Hi Alan, Thanks for the reply .But I am still getting the same errors.I have put the lines as follows. I did not put any balnk lines in between . the editor in the mail is shoing like that. DEFAULT EAP-Sim-Rand1 = 0x89abcbeef9abcdef89abcdef89abcdef EAP-Sim-Rand2 = 0x9abcdef89abcdef89abcdef89abcdef8, EAP-Sim-Rand3 = 0xabcdef89abcdef89abcdef89abcdef89, EAP-Sim-SRES1 = 0x1234abcd, EAP-Sim-SRES2 = 0x234abcd1, EAP-Sim-SRES3 = 0x34abcd12, EAP-Sim-KC1 = 0x0011223344556677, EAP-Sim-KC2 = 0x1021324354657687, EAP-Sim-KC3 = 0x30415263748596a7 I am getting the following errors [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand2" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand3" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES1" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES2" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES3" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC1" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC2" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC3" found in reply item list for user "DEFAULT". This attribute MUST go on the first line with the other check items Module: Checking session {...} for more modules to load Regards, Kalyani -----Original Message----- From: freeradius-users-bounces+kagarigi=cisco.com@lists.freeradius.org [mailto:freeradius-users-bounces+kagarigi=cisco.com@lists.freeradius.org ] On Behalf Of freeradius-users-request@lists.freeradius.org Sent: Monday, May 26, 2008 3:30 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 37, Issue 125 Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..." Today's Topics: 1. Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED] (Riccardo Veraldi) 2. chap for ldap (Zahra Bahar) 3. Re: need info on EAP-SIM (A.L.M.Buxey@lboro.ac.uk) ---------------------------------------------------------------------- Message: 1 Date: Mon, 26 May 2008 11:26:26 +0200 From: Riccardo Veraldi <Riccardo.Veraldi@cnaf.infn.it> Subject: Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED] To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <483A8242.3030708@cnaf.infn.it> Content-Type: text/plain; charset=ISO-8859-1; format=flowed I wrote a rule in users file to reject login for users being in a certain grup, but still access is given DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject Reply-Message = "Sorry, you are not allowed to have dialup access" user can authenticate succesfully with EAP-TLS. User is found in LDAP tree, user is part of ldap group rjgroup, but still is not being rejected. What am I missing ? thanks Riccardo Alan DeKok ha scritto:
Riccardo Veraldi wrote:
Not all the people having a certificate should authenticate on my WiFi infrastructure. These certificates are for general purpose, so also for EAP-TLS,
Then your PKI system is wrong. You should NOT issue certificates for multiple purposes.
You should issue RADIUS (EAP-TLS) certificates ONLY to the people who are allowed to use EAP-TLS.
but some user in my case should not be authenticated. To select which are the users to be authenticated and which are not, I wanted to use LDAP properties. If a user is in the LDAP directory it should pass, if it is not, it should be refused, but at the end, I am unable to do it.
Did you read my statement about using LDAP groups? Do you know what an LDAP group is?
Alan DeKok. - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
------------------------------ Message: 2 Date: Mon, 26 May 2008 14:02:15 +0330 (IRST) From: Zahra Bahar <zahra_bahar@ec.iut.ac.ir> Subject: chap for ldap To: freeradius-users@lists.freeradius.org Message-ID: <30958651.75851211797935796.JavaMail.root@mta.iut.ac.ir> Content-Type: text/plain; charset=utf-8 Hi, we have freeradius using ldap for authorization and authentication. can we have chap for security between NAS and radius and then pap between radius and ldap server? ------------------------------ Message: 3 Date: Mon, 26 May 2008 10:44:09 +0100 From: A.L.M.Buxey@lboro.ac.uk Subject: Re: need info on EAP-SIM To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <20080526094409.GA8435@lboro.ac.uk> Content-Type: text/plain; charset=us-ascii hi, put the first check on the same line as DEFAULT and remove all those blank lines from between each check alan ------------------------------ - List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html End of Freeradius-Users Digest, Vol 37, Issue 125 *************************************************