Re: freeradius using pam_oath doesn't return otp challenge

2013-06-16 Thread Phil Mayers
On 06/15/2013 06:20 PM, Martin Kraus wrote: Hi. I'd like to have freeradius authenticate users using their password (for simplicity I'm using /etc/shadow now) and TOTP through liboath. I was hoping to use freeradius to centralize this. PAM looked like the easiest way. rlm_pam only supports pl

Re: initial accept, but then fails

2013-06-16 Thread Phil Mayers
On 06/16/2013 01:15 AM, geebs wrote: On Fri, Jun 14, 2013 at 3:33 PM, Iliya Peregoudov mailto:iperegu...@cboss.ru>> wrote: On 14.06.2013 5:56, geebs wrote: rad_recv: Access-Request packet from host 10.8.13.254 port 1645, id=6, length=220 User-Name =

Re: Freeradius 3.0 build process different from 2.0?

2013-06-14 Thread Phil Mayers
On 14/06/13 15:35, stefan.pae...@diamond.ac.uk wrote: Hi, I have more a development question for Arran/Alan D about the build process for FR 3.0... has it changed significantly compared to v2.2.0? Yes, enormously so but it's all behind the scenes. The reason I ask is that I would like to ge

Re: evaluating unlang IF with sql results

2013-06-14 Thread Phil Mayers
On 14/06/13 13:29, Bill Schoolfield wrote: Actually this particular issue was the parenthesis around the number. I had added them in the expression to make sure the math occurred before the logical comparison. Without them though, unlang's IF seems to evaluate the first expression (a subtraction

Re: Exec problems in FR3.0

2013-06-14 Thread Phil Mayers
On 06/14/2013 07:39 AM, Franks Andy (RLZ) IT Systems Engineer wrote: Hi Do I need to file a bug report or something? No, the issue was raised on -devel You can revert: https://github.com/FreeRADIUS/freeradius-server/commit/4c3030db2743e682c58a0fba30b43d066f22beb0 ...until a proper fix is ava

Re: Exec problems in FR3.0

2013-06-13 Thread Phil Mayers
On 13/06/13 16:24, Franks Andy (RLZ) IT Systems Engineer wrote: Sorry to send yet more emails with issues. I’ve moved to FR3 to test SQL stuff and am having some problems with getting exec modules I previously used to work. I know I could rewrite these in perl, but they worked before in FR2.2.1 a

Re: unlang and update section

2013-06-13 Thread Phil Mayers
On 13/06/13 16:26, Phil Mayers wrote: The documentation is authoritative. It should need to be confirmed. Shouldn't. Sigh. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: unlang and update section

2013-06-13 Thread Phil Mayers
On 13/06/13 16:07, Bill Schoolfield wrote: Can update sections contain if conditions? I get the following error: No. /etc/raddb/sites-enabled/default[573]: "update" sections cannot have subsections /etc/raddb/sites-enabled/default[465]: Errors parsing post-auth section. The documentation sa

Re: Working around broken EAP client

2013-06-11 Thread Phil Mayers
On 11/06/13 15:11, Gordon Ross wrote: On 11 Jun 2013, at 14:32, Alan DeKok wrote: Gordon Ross wrote: In the meantime, is there anything I can do to accept these requests ? Set the User-Name to be the same as the MS-CHAP identity. How and where do I do that ? In the inner part by some

Re: buffered-sql, radsqlrelay and fault resilience

2013-06-11 Thread Phil Mayers
On 11/06/13 13:12, Yann Belin wrote: We then have a detail reader (see "copy-acct-to-home-server" virtual server) that reads this file and relays it to the management RADIUS server for centralised logging. If the management server goes down, the files on disc just grow until it comes back again

Re: Working around broken EAP client

2013-06-11 Thread Phil Mayers
Gordon Ross wrote: >I'm using Freeradius 2.1.10 as supplied with Ubuntu 12.04 > >I'm wanting to use Freeradius to authenticate 802.1x clients. However, >one client I need to authenticate I believe is "broken", in that it's >stripping the suffix on the inner identity. > >From running freeradius -X

Re: EAP post auth reject and access-challenge

2013-06-10 Thread Phil Mayers
On 10/06/13 17:29, Franks Andy (RLZ) IT Systems Engineer wrote: I'm also doing some stuff in the authorization section which can reject a user based on some ldap information. I thought I could perhaps just update the default tunnel post-auth reject section to not do a linelog if auth-type has be

Re: buffered-sql, radsqlrelay and fault resilience

2013-06-10 Thread Phil Mayers
On 10/06/13 16:14, Yann Belin wrote: On many aspects method #1 is better, but I would like to find a way to make the connection to management server optional at start-up, as I in my case accounting is secondary and should not be interfering with auth. Which version are you on? This might be b

Re: EAP post auth reject and access-challenge

2013-06-10 Thread Phil Mayers
On 10/06/13 15:45, Franks Andy (RLZ) IT Systems Engineer wrote: Hi, Just wondered if someone could explain the reason why, on rejection of EAP authentication, an access challenge request is sent out to the NAS, and whether it’s something we can control or not? I assume you're referring to t

Re: How to get the output of Oracle PL/SQL query in table format

2013-06-10 Thread Phil Mayers
On 10/06/13 08:54, manjunath uthappa ponnachana wrote: HI, I am using oracle database in free Radius while using sql module. Have to Write a stored procedure which requires the output in table format. How to get this output in table format in free radius. The SQL module only supports processin

Re: How to define free radius attribute as output

2013-06-10 Thread Phil Mayers
On 10/06/13 10:43, manjunath uthappa ponnachana wrote: Hi, How to define free radius attribute as output when used as a variable in SQL statement. The SQL module doesn't support that kind of use case. At the moment, you need to make your stored procedure return a single value, and split it i

Re: module-failure-message in exec module

2013-06-07 Thread Phil Mayers
On 07/06/13 14:05, stefan.pae...@diamond.ac.uk wrote: Andy, You may want to try and set it in inner-tunnel's post-auth section: if (Module-Failure-Message) { update outer.reply { Module-Failure-Message := "%{Module-Failure-Message}" } } That way the response is

Re: module-failure-message in exec module

2013-06-07 Thread Phil Mayers
On 07/06/13 13:15, Franks Andy (RLZ) IT Systems Engineer wrote: Hi, Ok so I've played about and can get a decent failure reply from a script based solution. Moving on to those NAS clients that actually do PEAP/MSCHAP .. I would like to get a response when a failure occurs from them, but it see

Re: module-failure-message in exec module

2013-06-06 Thread Phil Mayers
On 06/06/13 16:48, Franks Andy (RLZ) IT Systems Engineer wrote: Questions are – does the exec module return to the Module-Failure-Message variable or another I can use, and why doesn’t No, sorry. "mschap" does when it does the internal "exec", but the "exec" module does not. You might be able

Re: AW: AW: AW: Override EAP invalid result in authentication section

2013-06-05 Thread Phil Mayers
On 05/06/13 15:23, PENZ Robert wrote: Hi! I need to send devices with expired or revoked certificates to a remediation vlan, but my reject vlan is for guest access. Both checks happen at the end of the EAP process where the switch expects a reject or accept packet. I need now to change the rejec

Re: EAP-SIM Authentication

2013-06-05 Thread Phil Mayers
On 06/05/2013 04:45 AM, Kranthi K wrote: Hi All, I am Newbie to free radius. I installed freeradius version 2.2.0. i want to configure the EAP-SIM Authentication. Can anyone tell me the steps how to implement it. What's with the sudden interest in EAP-SIM? Is there a school project running s

Re: AW: AW: Override EAP invalid result in authentication section

2013-06-04 Thread Phil Mayers
On 04/06/13 08:55, PENZ Robert wrote: Hi Phil! do you need something additional from me? I'm not really sure what the question is. You've setup FreeRADIUS to reject certain certificates, using the "verify" callout config option. If you don't want to reject those certs, change the callout to

Re: talloc.h not found but libtalloc-dev is installed

2013-05-31 Thread Phil Mayers
On 31/05/13 12:31, Бен Томпсон wrote: Thanks Phil, and Alan Here is a snippet from config.log :- configure:7744: checking for talloc.h configure:7758: gcc -c -g3 -Wall -D_GNU_SOURCE -Qunused-arguments -D_REENTRANT -D_POSIX_PTHREAD_SEMANTICS -Wdocumentation -Wshadow -Wpointer-arith -Wcast-qual -

Re: talloc.h not found but libtalloc-dev is installed

2013-05-31 Thread Phil Mayers
On 31/05/13 11:38, Бен Томпсон wrote: I have tried the packages from squeeze (2.0.1) and wheezy (2.0.7+git20120207). Maybe have a look in "config.log" and related, see what the gcc command line(s) that fail are and try to run them manually.

Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers
On 30/05/13 08:22, EasyHorpak.com wrote: On 30/05/2556 13:44, raptor raptor wrote: [pap] WARNING! No "known good" password found for the user.Authentication may fail because of this. ++[pap] returns noop Found Auth-Type = EAP [pap] WARNING! No "known good" password found for the user.Authe

Re: eap sim authorization problem

2013-05-30 Thread Phil Mayers
On 30/05/13 08:16, Iliya Peregoudov wrote: You should designate realm wlan.mnc001.mcc510.3gppnetwork.org as locally served in raddb/proxy.conf: Better yet, don't use the "suffix" module; look for the realm and strip it yourself: authorize { if (User-Name =~ /^(.*)@(.+)$/) { update requ

Re: Freeradius with Protobuf

2013-05-30 Thread Phil Mayers
On 30/05/13 09:13, Navodit Bhardwaj wrote: Hi I want to use the Google Protobuf for encoding/decoding of FreeRadius request/response. Can someone guide me, how to get it working. Get *what* working? FreeRADIUS doesn't come with built-in protobuf support, so you must be using some external cod

Re: AW: Override EAP invalid result in authentication section

2013-05-28 Thread Phil Mayers
On 05/28/2013 09:06 AM, PENZ Robert wrote: But I can't change a Reject to Accept in Post-Auth .. at least that's what I read. Can you show me what I should to? I don't need to change VLANs .. just need an accept, the VLAN is already correct (set in authorize already as it's the same as for MAC

Re: Auth-Type = Reject not being obeyed

2013-05-24 Thread Phil Mayers
On 24/05/13 17:19, Alan Buxey wrote: The only difference I can see is that the first example uses a plain-text password, and the RADIUS on the LNS is using CHAP? The backend database has "=" in the 'op' field (and not ":="), so the returned attribute is "Auth-Type = Reject" and not "Auth-Type :

Re: AES-GCM

2013-05-24 Thread Phil Mayers
On 24/05/13 12:47, Pieter Hulshoff wrote: I guess that if we want to use AEAD cyphers we'll need to find another TLS library or adapt/contribute to OpenSSL? I think they're supported as of OpenSSL 1.0.1, so merely compiling against that should be sufficient, but both ends then need to use TLS

Re: AES-GCM

2013-05-24 Thread Phil Mayers
On 24/05/13 11:44, Pieter Hulshoff wrote: Hello all, Does FreeRADIUS support AES-GCM in EAP-TLS? I couldn't find the term in the documentation, the wiki or the mailinglist archives, but perhaps I'm looking in the wrong place? Typically this is down the TLS libraries; it's not usually the case

Re: EAP-TLS and TLS record protocol

2013-05-24 Thread Phil Mayers
On 05/24/2013 09:12 AM, Pieter Hulshoff wrote: Hello all, I'm new to the list, relatively new to authentication, and I'm trying to figure out some details regarding the RFCs. I was hoping some of you might be able and willing to help me out here. As I understand it, using TLS you can authentica

Re: Failure authenticate using IPv6

2013-05-24 Thread Phil Mayers
On 05/24/2013 05:18 AM, Stefan Winter wrote: simply isn't an IPv6 address Very true. "fe80::215:17ff:fed0:d278%eth0" is the valid address. I don't know if the FreeRADIUS address parser is prepared to handle such interface-scoped addresses. There's not much use case for this. Not sure I co

Re: Global variables

2013-05-24 Thread Phil Mayers
On 05/23/2013 07:43 PM, Franks Andy (RLZ) IT Systems Engineer wrote: Seems a bit excessive to do it each request. I know it’s not something likely to change gid often but would like to not have to update it at all should it change. We have an “over zealous” AD administrator.. But primary group is

Re: New design/deployment of freeradius

2013-05-22 Thread Phil Mayers
On 05/22/2013 12:58 AM, Tena Gore wrote: I'd like to verify that I'm on the right track here with setting up the protocols and types to use. See: http://deployingradius.com/documents/protocols/compatibility.html We have to use PAP because of not having clear text passwords? Well, you said

Re: Help with chap

2013-05-21 Thread Phil Mayers
On 05/21/2013 07:55 AM, Franks Andy (RLZ) IT Systems Engineer wrote: Can I just use the authorize section to set the password to be the same as the username, i.e. the mac address, after checking some basics like whether the user exists in ldap and perhaps the useraccountcontrol value, then in th

Re: using unlang to call a stored procedure

2013-05-20 Thread Phil Mayers
On 20/05/13 16:55, Alex Sharaz wrote: In this case I've got Tmp-String-0 := "%{sql:call get_vlan_id('%{NAS-IP-Address}','%{User-Name}')}" get_vlan_id accepts two varchar arguments. Which, when I run radiusd -X -d /etc/freeradius gives me /etc/freeradius/sites-enabled/default[248]: U

Re: Limit ADSL speed using radius?

2013-05-20 Thread Phil Mayers
On 20/05/13 12:47, Cooper, Tom wrote: Hi all, How can one limit the ADSL speed on a per customer basis using freeradius? I have been trying a radiusReplyItem: Microtik-Rate-Limit += 512k/1024k, which people recommend, but it does not look like it is working. Ok, and what does that mean. "It is

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:59, stefan.pae...@diamond.ac.uk wrote: Ahhh. According to this conversation: That's a really old conversation. See instead the link I posted in my other email.

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 09:02, Robert wrote: Hi I use freeradius v2.1.10 in Debian Squeeze 6.0.1. I want to know if freeradius supports the following methods : See here: http://notes.asd.me.uk/2012/01/20/freeradius-with-peap-eap-tls-for-microsoft-soh/

Re: Does freeradius support EAP PEAP/TLS or EAP PEAP/EAP-TLS ?

2013-05-20 Thread Phil Mayers
On 20/05/13 10:25, stefan.pae...@diamond.ac.uk wrote: It supports EAP with TTLS, TLS and PEAP, yes. Look at EAP.conf – you can configure all supported options in there. Not sure you've understood what he's asking there; he wants to know if you can to PEAP with EAP-TLS as an inner. The main a

Re: Any One-Time password system.

2013-05-16 Thread Phil Mayers
On 16/05/13 15:45, Sergii Bieliaievskyi wrote: 2013/5/16 Phil Mayers mailto:p.may...@imperial.ac.uk>> No. MPPE requires encryption keys. These can be generated by whatever auth method. If you use plain MSCHAP, MSCHAP generates them. Can you provide more informati

Re: Any One-Time password system.

2013-05-16 Thread Phil Mayers
On 16/05/13 14:27, Sergii Bieliaievskyi wrote: 2013/5/16 Alan DeKok mailto:al...@deployingradius.com>> Sergii Bieliaievskyi wrote: > This is so frustrating :( > How it can be possible to do strong security using reliable passwords > and to have no encryption in the same time.

Re: Any One-Time password system.

2013-05-16 Thread Phil Mayers
On 16/05/13 13:44, Sergii Bieliaievskyi wrote: This is so frustrating :( How it can be possible to do strong security using reliable passwords and to have no encryption in the same time. Because the protocols are old, and badly designed, but are widely deployed because the vendor (Microsoft) h

Re: Inner tunnel post auth question

2013-05-10 Thread Phil Mayers
On 10/05/13 13:53, Franks Andy (RLZ) IT Systems Engineer wrote: Hi, This may have come up before but I can’t find any solutions : I’m using a NAS which always performs EAP/MSCHAP2 authentication, so I’ve stripped the sites-enabled/default right down to pretty much just include the eap stuff for

Re: Bug in CUI generation? Is this a known issue?

2013-05-10 Thread Phil Mayers
On 10/05/13 12:12, Matthew Newton wrote: Hi, On Fri, May 10, 2013 at 09:49:14AM +, stefan.pae...@diamond.ac.uk wrote: As you can see, the expand: bit shows an empty value. Then I changed my cui_hash_key to "01234567890abcdef01234567890abcdef" and it did the same. However, when I set cui_has

Re: how to get linelog() see see packet-types other than access-request

2013-05-08 Thread Phil Mayers
On 08/05/2013 20:09, Jeff Smith wrote: Hello, I've got a freeradius server 2.2.0 configured to process requests, and now I'd like to add some logging that would look something like this: Wed May 8 14:53:16 2013 Access-Request for a...@purdue.edu from MAC address (Calli

Re: Need help with making RPM from v2.x.x branch

2013-05-08 Thread Phil Mayers
On 05/08/2013 08:19 AM, Fajar A. Nugraha wrote: %{_libdir}/freeradius/rlm_acct_unique-*.so FWIW this is the approach we usually take when packaging things; it seems pointless to me to embed version numbers into %files macros. I'm aware this is probably frowned on by some packaging guidelines

Re: redundant-load-balance for AD ntlmauth

2013-05-07 Thread Phil Mayers
On 06/05/13 17:51, John Douglass wrote: I don't just call ntlm_auth Because I want to simulate the entire EAP request (as if it is another of my wireless controllers) and get regular logs from radius that the server is responding. If some (although it hasn't happened!) piece of my radius stack ha

Re: redundant-load-balance for AD ntlmauth

2013-05-06 Thread Phil Mayers
On 06/05/2013 14:40, John Douglass wrote: ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a single AD controller. It can take anything up to 60 seconds for winbind to realise this connection has gone down, during which time all ntlm_auth will hang or fail. This h

Re: multiply Cisco-AVPair request attribute process by regular expression

2013-05-06 Thread Phil Mayers
On 04/28/2013 09:14 PM, Mehdi Ravanbakhsh wrote: i have two Cisco-AVPair attributes in request and i need to process one of them that being started by 'circuit-id-tag=' so i use this : if (Cisco-AVpair =~ /^circuit-id-tag=(.*)$/) { update request {

Re: redundant-load-balance for AD ntlmauth

2013-05-06 Thread Phil Mayers
On 04/29/2013 11:03 PM, FreeRadius List wrote: Thank you I'll check with the samba people and get a better understanding of how ntlm_auth works.# (Sorry for the late reply) The short version here is: badly. ntlm_auth talks to winbind. Winbind maintains a single long-lived connection to a sin

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:59, Nick Lowe wrote: That's a very fair point. A problem with anonymous identities though also comes where you have features at the edge that 'do things' based on the identity. Often you will just want an anonymised unique identity for each discrete user, but not necessarily their

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:29, Nick Lowe wrote: I would have thought that it is perfectly reasonable to return the identity back in the case you have roaming federations as long as it was an agreed requirement beforehand. Maybe, maybe not. If the home site were in a jurisdiction with data protection legis

Re: Normalising the User-Name AVP in an Access-Accept

2013-04-18 Thread Phil Mayers
On 18/04/13 16:06, Nick Lowe wrote: Thanks, Alan! I have got a feature request with Aerohive, our wireless vendor, to support treating the User-Name AVP as being authoritative which they are being pretty receptive and responsive to. (I think RADIUS clients need to stop treating the outer identi

Re: Trimming character of variables within configuration files

2013-04-17 Thread Phil Mayers
On 17/04/13 14:25, P. Manton wrote: OK, So I see there is a preprocess module that says you can manipulate attributes: # The preprocess module takes care of sanitizing some bizarre # attributes in the request, and turning them into attributes # which are more standard. so I added the follo

Re: Trimming character of variables within configuration files

2013-04-17 Thread Phil Mayers
On 17/04/13 13:00, P. Manton wrote: Although it complains in the debug (radiusd -XXX) about the following: Wed Apr 17 12:47:23 2013 : Debug: including configuration file /etc/freeradius/sites-enabled/default Wed Apr 17 12:47:23 2013 : Error: /etc/freeradius/sites-enabled/default[216]: Too many

Re: Trimming character of variables within configuration files

2013-04-17 Thread Phil Mayers
On 17/04/13 11:45, P. Manton wrote: Is there a way I could trim a variable (such as a password variable) within a configuration file. I saw a few examples manipulating variables using unlang here: http://freeradius.org/radiusd/man/unlang.html#lbAB but could not find anything about trimming variab

Re: perl examples

2013-04-08 Thread Phil Mayers
On 08/04/13 14:47, Alex Sharaz wrote: On 8 Apr 2013, at 14:24, a.l.m.bu...@lboro.ac.uk wrote: Hi, In post-auth I want to extract the nas-ip address and calling station-id of the client device open a db connection and perform a query that'll let me decide what vlan-id to send back in the acc

Re: Groupname is not written in the table radacct

2013-04-04 Thread Phil Mayers
That's not how it works. Sql-group is a virtual attribute that only exists when you're checking it, and is multi-valued. You can't record it in accounting packets - that doesn't make sense. What you *can* do is copy a matching group to an attribute that is recorded in accounting, such as "Cla

Re: disconected after one second

2013-04-04 Thread Phil Mayers
On 04/04/13 16:57, Łukasz Kopiszka wrote: More debug "show log fac aaa": Please take the Cisco debugging somewhere else, like a Cisco list (or to private emails).

Re: disconected after one second

2013-04-04 Thread Phil Mayers
On 04/04/13 14:17, Łukasz Kopiszka wrote: Everything was working great until I change something but I don't remember what was it :) That's unfortunate. I suggest you look into using version control for your configs. Anyway, the NAS is the one doing the disconnect - you should debug this o

Re: Real server certificate for PEAP

2013-04-03 Thread Phil Mayers
On 04/03/2013 05:32 AM, Muhammad Nuzaihan Kamal Luddin wrote: Hi, You will need to purchase a Unified Communications certificate from a CA. They don't all call it the same thing.

Re: Real server certificate for PEAP

2013-04-02 Thread Phil Mayers
On 02/04/2013 15:22, Rudolf Henze wrote: Hi, I am using freeradius 2.1.10 with a self-signed certificate with PEAP and mschapv2 and LDAP authentication. I've copied my CA certificate to all clients to be sure that I am using really the right network and not a fake SSID. But this is a little incon

Re: Don't log user pass to database

2013-04-02 Thread Phil Mayers
On 04/02/2013 11:09 AM, Dmitry Korzhevin wrote: Hi, Guys, please tell - how prevent freeradius to log pass to radpostauth mysql (MariaDB) table? I have modified /etc/freeradius/modules section to: Post-Auth = "INSERT INTO ${postauth_table} \ (username, reply, authdate) VALUE

Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-27 Thread Phil Mayers
On 27/03/13 13:55, Jaap Winius wrote: Quoting Alan Buxey : ... I wonder if your server has been built with kerberos support? Indeed it has. The machine in question not only runs Freeradius, but also the Kerberos KDC, kadmin server and Kerberos client software. That all works, and it still wor

Re: definitive info on authenticating to AD via NTLMv2

2013-03-26 Thread Phil Mayers
On 26/03/2013 18:03, a.l.m.bu...@lboro.ac.uk wrote: Hi, o.k. many thanks for this phil. I'll probably have a bash at this but, as I've done it before, just setting up radiator as something that just says yes/no sounds a lot easier :-)) RADIATOR on Windows can use which is a direct access t

Re: How can I change proxy based on username?

2013-03-26 Thread Phil Mayers
On 26/03/2013 15:12, John Horne wrote: What is the upstream proxy? Microsoft domain controller (DC). As in, Microsoft NPS running on a DC? Can you explain why you want to do this? Obviously it's possible to manipulate the packet in many ways, but your goal may be best accomplished via

Re: definitive info on authenticating to AD via NTLMv2

2013-03-26 Thread Phil Mayers
On 26/03/2013 15:09, Phil Mayers wrote: On 26/03/2013 15:00, Phil Mayers wrote: You should ask on the Samba lists - if a windows domain member can do it, there must be a newer API/RPC which Samba could implement. In fact, a couple of minutes with google gives me this thread: https

Re: definitive info on authenticating to AD via NTLMv2

2013-03-26 Thread Phil Mayers
On 26/03/2013 15:00, Phil Mayers wrote: You should ask on the Samba lists - if a windows domain member can do it, there must be a newer API/RPC which Samba could implement. In fact, a couple of minutes with google gives me this thread: https://lists.samba.org/archive/samba/2012-March/166440

Re: definitive info on authenticating to AD via NTLMv2

2013-03-26 Thread Phil Mayers
On 26/03/2013 14:21, Alex Sharaz wrote: Hi., I've been running ntlm_auth to authenticate our 802.1x users against AD for a number of months without problems…… until this morning when our Systems group tightened up auth requirements to only use NTLMv2. and my ntlm_auth module started failing As

Re: How can I change proxy based on username?

2013-03-26 Thread Phil Mayers
On 26/03/2013 12:50, John Horne wrote: Hello, Using Freeradius 2.1.10 I have been trying to see if I can proxy a request to a remote server but using a different User-Name attribute based on the original request User-Name attribute. You can do this, but it might break things because you're usi

Re: Server switch

2013-03-26 Thread Phil Mayers
On 26/03/2013 13:52, Emmanuel BILLOT wrote: authorize { if (Called-Station-Id =~ /^.*:([-a-zA-Z]+)$/) { update control { Tmp-String-0 := "%{1}" } } switch "%{Tmp-String-0}" { That needs to be: switch "%{control:Tmp-String-0}" {

Re: Getting clients from a mysql table

2013-03-26 Thread Phil Mayers
On 03/26/2013 12:52 PM, Peter Kaagman wrote: Try adding the SQL module to the jnstantiate section of radiusd.conf From the radiusd -X output: including configuration file /etc/raddb/modules-enabled/logintime including configuration file /etc/raddb/eap.conf including configuration file /et

Re: Auth-Type krb5 not recognized by v2.1.12

2013-03-26 Thread Phil Mayers
On 03/25/2013 11:42 PM, Jaap Winius wrote: Is this new behavior intentional, or is it simply a bug? In either case, is there a workaround or a code fix for this, or should I continue to use 2.1.10? Actually neither - you should be using 2.2.0 or 2.2.1 when it's release, as the 2.1.10/11/12 re

Re: change Access-Reject output of module with unlang

2013-03-25 Thread Phil Mayers
On 25/03/13 11:16, Mehdi Ravanbakhsh wrote: You means that if modules such as SQL module in session section return reject i can not change that to accept and then update some control attribute ? I don't think so. and can i change sql module ?( i know SQL.conf but in that file i just can c

Re: change Access-Reject output of module with unlang

2013-03-25 Thread Phil Mayers
On 03/25/2013 09:14 AM, Mehdi Ravanbakhsh wrote: Dear ALL How change Access-Reject output of module with unlang in sites-enable to Access-Accept and do some update control ? I don't think you can. And as AlanB says, it probably won't work anyway - you can't "force" accept on challenge/respon

Re: how to access CallingStationId and CalledStationId propertes in diaup.conf (sql.conf) in a SQL query

2013-03-23 Thread Phil Mayers
On 03/23/2013 10:31 AM, Mehdi Ravanbakhsh wrote: Dear ALL I use this query by calling stored procedure in database : simul_count_query = "SELECT findout_cuncurrent_sessions_for_a_user('%{User-Name}','%{NAS-IP-Address}','%{CalledStationId}','%{CallingStationId}')" but I can not access to the va

Re: require_message_authenticator when sending

2013-03-19 Thread Phil Mayers
On 19/03/13 10:18, Stefan Winter wrote: Of course I'm fixing my config by making the yes explicit - but maybe adapting the defaults in realms.c might be a little more consistent behaviour. I believe Message-Authenticator is now always sent in 3.0, unconditionally.

Re: string up CUI for visiting eduroam users

2013-03-19 Thread Phil Mayers
On 03/19/2013 10:11 AM, Alex Sharaz wrote: /etc/freeradius/policy.conf[185]: "SQL" modules aren't allowed in 'post-proxy' sections -- they have no such method. /etc/freeradius/policy.conf[185]: Failed to parse "cui" entry. /etc/freeradius/policy.conf[184]: Failed to parse "if" subsection. /etc/

Re: How to Change radius.log format messages

2013-03-18 Thread Phil Mayers
On 18/03/13 13:28, Luís Cláudio Veiga wrote: Hello everybody, i'm trying to find a way to modify radiusd.conf to change the radius.log messages below: You can't. They're hard-coded. Instead, define an instance of the "linelog" module and set the format you want.

Re: Proxy.conf realms

2013-03-16 Thread Phil Mayers
On 03/15/2013 10:47 PM, Matthew Ceroni wrote: Well I found something that appears to work. I used the hints file. And it correctly stripped off the host/ and domain.local. However now I get the error [eap] Identity does not match User-Name, setting from EAP Identity [eap] Failed in handler Mo

Re: post-auth not being entered in inner-tunnel

2013-03-14 Thread Phil Mayers
On 03/14/2013 09:36 AM, Alex Sharaz wrote: so is that done as in post-auth in the inner-tunnel now works? Should be. Please "git pull" and recompile and confirm.

Re: Add LDAP groups as extra attributes

2013-03-14 Thread Phil Mayers
On 03/13/2013 07:45 PM, Robin Helgelin wrote: First problem is that I need to rewrite the output from ldap to something the radius-client finds useful. But there are radius modules for rewriting things right? Yes, though TBH manipulating LDAP DNs in unlang/attr_rewrite is going to be a pain.

Re: Add LDAP groups as extra attributes

2013-03-13 Thread Phil Mayers
On 13/03/13 15:11, Arran Cudbard-Bell wrote: Phil is correct, but this will only work for something like AD, where you have memberOf attributes which link a user account to a group. Good point, got to watch that - my LDAP is getting very AD-centric :o(

Re: Add LDAP groups as extra attributes

2013-03-13 Thread Phil Mayers
On 13/03/13 14:44, Robin Helgelin wrote: Hi! I want to add the LDAP-users current groups as extra attributes to the authentication reply. Is it possible? I'm having a hard time finding documentation about this. Yes. Edit the ldap.attrmap to map the LDAP group attribute to a RADIUS attribute,

Re: troubles with eap-peap mschapv2

2013-03-12 Thread Phil Mayers
On 12/03/13 14:23, Bertrand Poulet wrote: Tue Mar 12 15:10:20 2013 : Info: # Executing section authorize from file When you make debug output, please just use: radiusd -X Don't use the other arguments; they just create noise and volume (timestamps) that are basically irrelevant. Tue Mar

Re: [Help] Is there a way to differentiate devices using Radius?

2013-03-12 Thread Phil Mayers
On 03/12/2013 01:46 AM, Danny Kurniawan wrote: Is that means we have to manually added the client MAC into radius one by one? RADIUS can only act on RADIUS attributes. There's no RADIUS attribute that says: Device-Type = "Bosses iPad" Most NASes send username and network address of the cli

Re: EAP-TLS testing, occasional errors

2013-03-07 Thread Phil Mayers
On 07/03/13 16:01, Bertalan Voros wrote: Has anyone seen this before? I see all kinds of weirdness from clients. Fundamentally, the problem is at the client - it didn't send a certificate - so you need to troubleshoot it there.

Re: mschap module vs ntlm_auth module

2013-03-06 Thread Phil Mayers
On 06/03/13 15:31, Óscar Remírez de Ganuza Satrústegui wrote: Good afternoon, As I said some days ago in this list, we have configured our freeradius server to use ntlm_auth for authentication following the document: http://deployingradius.com/documents/configuration/active_directory.html If yo

Re: overlapping cisco avpairs (UCS+IOS)

2013-03-06 Thread Phil Mayers
On 06/03/13 11:28, Øystein Gyland wrote: On 03/06/2013 03:21 AM, Jimmy Stewpot wrote: Hello, We have always had the Cisco-AVPAIR of "shell:priv-lvl=15" which has been working for some time. With the Cisco UCS platform we need to introduce an additional shell: variable which looks like this "she

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers
On 05/03/13 09:56, Danny Kurniawan wrote: Hi All, Thanks for all your replies. Yes, I do understand the solution is to deploy the network profile, but just curious at first whether any of you have an idea how to eliminate it without touching the client. You can't. It's impossible by design - all

Re: UnLang SQL query vs Perl SQL query

2013-03-05 Thread Phil Mayers
On 03/04/2013 10:29 PM, Mehdi Ravanbakhsh wrote: Many thanks for your reply. How can I call a stored procedure in unlang? It's just an SQL query. Use an SQL xlat: "%{sql:select myproc('%{Arg1}')}"

Re: [Help] How to eliminate client certificate popup

2013-03-05 Thread Phil Mayers
On 03/05/2013 01:58 AM, Danny Kurniawan wrote: Hello, We are using 802.1x wireless connection from Meraki and using PEAP-MSCHAPv2 for authentication with our LDAP. Everything works fine, it's just that we want to eliminate this pop-up the first time people connect to it: How can I do that? We are us

Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Phil Mayers
On 03/04/2013 08:59 PM, Alan DeKok wrote: Phil Mayers wrote: Second, "reply to giaddr" is mandated in the DHCP spec; are you *sure* you have "other DHCP servers" which "reply to source ip"? Which servers? The issue is that giaddr serves two purposes. In the

Re: DHCP relay IP and gateway IP, possible bad logic?

2013-03-04 Thread Phil Mayers
On 03/04/2013 07:05 PM, Igor Smitran wrote: As you can see, the CMTS will relay all requests from CMs and CPEs over the primary interface address (private_ip/255.255.192.0); radius will get all requests from that IP. All offers need to go back to that same IP, no matter what giaddr is sent to the client.

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Phil Mayers
Try with a private ca first, it'll save cash Thomas Simmons wrote: >On Sun, Mar 3, 2013 at 6:41 AM, Phil Mayers >wrote: > >> When you enable "validate...", what are you entering as the server >name? >> I'm not sure wildcard certs work with eap unde

Re: Problem Using GoDaddy Wildcard Certificate

2013-03-03 Thread Phil Mayers
When you enable "validate...", what are you entering as the server name? I'm not sure wildcard certs work with eap under windows. Thomas Simmons wrote: >Hello All, > >I'm trying to get my setup working with a GoDaddy-issued wildcard >certificate (I understand self-signed is recommended). I don

Re: DHCP sqlippool reply values

2013-02-28 Thread Phil Mayers
On 28/02/13 13:36, Igor Smitran wrote: I've added two new fields into the radippool table that I am using for DHCP dynamic pools. `gateway` varchar(15) NOT NULL DEFAULT '', `netmask` varchar(15) NOT NULL DEFAULT '', in ippool-dhcp.conf I've added new fields: allocate-find = "SELECT framedipa

Re: SSL V3 client certificate error

2013-02-28 Thread Phil Mayers
This is the client telling you it doesn't trust your server CA. Set up the client correctly. Danny Kurniawan wrote: >Hi All, > >I have some intermittent issue with our Radius auth. >OS : SLES 11 >Radius 2.1.1 > >We get the cert from GlobalSign and use it at the 2 Radius server. So >Server A and
