FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread limacher david
Hello
 
I'm looking for a solution to realize a FreeRadius server which can 
authenticate primarily against an AD and, as a second method, against AD LDS 
(Lightweight Directory from Windows).
We want, for our WLAN, that in the Guest-Network employees can use their 
AD login (I already implemented that with ntlm_auth and it works) and that 
guests can also use this network, but their login should be in an AD LDS (LDAP), which 
can be edited by our reception. I would prefer not to store the password for 
the guests as cleartext. Is this possible?
How could I realize that with FreeRadius?
 
Thanks in advance
Dave

  -
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: [ANN] Version 3.0.0-rc0

2013-07-16 Thread Stefan Winter
Hi,

 If you are planning on deploying 3.0 and have an existing 2.x.x configuration 
 you were planning to migrate when the 3.0 is released, now would be a good 
 time to try that, and to report any issues or problematic behaviour changes 
 you notice.

Here's another thing that worked in 2.x and should continue to, according to
man 5 unlang, but doesn't:

(0)   ? if ( User-Name == cyrus )
(0) expand: cyrus - 'cyrus'
(0)   ? if ( User-Name == cyrus )  - FALSE
(0)   ? elsif ( %{#User-Password} == 96 )
(0) expand: 96 - '96'
(0) ERROR: %{#User-Password}
(0) ERROR:   ^ Unknown attribute
(0) ERROR: Evaluation of condition failed for some reason.
(0)else else {
(0)   - entering else else {...}

Earlier, this would yield the number of characters in the incoming
request's User-Password attribute, and see if it's exactly 96 Bytes.

I don't know why the # triggers an unknown attribute? Looks like a bug
to me...

Greetings,

Stefan Winter

-- 
Stefan WINTER
Ingenieur de Recherche
Fondation RESTENA - Réseau Téléinformatique de l'Education Nationale et
de la Recherche
6, rue Richard Coudenhove-Kalergi
L-1359 Luxembourg

Tel: +352 424409 1
Fax: +352 422473




Re: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread Alan Buxey
Hi

Store the passwords in nt-hash format.  Use guest usernames with a particular 
format so that you can use some simple unlang to select the right type of 
authentication rather than hitting each method and causing unnecessary load and 
delay.

alan


Re: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread Fajar A. Nugraha
On Tue, Jul 16, 2013 at 1:02 PM, limacher david limache...@hotmail.com wrote:

 Hello

 I'm looking for a solution to realize a FreeRadius server which can
 authenticate primarily against an AD and, as a second method, against AD LDS
 (Lightweight Directory from Windows).
 We want, for our WLAN, that in the Guest-Network employees can use their
 AD login (I already implemented that with ntlm_auth and it works) and that
 guests can also use this network, but their login should be in an AD LDS (LDAP),
 which can be edited by our reception. I would prefer not to store the
 password for the guests as cleartext. Is this possible?
 How could I realize that with FreeRadius?



If you're asking "how can I store an encrypted password in LDAP that is usable
by MSCHAPv2", then you should be able to use nt-hash. One way to generate
the password is to use FR's smbencrypt command line tool.

-- 
Fajar

Re: [ANN] Version 3.0.0-rc0

2013-07-16 Thread Alan DeKok
Stefan Winter wrote:
 Earlier, this would yield the number of characters in the incoming
 request's User-Password attribute, and see if it's exactly 96 Bytes.
 
 I don't know why the # triggers an unknown attribute? Looks like a bug
 to me...

  I'll take a look.

  Alan DeKok.


Re: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread Alan DeKok
limacher david wrote:
 I'm looking for a solution to realize a FreeRadius server which can
 authenticate primarily against an AD and, as a second method, against AD LDS
 (Lightweight Directory from Windows).

  Follow this guide:

http://deployingradius.com/documents/configuration/active_directory.html

 We want, for our WLAN, that in the Guest-Network employees can use their
 AD login (I already implemented that with ntlm_auth and it works) and
 that guests can also use this network, but their login should be in an AD LDS
 (LDAP), which can be edited by our reception. I would prefer not to
 store the password for the guests as cleartext. Is this possible?
 How could I realize that with FreeRadius?

  You don't.  AD stores passwords in hashed form.  And you *can't* get
access to the passwords.  This is a limitation of AD, not FreeRADIUS.

  Alan DeKok.


Delete one value of multiple attribute(Class)

2013-07-16 Thread Okis Chuang
Dear all,

I want to delete a specific AVP which could be one value of a multi-valued
attribute, such as *Class*.

Suppose I have three Class values: Class 1, Class 2, Class 3. Then I want to
remove Class 2 if its value matches the regex in the pre-proxy section.

I've tried some unlang below, but it did nothing on Class.

    if (%{proxy-request:Class[*]} =~ /(some regex here)/) {
        update proxy-request {
            Class -= "%{1}"
        }
    }

I'm sure the if condition is *TRUE* and the %{1} expanding value is also
what I'm going to delete.

Otherwise, proxy-request returned *updated*.

However, Class 2 is still there.

Btw, I think attr_filter may be of very little help to me, since it cannot work with
the -~ operator, at least in my experience.

I've spent some time searching the mailing list for how to delete or remove an
attribute. None of the threads fits my situation, since they can almost all be
solved by the attr_filter module.

So can any master hand kindly teach me how to achieve this goal?

Thanks a lot.

Okis.


RE: FreeRadius Authentication against AD or AD LDS (LDAP)

2013-07-16 Thread stefan.paetow
Considering that LDS will still be running Active Directory, give your 
reception login(s) the permission to administer the Guest-Network OU (i.e. 
add/delete/edit users), and continue to use the NTLM authentication you use 
with the primary AD.

Active Directory uses MS-CHAPv2, so using the mschap and ntlm modules as per 
standard FreeRADIUS wiki articles on AD authentication should be sufficient to 
be able to authenticate the users in your LDS.

:-)

Stefan


From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org 
[mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org]
 On Behalf Of limacher david
Sent: 16 July 2013 07:03
To: freeradius-users@lists.freeradius.org
Subject: FW: FreeRadius Authentication against AD or AD LDS (LDAP)

Hello

I'm looking for a solution to realize a FreeRadius server which can 
authenticate primarily against an AD and, as a second method, against AD LDS 
(Lightweight Directory from Windows).
We want, for our WLAN, that in the Guest-Network employees can use their 
AD login (I already implemented that with ntlm_auth and it works) and that 
guests can also use this network, but their login should be in an AD LDS (LDAP), which 
can be edited by our reception. I would prefer not to store the password for 
the guests as cleartext. Is this possible?
How could I realize that with FreeRadius?

Thanks in advance
Dave




Re: [ANN] Version 3.0.0-rc0

2013-07-16 Thread Alan DeKok
Stefan Winter wrote:
 (0) ERROR: %{#User-Password}
 (0) ERROR:   ^ Unknown attribute
 (0) ERROR: Evaluation of condition failed for some reason.
 (0)else else {
 (0)   - entering else else {...}
 
 Earlier, this would yield the number of characters in the incoming
 request's User-Password attribute, and see if it's exactly 96 Bytes.
 
 I don't know why the # triggers an unknown attribute? Looks like a bug
 to me...

  That code was removed because it was horrid.

  I've pushed a fix, including fixes to documentation.

  Use %{strlen:...} instead.

  Alan DeKok.


Re: Duplicated records in RADACCT with different delay times

2013-07-16 Thread Antonio Fernández Pérez
Hi everybody,

Recently I posted a problem with duplicated accounting rows. Following
Arran's advice I changed the radacct table, defining the AcctUniqueId column as a
unique index. That solved it!

Now I have the same problem, but this time with the AcctSessionId column.
There are a lot of rows that have a different AcctUniqueId value with the
same AcctSessionId (it is the same record, about the same user).

Should I define AcctSessionId as a unique index? AcctSessionId is
generated by the NAS. Will it be problematic to make this change in the table?

Records have no delay. In the AcctStartTime column the difference between both
rows is 21 seconds.

Any ideas?

Thank you very much.

Regards,

Antonio.

Re: Dynamic vlan assignment with ldap groups

2013-07-16 Thread val john
Hi guys

I had to also set the  *use_tunneled_reply=yes* in the eap.conf to get
the Dynamic vlan assignment to work


On 12 July 2013 19:42, val john valjohn1...@gmail.com wrote:

 Hi guys ,

 Small question: do I need to import the radius LDAP schema (items like
 radiusprofiles) to our LDAP server to get this VLAN assignment to work?

 Thank You
 john


 On 12 July 2013 18:39, Arran Cudbard-Bell a.cudba...@freeradius.org wrote:


 On 12 Jul 2013, at 13:57, val john valjohn1...@gmail.com wrote:

  Hi guys,
 
  I have a freeradius setup that works with LDAP group authentication. I
  also need to configure the dynamic VLAN assignment, so I configured the
  users file as follows:
 
  DEFAULT Ldap-Group == "cn=staff,ou=groups,dc=ldap,dc=example,dc=com"
      Tunnel-Type = VLAN,
      Tunnel-Medium-Type = IEEE-802,
      Tunnel-Private-Group-Id = 100,
      Reply-Message = "You are Accepted"
 
  DEFAULT Ldap-Group == "cn=nonstaff,ou=groups,dc=ldap,dc=example,dc=com"
      Tunnel-Type = VLAN,
      Tunnel-Medium-Type = IEEE-802,
      Tunnel-Private-Group-Id = 200,
      Reply-Message = "You are Accepted"
 
  DEFAULT Auth-Type := Reject
 
  Do I need any other configuration file to be edited to get VLAN
  assignment to work? Or is just the users file enough?

 Just users file is fine.

 Arran Cudbard-Bell a.cudba...@freeradius.org
 FreeRADIUS Development Team





Vouchers Top Up

2013-07-16 Thread Russell Mike
Hi List

Is anyone able to implement top-up for hotspot vouchers? Top-up means: if
a hotspot user is browsing and his 3600 seconds are about to finish, he wishes
to top up another 1800 seconds to avoid disconnection.

Thanks / Regards

Re: Delete one value of multiple attribute(Class)

2013-07-16 Thread Okis Chuang
Is there anyone who can help?

Actually I can write a short perl script to do this, but I am trying to do it with
pure unlang.

So, if someone can tell me whether this purpose can be done with only unlang,
I can save lots of time on this endless trial. Lol

In fact, the reason why I need this function is that sometimes we treat some
attributes as temporary variables for generating another attribute value
pair.

Then we erase it before sending the request or reply out. So I am wondering, would
the majority of FR users do things like this?

I personally pretty much love this way for some policy processing, and that is how
FreeRADIUS is powerful and flexible, I think. So I believe there might be
somebody else who probably needs this.

Alright, just free chat.

Cheers,

Okis.

 

 
