Re: PEAP using different CA?

2013-07-11 Thread Mathieu Simon
Hi Fernando 2013/7/10 Fernando Hammerli fhamme...@puc-rio.br Got it now, as you said. Using the public CA certs on certificate_file (and related private key), and included the public CA chain on the CA_file (together with my own CA). Yep mostly except that I put the private key not inside

Re: PEAP using different CA?

2013-07-10 Thread Alan DeKok
Fernando Hammerli wrote: To avoid the need of installing our CA certificate on every Windows machine, we´ll buy the server certificate from a public CA. Can Freeradius allow me to have both methods at the same time, ie, the PEAP with the public CA and certificate users with our 'self-signed'

Re: PEAP using different CA?

2013-07-10 Thread Arran Cudbard-Bell
On 10 Jul 2013, at 13:38, Alan DeKok al...@deployingradius.com wrote: Fernando Hammerli wrote: To avoid the need of installing our CA certificate on every Windows machine, we´ll buy the server certificate from a public CA. Can Freeradius allow me to have both methods at the same time, ie,

Re: PEAP using different CA?

2013-07-10 Thread A . L . M . Buxey
Hi, Currently we have 1000´s of users self-signed certificates (EAP-TLS), and we´re planning to move our main authentication method to PEAP, but keeping the certificates in use while valid. To avoid the need of installing our CA certificate on every Windows machine, we´ll buy the server

Re: PEAP using different CA?

2013-07-10 Thread Mathieu Simon
Hi As a possible hint since your question sounds similar to an issue I had: I was looking to provide a server-side certificate to my clients from a public CA but only allow clients to authenticate via EAP-TLS when presenting a cert from our internal CA which avoids the misconfiguration to trust

Re: PEAP using different CA?

2013-07-10 Thread Stefan Winter
Hello, To avoid the need of installing our CA certificate on every Windows machine, we´ll buy the server certificate from a public CA. Having the CA cert installed only does half of the job; for EAP configuration purposes, the CA must be explicitly marked as trusted /for this EAP identity/. So

Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Hi, thanks for your reply (extensive to the others), Just put both CAs in the directory pointed to by CA_path. Currently my CA_path is where my users certificates are stored. I thought I had to offer a different server certificate to the user. I was able to make it work (PEAP only, not the TLS)

Re: PEAP using different CA?

2013-07-10 Thread Alan Buxey
Use a deployment tool as then things like CN checks are done alan - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Hi Mathieu, thanks for your reply. It´s not clear to me what exactly has to be done. So, I´ll place both server certificates inside the certificate_file, correct? Do I declare it only under the 'tls' section (not on the peap)? How does FR know which certificate for each method? How do I declare

Re: PEAP using different CA?

2013-07-10 Thread Fernando Hammerli
Got it now, as you said. Using the public CA certs on certificate_file (and related private key), and included the public CA chain on the CA_file (together with my own CA). Still needs more testing (in more environments), but seems to be working. Thanks! Check the difference of CA_file

Re: PEAP failure problem

2012-09-07 Thread Ana Gallardo Gómez
Hello again! Forgiveness for having reached this situation, the result of several unfortunate events. Thank you for reply and your time

Re: PEAP failure problem

2012-09-06 Thread Alan DeKok
UEX Ana Gallardo Gómez wrote: This was asked many, many, times. And answered. Go read the responses to your messages. If you're not going to read the list, then don't post questions here. And stop posting this question. Alan DeKok.

Re: PEAP failure problem

2012-09-06 Thread Phil Mayers
On 06/09/12 10:52, Alan DeKok wrote: UEX Ana Gallardo Gómez wrote: This was asked many, many, times. And answered. Go read the responses to your messages. If you're not going to read the list, then don't post questions here. I almost wonder if he is not getting list mail somehow!

Re: PEAP failure problem

2012-09-06 Thread Ana Gallardo Gómez
This was asked many, many, times. And answered. Ok, sorry to ask about that one more time. I thought that if I can work with Codigo-Reject attribute in Post-Auth type Reject for EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2, I would do the same in PEAP. I read

Re: PEAP failure problem

2012-09-06 Thread Alan DeKok
Ana Gallardo Gómez wrote: I thought that if I can work with Codigo-Reject attribute in Post-Auth type Reject for EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2, I would do the same in PEAP. No. All, EAP-TTLS-PAP, EAP-TTLS-MsCHAPv2 and PEAP are EAP methods... Really? I didn't know that. Go

Re: PEAP access-reject problem

2012-09-03 Thread Alan DeKok
Ana Gallardo Gómez wrote: I would like to return different values of a personal attribute (Codigo-Reject) in a Access-Reject. I would like to do this in PEAPv0, EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2 With my configuration I can return Codigo-Reject in EAP-TTLS-PAP and EAP-TTLS-MsCHAPv2 but I

Re: PEAP and multiple domains

2012-07-16 Thread Francois Gaudreault
Hi David, If your domains have trust configured (which I hope), use REALMS (proxy.conf). Add the --domain %{Realm} to your ntlm_auth line, and you should be OK. If your domains don't have a trust, then you are in trouble. You can only join the server to 1 domain, so ntlm_auth will always

Re: PEAP and multiple domains

2012-07-16 Thread alan buxey
Hi, redundant { mschap.domain1 mschap.domain2 } that's just redundancy so if the first one answers...then that's that. you need fail-through eg something like Auth-Type MS-CHAP { group { mschap.domain1 {

Re: PEAP and multiple domains

2012-07-16 Thread Phil Mayers
On 16/07/12 16:12, David Aldwinckle wrote: Hello, I currently use PEAP and the mschap module to call ntlm_auth and authenticate against Active Directory. The FreeRadius server is currently joined to domain1. It may come about in the near future that I need to query two different domains

Re: PEAP and multiple domains

2012-07-16 Thread David Aldwinckle
Hi, Thanks for the response. Unfortunately, these particular users don't have realms in their usernames, so I think I will still need to go with multiple mschap modules, like Alan suggested. I just confirmed that there is a two way trust, so I think I should be able to figure it out from

Re: PEAP Password

2012-07-13 Thread Scott Armitage
On 13 Jul 2012, at 18:26, Carl Pierre wrote: Hello: I would like to have FreeRADIUS check the user's submitted credentials before it even allows the Tunnel to even be set up. Is this a possibility? No. The point of the tunnel is to secure the credentials. Thanks Scott Armitage

Re: PEAP Password

2012-07-13 Thread Scott Armitage
On 13 Jul 2012, at 18:37, Scott Armitage wrote: On 13 Jul 2012, at 18:26, Carl Pierre wrote: Hello: I would like to have FreeRADIUS check the user's submitted credentials before it even allows the Tunnel to even be set up. Is this a possibility? No. The point of the tunnel

Re: PEAP Password

2012-07-13 Thread Alan Buxey
No (i'm not even going to ask 'why would you want to do that?') alan

Re: PEAP Password

2012-07-13 Thread Carl Pierre
My lack of understanding I think, is due in part because of a wpa_supplicant-based client I am using with PEAP/EAP-GTC. The client asks for a username and password, sets up the tunnel and then challenges for a Password again for the GTC stuff. FreeRADIUS rightfully ignores the first password,

Re: PEAP/EAP_GTC

2012-07-12 Thread Iliya Peregoudov
Hi Carl, I personally have used EAP-TTLS/EAP-GTC with Nokia S60 phone. Nokia S60 supplicant display EAP-GTC prompt. This prompt is set in raddb/eap.conf gtc{} subsection and defaults to Password: string. EAP-GTC is thoroughly documented by RFC 3748. Typical EAP-GTC message exchange is

Re: PEAP/EAP_GTC

2012-07-11 Thread Alan DeKok
Carl Pierre wrote: Are there any clients that actually display the EAP-GTC challenge? No idea. Try it and see. Essentially, I am trying to use EAP-GTC similarly to how PAP Access-Challenge works: Client: ---User/PassServer Client: --Challenge Message-Server

Re: PEAP/EAP_GTC

2012-07-11 Thread alan buxey
Hi, Are there any clients that actually display the EAP-GTC challenge? Essentially, I am trying to use EAP-GTC similarly to how PAP Access-Challenge works: have you tried wpa_supplicant or eapol_test ? In addition, are there any resources that thoroughly documents EAP-GTC?

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread alan buxey
Hi, Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log messages for EAP auth failures; I

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Phil Mayers
On 05/19/2012 12:37 PM, alan buxey wrote: Hi, Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Bruce Nunn
For my installations I've disabled the EAP cache to make things work better. Only a few users noticed. Does anyone know if the same thing happens In the 3.0 branch? I was planning to put one of my production servers on the 3.0 code this Summer. Alan DeKok al...@deployingradius.com wrote: Phil

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-19 Thread Phil Mayers
Bruce Nunn ironr...@yahoo.com wrote: For my installations I've disabled the EAP cache to make things work better. Only a few users noticed. Does anyone know if the same thing happens In the 3.0 branch? I was planning to put one of my production servers on the 3.0 code this Summer. Alan DeKok

Re: PEAP/MSCHAP doesn't run post-auth in inner-tunnel for reject?

2012-05-18 Thread Alan DeKok
Phil Mayers wrote: Am I being dumb / getting something wrong or does the post-auth session not get called if PEAP/MSCHAP returns a reject? It seems to run for successful auths, but not failures. That is the case. This is in the context of us not seeing log messages for EAP auth

RE: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-26 Thread Kevin Elliott
- From: freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org [mailto:freeradius-users-bounces+kevin_elliott=ci.juneau.ak.us@lists.freeradius.org] On Behalf Of alan buxey Sent: Wednesday, April 25, 2012 2:53 PM To: FreeRadius users mailing list Subject: Re: PEAP/MSCHAPv2

Re: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-25 Thread Matthew Newton
On Wed, Apr 25, 2012 at 11:52:15AM -0800, Kevin Elliott wrote: Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using

Re: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-25 Thread alan buxey
Hi, Currently FreeRadius will send back Access-Accepts for *both* user and machine/host accounts (in the Active Directory context of those terms). I would like to configure FreeRadius to ignore or reject authentication requests using the user credentials. I spent the better part of

Re: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-25 Thread alan buxey
hi, Matthew, I would say the check is a little sparse and assumes nothing else is in play...such as realms/proxying for what if my username was host\u...@other.realm.com it's quite likely that this user would get proxied back to their home site. hence better to ensure the regex pattern

Re: PEAP/MSCHAPv2 - Host Account Authentication Only

2012-04-25 Thread Matthew Newton
Hi On Wed, Apr 25, 2012 at 11:58:06PM +0100, alan buxey wrote: Matthew, I would say the check is a little sparse and assumes Yeah, good idea checking the RHS of the username - hadn't thought of that (scuttles off to implement it :) ) oh. actually, yes, you should ignore that i said add it

RE: PEAP Inner-tunnel can't match a user in the users file with some check attributes

2011-11-21 Thread Difan Zhao
-bounces+difan.zhao=guest-tek@lists.freeradius.org] On Behalf Of Alan DeKok Sent: November-19-11 1:37 AM To: FreeRadius users mailing list Subject: Re: PEAP Inner-tunnel can't match a user in the users file with some check attributes Difan Zhao wrote: I have an issue that whenever I have check

Re: PEAP Inner-tunnel can't match a user in the users file with some check attributes

2011-11-19 Thread Alan DeKok
Difan Zhao wrote: I have an issue that whenever I have check attributes such as NAS-IP-Address or NAS-Port-Type, my PEAP fails… Read raddb/eap.conf. Look for copy_request_to_tunnel Everything works once I removed *NAS-IP-Address == 10.143.115.14*. However I do need to check against from

Re: PEAP/mschapv2 - opendirectory

2011-11-15 Thread Alan DeKok
Kemal YILDIRIM wrote: Hello all, I've just been able to implement a Wired 802.1x system with PEAP/mschapv2 authentication against opendirectory which is running on MacOSX server 10.6.8 Leopard. At the end I have a working setup, but I like to learn more to fix my faults. What is going wrong?

Re: PEAP with Machine auth

2011-10-27 Thread Bonald
The weird thing is that I didn't see that popup On Wed, Oct 26, 2011 at 5:07 PM, Phil Mayers p.may...@imperial.ac.uk wrote: On 10/26/2011 07:53 PM, Francois Gaudreault wrote: Correct me if I am wrong, but that should not be needed when you are not validating server certificate. There are a

Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers
On 27/10/11 13:12, Bonald wrote: The weird thing is that I didn't see that popup That is very odd. I just tried this again; purged the CA from the User Machine lists, deleted the wired 802.1x profile and re-connected. 1st time - no joy because the CA is unknown. Import the CA retry and I

Re: PEAP with Machine auth

2011-10-27 Thread Bonald
Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup. On Thu, Oct 27, 2011 at 9:37 AM, Phil Mayers p.may...@imperial.ac.uk wrote: On 27/10/11 13:12, Bonald wrote: The weird thing is that I didn't see that popup That is very odd. I just tried

Re: PEAP with Machine auth

2011-10-27 Thread Phil Mayers
On 27/10/11 15:18, Bonald wrote: Exactly, I have a GPO that's pushing some wireless profiles. When disabling this GPO I see the popup. Sigh. I hate windows. I'm glad you've got it sorted out. If you find time to write some docs in the wiki that describe which GPO objects caused what

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 13:49, Bonald wrote: WARNING: !! EAP session for state 0xd4ade9e4d6a8f086 did not finish! WARNING: !! Please read http://wiki.freeradius.org/Certificate_Compatibility Did you follow the link? Did you read it? Most likely, you need to ensure your certificate CA is trusted by the

Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Yes i've read it. Yes the certificate is trusted on the machine and the user store. It must be something else, using USER auth it's working. MACHINE auth is failing. On Wed, Oct 26, 2011 at 10:14 AM, Phil Mayers p.may...@imperial.ac.uk wrote: On 26/10/11 13:49, Bonald wrote: WARNING: !! EAP

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 14:24, Bonald wrote: Yes i've read it. Yes the certificate is trusted on the machine and the user store. It must be something else, using USER auth it's working. MACHINE auth is failing. Well, I guess it's just broken then. Oh well. Seriously - it's important to understand that

Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Phil Mayers wrote: Seriously - it's important to understand that the CLIENT stops responding. FreeRADIUS can't do anything more in this case - the client has stopped sending EAPOL packets, so the client must think that something is wrong. That's the main issue people have with RADIUS. The

RE: PEAP with Machine auth

2011-10-26 Thread Sallee, Stephen (Jake)
To: freeradius-users@lists.freeradius.org Subject: RE: PEAP with Machine auth This kind of QA thing helps no one here! Many people are reporting the same issue on different platforms! I don't think the problem is either with the client or the certificates since I conducted some testing using the same client

Re: PEAP with Machine auth

2011-10-26 Thread Alan DeKok
Francois Gaudreault wrote: Even more weird, we have had the same issue lately with one controller model, and not the other. We were using the same config on the client, on the server, and the same certs. Ouch. The whole EAP ecosystem is fragile to the point of insanity. There are times

Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault
Even more weird, we have had the same issue lately with one controller model, and not the other. We were using the same config on the client, on the server, and the same certs. Ouch. The whole EAP ecosystem is fragile to the point of insanity. There are times when I'm surprised it

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 14:58, Phil Mayers wrote: On 26/10/11 14:47, Sergio NNX wrote: This kind of QA thing helps no one here! Many people are reporting the same issue on different platforms! I don't think the problem is either with the client or the certificates since I conducted some testing using the

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 16:14, Phil Mayers wrote: Sorry, this is long. tl;dr version - under Windows 7, if you import the CA certificate into the Trusted Root Certification Authorities hierarchy in the MMC Certificates snap-in, Windows 7 user- and machine-auth work just fine against an out-of-the-box

Re: PEAP with Machine auth

2011-10-26 Thread Bonald
If you are using the default config then your eap.conf must have default_eap_type = md5 Try with peap. On Wed, Oct 26, 2011 at 12:14 PM, Phil Mayers p.may...@imperial.ac.uk wrote: On 26/10/11 14:58, Phil Mayers wrote: On 26/10/11 14:47, Sergio NNX wrote: This kind of QA thing helps no one

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 16:54, Bonald wrote: If you are using the default config then your eap.conf must have default_eap_type = md5 Yes. The client NAKs the EAP-MD5 and asks for PEAP. Try with peap. Just to placate you, I have done so. It made no difference, except save one round-trip. User- and

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 14:24, Bonald wrote: Yes i've read it. Yes the certificate is trusted on the machine and the user store. It must be something else, using USER auth it's working. MACHINE auth is failing. What is the client operating system and version, including service pack? Are you using the

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 26/10/11 17:15, Phil Mayers wrote: On 26/10/11 14:24, Bonald wrote: Yes i've read it. Yes the certificate is trusted on the machine and the user store. It must be something else, using USER auth it's working. MACHINE auth is failing. What is the client operating system and version,

Re: PEAP with Machine auth

2011-10-26 Thread Bonald
Client is Windows7 w/SP1. Using Cisco PEAP it's working. When using Microsoft PEAP it's failing for machine auth. I am on WLAN netsh wlan show profile just shows my SSID That fixed my problem. I needed to check the correct CA in the protected PEAP properties.

Re: PEAP with Machine auth

2011-10-26 Thread Francois Gaudreault
Correct me if I am wrong, but that should not be needed when you are not validating server certificate. That would mean windows is trying to validate server cert when doing machine auth even if the profile says otherwise?? On 11-10-26 2:36 PM, Bonald wrote: Client is Windows7 w/SP1. Using

Re: PEAP with Machine auth

2011-10-26 Thread Phil Mayers
On 10/26/2011 07:53 PM, Francois Gaudreault wrote: Correct me if I am wrong, but that should not be needed when you are not validating server certificate. There are a few issues; let me try to lay them out. First: it seems you MUST install the CA on the client (in one or both of the user or

Re: PEAP/MSCHAPv2 / Freeradius / AD

2011-10-13 Thread James J J Hooper
On 13/10/2011 21:16, Kevin Chan wrote: Hi all, hopefully i got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use

Re: PEAP/MSCHAPv2 / Freeradius / AD

2011-10-13 Thread James J J Hooper
On 13/10/2011 21:35, James J J Hooper wrote: On 13/10/2011 21:16, Kevin Chan wrote: Hi all, hopefully i got to the right group of people. We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't

Re: PEAP/MSCHAPv2 / Freeradius / AD

2011-10-13 Thread Alan Buxey
Hi, We are trying to use Freeradius to do PEAP/MSCHAPv2 authentication against Active Directory (2003). Our realm is abc.acme.edu, but since Eduroam doesn't allow subdomain, end user has to use b...@acme.edu instead b...@abc.acme.edu as username. you shouldnt send your own sub domains

Re: PEAP Authentication Problems with Windows Users

2011-09-06 Thread Jacob Dawson
Anyone have any thoughts on where I need to poke at this thing? I'm about at the limits of my ability to figure out what's going wrong. - Jacob On 29 Aug 2011, at 17:28, Jacob Dawson wrote: We're having an odd problem here, and I just can't pin down quite where to look to fix it. We use

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers
On 05/09/2011 10:55 PM, Gary Gatten wrote: Exec-Program output: Logon failure (0xc06d) Exec-Program-Wait: plaintext: Logon failure (0xc06d) Exec-Program: returned: 1 [mschap] External script failed. [mschap] FAILED: MS-CHAP2-Response is incorrect ++[mschap] returns reject You've

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread ironrake
@lists.freeradius.org Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: PEAP/MSCHAPv2 failing with Windows 7 On 05/09/2011 10:55 PM, Gary Gatten wrote: Exec-Program output: Logon failure (0xc06d) Exec-Program-Wait: plaintext: Logon failure

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
, May 10, 2011 06:40 AM To: FreeRadius users mailing list freeradius-users@lists.freeradius.org Subject: Re: PEAP/MSCHAPv2 failing with Windows 7 Check some basic stuff too. Make sure your radius user can run ntlm_auth. Sent from Verizon Wireless -Original Message- From: Phil Mayers p.may

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
, May 10, 2011 03:55 AM To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org Subject: Re: PEAP/MSCHAPv2 failing with Windows 7 On 05/09/2011 10:55 PM, Gary Gatten wrote: Exec-Program output: Logon failure (0xc06d) Exec-Program-Wait: plaintext: Logon failure

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers
On 05/10/2011 01:20 PM, Gary Gatten wrote: Sorry, I trimmed because everything is the same between success and failure up until the exec program output... Well, unfortunately the same didn't trigger my crystal ball, so I have no idea what it was, regardless of whether it's the same. I want

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
:34 AM To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org Subject: Re: PEAP/MSCHAPv2 failing with Windows 7 On 05/10/2011 01:20 PM, Gary Gatten wrote: Sorry, I trimmed because everything is the same between success and failure up until the exec program output... Well

RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
In the PEAP properties, EAP-MSCHAP v2, if you DISABLE automatically use my windows logon name and password and instead enter the credentials manually it works. What version of FR are you running? If it's 2.1.10, try it with 2.1.10.

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Gary Gatten
To: 'FreeRadius users mailing list' freeradius-users@lists.freeradius.org Subject: RE: PEAP/MSCHAPv2 failing with Windows 7 In the PEAP properties, EAP-MSCHAP v2, if you DISABLE automatically use my windows logon name and password and instead enter the credentials manually it works. What version of FR

RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
In the PEAP properties, EAP-MSCHAP v2, if you DISABLE automatically use my windows logon name and password and instead enter the credentials manually it works. Look at: http://freeradius.1045715.n5.nabble.com/MSCHAP-Authentication-Issue-td2785146.html to see if this is your problem (look

RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
I can/will upgrade, but the symptoms lead me to believe its a windows thing. What leads you to believe an FR upgrade would fix it? I sent another response with more info. The issue I'm thinking of is one we talked about quite a while ago (I asked if you could test it). It's the one where

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Phil Mayers
On 05/10/2011 03:00 PM, Garber, Neal wrote: In the PEAP properties, EAP-MSCHAP v2, if you DISABLE automatically use my windows logon name and password and instead enter the credentials manually it works. Look at:

RE: PEAP/MSCHAPv2 failing with Windows 7

2011-05-10 Thread Garber, Neal
One additional note: the fixes that went into 2.1.10 extract (verbatim) the client username from the EAP-MSCHAPv2 response, and pass that through to the rlm_mschap module as an extra attribute. You're right Phil. It's been too long since I wrote that patch. Gary: Forget what I said about

Re: PEAP/MSCHAPv2 failing with Windows 7

2011-05-09 Thread Alan Buxey
Hi, I should note, it appears the Aruba gear is terminating the PEAP – FR only sees an MSCHAP request. I would change that behaviour with a quick reconfig - its possible because we have sites in the UK using Aruba kit with 'eduroam' - and 'eduroam' would break if the remote client was

Re: PEAP/MSCHAPv2 problem

2011-04-07 Thread Jürgen Stader
Looking at the output, things become clearer. The conversation ends when the server tries to send the first Access-Challenge packet to the client. It seems like that packet never gets there - and so the client retransmits the same Request over and over again. The server then repeatedly tries to

Re: PEAP/MSCHAPv2 problem

2011-04-05 Thread Jürgen Stader
On 05.04.2011 07:31, Stefan Winter wrote: Hi, The solution to the problem is simple. The answer is in front of you. Alan DeKok. Looks like i'm blind...please give me a hint ;-) Dude... supplicants are typically configured to trust only the exact one certificate that is in the

Re: PEAP/MSCHAPv2 problem

2011-04-05 Thread Stefan Winter
Hi, The complete certification path is installed on the client. The client don't have an extra client certificate, server certificate check is turned off in wireless settings. Turned off? Thanks, that's a new piece of info! That would hint towards a different problem indeed. Original radius

Re: PEAP/MSCHAPv2 problem

2011-04-05 Thread Alan DeKok
Jürgen Stader wrote: OK, once again; i have cloned a radius-server vm, the new radius-server has a new DNS-Entry, IP and a new certificate. Well, that's likely the problem. Have you tried using the *working* certificate in the new machine? The wlan-ssid is different from that one which is

Re: PEAP/MSCHAPv2 problem

2011-04-05 Thread Stefan Winter
Hello, rad_recv: Access-Request packet from host ... port 32769, id=219, length=159 User-Name = xy [...] EAP-Message = 0x0202000b01737461646572 It would also help not to mangle the debug output by hand, if that's what happened here. The EAP-Message's EAP-Response/Identity

Re: PEAP/MSCHAPv2 problem

2011-04-05 Thread Stefan Winter
Hi, No, the machines are identical, only changed IP, hostname and certificates. No updates or something. Okay... I put the debug output in appendix. Sorry i had to remove passwords and IPs because of security reasons, i think you will understand ;-) That part of mangling is okay :-) If

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Stefan Winter
Hi, PEAP can work with or without client certs. Both run through the tls instance; that is no error. The problem is much rather here: Sending Access-Challenge of id 219 to ... port 32769 Waking up in 2.0 seconds. Cleaning up request 0 ID 219 with timestamp +3 WARNING:

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Jürgen Stader
Hi, thanks for your reply. On 04.04.2011 16:27, Stefan Winter wrote: Hi, PEAP can work with or without client certs. Both run through the tls instance; that is no error. The problem is much rather here: Sending Access-Challenge of id 219 to ... port 32769 Waking up in 2.0 seconds.

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Alan DeKok
Jürgen Stader wrote: When you cloned your RADIUS server, did you give the clone a different certificate afterwards? Since you didn't answer that question directly, it looks like a yes. The original radius has a trusted certificate, signed by our CA. The clone has also a trusted certificate

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Jürgen Stader
On 04.04.2011 18:02, Alan DeKok wrote: Jürgen Stader wrote: When you cloned your RADIUS server, did you give the clone a different certificate afterwards? Since you didn't answer that question directly, it looks like a yes. You're right, but you can read this out of the lines. The two

Re: PEAP/MSCHAPv2 problem

2011-04-04 Thread Stefan Winter
Hi, The solution to the problem is simple. The answer is in front of you. Alan DeKok. Looks like i'm blind...please give me a hint ;-) Dude... supplicants are typically configured to trust only the exact one certificate that is in the RADIUS Server (CN=... is in the supplicant conf).

Re: peap termination issue when using fault tolerance

2011-03-27 Thread Alan DeKok
Gil Mazor wrote: I can successfully do it with each one of the IAS servers below individually, however if one of the servers goes down and request is forwarded to the second servers on the list I get an error: Error receiving packet: Connection reset by peer Please post the *full* debug

Re: peap termination issue when using fault tolerance

2011-03-27 Thread Rtz Poknat
@lists.freeradius.org Sent: Sunday, March 27, 2011 7:47:07 PM Subject: Re: peap termination issue when using fault tolerance Gil Mazor wrote: I can successfully do it with each one of the IAS servers below individually, however if one of the servers goes down and request is forwarded to the second

Re: peap termination issue when using fault tolerance for Redundency

2011-03-27 Thread Alan DeKok
Gil Mazor wrote: Yes , the error do cause a problem, as once it occurs , I must restart Radiusd. I attach two logs, first one is with the failure and the second one is a success , when the second IAS is commented in proxy.conf Log of the problem: FreeRADIUS Version 2.1.10, for host

Re: peap termination issue when using fault tolerance for Redundency

2011-03-27 Thread Gil Mazor
Hi Again, Is it possible to use different proxy technique than realms ,for instance if I use home servers in combination with (DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1, Proxy-To-Realm := mydomain.com ) will it work for this topology? what are the necessary configurations to accomplish it? --

Re: PEAP MSCHAPv2 error..

2011-02-09 Thread Mark Holmes
Thanks, Alan - got it fixed now. On 8 Feb 2011, at 21:15, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote: Hi, Entered bob as username, testing123 as password I get No such realm 'NULL' So added - realm test { authhost = LOCAL accthost = LOCAL } realm LOCAL { }

Re: PEAP MSCHAPv2 error..

2011-02-08 Thread Alan Buxey
Hi, Entered bob as username, testing123 as password I get No such realm 'NULL' So added - realm test { authhost = LOCAL accthost = LOCAL } realm LOCAL { } realm NULL { } Now I get rejected - the following from the debug output looks relevant what is your

Re: PEAP/EAP-GTC proxy?

2010-12-21 Thread Alan DeKok
mgmitch wrote: OK, upgraded to 2.1.10 as suggested. Thanks. However, I have a different issue now -- seems that the passcode is not being proxied over to the home server. I only see a username, nas IP address and proxy state being proxied in the access-request packet but no user-password.

Re: PEAP/EAP-GTC proxy?

2010-12-15 Thread mgmitch
OK, upgraded to 2.1.10 as suggested. Thanks. However, I have a different issue now -- seems that the passcode is not being proxied over to the home server. I only see a username, nas IP address and proxy state being proxied in the access-request packet but no user-password. Also get a

Re: PEAP/EAP-GTC proxy?

2010-12-14 Thread Alan DeKok
mgmitch wrote: ERROR: Failed to create a new socket for proxying requests. Upgrade to 2.1.10. This was *exactly* the same message posted only a day or so ago. Alan DeKok.

Re: PEAP/TTLS and Client certificates

2010-12-04 Thread Alan DeKok
rdeboer wrote: I already enabled said option, the only problem is that this doesn't enforce the use of PEAP with a client certificate, as the TLS module is enabled and configured, it allows you to log in with just a client certificate using TLS. What I want is to enforce the use of not just

Re: PEAP/TTLS and Client certificates

2010-12-02 Thread rdeboer
So a few weeks later and still not much further.. Has anyone got an idea how I could force PEAP sessions to supply client a client certificate? -- View this message in context: http://freeradius.1045715.n5.nabble.com/PEAP-TTLS-and-Client-certificates-tp3238845p3289077.html Sent from the

Re: PEAP/TTLS and Client certificates

2010-12-02 Thread Alan DeKok
rdeboer wrote: So a few weeks later and still not much further.. Has anyone got an idea how I could force PEAP sessions to supply client a client certificate? Read raddb/eap.conf. Look for client cert Alan DeKok.
