Hi
I am facing a strange issue while running radtest from a remote IP and
radiusd running on other IP but on the same network.
My Radius server is not listening to any other client except localhost.
I've added all clients entries in clients.conf file.
What could be the issue?
Pls advise.
-Thanks
M
I'm using Freeradius with a Postgresql backend. Every two or three days,
Freeradius dies. These are the last lines from the log file:
Tue Feb 24 21:15:31 2009 : Auth: Login OK: [] (from client port 3 cli
)
Tue Feb 24 21:16:34 2009 : Auth: Login OK: [] (from client port 3
I have a wired 802.1x auth setup on cisco gear. I would like to
record the IP address of machines that connect and are authorized. Is
this possible?
I currently see NAS-IP-Address and Client-IP-Address as the IP of the
switch. The Calling-Station-Id is the correct mac address of the
authorized
to do. Sleeping until we see a request.
-----
Can someone help me with defining radius NOT to authenticate with
/etc/passwd
But with /etc/raddb/users file.
Tnx,
Hi Shimon,
In the /usr/local/etc/raddb/sites-enabled/default file, comment out the unix
module.
#
# Pull crypt'd passwords from /etc/passwd or /etc/shadow,
# using the system API's to get the password. If you want
# to read /etc/passwd or /etc/shadow d
Hello,
My name is Shimon from the Open Univ. of Israel. I installed freeradius and I
want the
Users to authenticate with /etc/raddb/users file NOT /etc/passwd file.
Below is a printout of /usr/sbin/radius -X -y
--
rad_recv: Access-Request packet from host 127.0.0.1:54057, i
Hi Ivan,
Thanks a lot for the guidance. I rectified the problem. The debug mode
shows that it is receiving the request from the WAN IP of the IP
(192.168.104.xxx), while the NAS-IP appeared to be its LAN IP
(192.168.1.xxx). As a result, Radius Server was trying to send the
Access-Challen
>> Yes. There is no problem in composing Cleartext-Password "on the fly"
>> from users password and the token. It shouldn't be too difficult to
>> create a perl script that does that.
>
>Excellent! So the username and tokencode/password is passed from the
>NAS (ASA5500) to the FreeRADIUS server and
Hi Ivan,
t...@kalik.net wrote:
Scenario:
To pilot the SecurID product, we selected VPN access to a part of our
network, protected by a Cisco ASA5500 series device. We are in the
process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
We know that MS IAS cannot do what we want to d
>Thanks for your attention. Yes, you are right, we should organize our system
>regarding the structure of freeradius. I have lots of questions to ask. I am
>going to coherently form them; would you please trace this thread?
I do hang around. This is what you should plan for:
- checks that need to
Ivan,
Thanks for your attention. Yes, you are right, we should organize our system
regarding the structure of freeradius. I have lots of questions to ask. I am
going to coherently form them; would you please trace this thread?
Kind Regards
Ali Majdzadeh Kohbanani
-
List info/subscribe/unsubscribe?
>I'm trying to figure out how to check to see if the auth type is
>mschap in the users file. I can find tons of help on setting the
>Auth-Type, but not a lot on how to compare it.
>
>Additional background info:
>I'm running 802.1x with two auth types, certificate based and mschap.
It's EAP-Type n
Hi,
I'm trying to figure out how to check to see if the auth type is
mschap in the users file. I can find tons of help on setting the
Auth-Type, but not a lot on how to compare it.
Additional background info:
I'm running 802.1x with two auth types, certificate based and mschap.
I have a default
>Thanks for your reply. The problem is time. We should find an immediate
>solution. Anyway, thanks again.
>
Immediate solution is *not* trying to invent a new kind of hole on the
flower pot. Don't use custom authentication script - use existing
server modules. Whatever additional checks you think
>But the server doesn't send the reply to the client (Timeout at clientside)
>
>rad_recv: Access-Request packet from host 10.0.1.131:57004, id=7, length=71
>User-Name = "radius"
>NAS-IP-Address = 10.0.1.131
>CHAP-Password = 0x7826d3a1143b969ddf5ea1599a9483574a
>CHAP-Challenge = 0x9899ee060e58b98648
The challenge is outputted to the user that triggered the challenge, expecting
that he can answer it. I have no idea if the productive system ever will send a
challenge and, if so, how it will look. I just wanted to test out client, if
it can handle it.
-Original Message-
From:
Ivan,
Thanks for your reply. The problem is time. We should find an immediate
solution. Anyway, thanks again.
Kind Regards
Ali Majdzadeh Kohbanani
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>Thanks for reply. But the client that I use, only supports PAP and CHAP
>requests and neither of them initiates the server to send an Access Challenge.
So what is client going to do with the challenge when it gets it?
>That is why I tried to create the challenge with the help of the perl modul
Sorry for sending this message twice, but I forgot the debug output.
---
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
That is why I tried to create the challenge with the help of the perl mod
>Thanks for your reply. You are right and I do know that this is not the
>right way to get things done, but what we have got here is a sophisticated
>and feature-balloted AAA system which is totally based on external programs.
So what would be the problem in sorting out your "features" in
authoriz
Thanks for reply. But the client that I use, only supports PAP and CHAP
requests and neither of them initiates the server to send an Access Challenge.
That is why I tried to create the challenge with the help of the perl module.
Then I realized that freeradius.net unfortunately doesn't include th
Hi Jouni,
Thanks for your reply. I understand your concern on wasting time when in a
failure condition. I agree it would be ideal for the code to continue
transfers, based on progress. We will try to validate the use case before
taking this further.
Regards,
Brian Smith
Ph. 602-436-6691
Ho
Alan,
Environment: SunOS 5.10 and FR 2.1.3 (stable)
I encountered the following problem when the server received an
Access-Challenge packet
from a proxy server. Any help in fixing this problem would be appreciated.
Thanks,
Chris
Waking up in 0.9 seconds.
rad_recv: Access-Challenge packet from
Ivan,
Hello
Thanks for your reply. You are right and I do know that this is not the
right way to get things done, but what we have got here is a sophisticated
and feature-balloted AAA system which is totally based on external programs.
As a mid-term solution we should try to respond to our numerous
Hi Alan,
Again, thanks for your great reply. If we wanted to pursue this
capability, what would be the process to get FreeRadius to support large
chains?
Regards,
Brian Smith
Ph. 602-436-6691
Honeywell
-Original Message-
From:
freeradius-users-bounces+brian.smith=honeywell@lists.fre
>What's happening here? It's like the radius tries to send a request back to
>the supplicant, but gives up...
No. Client gives up - it didn't send client certificate.
Ivan Kalik
Kalik Informatika ISP
Sandra H. wrote:
> What's happening here? It's like the radius tries to send a request back
> to the supplicant, but gives up...
> The supplicant is NAT'ed behind 192.168.0.1 could that be causing an
> issue? I have tried DMZ'ing the supplicant still with no success...
>
> Any ideas? Thanks for th
What's happening here? It's like the radius tries to send a request back to
the supplicant, but gives up...
The supplicant is NAT'ed behind 192.168.0.1 could that be causing an issue?
I have tried DMZ'ing the supplicant still with no success...
Any ideas? Thanks for the help
rad_recv: Access-Re
>By the way, the authorization external program sets my customized Auth-Type
>so that in the authentication section, I can use it to authenticate clients
>using my authentication external program which is another instance of the
>rlm_exec module (the second one).
Why?
>The main problem is the way
Ivan,
Hello
Problem solved. I have mentioned my solution below, but now comes another
question, sorry :)
How is it possible to authenticate CHAP clients using an external program
and not the rlm_chap module?
I made two instances of the rlm_exec module. One as the authorization
external program and
>I've been trying to authenticate a Wireless Access Point through a Radius
>Server for the last 1 month, but things don't seem to be working for me.
>The Radius Server is authenticating when I test it with the radtest
>command. It also worked for a Cisco 2950 switch. But no luck when I use
>the Access
>The
>result is the same, with both attributes the CHAP module throws the same
>error. Any ideas?
>
Post the debug.
Ivan Kalik
Kalik Informatika ISP
>Mon Feb 23 19:54:36 2009 : Info: [files] expand:
>(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))
>->
>(|(&(objectClass=GroupOfNames)(member=))(&(objectClass=GroupOfUniqueNames)(uniquemember=)))
Try %{control:Ldap-UserD
>Scenario:
>To pilot the SecurID product, we selected VPN access to a part of our
>network, protected by a Cisco ASA5500 series device. We are in the
>process of moving away from the MS IAS RADIUS solution to FreeRADIUS.
>We know that MS IAS cannot do what we want to do.
>
>What we want to do:
>Wh
Ivan,
Hello
Thanks for your attention, but I have tested what you had suggested. The
result is the same, with both attributes the CHAP module throws the same
error. Any ideas?
Kind Regards
Ali Majdzadeh Kohbanani
2009/2/24
> >I am using freeradius-1.1.7. In order to authenticate users using an
On Tue, Feb 24, 2009 at 10:36 AM, Alan DeKok wrote:
> Defining "progress" per EAP type may be difficult.
Indeed and that is why the hardcoded limit of round trips ended up
being there in the first place.. ;-) Anyway, the most common issue
case I've seen is where EAP server and peer end up sendi
Dear All,
I've been trying to authenticate a Wireless Access Point through a Radius
Server for the last 1 month, but things don't seem to be working for me.
The Radius Server is authenticating when I test it with the radtest
command. It also worked for a Cisco 2950 switch. But no luck when I use
Jouni Malinen wrote:
> The main (well, more or less, the only) reason for that limit on
> number of round trips is to work around issues where the EAP peer and
> server ended up in an infinite loop ACKing their messages. I would
> prefer to change that to be based on whether any real progress has
>
On Tue, Feb 24, 2009 at 9:20 AM, Alan DeKok wrote:
> No... they *do* support multiple round trips. But they have an upper
> limit on "too many" round trips. For example, WPA supplicant (the most
> widely used one) has a default limit of 50. This means it's *highly*
> unlikely that it will work
39 matches