Will Booth wrote:
Is it possible to use TTLS with accounting messages after
authentication?
No. TTLS is an EAP method. EAP stands for Extensible Authentication
Protocol.
If you want the RADIUS packets to be encrypted, use IPSec.
Alan DeKok.
-
List info/subscribe/unsubscribe? See
Arran Cudbard-Bell wrote:
* In the default SQL accounting schemas %S is used over the
Event-Timestamp attribute included in the accounting packet. I guess
this is because of the potential drift between NAS, and it makes
correlation easier. Is this the real reason or is it just an omission ?
Hi, I have problems again with authentication, I am trying to use
freeradius and cisco 802.1x.
Windows said authentication error.
This is my users file:
Cleartext-Password := Pl
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15
yyy User-Password
Hi,
Hi, I have problems again with authentication, I am trying to use
freeradius and cisco 802.1x.
Windows said authentication error.
This is my users file:
Cleartext-Password := Pl
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15
yyy
On Fri, Apr 25, 2008 at 9:15 AM, [EMAIL PROTECTED] wrote:
this is for users to log into the admin interface of
the switch - or are you trying to configure the switch
such that end users need to 802.1X to get a network via
a switchport access interface on the switch?
I'm trying to
Hi,
I'm using MD5 challenge on Windows authentication, do I need to put NT-HASH in the
users file?
Anyone has 802.1x configured with free radius?
yes - 2,000 edge ports and 360 APs. dealing with 2,100
concurrent users.
how are you doing MD5 challenge on windows authentication, 3rd party
supplicant?
Hi,
Cleartext-Password := Pl
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15
^
this sort of stuff is for admin access to the switch
Sending Access-Challenge of id 60 to 172.29.11.1:21645
On Fri, Apr 25, 2008 at 9:45 AM, [EMAIL PROTECTED] wrote:
Hi,
I'm using MD5 challenge on Windows authentication, do I need to put NT-HASH in the
users file?
Anyone has 802.1x configured with free radius?
yes - 2,000 edge ports and 360 APs. dealing with 2,100
concurrent users.
how are
Hi,
ignore my question about MD5 - too early in the day ;-) yes,
windows standard OS supplicant will do MD5 on the wired as an EAP-Type.
though why you'd use MD5 is beyond me as it's totally broken ;-)
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
Are you using certificates? or MD5 challenge ?
PEAPv0/EAP-MSCHAPv2
I think that you are using LDAP or MySQL to manage your users.
thanks for guessing. but no, we use Active Directory with ntlm_auth
What do you have in your users files.
very very little. and at this point in time your
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
* In the default SQL accounting schemas %S is used over the
Event-Timestamp attribute included in the accounting packet. I guess
this is because of the potential drift between NAS, and it makes
correlation easier. Is this the real reason or is it
Hello! I add a new eap type and I know that there is a session key that needs
to be sent to the client through the AP. Do you know how to generate the
key? Where should I add the code, in the rlm_eap.c or rlm_eap_XXX? Thank you!
Xiningtom_1986-
On Fri, Apr 25, 2008 at 9:51 AM, [EMAIL PROTECTED] wrote:
Hi,
Cleartext-Password := Pl
Service-Type = NAS-Prompt-User,
cisco-avpair = shell:priv-lvl=15
^
this sort of stuff is for admin access to the
xiningtom_1986 wrote:
Hello! I add a new eap type and I know that there is a session key
that needs to be sent to the client through the AP. Do you know how to
generate the key? Where should I add the code, in the rlm_eap.c or
rlm_eap_XXX? Thank you!
In the new EAP type.
Alan DeKok.
Hi,
Mmmm is curious:
04-25-2008 10:27:16 Local7.Warning 172.29.11.1
67648: 070624: *Apr 14 13:06:59: %RADIUS-4-RADIUS_ALIVE: RADIUS
server 172.29.11.7:1812,1813 has returned.
04-25-2008 10:27:16 Local7.Warning 172.29.11.1
67647:
Dear all,
I need to perform some changes in our post-auth process.
We need to check a value in a sql database.
If value = XX , i need to add a reply item.
We already have links to the radius database for ip-pool but we
need to connect to an other database to achieve this.
Do you have
Hi,
Dear all,
I need to perform some changes in our post-auth process.
We need to check a value in a sql database.
If value = XX , i need to add a reply item.
We already have links to the radius database for ip-pool but we
need to connect to an other database to achieve this.
I'd have something like:
radius-server host 192.168.1.50 auth-port 1812 acct-port 1813 key
shared-secret
radius-server timeout 2
radius-server deadtime 1
radius-server vsa send authentication
!
aaa new-model
!
!
aaa group server radius RADIUS-SERVERS
server 192.168.1.50 auth-port 1812 acct-port
Arran Cudbard-Bell wrote:
Ok and it's expanded to the string form with the double quotation marks?
why ?
Bug. Some things have extra quotation marks. This is fixed in 2.0.3,
or maybe CVS.
Indeed, I did something in unlang, but it'd be nice to have it in the
server core. Then I can update
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Ok and it's expanded to the string form with the double quotation marks?
why ?
Bug. Some things have extra quotation marks. This is fixed in 2.0.3,
or maybe CVS.
Hmm running 2.0.3 must be CVS.
Indeed, I did something in unlang, but
On Fri, Apr 25, 2008 at 11:14 AM, [EMAIL PROTECTED] wrote:
very sparse
what about eg
radius-server retransmit 2
radius-server timeout 2
radius-server deadtime 10
radius-server vsa send authentication
No with your AAA configs i don't get %RADIUS-4-RADIUS_DEAD or any
other error on
Hi all,
I installed new version of openssl and built the radius with the following
command
./configure --with-openssl-includes=/usr/local/include/openssl \
--with-openssl-libraries=/usr/local/lib \
--prefix=/usr/local/radius
make
make install
the radtest and the radeapclient test was through,
Configuration changes do take effect on restart. It could have been made
days or weeks before but they kick in when you restart.
Ivan Kalik
Kalik Informatika ISP
On 25/4/2008, Mike O'Connor [EMAIL PROTECTED] wrote:
Hi Ivan
Thanks for your response, my question why would it not work then just
Hello All,
I'm setting up my corporate wifi with freeradius as RADIUS
server. I want to implement WEP network with MAC Authentication through
freeradius. I have three access point and I want to store mac database in
text file.
Here is an example:
jreubens wrote:
I installed new version of openssl and built the radius with the following
command
./configure --with-openssl-includes=/usr/local/include/openssl \
--with-openssl-libraries=/usr/local/lib \
Did it *find* the OpenSSL includes and libraries? The output of the
configure
Arran Cudbard-Bell wrote:
Hmm running 2.0.3 must be CVS.
Yes.
Did you have time to add the module return codes for authentication
success / failure messages ?
It should be there now.
Yep that seems like the most sensible/ flexible solution. So you just
specify a directory in the
Don't use the password.
00-22-de-4e-8f-1d Auth-Type:= Accept
You are lucky that they are all sending mac addresses in same format. One
could be using - for delimiter, another : and the third one no
delimiter. Then you would need to store usernames (mac addresses)
without delimiters and remove
Thanks for the reply.
I adjusted all AP to send MAC in one format.
What about this question :
Another interesting point is: do I understand correctly that I need to restart
freeradius every time when I correct users file? It is complicated for me,
what is other way? Maybe store MAC's in LDAP or SQL
On 25.04.2008 at 13:45, jreubens wrote:
Hi all,
I installed new version of openssl and built the radius with the
following
command
./configure --with-openssl-includes=/usr/local/include/openssl \
--with-openssl-libraries=/usr/local/lib \
--prefix=/usr/local/radius
make
make install
the
Another interesting point is: do I understand correctly that I need to restart
freeradius every time when I correct users file? It is complicated for me,
what is other way? Maybe store MAC's in LDAP or SQL database?
Alexey
Yes, if you store details in users file you will need to restart for new
Hi alan,
i found something in the config.log file and i think the path is identified.
herewith i am attaching a part of the config.log (i don't want to crowd the
mailing list). if you give me a hint that would be highly appreciated. Thank you.
I am using linux (ubuntu 7.10), it has a pre
I see any detail-%Y%m%d log files but only auth-detail-%Y%m%d files.
What am I doing wrong?
My config files:
radiusd.conf:
prefix = /usr/local-2.0.2
exec_prefix = ${prefix}
sysconfdir = ${prefix}/etc
localstatedir = ${prefix}/var
sbindir = ${exec_prefix}/sbin
logdir =
Hi,
Here is my PATH contents
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
i have another doubt here, i have my check-rad, check-radiusd-config,
radiusd,radwatch, rc.radiusd everything at /usr/local/radius/sbin... does that
means that i have to change the
Hi,
Hi all,
I installed new version of openssl and built the radius with the following
command
./configure --with-openssl-includes=/usr/local/include/openssl \
--with-openssl-libraries=/usr/local/lib \
--prefix=/usr/local/radius
could you pipe that above command through grep eg
Hi,
Before my original post i relied on the pre packed version of the openssl,
then when i wanted to use eapol_test, it asked for a openssl, then i
installed a new one.
After the first (eapol_test) test failed, you suggested to use the one that
come with the distribution... but i didnt
Greetings all..
Overview
Our local network folks have a FirePass VPN to allow external access to an
application.
We are needing to setup a Radius server to authenticate
to the FirePass VPN appliance.
Testing.
I have FreeRadius 1.1.7 set up on a zone on a Solaris 10 box and have begun
testing..
On 25.04.2008 at 15:32, jennie susan wrote:
Hi,
Here is my PATH contents
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/
usr/games
i have another doubt here, i have my check-rad, check-radiusd-
config, radiusd,radwatch, rc.radiusd everything at /usr/local/
Is your NAS sending accounting packets?
Ivan Kalik
Kalik Informatika ISP
On 25/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
I see any detail-%Y%m%d log files but only auth-detail-%Y%m%d files.
What am I doing wrong?
My config files:
radiusd.conf:
prefix = /usr/local-2.0.2
exec_prefix =
On 25.04.2008 at 14:59, jennie susan wrote:
Hi alan,
i found something in the config.log file and i think the path is
identified. herewith i am attaching a part of the config.log (i
don't want to crowd the mailing list). if you give me a hint that
would be highly appreciated. Thank
- Going through the output from /local/sbin/radiusd -X
You didn't post the output.
- Tested with
radtest test test localhost 0 testing123
One error - Although this might be normal
Output
Sending Access-Request of id 169 to 127.0.0.1 port 1812
User-Name = test
User-Password = test
I have not yet created the users file, just using the default one for
testing..
It is the standard client.conf (apologize if this is not what you are asking
for)
Some additional notes:
All user accounts /passwords will be on the Radius Server, FirePass just
talks to the Radius server.
Here is
Hello,
I'm working on VLAN assignment with FreeRadius, with windows XP users.
The FreeRadius server is using openLdap, and works over EAP-TTLS.
The goal of my work is for the users to be on different Vlans depending on
their status.
The radius part is working fine, since the switch sets
Mike Perdide wrote:
Hello,
I'm working on VLAN assignment with FreeRadius, with windows XP users.
The FreeRadius server is using openLdap, and works over EAP-TTLS.
The goal of my work is for the users to be on different Vlans depending on
their status.
The radius part is working fine,
Hello again to all.
I'm very happy because my FR is working fine again and I have Vista support
too. Thanks a lot to Alan Dekok, I installed the 1.7 version. Later I
will try to upgrade, but at this moment that's all. FR is the best.
Now, I have maybe a foolish question but I need help again.
Gustavo Chavelas wrote:
When I try to add my FR at BOOT from my Linux with chkconfig, it sends
the following error:
# service radiusd does not support chkconfig
If I run manually # radiusd - alone or with -X -A, etc it work fine.
How can I add FR at boot?
Manually add the links in
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
I think you are asking is it possible for the client to do 802.1x with
the username/password typed into the login box and the answer is yes.
That's exactly my question, thanks ;).
1. Using the
2008/4/25 Phil Mayers [EMAIL PROTECTED]:
Mike Perdide wrote:
Hello,
I'm working on VLAN assignment with FreeRadius, with windows XP users.
The FreeRadius server is using openLdap, and works over EAP-TTLS.
The goal of my work is for the users to be on different Vlans depending on
Good Point :D
Port 1813 is filtered, thanks Ivan I'll see if modifying that it works.
2008/4/25, Ivan Kalik [EMAIL PROTECTED]:
Is your NAS sending accounting packets?
Ivan Kalik
Kalik Informatika ISP
On 25/4/2008, Sergio Belkin [EMAIL PROTECTED] wrote:
I see any detail-%Y%m%d log
more output
This came after the service was running a while..
---
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
modcall[authorize]: module preprocess returns ok for request 0
modcall[authorize]: module chap returns noop for request 0
Hi,
When I try to add my FR at BOOT from my Linux with chkconfig, it sends the
following error:
# service radiusd does not support chkconfig
have you put the radiusd init script into eg /etc/init.d/ ?
alan
Hi,
more output
This came after the service was running a while..
in your users file you have a line like
DEFAULT auth-Type == System
if you don't use /etc/passwd etc for auth, remove it
alan
Mike Perdide wrote:
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the machine *is* joined into
Hi,
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the machine
Mike Perdide wrote:
Phil Mayers wrote:
Is the windows machine a domain member?
No it's not. Only the users are.
?
When you sit at the login screen, and press ctrl+alt+del, are you
logging in with a username and password which is checked against the
domain controllers?
If so, then the
Server needs a username and password stored somewhere in order to compare
with ones in the request. It doesn't work without it. Add entry for you
test user to users file and try again.
Ivan Kalik
Kalik informatika ISP
On 25/4/2008, thekat [EMAIL PROTECTED] wrote:
I have not yet created the
I am still wading through the docs.. and trying to get my
head wrapped around the settings..
Also, still waiting on a response from F5 to see what type of
Radius Authentication is used by the FirePass appliance..
Hoping it is CHAP..
Appreciate the response..
Charles
2008/4/25 Ivan Kalik [EMAIL
Yes, radiusd, it's in /etc/init.d
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On behalf of [EMAIL PROTECTED]
Sent: Friday, 25 April 2008 11:57 a.m.
To: freeradius-users@lists.freeradius.org
Subject: Freeradius-Users Digest, Vol 36, Issue 161
Message:
Hi,
Yes, radiusd, it's in /etc/init.d
from $src/scripts/rc.radiusd?
yes, i think i can see the issue. ensure that the
top of the radiusd file contains eg
#!/bin/sh
#
# chkconfig: - 88 10
# description: Start/Stop the RADIUS server daemon
alan
For VPN it's usually mschapv2. Whatever it is (pap, chap, mschap) it
will work with cleartext passwords. Read instructions in users file.
That's all you will need - default configuration will work for those
protocols. Apart from that you only need to enter details of your VPN
server in
Ivan..
Much thanks for the reply and the very helpful recommendations..
We will only have about 100 users (very low utilization) so sql probably
won't be needed..
I will be working on this tomorrow..
Charles
2008/4/25 Ivan Kalik [EMAIL PROTECTED]:
For VPN it's usually mschapv2. Whatever it is
Hi,
I would like to know if its possible to deny/allow traffic between
clients or groups. I've already searched for a solution but I just
found out how to limit some ports for a user.
Thanks for your help.
bye
julian
Hello!
Thank you for your reply! But do you know how to generate the key? Can I use the
function of LEAP that is used for generating the key?
Xiningtom_1986-
Hello!
Do you know how I pass the session key to the AP? Does it in the EAP-SUCCESS
message or in some other special tunnel?
Xiningtom_1986-
Julian Stöver wrote:
Hi,
I would like to know if its possible to deny/allow traffic between
clients or groups. I've already searched for a solution but I just found
out how to limit some ports for a user.
i.e. firewall rules? See the NAS documentation for what kinds of
rules it supports.
[EMAIL PROTECTED] wrote:
Hello!
Thank you for your reply! But do you know how to generate the key? Can I
use the function of LEAP that is used for generating the key?
Key generation methods are specific to each EAP type.
If you don't know how to generate a key, and you don't know in which