Jevos, Peter wrote:
Hi Alan, thanks, I’ve read it but it’s too complicated and I’m
missing more examples of configurations
The raddb directory *does* come with examples.
If anybody help me with the syntax and code location with this issue:
Sorry, but:
1) the unlang documentation
Thank you phill, that's great help, but it still doesn't work as it
should.
Now I don't know how should I adjust the users file : )
I used
if ((NAS-IP-Address == 1.1.1.1) %{mschap:NT-Domain} =
vipdomainuser)) {
update control {
Auth-Type := ntlm_auth_vip
Jevos, Peter wrote:
Thank you phill, that's great help, but it still doesn't work as it
should.
Now I don't know how should I adjust the users file : )
You don't. The messages on this list should make it *very* clear that
updating the authorize section is all that is necessary.
With this
As a hint, if you don't implement a rule for a different NT-Domain,
then the rules for that different NT-Domain won't be applied. Because
they don't exist.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Alan, it makes sense. But it
Jevos, Peter wrote:
Thank you Alan, it makes sense. But it doesn't solve my problem
(1) Edit your responses. It shows consideration for other people
(2) pick one problem at a time. Changing the problem midway in a
conversation makes it look like you don't care about the solution to the
Jevos, Peter wrote:
Fall-through attribute doesn’t work in this case, cause it is “falling”
all the time ( even though it matches the condition )
You're not getting what I'm saying. The users file does *not* run
during the authenticate phase. So it makes no sense to ask about
modifying the
Jevos, Peter wrote:
First, edit your posts to delete unneeded text. Repeating all of the
message you're replying to is unfriendly.
I agree with you, regarding the logic when the packet looks like X, choose
A. When it looks like Y, choose B
Is it possible to apply it? Which files should
See man unlang. Put the logic into raddb/sites-available/default,
the authorize section.
Uh... read the debug output, and look at the files in the raddb
directory. The directory has more than *one* file. This should be a
hint that the users file doesn't solve everything.
Alan
On 11/11/10 15:49, Jevos, Peter wrote:
See man unlang. Put the logic into raddb/sites-available/default,
the authorize section.
Uh... read the debug output, and look at the files in the raddb
directory. The directory has more than *one* file. This should be a
hint that the users file
Jevos, Peter wrote:
How can I skip to the second DEFAULT if the first DEFAULT doesn’t pass ?
Use the Fall-Through attribute. See comments in the default users
file.
So if request comes from the 10.1.1.2 and user doesn’t pass through
authentication, it should be forwarded to another DEFAULT
Jevos, Peter wrote:
How can I skip to the second DEFAULT if the first DEFAULT doesn’t pass ?
Use the Fall-Through attribute. See comments in the default users
file.
So if request comes from the 10.1.1.2 and user doesn’t pass through
authentication, it should be forwarded to
Jevos, Peter wrote:
Fall-through attribute doesn’t work in this case, cause it is “falling”
all the time ( even though it matches the condition )
You're not getting what I'm saying. The users file does *not* run
during the authenticate phase. So it makes no sense to ask about
modifying the
Hi
How can I skip to the second DEFAULT if the first DEFAULT doesn't pass ?
So if request comes from the 10.1.1.2 and user doesn't pass through
authentication, it should be forwarded to another DEFAULT ( with the
vpn_auth_name authentication).
Now it stops at the first DEFAULT
DEFAULT
Hi , I tried to setup configuration from different sources from the
web, but it's not easy
I have cisco vpn access server where are more IPSEC profiles ( groups ).
They should be authenticated against Freeradius.
One profile called Group1 should be authenticated against ntlm_auth_vpn
(
On 04/11/10 10:41, Jevos, Peter wrote:
However this config doesn’t work, debug looks strange ( takes only first
Cisco Avpair attribute ), probably something wrong in the config
Send the full debug output, as asked frequently on this list.
On 04/11/10 10:41, Jevos, Peter wrote:
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
Tunnel-Type = ESP,
Tunnel-Private-Group-ID = Group1,
Tunnel-Password = cisco,
Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
Cisco-Avpair=ipsec:addr-pool=vpn_pool,
This is wrong; you want:
On 04/11/10 10:41, Jevos, Peter wrote:
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
Tunnel-Type = ESP,
Tunnel-Private-Group-ID = Group1,
Tunnel-Password = cisco,
Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
Cisco-Avpair=ipsec:addr-pool=vpn_pool,
This is wrong; you
On 04/11/10 15:25, Jevos, Peter wrote:
On 04/11/10 10:41, Jevos, Peter wrote:
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
Tunnel-Type = ESP,
Tunnel-Private-Group-ID = Group1,
Tunnel-Password = cisco,
Cisco-Avpair=ipsec:dns-servers=10.1.1.6 10.1.1.7,
Cisco-AVpair += 2nd:attribute
This is documented in the manpage and docs.
Thank you, it helped but it still doesn't work as I wished:
All I need is:
When request comes from 10.1.1.252 and
On 04/11/10 15:52, Jevos, Peter wrote:
Dear Phil , thank you ,
I removed Fall through parameter, it works partially, when user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes the Auth-Type := ntlm_auth_vpn ( which is wrong ), and not
Auth-Type :=
On 04/11/10 15:52, Jevos, Peter wrote:
Dear Phil , thank you ,
I removed Fall through parameter, it works partially, when user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes the Auth-Type := ntlm_auth_vpn ( which is wrong ), and not
Auth-Type :=
On 04/11/10 16:15, Jevos, Peter wrote:
Thanks for your reply, however as you can see from my previous posts, I did
it:
Frankly I find your posts confusing; your email client doesn't quote
properly and mangles the text wrapping, so I had no way to be sure.
Post full debug output of a failing
On 04/11/10 16:15, Jevos, Peter wrote:
Thanks for your reply, however as you can see from my previous posts, I did
it:
Frankly I find your posts confusing; your email client doesn't quote
properly and mangles the text wrapping, so I had no way to be sure.
Post full debug output of a failing
23 matches