On May 16, 2008, at 9:49 AM, Phil Mayers wrote:
...with any luck, the toolchain will get fixed - it's clearly not a
FreeRadius bug, and I wonder what else it's broken...
After discovering what the problem was, I immediately wondered the
same thing myself.
--Mike
I did a little looking into this this evening. This assessment looks
to be correct as it looks to be related to compiler optimizations.
With the optimizations disabled in Make.inc, FreeRADIUS will start up
on the correct port. For the fr_socket function, gcc appears to be
optimizing the
You'll have to set up two instances of the EAP module. The first
instance will have the TLS submodule set up with the information for
Cert1.pem (and the appropriate key and CA cert). The second instance
will have its TLS submodule set with the info for Cert2.pem. It will
look something
Why exactly do you want to do this instead of using standardized
EAP-TLS? You'll have to write your own code updates to FreeRADIUS, and I
know of *no* supplicants that will operate in this fashion. Seems
like a lot more trouble than using what's already there, especially
when you get into
Hmm... hadn't looked at the actual code. I just looked to see if
there were any log entries after mine for the branch, and I didn't
see any. Interesting. I guess that's not it.
--Mike
On Feb 17, 2007, at 2:24 AM, Alan DeKok wrote:
Michael Griego wrote:
Revision 1.79 to src/main
Revision 1.79 to src/main/request_list.c
--Mike
On Feb 14, 2007, at 3:46 AM, Alan DeKok wrote:
Michael Griego wrote:
The fix for this is in the CVS HEAD and probably should be backported
to the latest release branch. There was a race condition in the code
where the server could clean up
On Feb 14, 2007, at 2:05 PM, Matt Ashfield wrote:
During a pap conversation, the radius server ends up with the
username/password passed to it from the client. It then encrypts the
password to match the encryption of the stored password in ldap (or
other
directory) and tries a bind.
The fix for this is in the CVS HEAD and probably should be backported
to the latest release branch. There was a race condition in the code
where the server could clean up an accounting request before a thread
actually got to it to process it.
--Mike
On Feb 13, 2007, at 1:36 PM, Phil
Where you put it all depends on your local configuration. If you put
it in the users file, it might look something like this:
DEFAULT Calling-Station-Id =~ ^(00-0D-93-|00-03-93-|00-05-02-),
Proxy-To-Realm := ReamToProxyTo
--Mike
On Feb 2, 2007, at 7:47 PM, King, Michael wrote:
I'll take another look a little later to see if there's something
else you have to do. It's been a while since I did this.
--Mike
On Feb 2, 2007, at 9:00 AM, King, Michael wrote:
-Original Message-
On your Mac (as root), create the
directory /var/log/eapolclient, then retry
You don't *really* need to match the whole string. The following
would work just as well and be much more readable:
Calling-Station-Id =~ ^(00-0D-93-|00-03-93-|00-05-02-)
And as to where it goes, anywhere a check expression goes: users
file, SQL radcheck table, etc. As long as the server
Yes, it looks like your Mac may not like the MSCHAPv2 response for
some reason. On your Mac (as root), create the directory
/var/log/eapolclient, then retry your authentication. The EAP client in OS X
should write out debugging information for the EAP session into that
directory and
No, not currently. Doing so will require a level of caching and
connection of the TLS session information with the RADIUS attributes
that currently is not in place. This kind of checking is to insure
that a user is not able to authenticate with his credentials, then,
say, simply change
The code that handles SQL groups individually may still only exist in
the CVS HEAD.
--Mike
On Jan 8, 2007, at 1:38 PM, Phil Mayers wrote:
I've been looking at using rlm_sql to replace a fairly complex set
of Autz-Type and rlm_passwd maps. Primarily this is to speed up
updates when e.g.
Cool deal. I have also been able to confirm that adding the
SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS option to the CTX makes Vista
work. This is good news for us since we have a volume license deal
and now have release copies beginning to be installed. :)
--Mike
On Nov 29, 2006, at 5:00 PM,
I'm not sure 1.0.4 had that fix in the rlm_mschap module. If you
need to use 1.0.4 for some reason, you may have to backport the patch
from a later version of the module.
--Mike
On Oct 30, 2006, at 5:10 PM, King, Michael wrote:
I had this working before, and I can't figure out what I'm
__LINE__ is an unsigned int... it's being referenced in the patch as a
string (%s as opposed to %u).
--Mike
On Oct 19, 2006, at 10:30 AM, King, Michael wrote:
It seg faults when I do -X (or -sxx. But not with -x)
Here is the gdb log
rad2:/home/mking/freeradius-1.1.3/doc# more
What version of the server are you using and do you have any debug
output?
--Mike
On Aug 7, 2006, at 8:28 AM, Duane Cox wrote:
reposting
I've got
mssql.conf
read_groups = yes
but the rlm_sql module does not process the groups.
The user is found in radcheck and the check items
Something is different between your test ntlm_auth and the ntlm_auth
you're running under FreeRADIUS. Your test may return OK, but under
FreeRADIUS, it's returning NO SUCH USER.
In any case, since you're doing cleartext authentication in this
case, you could use LDAP authentication against
By default, OpenSSL uses PEM format, so if you didn't specify a
certificate format of DER, then it's a PEM encoded cert. If you look
at the cert in a text viewer/editor, you'll see lines that have
---BEGIN CERTIFICATE--- and ---END CERTIFICATE--- if it's PEM encoded.
--Mike
On Jun 28,
Are you sure your certificate isn't already in PEM format?
--Mike
On Jun 27, 2006, at 4:32 PM, VannMann32 . wrote:
Hi !
You also need to specify -outform PEM.
# openssl x509 -in somecertificate.cer -inform DER -out somecertificate.pem -outform PEM
unable to load certificate
If you're using AD, plaintext (PAP) authentication, and are wanting
to restrict the users to a certain OU, you should probably use the
rlm_ldap module. That way you can set the base search DN to your
Cisco Admins OU. It'll probably be a little easier to use and set
up, too, than the
I assume by PEAP, you mean the most-often-seen PEAP/EAP-MSCHAPv2. In
this case, MD5 is not involved anywhere. The passwords are hashed
differently. As such, you must either have an NT hashed password
(which is actually a unicode-encoded MD4 hash of the password) or a
cleartext password
What Michael said is correct. By default, the Windows XP supplicant
will verify the certificate against its list of known trusted root
CAs. Without specifying both a trusted CA and the certificate CN
(usually a hostname), then an attacker could get a cert from another
trusted CA or one
Search through the list archives for PEAP Machine Authentication.
--Mike
On May 18, 2006, at 6:41 PM, Jérémy Cluzel wrote:
Hello,
I try to secure my wireless LAN with freeradius.
I managed to do PEAP (with auth_ntlm) against a windows 2003 server
AD.
Both machines and users auth work.
These aren't lists to my knowledge. Each takes a single filename. If
you need multiple CA certificates, you can concatenate each of the PEM
files into a single file and use that as your CA_file.
--Mike
Sochacki, Kevin wrote:
Hi All,
In eap.conf under the tls section the comments for
I'm not sure I understand your question. You have or haven't gotten
user auth working? You have or haven't gotten machine auth working?
If you're having troubles with machine auth, have you checked the
list archives? There are previous messages going back a couple of
months on how to
I'm very curious about the outcome of this as well. The AP is
*supposed* to block all traffic except for EAP traffic pending the
required EAP-Success from the Authentication Server. If the AP is
allowing non-EAP traffic through, and, given that the client-AP traffic
occurs unencrypted until
In this case, if you happen to be using Samba as your PDC with an LDAP
backend, you should actually be able to use rlm_ldap to lookup the NTLM
hashes from the same LDAP tree that your Samba PDC uses. Once you have
those hashes, you can do MSCHAPv2 without having to use ntlm_auth.
--Mike
The Samba team has recently released Samba version 3.0.21rc2. The
3.0.21 releases include the necessary fixes to Samba to allow for PEAP
machine authentication, so those versions of Samba can be used without
requiring the patches previously posted to the list.
--Mike
Your problem lies here:
modcall: entering group Auth-Type for request 6
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for USERNAME with NT-Password
rlm_mschap: FAILED:
Actually, that's not completely true. Using /dev/random as the file
argument for RAND_load_file when seeding the PRNG is recommended
practice on systems that have it. The RAND_load_file call in the
eap_tls code will only read at max 1048567 (1024 * 1024) bytes from the
file, so it won't read
Make sure you used the rlm_MSchap module from the snapshot, not the
rlm_chap module. They're different.
--Mike
Jamie Crawford wrote:
Hi,
I am trying to get machine authentication working with freeradius. I
have patched the samba code and freeradius code. But am getting this
error when the
Joe Maimon wrote:
Apparently freeradius developers have managed to build a system
comparable to one that just sold for $122 M
Is that the take away?
Not exactly... Funk also developed a number of supplicants for various
platforms. I think the point is the heightened interest in 802.1x
Luca Corti wrote:
Here is my ntlm_auth configuration:
ntlm_auth = /usr/bin/ntlm_auth --request-nt-key
--username={Stripped-User-Name:-%{User-Name:-None}}
--challenge={mschap:Challenge:-00}
--nt-response={mschap:NT-Response:-00}
IIRC, with the changes to the xlat stuff a while back for module
It's a configuration issue. You didn't configure the rlm_exec module,
which is called to execute ntlm_auth.
--Mike
Luca Corti wrote:
Hello,
I'm using Freeradius from CVS (checked out today) to do WPA-EAP+Radius
+PEAP+ntlm_auth because I can't get rlm_eap_peap from 1.0.5 to build on
debian.
Nicolas Baradakis wrote:
I think it was working in version 1.0.x without rlm_exec module
instantiated. Moreover, I'm not sure if the linker is able to find
the missing symbol in a different module on all systems...
It was working with 1.0.x and in CVS until the changes you mentioned.
In my
Is your machine truly a member of your AD domain? If so, it's not
sending a fully qualified domain name for some reason. Therefore the
code is setting the domain to the same as the machine name. I've only
ever seen Windows send *just* the machine name without the domain name
when the
Another possibility for linking between modules without truly linking
would be to change rlm_mschap to use radius_xlat with the %{exec:...}
xlat. Just depends on what others think. I'm not opposed to moving
exec.c back into the server core.
-Mike
Alan DeKok wrote:
Nicolas Baradakis
Ben Walding wrote:
We've found in testing that the XP supplicant (with certain patches)
will read the certificate and send a User-Name that is constructed
from the certificate CN (host/ + cert CN); thus rendering the whole
checking the CN process fairly pointless for XP supplicants.
This
The second function is the one you want to change...
rpccli_netlogon_sam_network_logon.
On line 803, change it from:
0, /* param_ctrl */
to:
0x800, /* param_ctrl */
--Mike
Jérémy Cluzel wrote:
Hi,
I looked in the samba 3.0.20 source code and I only found 2 calls to
the init_id_info2()
See the list postings from earlier in the day... If you grab the latest
CVS snapshot, you don't have to use the Perl wrapper as the rlm_mschap
module will do the name rewriting for you.
--Mike
Roy Hooper wrote:
After spending a fair bit of time searching list archives and google results,
Try a fresh CVS checkout or tonight's CVS snapshot and see if this
corrects your problems. Looks like there was a byte ordering problem
when sanitizing the client entry based on the netmask. This would only
have affected people with little-endian machines.
--Mike
Alan DeKok wrote:
/etc/shadow files and PEAP/MSCHAPv2 are mutually exclusive. You can
store the NT hashed passwords in the users file if you'd like, but,
other than that, you'll have to use plaintext passwords. It's just the
nature of the beast.
--Mike
James Taylor wrote:
Hi,
I am trying to secure my
Hey, Michael,
From my recollection, implementing WPS would require first implementing
PEAPv2, and there hasn't been any movement there yet.
--Mike
King, Michael wrote:
Has any thought been given on adding the WPS (Wireless Provisioning
Service) Protocol to FreeRADIUS?
There has been some reworking of the clients code recently in CVS. I
haven't looked at it much yet as it was done by Alan, but, as with all
of the CVS tree, it's still considered unstable code.
--Mike
dev_null wrote:
Hello,
I tried what you said but the server ignored both localhost
I have a hunch...
How many clients are in your clients.conf file? Is it just those two or
do you have any more? Are those the *first* two clients?
If you only have two clients, and it's the two you listed there, try
putting the localhost (127.0.0.1) client declaration in first followed
by
I was gonna do that as part of my updates, but if you want to do this,
be my guest. :)
--Mike
Alan DeKok wrote:
Michael Griego [EMAIL PROTECTED] wrote:
Also, you can use the Packet-Dst-IP-Address attribute if you're certain
that the clients are split up by interface. You can match up
that act as an override of sorts, or am I way off?
thanks!
- Original Message -
From: Michael Griego [EMAIL PROTECTED]
Date: Monday, August 8, 2005 5:53 pm
Subject: Re: different eap/tls config for different interfaces
By its Client-IP-Address attribute or NAS-IP-Address attribute
After I'm done with the rlm_eap_tls rewrites and rlm_eap updates, there
will be functionality to have multiple EAP submodules of the same type
with different configurations. With this, you'll be able to force the
use of a specific EAP type instance by its instance name.
In the meantime, if
Is it a self-signed certificate? If not, did you create the CA cert?
If so, did *it* expire?
--Mike
Albrecht, Robert-Manfred wrote:
Hello,
I'm using a freeradius to secure my wlan. I'm using PEAP Authentication.
The certificate was created at 28.06.2004 with a validity-time of two
Did you install the zlib-devel package too? I think not...
--Mike
[EMAIL PROTECTED] wrote:
PH On Fri, Jun 24, 2005 at 02:58:14PM +0600, [EMAIL PROTECTED] wrote:
make failed with this error...
gcc -shared sql_mysql.lo -L/usr/lib -L/usr/lib/mysql
/usr/lib/libmysqlclient.so -lz
.
--Mike
---
Michael Griego
Wireless LAN Project Manager
The University of Texas at Dallas
rashad wrote:
/var/run/mysqld/mysqld.sock is the usual location of that socket. Every
program that wants to connect to mysqld through socket will per default
use that one. I
You can't do RADIUS-assigned VLANs unless you're doing EAP
authentication. It won't work with MAC authentication.
--Mike
Matthew Sweet wrote:
Hello,
I am looking at setting up a group of Proxim AP-4000 wireless gateways. I
want to be able to authenticate via the MAC address of each user's
Lorel hardy wrote:
Maybe I've found a solution but I don't know how doing it...
It would run without an AD server if freeradius reply an EAP-Accept
when a special string (like domain/*) is sent in EAP-Access without
asking anymore ? so could I make it efficient and how ?
What do you think
Are you sure your key and certificate files are PEM encoded? Based on
the errors, it looks like they might be DER encoded.
--Mike
Tom Tim wrote:
Hi,
I am a newbie at freeradius.
I have a working installation of freeradius.
After I have created certs using the CA.all script I can start
Whoops. Didn't read the whole message before sending that last one.
--Mike
Tom Tim wrote:
Hi,
I am a newbie at freeradius.
I have a working installation of freeradius.
After I have created certs using the CA.all script I can start radius.
My Microsoft Wlan client can authenticate on the
There are no crl_dir and crl configuration options recognized by the
server. You must have added those. The correct way to do this is to
add the PEM encoded CRL to the end of your PEM encoded CA certificate,
referenced by the CA_file configuration option, then set check_crl = yes.
--Mike
Luis Daniel Lucio Quiroz wrote:
May do this with just a cat cacert.pem crl.pem ca.pem command?
Yes. Then set CA_file = ca.pem
--Mike
What you're likely seeing is something that has already been fixed in
the CVS snapshots. Previously, if one of the worker threads died, it
could go into a segfault loop that would block the server and send the
CPU to near 100%. That was fixed a while back in CVS. I'm not sure if
it's
You're making this more complicated than it is (and please don't talk
about me like I'm not here).
To authenticate plain credentials against AD is no different than
authenticating against any other LDAP server except for the fact that
your uid attribute is different. So, read the docs for the
ntlm_auth is really only useful for people who must do an MSCHAP
authentication against a Windows domain. If you are doing a straight
User-Password authentication (as you show below in your example), then
it might be just as well to set up LDAP authentication against AD as
that will work in
This will all be fixed shortly. I'm getting close to finishing up the
move to libeaptls to fix these inter-module linking problems.
--Mike
Hans-Peter Fuchs wrote:
Hello all,
I try to build freeradius-snapshot-20050424 under rehat 3.2.3-47
(Kernel: 2.4.21-27.0.2.EL).
Install gives the
Stephan Jaeger wrote:
For rejecting every user that has no matching group profile I guess my
best bet is now to use a DEFAULT profile with Auth-Type := Reject in
the db?
Yes, that should work.
--Mike
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
It will break inside the EAP code, since the EAP code does a sanity
check to make sure the EAP Identity matches the User-Name sent by the NAS.
--Mike
Luis Daniel Lucio Quiroz wrote
If your NAS supports sending the MAC address, you will see it show up as
the Calling-Station-Id attribute. Your NAS must be sending this
attribute, though.
--Mike
Marc-Henri Boisis-Delavaud wrote:
How can I have the user mac adress in accounting files ?
Marc
. I
don't think the new SQL code has made into the stable releases yet.
Anyway, if you are, grab tomorrow's snapshot or grab the updated
rlm_sql.c file directly from CVS and try that out.
--Mike
of FreeRADIUS.
--Mike
King, Michael wrote:
Has anyone figured a way to authenticate the computer account in Active
Directory? Other than pGina. I don't have the option of changing
Talk to your NAS vendor. That's completely insane for a NAS to rewrite
the User-Name, not to mention a violation of RFC 3579.
--Mike
Israel Fabio Alves wrote:
Hi,
I need help to solve a problem.
My configuration work 100% with Switch Cisco 2950.
Now I need use Switch from Extreme Networks
Hey, Michael,
I'm betting your ntlm_auth command, where it uses the username, looks
like this:
--username=%{Stripped-User-Name:-%{User-Name:-None}}
This is the default. Try changing your ntlm_auth line in your
radiusd.conf to something like this:
ntlm_auth --request-nt-key
Not yet.
--Mike
Bilal Shahid wrote:
Does FreeRADIUS v1.0.1 support session resumption (fast reconnect during
reauthentication) for TLS, TTLS and PEAP?
Thanks,
Bilal
You just need to make sure that your MySQL headers and libraries are in
the standard include/linker paths. If you installed MySQL from the
RPMs, then this should be true as long as you have the mysql-devel rpm
installed as well.
--Mike
I'd like to be included in this as well.
--Mike
Alan DeKok wrote:
Willem Eradus [EMAIL PROTECTED] wrote:
I'll do some more tracing and debugging. Do you want me to post it to
list
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create NT-Password.
rlm_mschap: Told to do MS-CHAPv2 for jseymour with NT-Password
rlm_mschap: FAILED: No NT/LM-Password. Cannot perform authentication.
rlm_mschap:
in your smbpasswd file.
--Mike
Jim Seymour wrote:
Michael Griego [EMAIL PROTECTED] wrote:
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User
Dagoberto Luiz Schonardie wrote:
Is it possible to authenticate the Windows XP computer account in this
environment ?
Not currently.
--Mike
Stripped-User-Name is created either by using realms or in the hints
file used by the preprocess module.
--Mike
Kevin Jeoung wrote:
You didn't get a Stripped-User-Name. You need
Manuel Schmitz wrote:
Hello,
as far as I have understood, the check_cert_cn switch in raddb/eap.conf
forces the certificate's Common Name to be in the raddb/users file.
Otherwise
That's what CRLs are for. There is support for CRLs in FreeRADIUS now,
so you can revoke the certs you no longer want used.
--Mike
Manuel Schmitz wrote:
Thank you very much. :-)
I
Use the SQL-Group attribute, so your check line would look like this:
DEFAULT Service-Type == Framed-User, SQL-Group == MySQLGroupName
--Mike
[EMAIL PROTECTED] wrote:
Hi
Just
Try running with LD_ASSUME_KERNEL=2.4.19. This will force runtime
linking against the standard libc libs instead of the thread-local
storage (tls) libs. So, on the command line, run
LD_ASSUME_KERNEL=2.4.19 radiusd -X and see if that segfaults.
--Mike
Alan DeKok wrote:
Daniel J McDonald
Jacques VUVANT wrote:
Hi all
I've installed and use freeradius 1.0.1 for EAP/TLS authentication. It
works well without CRL. But each time I want to activate check_crl = yes
on eap.conf
I'm guessing you're using the Windows XP supplicant? This looks like a
classic case of your CA certificate not being present on the client machine.
--Mike
ealatalo wrote:
Quoting
Wow. The EAP message does indeed decode to an EAP Response/Identity
with a value of AMS\mcapelle. I've never seen an EAP-aware NAS rewrite
the User-Name. That violates RFC2869, which states that the NAS must
*copy* the contents of the identity into the User-Name. The only thing
I can
When you're using EAP, it's not always that simple. HUPping a server or
taking it offline is something you'd rather avoid if possible as it
becomes noticeable to the end users when you do it. We do indeed have
redundant servers. If one fails, then yes, the other picks up the load,
but it's
we're actively deploying wireless APs, we can bring up several new NASes
each day.
I'll probably be working on this pretty soon, but that's on hold at the
moment while I attempt to track down a memory leak/heap corruption problem.
--Mike
Actually, what you should be sending in the --username option is:
--username=%{mschap:User-Name}
This will automatically strip the domain portion (if it exists) from the
username before sending it to the DC.
--Mike
Is your Extreme Networks equipment truly performing EAP authentication?
Do you have an example of radiusd -X output with an auth attempt from
this piece of equipment? If it's true that this piece of equipment is
truly rewriting the User-Name attribute so that it isn't the same as the
EAP
Create two instances of the LDAP module, ie ldap1 and ldap2. In
instance ldap1, have one attrmap (perhaps called ldap1.attrmap) with the
LDAP attribute mapped one way and with instance ldap2, have a different
attrmap (perhaps called ldap2.attrmap) with the LDAP attribute mapped a
different
You're running a pretty old version. Give the latest stable release a try.
--Mike
Hennie Vaatstra wrote:
I'm running a freeradius server (FreeRADIUS Version
0.9.3, for host s390x-ibm
The AP must support 802.11i. For Enterprise 802.11i, you must use
802.1x, which FreeRADIUS supports.
--Mike
On Mon, 2004-12-13 at 22:46, Bilal Shahid wrote:
Hi,
Does FreeRADIUS support 802.11i?
On a more general level; in the wireless environment, does the RADIUS Server
(any RADIUS
You haven't generated the certificate files for EAP-TLS. If you're
using EAP-TLS, either run the scripts/certs.sh script as it says in the
config file or manually generate your own certificates. If you are not
going to be using EAP-TLS or any of its sub-types, then you can comment
out the
Peter,
All I have to say is that your attitude normally determines the response
you get. You came in here telling many people who have worked with
RADIUS for a long time how the specs are wrong and how you are much
better than they. This is a fatally flawed approach when trying to
learn
On Sat, 2004-12-04 at 21:16, Peter T. Breuer wrote:
No I haven't. I'm sure radius is fine. OTOH I'm quite sure the rfc is
probably a load of badly written rubbish, because they normally are.
So? Is there something new? Have you read a rfc lately? I certainly
haven't! ;)
Yes, I have. As such,
obtained from Michael
Griego, who published the patch. Currently I'm using FreeRadius version
1.0.1, and I was expecting to find the code from the patch there, but it
wasn't. So I added the patch file again. Without that patch file,
Digest-MD5 authentication doesn't work.
That's odd
, as FreeRADIUS
is out of the game at that point, and will need to be taken up with the
manufacturer of your AP.
--
--Mike