On Thu, 20 Nov 2003, Bill Thompson wrote:
> On Wed, 19 Nov 2003 16:49:22 -0500
> "Dan Didier" <[EMAIL PROTECTED]> wrote:
>
> > Do you use group functions, or is everyone in the base group?
> >
> > Thanks,
> > Dan
> >
>
> I am using FreeRadius with the VPN 3000. I have groups authenticating in
> th
On Wed, 19 Nov 2003, Dan Didier wrote:
> Hi list,
>
> I was wondering what people's experiences have been with using FreeRadius
> with the cisco VPN 3000 concentrator.
>
> Are there any documents outlining this?
>
> Thanks,
> Dan
>
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.
On Wed, 19 Nov 2003, David Blood wrote:
> For some reason mysql is not being updated with the interim accounting
> updates. Below is one of the accounting requests sent to free radius and
> you can see that it does not send the bytes and up time information to
> mysql.
> Anyone know why?
>
>
> r
>
>
> On Tue, 18 Nov 2003, John A. Hengstler wrote:
>
> > Greetings.
> > I have a Cisco as5300 that I am using for Dial customers.
> > The customer connects, the authentication comes through, but then at the
> > "authorization" level the connection gets dropped by the nas..
> > Are there any sugg
On Tue, 18 Nov 2003, John A. Hengstler wrote:
> Greetings.
> I have a Cisco as5300 that I am using for Dial customers.
> The customer connects, the authentication comes through, but then at the
> "authorization" level the connection gets dropped by the nas..
> Are there any suggested attributes
n the module.
-Dustin Doris
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On Tue, 28 Oct 2003, Jean-Paul Chapalain wrote:
> I've tried with "Fall-Through = no" but it's the same thing.
>
> You can read in the 5.2 question in FAQ, "It doesn't
> need a Fall-Through" !!!
>
I guess not. Sorry, was hoping that was an easy one, seemed like it
needed it since it's finding
On Mon, 27 Oct 2003, Jean-Paul Chapalain wrote:
> Hi,
>
> I want to reject a user only on a particular Nas.
> This has to connect on other Nas.
>
> So I code user's file with an entry Auth-Type := Reject.
> In spite of this, the user continues to be accepted on this Nas (@ip :
> 10.154.100.15).
>
> Tw
that use TLS for communication.
>
> Any tips how to configure this ?
> Any samples ?
>
>
> Thank you,
>
>
Setup two ldap entries in radiusd.conf each with your specific needs.
Then check out doc/Autz-Type to find out how to send each realm to the
specific ldap entry.
-Dust
On Fri, 24 Oct 2003, CW wrote:
> Is it possible to have ONE radius server query TWO databases in the same
> server for requests for different realms?
>
> For example if I had two realms
>
>
> dialup.someisp.net
> adsl.someisp.net
>
> and both realms came into the same radius server, and I had tw
On Thu, 9 Oct 2003, seth666 666 wrote:
> Thank You for your answers.
> But I can't understand why rlm_ldap asks me for the User-Password attribute. What
> do I have to do so that rlm_ldap doesn't stop the authentication process because
> it doesn't have a User-Password attribute?
>
> in my case, rlm_ldap
om
objectclass: radiusprofile
uid: test
radiusgroupname: isdn
radiussimultaneoususe: 2
Make sure you've got this in ldap.attrmap
checkItem Simultaneous-Use radiusSimultaneousUse
> - Original Message -
> From: "Dustin Doris" <[EMAIL PR
it will fall through to Reject.
The same with the isdn users when they connect.
If the users are able to have access to both, then include both
radiusGroupName entries.
ie.
dn: uid=test2,ou=users,ou=radius,dc=mydomain,dc=com
objectclass: radiusprofile
uid: test
radiusgroupname: isdn
radiu
on. Basically we will be
correcting this packet for the people that are sending these incorrectly.
Thanks for any suggestions.
Dustin Doris
On Wed, 3 Sep 2003, Dustin Doris wrote:
> Hello,
>
> We are currently getting some interesting accounting packets that are
> coming in with
a valid User-Name
rlm_attr_rewrite: Changed value for attribute User-Name from 'a' to
'ihavenoname'
modcall[accounting]: module "nodomain" returns ok
This was sending an accounting packet with User-Name of a.
Any ideas of anything else we could try, or perhaps a recent cvs snapshot?
Thanks
Dustin Doris
027\300\014\237\261\225A\332\3042U"
> NAS-IP-Address = azteca.prism.uvsq.fr
> NAS-Port = 1
> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=79,
> length=20
> rad_decode: Received Access-Reject packet from 127.0.0.1 with invalid
> signature!
> [
Never mind about the octaviosecret part. Still getting my coffee.
But just to be sure, is cn=Manager,dc=prism,dc=fr with the password of
secret correct?
It says protocol error. What version of openldap are you running?
On Tue, 12 Aug 2003, Dustin Doris wrote:
> On Tue, 12 Aug 2003, Octa
On Tue, 12 Aug 2003, Octavio Ramirez Rojas wrote:
> Hi,
>
> I am running radius in debug mode (radiusd -X -A)
>
> I have one LDAP database (*.dbm), that contains:
>
> dn: cn=octavio,ou=MemberGroupA,dc=prism,dc=fr
> cn: octavio
> sn: Ramirez
> ou: MemberGroupA
> userpassword: octaviosecret
>
> --
> Se
On Wed, 13 Aug 2003, Octavio Ramirez Rojas wrote:
> >
> > It says protocol error. What version of openldap are you running?
>
> openldap-2.1.21
>
> The database for LDAP works with Berkeley, therefore I have an *.dbd
> file for the users.
>
> You think that I must re-make the installation/configur
> Hello,
>
> In FreeRADIUS, authorization is done before authentication. Is that a
> proper sequence regarding the standard RADIUS concept?
>
> For example, when a user mistypes the password, FreeRADIUS still sends
> out the attributes to RADIUS client. Would that be an issue (ie,
> security, loadin
On Thu, 7 Aug 2003, Josh Whitver wrote:
> Hello! Thanks for everyone's help earlier with getting the latest
> FreeRadius up and running on Mac OS X; it's all good now.
>
> My current problem is that I have next to no experience with this product
> (or any Radius product), and I need to get it ta
On Wed, 6 Aug 2003, Octavio Ramirez Rojas wrote:
> I made the modifications, but I continue with the same "Access Reject"
>
> ideas?
Since you posted only a small part of your radiusd.conf file, then this is
just a guess.
Take a look at your authorization and authentication section of
radiusd
    preprocess
    suffix
    files
    ldap {
        notfound = return
    }
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
>
> *** THE SYNTAX IS CORRECT FOR RADTEST???
>
> I send you radiusd.conf file.
Did you attach it? I didn&
On Fri, 8 Aug 2003, Josh Whitver wrote:
> Cool; any hints on configuring Radius itself? Specifically, for talking
> to LDAP? Thanks!
>
If you have the source, check out /doc/rlm_ldap
> --
> Josh Whitver
> [EMAIL PROTECTED] / [EMAIL PROTECTED]
>
>
> [EMAIL PROTECTED] writes:
> >> Hello! Th
> Hi,
>
> On 30.07.2003 15:37, Dustin Doris wrote:
> >
> > Check out NULL in proxy.conf
> >
>
> I know about NULL.
>
> "This realm is for requests which don't have an explicit realm
> prefix or suffix. User names like "bob" wi
write when they authenticate, just overlooked
that. Looks like you will have to generate the packet and send it over.
>
>
> > -Original Message-
> > From: Dustin Doris [mailto:[EMAIL PROTECTED]
> > Sent: Wednesday, July 30, 2003 10:55 AM
> > To: [EMAIL PROTECTED]
>
On Wed, 30 Jul 2003, Ron Wahler wrote:
>
> Is there another way to generate an accounting message from Freeradius
> to
> another radius server when a user authenticates?
It's called radrelay. Check doc/radrelay
>
> One idea was to call radclient in a shell program to generate the
> packet.
>
>
On Wed, 30 Jul 2003, Luca Benassi wrote:
> On Wed, 30 Jul 2003, Alan DeKok wrote:
> > Luca Benassi <[EMAIL PROTECTED]> wrote:
> > > eap-tls works fine but I need to use LDAP.
> >
> > For what? Are you willing to say what you're trying to do, and why?
>
> No problem ... :)
>
> I want to secure a
>
> Hi,
> is it possible and what should I do to forward (proxy) a specified username (without
> realm) to the specified radius server?
>
Check out NULL in proxy.conf
> I tried adding "" as the realm delimiter which didn't work. It would be simple
> solution to
> my problem.
>
> Can I somehow s
> I have an entry in a ldap database with an attribute radiusVSA.
>
> In file ldap.attrmap, I have this line
> -> replyItem Vendor-Specific radiusVSA
>
> In user file, I have this line
> -> sqdqFS
> Autz-Type:=CISCO-ACCESS,Auth-Type:=CISCO-ACCESS
>
to be parsed. You'd have another default under that one that specified
what actions for users that are not disabled.
Hope that helps.
Dustin Doris
in users file
DEFAULT NAS-IP-Address == 10.10.10.1
        Attribute = Value
DEFAULT NAS-IP-Address == 10.10.10.2
        Attribute = Value
man 5 users for more info
On Wed, 2 Jul 2003, Jeff Green wrote:
> Hi Everyone,
>
>
> I'm using FreeRadius 0.8.1 with MySql backend and everything
They are radius attributes, check out
http://www.freeradius.org/rfc/rfc2865.html
Read the RFC, it will tell you about those attributes as well as explain
what radius does.
On Tue, 17 Jun 2003, [iso-8859-1] Sylvain MASNADA wrote:
> Hi all,
> I'd like to know where I could find a good doc on the
>
> I have started a new job in Linux.
> I have been involved quite a lot into daily system admin functions in Linux
> as well as Solaris
> Now the requirement for this job are to set up a RADIUS server with LDAP and
> mysql database.
> This is for a small ISP which will be used for Wireless access
> Hi Dustin,
>
> Thanks for the reply...
> Here are a few sample lines from the log using -xx
>
>
>
> radius_xlat: '^[a-z0-9_-]+'
> radius_xlat: '@imaginet.co.za'
> rlm_attr_rewrite: Changed value for attribute User-Name from 'rob' to
> '[EMAIL PROTECTED]'
>
>
Whoops, guess I didn't read throu
king, or is it that you are really trying to change the
username from name to [EMAIL PROTECTED]
Maybe you could paste some radiusd -X output and let us know where it
seems to be breaking.
-Dustin Doris
> I have FreeRADIUS setup to authenticate directly against LDAP. However,
> I need to setup a blacklist of users while at the same time keeping my
> hands entirely off of the LDAP server.
I can tell you an easy way to do it with ldap. Let me know if you want
that suggestion, understanding that's
You could use radrelay to forward the accounting data to the other server.
http://www.freeradius.org/radiusd/doc/radrelay
On Sun, 8 Jun 2003, Ossama Suleiman wrote:
> hi all,
>
> is it possible to proxy the data to more than 1 server??
>
> proxying from server-a to server-b is working just
> If not, then you could try setting up a realm for each user in proxy.conf
should read
... setting up each realm in proxy.conf
just didn't want to add any confusion
d you do find something else that works for you,
let us
know.
I'm at least interested in what you did do to make it work,
as I may be required to do something like that in the future.
Dustin Doris
Yes you can do that now. In your users file put.
DEFAULT NAS-IP-Address == "1.1.1.1", Autz-Type := sql1
DEFAULT NAS-IP-Address == "2.2.2.2", Autz-Type := sql2
Then you can setup two different sql types. Then in authorization in
radius.conf add
autztype sql1 {
    sql1
}
Do you see how the Called-Station-Id is not coming in with the auth
request?
> The following is the whole debug when i used "compare_check_items",
>
> Listening on IP address *, ports 1645/udp and 1646/udp, with proxy on
> 1647/udp.
> Ready to process requests.
> rad_recv: Access-Request packet fr
Thanks. What would be the advantage of using that over
compare_check_items?
On Mon, 31 Mar 2003, Kostas Kalevras wrote:
> On Mon, 31 Mar 2003, Dustin Doris wrote:
>
> >
> >
> > On Mon, 31 Mar 2003, Kostas Kalevras wrote:
> >
> > > On Mon, 31 Mar 2003,
On Mon, 31 Mar 2003, Kostas Kalevras wrote:
> On Mon, 31 Mar 2003, Brian Leung wrote:
>
> > hi all,
> > does anyone know how to use the
> > radiusCheckItem and radiusReplyItem in the user's ldif file?
> >
> > If I want to restrict user who just can use nas 192.168.0.1, I should use
> > radiusChec
> the ldap.attrmap is :
> checkItem $GENERIC$ radiusCheckItem
> replyItem $GENERIC$ radiusReplyItem
>
> checkItem Auth-Type radiusAuthType
> checkItem Simultaneous-Use radiusSimultaneousUse
>
you could show a debug with the attributes that come in and a copy
of your ldap.attrmap file.
On Mon, 31 Mar 2003, Dustin Doris wrote:
>
>
> On Mon, 31 Mar 2003, Brian Leung wrote:
>
> > hi all,
> > > I want to add some rules in freeradius so the user just can access t
On Mon, 31 Mar 2003, Brian Leung wrote:
> hi all,
> I want to add some rules in freeradius so the user just can access the system from
> the Calledstationid 123456, for example
> my ldif is like that:
>
Add it in the users file.
example,
user User-Password == "password", Called-Station-ID
For more info.
Here is the RFC on authentication
http://www.freeradius.org/radiusd/doc/rfc/rfc2865.txt
Here is the RFC on accounting
http://www.freeradius.org/radiusd/doc/rfc/rfc2866.txt
Hope that helps.
-Dustin Doris
On Thu, 27 Mar 2003, freeradius mailing list wrote:
>
> Try addi