Re: Source for freeradius-server-2.0.4

2012-02-10 Thread Stefan Winter
ftp://ftp.freeradius.org/pub/freeradius/old/ On 11.02.12 03:32, Charles H. Fisher wrote: > I have a heavily patched version of freeradius-server-2.0.4 that I > would like to migrate forward to the current version. This requires > that I know what changes were made to the standard 2.0.4. I have not

Source for freeradius-server-2.0.4

2012-02-10 Thread Charles H. Fisher
I have a heavily patched version of freeradius-server-2.0.4 that I would like to migrate forward to the current version. This requires that I know what changes were made to the standard 2.0.4. I have not been able to find a copy of it on the internet, and the archives on this site do not have an

RE: LDAP Binding

2012-02-10 Thread Sallee, Stephen (Jake)
If you are looking to assign users network permissions may I suggest you look into the open source enterprise NAC called PacketFence, we are using it with great success. No use reinventing the wheel, especially when you can get a really tricked out wheel for free : ) Jake Sallee Godfather of B

Optimizing ldap queries to AD using users file on freeradius 2.1.12

2012-02-10 Thread Luis Písco
Hello, I'm trying to minimize LDAP queries to Active Directory due to heavy load on the DC. 1º - Change the query in the LDAP module to not search group of group. Accomplished by using, in ldap: filter = "(samaccountname=%{Stripped-User-Name})

Re: LDAP Binding

2012-02-10 Thread Alan DeKok
NdK wrote: > Can't create "users" in AD. Just machine accounts. That's a local policy which can be changed. AD is perfectly capable of creating read-only administrator accounts. It's what everyone else does. > Maybe it's possible > to use the (or "a dedicated") *machine* account credentials

Re: LDAP Binding

2012-02-10 Thread NdK
On 10/02/2012 16:21, Phil Mayers wrote: >> Is it possible to bind to AD's LDAP using the Kerberos ticket obtained >> at join time? > This question does not make sense. Joining a domain doesn't "obtain a > kerberos ticket". It creates a machine account principal, and a shared > secret (passwor

Re: VMPS fallback vlan

2012-02-10 Thread Walter Gould
On 02/09/2012 11:40 AM, Phil Mayers wrote: On 09/02/12 15:49, Walter Gould wrote: All, I have FR vmps configured to query postgresql for a mac address and return the vlan that is assigned to it. That is working well. However, I would like to configure vmps to return a "fallback" or guest vlan f

Re: how to disable a particular EAP type in freeradius2 for a particular ESSID ?

2012-02-10 Thread Alan Buxey
Yes. Perfectly possible...just need to make copies of the 'files' module file, then give it its name (as per docs), then put a different users file in the second copy. In the virtual server you can then call the copy of the files module that uses that different file. Personally I'd just use one

Re: Another LDAP/MSCHAPv2 problem

2012-02-10 Thread Alan Buxey
Hmmm. Don't update User-Name. Set or update Stripped-User-Name instead and use that in the mschap auth. Actually I'm sure by default the system understands these user names, so as long as you use %{mschap:User-Name} you'll be using the correct value in that place. We do machine auth to multip

Freeradius GUI admin tool for SQL user entries?

2012-02-10 Thread Peter Moreton
Having got a working FreeRADIUS + MySQL setup, with usernames and MD5 password hashes being held in the radcheck SQL table, I'm now wondering if there is any neat GUI admin tool to allow our sysadmins to add users, update passwords etc. without having to key SQL statements? Thanks

Re: LDAP Binding

2012-02-10 Thread Phil Mayers
On 10/02/12 14:38, NdK wrote: Hello all. Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? This question does not make sense. Joining a domain doesn't "obtain a kerberos ticket". It creates a machine account principal, and a shared secret (password) that ca

Re: LDAP Binding

2012-02-10 Thread Alan DeKok
NdK wrote: > Is it possible to bind to AD's LDAP using the Kerberos ticket obtained > at join time? No. The LDAP API doesn't support that. > That would allow to search for group membership without spawning more > processes... Huh? You can configure AD as an LDAP server, and do group member

Re: Another LDAP/MSCHAPv2 problem

2012-02-10 Thread Phil Mayers
On 10/02/12 14:36, Francois Gaudreault wrote: Hi Phil, Still no go. Now EAP complains : [eap] Identity does not match User-Name, setting from EAP Identity. Oh dear... I'll need to test this, but I have a horrible feeling you're between a rock & hard place here - EAP identity check is des

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.
Thoughts? Opinions? Better ways to accomplish any/all of this? Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct "DOM\user" format. Or make 'em

Re: Multi-domain AD and Users Who Aren't So Bright

2012-02-10 Thread McNutt, Justin M.
From: Phil Mayers <p.may...@imperial.ac.uk> Reply-To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Date: Thu, 2 Feb 2012 14:09:30 + To: <freeradius-users@lists.freeradius.org> Subject: Re: Multi-domain AD and Users Who Aren't So Bright On 02/02

LDAP Binding

2012-02-10 Thread NdK
Hello all. Is it possible to bind to AD's LDAP using the Kerberos ticket obtained at join time? That would allow to search for group membership without spawning more processes... Tks, Diego. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Another LDAP/MSCHAPv2 problem

2012-02-10 Thread Francois Gaudreault
Hi Phil, Still no go. Now EAP complains : pap] Config already contains "known good" password. Ignoring Password-With-Header [pap] Normalizing NT-Password from hex encoding [pap] WARNING: Auth-Type already set. Not setting to PAP ++[pap] returns noop ++? if (User-Name =~ /^host\/([^.]+)/) ?

Re: how to disable a particular EAP type in freeradius2 for a particular ESSID ?

2012-02-10 Thread Phil Mayers
>I cannot have two separate users files, the users file is common to both > >virtual servers. >Is there a way to have a users file for each virtual server? >I did not find that it is possible from the documentation. > > >Ricdk Yes you can. This is a core feature of the server. You need to look at the doc

Re: how to disable a particular EAP type in freeradius2 for a particular ESSID ?

2012-02-10 Thread Riccardo Veraldi
On 2/10/12 12:57 PM, Phil Mayers wrote: On 10/02/12 11:33, Riccardo Veraldi wrote: Hello, I have a radius infrastructure with multiple ESSIDs. In particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam

Re: how to disable a particular EAP type in freeradius2 for a particular ESSID ?

2012-02-10 Thread Phil Mayers
On 10/02/12 11:33, Riccardo Veraldi wrote: Hello, I have a radius infrastructure with multiple ESSIDs. In particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam and the other for my local ESSID. Both a

how to disable a particular EAP type in freeradius2 for a particular ESSID ?

2012-02-10 Thread Riccardo Veraldi
Hello, I have a radius infrastructure with multiple ESSIDs. In particular I have the eduroam ESSID and another local ESSID. They are managed by my freeradius2 server with 2 virtual-server instances, one for eduroam and the other for my local ESSID. Both are 802.1X infrastructures. I have always

Re: Receiving Pseudonym Identity for EAP-SIM

2012-02-10 Thread Phil Mayers
On 02/09/2012 11:56 PM, Rami AlZaid wrote: rlm_eap: No EAP Start, assuming it's an on-going EAP conversation I know nothing about EAP-SIM, but I don't think this message matters; you see it all the time in debugs, and I think you can ignore it.

Re: Another LDAP/MSCHAPv2 problem

2012-02-10 Thread Phil Mayers
On 02/09/2012 07:55 PM, Francois Gaudreault wrote: Doing the MS-CHAP-User-Name change got me this error : mschapv2] # Executing group from file /etc/raddb/sites-enabled/packetfence-tunnel [mschapv2] +- entering group MS-CHAP {...} [mschap] Found NT-Password [mschap] ERROR: User-Name (host/dti-da