Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-11 Thread Danny Kurniawan
Does that mean we have to manually add the client MACs into RADIUS one by
one?

-Danny

On Fri, Mar 8, 2013 at 11:00 PM, Alan DeKok wrote:

> Danny Kurniawan wrote:
> > We have successfully deployed Meraki Wireless with RADIUS 2.1.1 connected to
> > eDir LDAP. Everything works just fine. Now my company wants to explore
> > whether we are able to restrict devices, so that only company devices can
> > connect to our wifi SSID. Is that possible using RADIUS? Like using certs
> > etc.? Or does it have to be done from the AP end?
>
>   The simplest way is via MAC address filtering.  Allow known MACs,
> disallow all others.  See "man rlm_passwd" for examples.
>
>   Alan DeKok.
> -
> List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>



-- 
Best Regards,
Danny
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
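What the "allow known MACs, disallow all others" setup looks like in FreeRADIUS 2.x configuration, as an added example; it is not from the thread or from the rlm_passwd man page. It assumes a constructed allow-list file raddb/company_macs and a NAS (Meraki here) that sends the client MAC in Calling-Station-Id. Two caveats a practitioner should weigh before relying on it: a MAC address is asserted by the client and trivially cloned, so this keeps unregistered devices off the SSID but does not prove a device is company-owned (per-device certificates with EAP-TLS do); and NAS vendors format Calling-Station-Id differently (00-11-22-33-44-55, 00:11:22:33:44:55, 0011.2233.4455), so the value has to be canonicalised before the lookup. The rewrite_calling_station_id policy in policy.conf does that; check which letter case your copy emits and write the file in the same case, because rlm_passwd matches the key exactly.

```text
# raddb/company_macs (constructed): one device per line,
# <Calling-Station-Id>:<Reply-Message>
00-11-22-33-44-55:laptop-0042
00-11-22-33-44-66:printer-lobby

# raddb/modules/company_macs: an rlm_passwd instance over that file.
# In "format", '*' marks the key field and '=' sends the field to the
# reply list ('~' would put it in the control list).
passwd company_macs {
	filename = ${confdir}/company_macs
	format = "*Calling-Station-Id:=Reply-Message"
	delimiter = ":"
	hashsize = 100
	allowmultiplekeys = no
	ignorenislike = no
}

# raddb/sites-enabled/default, start of the authorize section.
# Calling-Station-Id is in the outer request, so the default site is the
# right place even for PEAP. rlm_passwd returns ok when the key is in the
# file and notfound otherwise; an unknown MAC is rejected before any
# password or EAP processing runs.
authorize {
	preprocess
	rewrite_calling_station_id
	company_macs
	if (notfound) {
		update reply {
			Reply-Message = "device not registered"
		}
		reject
	}
	# ... the existing modules (eap, ldap, ...) follow here ...
}
```

To test it without a client, feed radclient a request that carries the attribute, e.g. `echo "User-Name=bob,User-Password=pw,Calling-Station-Id=00-11-22-33-44-55" | radclient -x 127.0.0.1 auth testing123`, once with a listed MAC and once with an unlisted one, while the server runs under radiusd -X so the passwd module's ok/notfound is visible.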

Re: Old message about LDAP

2013-03-11 Thread Alan DeKok
On 2013-03-11, at 1:38 PM, Andres Septer wrote:

> 
>   I'm always amazed when people search google and click on random pages,
> instead of going to the FreeRADIUS documentation.  Is it really that
> novel to look at a Wiki?
> 
> I found that too. It's quite brief actually. I was searching for something 
> more detailed.

  Like what?

  You're trying hard to *not* give any useful information. Stop it. 

  Learn how to ask good questions. What are you trying to do?  What information 
are you looking for?  What do you expect to see?

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Old message about LDAP

2013-03-11 Thread Andres Septer
> I'm always amazed when people search google and click on random pages,
> instead of going to the FreeRADIUS documentation.  Is it really that
> novel to look at a Wiki?


I found that too. It's quite brief actually. I was searching for something
more detailed.

A.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Old message about LDAP

2013-03-11 Thread Alan DeKok
Andres Septer wrote:
> When one searches Google for freeradius and ldap groups there are a LOT
> of messages that all point to this message. FreeRADIUS and LDAP groups,
> how to make it work:
...
> Unfortunately this old archive is unavailable (404).
> Is there any other good howto about freeradius + LDAP + groups -- how to
> make them work together?

  The server comes with documentation.  What's the issue?

http://wiki.freeradius.org

  Type "ldap group" into the search page.

  There's one link.

  Click on it.

  Read it.

  There's a subsection entitled "Group Support"

  I'm always amazed when people search google and click on random pages,
instead of going to the FreeRADIUS documentation.  Is it really that
novel to look at a Wiki?

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Old message about LDAP

2013-03-11 Thread Olivier Beytrison
On 11.03.2013 17:14, Andres Septer wrote:
> When one searches Google for freeradius and ldap groups there are a LOT
> of messages that all point to this message. FreeRADIUS and LDAP groups,
> how to make it work:
> 
> http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html
> 
> Unfortunately this old archive is unavailable (404).
> Is there any other good howto about freeradius + LDAP + groups -- how to
> make them work together?
everything is in the wiki
http://wiki.freeradius.org/modules/Rlm_ldap#Group-Support


-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
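For anyone arriving here from the same search, the pieces that the Group Support section linked above boils down to, as an added example that is neither the wiki text nor part of the thread. It assumes FreeRADIUS 2.x with the ldap module instance named ldap, the option names of raddb/modules/ldap in 2.x, and a constructed directory at ldap.example.org with people under ou=people and groups under ou=groups in dc=example,dc=org.

```text
# raddb/modules/ldap (FreeRADIUS 2.x): only the settings that matter for groups.
ldap {
	server = "ldap.example.org"
	identity = "cn=radius,ou=services,dc=example,dc=org"   # read-only bind account
	password = "change-me"
	basedn = "ou=people,dc=example,dc=org"
	filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"

	# Group membership is resolved by running this filter with the user's DN
	# (stored in control:Ldap-UserDn by the user lookup) substituted in; the
	# groupname_attribute of every matching entry becomes a name that the
	# Ldap-Group comparison can match. The comparison also accepts a full
	# group DN as the value.
	groupname_attribute = cn
	groupmembership_filter = "(|(&(objectClass=groupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=groupOfUniqueNames)(uniqueMember=%{control:Ldap-UserDn})))"

	# If the user entry itself lists its groups (eDirectory does, in the
	# groupMembership attribute), name that attribute instead:
	# groupmembership_attribute = groupMembership
}

# raddb/sites-enabled/default (or inner-tunnel for PEAP/TTLS, where the
# real user name is), authorize section. "ldap" must run before the
# comparison so that Ldap-UserDn is set.
authorize {
	preprocess
	ldap
	if (!(Ldap-Group == "wifi-staff")) {
		update reply {
			Reply-Message = "not a member of wifi-staff"
		}
		reject
	}
	# ... eap, pap, etc. ...
}
```

Run radiusd -X and authenticate one user inside and one outside the group: the debug output shows the membership filter being sent to the directory and the result of the Ldap-Group comparison just before the reject.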


Old message about LDAP

2013-03-11 Thread Andres Septer
When one searches Google for freeradius and ldap groups there are a LOT of
messages that all point to this message. FreeRADIUS and LDAP groups, how to
make it work:

http://lists.freeradius.org/mailman/htdig/freeradius-users/2009-November/msg1.html

Unfortunately this old archive is unavailable (404).
Is there any other good howto about freeradius + LDAP + groups -- how to
make them work together?

Andres
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: troubles with eap-peap mschapv2

2013-03-11 Thread A . L . M . Buxey
Hi,

why not use the same certs from your old server?  

alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: troubles with eap-peap mschapv2

2013-03-11 Thread Alan DeKok
Bertrand Poulet wrote:
> I'm trying to migrate from FreeRADIUS 1.1.6 (Mandrake)
> to FreeRADIUS 2.2.0 (from source) on Ubuntu 12.04.

  That should be easy.

> The same supplicant and the same AP are OK with the old FR,
> but not with the new FR 2.2.0.
>
> What I've done:
> 
> I've installed with ./configure; make; make install
> root@myhost:/usr/local/etc/raddb/certs# make
> openssl dhparam -out dh 1024

  Well... that's the problem.  You didn't copy the old certificates
over.  Instead, you created new ones.

  Don't do that.  Use the old certs.  It will work.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
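Before cutting over, the check a practitioner wants for the advice above: does the certificate the new 2.2.0 server presents chain to the same CA the supplicants already trust, is it still valid, and is the private key protected? The listing in the original post shows server.key and ca.key created mode 0644 by make, so the key check is not academic. The function below is an added example, not part of the thread or of FreeRADIUS; it assumes the file names raddb/certs uses (ca.pem, server.pem, server.key) and an openssl binary in PATH.

```shell
#!/bin/sh
# check_eap_certs CA_FILE SERVER_CERT SERVER_KEY [MIN_DAYS]
#
# Pre-cutover check for an EAP-TLS/PEAP server certificate copied from an
# old FreeRADIUS host. Exit status:
#   0 - SERVER_CERT chains to CA_FILE, is valid for at least MIN_DAYS more
#       days (default 30) and SERVER_KEY is readable only by its owner
#   1 - chain failure (e.g. CA_FILE is a freshly generated CA, not the one
#       the supplicants trust)
#   2 - certificate expires too soon
#   3 - private key is group- or world-readable
check_eap_certs() {
    ca="$1"
    cert="$2"
    key="$3"
    min_days="${4:-30}"

    # 1. Chain: the supplicants trust the old CA, so the certificate the new
    #    server presents must verify against exactly that CA file.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "FAIL: $cert does not chain to $ca" >&2
        return 1
    fi

    # 2. Lifetime: -checkend exits non-zero if the cert expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend "$((min_days * 86400))" >/dev/null 2>&1; then
        echo "FAIL: $cert expires within $min_days days" >&2
        return 2
    fi

    # 3. Key permissions: columns 5-10 of "ls -l" are the group/other bits,
    #    all of which must be off ("------") for a 0600 key.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "FAIL: $key is readable by group or others; chmod 600 it" >&2
        return 3
    fi

    # What to compare against the CA installed on the clients (ca_cert in
    # wpa_supplicant, the trusted root selected in a Windows PEAP profile)
    # and the subject users may have been told to expect.
    echo "CA SHA-256 fingerprint: $(openssl x509 -in "$ca" -noout -fingerprint -sha256 | sed 's/^[^=]*=//')"
    echo "Server subject: $(openssl x509 -in "$cert" -noout -subject | sed 's/^subject= *//')"
    return 0
}

# Usage, from the raddb/certs directory copied over from the old server:
# check_eap_certs ca.pem server.pem server.key 30
```

If the ca.pem that make just generated is passed instead of the copied one, the first check fails: that is the mismatch Alan describes, a server certificate signed by a CA the supplicants have never seen.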


troubles with eap-peap mschapv2

2013-03-11 Thread Bertrand Poulet

Hi all ,


I'm trying to migrate from FreeRADIUS 1.1.6 (Mandrake)
to FreeRADIUS 2.2.0 (from source) on Ubuntu 12.04.

The same supplicant and the same AP are OK with the old FR,
but not with the new FR 2.2.0.


What I've done:

I've installed with ./configure; make; make install
root@myhost:/usr/local/etc/raddb/certs# make
openssl dhparam -out dh 1024
Generating DH parameters, 1024 bit long safe prime, generator 2
This is going to take a long time
...+.+++...+.+...+...+...++*++*++*
openssl req -new  -out server.csr -keyout server.key -config ./server.cnf
Generating a 2048 bit RSA private key
..+++
..+++
writing new private key to 'server.key'
-----
openssl req -new -x509 -keyout ca.key -out ca.pem \
-days `grep default_days ca.cnf | sed 's/.*=//;s/^ *//'`
-config ./ca.cnf
Generating a 2048 bit RSA private key
.+++
.+++
writing new private key to 'ca.key'
-----
openssl ca -batch -keyfile ca.key -cert ca.pem -in server.csr  -key
`grep output_password ca.cnf | sed 's/.*=//;s/^ *//'` -out server.crt
-extensions xpserver_ext -extfile xpextensions -config ./server.cnf
Using configuration from ./server.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 1 (0x1)
Validity
Not Before: Mar 11 13:18:05 2013 GMT
Not After : Mar 11 13:18:05 2014 GMT
Subject:
countryName   = FR
stateOrProvinceName   = Radius
organizationName  = Example Inc.
commonName= Example Server Certificate
emailAddress  = ad...@example.com
X509v3 extensions:
X509v3 Extended Key Usage:
TLS Web Server Authentication
Certificate is to be certified until Mar 11 13:18:05 2014 GMT (365 days)

Write out database with 1 new entries
Data Base Updated
openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 
-passin pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
-passout pass:`grep output_password server.cnf | sed 's/.*=//;s/^ *//'`
openssl pkcs12 -in server.p12 -out server.pem -passin pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'` -passout pass:`grep
output_password server.cnf | sed 's/.*=//;s/^ *//'`
MAC verified OK
openssl verify -CAfile ca.pem server.pem
server.pem: OK
openssl x509 -inform PEM -outform DER -in ca.pem -out ca.der
root@myhost:/usr/local/etc/raddb/certs# ll -tr
total 116
drwxr-xr-x 8 root root 4096 mars  11 14:10 ../
-rwxr-x--- 1 root root 2693 mars  11 14:10 bootstrap*
-rw-r----- 1 root root 4287 mars  11 14:10 Makefile
-rw-r----- 1 root root 7847 mars  11 14:10 README
-rw-r----- 1 root root  578 mars  11 14:10 xpextensions
-rw-r----- 1 root root 1289 mars  11 14:10 ca.cnf
-rw-r----- 1 root root 1124 mars  11 14:10 server.cnf
-rw-r----- 1 root root 1102 mars  11 14:10 client.cnf
-rw-r--r-- 1 root root    3 mars  11 14:18 serial.old
-rw-r--r-- 1 root root    0 mars  11 14:18 index.txt.old
-rw-r--r-- 1 root root  245 mars  11 14:18 dh
-rw-r--r-- 1 root root 5120 mars  11 14:18 random
-rw-r--r-- 1 root root 1834 mars  11 14:18 server.key
-rw-r--r-- 1 root root 1062 mars  11 14:18 server.csr
-rw-r--r-- 1 root root 1675 mars  11 14:18 ca.pem
-rw-r--r-- 1 root root 1834 mars  11 14:18 ca.key
-rw-r--r-- 1 root root 4212 mars  11 14:18 server.crt
-rw-r--r-- 1 root root    3 mars  11 14:18 serial
-rw-r--r-- 1 root root   21 mars  11 14:18 index.txt.attr
-rw-r--r-- 1 root root  120 mars  11 14:18 index.txt
-rw-r--r-- 1 root root 4212 mars  11 14:18 01.pem
-rw-r--r-- 1 root root 2533 mars  11 14:18 server.p12
-rw-r--r-- 1 root root 3586 mars  11 14:18 server.pem
-rw-r--r-- 1 root root 1195 mars  11 14:18 ca.der
drwxr-x--- 2 root root 4096 mars  11 14:18 ./



I got this known problem with the (default) certificates.
freeradius -XXX

Mon Mar 11 16:35:47 2013 : Debug:  Module: Instantiating eap-tls
Mon Mar 11 16:35:47 2013 : Debug:tls {
Mon Mar 11 16:35:47 2013 : Debug:   rsa_key_exchange = no
Mon Mar 11 16:35:47 2013 : Debug:   dh_key_exchange = yes
Mon Mar 11 16:35:47 2013 : Debug:   rsa_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:   dh_key_length = 512
Mon Mar 11 16:35:47 2013 : Debug:   verify_depth = 0
Mon Mar 11 16:35:47 2013 : Debug:   CA_path =
"/usr/local/etc/raddb/certs"
Mon Mar 11 16:35:47 2013 : Debug:   pem_file_type = yes
Mon Mar 11 16:35:47 2013 : Debug:   private_key_file =
"/u