Raphael Brüngel wrote:
radiusd: Opening IP addresses and Ports
listen {
    type = proxy
    ipaddr = 192.168.1.80
    port = 1812
}
That's... wrong in so many ways.
You said that the proxy port is 1814 but the authentication port 1812 is
not used by the proxy, correct?
How do you expect
Yeah. That's kind of my rescue solution. To create a queue that is processed
on a daily basis. But I thought that since there is an expire attribute that
it might be a start as well. It would obviously take less effort to just add
that kind of attribute instead of adding a queue and some kind of
I use eap-tls for the registration record of the computer. It is necessary
to open access to the network before pressing Ctrl+Alt+Del.
I don't understand what the matter is:
..
radius_xlat: 'host/cit44'
rlm_eap_tls: checking certificate CN (cit44) with xlat'ed value
Alan DeKok wrote:
BADAOUI Nasr-Eddine (P) wrote:
I've seen that to authenticate successfully, the login id has to be
defined locally on client Linux machines.
In summary, is it mandatory to have the login id defined in the client
linux machine ?
other solutions ?
That's the
Or create all you need and add Auth-Type Reject in the radcheck table for that
user and delete this entry on the start date with a cron script
On Thu, Oct 9, 2008 at 8:06 AM, Bladan2000 [EMAIL PROTECTED] wrote:
Yeah. That's kind of my rescue solution. To create a queue that is processed
on a daily
Alan DeKok wrote:
Peter Eriksson wrote:
The default setting seems to be less than optimal since if a remote site
has problems with their home RADIUS servers then we risk having our
local servers mark the upstream servers as dead since it's not
receiving answers for a specific 'realm'...
You can always add your own.
http://freeradius.org/radiusd/man/dictionary.html
Ivan Kalik
Kalik Informatika ISP
On 9/10/2008, Bladan2000 [EMAIL PROTECTED] wrote:
Yeah. That's kind of my rescue solution. To create a queue that is processed
on a daily basis. But I thought that since there is an
Thanks, now it works :)
Now the last step: How can I test it? What tool/program etc. can/should I use
to test it?
The radclient cannot currently be used to send this request, unfortunately,
which makes testing a little difficult. If everything goes well, you should see
the server returning
So to understand you right:
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add a forwarding for every user so that all requests are
just forwarded and checked?
If not, I must add all users from the AD to the users file, mustn't I?
From:
OK, I have tested it with radtest MyUser MyPassword localhost 0 testing123
and this is what the server gave back:
..
++[files] returns noop
So, where is the user file entry setting Auth-Type ntlm_auth? It didn't
match. Something is wrong with it.
Ivan Kalik
Kalik Informatika ISP
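What radtest actually puts on the wire for the command above, as an added example (editor's code, not radtest or FreeRADIUS code): it builds the Access-Request with User-Name, User-Password, NAS-IP-Address and NAS-Port, hides the password as RFC 2865 section 5.2 requires, and then recovers it the way the server does before comparing it with a known-good password. The values are constructed to match the debug output in the thread (MyUser / MyPassword / testing123 / NAS-Port 0); the 16-byte Request Authenticator is passed in explicitly so the result is reproducible, whereas a real client draws it at random per request.

```python
"""Encode the Access-Request sent by `radtest MyUser MyPassword localhost 0 testing123`
and recover the PAP password as the server does (RFC 2865 section 5.2).
Editor's added example, not radtest or FreeRADIUS code; all sample values are constructed."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

CODE_ACCESS_REQUEST = 1
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2
ATTR_NAS_IP_ADDRESS = 4
ATTR_NAS_PORT = 5


def _md5_xor_chain(data: bytes, secret: bytes, authenticator: bytes, chain_on_output: bool) -> bytes:
    """XOR each 16-byte block with MD5(secret + previous ciphertext block); block 1 chains on the
    Request Authenticator. Hiding chains on the block just produced, revealing on the block just
    consumed; both are the ciphertext, so one routine serves both directions."""
    out = b""
    prev = authenticator
    for i in range(0, len(data), 16):
        block = hashlib.md5(secret + prev).digest()
        chunk = bytes(a ^ b for a, b in zip(data[i:i + 16], block))
        out += chunk
        prev = chunk if chain_on_output else data[i:i + 16]
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    return _md5_xor_chain(padded, secret, authenticator, chain_on_output=True)


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    plain = _md5_xor_chain(hidden, secret, authenticator, chain_on_output=False)
    return plain.rstrip(b"\x00")  # strip the zero padding


def attr(attr_type: int, value: bytes) -> bytes:
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident: int, user: str, password: str, nas_ip: str, nas_port: int,
                         secret: bytes, authenticator: Optional[bytes] = None) -> bytes:
    if authenticator is None:
        authenticator = os.urandom(16)
    attrs = (attr(ATTR_USER_NAME, user.encode())
             + attr(ATTR_USER_PASSWORD, hide_password(password.encode(), secret, authenticator))
             + attr(ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split(".")))
             + attr(ATTR_NAS_PORT, struct.pack("!I", nas_port)))
    return struct.pack("!BBH", CODE_ACCESS_REQUEST, ident, 20 + len(attrs)) + authenticator + attrs


def parse_attrs(packet: bytes) -> Dict[int, bytes]:
    """Walk the TLV list after the 20-byte header, rejecting lengths that overrun the packet."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    _code, _ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("Length field does not match packet size")
    attrs: Dict[int, bytes] = {}
    pos = 20
    while pos < length:
        if pos + 2 > length:
            raise ValueError("truncated attribute header")
        t, l = packet[pos], packet[pos + 1]
        if l < 2 or pos + l > length:
            raise ValueError("attribute length overruns packet")
        attrs[t] = packet[pos + 2:pos + l]
        pos += l
    return attrs


def server_view(packet: bytes, secret: bytes) -> Tuple[str, bytes]:
    """What the server sees after unhiding: (User-Name, cleartext password)."""
    attrs = parse_attrs(packet)
    request_authenticator = packet[4:20]
    user = attrs[ATTR_USER_NAME].decode()
    return user, reveal_password(attrs[ATTR_USER_PASSWORD], secret, request_authenticator)


if __name__ == "__main__":
    req = build_access_request(92, "MyUser", "MyPassword", "127.0.0.1", 0, b"testing123")
    print(len(req), "bytes:", req.hex())
    print(server_view(req, b"testing123"))
```

The constructed packet is 58 bytes long, the same length the rad_recv line in the thread reports: 20 bytes of header, 8 for User-Name, 18 for the password padded to one 16-byte block, and 6 each for NAS-IP-Address and NAS-Port. With a wrong shared secret the server still parses the packet but recovers garbage, which is why a secret mismatch shows up as a failed password check rather than a parse error.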
Is it possible to use only one freeRADIUS server (the just configured one) for
a bunch of different domains in my active directory network?
How?
F. Niedernolte
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent:
OK, thanks.
Now it works.
Is this the way it should look right?
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=97, length=59
User-Name = MyUser
User-Password = MyPassword
NAS-IP-Address = IP.ADDRESS.OF.SERVER
NAS-Port
And also don't remove ntlm_auth from authenticate section of both default
and inner-tunnel files.
On Thu, Oct 9, 2008 at 1:12 PM, Syed Anwarul Hasan
[EMAIL PROTECTED] wrote:
Ok, where are USER CREDENTIALS stored? The one described in the manual is
Bind as User. That is, a User entry is added in
You (or whoever makes these certificates) have set up certificate
creation that way. Change it so that CN is equal to User-Name.
Ivan Kalik
Kalik Informatika ISP
Dana 9/10/2008, Guk Victor [EMAIL PROTECTED] piše:
I use eap-tls for the registration record of the computer. It is
I have finished all steps till user Auth-Type := ntlm_auth from
http://deployingradius.com/documents/configuration/active_directory.html
.
With this command I get this error message at the end of
/usr/sbin/freeradius -X:
/etc/freeradius/users[1]: Parse error (check) for entry MyUser:
Ok, where are USER CREDENTIALS stored? The one described in the manual is
Bind as User. That is, a User entry is added in the users file and after using
ntlm_auth, it is checked against an Active Directory or LDAP server backend
using the NT LAN Manager authentication protocol.
For example:
Users file:
User
That was an example; to check with different users, DEFAULT should be used, as
rightly said by Ivan.
On Thu, Oct 9, 2008 at 1:22 PM, [EMAIL PROTECTED] wrote:
So to understand you right:
Every user that should be authenticated has to be an entry in the users
file?
Isn't it possible to add an
Every user that should be authenticated has to be an entry in the users file?
Isn't it possible to add a forwarding for every user so that all requests are
just forwarded and checked?
If not, I must add all users from the AD to the users file, mustn't I?
DEFAULT Auth-Type := ntlm_auth
Ivan
Hi Frederik,
1) Put the User entry on *TOP* of the users file.
2) In the default file, in the authenticate section, add *ntlm_auth*. Don't set it
using Auth-Type.
3) Also in sites-enabled/inner-tunnel, which is the Virtual Server Inner Tunnel,
add *ntlm_auth* in the Authenticate section.
I hope it will solve your problem.
I've achieved the following:
- A user with a username which contains a realm logs in.
- Freeradius checks some radius request values like calling-station-id
etc.
- Freeradius will give a reject or accept depending on the above query.
What I cannot achieve is:
-
And how can I do that?
I cannot find something like that via Google :(
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 9 October 2008 14:59
To: FreeRadius users mailing list
Subject: Re: AW: AW: AW: Problem with
[EMAIL PROTECTED] wrote:
And how can I do that?
I cannot find something like that via Google :(
See the Samba documentation?
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hey pal,
check this out.
Thanks to everyone on the list.
Oh yes!! In the users file I added
users Auth-Type := ntlm_auth
and also
DEFAULT Auth-Type := ntlm_auth
and restarted freeradius,
and in the output:
Listening on authentication address * port 1812
Listening on accounting address * port 1813
On Thu, Oct 9, 2008 at 10:46 AM, Alan DeKok [EMAIL PROTECTED]wrote:
[EMAIL PROTECTED] wrote:
And how can I do that?
I cannot find something like that via Google :(
Ask the Samba people?
There are too many pages to check.
Perhaps you can give me a specific link?
I want to do it on my own but with no information it is impossible.
F. Niedernolte
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: Thursday, 9.
What I cannot achieve is:
- Freeradius must proxy the request to a token server, but only when it
has authenticated the user successfully.
No. Your client should send another request to token server once it gets
Access-Accept from radius server.
Ivan Kalik
Kalik Informatika ISP
OK, thanks.
Now it works.
Is this the way it should look right?
Yes. that's OK.
..
[files] users: Matched entry DEFAULT at line 2
++[files] returns ok
Entry setting Auth-Type.
..
[pap] WARNING! No known good password found for the user. Authentication
may fail because of this.
That's
Oh, you would like us to read the documentation for you!?! Sorry, no can
do!
Samba also has a support list. Ask there.
Ivan Kalik
Kalik Informatika ISP
On 9/10/2008, [EMAIL PROTECTED]
[EMAIL PROTECTED] wrote:
There are too many pages to check.
Perhaps you can give me a specific link?
I want
OK, I have tested it with radtest MyUser MyPassword localhost 0 testing123
and this is what the server gave back:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1 port 32793, id=92, length=58
User-Name = MyUser
User-Password = MyPassword
I didn't mean that.
I thought you would know a link or site for this, but if no one knows I will ask
the Samba people.
Thanks.
Frederik Niedernolte
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL
PROTECTED]
Sent: Thursday, 9 October
Arran Cudbard-Bell wrote:
Really in a system of chained proxy servers like EDUROAM you only want
to be testing first hop connectivity.
Exactly.
Alan, do you think it might be a good idea to provide an option to
disregard failures from standard authentication requests, and instead
use
Hi,
You can use the radtest tool to check with the server. The server will return
an Access-Accept message.
Other tools include JRadius Simulator, as IVAN told, but I have not used it.
Otherwise, if you have a native PEAP or TTLS client, you can send MSCHAP
requests to use ntlm_auth with Active Directory or
Peter Eriksson wrote:
I wonder how low I can set things to lessen this issue. Perhaps set
zombie_period and check_interval to one second...
That's not a good idea. It means that the server will be marked dead
MORE quickly.
Best would probably be if FreeRadius kept a separate timeout for
Alan DeKok wrote:
Arran Cudbard-Bell wrote:
Really in a system of chained proxy servers like EDUROAM you only want
to be testing first hop connectivity.
Exactly.
Alan, do you think it might be a good idea to provide an option to
disregard
Hi Ivan,
Thanks for the reply. After changing the operator += I am still seeing all
the VARRAY in the reply. It should reply back only
Sending Access-Accept of id 65 to 216.121.193.1 port 49266
rEntitlements += WIFILOC1
rAttribute1 = 1
rCidx = 1
and not as
You have misunderstood what this list is about. This is a support list
for Freeradius users. You will be provided the details of basic
configuration for other projects/devices (Open Source/Cisco/Microsoft
etc.) which will enable the server to cooperate with them in some common
applications. If you need
Thanks for the reply. After changing the operator += I am still seeing all
the VARRAY in the reply. It should reply back only
Sending Access-Accept of id 65 to 216.121.193.1 port 49266
rEntitlements += WIFILOC1
rAttribute1 = 1
rCidx = 1
and not as it is
[EMAIL PROTECTED] wrote:
There are too many pages to check.
Maybe I should go read the pages, and point you to specific ones?
Perhaps you can give me a specific link?
This isn't a Samba help list. We are not Samba experts.
I suggest asking on the Samba list how to configure Samba for
Hi Ivan,
I agree with you. But I am reading those attributes from LDAP. In LDAP the
entitlements attribute is defined as multivalue (array). I cannot change
the existing LDAP structure.
I am mapping entitlements attribute from LDAP with the radius attribute
rEntitlements in the ldap.attrmap
Arran Cudbard-Bell wrote:
That'd work. So when a server is marked as a Zombie, are Access-Requests
still sent to it until the Zombie period has expired?
Yes. I also noticed that the current code doesn't send Status-Server
packets until check_interval time AFTER it's marked dead. So we
have
Hi,
This still means that requests will be sent to that home server,even
if they're for an upstream realm that's dead. If there are multiple
paths to the upstream realm, then those other paths won't be discovered.
But there is no RADIUS routing protocol[1]. So that's that.
s'funny
I agree with you. But I am reading those attributes from LDAP. In LDAP
entitlements attribute is defined as Multivalue (array).
Which is of no use to you.
I cannot change the existing LDAP structure.
Are you a developer or not? If you are, then you say what LDAP structure
should look
Hello
I have ldap working to authenticate users to a Cisco switch. I now want to
limit it to group membership. Any help would be great.
Here is what I have in my ldap config for the groups.
# Group membership checking. Disabled by default.
#
groupname_attribute = cn
groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
It should also be control:Ldap-UserDn for uniquemember. Hope that helps.
Ivan Kalik
Kalik Informatika ISP
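Why the list prefix matters, modelled in Python as an added example (editor's code, not rlm_ldap): rlm_ldap stores the DN it found for the user as Ldap-UserDn in the control list, so `%{control:Ldap-UserDn}` expands to that DN while an unqualified `%{Ldap-UserDn}` is looked up in the request list and expands to nothing, turning the second branch into `(uniquemember=)`, which matches no group. The xlat expander, the tiny RFC 4515 filter evaluator, the group entries and the user DNs are all constructed for the example (the assumption about where rlm_ldap stores the DN is the point being illustrated); the expander also shows the escaping that any value spliced into a filter needs so that a DN or User-Name containing `(`, `)` or `*` cannot alter the filter's structure.

```python
"""Model of groupmembership_filter expansion and evaluation in FreeRADIUS 2.x.
Editor's added example, not rlm_ldap code. Modelled assumption: rlm_ldap puts the user's DN
into the control list as Ldap-UserDn, so %{control:Ldap-UserDn} resolves and %{Ldap-UserDn}
(request list) expands to the empty string. Entries, DNs and the evaluator are constructed."""
import re
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]          # lower-cased attribute name -> values
Lists = Dict[str, Dict[str, str]]     # "request" / "control" -> attribute -> value


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping for a value spliced into a search filter."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def xlat(template: str, lists: Lists) -> str:
    """Expand %{list:Attr} and %{Attr}; an attribute that is not in the list expands to ''."""
    def sub(m):
        list_name = m.group(1) or "request"
        return ldap_escape(lists.get(list_name, {}).get(m.group(2), ""))
    return re.sub(r"%\{(?:(\w+):)?([\w-]+)\}", sub, template)


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), value)


class FilterParser:
    """Minimal RFC 4515 parser: &, |, ! and equality matches, which is all this filter uses."""
    def __init__(self, text: str):
        self.text, self.pos = text, 0

    def parse(self):
        node = self._node()
        if self.pos != len(self.text):
            raise ValueError("trailing data after filter")
        return node

    def _node(self):
        if self.text[self.pos] != "(":
            raise ValueError("expected '(' at offset %d" % self.pos)
        self.pos += 1
        op = self.text[self.pos]
        if op in "&|!":
            self.pos += 1
            children = []
            while self.text[self.pos] == "(":
                children.append(self._node())
            if self.text[self.pos] != ")":
                raise ValueError("expected ')' at offset %d" % self.pos)
            self.pos += 1
            return (op, children)
        end = self.text.index(")", self.pos)
        attr, _, value = self.text[self.pos:end].partition("=")
        self.pos = end + 1
        return ("=", attr.lower(), _unescape(value))


def matches(node, entry: Entry) -> bool:
    op = node[0]
    if op == "=":
        return node[2].lower() in [v.lower() for v in entry.get(node[1], [])]
    if op == "&":
        return all(matches(c, entry) for c in node[1])
    if op == "|":
        return any(matches(c, entry) for c in node[1])
    return not matches(node[1][0], entry)


# Constructed directory content: one groupOfNames and one groupOfUniqueNames.
GROUPS: List[Entry] = [
    {"dn": ["cn=netadmins,ou=groups,dc=example,dc=com"], "objectclass": ["groupOfNames"],
     "member": ["uid=bert,ou=people,dc=example,dc=com"]},
    {"dn": ["cn=switch-login,ou=groups,dc=example,dc=com"], "objectclass": ["groupOfUniqueNames"],
     "uniquemember": ["uid=alice,ou=people,dc=example,dc=com"]},
]

FILTER_OK = ("(|(&(objectClass=GroupOfNames)(member=%{control:Ldap-UserDn}))"
             "(&(objectClass=GroupOfUniqueNames)(uniquemember=%{control:Ldap-UserDn})))")
# The filter as posted: the uniquemember branch lacks the control: prefix.
FILTER_POSTED = FILTER_OK.replace("uniquemember=%{control:Ldap-UserDn}",
                                  "uniquemember=%{Ldap-UserDn}")


def groups_for(user_name: str, user_dn: str, template: str) -> Tuple[str, List[str]]:
    """(expanded filter, DNs of matching groups) for a user whose DN rlm_ldap has already found."""
    lists: Lists = {"request": {"User-Name": user_name}, "control": {"Ldap-UserDn": user_dn}}
    expanded = xlat(template, lists)
    node = FilterParser(expanded).parse()
    return expanded, [g["dn"][0] for g in GROUPS if matches(node, g)]
```

With the posted filter a member of a groupOfNames still matches, which is why the problem only shows up for users whose group is a groupOfUniqueNames: the expanded filter contains `(uniquemember=)` and that branch is never true.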
Ivan,
I told the management but looks like no go.
is there any way I can change the rlm_ldap.c?
I am not proficient in c, so might need additional help.
Or there are any other options.
Let me know.
Thanks in advance.
--- On Thu, 10/9/08, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
From:
Hello all
I have made the change uniquemember=%{control:Ldap-UserDn}
But I still have the issue. Any other ideas or other information I can
provide. Any configs I could look at.
Thanks,
Bert
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Any suggestions for this topic guys?
thanks!!!
[EMAIL PROTECTED] wrote:
But there is no RADIUS routing protocol[1]. So that's that.
s'funny that you should mention that - what with a hierarchical system.
I thought it would be neat if a downstream system could notify the upstream
about what realms it could deal with and - via a trusted
is there any way I can change the rlm_ldap.c?
I am not proficient in c, so might need additional help.
Or there are any other options.
Well, before resorting to source code alterations try using unlang. Have
a look at update reply with -= operator. You can't use regex with that
operator so you
You should read the list. I gave the workable solution to somebody else
yesterday.
Ivan Kalik
Kalik Informatika ISP
On 9/10/2008, Martin Silvero [EMAIL PROTECTED] wrote:
Any suggestions for this topic guys?
thanks!!!
Hi,
This will happen. There is sufficient buy-in from large telcos that
it's necessary.
cool. it wasn't just me toking on the crack pipe too many times 8-)
Stefan, you hearing this? and you be thinking I crazy :-)
alan
Is this the issue that you say?:
Re: CA.all and CA.certs in Freeradius 2.x
https://lists.freeradius.org/pipermail/freeradius-users/2008-October/msg00248.html
Hello All,
I have a cisco vpn concentrator and in the past have had it pointed to a
Windows IAS Server. I have now switched to Freeradius and have discovered
that when a user needs to Change password on next logon the cisco vpn
client does not prompt for a password change. Prior to moving to
That's it.
Ivan Kalik
Kalik Informatika ISP
On 9/10/2008, Martin Silvero [EMAIL PROTECTED] wrote:
Is this the issue that you say?:
Re: CA.all and CA.certs in Freeradius 2.x
https://lists.freeradius.org/pipermail/freeradius-users/2008-October/msg00248.html
Hi all,
After an EAP authentication which supports key derivation (MSK),
how does freeradius transport the MSK to a NAS (authenticator)? I.e., what
kind of attribute is used?
(I am assuming that the EAP Server (freeradius) is a separate entity to the
NAS; the NAS talks to freeradius using RADIUS and
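The transport the question above is asking about, as an added example (editor's code, not FreeRADIUS code): an EAP server returns the 64-byte MSK in two Microsoft vendor-specific attributes of the Access-Accept, MS-MPPE-Recv-Key carrying the first 32 bytes and MS-MPPE-Send-Key the second 32 (RFC 5216 section 2.3), each one encrypted as RFC 2548 section 2.4 specifies with the RADIUS shared secret, the Request Authenticator of the matching Access-Request and a two-byte salt. The code below encodes and decodes those attributes end to end; the MSK, shared secret, salts and Request Authenticator are constructed sample values.

```python
"""MS-MPPE-Recv-Key / MS-MPPE-Send-Key encoding of an EAP MSK (RFC 2548 section 2.4,
key halves per RFC 5216 section 2.3). Editor's added example, not FreeRADIUS code;
every input below is a constructed sample value."""
import hashlib
import os
import struct
from typing import Dict, Optional, Tuple

ATTR_VENDOR_SPECIFIC = 26
VENDOR_MICROSOFT = 311
MS_MPPE_SEND_KEY = 16
MS_MPPE_RECV_KEY = 17


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def mppe_encrypt(key: bytes, secret: bytes, request_auth: bytes, salt: Optional[bytes] = None) -> bytes:
    """Salt || C1..Cn with P = len(key) || key || zero padding, B1 = MD5(S || RA || Salt),
    Ci = Pi xor Bi, Bi+1 = MD5(S || Ci). The salt's high bit must be set and it must differ
    between the two key attributes of one packet."""
    if salt is None:
        salt = bytes([0x80 | os.urandom(1)[0], os.urandom(1)[0]])
    if len(salt) != 2 or not salt[0] & 0x80:
        raise ValueError("salt must be 2 bytes with the high bit set")
    if len(key) > 254:
        raise ValueError("key too long for a one-byte length prefix")
    plain = bytes([len(key)]) + key
    plain += b"\x00" * (-len(plain) % 16)
    out = b""
    b = hashlib.md5(secret + request_auth + salt).digest()
    for i in range(0, len(plain), 16):
        c = _xor(plain[i:i + 16], b)
        out += c
        b = hashlib.md5(secret + c).digest()
    return salt + out


def mppe_decrypt(blob: bytes, secret: bytes, request_auth: bytes) -> bytes:
    salt, data = blob[:2], blob[2:]
    if len(salt) != 2 or not data or len(data) % 16:
        raise ValueError("malformed MPPE key attribute")
    b = hashlib.md5(secret + request_auth + salt).digest()
    plain = b""
    for i in range(0, len(data), 16):
        c = data[i:i + 16]
        plain += _xor(c, b)
        b = hashlib.md5(secret + c).digest()
    n = plain[0]
    if n > len(plain) - 1:
        raise ValueError("key length byte is inconsistent (wrong shared secret?)")
    return plain[1:1 + n]


def vsa(vendor_type: int, value: bytes) -> bytes:
    """Vendor-Specific: Type 26, Length, Vendor-Id, then vendor Type / Length / String."""
    inner = struct.pack("!BB", vendor_type, len(value) + 2) + value
    body = struct.pack("!I", VENDOR_MICROSOFT) + inner
    if len(body) + 2 > 255:
        raise ValueError("VSA too long")
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, len(body) + 2) + body


def msk_to_attributes(msk: bytes, secret: bytes, request_auth: bytes,
                      salts: Optional[Tuple[bytes, bytes]] = None) -> bytes:
    """What the EAP server puts into the Access-Accept for a 64-byte MSK."""
    if len(msk) != 64:
        raise ValueError("EAP MSK is 64 bytes")
    recv_salt, send_salt = salts or (None, None)
    return (vsa(MS_MPPE_RECV_KEY, mppe_encrypt(msk[:32], secret, request_auth, recv_salt))
            + vsa(MS_MPPE_SEND_KEY, mppe_encrypt(msk[32:], secret, request_auth, send_salt)))


def attributes_to_keys(attrs: bytes, secret: bytes, request_auth: bytes) -> Dict[str, bytes]:
    """What the NAS does with the Access-Accept: walk the VSAs and decrypt both key halves."""
    keys: Dict[str, bytes] = {}
    pos = 0
    while pos < len(attrs):
        t, l = attrs[pos], attrs[pos + 1]
        if l < 8 or pos + l > len(attrs):
            raise ValueError("malformed attribute")
        if t == ATTR_VENDOR_SPECIFIC and struct.unpack("!I", attrs[pos + 2:pos + 6])[0] == VENDOR_MICROSOFT:
            vtype, vlen = attrs[pos + 6], attrs[pos + 7]
            if vlen != l - 6:
                raise ValueError("vendor length mismatch")
            name = {MS_MPPE_RECV_KEY: "recv", MS_MPPE_SEND_KEY: "send"}.get(vtype)
            if name:
                keys[name] = mppe_decrypt(attrs[pos + 8:pos + l], secret, request_auth)
        pos += l
    return keys
```

Each 32-byte half becomes a 58-byte attribute (two bytes of salt, 48 bytes of ciphertext, plus the VSA framing). The only thing protecting the session key on the wire is MD5 keyed with the shared secret and chained on the Request Authenticator, which is the practical reason a NAS-to-server shared secret has to be long and random and why server-to-proxy hops of this traffic are best carried over TLS or IPsec.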
Thanks Ivan.
Not sure which file I should add the update reply to? Getting familiar with unlang,
so pardon my dumb questions.
I added in ldap.attrmap.
update reply {
rEntitlements -= entitlements
}
replyItem rEntitlements entitlements +=
is that right? Also you