Matthieu Lazaro wrote:
Hello list,
I have a little question about hints and EAP.
Trying to set up machine authentication, I have been able to rewrite
my user-name to match my requirements in my OpenLDAP: get rid of the
host/ and add $ ( host/machinename -- machinename$) using hints
Ivan Kalik wrote:
Trying to set up machine authentication, I have been able to rewrite
my user-name to match my requirements in my OpenLDAP: get rid of the
host/ and add $ ( host/machinename -- machinename$) using hints.
But it ends up with this error after ldap authorisation:
[eap]
Hello list,
I have a little question about hints and EAP.
Trying to set up machine authentication, I have been able to rewrite
my user-name to match my requirements in my OpenLDAP: get rid of the
host/ and add $ ( host/machinename -- machinename$) using hints.
But it ends up with this error
Ivan Kalik wrote:
I tried to put this in the users file:
Unlang goes into virtual server configuration, not users file.
if ("%{User-Name}" =~ /00030BCA[0-9A-F]+/) {
	update control {
		# update blocks assign with ":=", not compare with "=="
		Cleartext-Password := "%{User-Name}"
	}
}
Hello list,
I need some help on some unlang portion (if this is the right solution).
Here is context: I need to do 802.1x on Ethernet switch for dynamic VLAN
assignment for PCs .
The problem is I have some phones connected between the PC and the switch.
I don't want the users to login 802.1X
Hello,
Just to inform that I have solved the problem.
Some parts of the LDAP were not indexed properly, so it caused some
trouble with FreeRADIUS.
Matthew
Ivan Kalik wrote:
I fixed the SSL issue, restarted the server and the group check was
working until now: *no
: SSL_read failed inside of TLS (-1), TLS session fails.
I'm a bit confused as I can't see the group membership errors in debug as
it doesn't occur. I guess the TLS alert is some client with a wrong CA.
Any help, suggestion will be really appreciated.
Matthew
Matthieu Lazaro wrote:
Hello
Ivan Kalik wrote:
I stop the server and put it in debug mode: it works flawlessly!!!
I stop the debug and restart freeradius, it works a while, then it
starts failing again. And I have nothing more in the logs than:
Error: TLS Alert read:fatal:access denied
Fix that. It works in
Hello,
I'm still having the issue.
It all works ok when I restart freeradius or when I run the debug then
it starts failing a while later.
I tried to increase the time out on LDAP connections. This did nothing.
Any idea is welcome.
Thanks,
Matthew
Ivan Kalik wrote:
I don't see anything
Ivan Kalik wrote:
Ivan Kalik wrote:
I am having an issue with the groups again.
WIFINAS-Identifier == accessPoint-Manager
Ldap-Group == wireless,
Ldap-Group == wireless2,
When I have the attribute wireless
Ivan Kalik wrote:
Content of my huntgroup file.
WIFINAS-Identifier == accessPoint-Manager
Ldap-Group == wireless,
Ldap-Group == wireless2,
REM NAS-IP-Address == 10.44.12.2
Ldap-Group == REM
OK.
Ivan Kalik wrote:
I am having an issue with the groups again.
WIFINAS-Identifier == accessPoint-Manager
Ldap-Group == wireless,
Ldap-Group == wireless2,
When I have the attribute wireless it works without a flaw, if I have
both, it's ok,
kissg wrote:
It really is an AP issue. Using another AP (SMC WEBT-G) with the same
RADIUS config works... Both Windows XP and Ubuntu connect
successfully, no matter if I set certificate validation on or off...
Anyway, there are two EAP settings which are supported by the Cisco AP:
Open
Any idea?
Logwatch's mailing list seems not very busy, so no answers yet...
Matt
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hello forum,
Just wondering if someone found or had written perl scripts for logwatch
so that we can send the logs all tidy??
Asking this in case I missed something or if someone had this in their
drawer!
I'm going to post this as well to the logwatch mailing.
Best regards,
Matt
Hello list,
I'm having an issue with the group check (ldap_groupcmp).
Everything is fine until the request is tunnelled, and I can't find out
why my user is rejected there
It seems that he ends in this section during this phase:
DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
Ivan Kalik wrote:
I'm having an issue with the group check (ldap_groupcmp).
Everything is fine until the request is tunnelled, and I can't find out
why my user is rejected there
It seems that he ends in this section during this phase:
DEFAULT Ldap-Group == BANNED , Auth-Type := Reject
t...@kalik.net wrote:
I am now trying to figure out how to have the replyItem in my Access-Accept
message.
Just map appropriate attributes in ldap.attrmap as replyItem. I can see
tunnel attributes in default ldap.attrmap in stable branch now, so that
will be there in future. For PEAP
Alan DeKok wrote:
Matthieu Lazaro wrote:
rlm_ldap manual covers the options to use with the ldap module like
server , tls binding, basic filters, etc... not how to use extended
ldap attributes based on the content of the RADIUS-LDAPv3.schema.
Exactly. It describes how
Alan DeKok wrote:
Matthieu Lazaro wrote:
OK, so tell me where to implement complex policies?
I've been trying.
You need to write down what you have (in RADIUS packets, LDAP, etc.).
You need to write down what you want (contents of reply packets,
behaviors, etc.). You
t...@kalik.net wrote:
I try to ask my questions more precisely:
* what are the radius ldap attributes meant for? Is only for accounting
or can we use them for something else?
They can be used for authorization as well. You put them in your
Access-Accept packet (reply) and if your
Alan DeKok wrote:
Matthieu Lazaro wrote:
It all happens as if the if () { ... } else { ... } is completely
ignored
(and thus it defaults to check if the uid exists)
Yes.
(ie: neither filter1 nor filter2 appears when debugging.
But when we only put filter, it appears
Alan DeKok wrote:
Matthieu Lazaro wrote:
For example: filtering with more than one attribute in checkval ( MAC /
TUNNEL TYPE), sending orders to the NAS to change VLAN depending on the
user, etc...
Write down the policies, and then implement them in the policy language
Alan DeKok wrote:
Your examples are pretty close to "do stuff when I see stuff". It's a
grammatically correct English sentence, but nearly meaningless.
Alan DeKok.
Ok, So I will try to make myself clear.
Here is one policy that I wish to make work.
1- a client connects to a
t...@kalik.net wrote:
Here is one policy that I wish to make work.
1- a client connects to a 802.1x protected VLAN ID 10 ( per port basis
configuration on the switch)
-- this client has some of the following LDAP attributes:
uid = bobalice
radiusTunnelPrivateGroupID
Alan DeKok wrote:
Matthieu Lazaro wrote:
Here is the content of a packet received by radiusd:
Weird, but OK.
Furthermore, to reply to Alan about the radiusUserCategory, it is given
with the radius.schema for LDAP. Is it a useless attribute then?
Yes.
I'll
Alan DeKok wrote:
Matthieu Lazaro wrote:
The thing is, it is just READING the ldap content and not comparing
to what the NAS is sending.
Yes.. because you (or the defaults) configured those LDAP attributes
in ldap.attrmap as replyItems. This means that they are read from
Hello,
My FreeRADIUS setup works very well using PEAP/TLS binding on the LDAP
using only one filter.
Now I have two very different types of NAS and I need to filter users
that may have access to one NAS or the other or both.
My idea was to use the unlang in the ldap module to write my policy,