Re: 802.1x, EAP and LDAP

2008-03-03 Thread Ivan Kalik
>From what you're saying I believe >I need to put in the LDAP config for our eDirectory and uncomment any LDAP >authorisation/authentication entries. Anything else? > >Then I can use radtest to test the authentication? Yes. First test with user file entry, then with entry in the directory. > >How

Re: 802.1x, EAP and LDAP

2008-03-03 Thread Alan DeKok
Mike Richardson wrote: > I've been making changes for 8 hours a day for over a week so it might > differ from the original. Which is a bit of a problem in and of itself. > However I been back to the defaults twice. As of > tomorrow I'll reinstall and try it again. From what you're saying I beli

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 07:33:09AM +0100, Alan DeKok wrote: > Mike Richardson wrote: > > I've been making changes for 8 hours a day for over a week so it might > > differ from the original. > > Which is a bit of a problem in and of itself. I posted the configs in the original email - was there

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
es to understand and > configure and I wouldn't be confident in my ability to support it campus > wide if I'd only spend 10 mins on it. I don't believe in asking for help > without doing as thorough as job as I can in experimenting and learning. Sure. But the default config

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
Looks like something odd is going on. I've removed freeradius and reinstalled it. I added the LDAP config and uncommented the various 'ldap' lines, see config. Definitely uncommented: Auth-Type LDAP { uni_ldap } This line still there: rlm_ldap: Over-riding set

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: > Looks like something odd is going on. I've removed freeradius and > reinstalled it. I added the LDAP config and uncommented the various 'ldap' > lines, > see config. You did a bit more than that. That additional effort is where the problem is coming from. > Defintiel

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Ivan Kalik
I don't know anything about eDirectory, but could this be a problem for retrieving password and other attributes: >rlm_ldap: No default NMAS login sequence Ivan Kalik Kalik Informatika ISP - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 10:45:37AM +0100, Alan DeKok wrote: > Um... no. When I said "uncomment and configure the ldap module", it > did NOT mean "re-name the existing ldap module, and add a new one with a > different name". > > The extra work you're doing is breaking the server. Stop it. Ju

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Phil Mayers
rlm_ldap: ldap_release_conn: Release Id: 0 modcall[authorize]: module "ldap" returns ok for request 0 rlm_pap: WARNING! No "known good" password found for the user. Authentication may fail because of this. modcall[authorize]: module "pap" returns noop for request 0 The ldap module didn't f

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: ... > rlm_ldap: performing search in c=uk, with filter (uid=raduser1) > rlm_ldap: No default NMAS login sequence > rlm_ldap: looking for check items in directory... That needs to be fixed. See Novell's documentation for how. > rad_check_password: Found Auth-Type Syste

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote: > >rlm_ldap: ldap_release_conn: Release Id: 0 > > modcall[authorize]: module "ldap" returns ok for request 0 > >rlm_pap: WARNING! No "known good" password found for the user. > >Authentication may fail because of this. > > modcall[aut

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 11:48:41AM +0100, Alan DeKok wrote: > Mike Richardson wrote: > ... > > rlm_ldap: performing search in c=uk, with filter (uid=raduser1) > > rlm_ldap: No default NMAS login sequence > > rlm_ldap: looking for check items in directory... > > That needs to be fixed. See Novel

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Phil Mayers
can be authenticated by rlm_ldap, using simple bind against the LDAP server - that's the authenticate { Auth-Type LDAP { ldap } } ...stuff, but you should avoid doing that if at all possible. In particular it won't support PEAP/MS-CHAP, the only really useful EAP type suppo

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: > Any idea what it means? I get the same message when using openldap: Ask Novell. Unfortunately, no one else knows... > rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with > filter (&(uid=example)(objectclass=radiusprofile)) > rlm_ldap: No default

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
On Tue, Mar 04, 2008 at 01:13:49PM +0100, Alan DeKok wrote: > Mike Richardson wrote: > > Any idea what it means? I get the same message when using openldap: > > Ask Novell. Unfortunately, no one else knows... > > > rlm_ldap: performing search in ou=users,ou=radius,dc=mydomain,dc=com, with > >

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Mike Richardson
ticated by > rlm_ldap, using simple bind against the LDAP server - that's the > > authenticate { > Auth-Type LDAP { > ldap > } > } > > ...stuff, but you should avoid doing that if at all possible. In > particular it won't support PEAP/MS-CHAP, the onl

RE: 802.1x, EAP and LDAP

2008-03-04 Thread Danner, Mearl
: Tuesday, March 04, 2008 5:19 AM To: freeradius-users@lists.freeradius.org Subject: Re: 802.1x, EAP and LDAP Mike Richardson wrote: > On Tue, Mar 04, 2008 at 10:35:29AM +, Phil Mayers wrote: >>> rlm_ldap: ldap_release_conn: Release Id: 0 >>> modcall[authorize]: module "ld

Re: 802.1x, EAP and LDAP

2008-03-04 Thread Alan DeKok
Mike Richardson wrote: > The suggestions made so far have been to uncomment this authenticate entry. > Once working should I be looking at commenting it out again and getting EAP > to work without the above bind? No. If you're using TTLS + PAP, it's fine. For PEAP, it's impossible... > Ah, a

Re: Freeradius + openldap + 802.1x - Solved....

2008-03-17 Thread Fabio Silva
Solved I can authenticate in radius with my ldap user account... But now... i would like to know.. if there is any way to check the Group that the user is. I would like to configure to accept all users from the group "Users". How can i do it? Regards. On Mon, Mar 17, 2008 at 4:50 PM, Fab

Re: Freeradius + openldap + 802.1x - Solved....

2008-03-18 Thread Ivan Kalik
>But now... i would like to know.. if there is any way to check the >Group that the user is. > >I would like to configure to accept all users from the group "Users". Regardless of the passwords? > >How can i do it? > DEFAULT Ldap-Group == "Users", Auth-Type := Accept Ivan Kalik Kalik Informa

802.1x maschine auth with SSL?

2008-03-25 Thread [EMAIL PROTECTED]
Heya, I'm a bit stuck. My xp box should auth with ssl cert - works ok so far. But how to assign vlan? When doing this with user, I put my user + pass into users file - works. But for ssl cert? I want my xp box authenticated by ssl cert and after that, my user should logon to "his" vlan. So that

FreeRADIUS + 802.1X wireless rollout questions

2008-04-18 Thread Walter Gould
List, Our institution (a 4 yr. state college) is planning on implementing a 802.1X wireless network in the coming months. We have a test network in place now and all seems to be working well. We have two FreeRADIUS servers. We followed the "FreeRADIUS Active Directory Integration

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
radiusd -X Ivan Kalik Kalik Informatika ISP On 23/4/2008, "Dr.Peer-Joachim Koch" <[EMAIL PROTECTED]> wrote: >Hi, > >we are using one radius server for external users to get >access to a 802.1x WLAN. >The radius server is configured to look for the domain >and

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch
Hi, enclosed is the output from radiusd -X, first using radtest, then switching on the WLAN with the same username and password: =radiusd -X out rad_recv: Access-Request packet from host 141.5.16.151:2234, id=228, length=68 User-Name = "[

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
This is the debug from the proxy not home server. You need a debug from the home server to see why is first one accepted and second one rejected. Since first one was pap request and second mschap usual problem is that password stored on home server is encrypted. Ivan Kalik Kalik Informatika ISP

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Dr.Peer-Joachim Koch
Hi Ivan, thanks, but I don't have access to this server. I can only do anything on our proxy. You are right, the WLAN is configured with wpa2 TKIP PEAP and ms-chap-V2. Is there anything else I can do ? Bye, Peer Ivan Kalik wrote: This is the debug from the proxy not home server. You ne

Re: 802.1x+WLAN and radtest

2008-04-23 Thread Ivan Kalik
Install SecureW2 and try EAP-TTLS/PAP. If that works then passwords are encrypted and PEAP won't work. Ivan Kalik Kalik Informatika ISP On 23/4/2008, "Dr.Peer-Joachim Koch" <[EMAIL PROTECTED]> wrote: >Hi Ivan, > >thanks, but I don't have access to this server. >I can only do anything on our

FreeRadius/eDirectory/802.1X authentication issue

2008-06-06 Thread Newall, Bryce

Re: 3COM sw4500 802.1x Problem

2007-07-18 Thread tnt
nfirm what EAP type is your supplicant trying to do (in that complete debug). Ivan Kalik Kalik Informatika ISP On 18/7/2007, "Aydin KOÇAK" <[EMAIL PROTECTED]> wrote: > >Hello; >I implemented 802.1x on 3com 4500 switch but I receive an error on my >FreeRadius serv

RE: 3COM sw4500 802.1x Problem

2007-07-19 Thread Aydın KOÇAK
Hello; I could solve my problem with change Auth-Type attribute to EAP in LDAP and everything is ok. Thank you for your relation. Best Regards, Aydin Kocak.

Re: 3COM sw4500 802.1x Problem

2007-07-19 Thread Alan DeKok
Aydın KOÇAK wrote: > Hello; > I could solve my problem with change Auth-Type attribute to EAP in LDAP and > everything is ok. Don't do that. If anyone is reading the archive of this list, don't do that. Alan DeKok.

802.1x machine authentication patch help

2007-09-28 Thread Marco Casulli
Hi Jamie, Marco from BBC in London. I have read your message (http://lists.cistron.nl/pipermail/freeradius-users/2005-November/048576.html) related to the error when the radius is trying to authenticate in AD and I am getting exactly the same message. "No logon workstation trust account (0xc

802.1x auth EAP-TLS problem

2011-06-28 Thread Marco Londero
Hi folks, I have a problem in my freeradius setup and I'm looking for some hints about that. Scenario: 1) GNU/Linux client w/ WPA supplicant configured to request access through EAP-TLS using a certificate (in order to achieve 802.1x ethernet authentication) 2) 802.1x enabled switch

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Phil Mayers
uld I be able to talk to the ldap server before I successfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :) If you want to use the login credentials to speak 802.1x, it can't be done currently, as far as I know; you would need

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Thorsten Scherf
mean, isn't that a chicken egg problem? How would I be able to talk to the ldap server before I successfully authenticated against Radius? For sure I do miss something, would be great if somebody could enlighten me. :) If you want to use the login credentials to speak 802.1x, it can'

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Phil Mayers
I use the login credentials to login to the network with 802.1x" - is this correct? Neither pam_radius_auth nor pam_ldap will do that. This can be done under Windows. Alternatively, you could just use a "machine-specific" account to perform 802.1x. This can be done today wit

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Thorsten Scherf
ss" I assumed you meant "how can I use the login credentials to login to the network with 802.1x" - is this correct? Neither pam_radius_auth nor pam_ldap will do that. Ok, I should be more precise. Let's try it again. Let's say I have a FreeRadius server with LDAP back

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Phil Mayers
a backend for 802.1x access as well as authentication server for logins based on pam_ldap. With LDAP only I should have a PAM config like this: ... auth sufficient pam_ldap.so ... ... In a 802.1x I won't have network access before my local supplicant sends proper login credentials to a NAS

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Alan DeKok
Thorsten Scherf wrote: > Ok, I should be more precise. Let's try it again. Let's say I have a > FreeRadius server with LDAP backend. The LDAP backend contains user and > machine objects with RADIUS and POSIX specific attributes. I now want to > use that LDAP box to act a

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Thorsten Scherf
On [Tue, 03.01.2012 14:21], Phil Mayers wrote: Currently, Linux systems do not integrate the 802.1x authentication with the PAM login system. What you want to do can't be done. Ok, great, that's what I wanted to hear. I haven't worked with pam_radius_auth, it was just my ass

Re: pam_ldap and 802.1x environment

2012-01-03 Thread Thorsten Scherf
On [Tue, 03.01.2012 09:28], Alan DeKok wrote: Thorsten Scherf wrote: thus another action has to take place to authenticate using 802.1x. I have no idea what that means. Well, what I meant was, before I can talk to LDAP via IP using pam_ldap, another action has to be performed BEFORE to get

Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers
On 14/09/12 14:46, Tyller D wrote: Hi all, I would like to use FreeRadius to do 802.1x EAP-PEAP for wireless users. I have everything configured and working when I disabled "validate server Certificate" on windows. I have a wildcard certificate purchased from godaddy.com <http:

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote: > I have everything configured and working when I disabled "validate > server Certificate" on windows. > I have a wildcard certificate purchased from godaddy.com. I'm not sure that will work. > I had a problem when using it with apache as I had to add the > intermediate chain in

Re: Help with 802.1x Certificate

2012-09-14 Thread Tyller D
On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote: > Tyller D wrote: > > I have everything configured and working when I disabled "validate > > server Certificate" on windows. > > I have a wildcard certificate purchased from godaddy.com. > > I'm not sure that will work. > Is there a reason for

Re: Help with 802.1x Certificate

2012-09-14 Thread Phil Mayers
On 14/09/12 15:38, Tyller D wrote: On Fri, Sep 14, 2012 at 4:07 PM, Alan DeKok wrote: Tyller D wrote: > I have everything configured and working when I disabled "validate > server Certificate" on windows. > I have a wildcard certificate pur

Re: Help with 802.1x Certificate

2012-09-14 Thread Alan DeKok
Tyller D wrote: > Is there a reason for that? Godaddy is in the list of servers to > validate against? Because Windows has certain magical requirements on certificates. If the godaddy cert doesn't have them, authentication will fail. Alan DeKok.

Re: Help with 802.1x Certificate

2012-09-14 Thread Carl Peterson
You have three possible issues. 1). You need to chain all of the certs into one file. 2). MS requires that the cert have a "special purpose". This is documented and needs to be included in the CSR. BS, but that's MS for you. 3). MS might not like wild cards. Not sure about this but it may be

Authentication using LDAP for 802.1x

2013-06-19 Thread Marco Streich
Hi all We have deployed FreeRADIUS on OS X before, but our configuration was rather ugly. What we would do is authenticate users locally, having the machine attached to our OpenDirectory server directly using the Connect Network Account Server functionality provided by OS X. I have seen this q

802.1X wireless, FR, and accounting...

2009-01-13 Thread sth
Hi folks, I've deployed FR2 to service 802.1X wireless authentication (Cisco LWAPP infrastructure), and it's working splendidly from the users' perspective. Accounting, however, is acting weirdly, and I have yet to determine why.

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-18 Thread Alan DeKok
phil lemelin wrote: > I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I > came across a link that doesn't work in the freeradius wiki about > exactly those subject but I found something on the linux documentation > project ( http://tldp.org/HOWTO/html_single

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-18 Thread phil lemelin
> I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I > > came across a link that doesn't work in the freeradius wiki about > > exactly those subject but I found something on the linux documentation > > project ( http://tldp.org/HOWTO/html_single/8021X

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-24 Thread phil lemelin
elin wrote: > > > > I have been reading about FreeRadius, 802.1x, EAP/TLS and XSupplicant. I >> > came across a link that doesn't work in the freeradius wiki about >> > exactly those subject but I found something on the linux documentation >> > project ( http:

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-25 Thread phil lemelin
Good morning freeradius users, Using the documents Alan linked here, I managed to configure everything to use EAP-TTLS. I have a question, which might not be related to freeradius directly, but more to EAP-TTLS. Why is the username sent in clear over the network ?

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-25 Thread Alan DeKok
phil lemelin wrote: > I have a question, which might not be related to freeradius directly, > but more to EAP-TTLS. > > Why is the username sent in clear over the network ? That's the default in your supplicant. If you want it changed, use one name for the "outer" identity, and a different one

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-26 Thread phil lemelin
Following on my adventure with freeradius, I decided to enable mysql and use EAP-TTLS. Having my passwords in SQL, I now want to encrypt them ( MD5 ) and use them to authenticate my user. After reading the protocols compatibility matrix ,I saw that with EAP-TTLS, with tunneled PAP, I should be abl

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-26 Thread Alan DeKok
phil lemelin wrote: > 1- What do I set the "attribute" field to in the radcheck table to use > MD5 passwords ? Crypt-Password > 2- What do I set the "attribute" field to in the radgroupcheck IF I have > to ( I shouldn't have right ? decided by user unless I want to lock > them out of a method

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-26 Thread phil lemelin
> > > 1- What do I set the "attribute" field to in the radcheck table to use > > MD5 passwords ? > > Crypt-Password In which scenario should MD5-Password be used ? > 3- Is there a good reference to setup the mysql database to use > > authentication ? Frankly, the amount of questions and conflic

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-26 Thread phil lemelin
Okay. Generating my password with : htpasswd -nd plemelin ( crypt ) and setting the attribute to crypt-password in mysql did the trick. Generating the password with : htpasswd -nm plemelin ( md5 ) and setting the attribute to MD5-password doesn't work. I think I did enough radius for the we

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-27 Thread phil lemelin
Looks like I can't get enough radius. I started testing with different users today and noticed something I can't explain. Let's say my user is : phil Let's say the pass is : unpassword If I enter the following password : punpassword I get the following in radiusd -X : [pap] login attempt with

Re: EAP/TLS -- FreeRadius -- 802.1x

2009-03-27 Thread tnt
>Let's say my user is : phil >Let's say the pass is : unpassword > >If I enter the following password : punpassword >I get the following in radiusd -X : > >[pap] login attempt with password "punpassword" >[pap] Using CRYPT encryption. >[pap] Passwords don't match > > >If I enter the following pass

wired 802.1x for desktops (offtopic)

2009-05-26 Thread Mikael Kermorgant
Hello, Sorry for this off-topic message, I have a question about 802.1x deployment and don't know where to ask. As freeradius is one of the element I think of, maybe someone here can help me find the solution ? My Goals : 1) authenticate access to the network from Open Public Access Ca

ldap and ad for 802.1x

2009-07-01 Thread lenny
Hello, I'm trying to figure out the necessary steps and configs to make the following happen. 2 groups of users, one residing in ldap with samba/ntlm hashes and another in AD, need to authenticate through Radius servers for 802.1x wireless. At this point, I have the Radius server success

MAC address log in 802.1x

2004-07-19 Thread Carlos Gaule Pantoja
Hi! I'm implementing 802.1x EAP-TLS and EAP-PEAP with postgresql. All works fine, but I need to generate three groups of users: red, yellow and green... the green group is for guests (no have any certificate) who only have permission to web browsing in intranet servers, the yellow grou

alcatel omniswitch 6600 and 802.1x

2004-10-29 Thread Laurent LAVAUD
Hello, I'm trying to set up a configuration with an Alcatel Omniswitch 6600-24 and Freeradius 1.0.1. 802.1x client is either native XP or open1x (EAP-MD5). Communication seems to go between the switch and Freeradius but authentication fails. Did someone succeed with the same ki

General question on Radius/802.1x

2004-11-17 Thread Andrea G. Forte
Hi all, I am new to WPA/802.11i and I have a few doubts. I hope you can help me. What is not clear to me is how often a supplicant needs to authenticate to the server...is it every time the supplicant performs a L2 handoff? It seems like if the supplicant does not authenticate it does not get an IP

Re: 802.1x with no TLS?

2005-01-12 Thread vmalik
Hi Brandon >Is this Mandatory? No, it is not >I'm just looking for the most basic way of making a username/password >required to be able to connect wirelessly to the AP/linux box and gain access >to the network. In my opinion you should use PEAP Take a glance at http://tldp.org/HOWTO/html_single/80

Re: 802.1x with no TLS?

2005-01-12 Thread vmalik
I have never used EAP-TTLS, I do not know if it is better than PEAP, I just suggested you what I know and worked. Now you have to decide between them!! Victoria

Re: 802.1x with no TLS?

2005-01-12 Thread Justin Guidroz
EAP-TTLS is basically the same thing as PEAP. Server certificate, client uses username and pass to authenticate. On Wed, 12 Jan 2005 16:22:33 -0600 (CST), [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote: > Hi Brandon > >Is this Mandatory? > No, it is not > >I'm just looking for the most basic way of

RE: 802.1x, PEAP, and AD

2005-01-20 Thread Willey Kurt D
@lists.freeradius.org Subject: 802.1x, PEAP, and AD Hi all, I'm having an issue doing PEAP against AD. I have most of it working, except for this. If I use the ntlm_auth line "ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-Non

RE: 802.1x, PEAP, and AD

2005-01-20 Thread Willey Kurt D
: Thursday, January 20, 2005 10:54 AM To: freeradius-users@lists.freeradius.org Subject: 802.1x, PEAP, and AD I have the with_ntdomain_hack = yes option set under the MSCHAP section. Where is the ntdomain option?

RE: 802.1x, PEAP, and AD

2005-01-20 Thread Ron Wahler
Did you try just --username=%{Stripped-User-Name:-None} Ron. -Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 20, 2005 9:39 AM To: freeradius-users@lists.freeradius.org Subject: 802.1x, PEAP, and AD Hi all, I&#

Re: 802.1x, PEAP, and AD

2005-01-20 Thread Michael Griego
Actually, what you should be sending in the --username option is: --username=%{mschap:User-Name} This will automatically strip the domain portion (if it exists) from the username before sending it to the DC. --Mike --- Michael Griego Wireless LAN Project Manager The

RE: 802.1x, PEAP, and AD

2005-01-20 Thread Willey Kurt D
TECTED] On Behalf Of [EMAIL PROTECTED] Sent: Thursday, January 20, 2005 11:14 AM To: freeradius-users@lists.freeradius.org Subject: 802.1x, PEAP, and AD I have that as well as the ntdomain lines from the authorize and accounting sections uncommented, still no dice. Any other ideas? Thanks, Mark Capelle

RE: 802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Yes I did =). That yields: Thu Jan 20 01:02:02 2005 : Debug: modsingle[authenticate]: calling mschap (rlm_mschap) for request 6 Thu Jan 20 01:02:02 2005 : Debug: rlm_mschap: No User-Password configured. Cannot create LM-Password. Thu Jan 20 01:02:02 2005 : Debug: rlm_mschap: No User-Passwo

Re: 802.1x, PEAP, and AD

2005-01-20 Thread markcapelle
Eureka! Michael was correct. I had a typo (ntlm_atuh). Fixed that and it works! Thanks to Ron, Michael, and Kurt for all the help, you guys are great! [EMAIL PROTECTED] Tried that and I end up with - Thu Jan 20 00:51:30 2005 : Debug: modcall: entering group Auth-Type for request 6 Thu Jan 20

Extreme, 802.1x, PEAP, and FreeRADIUS

2005-01-20 Thread markcapelle
Hi all, I currently have Windows XP SP1 ,HP switch, 802.1x, PEAP, and Active Directory working flawlessly. Now I have run up against a new issue with my Extreme Networks equipment. Here is the issue. When using the HP switch, I get the User-Name attribute from the switch as &quo

Radius for 802.1X and TKIP

2005-01-24 Thread Dani Camps
I want to set up a secure wlan using EAP-PEAP as authentication method and Radius as a authentication server, in the AP I choose TKIP encryption, but I think TKIP needs to renew the keys used, and I think is the Radius server the one that has to create the keys and pass them to the AP, is this true

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-10 Thread Alan DeKok
FreeRADIUS+LDAP(SSHA) and i wanna add 802.1x port base > authentication, what do i use? a) Fix your database to store clear-text or NT-hashed passwords. b) Live without 802.1X. Pick one. Alan DeKok.

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-10 Thread Caius
proceed further with my investigation, what are my options really? :D i was thinking at the following: to do the normal user authentication in LDAP, based on the provided realm, and if no realm present authenticate the users in users file. Users which use 802.1x will be saved in clear-text in users

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-10 Thread tnt
> i was thinking at the following: > to do the normal user authentication in LDAP, based on the provided realm, > and if no realm present authenticate the users in users file. > Users which use 802.1x will be saved in clear-text in users file > and users used for authentication

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Caius
Hi Ivan, my problem was that in LDAP I have the passwords saved as SSHA, so I can't do 802.1x with EAP/PEAP/mschap as I don't wanna change my LDAP configuration to store the passwords in clear-text, or to use samba.scheme and to use NT hash. The only option remaining from my view point was to

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Alan DeKok
the provided realm, > and if no realm present authenticate the users in users file. > Users which use 802.1x will be saved in clear-text in users file > and users used for authentication for other stuff, will be checked in LDAP > (@mydomain.com) > > > or can i switch this ar

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread tnt
> my problem was that in LDAP i have the passwords save as SSHA, so i cant > do 802.1x with EAP/PEAP/mschap > > as i dont wanna change my LDAP configuration to store the passwords in > clear-text, or to use samba.scheme and to use NT hash. The only option > remaining from my vie

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-11 Thread Caius
in my system. I could go to use only clear-text for 802.1x users, have an exception for this kind of users. That's why I'm thinking to try some filtering... based on the NAS-ID or NAS-IP I might authenticate the users in users file or LDAP, right? :D thank you again for your thoughts on this

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-12 Thread Alan DeKok
Too bad. If your security system forbids clear-text passwords && NT hashed passwords, then it forbids EAP. That's what the web page says. If it's not clear, go read it again. > i could go to use only clear-text for 802.1x users, have a exception for this > kid of users.

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-13 Thread Caius
-ID or NAS-IP, where to check for the 802.1x users (in users file), right? ill do tomorrow some tests with this solutions and see if i have some problems thanks again for your patience and clear answers, Best Regards, Caius Pargar --- On Thu, 11/12/09, Alan DeKok wrote: > From: Alan De

Re: FR2.1.3+LDAP+802.1x+PEAP

2009-11-13 Thread tnt
h Ivan, i could make some rules, based on the NAS-ID or > NAS-IP, where to check for the 802.1x users (in users file), right? I never said that was a good idea ;-) On the contrary, I pointed out serious security flaws in that approach. If you are adamant that you want to keep encrypted password

freeradius proxy with 802.1x termination

2010-01-05 Thread jgammons
I am attempting to configure freeradius to terminate an 802.1x EAP-TTLS authentication, but forward/proxy the user/pass to another radius server. I can get it to standard proxy, and I can get it to function as a standalone radius server with EAP-TTLS, but can't seem to find any

WPA2 802.1X PEAPv0/EAP-MSCHAPv2

2010-03-31 Thread Ryan A. Krenzischek
Greetings! I am at a road block here. I know setting up WPA2 Enterprise PEAPv0/EAP-MSCHAPv2 / 802.1X should be simple. It just isn't working! Perhaps I am suffering from green screen syndrome :) I have followed directions from: http://tldp.org/HOWTO/html_single/8021X-HOWTO/ Aside

Re: Log the 802.1x session

2010-04-09 Thread Alan DeKok
Rosario Lumia wrote: > Hi to all, > > my question is if it's possible to log the end of a 802.1x session. What does that mean? > I > need this log for legal reason. > I need the start session log which i can get by a mysql query in > post-auth session. > For t

Re: Log the 802.1x session

2010-04-09 Thread Rosario Lumia
2010/4/9 Alan DeKok > Rosario Lumia wrote: > > Hi to all, > > > > my question is if it's possible to log the end of a 802.1x session. > > What does that mean? > > Sorry for my (very) bad english. Only for clearness: I'd want to know if there is a way

Re: Log the 802.1x session

2010-04-09 Thread Matt Hite
On Fri, Apr 9, 2010 at 8:46 AM, Rosario Lumia wrote: > Sorry for my (very) bad english. Only for clearness: I'd want to know if > there is a way to log the end of a 802.1x session. I mean: a client turn off > his wireless card and (I think) AP can (??) send a message to freeradius

RE: Log the 802.1x session

2010-04-09 Thread Garber, Neal
>From what I've read, supplicants can send an EAPOL-Logoff message to If the requirement is to determine when the user disconnects, isn't this best handled by accounting data? That is, if the authenticator supports sending Accounting-Request packets to RADIUS, then when the user disconnects, it

Re: Log the 802.1x session

2010-04-09 Thread Alan DeKok
Rosario Lumia wrote: > Sorry for my (very) bad english. Only for clearness: I'd want to know if > there is a way to log the end of a 802.1x session. I mean: a client turn > off his wireless card and (I think) AP can (??) send a message to > freeradius because the association betw

Re: Log the 802.1x session

2010-04-09 Thread Matt Hite
nticator supports sending > Accounting-Request packets to RADIUS, then when the user disconnects, it > should send an Acct-Status-Type=stop request. Absolutely. While I've not played with 802.1X + accounting personally, it looks like there is decent support in Cisco kit: http://www-europe.cisco.

Re: 802.1x host/machine authentication

2010-10-20 Thread James S. Smith
This isn't a comment on FreeRadius, but in our recent experiences with 802.1x and Windows XP clients it was a total waste of time. The built-in XP dot1x client is not up to the job. We had contractors in trying to make it work and everything was perfect on the network setup. In the end, Wi

Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Hi, Is it fine to do some jugglery with the user-name and convert it to a format which can be proxied to home server ? Thanks, Chidanand On Wed, Oct 20, 2010 at 4:52 PM, Chidanand Gangur < chidanand.gan...@gmail.com> wrote: > Hi, > > I have following setup > > where windows host is connected t

Re: 802.1x host/machine authentication

2010-10-20 Thread Phil Mayers
On 20/10/10 12:22, Chidanand Gangur wrote: Hi, I have following setup where windows host is connected to Cisco 2960 which is connected to Microsoft AD via RADIUS proxy Windows host (XP SP3) -> Cisco 2960 -> freeRADIUS proxy (2.1.10) -> Microsoft AD (2003) In the above setup user authenticat

Re: 802.1x host/machine authentication

2010-10-20 Thread Chidanand Gangur
Thanks Phil. I am still not clear.. I just want to proxy the host authentication request to the actual RADIUS server which is Microsoft AD. In such cases what configuration is required on proxy server? Can it be done? Well I mentioned realm type as IPASS as IPASS type is of format realm/username

Re: 802.1x host/machine authentication

2010-10-21 Thread Phil Mayers
On 10/21/2010 08:55 AM, Chidanand Gangur wrote: I have collected logs for full session of host authentication, log is pasted below. As mentioned in my previous mail I just want to proxy the host authentication request to the home server, is it possible? You didn't mention that in your origina
