Re: change EAP Accept-reject to Accept-Accept

2011-06-28 Thread Phil Mayers
On 28/06/11 15:16, adzhuma wrote: Hello, how is it possible to change EAP-PEAP Accept-reject to Accept-Accept? It's impossible. EAP is a challenge-response protocol. If the client doesn't receive a valid response, which requires valid crypto and therefore valid passwords, it will not connect.

Re: Changing the User-Name value from a request

2011-06-28 Thread Phil Mayers
On 28/06/11 16:22, Tiberiu Breana wrote: Hello. I'm using freeRADIUS to authenticate SIP requests and I'm having problems processing the users. In a request I receive a User-Name that isn't useful, and a Sip-URI-User value which contains the real User-Name that I need. I've tried

Re: LDAP redundant with LDAP-Group within users file

2011-06-28 Thread Phil Mayers
On 28/06/11 16:12, jan.gnep...@t-systems.com wrote: Problem: radius is using always the same ldap server for group extends. If this (one!) server fails, radius authentication is not possible. Very bad, because we have redundancy configured, and expected to have zero outage. Sorry. The ldap

Re: LDAP redundant with LDAP-Group within users file

2011-06-28 Thread Phil Mayers
On 06/28/2011 08:15 PM, Alexander Clouter wrote: I keep meaning to do this for the sql module (well, postgresql) but it can be done for libldap too. Open the socket directly in freeradius, using SOCK_NONBLOCK - connect() - SO_RCVTIMEO/SO_SNDTIMEO and then pass that all to ldap_init_fd().

Re: Credentials format in Windows supplicant

2011-06-23 Thread Phil Mayers
On 23/06/11 14:28, joanroldan wrote: However, using users from another realms which have to be proxied do not. In debug mode the request is proxied: I assume you're using eduroam? Sending Access-Request of id 113 to 84.88.0.19 port 1812 User-Name = proves_i...@cesca.cat

Re: Dynamic Clients IP Best practice?

2011-06-23 Thread Phil Mayers
On 06/23/2011 08:24 PM, Brent Wilkinson wrote: I unfortunately have a large amount of hotspots that are behind dynamic IPs. We have tried to get as many of them onto statics as possible but are having issues with that. After having read through a few dozen different threads and readmes does

Re: MAC auth bypass with freeradius/openldap

2011-06-22 Thread Phil Mayers
On 06/21/2011 09:53 PM, g17jimmy wrote: I've been looking at this for a day now and it seems like I'm close, but something is not right. I have a freeradius server with an openldap backend for MAC auth bypass. This system is just for test, but it is an essential first step in my project. The

Re: MAC auth bypass with freeradius/openldap

2011-06-22 Thread Phil Mayers
On Wed, Jun 22, 2011 at 08:23:09AM -0700, g17jimmy wrote: I guess I was too quick to call it, and it looks like the problem is still on the NAS. You will see that the client first gets access using the MAC address as the CSID, but at some point, the client or NAS decided to re-auth but this

Re: Returning Multiple Reply Items problem ?

2011-06-22 Thread Phil Mayers
On Wed, Jun 22, 2011 at 08:08:38AM -0600, Robert Roll wrote: Ok, I seem to have found some information on the net .. Is it as simple as changing the '=' to '+=' when creating the ldap entry ? i.e. from: cisco-avpair=tunnel-private-group-ID(#81)=noc to:

Re: Opposite of Expiration attribute?

2011-06-20 Thread Phil Mayers
On 06/18/2011 07:30 PM, Matthew George wrote: Thank you so much for your assistance p.mayers In a nutshell, probably the easiest way to do what I'm trying to do is maybe to use an attribute called Current-Time-Date Ok, so you can do this: raddb/dictionary: ATTRIBUTE Current-Time-Date 3001

Re: Opposite of Expiration attribute?

2011-06-20 Thread Phil Mayers
On 06/20/2011 10:53 AM, Phil Mayers wrote: %S expands to an SQL time; e.g. a few minutes ago: 2011-06-20 10:48:49 ...so in radcheck you can put: Current-Time-Date = 2011-07-01 00:00:00 FYI, there is also: %D ...which expands to: 20110701 ...so you can use this to populate a Current
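The "not before" check this thread is working toward, as an added configuration example rather than text from the posts (Phil's reply is cut off above). The attribute number 3001 and the %S expansion come from the thread; the attribute type string, the user entry "bob" and its password are assumptions.

```text
# raddb/dictionary (type "string" is assumed; the post above shows only the number 3001)
ATTRIBUTE   Current-Time-Date   3001   string

# raddb/sites-enabled/default, authorize section, before files/sql run:
authorize {
    ...
    update request {
        # %S is the request time in SQL format, e.g. 2011-06-20 10:48:49
        Current-Time-Date := "%S"
    }
    files
    sql
    ...
}

# raddb/users (a radcheck row with the same attribute, op and value behaves the
# same): ">=" as a check item matches only when the request attribute is greater
# than or equal to the stored value, so this entry does not match before
# 2011-07-01 and "bob" gets no credentials until then. The fixed-width timestamp
# compares correctly as a plain string.
bob    Cleartext-Password := "hello", Current-Time-Date >= "2011-07-01 00:00:00"
```

Run the server with radiusd -X and watch the files module: before the date it reports that the entry did not match, after it the entry matches and Auth-Type is set from the Cleartext-Password as usual.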

Re: Opposite of Expiration attribute?

2011-06-18 Thread Phil Mayers
On 06/17/2011 11:50 PM, Matthew George wrote: Using logintime I cannot specify a date and time, it's uucp. I need to be able to specify a date and time. I'm curious as to why the Date attribute does not exist. Nonetheless, I still need to get this working even if it involves me having to pay

Re: eduroam using Eap-ttls and securing user's password

2011-06-17 Thread Phil Mayers
On 06/17/2011 08:15 AM, Reg Emailster wrote: Thanks Gerald for the reply. Just to confirm, you are saying that at the partner's institution, the user's client will set up an encrypted channel all the way back to the client's home institution RADIUS server (determined using the login realm), and

Re: If in post-auth

2011-06-16 Thread Phil Mayers
On 06/16/2011 07:28 AM, seb2020 wrote: [ldap] looking for reply items in directory... [ldap] mail - MailUser = seb.gir...@students.xxx.ch MailUser != MailUtilisteur Do you have a typo or duplicate in ldap.attrmap? - List info/subscribe/unsubscribe? See

Re: Two-phase, pass-thru authentication possible?

2011-06-16 Thread Phil Mayers
On 06/15/2011 11:15 PM, cwfnetman wrote: mac address filtering isn't my idea, so please refrain from questioning why. It's not totally useless. We do it. MAC address is a quick, reasonable proxy for the hardware and since it's the hardware/OS combo that gets infected with malware etc. it's

Re: FreeRadius with AD

2011-06-16 Thread Phil Mayers
On 16/06/11 11:45, Javier Lidó Fernandez wrote: Hi Phil, Thanks for the reply. I needed another hour to find out I had to use --username=%{Stripped-User-Name:-None} instead of --username=%{mschap:User-Name:-None} That will work, assuming you have the suffix realm module and the user

Re: TLS Alert write:fatal:bad record mac

2011-06-15 Thread Phil Mayers
On 06/15/2011 03:20 AM, Angus JIANG Jian wrote: Hi, My radius version is .1.6, for redhat workstation 5 32bit [root@npsradius ~]# radiusd -v radiusd: FreeRADIUS Version 1.1.6, for host i686-pc-linux-gnu, built on Feb 5 2009 at 16:54:58 This is ancient. Upgrade to 2.1.10. You will need to

Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

2011-06-15 Thread Phil Mayers
On 06/14/2011 09:44 PM, Jimmy wrote: I have Kerberos 1.6 configured to use OpenLDAP 2.3.43 as a back end. I am trying to configure Freeradius 2.1.7 to authenticate to Kerberos. My advice would be to investigate having FreeRADIUS pull the user info (secrets etc.) direct from LDAP. It'll save

Re: Auth: rlm_krb5: [test1@CSP-BACK] krb5_rd_req() failed: Permission denied in replay cache code

2011-06-15 Thread Phil Mayers
On 15/06/11 15:49, g17jimmy wrote: d'oh! it was SELinux. I had disabled it temporarily, but didn't set it as disabled in /etc/selinux/config so it was blocking the authentication. Well, IMHO disabling it altogether is not a good idea. You might want to consider just disabling it for

Re: FreeRadius with AD

2011-06-15 Thread Phil Mayers
On 15/06/11 16:21, Javier Lidó Fernandez wrote: Hi there, I've installed FreeRADIUS with Active Directory Authentication (ntlm_auth for mschap) and is working 100% correctly. No probs with that. The only thing is that my users log in using their windows account (username and password), but I

Re: TLS Alert write:fatal:bad record mac

2011-06-14 Thread Phil Mayers
On 14/06/11 06:51, Angus JIANG Jian wrote: Hi, All authentication was stopped at 18:59:36 2011 : Error: TLS Alert write:fatal:bad record mac Which version of FreeRADIUS are you using? If you aren't using 2.1.10, upgrade.

Re: Error: rlm_ldap: All ldap connections are in use

2011-06-13 Thread Phil Mayers
On 13/06/11 14:44, Angus JIANG Jian wrote: we found the following error messages in the RADIUS log Error: rlm_ldap: All ldap connections are in use on redhat workstation 5 OS. Error: Discarding duplicate request from client AP1840-4:1031 - ID: 72 due to unfinished request 1017 7:05pm - Tried to

Re: Proxy based on User-Name with regex

2011-06-11 Thread Phil Mayers
On 06/10/2011 10:55 PM, ivaylosp wrote: Hi there, I have been trying to setup a freeradius server that will proxy the authentication to another server if the User-Name starts with 1234. So for instance a user logs in with username 1234XX then in section AUTHORIZE i have a policy that checks

Re: Credentials format in Windows supplicant

2011-06-10 Thread Phil Mayers
On 10/06/11 15:32, joanroldan wrote: Hi everybody, I have take a look to this post: http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html The issue mentioned in that post was fixed in 2.1.10. Are you running 2.1.10? And I totally agree with the behaviours

Re: Same secret? (Noob question)

2011-06-07 Thread Phil Mayers
On 07/06/11 10:56, Lorenzo wrote: Hi guys! I don't want to share the radius server secret with determinate clients. So I choose to configure a radius server as a proxy, to link to the original server and the clients. The question is, the secret between the server and the proxy, and the on

Re:

2011-06-07 Thread Phil Mayers
On 07/06/11 12:19, arpitha arpitha wrote: which is the latest version of php_radius.dll and pls post a link to it. This is not a FreeRADIUS question. This is a PHP question. Please ask it on a PHP mailing list.

Re: Setting Cached-Session-Policy

2011-06-06 Thread Phil Mayers
On 06/06/2011 04:30 PM, Gerald Vogt wrote: Hi! I am trying to get fast session resumption with VLAN assignments to work. I have tried the suggestion in this message: http://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00381.html However, it seems to me as if the post-auth

Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers
On 03/06/11 13:10, Paul Harris wrote: On 02/06/11 14:47, Francois Gaudreault wrote: Did you have a chance to look at it? Ironically I'm having trouble finding a Windows XP install CD... I have a link to a torrent, just send me an email at pau...@mail.com Or not. I'm not downloading a

Re: Mac authentication failure

2011-06-03 Thread Phil Mayers
On 26/05/11 15:48, pcunha wrote: Hi Everyone, I tried to set up Mac Authentication per the the doc at freeradius.org. Be specific. Which doc? The doc on the wiki: http://wiki.freeradius.org/Mac%20Auth ...contains several examples. Which are you following?

Re: Error: User-Name is not the same as MS-CHAP name

2011-06-03 Thread Phil Mayers
On 03/06/11 15:09, Johan Meiring wrote: On 2011/06/03 02:15 PM, Phil Mayers wrote: I'm not downloading a torrent of copyrighted software to fix someone else's problem. As long as you don't get a key, it is legal. This is getting farcical... Not picking on any one specific person here

Re: Error: User-Name is not the same as MS-CHAP name

2011-06-02 Thread Phil Mayers
On 02/06/11 14:47, Francois Gaudreault wrote: Did you have a chance to look at it? Ironically I'm having trouble finding a windows XP install CD...

Re: One client, multiple NAS-Port-Types

2011-06-02 Thread Phil Mayers
On 02/06/11 16:17, DaveA wrote: Alan DeKok wrote: Proxying. Set up a minimal virtual server that proxies to others. Okay, this makes sense, but I am still unclear as to where to make the differentiation between NAS-Port-Types. What I envision is something like: If (NAS-Port-Type ==

Re: One client, multiple NAS-Port-Types

2011-06-02 Thread Phil Mayers
On 06/02/2011 06:05 PM, DaveA wrote: That looks great, thanks! Last question... Phil Mayers wrote: authorize { ... That is the authorize section from /sites-enabled/default, correct? Well, whichever virtual server is receiving the packets. default normally, yes,
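The two proxying cases from the threads above ("One client, multiple NAS-Port-Types" and "Proxy based on User-Name with regex"), written out as an added unlang example; this is not text from the posts, and the realm names wifi, wired and partner, and their pools, are assumed to be defined in proxy.conf.

```text
# raddb/sites-enabled/default (or whichever virtual server receives the packets):
authorize {
    preprocess
    ...
    # One NAS, several port types: choose the home server pool by NAS-Port-Type.
    # Setting Proxy-To-Realm in the control list makes the server proxy the
    # request once the authorize section finishes.
    if (NAS-Port-Type == Wireless-802.11) {
        update control {
            Proxy-To-Realm := "wifi"
        }
    }
    elsif (NAS-Port-Type == Ethernet) {
        update control {
            Proxy-To-Realm := "wired"
        }
    }

    # Proxy by User-Name prefix: "=~" is a regular-expression match, anchored
    # here so "1234xx" is proxied but "x1234" is not.
    if (User-Name =~ /^1234/) {
        update control {
            Proxy-To-Realm := "partner"
        }
    }
    ...
}

# raddb/proxy.conf: the realms the names above refer to (home_server and
# home_server_pool definitions omitted)
realm wifi {
    auth_pool = wifi_servers
}
realm wired {
    auth_pool = wired_servers
}
realm partner {
    auth_pool = partner_servers
}
```

Check it with radiusd -X: the debug output shows the if/elsif branch taken and then "Proxying request ... to home server" for the chosen pool; a request matching none of the conditions carries on through the rest of authorize and is handled locally.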

Re: Wiki - once upon a time there was documentation

2011-06-01 Thread Phil Mayers
On 01/06/11 10:28, den2k wrote: Hi to all, what happened to the contents of the wiki? A lot of stuff is missing, for example http://wiki.freeradius.org/Operators now has nothing more than a few badly explained examples and the table of the operators is missing. Also I couldn't find a lot of

wiki login returning 500

2011-06-01 Thread Phil Mayers
I'm getting: HTTP Error 500 (Internal Server Error): An unexpected condition was encountered while the server was attempting to fulfil the request. ...when I try to log in using the GitHub referral/login thing; the error is from this URL:

Re: Wiki - once upon a time there was documentation

2011-06-01 Thread Phil Mayers
On 01/06/11 10:57, den2k wrote: Example? Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more. It was the lack of any explanation that I was referring to as lack of material (I'm not an English

Re: Wiki - once upon a time there was documentation

2011-06-01 Thread Phil Mayers
On 01/06/11 11:17, Phil Mayers wrote: On 01/06/11 10:57, den2k wrote: Example? Right now the operators one. Also users and huntgroups were better described before, now there is just some brief introduction and nothing more. It was the lack of any explanation that I was referring to as lack

Re: Wiki - once upon a time there was documentation

2011-06-01 Thread Phil Mayers
On 01/06/11 11:54, Johan Meiring wrote: On 2011/06/01 12:17 PM, Phil Mayers wrote: ...in which the migration technique was discussed, and help was requested to reformat documents which had not migrated seamlessly. - Is the old wiki accessable anywhere so one can help to manually transfer

Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel

2011-06-01 Thread Phil Mayers
On 01/06/11 15:45, Simon L. wrote: ok now i found this: https://lists.freeradius.org/pipermail/freeradius-users/2011-April/msg00295.html This means, i should download the latest freeradius from git master branch? No, v2.1.x Beware: I have since been informed that there is still a potential

Re: Server Certificate

2011-06-01 Thread Phil Mayers
On 06/01/2011 08:28 PM, Lubenski, Zeev [GCS] wrote: We use EAP-TLS method, but in the Server Hello message don’t want to send the certificate. How can it be disabled It can't. EAP-TLS requires a server certificate and a client certificate. Neither are optional, and neither can be disabled.

Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel

2011-06-01 Thread Phil Mayers
On 06/01/2011 07:32 PM, Alan DeKok wrote: Phil Mayers wrote: No, v2.1.x Beware: I have since been informed that there is still a potential segfault if the remote proxy returns an Access-Reject. I haven't had time to test this yet. I'd like to release 2.1.11 soon. Maybe next week? Well

Re: Server Certificate

2011-06-01 Thread Phil Mayers
On 06/01/2011 09:07 PM, Lubenski, Zeev [GCS] wrote: Paul In the RFC 5216 I see: The EAP server will then respond with an EAP-Request packet with AP-Type=EAP-TLS. The data field of this packet will encapsulate one or more TLS records. These will contain a TLS server_hello handshake message,

Re: Segmentation fault: [eap] Passing reply from proxy back into the tunnel

2011-06-01 Thread Phil Mayers
On 06/01/2011 09:00 PM, Phil Mayers wrote: I'll try to test the Access-Reject thing tomorrow; I'm betting it'll be a trivial fix. Huh. It works just fine for me on v2.1.x HEAD. I'll try to dig out the email where someone said it was faulty (IIRC they said they'd emailed you also Alan). I

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers
On 05/29/2011 03:10 PM, Francois Gaudreault wrote: Hi Phil, On 11-05-29 6:16 AM, Phil Mayers wrote: Ok, so as before what we're seeing is that the host is sending STIC08862\TechRMC ...in the EAP-Identity response, but: TechRMC ...in the MSCHAP packet (the hex above decodes

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-30 Thread Phil Mayers
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote: There's no guarantee that STAFF\john and STUDENT\john are the same person; you can't just ignore the fact that the client has changed their username. True. But I don't think it is possible to send a different Username in

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-29 Thread Phil Mayers
On 05/28/2011 06:33 PM, Francois Gaudreault wrote: Sending tunneled request EAP-Message = 0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43 FreeRADIUS-Proxied-To = 127.0.0.1 User-Name

Re: Error: User-Name is not the same as MS-CHAP name

2011-05-28 Thread Phil Mayers
On 05/27/2011 09:04 PM, Francois Gaudreault wrote: Hi, I had a look at this issue with him since he is one of our clients. Machine authentications are working flawlessly, windows 7 authentication as well (no hostname is sent with the username). I honestly lost track of this issue; the guy had

Re: First Time Go at Setting Up FreeRadius with Active Directory - Authentication Issues - Any help pointing me in the right direction would be greatly appreciated.

2011-05-28 Thread Phil Mayers
On 05/28/2011 02:30 PM, e...@mixeduperic.com wrote: [ldap] expand: "((sAMAccountName=%{Stripped-User-Name:-%{User-Name}}))" -> "((sAMAccountName=TEC\5cuser1))" [ldap] expand: "cn=users,dc=TEC,dc=local" -> "cn=users,dc=TEC,dc=local" rlm_ldap: ldap_get_conn: Checking Id: 0

Re: IPv6 Accounting

2011-05-27 Thread Phil Mayers
On 27/05/11 14:37, Shannon Ward wrote: Can someone point me to docs or help me get my head around what changes need to be done for IPv6 Accounting? Looks like I may need to add some fields to radacct and update the INSERT and UPDATE statements with IPv6 variables. Assuming your NAS supports

Re: New FreeRADIUS wiki - Help appreciated!

2011-05-27 Thread Phil Mayers
On 27/05/11 12:30, Alan DeKok wrote: The github Facebook logins will work, so it should be *much* easier for people to contribute to the Wiki. Are there any plans to let google accounts login - I happen to have a github account now, but since Google have tentacles everywhere... ;o) -

Re:

2011-05-27 Thread Phil Mayers
On 27/05/11 16:16, Lubenski, Zeev [GCS] wrote: We do have a question Is there anything in the configuration that allows turning off authentication We are running EAP-TTLS and would like, instead of sending a challenge on Access, to send Access accept always. (No authentication in fact) No, can't be

Re: Freeradius + xmpp server

2011-05-27 Thread Phil Mayers
On 27/05/11 16:31, Sergio Belkin wrote: Hi, I'd want to know if anyone there is using freeradius along with a xmpp server. In what context? Be more specific.

Re:

2011-05-27 Thread Phil Mayers
On 27/05/11 16:41, Fajar A. Nugraha wrote: Phil, Zeev asked about EAP-TTLS, and you said you might be able to just force-accept the inner auth, because that's usually just PAP (no challenge / response). But before that you also said No, can't be done. EAP is a challenge/response protocol. Are

Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers
On 27/05/11 16:42, Lubenski, Zeev [GCS] wrote: Phil I am new to free radius, How can I change authentication type on the server to something simple - like user id/password and than accept always ? Can you describe your setup in more detail? There are several possible answers.

Re: Freeradius + xmpp server

2011-05-27 Thread Phil Mayers
On 27/05/11 16:58, Sergio Belkin wrote: I mean use a xmppserver as a NAS. I think that it provide more flexibility to choose based on what attributes is performed the authentication. So, would the idea be that: * client connects to XMPP server * client sends username/password * XMPP

Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers
On 27/05/11 17:05, Lubenski, Zeev [GCS] wrote: Ok - EAP TLS it is, but this in fact can't work (our internal problems) so the authentication fails What we are trying to do is to accept the very first Access Request Sorry, I don't think that's possible. If the WiMAX client is only capable

Re: Force Accept to authentication

2011-05-27 Thread Phil Mayers
On 27/05/11 16:59, Gary Gatten wrote: Can one not override the ... not sure what it would be called... Example; if I tell FR to use NTLM_AUTH to authenticate a request against AD, and AD returns a reject, can I not override the reject with and accept using update control or some similar

Re: Freeradius + xmpp server

2011-05-27 Thread Phil Mayers
The Idea is: * client connects to XMPP server * client sends uid/radiusPassword (see below) * XMPP server sends MSChapv2 request * radius server replies with yes/no Interesting. Since the client is sending user/password, why do you want to translate that to an MSCHAP request?

Re: Authorize only through a Postgres Query

2011-05-26 Thread Phil Mayers
On 26/05/11 12:06, Pedro Costa wrote: But my issue is that i'm not able to authenticate (regardless of the IMSI - No database query is required for this) and execute the SQL XLAT being (the SQL SELECT that will get the IP Pool name for the specific IMSI). Why not? Be specific. Tell us what

Re: How to test raduis is working.. can't find radtest

2011-05-25 Thread Phil Mayers
On 05/25/2011 10:06 PM, Luke Hammond wrote: I have just installed FreeRADIUS 2.07 i think it is.. anyways. i followed a tutorial on how to install in with MySQL on Centos 5 and when i get to the part about testing the database using radtest.. it doesn't work. radtest is not where it should be,

Re: Can't add a $ sign to the ldap search

2011-05-24 Thread Phil Mayers
On 24/05/11 09:57, Alexandros Gougousoudis wrote: Hi Phil, I got the point and it works! Thank you! BTW, any idea why this fails? DOMAIN\username - username The command: radtest -t mschap VERWALTUNG\gougousoudis testpwd 127.0.0.1:1812 0 testing123 gives this output. It seems, that

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-24 Thread Phil Mayers
On 24/05/11 08:35, Simon L. wrote: Phil Mayers wrote: On 05/23/2011 06:53 PM, Simon L. wrote: Please have a look at my new, attached debug log. The server you are proxying to sends a reject. Fix that server. - Why accepts the home server a proxied request from radtest but not from

Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers
On 24/05/11 12:16, Martin Goldstone wrote: Hello, Just looking for a bit of advice here. I've been setting up freeradius here recently, and whilst I'm mostly finished, there are a few points that still need to be addressed. The main one is sending a (semi) meaningful reply message when a user

Re: Freeradius GGSN-Postgresql Based upon a SELECT it will trigger a specific IP Pool

2011-05-24 Thread Phil Mayers
On 24/05/11 13:44, Pedro Costa wrote: Hi, I'm new to Freeradius and i am trying to figure a way to use Freeradius to Authenticate a user through a CISCO GGSN in where the GGSN will send the IMSI to the Freeradius and the Freeradius will connect to a Postgresql DB doing a SELECT on 2 tables and

Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers
On 24/05/11 15:23, Martin Goldstone wrote: Yes, I have this in both the peap stanza and the ttls stanza. This seems to be fine when access is accepted, for example if I set a Reply-Message saying Welcome in the post-auth section of the inner-tunnel config, I see this in the final access-accept

Re: Sending Reply-Message in Access-Reject (PEAP/MSCHAPv2)

2011-05-24 Thread Phil Mayers
On 05/24/2011 05:03 PM, Alan Buxey wrote: so, in inner-tunnel post-auth, set outer.reply to be whatever you want.. you can then, in the outer layer, query/check or use that reply. Unfortunately, outer.reply is an Access-Challenge.

Re: Renaming during Machine Authentication

2011-05-24 Thread Phil Mayers
Your email client is mangling the quoting, which makes it really hard to read your replies. Please fix it! So this is a full host/name.domain.com now - what did you change? as per above i added the dns suffix to the computer (under name change...more) Just renaming the machine won't help.

Re: Renaming during Machine Authentication

2011-05-24 Thread Phil Mayers
On 05/24/2011 06:00 PM, Mark Jones wrote: Here is the latest debug with termination on Aruba turned off: FreeRADIUS Version 2.1.10, for host i686-pc-linux-gnu, built on Mar 23 Sending Access-Challenge of id 152 to 10.152.0.100 port 32819 EAP-Message =

Re: Can't add a $ sign to the ldap search

2011-05-23 Thread Phil Mayers
On 05/23/2011 01:07 PM, Alexandros Gougousoudis wrote: Hi, I tried to change the ldap-searchfilter in the ldap module, to search for a username user and user$ in LDAP, if user is given. This is necessary to authenticate my workstations and users via LDAP. This is my filter definition in the

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-23 Thread Phil Mayers
On 05/23/2011 06:53 PM, Simon L. wrote: Please have a look at my new, attached debug log. The server you are proxying to sends a reject. Fix that server.

Re: Can't add a $ sign to the ldap search

2011-05-23 Thread Phil Mayers
On 05/23/2011 08:46 PM, Alexandros Gougousoudis wrote: Hi Phil, filter = (|(uid=%{%{Stripped-User-Name}:-%{User-Name}})(uid=%{%{Stripped-User-Name}:-%{User-Name}}\$)) Don't do that. Instead try: filter = (uid=%{mschap:User-Name}) Hm, this is not working. I also don't get the point, why

Re: Renaming during Machine Authentication

2011-05-21 Thread Phil Mayers
On 05/20/2011 10:33 PM, Mark Jones wrote: Here is the latest debug...I'm not sure what to try next. Latest debug... ok, what has changed? rad_recv: Access-Request packet from host 10.152.0.100 port 32819, id=186, length=216 NAS-IP-Address = 10.152.0.100 NAS-Port = 0 NAS-Port-Type =

Re: ntlm_auth authentication results logging messages

2011-05-20 Thread Phil Mayers
On 05/19/2011 08:04 PM, John Douglass wrote: Now, the actual ntlm_auth command within the $RADIUS/modules/mschap does read: ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00}

Re: Active directory groups

2011-05-20 Thread Phil Mayers
On 20/05/11 15:14, Doty, Seth wrote: I must be doing something wrong in my filtering because it keeps dumping me into unclassified instead of passing the group I assigned. I have set up a security group specifically for this test and I am indeed in the group. I set it up like this in

Re: Active directory groups

2011-05-20 Thread Phil Mayers
On 20/05/11 16:27, Doty, Seth wrote: I changed my baseDN to: basedn = ou=test,dc=AD,dc=ne,dc=gov and this results in the same failure in the group section. rlm_ldap: object not found rlm_ldap::ldap_groupcmp: search failed I can't remove the ou=test portion or authentication fails completely and

Re: Renaming during Machine Authentication

2011-05-19 Thread Phil Mayers
User-Name = host/TECH-11501 Machines which are in the domain normally have this as: host/name.domain.com i.e. there is a domain.com at the end of the name. The absence of that suggests to me that the machine is not a domain member. Is that the case? If so, it cannot do machine auth.

Re: No Access-Accept packet just access-request

2011-05-18 Thread Phil Mayers
On 05/17/2011 06:25 PM, John Corps wrote: this on both freeradius debug and also in my packet captures. On server2 that is the exact same config of freeradius etc, the user authenticates with the wifi ap, I can see the access-request in the packet capture, on server2 running tcpdump I see the

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 16:26, Simon L. wrote: Using WPA2-Enterprise results in Access-Rejects after one Request. That is not normal. WPA2 should be the same as WPA at the radius level. Using WPA-Enterprise results in about nine different Access-Challenges and one final Access-Accept - that can't be

Re: Active directory groups

2011-05-18 Thread Phil Mayers
On 18/05/11 16:21, Doty, Seth wrote: So far I have the ldap component querying AD correctly and I have the ntlm_auth component doing the same and each individually passing from a radtest. My question now revolves around passing the groups in our setup and if this is even possible using the

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 16:50, Gary Gatten wrote: I can't comment on your problem right now, but be aware there seem to be MANY issues with Windows 7. Our config works PERFECT with XP, Apple iOS, and other basic stuff. When we started testing Windows 7 (WPA2 Enterprise) we ran into all kinds of weirdness.

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 16:59, Gary Gatten wrote: One point of clarification: PEAP uses TLS. PEAP needs certs too. Not *all* peap uses TLS and hence needs certs. The MS PEAP/MSCHAPv2 is a common example. Incorrect. PEAP *requires* a server certificate. The client does not need one. - List

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 17:10, Gary Gatten wrote: I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them. I have FR debugs of a working auth and a rejected

Re: Active directory groups

2011-05-18 Thread Phil Mayers
On 18/05/11 17:22, Gary Gatten wrote: If one has (just for example) 1000 groups, this is a lot of overhead Sure (I did see your query the other day - I just haven't had a chance to write up a reply, but see below) - checking every group. Also, what if they belong to several groups?

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 17:10, Gary Gatten wrote: I would LOVE if W7 just worked! People here are blaming FR and I'm trying to convince them it has nothing to do with it, but since the MSCHAP challenges / responses are hashed I can't PROVE it to them. As per previous posts: Your Aruba wireless equipment

Re: Authentication issues with Win7 and WPA/WPA2 Enterprise

2011-05-18 Thread Phil Mayers
On 18/05/11 17:35, Gary Gatten wrote: That's what I was afraid of... Can you expand on this: You *can* check that a given response is valid for a given challenge, if you know the password or nt hash. At length, but I would be here all day ;o) Basically, I've got a python script that

Re: documentation and project organization (Was: Using LDAP with EAP-TLS)

2011-05-17 Thread Phil Mayers
On 16/05/11 20:26, Alan DeKok wrote: My $0.02 is that we should use github. They now support git-backed Wikis, which use markdown. It's close enough, and has a lot of benefits. I quite like Markdown. We have some internal introduction to radius and introduction to FreeRADIUS documents.

Re: Renaming during Machine Authentication

2011-05-16 Thread Phil Mayers
On 05/16/2011 01:03 AM, Mark Jones wrote: Hi Phil thanks for answering. I am trying to authenticate the machines on bootup. I have an edir backend and am following this cool solutions article which is fairly old: http://www.novell.com/coolsolutions/feature/17044.html In it they talk about

Re: Using LDAP with EAP-TLS

2011-05-16 Thread Phil Mayers
On 16/05/11 13:32, Alexandros Gougousoudis wrote: Hi, I'm trying to make FR 2.1.10 on Squeeze work with my LDAP installation. What I want to do is: A host-based authentication for my workstations. All the names of the workstations are in LDAP, the authentication itself should be done with

Re: unlang conditionals

2011-05-16 Thread Phil Mayers
On 16/05/11 15:37, d...@hotmail.com wrote: Hello... This is probably a very silly issue. I have the following on my default file: update control { Tmp-String-0 = %{sql:select a from paq where CallingStationId='%{Calling-Station-Id}' Tmp-String-5 = %{sql:select b from paq where

Re: Renaming during Machine Authentication

2011-05-14 Thread Phil Mayers
On 05/13/2011 11:21 PM, Mark Jones wrote: That sounds good...where exactly do I put that in the config files? Well, since you didn't explain why you wanted to rename it (for what purpose) I can't say for sure. Usually, a lot of what goes on in FreeRADIUS is done with string expansions -

Re: How to setup Ubuntu server as a client of FreeRadius Server

2011-05-14 Thread Phil Mayers
On 05/14/2011 07:37 AM, Raheel Itrat wrote: Hi, I have a Linux(Ubuntu) NMS server and I want it to be authenticated Via Please don't hijack a thread. Freeradius. So If I log into that NMS server it should send requests for You will need to read the documentation for the NMS server.

Re: Authentication issues from Apple devices

2011-05-14 Thread Phil Mayers
Found Auth-Type = CHAP +- entering group CHAP {...} [chap] login attempt by sandra with CHAP password [chap] Using clear text password sandra for user sandra authentication. [chap] Password check failed ++[chap] returns reject Nothing very dramatic here - the chap-challenge is wrong, almost

Re: Authentication issues from Apple devices

2011-05-14 Thread Phil Mayers
On 05/14/2011 10:08 AM, stentofon wrote: The users connect through a chillispot captive portal, via HTTP. HTTPS causes too many problems with certificates, and the access point is unencrypted anyway, so security is not the issue. I initially thought that the hotspot clients were simply making

Re: Reply-message stripped from access-reject response

2011-05-14 Thread Phil Mayers
On 05/14/2011 11:28 AM, sbcsgjm...@snkmail.com wrote: Hi, Using freeradius 1.1.3. I'm trying to get freeradius to return a helpful reply-message in access-rejects to the NAS but the reply-message seems to get stripped from the access-reject packet. I've configured the reply-message as below in

Re: rad post auth

2011-05-13 Thread Phil Mayers
On 05/12/2011 08:35 PM, Steve Staples wrote: I understand that the query can get access to any variable, but what is in the packet normally? or is there not a standard set of attributes/elements in the packet? No. It depends entirely on the NAS i.e. it's specific to you and your

Re: different LDAP settings for each client/site

2011-05-13 Thread Phil Mayers
On 05/13/2011 07:34 PM, Herbert Fischer wrote: if (ldap_group-LDAP-Group != somegroup) { You can't do this. You can only test for group membership i.e. if (ldap_group-LDAP-Group == somegroup) { # do nothing } else { # ...whatever } The != and other operators don't work for the virtual

Re: Renaming during Machine Authentication

2011-05-13 Thread Phil Mayers
On 05/13/2011 11:03 PM, Mark Jones wrote: Hi all, I have freeradius 2.1.10 setup on a SLES server. When the workstation boots it sends an mschapv2 request in the form host/machinename. What is the best way to convert this to machinename$ ? Sorry if this has been asked before, I'm stumped and cannot

Re: rad post auth

2011-05-12 Thread Phil Mayers
On 12/05/11 15:38, Steve Staples wrote: I've been searching the docs/wiki, and can't seem to find an answer to this... what variables are available to store in the rad post auth? The post-auth SQL query can access any variable in the packet. If you want to store extra fields, just extend

Re: redundant vs group on http://wiki.freeradius.org/SQL_HOWTO

2011-05-12 Thread Phil Mayers
On 12/05/11 15:55, Fajar A. Nugraha wrote: http://wiki.freeradius.org/SQL_HOWTO mentions using group entry to failover between sql servers. How is it different compared using redundant unlang? Is there additional documentation for group directive? redundant is just a shortcut. See

Re: Multiple FR Server and NAS

2011-05-11 Thread Phil Mayers
On 10/05/11 15:14, googerdi wrote: Hi, How can I configure FR if I have multiple FR Servers and NAS? How can I tell, for example, that a specific user is for a specific NAS? You perform a lookup, with the key as: User-Name, NAS-IP-Address There are a very large number of ways you could do this. For
