Re: Problem with accounting insert into Oracle

2012-08-14 Thread Aurélien Lafranchise
/etc/raddb/certs was copied too! How to regenerate the certificates? In general, how to install a copy of a radius server to another box? For my SQL problem, any idea? Thanks all AL On 13 August 2012 at 18:35, John Dennis wrote: > On 08/13/2012 11:41 AM, Aurélien Lafranchise wrote: >> I hav

Re: rlm_sql Error

2012-08-14 Thread Iliya Peregoudov
Hello Antonio, rlm_sql does not wait for connection from connection pool to become available. If all connections are busy the module just returns fail. You can avoid these spurious failures if you set num_sql_socks equal to max_servers. Antonio Modesto wrote: Hi, Here in the ISP which I

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
Thanks Alan. I've reviewed the documentation and I'm not sure how to make it work. The only attributes passed to the server config are related to the source IP address, which is not enough information to determine which policy to apply. The use case is configuring FreeRADIUS to accept requests f

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Fajar A. Nugraha
On Tue, Aug 14, 2012 at 8:40 PM, Diego Matute wrote: > The use case is configuring FreeRADIUS to accept requests from unknown > clients with different policies. By different policies I mean different > authentication methods. I thought the secret key could be used to > differentiate the calls and

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
"different authentication methods" I really mean different user data stores and different methods like an optional second factor. I can wrap everything in a custom auth module, however I will still need a way to know which data store to use. I could use NAS, but that would require the client to de

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Alan DeKok
Diego Matute wrote: > The only attributes passed to the server config are related to the > source IP address, which is not enough information to determine which > policy to apply. I think you don't understand how RADIUS works. Keying policies off of client IP is not always good. Keying polic

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Fajar A. Nugraha
On Tue, Aug 14, 2012 at 9:06 PM, Diego Matute wrote: > "different authentication methods" I really mean different user data stores > and different methods like an optional second factor. I can wrap everything > in a custom auth module, however I will still need a way to know which data > store to

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Alan DeKok
Diego Matute wrote: > "different authentication methods" I really mean different user data > stores and different methods like an optional second factor. I can wrap > everything in a custom auth module, however I will still need a way to > know which data store to use. > > I could use NAS, but that

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
I guess I misunderstand why knowing the client IP matters; if the shared secret is passed, isn't that enough? The IP address isn't secure either. Shared secrets are for client-server pairs hence you can have multiple shared secrets. What I am trying to do is enable multiple unknown clients to conn

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
The attributes I've mentioned are either server domain or IP address. On Tue, Aug 14, 2012 at 10:17 AM, Alan DeKok wrote: > Diego Matute wrote: > > "different authentication methods" I really mean different user data > > stores and different methods like an optional second factor. I can wrap > >

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
Ok I've re-read the docs. I'm going to require the client IP. It doesn't look like this know-nothing approach will work. Thanks Alan and Fajar. On Tue, Aug 14, 2012 at 10:37 AM, Diego Matute wrote: > The attributes I've mentioned are either server domain or IP address. > > On Tue, Aug 14, 2012

Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Cotton, Jesse
We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what config options do I need to add and wher

Re: Per-realm post-proxy

2012-08-14 Thread Alan DeKok
Shaun Lowry wrote: > Is it possible to have a per-realm post-proxy section? No. But you can have pre/post proxy sections for home server pools. See proxy.conf. > We need to add a > couple of attributes to our Access-Accepts which vary in content > depending on which realm we've proxied. Othe

Re: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Phil Mayers
On 14/08/12 15:57, Cotton, Jesse wrote: We need to use a public certificate for PEAP b/c the majority of our clients are not on our domain. However I do not want to allow EAP-TLS with any cert signed by the 3rd party CA. Is it possible to prevent PEAP-TLS with a cert but allow PEAP? If so, what

Re: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Alan DeKok
Cotton, Jesse wrote: > We need to use a public certificate for PEAP b/c the majority of our > clients are not on our domain. However I do not want to allow EAP-TLS > with any cert signed by the 3rd party CA. Is it possible to prevent > PEAP-TLS with a cert but allow PEAP? If so, what config option

RE: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Cotton, Jesse
That was a typo. I meant EAP-TLS. Thanks for the quick reply. -Original Message- From: freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org [mailto:freeradius-users-bounces+jesse.cotton=stockton@lists.freeradius.org] On Behalf Of Phil Mayers Sent: Tuesday, August

Re: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread alan buxey
Hi, > That was a typo. I meant EAP-TLS. this is easy to fix. concatenate your RADIUS server and CA (and any intermediates) into one file. call that file in the certificate_file = line then comment out CA_file = this is clearly documented: # This parameter is used

RE: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Cotton, Jesse
Thanks alan. I tried that at some point but FR threw an error about the cert not matching the private key. Tried again and switched the order of the certs so the server cert is the first in the file and works like a champ. -Original Message- From: freeradius-users-bounces+jesse.cotton=st

Re: Disable PEAP-TLS but allow PEAP

2012-08-14 Thread Matthew Newton
Hi, On Tue, Aug 14, 2012 at 04:09:01PM +0100, Phil Mayers wrote: > On 14/08/12 15:57, Cotton, Jesse wrote: > >I’ve read several posts about this and none have been helpful. > > In the current version of the server, I think this is hard. As mentioned, comment out CA_file in eap.conf. To reinforc

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Klaus Klein
Hi Diego, On 14.08.2012 16:06, Diego Matute wrote: I could use NAS, but that would require the client to declare their IP address. From a FreeRADIUS server point of view the NAS is the _client_! Could it be that you meant the supplicant (the user or machine which wants to be authenticated) w

Re: Multiple incoming requests from unknown clients

2012-08-14 Thread Diego Matute
Klaus, Yes I did mean the server sending the request, not the supplicant. I misunderstood how to handle adding additional user stores off the same RADIUS server. I will be requiring the IP of the connecting service. On Tue, Aug 14, 2012 at 5:43 PM, Klaus Klein wrote: > Hi Diego, > > Am 14.08.20