Hi, I spent some time trying to put working together FR+AD and presently I'm
using ntlm to authenticate users through mschap against the AD. It is
working.
Next step is try to allow access only to specific users belonging to a Group
from the AD, but it is not working.
I post here the important i
Hi all,
What RADIUS attribute would suit to account expiration?
the context:
- prepaid users must regularly add credit to his account
- big credit -> big validity extension
- small credit -> small validity extension
- no account removal, just auth reject if validity date passed
Credit adding
Hi, I spent some time trying to put working together FR+AD and presently I'm
using ntlm to authenticate users through mschap against the AD. It is
working.
Next step is try to allow access only to specific users belonging to a Group
from the AD, but it is not working.
I post here the important i
> Hi, I spent some time trying to put working together FR+AD and presently
> I'm
> using ntlm to authenticate users through mschap against the AD. It is
> working.
>
> Next step is try to allow access only to specific users belonging to a
> Group
> from the AD, but it is not working.
>
> I post her
> What RADIUS attribute would suit to account expiration?
Expiration.
Ivan Kalik
Kalik Informatika ISP
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
I decided to install free radius 2.1.6-2 to test it and then to upgrade
my existing versions in my servers. I configured my free radius to use ldap.
When I tried to authenticate from the new radius it gave me the following
message "from radius -X".
Replacing User-Password in config items w
> I decided to install free radius 2.1.6-2 to test it and then to upgrade
> my existing versions in my servers. I configured my free radius to use
> ldap.
> When I tried to authenticate from the new radius it gave me the following
> message "from radius -X".
>
> Replacing User-Password in confi
Thanks Ivan for your reply. Here is the ldap configuration section:
ldap {
server = "x.x.x.x"
identity = "cn=username"
password = password
basedn = "ou=email,o=data,c=eg"
filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"
password_header = "{CRYPT}"
ldap_connections_number = 100
timeout = 15
tim
Hi,
Since lower_user doesn't exist anymore in FR2, I was thinking of doing the
following in FR2 to mimic the behaviour, which seems to be working correctly:
In "hints" file:
DEFAULT User-Name !~ /^$/
User-Name := `%{exec:/opt/tolower %{User-Name}}`,
Fall-Through = Yes
DEFAULT S
wessam seleem wrote:
...
> [pap] login attempt with password "123456"
> [pap] Using clear text password "&^%$%$%JGjgjg(&%%^njahjahs"
Your shared secret is wrong. Fix it.
See the FAQ for more details.
Alan DeKok.
Hi,
I tried to get this working also and I found that if you let the ldap module
*not* check the password_header, then the password incl. the header is put in
the User-Password attribute.
If you then use auto_header = yes for the pap module, it should figure out
automatically to do crypt... unl
what I can see that Radius couldn't encrypt clear text password. For example
when I send the password in clear text like "123456" it rejects me but when
I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login
without any problems. Note that I changed my real password and its
encry
> what I can see that Radius couldn't encrypt clear text password. For
> example
> when I send the password in clear text like "123456" it rejects me but
> when
> I send it encrypted like "&^%$%$%JGjgjg(&%%^njahjahs" I was able to login
> without any problems. Note that I changed my real password a
Thor Spruyt wrote:
> Is there any reason why I should not do this or why it's not recommended?
> The servers on which I want to do this is not heavily loaded (<1req/s).
1 packet/s? That's fine...
Alan DeKok.
09/24/2009 04:12 PM, wessam seleem::
Note that I changed my real password
and its encryption to secure my data.
By the way, As far as I know (And I might know nothing),
encryption _is_ because guessing the password from its encrypted
hash is _not_ possible.
--
Architecte Informatique ch
I tried to upgrade freeradius-server-2.1.6 to freeradius-server-2.1.7 and it
worked well (in localhost) without ldap. Then I tried to use the old version
(2.1.6) but it doesn't work anymore:
*Thu Sep 24 13:32:16 2009 : Error: /usr/local/freeradius-server-2.1.6//etc/raddb/modules/ldap[29]: Failed to
Hello,
Is there a way to send back certain name servers as Reply
attribute? For some users it will be one set of name
server, for other users it will be another set of name
servers.
Thank you for your help in advance.
Irina
Not quite, now it sends Session-Timeout correctly, but still refuses
to update count more than once.
rlm_counter: Packet Unique ID = '06c10afe9bf618b5'
rlm_counter: Searching the database for key 'Dick'
rlm_counter: Key found.
rlm_counter: Counter Unique ID = '06c10afe9bf618b5'
rlm_counter: Unique
Alan DeKok wrote:
Joe Maimon wrote:
Would that be this freeradius internal attribute?
Home-Server-Pool
It's used to proxy requests to a home server pool, without involving
realms.
Alan DeKok.
It doesn't
09/24/2009 04:54 PM, José Johnny RANDRIAMAMPIONONA:
I rebuild it and ( ./configure --prefix=/usr/local/freeradius-server.2.1.6/)
and it seems that there is
library problem (I had this kind of problem in the past, but I forgot
what I did to fix it).
What packages are installed? Didn't you miss t
Thor Spruyt wrote:
>
> Since lower_user doesn't exist anymore in FR2, I was thinking of doing
> the following in FR2 to mimic the behaviour, which seems to be working
> correctly:
>
> In "hints" file:
>
> DEFAULT User-Name !~ /^$/
> User-Name := `%{exec:/opt/tolower %{User-Name}}`,
>
Am 24.09.2009 um 15:54 schrieb José Johnny RANDRIAMAMPIONONA:
I tried to upgrade freeradius-server-2.1.6 to freeradius-
server-2.1.7 and it worked well (in localhost) without ldap. Then I
tried to use the old version (2.1.6) but it doesn't work anymore:
Thu Sep 24 13:32:16 2009 : Error: /usr/l
Joe Maimon wrote:
> It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
Hmm... what does that mean? If you put the "update" section inside of
an "if" statement that never matches... it won't work.
The Home-Server-Pool code *should* work in 2.1.7. I can double-check
i
Alan DeKok wrote:
Joe Maimon wrote:
It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
Hmm... what does that mean? If you put the "update" section inside of
an "if" statement that never matches... it won't work.
The if matches just fine and updates with rlm_poli
ldconfig -v | grep radius doesn't give any output
--- I think that installing libldap library may be the solution ...but I
can't find it in any packages ...
--- Is there any way to configure it (./config) during the installation to
install the missing library ...
Plz ...need help.
2009/9
Joe Maimon wrote:
> The if matches just fine and updates with rlm_policy, but I couldn't get
> something reasonable in unlang to parse successfully. I would appreciate
> some tips.
To do...?
> So I should try regex =~ ".*" ?
To do... ?
> That didn't work either.
And... what does the debug
Irina wrote:
> Is there a way to send back certain name servers as Reply attribute?
RADIUS doesn't normally do DNS assignment. If your NAS supports it,
see your NAS documentation for how to configure it.
Alan DeKok.
Alan DeKok wrote:
Joe Maimon wrote:
It doesn't work with Home-Server-Pool, but it does work with Proxy-To-Realm.
Hmm... what does that mean? If you put the "update" section inside of
an "if" statement that never matches... it won't work.
The Home-Server-Pool code *should* work in 2.1.7.
Hi,
Irina wrote:
>
> Is there a way to send back certain name servers as Reply
> attribute? For some users it will be one set of name
> server, for other users it will be another set of name
> servers.
>
Sounds like you are setting up a sandpit. Usually this would be handed
with VLAN's bu
Alan DeKok wrote:
Joe Maimon wrote:
The if matches just fine and updates with rlm_policy, but I couldn't get
something reasonable in unlang to parse successfully. I would appreciate
some tips.
Here is what I am doing with rlm_policy
if (request:Class =* "" ) {
if (re
Joe Maimon wrote:
> Here is what I am doing with rlm_policy
>
>
> if (request:Class =* "" ) {
And what does that mean? I haven't looked at the policy code in years...
> if (request:Client-Short-Name == "noc03rt07") {
> control .= {
>
Alan DeKok wrote:
Joe Maimon wrote:
Here is what I am doing with rlm_policy
if (request:Class =* "" ) {
And what does that mean? I haven't looked at the policy code in years...
And it still works nicely.
If Class exists in the request.
See "man unlang" the "CONDITIONS"
Irina wrote:
Is there a way to send back certain name servers as Reply attribute?
For some users it will be one set of name server, for other users it
will be another set of name servers.
For Cisco NASes:
Cisco-AVPair += ip:dns-servers#=83.174.192.227 83.174.192.22
Best regards,
Denis V
33 matches