check-Item checked by ldap

2006-03-17 Thread Florian Prester
Hi, I am using an LDAP-Directory as Information-DB for authorisation. Now my question is: I want to grant access, if a user fulfills a LDAP-attribute, for example: users-file: ... test LDAP-Group == "test" Service-Type = "Administrative-User", cisco-avpair= "shell:priv-lvl=15" ..

General question about authentication/authorization

2006-03-17 Thread Florian Prester
Hi, 1.) in the users-file, I can only check for attributes provided by the request - correct? 2.) in the users-file, if an entry matches all check-attributes, I can specify an Auth/Autz-Type - correct? 3.) in the users-file, if I do not specify the Auth/Autz-Type the radius is taken the reques

Questions about FreeRadius proxy

2006-03-17 Thread Dovelet
Hi all, I am new in FreeRadius and I hope someone can kindly help me. I have several questions: Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy server. I know Realm can do it but I found that to use Realm, the user needs to append the domain @xxx.com (i.e. [EMAIL PROT

Re: Assigning DNS servers

2006-03-17 Thread Joe Maimon
Tony Spencer wrote: I'm using a Cisco 7204VXR to do the authentication. It seems it doesn't pass these attributes. Debugging radius and AAA authentication shows all the other attributes it's passing. Anyone using a Cisco to do radius authentication and assign DNS servers? Yes Primar

Re: Module not loading

2006-03-17 Thread Tomás A. Rossi
Alan DeKok wrote: "Tomás A. Rossi" <[EMAIL PROTECTED]> wrote: That's not my point. I'm not trying to say that you should do that but rather to print some kind of message showing that the server has read the module instantiation. Why? It doesn't, in fact,

pppoe+mysql+Framed-IP-Address

2006-03-17 Thread Norbert Grochal
I have just run pppoe server with freeradius pppoe user radius.so and radattr.so modules It works ok, but clients get 'random' IP addresses... I need static IP (like that in /etc/ppp/chap-secrets last column). I try to add 1 record to my mysql, so I have: mysql> SELECT id, UserName, Attri

Re: Questions about FreeRadius proxy

2006-03-17 Thread Phil Mayers
Dovelet wrote: Hi all, I am new in FreeRadius and I hope someone can kindly help me. I have several questions: Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy server. I know Realm can do it but I found that to use Realm, the user needs to append the domain @xxx.com (

Re: General question about authentication/authorization

2006-03-17 Thread Phil Mayers
Florian Prester wrote: Hi, 1.) in the users-file, I can only check for attributes provided by the request - correct? I think so 2.) in the users-file, if an entry matches all check-attributes, I can specify an Auth/Autz-Type - correct? yes 3.) in the users-file, if I do not specify the A

Re: Freeradius & Mysql initial install

2006-03-17 Thread Atkins, Dwane P
My mistake on the working. I had checked the clients.conf and it was correct. Does the login user need to have an account on the local radius server? In other words, do I need to create a user in mysql and link it to the radius database and ALSO complete a useradd statement on the Fedora box? N

Re: General question about authentication/authorization

2006-03-17 Thread Florian Prester
Thank you for your answer, I try to specify my problem more clearly. Phil Mayers wrote: Florian Prester wrote: Hi, 1.) in the users-file, I can only check for attributes provided by the request - correct? I think so ok 2.) in the users-file, if an entry matches all check-attributes

Re: General question about authentication/authorization

2006-03-17 Thread Alan DeKok
Florian Prester <[EMAIL PROTECTED]> wrote: > 1.) in the users-file, I can only check for attributes provided by the > request - correct? Yes. > 2.) in the users-file, if an entry matches all check-attributes, I can > specify an Auth/Autz-Type - correct? Yes. > 3.) in the users-file, if

Re: Module not loading

2006-03-17 Thread Alan DeKok
"Tomás A. Rossi" <[EMAIL PROTECTED]> wrote: > I mean a message saying something like: > *WARNING: module _blabla_ instantiated but not used, radiusd will ignore it* Perhaps you didn't read my response. The module is *not* instantiated, because it's not used. > No offen

Re: pppoe+mysql+Framed-IP-Address

2006-03-17 Thread Alan DeKok
"Norbert Grochal" <[EMAIL PROTECTED]> wrote: > | 77 | norbert | User-Password | | == | ... > CHAP-Challenge = 0x4aaccdf7f520730e84f58bc4018c04217b97 > CHAP-Password = 0xb6fe48120b0aed82ffdb4d782f3b51cd6a There is no User-Password in the packet, so using '==' f

rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread Agent Smith
Hello group, I have FR configured for EAP/TLS for wireless but I ran into an interesting problem. When a user connects, they are presented with a login box (username, password and domain name) if they put a domain name in the domain field, radius can't authenticate them and gives that error mess

Re: General question about authentication/authorization

2006-03-17 Thread George C. Kaplan
Florian Prester wrote: >>> Now the big question: >>> If I have a user who is authenticated, meaning correct username + >>> password whereas the password is stored in LDAP. >>> I want to replay attributes according to some other information >>> stored in LDAP - how can I do such a thing, like: >>>

Re: Mysql problem

2006-03-17 Thread Guy Fraser
On Thu, 2006-16-03 at 10:45 +0100, KNO wrote: > On 3/16/06, Alan DeKok <[EMAIL PROTECTED]> wrote: > > "Fabiano Rodrigo Boscatto" <[EMAIL PROTECTED]> wrote: > > > Hi there, i have freeradius working fine with mysql authentication. The > > > problem is that the User-Password is stored in mysql table

freebsd module rlm_sql Segmentation fault

2006-03-17 Thread Vasco Santos
Hi folks, I have freebsd 4.10-RELEASE and freeradius version 1.0.1 and radiusd -x give me this error: The Debug: Module: Loaded SQL rlm_sql (sql): Driver rlm_sql_mysql (module rlm_sql_mysql) loaded and linked rlm_sql (sql): Attempting to connect to [EMAIL PROTECTED]:/radius rlm_sql (sql):

Re: pppoe+mysql+Framed-IP-Address

2006-03-17 Thread Norbert Grochal
> > | 77 | norbert | User-Password | | == | > ... > > CHAP-Challenge = 0x4aaccdf7f520730e84f58bc4018c04217b97 > > CHAP-Password = 0xb6fe48120b0aed82ffdb4d782f3b51cd6a > > There is no User-Password in the packet, so using '==' for comparison > will never result i

rlm_perl question (was Re: General question about authentication/authorization)

2006-03-17 Thread George C. Kaplan
Phil Mayers wrote: > Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set > Auth-Type based on the incoming requests e.g. the "mschap" modules sets > Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the > "chap" and "eap" modules. "pap" is a bit more complex a

Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread Alan DeKok
Agent Smith <[EMAIL PROTECTED]> wrote: > When a user connects, they are presented with a login > box (username, password and domain name) if they put a > domain name in the domain field, radius can't > authenticate them and gives that error message. when > the domain field is left empty, it works

Re: Questions about FreeRadius proxy

2006-03-17 Thread Alan DeKok
Dovelet <[EMAIL PROTECTED]> wrote: > Q1) I just setup a FreeRadius server and I want to set it as a Radius Proxy > server. I know Realm can do it but I found that to use Realm, the user needs > to append the domain @xxx.com (i.e. [EMAIL PROTECTED]) at the end. Is it true? No. You can have defau

Re: Freeradius & Mysql initial install

2006-03-17 Thread Alan DeKok
"Atkins, Dwane P" <[EMAIL PROTECTED]> wrote: > Does the login user need to have an account on the local radius server? > In other words, do I need to create a user in mysql and link it to the > radius database and ALSO complete a useradd statement on the Fedora box? No. You do not need local us

Re: Freeradius & Mysql initial install

2006-03-17 Thread A . L . M . Buxey
Hi, > My mistake on the working. I had checked the clients.conf and it was > correct. > > Does the login user need to have an account on the local radius server? > In other words, do I need to create a user in mysql and link it to the > radius database and ALSO complete a useradd statement on

Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread A . L . M . Buxey
Hi, > When a user connects, they are presented with a login > box (username, password and domain name) if they put a > domain name in the domain field, radius can't > authenticate them and gives that error message. when > the domain field is left empty, it works fine. > > I read some posting tha

primary backup configuration

2006-03-17 Thread Maqbool Hashim
Hi, I have two radius servers one primary and one backup one, on different ip addresses. They both have a mysql backend which runs on the same physical machine. I need the sql database and radius configuration files to be synchronised periodically (probably every 24 hours). I guess this is

Re: Module not loading

2006-03-17 Thread Tomás A. Rossi
Alan DeKok wrote: "Tomás A. Rossi" <[EMAIL PROTECTED]> wrote: I mean a message saying something like: *WARNING: module _blabla_ instantiated but not used, radiusd will ignore it* Perhaps you didn't read my response. The module is *not* instantiated, becau

Re: General question about authentication/authorization

2006-03-17 Thread Phil Mayers
Alan DeKok wrote: 5.) Authorization is even if a password is correct, the user may not use/do something - correct? Yes. Strictly speaking, during the authorisation section of the FR config, you haven't determined the password is correct yet. You don't need me to tell you this of course -

Re: rlm_perl question (was Re: General question about authentication/authorization)

2006-03-17 Thread Alan DeKok
"George C. Kaplan" <[EMAIL PROTECTED]> wrote: > I've been wondering about this, in relation to the rlm_perl module. We > see "Don't set Auth-Type in the users file" all over the place, but with > rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for > authorization, I *have to* set

Re: General question about authentication/authorization

2006-03-17 Thread Phil Mayers
Florian Prester wrote: >> so, AFAIK authorization is retrieving user-information from a source? Yes, however see Alan's reply - his "yes" and my "no" are not as contradictory as they might seem (it's purely semantics). See below. ok, let's assume a user can authenticate because he/she suppl

Re: rlm_perl question (was Re: General question about authentication/authorization)

2006-03-17 Thread Phil Mayers
George C. Kaplan wrote: Phil Mayers wrote: Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set Auth-Type based on the incoming requests e.g. the "mschap" modules sets Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the "chap" and "eap" modules. "pap" is a

Backup/Primary Radius Config

2006-03-17 Thread Maqbool Hashim
Hi, I have two radius servers one primary and one backup one, on different ip addresses. They both have a mysql backend which runs on the same physical machine. I need the sql database and radius configuration files to be synchronised periodically (probably every 24 hours). I guess this is

Detail files

2006-03-17 Thread Lisa Casey
Hi, Currently my Freeradius server writes new accounting detail files each day. In radiusd.conf if I were to change detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d to detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m Would it then write one detail file for each month?

Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread Agent Smith
This was taken from radiusd -X, and then I logged in with a username, password and domain name too. Ideally I'd like to make it so that it works either way but for now I'll settle with ability to login when the domainname was supplied. Thanks, rad_recv: Access-Request packet from host 192.168

Re: pppoe+mysql+Framed-IP-Address

2006-03-17 Thread Alan DeKok
"Norbert Grochal" <[EMAIL PROTECTED]> wrote: > > There is no User-Password in the packet, so using '==' for comparison > > will never result in a match. > > but it still works with '==', why? You didn't post debug logs showing it working. I suspect it doesn't. As for your original question

Re: primary backup configuration

2006-03-17 Thread Alan DeKok
Maqbool Hashim <[EMAIL PROTECTED]> wrote: > I have two radius servers one primary and one backup one, on different > ip addresses. They both have a mysql backend which runs on the same > physical machine. I need the sql database and radius configuration > files to be synchronised periodically

Re: Module not loading

2006-03-17 Thread Alan DeKok
"Tomás A. Rossi" <[EMAIL PROTECTED]> wrote: > I wish I could do that but I'm not that familiarized with FreeRADIUS > yet. No complaints at all, just concede me the point and do not deny it > by comparing it with other commercial and worst-documented software, please. So

Re: check-Item checked by ldap

2006-03-17 Thread Alan DeKok
Florian Prester <[EMAIL PROTECTED]> wrote: > I want to grant access, if a user fulfills a LDAP-attribute, for example: > > users-file: > ... > test LDAP-Group == "test" ... > ldap.attrmap: > ... > checkItem LDAP-Group Userid No. Do NOT add that entry to ldap.attr

Re: Question about a configuration entry in the eap.conf file

2006-03-17 Thread Alan DeKok
"Terry Zarelli" <[EMAIL PROTECTED]> wrote: > A list is maintained to correlate EAP-Response > packets with EAP-Request packets. After a > configurable length of time, entries in the list > expire, and are deleted. > > timer_expire = 60 An EAP conversation spans multiple RADIUS packe

RE: primary backup configuration

2006-03-17 Thread Gunther
I setup MySQL one-way replication between the two MySQL servers. That means both DB's are always in sync, with the 2nd (and 3rd...) DB updated from the master. As soon as you add another row into the db only in the secondary db, the replication will stop updating the secondary db. I have two RADIU

Backend Retry option

2006-03-17 Thread Craig T. Hancock
When configuring your backend authentication and authorization system how does the retry option work. What I want to know is when connecting to the backend server and if it fails to connect given a specified time does freeradius cache the IP address after the first DNS lookup of the server DNS na

RE: Freeradius & Mysql initial install

2006-03-17 Thread Atkins, Dwane P
Alan & Alan, Here is excerpts from the clients.conf file: client 127.0.0.1 { secret = testing123 shortname = localhost nastype = other # localhost isn't usually a NAS... Users atkinsd Auth-Type := Local, User-Password == "cisco123"

detail Files

2006-03-17 Thread Lisa Casey
Hi, I sent this email a couple of hours ago but it hasn't appeared on the list yet so I'm resending it. If it comes through twice, accept my apologies. Currently my Freeradius server writes new accounting detail files each day. In radiusd.conf, if I were to change detailfile = ${radacctdir

Question about a configuration entry in the eap.conf file.

2006-03-17 Thread Terry Zarelli
Hello, I have a question about a configuration entry in the eap.conf file. What does the following entry mean: A list is maintained to correlate EAP-Response packets with EAP-Request packets. After a configurable length of time, entries in the list expire, and are deleted. timer_expire

Re: Backup/Primary Radius Config

2006-03-17 Thread Dennis Skinner
Maqbool Hashim wrote: > Hi, > > I have two radius servers one primary and one backup one, on different > ip addresses. They both have a mysql backend which runs on the same > physical machine. I need the sql database and radius configuration > files to be synchronised periodically (probably ever

Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread Alan DeKok
Agent Smith <[EMAIL PROTECTED]> wrote: > rad_recv: Access-Request packet from host > 192.168.3.44:1645, id=139, length=139 > User-Name = "UPG\\test" ... > EAP-Message = 0x0202000f123d4544566a726176616c ... > rlm_realm: Found realm "NULL" > rlm_realm: Adding Stripped-User-Nam

Re: rlm_perl question (was Re: General question about authentication/authorization)

2006-03-17 Thread George C. Kaplan
Phil Mayers wrote: > George C. Kaplan wrote: >> I've been wondering about this, in relation to the rlm_perl module. We >> see "Don't set Auth-Type in the users file" all over the place, but with >> rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for >> authorization, I *have to*

Re: pppoe+mysql+Framed-IP-Address

2006-03-17 Thread Norbert Grochal
]: module "preprocess" returns ok for request 9453 radius_xlat: '/usr/local/var/log/radius/radacct/10.10.10.120/auth-detail-20060317' rlm_detail: /usr/local/var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /usr/local/var/log/radius/radacct/10

Re: Freeradius & Mysql initial install

2006-03-17 Thread Alan DeKok
"Atkins, Dwane P" <[EMAIL PROTECTED]> wrote: > This is from radiusd -X ... > rlm_sql_mysql: Mysql error 'Access denied for user 'atkinsd'@'localhost' > (using password: YES)' You do realize that this has nothing to do with shared secrets? You've mistyped the password in sql.conf. Alan DeKok.

Re: Backend Retry option

2006-03-17 Thread Alan DeKok
"Craig T. Hancock" <[EMAIL PROTECTED]> wrote: > Or does it attempt to do a DNS lookup on the server IP address on > each retry. It does DNS lookups only when it starts, or receives a HUP. > I am trying to investigate the possibility of load balancing my > authentication > backend through

Re: rlm_eap: identity does not match User-Name, setting from EAP identity

2006-03-17 Thread NNTP Newsagent
I sent this earlier but it doesn't look like it made it, so here it goes again. This is the output from radiusd -X rad_recv: Access-Request packet from host 192.168.3.44:1645, id=139, length=139 User-Name = "UPG\\test" Framed-MTU = 1400 Called-Station-Id = "0013.8032.40d1"

Re: Question about a configuration entry in the eap.conf file

2006-03-17 Thread Terry Zarelli
This may seem off topic, but here it is: I am currently using Freeradius 1.1.0 on Solaris 9 to authenticate WPA enabled clients using EAP-TLS. I am using Cisco 1130 AG access points controlled by a Cisco/Airespace 2000 Wireless Controller using the LWAPP protocol. I have just recently instal

Re: detail Files

2006-03-17 Thread Guy Fraser
On Fri, 2006-17-03 at 16:15 -0500, Lisa Casey wrote: > Hi, > > I sent this email a couple of hours ago but it hasn't appeared on the list > yet so I'm resending it. If it comes through twice, accept my apologies. > > > Currently my Freeradius server writes new accounting detail files each day.

Re: Question about a configuration entry in the eap.conf file.

2006-03-17 Thread Phil Mayers
Terry Zarelli wrote: Hello, I have a question about a configuration entry in the eap.conf file. Why did you think posting the same identical question twice, 24 hours apart, would help? See Alan's reply. Leave it alone. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list

Re: rlm_perl question (was Re: General question about authentication/authorization)

2006-03-17 Thread Phil Mayers
George C. Kaplan wrote: Or you're using an authentication method (Kerberos, in my case) that isn't one of the standard methods associated with the authorization module. (As Alan points out, you have to know what you're doing to make this work). Hmm. PAP seems to be the big problem area in thes

Re: Question about a configuration entry in the eap.conf file.

2006-03-17 Thread Terry Zarelli
I apologize, it appeared that my first post did not show up on the list. Sorry On 3/17/06, Phil Mayers <[EMAIL PROTECTED]> wrote: Terry Zarelli wrote: > Hello, > > I have a question about a configuration entry in the eap.conf file. Why did you think posting the same identical question twice, 24 hours

Re: Duplicate Attributes

2006-03-17 Thread Grahame Jordan
Hi, This is a fresh install on a new server. I tried the source and the debian unstable deb with the same result. I carefully rm -rf'd the libraries etc in question and reinstalled. Specifically these are the duplicate entries. running "freeradius -yzX" /usr/share/freeradius/dictionary.asce

Re: Duplicate Attributes

2006-03-17 Thread Alan DeKok
Grahame Jordan <[EMAIL PROTECTED]> wrote: > Specifically these are the duplicate entries. running "freeradius -yzX" > > /usr/share/freeradius/dictionary.ascend[1233]: dict_addvalue: Duplicate > value > name Route-IPX-No for attribute X-Ascend-Route-IPX You're on a 64-bit machine. Version 1.