Re: mac authentication, log rejected device in radius.log

2013-10-18 Thread John Douglass
On 10/18/2013 11:00 AM, Alan DeKok wrote: Bertalan Voros wrote: I have one question, I would like to log a message in radius.log when a device is rejected based on its mac address. I would like to put a message saying that the device was unauthorised and the Calling-Station-Id into the radius.lo

Re: Cache for machine authentication

2013-10-04 Thread Alan DeKok
Garber, Neal wrote: > Can someone tell me if it is possible in FR to cache in memory (for a > short amount of time) Calling-Station-Id from successful machine > authentications so that subsequent user authentications can test whether > the user is connecting from an authorized device? This is a fe

Re: Cache for machine authentication

2013-10-04 Thread Matthew Newton
On Fri, Oct 04, 2013 at 09:54:29AM -0400, Garber, Neal wrote: > Can someone tell me if it is possible in FR to cache in memory > (for a short amount of time) Calling-Station-Id from successful rlm_cache ? http://wiki.freeradius.org/modules/Rlm_cache Matthew -- Matthew Newton, Ph.D. Systems

Re: Cache for machine authentication

2013-10-04 Thread Alan Buxey
Using EAP? use the EAP cache and populate the entry with whatever is needed. -- Sent from my Android device with K-9 Mail. Please excuse my brevity.- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Cache for machine authentication

2013-10-04 Thread Garber, Neal
Can someone tell me if it is possible in FR to cache in memory (for a short amount of time) Calling-Station-Id from successful machine authentications so that subsequent user authentications can test whether the user is connecting from an authorized device? This is a feature that is available w

Re: Digest Authentication with a Cisco device

2013-10-02 Thread Alan DeKok
"testuser"" > that comes in as part of the Digest-Attributes and a password. You should be able to do that. > So in the users file I have "DEFAULT Cleartext-password := > "password"" That will allow ANY user to authenticate using ANY auth

Digest Authentication with a Cisco device

2013-10-02 Thread Philip Walenta
I'm trying to do what might be an odd configuration. I'm attempting to digest auth users without caring about their "User-name" attribute. So in other words I want to auth on the "Digest-User-Name = "testuser"" that comes in as part of the Digest-Attributes and a password. So in the users file I

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
> But in the EAP-TLS section from eap.conf file, I don't see any > reference to MSCHAPv2 and remember the NTLM authentication query is > set up in the MSCHAPv2 module EAP-TLS does not use MSCHAPv2. It uses certificates. I quote Alan DeKok's response to your quest

Re: Active Directory authentication question

2013-09-25 Thread Alan Buxey
Well.  There's no such thing as EAP-TLS/MSCHAPv2 . So I'd guess that your Android device is just doing PEAPv0/EAP-MSCHAPv2 or such and your config allows it to.  If you ran in full debug mode when connecting with the Android device you'd see exactly what's happening alan

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
But in the EAP-TLS section from eap.conf file, I don't see any reference to MSCHAPv2 and remember the NTLM authentication query is set up in the MSCHAPv2 module 2013/9/25 : > Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which > worked). > > Yo

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which worked). You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional authentication method. Since the default_eap_type is set to ttls, your server *prefers* using EAP-TTLS with EAP-MSCHAPv2, but it still

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
ius.org >> [mailto:freeradius-users- >> bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of >> Roberto Carna >> Sent: 25 September 2013 14:27 >> To: FreeRadius users mailing list >> Subject: Re: Active Directory authentication question >> >>

RE: Active Directory authentication question

2013-09-25 Thread stefan.paetow
[mailto:freeradius-users- > bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of > Roberto Carna > Sent: 25 September 2013 14:27 > To: FreeRadius users mailing list > Subject: Re: Active Directory authentication question > > Dear Stephan, just the last question pl

Re: Active Directory authentication question

2013-09-25 Thread Roberto Carna
7 >> To: FreeRadius users mailing list >> Subject: Re: Active Directory authentication question >> >> Dear, I'm advancing in the Freeradius + AD authentication just a >> short question: when I want to make the eapol_test tool, I get this >> error: >> >>

Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread Alan DeKok
paul trader wrote: > hi alan - well, i did both. at first the $INCLUDE was put at the bottom > of the users file, and there was 1 entry in the included file, at line 1. Why do you have a $INCLUDE? You did NOT mention it in your other posts. The help here presumes that you accurately desc

Re: Active Directory authentication question

2013-09-24 Thread Alan Buxey
Or ask your distribution provider why they still provide wpa_supplicant package without eapol_test tool ;) alan

Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread paul trader
On Tue, 24 Sep 2013 at 10:36, Alan DeKok opined: AD: It also contradicts your previous messages. You claimed you put the AD:"users" file entry at line one of the file. But now you talk about a AD:$INCLUDE statement. AD: AD: So... which is it? hi alan - well, i did both. at first the $INCLU

RE: Active Directory authentication question

2013-09-24 Thread stefan.paetow
etow=diamond.ac...@lists.freeradius.org] On Behalf Of > Roberto Carna > Sent: 24 September 2013 15:17 > To: FreeRadius users mailing list > Subject: Re: Active Directory authentication question > > Dear, I'm advancing in the Freeradius + AD authentication just a > short que

Re: Active Directory authentication question

2013-09-24 Thread John Dennis
On 09/24/2013 10:16 AM, Roberto Carna wrote: > Dear, I'm advancing in the Freeradius + AD authentication just a > short question: when I want to make the eapol_test tool, I get this > error: > > # make eapol_test > /usr/bin/ld: cannot find -lnl > collect2: error:

Re: Active Directory authentication question

2013-09-24 Thread Alan DeKok
Roberto Carna wrote: > Dear, I'm advancing in the Freeradius + AD authentication just a > short question: when I want to make the eapol_test tool, I get this > error: > > # make eapol_test > /usr/bin/ld: cannot find -lnl > collect2: error: ld returned 1 exit stat

Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread Alan DeKok
paul trader wrote: > hi phil - thanks for the advice, i figured out that placement of the > $INCLUDE statement (and user info in general) in the users file is > important for windows authentication. strangely enough, it doesn't seem > to matter for a linux dialup, tho

Re: Active Directory authentication question

2013-09-24 Thread Roberto Carna
Dear, I'm advancing in the Freeradius + AD authentication just a short question: when I want to make the eapol_test tool, I get this error: # make eapol_test /usr/bin/ld: cannot find -lnl collect2: error: ld returned 1 exit status make: *** [eapol_test] Error 1 I've followed all th

Re: pap always returns noop for windows dialup authentication [solved]

2013-09-24 Thread paul trader
(and user info in general) in the users file is important for windows authentication. strangely enough, it doesn't seem to matter for a linux dialup, though. thanks to everyone for the help! regards, paul

Re: EAP-TLS Authentication

2013-09-23 Thread Muhammad Nadeem
-->Please suggest any document which can help in better understanding on TLS Authentication. Arvind, I also faced the same issue at beginning , but I would suggest to read Freeradius own documentation. That is probably the best. On Mon, Sep 23, 2013 at 7:45 PM, arvind132 . wrote: > Hi,

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers
On 23/09/2013 18:19, paul trader wrote: hi phil - ok, here's the full debug for a successful request: [files] users: Matched entry test at line 1 Versus and here's the full output of a failed request: [files] users: Matched entry DEFAULT at line 172 The two request look very similar, but

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
from the authentication request shows the username to be "test" and there's clearly a user named "test" in the users file. every place in the debug output where it lists the username it's "test". there doesn't seem to be any domain prepended to it. wh

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Alan DeKok
paul trader wrote: > i used a default v2 install and only changed the users and clients.conf > files. everything else was left alone. Well, there's no magic. If the "users" file entry doesn't match, it's because the User-Name isn't "test". Alan DeKok.

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 02:07 PM, paul trader wrote: > On Mon, 23 Sep 2013 at 13:31, John Dennis opined: > > JD:You still haven't sent the full debug. > > hi john - thanks for your reply. i sent the output from running radiusd > -X, are you saying i need to run -Xxx and send that instead? No. It means a

EAP-TLS Authentication

2013-09-23 Thread arvind132 .
Hi, I am facing some issues with 802.1x EAP-TLS Authentication. Please suggest any document which can help in better understanding on TLS Authentication. Thanks.

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
noop ++[digest] returns noop [suffix] No '@' in User-Name = "test", looking up realm NULL [suffix] No such realm "NULL" ++[suffix] returns noop [eap] No EAP-Message, not doing EAP ++[eap] returns noop [files] users: Matched entry DEFAULT at line 172 ++[files] returns ok +

pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
hi all - i've recently tried upgrading from v1 to v2. on a centos 6.4 box w/ all latest updates, i installed freeradius v2, added one username and password to /etc/raddb/users: test Cleartext-Password := "testing" and the radtest command-line authentication works. i then ad

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread John Dennis
On 09/23/2013 01:19 PM, paul trader wrote: > eOn Mon, 23 Sep 2013 at 17:52, Phil Mayers opined: > > PM:It's difficult to say, because the debug you sent has all the useful > PM:bits trimmed out - like the original packet, and the full module > PM:processing chain. You still haven't sent the ful

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread Phil Mayers
On 23/09/13 17:33, paul trader wrote: am i doing something glaringly wrong, or just going plain crazy? It's difficult to say, because the debug you sent has all the useful bits trimmed out - like the original packet, and the full module processing chain. Send a full debug, and odds are som

Re: pap always returns noop for windows dialup authentication

2013-09-23 Thread paul trader
On Mon, 23 Sep 2013 at 13:31, John Dennis opined: JD:You still haven't sent the full debug. hi john - thanks for your reply. i sent the output from running radiusd -X, are you saying i need to run -Xxx and send that instead? or are you looking for the startup output as well? i only included t

Re: Authentication

2013-09-23 Thread Michael Schwartzkopff
On Monday, 23 September 2013, 13:53:14, ken.farrington wrote: > Just also beware that the MAC can be spoofed also with lots of programs :) Yes: ip link dev ... set addr ... > > On 23 September 2013 at 13:46 Nikolaos Milas wrote: > > > > On 23/9/2013 3:14 PM, Free-Radius wrote: > > > I wonder

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Alan DeKok
Husnain Taseer wrote: > In tcpdump asterisk not sending request to the freeradius can u tell > after configuring freeradius what configurations are needed to be done > in asterisk. You were told to ask this question on the asterisk mailing list. We are not asterisk, and we know nothing about

Re: Authentication

2013-09-23 Thread ken.farrington
Just also beware that the MAC can be spoofed also with lots of programs :) > On 23 September 2013 at 13:46 Nikolaos Milas wrote: > > On 23/9/2013 3:14 PM, Free-Radius wrote: > > > > > I wonder if the Freeradius to authenticate a client by IP number, > > without using login and password, only the

Re: Authentication

2013-09-23 Thread Nikolaos Milas
On 23/9/2013 3:14 PM, Free-Radius wrote: I wonder if the Freeradius to authenticate a client by IP number, without using login and password, only the IP. If possible, how to do? You can authenticate a client based on MAC Address. See http://wiki.freeradius.org/guide/Mac-Auth for various sce

Authentication

2013-09-23 Thread Free-Radius
Dear, I wonder if the Freeradius to authenticate a client by IP number, without using login and password, only the IP. If possible, how to do? thank you --- Marcelo

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
In tcpdump asterisk not sending request to the freeradius can u tell after configuring freeradius what configurations are needed to be done in asterisk. Regards, Husnain Taseer On Mon, Sep 23, 2013 at 4:11 PM, Adam Bishop wrote: > On 23 Sep 2013, at 11:27, Husnain Taseer wrote: > > > Even I

Re: Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Adam Bishop
On 23 Sep 2013, at 11:27, Husnain Taseer wrote: > Even I don't get any request from asterisk server in radius logs. You're looking at the wrong layer for the problem. Fire up tcpdump. Do you see any radius traffic leaving the asterisk box? Does it reach the RADIUS server? If no traffic is l

Facing Problem in Asterisk peer Authentication with Freeradius.

2013-09-23 Thread Husnain Taseer
ister peer in asterisk the freeradius authentication doesn't work. Even I don't get any request from asterisk server in radius logs. My sip.conf configuration is : [1000] type=friend context=test auth_type=radius host=dynamic and user credentials are placed in /usr/local/etc/raddb/users

Re: Active Directory authentication question

2013-09-19 Thread Roberto Carna
Thanks Stepahn for all your important help. Regards, Roberto 2013/9/19 : >> What I mean is that EAP-TLS is easier to me than AD authentication at >> this point, because I've just put it to work...and if I want to use AD >> auth I have to take EAP-TLS out and sta

RE: Active Directory authentication question

2013-09-19 Thread stefan.paetow
> What I mean is that EAP-TLS is easier to me than AD authentication at > this point, because I've just put it to work...and if I want to use AD > auth I have to take EAP-TLS out and start again with NTLM / AD > authentication is it OK ??? Roberto, you don't have to rem

Re: Active Directory authentication question

2013-09-18 Thread Alan DeKok
tabase. They store user information. They don't authenticate users. FreeRADIUS is an authentication server. Where necessary, it pulls user information from a database. It also returns user profiles to a WiFI AP. e.g. VLAN, etc. Alan DeKok.

Re: Active Directory authentication question

2013-09-18 Thread Roberto Carna
Arran, I have a private CA and I've created the server and client certs of course...and I've generated the .p12 cert (including the CA cert) to install in my Windows 7 clients it works OK. What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I

Re: Active Directory authentication question

2013-09-18 Thread John Dennis
-TLS is easier to me than AD authentication at > this point, because I've just put it to work...and if I want to use AD > auth I have to take EAP-TLS out and start again with NTLM / AD > authentication is it OK ??? I think you have a misconception. The client decides what type of aut

Re: Active Directory authentication question

2013-09-18 Thread Arran Cudbard-Bell
orm lookups based on fields in the cert presented, but it can't be used to store X.509 certificate data. > And finally, if I use EAP-TLS with X.509 certificates, do you mean I > don't need to use the authentication against the active directory > database ??? Maybe this is easi

Re: Active Directory authentication question

2013-09-18 Thread Roberto Carna
e they are checked against MySQL database (because I see the query in debug mode). Is this correct or not ??? And finally, if I use EAP-TLS with X.509 certificates, do you mean I don't need to use the authentication against the active directory database ??? Maybe this is easier to me because I

Re: Active Directory authentication question

2013-09-18 Thread Alan DeKok
ave to change the authentication from MySQL to a remote Active > Directory on a Windows 2012 server. FreeRADIUS is an authentication server. MySQL is not. It's a database. Using the correct terminology means it's easier to come up with a solution. Using the wrong terminology me

Active Directory authentication question

2013-09-18 Thread Roberto Carna
Dear, I have several Windows 7 clients over WiFi authenticating through EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it works OK. Now I have to change the authentication from MySQL to a remote Active Directory on a Windows 2012 server. Because I don't know so much

Re: differentiate authoriztion/ authentication in separate ldap modules

2013-09-04 Thread Arran Cudbard-Bell
On 4 Sep 2013, at 13:10, "Hachmer, Tobias" wrote: >>> How can I do this and how "magic" could I rewrite the DN? >>> The local ldap DIT and the AD DIT are totally different (different OU >>> structure). It is much more than rewrite the base DN. >>> When there's no way to determine the DN in AD

AW: differentiate authoriztion/ authentication in separate ldap modules

2013-09-04 Thread Hachmer, Tobias
>> How can I do this and how "magic" could I rewrite the DN? >> The local ldap DIT and the AD DIT are totally different (different OU >> structure). It is much more than rewrite the base DN. >> When there's no way to determine the DN in AD DIT again I think I can >> achieve this more easy using

Re: differentiate authoriztion/ authentication in separate ldap modules

2013-09-04 Thread Arran Cudbard-Bell
On 4 Sep 2013, at 06:54, "Hachmer, Tobias" wrote: > Hello Alan, > >>> Hachmer, Tobias wrote: >>> - Rewrite DN? >> You can rewrite the DN. That's why it's editable, as the LDAP-UserDn >> attribute. > > How can I do this and how "magic" could I rewrite the DN? > The local ldap DIT and t

AW: differentiate authoriztion/ authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
Hello Alan, >>Hachmer, Tobias wrote: >> - Rewrite DN? > You can rewrite the DN. That's why it's editable, as the LDAP-UserDn > attribute. How can I do this and how "magic" could I rewrite the DN? The local ldap DIT and the AD DIT are totally different (different OU structure). It is muc

Re: differentiate authoriztion/ authentication in separate ldap modules

2013-09-03 Thread Alan DeKok
Hachmer, Tobias wrote: > - Rewrite DN? You can rewrite the DN. That's why it's editable, as the LDAP-UserDn attribute. Alan DeKok.

AW: differentiate authoriztion/ authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
> As far as I know it is not possible to use a ldap module to authenticate > against AD. See this page for protocol compatibility: Thank you for the answer. But it is possible using simple bind via ldap. But that's not my problem. Regards, Tobias Hachmer

Re: differentiate authoriztion/ authentication in separate ldap modules

2013-09-03 Thread Michael Schwartzkopff
22:51 > > - OpenLDAP: slapd 2.4.23 (Apr 29 2013 07:47:08) > > Here we use Microsoft Active Directory (not in our responsibility) for User > Authentication. I have set up an OpenLDAP Master/ Slave construct > (syncrepl) for RADIUS auth

differentiate authoriztion/ authentication in separate ldap modules

2013-09-03 Thread Hachmer, Tobias
responsibility) for User Authentication. I have set up an OpenLDAP Master/ Slave construct (syncrepl) for RADIUS authorization and (fallback) authentication, like: LDAP Master

Can't figure out Group Authentication

2013-08-08 Thread Jernej
Hi! i am kindly asking for help or pointing right way to solve this problem. Right now we are using LDAP for authentication to IBM products. Last thing we try to do is use Freeradius on same LDAP schema for wireless purposes (Cisco network). We didn't have problems with basic authentic

Re: Diffrent authentication based by SSID

2013-08-06 Thread Marcin
Thank You for reply Alan. I have working eap-tls for my staff and On 5 August 2013 21:52 a.l.m.bu...@lboro.ac.uk wrote: Hi, > In that situation i need to have active, both sql and ldap, authorization > modules in inner-tunnel. So users, who should identify by login/pass in > guest SSID, ca

Re: Diffrent authentication based by SSID

2013-08-05 Thread A . L . M . Buxey
Hi, >In that situation i need to have active, both sql and ldap, authorization >modules in inner-tunnel. So users, who should identify by login/pass in >guest SSID, can be authenticate via inner-tunnel ldap module. I don't want >this. use whatever you want to use. what do you use

Re: Diffrent authentication based by SSID

2013-08-05 Thread Marcin
henticate > two groups of users. One group for local staff based on eap-tls, second > group to others based on OpenLdap authentication. My AP's have 2 SSID's > broadcasting. One for the staff, second for others. Is there a > possibility, to use one radius server to handle thi

Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread Matthew Newton
On Mon, Aug 05, 2013 at 12:50:20PM +0530, rajeev sr wrote: > I am trying to run the radtest on local machine which is CentOS 6.0. But am > getting the following error while sending the Access Request message from > client which is another machine. > > The user name is defined in users file under /

Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread A . L . M . Buxey
Hi, > User-Password = "\334a\004\305\355x\321\332G\306\362b\226~\355+" that line and the following in the debug: >Fri Aug 2 16:45:38 2013 : Debug: WARNING: Unprintable characters in the >password. Double-check the shared secret on the server and the NAS! are quite clear.

Re: Freeradius -username for authentication is not picking from users file.

2013-08-05 Thread Arran Cudbard-Bell
On 5 Aug 2013, at 08:20, rajeev sr wrote: > Hello, > > > I am trying to run the radtest on local machine which is CentOS 6.0. But am > getting the following error while sending the Access Request message from > client which is another machine. > > > The user name is defined in users file

EAP-SIM authentication problem at 2nd stage

2013-07-30 Thread johan firdianto
dear guest, i have problem in eap-sim authentication. I'm using freeradius 2.2.0, blackberry 9220 here my simtripletsdat. file 1510012660372465,AF6876E748BD46bf853A99DC2032F0A7,95762655,449177635B92bc00 1510012660372465,A1A9AC744E8D49819D27A79B067BCA69,257b31c6,64ff9467DEa

Re: Authenticate against one module, if fail attempt authentication against another

2013-07-29 Thread A . L . M . Buxey
Hi, >If the user authenticates against to radius server and fails NTLM_AUTH, >the request will then be authenticated against PAM and if it still fails >it will be rejected. use a bit of the unlang construct with the failover method. http://wiki.freeradius.org/config/Fail%20over so,

Authenticate against one module, if fail attempt authentication against another

2013-07-29 Thread Ben Parker
I currently have two auth types (NTLM_AUTH and PAM) in my default site configuration (using FreeRadius version 2.1.12) - although I would like to achieve the following: If the user authenticates against to radius server and fails NTLM_AUTH, the request will then be authenticated against PAM and if

Re: Diffrent authentication based by SSID

2013-07-25 Thread Marcin
users. One group for local staff based on eap-tls, second > group to others based on OpenLdap authentication. My AP's have 2 SSID's > broadcasting. One for the staff, second for others. Is there a > possibility, to use one radius server to handle this scenario? Yes. Just update

Re: Diffrent authentication based by SSID

2013-07-25 Thread Alan DeKok
Marcin wrote: > I'm new with FreeRadius. I would like to use FreeRadius to authenticate > two groups of users. One group for local staff based on eap-tls, second > group to others based on OpenLdap authentication. My AP's have 2 SSID's > broadcasting. One for the staff,

Diffrent authentication based by SSID

2013-07-25 Thread Marcin
Hi.   I'm new with FreeRadius. I would like to use FreeRadius to authenticate two groups of users. One group for local staff based on eap-tls, second group to others based on OpenLdap authentication. My AP's have 2 SSID's broadcasting. One for the staff, second for oth

Re: MSCHAPv2 authentication failure

2013-07-23 Thread Alan DeKok
Tekán Dávid wrote: > Don't want to store cleartext password, so i created for every user an > NT-Password as well beyond the MD5-Password, and it appears in the sql > database as well (also checked the queries when it queries the > rad_check table, it's there in the response as well). You need t

MSCHAPv2 authentication failure

2013-07-23 Thread Tekán Dávid
NT-Password. [mschap] Creating challenge hash with username: tekan [mschap] Client is using MS-CHAPv2 for tekan, we need NT-Password [mschap] FAILED: No NT/LM-Password. Cannot perform authentication. [mschap] FAILED: MS-CHAP2-Response is incorrect (where tekan is my username) Thanks for all the help.

Re: authentication by hostname

2013-07-23 Thread Mathieu Simon
scribed by deployingradius.com you can in authenticate computer accounts. - It required me to tweak the LDAP default config for group-based authorization, but In case this is what you are looking for, ping back and I can show you LDAP filters i use. If you are only into authentication, most likely the public pages wi

Re: LDAP authentication filter based on source SSID

2013-07-22 Thread Gustavo Vieira Oliveira
Yes it does. We found the solution by creating a rule that maps all the BSSID related to some SSID and then we do a specific filter to LDAP, so we did it for every SSID. Thanks for the help! Regards, Gustavo Vieira Oliveira GETIC - Gerência de Tecnologia da Informação SUSERV - Super

Re: authentication by hostname

2013-07-22 Thread Alan DeKok
Stefan Sticht wrote: > I want to change a FreeRadius server to authenticate a few hosts by their > hostnames. > The hostnames would be stored in a config file. That's not how RADIUS works. > How could I do this? You can't. > This is the authentication request:

authentication by hostname

2013-07-22 Thread Stefan Sticht
Hi, sorry, I am completely new to Radius … I want to change a FreeRadius server to authenticate a few hosts by their hostnames. The hostnames would be stored in a config file. How could I do this? This is the authentication request: rad_recv: Access-Request packet from host 10.10.10.21 port

Ignoring request to authentication IPv6address

2013-07-22 Thread Murali Krishnan
configuration in clients.conf. Client fd00:1:1:1::/63{ secret=mykey } But it throws the below error when I ran the radius in debug mode Ignoring request to authentication address :: port 1812 from unknown client fd00:1:1:1

Re: FreeRadius error LDAP Authentication

2013-07-19 Thread Peter Lambrechtsen
You shouldn't have quotes around your username or domain. You should use identity = "cn=user,ou=people,dc=domain,dc=it" On 19/07/2013 7:05 PM, "Marco Aresu" wrote: > Hi All, > i am new about FreeRadius. I am moving from Cisco ACS Tacacs to > FreeRadius. During LDAP configuration i am getting the

FreeRadius error LDAP Authentication

2013-07-19 Thread Marco Aresu
Hi All, i am new about FreeRadius. I am moving from Cisco ACS Tacacs to FreeRadius. During LDAP configuration i am getting the follow error : [ldap] bind as cn="User",ou=people,dc="domain",dc=it/"Password" to "ldapserver":636 [ldap] waiting for bind result ... [ldap] cn="user",ou=people,dc="

RE: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread stefan.paetow
Considering that LDS will still be running Active Directory, give your reception login(s) the permission to administer the Guest-Network OU (i.e. add/delete/edit users), and continue to use the NTLM authentication you use with the primary AD. Active Directory uses MS-CHAPv2, so using the

Re: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread Alan DeKok
limacher david wrote: > I'm looking for a solution to realize a FreeRadius Server, which can > Authenticate against primary a AD and as second method against AD LDS > (Lightweight Directory from Windows). Follow this guide: http://deployingradius.com/documents/configuration/active_directory.htm

Re: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-15 Thread Fajar A. Nugraha
On Tue, Jul 16, 2013 at 1:02 PM, limacher david wrote: > Hello > > I'm looking for a solution to realize a FreeRadius Server, which can > Authenticate against primary a AD and as second method against AD LDS > (Lightweight Directory from Windows). > We want for our WLAN, that in the Guest-Network

Re: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-15 Thread Alan Buxey
Hi Store the passwords in nt-hash format. Use guest usernames with a particular format so that you can use some simple unlang to select the right type of authentication rather than hitting each method and causing unnecessary load and delay alan

FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-15 Thread limacher david
Hello I'm looking for a solution to realize a FreeRadius Server, which can Authenticate against primary a AD and as second method against AD LDS (Lightweight Directory from Windows). We want for our WLAN, that in the Guest-Network employees can use their AD-Login (I already implemented that wi

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Matthew Newton
On Fri, Jul 12, 2013 at 12:48:48PM -0300, Gustavo Vieira Oliveira wrote: > The problem is that we have to do it manually (the Controller > doesn't support it) in the AP, so when it reboots for some reason it > cannot authenticate cause the RADIUS doesn't receive the SSID. So, > we need an alternat

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira
We got it working, the AP is sending the SSID with the calling station ID but only setting "radius-server vsa send" in the Access-point. The problem is that we have to do it manually (the Controller doesn't support it) in the AP, so when it reboots for some reason it cannot authenticate cause

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Alan Buxey
Look at the requests coming from your AP in debug mode. You should see information there that can be used, e.g. called station id with SSID appended or a VSA with the SSID name or number in it. Use that with your policy. alan

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira
Olivier, You don't need to set "radius-server vsa send" in the AP so it sends the SSID in the authentication request? Regards, Gustavo Vieira Oliveira GETIC - Gerência de Tecnologia da Informação SUSERV - Superintendência de Serviços Compartilhados Sistema FIESC Rod

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira
- SC Phone (48) 32314699 - Ext. 44699 http://www.sistemafiesc.com.br On 12/07/2013 12:14, Olivier Beytrison wrote: On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote: I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP. Hello. which version of freeradius are you

Re: LDAP authentication filter based on source SSID

2013-07-12 Thread Olivier Beytrison
On 12.07.2013 17:03, Gustavo Vieira Oliveira wrote: > I need some help with RADIUS regarding Wireless authentication with > RADIUS + LDAP. Hello. which version of freeradius are you running ? > I need to check if the user has permission to connect to a specific > SSID, so we

LDAP authentication filter based on source SSID

2013-07-12 Thread Gustavo Vieira Oliveira
Hello! I need some help with RADIUS regarding Wireless authentication with RADIUS + LDAP. I need to check if the user has permission to connect to a specific SSID, so we check a LDAP attribute for that. By that, we need to know from which SSID the authentication is being requested so we

Re: freeRADIUS for switch authentication

2013-07-09 Thread Gab Quidilla
Good day, I have a problem wherein daloradius doesn't read the freeradius log file. Do I need to chown or chmod anything? Am using CentOS 6.4, and log file is located in /var/log/radius/radius.log. I already chmod'ded 777 the log file and it still wouldn't open thru daloradius interface. I can ope

Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi, >(Sorry if this is OT) As I understand, I couldn't use 802.1x >authentication on just the switches themselves? Since a client must have >certificates to authenticate to a server. What I just wanted to accomplish >is to authenticate the switches only on the

Re: freeRADIUS for switch authentication

2013-07-08 Thread Gab Quidilla
Hi, thanks for the reply. (Sorry if this is OT) As I understand, I couldn't use 802.1x authentication on just the switches themselves? Since a client must have certificates to authenticate to a server. What I just wanted to accomplish is to authenticate the switches only on the radius serve

Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi, >Sending Access-Accept of id 0 to 10.141.1.129 port 49154 ^^ Access-Accept sent from the server. The RADIUS server has done its thing. If the NAS isn't working then you have missed some configuration option on the NAS. alan

Re: freeRADIUS for switch authentication

2013-07-08 Thread A . L . M . Buxey
Hi, >Ready to process requests. >rad_recv: Accounting-Request packet from host 10.141.1.129 port 49154, >id=0, length=84 That's an accounting packet. alan

Re: freeRADIUS for switch authentication

2013-07-08 Thread Gab Quidilla
Sorry for not including it in the first post, freeradius version used is the latest in CentOS repo. The output on the first post is for the web-based login, I forgot that I only configured it on console login Here is the output: Ready to process requests. rad_recv: Access-Request packet from h

Re: Problem with CISCO WIRELESS CONTROLLER and RADIUS Authentication

2013-07-04 Thread Alan Buxey
Those are VSA that you are getting from the NAS. Your WiFi kit is centrally managed so config is pushed from the controller. alan
