Re: How to setup Freeradius in a Domain

2011-07-13 Thread Alan DeKok
sgilmour wrote:
 My Question is on my PC's Windows 7 and Windows XP clients.  How do I get my
 user to work in a domain environment with PEAP and EAP-TLS so that I don't
 need to manually login with my client.  This would be the preferred way for
 us to authenticate to the network.  This is how we do it with our Windows
 2003/2008 Servers.

  See http://deployingradius.com

  It contains instructions for how to configure EAP-TLS, and domain
logins to Active Directory.

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html


NAS re-uses the same port and ID

2011-07-13 Thread Konstantin Chekushin

 Hi all! I've found that our NAS-server sometimes (when it restarts
 and there are many auth. packets coming to the radius-server) re-uses
 port and ID within a 1 second period (information from tcpdump).
 That causes "conflicting packet from client". I think that the NAS
 works wrong (it must wait a little bit more than 1 sec. to re-use
 the port+ID), that's why I want to find some documentation about it
 for a bug-report.
 Thanks a lot.

Re: NAS re-uses the same port and ID

2011-07-13 Thread Fajar A. Nugraha
On Wed, Jul 13, 2011 at 1:54 PM, Konstantin Chekushin ko...@inbox.lv wrote:
 Hi all! I've found that our NAS-server sometimes (when it restarts and
 there are many auth. packets coming to the radius-server) re-uses port and ID
 within a 1 second period (information from tcpdump). That causes "conflicting
 packet from client". I think that the NAS works wrong (it must wait a
 little bit more than 1 sec. to re-use the port+ID), that's why I want to
 find some documentation about it for a bug-report.
 Thanks a lot.

Are you sure the NAS reuses the port number? Isn't it a duplicate packet?

-- 
Fajar



Re: How to setup Freeradius in a Domain

2011-07-13 Thread Alan Buxey
Hi,
 I had to uncheck validate certificates on the client. I also had to uncheck
 use logon on username and password so it would ask me for the credentials.
 The server does not like when the client sends domain info. On the server
 side I had to change the users file so it doesn't include the Auth-Type as
 previously recommended.
 My Question is on my PC's Windows 7 and Windows XP clients.  How do I get my
 user to work in a domain environment with PEAP and EAP-TLS so that I don't
 need to manually login with my client.  This would be the preferred way for
 us to authenticate to the network.  This is how we do it with our Windows
 2003/2008 Servers.

bind your FreeRADIUS into the AD and use the NTLM and AD login stuff. the
FreeRADIUS server is quite able to handle these - you just need to configure
it to do so...if you don't, then yes, you can't login with your AD identity -
we happily do this with the machine identity for our local people on our
802.1X wireless network (and wired network)

alan


Re: NAS re-uses the same port and ID

2011-07-13 Thread Alan DeKok
Konstantin Chekushin wrote:
 Hi all! I've found that our NAS-server sometimes (when it restarts and
 there are many auth. packets coming to the radius-server) re-uses port
 and ID within a 1 second period (information from tcpdump). That causes
 "conflicting packet from client".

  It's OK to re-use the same port & ID, *if* it's received a response
from the RADIUS server.

  But if the server says conflicting packet, then the NAS is broken.

 I think that the NAS works wrong (it
 must wait a little bit more than 1 sec. to re-use the port+ID), that's
 why I want to find some documentation about it for a bug-report.

  The NAS is broken.

  Alan DeKok.


Re: Yet another multiple SSID setup question

2011-07-13 Thread Alexander Clouter
Nick Kartsioukas lists.freerad...@change.nightwind.net wrote:
 
 Thanks for the hints!  I think I've got my eap.conf set up as I need it.
 After some errors from freeradius and further document exploration, it
 looks like what I need for the authorize section is this:
rewrite_called_station_id

if (Called-Station-Ssid == "staff") {
    mschap_staff
}
if (Called-Station-Ssid == "lab") {
    mschap_lab
}
if (Called-Station-Ssid == "student_wpa") {
    ldap
}
if (Called-Station-Ssid == "student") {
    ldap
}

I would *strongly* recommend you run just one SSID and use VLAN 
assignment in post-auth to 

post-auth {
  ...

  # defaults
  update reply {
    Tunnel-Type := VLAN
    Tunnel-Medium-Type := IEEE-802
    Tunnel-Private-Group-Id := "unauthorised"

    Termination-Action := RADIUS-Request
    Session-Timeout := 300

    Acct-Interim-Interval := 3600
  }

  if (Ldap-Group == "foobar") {
    update reply {
      Tunnel-Private-Group-Id := "staff"
    }
  }
  else {
    ...
  }
}


The huge advantage is that *every* user at your organisation can follow 
the same instructions to connect to the wireless (and wired) network.  
It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
day one (*strongly* recommended to avoid pain down the road). 

Cheers

-- 
Alexander Clouter
.sigmonster says: Youth is the trustee of posterity.



Re: NAS re-uses the same port and ID

2011-07-13 Thread Konstantin Chekushin

 Yes, but we have just got the problem, so the source of the problem
 may be elsewhere...
 I've looked through the sniffer file and found this strange sequence:
 ...
  31:05 access-request (port 65025, id 229) (Authenticator1)
  31:10 access-accept (port 65025, id 229)
  31:10 access-request (port 65025, id 229) (Authenticator2)
  31:14 access-request (port 65025, id 229) (Authenticator2)
  31:20 access-request (port 65025, id 229) (Authenticator2)
  31:26 access-accept (port 65025, id 229)
  31:26 access-request (port 65025, id 229) (Authenticator3)
  ...
 I'm not sure, but it seems to me that some of these requests in the
 radius.log file were marked as duplicated ("Discarding duplicate
 request from client...") and some as conflicting ("Received
 conflicting packet from client...")
  ...
  Jul 12 14:31:10 radius1 radiusd[8647]: Discarding duplicate request
 from  client fl2 port 65025 - ID: 229 due to unfinished request 6545
  Jul 12 14:31:16 radius1 radiusd[8647]: Discarding duplicate request
 from  client fl2 port 65025 - ID: 229 due to unfinished request 6545
  Jul 12 14:31:21 radius1 radiusd[8647]: Received conflicting packet
 from  client fl2 port 65025 - ID: 229 due to unfinished request 6545.
  Giving  up on old request.
  Jul 12 14:31:22 radius1 radiusd[8647]: Dropping request (2049 is too
 many): from client fl1 port 65025 - ID: 229
  Jul 12 14:31:25 radius1 radiusd[8647]: Discarding duplicate request
 from  client fl2 port 65025 - ID: 229 due to unfinished request 8342
  Jul 12 14:31:26 radius1 radiusd[8647]: Dropping request (2049 is too
 many): from client fl1 port 65025 - ID: 229
  ...
 and so on...
 Quoting *Fajar A. Nugraha l...@fajar.net*:
  On Wed, Jul 13, 2011 at 1:54 PM, Konstantin Chekushin
  ko...@inbox.lv wrote:
   Hi all! I've found that our NAS-server sometimes (when it restarts and
   there are many auth. packets coming to the radius-server) re-uses port
   and ID within a 1 second period (information from tcpdump). That causes
   "conflicting packet from client". I think that the NAS works wrong (it
   must wait a little bit more than 1 sec. to re-use the port+ID), that's
   why I want to find some documentation about it for a bug-report.
   Thanks a lot.

  Are you sure the NAS reuses the port number? Isn't it a duplicate
  packet?

  --
  Fajar

Re: NAS re-uses the same port and ID

2011-07-13 Thread Fajar A. Nugraha
On Wed, Jul 13, 2011 at 4:14 PM, Konstantin Chekushin ko...@inbox.lv wrote:
 Yes, but we have just got the problem, so the source of the problem may be
 elsewhere...

There's an analogy I sometimes use to explain things like this to my coworkers:

You're driving a new car. Not far from the dealer, the car broke
down. You get out, and say 'hey, this car must be broken. Let's get
another car'.

... when in fact the problem is simply an empty gas tank


 I've looked through the sniffer file and found this strange sequence:


Let's look at these one by one, shall we. I assume you got the log by
using grep or some capture filter on the packet sniffer?

 ...
 31:05 access-request (port 65025, id 229) (Authenticator1)
 31:10 access-accept (port 65025, id 229)

As Alan said, "It's OK to re-use the same port & ID, *if* it's
received a response from the RADIUS server." So based on that ...

 31:10 access-request (port 65025, id 229) (Authenticator2)

... this request is valid, since the NAS should already have got a response
from radius. However ...

 31:14 access-request (port 65025, id 229) (Authenticator2)
 31:20 access-request (port 65025, id 229) (Authenticator2)

... those two are duplicate packets. The NAS resent those because the
radius server took too long to respond. This is the main problem.

Now let's get to radius log

 Jul 12 14:31:10 radius1 radiusd[8647]: Discarding duplicate request from
 client fl2 port 65025 - ID: 229 due to unfinished request 6545
 Jul 12 14:31:16 radius1 radiusd[8647]: Discarding duplicate request from
 client fl2 port 65025 - ID: 229 due to unfinished request 6545
 Jul 12 14:31:21 radius1 radiusd[8647]: Received conflicting packet from
 client fl2 port 65025 - ID: 229 due to unfinished request 6545.  Giving up
 on old request.

The times match the duplicate request from your packet sniffer. So
bottom line, you need to find out what's causing radius to respond
slowly.

 Jul 12 14:31:22 radius1 radiusd[8647]: Dropping request (2049 is too many):
 from client fl1 port 65025 - ID: 229

This one is also an indication that something's wrong with your radius
server. It takes too long to respond to a request, thus it's unable to
accept new requests.

Now let's take some time to read a snippet from radiusd.conf:

thread pool {
...

#  You may find that the server is regularly reaching the
#  'max_servers' number of threads, and that increasing
#  'max_servers' doesn't seem to make much difference.
#
#  If this is the case, then the problem is MOST LIKELY that
#  your back-end databases are taking too long to respond, and
#  are preventing the server from responding in a timely manner.
#
#  The solution is NOT do keep increasing the 'max_servers'
#  value, but instead to fix the underlying cause of the
#  problem: slow database, or 'hostname_lookups=yes'.
#
#  For more information, see 'max_request_time', above.



That should be clear enough.

If you're using a database backend, then most likely the database is
non-optimal (e.g. too many rows, non-optimum queries/indexes, slow disk,
and so on). Often the solution to this problem is to get a DBA, because
fixing it would require some skills and knowledge that only a DBA has.

-- 
Fajar

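The rule stated in this thread (re-using a port+ID pair is fine once the server has answered the previous request; an identical packet under an unfinished request is a retransmit; a different Authenticator under an unfinished request is a conflict) can be checked against the quoted capture with a small model. The following is an added example, not FreeRADIUS code: it keeps one entry per (client, source port, ID) the way the server's request table does, and runs the sniffer sequence from Konstantin's message through it. The timings, the Authenticator labels and the `max_requests` limit are constructed placeholders.

```python
"""Toy model of how a RADIUS server tracks requests by (client, port, ID)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: int              # seconds within the minute, as in the quoted capture
    kind: str           # "request" or "response"
    client: str         # NAS name from the log (fl2)
    port: int           # NAS source port
    pid: int            # RADIUS packet identifier (0-255)
    authenticator: str  # 16-byte Request Authenticator; a label here


class RequestTracker:
    """One entry per (client, port, ID); mirrors the server's request hash."""

    def __init__(self, max_requests: int = 1024, cleanup_delay: int = 5):
        self.max_requests = max_requests      # like radiusd.conf max_requests
        self.cleanup_delay = cleanup_delay    # seconds a finished entry stays cached
        self.entries = {}                     # key -> {"auth", "finished", "t_done"}

    def _unfinished(self) -> int:
        return sum(1 for e in self.entries.values() if not e["finished"])

    def process(self, p: Packet) -> str:
        key = (p.client, p.port, p.pid)
        entry = self.entries.get(key)

        if p.kind == "response":
            # Server answered; keep the entry briefly so a late retransmit
            # gets the cached reply instead of a second backend run.
            if entry is not None and not entry["finished"]:
                entry["finished"] = True
                entry["t_done"] = p.t
                return "reply sent"
            return "ignored: no matching request"

        if entry is not None and not entry["finished"]:
            if entry["auth"] == p.authenticator:
                # Same packet again: the NAS retransmitted because we were slow.
                return "duplicate: discarded (unfinished request)"
            # Same port+ID, new Authenticator, old one never answered:
            # the NAS moved on, so the old request is abandoned.
            entry.update(auth=p.authenticator, finished=False, t_done=None)
            return "conflict: giving up on old request"

        if (entry is not None and entry["auth"] == p.authenticator
                and p.t - entry["t_done"] <= self.cleanup_delay):
            return "duplicate: cached reply re-sent"

        # Brand-new key, or a legitimate re-use after the reply went out.
        if self._unfinished() >= self.max_requests:
            return "dropped: too many outstanding requests"
        self.entries[key] = {"auth": p.authenticator, "finished": False, "t_done": None}
        return "new request"


# Constructed from the sniffer sequence quoted in the thread.
CAPTURE = [
    Packet(5,  "request",  "fl2", 65025, 229, "Authenticator1"),
    Packet(10, "response", "fl2", 65025, 229, ""),
    Packet(10, "request",  "fl2", 65025, 229, "Authenticator2"),
    Packet(14, "request",  "fl2", 65025, 229, "Authenticator2"),
    Packet(20, "request",  "fl2", 65025, 229, "Authenticator2"),
    Packet(26, "response", "fl2", 65025, 229, ""),
    Packet(26, "request",  "fl2", 65025, 229, "Authenticator3"),
]


def classify(packets=CAPTURE, **tracker_args) -> list:
    """Verdict per packet, in capture order."""
    tracker = RequestTracker(**tracker_args)
    return [tracker.process(p) for p in packets]


if __name__ == "__main__":
    for p, verdict in zip(CAPTURE, classify()):
        print(f"31:{p.t:02d} {p.kind:8s} id={p.pid} {p.authenticator:15s} -> {verdict}")
```

Run as-is, the two packets at 31:14 and 31:20 come out as duplicates of an unfinished request, exactly the "Discarding duplicate request" lines in the log; the 31:10 request with a fresh Authenticator is accepted because the 31:05 request had already been answered. A conflict only appears when the Authenticator changes while the earlier request is still unfinished, and the "too many" drop when the unfinished count reaches the limit, both of which point back at slow request processing rather than at the NAS.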


Different Attributes based on NAS-IP

2011-07-13 Thread Waqas Toor
Dear Community,

I want to use SQL to send different attributes for the same group name
based on NAS-IP-Address.
For example:
1024DL_512UL is the name of my group in SQL. I want to send different
attributes when the NAS IP is 2.2.2.2, and different attributes for the same
group when the NAS IP is 6.6.6.6.

Any pointers.

Thanks

Waqas.


Re: How to setup Freeradius in a Domain

2011-07-13 Thread sgilmour
I just want to make sure I understand this.  The only way to be able to
login to my PC with a Domain is to incorporate freeradius with an Active
Directory server.  There isn't a way to do this without using Active
Directory and to have freeradius do this independently?



Re: Different Attributes based on NAS-IP

2011-07-13 Thread Jacob Dawson
This looks to be very much like what you're after.
http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO

-Jacob

On 13 Jul 2011, at 06:56, Waqas Toor wrote:

 Dear Community,
 
 I want to use SQL to send different Attributes of the same groupname
 based on NAS-IP-Address.
 for example
 1024DL_512UL is the name of my group in sql. I want to send different
 Attributes based on NAS IP 2.2.2.2 and Different attributes for same
 group when NAS IP is 6.6.6.6
 
 Any pointers.
 
 Thanks
 
 Waqas.


Re: Yet another multiple SSID setup question

2011-07-13 Thread Nick Kartsioukas
On Wed, 13 Jul 2011 09:33 +0100, Alexander Clouter
a...@digriz.org.uk wrote:
 I would *strongly* recommend you run just one SSID and use VLAN 
 assignment in post-auth to 
 
 The huge advantage is that *every* user at your organisation can follow 
 the same instructions to connect to the wireless (and wired) network.  
 It is also then trivial to put in 'eduroam'; if you use 'eduroam' from 
 day one (*strongly* recommended to avoid pain down the road). 

I appreciate the suggestion and may re-visit this some day, but I am
replacing a Cisco ACS appliance that is going end-of-support in an
existing wireless setup and I don't want to make extensive changes to
anything user-facing at this time.  Any ideas on my issue, or pointers
to documentation that would help me out?


Re: How to setup Freeradius in a Domain

2011-07-13 Thread Phil Mayers

On 07/13/2011 04:20 PM, sgilmour wrote:

I just want to make sure I understand this.  The only way to be able to
login to my PC with a Domain is to incorporate freeradius with an Active
Directory server.  There isn't a way to do this without using Active
Directory and to have freeradius do this independently?



To login with domain credentials, FreeRADIUS must be able to check 
domain credentials.


To check domain credentials, FreeRADIUS must be able to talk to Samba as 
a domain member.



Re: How to setup Freeradius in a Domain

2011-07-13 Thread Alan DeKok
sgilmour wrote:
 I just want to make sure I understand this.  The only way to be able to
 login to my PC with a Domain is to incorporate freeradius with an Active
 Directory server.  There isn't a way to do this without using Active
 Directory and to have freeradius do this independently?

  If there was such a method, we would have said so.  We're not in the
business of lying to people about solutions.

  Alan DeKok.


Re: How to setup Freeradius in a Domain

2011-07-13 Thread Nick Kartsioukas
On Wed, 13 Jul 2011 08:20 -0700, sgilmour sgilm...@enterasys.com
wrote:
 I just want to make sure I understand this.  The only way to be able to
 login to my PC with a Domain is to incorporate freeradius with an Active
 Directory server.  There isn't a way to do this without using Active
 Directory and to have freeradius do this independently?

Correct, but it's not too difficult.
Here are some docs I followed to get a Debian machine joined to my AD
domain:
http://www.surlyjake.com/2009/05/join-debian-lenny-to-active-directory-using-samba/
https://help.ubuntu.com/community/ActiveDirectoryWinbindHowto
http://wiki.debian.org/Authenticating_Linux_With_Active_Directory

You can stop after you've joined the domain, you don't need to proceed
through the "setting up authentication" steps.  After that, go to the
section "Configuring FreeRADIUS to use ntlm_auth" at
http://deployingradius.com/documents/configuration/active_directory.html
and try it out.


Re: How to setup Freeradius in a Domain

2011-07-13 Thread Johan Meiring

On 2011/07/13 05:49 PM, Phil Mayers wrote:


To login with domain credentials, FreeRADIUS must be able to check domain
credentials.

To check domain credentials, FreeRADIUS must be able to talk to Samba as a
domain member.



Just for interest sake...

We use a lot of Samba Domain Controllers (samba3, NT4 style domain)

Can you get this to work if you don't want Windows on your network?

(Not something I'm trying to achieve, just curious)

--


Johan Meiring
Cape PC Services CC
Tel: (021) 883-8271
Fax: (021) 886-7782




User Problem with Cisco Nexus 4.x

2011-07-13 Thread Jan . Gnepper
Hi,

I have a little problem.
I have two devices within the same huntgroup, but I get in trouble with one of
them.
Both are Cisco Nexus, but there is one difference:
the working one has NXOS 5.x, the one that is not working as expected NXOS 4.x.

Why is the right line in the users file found for the working device (line 67),
but not found for the other device (line 136),
while both devices are in the same huntgroup and both requests look identical?

Any ideas?
Am I just blind?

The interesting part is that both requests look identical (even in tcpdump!).
But the answer packet always shows a bad UDP checksum when I'm not able to log
in.

17:33:57.201238 IP (tos 0x0, ttl  64, id 1280, offset 0, flags [none], proto:
UDP (17), length: 48) radius-server.datametrics > 10.48.137.62.40077: [bad udp
cksum 2dde!] RADIUS, length: 20
Access Reject (3), id: 0x17, Authenticator:
436530c99d29615e3a35aa878275a97d

Is it possible that this causes my problem?

Jan


Huntgroups:

nexus   NAS-IP-Address == 10.48.141.157
nexus   NAS-IP-Address == 10.48.137.62


Users:

Line 67 ff:
test    Auth-Type := Pap, Huntgroup-Name == "nexus", MD5-Password := "098f6bcd4621d373cade4e832627b4f6"
        Login-Service = Telnet,
        Vendor-Specific = 9,
        Cisco-AVPair = "shell:roles*\"network-operator\" \"vdc-operator\""

Line 136:
DEFAULT Auth-Type := Reject


Not Working:


rad_recv: Access-Request packet from host 10.48.137.62 port 7032, id=63, 
length=62
User-Name = test
User-Password = test
NAS-Port-Type = Virtual
NAS-Port = 3002
NAS-IP-Address = 10.48.137.62
+- entering group authorize {...}
++[preprocess] returns ok
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files] expand: o=IAN,o=AD,o=WiW -> o=IAN,o=AD,o=WiW
[files] expand: (uid=%u) -> (uid=test)
rlm_ldap: ldap_get_conn: Checking Id: 0
rlm_ldap: ldap_get_conn: Got Id: 0
rlm_ldap: performing search in o=IAN,o=AD,o=WiW, with filter (uid=test)
rlm_ldap: object not found
rlm_ldap::ldap_groupcmp: search failed
rlm_ldap: ldap_release_conn: Release Id: 0
rlm_ldap: Entering ldap_groupcmp()
[files]

RE: How to setup Freeradius in a Domain

2011-07-13 Thread sgilmour
Nick,
I will take a look.
Thanks
Scott


Re: How to setup Freeradius in a Domain

2011-07-13 Thread Phil Mayers

On 07/13/2011 05:40 PM, Johan Meiring wrote:


Just for interest sake...

We use a lot of Samba Domain Controllers (samba3, NT4 style domain)


I should have been more precise: my comments apply to Microsoft domain 
controllers.


If you are using Samba as your domain controllers, then you have access 
to the SAM and can extract the LM/NT hash from whatever backend you use.


So you can just feed that info straight to FreeRADIUS. No need to use 
ntlm_auth / samba membership - just dump the NT hashes somewhere 
FreeRADIUS can get at them, or if you're using LDAP, point FreeRADIUS at 
that LDAP server and make sure it can read the ntPassword attribute.


This is preferable to using ntlm_auth in fact.


Re: How to setup Freeradius in a Domain

2011-07-13 Thread Arran Cudbard-Bell

On Jul 13, 2011, at 5:20 PM, sgilmour wrote:

 I just want to make sure I understand this.  The only way is to be able to
 login to my PC with a Domain is to incorporate freeradius with an Active
 Directory server.  

No, as the others have said, unless you're looking to qualify a username using
the value of the domain field in the login box, in which case yes, it's possible.

e.g.

User: 010103523
Domain: STAFF

You can then proxy the request based on the domain, use it to determine which
directory to query, or to check group membership (though that's a little weird
and undomainy).

-Arran

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter




Re: Different Attributes based on NAS-IP

2011-07-13 Thread Arran Cudbard-Bell

On Jul 13, 2011, at 5:12 PM, Jacob Dawson wrote:

 This looks to be very much like what you're after.
 http://wiki.freeradius.org/SQL%20Huntgroup%20HOWTO

Yes, there's even an example.

* Create multiple groups, each group mapping to a different set of reply 
attributes.
* Add a different Huntgroup-Name check item to each group
* Add your users to all groups

-Arran

 
 -Jacob
 
 On 13 Jul 2011, at 06:56, Waqas Toor wrote:
 
 Dear Community,
 
 I want to use SQL to send different Attributes of the same groupname
 based on NAS-IP-Address.
 for example
 1024DL_512UL is the name of my group in sql. I want to send different
 Attributes based on NAS IP 2.2.2.2 and Different attributes for same
 group when NAS IP is 6.6.6.6
 
 Any pointers.
 
 Thanks
 
 Waqas.

Arran Cudbard-Bell
a.cudba...@freeradius.org

RADIUS - Half the complexity of Diameter


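The three steps above, worked through in an in-memory SQLite database. This is an added example, not the wiki HOWTO's text and not FreeRADIUS's own code: it creates the rlm_sql tables involved (radhuntgroup, radusergroup, radgroupcheck, radgroupreply, with the stock 2.x column names), fills them as the steps describe, and then runs the lookup that the module's group processing amounts to. The group name and the two NAS addresses are the ones from the question; the user name, the huntgroup names and the reply attributes are constructed.

```python
"""Per-NAS reply attributes through SQL huntgroups, worked in sqlite3."""
import sqlite3

SCHEMA = """
CREATE TABLE radhuntgroup (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                           nasipaddress TEXT NOT NULL, nasportid TEXT);
CREATE TABLE radusergroup (username TEXT NOT NULL, groupname TEXT NOT NULL,
                           priority INTEGER NOT NULL DEFAULT 1);
CREATE TABLE radgroupcheck (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
CREATE TABLE radgroupreply (id INTEGER PRIMARY KEY, groupname TEXT NOT NULL,
                            attribute TEXT NOT NULL, op TEXT NOT NULL, value TEXT NOT NULL);
"""

# (table, column list, rows); all values below are constructed sample data.
ROWS = [
    # Name each NAS: Huntgroup-Name is derived from NAS-IP-Address via this table.
    ("radhuntgroup", "(groupname, nasipaddress)",
     [("nas_2", "2.2.2.2"), ("nas_6", "6.6.6.6")]),
    # Step 1: one group per distinct set of reply attributes.
    ("radgroupreply", "(groupname, attribute, op, value)",
     [("1024DL_512UL_nas_2", "WISPr-Bandwidth-Max-Down", ":=", "1024000"),
      ("1024DL_512UL_nas_2", "WISPr-Bandwidth-Max-Up", ":=", "512000"),
      ("1024DL_512UL_nas_6", "Mikrotik-Rate-Limit", ":=", "512k/1024k")]),
    # Step 2: a Huntgroup-Name check item on each group.
    ("radgroupcheck", "(groupname, attribute, op, value)",
     [("1024DL_512UL_nas_2", "Huntgroup-Name", "==", "nas_2"),
      ("1024DL_512UL_nas_6", "Huntgroup-Name", "==", "nas_6")]),
    # Step 3: the user is a member of all of them.
    ("radusergroup", "(username, groupname, priority)",
     [("alice", "1024DL_512UL_nas_2", 1), ("alice", "1024DL_512UL_nas_6", 2)]),
]


def build_db() -> sqlite3.Connection:
    """Create the tables and load the sample rows."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    for table, cols, rows in ROWS:
        marks = ", ".join("?" * len(rows[0]))
        db.executemany(f"INSERT INTO {table} {cols} VALUES ({marks})", rows)
    return db


def huntgroup_name(db, nas_ip):
    """The Huntgroup-Name a request from nas_ip would carry, or None."""
    row = db.execute("SELECT groupname FROM radhuntgroup WHERE nasipaddress = ?",
                     (nas_ip,)).fetchone()
    return row[0] if row else None


def reply_attributes(db, username, nas_ip):
    """Reply items of the first group (by priority) whose check items all pass.

    rlm_sql likewise stops at the first matching group unless the reply sets
    Fall-Through; only the Huntgroup-Name == check is modelled here, and any
    other check item fails closed.
    """
    hunt = huntgroup_name(db, nas_ip)
    groups = db.execute("SELECT groupname FROM radusergroup WHERE username = ? "
                        "ORDER BY priority", (username,)).fetchall()
    for (group,) in groups:
        checks = db.execute("SELECT attribute, op, value FROM radgroupcheck "
                            "WHERE groupname = ?", (group,)).fetchall()
        if not all(a == "Huntgroup-Name" and op == "==" and v == hunt
                   for a, op, v in checks):
            continue
        return db.execute("SELECT attribute, op, value FROM radgroupreply "
                          "WHERE groupname = ? ORDER BY id", (group,)).fetchall()
    return []


if __name__ == "__main__":
    db = build_db()
    for nas in ("2.2.2.2", "6.6.6.6", "9.9.9.9"):
        print(nas, huntgroup_name(db, nas), reply_attributes(db, "alice", nas))
```

A NAS that is in no huntgroup matches neither group and gets no reply items at all, which is the safe default: a new NAS has to be added to radhuntgroup before any rate-limit attributes are handed out through it.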


PAP authentication to Active Directory

2011-07-13 Thread Axford M.F.
Hi

I'm currently setting up a radius server to authenticate EAP based requests 
against Active Directory.

Using Alan Dekok's guide I've got this authenticating mschap based EAP requests 
successfully.

I also want to authenticate ttls/pap requests and I've found two ways to do 
this that seem to work.

Method 1 is based on what's in
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html

Method 2 is to use LDAP for pap authentications.

All things being equal my preference is to use Method 1 as it keeps all
authentications the same, however the:

if (!control:Auth-Type) {
    update control {
        Auth-Type = ntlm_auth_pap
    }
}

in the inner-tunnel/authorize section seems a bit like a hack. Is there a
better way to do this?

Is either method particularly better than the other ?

Regards

Mike Axford

-- 
Mike Axford
Enterprise Systems
iSolutions
University of Southampton
Southampton
SO17 1BJ

Email:  m.f.axf...@soton.ac.uk
Phone:  023 8059 5337
 


Re: PAP authentication to Active Directory

2011-07-13 Thread Phil Mayers

On 07/13/2011 06:04 PM, Axford M.F. wrote:

Hi

I'm currently setting up a radius server to authenticate EAP based requests 
against Active Directory.

Using Alan Dekok's guide I've got this authenticating mschap based EAP requests 
successfully.

I also want to authenticate ttls/pap requests and I've found two ways to do 
this that seem to work.

Method 1 is based on what's in
http://freeradius.1045715.n5.nabble.com/EAP-TTLS-w-PAP-using-ntlm-auth-td2773260.html

Method 2 is to use LDAP for pap authentications.

All things being equal my preference is to use Method 1 as it keeps all
authentications the same, however the:

 if (!control:Auth-Type) {
     update control {
         Auth-Type = ntlm_auth_pap
     }
 }

in the inner-tunnel/authorize section seems a bit like a hack. Is there a
better way to do this?


We do this:

server inner-tunnel {
  authorize {
...
mschap
eap
pap
  }
  authenticate {
Auth-Type PAP {
  ntlm_auth_pap
}
...
  }
}

...which is, in its own way, a hack (run the pap module to set the
Auth-Type, run a different module to service it). Your solution isn't so
bad; the pap module itself basically only does this internally:


if (!control:Auth-Type && User-Password) {
  update control {
    Auth-Type := PAP
  }
}



Is either method particularly better than the other ?


There might be circumstances in which LDAP is better; but knowing how 
the protocols works and the failure modes of the two modules in 
FreeRADIUS, I doubt it.


It also means you don't need a username to bind to LDAP for you; which
is just another bit of config to get wrong, out of date, expired
password, or compromised...


If you don't need LDAP for other reasons (e.g. groups) then don't bother 
with it.



Re: User Problem with Cisco Nexus 4.x

2011-07-13 Thread Phil Mayers

On 07/13/2011 05:40 PM, jan.gnep...@t-systems.com wrote:


Access Reject (3), id: 0x17, Authenticator: 436530c99d29615e3a35aa878275a97d
Is it possible that this causes my problem?


No, this is just due to checksum offload. Ignore it.


Jan
Huntgroups:

nexus NAS-IP-Address == 10.48.141.157
nexus NAS-IP-Address == 10.48.137.62
Users:

Line 67 ff:


Are you absolutely sure that:

 1. This file really says exactly this, and
 2. FreeRADIUS is reading this file - have you checked you aren't editing
the wrong file? Have you restarted FreeRADIUS after editing it?


The requests look identical.

However, your users file is obviously complex; you must have a lot of 
LDAP-Group comparisons earlier in it.


I suggest emptying the file and starting simple, with just two entries - 
the test user and the default reject.



test Auth-Type := Pap, Huntgroup-Name == nexus, MD5-Password :=


Don't set Auth-Type to PAP. Let the pap module handle this.


Re: How to setup Freeradius in a Domain

2011-07-13 Thread sgilmour
Thanks for everyone's help.  I will follow
http://deployingradius.com/documents/configuration/active_directory.html
Looks like all I need to do is set up samba and the ntlm_auth file and I
should be all set.
I should be able to set up the smb.conf file so it will work with both my
2003 and 2008 Servers' Active Directory files?
Thanks
Scott





Unmatched ( or \(, and, more broadly, setting Stripped-User-Name

2011-07-13 Thread Jacob Dawson
So, one of my last things here is making sure I can get at the stripped 
usernames for my domain users, as they're authorized by their stripped name, 
not the name w/ which they're authenticating.  Forex, if I'm using my AD 
credentials to log in, User-Name = hokies\dawson, but I'm authorized for WLAN 
access as 'dawson,' not 'hokies\dawson.'

That's all well and good, as I should just be able to use Stripped-User-Name in 
my queries and it'll be fine (assuming it exists, using the :- operator and 
doing a little logic there, which I have working fine).  However, I haven't 
found a way, or maybe just the right way, to get the realms module to create 
that stripped user name at the right time, and when I use the perl module to 
create it and add it to the list, it doesn't seem to come out the other side, 
like so:

rlm_perl: Added pair User-Name = hokies\\dawson
...
rlm_perl: Added pair Stripped-User-Name = dawson
(1)   [perl] = updated
(1)   ? if (%{Stripped-User-Name} == dawson)
(1) expand: %{Stripped-User-Name} ->
(1) ? Evaluating (%{Stripped-User-Name} == dawson) -> FALSE
(1)   ? if (%{Stripped-User-Name} == dawson) -> FALSE

I uncommented the func_authorize = authorize line in modules/perl, and the 
script to which the perl module points has this for its authorize function:
sub authorize {
    # For debugging purposes only
    # log_request_attributes;

    # Logic to add stripped user name to request if our realms are
    # recognized
    my $fullUserName = $RAD_REQUEST{'User-Name'};
    # If we have a prefix-determined domain
    if ( $fullUserName =~ /^.*\\(\\)?/i ) {
        $RAD_REPLY{'Stripped-User-Name'} = $';
        return RLM_MODULE_UPDATED;
    }
    # If we have a suffix-determined domain
    elsif ( $fullUserName =~ /\@.*$/ ) {
        $RAD_REPLY{'Stripped-User-Name'} = $`;
        return RLM_MODULE_UPDATED;
    }
    return RLM_MODULE_OK;
}

Obviously, the regexps are working and the logic is working, based on the debug 
output, but since in the very next line, Stripped-User-Name is blank again, 
something's not working here.

I _tried_ getting this working in unlang, but that got messy pretty fast, and
started complaining about unmatched parens:
(1)   ? elsif (%{User-Name} =~ /^(.*\\)(.*)$/)
(1) expand: %{User-Name} -> hokies\dawson
ERROR: Failed compiling regular expression: Unmatched ( or \(
(1)   - if (%{User-Name} !~ /^.*\/.*$/) returns updated

where the relevant part of sites-enabled/default authorize section looks thus:

elsif (%{User-Name} =~ /^(.*\\)(.*)$/) {
    update request {
        Stripped-User-Name := %{$`}
    }
}
 (I can't tell if the assignment is working or not, since it never gets that 
far, but I wouldn't be surprised if it shouldn't work in that state)

One of these ought to be writing the Attribute correctly, but not a one of them 
has worked.  Manually writing to the attribute works 
(Stripped-User-Name:=dawson) but that's hardly the right answer.  I'm out of 
ideas here.  I can't tell if I'm getting unexpected behavior out of FreeRADIUS, 
or I'm just missing something.

Thoughts?

Thanks much,
 - Jacob


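The split this message is after, written out as an added example in Python. It is not the poster's Perl and not the realm module's code: it handles the three name shapes the message mentions (DOMAIN\user, user@domain, and a plain user with no realm) plus the doubled backslash that the rlm_perl debug line shows arriving, and returns the bare name and the realm separately so the caller decides which attribute list each goes into. The sample names are constructed. One thing worth checking against the Perl above: %RAD_REPLY in rlm_perl is the reply list, so a value that a later request-side condition reads as %{Stripped-User-Name} has to be written into %RAD_REQUEST; the `authorize` helper below writes into the request dictionary for that reason.

```python
"""Deriving Stripped-User-Name and Realm from a prefix or suffix realm."""
import re

# DOMAIN\user; one or more backslashes, because the debug output above showed
# the value as hokies\\dawson. Neither side may be empty or contain @ or \.
PREFIX_RE = re.compile(r"^([^\\@]+)\\+([^\\@]+)$")
# user@domain; neither side may be empty or contain @ or \.
SUFFIX_RE = re.compile(r"^([^@\\]+)@([^@\\]+)$")


def strip_realm(user_name: str) -> dict:
    """Return the attributes a realm split would produce for user_name."""
    m = PREFIX_RE.match(user_name)
    if m:
        return {"Stripped-User-Name": m.group(2), "Realm": m.group(1), "format": "prefix"}
    m = SUFFIX_RE.match(user_name)
    if m:
        return {"Stripped-User-Name": m.group(1), "Realm": m.group(2), "format": "suffix"}
    # No recognised realm (or a malformed one such as a leading backslash):
    # report that rather than guessing, so a caller using the :- fallback
    # keeps the original User-Name.
    return {"Stripped-User-Name": None, "Realm": None, "format": "none"}


def authorize(request: dict, reply: dict) -> str:
    """Mimic an authorize hook (hypothetical helper, not rlm_perl's API).

    The stripped name goes into the *request* list, which is where later
    unlang conditions and SQL queries look for %{Stripped-User-Name};
    nothing is added to the reply list.
    """
    result = strip_realm(request["User-Name"])
    if result["format"] == "none":
        return "ok"
    request["Stripped-User-Name"] = result["Stripped-User-Name"]
    request["Realm"] = result["Realm"]
    return "updated"


if __name__ == "__main__":
    for name in ("hokies\\dawson", "hokies\\\\dawson", "dawson@hokies", "dawson", "\\dawson"):
        print(repr(name), strip_realm(name))
```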


WiFI

2011-07-13 Thread michel

Hello

I have three Linksys Wireless Routers:

WRT160N
WRT110
WRT360 - Now I'm not sure of the model

With them, users connect to my network over WiFi using a password exchange.

I would like to change this pattern. I wonder whether it is possible to
configure Authentication, Authorization and Accounting with FreeRADIUS, and
whether you can provide me with any documentation that details how this can
be done.


Thanks

Michel
--
Webmail, servicio de correo electronico
Casa de las Americas - La Habana, Cuba.

