unsubscribe

Thanks for all the help guys, I'm no longer using FreeRADIUS at work. Big thanks to everyone (excluding Alan DeKok, sorry we had our diff). Take it easy.

unsubscribe

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Re: Recommended switches for dynamic VLANs

Thanks very much for that information, shall follow up on it :)

On 7/13/07, [EMAIL PROTECTED] wrote:
> Jacob
>
> I use ProCurve switches and I'm quite happy with them. Price is almost half of Cisco prices (and lifetime warranty). (Although I have already seen Cisco match HP prices for large purchases if you mention ProCurve.) Until the previous firmware version they even supported Cisco p protocols (and open standard). Now they moved to open standards.
>
> regards,
> Stieven Struyf
> M.I.S. Division - System Operations
> Komatsu Europe International NV
> Mechelsesteenweg 586
> B-1800 Vilvoorde
> [EMAIL PROTECTED]
> Tel. +32 (0)2 2552551
>
> The question of whether a computer can think is no more interesting than the question of whether a submarine can swim. -- E. W. Dijkstra
>
> Jacob Jarick [EMAIL PROTECTED]
> Sent by: freeradius-users-bounces+stieven.struyf=[EMAIL PROTECTED]
> 13-07-07 06:35
> Please respond to FreeRadius users mailing list freeradius-users@lists.freeradius.org
> To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
> cc:
> Subject: Recommended switches for dynamic VLANs
>
>> Can anyone recommend a brand / model of wireless switches that will support dynamic VLANs? I finally have FreeRADIUS working very nicely, just need to (hopefully) find an inexpensive solution for the hardware side. I am currently looking into the OpenWrt distro to see if that will provide dynamic VLANs.
>>
>> Thanks for all the help guys, wouldn't have gotten FreeRADIUS set up without this mailing list, that's for sure.
>
> This e-mail is property of the company and is supposed to contain only professional content. The company can at all times consult the content of this e-mail and the reply to this e-mail. By replying to this e-mail, you confirm your explicit agreement with the preceding.
Re: ldap auth based on user acc and dialupaccess attr

On 7/11/07, Alan Walters [EMAIL PROTECTED] wrote:
> On Tue, 2007-07-10 at 10:34 +0100, [EMAIL PROTECTED] wrote:
>>> I'm currently trying to set up FR to authenticate a user / machine regardless of password .. In the end I hope to have the LDAP check if dialup access is allowed, if it is then check if user / pass is correct via NTLM.
>>
>> This makes no sense. If you are going to authenticate users regardless of the password (based on that dialup flag), what is the point in checking passwords with ntlm_auth (or LDAP)?
>
> I think the point of this is you can use the flag to disable access to the account without changing the password.

Yes, that's what I am after; this way users can still log into the domain on a wired connection but wireless access will be controlled by the dialupAccess attribute.

If dialup access is off, don't auth. If it is on, check password. If password is right, auth.

>> dialup access should be TRUE or FALSE though
>>
>> Ivan Kalik
>> Kalik Informatika ISP
Re: FR + AD host/ machine/ workstation authentication

If you wish to split hairs over a single line in my email that you purposefully skewed the meaning of, by all means be that guy. Should you have anything constructive at all to offer the conversation please do; however, petty criticisms are not welcome.

On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> Not every comment / criticism about FreeRADIUS is a veiled insult at you or your work Alan (rolls eyes). Saying the radiusd.conf is touchy is a fair call, since it is, and most people offering help warn / suggest about changing 1 line at a time.
>
> Saying the configuration file is touchy is an admission that you don't understand how it works, and that you don't have a methodical approach to changing it. The recommendations aren't to change a line at a time. The recommendations are to have a methodical approach to creating a new configuration. And to read the documentation.
>
> Alan DeKok.
Re: FR + AD host/ machine/ workstation authentication

Fussy config file = petty criticism? If so, deal with it; you will hear far worse, I'm sure. Why not be honest and admit that all you're really after is to continue the conflict we had several months ago? So can we drop it please? If nothing else this is counterproductive. I'm very surprised you're still upset from the previous clash, which I had let lie. To be still looking for conflict after all this time is quite sad.

So there is no misunderstanding:

* The FreeRADIUS configs are the touchiest, fussiest config files I have ever dealt with; this in no way reflects on the product itself. It is just a very steep learning curve. I also am aware that most of the complexity is due to it supporting many many protocols and backends.
* FreeRADIUS documentation is lacking (it's a common thing for OSS projects). That is a statement, not a shot at any of the howto writers. Again I do realise that this is due to the diversity of the project (many different possible configurations). I will gladly help document my current setup once finalized.
* I despise people whose only purpose in a thread is to be an obnoxious self-important git. To clarify, on this most recent occasion that would be you Alan, though I have seen you be very helpful on other threads. The last thing a frustrated user who has been making an honest attempt needs to hear is "you're an idiot, RTFM, upgrade, etc." - paraphrasing of course.

On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> If you wish to split hairs over a single line in my email that you purposefully skewed the meaning of, by all means be that guy. Should you have anything constructive at all to offer the conversation please do; however, petty criticisms are not welcome.
>
> So why do you engage in petty criticisms of FreeRADIUS?
>
> Alan DeKok.
Re: FR + AD host/ machine/ workstation authentication

My 2nd comment was referring to my current project (NTLM auth + conditional auth if LDAP field dialupaccess = 1).

On 7/9/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> On 7/9/07, Alan DeKok [EMAIL PROTECTED] wrote:
>> Jacob Jarick wrote:
>>> Fussy config file = petty criticism?
>>
>> When it's clear that you aren't following the documentation or recommended methods, yes.
>
> Yes, I do indeed follow the documentation, but alas this is another tired argument you seem bent on dredging up, so you can either repeat yourself yet again or stop calling me a liar. Mailing list / forum questions are always the end result of a lot of research on my end that hasn't yielded the needed information. Sometimes I may miss something obvious; for that I am so sorry, I am but a mere human. Rest assured I always try to double and triple check my work; it is a habit I have used for many years to compensate for my dyslexia. Recommended methods are exactly what I'm after; currently there are none listed in your wiki, howtos etc. for this particular setup.
>
>>> * I despise people whose only purpose in a thread is to be an obnoxious self-important git.
>>
>> As opposed to someone who offers gratuitous slams at a product, and then asks for help? Try that with a mechanic: "The last repair you did was shoddy. Can you fix my car now?" A mechanic would use choicer words than I have used. Or, he'd smile, do the repair, and purposefully break something else so that you'd have to come in again, and again... If you're going to ask for help, don't insult the people and the project in the same message. My purpose in being a self important git is to point out that your posts are rude. I recognize that you are offended by that.
>>
>> Alan DeKok.
ldap auth based on user acc and dialupaccess attr

Hello,

I'm currently trying to set up FR to authenticate a user / machine regardless of password, provided that the account exists and that DialupAccess = 1. I'm a bit stuck atm because I do not know how to ignore the passwd failing the LDAP check. In the end I hope to have the LDAP check if dialup access is allowed, if it is then check if user / pass is correct via NTLM. Once I have LDAP working as I want it to then I will add NTLM auth.

Running Gentoo with 2.6.20 kernel, freeradius 1.1.6, Windows 2003 server.

radiusd.conf
Re: ldap auth based on user acc and dialupaccess attr

Forgot to paste the radiusd.conf URL - http://pastebin.ca/611795

On 7/10/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Hello,
>
> I'm currently trying to set up FR to authenticate a user / machine regardless of password, provided that the account exists and that DialupAccess = 1. I'm a bit stuck atm because I do not know how to ignore the passwd failing the LDAP check. In the end I hope to have the LDAP check if dialup access is allowed, if it is then check if user / pass is correct via NTLM. Once I have LDAP working as I want it to then I will add NTLM auth.
>
> Running Gentoo with 2.6.20 kernel, freeradius 1.1.6, Windows 2003 server.
>
> radiusd.conf
Re: FR + AD host/ machine/ workstation authentication

> If it's not clear, you don't understand how the configuration files work.

Well yes Alan, that's why I was asking for help on the subject. If I was 100% on the subject I wouldn't request confirmation or information, would I?

> Ah, yes. There's nothing quite like asking for help and insulting the project in the same message.

Not every comment / criticism about FreeRADIUS is a veiled insult at you or your work Alan (rolls eyes). Saying the radiusd.conf is touchy is a fair call, since it is, and most people offering help warn / suggest about changing 1 line at a time.

On 7/6/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> This URL here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to
>
> If it's not clear, you don't understand how the configuration files work.
>
>> and we all know how touchy the radiusd.conf file is.
>
> Ah, yes. There's nothing quite like asking for help and insulting the project in the same message.
>
> Alan DeKok.
Re: FR + AD host/ machine/ workstation authentication

Phil, A.L.: Thanks a lot for this new information. I have to rebuild my network again (big shift around at work) and test again.

On 7/7/07, Phil Mayers [EMAIL PROTECTED] wrote:
> As per my previous emails, you can see the rlm_mschap is doing the expansion correctly without Novell's hack:
>
>   modcall: entering group MS-CHAP for request 6
>   rlm_mschap: No User-Password configured. Cannot create LM-Password.
>   rlm_mschap: No User-Password configured. Cannot create NT-Password.
>   rlm_mschap: Told to do MS-CHAPv2 for host/Andy.admin.internal with NT-Password
>   radius_xlat: Running registered xlat function of module mschap for string 'User-Name'
>   radius_xlat: '--username=Andy$'
>   radius_xlat: Running registered xlat function of module mschap for string 'NT-Domain'
>   radius_xlat: '--domain=admin'
>   radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
>   mschap2: a1
>   radius_xlat: '--challenge=d86cb80cb2cc9af6'
>   radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
>   radius_xlat: '--nt-response=7010e83a5b08ff6401e35e1f5916396538272a88a162a194'
>   Exec-Program output: NT_KEY: 18B3A6F684E6D9218D8F63B68904C2D2
>   Exec-Program-Wait: plaintext: NT_KEY: 18B3A6F684E6D9218D8F63B68904C2D2
>
> ...and your radius server sends an accept:
>
>   Sending Access-Accept of id 238 to 10.10.60.100 port 1645
>     MS-MPPE-Recv-Key = 0xbba590b48209b4e284f1b69dc04d04c0db3b2e5f487e30c9b2554d3e9b14c8c3
>     MS-MPPE-Send-Key = 0xa41125592b9aab7510bfcee91fb53cb91bf49fba67a0ad95879538526a78edff
>     EAP-Message = 0x030b0004
>     Message-Authenticator = 0x
>     User-Name = host/Andy.admin.internal
>   Finished request 8
>
> If your machine isn't on the network at this point, the problem lies with your NAS, not FreeRadius. I would investigate there.
>
> I see it's wireless - what type of AP? Looks like a Cisco to me.
Re: Freeradius Auth via LDAP against Active Directory Server 2003

Ryan, I am now actually in the process of implementing your method: auth via NTLM, retrieve attributes via LDAP (group, dialup_access, etc). Can you suggest some reading or point me in the right direction? ATM I have ntlm and ldap configured and ntlm (hoping it might just work :P and for testing). If I comment out line 1566 it auths the machine but ignores the dialup attribute. All I need is a module to deny / override a user's authentication if the dialup attribute isn't set. Thanks in advance.

On 5/2/07, Ryan Kramer [EMAIL PROTECTED] wrote:
> You can take care of #1 by still doing LDAP to AD for the groups, but using ntlm for the password authentication. This seems counterproductive, unless you are using a backside encryption where you need to do it that way, which is what I ended up having to do.
>
> On 4/30/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>> Thanks for the tip Ryan but I have been down that road and 2 reasons stopped me:
>> 1 - no way of retrieving LDAP groups
>> 2 - Been requested not to have Samba on the machine.
>> ntlm_auth was very straightforward for me because it supports all the encryption methods.
>>
>> On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
>>> Depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight LDAP. This requires the freeradius machine to be a member of the domain, but once you do that it works great.
>>>
>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>> OK tried with 1.1.4 and yerp, works great.
>>>> radiusd -X output: http://pastebin.ca/464153
>>>> radiusd.conf: http://pastebin.ca/464156
>>>> I also realised a mistake I have been making: see, I want to search the whole Active Directory, hence I kept setting my basedn without an OU. After seeing your excellent example and auth'ing had failed, I stuck in an OU and tried a user from the OU and it worked fine. So my question is this: to auth people from multiple OUs do I create a new ldap module for each OU or is there a simpler way?
>>>> Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for Monday will be setting up the Cisco and wireless clients now :)
>>>>
>>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>>> radiusd.conf: http://pastebin.ca/464133
>>>>> radius -X output: http://pastebin.ca/464138
>>>>> Tried with 1.1.6 and fails with this error:
>>>>>   rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
>>>>>   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
>>>>>   rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
>>>>>   radiusd.conf[540]: ldap: Module instantiation failed.
>>>>>   radiusd.conf[586] Unknown module ldap.
>>>>>   radiusd.conf[586] Failed to parse ldap entry.
>>>>> - /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>>>>>   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
>>>>>   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
>>>>> I assume the permissions are correct, as it was installed by rpm. I'm building the 1.1.4 rpm now, will report back once done.
>>>>>
>>>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>>>> Thanks for the very detailed instructions. I will attempt this shortly (brought rad AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.
>>>>>>
>>>>>> On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
>>>>>>> I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4.
>>>>>>>
>>>>>>> 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
>>>>>>>   SEARCHDN=the DN of the account
>>>>>>>   SEARCHPW=the password
>>>>>>>   BASEDN=the DN below which all your accounts live in AD
>>>>>>>   ADHOST=hostname of the AD controller you'll search against
>>>>>>> For example, these might be:
>>>>>>>   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
>>>>>>>   SEARCHPW=blahblah
>>>>>>>   BASEDN=OU=My Site,DC=mysite,DC=com
>>>>>>> 2. Next, take the default radiusd.conf
>>>>>>> 3. Find the start of the modules section:
>>>>>>>   modules {
>>>>>>>   ...
>>>>>>> Delete this line and all the following lines
>>>>>>> 4. Insert the following config:
>>>>>>>   modules {
>>>>>>>     ldap {
>>>>>>>       server = $ADHOST
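The gating this thread keeps circling (LDAP decides whether the account may dial in, ntlm_auth checks the password, one ldap instance searching every OU from the domain root) written out as FreeRADIUS 1.1.x configuration. This is an added example, not the config from the thread or its pastebin links; the DC hostname, bind DN and password and the domain are made-up placeholders, and the dialupAccess gate relies on rlm_ldap's `access_attr` semantics (reject when the attribute is absent or its value begins with FALSE).

```conf
# Added example (not the thread's own radiusd.conf): FreeRADIUS 1.1.x
# fragment in which LDAP gates on the dial-in flag and ntlm_auth checks
# the password. Host, bind DN/password and domain are placeholders.
modules {
	ldap {
		server = "dc1.example.internal"                              # placeholder DC
		# Use a dedicated, read-only account for the bind; it never needs
		# write rights and its password sits in clear text in this file.
		identity = "CN=freeradius,OU=Users,DC=example,DC=internal"   # placeholder
		password = "change-me"                                       # placeholder
		# Search from the domain root so one instance covers every OU;
		# no extra ldap module per OU is needed.
		basedn = "DC=example,DC=internal"
		# %{mschap:User-Name} turns "host/Andy.admin.internal" into "Andy$"
		# and strips a DOMAIN\ prefix, so one filter matches machine and
		# user accounts by sAMAccountName.
		filter = "(sAMAccountName=%{mschap:User-Name:-%{User-Name}})"
		dictionary_mapping = ${raddbdir}/ldap.attrmap
		# The gate. With access_attr_used_for_allow = yes, rlm_ldap returns
		# userlock (an Access-Reject) when the attribute is missing or its
		# value starts with "FALSE"; any other value (1, TRUE, ...) passes.
		# On AD the account's dial-in tab writes msNPAllowDialin = TRUE/FALSE.
		access_attr = "dialupAccess"
		access_attr_used_for_allow = yes
		ldap_connections_number = 5
		timeout = 4
		timelimit = 3
		net_timeout = 1
	}
	mschap {
		# Password verification is delegated to winbind's ntlm_auth, using
		# the same mschap xlats as the ldap filter above (placeholder domain).
		use_mppe = yes
		require_encryption = yes
		require_strong = yes
		with_ntdomain_hack = yes
		ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name:-None} --domain=%{mschap:NT-Domain:-EXAMPLE} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
	}
	# eap { ... } with peap/mschapv2 stays as in the AD integration HOWTO.
}

authorize {
	preprocess
	mschap
	suffix
	eap
	# ldap is listed ONLY here. It never checks the password (no
	# "Auth-Type := LDAP" anywhere, and ldap is absent from authenticate);
	# it looks the account up and applies the access_attr check. A userlock
	# from it ends the request before any password check runs, which is the
	# "flag off -> no auth; flag on -> check password" ordering asked for.
	ldap
	files
}

authenticate {
	Auth-Type MS-CHAP {
		mschap
	}
	eap
}
```

With PEAP the check runs against the outer identity (host/... for machine auth), so `radiusd -X` shows the rlm_ldap "dialup access disabled" line before any MS-CHAP work when the flag is off.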
FR + AD host/ machine/ workstation authentication

I'm after some documentation on setting up host authentication on FreeRADIUS (or an example config). This URL here looks like what I need: http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to, and we all know how touchy the radiusd.conf file is.

My files are configured according to this howto: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO and user authentication is working fine. I need host/ machine authentication for laptops that will connect wirelessly to a domain (- need machine auth) before logon.

Thanks in advance.
Re: FR + AD host/ machine/ workstation authentication

EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 7
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/mschapv2
  rlm_eap: processing type mschapv2
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 7
modcall: leaving group authenticate (returns ok) for request 7
  PEAP: Tunneled authentication was successful.
  rlm_eap_peap: SUCCESS
  modcall[authenticate]: module eap returns handled for request 7
modcall: leaving group authenticate (returns handled) for request 7
Sending Access-Challenge of id 237 to 10.10.60.100 port 1645
  EAP-Message = 0x010b00261900170301001b06cc271b7548a332478a374812dfd4d32259c6a408fe83593e883f
  Message-Authenticator = 0x
  State = 0x611781a98805ebe2fff178d0af7f3e73
Finished request 7
Going to the next request
Waking up in 6 seconds...
rad_recv: Access-Request packet from host 10.10.60.100:1645, id=238, length=196
  User-Name = host/Andy.admin.internal
  Framed-MTU = 1400
  Called-Station-Id = 001b.d526.8210
  Calling-Station-Id = 0040.96a1.f472
  Service-Type = Login-User
  Message-Authenticator = 0xac0657f2fbdcafe9e281ff37aa937856
  EAP-Message = 0x020b00261900170301001bfccca09312fe89c03d3dc8a9a4a5e1b7ab536489f14fa304840ee6
  NAS-Port-Type = Wireless-802.11
  NAS-Port = 534
  State = 0x611781a98805ebe2fff178d0af7f3e73
  NAS-IP-Address = 10.10.60.100
  NAS-Identifier = TESTAP
Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 8
  modcall[authorize]: module preprocess returns ok for request 8
  modcall[authorize]: module chap returns noop for request 8
  modcall[authorize]: module mschap returns noop for request 8
  rlm_realm: No '@' in User-Name = host/Andy.admin.internal, looking up realm NULL
  rlm_realm: No such realm NULL
  modcall[authorize]: module suffix returns noop for request 8
  rlm_eap: EAP packet type response id 11 length 38
  rlm_eap: No EAP Start, assuming it's an on-going EAP conversation
  modcall[authorize]: module eap returns updated for request 8
  users: Matched entry DEFAULT at line 154
  modcall[authorize]: module files returns ok for request 8
modcall: leaving group authorize (returns updated) for request 8
rad_check_password: Found Auth-Type EAP
auth: type EAP
Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 8
  rlm_eap: Request found, released from the list
  rlm_eap: EAP/peap
  rlm_eap: processing type peap
  rlm_eap_peap: Authenticate
  rlm_eap_tls: processing TLS
  eaptls_verify returned 7
  rlm_eap_tls: Done initial handshake
  eaptls_process returned 7
  rlm_eap_peap: EAPTLS_OK
  rlm_eap_peap: Session established. Decoding tunneled attributes.
  rlm_eap_peap: Received EAP-TLV response.
  rlm_eap_peap: Tunneled data is valid.
  rlm_eap_peap: Success
  rlm_eap: Freeing handler
  modcall[authenticate]: module eap returns ok for request 8
modcall: leaving group authenticate (returns ok) for request 8
Sending Access-Accept of id 238 to 10.10.60.100 port 1645
  MS-MPPE-Recv-Key = 0xbba590b48209b4e284f1b69dc04d04c0db3b2e5f487e30c9b2554d3e9b14c8c3
  MS-MPPE-Send-Key = 0xa41125592b9aab7510bfcee91fb53cb91bf49fba67a0ad95879538526a78edff
  EAP-Message = 0x030b0004
  Message-Authenticator = 0x
  User-Name = host/Andy.admin.internal
Finished request 8
Going to the next request
Waking up in 6 seconds...
--- Walking the entire request list ---
Cleaning up request 0 ID 230 with timestamp 468de237
Cleaning up request 1 ID 231 with timestamp 468de237
Cleaning up request 2 ID 232 with timestamp 468de237
Cleaning up request 3 ID 233 with timestamp 468de237
Cleaning up request 4 ID 234 with timestamp 468de237
Cleaning up request 5 ID 235 with timestamp 468de237
Cleaning up request 6 ID 236 with timestamp 468de237
Cleaning up request 7 ID 237 with timestamp 468de237
Cleaning up request 8 ID 238 with timestamp 468de237
Nothing to do. Sleeping until we see a request.

--
On 7/6/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> I'm after some documentation on setting up host authentication on FreeRADIUS (or an example config). This URL here looks like what I need: http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to, and we all know how touchy the radiusd.conf file is.
>
> My files are configured according to this howto: http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO and user authentication is working fine. I need host/ machine authentication for laptops
Re: FR + AD host/ machine/ workstation authentication

Config on client follows exactly what the howto recommends, with the 1 change of checking "authenticate as computer when computer information is available". Which, as you can see, does attempt to auth. The cert options are set as in this picture: http://wiki.freeradius.org/Image:117F01D2C7856F9F.png

I just reread this section here on the howto:

"Certificate validation is strongly recommended for wireless configurations, and optional for wired deployments. Select « Validate server certificate » and check ONLY the CA for your FreeRADIUS server (the one you installed above). Also select « Connect to these servers » and enter the Common Name of the server certificate. If you are configuring a wired ethernet interface, you can leave certificate verification off in your supplicants: just deselect « Validate server certificate ». Either way, select « EAP-MSCHAP v2 » as authentication method. Click the « Configure » button next."

So I will enable cert validation, retry and post back. Cheers for the info / tip :)

On 7/6/07, [EMAIL PROTECTED] wrote:
> Hi,
>
>> This URL here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to and we all know how touchy the radiusd.conf file is.
>
> Those parts can go pretty much anywhere in the main config file - e.g. stick them at the end of the file.
>
> From what I can see of the log the NTLM is working fine - the NTKEY reply matched and it's all okay. Which leaves me to assume that a config on the client isn't correct - is the machine configured to validate the RADIUS server and does it have the correct 'tick' for the certificate and host name for the server to validate?
>
> alan
Re: FR + AD host/ machine/ workstation authentication

Quick question: should machine authentication work if I follow the howto on a base system, or will I need to add attr_rewrite's as suggested in the Novell howto?

On 7/6/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Config on client follows exactly what the howto recommends, with the 1 change of checking "authenticate as computer when computer information is available". Which, as you can see, does attempt to auth. The cert options are set as in this picture: http://wiki.freeradius.org/Image:117F01D2C7856F9F.png
>
> I just reread this section here on the howto:
>
> "Certificate validation is strongly recommended for wireless configurations, and optional for wired deployments. Select « Validate server certificate » and check ONLY the CA for your FreeRADIUS server (the one you installed above). Also select « Connect to these servers » and enter the Common Name of the server certificate. If you are configuring a wired ethernet interface, you can leave certificate verification off in your supplicants: just deselect « Validate server certificate ». Either way, select « EAP-MSCHAP v2 » as authentication method. Click the « Configure » button next."
>
> So I will enable cert validation, retry and post back. Cheers for the info / tip :)
>
> On 7/6/07, [EMAIL PROTECTED] wrote:
>> Hi,
>>
>>> This URL here looks like what I need http://support.novell.com/docs/Tids/Solutions/10100693.html but their instructions are pretty lousy: "For machine-based authentication or user based authentication, modify the RADIUSD.CONF file by adding the following lines:" doesn't say where or what section to add said lines to and we all know how touchy the radiusd.conf file is.
>>
>> Those parts can go pretty much anywhere in the main config file - e.g. stick them at the end of the file.
>>
>> From what I can see of the log the NTLM is working fine - the NTKEY reply matched and it's all okay. Which leaves me to assume that a config on the client isn't correct - is the machine configured to validate the RADIUS server and does it have the correct 'tick' for the certificate and host name for the server to validate?
>>
>> alan
Re: Machine-Authentication against SaMBa account in LDAP Directory

Christian, you may be able to overcome / work around the problem by specifying a 2nd ldap module. Have one that appends the $ and checks, and one that doesn't.

On 5/9/07, Phil Mayers [EMAIL PROTECTED] wrote:
> Christian Hohmann wrote:
>> Hi members,
>>
>> I have a problem with the name of hosts. Here is the situation: I have an LDAP directory which is filled by the samba daemon, for example with hosts that are added to my domain. Samba signs every host-account with a $ at the end. If my laptop were named christian, the entry created by SaMBa in LDAP is christian$
>
> More recent versions of FreeRadius have an option in the mschap module to handle this - you can do:
>
>   filter = (uid=%{mschap:User-Name:-%{User-Name}})
>
> ...and the mschap module will strip the host/foo.bar to give foo$
Re: How to configure multiple LDAPs with different DN's ?

It will be post-auth that you need. Unfortunately I'm still learning that part myself (when I have spare time).

On 5/8/07, Eric Martell [EMAIL PROTECTED] wrote:
> I will be really appreciative if someone points me to the right direction or archive of the thread. Thanks in advance.
>
> Regards.
Re: Freeradius Auth via LDAP against Active Directory Server 2003

Sure, I have no probs doing it via the wiki. When I get a chance I will create it. For me the biggest help was finding SecureW2, truly an excellent little app.

On 5/2/07, Ryan Kramer [EMAIL PROTECTED] wrote:
> You can take care of #1 by still doing LDAP to AD for the groups, but using ntlm for the password authentication. This seems counterproductive, unless you are using a backside encryption where you need to do it that way, which is what I ended up having to do.
>
> On 4/30/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>> Thanks for the tip Ryan but I have been down that road and 2 reasons stopped me:
>> 1 - no way of retrieving LDAP groups
>> 2 - Been requested not to have Samba on the machine.
>> ntlm_auth was very straightforward for me because it supports all the encryption methods.
>>
>> On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
>>> Depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight LDAP. This requires the freeradius machine to be a member of the domain, but once you do that it works great.
>>>
>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>> OK tried with 1.1.4 and yerp, works great.
>>>> radiusd -X output: http://pastebin.ca/464153
>>>> radiusd.conf: http://pastebin.ca/464156
>>>> I also realised a mistake I have been making: see, I want to search the whole Active Directory, hence I kept setting my basedn without an OU. After seeing your excellent example and auth'ing had failed, I stuck in an OU and tried a user from the OU and it worked fine. So my question is this: to auth people from multiple OUs do I create a new ldap module for each OU or is there a simpler way?
>>>> Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for Monday will be setting up the Cisco and wireless clients now :)
>>>>
>>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>>> radiusd.conf: http://pastebin.ca/464133
>>>>> radius -X output: http://pastebin.ca/464138
>>>>> Tried with 1.1.6 and fails with this error:
>>>>>   rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
>>>>>   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
>>>>>   rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
>>>>>   radiusd.conf[540]: ldap: Module instantiation failed.
>>>>>   radiusd.conf[586] Unknown module ldap.
>>>>>   radiusd.conf[586] Failed to parse ldap entry.
>>>>> - /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>>>>>   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
>>>>>   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
>>>>> I assume the permissions are correct, as it was installed by rpm. I'm building the 1.1.4 rpm now, will report back once done.
>>>>>
>>>>> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
>>>>>> Thanks for the very detailed instructions. I will attempt this shortly (brought rad AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.
>>>>>>
>>>>>> On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
>>>>>>> I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4.
>>>>>>>
>>>>>>> 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
>>>>>>>   SEARCHDN=the DN of the account
>>>>>>>   SEARCHPW=the password
>>>>>>>   BASEDN=the DN below which all your accounts live in AD
>>>>>>>   ADHOST=hostname of the AD controller you'll search against
>>>>>>> For example, these might be:
>>>>>>>   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
>>>>>>>   SEARCHPW=blahblah
>>>>>>>   BASEDN=OU=My Site,DC=mysite,DC=com
>>>>>>> 2. Next, take the default radiusd.conf
>>>>>>> 3. Find the start of the modules section:
>>>>>>>   modules {
>>>>>>>   ...
>>>>>>> Delete this line and all the following lines
>>>>>>> 4. Insert the following config:
>>>>>>>   modules {
>>>>>>>     ldap {
>>>>>>>       server = $ADHOST
>>>>>>>       identity = $SEARCHDN
>>>>>>>       password = $SEARCHPW
>>>>>>>       basedn = $BASEDN
>>>>>>>       filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
>>>>>>>       dictionary_mapping = ${raddbdir}/ldap.attrmap
>>>>>>>       ldap_connections_number = 5
>>>>>>>       timeout = 4
>>>>>>>       timelimit = 3
VLAN Queries
Salutations all, I will be attempting VLAN assignment tomorrow via FR + ADS + Cisco WAP.

1st question: Is it possible to assign a VLAN based solely on which LDAP server authorized it? (The sites we are looking at have 1 domain server for staff and 1 for students.)

2: I've been looking at Mat Ashfield's email query regarding VLANs; it looks nice and straightforward to me. My only query: is the LDAP group automatically fetched, or is some extra configuration needed under the ldap module or ldap.attrmap?

Mat's example:

  DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
          User-Name=`%{User-Name}`,
          Tunnel-Private-Group-Id=176,
          Tunnel-Type=VLAN,
          Fall-Through = no

  DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
          User-Name=`%{User-Name}`,
          Tunnel-Private-Group-Id=177,
          Tunnel-Type=VLAN,
          Fall-Through = no

Thanks for the info.
Re: FreeRadius+AD integration
The "Deploying FreeRADIUS + AD" guide is an excellent guide for the ntlm_auth method. I'm guessing it is because your ntlm_auth command is commented out in the mschap part.

On 5/2/07, Danner, Mearl [EMAIL PROTECTED] wrote:
> Why not try this? Worked for us.
>
> http://wiki.freeradius.org/FreeRADIUS_Active_Directory_Integration_HOWTO
>
> Note that the first thing configured is the Samba server. It doesn't even mention installing the FreeRADIUS server until after the Samba configuration is completed.
>
> > Hi,
> > It must be you, so you are the right person to tell me what is causing ntlm_auth to send OK.
Re: VLAN Queries [SEC=UNCLASSIFIED]
Thanks Frank, you're a wealth of info. I will test it out once I've finished the CGI frontend for FreeRADIUS I've been asked to code.

On 5/3/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Wednesday, 2 May 2007 18:28
> To: FreeRadius users mailing list
> Subject: VLAN Queries
>
> > Salutations all, I will be attempting VLAN assignment tomorrow via FR + ADS + Cisco WAP.
> >
> > 1st question: Is it possible to assign a VLAN based solely on which LDAP server authorized it? (The sites we are looking at have 1 domain server for staff and 1 for students.)
> >
> > 2: I've been looking at Mat Ashfield's email query regarding VLANs; it looks nice and straightforward to me. My only query: is the LDAP group automatically fetched, or is some extra configuration needed under the ldap module or ldap.attrmap?
> >
> > Mat's example:
> >
> >   DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == staff
> >           User-Name=`%{User-Name}`,
> >           Tunnel-Private-Group-Id=176,
> >           Tunnel-Type=VLAN,
> >           Fall-Through = no
> >
> >   DEFAULT Huntgroup-Name == mySWITCH1, Ldap-Group == student
> >           User-Name=`%{User-Name}`,
> >           Tunnel-Private-Group-Id=177,
> >           Tunnel-Type=VLAN,
> >           Fall-Through = no
>
> An ldap group query is triggered by the presence of the Ldap-Group attribute in the users file. The query uses the groupmembership_filter to locate the entry relevant to the user and matches the groupname in the groupmembership_attribute. For Active Directory, you probably want the memberOf attribute in the person record. Something like (radiusd.conf):
>
>   groupmembership_filter = (samaccountname=%{Stripped-User-Name:-%{User-Name}})
>   groupname_attribute = memberOf
>
> Regards
> Frank Ranner
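The users-file policy quoted in this exchange, replayed in Python as an added example (not FreeRADIUS code, and not Mat's or Frank's): the two DEFAULT entries select VLAN 176 or 177 by huntgroup and Ldap-Group, and the group check is matched against AD memberOf values, which are full group DNs. Group DNs, NAS addresses and the huntgroups mapping are constructed sample data, and Tunnel-Medium-Type is added beyond the quoted entries because RFC 3580 VLAN assignment expects it.

```python
"""Users-file VLAN policy, modelled in Python.

Added example written for this thread; not FreeRADIUS code.  It replays the
two DEFAULT entries quoted above (Huntgroup-Name == mySWITCH1 with
Ldap-Group == staff -> VLAN 176, Ldap-Group == student -> VLAN 177) against
constructed requests and shows how an Ldap-Group check is matched against AD
'memberOf' values, which are full group DNs rather than bare names.
Group DNs, NAS addresses and huntgroup names are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class UsersEntry:
    """One DEFAULT entry: check items on the left, reply items on the right."""
    huntgroup: str
    ldap_group: str
    reply: Dict[str, str]
    fall_through: bool = False


# The two entries from Mat's example.  Tunnel-Medium-Type = IEEE-802 is added
# here because RFC 3580 expects it and most switches ignore the VLAN without it.
USERS: List[UsersEntry] = [
    UsersEntry("mySWITCH1", "staff",
               {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": "176"}),
    UsersEntry("mySWITCH1", "student",
               {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
                "Tunnel-Private-Group-Id": "177"}),
]

# Constructed huntgroups file: NAS address -> Huntgroup-Name.
HUNTGROUPS: Dict[str, str] = {"10.1.1.20": "mySWITCH1", "10.1.1.21": "mySWITCH2"}


def group_matches(wanted: str, member_of: List[str]) -> bool:
    """Match an Ldap-Group check value against the user's memberOf DNs.

    AD compares DNs case-insensitively.  A bare name ('staff') is matched
    against the CN of each group DN; a full DN is matched whole, which is
    the safer form when two OUs both contain a group called 'staff'.
    """
    wanted_l = wanted.strip().lower()
    for dn in member_of:
        dn_l = dn.strip().lower()
        if "=" in wanted_l:
            if dn_l == wanted_l:
                return True
        elif dn_l.split(",", 1)[0] == f"cn={wanted_l}":
            return True
    return False


def assign_vlan(request: Dict[str, str], member_of: List[str]) -> Optional[Dict[str, str]]:
    """Walk the entries in file order and return the accumulated reply items.

    Returns None when no entry matches.  In FreeRADIUS that does not reject
    the user; it only means no Tunnel-* attributes are sent, so the NAS puts
    the port in its configured default VLAN.  Whether 'no matching group'
    should become a reject is a policy decision to make explicitly.
    """
    huntgroup = HUNTGROUPS.get(request.get("NAS-IP-Address", ""))
    reply: Dict[str, str] = {}
    matched = False
    for entry in USERS:
        if entry.huntgroup != huntgroup:
            continue
        if not group_matches(entry.ldap_group, member_of):
            continue
        matched = True
        reply.update(entry.reply)
        if not entry.fall_through:      # Fall-Through = no: first match wins
            break
    return reply if matched else None


if __name__ == "__main__":
    staff = ["CN=staff,OU=Groups,DC=mysite,DC=com"]
    print(assign_vlan({"User-Name": "jacob", "NAS-IP-Address": "10.1.1.20"}, staff))
```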
Thanks a lot everyone
Thanks very much everyone, especially Phil, Alan and the rest who helped me but I can't recall just now. I have fiiinally got it going (properly this time too). Here is a quick outline of my setup; I may write a detailed howto later on.

Windows XP Home client - Cisco WAP - FreeRADIUS on Fedora - Windows 2003 ADS

FREERADIUS:
I used EAP-TTLS as the encryption / tunneling. Used the certs (needed for TTLS) that came with the rpm. Used PAP inside EAP-TTLS (sends the plain-text password, which LDAP expects).

WINDOWS SERVER:
* Add 1 user with password for LDAP searching (can't remember if the user needs special permission to search LDAP).
* Fortunately not much config is needed on the server; enabling anonymous LDAP searching is very handy when figuring out a new domain and its users.

WINDOWS XP CLIENTS:
I recommend using SecureW2 on XP clients as it allows you to use PAP inside EAP. Configure clients with these options:

My Windows client details:
  Network Authentication: Open
  Data Encryption: WEP
  The key is provided for me automatically: (ticked)
  EAP type: SecureW2
  Authenticate as a computer: (unticked)
  Authenticate as a guest: (unticked)

SecureW2 config details:
  Use alternate outer identity: (unticked)
  Verify server cert: (unticked)
  Select Authentication Method: PAP
  Prompt user for credentials: (ticked)

http://www.securew2.com/
Re: Freeradius Auth via LDAP against Active Directory Server 2003
Thanks for the tip Ryan, but I have been down that road and 2 reasons stopped me:
1 - no way of retrieving LDAP groups
2 - Been requested not to have Samba on the machine.

ntlm_auth was very straightforward for me because it supports all the encryption methods.

On 5/1/07, Ryan Kramer [EMAIL PROTECTED] wrote:
> Depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight LDAP. This requires the FreeRADIUS machine to be a member of the domain, but once you do that it works great.
>
> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> > OK tried with 1.1.4 and yerp works great.
> >
> > radiusd -X output: http://pastebin.ca/464153
> > radiusd.conf: http://pastebin.ca/464156
> >
> > I also realised a mistake I have been making: see, I want to search the whole Active Directory, hence I kept setting my basedn without an OU. After seeing your excellent example and auth'ing had failed, I stuck in an OU and tried a user from the OU and it worked fine. So my question is this: to auth people from multiple OUs, do I create a new ldap module for each OU or is there a simpler way?
> >
> > Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for Monday will be setting up the Cisco and wireless clients now :)
> >
> > On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> > > radiusd.conf: http://pastebin.ca/464133
> > > radius -X output: http://pastebin.ca/464138
> > >
> > > Tried with 1.1.6 and it fails with this error:
> > >
> > >   rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
> > >   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> > >   rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
> > >   radiusd.conf[540]: ldap: Module instantiation failed.
> > >   radiusd.conf[586] Unknown module ldap.
> > >   radiusd.conf[586] Failed to parse ldap entry.
> > >
> > > /etc/raddb/ldap.attrmap does exist as provided by the rpm.
> > >
> > >   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
> > >   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
> > >
> > > I assume the permissions are correct, as it was installed by rpm. I'm building the 1.1.4 rpm now, will report back once done.
> > >
> > > On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> > > > Thanks for the very detailed instructions. I will attempt this shortly (brought rad/AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields, but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.
> > > >
> > > > On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
> > > > > I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4
> > > > >
> > > > > 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
> > > > >
> > > > >   SEARCHDN=the DN of the account
> > > > >   SEARCHPW=the password
> > > > >   BASEDN=the DN below which all your accounts live in AD
> > > > >   ADHOST=hostname of the AD controller you'll search against
> > > > >
> > > > > For example, these might be:
> > > > >
> > > > >   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > > > >   SEARCHPW=blahblah
> > > > >   BASEDN=OU=My Site,DC=mysite,DC=com
> > > > >
> > > > > 2. Next, take the default radiusd.conf
> > > > >
> > > > > 3. Find the start of the modules section:
> > > > >
> > > > >   modules {
> > > > >   ...
> > > > >
> > > > > Delete this line and all the following lines
> > > > >
> > > > > 4. Insert the following config:
> > > > >
> > > > >   modules {
> > > > >     ldap {
> > > > >       server = $ADHOST
> > > > >       identity = $SEARCHDN
> > > > >       password = $SEARCHPW
> > > > >       basedn = $BASEDN
> > > > >       filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
> > > > >       dictionary_mapping = ${raddbdir}/ldap.attrmap
> > > > >       ldap_connections_number = 5
> > > > >       timeout = 4
> > > > >       timelimit = 3
> > > > >       net_timeout = 1
> > > > >     }
> > > > >     preprocess {
> > > > >       huntgroups = ${confdir}/huntgroups
> > > > >       hints = ${confdir}/hints
> > > > >       with_ascend_hack = no
> > > > >       ascend_channels_per_line = 23
> > > > >       with_ntdomain_hack = no
> > > > >       with_specialix_jetstream_hack = no
> > > > >       with_cisco_vsa_hack = no
> > > > >     }
> > > > >     detail {
> > > > >       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > > > >       detailperm = 0644
> > > > >     }
> > > > >   }
> > > > >   instantiate {
> > > > >   }
> > > > >   authorize {
> > > > >     preprocess
> > > > >     ldap
> > > > >   }
> > > > >   authenticate {
> > > > >     Auth-Type LDAP {
> > > > >       ldap
> > > > >     }
> > > > >   }
> > > > >   preacct {
> > > > >     preprocess
> > > > >   }
> > > > >   accounting {
> > > > >     detail
Re: Freeradius Auth via LDAP against Active Directory Server 2003
Thanks for the very detailed instructions. I will attempt this shortly (brought rad/AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields, but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.

On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
> I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4
>
> 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
>
>   SEARCHDN=the DN of the account
>   SEARCHPW=the password
>   BASEDN=the DN below which all your accounts live in AD
>   ADHOST=hostname of the AD controller you'll search against
>
> For example, these might be:
>
>   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
>   SEARCHPW=blahblah
>   BASEDN=OU=My Site,DC=mysite,DC=com
>
> 2. Next, take the default radiusd.conf
>
> 3. Find the start of the modules section:
>
>   modules {
>   ...
>
> Delete this line and all the following lines
>
> 4. Insert the following config:
>
>   modules {
>     ldap {
>       server = $ADHOST
>       identity = $SEARCHDN
>       password = $SEARCHPW
>       basedn = $BASEDN
>       filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
>       dictionary_mapping = ${raddbdir}/ldap.attrmap
>       ldap_connections_number = 5
>       timeout = 4
>       timelimit = 3
>       net_timeout = 1
>     }
>     preprocess {
>       huntgroups = ${confdir}/huntgroups
>       hints = ${confdir}/hints
>       with_ascend_hack = no
>       ascend_channels_per_line = 23
>       with_ntdomain_hack = no
>       with_specialix_jetstream_hack = no
>       with_cisco_vsa_hack = no
>     }
>     detail {
>       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
>       detailperm = 0644
>     }
>   }
>   instantiate {
>   }
>   authorize {
>     preprocess
>     ldap
>   }
>   authenticate {
>     Auth-Type LDAP {
>       ldap
>     }
>   }
>   preacct {
>     preprocess
>   }
>   accounting {
>     detail
>   }
>   session {
>   }
>   post-auth {
>   }
>   pre-proxy {
>   }
>   post-proxy {
>   }
>
> 5. Start the server with -X
>
> 6. Run radtest to send a checking PAP request
>
> It should work. The above config is the ABSOLUTE BARE MINIMUM server config which will check PAP requests ONLY against an AD LDAP server. I do NOT recommend you go into service with this config. Try to look at it, understand how it's doing what it's doing, *then* start again with the default FreeRadius config and make the absolute minimum changes to get back to that point.
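A parser for the brace-delimited radiusd.conf syntax Phil's steps edit, with a sanity check for the things those steps depend on (placeholders substituted, non-empty bind identity, per-user filter, timeouts, ldap wired into authorize and authenticate). This is an added example written for this thread, not FreeRADIUS code or Phil's; SAMPLE_CONF is his ldap section with the $VARIABLES deliberately left in, and FILLED_VALUES are constructed values in the shape of his examples.

```python
"""Parser and sanity checker for the bare-minimum radiusd.conf above.

Added example for this thread; not FreeRADIUS code.  parse_conf() reads the
radiusd.conf syntax (brace sections, 'key = value' lines, bare module names)
into nested dicts; check_ldap_config() reports what Phil's steps rely on.
SAMPLE_CONF keeps his $PLACEHOLDERS on purpose; FILLED_VALUES are
constructed example values, not a real domain.
"""
import re
from typing import Dict, List

SAMPLE_CONF = """
modules {
    ldap {
        server = $ADHOST
        identity = $SEARCHDN
        password = $SEARCHPW
        basedn = $BASEDN
        filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
        dictionary_mapping = ${raddbdir}/ldap.attrmap
        ldap_connections_number = 5
        timeout = 4
        timelimit = 3
        net_timeout = 1
    }
}
authorize {
    preprocess
    ldap
}
authenticate {
    Auth-Type LDAP {
        ldap
    }
}
"""

FILLED_VALUES = {
    "$ADHOST": "dc1.mysite.com",
    "$SEARCHDN": "CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com",
    "$SEARCHPW": "blahblah",
    "$BASEDN": "OU=My Site,DC=mysite,DC=com",
}

PLACEHOLDER = re.compile(r"^\$[A-Z_]+$")   # $ADHOST etc.; never a valid setting


def _node() -> Dict:
    return {"kv": {}, "items": [], "sub": {}}


def parse_conf(text: str) -> Dict:
    """Parse radiusd.conf-style text into nested {'kv', 'items', 'sub'} nodes."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()     # '#' starts a comment
        if not line:
            continue
        if line == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
        elif line.endswith("{"):                # 'ldap {' or 'Auth-Type LDAP {'
            node = _node()
            stack[-1]["sub"][line[:-1].strip()] = node
            stack.append(node)
        elif "=" in line:                       # first '=' splits key from value
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1]["kv"][key] = value
        else:                                   # bare module reference
            stack[-1]["items"].append(line)
    if len(stack) != 1:
        raise ValueError("unclosed section")
    return root


def check_ldap_config(conf: Dict) -> List[str]:
    """Return a list of problems; empty means the ldap wiring looks sane."""
    problems: List[str] = []
    ldap = conf["sub"].get("modules", _node())["sub"].get("ldap")
    if ldap is None:
        return ["no 'ldap' instance inside 'modules'"]
    kv = ldap["kv"]
    for key in ("server", "identity", "password", "basedn", "filter"):
        value = kv.get(key, "")
        if not value:
            # An empty identity makes rlm_ldap bind anonymously: the
            # 'bind as / to host' debug line seen elsewhere in this thread.
            problems.append(f"ldap: '{key}' missing or empty")
        elif PLACEHOLDER.match(value):
            problems.append(f"ldap: '{key}' still holds the placeholder {value}")
    if "%{" not in kv.get("filter", ""):
        problems.append("ldap: filter has no %{...} expansion; every request would search the same entry")
    for key in ("timeout", "timelimit", "net_timeout"):
        if key not in kv:
            problems.append(f"ldap: '{key}' not set; a slow DC would stall authentication")
    if "ldap" not in conf["sub"].get("authorize", _node())["items"]:
        problems.append("authorize: ldap is not listed, so no user lookup happens")
    auth_type = conf["sub"].get("authenticate", _node())["sub"].get("Auth-Type LDAP", _node())
    if "ldap" not in auth_type["items"]:
        problems.append("authenticate: no 'Auth-Type LDAP { ldap }' block, so the bind-as-user check never runs")
    return problems


def filled_sample() -> str:
    """SAMPLE_CONF with the four placeholders substituted."""
    text = SAMPLE_CONF
    for name, value in FILLED_VALUES.items():
        text = text.replace(name, value)
    return text
```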
Re: Freeradius Auth via LDAP against Active Directory Server 2003
radiusd.conf: http://pastebin.ca/464133
radius -X output: http://pastebin.ca/464138

Tried with 1.1.6 and it fails with this error:

  rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
  rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
  rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
  radiusd.conf[540]: ldap: Module instantiation failed.
  radiusd.conf[586] Unknown module ldap.
  radiusd.conf[586] Failed to parse ldap entry.

/etc/raddb/ldap.attrmap does exist as provided by the rpm.

  [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
  -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap

I assume the permissions are correct, as it was installed by rpm. I'm building the 1.1.4 rpm now, will report back once done.

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Thanks for the very detailed instructions. I will attempt this shortly (brought rad/AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields, but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.
>
> On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
> > I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4
> >
> > 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
> >
> >   SEARCHDN=the DN of the account
> >   SEARCHPW=the password
> >   BASEDN=the DN below which all your accounts live in AD
> >   ADHOST=hostname of the AD controller you'll search against
> >
> > For example, these might be:
> >
> >   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> >   SEARCHPW=blahblah
> >   BASEDN=OU=My Site,DC=mysite,DC=com
> >
> > 2. Next, take the default radiusd.conf
> >
> > 3. Find the start of the modules section:
> >
> >   modules {
> >   ...
> >
> > Delete this line and all the following lines
> >
> > 4. Insert the following config:
> >
> >   modules {
> >     ldap {
> >       server = $ADHOST
> >       identity = $SEARCHDN
> >       password = $SEARCHPW
> >       basedn = $BASEDN
> >       filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
> >       dictionary_mapping = ${raddbdir}/ldap.attrmap
> >       ldap_connections_number = 5
> >       timeout = 4
> >       timelimit = 3
> >       net_timeout = 1
> >     }
> >     preprocess {
> >       huntgroups = ${confdir}/huntgroups
> >       hints = ${confdir}/hints
> >       with_ascend_hack = no
> >       ascend_channels_per_line = 23
> >       with_ntdomain_hack = no
> >       with_specialix_jetstream_hack = no
> >       with_cisco_vsa_hack = no
> >     }
> >     detail {
> >       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> >       detailperm = 0644
> >     }
> >   }
> >   instantiate {
> >   }
> >   authorize {
> >     preprocess
> >     ldap
> >   }
> >   authenticate {
> >     Auth-Type LDAP {
> >       ldap
> >     }
> >   }
> >   preacct {
> >     preprocess
> >   }
> >   accounting {
> >     detail
> >   }
> >   session {
> >   }
> >   post-auth {
> >   }
> >   pre-proxy {
> >   }
> >   post-proxy {
> >   }
> >
> > 5. Start the server with -X
> >
> > 6. Run radtest to send a checking PAP request
> >
> > It should work. The above config is the ABSOLUTE BARE MINIMUM server config which will check PAP requests ONLY against an AD LDAP server. I do NOT recommend you go into service with this config. Try to look at it, understand how it's doing what it's doing, *then* start again with the default FreeRadius config and make the absolute minimum changes to get back to that point.
Re: Freeradius Auth via LDAP against Active Directory Server 2003
OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making: see, I want to search the whole Active Directory, hence I kept setting my basedn without an OU. After seeing your excellent example and auth'ing had failed, I stuck in an OU and tried a user from the OU and it worked fine. So my question is this: to auth people from multiple OUs, do I create a new ldap module for each OU or is there a simpler way?

Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for Monday will be setting up the Cisco and wireless clients now :)

On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> radiusd.conf: http://pastebin.ca/464133
> radius -X output: http://pastebin.ca/464138
>
> Tried with 1.1.6 and it fails with this error:
>
>   rlm_ldap: reading ldap-radius mappings from file /etc/raddb/ldap.attrmap
>   rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
>   rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
>   radiusd.conf[540]: ldap: Module instantiation failed.
>   radiusd.conf[586] Unknown module ldap.
>   radiusd.conf[586] Failed to parse ldap entry.
>
> /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>
>   [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
>   -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
>
> I assume the permissions are correct, as it was installed by rpm. I'm building the 1.1.4 rpm now, will report back once done.
>
> On 4/29/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> > Thanks for the very detailed instructions. I will attempt this shortly (brought rad/AD servers home for weekend study). Quite possibly the biggest learning curve for me is the LDAP fields, but I am finally starting to get familiar with them. Cheers again, will post back once I've run the radtest.
> >
> > On 4/28/07, Phil Mayers [EMAIL PROTECTED] wrote:
> > > I haven't been following your (quite extensive) queries, so apologies if I've missed something fundamental. I honestly don't know why this is proving so difficult. I've just tested this against our own 2k3 AD service, and although I'm pretty familiar with FR it took under 5 minutes. Try following the instructions below. These were tested with FreeRadius 1.1.4
> > >
> > > 1. First, create or locate an existing account which FreeRadius can bind and do its searches as. Record the following variables:
> > >
> > >   SEARCHDN=the DN of the account
> > >   SEARCHPW=the password
> > >   BASEDN=the DN below which all your accounts live in AD
> > >   ADHOST=hostname of the AD controller you'll search against
> > >
> > > For example, these might be:
> > >
> > >   SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > >   SEARCHPW=blahblah
> > >   BASEDN=OU=My Site,DC=mysite,DC=com
> > >
> > > 2. Next, take the default radiusd.conf
> > >
> > > 3. Find the start of the modules section:
> > >
> > >   modules {
> > >   ...
> > >
> > > Delete this line and all the following lines
> > >
> > > 4. Insert the following config:
> > >
> > >   modules {
> > >     ldap {
> > >       server = $ADHOST
> > >       identity = $SEARCHDN
> > >       password = $SEARCHPW
> > >       basedn = $BASEDN
> > >       filter = (sAMAccountName=%{Stripped-User-Name:-%{User-Name}})
> > >       dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >       ldap_connections_number = 5
> > >       timeout = 4
> > >       timelimit = 3
> > >       net_timeout = 1
> > >     }
> > >     preprocess {
> > >       huntgroups = ${confdir}/huntgroups
> > >       hints = ${confdir}/hints
> > >       with_ascend_hack = no
> > >       ascend_channels_per_line = 23
> > >       with_ntdomain_hack = no
> > >       with_specialix_jetstream_hack = no
> > >       with_cisco_vsa_hack = no
> > >     }
> > >     detail {
> > >       detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > >       detailperm = 0644
> > >     }
> > >   }
> > >   instantiate {
> > >   }
> > >   authorize {
> > >     preprocess
> > >     ldap
> > >   }
> > >   authenticate {
> > >     Auth-Type LDAP {
> > >       ldap
> > >     }
> > >   }
> > >   preacct {
> > >     preprocess
> > >   }
> > >   accounting {
> > >     detail
> > >   }
> > >   session {
> > >   }
> > >   post-auth {
> > >   }
> > >   pre-proxy {
> > >   }
> > >   post-proxy {
> > >   }
> > >
> > > 5. Start the server with -X
> > >
> > > 6. Run radtest to send a checking PAP request
> > >
> > > It should work. The above config is the ABSOLUTE BARE MINIMUM server config which will check PAP requests ONLY against an AD LDAP server. I do NOT recommend you go into service with this config. Try to look at it, understand how it's doing what it's doing, *then* start again with the default FreeRadius config and make the absolute minimum changes to get back to that point.
Re: Freeradius Auth via LDAP against Active Directory Server 2003 [unclas]
Thanks Frank. Regarding searching the base DN from the parent node (correct term I hope): I did try on the weekend but with no success, but retrying today worked fine :) (quite possibly me doing more than one change at a time again). I also added the filter as per your suggestion. I appreciate the feedback, as this has made things a lot easier.

On 4/30/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Sunday, 29 April 2007 20:48
> To: FreeRadius users mailing list
> Subject: Re: Freeradius Auth via LDAP against Active Directory Server 2003
>
> > OK tried with 1.1.4 and yerp works great.
> >
> > radiusd -X output: http://pastebin.ca/464153
> > radiusd.conf: http://pastebin.ca/464156
> >
> > I also realised a mistake I have been making: see, I want to search the whole Active Directory, hence I kept setting my basedn without an OU. After seeing your excellent example and auth'ing had failed, I stuck in an OU and tried a user from the OU and it worked fine. So my question is this: to auth people from multiple OUs, do I create a new ldap module for each OU or is there a simpler way?
>
> You should be able to set the base DN at the parent node, because the search is a subtree search. In my setup (OpenLDAP, not AD) I also use the base_filter directive in radiusd.conf to restrict the type of records to be searched. I use
>
>   base_filter = (objectclass=radiusprofile)
>
> You should use
>
>   base_filter = (objectclass=user)
>
> This goes into the ldap section somewhere near the basedn line.
>
> Regards,
> Frank Ranner
Help please: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
radiusd.conf: http://pastebin.ca/465399
radius -X output: http://pastebin.ca/465404

After following Phil's guide on the weekend I successfully got both radtest and radping to return auth-accept packets. The default Windows client wouldn't auth, but they don't do PAP as I understand. I am currently using http://www.securew2.org to enable PAP, though I am getting this error:

  ERROR: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user

My Windows client details:
  Network Authentication: Open
  Data Encryption: WEP
  The key is provided for me automatically: (ticked)
  EAP type: SecureW2
  Authenticate as a computer: (unticked)
  Authenticate as a guest: (unticked)

SecureW2 config details:
  Use alternate outer identity: (unticked)
  Verify server cert: (unticked)
  Select Authentication Method: PAP
  Prompt user for credentials: (ticked)

I am using the SecureW2 client / extension because I have been told numerous times that LDAP only supports PAP, and it's been suggested that I get PAP working before anything else (let me know if I'm on the right track with SecureW2). So I'm guessing here, but the reason it fails is because I do not have EAP / PAP modules configured?

Thanks for the help again guys.
Re: Help please: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
Well after some more googling I have come to the conclusion I need to set up EAP-TTLS, which if I understand correctly supports tunneling of PAP through SSL. So my current goal is to enable EAP-TTLS, test, then report.

On 4/30/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> radiusd.conf: http://pastebin.ca/465399
> radius -X output: http://pastebin.ca/465404
>
> After following Phil's guide on the weekend I successfully got both radtest and radping to return auth-accept packets. The default Windows client wouldn't auth, but they don't do PAP as I understand. I am currently using http://www.securew2.org to enable PAP, though I am getting this error:
>
>   ERROR: auth: No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
>
> My Windows client details:
>   Network Authentication: Open
>   Data Encryption: WEP
>   The key is provided for me automatically: (ticked)
>   EAP type: SecureW2
>   Authenticate as a computer: (unticked)
>   Authenticate as a guest: (unticked)
>
> SecureW2 config details:
>   Use alternate outer identity: (unticked)
>   Verify server cert: (unticked)
>   Select Authentication Method: PAP
>   Prompt user for credentials: (ticked)
>
> I am using the SecureW2 client / extension because I have been told numerous times that LDAP only supports PAP, and it's been suggested that I get PAP working before anything else (let me know if I'm on the right track with SecureW2). So I'm guessing here, but the reason it fails is because I do not have EAP / PAP modules configured?
>
> Thanks for the help again guys.
Re: Freeradius Auth via LDAP against Active Directory Server 2003
Well I have another angle I will be attacking the problem from on the weekend. I will be installing and configuring OpenLDAP on my Linux server, making it replicate the ADS 2003 server, then following the gentoo-wiki's FreeRADIUS and OpenLDAP implementation howto.

So the modified layout plan:

  client - Cisco WAP - Linux + FR - Linux + OpenLDAP - Windows 2003 ADS

At least this way I will have two LDAP implementations to test against; whichever works 1st becomes the default solution :). I do understand that Novell eDirectory works very nicely (Novell's LDAP implementation), but due to pricing issues it will be left until the last option. I would like to say though, Novell generally has excellent support.

On 4/27/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> I have been at this for a while now, so I thought I would share a summary of what I have figured out so far for anyone else that decides to try this.
>
> 1 - Documentation for this particular configuration is either out of date / incomplete / both. There are no howtos that will get you from start to end (if you do know of one or wrote one yourself please share - I will myself when I figure it all out).
>
> 2 - Most of the trouble is due to the fact we are making a Linux service talk to a Windows service (AD LDAP). FreeRADIUS talking to the Linux passwd file is a breeze by comparison.
>
> 3 - The Windows 2003 LDAP implementation will not provide a password when a user / service performs an LDAP search. The proper way, if I understand correctly, is to supply the plain-text username / password; then FreeRADIUS performs a bind with the provided credentials against your ADS server, and success means the password was correct.
>
> 4 - Installing Services For Unix on 2003 will make AD LDAP provide a password hash attribute among other Unix LDAP attributes. The user has to have POSIX enabled.
>
> 5 - Anonymous searches can be performed on 2003 AD LDAP if you set dSHeuristics to 002 using adsiedit.msc.
>
> 6 - Microsoft's LDAP is different to Novell's (big surprise), and so unfortunately their documentation isn't too helpful as a reference for people trying to use ADS in the same fashion.
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
Thank you for the suggestions / tips Frank. Here are the results from the command you gave me:

  [EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b o=tfxschool,c=AU 'objectclass=*'
  # extended LDIF
  #
  # LDAPv3
  # base <o=tfxschool,c=AU> with scope subtree
  # filter: objectclass=*
  # requesting: ALL
  #

  # search result
  search: 2
  result: 1 Operations error
  text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

  # numResponses: 1

I'm about to install Unix Services for Windows on my 2003 server and run my search command again to see if it populates the fields in LDAP some more (recommended from the gentoo wiki's "HOWTO Authenticate from Active Directory using OpenLDAP").

Also, it seems to me that FreeRADIUS is anonymously binding even though I have set these 2 lines under ldap {

  identity = cn=admin,o=tfxschool,c=AU
  password = pass

Here is the entry for admin, which I retrieved using this command:

  ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

  dn: CN=admin,OU=People,DC=tfxschool,DC=internal
  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: user
  cn: admin
  title: tfxschool
  givenName: admin
  distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
  instanceType: 4
  whenCreated: 20070426003712.0Z
  whenChanged: 20070426014259.0Z
  displayName: admin
  uSNCreated: 82400
  uSNChanged: 82415
  department: tfxschool
  company: tfxschool
  name: admin
  objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
  userAccountControl: 66048
  badPwdCount: 0
  codePage: 0
  countryCode: 0
  badPasswordTime: 0
  lastLogoff: 0
  lastLogon: 0
  pwdLastSet: 128220214326562500
  primaryGroupID: 513
  objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
  accountExpires: 9223372036854775807
  logonCount: 0
  sAMAccountName: admin
  sAMAccountType: 805306368
  userPrincipalName: [EMAIL PROTECTED]
  objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal

Thanks in advance, I appreciate the info very much.

On 4/26/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:
> Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute. Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree.
>
>   ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'
>
> This will show you what attributes there are, and whether the password is readable.
>
> Regards,
> Frank Ranner
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:freeradius-users-[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Thursday, 26 April 2007 12:38
> To: FreeRadius users mailing list
> Subject: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
>
> > radiusd.conf:
> > radiusd -X -f: http://pastebin.ca/458790
> >
> > Hello again, I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:
> >
> >   identity = cn=admin,o=tfxschool,c=AU
> >   password = pass
> >
> > as I have been told anonymous binding is not the way to go for confirming username / password. From reading the error log it seems to me that FreeRADIUS does successfully connect to the ADS server via LDAP but fails to find the user.
> >
> > Output in question:
> >
> >   rlm_ldap: - authorize
> >   rlm_ldap: performing user authorization for jacob
> >   radius_xlat: '(uid=jacob)'
> >   radius_xlat: 'o=tfxschool,c=AU'
> >   rlm_ldap: ldap_get_conn: Checking Id: 0
> >   rlm_ldap: ldap_get_conn: Got Id: 0
> >   rlm_ldap: attempting LDAP reconnection
> >   rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
> >   rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
> >   rlm_ldap: waiting for bind result ...
> >   request done: ld 0x8697ed0 msgid 1
> >   rlm_ldap: Bind was successful
> >   rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
> >   request done: ld 0x8697ed0 msgid 2
> >   rlm_ldap: ldap_search() failed: Operations error
> >   rlm_ldap: search failed
> >   rlm_ldap: ldap_release_conn: Release Id: 0
> >   modcall[authorize]: module ldap returns fail for request 0
> >   modcall: leaving group authorize (returns fail) for request 0
> >   Finished request 0
> >
> > The user jacob auths fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
OK, some more progress: found 1 setting that rejected any user if they did not have the dialup access attribute, which I have commented. Now I get the following results when using the radping program. It looks to me like it searches fine (rlm_ldap: user jacob authorized to use remote access) but I'm guessing because there is no password field it returns 0 and moves on. I am about to install Unix Services for Windows and inspect the new fields (if any). If any1 knows what is involved in populating the ADS 2003 LDAP fields with user password / hashes please let me know.

    rad_recv: Access-Request packet from host 10.1.1.11:3470, id=8, length=45
    User-Name = jacob
    User-Password = \330\3338\220\201\273J\246fU\270\354xC{\212
    Processing the authorize section of radiusd.conf
    modcall: entering group authorize for request 0
    modcall[authorize]: module preprocess returns ok for request 0
    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jacob
    radius_xlat: '(sAMAccountName=jacob)'
    radius_xlat: 'dc=tfxschool,dc=internal'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:3268, authentication 0
    rlm_ldap: bind as / to tfxschoolfs01.tfxschool.internal:3268
    rlm_ldap: waiting for bind result ...
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in dc=tfxschool,dc=internal, with filter (sAMAccountName=jacob)
    rlm_ldap: looking for check items in directory...
    rlm_ldap: looking for reply items in directory...
    rlm_ldap: user jacob authorized to use remote access
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns ok for request 0
    modcall[authorize]: module chap returns noop for request 0
    modcall[authorize]: module mschap returns noop for request 0
    rlm_realm: No '@' in User-Name = jacob, looking up realm NULL
    rlm_realm: No such realm NULL
    modcall[authorize]: module suffix returns noop for request 0

On 4/27/07, Jacob Jarick [EMAIL PROTECTED] wrote:

Thank you for the suggestions / tips Frank. Here are the results from the command you gave me:

    [EMAIL PROTECTED] ~]# ldapsearch -x -h 10.1.1.11 -D CN=admin,OU=People,DC=tfxschool,DC=internal -w pass -b o=tfxschool,c=AU 'objectclass=*'
    # extended LDIF
    #
    # LDAPv3
    # base o=tfxschool,c=AU with scope subtree
    # filter: objectclass=*
    # requesting: ALL
    #

    # search result
    search: 2
    result: 1 Operations error
    text: 20D6: SvcErr: DSID-031006CC, problem 5012 (DIR_ERROR), data 0

    # numResponses: 1

I'm about to install unix services for windows on my 2003 server and run my search command again to see if it populates the fields in ldap some more (recommended from the gentoo wiki's HOWTO Authenticate from Active Directory using OpenLDAP).
Also, it seems to me that freeradius is anonymously binding even though I have set these 2 lines under ldap {:

    identity = cn=admin,o=tfxschool,c=AU
    password = pass

Here is the entry for admin which I retrieved using this command:

    ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

    dn: CN=admin,OU=People,DC=tfxschool,DC=internal
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: admin
    title: tfxschool
    givenName: admin
    distinguishedName: CN=admin,OU=People,DC=tfxschool,DC=internal
    instanceType: 4
    whenCreated: 20070426003712.0Z
    whenChanged: 20070426014259.0Z
    displayName: admin
    uSNCreated: 82400
    uSNChanged: 82415
    department: tfxschool
    company: tfxschool
    name: admin
    objectGUID:: Y5PXIUnZgEeBru7NxgIn3Q==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 0
    pwdLastSet: 128220214326562500
    primaryGroupID: 513
    objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bwQAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: admin
    sAMAccountType: 805306368
    userPrincipalName: [EMAIL PROTECTED]
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal

Thanks in advance, I appreciate the info very much.

On 4/26/07, Ranner, Frank MR [EMAIL PROTECTED] wrote:

Are you sure that the uid attribute is even in Active Directory? Chances are the usernames are in the sAMAccountName attribute. Since you now seem to be able to bind, why not use the ldapsearch utility to show entries in the o=tfxschool,c=AU subtree:

    ldapsearch -x -h hostname -D cn=admin,o=tfxschool,c=AU -w pass -b o=tfxschool,c=AU 'objectclass=*'

This will show you what attributes there are, and whether the password is readable.

Regards,
Frank Ranner

-----Original Message-----
From: [EMAIL PROTECTED] eradius.org [mailto:freeradius-users-[EMAIL PROTECTED] On Behalf Of Jacob Jarick
Sent: Thursday, 26 April 2007 12:38
To: FreeRadius users mailing list
Subject: FR
Re: freeradius eap error.
There is a script that comes with the freeradius source (perhaps bins as well) that generates you new certs. For me the script is at /usr/src/freeradius-1.1.6/scripts/CA.all. IIRC that will generate you all the certs u need and read default options from your openssl config file. You will have to copy across your new certs once done (be sure to backup 1st). Good luck.

On 4/27/07, member alsuki [EMAIL PROTECTED] wrote:

Hello, list. I'm having some problems implementing freeradius on an opensuse box. I've followed the tutorial at novell and as a test I've used the default CA and certs that came with the freeradius rpm. This worked very well: the server started and everything seemed nice. Then I made my own CA and certs, 1st a 4096 and then a 1024 bits, but no luck in either case. Is there a limit to the length of the certs and CA keys? I've googled to find if there was some info on this but no luck. Can anyone help me on this? This is a radiusd -X -A output.

    Starting - reading configuration files ...
    reread_config: reading radiusd.conf
    Config: including file: /etc/raddb/proxy.conf
    Config: including file: /etc/raddb/clients.conf
    Config: including file: /etc/raddb/snmp.conf
    Config: including file: /etc/raddb/eap.conf
    Config: including file: /etc/raddb/sql.conf
    main: prefix = /usr
    main: localstatedir = /var
    main: logdir = /var/log/radius
    main: libdir = /usr/lib/freeradius
    main: radacctdir = /var/log/radius/radacct
    main: hostname_lookups = no
    main: max_request_time = 30
    main: cleanup_delay = 5
    main: max_requests = 1024
    main: delete_blocked_requests = 0
    main: port = 0
    main: allow_core_dumps = no
    main: log_stripped_names = no
    main: log_file = /var/log/radius/radius.log
    main: log_auth = no
    main: log_auth_badpass = no
    main: log_auth_goodpass = no
    main: pidfile = /var/run/radiusd/radiusd.pid
    main: bind_address = 10.10.0.1 IP address [10.10.0.1]
    main: user = radiusd
    main: group = radiusd
    main: usercollide = no
    main: lower_user = no
    main: lower_pass = no
    main: nospace_user = no
    main: nospace_pass = no
    main: checkrad = /usr/sbin/checkrad
    main: proxy_requests = yes
    proxy: retry_delay = 5
    proxy: retry_count = 3
    proxy: synchronous = no
    proxy: default_fallback = yes
    proxy: dead_time = 120
    proxy: post_proxy_authorize = no
    proxy: wake_all_if_all_dead = no
    security: max_attributes = 200
    security: reject_delay = 1
    security: status_server = no
    main: debug_level = 0
    read_config_files: reading dictionary
    read_config_files: reading naslist
    read_config_files: reading clients
    read_config_files: reading realms
    radiusd: entering modules setup
    Module: Library search path is /usr/lib/freeradius
    Module: Loaded exec
    exec: wait = yes
    exec: program = (null)
    exec: input_pairs = request
    exec: output_pairs = (null)
    exec: packet_type = (null)
    rlm_exec: Wait=yes but no output defined. Did you mean output=none?
    Module: Instantiated exec (exec)
    Module: Loaded expr
    Module: Instantiated expr (expr)
    Module: Loaded PAP
    pap: encryption_scheme = crypt
    Module: Instantiated pap (pap)
    Module: Loaded CHAP
    Module: Instantiated chap (chap)
    Module: Loaded MS-CHAP
    mschap: use_mppe = yes
    mschap: require_encryption = yes
    mschap: require_strong = yes
    mschap: with_ntdomain_hack = no
    mschap: passwd = (null)
    mschap: ntlm_auth = (null)
    Module: Instantiated mschap (mschap)
    Module: Loaded System
    unix: cache = no
    unix: passwd = (null)
    unix: shadow = (null)
    unix: group = (null)
    unix: radwtmp = /var/log/radius/radwtmp
    unix: usegroup = no
    unix: cache_reload = 600
    Module: Instantiated unix (unix)
    Module: Loaded eap
    eap: default_eap_type = peap
    eap: timer_expire = 60
    eap: ignore_unknown_eap_types = no
    eap: cisco_accounting_username_bug = no
    rlm_eap: Loaded and initialized type md5
    rlm_eap: Loaded and initialized type leap
    gtc: challenge = Password:
    gtc: auth_type = PAP
    rlm_eap: Loaded and initialized type gtc
    tls: rsa_key_exchange = no
    tls: dh_key_exchange = yes
    tls: rsa_key_length = 512
    tls: dh_key_length = 512
    tls: verify_depth = 0
    tls: CA_path = (null)
    tls: pem_file_type = yes
    tls: private_key_file = /etc/raddb/certs/cert-srv.pem
    tls: certificate_file = /etc/raddb/certs/cert-srv.pem
    tls: CA_file = /etc/raddb/certs/demoCA/cacert.pem
    tls: private_key_password = whatever
    tls: dh_file = /etc/raddb/certs/dh
    tls: random_file = /etc/raddb/certs/random
    tls: fragment_size = 1024
    tls: include_length = yes
    tls: check_crl = no
    tls: check_cert_cn = (null)
    tls: cipher_list = (null)
    tls: check_cert_issuer = (null)
    rlm_eap_tls: Loading the certificate file as a chain
    rlm_eap: SSL error error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt
    rlm_eap_tls: Error reading private key file
    rlm_eap: Failed to initialize type tls
    radiusd.conf[10]: eap: Module instantiation failed.
    radiusd.conf[1941] Unknown module eap.
    radiusd.conf[1888] Failed
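An added example, not code from the list or from FreeRADIUS: a POSIX sh check for the failure in the debug output above, where "EVP_DecryptFinal_ex:bad decrypt" is what OpenSSL reports when the private_key_password in eap.conf does not decrypt private_key_file. The function name eap_tls_check is an assumption; it accepts the page's layout of key and certificate in one PEM file (cert-srv.pem) as well as separate files.

```shell
#!/bin/sh
# Added example, not code from the list thread or from FreeRADIUS.
# eap_tls_check KEYFILE CERTFILE PASSPHRASE
#   KEYFILE    the file named in private_key_file (may also contain the
#              certificate, as cert-srv.pem does in the debug output above)
#   CERTFILE   the file named in certificate_file
#   PASSPHRASE the value configured as private_key_password
# Exit status: 0 = passphrase decrypts the key and the key matches the cert
#              1 = passphrase does not decrypt the key ("bad decrypt")
#              2 = key decrypts but does not belong to the certificate
eap_tls_check() {
    key=$1; cert=$2; pass=$3
    # Step 1: the passphrase must decrypt the private key. This is the
    # check rlm_eap_tls fails with EVP_DecryptFinal_ex:bad decrypt when a
    # freshly generated key has a different passphrase than eap.conf.
    if ! openssl pkey -in "$key" -passin "pass:$pass" -noout >/dev/null 2>&1; then
        echo "$key: private_key_password does not decrypt the key" >&2
        return 1
    fi
    # Step 2: the public key inside the certificate must be the one derived
    # from the private key, otherwise the key loads but TLS still fails.
    key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null)
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null)
    if [ -z "$cert_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "$cert: certificate does not match the key in $key" >&2
        return 2
    fi
    echo "$key / $cert: key decrypts and matches the certificate"
    return 0
}
```

Run it against the files named in eap.conf before restarting radiusd, e.g. eap_tls_check /etc/raddb/certs/cert-srv.pem /etc/raddb/certs/cert-srv.pem whatever.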
Re: FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error [unclas]
OK, I've setup SFU and indeed it has populated my ldap fields some more. I have enabled the user Jacob Jarick as a unix user, created a unix group, added myself to it, then reset my password so the unix password would be set.

Search command:

    ldapsearch -h 10.1.1.11 -x -b dc=tfxschool,dc=internal -x -LLL -s sub 'objectclass=*'

Search Output: http://rapidshare.com/files/28137503/unixldap.txt.html

The list of info from myself:

    dn: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: user
    cn: Jacob Jarick
    sn: Jarick
    givenName: Jacob
    distinguishedName: CN=Jacob Jarick,OU=People,DC=tfxschool,DC=internal
    instanceType: 4
    whenCreated: 20070419064035.0Z
    whenChanged: 20070427035457.0Z
    displayName: Jacob Jarick
    uSNCreated: 73945
    memberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
    uSNChanged: 94233
    name: Jacob Jarick
    objectGUID:: +aiQmQK4HUS1E97VMF95aw==
    userAccountControl: 66048
    badPwdCount: 0
    codePage: 0
    countryCode: 0
    badPasswordTime: 0
    lastLogoff: 0
    lastLogon: 0
    pwdLastSet: 12822119697250
    primaryGroupID: 513
    userParameters:: bTogICAgICAgICAgICAgICAgICAgIGQJICAgICAgICAgICAgICAgICAgICAgICAg
    objectSid:: AQUAAAUVKyI9FO9VW1CmlC13bQQAAA==
    accountExpires: 9223372036854775807
    logonCount: 0
    sAMAccountName: jacob
    sAMAccountType: 805306368
    userPrincipalName: [EMAIL PROTECTED]
    objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=tfxschool,DC=internal
    msNPAllowDialin: TRUE
    dSCorePropagationData: 20070419075901.0Z
    dSCorePropagationData: 20070419075640.0Z
    dSCorePropagationData: 16010101000417.0Z
    lastLogonTimestamp: 128218581059375000
    msSFU30Name: jacob
    msSFU30NisDomain: tfxschool
    msSFU30PosixMemberOf: CN=unixgroup,OU=TFX School Users,DC=tfxschool,DC=internal
    msSFU30UidNumber: 1
    msSFU30Password: FxatPL90rt0As
    msSFU30GidNumber: 1
    msSFU30HomeDirectory: /home/jacob
    msSFU30LoginShell: /bin/sh

See, I now have a unix password field; how do I make freeradius check against that password hash, anyone?
Freeradius Auth via LDAP against Active Directory Server 2003
I have been at this for a while now, so I thought I would share a summary of what I have figured out so far for anyone else that decides to try this.

1 - Documentation for this particular configuration is either out of date / incomplete / both. There are no howtos that will get you from start to end (if you do know of one or wrote one yourself please share - I will myself when I figure it all out).

2 - Most of the trouble is due to the fact we are making a linux service talk to a windows service (AD LDAP). Freeradius talking to the linux passwd file is a breeze by comparison.

3 - The Windows 2003 LDAP implementation will not provide a password when a user / service performs an ldap search. The proper way, if I understand correctly, is to supply the plain text username / password; freeradius then performs a bind with the provided credentials against your ADS server, and success means the password was correct.

4 - Installing Services For Unix on 2003 will make AD LDAP provide a password hash attribute among other unix LDAP attributes. The user has to have posix enabled.

5 - Anonymous searches can be performed on 2003 AD LDAP if you set dSHeuristics to 002 using adsiedit.msc.

6 - Microsoft's LDAP is different to Novell's (big surprise) and so unfortunately their documentation isn't too helpful as a reference for people trying to use ADS in the same fashion.
FR + LDAP + ADS - rlm_ldap: ldap_search() failed: Operations error
radiusd.conf: radiusd -X -f: http://pastebin.ca/458790

Hello again, I have configured the ldap module according to the rlm_ldap wiki (minus TLS, just trying one thing at a time). I have supplied:

    identity = cn=admin,o=tfxschool,c=AU
    password = pass

as I have been told anonymous binding is not the way to go for confirming username/password. From reading the error log it seems to me that freeradius does successfully connect to the ADS server via ldap but fails to find the user. Output in question:

    rlm_ldap: - authorize
    rlm_ldap: performing user authorization for jacob
    radius_xlat: '(uid=jacob)'
    radius_xlat: 'o=tfxschool,c=AU'
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: attempting LDAP reconnection
    rlm_ldap: (re)connect to tfxschoolfs01.tfxschool.internal:389, authentication 0
    rlm_ldap: bind as /pass to tfxschoolfs01.tfxschool.internal:389
    rlm_ldap: waiting for bind result ...
    request done: ld 0x8697ed0 msgid 1
    rlm_ldap: Bind was successful
    rlm_ldap: performing search in o=tfxschool,c=AU, with filter (uid=jacob)
    request done: ld 0x8697ed0 msgid 2
    rlm_ldap: ldap_search() failed: Operations error
    rlm_ldap: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    modcall[authorize]: module ldap returns fail for request 0
    modcall: leaving group authorize (returns fail) for request 0
    Finished request 0 .

The user Jacob auth's fine via the ntlm_auth module but fails with my current ldap setup. Does the user admin need special privileges on the Windows 2003 ADS to search / retrieve user information (eg password, group etc)?
Re: Add a secondary ldap server to radiusd.conf
Sigh, I should just tell my employers to buy novell edirectory, it does look very nice.

On 4/24/07, Hubert Kupper [EMAIL PROTECTED] wrote:

On 23 Apr 2007 at 18:00, Jacob Jarick wrote:

Hubert would you mind showing me how you map the ldap password to the radius password. I've tried

    checkItem userPassword User-Password

but the radius debug logs complain that it needs User-Password still :|

On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:

Hello, how can I add a secondary ldap server to radiusd.conf for failover?

Jacob, we authenticate freeradius requests against Novell eDirectory with ldap.

    password_attribute = nspmPassword

Regards
Boert
Re: FR + ADS 2003 + ntlm_auth
Sorry to offend, but I have been seeing a lot of docs warn u of this etc; seeing as there are so many conflicting documents, getting the generic reply when I have read / googled high and low is quite frustrating.

On 4/24/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:

Hi, good docs, link it or shutup).

I will now no longer be replying to you alan
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, I try to understand; I can only get answers from you guys when available, so yes I do go off and try random howtos (literally anything I can find) in the hopes I learn a bit more. But yes, I am now 100% clear on not setting Auth-Type. Thanks again Alan.

On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:

Jacob Jarick wrote:
So the big question is, what Auth-Type do I use ?

You have been told that you should not set it. That means You should not set it. It does not mean use another value.

If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords.

You're confused because you're not believing the messages on this list. LDAP is not an authentication server. When you say authenticate against LDAP, you are talking nonsense. Other people have FreeRADIUS authenticating against Active Directory. They have done so by carefully following the guides.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + ADS 2003 + ntlm_auth
radiusd -X -f: http://pastebin.ca/455497

Alan, I have been trying to do my groundwork / homework is all, ie research before asking. It's simply a case of taking whatever support is available and not always being aware who the devs are. When nothing you have tried works, try something you haven't. It's rare to be told: don't google, ask. Anyway, I apologize for getting testy; I should have said if there is a doc I should be reading paste the link, rather than have me google, find the incorrect one, then be told the howto/document is incorrect.

Now regarding your document Alan, page 12 of 20:

    Make sure that the following lines are uncommented and that the value is the same as indicated here
    authtype = MS-CHAP

Is this the line in question?

    # An example configuration for using /etc/smbpasswd.
    #
    #passwd etc_smbpasswd {
    #       filename = /etc/smbpasswd
    #       format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
    #       authtype = MS-CHAP
    #       hashsize = 100
    #       ignorenislike = no
    #       allowmultiplekeys = no
    #}

I have checked through the tutorial again, all my config files were in order but ntlm_auth was failing for some reason; a reboot later and all was well again. Here is the output of my testing ntlm_auth, so you know I have the samba side working.

    [EMAIL PROTECTED] ~]# net join -U Administrator
    Administrator's password:
    Using short domain name -- TFXSCHOOL
    Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
    [EMAIL PROTECTED] ~]# wbinfo -a jacob%pass
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error message was: No such user
    Could not authenticate user jacob%pass with plaintext password
    challenge/response password authentication succeeded
    [EMAIL PROTECTED] ~]# ntlm_auth --request-nt-key --domain=tfxschool --username=jacob
    password:
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]#

So that's samba checking passwords fine. I ask because it is not under the # Microsoft CHAP authentication section at all.

I went through the whole log this time (sorry, bad habit of scrolling up for the last error then working on that 1 1st):

    modcall: entering group MS-CHAP for request 6
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password

^ Does that mean it did not get sent the password, or simply that it didn't find User-Password so it's using the found NT-Password?

And just below that (mem feels silly) I see:

    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 6
    modcall: leaving group MS-CHAP (returns reject) for request 6

Looking at resolving that issue right now.

On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:

Jacob Jarick wrote:
Sorry to offend, but I have been seeing a lot of docs warn u of this etc; seeing as there are so many conflicting documents, getting the generic reply when I have read / googled high and low is quite frustrating.

The authors of the program you're using have told you what works and what doesn't. You have a hard time believing them, because of some random web page that isn't associated with the project. Is that really what you're saying?

If your boss tells you to come in to work at 9am, do you show up at noon, claiming confusion, because the 10 year old newspaper boy down the street said you could show up at noon?

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + ADS 2003 + ntlm_auth
For any1 else who might have the same problem, it was resolved by the following cmd:

    chgrp radiusd /var/cache/samba/winbindd_privileged/

Original article: http://www.members.optushome.com.au/~wskwok/poptop_ads_howto_10.htm

Thanks to google and Alan for tipping me off. Yes I am about to backup everything :P before resuming ldap.

On 4/24/07, Jacob Jarick [EMAIL PROTECTED] wrote:

radiusd -X -f: http://pastebin.ca/455497

Alan, I have been trying to do my groundwork / homework is all, ie research before asking. It's simply a case of taking whatever support is available and not always being aware who the devs are. When nothing you have tried works, try something you haven't. It's rare to be told: don't google, ask. Anyway, I apologize for getting testy; I should have said if there is a doc I should be reading paste the link, rather than have me google, find the incorrect one, then be told the howto/document is incorrect.

Now regarding your document Alan, page 12 of 20:

    Make sure that the following lines are uncommented and that the value is the same as indicated here
    authtype = MS-CHAP

Is this the line in question?

    # An example configuration for using /etc/smbpasswd.
    #
    #passwd etc_smbpasswd {
    #       filename = /etc/smbpasswd
    #       format = *User-Name::LM-Password:NT-Password:SMB-Account-CTRL-TEXT::
    #       authtype = MS-CHAP
    #       hashsize = 100
    #       ignorenislike = no
    #       allowmultiplekeys = no
    #}

I have checked through the tutorial again, all my config files were in order but ntlm_auth was failing for some reason; a reboot later and all was well again. Here is the output of my testing ntlm_auth, so you know I have the samba side working.

    [EMAIL PROTECTED] ~]# net join -U Administrator
    Administrator's password:
    Using short domain name -- TFXSCHOOL
    Joined 'LOCALHOST' to realm 'TFXSCHOOL.INTERNAL'
    [EMAIL PROTECTED] ~]# wbinfo -a jacob%pass
    plaintext password authentication failed
    error code was NT_STATUS_NO_SUCH_USER (0xc064)
    error message was: No such user
    Could not authenticate user jacob%pass with plaintext password
    challenge/response password authentication succeeded
    [EMAIL PROTECTED] ~]# ntlm_auth --request-nt-key --domain=tfxschool --username=jacob
    password:
    NT_STATUS_OK: Success (0x0)
    [EMAIL PROTECTED] ~]#

So that's samba checking passwords fine. I ask because it is not under the # Microsoft CHAP authentication section at all.

I went through the whole log this time (sorry, bad habit of scrolling up for the last error then working on that 1 1st):

    modcall: entering group MS-CHAP for request 6
    rlm_mschap: No User-Password configured. Cannot create LM-Password.
    rlm_mschap: No User-Password configured. Cannot create NT-Password.
    rlm_mschap: Told to do MS-CHAPv2 for jacob with NT-Password

^ Does that mean it did not get sent the password, or simply that it didn't find User-Password so it's using the found NT-Password?

And just below that (mem feels silly) I see:

    Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=jacob --domain=TFXSCHOOL --challenge=a1a6b069c8d565ac --nt-response=abd3d6a8f9fdef0cf50b4ea12325cbaa9fbeccfd716c07ec
    Exec-Program output: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program-Wait: plaintext: winbind client not authorized to use winbindd_pam_auth_crap. Ensure permissions on /var/cache/samba/winbindd_privileged are set correctly. (0xc022)
    Exec-Program: returned: 1
    rlm_mschap: External script failed.
    rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
    modcall[authenticate]: module mschap returns reject for request 6
    modcall: leaving group MS-CHAP (returns reject) for request 6

Looking at resolving that issue right now.

On 4/24/07, Alan DeKok [EMAIL PROTECTED] wrote:

Jacob Jarick wrote:
Sorry to offend, but I have been seeing a lot of docs warn u of this etc; seeing as there are so many conflicting documents, getting the generic reply when I have read / googled high and low is quite frustrating.

The authors of the program you're using have told you what works and what doesn't. You have a hard time believing them, because of some random web page that isn't associated with the project. Is that really what you're saying?

If your boss tells you to come in to work at 9am, do you show up at noon, claiming confusion, because the 10 year old newspaper boy down the street said you could show up at noon?

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
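An added example, not code from the list or from Samba/FreeRADIUS: a POSIX sh check for the winbindd_privileged permission problem that the chgrp above fixes. ntlm_auth runs as the radiusd service user, so that user must be able to traverse the socket directory through its owner or group bits; the function name winbind_priv_check and the suggested fix line it prints are assumptions.

```shell
#!/bin/sh
# Added example, not code from the list thread or from Samba/FreeRADIUS.
# winbind_priv_check DIR USER
#   DIR   the winbindd privileged socket directory
#         (e.g. /var/cache/samba/winbindd_privileged)
#   USER  the account radiusd runs as, which executes ntlm_auth
# Exit status: 0 = USER can traverse DIR via owner or group permissions
#              1 = DIR does not exist or is not a directory
#              2 = USER has no access; prints the chgrp/chmod to fix it
winbind_priv_check() {
    dir=$1; user=$2
    [ -d "$dir" ] || { echo "$dir: not a directory" >&2; return 1; }
    # ls -ld is portable across GNU/BSD/busybox: field 1 is the mode string
    # (e.g. drwxr-x---), field 3 the owner, field 4 the group.
    set -- $(ls -ld "$dir")
    mode=$1; owner=$3; group=$4
    # Owner path: USER owns DIR and the owner execute (traverse) bit is set.
    if [ "$owner" = "$user" ]; then
        case "$mode" in ???x*) return 0 ;; esac
    fi
    # Group path: USER is a member of DIR's group and the group execute bit
    # is set. This is what "chgrp radiusd winbindd_privileged" relies on.
    for g in $(id -Gn "$user" 2>/dev/null); do
        if [ "$g" = "$group" ]; then
            case "$mode" in ??????x*) return 0 ;; esac
        fi
    done
    echo "$user cannot traverse $dir (mode $mode, owner $owner, group $group)" >&2
    echo "suggested fix: chgrp $user $dir && chmod 750 $dir" >&2
    return 2
}
```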
Re: Add a secondary ldap server to radiusd.conf
Hubert would you mind showing me how you map the ldap password to the radius password. I've tried

    checkItem userPassword User-Password

but the radius debug logs complain that it needs User-Password still :|

On 4/23/07, Hubert Kupper [EMAIL PROTECTED] wrote:

Hello, how can I add a secondary ldap server to radiusd.conf for failover?

Regards
Boert
FR + LDAP + ADS 2003 password questions
Here is a 57kb tar.gz of my /etc/raddb folder containing all configs: http://rapidshare.com/files/27470184/20070420_ldap_working.tar.gz.html

--

Hello, I have been reading everything I can get my hands on to resolve this problem I'm having. The error message related to this problem:

    Attribute User-Password is required for authentication.

Now I have just read through doc/rlm_ldap again and the 4th last paragraph made me wonder if this current method I'm trying is supported:

    LDAP and Active Directory - Active directory does not return anything in the userPassword attribute, unlike other LDAP servers. As a result, you cannot use Active Directory to perform CHAP, MS-CHAP, or EAP-MD5 authentication. You can only use PAP, and then only if you list ldap in the authenticate section. To do MS-CHAP against an Active Directory domain, see the comments in radiusd.conf, about ntlm_auth. You will need to install Samba.

Is it true that the only way to authenticate against active directory is using ntlm_auth? I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having samba installed. I can't see the risk of having samba installed myself if no directories are being shared (please correct me if I'm wrong).

I have enabled anonymous LDAP searches on the ADS. On friday I added this line to ldap.attrmap:

    checkItem userPassword User-Password

And it worked for that day. I came back after the weekend, copied configs across to my 2nd linux machine and retried, but it failed with the old error mentioned above. I tried on the test server and it now fails as well with the same error (possibly the server was reset over the weekend or something, I dunno).

My test shows that anonymous search is definitely working:

    ldapsearch -h 10.1.1.11 -b 'dc=tfxschool,dc=internal' -x -LLL -s sub 'objectclass=*'

I don't have access to the machines atm (finished work for the day) but I did notice that down the bottom of ldap.attrmap I still have these entries, which were suggested by a thread I found on google (same error message). I'm wondering if these lines will be adversely affecting my entry above and/or ldap authentication in general.

    checkItem LM-Password lmPassword
    checkItem NT-Password ntPassword
    checkItem User-Password lmPassword

Thanks in advance people, I really appreciate the help I have been getting on this mailing list. It has been an epic struggle for me so far (learning perl + snmp + cisco was easier) but I haven't given up hope yet!
Re: FR + LDAP + ADS 2003 password questions
Sorry to pester u Alan :P Does mschapv2 also support ntlm_auth? And now that I understand your tables (well I think) I should be able to persuade my employer to use ntlm and firewall the samba ports.

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:

Jacob Jarick wrote:
Is it true that the only way to authenticate against active directory is using ntlm_auth ?

For ms-chap, yes.

I have been specifically asked not to use the ntlm_auth method against AD out of security concerns from having samba installed. I can't see the risk of having samba installed myself if no directories are being shared (please correct me if I'm wrong).

Yes. You can also put firewall rules in place to block any traffic to the Samba machine.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Forgive the newbie questions but I think it's best to clear up confusion.

    client - cisco - FR server = eap
    FR - ADS 2003 = pap

Is that correct or am I way off track?

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:

Jacob Jarick wrote:
Thanks again Alan. For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).

Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.

Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user?

It's the other way around. LDAP bind as user only works with PAP.

When using PAP - LDAP will I still have to map userPassword to User-Password?

No. I've added some more code that will go into 1.1.7 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.

Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section.

I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.

Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?

No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.

Alan DeKok.
--
http://deployingradius.com       - The web site of the book
http://deployingradius.com/blog/ - The blog
Re: FR + LDAP + ADS 2003 password questions
Thanks

On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Sorry to pester you Alan :P Does mschapv2 also support ntlm_auth?
>
> Yes. The mschap module does both mschapv1 and mschapv2.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
FR + LDAP + PAM + encryption question
From my recent thread with Alan, I have gathered that ldap only supports PAP. PAP sends the password in plain text. Is it possible to encapsulate PAP inside another protocol, say EAP, to protect it from packet sniffers etc.?

Failing that, is it possible to assign vlans based on ldap primary group via the ntlm_auth method?
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
So the big question is, what Auth-Type do I use? If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords?

On 4/23/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Forgive the newbie questions but I think it's best to clear up confusion.
>
> client - cisco - FR server = eap
> FR - ADS 2003 = pap
>
> Is that correct or am I way off track?
>
> On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > Jacob Jarick wrote:
> > > Thanks again Alan. For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).
> >
> > Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.
> >
> > > Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user?
> >
> > It's the other way around. LDAP bind as user only works with PAP.
> >
> > > When using PAP - LDAP will I still have to map userPassword to User-Password?
> >
> > No. I've added some more code that will go into 1.1.7 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.
> >
> > > Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section?
> >
> > I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.
> >
> > > Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?
> >
> > No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.
> >
> > Alan DeKok.
> > --
> > http://deployingradius.com - The web site of the book
> > http://deployingradius.com/blog/ - The blog
Requesting Decent Freeradius + ADS 2003 + LDAP howto
Ok, I have read them all - the wikis, the unrelated novell howtos for edirectory, bought an O'Reilly book on ldap (their FR + LDAP howto is incorrect apparently) and googled countless times.

The articles on http://wiki.freeradius.org/LDAP aren't much help, they just re-iterate what's in the config files, and rlm_ldap doesn't seem to mention setting the users file.

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
The above article instructs you to set Auth-Type =: LDAP which is wrong, I have been told by Alan (but what is correct then?).

I am about to start from fresh again just to make sure it's not a config setting I have changed and forgot to fix. But I would appreciate any good howtos others may have found and of course any answers / information you guys can provide.

Thanks again.
Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto
These examples here look a bit more promising.
http://vuksan.com/linux/dot1x/802-1x-LDAP.html

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Ok, I have read them all - the wikis, the unrelated novell howtos for edirectory, bought an O'Reilly book on ldap (their FR + LDAP howto is incorrect apparently) and googled countless times.

The articles on http://wiki.freeradius.org/LDAP aren't much help, they just re-iterate what's in the config files, and rlm_ldap doesn't seem to mention setting the users file.

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
The above article instructs you to set Auth-Type =: LDAP which is wrong, I have been told by Alan (but what is correct then?).

I am about to start from fresh again just to make sure it's not a config setting I have changed and forgot to fix. But I would appreciate any good howtos others may have found and of course any answers / information you guys can provide.

Thanks again.
Fwd: Requesting Decent Freeradius + ADS 2003 + LDAP howto
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS#Configuring_The_.2Fetc.2Fraddb.2Fradiusd.conf_File

Another howto that instructs you to set DEFAULT Auth-Type := LDAP

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 24, 2007 9:01 AM
Subject: Requesting Decent Freeradius + ADS 2003 + LDAP howto
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Ok, I have read them all - the wikis, the unrelated novell howtos for edirectory, bought an O'Reilly book on ldap (their FR + LDAP howto is incorrect apparently) and googled countless times.

The articles on http://wiki.freeradius.org/LDAP aren't much help, they just re-iterate what's in the config files, and rlm_ldap doesn't seem to mention setting the users file.

http://tldp.org/HOWTO/archived/LDAP-Implementation-HOWTO/radius.html
The above article instructs you to set Auth-Type =: LDAP which is wrong, I have been told by Alan (but what is correct then?).

I am about to start from fresh again just to make sure it's not a config setting I have changed and forgot to fix. But I would appreciate any good howtos others may have found and of course any answers / information you guys can provide.

Thanks again.
Re: rlm_ldap: Attribute User-Password is required for authentication. HELP Please
Alan, my test pc only supports PEAP over wireless and the setup has to be wireless. Removing ldap from the authenticate section causes an EAP error, so I guess there is more configuration than simply removing / commenting that section out.

I don't know how to not bind as a user when using FR + LDAP, no document I have seen so far seems to cover it.

What encryption do you use for the ldap password in radius.conf, so that anonymous searches are not needed?

On 4/24/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> So the big question is, what Auth-Type do I use? If LDAP is not permitted (still confuses me as I only need / want radius to authenticate against LDAP) what Auth-Type do I set in the users file so that Wireless users can authenticate using their ADS username and passwords?
>
> On 4/23/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> > Forgive the newbie questions but I think it's best to clear up confusion.
> >
> > client - cisco - FR server = eap
> > FR - ADS 2003 = pap
> >
> > Is that correct or am I way off track?
> >
> > On 4/23/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > > Jacob Jarick wrote:
> > > > Thanks again Alan. For reference the O'Reilly LDAP book instructs you to set Auth-Type := LDAP so that's where I got the bad reference (perhaps other people too).
> > >
> > > Yes. There is a LOT of documentation (web pages, etc.) that say to do the wrong thing. It's unfortunate that the people writing those don't read the FreeRADIUS docs first, and don't ask us to review their configuration.
> > >
> > > > Now let's see if I understood the tables correctly. PAP is the only method that will support LDAP bind as user?
> > >
> > > It's the other way around. LDAP bind as user only works with PAP.
> > >
> > > > When using PAP - LDAP will I still have to map userPassword to User-Password?
> > >
> > > No. I've added some more code that will go into 1.1.7 2.0. If the LDAP module succeeds in retrieving a password from LDAP, it does NOT set Auth-Type to LDAP.
> > >
> > > > Will there be extra configuration required on free radius to make use of pap - ADS ldap or will it work automatically because ldap is configured in the modules {} section?
> > >
> > > I would ask what other authentication protocols you need to support before suggesting to set Auth-Type to LDAP.
> > >
> > > > Won't using PAP mean plain text password from client - cisco wap - radius - ADS server?
> > >
> > > No. 802.1x uses EAP, which is NOT PAP, and which is NOT compatible with Auth-Type = LDAP.
> > >
> > > Alan DeKok.
> > > --
> > > http://deployingradius.com - The web site of the book
> > > http://deployingradius.com/blog/ - The blog
FR + ADS 2003 + ntlm_auth
radius -X -f: http://pastebin.ca/455389
config files:

Hello All,

I have gone back to ntlm_auth for the time being instead of ldap due to the incredibly frustrating lack of good documentation (if there are good docs, link it or shutup). None of the howtos / tutorials I have followed end in success, it's always some ldap error of some kind. At least 1/2 the FR + LDAP howtos say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is incorrect.

I followed Alan's Active Directory Integration tutorial and everything is set up as the guide says, but eap fails with this message:

rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.

I had this the 1st time I followed the pdf but I did find another howto that said to add something else and that got it working, but for the life of me I can't find it again.
FR + ADS 2003 + ntlm_auth (including config files)
radius -X -f: http://pastebin.ca/455389
config files: http://rapidshare.com/files/27607850/config.tgz.html

Hello All,

I have gone back to ntlm_auth for the time being instead of ldap due to the incredibly frustrating lack of good documentation (if there are good docs, link it or shutup). None of the howtos / tutorials I have followed end in success, it's always some ldap error of some kind. At least 1/2 the FR + LDAP howtos say to set DEFAULT Auth-Type := LDAP which I have been told by Alan is incorrect.

I followed Alan's Active Directory Integration tutorial and everything is set up as the guide says, but eap fails with this message:

rlm_eap: Handler failed in EAP/peap
rlm_eap: Failed in EAP select
modcall[authenticate]: module eap returns invalid for request 7
modcall: leaving group authenticate (returns invalid) for request 7
auth: Failed to validate the user.

I had this the 1st time I followed the pdf but I did find another howto that said to add something else and that got it working, but for the life of me I can't find it again.

On another note I'd like to volunteer to help update some of the documentation out there on FR, some is horribly out of date and makes for a very frustrating introduction for people.
Re: Fedora 1.1.6 rpm build BROKEN
hahaha sorry alan. Big mistake of mine, I am dyslexic and yer well there u go. I was reading suse as fedora (don't ask why). Sorry for the false alarm, I did check and double check but sometimes I never see the words right once I have mis-read them until some1 else points it out.

So I should be using the redhat spec file for fedora, correct? - will try that asap.

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > The deps have incorrect names, ie requests apache2-devel but fedora calls it httpd2-devel and so on.
>
> argh!!! now it all makes sense. from your previous email you said
>
> > cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
>
> why the ** would you be trying to use a SUSE spec file on a Fedora system??? Fedora is REDHAT. use the REDHAT spec file!
>
> /freeradius-1.1.6/redhat/
>
> look. not only the correct spec file, but also a nice init.d script so you can run it as a service upon boot. oh! and a nice logrotate script too.
>
> I really can't see the problem here.
>
> alan
Re: 1.1.6 rpm build errors
Thanks again for the reply. Yes it was a mistake on my behalf, no1 else's (I'm dyslexic and misread the suse as fedora). Thanks for catching me on that, keep up the good work guys.

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > Notes:
> > * The wiki glosses over a little and gives u an incorrect dir
> > * the spec file expects 1.1.5 tar.gz
>
> yes, that has already been noted. simply edit the spec file to use the correct value.
>
> > # tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
> > # cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
> > # cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
> > # rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec
>
> just confirm that you are running SUSE or RedHat/Fedora/CentOS ?
>
> > [EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec
> > sh: apxs2-prefork: command not found
> > sh: apxs2-prefork: command not found
> > sh: apxs2-prefork: command not found
>
> okay. no apache devel tools installed.
>
> > error: Failed build dependencies:
> >         apache2-devel is needed by freeradius-1.1.5-0.generic.i386
> >         db-devel is needed by freeradius-1.1.5-0.generic.i386
> >         gettext-devel is needed by freeradius-1.1.5-0.generic.i386
> >         mysql-devel is needed by freeradius-1.1.5-0.generic.i386
> >         net-snmp-devel is needed by freeradius-1.1.5-0.generic.i386
> >         openldap2-devel is needed by freeradius-1.1.5-0.generic.i386
> >         postgresql-devel is needed by freeradius-1.1.5-0.generic.i386
> >         unixODBC-devel is needed by freeradius-1.1.5-0.generic.i386
>
> yep. it'll need all of these - IF you want a fully specced FreeRADIUS install. you can edit the SPEC file if you really want/need to have less features - simply edit the ./configure command etc and remove the dependencies that match those changes.
>
> > now checking yum and smart --gui I do not see apache2-devel for starters.
>
> correct distro for the spec file? how did you check with yum?
>
> > So for the mean time I am back to compiling as rpm's are causing the issues they are famous for.
> > If some1 has some tips on resolving dependencies I will be interested. But I do not see why it needs apache2 headers anyway.
>
> that'd be for the lovely FreeRADIUS apache authentication module mod_auth_radius most likely
>
> alan
Re: Fedora 1.1.6 rpm build BROKEN
Here is my updated install (now the same as the wiki's) and yes, it works the way I expected. Swapping to 1.1.6 now, then back to figuring out LDAP :)

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/
# cp freeradius-1.1.6/redhat/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

On 4/19/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
> > So I should be using the redhat spec file for fedora correct ? - will
>
> correct. SUSE is a very different beast to RedHat - as you have discovered
>
> alan
rlm_ldap: ldap_search() failed: Operations error - advice please
Freeradius 1.1.3 installed via YUM on Fedora (not suse :P)
radiusd.conf: http://pastebin.ca/447690
radiusd -X -A output: http://pastebin.ca/447693
domain: tfxschool.internal
ADS: tfxschoolfs01.tfxschool.internal

Hi again people,

I have been poring through the O'Reilly LDAP book (quite informative so far too btw). I got the example of using freeradius against the linux passwd file working fine. I tried their Freeradius and OpenLDAP (now I know ADS isn't OpenLDAP btw) and it fails with the following message:

rlm_ldap: ldap_search() failed: Operations error

O'Reilly's one recommended for OpenLDAP (errors, possibly due to incorrect syntax?):
filter = ((objectclass=posixAccount)(uid=%{Stripped-User-Name:-%{User-Name}}))

Default filter (fails with the same search error):
filter = (uid=%{Stripped-User-Name:-%{User-Name}})

I'm wondering if it is perhaps my basedn? I'm still getting used to the idea of them; the user jacob (me) resides in the ou people FYI.
basedn = ou=people,dc=tfxschool,dc=internal

That's all my info atm. I'm currently compiling a 1.1.6 rpm (after Alan resolving my silly little mistake) and will test then report back, as I feel it's more likely a config error than a bug :)

If some1 else has a working radius setup that auths against AD using LDAP would they mind sending me the ldap { } section, would be very handy to compare my config to a working one.

Thanks all, keep up the good work.
Re: rlm_ldap: ldap_search() failed: Operations error - advice please
After more research yet again (google / O'Reilly / FR mailing list archives) I think it's one of these 2 scenarios.

1 - Anonymous Searches in Active Directory isn't working
2 - When I set:
# identity = cn=root,o=tfxschool,c=AU
# password = pass
the password should be encrypted. I have tried slappasswd but to no avail.

O'Reilly showed me the anonymous way (which fails quite possibly due to win2k3 permissions) and the gentoo 1 actually shows u how to enable Anonymous Searches in Active Directory on windows 2000.

So yes, def ldap atm not FR. I will post a separate request asking about FR + win2k3 Allowing Anonymous Searches in Active Directory.

Gentoo howto: http://gentoo-wiki.com/HOWTO_Adding_a_Samba_Server_into_an_existing_AD_Domain

On 4/19/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > I have been poring through the O'Reilly LDAP book (quite informative so far too btw). I got the example of using freeradius against the linux passwd file working fine. I tried their Freeradius and OpenLDAP (now I know ADS isn't OpenLDAP btw) and it fails with the following message:
> >
> > rlm_ldap: ldap_search() failed: Operations error
>
> That's an internal LDAP error saying something went wrong, and it can't be more specific than that. I'm not sure what to suggest.
>
> > If some1 else has a working radius setup that auths against AD using LDAP would they mind sending me the ldap { } section, would be very handy to compare my config to a working one.
>
> Google is your friend: freeradius ldap active directory
>
> http://lists.cistron.nl/pipermail/freeradius-users/2004-August/035046.html
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Fedora 1.1.6 rpm build BROKEN
Unless I did something wrong mate it def doesn't build (dependencies have diff names).

On the topic though, 1.1.6 built fine from the redhat spec file. I am going to trial it once I'm done with testing this ldap search problem.

On 4/19/07, Peter Nixon [EMAIL PROTECTED] wrote:
> On Thu 19 Apr 2007, [EMAIL PROTECTED] wrote:
> > Hi,
> >
> > > So I should be using the redhat spec file for fedora correct ? - will
> >
> > correct. SUSE is a very different beast to RedHat - as you have discovered
>
> Erm.. Having said that, the SUSE spec file should and DOES build on Fedora as well. I have gone to quite some trouble to make it compatible with SUSE, Fedora and Mandriva.. The same is not true for the existing RedHat spec file..
>
> Cheers
> --
> Peter Nixon
> http://www.peternixon.net/
> PGP Key: http://www.peternixon.net/public.asc
Re: Crypt passwords doesn't work
On the topic of password encryption. Kevin, would you know how to encode a password for a windows 2003 active directory server? I need a user with permission to do active directory searches; it tries atm but fails because the password is not encrypted. Even if you know what the encryption they use is, it would be a big help, thanks.

On 4/19/07, Sebastian Firpo [EMAIL PROTECTED] wrote:
> It works!!! Thank you very much!
>
> Kevin Bonner wrote:
> > I almost ignored your message, as I don't parse HTML well. =)
> >
> > On Wednesday 18 April 2007 18:06:28 Sebastian Firpo wrote:
> > > Thank you Kevin, but it didn't work. Now my entire users file is:
> > >
> > > sebas   Crypt-Password := "(!lGOOlHaBWoQ"
> > >         Service-Type = Administrative-User,
> > >         Cisco-AVPair = "shell:priv-lvl=15"
> > >
> > > and then the debug was:
> > >
> > > rad_recv: Access-Request packet from host 10.12.4.2:1645, id=103, length=75
> > >         NAS-IP-Address = 10.12.4.2
> > >         NAS-Port = 1
> > >         NAS-Port-Type = Virtual
> > >         User-Name = "sebas"
> > >         Calling-Station-Id = "10.11.1.25"
> > >         User-Password = "hello"
> > >
> > > Another idea?? Thanks a lot, any way.
> >
> > $ perl -e 'print crypt("hello", "(!") . "\n";'
> > (!BVoPlmea8cg
> >
> > Fix your Crypt-Password? How are you generating that encrypted string?
> >
> > -Kevin
Re: Howto compile 1.1.6 on Fedora 6
I just tried building 1.1.6 as an rpm on suse, it fails with this error.

[EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/packages/SPECS/freeradius.spec
error: File /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz: No such file or directory

These are the corrected instructions.

Notes:
* The wiki glosses over a little and gives u an incorrect dir
* the spec file expects 1.1.5 tar.gz

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
# cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

On 4/16/07, Nicolas Baradakis [EMAIL PROTECTED] wrote:
> You were not told to pick up a random RPM on the net. The wiki explains how to build yourself a RPM from sources. The resulting package should run without problem on the host where it was compiled.
Fedora 1.1.6 rpm build BROKEN
The deps have incorrect names, ie requests apache2-devel but fedora calls it httpd2-devel and so on. So atm rpm building is completely broken, any comments / suggestions are welcome. I will be going back to compiling from source until the bins are resolved.

I suppose I could use some random rpm for 1.1.6 or compile the source but for now I will go back to using 1.1.3 that is provided with fedora (it installs without dep errors).

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 19, 2007 10:18 AM
Subject: 1.1.6 rpm build errors
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

Notes:
* The wiki glosses over a little and gives u an incorrect dir
* the spec file expects 1.1.5 tar.gz

# cd /usr/src
# tar zxvf /root/Desktop/freeradius-1.1.6.tar.gz
# cp /root/Desktop/freeradius-1.1.6.tar.gz /usr/src/redhat/SOURCES/freeradius-1.1.5.tar.gz
# cp freeradius-1.1.6/suse/freeradius.spec /usr/src/redhat/SPECS/
# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec

^ that gets me to this point here:

[EMAIL PROTECTED] src]# rpmbuild -ba /usr/src/redhat/SPECS/freeradius.spec
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
sh: apxs2-prefork: command not found
error: Failed build dependencies:
        apache2-devel is needed by freeradius-1.1.5-0.generic.i386
        db-devel is needed by freeradius-1.1.5-0.generic.i386
        gettext-devel is needed by freeradius-1.1.5-0.generic.i386
        mysql-devel is needed by freeradius-1.1.5-0.generic.i386
        net-snmp-devel is needed by freeradius-1.1.5-0.generic.i386
        openldap2-devel is needed by freeradius-1.1.5-0.generic.i386
        postgresql-devel is needed by freeradius-1.1.5-0.generic.i386
        unixODBC-devel is needed by freeradius-1.1.5-0.generic.i386

now checking yum and smart --gui I do not see apache2-devel for starters.

So for the mean time I am back to compiling as rpm's are causing the issues they are famous for. If some1 has some tips on resolving dependencies I will be interested. But I do not see why it needs apache2 headers anyway.
Re: FR + AD + Vlans + LDAP help
Thanks again alan. ntlm_auth error fixed, just working on the next 1 now :)

On 4/17/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > I'm currently trying to configure freeradius to authenticate via a win2k3 server, check the user's group and then return a confirmation / denial + vlan id for the cisco WAP to process.
> >
> > Questions:
> > 1: Is ldap the only way of retrieving the user's group/s
>
> If the users and groups are in LDAP, yes.
>
> > 2 - Can I talk directly to the ADS using the ldap client (or however it's done) instead of setting up a linux openldap server.
>
> Yes. Just point the ldap module to active directory.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FR + AD + Vlans + LDAP help
radiusd -X -A output: http://pastebin.ca/444131
radius.conf: http://pastebin.ca/444132

OK I've sorted that pesky ntlm_auth error, but I have encountered a new 1 (at least it's something new :D ). The specific part of the error is below.

rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.1.1.11:389, authentication 0
rlm_ldap: could not set LDAP_OPT_X_TLS_REQUIRE_CERT option to allow
rlm_ldap: bind as cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=com/frpass to 10.1.1.11:389
rlm_ldap: waiting for bind result ...
rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
rlm_ldap: (re)connection attempt failed
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
modcall[authorize]: module ldap returns fail for request 1
modcall: leaving group authorize (returns fail) for request 1

It complains about my password in radius.conf. Here is the section in question:

ldap {
        # !! I assume that mydomain is replaced with desired domain.
        server = 10.1.1.11
        identity = "cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=com"
        password = frpass

        # this is the basedn to do searches on a user
        basedn = "ou=users,ou=radius,dc=tfxschool,dc=com"

        # notice the username is the stripped user-name or user-name
        filter = "(uid=%{Stripped-User-Name:-{User-Name}})"

        start_tls = no
        tls_mode = no

        # this maps ldap attributetypes to radius attributes
        dictionary_mapping = ${raddbdir}/ldap.attrmap

        ldap_cache_timeout = 120
        ldap_cache_size = 0
        ldap_connections_number = 10

        #password_header = {clear}

        # While integrating FreeRADIUS with Novell eDirectory, set
        # 'password_attribute = nspmpassword' in order to use the universal password
        # of the eDirectory users for RADIUS authentication. This will work only if
        # FreeRADIUS is configured to build with --with-edir option.
        password_attribute = frpass
}

I have created the user freeradius on the win2k3 server, added him to the groups admins and radius and set the password to frpass.

All insights and suggestions welcome.
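Added here as an editor's example, not code from the post or from rlm_ldap: a small Python model of how the `filter` template in the ldap section above is expanded against the request before the search is sent, with each substituted value escaped as RFC 4515 requires so that a User-Name containing `*`, `(` or `)` is matched as data rather than changing the filter. It also lints the template as written above, where the fallback is `{User-Name}` without a leading `%` and so is not an expansion at all (compare the default `%{Stripped-User-Name:-%{User-Name}}` form). The basedn is the one from the config; one caveat on the same section: `password_attribute` names the LDAP attribute that holds a user's password (the eDirectory comment's `nspmpassword` is an attribute name), it is not where the bind password goes.

```python
import re

# Constructed samples: the filter template and basedn as posted in the ldap {} section.
FILTER_TEMPLATE = "(uid=%{Stripped-User-Name:-%{User-Name}})"
BASEDN = "ou=users,ou=radius,dc=tfxschool,dc=com"
# The template exactly as it appears in the post: '{User-Name}' is missing its '%'.
BAD_FILTER_TEMPLATE = "(uid=%{Stripped-User-Name:-{User-Name}})"

# RFC 4515 escapes for the characters that carry meaning inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Matches %{Attr} or %{Attr:-default}; the default may itself be one %{...} expansion.
_XLAT = re.compile(r"%\{([A-Za-z0-9-]+)(?::-((?:%\{[^{}]*\}|[^{}])*))?\}")


def escape_filter_value(value: str) -> str:
    """Escape a RADIUS attribute value so it is matched as data, not as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def xlat(template: str, attrs: dict) -> str:
    """Expand %{Attr} / %{Attr:-default} against the request's attribute pairs.

    Follows the documented meaning of the template (use Stripped-User-Name when the
    request carries one, otherwise fall back to User-Name). Escaping every value
    that is substituted is this example's own addition, so that a User-Name such
    as 'a*' cannot widen the search.
    """
    def substitute(m: re.Match) -> str:
        name, default = m.group(1), m.group(2)
        value = attrs.get(name)
        if value:
            return escape_filter_value(value)
        return xlat(default, attrs) if default is not None else ""
    return _XLAT.sub(substitute, template)


def template_problems(template: str) -> list:
    """Lint a filter template: unbalanced braces, or a '{' not introduced by '%'.

    A '{' without '%' is literal text: it is never expanded and is searched for as-is.
    """
    problems = []
    if template.count("{") != template.count("}"):
        problems.append("unbalanced braces")
    for i, ch in enumerate(template):
        if ch == "{" and (i == 0 or template[i - 1] != "%"):
            problems.append(f"'{{' at offset {i} is not preceded by '%' and will be searched literally")
    return problems


def build_search(template: str, attrs: dict, basedn: str = BASEDN) -> dict:
    """Return the base DN and the fully expanded filter that would be sent to the server."""
    return {"basedn": basedn, "filter": xlat(template, attrs)}


if __name__ == "__main__":
    for attrs in ({"User-Name": "jacob"},
                  {"User-Name": "jacob@tfxschool.internal", "Stripped-User-Name": "jacob"},
                  {"User-Name": "ja(cob)*"}):
        print(build_search(FILTER_TEMPLATE, attrs))
    print(template_problems(BAD_FILTER_TEMPLATE))
    # The mistyped template expands to nothing: the literal text is what gets searched.
    print(build_search(BAD_FILTER_TEMPLATE, {"User-Name": "jacob"}))
```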
Re: FR + AD + Vlans + LDAP help
radiusd -X -A output: http://pastebin.ca/444162
radiusd.conf: http://pastebin.ca/444163

I just figured out that ou != groups. So my current freeradius user is \admins\radius\freeradius, admins being an organisational unit, radius being an ou inside admins. I get this error when freeradius tries to confirm the user/passwd against the ADS.

rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf

On 4/17/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > I'm currently trying to configure freeradius to authenticate via a win2k3 server, check the user's group and then return a confirmation / denial + vlan id for the cisco WAP to process.
> >
> > Questions:
> > 1: Is ldap the only way of retrieving the user's group/s
>
> If the users and groups are in LDAP, yes.
>
> > 2 - Can I talk directly to the ADS using the ldap client (or however it's done) instead of setting up a linux openldap server.
>
> Yes. Just point the ldap module to active directory.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: FR + AD + Vlans + LDAP help
radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

After re-reading http://wiki.freeradius.org/index.php/Rlm_ldap I enabled ldap debug and re-arranged the ldap config like so:

before:
identity = cn=freeradius,ou=admins,ou=radius,dc=tfxschool,dc=internal
password = frpass

after:
identity = cn=freeradius,ou=admins,ou=radius,dc=tfxschool
password = frpass

It didn't seem to make any difference unfortunately.

On 4/17/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > I'm currently trying to configure freeradius to authenticate via a win2k3 server, check the user's group and then return a confirmation / denial + vlan id for the cisco WAP to process.
> >
> > Questions:
> > 1: Is ldap the only way of retrieving the user's group/s
>
> If the users and groups are in LDAP, yes.
>
> > 2 - Can I talk directly to the ADS using the ldap client (or however it's done) instead of setting up a linux openldap server.
>
> Yes. Just point the ldap module to active directory.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

I am slowly setting up FR to work with ADS. I had ntlm_auth working fine but have been requested to swap to ldap. My current freeradius user is \admins\radius\freeradius, admins being an organisational unit, radius being an ou inside admins. I get this error when freeradius tries to confirm the user/passwd against the ADS.

rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Fwd: Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
I am still stuck on this problem, HELP PLEASE. I have 4 questions atm:

1 Does the password need to be encrypted before being pasted into the config file?
2 Is it necessary to configure the ldap client files?
3 Can you auth against ADS using LDAP without a password?
4 If radiusd runs a command when auth'ing against ADS, what is the command so I might test it?

I'd really appreciate any info at all. Thanks guys.

-- Forwarded message --
From: Jacob Jarick [EMAIL PROTECTED]
Date: Apr 17, 2007 4:55 PM
Subject: Help stuck on error: rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org

radiusd -X -A output: http://pastebin.ca/444201
radiusd.conf: http://pastebin.ca/444205

I am slowly setting up FR to work with ADS. I had ntlm_auth working fine but have been requested to swap to ldap. My current freeradius user is \admins\radius\freeradius, admins being an organisational unit, radius being an ou inside admins. I get this error when freeradius tries to confirm the user/passwd against the ADS.

rlm_ldap: LDAP login failed: check identity, password settings in ldap section of radiusd.conf
Technical support
Hello, I'm looking for a company that can provide a professional level of technical support. If anyone here can recommend one I would appreciate it. I am after technical support due to the lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
Re: Technical support
I am in Western Australia, Perth. Currently having major issues with LDAP authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out VLAN assignment based on OU or group.

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
> What's your location?
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:25 PM
> To: FreeRadius users mailing list
> Subject: Technical support
>
> Hello, I'm looking for a company that can provide a professional level of technical support. If anyone here can recommend one I would appreciate it. I am after technical support due to the lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6
Fedora 6, openldap rpms installed via smart package manager.

slapd.conf: http://pastebin.ca/445851
tfxschool.internal.ldif: http://pastebin.ca/445852
root.ldif: http://pastebin.ca/445854
ldapusers.ldif: http://pastebin.ca/445855

I decided to try setting up openldap in hopes of learning more about my error. I followed this howto http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS step by step and rechecked all configs etc. when I got the following error:

[EMAIL PROTECTED] ~]# ldapadd -x -D cn=Manager,dc=tfxschool,dc=internal -W -f /etc/openldap/tfxschool.internal.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

It seems to be similar if not the same problem I am having with FR refusing to auth via LDAP to our ADS server. I am stuck though; I have no idea how to resolve this error and unfortunately the howto assumes it just works. Google suggests that it may be the result of my domain string dc=tfxschool,dc=interternal, which looks correct to me. Our test domain is tfxschool.internal. Any help / suggestions / insight would be greatly appreciated. Thanks.
Re: Technical support
Step 1 for me is to get radius to auth against ADS via LDAP (I got NTLM working fine). Unfortunately, because this job is contracted by the govt it has to be done their specific way every step, which means freeradius HAS TO auth against a 2003 ADS via LDAP. Unfortunately I cannot give out access to my work test PCs due to security restrictions out of my control (I could but then I'd be in trouble). What would your asking price be for a working FR 1.1.6 config that can auth against 2003 ADS using LDAP?

Regarding VLANs, I need users with a GID of students to be put onto vlan2 and users with GID staff to be put onto vlan3.

On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
> Well we are in New York. So the only way we can help you is to do SSH. Technically LDAP should work straightforward, unless your DC does not want to accept connections from remote PC and especially Linux. We don't use Windows in our company any more, but I can set up DC and see if my radius can access it and then just send you config file.
>
> As to VLANs, I'm not sure what you're looking for; if you wanna do something like separation of Ethernet channels for Ethernet service provider then it should be done by your NAS if that is supported. I would assume your NAS should be listening for some custom attribute to assign VLAN tag to specific user group.
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
> Sent: Tuesday, April 17, 2007 10:52 PM
> To: FreeRadius users mailing list
> Subject: Re: Technical support
>
> I am in Western Australia, Perth. Currently having major issues with LDAP authentication (done correctly as far as I can tell but I don't get replies from forums / mailing groups) and once that is sorted I need to figure out VLAN assignment based on OU or group.
>
> On 4/18/07, Alex M [EMAIL PROTECTED] wrote:
>> What's your location?
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Jacob Jarick
>> Sent: Tuesday, April 17, 2007 10:25 PM
>> To: FreeRadius users mailing list
>> Subject: Technical support
>>
>> Hello, I'm looking for a company that can provide a professional level of technical support. If anyone here can recommend one I would appreciate it. I am after technical support due to the lack of good documentation on the freeradius project. Most of the stuff I need done has only incomplete docs.
Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6 + debug info
Just added debug output to help.

Fedora 6, openldap rpms installed via smart package manager.

slapd.conf: http://pastebin.ca/445851
tfxschool.internal.ldif: http://pastebin.ca/445852
root.ldif: http://pastebin.ca/445854
ldapusers.ldif: http://pastebin.ca/445855
ldapadd -d9 -x -D cn=Manager,dc=tfxschool,dc=internal -W -f /etc/openldap/tfxschool.internal.ldif - http://pastebin.ca/445899

I decided to try setting up openldap in hopes of learning more about my error. I followed this howto http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch31_:_Centralized_Logins_Using_LDAP_and_RADIUS step by step and rechecked all configs etc. when I got the following error:

[EMAIL PROTECTED] ~]# ldapadd -x -D cn=Manager,dc=tfxschool,dc=internal -W -f /etc/openldap/tfxschool.internal.ldif
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
        additional info: 80090308: LdapErr: DSID-0C090334, comment: AcceptSecurityContext error, data 525, vece

It seems to be similar if not the same problem I am having with FR refusing to auth via LDAP to our ADS server. I am stuck though; I have no idea how to resolve this error and unfortunately the howto assumes it just works. Google suggests that it may be the result of my domain string dc=tfxschool,dc=interternal, which looks correct to me. Our test domain is tfxschool.internal. Any help / suggestions / insight would be greatly appreciated. Thanks.
Re: Quick HOWTO : Ch31 : Centralized Logins Using LDAP and RADIUS - Fails on Fedora 6 + debug info
Might buy that book, thanks for the reply Alan. I have also posted the same question to the openldap mailing list so I hope to get some info from those people. It's just quite frustrating: the govt has said we can only do it this 1 way (but they themselves have never done it) and I can't find any good docs / howtos that cover what I need in detail. All the howtos assume LDAP communication works flawlessly 1st go but unfortunately that's definitely not the situation. Thanks again Alan, going to make a call about the LDAP book.

On 4/18/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> ldapadd -d9 -x -D cn=Manager,dc=tfxschool,dc=internal -W -f /etc/openldap/tfxschool.internal.ldif - http://pastebin.ca/445899
>> ...
>> It seems to be similar if not the same problem I am having with FR refusing to auth via LDAP to our ADS server. I am stuck though; I have no idea how to resolve this error and unfortunately the howto assumes it just works. Google suggests that it may be the result of my domain string dc=tfxschool,dc=interternal, which looks correct to me. Our test domain is tfxschool.internal. Any help / suggestions / insight would be greatly appreciated.
>
> This is really an LDAP question. If you can't use LDAP tools to login to the LDAP server, you won't be able to use the same configuration in FreeRADIUS.
>
> Unfortunately, I don't use LDAP, so I can't help you here. The few times I have used it, I follow the O'Reilly LDAP book, and it works for me.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Requesting help with FR + Dynamic vlans
Hi, here is the current scenario:

* school with wireless access
* already uses radius (soon to be freeradius)
* freeradius auths via a win2k3 Active Directory Server
* teachers need to be able to log into WAPs a, b, c etc. and be automatically assigned to the teachers VLAN
* priv students need to be able to log into WAPs a, b, c and be assigned to the priv student VLAN
* norm students simply need to have network access denied from WAPs a, b, c

From what I've learnt so far today, I need to configure the radius.conf to retrieve the user's group from the ADS and then return auth and map group -> VLAN / tunnel ID. If some1 could provide me an example or documentation / howto I should read I'd be very thankful. Also if the scenario wasn't clear enough please say so and I will re-explain. Thanks a lot FR crew.
Re: Howto compile 1.1.6 on Fedora 6
I personally hate rpms and will compile all apps, so no, I try rpms as a last resort and I'm not surprised when they fail with a big list of dependencies. I will look into it though and test on the next machine and report back.

On 4/16/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
>> Thanks to the people who helped me figure this out (big thanks to Alan), this works perfectly on a fresh Fedora system.
>>
>> Download, compile and install openssl
>> download freeradius 1.1.6
>> unpack in usr/src
>> cd freeradius-1.1.6
>> ./configure --prefix=/usr --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib/ --disable-libtool-lock --with-system-libtool --sysconfdir=/etc
>> (^all one line)
>> make
>> make install
>
> you SHOULD be able to simply use the redhat spec file that is shipped as part of the contrib sources in that 1.1.6 tarball to make an RPM exactly as the distro should/would supply if they were doing 1.1.6
>
> did you try this?
>
> alan
Re: Howto compile 1.1.6 on Fedora 6
I should be more specific: I will compile all specially needed apps after doing a norm installation. Generic stuff like X etc. I don't care about unless it doesn't work.

On 4/16/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> I personally hate rpms and will compile all apps, so no, I try rpms as a last resort and I'm not surprised when they fail with a big list of dependencies. I will look into it though and test on the next machine and report back.
>
> On 4/16/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
>> Hi,
>>
>>> Thanks to the people who helped me figure this out (big thanks to Alan), this works perfectly on a fresh Fedora system.
>>>
>>> Download, compile and install openssl
>>> download freeradius 1.1.6
>>> unpack in usr/src
>>> cd freeradius-1.1.6
>>> ./configure --prefix=/usr --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib/ --disable-libtool-lock --with-system-libtool --sysconfdir=/etc
>>> (^all one line)
>>> make
>>> make install
>>
>> you SHOULD be able to simply use the redhat spec file that is shipped as part of the contrib sources in that 1.1.6 tarball to make an RPM exactly as the distro should/would supply if they were doing 1.1.6
>>
>> did you try this?
>>
>> alan
O'Reilly's Radius Book - Worth buying?
Hi, I'm just getting started with freeradius (trying to nut out dynamic VLANs atm) and I was wondering if this book would be a worthwhile purchase. I had a great experience with O'Reilly's BIND and Perl Cookbook books. Have any FR users used this book? If so your comments would be appreciated.

http://www.oreilly.com/catalog/radius/index.html
Re: Howto compile 1.1.6 on Fedora 6
It wasn't a random rpm and at the time I was unaware that the wiki had been updated to list the latest rpms etc. So binaries are fairly well supported by freeradius I take it.

On 4/16/07, Nicolas Baradakis [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> I personally hate rpms and will compile all apps, so no, I try rpms as a last resort and I'm not surprised when they fail with a big list of dependencies.
>
> You were not told to pick up a random RPM on the net. The wiki explains how to build yourself a RPM from sources. The resulting package should run without problem on the host where it was compiled.
>
> Moreover, building a package allows you to uninstall the files later, so you can cleanly upgrade the version of FreeRADIUS. Residual files from previous installation do weird things, like the problem of double free for example.
>
> --
> Nicolas Baradakis
Re: O'Reilly's Radius Book - Worth buying?
I will put it on order as a reference is better than nothing :) I have used radius before but not for ages (2000). I will be using it a lot at this new job so I will need all the good references I can get.

On 4/16/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Arran Cudbard-Bell wrote:
>> What put me off the O'Reilly book was its age.. Although I only started using FreeRADIUS with 1.1.4, I've seen pretty rapid development. So I was concerned about how much relevance a book published in 2002 has today.
>
> It covers RADIUS. It's good for people who are completely new to RADIUS.
>
>> There are also amazingly useful, mostly undocumented features like SQL Xlat, which won't be covered anywhere except the mailing list archives.
>
> As always, patches are welcome. Even patches to the documentation.
>
>> Oh Btw on a completely unrelated subject, if you fix the 'Use Client-Ip-Address/ Packet-Src-IP-Address attribute as a check item' then I can push the CVS head out live and give you some proper feedback ;)
>
> Yeah, it turns out that some of the Packet-Src-IP-Address compares weren't even registered. The code has been re-shuffled, and it should now work, including with regular expressions. You'll have to list the expr module in the instantiate section for Packet-Src-IP-Address to work, though.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: O'Reilly's Radius Book - Worth buying?
I will start reading it all ASAP, thanks a lot guys :)

On 4/16/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi,
>
>> Hi, I'm just getting started with freeradius (trying to nut out dynamic VLANs atm) and I was wondering if this book would be a worthwhile purchase. I had a great experience with O'Reilly's BIND and Perl Cookbook books. Have any FR users used this book? If so your comments would be appreciated.
>
> the O'Reilly book is a good resource if you are starting from minimal RADIUS knowledge and want a bit more background. ie its good for beginners through to experts. especially if you need to remind yourself of, eg, the exact structure of accounting packets. however it was written at the time of FreeRADIUS 0.9 - and is therefore a little dated with regards to some of the newer modules and methods, also password expressions. however it is a good fundamental start.
>
> for FreeRADIUS you cant go much better than the current deployingradius site, source tarball docs and historical mailing archives - and Alans forthcoming book! ;-)
>
> alan
Re: Howto compile 1.1.6 on Fedora 6
No probs guys, will check for bins 1st in future.

On 4/16/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Peter Nixon wrote:
>> Yep. The general plan is that we spend the time once building an rpm, and then have much less questions on random build problems on various OS'
>
> Ideally, we should have packages on the web site. This is sometimes difficult to do...
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
FR + AD + Vlans + LDAP help
Hello, I'm currently trying to configure freeradius to authenticate via a win2k3 server, check the user's group and then return a confirmation / denial + VLAN id for the cisco WAP to process.

Questions:
1. Is LDAP the only way of retrieving the user's group/s?
2. Can I talk directly to the ADS using the ldap client (or however it's done) instead of setting up a linux openldap server?
3. Does the users entry look correct? It is meant to disallow people in the group rejects, assign priv students to 1 VLAN and students to the other VLAN:

# !! testing groups
DEFAULT LDAP-Group == rejects, Auth-Type := Reject

DEFAULT Auth-Type = ntlm_auth
        Fall-Through = 1

DEFAULT LDAP-Group == staff
        Service-Type = Framed-User,
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:140

DEFAULT LDAP-Group == students
        Service-Type = Framed-User,
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:141
Howto compile 1.1.6 on Fedora 6
Thanks to the people who helped me figure this out (big thanks to Alan), this works perfectly on a fresh Fedora system.

Download, compile and install openssl
download freeradius 1.1.6
unpack in usr/src
cd freeradius-1.1.6
./configure --prefix=/usr --with-openssl-includes=/usr/local/ssl/include --with-openssl-libraries=/usr/local/ssl/lib/ --disable-libtool-lock --with-system-libtool --sysconfdir=/etc
(^all one line)
make
make install

That should also put everything where the rpm normally does (yuck), so should u upgrade later you won't have lib conflicts. All the best.
Re: assigning vlan based on NAS and LDAP field?
Jerry, I hate to be a pain but what you have implemented atm is my next task with freeradius. Would you mind linking any howtos you use? Thanks. Also how do u get freeradius to find a user's group then report it back to the cisco / AP so it can decide what VLAN the client belongs on? Many thanks in advance.

On 4/14/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Message of 13/04/07 at 11:43
> From: Kostas Kalevras
> To: [EMAIL PROTECTED], FreeRadius users mailing list
> Cc:
> Subject: Re: assigning vlan based on NAS and LDAP field?
>
>> Matt Ashfield wrote:
>>> HI all,
>>> We're using FR authenticating against LDAP to implement our wireless solution. Basically, we are looking at the LDAP field of record type and determining if it is a staff or a student, and assigning a vlan based on that. Pretty simple and it works. However, there are two issues with this:
>>>
>>> 1. We have a sister campus, on a different network, but who are sharing the same FR and LDAP servers for authentication. Obviously their NAS's are different than ours because we're in different physical locations and networks. With our current configuration, it looks like we have to define the exact same vlans id's and the same vlan eligibility rules (ie staff get vlan x and student get vlan y) in order for this to work. I guess I'm hoping there is a way to assign different vlans based on the NAS ip address in addition to the student/staff distinction.
>>
>> You can use multiple ldap module instances and set Autz-Type depending on the nas ip address (or better yet huntgroups)
>>
>>> 2. This follows into our future wired side implementation of 802.1x. In this case, we don't want our staff/student wired users to be assigned to the same vlans as they would be if they were on wireless. Rather we'd prefer to break them up based on their NAS or something like that.
>>>
>>> Anyways, I realize this is quite an odd situation, but probably quite similar to what many EDU people are encountering. Any help/advice is greatly appreciated.
>
> you have to find an attribute in the radius nas request that will differentiate a wifi connection and a wired 802.1x connection: for me it is NAS-Port-Type = Wireless-802.11 for wifi and NAS-Port-Type = ethernet for wired 802.1x. depending on this you send a vlan or an other in the radius response. but you still can do it depending on the nas IP
>
> Thomas
>
>>> Thanks
>>> Matt
>>> [EMAIL PROTECTED]
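To see how users-file entries like the ones posted in the "FR + AD + Vlans + LDAP help" message above actually behave, and how the NAS-Port-Type distinction Thomas describes fits in, here is an added example (my code, not from this thread or from FreeRADIUS): a miniature evaluator for users-file entries. It models DEFAULT entries, `==` check items compared against the request, `=` and `:=` on Auth-Type, reply items and Fall-Through; the rlm_ldap group lookup is replaced by a set of group names passed in. The first entry block is the one posted above; the second, splitting the staff VLAN by NAS-Port-Type, is constructed for this example and its VLAN ids are placeholders.

```python
"""Miniature evaluator for FreeRADIUS users-file entries (added example,
not code from this thread or from FreeRADIUS).  Modelled: DEFAULT entries,
'==' check items compared against the request, '=' / ':=' on Auth-Type
(set-if-unset / always set), reply items and Fall-Through.  The group
lookup rlm_ldap would do is replaced by the set of group names passed in."""
import re
from dataclasses import dataclass, field

# The entries as posted in the thread, laid out one item per line.
USERS_POSTED = '''
DEFAULT LDAP-Group == "rejects", Auth-Type := Reject

DEFAULT Auth-Type = ntlm_auth
        Fall-Through = 1

DEFAULT LDAP-Group == "staff"
        Service-Type = Framed-User,
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:140

DEFAULT LDAP-Group == "students"
        Service-Type = Framed-User,
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:141
'''

# Constructed variant (not from the thread): one group, two VLANs chosen by
# NAS-Port-Type as suggested for wired vs. wireless.  VLAN ids are placeholders.
USERS_BY_PORT = '''
DEFAULT LDAP-Group == "staff", NAS-Port-Type == Wireless-802.11
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:140

DEFAULT LDAP-Group == "staff", NAS-Port-Type == Ethernet
        Tunnel-Type = :1:VLAN,
        Tunnel-Medium-Type = :1:6,
        Tunnel-Private-Group-ID = :1:240
'''

# attribute, operator, quoted-or-bare value, optional trailing comma
ITEM_RE = re.compile(r'\s*([\w-]+)\s*(:=|==|=)\s*("[^"]*"|[^,\s]+)\s*,?')


@dataclass
class Entry:
    name: str
    checks: list = field(default_factory=list)   # (attr, op, value)
    replies: list = field(default_factory=list)  # (attr, value)


def _items(text):
    return [(a, op, v.strip('"')) for a, op, v in ITEM_RE.findall(text)]


def parse_users(text):
    """A line starting in column 0 opens an entry (name + check items);
    indented lines hold that entry's reply items; '#' lines are comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith('#'):
            continue
        if line[0] not in ' \t':
            name, _, rest = line.partition(' ')
            entries.append(Entry(name, _items(rest)))
        elif entries:
            entries[-1].replies.extend((a, v) for a, _op, v in _items(line))
    return entries


def authorize(entries, request, groups):
    """Walk the entries in order, as rlm_files does.  Returns (Auth-Type or
    None, reply attributes).  Processing stops at the first matching entry
    unless its reply items include Fall-Through = 1/yes."""
    auth_type, reply = None, {}
    for e in entries:
        if e.name != 'DEFAULT' and e.name != request.get('User-Name'):
            continue
        pending, ok = None, True
        for attr, op, val in e.checks:
            if attr == 'Auth-Type':        # server-config item, never a comparison
                pending = (op, val)
            elif attr == 'LDAP-Group':     # stands in for the rlm_ldap group check
                ok = ok and val in groups
            else:                          # plain request-attribute comparison
                ok = ok and request.get(attr) == val
        if not ok:
            continue
        if pending and (pending[0] == ':=' or auth_type is None):
            auth_type = pending[1]
        fall_through = False
        for attr, val in e.replies:
            if attr == 'Fall-Through':
                fall_through = val.lower() in ('1', 'yes')
            else:
                reply[attr] = val
        if not fall_through:
            break
    return auth_type, reply


if __name__ == '__main__':
    ents = parse_users(USERS_POSTED)
    for who, grp in (('t1', {'staff'}), ('s1', {'students'}),
                     ('x1', {'rejects', 'staff'}), ('n1', set())):
        print(who, authorize(ents, {'User-Name': who}, grp))
```

Two things the model makes visible before the entries go onto a live server: the rejects entry has to come first and must not fall through, otherwise a user who is in both rejects and staff still collects the staff VLAN; and a user who is in none of the groups leaves the file with Auth-Type ntlm_auth and no Tunnel-* attributes, so the "norm students" from the scenario further up are not denied by these entries alone.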
Re: HELP: radtest fails local test
Freeradius 1.1.3
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

How do I configure the users file to authenticate against the AD? The howto I followed says u do not need to configure the users file. I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly?

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,
>
> Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.
>
>> I only need FR to auth against our w2k3 AD server. Any help is appreciated.
>
> For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.
>
> It looks like you didn't tell the server to authenticate against AD. Please do so.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Freeradius + AD2003 Authentication ERROR - Help please !
ok will try another user, thanks again for the tips Alan.

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> I start the wireless connection on XP, enter in user and password, freeradius runs the ntlm_auth command but then it spits out this huge message. It's so big the terminal's buffer isn't big enough, but I have copied and pasted everything I can.
>
> $ script logfile
> $ radiusd -X
> ...
> $ exit
> $ more logfile
>
>> SSL ERROR: (other): SSL negotiation finished successfully
>> rlm_eap: SSL error error::lib(0):func(0):reason(0)
>
> That's fixed in 1.1.6. It's not an error, it just logs too much information.
>
>> Failure to validate user:
>> Exec-Program: /usr/bin/ntlm_auth --request-nt-key --domain= --username=Administrator --challenge=bb4c397988ae6ebc --nt-response=4a7cd9abdfc2f92680c182845a937f4beb6646c4cddd7de1
>> Exec-Program output: No such user (0xc064)
>> Exec-Program-Wait: plaintext: No such user (0xc064)
>
> The ntlm_auth program returns that there's no such user. Maybe you should try testing with a user other than Administrator.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: 1.1.6 crashes on fedora 6
there could be some libs lurking around, but for the moment I will stick with 1.1.3 until I resolve these authentication issues. My job depends on it.

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> *** glibc detected *** ./sbin/radiusd: double free or corruption
>> ...
>> Its pretty much the same issue I had with 1.1.5 on fedora 6
>
> Are you sure you've removed all of the 1.1.5 libraries and binaries?
>
> And the immediate cause of the bug appears to be libltdl, if the backtrace can be believed.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: HELP: radtest fails local test
smb.conf http://pastebin.ca/437671
radius.conf http://pastebin.ca/437670
clients.conf http://pastebin.ca/437668
eap.conf http://pastebin.ca/437667
krb5.conf http://pastebin.ca/437666

OK, some more googling :P and I've turned up this interesting howto which I will be trialing: http://deployingradius.com/documents/configuration/active_directory.html

It covers Configuring FreeRADIUS to use ntlm_auth in a bit more detail than the last one.

On 4/13/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Freeradius 1.1.3
> smb.conf http://pastebin.ca/437671
> radius.conf http://pastebin.ca/437670
> clients.conf http://pastebin.ca/437668
> eap.conf http://pastebin.ca/437667
> krb5.conf http://pastebin.ca/437666
>
> How do I configure the users file to authenticate against the AD? The howto I followed says u do not need to configure the users file. I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly. Is there any howto that actually covers this properly?
>
> On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
>> Jacob Jarick wrote:
>>> A local test using radtest fails but I am unsure why. It looks like it's trying to authenticate against the unix passwd file,
>>
>> Yes. See the users file. It sets authentication to /etc/passwd (or system) if there's no other method set.
>>
>>> I only need FR to auth against our w2k3 AD server. Any help is appreciated.
>>
>> For PAP authentication, you have to configure that manually. i.e. tell the server if you receive PAP, run ntlm_auth to authenticate against AD. See the exec module for how to run external programs.
>>
>> It looks like you didn't tell the server to authenticate against AD. Please do so.
>>
>> Alan DeKok.
>> --
>> http://deployingradius.com - The web site of the book
>> http://deployingradius.com/blog/ - The blog
Re: HELP: radtest fails local test
Alan, thanks so much for your advice mate. I got it going finally!

For people out there looking to do a similar setup, here is my short mini howto:
1. Install Kerberos
2. Install OpenSSL
3. Install Samba
4. Follow the FreeRadius Tutorial for AD integration: http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf
5. Follow this guide, particularly the part about Configuring FreeRADIUS to use ntlm_auth: http://deployingradius.com/documents/configuration/active_directory.html

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> How do I configure the users file to authenticate against the AD? The howto I followed says u do not need to configure the users file.
>
> If you're using PEAP, yes. If you're just using PAP, you need to tell the server what to do.
>
>> I read the users.txt man page but it wasn't any help. My krb5.conf is properly configured; running ntlm_auth from the command line works perfectly.
>
> So... when I said you need to run ntlm_auth, and you could use the exec module to do that, what conclusion did you reach?
>
> Or, you can replace the reference to System in the users file with Kerberos. But be sure you've told FreeRADIUS to use the kerberos module.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: Generating new EAP demo certs for freeradius
I downloaded the latest FR, compiled but didn't install, then used the script to generate the needed certs. Worked fine.

On 4/13/07, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote:
> Hi
>
> I have just installed the package of freeradius using yum which is available for fedora 6. However, I found that the demo cert in the server for EAP is expired and can't be installed on my client. I'm trying to generate a new cert by using the script cert.sh. However, it seems that the package does not come with such a script. Am I able to download this from somewhere so that I can generate new sets of certificates?
>
> Rgds
> Andrea
Re: glibc double free or corruption still happening
have u tried this which was suggested by Nicolas Baradakis [EMAIL PROTECTED]:

> You could try to use the libltdl from Fedora instead of the one from the FreeRADIUS sources.
>
> $ ./configure --with-system-libtool

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Roberto Greiner wrote:
>> I've installed FreeRadius 1.1.6 to my Debian Etch box, trying to solve the 'glibc double free or corruption', but the error is still happening.
>
> I'd love to know where it's coming from. I ran it on my system, and under valgrind, and saw nothing.
>
>> To make sure that no old library was causing the problem, I searched for any file and folder which could be from the old freeradius (using locate *radiu* and updatedb, it until no file was to be found). Then I recompiled everything and reinstalled. The problem persisted. Could I have missed some library with the locate I used? Is there a better way to uninstall everything for the upgrade? Any other ideas?
>
> $ valgrind --tool=memcheck --leak-check=full radiusd -X
>
> It might get you more information.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: freeradius, windows 2003 ADS - authentication fails
Thanks for your prompt reply Alan. My 1st post so forgive the omission; I will clear the logs then post radtest and the log info tomorrow once at work.

On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
>> Hi I have recently setup freeradius on fedora 6 and I need it to authenticate against windows ADS. Currently the requests come through the AP but are rejected by freeradius. The reason is in the logs.
>>
>> [EMAIL PROTECTED] raddb]# radtest Administrator tfxsol 127.0.0.1:1812 10 testing123
>> Sending Access-Request of id 40 to 127.0.0.1 port 1812
>>         User-Name = Administrator
>>         User-Password = tfxsol
>>         NAS-IP-Address = 255.255.255.255
>>         NAS-Port = 10
>> rad_recv: Access-Reject packet from host 127.0.0.1:1812, id=40, length=20
>
> Unfortunately, you've showed radtest giving a reject, but have NOT shown the corresponding debugging output from radtest. Instead, the debugging output is from a login via the AP:
>
>> ...
>> rad_recv: Access-Request packet from host 10.1.1.110:1645, id=117, length=164
>>         User-Name = TFXSCHOOL\\Administrator
>
> Which is not the radtest packet you quoted above.
>
>> rlm_eap: Identity does not match User-Name, setting from EAP Identity.
>> rlm_eap: Failed in handler
>
> Read eap.conf. Also, see which module is mangling the User-Name attribute.
>
> Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
Re: freeradius, windows 2003 ADS - authentication fails
OK, 1st off, here is the document I have been following:
http://www.swami.se/swami/space/Categories/EduRoam/Workshop+about+eduroam+implementation/freeRadius_AD_tutorial.pdf

I have managed to get all tests and commands working except for radtest (which I found out via google) and having an XP Pro client login via wireless (as per the guide). Sorry about only posting the debug info from the wireless session and only the results from radtest; as I said earlier, I will retest tomorrow and repost correctly.

I definitely need to find out what is mangling the user name. The document also mentions something about it (which I did follow):

    Make sure that the following lines are uncommented and that the value
    is the same as indicated here.

        authtype = MS-CHAP
        with_ntdomain_hack = yes

    Ntdomain_hack is necessary to correct an error due to the
    challenge/response and the format in which the user information is sent.

I just re-read the eap.conf I included; all seems fine (but don't take my word on that). The only bit I'm curious about is:

        # This module is the *Microsoft* implementation of MS-CHAPv2
        # in EAP.  There is another (incompatible) implementation
        # of MS-CHAPv2 in EAP by Cisco, which FreeRADIUS does not
        # currently support.
        #
        mschapv2 {
        }
    }

It's inside the peap { brackets. Should the mschapv2 brackets have any configuration options?

I've been doing some more looking at the config files (I can only read the attached ones atm). Thanks again for the help :)

On 4/12/07, Jacob Jarick [EMAIL PROTECTED] wrote:
> Thanks for your prompt reply Alan. My 1st post, so forgive the omission; I
> will clear the logs, then post radtest and the log info tomorrow once at work.
>
> On 4/12/07, Alan DeKok [EMAIL PROTECTED] wrote:
> > Jacob Jarick wrote:
> > > Hi, I have recently set up freeradius on fedora 6 and I need it to
> > > authenticate against windows ADS. Currently the requests come through
> > > the AP but are rejected by freeradius.
> >
> >   The reason is in the logs.
Re: User never get disconnected (was Re: Simultaneous-Use problem)
For a temp fix I would make your perl script ping said IP before checking for idle (perhaps a sleep timer), or you could simply have each supposedly active IP pinged every 1-2 minutes by a separate perl script.

Would you mind posting your checkrad.pl script? I'm a perl hacker myself :)

On 4/12/07, satish patel [EMAIL PROTECTED] wrote:
> I have been facing the same problem: sometimes the NAS sends the ACCT-STOP
> packet and the packet gets lost, so the user session stays open and the
> next time the user tries to login he/she gets a multilogin error. So I have
> implemented the checkrad.pl script and check simultaneous users through
> SNMP, and it is working fine, but I don't know why the acct-stop packet is
> lost.
>
> I have one more query regarding idle-timeout: if I set idle-timeout to 5
> min then the user is automatically disconnected if the connection was idle,
> but suppose the NAS sends the acct-stop packet and the packet is lost; does
> idle-timeout work in this case?
>
> PD [EMAIL PROTECTED] wrote:
> > On 4/12/2007, [EMAIL PROTECTED] wrote:
> > > > + what cause of this problem ?
> > >
> > > Either the NAS thinks that users are still connected or your RADIUS
> > > server is not receiving Stop packets. If the NAS (NAS, not radacct
> > > table) shows users as connected you can add Idle-Timeout of about 5
> > > minutes in user (or group) configuration. If RADIUS packets are not
> > > being received, have a look at your network. The NAS needs a reliable
> > > connection to the RADIUS server - you shouldn't have firewalls and such
> > > in the way.
> >
> > Well... the problem only persists sometimes, let's say once or twice
> > every day. The communication between the Radius box and NAS uses STP
> > cable. Currently we are still in the development stage of the hotspot
> > system. Before implementing it on a big area, we found some problems,
> > like explained above. When I log in and log out, or shut the notebook
> > down without logout, I can see both the start and stop record in the
> > radacct table; I could not find the problem's source... perhaps someone
> > else has faced the same problem?
> >
> > > > + how to delete this entry daily (perhaps with crontab)
> > >
> > > Don't do that. Fix your server communication and then delete stale
> > > entries once.
> >
> > Well.. with simultaneous-use:=1, the same user will not be able to login
> > anymore because radius sees that he / she is still online.
> >
> > TIA
> > PD
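The "ping the IP before deciding the session is stale" idea above, carried through as an added example that is not part of the thread and not FreeRADIUS's own checkrad.pl: a checkrad-compatible session prober in Python. It assumes the FreeRADIUS 1.x checkrad calling convention (arguments nas_type nas_ip nas_port login session_id; exit status 0 = not logged in on the NAS, 1 = logged in, 2 = error) and that the session's Framed-IP-Address is looked up separately, since FreeRADIUS does not pass it. The SNMP hook no_snmp is a placeholder: the OID that holds the per-port login is NAS-specific and not shown in the thread. The function names decide, ping, check and the sample values in the test are this example's, not the list's.

```python
#!/usr/bin/env python3
"""checkrad-style session prober (added example, not FreeRADIUS's checkrad.pl).

FreeRADIUS runs checkrad when Simultaneous-Use finds a radacct row that is
still open, passing:   nas_type nas_ip nas_port login session_id
Exit status (assumed 1.x convention): 0 = user NOT logged in on the NAS,
1 = logged in, 2 = error.

Two kinds of evidence are combined, strongest first:
  * what the NAS itself reports for that port (SNMP, as in the thread): authoritative
  * whether the session's framed IP still answers ping (the 'temp fix'): weak,
    it only proves that *something* holds the address.
Both probes are injected so the decision logic can run offline.
"""
import subprocess
import sys
from typing import Callable, List, Optional

NOT_LOGGED_IN, LOGGED_IN, ERROR = 0, 1, 2

SnmpProbe = Callable[[str, str], Optional[str]]  # (nas_ip, nas_port) -> login on that port, or None
PingProbe = Callable[[str], Optional[bool]]      # framed_ip -> reachable?, None if the probe failed


def decide(login: str, nas_port_login: Optional[str], ping_ok: Optional[bool]) -> int:
    """Pure decision: map probe results to a checkrad exit status."""
    if nas_port_login is not None:
        # The NAS's own session table is authoritative; compare case-insensitively,
        # since NASes and Windows clients disagree about username case.
        return LOGGED_IN if nas_port_login.lower() == login.lower() else NOT_LOGGED_IN
    if ping_ok is not None:
        # Fallback: a dead address means the Acct-Stop was lost and the row is stale.
        # An answering address is only circumstantial (DHCP may have reissued it),
        # so we err towards LOGGED_IN, which is the safe answer for Simultaneous-Use.
        return LOGGED_IN if ping_ok else NOT_LOGGED_IN
    return ERROR


def ping(ip: str, timeout_s: int = 2) -> Optional[bool]:
    """One ICMP echo via the system ping (Linux iputils flags). None if ping is unavailable."""
    try:
        rc = subprocess.run(["ping", "-c", "1", "-W", str(timeout_s), ip],
                            stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL).returncode
    except OSError:
        return None
    return rc == 0


def no_snmp(nas_ip: str, nas_port: str) -> Optional[str]:
    """Placeholder (assumption): return the login the NAS reports on nas_port, or None.
    The table/OID is NAS-specific and not shown in the thread; wire in your SNMP query."""
    return None


def check(argv: List[str], snmp: SnmpProbe = no_snmp, pinger: PingProbe = ping,
          framed_ip: Optional[str] = None) -> int:
    """Exit status for:  checkrad nas_type nas_ip nas_port login session_id"""
    if len(argv) != 6:
        return ERROR
    _nas_type, nas_ip, nas_port, login, _session_id = argv[1:]
    reported = snmp(nas_ip, nas_port)
    # Only fall back to ICMP when the NAS gave no answer and we know the address.
    ping_ok = pinger(framed_ip) if reported is None and framed_ip else None
    return decide(login, reported, ping_ok)


if __name__ == "__main__":
    # FreeRADIUS does not pass Framed-IP-Address; look it up from radacct by
    # session_id before calling check(), or rely on the SNMP probe alone.
    sys.exit(check(sys.argv))
```

A reachable address is treated as "still logged in" and the NAS's own answer overrides it; a dead address is the lost-Acct-Stop case the thread describes, and returning 0 lets the user back in without deleting radacct rows from cron, which is the advice given above.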
freeradius 2 character delimiter in realm problem
Hello,

I am researching my current problem with freeradius not authenticating. The user is rejected because the name is not found; our AD (w2k3) sends usernames to freeradius in this format: domainname\\username. I have tried enabling the nt hack under the ldap section with no luck. Reading through the comments in /etc/raddb/radiusd.conf under the ldap module section I found this though:

    # Four config options:
    #     format         - must be 'prefix' or 'suffix'
    #     delimiter      - must be a single character
    #     ignore_default - set to 'yes' or 'no'
    #     ignore_null    - set to 'yes' or 'no'

and the setting for realm ntdomain:

    #
    #  'domain\user'
    #
    realm ntdomain {
        format = prefix
        delimiter = \\
        ignore_default = no
        ignore_null = no
    }

So this leads me to two questions:

1. Is \\ actually \ escaped?
2. Can you have 2-character delimiters (despite what the config comments claim)?

Cheers for any info.
Re: Problem when executing radiusd
I had the same issue on fedora 6; the temporary solution is to roll back to FreeRADIUS Version 1.1.3. There is an rpm available if you google. It compiles fine on gentoo though.

On 4/12/07, BOQUET Stephanie [EMAIL PROTECTED] wrote:
> Hi,
>
> when I execute radiusd, it ends with "Abandon : a glibc detected * radiusd :
> double free or corruption" error occurred.
>
> Thanks for helping me!
>
> Stephanie
Re: freeradius 2 character delimiter in realm problem
How would I then tell radius to remove the domain\\ from domain\\user?

On 4/13/07, Alan DeKok [EMAIL PROTECTED] wrote:
> Jacob Jarick wrote:
> > Hello, I am researching my current problem with freeradius not
> > authenticating. The user is rejected because the name is not found; our
> > AD (w2k3) sends usernames to freeradius in this format: domainname\\username.
>
>   That's not a 2-character delimiter. It's a backslash, escaped.
>
> > I have tried enabling the nt hack under the ldap section with no luck.
>
>   There's an nt hack in the LDAP section?
>
> > 1. Is \\ actually \ escaped?
>
>   Yes.
>
> > 2. Can you have 2-character delimiters (despite what the config comments claim)?
>
>   No.
>
>   Alan DeKok.
> --
> http://deployingradius.com - The web site of the book
> http://deployingradius.com/blog/ - The blog
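To see what the ntdomain realm block does with a name like TFXSCHOOL\Administrator, here is an added example that models rlm_realm's splitting in Python; it is not FreeRADIUS code and not from the thread. It assumes what the config comments and Alan's answer state, plus a few details labelled as assumptions: format is prefix or suffix; the delimiter is exactly one character (delimiter = \\ in radiusd.conf is one escaped backslash); prefix splits at the first delimiter and suffix at the last; the first realm block that matches sets Stripped-User-Name and Realm, and later blocks leave an already-stripped name alone. The Realm class, valid_delimiter, apply_realms, REALMS and the sample names (example.org, jacob) are this example's own.

```python
"""Model of how FreeRADIUS realm { } blocks split DOMAIN\\user and user@realm.

Added example, not rlm_realm's code.  Assumptions: format is 'prefix' or
'suffix'; the delimiter is exactly one character; prefix splits at the first
delimiter, suffix at the last; the first block that matches sets
Stripped-User-Name and Realm, and later blocks do nothing once
Stripped-User-Name exists.
"""
from typing import Dict, List, Optional, Tuple


def valid_delimiter(delimiter: str) -> bool:
    """radiusd.conf: 'delimiter - must be a single character'.
    The config text   delimiter = \\   is ONE backslash: the second one is the
    config parser's escape, exactly like "\\" in Python source."""
    return len(delimiter) == 1


class Realm:
    """One  realm <name> { format = ...  delimiter = ... }  block."""

    def __init__(self, name: str, fmt: str, delimiter: str) -> None:
        if fmt not in ("prefix", "suffix"):
            raise ValueError("format - must be 'prefix' or 'suffix'")
        if not valid_delimiter(delimiter):
            raise ValueError("delimiter - must be a single character")
        self.name, self.fmt, self.delim = name, fmt, delimiter

    def split(self, user_name: str) -> Optional[Tuple[str, str]]:
        """Return (realm, stripped_user), or None if this block does not match."""
        if self.fmt == "prefix":
            i = user_name.find(self.delim)        # DOMAIN\user: first delimiter
            return None if i < 0 else (user_name[:i], user_name[i + 1:])
        i = user_name.rfind(self.delim)           # user@realm: last delimiter
        return None if i < 0 else (user_name[i + 1:], user_name[:i])


# The ntdomain block from the radiusd.conf excerpt above plus the usual @ suffix
# block, listed in the order this example runs them (assumption, not the page's config).
REALMS: List[Realm] = [
    Realm("ntdomain", "prefix", "\\"),   # 'domain\user'   (delimiter = \\ in the file)
    Realm("suffix",   "suffix", "@"),    # 'user@domain'
]


def apply_realms(user_name: str, realms: List[Realm]) -> Dict[str, str]:
    """Run the realm blocks over User-Name the way authorize {} would and return
    the attributes they would add.  An empty dict means no block matched, so the
    request continues with the original User-Name."""
    added: Dict[str, str] = {}
    for realm in realms:
        if "Stripped-User-Name" in added:
            break                                 # already stripped: later blocks are no-ops
        hit = realm.split(user_name)
        if hit is None:
            continue
        realm_name, stripped = hit
        added["Stripped-User-Name"] = stripped
        added["Realm"] = realm_name
    return added


if __name__ == "__main__":
    # Constructed sample names; TFXSCHOOL\Administrator is the one from the thread.
    for name in ("TFXSCHOOL\\Administrator", "jacob@example.org", "Administrator"):
        print(repr(name), "->", apply_realms(name, REALMS))
```

The part the thread leaves open is then just which attribute the later modules look at: with this split applied, Stripped-User-Name = Administrator and Realm = TFXSCHOOL are what an LDAP lookup or MS-CHAP module would use instead of the raw domain\\user string.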
1.1.6 crashes on fedora 6
Starting - reading configuration files ...
reread_config: reading radiusd.conf
Config: including file: /usr/local/etc/raddb/proxy.conf
Config: including file: /usr/local/etc/raddb/clients.conf
Config: including file: /usr/local/etc/raddb/snmp.conf
Config: including file: /usr/local/etc/raddb/eap.conf
Config: including file: /usr/local/etc/raddb/sql.conf
 main: prefix = /usr/local
 main: localstatedir = /usr/local/var
 main: logdir = /usr/local/var/log/radius
 main: libdir = /usr/local/lib
 main: radacctdir = /usr/local/var/log/radius/radacct
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = /usr/local/var/log/radius/radius.log
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = /usr/local/var/run/radiusd/radiusd.pid
 main: user = (null)
 main: group = (null)
 main: usercollide = no
 main: lower_user = no
 main: lower_pass = no
 main: nospace_user = no
 main: nospace_pass = no
 main: checkrad = /usr/local/sbin/checkrad
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files: reading dictionary
read_config_files: reading naslist
Using deprecated naslist file. Support for this will go away soon.
read_config_files: reading clients
read_config_files: reading realms
radiusd: entering modules setup
Module: Library search path is /usr/local/lib
*** glibc detected *** ./sbin/radiusd: double free or corruption (fasttop): 0x09f91ca8 ***
======= Backtrace: =========
/lib/libc.so.6[0xcbfefd]
/lib/libc.so.6(cfree+0x90)[0xcc3550]
/usr/local/lib/libltdl.so.3[0x3d55db]
/usr/local/lib/libltdl.so.3(lt_dlopenext+0xbe)[0x3d5f6e]
./sbin/radiusd(find_module_instance+0x317)[0x8bcc67]
./sbin/radiusd(setup_modules+0x1e8)[0x8bd108]
./sbin/radiusd(main+0x42c)[0x8c090c]
/lib/libc.so.6(__libc_start_main+0xdc)[0xc6ff2c]
./sbin/radiusd[0x8b46b1]
======= Memory map: ========
00110000-00124000 r-xp 00000000 fd:00 7745049    /usr/local/lib/libradius-1.1.6.so
00124000-00125000 rwxp 00014000 fd:00 7745049    /usr/local/lib/libradius-1.1.6.so
00125000-00126000 rwxp 00125000 00:00 0
00126000-0012f000 r-xp 00000000 fd:00 458793     /lib/libnss_files-2.5.so
0012f000-00130000 r-xp 00008000 fd:00 458793     /lib/libnss_files-2.5.so
00130000-00131000 rwxp 00009000 fd:00 458793     /lib/libnss_files-2.5.so
001e0000-001eb000 r-xp 00000000 fd:00 461338     /lib/libgcc_s-4.1.1-20061011.so.1
001eb000-001ec000 rwxp 0000a000 fd:00 461338     /lib/libgcc_s-4.1.1-20061011.so.1
00218000-0022a000 r-xp 00000000 fd:00 461341     /lib/libnsl-2.5.so
0022a000-0022b000 r-xp 00012000 fd:00 461341     /lib/libnsl-2.5.so
0022b000-0022c000 rwxp 00013000 fd:00 461341     /lib/libnsl-2.5.so
0022c000-0022e000 rwxp 0022c000 00:00 0
0022e000-00230000 r-xp 00000000 fd:00 461330     /lib/libdl-2.5.so
00230000-00231000 r-xp 00001000 fd:00 461330     /lib/libdl-2.5.so
00231000-00232000 rwxp 00002000 fd:00 461330     /lib/libdl-2.5.so
002eb000-002fe000 r-xp 00000000 fd:00 461331     /lib/libpthread-2.5.so
002fe000-002ff000 r-xp 00012000 fd:00 461331     /lib/libpthread-2.5.so
002ff000-00300000 rwxp 00013000 fd:00 461331     /lib/libpthread-2.5.so
00300000-00302000 rwxp 00300000 00:00 0
003d2000-003d7000 r-xp 00000000 fd:00 7763046    /usr/local/lib/libltdl.so.3.1.4
003d7000-003d8000 rwxp 00004000 fd:00 7763046    /usr/local/lib/libltdl.so.3.1.4
00637000-00650000 r-xp 00000000 fd:00 461328     /lib/ld-2.5.so
00650000-00651000 r-xp 00018000 fd:00 461328     /lib/ld-2.5.so
00651000-00652000 rwxp 00019000 fd:00 461328     /lib/ld-2.5.so
0071e000-00723000 r-xp 00000000 fd:00 458841     /lib/libcrypt-2.5.so
00723000-00724000 r-xp 00004000 fd:00 458841     /lib/libcrypt-2.5.so
00724000-00725000 rwxp 00005000 fd:00 458841     /lib/libcrypt-2.5.so
00725000-0074c000 rwxp 00725000 00:00 0
007fa000-007fc000 r-xp 00000000 fd:00 7759006    /usr/local/lib/rlm_exec-1.1.6.so
007fc000-007fd000 rwxp 00001000 fd:00 7759006    /usr/local/lib/rlm_exec-1.1.6.so
008b0000-008ce000 r-xp 00000000 fd:00 7763256    /usr/local/sbin/radiusd
008ce000-008cf000 rwxp 0001e000 fd:00 7763256    /usr/local/sbin/radiusd
008cf000-008d0000 rwxp 008cf000 00:00 0
00c5a000-00d91000 r-xp 00000000 fd:00 461329     /lib/libc-2.5.so
00d91000-00d93000 r-xp 00137000 fd:00 461329     /lib/libc-2.5.so
00d93000-00d94000 rwxp 00139000 fd:00 461329     /lib/libc-2.5.so
00d94000-00d97000 rwxp 00d94000 00:00 0
00e7c000-00e8b000 r-xp 00000000 fd:00 461343     /lib/libresolv-2.5.so
00e8b000-00e8c000 r-xp 0000e000 fd:00 461343     /lib/libresolv-2.5.so
00e8c000-00e8d000 rwxp 0000f000 fd:00 461343