Thomas Glanzmann wrote:
I wonder if the radius encryption between radius client and radius is
secure enough if you choose a decent password like the following:
No one knows.
The method RADIUS uses isn't encryption. It's more technically called
obfuscation in the crypto world. The reason
Hello Jason,
The passwords are weakly encrypted using a mechanism that is basically
an XOR of the password and an MD5 hash of the request authenticator
and the shared secret.
thanks for the thorough explanation, I'll go with IPSEC or openvpn. I
recall reading in Bruce Schneier's book 'Secret
Thomas Glanzmann wrote:
thanks for the thorough explanation, I'll go with IPSEC or openvpn. I
recall reading in Bruce Schneier's book 'Secrets and Lies' that xor is
only secure if you use the key only once, so it is very easy to break it
if you see enough traffic, probably also with different
Alan Batie wrote:
I've been using freeradius for quite a while now, but never really
grokked the config file. There is lots of documentation that gives you
a narrow peep hole into the specific section it's concerned with and how
to do common basic things, but there's nothing I've found that
Glen Harris wrote:
Can you paste the debug log? I'm guessing that the request to the
inner tunnel probably doesn't have Calling-Station-Id attribute.
Here it is:
Did you read it? There's a lot of stuff, but it's pretty obvious
what's going on:
[sql] expand: %{User-Name} -> user01
[sql]
Hi,
mysql> select * from radcheck;
+----+----------+--------------------+----+--------+
| id | username | attribute          | op | value  |
+----+----------+--------------------+----+--------+
|  1 | user01   | Cleartext-Password | := | pass01 |
|
On Wed, Apr 4, 2012 at 3:27 PM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
so, there is no user01 in the radusergroup SQL table. so it fails. so if you
don't need the sqlusergroup, turn it off.
Shouldn't it work even without radusergroup?
@Glen, can you try testing with simple PAP? This is to
On 04/04/12 18:27, Alan Buxey wrote:
Hi,
mysql> select * from radcheck;
+----+----------+--------------------+----+--------+
| id | username | attribute          | op | value  |
+----+----------+--------------------+----+--------+
| 1 | user01 |
On Wed, Apr 4, 2012 at 3:41 PM, Glen Harris ast...@iamnota.org wrote:
Just so I understand completely, why does authentication work when there is
only the Cleartext-Password row in the radcheck table?
If the condition in == doesn't match, the check item with := (i.e.
cleartext-password) will
On 04/04/12 18:00, Alan DeKok wrote:
Glen Harris wrote:
Can you paste the debug log? I'm guessing that the request to the
inner tunnel probably doesn't have Calling-Station-Id attribute.
Here it is:
Did you read it? There's a lot of stuff, but it's pretty obvious
what's going on:
[sql]
Hello list,
I set up a testing environment with a virtual Windows Server 2008 R2
server with Active Directory Role and a virtual freeradius server
(v2.1.12).
For the authentication I use ntlm_auth (followed instructions on
- Original Message -
From: Matthew Newton m...@leicester.ac.uk
Sent: Tue, 3.4.2012 13:01
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: MSSCHAP auth + LDAP authorizaton
[SNIP]
The LDAP module can be configured for group lookups - look about
half way
[snip]
Why it fails on freeradius,
I found the mistake exactly after sending last mail. There are some magical
configuration directives for AD.
A.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I set up a testing environment with a virtual Windows Server 2008 R2
server with Active Directory Role and a virtual freeradius server
(v2.1.12).
For the authentication I use ntlm_auth (followed instructions on
http://deployingradius.com/documents/configuration/active_directory.html)
OK, I achieved my goal to get freeradius authenticate via mschap
challenge-response and authorize via LDAP search.
It's working, though I'm not sure that I'm doing it right. This solution
works only with one group (my example, VPNusers). I think it is not expandable
to the scenario like:
Stick unlang wrapper around the call to ldap
ie
if(request from VPN){
ldap
}
alan
Hello,
I am trying to add custom attribute to accounting packet and proxy to them
to different servers
by using ldap_xlat. But, although I query the ldap successfully and see the
correct value in debug logs,
attributes values are wrong, and changed.
What is the cause? Do you have any comment?
hi list,
i want to authenticate windows 7 computers with tls certificates.
the certs have the special windows OIDs, but i still get the error from below.
on the website http://wiki.freeradius.org/Certificate_Compatibility there is
only winxp mentioned.
is there maybe any difference with windows
Hello out there,
I'm testing the FreeRADIUS Version 2.1.12 module with AD Integration
following the deployingradius.com Guide.
Installed winbind and samba Version 3.6.3 and ntlm_auth tests are fine.
Now I'm testing with radtest while running radius in debug mode.
The following line has been added
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap] expand: %{Stripped-User-Name} ->
[mschap] ... expanding second conditional
[mschap] expand: %{mschap:User-Name:-None} ->
Tested both at radtest USER@DOMAIN and DOMAIN\\USER, nothing worked.
Configured krb5.conf and smb.conf with domain and local ntlm_auth works fine on
the machine.
And in mschap module this line has been added:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name:-None}
On 04.04.2012 12:30, Andres Septer wrote:
I (sort of) solved exactly the same problem. I will post my solution
in
MSSCHAP auth + LDAP authorizaton shortly. Stay tuned.
# Note to Andres Septer:
Thanks for your reply, but I fixed my problem by now without giving the
ldap bind user any
Just looked at this line in my config there is a --ntresponse instead
of #ntresponse
[mschap] expand: #ntresponse=%{mschap:NT-Response:-00} ->
#ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon
issue is resolved. It was about type of ldap columns.
we set attribute and ldap columns both to string, and it worked.
Thanks.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/xlat-errors-filter-logs-tp5614816p5617794.html
Sent from the FreeRadius - User mailing list
issue is resolved. It was about type of ldap columns.
we set attribute and ldap columns both to string, and it worked.
Thanks.
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/adding-custom-attribute-with-ldap-xlat-tp5617491p5617800.html
Sent from the FreeRadius - User
Good morning, you can authenticate the User and password samba in freeradius?
Marlos
Hi
On Wed, Apr 04, 2012 at 01:47:54PM +0200, Christian Bösch wrote:
the certs have the special windows OIDs, but i still get the error from below.
The oids are only one reason for that error, but it is a very
common reason for this issue. The basic problem is that, for some
reason, Windows gave
Hi.
Is it possible to create a counter which limits the single session of a user?
I'd like to create a generic temporary access, and a session should last for
few minutes max.
thanks
--
Lorenzo Milesi - lorenzo.mil...@yetopen.it
GPG/PGP Key-Id: 0xE704E230 - http://keyserver.linux.it
Hi,
i need to configure a freeradius server to :
1. check expiration date
1.1 if account is expired - change back to auth-type = accept and assign
some private ip address.
is it possible , i could not find anything :(
--
View this message in context:
Lorenzo Milesi wrote:
Hi.
Is it possible to create a counter which limits the single session of a user?
See the counter module.
I'd like to create a generic temporary access, and a session should last for
few minutes max.
That will be hard. Many NASes will support a minimum of 10 min
Weber, Felix wrote:
Just looked at this line in my config there is a --ntresponse instead
of #ntresponse
That's bad.
In my mschap module the ntresponse parameter is written with --, so
why is radtest interpreting it with an # ??
Because it's written with a '#' in the mschap module.
On Wed, Apr 04, 2012 at 05:50:01PM +0200, Lorenzo Milesi wrote:
Is it possible to create a counter which limits the single session of a user?
I'd like to create a generic temporary access, and a session should last for
few minutes max.
Assuming your NAS supports it, you should be able to do
Freeradius experts,
I am running Freeradius 2.1.10 on two different Redhat 6.2 systems. Both
of them work fine. We are using ldap back end and we have no problem with
client connections on either server. The problem I have is that one of my
servers (64 bit on vmware) won’t give me
I am trying to implement two of the Nomadix VSA's, Nomadix-BW-Up and
Nomadix-BW-Down. They are included in the dictionary.nomadix that
shipped with my installed version, 2.1.8 running on CentOS.
I am using a MySQL backend and have tried adding the attributes in
radgroupreply (for user group) and
On 04/04/12 18:34, Fajar A. Nugraha wrote:
@Glen, can you try testing with simple PAP? This is to isolate
EAP-related problem.
You probably need to use radclient to manually add Calling-Station-Id
attribute to the request. Look at the end of radtest program (which
is a shell script) to see an
Hi,
On Wed, Apr 04, 2012 at 04:26:44PM -0500, Tim Tyler wrote:
The problem I have is that one of my servers (64 bit on vmware)
won’t give me accounting records for client connections in the
radacct directory. The log directory is /var/log/radius/radacct.
Nothing gets written in it.
Check
I am trying to implement two of the Nomadix VSA's, Nomadix-BW-Up and
Nomadix-BW-Down. They are included in the dictionary.nomadix that
shipped with my installed version, 2.1.8 running on CentOS.
I am using a MySQL backend and have tried adding the attributes in
radgroupreply (for user group)
So, to try and re-phrase my question at this point: Why would
freeradius stop processing after radusergroup and radgroupcheck,
without ever doing the query on radgroupreply to see if there are
items there?
The user is a member of only one group, and this is the only
user/group relationship I see
Deleted my mschap.bak and rpmfiles in the modules directory
and now it works! Thanks for that hint!
-Original Message-
From: freeradius-users-bounces+felix.weber=swmr...@lists.freeradius.org
[mailto:freeradius-users-bounces+felix.weber=swmr...@lists.freeradius.org] On
Behalf Of