Re: Microsoft SoH Support

2010-10-12 Thread Phil Mayers
On 10/11/2010 10:14 PM, James J J Hooper wrote: Hi Phil, Alan, http://msdn.microsoft.com/en-us/library/cc251376%28v=PROT.10%29.aspx -> Independent of the above states, the last bit of the third byte of the AU ClientStatusCode can take the value of 1 if the AU settings on the client are contr

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread sbaror
Did anyone ever manage to establish a radius proxy between FR and another Radius server, such as NPS or ACS? -- View this message in context: http://freeradius.1045715.n5.nabble.com/FR-proxy-to-ACS-and-NPS-with-MS-CHAP-v2-tp2778983p3208535.html Sent from the FreeRadius - User mailing list arch

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread Alan Buxey
Hi, > Did anyone ever manage to establish a radius proxy between FR and another > Radius server, such as NPS or ACS? yes - just dealt with them as remote RADIUS servers...they follow the basic RADIUS RFCs fairly well - what's your issue? alan - List info/subscribe/unsubscribe? See http://www.fr

Re: SQL query error; rejecting user

2010-10-12 Thread Alan Buxey
Hi, > So I did, I deleted everything in /etc/raddb and I configuration, again > depending on the requirements there. check that the raddb directory is the right one - I seem to recall that one of your logs showed it was /usr/local/etc/raddb/ the default configuration works for basic tests etc

RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
OK, Just to recap, I'm working on setting Freeradius up to authenticate users to our wireless network. We want to use PEAP-MSCHAPv2 and authenticate against Active Directory. I'm using samba and ntlm_auth. Versions: freeradius2-2.1.7-7.el5 and samba-3.0.33-3.29 Needless to say it's failing. I

Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu
Here it is installed : radiusd: Loading Virtual Servers server { # from file /usr/local/etc/raddb/radiusd.conf And this is the error : rad_recv: Access-Request packet from host 127.0.0.1 port 57115, id=255, length=115 Service-Type = Framed-User Framed-Protocol = PPP

Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu
If I want to upload schema.sql same bug as here: http://www.mail-archive.com/freeradius-users@ lists.freeradius.org/msg61853.html - Original Message - From: "Alan Buxey" To: "FreeRadius users mailing list" Sent: Tuesday, October 12, 2010 11:20 AM Subject: Re: SQL query error; rejec

RE: SQL query error; rejecting user

2010-10-12 Thread Marius Pesé
That's not a bug, that is someone trying to use the MS SQL schema on a MySQL server. Obviously those files will only work for the database server they were written for. -Original Message- From: freeradius-users-bounces+marius=mindspring.co...@lists.freeradius.org [mailto:freeradius-user

Default behavior for users not in any group

2010-10-12 Thread Maxim S. Denisov
Hello. I have freeradius 2.1.6 with rlm_sql_oracle. There are plenty of users in the radcheck table and several of them are members of a group. As stated in the comments in dialup.conf, all other users are members of the group DEFAULT, if I understood it right. I put the fields DEFAULT Auth-Type

Re: SQL query error; rejecting user

2010-10-12 Thread Daniel Sandulescu
I agree with what you say, but anyone can solve for mysql Ver 14.12 Distrib 5.0.51a - Original Message - From: "Marius Pesé" To: "FreeRadius users mailing list" Sent: Tuesday, October 12, 2010 11:50 AM Subject: RE: SQL query error; rejecting user That's not a bug, that is someone

Re: SQL query error; rejecting user

2010-10-12 Thread Alan Buxey
Hi, > If I want to upload schema.sql same bug as here: > http://www.mail-archive.com/freeradius-users@ > lists.freeradius.org/msg61853.html which DB system are you using? please note my answer in the thread that you've highlighted - that user was trying to throw the MSSQL schema over their MySQL

Re: SQL query error; rejecting user

2010-10-12 Thread Alan DeKok
Daniel Sandulescu wrote: > Here it is installed : > > radiusd: Loading Virtual Servers > server { # from file /usr/local/etc/raddb/radiusd.conf > > And this is the error : Which is the same as before. The solution is the same as before: ensure you have the default configuration file

Re: Problem with MSCHAP

2010-10-12 Thread Alan Buxey
Hi, > I've pasted my debug output into the web tool and it picks out the following > in red > > security { > max_attributes = 200 > reject_delay = 1 (This line in red) > status_server = yes > } > > > (all in red) > Module: Instantiating attr_filter.access_reject > at

Re: SQL query error; rejecting user

2010-10-12 Thread Alan Buxey
Hi, > radiusd: Loading Virtual Servers > server { # from file /usr/local/etc/raddb/radiusd.conf ^ look. that's where your config is living. delete it all and reinstall > WARNING: Empty authorize section. Using default return va

Re: Default behavior for users not in any group

2010-10-12 Thread Alan Buxey
Hi, > I have freeradius 2.1.6 with rlm_sql_oracle. There are plenty of users in the > radcheck table and several of them are members of a group. As stated in > the comments in dialup.conf all other users are members of the group > DEFAULT if I understood it right. I put the fields DEFAULT Auth

Re: Microsoft SoH Support

2010-10-12 Thread Alan DeKok
Phil Mayers wrote: > Yeah - that's in 0004-*.patch (I noticed it when using the excellent > raddebug to test that the SoH stuff appeared) OK... the patch doesn't apply, and adding/deleting the "\n" is awkward. I'll make a few simple changes today, and push them to git.freeradius.org. Please

RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Alan, Thanks for your reply. >how are you testing this - a real client, command line tool etc? when you run >it in full >debug mode - and you aren't helping yourself by failing to post that here I'm testing with a real client and access point. OK - I wasn't sure posting the whole debug would b

Re: Facing mSchapv2 errors

2010-10-12 Thread Alan Buxey
Hi, >Please find below the complete server dump, facing some mschapv2 error no, it's not the complete server dump...it's the bit you've decided to send to us - which starts with the line "ad_recv: Access-Request packet from host" and not the whole output. server inner-tunnel files returns no

Re: Microsoft SoH Support

2010-10-12 Thread Phil Mayers
On 12/10/10 11:11, Alan DeKok wrote: Phil Mayers wrote: Yeah - that's in 0004-*.patch (I noticed it when using the excellent raddebug to test that the SoH stuff appeared) OK... the patch doesn't apply, and adding/deleting the "\n" is Rats. Sorry about that. awkward. I'll make a few sim

RE: Problem with MSCHAP

2010-10-12 Thread Mark Holmes
Ah - I think I see the issue - the ntlm auth line in modules/mschap is after the } so presumably not being read... -Original Message- From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+mark.holmes=nuffield.ox.ac...@lists.fr

Re: Facing mSchapv2 errors

2010-10-12 Thread Bhanu Vegesna
Hi Alan, Thank you for your reply, I have user ctc and cleartext password mentioned in the users file. I have the complete log at the office, I will send it to you once I reach the office tomorrow morning On Tue, Oct 12, 2010 at 3:55 PM, Alan Buxey wrote: > Hi, > > >Please find below the complete server dump, fa

Disconnect-Request

2010-10-12 Thread Moayad Mohammad
Dears, Can I disconnect a connected user or session from freeradius and Wichorus ASN-GW (WIMAX)? If yes, how? I am trying to send a disconnect request as follows: (Note: I changed all the following values as needed) # echo "Acct-Se

Re: Disconnect-Request

2010-10-12 Thread Alan DeKok
Moayad Mohammad wrote: > Can I disconnect a connected user or session from > freeradius and Wichorus ASN-GW (WIMAX)? If yes, how? You have the FreeRADIUS portion working. The only question is what you need to put into the Disconnect-Request packet so that the Wichorus ASN-GW return

Re: Default behavior for users not in any group

2010-10-12 Thread Maxim S. Denisov
Hello. On 12.10.2010, at 13:54, Alan Buxey wrote: >> I have freeradius 2.1.6 with rlm_sql_oracle. There are plenty of users in >> the radcheck table and several of them are members of a group. As stated in >> the comments in dialup.conf all other users are members of the group >> DEFAULT if

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread sbaror
Hi Alan The issue is that the MS CHAP v2 authentication fails. It succeeds when the 2nd Radius is FR and fails with MS NPS. Sniffer traces show that the dialog between the MS CHAP v2 FR and the DC is different than the one between the NPS and the DC. Thanks Sagi -- View this message in context:

RE: Disconnect-Request

2010-10-12 Thread Ben Wiechman
Try the following: update disconnect { User-Name = "%{User-Name}" Calling-Station-Id = "%{Calling-Station-Id}" WiMAX-AAA-Session-Id = "%{WiMAX-AAA-Session-Id}" (same as that returned during network entry) WiMAX-DM-Action-Code = Deregister-MS } I know this works. I se
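The Disconnect-Request exchange that Moayad, Alan DeKok and Ben discuss above, as an added example that is not from the thread and not FreeRADIUS or radclient code: a small Python builder and verifier for RFC 5176 Disconnect-Request packets, with a stand-in NAS reply so both sides of the exchange can be checked offline. The shared secret, identifier, attribute values and the assumption that the NAS listens on UDP 3799 are illustrative. The WiMAX vendor attributes Ben lists would travel as Vendor-Specific (type 26) AVPs; they are left out because their numbering comes from the WiMAX dictionary, not from this page.

```python
"""RFC 5176 Disconnect-Request: build, send and verify (added example, not FreeRADIUS code)."""
import hashlib
import hmac
import socket
import struct

DISCONNECT_REQUEST, DISCONNECT_ACK, DISCONNECT_NAK = 40, 41, 42

# Standard attribute numbers (RFC 2865 / RFC 2866 / RFC 5176)
ATTR_USER_NAME = 1
ATTR_CALLING_STATION_ID = 31
ATTR_ACCT_SESSION_ID = 44
ATTR_ERROR_CAUSE = 101
ERROR_SESSION_CONTEXT_NOT_FOUND = 503


def encode_avp(attr_type, value):
    """One attribute: Type(1) Length(1) Value. Length includes the 2-byte header."""
    if not 0 <= len(value) <= 253:
        raise ValueError("AVP value must be 0..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(packet):
    """Walk the attribute area after the 20-byte header; returns [(type, value), ...]."""
    out, pos = [], 20
    while pos < len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed AVP at offset %d" % pos)
        out.append((attr_type, packet[pos + 2:pos + length]))
        pos += length
    return out


def parse_header(packet):
    """(code, identifier, length) from the first four bytes."""
    return struct.unpack("!BBH", packet[:4])


def build_disconnect_request(secret, identifier, avps):
    """Request Authenticator = MD5(Code | ID | Length | 16 zero bytes | Attributes | Secret),
    RFC 5176 section 2.3. Unlike Access-Request it is not random, so the NAS can verify it."""
    attrs = b"".join(avps)
    header = struct.pack("!BBH", DISCONNECT_REQUEST, identifier, 20 + len(attrs))
    request_auth = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return header + request_auth + attrs


def request_authenticator_ok(request, secret):
    """What a NAS does before honouring the request: recompute and compare the authenticator."""
    header, auth, attrs = request[:4], request[4:20], request[20:]
    expected = hashlib.md5(header + bytes(16) + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def make_nas_reply(request, code, secret, avps=()):
    """Stand-in for the NAS side (constructed for this example): Disconnect-ACK/NAK with
    Response Authenticator = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    attrs = b"".join(avps)
    header = struct.pack("!BBH", code, request[1], 20 + len(attrs))
    response_auth = hashlib.md5(header + request[4:20] + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(request, response, secret):
    """Client-side check: identifier must match and the Response Authenticator must be
    computed over OUR Request Authenticator, so a reply forged without the secret fails."""
    if len(response) < 20:
        return False
    code, ident, length = parse_header(response)
    if length != len(response) or ident != request[1]:
        return False
    if code not in (DISCONNECT_ACK, DISCONNECT_NAK):
        return False
    expected = hashlib.md5(response[:4] + request[4:20] + response[20:] + secret).digest()
    return hmac.compare_digest(expected, response[4:20])


def send_disconnect(nas_host, secret, avps, identifier=1, port=3799, timeout=3.0):
    """Send over UDP to the CoA/DM port (3799 per RFC 5176); returns (code, avps) or None
    on timeout or bad authenticator. Needs a real NAS, so it is not exercised offline."""
    request = build_disconnect_request(secret, identifier, avps)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(request, (nas_host, port))
        try:
            response, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    if not verify_response(request, response, secret):
        return None
    return parse_header(response)[0], decode_avps(response)


if __name__ == "__main__":
    # Constructed sample values, not taken from the thread.
    secret = b"testing123"
    avps = [encode_avp(ATTR_USER_NAME, b"user@example.org"),
            encode_avp(ATTR_CALLING_STATION_ID, b"00-11-22-33-44-55"),
            encode_avp(ATTR_ACCT_SESSION_ID, b"0000ABCD")]
    req = build_disconnect_request(secret, 7, avps)
    nak = make_nas_reply(req, DISCONNECT_NAK, secret,
                         [encode_avp(ATTR_ERROR_CAUSE, struct.pack("!I", ERROR_SESSION_CONTEXT_NOT_FOUND))])
    print(parse_header(req), verify_response(req, nak, secret), decode_avps(nak))
```

The point of checking the Response Authenticator rather than just the identifier is that an on-path party who does not hold the shared secret cannot fabricate a Disconnect-ACK; the same check applies in reverse on the NAS, which is why a wrong secret shows up as a silently dropped request rather than a NAK.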

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread Alan Buxey
Hi, > The issue is that the MS CHAP v2 authentication fails. It succeeds when the > 2nd Radius is FR and fails with MS NPS. > Sniffer traces show that the dialog between the MS CHAP v2 FR and the DC is > different than the one between the NPS and the DC. I manage a system that involves several h

Re: Defining an Auth-Type based on a realm

2010-10-12 Thread Mathew Rowley
My question was more of where that configuration should live. I can see that you can do attribute checks in the users file, but I am not sure the realm is being set to any attribute... I can see in the debug messages: rad_recv: Access-Request packet from host 127.0.0.1 port 53888, id=132, length=

MS-CHAP failing?

2010-10-12 Thread Mark Holmes
OK, getting somewhere, but still won't let me connect. I can't see in the debug output why it fails. I'm trying to authenticate against AD, using PEAP-MSCHAPv2 I have checked ntlm_auth is working by ntlm_auth --request-nt-key --domain=MYDOMAIN --username=testuser --password=password and I ge

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread Alan DeKok
sbaror wrote: > Hi Alan > The issue is that the MS CHAP v2 authentication fails. It succeeds when the > 2nd Radius is FR and fails with MS NPS. > Sniffer traces show that the dialog between the MS CHAP v2 FR and the DC is > different than the one between the NPS and the DC. Yes. NPS uses magic

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread sbaror
Thanks Alan. The challenge is that it doesn't work although it is all NTLM std. You mention Samba and NTLM Auth. In our design we don't use Samba because the server which performs auth with the AD is the NPS. Are you suggesting that the FR server needs to have Samba when doing the MS CHAP v2 prox

RE: MS-CHAP failing?

2010-10-12 Thread Sallee, Stephen (Jake)
Just checking but you did see the problem in the following line of config right? >exec ntlm_auth { > wait = yes >program = ***"/PATH/TO/NTLM_AUTH *** --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} -->password=%{User-Password}" >} I understand

Re: MS-CHAP failing?

2010-10-12 Thread Alan Buxey
Hi, > my /modules/ntlm_auth looks like this:- > > exec ntlm_auth { > wait = yes > program = "/path/to/ntlm_auth --request-nt-key > --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}" > } I'd hope it doesn't look like that - fix the

RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Stephen, Thanks for this. Actually I messed up - my ntlm_auth looks like this (which I think is correct) exec ntlm_auth { wait = yes program = "/usr/bin/ntlm_auth --request-nt-key --domain=MYDOMAIN --username=%{mschap:User-Name} --password=%{User-Password}"

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread Alan DeKok
sbaror wrote: > In our design we don't use Samba because the server which performs auth with > the AD is the NPS. OK. > Are you suggesting that the FR server needs to have > Samba when doing the MS CHAP v2 proxy to NPS? No. > Our design: > 1) Protocol is EAP-TTLS with inner MS CHAP v2 >

Re: Defining an Auth-Type based on a realm

2010-10-12 Thread Alan DeKok
Mathew Rowley wrote: > My question was more of where that configuration should live. I can see > that you can do attribute checks in the users file, but I am not sure > the realm is being set to any attribute... Read the debug output. The realm isn't being set because you didn't define one. >

Re: SV: FR proxy to ACS and NPS with MS CHAP v2

2010-10-12 Thread Alan Buxey
Hi, > Our design: > 1) Protocol is EAP-TTLS with inner MS CHAP v2 > 2) FR server authenticates the TLS part > 3) FR proxies the MS CHAP Authentication to NPS > 4) NPS performs the MS CHAP v2 auth. yes, this is feasible note this will break when clients start to check the end of the tunnel is th

Re: Microsoft SoH Support

2010-10-12 Thread Alan DeKok
OK... see "git". I've moved src/lib/soh.c -> src/main/soh.c, and done minimal updates to get it to compile. If you can redo the debug patches, I'll put them in. Or maybe I should just give you direct "git" access... Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.

RE: MS-CHAP failing?

2010-10-12 Thread Mark Holmes
Alan, Well spotted! - yes there was a bit missing from the end of that line in mschap - response=%(mschap:NT-Response:-00}" Twas indeed a cut-and-paste error. Thanks very much - it now works! Cheers, Mark -Original Message- From: freeradius-users-bounces+mark.holmes=nuffield.ox.ac.

Removing domain name in freeradius

2010-10-12 Thread Mark Holmes
Hi all, Currently when users connect to our WLAN they enter their username thus:- firstname.lastn...@mydomain.ox.ac.uk Is there a way I can strip everything after the @ out (ie the domain) - so they are forced to authenticate against the domain I specify. At the moment in my test environment,

Re: Defining an Auth-Type based on a realm

2010-10-12 Thread Mathew Rowley
Ah, I was misunderstanding the proxy functionality. I thought it was only used for proxying radius requests to other radius servers. I was having a problem with configuring the users file. Why will this set Auth-Type: DEFAULT Realm == "realm", Auth-Type := Kerberos And this will not: DEFAULT R

Re: Removing domain name in freeradius

2010-10-12 Thread Alan Buxey
Hi, > Hi all, > > Currently when users connect to our WLAN they enter their username thus:- > firstname.lastn...@mydomain.ox.ac.uk > > Is there a way I can strip everything after the @ out (ie the domain) - so > they are forced to authenticate against the domain I specify. > > At the moment in

Re: Defining an Auth-Type based on a realm

2010-10-12 Thread Phil Mayers
On 12/10/10 16:31, Mathew Rowley wrote: Ah, I was misunderstanding the proxy functionality. I thought it was only used for proxying radius requests to other radius servers. I was having a problem with configuring the users file. Why will this set Auth-Type: DEFAULT Realm == "realm", Auth-Type :

Re: Removing domain name in freeradius

2010-10-12 Thread Phil Mayers
On 12/10/10 16:06, Mark Holmes wrote: Hi all, Currently when users connect to our WLAN they enter their username thus:- firstname.lastn...@mydomain.ox.ac.uk Is there a way I can strip everything after the @ out (ie the domain) - so they are forced to authenticate against the domain I specify.

Re: Detailed Logging freeradius Request Packets

2010-10-12 Thread Alan DeKok
Jean F. Mousinho wrote: > So this message, the Access-Challenge messages are not logged, although > the Access-Accept are logged. > > I should have said I want to log Access-Challenge messages, would be > more correct. That's a bit harder. Put this in the "authenticate" section, to replace the

Re: Removing domain name in freeradius

2010-10-12 Thread Alan Buxey
Hi, > authorize { > if (User-Name =~ /^(.*)@(.*)/) { > update request { > User-Name := "%{1}" > Realm := "%{2}" > } > if (Realm !~ /mydomain\.ox\.ac\.uk/i) { > # invalid > reject > } > } > } beware of blank outerid as per the RFC - i

Re: Microsoft SoH Support

2010-10-12 Thread Phil Mayers
On 12/10/10 15:29, Alan DeKok wrote: OK... see "git". I've moved src/lib/soh.c -> src/main/soh.c, and done minimal updates to get it to compile. Ok, "aefe73e885198b5735fad6fbd59d63a9116912b7" looks good; patch against that attached - it's nothing complex, but seems to work for me. (Is t

Re: Microsoft SoH Support

2010-10-12 Thread Alan Buxey
Hi, you know...some sicko side of me thinks it'd be great if stats on SoH could be output via access with radmin or the Server-Status packet... alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Autz-Type examples and parse error

2010-10-12 Thread Harry Hoffman
Hi All, I'm following along with the docs for Autz-Type in freeradius-2.1.8, specifically the section about selecting between multiple instances of a module. In users.conf I have: DEFAULT Realm == "siteone.edu", Autz-Type := siteone_ldap, Auth-Type := siteone_ldap In sites-enabled/default I have

Re: Removing domain name in freeradius

2010-10-12 Thread Alexander Clouter
Mark Holmes wrote: > > At the moment in my test environment, as long as I DON'T specify the > domain it works - so I'm looking to strip out the domain name if they > DO specify it. > As a hint for the record, in production for eduroam, you must reject when there is no domain otherwise: a) yo

Re: Removing domain name in freeradius

2010-10-12 Thread Alexander Clouter
Phil Mayers wrote: >> >> Currently when users connect to our WLAN they enter their username >> thus:- firstname.lastn...@mydomain.ox.ac.uk >> >> Is there a way I can strip everything after the @ out (ie the domain) >> - so they are forced to authenticate against the domain I specify. > > Sure,

Re: Removing domain name in freeradius

2010-10-12 Thread Arran Cudbard-Bell
On Oct 12, 2010, at 10:29 AM, Alexander Clouter wrote: > Mark Holmes wrote: >> >> At the moment in my test environment, as long as I DONT specify the >> domain it works - so I'm looking to strip out the domain name if they >> DO specify it. >> > As a hint for the record, in production for 'e
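The realm handling discussed in this thread (the unlang Phil Mayers posted and Alan Buxey quoted, Alan's warning about a blank outer identity, and Alexander Clouter's point that production eduroam should reject a missing domain), as an added Python example that is not from the thread and not FreeRADIUS code. It splits the outer User-Name the way the quoted `/^(.*)@(.*)/` does (at the last `@`, which is also what RFC 4282 requires), and then shows why the quoted `Realm !~ /mydomain\.ox\.ac\.uk/i` test is too loose: it is an unanchored substring match, so a realm such as mydomain.ox.ac.uk.example passes it. The home realm and the sample usernames are assumptions.

```python
"""Outer User-Name / realm checks for 802.1X (added example; not from the thread or FreeRADIUS)."""
import re

HOME_REALM = "mydomain.ox.ac.uk"  # assumed home realm, taken from the thread's example
# Mirrors the quoted unlang: if (Realm !~ /mydomain\.ox\.ac\.uk/i) -> unanchored substring match
LOOSE_REALM_RE = re.compile(r"mydomain\.ox\.ac\.uk", re.IGNORECASE)


def split_nai(user_name):
    """Return (user, realm); realm is None when there is no '@'.
    Split at the LAST '@' (RFC 4282 section 2.1), which is also what the greedy
    /^(.*)@(.*)/ in the thread ends up doing."""
    user, sep, realm = user_name.rpartition("@")
    if not sep:
        return user_name, None
    return user, realm


def realm_ok_loose(realm):
    """The check as quoted in the thread: also passes 'mydomain.ox.ac.uk.example'
    and 'xmydomain.ox.ac.uk', because nothing anchors the pattern."""
    return LOOSE_REALM_RE.search(realm) is not None


def realm_ok_strict(realm):
    """Exact comparison against the home realm; DNS names are case-insensitive, so fold case."""
    return realm.lower() == HOME_REALM


def authorize(user_name, require_realm=True):
    """Decide what the authorize section should do with the outer User-Name.
    Returns ('ok', user) with the realm stripped, ('anonymous', realm) for a blank
    outer identity that must not be authenticated itself, or ('reject', reason)."""
    user, realm = split_nai(user_name)
    if realm is None:
        # eduroam: a realm-less outer identity cannot be routed, and locally it lets a
        # visitor's credentials be tried against your own backend; reject in production.
        if require_realm:
            return "reject", "no realm in outer identity"
        return "ok", user
    if not realm_ok_strict(realm):
        return "reject", "realm %r is not the home realm" % realm
    if user == "":
        # '@realm' is the blank outer id from RFC 4282: valid for routing an EAP
        # request, but the real username has to come from the inner tunnel.
        return "anonymous", realm
    return "ok", user


if __name__ == "__main__":
    # Constructed sample identities, not taken from the thread.
    for name in ("alice@mydomain.ox.ac.uk", "alice@MYDOMAIN.ox.ac.uk", "alice",
                 "alice@mydomain.ox.ac.uk.example", "a@b@mydomain.ox.ac.uk", "@mydomain.ox.ac.uk"):
        user, realm = split_nai(name)
        print("%-35s loose=%-5s strict=%-5s -> %s" % (
            name, realm is not None and realm_ok_loose(realm),
            realm is not None and realm_ok_strict(realm), authorize(name)))
```

In unlang terms the fix for the loose match is to anchor and escape the pattern, for example `Realm !~ /^mydomain\.ox\.ac\.uk$/i`, and to keep the realm test in the inner-tunnel server as well, since the outer identity is under the client's control and may legitimately be blank.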

Re: Microsoft SoH Support

2010-10-12 Thread Alan DeKok
Alan Buxey wrote: > Hi, > > you know...some sicko side of me thinks it'd be great if > stats on SoH could be output via access with radmin or the Server-Status > packet... That's the kind of information which belongs in a DB, I think. It's not RADIUS related (packets sent / received), and it's

Re: Autz-Type examples and parse error

2010-10-12 Thread Alan DeKok
Harry Hoffman wrote: > I'm following along with the docs for Autz-Type in freeradius-2.1.8, > specifically the section about selecting between multiple instances of a > module. In 2.x, there are better ways to do this. See "man unlang" for conditionally calling a module. > In users.conf I have

EAP-TLS authentication allows me to authenticate with invalid certificate.

2010-10-12 Thread Terry Simons
Vendor-26928-Attr-1 = 0x # Executing section preacct from file /usr/local/etc/raddb/sites-enabled/default +- entering group preacct {...} ++[preprocess] returns ok [acct_unique] Hashing 'NAS-Port = 0,Client-IP-Address = 192.168.19.12,NAS-IP-Address = 192.168.19.12,Acct-Session-Id =

Re: Microsoft SoH Support

2010-10-12 Thread Alan DeKok
Phil Mayers wrote: > Ok, "aefe73e885198b5735fad6fbd59d63a9116912b7" looks good; patch against > that attached - it's nothing complex, but seems to work for me. Pushed, thanks. > (Is there an equivalent of "debug_pair_list" outputting via > request->radlog?) No, sorry. Alan DeKok. - List i

Re: EAP-TLS authentication allows me to authenticate with invalid certificate.

2010-10-12 Thread Alan DeKok
Terry Simons wrote: > I'm running into an issue where FreeRADIUS allows an invalid certificate (one > not signed by my configured CA) to successfully authenticate to EAP-TLS. Well... the code which prints the error "verify error:num=20:" is in the "verify certificate callback" function. It's r