Re: Fedora DS

2005-10-06 Thread Vladimir Vuksan
K. Suresh wrote: Has anyone tried FedoraDS with FreeRadius? It's a LDAP directory. It should work. Vladimir - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Freeradius - Where to start and where to get the right answer

2005-10-01 Thread Vladimir Vuksan
Alan DeKok wrote: "Gunther" <[EMAIL PROTECTED]> wrote: I could imagine that a wiki site, updated from quite a bunch of people, could solve a lot of problems. I'll see if I can get one set up. I recommend DokuWiki http://wiki.splitbrain.org/wiki:dokuwiki It is simple to install

Re: WPA with freeradius

2005-09-22 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: i want to configure freeradius with hardware adsl router ... could you suggest me some? i've got linksys wag54g which doesn't support pure radius but WPA radius.. is it possible to make them work together with my freeradius server? Yes. WPA RADIUS is so called WPA Ent

Re: freeradius EAP/PEAP and LDAP

2005-09-20 Thread Vladimir Vuksan
François Dagorn wrote: I'm trying to configure a secured Wireless network, so I want to use EAP/PEAP/LDAP for authentication and then try WPA to crypt sessions. As a beginner, I'm doing that step by step. So I've done the following : - set up a freeradius server and test it with a simple ra

Re: [PEAP] Authenticate against OpenLDAP Directory with NT Hashes

2005-09-04 Thread Vladimir Vuksan
Sebastian Mauer wrote: Is it really not possible to do PEAP (w. MSCHAPv2) when I have NT-Hashes in the Directory? My target is to use LDAP as authentication source for my UNIX Workstations (through pam_ldap), my Windows Workstations (through Samba accessing LDAP, therefore I have the NT-Hashes in t

Re: radius LDAP problem ?

2005-08-29 Thread Vladimir Vuksan
Frank Bonnet wrote: Thanks for your answer, how to tell freeradius not to use this attribute do I have to set it to NULL ? do I have to comment the line ? You can simply put uid for the accessattribute so as long as the user has a uid they'll be allowed access. Vladimir

Re: 802.1x and LDAP

2005-08-21 Thread Vladimir Vuksan
Cian Phillips wrote: rlm_ldap: performing search in cn=users,dc=cca,dc=edu, with filter (uid=cian) rlm_ldap: checking if remote access for cian is allowed by uidNumber rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ldap: user cian author

Re: Debian 802.1x LDAP

2005-08-17 Thread Vladimir Vuksan
Cian Phillips wrote: If you have any tips or good links for up to date information on how to set freeradius up to talk to a Cisco WAP I could use the help. I have a howto on LDAP and FreeRADIUS at http://vuksan.com/linux/dot1x/802-1x-LDAP.html I have successfully used it for WPA with Links

Re: freeradius and oracle LDAP

2005-08-11 Thread Vladimir Vuksan
Allan Borman wrote: Hi Vladimir, Thanks for the reply. Would it help if I send you the debug info on the RADIUS. If you are interested let me know. I don't think that would help any. First of all you have to make sure that LDAP is providing the right information before you try to get it g

Re: freeradius and oracle LDAP

2005-08-11 Thread Vladimir Vuksan
Allan Borman wrote: I have put together a freeradius server to authenticate users existing on our oracle LDAP directory. The issue that I have is getting the password from oracle. I can probe the LDAP, get a user authorized and fallback to the default for the password check which is the "sys

Re: eap-ttls + PAP using Crypt-Password obtained by ldap

2005-08-11 Thread Vladimir Vuksan
Florian Prester wrote: is it possible to authenticate a user with eap-ttls using PAP with a Crypt-Password? The Crypt-Password is obtained by an LDAP-Server. I can do eap-ttls using MD5/PAP with a cleartext Password. Yes you can, however you have to configure your clients to use TTLS+PAP

Re: rlm_ldap: Attribute "User-Password" is required for authentication

2005-07-27 Thread Vladimir Vuksan
melvin wrote: rad_recv: Access-Request packet from host 192.168.84.11:2048, id=0, length=125 User-Name = "melvin" NAS-IP-Address = 192.168.84.11 Called-Station-Id = "000f66005feb" Calling-Station-Id = "0012f075e7b3" NAS-Identifier = "000f66005feb" NAS-P

Re: Does Linksys WRT54G wireless router supports FreeRadius with EAP-TTLS?

2005-07-27 Thread Vladimir Vuksan
melvin wrote: Does anyone know if Linksys WRT54G wireless router supports FreeRadius with EAP-TTLS? Yes it does. It supports both EAP-TTLS and PEAP. Vladimir

Re: rlm_ldap: Attribute "User-Password" is required for authentication

2005-07-26 Thread Vladimir Vuksan
melvin wrote: LDAP does provide some authentication -- through the 'BIND' statement. Incidentally, this is how the FreeRadius rlm_ldap module chooses to authenticate against an LDAP entry... it attempts to 'bind' to it, passing the username and password to LDAP. I have successfully integrated

Re: 802.1X Port Authentication using unix user/pass

2005-07-26 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: To make life easy... I want WPA-EAP authentication working, but I want the authentication be against the Linux username and its password. Is this possible? Guides and tips welcome It is possible however only with EAP-TTLS and PAP inner tunnel authentication. Set up

Re: LDAP authentication

2005-07-12 Thread Vladimir Vuksan
Florin Andrei wrote: To be more precise, authentication happens during the LDAP Bind request. Subsequent searches are irrelevant. Can freeradius do the same? I.e., wait for a username / password request from a client, bind to the LDAP server using the supplied password (and passing the username

Re: problems authenticating

2005-07-11 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: When using NT-Password, I was noticing that the sql authorization phase would not return OK. Switching it to User-Password seemed to fix that (albeit not correctly). I have switched radcheck back to using Attributes of NT-Password. Make sure you have both NT-Password

Re: problems authenticating

2005-07-11 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: I am trying to do EAP-PEAP, using FreeRadius 1.0.4. Here are the debug logs, at the breaking points: It doesn't appear you are sending the whole log. There should be another section where the user is being authorized against the SQL database. It appears your pass

Re: Problems authenticating and assigning DHCP addresses

2005-07-10 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: My problem with TTLS, is that for what I can tell, Microsoft has no native support for TTLS. Only PEAP. If someone can tell me of another method for doing a TLS tunnel, with no client certificate needed, and use Crypt passwords, I would be very happy! That is correct

Re: Can do EAP/TLS, but not EAP/MD5

2005-07-07 Thread Vladimir Vuksan
Jefri bin Dahari wrote: I have Freeradius running where wireless users authenticate using EAP/TLS. Now, I would like to use the same server to authenticate wired users using EAP/MD5 on Cisco switch 3750 but it doesn't work. The log shows it doesn't do EAP authentication as shown below. Attach

Re: LAN clients?

2005-07-05 Thread Vladimir Vuksan
Galát Bence wrote: I have a simple question. Can I use Freeradius to authenticate Lan clients (Windows/Linux) ? The clients connected to an AP over Lan, that's in client mode, and this AP is connected by another AP (set in normal AP mode) to the Freeradius server. Is it possible? You should

Re: Problem TTLS-LDAP

2005-06-15 Thread Vladimir Vuksan
alfonso celestino wrote: Thanks very much Alan, Now, I have a doubt. I am using EAP-TTLS to authenticate users 802.11, I need to add my users in the users file like that: "User1" User-Password == "passwd1" "User2" User-Password == "passwd2" But instead of storing in users file I would like

Re: eDirectory backend with FreeRadius

2005-06-12 Thread Vladimir Vuksan
Fahim wrote: Having spent whole last fortnight trying to configure Freeradius module given here with LDAP Agent running on my eDir8.7.3.6 on Netware 5.1, using iManager 2.5, I am almost there but seemingly stuck with something vital. I have done everything as mentioned by Novell Admin guide po

Re: Authenticate to eDirectory

2005-06-01 Thread Vladimir Vuksan
[EMAIL PROTECTED] wrote: Hello all! I would like to know if anyone has gotten freeradius to work with eDirectory (LDAP)? We are using freeradius 0.93 (ships with sles9) and want our wireless users to authenticate to the eDirectory box. I changed the radiusd.config file at the ldap entry. Clients

Re: radius + peap + wifi + mac os x

2005-05-31 Thread Vladimir Vuksan
Vittore Zen wrote: I'm using freeradius (+mysql) in a wireless infrastructure with a dozen of linksys WAP54G access point (using AES). Authentication is PEAP with mschapv2. All go right when use Windows clients but no response using Mac Os X clients. Any ideas? Someone says me that MacOsX use

Re: Authenticate against Mac OS X Open Directory

2005-05-31 Thread Vladimir Vuksan
Ekkehard Burkon wrote: did anyone successfully authenticate against a Mac OS X servers Open Directory? I need it for 802.1x/WPA. Are there any docs on the web? OpenDirectory is an OpenLDAP hack so OpenLDAP docs should work. Please check out http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Re: Wireless Authentication

2005-05-30 Thread Vladimir Vuksan
Radius wrote: Does anyone have any links or on-line examples that show how to use FreeRadius to do 802.1x authentication? Go to www.freeradius.org and first page shows a link for 802.1x HOWTO http://www.gnist.org/~lars/courses/04thales/8021X-HOWTO.html Vladimir

Re: Cisco 3550/3750 802.1x

2005-05-23 Thread Vladimir Vuksan
Schoggins, George wrote: I cannot get the 802.1x to work on the cisco. It works for local management but will not send a request when doing 802.1x. Does anyone have the config I should use on the cisco and the radius to make this work? Thanks in advance Please read http://vuksan.com/linux/

Re: WinXP 802.1X/Radius/eDir (LDAP)

2005-05-19 Thread Vladimir Vuksan
Matt McFarlane wrote: Totally new to radius. I've installed freeradius 1.02 --with-edir on Suse 9. Attempting to use 802.1X auth from wireless user behind HP 420 AP using WinXP to an eDir tree via LDAP. When I use radtest the bind is successful. However when using the 802.1X supplicant I get th

Re: RADIUS LDAP Problem

2005-05-15 Thread Vladimir Vuksan
Christian Zawada wrote: password_attribute = userPassword Set up seems right. You could try commenting out the line above and making sure you have following line in ldap.attrmap file checkItem User-Password userPassword That works for me. Vladimir

Re: RADIUS LDAP Problem

2005-05-14 Thread Vladimir Vuksan
Christian Zawada wrote: here is the error logfile: rlm_ldap: checking if remote access for test1 is allowed by dialupAccess rlm_ldap: Password header not found in password test1 for user test1 rlm_ldap: looking for check items in directory... rlm_ldap: looking for reply items in directory... rlm_ld

Re: ACL on LDAP

2005-05-14 Thread Vladimir Vuksan
Chan Min Wai wrote: I'm working with freeradius that running EAP auth, the account info is with LDAP server. Just want to know what kind of Right did the freeradius need to have on the LDAP server so that the ACL on the LDAP server can be control. Also,

Re: peap (ms-chap v2) + ldap bind

2005-05-12 Thread Vladimir Vuksan
I would like to know if anyone has a work around to support PEAP (ms chap v2) client access authenticate against a LDAP server with bind operation. Currently, retrieving clear text password from LDAP is not an option. This is how I got it going http://vuksan.com/linux/dot1x/802-1x-LDAP.html

Re: peap (ms-chap v2) + ldap bind

2005-05-12 Thread Vladimir Vuksan
CHui wrote: I would like to know if anyone has a work around to support PEAP (ms chap v2) client access authenticate against a LDAP server with bind operation. Currently, retrieving clear text password from LDAP is not an option. No this is not possible. Only way you can authenticate via

Re: Apple Airport Extreme with EAP-TTLS...

2005-05-12 Thread Vladimir Vuksan
Achim Friedland wrote: I configured my iBook for the airport the same way like for the CISCO AP, so I don't think it's a problem at the client. I'm using freeradius-1.0.2 on debian unstable from tarball because of the strange tls-bindings in the official debian package... When I try to authentic

Re: OpenLDAP / FreeRADIUS / Cisco 5350 problem

2005-05-11 Thread Vladimir Vuksan
Douglas G. Phillips wrote: Here is a sample of the password that is being passed: User-Password = "\240d\351E\3737\025\022\0227,(rest removed)" This may imply that your shared secret is incorrect. Please verify that RADIUS shared secret on Cisco 5350 and shared secret for that particular IP in

Re: problems with 802.1x - EAP-TLS

2005-05-10 Thread Vladimir Vuksan
Galvao Rezende wrote: eaptls_process returned 7 rlm_eap_tls: Received unexpected tunneled data after successful handshake. You need to investigate following. You may want to re-do certificates. Vladimir

Re: problems with 802.1x - EAP-TLS

2005-05-10 Thread Vladimir Vuksan
Galvao Rezende wrote: problems with 802.1x - EAP-TLS I'm having trouble at authentication using radius, openssl and EAP-TLS, using AP CISCO 350 Series. Look at radius output. It doesn't appear that is the whole output. There is no Reject message that I can see. Vladimir

Re: "peap "-> works but "peap + ldap" ->doesn't works

2005-05-09 Thread Vladimir Vuksan
dssd dsfdsfdsf wrote: good morning i hope you can resolve my problem peap works without ldap but when i use ldap with peap, it doesn't work!! in the file users for peap (when i don't use ldap) robert Auth-Type:=EAP, User-Password =="azertyui" in the file users i replace this line by robert Auth-Typ

Re: EAp/TSL authorization problem

2005-05-02 Thread Vladimir Vuksan
Sergey Guriev wrote: In a message of 3 May 2005 09:48 Vladimir Vuksan wrote: I believe this should be User-Password == "" I made it and User-Password and Password - no change The log contains something peculiar ie. rad_recv: Access-Request packet from host 80.243.64.30

Re: EAp/TSL authorization problem

2005-05-02 Thread Vladimir Vuksan
Sergey Guriev wrote: I'm using freeradius 1.02 (under linux), Cisco AiroNet 1230B and PC-station under Win-XP. And I have some problem with authorization. Here parts of my configs: users: - ttt Password == "" I believe this should be User-Password == "" Vladimir

Re: WPA Auth w/users file

2005-05-02 Thread Vladimir Vuksan
Homer Parker wrote: I have the same problem as: Running Freeradius 1.0.1. I've made the changes listed in that thread, but.. I'm using the raddb/users file (only 7 entries), and am not finding a way to auth a

Logging/accounting regardless whether Accounting-Request packet sent

2005-05-02 Thread Vladimir Vuksan
I have a set up with LDAP backend and a Chillispot run unencrypted network and WPA running off a WRT54G wireless router. Accounting works like a champ coming from the Chillispot network however it doesn't work at all coming from WRT54G. I look through the debug logs and I notice that Chillispot

OpenLDAP + 802.1x / WPA setup

2005-04-22 Thread Vladimir Vuksan
I have updated my HOWTO on using OpenLDAP as an authentication backend for FreeRADIUS. New additions are * ChilliSpot setup * Using wpa_supplicant for 802.1x wired authentication * Dynamically assigning VLANs on Cisco switches * Other minor things Please check out http://vuksan.com/lin

Re: Freeradius + Wireless Users (802.X)

2005-04-11 Thread Vladimir Vuksan
Victor M. Polukcht wrote: Is there any ability to authenticate Wireless Users with login and password using Freeradius? I use freeradius now for dialup and voip users. But now also need somehow to auth wireless users (we have some hotspots). As i got i need to configure PEAP. May be there is

Re: Beginner question: Trying to secure a wlan

2005-04-11 Thread Vladimir Vuksan
Tim Boneko wrote: That still doesn't tell us whether you configured SoftAP to use the RADIUS server ? SoftAP is only the AP piece but not the RADIUS server itself. You have to point to FreeRADIUS instance you are using. That seems to be the part i am missing. How do i do that? Is it a settin

Re: Beginner question: Trying to secure a wlan

2005-04-10 Thread Vladimir Vuksan
Tim Boneko wrote: A silly question, perhaps, but you *did* configure your wireless AP to actually *use* the RADIUS server, did you not? OW! Damn, i forgot to mention that the AP _is_ the Radius server... sorry, my fault. It's a SoftAP. That still doesn't tell us whether you configured SoftAP

Re: PEAP-{GTC,MSCHAPv2} against OpenLDAP

2005-04-08 Thread Vladimir Vuksan
Sebastian Mauer wrote: Thanks for that answer, but lately I found out some more. The Password *is *as clear/plain-text in the LDAP and the authentication works when using EAP-TTLS with GTC or MSCHAPv2 for example. It's only not working when using PEAP as EAP-flavour and this is what's confusing me

Configuring Mac OS X client to use TTLS+PAP

2005-03-20 Thread Vladimir Vuksan
I have written up a short HOWTO on using OS X to connect via TTLS+PAP. You can find the necessary client config at http://vuksan.com/linux/dot1x/os-x-ttls-pap.html Configuration on the RADIUS side is similar to http://vuksan.com/linux/dot1x/802-1x-LDAP.html Just make sure you have TLS and TTLS se

Re: EAP-TTLS/PAP - LDAP bind rather than a password compare

2005-03-18 Thread Vladimir Vuksan
Alan DeKok wrote: 1) The tunneled session is MS-CHAP, not PAP. The server is telling you this in the debug messages! I don't understand why you are asking about TTLS + PAP when you're using TTLS + MSCHAP. Please do not post misleading messages to the list. I did not intend to mislead anyone.

Re: EAP-TTLS/PAP - LDAP bind rather than a password compare

2005-03-18 Thread Vladimir Vuksan
Alan DeKok wrote: Vladimir testuser <[EMAIL PROTECTED]> wrote: Great. So how do I configure it :-) to use LDAP CRYPT or MD5 hashes. Read the documentation and the sample configuration files. TTLS + PAP is *REALLY* TTLS + PAP. Configure PAP, configure TTLS, and TTLS + PAP will work. Ap

Re: EAP-TTLS/PAP - LDAP bind rather than a password compare

2005-03-17 Thread Vladimir Vuksan
Alan DeKok wrote: After that, configure a plain-text password. EAP-TTLS with tunneled PAP, CHAP, MS-CHAP, EAP-MSCHAPv2, and EAP-GTC will work. But shouldn't FreeRADIUS be able to extract username and password from PAP packet and check those credentials by binding to LDAP ? Yes.

Re: EAP-TTLS/PAP - LDAP bind rather than a password compare

2005-03-17 Thread Vladimir Vuksan
Alan DeKok wrote: Configure certificates for EAP-TLS. See raddb/eap.conf, eap{} section, tls{} subsection. Also uncomment ttls{} section. Run scripts/certs.sh (and read it). After that, configure a plain-text password. EAP-TTLS with tunneled PAP, CHAP, MS-CHAP, EAP-MSCHAPv2, and EAP-GTC will

EAP-TTLS/PAP - LDAP bind rather than a password compare

2005-03-17 Thread Vladimir Vuksan
In one of the old messages David Hart said http://lists.cistron.nl/pipermail/freeradius-users/2004-September/036112.html Hmm... We can do that already. Just use EAP-TTLS/PAP and have freeradius authenticate via an LDAP bind rather than a password compare. It works great for me. I would l

WPA EAP-PEAP and OS X client problem

2005-03-11 Thread Vladimir Vuksan
I have set up FreeRADIUS with PEAP. I tried logging in with a Mac OS X client however it keeps telling me eapolclient[4468]: eapmschapv2_success_request: invalid server auth response What is confusing is that rlm_eap_peap returns SUCCESS. modcall: group authenticate returns ok for request 15 P

Re: Using freeradius and 802.1x for dynamic VLAN on Cisco 2950

2005-03-11 Thread Vladimir Vuksan
Michael Schwartzkopff wrote: Thanks for help but my switch doesn't know this command. Is it possible that the IOS 12.1(11)EA VLAN Assignment with 802.1x not supported? Yes. Be careful with the IOS versions. Older versions do not have this feature implemented. You have to install a quite new I

Re: EAP-TTLS - FreeRadius - Ldap - Edirectory -Enterasys - 802.1x

2005-03-09 Thread Vladimir Vuksan
TAYLAN KIRAN wrote: We are trying to authenticate our XP users with EAP-TTLS. we enabled EAP-TTLS support with securew2 product. our users are on Edirectory via ldap. We have enterasys switches. when switches authenticate users they should receive the following string to set port policy. Filter-

Re: 802.1X Port-Based Authentication HOWTO

2005-03-06 Thread Vladimir Vuksan
micki wrote: Hello i am trying to execute 802.1X Port-Based Authentication HOWTO after change all the configuration file of the server i get an error message when i type radiusd -X 4422:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: CERTIFICATE 4422:error:020010

802.1x/EAP-MD5 against OpenLDAP HOWTO

2005-03-04 Thread Vladimir Vuksan
I promised I would write a HOWTO to 802.1x/EAP-MD5 authentication using LDAP. Here it is :-) http://vuksan.com/linux/dot1x/802-1x-LDAP.html Let me know if you have corrections or additions. Vladimir

Re: EAP-MD5 + LDAP problem

2005-03-01 Thread Vladimir Vuksan
Chan Min Wai wrote: Vladimir wrote: I am trying to get 802.1x authentication going for wired clients on our LAN. I have been successful in using local password database to authenticate 802.1x users however I haven't been able to get it going with LDAP. Version of FreeRadius is Debian packaged 1.0