FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
Hello, I recently discovered that my Freeradius 1.1.7 install is no longer sending access-deny messages for bad passwords. This causes the device to mark the radius server as down and move on to the next one, or just marks it as down. I know it's probably something I did in the config, but for

Re: FreeRadius not sending access-deny

2008-08-29 Thread Ryan Kramer
That setting was at the default of 1, I tried setting to zero, no effect. Here is the debug output with first a successful user followed by the same user with a bad pwd. --

Machine auth without cert - EAP-PEAP/MSCHAPV2

2008-02-25 Thread Ryan Kramer
I've been experimenting with machine auth without using a cert, but I seem to be stuck on the fact that FreeRadius will not authenticate a local user. I see the request come across through debugging with a username of host/mymachine.mydomain.com, and no password, and in my users file I have

Re: MSCHAP test client?

2007-07-12 Thread Ryan Kramer
JRadius simulator will do MSCHAPv2 very well... http://jradius.org/wiki/index.php/JRadiusSimulator On 7/12/07, Hugh Messenger [EMAIL PROTECTED] wrote: Phil Mayers said: On Thu, 2007-07-12 at 11:46 -0500, Hugh Messenger wrote: Has anyone ever come across a RADIUS test client which

Re: [meta] admin tools and utilities

2007-06-28 Thread Ryan Kramer
Haven't tried ntradping, but jradiussimulator does a great job of being a simulated radius client. http://jradius.org/wiki/index.php/JRadiusSimulator On 6/28/07, Hugh Messenger [EMAIL PROTECTED] wrote: Forgive me if meta-discussions are frowned upon. I was just wondering what tools and

Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := secret as below, I get this when starting... /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute Cleartext-password Errors reading /etc/raddb-test/users radiusd.conf[1052]: files:

Re: mschapv2 and users file

2007-06-20 Thread Ryan Kramer
Alan DeKok already hit it head on, I had an old version of the radius dictionary hanging around. -v doesn't list the version of the modules or dictionary file unfortunately. Swapped in the new one and it works Ryan On 6/20/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: Hi, I'm having the

Re: Frreradius PAP and CHAP

2007-06-19 Thread Ryan Kramer
Instead of using radclient/radtest, this program BY FAR is the best way to debug a radius box... http://jradius.org/wiki/index.php/JRadiusSimulator On 6/19/07, hao chen [EMAIL PROTECTED] wrote: Hi,Ivan I want to know how to test CHAP with radclient(I have no NAS). Could you give me

Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer
not get the WIFUSER group accept-accept, even though they are in it. Moving LDAP1 to the bottom would make it work. Any suggestions? Ryan Kramer - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Help with Multiple AD/LDAP

2007-06-11 Thread Ryan Kramer
-Group == WIFIUSER Filter-ID = WIFIUSER, Fall-Through=0 DEFAULT LDAP3-Ldap-Group == WIFIUSER Filter-ID = WIFIUSER, Fall-Through=0 works perfectly... Ryan Kramer On 6/11/07, Ryan Kramer [EMAIL PROTECTED] wrote: Hello, I'm working on a new config to allow multiple

Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-06-05 Thread Ryan Kramer
Were you ever able to solve the issue of multiple OU's? I have about 100 OU's that have users under them, running without a specified OU doesn't work, and obviously once I drop into an OU it hits the users that live there, and no others. Ryan On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:

Re: Freeradius and MS ActiveDirectory

2007-05-24 Thread Ryan Kramer
It is already built into FreeRadius in a number of ways... either NTLM or Ldap to AD. Ryan Kramer On 5/24/07, Ouahiba MACHANI [EMAIL PROTECTED] wrote: Hi, Is there any plug-in for Freeradius, that allow to interface with an Active Directory and authenticate users

Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-05-01 Thread Ryan Kramer
, Ryan Kramer [EMAIL PROTECTED] wrote: depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight ldap. This requires the freeradius machine to be a member of the domain, but once you do that it works great. On 4/29/07, Jacob Jarick [EMAIL

Re: Freeradius Auth via LDAP against Active Directory Server 2003

2007-04-30 Thread Ryan Kramer
depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight ldap. This requires the freeradius machine to be a member of the domain, but once you do that it works great. On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote: OK tried with 1.1.4 and

LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer
. Ryan Kramer 1.0.1 output rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter ((cn=DIVISION-WIFI)(|((objectClass=group)(member=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company))((objectClass=GroupOfUniqueNames)(uniquemember=CN=Kramer\\, Ryan M.,OU=USERS,OU

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer
No. It's part of the LDAP query. In order to avoid external users logging in with names that are valid LDAP queries, the untrusted user input is escaped before it is passed to the LDAP module. Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. I

Re: LDAP changes between 1.01 and 1.1.5

2007-04-12 Thread Ryan Kramer
On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote: Ryan Kramer wrote: Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. The code does not distinguish between Microsoft AD and other LDAP servers. Correct, it is very simple code and doesn't care. My guess

Re: question about freeradius, 802.1x with peap, auth via LDAP

2007-04-04 Thread Ryan Kramer
1) Microsoft LDAP isn't like normal ldap, you don't get access to the password. To have freeradius touch the password at any point, it needs to be on the domain and do a ntlm_auth instead of ldap. On 4/4/07, wenny wang [EMAIL PROTECTED] wrote: Hi, I need help/advise with the following

Re: Radius Packet Simulator

2007-04-02 Thread Ryan Kramer
jradius is about the best i've found. On 4/2/07, khursheed Ahmed [EMAIL PROTECTED] wrote: Hi All I need a RADIUS Packet simulator, which could simulate RADIUS packet for me, If is there any Plz tell me, As I needed it bcz I m developing a Translation Agent which could translate

802.1x-radius VLAN assignment

2007-03-08 Thread Ryan Kramer
the request field. Anyone have any thoughts? We know this is possible through the Microsoft radius solution, but are having a tough time of it without using that instead. Thanks! Ryan Kramer