Yum install freeradius2-ldap

Cheers,
Harry

From: freeradius-users-bounces+hhoffman=ip-solutions....@lists.freeradius.org [mailto:freeradius-users-bounces+hhoffman=ip-solutions.net@lists.freeradius.org] On Behalf Of Usuário do Sistema
Sent: Wednesday, March 09, 2011 2:39 PM
To: [email protected]
Cc: [email protected]
Subject: Re: Freeradius 2

Hello everyone,

I've installed freeradius2-2.1.7-7.el5 via yum, but I can't find the ldap directory under /etc/raddb/. Do I have to create it, or install another package?

Thanks!

2011/3/5 <[email protected]>

Today's Topics:

  1. Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2) (Phil Mayers)
  2. Re: Freeraidus 2 (Gary Gatten)
  3. Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2) (James J J Hooper)
  4. RE: mschap with ntlm_auth and Active Directory (McNutt, Justin M.)
  5. Re: MS-CHAP-V2 with no retry (Alan DeKok)
  6. Re: Hopefully quick question: conditional processing sneaking in and setting Auth-Type (Alan DeKok)
  7. Re: Freeraidus 2 (Alan Buxey)

----------------------------------------------------------------------

Message: 1
Date: Sat, 05 Mar 2011 00:45:43 +0000
From: Phil Mayers <[email protected]>
Subject: Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
To: [email protected]
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed

On 03/05/2011 12:21 AM, Gary Gatten wrote:
> I kinda like your caching idea, but not sure of any security
> implications.

It's not a workable idea. MSCHAP responses are specific to the 8-byte random challenge, which is different every time. You can't cache them.

> I have (2) FR servers (each pointing to different DC) and my NAS's
> are configured to use both. But, iirc if AD is down on the backend
> FR still replies (with something) so the NAS never rolls over to the
> other FR server.

Yes, this is a bad idea. Just configure samba to autodiscover the AD controllers. Winbind will cache connections and open new ones when the old ones go away.

> So, I thought about some script that would use ntlm_auth every...n
> seconds, if it fails kill FR process (or use FR policy to act dead).
> When it starts working again, restart FR. This should make the NAS
> roll to the next FR server.

That might work, but it seems like a sledgehammer to crack a nut.

> What about OpenLDAP on the FR server that's "refreshed" / sync'd to
> the winblows/AD? I've never tried this but assume it's doable.

It's not possible. AD controllers will only sync to other AD controllers. At some point in the future, Samba 4 might be able to slave the LDAP database of an AD controller, but it's purely theoretical at the moment I think.

------------------------------

Message: 2
Date: Fri, 4 Mar 2011 18:54:44 -0600
From: Gary Gatten <[email protected]>
Subject: Re: Freeraidus 2
To: "'[email protected]'" <[email protected]>
Message-ID: <27487_1299286485_4D7189D5_27487_3768_1_D9B37353831173459FDAA836D3B43499BD35 [email protected]>
Content-Type: text/plain; charset="utf-8"

Try ../sites-enabled/default; or if *eap requests it would be inner-tunnel - I think...

From: Paulo Maia [mailto:[email protected]]
Sent: Friday, March 04, 2011 06:43 PM
To: FreeRadius users mailing list <[email protected]>
Subject: Re: Freeraidus 2

Did you compile it, or install it via yum? It is usually in $RADIUSDIR/modules/ldap

Regards,

2011/3/4 Usuário do Sistema <[email protected]<mailto:[email protected]>>

Hello everyone,

I'm Maicon from Brazil. I'm in a project with Freeradius. I want to deploy certificate-based authentication (EAP-TLS) for my wireless users, but I'm finding it difficult. Is there a good how-to for version 2? I started with version 1.x but decided to change to version 2, and I'm not finding where I set the LDAP connection. In the older version it was inside radiusd.conf. Can anybody help me? Thanks!

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

------------------------------

Message: 3
Date: Sat, 05 Mar 2011 01:17:54 +0000
From: James J J Hooper <[email protected]>
Subject: Re: Caching techniques with ntlm_auth usage? (EAP-PEAP-MSchapV2)
To: FreeRadius users mailing list <[email protected]>
Message-ID: <403FF343B2CCD5B162F64B80@[172.16.13.237]>
Content-Type: text/plain; charset=us-ascii; format=flowed

--On 04 March 2011 12:34 -0500 John Douglass <[email protected]> wrote:
> Group,
>
> Recently, my AD servers were patched by another support group and this
> caused a (small but noticeable) service outage for our WPA radius
> services (Radius 2.1.9)

I can think of two things to investigate:

* Recent Samba can do winbind credential caching IIRC - I haven't experimented with this so I'm not sure if it will work for this application.

* Enable Fast Session Resumption: <https://github.com/alandekok/freeradius-server/blob/master/raddb/modules/eap#L312> ... We dropped the hits on our DCs by > 40% by doing this. N.B. Resumed sessions will not touch your inner-tunnel config, so you have to make sure that you pay attention when (re-)assigning VLANs / other returned attributes based on username.

-James

--
James J J Hooper
Network Specialist, University of Bristol
http://www.wireless.bristol.ac.uk
--

------------------------------

Message: 4
Date: Fri, 4 Mar 2011 21:05:46 -0600
From: "McNutt, Justin M." <[email protected]>
Subject: RE: mschap with ntlm_auth and Active Directory
To: FreeRadius users mailing list <[email protected]>
Message-ID: <0a99e1da688c7a4796a68b3bc4f74b793ce60e7...@um-email04.um.umsystem.edu>
Content-Type: text/plain; charset="us-ascii"

> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> > root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd
> > NT_STATUS_OK: Success (0x0)
> >
> > The password Pa$$w0rd is set in the Wireless Controller, if that's what you
> > mean by mschap client?

May I suggest two things:

1) I'm assuming that the password is not actually 'Pa$$w0rd', but that string reminds me that certain special characters - the dollar sign is a notable one - are not always handled correctly in password strings. Even if FreeRADIUS is handling it correctly, AD may not, and the wireless controller may not. I suggest setting the password to something simpler. If your password policy requires special characters, use dash, equals, underscore, or dot. I have used passwords with these characters successfully when authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth. (Same chain as you.)

2) Even if you are confident that your real password's characters are not a problem, re-enter it on the wireless controller, MANUALLY. You may have accidentally entered an unprintable character or a space or some similar thing that causes the password to APPEAR to be correct, when in fact it doesn't match.

--J

------------------------------

Message: 5
Date: Sat, 05 Mar 2011 07:23:54 +0100
From: Alan DeKok <[email protected]>
Subject: Re: MS-CHAP-V2 with no retry
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=ISO-8859-1

[email protected] wrote:
> 1) In freeradius version 2.1.10 and older (at least 1.1.7) there was
> a bug in that when there was a PW_EAP_MSCHAPV2_FAILURE there was
> a response sent back to the client but there was no message in the
> response.

  It's more complicated. The server would send EAP-Failure, and nothing else.

> 2) The patch given resolves that problem - giving the message
> of the rlm_mschap.c module of E=691 R=1

  On closer inspection, the patch doesn't resolve anything. It still sends an EAP-Failure. It should instead send an EAP-Response with EAP-MSCHAPv2-Failure, and the "E=691 R=1" failure code. After the client has ACKed that, it should *then* send EAP-Failure.

  i.e. fixing it is likely a fair bit more work.

> 3) It is possible to configure in radius.conf the message on failure by:

  No. That sends back an MS-CHAP-Error. The code has to package that MS-CHAP-Error into an EAP sub-type, and send it back to the client in an *additional* request/response round trip, before finally sending EAP-Failure.

  Alan DeKok.
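As an added illustration of the extra round trip Alan describes (constructed example code, not FreeRADIUS's rlm_mschap or rlm_eap), the following builds and parses the EAP-MSCHAPv2 Failure Request that carries the MS-CHAP-Error string ("E=691 R=1 ..."), the client's Failure Response that acknowledges it, and the EAP-Failure that is only sent afterwards. Packet layouts follow RFC 3748, RFC 2759 section 6 and the EAP-MSCHAPv2 draft; the identifier, challenge and message values are made up.

```python
import re
import struct

# Added example, not FreeRADIUS code. Constants per RFC 3748 (EAP codes),
# draft-kamath-pppext-eap-mschapv2 (Type 26, OpCodes) and RFC 2759 (error string).
EAP_REQUEST, EAP_RESPONSE, EAP_SUCCESS, EAP_FAILURE = 1, 2, 3, 4
EAP_TYPE_MSCHAPV2 = 26
OPCODE_FAILURE = 4


def mschap_error(code=691, retry=1, auth_challenge=bytes(16), version=3, msg="Authentication failed"):
    """Format the MS-CHAP-Error string: E=<code> R=<retry> C=<32 hex> V=<version> M=<text>."""
    return f"E={code} R={retry} C={auth_challenge.hex().upper()} V={version} M={msg}"


def build_failure_request(eap_id, mschap_id, message):
    """Server -> client: EAP-Request / Type 26 / OpCode 4 carrying the error string."""
    body = message.encode("ascii")
    ms_len = 4 + len(body)                 # OpCode + MS-CHAPv2-ID + MS-Length + message
    payload = struct.pack("!BBH", OPCODE_FAILURE, mschap_id, ms_len) + body
    length = 5 + len(payload)              # Code + Identifier + Length + Type + payload
    return struct.pack("!BBHB", EAP_REQUEST, eap_id, length, EAP_TYPE_MSCHAPV2) + payload


def build_failure_response(eap_id):
    """Client -> server ACK: EAP-Response / Type 26 / OpCode 4, nothing else."""
    return struct.pack("!BBHBB", EAP_RESPONSE, eap_id, 6, EAP_TYPE_MSCHAPV2, OPCODE_FAILURE)


def build_eap_failure(eap_id):
    """Final EAP-Failure; sent only after the client has ACKed the Failure Request."""
    return struct.pack("!BBH", EAP_FAILURE, eap_id, 4)


def parse_failure_request(pkt):
    """Decode a Failure Request and its E/R/C/V/M fields; None if malformed or another packet."""
    if len(pkt) < 9:
        return None
    code, eap_id, length, eap_type, opcode, mschap_id, ms_len = struct.unpack("!BBHBBBH", pkt[:9])
    if (code, eap_type, opcode) != (EAP_REQUEST, EAP_TYPE_MSCHAPV2, OPCODE_FAILURE):
        return None
    if length != len(pkt) or ms_len != len(pkt) - 5:   # both length fields must agree
        return None
    m = re.match(r"E=(\d+) R=([01]) C=([0-9A-Fa-f]{32}) V=(\d+) M=(.*)$",
                 pkt[9:].decode("ascii", "replace"))
    if not m:
        return None
    return {"eap_id": eap_id, "mschap_id": mschap_id, "E": int(m[1]), "R": int(m[2]),
            "C": m[3], "V": int(m[4]), "M": m[5]}


if __name__ == "__main__":
    req = build_failure_request(7, 3, mschap_error(msg="bad password"))
    print(parse_failure_request(req))          # the client ACKs this ...
    print(build_failure_response(7).hex())     # ... and only then gets
    print(build_eap_failure(8).hex())          # the bare EAP-Failure
```

Retry is only possible for the client because it sees "R=1" inside the Failure Request before the EAP-Failure arrives; a server that skips straight to EAP-Failure gives it nothing to act on.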
------------------------------

Message: 6
Date: Sat, 05 Mar 2011 07:38:15 +0100
From: Alan DeKok <[email protected]>
Subject: Re: Hopefully quick question: conditional processing sneaking in and setting Auth-Type
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=UTF-8

Gary Gatten wrote:
> I can't find where this conditional processing is happening. I have two
> FR servers with 'nearly' the same config. Auth works on one, but not
> the other:

  Posting 2-3 lines of debug output doesn't help.

  Alan DeKok.

------------------------------

Message: 7
Date: Sat, 5 Mar 2011 09:44:15 +0000
From: Alan Buxey <[email protected]>
Subject: Re: Freeraidus 2
To: FreeRadius users mailing list <[email protected]>
Message-ID: <[email protected]>
Content-Type: text/plain; charset=us-ascii

hi,

the details for your LDAP in 2.x go into $RADDB/modules/ldap

in 2.x most of the stuff was broken out of radiusd.conf and put into either modules/* or sites-available/*

if you want a particular feature, then configure the module file, configure the sites-available file. module files are pulled in by default, but to activate a 'site' you need to ensure it's in the sites-enabled/ directory (a few 'sites' files are symlinked there by default... eg default, inner-tunnel .....)

alan

------------------------------

End of Freeradius-Users Digest, Vol 71, Issue 32

