On 30/03/12 10:38, Fajar A. Nugraha wrote:
How easy is it to crack
such a password? An authentication wouldn't have happened but the
attacker would have had the encrypted usernames and passwords.
They won't.
Not immediately. But MSCHAP is a complex (and old) algorithm, and it is
On 30/03/12 10:54, Heinrich, Sebastian wrote:
Now I am totally confused. Fajar says that it is not so easy to crack
the passwords and Phil says the opposite. I am not a hacker. Can
anybody say that this would be easy to do or not:
I didn't say it was easy. I said it was *possible*.
And you're
On 30/03/12 11:58, Morris, Andi wrote:
Hi Ricardo, Sorry it was a brief answer but I'm also unsure of where
to turn next with this, especially as you are seeing the same issue
with different network hardware.
Well, you guys need to debug your network hardware (and Ricardo needs to
use a
On 30/03/12 12:51, Heinrich, Sebastian wrote:
I apologize for bothering you. I thought that somewhere might be a how-to to
solve this.
Unfortunately there's nothing to solve. This is just how PEAP/MSCHAP
works; there is a server cert, and for it to be secure, you must
validate it.
There
On 29/03/12 11:46, Heilz wrote:
Hi,
I'm fairly new to the topic but I got the assignment to find out if the fact
that the shared secrets for user logins are in plain-text could be a problem
security-wise.
Do you really mean shared secrets? This is a term normally applied to
the RADIUS secret
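Since the thread turns on what "shared secret" means, here is an added example (not from the list, and not FreeRADIUS code) of what the RADIUS shared secret actually does on the wire: it keys the Message-Authenticator on an Access-Request (HMAC-MD5, RFC 2869 section 5.14), it goes into the Response Authenticator that a NAS must check on every reply (RFC 2865 section 3), and it hides User-Password (RFC 2865 section 5.2). The secret, identifier, user name and password below are constructed for the example.

```python
import hashlib
import hmac
import os
import struct

# Constructed values for this example only; a real NAS and server share their own secret.
SECRET = b"testing123"

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
USER_NAME, USER_PASSWORD, MESSAGE_AUTHENTICATOR = 1, 2, 80


def encode_attr(attr_type, value):
    """RADIUS attribute TLV: one byte type, one byte total length, value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def hide_password(password, secret, req_auth):
    """RFC 2865 section 5.2: pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block), the first block keyed by the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out += block
        prev = block
    return out


def unhide_password(hidden, secret, req_auth):
    """Inverse of hide_password; chaining uses the previous hidden block."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(x ^ y for x, y in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def build_access_request(ident, secret, req_auth, attrs):
    """Access-Request carrying a Message-Authenticator (RFC 2869 section 5.14):
    HMAC-MD5 keyed with the secret over the whole packet with the MA value zeroed."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    placeholder = encode_attr(MESSAGE_AUTHENTICATOR, b"\x00" * 16)
    length = 20 + len(body) + len(placeholder)
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, length) + req_auth
    mac = hmac.new(secret, header + body + placeholder, hashlib.md5).digest()
    return header + body + encode_attr(MESSAGE_AUTHENTICATOR, mac)


def verify_message_authenticator(packet, secret):
    """Server-side check: locate the MA, zero it, recompute. A missing or wrong MA is rejected."""
    pos = 20
    while pos + 2 <= len(packet):
        attr_type, length = struct.unpack("!BB", packet[pos:pos + 2])
        if length < 2 or pos + length > len(packet):
            return False
        if attr_type == MESSAGE_AUTHENTICATOR and length == 18:
            zeroed = packet[:pos + 2] + b"\x00" * 16 + packet[pos + 18:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + 18])
        pos += length
    return False


def build_reply(code, ident, req_auth, secret, attrs):
    """Reply whose Response Authenticator is
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    body = b"".join(encode_attr(t, v) for t, v in attrs)
    prefix = struct.pack("!BBH", code, ident, 20 + len(body))
    resp_auth = hashlib.md5(prefix + req_auth + body + secret).digest()
    return prefix + resp_auth + body


def verify_reply(packet, req_auth, secret):
    """NAS-side check: a reply forged without the secret, or replayed against a
    different Request Authenticator, fails here."""
    if len(packet) < 20:
        return False
    prefix, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(prefix + req_auth + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


if __name__ == "__main__":
    req_auth = os.urandom(16)
    request = build_access_request(7, SECRET, req_auth, [
        (USER_NAME, b"alice"),
        (USER_PASSWORD, hide_password(b"correct horse battery", SECRET, req_auth)),
    ])
    print("request authenticates:", verify_message_authenticator(request, SECRET))
    accept = build_reply(ACCESS_ACCEPT, 7, req_auth, SECRET, [])
    print("accept authenticates:", verify_reply(accept, req_auth, SECRET))
    print("forged accept authenticates:", verify_reply(accept, req_auth, b"guess"))
```

The point for the original question: the RADIUS secret is a per-NAS key, and none of these three checks survive a weak or widely shared one. User passwords in a users file or SQL table are a separate matter from this secret.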
On 29/03/12 13:24, Heinrich, Sebastian wrote:
Hello Everybody,
I have two questions for my understanding. I set up FreeRADIUS to
authenticate against our Active Directory. I read in the readme that
this couldn't be done with the ldap module, so I did it with SAMBA. It
works fine for MSCHAPv2.
On 27/03/12 23:38, Brian De Wolf wrote:
On Mon, 26 Mar 2012 11:46:22 -0700
Scott McLane Gardnersgar...@uark.edu wrote:
If I can't use if statements in a load balance block, can anyone
suggest another way to go about accomplishing what I want to do here?
After reading this thread and
On 28/03/12 15:05, Sebastijan Šilec wrote:
I'm upgrading FreeRadius from version 1.x to 2.x and transferred the
configs.
I have a problem with defining authorize and authenticate sections.
I've defined 2 ldap modules (ldap and ldap1) connecting to same LDAP
servers but to different OU's
The old
On 27/03/12 15:07, Scott McLane Gardner wrote:
I'd be surprised if using Ldap-Group in the user's file
resulted in load balancing of the group membership
queries to the LDAP servers. Does it?
It does, actually. Or at least it appears to. The first time it used ldap2
and the second time it
On 27/03/12 16:17, Khapare Joshi wrote:
And in /var/log/radius/radius.log -- I get nothing
Tue Mar 27 13:29:13 2012 : Info: Loaded virtual server default
Tue Mar 27 13:29:13 2012 : Info: Ready to process requests.
Tue Mar 27 14:23:53 2012 : Info: Exiting normally.
Tue Mar 27 14:23:53 2012 :
On 03/26/2012 10:01 AM, Glen Harris wrote:
Server: Debian 6 (Squeeze) 2.6.32-5-amd64
FreeRadius: 2.1.10 (Debian package)
Client: HP E-MSM460 AP (MSCHAPv2, Use message authenticator)
Authentication methods for the MSM460 are: MSCHAPv2, MSCHAP, CHAP, EAP
MD5 and PAP.
I'm trying to set up a
On 03/24/2012 10:26 PM, Brian Julin wrote:
Can you explain what threat model you think this addresses?
It limits the exposed fuzzable surface. Any vulnerabilities present or
introduced
in the low level RADIUS packet processing compromise only the external
server. The packets that reach the
On 03/25/2012 12:09 PM, Fajar A. Nugraha wrote:
On Sun, Mar 25, 2012 at 4:47 PM, dhanushka ranasinghe
parakrama1...@gmail.com wrote:
Hi..
we changed Auth-Type := Accept to Auth-Type := PAP , then it starts to work
You shouldn't need to do that. A cleaner way would be to read
On 03/23/2012 02:12 PM, mark.le...@stfc.ac.uk wrote:
isn’t possible, do I have any other options? Would a solution be to make
the virtual servers listen on two different IP addresses, and configure
the NAS to use a different RADIUS server IP address for each SSID?
That is the common solution,
On 03/23/2012 04:16 PM, Javier Ruiz Escalante wrote:
Hello,
Despite that my user is authenticated, I don't get the data in RADACCT
table, my output is this one. Can anybody help me?
Your NAS didn't send any accounting packets. So no accounting packets
were logged to the database.
On 03/23/2012 11:07 PM, Javier Ruiz Escalante wrote:
I have realized that my radius system does not record the logging
information in my radius Data base, in radacct table, but nevertheless
creates a folder in /var/log/freeradius for every NAS which is called
“radacct” inside this folder there
On 03/24/2012 05:51 AM, dhanushka ranasinghe wrote:
Hi guys,
I'm using freeradius with LDAP, and its authentication works fine when
I use the following configuration.
server = ldap.home.com
identity = cn=admin,dc=home,dc=com
password = home
basedn =
On 22/03/12 15:27, PENZ Robert wrote:
Hi!
Thx for the fast response!
But how to I execute the SQL authorize_reply_query query after I did
a EAP authentication? I don't do that currently in post-auth. I just
have the sql module activated in authorize.
have the sql modul activated in authorize.
Like this:
post-auth {
if
On 21/03/12 10:07, Stefan Winter wrote:
Hi,
in some weird business case, I would like to generate a one-time use
token for later consumption in post-auth. So when the user is accepted,
trigger an
{sql:INSERT randomvalue INTO someplace}
The value should be new for every Access-Accept. I wonder
On 21/03/12 10:49, Matthew Newton wrote:
On Wed, Mar 21, 2012 at 11:07:16AM +0100, Stefan Winter wrote:
The value should be new for every Access-Accept. I wonder how to
generate such a random value with unlang. Is there some {%rand} or
anything like that?
On 03/15/2012 12:36 PM, Altaf Husain wrote:
Hi,
We are using FreeRadius ver 2.1.12, I had a query regarding EAP-AKA
support in eap2 module, its mentioned in FreeRadius website that
This module is experimental, and may not be ready for use in a
production environment, Is it
On 14/03/12 19:04, ryuukuu wrote:
Hello All,
I've got a question about the settings for limiting access/authenticating to
a specific LDAP group. I have setup a group on my OpenLDAP called RADIUS
and I want the users in there to be the only ones that have access. The
problem I am having is with
On 16/03/12 16:14, pamela pomary wrote:
I read online, it is not possible to do md5 with MS-CHAP. I don't want to
This is correct.
save users passwords in clear text. How can I achieve encrypting user's
passwords in MySQL database. I have Freeradius2.1.12 installed. Please I
will be grateful
On 16/03/12 16:57, fulvio fabiani wrote:
Hi all,
I've a problem with concurrent accounting requests with free radius 2.1.11.
Upgrade to 2.1.12 and try again.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 03/15/2012 07:38 AM, Christiaan Rademan wrote:
Can you please advice me on anything I should watch out for or plan for?
I'm sure others will chip in, but basically: don't worry about
FreeRADIUS, worry about your SQL database.
FreeRADIUS itself can handle a truly enormous rate of
On 03/15/2012 09:11 PM, Aidan Rowe wrote:
Any possible updates on this? It seems at some point the man pages
changed from using INSERTs and UPDATEs to only using INSERTS.
I'm guessing here, but I suspect the problem with doing UPDATEs is that
they noop if the row isn't present. This can
On 03/13/2012 06:07 AM, Morteza Milani wrote:
Hi,
I don't know what's wrong with freeradius. It's running but does not
handle authentication requests. After restarting, it works fine but
after a while it goes to sleep;)
Which version are you running?
What sort of config do you have - do you
On 13/03/12 09:50, Mohamed Lrhazi wrote:
Hello,
My LDAP server has the passwords stored in MD4 encoded format, which I
am suspecting is the same as NT format...
Is there a way to tell freeradius to treat {MD4} as if it was {NT}?
You could change the source code. Or re-write the attribute:
On 12/03/12 15:44, u...@3.am wrote:
DEFAULT Group == FOO, Pool-Name :=FOO_pool
Group is probably empty. I can't remember what module, if any, fills
it out.
What do you *think* Group will contain? It won't contain LDAP groups.
On 12/03/12 18:23, u...@3.am wrote:
...and you just hit on something that solved the problem. It seems that FR was
getting the group info from LDAP indirectly, through the PAM module, which was
Actually, probably not.
It probably gets the groups via nss_ldap, through nsswitch.
On 03/08/2012 04:44 PM, Morris, Andi wrote:
I’m trying to trace an access attempt that occurred today so that I can
categorically say to a user that you were successfully connected to our
network, or not, whatever the case maybe. However I’m struggling to
create a chain of events by going
On 03/08/2012 05:09 PM, Andres Septer wrote:
Check the winbind log files,
Did that already. Nothing interesting there, only lines like
[2012/03/08 14:32:17.115991, 3]
winbindd/winbindd_misc.c:417(winbindd_priv_pipe_dir)
[25675]: request location of privileged pipe
[2012/03/08
On Fri, Mar 09, 2012 at 10:59:46AM -0500, u...@3.am wrote:
authorize {
preprocess
redundant LDAP{
ldap1
ldap2
}
# The ldap module will set Auth-Type to LDAP if it has not
# already
On 08/03/12 11:56, Andres Septer wrote:
--nt-response=13e96b497efab1bd69bfdcb845393f54e1cd4d71aa7e604a
Thu Mar 8 13:42:03 2012 : Debug: Exec-Program output: Reading winbind
reply failed! (0xc001)
Weird. It looks a bit like ntlm_auth failed completely here.
Check for permissions, SELinux
On 03/06/2012 02:10 AM, u...@3.am wrote:
On 28/02/12 21:16, u...@3.am wrote:
However, we just noticed that password expiry isn't working. I suspect this is
because we are still using all the original POSIX attributes and none of them
look
like good for mapping to the ones supplied by
On 05/03/12 09:38, Stefano Zanmarchi wrote:
Hi,
my first post here, a newbie question, thanks for your help.
I'm going to set up two freeradius servers (2.1.7 on RHEL 5.5).
ServerB will be connected to an AP and I want it to proxy all EAP
requests to serverA (TTLS-PAP
will be the only method
On 05/03/12 12:56, Stefano Zanmarchi wrote:
Thanks a lot Phil for your kind answer.
Could you please tell me which is the weird part of the configuration?
Do you mean the use of ttls-pap with openldap or the fact that serverB
is there only
to proxy requests to serverA?
The latter. I'm sure you
On 05/03/12 13:55, Javier Ruiz Escalante wrote:
Good afternoon,
I'm new in Radius and I have no clue what happens, can anybody help me?
from the server in the command line works fine, from the wireless client
get this one.
Mon Mar 5 12:36:33 2012 : Debug: WARNING: Unprintable characters in
On 05/03/12 15:05, Brian Gold wrote:
We've been using SecureW2's client with our Freeradius server using
EAP-TTLS/PAP authentication. From doing some very preliminary testing
with the Windows 8 consumer preview, I've noticed that MS is now
including EAP-TTLS support directly in windows.
On 05/03/12 16:16, Morris, Andi wrote:
Hi all,
Apologies for being slightly off topic.
Does anyone else get a problem with Windows 7 clients prompting for the
radius credentials 2 or 3 times before finally accepting them? No errors
are shown on the radius side, and I’ve read that this is a
On 03/05/2012 06:31 PM, Brian Gold wrote:
I've uploaded the radius -X output to http://pastebin.com/Fgr60hXr since it was
pretty long.
Weird; that all looks good to me. I guess the problem must be on the
Windows side, but I'm not super familiar with TTLS so am not sure what
it might be.
On 03/05/2012 07:39 PM, Wenjuan Lin wrote:
Hello,
I just had a freeradius server (2.1.12, prebuilt for
x86_64-redhat-linux-gnu) setup for development testing purpose.
However I couldn’t configure this server for TCP connection. By the
email thread dated back 09/2009, freeradius should have TCP
Mon Mar 5 14:45:55 2012 : Debug: Exec-Program-Wait: plaintext: winbind
client not authorized to use winbindd_pam_auth_crap. Ensure permissions
on
/var/run/samba/winbindd_privileged are set correctly. (0xc022)
Did you spot this?
--
Sent from my phone. Please excuse brevity and typos.
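The two winbind failures in this thread ("Reading winbind reply failed" and "client not authorized to use winbindd_pam_auth_crap") both come back to whether the unprivileged radiusd account can traverse the privileged winbind pipe directory. This is an added check (not from the list, and not FreeRADIUS or Samba code) that reproduces the kernel's traversal decision from the directory's mode and owner; the directory path, the account name and the group names in the comment are assumptions and vary by distribution.

```python
import grp
import os
import pwd
import stat

# Assumed path and account; the group owning the directory differs per distribution
# (for example winbindd_priv on Debian/Ubuntu, wbpriv on Red Hat).
WINBIND_PRIV_DIR = "/var/run/samba/winbindd_privileged"
RADIUS_USER = "freerad"


def may_search_dir(mode, owner_uid, owner_gid, uid, gids):
    """Pure permission logic: can uid (member of gids) traverse a directory with this mode?
    Root always can; the owner needs owner-execute; group members group-execute; others other-execute."""
    if uid == 0:
        return True
    if uid == owner_uid:
        return bool(mode & stat.S_IXUSR)
    if owner_gid in gids:
        return bool(mode & stat.S_IXGRP)
    return bool(mode & stat.S_IXOTH)


def user_gids(username):
    """Primary plus supplementary group ids of an account from the local passwd/group databases."""
    pw = pwd.getpwnam(username)
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if username in g.gr_mem)
    return gids


def check_winbind_privileged(path=WINBIND_PRIV_DIR, username=RADIUS_USER):
    """Return (ok, message) saying whether radiusd can reach the privileged winbind pipe."""
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return False, "%s missing: is winbindd running?" % path
    pw = pwd.getpwnam(username)
    if may_search_dir(stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid, pw.pw_uid, user_gids(username)):
        return True, "%s can use %s" % (username, path)
    group = grp.getgrgid(st.st_gid).gr_name
    return False, "add %s to group %s (owner of %s) and restart radiusd" % (username, group, path)


if __name__ == "__main__":
    ok, msg = check_winbind_privileged()
    print("OK" if ok else "FAIL", msg)
```

Adding the radiusd account to the directory's group is the least-privilege fix; running radiusd as root or opening the directory to everyone also "works" but hands the NTLM oracle to every local user. If the check passes and ntlm_auth still fails, look at SELinux next, as suggested above.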
On 01/03/12 18:25, whopeman wrote:
Hi,
I am fairly new to FreeRADIUS, so please bear with me a bit. I have
searched the forums and websites to find an implementation that allows me to
configure my server to process BOTH PEAP MSCHAP and PEAP/EAP-GTC (v0 and
v1). I have not found anyone
On 01/03/12 10:16, Anto wrote:
Hello
In the coming days I will set up a freeradius server for access
control and accounting. I've been looking for information on
freeradius and high availability, since my idea is to have two servers
in case one fails, continue to operate with the other, but I
On 28/02/12 21:16, u...@3.am wrote:
Hi:
We've been running various versions of FreeRadius for years, currently 2.1.10 in
this application. A while ago, we switched from PAM (unix) auth to LDAP auth.
Everything worked fine after the switch...POSIX attributes for group membership
correctly
On 02/28/2012 07:54 AM, Mohit Aron wrote:
TLS_accept: failed in SSLv3 read client certificate A
rlm_eap: SSL error error:14094418:SSL routines:SSL3_READ_BYTES:tlsv1 alert
unknown ca
SSL: SSL_read failed inside of TLS (-1), TLS session fails.
You have failed to setup the required certs on
On 02/24/2012 05:10 PM, Jesse Crayston wrote:
Trying to get my users to have the same password on a radius server, as
they do on the google apps domain.
That might be tricky.
Since you can't read the passwords from an apps domain, the only thing
you could possibly do is use it as an oracle
On 02/24/2012 07:38 AM, Alan DeKok wrote:
TTLS doesn't generate it. My guess is that Cisco has invented
something themselves which defines EAP-Key-Name. Find out what that is,
and we can implement it in FreeRADIUS.
FWIW, a bit more digging shows section 1.4.1 of RFC 5247 is relevant,
On 24/02/12 15:43, Jesse Crayston wrote:
Hello,
I'm wondering if I could get help, or find documentation(even just a
draft) on setting up Oauth2 on a freeradius server(omniauth?). I'm
looking to use my google apps domain user database, to manage users, and
control access through an Untangle
On 23/02/12 16:26, Matija Levec wrote:
What should be configured for radius to also send EAP-Key-Name AVP?
AFAIK that is not implemented yet.
I've only skimmed them, but AFAIK most AAA servers and EAP methods don't
generate EAP-Key-Name yet. I'm not sure what the correct value for this
On 02/21/2012 11:04 PM, Tim White wrote:
Following on from my previous email, I've checked an x86 machine as
well, and get the same behaviour.
I should hope so; SQL is not architecture specific!
Your original solution was correct as far as I could see; if there's any
chance a column might be
On 02/16/2012 09:35 AM, Morris, Andi wrote:
Hi all,
I’m trying to configure my freeradius server to prompt the user to
retype their credentials if they mistype the username or password so
that they can be authenticated via dot1x.
Does your NAS support this attribute? You are sending it just
On 14/02/12 10:27, justi...@mac.com wrote:
Hi all,
we are using freeradius with mysql.
Accounting works fine, but we discovered that the server is doing
accounting for users which don't exist at all in our system. They are
probably local users but accounting information is sent to our
servers.
On 14/02/12 10:59, justi...@mac.com wrote:
Thanks, I haven't used preacct before, in what module is this, can
you send detailed solution? Sorry, i am only a beginner in writing
customized things for freeradius.
This is a section in the standard virtual server config. If you look in
On 14/02/12 11:18, justi...@mac.com wrote:
NAS are set up by partner companies all around the world. We can tell
them to fix the NAS but maybe it can take weeks and we don't want to
allow misconfigured NAS in the accounting at all.
Freeradius can perform arbitrary processing, to ignore or
On 02/10/2012 05:46 PM, Alan Buxey wrote:
Hmmm.
Don't update user-name. Set or update stripped-user-name instead and use
that in the mschap auth
The mschap module doesn't honour Stripped-User-Name anywhere. The only
place it would work would be in the ntlm_auth command line xlat, and
he's
On 02/10/2012 05:53 PM, Luis Písco wrote:
But the My-Group==2 is not evaluated.
It is not possible to assign a value to an item and use it later on the
users file?
No.
The example you show sets My-Group on the *reply*. The users file can
match on request items only.
It is possible get
On 02/10/2012 09:09 PM, NdK wrote:
Can't create users in AD. Just machine accounts. Maybe it's possible
to use the (or a dedicated) *machine* account credentials?
rlm_ldap just needs a bind DN. Any ldap DN with permissions to bind to
the directory and execute the searches you need will
On 02/09/2012 07:55 PM, Francois Gaudreault wrote:
Doing the MS-CHAP-User-Name change got me this error :
mschapv2] # Executing group from file
/etc/raddb/sites-enabled/packetfence-tunnel
[mschapv2] +- entering group MS-CHAP {...}
[mschap] Found NT-Password
[mschap] ERROR: User-Name
On 02/09/2012 11:56 PM, Rami AlZaid wrote:
rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
I know nothing about EAP-SIM, but I don't think this message matters;
you see it all the time in debugs, and I think you can ignore it.
On 10/02/12 11:33, Riccardo Veraldi wrote:
Hello,
I have a radius infrastructure with multiple ESSID.
in particular I have the eduroam ESSID and another local ESSID.
They are managed by my freeradius2 server with 2 virtual-server
instances, one for eduroam and the other for my local ESSID.
Both
I cannot have two separate users files, the users file is common to both
virtual servers.
Is there a way to have a users file for each virtual server?
I did not find it is possible from documentation.
Ricdk
Yes you can. This is a core feature of the server. You need to look at the docs
more
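The feature Phil is pointing at is that the files module can be instantiated more than once, each instance reading its own file, and each virtual server then calls the instance it wants. This is an added illustration, not configuration from the thread; the instance names, file names and the two virtual-server names are assumptions, and the layout follows the FreeRADIUS 2.x raddb/modules and raddb/sites-enabled convention.

```conf
# raddb/modules/files: one instance of rlm_files per policy file (names assumed)
files eduroam_users {
    usersfile = ${confdir}/users.eduroam
}

files local_users {
    usersfile = ${confdir}/users.local
}

# raddb/sites-enabled/eduroam: only the eduroam policy applies here
server eduroam {
    authorize {
        preprocess
        eduroam_users
        eap
    }
    authenticate {
        eap
    }
}

# raddb/sites-enabled/local: only the local policy applies here
server local {
    authorize {
        preprocess
        local_users
        eap
    }
    authenticate {
        eap
    }
}
```

Keeping the two policies in separate instances means an entry added for the local SSID cannot accidentally grant access on eduroam, which is the property you want when the two ESSIDs have different trust levels. The default `files` instance keeps reading ${confdir}/users, so make sure neither virtual server still lists it if you do not want that file applied.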
On 10/02/12 14:36, Francois Gaudreault wrote:
Hi Phil,
Still no go. Now EAP complains :
[eap] Identity does not match User-Name, setting from EAP Identity.
Oh dear...
I'll need to test this, but I have a horrible feeling you're between a
rock and a hard place here - EAP identity check is
On 10/02/12 14:38, NdK wrote:
Hello all.
Is it possible to bind to AD's LDAP using the Kerberos ticket obtained
at join time?
This question does not make sense. Joining a domain doesn't obtain a
kerberos ticket. It creates a machine account principal, and a shared
secret (password) that can
On 02/09/2012 02:18 AM, Fajar A. Nugraha wrote:
On Thu, Feb 9, 2012 at 7:49 AM, Will Richmondw...@bootit.com
wrote:
Does there exist an xlat: that NT-hashes new cleartext password,
deletes the change pass xtrl attribute in users file and then
writes the new pass there? or am I going about this
On 09/02/12 16:49, Francois Gaudreault wrote:
On 12-02-09 11:41 AM, Alan Buxey wrote:
hmm, with nt_domain_hack = yes and --username=%{%{mschap:User-Name}
used for
the auth attempt, things should work
By saying --username=%{mschap:user-name} you refer to the ntlm_auth
line in the mschap module
On 09/02/12 17:02, Phil Mayers wrote:
On 09/02/12 16:49, Francois Gaudreault wrote:
On 12-02-09 11:41 AM, Alan Buxey wrote:
hmm, with nt_domain_hack = yes and --username=%{%{mschap:User-Name}
used for
the auth attempt, things should work
By saying --username=%{mschap:user-name} you refer
On 09/02/12 16:42, Alan DeKok wrote:
The issue could be somewhere else. From what I recall, host
authentication is... weird. The name in the MS-CHAP blob might *not* be
the same as the User-Name field. If that happens, the calculated
response using the User-Name will be wrong.
Looking
On 09/02/12 15:49, Walter Gould wrote:
All,
I have FR vmps configured to query postgresql for a mac address and
return the vlan that is assigned to it. That is working well. However, I
would like to configure vmps to return a fallback or guest vlan for
cases when a mac address is not in the
On 08/02/12 15:56, John Doppke wrote:
Does someone know if freeradius can update an LDAP user attribute as part of
post processing?
As far as I'm aware, that's not currently possible via rlm_ldap.
You could use a wrapper script around ldapmodify, called via the
exec module.
On 06/02/12 15:53, Cornelius Kölbel wrote:
... but it seems that the ldap_groupcmp does not support pattern matching?
Am I right or does anybody have another idea?
Ldap-Group isn't a real attribute. It is a virtual attribute, that
triggers a search in the directory when you compare to it.
On 02/02/2012 05:33 PM, NdK wrote:
Il 02/02/2012 13:35, McNutt, Justin M. ha scritto:
Thoughts? Opinions? Better ways to accomplish any/all of this?
Briefly, there's probably not much you can do to improve this. If you
have such a complex domain environment, you're going to have to write
On 02/03/2012 12:27 AM, Dan Letkeman wrote:
This would be a nightmare to manage. We have 2000+ clients. I see
the advantage, if the certificate was compromised that this would be
important, but how in the world would you manage this?
Use the Microsoft CA, and use machine auto-enrollment.
On 02/03/2012 02:08 PM, Dan Letkeman wrote:
Ok, so there are two problems with these scenarios in our environment.
We do not run AD, we run eEdirectory, and the computers are not
assigned to the users, they are all shared computer labs. This is why
Ah.
This has come up on the list before. I
On 02/03/2012 04:56 PM, NdK wrote:
There must be a misunderstanding. I'm not asking advice about the query
itself (that would be OT here).*Given* that the query should (and that
'should' is not FR-related) return a 4-rows answer that I must translate
to a single row, how do I translate it to a
On 02/03/2012 05:23 PM, NdK wrote:
*or* win uses the username to calculate the response. Since users *can*
actually log in to their accounts using their mail address... Maybe win
caches (or looks up) the real username?
Sure. If the client uses the right values as input to the crypto hash,
On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
We just finished a many-year span trying to get users to understand
and use DOM\user. They don't get it, at least not consistently. A
Not unreasonably. It's a failure of the IT Industry to solve
credentials. Most attention gets paid to
On 02/02/2012 02:45 PM, Gilmour, Scott wrote:
Hi,
I was able to figure out my clock skew issue. I had to go to regedit on my
2008 Server and goto:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Parameters
Then select NTP Server to change the server address ip and change the Type
On 02/02/2012 04:19 PM, Gilmour, Scott wrote:
Hi,
I have a 2008 Server Certificate Authority. I want to use my 2008 Server
Certificates with my FreeRadius Server.
I have been searching online but haven't found anything that fully explains how
to accomplish this.
I know I will need to use
On 01/31/2012 03:32 PM, Gilmour, Scott wrote:
Hi,
I am following the FreeRadius Beginners Guide book on how to
join a domain. I keep on getting this error when running the command.
root@FreeRadius:/etc# net ads join -U Administrator
Enter Administrator's password:
Using short domain name --
On 01/28/2012 09:57 AM, Morteza Milani wrote:
Hi,
Our company is using freeradius as a VPN authentication
authorization system. In worse-case say we would have 1 Million users. Beside
scaling our market, we are going to develop an application to analyze
users with data mining algorithms.
On 01/26/2012 09:46 PM, Alan Buxey wrote:
Hi,
Everything works perfect except the conditional checking for
Client-Shortname. I tried using:
*if (Client-Shortname =~ /^localhost/) {*
thats wrong
Really? That's my fault then - I had the impression that
Client-Shortname was one of the
On 01/27/2012 12:29 AM, Christ Schlacta wrote:
I've attached android, windows 7, macosx, and ubuntu linux to an
eap-tls network using wpa2-eap-tls, which requires client and CA certs.
it's no issue once you know what you're doing. the hardest part is the
nearly complete lack of documentation
On 01/26/2012 10:27 AM, Alan Buxey wrote:
Hi,
I guess we have a winner:
setsebool -P radiusd_disable_trans=1
yes but as already said, RHEL SElinux policy should already be fine for this
It's been a while since I looked, but when I did the RHEL5 SELinux
policy was good for nothing except
On 01/26/2012 12:08 AM, McNutt, Justin M. wrote:
So I'm getting some pushback in my organization against using a
self-signed CA for signing my RADIUS server certs. To make a long
story short, I was asked to find out what other people were doing.
This has been discussed extensively on the
On 01/26/2012 01:43 AM, Matthew Newton wrote:
Public CA - easier as you don't have to distribute the CA cert.
You're open to spoofing attacks where someone can get another cert
from the same CA and put it on a rogue RADIUS server. These days
it seems anyone can get a public-CA certificate for
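The spoofing risk Matthew describes, and Phil's earlier point that PEAP/MSCHAP is only secure if the client validates the server certificate, both come down to the supplicant configuration. As an added example (not from the thread, and not a configuration shipped with FreeRADIUS), this is the shape of a wpa_supplicant network block that does it properly; the SSID, identity, CA file path and server name are assumptions.

```conf
# Constructed wpa_supplicant.conf fragment: PEAP/MSCHAPv2 with server validation
network={
    ssid="corp-wifi"
    key_mgmt=WPA-EAP
    eap=PEAP
    phase2="auth=MSCHAPV2"
    identity="alice"
    password="example-only"
    # Trust anchor: only certificates chaining to this CA are accepted.
    # With a private CA this alone rules out other people's certificates.
    ca_cert="/etc/wpa_supplicant/corp-ca.pem"
    # With a public CA this is the essential second check: anyone can buy a
    # certificate from the same CA, so the name on it must also be pinned.
    domain_suffix_match="radius.example.com"
}
```

Without `ca_cert` the supplicant accepts any certificate and the MS-CHAPv2 exchange runs inside a rogue server's tunnel; with `ca_cert` but without a name match, a public CA gives the attacker the same opportunity for the price of a certificate. On Windows the equivalent is "Validate server certificate" together with "Connect to these servers" in the PEAP properties; the failure mode in either case is silent, which is why this has to be pushed out as policy rather than left to users.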
On 01/26/2012 09:36 AM, NdK wrote:
Since it seems I have to do EXACTLY the same mapping both in default
and inner-tunnel sites, I saved my if chain in unibo.map and used
$INCLUDE to insert it in both virtual servers, just after the opening
brace of authorize. Hope it's the correct thing to do
On 01/26/2012 02:41 PM, suggestme wrote:
## I tried using Called-Station-Id to check the condition; which is ok for
now for testing ; but which I guess is not feasible if there are thousands
of NAS devices. I don't know what would be best test condition for this.
There are many options. You
On 01/26/2012 04:42 PM, Phil Mayers wrote:
3. Run the LDAP module, then compare the attribute. Note - because
you've mapped the item to check/control lists, you can't use a users
file - you must use unlang, like so:
Damn, sorry, this should be:
authorize {
...
ldap
if (control:My
On 01/25/2012 08:27 AM, eric.chang wrote:
After disabled selinux, everything works fine.
Did you:
1. Disable SELinux for freeradius
2. Disable SELinux entirely
If you did number 2. I would STRONGLY advise against it. Instead, if you
must, do this:
setsebool -P radiusd_disable_trans=1
On 01/25/2012 10:37 AM, NdK wrote:
Hi all.
To let (most (*)) users login with their e-mail address, I'd need to
translate the realm part to a domain.
Why do you think this is true?
(*) Just 'most' users since I couldn't yet find a way to use the UPN, so
users whose UPN have been changed
On 01/25/2012 12:38 PM, Alan Buxey wrote:
Hi,
Did you:
1. Disable SELinux for freeradius
2. Disable SELinux entirely
...well, i'd say read up on SELinux and use the tools to make the correct
policy for FreeRADIUS to work on your system WITH SELinux running
That's certainly what *I*
On 01/25/2012 02:30 PM, NdK wrote:
Il 25/01/2012 13:32, Phil Mayers ha scritto:
To let (most (*)) users login with their e-mail address, I'd need to
translate the realm part to a domain.
Why do you think this is true?
'cause ntlm_auth won't authenticate user.n...@unibo.it or
user.name
On 01/25/2012 07:21 PM, NdK wrote:
That's not doable. If mail is in unibo.it, domain is not unibo.it but
PERSONALE. Same if mail is in esterni.unibo.it . But for studio.unibo.it
domain is STUDENTI.
Ok, so you've got 1 AD domain. Not terribly common, but it ought to
work with mapping as per
On 01/24/2012 08:53 PM, McSparin, Joe wrote:
When I connect a mobile phone or a tablet to my wireless network it
works fine even though they don't have a certificate installed. I am
checking the MAC address and putting them into a public vlan if it is
not found. However when I connect a windows
Mschap v1 doesn't validate the reply from server to client, which is what is
failing with eapol_test. Therefore you're not testing the same path.
Try using a local i.e. non samba user to test. I am sure the problem is with
your samba daemon.
--
Sent from my phone. Please excuse brevity and
Phil Mayers p.may...@imperial.ac.uk wrote:
Mschap v1 doesn't validate the reply from server to client, which is
what is failing with eapol_test. Therefore you're not testing the same
path.
Try using a local i.e. non samba user to test. I am sure the problem is
with your samba daemon.
--
Sent
On 01/20/2012 08:16 AM, Mark Holmes wrote:
Your problem is going to be distributing the server cert to
the clients NOT distributing client
Maybe I've missed something here, but why will he need to distribute
a cert to clients?
If you're using a private CA for signing the radius server certs,
On 01/20/2012 01:08 AM, Matthew Newton wrote:
The 'normal' PEAP with MS-CHAPv2 works fine giving the SoH
details, but has to be user authentication on the client.
EAP-TLS works fine presenting the certificate to connect to the
network (Microsoft's so-called computer auth), but doesn't, as
far