[EMAIL PROTECTED] wrote on 11/21/2003 01:04:25 PM:
> [EMAIL PROTECTED] wrote:
> > >$ cp ./raddb/dictionary /etc/raddb/dictionary
> >
> > But that note seems to contradict itself. It _seems_ as though it should
> > say "please ensure that $prefix/etc/raddb/dictionary is the same as
> >
I was still running FR 0.8, and because of yesterday's events, decided to
go up to 0.93. I did the ./configure, make, make install dance. FR
bombed when I tried to run radius, so I put it in debug mode, and saw
messages about problems with the dictionary.
Perused the INSTALL file, and saw thi
[EMAIL PROTECTED] wrote on 11/20/2003 02:51:13 PM:
> Bug reports are nice. Lack of notification is stupid.
>
> With that said, 0.9.3 has been released. It's in the normal places:
>
> ftp://ftp.freeradius.org/pub/radius/freeradius-0.9.3.tar.gz
>
> With PGP signature at:
>
> ftp:
Just goes to show that paid support isn't all that it's cracked up to be.
I opened a Cisco TAC case on this kind of issue over a year ago, and had
Cisco TAC swear up and DOWN it wasn't possible to authenticate to the http
server w/o using TACACS.
I didn't believe them at the time, but I didn't
1, you're sending formatted text to a mailing list. I know you think that
blue color is pretty, but _don't_ do that.
2, you haven't run the server in debug mode to see what it's trying to do
(...or not do)
3, you haven't provided any snippet of a configuration. "It doesn't work"
is a pretty br
Would someone please add "GroupShield for Exchange" into the spam filter?
This is getting a little annoying. (assanine.com. :) )
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"A four-year-old will very quickly g
It's in the documentation, 'cuz I figured out how to do it. Anyway,
here's an example from my users file:
"crapuser" Auth-Type := Local, Password == "this_password_sucks"
Reply-Message = "Hello, your password sucks, by the way.",
cisco-avpair = "shell:priv-l
[EMAIL PROTECTED] wrote on 08/27/2003 05:34:18 AM:
> whilst it's nice to see what virus checkers certain companies use, could
> virus-ridden/infected Windows users on this list PLEASE sort out
> your machines.
Want to ask for tomorrow's winning lottery numbers while you're at it? :)
Vincent Gio
[EMAIL PROTECTED] wrote on 08/19/2003 04:21:20 AM:
> > If you need paid support ("It's busted and I need it fixed RIGHT NOW!!"),
> > then you're obviously SOL running freeradius. (Don't misinterpret this;
> > the FR team does a bang up job. BUT they're NOT obligated to do
> > _anything_ if
[EMAIL PROTECTED] wrote on 08/19/2003 03:02:17 AM:
> I would agree. Cisco makes two products for Radius. One that is
> expensive and the other that is even more expensive. Neither one has
> all the same features as Freeradius AND neither one works as well.
>
> Gene Parks
> VIP Direct
That's a
Not sure how you'd send this via radius attributes (never tried to do
that), but if you want to protect your users from getting infected, apply
this list outbound to their interface. If you want to prevent them from
infecting others (along with doing any MS mapping of drives, or tftp'ing,
etc.
[EMAIL PROTECTED] wrote on 08/08/2003 07:07:11 PM:
> First, I apologize for my naiveness. I thought I could get this
> working fairly easily, but that was three days ago; I'm becoming a
> little desperate now.
>
> If someone could point me to either a How To or FAQ on configuring the
> Cisco Airo
I've used a toaster with radius. (a VSA determines how brown, cow now...
:) ) Other items I've seen using radius are a waffle iron, high quality
golf clubs, an electric train set, a disposable shaver, a gumball machine,
a satellite television receiver, a box of facial tissues and a foam dome.
(
[EMAIL PROTECTED] wrote on 07/28/2003 07:55:54 AM:
> Is there any way a user file can be edited and new users can be
> accepted as valid logins without having to restart radiusd?
Nope. To do that, you need to use an authentication mechanism that
doesn't use the users file, such as LDAP or SQL.
[EMAIL PROTECTED] wrote on 07/14/2003 03:21:46 PM:
> Hi Vincent if I understood the problem continues ... If I'm mistaken
> please tell me what did you do.
> Did you do the upgrade ?
It was a bug in the release version of 0.5. A CVS snapshot fixed it, but
if you want to go the least distance fr
[EMAIL PROTECTED] wrote on 07/14/2003 01:04:37 PM:
> I think the problem is the AP configuration too, but since it is on
> service right now, and it is set for MAC address authentication, it is
> supposed to send the request to the FR when the MAC is not found in its
> database.
Casually perusin
[EMAIL PROTECTED] wrote on 07/14/2003 12:04:30 PM:
> Hi, I have a problem using Freeradius 0.5. The Radius server is
> working ok, but when the authentication occurs in the radius log
> file I see UNKNOWN NAS. The login occurs OK … Ex: Auth: Login OK:
> [login/password] (from nas UNKNOWN-NAS p
[EMAIL PROTECTED] wrote on 07/14/2003 10:30:23 AM:
> The AP is configured in that way that unknown MAC addresses are
> authenticated by the Radius server (right now the AP is on service and
> is the one authenticating right now) and the port used is set to 1812.
It would appear that something is
[EMAIL PROTECTED] wrote on 07/14/2003 10:02:37 AM:
> I have a linux server with Freeradius. The access point (AP) is a Cisco
> AP350 Series.
>
> I configured all the files, and seems to be working using radtest.
>
> When I use my laptop to try to reach the network, the AP drops a warning
> messa
[EMAIL PROTECTED] wrote on 07/08/2003 11:09:31 AM:
> [EMAIL PROTECTED] wrote:
> > > How are you determining that it only launches one thread?
> >
> > ps -aef (tsunami is currently running working system, tidalwave is the
> > rebuilt system...)
>
> You are aware that on newer Linux kernels,
[EMAIL PROTECTED] wrote on 07/08/2003 02:42:28 PM:
> At 02:23 PM 7/8/2003 -0500, [EMAIL PROTECTED] wrote:
> >Then I copied over my existing config files (clients.conf, and users...
> >pretty simple config, eh??) to the new machine, and started up radiusd. It
> >runs and authenticates, but for som
Correction -- we're moving to RedHat 9, not RedHat 8.
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"Dereferencing the .NET pointer reveals its value to be NULL."
-- TheRegister.co.uk
[EMAIL PROTECTED]
Sent b
I have two production freeradius 0.8.1 boxes running under redhat 7. We've
decided to upgrade the freeradius servers to new hardware and redhat 8.
I downloaded fr 0.8.1 to the new machines, did a ./configure
--with-snmp=no --with-threads=yes --prefix=(some directory on the
machine), then a mak
Is anyone keeping track of buggy NASes, possibly for a "known issues"
list?
If not, here's one for the archives in case anyone else bumps into it...
Device: Cisco 3550 switch
OS: IOS 12.1(11)EA1
Problem: Switch was reconfigured to a different IP address, then reports
original IP address a
[EMAIL PROTECTED] wrote on 06/12/2003 09:53:20 AM:
> In a nutshell, can a Cisco Aironet 350 Access Point accept a per-
> user WEP key from Freeradius (and can Freeradius serve it one)?
Well, you're trying to re-invent EAP without actually using EAP. Can't
get there from here; if you want the se
[EMAIL PROTECTED] wrote on 06/02/2003 12:27:58 PM:
> Dear sir
>
> When I try to start the radius service, the message:
>
> radiusd -f
> Mon Jun 2 12:33:30 2003 : Info: Starting - reading configuration files
> ...
> File size limit exceeded
>
> is showing; does anyone can tell what does it mean
When I had my terminal servers misconfigured (in my case, they were
looking for XON/OFF flow control that wasn't there), I had nearly the same
results. Check your terminal server config.
If you want to test it, how about unplugging your terminal servers for a
while and seeing if radius stops
Yes, it does.
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute crap, looks
reasonable on paper, and won't cause too much trouble. ... Well I don't
have any MC
Start by READING THE DOCUMENTATION THAT COMES WITH IT. (wow, tough
answer!)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute crap, looks
reasonable on paper,
So (and I'm reading in between the lines here), it seems as if you already
have two servers, A and B, configured using some sort of clustering so
that if A fails, B picks up A's address virtually, and vice-versa.
If so, then I think you're making the problem harder than it is.
Typically, most s
It sounds as though the configuration on the terminal server isn't quite
right. I had similar loads of crap show up in my logs when I was figuring
out how to wire mine up. :)
Off the top of my head, make sure the device and the terminal server agree
on connection parameters (CTS/DTS, XON/XOFF
Most load balancers (ex: foundry and extreme switches) have various
methods of hashing whether a connection goes to machine A or B (or C or D
or ...). I was originally going to suggest changing the default hashing
algorithm to something other than the default. Many load balancers'
(except Ci
You wouldn't happen to have that router's console port connected to some
sort of terminal server, would you? If so, it's possible that the
terminal server is resetting that port (for _whatever_ reason), and then
things are going haywire from there. (Just a thought.)
Also would help to know a
Unfortunately, no, there is no plug in so that freeradius can directly
authenticate against an ACE server.
I have been in contact with RSA on this issue. RSA's response was
basically, 'We've never heard of freeradius, so piss off.' I even offered
to write the freeradius plug in. RSA's reply
Actually, that you _can_ do. I personally detest the radius server that
is built into ACE and refuse to use it in any manner, either as the target
of a proxy or as the direct client target. But there's no reason why you
_couldn't_ do exactly what you describe with FR and an ACE server.
Vi
No, it does not. (Unfortunately.)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute crap, looks
reasonable on paper, and won't cause too much trouble. ... Well
That _would_ explain why he's unsubscribing. :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute crap, looks
reasonable on paper, and won't cause too much trou
I got one too, and it "appeared" to come from inside my domain also.
Apparently, the machine that is receiving the mail appends its address.
(i.e. @rush.edu was not appended, but the machine's full name was
appended.)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Well, don't know if there's a list, but here's a reference. :) We are
using Freeradius, along with NavisRadius. FR pretty much walks all over
Navis, just can't get rid of Navis.
(The one thing Navis does that FR doesn't is securID authentication.
Otherwise, Navis pretty much sucks donkey. A
I'm not disputing anything; I'm trying to provide information. I have
freeradius set up to _always_ send reply messages, and I have NASes that
show the string to the user on login, and NASes that completely ignore it.
Nothing more, nothing less.
Vincent Giovannone
Network Infrastructure Group
You do NOT need to use a database to cause freeradius to re-read its users
file. You simply have to sigHUP it.
Also, the "reply-message" packet is not guaranteed. Well, let me say that
better. It's guaranteed that Freeradius will send it if you specify it.
It is NOT guaranteed what the NAS w
Looks like you're trying to bring over a users file from a different
radius server. Here's what a working entry looks like:
"someuser" Auth-Type := Local, Password == "userpassword",
NAS-IP-Address==127.0.0.3
Reply-Message = "[myserver] Howdy!",
cisco-avpair =
We could always send a bunch of actual swears to [EMAIL PROTECTED] and
see what happens. :)
That has to be the first filter I've seen that considers "freeradius" a
dirty word. Figures, it's a MS product.
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Pres
Unfortunately, I've actually looked at the radius server built in, and
it's _really_ scary. (I'd _almost_ rather run no authentication than that
radius server!)
It's very similar to their "support" of LDAP. They import the whole
ldap tree once, and wow! they support LDAP! No, not really...
I know it's been mentioned before that SecurIDs could be used as an
external (to freeradius) authenticator. Is anyone out there currently
running this kind of config? (I'd rather not reinvent the wheel if
someone has gone through the pain.)
Thanks!
Vincent Giovannone
Network Infrastructure G
Yeah, run the server in debug mode and read the output. Always should be
step #1 when experiencing problems.
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"So for the IT Manager Role, you want someone who's absolute c
Two possible scenarios:
1) You don't have this client defined in your clients.conf file.
2) Someone is sending you radius requests you don't know about. Go whack
'em.
(Note that 1 doesn't preclude 2 from happening. :) )
Vincent Giovannone
Network Infrastructure Group
Information Services
RADIUS is an authentication mechanism. It doesn't know (or care about)
the type of link (LAN/WAN/MAN) it travels across.
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
Pinball is a way of life. My way!
Bala <[EM
This might be a dumb question, but... I'd like to buy the book and have
my company pay for it. (Read: fill out a PO, go through the whole
purchasing thing, blah blah blah...) Any way for FR to get the kickback
then? (I'd imagine not, but figured I'd ask anyway.)
Vincent Giovannone
Networ
>Do you have to configure the Radius server before you run the daemon?
Nah; you can run the daemon any old time. Don't bother configuring it or
reading the config or documentation files. They're there just to pad the
download. You don't even have to bother compiling or untarring it to disk;
My naslist file is also empty. (Well, not _empty_, it's just at the
default, which has everything commented out.)
Is it now required that NASes be defined in two places, the clients.conf
and naslist ? (If so, I'm curious... why?)
What is very odd is that not ALL of my NASes are coming up as u
Note: certain parts of this email have been munged for confidentiality
reasons. (i.e. IP addresses, login names, and passwords have been
scrambled.)
I recently upgraded my primary RADIUS server from freeradius 0.3 to 0.5.
Now, however, I'm getting strange entries in my radius.log file:
Tue Ma
It's been a while, almost three months. Think it's time for a non-CVS
release? :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242
"Monday" is the term used to signify the eighth day of my work week.
" The attribute names are sorted alphabetically, and are
cross-referenced to the RFC's. It should not be possible to quickly
discover what an attribute means, what it does, and where it's
defined."
Well, if it's not possible, why'd you bring it to our attention? :)
[Yes, fully aware of the t
Great, now I have to go kvetch at the linux folks. :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
(312) 942-4242
"Monday" is the term used to signify the eighth day of my work week.
"Tarquin Douglass \(Astr
You have to wonder how original his product will be when he rips off the signature of someone on the same group lock, stock, and barrel, even including the quotes!
I'll shut up now... :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's
Yeah, I'm having that problem with the list also. (receiving double messages all of a sudden.) Although, as I write this, it _seems_ to have stopped. seems. :)
Vincent Giovannone
Network Infrastructure Group
Information Services Division
Rush - Presbyterian St. Luke's Medical Center
"Monday"
Can we PLEASE switch this list so that only registered users can post to it? It's clear that the mailing list's address has been sold out to the spam establishment, and rejecting messages from non-subscribers is the only way (IMHO) to prevent this from becoming a spam-relay group. Sure it's not b
If you're paranoid, disconnect the machines' (client & server) primary interface from the internet. (Can't hack something you can't get to!)
If you're really paranoid? Install second NIC in both the server and the client, run a crossover cable between the two, and use a private IP address space
This request seems a bit absurd to me. If you don't want to check the
passwords, then why are you running any access control at all? Take off
all access control and you'll achieve what you want. (NOT a good idea, but
seems to be what you're going after here.)
Not only that, but it's the Radiu
>> I'm not able to find explicit documentation that the password attribute
>> must be on the first line. The examples all do it that way, but there
>> wasn't anything I could find that explicitly said that was required.
>
> 'man users' explains this, but it doesn't specifically mention
What you're trying to do should work; I have several users set up that way (not
in shadow or passwd, but only in the freeradius users file). They don't have
any shells defined either.
Try running freeradius in debug ( /X ) mode; that should give lots of hints as
to what's going wrong.
Vincent
I had the same problem when I first fired up freeradius. I was authenticating
off of the local shadow file. The problem turned out to be that the username (
/ group) listed in the radiusd.conf file did not have permissions to read the
shadow password file. (Note that freeradius does NOT launc
You seem to be confusing authorization with authentication. What you're trying
to do is control when people can telnet to your NAS; that's authentication.
You want something that looks (something) like this... (written on IOS 12,
YMMV)
aaa new-model
aaa authentication login default line