Yes Ivan, I apologize for pasting an incomplete image command from my test machine. --- Walt Reynolds Principal Systems Security Development Engineer Information Technology Central Services University of Michigan (734) 615-9438
-----Original Message----- Date: Fri, 12 Oct 2007 15:26:50 +0100 From: <tnt@kalik.co.yu> Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48 To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <n4B28c5h.1192199210.5441340.tnt@kalik.co.yu> Content-Type: text/plain; charset=ISO-8859-2
DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes
That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
Has something changes in recent code that makes this unnecessary?
No. You probably want: DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = `%{User-Name}` Ivan Kalik Kalik Informatika ISP
From: freeradius-users-bounces@lists.freeradius.org [mailto:freeradius- users-bounces@lists.freeradius.org] On Behalf Of freeradius-users- request@lists.freeradius.org Sent: Friday, October 12, 2007 12:34 PM To: freeradius-users@lists.freeradius.org Subject: Freeradius-Users Digest, Vol 30, Issue 51
Send Freeradius-Users mailing list submissions to freeradius-users@lists.freeradius.org
To subscribe or unsubscribe via the World Wide Web, visit http://lists.freeradius.org/mailman/listinfo/freeradius-users or, via email, send a message with subject or body 'help' to freeradius-users-request@lists.freeradius.org
You can reach the person managing the list at freeradius-users-owner@lists.freeradius.org
When replying, please edit your Subject line so it is more specific than "Re: Contents of Freeradius-Users digest..."
Today's Topics:
1. Re: Freeradius-Users Digest, Vol 30, Issue 48 (Alan DeKok) 2. RE: Freeradius-Users Digest, Vol 30, Issue 48 (tnt@kalik.co.yu) 3. Re: rlm_realm doesn't strip the username (Tomasz Zieleniewski) 4. Re: FATAL: Thread create failed: Cannot allocate memory (A.L.M.Buxey@lboro.ac.uk) 5. Re: Darwin DirectoryServices (warnnings) (Alan DeKok) 6. Using freeradius and 802.1x for ssign VLAN X (lvizcardof@unsa.edu.pe) 7. Re: rlm_realm doesn't strip the username (tnt@kalik.co.yu)
----------------------------------------------------------------------
Message: 1 Date: Fri, 12 Oct 2007 16:23:33 +0200 From: Alan DeKok <aland@deployingradius.com> Subject: Re: Freeradius-Users Digest, Vol 30, Issue 48 To: FreeRadius users mailing list <freeradius-users@lists.freeradius.org> Message-ID: <470F8365.9050603@deployingradius.com> Content-Type: text/plain; charset=ISO-8859-1
Reynolds, Walter wrote: ...
DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
I don't see why.
http://www.mail-archive.com/freeradius- users@lists.freeradius.org/msg02045.html
Which doesn't mention an entry like the one quoted above.
Has something changes in recent code that makes this unnecessary?
I would first like to know why that entry does anything. It certainly doesn't set the User-Name. So it doesn't have anything to do with fixing the anonymous accounting issue.
Alan DeKok.
------------------------------
Message: 2 Date: Fri, 12 Oct 2007 15:26:50 +0100 From: <tnt@kalik.co.yu> Subject: RE: Freeradius-Users Digest, Vol 30, Issue 48 To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID: <n4B28c5h.1192199210.5441340.tnt@kalik.co.yu> Content-Type: text/plain; charset=ISO-8859-2
DEFAULT Freeradius-Proxied-To == 127.0.0.1 Fall-Through = Yes
That entry does nothing. I agree it does nothing for authentication, but this will be part of the solution to get accounting records based on the inner identity and not the outer with TTLS
Has something changes in recent code that makes this unnecessary?
No. You probably want:
DEFAULT FreeRADIUS-Proxied-To == 127.0.0.1 User-Name = `%{User-Name}`
Ivan Kalik Kalik Informatika ISP
------------------------------
Message: 3 Date: Fri, 12 Oct 2007 16:51:49 +0200 From: "Tomasz Zieleniewski" <tzieleniewski@gmail.com> Subject: Re: rlm_realm doesn't strip the username To: freeradius-users@lists.freeradius.org Cc: aland@deployingradius.com Message-ID: <5fd52d7a0710120751s1eb4ba67x402a733a1a98f055@mail.gmail.com> Content-Type: text/plain; charset="iso-8859-1"
Thank you Alan
I updated to 2.0.0-pre2. But now I have some errors and I can' tcheck again:) Now when my NAS sends the Accounting request or I try to run 'radtest' tool, the verification fails. I didn't change anything in the configuration and in the database. I have the same NAS configuration. I get the following error in the debug mode:
Ignoring request to authentication address * 1812 from unknown client 127.0.0.1 port 37391
Please point me what do I missed:)
Best regards tomasz
Tomasz Zieleniewski wrote:
I am using radius version 2.0.0-pre0. I have the following problem that when I receive the Accounting- Request with the username whose domain part is not checked with any of my realm defined in the proxy.conf file. The username is not stripped. I use the suffix rule for domain: 'username@domain" in my realm module and I inoke it in preacct in radiusd.conf. I have the DEFAULT realm defined and it doesn't have the nostrip option activated. So I think when there is no domain match the username should also be stripped??
Likely, yes. What does debug mode say?
You could also try running CVS head, which has a number of fixes over 2.0-pre0.
Alan DeKok.
------------------------------
Message: 10 Date: Fri, 12 Oct 2007 10:16:43 -0300 From: "Sergio Belkin" <sebelk@gmail.com> Subject: Re: TLS fatal access_denied To: "FreeRadius users mailing list" <freeradius-users@lists.freeradius.org> Message-ID:
<8c6f7f450710120616t48014e18g8c02184fdaef6b97@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
2007/10/11, tnt@kalik.co.yu <tnt@kalik.co.yu>:
How sure are you that you are using EAP-TTLS?
rlm_eap: EAP NAK rlm_eap: EAP-NAK asked for EAP-Type/peap <==
Ivan Kalik Kalik Informatika ISP
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
I am pretty sure because I has default_eap_type = ttls. I've just fixed, it was a problem of certificates...
thanks-
-- -- Sergio Belkin -
------------------------------
- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
End of Freeradius-Users Digest, Vol 30, Issue 49 ************************************************