David Hláčik wrote:
Great, but it was not the case for freeradius 1.x, which I was using and
discussing all the time.
Then download 2.0, and run the bootstrap script from the source
directory. Then, copy the certificates to your 1.x directory.
You do NOT need to build or install 2.0.
jennie susan wrote:
Thank you alan for your time,
As I mentioned before, I am new to Linux too. I had installed OpenSSL
already and the libraries are in the /usr/local/lib folder.
As I said, you *also* need the development header files. Install those.
I don't know how to enable this (path) in
[EMAIL PROTECTED] wrote:
What I would like to do next is have the PrimaryGroupID or the gidNumber
in Opendirectory for that particular user passed back to, in this case an
Aruba Controller, so that the Aruba Controller can authorize the user
based on the group membership.
One system is doing this:
# radtest cjl 'password' 127.0.0.1 1 secret
Sending Access-Request of id 188 to 127.0.0.1 port 1812
User-Name = cjl
User-Password = password
NAS-IP-Address = 192.168.1.1
NAS-Port = 1
rad_recv: Access-Accept packet from host 127.0.0.1 port
Phil Mayers wrote:
...
rad_recv: Access-Reject packet from host 192.168.29.34:1812, id=7,
length=46
Proxy-State = 0x3633
MS-CHAP-Error = \000E=648 R=0 V=3
...however FreeRadius obeys the RFCs, and doesn't proxy the
MS-CHAP-Error packet back to the radius client (pppd
Chris wrote:
Should I expect something like this to do the right thing?
No. The configuration for modules cannot use unlang. unlang is
used *only* for processing packets.
Basically, I want to set certain ldap variables based on the
Huntgroup-Name. Without defining a bunch of different
Chris wrote:
One system is doing this:
...
The other is doing this:
It's an issue that shows up sometimes in 2.0.3. CVS head has a fix.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Any other dynamic expansions? server = ? filter = ?
On Apr 24, 2008, at 12:17 AM, Alan DeKok wrote:
Chris wrote:
Should I expect something like this to do the right thing?
No. The configuration for modules cannot use unlang. unlang is
used *only* for processing packets.
Basically, I
2008/4/23 Ivan Kalik [EMAIL PROTECTED]:
No idea. That check must have some purpose.
Usual workaround for this is to rewrite (update in freeradius speak)
NAS-Port attribute with the value of Calling-Station-Id (in unlang,
perl, ...). That sorts out missing NAS-Port in the request.
Yes,
On Apr 24, 2008, at 12:17 AM, Alan DeKok wrote:
The basedn is dynamically expanded. You can do something like:
modules {
ldap {
basedn = %{Tmp-String-1}
}
}
and then use unlang (or anything else) to set the value of
TMP-String-1 to whatever DN you want.
I think that's the right way. If the configuration has settings to use
either NAS-Port or Calling-Station-Id and the code doesn't support the
second option ... the code needs fixing.
Ivan Kalik
Kalik Informatika ISP
On 24/4/2008, rsg [EMAIL PROTECTED] wrote:
2008/4/23 Ivan Kalik [EMAIL
rlm_realm: Looking up realm xxx.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm xxx.com
rlm_realm: Proxying request from user nyp2inter to realm xxx.com
rlm_realm: Adding Realm = xxx.com
rlm_realm: Authentication realm is LOCAL.
modcall[authorize]: module suffix
Chris wrote:
And what would the unlang syntax be for setting the value of an
arbitrarily-named variable like that?
$ man unlang
It's not an arbitrarily named variable, it's defined in the private
FreeRADIUS dictionary. It's a string attribute, just like anything else.
Nothing I've tried
Hi List,
I am looking for a TACACS RADIUS solution. For some reason I can't
find that much information about freeradius-tacacs. My complete
setup needs to be database driven (LDAP/AD). I want to be able to log
every command a user executes, limit users into groups, limit groups
into commands
On Apr 24, 2008, at 1:41 AM, Alan DeKok wrote:
Chris wrote:
And what would the unlang syntax be for setting the value of an
arbitrarily-named variable like that?
$ man unlang
I have. Several times. Maybe I'm just an idiot.
It's not an arbitrarily named variable, it's defined in the
Please read the basics and then ask questions:
http://www.cisco.com/warp/public/480/10.html
Ivan Kalik
Kalik Informatika ISP
On 24/4/2008, Hof Wesley [EMAIL PROTECTED] wrote:
Hi List,
I am looking for a tacacs radius solution. For some reason I can't
find that much information about
Is there a method to do NAS based RADIUS proxying?
It would be handy to have some server side control like this.
Thanks for your thoughts
Hi,
Is there a method to do NAS based RADIUS proxying?
It would be handy to have some server side control like this.
Yes. You act on the NAS-IP-Address value - either in
unlang or with some Perl or Python etc. Then update
the control attribute to set its proxy realm internally,
then let
DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := whatever
Ivan Kalik
Kalik Informatika ISP
On 24/4/2008, rsg [EMAIL PROTECTED] wrote:
Is there a method to do NAS based RADIUS proxying?
It would be handy to have some server side control like this.
Thanks for your thoughts
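The NAS-based proxying that alan and Ivan describe above, written out as an added example in FreeRADIUS 2.x syntax (this is not configuration from the thread). The NAS address 192.0.2.10, the home server 198.51.100.5, the realm name "partner" and the secret are placeholders.

```unlang
# raddb/proxy.conf (added example; addresses, names and secret are placeholders)
home_server partner-radius {
	type   = auth
	ipaddr = 198.51.100.5
	port   = 1812
	secret = REPLACE-with-a-long-random-secret
	response_window = 20
	zombie_period   = 40
	status_check    = status-server
}

home_server_pool partner-pool {
	type        = fail-over
	home_server = partner-radius
}

# No "nostrip" would send Stripped-User-Name; we forward the name untouched.
realm partner {
	auth_pool = partner-pool
	nostrip
}

# raddb/sites-available/default, authorize section.  The decision is made on
# which NAS sent the request, not on the user's realm.  Proxy-To-Realm in the
# control list is what actually triggers proxying after authorize finishes.
authorize {
	preprocess
	# NAS-IP-Address is a value the NAS puts inside the packet.  If the
	# decision must not depend on what the NAS claims, compare
	# Packet-Src-IP-Address (the address the request really came from,
	# i.e. the one that matched clients.conf) instead.
	if (NAS-IP-Address == 192.0.2.10) {
		update control {
			Proxy-To-Realm := "partner"
		}
	}
	# suffix, files, ldap ... as in the stock default site
}
```

The one-line users-file form Ivan gives (`DEFAULT NAS-IP-Address == a.b.c.d, Proxy-To-Realm := whatever`) does the same thing through the files module; the unlang form is easier to extend with additional conditions. Either way the proxied request goes out with the secret configured for the home server, so that secret should be as long and random as the ones in clients.conf.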
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.
freeradius -X -A tells me:
Listening on authentication *:1812
Listening on accounting *:1813
Listening on proxy *:1814
Ready to process requests.
rad_recv: Access-Request packet from host
Hi,
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.
freeradius -X -A tells me:
Ignoring request from unknown client 172.29.11.1:21645
So it doesn't know about the client. But there is an entry in the clients.conf
file - did you
Chris wrote:
gets me closer, but I have quoting issues:
expand: %{control:Tmp-String-1} - ou\3daccounts\2cdc\3dviptalk\2cdc\3dnet
Hmm... OK, to fix that you'll have to update the LDAP module. Or,
ensure that the *dynamic* portions of the basedn don't contain '='.
I couldn't get anything
Omar Lopez Limonta wrote:
Hi, I have some problems with authentication in FreeRADIUS with a Cisco
Catalyst 3560 and 802.1X configuration.
...
rad_recv: Access-Request packet from host 172.29.11.1:21645, id=26, length=123
Ignoring request from unknown client 172.29.11.1:21645
...
My clients.conf
Hof Wesley wrote:
I am looking for a tacacs radius solution. For some reason I can't
find that much information about freeradius-tacacs.
It doesn't exist (yet).
My complete
setup needs to be database driven. (ldap/ad) I want to be able to log
every command a users executes, limit users
On Thu, Apr 24, 2008 at 1:11 PM, [EMAIL PROTECTED] wrote:
Ignoring request from unknown client 172.29.11.1:21645
So it doesn't know about the client. But there is an entry in the clients.conf
file - did you restart the freeradius process after adding that client?
Yes, I have restarted
Hi,
Yes, I have restarted the service when I change my clients.conf.
which clients.conf did you edit? /etc/freeradius/clients.conf ?
alan
On Thu, Apr 24, 2008 at 1:55 PM, [EMAIL PROTECTED] wrote:
Hi,
Yes, I have restarted the service when I change my clients.conf.
which clients.conf did you edit? /etc/freeradius/clients.conf ?
Yes, and I put this in radiusd.conf:
$INCLUDE /etc/freeradius/clients.conf
to force it to read this file.
Phil Mayers wrote:
Could you point me towards the place in the FR2 source code that does
the RFC cleaning? I can't seem to find it.
raddb/attrs.access_reject seems to be the place.
There's code in src/main/auth.c to remove all reply attributes on too
many logins, but that's different.
[EMAIL PROTECTED] wrote:
The radiusd.conf on the 10.5 server has this entry.
opendirectory {
authtype = opendirectory
}
The OpenDirectory module takes no configuration. It does what Apple
wants...
Do I need to comment the above opendirectory module out in order to
You have multiple FreeRADIUS installations. The radiusd.conf you are editing is
not the one the installation you are running is using. You most likely have
one lot in /usr/local/etc/raddb/ and one somewhere else. You also have
two radiusd instances in sbin and its subfolders. Find out which one
you need
Alan DeKok wrote:
Phil Mayers wrote:
Could you point me towards the place in the FR2 source code that does
the RFC cleaning? I can't seem to find it.
raddb/attrs.access_reject seems to be the place.
Ahh. The light dawns - I assumed it was hard-coded in like the
rfc_clean() function in
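Where the Access-Reject filtering Alan points to lives in a 2.x configuration, as an added example (not configuration posted in the thread). RFC 2865 section 5.44 permits only a few attributes in an Access-Reject, RFC 2869 adds EAP-Message and Message-Authenticator, and RFC 2548 allows MS-CHAP-Error, so attr_filter is configured as an allow-list: anything not named is stripped from the reject. To pass MS-CHAP-Error back to the NAS, as Phil wants, it has to be listed explicitly. The three fragments below belong to three different files, named in the comments.

```unlang
# raddb/attrs.access_reject (added example, in the stock file's users-file
# format).  Only attributes listed here survive in an Access-Reject.
# "=* ANY" means "pass the attribute through with whatever value it has".
DEFAULT
	EAP-Message =* ANY,
	Message-Authenticator =* ANY,
	Reply-Message =* ANY,
	Proxy-State =* ANY,
	MS-CHAP-Error =* ANY

# raddb/modules/attr_filter: the module instance that reads the file above.
attr_filter attr_filter.access_reject {
	key = "%{User-Name}"
	attrsfile = ${confdir}/attrs.access_reject
}

# raddb/sites-available/default: the filter runs only when the reply is a
# reject, so normal Access-Accept attributes are never touched by it.
post-auth {
	Post-Auth-Type REJECT {
		attr_filter.access_reject
	}
}
```

The filtering is worth keeping rather than removing: a reject that carries the home server's full reply list (Framed-IP-Address, VLAN assignment, Class, ...) leaks policy to an unauthenticated party, and some NASes mis-handle unexpected attributes in a reject. Add the specific attribute you need, as above, instead of disabling the module. With `-X` running, a stripped attribute shows up in the debug output as the module removing it from the reply list, which is how to confirm the file is being read.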
Sorry about posting the default config.
If I understand correctly, I need to configure the ldap config for my
network and then use the attrmap to request the correct ldap attribute
from the ldap server.
Is this correct?
Thanks,
Aaron
[EMAIL PROTECTED] wrote:
If I understand correctly, I need to configure the ldap config for my
network and then use the attrmap to request the correct ldap attribute
from the ldap server.
Yes.
Alan DeKok.
2008/4/24 Ivan Kalik [EMAIL PROTECTED]:
You have multiple FreeRADIUS installations. The radiusd.conf you are editing is
not the one the installation you are running is using. You most likely have
one lot in /usr/local/etc/raddb/ and one somewhere else. You also have
two radiusd instances in sbin and
: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -
/var/log/radacct/192.168.0.229/auth-detail-20080424
rlm_detail: /var/log/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d expands
to /var/log/radacct/192.168.0.229/auth-detail-20080424
expand: %t - Thu Apr 24 10:18:40 2008
++[auth_log
ls -la /etc/freeradius
alan
On 24.04.2008 at 16:21, Omar Lopez Limonta wrote:
2008/4/24 Ivan Kalik [EMAIL PROTECTED]:
You have multiple FreeRADIUS installations. The radiusd.conf you are
editing is
not the one the installation you are running is using. You most
likely have
one lot in /usr/local/etc/raddb/ and one somewhere
On Thu, Apr 24, 2008 at 4:35 PM, [EMAIL PROTECTED] wrote:
ls -la /etc/freeradius
alan
On clients.conf I put 744 permissions.
[EMAIL PROTECTED]:/etc/freeradius# ls -la
total 236
drwxr-s--- 3 root freerad 4096 Apr 24 16:38 .
drwxr-xr-x 86 root root 4096 Apr 24 12:10 ..
-rw-r- 1
hi,
I'm wondering why you are doing all of that
attribute rewriting when various of the modules will
do the donkey work for you - ntdomain, prefix etc. -
and provide the real User-Name you want. A much
cleaner few lines of unlang would also do the job
in FR 2.x.
we've managed to remove 3 of our
bmccorkle wrote:
I have an issue and haven't been able to find any online help. I thought
I had freeradius working correctly but discovered yesterday that if a user's
name starts with 'r' then they can't log in. I set up an unlang if statement
(in the default sites-available) to handle
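The "let the realm modules do the donkey work" approach alan recommends above, written out as an added example in 2.x syntax (this is not configuration from the thread). The two module instances match the stock raddb/modules/realm file; the realm names example.com and EXAMPLE are assumptions.

```unlang
# raddb/modules/realm (added example).  Each instance recognises one
# User-Name format and, when it matches, sets Stripped-User-Name and Realm
# instead of rewriting User-Name by hand.
realm suffix {
	format = suffix
	delimiter = "@"
}

realm ntdomain {
	format = prefix
	delimiter = "\\"
}

# raddb/proxy.conf: a realm with no pool is handled locally.  Without
# "nostrip", later modules see the bare user part in Stripped-User-Name.
# Names below are placeholders.
realm example.com {
}
realm EXAMPLE {
}

# raddb/sites-available/default, authorize: run the realm modules before
# anything that looks the user up.  The first one that finds its delimiter
# and a known realm wins; the others return noop.
authorize {
	preprocess
	suffix
	ntdomain
	# files, ldap, sql ... as in the stock default site
}
```

The stock 2.x ldap and sql module configurations already look the user up as `%{Stripped-User-Name:-%{User-Name}}`, so once the realm modules are in place nothing else has to change for `bob@example.com` and `EXAMPLE\bob` to resolve to the same account. A name whose realm is not listed in proxy.conf is left alone, which is the behaviour you want: an unknown realm should fail the lookup rather than be silently trimmed to a local user.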
hi,
just a wild stab in the dark.
172.29.11.1 {
secret = mecago
shortname = cisco3560
nastype = other
}
change that to
172.29.11.1/32 {
secret = mecago
shortname = cisco3560
nastype = other
}
or
172.29.11.1/0 {
secret = mecago
On Thu, Apr 24, 2008 at 5:07 PM, [EMAIL PROTECTED] wrote:
hi,
just a wild stab in the dark.
172.29.11.1 {
secret = mecago
shortname = cisco3560
nastype = other
}
change that to
172.29.11.1/32 {
secret = mecago
shortname =
On Thu, Apr 24, 2008 at 5:23 PM, Omar Lopez Limonta
[EMAIL PROTECTED] wrote:
Alan, yes, it is a very wild stab in the dark. I tested with
172.29.11.1/0
172.29.11.1/32
172.29.11.0/24
0.0.0.0/0
I'm thinking that it doesn't open clients.conf. Is there any way to put
clients in radiusd.conf?
[EMAIL PROTECTED] wrote:
just a wild stab in the dark.
172.29.11.1 {
?
client 172.29.11.1 {
...
}
Naming a section by the IP address won't do anything useful. You have
to label it a client section.
Alan DeKok.
On Thu, Apr 24, 2008 at 5:36 PM, Alan DeKok [EMAIL PROTECTED] wrote:
[EMAIL PROTECTED] wrote:
just a wild stab in the dark.
172.29.11.1 {
?
client 172.29.11.1 {
...
}
Naming a section by the IP address won't do anything useful. You have
to label it a client
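The corrected client definition Alan describes, written out as an added example (not Omar's posted configuration). The secret is a placeholder: a short dictionary word such as the one posted above can be brute-forced offline by anyone who captures one Access-Request/response pair, since the Response Authenticator is just an MD5 over the packet and the secret.

```unlang
# raddb/clients.conf (added example).  The "client" keyword is what makes
# the server read the section; a section named only by the address is not
# treated as a client, which is exactly what produces
# "Ignoring request from unknown client 172.29.11.1:...".
client 172.29.11.1 {
	secret    = REPLACE-with-a-long-random-secret
	shortname = cisco3560
	nastype   = other
}

# A netmask is also accepted.  It saves one entry per switch, but every
# host in the range then shares one secret and is trusted as a NAS, so
# keep ranges as tight as the network allows.
# client 172.29.11.0/24 {
# 	secret    = REPLACE-with-a-long-random-secret
# 	shortname = access-switches
# }
```

Two checks go with this. First, `radiusd -X` lists every configuration file it includes at startup, so the path printed there is the clients.conf the running instance actually reads; if it is not /etc/freeradius/clients.conf, editing that file will have no effect no matter how often the service is restarted. Second, the file holds shared secrets, so the 744 mode shown above is wrong in the other direction: it is world-readable, and the execute bit means nothing on a config file. Owner root, group freerad, mode 640 is enough for a daemon that starts as root or runs as freerad, and keeps the secrets away from every other local account.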
Has anyone tried using an external RADIUS server with Motorola's Canopy?
On Apr 24, 2008, at 4:21 AM, Alan DeKok wrote:
Chris wrote:
gets me closer, but I have quoting issues:
expand: %{control:Tmp-String-1} - ou\3daccounts\2cdc\3dviptalk\2cdc
\3dnet
Hmm... OK, to fix that you'll have to update the LDAP module. Or,
ensure that the *dynamic* portions of the
Working on that right now actually. I have the basic framework set up in my
Prizm config and in the radius database, plan on testing some stuff next
week.
Ben Wiechman
Network Admin
Wisper High Speed Internet
[EMAIL PROTECTED]
Are there any interesting articles and links about it?
Ben Wiechman wrote:
Working on that right now actually. I have the basic framework set up in my
Prizm config and in the radius database, plan on testing some stuff next
week.
Ben Wiechman
Network Admin
Wisper High Speed Internet
[EMAIL
Chris wrote:
I guess the trick is fixing it (breaking it?) so this works without
opening up any vectors for injection attacks. Would it be safe to
exclude the control list from being escaped like this? It seems that
only attributes in the request and proxy-request lists would be the
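Alan's dynamic basedn suggestion, his caveat that the dynamic portion must not contain '=' (the `ou\3daccounts\2cdc\3dviptalk\2cdc\3dnet` expansion Chris saw), and Chris's injection question above, pulled together as an added example in 2.x syntax (this is not configuration from the thread). `dc=viptalk,dc=net` is taken from Chris's debug output; the OU names, the LDAP server and bind DN, and the huntgroup name are assumptions.

```unlang
# raddb/modules/ldap (added example).  Only the *value* of the OU is dynamic.
# "ou=", the commas and the dc= components are literal text in the config,
# and rlm_ldap's escaping (=  -> \3d, ,  -> \2c) is applied only to the
# expanded %{...} parts, so the DN structure is never escaped away.
ldap {
	server   = "ldap.example.com"
	identity = "cn=radius,dc=viptalk,dc=net"
	password = "REPLACE-with-bind-password"
	basedn   = "ou=%{control:Tmp-String-1},dc=viptalk,dc=net"
	filter   = "(uid=%{Stripped-User-Name:-%{User-Name}})"
	ldap_connections_number = 5
	timeout     = 4
	timelimit   = 3
	net_timeout = 1
}

# raddb/huntgroups: Huntgroup-Name is derived from which NAS sent the
# request, i.e. from server-side configuration, not from the user.
voip	NAS-IP-Address == 192.0.2.10

# raddb/sites-available/default, authorize: choose the OU before ldap runs.
# Tmp-String-1 is a string attribute from the internal FreeRADIUS
# dictionary; it holds a plain OU name, never a DN fragment.
authorize {
	preprocess
	suffix
	if (Huntgroup-Name == "voip") {
		update control {
			Tmp-String-1 := "accounts"
		}
	}
	else {
		update control {
			Tmp-String-1 := "staff"
		}
	}
	ldap
}
```

This also answers the injection question without touching the module: there is no need to exempt the control list from escaping, and doing so would not be safe in general, because nothing stops a later `update control` (or an SQL/LDAP module populating control attributes from a lookup) from copying request data such as User-Name into it. Keeping the DN skeleton literal and only ever expanding a bare value means the escaping can stay on for every list and still produce a valid basedn.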
Hi,
Three questions:
* In the default SQL accounting schemas %S is used over the
Event-Timestamp attribute included in the accounting packet. I guess
this is because of the potential clock drift between NASes, and it makes
correlation easier. Is this the real reason or is it just an omission?
*
On Apr 24, 2008, at 11:57 AM, Alan DeKok wrote:
Chris wrote:
I guess the trick is fixing it (breaking it?) so this works without
opening up any vectors for injection attacks. Would it be safe to
exclude the control list from being escaped like this? It seems
that
only attributes in the the
Is it possible to use TTLS with accounting messages after
authentication?
Will
Hi Ivan
Thanks for your response. My question is why it would not work, then just
work, with no changes other than a restart between the two.
It's running freeradius 1.1.7.
Mike
Ivan Kalik wrote:
rlm_realm: Looking up realm xxx.com for User-Name =
[EMAIL PROTECTED]
rlm_realm: Found realm