Arran Cudbard-Bell wrote:
> Hmm RFC 5080 expounds a bit more on Clients and attribute processing:
>
> In general, it is best for a RADIUS client to err on the side of
> caution. On receiving an Access-Accept including an attribute of
> known Type for an unimplemented service, a RADIUS cl
Paul Stewart wrote:
> I will roll a ticket with Juniper as their MX series in my testing does
> **not** ignore additional VSA’s – I just proved it out in our lab.
What does it do?
I suppose I shouldn't be surprised at the crazy things people do to
break RADIUS.
Alan DeKok.
Thanks so much for that info. I did roll a ticket with Juniper and will
follow up with them. If anything of substance comes out of this I'll be
sure to share back to the list for other Juniper users to benefit from ;)
Paul
From: freeradius-users-bounces+paul=paulstewart@lists.freera
This is basically what we've decided. Assuming there are no more issues with
management, we're going to set up a separate CA for RADIUS that only signs the
server certs for the RADIUS servers.
Thanks to all for the replies. Very useful!
--J
From: Christ Schlacta <li...@aarcane.org>
Re
Thanks to all for the responses so far. I'm still reading through them.
In my case, guests are given a WEP key (which just keeps the "Automatically
Connect to Open Networks" devices away) and allowed to connect to a guest SSID
which has a separate Internet drain, policies, limitations, etc. To
Hello all,
I recently went through a problem concerning
Acct-Interim-Interval that, for some reason, was not being set for some of my
clients. The result was catastrophic inside my network. Hopefully and been
helped by Fajar A. Nugraha (which I thank for the time spe
Hmm RFC 5080 expounds a bit more on Clients and attribute processing:
In general, it is best for a RADIUS client to err on the side of
caution. On receiving an Access-Accept including an attribute of
known Type for an unimplemented service, a RADIUS client MUST treat
it as an Access-R
Hi Paul,
Just double checked and found this is actually only a 'must' requirement for
servers, unfortunately the requirements for clients are that they 'should'
ignore unknown VSAs and attributes of an unknown type. I'm not entirely sure
why that is, seems pretty dumb to me to reject a user if
Fajar,
I found the problem... It's Acct-Interim-Time that is not set for
some groups and I can't find why... I am solving the problem now... Thank
you for your help!
--
> -Original message-
> From: freeradius-users-bounces+listas.nata=cnett.com...@lists.freeradius.org
>
Thank you for answering that question 100% - much appreciated.
I will roll a ticket with Juniper as their MX series in my testing does
*not* ignore additional VSA's - I just proved it out in our lab. Their ERX
series in particular does ignore additional VSA's and a Cisco 7206VXR I just
tested a
>
> So far I have tested this on a Juniper ERX and it simply ignores the Cisco
> attributes, which was what I’m hoping for.
>
It has to, according to RFC 2865; if it doesn't, open a support call with Juniper.
> I plan to float some Juniper attributes towards some Cisco gear at some point
>
Hi there.
Thank you to those folks who helped me recently in understanding the Juniper
attributes etc - much appreciated.
What are the practical issues with a users file entry that is mixing vendor
attributes? I.e.
pstewart-stat Auth-Type = System
Service-Type = Framed,
F
Fajar wrote:
>
> In FR-2.x you should be able to use
>
> DEFAULT Client-Shortname == ap-2000-cd6, Auth-type := reject,
> Fall-Through = yes
Turns out the guest network is on a separate wireless VLAN, not on separate
access points as first thought.
Based on the debug output down below, c
Just make your user radcheck sql query return:
User-Name = "scott"
Auth-Type := Accept
That should be enough.
On 30/01/2012 13:51, Mika wrote:
Hello.
Running 2.1.10 with virtual-servers configured with many port
configurations, sql modules loaded and working.
The idea for this new port is:
On Mon, Jan 30, 2012 at 8:47 PM, Nataniel Klug wrote:
>> And what does freeradius debug log say?
>
> [Nataniel Klug] This is a production server and I can't run it in debug mode
> (-X) and as it's not been a common problem it appears just once or twice
> during a day I can't be monitoring it all th
> And what does freeradius debug log say?
>
> --
> Fajar
[Nataniel Klug] I've set my debug_level to 2 and now it's recording in
radius.log. I will look into it when the problem appears.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello.
Running 2.1.10 with virtual-servers configured with many port
configurations, sql modules loaded and working.
The idea for this new port is:
Users authenticating with smartcards that get checked outside the FreeRadius
and we want to permit/deny access if the user-name does or does not exist
Hello Fajar,
Thank you for your reply. I will answer below:
> So you have ONLY one instance of sqlippool, backed by postgresql?
>
> If you don't use mysql for sqlippool then it's not relevant for this
> discussion.
> Focus on what you use for sqlippool
[Nataniel Klug] It's true, I
On Mon, Jan 30, 2012 at 7:43 PM, Nataniel Klug wrote:
> I’ve been using Freeradius for a long time and about 5 months
> ago I made a change in my default layout so I could use Freeradius SQL-IPPool
> running over PostgreSQL.
So you have ONLY one instance of sqlippool, backed by p
19 matches