login to domain with EAP-TLS

2007-03-06 Thread kemas
hi everyone,

How do I make XP connect to the AP so it can log on to the Samba
PDC?

It seems that XP makes the wireless connection after a user logs in to the box
when using EAP-TLS.

Is there a way to solve this?
I read about something using machine auth or machine certificates.

thanks


- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: failed login accounting with dialup admin

2007-02-01 Thread kemas
Update: my fault, because I did not RTFM first.

I added another sql instance to sql.conf:

sql sql_failed_reject {
    driver = "rlm_sql_mysql"
    server = "localhost"
    login = "xxx"
    password = "xxx"
    radius_db = "radius"
    postauth_table = "radpostauth"
    authcheck_table = "radcheck"
    authreply_table = "radreply"
    groupcheck_table = "radgroupcheck"
    groupreply_table = "radgroupreply"
    usergroup_table = "usergroup"
    nas_table = "nas"
    # Any character outside this set is escaped before it is put into a query,
    # so attribute values (User-Name, Calling-Station-Id, ...) cannot break out
    # of the quoted literals below.
    safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
    acct_table1 = "radacct"
    num_sql_socks = 3
    connect_failure_retry_delay = 60
    # Write the reject into radacct (the table the dialup admin failed-login
    # page reads) instead of radpostauth. Packet-Type goes into
    # acctterminatecause; a reject carries no accounting attributes, so the
    # session and delay times default to 0 and start time equals stop time.
    postauth_query = "INSERT into ${acct_table1} (radacctid, username, nasipaddress, nasportid, acctterminatecause, acctstarttime, acctstoptime, callingstationid, servicetype, framedprotocol, framedipaddress, acctauthentic) values ('', '%{User-Name}', '%{NAS-IP-Address}', '%{NAS-PORT}', '%{reply:Packet-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} + %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Calling-Station-Id}', '%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', '%{Acct-Authentic}')"
}

Then I put sql_failed_reject into the post-auth section in radiusd.conf:

post-auth {
    #  Get an address from the IP Pool.
    #   main_pool
    reply_log
    # successful logins still go through the normal sql instance
    sql
    #   sql_log
    #   ldap
    # rejects go through the second instance, which writes to radacct
    Post-Auth-Type REJECT {
        #insert-module-name-here
        #sql
        sql_failed_reject
    }
}

Modify the dialup admin failed-login page to check for Access-Reject.

That's it; now I can see failed users in dialup admin.


Thanks for FreeRADIUS.

===



On Wed, 2007-01-31 at 19:42 +0700, kemas wrote: 
> I have a small accounting problem with freeradius and dialup admin which
> I can't find a way to solve.
> 
> I've set freeradius to authenticate EAP-TLS. I want to log people who
> fail to authenticate to mysql with rlm_sql, which will show on the dialup
> admin failed login page.
> 
> I put the sql module in the radiusd.conf post-auth section:
>     Post-Auth-Type REJECT {
>         #insert-module-name-here
>         sql
>     }
> 
> the post-auth query in sql.conf:
>     postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"
> 
> 
> the sql query runs well, it puts the failed login into the radpostauth
> table, but the dialup admin failed login page searches the radacct
> table for the failed user, which it will never find there.
> 
> am I doing it the right way by putting the sql module inside post-auth? or
> should I put it in another section?
> 
> I don't want to change the postauth_query, but is there any way to add
> another query to put the data into the radacct table?
> 
> thanks in advance
> 
> 
> 
> 
> 
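What the sql_failed_reject instance above actually sends to MySQL is easier to see with the expansion written out. The following is an added example, not code from this thread or from FreeRADIUS: a small Python model of rlm_sql's query expansion as I understand it for the 1.x series (%S is the request timestamp in SQL format, %{Attr:-default} falls back to the literal default when the attribute is absent, and every expanded value is filtered through safe-characters, with any other byte rewritten as =XX). The Access-Request attributes, the reply and the timestamp are constructed sample data. It shows why a reject, which carries no accounting attributes, still produces a valid DATE_SUB(...) expression, and why a User-Name crafted to close the quoted literal cannot change the INSERT.

```python
"""Model of rlm_sql (FreeRADIUS 1.x) query expansion for the post's
postauth_query.  Added example, not FreeRADIUS code: the =XX escaping and %S
handling follow rlm_sql's documented behaviour; the request, reply and
timestamp below are constructed sample data."""
import re
from datetime import datetime

# Verbatim from the sql_failed_reject instance in the post
SAFE_CHARACTERS = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
POSTAUTH_QUERY = (
    "INSERT into radacct (radacctid, username, nasipaddress, nasportid, "
    "acctterminatecause, acctstarttime, acctstoptime, callingstationid, "
    "servicetype, framedprotocol, framedipaddress, acctauthentic) values "
    "('', '%{User-Name}', '%{NAS-IP-Address}', '%{NAS-PORT}', "
    "'%{reply:Packet-Type}', DATE_SUB('%S', INTERVAL (%{Acct-Session-Time:-0} "
    "+ %{Acct-Delay-Time:-0}) SECOND), '%S', '%{Calling-Station-Id}', "
    "'%{Service-Type}', '%{Framed-Protocol}', '%{Framed-IP-Address}', "
    "'%{Acct-Authentic}')"
)

# %{Attr}, %{reply:Attr} and %{Attr:-default}
XLAT = re.compile(
    r"%\{(?:(?P<list>reply|request):)?(?P<attr>[A-Za-z0-9-]+)"
    r"(?::-(?P<default>[^}]*))?\}"
)


def sql_escape(value, safe=SAFE_CHARACTERS):
    """rlm_sql's escape: each byte outside safe-characters becomes =XX (hex)."""
    return "".join(
        chr(b) if chr(b) in safe else "=%02X" % b
        for b in str(value).encode("utf-8")
    )


def expand_query(template, request, reply, when):
    """Expand %S and %{...} the way rlm_sql does before the query is run.

    Attribute names match case-insensitively (so %{NAS-PORT} finds NAS-Port);
    a missing attribute with no :-default expands to ''.  The default is
    treated as a literal string, a simplification of the real xlat code.
    """
    req = {k.lower(): v for k, v in request.items()}
    rep = {k.lower(): v for k, v in reply.items()}

    def substitute(m):
        source = rep if m.group("list") == "reply" else req
        value = source.get(m.group("attr").lower())
        if value is None:
            value = m.group("default") or ""
        return sql_escape(value)

    # %S: request timestamp in SQL format (1.x xlat)
    sql = template.replace("%S", when.strftime("%Y-%m-%d %H:%M:%S"))
    return XLAT.sub(substitute, sql)


def failed_login_row(user_name):
    """Build the INSERT rlm_sql would run for an Access-Reject of user_name."""
    request = {  # constructed Access-Request from a sample AP
        "User-Name": user_name,
        "NAS-IP-Address": "192.0.2.10",
        "NAS-Port": "1",
        "Calling-Station-Id": "00-11-22-33-44-55",
        "Service-Type": "Framed-User",
    }
    reply = {"Packet-Type": "Access-Reject"}  # what %{reply:Packet-Type} yields
    when = datetime(2007, 1, 31, 19, 42, 0)   # constructed request time
    return expand_query(POSTAUTH_QUERY, request, reply, when)


if __name__ == "__main__":
    print(failed_login_row("alice"))
    # a User-Name built to close the quoted literal is neutralised by safe-characters
    print(failed_login_row("x'; DROP TABLE radacct; --"))
```

Because Framed-Protocol, Framed-IP-Address and Acct-Authentic are never present on a rejected request, those columns end up as empty strings; if the dialup admin page filters on any of them, that is where to look first.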


failed login accounting with dialup admin

2007-01-31 Thread kemas
I have a small accounting problem with freeradius and dialup admin which
I can't find a way to solve.

I've set freeradius to authenticate EAP-TLS. I want to log people who
fail to authenticate to mysql with rlm_sql, which will show on the dialup
admin failed login page.

I put the sql module in the radiusd.conf post-auth section:
    Post-Auth-Type REJECT {
        #insert-module-name-here
        sql
    }

the post-auth query in sql.conf:
    postauth_query = "INSERT into ${postauth_table} (id, user, pass, reply, date) values ('', '%{User-Name}', '%{User-Password:-Chap-Password}', '%{reply:Packet-Type}', NOW())"


the sql query runs well, it puts the failed login into the radpostauth
table, but the dialup admin failed login page searches the radacct
table for the failed user, which it will never find there.

am I doing it the right way by putting the sql module inside post-auth? or
should I put it in another section?

I don't want to change the postauth_query, but is there any way to add
another query to put the data into the radacct table?

thanks in advance







Re: EAP-TLS certificate question

2007-01-17 Thread kemas
On Wed, 2007-01-17 at 13:36 +0100, Alan DeKok wrote:
> kemas wrote:
> > Hi all,
> > 
> > I've installed freeradius-1.1.3 and use it with an AP Aironet 1100 doing EAP-TLS,
> > and it works very well.
> > I'm still confused about certificates: can all client certificates created
> > under one root CA be authenticated against a freeradius that started
> > with a different server certificate?
> 
>   I haven't tried it, but it's possible, yes.
> 

Is there any howto or link about it?
Maybe someone could shed some light.

thanks

>   Alan DeKok.
> --
>   http://deployingradius.com   - The web site of the book
>   http://deployingradius.com/blog/ - The blog
> 



EAP-TLS certificate question

2007-01-17 Thread kemas
Hi all,

I've installed freeradius-1.1.3 and use it with an AP Aironet 1100 doing EAP-TLS,
and it works very well.
I'm still confused about certificates: can all client certificates created
under one root CA be authenticated against a freeradius that started
with a different server certificate?

Is it possible to set things up like this?

              root ca
             /   |   \
            /    |    \
           /     |     \
    server1   server2   server3
       |         |         |
       |         |         |
    client1   client2   client3

I don't want client1 to be authenticated against server2 or server3.



thanks

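Alan's answer in the thread is that this is possible. As an added example (not from the thread, and nothing FreeRADIUS ships), here is one way to lay out the PKI the diagram asks for, using the OpenSSL command line: a single root, one intermediate CA per RADIUS server, and each client certificate issued by the intermediate of the server it is allowed to use. A server that trusts only its own intermediate (in FreeRADIUS terms, the CA_file in the eap.conf tls section holds that intermediate and not the root) accepts its own clients and rejects the others, whereas a server whose CA_file holds the shared root accepts every client under that root, which is exactly the situation the question wants to avoid. The subjects, file names and working directory are made up for the demo; OpenSSL 1.0.2 or later is assumed, because verify -partial_chain is what lets a non-root CA act as the trust anchor.

```shell
#!/bin/sh
# Added example, not from the thread: one root CA, one intermediate CA per
# RADIUS server, each client certificate issued by the intermediate of the
# server it may use.  A server whose trust store holds only its own
# intermediate accepts client1 and rejects client2 (and vice versa), while a
# server that trusts the root accepts both.  Subjects, names and directory
# layout are made up; OpenSSL >= 1.0.2 is assumed (verify -partial_chain).

# Fresh RSA key plus CSR: $1 = dir, $2 = name, $3 = subject
mk_csr() {
    openssl req -new -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" >/dev/null 2>&1
}

# Sign $2's CSR with CA $3 using extensions file $4 (all under dir $1)
sign() {
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial -days 365 -extfile "$1/$4" -out "$1/$2.pem" >/dev/null 2>&1
}

# Build the whole hierarchy in directory $1
build_pki() {
    d=$1
    mkdir -p "$d"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' >"$d/ca.ext"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\n' >"$d/client.ext"

    # the single root, self-signed
    mk_csr "$d" root "/O=Example/CN=Example Root CA"
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 \
        -extfile "$d/ca.ext" -out "$d/root.pem" >/dev/null 2>&1

    # one intermediate per server, signed by the root
    for s in server1 server2; do
        mk_csr "$d" "ca-$s" "/O=Example/CN=Intermediate CA for $s"
        sign "$d" "ca-$s" root ca.ext
    done

    # one client per intermediate
    mk_csr "$d" client1 "/O=Example/CN=client1"
    sign "$d" client1 ca-server1 client.ext
    mk_csr "$d" client2 "/O=Example/CN=client2"
    sign "$d" client2 ca-server2 client.ext
}

# What a server with a root-only trust store sees: the client sends its own
# intermediate in the TLS handshake (-untrusted here), and anything chaining
# to the root verifies.  $1 = dir, $2 = client, $3 = intermediate it presents
verify_against_root() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/$3.pem" "$1/$2.pem" >/dev/null 2>&1
}

# What a server whose trust store holds ONLY its own intermediate sees.
# -partial_chain lets that non-root CA be the trust anchor.
# $1 = dir, $2 = client, $3 = the server's intermediate
verify_against_server_ca() {
    openssl verify -partial_chain -CAfile "$1/$3.pem" "$1/$2.pem" >/dev/null 2>&1
}

WORK=${WORK:-$(mktemp -d)}
build_pki "$WORK"
for c in client1 client2; do
    for s in server1 server2; do
        if verify_against_server_ca "$WORK" "$c" "ca-$s"; then r=accepted; else r=rejected; fi
        echo "$c at $s (trusts only ca-$s): $r"
    done
done
```

Whether the RADIUS server itself honours an intermediate-only CA_file depends on the TLS library it is built against and how it sets up verification (OpenSSL needs partial-chain mode to accept a non-root trust anchor), so test it against the server version in use before relying on it. If it insists on reaching a self-signed root, the fallbacks are one root per server, or verifying against the shared root and then comparing the client certificate's issuer DN with the one that server expects.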