Dear Jay Lyerly,
Check dictionaries to find a name for this attribute. If this attribute is
not in the dictionaries, add it with the value and vendor code specified by
the equipment manufacturer.
--Sunday, March 16, 2003, 10:31:13 PM, you wrote to [EMAIL PROTECTED]:
JL> That helps. Now an entry like Reply-Message in the users file under
JL> DEFAULT works. But how do I return group information with a Radius
JL> Authentication request? I've tried adding things like Group='pptp_users'
JL> and Group-Name="pptp_users", but these don't seem to get returned to the
JL> VPN server when it makes a request. From what I've read elsewhere, it
JL> looks like these are internal names to the freeradius server. What
JL> parameter will return group information when a client requests
JL> authentication?
JL> thanks for the help,
JL> jay
>> Dear Jay Lyerly,
>>
>> Configure default entry in 'users' file and add 'file' authorization.
>>
>> --Friday, March 14, 2003, 2:22:48 AM, you wrote to
>> [EMAIL PROTECTED]:
>>
>> JL> Excellent! This is working now.... mostly.
>>
>> JL> The Firebox successfully authenticates via MS-CHAP with data stored
>> JL> in LDAP.
>>
>> JL> One last problem.
>>
>> JL> The Firebox requires the users to be members of a group called
>> JL> pptp_users. I've added an LDAP attribute of radiusGroupName with a
>> JL> value of pptp_users to my LDAP account and created a group in LDAP with
>> JL> cn=pptp_users. This group lists my DN as a member. I believe this
>> JL> corresponds to the settings in my radiusd.conf file:
>>
>> JL> groupname_attribute = cn
>> JL> groupmembership_filter = "(|(&(objectClass=GroupOfNames)(member=%{Ldap-UserDn}))(&(objectClass=GroupOfUniqueNames)(uniquemember=%{Ldap-UserDn})))"
>> JL> groupmembership_attribute = radiusGroupName
>>
>> JL> I tested out the groupmembership filter and it seems to work as
>> JL> expected. Unfortunately, this doesn't return the group information to
>> JL> the Firebox with the authentication information. In fact, monitoring
>> JL> the LDAP server, it looks like radiusd is never looking up anything
>> JL> related to pptp_users, just one query for my user info. How can I make
>> JL> radiusd expose this group information?
>>
>> JL> If it is terribly difficult via LDAP, how can I hardcode one group
>> JL> response for all users? (I'll need the right syntax for this one.)
>> JL> That seems much less elegant, but would work for my purposes.
>>
>> JL> thanks again,
>> JL> jay
>>
>>
>> JL> 3APA3A wrote:
>>
>>>>Dear Jay Lyerly,
>>>>
>>>>You better add radiusAuthType attribute in your LDAP schema with
>>>> value of MSCHAP for MS-CHAP users.
>>>>
>>>>--Thursday, March 13, 2003, 3:53:34 PM, you wrote to
>>>> [EMAIL PROTECTED]:
>>>>
>>>>JL> Okay. That sounds like it should work. In fact, I tried that, but I
>>>>JL> don't quite understand the file format of radiusd.conf yet. Do I put in
>>>>JL> the line
>>>>
>>>>JL> authtype= MS-CHAP
>>>>
>>>>JL> in the config file? If that's right, where does it go?
>>>>
>>>>JL> thanks,
>>>>JL> jay
>>>>
>>>>>>Dear Jay Lyerly,
>>>>>>
>>>>>>Remove mschap from authorize section (you don't need it to
>>>>>> be in authorize) and set Auth-Type for user to MSCHAP (you have
>>>>>> Auth-Type LDAP instead of MSCHAP).
>>>>>>
>>>>>>--Thursday, March 13, 2003, 1:21:02 AM, you wrote to
>>>>>>[EMAIL PROTECTED]:
>>>>>>
>>>>>>JL> Hi,
>>>>>>
>>>>>>JL> I'm trying to set up a radius server to authenticate VPN users connecting
>>>>>>JL> via a WatchGuard Firebox. The only external authentication mechanism the
>>>>>>JL> Firebox supports is MS-CHAPv2 via Radius. I'd like to use freeradius to
>>>>>>JL> access data in our LDAP database. All the steps leading up to the end
>>>>>>JL> seem good, but the last crucial step keeps failing. The Firebox makes the
>>>>>>JL> authentication request to the radius server, the radius server looks up
>>>>>>JL> the user in LDAP and retrieves the ntPassword and lmPassword. The problem
>>>>>>JL> is the rlm_mschap module never seems to fire to verify the login
>>>>>>JL> credentials. I've read through all the info I can find, but I can't get
>>>>>>JL> it to work. The debug output from radiusd is below.
>>>>>>
>>>>>>JL> Any thoughts?
>>>>>>
>>>>>>JL> rad_recv: Access-Request packet from host 192.168.244.4:4037, id=172, length=135
>>>>>>JL> User-Name = "jayl"
>>>>>>JL> MS-CHAP-Challenge = 0x117d9959135175e680ee77c456713eaf
>>>>>>JL> MS-CHAP2-Response = 0x8100e50b7fc08691cf23a35fb1db2be0421900000000000000002e053612d932f67ad81de0df53ea48744e0912054fda8857
>>>>>>JL> NAS-Identifier = "firebox"
>>>>>>JL> NAS-Port = 3012
>>>>>>JL> NAS-Port-Type = Virtual
>>>>>>JL> Service-Type = Authenticate-Only
>>>>>>JL> modcall: entering group authorize
>>>>>>JL> modcall[authorize]: module "preprocess" returns ok
>>>>>>JL> rlm_realm: No '@' in User-Name = "jayl", looking up realm NULL
>>>>>>JL> rlm_realm: No such realm NULL
>>>>>>JL> modcall[authorize]: module "suffix" returns noop
>>>>>>JL> rlm_ldap: - authorize
>>>>>>JL> rlm_ldap: performing user authorization for jayl
>>>>>>JL> radius_xlat: '(uid=jayl)'
>>>>>>JL> radius_xlat: 'dc=ceintl,dc=com'
>>>>>>JL> ldap_get_conn: Got Id: 0
>>>>>>JL> rlm_ldap: attempting LDAP reconnection
>>>>>>JL> rlm_ldap: (re)connect to igate:389, authentication 0
>>>>>>JL> rlm_ldap: bind as / to igate:389
>>>>>>JL> rlm_ldap: waiting for bind result ...
>>>>>>JL> rlm_ldap: performing search in dc=ceintl,dc=com, with filter (uid=jayl)
>>>>>>JL> rlm_ldap: checking if remote access for jayl is allowed by loginShell
>>>>>>JL> rlm_ldap: looking for check items in directory...
>>>>>>JL> rlm_ldap: Adding ntPassword as NT-Password, value F960112331D92B555B63B469248E923F & op=21
>>>>>>JL> rlm_ldap: Adding lmPassword as LM-Password, value 49F1F165D6182D587C3113B4A1A5E3A0 & op=21
>>>>>>JL> rlm_ldap: looking for reply items in directory...
>>>>>>JL> rlm_ldap: user jayl authorized to use remote access
>>>>>>JL> ldap_release_conn: Release Id: 0
>>>>>>JL> modcall[authorize]: module "ldap" returns ok
>>>>>>JL> modcall[authorize]: module "mschap" returns notfound
>>>>>>JL> modcall: group authorize returns ok
>>>>>>JL> rad_check_password: Found Auth-Type LDAP
>>>>>>JL> auth: type "LDAP"
>>>>>>JL> auth: Failed to validate the user.
>>>>>>JL> Delaying request 0 for 1 seconds
>>>>>>JL> Finished request 0
>>>>>>JL> Going to the next request
>>>>>>JL> --- Walking the entire request list ---
>>>>>>JL> Waking up in 1 seconds...
>>>>>>JL> --- Walking the entire request list ---
>>>>>>JL> Waking up in 1 seconds...
>>>>>>JL> --- Walking the entire request list ---
>>>>>>JL> Sending Access-Reject of id 172 to 192.168.244.4:4037
>>>>>>JL> MS-CHAP-Error = "\201E=691 R=1"
>>>>>>
>>>>>>JL> -
>>>>>>JL> List info/subscribe/unsubscribe? See
>>>>>>http://www.freeradius.org/list/users.html
>>>>>>
>>>>>>--
>>>>>>~/ZARAZA
>>>>
>>
>> --
>> ~/ZARAZA
>>
--
~/ZARAZA
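The advice in this thread, to look an attribute up in the dictionaries before using it as a reply item, can be checked mechanically. The Python below is an added example, not code from this thread or from FreeRADIUS: it parses a constructed excerpt written in FreeRADIUS dictionary syntax and reports which reply items of a users-file DEFAULT entry name attributes that the dictionary does not define. Standard attribute numbers follow RFC 2865; the vendor ExampleVendor and its number 99999 are placeholders, and a fifth field on an ATTRIBUTE line is treated as an old-style vendor name (attribute flags are not handled).

```python
"""Check users-file reply attributes against a FreeRADIUS-style dictionary.

Constructed example: standard attribute numbers follow RFC 2865; the vendor
"ExampleVendor" and its number 99999 are placeholders, not a real vendor.
"""
import re

SAMPLE_DICTIONARY = """
# Constructed excerpt in FreeRADIUS dictionary syntax
ATTRIBUTE    Filter-Id           11     string
ATTRIBUTE    Reply-Message       18     string
ATTRIBUTE    Class               25     octets
VENDOR       ExampleVendor       99999
BEGIN-VENDOR ExampleVendor
ATTRIBUTE    Example-Group-Name  1      string
END-VENDOR   ExampleVendor
"""


def parse_dictionary(text):
    """Return {attribute name: (number, type, vendor name or None)}.

    A fifth field on an ATTRIBUTE line is read as a vendor name (old-style
    syntax); attribute flags such as has_tag are not handled here.
    """
    attrs, vendor = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if fields[0] == "BEGIN-VENDOR":
            vendor = fields[1]
        elif fields[0] == "END-VENDOR":
            vendor = None
        elif fields[0] == "ATTRIBUTE" and len(fields) >= 4:
            attr_vendor = fields[4] if len(fields) > 4 else vendor
            attrs[fields[1]] = (int(fields[2]), fields[3], attr_vendor)
    return attrs


def check_reply_items(attrs, reply_items):
    """Split 'Name = value' reply items into dictionary-known and unknown names.

    Only an attribute the dictionary defines can be encoded into the
    Access-Accept that the NAS receives; anything else stays server-side.
    """
    known, unknown = [], []
    for item in reply_items:
        name = item.split("=", 1)[0].strip()
        (known if name in attrs else unknown).append(name)
    return known, unknown
```

Run it against the real dictionary files shipped with your server and the reply lines of your DEFAULT entry; a name in the unknown list is exactly the case where a vendor attribute must first be added with the vendor code the equipment manufacturer specifies.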