Re: FreeRadius not sending access-deny
That setting was at the default of 1, I tried setting to zero, no effect. Here is the debug output with first a successful user followed by the same user with a bad pwd.

--
rad_recv: Access-Request packet from host 10.15.251.232:1387, id=6, length=62
        User-Name = "test"
        User-Password = "test"
        Message-Authenticator = 0x0adeae0c4cb8659e2aaede3adb6009a3
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius-switch/radacct-switch/10.15.251.232/auth-detail-20080829'
rlm_detail: /var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius-switch/radacct-switch/10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm: No '\' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "ntdomain" returns noop for request 0
    users: Matched entry DEFAULT at line 1
    users: Matched entry test at line 33
rlm_ldap: Entering ldap_groupcmp()
radius_xlat: 'ou=***,dc=**,dc=**'
radius_xlat: '(uid=test)'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: attempting LDAP reconnection
rlm_ldap: (re)connect to 10.2.16.156:389, authentication 0
rlm_ldap: bind as cn=ITDRADIUSC,ou=USERS,ou=ITD,dc=nd,dc=gov/X27wireless45 to 10.2.16.156:389
rlm_ldap: waiting for bind result ...
rlm_ldap: Bind was successful
rlm_ldap: performing search in ou=***,dc=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "files" returns ok for request 0
rlm_ldap: - authorize
rlm_ldap: performing user authorization for test
radius_xlat: '(uid=test)'
radius_xlat: 'ou=***,dc=**,dc=***'
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in ou=***,**=nd,**=***, with filter (uid=test)
rlm_ldap: object not found or got ambiguous search result
rlm_ldap: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
  modcall[authorize]: module "" returns notfound for request 0
modcall: leaving group authorize (returns ok) for request 0
rad_check_password: Found Auth-Type Local
auth: type Local
auth: user supplied User-Password matches local User-Password
Login OK: [test] (from client NetworkEquipment port 0)
  Processing the post-auth section of radiusd.conf
modcall: entering group post-auth for request 0
radius_xlat: '/var/log/radius-switch/radacct-switch/10.15.251.232/reply-detail-20080829'
rlm_detail: /var/log/radius-switch/radacct-switch/%{Client-IP-Address}/reply-detail-%Y%m%d expands to /var/log/radius-switch/radacct-switch/10.15.251.232/reply-detail-20080829
  modcall[post-auth]: module "reply_log" returns ok for request 0
modcall: leaving group post-auth (returns ok) for request 0
Sending Access-Accept of id 6 to 10.15.251.232 port 1387
        NS-Admin-Privilege = Root-Admin
        APC-Service-Type = 1
        Service-Type = Administrative-User
        Cisco-AVPair = "shell:priv-lvl=15"
        Filter-Id = "unlim"
        Extreme-Shell-Command = "Enable"
Finished request 0
Going to the next request
--- Walking the entire request list ---
Waking up in 6 seconds...

--
rad_recv: Access-Request packet from host 10.15.251.232:1337, id=5, length=62
        User-Name = "test"
        User-Password = "test2"
        Message-Authenticator = 0x9bb6290c9d5e7dcffeeafe87e2c65b40
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
  modcall[authorize]: module "preprocess" returns ok for request 0
radius_xlat: '/var/log/radius-switch/radacct-switch/10.15.251.232/auth-detail-20080829'
rlm_detail: /var/log/radius-switch/radacct-switch/%{Client-IP-Address}/auth-detail-%Y%m%d expands to /var/log/radius-switch/radacct-switch/10.15.251.232/auth-detail-20080829
  modcall[authorize]: module "auth_log" returns ok for request 0
  modcall[authorize]: module "chap" returns noop for request 0
  modcall[authorize]: module "mschap" returns noop for request 0
    rlm_realm: No '@' in User-Name = "test", looking up realm NULL
    rlm_realm: No such realm "NULL"
  modcall[authorize]: module "suffix" returns noop for request 0
    rlm_realm
FreeRadius not sending access-deny
Hello, I recently discovered that my Freeradius 1.1.7 install is no longer sending access-deny messages for bad passwords. This causes the device to mark the radius server as down and move on to the next one, or just marks it as down. I know it's probably something I did in the config, but for the life of me can't figure out how I managed to cause that. Everything else on the install works great, just with the exception that no access-deny packets ever move. Any ideas?

Ryan

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
Machine auth without cert - EAP-PEAP/MSCHAPV2
I've been experimenting with machine auth without using a cert, but I seem to be stuck on the fact that FreeRadius will not authenticate a local user. I see the request come across through debugging with a username of "host/mymachine.mydomain.com", and no password, and in my users file I have

"host/mymachine.mydomain.com" Cleartext-Password="", Auth-Type := Local, MS-CHAP-Use-NTLM-Auth := 0
        Filter-ID = "WIRELESS-USER",
        Fall-Through = 0

but for some reason it never authenticates... I've tried both with and without the MS-CHAP option, that doesn't seem to change it. Also tried User-Password instead of Cleartext-Password, no change. Any suggestions?

Ryan
Re: MSCHAP test client?
JRadius simulator will do MSCHAPv2 very well...
http://jradius.org/wiki/index.php/JRadiusSimulator

On 7/12/07, Hugh Messenger <[EMAIL PROTECTED]> wrote:
Phil Mayers said:
> On Thu, 2007-07-12 at 11:46 -0500, Hugh Messenger wrote:
> > Has anyone ever come across a RADIUS test client which supports
> > MSCHAP?
>
> If you mean plain MS-CHAP, you can do it with radclient. Since, with
> plain MS-CHAP, the NAS generates the challenge and sends it to the
> radius server with the response. Since the response for any given
> challenge is the same, you can just capture a chal/resp pair (e.g. in
> debug mode) and replay it an arbitrary number of times.

Ah HAH! That is exactly what I needed, thank you.

> If you mean EAP/MS-CHAP (or EAP/PEAP/MS-CHAP) you can use eapol_test
> from wpa_supplicant.

That's next month, as part of our baby-steps migration to FR. For now it's just our PPPOE clients. Then dialup. Then "funky stuff".

-- hugh
Re: [meta] admin tools and utilities
Haven't tried ntradping, but jradiussimulator does a great job of being a simulated radius client.
http://jradius.org/wiki/index.php/JRadiusSimulator

On 6/28/07, Hugh Messenger <[EMAIL PROTECTED]> wrote:
Forgive me if meta-discussions are frowned upon. I was just wondering what tools and utilities (not shipped with freeradius) people find useful in day to day admin and testing.

My vote goes to NTRadPing, a fully featured Windows take on the standard UN*X radping. Freebie, from http://www.dialways.com/download/. Very intuitive UI for creating, saving, loading and executing auth and accounting queries. Configurable dictionary file. I'd be lost without it.

Something I'd really like to find is an 'unsolicited' test service, simulating a NAS listening on 1700, to help diagnose disconnect request issues.

-- hugh
Re: mschapv2 and users file
Alan DeKok already hit it head on, I had an old version of the radius dictionary hanging around. -v doesn't list the version of the modules or dictionary file unfortunately. Swapped in the new one and it works.

Ryan

On 6/20/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
Hi,

> I'm having the same problem on 1.1.6, but when I try the cobb
> Cleartext-Password := "secret" as below, i get this when starting...
>
> /etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown
> attribute "Cleartext-password"
> Errors reading /etc/raddb-test/users
> radiusd.conf[1052]: files: Module instantiation failed.
> radiusd.conf[1654] Unknown module "files".
> radiusd.conf[1589] Failed to parse authorize section.

output of `radiusd -v` please

alan
Re: mschapv2 and users file
I'm having the same problem on 1.1.6, but when I try the cobb Cleartext-Password := "secret" as below, I get this when starting...

/etc/raddb-test/users[1]: Parse error (check) for entry test: Unknown attribute "Cleartext-password"
Errors reading /etc/raddb-test/users
radiusd.conf[1052]: files: Module instantiation failed.
radiusd.conf[1654] Unknown module "files".
radiusd.conf[1589] Failed to parse authorize section.

On 6/20/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
Matt Cobb wrote:
> Tried:
>
> cobb Cleartext-Password:="secret"
>
> same result:

Please post the ENTIRE debug output. Trust me, MS-CHAP works in the server.

Put that entry at the TOP of the "users" file, and it should work. Odds are you put it in the middle of the "users" file, and there's an earlier entry which means that the "cobb" entry is never used.

Alan DeKok.
Re: Freeradius PAP and CHAP
Instead of using radclient/radtest, this program BY FAR is the best way to debug a radius box...
http://jradius.org/wiki/index.php/JRadiusSimulator

On 6/19/07, hao chen <[EMAIL PROTECTED]> wrote:
Hi, Ivan

I want to know how to test CHAP with radclient (I have no NAS). Could you give me an example of the radclient configure file?

Thank you.
-chenhao

2007/6/20, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
>
> No, not with radtest. You can use radclient, which has much more ability,
> but is also more complicated.
>
> Use, for instance, XP dialup connection. In connection properties click
> on Security tab, Advanced radio button and then Settings button. By
> default all protocols are ticked. Leave only CHAP ticked and exit with
> OK. Once you are done with testing remember to go back and add protocols
> back.
>
> WARNING: This will work only if the NAS you are connecting through also
> supports CHAP authentication. If it doesn't, XP client with only CHAP
> enabled won't be able to connect.
>
> Ivan Kalik
> Kalik Informatika ISP
>
>
> On 19/6/2007, "lisa laam" <[EMAIL PROTECTED]> writes:
>
> >thanks,
> >
> >Is there a way to test CHAP?
> >
> >could we test that with "radtest"?
> >
> >
> >2007/6/19, [EMAIL PROTECTED] <[EMAIL PROTECTED]>:
> >>
> >> Have a look at dictionary.freeradius.internal. You will find several
> >> xxx-Password attributes where xxx are supported encryption types.
> >>
> >> To test CHAP you don't need to "tell" Freeradius anything. Chap module
> >> is enabled by default, so it will work if you haven't disabled it. What
> >> you need to do is to get the client to use CHAP - radius server will
> >> "follow".
> >>
> >> Ivan Kalik
> >> Kalik Informatika ISP
> >>
> >>
> >> On 19/6/2007, "lisa laam" <[EMAIL PROTECTED]> writes:
> >>
> >> >Hi,
> >> >
> >> >I configured Freeradius to use PAP method with users file.
> >> >The password is stored in clear text in the user file and it works well.
> >> >
> >> >Now I want to use other mode of user storing with PAP method (example MD5
> >> >with the user file located in /freeradius-1.1.6/src/tests/digest-auth-MD5)
> >> >
> >> >1- How to tell freeradius that the user password is stored in clear text,
> >> >or digest, or MD5 hashed, etc ??
> >> >I tried to copy the content of "digest-auth-MD5" in the "users" file and I
> >> >got this error :
> >> >
> >> >Errors reading /opt/freeradius/etc/raddb/users
> >> >radiusd.conf[1067]: files: Module instantiation failed.
> >> >radiusd.conf [1852] Unknown module "files".
> >> >radiusd.conf[1788] Failed to parse authorize section.
> >> >
> >> >I want to test also CHAP method, how to tell radius to use this method
> >> >instead of PAP?
> >> >
> >> >thanks
Re: Help with Multiple AD/LDAP
it works! Just a quick followup for anyone else that might run into it...

You need to define the DEFAULT users.conf entry differently as it can apply to different servers individually.

DEFAULT LDAP1-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0

DEFAULT LDAP2-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0

DEFAULT LDAP3-Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=0

works perfectly...

Ryan Kramer

On 6/11/07, Ryan Kramer <[EMAIL PROTECTED]> wrote:
Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am running into a problem. Just a quick background, I have one server that has multiple root level OU's with users under it. It may not be the recommended design, but for our needs it is suitable. I've set up freeradius with three unique ldap entries, all connecting to the same AD server but under different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=1

radiusd.conf

authorize {
        ...
        LDAP1
        LDAP2
        LDAP3
}

which will return group=WIFIUSER in the Access-Accept if the user is in the WIFIUSER AD group.

The problem is it only works if the user exists in the last LDAP entry that is listed. It will still return an Access-Accept, but no group, if they aren't in the last OU. (In the example above, a user in the LDAP1 OU would not get the WIFIUSER group in the Access-Accept, even though they are in it. Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer
Help with Multiple AD/LDAP
Hello,

I'm working on a new config to allow multiple AD servers to be hit, and am running into a problem. Just a quick background, I have one server that has multiple root level OU's with users under it. It may not be the recommended design, but for our needs it is suitable. I've set up freeradius with three unique ldap entries, all connecting to the same AD server but under different OU's.

Anyway, in users.conf I've got this:

DEFAULT Ldap-Group == "WIFIUSER"
        Filter-ID = "WIFIUSER",
        Fall-Through=1

radiusd.conf

authorize {
        ...
        LDAP1
        LDAP2
        LDAP3
}

which will return group=WIFIUSER in the Access-Accept if the user is in the WIFIUSER AD group.

The problem is it only works if the user exists in the last LDAP entry that is listed. It will still return an Access-Accept, but no group, if they aren't in the last OU. (In the example above, a user in the LDAP1 OU would not get the WIFIUSER group in the Access-Accept, even though they are in it. Moving LDAP1 to the bottom would make it work.)

Any suggestions?

Ryan Kramer
Re: Freeradius Auth via LDAP against Active Directory Server 2003
Were you ever able to solve the issue of multiple OU's? I have about 100 OU's that have users under them, running without a specified OU doesn't work, and obviously once I drop into an OU it hits the users that live there, and no others.

Ryan

On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the whole active directory, hence I kept setting my basedn without an ou. After seeing your excellent example and auth'ing had failed I stuck in an OU and tried a user from the OU and worked fine.

So my question is this, to auth people from multiple OU's do I create a new ldap module for each OU or is there a simpler way.

Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for monday will be setting up the cisco and wireless clients now :)

On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> radiusd.conf: http://pastebin.ca/464133
> radius -X output: http://pastebin.ca/464138
>
> Tried with 1.1.6 and fails with this error:
>
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
> radiusd.conf[540]: ldap: Module instantiation failed.
> radiusd.conf[586] Unknown module "ldap".
> radiusd.conf[586] Failed to parse "ldap" entry.
> -
> /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>
> [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
> -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
>
> I assume the permissions are correct, as it was installed by rpm. I'm
> building the 1.1.4 rpm now, will report back once done.
>
> On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > Thanks for the very detailed instructions.
> >
> > I will attempt this shortly (brought rad & ad servers home for weekend study).
> >
> > Quite possible the biggest learning curve for me is the ldap fields
> > but I am finally starting to get familiar with them.
> >
> > Cheers again, will post back once I've run the radtest.
> >
> > On 4/28/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> > > I haven't been following your (quite extensive) queries, so apologies if
> > > I've missed something fundamental.
> > >
> > > I honestly don't know why this is proving so difficult. I've just tested
> > > this against our own 2k3 AD service, and although I'm pretty familiar
> > > with FR it took under 5 minutes. Try following the instructions below.
> > > These were tested with FreeRadius 1.1.4
> > >
> > > 1. First, create or locate an existing account which FreeRadius can bind
> > > and do its searches as. Record the following variables:
> > >
> > > SEARCHDN=
> > > SEARCHPW=
> > > BASEDN=
> > > ADHOST=
> > >
> > > For example, these might be:
> > >
> > > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > > SEARCHPW=blahblah
> > > BASEDN=OU=My Site,DC=mysite,DC=com
> > >
> > > 2. Next, take the default "radiusd.conf"
> > >
> > > 3. Find the start of the modules section:
> > >
> > > modules {
> > > ...
> > >
> > > Delete this line and all the following lines
> > >
> > > 4. Insert the following config:
> > >
> > > modules {
> > >     ldap {
> > >         server = "$ADHOST"
> > >         identity = "$SEARCHDN"
> > >         password = "$SEARCHPW"
> > >
> > >         basedn = "$BASEDN"
> > >         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> > >
> > >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >
> > >         ldap_connections_number = 5
> > >         timeout = 4
> > >         timelimit = 3
> > >         net_timeout = 1
> > >     }
> > >
> > >     preprocess {
> > >         huntgroups = ${confdir}/huntgroups
> > >         hints = ${confdir}/hints
> > >
> > >         with_ascend_hack = no
> > >         ascend_channels_per_line = 23
> > >
> > >         with_ntdomain_hack = no
> > >         with_specialix_jetstream_hack = no
> > >         with_cisco_vsa_hack = no
> > >     }
> > >
> > >     detail {
> > >         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > >         detailperm = 0644
> > >     }
> > > }
> > >
> > > instantiate {
> > > }
> > >
> > > authorize {
> > >     preprocess
> > >
> > >     ldap
> > > }
> > >
> > > authenticate {
> > >     Auth-Type LDAP {
> > >         ldap
> > >     }
> > > }
> > >
> > > preacct {
> > >     preprocess
> > > }
> > >
> > > accounting {
> > >     detail
> > > }
> > >
> > > session {
> > > }
> > >
> > > post-auth {
> > > }
> > >
> > > pre-proxy {
> > > }
> > >
> > > post-proxy {
> > > }
> > >
> > > 5. Start the server with -X
> > >
> > > 6. Run "radtest" to send a checking PAP request
> > >
> > > It should work.
> > >
> > > The above config is the ABSOLUTE BARE MINIMUM server config which will
> > > check PAP requests ONLY against an AD
Re: Freeradius and MS ActiveDirectory
It is already built into FreeRadius in a number of ways... either NTLM or Ldap to AD.

Ryan Kramer

On 5/24/07, Ouahiba MACHANI <[EMAIL PROTECTED]> wrote:
Hi,

Is there any plug-in for Freeradius that allows it to interface with an Active Directory and authenticate users?? If not, is it possible to develop such a plug-in? And what are the requirements? Could this plug-in be a PAM module?

thanks.
Re: Freeradius Auth via LDAP against Active Directory Server 2003
You can take care of #1 by still doing LDAP to AD for the groups, but using ntlm for the password authentication. This seems counterproductive, unless you are using a backside encryption where you need to do it that way, which is what I ended up having to do.

On 4/30/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
Thanks for the tip Ryan but I have been down that road and 2 reasons stopped me:
1 - no way of retrieving ldap groups
2 - Been requested not to have samba on the machine.

ntlm_auth was very straight forward for me because it supports all the encryption methods.

On 5/1/07, Ryan Kramer <[EMAIL PROTECTED]> wrote:
> depending on the wifi auth method, you may want to also investigate a
> NTLM_AUTH method instead of straight ldap. This requires the freeradius
> machine to be a member of the domain, but once you do that it works great.
>
> On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > OK tried with 1.1.4 and yerp works great.
> >
> > radiusd -X output: http://pastebin.ca/464153
> > radiusd.conf: http://pastebin.ca/464156
> >
> > I also realised a mistake I have been making, see I want to search the
> > whole active directory, hence I kept setting my basedn without an ou.
> > After seeing your excellent example and auth'ing had failed I stuck in
> > an OU and tried a user from the OU and worked fine.
> >
> > So my question is this, to auth people from multiple OU's do I create
> > a new ldap module for each OU or is there a simpler way.
> >
> > Thanks very much for your help Phil, it's been a very productive
> > weekend thanks to the info you provided.
> >
> > My challenge for monday will be setting up the cisco and wireless clients now :)
> >
> > On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > > radiusd.conf: http://pastebin.ca/464133
> > > radius -X output: http://pastebin.ca/464138
> > >
> > > Tried with 1.1.6 and fails with this error:
> > >
> > > rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> > > rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> > > rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
> > > radiusd.conf[540]: ldap: Module instantiation failed.
> > > radiusd.conf[586] Unknown module "ldap".
> > > radiusd.conf[586] Failed to parse "ldap" entry.
> > > -
> > > /etc/raddb/ldap.attrmap does exist as provided by the rpm.
> > >
> > > [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
> > > -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
> > >
> > > I assume the permissions are correct, as it was installed by rpm. I'm
> > > building the 1.1.4 rpm now, will report back once done.
> > >
> > > On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > > > Thanks for the very detailed instructions.
> > > >
> > > > I will attempt this shortly (brought rad & ad servers home for weekend study).
> > > >
> > > > Quite possible the biggest learning curve for me is the ldap fields
> > > > but I am finally starting to get familiar with them.
> > > >
> > > > Cheers again, will post back once I've run the radtest.
> > > >
> > > > On 4/28/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> > > > > I haven't been following your (quite extensive) queries, so apologies if
> > > > > I've missed something fundamental.
> > > > >
> > > > > I honestly don't know why this is proving so difficult. I've just tested
> > > > > this against our own 2k3 AD service, and although I'm pretty familiar
> > > > > with FR it took under 5 minutes. Try following the instructions below.
> > > > > These were tested with FreeRadius 1.1.4
> > > > >
> > > > > 1. First, create or locate an existing account which FreeRadius can bind
> > > > > and do its searches as. Record the following variables:
> > > > >
> > > > > SEARCHDN=
> > > > > SEARCHPW=
> > > > > BASEDN=
> > > > > ADHOST=
> > > > >
> > > > > For example, these might be:
> > > > >
> > > > > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > > > > SEARCHPW=blahblah
> > > > > BASEDN=OU=My Site,DC=mysite,DC=com
> > > > >
Re: Freeradius Auth via LDAP against Active Directory Server 2003
depending on the wifi auth method, you may want to also investigate a NTLM_AUTH method instead of straight ldap. This requires the freeradius machine to be a member of the domain, but once you do that it works great.

On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
OK tried with 1.1.4 and yerp works great.

radiusd -X output: http://pastebin.ca/464153
radiusd.conf: http://pastebin.ca/464156

I also realised a mistake I have been making, see I want to search the whole active directory, hence I kept setting my basedn without an ou. After seeing your excellent example and auth'ing had failed I stuck in an OU and tried a user from the OU and worked fine.

So my question is this, to auth people from multiple OU's do I create a new ldap module for each OU or is there a simpler way.

Thanks very much for your help Phil, it's been a very productive weekend thanks to the info you provided. My challenge for monday will be setting up the cisco and wireless clients now :)

On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> radiusd.conf: http://pastebin.ca/464133
> radius -X output: http://pastebin.ca/464138
>
> Tried with 1.1.6 and fails with this error:
>
> rlm_ldap: reading ldap<->radius mappings from file /etc/raddb/ldap.attrmap
> rlm_ldap: Opening file /etc/raddb/ldap.attrmap failed
> rlm_ldap: Reading dictionary mappings from file /etc/raddb/ldap.attrmap failed
> radiusd.conf[540]: ldap: Module instantiation failed.
> radiusd.conf[586] Unknown module "ldap".
> radiusd.conf[586] Failed to parse "ldap" entry.
> -
> /etc/raddb/ldap.attrmap does exist as provided by the rpm.
>
> [EMAIL PROTECTED] src]# ls -l /etc/raddb/ldap.attrmap
> -rw-r- 1 root root 2424 Apr 19 16:32 /etc/raddb/ldap.attrmap
>
> I assume the permissions are correct, as it was installed by rpm. I'm
> building the 1.1.4 rpm now, will report back once done.
>
> On 4/29/07, Jacob Jarick <[EMAIL PROTECTED]> wrote:
> > Thanks for the very detailed instructions.
> >
> > I will attempt this shortly (brought rad & ad servers home for weekend study).
> >
> > Quite possible the biggest learning curve for me is the ldap fields
> > but I am finally starting to get familiar with them.
> >
> > Cheers again, will post back once I've run the radtest.
> >
> > On 4/28/07, Phil Mayers <[EMAIL PROTECTED]> wrote:
> > > I haven't been following your (quite extensive) queries, so apologies if
> > > I've missed something fundamental.
> > >
> > > I honestly don't know why this is proving so difficult. I've just tested
> > > this against our own 2k3 AD service, and although I'm pretty familiar
> > > with FR it took under 5 minutes. Try following the instructions below.
> > > These were tested with FreeRadius 1.1.4
> > >
> > > 1. First, create or locate an existing account which FreeRadius can bind
> > > and do its searches as. Record the following variables:
> > >
> > > SEARCHDN=
> > > SEARCHPW=
> > > BASEDN=
> > > ADHOST=
> > >
> > > For example, these might be:
> > >
> > > SEARCHDN=CN=freeradius,OU=Users,OU=My Site,DC=mysite,DC=com
> > > SEARCHPW=blahblah
> > > BASEDN=OU=My Site,DC=mysite,DC=com
> > >
> > > 2. Next, take the default "radiusd.conf"
> > >
> > > 3. Find the start of the modules section:
> > >
> > > modules {
> > > ...
> > >
> > > Delete this line and all the following lines
> > >
> > > 4. Insert the following config:
> > >
> > > modules {
> > >     ldap {
> > >         server = "$ADHOST"
> > >         identity = "$SEARCHDN"
> > >         password = "$SEARCHPW"
> > >
> > >         basedn = "$BASEDN"
> > >         filter = "(sAMAccountName=%{Stripped-User-Name:-%{User-Name}})"
> > >
> > >         dictionary_mapping = ${raddbdir}/ldap.attrmap
> > >
> > >         ldap_connections_number = 5
> > >         timeout = 4
> > >         timelimit = 3
> > >         net_timeout = 1
> > >     }
> > >
> > >     preprocess {
> > >         huntgroups = ${confdir}/huntgroups
> > >         hints = ${confdir}/hints
> > >
> > >         with_ascend_hack = no
> > >         ascend_channels_per_line = 23
> > >
> > >         with_ntdomain_hack = no
> > >         with_specialix_jetstream_hack = no
> > >         with_cisco_vsa_hack = no
> > >     }
> > >
> > >     detail {
> > >         detailfile = ${radacctdir}/%{Client-IP-Address}/detail-%Y%m%d
> > >         detailperm = 0644
> > >     }
> > > }
> > >
> > > instantiate {
> > > }
> > >
> > > authorize {
> > >     preprocess
> > >
> > >     ldap
> > > }
> > >
> > > authenticate {
> > >     Auth-Type LDAP {
> > >         ldap
> > >     }
> > > }
> > >
> > > preacct {
> > >     preprocess
> > > }
> > >
> > > accounting {
> > >     detail
> > > }
> > >
> > > session {
> > > }
> > >
> > > post-auth {
> > > }
> > >
> > > pre-proxy {
> > > }
> > >
> > > post-proxy {
> > > }
> > >
> > > 5. Start the server with -X
> > >
> > > 6. Run "radtest" to send a checking PAP request
> > >
> > > It should work.
> > >
> > > The above config is the ABSOLUTE BARE MINIMUM server config which will
> > > check PAP requests ONLY against an AD LDAP server. I do NOT recom
Re: LDAP changes between 1.01 and 1.1.5
On 4/12/07, Alan DeKok <[EMAIL PROTECTED]> wrote:
> Ryan Kramer wrote:
> > Apparently something in the ldap_escape_func is broken when talking to
> > Microsoft AD.
>
> The code does not distinguish between Microsoft AD and other LDAP servers.

Correct, it is very simple code and doesn't care. My guess is that it is Microsoft AD not acting like any other reasonable AD on the planet, I suspect. I'll post my exact queries tomorrow, but as I mentioned, the only change was to revert that section of code back to the 1.0.1 version, recompile, and it works great. I hacked away at the configs for about 3 hours without any success using pretty much every trick I could think of to get it working.

I SUSPECT something might not be escaped in a manner the MS AD server likes, or maybe just the fact it has any escape sequences built in at all is what is causing it to toss it. Hopefully tomorrow I'll be able to get some logs from our server admins to see exactly what the queries they receive look like.
Re: LDAP changes between 1.01 and 1.1.5
No. It's part of the LDAP query. In order to avoid external users logging in with names that are valid LDAP queries, the untrusted user input is escaped before it is passed to the LDAP module.

Apparently something in the ldap_escape_func is broken when talking to Microsoft AD. I replaced the code of that function with the much more lenient code of the 1.0.1 ldap_escape_func, and it works great with MS LDAP now!
LDAP changes between 1.01 and 1.1.5
I've recently moved to 1.1.5, and went from a system that worked perfectly with MS LDAP to one that will no longer find the user groups, using the identical config. Anyone have any ideas? The obvious one is that 1.1.5 throws in all kinds of escape characters, but I'm assuming that is output only.

Ryan Kramer

1.0.1 output

rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter (&(cn=DIVISION-WIFI)(|(&(objectClass=group)(member=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company
rlm_ldap::ldap_groupcmp: User found in group DIVISION-WIFI

1.1.5 output

rlm_ldap: performing search in ou=DIVISION,dc=state,dc=company, with filter (&(cn=DIVISION-WIFI)(|(&(objectClass=group)(member=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany))(&(objectClass=GroupOfUniqueNames)(uniquemember=CN\3dKramer\5c\5c\2c Ryan M.\2cOU\3dUSERS\2cOU\3dDIVISION\2cDC\3dstate\2cDC\3dcompany
rlm_ldap: object not found or got ambiguous search result
rlm_ldap::ldap_groupcmp: Group DIVISION-WIFI not found or user is not a member.
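The escaping the two replies above are about, written out as an added Python example (this is not FreeRADIUS's ldap_escape_func, whose exact rules the thread does not show): it applies the RFC 4515 minimal escape set to an untrusted User-Name before it goes into the (sAMAccountName=...) filter from Phil Mayers' config earlier on this page, and rebuilds the group-membership filter seen in the 1.0.1 output above. The user DN CN=Kramer\, Ryan M.,OU=USERS,... is my reconstruction of what AD returns for that user, and all function names are mine.

```python
# Added example: RFC 4515 escaping of untrusted values before they are
# interpolated into an LDAP search filter, the job rlm_ldap does for
# %{User-Name} in "(sAMAccountName=...)" and for the user's DN in the
# group-membership filter shown in this thread.

# RFC 4515 section 3: inside a filter assertion value only these bytes
# MUST be escaped. Any other byte MAY be escaped as \XX, so the 1.1.5
# output with \3d and \2c is still a syntactically valid filter; whether
# a given server matches it is a separate question, which is what this
# thread is about.
_MUST_ESCAPE = {"\\", "*", "(", ")", "\x00"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP filter.

    Each character that needs escaping becomes a backslash followed by its
    two-digit hex code. Non-ASCII characters are UTF-8 encoded and every
    byte of the encoding is escaped, which is the conservative choice.
    """
    out = []
    for ch in value:
        if ch in _MUST_ESCAPE:
            out.append("\\%02x" % ord(ch))
        elif ord(ch) < 0x80:
            out.append(ch)
        else:
            out.extend("\\%02x" % b for b in ch.encode("utf-8"))
    return "".join(out)


def samaccountname_filter(user_name: str) -> str:
    """Per-user search filter from the config earlier on this page, with the
    User-Name escaped instead of pasted in verbatim."""
    return "(sAMAccountName=%s)" % escape_filter_value(user_name)


def group_member_filter(group_cn: str, user_dn: str) -> str:
    """Group-membership filter in the shape of the 1.0.1 debug output.

    The user's DN carries an RFC 4514 escape ("Kramer\\, Ryan M."), so the
    only character that must be escaped again for the filter is that
    backslash; the '=' and ',' of the DN are left alone.
    """
    cn = escape_filter_value(group_cn)
    dn = escape_filter_value(user_dn)
    return (
        "(&(cn=%s)(|(&(objectClass=group)(member=%s))"
        "(&(objectClass=GroupOfUniqueNames)(uniquemember=%s))))" % (cn, dn, dn)
    )


def is_safe_filter_value(value: str) -> bool:
    """Defensive check: True when escaping would change nothing, i.e. the
    value contains no filter metacharacters. A User-Name for which this is
    False is worth logging before it ever reaches the directory."""
    return escape_filter_value(value) == value


if __name__ == "__main__":
    # Constructed sample values based on the debug output in this thread.
    user_dn = "CN=Kramer\\, Ryan M.,OU=USERS,OU=DIVISION,DC=state,DC=company"
    print(samaccountname_filter("test"))
    print(group_member_filter("DIVISION-WIFI", user_dn))
    print(is_safe_filter_value("test"), is_safe_filter_value("te*st"))
```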
Re: question about freeradius, 802.1x with peap, auth via LDAP
1) Microsoft LDAP isn't like normal ldap, you don't get access to the password. To have freeradius touch the password at any point, it needs to be on the domain and do a ntlm_auth instead of ldap.

On 4/4/07, wenny wang <[EMAIL PROTECTED]> wrote:
Hi,

I need help/advice with the following scenario:

1. I have a freeradius server, this server is not part of Active Directory Domain, server is able to perform ldapsearch for user account.
2. the workstation is a windows 2000 pc, need to be authenticated thru Cisco catalyst switch to the freeradius server with user's LAN username and password transparently (peap)

my question is: what is the requirement for radius server, does the server need to be part of the Active Directory Domain? can you direct me to a how-to link? I have made several configurations but none were successful, please help, thanks.
Re: Radius Packet Simulator
jradius is about the best I've found.

On 4/2/07, khursheed Ahmed <[EMAIL PROTECTED]> wrote:
Hi All

I need a RADIUS Packet simulator, which could simulate RADIUS packets for me. If there is any, please tell me, as I need it because I'm developing a Translation Agent which could translate (convert) RADIUS packets into Diameter packets. Is there any idea? Please help me.

Khursheed Ahmed
QAU
802.1x->radius VLAN assignment
Hello!

I am working on implementing freeradius with an aruba Wifi controller connected to freeradius, which then talks to AD. (The linux box is on the AD domain)

Anyway, we need to pull the vlan identifier through from an AD group, but it appears FreeRadius does not pull that through the request field. Anyone have any thoughts? We know this is possible through the Microsoft radius solution, but are having a tough time of it without using that instead.

Thanks!
Ryan Kramer