On 28 Aug 2013, at 23:39, Andrej andrej.gro...@gmail.com wrote:
I would like f_ticks to write out a single line into syslog that
contains the inner and outer
identity of an authentication request, the station ID and MAC address.
In case of a successful authentication or rejection I'd like
Dear all,
1-2 years ago this topic was discussed and there was a patch by
Matthew Newton that was approved for the master branch.
I'm now facing the difficulty of accepting/rejecting requests based on
the contents of the TLS-Client-Cert for 2.1.12 which does not contain
this patch. This is done
On 29/08/13 13:21, Axel Thimm wrote:
The reason I'm not simply applying the patch is that this system is
covered by support by Red Hat and replacing the vendor shipped
freeradius (2.1.12) with a self-compiled one voids the support. So any
other solution that would allow me to keep the system
Andrej wrote:
This brings me back to my earlier question: what values are available
where, and when,
via which mechanism?
This was asked and answered. I suggest reading responses to your
messages.
Asking what values are available is wrong. There are no magic
values in the server. There
On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
Otherwise, you could look at the verify { } stanza of the tls {
} block in eap.conf; this allows you to run an external script once
you've got the client cert, and there you can write any code you
want to access the various
I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.
I'm getting an EAP error response from the other server about it not liking the
id number
Supplicant sent
On 29/08/13 14:25, Axel Thimm wrote:
On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
Otherwise, you could look at the verify { } stanza of the tls {
} block in eap.conf; this allows you to run an external script once
you've got the client cert, and there you can write any code you
On 29/08/13 14:35, Robert Roll wrote:
I'm trying to do a proxy from the inner-tunnel over to another radius server.
The primary reason for this is that we need to strip off the realm before
passing to the proxy.
I'm getting an EAP error response from the other server about it not liking
On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
Or you could abandon the prejudice against upgrading because it's
supported (support you're not taking advantage of, I might add,
since you're asking here) and upgrade to 2.2.0 which, IIRC, has
those patches in.
I don't think it's
On Thu, Aug 29, 2013 at 01:35:25PM +, Robert Roll wrote:
I'm getting an EAP error response from the other server about it not liking
the id number
Supplicant sent unmatched EAP response packet identifier
EAP Response identifier sent by the client has to match EAP Request
Agreed on the support contract thing. If something is apparently
unsupported when it's broken, just run the supported version on a
test system, reproduce the problem, and go from there. If you know the
problem is to do with the newer features, forget the paid support and
ask here like you
On 29/08/13 15:09, Matthew Newton wrote:
On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
Or you could abandon the prejudice against upgrading because it's
supported (support you're not taking advantage of, I might add,
since you're asking here) and upgrade to 2.2.0 which, IIRC, has
I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier, maybe not? Is there a different EAP response identifier?
I actually have been running with debug radius -X. Obviously a lot longer
output than just the TCP dump.
That is why I first tried just the TCP
Hi All,
Is there a way, if I had 10 clients in my home lab and all the certs expire
tomorrow, that rather than re-provide all the certs to my clients, I can frig
the radius server time, to still accept them.
I'm guessing this is a no, but from what I see, the client cert is presented, and
check
On Thu, Aug 29, 2013 at 02:48:59PM +0100, Phil Mayers wrote:
On 29/08/13 14:25, Axel Thimm wrote:
On Thu, Aug 29, 2013 at 02:12:35PM +0100, Phil Mayers wrote:
Otherwise, you could look at the verify { } stanza of the tls {
} block in eap.conf; this allows you to run an external script once
On Thu, Aug 29, 2013 at 02:56:44PM +, Robert Roll wrote:
I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier, maybe not? Is there a different EAP response identifier?
That is the id of the radius packet. EAP lives inside radius packet AVPs
called
On 29/08/13 15:49, stefan.pae...@diamond.ac.uk wrote:
That said, I commiserate with the original poster that yes, when the
policy is that you're only allowed to use vendor packages, you're
limited in what you can and cannot do.
Failing to direct these queries towards your paid support option
On 29/08/13 15:56, Robert Roll wrote:
I guess I assumed the id: in the TCP dump below was the EAP Response
Identifier, maybe not? Is there a different EAP response identifier?
Yes, in the EAP-Message attribute (EAP packet)
I actually have been running with debug radius -X.
On Thu, Aug 29, 2013 at 02:49:17PM +, stefan.pae...@diamond.ac.uk wrote:
Agreed on the support contract thing. If something is apparently
unsupported when it's broken, just run the supported version on a
test system, reproduce the problem, and go from there. If you know the
problem is
OK, below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy.
WC -- is the wireless controller (155.99.193.24)
FR-2.10 -- Freeradius 2.10 (155.97.182.175)
ISE-proxy -- ISE proxy server (155.97.185.76)
Again, any help would be much
I installed FreeRADIUS Version 2.1.12 on a centos 6.4 and configured the
ldap module for authentication of my users.
Also configured my users files with 2 specific groups where only the
users who are in these groups can authenticate.
Up to there, everything is all right.
What I need your help and the
OK, I've tried this with 2.2 and still get the same behavior.
If I actually look at the proxy-inner-tunnel I see the following for
post-proxy:
post-proxy {
#
# This is necessary for LEAP, or if you set:
#
# proxy_tunneled_request_as_eap = no
#
On 29/08/13 17:01, Robert Roll wrote:
OK, below is the TCP dump. I have attached the Freeradius Debug output beginning
near the start of the proxy.
The problem here is pretty straightforward, but not obvious from the
debugs since FR is just proxying.
Basically, the client sends the inner
Phil Mayers wrote:
[peap] Got tunneled request
EAP-Message = 0x02090006031a
0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)
That's EAP-MSCHAP-v2.
...which the proxy server then rejects:
rad_recv: Access-Reject packet from host 155.97.185.76 port 1812, id=71,
length=49
Robert Roll wrote:
If I actually look at the proxy-inner-tunnel I see the following for
post-proxy:
The post-proxy stage has NOTHING to do with the home server. If the
home server rejects the request, the issue is WAY before the
post-process stage.
I see that eap needs to be invoked if
Luiz Alberto Avelino wrote:
There are two groups in Active Directory: CISCO and WIRELESS.
I'm using freeradius to authenticate my switches and my wireless network
with these groups.
All users in the group CISCO will authenticate in my switches
ALL users in the group WIRELESS will authenticate
On 29/08/13 18:16, Alan DeKok wrote:
Phil Mayers wrote:
[peap] Got tunneled request
EAP-Message = 0x02090006031a
0x03 == 3 = NAK, 0x1a == 26 == MS-EAP (SoH, I think?)
That's EAP-MSCHAP-v2.
Doh, yes, brain fade. TBH this page could be clearer:
On 29/08/13 18:16, Alan DeKok wrote:
i.e. set proxy_tunneled_request_as_eap = no
Although IIRC that *definitely* had issues in 2.1.10, right?
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
If you wanted to do mac authentication, is there a way to add a range of
mac addresses to the users list, e.g.:
#Normal mac username:
002710de63a4 Cleartext-Password := 002710de63a4
e806882925ce Cleartext-Password := e806882925ce
#Range of mac addresses:
94ebcd** Cleartext-Password :=
Phil Mayers wrote:
On 29/08/13 18:16, Alan DeKok wrote:
i.e. set proxy_tunneled_request_as_eap = no
Although IIRC that *definitely* had issues in 2.1.10, right?
I don't recall... that was a long time ago, and I'm trying to get 3.0
out the door.
Alan DeKok.
On 29 Aug 2013, at 23:13, Dan Letkeman danletke...@gmail.com wrote:
If you wanted to do mac authentication, is there a way to add a range of mac
addresses to the users list, e.g.:
#Normal mac username:
002710de63a4 Cleartext-Password := 002710de63a4
e806882925ce Cleartext-Password :=
On Thu, Aug 29, 2013 at 05:13:54PM -0500, Dan Letkeman wrote:
#Range of mac addresses:
94ebcd** Cleartext-Password := 94ebcd**
If you're using PAP (which I guess is most likely if it's MAC
auth), you should be able to do something like
DEFAULT User-Name =~ ^94ebcd, User-Password =~
( cc-ing you directly since it seems you have trouble receiving mails from
the list )
Apologies! My comcast.net account was bouncing mail from the list for
reasons unknown. I saw the bounce rating jump from 1 to 3 over the course
of this week, so I resubscribed with a proper e-mail address.
Excellent. Thank you.
On Thu, Aug 29, 2013 at 5:32 PM, Arran Cudbard-Bell
a.cudba...@freeradius.org wrote:
On 29 Aug 2013, at 23:13, Dan Letkeman danletke...@gmail.com wrote:
If you wanted to do mac authentication, is there a way to add a range of
mac addresses to the users list. eg:
Did you read Phil's excellent reply?
http://lists.freeradius.org/pipermail/freeradius-users/2013-August/067991.html
After Fajar kindly forwarding the link to me, I was able to see the reply.
Thank you, Fajar, and Dan as well.
s/Dan/Phil/
Please place my head in a vice and crank it shut