Hi,
We are thinking about using radius authentication through the Internet.
Considering we use EAP-TTLS method for authenticating wifi users, is
there any way to intercept user passwords?
Is EAP-TTLS as secure as https or smtps?
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat
'X' mode - it's single threaded so your
> performance goes through the floor and it's printing out all that stuff
> to output which slows things further.
>
> alan
> -
> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>
>
--
Emmanuel BIL
4, debug file debug.log and same way.
Any idea?
On 28/03/13, Olivier Beytrison wrote:
> On 28.03.2013 10:31, Billot wrote:
> > Ok thanks but is it possible to have it permanently with a config item like
> >
> > raddbdir = ${sysconfdir}/raddb
> > radacctdir = ${
Ok thanks but is it possible to have it permanently with a config item like
raddbdir = ${sysconfdir}/raddb
radacctdir = ${logdir}/radacct
debug_level = 4
?
On 28/03/13, Olivier Beytrison wrote:
> On 28.03.2013 09:27, Billot wrote:
> > How can we have such detail logs in run
ven with debug = 2 set,
there is no such detailed log.
How can we have such detailed logs in running mode?
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
On 26/03/2013 15:05, Phil Mayers wrote:
On 26/03/2013 13:52, Emmanuel BILLOT wrote:
authorize {
if (Called-Station-Id =~ /^.*:([-a-zA-Z]+)$/) {
update control {
Tmp-String-0 := "%{1}"
}
}
switch "%{Tmp-String-0}" {
That needs to be:
switch &
On 26/03/2013 14:45, Matthew Newton wrote:
On Tue, Mar 26, 2013 at 02:20:40PM +0100, Emmanuel BILLOT wrote:
How about hyphen SSID? ex: WIFI-TEST
I failed in writing regex for it...
if (Calling-Station-Id =~ /^.*:([a-zA-Z-]+)$/) {
Matthew
Thanks it seems to be ok. Proxy should resent
Set up proxy.conf with entries for the right ports, then you
should be able to do something like (example, untested):
authorize {
if (Calling-Station-Id =~ /^.*:([a-zA-Z]+)$/) {
update control {
Tmp-String-0 := %{1}
}
}
switch "%{Tmp-String-0}" {
case 'TEST' {
Hi,
We have a Freeradius server configured with 3 instances, each using
particular authorize, authenticate and accounting section.
Each server listens on a particular port.
Each server is used by a WLAN on access point.
Our problem is that many "basic" access points can only declare one
radius
On 24/01/2013 14:03, Emmanuel BILLOT wrote:
Hi,
In LDAP config module, we can find
filter =
"(|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(mail=%{%{Stripped-User-Name}:-%{User-Name}}))"
Users authenticate in freeradius with login like pierre.dupont@12345678
We want to use
.dupont is %{User-Name}
what should be the name of the variable for 12345678 ?
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Hi,
Is there any way to have log format (radius.log) with any date for each
line or section?
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
On 18/01/2013 15:31, Alan DeKok wrote:
Emmanuel BILLOT wrote:
Ok, but I knew there was regular re-auth session to keep the connection
alive, right?
Maybe. It doesn't always happen.
I don't understand, I thought it was fixed either by the server or by
the client?
the client ?
When looki
to increase
interval between two checks ?
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
On 18/01/2013 12:26, Emmanuel BILLOT wrote:
Hi,
We want to "force" Session-Timeout for all our users. Authorization
and authentication are made by LDAP.
Is it possible to add Session-Timeout in a file or config file to
apply it to all our users ?
BR,
More questions about it:
Hi,
We want to "force" Session-Timeout for all our users. Authorization and
authentication are made by LDAP.
Is it possible to add Session-Timeout in a file or config file to apply
it to all our users ?
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie
On 01/12/2012 23:10, Alan Buxey wrote:
Hi,
But when using this method through a proxy way, where is data encryption?
the TLS tunnel is set up with the remote server - the traffic being passed
through all the interim proxies. so the client only trusts the remote server (ie
the server they a
Hi,
Apologies if this question is too "newbie", but I recently thought about
Radius security when using proxy.
Considering we are using an EAP-TTLS method, based on LDAP
authentication inside inner-tunnel (finally with PAP auth at the end).
When a client tries an auth, encryption is done by th
On 12/09/2012 13:03, Arran Cudbard-Bell wrote:
On 12 Sep 2012, at 11:43, BILLOT wrote:
Like any other module in the server, you instantiate multiple instances and
reference them in the different virtual servers.
eap {
}
Ok I did it but when trying to use instances, I get
Found Auth
Like any other module in the server, you instantiate multiple instances and
reference them in the different virtual servers.
eap {
}
Ok I did it but when trying to use instances, I get
Found Auth-Type = EAP
WARNING: Unknown value specified for Auth-Type. Cannot perform
requested action
Hi,
We have a config with 3 virtual servers, running on a different port.
Each virtual server must have a particular config (different LDAP
server, different SQL server). However, each one uses EAP auth and so
the inner-tunnel which is unique.
Thus in the inner-tunnel config, default modules
On 29/08/2012 11:58, BILLOT wrote:
On 29/08/2012 11:16, Fajar A. Nugraha wrote:
Here is an extract of data sent to radius
NAS-IP-Address = 172.21.175.129
NAS-Identifier = "hello"
NAS-Port = 0
Called-Station-Id = "2C-B0-5D-A4-52
On 29/08/2012 11:16, Fajar A. Nugraha wrote:
On Wed, Aug 29, 2012 at 3:22 PM, BILLOT
wrote:
Hi,
Is there any way to use virtual servs depending on client VLAN?
I mean:
If packet arrives with VLAN1 then use virtual server 1
If packet arrives with VLAN2 then use virtual server 2
Just to
On 29/08/2012 10:58, Alan DeKok wrote:
BILLOT wrote:
Is there any way to use virtual servs depending on client VLAN?
RADIUS is IP based, not VLAN based. Packets don't arrive on different
VLANs. They arrive on different IPs.
Thanks. I can also use different ports, I only need NAS
On 29/08/2012 10:36, Fajar A. Nugraha wrote:
(3) use the same virtual server, but do selective processing (with
unlang) based on some attributes that the NAS sends. e.g. if an
attribute has value A, call module sql1, while if the value is B, call
module sql2.
Actually I'm not sure that all
Hi,
Thanks for reply.
Depends.
One of the following should be applicable
(1) If the NAS is different (i.e. each VLAN has its own NAS), you can
take a look at raddb/sites-available/dynamic-clients. Basically it can
choose a virtual server based on Packet-Src-IP-Address attribute (i.e.
the NAS
Hi,
Is there any way to use virtual servs depending on client VLAN?
I mean:
If packet arrives with VLAN1 then use virtual server 1
If packet arrives with VLAN2 then use virtual server 2
BR,
On 13/06/2012 15:48, Alan DeKok wrote:
Emmanuel BILLOT wrote:
What module should I use to send MAC addresses to another radius server,
and getting back ok/nok before testing EAP?
That WILL NOT work. The server cannot proxy and also authenticate users.
This is what a database is for
On 13/06/2012 15:14, Alan DeKok wrote:
Emmanuel BILLOT wrote:
Is it possible to split authorization step as follows:
- Considering we want to authorize user using EAP and MAC addresses
- http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to
do EAP with one radius server and
Hi,
Is it possible to split authorization step as follows:
- Considering we want to authorize user using EAP and MAC addresses
- http://wiki.freeradius.org/Mac-Auth works fine, but is it possible to
do EAP with one radius server and MAC address auth with another one ?
BR,
--
Emmanuel BILLOT
ID 224 with timestamp +39
Cleaning up request 1 ID 225 with timestamp +39
Cleaning up request 2 ID 226 with timestamp +39
Cleaning up request 3 ID 227 with timestamp +39
Cleaning up request 4 ID 228 with timestamp +39
Waking up in 0.3 seconds.
Cleaning up request 5 ID 229 with timestamp +40
Cleaning up request 6 ID 230 with timestamp +40
Ready to process requests.
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
unnel : request -> authorize section -> Found type LDAP ->
LDAP working
Why is there an "authenticate section" for EAP and a direct use of LDAP
section for LDAP ?
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière -
On 12/06/12, Alan DeKok wrote:
> Emmanuel BILLOT wrote:
> > Could you explain what is the difference between the default file and
> > the inner-tunnel file in /etc/raddb/site-enabled ?
>
> This is documented in the comments at the top of the files.
>
> T
file
/etc/raddb/sites-enabled/inner-tunnel
Is there any docs about the complete processing of EAP authentication ?
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57
Hi,
I guess this question has already been posted, but I can't find any
"good" answer in any google search.
Is it possible or not to access samba share with and freeradius
authentication? No answer found on samba site.
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et R
On 21/05/2012 11:04, Alan DeKok wrote:
Emmanuel BILLOT wrote:
So you mean that NAS (indeed access point for us) have to understand
attributes. Any RFC that NAS doc may refer to ?
Lots. But that doesn't matter. The NAS documentation describes what
attributes the NAS understands.
On 21/05/2012 10:47, Alan DeKok wrote:
Emmanuel BILLOT wrote:
Hi,
Thanks for your answers.
So you mean that NAS (indeed access point for us) have to understand
attributes. Any RFC that NAS doc may refer to ?
If there isn't any doc or attribute, do you know any way to manage
ptive portal, and attributes
can be managed in portal configuration. Is it possible with EAP access
(native client or secure w2 like ?)
BR,
--
Emmanuel BILLOT
CATEL - Dpt. Système et Réseaux
Rectorat - Académie d'Orléans-Tours
10, rue Molière - 45000 Orléans
Tél : 02 38 79 45 57