Hi,
2013/9/16
>
> we've had no problems with self-signed CA or with 3rd party CA and standard
> RADIUS certificate BUT the certificate must have CRLDP (CRL distribution
> point)
> URL defined. that can either be at CA level or RADIUS level - or both.
>
> eg
>
> crlDistributionPoints = URI:http:/
Hi list
While I've been quite successful in making preconfigured profiles and docs
for our students on how to make proper wireless configuration, I'm
encountering some issues with those (yet quite rare) people with Windows
Phone 8 (WP8) systems.
WP8 devices are yet able to connect without
Hi
While I generally chime in with Alan's later message, one important you
should start reading about and differentiating
is Authentication and Authorization (the latter is Accounting of AAA with
RADIUS).
While you can do Authorization using LDAP with AD, you can't do the
Authentication part using
2013/9/12 Brian Julin
>
> > Trevor Jennings wrote:
>
> [...]
>
> > On OSX, the certificates are marked as valid, including the root,
> intermediate
> > and server, but still prompts the user to accept. Is there a way around
> this?
>
> About the only way I can think of is to install a profile (.m
Hi Matthew
2013/8/22 Matthew Ceroni
>
>
> I read that for FreeRadius just combine the cert with the intermediate
> cert into one file and then reference that in eap.conf:certificate_file.
>
> I have done that but clients are still failing certificate validation.
>
Honestly I also had some hassle
Hi
Could it be you are in an AD environment - your request looks like to what I
see in my environment.
If so: Domain-joined Windows machines (for what I have tested) have a
computer account in AD.
This can be used by the Windows (never tested with domain-joined Macs or
Linux machines)
client to aut
As a short update on this topic - I thought it might be worth sharing the
update
since I've been successful in getting authorized via FR to privileged exec
mode
on a Netgear GSM7224P (F/W 1.0.1.21).
Netgear is based on Broadcom FASTPATH (MIBs tell so) - as do some Dell
PowerConnect's and fortunat
Hi Fernando
2013/7/10 Fernando Hammerli
> Got it now, as you said.
>
> Using the public CA certs on certificate_file (and related private key),
> and included the public CA
> chain on the CA_file (together with my own CA).
>
Yep mostly except that I put the private key not inside certificate_fi
Hi
As a possible hint since your question sounds similar to an issue I had:
I was looking to provide a server-side certificate to my clients from a
public CA
but only allow clients to authenticate via EAP-TLS when presenting a cert
from our
internal CA which avoids the misconfiguration to trust a
G'day
2013/7/10 Arran Cudbard-Bell
>
> On 10 Jul 2013, at 12:46, Mathieu Simon wrote:
>
> > FreeRADIUS doesn't have a dictionary for Netgear stuff yet, I don't
> think Netgear
> > copied Cisco's own AVpair use, but in case they do have own AV pai
G'day list
I have been tinkering with some Netgear managed L2/L3 switching stuff and
got the
login working via freeradius (actually quite simple compared to EAP stuff
for wireless).
But when issuing "enable" after login, going into what they call
"Privileged EXEC" mode
it will - very similar to
On 08.07.2013 16:30, Phil Mayers wrote:
> On 08/07/13 14:59, Lovaas,Steven wrote:
>
>>
>> Exec-Program output: Reading winbind reply failed! (0xc001)
>
> Check the permissions on the winbind socket, which usually lives in
> either /var/cache/samba/winbindd_privileged or
> /var/lib/samba/winbi
G'day all
I've taken out a configuration from an earlier prototype that I used with
Samba/Winbind authentication but didn't use the rlm_ldap for authorization
back then. (Having some archives can be quite useful sometimes...) ;-)
Since ntlm_auth properly leads to Access-Rejects for disabled users
lags are checked by the "mschap" module, which I
> see is running before the LDAP lookup - try moving mschap after LDAP in
> "authorise"
>
> Second, I can't remember if mschap checks the acct control flags in
> "authorize" or "authenticate". If
G'day list
I've come across an issue with the ldap module parameter base_filter, and
I'm not yet sure whether
I'm hitting a bug (I guess: less likely) than I'm missing /
misunderstanding its correct use.
I'm running a Debian Squeeze derivative (Univention Corporate Server), FR
2.1.10 and OpenLDA
Hi
On 11.04.2013 20:08, Alan DeKok wrote:
>
>> The real-life example would be that people could use PEAP-MSCHAPv2 for
>> credential-based logins (server certificate being signed by a "trusted"
>> external CA)
> While that works, it's not recommended. It means that the client will
> trust *an
G'day
As a (hopefully) answer-able question to those experienced with EAP-TLS
that I've
been twisting my brain:
Usually I've seen example for EAP-TLS setups that used a server-side
certificate
issued from the same CA as the one it should allow EAP-TLS clients who
present
their certificate to FR.
On 27.01.2013 21:52, a.l.m.bu...@lboro.ac.uk wrote:
> Hi,
>
>> 2.1.10 is the version delivered by your distribution - and contains
>> backported security bugfixes released until 2.2.0. In terms of security,
>> your version is fine.
> why? why do that? why not simple release 2.2.0 - you are CONFUS
Hi
On 27.01.2013 14:00, Tzvika Gelber wrote:
> I have a working server running on version 2.1.10
> I just saw that there is version 2.2.0 and I would like to ask if an
> upgrade is a must
> and where can I find the documentation about how to do such a thing?
>
> My FR is running on Ubuntu 12.04
Hi Tyler
Since I'm in a similar situation with AD but still learning, just
general experience with other Applications from the *nix world authenticating
against AD:
2013/1/9 John Dennis :
> On 01/09/2013 02:00 PM, Tyler Brady wrote:
>>
>> Can someone give more details on setting up LDAP groups? S
G'day Alan(s)
2013/1/5 :
> huh? this wasn't about authentication, it was about authorization - ie
> passing back details about what a user can do on some kit - that works fine
> 100% fine with LDAP and AD
Thank you both for pointing in the correct directions by pointing me
back at authenticatio
G'day all
2013/1/5 Alan DeKok :
[snip]
>
> Set up groups in LDAP. See the LDAP / AD documentation.
>
> Then, in FreeRADIUS, check them:
>
> #-- users file
> DEFAULT LDAP-Group == "foo", ...
> ...
>
> #---
(protest if this may sound like hijacking this thread...)
As short question sin
22 matches