If I remember correctly the development package for MySQL that comes from sunfreeware
puts the files in the wrong location for freeradius to look for them. You can specify
the location of the files or you can download the source and install from that.
Solaris 8 and 9 fixed the location
Hello,
I want to use EAP/MD5 and Ldap. EAP/MD5 config
is ok, but ldap config is not Ok.
Have you got example of radiusd.conf, users for
EAP/MD5 and Ldap.
Thanks,
Thanks to Jeson.
The MYSQL package is downloaded from sunfreeware and installed directly by pkgadd
command.
I am sure there are development header and lib included. Files in the lib directory
are as follows:
libdbug.a libmygcc.a libmysqlclient.a libmysqlclient_r.a
Nathan Kufner wrote:
I was under the impression that SMUX/SNMP was integral to the radius
server.
It can be :)
I am still unsure as to what functionality I just turned off.
What does having SNMP (dis|en)abled on freeRadius mean for the radius
server? What kind of functionality do I gain or lose
Hi.
code from rlm_preprocess.c:
if ((vp->attribute & 0x) == 1) {
char *p;
DICT_ATTR *dattr;
p = vp->strvalue;
getword(&p, newattr, sizeof(newattr));
Hi there!
I am trying to set up radiusd to authenticate against kerberos (Windows
2003 AD). The rlm_krb5 module didn't compile from 0.8.1, but i got it now
as i upgraded my radiusd to a cvs snapshot.
What configuration options should be passed to rlm_krb5 in modules
-section? Now it is there w
Hi:
I'm trying to test EAPOL-Key (4-way and group key handshaking) exchange between the AP and the STA (Win XP-SP1-WPA).
I'm able to do 802.1X authentication, but when I send the 1st EAPOL-Key message (as defined in WPA/11i drafts) from the AP to the STA, the STA doesn't respond back with any
Hi,
Please make sure you have the MySQL development package. To compile the
rlm_sql_mysql module, FreeRADIUS needs the include files from the MySQL development package.
Enjoy it!
Jeson
Welcome to: http://www.zyxel.com
[EMAIL PROTECTED]
2003-06-04
=== 2003-06-04 15:57:0
Hi,all
I want to use freeradius with mysql support under Solaris sparc 2.7. I meet
the same
problem as many newbies when I start radiusd:
rlm_sql (sql): Could not link driver rlm_sql_mysql: file not found
rlm_sql (sql): Make sure it (and all its dependent libraries!) are
Title: Multiple attributes
I am using freeradius snapshot 20030603 and the server comes up fine and will authenticate. The problem I have is now the server will not return multiple values for one attribute. I have 3 other servers running 0.8.1 and they will return the attributes correctly.
Hi Dan,
Excellent! It is great to know that you are using Squid with Freeradius,
that's exactly what I want to do too. I want Squid to authenticate the http
requests using Freeradius and I also want Squid to perform transparent
proxying so that users from another network do not have to change their
That is, if Squid receives a http request from a client, it first verifies
this client with a Radius Server to make sure that this client is a valid user
before servicing the http request and fetching the requested web page for the
client.
>>> [EMAIL PROTECTED] 06/04/03 10:55AM >>>
What do you mea
I'm using the latest version of freeradius with Solaris 9. It seems to work
fine, but radwho doesn't show anything, and the radutmp size is zero. I
enabled snmp at the Cisco NAS already. I don't know how to solve this problem. Can somebody
help?
Thanks in advance
Chaidan Mingmuang
-
We're using squid with freeradius as the authentication "engine". As
far as I know, you can't have a transparent + authenticating proxy. If
it's authenticating, then it has to be non-transparent.
It's actually very easy. You just need to set up the Squid ACL's right
(so that it requires auth
Sn is not stored correctly in LDAP for a userpassword. Why would you
want it to be sn anyway? If you are looking for a clear text password
then store it as chappassword. LDAP will store it correctly.
Userpassword needs to be userpassword.
Gene Parks
VIP Direct
-Original Message-
From:
What do you mean by "authenticate http requests" ?
Navid
On 2003.06.03 21:32, Wei Ming Long wrote:
Hi everyone,
I would like to use the proxy server Squid to perform transparent
proxying
and to authenticate http requests with Freeradius and was wondering if
anyone
has done it and would appreciate
Hi everyone,
I would like to use the proxy server Squid to perform transparent proxying
and to authenticate http requests with Freeradius and was wondering if anyone
has done it and would appreciate it if you could provide details(configuration
files) of how to setup Squid and Freeradius to do just
On Mon, Jun 02, 2003 at 07:51:56AM -0700, Sepp Rudel wrote:
> Hi,
>
> I've configured FreeRADIUS 0.8.1+OpenSSL 0.9.7b, Cisco
> AP 350 and a laptop with Linux+xsupplicant and
> WinXP+SP1.. With Linux+xsupplicant everything works
> like a charm but with WinXPSP1 after radiusd sends
> Access-Accept W
hi Pascal
as Alan already advised you, try to read the EAP/MD5 faq. what you keep
on posting is NOT an error. there CAN'T be any user-password attribute
with EAP/MD5 or CHAP methods.
thanks,
artur
Pascal PELONI wrote:
>
> My mistake : this is the good extract of the log file :
>
>
Then you don't have it set up correctly to use MySql. My users
file is empty. All my users are in MySql, as I suspect is the
case with most people who use it.
There are lots of questions about MySql in the archives and
lots of info in the docs to get it going.
Tim
> -Original Message-
Yes.
If you put "sql" in your "authorize" section of radius.conf there should be no
need to have users in the users file. Provided your sql.conf is setup
correctly.
Just make sure you comment out the "files" entry in your authorize section or
put "sql" before "files".
One you are correctly us
I am using mysql to populate my users list but I still have to insert each
user name into the users file in order for radius to recognize it. Is there
a way to set up a table in mysql and change a config setting so that I can
insert users dynamically without having to use the users file at all?
Th
And pick up a copy of the Radius book.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Steve
> Fulton
> Sent: Tuesday, June 03, 2003 4:30 PM
> To: [EMAIL PROTECTED]
> Subject: Re: How do I dynamically insert and delete users?
>
>
> > How do I dynamical
> How do I dynamically insert and delete users that the radius server will
> use? Modifying raddb/users each time is too cumbersome, isn't it?
SQL or LDAP with a front-end of some sort. Check the archives, there has
been plenty of discussion about it.
-- Steve.
-
List info/subscribe/unsubscri
Hi,
How do I dynamically insert and delete users that the radius server will use?
Modifying raddb/users each time is too cumbersome, isn't it? For my purpose the user
list is large and it changes very frequently.
Please suggest a solution. Thanks.
Regards,
Brian
--
___
I'm running an LDAPs server using a self-signed certificate. For my
purposes, that's OK. FreeRadius is telling me that it can't connect
to the LDAP server because there's a self-signed certificate in the chain.
I haven't been able to find the option to tell it that it's OK to accept
a self-signed
Hi,
I'm pretty new to FreeRadius, but I've at least got my implementation
partially working (radtest could authenticate and fail to authenticate
under correct circumstances against my LDAP server).
My next step is to set it up to authenticate XAUTH users on my
Netscreen for VPN purpo
Chris,
Thank you very much. I configured --with-snmp=no, make, make install
and I got the server up and running right away.
I was under the impression that SMUX/SNMP was integral to the radius
server. I am still unsure as to what functionality I just turned off.
What does having SNMP (dis|
If you don't need snmp support you can disable it in radius.cfg:
snmp= no
Otherwise you need to configure your snmpd for smux. Smux is used to
pass information to your snmp daemon.
In /etc/raddb/snmp.conf:
smux_password = your_secret
In /etc/snmp/snmpd.conf:
smuxpeer .1.3.6.1.4.1.3317.1.
On Tue, Jun 03, 2003 at 12:14:58PM -0500, Chris Parker wrote:
> At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >> There is no 'wrong' or 'right'. They simply do it different ways.
> >
> >So is it possible to make freeradius determine both?
>
> For what purpose? What do you want Freer
On Tue, Jun 03, 2003 at 02:04:26PM -0400, Puneet B wrote:
> Accounting Requests are slightly different if your NAS includes the attribute
> Acct-Delay-Time. This needs to be updated in each retransmit, and since now the
> contents of the packet change, a new Identifier is needed.
> Here is the re
> > It's not a dupe because it is different, that's the point. It is not
> > the same set of a/v pairs that was originally sent. I don't see anything
> > violating the RFC here.
>
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id. But then what the "duplicat
Alan DeKok wrote:
Mark Lavi <[EMAIL PROTECTED]> wrote:
So long as the list of RADIUS attributes don't get sent out in the
HTTP response. That's my biggest worry with the use of HTTP headers,
and with Apache.
I'm not sure what response you mean, the web browser/client's response
to the H
At 09:05 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
> At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> >> Hmm... Maybe I'm wrong here, assuming that
On Tue, Jun 03, 2003 at 11:53:48AM -0500, Chris Parker wrote:
> At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> >> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> >> packet with the same id.
> >
> >
You can't apply your criteria without considering the device. If you
want a NAS that
delivers accounting reliably. Your reading of the RFC is correct but the
RFC does not
specify what a NAS does once it reaches the end of its attempt to
deliver the Accounting. It
does not even give guidance as t
At 08:38 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id.
I think I'm not. Here's the PortMaster 2 example:
There is no 'wrong' or 'right'
Dear Steven Fries,
128-bit encryption is possible, because it's implemented in a way it
works, not in a way RFC says to do. RFC authors acknowledged problem in
RFC.
--Tuesday, June 3, 2003, 9:54:47 PM, you wrote to [EMAIL PROTECTED]:
SF> After reading one of the files that is in the docs/ d
After reading one of the files that is in the docs/ directory, it says 128-bit
encryption with mppe is not possible because of some confusion with the Cisco
RFC. Is this true? And if so, are there any current versions beyond 0.8.1?
I'm trying to use Radius to validate VPN PPTP users and am
On Tue, Jun 03, 2003 at 08:16:52PM +0400, Alexander M. Pravking wrote:
> Hmm... Maybe I'm wrong here, assuming that NAS should re-send
> packet with the same id.
I think I'm not. Here's the PortMaster 2 example:
rad_recv: Accounting-Request packet from host pm2:1026, id=168, length=129
Sun Jun 1
On Tue, Jun 03, 2003 at 10:52:45AM -0500, Chris Parker wrote:
> At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> It's not a dupe because it is different, that's the point. It is not
> the same set of a/v pairs that was originally sent. I don't see anything
> violating the RFC here.
Hmm
Using Ascend gear here is what works at our site:
Service-Type = Framed-User,
Framed-Protocol = PPP,
Ascend-Bridge = Bridge-Yes,
Ascend-DHCP-Reply = DHCP-Reply-Yes,
Ascend-DHCP-Pool-Number = 3,
Ascend-Assign-IP-Pool = 3,
Framed-Netmask = 255.255.255.255,
Ascend-Link
My mistake : this is the good extract of the log file :
Auth: Login incorrect: [tst1/]
At 17:24 03/06/2003 +0200, you wrote:
I forget to say that :
1. the authentication works well with radtest !
$ radtest tst1 pp 127.0.0.1 1 test
Sending Access-Request of id 68 to 127.0
At 07:45 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >I discovered that our Cisco 5200 resends acct-requests (not sure about
> >auth-requests) with different request identi
On Tue, Jun 03, 2003 at 07:06:38AM -0700, Jim Underwood wrote:
> That's what those acct-session-ids are for...
Don't think developers will hack radius for this very Cisco's bug :)
--
Fduch M. Pravking
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hola:
It depends on which hardware you use. We have Ascend MAX 6x/TNTs and
these attributes seem to work (not using them currently, but did
in the past):
[EMAIL PROTECTED] radius]# grep DNS /etc/raddb/dictionary.ascend
ATTRIBUTE X-Ascend-Client-Primary-DNS 135 ipaddr
ATTRIBU
On Tue, Jun 03, 2003 at 09:14:01AM -0500, Chris Parker wrote:
> At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
> >I discovered that our Cisco 5200 resends acct-requests (not sure about
> >auth-requests) with different request identifiers, which violates
> >RFC 2866. Here is sample debug o
I forget to say that :
1. the authentication works well with radtest !
$ radtest tst1 pp 127.0.0.1 1 test
Sending Access-Request of id 68 to 127.0.0.1:1812
User-Name = "tst1"
User-Password =
"\323\366\273\363\371Z\250]\231(w\265?\346G\253"
Having this basic user configuration
linus Auth-Type = Local, Password = 'password'
Service-Type = Framed-User,
Framed-Protocol = PPP,
Framed-IP-Address = 192.168.28.152,
Framed-IP-Netmask = 255.255.255.255,
Framed-Routing = Broadcast-Listen,
Framed-M
If configured correctly the "Simultaneous-Use =1" parameter will limit
simultaneous logins into THAT RADIUS server to 1. If you have 1 or
fifty NAS devices pointed at the same RADIUS server with
Simultaneous-Use = 1 set for a user, that user will only be allowed to
login once no matter which N
Hey Alex,
Try using "aaa accounting delay-start"... This may help.
I use it on our 5800 to get accounting IP addresses correctly from the NAS.
Mike
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alexander M. Pravking
Sent: Tuesday, June 03, 2003 8:53 AM
T
I've already read the FAQ and the README's, but it still doesn't work.
Here is part of my config :
radiusd.conf
modules {
eap {
default_eap_type = md5
md5 {
}
}
}
authorize {
eap
}
authenticate {
eap
}
cl
On Thu, 8 May 2003, Alan DeKok wrote:
> [EMAIL PROTECTED] wrote:
> > support multiple Replicate-To-Realm attributes in the acct_users file? Can
> > I do something like this in acct_users and is it supported?:
>
> The server no longer supports Replicate-To-Realm. Similar
> functionality can be a
Thanks for the information. I am not sure what version I am using. It was
the latest and greatest compile from the web site.
I can modify the radtest to manually enter more attributes. That might work.
Does anyone know how to configure the radtest script (or create a new one)
to do LEAP authentica
excellent! cheers very much!
Rob.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Michael
> Hardrick
> Sent: 03 June 2003 14:44
> To: [EMAIL PROTECTED]
> Subject: RE: dynamic ip addresses
>
>
> Change these two.
>
> Framed-IP-Address = 255.255.255.2
Q: I have 4 usrhipers setup for dial in. If customer A dials into arc 1
and then dials in again and gets a modem on arc 2, will they be denied
access if the Simultaneous-Use is set to 1. Or will it only check if
they are attempting to connect to the same arc as the original
connection?
Jeff
-
L
The City of Greater Sudbury has detected virus W32/[EMAIL PROTECTED] in an attachment
movie.pif from <[EMAIL PROTECTED]> to
<[EMAIL PROTECTED]> . Please be advised that the e-mail did not get forwarded to the
recipient(s)
listed above. The City of Greater Sudbury does not accept infected mail onto
At 05:53 PM 6/3/2003 +0400, Alexander M. Pravking wrote:
I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates
RFC 2866. Here is sample debug output (note the id's!):
Acct-Delay-Time has changed. It is not the same
That's what those acct-session-ids are for...
Alexander M. Pravking wrote:
I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates
RFC 2866. Here is sample debug output (note the id's!):
rad_recv: Accounting-Request
Hello all,
I have tried to search for this problem in the lists and with google,
but to no avail :( Anyway I am setting up freeRadius for the first time
and when I start it I get:
[snip]
SMUX connect try 1
SMUX open oid: 1.3.6.1.4.1.3317.1.3.1
SMUX open progname: radiusd
SMUX open password:
I discovered that our Cisco 5200 resends acct-requests (not sure about
auth-requests) with different request identifiers, which violates
RFC 2866. Here is sample debug output (note the id's!):
rad_recv: Accounting-Request packet from host cisco-5200:1646, id=205, length=119
Sun Jun 1 13:57:15 200
61 matches