matteo wrote:
> Hello list,
> suppose I want to authenticate a device capable of using PEAP with
> EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and
> I have user password stored in LDAP (linux) with the crypt scheme and
> freeradius server 2.1.9.
> Is there any mechanism to s
Hello list,
suppose I want to authenticate a device capable of using PEAP with
EAP-MS-CHAP v2 or EAP-GTC and TTLS with EAP-MS-CHAP v2 or MS-CHAPv2 and
I have user password stored in LDAP (linux) with the crypt scheme and
freeradius server 2.1.9.
Is there any mechanism to successfully authentica
John Baldwin wrote:
> I’m trying to configure freeradius on a Centos server to authenticate my
> logins on Cisco devices. I can see in the log file that my request is
> hitting the server. I’m advised to just add a username and password in
> the users file so I’ve done that, I’ve used the steve l
Hello all
I'm trying to configure freeradius on a Centos server to authenticate my logins
on Cisco devices. I can see in the log file that my request is hitting the
server. I'm advised to just add a username and password in the users file so
I've done that, I've used the steve login and passw
Phil Mayers wrote:
> I am suggesting that in some sense (and obviously, it's only my opinion,
> and as I say it's only doable to an extent with newer FR versions) the
> following is better:
>
> authenticate {
> Auth-Type PAP {
> krb5
> }
> }
>
> That is, that the Auth-Type be set to refl
George C. Kaplan wrote:
I don't think I understand your examples. A NAS is sending a User-Name
and User-Password, and somehow I have to tell radiusd, "Use Kerberos to
authenticate these users." I don't see how I can do that except by
setting 'Auth-Type = Kerberos' *somewhere*.
I am suggest
On Mar 17, 2006, at 5:45 PM, Phil Mayers wrote:
George C. Kaplan wrote:
Or you're using an authentication method (Kerberos, in my case) that
isn't one of the standard methods associated with the authorization
module. (As Alan points out, you have to know what you're doing to make
this work)
On Saturday 18 March 2006 21:40, George C. Kaplan wrote:
> On Mar 18, 2006, at 7:13 AM, Alan DeKok wrote:
> > Boian Jordanov <[EMAIL PROTECTED]> wrote:
> >> So, why were %RAD_CHECK and %RAD_REQUEST
> >>
> >>> made read-only?
> >>
> >> Because perl hashes are not ordered.
> >
> > The only requirem
On Mar 18, 2006, at 7:13 AM, Alan DeKok wrote:
Boian Jordanov <[EMAIL PROTECTED]> wrote:
So, why were %RAD_CHECK and %RAD_REQUEST
made read-only?
Because perl hashes are not ordered.
The only requirement is that attributes of the same name be ordered.
This may change the way the modu
Boian Jordanov <[EMAIL PROTECTED]> wrote:
> So, why were %RAD_CHECK and %RAD_REQUEST
> > made read-only?
>
> Because perl hashes are not ordered.
The only requirement is that attributes of the same name be ordered.
This may change the way the module works (I haven't looked), but if
${RAD_REQ
On Friday 17 March 2006 19:21, George C. Kaplan wrote:
> Phil Mayers wrote:
> > Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
> > Auth-Type based on the incoming requests e.g. the "mschap" module sets
> > Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditt
George C. Kaplan wrote:
Or you're using an authentication method (Kerberos, in my case) that
isn't one of the standard methods associated with the authorization
module. (As Alan points out, you have to know what you're doing to make
this work).
Hmm. PAP seems to be the big problem area in thes
Phil Mayers wrote:
> George C. Kaplan wrote:
>> I've been wondering about this, in relation to the rlm_perl module. We
>> see "Don't set Auth-Type in the users file" all over the place, but with
>> rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for
>> authorization, I *have to*
George C. Kaplan wrote:
Phil Mayers wrote:
Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
Auth-Type based on the incoming requests e.g. the "mschap" module sets
Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
"chap" and "eap" modules. "pap" is a
Florian Prester wrote:
>> so, AFAIK authorization is retrieving user-information from a source?
Yes, however see Alan's reply - his "yes" and my "no" are not as
contradictory as they might seem (it's purely semantics). See below.
ok, let's assume a user can authenticate because he/she suppl
"George C. Kaplan" <[EMAIL PROTECTED]> wrote:
> I've been wondering about this, in relation to the rlm_perl module. We
> see "Don't set Auth-Type in the users file" all over the place, but with
> rlm_perl, the %RAD_CHECK hash is read-only. So if I'm using perl for
> authorization, I *have to* set
Alan DeKok wrote:
5.) Authorization is even if a password is correct, the user may not
use/do something - correct?
Yes.
Strictly speaking, during the authorisation section of the FR config,
you haven't determined the password is correct yet. You don't need me to
tell you this of course -
Phil Mayers wrote:
> Sort of. AFAIK nothing else sets Autz-Type. But quite a few modules set
> Auth-Type based on the incoming requests e.g. the "mschap" module sets
> Auth-Type=MS-CHAP if the mschap attributes are in the request. Ditto the
> "chap" and "eap" modules. "pap" is a bit more complex a
Florian Prester wrote:
>>> Now the big question:
>>> If I have a user who is authenticated, meaning correct username +
>>> password whereas the password is stored in LDAP.
>>> I want to replay attributes according to some other information
>>> stored in LDAP - how can I do such a thing, like:
>>>
Florian Prester <[EMAIL PROTECTED]> wrote:
> 1.) in the users-file, I can only check for attributes provided by the
> request - correct?
Yes.
> 2.) in the users-file, if an entry matches all check-attributes, I can
> specify an Auth/Autz-Type - correct?
Yes.
> 3.) in the users-file, if
Thank you for your answer,
I try to specify my problem more clearly.
Phil Mayers wrote:
Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by
the request - correct?
I think so
ok
2.) in the users-file, if an entry matches all check-attributes
Florian Prester wrote:
Hi,
1.) in the users-file, I can only check for attributes provided by the
request - correct?
I think so
2.) in the users-file, if an entry matches all check-attributes, I can
specify an Auth/Autz-Type - correct?
yes
3.) in the users-file, if I do not specify the A
Hi,
1.) in the users-file, I can only check for attributes provided by the
request - correct?
2.) in the users-file, if an entry matches all check-attributes, I can
specify an Auth/Autz-Type - correct?
3.) in the users-file, if I do not specify the Auth/Autz-Type the
radius is taken the reques
The documentation is how I found out what questions to ask. :)
Thanks for the point in the right direction.
-Bob
Alan DeKok wrote:
Robert Myers <[EMAIL PROTECTED]> wrote:
How would I go about setting replies for groups of users, when I don't
know the specific usernames? Like if I'd want t
Robert Myers <[EMAIL PROTECTED]> wrote:
> How would I go about setting replies for groups of users, when I don't
> know the specific usernames? Like if I'd want to assign a specific
> reply based on an LDAP group?
You would read the documentation for the LDAP module, and see how to
use LDAP g
So let me ask you this, this allows me to set specific replies for each
user.
How would I go about setting replies for groups of users, when I don't
know the specific usernames? Like if I'd want to assign a specific
reply based on an LDAP group?
-Bob
Alan DeKok wrote:
Robert Myers <[EMAIL
Robert Myers <[EMAIL PROTECTED]> wrote:
> If I authenticate via LDAP or some other mechanism, I can authorize via
> the sql tables?
Yes. All of the modules are completely independent of each other.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I'm trying to understand how to send dynamic replies based on user.
If I authenticate via LDAP or some other mechanism, I can authorize via
the sql tables?
Is that right?
-Bob
28 matches