>-Authentication through LDAP
YES. Using it currently!
>-Authorization through LDAP
YES. See above :)
>-Accounting through MySQL
YES. Doing traffic accounting.
>I have multiple Cisco and Foundry devices on my network. The RADIUS server
>will primarily be used for AAA for Telnet/SSH logins
Hello,
I have been researching the use of FreeRADIUS on my network for the past few days. I'm
not sure if FreeRADIUS can do what I want. Here is a list of my
requirements:
-Authentication through LDAP
-Authorization through LDAP
-Accounting through MySQL
I have multiple Cisco and Fo
running: Redhat Enterprise Linux version 4
Openvpn 2.0.7 (server)
freeradius pam_radius-1.3.16 (client)
Using the above the Openvpn server will authenticate an Openvpn
client using a radius server on a remote machine.
The above ONLY works when the username supplied by the Openv
Hi,
We use FreeRadius with unixODBC and the rlm_sql to connect to a
Microsoft SQL database. All works great... except if the SQL database
goes down, firewall has the translate table, someone trips over a
network cable anything that causes the connection between the
radius and SQL to be distur
AHHHA! I did *not* use with-udpfromto... DOH!
On 6/15/06, Kevin Bonner <[EMAIL PROTECTED]> wrote:
On Thursday 15 June 2006 13:20, Matt wrote:
> I have freeradius running on a machine with 2 IPs. I have it binding
> to all available IPs.
>
> xxx.xxx.xxx.44 is the main IP of the machine
> xxx.x
On Thursday 15 June 2006 13:20, Matt wrote:
> I have freeradius running on a machine with 2 IPs. I have it binding
> to all available IPs.
>
> xxx.xxx.xxx.44 is the main IP of the machine
> xxx.xxx.xxx.26 is the secondary IP. (eth0:1)
>
> When a request comes in on .26 freeradius processes it and
Matt wrote:
> I have freeradius running on a machine with 2 IPs. I have it binding
> to all available IPs.
>
> xxx.xxx.xxx.44 is the main IP of the machine
> xxx.xxx.xxx.26 is the secondary IP. (eth0:1)
>
> When a request comes in on .26 freeradius processes it and THEN sends
> the reply out .44!
That fixed it, thank you Alan
Tavis, could you please fill a 1.4.2 paragraph in the wiki that
describes your FR setup with an SQL backend?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I have freeradius running on a machine with 2 IPs. I have it binding
to all available IPs.
xxx.xxx.xxx.44 is the main IP of the machine
xxx.xxx.xxx.26 is the secondary IP. (eth0:1)
When a request comes in on .26 freeradius processes it and THEN sends
the reply out .44! Is this the way it is
Alan DeKok wrote:
> Tavis P <[EMAIL PROTECTED]> wrote:
>
>> mysql> SELECT id,UserName,Attribute,Value,op FROM radius_check WHERE
>> Username = '200110005339' ORDER BY id;
>> ++--+--+--++
>> | id | UserName | Attribute| Value
[EMAIL PROTECTED] wrote:
> By itself, this works and no zombies are left behind, as expected. However,
> when used with FreeRadius, zombies are left behind.
FreeRADIUS has a wrapper around fork() that modules are expected to
use. The reason is that the server is threaded, and some modules want
On Thu, Jun 15, 2006 at 05:42:45PM +0200, [EMAIL PROTECTED] said:
> Greetings,
>
> I have FreeRadius 1.1.0 working on Debian 3.1 on an Intel box.
>
> When using rlm_perl, the authenticate() sub does its job and, eventually,
> calls a method to send an email to a certain address before returning O
Greetings,
I have FreeRadius 1.1.0 working on Debian 3.1 on an Intel box.
When using rlm_perl, the authenticate() sub does its job and, eventually,
calls a method to send an email to a certain address before returning OK.
The problem is that this SMTP connection can take longer than wished,
ther
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> I think the fixes are in CVS head but they were never included in any
> stable release.
Whoops, that's a bug. It should be fixed in both rlm_Detail &
radrelay.
Alan DEKok.
Bjørn Mork <[EMAIL PROTECTED]> wrote:
> Stripping NULs off the end of a string is interpreting them as string
> terminators. The RFC forbids this.
No, it doesn't. And even if it did, who cares?
> It demands that implementations deal with embedded NULs. If
> FreeRADIUS str
"Robles Rodriguez,Alejandro" <[EMAIL PROTECTED]> wrote:
> That would be the case if I only had one single radiusd running, however as
> already mentioned this solution encompasses a number of radius servers each
> with its
> own mysql server and the same storage (NDB cluster) behind the scenes i
> So I must do source-level hacks to be able to send a 1-octet \000
> attribute, with current FreeRADIUS? Have I understood you correctly?
No. Use the "octets" type, and set the value to 0x00.
The problem comes because you're either using "string" type, or
you're using "octets", but assignin
Hello,
I had opened a subject, where I explained a problem with the proxy function of FreeRadius.
http://lists.freeradius.org/mailman/htdig/freeradius-users/2006-May/053544.html
So, I have tried to install on another computer ... And I always have the problem ...
It's possible that the problem is in
Great, thanks. Then my guess is that xlat (which is invoked in radiusd to
mangle strings) strips the value, while things work good on the client side,
which doesn't use xlat. I think xlat also isn't involved with Proxy-State and
friends, so these are untouched.
But this is getting beyond my kno
Stefan Winter <[EMAIL PROTECTED]> writes:
>> Notice the MS-CHAP-Challenge. That's why I said "as long as the
>> attribute is of type "octets"".
>>
>> Calling-Station-Id is truncated at the first NUL.
>>
>> MS-CHAP-Challenge is transmitted, even if it contains just a single
>> NUL octet
>
> Okay,
"Alan DeKok" <[EMAIL PROTECTED]> wrote:
> A simple solution would be to go to the bottom of rlm_sqlippool.c,
>and change it from RLM_TYPE_THREAD_SAFE to RLM_TYPE_THREAD_UNSAFE.
>Then re-compile & re-install.
That would be the case if I only had one single radiusd running, however as
already men
> Notice the MS-CHAP-Challenge. That's why I said "as long as the
> attribute is of type "octets"".
>
> Calling-Station-Id is truncated at the first NUL.
>
> MS-CHAP-Challenge is transmitted, even if it contains just a single
> NUL octet
Okay, could you try to put 0x00 into the Calling-Station-Id
Stefan Winter <[EMAIL PROTECTED]> writes:
>> Seems to work here, as long as the attribute is of type "octets".
>
> Hm, what exactly do you mean?
>
>> Calling-Station-Id =\000
>>
>> results in:
>>
>> Calling-Station-Id = ""
>
> This is the behaviour I described as fine (the \000 is kicked
Erik Bolsø <[EMAIL PROTECTED]> writes:
> On 2006-06-15 14:00, Bjørn Mork <[EMAIL PROTECTED]> wrote:
>
>> Seems to work here, as long as the attribute is of type "octets".
>> Calling-Station-Id is a FreeRADIUS "string", not to be confused with
>> a RFC2865 "string". MS-CHAP-Challenge is a FreeRADIU
Hi,
> Seems to work here, as long as the attribute is of type "octets".
Hm, what exactly do you mean?
> Calling-Station-Id =\000
>
> results in:
>
> Calling-Station-Id = ""
This is the behaviour I described as fine (the \000 is kicked since it is the
last character, and what remains i
The problem is that my wifi card (Cisco Aironet) doesn't support TTLS; I'll try to find one which supports it.
About TTLS, is it that kind of EAP authentication with:
Step 1: TLS handshake, 1 certificate on radius server and 1 certificate on supplicant?
Step 2: Kerberos or any other kind o
On 2006-06-15 14:00, Bjørn Mork <[EMAIL PROTECTED]> wrote:
> Erik Bolsø <[EMAIL PROTECTED]> writes:
>
> > So I must do source-level hacks to be able to send a 1-octet \000
> > attribute, with current FreeRADIUS? Have I understood you correctly?
>
> Seems to work here, as long as the attribute is
Erik Bolsø <[EMAIL PROTECTED]> writes:
> So I must do source-level hacks to be able to send a 1-octet \000
> attribute, with current FreeRADIUS? Have I understood you correctly?
Seems to work here, as long as the attribute is of type "octets".
This test file:
[EMAIL PROTECTED]:/usr/local/test$ c
Hi,
> So I must do source-level hacks to be able to send a 1-octet \000
> attribute, with current FreeRADIUS? Have I understood you correctly?
At least, a more pragmatic reply. :-) Yes, in my understanding of the FR code,
this would need source code modifications. Still my opinion is to instead
Stefan Winter <[EMAIL PROTECTED]> writes:
>> Nothing forbidding a NUL here... "servers and clients MUST be able to
>> deal with embedded nulls". A 1-byte string containing just \000 seems
>> perfectly valid to me.
>
> Did you read what I wrote about "embedded" vs "terminating"? I'm closing this
>
On 2006-06-15 12:05, Stefan Winter <[EMAIL PROTECTED]> wrote:
> Hi,
>
> > > Then you are supposed to use the "integer" type, not "octets"
> >
> > No, that would be 4 octets. A 1-octet attribute allowing any value
> > must be of type "string" (in RFC language, "octets" in FreeRADIUS).
>
> Ah. The
Stefan Winter <[EMAIL PROTECTED]> writes:
>> RFC 2865 says
>>
>> "Note that none of the types in RADIUS terminate with a NUL (hex
>> 00). In particular, types "text" and "string" in RADIUS do not
>> terminate with a NUL (hex 00). The Attribute has a length field
>> and doe
thomas hahusseau wrote:
> Hello,
> I would like to set up that kind of configuration :
> EAP-PEAP(Mschapv2) Request ---> AP ---> Freeradius > Kerberos
> authentication to an Active Directory
This isn't possible - EAP-PEAP requires access to the plaintext password
or NTLM hash.
You should be a
Hi,
> > this is again an example where a RadSec extension would come in extremely
> > handy. Short wrapup: RadSec establishes connections via TCP and TLS and
> > transports the RADIUS payload over it, so clients can be identified by
> > their TLS certificate; IPs and shared secrets become obsolete.
> Nothing forbidding a NUL here... "servers and clients MUST be able to
> deal with embedded nulls". A 1-byte string containing just \000 seems
> perfectly valid to me.
Did you read what I wrote about "embedded" vs "terminating"? I'm closing this
incredibly pointless discussion, don't expect to h
Michael Chernyakhovsky wrote:
> I use radrelay
> there are errors in log from rlm_detail like
> Error: rlm_detail: Couldn't open file /var/log/radius/radacct/detail-relay:
> Bad file descriptor
>
> [...]
>
> Bad file description error appear because radrelay
> can remove detail file while rad_d
Hi,
> > Then you are supposed to use the "integer" type, not "octets"
>
> No, that would be 4 octets. A 1-octet attribute allowing any value
> must be of type "string" (in RFC language, "octets" in FreeRADIUS).
Ah. Then you are in the unlucky position that you are not allowed to send a
\000 to
Hi,
> Mean I dont want any CA or client certificate right even if I use my ownca
> by Openssl ?
sorry, I was unable to parse your question. As in: the sentence does not make
sense to me. What exactly do you want to know? I'll try my best to give a
generic answer...
The server needs one certif
> RFC 2865 says
>
> "Note that none of the types in RADIUS terminate with a NUL (hex
> 00). In particular, types "text" and "string" in RADIUS do not
> terminate with a NUL (hex 00). The Attribute has a length field
> and does not use a terminator. Text contains UTF-8 enco
On 2006-06-15 11:09, Stefan Winter <[EMAIL PROTECTED]> wrote:
> > Essentially, the vendor-specific attribute value is a 1-byte
> > unsigned
> > integer, not a string. Haven't done a live test yet, so I do not
> > know
> > how it handles the empty value. Perhaps all goes well. I'll let you
> > know.
Hello,
I would like to set up that kind of configuration :
EAP-PEAP(Mschapv2) Request ---> AP ---> Freeradius > Kerberos authentication to an Active Directory
In fact I would like to use Kerberos (which is supported by Active
Directory) instead of ntlm_auth, in freeradius features list avalai
Stefan Winter <[EMAIL PROTECTED]> writes:
>> Essentially, the vendor-specific attribute value is a 1-byte unsigned
>> integer, not a string. Haven't done a live test yet, so I do not know
>> how it handles the empty value. Perhaps all goes well. I'll let you
>> know.
>
> Then you are supposed to u
Mean I dont want any CA or client certificate right even if I use my ownca
by Openssl ?
-Original Message-
From: Stefan Winter [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 15, 2006 5:11 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: PEAP
Hi
(sorry, I'm not Alan
Stefan Winter <[EMAIL PROTECTED]> writes:
>> I'm having a curious problem with a vendor-specific single-byte
>> "octets"-attribute and attr_rewrite.
>>
>> Essentially, I'm trying to rewrite an ascii "0" to a single-byte 0x00
>> value. But after this rewrite rule, a zero-byte value is returned
>> i
Hi
(sorry, I'm not Alan, hope you don't mind)
> I just want to configure freeradius with PEAP (MS-Chap V2). I am new to
> freeradius and certificates. I just want to clear from experts here that
> do I need any certificate in client side if I use my ownca with open SSL
> ?
No. PEAP can do wit
> Essentially, the vendor-specific attribute value is a 1-byte unsigned
> integer, not a string. Haven't done a live test yet, so I do not know
> how it handles the empty value. Perhaps all goes well. I'll let you
> know.
Then you are supposed to use the "integer" type, not "octets" (then, you don
Hi All,
I just want to configure freeradius with PEAP (MS-Chap V2).
I am new to freeradius and certificates. I just want to clear from experts
here that do I need any certificate in client side if I use my ownca with
open SSL ?
Thanks for help
Regards
Naveen
On 2006-06-15 07:50, Stefan Winter <[EMAIL PROTECTED]> wrote:
> Hi,
> > I'm having a curious problem with a vendor-specific single-byte
> > "octets"-attribute and attr_rewrite.
> >
> > Essentially, I'm trying to rewrite an ascii "0" to a single-byte
> > 0x00
> > value. But after this rewrite rule,
48 matches