On 03/01/2011 05:25 PM, McNutt, Justin M. wrote:
Now it matches, but something about the regex is still wrong (mainly,
the multi-character captures) because it's not expanding correctly.
Short version:
These look like MS-CHAP machine-auth usernames; have you considered using:
Have corrected line per your reply. Still getting same errors.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Multiple-modules-entries-tp3405254p3406428.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See
These look like MS-CHAP machine-auth usernames; have you
considered using:
%{mschap:User-Name}
%{mschap:NT-Domain}
The mschap module has special handling for host/ names, and
these will
expand:
host/name.domain.com
to:
name$
domain.com
The trailing dollar sign on the
McNutt, Justin M. wrote:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --domain=%{mschap:NT-Domain}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}
Note use of %{mschap:User-Name} and %{mschap:NT-Domain}. Despite this,
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by
hand. Play with the various parameters until it works. Then, configure
the server to run it with those parameters.
I haven't, partly because it works
On Mar 1, 2011, at 6:05 PM, Vinh Nguyen wrote:
Failed binding to authentication address * port 1812: Address already in use
/usr/local/etc/raddb/radiusd.conf[240]: Error binding to port for 0.0.0.0
port 1812
Thats says everything. You already have an server running.
Best Regards,
Boian
On 02/03/11 12:09, McNutt, Justin M. wrote:
These look like MS-CHAP machine-auth usernames; have you considered
using:
%{mschap:User-Name} %{mschap:NT-Domain}
The mschap module has special handling for host/ names, and these
will expand:
host/name.domain.com
to:
name$ domain.com
The
Note use of %{mschap:User-Name} and
%{mschap:NT-Domain}. Despite this, host/computer.domain
login attempts always fail. Hence, trying to do the
translation manually via a regex and update clauses.
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the
On 02/03/11 12:32, McNutt, Justin M. wrote:
Note use of %{mschap:User-Name} and
%{mschap:NT-Domain}. Despite this, host/computer.domain
login attempts always fail. Hence, trying to do the
translation manually via a regex and update clauses.
And what happens when you try to run ntlm_auth
In the most recent debug I see you posted (16:36 yesterday)
it's failing
because:
[eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
++[eap] returns noop
...
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the domain bit into the
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap]
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the domain bit into the Proxy-To-Realm attribute but
Proxy-To-Realm instructs the server to do just that - which cancels
local authentiction.
which you resolve by putting the right entries into proxy.conf
which you resolve by putting the right entries into proxy.conf
eg
col.missouri.edu {
strip
}
Do you mean:
realm col.missouri.edu {
strip
}
?
--J
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 02/03/11 12:51, Alan Buxey wrote:
Hi,
You tried to use a regexp to parse the username (usually a mistake IMHO)
and put the domain bit into the Proxy-To-Realm attribute but
Proxy-To-Realm instructs the server to do just that - which cancels
local authentiction.
which you resolve by putting
On 02/03/11 12:41, McNutt, Justin M. wrote:
Also, here is the 'mschap' section from a recent attempt.
I don't see anything. Did you forget an attachment?
Um... yeah. I'm doing a couple of things at once. Here it is.
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request
Hi,
Found Auth-Type = EAP
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/mschapv2
[eap] processing type mschapv2
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with
NT-Password
And what happens when you try to run ntlm_auth on the command-line?
i.e. take the string printed by the server, and keep running it by
hand. Play with the various parameters until it works.
Then, configure
the server to run it with those parameters.
I dug through the debug output
this output does not match with what you claim to have been using.
please ensure that your ntlm_auth configuration is correct
and the right one is being called.
(this one in debug is looking at %{Stripped-User-Name} etc -
you claimed to be using %{mschap:User-Name}
That's a test that I
[mschap]expand:
--username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -
--username=host/dnps-caplap-4.col.missouri.edu
That is not %{mschap:User-Name}. i.e. it's misconfigured
Actually, I tried it both ways, since the longer string shown above was the
default.
[mschap]
So, in /etc/raddb/modules/mschap, set (don't include the line
continuation \ I've added):
ntlm_auth = /path/to/ntlm_auth --request-nt-key \
--username=%{mschap:User-Name} --domain=YOURDOMAIN \
--challenge=... --nt-response=...
More good news (though expected): This change did not
McNutt, Justin M. wrote:
ntlm_auth --request-nt-key --username='dnps-caplap-4$'
--domain=col.missouri.edu --challenge=(pasted-from-debug)
--nt-response=(pasted-from-debug)
The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is creating a
McNutt, Justin M. wrote:
ntlm_auth --request-nt-key --username='dnps-caplap-4$'
--domain=col.missouri.edu --challenge=(pasted-from-debug)
--nt-response=(pasted-from-debug)
The result was: NT_KEY: (long hex string)
Exactly. Now that you know what works, the only problem is
Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port
573 cli 00-90-4B-2F-80-B4)
+- entering group post-auth {...}
++[exec] returns noop
} # server campus-eap
Sending Access-Accept of id 179 to 128.206.131.253 port 20009
Cool.
Bad news:
I have a multi-domain
Hi experts,
Long time no talk!
I have another dilemma. For some reasons I want to try to use the hints file to
do Proxy (the normal way of configuring realm and proxy.conf file works). So
the following is my config:
=== hints ===
DEFAULT User-Name =~
Hi,
Does anyone have any experience of load balancing two or more FreeRADIUS
servers using the iptables CLUSTERIP target?
For those unaware, it allows a single IP address to be assigned to multiple
servers. A multicast MAC address is used so that the traffic is forwarded to
each server, then
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion.
There's no attribute you can set, so you'll need to use another
attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail). That's very
likely do-able.
I think it should be a flag -
I am trying to install freeradius-2.1.0 on a mac server (10.5.8). Make
runs fine, until it gets to the errors below. I am not a mac guy, so not
sure where to look for the cause of the error.
Making all in rlm_perl...
/usr/bin/make -C rlm_perl all
On 02/03/11 17:11, McNutt, Justin M. wrote:
%{mschap:NT-Domain} is not a real variable; it's a dynamic
expansion. There's no attribute you can set, so you'll need to
use another attribute (see my other email)
Gotcha. I'm looking into that now (based on your other e-mail).
That's very likely
Disjoint namespace is the term used if you have DNS names for windows
active directory members which are anything other than:
samaccountname.AD domain
So, if you give your hosts DNS hostnames of:
samaccountname.dept.AD domain
...this is a disjoint namespace. This is a supported
Randy Wilson randyedwil...@gmail.com wrote:
Does anyone have any experience of load balancing two or more FreeRADIUS
servers using the iptables CLUSTERIP target?
[snipped]
I have some production SMTP and FTP clusters that are load balanced in a
similar way, with Pacemaker handling the
Raymond Norton wrote:
I am trying to install freeradius-2.1.0 on a mac server (10.5.8). Make
runs fine, until it gets to the errors below. I am not a mac guy, so not
sure where to look for the cause of the error.
My main development machine is a Mac, so it should usually work.
ld warning:
Randy Wilson wrote:
I'm considering assigning a CLUSTERIP
to the servers so we can make full use of the resources. Does anyone see
any potential issues of using this with FreeRADIUS or know of any
caveats I should be aware of?
EAP won't work. It requires multi-packet round trips between
Hi,
That is brilliant! We are going to deploy a second domain this summer, I
was wondering exactly how I would make our FR server work with both. I am
definitely going to give this a try!
we just use the failover method. have 2 copies of the mschap
module - each with labels to mark
I think you'll have to do that. The tedious bit is matching
the domains in the regexps.
My advice would be to define a local, internal-only attribute in
/etc/raddb/dictionary:
ATTRIBUTE My-NT-Domain3003string
Done.
...then in your ntlm_auth helper, do:
ntlm_auth =
Holy crap, it works! I spent some time un-doing as many of the other changes
as I could find (that is, anything that deviates from the default and isn't
shown below). So what follows should be everything needed to make this work.
STEP 1: CUSTOM ATTRIBUTE
=
My advice
I'm trying to update my older radius to the new specs put out by our
upline provider. I need someone to do this for me. I'm not good with
Radius. Wish I was but am not.
This is a paying deal.
--
And I am the Iconoclast, an unconventional eccentric who marches
to a different drummer... but
Hi,
Hope someone can help me with this. I was successfully able to get
freeradius to work with Microsoft AD LDS (new version of ADAM) with PAP
and LDAP authentication. Now I'm working on getting freeradius to work
with AD LDS with MS-CHAP.Anybody know if this is possible and if you
do
Alan DeKok al...@deployingradius.com wrote:
Randy Wilson wrote:
I'm considering assigning a CLUSTERIP to the servers so we can make
full use of the resources. Does anyone see any potential issues of
using this with FreeRADIUS or know of any caveats I should be aware
of?
EAP won't work.
Hi Alan,
Document says that PDSN obtains the user attributes from RADIUS
authentication reply and PDSN then determines whether the user is an MIP
agent user through these attribute.
- hw_cdma_user_type
- hw_mipagent_mn_flags
- hw_mipagent_mn_lifetime
- hw_mipagent_ha_addr
-
Any attributes are supported by FreeRadius. They are vendor specified
attributes.
It sounds like you would need a backend database of some sort to manage this
all. But you would probably need the dictionary file from whoever the
vendor is, and figure out how you are going to issue the IP
I am trying to setup freeRadius to process requests from our Wireless
Controller. The controller uses the wireless devices MAC address as the
username, and a predefined password. These MAC addresses all excist in
Active Directory as user accounts, with the same password set. This works
fine with
Shreya Shah wrote:
Document says that PDSN obtains the user attributes from RADIUS
authentication reply and PDSN then determines whether the user is an MIP
agent user through these attribute.
sigh If you're not going to say which document, then you're wasting
our time.
Are these
robert22 wrote:
I am trying to setup freeRadius to process requests from our Wireless
Controller. The controller uses the wireless devices MAC address as the
username, and a predefined password. These MAC addresses all excist in
Active Directory as user accounts, with the same password set.
Liem Nguyen wrote:
Hope someone can help me with this. I was successfully able to get
freeradius to work with Microsoft AD LDS (new version of ADAM) with PAP
and LDAP authentication. Now I'm working on getting freeradius to work
with AD LDS with MS-CHAP.Anybody know if this is possible
44 matches
Mail list logo