gives freeradius-2.1.12-4.el6_3.x86_64
the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
this is the log from radiusd -X
rad_recv: Access-Request packet from host 127.0.0.1 port 49338,
id=12, length=152
and it's populated.
rpm -q freeradius gives freeradius-2.1.12-4.el6_3.x86_64
the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
If you are *really* sure of this (have you created a test user with a
simple
Horatiu Nimigean wrote:
the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
No, you're not.
[mschap] Found NT-Password
[mschap] Creating challenge hash with username: testuser1
[mschap] Told
the auth fails however when i try connecting from my windows8 client.
i need to mention that i am sure i'm inputting correct passwords.
If you are *really* sure of this (have you created a test user with a
simple password?), then it might be the PAP module helpfully
fiddling with the password
are NOT updated.
Apologies.
upon editing with apache directory studio it auths perfectly. both from
win8 client as well as radtest.
thanks for strongly pointing out that indeed there's a problem with the
damn hashes.
Cheers.
On 8/6/2013 6:36 PM, Alan DeKok wrote:
Horatiu Nimigean wrote:
the auth fails
Hello out there,
I'm testing the FreeRADIUS Version 2.1.12 Module with AD Integration
following the deployingradius.com Guide.
Installed winbind and samba Version 3.6.3 and ntlm_auth tests are fine.
Now i'm testing with radtest while running radius in Debug mode.
The following line has been added
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand: %{Stripped-User-Name} -
[mschap]... expanding second conditional
[mschap]expand: %{mschap:User-Name:-None} -
On behalf of Andres Septer
Sent: Wednesday, 4 April 2012 14:14
To: FreeRadius users mailing list
Subject: RE: MSCHAP Auth fails
# Executing group from file /etc/raddb/sites-enabled/packetfence
+- entering group MS-CHAP {...}
[mschap] Told to do MS-CHAPv1 with NT-Password
[mschap]expand
Just looked at this line in my config there is a --ntresponse instead
of #ntresponse
[mschap]expand: #ntresponse=%{mschap:NT-Response:-00} -
#ntresponse=f7b8cd66af90b5791fb4b09421dbbf2cbed180e7e72304b5
Exec-Program output: Logon failure (0xc06d)
Exec-Program-Wait: plaintext: Logon
Weber, Felix wrote:
Just looked at this line in my config there is a --ntresponse instead
of #ntresponse
That's bad.
In my mschap module the ntresponse parameter is written with --, so
why is radtest interpreting it with an # ??
Because it's written with a '#' in the mschap module.
Alan DeKok
Sent: Wednesday, 4 April 2012 18:43
To: FreeRadius users mailing list
Subject: Re: AW: MSCHAP Auth fails
Go back and ensure that there is only ONE mschap module in the modules
directory.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Dear Alan!
I am beginner in RADIUS. I guessed you talked about
sites-available/default
because Cisco does not use any realms when sends its packets to the RADIUS.
I think it's needed expanding of my task boundaries :-) I want to make
Cisco
devices authenticate users when they enter the
Яцко Эллад Геннадьевич (ngs) wrote:
I am beginner in RADIUS. I guessed you talked about
sites-available/default
because Cisco does not use any realms when sends its packets to the RADIUS.
I talked about realms because I wanted to talk about realms.
I think it's needed expanding of my task
Are we in a bad mood?
Date: Tue, 11 Oct 2011 08:46:28 +0200
From: al...@deployingradius.com
To: freeradius-users@lists.freeradius.org
Subject: Re: Local Auth if Proxy Auth fails ---OR--- Proxy Auth if Local Auth
fails
Яцко Эллад Геннадьевич (ngs) wrote:
I am beginner in RADIUS. I
Am I ?! :-)
I've just asked some questions.. Maybe stupid (I repeat again I am
beginner in RADIUS)..
And I still out of knowledge what to-do... Or more exactly: how does
it work?...
Kind regards,
Ellad Yatsko
Are we in a bad mood?
Яцко Эллад Геннадьевич (ngs) wrote:
I've just asked some questions.. Maybe stupid (I repeat again I am
beginner in RADIUS)..
And I still out of knowledge what to-do... Or more exactly: how does
it work?...
My original answer explained what to do.
Follow instructions, or don't ask
Dear Alan!
I ask you to be more indulgent, I didn't want to anger you. :-)
Would you explain how will it work? I really need to understand
what is happening, cause I want to do any thing sensibly.
Suppose I have performed all your recommendations. Cisco sends
Access-Accepts to RADIUS, It receives
Яцко Эллад Геннадьевич (ngs) wrote:
Would you explain how will it work? I really need to understand
what is happening, cause I want to do any thing sensibly.
My original message explained what was going on.
Suppose I have performed all your recommendations. Cisco sends
Access-Accepts to
Hello!
Is it possible to use another Auth-mechanism if primary Auth failed?
The below is what I meant:
1) NAS - FreeRADIUS: User/Password
2) FreeRADIUS - Does User exist in Local DB?
3) If yes - Access-Accept!
4) If no - Are any Proxies configured? FreeRADIUS - Proxy: User/Password
5) Proxy
Яцко Эллад Геннадьевич (ngs) wrote:
1) NAS - FreeRADIUS: User/Password
2) FreeRADIUS - Does User exist in Local DB?
authorize {
...
ldap
if (!notfound) {
update control {
Proxy-To-Realm := realm
}
}
Hello everyone,
I'm trying to use plain mac auth (
http://wiki.freeradius.org/Mac%20Auth#Plain+Mac-Auth) and at the radius
server says Login Ok, Accepting user, but at the client says auth fails
(w7) here is the output of it:
Does anyone know what might be the problem?
Thanks ,
*rad_recv
Paulo Maia wrote:
I'm trying to use plain mac auth
No, you're not.
(http://wiki.freeradius.org/Mac%20Auth#Plain+Mac-Auth) and at the radius
server says Login Ok, Accepting user, but at the client says auth
fails (w7) here is the output of it:
Does anyone know what might be the problem
/Mac%20Auth#Plain+Mac-Auth) and at the radius
server says Login Ok, Accepting user, but at the client says auth
fails (w7) here is the output of it:
Does anyone know what might be the problem?
Thanks ,
rad_recv: Access-Request packet from host 172.20.0.11 port 1645, id=28,
length=139
On 08/07/11 16:30, Paulo Maia wrote:
Ow i cannot authenticate just the mac-address ? i must have user
and pass ?
Yes. EAP is a challenge/response protocol. You must send correct
responses, and this means you must know the password.
Brett Littrell wrote:
Not sure if you're just having issues with the OID or something else,
but I found the thread really helped to fix cert issues I had.
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.html
I used the MS cert server as described in this listing as
On 02/08/2011 06:16 AM, Domenico Viggiani wrote:
Thanks but I think that recent versions of Freeradius contains a certs
generation script that provide test certificates with all OIDs needed.
Or am I wrong?
I'm currently still unable to authenticate a XP SP3 client to FR by Active
Directory.
I
I do not recall FR 2.11 default working with Windows so I followed the
instructions from the link I posted and it started to work after that; of
course I am using a LDAP back end not AD directly. I can and do authenticate
Windows XP SP3 no problem against FR, but as I said it is with an LDAP
Hi,
} # server inner-tunnel
[peap] Got tunneled reply code 11
EAP-Message =
0x010a00331a0309002e533d4341303635413435333430423234384542433237433546463731
3133303545423545354633383131
Message-Authenticator = 0x
State =
..this is where it ends - an access challenge never gets responded to.
do you have the
CA of the RADIUS server installed on the client?
No but I disabled Validate Server Certificate on the client. Is it not
enough?
Thanks again for quick reply
--
DV
Hi,
..this is where it ends - an access challenge never gets responded to.
do you have the
CA of the RADIUS server installed on the client?
No but I disabled Validate Server Certificate on the client. Is it not
enough?
add the CA
alan
..this is where it ends - an access challenge never gets responded
to.
do you have the
CA of the RADIUS server installed on the client?
No but I disabled Validate Server Certificate on the client. Is it
not
enough?
add the CA
Done but same problem. I read certs/README file with
Domenico Viggiani wrote:
Done but same problem. I read certs/README file with MANY other caveats
about Windows:
http://deployingradius.com has *complete* and *detailed* instructions
for getting EAP to work with Windows.
I'm forced to abandon this project and resort to M$'NAP server :(
I'm forced to abandon this project and resort to M$'NAP server :(
If it works with NAP, you can get it to work with FreeRADIUS.
There are 10's of 1000's of sites using Windows clients with
FreeRADIUS. There is *every* reason to believe that it works.
Of course. Sorry for my previous
Hi,
I'm forced to abandon this project and resort to M$'NAP server :(
if you do, then it's your loss and you'll be limited for the future of your
infrastructure.
use freeRADIUS - after all, at least it will give you information and debug
detailed information when NPS goes wrong...well,
if you do, then it's your loss and you'll be limited for the future of
your infrastructure.
use freeRADIUS - after all, at least it will give you information and
debug
detailed information when NPS goes wrong...well, good luck.
I understand very well: I used older M$'IAS and it offered NO
Hi,
service (installed from Red Hat official RPM package, not compiled).
What else can I do? A client PC with an OS different from XP?
for initial testing/verification, use a client that isn't stupid or fussy.
I'd say start with basic reference system - eg Linux with wpa_supplicant
(eg
Hi
Not sure if you're just having issues with the OID or something else, but I
found the thread really helped to fix cert issues I had.
http://lists.cistron.nl/pipermail/freeradius-users/2006-October/msg00515.html .
I used the MS cert server as described in this listing as well as used
matthew zeier wrote:
Can you post the errors?
I haven't used 1.0.1 in *years*, so I have no idea what may or may not
work when upgrading from 1.0.1 to 1.1.6.
Should have mentioned that that's what RHEL4 ships.
I've seen that with other projects, too. RedHat has a tendency to
include
With nearly the same config files as I had working on 1.0.1, I'm having
problems with 1.1.6 authenticating WPA users.
Probably something to do with this:
rlm_mschap: No User-Password configured. Cannot create LM-Password.
rlm_mschap: No User-Password configured. Cannot create
matthew zeier wrote:
With nearly the same config files as I had working on 1.0.1, I'm having
problems with 1.1.6 authenticating WPA users.
See man rlm_pap in 1.1.6. That might help.
If there are other relevant files, let me know. Box is more or less a
stock RHEL4.
Debug output?
Alan DeKok wrote:
matthew zeier wrote:
With nearly the same config files as I had working on 1.0.1, I'm having
problems with 1.1.6 authenticating WPA users.
See man rlm_pap in 1.1.6. That might help.
If there are other relevant files, let me know. Box is more or less a
stock
matthew zeier wrote:
I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is
that enough debug ?
Yes.
In 1.0.1, where are the passwords obtained from? LDAP? users file?
LDAP.
The debug output doesn't reference LDAP. i.e. you moved only part of
your configuration
Alan DeKok wrote:
matthew zeier wrote:
I pasted all of 'radiusd -X' to http://pastebin.mozilla.org/10251. Is
that enough debug ?
Yes.
In 1.0.1, where are the passwords obtained from? LDAP? users file?
LDAP.
The debug output doesn't reference LDAP. i.e. you moved only part
Can you post the errors?
I haven't used 1.0.1 in *years*, so I have no idea what may or may not
work when upgrading from 1.0.1 to 1.1.6.
Should have mentioned that that's what RHEL4 ships.
--
matthew zeier | Network Engineer | Mozilla Corp. | (650)903-0800 x219
In a nutshell: I'd like to proxy authentication requests to a
Microsoft IAS server only if the attempt to first handle them locally has
returned a REJECT.
Details: I have IAS properly configured to authenticate AD users.
FreeRADIUS (1.0.1) is running on a Linux (Debian, kernel 2.4.26)
Woods, Bryan [EMAIL PROTECTED] wrote:
In a nutshell: I'd like to proxy authentication requests to a
Microsoft IAS server only if the attempt to first handle them locally has
returned a REJECT.
It requires a bit of code changes, but it's possible.
Hmm... edit
46 matches