Title: RE: FW: mpd+freeradius+AD

Ok, this is my users file

test    Auth-Type := MS-CHAP
        Framed-IP-Address = 192.168.10.65

DEFAULT Auth-Type := MS-CHAP

And this is the freeradius log when I connect to mpd via the test account:

Login OK: [test/<no User-Password attribute>] (from client localhost port 0 cli 192.168.12.126)

Sending Access-Accept of id 121 to 127.0.0.1 port 49791

        Framed-IP-Address = 192.168.10.65

        MS-CHAP2-Success = 0x01533d42454334303938434341393443383234413844444431463938303641384133453236394441413430

        MS-MPPE-Recv-Key = 0x0bbdc1d49670112e799bd5a86b084808

        MS-MPPE-Send-Key = 0x0df81127464f94a443c13e7e683f5251

        MS-MPPE-Encryption-Policy = 0x00000002

        MS-MPPE-Encryption-Types = 0x00000004

rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139

        NAS-Identifier = "testradius.ion.ru"

        NAS-Port = 0

        NAS-Port-Type = Virtual

        Service-Type = Framed-User

        Framed-Protocol = PPP

        Calling-Station-Id = "192.168.12.126"

        User-Name = "test"

        Framed-IP-Address = 192.168.10.12

        Acct-Status-Type = Start

        Acct-Session-Id = "1652038-pptp0"

        Acct-Multi-Session-Id = "1652038-pptp0"

        Acct-Link-Count = 1

        Acct-Authentic = RADIUS

Sending Accounting-Response of id 119 to 127.0.0.1 port 54511

In this log freeradius says that the account test is OK and that its address is 192.168.10.65. But mpd replaces it with its own. How could I improve it?



-----Original Message-----

From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]

Sent: Thursday, June 29, 2006 7:05 PM

To: Undisclosed.Recipients :

Cc: Егоров Сергей

Subject: Re: FW: mpd+freeradius+AD

On Thursday 29 June 2006 15:28, Егоров Сергей wrote:

> >This is Framed-IP-Address in radius dialect.

>

> Thanks for explaining freeradius basic concepts. I understood, that to

> assign IP to user I should use users freeradius file. But I couldn't

> configure it correctly. Now I have only one line in this file

>

> DEFAULT Auth-Type := MS-CHAP

>

> I've added another string (for user test), but it isn't correct

>

> test   Auth-Type := MS-CHAP,

Try without the comma

run the server in debug mode(radiusd -X)

and use radclient

>        Framed-IP-Address = 192.168.10.65,

>

I think you can put this in AD. Don't know...

> What should I fix?

>

>

> -----Original Message-----

> From: Nikos Vassiliadis [mailto:[EMAIL PROTECTED]]

> Sent: Monday, June 26, 2006 5:09 PM

> To: [email protected]

> Cc: Егоров Сергей

> Subject: Re: mpd+freeradius+AD

>

> On Monday 26 June 2006 14:04, Егоров Сергей wrote:

> > Thanks for reply.

> >

> > > You can use one of the three firewalls available in the base
> > > system (ipfw, ipf and pf), however mpd comes with a small dictionary
> > > that uses ipfw(8) and you can easily define some filter bound to an
> > > interface (bound to a username) via a radius reply attribute, let
> > > filter be a pipe (for bandwidth control) or a packet filtering
> > > expression.

> >

> > That's fine for filtering vpn users access to local net. But how could I

> > assign specific IP for specific user in AD?

> >

> > > Your questions don't clearly tell where your problem is.

> > >Active Directory? mpd? or FreeRADIUS? You should define

> > >them better in order to get help from the list.

> >

> > My goal is to replace VPN server, based on win2003, with FreeBSD one. WIN

> > 2003 can do 1 and 2 in my questions, so I have to realize how to setup

> > this in mpd + freeradius. I already authenticate users from AD group:

> >

> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key

> >                   --username=%{Stripped-User-Name:-%{User-Name:-None}}

> >                   --challenge=%{mschap:Challenge:-00}

> >                   --nt-response=%{mschap:NT-Response:-00}

> >                   --require-membership-of=EXAMPLE+VPN_Allowed".

> >

> > But I have several vpn groups and need to setup timeouts on each one.

>

> setup timeout? This looks like Session-Timeout in radius dialect.

>

> > Also

> > I need to assign a specific IP for a specific user in AD.

>

> This is Framed-IP-Address in radius dialect.

>

> > Looks like

> > FreeRadius should respond for this.

>

> Yes, you have to have basic understanding of what radius is. All of these

> are very basic setup. I don't know how FreeRADIUS interacts with AD and

> what info it should get from AD. So, try searching (or asking) for active

> directory and FreeRADIUS. Keep the mpd part out of it, since it will

> add unneeded complexity. Or perhaps start from setting up mpd and

> FreeRADIUS. And then you could add AD.

>

> A few suggestions, Nikos

>

> -

> List info/subscribe/unsubscribe? See

> http://www.freeradius.org/list/users.html

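A small check for the mismatch described in the message above, added here as an example and not part of the original thread: it pairs the Framed-IP-Address sent in each Access-Accept with the address the NAS reports in the Accounting Start for the same user. It assumes radiusd output in the format quoted above; the function names and the trimmed sample log are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the radiusd output quoted in the message.
SAMPLE_LOG = """\
Login OK: [test/<no User-Password attribute>] (from client localhost port 0 cli 192.168.12.126)
Sending Access-Accept of id 121 to 127.0.0.1 port 49791
        Framed-IP-Address = 192.168.10.65
rad_recv: Accounting-Request packet from host 127.0.0.1:54511, id=119, length=139
        User-Name = "test"
        Framed-IP-Address = 192.168.10.12
        Acct-Status-Type = Start
Sending Accounting-Response of id 119 to 127.0.0.1 port 54511
"""

LOGIN_RE = re.compile(r"^Login OK: \[([^/\]]+)")
ATTR_RE = re.compile(r"^\s+([\w-]+)\s*=\s*(.+?)\s*$")  # indented "Name = value"


def parse_packets(log_text):
    """Yield (header_line, {attribute: value}) for each block of the log."""
    header, attrs = None, {}
    # Archived logs are often double-spaced, so drop blank lines first.
    for line in filter(str.strip, log_text.splitlines()):
        m = ATTR_RE.match(line)
        if m and header is not None:
            attrs[m.group(1)] = m.group(2).strip('"')
        else:
            if header is not None:
                yield header, attrs
            header, attrs = line.strip(), {}
    if header is not None:
        yield header, attrs


def find_ip_mismatches(log_text):
    """Return [(user, ip_in_accept, ip_in_acct_start)] where the two differ."""
    assigned, pending_user, mismatches = {}, None, []
    for header, attrs in parse_packets(log_text):
        login = LOGIN_RE.match(header)
        if login:
            # The Access-Accept that follows carries no User-Name of its own.
            pending_user = login.group(1)
        elif header.startswith("Sending Access-Accept") and pending_user:
            if "Framed-IP-Address" in attrs:
                assigned[pending_user] = attrs["Framed-IP-Address"]
            pending_user = None
        elif header.startswith("rad_recv: Accounting-Request"):
            user, ip = attrs.get("User-Name"), attrs.get("Framed-IP-Address")
            if attrs.get("Acct-Status-Type") == "Start" and user in assigned and ip != assigned[user]:
                mismatches.append((user, assigned[user], ip))
    return mismatches
```

On the sample, `find_ip_mismatches(SAMPLE_LOG)` reports user test with 192.168.10.65 in the Access-Accept and 192.168.10.12 in the Accounting Start, which places the substitution on the NAS side rather than in the users file.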