Re: Active Directory authentication question
Dear Stephan, just the last question please... in your guide you say:

  In /etc/raddb/eap.conf, change the ttls section as follows:

    default_eap_type = mschapv2
    copy_request_to_tunnel = yes
    use_tunneled_reply = no

That's OK... but what do I have to put in the eap section from eap.conf file???

  eap {
    default_eap_type = ttls

default_eap_type=ttls or =mschapv2 ???

Thanks a lot,
Roberto

2013/9/24 stefan.pae...@diamond.ac.uk:
> You need the following items on your Debian system to build eapol_test: libssl-dev, libnl1, libnl-dev :-)
>
> Stefan
>
> -----Original Message-----
> From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Roberto Carna
> Sent: 24 September 2013 15:17
> To: FreeRadius users mailing list
> Subject: Re: Active Directory authentication question
>
> Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:
>
>   # make eapol_test
>   /usr/bin/ld: cannot find -lnl
>   collect2: error: ld returned 1 exit status
>   make: *** [eapol_test] Error 1
>
> I've followed all the steps to use this tool, but I can't make it. What can be the problem ???
>
> Thanks
>
> 2013/9/24 stefan.pae...@diamond.ac.uk:
>> Hi Roberto,
>>
>> You have to install Kerberos, yes. I believe you'll need the krb5-user package. When you install krb5-user, it should install krb5.conf for you, but I'm not up to date on Debian specifically.
>>
>> Stefan
>>
>> -----Original Message-----
>> From: Roberto Carna [mailto:robertocarn...@gmail.com]
>> Sent: 23 September 2013 19:16
>> To: Paetow, Stefan (DLSLtd,RAL,LSCI)
>> Subject: Re: Active Directory authentication question
>>
>> Dear Stephan, I use Debian 7 for my Freeradius server and there I've installed Samba, Winbind and krb5.conf... not Kerberos (or whatever the package is called). Do I need to install the Kerberos package, or simply install the krb5.conf and then edit it ???
>>
>> Thanks again.
>> Roberto
>>
>> 2013/9/23 stefan.pae...@diamond.ac.uk:
>>> Hi Roberto,
>>>
>>> When in the process do you get that error? Here are my configuration bits. In the [global] section of the SMB.CONF file I have:
>>>
>>>   workgroup = DIAMOND
>>>   security = ads
>>>   realm = DIAMOND.LOCAL (my test domain)
>>>   password server = IP address of my primary domain controller
>>>
>>> Everything else is left as-is (default). My test domain is called DIAMOND.LOCAL.
>>>
>>> Stefan
>>>
>>> -----Original Message-----
>>> From: Roberto Carna [mailto:robertocarn...@gmail.com]
>>> Sent: 23 September 2013 15:58
>>> To: Paetow, Stefan (DLSLtd,RAL,LSCI)
>>> Subject: Re: Active Directory authentication question
>>>
>>> Dear Stephan, can you send me a complete smb.conf file because I am a bit lost in the correct configuration ? I'm getting the error:
>>>
>>>   Could not connect to server 10.11.0.64
>>>   Connection failed: NT_STATUS_BAD_NETWORK_NAME
>>>
>>> --
>>> This e-mail and any attachments may contain confidential, copyright and or privileged material, and are for the use of the intended addressee only. If you are not the intended addressee or an authorised recipient of the addressee please notify us of receipt by returning the e-mail and do not use, copy, retain, distribute or disclose the information in or attached to the e-mail. Any opinions expressed within this e-mail are those of the individual and not necessarily of Diamond Light Source Ltd. Diamond Light Source Ltd. cannot guarantee that this e-mail or any attachments are free from viruses and we cannot accept liability for any damage which you may sustain as a result of software viruses which may be transmitted in or with the message. Diamond Light Source Limited (company no. 4375679). Registered in England and Wales with its registered office at Diamond House, Harwell Science and Innovation Campus, Didcot, Oxfordshire, OX11 0DE, United Kingdom
RE: Active Directory authentication question
In the eap section, the default is md5, set it to ttls.

And Roberto, you've emailed the entire FreeRADIUS mailing list. :-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Roberto Carna
Sent: 25 September 2013 14:27
To: FreeRadius users mailing list
Subject: Re: Active Directory authentication question

> Dear Stephan, just the last question please... in your guide you say:
>
>   In /etc/raddb/eap.conf, change the ttls section as follows:
>
>     default_eap_type = mschapv2
>     copy_request_to_tunnel = yes
>     use_tunneled_reply = no
>
> That's OK... but what do I have to put in the eap section from eap.conf file???
>
>   eap {
>     default_eap_type = ttls
>
> default_eap_type=ttls or =mschapv2 ???
>
> Thanks a lot,
> Roberto
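To put Stefan's two instructions side by side, here is the resulting eap.conf fragment as an added example; it is not from the original thread or from Stefan's guide. The outer default_eap_type and the three ttls settings are the values quoted in the thread; the tls subsection, the virtual_server line and the empty mschapv2 subsection are assumptions based on the stock FreeRADIUS 2.x eap.conf layout and are marked as such in the comments.

```conf
# /etc/raddb/eap.conf, FreeRADIUS 2.x layout. Added example, not the guide's own file.
eap {
        # Outer method the server offers first. Stefan: "the default is md5, set it to ttls".
        default_eap_type = ttls

        # TTLS runs its inner method inside a TLS tunnel, so the server certificate
        # settings in tls {} must be present. Assumption: the stock 2.x key names
        # and certificate paths; replace the placeholders with your own files.
        tls {
                certdir = ${confdir}/certs
                cadir = ${confdir}/certs
                private_key_password = CHANGE-ME
                private_key_file = ${certdir}/server.pem
                certificate_file = ${certdir}/server.pem
                CA_file = ${cadir}/ca.pem
                dh_file = ${certdir}/dh
                random_file = /dev/urandom
        }

        # The three settings from the guide, exactly as quoted in the thread.
        ttls {
                default_eap_type = mschapv2        # inner method run inside the tunnel
                copy_request_to_tunnel = yes       # inner request sees the outer attributes
                use_tunneled_reply = no            # inner reply attributes stay inside the tunnel
                # Assumption: stock 2.x default; the inner request is processed by this site.
                virtual_server = "inner-tunnel"
        }

        # The inner method. Its NTLM lookup against AD is configured in the mschap
        # module, not here (Roberto asks about this later in the thread).
        mschapv2 {
        }
}
```

The two default_eap_type lines answer Roberto's question: the one directly under eap {} selects the outer method (ttls), the one inside ttls {} selects what runs inside the tunnel (mschapv2). Every subsection present under eap {} is loaded as an additional method, which is why Stefan later says the server still accepts EAP-TLS and PEAP; default_eap_type only decides which method is offered first. Running the server in full debug mode (radiusd -X), as Alan suggests further down, shows which method each client actually negotiates. Because TTLS/MSCHAPv2 sends a password-derived challenge response inside the tunnel, the client's validation of the server certificate in tls {} is what stands between those credentials and a rogue access point, so the supplicant side should be configured to check it.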
Re: Active Directory authentication question
Dear Stephan: Notebook with Windows 7 + AP + EAP-TTLS + MSCHAPv2 + Freeradius + AD is working now !!!

But just a doubt: if I access with my Android device, using EAP-TLS (not EAP-TTLS) + MSCHAPv2, I can access the same... why ???

Regards and thanks,
Roberto

2013/9/25 stefan.pae...@diamond.ac.uk:
> In the eap section, the default is md5, set it to ttls.
>
> And Roberto, you've emailed the entire FreeRADIUS mailing list. :-)
>
> Stefan
RE: Active Directory authentication question
Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which worked). You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional authentication method. Since the default_eap_type is set to ttls, your server *prefers* using EAP-TTLS with EAP-MSCHAPv2, but it still supports other methods (like EAP-TLS and PEAP with EAP-MSCHAPv2).

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Roberto Carna
Sent: 25 September 2013 15:44
To: FreeRadius users mailing list
Subject: Re: Active Directory authentication question

> Dear Stephan: Notebook with Windows 7 + AP + EAP-TTLS + MSCHAPv2 + Freeradius + AD is working now !!!
>
> But just a doubt: if I access with my Android device, using EAP-TLS (not EAP-TTLS) + MSCHAPv2, I can access the same... why ???
>
> Regards and thanks,
> Roberto
Re: Active Directory authentication question
But in the EAP-TLS section from eap.conf file, I don't see any reference to MSCHAPv2... and remember the NTLM authentication query is set up in the MSCHAPv2 module.

2013/9/25 stefan.pae...@diamond.ac.uk:
> Because your EAP-TLS process works? Remember, you set up EAP-TLS first (which worked). You just configured EAP-TTLS with EAP-MSCHAPv2 as an additional authentication method. Since the default_eap_type is set to ttls, your server *prefers* using EAP-TTLS with EAP-MSCHAPv2, but it still supports other methods (like EAP-TLS and PEAP with EAP-MSCHAPv2).
>
> Stefan
Re: Active Directory authentication question
Well. There's no such thing as EAP-TLS/MSCHAPv2. So I'd guess that your Android device is just doing PEAPv0/EAP-MSCHAPv2 or such and your config allows it to. If you ran in full debug mode when connecting with the Android device you'd see exactly what's happening.

alan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: Active Directory authentication question
> But in the EAP-TLS section from eap.conf file, I don't see any reference to MSCHAPv2... and remember the NTLM authentication query is set up in the MSCHAPv2 module.

EAP-TLS does not use MSCHAPv2. It uses certificates. I quote Alan DeKok's response to your question on September 18:

>> Dear, I have several Windows 7 clients over WiFi authenticating through EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it works OK.
>
> EAP-TLS doesn't use MySQL for storing credentials. Everything is in the certificate.
>
>> Because I don't know so much about Windows world, I need to know if I have to use NTLM, LDAP or Kerberos in order to authenticate against the remote AD.
>
> For MS-CHAP and PEAP, you use ntlm. You don't have any other choice. For EAP-TLS, you don't use AD or MySQL.
Re: Active Directory authentication question
Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:

  # make eapol_test
  /usr/bin/ld: cannot find -lnl
  collect2: error: ld returned 1 exit status
  make: *** [eapol_test] Error 1

I've followed all the steps to use this tool, but I can't make it. What can be the problem ???

Thanks

2013/9/24 stefan.pae...@diamond.ac.uk:
> Hi Roberto,
>
> You have to install Kerberos, yes. I believe you'll need the krb5-user package. When you install krb5-user, it should install krb5.conf for you, but I'm not up to date on Debian specifically.
>
> Stefan
Re: Active Directory authentication question
Roberto Carna wrote:
> Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:
>
>   # make eapol_test
>   /usr/bin/ld: cannot find -lnl
>   collect2: error: ld returned 1 exit status
>   make: *** [eapol_test] Error 1
>
> I've followed all the steps to use this tool, but I can't make it. What can be the problem ???

You do realize that eapol_test isn't part of FreeRADIUS, right? Please ask the eapol_test authors how to fix it.

Alan DeKok.
Re: Active Directory authentication question
On 09/24/2013 10:16 AM, Roberto Carna wrote:
> Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:
>
>   # make eapol_test
>   /usr/bin/ld: cannot find -lnl
>   collect2: error: ld returned 1 exit status
>   make: *** [eapol_test] Error 1

Basic software development isn't really a topic for this list. You should really look elsewhere for information on how to build and install on your chosen platform. You also need to understand error messages. But just to get you going: "cannot find -lnl" means the linker cannot find the libnl library, therefore you need to install the libnl-devel package for your distribution. The devel package, because it includes the files you need during development as opposed to runtime.

--
John
RE: Active Directory authentication question
You need the following items on your Debian system to build eapol_test: libssl-dev, libnl1, libnl-dev :-)

Stefan

-----Original Message-----
From: freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org [mailto:freeradius-users-bounces+stefan.paetow=diamond.ac...@lists.freeradius.org] On Behalf Of Roberto Carna
Sent: 24 September 2013 15:17
To: FreeRadius users mailing list
Subject: Re: Active Directory authentication question

> Dear, I'm advancing in the Freeradius + AD authentication... just a short question: when I want to make the eapol_test tool, I get this error:
>
> # make eapol_test
> /usr/bin/ld: cannot find -lnl
> collect2: error: ld returned 1 exit status
> make: *** [eapol_test] Error 1
>
> I've followed all the steps to use this tool, but I can't make it. What can be the problem ???
>
> Thanks
>
> [...]
Re: Active Directory authentication question
Or ask your distribution provider why they still provide the wpa_supplicant package without the eapol_test tool ;)

alan
RE: Active Directory authentication question
> What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work... and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication... is it OK ???

Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 authentication. What you can do in eap.conf is specify which EAP type you want to use by default. If you prefer EAP-TLS, you can specify default_eap_type = tls. But if the client does not support that and asks for EAP-TTLS or PEAP instead, then, if your server is configured correctly, it can support those additional types too.

For NTLM authentication, what you *do* need is to add your FreeRADIUS machine to the Windows 2012 domain. Since you're on a flavour of Unix/Linux, you need to install Samba on your Linux box and configure it to talk to the Windows 2012 domain controller (via Kerberos).

You may want to read this page, which describes how we've made authentication against Active Directory work with PEAP (specifically PEAP with EAP-MSCHAPv2) and EAP-TTLS with EAP-MSCHAPv2:

http://confluence.diamond.ac.uk/display/PAAUTH/Using+Active+Directory+as+authentication+source

We don't use PEAP and don't have any test clients that support PEAP, but EAP-TTLS/EAP-MSCHAPv2 works splendidly (which is good enough for our purposes and is widely supported by Windows clients).

You can use rad_eap_test (there is information about this on the link above, including how to build the binary) to specify which EAP method you want to use and then which inner authentication to use (where applicable). So you can leave your existing setup (I assume default_eap_type is 'tls') alone and still test your NTLM authentication.

Folks, feel free to correct... but that's what worked here.

Stefan
Re: Active Directory authentication question
Thanks Stephan for all your important help.

Regards, Roberto

2013/9/19 stefan.pae...@diamond.ac.uk:
> Roberto, you don't have to remove EAP-TLS to support NTLM/MS-CHAPv2 authentication. What you can do in eap.conf is specify which EAP type you want to use by default. If you prefer EAP-TLS, you can specify default_eap_type = tls. But if the client does not support that and asks for EAP-TTLS or PEAP instead, then, if your server is configured correctly, it can support those additional types too.
>
> [...]
Re: Active Directory authentication question
Roberto Carna wrote:
> Dear, I have several Windows 7 clients over WiFi authenticating through EAP-TLS to a Freeradius 2.1 service against a local MySQL database, it works OK.

EAP-TLS doesn't use MySQL for storing credentials. Everything is in the certificate.

> Now I have to change the authentication from MySQL to a remote Active Directory on a Windows 2012 server.

FreeRADIUS is an authentication server. MySQL is not. It's a database.

Using the correct terminology means it's easier to come up with a solution. Using the wrong terminology means you're lost, and you can't find a solution.

> Because I don't know so much about Windows world, I need to know if I have to use NTLM, LDAP or Kerberos in order to authenticate against the remote AD.

For MS-CHAP and PEAP, you use ntlm. You don't have any other choice.

For EAP-TLS, you don't use AD or MySQL.

Alan DeKok.
Re: Active Directory authentication question
Sorry, so I'm a bit confused... I'm using Windows 7 clients for accessing the WiFi network through EAP-TLS with X.509 certificates. But in this way, I could see that I can authenticate users or hosts... if I choose users, I can see a dialog box to fill user and password and I suppose they are checked against MySQL database (because I see the query in debug mode). Is this correct or not ???

And finally, if I use EAP-TLS with X.509 certificates, do you mean I don't need to use the authentication against the active directory database ??? Maybe this is easier to me because I've put EAP-TLS to work.

Thanks a lot, Roberto

2013/9/18 Alan DeKok al...@deployingradius.com:
> EAP-TLS doesn't use MySQL for storing credentials. Everything is in the certificate.
>
> [...]
>
> For MS-CHAP and PEAP, you use ntlm. You don't have any other choice.
>
> For EAP-TLS, you don't use AD or MySQL.
Re: Active Directory authentication question
On 18 Sep 2013, at 15:39, Roberto Carna robertocarn...@gmail.com wrote:
> Sorry, so I'm a bit confused... I'm using Windows 7 clients for accessing the WiFi network through EAP-TLS with X.509 certificates. But in this way, I could see that I can authenticate users or hosts... if I choose users, I can see a dialog box to fill user and password and I suppose they are checked against MySQL database (because I see the query in debug mode). Is this correct or not ???

MySQL can be used to retrieve additional attributes associated with a given user/host. It can even perform lookups based on fields in the cert presented, but it can't be used to store X.509 certificate data.

> And finally, if I use EAP-TLS with X.509 certificates, do you mean I don't need to use the authentication against the active directory database ??? Maybe this is easier to me because I've put EAP-TLS to work.

No, the easier way is to complete the certificate chain using the signing cert which created the client certs in the first place. This needs to be made available to the EAP-TLS module.

-Arran

Arran Cudbard-Bell a.cudba...@freeradius.org
FreeRADIUS Development Team
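Putting Stefan's eap.conf advice (keep default_eap_type = tls and still serve EAP-TTLS with an MS-CHAPv2 inner method through Samba/ntlm_auth) together with Arran's point that the signing CA must be made available to the EAP-TLS module, here is an added illustration that is neither author's configuration nor a file from the FreeRADIUS project. It uses the stock FreeRADIUS 2.x file layout under /etc/raddb; the CA file name ca.pem, the key password placeholder and the domain name EXAMPLE are assumptions.

```conf
# /etc/raddb/eap.conf (FreeRADIUS 2.x) -- added example, not from the list or the project.
# The *client* proposes the EAP type; the server only has to be able to serve each
# type it is configured for, so adding TTLS does not remove EAP-TLS.
eap {
    default_eap_type = tls           # offered first; a client asking for TTLS still gets TTLS
    timer_expire     = 60
    ignore_unknown_eap_types = no

    tls {
        certdir = ${confdir}/certs
        cadir   = ${confdir}/certs
        private_key_password = ASSUMED-KEY-PASSWORD   # placeholder
        private_key_file = ${certdir}/server.pem
        certificate_file = ${certdir}/server.pem
        # Arran's point: the CA that signed the *client* certificates must be here,
        # otherwise the chain cannot be completed and every EAP-TLS client is rejected.
        CA_file = ${cadir}/ca.pem                     # assumed name of the private CA cert
        dh_file = ${certdir}/dh
        random_file = /dev/urandom
        check_crl = no
    }

    ttls {
        default_eap_type = mschapv2      # inner method; the MS-CHAPv2 exchange goes to AD
        copy_request_to_tunnel = yes
        use_tunneled_reply = no
        virtual_server = "inner-tunnel"  # inner request handled by sites-enabled/inner-tunnel
    }

    mschapv2 {
    }
}

# /etc/raddb/modules/mschap -- hands the MS-CHAPv2 challenge/response to winbind's
# ntlm_auth; this is why the box must first be joined to the domain with Samba.
mschap {
    use_mppe = yes
    require_encryption = yes
    require_strong = yes
    with_ntdomain_hack = yes
    ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --domain=EXAMPLE --username=%{%{Stripped-User-Name}:-%{%{User-Name}:-None}} --challenge=%{%{mschap:Challenge}:-00} --nt-response=%{%{mschap:NT-Response}:-00}"
}
```

The inner-tunnel virtual server must still list mschap in its authenticate section (the stock one does); with this layout an EAP-TLS client and an EAP-TTLS/MSCHAPv2 client can be tested side by side with rad_eap_test as Stefan describes.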
Re: Active Directory authentication question
On 09/18/2013 11:01 AM, Roberto Carna wrote:
> Arran, I have a private CA and I've created the server and client certs of course... and I've generated the .p12 cert (including the CA cert) to install in my Windows 7 clients... it works OK.
>
> What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work... and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication... is it OK ???

I think you have a misconception. The client decides what type of authentication mechanism it's going to use. The radius server should be able to handle a wide variety of authentication mechanisms supplied by a diverse range of clients.

So in your case you've got one mechanism working, great, now add support for another; when you're done your radius server can handle 2 mechanisms. Keep iterating on this basic cycle until your server supports the range of clients you need to support.

--
John
Re: Active Directory authentication question
Arran, I have a private CA and I've created the server and client certs of course... and I've generated the .p12 cert (including the CA cert) to install in my Windows 7 clients... it works OK.

What I mean is that EAP-TLS is easier to me than AD authentication at this point, because I've just put it to work... and if I want to use AD auth I have to take EAP-TLS out and start again with NTLM / AD authentication... is it OK ???

Regards

2013/9/18 Arran Cudbard-Bell a.cudba...@freeradius.org:
> MySQL can be used to retrieve additional attributes associated with a given user/host. It can even perform lookups based on fields in the cert presented, but it can't be used to store X.509 certificate data.
>
> [...]
>
> No, the easier way is to complete the certificate chain using the signing cert which created the client certs in the first place. This needs to be made available to the EAP-TLS module.
Re: Active Directory authentication question
Roberto Carna wrote:
> Sorry, so I'm a bit confused...

Because you're unfamiliar with the correct terminology, and with how things really work.

To recap:

EAP-TLS uses certificates to identify users. And nothing else. No passwords, etc.

AD is a database. MySQL is a database. They store user information. They don't authenticate users.

FreeRADIUS is an authentication server. Where necessary, it pulls user information from a database. It also returns user profiles to a WiFi AP. e.g. VLAN, etc.

Alan DeKok.