RE: Freeradius is unable to read NAS table in mysql db

2010-06-07 Thread superataru -
Hi. Sorry for some errors in former mails. The "Yes" parameter is the right one. Once I set this I obtain what I want: it works! I had misunderstood what the yes/no parameter would have changed on setting. I already attached the log file with the *yes* setting. *So the problem has been solved! :-)* Anyway . . . I see s

Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Alan DeKok
Stefan Winter wrote: > we're trying to get IKEv2 under Windows 7 going. It can use among others > "EAP-MSCHAPv2"; notably with EAP wrapper but without TLS. OK. That's getting to be more common. > I noticed that rlm_mschap can be configured to calculate and send MPPE > keys, while rlm_eap/typ

Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Alan DeKok
Alan DeKok wrote: > src/modules/rlm_eap/types/rlm_eap_mschap.c, line ~340, there > are 4 calls to "pairdelete" remove the MPPE keys from the reply. > > if (handler->request->parent) { It's slightly more complicated than that... a better fix is in git, branch v2.1.x. Alan DeKok. -

Re: EAP-MSCHAPv2 and MPPE key

2010-06-07 Thread Stefan Winter
Hi, > It's slightly more complicated than that... a better fix is in git, > branch v2.1.x. > The git fix works like a charm! Thanks for a fix with a time-to-fix of <1 hour :-) Stefan -- Stefan WINTER Research Engineer Fondation RESTENA - Réseau Téléinformatique de l'Education Nat

Re: reauth-problem with WPA2-tls

2010-06-07 Thread Alan DeKok
Andreas Hartmann wrote: > That's right. But: > > 1. There could be a security issue with parallel handled users during > initial login, because they probably have all the same empty session > id's at the same time. Well... that's an OpenSSL bug. We can check for it and try to avoid the issue.

Re: Freeradius is unable to read NAS table in mysql db

2010-06-07 Thread Alan Buxey
Hi, > User-Name = "cactus" > User-Password = "barilotto" > NAS-IP-Address = 172.16.68.10 this is the address that the NAS is coming from - you say the devices are all accessed via VPN? what is the end point of the VPN? looks like it's the Windows box that's also running MySQL and WinRADIUS?

Re: log loading of configuration files [was Re: Accounting to MySQL not working]

2010-06-07 Thread Alan DeKok
Josip Rodin wrote: > Then again, there is no clear indication to users which part of the large > debug output is important and which part is ignorable, so even if they don't > ignore it, it may still actually be too complicated for them to handle. The alternative is to run a system that you don'

Re: Freeradius is unable to read NAS table in mysql db

2010-06-07 Thread superataru -
Hi. Thank you for the reply. I thought the same thing could be possible, so I created another user on the MySQL server. I connected directly to the USG on its public IP (no VPNs now). I performed radiusd -X . . . User-Name = "vito" User-Password = "catozzo" NAS-IP-Address = 172.

RE: radtest and IPv6 support

2010-06-07 Thread Panagiotis Georgopoulos
Hello Alan, all See below... > -Original Message- > From: freeradius-users- > bounces+panos=comp.lancs.ac...@lists.freeradius.org [mailto:freeradius- > users-bounces+panos=comp.lancs.ac...@lists.freeradius.org] On Behalf Of > Alan DeKok > Sent: 06 June 2010 09:27 > To: FreeRadiu

Re: Freeradius is unable to read NAS table in mysql db

2010-06-07 Thread Alan Buxey
Hi, > I thought the same thing could be possible, so I created another user on the MySQL > server. > I connected directly to the USG on its public IP (no VPNs now) > I performed radiusd -X . . . and what does e.g. wireshark or tcpdump show - run it, listening on UDP port 1812, when you perform the au

strange accounting update

2010-06-07 Thread Good One
I am observing that some of the user’s sessions are accounting a wrong update which is very strange. The send/receive byte updated value for such sessions is always 4294967296 KB (4096GB). So if you aggregate both in/out it is 4096+4096 for a single session. It's really very strange why radi

AD Auth - problem with some chars in user's DN

2010-06-07 Thread Nelson Vale
Hi all, I've recently found a problem authenticating some users in AD (2003) when the user's Distinguished Names have one or more of the following characters: " ' ` (double quotes, apostrophe or grave accent), using freeradius 2.0.2 and 2.1.9 versions: "... [ldap] login attempt by "johndoe" with

Re: strange accounting update

2010-06-07 Thread Alan DeKok
Good One wrote: > > I am observing that some of the user’s sessions are accounting a wrong > update which is very strange. The send/receive byte updated value for > such sessions is always 4294967296 KB (4096GB). This is what the NAS is sending to the RADIUS server. > So if you aggregate both

Re: AD Auth - problem with some chars in user's DN

2010-06-07 Thread Nelson Vale
Sorry, the problem occurs only with the " (double quotes) character and not with the other two characters. 2010/6/7 Nelson Vale > Hi all, > > > I've recently found a problem authenticating some users in AD (2003) when > the user's Distinguished Names have one or more of the following characters: >

RE: freeradius authentication stops working after some time...

2010-06-07 Thread Casartello, Thomas
Has anyone else seen a problem with this? This is starting to happen more commonly with me. I'm having to reboot the server that FreeRADIUS runs on to get the authentication working again. I'm using AD auth through Winbind. Here is the debug... Machine authentication is properly configured. When

Re: log loading of configuration files [was Re: Accounting to MySQL not working]

2010-06-07 Thread Josip Rodin
On Mon, Jun 07, 2010 at 10:49:01AM +0200, Alan DeKok wrote: > Josip Rodin wrote: > > Then again, there is no clear indication to users which part of the large > > debug output is important and which part is ignorable, so even if they don't > > ignore it, it may still actually be too complicated for

OCSP support

2010-06-07 Thread Nikita Koshikov
Hello list, Is freeradius able to validate certificates using OCSP protocol for EAP-TLS clients ? If yes - where can I find relevant config example? - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: OCSP support

2010-06-07 Thread John Dennis
On 06/07/2010 10:33 AM, Nikita Koshikov wrote: Hello list, Is freeradius able to validate certificates using OCSP protocol for EAP-TLS clients ? No. Patches welcome. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/

MYSQL and FR2

2010-06-07 Thread Natr Brazell
suffix] No '@' in User-Name = "joe.bobuser", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop ++[files] returns noop +- entering group accounting {...} [detail] expand: /var/log/radius/radacct/%{Client-IP-Address}/detail-%Y%m%d ->

Re: MYSQL and FR2

2010-06-07 Thread Alan Buxey
Hi, > > rad_recv: Accounting-Request packet from host x.x.x.120 port 51637, id=50, > length=95 > Acct-Status-Type = Interim-Update > Acct-Session-Id = "C2594B9A71DB" > Acct-Delay-Time = 0 > User-Name = "joe.bobuser" > NAS-Identifier = "M20" > Junip

Re: MYSQL and FR2

2010-06-07 Thread Natr Brazell
Thanks for the help Alan, I see what you mean now. I guess I assumed that the radacct database was more than a recording of session start and end times. Is there another table that I should be seeing user activity in? In other words I was thinking that user activity (ie. the commands they ente

Proxying inner requests from EAP-TTLS

2010-06-07 Thread Martin Merkel
dius/2.1.9/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d -> /usr/local/radius/2.1.9/var/log/radius/radacct/10.10.0.23/pre-proxy-detail-20100607 [pre_proxy_log] /usr/local/radius/2.1.9/var/log/radius/radacct/%{Client-IP-Address}/pre-proxy-detail-%Y%m%d expands to /usr/local/ra

Username manipulation

2010-06-07 Thread Greg Malewski
Hi, I have been unable to find any examples - if the facility exists - of being able to process a username prior to forwarding it. For example, I may wish to take a username such as joe_bloggs and convert it into joe.bloggs prior to passing it on to the authentication oracle. Furthermore, is it

Re: Username manipulation

2010-06-07 Thread Arran Cudbard-Bell
On Jun 7, 2010, at 11:35 AM, Greg Malewski wrote: > Hi, I have been unable to find any examples - if the facility exists - of > being able to process a username prior to forwarding it. For example, I may > wish to take a username such as joe_bloggs and convert it into joe.bloggs > prior to pas
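An added example of the rewrite Greg asks about, written in the FreeRADIUS 2.1.x unlang policy language. It is not code from this thread or from the FreeRADIUS project; the regular expression, the section it sits in and the decision to leave EAP requests alone are this example's own assumptions.

```unlang
# Added example (not from the thread): rewrite joe_bloggs -> joe.bloggs before
# anything else looks at the name. Placed in the authorize section of
# sites-enabled/default ahead of "suffix" and of any ldap/sql/proxy handling,
# so the realm lookup, the local modules and a proxied request all see the
# rewritten User-Name.
authorize {
    preprocess

    # %{1} and %{2} are the captures of the most recent regex match.
    # [^_]+ stops at the first underscore, so "joe_bloggs@example.com"
    # becomes "joe.bloggs@example.com", and a name without "_" is untouched.
    # EAP carries its own identity inside EAP-Message, so outer EAP requests
    # are skipped here; do the same rewrite in the inner-tunnel virtual
    # server if the tunnelled identity needs it.
    if (!EAP-Message && (User-Name =~ /^([^_]+)_(.+)$/)) {
        update request {
            User-Name := "%{1}.%{2}"
        }
    }

    suffix
    # the remaining modules of the stock authorize section follow unchanged
}
```

To change only the copy that is forwarded and keep the original name for local logging and accounting, put the same if-block in the pre-proxy section with `update proxy-request` in place of `update request`. Either way, `radiusd -X` shows the result in the `expand:` lines before the request is proxied.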

Re: radtest and IPv6 support

2010-06-07 Thread John Dennis
On 06/03/2010 01:57 PM, Panagiotis Georgopoulos wrote: Hello all, I am trying to use radtest to test my freeradius configuration over IPv6. I have configured IPv6 on my freeradius server and a client machine from which I am firing radtest. However when I issue “radtest We also just discovered

How to use Freeradius with traffic limit?

2010-06-07 Thread RaidenII
Hi, I'm running Freeradius 2.1+Postgresql 8.4.4+OpenVPN on Ubuntu 9.10 x86. It runs smoothly now, however, I want to know if there is any way to limit per-user traffic, like 10G/month, and disconnect/reject their connection when the limit has been reached. It seems the column AcctInp

Re: reauth-problem with WPA2-tls

2010-06-07 Thread Andreas Hartmann
Hello! Problem is fixed! You're missing an SSL option when setting up SSL. Since OpenSSL version 0.9.8j, OpenSSL supports stateless session resumption. This means no session_id is created in the server if both client and server support it. I'm using OpenSSL 0.9.8k on both sides; the server generates

Re: How to use Freeradius with traffic limit?

2010-06-07 Thread Alan DeKok
RaidenII wrote: > I'm running Freeradius 2.1+Postgresql 8.4.4+OpenVPN on Ubuntu 9.10 x86. It > runs smoothly now, however, I want to know that if there is any way to limit > per user's traffic, like 10G/month, and disconnect/reject their connection > when the limitation has reached. That is usu

Re: reauth-problem with WPA2-tls

2010-06-07 Thread Alan DeKok
Andreas Hartmann wrote: > Problem is fixed! Your missing a ssl-option when setting up SSL. Since > SSL version 0.9.8j, openssl supports stateless session resumption. This > means, no session_id is created in the server, if both, client and > server, support it. > > I'm using on both sides openssl

Re: Proxying inner requests from EAP-TTLS

2010-06-07 Thread Alan DeKok
Martin Merkel wrote: > Hi, > > I'm currently working on a test setup for a study thesis. The goal is to > use wired 802.1X and EAP-TTLS with a local AAA server which proxies the > tunneled requests to the appropriate home servers. My problem right now > is that I can't get freeradius to proxy the

Re: radtest and IPv6 support

2010-06-07 Thread Alan DeKok
John Dennis wrote: > We also just discovered a bug with IPv6 usage in radclient (and > radtest), you may want to take a look at these two bugzilla's: > > https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80 The better fix is to take unknown options starting with "-", and pass them directly t

Re: Proxying inner requests from EAP-TTLS

2010-06-07 Thread Martin Merkel
On 07.06.2010 23:28, Alan DeKok wrote: > > See the 'v2.1.x' branch on git.freeradius.org for a fix. > Thank you, Alan, for your quick reply and fix. I compiled the latest version with your modifications, but unfortunately it still doesn't work. The error message changed to: WARNING: No prev

Re: How to use Freeradius with traffic limit?

2010-06-07 Thread RaidenII
I am not using a NAS actually. It is an ordinary x86 server. Alan DeKok-2 wrote: > > That is usually the function of the NAS. > > In 2.1.9, you can configure a CoA packet in the server, *if* the NAS > supports CoA. i.e. check for limit in the "accounting" section, and > send a CoA packet

Re: How to use Freeradius with traffic limit?

2010-06-07 Thread Paul Bartell
NAS is nearly analogous to RADIUS client. basically, it depends on the thing that is talking to Freeradius to say how to configure kicking someone off in real time. You could stick a script before authentication happens to check whether or not a user has exceeded his bandwidth and then either allo
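An added example of the check Paul describes, run before authentication; it is not from this thread or from the FreeRADIUS project. It assumes the stock FreeRADIUS 2.x PostgreSQL schema (a radacct table with username, acctstarttime, acctinputoctets and acctoutputoctets), an rlm_sql instance named `sql`, and a 10 GiB monthly limit (10737418240 bytes) picked for illustration.

```unlang
# Added example (not from the thread): reject an Access-Request once the
# user's traffic so far this calendar month has reached the limit. Goes in
# the authorize section of sites-enabled/default, before the "sql" line.
#
# The stock 2.x PostgreSQL accounting queries store
# (Acct-Input-Gigawords << 32) + Acct-Input-Octets in acctinputoctets (and
# likewise for output), so the bigint columns already hold full byte counts
# and a session that wraps the 32-bit octet counter is summed correctly.
#
# The comparison is done inside SQL so unlang only ever compares the strings
# "0" and "1" and never handles a number above 2^32 itself (the poster's
# server is 32-bit x86). %{User-Name} inside the sql xlat is escaped by
# rlm_sql before it is put into the query.
if ("%{sql:SELECT CASE WHEN COALESCE(SUM(acctinputoctets + acctoutputoctets), 0) >= 10737418240 THEN 1 ELSE 0 END FROM radacct WHERE username = '%{User-Name}' AND acctstarttime >= date_trunc('month', now())}" == "1") {
    update reply {
        Reply-Message := "Monthly traffic limit reached"
    }
    reject
}
```

This only counts what the NAS has already reported, so it needs interim accounting updates to be sent (the open session's bytes live in its radacct row), and a session that crosses the limit while it is running is not cut off; it is refused at the next login. Ending it mid-session is the CoA/Disconnect route Alan mentions, which depends on the NAS supporting it.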

Re: radtest and IPv6 support

2010-06-07 Thread John Dennis
On 06/07/2010 05:33 PM, Alan DeKok wrote: John Dennis wrote: We also just discovered a bug with IPv6 usage in radclient (and radtest), you may want to take a look at these two bugzilla's: https://bugs.freeradius.org/bugzilla/show_bug.cgi?id=80 The better fix is to take unknown options star

Re: radtest and IPv6 support

2010-06-07 Thread Alan DeKok
John Dennis wrote: > All you should need to do is create a bugzilla login, no different than > the FreeRADIUS bugzilla, but no problem, I attached the patch to the the > FreeRADIUS bug, should be easy to see now. Tried, still the same error. Oh well. From what I can tell, the issue is th