Phil Mayers wrote:
Isn't there a problem with that approach though? Namely, that the TLS-*
attributes aren't available in the authorize section (because the eap
module, and all the EAP methods, do their work in authenticate).
Yes.
But
in post-auth, turning an accept into a reject is
Graham Leggett wrote:
When using client certificates in EAP-TLS, the check_cert_cn option exists
that allows you to check that the username matches the CN. Is there a
corresponding option somewhere that will allow you to verify the User-Name
against the subjectAltName instead?
In the
On 08 Jan 2012, at 5:01 PM, Alan DeKok wrote:
When using client certificates in EAP-TLS, the check_cert_cn option exists
that allows you to check that the username matches the CN. Is there a
corresponding option somewhere that will allow you to verify the User-Name
against the
Graham Leggett wrote:
That wasn't quite what I was after, but rather a generic way to ensure the
User-Name matches either dnsName or rfc822Name in the subjectAltName,
depending on whether the peer was a host or a person.
Turned out the patch to implement this was simple, for
On 01/08/2012 08:28 PM, Alan DeKok wrote:
Turned out the patch to implement this was simple, for freeradius-server-master:
I'd prefer a patch which creates an attribute, just like the
TLS-Cert-* attributes. The reason is that policies can be created by
the administrator. A hard-coded
Schaatsbergen, Chris wrote:
A slightly different question, does the support from http://networkradius.com
come from the active users of this mailing list? I.e. if I buy a support
contract there, do the Alans get a part of that? I am missing a donate
button on the freeradius website and I
Hi,
A slightly different question, does the support from
http://networkradius.com come from the active users of this mailing list?
I.e. if I buy a support contract there, do the Alans get a part of that?
I am missing a donate button on the freeradius website and I hope/expect we
do
On Tue, Feb 15, 2011 at 4:45 AM, Alan Buxey a.l.m.bu...@lboro.ac.uk wrote:
please think about networkradius.com if you want to have a solid support for
the product -
it will ensure that you have a good FreeRADIUS deployment and you won't get Mr
Random in management
bearing down on you with
To clarify :
I'm using free radius 2.1.9 as a client to connect to a
distant server (not freeradius).
I'm using API for client access not the freeradius as a server
We are facing a problem for Tunnel-Server-Endpoint
attribute :
RFC http://www.ietf.org/rfc/rfc2868.txt
indicates for
Naoufel wrote:
To clarify :
I'm using free radius 2.1.9 as a client to connect to a
distant server (not freeradius).
I'm using API for client access not the freeradius as a server
I have no idea what that means.
So, there is no explicit prohibition of use of 0x00 as a Tag value.
Naoufel wrote:
Hi,
I'm using free radius 2.1.9 as a client to connect to a distant server (not
freeradius).
We are facing a problem for Tunnel-Server-Endpoint attribute :
RFC http://www.ietf.org/rfc/rfc2868.txt indicates for Tunnel-Server-Endpoint :
...
So, there is no explicit
Alan DeKok wrote:
Maja Wolniewicz wrote:
According to RFC4372 CUI attribute in request can include a single NUL
character, then your test
if (%{Chargeable-User-Identifier}) {
update reply {
Chargeable-User-Identifier =
}
}
evaluates to false.
I've fixed this in CVS
Maja Wolniewicz wrote:
I'm now running freeradius from CVS
FreeRADIUS Version 2.0.1-pre
in post-auth I have:
if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) {
if (%{Chargeable-User-Identity}) {
Please fix this. Putting double quotes around *everything* was never
necessary, and is much less
Alan DeKok wrote:
Maja Wolniewicz wrote:
I'm now running freeradius from CVS
FreeRADIUS Version 2.0.1-pre
in post-auth I have:
if (%{FreeRADIUS-Proxied-To} == 127.0.0.1) {
if (%{Chargeable-User-Identity}) {
Please fix this. Putting double quotes around *everything* was never
necessary,
Maja Wolniewicz wrote:
Thanks. Now it works.
That's good to hear.
Yes, I want to add current realm to reply attribute
Chargeable-User-Identity which comes from LDAP.
When Chargeable-User-Identity attribute isn't present in request I want
to remove Chargeable-User-Identity from reply.
Alan DeKok wrote:
Maja Wolniewicz wrote:
Thanks. Now it works.
That's good to hear.
Yes, I want to add current realm to reply attribute
Chargeable-User-Identity which comes from LDAP.
When Chargeable-User-Identity attribute isn't present in request I want
to remove
Maja Wolniewicz wrote:
According to RFC4372 CUI attribute in request can include a single NUL
character, then your test
if (%{Chargeable-User-Identifier}) {
update reply {
Chargeable-User-Identifier =
}
}
evaluates to false.
I've fixed this in CVS head
Stefan Winter wrote:
is that implemented in FR, be it 1.1 or 2.0? According to
http://wiki.freeradius.org/RFC it shouldn't be.
It's in the dictionaries...
From my reading of the RFC, defining it by hand in radreply is not
considered good enough, because it has a specific logic behind
Can you please send steps, I am also trying to do the same.
Rakesh
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of rick
wiltshire
Sent: Sunday, September 23, 2007 4:48 PM
To: freeradius-users@lists.freeradius.org
Subject: Support for SSO
rick wiltshire wrote:
All Clients are using WinXP supplicant. I managed to implement
PEAPMS-CHAP with this setup however with users who have cached
credentials on their PCs. If the user logs on the PC for the first time,
he fails to reach the active directory to authenticate since the
On Thu 19 Jul 2007, ashish verma wrote:
Hi all,
I am trying to configure free radius for some Cisco devices.
till now i am able to authenticate using the radius server and i am
getting into user level or privilege level depending on the attribute i am
defining. Now what i am looking for is
I thought it was:
cisco-avpair = shell:priv-lvl=levelnumber
If not, we need to fix the wiki.
Cheers
Peter
On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
Use proper format:
Cisco-AVPair = priv-lvl=levelnumber
Ivan Kalik
Kalik Informatika ISP
On 19/7/2007, ashish verma [EMAIL
Sorry, my mistake. It is shell:priv-lvl=levelnumber
Ivan Kalik
Kalik Informatika ISP
On 19/7/2007, Peter Nixon [EMAIL PROTECTED] wrote:
I thought it was:
cisco-avpair = shell:priv-lvl=levelnumber
If not, we need to fix the wiki.
Cheers
Peter
On Thu 19 Jul 2007, [EMAIL PROTECTED] wrote:
Use proper format:
Cisco-AVPair = priv-lvl=levelnumber
Ivan Kalik
Kalik Informatika ISP
On 19/7/2007, ashish verma [EMAIL PROTECTED] wrote:
Hi all,
I am trying to configure free radius for some Cisco devices.
till now i am able to authenticate using the radius server and i am getting
into
Nitin Naveen wrote:
Hi I am Nitin Naveen working with HUGHES SYSTIQUE. We have been working to
enhance freeradius to support WiMAX VSA (as per WiMAX NWG forum). WiMAX
VSA are not the typical type-length-value rather they have
type-length-controlinfo-value.
Yes..
We have enhanced the
Walter Goulet wrote:
Question on your planned contribution to FreeRADIUS: Does your module
support the key generation algorithms for the WiMAX mobility keys?
Specifically, is your module able to correctly generate the
MN-HA-MIP4-KEY and related key material from the EMSK derived as part
of
Hi Nitin,
Question on your planned contribution to FreeRADIUS: Does your module
support the key generation algorithms for the WiMAX mobility keys?
Specifically, is your module able to correctly generate the
MN-HA-MIP4-KEY and related key material from the EMSK derived as part
of the EAP exchange?
, 18 Jul 2007 22:57:37 -0500
From: Walter Goulet [EMAIL PROTECTED]
Subject: Re: Support for WiMAX VSA
To: FreeRadius users mailing list
freeradius-users@lists.freeradius.org
Message-ID:
[EMAIL PROTECTED]
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hi Nitin
Colleen C. Morrissey wrote:
Hi,
Why? If you have the clear-text password on the server, you can just
compare the two. There's no need to configure rlm_pap to do the NT hash.
I don't have the clear text password. Your original reply said this
would work with clear text
Colleen C. Morrissey wrote:
I don't have the clear text password. Your original reply said this
would work with clear text password or nt hash. I have the NT hash
and/or I can get the SHA1 base 64 encoded password (which was working
with gtc by itself). Can I get pap/gtc to work with the
That worked. Thank you!
Alan DeKok wrote:
Colleen C. Morrissey wrote:
I don't have the clear text password. Your original reply said this
would work with clear text password or nt hash. I have the NT hash
and/or I can get the SHA1 base 64 encoded password (which was working
with gtc by
I spoke too soon. This works ok for a user/password in users file, but
not via LDAP. Via ldap mschap works but not gtc. Below is snippet of
output when it is failing. Any advice on how to fix would be appreciated:
[EMAIL PROTECTED] raddb]# more gtc_info
modcall: entering group authenticate
Colleen C. Morrissey wrote:
I spoke too soon. This works ok for a user/password in users file, but
not via LDAP. Via ldap mschap works but not gtc. Below is snippet of
output when it is failing. Any advice on how to fix would be appreciated:
[EMAIL PROTECTED] raddb]# more gtc_info
Hi,
Why? If you have the clear-text password on the server, you can just
compare the two. There's no need to configure rlm_pap to do the NT hash.
I don't have the clear text password. Your original reply said this
would work with clear text password or nt hash. I have the NT hash
Colleen C. Morrissey wrote:
My question is can I somehow support both simultaneously with the same
freeradius daemon (I know I can simply run a second daemon on different
port supporting the other but that will require me to do lots of work on
infrastructure/ssids to point to different
Thanks! I had ldap returning Password-with-Header for GTC deployment
and then added NT-Password for ms-chapv2. Commenting out the
password-with-header for userpassword in ldap.attrmap seems to allow
both to work. Which makes my life much easier :)
Alan Dekok wrote:
Colleen C. Morrissey
Gunther wrote:
Will there be support for MySQL Stored Procedures in 2.0?
FreeRADIUS 2.0.0-pre1 does not yet support SP in MySQL.
The idea is to put the patch in 1.1.7 and 2.0.0.
Alan DeKok.
--
http://deployingradius.com - The web site of the book
http://deployingradius.com/blog/
Hi,
This */etc/freeradius/users* file works with Cisco Aironet:
(used for authentication on access points, a ssh connection gives enable
access directly)
normaluser Auth-Type := Local, User-Password == normaluser
superuser Auth-Type := Local, User-Password == superuser
Cisco-AVPair =
Hi,
I am using Freeradius version 1.1.3 for EAP-TTLS testing. I am testing for
EAP-TTLS with tunneled authentication type as MSCHAPV2.
I suspect it fails, because it sends back Access-Accept instead of sending
back the MS-CHAP2-Success encrypted over TLS protocol. please find the trace
Hi,
Please find the eap.conf attached with this Email. This is file which
i am using for testing MS-CHAPV2 over TTLS.
I am not sure what is wrong with this configuration.
Thanks in advance.
[EMAIL PROTECTED] wrote:
Hi,
I am using Freeradius version 1.1.3 for EAP-TTLS testing.
Santhosh Thodupunoori [EMAIL PROTECTED] wrote:
Does Freeradius have support for Sub-TLVs inside VSA TLVs today?
No.
If Freeradius does not currently support sub-attributes, is there a plan to
support this in future?
Sure. Send in a patch.
Alan DeKok.
--
http://deployingradius.com
Shankar Ganesh C [EMAIL PROTECTED] wrote:
Can any body help me how to add the support for disconnect request and ack
in freeradius ?
This is more a question for the freeradius-devel list.
And my suggestion is to first get familiar with the server. The
code is reasonably well organised, so
Scott J. Wolke [EMAIL PROTECTED] wrote:
I'm trying to get away from Steel Belted Radius and after realizing
that Freeradius can't auth against LDAP using EAP
FreeRADIUS can obtain user passwords from an LDAP database, and use
those passwords to perform EAP authentication.
No RADIUS
Gil Shai [EMAIL PROTECTED] wrote:
I've noticed that freeradius 1.0 supports MS-CHAP but when I looked at
the code, I didn't find any trace of an option to periodically change
the password using MS-CHAP.
FreeRADIUS doesn't implement RADIUS change password packets,
either.
Does anyone know
chance that FreeRADIUS will support it in the near future?
Thanks,
Gil Shai
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alan
DeKok
Sent: Monday, September 20, 2004 5:22 PM
To: [EMAIL PROTECTED]
Subject: Re: Support of MS-CHAP
Gil Shai [EMAIL
Gil Shai [EMAIL PROTECTED] wrote:
Is there any chance that FreeRADIUS will support it in the near future?
Sure, supply a patch.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Hi
I still have not got any support for the question I asked today. Please help me
with this.
Hi,
Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
Thanks in
Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x
file.
Thanks in advance.
That's not a question for the FreeRadius list as it isn't a problem with
PROTECTED]
Subject: RE: Support Needed
Hi
I still have not got any support for the question I asked today. Please help
me with this.
Hi,
Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx
On Thu, 2004-04-08 at 14:41, M.Bilal Fassy wrote:
Hi
I still have not got any support for the question I asked today. Please help me
with this.
Perhaps because this is not a FreeRADIUS question?
man cron
man sendmail
man bash
Any other work on your plate you need us to do for you?
Hi,
Dear Troy,
The URL you had given below does not state anything.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Troy
Winemiller
Sent: Friday, April 09, 2004 12:50 AM
To: [EMAIL PROTECTED]
Subject: RE: Support Needed
Not really a freeradius problem.
Give
]
Subject: RE: Support Needed
On Thu, 2004-04-08 at 14:41, M.Bilal Fassy wrote:
Hi
I still have not got any support for the question I asked today. Please help me
with this.
Perhaps because this is not a FreeRADIUS question?
man cron
man sendmail
man bash
Any other work on your plate you need us
The URL you had given below does not state anything.
Yes, actually, it does.
--
__
Mike Ockenga, CCNP [EMAIL PROTECTED]
Hi
I still have not got any support for the question I asked today. Please help me
with this.
Hi,
Could you tell me how I could use cron to send me a mail to me,
automatically every day at 12 midnight with the
/usr/local/var/log/radius/radacct/xxx.xxx.xxx.xxx/detail-2004x file.
54 matches