Are you sure the RADIUS secret is the right one?
On Wed, Oct 2, 2013 at 12:14 PM, JB wrote:
> Hi!
>
> We're proxying auth requests to another RADIUS service and encounter the
> following problem:
> The password seems to get changed somewhere along the way.
> In our case, a 9 character password
Didn't you make another fix afterward regarding AT_IDENTITY (commit
cfd61d24b99022eb613054bbf7e0da4fa3af1bde)? Not the patch from Microsoft.
I know I have to patch the 2.2.0 source in our RPMs with this commit otherwise
it fails ;)
On 2012-11-06, at 10:15 AM, Alan DeKok wrote:
> Phil Mayers wr
Hi,
>
>> -what should I configure to get more than 2 Access-Request
>
> You don't. The client is stopping because it thinks something is wrong.
> Upgrade to 2.2.0 and try again - if the same thing happens, you need to debug
> on the client.
You need to also add a patch that has been committed
On 2012-10-12 1:22 PM, Mike Diggins wrote:
Unable to read consumer identity
Because your RHN stuff appears to be broken.
--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
Thank you very much!!
--
Francois Gaudreault, ing. jr
fgaudrea...@inverse.ca :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence
(www.packetfence.org)
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
the HLR
using SS7 so the RAND comes from the HLR/AuC, and SRES/Kc is sent back
to the HLR to perform the authorization check :)
The only way to test it without having that kind of infra is to
pre-compute stuff to simulate the HLR calculations (offlist message).
Thanks!
EAP-SIM.
Well you are probably right, but when providers will start pushing 3G/4G
offload for real (if they ever do), there are not many ways of doing
it... I think :P The reason of those tests on our side is to support
WISPr and/or NewGen hotspots with our product.
Thanks!
o know what the supplicant is here, too?
I tested with an iPhone 3GS device running 5.0.1. I still need some
bytes to make it work and test with our Android (get the SRES/Kc from
the Micro-SIM).
I don't know if others on the list made it work with that patch on.
faa637730ef396fe15b1
db33121f3c7923c35b8ad3d0c0a7cd3e7eb01a19 M src
Hope it helps :)
ther question I have is, do I need more than 3 triplets line with 2.2.0?
file /usr/local/pf/raddb/sites-enabled/packetfence
+- entering group REJECT {...}
[attr_filter.access_reject] expand: %{User-Name} ->
i...@wlan.mnc720.mcc302.3gppnetwork.org
attr_filter: Matched entry DEFAULT at line 11
++[attr_filter.access_reject] returns updated
Delaying reject of reques
Tunnel-Type:0 = VLAN
Message-Authenticator = 0x0000
Tunnel-Private-Group-Id:0 = "10"
Tunnel-Medium-Type:0 = IEEE-802
User-Name = "i...@wlan.mnc720.mcc302.3gppnetwork.org"
MS-MPPE-Recv-Key =
0x6d540f94b0b70378232cb2
f7 - ID
000c - length
12 - EAP-SIM
0e - subtype 14 - client error
1601 - client error junk
Hmmm interesting. But how can it be working on 2.1.12 with the exact
same client and config? Maybe I can retry with 2.2.0 and see if I still
get this error on multiple retries. I'll get back t
Hi,
That's not nice. The module should return some kind of message.
If you say so :P
This looks like an issue for digging into the code.
Ok. Let me know if you need me to test anything, I will be glad to do so :)
Thanks!
Hi,
On 2012-09-11 4:05 PM, Phil Mayers wrote:
On 09/11/2012 07:49 PM, Francois Gaudreault wrote:
Hi,
I am playing with EAP-SIM on 2.2.0, but I am facing an issue I cannot
even understand :S Not because I don't want to, but the error messages
are not talking much.
I did compute SRES/K
post-auth {...}
++[exec] returns noop
++[reply] returns noop
} # server packetfence
Sending Access-Accept of id 34 to 10.0.0.24 port 1051
Thanks!
Thanks Alan. We will rework our use case then :)
On 2012-08-22 1:46 AM, Alan DeKok wrote:
Francois Gaudreault wrote:
On each requests, we want to proxy it to a primary server, if it's
succeeding, move on, but if the authentication fails, we need to proxy
to a secondary server. It'
s, we need to proxy
to a secondary server. It's not fail-over we are looking for.
Thanks!
e the Samba configuration?
In a quick test, with the server in domain1, I ran ntlm_auth and specified
domain2, which failed to authenticate the user.
Thanks,
Dave A.
from one strings worth of data.
This problem requires a real programming language. Use Perl.
Will do. I was just trying to avoid external scripting for that.
Thanks.
roup2,dc=inverse,dc=local"
Right now, the Ldap-Group will only contain the first group of the list.
Thanks!
ec
file to include the patch you find in the above fedora build.
Instructions on how to build an RPM from an SRPM can be found here:
http://wiki.freeradius.org/Red_Hat_FAQ
/lib/libpthread.so.0
#16 0x00b7645e in clone () from /lib/libc.so.6
(gdb) quit
I am not aware of the issue for other CentOS 5 version, or CentOS 6.
Thanks.
a bit of syslog into
a nice syslogNG server with DB backend would do just as well (and be more
usable
by other systems - IMHO) )
I see. Well I will try to do something on my side then. I believe it
is not that complicated using their perl framework.
Thanks!
acketFence (long term project).
Thanks!
urns invalid
Failed to authenticate the user.
I tried to put the blob before eap in authorize or after, but the result
is the same. It breaks when entering the authenticate section.
On 12-02-10 4:52 AM, Phil Mayers wrote:
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-U
-dahport$) from EAP-MSCHAPv2
On 12-02-09 12:32 PM, Francois Gaudreault wrote:
Interesting. Let me give it a shot and see how it goes.
Thanks!
On 12-02-09 12:19 PM, Phil Mayers wrote:
On 09/02/12 16:42, Alan DeKok wrote:
The issue could be somewhere else. From what I recall, host
authentication
and it's not impossible something would break, or
some security hole be opened up...
ing AD, we are
using LDAP populating the NT-Password field, we don't need this
ntlm_auth line in the mschap module do we? Like I said, it's working
well with user authentication.
assword are
properly handled when we do user auth, and the printout in debug is also
in a 0xsomething format.
urns reject
My MSCHAP Config :
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
}
Any thoughts?
Thanks!
appreciated.
Thanks in advance
Hitesh Vinzoda
Network Administrator
+91-9924117399
www.vinzoda.in
"There are 10 types of people in this world.
One who can understand binary and other's can't."
at it
doesn't support EAP, and the way it agglomerates the request results (ie.
<10s, <1s, etc), you can't tell the real response time.
.el6.x86_64
regards,
Fred MAISON
On Monday, 07 November 2011 at 13:23 -0500, Francois Gaudreault wrote:
Hi,
It works for me on CentOS 6, I am using the same .spec (with only the
module name changed from freeradius2 to freeradius).
I am not an expert, but I guess the issue is with libtool, what
: Leaving directory
`/home/support/rpmbuild/BUILD/freeradius-server-2.1.12/src'
gmake[1]: *** [src] Error 2
gmake[1]: Leaving directory
`/home/support/rpmbuild/BUILD/freeradius-server-2.1.12'
make: *** [all] Error 2
erreur: Mauvais status de sortie pour /var/tmp/rpm-tmp.nHYNKs (%build)
Erreur
g(noreplace)
/etc/raddb/radrelay.conf
Best regards,
Fred MAISON
o, if you can (unicast, if you want) show the "netsh lan show profile"
output from a command prompt please?
ed it works at *all*.
You bet. It was two controller from the same manufacturer, just
different model/firmware :S
The problem seems to be that the .spec file is out of date and not naming
all files, as is required.
I don't use the bundled .spec file, so haven't looked at it in years. We
should probably just use the one that RedHat are using these days.
sues cause
> you to debug the CLIENT.
>
> If the server returns the wrong thing... you can fix the server. For
> pretty much everything else, blame the client.
>
> Alan DeKok.
are using these days.
DHCP-Discover" section, which sub should I redefine in the perl script?
need to establish a different (basic for now) lease policy by
interface (ie. different network range). How can I know from which
interface the request came?
PS. By the way, if I don't set ipaddr = * , broadcast are not handled.
Normal?
That's fine, I understand that.
On 11-09-20 1:56 PM, Phil Mayers wrote:
On 09/20/2011 06:15 PM, Francois Gaudreault wrote:
Hi Phil,
It's been a while since we did not receive feedback about that SoH and
DHCP enforcement. I am just wondering if you had some news about it.
Sorr
-Login-Source SSH 32
VALUE Symbol-Login-Source Telnet 64
VALUE Symbol-Login-Source Console 128
VALUE Symbol-Login-Source All 240
Hi Phil,
It's been a while since we did not receive feedback about that SoH and
DHCP enforcement. I am just wondering if you had some news about it.
Thanks!
On 11-07-20 2:36 PM, Phil Mayers wrote:
On 07/20/2011 06:07 PM, Francois Gaudreault wrote:
Hi,
I am trying to make th
Hey Phil,
Any chance you have some developments about that DHCP SoH thing?
rom 0.0.0.0:67 to 255.255.255.255:68
DHCP-Subnet-Mask = 255.255.255.0
DHCP-Router-Address = 10.0.0.1
DHCP-Domain-Name-Server = 4.2.2.2
DHCP-IP-Address-Lease-Time = 86400
DHCP-DHCP-Server-Identifier = 10.0.0.243
Finished request 1768.
eap.stripped-user-name == mschap.username:
ok
reject
else:
reject
I will try to investigate this tomorrow when I get back to the office.
Aight. Keep us posted.
Did you have a chance to look at it?
Thanks!
Hi,
On 11-05-30 9:55 AM, Phil Mayers wrote:
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john are the same
person; you can't just ignore the fact that the client has changed
their username.
True. But I don't
mething is broken at the supplicant
level. In windows 7, the OS is brilliant enough not to send the
machine name. However, mainly 80% of his machines are Windows XP.
rname/password
as a domain user, then use "send username automatically"
We tried it, and the machine appears to be sending the machine name
anyway. It will work only if we don't send the credentials automatically.
Thanks!
id 8 length 38
[eap] Continuing tunnel setup.
++[eap] returns ok
Found Auth-Type = EAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group authenticate {...}
[eap] Request found, released from the list
[eap] EAP/peap
[eap] processing type peap
[peap] processing EAP
uys, it is appreciated. I will get you the
debug information and the sites configuration as soon as I can.
Have a nice weekend.
ser-name in the LDAP filter and in the ntlm_auth line.
Again, we are *NOT* rewriting the User-Name.
We need other ideas here.