Hi All,
Authentication takes more time when two ldap servers are configured (for
redundancy) and one is not reachable. I have configured the redundant ldap
module as specified in the doc.
authorize {
;;
;;
redundant {
ldap-server-1
ldap-server-2
}
}
authenticate {
;;
;;
Auth-Type ldap-server-1
But when I had a client in the nas table and I tried to auth, it didn't work;
it's like it didn't even check in there. Are you sure the nas table is used?
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Alan DeKok
Sent: Saturday, 17 February 2007 1:36 p.m.
To:
When using EAP-TLS as the only method in freeradius, is there a way to
define a list of allowed users, perhaps by the CN on their client
certificate?
I want it so that not *everyone* who has a certificate signed by the CA list
can authenticate, but rather a select few (of which I know the CN of t
Sam Schultz wrote:
> According to my research, FreeRADIUS supposedly does work from
> behind an LVS load balancer. My current configuration works
> perfectly outside of the LVS, but once it is put behind the LVS it
> ceases to work. Connections seem to succeed even behind the LVS,
> until the
VeNoMouS wrote:
> I was just wondering why we have a nas table in mysql when it doesn't act
> like clients.conf. I've tried putting nas details into the nas config without
> any nas's in clients.conf but radius does not start, so what is the nas
> table actually for then?
Storing client informati
adnan khan wrote:
> I hope you are all fine. Sir, I can't find the dictionary.tunnel file,
> what can I do? Because I have to add the users on a different VLAN;
> without this file (dictionary.tunnel), can I add the users on a different VLAN?
See dictionary.rfc2868. It was renamed.
Alan DeKok
Hi guys
I was just wondering why we have a nas table in mysql when it doesn't act
like clients.conf. I've tried putting nas details into the nas config without
any nas's in clients.conf but radius does not start, so what is the nas
table actually for then?
-
List info/subscribe/unsubscribe? S
Unfortunately, it isn't possible to use direct routing on this
network. I was thinking there may be some way to coerce FR into
thinking the load balancer is another radius server sending over
proxied requests, or something like that.
>Sam Schultz wrote:
>
>> From what little information I could
Sam Schultz wrote:
> From what little information I could find on this, it looks like
> the freeradius thinks these are proxied requests due to ip mangling
> done by the LVS load balancer (Basically, it's a 1:1 NAT).
>
> Has anyone come across anything like this? Any pointers for
> work-arounds
According to my research, FreeRADIUS supposedly does work from
behind an LVS load balancer. My current configuration works
perfectly outside of the LVS, but once it is put behind the LVS it
ceases to work. Connections seem to succeed even behind the LVS,
until they get to an access challenge,
Hi sir,
I hope you are all fine. Sir, I can't find the dictionary.tunnel file, what can I
do? Because I have to add the users on a different VLAN; without this file
(dictionary.tunnel), can I add the users on a different VLAN?
Looking forward to hearing from you
regards
adnan
Frank DiGennaro wrote:
...
> as it should. My Cisco has this:
>
> radius-server host 192.168.3.1 auth-port 1812 acct-port 1813
Which is the port which packets are sent TO.
> as it should. /etc/services is also 1812. So I run radius –x and try to
> log into the Cisco. My radius server responds
If you look in sql.conf you should see:
# Safe characters list for sql queries. Everything else is replaced
# with their mime-encoded equivalents.
# The default list should be ok
safe-characters = "@abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789.-_: /"
You can add $ to that list
[EMAIL PROTECTED] wrote:
> I am trying to authenticate Cisco enable password requests via freeradius
> (1.1.3.) on a mysql
> (5.0.26) database.
>
> As per http://wiki.freeradius.org/Cisco, the router tries to authenticate
> user $enab15$ but it
> doesn't get matched on mysql query because '$' ge
After removing the rlm_perl directory and rebuilding freeradius (no
errors), I am getting:
# radius.exe -X
...
Module: Library search path is /usr/local/lib
radiusd.conf[10] Failed to link to module 'rlm_sql': Permission denied
radiusd.conf[1850] Unknown module "sql".
radiusd.conf[1779] Failed to
OK. I have tried to get this to work but cannot figure out how to do
this. Could you point me in the right direction.
Thanks
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Wednesday, February 07, 2007 7:58 PM
To: FreeRadiu
I am trying to authenticate Cisco enable password requests via freeradius
(1.1.3.) on a mysql
(5.0.26) database.
As per http://wiki.freeradius.org/Cisco, the router tries to authenticate user
$enab15$ but it
doesn't get matched on mysql query because '$' gets escaped to '=24'
radius_xlat: '$en
Hello;
I installed freeradius v1.1.4 (standard build) to authenticate my Cisco
routers. Radius.h defines this:
#define PW_AUTH_UDP_PORT 1812
as it should. My Cisco has this:
radius-server host 192.168.3.1 auth-port 1812 acct-port 1813
as it should. /etc/services i
On Fri 16 Feb 2007 13:27, Larin Denis wrote:
> The help is necessary.
> Is 2 RADIUS servers and 1 NAS, it is necessary if authorization has
> not passed on the first to be authorized on the second, what it is
> necessary for this purpose?
Most NAS support multiple radius servers.. Have a look at t
Alan DeKok wrote:
> Bjarni Hardarson wrote:
>> Thanks.
>>
>> Do you know when 1.1.5 will be released?
>
> Soon, I think. In the mean time, "branch_1_1" in CVS has the fix.
>
Thanks again, seems to be working :)
regards/mvh
Bjarni Hardarson
Hi!
What does the TTY stand for when I do a "radwho"?
//Max
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
> I have changed from freeradius 1.1.2 to freeradius 1.1.3 and now it
> works with the same configuration. I don't know the reason, but now it
> works.
..but 1.1.4 is current release ;-)
alan
Habegger Lukas, ERZ-AZD-AIL wrote:
> Because I have a perl script to switch between two different Samba-servers
> for authorization.
Which doesn't work too well. Samba isn't designed to do that.
> I had several problems with this setup because parallel requests cause that
> the wrong domain
This is documented in radiusd.conf in the "detail" section.
-Peter
On Fri 16 Feb 2007 06:46, Foo JH wrote:
> Thanks Peter and Alan for your replies.
>
> I don't mind recompiling, except that I need to run FreeRadius as a
> Windows service, and I don't know what it takes to enable mysql in the
> c
On Thu 15 Feb 2007 11:37, Max Jonborn wrote:
> Personally I'd recommend a distro with a functioning package handler, my
> suggestion is debian. Feels good when you update the whole system with
> the ease of one command. The wet dream of every admin.
Yep. Debian has "apt-get upgrade", SUSE has "rug
Because I have a perl script to switch between two different Samba-servers for
authorization.
I had several problems with this setup because parallel requests cause that the
wrong domain is
available (The domain-switch wouldn't be blocked for a request).
Is there an easier way to do the ntlm_au
On Tue, 13-02-2007 at 12:14 +0100, Angel L. Mateo wrote:
> Hello,
>
> More info about my problem... In the radius.log file I have a lot of
> entries of the form:
>
> Tue Feb 13 12:12:13 2007 : Error: rlm_radutmp: Logout for NAS ap port
> 1627, but no Login record
> Tue Feb 13 12:12:35
The help is necessary.
Is 2 RADIUS servers and 1 NAS, it is necessary if authorization has
not passed on the first to be authorized on the second, what it is necessary
for this purpose?
--
Alan DeKok wrote:
>Walter Goulet wrote:
>
>
>>How does FreeRADIUS's rlm_eap module choose the cipher suite used for
>>EAP-TLS/TTLS sessions?
>>
>>
>
> It relies on OpenSSL to do the negotiation.
>
>
>
>>RFC 2246 for TLS states that the client presents the list of
>>ciphersuites supported
Bjarni Hardarson wrote:
> Alan DeKok wrote:
>> I've tested & committed a fix that will be in 1.1.5.
>>
> Thanks.
>
> Do you know when 1.1.5 will be released?
Soon, I think. In the mean time, "branch_1_1" in CVS has the fix.
Alan DeKok.
--
http://deployingradius.com - The web si
Hi All,
Authentication takes more time when 2 ldap servers are configured and one is
not reachable. I have configured the redundant ldap module as specified in
the doc.
authorize {
;;
;;
redundant {
ldap-server-1
ldap-server-2
}
}
authenticate {
;;
;;
Auth-Type LDAP {
redundant {
Habegger Lukas, ERZ-AZD-AIL wrote:
> Hi
>
> Is it possible to do the ntlm_auth authorization used for PEAP with a
> perl-script over rlm_perl?
Why? The MSCHAP module already does this for you.
If you want to know how to re-do all of that work in the Perl module,
look at the code in the msc
Alan DeKok wrote:
> I've tested & committed a fix that will be in 1.1.5.
>
Thanks.
Do you know when 1.1.5 will be released?
regards/mvh
Bjarni Hardarson
Hi
Is it possible to do the ntlm_auth authorization used for PEAP with a
perl-script over rlm_perl?
And if yes how?
Greetings
Lukas
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL
PROTECTED]
Sent: Thursday, 15 February 2007 16:00
Bjarni Hardarson wrote:
> Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows
> Vista clients. That works fine but now I got problems with missing reply
> attributes for Mac OSX clients using EAP-TTLS.
>
> FreeRADIUS sends an Access-Challenge with the correct attributes but
>
Hi!
Is it possible to implement such functionality with the usage of attr_rewrite
module that whenever a packet arrives to freeradius module will check if
particular parameter exists in a request and if it doesn't, it will try to
create it from other set of packet parameters? Maybe it can be do
Alan DeKok wrote:
> Please try the attached patch. If it works, I'll add it to 1.1.5.
Never mind, it doesn't work. Give me a bit...
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/ - The blog
Bjarni Hardarson wrote:
> Hi list!
>
> Recently upgraded from 1.1.3 to 1.1.4 to support EAP-PEAP for Windows
> Vista clients. That works fine but now I got problems with missing reply
> attributes for Mac OSX clients using EAP-TTLS.
>
> FreeRADIUS sends an Access-Challenge with the correct attr