-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Wednesday, March 17, 2004 8:59 PM
To: [EMAIL PROTECTED]
Subject: Freeradius-Users digest, Vol 1 #2989 - 6 msgs



Today's Topics:

   1. Re: leap works, mschap does not (Alan DeKok)
   2. RE: Using freeradius to authenticate users to a Windows 2000 AD (Steve OBrien)
   3. Multiple IP Pools with Ascend APX's (Anson Rinesmith)
   4. accounting detail importing? (Ryan Ghering)
   5. Re: CVS install ERROR 2 (Paul Hampson)
   6. RE: Using freeradius to authenticate users to a Windows 2000 AD (Albers Darren)

--__--__--

Message: 1
From: "Alan DeKok" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: leap works, mschap does not
Date: Wed, 17 Mar 2004 16:46:22 -0500
Reply-To: [EMAIL PROTECTED]

"Brian Schuetz" <[EMAIL PROTECTED]> wrote:
> If I use a cisco client wireless nic set to leap, and use leap or md5 as my
> default_eap_type on my radius server, everything works fine and the user is
> authenticated.
>
> Here is the message I get trying to implement mschap:

  You haven't said HOW you're implementing mschap.

> Any suggestions?

  Describe how you're implementing mschap.

  The debug log you posted used EAP, not MSCHAP.

  Alan DeKok.


--__--__--

Message: 2
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
From: Steve OBrien <[EMAIL PROTECTED]>
Date: Wed, 17 Mar 2004 14:21:03 -0800
Reply-To: [EMAIL PROTECTED]

Well it still seems not to be working.  And I could not find your other
article, I searched for radiusd.conf and your name and email with no luck.
 The output is not helpful:

Request:

/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = blade1.ci.bend.or.us
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20



Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request


Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393



Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/17/2004 11:37 AM
Please respond to: [EMAIL PROTECTED]
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

With the help of another individual on this list Richard Lucassen we were
able to get it working to authenticate against either a group or against
AD as a whole.  To see an example I posted of just authenticating a user in
general against AD look for another post by me with a sample radiusd.conf.


Here is what Richard and I put together to get group auth working, this
may not be the 100% correct way but it worked for us and if anyone has any
suggestions that would be great.  The comments are my comments and since
the formatting will probably be borked please don't just copy and paste
this into your radiusd.conf:

ldap {
  server = "FDC of your DC"
  # Account in AD with the rights to query AD for the user account
  # properties; in this example I have an account named freeradius located
  # in my Users container in the domain dc.domain.com that I am using to
  # auth.
  identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
  # Password of the above account
  password = password
  # Base DN to search from, usually the top of your domain; in this example
  # it is dc.domain.com
  basedn = "DC=dc,DC=domain,DC=com"
  # This is the search filter to find the user's account and then check its
  # group membership.  You will see that I used the full path to the group,
  # including the container it is located in.  This example is for a group
  # named RemoteUser in the Users container in the domain dc.domain.com
  filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
  password_attribute = userPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
  compare_check_items = yes
}

I commented out the groupmembership stuff, but I am not sure if that was a
bad thing or not.  Eventually I plan on writing this into a quick Howto
and posting it again.

Let me know if this helps or if you have any further questions and again
my thanks to Richard for all his help in getting this working!


 -----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve
OBrien
Sent: Wednesday, March 17, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Using freeradius to authenticate users to a Windows 2000 AD


I have seen threads pertaining to this but I cannot seem to get it to
work.  I would like to authenticate users via freeradius against a windows
2000 ad domain using LDAP.  Is this possible if so anyone have a sample
config??

TIA,
Steve




--__--__--
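
Added example, not from the thread and not FreeRADIUS code: it expands the filter from the ldap block in Message 2 for a request and evaluates it against constructed directory entries, showing that the User-Name fallback applies when no realm is stripped and that an account outside RemoteUser returns no entry. The RFC 4515 escaping of inserted values, the directory entries and the helper names are assumptions of the example, and the matcher handles only AND-of-equality filters.

```python
"""Added example: expand the thread's LDAP filter and test it offline."""
import re

# Filter template copied from the ldap { } block quoted in the thread.
FILTER_TEMPLATE = (
    "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
    "(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
)

# Constructed directory entries (not from the thread); keys are lowercased.
DIRECTORY = [
    {"samaccountname": ["alice"],
     "memberof": ["CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com"]},
    {"samaccountname": ["guest"],
     "memberof": ["CN=Domain Guests,CN=Users,DC=dc,DC=domain,DC=com"]},
]


def escape_filter_value(value):
    """Escape RFC 4515 filter metacharacters so a name is matched literally."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def _matching_brace(text, start):
    """Index of the '}' closing a '%{' whose body begins at start."""
    depth = 1
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return i
    raise ValueError("unbalanced %{...} in template")


def expand(template, request):
    """Expand %{Attr} and %{Attr:-fallback}, escaping every inserted value."""
    out, i = [], 0
    while i < len(template):
        if template.startswith("%{", i):
            end = _matching_brace(template, i + 2)
            name, has_fallback, fallback = template[i + 2:end].partition(":-")
            value = request.get(name)
            if value:
                out.append(escape_filter_value(value))
            elif has_fallback:
                out.append(expand(fallback, request))
            i = end + 1
        else:
            out.append(template[i])
            i += 1
    return "".join(out)


_CLAUSE = re.compile(r"\(([A-Za-z][\w-]*)=((?:[^()\\]|\\[0-9a-fA-F]{2})*)\)")


def parse_and_filter(flt):
    """Split '(&(a=b)(c=d))' into [(attr, value)]; reject anything else."""
    if not (flt.startswith("(&") and flt.endswith(")")):
        raise ValueError("only (&...) filters are supported")
    inner = flt[2:-1]
    clauses = _CLAUSE.findall(inner)
    if "".join("(%s=%s)" % c for c in clauses) != inner:
        raise ValueError("malformed or unsupported filter")
    return clauses


def _value_regex(value):
    """Filter value -> regex: '*' is a wildcard, an escaped pair is literal."""
    parts = []
    for tok in re.findall(r"\\[0-9a-fA-F]{2}|.", value, re.S):
        if len(tok) == 3:
            parts.append(re.escape(chr(int(tok[1:], 16))))
        elif tok == "*":
            parts.append(".*")
        else:
            parts.append(re.escape(tok))
    return re.compile("".join(parts), re.I | re.S)


def search(request, directory=DIRECTORY):
    """Return the sAMAccountName of every entry the expanded filter matches."""
    clauses = parse_and_filter(expand(FILTER_TEMPLATE, request))
    hits = []
    for entry in directory:
        if all(any(_value_regex(v).fullmatch(x) for x in entry.get(a.lower(), []))
               for a, v in clauses):
            hits.append(entry["samaccountname"][0])
    return hits


if __name__ == "__main__":
    for req in ({"User-Name": "guest"},
                {"User-Name": "alice@example.org", "Stripped-User-Name": "alice"},
                {"User-Name": "a*"}):
        print(expand(FILTER_TEMPLATE, req), "->", search(req))
```
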

Message: 3
From: "Anson Rinesmith" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: Multiple IP Pools with Ascend APX's
Date: Wed, 17 Mar 2004 17:04:05 -0600
Reply-To: [EMAIL PROTECTED]

I'm using freeRadius with MySQL

In radgroupreply,  GroupName, Attribute, op, Value, prio



I have multiple ISP's logging into one RAS. First ISP needs two class C's,
pools 1 and 2. Second ISP needs 3 Class C's, pools 3, 4 & 5. etc...

Therefore I cannot use isp1, X-Ascend-Assign-IP-Pool, :=, 0

Would I have

isp1, X-Ascend-Assign-IP-Pool, :=, 1

isp1, X-Ascend-Assign-IP-Pool, +=, 2

isp2, X-Ascend-Assign-IP-Pool, :=, 3

isp2, X-Ascend-Assign-IP-Pool, +=, 4

isp2, X-Ascend-Assign-IP-Pool, +=, 5

etc..







--__--__--

Message: 4
Date: Wed, 17 Mar 2004 16:22:50 -0700
From: Ryan Ghering <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: accounting detail importing?
Reply-To: [EMAIL PROTECTED]

Does anyone know of a script to import data from livingston radius to
freeradius mysql ?
If so where is the beast and how do I get my hands on it?

Thanks
Ryan



--__--__--

Message: 5
Date: Thu, 18 Mar 2004 10:28:43 +1100
To: [EMAIL PROTECTED]
Subject: Re: CVS install ERROR 2
From: [EMAIL PROTECTED] (Paul Hampson)
Reply-To: [EMAIL PROTECTED]

On Wed, Mar 17, 2004 at 01:58:07PM -0600, Rick Stevens wrote:
> I've tried installing from CVS on a Linux RH 9 box, produced this error.

> c -c rlm_sql_mysql.la /usr/local/lib/rlm_sql_mysql.la
> libtool: install: `rlm_sql_mysql.la' is not a valid libtool archive
> Try `libtool --help --mode=install' for more information.
> gmake[11]: *** [install] Error 1
> gmake[11]: Leaving directory
> `/working/radiusd/src/modules/rlm_sql/drivers/rlm_sql_mysql'
> gmake[10]: *** [common] Error 1
> gmake[10]: Leaving directory `/working/radiusd/src/modules/rlm_sql/drivers'
> gmake[9]: *** [install] Error 2
> gmake[9]: Leaving directory `/working/radiusd/src/modules/rlm_sql/drivers'
> gmake[8]: *** [common] Error 1
> gmake[8]: Leaving directory `/working/radiusd/src/modules/rlm_sql'
> gmake[7]: *** [install-drivers] Error 2
> gmake[7]: Leaving directory `/working/radiusd/src/modules/rlm_sql'
> gmake[6]: *** [install] Error 2
> gmake[6]: Leaving directory `/working/radiusd/src/modules/rlm_sql'
> gmake[5]: *** [common] Error 1
> gmake[5]: Leaving directory `/working/radiusd/src/modules'
> gmake[4]: *** [install] Error 2
> gmake[4]: Leaving directory `/working/radiusd/src/modules'
> gmake[3]: *** [common] Error 1
> gmake[3]: Leaving directory `/working/radiusd/src'
> gmake[2]: *** [install] Error 2
> gmake[2]: Leaving directory `/working/radiusd/src'
> gmake[1]: *** [common] Error 1
> gmake[1]: Leaving directory `/working/radiusd'
> make: *** [install] Error 2

I think the important parts of the error are the lines right above
where you cut the output...

However, at a guess, check your versions of autoconf and libtool...

--
Paul "TBBle" Hampson, on an alternate email client

Checked the versions of the modules you mentioned: Autoconf-2.57-3 and
libtool-1.4.3-5.
Should they be updated? (The .9.3 version had no problems during compile or install.)


--__--__--

Message: 6
From: Albers Darren <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD
Date: Wed, 17 Mar 2004 21:52:55 -0500
Reply-To: [EMAIL PROTECTED]

Steve,

Can you post the ldap section of your radiusd.conf, editing out your DC info
of course.

Thanks,
Darren

  _____

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve
OBrien
Sent: Wednesday, March 17, 2004 5:21 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD



Well it still seems not to be working.  And I could not find your other
article, I searched for radiusd.conf and your name and email with no luck.
The output is not helpfull:

Request:

/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = blade1.ci.bend.or.us
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20



Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57

        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request


Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393



Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]


03/17/2004 11:37 AM


Please respond to
[EMAIL PROTECTED]



To
"'[EMAIL PROTECTED]'"
<[EMAIL PROTECTED]>

cc

Subject
RE: Using freeradius to authenticate users to a Windows 2000 AD






With the help of another individual on this list Richard Lucassen we were
able to get it working to authenticate against either a group or against AD
as a whole.  To see an example I posted of just authenticated a user in
general against AD look for another post by me with a sample radiusd.conf.

Here is what Richard and I put together to get group auth working, this may
not be the 100% correct way but it worked for us and if anyone has any
suggestions that would be great.  The comments are my comments and since the
formatting will probably be borked please don't just copy and paste this
into your radiusd.conf:

ldap {
 server = "FDC of your DC"
  #Account in AD with the rights to query ad for the user account
properties, in this example I have an account named freeradius located in
  # my users container in the domain dc.domain.com that I am using to auth.
 identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
  #password of the above account
 password = password
  #Base dn to search from, usually the top of your domain, in this example
it is dc.domain.com
 basedn = "DC=dc,DC=domain,DC=com"
  #This is the search filter to find the users account and then check it's
group membership.  You will see that I used the full path to the
  # group including the conatiner it is located in.  This example is for a
group named RemoteUser in the users container in the domain
  #dc.domain.com
 filter
="(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteU
ser,CN=Users,DC=dc,DC=domain,DC=com))"
 password_attribute = userPassword
 timeout = 4
 timelimit = 3
 net_timeout = 1
 compare_check_items = yes

I commented out the groupmembership stuff, but I am not sure if that was a
bad thing or not.  Eventually I plan on writing this into a quick Howto and
posting it again.

Let me know if this helps or if you have any further questions and again my
thanks to Richard for all his help in getting this working!


 -----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Steve
OBrien
Sent: Wednesday, March 17, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Using freeradius to authenticate users to a Windows 2000 AD


I have seen threads pertaining to this but I cannot seem to get it to work.
I would like to authenticate users via freeradius against a windows 2000 ad
domain using LDAP.  Is this possible if so anyone have a sample config??

TIA,
Steve


**********************************************************************
The information and any files contained in this e-mail message are property
of WestPoint Stevens Inc., its subsidiaries or affiliates, and are intended
only for use of the individual or entity named above. If the reader of this
message is not the intended recipient, or the employee or agent responsible
to deliver it to the intended recipient, you hereby are notified that use,
dissemination, distribution or copying of this information is strictly
prohibited. If you have received this communication in error, please
immediately notify us by return e-mail and destroy the original message.
Thank you.
**********************************************************************


------_=_NextPart_001_01C40C94.1C85D9E6
Content-Type: text/html

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=us-ascii">


<META content="MSHTML 6.00.2800.1400" name=GENERATOR></HEAD>
<BODY>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2>Steve, </FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2>Can you post the ldap section of your radiusd.conf, editing
out your DC info of course.</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2></FONT></SPAN>&nbsp;</DIV>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2>Thanks,</FONT></SPAN></DIV>
<DIV dir=ltr align=left><SPAN class=050235202-18032004><FONT face=Arial
color=#0000ff size=2>Darren</FONT></SPAN></DIV><BR>
<DIV class=OutlookMessageHeader lang=en-us dir=ltr align=left>
<HR tabIndex=-1>
<FONT face=Tahoma size=2><B>From:</B>
[EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] <B>On Behalf Of </B>Steve
OBrien<BR><B>Sent:</B> Wednesday, March 17, 2004 5:21 PM<BR><B>To:</B>
[EMAIL PROTECTED]<BR><B>Subject:</B> RE: Using freeradius to
authenticate users to a Windows 2000 AD<BR></FONT><BR></DIV>
Well it still seems not to be working.  And I could not find your other
article, I searched for radiusd.conf and your name and email with no luck.
The output is not helpful:

Request:

/usr/local/bin/radtest guest "test" localhost 1 testing123
Sending Access-Request of id 104 to 127.0.0.1:1812
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = blade1.ci.bend.or.us
        NAS-Port = 1
rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=104, length=20

Response:
Ready to process requests.
rad_recv: Access-Request packet from host 127.0.0.1:33317, id=104, length=57
        User-Name = "guest"
        User-Password = "test"
        NAS-IP-Address = 255.255.255.255
        NAS-Port = 1
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "eap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "guest", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    users: Matched DEFAULT at 152
  modcall[authorize]: module "files" returns ok for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
modcall: group authorize returns ok for request 0
  rad_check_password:  Found Auth-Type LDAP
auth: type "LDAP"
auth: Failed to validate the user.
Delaying request 0 for 1 seconds
Finished request 0
Going to the next request

Steve O'Brien
City of Bend
Network Administrator
[EMAIL PROTECTED]
541-322-6393

Albers Darren <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/17/2004 11:37 AM
Please respond to [EMAIL PROTECTED]

To:      "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

With the help of another individual on this list, Richard Lucassen, we were
able to get it working to authenticate against either a group or against AD
as a whole.  To see an example I posted of just authenticating a user in
general against AD look for another post by me with a sample radiusd.conf.

Here is what Richard and I put together to get group auth working, this may
not be the 100% correct way but it worked for us and if anyone has any
suggestions that would be great.  The comments are my comments and since the
formatting will probably be borked please don't just copy and paste this
into your radiusd.conf:

ldap {
  server = "FDC of your DC"
  # Account in AD with the rights to query AD for the user account
  # properties, in this example I have an account named freeradius located
  # in my users container in the domain dc.domain.com that I am using to
  # auth.
  identity = "CN=freeradius,CN=Users,DC=dc,DC=domain,DC=com"
  # password of the above account
  password = password
  # Base dn to search from, usually the top of your domain, in this example
  # it is dc.domain.com
  basedn = "DC=dc,DC=domain,DC=com"
  # This is the search filter to find the user's account and then check its
  # group membership.  You will see that I used the full path to the group
  # including the container it is located in.  This example is for a group
  # named RemoteUser in the users container in the domain dc.domain.com
  filter = "(&(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})(memberOf=CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com))"
  password_attribute = userPassword
  timeout = 4
  timelimit = 3
  net_timeout = 1
  compare_check_items = yes
}

I commented out the groupmembership stuff, but I am not sure if that was a
bad thing or not.  Eventually I plan on writing this into a quick Howto and
posting it again.

Let me know if this helps or if you have any further questions and again my
thanks to Richard for all his help in getting this working!

 -----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve OBrien
Sent: Wednesday, March 17, 2004 2:24 PM
To: [EMAIL PROTECTED]
Subject: Using freeradius to authenticate users to a Windows 2000 AD

I have seen threads pertaining to this but I cannot seem to get it to work.
I would like to authenticate users via freeradius against a windows 2000 ad
domain using LDAP.  Is this possible if so anyone have a sample config??

TIA,
Steve
<BR></BODY></HTML>

------_=_NextPart_001_01C40C94.1C85D9E6--
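
Added example (not part of the original messages and not FreeRADIUS code): a Python sketch of how the filter in the ldap block quoted above expands for a request, with the user name escaped per RFC 4515 so that filter metacharacters in it cannot alter the group-membership test. The function names and the sample requests are constructed for illustration.

```python
# Added illustration; not FreeRADIUS source code.
GROUP_DN = "CN=RemoteUser,CN=Users,DC=dc,DC=domain,DC=com"  # group DN from the post

# RFC 4515: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Constructed sample requests (attribute name -> value).
SAMPLES = [
    {"User-Name": "guest"},
    {"User-Name": "guest@dc.domain.com", "Stripped-User-Name": "guest"},
    {"User-Name": "gu*st(1)"},  # metacharacters that must not reach the filter raw
]


def escape_filter_value(value):
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def login_name(request):
    """Mimic %{Stripped-User-Name:-%{User-Name}}: prefer the stripped name."""
    return request.get("Stripped-User-Name") or request["User-Name"]


def build_filter(request, group_dn=GROUP_DN):
    """Return the search filter: account name AND membership of group_dn."""
    user = escape_filter_value(login_name(request))
    # A DN can contain filter metacharacters as well, so escape it too.
    group = escape_filter_value(group_dn)
    return f"(&(sAMAccountName={user})(memberOf={group}))"


def is_balanced(ldap_filter):
    """Cheap sanity check: literal parentheses in the filter nest correctly."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for sample in SAMPLES:
        print(build_filter(sample))
```

Because the group test is part of the same filter, a user who is not in RemoteUser produces an empty search result rather than a separate "not in group" error.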



--__--__--

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


End of Freeradius-Users Digest


