Gary Gatten wrote:
> I can’t find where this conditional processing is happening. I have two
> FR servers with “nearly” the same config. Auth works on one, but not
> the other:
Posting 2-3 lines of debug output doesn't help.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freera
john.hayw...@wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
>a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE while there was
>a response sent back to the client but there was no message in the
>response.
It's more complicated. T
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6
> > --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_aut
--On 04 March 2011 12:34 -0500 John Douglass
wrote:
Group,
Recently, my AD servers were patched by another support group and this
caused a (small but noticeable) service outage for our WPA radius
services (Radius 2.1.9)
I can think of two things to investigate:
* Recent Samba can do winb
Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel, - I
think...
From: Paulo Maia [mailto:phc.m...@gmail.com]
Sent: Friday, March 04, 2011 06:43 PM
To: FreeRadius users mailing list
Subject: Re: Freeraidus 2
Did you compile it or install it via yum? It is usually in $RADIUSDIR/m
On 03/05/2011 12:21 AM, Gary Gatten wrote:
I kinda like your caching idea, but not sure of any security
implications.
It's not a workable idea. MSCHAP responses are specific to the 8-byte
random challenge, which is different every time. You can't cache them.
I have (2) FR servers (each point
Did you compile it or install it via yum? It is usually in $RADIUSDIR/modules/ldap
Regards,
2011/3/4 Usuário do Sistema
> Hello everyone, I'm Maicon from Brazil.
>
> I'm in a project with Freeradius. I want to deploy authentication with
> certificate from my wireless users EAP-TLS but I'm finding some
I kinda like your caching idea, but not sure of any security implications.
I have (2) FR servers (each pointing to different DC) and my NAS's are
configured to use both. But, iirc if AD is down on the backend FR still
replies (with something) so the NAS never rolls over to the other FR server.
I can't find where this conditional processing is happening. I have two FR
servers with "nearly" the same config. Auth works on one, but not the other:
Both servers set auth type to MS-CHAP:
"[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok"
Everything is
See comments below - johnh...
Phil Mayers wrote:
On 04/03/11 09:46, Alan DeKok wrote:
Isn't that what this code does in rlm_eap_mschapv2.c:
It's *supposed* to add the error message. But so far as I can see,
it's never called when the PW_MSCHAP_ERROR is used.
Perhaps I'm mis-reading it?
Felix Sanchez wrote:
> Hi,
>
> I'm trying to write some unlang code inside the authorize section inside
> the radiusd.conf but I keep receiving "Line is not in 'Attribute = value'
> format
>
> if (Called-Station-Id == "rlmA")
> {
The parser isn't that smart.
if (Called-Station-Id == "rlm
Thanks for the pointers. Freeradius is working fine now against OD.
How would I disable the old radius start up script and enable the new
one instead?
On 03/04/2011 10:35 AM, Alan DeKok wrote:
Raymond Norton wrote:
Thanks. I understood that. It seems there was an old version of
freeradi
Group,
Recently, my AD servers were patched by another support group and this
caused a (small but noticeable) service outage for our WPA radius
services (Radius 2.1.9)
I am curious how others who are using AD as their backends have either
configured smb.conf/winbind/radius in order to do hig
Hi,
I'm trying to write some unlang code inside the authorize section inside the
radiusd.conf but I keep receiving "Line is not in 'Attribute = value' format
if (Called-Station-Id == "rlmA")
{
.
}
Basically I need to proxy the request using the Called-Station-Id to another
radius server, any sug
Raymond Norton wrote:
> Thanks. I understood that. It seems there was an old version of
> freeradius installed on the server by default. I'm no mac head, and am
> trying to figure out how to remove it.
$ rm ...
Alan DeKok.
Thanks. I understood that. It seems there was an old version of
freeradius installed on the server by default. I'm no mac head, and am
trying to figure out how to remove it.
On 03/04/2011 10:10 AM, Alan Buxey wrote:
Hi,
tls: dh_file = "/private/etc/raddb/certs/dh"
tls: random_file =
Hi,
> tls: dh_file = "/private/etc/raddb/certs/dh"
> tls: random_file = "/private/etc/raddb/certs/random"
> tls: fragment_size = 1024
> tls: include_length = yes
> tls: check_crl = no
> tls: check_cert_cn = "(null)"
> tls: cipher_list = "(null)"
> tls: check_cert_issuer = "(null)"
>
It seems freeradius 1.3 was already installed automatically when the
server was first set up, and I just installed version 2.1.1 from source.
Do you know off hand how to uninstall the old version?
Not finding how to do that.
On 03/04/2011 09:33 AM, Alan DeKok wrote:
Raymond Norton wrote:
Raymond Norton wrote:
> I have a tendency to over complicate things with freeradius, so I will
> just post my error on my first start up:
>
> I understand the dummy certs are created when launching radiusd -X, but
> not sure how to fix the missing dh file without creating new ones. Is
> the unkno
I have a tendency to over complicate things with freeradius, so I will
just post my error on my first start up:
I understand the dummy certs are created when launching radiusd -X, but
not sure how to fix the missing dh file without creating new ones. Is
the unknown module "eap" error because
Hi Alan Dekok or anyone,
I haven't got a reply on this one yet... I was able to do it before but not
anymore... I'm really curious to know why...
Thank you!
Difan
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-us
James J J Hooper wrote:
...
> *** With a locked out user it does:
>
> server eduroamlocal-inner {
> Exec-Program output: Account locked out (0xc234)
> Exec-Program-Wait: plaintext: Account locked out (0xc234)
> Exec-Program: returned: 1
> rlm_eap_mschapv2: No MS-CHAPv2-Success or MS-CHAP-
Hi Alan,
I did try and re-use the config files. That's how I got the PEAP and
MD5 protocols working.
I'm running the same client on a different box and the updated
freeradius version on another box as well. That's all that changed.
I'm testing a product which is acting as the authenticator and
--On Friday, March 04, 2011 13:32:35 +0100 Alan DeKok
wrote:
Alan DeKok wrote:
James J J Hooper wrote:
rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
rlm_eap_mschapv2.c:658: error: called object is not a function
rlm_eap_mschapv2.c:658: error: too few arguments to function
`pair
Alan thank you so much for your helps not only on this one but all others as
well!
-Original Message-
From: freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org
[mailto:freeradius-users-bounces+difan.zhao=guest-tek@lists.freeradius.org]
On Behalf Of Alan DeKok
Sen
Hello everyone, I'm Maicon from Brazil.
I'm in a project with Freeradius. I want to deploy authentication with
certificate from my wireless users EAP-TLS but I'm finding some difficulty.
Is there a good how-to for version 2? I've started with version 1.x but
decided to change for version 2 an
Alan DeKok wrote:
> James J J Hooper wrote:
>>> rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
>>> rlm_eap_mschapv2.c:658: error: called object is not a function
>>> rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'
>> I've added the missing comma, and it's building
Phil Mayers wrote:
> On 04/03/11 09:46, Alan DeKok wrote:
> Isn't that what this code does in rlm_eap_mschapv2.c:
It's *supposed* to add the error message. But so far as I can see,
it's never called when the PW_MSCHAP_ERROR is used.
> Perhaps I'm mis-reading it?
Nope. It's just never used.
James J J Hooper wrote:
>> rlm_eap_mschapv2.c: In function `mschapv2_authenticate':
>> rlm_eap_mschapv2.c:658: error: called object is not a function
>> rlm_eap_mschapv2.c:658: error: too few arguments to function `pairmove2'
>
> I've added the missing comma, and it's building now :-)
Then
On 04/03/11 09:46, Alan DeKok wrote:
Phil Mayers wrote:
The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
Really? I don't see that.
Isn't that what this code does in rlm_eap_mschapv2.c:
static int eapmschapv2_compose(EAP_HANDLER *handler, VALUE_PAIR *r
--On Friday, March 04, 2011 12:04:51 + James J J Hooper
wrote:
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok
wrote:
James J J Hooper wrote:
That could be fixed for 2.1.11, I guess. If someone can test it...
Yes please, and will do.
Try this patch. You should see
--On Friday, March 04, 2011 11:49:50 +0100 Alan DeKok
wrote:
James J J Hooper wrote:
That could be fixed for 2.1.11, I guess. If someone can test it...
Yes please, and will do.
Try this patch. You should see "MSCHAP Failure" in the debug log,
where it wasn't there before.
Try
James J J Hooper wrote:
>> That could be fixed for 2.1.11, I guess. If someone can test it...
>
> Yes please, and will do.
Try this patch. You should see "MSCHAP Failure" in the debug log,
where it wasn't there before.
Try it for normal && accounts which are locked out (SMB-Account-Ctrl
Hi,
> home_server localhost {
> ipaddr = 127.0.0.1
> port = 1812
> type = "auth"
> secret = "testing123"
> response_window = 20
> max_outstanding = 65536
> require_message_authenticator = no
> ...
>
> Is this secret what is being used by th
--On 04 March 2011 10:46 +0100 Alan DeKok wrote:
Phil Mayers wrote:
The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
E=691 R=0
Really? I don't see that.
What I do see is that it doesn't copy the MS-CHAP-Error into the TLS
tunnel.
That could be fixed for 2
Phil Mayers wrote:
> The FreeRadius EAP-MSCHAP (rlm_eap_mschap) has a hardcoded error message:
>
> E=691 R=0
Really? I don't see that.
What I do see is that it doesn't copy the MS-CHAP-Error into the TLS
tunnel.
That could be fixed for 2.1.11, I guess. If someone can test it...
Alan
I am asking that it be configurable as to how many retries are allowed
(eg how many E=691 R=1) before a no retries failed authentication
message (E=691 R=0) is sent.
Ah gotcha. Thanks for the detail!
As Alan has suggested in his other email, you can change the
"MS-CHAP-Error" in the post-au
On 03/04/2011 01:32 AM, robert22 wrote:
Phil Mayers wrote:
Are you sure the mschap client is using the right password, and matches
the password in the domain?
Can you do a plaintext auth with the password you expect it to be?
ntlm_auth --username= --password=
Works fine with plaintext aut
robert22 wrote:
> Interestingly, when I launch freeradius -X for debug mode, I see the
> following in the startup info:
...
> Is this secret what is being used by the freeradius?? As I have no idea
> where this is coming from as I have replaced all instances of the
> "testing123" in all of the conf
Tim McNabb wrote:
>
> Hi there! I'm running FreeRADIUS 2.1.7, I was wondering if it is
> possible to forward accounting packets to another server while also
> keeping the packets on the local machine. I'm working on integrating a
> Netsweeper appliance and the company is saying that I need to
Difan Zhao wrote:
> Another quick question: Can I group users in the “users” file and assign
> the group reply attributes instead of to each individual user?
No. See "man rlm_passwd" for examples of creating server-side groups.
Alan DeKok.
Tim McNabb wrote:
> Hi there! I’m running FreeRADIUS 2.1.7, I was wondering if it is
> possible to forward accounting packets to another server while also
> keeping the packets on the local machine.
raddb/sites-available/copy-acct-to-home-server
This is documented.
Alan DeKok.
Difan Zhao wrote:
> Anyway I need to proxy some requests to remote home server. I also need
> to assign the users to specific VLANs (with some attributes) if they are
> successfully authenticated by the remote home server. When I was using
> the SQL Alan told me to uncomment “sql.authorize” in the
john.hayw...@wheaton.edu wrote:
> I am asking that it be configurable as to how many retries are allowed
> (eg how many E=691 R=1) before a no retries failed authentication
> message (E=691 R=0) is sent.
The answer here is to use a database. FreeRADIUS doesn't keep track
of any long-term data.
44 matches