Re: Pre release of 2.1.12

2011-09-02 Thread ironrake
It is running on one of my production servers. So far no problems, but it has 
only run for a few hours.
Sent from Verizon Wireless

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: LEAP Authentication?

2011-06-29 Thread ironrake
Aironet 350. I pity you and your users.
Sent from Verizon Wireless

-Original Message-
From: pesho pesho.tmp.m...@gmail.com
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Wed, 29 Jun 2011 15:05:17 
To: freeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: LEAP Authentication?

It does. It is an Aironet 350 device and it has internal RADIUS as well, which
we are able to authenticate against (using LEAP).




Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread ironrake
In my shop I see a mix of domain and non-domain machines. Each type will send 
machine or user\localmachine for the user's name depending on the configuration of 
the Windows supplicant. Avoid having users log on to domain machines with local 
user accounts unless you have configured the Windows supplicant away from the 
default. Do the same with non-domain machines.

Here I check for the form \full.windows.domain.name. If this is present, I 
use ntlm-auth. If it is not, I strip off the \host part in the inner tunnel 
and use that as a user in an ldap store which has mschap password hashes. In 
most cases this works for domain machines where users are logging in with local 
accounts or logging in locally with cached user credentials. The rest show up 
at the help desk. I am excited about the mschap patches talked about in recent 
posts.
Sent from Verizon Wireless

-Original Message-
From: Phil Mayers p.may...@imperial.ac.uk
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 30 May 2011 14:55:03 
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Error: User-Name is not the same as MS-CHAP name

On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:

There's no guarantee that STAFF\john and STUDENT\john are the same 
person; you can't just ignore the fact that the client has changed 
their username.

True.  But I don't think it is possible to send a different Username in 
EAP-Identity and MSChap Username in the same EAP session since the 
second is derived from the first.  I have seen such a setup where you have 
two domains; RADIUS would use the Realm to differentiate the two.

For a legit client, yes. A malicious client can send anything it wants.


Is there a way we could work around this hard-coded check since in our 
case, we only have one john?

Sure; the check is just one line; grep the source code for it and 
comment it out.

What I really want to understand is, whether the check is too strict and 
FreeRADIUS should be fixed, or whether Windows XP is just buggy. I will 
try to check this tomorrow.

e.g. maybe the check should be:

if eap.username == mschap.username:
  ok
elif not mschap.domain:
  if eap.stripped-user-name == mschap.username:
    ok
  reject
else:
  reject

I will try to investigate this tomorrow when I get back to the office.
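The relaxed check sketched in the reply above, written out as an added Python example so each case can be run; this is not FreeRADIUS source and not code from anyone on the list. The DOMAIN\user split rule, the function names and the "ok"/"reject" results are my assumptions.

```python
# Added example, not FreeRADIUS source: the relaxed User-Name vs MS-CHAP
# name check proposed above, with the DOMAIN\user handling spelled out.
# Function names, the split rule and the "ok"/"reject" results are assumed.

def split_domain(name):
    """Split 'DOMAIN\\user' into (domain, user); a bare name gives ('', name)."""
    domain, sep, user = name.partition("\\")
    if not sep:
        return "", name
    return domain, user


def mschap_name_check(eap_username, mschap_username):
    """Return 'ok' or 'reject' for an (EAP-Identity, MS-CHAP name) pair.

    1. Identical names are accepted, as the existing strict check does.
    2. If the MS-CHAP name carries no domain, compare it with the EAP
       identity after stripping the domain (the Stripped-User-Name idea).
    3. A domain-qualified MS-CHAP name that differs is rejected, so
       STAFF\\john cannot be turned into STUDENT\\john inside the tunnel.
    """
    if eap_username == mschap_username:
        return "ok"
    mschap_domain, _ = split_domain(mschap_username)
    if not mschap_domain:
        _, stripped = split_domain(eap_username)
        if stripped == mschap_username:
            return "ok"
        return "reject"
    return "reject"


# Constructed sample pairs. Note that a bare inner name matches whichever
# domain the outer identity named, so the realm chosen from the outer
# identity is what must decide where the credentials are checked.
SAMPLE_PAIRS = [
    ("john", "john"),
    ("STAFF\\john", "john"),
    ("STAFF\\john", "STUDENT\\john"),
    ("john", "STAFF\\john"),
]

if __name__ == "__main__":
    for eap_name, mschap_name in SAMPLE_PAIRS:
        verdict = mschap_name_check(eap_name, mschap_name)
        print(f"{eap_name!r:18} {mschap_name!r:18} -> {verdict}")
```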


Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread ironrake
Check some basic stuff too. Make sure your radius user can run ntlm_auth.
Sent from Verizon Wireless

-Original Message-
From: Phil Mayers p.may...@imperial.ac.uk
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Tue, 10 May 2011 09:55:54 
To: freeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7

On 05/09/2011 10:55 PM, Gary Gatten wrote:

 Exec-Program output: Logon failure (0xc06d)
 Exec-Program-Wait: plaintext: Logon failure (0xc06d)
 Exec-Program: returned: 1
 [mschap] External script failed.
 [mschap] FAILED: MS-CHAP2-Response is incorrect
 ++[mschap] returns reject

You've trimmed the debug output, so we can't see what the problem is. 
Don't do that.

 In the PEAP properties, EAP-MSCHAP v2, if you DISABLE “automatically use
 my windows logon name and password” and instead enter the credentials
 manually it works.

Are the machines domain members?

 I should note, it appears the Aruba gear is terminating the PEAP – FR
 only sees an MSCHAP request.

DEFINITELY don't do that!

Is it passing the PEAP inner as EAP-MSCHAPv2 or plain MS-CHAPv2?


Re: FreeRADIUS exiting with Signal 11 on FreeBSD

2010-12-22 Thread ironrake
It started for me at FreeBSD 7.2 and has continued through 8.1 for both 
Freeradius 2 from the ports collection and from the official tar file source 
distribution. My server is lightly loaded and not really a production system so 
I've not run it under gdb. I use the standard kernel scheduler. The user I run 
freeradius as has a default login class. The parent process will always die 
with this message just after a successful authentication is logged.
Sent from Verizon Wireless



Re: configure output summary

2010-11-19 Thread ironrake
But newcomers aren't that trained yet.

Perhaps you should change your course material?
Sent from Verizon Wireless



Re: convert MAC addresses to lower case

2010-09-20 Thread ironrake
I believe there is a lower() function you can use in the SQL statement.
Sent from Verizon Wireless

-Original Message-
From: PENZ Robert robert.p...@tirol.gv.at
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 20 Sep 2010 14:11:14 
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: convert MAC addresses to lower case

Hi!

I'm running

# rpm -qa | grep radius
freeradius2-mysql-2.1.7-7.el5
freeradius2-2.1.7-7.el5
freeradius2-python-2.1.7-7.el5
freeradius2-utils-2.1.7-7.el5

and I have different switch types. Some send the MAC address in lower case, the 
others in upper case. For switches which send it in lower case it works (as the 
MACs are stored lower case in the db). How can I convert them all in the clear 
text password attribute to lower case? The attr_rewrite module looks good, but 
the only way I see is to have 6 rewrite rules each replacing one letter, and 
that seems inefficient. The matching in the SQL database works case insensitive 
and returns a row, but the pap check logs the following:

rlm_sql (sql): Released sql socket id: 1
+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
++[pap] returns updated
Found Auth-Type = PAP
+- entering group PAP {...}
[pap] login attempt with password 0025B3A013AA
[pap] Using clear text password 0025b3a013aa
[pap] Passwords don't match
++[pap] returns reject
Failed to authenticate the user.

I tried to remove pap but then I get the following

+++[sql] returns ok
++- policy redundant returns ok
++[expiration] returns noop
++[logintime] returns noop
WARNING: Please update your configuration, and remove 'Auth-Type = Local'
WARNING: Use the PAP or CHAP modules instead.
User-Password in the request does NOT match known good password.
Failed to authenticate the user.

Hope someone can help me. Thx!

Kind regards
Robert Penz


Dipl. Inf. Robert Penz
DVT-Daten-Verarbeitung-Tirol GmbH
Adamgasse 22, 6020 Innsbruck
Tel: +43 512 508 3334 / Fax: +43 512 508 3355
eMail: robert.p...@tirol.gv.at

