Re: eap/peap certificate problems?

2008-04-23 Thread David Hláčik
Great, but that was not the case with freeradius 1.x, which I was using and
discussing all the time.

Regards,
D.

2008/4/22 Alan DeKok [EMAIL PROTECTED]:

 David Hláčik wrote:
  I did a lot of reading about certificate generation,

  This just kills me.

  2.0 ships with scripts to create certificates, and documentation
 saying that this is what it does.

  The Wiki also has a page describing certificate creation.  Go to the
 find dialog, and type certificates.  You'll be taken directly to a
 page documenting these things.

  Alan DeKok.

-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html

Re: eap/peap certificate problems?

2008-04-22 Thread David Hláčik
Oou, it's freeradius-1.1.3-1.2.el5 :(

D.

2008/4/22 Ivan Kalik [EMAIL PROTECTED]:

 Version? If it is before 1.1.4 it will not work with Vista.

 Ivan Kalik
 Kalik informatika ISP


 On 21/4/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Ivan, simply because I have freeradius running as the authorization server for
 VPN (poptop) on our company infrastructure server, based on CentOS 5.1. I
 just want to add PEAP functionality for wireless APs (4 of them currently)
 to that radius. I did a lot of reading about certificate generation, and I am
 successfully using certificates, for example for OpenLDAP; so far I have
 followed this tutorial, where everything is nicely explained:
 http://www.smallnetbuilder.com/content/view/30213/98/1/2/
 
 So please tell me, is it the certificate which is causing that problem, or
 might it possibly be something else?
 
 Thanks in advance!
 
 David
 
 2008/4/21 Ivan Kalik [EMAIL PROTECTED]:
 
  What freeradius version is this? Why don't you upgrade to current
  version where PEAP works with default configuration with test
  certificates that are made during install? Once you check that's
  working, replace them with your certificates and you will know if
  certificates are the problem.
 
  Ivan Kalik
  Kalik informatika ISP
 
 
  On 21/4/2008, David Hláčik [EMAIL PROTECTED] wrote:
 
  Hi, because for a period of time I was not able to add it to my
  working MSCHAPv2 for PPTPD with LDAP radius configuration, I have copied
  fresh new radius configuration files and tried to configure just a simple
  eap/peap for my wireless router.
  I have CentOS 5.1, but basically I have followed this howto:
  http://ubuntuforums.org/showthread.php?t=478804
  I have my own CA and my own server certificate, with X509 xpextension
  support configured. I have installed it as a trusted root CA certificate on
  my Windows Vista SP1 client computer; I am using a simple testuser with the
  Secret149 password defined in the users file, but it still does not work and
  complains about certificates. My Windows Vista wireless connection manager
  shows my server certificate as correct.
 
 
 



Re: eap/peap certificate problems?

2008-04-21 Thread David Hláčik
Ivan, simply because I have freeradius running as the authorization server for
VPN (poptop) on our company infrastructure server, based on CentOS 5.1. I
just want to add PEAP functionality for wireless APs (4 of them currently)
to that radius. I did a lot of reading about certificate generation, and I am
successfully using certificates, for example for OpenLDAP; so far I have
followed this tutorial, where everything is nicely explained:
http://www.smallnetbuilder.com/content/view/30213/98/1/2/

So please tell me, is it the certificate which is causing that problem, or
might it possibly be something else?

Thanks in advance!

David

2008/4/21 Ivan Kalik [EMAIL PROTECTED]:

 What freeradius version is this? Why don't you upgrade to current
 version where PEAP works with default configuration with test
 certificates that are made during install? Once you check that's
 working, replace them with your certificates and you will know if
 certificates are the problem.

 Ivan Kalik
 Kalik informatika ISP


 On 21/4/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Hi, because for a period of time I was not able to add it to my
 working MSCHAPv2 for PPTPD with LDAP radius configuration, I have copied
 fresh new radius configuration files and tried to configure just a simple
 eap/peap for my wireless router.
 I have CentOS 5.1, but basically I have followed this howto:
 http://ubuntuforums.org/showthread.php?t=478804
 I have my own CA and my own server certificate, with X509 xpextension
 support configured. I have installed it as a trusted root CA certificate on
 my Windows Vista SP1 client computer; I am using a simple testuser with the
 Secret149 password defined in the users file, but it still does not work and
 complains about certificates. My Windows Vista wireless connection manager
 shows my server certificate as correct.



Re: frammed ip adress

2008-04-14 Thread David Hláčik
Hi, do my own ip pools need to be added to the post-auth and accounting
sections?

Thanks!

D.

2008/4/6 Ivan Kalik [EMAIL PROTECTED]:

 ldap looks fine to me, but I don't use it.

 Ivan Kalik
 Kalik Informatika ISP


 On 6/4/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Thanks Ivan!
 
 Can I take it that my group structure in LDAP is okay, and that I only need
 to add those to the users file and it will work?
 
 D.
 
 2008/4/5 Ivan Kalik [EMAIL PROTECTED]:
 
  DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
 
  DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 5/4/2008, David Hláčik [EMAIL PROTECTED] wrote:
 
  Hi,
  
  I will describe what I am trying to achieve.
  
  This is my sample LDAP structure:
  
  users (inetOrgPerson):
  
  cn=User1,ou=Users,o=Polarion
  cn=User2,ou=Users,o=Polarion
  cn=UserA,ou=Users,o=Polarion
  cn=UserB,ou=Users,o=Polariong
  
  groups (GroupOfNames):
  
  cn=GroupNumbers,ou=Groups,o=Polarion
    member=cn=User1,ou=Users,o=Polarion
    member=cn=User2,ou=Users,o=Polarion
  
  cn=GroupLetters,ou=Groups,o=Polarion
    member=cn=UserA,ou=Users,o=Polarion
    member=cn=UserB,ou=Users,o=Polarion
  
  I want to be able to assign a different pool-name per group:
  
  for GroupNumbers Pool-Name number
  for GroupLetters Pool-Name letters
  
  How can I achieve this without adding any attribute to the user entry? (Users
  have access to their own DN, so they would be able to change it; this is what
  I want to block! I know I can set read-only access in slapd.conf, but this is
  not what I want.)
  
  1) One scenario I was thinking of is to add to the radius users file:
  
  DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
    Fall-Through = no
  
  DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
    Fall-Through = no
  
  But what do I need to add to the ldap configuration part in order to make it
  work?
  
  Thanks very very much for help!
  
  Regards,
  
  David
  On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
  
   So if I understand correctly, I need to name and configure ip pool parts in
   radius.conf and then use this name as the Pool-Name in LDAP?
  
   Yes.
  
   Is there a chance to specify the range directly in LDAP and not in ip pool?
  
   No, but there is sqlippool. Or use DHCP on your NAS. Or define IP
 pools
   on the NAS and select them with Framed-Pool if your NAS supports it.
   Cisco doesn't but you can set IP pool with avpairs.
  
   Ivan Kalik
   Kalik Informatika ISP
  
  
  
  
 
 
 



Re: frammed ip adress

2008-04-14 Thread David Hláčik
Can I, before:

DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers

add

DEFAULT Pool-Name := vpn_main

which will assign the vpn_main pool to all other groups not defined in the
users file?

Thanks!

2008/4/6 Ivan Kalik [EMAIL PROTECTED]:

 ldap looks fine to me, but I don't use it.

 Ivan Kalik
 Kalik Informatika ISP


 On 6/4/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Thanks Ivan!
 
 Can I take it that my group structure in LDAP is okay, and that I only need
 to add those to the users file and it will work?
 
 D.
 
 2008/4/5 Ivan Kalik [EMAIL PROTECTED]:
 
  DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
 
  DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 5/4/2008, David Hláčik [EMAIL PROTECTED] wrote:
 
  Hi,
  
  I will describe what I am trying to achieve.
  
  This is my sample LDAP structure:
  
  users (inetOrgPerson):
  
  cn=User1,ou=Users,o=Polarion
  cn=User2,ou=Users,o=Polarion
  cn=UserA,ou=Users,o=Polarion
  cn=UserB,ou=Users,o=Polariong
  
  groups (GroupOfNames):
  
  cn=GroupNumbers,ou=Groups,o=Polarion
    member=cn=User1,ou=Users,o=Polarion
    member=cn=User2,ou=Users,o=Polarion
  
  cn=GroupLetters,ou=Groups,o=Polarion
    member=cn=UserA,ou=Users,o=Polarion
    member=cn=UserB,ou=Users,o=Polarion
  
  I want to be able to assign a different pool-name per group:
  
  for GroupNumbers Pool-Name number
  for GroupLetters Pool-Name letters
  
  How can I achieve this without adding any attribute to the user entry? (Users
  have access to their own DN, so they would be able to change it; this is what
  I want to block! I know I can set read-only access in slapd.conf, but this is
  not what I want.)
  
  1) One scenario I was thinking of is to add to the radius users file:
  
  DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
    Fall-Through = no
  
  DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
    Fall-Through = no
  
  But what do I need to add to the ldap configuration part in order to make it
  work?
  
  Thanks very very much for help!
  
  Regards,
  
  David
  On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
  
   So if I understand correctly, I need to name and configure ip pool parts in
   radius.conf and then use this name as the Pool-Name in LDAP?
  
   Yes.
  
   Is there a chance to specify the range directly in LDAP and not in ip pool?
  
   No, but there is sqlippool. Or use DHCP on your NAS. Or define IP
 pools
   on the NAS and select them with Framed-Pool if your NAS supports it.
   Cisco doesn't but you can set IP pool with avpairs.
  
   Ivan Kalik
   Kalik Informatika ISP
  
  
  
  
 
 
 


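The thread does not settle where such a catch-all entry has to go. As an added example (not from the thread and not FreeRADIUS code), the Python evaluator below models the documented users-file rule: entries are tried in order, the first matching entry wins, and processing only continues past it when that entry sets Fall-Through = Yes. It assumes the Ldap-Group check is answered by rlm_ldap's group lookup, which the evaluator stands in for with a constructed membership table; the entries, user names and group names follow the thread.

```python
import re

# Added example: a toy evaluator for FreeRADIUS "users" file entries (not
# FreeRADIUS code).  It models first-match semantics, "==" check items,
# ":=" config items such as Pool-Name, and the Fall-Through reply item.
# Values containing commas (full LDAP DNs) would need quoting in a real
# users file; this parser does not handle quotes.

ITEM_RE = re.compile(r"([\w-]+)\s*(==|:=)\s*([^,\s]+)")
REPLY_RE = re.compile(r"\s*([\w-]+)\s*=\s*(\S+)")


def parse_users(text):
    """Return a list of entries: name, checks (==), config (:=), fall_through."""
    entries = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace():
            # Indented continuation line: reply items of the preceding entry.
            m = REPLY_RE.match(raw)
            if m and entries:
                attr, value = m.groups()
                if attr == "Fall-Through":
                    entries[-1]["fall_through"] = value.lower() == "yes"
                else:
                    entries[-1]["reply"][attr] = value
            continue
        parts = raw.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        entry = {"name": name, "checks": {}, "config": {}, "reply": {},
                 "fall_through": False}
        for attr, op, value in ITEM_RE.findall(rest):
            (entry["checks"] if op == "==" else entry["config"])[attr] = value
        entries.append(entry)
    return entries


def lookup(entries, username, groups):
    """Config items (e.g. Pool-Name) the request ends up with.

    `groups` stands in for rlm_ldap's Ldap-Group lookup.  Entries are tried
    in order; the first match wins unless it sets Fall-Through = Yes, in
    which case later matching entries still run and their ":=" values
    override earlier ones.
    """
    config = {}
    for entry in entries:
        if entry["name"] not in ("DEFAULT", username):
            continue
        matched = True
        for attr, value in entry["checks"].items():
            if attr == "Ldap-Group":
                matched = value in groups
            elif attr == "User-Name":
                matched = value == username
            else:
                matched = False  # attributes this toy evaluator does not model
            if not matched:
                break
        if not matched:
            continue
        config.update(entry["config"])
        if not entry["fall_through"]:
            break
    return config


# Ivan's two group entries from the thread.
GROUP_ENTRIES = """\
DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers
"""
# David's proposed catch-all, without and with Fall-Through.
CATCH_ALL = "DEFAULT Pool-Name := vpn_main\n"
CATCH_ALL_FALL_THROUGH = "DEFAULT Pool-Name := vpn_main\n\tFall-Through = Yes\n"

# Constructed membership table mirroring the thread's LDAP layout; UserX is
# in neither group and should land in the catch-all pool.
MEMBERS = {"UserA": {"GroupLetters"}, "User1": {"GroupNumbers"}, "UserX": set()}


def pool_for(users_text, username):
    entries = parse_users(users_text)
    return lookup(entries, username, MEMBERS.get(username, set())).get("Pool-Name")


if __name__ == "__main__":
    for label, text in (("catch-all first", CATCH_ALL + GROUP_ENTRIES),
                        ("catch-all last", GROUP_ENTRIES + CATCH_ALL),
                        ("catch-all first + Fall-Through",
                         CATCH_ALL_FALL_THROUGH + GROUP_ENTRIES)):
        print(label, {u: pool_for(text, u) for u in MEMBERS})
```

Run it and the three layouts show the pitfall: with the catch-all placed first and no Fall-Through, every user gets vpn_main because the unconditional entry matches and stops processing; placing it last, or keeping it first with Fall-Through = Yes, gives group members their group pool and only the others vpn_main.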

Re: frammed ip adress

2008-04-14 Thread David Hláčik
I configure ippool vpn_main_pool { } in radius.conf.
If I use it in the accounting section ( vpn_main_pool ) I get the
following error:

adiusd.conf[1685]: vpn_main_pool: Module instantiation failed.
radiusd.conf[2112] Unknown module vpn_main_pool.
radiusd.conf[2089] Failed to parse accounting section.

D.

2008/4/14 David Hláčik [EMAIL PROTECTED]:

 Can I, before:
 
 DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
 DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers
 
 add
 
 DEFAULT Pool-Name := vpn_main
 
 which will assign the vpn_main pool to all other groups not defined in the
 users file?

 Thanks!

 2008/4/6 Ivan Kalik [EMAIL PROTECTED]:

 ldap looks fine to me, but I don't use it.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
  On 6/4/2008, David Hláčik [EMAIL PROTECTED] wrote:
 
  Thanks Ivan!
  
  Can I take it that my group structure in LDAP is okay, and that I only need
  to add those to the users file and it will work?
  
  D.
  
  2008/4/5 Ivan Kalik [EMAIL PROTECTED]:
  
   DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters
  
   DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers
  
   Ivan Kalik
   Kalik Informatika ISP
  
  
   On 5/4/2008, David Hláčik [EMAIL PROTECTED] wrote:
  
   Hi,
   
   I will describe what I am trying to achieve.
   
   This is my sample LDAP structure:
   
   users (inetOrgPerson):
   
   cn=User1,ou=Users,o=Polarion
   cn=User2,ou=Users,o=Polarion
   cn=UserA,ou=Users,o=Polarion
   cn=UserB,ou=Users,o=Polariong
   
   groups (GroupOfNames):
   
   cn=GroupNumbers,ou=Groups,o=Polarion
     member=cn=User1,ou=Users,o=Polarion
     member=cn=User2,ou=Users,o=Polarion
   
   cn=GroupLetters,ou=Groups,o=Polarion
     member=cn=UserA,ou=Users,o=Polarion
     member=cn=UserB,ou=Users,o=Polarion
   
   I want to be able to assign a different pool-name per group:
   
   for GroupNumbers Pool-Name number
   for GroupLetters Pool-Name letters
   
   How can I achieve this without adding any attribute to the user entry? (Users
   have access to their own DN, so they would be able to change it; this is what
   I want to block! I know I can set read-only access in slapd.conf, but this is
   not what I want.)
   
   1) One scenario I was thinking of is to add to the radius users file:
   
   DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
     Fall-Through = no
   
   DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
     Fall-Through = no
   
   But what do I need to add to the ldap configuration part in order to make it
   work?
   
   Thanks very very much for help!
   
   Regards,
   
   David
   On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
   
    So if I understand correctly, I need to name and configure ip pool parts in
    radius.conf and then use this name as the Pool-Name in LDAP?
   
Yes.
   
    Is there a chance to specify the range directly in LDAP and not in ip pool?
   
No, but there is sqlippool. Or use DHCP on your NAS. Or define IP
  pools
on the NAS and select them with Framed-Pool if your NAS supports
  it.
Cisco doesn't but you can set IP pool with avpairs.
   
Ivan Kalik
Kalik Informatika ISP
   
   
   
   
  
  
  
 
 



generating tls certificates for radius under centos

2008-04-10 Thread David Hláčik
Hi all,

I need to generate certificate files for radius TLS. I am using CentOS 5.1
and the scripts in /etc/pki/tls/misc to generate my own CA key, and my own
keys signed with my CA.
For Radius I need a server certificate with xpextensions support. How can I
generate a server certificate with xpextensions, signed with my own CA, on
CentOS 5.1?

Thanks in advance!

David
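The question gets no answer on the page. As an added example (not from the thread, and not FreeRADIUS's own certificate scripts), the Python script below drives the openssl command line to do what is asked: create a private CA, sign a server certificate with the same two xpextensions sections that FreeRADIUS ships (the server certificate needs extendedKeyUsage serverAuth, OID 1.3.6.1.5.5.7.3.1, which is what Windows supplicants check on a PEAP server certificate), and then verify the result. The subject names, file names and validity period are placeholders chosen for the example; it needs an openssl binary on PATH and returns None when there is none.

```python
import shutil
import subprocess
import tempfile
from pathlib import Path

# Added example: build a private CA plus a RADIUS server certificate that
# carries the Windows "xpextensions".  Not FreeRADIUS code; subject names
# (Example CA, radius.example.test) are hypothetical placeholders.

# Same two sections as FreeRADIUS's certs/xpextensions file: the server
# certificate must carry extendedKeyUsage = serverAuth (1.3.6.1.5.5.7.3.1);
# a client certificate would carry clientAuth (1.3.6.1.5.5.7.3.2).
XPEXTENSIONS = """\
[ xpclient_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.2

[ xpserver_ext ]
extendedKeyUsage = 1.3.6.1.5.5.7.3.1
"""


def _openssl(*args, cwd):
    """Run one openssl subcommand in cwd and return its stdout."""
    return subprocess.run(["openssl", *args], cwd=str(cwd), check=True,
                          capture_output=True, text=True).stdout


def make_peap_server_cert(workdir=None, ca_subject="/CN=Example CA",
                          server_subject="/CN=radius.example.test", days="365"):
    """Create ca.key/ca.pem and server.key/server.pem under workdir.

    Returns a dict describing what was produced, or None when openssl is
    not installed (so the example degrades gracefully instead of crashing).
    """
    if shutil.which("openssl") is None:
        return None
    tmp = None
    if workdir is None:
        tmp = tempfile.TemporaryDirectory()
        workdir = tmp.name
    wd = Path(workdir)
    try:
        (wd / "xpextensions").write_text(XPEXTENSIONS)
        # 1. Self-signed CA key and certificate (the CA cert is what gets
        #    installed as a trusted root on the Windows clients).
        _openssl("req", "-x509", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", "ca.key", "-out", "ca.pem", "-days", days,
                 "-subj", ca_subject, cwd=wd)
        # 2. Server key and certificate signing request.
        _openssl("req", "-new", "-newkey", "rsa:2048", "-nodes",
                 "-keyout", "server.key", "-out", "server.csr",
                 "-subj", server_subject, cwd=wd)
        # 3. Sign the CSR with the CA, attaching the xpserver_ext section.
        _openssl("x509", "-req", "-in", "server.csr", "-CA", "ca.pem",
                 "-CAkey", "ca.key", "-CAcreateserial", "-out", "server.pem",
                 "-days", days, "-extfile", "xpextensions",
                 "-extensions", "xpserver_ext", cwd=wd)
        # 4. Check the result: the EKU is present and the chain validates.
        text = _openssl("x509", "-in", "server.pem", "-noout", "-text", cwd=wd)
        verify = _openssl("verify", "-CAfile", "ca.pem", "server.pem", cwd=wd)
        return {
            "server_auth": "TLS Web Server Authentication" in text,
            "client_auth": "TLS Web Client Authentication" in text,
            "chain_ok": verify.strip().endswith("OK"),
        }
    finally:
        if tmp is not None:
            tmp.cleanup()


if __name__ == "__main__":
    print(make_peap_server_cert())
```

Only ca.pem leaves the RADIUS host (it goes into the clients' trusted root store); server.key stays with the server and is what eap.conf's tls section points at. The check in step 4 is the one worth keeping in any certificate-generation procedure: a certificate without the serverAuth EKU is exactly the case where a Vista supplicant rejects the server even though the chain is trusted.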

Re: frammed ip adress

2008-04-06 Thread David Hláčik
Thanks Ivan!,

Can I take it that my group structure in LDAP is okay, and that I only need
to add those to the users file and it will work?

D.

2008/4/5 Ivan Kalik [EMAIL PROTECTED]:

 DEFAULT   Ldap-Group == GroupLetters, Pool-Name := letters

 DEFAULT   Ldap-Group == GroupNumbers, Pool-Name := numbers

 Ivan Kalik
 Kalik Informatika ISP


 On 5/4/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Hi,
 
 I will describe what I am trying to achieve.
 
 This is my sample LDAP structure:
 
 users (inetOrgPerson):
 
 cn=User1,ou=Users,o=Polarion
 cn=User2,ou=Users,o=Polarion
 cn=UserA,ou=Users,o=Polarion
 cn=UserB,ou=Users,o=Polariong
 
 groups (GroupOfNames):
 
 cn=GroupNumbers,ou=Groups,o=Polarion
   member=cn=User1,ou=Users,o=Polarion
   member=cn=User2,ou=Users,o=Polarion
 
 cn=GroupLetters,ou=Groups,o=Polarion
   member=cn=UserA,ou=Users,o=Polarion
   member=cn=UserB,ou=Users,o=Polarion
 
 I want to be able to assign a different pool-name per group:
 
 for GroupNumbers Pool-Name number
 for GroupLetters Pool-Name letters
 
 How can I achieve this without adding any attribute to the user entry? (Users
 have access to their own DN, so they would be able to change it; this is what
 I want to block! I know I can set read-only access in slapd.conf, but this is
 not what I want.)
 
 1) One scenario I was thinking of is to add to the radius users file:
 
 DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
   Fall-Through = no
 
 DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
   Fall-Through = no
 
 But what do I need to add to the ldap configuration part in order to make it
 work?
 
 Thanks very very much for help!
 
 Regards,
 
 David
 On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:
 
  So if I understand correctly, I need to name and configure ip pool parts in
  radius.conf and then use this name as the Pool-Name in LDAP?
 
  Yes.
 
  Is there a chance to specify the range directly in LDAP and not in ip pool?
 
  No, but there is sqlippool. Or use DHCP on your NAS. Or define IP pools
  on the NAS and select them with Framed-Pool if your NAS supports it.
  Cisco doesn't but you can set IP pool with avpairs.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 
 
 



Re: frammed ip adress

2008-04-05 Thread David Hláčik
Hi,

I will describe what I am trying to achieve.

This is my sample LDAP structure:

users (inetOrgPerson):

cn=User1,ou=Users,o=Polarion
cn=User2,ou=Users,o=Polarion
cn=UserA,ou=Users,o=Polarion
cn=UserB,ou=Users,o=Polariong

groups (GroupOfNames):

cn=GroupNumbers,ou=Groups,o=Polarion
  member=cn=User1,ou=Users,o=Polarion
  member=cn=User2,ou=Users,o=Polarion

cn=GroupLetters,ou=Groups,o=Polarion
  member=cn=UserA,ou=Users,o=Polarion
  member=cn=UserB,ou=Users,o=Polarion

I want to be able to assign a different pool-name per group:

for GroupNumbers Pool-Name number
for GroupLetters Pool-Name letters

How can I achieve this without adding any attribute to the user entry? (Users
have access to their own DN, so they would be able to change it; this is what
I want to block! I know I can set read-only access in slapd.conf, but this is
not what I want.)

1) One scenario I was thinking of is to add to the radius users file:

DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
  Fall-Through = no

DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
  Fall-Through = no

But what do I need to add to the ldap configuration part in order to make it
work?

Thanks very very much for help!

Regards,

David
On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:

 So if I understand correctly, I need to name and configure ip pool parts in
 radius.conf and then use this name as the Pool-Name in LDAP?

 Yes.

 Is there a chance to specify the range directly in LDAP and not in ip pool?

 No, but there is sqlippool. Or use DHCP on your NAS. Or define IP pools
 on the NAS and select them with Framed-Pool if your NAS supports it.
 Cisco doesn't but you can set IP pool with avpairs.

 Ivan Kalik
 Kalik Informatika ISP



Re: frammed ip adress

2008-04-05 Thread David Hláčik
Sorry for that mistake in the last lines:

DEFAULT NAS-Port-Type == letters, Ldap-Group ==
cn=GroupLetters,ou=Groups,o=Polarion
  Fall-Through = no

*DEFAULT Pool-Name == letters, Ldap-Group ==
cn=GroupLetters,ou=Groups,o=Polarion
  Fall-Through = no

On Sat, Apr 5, 2008 at 4:38 PM, David Hláčik [EMAIL PROTECTED] wrote:

 Hi,
 
 I will describe what I am trying to achieve.
 
 This is my sample LDAP structure:
 
 users (inetOrgPerson):
 
 cn=User1,ou=Users,o=Polarion
 cn=User2,ou=Users,o=Polarion
 cn=UserA,ou=Users,o=Polarion
 cn=UserB,ou=Users,o=Polariong
 
 groups (GroupOfNames):
 
 cn=GroupNumbers,ou=Groups,o=Polarion
   member=cn=User1,ou=Users,o=Polarion
   member=cn=User2,ou=Users,o=Polarion
 
 cn=GroupLetters,ou=Groups,o=Polarion
   member=cn=UserA,ou=Users,o=Polarion
   member=cn=UserB,ou=Users,o=Polarion
 
 I want to be able to assign a different pool-name per group:
 
 for GroupNumbers Pool-Name number
 for GroupLetters Pool-Name letters
 
 How can I achieve this without adding any attribute to the user entry? (Users
 have access to their own DN, so they would be able to change it; this is what
 I want to block! I know I can set read-only access in slapd.conf, but this is
 not what I want.)
 
 1) One scenario I was thinking of is to add to the radius users file:
 
 DEFAULT Pool-Name == numbers, Ldap-Group == cn=GroupNumbers,ou=Groups,o=Polarion
   Fall-Through = no
 
 DEFAULT NAS-Port-Type == letters, Ldap-Group == cn=GroupLetters,ou=Groups,o=Polarion
   Fall-Through = no
 
 But what do I need to add to the ldap configuration part in order to make it
 work?
 
 Thanks very very much for help!
 
 Regards,
 
 David
   On Wed, Apr 2, 2008 at 12:13 PM, Ivan Kalik [EMAIL PROTECTED] wrote:

  So if I understand correctly, I need to name and configure ip pool parts in
  radius.conf and then use this name as the Pool-Name in LDAP?
 
  Yes.
 
  Is there a chance to specify the range directly in LDAP and not in ip pool?
 
  No, but there is sqlippool. Or use DHCP on your NAS. Or define IP pools
  on the NAS and select them with Framed-Pool if your NAS supports it.
  Cisco doesn't but you can set IP pool with avpairs.
 
  Ivan Kalik
  Kalik Informatika ISP
 
 



Re: frammed ip adress

2008-04-02 Thread David Hláčik
Thanks Ivan!

So if I understand correctly, I need to name and configure ip pool parts in
radius.conf and then use this name as the Pool-Name in LDAP? Is there a
chance to specify the range directly in LDAP and not in ip pool?

Thanks!

D.

2008/3/26 Ivan Kalik [EMAIL PROTECTED]:

 Pool-Name. Have a look at ippool section of radiusd.conf.

 Ivan Kalik
 Kalik Informatika ISP


 On 25/3/2008, David Hláčik [EMAIL PROTECTED] wrote:

 Hi, in my working solution I have pptp (vpn) configured with radius using
 LDAP.
 Each user has a Framed-IP-Address value which assigns him an exact IP
 address.
 
 Currently I am rebuilding the LDAP structure into groups, and I want the users
 which will be members of group foo to have dynamically assigned IP
 addresses from the pool 10.123.40.0/255.255.255.0. How can I achieve this?
 Which radius attributes should I use?
 
 Thanks a lot!
 
 



WPA enterprise

2008-03-29 Thread David Hláčik
Hi, I have a working freeradius mschap ldap configuration; I am using it for
pptpd (VPN server) to authenticate against freeradius with LDAP.
The Windows VPN client can connect to our company network and use it.

Next I want to add user/password auth to our WiFi (based on a Dlink AP with
radius support). We are currently using a WPA pre-shared key. I want to use
WPA Enterprise with LDAP authentication (providing username and password)
without the need to install any certificate on Windows.

First, to make it clear: how do I achieve it? I mean exactly which
protocol I need to use and how it works (some shortcut to such a howto).

How do I arrange to use the same freeradius for the currently working VPN and
for my plan to do WPA Enterprise?

Thanks in advance!

David

Re: WPA enterprise

2008-03-29 Thread David Hláčik
Hi, I forgot to mention that passwords in LDAP are stored in plaintext.

Thanks!

David.

On Sun, Mar 30, 2008 at 2:14 AM, David Hláčik [EMAIL PROTECTED] wrote:

 Hi, I have a working freeradius mschap ldap configuration; I am using it for
 pptpd (VPN server) to authenticate against freeradius with LDAP.
 The Windows VPN client can connect to our company network and use it.
 
 Next I want to add user/password auth to our WiFi (based on a Dlink AP with
 radius support). We are currently using a WPA pre-shared key. I want to use
 WPA Enterprise with LDAP authentication (providing username and password)
 without the need to install any certificate on Windows.
 
 First, to make it clear: how do I achieve it? I mean exactly which
 protocol I need to use and how it works (some shortcut to such a howto).
 
 How do I arrange to use the same freeradius for the currently working VPN and
 for my plan to do WPA Enterprise?

 Thanks in advance!

 David


Re: NTLM in MSCHAP

2008-03-25 Thread David Hláčik
Hi, I've got back to the problem:
as I mentioned, I have plaintext-stored passwords (attribute UserPassword) in
LDAP, and I want to change them to crypt or MD5. MSCHAP needs NT-Password;
which is the best way to solve it? I do not want to store the NT-Password value
in LDAP, or is there no other choice? What about that ntlm_auth: will it
create NT from crypt and send it to mschap?

Thanks in advance!

David

2008/3/5 Alan DeKok [EMAIL PROTECTED]:

 David Hláčik wrote:
  Hi, I have a working configuration of PPTPD (Windows VPN) through Radius
  to LDAP-stored users. The thing is that it accepts only plaintext-stored
  passwords in LDAP, because of the very well known NT-Password for
  MSCHAPv2
 ...
  Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss
  --challenge=09c34801a6bafab3
  --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
 
  Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)

  That's an error from winbindd.  Does ntlm_auth work from the command
 line?

 http://deployingradius.com/documents/configuration/active_directory.html

  If not, don't bother trying FreeRADIUS until ntlm_auth works from the
 command-line.

  Alan DeKok.


frammed ip adress

2008-03-25 Thread David Hláčik
Hi, in my working solution I have pptp (vpn) configured with radius using
LDAP.
Each user has a Framed-IP-Address value which assigns him an exact IP
address.

Currently I am rebuilding the LDAP structure into groups, and I want the users
which will be members of group foo to have dynamically assigned IP
addresses from the pool 10.123.40.0/255.255.255.0. How can I achieve this?
Which radius attributes should I use?

Thanks a lot!

NTLM in MSCHAP

2008-03-04 Thread David Hláčik
Hi, I have a working configuration of PPTPD (Windows VPN) through Radius to
LDAP-stored users. The thing is that it accepts only plaintext-stored
passwords in LDAP, because of the very well known NT-Password for MSCHAPv2.

I figured out there is an option to make it work with ntlm_auth in the mschap
configuration in radius.

But when I enable it:

#with_ntdomain_hack = yes

# The module can perform authentication itself, OR
# use a Windows Domain Controller.  This configuration
# directive tells the module to call the ntlm_auth
# program, which will do the authentication, and return
# the NT-Key.  Note that you MUST have winbindd and
# nmbd running on the local machine for ntlm_auth
# to work.  See the ntlm_auth program documentation
# for details.
#
# Be VERY careful when editing the following line!
#
ntlm_auth = "/usr/bin/ntlm_auth --request-nt-key --username=%{Stripped-User-Name:-%{User-Name:-None}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}"
}

I am getting the following error:

  rad_check_password:  Found Auth-Type MS-CHAP
auth: type MS-CHAP
  Processing the authenticate section of radiusd.conf
modcall: entering group MS-CHAP for request 1
  rlm_mschap: Told to do MS-CHAPv2 for boss with NT-Password
radius_xlat: Running registered xlat function of module mschap for string 'Challenge'
 mschap2: 6b
radius_xlat: Running registered xlat function of module mschap for string 'NT-Response'
radius_xlat:  '/usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301'
Exec-Program: /usr/bin/ntlm_auth --request-nt-key --username=boss --challenge=09c34801a6bafab3 --nt-response=e9aa9365702850c20847566b84c4c729efbac9d014ff1301
Exec-Program output: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)
Exec-Program-Wait: plaintext: NT_STATUS_CANT_ACCESS_DOMAIN_INFO (0xc0da)
Exec-Program: returned: 1
  rlm_mschap: External script failed.
  rlm_mschap: FAILED: MS-CHAP2-Response is incorrect
  modcall[authenticate]: module mschap returns reject for request 1

But I am not sending a domain through the VPN connection (I have it clear). I
have also tried #with_ntdomain_hack = yes, but without result.

Please help me,

David

radius ldap tls

2007-12-16 Thread David Hláčik
Hi to all,
I am finding this in my radiusd.log on CentOS 5.1:

Sun Dec 16 14:45:04 2007 : Error: rlm_ldap: could not set
LDAP_OPT_X_TLS_REQUIRE_CERT option to allow

In radiusd.conf I have use_tls set to off; my LDAP server (OpenLDAP) is
configured with TLS support and set to not require a certificate from the
client.

Where could the problem be?

Thanks.

David