Re: VLAN assignment to HP Switch with 802.1x client

2013-08-09 Thread Iliya Peregoudov
On 08.08.2013 19:16, Shaw, Colin M. wrote: [peap] Using saved attributes from the original Access-Accept User-Name = testx [peap] Saving response in the cache Your inner-tunnel virtual server returns only User-Name attribute in Access-Accept. Configure your inner-tunnel virtual

RE: VLAN assignment to HP Switch with 802.1x client

2013-08-09 Thread Shaw, Colin M.
You could move files above eap but IMO it's better (cleaner, more obvious) to run this in post-auth like so: authorize { ... eap { ok = return } ... } post-auth { ... files ... } Note that you'll need to set the postauth_usersfile on your files Thank

VLAN assignment to HP Switch with 802.1x client

2013-08-08 Thread Shaw, Colin M.
Hi, I'm in the process of attempting to move our 802.1x services off of an aging freeRADIUS (v1) server onto a newly built server running freeRADIUS v2.2. Tests so far with wireless clients using 802.1x PEAP/MS-CHAPv2 are working ok. Clients can authenticate (against AD) and be assigned

Re: VLAN assignment to HP Switch with 802.1x client

2013-08-08 Thread Phil Mayers
On 08/08/13 11:07, Shaw, Colin M. wrote: difference. Lastly, for testing purposes, if I insert the required attributes into the default post-auth then it all works and the wired client is assigned the correct vlan, so again the switch side must be ok and I also therefore presume all the

Re: VLAN assignment to HP Switch with 802.1x client

2013-08-08 Thread Phil Mayers
On 08/08/13 16:16, Shaw, Colin M. wrote: Thanks for the reply Phil. difference. Lastly, for testing purposes, if I insert the required attributes into the default post-auth then it all works and the wired client is assigned the correct vlan, so again the switch side must be ok and I also

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
functionality provided by OS X. I have seen this question getting asked a lot but still wasn't able to fill my gap in understanding the whole process. I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. if it's

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi, I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. if it's not in your ldap, you're screwed. ..EAP-TTLS/PAP ? ;-) alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers
On 19/06/13 13:11, Marco Streich wrote: When I run radtest from my laptop, the authentication is successful: radtest does not send eap. Download the wpa_supplicant sources and compile eapol_test to test EAP. WARNING: No known good password was found in LDAP. Are you sure that the user

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Matthew Newton
server directly using the Connect Network Account Server functionality provided by OS X. I will make it short and easy. You can't do LDAP authentication with 802.1x. EAP needs the password of the user in cleartext. if it's not in your ldap, you're screwed. Not entirely true. With PAP

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi, Some other comments - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x. Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf Save yourself some LDAP lookups by removing ldap from the outer. ..and save some more hits to LDAP by

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Olivier Beytrison
On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote: Hi, Some other comments - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x. Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf Save yourself some LDAP lookups by removing ldap from

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread Phil Mayers
On 19/06/13 15:32, Olivier Beytrison wrote: On 19.06.2013 16:02, a.l.m.bu...@lboro.ac.uk wrote: Hi, Some other comments - Upgrade from 2.1.12 to 2.2.x, as there are security issues pre 2.2.x. Save yourself some round trip packets by setting default_eap_type = ttls in eap.conf Save yourself

Re: Authentication using LDAP for 802.1x

2013-06-19 Thread A . L . M . Buxey
Hi, He he he... if I recall correctly I came up with something like: yes, that's the one. quoted as 'most evil unlang ever' if I recall have used it on many occasions...does the job well ...as the EAP module was updated to return ok on identity/mschap responses. Yet another reason to upgrade!

Re: Config for 802.1x use on network switches

2013-05-08 Thread Nikolaos Milas
On 7/5/2013 2:37 μμ, Michael Schwartzkopff wrote: http://vuksan.com/linux/dot1x/802-1x-LDAP.html Thank you Michael for your valuable feedback, esp. the link above. By the way, I've been pointed to: http://www.packetfence.org for a more integrated system, which also supports 802.1x

Re: Config for 802.1x use on network switches

2013-05-08 Thread Michael Schwartzkopff
for a more integrated system, which also supports 802.1x and it looks nice and clean. It works with freeRadius too. Any experience with it? Any advice? Thanks in advance, Nick Depending on your needs it might be a little bit oversized. It seems to integrate everything that someone might ever

Config for 802.1x use on network switches

2013-05-07 Thread Nikolaos Milas
a network based mainly on Cisco 2950/2960 switches. We are running a central LDAP Server (openldap) where we hold user accounts, which are used for mail, ftp, web, Shibboleth access. I guess we can enable 802.1x on switches and require authentication of clients over freeradius. Is there a suggested

Re: Config for 802.1x use on network switches

2013-05-07 Thread Michael Schwartzkopff
LDAP Server (openldap) where we hold user accounts, which are used for mail, ftp, web, Shibboleth access. I guess we can enable 802.1x on switches and require authentication of clients over freeradius. Is there a suggested sample freeradius configuration for such use? Can you please

auto-config of 802.1x supplicant not working windows 8 only (wpa2-ent/peap)

2013-04-01 Thread mike . albano
ws 8 "auto-configuration" of its 802.1x supplicant. In other words, if I manually add the network, selecting only "wpa2-enterprise", it works. It also works on OSX, Linux, Android and every other version of Windows, using 'autoconfiguration'...ie I do not need to manually configure t

auto-config of 802.1x supplicant windows 8 fail (wpa2-ent/peap)

2013-04-01 Thread mike . albano
settings). I believe it's failing b/c of: [mschap] FAILED: MS-CHAP2-Response is incorrect This only happens on Windows 8 auto-configuration of its 802.1x supplicant. In other words, if I manually add the network, selecting only wpa2-enterprise, it works. It also works on OSX, Linux, Android

802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
Hi, First post and new to FreeRadius though have been using RADIUS in the Windows world for many years. I have a small network with a Linux server and a mix of Windows XP and Windows 7 laptops that I am trying to run 802.1x authentication on. I only want to use computer/machine auth (user

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Alan DeKok
spartan1...@hushmail.com wrote: 802.1x appears to be working; any laptop with the certs/config is able to access the wired and/or wireless network and any laptop without is denied access. However, in my previous experience with RADIUS (IAS/NPS in the Windows world), I am able to control

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
and are authorized (provided that they are properly provisioned with certs, etc). ...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how simple user authentication appears to be done (via the users file

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers
On 12/27/2012 02:32 PM, spartan1...@hushmail.com wrote: I played around with the users file in FreeRADIUS but it didn't seem to have any effect unless I put a DEFAULT Auth-Type Reject in the file which blocked everyone regardless of what else I had in the users file. I've Googled around a bit

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Phil Mayers
On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote: ...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how simple user authentication appears to be done (via the users file). From your

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
@Phil, Thanks for the info - appreciate the professional response. I'll do some additional research. On Thu, 27 Dec 2012 10:13:43 -0500 Phil Mayers p.may...@imperial.ac.uk wrote: On 12/27/2012 02:32 PM, spartan1...@hushmail.com wrote: I played around with the users file in FreeRADIUS but

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread Alan DeKok
RADIUS. A database stores data. ...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how simple user authentication appears to be done (via the users file). From your response, it appears

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
to ask sometimes though :) Thanks again On Thu, 27 Dec 2012 10:40:15 -0500 Phil Mayers p.may...@imperial.ac.uk wrote: On 12/27/2012 03:19 PM, spartan1...@hushmail.com wrote: ...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication

Re: 802.1x computer authentication config issue/question

2012-12-27 Thread spartan1833
/2012 03:19 PM, spartan1...@hushmail.com wrote: ...but if not then ok I was simply trying to figure out if I was able to control machine-only 802.1x authentication against FreeRADIUS in a manner similar to how simple user authentication appears to be done (via the users file). From your response

RE: 802.1x Issue

2012-12-03 Thread Brekler Custodio
Have you guys heard about SecureW2? People from Cloudpath Networks said they can make it work with MD5 hash passwords on 802.1x with TTLS-PAP. They said I can make it work as well with EAP-TLS via certificates and PKI. Is that correct? Has anyone tested that before

Re: 802.1x Issue

2012-12-03 Thread Phil Mayers
On 03/12/12 16:04, Brekler Custodio wrote: Have you guys hear about SecureW2 ? Yes. It's a supplicant (or plugin? I can't remember) with support for EAP-TTLS/PAP on older versions of windows. People from Cloudpath Networks said they can make it work MD5 hash passwords on 802.1x with TTLS

Re: 802.1x Issue

2012-12-03 Thread Alan Buxey
Hi, Have you guys heard about SecureW2? People from Cloudpath Networks said they can make it work with MD5 hash passwords on 802.1x with TTLS-PAP. They said I can make it work as well with EAP-TLS via certificates and PKI. Is that correct? Has anyone tested that before? i'll

Re: 802.1x Issue

2012-12-03 Thread Arran Cudbard-Bell
On 3 Dec 2012, at 17:17, Brekler Custodio brekle...@hotmail.com wrote: i'll repeat what was already said in this thread: Old Windows systems need an extra supplicant to do other forms of EAP such as EAP-TTLS/PAP - eg open1X or SecureW2 - Windows 8 now natively supports such EAP

Re: 802.1x Issue

2012-12-03 Thread Alan Buxey
as the OSes now have 802.1X support natively. we were involved in the OpenSEA alliance a while back and helped evolve the open1x tool but until there's a must-have and compelling reason to go for such a tool (eg perhaps integrated single sign-on with applications via moonshot) then take the basic

Re: 802.1x Issue

2012-12-03 Thread Arran Cudbard-Bell
using any extra programs/utils to perform such duties (especially as the OSes now have 802.1X support natively. we were involved in the OpenSEA alliance a while back and helped evolve the open1x tool but until there's a must-have and compelling reason to go for such a tool (eg perhaps

Re: 802.1x Issue

2012-12-03 Thread Alan Buxey
(Identity Engines IIRC) - with the opensea alliance just pretty much gone save for some google cached pages and wayback engine storage space. back in 2007 the 802.1X space was a different beast. alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x Issue

2012-11-30 Thread Phil Mayers
On 11/29/2012 10:44 PM, Brekler Custodio wrote: rlm_sql_mysql: MYSQL check_error: 1054 received rlm_sql_getvpdata: database query error This should be clear. You've mangled the SQL queries or, more likely, not setup the SQL database right. - List info/subscribe/unsubscribe? See

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
Is there any way a Microsoft notebook can authenticate using MD5 or PAP? By default it is only EAP (PEAP) or card/certificate. I need to know if there is anything you guys know that makes Windows work on PAP or MD5... I'm searching on the internet right now to see if I can find it; anyways I leave the

Re: 802.1x Issue

2012-11-30 Thread Alan DeKok
Brekler Custodio wrote: Is there any way a Microsoft Notebook authenticate using MD5 or PAP ? For WiFi? No. By default is only EAP (PEAP) or card/certificate, i need to know if there is anything you guys know that makes windows works on PAP or MD5... No. Im searching on internet right

Re: 802.1x Issue

2012-11-30 Thread Hoggins!
I haven't tested it, but I found XSupplicant (http://open1x.sourceforge.net/), and it seems to enable 802.11x authentication with PAP, even on e.g. Windows XP Home machines that don't support 802.11x out of the box. That's what they say anyway. On 30/11/2012 17:23, Brekler Custodio wrote: Is

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
just turned everything back to the original. Thanks a lot everyone, now 802.1x + freeradius is working perfectly. Now I just need to tell them we need to duplicate our DB and do all passwords again in cleartext or another format supported by Microsoft. - List info

802.1X PEAP / MSCHAPv2 (with nt-password)

2012-11-30 Thread Thomas Dupas
Dear, at the risk of falling in a known trap. I've read enough statements that one can't do mschapv2 with openldap, unless you store the passwords in clear-text. I know that But those same sources also state that this isn't true when you have a (MS) hash available for those users, like

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
Thanks Alan. In my research I found the same answer as you said. I found this link... http://support.microsoft.com/kb/922574/en-us That teaches how to re-enable MD5, but it didn't work, so the solution to the problem is simple: change our DB. Thanks a lot guys!

Re: 802.1X PEAP / MSCHAPv2 (with nt-password)

2012-11-30 Thread Phil Mayers
On 30/11/12 16:39, Thomas Dupas wrote: Dear, at the risk of falling in a known trap. I've read enough statements that one can't do mschapv2 with openldap, unless you store the passwords in clear-text. I know that That's not true. You need the NT hash to perform mschapv2. Therefore, you

RE: 802.1x Issue

2012-11-30 Thread vazoumana fofana
Subject: RE: 802.1x Issue Date: Fri, 30 Nov 2012 16:23:46 + Is there any way a Microsoft notebook can authenticate using MD5 or PAP? By default it is only EAP (PEAP) or card/certificate. I need to know if there is anything you guys know that makes Windows work on PAP or MD5... I'm searching

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
Well, let's say it's not possible... since we are a university, with something like 600 connections every night, with lots of OSes in use (70% Windows), it would be kinda hard to configure every single computer with a piece of software. It's better to make a new DB with new passwords for EAP and use a

Re: 802.1x Issue

2012-11-30 Thread Matthew Newton
On Fri, Nov 30, 2012 at 09:18:13PM +, Brekler Custodio wrote: Its better to make a new DB with new passwords on EAP and use a .bat + xml profile to configure windows notebooks. Rather than .bat + xml to do it, there are more user-friendly front-ends available. The main eduroam one (but not

Re: 802.1x Issue

2012-11-30 Thread Alan Buxey
a student - puts them onto a student VLAN. all basic 802.1X and AAA stuff. we are also a member of eduroam - so visitors to our campus who are also from eduroam sites just get online - most without even realising as they have an eduroam profile on their smartphone or tablet. zero config 'open

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
Nice, but the thing is, our freeradius is working with a Linux DB... IF it was an AD it would be much easier, since everything on Microsoft works fine with other Microsoft OSes. So we really need to make a new DB without MD5. But good to know about what you guys did there.

RE: 802.1x Issue

2012-11-30 Thread Brekler Custodio
configured an 802.1x connection here, then I used netsh to export the profile and save it with a nice name. So the instructions for now are clear: put the file on C:\ and double click the wireless.bat. So the wireless.bat will delete any profile with the same name and import the new profile. tested on a few

802.1x Issue

2012-11-29 Thread Brekler Custodio
Hi again people, so a week ago I posted here a problem with 802.1x I had and it turned out that all my users had MD5 passwords, so that was my problem. Today I created a new DB on a test server, changed it in sql.conf and tested. I'm getting this error; I tried to understand it, BUT I'm kinda a newbie

Re: Problems with 802.1x

2012-11-29 Thread Andres Gomez Ruiz
Hi everybody!! I've been using Freeradius for 6 months, and it works great. I'm using freeradius + MySQL to store my user data in a database and authenticate with a user and a password. Now I have to attach 3 MAC addresses to each user, so I'm editing my database (radcheck table) id

Re: Problems with 802.1x

2012-11-29 Thread Alan DeKok
Andres Gomez Ruiz wrote: I'm using Freeradius since 6 months ago, and It works great. I'm Using freeradus + MySQL to store my users data in a database and authenticate it with an user and a password. Now I Have to attach to each user, 3 MAC-Address, so I'm editting my database (radcheck

Re: 802.1x Issue

2012-11-29 Thread Alan Buxey
Problem with the query. Run that query with mysql client and see what the output shows...and tell us what that entry for user looks like in radcheck table. Default sql configuration works alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

RE: Problems with 802.1x

2012-11-21 Thread Brekler Custodio
Hi Eric, sorry, but I didn't understand that very well... Let me see, the FR should do what? The guy that takes care of our database said all passwords were generated in MD5 and I don't know how to convert. But the 802.1x on Microsoft Windows works with MSCHAPv2. Is there a solution

Re: Problems with 802.1x

2012-11-21 Thread Stephan Kirsten
On 21.11.2012 23:20, Brekler Custodio wrote: Hi Eric, sorry, but I didn't understand that very well... Let me see, the FR should do what? The guy that takes care of our database said all passwords were generated in MD5 and I don't know how to convert. But the 802.1x on Microsoft Windows works

Re: Problems with 802.1x

2012-11-21 Thread Alan DeKok
Brekler Custodio wrote: Hi Eric, sorry, but i didnt understand that very well... Let me see, the FR should do what ? The guy that takes care of our database said all passwords were generated in MD5 and i dont know how to convert You don't convert them. You can't. But the 802.1x

Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
Hi on 20.11.2012 16:22, Brekler Custodio wrote: Found Auth-Type = EAP # Executing group from file /etc/freeradius/sites-enabled/inner-tunnel +- entering group authenticate {...} [eap] Request found, released from the list [eap] EAP/mschapv2 [eap] processing type mschapv2

Re: Problems with 802.1x

2012-11-20 Thread Alan DeKok
Please send plain text messages. There's no need to send HTML messages with everything bold. Brekler Custodio wrote: *So i did the debug thing, and i couldnt find the error (im new on linux)* You were told to read the comments at the top of raddb/sites-available/inner-tunnel. It gives

Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
Hi on 20.11.2012 17:16, Brekler Custodio wrote: So you mean that my MYSQL Server has a problem with my authentication ? I don't think you use sql for authentication, follow the advice Alan gave you and check your sites-enabled/inner-tunnel file. cheers Erich Titl

Re: Problems with 802.1x

2012-11-20 Thread alan buxey
Hi, I asked this question yesterday, but since I'm new I did a lot of wrong things, like no subject, etc etc. but you still got a couple of answers. I don't know what is wrong, I THINK it's our SQL DB that is not accepting mschap. I would appreciate that people dont answer like

RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio
I'm sorry Alan, I'm learning how to use this forum. So, I read everything there, BUT there is one thing you don't know: my native language isn't English, so it's not that easy to understand everything there. On the inner-tunnel I already put the SQL. So, here is another question, how can I create an

Re: Problems with 802.1x

2012-11-20 Thread alan buxey
hi, ..as there seems to be some doubts about how your system is actually working for non-EAP methods (ie whether or not you actually use SQL at all.) it would be best if you actually sent the 'radiusd -X' output for when a successful authentication occurs. alan - List

RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio
So you mean that my MYSQL server has a problem with my authentication? Date: Tue, 20 Nov 2012 16:47:07 +0100 From: erich.t...@think.ch To: freeradius-users@lists.freeradius.org Subject: Re: Problems with 802.1x Hi looks like your authentication data is missing on the server side. cheers

Re: Problems with 802.1x

2012-11-20 Thread Alan DeKok
Brekler Custodio wrote: So, i read everything there, BUT there is one thing you dont know, my native language isnt english, so its not that easy to understand everything there. That's OK. On the Inner-tunnel i already put the SQL. Well, it didn't show up in the debug log. So you didn't

Re: Problems with 802.1x

2012-11-20 Thread alan buxey
: Issuing Challenge and that's your problem. 802.1X methods like PEAPv0/MSCHAPv2 (standard microsoft PEAP) DO NOT send the password to the server. instead, they use a challenge-response method. which means that you need to be able to KNOW the actual password - so you need to have a copy

RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio
Thanks a lot man! We will test now, that was my first thought, but I wasn't sure. And the guy that is responsible for the MYSQL DB doesn't have time to change it. He will test it for me and I will have a response and give feedback here. - List

RE: Problems with 802.1x

2012-11-20 Thread Brekler Custodio
Thanks everyone for the help. We will be looking for a solution. The guy that takes care of our DB said that all our passwords are MD5 and he doesn't know how to change to MSCHAPv2 or how to generate it. And Windows doesn't allow us to connect on 802.1x with MD5

Re: Problems with 802.1x

2012-11-20 Thread Erich Titl
on 20.11.2012 19:21, Brekler Custodio wrote: Thanks everyone for the help. We will be looking for a solution. The guy that takes care of our DB said that all our passwords are MD5 and he doesn't know how to change to MSCHAPv2 or how to generate it. And Windows doesn't allow us to connect on 802.1x

Help with 802.1x Certificate

2012-09-14 Thread Tyller D
Hi all, I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users. I have everything configured and working when I disabled validate server Certificate on windows. I have a wildcard certificate purchased from godaddy.com. I had a problem when using it with apache as I had to add

Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers
On 14/09/12 14:46, Tyller D wrote: Hi all, I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users. I have everything configured and working when I disabled validate server Certificate on windows. I have a wildcard certificate purchased from godaddy.com http://godaddy.com

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote: I have everything configured and working when I disabled validate server Certificate on windows. I have a wildcard certificate purchased from godaddy.com. I'm not sure that will work. I had a problem when using it with apache as I had to add the intermediate chain in the

Re: Help with 802.1x Certificate

2012-09-14 Thread Tyller D
On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok al...@deployingradius.com wrote: Tyller D wrote: I have everything configured and working when I disabled validate server Certificate on windows. I have a wildcard certificate purchased from godaddy.com. I'm not sure that will work. Is there

Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers
On 14/09/12 15:38, Tyller D wrote: On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok al...@deployingradius.com mailto:al...@deployingradius.com wrote: Tyller D wrote: I have everything configured and working when I disabled validate server Certificate on windows. I have a

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote: Is there a reason for that? Godaddy is in the list of servers to validate against? Because Windows has certain magical requirements on certificates. If the godaddy cert doesn't have them, authentication will fail. Alan DeKok. - List info/subscribe/unsubscribe? See

Re: Help with 802.1x Certificate

2012-09-14 Thread Carl Peterson
You have three possible issues. 1). You need to chain all of the certs into one file. 2). MS requires that the cert have a special purpose. This is documented and needs to be included in the CSR. BS, but that's MS for you. 3). MS might not like wild cards. Not sure about this but it may be

FreeRADIUS, 802.1x, and multiple user stores

2012-08-01 Thread Jonathan L Ocab
I'm playing around with 802.1x over the wire in a development environment at work and it's pretty much functional with the Windows and OS X hosts I've been testing with (OpenLDAP as backend userstore). My next step is getting 802.1x working such that FreeRADIUS can authenticate users

Re: FreeRADIUS, 802.1x, and multiple user stores

2012-08-01 Thread Alan DeKok
Jonathan L Ocab wrote: My next step is getting 802.1x working such that FreeRADIUS can authenticate users to different Active Directory user stores based on the domain provided. That's not really how Active Directory works. The various domains should all be accessible from one local AD

Re: FreeRADIUS, 802.1x, and multiple user stores

2012-08-01 Thread Jonathan L Ocab
AD store. -j Date: Wed, 01 Aug 2012 10:19:25 -0700 From: Alan DeKok al...@deployingradius.com To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: FreeRADIUS, 802.1x, and multiple user stores Message-ID: 5019651d.8060...@deployingradius.com Content

Re: FreeRADIUS, 802.1x, and multiple user stores

2012-08-01 Thread Alan DeKok
Jonathan L Ocab wrote: I believe you shed light onto the AD situation, but one item of note is that my campus' primary user store is OpenLDAP and is what is used by our production FreeRADIUS services. Authenticating *only* to OpenLDAP is easy, and it works. What I need to do is so our

802.1x, default windows supplicant and kerberos

2012-06-18 Thread Adrian Czapek
like to protect ethernet network with 802.1x protocol. I am stuck, because I don't have User-Password inside of the PEAP tunnel (I know the reason why I don't have that password there, no need to explain :)) which is needed for kerberos module. Is there any other method to get it working? I've

Re: 802.1x, default windows supplicant and kerberos

2012-06-18 Thread Alan DeKok
kerberos using DEFULT Auth-Type = Kerberos in users file: Kerberos is incompatible with PEAP. http://deployingradius.com/documents/protocols/compatibility.html Now I would like to protect ethernet network with 802.1x protocol. I am stuck, because I don't have User-Password inside of the PEAP

Re: 802.1x, default windows supplicant and kerberos

2012-06-18 Thread Adrian Czapek
2012/6/18 Alan DeKok al...@deployingradius.com Change the supplicant to use EAP-GTC. That might work. Otherwise, it's impossible. Thanks, just found this: http://fuhry.us/blog/2012/01/01/mschapv2-against-mit-kerberos-yes-you-can/ but that requires to patch kerberos which probably I

Re: 802.1x, default windows supplicant and kerberos

2012-06-18 Thread Phil Mayers
On 18/06/12 10:06, Adrian Czapek wrote: 2012/6/18 Alan DeKok al...@deployingradius.com mailto:al...@deployingradius.com Change the supplicant to use EAP-GTC. That might work. Otherwise, it's impossible. Thanks, just found this:

Re: 2 Certs for 2 SSID (802.1x)

2012-05-21 Thread C.F. Yeung
Thanks Matthew, it's tested okay. On Fri, May 18, 2012 at 5:44 PM, Matthew Newton m...@leicester.ac.uk wrote: On Fri, May 18, 2012 at 11:35:39AM +0800, C.F. Yeung wrote: Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains eduroam?

Re: 2 Certs for 2 SSID (802.1x)

2012-05-18 Thread Matthew Newton
On Fri, May 18, 2012 at 11:35:39AM +0800, C.F. Yeung wrote: Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains eduroam? if (Called-Station-Id == xx-xx-xx-xx-xx-xx:eduroam) { man unlang - look for regular expressions. if

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread Phil Mayers
On 05/17/2012 05:07 AM, C.F. Yeung wrote: I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and IP are masked by x. +- entering group authorize {...} ++? if (Called-Station-Id ==

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread C.F. Yeung
Thanks Phil, it's ok now. On Thu, May 17, 2012 at 3:14 PM, Phil Mayers p.may...@imperial.ac.uk wrote: On 05/17/2012 05:07 AM, C.F. Yeung wrote: I have added a new eap_new with the other cert in eap.conf and tried the unlang policy. But, it still goes to my existing eap/cert. MAC address and

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread alan buxey
Hi, Found Auth-Type = eap_new Found Auth-Type = EAP no no. you've got to have 2 totally different eap modules defined, and where they could be you need to ensure that you have 2 types of request configured. you are better off having a new virtual-server that you direct that request

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread C.F. Yeung
Thanks Alan, it's fixed with the help by Phil. I want to add one more condition to call the eap_new module based on Realm. The following elseif condition is wrong. How should I write the correct unlang? if(Called-Station-Id == xx-xx-xx-xx-xx-xx:duroam) { eap_new {

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread C.F. Yeung
Got it working as follows. if (Called-Station-Id == xx-xx-xx-xx-xx-xx:eduroam) { eap_new { ok = return } } if (Realm == newdomain.com) { eap_new { ok = return }

Re: 2 Certs for 2 SSID (802.1x)

2012-05-17 Thread C.F. Yeung
Sorry to bother again, how should I rewrite the unlang for the condition that if the Called-Station-Id contains eduroam? if (Called-Station-Id == xx-xx-xx-xx-xx-xx:eduroam) { On Fri, May 18, 2012 at 10:38 AM, C.F. Yeung yeun...@gmail.com wrote: Got it working as follows. if

2 Certs for 2 SSID (802.1x)

2012-05-16 Thread C.F. Yeung
We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf? Thanks, CF - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 2 Certs for 2 SSID (802.1x)

2012-05-16 Thread Phil Mayers
On 16/05/12 16:29, C.F. Yeung wrote: We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf? Yes. Configure the two eap modules with different names e.g. eap eap_cert1 { ... } eap eap_cert2

Re: 2 Certs for 2 SSID (802.1x)

2012-05-16 Thread C.F. Yeung
. Yeung wrote: We have 2 SSL Certs for two SSID (802.1x). How can my freeradius server present wifi clients the cert based on SSID? Should I have two eap.conf? Yes. Configure the two eap modules with different names e.g. eap eap_cert1 { ... } eap eap_cert2 { ... } ...and then configure

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Alan Buxey
Please read the mailing list archives, this very question and setup is often mentioned alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Wassim Zaarour
Buxey a.l.m.bu...@lboro.ac.uk Date: Friday, April 20, 2012 9:30 AM To: Wassim Zaarour wassim.zaar...@navlink.com, freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org Subject: Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails. Please read the mailing list archives, this very

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Fajar A. Nugraha
On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour wassim.zaar...@navlink.com wrote: Hi Alan, I went through the archives and did some changes but still getting the error, appreciate if you can help me a bit here. I think I read that the ldap request must be proxied to the inner tunnel for it

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Wassim Zaarour
On 4/20/12 10:15 AM, Fajar A. Nugraha l...@fajar.net wrote: On Fri, Apr 20, 2012 at 2:09 PM, Wassim Zaarour wassim.zaar...@navlink.com wrote: Hi Alan, I went through the archives and did some changes but still getting the error, appreciate if you can help me a bit here. I think I read

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Fajar A. Nugraha
On Fri, Apr 20, 2012 at 2:22 PM, Wassim Zaarour wassim.zaar...@navlink.com wrote: On 4/20/12 10:15 AM, Fajar A. Nugraha l...@fajar.net wrote: Long version: MSCHAPv2 (which also means PEAP-MSCHAPv2) needs either: - Cleartext-Password or NT-Hash available (in LDAP, sql, users file whatever), OR -

Re: LDAP-FreeRadius-Cisco Switch-802.1x Fails.

2012-04-20 Thread Wassim Zaarour
Hi Fajar, I just checked with the ldap admin and he told me passwords are stored with SHA encryption and not cleartext. (can't change them to clear text) Does that mean there is no way to make TTLS/PEAP/MSCHAPv2 work with it?? If I use TTLS/PAP from a Mac OS laptop, it works fine, but I'm
