FreeRadius Server + Arch. Thoughts?

My motel has multiple buildings across 2 acres of land with 5 routers linked to the main router. For my next project I'm thinking of connecting a radius server (on Arch) to my router w/ DD-WRT. Since I'm new to freeradius and wifi hotspot verification/control, is this the best solution? More specifically, the core problem is controlling download speed. If a guest starts a torrent or downloads a file or streams video, there are no controls to limit his bandwidth. Anything I should know before the adventure begins? Tips?
This isn't about how to install/set up but more of: am I going down the right path, and what are the pitfalls, if any? Thanks in advance.

radius is generally used for user logins/authentication, so I guess you are running some form of voucher-based system already from within a "Captive Portal".
I know freeradius does have bandwidth control features, but whether your captive portal can understand the messages it receives from freeradius is a different story, & I would use my captive portal to control bandwidth & just keep freeradius for user control/info.
If not, then I would advise you look into that as well, as most will give you a way to limit the bandwidth of those going through the portal + give you the ability to tie it in to a radius server for user authentication.
Last edited by t0m5k1 (2013-03-07 15:54:09)

Similar Messages

  • WLC 7.6.120.0 Radius problems with FreeRadius server

    Hi there
    we have 3 WLC 5508 with version 7.6.120.0 and 2 FreeRadius servers. In the WLC log we see a lot of "radius auth-server unavailable" messages and some users can not authenticate against our dot1x (PEAP).
    The problems occur most of the time, when there are a lot of WLAN clients trying to connect to the SSID at the same time.
    Does anybody have the same problems or are there any known bug for this phenomena?
    Thanks in advance and best regards
    Anna

    Hi Anna
    your problems seems to be this bug here: https://tools.cisco.com/bugsearch/bug/CSCuo96366
    Symptom:
    Clients are not able to Authenticate at Peak loads when using FreeRadius.
    Conditions:
    Using FreeRadius (most susceptible), we observe at high auth rate and if the Radius server is not responding to all Radius packets in sequence order or if the server is slow, when the WLC wraps around the 0-255 Radius IDs, it does not do a check when posting a new packet.
    So essentially you have 2 packets with the same ID being presented to the AAA server.
    Workaround:
    Recovers when load is reduced.
    Further Problem Description:
    So far, issue has not been brought to notice while using ISE/ACS/NPS.
    There are two possible solutions I see:
    1. Downgrade to an earlier WLC version <7.6 (e.g. 7.4.121.0)
    2. Try to have another radius server in between (radius proxy, e.g. Cisco ACS or Microsoft NPS)
    Best regards
    Dominic

  • FreeRadius and Cisco 2600 Terminal Server [IOS 12.1(3)T]

    Hi Cisco People
    I'm using FreeRadius 2 and a Cisco 2600 Terminal server to coordinate access to cisco routers based on time ranges.
    Basically we are an education/training environment where we have some students accessing the routers and switches for practise, terminal server are used to consolidate the console access, and these terminal servers authenticate the users through a Radius server (as shown in the following figure). Additionally, the students are categorized into few groups. We want to implement policy on the radius server so that only a certain group can access the resources in a given duration of time (the user should be dropped from the terminal when the subscribed time is reached and cannot access thereafter .) 
    +----------+          +---------------------+          +------------+
    |   User   |----------|  Cisco 2600         |----------|  Network   |
    |          |          |  Terminal Server    |          |  Devices   |
    +----------+          +---------------------+          +------------+
                                   (NAS)
                                     |
                                     |
                          +---------------------+
                          |     FreeRadius      |
                          +---------------------+
    Right now I'm able to do the "hello-world" setup with the following users and clients.conf. On the terminal server side, aaa new-model is enabled on the cisco terminal server to communicate with this radius server.
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15"
    clients.conf
    ==============
    client 192.168.1.1 {
      secret = SECRET_KEY
      shortname = termserver
      nastype = cisco
    }
    A typical transaction would be :
    Access-Request
    =======
            NAS-IP-Address = 192.168.1.1
            NAS-Port = 35
            NAS-Port-Type = Async
            User-Name = "cisco"
            Calling-Station-Id = "1.1.1.1"
            User-Password = "cisco"
    Access-Accept
    =======
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
    This works fine but doesn't provide any timing limitations. So I have modified the FreeRadius config to be :
    users
    =============
    cisco Auth-Type := System
      Service-Type = NAS-Prompt-User,
      cisco-avpair = "shell:priv-lvl=15",
      Session-Timeout = 20
    Cisco Terminal Server
    ==============
    aaa new-model
    aaa authentication login default group radius local none
    aaa authorization exec default group radius if-authenticated 
    aaa accounting exec default start-stop group radius
    aaa accounting network default start-stop group radius
    aaa accounting connection default start-stop group radius
    After this, I am able to see that the terminal server actually receives an Access-Accept including the Session-Timeout attributes like the following :
            Service-Type = NAS-Prompt-User
            Cisco-AVPair = "shell:priv-lvl=15"
            Session-Timeout = 20
    But the problem is that it doesn't really terminate the session after the 20 seconds are reached. My questions are:
    1. Is the terminal server really able to enforce such time limit after receiving the attribute ?
    2. Is the 2600 terminal server with [IOS 12.1(3)T] compliant with RFC 2865?
    3. What can I do so that the terminal server forces the user to be logged out after the session time limit is reached ?
    Thanks
    Frank

    Frank,
    I think you should use the login time as well:
    Login-Time
    Login-Time is a very powerful internal check AVP. It allows flexible authorization and its value is used by the logintime (rlm_logintime) module to determine if a person is allowed to authenticate to the FreeRADIUS server or not. This value is also used to calculate the Session-Timeout reply value. Session-Timeout is subsequently used by the NAS to limit access time.
    The following line will grant Alice access only between 08:00 and 18:00 each day.
    "alice" Cleartext-Password := "passme", Login-Time := 'Al0800-1800'
    The logintime module will calculate the reply value of Session-Timeout if Alice has logged in within the permitted timeslots to inform the NAS how long she is allowed to stay connected. If Alice tries to access the network when she is not permitted, the request will be rejected.
    http://www.packtpub.com/article/getting-started-with-freeradius
    http://wiki.freeradius.org/config/Users
    yes, the terminal server is RFC 2865 compliant.
    Rate if Useful :)
    Sharing knowledge makes you Immortal.
    Regards,
    Ed
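    To make concrete how rlm_logintime turns Ed's Login-Time check item into the Session-Timeout reply item, here is an added Python model. It is not FreeRADIUS's own timestr.c, and it handles only the subset of the Login-Time syntax shown on this page (comma-separated elements of concatenated day codes followed by an optional HHMM-HHMM range); the function names and the sample dates are constructed. A request outside every window is rejected; inside one, the reply carries the seconds left in the window, and a shorter Session-Timeout already in the reply (Frank's 20 seconds) is kept.

```python
import re
from datetime import datetime

# Day codes of the Login-Time syntax. This parser is constructed for illustration
# and covers elements such as "Al0800-1800" or "Wk0800-1800,SaSu0900-1300".
DAY_CODES = {
    "Mo": {0}, "Tu": {1}, "We": {2}, "Th": {3}, "Fr": {4}, "Sa": {5}, "Su": {6},
    "Wk": {0, 1, 2, 3, 4}, "Al": set(range(7)), "Any": set(range(7)),
}
DAY_TOKEN = r"(?:Mo|Tu|We|Th|Fr|Sa|Su|Wk|Al|Any)"
ELEMENT = re.compile(rf"({DAY_TOKEN}+)(?:(\d{{4}})-(\d{{4}}))?")


def _minutes(hhmm):
    return int(hhmm[:2]) * 60 + int(hhmm[2:])


def parse_login_time(spec):
    """Return a list of (weekdays, start_minute, end_minute) windows."""
    windows = []
    for element in spec.split(","):
        element = element.strip()
        m = ELEMENT.fullmatch(element)
        if not m:
            raise ValueError(f"unsupported Login-Time element: {element!r}")
        days = set()
        for code in re.findall(DAY_TOKEN, m.group(1)):
            days |= DAY_CODES[code]
        start = _minutes(m.group(2)) if m.group(2) else 0
        end = _minutes(m.group(3)) if m.group(3) else 24 * 60
        if not start < end <= 24 * 60:
            raise ValueError(f"bad time range in {element!r}")
        windows.append((days, start, end))
    return windows


def seconds_remaining(spec, now):
    """Seconds left in the permitted window containing `now`, or None if not permitted."""
    minute = now.hour * 60 + now.minute
    best = None
    for days, start, end in parse_login_time(spec):
        if now.weekday() in days and start <= minute < end:
            left = (end - minute) * 60 - now.second
            best = left if best is None else max(best, left)
    return best


def authorize(spec, now, existing_timeout=None):
    """Emulate what rlm_logintime decides for one request.

    None means Access-Reject (outside every window). Otherwise the reply gets a
    Session-Timeout so the NAS drops the session when the window closes; an
    existing, shorter Session-Timeout (such as the 20 s in the users file) wins.
    """
    left = seconds_remaining(spec, now)
    if left is None:
        return None
    if existing_timeout is not None:
        left = min(left, existing_timeout)
    return {"Session-Timeout": left}


if __name__ == "__main__":
    thursday = datetime(2013, 3, 7, 17, 30, 0)   # constructed sample time, inside Al0800-1800
    print(authorize("Al0800-1800", thursday))                   # {'Session-Timeout': 1800}
    print(authorize("Al0800-1800", thursday.replace(hour=19)))  # None, i.e. Access-Reject
```

    The NAS still has to honour the attribute it receives: the model only decides what goes into the Access-Accept, which is exactly the part Frank already sees working in his debug output.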

  • JAAS LoginModule for SunOne Directory Server?

    I have a customer who is using SunOne Directory Server for LDAP.
    I have test code that uses the JAAS's com.sun.security.auth.module.JndiLoginModule to do authentication against an OpenLDAP test server.
    The test code won't work at the customer site because they need to use a special userid/pw along with the subject userid/pw in order to do an authentication. I assume this is LDAP v3 stuff, but the customer is unsure. Unfortunately I have no direct access to the customer's LDAP admin folk. Typical bureaucracy stuff.
    The customer was able to write java code that authenticates to his LDAP server using example code from http://java.sun.com/products/jndi/tutorial/ldap/security/ldap.html which uses the JNDI API and specifies the access userid/pw using Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS.
    So that's great, however my application uses JAAS, and therefore only indirectly uses JNDI. The JndiLoginModule provided by JAAS does not appear to support the Context.SECURITY_PRINCIPAL and Context.SECURITY_CREDENTIALS parameters.
    A custom JAAS LoginModule could be written which interfaces to the JNDI LDAP stuff, however considering that JAAS and the SunOne Directory server are both Sun products, I thought perhaps SunOne Directory comes with a JAAS compatible LoginModule that my customer does not know about? I've looked at online docs, but haven't found any such thing yet.

    Hey dav,
    Sorry that I am not posting to give you a solution - it is more to ask for some guidance.
    I am implementing a client-server arch system which has a lot of 'privileged' actions to be managed. I have thus successfully integrated the basics of JAAS into the system... but I am now desperately looking for a way to have client-side policies distributed at runtime from the server.
    I do not want to get involved with any web/application server stuff more than I need to; unfortunately one of the system requirements is for client-server comms to be facilitated by SOAP over HTTP, and thus probably JAX-RPC - but it is no problem. I have developed a database-backed Policy and (JAAS) Config which constitute parts of the server component. Now it is just a case of getting the policy to the client at client start-up and subsequently the configuration for JAAS authentication. The aim is that this data will be transferred once during login, and any time that the policy is requested to be refreshed.
    Since reading you post, I'm wondering what services LDAP or JNDI can offer me?
    Also, is JNDI an appropriate option for data persistence? is it better to go with JDO or some other object store abstraction.
    Kind regards,
    Darren B

  • Freeradius & edirectory

    Hi,
    We want to create a wireless network. We'd like to authenticate the
    accounts against a radius server, so we thought of setting up a freeradius
    server running on open enterprise server (linux).
    I installed an open enterprise server and deselected all Novell products.
    So NO edirectory, eguide, ifolder, etc.... Also I chose to skip CA
    creation. We already have multiple edirectory 8.7.3.7 servers, where one
    of these servers is the Master CA.
    I assume we can also use this CA server? Anyone for proper documentation
    about this?
    I installed the radius npm on a netware server running Imanager 2.5 and
    tried to extend the schema. This does not go well, because of a
    conflicting class. I get the following error message :
    Schema conflict detected. Conflict details: [ ObjectClass Name(OID):
    rADIUSProfile(2.16.840.1.113719.1.39.42.2.0.10) Conflicts with Freeradius
    Objectclass : radiusprofile(1.3.6.1.4.1.3317.4.3.2.1) ]
    Would you like to continue extending the rest of the class(es) and
    Attribute(s) ?
    I do not want to delete the current 'RADIUS:Profile' class, but I still
    want to use freeradius & eDirectory to integrate. What can be done about
    this? Why is Novell using both classes, knowing that the freeradius schema
    extension always conflicts with a current edirectory/nmas combination?
    I hope someone can help me out. I can not find anything about this,
    besides deleting classes, which we can't in our setup.
    regards,
    Fred Radon

    I could be daft but I'm in the process of setting up freeradius on an
    OES Suse 9 server which I integrated into our tree after a lot of
    research. My impression was that in order for freeradius to authenticate
    into the edirectory tree it needed to be installed on a
    Linux(SuSe/Redhat) server that had eDirectory, OpenSSL and OpenLDAP
    installed.
    http://www.novell.com/documentation/...y.html#btuadmy
    I had previously attempted to find a way to just authenticate against
    NLDAP or integrate a linux box as a BDC into my PDC on my Netware 6.5
    box. However, each of these attempts ended when I found documentation
    saying that neither was possible.
    Novell's site has a lot of documentation on integrating edirectory with
    freeradius. I've listed one main document above but there are TIDs that
    cover other details. If you find that it is possible to set up a Linux
    server without having it integrated into the edirectory tree and
    authenticate users against eDirectory please let me know.
    If you don't need edit authentication take a look at Zeroshell which is
    a bootable radius server based on freeradius with a simple web interface
    for administration.
    Thanks,
    -Nyle

  • Automatically updating files on local testing Server

    I'm using EasyPHP-5.3.5.0 as a testing server on my local machine (I've used EasyPHP for several years). I set up the Site Definition in DW8 using the testing server root folder (www) as the development area; however, this caused problems when I attempted to upload from within DW to the Remote (production) server. I then modified the Site Definition to use a local folder, other than the Testing Server folder, for development, which solved the upload problem. Then in the Site Definition I set up the Testing Server using the "PHP MySQL" model with "Local/Network" access. The Testing Server folder was set to "C:\Program Files\EasyPHP-5.3.5.0\" and the "Refresh Testing file list automatically" box was checked. The URL prefix was set to "http://127.0.0.1:8888/" as defined in the EasyPHP instructions. My problem is that Dreamweaver is not updating the files on the testing server when I save a file in the development folder. The development folder and the Testing Server reside on the same computer. If I copy and paste a file to the testing server everything works fine. I would like the testing server files to be automatically updated when I save a file in the development folder, which is what the Site Definition seems to indicate should happen. Any thoughts on what the problem is and how to fix it would be appreciated.

  • Https (secure connection) on local testing server??

    Hi all
    I am building a shopping cart, which will use an https connection.
    Is there a way to set up an https connection on my local testing server (Apache, PHP, Mac OSX)?
    My guess is that it's not possible, but I might not know some special trick...?
    seb ( [email protected])
    http://webtrans1.com | high-end web design
    An Ingenious WebSite Builder: http://sitelander.com

    > UPS tools that will only accept POST data coming from an https page
    Oh - I see. I think this will be hard to do. You'd need to get a local
    certificate and all - not sure how to go about that....
    Murray --- ICQ 71997575
    Adobe Community Expert
    (If you *MUST* email me, don't LAUGH when you do so!)
    ==================
    http://www.dreamweavermx-templates.com - Template Triage!
    http://www.projectseven.com/go - DW FAQs, Tutorials & Resources
    http://www.dwfaq.com - DW FAQs, Tutorials & Resources
    http://www.macromedia.com/support/search/ - Macromedia (MM) Technotes
    ==================
    "(_seb_)" <[email protected]> wrote in message news:ev39uo$pm3$[email protected]..
    > Murray *ACE* wrote:
    >> Why do you want to do this?
    >>
    >
    > to test locally?... I've been able to test everything locally so far on my
    > virtual testing server, and thought it'd be nice if I could test the
    > shopping cart locally as well. But it uses third party UPS tools that will
    > only accept POST data coming from an https page.
    > And yes, I'm pretty sure it's a stupid idea... But as I said, maybe
    > there's a trick I'm not aware of...
    >
    > --
    > seb ( [email protected])
    > http://webtrans1.com | high-end web design
    >
    > An Ingenious WebSite Builder: http://sitelander.com

  • Client-Server - SOA.... Is it really a transition or a big development  ?

    Hi,
    In all sources related to SOA/ESA by SAP, it is said that transitioning from Client-Server Arch (CSA) to SOA is the same as transitioning from Mainframe systems to Client-Server Arch.
    If we think about Mainframe and CSA, it is obvious that there had been big differences in that transition. Such as, the INTELLIGENT CLIENT concept had appeared to replace the DUMMY CLIENTS, so this had changed the way of IT Business. There would be a main application providing several functionalities (server) and other applications which want to use those functionalities (clients) would connect to the server using some functionalities of their own (that means a client application should also have some functionalities in order to at least connect to the server, so that made them different from the DUMMY clients of the mainframe era).
    Now, when I look at the differences between SOA and CSA, I cannot see such incomparable differences. Why? Let me explain:
    - One of the most important differences between SOA and CSA is that SOA is vendor and platform independent, so that any application can call any application's functionality as long as they are using Web Services. That is true. But the question arises here: it is still the case that someone is calling some others' functionalities (services), so there is still a client/server mentality, isn't there? And we will still be using several client/server programming languages in order to realize the main functionality of the web services, but this will be transparent to the user and the integration. The main difference is, SOA is vendor and platform independent. But I don't think this can be commented on as a missing feature of CSA, because the aim of CSA was to make the clients more intelligent and not to make them vendor/platform independent. And also architectures like CORBA and DCOM have tried to achieve that independence (even though they have restrictions compared to Web Services, one of the main reasons for this being the use of the Web as a transport/communication protocol), but they are still treated as extensions on top of CSA because they are using CSA beneath. But if we compare Mainframes and CSA, even though I haven't seen the mainframe ages, I think it is clear that CSA does not use any architectural functionality of Mainframes. They are completely different. But are SOA and CSA completely different?
    I agree with all the reasons why today's business needs something more agile, more flexible, and it is becoming clearer day by day that SOA and Web Services provide this environment, BUT I still cannot make it clear WHY it is accepted as a transition from CSA and why it is not treated as a big development over CSA while using the main features of it.
    Any comments will be appreciated.
    Regards
    Ahmet Engin Tekin

    Good point..Actually those are the things clearly known but it becomes a bit confusing to build clear sentences when it comes to declare the differences. Anyway, here are my additions :
    - Mainframes were centralized systems which had their own hardware architecture as well. All processes/applications were running on 1 central DB/system and everyone in the company had to use the same functionality and interface.
    - In time, as a result of business demand, people needed different functionalities/applications regarding different business needs. This could either be done by extending the highly costly big mainframe systems/software OR a new approach had to be developed in order to solve those problems. At this point (thanks to IBM, Macintosh and Xerox) the PC and ethernet concepts had emerged. That was a completely different hardware architecture which allowed less costly systems and also distributing the process load and/or applications to different systems in one landscape (app servers, intelligent clients - 2-tier, 3-tier arch.). Thus, while those were happening on the hardware side, new communication and programming models/languages emerged on the software side. As a result, people started using different applications on different systems according to their needs, and thus an efficient solution had been provided to the business need (described above).
    To criticise, this was really a big transition. Not only software concepts but also hardware concepts were changed drastically. Actually, it is not wrong if we say that developments on the hardware side allowed changes on the software side.
    - What happened next ? Companies started using so many different applications by different vendors with different business logic and programming models (thanks to CSA). But in times, this has emerged the biggest problem of the CSA era : Integration.
    We all know the rest. "Web Services" concept emerged with SOA as well. So that, the boundaries between the systems began to disappear.
    So, is this a transition ? Well, yes it is.. The point that made it confusing (at least for me) is that this time there is no hardware transition (yet) but only a transition in software side. But I still insist that the IT transition during Mainframe->CSA was like a revolution (forget what you've left behind) but from CSA to SOA; it is more likely to be an evolution (the next best thing)
    Anyone have more comments ?
    Regards,
    Ahmet

  • Windows home server 2011

    Is it still possible to purchase Windows Home Server? We were given an old server; we thought it would work great as a file sharing server, but I can't seem to purchase Windows Home Server 2011 any longer. I found used copies on Amazon but I'm afraid I won't be able to activate it.

    Hi
    You can look at Windows Server 2012 foundation or Essentials. Maximum 15 and 25 users respectively.
    Hope this helps. Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

  • Cannot connect to SQL Server 2008 R2 Express

    I have a database application that connects to the Northwind sample db in MS Access and lets the user perform CRUD operations.
    Now I want to add the same for MS SQL Server, however, I have trouble connecting to it using this connection string:
    I changed the server properties in SQL Server Management Studio to allow windows and SQL Server authentication, yet, I still get this exception when trying to open the connection:
    A network-related or instance-specific error occurred while establishing a connection to SQL Server. The server was not found or was not accessible. Verify that the instance name is correct and that SQL Server is configured to allow remote connections.
    (provider: Named Pipes Provider, error: 40 - Could not open a connection to SQL Server)
    I thought it might be because the server is not allowing remote connections and followed this guide to allow remote connections:
    http://www.linglom.com/2009/03/28/enable-remote-connection-on-sql-server-2008-express/
    But the SQL Server windows service won't start. The Browser works fine, but the server doesn't do anything.
    When trying to start it I get this error:
    The request failed or the service did not respond in a timely fashion. Consult the event log or other applicable error logs for details.
    The event log says:
    2011-07-07 17:02:55.35 spid51 Starting up database 'Northwind'.
    2011-07-07 17:02:59.98 spid51 Starting up database 'Northwind'.
    2011-07-07 17:03:03.68 spid53 Starting up database 'Northwind'.
    2011-07-07 17:03:07.01 spid55 Attempting to load library 'xpstar.dll' into memory. This is an informational message only. No user action is required.
    2011-07-07 17:03:07.30 spid55 Using 'xpstar.dll' version '2009.100.1600' to execute extended stored procedure 'xp_instance_regread'. This is an informational message only; no user action is required.
    2011-07-07 17:03:07.76 spid55 Starting up database 'pubs'.
    2011-07-07 17:03:08.89 spid55 Starting up database 'pubs'.
    2011-07-07 17:03:09.30 spid55 Starting up database 'pubs'.
    2011-07-07 17:04:11.37 spid55 Starting up database 'pubs'.
    2011-07-07 17:08:17.28 spid52 Attempting to load library 'xplog70.dll' into memory. This is an informational message only. No user action is required.
    2011-07-07 17:08:17.35 spid52 Using 'xplog70.dll' version '2009.100.1600' to execute extended stored procedure 'xp_msver'. This is an informational message only; no user action is required.
    However, when starting SQL Server Management Studio, I can normally work with the databases, perform CRUD operations, etc.
    I was wondering if it might be a connection string issue.
    I'm using this string:
    @"Server=lolcalhost;Database=Northwind;User ID=BEN-A350C47E32F;Password=;Trusted_Connection=False;";
    I added the Northwind database as data source to the project and the connection string is in the app.config:
    <connectionStrings>
    <add name="NwindConnectionString" connectionString="Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\Nwind.mdb" providerName="System.Data.OleDb"/>
    </connectionStrings>
    using this code to access it:
    constringServer = ConfigurationManager.ConnectionStrings["NwindConnectionString"].ToString();
    but when using this string I get an ArgumentException:
    Keyword not supported: 'provider'.
    I'd appreciate any help that would let me connect to the server from a program.

    Here is an active Sql connection string we use currently from our app.config file:
    <connectionStrings>
    <clear/>
    <add name="ServerConnectionString" connectionString="Data Source=SqlBox;Initial Catalog=YourCatalog;User Id=Username; Password=password;" providerName="System.Data.SqlClient"/>
    </connectionStrings>
    here is one for Sql Express:
    <add name="LocalConnectionString" connectionString="Data Source=MachineName\SqlExpress;Initial Catalog=YourCatalog;Integrated Security= true;" providerName="System.Data.SqlClient"/>
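    The "Keyword not supported: 'provider'" exception in the question comes from handing an OLE DB connection string (Provider=..., as used for the Access .mdb) to SqlClient, which only knows its own keyword set. The Python below is an added example, not .NET code: it parses ADO.NET-style "key=value;" strings the way SqlClient does (case-insensitive keywords, aliases such as Server for Data Source, later duplicates winning) and reports the checks a reviewer would run on a string that is about to be committed to app.config. The keyword table is a subset of the documented SqlConnectionStringBuilder keywords; the `lint()` findings and their wording are constructed for this example.

```python
# Subset of keywords System.Data.SqlClient accepts (canonical name -> aliases), as documented
# for SqlConnectionStringBuilder. Anything else raises "Keyword not supported", which is the
# ArgumentException the original poster hit with an OLE DB "Provider=" string.
SQLCLIENT_KEYWORDS = {
    "Data Source": {"server", "address", "addr", "network address"},
    "Initial Catalog": {"database"},
    "User ID": {"uid", "user"},
    "Password": {"pwd"},
    "Integrated Security": {"trusted_connection"},
    "Encrypt": set(),
    "TrustServerCertificate": set(),
    "Connect Timeout": {"connection timeout", "timeout"},
    "Application Name": {"app"},
}
ALIASES = {canon.lower(): canon for canon in SQLCLIENT_KEYWORDS}
for canon, names in SQLCLIENT_KEYWORDS.items():
    ALIASES.update({name: canon for name in names})
TRUE_VALUES = {"true", "yes", "sspi"}


def split_pairs(conn):
    """Split on ';' outside quotes; ADO.NET lets a value be wrapped in single or double quotes."""
    pairs, buf, quote = [], "", None
    for ch in conn:
        if quote:
            buf += ch
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            buf += ch
        elif ch == ";":
            pairs.append(buf)
            buf = ""
        else:
            buf += ch
    pairs.append(buf)
    return [p for p in pairs if p.strip()]


def parse_connection_string(conn):
    """Return {canonical keyword: value}; later duplicates override earlier ones, as in SqlClient."""
    result = {}
    for pair in split_pairs(conn):
        key, sep, value = pair.partition("=")
        if not sep:
            raise ValueError(f"Format of the initialization string does not conform to specification: {pair.strip()!r}")
        key, value = key.strip().lower(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
            value = value[1:-1]
        canonical = ALIASES.get(key)
        if canonical is None:
            raise ValueError(f"Keyword not supported: '{key}'")
        result[canonical] = value
    return result


def lint(conn):
    """Findings a reviewer would raise about a SqlClient connection string (empty list = clean)."""
    try:
        cfg = parse_connection_string(conn)
    except ValueError as exc:
        return [str(exc)]
    findings = []
    if cfg.get("Integrated Security", "false").lower() not in TRUE_VALUES:
        if not cfg.get("User ID"):
            findings.append("SQL authentication without a User ID")
        if not cfg.get("Password"):
            findings.append("SQL authentication with an empty password")
        findings.append("SQL login credentials live in the config file; consider Integrated Security or protecting the section")
    if cfg.get("Encrypt", "false").lower() not in TRUE_VALUES:
        findings.append("Encrypt not set; System.Data.SqlClient defaults to unencrypted connections")
    return findings


if __name__ == "__main__":
    for sample in (
        r"Provider=Microsoft.Jet.OLEDB.4.0;Data Source=|DataDirectory|\Nwind.mdb",   # from the question
        r"Data Source=MachineName\SqlExpress;Initial Catalog=YourCatalog;Integrated Security= true;",
    ):
        print(sample, "->", lint(sample))
```

    Of the two strings in the answer above, the SQL Express one with Integrated Security passes every credential check; the other keeps a SQL login and password in app.config, which is the case where protecting the connectionStrings section matters.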

  • Using Lion Server Radius for authenticating "other" clients

    Hi, I've been trying to get the Radius service in Lion Server to authenticate users of my SQUID web proxy. I have followed the squid wiki's instructions to configure the squid server as a radius client and pass authentication requests to the Lion Server Radius (I hope). However I'm trying to configure and test the Lion Server Radius. As Lion Server's Admin GUI for radius only lets you add Airport Base Stations, I've been trying to dig around for what underlying config files to edit. I have tried 2 methods of adding the client details to radius:
    1. By editing the /etc/raddb/client.conf, and adding/changing (for example):
    client localhost {
         secret     = mysecretpassphrase
    }
    client 192.168.0.0/24 {
         secret              = mysecretpassphrase
         shortname       = local-lan-clients
    }
    and restarting squid. Nothing seems to get mentioned in the radius log file! So I'm not completely convinced that the Lion Radius took any notice of this!
    2. Instead of above, added the same client info using radiusconfig:
    $ sudo radiusconfig -addclient 192.168.0.0/24 local-lan-clients other <return>
    - then it prompts for the secret. With this command I notice the entry/event is recognised in the radius log file, and it also looks like some SQL activity. If I don't specify "other" for the nas-type, it defaults to "Airport Base Station" or similar.
    OK, so forgetting about SQUID for a minute, I can't even get that far as I'm just trying to test the config using the "radclient" utility from the Lion Server and the squid server:
    $ sudo radclient localhost auth mysecretpassphrase <return>
    and... no response, just hangs, nothing in radius log either.
    The Lion Firewall allows TCP and UDP requests into the Radius authentication port.
    Any ideas what else I need to do? Scratching my head, I'm wondering if it is anything to do with SSL? e.g. do I need to make the authentication using the self-signed certificate that Open Directory has? I presume any Airport Base Stations added to radius will use this certificate to establish a secure connection for authentication.

    The RADIUS server in OS X Server is a standard FreeRADIUS implementation with Apple's own custom GUI frontend for configuring it, which only allows adding AirPort base stations. In Mountain Lion Server it is even limited to a specific configuration for the AirPort base station.
    However, if you follow the normal command-line instructions and steps for configuring FreeRADIUS, then it will be possible to add any type of RADIUS client.
    While, as far as I can see, manually configuring the FreeRADIUS server in OS X Server should enable you to do what you want, most people choose to configure Squid to use either a PAM or the LDAP modules for Squid, in this case to authenticate directly to Open Directory (which is of course based on LDAP).
    I myself have used a PAM in the past with Squid to successfully configure Squid to authenticate users via Open Directory. I was even able to specify an Open Directory group and only allow members of that group access via the Squid Proxy Server. I then went a bit OTT and set up another open-source tool (which was discontinued and I had to fix to get working) to process the Squid logs and store them in MySQL, and then set up FileMaker Pro to connect to the MySQL database via ODBC to allow producing reports.
    Unfortunately the AFP548 website had a major redesign a while ago and many previous technical articles on it are now hard to find. I had used two articles on that site to guide me through setting up Squid and the PAM on a Mac server. I believe the two articles I used are the ones listed below.
    http://afp548.com/2004/09/08/using-os-x-open-directory-to-authenticate-squid-proxy-server/
    http://afp548.com/2004/12/13/squid-server-using-ldap-authentication/

  • How do I install WebSockets functionality on 10.6.7 Server?

    I'd like to play around with adding WebSockets functionality to my website. The particular problem I'm trying to solve is communication from a client-side Java applet that does not get blocked by firewalls. I can find a number of tutorials on WebSockets (i.e., setting up a simple chat), but not much in the way of how to get a functioning Apache2 http server cooperating with a functioning WebSockets server on Snow Leopard Server.
    Before hosing my server, I thought I'd see if there are any particular recommendations or (even better) step-by-step tutorials. My first preference would be a Java solution (as the client side will be Java), but I'm open to other languages.
    Thanks in advance.

    Hi Billy,
    I would suggest that you give Kaazing's WebSocket platform a try. It's Java-based and comes with Java WebSocket libraries, including JMS over WebSocket if that is of interest. There are several tutorials and the free download comes with tutorial-like demos.
    http://www.kaazing.com/developers
    http://demo.kaazing.com/demo/jms/javascript/     (there are links on the side for other client technologies)
    Good luck,
    JonteWS

  • Initial setup on mac mini server without monitor?

    I bought a Mac mini Lion server today. I do not have desktops at home, so no monitors.
    How can I set it up/log in to it? I tried Server Admin Tools, but I do not have the root password (tried blank and the serial number).

    I have a MBA late 2010. So, no Thunderbolt.
    I was hoping to connect to it using ssh to execute the initial setup, to be able to use the remote admin tool.
    The problem is that ssh does not accept root connections.
    Since I do not have any display at all, the idea would be to turn the server on and set it up. Since it is a server, I thought I could do this without any issue.
    Linc, in your idea, how should I start the Mac mini in disk mode and how can I boot the MBA using the mini's internal drive?
    Any ideas?

  • An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP).

    Hello everyone:
    I know this question has been asked in these forums quite a few times. I apologize if it is a repeat telecast, but I was not able to find a suitable solution pertaining to my problem.
    I have an AP/SM setup that is configured to get EAP-PEAP authentication from Windows 2012 Server. I have set up everything and have verified that the EAP-PEAP authentication works fine on AP/SM by getting authentication from a FreeRADIUS server. Now, when I try to get authentication from Windows Server, I am getting a reject. The Event log shows this generic message:
    Reason Code: 23
    Reason:
        An error occurred during the Network Policy Server use of the Extensible Authentication Protocol (EAP). Check EAP log files for EAP errors.
    There is nothing in the EAP logs that is obvious either:
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4928",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    "USIL01PMPTST01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
    So, basically, the sequence is this:
    request , challenge, request , challenge, request, reject
    Any idea what might be happening?
    Thank you.

    Hi,
    Have you installed certificates on the NPS server properly? Have you selected the proper certificate in the properties of PEAP?
    Here is an article about the certificate requirements of PEAP:
    Certificate requirements when you use EAP-TLS or PEAP with EAP-TLS
    http://support.microsoft.com/kb/814394
    If your certificate matches the requirements, you may try to reinstall the certificate by exporting and importing it.
    To export a certificate, please follow the steps below:
    1. Open the Certificates snap-in for a user, computer, or service.
    2. In the console tree, under the logical store that contains the certificate to export, click Certificates.
    3. In the details pane, click the certificate that you want to export.
    4. On the Action menu, point to All Tasks, and then click Export.
    5. In the Certificate Export Wizard, click No, do not export the private key. (This option will appear only if the private key is marked as exportable and you have access to the private key.)
    6. Provide the following information in the Certificate Export Wizard:
       Click the file format that you want to use to store the exported certificate: a DER-encoded file, a Base64-encoded file, or a PKCS #7 file.
       If you are exporting the certificate to a PKCS #7 file, you also have the option to include all certificates in the certification path.
       If required, in Password, type a password to encrypt the private key you are exporting. In Confirm password, type the same password again, and then click Next.
       In File name, type a file name and path for the PKCS #7 file that will store the exported certificate and private key. Click Next, and then click Finish.
    To import a certificate, please follow the steps below:
    1. Open the Certificates snap-in for a user, computer, or service.
    2. In the console tree, click the logical store where you want to import the certificate.
    3. On the Action menu, point to All Tasks, and then click Import to start the Certificate Import Wizard.
    4. Type the file name containing the certificate to be imported. (You can also click Browse and navigate to the file.)
    5. If it is a PKCS #12 file, do the following:
       Type the password used to encrypt the private key.
       (Optional) If you want to be able to use strong private key protection, select the Enable strong private key protection check box.
       (Optional) If you want to back up or transport your keys at a later time, select the Mark key as exportable check box.
    6. Do one of the following:
       If the certificate should be automatically placed in a certificate store based on the type of certificate, click Automatically select the certificate store based on the type of certificate.
       If you want to specify where the certificate is stored, select Place all certificates in the following store, click Browse, and choose the certificate store to use.
    If the issue persists, you may try to re-issue the certificate.
    For a detailed procedure, you may refer to the similar thread below:
    Having issues getting PEAP with EAP-MSCHAP v2 working on Windows 2008 R2
    http://social.technet.microsoft.com/Forums/windowsserver/en-US/c66cf0a8-24dd-4ccd-b5bb-16bd28ad8d4c/having-issues-getting-peap-with-eapmschap-v2-working-on-windows-2008-r2?forum=winserverNAP
    Hope this helps.
    Steven Lee
    TechNet Community Support
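    A small parser for the IAS-format records quoted in the question, added here as an example and not part of either post: it reads the fixed column positions of that format (Packet-Type at index 4, Authentication-Type at 23, Reason-Code at 25, Class at 26), rebuilds the request/challenge/reject sequence per user and NAS, and flags NAS clients that pile up reason-code 23 rejects, which point at a server-side EAP/certificate problem rather than at wrong passwords. The sample records are constructed, modelled on the thread's log with the computer name changed to NPS01.

```python
import csv

# IAS-format column indexes (NPS "IAS format" layout); packet types are the RFC 2865 codes
PACKET_TYPE, USER_FQDN, CLIENT_NAME, AUTH_TYPE, POLICY, REASON, CLASS = 4, 6, 16, 23, 24, 25, 26
PACKET_NAMES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}
AUTH_NAMES = {1: "PAP", 2: "CHAP", 3: "MS-CHAP", 4: "MS-CHAPv2", 5: "EAP", 11: "PEAP"}
REASONS = {0: "IAS_SUCCESS", 23: "IAS_EAP_ERROR (check the NPS certificate and the PEAP server cert selection)"}

# Constructed sample modelled on the thread's records: one request answered by a challenge, the next rejected
SAMPLE_LOG = r'''
"NPS01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,11,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,5,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4927",30,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,1,"SANDBOX\test","SANDBOX\test",,,,,,"10.120.133.10",5,0,"10.120.133.10","Canopy_AP",,,18,,,,11,"PEAP_TEST",0,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
"NPS01","IAS",07/11/2014,11:59:44,3,,"SANDBOX\test",,,,,,,,0,"10.120.133.10","Canopy_AP",,,,,,,11,"PEAP_TEST",23,"311 1 10.120.133.1 07/11/2014 00:05:57 4929",,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"PEAP_TEST_CONNECTION",1,,,,
'''.strip().splitlines()

def parse_ias(lines):
    """Yield one dict per record, skipping anything too short or without a numeric packet type."""
    for row in csv.reader(lines):
        if len(row) <= CLASS or not row[PACKET_TYPE].isdigit():
            continue
        yield {"type": int(row[PACKET_TYPE]), "user": row[USER_FQDN], "client": row[CLIENT_NAME],
               "auth": int(row[AUTH_TYPE] or 0), "policy": row[POLICY],
               "reason": int(row[REASON] or 0), "session": row[CLASS]}

def summarise(lines):
    """Per (user, NAS) conversation: packet sequence, auth method and how it ended."""
    convs = {}
    for rec in parse_ias(lines):
        convs.setdefault((rec["user"], rec["client"]), []).append(rec)
    report = {}
    for key, recs in convs.items():
        last = recs[-1]
        final = last["type"] in (2, 3)   # only Accept/Reject carry a meaningful Reason-Code
        report[key] = {"sequence": [PACKET_NAMES.get(r["type"], str(r["type"])) for r in recs],
                       "auth": AUTH_NAMES.get(last["auth"], str(last["auth"])),
                       "outcome": REASONS.get(last["reason"], f"reason {last['reason']}") if final else "in progress"}
    return report

def eap_error_bursts(lines, threshold=3):
    """NAS clients with at least `threshold` reason-23 rejects: a server-side EAP fault, not bad credentials."""
    counts = {}
    for rec in parse_ias(lines):
        if rec["type"] == 3 and rec["reason"] == 23:
            counts[rec["client"]] = counts.get(rec["client"], 0) + 1
    return {client: n for client, n in counts.items() if n >= threshold}

if __name__ == "__main__":
    for (user, nas), info in summarise(SAMPLE_LOG).items():
        print(user, "via", nas, "->", " > ".join(info["sequence"]), "|", info["auth"], "|", info["outcome"])
```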

  • Apple TV as movie server?

    I am looking for a solution for my DVD movie collection.
    I back up my movies and burn DVDs, but these can get scratched and I'm looking for a better option.
    I have read that some people use a Mac mini as a movie server, but thought that might be overkill for what I need, and too expensive.
    Here are my requirements:
    1. Play movies, probably from a 1TB external hard drive.
    2. I'd prefer having these files saved at a high enough quality to burn a DVD backup; a single 4.7GB backup disc is sufficient per movie.
    Is this a viable option?

    ATV will mirror everything in the iTunes lib. It's set to sync, so it's already in your iTunes lib, where you can burn a DVD if iTunes supports that; otherwise some other program does, I'd assume. But if you delete it from iTunes to save space on your HD, ATV will also delete it, unless you just delete the file itself and keep the iTunes ref, but then you can't get the media back from the ATV.
    The best way, if you want to do it, is to hook up an ext HD and keep the media on that, and just have links to it in iTunes.
    And computers which are just set to stream with ATV can't really do anything with the ATV, but the ATV can access the media on the streaming computer while it's on.

Maybe you are looking for