Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote: > Password change is not part of RADIUS. > > I am new to radius, and although it is now clear that "expired passwords == > user > is blocked until they can authenticate from some other computer" ... I'm just > surprised. RADIUS is a protocol which co

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone
Hi Alan~ Thank you for the reply; your response helps save me some time. > 3) A long term solution; I don't believe password expirations are that > uncommon > anymore with all the security requirements (HIPAA, PCI, etc etc) that depend > upon this. Password change is not part of RADIUS.

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote: > We have successfully implemented a test patch. This test patch moves away > from > implementing mschapv2 in the client connection and specifying PAP. It > changes > the opendirectory response, and only requires two lines of code to change in > rlm_opend

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone
>> If you want to change all REJECTs to ACCEPT so that >> authentication always succeeds, then you are effectively >> eliminating the requirement for 802.1x authentication for >> network connectivity. If it's not required, why not just turn >> off port security on your switches? >> If it i

Re: FreeRadius + Cisco VPDN with multiple VRFs not working

2010-08-12 Thread Jasper Jans
John, Thanks for pointing that out to me. I'll update it to this version tomorrow. I don't expect a whole lot of difference with regards to this issue though but it never hurts to run a more recent version of the software. - Jasper On Thu, Aug 12, 2010 at 5:08 PM, John Dennis wrote: > On 08/12

Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
Thanks Alan. Will do that. -Latha. --- On Thu, 8/12/10, Alan DeKok wrote: From: Alan DeKok Subject: Re: Vendor Specific Attributes To: "FreeRadius users mailing list" Date: Thursday, August 12, 2010, 12:40 PM Latha Krishnamurthi wrote: > > Thanks for the prompt reply. I can defly do t

RE: Password Policy - Expired Password - mschap

2010-08-12 Thread Garber, Neal
> Understanding the security risks... is there an example of > setting Post-Auth-Type REJECT {...} to override the reject > force the response to Auth-Accept? If you want to change all REJECTs to ACCEPT so that authentication always succeeds, then you are effectively eliminating the requirem

Re: issues when compiling freeradius 2.1.9 on solaris 10 x86

2010-08-12 Thread Alan DeKok
maximatt wrote: > false cru .libs/libfreeradius-radius.a dict.o filters.o hash.o hmac.o "false" is not a valid linker. Install the correct tools which let you compile software. This is not a FreeRADIUS problem. Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.or

Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote: > > Thanks for the prompt reply. I can defly do that, not an issue. I have a > module running in freeradius. > > Assuming my module already handles delivering vendor specific attribute > in the RADIUS response (this is available to me through some shared > memory) and

Re: FreeRadius and Redundant LDAP Problems

2010-08-12 Thread Kory Wheatley
Per your suggestions from the last email I checked and the: Un-comment the "unix" entry from the "authorize" section of raddb/sites-available/default Was un-commented and below is the output from trying to authenticate a user that is a member of the DialupFS group and does not have an account in

Freeradius 2.1.9 stop working

2010-08-12 Thread BELLIERE Eric
Ok Fine we made a RPM with The Git source and the radius is no more "crashing" so bug # 34 seems to be resolved. Thanks, Eric B. -Original Message- From: freeradius-users-bounces+eric.belliere=mail.mobistar...@lists.freeradius.org [mailto:freeradius-users-bounces+eric.belliere=mail.mobis

issues when compiling freeradius 2.1.9 on solaris 10 x86

2010-08-12 Thread maximatt
hi... i try to compile freeradius 2.1.9 on solaris 10, but i have some problems i install from freeware the following packages . gcc-3.4.6-sol10-x86-local and /libiconv-1.13.1-sol10-x86-local.gz and then i try to just have a simple compilation. # PATH=/usr/local/bin/:/usr/sfw/bin/:$PATH; e

Re: Vendor Specific Attributes

2010-08-12 Thread Latha Krishnamurthi
Thanks for the prompt reply. I can defly do that, not an issue. I have a module running in freeradius. Assuming my module already handles delivering vendor specific attribute in the RADIUS response (this is available to me through some shared memory) and tomorrow there is a new vendor, then

RE: Is Mikrotik-Rate-Limit used to limit users speed

2010-08-12 Thread Ben Wiechman
We use this every day for wifi hotspots off a Mikrotik. It works without issues. From: freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org [mailto:freeradius-users-bounces+wiechman.lists=gmail@lists.freeradius.org] On Behalf Of Spacelee Sent: Thursday, August 12, 2010

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Theparanoidone Theparanoidone
Greetings Alan~ > > Possible solutions: > --- > Solution 1) Edit the opendir.c module to simple detect error status -14161 > and > > -14162... and simply set the status to 0 instead. >> Absolutely not. Expired passwords are *not* OK. > Solution 2) Try and rig up s

Re: FreeRadius + Cisco VPDN with multiple VRFs not working

2010-08-12 Thread John Dennis
On 08/12/2010 11:01 AM, Jasper Jans wrote: Freeradius v1.1.3 (default that ships with CentOS 5.5) using MySQL as an backend. freeradius 2.1.7 ships with RHEL 5.5 under the package name freeradius2. -- John Dennis Looking to carve out IT costs? www.redhat.com/carveoutcosts/

Re: ldap fallback to local password

2010-08-12 Thread Aqdas Muneer
So I tried it with a condition and still devices are accessible with the local account even if ldap is running. So basically I can login to routers either using my AD account or the local account in the users file. How can I restrict this behavior to ldap failure only? Below is my if statement in

Re: LDAP Check Item Issue

2010-08-12 Thread Asin Silva
I got this solved. Attribute to be compared added to ldap.attrmap as a checkItem. Kept compare_check_items as no in modules/ldap: compare_check_items = no. Created a checkval module to do the comparison. Then problem was no more. When I have "compare_check_items = yes" in modules/ldap it always gav

Re: Last call for 2.1.10

2010-08-12 Thread Stefan Winter
Hi, This was noted the other day. I committed a fix, and just pushed it back to the git repositories. Thanks. Re-pulled, compiled, installed, works with test requests. Stefan -- Stefan WINTER Ingenieur de Recherche Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et

Re: Last call for 2.1.10

2010-08-12 Thread Johan Meiring
On 2010/08/12 10:02 AM, Alan DeKok wrote: Stefan Winter wrote: libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake' This was noted the other day. I committed a fix, and just pushed it back to the git repositories. I can confirm that it compiles on Debian Lenny now

Re: Vendor Specific Attributes

2010-08-12 Thread Alan DeKok
Latha Krishnamurthi wrote: > Is there a way to add vendor specific attributes to the RADIUS response > without adding the vendor to the dictionary. What's so hard about adding a dictionary entry for the attribute? Alan DeKok.

Re: SqlCounter reload after initial authentication

2010-08-12 Thread Alan DeKok
tadi...@verizon.net wrote: > I'm using Freeradius + Chillispot+MySql for hotspot. Sqlcounter > noresetcounter works fine for prepaid access time, however the counter is > loaded only once when the user first authenticates. > This means that even if Max-All-Session changes after initial logon (as i

Re: ldap fallback to local password

2010-08-12 Thread Alan DeKok
Aqdas Muneer wrote: > i would like to configure freeradius so that it can failover to a local > password when the ldap server cannot be contacted. i was able to create > a admin account in the users file with cleartext password, but when i > enable it, it becomes accessible even when ldap is up and

Re: Password Policy - Expired Password - mschap

2010-08-12 Thread Alan DeKok
Theparanoidone Theparanoidone wrote: > We are working on a patch. Good, thanks. > We're of the opinion that Apple's version rlm_mschap / opendir included > with freeradius is missing something. > > It appears they were only considering someone entering a failed > login/password combo... not

Is Mikrotik-Rate-Limit used to limit users speed

2010-08-12 Thread Spacelee
PPTP+PPP+FreeRadius+MySQL It seems it doesn't work. -- Spacelee - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius Authentication

2010-08-12 Thread Alan DeKok
rrperez wrote: > I have configured a Freeradius2.1.7 with an openLDAP backend and I'm planning > to established a different type of authentication. > > The plan was to create one password for all the users. And the users are > checked by the Freeradius in the openLDAP directory. > > Is it possibl

Re: Last call for 2.1.10

2010-08-12 Thread Alan DeKok
Stefan Winter wrote: > libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake' This was noted the other day. I committed a fix, and just pushed it back to the git repositories. Alan DeKok.

Re: FreeRadius and Redundant LDAP Problems

2010-08-12 Thread Alan Buxey
Hi, > I apologize for the inconvenience of sending the configuration files. I > thought sending more detail would help :-). The below steps you provided > still didn't work and ended with the same problem. Again I apologize. radiusd -X ? we cannot help without this information alan -

Re: Last call for 2.1.10

2010-08-12 Thread Johan Meiring
On 2010/08/12 09:36 AM, Stefan Winter wrote: /root/freeradius-server-2.1.10-pre/src/lib/.libs/libfreeradius-radius.so -lnsl -lresolv -lpthread -lssl -lcrypto -Wl,-rpath -Wl,/usr/local/freeradius/2.1.10-pre/lib libeap/.libs/libfreeradius-eap.so: undefined reference to `radius_pairmake' collect2: l

Why the "authhost" or "accthost" item's value in "realm NULL" can't be a home_server_pool in proxy.conf?

2010-08-12 Thread freddychu
Hi, I want to proxy requests whose User-Name has no realm domain to a home server pool, so I configure the realm NULL, but the radius server would proxy the request to a nonexistent IP address. Why the "authhost" or "accthost" item's value in "realm NULL" can't be a home_server_pool in proxy.conf

Re: Last call for 2.1.10

2010-08-12 Thread Stefan Winter
Hi, I've just tried to compile with my usual set of configure flags, and got: /usr/bin/libtool --mode=link gcc -o radeapclient radeapclient.lo libeap/libfreeradius-eap.la -lnsl -lresolv -lpthread -lcrypto -lssl -lcrypto libtool: link: gcc -o .libs/radeapclient .libs/radeapclient.o libeap

SqlCounter reload after initial authentication

2010-08-12 Thread tadiguy
I'm using Freeradius + Chillispot+MySql for hotspot. Sqlcounter noresetcounter works fine for prepaid access time, however the counter is loaded only once when the user first authenticates. This means that even if Max-All-Session changes after initial logon (as it happens when the user adds more