On Jun 12, 2012, at 9:06 AM, akkouche wrote:
> how to put the parameters in which files, to set up the TTLS / PAP ?
greetings,
way too many options out there. keep reading.
use the Default FreeRadius + ldap module, ensure ssh is in order.
-j
how to put the parameters in which files, to set up the TTLS / PAP ?
--
View this message in context:
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-PAP-LDAP-tp2752336p5713663.html
Sent from the FreeRadius - User mailing list archive at Nabble.com.
-
List info/subscribe/unsubscribe? See http://
Nope, it's in my authorize section which is:
Sure it is since the password is read from the LDAP authorize backend ;-)
My authenticate section (notice LDAP is commented out):
authenticate {
# Auth-Type LDAP {
# ldap
# }
}
The first line in my users file for my
"Matt Ashfield" <[EMAIL PROTECTED]> wrote:
> My authenticate section (notice LDAP is commented out):
...
> The first line in my users file for my Access Point is:
> DEFAULT Auth-Type = ldap
You configured the server to NOT do LDAP authentication, and then
told it to do LDAP authentication.
It
Matt Ashfield
Network Analyst
Integrated Technology Services
University of New Brunswick
(506) 447-3033
[EMAIL PROTECTED]
-Original Message-
From: Thibault Le Meur [mailto:[EMAIL PROTECTED]
Sent: July 18, 2006 1:00 PM
To: [EMAIL PROTECTED]; 'FreeRadius users mailing list'
Subject
> rad_check_password: Found Auth-Type ldap
> auth: type "LDAP"
> ERROR: Unknown value specified for Auth-Type. Cannot
Is the ldap module defined in your authenticate section ?
Regards,
Thibault
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
assumed was
correct:
pap {
encryption_scheme = sha1
}
Cheers
Matt Ashfield
[EMAIL PROTECTED]
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf
Of Phil Mayers
Sent: July 15, 2006 8:09 AM
To: FreeRadius users mailing list
Subject: Re: EAP-TTLS-PAP-LDAP
Rohaizam Abu Bakar wrote:
Thanks Phil.. what a stupid move to paste all that passwd.. I've
changed it as soon as i get ur mail... thanks again...
cannot find any article related to repeating LDAP query for EAP... pls
help..
You don't need to worry about the EAP. The EAP is working fine.
quire plain passwd.. When I change password to plain. with the
same setting.. it's working...
--haizam
- Original Message -
From: "Phil Mayers" <[EMAIL PROTECTED]>
To: "FreeRadius users mailing list"
Sent: Friday, July 14, 2006 5:26 PM
Subject: Re: EAP
"FreeRadius users mailing list"
Sent: Friday, July 14, 2006 11:28 PM
Subject: Re: EAP-TTLS-PAP-LDAP
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
No error detected (refer below debug logs)
Really?
auth: type Local
auth: user supplied User-Password does NOT match
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> No error detected (refer below debug logs)
Really?
> auth: type Local
> auth: user supplied User-Password does NOT match local User-Password
> auth: Failed to validate the user.
Try using the correct password to log in.
Alan DeKok.
Rohaizam Abu Bakar wrote:
rlm_ldap: Added password {CRYPT}$1$ZRXMvi1s$zBQaHYkaxDjGi5zL2geNN0 in
That's your problem.
The CVS version of FreeRadius has auto_header which will detect the
{type} in the password, strip it and put the password in the right
place. Try that. Or, write an external s
request 9
rlm_ldap: - authorize
rlm_ldap: performing user authorization for jaroce2
radius_xlat: '(uid=jaroce2)'
radius_xlat: 'ou=OCE,ou=AAA,ou=People,dc=jaring,dc=my'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=O
"Rohaizam Abu Bakar" <[EMAIL PROTECTED]> wrote:
> Login incorrect: [EMAIL PROTECTED] (from client localhost port 0)
> TTLS: Got tunneled Access-Reject
So read the *previous* debug logs to see why it was rejected.
Alan DeKok.
--- John Allman <[EMAIL PROTECTED]> wrote:
> Stefan Winter wrote:
> >> I'm searching through my dell wireless wlan card utility and i'm pretty sure
> >> i can't hide it. Are dell breaking any rfcs or other standards that i can
> >> take them up on?
> >
> > No. It's optional. If Dell doesn't
Hi,
> I'm very impressed. I installed this and all of my complaints and
> concerns are answered! Now, i'm assuming and hoping the linux wpa
> supplicant also supports this...
Sure thing :-) It's Free Open Source Software after all :-)
> > Uh. You should consider that you will have _no_ link-laye
Stefan Winter wrote:
>> I'm searching through my dell wireless wlan card utility and i'm pretty sure
>> i can't hide it. Are dell breaking any rfcs or other standards that i can
>> take them up on?
>
> No. It's optional. If Dell doesn't do it, bad luck. But you can always
> install
> a supplica
> "Most supplicants". So there's a chance that a supplicant might not do
> so?
Yes. It's implementation-specific. The Win XP built-in supplicant for example
does not do it.
> Is the Identity in the EAP-Message in the first packet always the
> same as the User-name i see in all packets?
Yes, t
Stefan Winter wrote:
>
> The thing about anonymous outer identity is that it doesn't matter what you
> put in there. If your real name is "iamcool" and your password
> is "evencooler" you can happily send "foobar" as Identity. Authentication
> will only depend on what's inside the tunneled PAP r
Hi!
> Hmmm. Well, in the first packet i see the Identity in the EAP-Message,
> but the User-name attribute is in every packet sent by the AP. How would
> i go about using an anonymous identity? Would that be up to the wireless
> client configuration? It would be quite important for me to hide this
[EMAIL PROTECTED] wrote:
>> The EAP-Message doesn't appear to be encrypted on the initial packet
>> from the ap to the server. Inside i see Type and Identity (containing my
>> username. The username is also in the User-Name attribute)
>>
>
> that'll be your outer identity... which, as it is pl
Hi,
> The EAP-Message doesn't appear to be encrypted on the initial packet
> from the ap to the server. Inside i see Type and Identity (containing my
> username. The username is also in the User-Name attribute)
that'll be your outer identity... which, as it is plain to see (pun definitely
intend
[EMAIL PROTECTED] wrote:
> "captive portal" - there are several software tools that will do this...
> eg http://en.wikipedia.org/wiki/Captive_portal
>
> most people seem to be moving away from this method as it is riddled with
> possible security compromises.
>
Thanks for the heads-up. I'll tak
Stefan Winter wrote:
> You need to differentiate two parts of the link: a) the data that is passed
> between the client device and the RADIUS server and b) the backend
> communication between RADIUS server and LDAP.
>
> a) is encrypted when using EAP-TTLS
> b) may or may not be encrypted, depend
Hi,
> I'm using freeradius-1.1.2 on a freebsd server and i've compiled it
> against openldap-2.3.24 which all went well. I'm attempting to set up
> secure wireless with WPA2 using our ldap directory for authentication.
> We have a replica of our directory running on the freeradius server.
> Origin
> Quite new to radius and struggling to get my head around things so
> forgive me if my assumptions are wrong. I appear to have the setup
> working but i'm concerned it's not doing what i think it is. I don't
> think the authentication requests are actually going over an encrypted
> channel.
You
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> I did not intend to mislead anyone. I didn't realize that client was
> forcing TTLS+MSCHAP.
Which is why you run the server in debugging mode. It tells you
exactly what the client is doing, which often goes a LONG way to
solving problems.
Alan De
Alan DeKok wrote:
1) The tunneled session is MS-CHAP, not PAP. The server is telling
you this in the debug messages! I don't understand why you are asking
about TTLS + PAP when you're using TTLS + MSCHAP. Please do not post
misleading messages to the list.
I did not intend to mislead anyone.
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> Apparently I am missing something since it is not working. FreeRADIUS is
> 1.1.0-pre0 snapshot from 20050311. Client is Mac OS X laptop. I was able
> to get the client going with users file and plain text passwords.
Ok...
> I got following in radiu
Alan DeKok wrote:
Vladimir testuser <[EMAIL PROTECTED]> wrote:
Great. So how do I configure it :-) to use LDAP CRYPT or MD5 hashes.
Read the documentation and the sample configuration files.
TTLS + PAP is *REALLY* TTLS + PAP. Configure PAP, configure TTLS,
and TTLS + PAP will work.
Ap
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> Great. So how do I configure it :-) to use LDAP CRYPT or MD5 hashes.
Read the documentation and the sample configuration files.
TTLS + PAP is *REALLY* TTLS + PAP. Configure PAP, configure TTLS,
and TTLS + PAP will work.
> It may be however that i
Alan DeKok wrote:
After that, configure a plain-text password. EAP-TTLS with tunneled
PAP, CHAP, MS-CHAP, EAP-MSCHAPv2, and EAP-GTC will work.
But shouldn't FreeRADIUS be able to extract username and password from
PAP packet and check those credentials by binding to LDAP ?
Yes.
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> > After that, configure a plain-text password. EAP-TTLS with tunneled
> >PAP, CHAP, MS-CHAP, EAP-MSCHAPv2, and EAP-GTC will work.
>
> But shouldn't FreeRADIUS be able to extract username and password from
> PAP packet and check those credentials by b
Alan DeKok wrote:
Configure certificates for EAP-TLS. See raddb/eap.conf, eap{}
section, tls{} subsection. Also uncomment ttls{} section. Run
scripts/certs.sh (and read it).
After that, configure a plain-text password. EAP-TTLS with tunneled
PAP, CHAP, MS-CHAP, EAP-MSCHAPv2, and EAP-GTC will
Vladimir Vuksan <[EMAIL PROTECTED]> wrote:
> Hmm... We can do that already. Just use EAP-TTLS/PAP and have
> freeradius authenticate via an LDAP bind rather than a password compare.
> It works great for me.
>
> I would like to find out if someone actually has notes that they would
> b
36 matches