Re: Reply with group attribute

2009-03-13 Thread tnt
>> Did you read rlm_passwd man page?
>
> Of course

I have posted the link to man unlang as well. It does say which quotes to use to expand the variable, which lists exist ...

> update reply {
>     Class := %{My-Group-Name},
>     Class += %{passwd:My-Group-Name},
>     Class += %{Group}
> }

Re: Reply with group attribute

2009-03-13 Thread Alan DeKok
Markus Wernig wrote:
>> In a new version of the server.
>
> Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it
> populate the Group or Group-Name attribute. doh

It doesn't populate the Group attribute. One user may be in 10 or more groups. Maybe 100. That gets difficult to

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
t...@kalik.net wrote:
> Did you read rlm_passwd man page?

Of course

So I put

filename "/etc/group" {
    format = "My-Group-Name:::*,User-Name"
}

into /etc/freeradius/modules/passwd and

ATTRIBUTE My-Group-Name 3000 string

into /etc/freeradius/dictionary (btw. can't put in "Group-Name"
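Added example, not FreeRADIUS code and not from anyone on the thread: a small model of the lookup that the rlm_passwd format "My-Group-Name:::*,User-Name" from Markus's post and the Class += %{passwd:My-Group-Name} reply update from tnt's post describe. The format keys on the comma-separated member column of /etc/group, so the example also looks up the primary group from the /etc/passwd gid, which that column does not list, and it emits one Class attribute per group (Alan's point that a user may be in 10 or 100 groups) rather than one joined string, since a single attribute value is limited to 253 octets. The /etc/passwd and /etc/group contents are constructed for the example.

```python
# Added example (not FreeRADIUS's own code): model of the /etc/group lookup that
# the rlm_passwd format "My-Group-Name:::*,User-Name" describes, keyed on the
# member column, plus the primary group taken from the /etc/passwd gid.
# SAMPLE_PASSWD and SAMPLE_GROUP are constructed inputs, not real systems.

SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:2001:Bob:/home/bob:/bin/bash
"""

SAMPLE_GROUP = """\
root:x:0:
alice:x:1001:
wheel:x:10:root,alice
vpn-users:x:2000:alice
vpn-admins:x:2001:bob
# comment and short lines are skipped, as a passwd-style reader would
"""

CLASS_MAX_OCTETS = 253  # RFC 2865: a single attribute value is at most 253 octets


def parse_group(text):
    """Return (name -> gid, name -> set of members) for /etc/group-formatted text."""
    gids, members = {}, {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        name, _pw, gid, member_list = fields[:4]
        gids[name] = int(gid)
        members[name] = {m for m in member_list.split(",") if m}
    return gids, members


def supplementary_groups(group_text, user):
    """Groups whose member column lists the user: what the "*,User-Name"
    key field of the passwd format matches against."""
    _, members = parse_group(group_text)
    return sorted(name for name, ms in members.items() if user in ms)


def primary_group(passwd_text, group_text, user):
    """Group named by the user's gid in /etc/passwd, or None if not found."""
    gids, _ = parse_group(group_text)
    by_gid = {gid: name for name, gid in gids.items()}
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) >= 4 and fields[0] == user:
            return by_gid.get(int(fields[3]))
    return None


def class_attributes(passwd_text, group_text, user):
    """One Class value per group, primary group first, duplicates removed.
    Class is opaque octets and a user may be in many groups, so every group
    becomes its own attribute instead of one joined string that could exceed
    the per-attribute limit."""
    groups = []
    prim = primary_group(passwd_text, group_text, user)
    if prim is not None:
        groups.append(prim)
    for g in supplementary_groups(group_text, user):
        if g not in groups:
            groups.append(g)
    values = []
    for g in groups:
        raw = g.encode("utf-8")
        if len(raw) > CLASS_MAX_OCTETS:
            raise ValueError(f"group name {g!r} exceeds {CLASS_MAX_OCTETS} octets")
        values.append(raw)
    return values


if __name__ == "__main__":
    for who in ("alice", "bob", "nobody"):
        print(who, [v.decode() for v in class_attributes(SAMPLE_PASSWD, SAMPLE_GROUP, who)])
```

Whatever the VPN gateway expects in Class, check it against the full list rather than the first value only; the gateway quoted later in the thread matches Class values to its own group names, so each value has to be exactly one group name.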

Re: Reloading CRL for EAP-TLS

2009-03-13 Thread Matt Causey
>>> Are you planning to improve CRL support in version 2.0 in some near future?
>
> What do you mean by better support?

Are you asking for a way to update CRLs without a bounce of freeradius?

--
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Reply with group attribute

2009-03-13 Thread tnt
>> In a new version of the server.
>
> Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it
> populate the Group or Group-Name attribute. doh

Did you read rlm_passwd man page?

Ivan Kalik
Kalik Informatika ISP

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
Alan DeKok wrote:
> In a new version of the server.

Yes, indeed. I'm on 2.1.0 now, and no trick whatsoever will make it populate the Group or Group-Name attribute. doh

/m

Re: Reply with group attribute

2009-03-13 Thread Alan DeKok
Markus Wernig wrote:
> 1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which
> seems quite a large difference.
>
>> Use unlang after unix in authorize.
>
> What do you mean by "after unix"?
>
> So I've put the following in radiusd.conf:
>
> authorize {
> ...
> unix
> update "reply"

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
t...@kalik.net wrote:
> Yes, that's where it is in 2.x. I had a look at the unix module and it
> doesn't populate Group attribute (for some years now as it turns out).

What a pity. I found this in modules/etc_group: "The Group-Name attribute is automatically created by the Unix module, and does

Re: Reply with group attribute

2009-03-13 Thread tnt
>> Use unlang after unix in authorize.
>
> Sorry, I don't understand that.

Reading man pages helps with that: http://freeradius.org/radiusd/man/unlang.html

> There is an authorize section in /etc/freeradius/sites-enabled/default.

Yes, that's where it is in 2.x. I had a look at the unix module and it

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
t...@kalik.net wrote:
> Are you using some ancient version?

1.1.7 (comes with ubuntu 8.04). I see that 2.1.3 is released, which seems quite a large difference.

> Use unlang after unix in authorize.

What do you mean by "after unix"?

So I've put the following in radiusd.conf:

authorize {
...

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
t...@kalik.net wrote:
> Are you using some ancient version?

I was using 1.1.7 first, but have upgraded to 2.1.0 now. Still the same behaviour. So, afaict, the group attribute doesn't make it into the reply. Where should I put that line? Do I need to echo it?

> Use unlang after unix in authoriz

Re: Help setting up machine auth with peap

2009-03-13 Thread Josh Hiner
a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> I do see the "Exec-Program output: Must change password (0xc224)"
>> which to me means the computer account password has expired? I tried
>> removing and re-adding the computer to the domain but get the same error.
>
> you are right - the password needs

Re: Reply with group attribute

2009-03-13 Thread tnt
> Unfortunately I don't know where to put that line.
> If I put it into the users file, in the DEFAULT section like this:
>
> DEFAULT Auth-Type = System
>         Class := "%{Group}",
>         Fall-Through = 1
>

Are you using some ancient version?

> The reply looks like this (at least in the logfi

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
Hi Ivan, thanks for your help

Unfortunately I don't know where to put that line. If I put it into the users file, in the DEFAULT section like this:

DEFAULT Auth-Type = System
        Class := "%{Group}",
        Fall-Through = 1
...

The reply looks like this (at least in the logfile):

Packet-T

FW: Help to buy a NAS

2009-03-13 Thread Leonardo Mártyres
Hi,

Could someone suggest some AP models to buy? I want to do accounting properly with freeradius.

Thanks

Re: Dropping requests when no authentication possible

2009-03-13 Thread Chris Phillips
On Fri, Mar 13, 2009 at 1:43 PM, Alan DeKok wrote:
> Chris Phillips wrote:
>> We're close, I can really feel it, but that packet is still hitting the
>> wire.
>
> Hmm... then I think the functionality will need someone to write a bit
> more code

Thanks, frustrating this, maybe I'll need to r

Re: Dropping requests when no authentication possible

2009-03-13 Thread Alan DeKok
Chris Phillips wrote:
> We're close, I can really feel it, but that packet is still hitting the
> wire.

Hmm... then I think the functionality will need someone to write a bit more code.

Alan DeKok.

Re: Dropping requests when no authentication possible

2009-03-13 Thread Chris Phillips
>> Response-Packet-Type = Do-Not-Respond
>
> Try changing that to Tmp-String-0 := "silent"
>
> And then add to Post-Auth-Type REJECT:
>
> if (control:Tmp-String-0 == "silent") {
>     update control {
>         Response-Packet-Type := 256
>     }
> }
>
> Ivan Kali
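Added example, not from the thread and not FreeRADIUS code: a minimal RADIUS client probe for checking the outcome the Response-Packet-Type := 256 / Do-Not-Respond configuration posted above is supposed to produce. It sends one Access-Request and reports whether the server replied with Accept, Reject or Challenge, replied with a bad Response Authenticator (wrong shared secret, or a reply forged by someone without it), or stayed silent until the timeout, which is the "packet still hitting the wire" test Chris describes. Host, port, shared secret and credentials are assumptions given on the command line; build_response plays the server side so the exchange, including User-Password hiding per RFC 2865 section 5.2, can be exercised offline.

```python
# Added example (not the project's code): RADIUS Access-Request probe that
# distinguishes accept / reject / challenge / bad-authenticator / silent.
# Assumptions: server reachable over UDP, shared secret known to the caller.
import hashlib
import hmac
import os
import socket
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCESS_CHALLENGE = 1, 2, 3, 11
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IDENTIFIER = 1, 2, 32


def _hide(data, secret, authenticator, encrypt):
    """RFC 2865 section 5.2 User-Password hiding and its inverse: each 16-octet
    block is XORed with MD5(secret + previous ciphertext block); the first block
    uses the Request Authenticator in place of a previous block."""
    if len(data) % 16:
        raise ValueError("input must be a multiple of 16 octets")
    out = bytearray()
    prev = authenticator
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, key))
        out += res
        prev = res if encrypt else block  # chain on ciphertext in both directions
    return bytes(out)


def encrypt_user_password(password, secret, authenticator):
    if len(password) > 128:
        raise ValueError("User-Password is at most 128 octets")
    padded = password + b"\x00" * (-len(password) % 16)
    if not padded:
        padded = b"\x00" * 16  # an empty password is still one padded block
    return _hide(padded, secret, authenticator, encrypt=True)


def decrypt_user_password(hidden, secret, authenticator):
    return _hide(hidden, secret, authenticator, encrypt=False).rstrip(b"\x00")


def attribute(attr_type, value):
    """Type-Length-Value encoding; the length octet includes the 2-octet header."""
    if len(value) > 253:
        raise ValueError("attribute value exceeds 253 octets")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def build_access_request(ident, secret, user, password, authenticator=None):
    """Return (packet, request_authenticator); the authenticator must be random per request."""
    ra = authenticator if authenticator is not None else os.urandom(16)
    attrs = (attribute(ATTR_USER_NAME, user.encode())
             + attribute(ATTR_USER_PASSWORD, encrypt_user_password(password.encode(), secret, ra))
             + attribute(ATTR_NAS_IDENTIFIER, b"probe"))
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + ra + attrs, ra


def build_response(code, ident, request_authenticator, secret, attrs=b""):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def classify_response(packet, ident, request_authenticator, secret):
    """Classify the datagram received for our request; None means nothing arrived."""
    if packet is None:
        return "silent"
    if len(packet) < 20:
        return "malformed"
    code, rid, length = struct.unpack("!BBH", packet[:4])
    if rid != ident or length < 20 or length > len(packet):
        return "malformed"
    expected = hashlib.md5(packet[:4] + request_authenticator + packet[20:length] + secret).digest()
    if not hmac.compare_digest(expected, packet[4:20]):
        return "bad-authenticator"  # wrong secret, or a reply not from the server
    names = {ACCESS_ACCEPT: "accept", ACCESS_REJECT: "reject", ACCESS_CHALLENGE: "challenge"}
    return names.get(code, "other")


def probe(host, port, secret, user, password, timeout=3.0):
    """Send one Access-Request and classify what comes back within the timeout."""
    ident = os.urandom(1)[0]
    packet, ra = build_access_request(ident, secret, user, password)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            data = None
    return classify_response(data, ident, ra, secret)


if __name__ == "__main__":
    import sys
    host, secret, user, password = sys.argv[1:5]  # assumed arguments
    print(probe(host, 1812, secret.encode(), user, password))
```

Run it once with the LDAP backend up and once with it down: "silent" is the wanted result for the second run, and "reject" means the packet is still going out. Verifying the Response Authenticator matters for the check itself, since without it any UDP datagram sent to the probe's port would be counted as a server reply.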

Re: Reloading CRL for EAP-TLS

2009-03-13 Thread Alan DeKok
leopold wrote:
> A year passed. Did you change your roadmap?

Roadmaps always change.

> Do you have plans to implement this feature and make rlm_eap
> RLM_TYPE_HUP_SAFE?

There are no plans to do this right now.

> I understand this is not an easy fix since it should handle ongoing EAP-TLS
> c

Re: Dropping requests when no authentication possible

2009-03-13 Thread Chris Phillips
>>> Fri Mar 13 09:57:22 2009 : Info: No authenticate method (Auth-Type)
>>> configuration found for the request: Rejecting the user
>
> Ok. Change the "update" block to:
>
> update control {
>     Response-Packet-Type = Do-Not-Respond
>     Auth-Type := Accept
>

Re: Error in authentication

2009-03-13 Thread Jaswinder Kaur
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi Alan,

I have found the problem with my radius authentication. My CA certificate had expired, which was the root of the issue. But it's been sorted now.

Cheers,
JK

-----BEGIN PGP SIGNATURE-----
Version: PGP Universal 2.9.0 (Build 472)
Charset:

Re: Reloading CRL for EAP-TLS

2009-03-13 Thread leopold
Alan,

A year passed. Did you change your roadmap? Do you have plans to implement this feature and make rlm_eap RLM_TYPE_HUP_SAFE? I understand this is not an easy fix since it should handle ongoing EAP-TLS conversations

Thanks.
Leopold

Alan DeKok-2 wrote:
>
> Jan Tomasek wrote:
>> I understand

Re: Reply with group attribute

2009-03-13 Thread tnt
> So, the question is: How do I make freeradius return the users' group as
> a "class" attribute in the authentication reply?

Like every other: Class := whatever. In your case Class := "%{Group}". Read man unlang.

Ivan Kalik
Kalik Informatika ISP

Re: Reply with group attribute

2009-03-13 Thread Markus Wernig
Hello all

I found some hint on how the VPN gateway expects the group information from the RADIUS server to be presented:

--- QUOTE ---
To use RADIUS groups, you must define a return attribute on the RADIUS Server, in the RADIUS user profile. This RADIUS attribute is returned to the VPN gatew

Re: Dropping requests when no authentication possible

2009-03-13 Thread Alan DeKok
Chris Phillips wrote:
> Fri Mar 13 09:57:22 2009 : Info: +++[ldap] returns fail
> Fri Mar 13 09:57:22 2009 : Info: +++- entering group {...}
> Fri Mar 13 09:57:22 2009 : Info: [control] returns fail
> Fri Mar 13 09:57:22 2009 : Info: [ok] returns ok
> Fri Mar 13 09:57:22 2009 : Info: +++-

Re: Dropping requests when no authentication possible

2009-03-13 Thread tnt
> Thanks Alan, here's where I've ended up so far...
>
> Fri Mar 13 09:57:22 2009 : Error: rlm_ldap: (re)connection attempt failed
> Fri Mar 13 09:57:22 2009 : Info: [ldap] search failed
> Fri Mar 13 09:57:22 2009 : Debug: rlm_ldap: ldap_release_conn: Release Id: 0
>
> Fri Mar 13 09:57:22 2009 : Info: ++

Re: Dropping requests when no authentication possible

2009-03-13 Thread Chris Phillips
On Fri, Mar 13, 2009 at 8:13 AM, Alan DeKok wrote:
> Chris Phillips wrote:
>> I've set up a 2.1.4 server, and working pretty well with authentication
>> against LDAP alone. What I've noticed though is that if the LDAP server
>> is down on the same box then the LDAP module, rightfully, fails. Ho

Re: Freeradius+Java application api call and authenticate

2009-03-13 Thread tnt
> Thanks Ivan Kalik, will go through the Cisco documentation and get back to you;
> meantime, I am still wondering how to post the information from FreeRADIUS to
> the Java application, I am confused with the jradius document.

Configuration file for jradius module is included in the source (src/modules/rlm_jrad

Reply with group attribute

2009-03-13 Thread Markus Wernig
Hello all

I'm terribly new to RADIUS, so please excuse my ignorance. What I'm looking for (and can't find in man, wiki or google) is how to send back the group an authenticated user is in together with the authentication result. I have a VPN gateway that authenticates users again

Re: Help setting up machine auth with peap

2009-03-13 Thread A . L . M . Buxey
Hi,

> I do see the "Exec-Program output: Must change password (0xc224)"
> which to me means the computer account password has expired? I tried
> removing and re-adding the computer to the domain but get the same error.

you are right - the password needs changing - this is MS proprietary c

Re: Freeradius+Java application api call and authenticate

2009-03-13 Thread Sollunga S
Thanks Ivan Kalik, will go through the Cisco documentation and get back to you; meantime, I am still wondering how to post the information from FreeRADIUS to the Java application, I am confused with the jradius document.

From: "t...@kalik.net"
To: FreeRadius users mailing

Re: Dropping requests when no authentication possible

2009-03-13 Thread Alan DeKok
Chris Phillips wrote:
> I've set up a 2.1.4 server, and working pretty well with authentication
> against LDAP alone. What I've noticed though is that if the LDAP server
> is down on the same box then the LDAP module, rightfully, fails. However
> whilst this leaves the service unable to authenticat