xia sihua wrote:
...
> CA_file = ${cadir}/ca.pem
>
>
> The supplicant I use TeraDot1x Tester from Spirent communication.
> ...
> Configuration:
...
> Root Certificate Filename: server.pem
I think that should be "ca.pem".
> rlm_eap_tls: <<< TLS 1.0 Alert [length 0002], fatal unknown_ca
Michael Torrie wrote:
> Yet I still have the problem where after the Access-Challenge is sent,
> the Vista clients just silently drop things and the connection fails.
> This is the behavior that I know I would get if I don't have the
> required OID in the certificate. Yet it is there! I ran 'ope
Chris wrote:
> When trying to compile freebsd port of 2.0.3 on 6.3 with the
> postgresql83 library (also from ports), I get the following:
>
> .libs/exec.o(.text+0x536): In function `radius_exec_program':
> : undefined reference to `closefrom'
...
> I'm not familiar with "closefrom" Which library
> Hi again,
>
>
>
> I want to know what I am doing wrong. I have an MSSQL database and it's
> working great. Now I want to tweak my setup with including some
> attribute in group. But it seems that rlm_sql didn't go see groupcheck
> or groupreply. I also put read_groups = yes in mssql.conf
Hi! At
Hi,
I am using 2.0.3 version. When I generate certificate using those
files ca.cnf, server.cnf, client.cnf xpextensions Makefile which are
in the directory ../raddb/certs/. Then I use "make server.vrfy" verify
the server certificate, is OK. "make client.vrfy" also ok.
I use EAP-TLS authentica
Alan DeKok wrote:
>Ramm-Ericson, Johannes wrote:
>> From what I understand the current Freeradius code interprets the RFC
>> statement so that if the NAS-Port attribute is not sent then the access
>> request is not processed and subsequently denied (in rlm_radutmp.c -
>> line 404).
>
> No.
>
> Th
Hi,
> When I connect with unix/localuser via telnet on my baystack switch I
> received message (Access Denied from Radius server)
you are getting an authenticate...and access accept...but what
about an authorization. what return attributes must you return
to your kit for a successful telnet into
When trying to compile freebsd port of 2.0.3 on 6.3 with the
postgresql83 library (also from ports), I get the following:
.libs/exec.o(.text+0x536): In function `radius_exec_program':
: undefined reference to `closefrom'
.libs/session.o(.text+0x4fa): In function `rad_check_ts':
: undefined refe
It works well!
Thanks all for your answer!
Francis Provencher
Ministère de la Sécurité publique du Québec
Direction des technologies de l'information
Division de la sécurité informatique
Tél: 1 418 646-3258
BlackBery; 1 418 473 6419
Courriel: [EMAIL PROTECTED]
CEH - Certified Ethical Hackers
S
DEFAULT Calling-Station_Id == whatever, Auth-Type := Accept
Put that in users file. You don't need exec program.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "rsg" <[EMAIL PROTECTED]> wrote:
>Hi,
>
>While bypassing password Authentication based on the
>Calling-Station-Id, is there a way to
Arran Cudbard-Bell wrote:
> Comments, suggestions and corrections welcome.
>
> http://www.ja.net/documents/services/janet-roaming/sussex-freeradius-case-study.pdf
Very nice. It's always interesting to see what people do with the server.
> I'll also be around at Networkshop 36, so hope to see
You need Service-Type = Administrative-User in reply as well. Add that to
user entry.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "FRANCIS PROVENCHER" <[EMAIL PROTECTED]>
wrote:
>Hi all,
>
>I'm sorry if I'm double posting (I'm not sure if the first message was
>sent correctly..Sorry if it's t
FRANCIS PROVENCHER wrote:
> When I connect with unix/localuser via telnet on my baystack switch I
> received message (Access Denied from Radius server)
Because the Access-Accept is empty. The switch likely needs some
attributes in the Access-Accept in order to allow access. See the
switch docu
Hi again,
I want to know what I am doing wrong. I have an MSSQL database and it's
working great. Now I want to tweak my setup with including some
attribute in group. But it seems that rlm_sql didn't go see groupcheck
or groupreply. I also put read_groups = yes in mssql.conf
Here is my datab
Hi all,
I'm sorry if I'm double posting (I'm not sure if the first message was
sent correctly..Sorry if it's the second time you received this
message..)
When I connect with unix/localuser via telnet on my baystack switch I
received message (Access Denied from Radius server)
I take a look on log'
2008/4/4 Ivan Kalik <[EMAIL PROTECTED]>:
> OK. I can see it instantiated. But you would need unlang to call it as
> there is nothing to set the Auth-Type.
>
> There is another way in dealing with pap requests to AD avoiding
> ntlm_auth. Uncomment Auth-Type {ldap} in authenticate section and chan
Hi.
I have to take the /certs/*.* from old version and put this in new version,
but, I have same problem.
I have made all. For example, I have copied the radius.conf and eap.conf,
and clients.conf, and users from old version to new version, but I have the
same problem.
My clients can't connect. I
Hi,
> Alan, the certificates that i need to take from my old version are the
> /certs/*.* ?
yes. and then make sure they are called correctly in eap.conf
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Jakob Hirsch wrote:
Quoting Phil Mayers:
Basically, this works in "hints":
DEFAULT NAS-Port-Id =~ "(.+):(.+)", NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ "(.+):(.+)"
NAS-Port
Hi all,
I don't know why I can't login into the switch from Unix local user,
Here the log from radius server... (The auth seems to be successful
like the log tells.)
rad_recv: Access-Request packet from host 192.168.1.210 port 2048,
id=13, length=59
NAS-IP-Address = 192.168.1.210
Alan, the certificates that i need to take from my old version are the
/certs/*.* ?
Thanks.
--
Message: 3
Date: Fri, 4 Apr 2008 09:13:47 +0100
From: [EMAIL PROTECTED]
Subject: Re: Users cant connect Freeradius 2.0.2
To: FreeRadius users mailing list
Message
Quoting Phil Mayers:
Basically, this works in "hints":
DEFAULT NAS-Port-Id =~ "(.+):(.+)", NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ "(.+):(.+)"
NAS-Port = `%{expr:1000*%{1} +
Hi,
While bypassing password Authentication based on the
Calling-Station-Id, is there a way to still the Authentication to be
handled by rlm_pap and rlm_chap ?
When "Exec-Program-Wait" is used, PAP/CHAP based authentication can
still be performed by an external perl script. But that is not what
I've read through the list archives about people's problems with Vista
and FreeRadius, including the recent messages on this list in January,
and a couple of exchanges back in 2006 and 2007. I am running
FreeRadius 1.1.7 on a RHEL 4 box, compiled from Fedora 8's FreeRadius
SRPM. According to the
Hi All,
The University of Sussex recently completed a case study for JANET UK
focusing on implementing the eduroam service using FreeRADIUS. It's not
quite at the same level as the official eduroam cook book, but should
provide FreeRADIUS 2 users wishing to implement eduroam (visited / home)
Nortel:
http://www116.nortel.com/docs/bvdoc/ene_tech_pubs/2008_03_26_Authentication_Authorization_and_Accounting_for_ERS_and_ES_TCG_NN48500558.pdf
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "FRANCIS PROVENCHER" <[EMAIL PROTECTED]>
wrote:
>Hi all, I'm pretty new to Freeradius,
>
>We want to c
Basically, this works in "hints":
DEFAULT NAS-Port-Id =~ "(.+):(.+)", NAS-Port !* ANY
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-Through = Yes
...but this does not:
DEFAULT NAS-Port !* ANY, NAS-Port-Id =~ "(.+):(.+)"
NAS-Port = `%{expr:1000*%{1} + %{2}}`,
Fall-T
Hi all, I'm pretty new to Freeradius,
We want to centralize authentication in our environment.
I have searched on Google but I didn't find any "how to" about the
configuration of FreeRadius server vs Nortel Baystack switches. Someone
can point me in good direction for documentation to set this up
>> If in the radius.conf mschap section module I insert the same ntlm_auth
>> line of the exec. The sql don’t work but AD work. If I put nothing in
>> mschap section. The SQL works but not AD. So what I did make wrong
> 1) Do not create your own "ntlm_auth" module.
> 2) configure ntlm_auth in t
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1 4732[EMAIL PROTECTED] Cleartext-Password
EBLAImXtaUidLnSa:=
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1
Hi,
> Yes, I do it. But my problem is still present.
have you tried running exactly the same query that FreeRADIUS
runs - as seen in your log - manually? do you get to see
the same happy result?
alan
Yes, I fixed it.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008 4:57 PM
To: freeradius-users@lists.freeradius.org
Subject: RE: Why my schema is not working?
And the warning about using User-Password is now gone from the debug?
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "Dmitry A. Sysoev" <[EMAIL PROTECTED]> wrote:
>SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
>'[EMAIL PROTECTED]' ORDER BY id
>
>1 4732[EMAIL PROT
SELECT id,UserName,Attribute,Value,op FROM radcheck WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1 4732[EMAIL PROTECTED] Cleartext-Password
EBLAImXtaUidLnSa:=
SELECT id,UserName,Attribute,Value,op FROM radreply WHERE Username =
'[EMAIL PROTECTED]' ORDER BY id
1
What happens when you copy and paste the query from the debug? Can you
post the result?
I would doubt that the code is "allergic" to that particular group and
works for others. "blackholed" doesn't look like a reserved word.
Queries are executed by mysql not radius server.
Ivan Kalik
Kalik Informa
:)) no, I restarted the service :)
Upgrade was 28.03.2008 and from this date
My blackholed group is not working :(
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008 4:00 PM
To: freeradius-users@lists.freeradius.org
S
Or you haven't restarted the server after making configuration changes?
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "Dmitry A. Sysoev" <[EMAIL PROTECTED]> wrote:
>
>I just and did by debug.
>It seems to me, that there is any mistake in processing these
>queries in source codes freeradius.
>
I just and did by debug.
It seems to me, that there is any mistake in processing these
queries in source codes freeradius.
Sql.conf is _not_ changing in upgrade freeradius and
the database is _not_ changing too.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Be
3. blackholed in radgroupcheck and blackholed in usergroup are not the
same. There is space or some character in that field in usergroup table
so GroupName.radgroupcheck doesn't match GroupName.usergroup. Copy the
radgroupcheck statement from the debug and see if that returns anything.
Ivan Kalik
K
On Friday, 4 April 2008 09:17, Michael Schwartzkopff wrote:
> Hi,
>
> I have a problem configuring wireless 802.1x authentication with FR and a
> Windows client. I use version FR 2.0.3 and think I configured everything
> quite well.
>
> FR sends out the Access-Challenge but my windows client doe
Alan DeKok wrote:
>Ramm-Ericson, Johannes wrote:
>> OK. However, access requests from that particular NAS are in effect
>> not processed the way I expect because of the lacking NAS-Port which
>> still leaves me with a problem I need to understand and fix.
>
> There is likely nothing that you ca
Yes, I do it. But my problem is still present.
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, April 04, 2008 2:20 PM
To: [EMAIL PROTECTED]; FreeRadius users mailing list
Subject: Re: Why my schema is not working?
Hi,
> WARNING: Found User-Passw
When you do sample manually sql chooses all correctly. Why the radius does
not fulfil it? Why it does not find, what auth-type is reject?
In 1.1.7 all works fine.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Ivan Kalik
Sent: Friday, April 04, 2008 2:
1. That entry wasn't there when the server looked.
2. You are not looking into the same database as the server.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "Dmitry A. Sysoev" <[EMAIL PROTECTED]> wrote:
>
>Hmm... And why:
>select * from usergroup where
>username='[EMAIL PROTECTED]';
>1 17652
Hi,
> WARNING: Found User-Password == "...".
> WARNING: Are you sure you don't mean Cleartext-Password?
> WARNING: See "man rlm_pap" for more information.
lets start getting rid of your errors and warnings. update your 1.1.x
data so that operator is := and attribute is Cleartext-Password, not
radcheck? EAP-TLS is certificate based authentication. What is it reading
from users file? Reply attributes? They should be in radreply table.
This would be so much easier if you would provide relevant information:
user file entry that you want to store in sql; sql data for that user;
radiusd -X o
Hmm... And why:
select * from usergroup where
username='[EMAIL PROTECTED]';
1 17652 [EMAIL PROTECTED] blackholed
10
rad_recv: Access-Request packet from host 127.0.0.1 port 23905, id=127,
length=81
User-Name = "[EMAIL PROTECTED]"
User-Password = "EBLAImXtaUi
Hi Ivan
I'm using EAP-TLS authentication.
Could you tell me the sql configuration to allow EAP-TLS to read radcheck
table instead of users.conf file
Thanks
-Devinder
On 04/04/2008, Ivan Kalik <[EMAIL PROTECTED]> wrote:
>
> Which EAP? TLS, PEAP, something else? Have you uncommented sql in
> au
>rlm_sql (sqlauth): User found in group mppc
He is a member of another group that has higher priority.
Ivan Kalik
Kalik Informatika ISP
Good afternoon!
After upgrade 1.1.7 to 2.0.3+ freeradius
I have noticed, that that is brought in the table
has ceased to be processed
Select * from radgroupcheck where groupname='blackholed';
1 181 blackholed Auth-Type := Reject
2 182 blackholed Fall-Through = No
select * from usergroup whe
I tried.
Now my eap.conf > peap section is:
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
}
It works now.
Thank you
enrico
Ivan Kalik wrote:
eap.conf > pe
Which EAP? TLS, PEAP, something else? Have you uncommented sql in
authorize section? Debug would help.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "Devinder Singh" <[EMAIL PROTECTED]> wrote:
>Hi Ivan Kalik
>
>When I set EAP turned on using 802.1x authentication I don't seem to get users
>authe
Hi,
I have a problem configuring wireless 802.1x authentication with FR and a
Windows client. I use version FR 2.0.3 and think I configured everything
quite well.
FR sends out the Access-Challenge but my windows client does not answer it. I
recreated the default certificates to be sure that th
Hi,
> Hi Alan.
>
> In old version I don't to create SSL certificates. Just to configure file
> radius.conf, eap.conf, users, clients.conf and when I run the program it
> work fine.
>
> With a new versions I make same configurations but not work.
>
> ¿I think that the SSL certificates can be crea
eap.conf > peap section >
copy_request_to_tunnel = no
change it to yes.
Ivan Kalik
Kalik Informatika ISP
On 4/4/2008, "Enrico Fanti" <[EMAIL PROTECTED]> wrote:
>Hi.
>
>We have changed the query "authorize_check_query" to control the nas ip
> From where the client try to connect (AP Cisco).
OK. I can see it instantiated. But you would need unlang to call it as
there is nothing to set the Auth-Type.
There is another way in dealing with pap requests to AD avoiding
ntlm_auth. Uncomment Auth-Type {ldap} in authenticate section and change:
set_auth_type = no
to yes in ldap configuration
Hi
I want Free Radius to authenticate user in my Radcheck table using EAP-TLS
via 802.1x authentication.
Currently it is authenticating users in users.conf file
Regards
Devinder
Hi Ivan Kalik
When I set EAP turned on using 802.1x authentication I don't seem to get users
authenticated to the RADIUS Radcheck account table.
How do I enable EAP using 802.1x and allow users to get authenticated to the
RADIUS Server radcheck table which has the user name and login details
Thank