I'm after some documentation on setting up host authentication on
FreeRADIUS (or an example config).
This URL here looks like what I need,
http://support.novell.com/docs/Tids/Solutions/10100693.html, but their
instructions are pretty lousy: "For machine-based authentication or
user based
I trigger a machine logon attempt by booting the laptop or logging out
of an active session (both seem to work).
As near as I can tell the XP machine floods the RADIUS server with
authentication attempts. All seem to fail but the last one, but it has
no effect; the machine does not connect to the
Hi Alan!
On 7/5/07, Alan DeKok [EMAIL PROTECTED] wrote:
George Beitis wrote:
... I will use a policy engine to do that
and I want to overwrite the final decision if the user is not authorized
based on my policy.
Is postauth the right place to do this?
Yes.
But you can't turn a
Hi,
This URL here looks like what I need,
http://support.novell.com/docs/Tids/Solutions/10100693.html, but their
instructions are pretty lousy: "For machine-based authentication or
user based authentication, modify the RADIUSD.CONF file by adding the
following lines:" doesn't say where or what
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
you actually made a very good point :) I didn't realize there was an
authorize part in the workflow of FreeRADIUS. That would be before
post-auth; are there any other steps after authorize and before post-auth?
For (non-proxied)
For proxied ones, would the last 2 remain the same?
Regards,
George
Tomas Hoger wrote:
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
you actually made a very good point :) I didn't realize there was an
authorize part in the workflow of FreeRADIUS. That would be before
post-auth; are
Hi all,
Does anybody have experience in setting up FR to support IP VRF for Cisco equipment?
Can you point me to some clear and simple configuration guide for doing that?
TIA,
Francesco.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 7/6/07, George Beitis [EMAIL PROTECTED] wrote:
For proxied ones, would the last 2 remain the same?
No.
authorize
pre-proxy
post-proxy
post-auth
th.
Lisa Casey wrote:
Hi,
I have a FreeBSD 5.3 machine that I want to install FreeRADIUS on. The
FreeRADIUS that was in the ports on this machine was FR 1.0.1, and that was
kind of old, so I updated the ports collection and now the FR port that I
have is FreeRADIUS 1.1.6.
When I typed make, I
Jacob Jarick wrote:
This URL here looks like what I need,
http://support.novell.com/docs/Tids/Solutions/10100693.html, but their
instructions are pretty lousy: "For machine-based authentication or
user based authentication, modify the RADIUSD.CONF file by adding the
following lines:" doesn't say
The config on the client follows exactly what the howto recommends, with the one
change of checking "authenticate as computer when computer information
is available". Which, as you can see, does attempt to auth.
The cert options are set as in this picture:
Tomas Hoger wrote:
Isn't authorize a better place for that? Even the name suggests
authorization should be done there... ;)
No. authorize is run before authentication for historical reasons.
Policies should really be applied *after* a user authenticates, which
means post-auth.
Just wondering
quick question,
should machine authentication work if I follow the howto on a base
system, or will I need to add attr_rewrites as suggested in the Novell
howto?
On 7/6/07, Jacob Jarick [EMAIL PROTECTED] wrote:
The config on the client follows exactly what the howto recommends, with the one
change of
[EMAIL PROTECTED] wrote:
...
those parts can go pretty much anywhere in the main config file - e.g.
stick them at the end of the file.
Nope.
Alan DeKok.
Francesco Cristofori schrieb:
Hi all,
Does anybody have experience in setting up FR to support IP VRF for Cisco
equipment?
Can you point me to some clear and simple configuration guide for doing that?
Putting a user into a certain VRF is quite simple:
vrfuser User-Password == topsecret
Hi!
I have radius1 configured as a proxy RADIUS to radius2. Users like
[EMAIL PROTECTED] are proxied to radius2, which authenticates these
usernames.
Question 1:
Radius2 returns me the following reply packet if auth is successful:
Service-Type = Framed-User
Framed-Protocol =
The common order is authentication, then authorization. FreeRADIUS
mixes up the names for historical reasons.
It's a long shot, but: wouldn't it make sense to clear up the wording for 2.0? I
know it would break all existing configs out there, but manually working
through the config is needed
Hi,
quick question,
should machine authentication work if I follow the howto on a base
system, or will I need to add attr_rewrites as suggested in the Novell
howto?
You will need to do the attr_rewrites or the hostname won't be munged
properly.
alan
The only thing you need to set on FreeRADIUS is the Cisco hack so it deals
with AV pairs correctly. Then add AV pairs to the user or group
configuration and they will work.
If you are looking for a Cisco guide how to set up VRF with Radius:
Hi,
those parts can go pretty much anywhere in the main config file - e.g.
stick them at the end of the file.
Nope.
Sorry, yes - they must go into the config file BEFORE they are instantiated,
before a module. i.e. if you are calling them from authorize, then put them into the
config
Stefan Winter wrote:
It's a long shot, but: wouldn't it make sense to clear up the wording for 2.0? I
know it would break all existing configs out there, but manually working
through the config is needed anyways...
I know that this wording startled me quite a bit when I was new here...
It's
Alan DeKok wrote:
Tomas Hoger wrote:
Isn't authorize a better place for that? Even the name suggests
authorization should be done there... ;)
No. authorize is run before authentication for historical reasons.
Policies should really be applied *after* a user authenticates, which
Arran Cudbard-Bell wrote:
Btw, the server appears to be leaking scary amounts of memory; I'm going to
try and track it down to something in the config...
That's not good.
After 50,000 PAP authentications (running in parallel sets of 15) it had
leaked about 20 MB, and was still increasing
Hi Alan!
On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
Isn't authorize a better place for that? Even the name suggests
authorization should be done there... ;)
No. authorize is run before authentication for historical reasons.
Yes I do understand authorize is run before authenticate and I
Tomas Hoger wrote:
Yes, authenticate, authorize is the order most commonly used. But I
think it may still be acceptable to apply policies before
authenticating the user, e.g. if authentication is more expensive
(either in terms of time or CPU usage). A few examples:
Yes. I've had that
/freeradius/radacct/192.168.2.1/detail-20070706'
rlm_detail:
/var/log/freeradius/radacct/%{Client-IP-Address}/detail-%Y%m%d expands
to /var/log/freeradius/radacct/192.168.2.1/detail-20070706
modcall[accounting]: module detail returns ok for request 1
modcall[accounting]: module unix returns ok
[EMAIL PROTECTED] wrote:
The problem is that if I use the nostrip directive in the proxy.conf of the
proxy server, all works fine.
But I need to store logins on i2t.server.com without the realm name,
so I use this configuration from the proxy.conf in the proxy server:
You can't strip
Hi, All,
I've changed jobs this week, and am no longer working with freeRADIUS,
but wanted to thank the folks here for the help I've received and for
all the work that's gone into freeRADIUS. If I ever run into a need
for an AAA server, I'll be back, but probably not before 2.0.0 is
obsolete and
On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
Roy Walker wrote:
I've spent a fair amount of time looking into proper HUP handling. It
turns out *no one* does it well. Almost all daemons simply restart.
Alan DeKok.
talking again about it..
as you already know, my problem is CRL
I need machines to be able to authenticate so that a user who has
never logged onto a computer can, via the machine, have an active network
connection and pull the credentials from the samba-ldap domain. I
have a realm set up to strip the domain/ part of the username, which works
fine, but
Hi,
I need machines to be able to authenticate so that a user who has
never logged onto a computer can, via the machine, have an active network
connection and pull the credentials from the samba-ldap domain. I
have a realm set up to strip the domain/ part of the username, which works
inverse wrote:
talking again about it..
as you already know, my problem is CRL reloading.
Is it too bad if I modify the rlm_eap_tls code to reload the CRL/CA
cert when needed (i.e. when there's an EAP-TLS auth going on)?
I'm willing to give it at least a try with ver 1.1.6 which I'm
Can anyone direct me to an example eap.conf entry to use EAP-SIM? I
have looked but I don't see an example.
Cheers,
Garvin.
Peter Nixon [EMAIL PROTECTED] said:
And different pool names in each instance
Yup, although obviously the Pool-Name is set up independently of the
sqlippool instances. I have some unlang at the start of 'authorize' section
that sets the Pool-Name based on a mix of NAS IP and
I've about got it, but now I am getting an EAP error that the username
isn't correct.
I added this above preprocess:
attr_rewrite add-dollar-sign {
	attribute = User-Name
	searchfor = ^host/(.*)
	searchin = packet
	new_attribute = no
On Fri 06 Jul 2007, Hugh Messenger wrote:
Peter Nixon [EMAIL PROTECTED] said:
And different pool names in each instance
Yup, although obviously the Pool-Name is set up independently of the
sqlippool instances. I have some unlang at the start of 'authorize'
section that sets the
Hi,
I've about got it, but now I am getting an EAP error that the username
isn't correct.
I added this above preprocess:
attr_rewrite add-dollar-sign {
	attribute = User-Name
	searchfor = ^host/(.*)
	searchin = packet
Alan DeKok wrote:
(1) The shared secret is wrong
(2) The code is buggy
There are no alternatives.
This is often due to broken MD5 libraries, or 32/64-bit issues. But
FreeRADIUS hasn't had those kind of bugs for *years*.
Yep, you were right, there must be some corruption or
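As an added example (not from the thread and not FreeRADIUS code), here is what "the shared secret is wrong" looks like on the wire. It builds an Access-Request and an Access-Accept from the RFC 2865 definitions with only the Python standard library: the server decrypts User-Password with its own secret, and the client checks the reply's Response Authenticator with its own. A mismatched secret on either side produces a garbage password or a failed reply check, which is the "every attempt fails" symptom rather than a visible error. The secret `testing123`, the user and the password are made up for the example.

```python
"""Added example (not from the thread, not FreeRADIUS code): RFC 2865
Access-Request / Access-Accept handling with the Python stdlib, showing
why a wrong shared secret makes reply verification fail and turns the
User-Password into garbage on the server side.  Secret, user and
password used here are constructed for the example."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_SERVICE_TYPE = 1, 2, 6
HEADER = struct.Struct("!BBH")  # Code, Identifier, Length; 16-byte Authenticator follows


def encode_attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 5: Type(1) Length(1, includes the 2-byte header) Value."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def _password_xor(data: bytes, secret: bytes, request_auth: bytes, decrypt: bool) -> bytes:
    """RFC 2865 5.2: 16-byte blocks XORed with MD5(secret + previous
    ciphertext block); the first block is keyed by the Request Authenticator."""
    if not data or len(data) % 16:
        raise ValueError("User-Password field must be a non-empty multiple of 16 bytes")
    out, prev = bytearray(), request_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        xored = bytes(a ^ b for a, b in zip(block, key))
        out += xored
        prev = block if decrypt else xored  # the chain always feeds the ciphertext forward
    return bytes(out)


def encrypt_user_password(password: bytes, secret: bytes, request_auth: bytes) -> bytes:
    if not 0 < len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _password_xor(padded, secret, request_auth, decrypt=False)


def decrypt_user_password(cipher: bytes, secret: bytes, request_auth: bytes) -> bytes:
    # trailing NULs are padding (passwords are assumed not to end in NUL)
    return _password_xor(cipher, secret, request_auth, decrypt=True).rstrip(b"\x00")


def build_packet(code: int, ident: int, authenticator: bytes, attrs: bytes) -> bytes:
    return HEADER.pack(code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(ident, username, password, secret, request_auth=None):
    """Client side.  The Request Authenticator must be unpredictable (RFC 2865 3);
    a fixed one is only accepted here so the example is reproducible."""
    request_auth = request_auth or os.urandom(16)
    attrs = encode_attr(ATTR_USER_NAME, username)
    attrs += encode_attr(ATTR_USER_PASSWORD, encrypt_user_password(password, secret, request_auth))
    return build_packet(ACCESS_REQUEST, ident, request_auth, attrs)


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    body = HEADER.pack(code, ident, 20 + len(attrs)) + request_auth + attrs + secret
    return hashlib.md5(body).digest()


def build_reply(code, request, attrs, secret):
    """Server side: the reply is bound to the request's Identifier and Authenticator."""
    ident, request_auth = request[1], request[4:20]
    auth = response_authenticator(code, ident, attrs, request_auth, secret)
    return build_packet(code, ident, auth, attrs)


def reply_is_authentic(reply, request, secret) -> bool:
    """Client side check.  A secret mismatch on either end fails here, which is
    all the client ever sees of 'the shared secret is wrong'."""
    if len(reply) < 20:
        return False
    code, ident, length = HEADER.unpack(reply[:4])
    if length != len(reply) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, reply[20:], request[4:20], secret)
    return hmac.compare_digest(expected, reply[4:20])


def server_reads_password(request, secret) -> bytes:
    """Server side: walk the AVPs and decrypt User-Password with *its* secret."""
    attrs, pos = request[20:], 0
    while pos + 2 <= len(attrs):
        attr_type, length = attrs[pos], attrs[pos + 1]
        if length < 2 or pos + length > len(attrs):
            raise ValueError("malformed AVP")
        if attr_type == ATTR_USER_PASSWORD:
            return decrypt_user_password(attrs[pos + 2:pos + length], secret, request[4:20])
        pos += length
    raise ValueError("no User-Password in request")
```

Note that nothing in the packet format tells either side that the secret differs: the server just sees a wrong password and the client just sees an unverifiable reply, so checking `clients.conf` against the NAS configuration is the first thing to do when every attempt fails.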
Ok, did that, and the connection gets farther now. I don't quite
understand how to get the other modules to use the Stripped-User-Name now.
rlm_attr_rewrite: Added attribute Stripped-User-Name with value
'host/itf-toshiba-asd'
modcall[authorize]: module copy.user-name returns ok for request
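The two things being fought with in this thread and in the nostrip one above are both rewrites of User-Name: realm stripping (`user@realm`, `DOMAIN/user`) into Stripped-User-Name plus Realm, and the `add-dollar-sign` attr_rewrite that turns the XP supplicant's `host/name` into a Samba machine-account name. The following is an added example in plain Python, not FreeRADIUS code and not the Novell howto's configuration; it assumes the rewrite should produce `name$` with any DNS suffix dropped (the Samba/AD machine-account convention), and the sample names and realms are constructed.

```python
"""Added example (not from the thread, not FreeRADIUS code): what realm
stripping and the 'add-dollar-sign' rewrite do to User-Name, as a plain
function, plus the proxy/strip decision from proxy.conf.  Assumptions:
machine accounts are '<shortname>$' with the DNS suffix dropped; the
realm separators are '@', '/' and '\\'.  Names here are constructed."""
import re

# host/<name>[.<dns suffix>] as sent by the XP supplicant for machine logon
HOST_RE = re.compile(r"^host/([^./]+)(?:\.[^/]*)?$", re.IGNORECASE)
PREFIX_RE = re.compile(r"^([^\\/]+)[\\/](.+)$")  # DOMAIN\user or DOMAIN/user


def normalise_user_name(user_name: str) -> dict:
    """Return the attributes the request would carry afterwards:
    User-Name (untouched, what nostrip forwards), Stripped-User-Name
    (what you store locally or hand to ntlm_auth) and Realm."""
    result = {"User-Name": user_name, "Stripped-User-Name": user_name, "Realm": None}

    m = HOST_RE.match(user_name)
    if m:
        # assumption: Samba machine account is the short hostname plus '$'
        result["Stripped-User-Name"] = m.group(1) + "$"
        return result

    m = PREFIX_RE.match(user_name)
    if m:
        result["Realm"], result["Stripped-User-Name"] = m.group(1), m.group(2)
        return result

    if "@" in user_name:
        # rsplit so that an '@' inside the user part survives
        user, realm = user_name.rsplit("@", 1)
        if user and realm:
            result["Realm"], result["Stripped-User-Name"] = realm, user
    return result


def route(attrs: dict, local_realms: set, strip: bool = True) -> tuple:
    """Decide as proxy.conf does: a realm that is not local is proxied.
    'strip' is the inverse of proxy.conf's 'nostrip' and selects which
    name is forwarded.  Returns (destination, forwarded User-Name)."""
    realm = attrs["Realm"]
    local = {r.lower() for r in local_realms}
    if realm is None or realm.lower() in local:
        return ("LOCAL", attrs["Stripped-User-Name"])
    return (realm, attrs["Stripped-User-Name"] if strip else attrs["User-Name"])
```

The point of returning all three attributes is the one the nostrip poster ran into: the name you forward to the home server and the name you store or authenticate locally are different attributes, and the modules that run after the rewrite have to be told which one to read.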
I have played with this a bit and can't seem to get it working...
I need to add the NAS-Port = 0 attribute to an incoming request if it
is not set. This is currently breaking my sqlippool config and the
upstream partner making the requests is not giving me a NAS-Port
attribute.
It looks
Hi,
Is there any easy way to convert a freeradius clients file to a clients.conf
file? I have several dozen entries in my clients file and if I have to
convert this by hand it's going to be a lot of typing...
Lisa Casey
Lisa Casey wrote:
Hi,
Is there any easy way to convert a freeradius clients file to a clients.conf
file? I have several dozen entries in my clients file and if I have to
convert this by hand it's going to be a lot of typing...
Lisa Casey
Attached are a couple of ugly Perl scripts I used
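An added example, not the Perl scripts attached to the reply above: a converter from the 1.x `clients` file to `clients.conf` syntax. It assumes the old file's layout as the old parser read it, one client per line as `host-or-ip secret [shortname]` with `#` comment lines and double quotes around secrets containing spaces; the `naslist` file (NAS type) is not covered. The sample file is constructed, and the "weak secret" threshold is a chosen policy value.

```python
"""Added example (not the Perl scripts from the thread): convert a
FreeRADIUS 1.x 'clients' file into clients.conf blocks.  Assumed input
format: 'host-or-ip  secret  [shortname]' per line, '#' comment lines,
quotes honoured as the old getword() parser did.  Sample is constructed."""
import shlex

SAMPLE_CLIENTS = """\
#Client Name            Key                      Shortname
#----------------       ----------               ---------
localhost               testing123
portmaster1.isp.com     "Pa55 word!"             pm1
10.20.0.0/24            s3cret-and-long-enough   lab-nas
"""


def parse_clients(text: str) -> list:
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = shlex.split(line)  # handles "quoted secret with spaces"
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'client secret [shortname]'")
        host, secret = fields[0], fields[1]
        # assumption: the old file defaulted shortname to the host column
        shortname = fields[2] if len(fields) > 2 else host
        entries.append({"host": host, "secret": secret, "shortname": shortname, "line": lineno})
    return entries


def _conf_string(value: str) -> str:
    """clients.conf double-quoted string; escape the two characters that
    would otherwise terminate or corrupt the quoting."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def to_clients_conf(entries: list) -> str:
    seen = set()
    blocks = []
    for e in entries:
        if e["host"] in seen:
            raise ValueError(f"line {e['line']}: duplicate client {e['host']}")
        seen.add(e["host"])
        blocks.append(
            f"client {e['host']} {{\n"
            f"\tsecret = {_conf_string(e['secret'])}\n"
            f"\tshortname = {_conf_string(e['shortname'])}\n"
            "}\n"
        )
    return "\n".join(blocks)


def weak_secrets(entries: list, min_len: int = 16) -> list:
    """While the list is in hand: flag the stock example secret and short
    ones.  min_len is a policy choice for this example, not a FreeRADIUS rule."""
    return [e["host"] for e in entries if e["secret"] == "testing123" or len(e["secret"]) < min_len]


def convert(text: str) -> str:
    return to_clients_conf(parse_clients(text))


if __name__ == "__main__":
    print(convert(SAMPLE_CLIENTS))
    print("# weak secrets:", ", ".join(weak_secrets(parse_clients(SAMPLE_CLIENTS))))
```

The converter refuses duplicate client entries rather than silently letting the last one win, and quoting every secret means a `#` or a space in a secret cannot change the meaning of the generated file.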
Added this to the hints file:
DEFAULT Suffix == "", Strip-User-Name = No
	Hint = "GPRS",
	NAS-Port = 0
Worked.
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]s.org] On Behalf Of Roy Walker
Sent: Friday, July 06, 2007 3:15 PM
To: FreeRadius users mailing list
Subject:
locate src/tests/eapsim
Ivan Kalik
Kalik Informatika ISP
Dana 6/7/2007, Garvin Haslett [EMAIL PROTECTED] piše:
Can anyone direct me to an example eap.conf entry to use EAP-SIM? I
have looked but I don't see an example.
Cheers,
Garvin.