Alan,
Being a moderator does NOT give you moral license to treat people like
children. You're a rude man. Please ban me.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Bill Isaacs wrote:
> Here is the telling part of the freeradius -X output that I ran earlier
> this morning and printed out to use as a reference in my inquiries:
>
> [accessperiod] expand: %{sql:SELECT
> IF(COUNT(radacctid>=1),(UNIX_TIMESTAMP() -
> IFNULL(UNIX_TIMESTAMP(AcctStartTime),0)),0)
Bill Isaacs wrote:
> Again Alan, read between the lines. I've been scanning these emails
> from this group for about a year through Google searches.
> What I've learned from this mailing list is that you routinely castigate
> people who ask questions on here. That's rude. Your tone is arrogant.
Again Alan, read between the lines. I've been scanning these emails
from this group for about a year through Google searches.
What I've learned from this mailing list is that you routinely castigate
people who ask questions on here. That's rude. Your tone is arrogant.
And that's rude.
Yes, I'm
Bill Isaacs wrote:
> Alan, you're so much more fun when you're not being myopic. lol Of
> course it's getting the answer from the radius server. You really think
> I don't know that?
I can only read what you write. You asked *twice* why radclient had
that Session-Timeout. The second time,
On 02/08/2013 09:50 AM, Alan DeKok wrote:
Bill Isaacs wrote:
Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?
From the RADIUS server. This isn't magic. radclient doesn't invent
attributes in reply packets. It receives th
Quoting Alan DeKok :
No. You can't turn off EAP. The client is sending EAP to the server.
You need to change the client. And likely you can't, because it
*needs* to do EAP.
Indeed, the key_mgmt attribute in my wpa_supplicant.conf is set to
WPA-EAP and it looks like that's my only option.
Jaap Winius wrote:
> That sounds like important information! To turn off EAP, I commented out
> all of the lines related to EAP in /etc/freeradius/sites-enabled/default
> and in
> /etc/freeradius/sites-enabled/inner-tunnel.
No. You can't turn off EAP. The client is sending EAP to the server.
Quoting Alan DeKok :
You can't use PAM and EAP-MD5 together. It's impossible.
That sounds like important information! To turn off EAP, I commented
out all of the lines related to EAP in
/etc/freeradius/sites-enabled/default and in
/etc/freeradius/sites-enabled/inner-tunnel. Unfortunatel
Quoting Deepti kulkarni :
Try by adding
jwinius Auth-Type = pam
Cleartext-Password := xxx
Thanks for your reply, but that makes virtually no difference. The
result is the same and freeradius' debug output only changes slightly:
Jaap Winius wrote:
...
> [eap] processing type md5
> rlm_eap_md5: Cleartext-Password is required for EAP-MD5 authentication
You can't use PAM and EAP-MD5 together. It's impossible.
Alan DeKok.
Deepti kulkarni wrote:
> Sorry about the incomplete previous email,
>
> Try by adding
> jwinius Auth-Type = pam
> Cleartext-Password := xxx
That won't work.
Alan DeKok.
Sorry about the incomplete previous email,
Try by adding
jwinius Auth-Type = pam
Cleartext-Password := xxx
Deepti
On Fri, Feb 8, 2013 at 12:31 PM, Deepti kulkarni wrote:
> Try by adding
> jwinius Cleartext-Password := xxx
>
>
>
> On Fri, Feb 8, 2013 at 11:41 AM, Jaap Wini
Try by adding
jwinius Cleartext-Password := xxx
On Fri, Feb 8, 2013 at 11:41 AM, Jaap Winius wrote:
> Hi folks,
>
> Having managed to get freeradius 2.10 to run on Debian squeeze with a
> username and password defined in /etc/freeradius/users, I was hoping to
> take a step forward by getting i
Hi folks,
Having managed to get freeradius 2.10 to run on Debian squeeze with a
username and password defined in /etc/freeradius/users, I was hoping
to take a step forward by getting it to authenticate users through
PAM. But, that's not working out as I had hoped.
Could somebody please tel
On 08/02/13 17:14, Alex Sharaz wrote:
Aruba now say they only support eap-tls and eap-peap when you offload
eap onto their mobility controllers.
Well, don't do offload - it's a pretty bad idea anyway, and vendors have
a history of mangling it.
Hi,
> Think I just had senior moment.
>
> The server runs 2.2 code compiled from source but I copied all the configs
> over from the UKERNA freeradius sample and then amended them to run against
> our AD service. The UKERNA control-socket config does have the text.
> My fault
who is UKERNA?
Hi,
> |$ radmin -e "hup passwd"
> |
>
> And from the control-socket code
>
> #
> # Control socket interface.
> #
> # HIGHLY experimental! It should NOT be used in production
> # environments.
> #
> The servers are in a production environment. I'd really like to try just
> rel
Hi,
> Anyone else seen server crashes on a reload?
Don't HUP, do a restart. It's clean and it's pretty much just as quick.
alan
Hi,
> * there is one problem that FreeRADIUS doesn't return the inner ID into the
> outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is
> nothing Aruba-specific and probably a configuration error in FreeRADIUS on
> our part.
stick something like this into your 'inner-tunn
Hi,
> At a recent Aruba training course in amongst the documentation supplied to us
> were a couple of presentation slides showing different types of eap
> authentication against recommended RADIUS servers for use with Aruba
> equipment (Just to be sure the slide heading said Aruba RADIUS
> Co
Think I just had senior moment.
The server runs 2.2 code compiled from source but I copied all the configs over
from the UKERNA freeradius sample and then amended them to run against our AD
service. The UKERNA control-socket config does have the text.
My fault
Rgds
Alex
On 8 Feb 2013, at 17:
>
> * there is one problem that FreeRADIUS doesn't return the inner ID into the
> outer one when using EAP-TTLS (but does when using EAP-PEAP), but this is
> nothing Aruba-specific and probably a configuration error in FreeRADIUS on
> our part.
I've got a strange thing here as well. In the in
I have to say that in their defence, the eap offloading is switched off by
default and you do actually have to switch it on.
A
On 8 Feb 2013, at 17:27, Alan DeKok wrote:
> Alex Sharaz wrote:
>> Aruba now say they only support eap-tls and eap-peap when you offload
>> eap onto their mobility contr
Alex Sharaz wrote:
> And from the control-socket code
In older versions of the software. Version 2.2.0 does *not* have that
text.
> The servers are in a production environment. I'd really like to try just
> reloading the passwd module to see if it makes any difference to the server
> stabili
Alex Sharaz wrote:
> Aruba now say they only support eap-tls and eap-peap when you offload
> eap onto their mobility controllers.
That is a stupid response from them.
If they follow the specs, they should pass EAP straight through to the
RADIUS server. If they do anything else, they are *int
authentication for a client
>>> through a certificate ?
>>> I succeed setting up. But, I notice that freeradius matches client
>>> login with certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME ?
>>
>> Yes.
>>
On 8 Feb 2013, at 16:31, Phil Mayers wrote:
> Was it Aruba who we had all the issues with terminating PEAP/TTLS locally on
> the controller, then transforming the inner EAP-MSCHAPv2 to plain MSCHAPv2
> and mangling it? I seem to recall a flurry of posts to the list that were
> solved by turnin
Aruba now say they only support eap-tls and eap-peap when you offload eap onto
their mobility controllers.
Rgds
Alex
On 8 Feb 2013, at 16:46, freeradius-users-requ...@lists.freeradius.org wrote:
> Re: Any interoperability issues with Aruba and Freeradius
> Alex Sharaz wrote:
>> Anyone else seen server crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough
> information to track it down and fix it, though.
|One workaround is to just do a restart instead of a reload. It's
|not likely to make much of a difference.
:-)
here is the output :
Evaluating ("%{TLS-Client-Cert-Subject}" =~//) -> TRUE
++? if ("%{TLS-Client-Cert-Subject}" =~ /\/xx\// ) -> TRUE
++- entering if ("%{TLS-Client-Cert-Subject}" =~ /\/O=\// ) {...}
+++? if ("%{TLS-Client-Cert-Subject}" =~ /\/OU=\// )
On Fri, Feb 08, 2013 at 10:10:05AM -0500, Alan DeKok wrote:
> Alex Sharaz wrote:
> > Anyone else seen server crashes on a reload?
>
> Unfortunately I've seen this before. I haven't seen enough
> information to track it down and fix it, though.
One workaround is to just do a restart instead of a
a client
>>> through a certificate ?
>>> I succeed setting up. But, I notice that freeradius matches client
>>> login with certificate CNAME.
>>> Is it possible to change it in order to match email instead of CNAME ?
>>
>> Yes.
>>
>
On 08/02/13 16:19, Alan DeKok wrote:
If it requires tweaking for Aruba, then Aruba has failed to implement
the standards correctly.
Was it Aruba who we had all the issues with terminating PEAP/TTLS
locally on the controller, then transforming the inner EAP-MSCHAPv2 to
plain MSCHAPv2 and m
On 08/02/13 16:09, Tunde Ogedengbe wrote:
Ok. Can you pls help with procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated
userid/password configured on windows for pre-login machine authenticat
As already said, post output of radiusd -X
(that will clearly show the logic taken)
alan
Alex Sharaz wrote:
> At a recent Aruba training course in amongst the documentation supplied to us
> were a couple of presentation slides showing different types of eap
> authentication against recommended RADIUS servers for use with Aruba
> equipment (Just to be sure the slide heading said Arub
Ok. Can you pls help with procedure for configuring pre-login on Windows
for 802.1x? Windows is sending packets to RADIUS as
host/machine-name.domain. I would like to have a dedicated userid/password
configured on windows for pre-login machine authentication.
'Tunde Ogedengbe
On 8 Feb 2013 13:18,
Hi All,
I'm sure the answer to this is nope, but ...
At a recent Aruba training course in amongst the documentation supplied to us
were a couple of presentation slides showing different types of eap
authentication against recommended RADIUS servers for use with Aruba equipment
(Just to be sure
Bill Isaacs wrote:
> Ok so the question then is: where the hell is radclient getting the
> notion that the account has 2366393 seconds left?
From the RADIUS server. This isn't magic. radclient doesn't invent
attributes in reply packets. It receives them from the RADIUS server.
> Alan, take a
Ok so the question then is: where the hell is radclient getting the
notion that the account has 2366393 seconds left?
That is *entirely* the wrong question. It's why you haven't solved
the problem yet.
Look at the *radius server* debug output. It's the one sending the
Session-Timeout.
I begin setting up configuration, but I got two problems:
clients with a good certificate can be authenticated even if they're not in
the "users" file.
I assume it's due to my code. Here is what is under the authenticate section of default:
Auth-Type eap {
eap
if ( "%{TLS-Client-Cert-S
Alex Sharaz wrote:
> Firstly the 2.1 servers
Upgrade.
> password files are updated every 15 mins and are followed by a "service
> freeradius reload" command to bring them on line.
See the changelog for 2.2.0. The "passwd" module had issues with
older versions of the server.
You can a
Bill Isaacs wrote:
> Here is an example of one such account, a development test account which
> I created for debugging purposes. Its value is 30 days (2592000 seconds)
>
> Radclient result:
> ===
> # echo User-Name="cgitest",User-Password="cgitest" | radclient -c 1 -n 3
> -r 3 -t 3 -
Hi all,
I've inherited a pair of Freeradius servers running Vsn 2.10 and have built a
new server around the 2.2 source code. All of these servers exhibit the same
problem in that after a SIGHUP to reload their configuration files they
sometimes crash.
Firstly the 2.1 servers
We have 2 of them
Hello all,
I'm researching this anomaly myself in all the documentation, but
thought it would also be helpful both to me and to others to post the
problem here.
SYMPTOM: Some "Access-Period" accounts (accounts which have X number of
seconds to continue logging in and out starting from the ve
On 08/02/13 12:52, Tunde Ogedengbe wrote:
see from the log that the MAC addresses is checked and OK. But there is
an [eap] returns reject just after the mac address was successfully
checked. I guess I need a way to get radius to force an EAP accept
after successful checking of the MAC addresse
I am setting up our Freeradius to do authentication for MAC address for
windows PC. This is to enable PCs to connect to the AD to access Domain
information just before Windows User Logon Screen. The PC is already
connected to a Cisco switch port which has been configured 802.1x.
I have stored
Hi,
>In my accounting table there are many records with the same radacctid for
>one username.
as Phil says - and can be seen, different called-station-id - and different
(NAS id) IP address - what are your accounting statements ?
alan
On 02/08/2013 09:04 AM, Hocine M wrote:
nobody?
The only thing that stands out is the Called-Station-Id is different.
This suggests to me that something about the accounting packets changes
as the client moves around (associates to different APs) and that the
accounting SQL queries you are u
nobody?
Le 07/02/2013 13:25, Hocine M a écrit :
hello,
In my accounting table there are many records with the same radacctid
for one username.
In this case
| 23547 | SESS-50639-54b752-237134-642 | t...@univ-rouen.fr |
univ-rouen.fr| 2013-02-07 12:38:54 | NULL|
192.168.
51 matches