pam_radius_auth token user

2006-04-11 Thread Josh Restivo

This question appears in various forums time and time again, though I've yet to 
discover a solution for it under Linux. It *must* be a common issue.

The need exists to map users who are successfully authenticated via 
pam_radius_auth and who do not have a local account to a default 'token 
user'. FreeBSD's radius/pam module has a simple and obvious 'template_user' 
directive that suits this precise purpose well. Linux pam_radius_auth lacks 
this feature. 

Deploying centralized authentication only to require that all other user info  
be manually configured on each and every device anyway doesn't make any 
sense. Nor should it involve a full-blown and often unwieldy NIS (or similar) 
infrastructure to function. Surely I'm overlooking something.
- 
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


Regarding VLAN

2006-04-11 Thread radhika putty
Hi,

I tried sending tunneling attributes from the RADIUS server and it shows sending those tunneling attributes. But the access point doesn't seem to understand them anyway. I had configured both the access point and the switch for this. What can be the problem?

Re: group definitions in users file

2006-04-11 Thread Alan DeKok
"ho" <[EMAIL PROTECTED]> wrote:
> Is it possible to group the User entries and than give them the special 
> profile with the AVPairs?

  Yes.  You can use Unix groups for this, or create your own groups.
See "man rlm_passwd" for an example of creating groups.

  Alan DeKok.


Help, Chap problem

2006-04-11 Thread fjlagos
Hello:

I have this problem; I get this message in the log:

"Tue Apr 11 14:43:18 2006 : Auth: Login incorrect (rlm_chap: Clear text
password not available): [adexus/] (from client 3com port
268443649 cli 0010-a484-6e7a)"

I set the users file as follows:

adexus   Auth-Type := CHAP,   User-Password == "adexus"

I configured the Windows 2000 802.1x client as follows:

EAP type: MD5 challenge

Any idea?


Regards

Francisco Lagos 




group definitions in users file

2006-04-11 Thread ho

Hi folks,

my environment:

I do AAA with FreeRADIUS as a RADIUS proxy in combination with MS IAS (only 
for the passwords ;-) ) for a Cisco ASA 5540 box, which is similar to a Cisco 
PIX firewall.


In the future we will have many, many entries for users with the same 
Cisco-AVPairs:


USER1 Proxy-To-Realm := IAS
   Service-Type = Framed-User,
   Framed-Protocol = PPP,
   Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
   Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq domain",
   Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 264",
   Cisco-AVPair += "ip:inacl# = permit tcp any host A.B.C.D eq 443",
   Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq isakmp",
   Cisco-AVPair += "ip:inacl# = permit udp any host A.B.C.D eq 2746",
   Cisco-AVPair += "ip:inacl# = permit esp any host A.B.C.D",
   Cisco-AVPair += "ip:inacl# = deny tcp any any",
   Cisco-AVPair += "ip:inacl# = deny udp any any",
   Fall-Through = 0



Is it possible to group the User entries and then give them the special 
profile with the AVPairs?


If not, what could be another good workaround for this problem?


thanks

marco


Re: sql database in freeradius-1.1.1 ???

2006-04-11 Thread A . L . M . Buxey
Hi,

> src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
> 
> are lost in version 1.1.1, which i've downloaded 2 days ago?
> 
> I've tried a find, but didn't have a match.

doc/examples/mysql.sql ?

granted, not many people look in the doc directory generally

;-)


alan


Re: sql database in freeradius-1.1.1 ???

2006-04-11 Thread ho

Thank you for answering so quickly, I found the file.

sorry for posting with html.

marco

- Original Message - 
From: "Alan DeKok" <[EMAIL PROTECTED]>

To: "FreeRadius users mailing list" 
Sent: Tuesday, April 11, 2006 9:29 PM
Subject: Re: sql database in freeradius-1.1.1 ???



"ho" <[EMAIL PROTECTED]> wrote:

src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql

are lost in version 1.1.1, which i've downloaded 2 days ago?


 doc/examples/

 Alan DeKok.


Re: sql database in freeradius-1.1.1 ???

2006-04-11 Thread Alan DeKok
"ho" <[EMAIL PROTECTED]> wrote:
> src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql
> 
> are lost in version 1.1.1, which i've downloaded 2 days ago?

  doc/examples/

  Alan DeKok.


sql database in freeradius-1.1.1 ???

2006-04-11 Thread ho

Hi,

Am I right that the database schemas under, e.g.,

src/modules/rlm_sql/drivers/rlm_sql_mysql/db_mysql.sql

are lost in version 1.1.1, which I've downloaded 2 days ago?

I've tried a find, but didn't have a match.

Can I use the same schema I've downloaded with version 1.0.4?

Best regards

marco


Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-11 Thread Peter Nixon
On Tue 11 Apr 2006 20:20, Alan DeKok wrote:
> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> > Perhaps it's fine if the copyright owners distribute the binaries
> > themselves, I don't know.
>
>   Copyright owners can do whatever they want with their copyrighted
> material, including changing the copyright, or distributing the
> material in ways that are denied to others.
>
> > Aside the legal problem, I believe it's a great idea: we could provide
> > an apt repository with the latest version of FreeRADIUS for Debian
> > stable, testing and unstable.
>
>   Ok.  Let's get it set up.
>
>   If we go down that route, though, I'd like to make RPM's available,
> Solaris PKG's, etc.  That involves some additional resources which
> might not be readily available.

I already make RPMs available on a sporadic basis for SUSE. I had a Red Carpet 
repo set up also, but haven't maintained it recently...

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc


Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-11 Thread Tyler MacDonald
Alan DeKok <[EMAIL PROTECTED]> wrote:
> Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> > Perhaps it's fine if the copyright owners distribute the binaries
> > themselves, I don't know.
> 
>   Copyright owners can do whatever they want with their copyrighted
> material, including changing the copyright, or distributing the
> material in ways that are denied to others.
> 
> > Aside the legal problem, I believe it's a great idea: we could provide
> > an apt repository with the latest version of FreeRADIUS for Debian
> > stable, testing and unstable.
> 
>   Ok.  Let's get it set up.
> 
>   If we go down that route, though, I'd like to make RPM's available,
> Solaris PKG's, etc.  That involves some additional resources which
> might not be readily available.

I've had my eye on this package, it may help:

http://www.autobuild.org/

I think even if we do this, I'd like to see the FreeRadius license
change to allow linking against OpenSSL, the OpenSSL license to change to
allow linking against GPL, and the GPL license to change to allow linking
against whatever.

- Tyler



Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-11 Thread Alan DeKok
Nicolas Baradakis <[EMAIL PROTECTED]> wrote:
> Perhaps it's fine if the copyright owners distribute the binaries
> themselves, I don't know.

  Copyright owners can do whatever they want with their copyrighted
material, including changing the copyright, or distributing the
material in ways that are denied to others.

> Aside the legal problem, I believe it's a great idea: we could provide
> an apt repository with the latest version of FreeRADIUS for Debian
> stable, testing and unstable.

  Ok.  Let's get it set up.

  If we go down that route, though, I'd like to make RPM's available,
Solaris PKG's, etc.  That involves some additional resources which
might not be readily available.

  Alan DeKok.


Re: Allow linking against OpenSSL? (Was Re: [GENERAL] Debian package for freeradius_postgresql module)

2006-04-11 Thread Nicolas Baradakis
Alan DeKok wrote:

>   How about an additional idea: I don't think it's a problem for
> copyright owners to distribute binaries, so if we set up a mini apt
> system (say apt.freeradius.org), we could put problematic debian
> packages there.

Perhaps it's fine if the copyright owners distribute the binaries
themselves, I don't know.

Aside from the legal problem, I believe it's a great idea: we could provide
an apt repository with the latest version of FreeRADIUS for Debian
stable, testing and unstable. Indeed, I think more people are
installing Debian stable (Sarge) on a production server, but they
get an old version of FreeRADIUS (unless they compile it manually).
Such a repository would help the Debian users to easily upgrade
FreeRADIUS on their servers with the apt-get utility.

-- 
Nicolas Baradakis



How to implement radius with mysql

2006-04-11 Thread Alejandro Sanchez
Hello.

I am a new user of FreeRADIUS; the version that I use
is 1.0.4-1.

Does anybody know where I can find help to enable MySQL
with RADIUS?


Thanks, Alex.


Re: Acct-Type and MySQL

2006-04-11 Thread Nicolas Baradakis
Luca Corti wrote:

> Now I'd like to specify "Acct-Type := DIALUP" in MySQL for a particular
> group of users so that accounting for that group uses sql_dialup.
> 
> Is this doable? Do I need to specify Acct-Type as a reply or check item?

You need to specify Acct-Type during "preacct". It's doable if you
can write an acct_users file to set the Acct-Type.

If you need to do it with MySQL, I've seen a patch on the bugzilla.
http://bugs.freeradius.org/show_bug.cgi?id=264

-- 
Nicolas Baradakis



RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Burton, Steven
> Sent: 11 April 2006 16:15
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] On Behalf Of King, Michael
> > Sent: 11 April 2006 15:40
> > To: FreeRadius users mailing list
> > Subject: RE: How do I set up simple AD integration?
> > 
> > 
> > > 
> > > Is there a how-to or tutorial for this simple case? I have 
> > > searched this list and google generally. I have read the 
> > > articles referred to on the FreeRadius home page and several 
> > > others and I still can't see how the configuration works. Any 
> > > and all help gratefully received.
> > > 
> > > Steve.
> > > 
> > 
> > 
> > As for the simple how-to, there are a few, but none that I
> > would consider easy to follow.
> > 
> >   What you're looking for is the following lines:  (I have
> > two ntlm_auth lines, the original that is commented out, and the one that I
> > use.  They are long, so they will break across lines, but they are not
> > that way in my config file)
> > 
> > 
> > # Windows sends us a username in the form of
> > # DOMAIN\user, but sends the challenge response
> > # based on only the user portion.  This hack
> > # corrects for that incorrect behavior.
> > #
> > with_ntdomain_hack = yes
> > 
> > # The module can perform authentication itself, OR
> > # use a Windows Domain Controller.  This 
> configuration
> > # directive tells the module to call the ntlm_auth
> > # program, which will do the authentication, 
> > and return
> > # the NT-Key.  Note that you MUST have 
> "winbindd" and
> > # "nmbd" running on the local machine for ntlm_auth
> > # to work.  See the ntlm_auth program documentation
> > # for details.
> > #
> > # Be VERY careful when editing the following line!
> > #
> > #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}"
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> > --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
> > --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section; still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The
> first request didn't match anything useful and was rejected
> by System. I tried again but ticked the box 'CHAP' on
> NTRadPing and got the output:
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/eap.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = no
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded exec 
>  exec: wait = yes
>  exec: program =

Re: How do I set up simple AD integration?

2006-04-11 Thread Alan DeKok
"Burton, Steven" <[EMAIL PROTECTED]> wrote:
> This stanza is enclosed within the mschap section; still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The first
> request didn't match anything useful and was rejected by System. I
> tried again but ticked the box 'CHAP' on NTRadPing and got the
> output:

  You can't do CHAP to MS AD.  It's impossible.

  Alan DeKok.


RE: How do I set up simple AD integration?

2006-04-11 Thread King, Michael
You would still need with_ntdomain_hack = yes

But that isn't your actual problem.

It never called ntlm_auth

> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of Burton, Steven
> Sent: Tuesday, April 11, 2006 11:15 AM
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> 
> 
> > -Original Message-
> > From: [EMAIL PROTECTED] On Behalf Of King, Michael
> > Sent: 11 April 2006 15:40
> > To: FreeRadius users mailing list
> > Subject: RE: How do I set up simple AD integration?
> > 
> > 
> > > 
> > > Is there a how-to or tutorial for this simple case? I 
> have searched 
> > > this list and google generally. I have read the articles 
> referred to 
> > > on the FreeRadius home page and several others and I 
> still can't see 
> > > how the configuration works. Any and all help gratefully received.
> > > 
> > > Steve.
> > > 
> > 
> > 
> > As for the simple how-to, there are a few, but none that I would
> > consider easy to follow.
> > 
> >   What you're looking for is the following lines:  (I have two
> > ntlm_auth lines, the original that is commented out, and the one that
> > I use.  They are long, so they will break across lines, but they are
> > not that way in my config file)
> > 
> > 
> > # Windows sends us a username in the form of
> > # DOMAIN\user, but sends the challenge response
> > # based on only the user portion.  This hack
> > # corrects for that incorrect behavior.
> > #
> > with_ntdomain_hack = yes
> > 
> > # The module can perform authentication itself, OR
> > # use a Windows Domain Controller.  This 
> configuration
> > # directive tells the module to call the ntlm_auth
> > # program, which will do the authentication, and 
> > return
> > # the NT-Key.  Note that you MUST have 
> "winbindd" and
> > # "nmbd" running on the local machine for ntlm_auth
> > # to work.  See the ntlm_auth program documentation
> > # for details.
> > #
> > # Be VERY careful when editing the following line!
> > #
> > #ntlm_auth = "/path/to/ntlm_auth --request-nt-key 
> > --username=%{Stripped-User-Name:-%{User-Name:-None}}
> > --challenge=%{mschap:Challenge:-00}
> > --nt-response=%{mschap:NT-Response:-00}"
> > ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
> > --username=%{mschap:User-Name} --challenge=%{mschap:Challenge} 
> > --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section; still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The
> first request didn't match anything useful and was rejected
> by System. I tried again but ticked the box 'CHAP' on
> NTRadPing and got the output:
> 
> Starting - reading configuration files ...
> reread_config:  reading radiusd.conf
> Config:   including file: /usr/local/etc/raddb/proxy.conf
> Config:   including file: /usr/local/etc/raddb/clients.conf
> Config:   including file: /usr/local/etc/raddb/snmp.conf
> Config:   including file: /usr/local/etc/raddb/eap.conf
> Config:   including file: /usr/local/etc/raddb/sql.conf
>  main: prefix = "/usr/local"
>  main: localstatedir = "/var"
>  main: logdir = "/var/log"
>  main: libdir = "/usr/local/lib"
>  main: radacctdir = "/var/log/radacct"
>  main: hostname_lookups = no
>  main: max_request_time = 30
>  main: cleanup_delay = 5
>  main: max_requests = 1024
>  main: delete_blocked_requests = 0
>  main: port = 0
>  main: allow_core_dumps = no
>  main: log_stripped_names = no
>  main: log_file = "/var/log/radius.log"
>  main: log_auth = no
>  main: log_auth_badpass = no
>  main: log_auth_goodpass = no
>  main: pidfile = "/var/run/radiusd/radiusd.pid"
>  main: user = "(null)"
>  main: group = "(null)"
>  main: usercollide = no
>  main: lower_user = "no"
>  main: lower_pass = "no"
>  main: nospace_user = "no"
>  main: nospace_pass = "no"
>  main: checkrad = "/usr/local/sbin/checkrad"
>  main: proxy_requests = yes
>  proxy: retry_delay = 5
>  proxy: retry_count = 3
>  proxy: synchronous = no
>  proxy: default_fallback = yes
>  proxy: dead_time = 120
>  proxy: post_proxy_authorize = no
>  proxy: wake_all_if_all_dead = no
>  security: max_attributes = 200
>  security: reject_delay = 1
>  security: status_server = no
>  main: debug_level = 0
> read_config_files:  reading dictionary
> read_config_files:  reading naslist
> read_config_files:  reading clients
> read_config_files:  reading realms
> radiusd:  entering modules setup
> Module: Library search path is /usr/local/lib
> Module: Loaded 

Re: How do I set up simple AD integration?

2006-04-11 Thread Josh Howlett

Steve,

> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
> --nt-response=%{mschap:NT-Response}"
> 
> This stanza is enclosed within the mschap section; still, nothing ventured,
> I changed the line and unfolded it and ran radiusd -X. The first request didn't 
> match anything useful and was rejected by System. I tried again but ticked the 
> box 'CHAP' on NTRadPing and got the output:
> 
>   rad_check_password:  Found Auth-Type CHAP
> auth: type "CHAP"
>   Processing the authenticate section of radiusd.conf
> modcall: entering group CHAP for request 0
>   rlm_chap: login attempt by "burst01" with CHAP password
>   rlm_chap: Could not find clear text password for user burst01
>   modcall[authenticate]: module "chap" returns invalid for request 0
> modcall: leaving group CHAP (returns invalid) for request 0


You can't do this.

If you want to do ntlm_auth, you need to use an authentication protocol 
that provides FreeRADIUS with either the user's (1) cleartext 
credentials or (2) the user's NT credentials.


CHAP won't work; it's impossible. However, PAP will work, as will 
MS-CHAP. CHAP is different from MS-CHAP.


best regards, josh.
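Why rlm_chap needs a cleartext password while PAP can be checked against a hash, as an added example (not FreeRADIUS code and not from any post in this thread): a CHAP response is MD5 over the Identifier, the cleartext secret and the challenge (RFC 1994), carried in the RADIUS CHAP-Password attribute (RFC 2865), so a server that stores only a one-way hash cannot recompute it, which is exactly the "Clear text password not available" line in the log above. The salted-SHA-256 record, the function names and the sample values are constructed for this illustration; MS-CHAP, which works from the NT hash instead, is not modelled.

```python
import hashlib
import hmac
import os
from typing import Optional


def chap_response(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """RFC 1994: Response = MD5(Identifier || cleartext secret || Challenge).
    The secret goes into the hash as-is, which is the whole point below."""
    return hashlib.md5(bytes([ident]) + cleartext.encode("utf-8") + challenge).digest()


def client_chap_password(ident: int, cleartext: str, challenge: bytes) -> bytes:
    """What the NAS sends in the RADIUS CHAP-Password attribute (RFC 2865 5.3):
    one CHAP Identifier octet followed by the 16-octet MD5 response."""
    return bytes([ident]) + chap_response(ident, cleartext, challenge)


def verify_chap(chap_password: bytes, request_authenticator: bytes, stored: dict,
                chap_challenge: Optional[bytes] = None) -> str:
    """Server side, the way rlm_chap has to do it.  'stored' is the user's
    check item: {"cleartext": "..."} or a hash-only record (see make_hash_record).
    Per RFC 2865 the challenge is the CHAP-Challenge attribute when the NAS
    sent one, otherwise the 16-octet Request Authenticator of the packet."""
    if len(chap_password) != 17:
        return "invalid: CHAP-Password must be 1 + 16 octets"
    if "cleartext" not in stored:
        # The MD5 runs over the secret itself, so a crypt(3) string, an NT hash
        # or any other one-way digest cannot be used to recompute the response.
        # This is the "rlm_chap: Clear text password not available" case.
        return "noop: clear text password not available"
    challenge = chap_challenge if chap_challenge is not None else request_authenticator
    expected = chap_response(chap_password[0], stored["cleartext"], challenge)
    return "ok" if hmac.compare_digest(expected, chap_password[1:]) else "reject"


def make_hash_record(cleartext: str, salt: Optional[bytes] = None) -> dict:
    """Constructed hash-only storage (salted SHA-256), standing in for a store
    that keeps no cleartext, like pap's encryption_scheme = "crypt"."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha256(salt + cleartext.encode("utf-8")).hexdigest()
    return {"sha256": (salt, digest)}


def verify_pap(user_password: str, stored: dict) -> str:
    """PAP delivers the password itself (inside the RADIUS-obfuscated User-Password
    attribute), so the server can check it against cleartext OR a one-way hash."""
    if "cleartext" in stored:
        ok = hmac.compare_digest(user_password.encode("utf-8"),
                                 stored["cleartext"].encode("utf-8"))
        return "ok" if ok else "reject"
    if "sha256" in stored:
        salt, digest = stored["sha256"]
        calc = hashlib.sha256(salt + user_password.encode("utf-8")).hexdigest()
        return "ok" if hmac.compare_digest(calc, digest) else "reject"
    return "noop: no usable password"


if __name__ == "__main__":
    # Constructed sample: the NAS picks Identifier 7, the packet's Request
    # Authenticator doubles as the challenge, and the user from the list post is "adexus".
    authenticator = bytes(range(16))
    attr = client_chap_password(7, "adexus", authenticator)
    cleartext_store = {"cleartext": "adexus"}
    hash_store = make_hash_record("adexus")
    print("CHAP vs cleartext store:", verify_chap(attr, authenticator, cleartext_store))  # ok
    print("CHAP vs hash-only store:", verify_chap(attr, authenticator, hash_store))       # noop
    print("PAP  vs hash-only store:", verify_pap("adexus", hash_store))                   # ok
```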


RE: How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven


> -Original Message-
> From: [EMAIL PROTECTED] On Behalf Of King, Michael
> Sent: 11 April 2006 15:40
> To: FreeRadius users mailing list
> Subject: RE: How do I set up simple AD integration?
> 
> 
> > 
> > Is there a how-to or tutorial for this simple case? I have 
> > searched this list and google generally. I have read the 
> > articles referred to on the FreeRadius home page and several 
> > others and I still can't see how the configuration works. Any 
> > and all help gratefully received.
> > 
> > Steve.
> > 
> 
> 
> As for the simple how-to, there are a few, but none that I
> would consider easy to follow.
> 
>   What you're looking for is the following lines:  (I have
> two ntlm_auth lines, the original that is commented out, and the one that I
> use.  They are long, so they will break across lines, but they are not
> that way in my config file)
> 
> 
> # Windows sends us a username in the form of
> # DOMAIN\user, but sends the challenge response
> # based on only the user portion.  This hack
> # corrects for that incorrect behavior.
> #
> with_ntdomain_hack = yes
> 
> # The module can perform authentication itself, OR
> # use a Windows Domain Controller.  This configuration
> # directive tells the module to call the ntlm_auth
> # program, which will do the authentication, 
> and return
> # the NT-Key.  Note that you MUST have "winbindd" and
> # "nmbd" running on the local machine for ntlm_auth
> # to work.  See the ntlm_auth program documentation
> # for details.
> #
> # Be VERY careful when editing the following line!
> #
> #ntlm_auth = "/path/to/ntlm_auth --request-nt-key
> --username=%{Stripped-User-Name:-%{User-Name:-None}}
> --challenge=%{mschap:Challenge:-00}
> --nt-response=%{mschap:NT-Response:-00}"
> ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
> --username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
> --nt-response=%{mschap:NT-Response}"

This stanza is enclosed within the mschap section; still, nothing ventured,
I changed the line and unfolded it and ran radiusd -X. The first request didn't 
match anything useful and was rejected by System. I tried again but ticked the 
box 'CHAP' on NTRadPing and got the output:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 ms

RE: How do I set up simple AD integration?

2006-04-11 Thread King, Michael
> 
> Is there a how-to or tutorial for this simple case? I have 
> searched this list and google generally. I have read the 
> articles referred to on the FreeRadius home page and several 
> others and I still can't see how the configuration works. Any 
> and all help gratefully received.
> 
> Steve.
> 


As for the simple how-to, there are a few, but none that I would consider
easy to follow.

  What you're looking for is the following lines:  (I have two ntlm_auth
lines, the original that is commented out, and the one that I use.  They
are long, so they will break across lines, but they are not that way in
my config file)


# Windows sends us a username in the form of
# DOMAIN\user, but sends the challenge response
# based on only the user portion.  This hack
# corrects for that incorrect behavior.
#
with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key.  Note that you MUST have "winbindd" and
# "nmbd" running on the local machine for ntlm_auth
# to work.  See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
#ntlm_auth = "/path/to/ntlm_auth --request-nt-key
--username=%{Stripped-User-Name:-%{User-Name:-None}}
--challenge=%{mschap:Challenge:-00}
--nt-response=%{mschap:NT-Response:-00}"
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key
--username=%{mschap:User-Name} --challenge=%{mschap:Challenge}
--nt-response=%{mschap:NT-Response}"



Re: How do I set up simple AD integration?

2006-04-11 Thread Dennis Skinner
Burton, Steven wrote:
> However, although I can see tantalizing references to 'ntlm_auth' and 
> 'ntdomain' and the like in various files I cannot see how to trigger an AD 
> lookup from a RADIUS request. So far all I have achieved is:

You are doing well.  Too many people try to jump directly to the end.

I *think* AD = LDAP is the piece you are missing.  See where that gets
you.  I don't use either, so beyond pointing you in that direction, I
can't help much.  You also probably don't need the sql.conf file, as I didn't
see mention of an SQL server anywhere.  There is probably an ldap.conf
file or an ldap section of the radiusd.conf that you should look at.

-- 
Dennis Skinner
Systems Administrator
BlueFrog Internet
http://www.bluefrog.com


How do I set up simple AD integration?

2006-04-11 Thread Burton, Steven
Hi,

I am trying to set up FreeRADIUS 1.1.1 on FreeBSD 6.0 REL with user integration 
with Active Directory for a Windows 2003 domain currently in Win2000 mixed 
mode. My final objective is to authenticate user connections through a wireless AP.

I have setup Samba 3 and successfully joined the Windows domain. I have tried:
# wbinfo -u
# wbinfo -g
# wbinfo -a username%password
# ntlm_auth --request-nt-key --domain= --username= 
and all ran/authenticated successfully.

I have built and installed FreeRadius 1.1.1 from the FreeBSD port and copied:
acct_users
clients.conf
dictionary
eap.conf
hints
huntgroups
preproxy_users
proxy.conf
radiusd.conf
realms
snmp.conf
sql.conf
users
from the *.sample files provided and added my PC as a client (for NTRadPing) 
and an 802.11g AP with matching shared secrets and type 'other'.
I have uncommented the example user 'steve' in users and I can get an 
'Access-Accept' using NTRadPing with Steve's credentials, so I know that local 
users are working.

If I point NTRadPing at our Funk SBR server and my Windows username and 
password I can get an 'Access-Accept' so, initially, I would like to emulate 
this operation before I get involved with MSCHAPv2 PEAP etc.

However, although I can see tantalizing references to 'ntlm_auth' and 
'ntdomain' and the like in various files I cannot see how to trigger an AD 
lookup from a RADIUS request. So far all I have achieved is:

Starting - reading configuration files ...
reread_config:  reading radiusd.conf
Config:   including file: /usr/local/etc/raddb/proxy.conf
Config:   including file: /usr/local/etc/raddb/clients.conf
Config:   including file: /usr/local/etc/raddb/snmp.conf
Config:   including file: /usr/local/etc/raddb/eap.conf
Config:   including file: /usr/local/etc/raddb/sql.conf
 main: prefix = "/usr/local"
 main: localstatedir = "/var"
 main: logdir = "/var/log"
 main: libdir = "/usr/local/lib"
 main: radacctdir = "/var/log/radacct"
 main: hostname_lookups = no
 main: max_request_time = 30
 main: cleanup_delay = 5
 main: max_requests = 1024
 main: delete_blocked_requests = 0
 main: port = 0
 main: allow_core_dumps = no
 main: log_stripped_names = no
 main: log_file = "/var/log/radius.log"
 main: log_auth = no
 main: log_auth_badpass = no
 main: log_auth_goodpass = no
 main: pidfile = "/var/run/radiusd/radiusd.pid"
 main: user = "(null)"
 main: group = "(null)"
 main: usercollide = no
 main: lower_user = "no"
 main: lower_pass = "no"
 main: nospace_user = "no"
 main: nospace_pass = "no"
 main: checkrad = "/usr/local/sbin/checkrad"
 main: proxy_requests = yes
 proxy: retry_delay = 5
 proxy: retry_count = 3
 proxy: synchronous = no
 proxy: default_fallback = yes
 proxy: dead_time = 120
 proxy: post_proxy_authorize = no
 proxy: wake_all_if_all_dead = no
 security: max_attributes = 200
 security: reject_delay = 1
 security: status_server = no
 main: debug_level = 0
read_config_files:  reading dictionary
read_config_files:  reading naslist
read_config_files:  reading clients
read_config_files:  reading realms
radiusd:  entering modules setup
Module: Library search path is /usr/local/lib
Module: Loaded exec 
 exec: wait = yes
 exec: program = "(null)"
 exec: input_pairs = "request"
 exec: output_pairs = "(null)"
 exec: packet_type = "(null)"
rlm_exec: Wait=yes but no output defined. Did you mean output=none?
Module: Instantiated exec (exec) 
Module: Loaded expr 
Module: Instantiated expr (expr) 
Module: Loaded PAP 
 pap: encryption_scheme = "crypt"
Module: Instantiated pap (pap) 
Module: Loaded CHAP 
Module: Instantiated chap (chap) 
Module: Loaded MS-CHAP 
 mschap: use_mppe = yes
 mschap: require_encryption = no
 mschap: require_strong = no
 mschap: with_ntdomain_hack = no
 mschap: passwd = "(null)"
 mschap: authtype = "MS-CHAP"
 mschap: ntlm_auth = "/usr/local/bin/ntlm_auth --request-nt-key 
--username=%{Stripped-User-Name:-%{User-Name:-None}} 
--challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
Module: Instantiated mschap (mschap) 
Module: Loaded System 
 unix: cache = no
 unix: passwd = "(null)"
 unix: shadow = "(null)"
 unix: group = "(null)"
 unix: radwtmp = "/var/log/radwtmp"
 unix: usegroup = no
 unix: cache_reload = 600
Module: Instantiated unix (unix) 
Module: Loaded eap 
 eap: default_eap_type = "md5"
 eap: timer_expire = 60
 eap: ignore_unknown_eap_types = no
 eap: cisco_accounting_username_bug = no
rlm_eap: Loaded and initialized type md5
rlm_eap: Loaded and initialized type leap
 gtc: challenge = "Password: "
 gtc: auth_type = "PAP"
rlm_eap: Loaded and initialized type gtc
 tls: rsa_key_exchange = no
 tls: dh_key_exchange = yes
 tls: rsa_key_length = 512
 tls: dh_key_length = 512
 tls: verify_depth = 0
 tls: CA_path = "(null)"
 tls: pem_file_type = yes
 tls: private_key_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: certificate_file = "/usr/local/etc/raddb/certs/cert-srv.pem"
 tls: CA_file = "/usr/local/etc/raddb/certs/demoCA/cacert.pem"
 tls: private_key_password = "whatever"
 tls: dh_file = "/

Re: problem with oracle scheme - table radacct

2006-04-11 Thread Peter Nixon
On Mon 10 Apr 2006 23:21, Mathieu Legare wrote:
> Using freeradius 1.1.0 on RHEL 4.0 update 3 with Oracle 9 database
> backend for accounting, we discovered the following problem while trying
> to add our wireless stuff to our RADIUS system. We've been using the
> current setup for PPP login with a Cisco access server without any
> problem.
>
> So the NAS is a Nortel WLAN Security Switch 2380 (more or less a Trapeze
> device if i am not mistaken).  The WLAN switch sends a "start
> accounting" packet, unfortunately the content of the %{NAS-Port-Id}
> variable that the WLAN switch sends seems to be in the following format:
> "2049/1" which is NOT a NUMERIC(12) (or integer if using the MySQL
> driver). This causes an ORA-01722 error. We've changed the NasPortId
> field type to VARCHAR2(15) to fix the problem.
>
> I really don't know if changing the type of the NasPortId field to
> varchar2 can introduce other problems, so far we haven't noticed any.

Although I have not seen this type of value previously, the RFC does define 
NAS-Port-Id as a string, so I will update all of the sample schemas to take this 
into account.

Regards

-- 

Peter Nixon
http://www.peternixon.net/
PGP Key: http://www.peternixon.net/public.asc



Acct-Type and MySQL

2006-04-11 Thread Luca Corti

Hello,

I'm using MySQL as an authentication and accounting backend. I'd like to
move the accounting for users in a particular group to a different table
in the database.


sql.conf:
-
sql sql_generic {
...
}

sql sql_dialup {
...
}


radiusd.conf:
-

accounting {

...

Acct-Type DIALUP {
sql_dialup
}

sql_generic

}


Now I'd like to specify "Acct-Type := DIALUP" in MySQL for a particular
group of users so that accounting for that group uses sql_dialup.

Is this doable? Do I need to specify Acct-Type as a reply or check item?

thanks


-- 
Luca Corti
PGP Key ID 1F38C091
BOFH excuse of the moment:
The kernel license has expired



Cisco AP 1240AG - PEAP/MSCHAPv2 with ntlm_auth

2006-04-11 Thread Konne

hi

my situation:

I have Windows 2003 Server domain controllers. I use FreeRADIUS, which 
authenticates the clients in the domain with ntlm_auth. Only users who 
are in the group "wireless" have access to the wireless:


ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key 
--domain=%{mschap:NT-Domain} --username=%{mschap:User-Name} 
--challenge=%{mschap:Challenge:-00} 
--nt-response=%{mschap:NT-Response:-00} 
--require-membership-of=DOMAIN\\WIRELESS"


My question now is:
how can I realize this when I have 2 SSIDs, one ssid=administrators and the 
other ssid=users? I omit the "--require-membership-of=DOMAIN\\WIRELESS" on the ntlm 
authentication and make two groups in Active Directory:

-- wireless_admin  -  ssid1=adminis
-- wireless_users  -  ssid2=users

When the user is a member of admins he gets the VLAN and the SSID for 
Administrators, and when the user is a member of users he gets the VLAN and 
the SSID for Users.


Is it possible to configure it in "/etc/raddb/users" like the 
following, but with a group instead of user1...


user1	Auth-Type := EAP
	Cisco-AVPair := "ssid=admins",
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 2,
	Tunnel-Type = VLAN

user2	Auth-Type := EAP
	Cisco-AVPair := "ssid=users",
	Tunnel-Medium-Type = IEEE-802,
	Tunnel-Private-Group-Id = 3,
	Tunnel-Type = VLAN

Does someone have experience associating ntlm and group differentiation...
and how can I make it so that the Admins can also log in via shell, and the users 
get only authentication, no shell, or something like that?


thx Konne
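Both the "simple AD integration" post above and this one hand authentication to ntlm_auth through rlm_mschap's `%{mschap:Challenge}` / `%{mschap:NT-Response}` expansions, and this one adds `--require-membership-of` for group-based access. The following is an added example, not code from either poster or from the FreeRADIUS project: it shows what those expansions actually contain for an MS-CHAPv2 request (the 8-byte challenge is the RFC 2759 ChallengeHash, not the 16-byte authenticator challenge), splits the 50-byte MS-CHAP2-Response VSA as a debug log shows it, and rebuilds the ntlm_auth argument vector so the call can be reproduced by hand. The ntlm_auth path is the one from the post; the domain EXAMPLE and group EXAMPLE\WIRELESS are placeholders; the byte values are the RFC 2759 section 9.2 test vector. ntlm_auth itself is not run.

```python
import hashlib

# RFC 2759 section 9.2 test vector (user "User"); used to check the challenge hash.
RFC2759_AUTH_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC2759_PEER_CHALLENGE = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
RFC2759_NT_RESPONSE = bytes.fromhex("82309ECD8D708B5EA08FAA3981CD83544233114A3D85D6DF")


def split_mschap2_response(ms_chap2_response: bytes):
    """Split the 50-byte MS-CHAP2-Response VSA (RFC 2548 section 2.3.2):
    Ident(1) Flags(1) Peer-Challenge(16) Reserved(8) NT-Response(24)."""
    if len(ms_chap2_response) != 50:
        raise ValueError("MS-CHAP2-Response must be 50 bytes")
    return {
        "ident": ms_chap2_response[0],
        "flags": ms_chap2_response[1],
        "peer_challenge": ms_chap2_response[2:18],
        "nt_response": ms_chap2_response[26:50],
    }


def mschapv2_challenge(peer_challenge: bytes, auth_challenge: bytes, username: str) -> bytes:
    """ChallengeHash from RFC 2759 section 8.2. This 8-byte value is what
    %{mschap:Challenge} expands to for an MS-CHAPv2 request; for MS-CHAPv1
    the 8-byte MS-CHAP-Challenge from the packet is used directly."""
    if len(peer_challenge) != 16 or len(auth_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(auth_challenge)
    # The user name goes in without any "DOMAIN\" prefix; rlm_mschap strips it
    # before hashing, which is why the domain is passed to ntlm_auth separately.
    h.update(username.encode("utf-8"))
    return h.digest()[:8]


def ntlm_auth_argv(username, challenge, nt_response, domain=None,
                   require_membership_of=None, ntlm_auth="/usr/bin/ntlm_auth"):
    """Argument vector equivalent to the ntlm_auth line in the posts. rlm_mschap
    splits the configured string into arguments itself and execs the program
    without a shell; do the same here (subprocess.run(argv), never shell=True),
    so a User-Name containing quotes or metacharacters cannot inject anything."""
    argv = [ntlm_auth, "--request-nt-key"]
    if domain:
        argv.append(f"--domain={domain}")
    argv += [f"--username={username}",
             f"--challenge={challenge.hex()}",
             f"--nt-response={nt_response.hex()}"]
    if require_membership_of:
        # With a single ntlm_auth instance this is the one lever for group-based
        # access: a user outside the group fails authentication outright.
        argv.append(f"--require-membership-of={require_membership_of}")
    return argv


if __name__ == "__main__":
    # Constructed MS-CHAP2-Response built from the RFC vector's fields.
    vsa = bytes([1, 0]) + RFC2759_PEER_CHALLENGE + bytes(8) + RFC2759_NT_RESPONSE
    parts = split_mschap2_response(vsa)
    chal = mschapv2_challenge(parts["peer_challenge"], RFC2759_AUTH_CHALLENGE, "User")
    print(" ".join(ntlm_auth_argv("User", chal, parts["nt_response"],
                                  domain="EXAMPLE",
                                  require_membership_of="EXAMPLE\\WIRELESS")))
```

Feed the printed line to a shell (or the list to `subprocess.run`) on the Samba member server and compare ntlm_auth's exit status and NT_KEY output with what radiusd -X logs; if the hand-run call succeeds while radiusd fails, the difference is almost always the user name (domain prefix present or absent) or the challenge being taken from the wrong attribute.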


Re: Can Juniper router or firewall configured on Free radius

2006-04-11 Thread Bjørn Mork
Venu Gopal <[EMAIL PROTECTED]> writes:

> Currently i'm doing testing on Netscreen boxes N25/50
> series, it works for authentication. If you could help
> me in defining the privilege level commands on radius
> server like cisco for netscreen boxes, it would be
> great help.

Take a look at share/dictionary.netscreen

I haven't used these boxes myself, but the VSAs look pretty
self-explanatory.


Bjørn



Digest & Messenger

2006-04-11 Thread saman alaniazar
Dear Alan,

I changed the version of freeradius to 1.1.1 and we kept the last
radiusd.conf file from version 1.0.5 unchanged. Below you can see the
excerpt of the radiusd.conf file:



    expr {
    }

    digest {
    }

    exec {
        wait = yes
        input_pairs = request
    }

    exec echo {
        wait = yes
        program = "/bin/echo %{User-Name}"
        input_pairs = request
        output_pairs = reply
    }

    ippool main_pool {
        range-start = 192.168.1.1
        range-stop = 192.168.3.254
        netmask = 255.255.255.0
        cache-size = 800
        session-db = ${raddbdir}/db.ippool
        ip-index = ${raddbdir}/db.ipindex
        override = no
        maximum-timeout = 0
    }
}

instantiate {
    exec
    expr
}

authorize {
#    preprocess
#    auth_log
#    attr_filter
#    chap
#    mschap
    digest
#    eap
    sql
}

authenticate {
#    Auth-Type PAP {
#        pap
#    }

#    Auth-Type CHAP {
#        chap
#    }

#    Auth-Type MS-CHAP {
#        mschap
#    }
    digest
#    unix
#    eap
}



=== 
When I test the server with some open source SIP phones, everything is
OK, but when I want to test the following user with MSN Messenger,
a reject packet is received:
user = server2_user1
password = test
URI =[EMAIL PROTECTED]
Method = REGISTER
Algorithm = "MD5"


Here is the debug output of freeradius for this packet:


rad_recv: Access-Request packet from host 10.10.1.3:2309, id=242, length=200
    NAS-Identifier = "testrealm"
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x0a0f736572766572325f7573657231   
    Digest-Attributes = 0x02226530663765326631373633376638323638316463323461396262363264643637
    Digest-Attributes = 0x06054d4435
    User-Name = "server2_user1"
    Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d
    Digest-Response = "5f0fc8449eb607379d80ad34a83fe512"
    Digest-Attributes = 0x0114746573747265616c6d2e696369692e636f6d
  Processing the authorize section of radiusd.conf
modcall: entering group authorize for request 0
rlm_digest: Adding Auth-Type = DIGEST
  modcall[authorize]: module "digest" returns ok for request 0
radius_xlat:  'server2_user1'
rlm_sql (sql): sql_set_user escaped user --> 'server2_user1'
radius_xlat:  'SELECT id, UserName, Attribute, Value,
op   FROM
radcheck  
WHERE Username =
'server2_user1'  
ORDER BY
id'
rlm_sql (sql): Reserving sql socket id: 4
radius_xlat:  'SELECT
radgroupcheck.id,radgroupcheck.GroupName,radgroupcheck.Attribute,radgroupcheck.Value,radgroupcheck.op 
FROM radgroupcheck,usergroup WHERE usergroup.Username = 'server2_user1'
AND usergroup.GroupName = radgroupcheck.GroupName ORDER BY
radgroupcheck.id'
radius_xlat:  'SELECT id, UserName, Attribute, Value,
op   FROM
radreply  
WHERE Username =
'server2_user1'  
ORDER BY
id'
radius_xlat:  'SELECT
radgroupreply.id,radgroupreply.GroupName,radgroupreply.Attribute,radgroupreply.Value,radgroupreply.op 
FROM radgroupreply,usergroup WHERE usergroup.Username = 'test' AND
usergroup.GroupName = radgroupreply.GroupName ORDER BY radgroupreply.id'
rlm_sql (sql): Released sql socket id: 4
  modcall[authorize]: module "sql" returns ok for request 0
modcall: leaving group authorize (returns ok) for request 0
  rad_check_password:  Found Auth-Type DIGEST
auth: type "digest"
  Processing the authenticate section of radiusd.conf
modcall: entering group authenticate for request 0
    rlm_digest: Converting Digest-Attributes to something sane...
    Digest-Method = "REGISTER"
    Digest-User-Name = "server2_user1"
    Digest-Nonce = "e0f7e2f17637f82681dc24a9bb62dd67"
    Digest-Algorithm = "MD5"
    Digest-URI = "sip:testrealm.icii.com"
    Digest-Realm = "testrealm.icii.com"
A1 = server2_user1:testrealm.icii.com:test
A2 = REGISTER:sip:testrealm.icii.com
KD = 590b483ad6e6df65edb1826f5404e3a5:e0f7e2f17637f82681dc24a9bb62dd67:684a8ca612e13a06c419dc89351ac183
rlm_digest: FAILED authentication
  modcall[authenticate]: module "digest" returns reject for request 0
modcall: leaving group authenticate (returns reject) for request 0
auth: Failed to validate the user.

===

 Now let's look at a correct authentication that was sent by an open source SIP phone.

rad_recv: Access-Request packet from host 10.10.1.3:2773, id=22, length=200
    NAS-Identifier = "testrealm"
    Digest-Attributes = 0x030a5245474953544552
    Digest-Attributes = 0x0a0f736572766572325f7573657231
    Digest-Attributes = 0x02226562376234336638333032613234656261343338313533366338346334393335
    Digest-Attributes = 0x06054d4435
    User-Name = "server2_user1"
    Digest-Attributes = 0x04187369703a746573747265616c6d2e696369692e636f6d
    Digest-Response = "d1b993f54dc5e242c4b67389188db5dd"
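To see exactly what rlm_digest is comparing in the two captures above, here is an added example (not code from the poster or from FreeRADIUS): it decodes the Digest-Attributes sub-attribute TLVs byte-for-byte from the hex shown in the debug output and recomputes the RFC 2617 request-digest the same way the server's "A1 / A2 / KD" lines do. The packet values are copied from the post; the password "test" is the one the poster listed; the `Digest-QOP` branch is there for clients that send qop=auth, which neither captured packet does.

```python
import hashlib
import hmac

# Digest-Attributes (RADIUS attribute 207) sub-attribute types, as in the
# FreeRADIUS dictionary and RFC 5090.
DIGEST_SUBTYPES = {
    1: "Digest-Realm", 2: "Digest-Nonce", 3: "Digest-Method", 4: "Digest-URI",
    5: "Digest-QOP", 6: "Digest-Algorithm", 7: "Digest-Body-Digest",
    8: "Digest-CNonce", 9: "Digest-Nonce-Count", 10: "Digest-User-Name",
}

# Copied from the two captures in the post: the MSN Messenger REGISTER that
# was rejected and the SIP-phone REGISTER that the poster says worked.
MSN_PACKET = [
    "0x030a5245474953544552",
    "0x0a0f736572766572325f7573657231",
    "0x02226530663765326631373633376638323638316463323461396262363264643637",
    "0x06054d4435",
    "0x04187369703a746573747265616c6d2e696369692e636f6d",
    "0x0114746573747265616c6d2e696369692e636f6d",
]
MSN_RESPONSE = "5f0fc8449eb607379d80ad34a83fe512"

PHONE_PACKET = [
    "0x030a5245474953544552",
    "0x0a0f736572766572325f7573657231",
    "0x02226562376234336638333032613234656261343338313533366338346334393335",
    "0x06054d4435",
    "0x04187369703a746573747265616c6d2e696369692e636f6d",
    "0x0114746573747265616c6d2e696369692e636f6d",
]
PHONE_RESPONSE = "d1b993f54dc5e242c4b67389188db5dd"


def decode_digest_attributes(hex_values):
    """Each Digest-Attributes value is one TLV: type (1 byte), length (1 byte,
    counting the 2 header bytes), then the ASCII value. Returns name -> value."""
    fields = {}
    for hv in hex_values:
        raw = bytes.fromhex(hv[2:] if hv.lower().startswith("0x") else hv)
        if len(raw) < 2 or raw[1] != len(raw):
            raise ValueError(f"malformed Digest-Attributes TLV: {hv}")
        name = DIGEST_SUBTYPES.get(raw[0], f"Digest-Unknown-{raw[0]}")
        fields[name] = raw[2:].decode("ascii")
    return fields


def _md5hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def digest_response(fields, password):
    """RFC 2617 request-digest for algorithm MD5.
    Without qop (both packets above): KD = MD5(HA1 ":" nonce ":" HA2).
    With qop=auth the nonce-count, cnonce and qop are mixed in as well."""
    if fields.get("Digest-Algorithm", "MD5").upper() != "MD5":
        raise ValueError(f"unsupported algorithm: {fields['Digest-Algorithm']}")
    ha1 = _md5hex(f"{fields['Digest-User-Name']}:{fields['Digest-Realm']}:{password}")
    ha2 = _md5hex(f"{fields['Digest-Method']}:{fields['Digest-URI']}")
    qop = fields.get("Digest-QOP")
    if qop is None:
        return _md5hex(f"{ha1}:{fields['Digest-Nonce']}:{ha2}")
    if qop != "auth":
        raise ValueError(f"unsupported qop: {qop}")  # auth-int needs the body digest
    return _md5hex(f"{ha1}:{fields['Digest-Nonce']}:{fields['Digest-Nonce-Count']}:"
                   f"{fields['Digest-CNonce']}:{qop}:{ha2}")


def verify(hex_values, digest_response_attr, password):
    """True if the Digest-Response in the request matches the clear-text
    password on file. Constant-time compare, as a matter of habit."""
    expected = digest_response(decode_digest_attributes(hex_values), password)
    return hmac.compare_digest(expected, digest_response_attr.lower())


if __name__ == "__main__":
    for label, pkt, resp in (("MSN Messenger", MSN_PACKET, MSN_RESPONSE),
                             ("SIP phone", PHONE_PACKET, PHONE_RESPONSE)):
        fields = decode_digest_attributes(pkt)
        print(label, fields, "matches password 'test':", verify(pkt, resp, "test"))
```

Run it and the MSN packet comes out False with password "test", which is the same conclusion the server reached; if the phone packet verifies with the same password, the two clients are being given different credentials or the Messenger client is computing its digest from something other than the realm, nonce and URI shown here. If Messenger sends a qop or a different Digest-Algorithm, the decoded fields will show it, and rlm_digest needs the clear-text password (or a precomputed HA1) to be present for the check to be meaningful at all.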
   

Modifying username before its handed off to other modules?

2006-04-11 Thread David Lais
Hello,

I need to modify the User-Name attribute dynamically before it is handed off to 
other modules.
Is it possible to use the "rlm_attr_rewrite" module in a simple Perl script?

I want to change user numbers to user names.
Any ideas about that one?

Thanks,

David Lais
[EMAIL PROTECTED]


filter to authenticate posixAccount users

2006-04-11 Thread monish ar
Hi,
 I was a little confused about the radiusd.conf settings for LDAP authentication. These are a few doubts I have...

 1) Is there any specific filter entry to authenticate posixAccount users?
    The default is filter = "(uid=%{Stripped-User-Name:-%{User-Name}})"; will this work for posixAccount / shadowAccount users?

 2) Do I need to comment out the
    password_attribute = "userPassword" entry for a successful bind to the LDAP server?

 3) Why does the entry
    base_filter = "(objectclass=radiusprofile)" get set when radiusd runs even though I comment it out in the radiusd.conf file? Is the base filter entry required for LDAP authentication? If yes, is the above default entry correct?

   I've tried rlm_ldap authentication but it has failed till now; I get this error message during authentication:

 rlm_ldap: Bind failed with invalid credentials

   However, the bind is successful during authorization but fails during authentication... any ideas?