Hi SangLee,
In my experience, the ability to do WEP and WPA simultaneously is a
function of the Access Point rather than any other device in the
network. If your AP vendor has implemented in such a way that you
cannot run WEP and WPA simultaneously, then push them to fix this.
Note, however, tha
.
Rgds,
Guy
>
> - Original Message
> From: Guy Davies <[EMAIL PROTECTED]>
> To: FreeRadius users mailing list
> Sent: Tuesday, May 20, 2008 10:35:40 PM
> Subject: Re: Java client for Radius
>
> Hi Avihai,
>
> I use the client that comes with the jradius ser
Hi Avihai,
I use the client that comes with the jradius server on my Mac and it's
great. I don't use a particularly wide range of the features, I'm
sure I barely scratch the surface, if I'm honest, but it does what I
need (and it works flawlessly on my Mac :-)
I've not tried radius-client so I c
2008/4/29 Arran Cudbard-Bell <[EMAIL PROTECTED]>:
> Alan DeKok wrote:
>
> > Guy Davies wrote:
> >
[..snip..]
> > > You need to tell us which EAP method you plan to use. If you are
> > > using local users, you can take your pick from EAP-TTLS/PAP or
>
Hi Alan,
Erm... I'm using WPA2/AES that uses 802.1x to authenticate the user
:-) WPA2/TKIP is a strange choice (if not technically invalid).
Normally, folks go for WPA/TKIP or WPA2/AES.
Anyway, back to Miguel's question...
I have not used Trapeze kit for a couple of years but I have used it
in
2008/4/25 Phil Mayers <[EMAIL PROTECTED]>:
> Mike Perdide wrote:
>
> > Hello,
> >
> > I'm working on VLAN assignment with FreeRadius, with windows XP users.
> > The FreeRadius server is using openLdap, and works over EAP-TTLS.
> > The goal of my work is for the users to be on different Vlans depe
Hi Mauro,
VSA means Vendor Specific Attribute. Vendors can provide 'private'
attribute value pairs (AVPs) that are only understood by their
equipment so that you can send them information that is not supported
natively by the standard RADIUS protocol.
If the vendor of your device that would actu
Mauro,
On 28/02/2008, mauro <[EMAIL PROTECTED]> wrote:
>
> please have a look inline thanks
>
> > Normally in a mobile services there's no specification into the header
> > about connection type.
> *Which header? You are assuming that everyone here is familiar with 3g
> *terminology. You were al
On 27/02/2008, Alan DeKok <[EMAIL PROTECTED]> wrote:
> mauro wrote:
> > Hi all
> > i would like to know if freeradius can help to enrich the user header
> > for that mobile services that needs some particular params as for
> > connection type ( 3g, gprs...).
>
>
> What does that mean?
>
> I
Hi David,
Have you tried putting "\n" to see if that puts a line break into the
response? Whether the RADIUS client will barf on that is another
matter ;-)
Rgds,
Guy
On 20/02/2008, David W Bell <[EMAIL PROTECTED]> wrote:
> David W Bell wrote:
> > Thanks for the info so far.
> >
> > Is there
I was wondering the same thing :-)
On the subject of getting the attributes from LDAP, the Cisco AV pairs
are just another AV Pair. Sure, Cisco have broken their AVs up with
sub-AVs, but it's still just passing a value back from LDAP and
manipulating the format so that it is placed correctly into
Joakim
You could certainly do this with EAP-TTLS/PAP. I know because I've
done it myself in a previous job.
It's quite simple really. You have the outer authentication using one
realm (possibly the null realm and using the name 'anonymous'). In
the inner authentication, you use another realm t
Hi Stefan,
It may be primarily Cisco that pushes TACACS+ because ACS is a much
better TACACS+ server than it is a RADIUS server. However, there are
many vendors that offer some degree of support for TACACS+ just to
avoid one of the barriers to entering the many Cisco only networks.
:-)
Rgds,
Gu
Ajay,
This is not a feature of RADIUS but it can be implemented for some
vendors' kit using VSAs. So, it depends very much on the kit you're
using whether there is *no* way to do this or a non-standard way to do
this :-(
Rgds,
Guy
On 14/12/2007, Gaurav Sabharwal <[EMAIL PROTECTED]> wrote:
> Aj
No, the tunnel is between the authentication server and the
supplicant. The authenticator (the AP or switch) cannot see into the
tunnel.
Rgds,
Guy
On 05/12/2007, Sergio Belkin <[EMAIL PROTECTED]> wrote:
> When using EAP-TTLS the tunnel is between Access Point and client only?
>
> I mean: Is it
Hi Alan,
The supplicant is the software on the device trying to connect, rather
than the server. Unless FreeRADIUS has moved in a totally different
direction from when I was using it frequently, it is purely a RADIUS
server (the authentication server in the 802.1x process).
FreeRADIUS will certa
Or, if you're using an Enterprise CA with a self signed cert, then
make sure that the CA's cert is installed on your Mac. I do this at
home and it's fine once you've installed the CA's cert.
Rgds,
Guy
On 30/04/07, Peter Nixon <[EMAIL PROTECTED]> wrote:
> On Mon 30 Apr 2007, Eshun Benjamin wrote
Hi Tim,
Erm, yes, they're all critical to getting dial-up to work :-)
I think you could use a DEFAULT user in the users file that says
something like...
DEFAULT auth-type := system
        Fall-Through = yes
DEFAULT service-type == framed, framed-protocol == ppp
        service-type = framed,
        framed-protoc
Hi Tim,
This sounds more like a routing problem. Does the FreeRADIUS server
allocate addresses from the same pool as the old Lucent server? If
not, it's possible that your router to the Internet doesn't have a
route back to the host addresses via the 3Com TC box.
If that's not it, then you mig
Hi Mahesh,
This is *totally* independent of the authentication process. You
don't need to do anything to the RADIUS server to do this.
You need a DHCP server. When your client (the PC) is attached to a
particular subnet, it will request a DHCP address by sending a
broadcast to find a DHCP serv
This is probably best achieved using DHCP rather than RADIUS. Once
RADIUS has authenticated the user and the device is connected to the
subnet, you'll normally obtain a dynamic IP address via DHCP. DHCP
can be configured to give a fixed IP address to a particular MAC
address.
Rgds,
Guy
On 26/
Hi Eric,
If you just want a test client, then you can either use the radclient,
which is bundled with freeradius (or radtest which provides a front
end to radclient). Alternatively, if you want to use a windows pc to
test from, there are various options. Just put radius test client
into google
Hi Giuseppe,
In general, you can upgrade straight from one version to the next by
doing a configure; make; make install if you used that method to
install in the first place (rather than an RPM or other package
manager).
If you have any custom dictionaries, be sure to backup
/usr/local/share/fre
I don't think you should be setting the Auth-Type. Just let
FreeRADIUS work that out. What are you doing with your Cisco AP? Are
you doing PEAP/MS-CHAPv2? If so, then you must have a User-Password
== "foo" in your user database and you *must not* set Auth-Type :=
EAP.
You should do as Sergio s
Hi Antonio,
If you're using the Cisco-AVPair as a check item, it *must* be on the
first line of the user entry. e.g.
user1   Auth-Type := EAP, Cisco-AVPair := "ssid=SSID1"
        ... reply items here, one per line...
If you want to configure it as a reply item, it should be...
Cisco-AVPair = "ssid=SS
The Cisco-AVPair mechanism is a mutation of the standard VSA mechanism. Cisco
uses a single Vendor ID but wanted to use many VSAs. The limit with a
single Vendor ID is 255 (IIRC).
So, Cisco's Vendor Specific Attribute number 1 is "Cisco-AVPair".
They then create "sub-VSAs" within that VSA using
Yes, just use the Cisco AV Pair to say
user1   Auth-Type := EAP, Cisco-AVPair := "SSID=SSID1"
user2   Auth-Type := EAP, Cisco-AVPair := "SSID=SSID2"
That would force user1 to only associate to SSID1 and user2 to only
associate to SSID2.
You *may* need to change them from being check attributes to
Hi Alan,
I am not sure if this is even remotely relevant but rlm_x99_token has
been renamed to rlm_otp, I think. Try --without-rlm_otp and see if
that helps.
I've also been unable to compile FR 1.1.1 using the same parameters as
I used in 1.1.0 but my problems appear to be similar to those with
Hi Josh,
So long as the user is a valid user, it can be used to do the bind,
AFAIK. I used to do this at the office. Our AD Admins created a
special account with a non-expiring password but no other special
privileges to authenticate the search/bind and that worked fine.
We used to use EAP-TTLS
Of course it has meaning. If your host is on a /23 subnet, then the
middle .255 and .0 are perfectly valid hosts.
Rgds,
Guy
On 14/02/06, DilipSimha.N.M <[EMAIL PROTECTED]> wrote:
> hi,
>
> why does FREERADIUS accept the client ip-address as:
> aaa.aaa.aaa.255/32 ??? (in clients.conf)
>
> this d
A stale session in radacct could happen simply due to the loss of a
udp packet with the accounting information in it. RADIUS is totally
stateless and has no reliable mechanism for deciding if a user is
present or not.
If simultaneous use relies entirely upon the contents of radacct, it's
very vul
Hi Romao,
What are you using to view the packet? Many packet analysis and RADIUS
check tools require their own dictionary (e.g. NTRadPing). If this is
the case and you've not updated the dictionary for that tool, then
that's exactly what I'd expect you to see.
Rgds,
Guy
On 26/01/06, Romao Izumi Ito
r. I'd also have to specifically identify the CA Certificate that the client should use to authenticate the RADIUS server's certificate. So I don't consider that an extra cost.
Rgds,
Guy
On 22/12/05, Phil Mayers <[EMAIL PROTECTED]> wrote:
Guy Davies wrote:
> The other alternati
The other alternative is to use a third party 802.1x supplicant with a decent GINA module. This behaves *exactly* as you want. It accepts the users' credentials at the windows login, stops the windows login process, logs the user into the network, then returns control to windows to login the user
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Nicolas Baradakis
Sent: 07 December 2005 13:18
To: FreeRadius users mailing list
Subject: Re: question on ldap_escape_func in rlm_ldap.c
Qin Zhen wrote:
> so in lastest version (1.0.5), a username 'jam\'
does the filter value work if you use
it in a 'users' file syntax?
Also, what version of FreeRADIUS?
-Chris
On Nov 23, 2005, at 9:45 AM, Guy Davies wrote:
> Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would
> only expect it to return values that are eit
Why would FreeRADIUS return Ascend VSAs to a Cisco AS5800? I would only
expect it to return values that are either RFC attributes or Cisco VSAs.
Rgds,
Guy
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Matt
Sent: 23 November 2005 15:12
To: freeradius-
Hi Hamid,
What CA did you use to create the client certs? If it was OpenSSL, did
you ensure that you included the special attributes that the MS
supplicant expects? There are a few HOWTO's around and they pretty much
all reference this special value.
If you used the M$ Certificate Services, it
You could do this on IOS based APs by creating multiple SSIDs. You can
have a secured SSID that connects to your protected VLAN. Then, you
could have an appropriately named SSID (NEWUSERSSTARTHERE ? :-) that is
unencrypted and unauthenticated. It is associated with a walled garden
VLAN with some
Is your AP configured to send accounting information? Many don't do
this by default. You will have to set it and tell it to use the same
RADIUS server for accounting.
Rgds,
Guy
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
Simone
Sent: 09 November 2
Which Vendor Specific Attributes are implemented by a
Vendor are, as the name suggests, specific to the vendor and totally up to them
to choose. I would not be surprised if DLink implement *NO* VSAs.
Given the market into which they're pitching their kit, I doubt very much that
their kit w
In what format does your NAS send the
calling-station-id? Mine uses 00-00-00-00-00-00. Maybe you're simply
not matching the format?
Rgds,
Guy
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of kdrakm
Sent: 28 October 2005 15:16
To: freeradius-users@lists.freeradius.org
Su
Which VSAs are you sending in the accounting packet?
Are they correctly enumerated in a dictionary file? Is the dictionary
file referenced in the main dictionary file?
Can you send us the accounting packet you're seeing?
Rgds,
Guy
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[E
If you're doing 802.1x authentication, then it will be the MAC. The
supplicant may not even have an IP address when it communicates with the
NAS (the ethernet switch) if it is configured for DHCP.
If you're logging into the CLI of a device configured to authenticate
using RADIUS, then I would not
Well, did you look at /usr/local/etc/dictionary? It generally points to
/usr/local/share/freeradius/dictionary. If so (and it certainly appears
to be so) then go look in /usr/local/share/freeradius/dictionary. It
would appear that there is an error (or it did not get installed when
you installed
Title: RE: one question
Hi Richie,
Simply look in the /usr/local/share/freeradius/dictionary file. It includes a load of $INCLUDE lines pointing to each of the dictionary.foo files. All you need to do is add $INCLUDE dictionary.fortinet to that file and make sure that the file dictionary.f
Title: RE: Some questions about freeRADIUS implementation,PLEASE HELP ME!!
Here my doubt:
I am using EAP-TLS
I generated a client Certificate with CN "redes"
then I add at LDAP database a user with these
attributes
cn: redes
uid: redes
radiusGroupName: academicos
..others Attributes
but wit
Hi Alfonso,
See inline...
>-Original Message-
>We decide to use freeRADIUS as Radius Server on a Big
>wireless Network (in a university )
>with about five hundred APs, but there are some
>questions (maybe basic questions)
>I need from your help to understand them better.
>
>1. About c
Hi Jeremy,
Unfortunately, the windows supplicant won't let you do that. Various third
party supplicants can do it but not the one included by MS.
Again, I know that the Funk Odyssey client can do this because I've done it
myself (before I got GINA working). My main area of dissatisfaction wit
GINA module ? aegis ? secureW2 ?
Regards,
Jeremy
[EMAIL PROTECTED] wrote:
Date: Thu, 1 Sep 2005 17:10:14 +0100
From: "Guy Davies" <[EMAIL PROTECTED]>
Subject: RE: Windows Client Authentification bevore Domain logon
To: "FreeRadius users mailing list"
Mess
Hi Marc,
The only way to do this with the supplicant included with XP is to use machine
auth. This must use the same method used by the individual (i.e. EAP-TLS or
PEAP/MS-CHAPv2).
There is a checkbox that says something like "Use machine credentials if
available". Check that and the machine
Are you sure that the Linksys AP supports LEAP. LEAP is a somewhat
proprietary Cisco method that places unusual requirements on the AP
(unlike other EAP methods that are simply converted from EAP in EAPOL to
EAP in RADIUS by the AP). I know that Linksys is now owned by Cisco but
I am not sure tha
You should not edit the main dictionary file. You should create this as
a separate file (called dictionary.colubris) with all the other
dictionary.foo files (normally in /usr/local/share/freeradius/). Then
look in the file called dictionary in the same directory and make sure
(as it says in the c
> > The best method is to have individual clients listed with *unique*
> > keys per client (yes, I know this is a real pain but if you want
> > security this is about the best you can do with the limited security
> > afforded by the shared key).
>
> I know how things work, I was just wonderi
Hi Marcin,
You can create a subnet in clients.conf (e.g. 10.10.10.0/24) that can
use the same key. I think that doing 0.0.0.0/0 would be a very bad plan
since it only requires that an attacker know the shared key to be able
to send valid requests. Since all your devices are matched by a single
e
Hi Stefan,
I also saw this. The escape character is \.
Special characters I would think of are !, #, *, ?, ^, $, &, % and
(obviously) \. There may well be others.
Rgds,
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Stefan Nehlsen
> Se
Ready to process requests.
rad_recv: Access-Request packet from host 10.1.2.254:32773, id=8, length=113
Ignoring request from unknown client 10.1.2.254:32773
--- Walking the entire request list ---
Nothing to do.  Sleeping until we see a request.
rad_recv: Access-Request packet fro
Hi Ken,
[..snip..]
>
> Below are the ntlm_auth section of radiusd.conf and the
> radtest string used and the debug output from the other window.
>
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --domain=%{mschap:NT-Domain} --challen
Upgrade to win2k SP4. Before that, the M$ supplicant was broken.
If you're doing PEAP, I'm assuming you're doing PEAP/MS-CHAPv2. If so,
why do you need a client cert? You only need a client cert if you're
doing EAP/TLS. PEAP/MS-CHAPv2 uses MS-CHAPv2 to exchange a user's
credentials based on a
Hi Mark,
AFAIK, there's no standard way to specify it individually. You can
specify the Called-Station-Id in the format XX-XX-XX-XX-XX-XX:SSID to
select a particular SSID associated with a particular AP. If your
server allows the wildcarding of match criteria, you could specify
*:SSID for Called
Of Maqbool Hashim
> Sent: 19 May 2005 17:16
> To: freeradius-users@lists.freeradius.org
> Subject: Re: x99 token authentication
>
>
> Thanks. Is there no way that you can get away from installing their
> software? I suppose you have to install the software if you want to
>
Hi Maqbool,
It's easier to use PAP and simply proxy the requests to the (very
trivial) RADIUS frontend on the CRYPTOCard server. I've got that
working with EAP-TTLS/PAP. The inner PAP auth carries the username/otp
generated from the CRYPTOCard EUS.
Rgds,
Guy
> -Original Message-
> Fro
Hi,
This is entirely dependent upon the NAS. Some vendors' NASes provide
great flexibility in per-user authorization while others provide very
limited functionality beyond a simple permit/reject. IIRC, the Cisco
Aironet 1200 relies (or at least used to rely) on the SSID selected by
the user to i
This sounds like an issue with the supplicant. If the RADIUS server
sets the session-timeout to 10 minutes, then the supplicant will have to
reauthenticate every 10 minutes but, as you say, this would normally be
invisible to the user. The supplicant should cache the password (unless
it's been to
Another way to achieve this is to use an 802.1x client with a GINA
module. Immediately after you enter your credentials in the Windows
login screen, the GINA module takes control and pauses the windows login
process. It uses the user's windows credentials to connect the user to
the network and, o
The format of the dictionary file is implementation specific (see the
query a few days ago regarding a dictionary supplied in SBR format, to
which I replied). Several implementers have chosen to use the same
format but it's not mandated in any RFC AFAIK.
Rgds,
Guy
> -Original Message-
>
Hi,
No, you can't simply drop that in. You'd need to create a
dictionary.waverider that looks like the dictionaries in
/usr/local/share/freeradius. Cut and paste the section below in to a
file of that name and then add the line
$INCLUDE dictionary.waverider
In the file /usr/local/share/freerad
If you use a 3rd party supplicant, you should be able to do EAP-TTLS/PAP
and have the PAP authentication use the users file. You will be
transmitting the password in the clear but it will be transmitted
through an encrypted tunnel between your PC and the RADIUS server so, in
effect, it's encrypted
It depends on the Authenticator. If you have a Hotspot gateway model
with unauthenticated association, then yes, two wireless users could use
your infrastructure to talk to each other without first authenticating.
Some switch vendors (wireless and wired) offer web based authentication
that requir
Same way you would to any other process.
$ kill -HUP
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Murali Krishna G
> Sent: 02 March 2005 09:53
> To: freeradius-users
> Subject: How to send SIGHUP signal to server ( radiusd )
>
>
> Hi,
Hi Payam,
'CLID' should appear in Calling-Station-Id in the accounting packet. Is
that what you meant?
Rgds,
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of shabanip
> Sent: 25 February 2005 08:18
> To: freeradius-users@lists.freeradius.o
s
rm -f .libs/radiusdS.o
gmake[4]: *** [radiusd] Error 1
gmake[4]: Leaving directory
`/usr/local/src/freeradius-snapshot-20050211/src/main'
gmake[3]: *** [common] Error 1
gmake[3]: Leaving directory
`/usr/local/src/freeradius-snapshot-20050211/src'
gmake[2]: *** [all] Error 2
gmake[2]: Le
Hi Francisco,
Are you authenticating the RADIUS server or just ignoring the validity (or
otherwise) of the certificate it sends? If you are trying to authenticate the
RADIUS server and it's either sending an invalid (or self signed) certificate
or the root certificate authority that signed the
/local/src/freeradius-snapshot-20041215/src'
gmake: *** [common] Error 1
*** Error code 2
Stop in /usr/local/src/freeradius-snapshot-20041215.
buddhist#
Regards,
Guy
---
Guy Davies          Telindus Ltd
IP Architect        Hatchwood Place, Farnham Road
> session_resume = yes
> phase2_type = pap
>
> pap {
> username = bob
> password = hello
>
> }
> }
> }
>
> Regards
> Preethi
>
>
> On Wed, 15 Dec 2004 10:13:41 -, Guy Davies
>
Hi Preethi,
If you use a standard radius client to send a PAP request, does it work?
Get that working and PAP as the inner authentication should work fine.
Are you using local passwords (configured in the users file) or are you
referencing another data store (/etc/passwd, ldap, sql, etc)? I've us
> Tim Winders
> Associate Dean of Information Technology
> South Plains College
> Levelland, TX 79336
>
> On Mon, 13 Dec 2004, Guy Davies wrote:
>
> > Hi Tim,
> >
> > You can't authenticate to the /etc/passwd file using
> > PEAP/MS-CHAPv2.
> >
Hi Tim,
You can't authenticate to the /etc/passwd file using PEAP/MS-CHAPv2.
Any CHAP based authentication mechanism requires the server to have
access to the *clear text* passwords.
If you want to use PEAP/MS-CHAPv2, then you'll need to create
definitions of your users either in a local (or othe
Change your scratchcards to contain a username/PIN pair :-) The
username can also be randomly generated gibberish. So long as you
simply match the correct username and PIN in your RADIUS database. Once
they're used up, you can remove the spent username/PIN from your
database and create a whole n
Hi Mathias,
Yep, build from source and configure with the --disable-shared option.
Regards,
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Mathias Röhl
> Sent: 13 December 2004 16:13
> To: [EMAIL PROTECTED]
> Subject: EAP/TLS Problem
>
>
Hi Tim,
I believe that MS made changes to the format of the EAP packets in XP
SP2! This breaks PEAP with a number of (but apparently not all) non-MS
RADIUS servers. They have a Hotfix for this. Checkout KB 885453.
I'm not *sure* that this is your problem. However, it *may* be
relevant.
Note
Hi Manel,
This is exactly what I have at home but with an AP340. I'm using
FreeRADIUS 1.0.1, isc dhcpd and Funk Odyssey client doing EAP/TLS. Works a
treat. Have you checked if a wired dhcp client on the same vlan gets an IP
address? If not, then it's either a problem wit
> The assumption made here is that the authenticator is the AP.
> I believe things would be much easier and still safe if one
> authenticator would control a group of APs and not just be
> one itself. This group of APs could be a subnet or a smaller
> group, but at least within this group the h
It is possible to reduce the number of messages for reauthentication by
implementing what is variously known as Fast Roaming, Fast
Reauthentication and Session Resumption. This doesn't have any impact
on the initial authentication exchange. However, once both parties
(supplicant and authenticator
Hi Werner,
Are the clients attempting to setup the second connection? Is the Max
sending RADIUS requests for those users? What is in those requests?
What, if anything, is in the responses? You'll probably need a sniffer
to capture this info.
Regards,
Guy
> -Original Message-
> From:
Is your Ascend Max correctly configured to permit multilink? Are the
clients correctly configured to use multilink?
Regards,
Guy
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Werner Detter
> Sent: 12 November 2004 11:18
> To: [EMAIL PROTECTE
That would certainly be what I'd try. I hold up my hands and say openly
that I'm far from an expert but, given that PPP is the only valid VALUE
for Framed-Protocol that seems relevant and that simultaneous-use allows
a single user to login multiple times (or controls how many times they
can login)
Hi Werner,
MPP is not a valid VALUE for Framed-Protocol. Check out the dictionary.
I would guess that the behaviour you want could be configured simply by
using Framed-Protocol = PPP and allowing simultaneous-use. That way,
the users are permitted to open multiple PPP sessions based simply on
l
Hi Hugo,
You *can't* use SYSTEM passwords to authenticate using MS-CHAPv2.
MS-CHAPv2 requires the AAA server to be able to obtain the clear text
password (from a local file or some other source) or a password in
NT-Password format. If it cannot get them, then it is unable to check
that performing
Hi Jon,
You *must* create a certificate for the RADIUS server. That is the
certificate about which it is complaining. You need to use something
like OpenSSL (on the box running RADIUS?) or Microsoft's Certificate
Services (on a Windows Server 2000/2003 box). Once you've created it
and placed it
Hi Jon,
You haven't configured EAP-TLS despite the fact that it clearly says in the
notes in the PEAP section that for PEAP to work EAP-TLS must be enabled
even if you don't plan to use EAP-TLS specifically. Uncomment the tls
section and configure it with your server's cer
That places too great a reliance upon the user to maintain a strong
password. The strength of the protection should be separated, as far as
is technically possible, from the strength of the password.
If more resilient mechanisms exist and are implemented just as trivially
then it is foolish to us
Hi Adam,
If any other alternative exists, then LEAP should not be used. As
you've pointed out, LEAP is vulnerable to known published attacks. Even
Cisco recommends (their version of ;-) PEAP. Given the requirements
placed upon the AP, LEAP is also effectively constrained to Cisco APs.
For Micr
Is it the cable modem or the CMTS that would be the RADIUS client? I
would have thought the latter. Either way, if they are standards
compliant RADIUS clients, then yes, FreeRADIUS can help. Depending upon
the vendor of your CMTS/Cable Modems, you may have to write a vendor
dictionary but that's
d treat the Access-Accept as an Access-Reject.
This is important when you're trying to use the same credentials to
authenticate users via multiple NAS types (WLAN, dialup, VPN, etc).
Regards,
Guy
>
> regards,
>
> L.
>
> - Original Message -
> From: "Guy
Hi Leonard,
I'm afraid you don't. Wireless LANs are exactly like wired LANs in this
respect. The mechanism used to assign IP addresses to hosts (other than
static assignment) is DHCP. It is entirely possible to assign a static
address to a host using DHCP. You simply create a mapping between t
Hi Mike,
I use an ancient AP340 at home and I've had an iPAQ 5550 with Funk
Odyssey doing EAP-TLS, EAP-TTLS and PEAP/MS-CHAPv2 against a FreeRADIUS
server. Unless you already have PKI all sorted and running, I'd not
recommend EAP-TLS because it's administratively hard work. If you're in
a primar
> > Wireless authentication CANNOT assign IP addresses.
> > You have to use RADIUS to authenticate the wireless user,
> and DHCP to
> > assign the user an IP address.
>
> So if I understand:
> - user wireless user authentication and client IP address are two
> independent problems.
Most
> > You're trying to use a PPP mechanism over an "ethernet" media.
> > Wireless clients use DHCP for the acquisition of IP addresses (and
> > other parameters), not Framed-IP-Address. Remove the IP-pool info
> > from your RADIUS server (unless you're also using dialup NASes) and
> > put it on
You're trying to use a PPP mechanism over an "ethernet" media. Wireless
clients use DHCP for the acquisition of IP addresses (and other
parameters), not Framed-IP-Address. Remove the IP-pool info from your
RADIUS server (unless you're also using dialup NASes) and put it onto a
server running DHCP