Matija Levec wrote:
> What should be configured for radius to also send EAP-Key-Name AVP?
Nothing.
RFC 4072 says:
The EAP-Key-Name AVP (Radius Attribute Type 102) is of type
OctetString. It contains an opaque key identifier (name) generated
by the EAP method. Exactly how this name
On Thu, Feb 23, 2012 at 08:43:09PM +, vw5...@yahoo.no wrote:
> On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> > 2. configured ttls/server cert password in eap.conf and everything worked
> > fine. Then I read somewhere that username/password authentication alone is
> > not secure as s
Frankly I have no idea. If I understand correctly EAP-Key-Name / MSK value
should be generated somewhere along EAP process when using EAP-TLS or PEAP...
I'm also aware that there are very few radius servers that already support
that. I was only hoping that FR is one of them. ;)
Kind regards,
M
- Original Message -
From: Matthew Newton
To: FreeRadius users mailing list
Cc:
Sent: Thursday, 23 February 2012, 11:49
Subject: Re: freeradius eap-ttls user/pass + cert
Hi,
On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> 2. configured ttls/server cert password in eap.con
> Hi,
>
> > Is there a function within FR to schedule certain attributes to be
> > returned in the Access-Accept reply?
> >
> > Essentially we return a QoS VSA along with VLAN information on a
> > successful auth, however between certain times of day there is more
> > available bandwidth so to be
On 23/02/12 16:26, Matija Levec wrote:
What should be configured for radius to also send EAP-Key-Name AVP?
AFAIK that is not implemented yet.
I've only skimmed them, but AFAIK most AAA servers and EAP methods don't
generate EAP-Key-Name yet. I'm not sure what the correct value for this
att
I was set up the chili (Proxy) connected to the radius and then it was
attribute Colubris-AVPair := "max-input-rate=4096" and Colubris-AVPair +=
"max-output-rate=4096" so I cannot control bandwidth because my proxy accept
only WISPr-Bandwidth-Max-Down.
How to modify it.
The reason why radius re
Hello everyone,
I'm trying to configure MACsec (per
http://www.cisco.com/en/US/prod/collateral/iosswrel/ps6537/ps6586/ps6638/deploy_guide_c17-663760.pdf
) in a test lab using cisco supplicant & switch and freeradius 2.1.12.
Cisco docs say: "The CAK is delivered in the RADIUS vendor-specific att
Hi,
> Is there a function within FR to schedule certain attributes to be
> returned in the Access-Accept reply?
>
> Essentially we return a QoS VSA along with VLAN information on a
> successful auth, however between certain times of day there is more
> available bandwidth so to be kind to our use
Hello,
Is there a function within FR to schedule certain attributes to be
returned in the Access-Accept reply?
Essentially we return a QoS VSA along with VLAN information on a
successful auth, however between certain times of day there is more
available bandwidth so to be kind to our users we'd l
> -Original Message-
> From:
> freeradius-users-bounces+bjulin=clarku@lists.freeradius.or
> g
> [mailto:freeradius-users-bounces+bjulin=clarku.edu@lists.freer
> adius.org] On Behalf Of Alan DeKok
> Sent: Thursday, February 23, 2012 10:31 AM
> Subject: Re: RadSec FR3.0 to Radiator:
Brian Julin wrote:
> After merging this (and a bunch of other stuff that had built up) and
> rebuilding, this happens:
Oops. Do a "git pull", and I think it should be fixed.
Thanks for the GDB backtrace. That helped.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradi
Thanks for looking into this, Alan.
After merging this (and a bunch of other stuff that had built up) and
rebuilding, this happens:
Thu Feb 23 10:02:13 2012 : Debug: Opening new proxy (, 0) ->
home_server (XXX, 2083)
Thu Feb 23 10:02:13 2012 : Debug: Trying SSL to port 2083
T
On Thu, Feb 23, 2012 at 12:47 PM, Listas Angelo
wrote:
> Hello,
>
> I have an environment with this situation, follow my confs:
I don't think that just having the columns in the sql table is enough.
You probably have a custom setup of some sort ! :) Using == as
operator seems to have solved my iss
Hi,
On Thu, Feb 23, 2012 at 02:09:50AM -0800, grub3r wrote:
> 2. configured ttls/server cert password in eap.conf and everything worked
> fine. Then I read somewhere that username/password authentication alone is
> not secure as some information is passed in clear text?!
You need to decide what a
Hello,
I have an environment with this situation, follow my confs:
mysql> select * from radcheck WHERE `username` = 'joao';
++--+++-+---+-+--++
| id | username | attribute | op | value | macaddress
ok, this setting is in the users file right?
But I need to configure only there? The radius will fetch groups defined in the
users in my database?
Thank you,
De: freeradius-users-bounces+angelo-listas=prolinx.com...@lists.freeradius.org
[mailto:freeradius-users-bounces+angelo-listas=prolinx
Hi All,
Firstly I wanted to thank freeradius-devs for the tremendous job they are
doing.
And to the question itself:
I had been planning to configure freeradius to be able to authenticate users
by username/password from users-file.
1. I followed the readme-file under certs and made ca, server
> No. See "man unlang" for the meaning of the operators. You did NOT
> configure a check against a specific MAC. You used ":=" instead of "=="
Damn, thanks again, noted on my wiki so I won't forget the next time.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Brian Julin wrote:
> We're piloting RadSec as a federation server uplink. They use Radiator.
> When we first attempted to connect we'd get
> a "Received packet will be too large!" carp from main/tls.c. They checked on
> their end and say they have no fragment
> size option for RadSec TLS conn
Stefan Winter wrote:
> The RADIUS/TLS wrapper around those datagrams is not size-limited at all
The TLS protocol sends data in packets with headers. Those packets
can be up to 64K in length.
The TLS code in FreeRADIUS was originally based on the EAP-TLS code.
The EAP-TLS packets run over eth
S Adrian wrote:
> You'll notice that even though I added in radcheck Calling-Station-Id
> to be 11:22:33:44:55:66,
> trying with radclient got me accepted ( even though I specified
> 11:22:33:44:55:77 )
No. See "man unlang" for the meaning of the operators. You did NOT
configure a check agains
Alan Buxey wrote:
> interesting... a RADSEC packet can be much bigger than that too - 2048 gives
> some room for a big
> certificate - but not if it's double-chained with intermediate and it's got a
> nice security size
> instead of being a little 512bit RSA one. typically EAP-TLS can be
> fragme
23 matches