Re: radiusd: symbol lookup error: /usr/lib/rlm_eap_tls-2.1.3.so: undefined symbol

2009-03-16 Thread Alan DeKok
Peter Param wrote: > I did that and the SSL_CTX_ERROR message is now gone and radiusd runs > successfully. However it won't accept encrypted authentication requests: No... it can't set the right TLS settings to talk to LDAP. There are no "encrypted authenticated requests". > rlm_ldap: (re)co

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Alan DeKok
Dave Sinclair wrote: > sql.conf -> sql/mysql/dialup.conf > > > postauth_query = "INSERT INTO ${authcheck_table} VALUES > (NULL,'%{User-Name}','Password', '==', > '%{User-Password:-Chap-Password}');" > postauth_query = "INSERT INTO ${usergroup_table} values > ('%{User-Name}','Dynam

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Pshem Kowalczyk
Hi, If your SQL server allows that, you can run a stored procedure here and just pass all the required parameters there. kind regards Pshem - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-16 Thread Alan DeKok
Leese, MJ (Mark) wrote: > In the authorize section FreeRADIUS anonymously binds to our LDAP server > (Active Directory) and searches for the user identified in the > Access-Request (in my case we change the default search filter to > 'sAMAccountName' as our AD doesn't contain 'uid'). If a match is

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread tnt
>When Post-Auth-Type REJECT is executed I need to insert two or more >rows into a SQL data base. > >here is what I have at present > > >sites-enabled/default > >Post-Auth-Type REJECT { >sql >} > >sql.conf -> sql/mysql/dialup.conf > > >postauth_query = "INSERT

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Marinko Tarlac
also try with UNION ... On Mon, Mar 16, 2009 at 10:39 AM, wrote: > >When Post-Auth-Type REJECT is executed I need to insert two or more > >rows into a SQL data base. > > > >here is what I have at present > > > > > >sites-enabled/default > > > >Post-Auth-Type REJECT { > >s

Freeradius and external programs

2009-03-16 Thread M K
Hello, Can I execute an external program when authentication, authorization and accounting events occur (different program in each case)? Thanks.

Re: Freeradius and external programs

2009-03-16 Thread tnt
>Can I execute an external program when authentication, authorization and >accounting events occur (different program in each case)? > Yes. Just create multiple instances and call the one you want in each section. See raddb/modules/echo for the example. Ivan Kalik Kalik Informatika ISP

Using Freeradius authorization to send data to a microcontroller

2009-03-16 Thread Joeven Rex Dizon
I'm a relatively new freeradius user so I am not really an expert with it. In our project, depending on a user's authentication/authorization by the server, we need to send an "unlock/lock" byte to a microcontroller (connected to /dev/ttyUSB0, by the way). So where do I start with the solution? C

Re: Freeradius and external programs

2009-03-16 Thread Alan DeKok
M K wrote: > Can I execute an external program when authentication, authorization and > accounting events occur (different program in each case)? In 2.1.x: $ man unlang It describes how to run external programs. Alan DeKok.

Re: Freeradius and external programs

2009-03-16 Thread M K
Thanks for your feedback. And what about the 'acct_users' file? Can I use it for my purposes? 2009/3/16 > >Can I execute an external program when authentication, authorization and > >accounting events occur (different program in each case)? > > > > Yes. Just create multiple instances and call the

Re: Using Freeradius authorization to send data to a microcontroller

2009-03-16 Thread Alan DeKok
Joeven Rex Dizon wrote: > In our project, depending on a user's authentication/authorization by > the server, we need to send an "unlock/lock" byte to a microcontroller > (connected to /dev/ttyUSB0, by the way). > > So where do I start with the solution? Can I run a certain code/program > automati

RE: ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-16 Thread Leese, MJ (Mark)
entering group authorize {...} Mon Mar 16 10:28:26 2009 : Info: ++[preprocess] returns ok Mon Mar 16 10:28:26 2009 : Info: [auth_log] expand: /var/log/radius/radacct/%{Client-IP-Address}/auth-detail-%Y%m%d -> /var/log/radius/radacct/127.0.0.1/auth-detail-20090316 M

Re: ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-16 Thread Alan DeKok
Leese, MJ (Mark) wrote: > 1. Uncomment "set_auth_type = yes" in raddb/modules/ldap. This was > already done but I think it's the default anyway :-) Then it should work. > 2. List "pap" as the last module in the "authorize" section. Sorry, I > should have said that I'd also tried this. Here is

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Arran Cudbard-Bell
Hi All, The old rlm_xlat function only supported SELECT statements, and threw up errors on any others. The patch Alan mentioned makes rlm_sql look for INSERT, DELETE and UPDATE keywords at the beginning of SQL statements. If one of these keywords is found and instead of expanding to the firs

RE: ldap authentication works on v1.1.4 but fails on 2.1.3

2009-03-16 Thread tnt
> rad_recv: Access-Request packet from host 127.0.0.1 port 32772, >id=96, length=27 > User-Name = "bill" .. > >The Access-Request contains a User-Name and plaintext User-Password. Well, not in the debug you posted. >Is there anything else I can try? Post the whole debug (server s

Re: Freeradius and external programs

2009-03-16 Thread tnt
>And what about the 'acct_users' file? Can I use it for my purposes? > It runs only on accounting packets. But, yes. You can start the accounting script from that file. Ivan Kalik Kalik Informatika ISP

A couple of NAS servers with same Port ID problem.

2009-03-16 Thread Piero Giobbi
Hi all. This is probably a silly question but I can't solve it by myself. I have a couple of WLANs (Proxim AP4000) that work great with FR, but I'm having some accounting trouble (guessing); I get a lot of these in my log: Mon Mar 16 14:01:43 2009 : Error: rlm_radutmp: Logout entry for NAS w

Re: A couple of NAS servers with same Port ID problem.

2009-03-16 Thread Alan DeKok
Piero Giobbi wrote: > This is probably a silly question but I can't solve it by myself. I have > a couple of WLANs (Proxim AP4000) that work great with FR, but I'm having > some accounting trouble (guessing); I get a lot of these in my log: The APs don't do accounting "well". > I triple-checked the

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Dave Sinclair
Hi Arran, Where might one find your patch ??? 2009/3/16 Arran Cudbard-Bell : > Hi All, > > The old rlm_xlat function only supported SELECT statements, and threw up > errors on any others. > > The patch Alan mentioned makes rlm_sql look for INSERT, DELETE and UPDATE > keywords at the beginning of

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Dave Sinclair
Hi, Tried this, but it tossed out errors at me :( 2009/3/16 : >>When Post-Auth-Type REJECT is executed I need to insert two or more >>rows into a SQL data base. >> >>here is what I have at present >> >> >>sites-enabled/default >> >>        Post-Auth-Type REJECT { >>                sql >>        }

Re: how to have freeradius/unlang do two or more SQL statements at one time

2009-03-16 Thread Arran Cudbard-Bell
On 16/3/09 14:14, Dave Sinclair wrote: Hi Arran, Where might one find your patch ??? In the git repository once Alan reads his email and checks it in :) (hopefully soon). -- Arran Cudbard-Bell (a.cudbard-b...@sussex.ac.uk), Authentication, Authorisation and Accounting Officer, Infrastructur

Radius and performance

2009-03-16 Thread M K
Hello, all. It's a question to all members of the freeradius community :) I'm going to use freeradius in my billing system. That's why I'd like to know, what is the maximum loading on the freeradius-server (average number of online users during the day, total number of users, interval of alive packets

Logging the return code from the ldap authentication to SQL.

2009-03-16 Thread Augusto G. Andreollo
Hello all. I have the need to log the return code from the LDAP authentication to our database (I'm adding it to the postauth table scheme). I've already modified the database scheme (ok), the attribute map, to create a new attribute called "reason" (ok) and the insert queries (ok). All of this i

Re: Logging the return code from the ldap authentication to SQL.

2009-03-16 Thread Alan DeKok
Augusto G. Andreollo wrote: > I have the need to log the return code from the LDAP authentication to > our database (I'm adding it to the postauth table scheme). I wouldn't suggest doing that for EVERY packet. Why do you think it's necessary? > I've already modified the database scheme (ok), t

Re: Radius and performance

2009-03-16 Thread Alan DeKok
M K wrote: > It's a question to all members of freeradius community :) I'm going to > use freeradius in my billing system. That's why i'd like to know, what > is the maximum loading on the freeradius-server (average number of > online users during the day, total number of users, interval of alive >

Re: Radius and performance

2009-03-16 Thread tnt
>It's a question to all members of freeradius community :) I'm going to use >freeradius in my billing system. That's why i'd like to know, what is the >maximum loading on the freeradius-server (average number of online users >during the day, total number of users, interval of alive packets etc.).

MS-CHAP2 Failure

2009-03-16 Thread Mike Diggins
I configured what I thought were two identical FreeRADIUS 2.1.3 servers. I'm attempting to do MS-CHAP2 authentication on both; one is working, the other is not. For the life of me I can't find any difference in their configuration. On my client, I switch the host name between the two servers,

Re: Logging the return code from the ldap authentication to SQL.

2009-03-16 Thread A . L . M . Buxey
Hi, >if (rejected) { are you sure such a return code is available and comparable in such a way? looks like 'rejected' got matched...possibly because the check went okay - a value of 0 - rejected isn't defined...has a value of 0 too? just a guess! >

Re: MS-CHAP2 Failure

2009-03-16 Thread A . L . M . Buxey
hi, the one that fails is failing at the mschap phase - ntlm_auth etc - so that server isn't configured the same as the other.. or if the config is the same, it's not able to talk to the AD as the other one can. alan

Modifying EAP Messages

2009-03-16 Thread Enrique de la Hoz
Hi everybody, We are trying to develop a module to make it possible to add extra information to EAP Messages. We are employing the rlm_perl module. Up to now, we have been able to add new EAP-Message attributes to the RADIUS response packets but we cannot figure out how to modify the current EAP-Message

Some help with the Users file

2009-03-16 Thread Josh Hiner
I want to make it so that users who use eap-peapv0 have to be in the wireless group to log on. I have this set in the users file: DEFAULT Called-Station-Id =~ "CCISD-REMC1", Group != "wireless", Auth-Type := Reject This works great buuut I have successfully setup eap-tls. What is the app

Re: Logging the return code from the ldap authentication to SQL.

2009-03-16 Thread Augusto G. Andreollo
On Mon, 2009-03-16 at 16:13 +0100, Alan DeKok wrote: > Augusto G. Andreollo wrote: > > > > My problem now is getting the return code into the variable, according > > to the LDAP module results. > > It looks like it's working. What's the problem? > > > (and then it goes on to successfully add t

Re: Radius and performance

2009-03-16 Thread Fajar A. Nugraha
On Mon, Mar 16, 2009 at 10:21 PM, wrote: > I use buffered-sql virtual server to make accounting off-line. My > billing application has to connect to 4 databases (radius, user details, > account status and account history) so it was quite costly running it in > real time at peak times. Are you us

LDAP Config Clarification

2009-03-16 Thread Jason Frisvold
Hi all, I recently set up a new freeradius installation for VPN authentication. This is my first foray into using the LDAP module and, while I am successfully authenticating, I want to make sure that my config is both correct and streamlined. I am seeing a few failed authentications due

Re: Logging the return code from the ldap authentication to SQL.

2009-03-16 Thread Augusto G. Andreollo
es on to insert "ok" on the database. Now, on a bad user (wrong pass): rlm_ldap: waiting for bind result ... rlm_ldap: Bind failed with invalid credentials <<<< wrong pass +++[ldap-malibu] returns reject ++- group redundant_ldap returns reject <<<< the group return

Re: Modifying EAP Messages

2009-03-16 Thread Alan DeKok
Enrique de la Hoz wrote: > We are trying to develop a module to make possible to add extra > information to EAP Messages. Huh? Why would you ever do that? The EAP protocol is well defined. Adding "extra" information to it is like adding "extra" data to IP packets. It will be ignored... at

Re: Modifying EAP Messages

2009-03-16 Thread Enrique de la Hoz
Well, it is not adding new fields but putting some data in the data fields of those messages that allow to do that, e.g., put a certain value in the EAP Type Data field: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+

Re: Modifying EAP Messages

2009-03-16 Thread Alan DeKok
Enrique de la Hoz wrote: > Well, it is not adding new fields but putting some data in the data > fields of those messages that allow to do that, e.g., put a certain > value in the EAP Type Data field: This is known as "writing a new EAP method". See rlm_eap/types/rlm_eap_*/ for example code tha

Re: Modifying EAP Messages

2009-03-16 Thread Enrique de la Hoz
Thank you very much Alan for your quick response. I do understand everything you say and see that no new EAP method can be added just by a perl module. Apologies for the inconvenience,

Re: Modifying EAP Messages

2009-03-16 Thread Arran Cudbard-Bell
Enrique de la Hoz wrote: > Thank you very much Alan for your quick response. I do understand > everything you say and see that no new EAP method can be added just > by a perl module. Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner tunn

Re: Modifying EAP Messages

2009-03-16 Thread Alan DeKok
Arran Cudbard-Bell wrote: > Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner > tunnel ? Isn't that how Microsoft do their NAC stuff ? Sort of. > I was pondering over this the other day, thinking how hard it would be > to decode the TLVs included by the windows default supplicant

Re: Modifying EAP Messages

2009-03-16 Thread Arran Cudbard-Bell
Alan DeKok wrote: > Arran Cudbard-Bell wrote: >> Doesn't PEAPv0 allow you to insert arbitrary TLVs into the inner >> tunnel ? Isn't that how Microsoft do their NAC stuff ? > > Sort of. > A magical check box appeared in the XP SP3 and Vista supplicant

EAP-TLS obtaining certificates email

2009-03-16 Thread Piotr Janusz
Hi, I have used an outside certificate authority and have a few clients that have the certificates' subject similar to: E = user-n...@domain.tld CN = Some-constant-text CN is constant on all certificates. Freeradius gets the User-Name attribute set to CN. Any way to substitute the User-Name attrib

How to prevent endless proxy looping

2009-03-16 Thread piston
Hi. I have an endless proxy looping problem. 1. problem username format: use...@my-realm@other-realm 2. on the freeradius, I proxy (nostrip) suffix @other-realm to partner's radiator radius server 3. my partner then proxies back (nostrip) the same username based on @my-realm to my freeradius 4.