Re: Virtual Server

2011-03-11 Thread Rob Yamry
Thanks Phil. That worked great.
On Mar 10, 2011 10:53 AM, Phil Mayers p.may...@imperial.ac.uk wrote:
 On 10/03/11 16:46, Rob Yamry wrote:
 I'm running FreeRadius 2.1.8 to allow wireless access and that is working
 great. I now want to have the vpn auth against the freeradius server for
 access, but checking for a different ldap attribute on the user. I read
 the virtual servers wiki and it says that all modules are global across
 virtual servers. Do I need to set up another install of freeradius so I
 can check for the other ldap attribute or is there a better way to get
 this accomplished?

 You can also set up a 2nd LDAP module, e.g.

 ldap ldap_vpn {
     ...ldap config items
 }

 ...then:

 server vpn {
     authorize {
         ldap_vpn
     }
 }

 -
 List info/subscribe/unsubscribe? See
http://www.freeradius.org/list/users.html
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Virtual Server

2011-03-10 Thread Rob Yamry
I'm running FreeRadius 2.1.8 to allow wireless access and that is working
great. I now want to have the vpn auth against the freeradius server for
access, but checking for a different ldap attribute on the user.  I read the
virtual servers wiki and it says that all modules are global across virtual
servers.  Do I need to set up another install of freeradius so I can check
for the other ldap attribute or is there a better way to get this
accomplished?

Thanks for your help.
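Phil's suggestion above, carried through as an added example for FreeRADIUS 2.1.x (this is not configuration posted in the thread): a second rlm_ldap instance that gates on a different LDAP attribute, a virtual server that runs only that instance, and a clients.conf entry that steers the VPN concentrator's requests into it, so the wireless configuration is untouched. The LDAP server, bind DN, base DN and CA path follow the debug output elsewhere on this page; the attribute name vpnAccess, the client address and the shared secret are assumptions for the example.

```unlang
# --- raddb/modules/ldap_vpn ---------------------------------------------------
# Second rlm_ldap instance.  Same directory as the wireless "ldap" instance, but
# it grants access only when the user entry carries vpnAccess (assumed attribute).
ldap ldap_vpn {
    server   = "ldap.company.com"
    port     = 389
    identity = "cn=radmin,o=org"
    password = "bind-password-here"        # assumption: use the real bind password
    basedn   = "o=org"

    # Current form of the default filter; the ":-" syntax in the debug output is deprecated
    filter = "(cn=%{%{Stripped-User-Name}:-%{User-Name}})"

    # Different gate than the wireless instance: no vpnAccess attribute, no VPN.
    # rlm_ldap returns userlock, which the authorize section turns into Access-Reject.
    access_attr = "vpnAccess"
    access_attr_used_for_allow = yes

    # StartTLS with certificate verification; never fall back to cleartext binds
    tls {
        start_tls    = yes
        cacertfile   = /etc/raddb/certs/CA.pem
        require_cert = "demand"
    }

    ldap_connections_number = 5
    timeout     = 4
    timelimit   = 3
    net_timeout = 1
}

# --- raddb/sites-enabled/vpn --------------------------------------------------
# Virtual server for the VPN concentrator.  Modules are global, but only the
# modules listed here run for requests that reach this server.
server vpn {
    authorize {
        preprocess
        mschap
        suffix
        ldap_vpn          # the only LDAP lookup this server ever does
        pap
    }
    authenticate {
        Auth-Type PAP {
            pap
        }
        Auth-Type MS-CHAP {
            mschap
        }
    }
    post-auth {
        Post-Auth-Type REJECT {
            attr_filter.access_reject
        }
    }
}

# --- raddb/clients.conf -------------------------------------------------------
# Route this NAS to the virtual server above; wireless clients keep hitting "default".
client vpn-gateway {
    ipaddr         = 10.1.1.2                      # assumption: the concentrator's address
    secret         = "long-random-shared-secret"   # assumption; generate it, don't reuse the WLAN one
    shortname      = vpn
    virtual_server = vpn
}
```

Whatever password-retrieval settings the wireless instance needs for MS-CHAP have to be repeated in ldap_vpn, since instances share nothing. A group check inside server vpn has to use `ldap_vpn-Ldap-Group`, because rlm_ldap registers that attribute under the instance name; plain `Ldap-Group` still belongs to the wireless instance. Run `radiusd -X`, send a request from the VPN client's address, and confirm the debug shows `[ldap_vpn]` lines and no `[ldap]` lines for that request.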

Re: Problem with iPods/iTouches

2011-01-17 Thread Rob Yamry

 Does this problem also happen with iOS 4.x devices other than the iPod
 Touch?

 Does the problem happen with non-Enterasys gear? (Do you have any that you
 can test with?)  Additionally, what firmware version are you running on the
 Enterasys gear?  Can you share your config (or at least the relevant
 pieces)?


Hi Terry-

   The problem also happens with an iPad.  I've had a teacher report problems
with his iPhone too, but I haven't gotten my hands on it yet.

  We don't have any other wireless gear except for the Enterasys controller
and APs.  We updated the firmware to v7.31.03.0005 last week but we also had
the problem on the previous version as well, v7.31.2.10.

  A default config for FreeRadius 2.1.8 or 2.1.10 shows the problem.  As for
the controller, the settings on the SSID: it's set to use WPA v2 with AES
encryption and 802.1X for auth.  The radius server config on the controller is
using MSCHAPv2 by default.  Is that what you were looking for?

Thanks for your help-
Rob

Re: Problem with iPods/iTouches

2011-01-13 Thread Rob Yamry

 Hmm. Are you asking for a client cert with PEAP; your original trace has:


 [peap] TLS_accept: Need to read more data: SSLv3 read client
 certificate A
 In SSL Handshake Phase
 In SSL Accept mode
 [peap] eaptls_process returned 13
 [peap] EAPTLS_HANDLED
 ++[eap] returns handled
 Sending Access-Challenge of id 66 to 10.1.1.1 port 38428


Those traces above are from a default installation, so I *think* it doesn't
ask for client certs.  But same goes for my production environment and I
know we don't ask for client certs there.

I can get this working perfectly with the WinXP laptop using the same certs
and credentials.  Works flawlessly.  With the iPods...not so much.

-Robb

Re: Problem with iPods/iTouches

2011-01-12 Thread Rob Yamry


 I have a very vague recollection we faced something similar to this, and
 dealt with it by (massively) increasing the EAPOL timeout on our wireless
 controllers.

 IIRC the problem is that you have to hit accept fast enough that the
 original EAP conversation is still in-play. This is a function of both
 FreeRadius (timeout of EAP conversations) as well as your wireless platform.

 But I might be mistaken - it's a very hazy recollection.


I don't have a straight EAPOL timeout option on my controller (Enterasys
HiPath C4110), so I set the Radius timeout to its max, 360 seconds.  It
still fails, and does so fairly quickly.

I tried putting on v2.1.10 and it still fails.  I get this error:

WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
WARNING: !! EAP session for state 0x918d31e1948b2881 did not finish!
WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility
WARNING: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!


But I think it may be a bit of a generic error as I'm using a totally default
config, including the certs that were generated with the bootstrap script.

Re: Problem with iPods/iTouches

2011-01-12 Thread Rob Yamry

  What if the cert is trusted – does everything work OK?  I’m assuming in
 your production config the devices will trust the cert, so why spend time
 troubleshooting a problem that may not exist in production mode?

No, it still won't work.   In fact, I installed both the CA cert and the server
cert on the device.  Both install fine and say they are trusted.  But when I
try to connect to the wireless again it says the cert is not verified
(just as in the original case) and the connection fails.

Same goes for the production environment.  This problem is very frustrating!

-Rob

Stop after mac auth

2010-12-13 Thread Rob Yamry
99% of my config authenticates against ldap. There are certain situations
(mainly authenticating our old phones) where I need to have mac auth as
well.  Both methods are authenticating fine.  The problem is that I would
like for freeradius to not search ldap when the if ((Service-Type ==
'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) comes back as
TRUE.  As the config is now (output below), it runs the condition and
regardless of the outcome it performs a search against ldap for the mac,
which will always fail and causes unnecessary queries.

How can I accomplish this?

++[eap] returns noop
++[unix] returns notfound
++[files] returns noop
++? if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i))
?? Evaluating (Service-Type == 'Call-Check') - FALSE
expand: ^%{Calling-Station-ID}$ - ^00-24-d6-a6-ce-ce$
?? Evaluating (User-Name =~ /^%{Calling-Station-ID}$/i) - TRUE
++? if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) - TRUE
++- entering if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) {...}
+++[control] returns noop
++- if ((Service-Type == 'Call-Check') || (User-Name =~
/^%{Calling-Station-ID}$/i)) returns noop
++[chap] returns noop
[ldap] performing user authorization for 00-24-d6-a6-ce-ce
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - 00-24-d6-a6-ce-ce
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) -
(cn=00-24-d6-a6-ce-ce)
[ldap]  expand: o=kasd - o=kasd
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.company.com:389, authentication 0
  [ldap] setting TLS CACert File to /etc/raddb/certs/CA.pem
  [ldap] starting TLS
  [ldap] bind as cn=radmin,o=org/password to ldpa.company.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (cn=00-24-d6-a6-ce-ce)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = CSID
+- entering group CSID {...}
++? if (Chap-Password)
? Evaluating (Chap-Password) - FALSE
++? if (Chap-Password) - FALSE
++- entering else else {...}
+++[ok] returns ok
++- else else returns ok
Login OK: [00-24-d6-a6-ce-ce] (from client kasd port 0 cli
00-24-d6-a6-ce-ce)
+- entering group post-auth {...}
++[ldap] returns noop
++[exec] returns noop
++? if (control:Auth-Type == 'CSID')
? Evaluating (control:Auth-Type == 'CSID') - TRUE
++? if (control:Auth-Type == 'CSID') - TRUE
++- entering if (control:Auth-Type == 'CSID') {...}
[authorized_macs]   expand: %{Calling-Station-ID} - 00-24-d6-a6-ce-ce
[authorized_macs] users: Matched entry 00-24-d6-a6-ce-ce at line 1
+++[authorized_macs.authorize] returns ok
+++? if (!ok)
? Evaluating !(ok) - FALSE
+++? if (!ok) - FALSE
++- if (control:Auth-Type == 'CSID') returns ok
Sending Access-Accept of id 65 to 10.1.2.85 port 53168
Reply-Message = MyLaptop
Service-Type := Call-Check
Filter-Id = Students
Finished request 0.

Re: Stop after mac auth

2010-12-13 Thread Rob Yamry
Perfect, thanks.


if ((Service-Type == 'Call-Check') || (User-Name =~ /^%{Calling-Station-ID}$/i)) {
    update control {
        Auth-Type := 'CSID'
    }
}
else {
    ldap
}
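The snippet above skips LDAP for MAC requests, but the `User-Name =~ /^%{Calling-Station-ID}$/i` test still assumes the NAS writes both values with the same separators; if User-Name arrives as 0024d6a6cece and Calling-Station-Id as 00-24-d6-a6-ce-ce the test is false and the phone falls through to LDAP after all. This authorize section, added here as an example for FreeRADIUS 2.1.x and not taken from the thread, canonicalises both values before comparing, answers MAC requests only from the local authorized_macs list, and uses the built-in Auth-Type Accept so nothing in the authenticate section is needed. Tmp-String-0 is a scratch attribute from the server's internal dictionary; the file path and the reply attributes for the phones are assumptions.

```unlang
# --- raddb/modules/authorized_macs -------------------------------------------
# files instance keyed on the MAC rather than on User-Name (this matches the
# "[authorized_macs] expand: %{Calling-Station-ID}" lines in the debug above).
files authorized_macs {
    key       = "%{Calling-Station-Id}"
    usersfile = ${confdir}/authorized_macs
}

# --- raddb/authorized_macs (example contents, one canonical MAC per entry) ----
# A MAC is not a credential; give these devices a restricted policy, never the staff one.
#   00-24-d6-a6-ce-ce
#       Reply-Message = "MyLaptop",
#       Filter-Id = "Phones"

# --- raddb/sites-enabled/default, authorize section ---------------------------
authorize {
    preprocess
    chap
    mschap
    suffix
    eap
    files

    # Canonicalise Calling-Station-Id to aa-bb-cc-dd-ee-ff whatever the NAS sent
    if (Calling-Station-Id =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
        update request {
            Calling-Station-Id := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }

    # Same for a User-Name that is itself a MAC.  The result goes to a scratch
    # attribute so the real User-Name is untouched for LDAP and for NASes that echo it.
    update request {
        Tmp-String-0 := "%{User-Name}"
    }
    if (User-Name =~ /^([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})[^0-9a-f]?([0-9a-f]{2})$/i) {
        update request {
            Tmp-String-0 := "%{tolower:%{1}-%{2}-%{3}-%{4}-%{5}-%{6}}"
        }
    }

    if ((Service-Type == 'Call-Check') || (Tmp-String-0 == "%{Calling-Station-Id}")) {
        # MAC auth: the local list is the only authority.  LDAP is never queried for a MAC.
        authorized_macs
        if (!ok) {
            reject
        }
        update control {
            Auth-Type := Accept
        }
    }
    else {
        # A real user: authorize from LDAP exactly as before
        ldap
    }

    expiration
    logintime
    pap
}
```

With Auth-Type Accept the request never enters the authenticate section, so the CSID group from the debug output is no longer needed; keep the post-auth block that adds Service-Type := Call-Check if the controller expects it. Verify with `radiusd -X`: a phone request should show `[authorized_macs]` and then `Sending Access-Accept` with no `[ldap] performing user authorization` line in between, and an unknown MAC should be rejected without an LDAP search either.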

Re: ERROR! Our request for peap was NAK'd with a request for peap

2010-12-10 Thread Rob Yamry

 New firmware should have been out by now, try updating to latest version.
 Last I heard back in June was that it was being actively worked on and that
 a fix had been created.


I'm already running the latest firmware, v41.05.

I guess I'll have to take a different approach to this to get it connected.
Create a different SSID that doesn't require auth maybe...

Re: ERROR! Our request for peap was NAK'd with a request for peap

2010-12-10 Thread Rob Yamry

   That's a little hard to believe.  Most printers *don't* do EAP (i.e.
  802.1X).  Just use it like a printer, without doing 802.1X.

 Problem is, if the user can't figure how to turn off the 802.1X supplicant,
 it acts like an 802.1X-2004 supplicant and blocks inbound/outbound traffic
 if the printer fails to authenticate.


Yeah, that's a real pain for testing too.  I must have reset that card 20
times when trying to figure this out.

Arran, any chance you could get a copy of that firmware? We have HP here and
there, but nothing extraordinary.

ERROR! Our request for peap was NAK'd with a request for peap

2010-12-09 Thread Rob Yamry
I have an HP JetDirect 690n print server that I'm trying to authenticate via
FreeRadius 2.1.8 for wireless clients to use.  If I tell the 690 to use PEAP
then I get the error "ERROR! Our request for peap was NAK'd with a request
for peap".  If I tell it to use EAP-TLS I get the error "ERROR! Our request
for tls was NAK'd with a request for tls".  Also, I have a user set up in the
users file, but it still tries to search LDAP for that user.  I can log in
fine with the local ktest user via radtest or ntradping.  Debug log from a
PEAP request is here:

Ready to process requests.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80,
length=283
User-Name = ktest
NAS-IP-Address = 10.1.1.1
NAS-Port = 150
Framed-MTU = 1400
Called-Station-Id = 00:1f:45:7f:83:fa
Calling-Station-Id = 00:1b:78:eb:c8:1d
NAS-Port-Type = Wireless-802.11
NAS-Identifier = TEST
Siemens-AP-Serial = 0500010143052305
Siemens-AP-Name = AP01
Siemens-VNS-Name = TEST
Siemens-BSSID = TEST
Siemens-BSS-MAC = 00:1f:45:7f:83:fa
Siemens-Policy = NonAuth
Siemens-Topology = Bridged at AP untagged
EAP-Message = 0x0201000a016b74657374
Message-Authenticator = 0xef83aea844bdbfb74c34110c7fafa33f
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ktest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 1 length 10
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[unix] returns notfound
[files] users: Matched entry ktest at line 209
++[files] returns ok
[ldap] performing user authorization for ktest
[ldap] WARNING: Deprecated conditional expansion :-.  See man unlang for
details
[ldap]  ... expanding second conditional
[ldap]  expand: %{User-Name} - ktest
[ldap]  expand: (cn=%{Stripped-User-Name:-%{User-Name}}) - (cn=ktest)
[ldap]  expand: o=org - o=org
  [ldap] ldap_get_conn: Checking Id: 0
  [ldap] ldap_get_conn: Got Id: 0
  [ldap] attempting LDAP reconnection
  [ldap] (re)connect to ldap.company.com:389, authentication 0
  [ldap] setting TLS CACert File to /etc/raddb/certs/ca.pem
  [ldap] starting TLS
  [ldap] bind as cn=radmin,o=org/password to ldap.company.com:389
  [ldap] waiting for bind result ...
  [ldap] Bind was successful
  [ldap] performing search in o=org, with filter (cn=ktest)
  [ldap] object not found
[ldap] search failed
  [ldap] ldap_release_conn: Release Id: 0
++[ldap] returns notfound
++[expiration] returns noop
++[logintime] returns noop
[pap] Found existing Auth-Type, not changing it.
++[pap] returns noop
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] EAP Identity
[eap] processing type tls
[tls] Initiate
[tls] Start returned 1
++[eap] returns handled
Sending Access-Challenge of id 80 to 10.1.1.1 port 47567
Filter-Id = Students
EAP-Message = 0x010200061920
Message-Authenticator = 0x
State = 0xb21c3f23b21e261bc6f5440efd9d3572
Finished request 0.
Going to the next request
Waking up in 4.9 seconds.
rad_recv: Access-Request packet from host 10.1.1.1 port 47567, id=80,
length=361
Cleaning up request 0 ID 80 with timestamp +53
User-Name = ktest
NAS-IP-Address = 10.1.1.1
NAS-Port = 150
Framed-MTU = 1400
Called-Station-Id = 00:1f:45:7f:83:fa
Calling-Station-Id = 00:1b:78:eb:c8:1d
NAS-Port-Type = Wireless-802.11
NAS-Identifier = TEST
Siemens-AP-Serial = 0500010143052305
Siemens-AP-Name = AP01
Siemens-VNS-Name = TEST
Siemens-BSSID = TEST
Siemens-BSS-MAC = 00:1f:45:7f:83:fa
Siemens-Policy = NonAuth
Siemens-Topology = Bridged at AP untagged
EAP-Message =
0x020200461980003c160301003701330301000c2db78264c7293dabf829a390628548921ccd153f66aef981c50d964c0c0035000a002f0005000400090100
State = 0xb21c3f23b21e261bc6f5440efd9d3572
Message-Authenticator = 0x047a88b42dd297aff674849e11cc719b
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = ktest, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] EAP packet type response id 2 length 70
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP-TLS
  TLS Length 60
[peap] Length Included
[peap] eaptls_verify returned 11
[peap] (other): before/accept initialization
[peap] TLS_accept: before/accept initialization
[peap]  TLS 1.0 Handshake [length 0037], ClientHello
[peap] TLS_accept: SSLv3 read client hello A
[peap]  TLS 1.0 Handshake [length 002a], ServerHello
[peap] 

Re: ERROR! Our request for peap was NAK'd with a request for peap

2010-12-09 Thread Rob Yamry
  It pretends to implement EAP, but it does not.  Disable EAP for the
 printer.


There isn't an option to disable EAP on the printer.  The protocols I have
the option for on the printer are LEAP, PEAP and EAP-TLS.  PEAP and EAP-TLS
give me the above error.  LEAP just kinda stops (I should probably disable
LEAP anyway).  Is there any workaround/update/enhancement to get this
working (PEAP, that is...)?


 This is a wild guess, but maybe the printer doesn't have (or doesn't trust)
 your CA certificate, so it's terminating the PEAP (and presumably the TLS
 too) with a NAK. It *should* send an SSL alert over the PEAP link before
 doing that IMHO


I have my CA imported to the printer. I also made the printer a client cert
and imported that as well.  The only thing I can think of here is that the
printer asks for the server id which they define as *The Server ID must
match the rightmost portion of the name provided by the authentication
server*.  I've tried multiple names here including the hostname from the
certs, radius hostname, NAS IP, just about everything that I can think of
and nothing seems to matter.  Something I could be missing maybe?


 have a user setup in the users file, but it still tries to search ldap


 So don't configure LDAP.


I *need* ldap for the rest of my setup.  The whole user base besides this
printer auths against LDAP.  Since this printer is an oddball situation, I
created a local user in the users file for it.  Regardless, even if I do
make an ldap account for it, it still fails with the NAK msg.


radtest does not do eap. Google for eapol_test for a CLI way to test the
 EAP setup.


Eh, I have tested with eapol_test as well using the peap-mschapv2 and
ttls-eap-mschapv2 and both work fine for that test user.

Re: Attribute not passing to NAS?

2010-12-07 Thread Rob Yamry
I've changed that setting previously and it does not work for a client
connection.  However, I didn't have the eapol_test util before.  If I test it
with the eapol_test utility now with the ttls-eap-mschapv2.conf config file it
works.  It passes it on Filter-Id in the Access-Accept.  If I use the
peap-mschapv2.conf config file, it doesn't work.  It doesn't work with a client
connecting to it either.  So, it's partly working.

There must be some type of authentication that we need to force.  I tried
setting default_eap_type = mschapv2 (instead of peap) but that doesn't work
either.  Maybe something to do with ttls?

Re: Attribute not passing to NAS?

2010-12-07 Thread Rob Yamry
Just figured it out.

In eap.conf under the peap section 'use_tunneled_reply = yes' needs to be
set there as well.  I only had it set under the ttls section before.  I just
tested a client and it's working fine now.


Thanks for all your help Mikkal!
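The eap.conf side of that fix, as an added example for FreeRADIUS 2.1.x (not a file posted in the thread). PEAP and TTLS each have their own inner-tunnel handling, so use_tunneled_reply has to be set under each method; copy_request_to_tunnel is the companion setting that lets the inner server see the NAS attributes in the first place. The certificate paths and the bootstrap key password are assumptions matching a default install; the selective alternative at the end uses the inner-tunnel post-auth section and assumes nothing beyond a Filter-Id in the inner reply.

```unlang
# --- raddb/eap.conf -----------------------------------------------------------
eap {
    default_eap_type = peap
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = whatever            # assumption: the bootstrap script's default
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        CA_file = ${cadir}/ca.pem
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        cipher_list = "DEFAULT"
    }

    ttls {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes   # inner request gets Calling-Station-Id, NAS attributes, ...
        use_tunneled_reply     = yes   # inner Access-Accept attributes (Filter-Id) go to the outer reply
        virtual_server = "inner-tunnel"
    }

    peap {
        default_eap_type = mschapv2
        copy_request_to_tunnel = yes
        use_tunneled_reply     = yes   # the line that was missing: the setting is per method
        virtual_server = "inner-tunnel"
    }

    mschapv2 {
    }
}

# --- raddb/sites-enabled/inner-tunnel, post-auth section ----------------------
# Selective alternative that also works with use_tunneled_reply = no: copy only the
# attributes the controller should see, instead of the whole inner reply.
post-auth {
    if ("%{reply:Filter-Id}" != "") {
        update outer.reply {
            Filter-Id := "%{reply:Filter-Id}"
        }
    }
}
```

use_tunneled_reply copies the inner Access-Accept as a whole, so anything the inner server returns becomes visible to the NAS; the outer.reply form is the one to use when the inner tunnel also produces attributes that should stay inside. Either way, test with eapol_test against both the peap-mschapv2 and ttls-eap-mschapv2 configs and check that the final Access-Accept in the debug output, not just the inner "Got tunneled reply" block, carries Filter-Id.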

Re: Attribute not passing to NAS?

2010-12-06 Thread Rob Yamry
Hey Mikkal-
 I'm not sure if my last few emails went through the list... I got a msg
stating they were pending approval since they were too long.  I kept digging
into this and I came across the eapol_test utility:
http://deployingradius.com/scripts/eapol_test/  I tried running that to take
the client and NAS out of the process.  As far as I can tell, it all looks
fine.  Even with a default install of 2.1.10 (and another test using
new certs with the required OIDs for XP clients:
http://www.howtoforge.com/wifi-authentication-accounting-with-freeradius-on-centos5),
I still get those 9 requests.  Are you using EAP?

  Is anybody else following this that can test/verify that they get the same
responses as I do?

Thanks-
Rob

Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
I have an Enterasys HiPath controller that I'm trying to pass an attribute to,
to throw the user into the correct policy upon authentication.  I talked with
their support and they say to set the Filter-Id attribute to the name of the
policy set on the controller.  I did, but it doesn't seem to pass.  In the
debug for radius I get this:


[peap] Got tunneled reply RADIUS code 2
Filter-Id = Faculty
EAP-Message = 0x03080004
Message-Authenticator = 0x
User-Name = ktest

and it goes on to:

Cleaning up request 18 ID 109 with timestamp +12
User-Name = ktest
NAS-IP-Address = 127.0.4.1
NAS-Port = 222
Framed-MTU = 1400
Called-Station-Id = 00:1f:45:7f:83:fa
Calling-Station-Id = 00:24:d6:a6:ce:ce
NAS-Port-Type = Wireless-802.11
NAS-Identifier = TEST
Siemens-AP-Serial = 0500010143052305
Siemens-AP-Name = AP09
Siemens-VNS-Name = TEST
Siemens-BSSID = TEST
Siemens-BSS-MAC = 00:1f:45:7f:83:fa
Siemens-Policy = Students
Siemens-Topology = TopoStudents
Siemens-Ingress-Rate = Unlimited
Siemens-Egress-Rate = Unlimited

I use LDAP (via eDirectory) on the backend and authentication is working
fine.  It pulls the correct value for the Filter-Id attribute, but it doesn't
seem to take effect.  The Siemens-xxx attributes are coming from the
controller and you can see based on the Siemens-Policy = Students attribute
that the student policy is still applying - not the Faculty policy as is
defined in the Filter-Id attribute.  I have also tried to set the
Siemens-Policy attribute on the user but that did not work either.

Am I missing something in the config to have this value sent back to the
NAS?

FreeRadius 2.1.8

Re: Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
Hi Mikal-
  Thanks for responding.  I have it set up just like that...the policy on
the controller is named Faculty.  I even took LDAP out of it to make sure
that the attribute was passing correctly.  I have a user defined in the
/etc/raddb/users

ktest   Cleartext-Password := password
        Filter-Id = Faculty

When I authenticate with this user I get:

Client session MAC [00:24:D6:A6:CE:CE] on AP [JRG-1FL-AP09] with SSID [TEST]
from VNS [TEST] with username [ktest] has been successfully authenticated.
Policy [Students] is applied.

I get the same msg for an ldap user that has the Filter-Id set to Faculty as
well.

For comparison, on the controller my vns settings include:
VNS Name: TEST
WLAN Service: TESTWLAN
Non-Auth policy: NonAuth
Auth Policy: Students   (support told me this doesnt matter what
its set to...the Filter-Id will override this)
Restrict policy set unchecked
Enable checked

I have another policy named Faculty that is assigned the AuthFaculty
topology (which sets the tagged vlan).

How does this compare to your setup?  Do I need the restrict policy set
option checked and config'd?

-Rob

On Thu, Dec 2, 2010 at 11:38 AM, mikal m...@atceast.com wrote:


 Rob,

 You need to ensure that the value of Filter-Id maps exactly to the value of
 the policy that you're trying to apply.  So you need to have a policy
 defined on the controller named Faculty, not faculty or facultY, but
 Faculty.

 For instance, if I have a policy named NewmanN and I pass a
 Filter-Id=NewmanN then I get:

 Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
 from VNS [SMFC] with username [test.user11] with mu session timer [52549]
 has been successfully authenticated. Policy [NewmanN] is applied.

 The desired policy is applied.

 If I pass a Filter-Id=Newmann then I get:

 Client session MAC [00:22:6B:9A:2B:77] on AP [IRV-AP3620] with SSID [SMFC]
 from VNS [SMFC] with username [test.user11] with mu session timer [52201]
 has been successfully authenticated. Policy [SMFC Auth] is applied.

 The default policy for that VNS is applied because there was no policy
 matching Newmann.


 --
 View this message in context:
 http://freeradius.1045715.n5.nabble.com/Attribute-not-passing-to-NAS-tp3289418p3289720.html
 Sent from the FreeRadius - User mailing list archive at Nabble.com.


Re: Attribute not passing to NAS?

2010-12-02 Thread Rob Yamry
Mikal-
  Yes, I have done a packet trace.  The Filter-Id attribute is sent on the
2nd packet of the authentication attempt, during the first
access-challenge.  After that, Filter-Id isn't mentioned again until after
the Access-Accept packet on the Accounting-Request.  However, on the
Accounting-Request packet it's shown as Students, not Faculty.  The whole
authentication process is 20 packets, excluding the accounting packets.  The
only thing I noticed that may be out of the ordinary is that there are 10
access-request packets, with 9 of them being duplicates to the first
request.  The Filter-Id attribute is only sent on the first challenge
response.  I'm not sure if this is normal or not as I don't have anything to
compare to.

Do you see something similar with your configuration?


On Thu, Dec 2, 2010 at 1:01 PM, mikal m...@atceast.com wrote:


 Rob,

 You shouldn't need to check the restrict policy option.  My setup is
 actually using a Captive Portal for the users to enter credentials.  So I
 start them off with a non-auth policy that uses a Routed topology and
 then
 once authenticated uses a Bridge at AP topology.

 So the controller is serving up the CP page, and then I'm using freeradius
 with a MySQL backend.

 Did you capture a trace from the controller interface just to ensure that
 the attribute/value pair is appearing at the controller interface
 correctly?
 Wireless Controller-Utilities-Wireless Controller TCP Dump Management.

 So my VNS setup looks like:

 VNS Name: SMFC
 WLAN Service: SMFC
 Non-Auth policy: SMFC NonAuth
 Auth Policy: SMFC Auth   (support is correct, this will be
 overwritten if the radius-accept contains a Filter-Id value that matches a
 configured policy)
 Restrict policy set unchecked
 Enable checked

 Under VNS Configuration-Policies I have a policy: named Policy
 Name:NewmanN.

 I throw a row in my MySQL radreply table to use a Filter-Id value of
 NewmanN
 for a particular user (test.user11 in this case) and I'm off and running.
 If I set the Filter-Id value in my MySQL row to Newmann, or newmanN, etc.
 then I get the default policy applied to test.user11.  The same behavior
 that you're seeing.



MAC Auth first, then User?

2010-09-23 Thread Rob Yamry
We are experiencing an issue where certain policies need to push down to
laptops before the user enters their credentials to authenticate to the
wireless network.  We only have Radius/802.1x enabled on the wireless right
now.  Is it possible to authenticate the device based on MAC address so the
initial connection is there (so the laptop is online) and then have the
user authenticate via the Novell Client (with 802.1x) to login to the
desktop?

How to differeniate types of users

2010-04-07 Thread Rob Yamry
I have Radius v1.1.7 working great with eDirectory/LDAP, both running on SLES
10 SP3.   Right now we use it to control access to our wireless in the
district, but it's sort of an all-or-nothing approach right now.  What we are
trying to accomplish is to have two SSIDs - one for students and one for staff.
As it's set up now, anybody can connect to either one.  How would I be able to
differentiate the two users?  I can use attributes and such, but how/where
would that be defined?

Thanks for your help!

-Rob



Re: How to differeniate types of users

2010-04-07 Thread Rob Yamry
FreeRadius users mailing list freeradius-users@lists.freeradius.org writes:
Hi,
 I have Radius v1.1.7 working great with eDirectory/LDAP, both running on
 SLES 10 SP3.   Right now we use it to control access to our wireless in the
 district, but it's sort of an all-or-nothing approach right now.  What we are
 trying to accomplish is to have two SSIDs - one for students and one for staff.
 As it's set up now, anybody can connect to either one.  How would I be able to
 differentiate the two users?  I can use attributes and such, but how/where
 would that be defined?

the NAS should send something that differentiates it...normally
a VSA that has the SSID in it. you can then do a match comparison.

i'd move to 2.1.8 if i were you - the unlang feature is priceless
and makes this very easy to do.

I'd also say...why 2 SSIDs? why pollute the airwaves and divide
things up with extra broadcasts when all you need to do is check
the type of person and use a VLAN to separate them..if the kit supports
that of course...

alan


I'm not stuck on using two SSIDs...I just thought that would be the way to do
it.  If we can use one and use VLANs to get dynamically assigned to different
groups of users I'd be fine with that.

Is there anything out there that you can direct me to that will get me going on
this?  I'm new to RADIUS; this was my first install, so my knowledge of it is
limited to what I can find in docs and on search engines.  I'm a bit green to
this stuff right now.

I'm using 1.1.7 as that's the one that was in the repo for SLES 10 SP3.  I'll get
on 2.x as that seems to be the right move.

Thanks-
Rob

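Alan's suggestion above, carried through as an added example for FreeRADIUS 2.1.x (not something posted in the thread): one SSID, and the Access-Accept decides the VLAN from an LDAP group check, rejecting anyone who authenticates but belongs to neither group rather than dropping them on the controller's default policy. It goes in the inner-tunnel post-auth section, which is where PEAP/TTLS users are known by their real name, and relies on use_tunneled_reply = yes in eap.conf (see the Filter-Id thread above) to get the reply attributes to the NAS. The eDirectory group attribute, the group names, the VLAN numbers, the policy names and the Siemens-VNS-Name value are assumptions; the Siemens VSA itself appears in the debug output elsewhere on this page.

```unlang
# --- raddb/modules/ldap: add to the existing ldap { } instance -----------------
#     groupname_attribute       = cn
#     groupmembership_attribute = groupMembership   # assumption: eDirectory's group-list attribute
# With these set, "Ldap-Group == <cn>" can be evaluated in unlang.

# --- raddb/sites-enabled/inner-tunnel, post-auth section ----------------------
# "ldap" should also be listed in this server's authorize section so the user DN
# is already known when the group comparison runs.
post-auth {
    if (Ldap-Group == "staff") {
        update reply {
            # Standard dynamic-VLAN attributes understood by most 802.1Q-capable NASes
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "20"
            # The Enterasys/Siemens HiPath controller on this page selects its policy by name instead
            Filter-Id := "Faculty"
        }
    }
    elsif (Ldap-Group == "students") {
        update reply {
            Tunnel-Type             := VLAN
            Tunnel-Medium-Type      := IEEE-802
            Tunnel-Private-Group-Id := "30"
            Filter-Id := "Students"
        }
    }
    else {
        # Good password, unknown role: deny instead of landing on the NAS default VLAN/policy
        reject
    }

    # If two SSIDs are kept after all, the NAS names the SSID in a VSA, so a student
    # with valid credentials can still be kept off the staff SSID:
    if ((outer.request:Siemens-VNS-Name == "Staff") && !(Ldap-Group == "staff")) {
        reject
    }
}
```

The group comparison is resolved by rlm_ldap at the moment the condition is evaluated, so it needs no separate module call in post-auth; with `radiusd -X` you should see an `[ldap] ... Group comparison` style line followed by the reply attributes, and a user in neither group should produce an Access-Reject even though the password check passed. On the HiPath the Filter-Id line is the one that matters, as the Filter-Id thread on this page shows; on other controllers it is the Tunnel-* triple, and either set is harmless to a NAS that ignores it.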