I've attached android, windows 7, macosx, and ubuntu linux to an eap-tls
network using wpa2-eap-tls, which requires client and CA certs. it's no
issue once you know what you're doing. the hardest part is the nearly
complete lack of documentation for any OS except linux. you're limited
to wha
Self-signed provides stronger security in most cases. I'm using
self-signed here, and distributing a certificate to unmanaged user
devices is as easy as placing a p12 file on a USB drive and requiring
users to stop by ops before getting on wireless. If you're using a
public CA to sign certs,
My RHEL 5.7 is only a 30-day evaluation, there won't be any support. Just
trying it and doing some learning at home.
At work we use RHEL 5.6; when we set up the new server, if the same
SELinux problem occurs, I will try the support procedures.
Thanks
Eric
Hi,
> Everything works perfect except the conditional checking for
> Client-Shortname. I tried using:
>
> *if (Client-Shortname =~ /^localhost/) {*
that's wrong
> It didn't work saying Client-Shortname as unknown attribute.
>
> Again I tried using:
>
> * if ("%{client: shortname}" =~ /^localho
On Fri, Jan 27, 2012 at 12:49 AM, Ski Mountain
wrote:
> It was simply installed from the ubuntu repository with aptitude.
>
> Does this mean that I should just try compiling a new version of freeradius
> from source,
Yes, if you know how to build from source.
Or take a look at https://launchpa
On Thu, Jan 26, 2012 at 10:14 PM, tonimanel
wrote:
> Hi guys,
>
> I have a problem with my freeradius service. I would like to get that
> freeradius sends to my NAS the session-timeout attribute. Can you tell me
> how I could get it?
Just put it in radreply :)
I think you meant this though: http
Thanks a lot again for showing me the direction.
Everything works perfectly except the conditional checking for
Client-Shortname. I tried using:
*if (Client-Shortname =~ /^localhost/) {*
It didn't work saying Client-Shortname as unknown attribute.
Again I tried using:
* if ("%{client: shortname}
It was simply installed from the ubuntu repository with aptitude.
Does this mean that I should just try compiling a new version of freeradius
from source, and if the source version does not work, compile it to enable core
dumps.
Thanks
- Original Message -
From: Alan DeKok
To: Sk
On 01/26/2012 04:42 PM, Phil Mayers wrote:
3. Run the LDAP module, then compare the attribute. Note - because
you've mapped the item to check/control lists, you can't use a "users"
file - you must use unlang, like so:
Damn, sorry, this should be:
authorize {
...
ldap
if (control:My-Ext
On 01/26/2012 02:41 PM, suggestme wrote:
## I tried using Called-Station-Id to check the condition; which is ok for
now for testing ; but which I guess is not feasible if there are thousands
of NAS devices. I don't know what would be best test condition for this.
There are many options. You co
On 01/26/2012 06:33 AM, Alan Buxey wrote:
Hi,
yes but as already said, RHEL SElinux policy should already be fine for this
It's been a while since I looked, but when I did the RHEL5 SELinux
policy was good for nothing except very, very basic FreeRADIUS usage.
Has that changed now? Using "ses
Ski Mountain wrote:
> I am testing out authentication with radtest. If I send the wrong group
> password I get "invalid Message-Authenticator" which is what I expect, the
> second I put in the correct password I get the "Segmentation fault"
>
> Is this a known issue, or am I screwing something
I am testing out authentication with radtest. If I send the wrong group
password I get "invalid Message-Authenticator" which is what I expect, the
second I put in the correct password I get the "Segmentation fault"
This is on Ubuntu 10.04.3 LTS.
Is this a known issue, or am I screwing so
Hello, I'm using a Perl script to authenticate in a web service. My script
works with the web service, but I want my script to authenticate in
a freeradius server. I don't know which files I must modify and what I must
modify to make it work. Thanks for your answers.
--
Fabricio A. Flores G.
Egr
sorry, I found my mistake and it was on the AP device. The "outer.reply" works
fine.
But I still want to understand how this works, so if somebody can share a link
that explains how variables work in detail, it will be appreciated.
Thanks.
Gonzalo.
Hi guys,
I have a problem with my freeradius service. I would like to get that
freeradius sends to my NAS the session-timeout attribute. Can you tell me
how I could get it?
This is the output result:
FreeRADIUS Version 2.1.10, for host i486-pc-linux-gnu, built on Nov 14 2010
at 20:41:03
Copyrig
Hi,
I had implemented the idea given by Phil for authorizing the users of Active
directory to use VPN or Wifi or whatever for which they are for depending
upon the value of Active directory's "extensionAttribute10" attribute as:
## /usr/local/etc/raddb/modules/ldap:
filter =
"(&(extensionAttribu
NdK wrote:
> Been confused by the error: it pointed to the last line of the chain,
> not to the *first* closing brace followed by a keyword, forming an
> invalid entry. BTW, it stays unclear why the keyword can't be on the
> same line with the closing brace. Can't figure out unlang's grammar in EBN
Il 26/01/2012 12:24, Phil Mayers ha scritto:
> You can re-use bits of "unlang" as virtual modules. See "policy.conf".
> This is often a bit neater than $INCLUDE.
Perfect! Exactly what was needed.
> FreeRADIUS config is basically:
[...]
> "if", "elsif" are just blocks. Blocks need to start on thei
Hi,
> > yes but as already said, RHEL SElinux policy should already be fine for this
>
> It's been a while since I looked, but when I did the RHEL5 SELinux
> policy was good for nothing except very, very basic FreeRADIUS usage.
>
> Has that changed now? Using "sesearch" I don't for example see
On 01/26/2012 09:36 AM, NdK wrote:
Since it seems I have to do EXACTLY the same mapping both in "default"
and "inner-tunnel" sites, I saved my "if" chain in unibo.map and used
$INCLUDE to insert it in both virtual servers, just after the opening
brace of authorize. Hope it's the correct thing to
On 01/26/2012 01:43 AM, Matthew Newton wrote:
Public CA - easier as you don't have to distribute the CA cert.
You're open to spoofing attacks where someone can get another cert
from the same CA and put it on a rogue RADIUS server. These days
it seems anyone can get a public-CA certificate for a
On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
So I'm getting some pushback in my organization against using a
self-signed CA for signing my RADIUS server certs. To make a long
story short, I was asked to find out what other people were doing.
This has been discussed extensively on the list!
On 01/26/2012 10:27 AM, Alan Buxey wrote:
Hi,
I guess we have a winner:
setsebool -P radiusd_disable_trans=1
yes but as already said, RHEL SElinux policy should already be fine for this
It's been a while since I looked, but when I did the RHEL5 SELinux
policy was good for nothing except ve
Il 26/01/2012 10:40, Alan DeKok ha scritto:
> NdK wrote:
>> Too bad it seems unlang doesn't like :
>> if (cond) {
>> ...
>> } elsif (othercond) {
>
> Perhaps you could try reading "man unlang" to learn its syntax.
Been confused by the error: it pointed to the last line of the chain,
not to the
I did some reading on SELinux... but there are pages and pages of info, and
with my limited Linux skills... I hardly understand a thing...
I'd welcome any instructions anyone has that I can try.
Thanks
Eric
Hi,
> I guess we have a winner:
> setsebool -P radiusd_disable_trans=1
yes but as already said, RHEL SElinux policy should already be fine for this
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
First I set SELinux back to enforcing
reboot & test (not working, fail to auth)
setsebool -P radiusd_disable_trans=1
reboot & test (everything works fine)
---lets try disable postgresql instead of radiusd
setsebool -P radiusd_disable_trans=0
setsebool -P postgresql_disable_trans=1
reboot &
NdK wrote:
> Too bad it seems unlang doesn't like :
> if (cond) {
> ...
> } elsif (othercond) {
Perhaps you could try reading "man unlang" to learn its syntax.
> That seems quite a serious limit in the unlang grammar...
Sure. It can't parse Perl, Python, Ruby, C, or any other invented
gram
Il 25/01/2012 20:54, Phil Mayers ha scritto:
>> [...]
>> So I *can* insert unlang code there! Perfect!
> No. This is not "unlang". It's just a string expansion.
Yup. Sorry, I was referencing the cut part.
> Unlang is a processing "language" that is only valid inside the virtual
> server "authoriz
Hi,
>Is it possible to sort accounting attributes and values in a certain order
>under the detail files ?
you really might want to look at using SQL to store accounting
rather than using flat detail files if there is some sort/select
stuff you need to do with the records..
alan
hi,
self-signed CA. the authentication is a closed-loop system. the only people
that need to trust your RADIUS server for authentication are your own
users (unlike eg a public web server). you have full control of your
own CA..and know its policies. With an external CA you are a slave to their
rep
I mean I did #2, disabled SELinux entirely
Hi,
that's a discussion / holy war admins are fighting over for *years* in
the eduroam roaming consortium.
I agree with all what was said in the thread, regarding security vs.
convenience.
Just to add one thing to the mix: if you allow "bring your own device"
for your network, you'll have much l
I have done number 1 :(
Let me try number 2 now, and see what happens.
btw my setup is:
Red Hat Enterprise Linux Server 5.7
FreeRADIUS 2.1.7
PostgreSQL 9.1.2