Actually, I don't think this will help since the wireless controller IP
that freeradius "sees" is *not* in the 192.168.100.* range. This
controller uses LWAPP, so the IP ranges that the wireless networks use are
totally contained within the wireless infrastructure, which means that the
NAS IP is a
It is a Cisco WLAN 4402. For reference, here is a log entry from a user
connecting from the Guest network:
Thu Mar 15 07:10:52 2007 : Auth: Login OK: [guestuser] (from client
PCMCWLANCTRLR1 port 0 cli 192.168.100.101)
And here is a log entry from someone connecting via 802.1x on another
netwo
I have a situation where I have a wireless controller that services
multiple wireless networks (vlans). When the controller contacts the
RADIUS server with an authentication request, it does so with the IP
address of the controller as the client address. The problem is I have a
guest network that
I have a need to proxy users based on either AD group membership or a substring in the username. I am currently using LDAP to AD.
AD group membership scenario: If user is in group "x" then proxy to radius server "y".
Substring scenario: If username contains string "x", then strip "x" and proxy
I am currently knee deep in an Active Directory domain collapse and need to figure out how to get FreeRADIUS to authenticate users as they are moved between domains. During the AD migration process user accounts are disabled in the source domain (where FreeRADIUS currently points) and enabled in
>Hello all! I would like to know if anyone has gotten freeradius to work
>with eDirectory (LDAP)? We are using freeradius 0.93 (ships with sles9)
>and want our wireless users to authenticate to the eDirectory box. I
>changed the radiusd.config file at the ldap entry. Clients file has not
>been touc
> NAS-IP-Address = 10.256.256.256
256 has never been a valid octet in an IP address. Use a real IP address
and I suspect that your results will be much better.
Mark Capelle
I have been using 802.1x with PEAP/Windows XP/AD for a while. We now have
some walkup stations in place that are giving me trouble. Since the
machine does not have cached credentials of the user logging in, it cannot
get past the login screen to start the EAP auth and activate the port on my
swit
Jay,
Your problem is a typo at the least. Fix this and see if it works.
/usr/bin/ntlm_auth --request-nt-key --username=%{mschap-User-Name}
--domain=%{nschap:NT-Domain} --challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}
--domain=%{nschap:NT-Domain} should be --domain=
Since upgrading to 1.0.1 and making some changes to the config for PEAP, I
am seeing the following issue. When a user connects via iPass, they are
getting a password failure on the client for the initial authentication,
but then a success upon rekeying the password. I have a redundant
configu
Hi all,
I am having a strange issue after upgrading my radius servers from
0.9.3 to 1.0.1. I am running on Redhat and as such have the following
init.d script:
-
#!/bin/sh
#
# radiusd Start the radius daemon.
#
#This program is free software; you can
Brandon,
You will never be able to do LDAP auth against AD when using EAP.
In the archives there are many discussions on the topic. The only way to
do EAP against AD is to use ntlm_auth.
Mark Capelle
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Here is the radiusd -Xxxx output from when the Extreme Networks switch
tries to auth the port:
Thu Jan 20 04:21:12 2005 : Debug: Listening on authentication *:1812
Thu Jan 20 04:21:12 2005 : Debug: Listening on accounting *:1813
Thu Jan 20 04:21:12 2005 : Debug: Listenin
Hi all,
I currently have Windows XP SP1, HP switch, 802.1x, PEAP, and Active
Directory working flawlessly. Now I have run up against a new issue with
my Extreme Networks equipment. Here is the issue. When using the HP
switch, I get the User-Name attribute from the switch as "AMS\\mcapelle
Eureka!
Michael was correct. I had a typo (ntlm_atuh). Fixed that and it works!
Thanks to Ron, Michael, and Kurt for all the help, you guys are great!
[EMAIL PROTECTED]
Tried that and I end up with -
Thu Jan 20 00:51:30 2005 : Debug: modcall: entering group Auth-Type for
request 6
Thu Jan 20
Yes I did =). That yields:
Thu Jan 20 01:02:02 2005 : Debug: modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Thu Jan 20 01:02:02 2005 : Debug: rlm_mschap: No User-Password
configured. Cannot create LM-Password.
Thu Jan 20 01:02:02 2005 : Debug: rlm_mschap: No User-Passwo
Tried that and I end up with -
Thu Jan 20 00:51:30 2005 : Debug: modcall: entering group Auth-Type for
request 6
Thu Jan 20 00:51:30 2005 : Debug: modsingle[authenticate]: calling mschap
(rlm_mschap) for request 6
Thu Jan 20 00:51:30 2005 : Debug: rlm_mschap: No User-Password
configured. Cann
That is what I tried originally. It always ends up with the AMS\\mcapelle
as the User-Name. It acts like it is not populating the Stripped-User-Name
value.
>This is what I use
>ntlm_auth = "/usr/local/samba/bin/ntlm_auth --request-nt-key
>--username=%{Stripped-User-Name:-%{User-Name:-None}} --
I have that as well as the ntdomain lines from the authorize and accounting
sections uncommented, still no dice. Any other ideas?
Thanks,
Mark Capelle
I have the with_ntdomain_hack = yes option set under the MSCHAP section.
Where is the ntdomain option?
Hi all,
I'm having an issue doing PEAP against AD. I have most of it working,
except for this. If I use the ntlm_auth line "ntlm_auth =
"/usr/bin/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response
I have a project to enable 802.1x on our HP ProCurve switches. The backend
DB will be Active Directory (read disease). The clients will be Windows
XP.
My project requires:
EAP - This comes from the ProCurve as I can use CHAP or EAP, and CHAP will
not work.
Windows XP workstations - we don't wan
Okay. Thanks.
Now my next question is would storing the CHAP passwords in AD using
reversible encryption help (I would guess not, since your other posts seem
to indicate the problem being that AD will not even give the RADIUS server
the password to manipulate). Also, would using NTLM_AUTH be a po
I have been running FreeRADIUS for over 3 years now and I can say that it
is hands down one of the best pieces of software out there. I have spent
the last few hours going through the archives, FAQ, etc. and think I know
the answer to this, but would appreciate it if someone can confirm this.
I h
Yes this is possible as I have been running this way for over a year now.
Mark Capelle
Message: 1
Date: Thu, 14 Oct 2004 10:36:50 -0400
From: Thomas Lasswell <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: FreeRADIUS + MAC Auth + AD Auth
Reply-To: [EMAIL PROTECTED]
Hey t
Bill,
Is your actual username "User\\, Asteroid"? That does not look
correct to me. I would assume that you are looking for
"CN=User\\,OU=Asteroid"... If the comma is indeed a part of the username,
you may want to try to remove it as commas have a special meaning in LDAP.
Also, make su
I currently have FreeRADIUS set up to authenticate users against Active
Directory and the local users file. Now I want to use it as the RADIUS
server for my Extreme network switches. My hope is to be able to use the
Active Directory accounts to authenticate the users to the switch via
FreeRADI
Frank Everitt <[EMAIL PROTECTED]> wrote:
>All...
>This may be a bizarre idea but if it will work I can save the purchase
>of some additional equipment. I'd like to know if it's possible to run
>two different radiusd process on the same server. Each would be set up
>to listen at different port p