Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Danny Kurniawan
Sorry for this beginner question. I have read the man_rlm password but don't
see an example of how to add the MAC address.

Can some of you show me an example of it? I assume it's as simple as
keying the MAC address into some file in the Radius conf file or something?

Thanks
Danny

On Wed, Mar 13, 2013 at 9:13 AM, Danny Kurniawan <
danny.kurnia...@fairchildsemi.com> wrote:

> Noted. I guess using the AP to do the MAC filtering is the best option
> for me
>
> On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok wrote:
>
>> Danny Kurniawan wrote:
>> > Does that mean we have to manually add the client MAC into radius one
>> > by one?
>>
>>   You need *some* method to separate known devices from unknown ones.
>>
>>   How you do it is up to you.
>>
>>   Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See
>> http://www.freeradius.org/list/users.html
>>
>
>
>
> --
> Best Regards,
> Danny
>



-- 
Best Regards,
Danny

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Danny Kurniawan
Noted. I guess using the AP to do the MAC filtering is the best option for
me

On Tue, Mar 12, 2013 at 9:19 PM, Alan DeKok wrote:

> Danny Kurniawan wrote:
> > Does that mean we have to manually add the client MAC into radius one
> > by one?
>
>   You need *some* method to separate known devices from unknown ones.
>
>   How you do it is up to you.
>
>   Alan DeKok.
>



-- 
Best Regards,
Danny

Re: radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
Thanks!

Added line to /etc/hosts:
192.168.1.106 linux-vdis.site linux-vdis
and then radtest works.

/Staffan

Re: Default user authentication

2013-03-12 Thread Matthew Ceroni
Alright, I will start researching that. Never heard of huntgroups.


On Tue, Mar 12, 2013 at 10:51 AM,  wrote:

> Hi,
>
> >As I use FreeRadius for my WLAN and LAN I don't want to apply this
> policy
> >for the wired network. So, using the users file, can I create a
> default
> >user and attributes that apply only for a certain Calling Station/NAS
> ID?
>
> sure - you could use huntgroups for that policy...or you could use
> a different virtual-server for that NAS so that it uses different policies
>
> alan

Re: Default user authentication

2013-03-12 Thread A . L . M . Buxey
Hi,

>As I use FreeRadius for my WLAN and LAN I don't want to apply this policy
>for the wired network. So, using the users file, can I create a default
>user and attributes that apply only for a certain Calling Station/NAS ID?

sure - you could use huntgroups for that policy...or you could use
a different virtual-server for that NAS so that it uses different policies

alan


rlm_yubikey

2013-03-12 Thread Arran Cudbard-Bell
What is Yubikey?
---

It's another OTP solution.

Why use it?


* smsotp is ridiculously insecure
* otp clients on mobile phones can be compromised
* RSA tokens suck.

I'll expand on the RSA stuff a bit. Here's why RSA sucks:

* You need to install and maintain a special RSA Appliance just to try out the 
system.
* RSA tokens have a limited lifespan; once the battery runs out the token is 
useless, and you need to get it replaced by RSA.
* RSA tokens use pre-generated token seeds. These become cryptographically 
useless if either your servers or RSA's servers are compromised 
[http://arstechnica.com/security/2011/06/rsa-finally-comes-clean-securid-is-compromised/].
* They're not user friendly. Users have to transcribe the numbers and complete 
authentication before the code changes (something that a surprising number of 
users seem to find impossible). 
* The tokens often get out of sync with the RSA server.
* The tokens get scratched to the point you can't read the numbers off the 
screen.

The yubikey guys came up with a different solution:

* You still have a physical token, but it's powered by the USB port.
* You set the encryption keys (write only), and instead of forcing users to 
type in a number, it just acts as a HID. When you tap the little button on the 
face, it enters the OTP string for you.
* Instead of using a seed and mutating it synchronously on the token and 
server, it uses a fixed encryption key to encrypt validation data in the 
password string. The encrypted data includes replay counters to stop tokens 
being reused.

Although the tokens are kinda expensive ($15-$25), if you need a really secure OTP 
system it's probably worth giving them a trial.


Why am I going on about Yubikey ?
---

Just finished an rlm_yubikey implementation. 

I know there were a couple of implementations on the net already, but they were 
pretty poor.

There was a C one:

https://code.google.com/p/freeradius-yubikey-module/

But... Well... aside from the code... in general... it used its own weird config 
system for recording keys, values and replay data, so it couldn't integrate with 
any of the dynamic language modules, sql or ldap.

There's also a perl one floating around somewhere, but eww, perl.

Here's the config for the new one.

The yubikey authorize method acts like PAP, but is more discerning and will only 
set Auth-Type if it finds a User-Password value which is very likely to be 
yubikey OTP data.

For basic testing:

authorize {
        update control {
                # the secret key that you set on the token
                Yubikey-Key := "0x45a9405b05e956c10257c58dd149c6c4"
        }
        yubikey
}

authenticate {
        Auth-Type yubikey {
                yubikey
        }
}

You need to handle storing counter values, but it's not exactly hard if you 
understand what's going on, and pretty site specific anyway. The module will 
look for a Yubikey-Counter value in the control list, and make sure it's less 
than the current counter value.

Anyway, here's the default config. I'll probably add some sqlite stuff at some 
point to allow basic replay detection (or if anyone else wants to do that, it'd 
be appreciated).

This is available in FreeRADIUS 3.0 only.

https://github.com/FreeRADIUS/freeradius-server/blob/master/src/modules/rlm_yubikey/rlm_yubikey.c

-Arran

#
#  This module decrypts and validates Yubikey static and dynamic
#  OTP tokens.
#
#  The module itself does not provide persistent storage as this
#  would be duplicative of functionality already in the server.
#
#  Yubikey authentication needs two control attributes
#  retrieved from persistent storage:
#    * Yubikey-Key - The AES key used to decrypt the OTP data.
#                    The Yubikey-Public-Id and/or User-Name
#                    attributes may be used to retrieve the key.
#    * Yubikey-Counter - This is compared with the counter in the OTP
#                    data and used to prevent replay attacks.
#                    This attribute will also be available in
#                    the request list after successful
#                    decryption.
#
#  Yubikey-Counter isn't strictly required, but the server will
#  generate warnings if it's not present when Yubikey.authenticate
#  is called.
#
#  These attributes are available after authorization:
#    * Yubikey-Public-ID  - The public portion of the OTP string
#
#  These attributes are available after authentication (if successful):
#    * Yubikey-Private-ID - The encrypted ID included in OTP data,
#                           must be verified if tokens share keys.
#    * Yubikey-Counter    - The last counter value (should be recorded).
#    * Yubikey-Timestamp  - Token's internal clock (mainly useful for
#                           debugging).
#    * Yubikey-Random     - Randomly generated value from the token.
#    * Yubikey-Trigger    - How the Yubikey was triggered
#                           ('k

Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 18:08, Staffan Meijer wrote:
> I uncommented the eth0 line in the configuration file when radtest did
> not work with the original.
> 
> Using the original configuration file I get;
> Listening on authentication address * port 1812
> 
> and 
> 
> linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
> radclient:: Failed to find IP address for linux-vdis.site
> radclient: Nothing to send.

Your server's name resolution configuration is wrong somewhere.
If you replace localhost with 127.0.0.1 it should work.

Fix your /etc/hosts, but this is beyond the scope of this list.

Olivier
-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


Re: radtest failed; IP not found

2013-03-12 Thread Fred MAISON
On Tuesday 12 March 2013 at 18:08 +0100, Staffan Meijer wrote:
> I uncommented the eth0 line in the configuration file when radtest did
> not work with the original.
> 
> Using the original configuration file I get;
> Listening on authentication address * port 1812
> 
> 
> and 
> 
> 
> linux-vdis:/etc/raddb # radtest testing password localhost 0
> testing123
> radclient:: Failed to find IP address for linux-vdis.site

That's a DNS issue, not a Freeradius issue.

> radclient: Nothing to send.
> 
> 
> 
> /Staffan

Re: radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
I uncommented the eth0 line in the configuration file when radtest did not
work with the original.

Using the original configuration file I get;
Listening on authentication address * port 1812

and

linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
radclient:: Failed to find IP address for linux-vdis.site
radclient: Nothing to send.

/Staffan


Default user authentication

2013-03-12 Thread Matthew Ceroni
I am using FreeRadius for 802.1x on my wireless LAN (cisco WLC device).
This is an older device and as such doesn't allow for guest or restricted
VLANs like a physical switch does.

One solution I saw online in a Cisco forum is to have a default user that
returns the guest VLAN attribute for any failed authentications (so
essentially never fail, just always return ACCEPT-ACCEPT for the default
user).

As I use FreeRadius for my WLAN and LAN I don't want to apply this policy
for the wired network. So, using the users file, can I create a default
user and attributes that apply only for a certain Calling Station/NAS ID?

Thanks

Re: radtest failed; IP not found

2013-03-12 Thread Olivier Beytrison
On 12.03.2013 17:05, Staffan Meijer wrote:
> Listening on authentication interface eth0 address * port 1812
> Listening on accounting address * port 1813
> Listening on command file /var/run/radiusd/radiusd.sock
> Listening on authentication address 127.0.0.1 port 18120 as server 
> inner-tunnel
> Listening on proxy address * port 1814

freeradius is listening on eth0 port 1812, not on all interfaces. So
sending packets to localhost won't work.

netstat -puln | grep radius will show exactly where freeradius is
really listening.

Fix your listen section and it should work.

Olivier

-- 

 Olivier Beytrison
 Network & Security Engineer, HES-SO Fribourg
 Mail: oliv...@heliosnet.org


radtest failed; IP not found

2013-03-12 Thread Staffan Meijer
Hi,

I am using
FreeRadius Version 2.1.12 on OpenSuse 12.2.

I have looked at several postings about the same type of problem without
finding the answer to my failure.
The problem is described below.

First use of radiusd -X resulted in /var/run/radiusd not found.

Created : mkdir /var/run/radiusd
Now radiusd -X seems to work; see attachment "radiusd.txt" for the output.

First line in "/etc/raddb/users" is: testing Cleartext-Password :=
"password"

Using radtest failed:

linux-vdis:/etc/raddb # radtest testing password localhost 0 testing123
radclient:: Failed to find IP address for linux-vdis.site
radclient: Nothing to send.

Pinging localhost works:

linux-vdis:/etc/raddb # ping localhost
PING localhost (127.0.0.1) 56(84) bytes of data.
64 bytes from localhost (127.0.0.1): icmp_seq=1 ttl=64 time=0.065 ms


Is the missing /var/run/radiusd an indication that the installation is
incorrect?
FreeRadius was installed using Yast2 software manager.

/Staffan
FreeRADIUS Version 2.1.12, for host i586-suse-linux-gnu, built on Jan  9 2013 
at 12:21
Copyright (C) 1999-2009 The FreeRADIUS server project and contributors. 
There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A 
PARTICULAR PURPOSE. 
You may redistribute copies of FreeRADIUS under the terms of the 
GNU General Public License v2. 
Starting - reading configuration files ...
including configuration file /etc/raddb/radiusd.conf
including configuration file /etc/raddb/proxy.conf
including configuration file /etc/raddb/clients.conf
including files in directory /etc/raddb/modules/
including configuration file /etc/raddb/modules/rediswho
including configuration file /etc/raddb/modules/sqlcounter_expire_on_login
including configuration file /etc/raddb/modules/dynamic_clients
including configuration file /etc/raddb/modules/checkval
including configuration file /etc/raddb/modules/chap
including configuration file /etc/raddb/modules/expr
including configuration file /etc/raddb/modules/files
including configuration file /etc/raddb/modules/replicate
including configuration file /etc/raddb/modules/krb5
including configuration file /etc/raddb/modules/inner-eap
including configuration file /etc/raddb/modules/mschap
including configuration file /etc/raddb/modules/pap
including configuration file /etc/raddb/modules/smsotp
including configuration file /etc/raddb/modules/passwd
including configuration file /etc/raddb/modules/cui
including configuration file /etc/raddb/modules/perl
including configuration file /etc/raddb/modules/exec
including configuration file /etc/raddb/modules/sradutmp
including configuration file /etc/raddb/modules/mac2ip
including configuration file /etc/raddb/modules/wimax
including configuration file /etc/raddb/modules/soh
including configuration file /etc/raddb/modules/smbpasswd
including configuration file /etc/raddb/modules/detail.log
including configuration file /etc/raddb/modules/sql_log
including configuration file /etc/raddb/modules/ldap
including configuration file /etc/raddb/modules/always
including configuration file /etc/raddb/modules/etc_group
including configuration file /etc/raddb/modules/pam
including configuration file /etc/raddb/modules/otp
including configuration file /etc/raddb/modules/mac2vlan
including configuration file /etc/raddb/modules/policy
including configuration file /etc/raddb/modules/attr_filter
including configuration file /etc/raddb/modules/digest
including configuration file /etc/raddb/modules/unix
including configuration file /etc/raddb/modules/realm
including configuration file /etc/raddb/modules/linelog
including configuration file /etc/raddb/modules/echo
including configuration file /etc/raddb/modules/expiration
including configuration file /etc/raddb/modules/opendirectory
including configuration file /etc/raddb/modules/detail
including configuration file /etc/raddb/modules/logintime
including configuration file /etc/raddb/modules/preprocess
including configuration file /etc/raddb/modules/ippool
including configuration file /etc/raddb/modules/acct_unique
including configuration file /etc/raddb/modules/ntlm_auth
including configuration file /etc/raddb/modules/radutmp
including configuration file /etc/raddb/modules/redis
including configuration file /etc/raddb/modules/counter
including configuration file /etc/raddb/modules/attr_rewrite
including configuration file /etc/raddb/modules/detail.example.com
including configuration file /etc/raddb/eap.conf
including configuration file /etc/raddb/policy.conf
including files in directory /etc/raddb/sites-enabled/
including configuration file /etc/raddb/sites-enabled/control-socket-bu
including configuration file /etc/raddb/sites-enabled/inner-tunnel
including configuration file /etc/raddb/sites-enabled/default
main {
user = "radiusd"
group = "radiusd"
allow_core_dumps = no
}
including dictionary file /etc/raddb/dictionary
main {
name = "radiusd"
prefix = "/usr"
localstatedir = "/var"
sbindir = "/usr/sbin"

Re: troubles with eap-peap mschapv2

2013-03-12 Thread Phil Mayers

On 12/03/13 14:23, Bertrand Poulet wrote:
> Tue Mar 12 15:10:20 2013 : Info: # Executing section authorize from file

When you make debug output, please just use:

radiusd -X

Don't use the other arguments; they just create noise and volume 
(timestamps) that are basically irrelevant.

> Tue Mar 12 15:10:20 2013 : Info: +- entering group authenticate {...}
> Tue Mar 12 15:10:20 2013 : Info: [eap] EAP Identity
> Tue Mar 12 15:10:20 2013 : Info: [eap] processing type tls
> Tue Mar 12 15:10:20 2013 : Info: [tls] Initiate
> Tue Mar 12 15:10:20 2013 : Info: [tls] Start returned 1
> Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns handled
> Sending Access-Challenge of id 247 to 172.20.100.53 port 1645
>  EAP-Message = 0x010300061920
>  Message-Authenticator = 0x
>  State = 0x131466f213177f9f58f8ed5fb507e76c
> Tue Mar 12 15:10:20 2013 : Info: Finished request 0.
> Tue Mar 12 15:10:20 2013 : Debug: Going to the next request
> Tue Mar 12 15:10:20 2013 : Debug: Waking up in 4.9 seconds.
> Tue Mar 12 15:10:25 2013 : Info: Cleaning up request 0 ID 247 with
> timestamp +8
> Tue Mar 12 15:10:25 2013 : Debug: WARNING:
> !!
> Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! EAP session for state
> 0x131466f213177f9f did not finish!

This fails really REALLY early in the EAP setup. The certs haven't even 
been exchanged yet.

Start checking other things - check the network path, firewalls, MTU, 
etc. because it doesn't look like you're receiving the PEAP start - just 
the initial EAP identity.



Re: troubles with eap-peap mschapv2

2013-03-12 Thread Alan DeKok
Bertrand Poulet wrote:
> I've copied old "certs" directory to the new server.
> It's still not good.

  See http://deployingradius.com/

  There is detailed documentation for debugging EAP.  As in 10-15 pages,
with screen shots, instructions for what to do, comments as to what
typically goes wrong, and how to fix it.

> The supplicant can not connect;
> there is like a loop between ra_recv and sending-access-challenge.
> the problem is with certs or could it be something else ?

  The problem is likely the certificates.

  Debugging it is not hard.  Just tedious.

  Alan DeKok.


Re: troubles with eap-peap mschapv2

2013-03-12 Thread Bertrand Poulet

On 11/03/2013, freeradius-users-requ...@lists.freeradius.org wrote:
> Date: Mon, 11 Mar 2013 11:50:17 -0400
> From: Alan DeKok 
> To: FreeRadius users mailing list
>   
> Subject: Re: troubles with eap-peap mschapv2
> Message-ID: <513dfd39.90...@deployingradius.com>
> Content-Type: text/plain; charset=ISO-8859-1
>
> Bertrand Poulet wrote:
>> i try to migrate from  FreeRADIUS 1.1.6 (Mandrake)
>> to   FreeRADIUS 2.2.0 (from source) on ubuntu12.04.
>   That should be easy.
I thought so (from what I read in the documentation).
>
>> The same supplicant and same AP with old FR is ok,
>> but not with  new FR 2.2.0.
>>
>> What i've done :
>>
>> I've installed with ./configure; make; make install
>> root@myhost:/usr/local/etc/raddb/certs# make
>> openssl dhparam -out dh 1024
>   Well... that's the problem.  You didn't copy the old certificates
> over.  Instead, you created new ones.
>
>   Don't do that.  Use the old certs.  It will work.
I've copied the old "certs" directory to the new server.
It's still not good.
The supplicant can not connect;
there is like a loop between rad_recv and sending Access-Challenge.
Is the problem with the certs, or could it be something else?

Thanks.


The output is:
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=247, length=172
User-Name = "bertrand"
Framed-MTU = 1400
Called-Station-Id = "0014.1bb6.4be0"
Calling-Station-Id = "844b.f5b8.d423"
Cisco-AVPair = "ssid=ipl_dsi"
Service-Type = Login-User
Message-Authenticator = 0x508e5e0ee37be030c0d4c6e4002d5b60
EAP-Message = 0x0202000d016265727472616e64
NAS-Port-Type = Wireless-802.11
Cisco-NAS-Port = "642"
NAS-Port = 642
NAS-IP-Address = 172.20.100.53
NAS-Identifier = "net-ap-A1-1-53"
Tue Mar 12 15:10:20 2013 : Info: # Executing section authorize from file
/usr/local/etc/raddb/sites-enabled/default
Tue Mar 12 15:10:20 2013 : Info: +- entering group authorize {...}
Tue Mar 12 15:10:20 2013 : Info: ++[preprocess] returns ok
Tue Mar 12 15:10:20 2013 : Info: ++[chap] returns noop
Tue Mar 12 15:10:20 2013 : Info: ++[mschap] returns noop
Tue Mar 12 15:10:20 2013 : Info: ++[digest] returns noop
Tue Mar 12 15:10:20 2013 : Info: [suffix] No '@' in User-Name =
"bertrand", looking up realm NULL
Tue Mar 12 15:10:20 2013 : Info: [suffix] No such realm "NULL"
Tue Mar 12 15:10:20 2013 : Info: ++[suffix] returns noop
Tue Mar 12 15:10:20 2013 : Info: [eap] EAP packet type response id 2
length 13
Tue Mar 12 15:10:20 2013 : Info: [eap] No EAP Start, assuming it's an
on-going EAP conversation
Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns updated
Tue Mar 12 15:10:20 2013 : Debug: WARNING: Found User-Password == "...".
Tue Mar 12 15:10:20 2013 : Debug: WARNING: Are you sure you don't mean
Cleartext-Password?
Tue Mar 12 15:10:20 2013 : Debug: WARNING: See "man rlm_pap" for more
information.
Tue Mar 12 15:10:20 2013 : Info: [files] users: Matched entry bertrand
at line 207
Tue Mar 12 15:10:20 2013 : Info: ++[files] returns ok
Tue Mar 12 15:10:20 2013 : Info: ++[expiration] returns noop
Tue Mar 12 15:10:20 2013 : Info: ++[logintime] returns noop
Tue Mar 12 15:10:20 2013 : Info: [pap] WARNING! No "known good" password
found for the user.  Authentication may fail because of this.
Tue Mar 12 15:10:20 2013 : Info: ++[pap] returns noop
Tue Mar 12 15:10:20 2013 : Info: Found Auth-Type = EAP
Tue Mar 12 15:10:20 2013 : Info: # Executing group from file
/usr/local/etc/raddb/sites-enabled/default
Tue Mar 12 15:10:20 2013 : Info: +- entering group authenticate {...}
Tue Mar 12 15:10:20 2013 : Info: [eap] EAP Identity
Tue Mar 12 15:10:20 2013 : Info: [eap] processing type tls
Tue Mar 12 15:10:20 2013 : Info: [tls] Initiate
Tue Mar 12 15:10:20 2013 : Info: [tls] Start returned 1
Tue Mar 12 15:10:20 2013 : Info: ++[eap] returns handled
Sending Access-Challenge of id 247 to 172.20.100.53 port 1645
EAP-Message = 0x010300061920
Message-Authenticator = 0x
State = 0x131466f213177f9f58f8ed5fb507e76c
Tue Mar 12 15:10:20 2013 : Info: Finished request 0.
Tue Mar 12 15:10:20 2013 : Debug: Going to the next request
Tue Mar 12 15:10:20 2013 : Debug: Waking up in 4.9 seconds.
Tue Mar 12 15:10:25 2013 : Info: Cleaning up request 0 ID 247 with
timestamp +8
Tue Mar 12 15:10:25 2013 : Debug: WARNING:
!!
Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! EAP session for state
0x131466f213177f9f did not finish!
Tue Mar 12 15:10:25 2013 : Debug: WARNING: !! Please read
http://wiki.freeradius.org/Certificate_Compatibility
Tue Mar 12 15:10:25 2013 : Debug: WARNING:
!!
Tue Mar 12 15:10:25 2013 : Info: Ready to process requests.
rad_recv: Access-Request packet from host 172.20.100.53 port 1645,
id=247, length=172
User-Name = "bertrand"
Framed-MTU = 1400
Called-Station-I

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Alan DeKok
Danny Kurniawan wrote:
> Does that mean we have to manually add the client MAC into radius one
> by one?

  You need *some* method to separate known devices from unknown ones.

  How you do it is up to you.

  Alan DeKok.


Re: FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi, please mind my mistake:
1.) "Unix-Time-Based-Login" using unlang rather than the "Login-Time" FR
attribute.


On Tue, Mar 12, 2013 at 11:06 AM, Russell Mike  wrote:

> Hi Freeradius List,
>
> Why would someone use "Unix-Time-Based-Login" and not the "Login-Time" FR
> attribute? Does one offer more flexibility or control than the other?
>
> Actually, we want to implement login based on time. I have been reading the
> mail archives since yesterday to understand the basic functionality of the
> model, and have also come across places where people are talking about both
> techniques. But I am unable to tell which is the better way to go.
>
> Thanks for attending to this material
>
> Thanks / Regards
> RM --
>

FR Login-Time Vs Unix-Time-Based-Login

2013-03-12 Thread Russell Mike
Hi Freeradius List,

Why would someone use "Unix-Time-Based-Login" and not the "Login-Time" FR
attribute? Does one offer more flexibility or control than the other?

Actually, we want to implement login based on time. I have been reading the
mail archives since yesterday to understand the basic functionality of the
model, and have also come across places where people are talking about both
techniques. But I am unable to tell which is the better way to go.

Thanks for attending to this material

Thanks / Regards
RM --

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Phil Mayers

On 03/12/2013 01:46 AM, Danny Kurniawan wrote:
> Does that mean we have to manually add the client MAC into radius one
> by one?


RADIUS can only act on RADIUS attributes. There's no RADIUS attribute 
that says:


 Device-Type = "Bosses iPad"

Most NASes send username and network address of the client (MAC or IP) 
and that's about it for optional (non-authentication) stuff.


In other words, RADIUS can't differentiate devices - *you* have to do 
that, by supplying data and policy.



Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread A . L . M . Buxey
Hi,
>Does that mean we have to manually add the client MAC into radius one by
>one?

well, you want to restrict it to known devices...so ONE way is to add the
allowed MACs to a DB - they could be added to some other lookup table. 

alan