Deepti kulkarni wrote:
> I have a windows client trying to set up L2TP tunnel with my linux
> router. The linux router talks with the RADIUS server. The
> authentication is failing because the request is using MS-CHAP and my
> server cannot handle MS-CHAP. I am not sure what is miss
I have a windows client trying to set up L2TP tunnel with my linux router.
The linux router talks with the RADIUS server. The authentication is
failing because the request is using MS-CHAP and my server cannot handle
MS-CHAP. I am not sure what is missing from the configuration on the
server. I
On 01/11/12 11:22, Gokhan Gunyol wrote:
Hi;
We upgraded our radius to Freeradius 2.1.10 version on Ubuntu 32bit
from an old version
Which old version.
Our problem is windows xp clients can't login to wireless and radius has
“User-Name (machine\user) is not the same as MS-CHAP Name (user
On 23/10/12 10:52, Daniel Ekman wrote:
the send_error was added to version 2.1.11 as a bug fix "Allow
EAP-MSCHAPv2 to send error message to client. This change allows some
clients to prompt the user for a new password. See raddb/eap.conf,
mschapv2 section, "send_error"."
I know that. I mean "l
Thanks for replying and sorry if I'm being vague, I'll try and be more specific.
On Tue, Oct 23, 2012 at 10:59 AM, Phil Mayers wrote:
> On 10/22/2012 09:13 AM, Daniel Ekman wrote:
>>
>> Hi list,
>>
>> I have a fairly large user base doing WPA2-enterprise from various
>> OS'es and smartphones, ou
On 10/22/2012 09:13 AM, Daniel Ekman wrote:
Hi list,
I have a fairly large user base doing WPA2-enterprise from various
OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when peopl
Hi list,
I have a fairly large user base doing WPA2-enterprise from various
OS'es and smartphones, our FreeRADIUS is running v.2.1.12 and is
authenticating via LDAP and things are running pretty well, only snag
I have currently with this is when people change their password. I
realize this has be
ists.freeradius.org
[mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org]
On Behalf Of Alan Buxey
Sent: 17 October 2011 09:21
To: FreeRadius users mailing list
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
Hi,
> Thanks for that.
> I had left some pre
Hi,
> Thanks for that.
> I had left some previous versions of files in the modules directory not
> knowing that they are still active.
> Moving them to another location progressed me to the following error:
yes, FreeRADIUS will read ALL files in sites-enabled/ and ALL files in modules/
directory
us.org
[mailto:freeradius-users-bounces+martin.ubank=uwe.ac...@lists.freeradius.org]
On Behalf Of James J J Hooper
Sent: 14 October 2011 18:29
To: freeradius-users@lists.freeradius.org
Subject: Re: Configuring FreeRADIUS to use ntlm_auth for MS-CHAP
On 14/10/2011 16:13, Martin Ubank wrote:
> Here’s the
On 14/10/2011 16:13, Martin Ubank wrote:
Here’s the full output from ‘radiusd –X’:
The bit at the top that tells us what radiusd has read from the config
files is missing.
It's not executing ntlm_auth by the looks of what you posted, so you need
to look at why. The first bit of radiusd -X w
>
> I can see from the 'radiusd -X' output that FreeRadius is not using MS-CHAP
> correctly:
>
>
> [eap] processing type mschapv2
> [mschapv2] +- entering group MS-CHAP {...}
> [mschap] No Cleartext-Password configured. Cannot create LM-Password.
> [msc
started to configure FreeRadius with AD and successfully tested it to use
ntlm_auth.
I've got to the final stage "Configuring FreeRADIUS to use ntlm_auth for
MS-CHAP" in the deployment process.
This stage says:
1) "... delete the testing entry used above from the users f
Hi,
I seem to have the same issue as described in this thread, I also have
XP/Novell legacy clients, and I want to move to AD from eDir.
Re: Error: User-Name is not the same as MS-CHAP
name<https://lists.freeradius.org/pipermail/freeradius-users/2011-June/msg00070.html>
The last mention
... that's it.
I was blind while searching for a FreeRADIUS issue.
I'm sorry for the lost time, anyway thank you for the answers.
On 11/07/2011 14:22, Alan DeKok wrote:
Bastien Semene wrote:
I express myself very badly, sorry.
The configuration I put in my first mail is the current configu
Bastien Semene wrote:
> I express myself very badly, sorry.
>
> The configuration I put in my first mail is the current configuration,
> running, after restart.
> The debug and commands output are from the current - reloaded -
> configuration.
> There's only 1 entry in the radcheck table, and it's
s
"blabla".
The three error outputs are relative to the logs. This means that the
three cases are different :
old password => working (and should not at all)
current password "blabla" => [mschap] Told to do MS-CHAPv1 with
NT-Password \n [mschap] MS-CHAP-Response is
On 11.07.2011 15:18, user "Alan DeKok"
wrote:
>
> Users have one password. You can't authenticate with any one of three
> passwords. The authentication protocols just don't work that way.
>
Think Bastien means this:
1. Start server, user has password "password123".
2. Authentication succe
Alexey Shildyakov wrote:
> I think he means that only the first password works. The second and third
> versions of the password for the same user don't work.
Users have one password. You can't authenticate with any one of three
passwords. The authentication protocols just don't work that way.
On 11.07.2011 15:06, user "Alan DeKok"
wrote:
>
> Bastien Semene wrote:
> > I'm currently - trying to - set up a radius server.
> > The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
> >
> > During my tests, for the same user I used "test" password, then "blabla"
> > passwor
Bastien Semene wrote:
> I'm currently - trying to - set up a radius server.
> The backend used is MySQL. I'm using FreeRADIUS 2.1.11 on FreeBSD 8
>
> During my tests, for the same user I used "test" password, then "blabla"
> password.
> Now, I use "blabla" and it's not working. instead "test" is s
an no
reboot).
How can this happen ?
radtest commands :
# radtest -t mschap bsemene test 10.1.8.4 0 testing123
Sending Access-Request of id 166 to 10.1.8.4 port 1812
User-Name = "bsemene"
NAS-IP-Address = 10.1.8.4
On 03/06/11 15:09, Johan Meiring wrote:
On 2011/06/03 02:15 PM, Phil Mayers wrote:
I'm not downloading a torrent of copyrighted software to fix someone
else's
problem.
As long as you don't get a key, it is legal.
This is getting farcical...
Not picking on any one specific person here, but
Johan Meiring wrote:
> As long as you don't get a key, it is legal.
No.
This list is not the place to discuss non-FreeRADIUS software.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
On 2011/06/03 02:15 PM, Phil Mayers wrote:
I'm not downloading a torrent of copyrighted software to fix someone else's
problem.
As long as you don't get a key, it is legal.
--
Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782
Before acting on thi
On 03/06/11 13:10, Paul Harris wrote:
On 02/06/11 14:47, Francois Gaudreault wrote:
Did you have a chance to look at it?
Ironically I'm having trouble finding a windows XP install CD...
I have a link to a torrent, just send me a email at pau...@mail.com
Or not.
I'm not downloading a
On 02/06/11 14:47, Francois Gaudreault wrote:
>>>
>> Did you have a chance to look at it?
>Ironically I'm having trouble finding a windows XP install CD...
I have a link to a torrent, just send me a email at pau...@mail.com
On 06/02/2011 10:39 PM, Fajar A. Nugraha wrote:
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers wrote:
On 02/06/11 14:47, Francois Gaudreault wrote:
Did you have a chance to look at it?
Ironically I'm having trouble finding a windows XP install CD...
This might help:
Not really.
On Thu, Jun 2, 2011 at 9:01 PM, Phil Mayers wrote:
> On 02/06/11 14:47, Francois Gaudreault wrote:
>
>>>
>> Did you have a chance to look at it?
>
> Ironically I'm having trouble finding a windows XP install CD...
This might help:
http://www.microsoft.com/downloads/en/details.aspx?FamilyID=21eabb
On 02/06/11 14:47, Francois Gaudreault wrote:
Did you have a chance to look at it?
Ironically I'm having trouble finding a windows XP install CD...
Hi Phil,
What I really want to understand is, whether the check is too strict
and FreeRADIUS should be fixed, or whether Windows XP is just buggy.
I will try to check this tomorrow.
e.g. maybe the check should be:
if eap.username == mschap.username:
ok
elif not mschap.domain:
if eap.stri
Hi,
On 11-05-30 9:55 AM, Phil Mayers wrote:
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john are the same
person; you can't just ignore the fact that the client has changed
their username.
True. But I don't think it
ss
-Original Message-
From: Phil Mayers
Sender: freeradius-users-bounces+ironrake=yahoo@lists.freeradius.org
Date: Mon, 30 May 2011 14:55:03
To: FreeRadius users mailing list
Reply-To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name
On Mon, M
On Mon, May 30, 2011 at 07:54:01AM -0400, Francois Gaudreault wrote:
There's no guarantee that STAFF\john and STUDENT\john are the same
person; you can't just ignore the fact that the client has changed
their username.
True. But I don't think it is possible to send a different Username in
E
Hi Phil,
Forget about all that. Adding Realm's and fiddling with the packet
won't help; the check is hard-coded into the mschap module as a fairly
obvious security measure.
For example - suppose I have an environment with two separate domains:
STAFF
STUDENTS
...if the mschap module did *not
On 05/29/2011 03:10 PM, Francois Gaudreault wrote:
Hi Phil,
On 11-05-29 6:16 AM, Phil Mayers wrote:
Ok, so as before what we're seeing is that the host is sending
STIC08862\TechRMC
...in the EAP-Identity response, but:
TechRMC
...in the MSCHAP packet (the hex above decodes to that)
This is
Hi Phil,
On 11-05-29 6:16 AM, Phil Mayers wrote:
Ok, so as before what we're seeing is that the host is sending
STIC08862\TechRMC
...in the EAP-Identity response, but:
TechRMC
...in the MSCHAP packet (the hex above decodes to that)
This is obviously broken, but here's where I get confused:
On 05/28/2011 06:33 PM, Francois Gaudreault wrote:
Sending tunneled request
EAP-Message =
0x020700421a0207003d3187ddf68b18fb1dce4cdd5b001c06abc09a7812e4d4a1f425347de951e68fac50054fd8ff32d403fa0054656368524d43
FreeRADIUS-Proxied-To = 127.0.0.1
User-Name
LSE
[eap] EAP packet type response id 7 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
[ldap] performing user authorization for STIC08862\TechRMC
[ldap] expand: (uid=%{mschap:User-Name}) -> (uid=TechRMC)
[ldap] expand: o=CSPI -> o=CSPI
authorization
will work properly, but the authentication will fail even if the
Cleartext-Password attribute is set by the LDAP module. It will throw
that MS-CHAP error. We also ensure that everything that comes from
something that is not matching host/something will use the
MS-CHAP-NTLM-Auth
On 05/27/2011 09:04 PM, Francois Gaudreault wrote:
Hi,
I had a look at this issue with him since he is one of our clients.
Machine authentications are working flawlessly, windows 7 authentication
as well (no hostname is sent with the username).
I honestly lost track of this issue; the guy had s
Francois Gaudreault wrote:
> We are using mschap:user-name in the LDAP filter and in the ntlm_auth
> line. Again, we are *NOT* rewriting the User-Name.
>
> We need other ideas here.
Post the debug output.
Alan DeKok.
unnel.
*Why* are you re-writing them? What do you expect to do with the
names? Why isn't there another way to achieve the same goal?
We do not rewrite anything. LDAP authorization passes properly, but when EAP
authentication kicks in, we have this MS-CHAP error.
We are using mschap:u
Robert Mc Cready wrote:
> The host names are not domain names, they are computer account names, and we
> have hundreds of them. We only use the MS Domain to authenticate the
> computer accounts, not the users.
Well... re-writing the names in the "inner-tunnel" server is breaking
authentication.
type response id 19 length 66
[eap] No EAP Start, assuming it's an on-going EAP conversation
++[eap] returns updated
++[files] returns noop
[ldap] performing user authorization for CAD08862\ldapuser
[ldap] expand: %{Stripped-User-Name} -> ldapuser
[ldap] expand: (uid=%{%{Stripped-Use
s.org
[mailto:freeradius-users-bounces+robert-mccready=cspi.qc.ca@lists.freeradius
.org] On behalf of Alan DeKok
Sent: 10 May 2011 10:49
To: FreeRadius users mailing list
Subject: Re: Error: User-Name is not the same as MS-CHAP name
Robert Mc Cready wrote:
> If the User-Name is being rewritten i
Robert Mc Cready wrote:
> If the User-Name is being rewritten it is not intentional.
Well... it's obviously someone you've changed, because it doesn't
happen in the default configuration.
> Now, I reinstalled from scratch, save the default configuration, join the
> server to the domain, modifie
On 05/10/2011 03:35 PM, Robert Mc Cready wrote:
If the User-Name is being rewritten it is not intentional.
Now, I reinstalled from scratch, save the default configuration, join the
server to the domain, modified clients.conf, attr_rewrite, ldap, mschap and
inner-tunnel and ran diff. I can see in
ed-User-Name}:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
freeradius:/etc # diff raddb/sites-available/inner-tunnel
raddefault/sites-av
Robert Mc Cready wrote:
> I do not rewrite the User-name attribute I rewrite only the
> Stripped-User-Name attribute with these:
No. Go READ the debug log you posted. The "inner-tunnel" virtual
server gets:
Sending tunneled request
EAP-Message = 0x020800421a0208003d314cc241739d871a4cb33b63386
te:attribute = Stripped-User-Name
modules/ldap: filter = "(uid=%{%{Stripped-User-Name}:-%{User-Name}})"
The User-Name attribute is untouched.
[mschap] ERROR: User-Name (CAD08862\ldapuser) is not the same as MS-CHAP
Name (ldapuser) from EAP-MSCHAPv2
As I mentioned be
On 05/07/2011 07:50 PM, Robert Mc Cready wrote:
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2". Users
On 2011-05-07 20:50, Robert Mc Cready wrote:
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one
problem with Windows XP clients, I get a " [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2".
The "MS-CHAP-Use-NTLM-Auth := no" did the job but I still have one problem
with Windows XP clients, I get a " [mschap] ERROR: User-Name
(CAD08862\ldapuser) is not the same as MS-CHAP Name (ldapuser) from
EAP-MSCHAPv2". Users log on locally, the host name is not a domain nam
change patches
> o a simpler two patch solution which does not do passwords - the
> challenge patch and a rearrangement patch which detects responses to
> retry challenges?
I'd like the changes to be split logically.
(1) changes to allow retry for EAP-MSCHAPv2
(2) MS-CHAP password
ny thing I can do to help get this accomplished?
johnh...
On Tue, 26 Apr 2011, Alan DeKok wrote:
Date: Tue, 26 Apr 2011 07:57:09
From: Alan DeKok
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote:
john.hayw...@wheaton.edu wrote:
> Just a brief update.
>
> In addition to Windows-7 behavior on Windows-XP, Macs and Iphones are as
> expected with this retry patch - user is presented with a password
> dialog box and the connection is not aborted - user only needs to enter
> the correct password
On 04/22/2011 11:22 AM, Alan Buxey wrote:
Hi,
Do we know if the password change (and adjustments to retry which make
it work) will be included in 2.1.11?
If enough people test it and say it works.
do we have a direct single known patch now for application to a 2.1.10
source? (there's bee
Hi,
> > Do we know if the password change (and adjustments to retry which make
> > it work) will be included in 2.1.11?
>
> If enough people test it and say it works.
do we have a direct single known patch now for application to a 2.1.10
source? (there's been a lot of subtle updates flying aro
On 04/22/2011 09:56 AM, Alan DeKok wrote:
If enough people test it and say it works.
2.1.11 is a "stable" release, so breaking things is very, very, bad.
Agreed. It's an extensive change, and needs extensive testing.
Personally I'd be inclined to say don't delay 2.1.11.
I hope to be a
john.hayw...@wheaton.edu wrote:
> I like your changes better. It allows to in the future add a retry max
> so each failure could be counted and send a R=0 after a certain number
> of failures.
The EAP module already does *some* checking of this. If there are
more than ~40 or so round trips, it
list
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small
On 04/21/2011 04:03 PM, john.hayw...@wheaton.edu wrote:
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I
could get the retry to work properly on a windows7 machine.
The problem is th
t
Subject: Re: MS-CHAP-V2 with no retry
Thanks again for your work on this facility.
I built and installed with the new patches.
Unfortunately things did not quite work - however with a small change I could
get the retry to work properly on a windows7 machine.
The problem is that when we do
+
684 + DEBUG2(" MSCHAP-Error: %s", response->vp_strvalue);
685 +
686 + /*
687 + * parse the new challenge out of the MS-CHAP-Error, so if the client
688 + * issues a re-try, we'll know the challenge value they used
689 + */
690 + n = sscanf(respons
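Review bot: the sscanf() call on line 690 reads the new challenge out of response->vp_strvalue, a string that is also sent to the client, so the result n should be compared against the exact number of fields expected before the parsed challenge is stored for a retry. The format string should also carry explicit field widths so that a longer or malformed MS-CHAP-Error value cannot write past the destination buffer.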
Phil Mayers wrote:
> rlm_mschap doesn't implement a HUP handler AFAICT. It probably wouldn't
> be terribly hard to write one - the module is fairly stateless. It's
> probably best to just restart the server though.
I think it's safe just to mark the module HUP-safe. It wasn't marked
that way be
1 17:53:42
From: Phil Mayers
Reply-To: FreeRadius users mailing list
To: freeradius-users@lists.freeradius.org
Subject: Re: MS-CHAP-V2 with no retry
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:
I have been able to do some testing with the adjustments for MS-CHAP-V2
related to
On 04/20/2011 11:14 PM, john.hayw...@wheaton.edu wrote:
I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retries.
There are two items I observed with testing:
1) If I sent a HUP signal to the server it appears to re-read the
configuration files but
I have been able to do some testing with the adjustments for MS-CHAP-V2
related to error and retries.
There are two items I observed with testing:
1) If I sent a HUP signal to the server it appears to re-read the
configuration files but for some reason does not re-read the mschap module
- so
Phil Mayers wrote:
> The attached patch seems to fix it.
Added, thanks.
Alan DeKok.
On 14/04/11 12:07, Phil Mayers wrote:
On 13/04/11 16:22, Alan DeKok wrote:
Phil Mayers wrote:
Actually, I was just testing this and proxying the inner EAP-MSCHAPv2 as
plain MS-CHAPv2 seems to be broken, at least in my testing. It doesn't
crash the server, but equally it doesn't pass the S=XXX s
57e39ecc46f35
MS-MPPE-Send-Key = 0x6342361df2ade968d8f02a297f16025b
MS-CHAP2-Success = ...
+- entering group post-proxy {...}
[eap] Doing post-proxy callback
[eap] Passing reply from proxy back into the tunnel.
server inner-tunnel {
[eap] Passing reply back for EAP-MS-CHAP-V2
+- enter
john.hayw...@wheaton.edu wrote:
> Can someone point me to exactly what I need to "git" to get the current
> version of freeradius with the patches so I can do some testing at our
> site?
http://git.freeradius.org
Grab the v2.1.x branch. Read raddb/modules/mschap, and
raddb/eap.conf, the "msc
GE_LEN);
It's actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
This
Phil Mayers wrote:
> With "send_error = yes", the client just hangs (and in fact crashed my
> phone several times)
Nice to know!
Alan DeKok.
On 11/04/11 14:45, Phil Mayers wrote:
I'll spin up an SSID and give it a try with real clients later today.
Regrettably I can report that this does not work with Symbian.
With "send_error = no", incorrect username/password reports "EAP/PEAP
authentication failed"
With "send_error = yes",
actually a bit more complex; the new challenge is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
This would also get us part
is being generated
inside rlm_mschap as part of the error, but AFAICT rlm_eap_mschapv2
needs to know it, so that it can add it to the fake request which it
then passes *back* into rlm_mschap as an MS-CHAP-Challenge attribute.
This would also get us part of the way there to password change
On 10/04/2011 12:57, James J J Hooper wrote:
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, s
; rlm_eap_mschapv2: Unexpected response received << ***
Ah... it's supposed to try the MS-CHAP stuff again. Nice!
I'm travelling to networkshop soon, but I'll see if I poke at it this
week. If I'm right, the fix should be pretty simple. But it will need
to be te
James J J Hooper wrote:
> Also, args to pairmove2 are wrong way around, as attached.
Applied, thanks.
Alan DeKok.
On 10/04/2011 12:39, James J J Hooper wrote:
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's E
On 10/04/2011 12:16, James J J Hooper wrote:
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??
Yes, thanks.
Also, args to
On 10/04/2011 07:03, Alan DeKok wrote:
James J J Hooper wrote:
I may have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??
Yes, thanks.
Also, args to pairmove2 are wrong way around, as attache
have mis-understood the code, but I think the EAP MS-CHAP-v2
Failure packet, should be an EAP *request* (currently it's EAP failure)??
http://tools.ietf.org/html/draft-kamath-pppext-eap-mschapv2-01#page-12
All,
People might find this helpful; if you send an invalid password for an
ot
James J J Hooper wrote:
> I may have mis-understood the code, but I think the EAP MS-CHAP-v2
> Failure packet, should be an EAP *request* (currently it's EAP failure)??
Yes, thanks.
I've deleted the setting of the EAP code. It's set in the "compose"
I've just pushed some changes to the git "v2.1.x" branch. See:
raddb/modules/mschap
- allow_retry
- retry_msg
raddb/eap.conf
- send_error
The default is no change. See the documentation for how to test the
new features.
Hi Alan,
I may have mis-u
...
From: freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org
[freeradius-users-bounces+john.hayward=wheaton@lists.freeradius.org] on
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Friday, April 08, 2011 2:54 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP
Phil Mayers wrote:
> +1 - In my experience it's necessary to cater for windows' weirdness
> *first*. Most other clients have sane behaviours. I'm concerned about
> the "we didn't do much windows testing" line...
Yup.
I've just pushed some changes to the git "v2.1.x" branch. See:
raddb/modul
On 04/08/2011 08:26 AM, Alan DeKok wrote:
James J J Hooper wrote:
It works on Mac OS and iOS, but I haven't been able to get it to work
as expected on XP or Win7:
* Win7 does as it did before
That's not all bad.
* XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
me
James J J Hooper wrote:
> It works on Mac OS and iOS, but I haven't been able to get it to work
> as expected on XP or Win7:
> * Win7 does as it did before
That's not all bad.
> * XP: The [builtin] supplicant gets stuck at the 'trying to authenticate'
> message.
That's not good.
> Could you
On 07/04/2011 13:33, James J J Hooper wrote:
--On Wednesday, April 06, 2011 15:42:11 -0500 john.hayw...@wheaton.edu wrote:
I don't know if this should be sent to the developers list instead.
=== Background ===
Wh
hi,
this would be great to get into 2.1.11 release if possible if not 2.1.12 or
2.2.x
as it solves one of our current problems of devices configured for our roaming
SSID continually trying to authenticate to the system even if the user no
longer exists
- currently they just keep on and on a
--On Thursday, April 07, 2011 13:33:33 +0100 James J J Hooper
wrote:
Attached are the two 'git diff' that I ended up with.
gzipped so they don't get messed up.
-James
p1.txt.gz
Description: Binary data
p2.txt.gz
Description: Binary data
password");
+
mschap_add_reply(request, &request->reply->vps,
*response->vp_octets,
- "MS-CHAP-Error", "E=691 R=1", 9);
+"MS-CHAP-Error", msg, strl
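Review bot: msg, which replaces the fixed "E=691 R=1" string and its literal length 9 in the mschap_add_reply() call, needs a visible bound where it is built, so that the length passed here can never exceed what an MS-CHAP-Error attribute can carry. It is also worth asserting that msg still begins with the E= and R= fields, since those are what the removed literal supplied and the supplicant's retry behaviour depends on them.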
On Wed, 9 Mar 2011, Alan DeKok wrote:
Date: Wed, 9 Mar 2011 01:25:10
From: Alan DeKok
Reply-To: FreeRadius users mailing list
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
John Hayward wrote:
Any idea of the time frame?
A long time.
Should I spend my time
John Hayward wrote:
> Any idea of the time frame?
A long time.
> Should I spend my time looking at the code and proposing a patch?
Sure.
Alan DeKok.
behalf of Alan DeKok [al...@deployingradius.com]
Sent: Saturday, March 05, 2011 12:23 AM
To: FreeRadius users mailing list
Subject: Re: MS-CHAP-V2 with no retry
john.hayw...@wheaton.edu wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) when there was
>a bug in that when
ad send an EAP-Response with
EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the
client has ACKed that, it should *then* send EAP-Failure.
i.e. fixing it is likely a fair bit more work.
> 3) It is possible to configure in radius.conf the message on failure by:
No
'm mis-reading it?
Nope. It's just never used.
Anyways, due to that (and other) issues, I've attached a new patch.
That *should* just re-use the MS-CHAP-Error string from the MS-CHAP
module, without over-writing it with a fixed error.
Is this a proper statement of the summary of w