RE: How to accept RADIUS traffic on multiple interfaces?
Also don't forget to disable (or modify) SELinux. If memory serves, RHEL 6 comes with that enabled by default as well.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Matteo Vocale
Sent: Wednesday, August 14, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: How to accept RADIUS traffic on multiple interfaces?

> Before running radius in debug mode, try "iptables -F" with root privileges; it disables the iptables default rules.
>
> Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 14/08/13 15:07, Kurt Hillig wrote:
>>> But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 - tcpdump shows it coming in, but radiusd -X shows no indication of this traffic (but is reporting all of the traffic on eth0).
>>
>> If radiusd -X isn't reporting *anything*, then it's not reaching FreeRADIUS, which means some part of the network stack is dropping it.
>>
>> If you're sure your iptables are correct, google "linux log martians" and "linux rp filter". RHEL6 has different defaults to previous RHEL versions in this regard.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
RE: How to accept RADIUS traffic on multiple interfaces?
One other thing with multiple interfaces: RHEL 6 comes with some anti-spoofing features in the kernel enabled by default. I'm afraid I forget exactly what they are, but the idea is this:

If the kernel gets a packet from HostA on eth1, but the routing table says that the return path to HostA is via eth0, the kernel will drop the packet.

If you have this case, you have two choices:

1) Make sure that requests come IN the same interface that will send the replies.
2) Turn off the anti-spoofing features in the kernel.

There's also the third option in which you create separate routing tables for each interface (plus the master routing table for sessions initiated outbound). It's a pretty big hammer, but has other advantages for multi-homed systems. Write back to me off-list if you want to go that route (pardon the pun).

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Matteo Vocale
Sent: Wednesday, August 14, 2013 2:32 PM
To: FreeRadius users mailing list
Subject: Re: How to accept RADIUS traffic on multiple interfaces?

> Before running radius in debug mode, try "iptables -F" with root privileges; it disables the iptables default rules.
>
> Phil Mayers p.may...@imperial.ac.uk wrote:
>
>> On 14/08/13 15:07, Kurt Hillig wrote:
>>> But radiusd isn't seeing any of the inbound RADIUS traffic on eth1 - tcpdump shows it coming in, but radiusd -X shows no indication of this traffic (but is reporting all of the traffic on eth0).
>>
>> If radiusd -X isn't reporting *anything*, then it's not reaching FreeRADIUS, which means some part of the network stack is dropping it.
>>
>> If you're sure your iptables are correct, google "linux log martians" and "linux rp filter". RHEL6 has different defaults to previous RHEL versions in this regard.
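An added diagnostic for the asymmetric-routing drop described in the two messages above (my example, not code from the thread): it reads the rp_filter and log_martians sysctls the way the kernel combines the conf/all and per-interface values, reports whether requests arriving on one interface with replies leaving via another will be dropped before radiusd sees them, and emits the sysctl lines that loosen the check. The /proc/sys/net/ipv4/conf layout is recreated in a temporary directory with constructed values so it runs anywhere; on a real host, point the functions at /proc/sys/net/ipv4/conf.

```python
import tempfile
from pathlib import Path

# Constructed mirror of /proc/sys/net/ipv4/conf/<iface>/{rp_filter,log_martians}.
# rp_filter: 0 = off, 1 = strict (drop if the best route back to the source does not
# leave via the interface the packet arrived on), 2 = loose (drop only if the source
# is unreachable via any interface).

def _read_int(base, iface, key):
    path = Path(base) / iface / key
    return int(path.read_text().strip()) if path.exists() else 0

def effective_rp_filter(base, iface):
    """The kernel uses max(conf/all/rp_filter, conf/<iface>/rp_filter) for <iface>,
    so a per-interface 0 is overridden by conf/all = 1."""
    return max(_read_int(base, "all", "rp_filter"), _read_int(base, iface, "rp_filter"))

def martians_logged(base, iface):
    """log_martians is on if either conf/all or conf/<iface> sets it; when it is on,
    RPF drops appear in the kernel log as 'martian source' lines, which is the
    quickest confirmation that this is what is eating the packets."""
    return bool(_read_int(base, "all", "log_martians") or _read_int(base, iface, "log_martians"))

def rpf_report(base):
    """{iface: (effective rp_filter, martians logged)} for every real interface."""
    report = {}
    for d in sorted(Path(base).iterdir()):
        if d.is_dir() and d.name not in ("all", "default"):
            report[d.name] = (effective_rp_filter(base, d.name), martians_logged(base, d.name))
    return report

def asymmetric_drop(base, ingress, egress):
    """True when RADIUS requests arriving on `ingress` are dropped by the stack:
    the route back to the client leaves via `egress` and strict RPF is in force
    on `ingress`. tcpdump still shows the packets; radiusd -X never does."""
    return ingress != egress and effective_rp_filter(base, ingress) == 1

def loosen_rpf(base, ingress):
    """sysctl.conf lines that move `ingress` from strict to loose mode. conf/all has
    to be lowered as well, otherwise the max() rule keeps strict mode in force;
    because of that same rule, setting all = 2 makes every interface loose."""
    lines = []
    if _read_int(base, "all", "rp_filter") == 1:
        lines.append("net.ipv4.conf.all.rp_filter = 2")
    if _read_int(base, ingress, "rp_filter") == 1:
        lines.append(f"net.ipv4.conf.{ingress}.rp_filter = 2")
    if not martians_logged(base, ingress):
        lines.append(f"net.ipv4.conf.{ingress}.log_martians = 1")
    return lines

def build_fixture(base, settings):
    """Write a constructed conf/ tree; settings = {iface: {key: value}}."""
    for iface, keys in settings.items():
        (Path(base) / iface).mkdir(parents=True, exist_ok=True)
        for key, value in keys.items():
            (Path(base) / iface / key).write_text(f"{value}\n")

def demo():
    """Constructed scenario from the thread: the default route is on eth0, RADIUS
    clients send to eth1, and conf/all/rp_filter is strict (the RHEL 6 style default)."""
    with tempfile.TemporaryDirectory() as base:
        build_fixture(base, {
            "all":  {"rp_filter": 1, "log_martians": 0},
            "eth0": {"rp_filter": 1, "log_martians": 0},
            "eth1": {"rp_filter": 0, "log_martians": 0},  # per-interface 0 is not enough
        })
        return {
            "report": rpf_report(base),
            "eth1_dropped": asymmetric_drop(base, "eth1", "eth0"),
            "fix": loosen_rpf(base, "eth1"),
        }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Loose mode still rejects sources that are unreachable via any interface, so it keeps most of the anti-spoofing value while allowing the multi-homed case; the per-interface routing tables mentioned above are the alternative if strict mode must stay.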
redundant-load-balance
From 'man unlang' I see this:

    redundant-load-balance {
        ldap1   # 50%, unless ldap2 is down, then 100%
        ldap2   # 50%, unless ldap1 is down, then 100%
    }

I clearly don't know what I'm doing when it comes to defining these modules. If I have just "ldap" in there, it works. raddb/modules/ldap exists and is configured correctly. However, when I do this in my raddb/sites-enabled/FOO:

    authorize {
        ...
        redundant-load-balance {
            ldap1
            ldap2
            ldap3
        }
        ...
    }

I get the following errors from radiusd -XC:

    /etc/raddb/sites-enabled/campus-main[179]: Failed to load module ldap1.
    /etc/raddb/sites-enabled/campus-main[179]: Failed to parse ldap1 entry.
    /etc/raddb/sites-enabled/campus-main[70]: Errors parsing authorize section.

I tried copying modules/ldap to modules/ldap1, but that didn't work. Also changed the ldap { ... } in modules/ldap1 to ldap1 { ... }. No help there. This must be some syntactical aliasing that I haven't set up. What am I missing?

For now, ldap1, ldap2, and ldap3 can all be identical (for testing). As it happens, they point to ldap.missouri.edu at the moment, which is itself a DNS round robin. My plan is that if it fails on the first attempt, it should attempt at least two more times, likely hitting different real servers before actually failing.

Thoughts?

Thanks!

--J
RE: redundant-load-balance
Yup. That was it. Thanks to both of you who replied. :)

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Arran Cudbard-Bell
Sent: Friday, August 24, 2012 12:31 PM
To: FreeRadius users mailing list
Subject: Re: redundant-load-balance

>> Thoughts?
>
>     ldap ldap1 {
>         ldap config
>     }
>
>     ldap ldap2 {
>         ldap config
>     }
>
>     ldap ldap3 {
>         ldap config
>     }
>
> -Arran
RE: redundant-load-balance
Okay, new related question. I have these working:

    ldap ldap1 { ... }
    ldap ldap2 { ... }
    ldap ldap3 { ... }

Is there an $INCLUDE syntax for modules (is it perhaps just "$INCLUDE ./file") that will load ./file in the current context that I can use so that ldap1, ldap2, and ldap3 can share all of their common settings? At the moment, I just have them all duplicated, which works, but doesn't scale well.

Thanks again!

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Omri Bahumi
Sent: Friday, August 24, 2012 12:37 PM
To: FreeRadius users mailing list
Subject: Re: redundant-load-balance

>> I get the following errors from radiusd -XC:
>>
>>     /etc/raddb/sites-enabled/campus-main[179]: Failed to load module ldap1.
>>     /etc/raddb/sites-enabled/campus-main[179]: Failed to parse ldap1 entry.
>>     /etc/raddb/sites-enabled/campus-main[70]: Errors parsing authorize section.
>>
>> I tried copying modules/ldap to modules/ldap1, but that didn't work. Also changed the ldap { ... } in modules/ldap1 to ldap1 { ... }. No help there. This must be some syntactical aliasing that I haven't set up. What am I missing?
>>
>> For now, ldap1, ldap2, and ldap3 can all be identical (for testing). As it happens, they point to ldap.missouri.edu at the moment, which is itself a DNS round robin. My plan is that if it fails on the first attempt, it should attempt at least two more times, likely hitting different real servers before actually failing.
>
> You need to create another instance of ldap. See here: http://wiki.freeradius.org/Rlm_ldap#Group-Support
>
> "In other words if in radiusd.conf we configure an ldap module instance like:
>
>     ldap myname {
>         [...]
>     }"
>
> Change ldap { ... } to ldap ldap1 { ... } and it should solve your issue.
>
> Good luck,
> Omri.
redundant load balancing and mschap
Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one listed in /etc/samba/smb.conf (which may be a coincidence).

I set up several mschap instances like so:

    mschap mschap1 {
        ...
        ntlm_auth -s /etc/samba/radius.smb1.conf
    }

    mschap mschap2 {
        ...
        ntlm_auth -s /etc/samba/radius.smb2.conf
    }

    mschap mschap3 {
        ...
        ntlm_auth -s /etc/samba/radius.smb3.conf
    }

I also disabled all PAP, CHAP, and references to mschap in all virtual servers listed in sites-enabled. There is currently no mschap { ... } section in modules/mschap.

Added this to sites-enabled/campus-inner-tunnel where mschap was before:

    redundant-load-balance {
        mschap1
        mschap2
        mschap3
    }

Authentication *works*, but all authentications go to the same DC (the one specified in mschap2). Running radiusd -X shows that all mschap1/2/3 instances are being called, and no authentication *attempts* are being sent to the other two domain controllers. (1 and 3 aren't failing. They just aren't *tried*.)

Am I going about this all the wrong way? Is this a known limitation in Samba? Is there something about ntlm_auth that always references /etc/samba/smb.conf, regardless of the -s option?

Comments and criticisms welcome.

--J
RE: redundant load balancing and mschap
Alan D. and Alan B. are correct. Whatever this is, it isn't FreeRADIUS that isn't behaving. Radiusd -XC shows that pretty conclusively.

At this point, if any of you are using Samba/ntlm_auth to handle the back-end authentication for FreeRADIUS, your advice is welcome, but it's definitely a Samba issue at this point. (Possibly even a Kerberos issue, though the way Samba does Kerberos is a little... odd...)

Fortunately, the only Samba-related daemons actually running on my FR host are the two instances of winbindd. Smbd and nmbd are not in the process list. (Actually, my server admins have been doing their jobs. There isn't much in the process list AT ALL. But I digress...)

Attempts to use the -s option with ntlm_auth to force the "password server" option in smb.conf to vary have failed. Setting multiple servers in the main smb.conf is an option:

    password server = server1 server2 server3

...however, ntlm_auth doesn't seem to use them. For whatever reason, it seems to always talk to server1, even when only server2 is listed in any config file I can find. Queries to domain controllers on port 3269 DO seem to round-robin, though I couldn't tell you why for sure.

Any advice is welcome, though technically off-topic at this point. I'm going to have to hack on Samba until it gives me what I want.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of alan buxey
Sent: Friday, August 24, 2012 3:59 PM
To: FreeRadius users mailing list
Subject: Re: redundant load balancing and mschap

> Hi,
>
>> Authentication *works*, but all authentications go to the same DC (the one specified in mschap2). Running radiusd -X shows that all mschap1/2/3 instances are being called, and no authentication *attempts* are being sent to the other two domain controllers. (1 and 3 aren't failing. They just aren't *tried*.)
>
> I would advise to increase debugging in smbd/winbindd and for ntlm_auth. Also check your samba and kerberos configs to see how you are querying the KDC - are you specifying particular names? It could be that your client did a DNS lookup, cached that answer and doesn't want to use anything else - a few entries in /etc/hosts might be in order.
>
> alan
RE: redundant load balancing and mschap
The underlying problem is that I have four production RADIUS servers that all seem to choose the same domain controller, which is not only a lot of load, but it's a bad idea in terms of fault tolerance. I may try just making each server choose a separate DC as its default, for starters, which would get me most of the way there.

The wireless controllers that authenticate against the RADIUS servers *themselves* round-robin among the RADIUS servers, so if one of them - or even two of them - were talking to a DC that is down, a given user's machine is likely to re-attempt authentication and succeed eventually. We'd hear a lot of complaints that getting on wireless is slow, but things would *work*.

Anyway, thanks for the insight. I'll keep banging on it. If I get an elegant - or at least *stable* - configuration, I'll post something about it here.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: redundant load balancing and mschap

> On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
>> Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one
>
> This is indeed a Samba issue, and unfortunately a hard one to fix.
>
> ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket to winbind. Winbind maintains a *single* open session to a DC, and sends all the domain RPCs down this pipe. Winbind discovers the DC from the AD subnet/site queries and builds an app-specific kerberos config that will show you this - see /var/lib/samba/smb_krb5/krb5.conf.DOMNAME
>
> If you want to force connections to separate domain controllers, you'll need separate smbd/winbindd instances running, with their own unix sockets and smb.conf setups.
>
> This will probably be hard, and fragile. My advice - don't, unless you really really need to.
RE: redundant load balancing and mschap
Because there are so many files (pipes, actual files, etc.) whose locations are hard-coded into winbind, the only way to even begin to try to run multiple instances of winbind would be through chroot-ed setups, which would probably mean that ntlm_auth would also have to run in the same chroot-ed environment in order to locate the correct pipe. Messy.

And that's still assuming that I can force a given instance of winbind to talk to the DC I want. Need to start from that angle and see where I get.

--J

-----Original Message-----
From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Phil Mayers
Sent: Friday, August 24, 2012 4:23 PM
To: freeradius-users@lists.freeradius.org
Subject: Re: redundant load balancing and mschap

> On 08/24/2012 08:11 PM, McNutt, Justin M. wrote:
>> Grrr... This is probably a Samba issue - a known one? - but I can't seem to get AD authentications to hit multiple DCs. Everything goes to the one
>
> This is indeed a Samba issue, and unfortunately a hard one to fix.
>
> ntlm_auth doesn't talk over the network - rather, it talks over a Unix socket to winbind. Winbind maintains a *single* open session to a DC, and sends all the domain RPCs down this pipe. Winbind discovers the DC from the AD subnet/site queries and builds an app-specific kerberos config that will show you this - see /var/lib/samba/smb_krb5/krb5.conf.DOMNAME
>
> If you want to force connections to separate domain controllers, you'll need separate smbd/winbindd instances running, with their own unix sockets and smb.conf setups.
>
> This will probably be hard, and fragile. My advice - don't, unless you really really need to.
Re: RHEL Patches Broke FreeRADIUS
... *facepalm*

Yeah, that'd do it. Much easier than what I was doing.

Thanks, Alan. :)

--J

From: Alan DeKok al...@deployingradius.com
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Sat, 3 Mar 2012 09:14:31 +0100
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re: RHEL Patches Broke FreeRADIUS

> McNutt, Justin M. wrote:
>> I'd like to tackle this from the FreeRADIUS side rather than by reconfiguring rpm because I can think of other reasons why some idio^H^H^H^H well-meaning admin might stick a test file in there without realizing that it causes problems. Switching to a site-specific module name (or some other method that allows FR to ignore the extra files) would prevent any such scenario.
>
> The modules directory is just a convention. It can be changed. Instead, put the modules into raddb/missouri/ :)
>
> Change radiusd.conf to edit "$INCLUDE modules/" to "missouri/"
>
> And the problem will go away.
>
> Alan DeKok.
Re: Re[2]: High Avaibility
Be careful with load balancers too. Some NAS don't work well through a load balancer (Trapeze wireless controllers).

--J

From: Толик Шавловский tolik_shavlov...@mail.ru
Reply-To: Толик Шавловский tolik_shavlov...@mail.ru, FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 1 Mar 2012 17:52:29 +0400
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Re[2]: High Avaibility

> Hi, if your NAS does not support 2 radius servers you can use a load balancer (e.g. Fortinet).
>
> 01 March 2012, 15:37, from Phil Mayers p.may...@imperial.ac.uk:
>
>> On 01/03/12 10:16, Anto wrote:
>>> Hello
>>>
>>> In the coming days I will set up a freeradius server for access control and accounting. I've been looking for information on freeradius and high availability, since my idea is to have two servers in case one fails, continue to operate with the other, but I just found information. So I turn to the list, in case I can recommend someone with experience on stage. I do not know if it is feasible to have a server as master and one slave, when the main falls, the other up the interface. If there is some kind of balancer radius and use both servers, etc.
>>
>> This is a very vague question. You're going to get a lot of either too-vague or too-specific answers.
>>
>> A few things you need to specify:
>>
>> 1. When you say "high availability" what are you hoping to achieve?
>> 2. How long can you tolerate an unscheduled outage for? 1 second or 60?
>> 3. Do your RADIUS servers talk to external data sources (SQL, LDAP)?
>> 4. Do you care about load-balancing, or just high-availability?
>>
>> I'll make a few comments:
>>
>> Most NASes support 2 (or more) RADIUS servers, and will fail over when they detect an outage. For resilience, you just need to build two RADIUS servers on different IPs, and specify these in your NAS.
>>
>> You don't need a load-balancer or other complications, and they will just make things less reliable.
>>
>> Making redundant RADIUS servers is easy; you just build two machines, and run FreeRADIUS on each with the same config. The hard bit is replicating any data sources between them (LDAP, SQL) and handling writes such as accounting packets into SQL, SQL session counters, and so on.
>>
>> You need to be more specific about what you're doing and what you want to achieve.
RHEL Patches Broke FreeRADIUS
So my server admins did what they're supposed to do and ran "yum update" on everything last weekend. The updates included a refresh of the freeradius2 packages that took FR from 2.1.7 to 2.1.12.

That's all fine and dandy, except that what rpm does when it has config files that are part of a package - like /etc/raddb/modules/ldap - and those config files exist on your system already AND those config files have changed, is that it renames the new one to blah.rpmnew. This created a nasty problem. Now I have an /etc/raddb/modules/ldap and an /etc/raddb/modules/ldap.rpmnew, both of which define how ldap { } is supposed to work. Same thing happened to the mschap module.

SO...

The way I avoided this problem in the $RADDB/certs and $RADDB/sites-available directories is that I'm not using the default filenames in the first place. My certs are not named ca.pem and server.pem and so on. I'm not using the "default" or "inner-tunnel" virtual server definitions. I copied them to site-specific names and used THOSE, so I get the benefit of the sanity of the built-in virtual server definitions (not to mention an unsullied copy for contrast), but rpm doesn't screw me up.

The $RADDB/modules directory doesn't seem to work that way. I can't just do "cp ldap ldap-site" and call ldap-site from my virtual server instead of ldap. I also can't leave it the way it is (stock) because rpm is going to come along and put another ldap.rpmnew file in there. I can't not patch FR because my predecessor went down that road and that's why he's not in charge of the RADIUS servers any more.

Ideas?

I'd like to tackle this from the FreeRADIUS side rather than by reconfiguring rpm because I can think of other reasons why some idio^H^H^H^H well-meaning admin might stick a test file in there without realizing that it causes problems. Switching to a site-specific module name (or some other method that allows FR to ignore the extra files) would prevent any such scenario.

Thx!

--J
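An added check written for this page (my example, not code from the thread or from the FreeRADIUS project): a small parser over a raddb/modules directory that spots both failure modes discussed above, an instance defined twice because rpm left ldap.rpmnew beside ldap, and a redundant-load-balance block in the "redundant-load-balance" thread naming an instance that no file defines ("Failed to load module ldap1"). The constructed files are created in a temporary directory; that the shared settings can be pulled in with "$INCLUDE" inside a module section is an assumption of the fixture, not something the thread confirms.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Top-level section header in a raddb/modules file: "<type> {" or "<type> <instance> {".
HEADER = re.compile(r"^([A-Za-z_][\w-]*)(?:\s+([A-Za-z_][\w-]*))?\s*\{$")
NAME = re.compile(r"[\w-]+")
# unlang blocks whose bare-word children are resolved by module instance name.
REF_BLOCKS = {"redundant", "load-balance", "redundant-load-balance", "group"}

def _code_lines(text):
    """Lines with '#' comments and surrounding whitespace stripped, blanks dropped."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def module_instances(text):
    """[(instance, type)] for every top-level section: 'ldap { }' is instance 'ldap'
    of type ldap, 'ldap ldap1 { }' is instance 'ldap1' of type ldap."""
    found, depth = [], 0
    for line in _code_lines(text):
        m = HEADER.match(line)
        if depth == 0 and m:
            found.append((m.group(2) or m.group(1), m.group(1)))
        depth += line.count("{") - line.count("}")
    return found

def scan_modules_dir(path):
    """instance -> [(file, type)] over every file, .rpmnew included, because the
    '$INCLUDE modules/' directive in radiusd.conf reads every file in the directory."""
    defs = defaultdict(list)
    for f in sorted(Path(path).iterdir()):
        if f.is_file():
            for name, mtype in module_instances(f.read_text()):
                defs[name].append((f.name, mtype))
    return dict(defs)

def duplicate_instances(defs):
    """Instances defined in more than one file (the ldap + ldap.rpmnew case)."""
    return {n: v for n, v in defs.items() if len(v) > 1}

def referenced_modules(unlang):
    """Bare instance names listed inside redundant/load-balance style blocks."""
    refs, stack = set(), []
    for line in _code_lines(unlang):
        if line.startswith("}"):
            stack.pop()
        if line.endswith("{"):
            m = HEADER.match(line)
            stack.append(m.group(1) if m else "?")   # "?" for if/elsif/else blocks
        elif stack and stack[-1] in REF_BLOCKS and NAME.fullmatch(line):
            refs.add(line)
    return refs

def unresolved_references(defs, unlang):
    """Names that would produce 'Failed to load module <name>' at radiusd -XC."""
    return sorted(r for r in referenced_modules(unlang) if r not in defs)

def demo():
    """Constructed raddb/modules tree reproducing both threads: the upgrade left
    ldap.rpmnew beside ldap, and the site references ldap1..ldap3 but only ldap1
    and ldap2 are defined (hostnames are placeholders)."""
    files = {
        "ldap": 'ldap {\n\tserver = "ldap.example.edu"\n}\n',
        "ldap.rpmnew": 'ldap {\n\tserver = "ldap.example.edu"\n}\n',
        "ldap-site": "ldap ldap1 {\n\t$INCLUDE ldap-common\n}\nldap ldap2 {\n\t$INCLUDE ldap-common\n}\n",
        "mschap": "mschap {\n\tuse_mppe = yes\n}\n",
    }
    site = """
    authorize {
        preprocess
        redundant-load-balance {
            ldap1
            ldap2
            ldap3
        }
        pap
    }
    """
    with tempfile.TemporaryDirectory() as d:
        for name, body in files.items():
            (Path(d) / name).write_text(body)
        defs = scan_modules_dir(d)
    return {"duplicates": duplicate_instances(defs),
            "unresolved": unresolved_references(defs, site)}

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```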
Am I still subscribed?
Mailing list seems to be having problems. Checking to see if it's just me.

--J
Re: Multi-domain AD and Users Who Aren't So Bright
I'm not sure why, then, but it actually does work. We have shown that with the client configured to use u...@e.mail.address (where e.mail.address is NOT the same as the AD domain), if I have FR look for 'e.mail.address' and translate it to the correct NT domain, authentication succeeds.

The user name must not be part of the crypto calculation or it would fail. I've been able to correct all kinds of things in the user name and set the domain manually to whatever I want. As long as I supply the correct password on the client side to what I happen to know the RADIUS server has mapped my ID to, authentication is successful.

--J

From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 3 Feb 2012 12:48:30 +
To: freeradius-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

> On 02/02/2012 05:33 PM, NdK wrote:
>> Il 02/02/2012 13:35, McNutt, Justin M. ha scritto:
>>>> Thoughts? Opinions? Better ways to accomplish any/all of this?
>>>
>>> Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct DOM\user format.
>>
>> Or make 'em use their institutional email address. Easier to remember :)
>
> This doesn't work, unless username == email local part.
>
>> Seems trivial but it might not be. At least in our case we have 3 kinds of email addresses, referring to 2 domains. And the name before the '@' sign might not be the same as the sAMAccountName.
>
> Exactly. And this name is mixed into the challenge/response.
>
> If you try to use email addresses, the client will calculate:
>
>     response = crypto(challenge, e.m...@domain.com, password)
>
> Let's assume you map email -> username on your radius servers:
>
>     Real-Username = some_lookup(User-Name)
>
> ...and you then call ntlm_auth, this basically asks the domain controllers:
>
>     is_valid(Real-Username, challenge, response)
>
> The domain controllers do this:
>
>     expected_response = crypto(challenge, samaccountname, stored_password)
>     if response != expected_response:
>         error
>     else
>         success
>
> See the problem? The domain controller performs its crypto calculation on the samaccountname. The client performs its crypto on the email addresses. The results differ, and authentication fails.
>
> Basically, usernames != email address, unless you MAKE them the same.
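As an added example (my code, not from the thread), the RFC 2759 ChallengeHash that binds the user name into an MS-CHAPv2 exchange, and the two verification paths the two messages above contrast: one where the 8-byte challenge is computed from the name the client sent and the account name is only used to look up the NT hash, and one where a verifier rebuilds the challenge from the account name it looked up. That rlm_mschap hashes the client's own (domain-stripped) User-Name before handing "--challenge" to ntlm_auth is an assumption of this example, marked in the comments; the DES step that turns the challenge into the NT-Response is not implemented here.

```python
import hashlib

def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes, username: str) -> bytes:
    """RFC 2759 section 8.2: the 8-byte challenge the NT-Response is computed over is
    SHA-1(PeerChallenge || AuthenticatorChallenge || UserName)[0:8], so whatever name
    the client typed is bound into the response. The NT-Response itself is three
    DES-ECB operations of the NT password hash over this value (not shown here)."""
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("MS-CHAPv2 challenges are 16 bytes each")
    digest = hashlib.sha1(peer_challenge + authenticator_challenge + username.encode("utf-8")).digest()
    return digest[:8]

def hashed_username(user_name: str) -> str:
    """Name a supplicant feeds into the hash. Assumption for this example: a leading
    DOMAIN\\ is stripped, anything else (including user@realm) is hashed as typed."""
    return user_name.split("\\", 1)[1] if "\\" in user_name else user_name

def ntlm_auth_path(client_user_name: str, mapped_account: str, peer: bytes, auth: bytes):
    """Assumed rlm_mschap/ntlm_auth flow: --challenge carries the 8-byte hash built
    from the client's own User-Name, while --username only selects which account's
    NT hash is used. Returns (challenge, lookup name); rewriting the lookup name
    leaves the challenge untouched."""
    return challenge_hash(peer, auth, hashed_username(client_user_name)), mapped_account

def recompute_path(mapped_account: str, peer: bytes, auth: bytes) -> bytes:
    """The alternative described above: a verifier rebuilds the challenge from the
    sAMAccountName it looked up instead of the name the client used."""
    return challenge_hash(peer, auth, mapped_account)

def paths_disagree(client_user_name: str, mapped_account: str, peer: bytes, auth: bytes) -> bool:
    """True when the two paths produce different 8-byte challenges, i.e. when the
    name rewrite can only succeed under the ntlm_auth path."""
    return ntlm_auth_path(client_user_name, mapped_account, peer, auth)[0] != \
        recompute_path(mapped_account, peer, auth)

# RFC 2759 section 9.2 test vector (UserName "User", expected challenge D02E4386BCE91226).
PEER = bytes.fromhex("21402324255E262A28295F2B3A337C7E")
AUTH = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")

if __name__ == "__main__":
    print(challenge_hash(PEER, AUTH, "User").hex())                  # d02e4386bce91226
    print(paths_disagree("TIGERS\\User", "User", PEER, AUTH))        # False
    print(paths_disagree("user@mail.example", "User", PEER, AUTH))   # True
```

A DOMAIN\user login maps identically under both paths; an e-mail style login only authenticates where the verifier is given the already-hashed challenge rather than recomputing it from the account name.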
Re: Multi-domain AD and Users Who Aren't So Bright
From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 2 Feb 2012 14:09:30 +
To: freeradius-users@lists.freeradius.org
Subject: Re: Multi-domain AD and Users Who Aren't So Bright

> On 02/02/2012 12:35 PM, McNutt, Justin M. wrote:
>> ridiculously large number of phone calls to our Help Desk demonstrate this, not to mention the "Login incorrect" messages from FR. (I built all of my "fix it" stanzas based on actual failed login attempts by users.)
>
> The other option is a single-domain environment. I've no idea of the size of your site, but we do this. It removes a lot of hassle. Obviously, that's probably not a sensible option for you; the disruption of a move would be enormous!

We looked at this. A lot. For these specific reasons. The main problems are political. TECHNICALLY, we could just build a new domain in the existing forest and put everything NEW into that domain, then allow all of the other domains (except two) to fade out through attrition. The two exceptions would be the forest root (which contains no user or computer accounts), and a special domain that contains only retired user accounts (long story) and thus, not my problem.

But we won't do that, because this is a multi-campus university with lots of autonomy issues and wrangling for independence. So we'll have to fight the good fight and make any software we use work in a multi-domain environment as AD was intended to work, regardless of any other practical issues. ;)

>> We've also seen winbind drop out of the domain for no readily apparent reason.
>
> Winbind is also REALLY bad at detecting domain controller failure; it keeps the TCP connection to the chosen DC open, and can take 30 seconds or more to detect failures, and only *then* performs DC re-discovery. Sigh...
>
> Unfortunately, I don't have the time to chase the underlying problems and report them to the Samba guys.

Same here on all counts, though we don't have machines dropping out very often. But these kinds of things are why we have some complicated load balancing and redundancy in front of the RADIUS servers. It's not a failure of FreeRADIUS, but rather the imperfect world that FR lives in.

Plus, in addition to reading through these replies and refining my multi-domain user-ID-fixing implementation, my current FR effort is to make the config more robust and tolerant of server failures. The ldap module is currently configured in a way that depends entirely upon a single domain controller. That's bad. I KNOW there's a way to config FR better than this. I just have to go read more stuff in /usr/share/docs/freeradius.

--J
Re: Multi-domain AD and Users Who Aren't So Bright
>>> Thoughts? Opinions? Better ways to accomplish any/all of this?
>>
>> Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct DOM\user format.
>
> Or make 'em use their institutional email address. Easier to remember :)
> Seems trivial but it might not be. At least in our case we have 3 kinds of email addresses, referring to 2 domains. And the name before the '@' sign might not be the same as the sAMAccountName.
>
> I'm trying (with no luck :( ) to use
>
>     /usr/bin/net ads search -P "(mail=%{User-Name})" sAMAccountName | grep sAMAccountName | sed "s/^[^ ]* //"
>
> (maybe it's possible to do the same without using grep and sed, but it's been just a quick test -- suggestions welcome). Replacement is OK, but it seems secrets.tdb can't be opened :( even if permissions should be OK :-?
>
> A limit of "net ads search" is that it searches only the default (joined) domain, unless you specify another domain controller with -S or -I -- I could easily do that based on the mail domain, but in other setups it could be harder.

A problem I'm having with that is the fact that we outsourced student e-mail (so they can continue to use that account after they graduate). So the password for their e-mail account is not the same as the password for their AD account (possibly).

For the lookup, I'm betting that ldapsearch could be given a filter like

    (|(sAMAccountName=%{User-Name})(exchangeSMTPAliases=%{User-Name}))

that would match any valid SMTP alias, but that's assuming that you're using Exchange and all of the aliases are visible in AD someplace.

Also, I'm finding that the callouts to scripts of any kind to run 'ldapsearch' are fairly slow. I'm working on a way to run 'ldapsearch' daily and pre-populate an Oracle or MySQL database with the data that I want so that FR can look there first, and only go to an 'ldapsearch' script if that fails (maybe). I'm pretty impressed with the way ldapsearch will failover to a second, third, fourth URI given at the command line, but the shell call takes a lot of time as the load ramps up.

--J
Re: Multi-domain AD and Users Who Aren't So Bright
> On 02/01/2012 09:57 PM, McNutt, Justin M. wrote:
>> Thoughts? Opinions? Better ways to accomplish any/all of this?
>
> Briefly, there's probably not much you can do to improve this. If you have such a complex domain environment, you're going to have to write complex policies OR mandate your users always use the correct DOM\user format.

We just finished a many-year span trying to get users to understand and use DOM\user. They don't get it, at least not consistently. A ridiculously large number of phone calls to our Help Desk demonstrate this, not to mention the "Login incorrect" messages from FR. (I built all of my "fix it" stanzas based on actual failed login attempts by users.)

> Couple of things you could do; use SQL to store the mappings rather than hard-code; replace your script with a SQL lookup (use a bulk LDAP dump to populate unqualified user -> domain mapping, nightly).
>
> I guess in an ideal world, Samba would handle any username format that windows itself would handle, and none of this would be necessary e.g. ntlm_auth might output:
>
>     SamAccountName: user
>     NT-Domain: DOM
>     NT_KEY: foobar
>
> ...and FR could populate those. Ideally, ntlm_auth would just take SamAccountName and NT_KEY and figure out the domain for itself (requiring an LDAP lookup, which is cached by winbind if you use wbinfo to do it).
>
> But TBH I think (not sure here) you've crafted a solution that processes usernames windows itself could not; basically you've coded site-specific knowledge into your configs. This is, necessarily, site specific!

That's true. At the login screen, Windows will accept DOM\user or u...@ad.domain.com, but my solution also allows for DOM/user and users@valid.email.address and just "user", plus anything else I feel makes sense to a human, and thus deserves to be accepted by the computer.

> tl;dr - from what I can see, that's about as good as you're going to get.

Thanks for the reply. I think so too, for the moment.

I didn't give many details on what the GetDomain.pl script does. At first, I had it set to use "wbinfo --all-domains" to get a list of all valid domains in the forest (weeding out a few things like BUILTIN), and then just iterate through each domain and see if "user" had a SID in that domain. On the one hand, this was wasteful. On the other hand, it was still pretty fast, required no password (aside from the Samba/LDAP configs, which aren't seen at the command line), and winbind cached the results, including the negative results. That caching seemed like a really good idea to me. Sadly, it failed miserably.

In practice, the wbinfo method caused... problems. We aren't exactly sure what it broke, but the test FR server would stop authenticating altogether. When winbind was restarted, it would complain "Cannot find KDC for this domain", which usually means it needs to be removed and re-joined to AD. But even that didn't *quite* fix it. After re-joining and waiting a few minutes, the problem would go away. (Likely, there's some AD policy that was violated that temporarily locked the resource account that Samba and/or FR use for authenticating *themselves* to AD that had to expire.) So wbinfo works from the command line by hand, not so much when scaled up.

So now GetDomain.pl uses ldapsearch. Advantage is it works well and only requires a single lookup per user ID (rather than iterating through anything). Disadvantage is lack of any sort of caching (SQL server for cache might be good here), and the fact that I, personally, find that when I have to include the password in the CLI arguments and the program does not hide them for me in the ps output, I'm a bit disappointed.

So yeah, I'm pretty happy with it so far. We'll see how it scales up when it's done to the production servers. Setting up MySQL and a single table to hold user / domain / TTL cached data wouldn't be difficult, though the politics around here are such that I'll have to ask around a bit about the best way to do that, even if the end result is the same. *sigh* (I can always build it on just the test server and call it a proof of concept, of course)

--J
Multi-domain AD and Users Who Aren't So Bright
So I'm working on a way to Improve the User Experience. I've gotten a LONG way, but now I'm stuck. Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work):

WARNING: This may well be a case of doing it the hard way. If that's the case, feel free to tell me, but it's not for lack of trying to research this via Google, searching archives of this list, etc. Just tell me what I'm doing wrong. I can handle it. ;)

Okay, here goes:

1) I created two custom attributes named My-NT-Domain and My-User-Name and added them to the dictionary file as 3003 and 3004, respectively.

2) I added sections to sites-enabled/my-virt-server in the authorize { like this:

    # Allow host-based authentication for computers in the domain.
    if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
        update request {
            My-User-Name = %{mschap:User-Name}
            My-NT-Domain = %{1}
        }
    }
    # Fix the forward slash.
    elsif ( User-Name =~ /([^\/]+)\/(.+)/ ) {
        update request {
            My-User-Name = %{2}
            My-NT-Domain = %{1}
        }
    }
    # New student e-mail format.
    elsif ( User-Name =~ /([^@]+)@mail.missouri.edu/ ) {
        update request {
            My-User-Name = %{1}
            My-NT-Domain = TIGERS
        }
    }

... and so on.

3) I changed /etc/raddb/modules/mschap to call ntlm_auth like this:

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{%{My-User-Name}:-%{mschap:User-Name}} --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

So at this point, if a user plugs in the correct domain\username stuff, none of the cleanup cases match, so my custom attributes are empty, and the usual %{mschap:xx} variables work fine. If fixes were necessary, the custom attributes take over. All that works fine.

NOW we want to be able to have a user authenticate without specifying a domain. In theory, that's no big deal. If the users NEVER specify a domain at all, I can populate my custom attributes with this:

    if ( ! My-NT-Domain ) {
        update request {
            My-User-Name = %{User-Name}
            My-NT-Domain = `/etc/raddb/bin/GetDomain.pl %{User-Name}`
        }
    }

The GetDomain.pl script does a command-line LDAP search (using ldapsearch) against our AD for %{User-Name}, grabs the dn attribute, matches the AD domain, and returns the NT domain that corresponds. This also works.

NOW, the problem is that if the user DOES specify domain\username correctly, then none of the cleanup cases match, so My-NT-Domain is empty. But since my custom attribute is empty, the Perl script is being called unnecessarily to run the LDAP search.

Solution: I was still thinking about this as I wrote it, and I modified the final check clause (that looks for the total absence of domain hints) and I thought of a way to implicitly resolve the case where the user passes scary characters in the user ID (injection attack) AND the case where the user specified a valid domain\username set of creds at the same time:

    # Check special fix-it cases above.
    # These could probably be done as a single if statement.
    # It was simpler to keep them separate while testing.
    if ( ! My-NT-Domain ) {
        if ( User-Name =~ /^[a-zA-Z0-9]+$/ ) {
            update request {
                My-User-Name = %{User-Name}
                My-NT-Domain = `/etc/raddb/bin/GetDomain.pl %{User-Name}`
            }
        }
    }

This appears to be working. Overall, I give this solution about a B+.

PROS:
- Works in a single forest, multi-domain environment, regardless of any conformity to typical AD domain naming standards.
- Makes authentication SIMPLE for the users.
- The way I wrote the GetDomain script, it always returns DOMAIN or (null) after only a single LDAP query (efficient).
- Combined with judicious use of radiusd -XC provides a simple way to correct common typos.
- Permits computer-based authentication to work again in multi-domain or non-typical-naming cases (where mschap currently fails).
- Still reports the original creds as given by user (in case you still want to report on the cases that needed fixing and resolve the problem at the source, rather than making FR do all the work).
- Limited to this virtual server.

CONS:
- In many cases - like translating col.missouri.edu to UMC-USERS, the fixes are hard-coded. By comparison, changing the / to a \ works for any domain in a single check.
- Doubles (at least) the number of calls to AD in cases where everyone is lazy and leaves out the domain. I.e. an LDAP call to get the domain plus the
Re: Multi-domain AD [Kudos]
Btw, kudos to Alan DeKok and the rest of the FR developers for these FR abilities. The things listed here were INVALUABLE to figuring all of this out without just guessing:

1) radiusd -XC

You just can't live without this. Seriously.

2) radiusd -X

It's there for a reason. Specifically,

3) THIS (from radiusd -X):

    ++? if (User-Name =~ /host\/[^\.]+\.(.+)/ )
    ? Evaluating (User-Name =~ /host\/[^\.]+\.(.+)/) -> FALSE
    ++? if (User-Name =~ /host\/[^\.]+\.(.+)/ ) -> FALSE
    ++? elsif (User-Name =~ /([^\/]+)\/(.+)/ )
    ? Evaluating (User-Name =~ /([^\/]+)\/(.+)/) -> FALSE
    ++? elsif (User-Name =~ /([^\/]+)\/(.+)/ ) -> FALSE

4) and THIS:

    [mschap] Told to do MS-CHAPv2 for tmpid with NT-Password
    [mschap] expand: %{My-User-Name} ->
    [mschap] expand: %{mschap:User-Name} -> tmpid
    [mschap] expand: --username=%{%{My-User-Name}:-%{mschap:User-Name}} -> --username=tmpid
    [mschap] expand: %{My-NT-Domain} ->
    [mschap] expand: %{mschap:NT-Domain} -> testing
    [mschap] expand: --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}} -> --domain=testing

5) and last, but certainly not least, man unlang. It won't read itself, yanno!

It may not be the best way to do it, but it works, and I couldn't have done it without all of these debugging features. It's what my Linux sysadmin calls "awesome sauce".

--J

From: Z mcnu...@missouri.edu
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Wed, 1 Feb 2012 21:57:02 +
To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Subject: Multi-domain AD and Users Who Aren't So Bright

So I'm working on a way to Improve the User Experience. I've gotten a LONG way, but now I'm stuck. Here's the short/long version (all details, without undue explanation or discussion of what I tried that doesn't work):

WARNING: This may well be a case of doing it the hard way. If that's the case, feel free to tell me, but it's not for lack of trying to research this via Google, searching archives of this list, etc. Just tell me what I'm doing wrong. I can handle it. ;)

Okay, here goes:
Re: self-signed root CA
Thanks to all for the responses so far. I'm still reading through them.

In my case, guests are given a WEP key (which just keeps the "Automatically Connect to Open Networks" devices away) and allowed to connect to a guest SSID which has a separate Internet drain, policies, limitations, etc. To get high speed access, you have to take the trouble to get an account and use the EAP-enabled network. Carrot and stick.

But to be clear, I'm not making guests authenticate at all, so that's one nasty problem that is outside of the scope of this particular discussion.

--J

From: Phil Mayers p.may...@imperial.ac.uk
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Fri, 27 Jan 2012 10:07:27 +
To: freeradius-users@lists.freeradius.org
Subject: Re: self-signed root CA

On 01/27/2012 12:29 AM, Christ Schlacta wrote: I've attached android, windows 7, macosx, and ubuntu linux to an eap-tls network using wpa2-eap-tls, which requires client and CA certs. it's no issue once you know what you're doing. the hardest part is the nearly complete lack of documentation for any OS except linux. you're limited to what google provides from various blogs.

"Once you know what you're doing." When guests arrive at your site, they don't want to spend 20 minutes following intricate docs. Especially if their meeting is only 30 minutes. Sure *I* can get any of those systems online in under a minute. The concern is how fast a short-lived guest can get online. Our web-based "staff create a guest account" portal takes only seconds. Walking the user through cert installation takes a lot longer.
Re: self-signed root CA
This is basically what we've decided. Assuming there are no more issues with management, we're going to set up a separate CA for RADIUS that only signs the server certs for the RADIUS servers. Thanks to all for the replies. Very useful!

--J

From: Christ Schlacta li...@aarcane.org
Reply-To: FreeRadius users mailing list freeradius-users@lists.freeradius.org
Date: Thu, 26 Jan 2012 16:25:33 -0800
To: freeradius-users@lists.freeradius.org
Subject: Re: self-signed root CA

Self-signed provides stronger security in most cases. I'm using self-signed here, and distributing a certificate to unmanaged user devices is as easy as placing a p12 file on a USB drive and requiring users to stop by ops before getting on wireless. If you're using a public CA to sign certs, and you're not using TLS authentication (I'm guessing you're not. getting that many certs would be expensive), then anyone can impersonate your network and intercept perceivably protected traffic. this is BAD. Insofar as I know, nearly everyone on this list using certs is using self-signed.

On 1/25/2012 16:08, McNutt, Justin M. wrote: So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than that. If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use? And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it? I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am. Looking forward to your responses, and thanks in advance. --J
self-signed root CA
So I'm getting some pushback in my organization against using a self-signed CA for signing my RADIUS server certs. To make a long story short, I was asked to find out what other people were doing. For my own reasons, I'd like to know slightly more than that.

If you AREN'T using a self-signed CA for your RADIUS server, what made you use another CA, and what CA did you use? And just to be clear, is the consensus still that a self-signed CA is the way to go, assuming that you have a decent way to distribute the CA cert (which we do) to the clients who need to trust it?

I've read /etc/raddb/certs/README and I've done some Googling and everything I find pretty much assumes that you're using a self-signed CA. The README explains briefly why, but my management wants more assurance than that, so here I am.

Looking forward to your responses, and thanks in advance.

--J
RE: FR 2.1.7 Exits for no reason
Well, at the very least, I'm going to START there and see what happens. It's maddening, since it goes for weeks with no problems, and then suddenly two or three will die within hours. :(

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Alan Buxey
Sent: Wednesday, March 09, 2011 3:28 AM
To: FreeRadius users mailing list
Subject: Re: FR 2.1.7 Exits for no reason

hi, 2.1.7 has many little quirks/bugs that caused daemon deaths. 2.1.10 is the answer

alan
FR 2.1.7 Exits for no reason
Hey all,

So the host-based auth stuff is working well now, but we've discovered another problem. We have four FR 2.1.7 servers running on RHEL 5 (fully patched). Every now and then, for no apparent reason, radiusd just stops. It exits with "Exiting normally." to syslog. They don't all exit at the same time. Since there are four of them behind a load balancer, it usually doesn't result in a service outage, and we've been lucky so far that only a couple of them have been down at once. But it's still disconcerting.

The servers tend to all be started within a minute of each other, since I make changes to Server #1, and then use an rsync script to replicate /etc/raddb to the other servers and restart them. So they all start within seconds of one another. This week, Server #3 stopped within about 8 hours of being started (went from 1130 to 1930). Server #1 failed last week at 2330. Server #4 hasn't failed yet. It's very odd.

Any ideas on how I can troubleshoot this?

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183
Do you have a concussion? Ping is NOT a service. You don't need it. Use a real test.
Secondary LDAP server
One of my virtual servers uses LDAP auth. However, it isn't clear to me if modules/ldap can be configured with a secondary LDAP server, should the primary fail to respond. The group that provides the LDAP server can't set up multiple servers behind a load balancer due to cert issues, so I'm looking for a way to add a failover LDAP server to the RADIUS configuration.

What's the easiest/best/recommended way to do something like this? Can modules/ldap be configured this way, or should I create a modules/ldap2 (or similar) and call it somehow?

Suggestions welcome.

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183
Do you have a concussion? Ping is NOT a service. You don't need it. Use a real test.
RE: FR 2.1.7 Exits for no reason
You must realize that "gdb" by itself is an answer that is of very little use. While I am aware that gdb is the GNU Debugger, you have no way of knowing that I do, and you gave no other context or other information that would help me use gdb to gather anything.

So let me be more clear: What EXACTLY do I need to do to get more information about this phenomenon, and under what circumstances do I need to do it, and once I have some output, what should I be looking for in it?

Running production RADIUS servers with strace radiusd -X is probably impractical (and highly insecure), and may even alter the runtime environment such that the fatal event never occurs. I've never observed the failure in either of the two test servers I run, and their configurations are identical, so I must assume that radiusd dies after receiving some sort of improper/unexpected data, or when it gets into some weird state, or other such thing. But it can't be fixed if I can't figure out how to reproduce it. It'll happen eventually, but a server that is no longer running doesn't tell me much either.

How is gdb going to help me figure out why something isn't working any more?

--J

From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Tuesday, March 08, 2011 5:06 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: FR 2.1.7 Exits for no reason

Gdb

From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 04:59 PM
To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org
Subject: FR 2.1.7 Exits for no reason

Hey all,

So the host-based auth stuff is working well now, but we've discovered another problem. We have four FR 2.1.7 servers running on RHEL 5 (fully patched). Every now and then, for no apparent reason, radiusd just stops. It exits with "Exiting normally." to syslog. They don't all exit at the same time. Since there are four of them behind a load balancer, it usually doesn't result in a service outage, and we've been lucky so far that only a couple of them have been down at once. But it's still disconcerting.

The servers tend to all be started within a minute of each other, since I make changes to Server #1, and then use an rsync script to replicate /etc/raddb to the other servers and restart them. So they all start within seconds of one another. This week, Server #3 stopped within about 8 hours of being started (went from 1130 to 1930). Server #1 failed last week at 2330. Server #4 hasn't failed yet. It's very odd.

Any ideas on how I can troubleshoot this?

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183
Do you have a concussion? Ping is NOT a service. You don't need it. Use a real test.
RE: Secondary LDAP server
It's not anywhere in the config files, but I did find where RedHat hid the doc/* files. There's a /usr/share/doc/freeradius-2.1.7/configurable_failover that looks like what I need. Goes into some decent detail, too.

--J

From: freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org [mailto:freeradius-users-bounces+mcnuttj=missouri@lists.freeradius.org] On Behalf Of Gary Gatten
Sent: Tuesday, March 08, 2011 5:17 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: Secondary LDAP server

I'm pretty sure this is discussed, examples, etc in the doc: online and in FR conf files. Sorry I don't have exact location handy, but I'm sure it's there.

From: McNutt, Justin M. [mailto:mcnu...@missouri.edu]
Sent: Tuesday, March 08, 2011 05:02 PM
To: freeradius-users@lists.freeradius.org freeradius-users@lists.freeradius.org
Subject: Secondary LDAP server

One of my virtual servers uses LDAP auth. However, it isn't clear to me if modules/ldap can be configured with a secondary LDAP server, should the primary fail to respond. The group that provides the LDAP server can't set up multiple servers behind a load balancer due to cert issues, so I'm looking for a way to add a failover LDAP server to the RADIUS configuration.

What's the easiest/best/recommended way to do something like this? Can modules/ldap be configured this way, or should I create a modules/ldap2 (or similar) and call it somehow?

Suggestions welcome.

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183
Do you have a concussion? Ping is NOT a service. You don't need it. Use a real test.
RE: mschap with ntlm_auth and Active Directory
    root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd
    NT_STATUS_OK: Success (0x0)
    root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D670F3A6 --password=Pa$$w0rd
    NT_STATUS_OK: Success (0x0)
    root@FREERADIUS:/etc/freeradius# ntlm_auth --username=0024D6650564 --password=Pa$$w0rd
    NT_STATUS_OK: Success (0x0)

The password Pa$$w0rd is set in the Wireless Controller, if that's what you mean by mschap client?

May I suggest two things:

1) I'm assuming that the password is not actually 'Pa$$w0rd', but that string reminds me that certain special characters - the dollar sign is a notable one - are not always handled correctly in password strings. Even if FreeRADIUS is handling it correctly, AD may not, and the wireless controller may not. I suggest setting the password to something simpler. If your password policy requires special characters, use dash, equals, underscore, or dot. I have used passwords with these characters successfully when authenticating via EAP/PEAP through FreeRADIUS and then on through MSCHAPv2 to AD via ntlm_auth. (Same chain as you.)

2) Even if you are confident that your real password's characters are not a problem, re-enter it on the wireless controller, MANUALLY. You may have accidentally entered an unprintable character or a space or some similar thing that causes the password to APPEAR to be correct, when in fact it doesn't match.

--J
RE: mschap with ntlm_auth and Active Directory
I'm using Samba version 3.5.4 and FreeRADIUS Version 2.1.9 on Ubuntu 10.10.

I'm using 3.5.4 and FreeRADIUS 2.1.7. Should be okay.

--J
RE: mschap with ntlm_auth and Active Directory
    Found Auth-Type = MSCHAP
    +- entering group MS-CHAP {...}
    [mschap] Told to do MS-CHAPv1 with NT-Password
    [mschap]expand: --username=%{mschap:User-Name:-None} -> --username=001E52805980
    [mschap] No NT-Domain was found in the User-Name.
    [mschap]expand: %{mschap:NT-Domain} ->
    [mschap]... expanding second conditional
    [mschap]expand: --domain=%{%{mschap:NT-Domain}:-MY.ACTUAL.DOMAIN} -> --domain=MY.ACTUAL.DOMAIN
    [mschap] mschap1: 86
    [mschap]expand: --challenge=%{mschap:Challenge:-00} -> --challenge=86acd2fc97136970
    [mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662
    Exec-Program output: Logon failure (0xc06d)
    Exec-Program-Wait: plaintext: Logon failure (0xc06d)
    Exec-Program: returned: 1
    [mschap] External script failed.
    [mschap] MS-CHAP-Response is incorrect.
    ++[mschap] returns reject
    Failed to authenticate the user.

First things first. When you run this on the command line, what exactly do you get?

    ntlm_auth --request-nt-key \
        --username=001E52805980 \
        --domain=MY.ACTUAL.DOMAIN \
        --challenge=86acd2fc97136970 \
        --nt-response=bc25975c513bb7dc3b2b1068d2ac048fe46e52a840f4f662

(You may need to run FreeRADIUS in debug mode, observe another failure, and then copy the challenge and response values from that *recent* failure in there for this to work. I don't know what the lifetime is on those values. Using the ones from hours ago may not work.)

Second question is, is request-nt-key appropriate in this case? I only ask because I've only ever used ntlm_auth to authenticate Windows hosts directly. In this case, the wireless controller is doing the authentication, and the wireless controller is not a Windows box. Sure, it's using a set of credentials in AD, but that's not exactly the same. The *Windows* box is not doing the authentication. The *controller* is.

--J
RE: mschap with ntlm_auth and Active Directory
I am trying to setup freeRadius to process requests from our Wireless Controller. The controller uses the wireless devices MAC address as the username, and a predefined password. These MAC addresses all exist in Active Directory as user accounts, with the same password set. This works fine with our current Windows 2003 Server but I'm trying to get it going with FreeRadius. the mschap module line in MSCHAP for ntlm_auth is as such: ...

I forgot to mention: Also check that winbind is working like this:

    wbinfo --all-domains

If you don't see a list of all valid NT-style domains, winbind is broken and you'll have to fix that first.

--J
RE: New User and AD Question
These look like MS-CHAP machine-auth usernames; have you considered using:

    %{mschap:User-Name}
    %{mschap:NT-Domain}

The mschap module has special handling for host/ names, and these will expand:

    host/name.domain.com

to:

    name$
    domain.com

The trailing dollar sign on the hostname is intentional; SAM account names for machines conventionally end in $ in windows.

I'm aware of all of this. The problem is, it doesn't seem to be actually working. Here's the ntlm_auth command I'm using:

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Note use of %{mschap:User-Name} and %{mschap:NT-Domain}. Despite this, host/computer.domain login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.

--J
RE: New User and AD Question
And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.

I haven't, partly because it works for users, partly because it seemed that some others had done this already and might have been able to tell me what I'm doing incorrectly, and partly because I don't know what you mean by "take the string printed by the server". What is "the string" in this case?

--J
RE: New User and AD Question
Note use of %{mschap:User-Name} and %{mschap:NT-Domain}. Despite this, host/computer.domain login attempts always fail. Hence, trying to do the translation manually via a regex and update clauses.

And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.

Also, here is the 'mschap' section from a recent attempt. Note that the User-Name attribute is not changed to 'dnps-caplap-4$' nor is the NT-Domain attribute set to 'col.missouri.edu'. The User-Name attribute is being left unchanged and the NT-Domain attribute is set to 'col'. So something in mschap is broken? Perhaps it's an old bug? This is version 2.1.7 (built a little over a year ago, Dec. 2009).

--J
RE: New User and AD Question
In the most recent debug I see you posted (16:36 yesterday) it's failing because:

    [eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
    ++[eap] returns noop

... You tried to use a regexp to parse the username (usually a mistake IMHO) and put the domain bit into the Proxy-To-Realm attribute but Proxy-To-Realm instructs the server to do just that - which cancels local authentication.

Agreed. I commented all that back out this morning while pursuing the mschap possibility.

Reading back through the thread, it seems like there is some confusion between "domain" in the Windows NT/Active Directory sense, and "domain" as a Realm, which is a concept used in Radius proxying. I'm going to take a guess and assume you don't really need to do proxying, and were just trying to use the realm module to strip off the host/...domain.com bits, and have gotten a bit tangled.

Yup.

Make sure you're using %{mschap:User-Name} everywhere that NT domain usernames might exist - in the ldap module filter, for starters.

That's the thing. There isn't anywhere else to set it, that I can see.

At this point, you may find it easier to revert to the default configs and start from scratch, one change at a time and keeping the configs in version control.

That's another thing. I specifically created this setup by doing:

    cd /etc/raddb/sites-available
    cp default campus-eap

And then making only the necessary changes to make it work. Anything I've changed was done by commenting out the original, copying that line(s), and making changes. I have changed very, very little from the default.

--J
RE: New User and AD Question
Also, here is the 'mschap' section from a recent attempt.

I don't see anything. Did you forget an attachment?

Um... yeah. I'm doing a couple of things at once. Here it is.

    Found Auth-Type = EAP
    +- entering group authenticate {...}
    [eap] Request found, released from the list
    [eap] EAP/mschapv2
    [eap] processing type mschapv2
    [mschapv2] +- entering group MS-CHAP {...}
    [mschap] Told to do MS-CHAPv2 for host/dnps-caplap-4.col.missouri.edu with NT-Password
    [mschap]expand: %{Stripped-User-Name} ->
    [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
    ## NOTE THE NEXT THREE LINES:
    [mschap]expand: %{User-Name:-None} -> host/dnps-caplap-4.col.missouri.edu
    [mschap]expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu
    [mschap]expand: --domain=%{mschap:NT-Domain} -> --domain=col
    [mschap] mschap2: e8
    [mschap]expand: --challenge=%{mschap:Challenge:-00} -> --challenge=665bcdce0a4676a0
    [mschap]expand: --nt-response=%{mschap:NT-Response:-00} -> --nt-response=ac910bfec0608f8f666352ef38ffdd6d6298a98ef35b9b41

So something in mschap is broken? Perhaps it's an old bug? This is version 2.1.7 (built a little over a year ago, Dec. 2009).

I don't think so. That code has been unchanged for a *long* time.

--J
RE: New User and AD Question
which you resolve by putting the right entries into proxy.conf eg

    col.missouri.edu {
        strip
    }

Do you mean:

    realm col.missouri.edu {
        strip
    }

?

--J
RE: New User and AD Question
And what happens when you try to run ntlm_auth on the command-line? i.e. take the string printed by the server, and keep running it by hand. Play with the various parameters until it works. Then, configure the server to run it with those parameters.

I dug through the debug output and presumed that you meant, do this from the command line:

    wbinfo --all-domains

- good check that winbind isn't screwy - test passed

    ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)

The result was:

    NT_KEY: (long hex string)

If I change the username to a bogus hostname, I get "Logon failure (hex error)". So I presume that the problem really is just the proper translation of host/computer.domain to username=computer$ domain=domain.

Given that I've changed so very few things from the default configs, is there someplace I should look at turning things off that I'm not using that would at least simplify the issue? For example, I see rlm_ldap calls just before "Found Auth-Type = EAP", possibly called by the files section just above that. Will commenting out unix and files and anything else in the virtual server that I'm not using confuse or simplify the issue? I don't want to go changing things that are normally relied upon to preprocess something or at least create some usual expected behavior and make it all that much more complicated.

--J
RE: New User and AD Question
this output does not match with what you claim to have been using. please ensure that your ntlm_auth configuration is correct and the right one is being called. (this one in debug is looking at %{Stripped-User-Name} etc - you claimed to be using %{mschap:User-Name}

That's a test that I ran this morning, taking the --username section from the example ntlm_auth line in the mschap module. Since it didn't work, I set it back to %{mschap:User-Name}. I pasted the results anyway because they are exactly the same as when I use %{mschap:User-Name}. Mschap config has definitely been changed back to %{mschap:User-Name}.

Working on a few tests based on Phil Mayers' last reply.

--J
RE: New User and AD Question
    [mschap] expand: --username=%{%{Stripped-User-Name}:-%{User-Name:-None}} -> --username=host/dnps-caplap-4.col.missouri.edu

That is not %{mschap:User-Name}. i.e. it's misconfigured

Actually, I tried it both ways, since the longer string shown above was the default.

    [mschap] expand: --domain=%{mschap:NT-Domain} -> --domain=col

Ah, yes. Now this I do remember. The %{mschap:NT-Domain} expansion assumes that in a host account of the form:

    host/username.domain.com

...the old-style short domain is domain. Of course, this falls apart if you have a disjoint DNS/AD namespace:

    host/username.subdomain.domain.com

...or if your new-style DNS domain and old-style NT domain don't match:

    host/username.mycompany.com vs. NT domain of CORP - mycompany != CORP

And this is the case.

    AD domain = col.missouri.edu
    NT domain = UMC-USERS

The only real solution in this case is to not use the %{mschap:NT-Domain} expansion - you can't, since there's not enough info to get the old-style short domain name in all cases. So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added):

    ntlm_auth = /path/to/ntlm_auth --request-nt-key \
        --username=%{mschap:User-Name} --domain=YOURDOMAIN \
        --challenge=... --nt-response=...

Good news:

    Login OK: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 573 cli 00-90-4B-2F-80-B4)
    +- entering group post-auth {...}
    ++[exec] returns noop
    } # server campus-eap
    Sending Access-Accept of id 179 to 128.206.131.253 port 20009

Bad news: I have a multi-domain environment. If I hard-code the domain in here, then only users or hosts from that domain will be able to authenticate. How can I make it recognize the others and behave correctly? It's fine if I have to write some code using string matching and switch/case. But I can't restrict access to only one domain.

--J
RE: New User and AD Question
So, in /etc/raddb/modules/mschap, set (don't include the line continuation \ I've added):

    ntlm_auth = /path/to/ntlm_auth --request-nt-key \
        --username=%{mschap:User-Name} --domain=YOURDOMAIN \
        --challenge=... --nt-response=...

More good news (though expected): This change did not break authentication for users. Both users and computers in DOMAIN (whether specified as col.missouri.edu or UMC-USERS) can now authenticate.

Still leaves the multi-domain problem, though. :(

--J
RE: New User and AD Question
McNutt, Justin M. wrote:

    ntlm_auth --request-nt-key --username='dnps-caplap-4$' --domain=col.missouri.edu --challenge=(pasted-from-debug) --nt-response=(pasted-from-debug)

The result was:

    NT_KEY: (long hex string)

Exactly. Now that you know what works, the only problem is creating a configuration in FreeRADIUS that *automatically* uses that style of username domain.

Sure. I had been assuming that it worked, but this does prove it, thus reducing the number of unknowns in the conversation.

Based on the other thread regarding the behavior of the mschap module, here's where things stand.

- The User-Name variable is set to host/computer.ad.domain.edu, which is acceptable to ntlm_auth. In my environment, ad.domain may vary and is not the same as the NT domain (or even close).
- The mschap module wants to take ad.domain.edu and set the NT-Domain variable to ad, which likely works in some environments, but not here.
- The hard-coded domain name in the ntlm_auth command line works, but only for users/hosts in that domain (obviously).

So in the short term, I'd like to figure out a way to automatically match the DNS-style domain name based on the User-Name variable and update the NT-Domain variable so ntlm_auth will work for more cases.

Depending upon how this is implemented - what I'm about to say may not be necessary - I'd like to see a flag for the mschap module that chooses between the NT-style domain guessing (which results in col in this case) and DNS-style domain guessing (which would take everything after the first dot as the domain). I think that might result in a cleaner solution in the long term.

I think it should be a flag - set to the current NT-style guessing as the default - to maintain backward compatibility and ease of removal in case it turns out to be a Very Bad Idea Indeed. What do you think?

--J
RE: New User and AD Question
%{mschap:NT-Domain} is not a real variable; it's a dynamic expansion. There's no attribute you can set, so you'll need to use another attribute (see my other email)

Gotcha. I'm looking into that now (based on your other e-mail). That's very likely do-able.

I think it should be a flag - set to the current NT-style guessing as the default - to maintain backward compatibility and ease of removal in case it turns out to be a Very Bad Idea Indeed. What do you think?

I agree. However, as I say - I am pretty sure that long-form won't work either if you have a disjoint DNS/AD namespace. In that case, sites are going to have to use locally-defined rules.

I'm not following what you mean about disjoint namespace. You mean the difference between UMC-USERS and col.missouri.edu? I think of UMC-USERS as NT namespace whereas I see AD and DNS as the same thing, in this case.

In any event, in the test cases where I hard-coded one of the domain names into the ntlm_auth string, I used col.missouri.edu (DNS/long form) and this worked. So I'm confident in that part. I'd just like to see it done automatically, given a user flag that asks it to do so.

--J
RE: New User and AD Question
Disjoint namespace is the term used if you have DNS names for windows active directory members which are anything other than:

    samaccountname.AD domain

So, if you give your hosts DNS hostnames of:

    samaccountname.dept.AD domain

...this is a disjoint namespace. This is a supported configuration in principle - AD itself and most of the Microsoft tools work just fine - but in practice you'll find an awful lot of 3rd party stuff out there assumes that the AD domain starts at the first . in the hostname, and will break if it doesn't. This makes me sad, since the underlying protocols that AD is built on (DNS, Kerberos, LDAP) have plenty of mechanisms for doing the mapping properly. They're just not used.

Okay. Fortunately, we're not doing that. Missouri.edu is not an AD domain. Col.missouri.edu however, is. So a dnps-caplap-4.col.missouri.edu is a computer named dnps-caplap-4 in the col.missouri.edu AD domain. So the first dot assumption should work IF you take col.missouri.edu as the domain, rather than just COL (that which is between the first two dots).

--J
Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)
I think you'll have to do that. The tedious bit is matching the domains in the regexps. My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary:

    ATTRIBUTE My-NT-Domain 3003 string

Done.

...then in your ntlm_auth helper, do:

    ntlm_auth = ... --domain=%{My-NT-Domain:-DEFAULTVALUE} ...

Done. Works:

    [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
    [mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> --domain=umad.umsystem.edu

(We'll get back to that deprecated conditional part later, assuming it's not part of the problem.)

...and set this in your regexps:

    if (User-Name =~ /host[/].+[.]domain.com/) {
        update request {
            My-NT-Domain = DOMAIN.COM
        }
    }
    elsif (...) {
    }

I had this whole long e-mail about how it wasn't working yet the way I expected and wasn't matching all the time and blah blah blah. I was copying some more stuff out of the debug output to paste in here when I saw this:

    Sending tunneled request
        EAP-Message = 0x0208002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
        FreeRADIUS-Proxied-To = 127.0.0.1
        User-Name = host/dnps-caplap-4.col.missouri.edu
    server campus-inner-tunnel {
    +- entering group authorize {...}
    ...
    campus-inner-tunnel
    ...

I'm working on the wrong virtual server! I mean, the variables were getting matched and modified, but only on the outer tunnel (campus-eap)! Curses!

So I moved (*moved*, not *copied*) the if User-Name =~ /stuff/ block to the 'campus-inner-tunnel' virtual server's config just after the suffix and ntdomain items are called, and bingo! My-NT-Domain is set correctly and the host is able to get in.

NOTE: This successful test was done AFTER the output you see above that references umad.umsystem.edu. The domain umad.umsystem.edu is a valid domain here, but there are no computers in it. I was using that domain so I could see if the expansion was working, not getting modified, or what.

It also means that it won't work by accident due to my defaults. It all has to work or it breaks. So I now KNOW that this stuff you guys have been helping me set up works THE WAY WE ALL THINK IT SHOULD, not just by accident. Totally awesome. I may set up the eventual production box to have a more tolerant default, but this was perfect for testing. We'll see.

Anyway, now that this part is working, I'm going to double-check that I haven't now broken user-based auth. If not, I'm going to try to re-write the pattern match to actually pull the domain name out as %{1} so it works for all domains using one bit of code, rather than hard-coding in every domain I deem as valid. However it ends up working, I'll respond back to the list, since it sounds like at least one other person was interested in making this work soon.

Thanks very much for all the help, everyone. This has been enlightening.

--J
RE: Host-based auth against AD - MOSTLY SOLVED (was: New User and AD Question)
Holy crap, it works!

I spent some time un-doing as many of the other changes as I could find (that is, anything that deviates from the default and isn't shown below). So what follows should be everything needed to make this work.

STEP 1: CUSTOM ATTRIBUTE

My advice would be to define a local, internal-only attribute in /etc/raddb/dictionary:

    ATTRIBUTE My-NT-Domain 3003 string

This was done exactly as shown.

STEP 2: UPDATE MSCHAP MODULE TO USE CUSTOM ATTRIBUTE, IF SET

    ntlm_auth = ... --domain=%{My-NT-Domain:-DEFAULTVALUE} ...

This was modified slightly to preserve DOMAIN\USER authentication attempts. Here's what I have working in /etc/raddb/modules/mschap (prettified with the backslashes only for readability here):

    ntlm_auth = /usr/bin/ntlm_auth \
        --request-nt-key \
        --username=%{mschap:User-Name} \
        --domain=%{My-NT-Domain:-%{mschap:NT-Domain}} \
        --challenge=%{mschap:Challenge:-00} \
        --nt-response=%{mschap:NT-Response:-00}

Now this generates the following messages:

    [mschap] WARNING: Deprecated conditional expansion :-. See man unlang for details
    [mschap] expand: --domain=%{My-NT-Domain:-umad.umsystem.edu} -> --domain=col.missouri.edu

So I changed it to use --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}. That cleared up the warning messages. You can also set it to default to one domain or another, or (I suppose) fall through both variables to a default domain. I haven't bothered with this. Yet.

STEP 3: SET UP REGEX TO GRAB AD-STYLE DOMAIN NAME FOR HOST AUTH

This part goes ONLY IN THE inner-tunnel VIRTUAL SERVER DEFINITION when doing EAP authentication. At one time, I had these bits in both the outer and inner virtual servers. In my case, I only care about EAP authentication, so I reverted the outer tunnel to the defaults and made these changes to the inner-tunnel virtual server. If you aren't doing EAP, or you aren't sure, you can add this code to the outer virtual server without problems (as far as I can tell).

Anyway, here's the code:

    #   suffix
    #   ntdomain

    #  Match 'host', then a slash, then the computer name
    #  (stuff that's not a dot), then a dot.
    #  Grab everything after that and use it as the domain.
    if ( User-Name =~ /host\/[^\.]+\.(.+)/ ) {
        update request {
            My-NT-Domain = "%{1}"
        }
    }

The suffix and ntdomain lines are shown for context, to show *where* I have this code, and also to demonstrate that this works with the ntdomain part commented out. Any shenanigans with THIS\THAT User-Name values are handled correctly by mschap, so it's unnecessary to play with it here.

STEP 4: IT WORKS, BUT GOOD LORD, *WHY*?

IF IT'S A HOST ACCOUNT:

- Anything after the first dot in the computer's FQDN is pulled out and assigned to the custom attribute My-NT-Domain.
- User-Name is still host/COMPUTER.DOMAIN
- My-NT-Domain is DOMAIN
- %{mschap:NT-Domain} is in a don't care state. My-NT-Domain overrides it.
- ntlm_auth is called and My-NT-Domain is used for the --domain part, since it has a value.
- It works!

IF IT IS NOT A HOST ACCOUNT:

- It is extremely unlikely that the User-Name variable will match host/foo.bar, so My-NT-Domain remains unset.
- With My-NT-Domain unset, ntlm_auth uses %{mschap:NT-Domain} instead, which is what we were doing with only user accounts anyway.
- It works!

IF YOU LOGGED INTO A WINDOWS MACHINE USING A LOCAL ACCOUNT:

If it's XP, this isn't going to work. Even though the XP machine is a member of the domain and has successfully authenticated, XP will switch over to the user ID you used to log in. Since that's a local account, this will fail.

WORKAROUND (XP): You can go into View Wireless Networks, select the network, click Connect. Wait a few seconds and a bubble will appear above the systray prompting you for credentials. I used DOMAIN\USER format in the User field, my password in the obvious place, and left the Domain field blank. After that, whenever I logged in using that same local account, XP cached my domain user's credentials for logging into the network.

WORKAROUND (Vista/Win7): I believe Windows Vista and newer can be configured so that the computer does not try to re-authenticate upon user login. That is, it can be made to log in using the AD host account and just stay there forever, thus enabling the use of whatever local accounts you like. I HAVE ONLY READ ABOUT THIS AND NEVER TESTED IT. I plan to work on this next. I'll post my results, if no one else beats me to it.

Many thanks to everyone on the freeradius-users
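To check what Steps 1 to 3 above actually hand to ntlm_auth before touching a live server, here is an added Python simulation (not code from the thread or from FreeRADIUS): stand-ins for the %{mschap:User-Name} and %{mschap:NT-Domain} expansions as the thread describes them, the inner-tunnel regex that sets My-NT-Domain, and the --domain fallback, applied to a host account, a DOMAIN\user login and a bare user name. The two expansion stand-ins and the sample User-Name values are assumptions constructed for the example.

```python
import re

# The inner-tunnel regex from Step 3 of the thread: 'host', a slash, the
# computer name (no dots), a dot, then everything after that dot is %{1}.
HOST_RE = re.compile(r"host/[^.]+\.(.+)")


def mschap_user_name(user_name):
    """Stand-in for %{mschap:User-Name} as the thread describes it (assumption,
    not rlm_mschap itself): host/computer.domain -> computer$,
    DOMAIN\\user -> user, anything else passed through unchanged."""
    if user_name.startswith("host/"):
        fqdn = user_name[len("host/"):]
        return fqdn.split(".", 1)[0] + "$"
    if "\\" in user_name:
        return user_name.split("\\", 1)[1]
    return user_name


def mschap_nt_domain(user_name):
    """Stand-in for %{mschap:NT-Domain} as the thread describes it (assumption):
    for a host account, the label between the first two dots ("col" for
    host/x.col.missouri.edu); for DOMAIN\\user, DOMAIN; otherwise nothing."""
    if user_name.startswith("host/"):
        labels = user_name[len("host/"):].split(".")
        return labels[1] if len(labels) > 1 else None
    if "\\" in user_name:
        return user_name.split("\\", 1)[0]
    return None


def my_nt_domain(user_name):
    """Step 3: My-NT-Domain is set to %{1} only when the regex matches."""
    match = HOST_RE.search(user_name)
    return match.group(1) if match else None


def resolved_domain(user_name):
    """Step 2: --domain=%{%{My-NT-Domain}:-%{mschap:NT-Domain}}. The custom
    attribute wins when set; otherwise the module's own guess is used."""
    return my_nt_domain(user_name) or mschap_nt_domain(user_name)


def ntlm_auth_args(user_name, challenge="00", nt_response="00"):
    """Build the argument vector the thread's ntlm_auth line would produce.
    Returns None when neither expansion yields a domain, which is the case a
    :-DEFAULTVALUE fallback would have to cover."""
    domain = resolved_domain(user_name)
    if domain is None:
        return None
    return [
        "/usr/bin/ntlm_auth",
        "--request-nt-key",
        "--username=" + mschap_user_name(user_name),
        "--domain=" + domain,
        "--challenge=" + challenge,
        "--nt-response=" + nt_response,
    ]


if __name__ == "__main__":
    # Constructed sample User-Name values covering the thread's three cases.
    for name in ("host/dnps-caplap-4.col.missouri.edu", "UMC-USERS\\jdoe", "jdoe"):
        print(name, "->", ntlm_auth_args(name))
```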
RE: New User and AD Question
Could you send us the output of radiusd -X for a computer auth?

Done. (See previous message with attachment.)

If it works for users it should just work for machines.

Perhaps under certain circumstances, but not for us, apparently. Perhaps it's the significant difference between the NT-style domain name and the AD-style domain name. Perhaps it's the multi-domain AD structure. I don't know. I do know that users can successfully authenticate - IF they supply a domain as part of their credentials - and computers cannot. Yet.

You'll need to make sure you have samba 3.0.23 [IIRC] [which you seem to have] and your ntlm_auth line has to have an appropriately formatted User-Name bit e.g. %{mschap:User-Name} (the mschap module will take host\\computer.domain.name and turn it into computer$ automatically).

Yup. Samba 3.5.4. Here's the ntlm_auth line used (from mschap module):

    ntlm_auth = /usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --domain=%{mschap:NT-Domain} --challenge=%{mschap:Challenge:-00} --nt-response=%{mschap:NT-Response:-00}

Interestingly enough, the modules/ntlm_auth file contains something completely different, though I don't think it is in play:

    exec ntlm_auth {
        wait = yes
        program = "/usr/bin/ntlm_auth --request-nt-key --username=%{mschap:User-Name} --password=%{User-Password}"
    }

--J
RE: New User and AD Question
    if ( User-Name =~ /^host\/([^\.])+\.(\S+)$/i ) {

Something's wrong with the regex here. From the config:

    if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {

From radiusd -X:

    User-Name = host/dnps-caplap-4.col.missouri.edu
    ...
    ? Evaluating (User-Name =~ /^host\/([^\.]+)\.(\S+)$/i) -> FALSE

I removed the ^ and $ anchors and got better results, but still not working:

    +- entering group authorize {...}
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
    ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
    ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
    +++[control] returns notfound
    ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++[preprocess] returns ok

Here's the code it's trying to execute. There must be something wrong with the update control section:

    if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
        update control {
            Proxy-To-Realm := %{2}
        }
    }

This looks related:

    WARNING: You set Proxy-To-Realm = %{2}, but the realm does not exist! Cancelling invalid proxy request.

I changed the %{2} to $2, but it does basically the same thing:

    WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request.

Here's more context as to what it's doing. Basically, neither the User-Name nor the NT-Domain (nor realm) is getting changed into something usable by ntlm_auth.

    rad_recv: Access-Request packet from host 128.206.131.253 port 20007, id=9, length=209
        NAS-Port-Id = AP85/1
        Calling-Station-Id = 00-90-4B-2F-80-B4
        Called-Station-Id = 5C-E2-86-00-15-C0:Eddies Office
        Service-Type = Framed-User
        EAP-Message = 0x0201002801686f73742f646e70732d6361706c61702d342e636f6c2e6d6973736f7572692e656475
        User-Name = host/dnps-caplap-4.col.missouri.edu
        NAS-Port = 479
        NAS-Port-Type = Wireless-802.11
        NAS-IP-Address = 128.206.131.253
        NAS-Identifier = nortel
        Message-Authenticator = 0xa6b9a66a7a99f19b8adc326da2ad0052
    server campus-eap {
    +- entering group authorize {...}
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
    ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
    ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
    +++[control] returns notfound
    ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = host/dnps-caplap-4.col.missouri.edu, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop
    [ntdomain] No '\' in User-Name = host/dnps-caplap-4.col.missouri.edu, looking up realm NULL
    [ntdomain] No such realm NULL
    ++[ntdomain] returns noop
    [eap] Request is supposed to be proxied to Realm $2. Not doing EAP.
    ++[eap] returns noop
    ++[unix] returns notfound
    [files] expand: %{Client-IP-Address} -> 128.206.131.253
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: DC=edu -> DC=edu
    [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: object not found
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    [files] expand: %{Client-IP-Address} -> 128.206.131.253
    rlm_ldap: Entering ldap_groupcmp()
    [files] expand: DC=edu -> DC=edu
    [files] expand: (|(sAMAccountName=%{User-Name})(userPrincipalName=%{User-Name})) -> (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: ldap_get_conn: Checking Id: 0
    rlm_ldap: ldap_get_conn: Got Id: 0
    rlm_ldap: performing search in DC=edu, with filter (|(sAMAccountName=host/dnps-caplap-4.col.missouri.edu)(userPrincipalName=host/dnps-caplap-4.col.missouri.edu))
    rlm_ldap: object not found
    rlm_ldap::ldap_groupcmp: search failed
    rlm_ldap: ldap_release_conn: Release Id: 0
    ++[files] returns noop
    ++[expiration] returns noop
    ++[logintime] returns noop
    ++[pap] returns noop
    WARNING: You set Proxy-To-Realm = $2, but the realm does not exist! Cancelling invalid proxy request.
    No authenticate method (Auth-Type) configuration found for the request: Rejecting the user
    Failed to authenticate the user.
    Login incorrect: [host/dnps-caplap-4.col.missouri.edu] (from client test-wss2380 port 479 cli 00-90-4B-2F-80-B4)
    } # server campus-eap
    Using Post-Auth-Type Reject
    +- entering group REJECT {...}
    [attr_filter.access_reject] expand: %{User-Name} -> host/dnps-caplap-4.col.missouri.edu
    attr_filter: Matched entry DEFAULT at line
RE: New User and AD Question
this stuff doesn't touch the User-Name - it just looks at it and alters the server's proxy choosing behaviour which is what makes it useful and powerful.

It's not doing it correctly yet. See previous message.

the language is 'unlang' - it's a built in parser in freeradius - making the server very powerful by being able to actually put coding logic into the config files; in short, it's brilliant. 'man unlang' for more info

Yup. I've been reading that, but it's a lot to digest in a short amount of time. Working on that. radiusd -XC likes it. Hopefully, I'll be able to tell if one or both of these schemes works fairly early tomorrow.

I was going to suggest a session of radiusd -X because in the output you can actually SEE the logic decisions being made - which really really helps with dealing with false/true hits where you might not expect them.. the old 'why didn't that match?' question gets answered very quickly

I sent a relevant snippet in my last message (unredacted in any way). The worst part of what I sent just now is that it was no longer attempting EAP. LDAP auth for the host/blah.blah will never work, since the computer doesn't have a cleartext password. It's going to have to go through mschap if it's going to succeed. I think. (Feel free to tell me I'm nuts...)

--J
RE: New User and AD Question
    Proxy-To-Realm := %{2}

    Proxy-To-Realm := "%{2}"

Yeah, I just figured that out. :/ Adjusting and re-testing.

--J
RE: New User and AD Question
    if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
        update control {
            Proxy-To-Realm := %{2}
        }
    }

Part of my troubleshooting involved changing the code to this:

    if ( User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {
        switch %{2} {
            case 'col.missouri.edu' {
                update control {
                    Proxy-To-Realm := 'UMC-USERS'
                }
            }
            case 'um.umsystem.edu' {
                update control {
                    Proxy-To-Realm := 'UM-USERS'
                }
            }
        }
    }

Now it matches, but something about the regex is still wrong (mainly, the multi-character captures) because it's not expanding correctly. Short version:

    ...
        User-Name = host/dnps-caplap-4.col.missouri.edu
    ...
    +- entering group authorize {...}
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i )
    ? Evaluating (User-Name =~ /host\/([^\.]+)\.(\S+)/i) -> TRUE
    ++? if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) -> TRUE
    ++- entering if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) {...}
    expand: %{2} -> s
    +++- entering switch %{2} {...}
    - switch %{2} returns notfound
    +++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++- if (User-Name =~ /host\/([^\.]+)\.(\S+)/i ) returns notfound
    ++[preprocess] returns ok

So... %{2} expands to 's', which could be the 's' in 'dnps' or one of the 's' in 'missouri'. Definitely going to have to re-write this regex somewhat. :/ Suggestions welcome. Here's the logic behind the original regex:

    # host, a slash, one or more non-dot characters, a dot,
    # one or more non-whitespace chars.

I'd like to use the Beginning Of Line and End Of Line anchors as well, but I'm going to have to figure out why the rest of it is failing before I can add those restrictions.

Btw, thanks for the help so far. Much appreciated!

--J
RE: New User and AD Question
Should I post the debug log here, or a pastebin, or...?

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan DeKok
Sent: Sunday, February 27, 2011 1:51 PM
To: FreeRadius users mailing list
Subject: Re: New User and AD Question

McNutt, Justin M. wrote:

New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?

http://deployingradius.com/documents/configuration/active_directory.html

It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)

The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the host\\computer.domain.name users (the computer accounts). I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.

So... what goes wrong?

Sooo... help? What's the basic idea behind making this work?

Post the debug log from a failed session.

Alan DeKok.
RE: New User and AD Question
Removing the shared secrets, LDAP user passwords, etc. was the redacting I was talking about. That, and removing the thousands of messages related to other users' auth attempts, if I had had to do this on a production server. Fortunately, that wasn't necessary. I was able to get a valid debug log from the test server.

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Sallee, Stephen (Jake)
Sent: Sunday, February 27, 2011 4:05 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question

Two comments about posting logs ...

#1 Post the entire log of radiusd -X (NOT -XX, that has a bunch of timestamps we don't need) and don't redact anything that's not privileged info, you can very easily remove the portion of the log that holds the answer to your questions.

#2 your output of radiusd -X WILL CONTAIN your SSL cert passwords in CLEAR TEXT! So make sure you remember to scrub them of any info you don't want becoming public.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-Original Message-
From: freeradius-users-bounces+jake.sallee=umhb.edu@lists.freeradius.org On Behalf Of McNutt, Justin M.
Sent: Sunday, February 27, 2011 2:05 PM
To: FreeRadius users mailing list
Subject: RE: New User and AD Question

McNutt, Justin M. wrote:

New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?

http://deployingradius.com/documents/configuration/active_directory.html

It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as NT-LIKE-DOMAIN\\USERID but hosts appear as host\\computer.ad.domain.name AND that NT-LIKE-DOMAIN and ad.domain.name do not look at all alike. I'll re-read the link, though, just to be sure.

So... what goes wrong?

For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing. For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)

Post the debug log from a failed session.

Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.)

--J
RE: New User and AD Question
I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the authorize section of the campus-eap virtual server (this is the default, I believe). From the debug log, request 9:

    server campus-eap {
    +- entering group authorize {...}
    ++[preprocess] returns ok
    ++[chap] returns noop
    ++[mschap] returns noop
    [suffix] No '@' in User-Name = host/doit-tcb-agl.col.missouri.edu, looking up realm NULL
    [suffix] No such realm NULL
    ++[suffix] returns noop

The preacct section of raddb/sites-available/campus-eap has this as well. Several files make mention of the realm module. In this case, I'm trying to use DOIT-TCB-AGL as the user name and COL.MISSOURI.EDU as the realm (or domain). What I'm not clear on is how to code a realm { } section to match this:

    host/$USER.$REALM

where the first dot is a delimiter, the remaining dots are part of the realm, and the prefix host/ is only used to identify that this section should be used to process the ID.

Or am I going off in the completely wrong direction here?

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Monday, February 28, 2011 3:16 PM
To: FreeRadius users mailing list
Subject: Re: New User and AD Question

hi,

in your campus-eap virtual server you are not making a call to eg the prefix module (put straight after the preprocess module) ie

    preprocess
    suffix
    ntdomain

do this in the authorization and preacct sections to handle these better

alan
RE: New User and AD Question
I'll try it, but I've read it, and I don't see how this (from realm module):

    #
    #  'domain\user'
    #
    realm ntdomain {
        format = prefix
        delimiter = "\\"
    }

Is going to apply to this:

    User-Name = host/doit-tcb-agl.col.missouri.edu

--J

-Original Message-
From: freeradius-users-bounces+mcnuttj=missouri.edu@lists.freeradius.org On Behalf Of Alan Buxey
Sent: Monday, February 28, 2011 4:42 PM
To: FreeRadius users mailing list
Subject: Re: New User and AD Question

Hi,

I don't have a modules/prefix file. I have a preprocess file, which is called at the top of the authorize section of the campus-eap virtual server (this is the default, I believe).

just add ntdomain as i said

read the realm module for description about fall through

alan
RE: New User and AD Question
Attempted and failed. Can authenticate users, but host authentication still fails. Uncommented ntdomain from both the authorize and preacct sections of /etc/raddb/sites-available/campus-eap. Same behavior as before.

--J
RE: New User and AD Question: OT hijack
Yes, and no, respectively. My wife has taken the kids there, but I have never been.

--J

-----Original Message-----
From: Gary Gatten
Sent: Monday, February 28, 2011 5:34 PM
To: 'freeradius-users@lists.freeradius.org'
Subject: Re: New User and AD Question: OT hijack

> First, is your last name really McNutt? And, have you ever been by the house near MU that has camels and zebras in the front yard?
RE: New User and AD Question
> ignore me. i'm tired. yes, this is a little bit of pain.

I understand. I wondered about that when I saw the ac.uk. You must be working hours similar to mine. (That is, all of them.)

> you'll be best off using a bit of unlang eg (put this in the authorize section of your main virtual server)
>
>     if ( User-Name =~ /^host\//i ) {
>         if ( User-Name =~ /\.col\.missouri\.edu$/i ) {
>             update control {
>                 Proxy-To-Realm := col.missouri.edu
>             }
>         }
>     }
>
> this will then throw the packet to the part of proxy.conf that has col.missouri.edu
>
> a bit of regex foo and you can use %{1} return operators etc rather than hardcode things if you want
>
> alternatively you can deal with what you know as yours and then identify what isn't yours and reject or proxy them
>
> machine auth can be pretty nasty...

That looks like Perl. Perl, I can deal with. I do have multiple domains to attack. If I can come up with something generic that works for at least two domains, I'll post it here. Looks predictable enough. I'm thinking along the lines of something like this:

    # BOL, host, a slash, one or more non-dot characters (captured as %{1}),
    # a dot, one or more non-whitespace chars (captured as %{2}), EOL.
    if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
        update control {
            Proxy-To-Realm := "%{2}"
        }
    }

I have two toddlers crawling on me at the moment (literally), so I haven't checked unlang syntax, but from Perl, that's more or less what it would look like. %{1} would contain the host name. Do I need to update the User-Name to just %{1} and/or update other fields related to the realm (domain)?

It may be difficult to try this before tomorrow morning, since I'm now off site, but I'll at least work at it until radiusd -X is happy with it.

Thanks!

--J
RE: New User and AD Question
    # BOL, host, a slash, one or more non-dot characters (captured as %{1}),
    # a dot, one or more non-whitespace chars (captured as %{2}), EOL.
    if ( User-Name =~ /^host\/([^\.]+)\.(\S+)$/i ) {
        switch "%{2}" {
            case 'my-domain-string-1' {
                update control {
                    Proxy-To-Realm := 'my-domain-1'
                }
            }
            case 'my-domain-string-2' {
                update control {
                    Proxy-To-Realm := 'my-domain-1'
                }
            }
            case 'my-domain-string-3' {
                update control {
                    Proxy-To-Realm := 'my-domain-2'
                }
            }
            case {
                # Domain not recognised
            }
        }
    }

I took this code and modified it, assuming that if the code I wrote before (which tries to use COL.MISSOURI.EDU as the realm) doesn't work, I can use the code above to take FOO.MISSOURI.EDU and proxy to the NT domain FOO-USERS, which is more than just massaging the User-Name field. The switch statement will be necessary to translate the AD domain into the correct NT domain.

radiusd -XC likes it. Hopefully, I'll be able to tell if one or both of these schemes works fairly early tomorrow.

Thanks!

--J
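The two identity formats argued over in this thread (DOMAIN\user, which the realm module's ntdomain rule splits on a backslash, and host/name.domain, which it never touches) and the host/ regex with its switch-style realm table can be checked outside radiusd. The Python below is an added example written for this page, not code from the thread or from FreeRADIUS: it models the ntdomain prefix split, runs the host/ regex with Python's re module (the pattern text is the same ERE as in the unlang), and shows concretely why the quantifier has to sit inside the capture group: with `([^.])+` the first group holds only the last character of the host name. The AD-domain-to-NT-realm table is a constructed placeholder standing in for the case labels in the switch.

```python
import re
from typing import Optional, Tuple

# Constructed placeholder for the switch table in the unlang above: AD DNS
# domain (what %{2} captures) -> NT-style realm named in proxy.conf.
# The real names would come from the site's own realm {} sections.
AD_DOMAIN_TO_NT_REALM = {
    "col.missouri.edu": "COL-USERS",
    "foo.missouri.edu": "FOO-USERS",
}

# Host regex with the quantifier inside group 1 (host name, then realm).
HOST_RE = re.compile(r"^host/([^.]+)\.(\S+)$", re.IGNORECASE)
# Same regex with the quantifier outside the group, kept only to show the
# capture bug: group 1 ends up holding a single character.
HOST_RE_BUGGY = re.compile(r"^host/([^.])+\.(\S+)$", re.IGNORECASE)


def ntdomain_split(user_name: str) -> Optional[Tuple[str, str]]:
    """Model the realm module's ntdomain rule (format = prefix,
    delimiter = backslash). Returns (realm, user), or None when there is
    no backslash, which is the case for every host/name.domain identity."""
    if "\\" not in user_name:
        return None
    realm, _, user = user_name.partition("\\")
    return realm, user


def host_split(user_name: str, pattern=HOST_RE) -> Optional[Tuple[str, str]]:
    """Apply the host/ regex and return (%{1}, %{2}) as the unlang would
    see them, or None when the identity is not a host/ machine account."""
    m = pattern.match(user_name)
    if not m:
        return None
    return m.group(1), m.group(2)


def proxy_realm_for(user_name: str) -> Optional[str]:
    """Decide the Proxy-To-Realm value the way the thread's configuration
    does: DOMAIN\\user gets its prefix via ntdomain; host/name.domain gets
    the realm the switch table maps its AD domain to; anything unrecognised
    (the empty 'case' block, or a bare user name) yields None."""
    nt = ntdomain_split(user_name)
    if nt is not None:
        return nt[0]
    host = host_split(user_name)
    if host is not None:
        return AD_DOMAIN_TO_NT_REALM.get(host[1].lower())
    return None


if __name__ == "__main__":
    for name in ("COL\\jmcnutt",
                 "host/doit-tcb-agl.col.missouri.edu",
                 "host/pc1.other.example.edu",
                 "jmcnutt"):
        print(f"{name!r:45} -> {proxy_realm_for(name)!r}")
    # Constructed demonstration of the capture-group bug:
    print("buggy capture:", host_split("host/doit-tcb-agl.col.missouri.edu", HOST_RE_BUGGY))
```

Because ntdomain_split returns None for every host/ identity, the ntdomain module alone can never populate a realm for machine accounts, which is the behaviour seen in the debug log earlier in the thread; the regex branch is what fills that gap, and the table (or switch) is where the AD DNS domain is translated into whatever realm name proxy.conf actually knows.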
New User and AD Question
New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?

I have Googled and Googled, but only found references to the fact that it *can* be done (mostly from archives of this list), but little reference on HOW to do it, other than that it has something to do with editing the realms file. I also went to #freeradius on FreeNode, but it seemed there was rarely anyone in the channel. So here I am.

I'm running FreeRADIUS 2.1.7 from the RHEL 5 RPM (freeradius2-2.1.7-7.el5). It's running on an RHEL 5 virtual machine that is a member of an AD domain via Samba 3.5.4 (which was required to talk to the 2008R2 domain controllers). We have a multi-domain, single forest environment.

I'm running two virtual servers, based on the defaults. I have the campus-main virtual server that is pretty much the exact same as the default, except that I have LDAP authentication enabled. This works perfectly and is able to authenticate users for all domains.

I also have the campus-eap and campus-inner-tunnel virtual servers for EAP authentication that are the same as the default and inner-tunnel servers except for the names. (I copied them so I could make changes to the campus-XXX virtual servers and still have the originals for reference.) The EAP functions for clients using EAP-TTLS and EAP-PEAP work just fine for all users in all domains (authenticated via ntlm_auth) EXCEPT for the host\computer.domain.name users (the computer accounts).

I'd like to make this work, partly because a large number of the failed login attempts in my logs are from hosts that are valid domain members.

Sooo... help? What's the basic idea behind making this work?

Thanks!

Justin McNutt
Network Systems Analyst - Ninja
DNPS, Mizzou Telecom
(573) 882-5183

Do you have a concussion? Ping is NOT a service. You don't need it. Use a real test.
RE: New User and AD Question
> McNutt, Justin M. wrote:
>> New member to the list, here. I have a question about AD computer-based authentication. Basically, how is it accomplished?
>
> http://deployingradius.com/documents/configuration/active_directory.html
>
> It's pretty much the same as normal user authentication. PEAP goes in, authentication goes out, never a miscommunication. :)

If I recall, we used this walkthrough to get user authentication to work (which it does), but it still doesn't work for host authentication. This is keeping in mind that users' creds come across as NT-LIKE-DOMAIN\USERID but hosts appear as host\computer.ad.domain.name AND that NT-LIKE-DOMAIN and ad.domain.name do not look at all alike. I'll re-read the link, though, just to be sure.

> So... what goes wrong?

For users, it's a number of things. Bad passwords. Attempts to use EAP-TLS or EAP-MD5 (which we don't support). Misspelled or missing domain names. That sort of thing.

For the hosts, it Just Doesn't Work. I have yet to determine why. (More research.)

> Post the debug log from a failed session.

Will do. (Pulling just the relevant bits out will be difficult, given the verbosity of 'radiusd -X' but I have no shortage of hosts attempting this, so it shouldn't take long.)

--J