Re: Support for check_cert_subjectAltName?

2012-01-09 Thread Alan DeKok
Phil Mayers wrote:
 Isn't there a problem with that approach though? Namely, that the TLS-*
 attributes aren't available in the authorize section (because the eap
 module, and all the EAP methods, do their work in authenticate).

  Yes.

 But
 in post-auth, turning an accept into a reject is fraught, and bad practice?

  The certs can be checked in the authenticate section, too.

 This comes up occasionally when people want to check the TLS-*
 attributes and act on them (as opposed to logging them).

  The rlm_eap code could be modified to look up the handler in the
authorize section.  If found, the certs could be added to the request.

  It's probably not a lot of code, and could be useful for 3.0.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Re: Support for check_cert_subjectAltName?

2012-01-08 Thread Alan DeKok
Graham Leggett wrote:
 When using client certificates in EAP-TLS, the check_cert_cn option exists 
 that allows you to check that the username matches the CN. Is there a 
 corresponding option somewhere that will allow you to verify the User-Name 
 against the subjectAltName instead?

  In the latest version of the server, see
raddb/sites-available/default.  Look for TLS-Cert

  Alan DeKok.


Re: Support for check_cert_subjectAltName?

2012-01-08 Thread Graham Leggett
On 08 Jan 2012, at 5:01 PM, Alan DeKok wrote:

 When using client certificates in EAP-TLS, the check_cert_cn option exists 
 that allows you to check that the username matches the CN. Is there a 
 corresponding option somewhere that will allow you to verify the User-Name 
 against the subjectAltName instead?
 
  In the latest version of the server, see
 raddb/sites-available/default.  Look for TLS-Cert

That wasn't quite what I was after, but rather a generic way to ensure the 
User-Name matches either dnsName or rfc822Name in the subjectAltName, depending 
on whether the peer was a host or a person.

Turned out the patch to implement this was simple, for freeradius-server-master:

freeradius-master-check_cert_san.patch
Description: Binary data

And this is the same patch, backported to v2.1.x:

freeradius-check_cert_san.patch
Description: Binary data

It adds a check_user_san option, which some googling showed past people have
asked about.

Regards,
Graham


Re: Support for check_cert_subjectAltName?

2012-01-08 Thread Alan DeKok
Graham Leggett wrote:
 That wasn't quite what I was after, but rather a generic way to ensure the 
 User-Name matches either dnsName or rfc822Name in the subjectAltName, 
 depending on whether the peer was a host or a person.
 
 Turned out the patch to implement this was simple, for 
 freeradius-server-master:

  I'd prefer a patch which creates an attribute, just like the
TLS-Cert-* attributes.  The reason is that policies can be created by
the administrator.  A hard-coded check is likely more code and less
flexible.

  Alan DeKok.


Re: Support for check_cert_subjectAltName?

2012-01-08 Thread Phil Mayers

On 01/08/2012 08:28 PM, Alan DeKok wrote:

  Turned out the patch to implement this was simple, for freeradius-server-master:

   I'd prefer a patch which creates an attribute, just like the
 TLS-Cert-* attributes.  The reason is that policies can be created by
 the administrator.  A hard-coded check is likely more code and less
 flexible.

Isn't there a problem with that approach though? Namely, that the TLS-*
attributes aren't available in the authorize section (because the eap
module, and all the EAP methods, do their work in authenticate). But
in post-auth, turning an accept into a reject is fraught, and bad practice?

This comes up occasionally when people want to check the TLS-*
attributes and act on them (as opposed to logging them).

Or am I missing something? We don't use EAP-TLS so it's entirely possible.


Re: Support

2011-02-14 Thread Alan DeKok
Schaatsbergen, Chris wrote:
 A slightly different question, does the support from http://networkradius.com 
 come from the active users of this mailing list? I.e. if I buy a support 
 contract there, do the Alans get a part of that? I am missing a donate 
 button on the freeradius website and I hope/expect we do not need that much 
 support once this server is up and running.

  Network RADIUS is a for-profit company which does FreeRADIUS support,
development, consulting, etc.  No one on this list is asked to work for
free.

  I run the company, and while I'm not getting rich, the proceeds from
it have kept me off of the streets.

  Alan DeKok.


Re: Support

2011-02-14 Thread Alan Buxey
Hi,

  A slightly different question, does the support from 
  http://networkradius.com come from the active users of this mailing list? 
  I.e. if I buy a support contract there, do the Alans get a part of that? 
  I am missing a donate button on the freeradius website and I hope/expect we 
  do not need that much support once this server is up and running.
 
   Network RADIUS is a for-profit company which does FreeRADIUS support,
 development, consulting, etc.  No one on this list is asked to work for
 free.
 
   I run the company, and while I'm not getting rich, the proceeds from
 it have kept me off of the streets.

:-)


I use FreeRADIUS in anger (well, sometimes I'm happy too) in a major environment
and within a national level. As such I am very interested in seeing issues that
people have with it and seeing what other people do to achieve results. I have
learnt quite a lot from this list...and helping people out is just my altruistic
streak that occasionally comes through (heck, I really want them to use
FreeRADIUS rather than waste money on NPS or ACS etc ;-) ).  I already have a
salaried position but I do have an amazon wishlist that some kind people have
looked at after I've got them out of a pickle or done their work for them! ;-)
(many thanks to those people..I've enjoyed the books and games).

please think about networkradius.com if you want to have a solid support for
the product - it will ensure that you have a good FreeRADIUS deployment and you
won't get Mr Random in management bearing down on you with money being thrown
at some limited commercial platform whilst there are good people on this list.
I'd state you should never rely on a public mailing list for support of
critical systems!! - we're here when we have the time to be :-)

alan


Re: Support

2011-02-14 Thread Fajar A. Nugraha
On Tue, Feb 15, 2011 at 4:45 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
 please think about networkradius.com if you want to have a solid support for
 the product - it will ensure that you have a good FreeRADIUS deployment and
 you won't get Mr Random in management bearing down on you with money being
 thrown at some limited commercial platform

or worse, throwing money for some limited commercial platform's
LICENSE but not bothering spending anything on SUPPORT, leaving you
high-and-dry when you need help the most.

-- 
Fajar


Re: Support of Tag 0x00 for Tunnel-Server-Endpoint

2010-09-17 Thread Naoufel

To clarify :

 I'm using free radius 2.1.9 as a client to connect to a
 distant server (not freeradius).

I'm using the API for client access, not freeradius as a server.

 We are facing a problem for Tunnel-Server-Endpoint
 attribute :
 
 RFC http://www.ietf.org/rfc/rfc2868.txt
 indicates for Tunnel-Server-Endpoint :
 
    Tag
       The Tag field is one octet in length and is intended to provide a
       means of grouping attributes in the same packet which refer to the
       same tunnel.  If the value of the Tag field is greater than 0x00
       and less than or equal to 0x1F, it SHOULD be interpreted as
       indicating which tunnel (of several alternatives) this attribute
       pertains.  If the Tag field is greater than 0x1F, it SHOULD be
       interpreted as the first byte of the following String field.
 
 So, there is no explicit prohibition of use of 0x00 as a Tag value.
 
 What we see in freeradius is that this value makes us ignore the value of
 the attribute.

This means :
- if we receive a Tunnel-Server-Endpoint with a Tag 0x01 value and that
contains an IP address, the IP is taken into consideration and its value is
returned by the API. The application layer uses it.
- But if we receive a Tunnel-Server-Endpoint with a Tag 0x00 value and that
contains an IP address, the IP is just ignored, its value is not returned by
the API. The call to recv_one_paquet returns an empty Tunnel-Server-Endpoint
value.

The "no tag" case is maybe well managed at the server side, but misused by the
client side?

 Is there some other RFC that shows explicitly that the
 0x00 tag should lead to this behavior ?
 Is it a freeradius bug ?
 Any help about where it is managed in the code ?
 
 Thanks for help


Re: Support of Tag 0x00 for Tunnel-Server-Endpoint

2010-09-17 Thread Alan DeKok
Naoufel wrote:
 To clarify :
 
 I'm using free radius 2.1.9 as a client to connect to a
 distant server (not freeradius). 
 
 I'm using API for client access not the freeradius as a server

  I have no idea what that means.

 So, there is no explicit prohibition of use of 0x00 as a Tag value.

  There's also no way of knowing what the *right* behavior is.

 What we see in freeradius is that this value makes us ignore the value of
 the attribute.
 
 This means : 
 - if we receive a Tunnel-Server-Endpoint with a Tag 0x01 value and that 
 contains an IP@, the IP is taken into consideration and its value is returned 
 by the API. Applicative layer uses it.
 - But if we receive a Tunnel-Server-Endpoint with a Tag 0x00 value and that 
 contains an IP@, the IP is just ignored, its value is not returned by the 
 API. The call to recv_one_paquet returns an empty Tunnel-Server-Endpoint value

  That looks like what the code is doing.

 The "no tag" case is maybe well managed at the server side, but misused by the
 client side?

  I have no idea what that means.

  If the client is sending a tag of 0x00 for IP addresses, it's broken.
 Fix the client.  No other client in the world does this.

  Alan DeKok.


Re: Support of Tag 0x00 for Tunnel-Server-Endpoint

2010-09-16 Thread Alan DeKok
Naoufel wrote:
 Hi,
 
 I'm using free radius 2.1.9 as a client to connect to a distant server (not 
 freeradius). 
 We are facing a problem for Tunnel-Server-Endpoint attribute :
 
 RFC http://www.ietf.org/rfc/rfc2868.txt indicates for Tunnel-Server-Endpoint :
...
 So, there is no explicit prohibition of use of 0x00 as a Tag value.

  Yup.  But who bothers reading the specs?  sigh

 What we see in freeradius is that this value makes us ignore the value of
 the attribute.

  What does that mean?

 Is there some other RFC that shows explicitly that the 0x00 tag should lead
 to this behavior ?
 Is it a freeradius bug ?
 Any help about where is it managed in the code ?

  The tag 0x00 could be treated as no tag.  The server does this when
sending packets.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
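A decoder for the RFC 2868 tag-octet rules quoted in this thread, added here as an example; it is not FreeRADIUS code, and the `lenient` switch, the helper names and the sample values are assumptions made for the example. It shows why the 0x00 case has to be an explicit policy decision: strict decoding drops the whole attribute (what the poster saw on the client side), while lenient decoding keeps the endpoint value but records no tunnel grouping, which is the "treat 0x00 as no tag" behaviour described for the server.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Decoded view of an RFC 2868 tagged String attribute such as
 * Tunnel-Server-Endpoint. Added example type, not a FreeRADIUS structure.
 */
typedef struct {
    int            has_tag;    /* 1 when a grouping tag 0x01..0x1F was present */
    uint8_t        tag;        /* the tag value, 0 when has_tag == 0 */
    const uint8_t *value;      /* start of the String field inside the input */
    size_t         value_len;  /* length of the String field */
} tagged_string_t;

/*
 * Decode the value portion (the octets after Type and Length) of a tagged
 * String attribute following the RFC 2868 text quoted in the thread:
 *   0x01..0x1F : grouping tag, the String starts at the next octet
 *   >  0x1F    : no tag, this octet is the first byte of the String
 *   0x00       : the RFC is silent. With lenient != 0 the octet is treated
 *                as "no tag" and skipped; with lenient == 0 the attribute
 *                is rejected as undecodable.
 * Returns 0 on success and -1 when the attribute cannot be decoded.
 */
int decode_tagged_string(const uint8_t *data, size_t len, int lenient,
                         tagged_string_t *out)
{
    if (data == NULL || out == NULL || len == 0) return -1;
    memset(out, 0, sizeof(*out));

    uint8_t first = data[0];

    if (first > 0x1F) {                 /* untagged: whole value is the String */
        out->value = data;
        out->value_len = len;
        return 0;
    }

    if (first == 0x00 && !lenient) return -1;   /* strict: undefined tag */

    /* 0x01..0x1F, or 0x00 accepted as "no tag": skip the tag octet */
    if (len < 2) return -1;             /* a tag with no String behind it */
    out->has_tag = (first != 0x00);
    out->tag = first;
    out->value = data + 1;
    out->value_len = len - 1;
    return 0;
}

/*
 * Helper for the self-test: decode and compare the String field with an
 * expected NUL-terminated string. Returns -1 when decoding fails, -2 when
 * the String differs, otherwise the tag (0 meaning "no grouping tag").
 */
int decode_check(const uint8_t *data, size_t len, int lenient,
                 const char *expected)
{
    tagged_string_t ts;
    if (decode_tagged_string(data, len, lenient, &ts) != 0) return -1;
    if (ts.value_len != strlen(expected) ||
        memcmp(ts.value, expected, ts.value_len) != 0) return -2;
    return ts.has_tag ? ts.tag : 0;
}

/* Constructed sample values: the endpoint "10.0.0.1" carried three ways. */
static const uint8_t SAMPLE_TAG1[]  = { 0x01, '1','0','.','0','.','0','.','1' };
static const uint8_t SAMPLE_TAG0[]  = { 0x00, '1','0','.','0','.','0','.','1' };
static const uint8_t SAMPLE_NOTAG[] = {       '1','0','.','0','.','0','.','1' };

int main(void)
{
    printf("tag 0x01, strict : %d\n",
           decode_check(SAMPLE_TAG1, sizeof SAMPLE_TAG1, 0, "10.0.0.1"));
    printf("tag 0x00, strict : %d\n",
           decode_check(SAMPLE_TAG0, sizeof SAMPLE_TAG0, 0, "10.0.0.1"));
    printf("tag 0x00, lenient: %d\n",
           decode_check(SAMPLE_TAG0, sizeof SAMPLE_TAG0, 1, "10.0.0.1"));
    printf("no tag           : %d\n",
           decode_check(SAMPLE_NOTAG, sizeof SAMPLE_NOTAG, 0, "10.0.0.1"));
    return 0;
}
```

Because an endpoint written as an IP address or host name always starts with an octet above 0x1F, an untagged attribute is never ambiguous; only a literal 0x00 forces the decoder to choose, and a deployment should log which choice it makes.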


Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok writes:

 Maja Wolniewicz wrote:
 
 According to RFC4372  CUI attribute in request can include a single NUL
 character, then your test
 if (%{Chargeable-User-Identifier})  {
 update reply {
 Chargeable-User-Identifier = 
 }
 }
 evaluates to false.
 
   I've fixed this in CVS head (2.0.1-pre), added better type-checking,
 and removed the requirement to always convert everything to strings:
 
   if (Chargeable-User-Identifier == ) {
 ...
 
   if (Framed-IP-Address  127.0.0.1) {
 ...
 
   ~200 lines of code: big administrator happiness. :)
 
   Alan DeKok.

I'm now running freeradius from CVS
FreeRADIUS Version 2.0.1-pre

in post-auth I have:
if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) {
if (%{Chargeable-User-Identity}) {
update reply { 
Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED]

}
}
else {
update reply {
 Chargeable-User-Identity-=%{reply:Chargeable-User-Identity}
}
}
}

and it still doesn't work for me:

when Chargeable-User-Identity in request has a nul value, I'm getting:

++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1)
expand: %{FreeRADIUS-Proxied-To} - 127.0.0.1
? Evaluating (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE
++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE
++- entering if (%{FreeRADIUS-Proxied-To} == 127.0.0.1)
+++? if (%{Chargeable-User-Identity})
expand: %{Chargeable-User-Identity} -
? Evaluating (%{Chargeable-User-Identity}) - FALSE
+++? if (%{Chargeable-User-Identity}) - FALSE
+++- entering else else
expand: %{reply:Chargeable-User-Identity} -

when Chargeable-User-Identity in request is AAA

++? if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) - TRUE
++- entering if (%{FreeRADIUS-Proxied-To} == 127.0.0.1)
+++? if (%{Chargeable-User-Identity})
expand: %{Chargeable-User-Identity} - AAA
? Evaluating (%{Chargeable-User-Identity}) - TRUE
+++? if (%{Chargeable-User-Identity}) - TRUE
+++- entering if (%{Chargeable-User-Identity})
expand: %{reply:[EMAIL PROTECTED] - [EMAIL PROTECTED]

Maja

--
Maja Gorecka-Wolniewicz  [EMAIL PROTECTED]
 http://www.umk.pl/~mgw
 PGP key: http://www.umk.pl/~mgw/pgp_pub_key.asc
Uczelniane Centrum   Information & Communication
InformatyczneTechnology Centre
Uniwersytet Mikolaja Kopernika   Nicolaus Copernicus University
Coll. Maximum, pl. Rapackiego 1, 87-100 Torun, Poland
tel.: +48 56-611-27-40 fax: +48 56-622-18-50 tel. kom.: +48-693032574



Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Alan DeKok
Maja Wolniewicz wrote:
 I'm now running freeradius from CVS
 FreeRADIUS Version 2.0.1-pre
 
 in post-auth I have:
 if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) {
 if (%{Chargeable-User-Identity}) {

  Please fix this.  Putting double quotes around *everything* was never
necessary, and is much less necessary in 2.0.1.  See the examples from
my original message, and in man unlang.

  What you want is:

  if (FreeRADIUS-Proxied-To == 127.0.0.1) {
...
  if (Chargeable-User-Identity) {
...

 update reply {
 Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED]
 }

  Huh?  You're updating the reply attribute with the reply attribute?
What do you think this is doing?

 and it still doesn't work for me:

  Perhaps you could explain why you think it should do *anything* useful.

 when Chargeable-User-Identity in request has a nul value, I'm getting:
...
 expand: %{Chargeable-User-Identity} -
 ? Evaluating (%{Chargeable-User-Identity}) - FALSE

  Update this to use my example above.  See also man unlang:

 If  the  word 'foo' is not a quoted string, then it can be taken
 as a reference to a named attribute.  See Referencing attribute
 lists, below, for examples of attribute references.  The condition
 evaluates to true if the named attribute exists.

  This *is* documented.  I *did* say I had updated the documentation.

  Alan DeKok.

Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok writes:

 Maja Wolniewicz wrote:
 
 I'm now running freeradius from CVS
 FreeRADIUS Version 2.0.1-pre
 
 in post-auth I have:
 if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) {
 if (%{Chargeable-User-Identity}) {
 
   Please fix this.  Putting double quotes around *everything* was never
 necessary, and is much less necessary in 2.0.1.  See the examples from
 my original message, and in man unlang.

Thanks. Now it works.

   What you want is:
 
   if (FreeRADIUS-Proxied-To == 127.0.0.1) {
 ...
   if (Chargeable-User-Identity) {
 ...
 
 update reply {
 Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED]
 }
 
   Huh?  You're updating the reply attribute with the reply attribute?
 What do you think this is doing?
Yes, I want to add current realm to reply attribute
Chargeable-User-Identity which comes from LDAP.
When Chargeable-User-Identity attribute isn't present in request I want
to remove Chargeable-User-Identity from reply.

if (Chargeable-User-Identity) {
update reply {

Chargeable-User-Identity:=%{reply:[EMAIL PROTECTED]
}
}
else {
update reply {
 Chargeable-User-Identity-=%{reply:Chargeable-User-Identity}
}
}

What is wrong in it?
Maja



 and it still doesn't work for me:
 
   Perhaps you could explain why you think it should do *anything* useful.
 
 when Chargeable-User-Identity in request has a nul value, I'm getting:
 
 ...
 
 expand: %{Chargeable-User-Identity} -
 ? Evaluating (%{Chargeable-User-Identity}) - FALSE
 
   Update this to use my example above.  See also man unlang:
 
  If  the  word 'foo' is not a quoted string, then it can be taken
  as a reference to a named attribute.  See Referencing attribute
  lists, below, for examples of attribute references.  The condition
  evaluates to true if the named attribute exists.
 
   This *is* documented.  I *did* say I had updated the documentation.
 
   Alan DeKok.




Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Alan DeKok
Maja Wolniewicz wrote:
 Thanks. Now it works.

  That's good to hear.

 Yes, I want to add current realm to reply attribute
 Chargeable-User-Identity which comes from LDAP.
 When Chargeable-User-Identity attribute isn't present in request I want
 to remove Chargeable-User-Identity from reply.

  There's a simple answer: don't add something if it's not needed.
Adding it and then deleting it is complicated, and prone to errors.

  Instead, add it *only* if it's necessary.  This may involve updating the
LDAP maps to use a temporary attribute.  e.g. map the LDAP data to
My-Chargeable-User-Identity, and then map that to
Chargeable-User-Identity only when necessary.

  See raddb/dictionary for how to define local attributes like this.

  Alan DeKok.


Re: Support for RFC4372 (Chargeable User Identity)

2008-01-21 Thread Maja Wolniewicz

Alan DeKok writes:

 Maja Wolniewicz wrote:
 
 Thanks. Now it works.
 
   That's good to hear.
 
 Yes, I want to add current realm to reply attribute
 Chargeable-User-Identity which comes from LDAP.
 When Chargeable-User-Identity attribute isn't present in request I want
 to remove Chargeable-User-Identity from reply.
 
   There's a simple answer: don't add something if it's not needed.
 Adding it and then deleting it is complicated, and prone to errors.
 
   Instead, add it *only* if it's necessary.  This may involve updating the
 LDAP maps to use a temporary attribute.  e.g. map the LDAP data to
 My-Chargeable-User-Identity, and then map that to
 Chargeable-User-Identity only when necessary.
 
   See raddb/dictionary for how to define local attributes like this.

That's right. Thanks for help,
Maja

   Alan DeKok.




Re: Support for RFC4372 (Chargeable User Identity)

2008-01-15 Thread Alan DeKok
Maja Wolniewicz wrote:
 According to RFC4372  CUI attribute in request can include a single NUL
 character, then your test
 if (%{Chargeable-User-Identifier})  {
 update reply {
 Chargeable-User-Identifier = 
 }
 }
 evaluates to false.

  I've fixed this in CVS head (2.0.1-pre), added better type-checking,
and removed the requirement to always convert everything to strings:

  if (Chargeable-User-Identifier == ) {
...

  if (Framed-IP-Address  127.0.0.1) {
...

  ~200 lines of code: big administrator happiness. :)

  Alan DeKok.


Re: Support for RFC4372 (Chargeable User Identity)

2008-01-07 Thread Alan DeKok
Stefan Winter wrote:
 is that implemented in FR, be it 1.1 or 2.0? According to 
 http://wiki.freeradius.org/RFC it shouldn't be. 

  It's in the dictionaries...

 From my reading of the RFC, defining it by hand in radreply is not 
 considered good enough, because it has a specific logic behind it:
 
 (2.1)
 
 If a home RADIUS server that supports the CUI attribute receives an
Access-Request packet containing a CUI (set to nul or otherwise), it
MUST include the CUI attribute in the Access-Accept packet.

  That can be done via policy logic in unlang.

  if (%{Chargeable-User-Identifier})  {
update reply {
Chargeable-User-Identifier = 
}
  }

 So, always sending it via radreply would ignore the SHOULD NOT. Not defining 
 it at all though makes it difficult for the server to maintain a persistent 
 yet anonymous handle. So something like defining it by hand but only 
 including it if it was asked for would be needed. Is that logic present in 
 FR?

  Nope.  It's 4 lines of text, as above.

  The only complexity is *creating* it, and mapping it to a known user.
 This can be done via additional logic, and stored in SQL, for example.

  Alan DeKok.


RE: Support for SSO Active Directory PEAP-MS-CHAP-v2

2007-09-24 Thread Rakesh Jha
Can you please send steps, I am also trying to do the same.

Rakesh

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick
wiltshire
Sent: Sunday, September 23, 2007 4:48 PM
To: freeradius-users@lists.freeradius.org
Subject: Support for SSO Active Directory  PEAP-MS-CHAP-v2

Dear All,

I need help with dot1x implementation in an Enterprise LAN. Our target
is to authenticate and authorize users based on their identities (domain
user names) as well as applying GPOs on users.

Our authentication Backend is: Active Directory
Our Authorization & Accounting is done by: freeRADIUS
Authorization Attributes control VLAN assignment (hence, IP address
pool)
Required Authentication EAP-Type : PEAP & MS-CHAP

All Clients are using WinXP supplicant. I managed to implement
PEAPMS-CHAP with this setup however with users who have cached
credentials on their PCs. If the user logs on the PC for the first time,
he fails to reach the active directory to authenticate since the
connection is not yet authorized. So what I need is get the computer
authenticated and assigned an IP address and then authenticate the user
in a following phase while the connection is up. 

Any clues with authenticating domain machines using freeradius and
active directory implementation? 


Attention: 
Any non-official business related views, opinions and other information 
presented in this electronic mail
are solely those of the sender/author.
Burgan Bank does not endorse or accept responsibility for their opinions. If 
you are not the addressed 
indicated in this mail or responsible for delivering this message to the 
intended,
you should delete this message and notify the sender immediately.
---
Burgan Bank S.A.K
www.burgan.com
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Support for SSO Active Directory PEAP-MS-CHAP-v2

2007-09-23 Thread Alan DeKok
rick wiltshire wrote:
 All Clients are using WinXP supplicant. I managed to implement
 PEAPMS-CHAP with this setup however with users who have cached
 credentials on their PCs. If the user logs on the PC for the first time,
 he fails to reach the active directory to authenticate since the
 connection is not yet authorized. So what I need is get the computer
 authenticated and assigned an IP address and then authenticate the user 
 in a following phase while the connection is up.

  That is machine authentication.  The machine will need to be
authenticated, separately from the user.

  Alan DeKok.


Re: Support for Cisco

2007-07-19 Thread Peter Nixon
On Thu 19 Jul 2007, ashish verma wrote:
 Hi all,

 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
 getting into user level or privilege level depending on the attribute I am
 defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 users file.
 Can anyone tell me how to define this or whether we can define this kind
 of attribute in freeradius or not?

http://wiki.freeradius.org/Cisco#Per_User_Privilege_Level

-- 

Peter Nixon
http://peternixon.net/


Re: Support for Cisco

2007-07-19 Thread Peter Nixon
I thought it was:

 cisco-avpair = shell:priv-lvl=levelnumber

If not, we need to fix the wiki.

Cheers

Peter


On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
 Use proper format:

 Cisco-AVPair = priv-lvl=levelnumber

 Ivan Kalik
 Kalik Informatika ISP

 On 19/7/2007, ashish verma [EMAIL PROTECTED] writes:
 Hi all,
 
 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
  getting into user level or privilege level depending on the attribute I
  am defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 users file.
 Can anyone tell me how to define this or whether we can define this kind
  of attribute in freeradius or not?
 
 Thanks in advance,
 Ashish




-- 

Peter Nixon
http://peternixon.net/



Re: Support for Cisco

2007-07-19 Thread tnt
Sorry, my mistake. It is shell:priv-lvl=levelnumber

Ivan Kalik
Kalik Informatika ISP


On 19/7/2007, Peter Nixon [EMAIL PROTECTED] writes:

I thought it was:

 cisco-avpair = shell:priv-lvl=levelnumber

If not, we need to fix the wiki.

Cheers

Peter


On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
 Use proper format:

 Cisco-AVPair = priv-lvl=levelnumber

 Ivan Kalik
 Kalik Informatika ISP

 On 19/7/2007, ashish verma [EMAIL PROTECTED] writes:
 Hi all,
 
 I am trying to configure free radius for some Cisco devices.
 Till now I am able to authenticate using the radius server and I am
  getting into user level or privilege level depending on the attribute I
  am defining. Now what I am looking for is authorization.
 There is something called Cisco-AV priv attribute through which one can
 define privilege level from 1 to 15. But I am not able to define it in
 users file.
 Can anyone tell me how to define this or whether we can define this kind
  of attribute in freeradius or not?
 
 Thanks in advance,
 Ashish




-- 

Peter Nixon
http://peternixon.net/



Re: Support for Cisco

2007-07-19 Thread tnt
Use proper format:

Cisco-AVPair = priv-lvl=levelnumber

Ivan Kalik
Kalik Informatika ISP


On 19/7/2007, ashish verma [EMAIL PROTECTED] writes:

Hi all,

I am trying to configure free radius for some Cisco devices.
Till now I am able to authenticate using the radius server and I am getting
into user level or privilege level depending on the attribute I am defining.
Now what I am looking for is authorization.
There is something called Cisco-AV priv attribute through which one can
define privilege level from 1 to 15. But I am not able to define it in
users file.
Can anyone tell me how to define this or whether we can define this kind of
attribute in freeradius or not?

Thanks in advance,
Ashish





Re: Support for WiMAX VSA

2007-07-19 Thread Alan DeKok
Nitin Naveen wrote:
 Hi I am Nitin Naveen working with HUGHES SYSTIQUE. We have been working to
 enhance freeradius to support WiMAX VSA (as per WiMAX NWG forum). WiMAX
 VSA are not the typical type-length-value rather they have
 type-length-controlinfo-value.

  Yes..

 We have enhanced the dictionary but we were not able to generate the
 attributes
 as per the WiMAX NWG format. For now we have developed our own
 rlm_hsc_wimax
 module.  We like to contribute to freeradius so that the WiMAX VSA are
 supported as
 part of the standard distribution. To this end we can share our code.
 But before that
 we would like to follow the correct procedure for releasing the code.

  Submit a feature request on bugs.freeradius.org.  Add the patch as an
attachment.  Make sure that the code has the GPL license in it.  The
FreeRADIUS code currently does this.

  Copyright can remain with you.

  Alan DeKok.


Re: Support for WiMAX VSA

2007-07-19 Thread Alan DeKok
Walter Goulet wrote:
 Question on your planned contribution to FreeRADIUS: Does your module
 support the key generation algorithms for the WiMAX mobility keys?
 Specifically, is your module able to correctly generate the
 MN-HA-MIP4-KEY and related key material from the EMSK derived as part
 of the EAP exchange?
 
 Personally this was seen as the biggest challenge towards building NWG
 compliance into FreeRADIUS as opposed to VSA format.

  If there is sufficient interest in getting the work done, there are
ways of getting the work done.

  My goal (if it wasn't obvious by now) is to make FreeRADIUS the
default WiMAX AAA server.  If we add MIP4 and MIP6 support, I won't
complain.

  Alan DeKok.


Re: Support for WiMAX VSA

2007-07-18 Thread Walter Goulet
Hi Nitin,

Question on your planned contribution to FreeRADIUS: Does your module
support the key generation algorithms for the WiMAX mobility keys?
Specifically, is your module able to correctly generate the
MN-HA-MIP4-KEY and related key material from the EMSK derived as part
of the EAP exchange?

Personally this was seen as the biggest challenge towards building NWG
compliance into FreeRADIUS as opposed to VSA format.

Thanks,
Walter

On 7/18/07, Nitin Naveen [EMAIL PROTECTED] wrote:

 Hello All,

 Hi, I am Nitin Naveen, working with HUGHES SYSTIQUE. We have been working to
 enhance FreeRADIUS to support WiMAX VSAs (as per the WiMAX NWG forum). WiMAX
 VSAs are not the typical type-length-value; rather they have
 type-length-controlinfo-value.
 We have enhanced the dictionary but we were not able to generate the
 attributes as per the WiMAX NWG format. For now we have developed our own
 rlm_hsc_wimax module. We would like to contribute to FreeRADIUS so that the
 WiMAX VSAs are supported as part of the standard distribution. To this end we
 can share our code, but before that we would like to follow the correct
 procedure for releasing the code. Your inputs and suggestions are awaited.

 Regards
 Nitin Naveen
 Principal Engineer
 HUGHES SYSTIQUE
 D-8, Infocity-11
 Sector-33, Gurgaon
 Haryana, India
 tel: +91-124-3045400
 fax: +91-124-4039301
 [EMAIL PROTECTED]
 www.hsc.com






Re: Support for WiMAX VSA

2007-07-18 Thread Nitin Naveen

Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Arran Cudbard-Bell
Colleen C. Morrissey wrote:
 Hi,

   Why?  If you have the clear-text password on the server, you can just
   compare the two.  There's no need to configure rlm_pap to do the NT hash.

  I don't have the clear text password.  Your original reply said this
  would work with clear text password or nt hash.  I have the NT hash
  and/or I can get the SHA1 base 64 encoded password (which was working
  with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
  I don't manage the ldap service so getting the clear text password will
  not be easy and may not be possible organizationally.   Thanks.

I know SHA1 will definitely work, as will NT, but you will have to use
the PAP module.
The NT hash should be written into the check item NT-Password; I think
SHA is SHA-Password.

If you're using LDAP, just enable auto header and it'll figure it out for
you :) . If you do use the NT password, be sure the FreeRADIUS-to-LDAP NT
hash password attribute mapping is correct.



Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Alan DeKok
Colleen C. Morrissey wrote:
 I don't have the clear text password.  Your original reply said this 
 would work with clear text password or nt hash.  I have the NT hash 
 and/or I can get the SHA1 base 64 encoded password (which was working 
 with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
 I don't manage the ldap service so getting the clear text password will 
 not be easy and may not be possible organizationally.   Thanks.

  Hmm.. OK.

  In that case your best bet may be to grab the current code from CVS.
See the web page for how to do CVS logins, etc.  Then,

$ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r
branch_1_1 -d freeradius-1.1.7pre radiusd

  And the freeradius-1.1.7pre directory will contain a version that
fixes the issue you're seeing in the mschap module.

  Alan DeKok.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-20 Thread Colleen C. Morrissey
That worked.  Thank you!

Alan DeKok wrote:
 Colleen C. Morrissey wrote:
 I don't have the clear text password.  Your original reply said this 
 would work with clear text password or nt hash.  I have the NT hash 
 and/or I can get the SHA1 base 64 encoded password (which was working 
 with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
 I don't manage the ldap service so getting the clear text password will 
 not be easy and may not be possible organizationally.   Thanks.
 
   Hmm.. OK.
 
   In that case your best bet may be to grab the current code from CVS.
 See the web page for how to do CVS logins, etc.  Then,
 
 $ cvs -d :pserver:[EMAIL PROTECTED]:/source checkout -r
 branch_1_1 -d freeradius-1.1.7pre radiusd
 
   And the freeradius-1.1.7pre directory will contain a version that
 fixes the issue you're seeing in the mschap module.
 
   Alan DeKok.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Colleen C. Morrissey
I spoke too soon.  This works OK for a user/password in the users file, but
not via LDAP.  Via LDAP, mschap works but not gtc.  Below is a snippet of the
output when it is failing.  Any advice on how to fix this would be appreciated:
[EMAIL PROTECTED] raddb]# more gtc_info
modcall: entering group authenticate for request 502
   rlm_eap: Request found, released from the list
   rlm_eap: EAP/gtc
   rlm_eap: processing type gtc
   Processing the authenticate section of radiusd.conf
modcall: entering group PAP for request 502
rlm_pap: login attempt with password blah
rlm_pap: Using NT encryption.
radius_xlat: Running registered xlat function of module mschap for 
string 'NT-Hash blah'
   rlm_mschap: Unknown expansion string NT-Hash blah
radius_xlat:  ''
rlm_pap: mschap xlat failed
rlm_pap: Passwords don't match

Colleen C. Morrissey wrote:
 Thanks!  I had ldap returning Password-with-Header for GTC deployment 
 and then added NT-Password for ms-chapv2.  Commenting out the 
 password-with-header for userpassword in ldap.attrmap seems to allow 
 both to work.  Which makes my life much easier :)
 
 Alan Dekok wrote:
 Colleen C. Morrissey wrote:
 My question is can I somehow support both simultaneously with the same 
 freeradius daemon (I know I can simply run a second daemon on different 
 port supporting the other but that will require me to do lots of work on 
 infrastructure/ssids to point to different servers)?  Does anybody 
 happen to have this working and be willing to post config?  Or any other 
 ideas?
   Yes.  If you configure the server to know about the users clear-text
 password or NT-hashed password, then PEAP/GTC should just work.

   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Alan DeKok
Colleen C. Morrissey wrote:
 I spoke too soon.  This works ok for a user/password in users file, but 
 not via LDAP.  Via ldap mschap works but not gtc.  Below is snippet of 
 output when it is failing.  Any advice on how to fix would be appreciated:
 [EMAIL PROTECTED] raddb]# more gtc_info
 modcall: entering group authenticate for request 502
rlm_eap: Request found, released from the list
rlm_eap: EAP/gtc
rlm_eap: processing type gtc

  ... which sends the clear-text password to the server.

Processing the authenticate section of radiusd.conf
 modcall: entering group PAP for request 502
 rlm_pap: login attempt with password blah
 rlm_pap: Using NT encryption.

  Why?  If you have the clear-text password on the server, you can just
compare the two.  There's no need to configure rlm_pap to do the NT hash.

 radius_xlat: Running registered xlat function of module mschap for 
 string 'NT-Hash blah'
rlm_mschap: Unknown expansion string NT-Hash blah
 radius_xlat:  ''

  That's a bug which will be fixed in 1.1.7, but it shouldn't affect you...

  Alan Dekok.


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-19 Thread Colleen C. Morrissey

Hi,


   Why?  If you have the clear-text password on the server, you can just
 compare the two.  There's no need to configure rlm_pap to do the NT hash.
 

I don't have the clear text password.  Your original reply said this 
would work with clear text password or nt hash.  I have the NT hash 
and/or I can get the SHA1 base 64 encoded password (which was working 
with gtc by itself).  Can I get pap/gtc to work with the NT hash password?
I don't manage the ldap service so getting the clear text password will 
not be easy and may not be possible organizationally.   Thanks.





Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-13 Thread Alan Dekok
Colleen C. Morrissey wrote:
 My question is can I somehow support both simultaneously with the same 
 freeradius daemon (I know I can simply run a second daemon on different 
 port supporting the other but that will require me to do lots of work on 
 infrastructure/ssids to point to different servers)?  Does anybody 
 happen to have this working and be willing to post config?  Or any other 
 ideas?

  Yes.  If you configure the server to know about the users clear-text
password or NT-hashed password, then PEAP/GTC should just work.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Support for PEAP-Mschapv2 and PEAP-GTC simultaneously?

2007-06-13 Thread Colleen C. Morrissey
Thanks!  I had ldap returning Password-with-Header for GTC deployment 
and then added NT-Password for ms-chapv2.  Commenting out the 
password-with-header for userpassword in ldap.attrmap seems to allow 
both to work.  Which makes my life much easier :)

Alan Dekok wrote:
 Colleen C. Morrissey wrote:
 My question is can I somehow support both simultaneously with the same 
 freeradius daemon (I know I can simply run a second daemon on different 
 port supporting the other but that will require me to do lots of work on 
 infrastructure/ssids to point to different servers)?  Does anybody 
 happen to have this working and be willing to post config?  Or any other 
 ideas?
 
   Yes.  If you configure the server to know about the users clear-text
 password or NT-hashed password, then PEAP/GTC should just work.
 
   Alan DeKok.
 --
   http://deployingradius.com   - The web site of the book
   http://deployingradius.com/blog/ - The blog


Re: Support for MySQL Stored Procedures in FreeRADIUS 2.0?

2007-05-16 Thread Alan Dekok
Gunther wrote:
 Will there be support for MySQL Stored Procedures in 2.0?
 FreeRADIUS 2.0.0-pre1 does not yet support SP in MySQL.

  The idea is to put the patch in 1.1.7 and 2.0.0.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Support for Cisco PIX

2007-03-15 Thread Ludovic DOIT

Hi,

This /etc/freeradius/users file works with Cisco Aironet
(used for authentication on access points; an ssh connection gives enable
access directly):


normaluser  Auth-Type := Local, User-Password == normaluser

superuser   Auth-Type := Local, User-Password == superuser
 Cisco-AVPair = shell:priv-lvl=15,
 Service-Type = Administrative-User

Perhaps it also works with Pix...

Regards,

Ludo




Hi,

Does FreeRADIUS support Level 15 authentication for Cisco PIX?

Regards,
Norman Zhang

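Since an entry like the superuser one above hands out enable-level access on every device that authenticates against this server, it is worth being able to list such grants mechanically. Here is an added example (my own Python, not FreeRADIUS's rlm_files parser) that reads the users-file subset shown in the post (name plus check items in column 0, indented reply items, '#' comments) and reports who receives Administrative-User or priv-lvl=15 and which entries keep a clear-text password in the file itself; the sample text is a constructed copy of the two entries above with one extra quoted reply item.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Item = Tuple[str, str, str]   # (attribute, operator, value)
_OPS = r"(:=|==|\+=|!=|>=|<=|=~|!~|=)"
_ITEM_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*" + _OPS + r"\s*(.*?)\s*$")

# Constructed copy of the two entries from the post, plus one quoted reply item.
SAMPLE_USERS = """\
# users file excerpt (constructed for this example)
normaluser  Auth-Type := Local, User-Password == normaluser

superuser   Auth-Type := Local, User-Password == superuser
\tCisco-AVPair = shell:priv-lvl=15,
\tService-Type = Administrative-User,
\tReply-Message = "Welcome, admin"
"""


@dataclass
class Entry:
    name: str
    check: List[Item]
    reply: List[Item] = field(default_factory=list)


def _split_items(line: str) -> List[str]:
    """Split on commas that are not inside double quotes."""
    parts, cur, quoted = [], [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        if ch == "," and not quoted:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def _parse_item(text: str) -> Item:
    m = _ITEM_RE.match(text)
    if not m:
        raise ValueError(f"cannot parse item: {text!r}")
    attr, op, value = m.groups()
    return attr, op, value.strip('"')


def parse_users(text: str) -> List[Entry]:
    """Entries start in column 0 (name, then check items); the indented lines
    that follow hold reply items. A '#' starts a comment (values containing
    '#' are not handled, which the subset above does not need)."""
    entries: List[Entry] = []
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        if not raw[0].isspace():
            parts = line.split(None, 1)
            name, rest = parts[0], parts[1] if len(parts) > 1 else ""
            current = Entry(name, [_parse_item(i) for i in _split_items(rest)])
            entries.append(current)
        elif current is None:
            raise ValueError("reply item before any entry")
        else:
            current.reply.extend(_parse_item(i) for i in _split_items(line))
    return entries


def audit(entries: List[Entry]) -> Dict[str, List[str]]:
    """Per-entry findings: administrative grants, and clear-text passwords kept in the file."""
    findings: Dict[str, List[str]] = {}
    for e in entries:
        notes = []
        for attr, _op, value in e.reply:
            if attr == "Service-Type" and value == "Administrative-User":
                notes.append("Service-Type Administrative-User")
            if attr == "Cisco-AVPair" and "priv-lvl=15" in value:
                notes.append("Cisco priv-lvl=15")
        for attr, op, _value in e.check:
            if attr in ("User-Password", "Cleartext-Password"):
                notes.append(f"clear-text password in users file ({attr} {op})")
        if notes:
            findings[e.name] = notes
    return findings


def admins(entries: List[Entry]) -> List[str]:
    """Names that receive either form of administrative access."""
    report = audit(entries)
    return sorted(n for n, notes in report.items()
                  if any(not note.startswith("clear-text") for note in notes))
```

The User-Password == form is the 1.x way of telling the server a user's password; on 2.x and later the equivalent check item is Cleartext-Password :=, which the audit flags under the same heading because either one leaves the credential readable by anyone who can read the configuration.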

Re: Support of MSCHAPV2 over EAP-TTLS

2007-03-05 Thread A . L . M . Buxey
Hi,

   I am using Freeradius version 1.1.3 for EAP-TTLS testing. I am testing for
 EAP-TTLS with tunneled authentication type as MSCHAPV2.
   I suspect it fails, because it sends back Access-Accept instead of sending
 back the MS-CHAP2-Success encrypted over TLS protocol. Please find the trace
 below.

we've had no problem with EAP-TTLS with MSCHAPv2 - you can't play with
User-Name etc - just ensure you are allowing the reply to be tunneled
in eap.conf.

however, if you try changing reply attributes (eg VLAN) then it doesn't
work - should be fixed in 1.1.5

alan


Re: Support of MSCHAPV2 over EAP-TTLS

2007-03-05 Thread awaneesh kumar
Hi,
   
  Please find the eap.conf attached with this email. This is the file which
  I am using for testing MS-CHAPV2 over TTLS.
  I am not sure what is wrong with this configuration.
   
  Thanks in advance.

# -*- text -*-
#
#  Whatever you do, do NOT set 'Auth-Type := EAP'.  The server
#  is smart enough to figure this out on its own.  The most
#  common side effect of setting 'Auth-Type := EAP' is that the
#  users then cannot use ANY other authentication method.
#
#   $Id: eap.conf,v 1.4.4.3 2006/04/28 18:25:03 aland Exp $
#
eap {
#  Invoke the default supported EAP type when
#  EAP-Identity response is received.
#
#  The incoming EAP messages DO NOT specify which EAP
#  type they will be using, so it MUST be set here.
#
#  For now, only one default EAP type may be used at a time.
#
#  If the EAP-Type attribute is set by another module,
#  then that EAP type takes precedence over the
#  default type configured here.
#
#default_eap_type = md5
default_eap_type = ttls
#default_eap_type = peap

#  A list is maintained to correlate EAP-Response
#  packets with EAP-Request packets.  After a
#  configurable length of time, entries in the list
#  expire, and are deleted.
#
timer_expire = 60

#  There are many EAP types, but the server has support
#  for only a limited subset.  If the server receives
#  a request for an EAP type it does not support, then
#  it normally rejects the request.  By setting this
#  configuration to yes, you can tell the server to
#  instead keep processing the request.  Another module
#  MUST then be configured to proxy the request to
#  another RADIUS server which supports that EAP type.
#
#  If another module is NOT configured to handle the
#  request, then the request will still end up being
#  rejected.
ignore_unknown_eap_types = no

# Cisco AP1230B firmware 12.2(13)JA1 has a bug.  When given
# a User-Name attribute in an Access-Accept, it copies one
# more byte than it should.
#
# We can work around it by configurably adding an extra
# zero byte.
cisco_accounting_username_bug = no

# Supported EAP-types

#
#  We do NOT recommend using EAP-MD5 authentication
#  for wireless connections.  It is insecure, and does
#  not provide for dynamic WEP keys.
#
md5 {
}

# Cisco LEAP
#
#  We do not recommend using LEAP in new deployments.  See:
#  http://www.securiteam.com/tools/5TP012ACKE.html
#
#  Cisco LEAP uses the MS-CHAP algorithm (but not
#  the MS-CHAP attributes) to perform its authentication.
#
#  As a result, LEAP *requires* access to the plain-text
#  User-Password, or the NT-Password attributes.
#  'System' authentication is impossible with LEAP.
#
leap {
}

#  Generic Token Card.
#
#  Currently, this is only permitted inside of EAP-TTLS,
#  or EAP-PEAP.  The module challenges the user with
#  text, and the response from the user is taken to be
#  the User-Password.
#
#  Proxying the tunneled EAP-GTC session is a bad idea,
#  the user's password will go over the wire in plain-text,
#  for anyone to see.
#
gtc {
#  

Re: Support for Sub-TLVs within VSA TLVs

2006-10-22 Thread Alan DeKok
Santhosh Thodupunoori [EMAIL PROTECTED] wrote:
 Does Freeradius have support for Sub-TLVs inside VSA TLVs today?

  No.

 If Freeradius does not currently support sub-attributes, is there a plan to
 support this in future?

  Sure.  Send in a patch.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog
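For the sub-TLV question, here is an added example (my own Python, not FreeRADIUS code) of what decoding nested TLVs inside a vendor attribute value involves: each level is a type byte, a length byte that includes the two header bytes, and a value, and a schema decides which types are containers to descend into. The container type numbers and the sample values are constructed placeholders, not anything from a real vendor dictionary.

```python
from typing import Any, Dict, List, Set, Tuple

Path = Tuple[int, ...]
Tree = List[Tuple[int, Any]]          # value is bytes, or a nested Tree for containers

# Constructed schema: sub-attribute types (addressed by their full path) that are
# TLV containers. Real numbers would come from the vendor dictionary.
CONTAINERS: Set[Path] = {(1,), (1, 3)}


def parse_tlvs(data: bytes, path: Path = (), containers: Set[Path] = CONTAINERS) -> Tree:
    """Decode type/length/value sub-attributes (length counts the 2 header bytes),
    descending into the types the schema marks as containers."""
    out: Tree = []
    i = 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError(f"truncated TLV header inside {path}")
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError(f"bad TLV length {length} at {path + (t,)}")
        value = data[i + 2:i + length]
        key = path + (t,)
        out.append((t, parse_tlvs(value, key, containers) if key in containers else value))
        i += length
    return out


def encode_tlvs(tree: Tree) -> bytes:
    """Inverse of parse_tlvs; a list value is encoded as a nested container."""
    out = bytearray()
    for t, value in tree:
        body = encode_tlvs(value) if isinstance(value, list) else value
        if len(body) + 2 > 255:
            raise ValueError(f"sub-attribute {t} too long for a one-byte length")
        out += bytes([t, 2 + len(body)]) + body
    return bytes(out)


def flatten(tree: Tree, prefix: str = "") -> Dict[str, bytes]:
    """Dotted-path view, e.g. '1.3.7' for type 7 inside 3 inside 1."""
    flat: Dict[str, bytes] = {}
    for t, value in tree:
        name = f"{prefix}{t}"
        if isinstance(value, list):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat


def sample_tree() -> Tree:
    """Constructed value: container 1 holding leaf 2 and container 3 (with leaf 7), then leaf 5."""
    return [(1, [(2, b"\x01"), (3, [(7, b"abc")])]), (5, b"zz")]
```

Each nesting level checks its lengths against the enclosing value before slicing, so a corrupt inner length is reported at the path where it occurs rather than reading past its container; the flatten helper produces the dotted names a dictionary lookup would need.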


Re: Support for disconnect request and ACK messages

2006-09-04 Thread Alan DeKok
Shankar Ganesh C [EMAIL PROTECTED] wrote:
 Can any body help me how to add the support for disconnect request and ack
 in freeradius ?

  This is more a question for the freeradius-devel list.

  And my suggestion is to first get familiar with the server.  The
code is reasonably well organised, so if you have *specific* questions
about what to do, they may be answered.

  Alan DeKok.
--
  http://deployingradius.com   - The web site of the book
  http://deployingradius.com/blog/ - The blog


Re: Support for EAP and LDAP?

2004-10-28 Thread Alan DeKok
Scott J. Wolke [EMAIL PROTECTED] wrote:
I'm trying to get away from Steel Belted Radius and after realizing 
 that Freeradius can't auth against LDAP using EAP

  FreeRADIUS can obtain user passwords from an LDAP database, and use
those passwords to perform EAP authentication.

  No RADIUS server in the world can send EAP requests to an LDAP
database, and have the LDAP database authenticate the user.  This is
because no LDAP database in the world supports EAP.

 does anyone have an idea if this is going to be supported in the
 future... and if yes... do you have an idea of when?  Not looking
 for an exact date... just an idea.

  It will be supported in FreeRADIUS once an LDAP server supports EAP.
That is, probably never.

  There are many sites deployed today which are using FreeRADIUS to
implement EAP authentication, and storing passwords in an LDAP
database.  It's easy.  Just list ldap in the authorize section,
where it's currently commented out, and ensure that the LDAP database
contains clear-text passwords for the users.

  Alan DeKok.



Re: Support of MS-CHAP

2004-09-20 Thread Alan DeKok
Gil Shai [EMAIL PROTECTED] wrote:
 I've noticed that freeradius 1.0 supports MS-CHAP but when I looked at
 the code, I didn't find any trace of an option to periodically change
 the password using MS-CHAP.

  FreeRADIUS doesn't implement RADIUS change password packets,
either.

 Does anyone know why this option is not supported in freeradius?

  There are simply too many security problems with obtaining the users
new password over a network connection.

  Alan DeKok.




RE: Support of MS-CHAP

2004-09-20 Thread Gil Shai
Hi

Thanks for the reply. 

I've read about the security related problems of changing a password
over MS-CHAP and MS-CHAP v2 and saw that there are servers which are not
supporting the change password packet. However, some access servers
(Cisco) and RADIUS servers(IAS) do support it.

Is there any chance that FreeRADIUS will support it in the near future?

Thanks,
Gil Shai



Re: Support of MS-CHAP

2004-09-20 Thread Alan DeKok
Gil Shai [EMAIL PROTECTED] wrote:
 Is there any chance that FreeRADIUS will support it in the near future?

  Sure, supply a patch.

  Alan DeKok.



RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Hi

I still have not got any support for the question I asked today. Please help me
with this.

Hi,

Could you tell me how I could use cron to send a mail to me
automatically every day at 12 midnight with the

/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


Thanks in advance.





RE: Support Needed

2004-04-08 Thread Steinberger, Jacob
 Could you tell me how I could use cron to send me a mail to me,
 automatically every day at 12 midnight with the
 
 /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x
  file.
 
 
 Thanks in advance.
 


That's not a question for the FreeRADIUS list, as it isn't a problem with FreeRADIUS.
You might try posting to a basic Unix administration list.

Jacob



RE: Support Needed

2004-04-08 Thread Troy Winemiller
Not really a freeradius problem.

Give this a look.

http://www.linuxquestions.org/questions/showthread.php?s=forumid=46threadid=163805





RE: Support Needed

2004-04-08 Thread Dennis Skinner
On Thu, 2004-04-08 at 14:41, M.Bilal Fassy wrote:
 Hi
 
 I still not get any support for the question i asked today. Please help me
 with this .

Perhaps because this is not a FreeRADIUS question?

man cron
man sendmail
man bash

Any other work on your plate you need us to do for you?

 Hi,
 
 Could you tell me how I could use cron to send me a mail to me,
 automatically every day at 12 midnight with the
 
 /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
 
 
 Thanks in advance.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com




RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Dear Troy,

The URL you had given below does not state anything.




RE: Support Needed

2004-04-08 Thread M.Bilal Fassy
Yes, I understand it's not a FreeRADIUS question, but has anyone done this
before? I ask because I'm using FreeRADIUS for H.323 records.




RE: Support Needed

2004-04-08 Thread Mike Ockenga

 The URL you had given bellow does not sate anything.
 

Yes, actually, it does.

-- 
__ 
Mike Ockenga, CCNP  [EMAIL PROTECTED] 



Re: Support Needed

2004-04-08 Thread Alan Russell
 Hi

 I still not get any support for the question i asked today. Please help me
 with this .

 Hi,

 Could you tell me how I could use cron to send me a mail to me,
 automatically every day at 12 midnight with the

 /usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.


 Thanks in advance.





Write a shell script that will cat the file you want to have mailed to you,
e.g.

#!/bin/bash

cat /tmp/filnamexxx

Then edit your crontab (crontab -e) to run the script nightly.  Check to
make sure that /etc/crontab has MAILTO= set.  If so, any cron job that
runs will be mailed to this address.

Alan Russell


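Putting Alan Russell's steps together in an added example (my own Python, not anything from FreeRADIUS): a script for the crontab that prints the previous day's detail file for one NAS, prefixed by a record count by Acct-Status-Type, so that cron's MAILTO delivers it. It assumes the layout in the question, <radacctdir>/<NAS-IP>/detail-YYYYMMDD, and the detail module's record format (an unindented timestamp line, tab-indented attributes, a blank line between records); the sample records and the NAS address are constructed.

```python
import datetime as dt
import os
import sys
from collections import Counter
from typing import Dict, List, Optional

RADACCT_DIR = "/usr/local/var/log/radius/radacct"   # the path from the question

# Constructed sample in the detail module's layout: an unindented timestamp line
# per record, tab-indented attributes, a blank line between records.
SAMPLE_DETAIL = """\
Thu Apr  8 00:01:02 2004
\tUser-Name = "alice"
\tAcct-Status-Type = Start
\tAcct-Session-Id = "0000001A"
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1081404062

Thu Apr  8 00:05:09 2004
\tUser-Name = "alice"
\tAcct-Status-Type = Stop
\tAcct-Session-Id = "0000001A"
\tAcct-Session-Time = 247
\tNAS-IP-Address = 192.0.2.10
\tTimestamp = 1081404309

"""


def day_before(yyyymmdd: str) -> str:
    """Stamp of the file a midnight job should send: the day that just ended."""
    day = dt.datetime.strptime(yyyymmdd, "%Y%m%d").date()
    return (day - dt.timedelta(days=1)).strftime("%Y%m%d")


def detail_path(nas_ip: str, yyyymmdd: str, radacct_dir: str = RADACCT_DIR) -> str:
    """<radacctdir>/<NAS-IP>/detail-YYYYMMDD, the layout named in the question."""
    return os.path.join(radacct_dir, nas_ip, f"detail-{yyyymmdd}")


def parse_detail(text: str) -> List[Dict[str, str]]:
    """Split a detail file into records of attribute -> value (quotes stripped)."""
    records: List[Dict[str, str]] = []
    current: Optional[Dict[str, str]] = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():                 # a timestamp line opens a record
            current = {"_timestamp": line.strip()}
            records.append(current)
        elif current is not None:
            attr, _, value = line.strip().partition(" = ")
            current[attr] = value.strip('"')
    return records


def summarize(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Record count by Acct-Status-Type (Start/Stop/Interim-Update ...)."""
    return dict(Counter(r.get("Acct-Status-Type", "unknown") for r in records))


def build_report(nas_ip: str, yyyymmdd: str, text: str) -> str:
    """The mail body: a one-line summary, then the raw file."""
    records = parse_detail(text)
    summary = ", ".join(f"{k}={v}" for k, v in sorted(summarize(records).items()))
    return (f"Accounting detail for NAS {nas_ip}, {yyyymmdd}: "
            f"{len(records)} records ({summary})\n\n{text}")


def report_for(nas_ip: str, yyyymmdd: str, radacct_dir: str = RADACCT_DIR) -> str:
    """Read the file for the day; a missing file yields a notice, not a failed job."""
    path = detail_path(nas_ip, yyyymmdd, radacct_dir)
    if not os.path.isfile(path):
        return f"No detail file for NAS {nas_ip} on {yyyymmdd} ({path})\n"
    with open(path, encoding="utf-8", errors="replace") as fh:
        return build_report(nas_ip, yyyymmdd, fh.read())


if __name__ == "__main__":
    # crontab entry (cron mails the job's stdout to MAILTO, as the reply says):
    #   0 0 * * *  /usr/local/bin/mail_detail.py 192.0.2.10
    # At midnight the new day's file has only just been opened, so send the day before.
    nas = sys.argv[1]
    stamp = sys.argv[2] if len(sys.argv) > 2 else day_before(dt.date.today().strftime("%Y%m%d"))
    sys.stdout.write(report_for(nas, stamp))
```

Run from cron at midnight the job sends the day that just ended, because the current day's file is still empty at that point; an explicit second argument lets the same script resend any earlier day by hand.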