> "Bill" == Bill <[EMAIL PROTECTED]> writes:
Bill> I recently switched from Cistron to FreeRadius 0.9.1. I just noticed
Bill> that FreeRadius is periodically rejecting customer's passwords when the
It sounds like fre
Hi,
I have a situation that I need to configure.
I did not find in archives, thus hoping some one
could shed some light.
I need to configure 2 realms.
Both of them need to use TTLS with different LDAP servers
that use TLS for communication.
Any tips how to configure this ?
Any samples ?
Thank y
"Javier Santos" <[EMAIL PROTECTED]> wrote:
> I have permitted tcp/udp 1812/1813 ports in iptables rules.
>
> Are there more ports that I must permit?
No. And RADIUS doesn't use TCP, so you can block TCP 1812/1813.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.
Hello,
I have freeradius running on my Linux server.
Users who telnet to my Cisco router are authenticated with RADIUS.
In order to protect the server I am running iptables rules.
When I start iptables, I cannot telnet into the Cisco router (access denied).
I have permitted tcp/udp 1812/1813 ports
Hello,
I am running freeradius on my Linux server, and I am authenticating users of
my Cisco router on RADIUS.
I have a firewall on my Linux server with iptables.
When iptables is started I have a problem with the RADIUS
authentication (I cannot telnet into the router, access denied).
What would the syntax look like to prevent the outer tunnel from
calling post-auth? They both have the same realm.
How about just preventing an anonymous user ?
> -Original Message-
> From: Alan DeKok [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 24, 2003 2:54 PM
> To: [EMAIL PROTEC
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> It looks like the inner tunnel calls
>
> rp_default_postauth (rlm_exec) for request 30
For the tunneled version of the request.
> then it is called again
> calling rp_default_postauth (rlm_exec) for request 30
For the outer version of the request.
>
It looks like the inner tunnel calls
rp_default_postauth (rlm_exec) for request 30
then it is called again
calling rp_default_postauth (rlm_exec) for request 30
when the Access-Accept is sent back to the AP.
Is that expected behavior?
Thanks,
Ron.
TTLS: Got tunneled reply RADIUS code
Yeah, that was it, a bad MSCHAPv2 password. It does
work for a local user. Thanks!
There still is another problem with TTLS.
It looks like the post-auth module (i.e. exec-program) is called twice:
once with the correct user name, then again with the anonymous user
name.
Ron.
Fri Oct 24 10:36:14
Hi,
I have looked into Archives, but did not locate
information.
Just wanted to know if FreeRadius supports:
a) Customized log formats for Accounting.
What are other formats supported ?
b) In REPLY: Access-Accept/Reject: an option to
turn on/off encapsulation for AV pairs.
I understand some
[EMAIL PROTECTED] wrote:
> SSL is 0.9.7c, FreeRadius is a CVS snapshot downloaded this morning
It appears that you have multiple versions of OpenSSL installed, and
the server is compiled using one, but is using another when you run
it.
Alan DeKok.
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> This is the line that is failing. The status is
> PEAP_STATUS_SENT_TLV_FAILURE. How does this get set ?
It appears that the client is sending this to the server. It means
that the client didn't like the server's EAP-MSCHAPv2 response.
> How can we c
> I know that vpn (in my situation I use AES in esp and ike) is a
> perfect (about) solution.
> In my infrastructure vpn authenticates machines/computer/box
> (network card) and radius authenticates users.
Is this a wireless environment? How are you using Radius? The user
typically never sees
> Which version of OpenSSL are you running against, and which version was
> the server compiled against?
SSL is 0.9.7c, FreeRadius is a CVS snapshot downloaded this morning
Silvio
> files: acctusersfile = "/usr/local/etc/raddb/acct_users"
> > files: preproxy_usersfile = "/usr/local/etc/raddb/preproxy_users"
> > files: compat = "no"
> > Module: Instantiated files (files)
> > Module: Loaded Acct-Unique-Session-Id
> >
When the AP is restarted, the clients will have to reassociate. During
the association phase is when a client MAC auth is performed. Since the
clients have to do this anyway to regain access, there shouldn't be an
issue there. I've never seen this sort of behavior with my AP-2Ks. New
RADIUS req
This is the line that is failing. The status is
PEAP_STATUS_SENT_TLV_FAILURE. How does this get set ?
How can we check versions of PEAP ?
Ron.
peap.c
} else if (t->status == PEAP_STATUS_SENT_TLV_FAILURE) {
DEBUG2(" rlm_eap_peap: RML_MODULE_REJECT 2");
return RLM_MODULE_RE
<[EMAIL PROTECTED]> wrote:
> Could it be that there is something wrong with my certificates?
It's a possibility.
> I used "standard" OpenSSL certs. Where can I find more Information
> what exactly freeradius wants for private_key_file,
> certificate_file, CA_file, dh_file (especially CA_file).
/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d"
> detail: detailperm = 384
> detail: dirperm = 493
> detail: locking = no
> Module: Instantiated detail (detail)
> Module: Loaded radutmp
> radutmp: filename = "/usr/local/var/log/radius/radutmp"
> radutmp: username
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> Here's the line of code, type 25 is PEAP, but no handler
Yes... it's clear as to what line of the source prints the message.
What's not clear is *why* the PEAP module is failing.
The debug output SHOULD contain information which lets you track
do
Here's the line of code, type 25 is PEAP, but no handler
if (eaptype_call(inst->types[eaptype->type],
handler) == 0) {
DEBUG2(" rlm_eap: Handler failed in EAP type %d",
eaptype->type);
return EAP_INVALID
I am testing with Windows XP/peap, through a Cisco 350 AP to FreeRadius.
Ron.
> -Original Message-
> From: Ron Wahler
> Sent: Friday, October 24, 2003 10:20 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Peap Testing problem
>
> Ok, I had a bad config, I fixed that. So here is the debug for
Ok, I had a bad config, I fixed that. So here is the debug for PEAP.
Still failing on
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap_peap: Tunneled data is
valid.
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Handler failed in EAP type
25
Fri Oct 24 08:33:52 2003 : Debug: rlm_eap: Failed in EAP sel
I didn't change much at all, I think...
However I changed back to the radiusd.conf from the installation.
I changed the following lines:
# diff radiusd.conf.orig radiusd.conf
615c615
< default_eap_type = md5
---
> default_eap_type = ttls
660c660,665
<
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> With the 10/24 snapshot TTLS and PEAP are not working. I can't even
> Get as far in the eap protocol as I did with the 10/22 snapshot.
...
> Fri Oct 24 07:37:00 2003 : Debug: rlm_eap: EAP packet type response id
> 7 length 28
> Fri Oct 24 07:37:00 2003 :
With the 10/24 snapshot TTLS and PEAP are not working. I can't even
Get as far in the eap protocol as I did with the 10/22 snapshot.
Ron.
rad_recv: Access-Request packet from host 10.0.0.57:1119, id=81,
length=180
User-Name = "[EMAIL PROTECTED]"
Cisco-AVPair = "ssid=mariner"
<[EMAIL PROTECTED]> wrote:
>I am trying to set up FreeRadius with PEAP. However FreeRadius is not
>starting. I already configured LEAP some time ago and it worked fine. I
>cannot find where I made a failure:
It looks like you've drastically hacked your radiusd.conf file:
> eap
Fri Oct 24 16:41:45 2003 : Debug: tls: random_file = "/dev/random"
Fri Oct 24 16:41:45 2003 : Debug: tls: fragment_size = 1024
Fri Oct 24 16:41:45 2003 : Debug: tls: include_length = yes
Fri Oct 24 16:41:45 2003 : Debug: tls: check_crl = no
FreeRadius doesn't come up. It stops ri
Greetings,
I have just replaced my old RADIUS server with FreeRadius & dialup
admin. The authorization works perfectly and everyone can log in;
however, I can't see any statistics about the persons that are logged in.
The Statistics page of the dialup admin returns the correct number of
session
"Ron Wahler" <[EMAIL PROTECTED]> wrote:
> Is there a list on the website for each build that specifies which
> features/modules are Experimental and need to be configured with
> --with-experimental-modules ?
The list of stable modules is in 'src/modules/stable'
Or, the modules which aren't bu
Johan,
LEAP does not work with SHA passwords. It requires either clear-text or
NT-style (MD4) passwords.
# Cisco LEAP
#
# Cisco LEAP uses the MS-CHAP algorithm (but not
# the MS-CHAP attributes) to perform its authentication.
#
# As a result, LEAP *requires* access to the plain
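The constraint stated above (LEAP, like MS-CHAP, needs either the clear-text password or its NT hash, and a {SHA} userPassword can be turned into neither) can be checked directly. What follows is an added example, not code from FreeRADIUS or from anyone on this list: it computes the NT hash the way the NT-Password check item expects it (MD4, RFC 1320, over the UTF-16LE encoding of the password) and classifies stored userPassword values by their RFC 2307 style {SCHEME} prefix. MD4 is written out in pure Python because hashlib.new("md4") is disabled on most OpenSSL 3 builds; the password strings and the {SHA} value in the usage note are constructed for illustration, and the scheme names recognised by leap_capable() are an assumption about how the directory stores passwords.

```python
"""NT-Password derivation and a userPassword scheme check for LEAP/MS-CHAP.

Added example, not FreeRADIUS code. MD4 is implemented here (RFC 1320)
because hashlib.new("md4") is unavailable on many OpenSSL 3 builds.
"""
import struct

MASK32 = 0xFFFFFFFF


def _f(x, y, z):
    return (x & y) | (~x & z)


def _g(x, y, z):
    return (x & y) | (x & z) | (y & z)


def _h(x, y, z):
    return x ^ y ^ z


def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 digest of data (RFC 1320), returned as 16 raw bytes."""
    msg = bytearray(data)
    msg.append(0x80)                      # padding: 1 bit, then zeros ...
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # ... then bit length

    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    round2_order = [(i % 4) * 4 + i // 4 for i in range(16)]       # 0 4 8 12 1 5 9 13 ...
    round3_order = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        # Round 1: F, words in order, shifts 3 7 11 19. Rotating the tuple
        # (a, b, c, d) -> (d, a, b, c) after each step reproduces the RFC's
        # a/d/c/b operand sequence without writing out all 48 steps.
        for i in range(16):
            a = _rotl((a + _f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 2: G, constant 0x5A827999, shifts 3 5 9 13
        for i in range(16):
            a = _rotl((a + _g(b, c, d) + x[round2_order[i]] + 0x5A827999) & MASK32,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        # Round 3: H, constant 0x6ED9EBA1, shifts 3 9 11 15
        for i in range(16):
            a = _rotl((a + _h(b, c, d) + x[round3_order[i]] + 0x6ED9EBA1) & MASK32,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_password(password: str) -> str:
    """NT-Password check item as FreeRADIUS wants it: MD4 over UTF-16LE, hex."""
    return md4(password.encode("utf-16-le")).hex().upper()


def leap_capable(user_password: str) -> bool:
    """True if a stored userPassword value can back LEAP (or MS-CHAP).

    Assumption: RFC 2307 style values, i.e. an optional {SCHEME} prefix and
    otherwise clear text. Only clear text is usable here; {SHA}, {SSHA},
    {CRYPT}, {MD5} and friends are one-way digests of a different algorithm
    and cannot be converted into an NT hash by any server-side configuration.
    """
    if user_password.startswith("{") and "}" in user_password:
        scheme = user_password[1:user_password.index("}")].upper()
        return scheme == "CLEARTEXT"
    return True


if __name__ == "__main__":
    # Constructed sample values, not taken from any real directory.
    for value in ("secret", "{CLEARTEXT}secret", "{SHA}W6ph5Mm5Pz8GgiULbPgzG37mj9g="):
        print(f"{value!r:45} LEAP usable: {leap_capable(value)}")
    print("NT-Password for 'password':", nt_password("password"))
```

Run over an export of userPassword values, leap_capable() lists the accounts that must be re-enrolled (or given an NT hash in a separate attribute, which this check does not look for) before LEAP will work for them. A SHA-1 digest is one-way, so the same limitation applies to the MS-CHAP versus PAP lookup discussed elsewhere on this page: a single hashed attribute cannot serve both.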
Yes it is.
Ron.
> -Original Message-
> From: Rick Whitley [mailto:[EMAIL PROTECTED]
> Sent: Friday, October 24, 2003 8:32 AM
> To: <
> Subject: ldap inside ttls
>
> Is it possible to have ldap authentication within ttls?
>
>
> rick...
> Rom.5:8
>
"[EMAIL PROTECTED]" <[EMAIL PROTECTED]> wrote:
> I have been reading all the related topics in the mail archive but I
> cannot find the solution.
>
> I would like to know:
> 1) is it possible to use ldap sha-encrypted passwords for leap authentication?
Read 'radiusd.conf', and the configuratio
Is it possible to have ldap authentication within ttls?
rick...
Rom.5:8
"Lai Fu Keung" <[EMAIL PROTECTED]> wrote:
> We are heading to have Single Sign On for all services. Having a
> plain text password on a machine is considered insecure and loss of
> privacy.
Nonsense.
Alan DeKok.
"Christoph Hubmann" <[EMAIL PROTECTED]> wrote:
> we want to set up a freeradius server to authenticate remote users with
> the opie 2.4 system.
That's nice.
> please send me an example to set it up on a Linux Red Hat 9 system.
Why?
Alan DeKok.
Is there a list on the website for each build that specifies which
features/modules are Experimental and need to be configured with
--with-experimental-modules ?
Thanks,
Ron.
Hi All,
I am trying to set up freeradius in such a way that a client PC can authenticate with
LEAP via a CISCO Aironet AP 1200 using an account in LDAP.
I have got so far that my freeradius adds my password (the header {SHA} is removed
successfully) to the "check items", but when doing the "get values"
Hi!
I'm trying to authorize MAC addresses on an access point AP2000 (Orinoco).
All works fine, but when I restart my access point, all users are
not authorised until the client is restarted. I think that this bug is
in the firmware of the AP.
Does somebody have the same problem?
Thanks, Marian
Hi Alan,
I solved my problem: I don't know why, but when I make an RPM, radius
doesn't start (due to an error with huntgroups), but when I install from
tgz (with compilation and installation) all works fine!
Thanks, bye Marian
Alan DeKok wrote:
Marian Rychtecky <[EMAIL PROTECTED]> wrote
Brian Johnson wrote:
You probably have a permissions issue on your logging directory.
Yes.
Did you have to manually create the log file to get it to log the first
time?
Before I used logrotate, the detail file was still logging fine.
regards,
Adam
> What settings do we have to add to the configuration file for TTLS?
If you want to reset the configuration to the distribution default, make
sure you remove the /etc/raddb/radiusd.conf file before running
"make install". Otherwise, the install script will detect that you
already have a configu
You probably have a permissions issue on your logging directory.
Did you have to manually create the log file to get it to log the first
time?
- Brian J.
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of
> Adam Jendrosek
> Sent: Friday, October 24,
Nick Davis wrote:
Well there are a couple of things.
1. After logrotate completes you need to restart radiusd so it will use the
new log file.
Yes, that's right, but freeradius doesn't create a new log file.
regards,
Adam
hello all
we want to set up a freeradius server to
authenticate remote users with the opie 2.4 system.
Please send me an example to set it up on a Linux Red Hat 9
system.
christoph
Well there are a couple of things.
1. After logrotate completes you need to restart radiusd so it will use the
new log file.
2. If you search the freeradius list archives there are several instructions
to make radius log to a different file every day/week/month etc.. You just
modify this line
On Fri, 24 Oct 2003, CW wrote:
> Is it possible to have ONE radius server query TWO databases in the same
> server for requests for different realms?
>
> For example if I had two realms
>
>
> dialup.someisp.net
> adsl.someisp.net
>
> and both realms came into the same radius server, and I had tw
Hello,
after using logrotate to rotate the detail file, radiusd
isn't logging any more.
Here are some lines from the radiusd.conf:
detail detail1 {
# Note that we do NOT use NAS-IP-Address here, as that
# attribute MAY BE from the originating NAS, and NOT
# from the
OK, thanks Alan. I'll Point that out to them!
Regards,
Alan
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] Behalf Of Alan DeKok
> Sent: 23 October 2003 17:38
> To: [EMAIL PROTECTED]
> Subject: Re: FreeRADIUS with SNOM4S
>
>
> "Alan Litster" <[EMAIL PROTECTED]>
On Wed, 22 Oct 2003, apellido jr., wilfredo p wrote:
> Good day Mr. Kalevras. Statistics, user's statistics
> and online users don't show anything in the latest
> dialup_admin cvsup. Here's my config
Doesn't show anything meaning a blank page or no accounting data?
Make sure that you are using the
Hi everybody,
with the last snapshot we finally succeeded in compiling the server and having it correctly installed :-)
now our issue is that the configuration is not delivered with the snapshot, so we still have the one from the stable release... which does not feature TTLS.
What settings do w
On Fri, 24 Oct 2003, Lai Fu Keung wrote:
> On 23 Oct 2003 at 11:20, Alan DeKok wrote:
>
> > > My problem is that both MS_CHAP and PAP authentications will look up
> > > the plain text password. But I want PAP to look up the crypted
> > > userPassword.
> >
> > Again, why?
>
> We are heading to ha
On Wed, 22 Oct 2003, Lai Fu Keung wrote:
>
> > Well it seems that the bind operation is failing. If your encrypted password is
> > not the userpassword attribute then the ldap server will _not_ use that in the
> > bind operation and as a result the bind operation will fail. So make sure you
> > ar
On 23 Oct 2003 at 11:20, Alan DeKok wrote:
> > My problem is that both MS_CHAP and PAP authentications will look up
> > the plain text password. But I want PAP to look up the crypted
> > userPassword.
>
> Again, why?
We are heading to have Single Sign On for all services. Having a
plain tex