Freeradius-Users Digest, Vol 30, Issue 107

Maribel Hernandez mhernandezl at yahoo.com
Tue Oct 30 18:57:32 CET 2007


Hello:

freeradius-users-request at lists.freeradius.org wrote:

Today's Topics:

1. Cisco sslvpn authentication with freeradius (satish patel)
2. freeRADIUS with Active-derectory (Hangjun He)
3. Re: freeRADIUS with Active-derectory (Alan DeKok)
4. Re: SSL certificate problems (Alan DeKok)
5. Re: Class attribute in accounting record. (Alan DeKok)
6. Re: web based admin (satish patel)


----------------------------------------------------------------------

Message: 1
Date: Tue, 30 Oct 2007 05:41:30 +0000 (GMT)
From: satish patel 

Subject: Cisco sslvpn authentication with freeradius
To: freeradius-users 
Message-ID: <47025.12580.qm at web8405.mail.in.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear all

I have a Cisco SSLVPN gateway and I want to authenticate users with a FreeRADIUS authentication server, but I need more input from the community: what type of control can I do with it? Is it possible to control some user sessions or the number of times? Has anybody done it?




$ cat ~/satish/url.txt 

http://www.linuxbug.org

------------------------------

Message: 2
Date: Tue, 30 Oct 2007 14:25:24 +0800 (CST)
From: Hangjun He 
Subject: freeRADIUS with Active-derectory
To: FreeRadius users mailing list

Message-ID: <138552.33288.qm at web15101.mail.cnb.yahoo.com>
Content-Type: text/plain; charset="gb2312"

Hi,
I have configured ntlm_auth in freeRADIUS to talk to AD (user store), and it works well.
Now I want to use LDAP to get attributes from AD; it failed.

It seems ldapsearch will search the user's display name, and ntlm_auth will search the user's user logon name.

If I set the display name the same as the user logon name, it works. Is there a way to let ldapsearch search the user logon name too?


Related configuration in radiusd.conf:
authorize {
    mschap
    suffix
    eap
    files
    ldap
}

authenticate {
    Auth-Type MS-CHAP {
        mschap
    }
    eap
    ldap
}



------------------------------

Message: 3
Date: Tue, 30 Oct 2007 07:38:59 +0100
From: Alan DeKok 
Subject: Re: freeRADIUS with Active-derectory
To: FreeRadius users mailing list

Message-ID: <4726D183.4080104 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Hangjun He wrote:
> I have configured ntlm_auth in freeRADIUS to talk to AD (user store), and
> it works well.
> Now I want to use LDAP to get attributes from AD; it failed.
> 
> It seems ldapsearch will search the user's *display name*, and ntlm_auth
> will search the user's *user logon name.*
> 
> If I set the display name the same as the user logon name, it works. Is
> there a way to let ldapsearch search the user logon name too?

The LDAP search strings are editable in radiusd.conf.

Alan DeKok.
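
An added illustration of the reply above (not part of the original thread, and not taken from the FreeRADIUS distribution): an ldap module section in radiusd.conf whose search filter matches the Active Directory logon name attribute sAMAccountName, the name ntlm_auth is given. The server, bind account, password and base DN are placeholders, and it is an assumption that the poster's current filter matches on some other attribute.

```conf
# radiusd.conf, modules { } section (FreeRADIUS 1.x layout assumed)
ldap {
	# Placeholders: use your own domain controller and a
	# low-privilege, read-only bind account.
	server   = "dc1.example.com"
	identity = "cn=radius-lookup,cn=Users,dc=example,dc=com"
	password = "CHANGE_ME"
	basedn   = "dc=example,dc=com"

	# Protect the bind password and returned attributes on the wire.
	# Requires the domain controller to offer TLS.
	start_tls = yes

	# Stock-style filter: matches uid, which AD user objects normally
	# leave unpopulated, so a lookup by logon name finds nothing.
	# filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"

	# Match the AD logon name instead. Stripped-User-Name is used when
	# the suffix module has removed a realm, otherwise User-Name.
	filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
}
```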


------------------------------

Message: 4
Date: Tue, 30 Oct 2007 07:40:24 +0100
From: Alan DeKok 
Subject: Re: SSL certificate problems
To: FreeRadius users mailing list

Message-ID: <4726D1D8.5020702 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Walter Gould wrote:
> Sorry to bother you guys again - I created new SSL certificates per
> your above instructions... After the certs were created, I then:
> 
> 1. copied them to the /etc/raddb/certs directory
> 2. updated /etc/raddb/eap.conf with the certificate names & private key
> password
> 3. copied and installed the new certificate (server.pem) onto my XP
> laptop and
> 4. started radiusd in debug mode, below is the output
> 
> It is acting as you describe in the FAQ -

You didn't add the root certificate to the XP machine. See the
EAP-TLS "howto's" on the web site.

> So, I am wondering will I need to install the hotfix as listed in the
> FAQ - and, will this have to be done on ALL Windows machines? I am
> thinking that I still do not have something configured right on my
> side. If I uncheck the "validate server certs" box on the XP client, I
> can connect and authenticate successfully.

Yup. "Ignore that we have no idea where this certificate came from,
and do PEAP anyways".

Alan DeKok.


------------------------------

Message: 5
Date: Tue, 30 Oct 2007 07:41:38 +0100
From: Alan DeKok 
Subject: Re: Class attribute in accounting record.
To: mje at posix.co.za, FreeRadius users mailing list

Message-ID: <4726D222.4010003 at deployingradius.com>
Content-Type: text/plain; charset=ISO-8859-1

Mark Elkins wrote:
> .. which keeps personal changes to one place (sql.conf and files
> in /etc/raddb) and saves me from upsetting Alan DeKok's karma* - a bad
> thing to do.


The files are editable for a reason. If all you see is ASCII
"Class" attributes, add the following to the bottom of raddb/dictionary:

ATTRIBUTE Class 25 string

Alan DeKok.


------------------------------

Message: 6
Date: Tue, 30 Oct 2007 09:01:19 +0000 (GMT)
From: satish patel 

Subject: Re: web based admin
To: FreeRadius users mailing list

Message-ID: <653821.58006.qm at web8403.mail.in.yahoo.com>
Content-Type: text/plain; charset="iso-8859-1"

Dear 

I also need this kind of setup. I want to replace AAA ACS with FreeRADIUS, but I don't know how accounting works in this case, or authorization on a Cisco level basis. Can you provide me a document or URL for this setup?

"Hawkins, Michael" wrote:

Hi all,

I am very familiar with Cisco Secure ACS for AAA of Cisco devices. I am
considering using FreeRadius at another customer site instead of Cisco
Secure ACS.

Will I still be able to control command execution (authorization) etc
via FreeRadius? Or would I be restricted to authentication only?

What do people recommend I use as a web front end for FreeRadius when
managing AAA on a Cisco network via FreeRadius?

I've seen daloradius but that is geared to wireless hotspots. I've taken
a quick look at phpRADmin and also ASN but I'm not sure which one is
more mature and would like to know other people's thoughts. Or is
dialupadmin itself good enough?

Any advice given is very much appreciated.

Mike Hawkins
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html



$ cat ~/satish/url.txt 

http://www.linuxbug.org

------------------------------



End of Freeradius-Users Digest, Vol 30, Issue 107
*************************************************



With affection,
MARIBEL HERNÁNDEZ LÓPEZ
