RE: Windows Pre-Login Auth

2011-09-10 Thread Scott Hughes
 -Original Message-
 From: freeradius-users-
 bounces+scott=renshawauto@lists.freeradius.org [mailto:freeradius-
 users-bounces+scott=renshawauto@lists.freeradius.org] On Behalf Of
 Commonn Systems
 Sent: Friday, September 09, 2011 4:54 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Windows Pre-Login Auth
 
 Once you have Samba and AD talking via winbind, it is pretty
straightforward.
 You can configure all the machines via Group Policy. I have used this post,
 pretty much to the T:
 http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html
 
 Good luck
 

I am running into an issue attempting to make FreeRadius authenticate via
AD.  I am using FreeRadius version: 2.1.7, for host x86_64-redhat-linux-gnu
and I am using the following version for Samba/Winbind:  3.5.4-0.70.el5_6.1

I can join the domain and get a list of users, and complete the ntlm_auth
step successfully.

However, when I attempt to use a real AD username and password I get an
Access-Reject.

Here is the command I am sending to the FreeRadius server:

radtest scott kjsdfh7823 localhost 0 testing123


---

Here is what the Radius -X output shows:

Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38,
length=57
User-Name = scott
User-Password = kjsdfh7823
NAS-IP-Address = 10.119.189.35
NAS-Port = 0
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
++[mschap] returns noop
[suffix] No '@' in User-Name = scott, looking up realm NULL
[suffix] No such realm NULL
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
++[unix] returns notfound
[files] users: Matched entry DEFAULT at line 206
++[files] returns ok
++[expiration] returns noop
++[logintime] returns noop
[pap] WARNING! No known good password found for the user.  Authentication
may fail because of this.
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Failed to authenticate the user.
Using Post-Auth-Type Reject
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} - scott
 attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of request 0 for 1 seconds
Going to the next request
Waking up in 0.9 seconds.
Sending delayed reject for request 0
Sending Access-Reject of id 38 to 127.0.0.1 port 49689
Waking up in 4.9 seconds.
Cleaning up request 0 ID 38 with timestamp +17
Ready to process requests.

--

I think the line above (in the radius -X output) that reads "[mschap] No
MS-CHAP-Challenge in the request" may be causing the issue (i.e. - not
testing it properly for MS-Chap - sending a cleartext username and password
instead of what the MS-Chap module expects?).

Any assistance would be greatly appreciated. I have and am continuing to
scour the internet for anything that might fix this issue.

Thanks,
Scott


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
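A small checker for the kind of debug output pasted above, as an added example in Python (not FreeRADIUS code): it pulls the Access-Request attributes and the "Found Auth-Type" line out of a -X transcript and reports when the selected Auth-Type needs credentials the request never carried, which is the mismatch behind the reject here (radtest sent a PAP User-Password; Auth-Type MSCHAP needs an MS-CHAP-Challenge). The two transcripts in the block are constructed condensations of the thread's output, and the per-method attribute table is a simplification of what the pap/chap/mschap/eap modules check in authorize.

```python
import re

# Constructed sample: the Access-Request, Auth-Type and reply lines from the
# thread's "radiusd -X" transcript.  radtest sends a cleartext User-Password,
# i.e. a PAP request.
SAMPLE_REJECT = """\
rad_recv: Access-Request packet from host 127.0.0.1 port 49689, id=38, length=57
        User-Name = "scott"
        User-Password = "kjsdfh7823"
        NAS-IP-Address = 10.119.189.35
        NAS-Port = 0
+- entering group authorize {...}
++[pap] returns noop
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
[mschap] No MS-CHAP-Challenge in the request
++[mschap] returns reject
Sending Access-Reject of id 38 to 127.0.0.1 port 49689
"""

# Constructed sample of a request that really carries MS-CHAPv2 credentials.
SAMPLE_ACCEPT = """\
rad_recv: Access-Request packet from host 10.0.0.2 port 1645, id=7, length=140
        User-Name = "scott"
        MS-CHAP-Challenge = 0x0102030405060708090a0b0c0d0e0f10
        MS-CHAP2-Response = 0x0100000000000000000000000000000000000000000000000000
+- entering group authorize {...}
Found Auth-Type = MSCHAP
+- entering group MS-CHAP {...}
++[mschap] returns ok
Sending Access-Accept of id 7 to 10.0.0.2 port 1645
"""

ATTR_RE = re.compile(r"^\s*([A-Za-z0-9-]+)\s*=\s*(.*)$")
AUTH_TYPE_RE = re.compile(r"^Found Auth-Type = (\S+)")

# Request attributes each authentication method needs.  Simplified view of
# what the pap/chap/mschap/eap modules look for in "authorize" before they
# set Auth-Type themselves (mschap also wants an MS-CHAP(2)-Response).
REQUIRED = {
    "PAP": {"User-Password"},
    "CHAP": {"CHAP-Password"},
    "MSCHAP": {"MS-CHAP-Challenge"},
    "EAP": {"EAP-Message"},
}


def parse_debug(text):
    """Return (request attribute names, Auth-Type found, reply code or None)."""
    attrs, auth_type, reply = set(), None, None
    in_request = False
    for line in text.splitlines():
        if line.startswith("rad_recv: Access-Request"):
            in_request = True
            continue
        if line.startswith("+- entering group"):
            in_request = False  # end of the dumped packet attributes
        m = ATTR_RE.match(line)
        if in_request and m:
            attrs.add(m.group(1))
        m = AUTH_TYPE_RE.match(line)
        if m:
            auth_type = m.group(1).upper()
        if line.startswith("Sending Access-"):
            reply = line.split()[1]
    return attrs, auth_type, reply


def native_methods(attrs):
    """Methods for which the request actually carries credentials."""
    return sorted(m for m, need in REQUIRED.items() if need <= attrs)


def diagnose(text):
    """Explain a forced Auth-Type that cannot work for this request, else None."""
    attrs, auth_type, reply = parse_debug(text)
    carried = native_methods(attrs)
    if auth_type is None:
        return "no Auth-Type was selected in authorize"
    if auth_type in carried:
        return None  # the selected Auth-Type matches the credentials sent
    missing = sorted(REQUIRED.get(auth_type, set()) - attrs)
    return ("Auth-Type %s needs %s but the request carries credentials for %s "
            "(reply: %s): Auth-Type is being forced rather than set by the "
            "module that matched the request" % (auth_type, missing, carried, reply))
```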


RE: Windows Pre-Login Auth

2011-09-10 Thread Scott Hughes
 -Original Message-
 From: Arran Cudbard-Bell [mailto:a.cudba...@freeradius.org]
 Sent: Saturday, September 10, 2011 11:36 AM
 To: sc...@renshawauto.net; FreeRadius users mailing list
 Subject: Re: Windows Pre-Login Auth
 
 
 
  I think the line above (in the radius -X output) that reads, [mschap]
  No MS-CHAP-Challenge in the request may be causing the issue (i.e. -
  not testing it properly for MS-Chap - sending a cleartext username and
  password instead of what the MS-Chap module expects?).
 
 You hardcoded Auth-Type := MS-CHAP didn't you? You know how the wiki
 and the users file and numerous posts on the mailing list say that setting
 Auth-Type manually is wrong? You might want to follow their advice...
 
 
  Any assistance would be greatly appreciated. I have and am continuing
  to scour the internet for anything that might fix this issue.
 
 http://wiki.freeradius.org/NTLM-Auth-with-PAP-HOWTO
 
 -Arran
 
 Arran Cudbard-Bell
 a.cudba...@freeradius.org
 
 RADIUS - Waging war on ignorance and apathy one Access-Challenge at a
 time.

Thank you for the reply Arran. Yes, I did hard code the Auth-Type as
instructed for test purposes. I commented the hard-coding out and still have
the same results as above.

Thanks,
Scott


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


RE: Windows Pre-Login Auth

2011-09-10 Thread Scott Hughes
 -Original Message-
 From: Alan T DeKok [mailto:al...@freeradius.org]
 Sent: Saturday, September 10, 2011 12:22 PM
 To: sc...@renshawauto.net; FreeRadius users mailing list
 Subject: Re: Windows Pre-Login Auth
 
 Scott Hughes wrote:
  Thank you for the reply Arran. Yes, I did hard code the Auth-Type as
  instructed for test purposes. I commented the hard-coding out and
  still have the same results as above.
 
   See the Wiki for examples of how to configure AD login with FreeRADIUS.
 
   See also my web page: http://deployingradius.com
 
   This is documented, and it works.
 
   Alan DeKok.

Will do.  Thanks Alan.

Scott


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
Hello all,

I have been using FreeRadius for several years now and am stuck trying to
make our Windows based wireless system authenticate PRIOR to user login.

I have searched the FreeRadius and Deploying FreeRadius sites as well as
Google, but no luck.  Here is a brief overview of my FreeRadius setup:

1)  Clients: Windows XP & Windows 7 (Professional in both cases - NO
VISTA!)

2)  Currently running FreeRadius version 2.0.5

3)  Currently authenticating users via TLS/PEAP with computer
name/username

I'm not sure what else (if anything) you might need.  I am also looking at
changing the FreeRadius setup to authenticate against our Windows 2008r2
Active Directory servers. We have one main location and two remote sites.
Currently we have only one FreeRadius server at the main site. If the VPN
connection between the main site and either / both of the remote sites goes
down, the remote sites can't authenticate. My thought was to have three
FreeRadius servers that would authenticate to the local copy of the AD.
Having said all of this, I do not want to get too many things going at one
time. I much prefer to tackle one issue at a time.

Thanks in advance for any insight you may have on either/both of these
issues.

Scott



RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
-Original Message-
From: freeradius-users-bounces+scott=renshawauto@lists.freeradius.org
[mailto:freeradius-users-bounces+scott=renshawauto@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Friday, September 09, 2011 9:21 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows Pre-Login Auth

On 09/09/2011 03:00 PM, Scott Hughes wrote:
 Hello all,

 I have been using FreeRadius for several years now and am stuck trying 
 to make our Windows based wireless system authenticate PRIOR to user
login.

 I have searched the FreeRadius and Deploying FreeRadius sites as well 
 as Google, but no luck. Here is a brief overview of my FreeRadius setup:

 1) Clients: Windows XP & Windows 7 (Professional in both cases - NO
 VISTA!)

 2) Currently running FreeRadius version 2.0.5

 3) Currently authenticating users via TLS/PEAP with computer 
 name/username


I'm not sure what you're asking here.

Pre-login auth is entirely client side. As long as FreeRADIUS can
authenticate the users, it'll just work. Have you tried it?

I assume you are using Samba/ntlm_auth to verify the PEAP/MSCHAP against
your domain?
-

My apologies for not being clear. Please ignore the second part of my post.
I simply wanted to be complete in my posting as to where I currently am
(authenticating via the users file) and where I would like to go in case it
is relevant (authenticating via Active Domain).

I am attempting to authenticate the computer name using certificates prior
to the user logging in. I have configured the certificates but I am still
not able to log in. I've tried client certificates for user name and several
variations of the computer name, but again, it did not work. I am changing
the common name in the client certificate, which is what it seems to key off
of.

Thanks,
Scott




RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
-Original Message-
From: freeradius-users-bounces+scott=renshawauto@lists.freeradius.org
[mailto:freeradius-users-bounces+scott=renshawauto@lists.freeradius.org]
On Behalf Of Phil Mayers
Sent: Friday, September 09, 2011 9:31 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Windows Pre-Login Auth

On 09/09/2011 03:21 PM, nf-vale wrote:
 On Windows 7 you can configure pre-login authentication (wireless 
 connection properties - Advanced settings) both for computer and user.
 On XP (with native windows client), I don't think that it is possible 
 to do that.

This is possible in XP SP3. I can't remember if the UI is exposed, but you
can definitely do it with group policy or netsh/XML profiles.


I am using group policy to create the profile for everyone (currently just
me) in the 'Wireless' group.

Thanks,
Scott




RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
-Original Message-
From: Michael Holstein [mailto:michael.holst...@csuohio.edu] 
Sent: Friday, September 09, 2011 10:23 AM
To: FreeRadius users mailing list
Cc: sc...@renshawauto.net
Subject: Re: Windows Pre-Login Auth


 On Windows 7 you can configure pre-login authentication (wireless 
 connection properties - Advanced settings) both for computer and 
 user. On XP (with native windows client), I don't think that it is 
 possible to do that.

   

Yes it is .. just check the box for "authenticate as computer account"
in the wireless properties (in XP). IIRC this was introduced when they finally
fixed the supplicant in SP2.

The credentials come across as COMPUTERNAME$

Regards,

Michael Holstein
Cleveland State University


Thanks for the response.  What I get in my radius.log is:  "Auth: Login
incorrect: [host/COMPUTERNAME.ad-domain.local/<via Auth-Type = EAP>] (from
client AP port 5136 cli mac address here)"

Scott





RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
-Original Message-
From: Michael Holstein [mailto:michael.holst...@csuohio.edu] 
Sent: Friday, September 09, 2011 10:23 AM
To: FreeRadius users mailing list
Cc: sc...@renshawauto.net
Subject: Re: Windows Pre-Login Auth


 On Windows 7 you can configure pre-login authentication (wireless 
 connection properties - Advanced settings) both for computer and 
 user. On XP (with native windows client), I don't think that it is 
 possible to do that.

   

Yes it is .. just check the box for "authenticate as computer account"
in the wireless properties (in XP). IIRC this was introduced when they finally
fixed the supplicant in SP2.

The credentials come across as COMPUTERNAME$

Regards,

Michael Holstein
Cleveland State University


Also, would it be better to get the AD authentication working BEFORE I attempt 
to authenticate prior to login or is it the same either way?

Thanks,
Scott





RE: LDAP Authentication bind as user issue

2011-09-09 Thread Scott Hughes
-Original Message-
From: freeradius-users-bounces+scott=renshawauto@lists.freeradius.org
[mailto:freeradius-users-bounces+scott=renshawauto@lists.freeradius.org]
On Behalf Of Michael Holstein
Sent: Friday, September 09, 2011 10:30 AM
To: FreeRadius users mailing list
Subject: Re: LDAP Authentication bind as user issue


 This way it binds anonymously, and then fails to do an ldapsearch 
 because of insufficient privs. Giving * read to all seems silly, and I 
 would rather not go that route.

 If anyone has suggestions or comments they would be greatly appreciated.
   

How I did it (assuming you're using AD as the backend) .. is just create a
user account to bind with to do the search (to locate the DN). It does not
need to be an admin user, unless you have torqued down the permissions
inside AD. This allows bind as the defined user (to search for the DN of the
stripped-user-name) and then rebind as that DN.

ldap {
    server = "mydc.foocorp.com"
    identity = "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com"
    password = "imnotgoingtotellyou"
    basedn = "dc=foocorp,dc=com"
    filter = "(&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))"
    ..
}

Cheers,

Michael Holstein
Cleveland State University
-

Michael,

Would this work if my AD users were in different OUs?  I have my users
broken out into respective location and department OUs.  Such as user FOO
is in both an OU of KY-Sales AND an OU of KY. They are not under the normal
'users' area.

Thanks,
Scott
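The bind-as-service-account, search, then rebind flow from the reply above, as an added example in Python (not FreeRADIUS or Michael's code): it runs the exchange against a constructed three-entry directory in which user foo lives under OU=KY-Sales,OU=KY, showing that a subtree search from basedn locates the entry whatever OU holds it. Everything in DIRECTORY and CONFIG is constructed, the realm stripping is a simplification of the suffix module, and the filter is expanded with RFC 4515 escaping so a crafted User-Name cannot change the filter's structure.

```python
# RFC 4515 escapes for the characters that would change a filter's structure.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def ldap_filter_escape(value):
    """Escape a value before interpolating it into an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(c, c) for c in value)


def stripped_user_name(user_name):
    """Stripped-User-Name as realm handling would set it for user@realm;
    None when there is no '@' (simplification: the real suffix module only
    strips realms it has been told about)."""
    return user_name.rsplit("@", 1)[0] if "@" in user_name else None


def build_filter(user_name):
    """Expand (&(objectCategory=person)(sAMAccountName=%{%{Stripped-User-Name}:-%{User-Name}}))."""
    stripped = stripped_user_name(user_name)
    name = stripped if stripped is not None else user_name
    return "(&(objectCategory=person)(sAMAccountName=%s))" % ldap_filter_escape(name)


# Constructed stand-in for the directory: DN -> (sAMAccountName, password).
# The user "foo" sits two OUs deep, as in the question above.
DIRECTORY = {
    "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com": ("ldapsvc", "svc-secret"),
    "CN=Foo User,OU=KY-Sales,OU=KY,DC=foocorp,DC=com": ("foo", "foo-pass"),
    "CN=Bar User,OU=TN,DC=foocorp,DC=com": ("bar", "bar-pass"),
}

# Mirrors the ldap { } section in the reply (constructed credentials).
CONFIG = {
    "identity": "CN=LDAP Account,OU=whatever,OU=Domain Users,DC=foocorp,DC=com",
    "password": "svc-secret",
    "basedn": "dc=foocorp,dc=com",
}


def simple_bind(dn, password):
    """Stand-in for an LDAP simple bind: True only if the DN exists and the password matches."""
    entry = DIRECTORY.get(dn)
    return entry is not None and entry[1] == password


def subtree_search(basedn, sam_account_name):
    """Subtree search from basedn: matches an entry in any OU below the base."""
    return [dn for dn, (name, _) in DIRECTORY.items()
            if dn.lower().endswith(basedn.lower()) and name.lower() == sam_account_name.lower()]


def authenticate(cfg, user_name, user_password):
    """Bind as the service identity, locate the user's DN, then rebind as that DN."""
    if not simple_bind(cfg["identity"], cfg["password"]):
        return (False, "service account bind failed")
    stripped = stripped_user_name(user_name)
    sam = stripped if stripped is not None else user_name
    matches = subtree_search(cfg["basedn"], sam)
    if len(matches) != 1:
        # Zero or several matches: never guess which DN to bind as.
        return (False, "expected exactly one entry, found %d" % len(matches))
    user_dn = matches[0]
    if not simple_bind(user_dn, user_password):
        return (False, "user bind failed for %s" % user_dn)
    return (True, user_dn)
```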




RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
 -Original Message-
 From: freeradius-users-
 bounces+scott=renshawauto@lists.freeradius.org [mailto:freeradius-
 users-bounces+scott=renshawauto@lists.freeradius.org] On Behalf Of
 Phil Mayers
 Sent: Friday, September 09, 2011 10:39 AM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Windows Pre-Login Auth
 
 On 09/09/2011 04:23 PM, Scott Hughes wrote:
 
  Also, would it be better to get the AD authentication working BEFORE I
  attempt to authenticate prior to login or is it the same either way?
 
 AD auth is a pre-requisite for machine auth. So yes, it would be better to
 do that first!
 
 (Please make your email client quote in the standard way!)

Better on the quoting?

Thanks,
Scott



RE: Windows Pre-Login Auth

2011-09-09 Thread Scott Hughes
 -Original Message-
 From: freeradius-users-
 bounces+scott=renshawauto@lists.freeradius.org [mailto:freeradius-
 users-bounces+scott=renshawauto@lists.freeradius.org] On Behalf Of
 Commonn Systems
 Sent: Friday, September 09, 2011 4:54 PM
 To: freeradius-users@lists.freeradius.org
 Subject: Re: Windows Pre-Login Auth
 
 Once you have Samba and AD talking via winbind, it is pretty
straightforward.
 You can configure all the machines via Group Policy. I have used this post,
 pretty much to the T:
 http://lists.cistron.nl/pipermail/freeradius-users/2009-March/msg00231.html
 
 Good luck
 

Thanks!!

Scott




RE: Re: New Server Build

2007-03-23 Thread Scott Hughes
Alan,

The only thing in the database is the userid and
password. I put nothing else in.

I believe it has to do with my Default Auth-Type
setting in the Users file. 


Thank you,

Scott 



--- Original Message ---
From: Alan DeKok[mailto:[EMAIL PROTECTED]
Sent: 3/23/2007 1:39:03 AM
To  : [EMAIL PROTECTED];
freeradius-users@lists.freeradius.org
Cc  : 
Subject : RE: Re: New Server Build

 Scott Hughes wrote:
..
 The DB structure is:  8 tables as follows: nas,
 radacct, radcheck, radgroupcheck, radgroupreply,
 radpostauth, radreply, usergroup.

  Yes... but what's *in* the DB?  What attributes, operators, and values
are there, that you expect to match?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




RE: Re: New Server Build

2007-03-23 Thread Scott Hughes
Alan,

Found the problem.  The database was saving the
password in some kind of hash instead of clear-text.
Once I manually changed the password to clear-text,
I got an Auth-Accept response from the server.

Now onto the EAP-TTLS & client configurations.

Thanks again Alan.

Scott



--- Original Message ---
From: Alan DeKok[mailto:[EMAIL PROTECTED]
Sent: 3/23/2007 1:39:03 AM
To  : [EMAIL PROTECTED];
freeradius-users@lists.freeradius.org
Cc  : 
Subject : RE: Re: New Server Build

 Scott Hughes wrote:
..
 The DB structure is:  8 tables as follows: nas,
 radacct, radcheck, radgroupcheck, radgroupreply,
 radpostauth, radreply, usergroup.

  Yes... but what's *in* the DB?  What attributes, operators, and values
are there, that you expect to match?

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog




RE: New Server Build

2007-03-22 Thread Scott Hughes
Alan,

Thanks for the reply.

I am using the 'radtest' utility.  The actual command
I am typing (from the command line of the server
itself) is: "radtest test1 test1 192.168.1.5:1812 0
testing123".  I am attempting to make sure
everything is okay on the server itself, before
attempting to connect to the server with a client.

The DB structure is:  8 tables as follows: nas,
radacct, radcheck, radgroupcheck, radgroupreply,
radpostauth, radreply, usergroup.

Scott


Scott Hughes wrote:
 When I run the radtest utility that comes with FR,
I get an access-reject, even though the user is in
the radius database. Running FR with the -X
parameter, it does appear to be checking the database.

 Am I testing correctly for this type of FR & MySQL
setup?

Likely, yes.

What's in the DB, and what kinds of packets are you
sending for tests?

Alan DeKok.
-- 
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog




New Server Build

2007-03-21 Thread Scott Hughes
Hello All,

I am attempting to build a new and different FR server than I currently use.

The new one is running the latest FR release and MySql.  I am also running the 
dialup admin software.

Before I attach a bunch of logs and eat up bandwidth, I want to make sure that 
I am testing correctly.

When I run the radtest utility that comes with FR, I get an access-reject, even
though the user is in the radius database.  Running FR with the -X parameter,
it does appear to be checking the database.

Am I testing correctly for this type of FR & MySQL setup?

Thanks in advance,

Scott

  


Re: version 2

2007-03-17 Thread Scott Hughes
Tease!!  ;)


  

-Original Message-
From: Alan DeKok [EMAIL PROTECTED]
Date: Sat, 17 Mar 2007 17:46:18 
To:FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: version 2

Norbert Wegener wrote:
 On http://wiki.freeradius.org/Fail-over
 I find an interesting feature, that would be very useful in some 
 configurations:
...
 As mentioned there, it is available in version 2 of the server.
 Is it already foreseeable, when approximately the version 2 of 
 freeradius will be available?

  Soon.  I know I've been saying that for a while (too long now), but it
looks pretty good.  I have some code that has cleaned up a lot of the
odd things in the server core, so I'm much more comfortable releasing a 2.0.

  So far, the features look like:

  - if/then/else in radiusd.conf
  - full IPv6 support
  - much more stable handling of home servers
  - separation of realms from home servers
  - addition of home server pools, for failover & load balancing
  - magic feature 1
  - magic feature 2
  - :)

  I won't say what the magic features are.  One will cause mild
surprise.  The other will cause great surprise.  My plan right now is to
test the code privately with a few early adopters who are sworn to
secrecy.  Once it looks like it works, the code will be made public, and
a 2.0-pre0 will be announced.

  From my research on Google, the features will quadruple FreeRADIUS's
potential install base.  The features will also enable network
administrators to do things that are currently impossible to do with
open source software.

  And it looks like it's only 3k-4k lines of code. :)

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



Re: Simple security

2007-02-15 Thread Scott Hughes
Thanks Jeremy.

I've been doing various searches for practical examples of 802.1x in a LAN 
setting and haven't found anything yet.  Have you?


  

-Original Message-
From: Gaddis, Jeremy L. [EMAIL PROTECTED]
Date: Thu, 15 Feb 2007 00:07:42 
To:FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Simple security

On Wed, 14 Feb 2007, Scott Hughes wrote:
 I have a friend that wants some light security on the small network they have
 (15-25 PCs).

 What is the best way to secure his network so that someone can't just plug in 
 his laptop and be on the network?  He would prefer to make this seamless to 
 his users.

802.1X

-- 
Jeremy L. Gaddis, MCP, GCWN [EMAIL PROTECTED]
LinuxWiz Consulting http://linuxwiz.net





Simple security

2007-02-14 Thread Scott Hughes
I have a friend that wants some light security on the small network they have
(15-25 PCs).

What is the best way to secure his network so that someone can't just plug in 
his laptop and be on the network?  He would prefer to make this seamless to his 
users.

Thanks

  


New Setup

2006-12-18 Thread Scott Hughes
I am looking to change my freeradius setup.  I would
like to use EAP-TTLS, MySQL, and dialup-admin.  All
of these are installed and functioning.

Is there a HOWTO, web page, etc. that will guide me on
this?

Thanks,

Scott




(no subject)

2006-12-01 Thread Scott Hughes
Greetings:

Are there any open source wireless clients for Windows based (2000 & XP)
machines, rather than using what comes with the wireless hardware?

Thank you,

Scott




RE: (no subject)

2006-12-01 Thread Scott Hughes
Thanks for the link Stefan.

I am having a problem with our wireless clients re-authenticating
(non-radius issue I believe) anywhere from a few seconds, to four minutes,
to a few hours.  The client is NOT moving.  This is a simple design of Cisco
1231 APs and laptop/desktop clients.  Strange.

Also, I am under the understanding that EAP-TLS does NOT require a client
side cert, and EAP-TTLS DOES require a client side cert.  Is this correct or
is my thinking backwards?  I am only interested in a server side cert.

Scott


-Original Message-
From: Stefan Winter [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 01, 2006 9:54 AM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: (no subject)

Hi,

 Are there any open source wireless clients for Windows based (2000 & XP)
 machines, rather than using what comes with the wireless hardware?

Several. My favourite is at http://www.securew2.com.

Stefan

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]    Tel.: +352 424409-1
http://www.restena.lu        Fax:  +352 422473




Re: EAP questions

2006-12-01 Thread Scott Hughes
Alan,

I have tested the signal strength possibility and that is not the issue.  

Either the client or the AP is causing the disconnect / reconnect.  This quite 
frequently results in the user being disconnected from various applications 
(but not always).

Scott

  

-Original Message-
From: Alan DeKok [EMAIL PROTECTED]
Date: Fri, 01 Dec 2006 09:50:21 
To:[EMAIL PROTECTED], FreeRadius users mailing list 
freeradius-users@lists.freeradius.org
Subject: EAP questions

Scott Hughes wrote:

 I am having a problem with our wireless clients re-authenticating
 (non-radius issue I believe) anywhere from a few seconds, to four minutes,
 to a few hours.  The client is NOT moving.  This is a simple design of Cisco
 1231 APs and laptop/desktop clients.  Strange.

  They may be losing connectivity to the NAS (i.e. wireless problems).
When that happens, they re-authenticate.

 Also, I am under the understanding that EAP-TLS does NOT require a client
 side cert, and EAP-TTLS DOES require a client side cert.  Is this correct or
 is my thinking backwards?  I am only interested in a server side cert.

  Then use TTLS.  TLS requires a client cert.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog



Question

2006-08-08 Thread Scott Hughes

I've searched around for a few weeks now and can't
seem to find a clear answer to this question:

Does Freeradius have the ability to use multiple nodes in
similar fashion to name servers? An example of this would be a situation when
the master freeradius server is down for some reason, but the slave freeradius
server(s) continue to grant & deny access but do not receive any updates
until the master is back up.

Also, if there are any HOWTO or example configurations of
this type of setup, those would be very helpful.

Thanks in advance,

Scott









RE: Question

2006-08-08 Thread Scott Hughes
Thanks for the great answers.  To clarify the updates part of my original
message, I was referring to when a new user was added.  In other words, like
a DNS structure, when a new entry into a domain is added (i.e. new mail
server), the admin would add it to the master server, then that master
server would send the update to the slave servers.

Stefan actually answered that question when he made the following comment:
"Just setup the server twice (ideally both using _one_ authentication
backend, e.g. a mySQL db on a different host that both can access) and tell
your client devices about it."

Thanks again!

Scott


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of Dennis Skinner
Sent: Tuesday, August 08, 2006 12:58 PM
To: FreeRadius users mailing list
Subject: Re: Question

Scott Hughes wrote:
 Does Freeradius have the ability to use multiple nodes in similar
 fashion to name servers?  An example of this would be a situation when
 the master freeradius server is down for some reason, but the slave
 freeradius server(s) continue to grant & deny access but do not receive
 any updates until the master is back up.

Yes, radius does this, but it is done on the client end which is why you
can't find any docs for it.  Clients are generally setup with primary
and secondary radius servers that they talk to.  When they don't hear
from one within a set time, they try the other.

Radius servers can also proxy to other radius servers (ie act as client)
so have a look at the proxy.conf file.  That may answer some of your
questions.

Not sure what you mean by updates... do you mean accounting requests?
See the proxy.conf.  You can send accounting requests wherever you want.
 Generally they go to the same server as the auth requests and fail over
to secondary just like auth.

Keep in mind that radius accounting is not guaranteed.  We are talking
UDP and while there is some checking, accounting requests can get lost.
 So if the primary server is the only one to accept accounting requests,
if that server goes down, you will have missing data.  The client won't
store them and wait for the primary to come back.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com



RE: Re: PEAP Auth

2006-06-22 Thread Scott Hughes
The exact error is:

rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object 
file: No such file or directory radiusd.conf[9]: eap: Module instantiation 
failed. 


The entire startup log is here:


Starting - reading configuration files ...
Using deprecated naslist file.  Support for this will go away soon.
Module: Loaded exec 
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
Module: Instantiated mschap (mschap) 
Module: Loaded System 
Module: Instantiated unix (unix) 
Module: Loaded eap 
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
rlm_eap: Loaded and initialized type gtc
rlm_eap: Failed to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object 
file: No such file or directory
radiusd.conf[9]: eap: Module instantiation failed. 

Thanks,

Scott



--- Original Message ---
From: Stefan Winter[mailto:[EMAIL PROTECTED]
Sent: 6/22/2006 12:51:54 AM
To  : [EMAIL PROTECTED]; freeradius-users@lists.freeradius.org
Cc  : 
Subject : RE: Re: PEAP Auth

 Hi,

 Freeradius.  I still get the same error message on startup regarding no
 file for TLS.

 I have searched the Debian site, the Freeradius site, and the web in
 general and cannot seem to find out how to fix this.

 Does anyone know?

How should we? You don't even tell us what the error is. "OMG, an error!" is
not enough to effectively help you.
Please stick to the common, well-documented process of posting your log files.

Greetings,

Stefan Winter

-- 
Stefan WINTER

Stiftung RESTENA - Réseau Téléinformatique de l'Education Nationale et de
la Recherche
Research & Development Engineer

6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg
E-Mail: [EMAIL PROTECTED]    Tel.: +352 424409-1
http://www.restena.lu        Fax:  +352 422473




Debian TLS support

2006-06-22 Thread Scott Hughes



Hello,

I think in my last request to the list I wasn't
quite clear as to the information I was trying to find. I'll try again and
sorry for any toes that were stepped on.

When I install Freeradius (after installing 
OpenSSL) I get this message when starting Freeradius: 

rlm_eap: Failed 
to link EAP-Type/tls: rlm_eap_tls.so: cannot open shared object file: No such 
file or directory radiusd.conf[9]: eap: Module instantiation 
failed

I have tried downloading and compiling the 
Freeradius source (Freeradius-1.1.2.tar.gz) and have the same 
error.

I understand why this is (licensing issues) and I 
have searched this list AND the web for any information as to how to make 
Freeradius work with Debian using TLS. I found a lot of discussion about 
it, but nothing concrete for someone like myself who is not deeply familiar with 
Linux.

Is there a HOWTO for example on how a person can do
what I am trying to do? Do I need to move off of Debian and onto
something else?

Thanks in advance for any links and/or information 
that anyone can provide.


PEAP Auth

2006-06-21 Thread Scott Hughes
Hello,

I am attempting to 
use the latest Debian build with Freeradius and cannot seem to get PEAP/TLS/TTLS 
to work. I have even gone as far as reloading the box fresh and installing 
the sources of OpenSSL and then Freeradius. I still get the same error 
message on startup regarding no file for TLS.

I have searched the 
Debian site, the Freeradius site, and the web in general and cannot seem to find 
out how to fix this.

Does anyone 
know?

Thanks.
