New job - I'll be back - hopefully
Unsubscribe
This email is intended to be reviewed by only the intended recipient
and may contain information that is privileged and/or confidential.
Unsubscribe
Re: Unsubscribe
To Unsubscribe visit following link
http://lists.freeradius.org/mailman/listinfo/freeradius-users
brgds
es
From: Gary Gatten ggat...@waddell.com
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org
Sent: Monday, 28
I agree with Jake, in that I *think* it would be possible to have a plugin or
whatever interface with LDAP/AD in the same manner ntlm_auth does. I don't
think one *needs* a cleartext password, but does need some way to compare
apples-to-apples. That said, I don't know the inner workings of
I'm just guessing, and could be WAY off, but may be an inner-tunnel vs.
outer-tunnel thing. I think there's an option to copy inner-tunnel attribs to
outer-tunnel attribs. Maybe start searching in those areas and wait for
someone that actually knows something about FR to reply. I used to
There may be configure options in FreeRadius to ignore / not use mySQL - I
don't *think* it's required for a basic install. Or, maybe you simply need to
upgrade the version of mySQL on your system?
G
-Original Message-
From:
Yup. One could create a management / auth VLAN of sorts. Set the source port
for RADIUS/Auth/etc. to be said VLAN. In theory then you would need only a
single network entry in clients conf, and if you wish, reject traffic from any
other unauthorized nets / IP's.
We do something similar as
Are you talking about in the clients.conf file? It supports network based
secrets, such as 10.0.0.0 255.0.0.0 = mysecret.
I don't know if you can permit every IP with a single line, but it's possible
with several lines as noted above, especially if the first octet of the IP
doesn't change
Yup. Typically once something fails I consider it questionable / unstable
until it proves itself to me again. The routing / circuit analogy is a perfect
example.
Many HA things allow the user to configure preemption or not - such that once
the primary node fails and the secondary takes over,
The DVLAN is after a successful authentication, so I don't *think* it matters
how the password is stored and such. If you can authenticate ok, then you move
to the authorize section and do DVLAN through whatever means.
Note: I am a FR beginner myself, don't take my word for anything!
-
Let me TRY to address a couple points here.
1.) Admins logging in to network devices: telnet, ssh, etc.
The Network Device, if properly configured, sends a RADIUS request to the
RADIUS server. If you run FR in debug mode you'll see the request come in and
all the attributes thereof. FR,
Exec-Program output: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Exec-Program-Wait: plaintext: Exec-Program: FAILED to execute
/usr/local/etc/raddb/modules/ntlm_auth: Permission denied
Your path to ntlm auth is wrong. You need to specify the path to
( or \(, and,
more broadly, setting Stripped-User-Name) (Alexander Clouter)
3. RE: Error with AD/freeradius config (Gary Gatten)
--
Message: 1
Date: Fri, 15 Jul 2011 16:31:34 +0200
From: Arran Cudbard-Bell a.cudba...@freeradius.org
] On
Behalf Of Arran Cudbard-Bell
Sent: Thursday, July 14, 2011 10:34 AM
To: FreeRadius users mailing list
Subject: Re: Error with AD/freeradius config
On Jul 14, 2011, at 5:18 PM, Gary Gatten wrote:
I don't think you need braces and such, this is not as much an auth type as a
method
Try just
config (Phil Mayers)
2. Re: SoH - FR 2.1.11 (Phil Mayers)
3. RE: Error with AD/freeradius config (Gary Gatten)
--
Message: 1
Date: Thu, 14 Jul 2011 16:13:28 +0100
From: Phil Mayers p.may...@imperial.ac.uk
Subject: Re
RADIUS - Half the complexity of Diameter
Good one!
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Arran Cudbard-Bell
Sent: Tuesday, July 12, 2011 2:35
Welcome Arran! I'm hoping your responses will contain all the witty banter and
helpful criticism as Mr. DeKok's?
:)
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org]
MAC-Auth has its place, but I agree with some others this isn’t the best fit.
MAC spoofing = easy. User gets new NIC or computer = often.
“You” don’t need to do anything on the client. How about you set a default
VLAN with restrictions, a captive portal of sorts. They don’t need to “login”,
Fix it real quick before many download it, call it 2.1.11.1 - or 2.1.11a :)
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Alan DeKok
Sent: Monday, June
Snip
much like a big red button that says 'dont press' ;-)
Ah, I did that once just to see what would happen. I STRONGLY recommend
against it.
No I really didn't, but it is REALLY tempting some days!
Yup, maybe a M$ AD or MySQL forum? More likely someone there has a
replication - or at minimum a dump all script to take AD info and dump into
MySQL.
I SORTA like the idea though - could come in handy when AD Admins won't
cooperate with what you're trying to do. But this assumes they're give
Oh oh... I can already feel the pain - I'm very empathetic... No, not
pathetic. Well, some would argue that point.
ANYWAY - If I were you I'd put the flame suit on cause it's almost a sure thing
you'll be getting toasty very soon :)
-Original Message-
From:
OK - I'll check with them. Don't hold your breath though! 1.) They're not
known to be the most responsive. 2.) I'll likely have to seek approval before
sharing the code, and that could take who knows how long... MAYBE I could
sanitize it and break it apart into ... blocks? And the post the
Huh? It sounds like you already have it reporting the NAS IP. Are you saying
you want it to report the client IP? Doesn't it already do that in
radiusd.log?
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
Yeah, that version may help ;). Lots has changed since then, if you can upgrade
I would. Else. If you run it in debug mode does it spew what info you want?
Maybe you can somehow wrap it with a tee process and then massage that output
as you wish.
From: Jason Frawley
Check out the command options of ntlm_auth: --require-membership-of. If group
name doesn't work, try the SID of the group.
G
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
The type of auth is determined by the client / NAS / Supplicant. FR just does
what it's told. Hence, you would need to implement changes on the devices
requesting auth.
G
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
Can one not override the ... not sure what it would be called... Example; if
I tell FR to use NTLM_AUTH to authenticate a request against AD, and AD returns
a reject, can I not override the reject with and accept using update
control or some similar function?
G
-Original Message-
FWIW the link below doesn't work - at least for me.
Grit::GitRuby::Internal::LooseObjectError at /FAQ
size mismatch
file: loose.rb location: get_raw_object line: 59
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
Hey, a Q I may be able to answer! It may depend a bit on distro, but
typically: /usr/local/var/log/radius/radacct/%NAS-IP%/detail-mmdd. It is a
text file.
HTH
G
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
Yeah, not sure what Abooba does when it terminates PEAP, but it weirds things
out sometimes. Still doesn't explain why XP just worked but W7 had bunches of
issues, but I can attest that making the Abooba controllers pass *eap to FR
works better - maybe works 100%.
The only thing we noticed is,
I can't comment on your problem right now, but be aware there seem to be MANY
issues with Windows 7. Our config works PERFECT with XP, Apple IOS, and other
basic stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into
all kinds of weirdness. And just when we think we have a
One point of clarification:
PEAP uses TLS. PEAP needs certs too.
Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a
common example.
G
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
@lists.freeradius.org] On
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:01 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:50, Gary Gatten wrote:
I can't comment on your problem right now, but be aware there seem to
be MANY
If one has (just for example) 1000 groups, this is a lot of overhead - checking
every group. Also, what if they belong to several groups? The last group
checked would be the only one that matters - unless of course you account for
that somehow in your code.
Is there a way to reference the
with Win7 and WPA/WPA2 Enterprise
On 18/05/11 16:59, Gary Gatten wrote:
One point of clarification:
PEAP uses TLS. PEAP needs certs too.
Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a
common example.
Incorrect. PEAP *requires* a server certificate. The client
-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Phil Mayers
Sent: Wednesday, May 18, 2011 11:27 AM
To: freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked
: Wednesday, May 18, 2011 12:29 PM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: Re: Authentication issues with Win7 and WPA/WPA2 Enterprise
On 18/05/11 17:10, Gary Gatten wrote:
I would LOVE if W7 just worked! People here are blaming FR and I'm
trying
and use my windows credentials option.
Thanks!
Gary
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Wednesday, May 18, 2011 12:41 PM
If I knew more about it I would take my time to write some ... examples, use
cases, case studies, whatever. But, I can barely get by - each time I think I
understand something it turns out I really don't. I don't want to spread bad
info so I say nothing - usually :)
IMHO a good starting
(Was: Using LDAP with
EAP-TLS)
Gary Gatten wrote:
I will step up to the plate and offer up a standard format for a Recipe. I
will pick an easy deployment scenario - such as: How do I configure FR to
authenticate VTY access to my Cisco gear using AD on the backend, and users
must
Is 3.0 avail now to test, or should I find that string and implement said patch
on 2.1.10?
- Original Message -
From: Alan DeKok [mailto:al...@deployingradius.com]
Sent: Friday, May 13, 2011 12:09 AM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re:
I just compiled / installed 2.1.10 on RHEL yesterday, zero problems. I don't
know about Chkconfig - I'm just testing it so launched it manually.
G
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
I just have a sec..
If you're taking the time to upgrade, maybe try 2.1.10? I think it's the
latest stable release?
Also, I've seen many times on this list to not simply copy config files from
one version to another. I would assume this is especially true when going from
FR 1.x to 2.x as
Good morning,
I'm wanting to upgrade to 2.1.10, however, I want to install *all* files to a
different location so I don't overwrite *any* 2.1.6 production files. Once
I've validated operation on 2.1.10 I'll install it to its normal location.
So, if I specify --prefix=/devel/; will this work
]
Sent: Wednesday, May 11, 2011 11:16 AM
To: FreeRadius users mailing list
Cc: Gary Gatten
Subject: Re: Install new version (2.1.10) to completely different location
On 05/11/2011 12:04 PM, Gary Gatten wrote:
Good morning,
I'm wanting to upgrade to 2.1.10, however, I want to install **all
: John Dennis [mailto:jden...@redhat.com]
Sent: Wednesday, May 11, 2011 11:54 AM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Cc: Gary Gatten
Subject: Re: Install new version (2.1.10) to completely different location
On 05/11/2011 12:24 PM, Gary Gatten wrote:
Thanks
...@deployingradius.com]
Sent: Wednesday, May 11, 2011 01:48 PM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Install new version (2.1.10) to completely different location
Gary Gatten wrote:
I’m wanting to upgrade to 2.1.10, however, I want to install **all**
files
Hello,
There are some minor diffs between the doc on deployingradius.com and the
embedded doc in the mschap module. Which one should I use? Specifically, what
is the correct ntlm_auth command string, and should I enable the
with_ntdomain_hack in the mschap module?
TIA!
Gary
PAP works, MSCHAP fails - specifically MSCHAPv2.
This is a fresh install of 2.1.10, built from source. I'm using ntlm_auth;
samba version 3.0.33-3.7.el5 I also have version 2.1.6 running on the same box
and it mostly works: seems to work with everything except Winblows7, hence I
installed
Yes, but I don't know what that means exactly. WHY is there no NT/LM
password? My 802.11 controller test auth function seems to work fine on
2.1.6; and I'm using the same user info.
My ignorance is getting in my way, hence my post. Several years ago I was
making headway, but I've forgotten
=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Phil Mayers
Sent: Wednesday, May 11, 2011 3:38 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: MSCHAP failing on new 2.1.10 install
On 05/11/2011 09:12 PM, Gary Gatten
] On
Behalf Of Phil Mayers
Sent: Wednesday, May 11, 2011 3:41 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: MSCHAP failing on new 2.1.10 install
On 05/11/2011 09:29 PM, Gary Gatten wrote:
PS: I apparently have to leave the DEFAULT Auth-Type = ntlm_auth in
the users file or nothing works
=waddell@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Wednesday, May 11, 2011 3:43 PM
To: 'FreeRadius users mailing list'
Subject: RE: MSCHAP failing on new 2.1.10 install
I told it to use ntlm_auth, I guess it's not listening. I followed docs AND
RTFM, guess I missed something
I
a LONG time for this one. Maybe I can/will
submit a feature request for such a thing...
Gary
-Original Message-
From: John Dennis [mailto:jden...@redhat.com]
Sent: Wednesday, May 11, 2011 4:17 PM
To: FreeRadius users mailing list
Cc: Gary Gatten
Subject: Re: MSCHAP failing on new 2.1.10
I ended up doing something similar, so yeah that will work. Lots of ways to do
it I guess. At minimum perhaps a BIG WARNING in the README's telling you to
not make file backups in the live directories. Or, maybe do something like
the sites directory for modules and others: modules-available
/09/2011 10:55 PM, Gary Gatten wrote:
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure (0xc06d)
Exec-Program: returned: 1
[mschap] External script failed.
[mschap] FAILED: MS-CHAP2-Response is incorrect
++[mschap] returns reject
You've
, May 10, 2011 03:55 AM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7
On 05/09/2011 10:55 PM, Gary Gatten wrote:
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon failure
:34 AM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: Re: PEAP/MSCHAPv2 failing with Windows 7
On 05/10/2011 01:20 PM, Gary Gatten wrote:
Sorry, I trimmed because everything is the same between success and failure
up until the exec program output...
Well
I think it's 2.1.6, maybe 2.1.7.
I can/will upgrade, but the symptoms lead me to believe it's a windows thing.
What leads you to believe an FR upgrade would fix it?
- Original Message -
From: Garber, Neal [mailto:neal.gar...@iberdrolausa.com]
Sent: Tuesday, May 10, 2011 08:44 AM
To:
Hello,
We use Aruba Wireless gear. We're using 802.1x PEAP, MSCHAPv2, use windows
credentials. Everything is working great with this setup until we started
testing / trying Windows 7 clients. They fail with:
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon
Option 4.) Dump data from ACT to a real DB, then dump ACT completely? j/k -
sorta... Does ACT support triggers and / or stored procedures? If so it would
be relatively easy to keep a subset of the ACT DB in MySQL (or whatever) and
keep it synchronized.
If ACT is ODBC, I'm sure one could
Will you be using some backend database; LDAP, AD, eDirectory, etc.?
Typically RADIUS either permits or denies based on a query reply it receives
from the backend system. I don't *think* you would be allowed to change your
password via RADIUS (it typically only has RO access to the DB, and I'm
Gary Gatten ggat...@waddell.com wrote the following:
Will you be using some backend database; LDAP, AD, eDirectory, etc.?
Typically RADIUS either permits or denies based on a query reply it
receives from the backend system. I don't *think* you would be allowed to
change your
Yup - I *think* the unix module (*nix) is enabled by default, so it should
just work. Perhaps check your radiusd.conf and $radius/sites-enabled/default
to ensure it's enabled. But, I guess it may depend on what type of
authentication requests you are speaking of.
Hmmm, I don't know how to set this (source code hack?), but what in the heck
are you doing that takes so long? I'd think your target should be less than 3
seconds and for SURE less than 10 seconds. I think the thread is tied to this
waiting, so you're gonna severely limit your throughput and
If some environment REALLY needs 10,000 tps, maybe you could write some sort of
replication/sync engine between LDAP and fast users? And of course there's
always multiple methods of load balancing.
- Original Message -
From: Fajar A. Nugraha [mailto:l...@fajar.net]
Sent: Saturday, March
Dude, you are SO gonna get flamed - put your flame suit on! Hopefully Mr. DeKok
is in a good mood! ;-)
So you want some users to auth with username/passwd; and others with MAC or
some other means?
There's been numerous posts about similar requirements, plus:
Man unlang, man radiusd, etc.
I don't know about all your questions, but, during my testing I found that if I
start radiusd -X somefile.log and then run it in the background, I can
grep/tail somefile.log for stuff I need. Perhaps you could do something
similar to get the results of your query? I'm sure you could find
FBSD allows one to easily change the scheduler, MAYBE that would help?
-Original Message-
From: freeradius-users-bounces+ggatten=waddell@lists.freeradius.org
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Danial
Sent: Wednesday, March 09,
Good idea, but no help. It only returned default, which is one of the first
files I checked, double-checked, replicated, etc.
I'm wondering if I zip my raddb dir if you (or someone) would be willing to
test it on your system and see if you get similar results? It's not a huge
deal anymore
Gdb
From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 04:59 PM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: FR 2.1.7 Exits for no reason
Hey all,
So the host-based auth stuff is working well now, but we've discovered
I'm pretty sure this is discussed, examples, etc in the doc: online and in FR
conf files. Sorry I don't have exact location handy, but I'm sure it's there.
From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 05:02 PM
To: freeradius-users@lists.freeradius.org
figure out why something isn't working any more?
--J
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Tuesday, March 08, 2011 5:06
pages of radiusd -X output from
both servers, but I captured and diff'd those and accounted for all diffs from
the startup process. As noted, I also replicated the most common conf files
that I probably tweaked. Weird...
Thanks!
Gary
-Original Message-
From: Gary Gatten
Sent
: Saturday, March 05, 2011 12:38 AM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Hopefully quick question: conditional processing sneaking in
and setting Auth-Type
Gary Gatten wrote:
I can’t find where this conditional processing is happening. I have
FR just does what it's told. I think the settings need to be changed on your
wireless gear.
- Original Message -
From: Guy [mailto:g...@britewhite.net]
Sent: Saturday, March 05, 2011 10:46 AM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject:
I can't find where this conditional processing is happening. I have two FR
servers with nearly the same config. Auth works on one, but not the other:
Both servers set auth type to MS-CHAP:
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
Everything is the
I kinda like your caching idea, but not sure of any security implications.
I have (2) FR servers (each pointing to different DC) and my NAS's are
configured to use both. But, iirc if AD is down on the backend FR still
replies (with something) so the NAS never rolls over to the other FR server.
Try ../sites_enabled/default; or if *eap requests it would be inner-tunnel, - I
think...
From: Paulo Maia [mailto:phc.m...@gmail.com]
Sent: Friday, March 04, 2011 06:43 PM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: Freeradius 2
Did you compile or install via
First, is your last name really McNutt? And, have you ever been by the house
near MU that has camels and zebras in the front yard?
- Original Message -
From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Monday, February 28, 2011 04:52 PM
To: FreeRadius users mailing list
has taken the kids there, but I have never
been.
--J
-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Monday, February 28, 2011 5
Read the doc on ntlm_auth. There's an option like require membership of.
I'll leave the other question to someone more knowledgeable as I was/am in a
similar position.
- Original Message -
From: Moe, John [mailto:j...@hatch.com.au]
Sent: Monday, February 28, 2011 06:00 PM
To:
PS: you'll likely need to use the SID of the group, I could not get it working
with the group name - YMMV.
- Original Message -
From: Gary Gatten [mailto:ggat...@waddell.com]
Sent: Monday, February 28, 2011 06:14 PM
To: 'freeradius-users@lists.freeradius.org'
freeradius-users
I'm CERTAINLY no expert in this, but I can hopefully point you in the right
direction.
There is some doc within the FR install (and the Wiki I think) about writing
your own modules - I think this is what you want. Although, I think you can
do pretty much anything with rlm_perl and unlang, but
-users-bounces+tdimmig=impulse@lists.freeradius.org
[mailto:freeradius-users-bounces+tdimmig=impulse@lists.freeradius.org] On
Behalf Of Gary Gatten
Sent: Wednesday, February 23, 2011 3:24 PM
To: 'FreeRadius users mailing list'
Subject: RE: non-standard authentication
I'm CERTAINLY no expert
Lol, probably. If these are large 802.11x nets, typically deployments of that
scale use dumb WAPs and smart controllers that handle the load sharing. If
they're wired nets, doesn't make any sense to me.
- Original Message -
From: Phil Mayers [mailto:p.may...@imperial.ac.uk]
Sent:
If no one else pipes in I'll try to help, but I'm gone for the night.
From: E Rossiter [mailto:phe...@gmail.com]
Sent: Friday, February 18, 2011 06:11 PM
To: freeradius-users@lists.freeradius.org
freeradius-users@lists.freeradius.org
Subject: FR/AD integration
Trying to use FR to query AD as an
OT from OP question, but have you ever thought of PVLANs, VACLs, PACLs,
broadcast storm control, etc. Not sure how many users you're talking about,
and what apps, but with prudent configs many thousands of users can exist on
a single VLAN without concern.
- Original Message -
From:
Hi,
I thought this would be easy but now I'm wondering if it will be
possible at all. We are transitioning to a DMZ for all ssh logins.
During phase one, people will use a standard (but different than
internal) password which will be obtained either through LDAP or
the passwd module (we just
Hi,
I did eventually find a sorta fix. I had jumbo frames enabled,
disabling them fixed the problem temporarily. The problem has returned
in a different form now. The radius server doesn't even see the auth
requests now, and the client just won't even try to authenticate. I
think
I'm barely a novice with FR, so take this with a grain of salt:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play well
together. Remove the Auth Type LDAP - for now.
You almost never want to set the Auth-Type directly, FR figures it out from
the request. For testing
This FreeRADIUS 2.1 added
Password-With-Header == userPassword to raddb/ldap.attrmap. This will
automatically convert more passwords
[]'s
--
Vinicius Teixeira Coelho
Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463
On Fri, Feb 11, 2011 at 3:37 PM, Gary Gatten
ggat
is using the ldap
[]'s
--
Vinicius Teixeira Coelho
Registered Linux User #469313
The Ubuntu Counter Project - user number # 21463
On Fri, Feb 11, 2011 at 4:35 PM, Gary Gatten
ggat...@waddell.com wrote:
Yeah, but that’s SAMBA – not LDAP. (Added Password-With-Header
To: FreeRadius users mailing list
Subject: Re: Freeradius + LDAP for WPA-Enterprise
Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP / LDAP don't play
well together. Remove the Auth Type LDAP - for now.
If I remove that the radtest failed for a LDAP-User. It returns
[mailto:freeradius-users-bounces+ggatten=waddell@lists.freeradius.org] On
Behalf Of Max Schröder
Sent: Friday, February 11, 2011 2:31 PM
To: FreeRadius users mailing list
Subject: Re: Freeradius + LDAP for WPA-Enterprise
Gary Gatten wrote:
You forced ALL Authentication requests to use LDAP. EAP
some help getting it to work.
Thanks,
Chris
From:
freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org
[mailto:freeradius-users-bounces+chris.schaatsbergen=aleo-solar...@lists.freeradius.org]
On Behalf Of Gary Gatten
Sent: Wednesday, 9 February 2011 17:11
If no one else jumps in I can help you out in a couple hours.
- Original Message -
From: Schaatsbergen, Chris [mailto:chris.schaatsber...@aleo-solar.de]
Sent: Wednesday, February 09, 2011 09:24 AM
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject:
Authentication with ntlm-auth and require-membership-of works well for us.
Right now we simply authenticate the login/vty session with AD, and the secret
is authorized locally by the switch. So, each person gets the vty session
with their own unique credentials validated via ntlm-auth and AD.
On Behalf Of *Gary Gatten*
*Sent:* Wednesday, 9 February 2011 17:11
*To:* 'FreeRadius users mailing list'
*Subject:* RE: Authenticating SSH login on a Cisco IOS switch to AD
Authentication with ntlm-auth and require-membership-of works well for
us. Right now we simply authenticate the login/vty