I have a working RADIUS server for localhost lookup, but when I try and
authenticate with my HP Procurve 420 Wireless Access Point using these wireless
connection methods with Ubuntu 10.04LTS:
Wireless Security: WPA & WPA2 Enterprise
Authentication: Tunneled TLS | Protected EAP (PEAP)
Anony
On 03/30/2012 05:46 PM, Stefan Winter wrote:
Please don't write private mail to me with FreeRADIUS questions.
Forwarding to freeradius-users.
Original Message
Subject:ldap-radius integration
Date: Fri, 30 Mar 2012 12:35:53 -0700
From: exu...@gmail.com
To: stefan
>
> could you give me some reference material or the steps involved in integrating
> radius and ldap?
> I am stuck with the error
> [ldap] bind as
> cn=Manager,ou=radius,dc=example,dc=com/{SSHA}N0HDoA07iBXb/qW6JmhxnkUeTkVex1mN
> to 127.0.0.1:389
> [ldap] waiting for bind result ...
> [ldap] L
Please don't write private mail to me with FreeRADIUS questions.
Forwarding to freeradius-users.
Original Message
Subject:ldap-radius integration
Date: Fri, 30 Mar 2012 12:35:53 -0700
From: exu...@gmail.com
To: stefan.win...@restena.lu
could you give me some re
On Fri, Mar 30, 2012 at 1:46 PM, Alan Buxey wrote:
> Hi,
>
>> I have about 500 radius clients that are authenticating against 2
>> radius servers 192.168.1.10 and 192.168.2.10.
>>
>> We have a need to use new radius servers that are on different network
>> 10.0.1.10 and 10.0.2.10.
>>
>> How do I f
Hi,
> I have about 500 radius clients that are authenticating against 2
> radius servers 192.168.1.10 and 192.168.2.10.
>
> We have a need to use new radius servers that are on different network
> 10.0.1.10 and 10.0.2.10.
>
> How do I force the radius clients to authenticate against the new
> ra
I have about 500 radius clients that are authenticating against 2
radius servers 192.168.1.10 and 192.168.2.10.
We have a need to use new radius servers that are on different network
10.0.1.10 and 10.0.2.10.
How do I force the radius clients to authenticate against the new
radius servers short fr
Hello Alan,
> Any idea what freeradius does different here?
the only difference I see here is that radius has a hex number in the
state field while the proprietary has digits. I assume that is why my
proprietary client chokes.
I'll try to configure freeradius to produce digits as well and retry a
Hello Alan,
here is the nordic edge radius server pcap:
http://upload.glanzmann.de/radius.pcap
here is the freeradius server pcap:
http://upload.glanzmann.de/freeradius.pcap
What I don't get is, when I compare the two 'Access-Challenges' they look very
similar to me. However my proprietary radiu
Hello Alan,
> PAP. And only PAP. And sometimes not even there.
I now installed a commercial radius server (Nordic Edge) which supports
it and I sniffed a successful exchange. You can find it here:
http://upload.glanzmann.de/radius.pcap
Could you please let me know if it is possible to confi
On Fri, Mar 30, 2012 at 7:37 PM, mimir
wrote:
> Hi Fajar,
>
> I also think that option. But, I can not configure it.
>
> I set up realms same in proxy.conf. But, how can we point it to
> sites-available/copy-acct-to-home-server ?
Basically you need to configure sites-available/default to write to
Fajar A. Nugraha-2 wrote
>
> On Fri, Mar 30, 2012 at 6:12 PM, IVB wrote:
>
>> Agent-Circuit-Id = 0x000403fc0001
>
> let's start with that one.
>
>> ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
>
> Does that work?
>
No. And this is the problem.
Fajar A. Nugra
I forgot to add.
preacct also worked :)
Thanks.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/Proxy-copy-accounting-to-passive-home-server-tp5598491p5606585.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? Se
Hi Fajar,
I also think that option. But, I can not configure it.
I set up realms same in proxy.conf. But, how can we point it to
sites-available/copy-acct-to-home-server ?
How can we configure it? I can only see explanation of config file comments.
Thanks,
Hi,
> I apologize for bothering you. I thought that somewhere might be a how-to to
> solve this.
yes, there are plenty of HOW-TOs - they all say to check the RADIUS server cert
and configure the client properly - you are asking why. why?
alan
On 30/03/12 12:51, Heinrich, Sebastian wrote:
I apologize for bothering you. I thought that somewhere might be a how-to to
solve this.
Unfortunately there's nothing to "solve". This is just how PEAP/MSCHAP
works; there is a server cert, and for it to be secure, you must
validate it.
There
Hi,
> thanks for the brief reply.
> I also think that the problem is that the NAS is asking the supplicant for
> the password several times, before finally receiving the user's entry and
> sending to radius.
> I would like to solve the problem but since nobody yet find an answer. I
> don't know wh
On Fri, Mar 30, 2012 at 6:12 PM, IVB wrote:
> Agent-Circuit-Id = 0x000403fc0001
let's start with that one.
> ( '00:12:23:56:78:9A', 'Agent-Circuit-ID', x'000403fc0001', '==' ),
Does that work? Shouldn't it be something like
( '00:12:23:56:78:9A', 'Agent-Circuit-ID', 0x000403fc0001, '==' ),
Hi,
> We don't want to install certificates on the clients, but the problem
in that case, just get your RADIUS server signed by a CA that is already
on the clients, something like Thawte, Verisign etc. i.e. spend some money.
if you don't want to spend some money, use your own self-signed CA (clos
I apologize for bothering you. I thought that somewhere might be a how-to to
solve this.
Thank you for help.
I wish you nice weekend.
Best Regards from Germany
Sebastian Heinrich
Techn. DV
Aluminium Oxid Stade GmbH
Johann-Rathje-Köser-Straße
21683 Stade
email s.heinr...@aos-stade.de
web
On Fri, Mar 30, 2012 at 5:40 PM, mimir
wrote:
> Hello,
>
> I added same definition to acct_users
>
> DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm +=
> TEST2,Replicate-To-Realm += TEST3
>
> and it worked :)
The earlier error is probably my fault then. It might need to go on
preacct se
Debug mode help me nothing.
When I try to connect without Agent-* attributes in DB, I see in debug
output 'User found in radcheck table' after performing "check" SQL. And
finally I login successfully.
When I try to connect with Agent-* attributes in DB, I don't see message
'User found in radcheck
On Fri, Mar 30, 2012 at 5:23 PM, Phil Mayers wrote:
> However: I'm sure everyone will agree with me when I say:
>
> YOU SHOULD CONFIGURE YOUR CLIENTS TO CHECK THE CERTIFICATE.
Exactly :)
--
Fajar
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 30/03/12 11:58, Morris, Andi wrote:
Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where
to turn next with this, especially as you are seeing the same issue
with different network hardware.
Well, you guys need to debug your network hardware (and Ricardo needs to
use a thread
Fajar A. Nugraha-2 wrote
>
> On Fri, Mar 30, 2012 at 4:29 PM, IVB wrote:
>> I need help.
>>
>> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
>> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>>
>> BRAS sends Opt-82 related attributes in following format:
>>
>
> What format?
>
Agent-Remote
Hi Ricardo,
Sorry it was a brief answer but I'm also unsure of where to turn next with
this, especially as you are seeing the same issue with different network
hardware.
Cheers,
Andi
-Original Message-
From: freeradius-users-bounces+amorris=cardiffmet.ac...@lists.freeradius.org
[mailto
Hi Andy,
thanks for the brief reply.
I also think that the problem is that the NAS is asking the supplicant for
the password several times, before finally receiving the user's entry and
sending to radius.
I would like to solve the problem but since nobody yet find an answer. I
don't know what to do
Hello,
I added same definition to acct_users
DEFAULT Replicate-To-Realm := TEST1,Replicate-To-Realm +=
TEST2,Replicate-To-Realm += TEST3
and it worked :)
I can send 3 servers same accounting messages.
I wonder another thing. Is it possible to get log/error or sth else if one
of the replicated
Hi,
Sorry, I wrote wrong in my previous post, I am trying to apply
Replicate-To-Realm to send accounting messages to 20 servers from my radius
server.
I added as below in /sites-available/default
accounting {
update control {
Replicate-To-Realm := TEST1
Replicate
On 30/03/12 10:54, Heinrich, Sebastian wrote:
Now I am totally confused. Fajar says that it is not so easy to crack
the passwords and Phil says the opposite. I am not a hacker. Can
anybody say that this would be easy to do or not:
I didn't say it was easy. I said it was *possible*.
And you're
This ties in with what I was saying, that the NAS (switch/access point) is
asking the supplicant for the password several times, before finally receiving
the user's entry and sending it onto the radius to be accepted or denied,
whichever the case may be.
I still think the problem is supplicant/
On 30/03/12 10:38, Fajar A. Nugraha wrote:
How easy is it to crack
such a password? An authentication wouldn't have happened but the
attacker would have had the encrypted usernames and passwords.
They won't.
Not immediately. But MSCHAP is a complex (and old) algorithm, and it is
possible
Now I am totally confused. Fajar says that it is not so easy to crack the
passwords and Phil says the opposite. I am not a hacker. Can anybody say that
this would be easy to do or not:
"A CA certificate must be used at each client to authenticate the server to
each client before the client subm
Hi Alan DeKok,
thanks for your reply.
I think you don’t understand what my problem is. My main problem is to
understand why when the user is asked to enter his credentials more than one
time nothing reaches my freeradius server, the only communication requests
remains between the Access Point and
On Fri, Mar 30, 2012 at 4:29 PM, IVB wrote:
> I need help.
>
> Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
> Hardware: RB SE100 under SEOS-6.4.1.4-Release
>
> BRAS sends Opt-82 related attributes in following format:
>
What format?
>
> Attributes Agent-* described in radius dictionary as 'octet
On 30/03/12 10:18, Heinrich, Sebastian wrote:
We don't want to install certificates on the clients, but the problem
that is given in wikipedia is that anybody can install an access point
with the same ssid and a client that would connect with it would give
him his MSCHAP encrypted username and pa
On Fri, Mar 30, 2012 at 4:18 PM, Heinrich, Sebastian
wrote:
> We don't want to install certificates on the clients, but the problem
> that is given in wikipedia is that anybody can install an access point
> with the same ssid and a client that would connect with it would give
> him his MSCHAP encr
I need help.
Software: FreeRADIUS v2.1.11, MySQL v5.1.61.
Hardware: RB SE100 under SEOS-6.4.1.4-Release
BRAS sends Opt-82 related attributes in following format:
Attributes Agent-* described in radius dictionary as 'octets'. Attributes
ADSL-Agent-* described in radius dictionary as 'string'.
I
We don't want to install certificates on the clients, but the problem
that is given in wikipedia is that anybody can install an access point
with the same ssid and a client that would connect with it would give
him his MSCHAP encrypted username and password. How easy is it to crack
such a password?
On Fri, Mar 30, 2012 at 4:01 PM, mimir
wrote:
> Hi,
>
> I installed latest version of freeradius and verified replicate module is
> existing.
>
> I can run replication via editing proxy.conf and acct_user. ( but I can
> replicate to only one server for now)
> I need to copy accountings to 20 serve
Hi,
I installed latest version of freeradius and verified replicate module is
existing.
I can run replication via editing proxy.conf and acct_user. ( but I can
replicate to only one server for now)
I need to copy accountings to 20 servers.
DEFAULT Proxy-To-Realm := TEST1 ( how can I add others
Ricardo89 wrote:
> Yes Alan, I see each request hitting my LDAP server at least three
> times.
So... run the server in debug mode to see WHY it's hitting the LDAP
server three times. Then, look at the debug log, and change the LDAP
queries so that it only hits the LDAP server once.
Hi Alan,
thanks for your reply.
Yes Alan, I see each request hitting my LDAP server at least three
times.
When that problem of the user needs to enter their credentials more than one
time, as I said in the previous post nothing gets to the Ldap server, in the
best cases only at the third t
On Fri, Mar 30, 2012 at 2:46 PM, Heinrich, Sebastian
wrote:
> Creating new certificates is only a security improveness when checking them?
No
> Is there any security improveness of creating new certificates and don't
> checking them?
Yes. See what I wrote earlier.
I gave you my answers. If yo
Heinrich, Sebastian wrote:
> But a TLS tunnel can be established with the standard certificates given in
> the certs subdirectory. Creating new certificates is only a security
> improveness when checking them?
Yes.
> Is there any security improveness of creating new certificates and don't
>
Actually the existing certificates in the certs subdirectory could
be
>> deleted but the authentication would work?
>>
>>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2,
>>> then
>> you don't need certificates.
>>
>> But it would work with the standard certificates
On Fri, Mar 30, 2012 at 2:21 PM, Heinrich, Sebastian
wrote:
>>> Actually the existing certificates in the certs subdirectory could be
> deleted but the authentication would work?
>
>> It would, if you DON'T use PEAP. If you ONLY use PAP or MSCHAPv2, then
> you don't need certificates.
>
> But it
> From wikipedia, "PEAP is a protocol that encapsulates the Extensible
Authentication Protocol (EAP) within an encrypted and authenticated
Transport Layer Security (TLS) tunnel."
> TLS always need a certificate.
>> There is nothing checked if you don't check the checkbox 'check
certificate'.
> I
Jens Weibler wrote:
> The problem is: debian is still using the version 2.1.10 - even in
> sid... Is there a way to get this backported in the old version?
No.
You can build your own packages. That's why there's a "debian"
directory in the source.
Alan DeKok.