Hi,
>Does FreeRADIUS give a fig about what the username is? If it were all
>numeric, say 123456789 I guess it is happy with that? It's just a string
>to FreeRADIUS?
FreeRADIUS is just a RADIUS server and hence any decisions made by it are
all down to defined policies. so if you hav
Hi,
> Ah... a fix wasn't pulled over from v3.0.x to master. I've just done
> that now.
server now starts with such switch/case config present. cheers!
alan
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi,
this error is also present with 3.1.0 when using the provided
originate-coa virtual-server - so its reproducible with a minimally
adjusted configuration (just drop originate-coa from sites-available
to sites-enabled)
alan
hi,
you must ensure you 'sign out' of the AD before you clone as otherwise
both objects are the same...and, as you have found, doing something
with the clone breaks the first server. or just dont bind to the AD before
cloning.
to fix, you need to ensure that both machines have their own identity
Hi,
> Samba 4 is lurvely... apparently 100% compatible with existing AD
> installations, although, as always, it's a bit finicky and info is a bit thin
> on the ground (and I've not written up a guide when I set my test environment
> up that uses an S4 server for EAP-MSCHAPv2). But at least it
Hi,
> Any chance you can point me in the direction of these?
heres one:
http://support.microsoft.com/kb/2688798
> Semi-related, but to my annoyance we're seeing rather less SSL
> resumption than I would expect, given that iOS and Android both do
> it by default.
Cisco wireless problem?
there
Hi,
> Thu Oct 10 11:52:16 2013 : Info: WARNING: Module rlm_eap became
> unblocked for request 47516341
>
> ...since the return of our students this year.
>
> I am 99% sure this is ntlm_auth being slow, and I have a strong
> suspicion this is related to some changes in our AD infrastructure
> ove
Hi,
>I've installed oracle instant client from rpm packages (basic + devel)
okay. if you've done this rather than manually installing from Oracle then
its most likely that the paths are different...you will need to check where
your Oracle files have been installed and use those paths instead
Hi,
> It appears the debugging switches don't work quite as I'd expect in
> FreeRADIUS 3 when RadSec is configured.
>
> # radiusd -fxx -l stdout
yep. if you try 'radiusd -X' it will tell you to run it like that.
> # radiusd -fXx -l stdout
> # ./sbin/radiusd -Cfxx -l stdout
single thread
Hi,
> Just got a wee bit of trouble linking in the talloc libraries, but I'm sure
> its not insurmountable
Alan uses OSX so I'm *SURE* it compiles fine with the right support stuff
present - you
should have been compiling it before the official release ;-)
alan
Hi,
> Well you want the probes to go through and hit your backed authentication
> servers,
> and your databases, and any external resource.
..and get a valid user with access accept? bad. you are better off just
sending a reject -
just like RADIUS status server probes. it would be nice if th
Hi,
> We're finding these nuggets of code as we dig deeper into James's
> legacy config. If the Access-Accept response is not required, then
> presumably I can ditch that entire code block and let the
> wisms-testing auth attempt go through the system as any other user.
yes... but you'd be better
Hi,
> If everyone's in favor, I'll release 2.2.2 on Monday.
hold request
now its monday AM and the load has gone back to higher levels
the server is freaking out and freezing with the last message in
the log being
Mon Oct 7 07:50:28 2013 : Error: [event.c:2318] Internal sanity check faile
Hi,
> >if (Service-Type == "NAS-Prompt-User") {
> > if (NAS-IP-Address =~ /^172\.17\.107\./) {
> > if (User-Name =~ /^wisms\-testing/) {
> >update control {
> > Auth-Type := Accept
> >}
ouch do you realise how dangerous that is? there
should be no need to send an access accept
Hi,
> More debug output would help. The last patch came from output sent by
> Stefan. The patch seems to help. But there's an underlying issue which is
> harder to debug. It looks like a Linux specific IPv6 problem. I don't see
> any issue with v4.
interesting..the culprit may have b
Hi
early report :(
2.2.2 HEAD still showing:
Fri Oct 4 13:20:43 2013 : Info: WARNING: Child is hung for request 3767589 in
component module .
Fri Oct 4 13:20:45 2013 : Info: WARNING: Child is hung for request 3767589 in
component module .
Fri Oct 4 13:20:47 2013 : Info: WARNING: Child is
Hi,
> If I asked particularly nicely, and promised you a beer at the next
> networkshop
> we were both in attendance at, would you be willing to try git head?
I'll take the beer - am running HEAD since last night on one server :-)
(as I said to Alan, i'll report at end of day)
alan
Hi,
a couple of logic issues that meant case/switch and if() worked different
to 2.x - thats been fixed. ..and an issue if your server does a lot of proxying
work - in which worker threads arent dealt with properly - your log file
will be full of and messages if you are being hit. this *MIGHT*
b
Hi,
> I am not blaming, I am just wanting to get the radwho command to work. I
> have now turned on accounting info to be sent from the StrongSwan server to
> the FreeRadius server. For I can see the accounting info in
> /var/log/radius/radacct//detail-20131003 file. However I am
> still ge
Hi,
this is FreeRADIUS list, not general Linux list - I'd suggest looking at some
guides for
the EXACT thing you need eg
http://www.cyberciti.biz/faq/linux-unix-formatting-dates-for-display/
(and ensure your escape quotes are the right way around)
alan
Hi,
> I would like to display the active Radius connections. When I run radwho I
> get the following results (showing nothing but the titles) even though I know
> I have an active connection:
using the utmp/wtmp modules? what does your FreeRADIUS debug show when
someone logging in?
alan
Hi,
> Thanks for your reply. However, I have already changed the instances of the
> password "testing123" in the following files:
if you are dealing with a shared secret between a NAS and the FreeRADIUS
server, there are only
2 things to configure
1) the shared secret on the NAS - I would gue
Hi,
> A simple thing:
>
>
>
> update control {
> Tmp-String-0 := "stop"
> }
> ...
>
>
>
>
> if (Tmp-String-0 != "stop") {
>
> }
>
> That should work. Ugly, but functional.
this is pretty much what I was going to suggest
Hi,
> Is there any way to prevent FreeRadius from showing the password in
> logs (debug logs) when authentication is done via LDAP?
dont run in debug mode. debug mode is there for a reason - to debug
problems. verify if things like passwords are correct. look at the mailing list
archive - this q
Hi,
> Sep 30 12:56:36 newdvlanb radiusd[10152]: rlm_eap: No EAP session
> matching the State variable.
> Sep 30 12:00:21 dvlanc radiusd[16053]: WARNING: Child is hung for
> request 782076 in component authenticate module peap.
> Sep 30 12:57:08 newdvlanb radiusd[10152]: Discarding duplicate
> requ
Hi,
> Sep 16 09:57:56 newdvlanb radiusd[15211]: rlm_eap: No EAP session
> matching the State variable.
turn on full debug for just a single User-Name or Calling-Station-Id
(check radmin docs). whats your authentication clean-up/tidy up times -
as if the clients dont respond then the session is cl
Hi,
>Could not authenticate user Username%Password with plaintext password
>challenge/response password authentication succeeded
thats okay. means you couldnt do PAP and only MSCHAPv2 worked. expected for
that command.
>In this Step, i must edit the following line with this text in
Hi,
..so many new features... thought 3.x was where the new features and dev work
was going into ;-)
PS has anyone tested it with MariaDB? Wondering if its 100% drop-in compatible?
(I'm postgres myself but looks like MySQL is dying)
alan
Hi,
>encountering some issues with those (yet quite rare) people with Windows
>Phone 8 (WP8) systems.
>WP8 devices are yet able to connect without (any) CA or common name
>verification, but seem
>to fail when I let them check the CA by choosing it from the device' CA
>stor
Hi,
> no. I guess we should do something with it to make it FIPS compliant but it's
> not a big priority. You're welcome to submit a patch.
..you mean sniffable by NSA? it passes that requirement already ;-)
alan
Hi,
>i am getting a problem on Freeradius installed on CentOS. When i set the
>service Radiusd in debug mode and send an access request (default type
>PAP) through Radtest the debug show the password in cleartext.
>Is there an option to do not show the field User-Password in cleart
Hi,
>NEVER
agreed. still a useful reference.
alan
Hi,
> > mv raddb raddb-noinst
> > mkdir raddb
> > touch raddb/all.mk
> > make install
do 'mkdir raddb/mods-config'
you've 'messed around' with the configuration directory which assumes
that mods-config exists... i guess that could be fixed to make dir
directory first if it doesnt exist.
alan
Hi,
> If you think that sucks, wait till you see the horrible things you have to do
> to generate a .mobileconfig without access to an OSX server license.
what, download the iPhone Configuration Utility? yes, quite horrible ;-)
alan
hi,
yes, it was received over a bank holiday weekend. not surprised
you didnt get an answer...we were all enjoying the break.
the DB seems to be loading up and being connected to (and you can
check this with logging on the pgsql server...) however, THIS bit
is your problem
rlm_sql (sql): Res
hi,
check permissions/owner etc of /etc/freeradius and the contents
alan
Hi,
> Initially FreeRadius would not start and I did get an error indicating
> that the "remote_secret_reject" module failed to load. There was no reason
> given even with -XXX. I found since then that I was missing a brace.
>
> Now I can get FreeRadius to start. I still seem to be missing someth
Hi,
>I'm trying to setup a very basic test server using FreeRADIUS (running on
>Ubuntu 12.04) that uses PEAP with the example certificates generated by
>FreeRADIUS.
out of the box, freeRADIUS works - you just need, for testing
to add your user/pass to the 'users' file and your NAS to
One other thing with multiple interfaces: RHEL 6 comes with some anti-spoofing
features in the kernel enabled by default. I'm afraid I forget exactly what
they are, but the idea is this: If the kernel gets a packet from HostA on
eth1, but the routing table says that the return path to HostA i
Also don't forget to disable (or modify) SELinux. If memory serves, RHEL 6
comes with that enabled by default as well.
--J
-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org
[mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.
>
> You could move "files" above "eap" but IMO it's better (cleaner, more
> obvious) to run this in post-auth like so:
>
> authorize {
>...
>eap {
> ok = return
>}
>...
> }
> post-auth {
>...
>files
>...
> }
>
> Note that you'll need to set the "postauth_usersfile"
Hi,
> Thanks for this. So you're saying that there can only be one policy
> {} section in the whole server, and if I wish to load two sets of
> policies I will have to merge the two files?
each policy has its own name/tag - in FR 3, there is a policy.d directory
in which policy files get put...ea
Hi,
I'm in the process of attempting to move our 802.1x services off of an aging
freeRADIUS (v1) server onto a newly built server running freeRADIUS v2.2
Tests so far with wireless clients using 802.1x PEAP/MS-CHAPv2 are working ok.
Clients can authenticate (against AD) and be assigned the diff
Hi,
>peap {
> default_eap_type = mschapv2
> proxy_tunneled_request_as_eap = yes
> copy_request_to_tunnel = no
> use_tunneled_reply = yes
> tls = eduroam-eap-tls
>}
okay
> Any request that tries to go to the proxy causes this to happen:
> Wed Aug 7 11:57:35 20
Hi,
>My password is encrypted with MD5 but it can be seen in the debug screen.
>Is there any way to disallow or masquerade the user's password in debug
>mode ???
its debug mode. the entire purpose is to ensure that things are
what they appear to be and silly things like, 'its doesnt wo
Hi,
> Is there any other flag/function that would indicate that an
> Access-Challenge packet was received from the NAS?
dont know..I have the following on a 2.2.0 box in the authenticate section:
if (handled && (Response-Packet-Type == Access-Challenge)) {
Hi,
> I forgot to mention that I am using freeradius-2.2.0-2.el6.x86_64.
> Should this version support it or not?
no, it wont support it. you need the latest code from the GIT to use that
feature.
alan
Hi,
>Hi, I would like to store freeradius session information like
>Acct-Session-Id, Acct-Start-Time, Acct-Stop-Time, Acct-Input-Octets,
>Acct-Output-Octets, Framed-IP-Address, NAS-IP-Address in external
>database.
the default config does this - you just need to edit the SQL modul
Hi,
>I was thinking this should be easy, but it's been two weeks and I give
>up...
well, depends how you do it... if you do it easy it is easy, no?
users file
abc Cleartext-Password := "xyz", NAS-Identifier = "staff"
Reply-Message "Welcome on-board staff member"
dont forget, i
Hi,
>In that situation i need to have active, both sql and ldap, authorization
>modules in inner-tunnel. So users, who should identify by login/pass in
>guest SSID, can be authenticate via inner-tunnel ldap module. I don't want
>this.
use whatever you want to use. what do you use
Hi,
>Does freeradius support RFC 6614 for the same?
'tls' virtual server in HEAD version of FreeRADIUS (currently version 3 in beta)
if you NEED to stick to FreeRADIUS 2.x (as you 'need' to secure) - then
RADSECProxy can be put in as a bridge between your remote and the FR instance
alan
Hi,
>We have a a supplicant that is our own box doing client 802.1x
>authentication using freeradius. We do not establish a TLS/IPSec
>connection between the supplicant and freeradius. We need to establish a
>secure channel between the supplicant and freeradius.
NAS or supplicant?
Hi,
> Here comes:
>
> rlm_ldap::ldap_groupcmp: User found in group
radiusd -X
its what the docs say. for a reason
alan
Hi,
> It was my mistake, when i was testing.
>
> Corrected DEFAULT Ldap-Group == "", Huntgroup-Name == ""
> Still not working as i want.
output?
alan
Hi,
> file users:
>
> DEFAULT Ldap-Group == ""
>Huntgroup-Name == ""
multiple lines? the first line is CHECK items. other lines are REPLY items
alan
Hi,
> User-Password = "\334a\004\305\355x\321\332G\306\362b\226~\355+"
that line... and the following in the debug:
>Fri Aug 2 16:45:38 2013 : Debug: WARNING: Unprintable characters in the
>password. Double-check the shared secret on the server and the NAS!
are quite clear.
Hi,
>If the user authenticates against to radius server and fails NTLM_AUTH,
>the request will then be authenticated against PAM and if it still fails
>it will be rejected.
use a bit of the unlang construct with the failover method.
http://wiki.freeradius.org/config/Fail%20over
so,
Hi,
> Feel free to add your own feature requests :)
number of UDP packets - i.e. is/was the datagram fragmented?
alan
Hi,
>Sorry, I've been unclear. What I meant was that I strongly suspect
>nas->radius comms will either be v4 or v6 for a given pairing at any one
>time, for periods of minutes or hours. Hence treating the addresses as
>separately should be fine
hmm, yes, we treat each as a seperat
Hi,
> Your previous answer gives an example using the unlang regex syntax,
> including the case-insensitive operator at the end. But I was hoping to find
> an elegant way to do case-insensitive matching in proxy.conf, where the
> comments admit that the syntax breaks the rules of unlang regex m
Hi,
> My guess is dual-stack NAS->RADIUS is going to be rare.
ummm. take a hold on that assertion. the joy of dual-stack deployment
is that you need to ensure your servers are ready on IPv4 and IPv6 -
and as part of that, you need to ensure that you're using both methods
in case either your IPv4
Hi,
> > Still... maybe for a later version... if the input looks like an IP
> > address, guessing the address family isn't all that hard.
unlike your using IPv4 in its IPv6 incantation
> What if the NAS started just using the SRC IPv6 address in packets, and
> source IP protection was enabl
Hi,
>Is there a way to tell radius to not do something based on the User-Name
>containing a "$" ? I am doing dynamic VLAN assignment and I'd like to skip
>that for computer logins. I looked at unlang and I didn't see a way to
>check for a character in a username.
use unlang regex c
Hi,
> While trying that I also build a 3.0 GIT HEAD and there were a few
> problems, I trippeled about:
>
> - HINTS does not work the way it did before. Especially this no
> longer works for me:
>
> DEFAULT User-Name =~ "^v104([^@]+)"
> User-Name := "%{1}@V104.GMVL.DE"
Hi,
> I put the FreeRadius list on CC because I get technical solution from
> here.
the version from freeradius.org works - you need to contact Debian to get them
to fix
their packages.
alan
Hi,
> Here you can download the (almost complete) debug log. Near the end I added a
> text to make evident when I disconnected.
>
> http://webshare.icgeb.org//data/public/ce2e2ee9fbd84c362fd49b10805b36c8.php?lang=en
please dont ask me to visit random web sites that require me to click on things
Hi,
> The specific configuration works fine if I remove the following line from users
> file:
> Tunnel-Type := VLAN, Tunnel-Medium-Type := IEEE-802, Tunnel-Private-
> Group-ID := 218
Tunnel-Type = VLAN,
Tunnel-Medium-Type = IEEE-802,
Tunnel-Private-Group-ID =
Hi,
> I am configuring my freeradius to be integrated in the EDUROAM federation.
> It works when the VLAN (as configured in the accesspoint) is statically
> assigned.
there are hundreds of sites using this sort of configuration for eduroam - so
its perfectly possible and fine (and standard!) so
Hi,
> But it DID appear in earlier versions of freeradius with default settings for
> logging.
>
> And I don't see the difference to something logging Errors like
>
> Error: Ignoring request to authentication address * port 1812 from unknown
> client x.x.x.x port 1092
>
> regarding the mentioned
Hi,
> I'm wondering, if I miss something or why do Info-Messages about
> Invalid-Message-Authenticator not appear
> in the default radius.log anymore? Even can't get it with
such messages only appear in debug mode as logging to file could be a DoS
alan
Hi,
>I am trying to configure eap with some customized certificates, I have
>configured eap.config correctly.
>But I am getting the error of "certificate expired". Although i have the
>latest certificates.
certificate has expired. FreeRADIUS has no reason to lie.
check the start
Hi,
> To get by the work of those kittens I set up a remote login to run radmin
> commands and parse the output so it is suitable for mrtg. It has worked well
> for me.
I use the munin plugin to graph auths/accts
alan
Hi,
>Thank you Arran, that's what I suspected but hoped that there would be
>another way to find out.
>I'll see if Netgear is willing to approve existence of AV pairs (and if
>theyre willing to share them).
on some kit you can run a command to see the VSA list/desc
most vendors w
Hi,
> Currently we have 1000's of users self-signed certificates (EAP-TLS),
> and we're planning to move our main authentication method to PEAP, but
> keeping the certificates in use while valid.
>
> To avoid the need of installing our CA certificate on every Windows
> machine, we'll buy the serv
Hi,
>(Sorry if this is OT) As I understand, I couldn't use 802.1x
>authentication on just the switches themselves? Since a client must have
>certificates to authenticate to a server. What i just wanted to accomplish
>is to authenticate the switches only on the radius server, so thi
Hi,
>Sending Access-Accept of id 0 to 10.141.1.129 port 49154
^^
Access-Accept sent from the server. the RADIUS server has done
its thing. if the NAS isnt working then you have missed some
configuration option on the NAS
alan
Hi,
>Ready to process requests.
>rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154,
>id=0, length=84
thats an accounting packet
alan
Hi,
>waits a long time until timing out waiting for user input. I'd like to
>also discover how other NAS's behave using this and have found the timeout
>on a particular cisco 1131 access point to be quite short.
most NAS devices have configurable options for their RADIUS/EAP timers. n
Hi,
>We'd like to simplify our configuration and use the same port for both.
the default configuration does that
alan
Hi,
> We have a generic VPN profile that we'd like to allow *all* users to
> login to - this works well.
>
> When users login to the "secret" profile, then the following VPN
> attribute is included in the request:
>
> Vendor-3076-Attr-146 = 0x554d44
use/load the dictionary.cisco.vpn3000 diction
Hi,
> and this is the output from radius (ran as radiusd -X)
> http://pastebin.com/MT0txW2c
please post to the list - avoids more work at this end.
the output shows this:
Found Auth-Type = LDAP
# Executing group from file /etc/raddb/sites-enabled/default
+- entering group LDAP {...}
[ldap] logi
Hi,
>Alc-IPsec-Interface: Unknown attribute "" requires a hex string, not
>"private_ipsec"
so give it a hex string then
private_ipsec is 707269766174655f6970736563
alan
Hi,
>Am trying to have my users' credentials or attributes change say a when a
>user hits their expiry date, their profile drops to one that does not
>expire but can only get to a certain page, requesting them to renew their
>account, Some kind of redirection, but after account has
Hi,
> I had it wide open. Someone suggested I add the tcp above.
who suggested that? standard basic old fashioned RADIUS uses
UDP ports 1812,1813 and 1814 - even older versions pre IANA adjustments
would have used UDP 1645 and 1646
> I get that. What I want the RADIUS server to do i
Hi,
>But when i comment the attributes the radtest is successful
did you check my other statement:
> 3) ensure that these attributes that you are using are in a dictionary
> file and that the dictionary file is being read by the server when it
> starts
well?
alan
Hi,
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp
> dpt:1812
you see this - TCP
read a little about RADIUS it uses UDP
change your rule to allow UDP port 1812
> # radtest evergr...@plumgr
Hi,
> > Always start simple. Run radtest on the RADIUS server box
> > using 127.0.0.1 ... THEN move to running against it from other
> > systems once you've verified all authentication etc is working
>
> Works on localhost.
>
> Trying to get radius to authenticate against an ldap
>
Hi,
>I am creating attributes for the user using the scripts below but on
>running the radtest i get the failure attributes ; which seems to have
>changed. I am using Freeradius 2.1.0 .
>
>"user1test" Auth-Type := Local, User-Password == "testpassword"
>
>Fram
Hi,
>I'm now sure that the best way for us is MAC Address filtering.
thats a way of doing the 'host' part. the user can then be authenticated
by an EAP method.
ie authorization stage can check the calling-station-id (MAC address) and,
if not known, just reject. then, if known carry on to t
Hi,
>
> On 21 Jun 2013, at 20:18, Divyesh Raithatha
> wrote:
>
> > Hello,
> >
> > Has anyone successfully built RPM's from the main branch 3.x?
> >
> > I am trying to build one but keep on running into errors. Similar to the
> > ones I saw with the version 2.x.x branch (regarding version
Hi,
>With user administrator not worked. look log file
>
>[ldap] performing user authorization for test
>[ldap] expand: (&(objectClass=user)(sAMAccountName=%{User-Name})) ->
>(&(objectClass=user)(sAMAccountName=test))
>[ldap] expand: dc=batlab,dc=corp -> dc=batlab,dc=corp
>
Hi,
> freeradius silently drop packets from unknown client.
unless run in debug mode at which point it'll clearly print out
Ignoring request to blahblah from unknown client x.x.x.x port
alan
Hi,
> I'm not able to debug, what does macro RAUTH do :(. Could you please help me,
> thx.
ah. just noticed this is actually with 3.x - yes, the older releases logged but
current
version doesnt. I'll have to help you out with this as I need logging on that
platform :-)
alan
Hi,
>) ENGINE=MyISAM DEFAULT CHARSET=latin1;
urgh. i'll have to agree with others here MyISAM should have died many years
ago..its a plague on any busy MySQL box. use at least InnoDB - which is
supported
by MySQL natively for many a year. and before any complaints about users
who ca
Hi,
> He he he... if I recall correctly I came up with something like:
yes, thats the one. quoted as 'most evil unlang ever' if I recall
have used it on many occasions...does the job well
> ...as the EAP module was updated to return "ok" on identity/mschap
> responses. Yet another reason to upgr
Hi,
> >This *is* proxying the inner tunnel; the inner tunnel auth is also EAP, and
> >you're sending it to the remote server.
>
> Thanks, this is NOT what I want to do. I want to send the inner message, not
> the tunnel and do PAP on the remote server.
okay. so you need to start by terminating
Hi,
> Some other comments -
>
> Upgrade from 2.1.12 to 2.2.x, as there are security issues pre
> 2.2.x.
>
> Save yourself some round trip packets by setting default_eap_type
> = ttls in eap.conf
>
> Save yourself some LDAP lookups by removing ldap from the outer.
..and save some more hits to L
Hi,
> I will make it short and easy.
>
> You can't do LDAP authentication with 802.1x. EAP needs the password of
> the user in cleartext. if it's not in your ldap, you're screwed.
..EAP-TTLS/PAP ? ;-)
alan
Hi,
>I have managed to setup a simple test using eapol_test as per
>
> http://www.openlogic.com/wazi/bid/188089/Authenticating-Wi-Fi-Users-with-FreeRADIUS
thats a rather old...and random URL. why not look at official docs?
>and it all works as described except that I have to use ca.p
Hi,
have you run in 'radiusd -X' mode yet at all?
alan