Re: ntlm_auth

2010-04-21 Thread Alan DeKok
Jonathan Hutchins wrote: Looking carefully through the log, I saw that I had disabled mppe when I was testing without the domain (?). Re-enabled it. Yes. You broke the configuration by disabling use_mppe. You have been sending *many* messages trying to get the server to work. This is

Zombie Infestation of Log file

2010-04-21 Thread Benjamin Marvin
Good day, I'm trying to figure out why my servers continue to be marked zombie, even though they continue to handle traffic. There appears to be no impact, just seemingly erroneous - or at least unexplained - log entries. I have three 2.1.8 servers that feed accounting to a 4th server (via

Re: Operator-Name not being logged

2010-04-21 Thread Stefan Winter
Hi, Given that those boxes were last upgraded prior to 2000, I wonder how many people are really in the situation where they can't upgrade, and are likely to be using FreeRadius 2.2? It's not something I have much of an opinion on though - we binned them years ago! It may be worth

Re: VLAN Attribute ?

2010-04-21 Thread Fabien COMBERNOUS
Difan Zhao wrote: You have to send some attributes to the switch. I am using Cisco switches and here are the attributes that I need to send to the switch to switch the port to VLAN 3: bob Cleartext-Password := test Tunnel-Type:0 = VLAN, Tunnel-Medium-Type:0 = IEEE-802,

Re: SQL accounting

2010-04-21 Thread Alexander
--- On Tue, 4/20/10, Alan DeKok al...@deployingradius.com wrote:   Make the NAS send accounting packets. Actually my NAS is sending accounting packets.   FreeRADIUS can't log information it doesn't have. After digging into it turned out that something in my SQL schema was missing.

Re: SQL accounting

2010-04-21 Thread John Raja
hi, I want to deploy radius for proxy Server authentication. Please suggest how I can do that... Regards, John Raja Network Engineer IP Extn : 500092

Re: PopTop

2010-04-21 Thread Josip Rodin
On Tue, Apr 20, 2010 at 03:49:59PM -0500, Jonathan Hutchins wrote: I really appreciate the help and patience: On Tuesday 20 April 2010 03:38:53 pm Alan Buxey wrote: see your logs, it says ++[unix] returns notfound [files] users: Matched entry DEFAULT at line 172 That worries me a

Re: PopTop

2010-04-21 Thread Josip Rodin
On Tue, Apr 20, 2010 at 12:27:18PM -0500, Jonathan Hutchins wrote: Progress, of a sort! In addition to the instructions in the PopTop doc, I have enabled ntdomain on lines 119 and 345 of /etc/freeradius/sites-enabled/default, and I have enabled nt_domainhack on line 37 of

RE: Users File co-existing with NTLM-Auth

2010-04-21 Thread Nathan McDavit-Van Fleet
Crap. Nathan Van Fleet -Original Message- From: freeradius-users- bounces+nmcdavit=alcor.concordia...@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of Gary Gatten Sent: Tuesday, April 20, 2010 5:11 PM To:

Re: Zombie Infestation of Log file

2010-04-21 Thread Josip Rodin
On Tue, Apr 20, 2010 at 10:59:04PM -0800, Benjamin Marvin wrote: The radius.log file for the primary servers show they are marking the 4th and Cisco (upstream) servers as zombie quite regularly (but not simultaneously); I've set the response_window to as high as 60 seconds in the

RE: Users File co-existing with NTLM-Auth

2010-04-21 Thread Nathan McDavit-Van Fleet
Can someone maybe describe exactly what's happening internally? From my understanding it should be checking files as per the setup in inner-tunnel which is what mschap uses. I made sure that files appeared before mschap in inner-tunnel but it has no effect; ntlm_auths still work and files aren't.

Re: ntlm_auth

2010-04-21 Thread Jonathan Hutchins
On Wednesday 21 April 2010 01:43:19 am Alan DeKok wrote: Honestly. I don't see what additional documentation we need to write, when people won't read the existing docs. As I said before, the documentation is an excellent reference for a FreeRADIUS expert who knows how the system works and

Re: Users File co-existing with NTLM-Auth

2010-04-21 Thread Jonathan Hutchins
Nathan, From what little understanding I've gained during this ordeal, it should be possible to use two different authentication methods, and in fact to have one fail through to the next using the Fall-Through = Yes parameter. I'm having trouble locating it again this morning, but there was a

Re: ntlm_auth

2010-04-21 Thread Alan DeKok
Jonathan Hutchins wrote: On Wednesday 21 April 2010 01:43:19 am Alan DeKok wrote: Honestly. I don't see what additional documentation we need to write, when people won't read the existing docs. As I said before, the documentation is an excellent reference for a FreeRADIUS expert who

Re: Users File co-existing with NTLM-Auth

2010-04-21 Thread Alan DeKok
Nathan McDavit-Van Fleet wrote: Can someone maybe describe exactly what's happening internally? The debug output shows exactly what it is doing, and often also shows why. From my understanding it should be checking files as per the setup in inner-tunnel which is what mschap uses. I made

Re: Zombie Infestation of Log file

2010-04-21 Thread Alan DeKok
Josip Rodin wrote: On Tue, Apr 20, 2010 at 10:59:04PM -0800, Benjamin Marvin wrote: I've also turned off the status_check feature as 1.1.7 and Cisco ACS do not appear to support it. You can configure a fake username password for status checks. This *is* documented in raddb/proxy.conf.

RE: Users File co-existing with NTLM-Auth

2010-04-21 Thread Nathan McDavit-Van Fleet
I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth. As I said I currently have a good working copy of Freeradius with ntlm_auth configuration. However, when I have ntlm_auth in

Re: ntlm_auth

2010-04-21 Thread Alan Buxey
Hi, As an introductory guide for someone who doesn't know which pieces are necessary among the many, many options, it is clear as mud. though surely as bad/good as apache2 with its sites-enabled/ and random billion modules? alan PS don't CC someone who is on the list - List

Re: Users File co-existing with NTLM-Auth

2010-04-21 Thread Alan DeKok
Nathan McDavit-Van Fleet wrote: I have a users file with name and password. I would like Freeradius to check if there is a good username/password in the users file before failing using ntlm_auth. That's not quite it... the users file *sets* the known good password in the authorize stage of

Re: Zombie Infestation of Log file

2010-04-21 Thread Alan Buxey
Hi, Yup. It's not that 2.x is bad without status checks, it's that there is *no way* for anyone to do the right thing without status checks. agreed - I'm behind status-checks all the way - either native status-check or a user who gets rejected. both work fine for testing upstream

RE: Users File co-existing with NTLM-Auth

2010-04-21 Thread Nathan McDavit-Van Fleet
Hi Alan, I followed the configuration off of deployingfreeradius.com http://deployingradius.com/documents/configuration/active_directory.html I diff'ed my configuration with the original files. And the only changes I've made is adding ntlm_auth to authenticate of both default and inner-tunnel

Re: Users File co-existing with NTLM-Auth

2010-04-21 Thread Alan DeKok
Nathan McDavit-Van Fleet wrote: I followed the configuration off of deployingfreeradius.com http://deployingradius.com/documents/configuration/active_directory.html That's a good start. :) I diff'ed my configuration with the original files. And the only changes I've made is adding

Re: Zombie Infestation of Log file

2010-04-21 Thread Benjamin Marvin
Thank you both for your thoughts. I will implement the status_check = request option (in proxy.conf, sorry I mis-remembered it as client.conf) per your recommendations. I've also balanced out the response_window and max_request_time. Any other suggestions on where I should look to see why the

RE: VLAN Attribute ?

2010-04-21 Thread Difan Zhao
Actually I found these attributes from Cisco switch configuration manual and I just pasted them in and they worked... However I just did a search again and I found the attribute is in this dictionary file: dictionary.rfc3580: VALUE Tunnel-Type VLAN 13 BTW I also got a

RE: Users File co-existing with NTLM-Auth

2010-04-21 Thread Nathan McDavit-Van Fleet
You sir, are awesome Alan DeKok. Nathan Van Fleet -Original Message- From: freeradius-users- bounces+nmcdavit=alcor.concordia...@lists.freeradius.org [mailto:freeradius-users- bounces+nmcdavit=alcor.concordia...@lists.freeradius.org] On Behalf Of Alan DeKok Sent: Wednesday, April

Re: Zombie Infestation of Log file

2010-04-21 Thread Alan Buxey
Hi, Any other suggestions on where I should look to see why the servers are marking the upstream servers as Zombie? I failed to mention that the servers are marking only the accounting port on those servers as Zombie. Please let me know if you want the 9MB debug or if you have

Re: VLAN Attribute ?

2010-04-21 Thread Alan DeKok
Difan Zhao wrote: BTW I also got a question for you. It has a :0 following the Tunnel-Type. What is it for? I just removed it and it still works. However in the Radius -X debug it still has the :0 appending the attribute name. Any idea?? It's a tag. You can define up to 31 Tunnel-Type
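
The tag Alan describes, and the three VLAN attributes from the "VLAN Attribute ?" thread, are easiest to understand on the wire. The following is an added example, not code from the thread or from FreeRADIUS: it encodes and decodes RFC 2868 tagged tunnel attributes in Python. The attribute numbers (64, 65, 81) and values (VLAN = 13, IEEE-802 = 6) are taken from RFC 2868 and RFC 3580; the function names and the sample VLAN id are my own choices. The point it shows is that the ":0" printed by radiusd -X is the one-octet tag field (0 means "no tag", 1..31 group attributes for the same tunnel), and that for the string form, Tunnel-Private-Group-Id, a first octet above 0x1F is not a tag at all but part of the string.

```python
"""RFC 2868 tagged attributes as a switch sees them (added example, not FreeRADIUS code)."""

# Attribute type numbers from RFC 2868; value names from dictionary.rfc3580.
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13        # Tunnel-Type = VLAN
TUNNEL_MEDIUM_IEEE_802 = 6   # Tunnel-Medium-Type = IEEE-802

TAGGED_INTEGER = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE}
TAGGED_STRING = {TUNNEL_PRIVATE_GROUP_ID}

ATTR_NAMES = {TUNNEL_TYPE: "Tunnel-Type", TUNNEL_MEDIUM_TYPE: "Tunnel-Medium-Type",
              TUNNEL_PRIVATE_GROUP_ID: "Tunnel-Private-Group-Id"}
VALUE_NAMES = {(TUNNEL_TYPE, TUNNEL_TYPE_VLAN): "VLAN",
               (TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802): "IEEE-802"}


def encode_tagged(attr_type, value, tag=0):
    """Return one AVP: Type, Length, Tag, Value.

    tag 0 is 'no tag' (what FreeRADIUS prints as ':0'); RFC 2868 allows
    1..31 (0x01..0x1F) so that up to 31 tunnels can be described at once.
    Tagged integers carry only 3 octets of value after the tag.
    """
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if attr_type in TAGGED_INTEGER:
        if not 0 <= value <= 0xFFFFFF:
            raise ValueError("tagged integer value is limited to 3 octets")
        payload = bytes([tag]) + value.to_bytes(3, "big")
    elif attr_type in TAGGED_STRING:
        payload = bytes([tag]) + value.encode("ascii")
    else:
        raise ValueError("not a tagged attribute")
    length = 2 + len(payload)
    if length > 255:
        raise ValueError("attribute too long for one AVP")
    return bytes([attr_type, length]) + payload


def decode_tagged(avp):
    """Parse one AVP into (type, tag, value).

    For the string form a first octet greater than 0x1F is interpreted as
    the first byte of the string, not as a tag (RFC 2868 section 3.6).
    """
    attr_type, length = avp[0], avp[1]
    if length != len(avp) or length < 3:
        raise ValueError("bad AVP length")
    body = avp[2:]
    if attr_type in TAGGED_INTEGER:
        if length != 6:
            raise ValueError("tagged integer attribute must be 6 octets")
        return attr_type, body[0], int.from_bytes(body[1:], "big")
    if attr_type in TAGGED_STRING:
        if body[0] <= 0x1F:
            return attr_type, body[0], body[1:].decode("ascii")
        return attr_type, 0, body.decode("ascii")
    raise ValueError("not a tagged attribute")


def render(avp):
    """Show an AVP the way radiusd -X prints it, e.g. 'Tunnel-Type:0 = VLAN'."""
    attr_type, tag, value = decode_tagged(avp)
    if isinstance(value, int):
        shown = VALUE_NAMES.get((attr_type, value), str(value))
    else:
        shown = f'"{value}"'
    return f"{ATTR_NAMES[attr_type]}:{tag} = {shown}"


def vlan_reply_attrs(vlan_id, tag=0):
    """The three attributes a switch needs to move the port into VLAN vlan_id."""
    return [
        encode_tagged(TUNNEL_TYPE, TUNNEL_TYPE_VLAN, tag),
        encode_tagged(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802, tag),
        encode_tagged(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id), tag),
    ]


if __name__ == "__main__":
    # Sample reply for the thread's "VLAN 3" case (constructed input).
    for avp in vlan_reply_attrs(3):
        print(avp.hex(), "->", render(avp))
```

Running it prints the three AVPs in hex beside their radiusd -X rendering, so you can see that dropping ":0" in the users file changes nothing on the wire: an omitted tag is encoded as the octet 0x00 either way, which is why the debug output still shows it.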

Radius Attribute -- Authenticator IP Address

2010-04-21 Thread _Stefan_H
Hi, I thought that my Access-Point is able to handle VLAN-Attributes like my Switch but I was wrong. I don't want to tell the whole story. Is there an attribute which returns the authenticator IP-Address? For instance: The Access-Point has the IP-Address 192.168.10.254 and the default rule in

RE: Radius Attribute -- Authenticator IP Address

2010-04-21 Thread Nathan McDavit-Van Fleet
What are you trying to do? For our implementation we have this in the inner-tunnel inside authorize. It enables that LDAP query only when the NAS (in your case that is your AP if it contacts FR directly) is of the IP address of 127.0.0.1. if (outer.NAS-IP-Address == 127.0.0.1) {

Re: Zombie Infestation of Log file

2010-04-21 Thread Benjamin Marvin
usually because the remote server is not listening on its accounting port or not configured for accounting - the proxy in the middle doesn't get a response so cant respond to you - hence zombie. I don't believe this is my problem. The debug and packet captures show all of the accounting

RE: Radius Attribute -- Authenticator IP Address

2010-04-21 Thread _Stefan_H
I configured 2 SSIDs on my AccessPoint one for normal members and one for administrators each is on a different VLAN. Now to the problem, I have 2 DEFAULT rules in my users-file , for the administrators i use the ldap-group thing that no normal member will be put in the administrator VLAN but