I think I know the answer to this question but I wanted to check with the Gurus!
Does FreeRADIUS give a fig about what the username is? If it were all numeric,
say 123456789 I guess it is happy with that? It's just a string to FreeRADIUS?
If there was to be an issue, it would be the back end aut
An interesting one for the list ...
We are installing a Palo Alto firewall and it has a way to pass Username/IP
mappings from FreeRADIUS to a Windows "User ID Agent", which is then queried by
the firewall.
The method employed is to use a Perl module (PAN::API), which has a simple API,
basicall
Yes. Do something like this:
{
    my %static_global_hash = ();
    sub post_auth {
        ...
    }
    ...
}
static_global_hash will then be available on each call to the subs so you can
store some kind of state between requests that you handle.
The trick is placing the whole lot into a {} block. Perl can be odd a
On 18 Feb 2011, at 14:26, Phil Mayers wrote:
> On 18/02/11 14:16, Dean, Barry wrote:
>> I have been asked to do just this and I am working on the solution
>> now.
>>
>> We wanted to use multiple pools of VLANs/Subnets and assign "Staff"
>> to one
I have been asked to do just this and I am working on the solution now.
We wanted to use multiple pools of VLANs/Subnets and assign "Staff" to one pool
and "Students" to the other. Then to select a VLAN within the pool, use a
hashing function and select a VLAN.
One concern I have is when is po
On 13 May 2010, at 10:15, Alan DeKok wrote:
> Dean, Barry wrote:
> ...
>> [ldap] performing search in OU=UOL,DC=adserer,DC=liv,DC=ac,DC=uk, with
>> filter (sAMAccountName=user)
>> [ldap] looking for check items in directory...
>> [ldap] looking for reply items
On 13 May 2010, at 06:54, Alan DeKok wrote:
> Dean, Barry wrote:
>> I am working on a new radius config and have been trying to avoid the lookup
>> in LDAP I have been seeing for the outer identity.
>>
>> I have moved to 2.1.8 with the inner-tunnel virtual hos
I am working on a new radius config and have been trying to avoid the lookup in
LDAP I have been seeing for the outer identity.
I have moved to 2.1.8 with the inner-tunnel virtual host enabled.
I have an authorise section for the relevant virtual server that has:
authorize {
I have been having problems compiling rlm_perl on Solaris 10 Intel and have
spent days googling for an answer.
Most answers say: "use --without-rlm_perl", which is not much use when you
actually *need* it!
Here is what I did to solve it, hopefully this will save someone some pain:
Firstly, my
Thanks for this, and thanks to Bob Franklin too. I have something
working now by selecting on client name and re-writing the User-Name
to append "bcm", then proxying that alone to the NAC servers. This
leaves all the config I had before for my existing domains alone.
I might try the other vir
I currently run two virtual servers, one for our local secure wireless
and one for eduroam customers.
The local one receives RADIUS packets from Bradford Campus Manager,
which is responsible for Network Access Control and stamps Auth-OK
replies with the VLAN for the user.
What I want to do
I have been asked if it is possible to run two SSIDs on our wireless,
let's call them A and B that authorise against a FreeRADIUS server
running as two virtual servers radiusA and radiusB.
What we want is to have radiusA use a different server certificate
from radiusB.
However, as I see it, thi
PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 23 September 2008 14:59
To: FreeRadius users mailing list
Subject: Re: RADIUSD amnesia!
Dean, Barry wrote:
> My RADIUS server forgot about some clients, all by itself, honest!
Nope. You have clients listed as *hostnames* rat
I am somewhat confused.
My RADIUS server forgot about some clients, all by itself, honest!
Users stopped being able to authenticate (I say users, we had one!), using
eduroam from Portugal, turns out that some time after September 5th, the RADIUS
server stopped recognising the JANET roaming RADI
I currently have a realm defined:
realm liv.ac.uk {
    type= radius
    authhost= LOCAL
    accthost= LOCAL
}
I now have one of my departments, which for various complex reasons, has been
allowed to have its own user accounts.
They have the subdomain name
Alan DeKok
Sent: 05 June 2008 12:17
To: FreeRadius users mailing list
Subject: Re: 1.1.7 to 2.0.2 config for Realms problem
Dean, Barry wrote:
> I have a problem with a realm configuration that used to work with FR 1.1.7,
> but does not work at all with 2.0.2 and virtual servers.
>
I have a problem with a realm configuration that used to work with FR 1.1.7,
but does not work at all with 2.0.2 and virtual servers.
I have a virtual server defined in sites-available/janet-roaming thus:
server jrsradius {
listen {
ipaddr = jrsradius2.liv.ac.uk
Alan DeKok said:
> It is impossible to use CHAP to authenticate to AD. You MUST use
> MS-CHAP, or PAP.
When testing my Radius server with AD and XSupplicant I found that EAP-TTLS
with MD5 inner auth and EAP-MD5 as well as EAP-TTLS with CHAP inner auth all
failed.
So you have explained why EA
I know this is not strictly a FreeRADIUS problem, but I am betting someone on
this list has been here and got the tee shirt!
I have joined my two RADIUS servers (FreeRADIUS 2.0.2, Solaris 10 x86, winbindd
3.0.25a) to our AD domain with the "net join" command. This worked
(eventually!).
Now whe
> Hi,
>
>> rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032,
>> id=195, length=49 User-Name = "user"
>> User-Password = "passwd"
>> NAS-IP-Address = 138.253.XXX.XXX
>There. No MS-CHAP-Challenge. You are not supposed to process this packet with
>the rlm_mschap
Debug:
==
rad_recv: Access-Request packet from host 138.253.XXX.XXX port 47032, id=195,
length=49
User-Name = "user"
User-Password = "passwd"
NAS-IP-Address = 138.253.XXX.XXX
+- entering group authorize
++[preprocess] returns ok
++? if ("%{User-Name}" =~ /barre
I am migrating my RADIUS from:
a) FreeBSD, FreeRADIUS 1.1.7, eDirectory lookups.
to
b) Solaris 10 x86, FreeRADIUS 2.0.1, Active Directory, winbindd etc.
I stripped out all the LDAP stuff from the config, enabled ntlm_auth in the
mschap module, changed the users file DEFAULT entry from LDAP to
> "man unlang". Look for "case-insensitive". In this case, you would
> delete that "users" file entry, and use "unlang"
> authorize {
> ...
> if ("%{User-Name}" =~ /special/i) {
> update reply {
> Reply-Message = "Cannot use this user account"
>
I am testing my current 1.1.7 config with version 2.0.0.
I have 2 bits of config that are not quite right on 2.0.0
1) I have the line:
filter = "(cn=%{Stripped-User-Name:-%{User-Name}})"
I am not sure why, I inherited this setup and I am still trying to understand
it. The LDAP server i
This fixed the problem for these users. Thanks to the list, and special thanks
to Alan for solving this.
---
Barry Dean
Networks Team
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Dean, Barry
Sent: 13 November 2007 09:31
To: FreeRadius
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 09 November 2007 15:11
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!
Dean, Barry wrote:
> The debug output (private data masked) can be picked
CTED] [mailto:[EMAIL PROTECTED] On Behalf Of Alan DeKok
Sent: 08 November 2007 16:21
To: FreeRadius users mailing list
Subject: Re: Some users can't login after upgrade!
Dean, Barry wrote:
> We also use RADIUS with EZProxy. I used a spare EZProxy test box and asked
> the user to logi
The configuration I had was FreeRADIUS 1.1.4 running on NetBSD_3.0 (STABLE)
authenticating to Novell eDirectory using LDAP.
All was fine...
I upgraded to FreeRADIUS 1.1.7 and all seemed OK, until two of my users found
they can no longer login to the Cisco VPN3000 which uses this RADIUS. The log
28 matches