I am using Cisco ACS for authenticating my VPN users, now I thought of using
two factor auth in place against the direct authentication by ACS, on this
process one of the googling guided me to try proxying the ACS to Freeradius
and call some scripts to talk to the java application. now by making
also I am going through the documentation part of jradius to imply? can anyone
of you suggest me whether I am in right direction?
sollunga wrote:
I am using Cisco ACS for authenticating my VPN users, now I thought of
using two factor auth in place against the direct authentication by ACS,
on
Alan DeKok wrote:
Alan DeKok wrote:
It's about time we have a formal testing process. I have some hosted
machines with spare cycles.
I'll install CruiseControl...
Nope.
After a quick review of continuous integration systems:
.
I think it's easier just to write a few
On Wed, 11 Mar 2009 23:51:50 +0200, t...@kalik.net wrote:
Hi. I have two types of nases: 1) hotspots 2) vpn servers. I need vpn
nases authorize only vpn users and hotspot nases authorize only hotspot
users. How can i divide users into several groups and reject vpn
accounts
to login through
also I am going through the documentation part of jradius to imply? can anyone
of you suggest me whether I am in right direction?
If you want to use Java that is a good way.
now by
making the ACS to do proxying at network configuration, I can see the
request
Well, we don't. Post the debug
I use rlm_sql to store user attributes, but I thought sql groups it's
internal feature of rlm_sql and not related to radius server at all.
It is internal, but SQL-Group can be used in other modules too. If you
check SQL-Group in, let's say, users file, rlm_sql will be called and
value of
In my inner-tunnel virtual server, authorize section, I have some
code like this, for sorting users into vlans:
update control {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id :=
And many requests later you ask about it:
++? if (control:Tmp-String-0 == ldap-student)
(Attribute control:Tmp-String-0 was not found)
.. and it's not there. Of course it's not, since it wasn't
set during processing of that Access-Request but much earlier
in the exchange.
Obvious
t...@kalik.net wrote:
In my inner-tunnel virtual server, authorize section, I have some
code like this, for sorting users into vlans:
update control {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id :=
Hi,
Thanks for your reply, Ivan. So I don't need to update control to
place a user in a vlan? If I can safely remove this section, that's my
problem solved - thanks.
this sort of stuff needs to go into the RADIUS REPLY. you can use
eg PERL to do this, see the examples that come with the
In my inner-tunnel virtual server, authorize section, I have some
code like this, for sorting users into vlans:
update control {
Tunnel-Type := VLAN
Tunnel-Medium-Type := IEEE-802
Tunnel-Private-Group-Id :=
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot') {
reject
}
Here debug on this action:
++? if (SQL-Group != 'Spot')
sql_groupcmp
Hi Ivan,
The Zinwell manual didn't say anything about enabling account. My Freeradius is
configured with default values, only things I changed was to use EAP/PEAP and
freeradius, at radius database I configured tables NAS, Usergroup, radcheck and
groupreply(Auth-Type:=EAP).
Could you
Hi,
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot') {
reject
}
if (SQL-Group != /Spot/) ?
alan
-
List
Dear Alan
You might consider to take a look on the mysql module on freeradius 2.1.4.
I have tried with Debian Lenny + mysql , error: mysql module not found. Same
machine with 2.1.3, no such issue.
Thanks
- Original Message
From: Johan Meiring jmeir...@pcservices.co.za
To:
Hi,
The Zinwell manual didn't say anything about enabling account. My Freeradius
is configured with default values, only things I changed was to use EAP/PEAP
and freeradius, at radius database I configured tables NAS, Usergroup,
radcheck and groupreply(Auth-Type:=EAP).
if it doesn't
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot') {
reject
}
Here debug on this action:
++? if (SQL-Group != 'Spot')
sql_groupcmp
piston wrote:
You might consider to take a look on the mysql module on freeradius 2.1.4.
I have tried with Debian Lenny + mysql , error: mysql module not found. Same
machine with 2.1.3, no such issue.
Is it so difficult to provide more information?
Like... configure logs, build logs,
Leonardo Mártyres wrote:
The Zinwell manual didn't say anything about enabling account.
Then it doesn't do accounting. Nothing you do to FreeRADIUS will make
the Zinwell machine send accounting packets.
Throw the Zinwell box in the garbage, and buy an access point that has
the features you
Alexander Solodukhin wrote:
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot') {
That won't work... the SQL-Group attribute is a callback attribute.
i.e.
The Zinwell manual didn't say anything about enabling account.
Well, there is nothing you can do on the radius server to make AP send
accounting.
My Freeradius is configured with default values, only things I changed was to
use EAP/PEAP and freeradius, at radius database I configured tables
On Thu, 12 Mar 2009 14:30:07 +0200, Alan DeKok al...@deployingradius.com
wrote:
Alexander Solodukhin wrote:
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot')
--
Message: 7
Date: Thu, 12 Mar 2009 12:17:56 +
From: a.l.m.bu...@lboro.ac.uk
Subject: Re: Re: No accounting Freeradius + EAP/PEAP/TLS
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID: 20090312121756.gd28...@lboro.ac.uk
On Thu, 12 Mar 2009 14:20:58 +0200, t...@kalik.net wrote:
Thank you for help. I try to do as you say and put this to authorize
section after preprocess:
preprocess
# allow hotspot users only
if (SQL-Group != 'Spot') {
reject
}
Here debug on
Freeradius 2.1.3
winbindd version 3.0.33-3.7.el5
RedHat Linux 5, release 2 fully patched
I know this isn't a FreeRadius issue, but is related. Has anyone running
FreeRadius with Winbindd for windows authentication, found a solution to
these error messages in the samba.log?
[r...@prad01
What will be
the configuration then?
DEFAULT Huntgroup-Name==testldap, Ldap-Group == employee, Auth-Type := Pam
Fall-Through = no
DEFAULT if (NAS-IP-Address z.z.z.z NAS-IP-Address y.y.y.y) {
Auth-Type:= Pam} else
{
Auth-Type := Reject
Reply-Message = Please call
sites-enabled/default
-
authorize
{
ldap
if (Ldap-Group == employee NAS-IP-Address ==
^131\.(220)\.(1)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)$)
{ok} else
if (Ldap-Group == student NAS-IP-Address ==
Hi,
I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However whilst
this leaves the service unable to authenticate the user, it still
Is the default_profile setting in modules/ldap supposed to expand
runtime variables?
I tried to set:
default_profile = cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com
but on the logs I see:
rlm_ldap: performing search in
cn=default,ou=%{Realm},ou=profiles,dc=mc,dc=com
rlm_ldap: object not
I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However whilst
this leaves the service unable to authenticate the user, it still replies
Hi,
Is there any way to force a logic whereby if the ldap module fails, it would
drop the RADIUS request on the floor, to make it look like a service failure
to the client? Kinda wrecks our resiliency model if not! We're only using a
single ldap server per box, but even if we were using other
My problem is that, I am not able to figure out, what wrong am I doing ? I
shall be highly thankful, if you can point me what part of config I need to
change?
Many Thanks,
JK
Jaswinder Kaur wrote:
I am using freeradius 2.1.1 on Suse 10 SP1. I
On Thu, Mar 12, 2009 at 4:33 PM, t...@kalik.net wrote:
I've set up a 2.1.4 server, and working pretty well with authentication
against LDAP alone. What I've noticed though is that if the LDAP server is
down on the same box then the LDAP module, rightfully, fails. However
whilst
this leaves
On Thu, Mar 12, 2009 at 5:07 PM, a.l.m.bu...@lboro.ac.uk wrote:
Hi,
Is there any way to force a logic whereby if the ldap module fails, it
would
drop the RADIUS request on the floor, to make it look like a service
failure
to the client? Kinda wrecks our resiliency model if not! We're
Jaswinder Kaur wrote:
My problem is that, I am not able to figure out, what wrong am I doing ? I
shall be highly thankful, if you can point me what part of config I need to
change?
Have you READ eap.conf? This is documented in all of the recent
versions of the server.
This is also in
You have two different versions of OpenSSL installed.
I'm really stumped by this. I've replaced the default debian openssl libraries
(as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting the
pesky error, radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so:
Hi,
Could someone suggest some NAS models to buy? I want to do account properly.
Thanks
Hi, Does an accounting server reply to a NAS's accounting message? How does an
NAS know that the accounting message is lost (due to accounting server
failure)? Thanks.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Have a radius box setup and am using ntlm_auth to authenticate peapv0
with mschapv2 in the inner tunnel off a samba pdc.
All normal users authenticate fine. When I try to authenticate using the
machine account I get this:
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap]
rosect...@yahoo.com wrote:
Hi, Does an accounting server reply to a NAS's accounting message?
Yes.
How
does an NAS know that the accounting message is lost (due to accounting
server failure)? Thanks.
It doesn't receive a reply?
Alan DeKok.
Peter Param wrote:
You have two different versions of OpenSSL installed.
I'm really stumped by this. I've replaced the default debian openssl
libraries
(as per... ldconfig -v | grep ssl) with openssl 0.9.8.j and am still getting
the
pesky error, radiusd: symbol lookup error:
Giovanni Lovato wrote:
Is the default_profile setting in modules/ldap supposed to expand
runtime variables?
No.
Alan DeKok.