Alan DeKok wrote:
http://www.juniper.net/company/presscenter/pr/2005/pr-051114.html
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Apparently freeradius developers have managed to build a system
comparable to one that just sold for $122
hi ::
Ah, that's why, but all the NAS are using the same port! I understand
that session index is based on NAS port. Any chance for it to be
based on session id? Is there a patch for it?
Thanks again !
On 11/15/05, Alan DeKok <[EMAIL PROTECTED]> wrote:
> TK Lew <[EMAIL PROTECTED]> wrote:
> >
Hi Christopher,
I do something like this (YMMV as I've made changes to the code to support
stuff I want to do, this could have been one of those changes? ;-) )
In acct_users:
DEFAULT Acct-Status-Type == Alive, Acct-Type := ACK
And in radiusd.conf:
modules {
...
always handl
Several NAS's we lease, whose configurations we cannot change,
authenticate through our freeradius server. The Alive packets we are
receiving from these machines are filling up our hard drive. Is there
any way to deny just these Alive type packets and continue to accept
Start and Stop packets
I already started to write it.
Thanks,
Kevin,
Alan DeKok wrote:
kevin <[EMAIL PROTECTED]> wrote:
Well, I want to return different attributes for
-password-mismatched users
-authenticated but Calling-Station-Id is in my-block-list
-authenticated and Calling-Station-Id is not in my
kevin <[EMAIL PROTECTED]> wrote:
> Well, I want to return different attributes for
> -password-mismatched users
> -authenticated but Calling-Station-Id is in my-block-list
> -authenticated and Calling-Station-Id is not in my-block-list.
I want people to state their requirements up front, rat
http://www.juniper.net/company/presscenter/pr/2005/pr-051114.html
Alan DeKok.
Well, I want to return different attributes for
-password-mismatched users
-authenticated but Calling-Station-Id is in my-block-list
-authenticated and Calling-Station-Id is not in my-block-list.
I cannot use "users".
Kevin
Alan DeKok wrote:
kevin <[EMAIL PROTECTED]> wrote:
The
On Mon, 14 Nov 2005, Alan DeKok wrote:
> Kristina Pfaff-Harris <[EMAIL PROTECTED]> wrote:
> > But seriously, folks. We can deal with that -- a little more load on the
> > tech support folks, but not huge. On the other hand, I don't suppose you
> > have any suggestions for a better way to do a simi
Kristina Pfaff-Harris <[EMAIL PROTECTED]> wrote:
> But seriously, folks. We can deal with that -- a little more load on the
> tech support folks, but not huge. On the other hand, I don't suppose you
> have any suggestions for a better way to do a similar thing?
rlm_policy. It's more generic tha
kevin <[EMAIL PROTECTED]> wrote:
> The reason that I want to put it to post-auth is that it should be done
> only for authenticated users.
> That's why I cannot use "users".
If the user is rejected, all attributes are stripped from the
response.
You *can* use "users". Everyone else does.
On Mon, 14 Nov 2005, Alan DeKok wrote:
> The whole "nospace_user" stuff is a *terrible* hack.
Heh. Fair enough.
> If that works, fine. But this functionality will *not* be in 1.1 or
> later.
Gads. You mean users will have to type their usernames and passwords
correctly? Eek! :-)
But seri
The reason that I want to put it to post-auth is that it should be done
only for authenticated users.
That's why I cannot use "users".
Kevin
Alan DeKok wrote:
kevin <[EMAIL PROTECTED]> wrote:
I want to do it in post-auth and post-proxy which cannot be done by
"users". I thought
Kristina Pfaff-Harris <[EMAIL PROTECTED]> wrote:
> Hi, again. Another strangeness I noticed: we have "nospace_user = after"
> in radiusd.conf, but since switching to 1.0.5, this doesn't appear to act
> the same way as it did in 0.8.1. Using a username like "username " keeps
> rejecting the user i
kevin <[EMAIL PROTECTED]> wrote:
> I want to do it in post-auth and post-proxy which cannot be done by
> "users". I thought that's why we use rewrite_filter/attr. No?
You can put the checks in the "authorize" section, and it will work.
Alan DeKok.
kevin wrote:
Alan DeKok wrote:
kevin <[EMAIL PROTECTED]> wrote:
What I want to do is something like
if (Calling-Station-ID == 5045551234) then add some filters to the
DEFAULT reply attributes.
The "users" file can do this. Use it.
I want to do i
Alan DeKok wrote:
kevin <[EMAIL PROTECTED]> wrote:
What I want to do is something like
if (Calling-Station-ID == 5045551234) then add some filters to the
DEFAULT reply attributes.
The "users" file can do this. Use it.
I want to do it in post-auth and post-proxy w
kevin <[EMAIL PROTECTED]> wrote:
> What I want to do is something like
> if (Calling-Station-ID == 5045551234) then add some filters to the
> DEFAULT reply attributes.
The "users" file can do this. Use it.
> It seems that rewrite_filter cannot add some attributes to DEFAULT and
> rewrite_att
Hi Nan0,
The authorize section of radiusd.conf is actually run twice when an
Access-Request is received by the server.
The first time, Autz-Type is not set. During the first run through the
authorize section, one of the modules may set Autz-Type, for example, a
module may set Autz-Type to MY_AUTZ
Hi, I'm trying to use the next exec module:
radius.conf ---
modules {
exec {
wait = yes
input_pairs = request
}
exec echo {
wait = yes
program = "/bin/echo %{Autz-Type}"
input_p
us_xlat: '/home/fbrito/Radius/acct//auth-detail-20051114'
rlm_detail: /home/fbrito/Radius/acct/%{Client-IP-Address}/auth-detail-%Y
%m%d expands to /home/fbrito/Radius/acct//auth-detail-20051114
modcall[authorize]: module "auth_log" returns ok for request 0
modcall: group author
But, I want to use rlm_rewrite_attr or
rewrite_filter.
Look at my comments below.
Nicolas Baradakis wrote:
kevin wrote:
I want to get some idea about how to manipulate attributes before we
respond to NAS.
For example, before I send Access-Accept packet to the NAS, I want to
add t
On Mon, 2005-11-14 at 12:49 -0700, Scott Langley wrote:
> Before I write one, I wonder if anyone already has a script or module for
> counting the number of ports on a NAS that were in use at a given point of
> time?
>
> I know this can be done by collecting the SNMP data sent from the NAS, but
On Sun, 2005-11-13 at 12:20 +, [EMAIL PROTECTED] wrote:
> Could I use the Counter module to count the number of times a user gets
> their password wrong?
AFAIK the counter module was not designed to count this type of things.
The idea is to count let's say the total amount of time a user has
Hi NanO,
You may want something like this. (There are probably other ways of
detecting the realm, but it will depend on which modules you are using in
authorize, and in which order.)
In users:
DEFAULT User-Name =~ "", Autz-Type := AUTZ_SQL1
DEFAULT User-Name =~ "", Autz-Type := AUTZ_SQL2
Hi, again. Another strangeness I noticed: we have "nospace_user = after"
in radiusd.conf, but since switching to 1.0.5, this doesn't appear to act
the same way as it did in 0.8.1. Using a username like "username " keeps
rejecting the user instead of stripping spaces and trying again.
"nospace_u
Luca Corti wrote:
> On Mon, 2005-11-14 at 11:09 -0600, Michael Griego wrote:
> > It's a configuration issue. You didn't configure the rlm_exec module,
> > which is called to execute ntlm_auth.
>
> Is anything else needed besides
>
> exec {
> wait = yes
>
On Mon 14/11/2005 at 12:13, [EMAIL PROTECTED] wrote:
Send Freeradius-Users mailing list submissions to
freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.freeradius.org/mailman/listinfo/freeradius-users
or, via ema
Before I write one, I wonder if anyone already has a script or module for
counting the number of ports on a NAS that were in use at a given point of
time?
I know this can be done by collecting the SNMP data sent from the NAS, but I
would rather do this by querying the radacct table in a SQL da
"Andres Pazos" <[EMAIL PROTECTED]> wrote:
> great!. can u tell me how (if yes, please tell me how)?. i need to know
> where to start. thanks!.
The documentation?
Alan DeKok.
Alan DeKok wrote:
> > The possible solutions are:
> > 1. Reverse previous changes and move the file exec.c back to src/main.
>
> Maybe. If other modules need it, that's where it should go.
I've moved this file because it isn't used by the server core anymore,
but I didn't notice the module rl
Another possibility for "linking" between modules without truly linking
would be to change rlm_mschap to use radius_xlat with the %{exec:...}
xlat. Just depends on what others think. I'm not opposed to moving
exec.c back into the server core.
-Mike
Alan DeKok wrote:
Nicolas Baradakis <[EM
great!. can u tell me how (if yes, please tell me how)?. i need to know where
to start. thanks!.
-Original Message-
From: [EMAIL PROTECTED] on behalf of Alan DeKok
Sent: Mon 11/14/2005 3:10 PM
To: FreeRadius users mailing list
Subject: Re: Can mysql and mssql being used at the same ti
Is your machine truly a member of your AD domain? If so, it's not
sending a fully qualified domain name for some reason. Therefore the
code is setting the domain to the same as the machine name. I've only
ever seen Windows send *just* the machine name without the domain name
when the machine
Hi,
I'm trying to set up PEAP authentication with the rlm_mschap.c /
cli_netlogon.c hacks provided by M. Griego.
The user auth is still working (as before), but the computer is still not...
(a copy of the debug log is in the attachment)
According to the log, the rlm_mschap seems to be effective, but i
On Mon, 2005-11-14 at 11:09 -0600, Michael Griego wrote:
> It's a configuration issue. You didn't configure the rlm_exec module,
> which is called to execute ntlm_auth.
Is anything else needed besides
exec {
wait = yes
input_pairs = request
}
an
"Andres Pazos" <[EMAIL PROTECTED]> wrote:
> Is it possible to have [EMAIL PROTECTED] authenticated against MSsql and
> [EMAIL PROTECTED] authenticated against MySql?
Yes.
Alan DeKok.
[EMAIL PROTECTED] wrote:
> Ok, I skimmed through the mailing list notes last night (mostly via
> Google) and found a number of notes that said it was only possible
> to do EAP authentications against an LDAP server if the server has
> either cleartext passwords or NT hashes in it. Some of those
=?iso-8859-1?Q?V=F6lker=2C_Christian?= <[EMAIL PROTECTED]> wrote:
> My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory
> (on 2003 Server). Without ntlm_auth!
This is done via simple LDAP bind, which AD supports.
It works for PAP authentication. It doesn't work for CHAP, MS
TK Lew <[EMAIL PROTECTED]> wrote:
> I have a weird problem. If I am not mistaken sessions are logged and
> removed on accounting-start and accounting-stop but I have encountered
> where an active session for a particular user has been deleted from
> the session database without the corresponding acc
Rajeshwari Krishnappa <[EMAIL PROTECTED]> wrote:
> Can some one please tell me if the current version of
> free radius supports EAP-AKA?
No.
Alan DeKok.
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> The possible solutions are:
> 1. Reverse previous changes and move the file exec.c back to src/main.
Maybe. If other modules need it, that's where it should go.
> 2. Copy the file exec.c into src/modules/rlm_mschap, too.
No.
> 3. In rlm_mschap
On Fri, 11 Nov 2005, Alan DeKok wrote:
> Are the attributes being received by the proxy? If so, which module
> is deleting them?
>
> Debug mode should tell you more...
Okey doke. I dunno why I didn't see this before, but I did some more
testing in debug mode and found that [EMAIL PROTECTED
Nicolas Baradakis wrote:
I think it was working in version 1.0.x without rlm_exec module
instantiated. Moreover, I'm not sure if the linker is able to find
the missing symbol in a different module on all systems...
It was working with 1.0.x and in CVS until the changes you mentioned.
In my cas
when a radius client asks my freeradius, if the Realm is "" I want to
authorize him with the first SQL server and if the Realm is "" with
the second one.
I already have two different sql configuration files, sql1.conf and
sql2.conf, with instance name SQL1 and SQL2.
I had been trying to do
Michael Griego wrote:
> It's a configuration issue. You didn't configure the rlm_exec module,
> which is called to execute ntlm_auth.
I think it was working in version 1.0.x without rlm_exec module
instantiated. Moreover, I'm not sure if the linker is able to find
the missing symbol in a differ
Is it possible to have [EMAIL PROTECTED] authenticated against MSsql and [EMAIL
PROTECTED] authenticated against MySql?
thanks in advance.
Luca Corti wrote:
> When trying to authenticate everything seems to be fine, but fails when
> executing ntlm_auth.
[...]
> error: /usr/lib/freeradius/rlm_mschap-1.1.0-pre0.so: undefined symbol:
> radius_exec_program
>
> Is this a configuration issue or a bug?
It's a bug. It seems I removed too
It's a configuration issue. You didn't configure the rlm_exec module,
which is called to execute ntlm_auth.
--Mike
Luca Corti wrote:
Hello,
I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius
+PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on
debian.
Mark,
You are now able to pass authorization strings to the Netscreen
successfully? Are you still using the formats <(NS-Admin-Privilege =
"Read-Only-Admin") (NS-Admin-Privilege = "Read-Write-Admin")>? For some
reason, all of my authentications fail once I enable remote
authorization on the
Hello,
I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius
+PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on
debian.
When trying to authenticate everything seems to be fine, but fails when
executing ntlm_auth.
Here's the debugging log.
Processing the
Ok, I skimmed through the mailing list notes last night (mostly via
Google) and found a number of notes that said it was only possible
to do EAP authentications against an LDAP server if the server has
either cleartext passwords or NT hashes in it. Some of those notes
were very old and the ldap_
Hi, my version of FreeRadius is 1.0.5 and what I'm trying to do is that
when a radius client asks my freeradius, if the Realm is "" I want to
authorize him with the first SQL server and if the Realm is "" with
the second one.
I already have two different sql configuration files, sql1.conf and
I found another weird thing:
the account log file "/var/log/radius/radacct/192.168.10.2./detail-20051114"
does contain the correct username entries, in the mysql table radacct the
account start logging is missing:
+++ /var/log/radius/radacct/192.168.10.2./detail-20051114:
Mon Nov 1
This is a good string to start. We are likely to commit to MobileIP in the
near future. I would like to better understand how to implement in a
freeradius environment
-- Original Message --
From: "Stefan A." <[EMAIL PROTECTED]>
Reply-To: FreeRadius use
I really appreciate that the FreeRADIUS developers actually take their
time to do end user support on this list. I am impressed by the work
you all do. Getting two(!) working solutions to a problem in a couple
of hours during the weekend, is a level of support that I think you
can't buy from any
Garrett's hint :
https://list.xs4all.nl/pipermail/freeradius-users/2005-November/048278.html
solved this problem ...
I've used:
CFLAGS="-I../include -I/usr/sfw/include/openssl" ./configure
--prefix=/usr/local/freeradius --localstatedir=/var/ --sysconfdir=/etc
and "make && make install" finish
Pedro Marcolino wrote:
> Hi Nicolas,
>
> I'm sorry to bother you again, but even after applying the patch I
> get the same problem. Are you sure this patch will resolve this
> problem?
Next time please send messages to freeradius-users@lists.freeradius.org
and not my personal e-mail address.
Th
Well, it seems to have been an issue with the setuid part of the
helper app. I changed it from:
if (!(initsetuid(1)))
exit(1);
to
if (!(initsetuid(0)))
exit(1);
and it now seems to work. Strange that it worked before switching
hardware, but at least it is work
Yohoo!
>> I hope, I could help some people trying to use AD for radius.
>there is another way - use the krb module to authenticate against AD
Are there any advantages/ disadvantages ldap <-> krb5?
Date: Mon, 14 Nov 2005 01:31:24 -0500
From: "Alan DeKok" <[EMAIL PROTECTED]>
Subject: Re: radiusd error AFTER ok
To: FreeRadius users mailing list
Message-ID: <[EMAIL PROTECTED]>
"Drew S. Dupont" <[EMAIL PROTECTED]> wrote:
This app used to work just fine before my recent HD and MoBo cr
Thanks Nicolas,
It works fine.
Just for info, the attributes to use in the mssql.conf file are
"postauth_table" and "postauth_query"
With the following radius configuration :
post-auth {
Post-Auth-Type REJECT {
sql
}
}
Regards,
Thierry.
>Thierry Hoferli
Hi,
> Are there any advantages/ disadvantages ldap <-> krb5?
LDAP advantage is that you can get more information out of
the AD...which is what I believe is the desire in this case
alan
Yohoo!
> What about the password?
Which password? The User-Password? Or the shared secret?
The Password for the Proxy-User is written down in the radiusd.conf.
> I thought this was a kerberos one and didn't reside into the ldap itself?
Kerberos is installed, but I don't use it (I think so! ;-)
What about the password?
I thought this was a kerberos one and didn’t reside into the ldap itself?
--
Jonathan De Graeve
Network/System Administrator
Imelda vzw
Informatica Dienst
015/50.52.98
[EMAIL PROTECTED]
-
Always read the manual for the correct way
Yohoo!
Yes! I did it!
;)
My freeradius (1.0.1-1.RHEL3) authenticates against our ActiveDirectory
(on 2003 Server). Without ntlm_auth!
Below I have added a short summary how I realized it here.
But now I have a question and I can't solve it for myself. I want to ret
Hi,
> I hope, I could help some people trying to use AD for radius.
there is another way - use the krb module to authenticate against AD
alan
Yohoo!
>LDAP advantage is that you can get more information out of
>the AD...which is what I believe is the desire in this case
Gotcha! :)
My google-searches had driven me into the direction to use _only_ ntlm_auth for
authentication vs. AD.
Meanwhile I had also triggered out the needed groups
On Monday, 14 November 2005 13:07, Christian wrote:
> Yohoo!
(...)
> Works fine here. Is there the need of a short howto for the doc/ ?
Definitely yes !
--
Dr. Michael Schwartzkopff
MultiNET Services GmbH
Bretonischer Ring 7
85630 Grasbrunn
Tel: (+49 89) 456 911 - 0
Fax: (+49 89) 456 911 - 21
hi all ::
I have a weird problem. If I am not mistaken sessions are logged and
removed on accounting-start and accounting-stop but I have encountered
where an active session for a particular user has been deleted from
the session database without the corresponding accounting stop packet.
I am runni
"Alan DeKok" <[EMAIL PROTECTED]> writes:
> =?iso-8859-1?Q?Bj=F8rn_Mork?= <[EMAIL PROTECTED]> wrote:
>> We don't really _know_ that rlm_perl is the cause, though...
>
> Try grabbing revision 1.19 of rlm_perl from CVS.
Thanks!
Looks very good so far. I also got a tip from Boyan Jordanov on how
Hi all,
Can some one please tell me if the current version of
free radius supports EAP-AKA? If so, how can we set it
up to work with x-supplicant on Linux?
Thanks
Rajeshwari
All,
is Mobile IP a Subject for Freeradius?
Has anybody a running Mobile IP environment to talk about the configuration of the
RADIUS server and possibly about other topics of Mobile IP?
Thanks.
Stefan