hi all
i have a code like this in auth-post section :
if (condition) {
allocate from pool_1
}
else {
allocate from pool_2
}
I write this code but it does not work :
if (condition) {
update reply {
Pool-Name : = pool_1
}
}
else {
Danny Paul wrote:
> My management would like a way to force authorization to
> succeed even if EAP has actually failed.
This is impossible. It is *designed* to be impossible. If it was
possible, malicious networks could tell users that "authentication
succeeded", and then attack the users.
Hi all
I would like to use the name of the group a user is member of to update
the check item list.
I thought of using unlang to do so, and an update directive, but I cannot find
the variable name (if any) to use for the name of the group.
I have "%{Group}" "%{Group-Name}" "%{SQL-GROUP}" but no success:
Try authorize queries from mysql/dialup.conf. Perhaps mssql/dialup.conf
hasn't been updated. They look like 1.1.x to me.
Ivan Kalik
Kalik Informatika ISP
On 17/10/2008, "Xiaochen Jing" <[EMAIL PROTECTED]> wrote:
>Hello Ivan,
>
>I cannot find out where to configure group_membership_query. Shoul
Hello Ivan,
I cannot find out where to configure group_membership_query. Should I see
group check table being read in debug?
Thanks in advance
XJ
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]
On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2008 11:23 AM
Leave server alone (ie. remove comment from default_eap-type). Supplicant
is on your laptop or whatever you are trying to connect with. Stop
messing with freeradius - it is working fine.
Ivan Kalik
Kalik Informatika ISP
On 17/10/2008, "Martin Silvero" <[EMAIL PROTECTED]> wrote:
>and that I did
On Fri, Oct 17, 2008 at 4:00 PM, Martin Silvero <[EMAIL PROTECTED]>wrote:
> and that I did when I run radiusd -X I get an error in the initialization
> modules:
>
>
>
>
> eap.conf:
>
>
How about the output from radiusd -X?
You commented out md5 from eap.conf, but you are likely still trying to
ins
There was no error (on the server). Server doesn't choose which
authentication protocol you are going to use (so disabling things on the
server is pointless and likely counterproductive). You set the
supplicant. If you want to use tls choose using certificate based
authentication (not md5).
Ivan Ka
I'm getting ready to implement EAP-TLS for 802.1x port authentication.
Everything works great in my testing environment and I'm very happy with it.
However, before we roll it out into production, I must write a set of recovery
procedures. In these procedures I need to include a section on the (a
In that case, disable the module md5 because I just want to use tls?
Why does the error that I showed you? certificates?
thanks!
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>Only the NAS need to speak FR, the rest of the system can talk
>directly to the data store, correct?
Yes, user administration is totally separate from radius stuff. Only
changes made to freeradius files (users file, etc.) would require server
restart to take effect.
Ivan Kalik
Kalik Informatika
>>I follow. The project we are investigating is web service based. Was
>>thinking of an web service api rather than the sql schemas.
>>
>
> And web service is getting information from ... You can make a
> perl/php/whatever client for the web service and get the data that way.
> But why don't you ma
>Fri Oct 17 10:47:33 2008 : Debug: rlm_eap: processing type md5
>Fri Oct 17 10:47:33 2008 : Debug: rlm_eap_md5: Issuing Challenge
..
>a question:
>
>this certificate I'm going to install on multiple computers, can I generate
>problems that?
>
eap-md5 doesn't use certificates.
Ivan Kalik
Kalik I
Good day mate.
Well, I finally understood what you recommended and I did it, I created a package
with server.pem ca.pem and then converted it to .der, the amount to the
notebook but this time gave an error with the validation of the server:
rad_recv: Access-Request packet from host 10.0.31.40 port 1645
>In /mssql/dialup.conf, I edit two queries for authorized_check_query and
>authorize_group_check_query, instead of using the default ones. Doing this
>is easy for our database programming.
>
>
>
>authorize_check_query = "RADIUS_authorize_check_query
>'%{SQL-User-Name}'"
>
>
>
>autho
Matt Bernstein wrote:
> By this point we've correctly walked from default -> dcs -> dcs-inner.
> But.. as dcs-inner invokes rlm_ldap, it's using the wrong ldap instance:
...
> rlm_ldap: Entering ldap_groupcmp()
> [dcs-inner-files] expand: dc=maths,dc=qmul,dc=ac,dc=uk ->
> dc=maths,dc=qmul,dc=ac
Oguzhan Kayhan wrote:
> What I want is to learn if the virtual domain configuration is similar to
> apache's virtual domain. As we can use names instead of IPs.
The configuration files and README's contain documentation on what the
virtual servers are, and what they do.
> As, on freeradius if i
>>I just wonder if i can use radtest command as testing from a different
>>client?
>>Such as,
>>Assume i have a client conf for 1.1.1.1 ip add. in my
>> freeradius(2.2.2.2)
>>server.
>>And from 3.3.3.3 client(lets call client3) i am trying to test the
>>connection, like
>>radtest user pass 2.2.2.2
At 14:19 +0200 Alan DeKok wrote:
I have run into another bug: if I instantiate rlm_ldap in my servers
"dcs-inner" and "maths-inner", it seems to use the base DN for
"maths-inner" (instantiated second) for queries from "dcs-inner".
As always, debug mode.
By this point we've correctly walked
>I created the certificates in the way as explained in the readme file. But
>when I try to open or import the ca.der in the XP machine, it says that "the
>file type is not recognized".
>What wrong am I doing here?
>
Your XP is broken. Mine knows what .der file is. Go to Control
Panel/Folders/File Ty
>I'm confused - where can I set ldap module to set auth type itself.
>
Find set_auth_type in ldap configuration.
Ivan Kalik
Kalik Informatika ISP
Hello,
My Freeradius seems only to read radcheck table, not to read radgroupcheck
table from MS SQL.
Here is my settings:
In /mssql/dialup.conf, I edit two queries for authorized_check_query and
authorize_group_check_query, instead of using the default ones. Doing this
is easy for ou
Figured it out by looking at an old radius.conf; had to change user-name to
mschap-user-name
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Casartello,
Thomas
Sent: Friday, October 17, 2008 9:42 AM
To: 'FreeRadius users mailing list'
Subject: RE: Mach
Hi,
the username needs to have a $ - use unlang, for example
to stick a $ into stripped user name and use stripped user
name for authentication
alan
I created the certificates in the way as explained in the readme file. But
when I try to open or import the ca.der in the XP machine, it says that "the
file type is not recognized".
What wrong am I doing here?
Jas
tnt-4 wrote:
>
> So you haven't used xpextensions and your certificates are useles
At 14:19 +0200 Alan DeKok wrote:
Matt Bernstein wrote:
We will have multiple server certificates; our departments are rather
independent here.
Ugh. There's not really any good reason for this. If the
departmental certs are signed by a university CA, then you can still get
away with one ser
About changing it to User-Name?
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, October 17, 2008 9:37 AM
To: FreeRadius users mailing list
Subject: Re: Machine Authentication
Did you try what is suggested in mschap module j
Martin MacLeod-Brown wrote:
> File: /etc/freeradius/users
>
> Find:
>
> DEFAULT Auth-Type = System
> Fall-Through = 1
>
> Replace with:
>
> DEFAULT Auth-Type = LDAP
Don't do that. Just delete that entry.
> Now when I try to test I get the following error
>
> radclient: no response
Ok, after a bit of googling and some feedback from the mailing list -
here is my new sanity check
In radius.conf
ldap {
server = "ldap-master.london.edu"
identity = "cn=NetworkAuth,ou=People,o=london.edu,o=lbs"
password = *
Did you try what is suggested in mschap module just above the ntlm_auth
line?
Ivan Kalik
Kalik Informatika ISP
On 17/10/2008, "Casartello, Thomas" <[EMAIL PROTECTED]> wrote:
>I've tried to find something on the past posts on this list about this. I
>think I found what the problem is but was u
I've tried to find something on the past posts on this list about this. I think
I found what the problem is but was unable to find a solution. I'm trying to
make it so I can authenticate machines using the computer name. I know I need
to set the ntlm_auth command correctly but I couldn't find to
Matt Bernstein wrote:
> We will have multiple server certificates; our departments are rather
> independent here.
Ugh. There's not really any good reason for this. If the
departmental certs are signed by a university CA, then you can still get
away with one server instance.
>> update
saini_jas16 wrote:
> Can you please guide me in this regard. What guidelines shall I follow?
eap.conf, for one.
If you're going to edit the configuration files, it might be prudent
to *read* them.
Alan DeKok.
On Oct 15 Alan DeKok wrote:
Matt Bernstein wrote:
So saith FreeRADIUS 2.1.1, but I wasn't trying to do multiple levels of
TLS nesting. I'm trying to use virtual servers so that a single radiusd
can terminate TTLS/PEAP for multiple subrealms, _and_ use the
inner-tunnel trick, keeping the configs
Can you please guide me in this regard. What guidelines shall I follow?
Many Thanks,
Jas
A.L.M.Buxey wrote:
>
> Hi,
>>
>> I made them myself. Following were the commands I used.
>>
>> openssl genrsa -des3 -out ca.key 4096
>> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
>> openssl
Hi,
>
> I made them myself. Following were the commands I used.
>
> openssl genrsa -des3 -out ca.key 4096
> openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
> openssl genrsa -des3 -out server.key 4096
> openssl req -new -key server.key -out server.csr
> openssl x509 -req -days 3650 -in s
So you haven't used xpextensions and your certificates are useless for
connecting XP clients. Use certificate creation provided with the server:
raddb/certs/README
Ivan Kalik
Kalik Informatika ISP
On 17/10/2008, "saini_jas16" <[EMAIL PROTECTED]> wrote:
>
>I made them myself. Following were the
tnt-4 wrote:
>
>>I don't use authentication.
>
> I hope this means "I don't use radius authentication."
>
>>I'll give you the full description of my system and maybe you think of a
>>solution without modifying the source code:
>>A client sends only Accounting Start Requests(the same request f
Hi
The version is 0.9.8a - 18.15 - i586
Jas
A.L.M.Buxey wrote:
>
> Hi,
>
>> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
>> TLS Alert read:fatal:access denied
>> [peap] WARNING: No data inside of the tunnel.
>> [peap] eaptls_process returned 7
>> [peap] EAPTLS_OK
>> [peap] S
I made them myself. Following were the commands I used.
openssl genrsa -des3 -out ca.key 4096
openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 3650 -in server.csr -CA ca.crt
Hi,
> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
> TLS Alert read:fatal:access denied
> [peap] WARNING: No data inside of the tunnel.
> [peap] eaptls_process returned 7
> [peap] EAPTLS_OK
> [peap] Session established. Decoding tunneled attributes.
> [peap] Tunneled data is invali
>My certificate generation went really well, no errors at all. I generated the
>certificates with openssl.
Did you use Makefile provided in raddb/certs directory? Or did you make
them yourself?
Ivan Kalik
Kalik Informatika ISP
Hello list
I want to let authenticate the computer-account to radius - naturally
only computers who are in my samba-domain and also stored in my
openldap-db like
a laptop :
uid=inf-lap-1$,ou=samba-computers,dc=sb-brixen,dc=it
but from radius i get an error that this laptop was not found - is
My certificate generation went really well, no errors at all. I generated the
certificates with openssl. My Windows is also up to date. One thing I would
like to draw your attention to is, which even myself has just noticed, that it
is going through an ongoing EAP conversation, I do not know what thi
>DEFAULT Auth-Type = LDAP
>Fall-Through :=1
>
Don't do that. You can configure ldap module to set auth type itself.
>Putting the server into debug mode I get
>
>[EMAIL PROTECTED]:/etc/freeradius# radiusd -X
>The program 'radiusd' can be found in the following packages:
> * radiusd-livings
>>> [peap] eaptls_verify returned 11
>>> [peap] <<< TLS 1.0 Alert [length 0002], fatal access_denied
>>> TLS Alert read:fatal:access denied
>>> [peap] WARNING: No data inside of the tunnel.
Something is badly broken here. XP rejected CA certificate. It tends to
do that if certificate doesn't have
>I follow. The project we are investigating is web service based. Was
>thinking of an web service api rather than the sql schemas.
>
And web service is getting information from ... You can make a
perl/php/whatever client for the web service and get the data that way.
But why don't you make it avai
Hello,
I am sure it works well with Users file as well. I remember doing it in the
university. But I do not know why it's not working this time. I will be
integrating this freeradius with Novell's edirectory in few days time, but I
wanted to test if its working or not before integrating with edirect
Hi there,
I'm trying to get a basic radius set-up working and could do with
a sanity check as it is not working?
Steps taken so far
1) Default radius install on Ubuntu server (apt-get install freeradius
freeradius-ldap)
2) In radiusd.conf - configure LDAP server properties in the modules
Hi,
PEAP MSCHAPv2 works well with Active Directory Backend. I am not sure of its
Authentication Process with users file.
Try with EAP MD5, it works well with Users file.
SYED
On Thu, Oct 16, 2008 at 5:21 PM, saini_jas16 <
[EMAIL PROTECTED]> wrote:
>
> Hello All,
>
> I am trying to authenticate a
Alan, thanks.
>> * Is there an OS API or does all the direction come through the data store?
>
> ? OS API for... what? The server comes with a policy language that
> lets you pull information from custom SQL schemas.
I follow. The project we are investigating is web service based. Was
thinking o
Tom D. Davidson wrote:
> Hello, I have some usage questions about FreeRADIUS that I am not
> finding answers for on the wiki.
>
> Can FR:
FreeRADIUS can put anything into any RADIUS packet. The rest of your
questions are best answered by pointing to general RADIUS concepts:
http://dep