need info on EAP-SIM
Nicolas Goutte
nicolas.goutte at extragroup.de
Mon May 26 12:44:27 CEST 2008
On 26.05.2008 at 12:17, Kalyani Garigipati (kagarigi) wrote:
> Hi Alan,
>
> Thanks for the reply. But I am still getting the same errors. I have put
> the lines as follows. I did not put any blank lines in between. The
> editor in the mail is showing like that.
>
> DEFAULT EAP-Sim-Rand1 = 0x89abcbeef9abcdef89abcdef89abcdef
> EAP-Sim-Rand2 = 0x9abcdef89abcdef89abcdef89abcdef8,
> EAP-Sim-Rand3 = 0xabcdef89abcdef89abcdef89abcdef89,
> EAP-Sim-SRES1 = 0x1234abcd,
> EAP-Sim-SRES2 = 0x234abcd1,
> EAP-Sim-SRES3 = 0x34abcd12,
> EAP-Sim-KC1 = 0x0011223344556677,
> EAP-Sim-KC2 = 0x1021324354657687,
> EAP-Sim-KC3 = 0x30415263748596a7
>
> I am getting the following errors
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand2"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-Rand3"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES1"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES2"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-SRES3"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC1"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC2"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> [/usr/local/etc/raddb/users]:203 WARNING! Check item "EAP-Sim-KC3"
> found in reply item list for user "DEFAULT". This attribute MUST go
> on the first line with the other check items
> Module: Checking session {...} for more modules to load
Have you tried to put *everything* in one line?
>
> Regards,
> Kalyani
>
> -----Original Message-----
> From: freeradius-users-bounces+kagarigi=cisco.com at lists.freeradius.org
> [mailto:freeradius-users-bounces+kagarigi=cisco.com at lists.freeradius.org]
> On Behalf Of freeradius-users-request at lists.freeradius.org
> Sent: Monday, May 26, 2008 3:30 PM
> To: freeradius-users at lists.freeradius.org
> Subject: Freeradius-Users Digest, Vol 37, Issue 125
>
>
> Today's Topics:
>
> 1. Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
> (Riccardo Veraldi)
> 2. chap for ldap (Zahra Bahar)
> 3. Re: need info on EAP-SIM (A.L.M.Buxey at lboro.ac.uk)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 26 May 2008 11:26:26 +0200
> From: Riccardo Veraldi <Riccardo.Veraldi at cnaf.infn.it>
> Subject: Re: radius x509 authentication + LDAP ? [SEC=UNCLASSIFIED]
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <483A8242.3030708 at cnaf.infn.it>
> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
>
> I wrote a rule in users file to reject login for users being in a
> certain group, but still access is given
>
> DEFAULT Ldap-Group == "cn=rjgroup", Auth-Type := Reject
> Reply-Message = "Sorry, you are not allowed to have dialup
> access"
>
> user can authenticate successfully with EAP-TLS.
> User is found in LDAP tree, user is part of ldap group rjgroup, but
> still is not being rejected.
> What am I missing ?
>
> thanks
>
> Riccardo
>
>
> Alan DeKok wrote:
>> Riccardo Veraldi wrote:
>>
>>> Not all the people having a certificate should authenticate on my WiFi
>>> infrastructure.
>>> These certificates are for general purpose, so also for EAP-TLS,
>>>
>>
>> Then your PKI system is wrong. You should NOT issue certificates for
>> multiple purposes.
>>
>> You should issue RADIUS (EAP-TLS) certificates ONLY to the people who
>> are allowed to use EAP-TLS.
>>
>>
>>> but some user in my case should not be authenticated.
>>> To select which are the users to be authenticated and which are not,
>>> I wanted to use LDAP properties. If a user is in the LDAP directory
>>> it should pass, if it is not, it should be refused, but at the end, I am
>>> unable to do it.
>>>
>>
>> Did you read my statement about using LDAP groups? Do you know what
>> an LDAP group is?
>>
>> Alan DeKok.
>> -
>> List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
>>
>
>
>
> ------------------------------
>
> Message: 2
> Date: Mon, 26 May 2008 14:02:15 +0330 (IRST)
> From: Zahra Bahar <zahra_bahar at ec.iut.ac.ir>
> Subject: chap for ldap
> To: freeradius-users at lists.freeradius.org
> Message-ID: <30958651.75851211797935796.JavaMail.root at mta.iut.ac.ir>
> Content-Type: text/plain; charset=utf-8
>
> Hi,
> we have freeradius using ldap for authorization and authentication. can
> we have chap for security between NAS and radius and then pap between
> radius and ldap server?
>
>
> ------------------------------
>
> Message: 3
> Date: Mon, 26 May 2008 10:44:09 +0100
> From: A.L.M.Buxey at lboro.ac.uk
> Subject: Re: need info on EAP-SIM
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Message-ID: <20080526094409.GA8435 at lboro.ac.uk>
> Content-Type: text/plain; charset=us-ascii
>
> hi,
>
> put the first check on the same line as DEFAULT and
> remove all those blank lines from between each check
>
> alan
>
>
Nicolas Goutte
extragroup GmbH - Karlsruhe
Waldstr. 49
76133 Karlsruhe
Germany
Managing directors: Stephan Mönninghoff, Hans Martin Kern, Tilman Haerdle
Registration court: Amtsgericht Münster / HRB: 5624
Tax no.: 337/5903/0421 / VAT ID: DE 204607841
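
Added example (not part of the original mail and not FreeRADIUS code): a small Python check that models only the layout rule stated in the warnings above, namely that the line starting with the entry name holds the check items and the following indented lines are reply items. The function names, the placeholder values and the tab indentation of the "as posted" sample are assumptions; the attribute names are the ones from the thread.

```python
import re

# Attribute names from the entry in this thread, in the order they were posted.
NAMES = [f"EAP-Sim-{kind}{n}" for kind in ("Rand", "SRES", "KC") for n in (1, 2, 3)]
CHECK_ITEMS = set(NAMES)

# An attribute name followed by a users-file operator (:=, ==, += or =).
ATTR = re.compile(r"([A-Za-z][\w-]*)\s*(?::=|==|\+=|=)")


def misplaced_check_items(users_text, check_items=CHECK_ITEMS):
    """Return (entry, attribute) pairs for check items found on reply lines."""
    findings, entry = [], None
    for line in users_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue                      # blank line or comment
        if not line[0].isspace():
            entry = line.split()[0]       # column 0: entry name + check items
            continue
        for name in ATTR.findall(line):   # indented line: reply items
            if entry is not None and name in check_items:
                findings.append((entry, name))
    return findings


def build_entry(one_line):
    """Constructed sample: the thread's attribute names, placeholder values."""
    pairs = [f"{name} = 0x00" for name in NAMES]
    if one_line:
        return "DEFAULT " + ", ".join(pairs) + "\n"
    # As posted: only the first attribute shares the DEFAULT line, so every
    # later attribute sits on a reply line (indentation assumed).
    return "DEFAULT " + pairs[0] + "\n" + ",\n".join("\t" + p for p in pairs[1:]) + "\n"


if __name__ == "__main__":
    for label, text in (("as posted", build_entry(False)), ("one line", build_entry(True))):
        print(label, misplaced_check_items(text))
```

Under this model the "as posted" layout yields eight findings, one per warning quoted in the mail, and the single-line layout yields none; whether the server then accepts the entry for EAP-SIM is not something this check covers.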