Hello list,
suppose I want to authenticate a device capable of using PEAP with
EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and
I have user password stored in LDAP (linux) with the crypt scheme and
freeradius server 2.1.9.
Is there any mechanism to successfully
matteo wrote:
Hello list,
suppose I want to authenticate a device capable of using PEAP with
EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and
I have user password stored in LDAP (linux) with the crypt scheme and
freeradius server 2.1.9.
Is there any mechanism to
John Baldwin wrote:
I’m trying to configure freeradius on a CentOS server to authenticate my
logins on Cisco devices. I can see in the log file that my request is
hitting the server. I’m advised to just add a username and password in
the users file so I’ve done that, I’ve used the steve
Hello all
I'm trying to configure freeradius on a CentOS server to authenticate my logins
on Cisco devices. I can see in the log file that my request is hitting the
server. I'm advised to just add a username and password in the users file so
I've done that, I've used the steve login and
Phil Mayers wrote:
I am suggesting that in some sense (and obviously, it's only my opinion,
and as I say it's only doable to an extent with newer FR versions) the
following is better:
authenticate {
    Auth-Type PAP {
        krb5
    }
}
That is, that the Auth-Type be set to reflect the
George C. Kaplan wrote:
I don't think I understand your examples. A NAS is sending a User-Name
and User-Password, and somehow I have to tell radiusd, "Use Kerberos to
authenticate these users". I don't see how I can do that except by
setting 'Auth-Type = Kerberos' *somewhere*.
I am
On Friday 17 March 2006 19:21, George C. Kaplan wrote:
Phil Mayers wrote:
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
Auth-Type based on the incoming requests e.g. the mschap module sets
Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
Boian Jordanov [EMAIL PROTECTED] wrote:
So, why were %RAD_CHECK and %RAD_REQUEST
made read-only?
Because perl hashes are not ordered.
The only requirement is that attributes of the same name be ordered.
This may change the way the module works (I haven't looked), but if
On Mar 18, 2006, at 7:13 AM, Alan DeKok wrote:
Boian Jordanov [EMAIL PROTECTED] wrote:
So, why were %RAD_CHECK and %RAD_REQUEST
made read-only?
Because perl hashes are not ordered.
The only requirement is that attributes of the same name be ordered.
This may change the way the
On Saturday 18 March 2006 21:40, George C. Kaplan wrote:
On Mar 18, 2006, at 7:13 AM, Alan DeKok wrote:
Boian Jordanov [EMAIL PROTECTED] wrote:
So, why were %RAD_CHECK and %RAD_REQUEST
made read-only?
Because perl hashes are not ordered.
The only requirement is that attributes
On Mar 17, 2006, at 5:45 PM, Phil Mayers wrote:
George C. Kaplan wrote:
Or you're using an authentication method (Kerberos, in my case) that
isn't one of the standard methods associated with the authorization
module. (As Alan points out, you have to know what you're doing
to make this
Hi,
1.) in the users-file, I can only check for attributes provided by the
request - correct?
2.) in the users-file, if an entry matches all check-attributes, I can
specify an Auth/Autz-Type - correct?
3.) in the users-file, if I do not specify the Auth/Autz-Type the
radius is taken the
Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by the
request - correct?
I think so
2.) in the users-file, if an entry matches all check-attributes, I can
specify an Auth/Autz-Type - correct?
yes
3.) in the users-file, if I do not specify the
Thank you for your answer,
I try to specify my problem more clearly.
Phil Mayers wrote:
Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by
the request - correct?
I think so
ok
2.) in the users-file, if an entry matches all
Florian Prester wrote:
Now the big question:
If I have a user who is authenticated, meaning correct username +
password whereas the password is stored in LDAP.
I want to replay attributes according to some other information
stored in LDAP - how can I do such a thing, like:
IF
Phil Mayers wrote:
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
Auth-Type based on the incoming requests e.g. the mschap module sets
Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
chap and eap modules. pap is a bit more complex and has
Alan DeKok wrote:
5.) Authorization is even if a password is correct, the user may not
use/do something - correct?
Yes.
Strictly speaking, during the authorisation section of the FR config,
you haven't determined the password is correct yet. You don't need me to
tell you this of course
George C. Kaplan [EMAIL PROTECTED] wrote:
I've been wondering about this, in relation to the rlm_perl module. We
see "Don't set Auth-Type in the users file" all over the place, but with
rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for
authorization, I *have to* set the
Florian Prester wrote:
so, AFAIK authorization is retrieving user-information from a source?
Yes, however see Alan's reply - his yes and my no are not as
contradictory as they might seem (it's purely semantics). See below.
ok, let's assume a user can authenticate because he/she supplies a
George C. Kaplan wrote:
Phil Mayers wrote:
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
Auth-Type based on the incoming requests e.g. the mschap module sets
Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
chap and eap modules. pap is a bit
Phil Mayers wrote:
George C. Kaplan wrote:
I've been wondering about this, in relation to the rlm_perl module. We
see "Don't set Auth-Type in the users file" all over the place, but with
rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for
authorization, I *have to* set the
George C. Kaplan wrote:
Or you're using an authentication method (Kerberos, in my case) that
isn't one of the standard methods associated with the authorization
module. (As Alan points out, you have to know what you're doing to make
this work).
Hmm. PAP seems to be the big problem area in
I'm trying to understand how to send dynamic replies based on user.
If I authenticate via LDAP or some other mechanism, I can authorize via
the sql tables?
Is that right?
-Bob
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Robert Myers [EMAIL PROTECTED] wrote:
If I authenticate via LDAP or some other mechanism, I can authorize via
the sql tables?
Yes. All of the modules are completely independent of each other.
Alan DeKok.
So let me ask you this, this allows me to set specific replies for each
user.
How would I go about setting replies for groups of users, when I don't
know the specific usernames? Like if I'd want to assign a specific
reply based on an LDAP group?
-Bob
Alan DeKok wrote:
Robert Myers [EMAIL
Robert Myers [EMAIL PROTECTED] wrote:
How would I go about setting replies for groups of users, when I don't
know the specific usernames? Like if I'd want to assign a specific
reply based on an LDAP group?
You would read the documentation for the LDAP module, and see how to
use LDAP
The documentation is how I found out what questions to ask. :)
Thanks for the point in the right direction.
-Bob
Alan DeKok wrote:
Robert Myers [EMAIL PROTECTED] wrote:
How would I go about setting replies for groups of users, when I don't
know the specific usernames? Like if I'd want to
27 matches