Hi all
The point is that at one time ntlm_auth stopped working on the primary server.
When I test it from the command line it says "No logon server".
I noticed in the logs that there were 10 attempts per minute with a wrong
password from one of our routers. When I applied an ACL on the router to block
Hi,
My Cisco sends to RADIUS its IP address and the isakmp-group-id (or profile name).
Debug from radiusd -X:
Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
User-Name = domain\\user
Cisco-AVPair = connect-progress=No Progress
Sorry, I made a mistake in the email.
My Cisco sends to RADIUS its IP address and the isakmp-group-id (or profile name).
Debug from radiusd -X:
Cisco-AVPair = isakmp-group-id=CiscoGroup
Acct-Session-Id = 61286
User-Name = domain\\user
Cisco-AVPair =
Thank you Phil, that's great help, but it still doesn't work as it
should.
Now I don't know how I should adjust the users file :)
I used
if ((NAS-IP-Address == 1.1.1.1) && ("%{mschap:NT-Domain}" == "vipdomainuser")) {
        update control {
                Auth-Type := ntlm_auth_vip
        }
}
As a hint, if you don't implement a rule for a different NT-Domain,
then the rules for that different NT-Domain won't be applied. Because
they don't exist.
Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Thank you Alan, it makes sense. But it
Jevos, Peter wrote:
The Fall-Through attribute doesn't work in this case, because it is "falling"
all the time (even though it matches the condition)
You're not getting what I'm saying. The users file does *not* run
during the authenticate phase. So it makes no sense to ask about
modifying
See man unlang. Put the logic into raddb/sites-available/default,
the authorize section.
Uh... read the debug output, and look at the files in the raddb
directory. The directory has more than *one* file. This should be a
hint that the users file doesn't solve everything.
Alan
Jevos, Peter wrote:
How can I skip to the second DEFAULT if the first DEFAULT doesn't pass?
Use the Fall-Through attribute. See comments in the default users
file.
So if a request comes from 10.1.1.2 and the user doesn't pass through
authentication, it should be forwarded
Hi
How can I skip to the second DEFAULT if the first DEFAULT doesn't pass?
So if a request comes from 10.1.1.2 and the user doesn't pass through
authentication, it should be forwarded to another DEFAULT (with the
vpn_auth_name authentication).
Now it stops at the first DEFAULT
DEFAULT
Hi, I tried to set up the configuration from different sources on the
web, but it's not easy.
I have a Cisco VPN access server with several IPsec profiles (groups).
They should be authenticated against FreeRADIUS.
One profile called Group1 should be authenticated against ntlm_auth_vpn
(
On 04/11/10 10:41, Jevos, Peter wrote:
DEFAULT Auth-Type := ntlm_auth_vpn, NAS-IP-Address == 10.1.1.252
        Tunnel-Type = ESP,
        Tunnel-Private-Group-ID = Group1,
        Tunnel-Password = cisco,
        Cisco-Avpair = "ipsec:dns-servers=10.1.1.6 10.1.1.7",
        Cisco-Avpair = "ipsec:addr-pool=vpn_pool",
This is wrong; you
Cisco-AVpair += 2nd:attribute
This is documented in the manpage and docs.
Thank you, it helped but it still doesn't work as I wished:
All I need is:
When request comes from 10.1.1.252 and
On 04/11/10 15:52, Jevos, Peter wrote:
Dear Phil, thank you,
I removed the Fall-Through parameter; it works partially. When the user comes
from the address 10.1.1.252 and Tunnel-Private-Group-ID is not Group1,
it takes Auth-Type := ntlm_auth_vpn (which is wrong), and not
Auth-Type
On 04/11/10 16:15, Jevos, Peter wrote:
Thanks for your reply, however as you can see from my previous posts, I
did it:
Frankly I find your posts confusing; your email client doesn't quote
properly and mangles the text wrapping, so I had no way to be sure.
Post full debug output of a failing
Hi
I have at the end of the users file two DEFAULT statements:
DEFAULT Auth-Type := ntlm_auth_vpn_comp
NAS-IP-Address == 10.1.1.1,
Service-Type = Framed-User,
Framed-Protocol = PPP,
However it doesn't work, because every request matches only the first DEFAULT
statement, even though it comes from a different NAS-IP-Address than
10.1.1.1.
Do you know why this happens?
Because, as documented, your MATCH statement must all be on the first line. The
second line
Hi guys
I'm really trying, but it's not easy to find something in the
documentation.
I have 2 modules, ntlm_auth_vpn1/2, and I'd like to do failover.
I tried this but I was not successful:
In the modules directory I have 2 files, ntlm_auth_vpn1 and ntlm_auth_vpn2
In the sites-available/default I have:
great here for some other modules (SQL)
Hope it helps.
Original message
Date: Fri, 23 Jul 2010 18:45:30 +0200
From: freeradius-users-bounces+alexandre.chapellon=mana...@lists.freeradius.org (on behalf of Jevos, Peter peter.je...@oriflame.com)
Subject: How to set properly failover
Is it possible to display the type of authentication (Auth-Type) that the
clients used during the authentication?
In 2.1.9, see msg_goodpass in radiusd.conf. You can put anything
you want in there.
Hi Alan
Thank you for your answer. This feature is really useful, thanks.
However how should
Hi
I have in modules/ntlm_auth_vpn the command:
exec ntlm_auth_vpn {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} --password=%{User-Password} --require-membership-of=domain1"
}
I have in the modules/ntlm_auth_vpn command:
..
Is it possible to add another command (with a different domain) and to
add an OR in order to choose which one will pass?
Something like this:
exec ntlm_auth_vpn {
        program = /usr/bin/ntlm_auth --request-nt-key
I have in the modules/ntlm_auth_vpn command:
There is another way too.
Simply make a second copy of that module, e.g. have
ntlm_auth_vpn1
and
ntlm_auth_vpn2
(each configured with what you want/need)
and then read: http://wiki.freeradius.org/Fail-over
You can then have this sort of
Hi
Is it possible to display the type of authentication (Auth-Type) that the
clients used during the authentication?
Thanks
pet
Hi
I'd like to authenticate Cisco VPN clients against FreeRADIUS and AD.
The prompt for the VPN client should be domainname\username.
In my smb.conf the delimiter is:
winbind separator = \\ (because backslash is a special character, I had
to use it twice)
This command works:
ntlm_auth2 = "/usr/bin/ntlm_auth --request-nt-key --domain=%{%{mschap:NT-Domain}:} --username=%{mschap:User-Name} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00} --require-membership-of=S-1-5-21-853024553-185696384-3473746203-512"
Err... no. That won't work.
How can I force FreeRADIUS to authenticate through domainname\username
Get radtest to send the same data as sent by the Cisco client. See
the server debug output in order to compare the two user names.
Alan DeKok.
Hi Alan, I forced radtest to pass, with this syntax:
1. radtest
Jevos, Peter wrote:
Thank you for your answer, but I don't understand
The documentation debug mode is clear. Do you have a *specific*
question?
I took it from the mailing list:
http://lists.freeradius.org/mailman/htdig/freeradius-users/2010-February/msg00046.html
I see. You'll
Dear Alan, thank you, I'm moving slowly forward :)
So now I have created a second ntlm_auth2 file in the modules directory,
with this command:
exec ntlm_auth2 {
        wait = yes
        program = /usr/bin/ntlm_auth --request-nt-key
        --domain=MYDOMAIN
Err... no. That won't work.
But the Cisco VPN clients are authenticated through domainname\username
and password
Then you don't need to edit the mschap configuration.
Is this ntlm_auth2 in the mschap ok? Or should I remove
--domain=%{%{mschap:NT-Domain}:}?
Delete the ntlm_auth2
Hi
I installed FreeRADIUS and I'd like to authenticate Cisco VPN
clients against AD.
Clients are authenticated through domainname\username and password, and
they need to be members of the AD group.
I already have AD authentication running, but for access to the
router (priv level 15)
Jevos, Peter wrote:
user Auth-Type := ntlm_auth
        Service-Type = NAS-Prompt-User,
        cisco-avpair = shell:priv-lvl=15
...
And I added these lines into the users file:
DEFAULT Huntgroup-Name == vpn
        Auth-Type := ntlm_auth2
What is Auth-Type on the first line
Jevos, Peter wrote:
What should the ntlm_auth file look like? What should the mschap
module look like?
What should the parameter --require-membership-of look like in these files?
What should the users file look like?
These answers I was not able to find in any documentation.
Read the URLs from
Jevos, Peter wrote:
However I was not able to find in these links anything about the
--require-membership-of
See the man page for ntlm_auth. It is just a Unix command that can
be run, like anything else.
and the Cisco VPN client example
(I also looked on these pages and found nothing
Hello friends
I was reading a few tutorials regarding Cisco authentication against
FreeRADIUS and Windows AD.
Actually I'm not really clever, because the main tutorial on the main pages
is connected with the older version, and there are more versions of
FreeRADIUS 2.0, a bit different:
was not able to find in any documentation
I'm using freeradius2-2.1.7-7.el5 (Red Hat)
Thanks
On Fri, Jul 2, 2010 at 6:43 PM, Jevos, Peter peter.je...@oriflame.com wrote:
Actually I'm not really clever, because the main tutorial on the main pages is
connected with the older version