eads

Hi.  I have discovered that my goal is possible.  However, I had to change the 
way I was thinking about the authentication.  Essentially, the rlm_perl script 
does not perform the password comparison--it only retrieves the password and 
makes it available to the mschap module. 

Summary:  Yes, you can authenticate Windows clients with WPA2 PEAP using a perl 
script.



--
Ray Eads




-Original Message-
From: freeradius-users-bounces+reads=sno-isle@lists.freeradius.org 
[mailto:freeradius-users-bounces+reads=sno-isle@lists.freeradius.org] On 
Behalf Of Ray Eads
Sent: Monday, December 05, 2011 14:30
To: 'freeradius-users@lists.freeradius.org'
Subject: wpa2 freeradius peap rlm_perl


Hi.  I'm using freeradius-2.1.10-5.el6.x86_64 from RHEL 6.  I'd like to use 
freeradius to accomplish a specific authentication goal, and haven't met with 
success yet.  I'm assuming this is either because the configuration is 
difficult, or I'm trying to solve the problem the wrong way, or I don't 
understand the protocols, or a combination of all three.

Essentially, I'd like to have an access point offer WPA2 Enterprise 
authentication to wireless devices of various makes and models.  I'd like the 
user to submit for traditional username/password authentication to the radius 
server (without a client side certificate).  I'm able to produce a yes/no 
answer with an rlm_perl script that functions as expected with a normal radius 
query.  My problem is that I haven't been able to connect that rlm script 
properly when freeradius is contacted as part of an EAP message.  

From what I can tell, my choice of Windows compatible EAP types is fairly 
limited.  I've used PEAP in the past, but only with the intended AD repository 
of passwords.  With this application, I'd like to use the rlm_perl script 
instead of AD accounts as a source of usernames and passwords.

Big picture-wise, am I on the right path, or is this fundamentally the wrong 
way? I'm imagining a PEAP -> rlm_perl configuration.  


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Query regarding LEAP-authentication

2011-12-09 Thread Alan Buxey
LEAP is an older form of 802.1X authentication method...superseded by PEAP, 
TTLS etc.  You need to define a RADIUS server and use WPA/enterprise or 
WPA2/enterprise, or the LEAP option if your kit supports it (its sometimes 
listed separately) WEP is not LEAP.

alan



Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Alan Buxey
Does the router send any accounting packets ? The accounting packets, if sent 
ate from the NAS and therefore won't be in any EAP tunnel

the clients will be using 802.11i , hence EAP , hence the need to know and 
trust the server cert of the RADIUS server


alan



Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Alan DeKok
Michel Bulgado wrote:
> Excuse me everyone on the list for insisting so much with this issue,
> I'm interested in solving this problem.

  Solving the problem means buying a NAS which works.  Linksys ones are
usually NOT good enough for what you want to do.

> In conclusion what we discussed, my Linksys router when accounting
> packets sent after authenticating my user, but not shown or at least are
> suppressed by TTLS. is not so?

  I have no idea what that means.

> So should I change the mechanism to use!

  If the NAS isn't doing accounting correctly, blame the NAS.

  This is *ALWAYS* the problem with RADIUS.  The NAS is in control of
*everything*.  If something is going wrong, then BLAME THE NAS.

  No amount of poking FreeRADIUS or posting on this list will result in
your NAS magically working.

> Can you recommend any, that the process simple client-side that does not
> involve installation of certificates in the client side.
> 
> As simple as the user only have to put user and password to connect

  It's impossible.  WiFi 802.1X doesn't work that way.

  Alan DeKok.


Re: Query regarding LEAP-authentication

2011-12-09 Thread Alan DeKok
Ajay Garg wrote:
> I am trying to connect to a network, via LEAP authentication.

  Don't.  LEAP is insecure and SHOULD NOT be used.

  Alan DeKok.


Query regarding LEAP-authentication

2011-12-09 Thread Ajay Garg
Hi all.

I am trying to connect to a network, via LEAP authentication.

When I open 192.168.1.1 (IP address of my router), and visit the "wireless"
section, I see that there are four different options
1. Radius
2. WPA Enterprise
3. WPA2 Enterprise
4. WPA/WPA2 Enterprise

2., 3., 4. are obvious. I believe 1. indicates that the router (access
point) supports LEAP authentication. (I ask this, because I have read at
many places, that LEAP-authentication requires support from the
access-point.)

So, assuming the above is true, I proceed further.

Now, at 192.168.1.1, besides the obvious settings for WPA/WPA2, there is
also a setting for "WEP" keys (which I believe is requried for LEAP
authentication). Fair enough. I have set a WEP key.


Now, I try to connect through nm-applet.

nm-applet asks me two parameters (besides the obvious ones, like SSID,
etc.) :
a. Username
b. Password
*
Now, my query is, what do these two parameters correspond to ? (The most
obvious answer is that they correspond to username-password, as set in
"users" file for the freeradius server - the obvious pair that is used in
TTLS, TLS and PEAP authentication. But then where does WEP keys come into
picture ??)*


Obviously, I ask all this because I am unable to connect via
LEAP-authentication :-)


Regards,
Ajay


Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Michel Bulgado

On 12/09/2011 10:49 AM, Alan DeKok wrote:
> Michel Bulgado wrote:
>> So, i don't see accounting packet, could be supressed by the TTLS or
>
>   Absolutely not.
>
>> Linkys Router dont send that packet in stream?
>
>   Yes.
>
>   Alan DeKok.


Alan

Excuse me, everyone on the list, for insisting so much on this issue; 
I'm interested in solving this problem.

In conclusion of what we discussed: my Linksys router sends accounting 
packets after authenticating my user, but they are not shown, or at least 
are suppressed by TTLS. Is that not so?

So, should I change the mechanism to use?

Can you recommend one where the client-side process is simple and does not 
involve installing certificates on the client side?

As simple as the user only having to enter a username and password to connect.


Regards

Michel


Re: semulteneius-use with cisco nas

2011-12-09 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
> i am really not experienced with freeradius and mysql. I made everything
> with your website.
> I kindly ask you for help.
> 
> i made test in the following manner:
> 1. connect 1st laptop via Ap (NAS) with user/user
> 2. connect second laptop
> 
> simult-use feature should block second one, as i understood.

  IF CERTAIN CONDITIONS ARE MET.

> from your previuos emailing i understood that acounting is send if we
> use database, so I configured authentication from mysql.
> 
> in the debug i see Accounting-Request packet and Accounting-Response.
> 
> can you describe what is not met??

  Read doc/Simultaneous-Use, Section 3.  It documents what happens for
Simultaneous-Use to work.

  Go check it against the debug output.  Run "radwho" after the first
login to see if FreeRADIUS has recorded that the user has logged in.

  If that information isn't recorded, Simultaneous-Use won't work.
Don't blame FreeRADIUS.  Blame the NAS which is sending useless data.

  Alan DeKok.


Re[2]: semulteneius-use with cisco nas

2011-12-09 Thread tolik_shavlov...@mail.ru
Alan,

I am really not experienced with FreeRADIUS and MySQL. I made everything with 
your website.
I kindly ask you for help.

I made a test in the following manner:
1. connect the 1st laptop via the AP (NAS) with user/user
2. connect the second laptop

The simult-use feature should block the second one, as I understood.

From your previous email I understood that accounting is sent if we use a 
database, so I configured authentication from MySQL.

In the debug I see an Accounting-Request packet and an Accounting-Response.

Can you describe what is not met?

thanks for help.


09 December 2011, 19:50 from "Alan DeKok-2 [via FreeRadius]":

 [hidden email] wrote:
> what can be an issue?

  As I said a few days ago:

  Simultaneous-Use checks are done if the server receives accounting
packets, AND a user session is still open, AND that user tries to log in
a second time from a different location.

  The debug log makes it clear that those conditions are NOT met.

  Alan DeKok.


Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Alan DeKok
Michel Bulgado wrote:
> So, i don't see accounting packet, could be supressed by the TTLS or

  Absolutely not.

> Linkys Router dont send that packet in stream?

  Yes.

  Alan DeKok.


Re: semulteneius-use with cisco nas

2011-12-09 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
> what can be an issue?

  As I said a few days ago:

  Simultaneous-Use checks are done if the server receives accounting
packets, AND a user session is still open, AND that user tries to log in
a second time from a different location.

  The debug log makes it clear that those conditions are NOT met.

  Alan DeKok.
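Alan's three conditions (the server receives accounting packets, a session for the user is still open, and the user logs in a second time from a different place), together with his advice in the earlier reply to compare "radwho" against the debug output, can be traced through with a small model. The Python below is an added example written for this page, not FreeRADIUS code: it keeps only the decision logic, not rlm_sql's or radutmp's real session tracking, and the packets, the session id "s-1" and the NAS-Port values are constructed. The NAS address 10.169.33.11 is the one from the debug output in the thread.

```python
"""Toy model of the Simultaneous-Use decision (added example, not FreeRADIUS code).

It reproduces only the logic described in the thread: accounting must be
received, a session must still be open, and the new login must come from a
different place. Packet contents below are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Packet:
    code: str                # "Access-Request" or "Accounting-Request"
    user: str                # User-Name
    nas_ip: str              # NAS-IP-Address
    nas_port: int            # NAS-Port
    acct_status: str = ""    # Acct-Status-Type: "Start" or "Stop" (accounting only)
    session_id: str = ""     # Acct-Session-Id (accounting only)


@dataclass
class SimulUseModel:
    # Simultaneous-Use value per user, e.g. the radcheck row "user ... Simultaneous-Use := 1"
    limits: Dict[str, int]
    # open sessions as radwho would list them: user -> {session_id: (nas_ip, nas_port)}
    sessions: Dict[str, Dict[str, Tuple[str, int]]] = field(default_factory=dict)

    def handle(self, pkt: Packet) -> str:
        if pkt.code == "Accounting-Request":
            return self._account(pkt)
        if pkt.code == "Access-Request":
            return self._authorize(pkt)
        raise ValueError(f"unsupported packet code {pkt.code!r}")

    def _account(self, pkt: Packet) -> str:
        """Accounting Start opens a session, Stop closes it. This is the only way
        the server learns who is logged in: no Start from the NAS, no session."""
        open_sessions = self.sessions.setdefault(pkt.user, {})
        if pkt.acct_status == "Start":
            open_sessions[pkt.session_id] = (pkt.nas_ip, pkt.nas_port)
        elif pkt.acct_status == "Stop":
            open_sessions.pop(pkt.session_id, None)
        return "Accounting-Response"

    def _authorize(self, pkt: Packet) -> str:
        """Reject when the user already has `limit` sessions open somewhere else."""
        limit = self.limits.get(pkt.user)
        if limit is None:
            return "Access-Accept"            # no Simultaneous-Use check item for this user
        open_sessions = self.sessions.get(pkt.user, {})
        # A request from the same NAS and port as a recorded session is treated as a
        # reconnect of that session, not as a second concurrent login (simplification).
        elsewhere = [s for s in open_sessions.values() if s != (pkt.nas_ip, pkt.nas_port)]
        if len(elsewhere) >= limit:
            return "Access-Reject"
        return "Access-Accept"

    def radwho(self) -> List[Tuple[str, str, str, int]]:
        """What "radwho" would show: one row per recorded open session."""
        return [(user, sid, ip, port)
                for user, sess in self.sessions.items()
                for sid, (ip, port) in sess.items()]


def scripted_exchange(nas_sends_accounting: bool) -> List[str]:
    """Two laptops log in as "user" (Simultaneous-Use := 1) through the same AP.
    Returns the reply to each Access-Request, in order."""
    model = SimulUseModel({"user": 1})
    ap = "10.169.33.11"       # NAS address from the debug output in the thread
    replies = [model.handle(Packet("Access-Request", "user", ap, 13431))]
    if nas_sends_accounting:
        model.handle(Packet("Accounting-Request", "user", ap, 13431, "Start", "s-1"))
    # second laptop: a different NAS-Port on the same AP
    replies.append(model.handle(Packet("Access-Request", "user", ap, 13432)))
    return replies


if __name__ == "__main__":
    print("NAS sends accounting:   ", scripted_exchange(True))    # ['Access-Accept', 'Access-Reject']
    print("NAS sends no accounting:", scripted_exchange(False))   # ['Access-Accept', 'Access-Accept']
```

The two scripted exchanges show the situation in the debug output above: when the server only ever sees Access-Requests, the session table (what radwho prints) stays empty and the second laptop is accepted; only after an Accounting-Request Start for the first laptop does the second login get an Access-Reject.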


semulteneius-use with cisco nas

2011-12-09 Thread tolik_shavlov...@mail.ru
Hi,

I continue configuring Simultaneous-Use with a Cisco NAS.
My configs:
mysql> select * from radcheck;
+----+------------------------------+--------------------+----+------------------------------+
| id | username                     | attribute          | op | value                        |
+----+------------------------------+--------------------+----+------------------------------+
| 11 | user                         | Cleartext-Password | := | user                         |
|  3 | t...@wimax.com               | Cleartext-Password | := | test                         |
| 15 | KeepAliveUserNameAndPassword | Cleartext-Password | := | KeepAliveUserNameAndPassword |
|  5 | te...@wimax.com              | Cleartext-Password | := | test                         |
| 10 | user                         | Simultaneous-Use   | := | 1                            |
| 14 | te...@wimax.com              | Framed-Filter-Id   | := | SP=data:MSF=data;            |
| 13 | t...@wimax.com               | Framed-Filter-Id   | := | SP=data:MSF=data;            |
+----+------------------------------+--------------------+----+------------------------------+

clients:
client 10.169.33.11/24 {
    #  require_message_authenticator = no
    secret   = "12345"
    nastype  = "cisco"
    login    = snmp
    password = public
}

snmpget works:
freebsd# snmpget -v2c -c public 10.169.33.11 sysUpTime.0
DISMAN-EVENT-MIB::sysUpTimeInstance = Timeticks: (147940948) 17 days,
2:56:49.48

debug:
rad_recv: Access-Request packet from host 10.169.33.11 port 1645, id=104,
length=159
User-Name = "user"
Framed-MTU = 1400
Called-Station-Id = "0013.1a08.9340"
Calling-Station-Id = "001b.7770.9159"
Service-Type = Login-User
Message-Authenticator = 0x2e82883f159c894bdd80b8ec62351994
EAP-Message =
0x020b001d19001703010012b37fc2616cb987f684d4f8af1145e855c165
NAS-Port-Type = Wireless-802.11
NAS-Port = 13431
State = 0x526a475d5a615e1a09ba39034fe381ca
NAS-IP-Address = 10.169.33.11
NAS-Identifier = "ap"
Thu Dec  8 17:26:25 2011 : Info: (36) # Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/default
Thu Dec  8 17:26:25 2011 : Info: (36)   group authorize {
Thu Dec  8 17:26:25 2011 : Info: (36)  - entering group authorize {...}
Thu Dec  8 17:26:25 2011 : Info: (36)   [preprocess] = ok
Thu Dec  8 17:26:25 2011 : Info: (36)   [chap] = noop
Thu Dec  8 17:26:25 2011 : Info: (36)   [mschap] = noop
Thu Dec  8 17:26:25 2011 : Info: (36)   [digest] = noop
Thu Dec  8 17:26:25 2011 : Info: (36) suffix : No '@' in User-Name = "user",
looking up realm NULL
Thu Dec  8 17:26:25 2011 : Info: (36) suffix : No such realm "NULL"
Thu Dec  8 17:26:25 2011 : Info: (36)   [suffix] = noop
Thu Dec  8 17:26:25 2011 : Info: (36) eap : EAP packet type response id 11
length 29
Thu Dec  8 17:26:25 2011 : Info: (36) eap : Continuing tunnel setup.
Thu Dec  8 17:26:25 2011 : Info: (36)   [eap] = ok
Thu Dec  8 17:26:25 2011 : Info: (36) Found Auth-Type = ?
Thu Dec  8 17:26:25 2011 : Info: (36) # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Thu Dec  8 17:26:25 2011 : Info: (36)   group authenticate {
Thu Dec  8 17:26:25 2011 : Info: (36)  - entering group authenticate {...}
Thu Dec  8 17:26:25 2011 : Info: (36) eap : Request found, released from the
list
Thu Dec  8 17:26:25 2011 : Info: (36) eap : EAP/peap
Thu Dec  8 17:26:25 2011 : Info: (36) eap : processing type peap
Thu Dec  8 17:26:25 2011 : Info: (36) peap : processing EAP-TLS
Thu Dec  8 17:26:25 2011 : Info: (36) peap : eaptls_verify returned 7 
Thu Dec  8 17:26:25 2011 : Info: (36) peap : Done initial handshake
Thu Dec  8 17:26:25 2011 : Info: (36) peap : eaptls_process returned 7 
Thu Dec  8 17:26:25 2011 : Info: (36) peap : FR_TLS_OK
Thu Dec  8 17:26:25 2011 : Info: (36) peap : Session established.  Decoding
tunneled attributes.
Thu Dec  8 17:26:25 2011 : Info: (36) peap : Peap state phase2
Thu Dec  8 17:26:25 2011 : Info: (36) peap : EAP type mschapv2
Thu Dec  8 17:26:25 2011 : Info: (36) peap : Got tunneled request
EAP-Message = 0x020b00061a03
server  {
Thu Dec  8 17:26:25 2011 : Info: (36) peap : Setting User-Name to user
Sending tunneled request
EAP-Message = 0x020b00061a03
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name = "user"
State = 0xcb00ddfeca0bc7c30919b7db84ca14bd
Framed-MTU = 1400
Called-Station-Id = "0013.1a08.9340"
Calling-Station-Id = "001b.7770.9159"
Service-Type = Login-User
NAS-Port-Type = Wireless-802.11
NAS-Port = 13431
NAS-IP-Address = 10.169.33.11
NAS-Identifier = "ap"
server inner-tunnel {
Thu Dec  8 17:26:25 2011 : Info: (36) # Executing section authorize from
file /usr/local/etc/raddb/sites-enabled/inner-tunnel
Thu Dec  8 17:26:25 2011 : Info: (36)   group authorize {
Thu Dec  8 17:26:25 2011 : Info: (36)  - entering group authorize {...}
Thu Dec 

Re: Linksys WIFI Authentication using freeradius?

2011-12-09 Thread Michel Bulgado
R BY id -> SELECT id, username, attribute, value, op   FROM 
radreply   WHERE username = 'michel'   ORDER BY id
[sql] expand: SELECT groupname   FROM radusergroup   
WHERE username = '%{SQL-User-Name}'   ORDER BY priority -> 
SELECT groupname   FROM radusergroup   WHERE username = 
'michel'   ORDER BY priority
[sql] expand: SELECT id, groupname, attribute,   Value, 
op   FROM radgroupcheck   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   Value, op   FROM radgroupcheck   
WHERE groupname = 'Computacion'   ORDER BY id

[sql] User found in group Computacion
[sql] expand: SELECT id, groupname, attribute,   value, 
op   FROM radgroupreply   WHERE groupname = 
'%{Sql-Group}'   ORDER BY id -> SELECT id, groupname, 
attribute,   value, op   FROM radgroupreply   
WHERE groupname = 'Computacion'   ORDER BY id

rlm_sql (sql): Released sql socket id: 2
++[sql] returns ok
[pap] Normalizing MD5-Password from hex encoding
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password "x"
[pap] Using MD5 encryption.
[pap] User authenticated successfully
++[pap] returns ok
+- entering group session {...}
++[sql] returns noop
  WARNING: Empty section.  Using default return values.
} # server inner-tunnel
[ttls] Got tunneled reply code 2
Framed-Compression := Van-Jacobson-TCP-IP
Framed-Protocol := PPP
Service-Type := Framed-User
Acct-Interim-Interval = 60
[ttls] Got tunneled Access-Accept
[eap] Freeing handler
++[eap] returns ok
+- entering group post-auth {...}
[reply_log] expand: 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d -> 
/var/log/radius/radacct/192.168.25.15/reply-detail-20111209
[reply_log] 
/var/log/radius/radacct/%{Client-IP-Address}/reply-detail-%Y%m%d expands 
to /var/log/radius/radacct/192.168.25.15/reply-detail-20111209

[reply_log] expand: %t -> Fri Dec  9 10:08:20 2011
++[reply_log] returns ok
[sql] expand: %{User-Name} -> michel
[sql] sql_set_user escaped user --> 'michel'
[sql] expand: %{User-Password} ->
[sql] expand: %{Chap-Password} ->
[sql] expand: INSERT INTO radpostauth   
(username, pass, reply, authdate)   VALUES 
(   '%{User-Name}',   
'%{%{User-Password}:-%{Chap-Password}}',   
'%{reply:Packet-Type}', '%S') -> INSERT INTO 
radpostauth   (username, pass, reply, 
authdate)   VALUES (   
'michel',   '',   
'Access-Accept', '2011-12-09 10:08:20')
rlm_sql (sql) in sql_postauth: query is INSERT INTO 
radpostauth   (username, pass, reply, 
authdate)   VALUES (   
'michel',   '',   
'Access-Accept', '2011-12-09 10:08:20')

rlm_sql (sql): Reserving sql socket id: 1
rlm_sql (sql): Released sql socket id: 1
++[sql] returns ok
Sending Access-Accept of id 130 to 192.168.25.15 port 32771
MS-MPPE-Recv-Key = 
0x1ea6c98931e212cac0d8115539d9f54a3b1a4b68b651e66da7c27b58c192dff5
MS-MPPE-Send-Key = 
0x2e85032cb54145d7527d3c0c4e75d36e33d615fa73059ef62aa782dbdde687d9

EAP-Message = 0x03060004
Message-Authenticator = 0x
User-Name = "michel"
Finished request 5.
Going to the next request
Waking up in 4.7 seconds.
Cleaning up request 0 ID 125 with timestamp +5
Cleaning up request 1 ID 126 with timestamp +5
Cleaning up request 2 ID 127 with timestamp +5
Cleaning up request 3 ID 128 with timestamp +5
Waking up in 0.1 seconds.
Cleaning up request 4 ID 129 with timestamp +5
Cleaning up request 5 ID 130 with timestamp +5
Ready to process requests.



So, I don't see the accounting packet; could it be suppressed by TTLS, or 
does the Linksys router not send that packet in the stream?



Regards

Michel



Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Сергей Усов

I'm sorry, Alan. I'm not very good at English.

I want to check group membership in Active Directory for 
authentication through certificates.



> Сергей Усов wrote:
>> Here is an authentication request from the certificate:
>> ..
>> There is a user name. It can not be used to check via LDAP?
>
>    Check WHAT via LDAP?
>
>    Passwords?  Of course not.
>
>    You've been very careful to *not* say what you really want to do, and
> to *not* say what you've configured, and to *not* say what happens when
> the server receives EAP-TLS packets, and to *not* say what you expect to
> happen.
>
>    You're asking vague and useless questions.  So the answers are vague
> and useless.
>
>    Alan DeKok.


Re[3]: git timeout

2011-12-09 Thread Толик Шавловский
It installed after disabling DHCP.

Thanks a lot.


09 December 2011, 15:05 from "tolik_shavlov...@mail.ru":

Hi,

I ran gmake.


09 December 2011, 14:33 from "Paul Thornton [via FreeRadius]" <[hidden email]>:

On 09/12/2011 10:16, [hidden email] wrote:

> 
> /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
> /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
> /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
> before 'u_long'
> gmake[4]: *** [dhcp.lo] Error 1
> gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
> gmake[3]: *** [lib] Error 2
> gmake[3]: Leaving directory `/tmp/freeradius-server/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/tmp/freeradius-server/src'
> gmake[1]: *** [src] Error 2
> gmake[1]: Leaving directory `/tmp/freeradius-server'
> gmake: *** [all] Error 2
> 
> i downloaded from 
> 
> $ git clone git://git.freeradius.org/freeradius-server.git
> $ cd freeradius-server
> $ git fetch origin v2.1.x:v2.1.x
> $ git checkout v2.1.x

Rather than using 'make' on FreeBSD, try 'gmake'.  That will run Gnu
Make as Alan suggested.

Paul.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Alan DeKok
Сергей Усов wrote:
> Here is an authentication request from the certificate:
..
> There is a user name. It can not be used to check via LDAP?

  Check WHAT via LDAP?

  Passwords?  Of course not.

  You've been very careful to *not* say what you really want to do, and
to *not* say what you've configured, and to *not* say what happens when
the server receives EAP-TLS packets, and to *not* say what you expect to
happen.

  You're asking vague and useless questions.  So the answers are vague
and useless.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Сергей Усов

Here is an authentication request from the certificate:

rad_recv: Access-Request packet from host 192.168.213.210 port 1390, 
id=8, length=224

Message-Authenticator = 0x6d9c4039c9d8b314ca0bb11bf518f5a0
Service-Type = Framed-User
User-Name = "r...@pomorsu.ru"
Framed-MTU = 1488
Called-Station-Id = "00-17-9A-D1-44-39:localnet1"
Calling-Station-Id = "00-1F-3C-3D-DF-8C"
NAS-Identifier = "D-Link Access Point"
NAS-Port-Type = Wireless-802.11
Connect-Info = "CONNECT 54Mbps 802.11g"
EAP-Message = 0x020800190175736f77735f61646d40706f6d6f7273752e7275
NAS-IP-Address = 192.168.213.210
NAS-Port = 1
NAS-Port-Id = "STA port # 1"


There is a user name. Can it not be used to check via LDAP?


> Сергей Усов wrote:
>> It's work for peap authentification, but if I use certificate
>> authentication, the module ldap do not work
>
>    Exactly.  When certificate authentication is used, you are NOT doing
> username/password authentication.  That's what certificate
> authentication is for.  And the ldap module does username/password checks.
>
>    So.. the two are not really compatible.
>
>    Alan DeKok.


Re[2]: git timeout

2011-12-09 Thread tolik_shavlov...@mail.ru
Hi,

I ran gmake.


09 December 2011, 14:33 from "Paul Thornton [via FreeRadius]":

On 09/12/2011 10:16, [hidden email] wrote:

> 
> /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
> /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
> /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
> before 'u_long'
> gmake[4]: *** [dhcp.lo] Error 1
> gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
> gmake[3]: *** [lib] Error 2
> gmake[3]: Leaving directory `/tmp/freeradius-server/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/tmp/freeradius-server/src'
> gmake[1]: *** [src] Error 2
> gmake[1]: Leaving directory `/tmp/freeradius-server'
> gmake: *** [all] Error 2
> 
> i downloaded from 
> 
> $ git clone git://git.freeradius.org/freeradius-server.git
> $ cd freeradius-server
> $ git fetch origin v2.1.x:v2.1.x
> $ git checkout v2.1.x

Rather than using 'make' on FreeBSD, try 'gmake'.  That will run Gnu
Make as Alan suggested.

Paul.


Re: git timeout

2011-12-09 Thread Alan Buxey
Hi,
>/usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
>/usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
>/usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
>before 'u_long'
>gmake[4]: *** [dhcp.lo] Error 1
>gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
>gmake[3]: *** [lib] Error 2
>gmake[3]: Leaving directory `/tmp/freeradius-server/src'
>gmake[2]: *** [all] Error 2
>gmake[2]: Leaving directory `/tmp/freeradius-server/src'
>gmake[1]: *** [src] Error 2
>gmake[1]: Leaving directory `/tmp/freeradius-server'
>gmake: *** [all] Error 2

Do you want or need the FreeRADIUS DHCPD functionality? If not, just disable it
at the ./configure stage - it looks like the BSD system libs have a difference
in the ARP code.

alan


Re: git timeout

2011-12-09 Thread Paul Thornton
On 09/12/2011 10:16, tolik_shavlov...@mail.ru wrote:
> 
> /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
> /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
> /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
> before 'u_long'
> gmake[4]: *** [dhcp.lo] Error 1
> gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
> gmake[3]: *** [lib] Error 2
> gmake[3]: Leaving directory `/tmp/freeradius-server/src'
> gmake[2]: *** [all] Error 2
> gmake[2]: Leaving directory `/tmp/freeradius-server/src'
> gmake[1]: *** [src] Error 2
> gmake[1]: Leaving directory `/tmp/freeradius-server'
> gmake: *** [all] Error 2
> 
> i downloaded from 
> 
> $ git clone git://git.freeradius.org/freeradius-server.git
> $ cd freeradius-server
> $ git fetch origin v2.1.x:v2.1.x
> $ git checkout v2.1.x

Rather than using 'make' on FreeBSD, try 'gmake'.  That will run Gnu
Make as Alan suggested.

Paul.


Re: Problem with accounting and sql

2011-12-09 Thread Paul Thornton
Hi Alan,

On 09/12/2011 01:57, Alan DeKok wrote:
>   OK... the debug log shows you have a little more upgrading to do for
> it work "best" in 2.x, but that's OK.

Indeed - as I have my head in FreeRADIUS today, it may well be time to
clear out all those old User-Passwords!

>   Except that the accounting is showing the "unix" module returning "fail".

Yes.  And I'd been guilty of thinking of an accounting request as more
like a syslog/trap "fire and forget" message and hadn't really
appreciated that an accounting message can fail.  Now suitably educated.

>> accounting {
> ...
>> #  Update the wtmp file
>> #
>> #  If you don't use "radlast", you can delete this line.
>> unix
> 
>   Delete that line, and it will probably start working.

And indeed it did.  It's always the silly simple things, and of course it
makes perfect sense now what was broken.  Many thanks for the quick
response.

>   Try using the debug form on http://networkradius.com/.  It will
> highlight things which you should look at in more detail.

That looks good - I hadn't seen that before, thanks.

Paul.


Re: git timeout

2011-12-09 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
> /usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
> /usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
> /usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list
> before 'u_long'

  I don't run FreeBSD, and I don't expect to run it for a while.

> $ git clone git://git.freeradius.org/freeradius-server.git
> $ cd freeradius-server
> $ git fetch origin v2.1.x:v2.1.x
> $ git checkout v2.1.x

  And you did "./configure --with-dhcp", which is NOT the default.

  Use the defaults.

  Or, send us a patch to make the DHCP code work on FreeBSD.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Alan DeKok
Сергей Усов wrote:
> It's work for peap authentification, but if I use certificate
> authentication, the module ldap do not work

  Exactly.  When certificate authentication is used, you are NOT doing
username/password authentication.  That's what certificate
authentication is for.  And the ldap module does username/password checks.

  So.. the two are not really compatible.

  Alan DeKok.


Re[2]: git timeout

2011-12-09 Thread tolik_shavlov...@mail.ru


/usr/include/net/if_arp.h:88: error: field 'arp_pa' has incomplete type
/usr/include/net/if_arp.h:89: error: field 'arp_ha' has incomplete type
/usr/include/net/if_arp.h:115: error: expected specifier-qualifier-list before 
'u_long'
gmake[4]: *** [dhcp.lo] Error 1
gmake[4]: Leaving directory `/tmp/freeradius-server/src/lib'
gmake[3]: *** [lib] Error 2
gmake[3]: Leaving directory `/tmp/freeradius-server/src'
gmake[2]: *** [all] Error 2
gmake[2]: Leaving directory `/tmp/freeradius-server/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory `/tmp/freeradius-server'
gmake: *** [all] Error 2

I downloaded from
$ git clone git://git.freeradius.org/freeradius-server.git
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x


09 December 2011, 12:23 from "Alan DeKok-2 [via FreeRadius]":

 [hidden email] wrote:
> but make fails((
> 
> freebsd# make

  Use Gnu make.

  Alan DeKok.


Re: Authentication via ntlm_auth with check the user group

2011-12-09 Thread Сергей Усов

Hi,

I added this to sites-enabled/inner-tunnel:

authorize {
    ...

    if (Ldap-Group == "%{AD-Group}") {
        ok
    }
    else {
        reject
    }
}

It works for PEAP authentication, but if I use certificate 
authentication, the ldap module does not work.



On 08.12.2011 20:34, Alan DeKok wrote:
> Сергей Усов wrote:
>> Thanks, Alan, it works.
>>
>> I have another question. Can I check the user's group for authentication
>> via TTLS?
>
>    Put any group checking into the "inner-tunnel" server.  That's what
> it's for.
>
>    Alan DeKok.


Re: git timeout

2011-12-09 Thread Alan DeKok
tolik_shavlov...@mail.ru wrote:
> but make fails((
> 
> freebsd# make

  Use Gnu make.

  Alan DeKok.


Re[4]: git timeout

2011-12-09 Thread tolik_shavlov...@mail.ru
Hi,

I made git from your new link:
$ git clone https://github.com/alandekok/freeradius-server.git

then,
$ cd freeradius-server
$ git fetch origin v2.1.x:v2.1.x
$ git checkout v2.1.x
$ ./configure

but make fails((

freebsd# make
"Make.inc", line 84: Missing dependency operator
"Make.inc", line 87: Need an operator
"Make.inc", line 89: Missing dependency operator
"Make.inc", line 92: Need an operator
"Make.inc", line 94: Missing dependency operator
"Make.inc", line 95: Missing dependency operator
"Make.inc", line 96: Need an operator
"Make.inc", line 97: Need an operator
"Make.inc", line 99: Need an operator
"Make.inc", line 100: Need an operator
"Make.inc", line 106: Missing dependency operator
"Make.inc", line 109: Need an operator
"Makefile", line 70: Missing dependency operator
"Makefile", line 71: Missing dependency operator
"Makefile", line 88: Need an operator
"Makefile", line 89: Need an operator
make: fatal errors encountered -- cannot continue

Thanks for help.

09 December 2011, 11:52 from "Fajar A. Nugraha-2 [via FreeRadius]":

 2011/12/9 Толик Шавловский <[hidden email]>:

> freebsd# ping git.freeradius.org
> PING git.freeradius.org (88.190.25.44): 56 data bytes
> 64 bytes from 88.190.25.44: icmp_seq=0 ttl=48 time=48.211 ms
> 64 bytes from 88.190.25.44: icmp_seq=1 ttl=48 time=48.253 ms
> 64 bytes from 88.190.25.44: icmp_seq=2 ttl=48 time=48.967 ms
> ^C
> --- git.freeradius.org ping statistics ---
> 3 packets transmitted, 3 packets received, 0.0% packet loss
> round-trip min/avg/max/stddev = 48.211/48.477/48.967/0.347 ms
> freebsd# git clone git://git.freeradius.org/freeradius-server.git
> Cloning into freeradius-server...
> git.freeradius.org[0: 88.190.25.44]: errno=Operation timed out
> fatal: unable to connect a socket (Operation timed out)
>
>
> I have connectivity

You DO know that testing connectivity is MORE than just PING, right?

git uses TCP port 9418 by default, so try a simple test like this:
$ telnet git.freeradius.org 9418

If that port is blocked (by your ISP, perhaps), try
https://github.com/alandekok/freeradius-server/tree/v2.1.x (should
work, since even the most restrictive ISPs usually allow https). You
can clone it using

$ git clone https://github.com/alandekok/freeradius-server.git

-- 
Fajar

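Fajar's point in the message quoted above, that a successful ping says nothing about whether TCP port 9418 can be reached, can be turned into a small reusable probe that reports the three outcomes a practitioner needs to tell apart (connection accepted, actively refused, or silently dropped). This Python is an added example for this page, not code from the thread or from FreeRADIUS; tcp_probe and the demo are hypothetical helpers, and the demo exercises them against a throwaway listener on 127.0.0.1 so it runs offline.

```python
"""TCP reachability probe (added example, not code from the thread).

Answers "can I open a TCP connection to host:port?", which ICMP echo cannot.
The demo uses a local listener and a deliberately closed local port so the
three outcomes can be observed without any network access.
"""
import socket
import threading

GIT_PORT = 9418  # default port of the git:// protocol, as noted in the thread


def tcp_probe(host: str, port: int, timeout: float = 3.0) -> str:
    """Return "open", "refused", "timeout" or "error:<errno>" for host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # the host answers, but nothing listens on that port
    except socket.timeout:
        return "timeout"      # packets are dropped, e.g. by a filtering ISP
    except OSError as exc:
        return f"error:{exc.errno}"


def _local_listener() -> int:
    """Start a one-shot listener on 127.0.0.1 and return its port (constructed test setup)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once():
        try:
            conn, _ = srv.accept()
            conn.close()
        finally:
            srv.close()

    threading.Thread(target=accept_once, daemon=True).start()
    return port


def _closed_local_port() -> int:
    """Bind a port and release it immediately so nothing listens on it."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def demo() -> dict:
    """Probe a listening and a closed loopback port; returns {"listening": ..., "closed": ...}."""
    return {
        "listening": tcp_probe("127.0.0.1", _local_listener()),
        "closed": tcp_probe("127.0.0.1", _closed_local_port()),
    }


if __name__ == "__main__":
    print(demo())                                    # {'listening': 'open', 'closed': 'refused'}
    # Against a real host you would call e.g. tcp_probe("git.freeradius.org", GIT_PORT)
```

A "timeout" result where ping succeeds is the filtered-port case Fajar describes; a "refused" result means the host is reachable but the service is not listening, which is a different problem from a blocked port.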